Logging Stuff
Log Format String
This is just the standard nginx log format, prefixed by the server_name of the virtual server serving the request.
http {
log_format vhost '$server_name $remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
}
Use this log format
server {
[...]
access_log /var/log/nginx/access.log vhost;
[...]
}
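Log lines in the 'vhost' format above are the standard combined format with one extra leading field, so stock log parsers will mis-align every column. The following is an added example (not part of the original page) of a parser for exactly this format, run over a few constructed sample lines, with a small defender-side summary that counts 4xx/5xx responses per virtual host and client address to make scanning against one vhost visible.

```python
import re
from collections import Counter

# Regex for the 'vhost' log_format: combined format with $server_name prepended.
# nginx escapes a literal '"' inside logged values as \x22, so [^"]* is safe for
# the quoted fields.
VHOST_LINE = re.compile(
    r'^(?P<server_name>\S+) (?P<remote_addr>\S+) - (?P<remote_user>\S+) '
    r'\[(?P<time_local>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<body_bytes_sent>\d+|-) "(?P<http_referer>[^"]*)" '
    r'"(?P<http_user_agent>[^"]*)" "(?P<http_x_forwarded_for>[^"]*)"$'
)


def parse_vhost_line(line):
    """Return the fields of one access-log line as a dict, or None if the line
    does not match the vhost format (e.g. a line written by another log_format)."""
    m = VHOST_LINE.match(line.rstrip('\n'))
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['body_bytes_sent'] = 0 if rec['body_bytes_sent'] == '-' else int(rec['body_bytes_sent'])
    return rec


def error_summary(lines):
    """Count 4xx/5xx responses per (server_name, remote_addr). A single client
    producing many errors against one vhost is a common sign of path scanning
    or credential guessing."""
    counts = Counter()
    for line in lines:
        rec = parse_vhost_line(line)
        if rec is None:
            continue
        if rec['status'] >= 400:
            counts[(rec['server_name'], rec['remote_addr'])] += 1
    return counts


# Constructed sample lines (not real traffic) in the vhost format; the last one
# is deliberately malformed to show that it is skipped rather than mis-parsed.
SAMPLE_LOG = [
    'www.example.com 203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0" "-"',
    'www.example.com 203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0" "-"',
    'www.example.com 203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /.env HTTP/1.1" 404 162 "-" "Mozilla/5.0" "-"',
    'admin.example.com 198.51.100.9 - alice [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 401 0 "https://admin.example.com/" "curl/8.0" "10.0.0.5"',
    'this line is not in the expected format',
]

if __name__ == '__main__':
    for key, n in error_summary(SAMPLE_LOG).most_common():
        print('%s %s %d' % (key[0], key[1], n))
```

Because `$http_x_forwarded_for` is client-supplied, the summary keys on `$remote_addr` (the TCP peer) and only carries the forwarded value along as data; trust it only when nginx sits behind a proxy you control.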
Enable Re-Write Log
Rewrite log messages go to the error log at the 'notice' level by default,
so make sure the error_log directive is set to a level that includes notice, otherwise nothing is written.
server {
[...]
rewrite_log on;
error_log /var/log/nginx/error.log notice;
[...]
}
SSL Stuff
Things are changing quickly!
Review this section every time you use it.
Use https://www.ssllabs.com/ssltest/ to test your server and get recommendations for ciphers and other stuff.
There is also a test for your browser: https://www.ssllabs.com/ssltest/viewMyClient.html
server {
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!DSS";
ssl_session_timeout 10m;
ssl_session_cache builtin:1000 shared:SSL:10m;
# PFS
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# secp521r1 is not offered by all clients; secp384r1 gives them a fallback
ssl_ecdh_curve secp521r1:secp384r1;
# HSTS (ngx_http_headers_module is required) (31536000 seconds = 1 year)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
}
Generate dhparam
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
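The SSL Labs test above checks the live server, but it cannot run against a config file before deployment. The following is an added example (not from the original page or from nginx) of a small pre-deployment check over a server{} block: it parses the directives and flags the settings the section above is concerned with (legacy protocols, server cipher preference, OCSP stapling, and an HSTS header that is missing or too short-lived). The threshold for HSTS max-age is my own choice for this example; both config snippets are constructed for illustration.

```python
import re

# Values this check treats as weak. The HSTS lower bound (six months) is an
# assumption made for this example, not an nginx or browser requirement.
LEGACY_PROTOCOLS = {'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1'}
MIN_HSTS_AGE = 15768000


def directives(config_text):
    """Yield (name, value) for each 'name value;' line, ignoring '#' comments.
    Block openers ('server {') and closers are skipped. Naive on purpose: a '#'
    inside a quoted value would be treated as a comment."""
    for raw in config_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line.endswith(';'):
            continue
        parts = line[:-1].split(None, 1)
        if len(parts) == 2:
            yield parts[0], parts[1].strip()


def check_tls_config(config_text):
    """Return a list of findings for one server{} block; an empty list means
    nothing was flagged."""
    findings = []
    seen = {}
    hsts = None
    for name, value in directives(config_text):
        seen[name] = value
        # add_header may appear several times, so it is not collapsed into 'seen'
        if name == 'add_header' and value.startswith('Strict-Transport-Security'):
            hsts = value

    legacy = set(seen.get('ssl_protocols', '').split()) & LEGACY_PROTOCOLS
    if legacy:
        findings.append('legacy protocols enabled: ' + ' '.join(sorted(legacy)))
    if seen.get('ssl_prefer_server_ciphers', 'off').lower() != 'on':
        findings.append('ssl_prefer_server_ciphers is not on')
    if seen.get('ssl_stapling', 'off').lower() != 'on':
        findings.append('OCSP stapling is off')
    if hsts is None:
        findings.append('no Strict-Transport-Security header')
    else:
        m = re.search(r'max-age=(\d+)', hsts)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append('HSTS max-age below %d seconds' % MIN_HSTS_AGE)
    return findings


# Constructed weak configuration: old protocols, client-chosen ciphers,
# no stapling and a five-minute HSTS lifetime.
WEAK_CONFIG = """
server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=300";
}
"""

# Constructed configuration following the settings shown in the section above.
HARDENED_CONFIG = """
server {
    ssl_stapling on;          # OCSP stapling
    ssl_stapling_verify on;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
}
"""

if __name__ == '__main__':
    for label, cfg in (('weak', WEAK_CONFIG), ('hardened', HARDENED_CONFIG)):
        print(label, check_tls_config(cfg) or 'no findings')
```

One nginx behaviour this check does not model: add_header directives are inherited only if the nested location or server block has no add_header of its own, so an HSTS header set at server level silently disappears in any location{} that adds another header. Run the check against the effective configuration for each location, or restate the headers there.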
Key Pinning
HPKP (the Public-Key-Pins header) is obsolete and current browsers no longer honor it; the SPKI hash computed below is still the pin format used by other pinning mechanisms.
Extract the Base64-encoded hash for pinning
From the Key
openssl rsa -in my-key-file.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
From Signing Request
openssl req -in my-signing-request.csr -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
From the Certificate
openssl x509 -in my-certificate.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
From the Certificate (grabbing it from a running server over the network; -servername sends SNI so the right virtual host answers, and stdin is closed so s_client exits after the handshake)
openssl s_client -connect www.example.com:443 -servername www.example.com < /dev/null 2>/dev/null | openssl x509 -pubkey -noout | \
openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | \
openssl enc -base64
Add to your server config:
server {
add_header Public-Key-Pins 'pin-sha256="/6Q+2zQb+oBanHld5PQq6bjlO1/MIjiPBxQVuYJGjmM="; pin-sha256="7DRbL0z6zyAj3Qq3PoHATgwyNYkdMzTn54UpPWcv3CI="; pin-sha256="Y9gcAXAbTSTmeespRJZfTip9Ozthg40scR2Xkj2vXh0="; max-age=5184000';
}
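All four openssl pipelines above converge on the same computation: take the DER-encoded SubjectPublicKeyInfo, SHA-256 it, base64 the digest. The following added example (not from the original page) does that in the Python standard library, starting from the PEM public key that `openssl ... -pubkey -noout` prints, so you can see exactly which bytes the pin covers, and builds the header value while enforcing the RFC 7469 rule that at least two pins (the live key plus a backup) must be present. The key used is a constructed, deliberately tiny RSA key (the textbook n=3233, e=17), wrapped in valid DER so the example runs offline; it is not a real key and the resulting pin is meaningless outside this demonstration.

```python
import base64
import hashlib
import re


def spki_pin_from_der(der):
    """SHA-256 over the DER SubjectPublicKeyInfo, base64-encoded (the pin-sha256 value)."""
    return base64.b64encode(hashlib.sha256(der).digest()).decode('ascii')


def spki_pin_from_pem(pem_text):
    """Pin for a '-----BEGIN PUBLIC KEY-----' block. The base64 body of that
    block is exactly the DER SubjectPublicKeyInfo, so no ASN.1 parsing is needed."""
    m = re.search(r'-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----', pem_text, re.S)
    if not m:
        raise ValueError('no PUBLIC KEY block found')
    der = base64.b64decode(''.join(m.group(1).split()))
    return spki_pin_from_der(der)


def public_key_pins_header(pins, max_age, include_subdomains=False):
    """Build the Public-Key-Pins header value. RFC 7469 requires at least two
    pins, one of which must be a backup key not in the served chain, so a
    single-pin header is refused here rather than silently ignored by clients."""
    if len(pins) < 2:
        raise ValueError('HPKP needs at least two pins (current key plus a backup)')
    parts = ['pin-sha256="%s"' % p for p in pins]
    parts.append('max-age=%d' % int(max_age))
    if include_subdomains:
        parts.append('includeSubDomains')
    return '; '.join(parts)


# Constructed toy SubjectPublicKeyInfo (DER) for the textbook RSA key n=3233, e=17.
# Structurally valid for an rsaEncryption key, but far too small to be real.
TOY_SPKI_DER = bytes.fromhex(
    '301b'                                  # SEQUENCE, 27 bytes of content
    '300d06092a864886f70d0101010500'        # AlgorithmIdentifier: rsaEncryption, NULL
    '030a00'                                # BIT STRING, 10 bytes, 0 unused bits
    '300702020ca1020111'                    # RSAPublicKey: INTEGER 0x0ca1, INTEGER 0x11
)


def toy_pem():
    """Wrap the toy DER in the PEM framing that 'openssl ... -pubkey -noout' prints."""
    b64 = base64.b64encode(TOY_SPKI_DER).decode('ascii')
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return '-----BEGIN PUBLIC KEY-----\n' + '\n'.join(lines) + '\n-----END PUBLIC KEY-----\n'


if __name__ == '__main__':
    live_pin = spki_pin_from_pem(toy_pem())
    # 'BACKUP_PIN_PLACEHOLDER' stands in for the pin of a separately generated backup key.
    print(public_key_pins_header([live_pin, 'BACKUP_PIN_PLACEHOLDER'], 5184000))
```

Because the pin covers only the public key, reissuing a certificate for the same key pair keeps the pin valid, while rotating to a new key pair without having published its pin as the backup locks out every client that cached the header for the remaining max-age (5184000 seconds in the header above is 60 days).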