Configuring reliable SSL for NginX and Apache

Updated Dec 17, 2021

This article lists the basic TLS and response-header settings that improve the security of Apache and Nginx web servers.

Force the use of an encrypted connection

When a user opens a link such as http://hotels.com over open Wi-Fi in a cafe, anyone on the same network can read or alter the traffic, and the user's data can be stolen.

Web servers are often configured to redirect the user from plain HTTP to HTTPS. A redirect alone is not enough: the browser must also be told that the site is only to be used over an encrypted channel. Otherwise every later plain-HTTP request still leaves the device unencrypted, and the redirect itself can be intercepted or stripped by an attacker on the path.

Suppose your site's domain is example.com. The user types http://example.com, the web server redirects to https://example.com, and the user logs in there. Later the user clicks a link to http://example.com in a messenger. The browser sends that request over the open channel, and if the session cookie was set without the Secure attribute it travels along in clear text; the redirect to HTTPS arrives only after the credentials have already crossed the network unencrypted, where anyone on the same Wi-Fi can read them.

This leak is closed by adding one line to the web server configuration: the Strict-Transport-Security (HSTS) response header. After the first visit over an encrypted connection the browser remembers, for max-age seconds, that this host (and, with includeSubDomains, every subdomain) must only be reached over HTTPS, and rewrites any http:// link to https:// before sending anything. Two caveats: the browser ignores the header if it arrives over plain HTTP, so the first-ever visit stays unprotected unless the domain is submitted to the browsers' HSTS preload list, and includeSubDomains applies the policy to every subdomain, so all of them must serve valid HTTPS before it is enabled.
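The following Python model of a browser's HSTS cache is an added example, not code from the original article. It walks through the scenario above (a redirect alone versus a redirect plus the header) and also covers the cases the text only implies: the header is ignored when it arrives over plain HTTP, includeSubDomains covers child hosts, the policy expires after max-age, and max-age=0 clears it. The hosts example.com, mail.example.com and example.org and the header values in the walkthrough are assumed for illustration.

```python
import time
from urllib.parse import urlsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None for a value a browser would ignore (no max-age, or one that
    is not a plain integer). Directive names are case-insensitive (RFC 6797).
    """
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    """Minimal model of a browser's HSTS cache: host -> (expiry, includeSubDomains)."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so that expiry can be tested
        self.policies = {}

    def observe_response(self, url, headers):
        """Record the policy carried by a response to `url`, the way a browser does.

        The header is honoured only over HTTPS, which is why the very first
        plain-HTTP visit to a site is not protected.
        """
        parts = urlsplit(url)
        lowered = {k.lower(): v for k, v in headers.items()}
        value = lowered.get("strict-transport-security")
        if parts.scheme != "https" or value is None:
            return
        parsed = parse_hsts(value)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = (parts.hostname or "").lower()
        if max_age == 0:
            self.policies.pop(host, None)   # max-age=0 tells the browser to forget the host
        else:
            self.policies[host] = (self.now() + max_age, include_sub)

    def should_upgrade(self, url):
        """True if the browser would rewrite this http:// URL to https:// before sending."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return False
        labels = (parts.hostname or "").lower().split(".")
        # Walk from the exact host up through its parent domains.
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expiry, include_sub = policy
            if expiry <= self.now():
                continue                    # policy has expired
            if i == 0 or include_sub:       # exact host, or a parent with includeSubDomains
                return True
        return False


def walkthrough():
    """The scenario from the text: redirect alone versus redirect plus HSTS.

    Returns (no_visit_yet, after_http_only_response, after_https_response,
    subdomain_covered, unrelated_host).
    """
    store = HstsStore()
    hsts = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    messenger_link = "http://example.com/account"   # assumed link for the walkthrough

    before = store.should_upgrade(messenger_link)            # nothing known yet: sent in clear
    store.observe_response("http://example.com/", hsts)      # over HTTP: ignored by the browser
    still_before = store.should_upgrade(messenger_link)
    store.observe_response("https://example.com/", hsts)     # after the redirect, over HTTPS
    after = store.should_upgrade(messenger_link)             # now rewritten to https://
    sub = store.should_upgrade("http://mail.example.com/")   # covered by includeSubDomains
    other = store.should_upgrade("http://example.org/")      # unrelated host: unaffected
    return before, still_before, after, sub, other
```

The first two results of walkthrough() are the unprotected window the text describes: until one response has been received over HTTPS, the browser has nothing to act on and the messenger link is requested in clear text.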

Activating XSS protection

Cross-site scripting (XSS) covers a whole family of attacks. The X-XSS-Protection header switches on the built-in reflected-XSS filter of older browsers and can stop some reflected attacks. Current browsers no longer honour it (Chrome removed its XSS Auditor in version 78, Edge no longer has a filter, and Firefox never implemented one), so treat it as a harmless legacy setting; the modern control for XSS is a Content-Security-Policy header.

Prohibition of using the site in an iFrame

If your pages can be loaded into an iframe on another site, an attacker can overlay them with invisible elements and trick the user into clicking something they did not intend (clickjacking). The X-Frame-Options header tells the browser whether the page may be framed: DENY forbids framing entirely, SAMEORIGIN allows it only from pages of the same origin. Newer browsers express the same policy with the frame-ancestors directive of Content-Security-Policy, which takes precedence when both headers are present.

Using the latest TLS versions

TLS is the protocol that encrypts the connection between browser and server. Only its current versions, TLS 1.2 and TLS 1.3, should be enabled: SSL 3.0, TLS 1.0 and TLS 1.1 have known weaknesses and are deprecated (RFC 8996 formally deprecates TLS 1.0 and 1.1).

Forward Secrecy

Forward secrecy means that each session is encrypted with keys derived from an ephemeral Diffie-Hellman exchange (ECDHE or DHE) rather than from the server's long-term private key. If that private key is stolen later, recorded traffic from earlier sessions still cannot be decrypted. TLS 1.3 only offers forward-secret key exchange; in TLS 1.2 it depends on which cipher suites the server allows, so prefer ECDHE suites. Note that a cipher string such as HIGH:!RC4:!aNULL:!MD5 still permits static RSA key exchange for TLS 1.2 (for example AES256-GCM-SHA384), and adding !kEDH removes the DHE suites as well; to enforce forward secrecy, restrict the list to ECDHE suites.
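As an added check, not part of the original article, the script below uses Python's ssl module, which links against OpenSSL (the library both servers' TLS implementations are normally built on), to expand the two cipher strings from the Nginx and Apache configurations on this page and report which TLS 1.2 suites do not provide forward secrecy. The ECDHE-only string PFS_ONLY is an assumed alternative for comparison, not a value taken from the page.

```python
import re
import ssl

# Cipher strings under test. The first two are the strings from the Nginx and Apache
# configurations on this page; the third is an assumed replacement limited to ECDHE
# suites so that every TLS 1.2 handshake uses an ephemeral key.
PAGE_NGINX = "HIGH:!RC4:!aNULL:!MD5:!kEDH"
PAGE_APACHE = "HIGH:!RC4:!aNULL:!MD5"
PFS_ONLY = "ECDHE+AESGCM:ECDHE+CHACHA20"


def key_exchange(cipher):
    """Key-exchange method of one entry returned by SSLContext.get_ciphers().

    Newer Python builds expose it as 'kea' ('kx-ecdhe', 'kx-dhe', 'kx-rsa', ...);
    older ones only inside the OpenSSL description string ('Kx=ECDH', 'Kx=RSA', ...).
    """
    kea = cipher.get("kea")
    if kea:
        return kea[3:].lower() if kea.startswith("kx-") else kea.lower()
    m = re.search(r"Kx=([^\s/]+)", cipher.get("description", ""))
    return m.group(1).lower() if m else "unknown"


def is_forward_secret(cipher):
    """True if the suite derives session keys from an ephemeral (EC)DH exchange."""
    if cipher.get("protocol") == "TLSv1.3":
        return True  # TLS 1.3 has no static-RSA key exchange at all
    # Covers ecdhe, dhe and their PSK variants (ecdhe-psk, dhe-psk); rsa, psk, srp are static.
    return key_exchange(cipher).startswith(("ecdhe", "dhe", "ecdh", "dh"))


def audit(cipher_string):
    """Expand a cipher string the way OpenSSL on the server does and split the
    resulting suites by forward secrecy. Returns (fs_names, non_fs_names)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    fs, non_fs = [], []
    for c in ctx.get_ciphers():
        (fs if is_forward_secret(c) else non_fs).append(c["name"])
    return fs, non_fs


if __name__ == "__main__":
    for label, s in (("nginx", PAGE_NGINX), ("apache", PAGE_APACHE), ("ecdhe-only", PFS_ONLY)):
        fs, non_fs = audit(s)
        print(f"{label:11} forward-secret: {len(fs):2}  static key exchange: {len(non_fs):2}")
        for name in non_fs:
            print("    not forward secret:", name)
```

Run it on the host where the server is installed, because the expansion of HIGH depends on the OpenSSL version. The suites reported as static key exchange are the ones to drop if forward secrecy is a requirement; TLS 1.3 suites are listed whatever the string says and are always forward secret.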

Nginx Configuration

Add these lines to the server {} block of the virtual host that serves HTTPS; it is the one containing a listen 443 ssl; directive. Note that add_header directives are inherited by a location {} block only if that block defines no add_header of its own, so a location that sets any header must repeat these three.

# HTTPS only for one year, for this host and all subdomains;
# "always" sends the headers on error responses (4xx, 5xx) as well.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Frame-Options "SAMEORIGIN" always;

# Only TLS 1.2 and 1.3. The cipher list applies to TLS 1.2 (TLS 1.3 suites are fixed);
# the server's preference order wins over the client's.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "HIGH:!RC4:!aNULL:!MD5:!kEDH";
ssl_prefer_server_ciphers on;

Apache Configuration

Add these lines inside the <VirtualHost *:443> block of the site configuration (the virtual host that serves HTTPS). The Header directives require mod_headers (a2enmod headers on Debian and Ubuntu), and the TLSv1.3 keyword requires Apache 2.4.36 or newer built against OpenSSL 1.1.1 or newer; on older builds SSLProtocol rejects +TLSv1.3 as an illegal protocol and the server refuses to start.

# "always" sends the headers on error responses as well.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-XSS-Protection "1; mode=block"
# "set" replaces any value the application already emits; "append" would add a
# second, comma-separated value, so the header would no longer be a single value.
Header always set X-Frame-Options "SAMEORIGIN"

# Only TLS 1.2 and 1.3; the cipher list applies to TLS 1.2, and the server's order wins.
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!RC4:!aNULL:!MD5
SSLHonorCipherOrder On
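To confirm that a deployed server really sends the headers configured above, the following added example (not from the article) audits a raw response of the kind that curl -sI https://example.com/ prints. The two responses are constructed samples, one correct and one with typical mistakes; the one-year threshold for max-age matches the value used in the configurations.

```python
import re

# Constructed sample of what `curl -sI https://example.com/` prints for a server
# configured as on this page (sample data, not captured from a real host).
GOOD_RESPONSE = """HTTP/2 200
server: nginx
date: Fri, 17 Dec 2021 10:00:00 GMT
content-type: text/html; charset=utf-8
strict-transport-security: max-age=31536000; includeSubDomains
x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN
"""

# Constructed sample of a common misconfiguration: HSTS with a short lifetime and
# X-Frame-Options emitted twice (what "Header append" produces on top of a value
# the application already set).
BAD_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=3600
X-Frame-Options: SAMEORIGIN
X-Frame-Options: DENY
"""

ONE_YEAR = 31536000  # HSTS max-age used on this page; also the minimum for preloading


def parse_response_headers(raw):
    """Turn a status line plus header lines into {lowercased name: [values]}."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the HTTP status line
        if not line.strip():
            break  # a blank line ends the header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_headers(raw):
    """Return a list of findings; an empty list means the three headers look right."""
    h = parse_response_headers(raw)
    findings = []

    hsts = h.get("strict-transport-security", [])
    if not hsts:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=\"?(\d+)", hsts[0], re.IGNORECASE)
        if m is None:
            findings.append("HSTS has no max-age and will be ignored by browsers")
        elif int(m.group(1)) < ONE_YEAR:
            findings.append(f"HSTS max-age {m.group(1)} is below one year")
        if "includesubdomains" not in hsts[0].lower():
            findings.append("HSTS lacks includeSubDomains")

    xfo = h.get("x-frame-options", [])
    if not xfo:
        findings.append("X-Frame-Options missing (page can be framed: clickjacking)")
    elif len(xfo) > 1 or "," in xfo[0]:
        findings.append("X-Frame-Options sent more than once; use 'set', not 'append'")
    elif xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options value {xfo[0]!r} is not DENY or SAMEORIGIN")

    if "x-xss-protection" not in h:
        findings.append("X-XSS-Protection missing (matters for legacy browsers only)")

    return findings


if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, audit_headers(raw) or ["ok"])
```

To check a live host, paste the output of curl -sI into the script in place of the samples; the check is deliberately independent of the server software, since the headers are what the browser sees.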