Introduction
Transport Layer Security (TLS) is the backbone of any modern web service. When you’re running Nginx on a Linux box, a sloppy TLS setup can expose your users to man‑in‑the‑middle attacks, data leakage, and poor performance. This checklist walks a DevOps lead through the essential steps to lock down Nginx TLS, squeeze out every bit of performance, and keep the configuration maintainable.
1️⃣ Generate Strong Private Keys and Certificates
- Prefer ECC over RSA – Elliptic Curve Cryptography (e.g., prime256v1) gives comparable security with smaller keys and faster handshakes.
- Use at least 2048‑bit RSA if you must stay with RSA.
- Store keys with restricted permissions (chmod 600).
# Generate an ECC private key
openssl ecparam -genkey -name prime256v1 -out /etc/nginx/ssl/privkey.pem
# Create a CSR (replace placeholders as needed)
openssl req -new -key /etc/nginx/ssl/privkey.pem -out /etc/nginx/ssl/nginx.csr -subj "/C=US/ST=CA/L=SF/O=Acme Corp/CN=example.com"
# Self‑sign for internal use (replace with CA‑signed cert in prod)
openssl req -x509 -nodes -days 365 -key /etc/nginx/ssl/privkey.pem -in /etc/nginx/ssl/nginx.csr -out /etc/nginx/ssl/fullchain.pem
2️⃣ Enforce TLS 1.3‑Only and Disable Legacy Protocols
Legacy protocols (SSLv2/3, TLS 1.0/1.1) are riddled with known exploits. Modern browsers support TLS 1.3, which also reduces round‑trip latency.
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
3️⃣ Choose a Hardened Cipher Suite
A curated list of ciphers prevents weak algorithms like 3DES or RC4.
# With OpenSSL, ssl_ciphers only governs TLS 1.2 and earlier; TLS 1.3 suites are
# selected with ssl_conf_command (nginx 1.19.4+, OpenSSL 1.1.1+)
ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256;
ssl_ecdh_curve secp384r1;
Why these ciphers? They are all TLS 1.3 native, provide forward secrecy, and are widely supported.
4️⃣ Enable HTTP/2 and OCSP Stapling
HTTP/2 reduces latency for asset loading, and OCSP stapling eliminates the extra round‑trip needed for certificate revocation checks.
listen 443 ssl http2;  # nginx 1.25.1+ prefers "listen 443 ssl;" plus "http2 on;"
ssl_stapling on;
# Verification needs the issuer chain via ssl_trusted_certificate
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s; # Google DNS for OCSP
5️⃣ Deploy HSTS and Secure Cookie Flags
HTTP Strict Transport Security (HSTS) tells browsers to always use HTTPS for your domain.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
When you serve cookies, add Secure; HttpOnly; SameSite=Strict to mitigate XSS and CSRF.
6️⃣ Use Diffie‑Hellman Parameters for Perfect Forward Secrecy
Even with ECC, providing a strong DH group for RSA‑based handshakes is a good safety net.
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
Reference it in the Nginx block:
# Only used by TLS 1.2 DHE cipher suites; TLS 1.3 negotiates its groups via ssl_ecdh_curve
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
7️⃣ Redirect All HTTP Traffic to HTTPS and Log Securely
A single server block can catch plain HTTP and issue a 301 redirect.
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;
    # … TLS config from above …
    access_log /var/log/nginx/secure_access.log combined;
    error_log /var/log/nginx/secure_error.log warn;
}
Tip: Define a log_format that includes $ssl_protocol and $ssl_cipher to audit which clients negotiate weaker protocols or ciphers.
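As an added example (not from the original post), the script below audits an access log written with such a log_format. The format string in the comment, the sample log lines, and the idea of flagging anything outside the hardened TLS 1.3 suite list from section 3 are all assumptions made for this example.

```python
"""Audit TLS negotiation from an Nginx access log (constructed example)."""
import re
from collections import Counter

# Assumed log_format (add to the http block, then use it in access_log):
#   log_format tls '$remote_addr [$time_local] "$request" $status $ssl_protocol $ssl_cipher';
#   access_log /var/log/nginx/secure_access.log tls;
LINE_RE = re.compile(
    r'^(?P<addr>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<proto>\S+) (?P<cipher>\S+)$'
)

# The hardened suite list from section 3; any other cipher is reported.
HARDENED = {"TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256"}
LEGACY_PROTOS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}


def parse_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(lines):
    """Return (protocol counts, cipher counts, flagged (addr, proto, cipher) tuples).

    Nginx logs "-" for an empty variable, so plain-HTTP hits on the port 80
    redirect show up as proto "-" and are counted but never flagged.
    """
    protos, ciphers, flagged = Counter(), Counter(), []
    for rec in filter(None, map(parse_line, lines)):
        protos[rec["proto"]] += 1
        ciphers[rec["cipher"]] += 1
        if rec["proto"] == "-":
            continue
        if rec["proto"] in LEGACY_PROTOS or rec["cipher"] not in HARDENED:
            flagged.append((rec["addr"], rec["proto"], rec["cipher"]))
    return protos, ciphers, flagged


# Constructed sample lines; the TLSv1.2 hit shows what a legacy client looks like.
SAMPLE_LOG = """\
203.0.113.10 [10/Oct/2024:13:55:36 +0000] "GET / HTTP/2.0" 200 TLSv1.3 TLS_AES_256_GCM_SHA384
203.0.113.11 [10/Oct/2024:13:55:37 +0000] "GET /app HTTP/2.0" 200 TLSv1.3 TLS_CHACHA20_POLY1305_SHA256
198.51.100.7 [10/Oct/2024:13:55:38 +0000] "GET / HTTP/1.1" 200 TLSv1.2 ECDHE-RSA-AES128-SHA
198.51.100.7 [10/Oct/2024:13:55:39 +0000] "GET / HTTP/1.1" 301 - -
"""

if __name__ == "__main__":
    protos, ciphers, flagged = audit(SAMPLE_LOG.splitlines())
    for proto, n in protos.most_common():
        print(f"{proto:8} {n}")
    for addr, proto, cipher in flagged:
        print(f"FLAGGED {addr} {proto} {cipher}")
```

Point it at the real file with `audit(open("/var/log/nginx/secure_access.log"))` once the log_format above is in place.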
Monitoring and Automation
- Fail2Ban: Block repeated TLS handshake failures.
- Certbot / acme.sh: Automate certificate renewal; schedule a cron job (0 3 * * * /usr/bin/certbot renew --quiet).
- Prometheus Exporter: Use nginx-exporter to expose TLS metrics (handshake latency, protocol usage).
Quick Checklist Recap
| ✅ | Item |
|---|---|
| 1 | Generate ECC/RSA keys with proper permissions |
| 2 | Enforce TLS 1.3 only |
| 3 | Apply hardened cipher suite |
| 4 | Enable HTTP/2 and OCSP stapling |
| 5 | Add HSTS header and secure cookie flags |
| 6 | Include strong DH parameters |
| 7 | Redirect HTTP → HTTPS and log TLS details |
Conclusion
Securing Nginx TLS isn’t a one‑time task; it’s a living configuration that must evolve with browser support and emerging cryptographic research. By following this checklist you’ll reduce attack surface, improve latency, and gain visibility into TLS usage across your fleet. For deeper dives into Linux‑based hosting best practices, you might find the resources at https://lacidaweb.com helpful.