Hardening NGINX SSL Configuration.

Author: ScIT-Raphael

install/debian/8/nginx/nginx.conf

@@ -2,7 +2,6 @@
 user                    www-data;
 worker_processes        auto;
 worker_rlimit_nofile    65535;
-timer_resolution         50ms; #In order to free some CPU cycles
 error_log               /var/log/nginx/error.log crit;
 pid                     /var/run/nginx.pid;
 
@@ -71,33 +70,35 @@ http {
 
 
     # Cloudflare https://www.cloudflare.com/ips
-    set_real_ip_from 103.21.244.0/22;
-    set_real_ip_from 103.22.200.0/22;
-    set_real_ip_from 103.31.4.0/22;
-    set_real_ip_from 104.16.0.0/12;
-    set_real_ip_from 108.162.192.0/18;
-    set_real_ip_from 131.0.72.0/22;
-    set_real_ip_from 141.101.64.0/18;
-    set_real_ip_from 162.158.0.0/15;
-    set_real_ip_from 172.64.0.0/13;
-    set_real_ip_from 173.245.48.0/20;
-    set_real_ip_from 188.114.96.0/20;
-    set_real_ip_from 190.93.240.0/20;
-    set_real_ip_from 197.234.240.0/22;
-    set_real_ip_from 198.41.128.0/17;
-    set_real_ip_from 2400:cb00::/32;
-    set_real_ip_from 2606:4700::/32;
-    set_real_ip_from 2803:f800::/32;
-    set_real_ip_from 2405:b500::/32;
-    set_real_ip_from 2405:8100::/32;
-    set_real_ip_from 2c0f:f248::/32;
-    set_real_ip_from 2a06:98c0::/29;
+    set_real_ip_from   199.27.128.0/21;
+    set_real_ip_from   173.245.48.0/20;
+    set_real_ip_from   103.21.244.0/22;
+    set_real_ip_from   103.22.200.0/22;
+    set_real_ip_from   103.31.4.0/22;
+    set_real_ip_from   141.101.64.0/18;
+    set_real_ip_from   108.162.192.0/18;
+    set_real_ip_from   190.93.240.0/20;
+    set_real_ip_from   188.114.96.0/20;  
+    set_real_ip_from   197.234.240.0/22;
+    set_real_ip_from   198.41.128.0/17;
+    set_real_ip_from   162.158.0.0/15;
+    set_real_ip_from   104.16.0.0/12;
+    set_real_ip_from   172.64.0.0/13;
+    #set_real_ip_from   2400:cb00::/32;
+    #set_real_ip_from   2606:4700::/32;
+    #set_real_ip_from   2803:f800::/32;
+    #set_real_ip_from   2405:b500::/32;
+    #set_real_ip_from   2405:8100::/32;
     real_ip_header     CF-Connecting-IP;
 
 
+    # openssl dhparam 4096 -out /etc/ssl/dhparam.pem
+    # ssl_dhparam /etc/ssl/dhparam.pem;
+
+
     # SSL PCI Compliance
     ssl_session_cache   shared:SSL:10m;
-    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+    ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers on;
     ssl_ciphers        "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
 

install/debian/9/nginx/nginx.conf

@@ -2,7 +2,6 @@
 user                    www-data;
 worker_processes        auto;
 worker_rlimit_nofile    65535;
-timer_resolution         50ms; #In order to free some CPU cycles
 error_log               /var/log/nginx/error.log crit;
 pid                     /var/run/nginx.pid;
 
@@ -71,33 +70,35 @@ http {
 
 
     # Cloudflare https://www.cloudflare.com/ips
-    set_real_ip_from 103.21.244.0/22;
-    set_real_ip_from 103.22.200.0/22;
-    set_real_ip_from 103.31.4.0/22;
-    set_real_ip_from 104.16.0.0/12;
-    set_real_ip_from 108.162.192.0/18;
-    set_real_ip_from 131.0.72.0/22;
-    set_real_ip_from 141.101.64.0/18;
-    set_real_ip_from 162.158.0.0/15;
-    set_real_ip_from 172.64.0.0/13;
-    set_real_ip_from 173.245.48.0/20;
-    set_real_ip_from 188.114.96.0/20;
-    set_real_ip_from 190.93.240.0/20;
-    set_real_ip_from 197.234.240.0/22;
-    set_real_ip_from 198.41.128.0/17;
-    set_real_ip_from 2400:cb00::/32;
-    set_real_ip_from 2606:4700::/32;
-    set_real_ip_from 2803:f800::/32;
-    set_real_ip_from 2405:b500::/32;
-    set_real_ip_from 2405:8100::/32;
-    set_real_ip_from 2c0f:f248::/32;
-    set_real_ip_from 2a06:98c0::/29;
+    set_real_ip_from   199.27.128.0/21;
+    set_real_ip_from   173.245.48.0/20;
+    set_real_ip_from   103.21.244.0/22;
+    set_real_ip_from   103.22.200.0/22;
+    set_real_ip_from   103.31.4.0/22;
+    set_real_ip_from   141.101.64.0/18;
+    set_real_ip_from   108.162.192.0/18;
+    set_real_ip_from   190.93.240.0/20;
+    set_real_ip_from   188.114.96.0/20;  
+    set_real_ip_from   197.234.240.0/22;
+    set_real_ip_from   198.41.128.0/17;
+    set_real_ip_from   162.158.0.0/15;
+    set_real_ip_from   104.16.0.0/12;
+    set_real_ip_from   172.64.0.0/13;
+    #set_real_ip_from   2400:cb00::/32;
+    #set_real_ip_from   2606:4700::/32;
+    #set_real_ip_from   2803:f800::/32;
+    #set_real_ip_from   2405:b500::/32;
+    #set_real_ip_from   2405:8100::/32;
     real_ip_header     CF-Connecting-IP;
 
 
+    # openssl dhparam 4096 -out /etc/ssl/dhparam.pem
+    # ssl_dhparam /etc/ssl/dhparam.pem;
+
+
     # SSL PCI Compliance
     ssl_session_cache   shared:SSL:10m;
-    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+    ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers on;
     ssl_ciphers        "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
 

install/ubuntu/14.04/nginx/nginx.conf

@@ -92,9 +92,13 @@ http {
     real_ip_header     CF-Connecting-IP;
 
 
+    # openssl dhparam 4096 -out /etc/ssl/dhparam.pem
+    # ssl_dhparam /etc/ssl/dhparam.pem;
+
+
     # SSL PCI Compliance
     ssl_session_cache   shared:SSL:10m;
-    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+    ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers on;
     ssl_ciphers        "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
 

install/ubuntu/16.04/nginx/nginx.conf

@@ -70,33 +70,35 @@ http {
 
 
     # Cloudflare https://www.cloudflare.com/ips
+    set_real_ip_from   199.27.128.0/21;
+    set_real_ip_from   173.245.48.0/20;
     set_real_ip_from   103.21.244.0/22;
     set_real_ip_from   103.22.200.0/22;
     set_real_ip_from   103.31.4.0/22;
-    set_real_ip_from   104.16.0.0/12;
-    set_real_ip_from   108.162.192.0/18;
-    set_real_ip_from   131.0.72.0/22;
     set_real_ip_from   141.101.64.0/18;
-    set_real_ip_from   162.158.0.0/15;
-    set_real_ip_from   172.64.0.0/13;
-    set_real_ip_from   173.245.48.0/20;
-    set_real_ip_from   188.114.96.0/20;
+    set_real_ip_from   108.162.192.0/18;
     set_real_ip_from   190.93.240.0/20;
+    set_real_ip_from   188.114.96.0/20;  
     set_real_ip_from   197.234.240.0/22;
     set_real_ip_from   198.41.128.0/17;
+    set_real_ip_from   162.158.0.0/15;
+    set_real_ip_from   104.16.0.0/12;
+    set_real_ip_from   172.64.0.0/13;
     #set_real_ip_from   2400:cb00::/32;
     #set_real_ip_from   2606:4700::/32;
     #set_real_ip_from   2803:f800::/32;
     #set_real_ip_from   2405:b500::/32;
     #set_real_ip_from   2405:8100::/32;
-    #set_real_ip_from   2c0f:f248::/32;
-    #set_real_ip_from   2a06:98c0::/29;
     real_ip_header     CF-Connecting-IP;
 
 
+    # openssl dhparam 4096 -out /etc/ssl/dhparam.pem
+    # ssl_dhparam /etc/ssl/dhparam.pem;
+
+
     # SSL PCI Compliance
     ssl_session_cache   shared:SSL:10m;
-    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+    ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers on;
     ssl_ciphers        "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
 

install/ubuntu/18.04/nginx/nginx.conf

@@ -2,7 +2,7 @@
 user                    www-data;
 worker_processes        auto;
 worker_rlimit_nofile    65535;
-error_log               /var/log/nginx/error.log;
+error_log               /var/log/nginx/error.log crit;
 pid                     /var/run/nginx.pid;
 
 
@@ -19,14 +19,14 @@ http {
     sendfile                        on;
     tcp_nopush                      on;
     tcp_nodelay                     on;
-    client_header_timeout           60s;
-    client_body_timeout             60s;
+    client_header_timeout           1m;
+    client_body_timeout             1m;
     client_header_buffer_size       2k;
     client_body_buffer_size         256k;
     client_max_body_size            256m;
-    large_client_header_buffers     4 8k;
-    send_timeout                    60s;
-    keepalive_timeout               30s;
+    large_client_header_buffers     4   8k;
+    send_timeout                    30;
+    keepalive_timeout               60 60;
     reset_timedout_connection       on;
     server_tokens                   off;
     server_name_in_redirect         off;
@@ -50,11 +50,9 @@ http {
 
     # Compression
     gzip                on;
-    gzip_static         on;
-    gzip_vary           on;
-    gzip_comp_level     6;
-    gzip_min_length     1024;
-    gzip_buffers        16 8k;
+    gzip_comp_level     9;
+    gzip_min_length     512;
+    gzip_buffers        8 64k;
     gzip_types          text/plain text/css text/javascript text/js text/xml application/json application/javascript application/x-javascript application/xml application/xml+rss application/x-font-ttf image/svg+xml font/opentype;
     gzip_proxied        any;
     gzip_disable        "MSIE [1-6]\.";
@@ -65,40 +63,42 @@ http {
     proxy_set_header    X-Real-IP       $remote_addr;
     proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_pass_header   Set-Cookie;
+    proxy_connect_timeout   90;
+    proxy_send_timeout  90;
+    proxy_read_timeout  90;
     proxy_buffers       32 4k;
-    proxy_connect_timeout   30s;
-    proxy_send_timeout  90s;
-    proxy_read_timeout  90s;
 
-        
+
     # Cloudflare https://www.cloudflare.com/ips
+    set_real_ip_from   199.27.128.0/21;
+    set_real_ip_from   173.245.48.0/20;
     set_real_ip_from   103.21.244.0/22;
     set_real_ip_from   103.22.200.0/22;
     set_real_ip_from   103.31.4.0/22;
-    set_real_ip_from   104.16.0.0/12;
-    set_real_ip_from   108.162.192.0/18;
-    set_real_ip_from   131.0.72.0/22;
     set_real_ip_from   141.101.64.0/18;
-    set_real_ip_from   162.158.0.0/15;
-    set_real_ip_from   172.64.0.0/13;
-    set_real_ip_from   173.245.48.0/20;
-    set_real_ip_from   188.114.96.0/20;
+    set_real_ip_from   108.162.192.0/18;
     set_real_ip_from   190.93.240.0/20;
+    set_real_ip_from   188.114.96.0/20;  
     set_real_ip_from   197.234.240.0/22;
     set_real_ip_from   198.41.128.0/17;
+    set_real_ip_from   162.158.0.0/15;
+    set_real_ip_from   104.16.0.0/12;
+    set_real_ip_from   172.64.0.0/13;
     #set_real_ip_from   2400:cb00::/32;
     #set_real_ip_from   2606:4700::/32;
     #set_real_ip_from   2803:f800::/32;
     #set_real_ip_from   2405:b500::/32;
     #set_real_ip_from   2405:8100::/32;
-    #set_real_ip_from   2c0f:f248::/32;
-    #set_real_ip_from   2a06:98c0::/29;
     real_ip_header     CF-Connecting-IP;
 
 
+    # openssl dhparam 4096 -out /etc/ssl/dhparam.pem
+    # ssl_dhparam /etc/ssl/dhparam.pem;
+
+
     # SSL PCI Compliance
     ssl_session_cache   shared:SSL:10m;
-    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+    ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers on;
     ssl_ciphers        "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
 

src/deb/nginx/nginx.conf

@@ -37,8 +37,8 @@ http {
 
 
     # SSL PCI Compliance
-    ssl_protocols               TLSv1.2 TLSv1.1 TLSv1;
-    ssl_ciphers                 EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
+    ssl_protocols               TLSv1.3 TLSv1.2 TLSv1.1;
+    ssl_ciphers                 "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
     ssl_session_cache           shared:SSL:10m;
     ssl_prefer_server_ciphers   on;