Nginx SSL/TLS Configuration
Configure SSL/TLS certificates in Nginx for secure HTTPS connections with modern cipher suites, protocol settings, OCSP stapling, and session caching.
Detailed Explanation
SSL/TLS encryption is essential for securing data in transit between clients and your server. Nginx provides robust and performant TLS termination capabilities that can handle thousands of encrypted connections efficiently.
Basic SSL Setup
To enable HTTPS, you need a certificate and its private key. The ssl_certificate directive points to the full chain file (the server certificate followed by the intermediate certificates that link it to a trusted root, in that order), and ssl_certificate_key points to the private key file, which should be readable only by the user Nginx starts as.
server {
listen 443 ssl;
server_name example.com;
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;
}
Protocol and Cipher Selection
Disable SSLv3, TLSv1.0 and TLSv1.1: all three have known, practically exploitable weaknesses, and no modern client needs them. TLSv1.2 is the minimum for current deployments and TLSv1.3 should be enabled alongside it. For ciphers, prefer authenticated encryption with associated data (AEAD) suites such as AES-GCM and ChaCha20-Poly1305: they provide confidentiality and integrity in a single operation and are both faster and safer than the older CBC-mode suites. Two caveats: the ssl_ciphers directive governs TLSv1.2 and earlier only (with OpenSSL, the TLSv1.3 suites are all AEAD and are configured separately, via ssl_conf_command Ciphersuites), and with an all-AEAD, forward-secret list there is no reason to force the server's order, so ssl_prefer_server_ciphers off lets each client pick the suite its hardware handles fastest (ChaCha20 on devices without AES acceleration).
OCSP Stapling
With OCSP stapling, Nginx fetches the certificate's revocation status from the CA's OCSP responder itself, caches it, and includes the signed response in the TLS handshake, so clients do not have to contact the CA on their own. This removes a round trip from connection setup and stops the CA from learning which sites your users visit. ssl_stapling_verify makes Nginx validate the response before stapling it, which requires the issuing chain (intermediate and root) in ssl_trusted_certificate, and a resolver is needed so that Nginx can look up the responder's hostname. Note that Nginx fetches the response lazily after the first handshake, so the earliest connections after a start or reload are served without a staple.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
Session Caching
Full TLS handshakes are computationally expensive because they involve asymmetric cryptography. Session resumption lets a returning client skip that work by presenting either a session identifier that Nginx looks up in a server-side cache or a session ticket that carries the encrypted session state itself. The shared cache below is visible to all worker processes; according to the Nginx documentation, one megabyte holds roughly 4000 sessions, and ssl_session_timeout controls how long an entry stays reusable.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;
Session tickets conflict with perfect forward secrecy: the ticket holds the session's secrets encrypted under a long-lived server key, and Nginx does not rotate that key on its own (without an explicit ssl_session_ticket_key file it generates a random key at startup and keeps it for the life of the process). If the key is ever compromised, recorded traffic from every session resumed with it can be decrypted. Disabling tickets (ssl_session_tickets off) removes that exposure; resumption then goes through the server-side cache, whose contents never leave the server. The trade-off is that a cache cannot be shared across independent servers the way a common ticket key can.
Security Recommendations
- If you enable DHE suites, generate a strong DH parameter file with openssl dhparam -out dhparam.pem 2048 (2048 bits is the minimum) and point ssl_dhparam at it. Without that directive Nginx does not offer DHE suites at all, and with the ECDHE-only cipher list shown above the file is never used.
- Always serve the full certificate chain (leaf plus intermediates) to avoid trust errors on mobile devices and older browsers that do not fetch missing intermediates themselves.
- Test the result with SSL Labs: aim for an A+ rating and fix whatever it flags.
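The checks from the Protocol and Cipher Selection section and the recommendations above can be applied mechanically to a server block before it ships. The following Python script is an added example, not part of the original page or of Nginx itself: it parses a flat server block (a constructed weak one and a constructed hardened one, both embedded below) and reports legacy protocols, cipher suites that lack forward secrecy or AEAD, DHE suites listed without ssl_dhparam, an incomplete OCSP stapling setup, and session tickets left on. The parser handles only one-level blocks with one directive per line, and OpenSSL cipher keywords such as HIGH are reported rather than expanded, because expanding them requires the local OpenSSL build.

```python
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # known practical attacks
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")                 # AEAD suites in OpenSSL naming
FS_PREFIXES = ("ECDHE-", "DHE-")                          # forward-secret key exchange

# Constructed sample with the weaknesses this page warns about (certificate
# directives omitted; the parser ignores them anyway).
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;      # legacy versions still enabled
    ssl_ciphers AES256-SHA:HIGH:!aNULL:!MD5;  # static RSA + CBC, then opaque keywords
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;         # stapling and tickets left at defaults
}
"""

# Constructed sample: the same block hardened as described on this page.
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
}
"""

def parse_directives(config: str) -> Dict[str, List[str]]:
    """Map each simple directive to its arguments (first occurrence wins).
    Minimal on purpose: one directive per line, '#' comments stripped, nested
    blocks and multi-line directives are not understood."""
    directives: Dict[str, List[str]] = {}
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"^(\w+)\s+(.*?)\s*;$", line)
        if match and match.group(1) not in directives:
            directives[match.group(1)] = match.group(2).split()
    return directives

def audit_cipher_string(cipher_string: str) -> List[Finding]:
    """Flag explicit suites lacking forward secrecy or AEAD; report keywords."""
    findings: List[Finding] = []
    for entry in cipher_string.split(":"):
        name = entry.lstrip("!+-")
        if not name:
            continue
        if "-" not in name:  # OpenSSL keyword such as HIGH or aNULL, not a suite name
            findings.append(("info", f"keyword '{entry}' not expanded; run: openssl ciphers -v '{cipher_string}'"))
            continue
        if entry.startswith("!"):  # explicitly removed suite, nothing to flag
            continue
        if not name.startswith(FS_PREFIXES):
            findings.append(("high", f"{name} has no forward secrecy (static key exchange)"))
        if not any(marker in name for marker in AEAD_MARKERS):
            findings.append(("medium", f"{name} is not an AEAD suite (CBC mode)"))
    return findings

def audit_tls_config(config: str) -> List[Finding]:
    """Return (severity, message) findings for the settings discussed on this page."""
    d = parse_directives(config)
    findings: List[Finding] = []
    protocols = d.get("ssl_protocols")
    if protocols is None:
        findings.append(("medium", "ssl_protocols not set; enabled versions depend on the nginx build default"))
    else:
        findings.extend(("high", f"legacy protocol {p} is enabled") for p in protocols if p in LEGACY_PROTOCOLS)
    ciphers = d.get("ssl_ciphers")
    if ciphers is None:
        findings.append(("info", "ssl_ciphers not set; nginx's default is HIGH:!aNULL:!MD5"))
    else:
        findings.extend(audit_cipher_string(ciphers[0]))
        if any(e.startswith("DHE-") for e in ciphers[0].split(":")) and "ssl_dhparam" not in d:
            findings.append(("medium", "DHE suites listed but ssl_dhparam not set; nginx will not offer them"))
    if d.get("ssl_stapling", ["off"])[0] != "on":
        findings.append(("low", "OCSP stapling is off; every client must query the CA's responder itself"))
    else:
        if d.get("ssl_stapling_verify", ["off"])[0] != "on":
            findings.append(("medium", "ssl_stapling_verify is off; unvalidated OCSP responses would be stapled"))
        if "resolver" not in d:
            findings.append(("medium", "ssl_stapling on without a resolver; the OCSP responder cannot be looked up"))
    if d.get("ssl_session_tickets", ["on"])[0] != "off":
        findings.append(("low", "ssl_session_tickets is on (the default); a leaked ticket key defeats forward secrecy"))
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, *audit_tls_config(cfg) or ["no findings"], sep="\n  ")
```

Run it directly to print both reports, or call audit_tls_config from a CI step that fails the build on any "high" finding. Keyword entries still need openssl ciphers -v on the build host, and SSL Labs remains the end-to-end check, since this script never sees the certificate chain, the DH parameters or the negotiated handshake.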
Use Case
You are hardening your production web server to achieve an A+ SSL Labs rating and ensure all client-server communication is encrypted with modern TLS standards.