As soon as I got my site on the web with HTTPS I hit it from the Qualys SSL Labs test page and here’s the very pleasing result:
As a complete n00b to ErpNext as of a week ago, seeing this test result further convinces me that ErpNext has been a good choice.
However, there’s a warning there that’s worth noting:
This server supports TLS 1.0 and TLS 1.1. Grade will be capped to B from January 2020
If you are OCD and cannot abide the thought of having less than an A+ rating, here are some easy tweaks I used to upgrade my site:
Generate a fat Diffie-Hellman parameter file:
cd /tmp
openssl dhparam -out dhparams_4096.pem 4096
sudo mkdir -p /etc/ssl/private
sudo mv dhparams_4096.pem /etc/ssl/private
Disable the obsolete TLS 1.0/1.1 protocols and point Nginx at the dhparams file
Replace the line …
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
… with …
ssl_protocols TLSv1.2 TLSv1.3;
ssl_dhparam /etc/ssl/private/dhparams_4096.pem;
Disallow HTTP; Accept only HTTPS
Below the line add_header X-Frame-Options "SAMEORIGIN"; add a new line as follows.
Instead of …
add_header X-Frame-Options "SAMEORIGIN";
… you want …
add_header X-Frame-Options "SAMEORIGIN";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
Then …
sudo service nginx restart;
… and get …
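Before restarting Nginx it is worth checking that the edited file really carries all three changes, because a single add_header inside a location block silently discards every add_header inherited from the server level, so the HSTS header can vanish from some responses. The script below is an added example (not from the original post or the ERPNext project): it reads an Nginx TLS fragment and reports any obsolete protocol, a missing ssl_dhparam, and a missing or weak Strict-Transport-Security header. The two embedded configs are constructed samples mirroring the before/after lines above; the function names (directives, audit) and the findings wording are my own.

```python
import re

# Constructed sample: the TLS lines before the tweaks above
BEFORE = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
add_header X-Frame-Options "SAMEORIGIN";
"""

# Constructed sample: the same lines after the tweaks above
AFTER = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_dhparam /etc/ssl/private/dhparams_4096.pem;
add_header X-Frame-Options "SAMEORIGIN";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
"""

# Protocols SSL Labs penalises (TLS 1.0/1.1 cap the grade at B from January 2020)
OBSOLETE = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# One year, the value used in the post and the minimum for the preload list
MIN_HSTS_AGE = 31536000


def directives(config):
    """Yield (name, args) for each simple directive, ignoring comments and blanks."""
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";")
        if not line:
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1] if len(parts) > 1 else "")


def audit(config):
    """Return a list of human-readable findings; an empty list means the fragment is clean."""
    findings = []
    protocols = set()
    dhparam = False
    hsts = None
    for name, args in directives(config):
        if name == "ssl_protocols":
            protocols.update(args.split())
        elif name == "ssl_dhparam":
            dhparam = True
        elif name == "add_header":
            m = re.match(r'Strict-Transport-Security\s+"?([^"]*)"?', args, re.I)
            if m:
                hsts = m.group(1)

    weak = sorted(protocols & OBSOLETE)
    if weak:
        findings.append("obsolete protocols enabled: " + ", ".join(weak))
    if not protocols:
        findings.append("no ssl_protocols directive (server defaults apply)")
    if not dhparam:
        findings.append("no ssl_dhparam: Nginx default DH parameters are used")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        if age < MIN_HSTS_AGE:
            findings.append("HSTS max-age %d below %d" % (age, MIN_HSTS_AGE))
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label + ":", audit(cfg) or "OK")
```

Run it against the real file with audit(open("/path/to/your/nginx.conf").read()) (path is yours, not a project path), then run sudo nginx -t before the restart so a typo in the edited file cannot take the site down. Two caveats the script cannot see: the HSTS header only protects browsers that have already received it over HTTPS, so plain HTTP still reaches port 80 unless the server redirects it, and the preload token commits the domain to the browser preload list, which is slow to undo.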
There are a bunch of other tricks, including helping Nginx process SSL much more quickly than the current settings support, which you can find easily by searching “A+ SSL Labs Nginx”.