Question

Question regarding SSL settings

Hello, I have installed a wildcard SSL certificate from AlphaSSL, and when configuring it I used the ssl-param settings from the following post: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

So now I have put all these SSL settings inside snippets/ssl-param.conf:

# Protocol versions offered to clients (TLSv1 and TLSv1.1 are legacy versions)
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
# Session resumption through the server-side cache; stateless tickets disabled
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# OCSP stapling needs a resolver to reach the CA's OCSP responder
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# "always" is an add_header flag, not an HSTS directive, so it goes outside the quotes;
# the header value itself is "max-age=63072000; includeSubDomains"
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;

I just added ssl_session_timeout 60m; to the list and changed preload to always.

Now my question is: are these settings meant to be used with any certificate other than Let's Encrypt? I'm a bit confused whether these are going to help or degrade SSL negotiation, because on my previous server I used only a few of the above settings:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_session_cache shared:SSL:10m;

Also, please take a look at the following image. My site's initial load is not as fast as I expected, and 6/7 files now require an SSL handshake even though they are from the same domain. Is this normal?

http://imgur.com/a/89Xyq

@jtittle @hansen
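The settings above can be checked mechanically before they go live. The following Python script is an added example, not part of the original post or of the DigitalOcean tutorial: it parses an nginx ssl snippet into directives and flags the things that matter for negotiation and for HSTS, namely legacy versions in ssl_protocols, known-weak tokens in ssl_ciphers, ssl_stapling without a resolver, add_header lines that lack the always flag (nginx then omits the header on 4xx/5xx responses), and an HSTS value that carries the word always inside the quotes, where nginx does not read it as a flag and browsers ignore it as an unknown directive. Both snippets are constructed for the example: the first starts from the directives in the question and deliberately writes always inside the HSTS value, the mistake that is easy to make when replacing preload on that line; the hardened variant keeps the cipher list from the post, drops TLSv1/TLSv1.1 and puts always where nginx expects it.

```python
import shlex

# Constructed sample, modelled on the snippet in the question: the nginx
# add_header flag "always" has been written inside the HSTS value.
POSTED_SNIPPET = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; always";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
"""

# Constructed hardened variant: TLS 1.2 only (add TLSv1.3 where the nginx and
# OpenSSL builds support it) and "always" as the add_header flag, outside the quotes.
HARDENED_SNIPPET = """
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = {"NULL", "aNULL", "eNULL", "EXPORT", "LOW", "RC4", "MD5", "DES", "3DES"}
ADD_HEADER_FLAGS = {"always"}


def parse_directives(text):
    """Return [(name, [args])] for each simple directive in an nginx snippet.
    shlex keeps quoted arguments whole, so an HSTS value stays one argument."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.endswith(";"):
            continue
        parts = shlex.split(line[:-1])
        if parts:
            directives.append((parts[0], parts[1:]))
    return directives


def lint(text):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    directives = parse_directives(text)
    names = {name for name, _ in directives}
    stapling_on = any(n == "ssl_stapling" and a[:1] == ["on"] for n, a in directives)
    for name, args in directives:
        if name == "ssl_protocols":
            legacy = sorted(LEGACY_PROTOCOLS & set(args))
            if legacy:
                findings.append(("warn", "ssl_protocols offers legacy versions: " + ", ".join(legacy)))
        elif name == "ssl_ciphers" and args:
            # Entries prefixed with ! or - are exclusions, not offered suites
            offered = [e for e in args[0].split(":") if not e.startswith(("!", "-"))]
            tokens = {t for entry in offered for t in entry.split("+")}
            weak = sorted(WEAK_CIPHER_TOKENS & tokens)
            if weak:
                findings.append(("warn", "ssl_ciphers offers weak tokens: " + ", ".join(weak)))
        elif name == "add_header" and len(args) >= 2:
            header, value, flags = args[0], args[1], args[2:]
            if header.lower() == "strict-transport-security":
                fields = [f.strip() for f in value.split(";") if f.strip()]
                stray = [f for f in fields if f in ADD_HEADER_FLAGS]
                if stray:
                    findings.append(("error", f"HSTS value carries nginx flag {stray[0]!r} inside the "
                                              "quotes; nginx does not apply it and browsers ignore it"))
                max_age = next((f for f in fields if f.lower().startswith("max-age=")), None)
                if max_age is None or not max_age.partition("=")[2].isdigit():
                    findings.append(("error", "HSTS header has no numeric max-age"))
            if "always" not in flags:
                findings.append(("info", f"add_header {header} lacks 'always'; nginx omits it on 4xx/5xx responses"))
    if stapling_on and "resolver" not in names:
        findings.append(("warn", "ssl_stapling is on but no resolver is set; OCSP responses cannot be fetched"))
    return findings


if __name__ == "__main__":
    for label, snippet in (("posted", POSTED_SNIPPET), ("hardened", HARDENED_SNIPPET)):
        print(label, lint(snippet) or "clean")
```

Run it against the real snippets/ssl-param.conf by reading the file into lint(); the parser only handles simple one-line directives, which is all an ssl snippet normally contains.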


@newbie

Open up wp-config.php and find:

/* That's all, stop editing! Happy blogging. */

Below it, add:

define( 'WP_ALLOW_MULTISITE', true );

Now log in to ./wp-admin and navigate to Tools => Network Setup and choose Sub-Directories.

We’ll need to open wp-config.php once again, and below the above define(), we’ll add:

define('MULTISITE', true);
define('SUBDOMAIN_INSTALL', false);
define('DOMAIN_CURRENT_SITE', 'yourdomain.com');
define('PATH_CURRENT_SITE', '/');
define('SITE_ID_CURRENT_SITE', 1);
define('BLOG_ID_CURRENT_SITE', 1);

So what you end up with is:

/* That's all, stop editing! Happy blogging. */

define( 'WP_ALLOW_MULTISITE', true );

define('MULTISITE', true);
define('SUBDOMAIN_INSTALL', false);
define('DOMAIN_CURRENT_SITE', 'yourdomain.com');
define('PATH_CURRENT_SITE', '/');
define('SITE_ID_CURRENT_SITE', 1);
define('BLOG_ID_CURRENT_SITE', 1);

Note: Make sure you change yourdomain.com in the above.

Once you add the above, you’ll be asked to log back in to your WordPress Dashboard, and you’ll see a new option in the admin bar called ‘My Sites’. You can add new sites by navigating to:

My Sites => Network Admin => Sites 

For NGINX, you’ll want to add the following rewrites to your server block.

# Only rewrite requests for paths that do not exist on disk
if ( !-e $request_filename ) {
    # Add the trailing slash to /site/wp-admin
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;
    # Strip the sub-directory site prefix from wp-* paths and .php files
    rewrite ^(/[^/]+)?(/wp-.*) $2 last;
    rewrite ^(/[^/]+)?(/.*\.php) $2 last;
}

I added the snippet above location /, so what I ended up with is:

if ( !-e $request_filename ) {
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;
    rewrite ^(/[^/]+)?(/wp-.*) $2 last;
    rewrite ^(/[^/]+)?(/.*\.php) $2 last;
}

location / {
    try_files $uri $uri/ /index.php?$args;
}

You’d then restart NGINX for the changes to take effect. I just tested this on a demo Droplet and it’s working as expected, so hopefully that’ll help you get things running :-).
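As an added example (not code from the answer above, nor from WordPress or nginx), the Python below simulates what those rewrites do to sub-directory site URLs, so the mapping can be checked without a live server. It models the `if (!-e $request_filename)` guard against a constructed set of files under the document root and applies the three rewrite rules with nginx's semantics: the regex is matched against the URI without the query string, the whole URI is replaced by the expanded replacement, `permanent` answers with a 301 to the expanded absolute URL, and `last` ends the rewrite pass so the new URI falls through to `location /` and its `try_files`. The document root contents, host name and scheme are assumptions for the example; a real `.php` hit would continue to a fastcgi location that the answer does not show.

```python
import re

# The three rewrites from the answer, as (regex, replacement, flag)
REWRITES = [
    (r"/wp-admin$", "$scheme://$host$uri/", "permanent"),
    (r"^(/[^/]+)?(/wp-.*)", "$2", "last"),
    (r"^(/[^/]+)?(/.*\.php)", "$2", "last"),
]

# Constructed document root: regular files that exist on disk, relative to
# the root. Directories are implied by the file paths.
EXISTING_FILES = {
    "/index.php",
    "/wp-login.php",
    "/wp-admin/index.php",
    "/wp-content/themes/demo/style.css",
    "/robots.txt",
}

HOST = "example.com"   # assumed $host for the example
SCHEME = "https"       # assumed $scheme for the example


def exists(uri):
    """Model nginx's -e test on $request_filename: true for a file or a directory."""
    path = uri.rstrip("/") or "/"
    if path == "/" or path in EXISTING_FILES:
        return True
    return any(f.startswith(path + "/") for f in EXISTING_FILES)


def expand(replacement, match, uri):
    """Expand $1..$n captures and the nginx variables used in the answer."""
    out = replacement
    for i in range(match.re.groups, 0, -1):      # highest group first so "$1" never eats "$10"
        out = out.replace(f"${i}", match.group(i) or "")
    return out.replace("$scheme", SCHEME).replace("$host", HOST).replace("$uri", uri)


def route(uri):
    """Return ('redirect', location), ('serve', file), ('dir', path) or ('php', '/index.php')."""
    if not exists(uri):                          # if ( !-e $request_filename )
        for regex, replacement, flag in REWRITES:
            match = re.search(regex, uri)
            if not match:
                continue
            new_uri = expand(replacement, match, uri)
            if flag == "permanent":              # 301 with the expanded Location
                return ("redirect", new_uri)
            uri = new_uri                        # 'last': stop rewriting, re-search locations
            break
    # location / { try_files $uri $uri/ /index.php?$args; }
    if uri in EXISTING_FILES:
        return ("serve", uri)                    # a .php file would go on to the fastcgi location
    if exists(uri):
        return ("dir", uri if uri.endswith("/") else uri + "/")
    return ("php", "/index.php")                 # WordPress resolves the sub-directory site itself


if __name__ == "__main__":
    for sample in ("/site2/wp-login.php", "/site2/wp-admin", "/site2/wp-admin/",
                   "/site2/about/", "/site2/custom.php", "/robots.txt"):
        print(f"{sample:22} -> {route(sample)}")
```

The interesting rows are /site2/wp-login.php, which is rewritten to the real /wp-login.php, and /site2/wp-admin, which is first redirected to add the trailing slash and only then rewritten to /wp-admin/; a plain page path such as /site2/about/ matches none of the rules and reaches /index.php, where WordPress picks the sub-site from the path.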

@newbie

Most guides that cover settings for InnoDB make the assumption that you’re running MySQL on its own server, as allocating 50-70% of your RAM to the buffer in any other case would most likely be an issue, since you’d be severely reducing the RAM available for other services.

Unless you’re experiencing issues, you’ve run MySQL Tuner, and it’s giving you the same suggestion, I’d keep it set at or around 512M for a 1-2GB instance, but even that may be overkill on a 1GB. I’d even recommend potentially setting it to 256M.

When it comes to MySQL, before changing values, as per recommendations by the sysadmin and developer of MySQL Tuner, you really need to wait 24-48 hours to let MySQL gather details on its own metrics. If you run MySQL Tuner on a freshly restarted instance of MySQL, it’ll tell you the same.

In regards to permissions, you shouldn’t be using a chmod of 755 on both files and directories. Files should use 644 and directories should be using 755.

By using chmod -R 755 /var/www you’re telling the command to recursively set everything from /var/www down to a chmod of 755, regardless of whether it’s a file or directory.

Unless you’ve changed the defaults for files and directories, on Ubuntu, files are normally created with a chmod of 644 and directories with a chmod of 755 by default. So unless you’ve changed them in some way, shape, or form by running other commands, that step shouldn’t really be required.

As far as ownership (chown), that part is correct :).

As far as multi-site with NGINX, I used to have a guide that I had written for a client, though I can’t seem to find it. I’ll have to re-test on my end, though the steps really don’t change from one release of PHP or Ubuntu to the next. They may change as WordPress changes the requirements, but beyond WordPress itself, the rest of the steps have no bearing on OS or PHP version (though WordPress does recommend PHP 7.x as of now).
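The file/directory distinction above is the part of `chmod -R 755` that bites: it marks every file executable. The Python below is an added example (not from the answer or the DigitalOcean tutorial) that builds a small constructed document root in a temporary directory, applies the blanket recursive chmod, then applies the per-type normalization the answer describes (the equivalent of `find /var/www -type d -exec chmod 755 {} +` followed by `find /var/www -type f -exec chmod 644 {} +`) and audits the tree after each step, counting executable regular files and world-writable entries. The file names are constructed for the example; ownership (chown) is left as the answer has it.

```python
import os
import stat
import tempfile


def build_tree(root):
    """Create a constructed sample document root with a few dirs and files."""
    for d in ("wp-admin", "wp-content/uploads"):
        os.makedirs(os.path.join(root, d), exist_ok=True)
    for f in ("index.php", "wp-config.php", "wp-admin/install.php", "wp-content/uploads/photo.jpg"):
        with open(os.path.join(root, f), "w") as fh:
            fh.write("<?php // sample\n" if f.endswith(".php") else "sample data\n")


def chmod_recursive(root, mode):
    """Equivalent of `chmod -R <mode> root`: the same mode on every file and directory."""
    os.chmod(root, mode)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            os.chmod(os.path.join(dirpath, name), mode)


def normalize(root, dir_mode=0o755, file_mode=0o644):
    """Equivalent of `find root -type d -exec chmod 755 {} +` and
    `find root -type f -exec chmod 644 {} +`: directories traversable, files not executable."""
    os.chmod(root, dir_mode)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            os.chmod(os.path.join(dirpath, name), dir_mode)
        for name in filenames:
            os.chmod(os.path.join(dirpath, name), file_mode)


def audit(root):
    """Return (regular files with any execute bit, entries writable by 'other')."""
    exec_files = world_writable = 0
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            st = os.lstat(os.path.join(dirpath, name))
            if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                exec_files += 1
            if st.st_mode & stat.S_IWOTH:
                world_writable += 1
    return exec_files, world_writable


def demo():
    """Apply both approaches to a fresh tree; return the audit after each."""
    with tempfile.TemporaryDirectory() as root:
        build_tree(root)
        chmod_recursive(root, 0o755)      # what `sudo chmod -R 755 /var/www` does
        after_blanket = audit(root)       # all four files are now executable
        normalize(root)
        after_normalize = audit(root)     # no executable files, nothing world-writable
        return after_blanket, after_normalize


if __name__ == "__main__":
    blanket, normalized = demo()
    print("after chmod -R 755:", blanket)
    print("after 755/644 normalization:", normalized)
```

Neither approach leaves anything world-writable (755 and 644 both drop o+w), so the audit's second number stays at zero; the first number is what changes, and it is the reason the answer separates files from directories.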

@jtittle @hansen you guys are awesome. My SSL Labs report is showing A+ now. :)

I need to ask you another question regarding MySQL 5.7. I have a separate (1GB) DB server that’s connected to my web server through a private IP. Now, is it OK to allot more space to the InnoDB buffer? I have only a WordPress database and my application database, where all tables are InnoDB. I know everyone says 50-70% should be allocated, but since my whole server is dedicated to MySQL, should I allocate more? Please post your opinion.

Is there a problem if I add these inside my.cnf?

[mysqld]
innodb_buffer_pool_size = 850M
innodb_log_file_size = 128M
innodb_flush_method = O_DIRECT

Also, can you guys point me to any tutorial on enabling multi-site on a sub-directory for an existing WordPress install on nginx? I read all the related posts here and elsewhere, but none of the ones I found were concrete and for the latest versions of PHP and Ubuntu. The multi-site setup that worked for me last time from this community gave me issues with FastCGI, so I need some expert guidance from you guys.

One last thing: I have 3 server blocks; 2 & 3 are on subdomains.

  1. main site, which is WordPress
  2. application on CodeIgniter
  3. affiliate program in PHP

Now what permissions should the document roots for numbers 2 & 3 have? As per the DO tutorial,

sudo chown -R $USER:$USER /var/www/test.com/html
sudo chmod -R 755 /var/www

Should I follow the above, or set the ownership like user:www-data?

best regards,