A few days ago I had to investigate an SSL issue on one of my customer's servers. He had installed an SSL certificate, but the Nginx SSL configuration was not hardened at all, so he was getting a very poor grade when checking his site at SSL Server Test.
Likewise, if your site scores lower than an A, you should optimize your Nginx SSL configuration. Here are some tips to harden your Nginx SSL configuration.
When nginx is used as a backend server, it talks plain HTTP to the frontend server only (for performance reasons and to simplify setup).
But web applications often need to know whether the traffic between the browser and the server is encrypted (HTTPS), e.g. when checking that a particular part of the site is being accessed securely.
Since only the frontend proxy (the one between nginx and the browser) knows this, the information has to be forwarded to the backend.
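As an added example (not configuration from the original post), the following nginx snippets tie the two points together: a frontend TLS server block with typical unhardened settings shown as comments beside hardened ones, which also passes the original scheme to the backend, and a backend server block that reads it back. The header name X-Forwarded-Proto, the hostname, file paths, resolver and upstream address are assumptions.

```nginx
# --- Frontend proxy: terminates TLS, forwards plain HTTP to the backend ---
server {
    listen 443 ssl;
    server_name example.com;                                   # assumed hostname
    ssl_certificate     /etc/nginx/ssl/example.com.crt;        # assumed paths
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # Unhardened (historic nginx defaults, what an untouched install looks like):
    #   ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    #   ssl_ciphers   HIGH:!aNULL:!MD5;
    # Hardened: modern protocols only, forward-secret AEAD ciphers, server order wins
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # Session resumption via the shared cache; tickets off so a static ticket key
    # cannot undo forward secrecy across a long-running process
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP stapling: nginx fetches revocation status so clients need not
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/chain.pem;          # issuing chain, assumed path
    resolver 127.0.0.53 valid=300s;                            # assumed local resolver

    # HSTS: browsers refuse plain HTTP afterwards; start with a short max-age, then raise it
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://127.0.0.1:8080;                      # backend nginx, plain HTTP
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;            # "https" on this listener
    }
}

# --- Backend nginx: plain HTTP, learns the original scheme from the header ---
# The header is only trustworthy because the backend listens on loopback and is
# therefore unreachable by clients, who could otherwise set it themselves.
map $http_x_forwarded_proto $fastcgi_https {
    default "";
    https   on;
}

server {
    listen 127.0.0.1:8080;
    server_name example.com;
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param HTTPS $fastcgi_https if_not_empty;       # app sees HTTPS=on only when the proxy saw TLS
        fastcgi_pass unix:/run/php/php-fpm.sock;               # assumed socket
    }
}
```

Run `nginx -t` after changing either file, then re-test the site at SSL Server Test to confirm the grade has improved.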
The following is an extremely simplified view of how SSL is implemented and what part the certificate plays in the entire process.
Normal web traffic is sent unencrypted over the Internet. That is, anyone with access to the right tools can snoop on all of that traffic. Obviously, this can lead to problems, especially where security and privacy are necessary, such as in credit card data and bank transactions. The Secure Sockets Layer (SSL) is used to encrypt the data stream between the web server and the web client (the browser).
SSL makes use of what is known as asymmetric cryptography, commonly referred to as public key cryptography (the basis of a public key infrastructure, or PKI). With public key cryptography, two keys are created, one public, one private. Anything encrypted with either key can only be decrypted with its corresponding key. Thus, if a message or data stream were encrypted with the server's private key, it can be decrypted only using the corresponding public key, ensuring that the data could only have come from the server.