If you're following the mini series, this is part 3!
First we need a basic server block listening on 443. In the example below I have enabled HTTP/2 and moved the TLS configuration into a snippet file, so it can be included in multiple server blocks if needed. The ssl_certificate and ssl_certificate_key directives point at our certificate and private key.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    include snippets/ssl-params.conf;
    server_name norefseclan.uk www.norefseclan.uk;
    add_header Referrer-Policy "no-referrer";
    ssl_certificate /etc/ssl/certs/norefseclan_cert.pem;
    ssl_certificate_key /etc/ssl/private/norefseclan_key.pem;
}
Now let's create the ssl-params.conf file. SSL Labs has an excellent SSL Best Practice Guide that goes into significant detail about cipher suites and server configuration. Below is a config that will work for most current browsers; it is not necessarily the best or safest choice for you.
Create a dhparam file. These parameters define the group OpenSSL uses for the Diffie-Hellman key exchange.
sudo openssl dhparam -out /etc/nginx/dhparam.pem 4096
The resolvers in this case are 1.1.1.1 (Cloudflare) and 8.8.8.8 (Google); nginx uses them for the OCSP stapling lookups. Change these to your preferred resolvers. There are also some example headers for enhanced security or usability, such as X-Frame-Options and X-XSS-Protection.
ssl_protocols TLSv1.3; # choose your protocols; TLS 1.2 and 1.3 are recommended
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem; # dhparam file if you need/want DHE suites
ssl_ciphers EECDH+AESGCM:EDH+AESGCM; # your chosen ciphers (applies to TLS 1.2 and below; TLS 1.3 suites are fixed)
ssl_ecdh_curve secp384r1; # chosen ECDH curve
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 8.8.8.8 valid=300s; # resolvers used for OCSP stapling
resolver_timeout 5s;
# You can uncomment the following line if you understand the implications (HSTS is hard to undo once browsers have cached it).
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
You can test your config before actually restarting the server with:
nginx -t
# Output should be something like:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
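nginx -t checks that the files parse and load, not whether the settings are sound. As an added example that is not part of this post or of nginx, here is a small Python linter for a snippet like the one above: it flags deprecated protocols, session tickets left on, stapling without verification, missing headers, and (by a filename heuristic) swapped ssl_certificate/ssl_certificate_key paths; the two sample configs are constructed.

```python
import os

# Added example: a linter for an nginx TLS snippet in the style of ssl-params.conf.
# It is not nginx's tooling; the thresholds below are this example's own choices.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WANTED_HEADERS = {"X-Frame-Options", "X-Content-Type-Options", "Referrer-Policy"}

def parse_directives(text):
    """Yield (name, args) per directive; '#' comments and block braces are dropped."""
    code = " ".join(l.split("#", 1)[0] for l in text.splitlines())
    for stmt in code.replace("{", ";").replace("}", ";").split(";"):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]

def lint_ssl_config(text):
    """Return a list of (severity, message) findings for an nginx TLS config."""
    by_name = {}
    for name, args in parse_directives(text):
        by_name.setdefault(name, []).append(args)
    findings = []
    protos = set(sum(by_name.get("ssl_protocols", []), []))
    if protos & WEAK_PROTOCOLS:
        findings.append(("high", f"deprecated protocols enabled: {sorted(protos & WEAK_PROTOCOLS)}"))
    # nginx enables session tickets by default, so a missing directive means they are on.
    if by_name.get("ssl_session_tickets", [["on"]])[0] != ["off"]:
        findings.append(("medium", "ssl_session_tickets not off; rotate ticket keys or disable"))
    if by_name.get("ssl_stapling") == [["on"]] and by_name.get("ssl_stapling_verify") != [["on"]]:
        findings.append(("low", "ssl_stapling on without ssl_stapling_verify on"))
    headers = {args[0] for args in by_name.get("add_header", []) if args}
    for h in sorted(WANTED_HEADERS - headers):
        findings.append(("low", f"missing add_header {h}"))
    # Heuristic for the swapped-paths mistake: a cert file named *key* or a key file named *cert*.
    cert = os.path.basename(by_name.get("ssl_certificate", [[""]])[0][0])
    key = os.path.basename(by_name.get("ssl_certificate_key", [[""]])[0][0])
    if "key" in cert.lower() or "cert" in key.lower():
        findings.append(("high", "ssl_certificate/ssl_certificate_key paths look swapped"))
    return findings

# Constructed samples: the post's settings, and a weakened copy with the paths swapped.
GOOD = """ssl_protocols TLSv1.3; ssl_session_tickets off; ssl_stapling on; ssl_stapling_verify on;
add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy "no-referrer";
ssl_certificate /etc/ssl/certs/norefseclan_cert.pem; ssl_certificate_key /etc/ssl/private/norefseclan_key.pem;"""
WEAK = """ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_stapling on; add_header X-Frame-Options DENY;
ssl_certificate /etc/ssl/certs/norefseclan_key.pem; ssl_certificate_key /etc/ssl/private/norefseclan_cert.pem;"""
```

Feed it the concatenated contents of your server block and snippet file (for example `lint_ssl_config(open("/etc/nginx/snippets/ssl-params.conf").read())`) and fix anything it reports before reloading nginx.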
You can then restart the nginx service.
systemctl restart nginx
Next up, DNS config!