Harden and Optimise Nginx/SSL
By
mrl22
//
1 year ago
Hardens Nginx and Optimises Nginx SSL.
Automates most of this guide: https://beguier.eu/nicolas/articles/nginx-tls-security-configuration.html (DH parameters, TLS 1.2/1.3 cipher policy, session settings, OCSP stapling and security headers).
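#!/usr/bin/env bash
#
# Harden and optimise the Nginx TLS configuration.
#
# Automates https://beguier.eu/nicolas/articles/nginx-tls-security-configuration.html:
#   * generates a 4096-bit DH group for the DHE-* cipher suites,
#   * turns server_tokens off and comments out ssl_* directives in nginx.conf,
#   * writes a TLS 1.2/1.3 policy and a set of security headers into conf.d/,
#   * validates the resulting configuration before restarting Nginx.
#
# Must be run as root. Writes /etc/ssl/certs/dhparam.pem,
# /etc/nginx/conf.d/ssl.conf, /etc/nginx/conf.d/security_headers.conf
# (and conf.d/server_tokens.conf when needed) and edits /etc/nginx/nginx.conf
# in place; a timestamped backup of nginx.conf is kept next to it.

set -euo pipefail

readonly NGINX_CONF=/etc/nginx/nginx.conf
readonly NGINX_CONFD=/etc/nginx/conf.d
readonly DHPARAM=/etc/ssl/certs/dhparam.pem

# Ensure the script is run as root.
# A bare "exit" here would return status 0 and hide the failure from
# callers (CI, configuration management); exit non-zero instead.
if [[ "$EUID" -ne 0 ]]; then
  echo "This script must be run as root" 1>&2
  exit 1
fi

#######################################
# Generate a 4096-bit DH group for the DHE-* suites in ssl.conf.
# Globals:  DHPARAM (written)
# Outputs:  progress messages on stdout
#######################################
generate_dhparam() {
  # The group is public data; reuse an existing one instead of spending
  # the generation time on every run (also lets an operator pre-install
  # the RFC 7919 ffdhe4096 parameters and skip this step entirely).
  if [[ -s "$DHPARAM" ]]; then
    echo "DH parameters already present at $DHPARAM, skipping generation."
    return 0
  fi
  echo "Generating 4096-bit DH parameters..."
  # -dsaparam produces DSA-style (non safe-prime) parameters in seconds
  # rather than hours. That is acceptable only because the DH private key
  # is ephemeral (fresh per handshake); never reuse these parameters with
  # a static DH key. Write to a temp file so an interrupted run does not
  # leave a truncated dhparam.pem that the check above would then accept.
  openssl dhparam -dsaparam -out "${DHPARAM}.tmp" 4096
  mv -- "${DHPARAM}.tmp" "$DHPARAM"
}

#######################################
# Turn server_tokens off, neutralise ssl_* directives in nginx.conf and
# write the TLS policy and security headers into conf.d/.
# Globals:  NGINX_CONF (edited in place, backup kept), NGINX_CONFD (written),
#           DHPARAM (read, referenced from ssl.conf)
# Outputs:  progress messages on stdout, warnings on stderr
#######################################
configure_nginx() {
  local backup
  echo "Configuring Nginx security settings..."

  # conf.d/*.conf is only loaded if nginx.conf includes it (the Debian/
  # Ubuntu and nginx.org packages do). Warn rather than write files that
  # would silently never take effect.
  mkdir -p "$NGINX_CONFD"
  if ! grep -Eq '^\s*include\s+.*conf\.d/\*\.conf\s*;' "$NGINX_CONF"; then
    echo "Warning: $NGINX_CONF does not include $NGINX_CONFD/*.conf; the generated files will not be loaded." 1>&2
  fi

  # Keep a copy of nginx.conf before editing it in place.
  backup="${NGINX_CONF}.bak.$(date +%Y%m%d%H%M%S)"
  cp -a -- "$NGINX_CONF" "$backup"
  echo "Backup of nginx.conf written to $backup"

  # server_tokens off:
  #  - an active directive (possibly "on") is rewritten to off;
  #  - a commented-out "server_tokens off;" is uncommented;
  #  - otherwise the directive is added via conf.d. Appending it to the end
  #    of nginx.conf (as the guide's one-liner does) lands outside the
  #    http{} block and makes nginx refuse to start ("not allowed here").
  if grep -Eq '^\s*server_tokens\s+[^;]+;' "$NGINX_CONF"; then
    sed -i -E 's/^(\s*)server_tokens\s+[^;]+;/\1server_tokens off;/' "$NGINX_CONF"
  elif grep -Eq '^\s*#\s*server_tokens\s+off\s*;' "$NGINX_CONF"; then
    sed -i -E 's/^(\s*)#\s*(server_tokens\s+off\s*;)/\1\2/' "$NGINX_CONF"
  else
    echo "server_tokens off;" > "$NGINX_CONFD/server_tokens.conf"
  fi

  # Comment out every ssl_* directive in nginx.conf so that conf.d/ssl.conf
  # is the single source of truth and nothing conflicts with or duplicates
  # it in the http{} context.
  sed -i 's/^\s*ssl_/#&/' "$NGINX_CONF"

  # TLS policy. Unquoted heredoc on purpose: only $DHPARAM is expanded.
  cat > "$NGINX_CONFD/ssl.conf" <<EOF
# Generated by the harden-nginx script; applies to every server{} block.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;
# Session tickets are off (per the guide): nginx only replaces its ticket
# key on reload, so a long-lived key would undermine forward secrecy.
ssl_session_tickets off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_buffer_size 8k;
# OCSP stapling also needs a "resolver" directive and, for
# ssl_stapling_verify, the issuer chain via ssl_trusted_certificate in the
# server{} block; without them nginx logs a warning and serves no staple.
# Some CAs have stopped offering OCSP, in which case stapling does nothing.
ssl_stapling on;
ssl_stapling_verify on;
# DHE-* suites above need this group (see generate_dhparam).
ssl_dhparam $DHPARAM;
EOF

  # Security headers. Quoted heredoc: nothing is expanded.
  # The guide's second Content-Security-Policy header ("frame-ancestors
  # 'self'" only) is omitted: the first policy already contains that
  # directive, so the duplicate header changed nothing.
  cat > "$NGINX_CONFD/security_headers.conf" <<'EOF'
# Generated by the harden-nginx script.
# NOTE: nginx does not merge add_header across contexts. Any server{} or
# location{} block with its own add_header line silently drops ALL of the
# headers below; repeat them (or "include" this file) in such blocks.
add_header X-Content-Type-Options nosniff;
# Deliberately narrow CSP: no plugins, no <base> changes, Trusted Types
# required for DOM script sinks. require-trusted-types-for 'script' breaks
# applications that are not Trusted-Types ready; adjust per site.
add_header Content-Security-Policy "object-src 'none'; base-uri 'none'; require-trusted-types-for 'script'; frame-ancestors 'self';";
# HSTS with includeSubDomains + preload commits this host and every
# subdomain to HTTPS for a year; confirm all subdomains serve TLS before
# submitting the domain to the browser preload list.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
EOF
}

#######################################
# Validate the new configuration and restart Nginx.
# Restarting on a broken config would take the site down, so nginx -t must
# pass first; on failure the nginx.conf backup is left for manual recovery.
# Globals:  NGINX_CONF (named in the error message)
#######################################
restart_services() {
  echo "Validating Nginx configuration..."
  if ! nginx -t; then
    echo "nginx -t failed; Nginx was NOT restarted. Restore ${NGINX_CONF}.bak.* or fix the configuration, then run 'systemctl restart nginx'." 1>&2
    exit 1
  fi
  echo "Restarting Nginx service..."
  systemctl restart nginx
}

# Execute functions
generate_dhparam
configure_nginx
restart_services
echo "Nginx configuration updated and service restarted successfully."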