Let’s Encrypt is a new automated SSL certificate authority. Because it is free, it is opening the doors to an exciting new era of secure servers and technologies. Laravel Forge was recently to allow one-click installations of Let’s Encrypt certificates. It is now easier than ever to have your own SSL!
Let’s take a few extra minutes to optimize your server and help it perform faster and be more secure. In this tutorial we will look at using SSL session caching, HTTP Strict Transport Security (HSTS), and Hypertext Transfer Protocol 2 (HTTP/2).
- A forge-managed server.
- Site running under SSL.
- nginx 1.9.5 or higher for HTTP/2 (everything else should work).
Multiple HTTPS sites on a single IP address will cause nginx to use SNI to establish an SSL connection. Internet Explorer 8 and below on Windows XP, as well as Android 2.3.7, do not support SNI. They will likely report a broken certificate, or might not be able to connect at all. This is only something to worry about if you need to support old browsers.
SSL Log-Jam Fix
Forge now includes a recipe to apply the Diffie-Helmann Log-Jam Vulnerability patch. Run that against the server in question before performing the following steps.
Enabling SSL can slow down your site’s load times, especially if you have many files. Each request has some overhead of SSL negotiation. before a response gets issued. Setting up SSL session caching eliminates renegotiation for each request unless the cache expires.
Using an optimized cypher suite will further harden our security configuration. This will address browser compatibility and cypher blacklists.
We will also enable Online Certificate Status Protocol (OCSP) stapling. The server will cache the revocation status of the SSL certificates. This eliminates the need to query the certificate authority each time.
All these settings are best set up as a recipe in Laravel Forge. You can then run it with ease against any of your servers:
Here is the script depicted above:
Note: adding this recipe to a server will not affect the non-SSL-secured web sites on your server.
HTTP Strict Transport Security (HSTS)
HSTS is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol.
Enabling HSTS gives us all the benefits for browsers that support it. It also won’t affect browsers that don’t support it.
Lets get to it. For this we need to edit your sites nginx configuration file. You can get to it using the Edit Files drop-down on your site screen in Laravel Forge:
Add the following line to your server block:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
Note: some tutorials include a trailing “always” keyword. But that isn’t the correct usage of the command in this case. It should not be in every response. Instead, the browser will determine the correct usage of the HSTS header once it sees it.
This is by far the simplest step. In your site’s nginx configuration file add “http2” to the end of the listen line for the server block.
listen 443 ssl http2;
Note: Do not add this to the non-ssl server block listening on port 80.
Wrapping Things Up
All that’s left now is to reload nginx and test your server’s SSL configuration.
Next head to SSL Labs and test your certificate. You should now be sporting a solid “A+”! Congratulations on making the internet a faster and safer place! If you go to your site now, you should notice an appreciable speed increase compared to before.