
Ramer Labs

7 Tips for Securing Nginx with TLS and Firewall Rules Today

Introduction

As a DevOps lead, you know that a web server is the front line of every internet‑facing service. Nginx is fast, flexible, and widely used, but its default installation leaves a lot of security and performance on the table. This tutorial walks you through seven practical steps to lock down TLS, tighten firewall rules, and squeeze out extra performance without breaking your existing workflow.


1. Enforce Strong TLS Settings

Why it matters

TLS termination is the first line of defense against eavesdropping and man‑in‑the‑middle attacks. Weak ciphers or outdated protocol versions can expose sensitive data.

Action steps

  • Install a reputable certificate (Let’s Encrypt is free and automated).
  • Set ssl_prefer_server_ciphers on; so the server’s cipher order, not the client’s, decides which suite is negotiated.
  • Disable SSLv3, TLSv1, and TLSv1.1.
  • Enable only modern cipher suites.

Sample Nginx snippet

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1h;
}

2. Enable HTTP/2 and OCSP Stapling

Both features reduce latency and improve perceived performance.

  • Add listen 443 ssl http2; (already in the snippet above).
  • Configure OCSP stapling to avoid extra round‑trips:
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
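A quick way to audit a server block for the settings in tips 1 and 2 before reloading, as an added example that is not from the original post: a small Python linter that parses the directives and reports weak protocols, a missing server cipher preference, no HTTP/2 and incomplete OCSP stapling. The two sample configurations inside it are constructed for this example.

```python
import re

# Added example (not from the original post): a small linter for the TLS
# directives of an Nginx server block, covering the settings in tips 1 and 2.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# directive name, then its arguments up to ';' on the same line ("server {" is skipped)
DIRECTIVE_RE = re.compile(r'^\s*([a-z0-9_]+)\s+([^;\n{}]*);', re.M)

def parse_directives(config):
    """Map each directive name to its argument list (first occurrence wins)."""
    found = {}
    for name, args in DIRECTIVE_RE.findall(config):
        found.setdefault(name, args.replace('"', "").split())
    return found

def lint_tls(config):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_directives(config)
    first = lambda name: (d.get(name) or ["off"])[0]
    findings = []
    protos = set(d.get("ssl_protocols", []))
    weak = protos & WEAK_PROTOCOLS
    if weak:
        findings.append("weak protocols enabled: " + ", ".join(sorted(weak)))
    if "TLSv1.3" not in protos:
        findings.append("TLSv1.3 not enabled")
    if first("ssl_prefer_server_ciphers") != "on":
        findings.append("ssl_prefer_server_ciphers is not on")
    # accepts 'listen ... http2' (older releases) or 'http2 on;' (nginx 1.25.1+)
    if "http2" not in d.get("listen", []) and first("http2") != "on":
        findings.append("HTTP/2 not enabled")
    if first("ssl_stapling") != "on":
        findings.append("OCSP stapling is off")
    elif first("ssl_stapling_verify") != "on":
        findings.append("ssl_stapling_verify is off")
    elif "resolver" not in d:
        findings.append("ssl_stapling needs a resolver directive")
    return findings

# Constructed samples: a legacy block and the hardened block from the post.
WEAK_CONFIG = """server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; }"""
HARDENED_CONFIG = """server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s; }"""
```

Run it over each server block of your nginx.conf and treat any non-empty result as a blocker for the reload.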

3. Harden the Linux Firewall (UFW)

Quick audit

Run sudo ufw status verbose to see current rules. By default, Ubuntu ships with a permissive policy.

Hardened rule set

# Deny everything by default
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (limit to prevent brute force)
sudo ufw limit ssh

# Allow HTTP/HTTPS
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Enable the firewall
sudo ufw enable

Verify

sudo ufw status numbered should list only the SSH limit rule and the two web ports, 80/tcp and 443/tcp (on a host with IPv6 enabled, each rule also appears as a (v6) entry).

4. Deploy Fail2Ban for Brute‑Force Protection

Fail2Ban monitors log files and bans IPs that show malicious signs.

sudo apt-get install fail2ban

Create /etc/fail2ban/jail.local with a minimal Nginx block:

[nginx-http-auth]
enabled = true
port    = http,https
filter  = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 3
bantime = 3600

Restart the service: sudo systemctl restart fail2ban.
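To see what the nginx-http-auth jail above actually does with maxretry = 3, here is an added example (not from the original post) that replays the same detection logic in Python over a few constructed error.log lines: it matches the basic‑auth failure messages Nginx writes, counts them per client inside a sliding findtime window, and returns the clients that would be banned.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not from the original post): the check the nginx-http-auth
# jail performs, run over constructed error.log lines, so you can see which
# clients reach maxretry = 3 inside fail2ban's default 10-minute findtime.
AUTH_FAIL_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*\d+ '
    r'(?:user "[^"]*":? (?:password mismatch|was not found in "[^"]*")'
    r'|no user/password was provided for basic authentication), '
    r'client: (?P<ip>[0-9a-fA-F.:]+), ')

def parse_failures(lines):
    """Yield (timestamp, client_ip) for each basic-auth failure line."""
    for line in lines:
        m = AUTH_FAIL_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), m["ip"]

def ips_to_ban(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Return the IPs with at least maxretry failures inside one findtime window."""
    recent = defaultdict(list)   # ip -> timestamps still inside the window
    banned = set()
    for ts, ip in sorted(parse_failures(lines)):
        window = recent[ip] = [t for t in recent[ip] if ts - t <= findtime]
        window.append(ts)
        if len(window) >= maxretry:
            banned.add(ip)
    return banned

# Constructed sample: three failures from one client within seconds, two from
# another client half an hour apart, and one unrelated notice line.
SAMPLE_LOG = """\
2024/05/01 10:00:01 [error] 1234#1234: *1 user "admin": password mismatch, client: 203.0.113.5, server: example.com, request: "GET /admin HTTP/1.1"
2024/05/01 10:00:03 [error] 1234#1234: *2 user "root" was not found in "/etc/nginx/.htpasswd", client: 203.0.113.5, server: example.com, request: "GET /admin HTTP/1.1"
2024/05/01 10:00:04 [error] 1234#1234: *3 no user/password was provided for basic authentication, client: 203.0.113.5, server: example.com, request: "GET /admin HTTP/1.1"
2024/05/01 10:00:05 [error] 1234#1234: *4 user "alice": password mismatch, client: 198.51.100.7, server: example.com, request: "GET /admin HTTP/1.1"
2024/05/01 10:30:00 [error] 1234#1234: *5 user "alice": password mismatch, client: 198.51.100.7, server: example.com, request: "GET /admin HTTP/1.1"
2024/05/01 10:30:01 [notice] 1234#1234: signal process started
""".splitlines()
```

The second client never reaches three failures inside ten minutes, which is exactly the case a too-short findtime lets through; widen findtime or lower maxretry and it gets banned too.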

5. Optimize Compression: Gzip + Brotli

Compression reduces payload size, improving TTFB and overall speed.

# Gzip – works for all modern browsers
gzip on;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml+rss;
gzip_min_length 1024;

# Brotli – better compression ratio (requires ngx_brotli module)
brotli on;
brotli_comp_level 6;
brotli_types text/plain text/css application/json application/javascript text/xml application/xml+rss;

If you don’t have the Brotli module, install it via your package manager or compile Nginx with --add-module=....

6. Fine‑Tune Connection Settings

Adjust worker processes and keepalive settings to match your hardware.

worker_processes auto;          # main context: one worker per CPU core
events { worker_connections 1024; }
http {
    keepalive_timeout 65;
    keepalive_requests 100;
}

These values suit a typical 4‑core VPS; keep worker_processes equal to the number of CPU cores (auto does this for you) for best throughput.

7. Automate Certificate Renewal and Reload

Let’s Encrypt certificates expire every 90 days. Automate renewal with a systemd timer or cron job.

# Test renewal first
sudo certbot renew --dry-run

# The certbot package installs a systemd timer (or cron job) that runs renewals;
# after a renewal, reload Nginx so it serves the new certificate
sudo systemctl reload nginx

You can also hook into Certbot’s --deploy-hook to reload Nginx automatically.
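One way to wire that reload into Certbot, as an added example that is not from the original post: a deploy hook written in Python that refuses to reload when nginx -t fails, so a bad certificate path or config never takes the site down in the middle of a renewal. The install path and the command lists are assumptions; Certbot does export RENEWED_LINEAGE and RENEWED_DOMAINS to deploy hooks.

```python
#!/usr/bin/env python3
"""Certbot deploy hook: reload Nginx only if its configuration passes `nginx -t`.

Added example, not from the original post. Assumed install path:
/etc/letsencrypt/renewal-hooks/deploy/reload-nginx.py (must be executable).
Certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS when it runs the hook.
"""
import os
import subprocess
import sys

NGINX_TEST = ["nginx", "-t"]                  # assumed to be on PATH
NGINX_RELOAD = ["systemctl", "reload", "nginx"]

def run_ok(cmd):
    """True when the command exits 0; its output is discarded."""
    try:
        return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL).returncode == 0
    except OSError:      # command missing or not executable
        return False

def deploy(domains, test_cmd=NGINX_TEST, reload_cmd=NGINX_RELOAD):
    """Return a status string; the commands are parameters so the logic is testable."""
    if not run_ok(test_cmd):
        return f"skipped reload for {domains}: nginx configuration test failed"
    if not run_ok(reload_cmd):
        return f"reload failed for {domains}"
    return f"reloaded nginx for {domains}"

if __name__ == "__main__":
    # Certbot sets RENEWED_DOMAINS; fall back to a placeholder when run by hand.
    status = deploy(os.environ.get("RENEWED_DOMAINS", "<unknown>"))
    print(status, file=sys.stderr)
    # A non-zero exit shows up in Certbot's renewal log, so a skipped reload is not silent.
    sys.exit(0 if status.startswith("reloaded") else 1)
```

Register it with certbot renew --deploy-hook /path/to/reload-nginx.py or drop the executable file into /etc/letsencrypt/renewal-hooks/deploy/, which Certbot runs after every successful renewal.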


Putting It All Together

After applying the seven steps, run a quick sanity check:

  • openssl s_client -connect example.com:443 -servername example.com – verify the cipher suite and protocol version.
  • curl -I https://example.com – confirm HTTP/2 and compression headers.
  • sudo fail2ban-client status nginx-http-auth – ensure the jail is active.

Monitoring tools like Prometheus + Grafana can visualize TLS handshake latency, request rates, and blocked IP counts, giving you early warning of anomalies.

Conclusion

Securing Nginx is not a one‑off task; it’s a continuous process of tightening TLS, trimming the attack surface, and squeezing performance out of every request. By following these seven practical tips, you’ll protect your users, improve load times, and keep your infrastructure compliant with modern security standards. For deeper dives into server hardening and managed hosting options, you might find the resources at https://lacidaweb.com useful.
