Want a perfect SSL Labs score, that is an A+ with 100/100/100/100? Here is my config file as an example; adjust it for your own purposes. You can of course implement the same features in Apache, but who wants to use Apache as a "frontend" server nowadays?
This version is outdated but kept as is for historic purposes. New versions are available.
# Configuration by Angelique Dawnbringer
# HTTPS server
server {
    listen 1.2.3.4:443 ssl;   # "ssl" on the listen line; the old "ssl on;" directive is deprecated
    server_name example.net;
    access_log /var/log/nginx/example.access.log;
    error_log /var/log/nginx/example.error.log;
    server_tokens off;   # do not advertise the nginx version

    ssl_certificate /etc/nginx/ssl/example.net/cert.crt;
    ssl_certificate_key /etc/nginx/ssl/example.net/cert.key;
    ssl_dhparam /etc/nginx/ssl/dh4k.pem;   # 4096-bit DH group for the DHE suites

    ssl_session_cache builtin:1000 shared:SSL:2m;
    ssl_session_timeout 5m;

    ssl_protocols TLSv1.2;   # TLS 1.2 only
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp384r1;   # the nginx default prime256v1 caps the key-exchange score at 90%
    # 256-bit suites only, duplicates removed from the original list; the last three
    # (ECDH-RSA-AES256-SHA, CAMELLIA256-SHA, AES256-SHA) offer no forward secrecy
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:ECDH-RSA-AES256-SHA:CAMELLIA256-SHA:AES256-SHA;

    ssl_stapling on;   # OCSP stapling
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;   # nginx needs a resolver to fetch OCSP responses for stapling

    add_header Strict-Transport-Security "max-age=31536000";   # HSTS, one year

    # Some document root: root / location blocks go here
}
My website uses Cloudflare as a proxy and WAF, so it scores lower than that, but all my internal hosts use this profile since I only want to use TLS 1.2 to begin with. This domain (oceandns) does have the above profile running: check it on SSL Labs.
Are you stuck on 90% for key exchange? Then you most likely haven't changed or hard-coded the ssl_ecdh_curve setting. The default value in nginx is:
    ssl_ecdh_curve prime256v1;
which gives you the equivalent of 3k instead of 4k. Change or set this value to:
    ssl_ecdh_curve secp384r1;
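As an added example (not from the original post or from nginx), a small Python checker that reads an nginx server block and flags the things this post says cost points: anything beyond TLSv1.2, an ssl_ecdh_curve other than secp384r1 (the 90% key-exchange cause), duplicated cipher names, and a Strict-Transport-Security max-age under one year. The sample config is constructed, and the parser only handles one simple directive per line.

```python
import re
# Constructed sample server block (not the author's config) with the things the
# post says cost points: TLS 1.0/1.1 enabled, default curve, duplicate cipher, short HSTS.
SAMPLE_CONF = """
server {
    listen 1.2.3.4:443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
    ssl_stapling on;
    add_header Strict-Transport-Security "max-age=3600;";
}
"""
ONE_YEAR = 31536000
# One simple directive per line: name, arguments, terminating ';', optional comment.
DIRECTIVE_RE = re.compile(r"^\s*([a-z_]+)\s+(.*?);\s*(?:#.*)?$", re.M)

def parse_directives(conf):
    """Map directive name -> list of argument strings (block openers and comments are skipped)."""
    out = {}
    for m in DIRECTIVE_RE.finditer(conf):
        out.setdefault(m.group(1), []).append(m.group(2).strip())
    return out

def check_profile(conf):
    """Return human-readable findings where conf deviates from the post's profile."""
    d = parse_directives(conf)
    findings = []
    protos = d.get("ssl_protocols", ["(nginx default)"])[0]
    if protos != "TLSv1.2":
        findings.append(f"ssl_protocols '{protos}': profile allows TLSv1.2 only")
    curve = d.get("ssl_ecdh_curve", ["prime256v1 (nginx default)"])[0]
    if curve != "secp384r1":
        findings.append(f"ssl_ecdh_curve '{curve}': expect 90% on key exchange, set secp384r1")
    ciphers = d.get("ssl_ciphers", [""])[0].split(":")
    dups = sorted({c for c in ciphers if ciphers.count(c) > 1})
    if dups:
        findings.append("duplicate cipher names: " + ", ".join(dups))
    hsts = [v for v in d.get("add_header", []) if v.startswith("Strict-Transport-Security")]
    age = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    if age is None:
        findings.append("no Strict-Transport-Security header with a max-age")
    elif int(age.group(1)) < ONE_YEAR:
        findings.append(f"HSTS max-age {age.group(1)} is below one year ({ONE_YEAR})")
    return findings

if __name__ == "__main__":
    for f in check_profile(SAMPLE_CONF):
        print("-", f)
```

Running it on the sample prints four findings; feeding it the profile above yields none.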
Have fun!