Harden and Optimise Nginx/SSL

By mrl22 // 1 month ago

Clone

Hardens Nginx and Optimises Nginx SSL.

Pretty much automates this guide > https://beguier.eu/nicolas/articles/nginx-tls-security-configuration.html

#!/usr/bin/env bash

# Ensure the script is run as root
if [ "$EUID" -ne 0 ]; then 
  echo "This script must be run as root" 1>&2
  exit
fi

# Generate 4096-bit DH group
generate_dhparam() {
  echo "Generating 4096-bit DH parameters..."
  openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096
}

# Configure Nginx security settings
configure_nginx() {
  echo "Configuring Nginx security settings..."

# Uncomment server_tokens off; if it exists, otherwise add it
  if grep -q "# server_tokens off;" /etc/nginx/nginx.conf; then
    sed -i 's/# server_tokens off;/server_tokens off;/' /etc/nginx/nginx.conf
  elif ! grep -q "server_tokens off;" /etc/nginx/nginx.conf; then
    echo "server_tokens off;" >> /etc/nginx/nginx.conf
  fi

# Comment out any existing ssl directives in nginx.conf
  sed -i 's/^\s*ssl_/#&/' /etc/nginx/nginx.conf

# Create a new configuration file for SSL settings
  cat > /etc/nginx/conf.d/ssl.conf <<EOF
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;
ssl_session_tickets off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_buffer_size 8k;
ssl_stapling on;
ssl_stapling_verify on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
EOF

# Create a new configuration file for security headers
  cat > /etc/nginx/conf.d/security_headers.conf <<EOF
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "object-src 'none'; base-uri 'none'; require-trusted-types-for 'script'; frame-ancestors 'self';";
add_header Content-Security-Policy "frame-ancestors 'self';";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
EOF
}

# Restart Nginx service
restart_services() {
  echo "Restarting Nginx service..."
  systemctl restart nginx
}

# Execute functions
generate_dhparam
configure_nginx
restart_services

echo "Nginx configuration updated and service restarted successfully."

Site maintained by Vince Mitchell.

Inspired by original by David Hemphill, Tanner Hearne, & Matt Stauffer.