3.2.3.2 SSL Configurations
1.) Create an "ssl.conf" file containing the certificate and private key directives. Use a private key file readable only by the account the service runs as.
- On Windows, under <Installation Directory>\nginx\
    ssl on;
    ssl_certificate "C:/Program Files/OPSWAT/Metadefender Core/nginx/your.crt";
    ssl_certificate_key "C:/Program Files/OPSWAT/Metadefender Core/nginx/your.key";
- On Linux, under /etc/ometascan/nginx.d/
    ssl on;
    ssl_certificate /etc/ometascan/nginx.d/your.crt;
    ssl_certificate_key /etc/ometascan/nginx.d/your.key;
2.) Restart the "OPSWAT Metadefender Core" service for the new configuration to take effect.
Advanced SSL configurations
1.) Explicitly allow specific TLS versions, optionally with preferred ciphers. For example:
    ssl on;
    ssl_certificate "C:/Program Files/OPSWAT/Metadefender Core/nginx/your.crt";
    ssl_certificate_key "C:/Program Files/OPSWAT/Metadefender Core/nginx/your.key";
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256;
Note that TLS 1.0 and 1.1 are deprecated (RFC 8996); for a new deployment list only TLSv1.2, plus TLSv1.3 where the bundled nginx and its OpenSSL support it. Any version not named in ssl_protocols is refused by nginx, so verify the clients that talk to the Core API before narrowing the list.
2.) Use an SSL private key and/or certificate that is encrypted with a passphrase. It is strongly recommended to keep the passphrase file(s) in a secured vault that only MetaDefender Core can access. nginx reads the file named by ssl_password_file when the configuration is loaded, one passphrase per line, and tries each in turn until the key decrypts, so the file must be readable by the nginx master process at start-up and should be readable by nothing else.
A reference for typical practice: https://www.nginx.com/blog/protecting-ssl-private-keys-nginx-hashicorp-vault/
    ssl on;
    ssl_certificate "C:/Program Files/OPSWAT/Metadefender Core/nginx/cert.pem";
    ssl_certificate_key "C:/Program Files/OPSWAT/Metadefender Core/nginx/your_encrypted.key";
    ssl_password_file "/etc/keys/private.pass";
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
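The following checker is an added example for this page, not OPSWAT's or nginx's own code. It parses the flat directive syntax of an ssl.conf fragment like the ones above and reports what a reviewer would push back on: deprecated protocol versions, cipher suites without forward secrecy, a missing certificate or key directive, and a passphrase-protected key with no ssl_password_file. The two sample configs, the encrypted-key header and all file paths are constructed placeholders; listing TLSv1.3 assumes an nginx build whose OpenSSL supports it.

```python
"""Offline review of an nginx ssl.conf fragment (added example, not product code)."""
import shlex

# Protocol names nginx accepts in ssl_protocols (compared case-insensitively).
KNOWN_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Deprecated by RFC 6176 (SSLv2), RFC 7568 (SSLv3) and RFC 8996 (TLS 1.0 and 1.1).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(text):
    """Return [(name, [args]), ...] from a flat nginx fragment.

    Handles quoted values (paths with spaces), values split across lines and
    `#` comments. Nested blocks are not used in ssl.conf and are rejected.
    """
    flat = " ".join(line.split("#", 1)[0] for line in text.splitlines())
    if "{" in flat or "}" in flat:
        raise ValueError("block syntax is not supported by this checker")
    directives = []
    for stmt in flat.split(";"):
        parts = shlex.split(stmt)
        if parts:
            directives.append((parts[0], parts[1:]))
    return directives


def key_is_encrypted(pem_text):
    """True for a passphrase-protected PEM key (PKCS#8 or legacy OpenSSL form)."""
    return ("BEGIN ENCRYPTED PRIVATE KEY" in pem_text
            or "Proc-Type: 4,ENCRYPTED" in pem_text)


def check_ssl_config(text, key_pem=None):
    """Return a list of findings; an empty list means no objection.

    key_pem is the content of the file named by ssl_certificate_key, when the
    caller has it; it is only used to detect an encrypted key.
    """
    seen = {name: args for name, args in parse_directives(text)}
    findings = []

    for required in ("ssl_certificate", "ssl_certificate_key"):
        if required not in seen:
            findings.append(f"{required}: missing")

    protocols = seen.get("ssl_protocols")
    if protocols is None:
        findings.append("ssl_protocols: not set, the nginx build's default applies")
    else:
        canonical = {p.upper(): p for p in KNOWN_PROTOCOLS}
        for proto in protocols:
            name = canonical.get(proto.upper())
            if name is None:
                findings.append(f"ssl_protocols: {proto} is not a protocol name nginx accepts")
            elif name in DEPRECATED_PROTOCOLS:
                findings.append(f"ssl_protocols: {name} is deprecated; offer TLSv1.2 and TLSv1.3 only")

    # Only explicit suite names are judged; OpenSSL keywords such as HIGH or
    # !aNULL are left alone because expanding them needs the library itself.
    for suite in seen.get("ssl_ciphers", [""])[0].split(":"):
        if "-" in suite and not suite.startswith(("ECDHE-", "DHE-")):
            findings.append(f"ssl_ciphers: {suite} has no forward secrecy")

    if key_pem is not None and key_is_encrypted(key_pem) and "ssl_password_file" not in seen:
        findings.append("ssl_certificate_key is passphrase-protected but ssl_password_file "
                        "is not set; nginx cannot load the key unattended")
    return findings


# Constructed sample configs. LEGACY_CONF is the first advanced snippet as it would
# be typed; HARDENED_CONF drops TLS 1.1 and uses an encrypted key with its passphrase file.
LEGACY_CONF = """
ssl on;
ssl_certificate     "C:/Program Files/OPSWAT/Metadefender Core/nginx/your.crt";
ssl_certificate_key "C:/Program Files/OPSWAT/Metadefender Core/nginx/your.key";
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256;
"""

HARDENED_CONF = """
ssl on;
ssl_certificate     /etc/ometascan/nginx.d/cert.pem;
ssl_certificate_key /etc/ometascan/nginx.d/your_encrypted.key;
ssl_password_file   /etc/keys/private.pass;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
"""

# Constructed: the armour of a PKCS#8 key encrypted with a passphrase (body elided).
ENCRYPTED_KEY_PEM = "-----BEGIN ENCRYPTED PRIVATE KEY-----\n...\n-----END ENCRYPTED PRIVATE KEY-----\n"

if __name__ == "__main__":
    for label, conf in (("legacy", LEGACY_CONF), ("hardened", HARDENED_CONF)):
        print(label, check_ssl_config(conf, key_pem=ENCRYPTED_KEY_PEM) or ["ok"])
```

Run it against the real ssl.conf (and, if available, the key file) before restarting the service: an encrypted key without a readable ssl_password_file is the one mistake here that stops nginx from starting rather than merely weakening the TLS settings.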
For further SSL options, consult the nginx documentation.