

NGINX Configuration for Django with SSL - Xangis
http://championix.com/blog/2014/06/30/nginx-configuration-django-ssl/

======
moduloo
your setup is pretty bad (performance and security), here comes why:

1. combine all listen 80 - serverblocks into one, and then

`return 301 https://$host$request_uri;` instead of
rewrite, it is faster and you can skip the if (scheme) - part, because if is
evil [http://wiki.nginx.org/IfIsEvil](http://wiki.nginx.org/IfIsEvil)

2. where are your ciphers? they are bad anyway and don't seem to be the
defaults, and RC4 as preferred cipher, phew!

3. you are vulnerable to the latest CCS-vuln
[https://8ack.de/scan/result/sslvulns/71ba019e9d4bf25fd422ab0...](https://8ack.de/scan/result/sslvulns/71ba019e9d4bf25fd422ab0395e9fdc12a18ddf9a8e1583b769fe7f075e19290f5d9d44e23c0902fb6dd17da6e4c9bf1f647b44a3e1fd82c1ea982062a474c27)

4. you use a quite old nginx-version; debian? you should use a newer one
that supports SPDY (faster loading for all those images)

5. OH NOES .... [https://wbsrch.com/admin/](https://wbsrch.com/admin/) rule
nr. 1: never expose admin/backend-logins to the interwebs

6. no HSTS

7. you support TLS 1.2, but no PFS, is there a reason for this? otherwise,
this is a bad decision
[https://www.ssllabs.com/ssltest/analyze.html?d=wbsrch.com](https://www.ssllabs.com/ssltest/analyze.html?d=wbsrch.com)

8. define STATIC - resources with django; advantage: you don't have to
try_files and can skip the regex-location for static content
[https://docs.djangoproject.com/en/dev/howto/static-files/](https://docs.djangoproject.com/en/dev/howto/static-files/)

9. why did you turn off ssl_session_cache??? [https://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/#opt...](https://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/#optimizing-for-better-ssl-performance)

10. use proxy_cache for /

11. turn off server_tokens

more on nginx + ssl: [https://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/](https://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/)
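
The consolidated server blocks this comment calls for, shown as an added example beside the rewrite-plus-if pattern it objects to; this is not the blog's own configuration. Hostnames come from the thread; the certificate paths, Django upstream address, admin allow-range and static directory are placeholders.

```nginx
# --- Before: the per-vhost pattern the comment objects to (point 1) ---
server {
    listen 80;
    server_name wbsrch.com;
    if ($scheme = http) {
        rewrite ^ https://$host$request_uri permanent;
    }
}

# --- After: one port-80 block with an unconditional 301 ---
server {
    listen 80 default_server;
    server_name wbsrch.com www.wbsrch.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name wbsrch.com www.wbsrch.com;
    ssl_certificate     /etc/nginx/ssl/wbsrch.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/ssl/wbsrch.key;
    # TLS 1.2 with forward-secret suites first, RC4 excluded (points 2, 7)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:!aNULL:!MD5:!RC4';
    ssl_prefer_server_ciphers on;
    # Keep session resumption on instead of disabling it (point 9)
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # HSTS (point 6) and no version banner (point 11)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    server_tokens off;

    # Django admin reachable only from an assumed management range (point 5)
    location /admin/ {
        allow 192.0.2.0/24;   # placeholder RFC 5737 range
        deny  all;
        proxy_pass http://127.0.0.1:8000;
    }
    # Collected static files served straight from disk, no try_files (point 8)
    location /static/ {
        alias /srv/wbsrch/static/;   # placeholder STATIC_ROOT
    }

    location / {
        proxy_pass http://127.0.0.1:8000;   # assumed Django upstream
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Check the result with `nginx -t` before reloading, and re-run the SSL Labs test linked in the comment to confirm the cipher order and HSTS header are picked up.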

~~~
moduloo
ssllabs gives you grade F
[https://www.ssllabs.com/ssltest/analyze.html?d=wbsrch.com](https://www.ssllabs.com/ssltest/analyze.html?d=wbsrch.com)

btw, where are your cipher_suites from?

