Using Nginx as SSL reverse proxy

While OpenSSL in Debian 7 (wheezy) supports all ciphers needed for perfect forward secrecy, the old Apache 2.2 does not. Instead we can put nginx in front of it as an SSL-only reverse proxy.

The following configuration provides forward secrecy with almost all browsers. The cipher list disables all weak ciphers and protocols and still allows IE8 on WinXP and Java versions above 6. If you don't care about Java or XP, add !AES128:!CAMELLIA128.

If you want an A+ rating from SSL Labs, as this server has, you also have to add an HTTP Strict Transport Security (HSTS) header like the one below.

server {
        listen 443;
        server_name example.com;

        # Terminate TLS here; the certificate bundle must include the chain.
        ssl on;
        ssl_certificate /etc/ssl/certs/example.com-bundle.pem;
        ssl_certificate_key /etc/ssl/private/example.com.key;

        ssl_session_timeout 5m;

        # TLS only: SSLv2/SSLv3 are never offered.
        ssl_protocols TLSv1 TLSv1.2;
        # Drop anonymous, export, MD5, RC4, DES/3DES and plain-RSA key exchange
        # suites, leaving only (EC)DHE suites that provide forward secrecy.
        ssl_ciphers HIGH:!aNULL:!eNULL:!MD5:!EXP:!PSK:!SRP:!DSS:!DES:!RC4:!aECDH:!3DES:!RSA;
        # Let the server, not the client, pick the strongest common suite.
        ssl_prefer_server_ciphers on;
        # HSTS for 200 days, required for the SSL Labs A+ rating.
        add_header Strict-Transport-Security max-age=17280000;

        location / {
                # Pass the client address and original Host to the Apache backend.
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header Host $host;
                proxy_pass http://127.0.0.1:80;

                proxy_redirect     off;
        }

}
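As an added check that is not part of the original post, the following Python script audits a server block like the one above for the properties the text relies on (no SSLv2/SSLv3, weak ciphers and plain RSA key exchange excluded, server cipher preference, HSTS present). It understands only flat `name args;` directives, and the 180-day HSTS floor is an assumption taken from the SSL Labs A+ requirement.

```python
import re

# The page's server block, embedded as the sample input so the audit runs offline.
PAGE_CONFIG = """
server {
        listen 443;
        server_name example.com;
        ssl on;
        ssl_protocols TLSv1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!eNULL:!MD5:!EXP:!PSK:!SRP:!DSS:!DES:!RC4:!aECDH:!3DES:!RSA;
        ssl_prefer_server_ciphers on;
        add_header Strict-Transport-Security max-age=17280000;
}
"""

def directives(config):
    """Return {name: [args, ...]} for the simple 'name args;' directives in a block.
    Comments are dropped; block openers/closers (location, braces) are skipped."""
    found = {}
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.endswith(";"):
            continue
        name, *args = line[:-1].split()
        found.setdefault(name, []).append(args)
    return found

def audit(config, min_hsts_age=15552000):
    """Return a list of findings; an empty list means the block meets the bar."""
    d = directives(config)
    findings = []
    protocols = set(sum(d.get("ssl_protocols", []), []))
    if protocols & {"SSLv2", "SSLv3"}:
        findings.append("legacy SSL protocol enabled")
    tokens = ":".join(a[0] for a in d.get("ssl_ciphers", [])).split(":")
    for excluded in ("!aNULL", "!eNULL", "!MD5", "!EXP", "!RC4", "!3DES"):
        if excluded not in tokens:
            findings.append("cipher list does not exclude " + excluded[1:])
    if "!RSA" not in tokens and "!kRSA" not in tokens:
        findings.append("plain RSA key exchange allowed (no forward secrecy)")
    if d.get("ssl_prefer_server_ciphers", [["off"]])[0] != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on")
    hsts = [a for a in d.get("add_header", []) if a and a[0] == "Strict-Transport-Security"]
    if not hsts:
        findings.append("no HSTS header")
    else:
        age = re.search(r"max-age=(\d+)", " ".join(hsts[0][1:]))
        if not age or int(age.group(1)) < min_hsts_age:
            findings.append("HSTS max-age below %d seconds" % min_hsts_age)
    return findings

if __name__ == "__main__":
    print(audit(PAGE_CONFIG) or "no findings")
```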