SSL Labs has capped my security rating at a B because of the Diffie-Hellman Key Exchange.
After a bit of Googling and some frustration, I came across ScaleScale.com’s article on how to fix this.
Hardening Nginx SSL/TLS Configuration
Since we’re using Easy Engine, Steps 1 and 2 can be skipped as this has already been configured. However, step 3 has not been done. Run the following command:
cd /etc/ssl/certs && openssl dhparam -out dhparam.pem 2048
Then edit the nginx.conf file in /etc/nginx/nginx.conf and add the following line into the HTTP block:
After you save the nginx.conf file, test the Nginx config:
If all is well, go ahead and restart Nginx so the new configuration will take effect.
Tada! Grade A on SSL Labs now.
Another useful site I found today, with recommended cipher configurations for servers, is: https://cipherli.st/
Easy Engine is great, and makes life much easier when you host your own WordPress sites, or any PHP sites really. However, there are some things this awesome autonomous script doesn’t do, like enabling IPv6 for each website. By default IPv6 isn’t turned on for each website. You can see this reflected in the SSL Labs report:
Enabling IPv6 in Nginx
Using your favorite terminal (currently I’m using Cygwin with ConEmu on Windows 10), go ahead and SSH into your server. This is where the process gets a bit daunting, especially if you have as many domains hosted on the server as I do. Once you’ve enabled Let’s Encrypt for a domain, Easy Engine creates a file named ssl.conf in each website’s nginx config folder, which is located in: /var/www/websitedomain.com/conf/nginx/
You’ll notice the first line of the file should read:
Immediately after that, add the line:
listen [::]:443 ssl http2;
You may also need to edit the virtual host file:
and add the lines:
Now test your nginx config file by running: nginx -t
If all is well, go ahead and restart the nginx service:
Now IPv6 will be enabled for each website you did this for. Checking SSL Labs, you can see the certificate for the proper domain is now loaded (don’t forget to click the Clear Cache link).
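Doing this by hand for every domain is the daunting part, so here is a small POSIX sh helper, added as an example and not part of the original post or of Easy Engine, that inserts the IPv6 listen line after the IPv4 one in each site's ssl.conf and skips files that already have it. It assumes the IPv4 line reads listen 443 ssl http2; (the post does not quote it) and that sites live under <root>/<domain>/conf/nginx/ssl.conf; try it on a scratch copy of /var/www first, then run nginx -t before restarting.

```shell
#!/bin/sh
# Added example (not the post's or Easy Engine's own code): idempotently add
# "listen [::]:443 ssl http2;" after the IPv4 443 listener in an ssl.conf.
# Assumption: the IPv4 line is "listen 443 ssl http2;" and the layout is
# <root>/<domain>/conf/nginx/ssl.conf, as described in the post.

# Exit codes: 0 = line added, 2 = already present, 1 = no "listen 443" found.
add_ipv6_listen() {
    conf="$1"
    grep -q 'listen \[::\]:443' "$conf" && return 2
    grep -q '^[[:space:]]*listen 443' "$conf" || return 1
    tmp="$conf.tmp.$$"
    # Insert exactly once, reusing the indentation of the IPv4 listen line.
    awk '
        { print }
        !done && /^[[:space:]]*listen 443/ {
            match($0, /^[[:space:]]*/)
            print substr($0, 1, RLENGTH) "listen [::]:443 ssl http2;"
            done = 1
        }' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Walk every site under the web root, report each file, and print the number
# of files changed as the last line so you know whether a restart is needed.
enable_ipv6_all() {
    root="$1"
    changed=0
    for f in "$root"/*/conf/nginx/ssl.conf; do
        [ -f "$f" ] || continue
        rc=0
        add_ipv6_listen "$f" || rc=$?
        case $rc in
            0) changed=$((changed + 1)); echo "updated:  $f" ;;
            2) echo "already:  $f" ;;
            *) echo "skipped:  $f (no 'listen 443' line)" ;;
        esac
    done
    echo "$changed"
}
```

Run it as enable_ipv6_all /var/www, then nginx -t and restart Nginx only if the final count is non-zero.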
Next, I’d like to cover those B Grades I’m receiving for my website. This will be covered in my next post, Easy Engine: Upgrading SSL Security.