andrewjoy.co.uk

Hello

Welcome. There is not much here at the moment; content will follow soon.

NGINX Security

DNS CAA

You should add a DNS CAA record for each domain or subdomain, authorising letsencrypt.org as the issuer; add it at your DNS provider. The provider has to support CAA records. Cloudflare does, though I would not use all the crappy features they provide unless you are running a huge website or something; just use the DNS.

SSL Settings

We want to use only modern encryption for SSL, so we disable TLSv1.0 and 1.1 and also disable any insecure ciphers. This will cause some older browsers or operating systems to throw an error, e.g. Safari 8 and older on iOS and OS X, and Windows Phone 8.1 and older (so the three people with Windows Phone 8.1 devices are out of luck). We also enable Strict Transport Security and some other things.

Harden NGINX

We harden NGINX against some basic attacks. We again disable TLSv1.0 and 1.1 here; we could remove this from the default nginx.conf file as it is already in options-ssl-nginx.conf, but it is doing no harm.
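The settings described in the SSL Settings and Harden NGINX sections, as an added example (not the site's own config): the weak line is shown commented out beside the hardened one. The domain, certificate paths, the "before" lines and the CAA record in the comment are assumptions for illustration.

```nginx
# Added example, not this site's config. example.com, the certificate
# paths and the commented-out "weak" lines are assumed for illustration.

# Matching DNS CAA record in zone-file syntax, set at the DNS provider
# (not nginx config, shown for reference):
#   example.com. IN CAA 0 issue "letsencrypt.org"

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Weak: still accepts TLSv1.0 and TLSv1.1 (shown for contrast only)
    # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Hardened: modern protocol versions only. Breaks Safari 8 and older
    # and Windows Phone 8.1 and older, as noted above.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Weak (nginx default): "HIGH" still admits CBC suites and RSA key
    # exchange, which has no forward secrecy
    # ssl_ciphers HIGH:!aNULL:!MD5;
    # Hardened: AEAD, forward-secret ECDHE suites only
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # Session resumption via the server-side cache; tickets off because a
    # long-lived static ticket key would undermine forward secrecy
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Strict Transport Security for two years; "always" also sends the
    # header on error responses
    add_header Strict-Transport-Security "max-age=63072000" always;

    # Do not advertise the nginx version in headers and error pages
    server_tokens off;
}

# Plain HTTP only redirects to HTTPS, so nothing is served in clear
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
```

After reloading, the ssllabs.com test listed under Testing should report only TLS 1.2 and 1.3 offered, with HSTS detected.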

NGINX config

File to edit /etc/nginx/nginx.conf

Site Config

File to edit /etc/nginx/sites-available/* (your site's config file)

Testing

SSL config: ssllabs.com! (you should get an A+)
HTTP/2: tools.keycdn.com
HTTP Markup: validator.w3.org

Thanks

For ciphers: fr921.wordpress.com
Nginx Security: linuxtechi.com
SSL Config: ssl-config.mozilla.org

Email Server Settings

Below is the config for my email server, as a reminder to myself. To add a new user:

set a password

SERVER: mail.andrewjoy.co.uk
IN: 993 SSL/TLS
OUT: STARTTLS 587
USER: the user's Unix username