3.2.3.2 SSL Configurations

1.) Create a “ssl.conf” file

  • On Windows, under <Installation Directory>\nginx\

ssl on;
ssl_certificate "C:/Program Files/OPSWAT/Metadefender Core/nginx/your.crt";
ssl_certificate_key "C:/Program Files/OPSWAT/Metadefender Core/nginx/your.key";

  • On Linux, under /etc/ometascan/nginx.d/

ssl on;
ssl_certificate /etc/ometascan/nginx.d/your.crt;
ssl_certificate_key /etc/ometascan/nginx.d/your.key;

2.) A restart of the “OPSWAT Metadefender Core” service is required.

Advanced SSL configurations

1.) Explicitly allow specific TLS versions, optionally with preferred ciphers. For example:

ssl on;
ssl_certificate "C:/Program Files/OPSWAT/Metadefender Core/nginx/your.crt";
ssl_certificate_key "C:/Program Files/OPSWAT/Metadefender Core/nginx/your.key";
 
ssl_protocols tlsv1.1 tlsv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256;

2.) Use SSL private key and(or) certificate which is encrypted with a passphrase. Strongly recommended to put the passphrase file(s) into a secured vault where only MetaDefender Core can access.

A reference for typical practice: https://www.nginx.com/blog/protecting-ssl-private-keys-nginx-hashicorp-vault/

ssl on;
 
ssl_certificate "C:/Program Files/OPSWAT/Metadefender Core/nginx/cert.pem";
ssl_certificate_key "C:/Program Files/OPSWAT/Metadefender Core/nginx/your_encrypted.key";
ssl_password_file "/etc/keys/private.pass";
 
ssl_protocols tlsv1.1 tlsv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

For more SSL-options please consult Nginx documentation.