How To: Optimizing SSL on Laravel Forge

Published on by

How To: Optimizing SSL on Laravel Forge image

Let’s Encrypt is a new automated SSL certificate authority. Because it is free, it is opening the doors to an exciting new era of secure servers and technologies. Laravel Forge was recently to allow one-click installations of Let’s Encrypt certificates. It is now easier than ever to have your own SSL!

Let’s take a few extra minutes to optimize your server and help it perform faster and be more secure. In this tutorial we will look at using SSL session caching, HTTP Strict Transport Security (HSTS), and Hypertext Transfer Protocol 2 (HTTP/2).

Prerequisites

  • A forge-managed server.
  • Site running under SSL.
  • nginx 1.9.5 or higher for HTTP/2 (everything else should work).

Considerations

Multiple HTTPS sites on a single IP address will cause nginx to use SNI to establish an SSL connection. Internet Explorer 8 and below on Windows XP, as well as Android 2.3.7, do not support SNI. They will likely report a broken certificate, or might not be able to connect at all. This is only something to worry about if you need to support old browsers.

SSL Log-Jam Fix

Forge now includes a recipe to apply the Diffie-Helmann Log-Jam Vulnerability patch. Run that against the server in question before performing the following steps.

SSL Optimizations

Enabling SSL can slow down your site’s load times, especially if you have many files. Each request has some overhead of SSL negotiation. before a response gets issued. Setting up SSL session caching eliminates renegotiation for each request unless the cache expires.

Using an optimized cypher suite will further harden our security configuration. This will address browser compatibility and cypher blacklists.

We will also enable Online Certificate Status Protocol (OCSP) stapling. The server will cache the revocation status of the SSL certificates. This eliminates the need to query the certificate authority each time.

All these settings are best set up as a recipe in Laravel Forge. You can then run it with ease against any of your servers:

Here is the script depicted above:

> **Note:** adding this recipe to a server will not affect the non-SSL-secured web sites on your server.

HTTP Strict Transport Security (HSTS)

HSTS is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections,[1] and never via the insecure HTTP protocol. – Wikipedia

Enabling HSTS gives us all the benefits for browsers that support it. It also won’t affect browsers that don’t support it.

Lets get to it. For this we need to edit your sites nginx configuration file. You can get to it using the Edit Files drop-down on your site screen in Laravel Forge:

Add the following line to your server block:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

Note: some tutorials include a trailing “always” keyword. But that isn’t the correct usage of the command in this case. It should not be in every response. Instead, the browser will determine the correct usage of the HSTS header once it sees it.

HTTP/2

This is by far the simplest step. In your site’s nginx configuration file add “http2” to the end of the listen line for the server block.

listen 443 ssl http2;

Note: Do not add this to the non-ssl server block listening on port 80.

Wrapping Things Up

All that’s left now is to reload nginx and test your server’s SSL configuration.

Next head to SSL Labs and test your certificate. You should now be sporting a solid “A+”! Congratulations on making the internet a faster and safer place! If you go to your site now, you should notice an appreciable speed increase compared to before.

Mike Bronner photo

Husband. Genealogist. Web Designer. Translator. German-American.

Cube

Laravel Newsletter

Join 40k+ other developers and never miss out on new tips, tutorials, and more.

image
Tinkerwell

Version 4 of Tinkerwell is available now. Get the most popular PHP scratchpad with all its new features and simplify your development workflow today.

Visit Tinkerwell
Laravel Forge logo

Laravel Forge

Easily create and manage your servers and deploy your Laravel applications in seconds.

Laravel Forge
Tinkerwell logo

Tinkerwell

The must-have code runner for Laravel developers. Tinker with AI, autocompletion and instant feedback on local and production environments.

Tinkerwell
No Compromises logo

No Compromises

Joel and Aaron, the two seasoned devs from the No Compromises podcast, are now available to hire for your Laravel project. ⬧ Flat rate of $7500/mo. ⬧ No lengthy sales process. ⬧ No contracts. ⬧ 100% money back guarantee.

No Compromises
Kirschbaum logo

Kirschbaum

Providing innovation and stability to ensure your web application succeeds.

Kirschbaum
Shift logo

Shift

Running an old Laravel version? Instant, automated Laravel upgrades and code modernization to keep your applications fresh.

Shift
Bacancy logo

Bacancy

Supercharge your project with a seasoned Laravel developer with 4-6 years of experience for just $2500/month. Get 160 hours of dedicated expertise & a risk-free 15-day trial. Schedule a call now!

Bacancy
LoadForge logo

LoadForge

Easy, affordable load testing and stress tests for websites, APIs and databases.

LoadForge
Paragraph logo

Paragraph

Manage your Laravel app as if it was a CMS – edit any text on any page or in any email without touching Blade or language files.

Paragraph
Lucky Media logo

Lucky Media

Bespoke software solutions built for your business. We ♥ Laravel

Lucky Media
Lunar: Laravel E-Commerce logo

Lunar: Laravel E-Commerce

E-Commerce for Laravel. An open-source package that brings the power of modern headless e-commerce functionality to Laravel.

Lunar: Laravel E-Commerce
DocuWriter.ai logo

DocuWriter.ai

Save hours of manually writing Code Documentation, Comments & DocBlocks, Test suites and Refactoring.

DocuWriter.ai
Rector logo

Rector

Your partner for seamless Laravel upgrades, cutting costs, and accelerating innovation for successful companies

Rector

The latest

View all →
Non-backed Enums in Database Queries and a withSchedule() bootstrap method in Laravel 11.1 image

Non-backed Enums in Database Queries and a withSchedule() bootstrap method in Laravel 11.1

Read article
Laravel Pint --bail Flag image

Laravel Pint --bail Flag

Read article
Laravel Herd for Windows is now released! image

Laravel Herd for Windows is now released!

Read article
The Laravel Worldwide Meetup is Today image

The Laravel Worldwide Meetup is Today

Read article
Cache Routes with Cloudflare in Laravel image

Cache Routes with Cloudflare in Laravel

Read article
Learn how to manage timezones in your Laravel Apps image

Learn how to manage timezones in your Laravel Apps

Read article