Since security is a process, not a single task, I updated my server config.
I noticed that I was missing a good dhparam. This is a follow-up post to last year's "CAA, site configuration, security and HTTP2" post.
Generate the prime
ssl_ecdh_curve secp384r1;
ssl_dhparam /etc/nginx/dhparam.pem;
Disable prime256v1 aka NIST P-256
Going for the stronger curve should have a minimal impact on performance.
Regenerate the dhparam
Regenerating keys is a good idea in general. In 2016 a Stack Exchange user said no.
Automating it every week or so still seems like a good idea, so we add this cron job with sudo crontab -e:
# m h dom mon dow command
14 3 * * 1 openssl dhparam -out /etc/nginx/dhparam.pem 4096 && chmod 600 /etc/nginx/dhparam.pem && /bin/systemctl restart nginx.service
Note: We have to use absolute paths. You can get that absolute path with this command:
See the crontab man page.
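As an added example (not part of the original post), here is a small Python checker the cron job could run on the freshly written dhparam.pem before nginx is restarted: it parses the PEM/DER that openssl dhparam produces and reports if p is smaller than expected, uses an unusual generator, or is not a safe prime. The function names and the MIN_BITS floor are assumptions of this example.

```python
import base64, random, re
# Added example (constructed, not from the post): check the PEM that ssl_dhparam
# points at before nginx restarts. openssl dhparam writes DER SEQUENCE { p, g }.
MIN_BITS = 2048  # assumption; the post's cron job generates 4096-bit parameters

def _der_read(buf, i, tag):  # TLV at buf[i] with expected tag -> (content, next)
    if buf[i] != tag:
        raise ValueError("unexpected DER tag 0x%02x" % buf[i])
    n, j = buf[i + 1], i + 2
    if n >= 0x80:  # long form: low 7 bits give the number of length bytes
        n, j = int.from_bytes(buf[j:j + (n & 0x7F)], "big"), j + (n & 0x7F)
    return buf[j:j + n], j + n

def parse_dh_params(pem):
    """Return (p, g) from a '-----BEGIN DH PARAMETERS-----' PEM block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    seq, _ = _der_read(base64.b64decode("".join(m.group(1).split())), 0, 0x30)
    p_bytes, i = _der_read(seq, 0, 0x02)
    g_bytes, _ = _der_read(seq, i, 0x02)
    return tuple(int.from_bytes(b, "big", signed=True) for b in (p_bytes, g_bytes))

def is_probable_prime(n, rounds=32):  # Miller-Rabin with random bases
    if n < 4 or n % 2 == 0:
        return 1 < n < 4
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:  # no square reached n-1: this base witnesses compositeness
            return False
    return True

def check_dh_params(pem, min_bits=MIN_BITS):
    """Return a list of problems; an empty list means the file is safe to deploy."""
    p, g = parse_dh_params(pem)
    checks = [
        (p.bit_length() >= min_bits, f"p is only {p.bit_length()} bits"),
        (g in (2, 5), f"unusual generator {g}"),
        (is_probable_prime(p) and is_probable_prime((p - 1) // 2), "p is not a safe prime"),
    ]
    return [msg for ok, msg in checks if not ok]
```

A short wrapper that reads the file and exits non-zero when the returned list is not empty can sit between the openssl and systemctl steps of the cron line, so a truncated or corrupted file never reaches nginx.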