Introduction
As a DevOps lead, you know that a mis‑configured web server can expose sensitive data and ruin user trust. Nginx is a popular reverse proxy, but out‑of‑the‑box it ships with a fairly permissive TLS setup. This tutorial walks you through seven practical steps to lock down TLS, enable HTTP/2, and squeeze out extra performance without breaking compatibility.
1. Obtain a Trusted Certificate
- Free option: Use Let’s Encrypt with certbot.
- Enterprise option: Purchase an EV certificate from a reputable CA.
# Install certbot (Debian/Ubuntu example)
sudo apt-get update && sudo apt-get install -y certbot python3-certbot-nginx
# Generate a certificate for example.com and www.example.com
sudo certbot --nginx -d example.com -d www.example.com
The command automatically updates your Nginx configuration with a basic SSL block. We’ll refine it in the next steps.
2. Enforce TLS 1.2+ Only
Older protocol versions are vulnerable to POODLE, BEAST, and other attacks. Add the following to your server block:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
TLS 1.3 is supported on modern OpenSSL builds and offers lower latency.
3. Choose Strong Cipher Suites
A well‑crafted cipher list balances security and compatibility. The Mozilla SSL Configuration Generator recommends the following for intermediate compatibility:
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
Avoid RSA‑only key exchange and the RC4, 3DES, or MD5 families.
4. Enable HTTP/2 for Faster Page Loads
HTTP/2 reduces round‑trips and multiplexes streams over a single connection. Simply add the http2 flag to the listen directive:
listen 443 ssl http2;
Make sure your client base supports HTTP/2; the fallback to HTTP/1.1 is automatic.
5. Harden Headers: HSTS, OCSP Stapling, and Referrer‑Policy
The HSTS header tells browsers to stay on HTTPS, which protects against downgrade attacks; OCSP stapling lets the server attach a fresh revocation status to the TLS handshake, and Referrer‑Policy limits what browsers leak in the Referer header.
# HTTP Strict Transport Security (max 2 years)
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# OCSP Stapling – reduces latency for certificate revocation checks
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Referrer‑Policy – limit information leakage
add_header Referrer-Policy "no-referrer-when-downgrade" always;
If you plan to submit your domain to the HSTS preload list, verify the header meets the requirements.
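As an added check for steps 2, 3 and 5 (example code written for this tutorial, not part of Nginx or the original article), the script below parses a server block and flags legacy protocols, weak or non‑forward‑secret cipher suites, an HSTS header that falls short of the preload requirements, and missing OCSP stapling. The two sample blocks are constructed: a permissive "before" and the hardened "after" from this guide.

```python
import re
# Constructed sample blocks (not from the article): a permissive "before" and the hardened "after".
WEAK_CONF = '''
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "AES128-SHA:RC4-SHA:DES-CBC3-SHA";
add_header Strict-Transport-Security "max-age=300";
'''
HARDENED_CONF = '''
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305";
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
'''
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC3", "MD5", "NULL", "EXPORT")
TOKEN = re.compile(r'"([^"]*)"|(;)|([^\s"#;]+)')  # quoted arg | terminator | bare word

def directives(conf):
    """Split an Nginx block into (name, args); quoted args may contain ';' and spaces."""
    out, cur = [], []
    for quoted, end, bare in TOKEN.findall(re.sub(r"#[^\n]*", "", conf)):
        if not end:
            cur.append(quoted or bare)
        elif cur:
            out.append((cur[0], cur[1:]))
            cur = []
    return out

def audit(conf):
    """Return findings for this guide's checks; an empty list means the block passes."""
    findings, seen = [], {}
    for name, args in directives(conf):  # add_header entries are keyed by lower-cased header name
        seen[f"add_header {args[0].lower()}" if name == "add_header" and args else name] = args
    protos = set(seen.get("ssl_protocols", []))
    if not protos or protos & LEGACY_PROTOCOLS:
        findings.append("ssl_protocols must list only TLSv1.2 and/or TLSv1.3")
    for suite in (s for s in ":".join(seen.get("ssl_ciphers", [])).split(":") if s and s[0] != "!"):
        if any(m in suite.upper() for m in WEAK_MARKERS):
            findings.append(f"weak cipher suite: {suite}")
        elif not suite.startswith(("ECDHE-", "DHE-")):
            findings.append(f"RSA key exchange, no forward secrecy: {suite}")
    hsts = seen.get("add_header strict-transport-security")  # [header name, value, flags...]
    age = re.search(r"max-age=(\d+)", hsts[1]) if hsts else None
    params = {p.strip().lower() for p in hsts[1].split(";")} if hsts else set()
    if not age or int(age.group(1)) < 31536000 or not {"includesubdomains", "preload"} <= params:
        findings.append("HSTS missing or below preload bar: max-age >= 1 year, includeSubDomains, preload")
    if seen.get("ssl_stapling") != ["on"] or seen.get("ssl_stapling_verify") != ["on"]:
        findings.append("OCSP stapling is off or unverified (ssl_stapling / ssl_stapling_verify on)")
    return findings
```

Run audit() on the ssl block of your own config; the weak sample yields six findings, the hardened one none.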
6. Turn On Gzip/Brotli Compression
Compressing static assets reduces bandwidth and improves TTFB. Nginx supports both Gzip and the newer Brotli module.
# Gzip (fallback)
gzip on;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml+rss image/svg+xml;
# Brotli (requires the ngx_brotli module)
brotli on;
brotli_comp_level 6;
brotli_types text/plain text/css application/json application/javascript text/xml application/xml+rss image/svg+xml;
Brotli offers ~20 % better compression for text assets.
7. Test and Monitor Continuously
After applying the changes, run a quick sanity check:
# SSL Labs test (public)
curl -s https://www.ssllabs.com/ssltest/analyze.html?d=example.com | grep "Grade"
# Verify HTTP/2 support locally
curl -I -s --http2 https://example.com | grep "HTTP/2"
For ongoing monitoring, add a Prometheus exporter like nginx‑exporter and set alerts for:
- Expiring certificates (30‑day warning)
- TLS handshake failures
- Unexpected protocol downgrades
Conclusion
By following these seven steps you’ll have an Nginx front‑end that:
- Only speaks modern TLS versions
- Uses vetted cipher suites
- Serves content over HTTP/2 with efficient compression
- Communicates security intent via headers
- Keeps an eye on certificate health and performance
Implementing a hardened TLS stack is a one‑time investment that pays dividends in user trust and SEO rankings. For more hands‑on guides and a curated list of production‑ready Nginx snippets, check out https://lacidaweb.com.