nginxlets-encrypt

How do you score A+ with 100 on all categories on SSL Labs test with Let's Encrypt and Nginx?


I'm trying to score 100 on all categories when testing my SSL certs at www.ssllabs.com

However, I am struggling to get A+ and 100 on all scores.

Any tips as to what NGINX config I should use? Or how I should generate my Let's Encrypt certs? thx


Solution

  • The recommendations below are outdated. You can get an A+ score by following the 'Intermediate' instructions on https://ssl-config.mozilla.org/. Make sure to watch the releases of their repository (Watch > Custom > Releases) to get email notifications when they update their guidelines in order to make sure that your config stays A+ in the future.

    ======================

    These instructions apply to all certs (including Let's Encrypt certs). However, one or two Let's Encrypt specific tips are given.

    The NGINX SSL config given below will give you the following SSL Labs scores. You choose:

    Recommended

    Perfect but restrictive

    NGINX SSL config - Extract the bits you want. The notes clarify how a given NGINX directive will effect your SSL Labs score:

    # Your listen directive should be .. listen 443 ssl http2;
    # gzip off; # gzip over ssl? really?
    
    ssl_certificate      /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    
    #################### ssllabs.com Protocol Support
    
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # Score=95 (recommended)
    # ssl_protocols TLSv1.2; # Score=100
    
    #################### ssllabs.com Key Exchange
    
    # Score=90 (recommended)
    ssl_dhparam          /etc/letsencrypt/live/yourdomain.com/dhparam2048.pem; # openssl dhparam -out dhparam2048.pem 2048
    ssl_ecdh_curve       secp384r1; # optional
    
    # Score=100 (must generate letsencrypt certs with flag --rsa-key-size 4096)
    # ssl_dhparam        /etc/letsencrypt/live/yourdomain.com/dhparam4096.pem; # openssl dhparam -out dhparam4096.pem 4096
    # ssl_ecdh_curve     secp384r1; # required
    
    #################### ssllabs.com Cipher Strength - see https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:EC
    DHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES25
    6-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS; # Score=90 (recommended)
    # ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL; # Score=100
    
    #################### ssllabs.com A+ - Enable HSTS on all subdomains
    
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # add_header Strict-Transport-Security "max-age=0; includeSubDomains"; # Delete browser cached HSTS policy (i.e. turn HSTS off)
    
    # THE PRELOAD DIRECTIVE WILL HAVE SEMI-PERMANENT CONSEQUENCE AND IS IRREVERSIBLE - DO NOT USE UNTIL FULLY TESTED AND YOU UNDERSTAND WHAT YOU ARE DOING!
    # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    
    #################### Other typical SSL settings that DO NOT effect the ssllabs.com score
    
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_prefer_server_ciphers on;
    
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 10s;
    
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    

    Note, you can only get 100 on Key Exchange if your:

    EDIT