Getting the A+

NOTICE: This blog post is ancient at this point. Please use or anything else instead of the following content. 2019-06-23

I've been determined recently to get the A+ rating on It's driving me mad and I have FINALLY figured it out. So here's how to do it.


OS: Debian 7 Wheezy
Webserver: nginx 1.6

The following is the nginx config you should use. This would go into your /etc/nginx/sites-enabled/[sitename] config file.


  1. Grab an offical SSL cert via your favorite provider
  2. Grab the providers CA certs and staple them together in the correct order


    server {
        listen          			443 default_server;
        root						/var/www/;
        ssl_ciphers 				"AES256+EECDH:AES256+EDH";
        ssl_protocols				TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers 	on;
        ssl_dhparam				  /etc/ssl/certs/dhparam.pem;
        ssl_session_cache 			shared:SSL:10m;
        add_header 				Strict-Transport-Security "max-age=63072000; includeSubDomains";
        add_header 				X-Frame-Options DENY;
        add_header 				X-Content-Type-Options nosniff;
        ssl_stapling 			on; 
        ssl_stapling_verify 	on; 
        resolver 				[DNS-IP-1] [DNS-IP-2] valid=300s;
        resolver_timeout 		5s;

In the above config, we specify a new ssl_dhparam file. This is because nginx by default uses OpenSSL's 1024 bit key. Instead, we want a 4096 bit key. You'll need to generate this file using the following command (It's going to take a while...): cd /etc/ssl/certs/ && openssl dhparam -out dhparam.pem 4096

Now, test the config with nginx -t and if that's successfuly run service nginx restart.

My Results! SSLLabs Rating

unsplash-logoChris Ried