FreeBSD, NGINX and TLSv1.3
After a six-month hiatus, here is a new blog post.
This Saturday I finally found the time to upgrade the configuration of the server
that hosts this very website.
The software stack is pretty simple: FreeBSD (version 12.0-p6), nginx (version 1.15.10) and OpenSSL (version 1.1.1a-freebsd).
Install the required software:
$ pkg install nginx-devel py36-certbot
Get a certificate from Let's Encrypt:
$ certbot-3.6 certonly --standalone -d domain.tld -d www.domain.tld
The certificate files are placed in /usr/local/etc/letsencrypt/live/<domain.tld>; you might, or might not, want to move them to another directory.
Generate Diffie-Hellman parameters and save them in a directory with appropriate permissions (the file name must match the ssl_dhparam directive below):
$ mkdir /usr/local/etc/nginx/ssl && cd /usr/local/etc/nginx/ssl
$ openssl dhparam -out dhparams.pem 4096
$ chmod 600 dhparams.pem
The nginx configuration lives in /usr/local/etc/nginx; edit nginx.conf or the desired vhost file.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name domain.tld www.domain.tld;
    access_log /var/log/nginx/domain.tld-ssl-access.log;
    error_log /var/log/nginx/domain.tld-ssl-error.log;

    # Certificate chain and private key as produced by certbot
    ssl_certificate /usr/local/etc/nginx/ssl/domain.tld/fullchain.pem;
    ssl_certificate_key /usr/local/etc/nginx/ssl/domain.tld/privkey.pem;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # Tickets off: nginx does not rotate the ticket key, which would weaken forward secrecy
    ssl_session_tickets off;

    # OCSP stapling; chain.pem holds the issuer certificates used to verify the stapled response
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /usr/local/etc/nginx/ssl/domain.tld/chain.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    # TLSv1.3 suites are fixed by OpenSSL; this list only governs TLSv1.2 connections
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_dhparam /usr/local/etc/nginx/ssl/dhparams.pem;

    keepalive_timeout 60;
}
Set the nginx service to start at boot by adding nginx_enable="YES" to /etc/rc.conf.
TLS settings can be tested using the following command (the -servername option sends SNI, which matters when several vhosts share the address):
$ openssl s_client -connect domain.tld:443 -servername domain.tld -tls1_3
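One handshake with -tls1_3 only shows that the new protocol works; it does not show that the old ones are refused or that OCSP stapling is actually being served. The script below is an added example, not from the original post: it runs openssl s_client once per protocol version (the -tls1, -tls1_1, -tls1_2, -tls1_3 and -status options of OpenSSL 1.1.1 are assumed) and reduces each transcript to a one-line summary. The host name is a placeholder, and the two embedded transcripts are constructed samples so the summariser can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original post: probe which TLS versions a host
# accepts and reduce each "openssl s_client" transcript to a one-line summary.
# Assumes OpenSSL 1.1.1 (for -tls1_3 and -status); host/port are placeholders.

# Reduce an s_client transcript read from stdin to one line:
#   "<protocol> <cipher> ocsp=<yes|no>"   on a completed handshake
#   "handshake-failed"                    when the server refused the version
summarize_handshake() {
    out=$(cat)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    # On a refused handshake s_client still prints the SSL-Session block,
    # but with cipher 0000 / (NONE).
    if [ -z "$proto" ] || [ -z "$cipher" ] || [ "$cipher" = "0000" ] || [ "$cipher" = "(NONE)" ]; then
        echo "handshake-failed"
        return 1
    fi
    # "-status" makes s_client print the stapled OCSP response, if any
    if printf '%s\n' "$out" | grep -q '^OCSP Response Status: successful'; then
        ocsp=yes
    else
        ocsp=no
    fi
    echo "$proto $cipher ocsp=$ocsp"
}

# Try each protocol version against the server. With the configuration above,
# tls1 and tls1_1 should report handshake-failed and tls1_2 / tls1_3 should
# succeed with ocsp=yes once nginx has fetched its first OCSP response.
# Needs network access, so the offline check below does not call it.
probe_versions() {
    host=$1
    port=${2:-443}
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        printf '%-7s ' "$v"
        openssl s_client -connect "$host:$port" -servername "$host" -status "-$v" \
            </dev/null 2>/dev/null | summarize_handshake || true
    done
}

# Constructed sample transcripts (trimmed to the lines the parser looks at).
SAMPLE_TLS13='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
OCSP Response Status: successful (0x0)
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384'

SAMPLE_REFUSED='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000'

summarize_sample_tls13()   { printf '%s\n' "$SAMPLE_TLS13"   | summarize_handshake; }
summarize_sample_refused() { printf '%s\n' "$SAMPLE_REFUSED" | summarize_handshake || true; }

# Usage: sh tlsprobe.sh domain.tld [port]; with no arguments, run the samples.
if [ $# -gt 0 ]; then
    probe_versions "$@"
else
    summarize_sample_tls13
    summarize_sample_refused
fi
```

The summariser keys on the SSL-Session block because s_client prints it even when the handshake fails, with a zero cipher; that is what makes a refused TLSv1.0 attempt distinguishable from a network error, which prints no Protocol line at all.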
.:. Links
Let's Encrypt
SSL Labs
Mozilla wiki
Mozilla SSL Configuration Generator