The Snapt Accelerator is built on Nginx, so Nginx SSL security is something we are very familiar with. If you'd like to try the full Accelerator package, please get a trial from the website.

This is a guide on how to ensure you have the best SSL set-up and get your own A+ rating. It favors getting it done over explaining the intricacies of what you are doing, in an effort to help the most users.

Snapt users can all enjoy an easy A+ rating

Step 1: Get up to date

Make sure you are running the latest relevant versions of Nginx and OpenSSL. There have been many exploits against OpenSSL recently and it is critical to keep it patched. Most Linux systems will update OpenSSL with simple apt-get or yum commands.

Step 2: Ensure you have a full certificate chain

When you get an SSL certificate you are usually left with a .key file (your private key) and a .crt file (the certificate created from your .csr). However, you typically need a set of intermediate certificates as well. These should be included after your certificate in your .crt file, and will normally be provided to you by your certificate vendor.

Step 3: Setting your ciphers

You will want to restrict the ciphers you are willing to use, as well as disable older SSL protocols like SSLv3. This can easily be done in your server {} block by adding the following lines:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;

This will limit requests to using TLS, with a much more secure set of ciphers (required to get that A+ rating).

Step 4: DH Parameters

You may often see the message "This server supports weak Diffie-Hellman (DH) key exchange parameters." This is a simple fix and requires generating your own DH params file and telling nginx to use it. Run the following command to generate it (and consider the location of the file):

openssl dhparam -out dhparam.pem 4096

This will generate a dhparam.pem file for you. You must then add this to your Nginx config (in your server {} block) to use it:

ssl_dhparam /path/to/dhparam.pem;

Step 5: OCSP Stapling

Enabling OCSP Stapling on a new version of Nginx is very simple, just add the following lines to the same server {} block:

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

Step 6: Enable HSTS

HTTP Strict Transport Security, or HSTS, is a header sent back from your server that tells clients to only use HTTPS when communicating with the server. This can be added by your application (in PHP for example) or simply forced on the webserver. Add this to your nginx server {} block to enable it:

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

Step 7: Optional Extras

You may want to disable server tokens (nginx version numbers) in headers as well, which you can do by adding this to your server {} block:

server_tokens off;
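Putting steps 2 to 7 together, here is a complete server {} block as an added example (not Snapt's own configuration). The hostname, file paths, the HTTP-to-HTTPS redirect and the ssl_trusted_certificate line are assumptions; the last one is needed because ssl_stapling_verify can only validate the stapled OCSP response when nginx has the issuer chain to check it against.

```nginx
# Added example: a complete server {} block combining steps 2-7.
# Hostname, paths and the redirect block are assumptions for illustration.

server {
    listen 80;
    server_name example.com;
    # HSTS only takes effect once a client has arrived over HTTPS, so send
    # plain-HTTP visitors there first.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;

    # Step 2: the .crt holds your certificate first, followed by the intermediates
    ssl_certificate     /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # Step 3: TLS only (no SSLv3), restricted cipher list, server picks the cipher
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # Step 4: your own DH parameters (generated with: openssl dhparam -out dhparam.pem 4096)
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # Step 5: OCSP stapling. ssl_stapling_verify needs the issuer chain
    # (intermediates plus root) in ssl_trusted_certificate to check the response.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # Step 6: HSTS for one year, covering subdomains as well
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

    # Step 7: hide the nginx version in headers and error pages
    server_tokens off;

    location / {
        root /var/www/example.com;
    }
}
```

Run `nginx -t` to check the syntax before reloading, so a typo in a path does not take the site down.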

And that's all you need for that bright green A+ rating! Don't forget to test your site.