
SSL/TLS Configuration

Configuring HTTPS in Nginx: certificates, TLS protocol and cipher settings, OCSP stapling, HTTP-to-HTTPS redirects and HSTS. "SSL" is used throughout only because that is the name of the Nginx directives; the examples enable TLS 1.2 and 1.3 only.

Last updated: 2025-01-15

Basic SSL Configuration

server {
    # Note: on nginx >= 1.25.1 the "http2" listen parameter is deprecated in
    # favour of a separate "http2 on;" directive; this form still works but
    # logs a warning on newer builds.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;

    # The .crt file must contain the full chain (leaf certificate first, then
    # the intermediates) — a bare leaf breaks path validation for many clients
    # and leaves OCSP stapling (below) unable to locate the issuer.
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    # Private key: keep it root-owned and mode 0600; it should never be
    # readable by the unprivileged worker user or checked into config repos.
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # ... rest of config
}

Modern SSL Settings

# /etc/nginx/snippets/ssl-params.conf
# Shared TLS hardening snippet, included from each HTTPS server block.
# Per-site settings (certificate, key, and the trusted chain needed for
# stapling verification) do NOT belong here — set those in the server block.

# Protocols (TLS 1.2 and 1.3 only) — SSLv3, TLS 1.0 and TLS 1.1 are excluded.
ssl_protocols TLSv1.2 TLSv1.3;

# Cipher suites (TLS 1.2 only; TLS 1.3 suites are fixed by OpenSSL and are
# not affected by this list). All suites below are ECDHE with AEAD ciphers,
# so every TLS 1.2 connection gets forward secrecy.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
# Let the client pick from the (already strong) list, e.g. so mobile clients
# without AES hardware can prefer ChaCha20.
ssl_prefer_server_ciphers off;

# DH parameters (generate with: openssl dhparam -out dhparam.pem 2048)
# NOTE(review): these are only used by DHE-* suites, and the cipher list above
# contains none, so this file is effectively unused here. If DHE suites are
# ever added, prefer the standard RFC 7919 ffdhe2048 group over a random
# modulus, and never use a group smaller than 2048 bits.
ssl_dhparam /etc/nginx/ssl/dhparam.pem;

# Session settings
ssl_session_timeout 1d;
# ~4000 sessions per MB; the cache is shared across worker processes.
ssl_session_cache shared:SSL:50m;
# Session tickets are encrypted with a key that by default lives for the
# lifetime of the process; disabling them avoids weakening forward secrecy
# on long-running servers. Resumption still works via the session cache.
ssl_session_tickets off;

# OCSP Stapling
ssl_stapling on;
# Verification requires the issuer chain to be configured per site with
# "ssl_trusted_certificate"; without it nginx cannot validate the stapled
# response and logs a warning at startup.
ssl_stapling_verify on;
# Resolver used to look up the OCSP responder. Plain-UDP public resolvers
# leak which sites this host serves; a local/trusted resolver is preferable.
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

HTTP to HTTPS Redirect

# Plain-HTTP listener that only redirects to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    # $host echoes the client's Host header. That is fine while this block is
    # matched by server_name, but if it is also the implicit default server
    # for port 80 an arbitrary Host value is reflected into the Location
    # header (open redirect). Either use a literal hostname, or add a separate
    # default_server block that returns 444 for unknown hosts.
    return 301 https://$host$request_uri;
}

Complete HTTPS Server

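# Redirect HTTP to HTTPS (canonicalises www -> apex in the same hop).
# The literal hostname, rather than $host, means a spoofed Host header
# cannot be reflected into the redirect target.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://example.com$request_uri;
}

# HTTPS server
server {
    # On nginx >= 1.25.1 prefer "listen 443 ssl;" plus "http2 on;" — the
    # listen-level http2 flag is deprecated there (still accepted, with a warning).
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;

    # SSL certificate: the .crt must hold the full chain (leaf first, then
    # intermediates). Key file: root-owned, mode 0600.
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    # Issuer chain (intermediates + root) used to verify the stapled OCSP
    # response. Required because the shared snippet sets
    # "ssl_stapling_verify on"; without it verification cannot succeed.
    ssl_trusted_certificate /etc/nginx/ssl/example.com.chain.pem;

    # Include SSL settings (protocols, ciphers, session cache, OCSP stapling)
    include snippets/ssl-params.conf;

    # HSTS (optional but recommended). One year, covering all subdomains —
    # make sure every subdomain actually serves valid HTTPS before enabling
    # includeSubDomains, because browsers will refuse plain HTTP to them for
    # the whole max-age. "always" also sends the header on error responses.
    # Caveat: any location block that declares its own add_header drops the
    # headers inherited from this level, so repeat this line there if needed.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/example.com/html;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}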

Self-Signed Certificate (Dev Only)

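# Generate self-signed certificate (development only — browsers and tools will
# not trust it, and OCSP stapling is meaningless for it since there is no
# responder). Restrict the umask first so the private key is never created
# world-readable; the CN alone is ignored by modern clients, so a SAN is added.
umask 077
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/nginx/ssl/self-signed.key \
  -out /etc/nginx/ssl/self-signed.crt \
  -subj "/CN=localhost" \
  -addext "subjectAltName=DNS:localhost"
chmod 600 /etc/nginx/ssl/self-signed.key

# Generate DH parameters (only needed if DHE-* cipher suites are enabled;
# the ECDHE-only list in ssl-params.conf does not use them). This takes a
# few minutes; 2048 bits is the minimum acceptable size.
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048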

SNI (Multiple Certificates)

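# Several certificates on one IP/port: nginx selects the server block (and
# therefore the certificate) from the SNI hostname the client sends.
# A client that sends no SNI, or an unknown name, is answered by the
# default server for port 443 — the first block below unless one is marked
# default_server — and receives that site's certificate. Add an explicit
# catch-all with "return 444;" if that disclosure is undesirable.
# Each block needs its own hardening include; the snippet is not inherited.

# Site 1
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name site1.com;
    ssl_certificate /etc/nginx/ssl/site1.com.crt;
    ssl_certificate_key /etc/nginx/ssl/site1.com.key;
    include snippets/ssl-params.conf;
}

# Site 2
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name site2.com;
    ssl_certificate /etc/nginx/ssl/site2.com.crt;
    ssl_certificate_key /etc/nginx/ssl/site2.com.key;
    include snippets/ssl-params.conf;
}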