Enable Secure SSL with HTTP2 support in NGINX for WordPress

Following my previous blog to generate a wildcard SSL Certificate from Let’s Encrypt for *.aventistech.com

su -
Password:
cd /etc/letsencrypt/live/aventistech.com/
ls
#You should see the following SSL Cert  
README  cert.pem  chain.pem  fullchain.pem  privkey.pem

#Create a SSL Directory for Nginx and Copy fullchain.pem & privkey.pem 
mkdir /etc/nginx/ssl
cp /etc/letsencrypt/live/aventistech.com/fullchain.pem /etc/nginx/ssl/fullchain.pem
cp /etc/letsencrypt/live/aventistech.com/privkey.pem /etc/nginx/ssl/privkey.pem

Enable SSL with http2 support in Nginx Configuration file

vi /etc/nginx/sites-available/wordpress 

  listen 443 ssl http2;
  listen [::]:443 ssl https;

  ssl_certificate /etc/nginx/ssl/fullchain.pem;
  ssl_certificate_key /etc/nginx/ssl/privkey.pem;

Verfiy Nginx configuration file and reload it to enable SSL with http2 support

nginx -t 
systemctl reload nginx

Edit the /etc/nginx/sites-available/wordpress with the following to further enhance the SSL Security of Nginx

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
#Disable TLS 1.0 
ssl_protocols TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";

 # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

You will need to enable HSTS in order to get A+ in https://www.ssllabs.com/ssltest

HTTP Strict Transport Security (HSTS) header tells the client that this website should always be visited through HTTPS.

Reference
1. HTTP2
2. https://mozilla.github.io/server-side-tls/ssl-config-generator/ – To provide the standard secure HTTPS configuration for Nginx
3. https://www.ssllabs.com/ssltest – To verify whether Nginx is HTTP2 enabled