SSL Configurations

1.) Create a “ssl.conf” file

  • On Windows, under <Installation Directory>\nginx\

ssl on; ssl_certificate "C:/Program Files/OPSWAT/Metadefender Core/nginx/your.crt"; ssl_certificate_key "C:/Program Files/OPSWAT/Metadefender Core/nginx/your.key";
  • On Linux, under /etc/ometascan/nginx.d/

ssl on; ssl_certificate /etc/ometascan/nginx.d/your.crt; ssl_certificate_key /etc/ometascan/nginx.d/your.key;

2.) A restart of the “OPSWAT Metadefender Core” service is required.

Advanced SSL configurations

1.) Explicitly allow specific TLS versions, optionally with preferred ciphers. For example:

ssl on; ssl_certificate "C:/Program Files/OPSWAT/Metadefender Core/nginx/your.crt"; ssl_certificate_key "C:/Program Files/OPSWAT/Metadefender Core/nginx/your.key";   ssl_protocols tlsv1.1 tlsv1.2; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256;

2.) Use SSL private key and(or) certificate which is encrypted with a passphrase. Strongly recommended to put the passphrase file(s) into a secured vault where only MetaDefender Core can access.

A reference for typical practice: https://www.nginx.com/blog/protecting-ssl-private-keys-nginx-hashicorp-vault/

ssl on;   ssl_certificate "C:/Program Files/OPSWAT/Metadefender Core/nginx/cert.pem"; ssl_certificate_key "C:/Program Files/OPSWAT/Metadefender Core/nginx/your_encrypted.key"; ssl_password_file "/etc/keys/private.pass";   ssl_protocols tlsv1.1 tlsv1.2; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

For more SSL-options please consult Nginx documentation.