Hello beautiful peoples!

Yes, it's 3:15 in the morning while I am typing this. I couldn't sleep… I was messing with some software earlier today and I don't know how it started, but I discovered that my server's Qualys SSL Labs score had all of a sudden dropped to A-, with 2 x 100 and 2 x 90 scores… After I collected my jaw from the ground I started looking into it and found out that they changed the scoring system around March 2025…
I knew I had to fix it, otherwise there was NO chance of me getting any sleep tonight, and so I did…

https://www.ssllabs.com/ssltest/analyze.html?d=andrzej.langow.ski&latest
Here is my nginx config for your convenience:
server {
    # plain HTTP for the bare domain: redirect everything to HTTPS
    if ($host = andrzej.langow.ski) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    root /var/www/html/main/;
    server_name andrzej.langow.ski;
}
server {
    # plain HTTP for www: send it to the bare domain
    listen 80;
    server_name www.andrzej.langow.ski;
    return 301 $scheme://andrzej.langow.ski$request_uri;
}
server {
    # HTTPS for www: also redirected to the bare domain, but with the same TLS settings
    listen 443 ssl http2;
    server_name www.andrzej.langow.ski;
    return 301 $scheme://andrzej.langow.ski$request_uri;
    ssl_trusted_certificate /path/to/your/ca.cer;
    ssl_certificate /path/to/your/fullchain.cer;
    ssl_certificate_key /path/to/www/ssl.key;
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_conf_command CipherSuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_ecdh_curve secp521r1:secp384r1;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_session_cache shared:SSL:50m;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    ssl_session_timeout 30m;
}
server {
    listen 443 ssl http2;
    server_name andrzej.langow.ski;
    ssl_trusted_certificate /path/to/your/ca.cer;
    ssl_certificate /path/to/your/fullchain.cer;
    ssl_certificate_key /path/to/your/not-www/ssl.key;
    # TLS 1.0 and 1.1 are deliberately not offered
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # TLS 1.3 suites (ssl_conf_command needs nginx 1.19.4+ built against OpenSSL 1.1.1+)
    ssl_conf_command CipherSuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
    # TLS 1.2 suites: ECDHE only (forward secrecy) and AEAD only
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_ecdh_curve secp521r1:secp384r1;
    # OCSP stapling; ssl_trusted_certificate above lets nginx verify the stapled response
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_session_cache shared:SSL:50m;
    # note: an add_header inside any location block replaces this one for that location
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    ssl_session_timeout 30m;
    root /var/www/html/main/;
    index index.html index.php .index.php;
    location / {
        try_files $uri $uri/ /index.php?$args;
        # directory listings for paths without an index file; set to off unless you want them public
        autoindex on;
    }
    location ~\.(yml)$ {
        # keep config files out of reach; return 404 takes effect before deny all
        deny all;
        return 404;
    }
    location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        include fastcgi_params;
        fastcgi_read_timeout 240;
        fastcgi_param HTTPS on;
    }
    access_log /var/log/nginx/andrzej.langow.ski_ssl_access.log;
    error_log /var/log/nginx/andrzej.langow.ski_ssl_error.log;
}
Everything in yellow (such as the /path/to/your/... placeholders) you should at least consider changing. Use common sense. Test your config with:
nginx -t
I was looking online and could not find a ready-made solution, so I have decided to post my config.
My config on its own will not sort everything for you. There are other things that you will have to figure out:
– You need to configure php-fpm.
– You need to add a CAA record to your DNS zone that authorises your certificate authority. I bought my domain from OVH and I am getting my SSL certificates from LetsEncrypt.org, so that's what I had to use.

– Your SSL certificate (its RSA key) must be 4096 bit (or more).
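Once the config is live you will want to see what a client actually gets, not just what nginx was told. The script below is an added example of mine, not part of the original post: it opens one TLS connection with Python's standard library, reports the negotiated protocol, cipher and Strict-Transport-Security header, and grades them against the settings the config above aims for (TLS 1.2/1.3 only, ECDHE + AEAD suites, a one-year HSTS max-age with includeSubDomains). The grading is kept in a pure function so it can be checked without a network; the host name and the `tlscheck.py` file name are placeholders.

```python
import http.client
import ssl

MIN_HSTS_AGE = 31536000  # one year, the max-age the post's config sends

def parse_hsts(value):
    """Split a Strict-Transport-Security value into (max_age, includeSubDomains, preload)."""
    max_age, subdomains, preload = 0, False, False
    for directive in (value or "").split(";"):
        name, _, arg = directive.strip().lower().partition("=")
        if name == "max-age" and arg.strip().isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            subdomains = True
        elif name == "preload":
            preload = True
    return max_age, subdomains, preload

def grade(protocol, cipher, hsts_value):
    """Findings against the settings the post tunes; an empty list means they all look right."""
    findings = []
    if protocol not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"legacy protocol negotiated: {protocol}")
    if "GCM" not in cipher and "CHACHA20" not in cipher:
        findings.append(f"non-AEAD cipher negotiated: {cipher}")
    if protocol != "TLSv1.3" and not cipher.startswith(("ECDHE-", "DHE-")):
        findings.append(f"no forward secrecy: {cipher}")  # every TLS 1.3 suite is ephemeral
    if hsts_value is None:
        findings.append("no Strict-Transport-Security header")
    else:
        max_age, subdomains, _preload = parse_hsts(hsts_value)
        if max_age < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age {max_age} is below one year")
        if not subdomains:
            findings.append("HSTS header lacks includeSubDomains")
    return findings

def probe(host, port=443, timeout=10):
    # one connection through the platform trust store; certificate and hostname are verified
    conn = http.client.HTTPSConnection(host, port, context=ssl.create_default_context(), timeout=timeout)
    conn.connect()
    protocol, cipher = conn.sock.version(), conn.sock.cipher()[0]
    conn.request("HEAD", "/", headers={"Connection": "close"})
    hsts_value = conn.getresponse().getheader("Strict-Transport-Security")
    conn.close()
    return protocol, cipher, hsts_value

if __name__ == "__main__":  # usage: python tlscheck.py andrzej.langow.ski
    import sys
    proto, ciph, hsts = probe(sys.argv[1])
    print(proto, ciph, hsts, grade(proto, ciph, hsts) or "no findings")
```

This only reports the single cipher your Python's OpenSSL negotiated; SSL Labs simulates many clients, so a clean result here is a sanity check, not a substitute for the full test.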
Let me know in the comments if you found it helpful. Now that I have applied the fixes to all my domains and subdomains, I am going Zzzzzz. Nitey nite.
I hope this helps!
Catch you on the flip side,
AndrzejL