
Hardening an nginx server

Posted at 2020-10-08

After these changes you should get an A+ rating on the SSL Server Test.
The lines marked with + are the ones that were changed.

Generate a 4096-bit dhparam

openssl dhparam -out dhparam.pem 4096
sudo mv dhparam.pem /etc/nginx/

Edit /etc/nginx/sites-available/default

Edit it with vim or whatever you like. Do it with sudo.
Change this:

/etc/nginx/sites-available/default
    ... (omitted)
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/chattestserveringcp.ml/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/chattestserveringcp.ml/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    ... (omitted)

to this:

/etc/nginx/sites-available/default
    ... (omitted)
+   listen [::]:443 ssl http2 ipv6only=on; # managed by Certbot  # here
+   listen 443 ssl http2; # managed by Certbot  # here
    ssl_certificate /etc/letsencrypt/live/chattestserveringcp.ml/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/chattestserveringcp.ml/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+   ssl_dhparam /etc/nginx/dhparam.pem;  # here: the 4096-bit parameters generated above
+   add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";  # this: HSTS, max-age is one year in seconds
    ... (omitted)

Edit /etc/nginx/nginx.conf

And change this:

/etc/nginx/nginx.conf
    ... (omitted)
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    ... (omitted)

to this:

/etc/nginx/nginx.conf
    ... (omitted)
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
+   server_tokens off;  # here: stop advertising the nginx version in headers and error pages
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    ##
    # SSL Settings
    ##
+   ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE  # here: TLS 1.0 and 1.1 are dropped too
    ssl_prefer_server_ciphers on;
+   ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;  # this: forward-secret AEAD suites only (one cipher name is written on a single line, no spaces)
    ... (omitted)

Done

This should get you an A+.
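To check that a config actually carries the hardening described above before reloading nginx, here is a small audit script. It is an added example, not part of the original article; the sample config strings are constructed from the directives shown on this page, and the six-month HSTS threshold is the minimum SSL Labs requires for the A+ bonus.

```python
import re

# Constructed samples: the relevant directives before and after the changes in the article.
BEFORE = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
# server_tokens off;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
"""
AFTER = """
server_tokens off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_dhparam /etc/nginx/dhparam.pem;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
"""

SIX_MONTHS = 15768000  # minimum HSTS max-age (seconds) for the SSL Labs A+ bonus

def directives(conf):
    """Parse uncommented 'name args;' lines into {name: [args, ...]}.
    Good enough for the flat directives audited here; '#' inside quoted values is not handled."""
    out = {}
    for line in conf.splitlines():
        line = line.split('#', 1)[0].strip().rstrip(';')
        if line:
            name, _, args = line.partition(' ')
            out.setdefault(name, []).append(args.strip())
    return out

def audit(conf):
    """Return a list of findings; an empty list means the article's hardening is in place."""
    d = directives(conf)
    findings = []
    protos = d.get('ssl_protocols', [''])[-1].split()
    if any(p in protos for p in ('SSLv3', 'TLSv1', 'TLSv1.1')):
        findings.append('legacy protocol enabled: ' + ' '.join(protos))
    if d.get('server_tokens', [''])[-1] != 'off':
        findings.append('server_tokens is not off (version leaks in Server header)')
    # Every suite must offer forward secrecy (ECDHE/DHE) and be AEAD (GCM or CHACHA20).
    # If ssl_ciphers is absent the list comes from an include (e.g. Certbot's), so nothing is checked.
    for suite in d.get('ssl_ciphers', [''])[-1].split(':'):
        if suite and not (suite.startswith(('ECDHE-', 'DHE-')) and ('GCM' in suite or 'CHACHA20' in suite)):
            findings.append('non-PFS or non-AEAD cipher suite: ' + suite)
    hsts = [h for h in d.get('add_header', []) if h.startswith('Strict-Transport-Security')]
    m = re.search(r'max-age=(\d+)', hsts[-1]) if hsts else None
    if not m or int(m.group(1)) < SIX_MONTHS:
        findings.append('HSTS header missing or max-age below six months')
    return findings
```

Run it over the real file with `audit(open('/etc/nginx/nginx.conf').read() + open('/etc/nginx/sites-available/default').read())`; directives split across several files are merged because the last occurrence wins.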