If you use Laravel Forge to provision your servers, you probably already know that it can install SSL via Let’s Encrypt. The process is as simple as clicking two buttons: one for the install and a second to activate. However, what Forge fails to mention is that you need to add a couple more directives to Nginx. In fact, even Forge itself (which is provisioned with Forge) does not add these extra directives. You can see this by clicking the lock icon in Chrome and then the connection tab.
We can get more information by testing SSL using Qualys’ SSL Labs. After running the test, we see that Forge’s grade is capped at B because the server supports weak Diffie-Hellman (DH) key exchange parameters. So, how can we fix it?
Mozilla provides recommendations for Nginx configuration and even offers an SSL configuration generator specific to your server and OpenSSL versions. Using the modern profile is safe at this point unless you need to support really old browsers. If you do, you’re on your own. If you don’t, we simply need to generate a strong DH key and add a few directives to our Nginx config.
To generate the key:
sudo openssl dhparam -out dhparam.pem 2048
Move the key:
sudo mv dhparam.pem /etc/ssl/certs/dhparam.pem
Then edit your Nginx config. You can do this in Forge or from the command line.
sudo nano /etc/nginx/sites-enabled/yoursite.com
Add the following directives in the server section of your config file. Right after the Forge lines will work fine:
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
Go ahead and restart Nginx and you should be good to go.
sudo /etc/init.d/nginx restart
Now when you check Chrome you will see that your connection is secured by a modern cipher suite, and when you run the Qualys test you should get an A+.
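Before restarting Nginx it helps to confirm that the edited server block actually carries the directives above. The audit function below is an added example written for this post, not part of Forge or the original article; the two sample configs are constructed (certificate paths are placeholders) to show a Forge-style block before and after the edit.

```shell
#!/bin/sh
# Hypothetical helper: check an Nginx server block for the hardening directives
# the post adds. Prints each problem found and returns the number of failures
# (0 means the block passes every check).
audit_ssl_config() {
    conf="$1"
    failures=0
    # 1. A custom DH group must be configured so weak default DH params are not used
    grep -Eq '^[[:space:]]*ssl_dhparam[[:space:]]+' "$conf" \
        || { echo "missing: ssl_dhparam"; failures=$((failures + 1)); }
    # 2. The protocol list must be explicit and must not allow SSLv2/SSLv3
    if ! grep -Eq '^[[:space:]]*ssl_protocols[[:space:]]+' "$conf"; then
        echo "missing: ssl_protocols"; failures=$((failures + 1))
    elif grep -E '^[[:space:]]*ssl_protocols' "$conf" | grep -Eq 'SSLv[23]'; then
        echo "weak: ssl_protocols allows SSLv2/SSLv3"; failures=$((failures + 1))
    fi
    # 3. The server, not the client, should pick the cipher suite
    grep -Eq '^[[:space:]]*ssl_prefer_server_ciphers[[:space:]]+on;' "$conf" \
        || { echo "missing: ssl_prefer_server_ciphers on"; failures=$((failures + 1)); }
    # 4. HSTS must be sent so browsers stop downgrading to plain HTTP
    grep -Eq '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security' "$conf" \
        || { echo "missing: Strict-Transport-Security header"; failures=$((failures + 1)); }
    return "$failures"
}

# Constructed sample: a Forge-style block with only the certificate lines (placeholder paths)
before=$(mktemp)
cat > "$before" <<'EOF'
server {
    listen 443 ssl;
    server_name yoursite.com;
    ssl_certificate /path/to/server.crt;
    ssl_certificate_key /path/to/server.key;
}
EOF

# Constructed sample: the same block after adding the post's directives
after=$(mktemp)
cat > "$after" <<'EOF'
server {
    listen 443 ssl;
    server_name yoursite.com;
    ssl_certificate /path/to/server.crt;
    ssl_certificate_key /path/to/server.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security max-age=15768000;
}
EOF

if audit_ssl_config "$before"; then echo "before: pass"; else echo "before: FAIL"; fi
if audit_ssl_config "$after"; then echo "after: pass"; else echo "after: FAIL"; fi
```

Run it against your real file with `audit_ssl_config /etc/nginx/sites-enabled/yoursite.com`; it only reads the config, so it is safe to run before `nginx -t` and the restart.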