This page is heavily outdated. New pages are available
Want to score an A+ 100/95/100/100 on SSLLabs? Use my friend's config file/example and adjust it for your own purposes. You can of course implement the same features in Apache, but who wants to use Apache as a "frontend" server nowadays?
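# Configuration by Oscar Koeroo @Okoeroo / okoeroo.net
# HTTPS server
#
# Review notes on what differs from the original listing:
#  - TLSv1 and TLSv1.1 are dropped; both are deprecated (RFC 8996).
#  - OCSP staples are now verified against the trusted chain that the
#    original already configured but did not use for verification.
#  - The per-worker "builtin" session cache is removed in favour of the
#    shared one, and session tickets are disabled so resumption does not
#    depend on a static ticket key that nginx never rotates.
#  - The active cipher list keeps only forward-secret (ECDHE/DHE) suites
#    and drops the duplicated entries and the static-RSA / static-ECDH
#    fallbacks (ECDH-RSA-AES256-SHA, CAMELLIA256-SHA, AES256-SHA).
# Every path, host name and header value is the author's and is kept verbatim.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server ipv6only=on;
    server_name koeroo.net oscar.koeroo.net;
    root /ondisk/oscar.koeroo.net;
    index index.php index.html index.htm;
    access_log /ondisk.log;
    error_log /ondisk.error.log;

    # Do not advertise the nginx version in the Server header and error pages.
    server_tokens off;

    ssl_certificate /ondisk/hosts/oscar.koeroo.net.crt;
    ssl_certificate_key /ondisk/private/oscar.koeroo.net_priv.pem;
    # Server-generated DH group for the DHE-* suites below (presumably
    # 4096-bit, judging by the file name -- confirm with openssl dhparam -text).
    ssl_dhparam /ondisk/private/dh4k.pem;

    # Shared cache only: "builtin" is per worker and nginx documents that it
    # can fragment memory; the shared cache is what gives cross-worker resumption.
    ssl_session_cache shared:SSL:2m;
    ssl_session_timeout 5m;
    # With tickets enabled, a single never-rotated ticket key would let anyone
    # holding it decrypt every resumed session; rely on the server-side cache.
    ssl_session_tickets off;

    # TLS 1.0/1.1 removed. Add TLSv1.3 once nginx is built against OpenSSL
    # 1.1.1 or later (nginx 1.13.0+ accepts the parameter name).
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    # Author's earlier candidate lists, kept for reference only.
    # Most support, but 128bit
    #ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:ECDH-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA;
    # Slightly less support, but all 256 bit
    #ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:ECDH-RSA-AES256-SHA:CAMELLIA256-SHA:AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DES-CBC3-SHA;
    #ssl_ciphers AES256-SHA:CAMELLIA256-SHA:AES256-SHA:AES128-SHA;
    # The next list is 3DES and RC4 only -- suitable for testing a scanner,
    # never for production.
    #ssl_ciphers DES-CBC3-SHA:RC4-MD5;
    # Active list: the original's suites with duplicates removed and the
    # non-forward-secret entries dropped. Order is server-preferred (see above);
    # AEAD (GCM) first, then SHA-2 CBC, then the SHA-1 CBC suites for older clients.
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA;

    ssl_stapling on;
    # Verify the stapled OCSP response against the chain below before it is
    # sent to clients; the original had this off and stapled the response unchecked.
    ssl_stapling_verify on;
    # Local resolver used for the OCSP responder lookup.
    resolver 127.0.0.1;
    ssl_trusted_certificate /ondisk/hosts/oscar.koeroo.net.trusted_chain.crt;

    # One-year HSTS. includeSubDomains/preload are policy decisions and are
    # left out as in the original. These add_header values reach the location
    # blocks below only because none of them sets add_header itself.
    add_header Strict-Transport-Security "max-age=31536000;";
    add_header X-Frame-Options DENY;
    # NOTE(review): HPKP is deprecated and major browsers have removed support;
    # for clients that still honour it, a stale pin locks them out for max-age.
    # Kept verbatim because the pin is the author's; it is not a recommendation.
    add_header Public-Key-Pins "pin-sha256=\"5VOkem8EbRzXYJarz5ad1W6nBmYqDQ+z5hySUMkirVk=\"; max-age=172800;";

    location /pub/ {
        autoindex on;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        #fastcgi_split_path_info ^(.+\.php)(/.*)$; #CVE-2019-11043
        # START OF MITIGATION/"FIX" FOR CVE-2019-11043
        # 1 The location regex capable to handle PATH_INFO and properly check that the extension indeed .php (not .phps) whether there is PATH_INFO or not.
        # 2 The fastcgi_split_path_info regex capable to correctly handle request like /test.php/foo/blah.php or /test.php/
        # 3 Mitigate https://trac.nginx.org/nginx/ticket/321 by using IF instead of try_files
        # Note: this location only matches URIs that end in .php, so a
        # /x.php/y request never reaches it (it falls through to "location /").
        # The non-greedy split regex therefore only matters if the location is
        # widened later; the existence check below is the part doing the work.
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        # Refuse to hand PHP-FPM a script path that is not a regular file.
        # This "if (...) { return ...; }" shape is the one if-in-location
        # pattern nginx documents as safe.
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
        #END OF FIX
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # NOTE(review): this server only listens on 443, yet PHP is told the
        # request is plaintext; applications keyed on $_SERVER['HTTPS']
        # (secure cookie flag, absolute URLs) will act as if served over http.
        # The sub_filter rewrite below looks like it compensates for that --
        # confirm the intent before changing this to "on".
        fastcgi_param HTTPS off;
        # Rewrite every "http:" in the PHP response body to "https:".
        sub_filter 'http:' 'https:';
        sub_filter_once off;
    }

    # Never serve Apache-style dotfiles (.htaccess, .htpasswd) left in the docroot.
    location ~ /\.ht {
        deny all;
    }

    location / {
        # Same body rewrite as the PHP location, applied to static content.
        sub_filter 'http:' 'https:';
        sub_filter_once off;
    }
}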
My website uses Cloudflare as a proxy and WAF but scores lower than that. Click here for the test results for my domain (100/95/90/90) and here for Oscar's (100/95/100/100).