Nginx SSL Configuration

Secure your Nginx server with SSL/TLS.

Nginx is known for its performance and elegant SSL configuration. A well-optimized configuration gives you security and speed.

This guide gives you a production-ready configuration with current best practices.

We cover settings to achieve an A+ on SSL Labs while maintaining compatibility.

Nginx SSL Directives

Key directives for SSL/TLS:

  • ssl_certificate: path to the certificate including its intermediates (fullchain), not the leaf alone.
  • ssl_certificate_key: path to the private key; must belong to that certificate.
  • ssl_protocols: allowed TLS versions.
  • ssl_ciphers: accepted cipher suites for TLS 1.2 and earlier (TLS 1.3 suites are fixed by the OpenSSL build and are not selected by this directive).

Nginx SSL Benefits

Why Nginx excels at SSL:

  • Performance: efficient TLS connection handling.
  • Native HTTP/2: HTTP/2 support with a simple directive.
  • Clear configuration: simple and readable syntax.
  • Session resumption: performant TLS session cache.

Configuration

SSL setup on Nginx:

  1. Get certificates: Let's Encrypt or commercial certificate.
  2. Create server block: configure the HTTPS server block.
  3. Optimize settings: apply security best practices.
  4. Test and reload: nginx -t && systemctl reload nginx.

Optimized Configuration

Modern HTTPS server block:

server {
    listen 443 ssl;
    # nginx 1.25.1+; on older releases use "listen 443 ssl http2;" instead
    http2 on;
    server_name example.com;

    # fullchain.pem = leaf + intermediates; serving the leaf alone breaks
    # clients that do not fetch missing intermediates themselves
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Modern protocols (TLS 1.0 and 1.1 are deprecated by RFC 8996)
    ssl_protocols TLSv1.2 TLSv1.3;
    # ECDHE + AEAD only. This list governs TLS 1.2 and earlier; TLS 1.3
    # suites come from the OpenSSL defaults and are not chosen here.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    # With an AEAD-only list the client may choose, e.g. ChaCha20 on
    # devices without AES hardware
    ssl_prefer_server_ciphers off;

    # Session resumption: server-side cache only (1 MB holds about 4000
    # sessions, so 50 MB is roughly 200k). Tickets are off because nginx
    # generates the ticket key when the configuration is loaded and does
    # not rotate it until the next reload; a leaked key would decrypt
    # every recorded session it protected.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # HSTS for two years, also on error responses ("always"). add_header
    # inside a location block replaces every header inherited from here,
    # so repeat it in such blocks. Add includeSubDomains only once every
    # subdomain is served over HTTPS.
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP Stapling. ssl_stapling_verify needs the issuer chain to check
    # the responder's signature. Prefer a resolver inside your network to
    # a public one so the lookups do not leave it. Stapling is a no-op if
    # the certificate carries no OCSP URL (Let's Encrypt has announced
    # the end of its OCSP service in favour of CRLs).
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
}

# HTTP redirect: $host keeps the requested name, $request_uri the path and query
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

http2 on enables HTTP/2 (on nginx older than 1.25.1 the equivalent is the http2 parameter of listen). ssl_session_tickets off disables stateless resumption: nginx's ticket encryption key is created when the configuration is loaded and is not rotated, so a compromise of that key would expose every recorded session it protected. Turning tickets off keeps resumption in the server-side cache and preserves forward secrecy across sessions.

Best Practices

Optimize your Nginx:

  • Enable HTTP/2: http2 on; in the server block (nginx 1.25.1+), or listen 443 ssl http2; on older releases.
  • Session cache: lets returning clients resume with an abbreviated handshake instead of a full key exchange.
  • OCSP Stapling: the server fetches the responder's answer and sends it in the handshake, so clients neither wait on the CA nor reveal to it which sites they visit.
  • Disable TLS 1.0/1.1: both are deprecated by RFC 8996; offer only TLS 1.2 and 1.3.

Nginx SSL Checklist

  • Fullchain certificate configured, private key matching it
  • HTTP/2 enabled
  • TLS 1.2+ only
  • Session cache configured, session tickets disabled
  • HSTS enabled
  • OCSP Stapling enabled
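The checklist above can be turned into a static audit. What follows is an added example, not code from the article or from MoniTao: a POSIX shell function that strips nginx comments and greps one configuration file for the checklist items (legacy protocols in ssl_protocols, session tickets left at the default, missing HSTS, missing stapling, and the deprecated http2 listen parameter). The two configuration files it is run on are constructed here for illustration; their paths and server names are placeholders.

```shell
#!/bin/sh
# Added example (not from the article): static audit of an Nginx TLS config
# against the checklist. Run as: audit_tls_config /etc/nginx/sites-enabled/site
# Paths and server names below are constructed placeholders.

# Print the configuration with comments removed, so a commented-out
# "# ssl_session_tickets off;" is not mistaken for an active directive.
active_directives() {
  sed 's/#.*//' "$1"
}

# One finding per line on stdout; returns 0 when the file is clean, 1 otherwise.
# HSTS is checked per file, so a header set in an included snippet is reported.
audit_tls_config() {
  conf=$1
  findings=0
  active=$(active_directives "$conf")

  # SSLv2/SSLv3/TLSv1/TLSv1.1 anywhere in ssl_protocols. "TLSv1" must be
  # followed by a separator so that TLSv1.2 and TLSv1.3 do not match.
  if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*ssl_protocols[[:space:]].*(SSLv[23]|TLSv1(\.1)?([[:space:];]|$))'; then
    echo "ssl_protocols allows SSLv3/TLS 1.0/TLS 1.1; use 'ssl_protocols TLSv1.2 TLSv1.3;'"
    findings=$((findings + 1))
  fi

  # nginx defaults to tickets on, with a key that is not rotated between reloads.
  if ! printf '%s\n' "$active" | grep -Eq '^[[:space:]]*ssl_session_tickets[[:space:]]+off[[:space:]]*;'; then
    echo "ssl_session_tickets is not off (nginx default is on)"
    findings=$((findings + 1))
  fi

  if ! printf '%s\n' "$active" | grep -Eq '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security[[:space:]]'; then
    echo "no Strict-Transport-Security header in this file"
    findings=$((findings + 1))
  fi

  if ! printf '%s\n' "$active" | grep -Eq '^[[:space:]]*ssl_stapling[[:space:]]+on[[:space:]]*;'; then
    echo "ssl_stapling is not on"
    findings=$((findings + 1))
  fi

  # "listen ... http2" is deprecated since nginx 1.25.1 in favour of "http2 on;".
  if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*listen[[:space:]].*[[:space:]]http2([[:space:];]|$)'; then
    echo "'listen ... http2' is deprecated since nginx 1.25.1; use 'http2 on;'"
    findings=$((findings + 1))
  fi

  [ "$findings" -eq 0 ]
}

# Constructed sample configurations (not taken from any real server).
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
WEAK_CONF=$WORKDIR/weak.conf
HARDENED_CONF=$WORKDIR/hardened.conf

cat > "$WEAK_CONF" <<'EOF'
server {
    listen 443 ssl http2;
    server_name weak.example.com;
    ssl_certificate /etc/ssl/weak.pem;
    ssl_certificate_key /etc/ssl/weak.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    # ssl_session_tickets off;   (commented out, so tickets stay on)
}
EOF

cat > "$HARDENED_CONF" <<'EOF'
server {
    listen 443 ssl;
    http2 on;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=63072000" always;
    ssl_stapling on;
    ssl_stapling_verify on;
}
EOF

echo "== $WEAK_CONF";     audit_tls_config "$WEAK_CONF"     || echo "-> not compliant"
echo "== $HARDENED_CONF"; audit_tls_config "$HARDENED_CONF" && echo "-> compliant"
```

The weak file yields five findings and a non-zero exit status, the hardened one none, so the function can gate a CI job or a pre-reload hook. Because it works on one file at a time, run it over every file in sites-enabled and any included TLS snippet.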

Frequently Asked Questions

How to enable HTTP/2?

On nginx 1.25.1 and later add http2 on; to the server block. On older releases add the http2 parameter to the listen directive: listen 443 ssl http2;

Error "SSL: error" in logs?

Check that both files are PEM-encoded, that ssl_certificate points to the full chain rather than the leaf alone, that the nginx master process can read the key file, and that the key really belongs to the certificate: the public key printed by openssl x509 -pubkey -noout must equal the one printed by openssl pkey -pubout.

Nginx won't start?

Run nginx -t: it reports the file and line of the first syntax error and also fails if a certificate or key cannot be loaded, before anything touches the running instance.

How to support TLS 1.3?

Nginx 1.13+ built against OpenSSL 1.1.1+ supports TLS 1.3; check both with nginx -V, whose output lists the OpenSSL version the binary was built with. Then list TLSv1.3 in ssl_protocols.

Difference between ssl_session_cache and tickets?

The cache keeps session state on the server (shared:SSL:... is shared across workers); tickets hand the encrypted state to the client. Both allow an abbreviated handshake. Tickets are disabled because nginx generates the ticket key when the configuration is loaded and never rotates it unless you manage key files yourself with ssl_session_ticket_key, so a leaked key could decrypt recorded sessions.

How to test my configuration?

Use SSL Labs (ssllabs.com/ssltest) for public hosts, or testssl.sh, which runs locally and also reaches internal hosts. Both report protocol versions, cipher suites, HSTS, OCSP stapling and session tickets.
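The last three answers (key/certificate mismatch, TLS 1.3 support and testing) share one workflow: probe the live server and read the handshake output. The script below is an added example, not code from the article or from MoniTao. It uses openssl s_client and curl to confirm that TLS 1.0 and 1.1 are refused, which version the TLS 1.2 and 1.3 probes negotiate, whether a session ticket is issued, whether an OCSP response is stapled and whether HSTS is sent, and it includes a key-to-certificate match check. The hostname argument, the file paths and the transcripts at the bottom are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the article): runtime checks of a deployed Nginx
# HTTPS endpoint with openssl s_client and curl. Assumes both tools are
# installed and that HOST is a server you operate. The parsing helpers read
# a transcript on stdin, so they also work offline on the constructed
# samples at the bottom of this file.

# One handshake attempt; extra arguments go to s_client (e.g. -tls1_1, -status).
# "sleep 1 |" keeps stdin open long enough for TLS 1.3 post-handshake
# NewSessionTicket messages to arrive and be printed.
tls_probe() {
  host=$1; shift
  sleep 1 | openssl s_client -connect "$host:443" -servername "$host" "$@" 2>&1
}

# Negotiated protocol from the SSL-Session block ("    Protocol  : TLSv1.3").
protocol_negotiated() {
  awk '/^ *Protocol *:/ { print $3; exit }'
}

# s_client prints "TLS session ticket:" (and a lifetime hint) whenever the
# server issued one; with ssl_session_tickets off the line is absent.
ticket_issued() {
  grep -q 'TLS session ticket'
}

# With -status, a stapled response shows "OCSP Response Status: successful";
# an unstapled connection shows "OCSP response: no response sent".
ocsp_stapled() {
  grep -q 'OCSP Response Status: successful'
}

# Value of Strict-Transport-Security from a "curl -sI" header dump.
hsts_value() {
  grep -i '^strict-transport-security:' | sed 's/^[^:]*:[[:space:]]*//' | tr -d '\r'
}

# Does the private key belong to the certificate? Comparing the exported
# public keys works for RSA and ECDSA alike, unlike the classic modulus check.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

check_live() {
  host=$1
  # Legacy versions must be refused: a failed handshake leaves "Cipher : 0000".
  # A client OpenSSL built with MinProtocol=TLSv1.2 fails here as well, so
  # confirm against the server's error log if the result looks doubtful.
  for v in -tls1 -tls1_1; do
    if tls_probe "$host" "$v" | grep -q '^ *Cipher *: *[A-Za-z]'; then
      echo "FAIL: $host accepted $v"
    else
      echo "ok:   $host refused $v"
    fi
  done
  for v in -tls1_2 -tls1_3; do
    proto=$(tls_probe "$host" "$v" | protocol_negotiated)
    echo "negotiated with $v: ${proto:-none}"
  done
  out=$(tls_probe "$host" -status)
  if printf '%s\n' "$out" | ticket_issued; then
    echo "FAIL: session ticket issued (ssl_session_tickets is on)"
  else
    echo "ok:   no session ticket"
  fi
  if printf '%s\n' "$out" | ocsp_stapled; then
    echo "ok:   OCSP response stapled"
  else
    echo "warn: no stapled OCSP response (expected if the certificate has no OCSP URL)"
  fi
  hsts=$(curl -sI "https://$host/" | hsts_value)
  echo "HSTS: ${hsts:-MISSING}"
}

# Constructed transcripts for offline use; not captured from a real host.
SAMPLE_HARDENED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
---
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 4A6E0D11
---'
SAMPLE_LEGACY='CONNECTED(00000003)
OCSP response: no response sent
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 4b 6e 0d 11 2a 3c 9f 00
---'
SAMPLE_HEADERS='HTTP/2 200
server: nginx
strict-transport-security: max-age=63072000
content-type: text/html'

# Usage: ./tls_check.sh example.com   (without an argument only the helpers are defined)
if [ $# -ge 1 ]; then check_live "$1"; fi
```

Run it against the host after each reload; a "FAIL" on the legacy probes or on tickets means the loaded configuration is not the one you think, and a missing HSTS value usually points at an add_header in a location block overriding the server-level header.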

High Security Nginx

Nginx offers excellent SSL performance with a well-optimized configuration.

Monitor your certificates with MoniTao to be alerted before any expiration.
