SOP-3 Edge Security and Nginx Hardening
Status: PRODUCTION
Security Level: TLS 1.3 / HSTS Preload
Objective: With the software set up, the automation in place and the deployment working between the two computers, the next step is to publish it under my portfolio domain.
1. Protocol & Cipher Suite Selection
To give this resource a high security posture, I moved away from legacy protocols (TLS 1.0/1.1) and optimized the handshake for modern clients.
- Protocols: Restricted to TLSv1.2 and TLSv1.3.
- Ciphers: Prioritized Perfect Forward Secrecy (PFS) so that if the private key is compromised in the future, past sessions remain encrypted.
- DH Parameters: Generated a custom 2048-bit Diffie-Hellman group to replace the NGINX default parameters.
Nginx
# My SSL Configurations
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
- This is at the top of my NGINX configuration so encryption applies at both the local and public layers of the network.
2. Hardening Security Headers
Beyond encryption, the server was configured to mitigate client-side vulnerabilities like Clickjacking, Cross-Site Scripting (XSS), and MIME-type sniffing.
- HSTS (HTTP Strict Transport Security): Forces browsers to use HTTPS for the next 12 months, preventing protocol downgrade attacks.
- X-Frame-Options: Set to SAMEORIGIN to prevent the site from being embedded in malicious iframes.
- Content Security Policy (CSP): Restricted source domains to prevent unauthorized script execution.
Nginx
# Security Headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
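The following is an added example, not part of the original SOP: an offline check that parses a response head and verifies the Section 2 policy (HSTS of at least one year with includeSubDomains, X-Frame-Options, nosniff, and a CSP present), the kind of self-audit that complements the Section 4 scans. The sample response is constructed, and its Content-Security-Policy line is an assumption since the config above does not show that directive.

```python
"""Offline check of an HTTP response head against the Section 2 header policy.
Added example, not the SOP's own code; the sample response is constructed."""
import re

# Constructed sample: what the Section 2 config would emit, plus an assumed CSP.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return {lower-case name: value} from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers):
    """Return a list of findings; an empty list means the policy is met."""
    findings = []
    hsts = headers.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m or int(m.group(1)) < 31536000:  # 12 months, as in Section 2
        findings.append("HSTS missing or max-age below one year")
    if "includesubdomains" not in hsts.lower():
        findings.append("HSTS lacks includeSubDomains")
    if headers.get("x-frame-options", "").upper() not in ("SAMEORIGIN", "DENY"):
        findings.append("X-Frame-Options not SAMEORIGIN/DENY")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options not nosniff")
    if "content-security-policy" not in headers:
        findings.append("Content-Security-Policy header absent")
    return findings


if __name__ == "__main__":
    for line in audit_headers(parse_headers(SAMPLE_RESPONSE)) or ["policy met"]:
        print(line)
```

Feed it the head captured from a real response (for example the output of `curl -sI`) to see which of the Section 2 directives are actually reaching the client.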
3. Performance & Optimization (The "Caching" Flag)
To reduce the I/O load on the Samba share and improve user experience, I implemented server-side caching for static assets.
- Buffer Tuning: Optimized buffer sizes to handle larger headers safely.
- Static Caching: Set long-term expiration for images, CSS, and JS files.
Nginx
location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
expires 30d;
add_header Cache-Control "public, no-transform";
}
4. Validation & Auditing
The configuration was validated using industry-standard auditing tools to confirm the security posture.
- SSL Labs Rating: A+
- SecurityHeaders.com: A
Engineer's Note: Security is a moving target. This configuration is reviewed quarterly against the OWASP Top Ten and Mozilla SSL Configuration Generator recommendations.