Looks like the bava has finally gotten the a-listing it has long deserved!* Well, at least its SSL certificate did, alas the bava is still but a “b” blog. So, another note for the bavaserver series is that SSL certificates have ratings, and by default the SSL certificate I installed was rated B, rather than A. This is not unlike the restaurant rating system in cities around the USA, when did we become some scared of the joy of sleazy? I mean who wants to eat at a b-rated restaurant anymore, especially when you can eat at an A-lister. By that logic I ‘m doing no favors for this blog content, but at least you can enjoy the guilty pleasure with the peace of mind that our SSL certificate is A-rated! You can test your certificate here: https://www.ssllabs.com/ssltest/analyze.html
The idea is to create “a strong Diffie-Hellman group, which is used in negotiating Perfect Forward Secrecy with clients.” Quote from this guide at DO.
You do this by with the following command:
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048This takes a bit, but when it’s done you will have a strong DH group at /etc/ssl/certs/dhparam.pem that is used in your Nginx configuration. On the other hand, I believe the Certbot brought to you by the fine folks at the EFF does this by default, so that is probably the better route.
One more thing, when reviewing this I figured out how to force my blog to load over HTTPs. I’ll just copy over my comment to myself on the previous post:
Looks like I figured out how to force SSL on bavatuesdays, I created
/etc/nginx/conf.d/ssl-redirect.confAnd added the following configuration:
server {
listen 80;
server_name ;
return 301 https://$host$request_uri;
}
Here were the resources I found for this:
https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-on-centos-7
https://stackoverflow.com/questions/34341782/nginx-server-directive-is-not-allowed-here
*Do you remember when blogging was a thing and there were A-lister bloggers? I hated them all.
