Basic SSL Configuration
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example.com;
ssl_certificate /etc/nginx/ssl/example.com.crt;
ssl_certificate_key /etc/nginx/ssl/example.com.key;
# ... rest of config
}
Modern SSL Settings
# /etc/nginx/snippets/ssl-params.conf
# Protocols (TLS 1.2 and 1.3 only)
ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suites
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
# DH parameters (generate with: openssl dhparam -out dhparam.pem 2048)
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# Session settings
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
HTTP to HTTPS Redirect
server {
listen 80;
listen [::]:80;
server_name example.com www.example.com;
return 301 https://$host$request_uri;
}
Complete HTTPS Server
# Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name example.com www.example.com;
return 301 https://example.com$request_uri;
}
# HTTPS server
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example.com www.example.com;
# SSL certificate
ssl_certificate /etc/nginx/ssl/example.com.crt;
ssl_certificate_key /etc/nginx/ssl/example.com.key;
# Include SSL settings
include snippets/ssl-params.conf;
# HSTS (optional but recommended)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
root /var/www/example.com/html;
index index.html;
location / {
try_files $uri $uri/ =404;
}
}
Self-Signed Certificate (Dev Only)
# Generate self-signed certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/nginx/ssl/self-signed.key \
-out /etc/nginx/ssl/self-signed.crt \
-subj "/CN=localhost"
# Generate DH parameters
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
SNI (Multiple Certificates)
# Site 1
server {
listen 443 ssl http2;
server_name site1.com;
ssl_certificate /etc/nginx/ssl/site1.com.crt;
ssl_certificate_key /etc/nginx/ssl/site1.com.key;
}
# Site 2
server {
listen 443 ssl http2;
server_name site2.com;
ssl_certificate /etc/nginx/ssl/site2.com.crt;
ssl_certificate_key /etc/nginx/ssl/site2.com.key;
}
intermediate | SSL/TLS | Updated 2025-01-15
- nginx
- ssl
- tls
- https
- certificate
- security