DEV Community

Ramer Labs

7 Tips for TLS Hardening on Nginx – Modern Ciphers and Forward Secrecy

Introduction

Transport Layer Security (TLS) is the backbone of encrypted web traffic. For a DevOps lead managing high‑traffic sites, a mis‑configured TLS stack can leak data, degrade performance, or even expose your server to downgrade attacks. This checklist walks you through the most effective hardening steps for Nginx on Linux, focusing on modern cipher suites, Perfect Forward Secrecy (PFS), and minimal latency.


1. Use a Recent TLS Version

Older protocol versions (SSLv3, TLS 1.0/1.1) are riddled with known vulnerabilities. In your nginx.conf enable only TLS 1.2 and TLS 1.3:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;

Both versions are widely supported by browsers today, and TLS 1.3 brings a 30‑40 % reduction in handshake latency.


2. Choose Strong Cipher Suites

A well‑curated cipher list prevents fallback to weak algorithms. The following set works for most browsers while keeping CPU usage low:

ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";
# ssl_ciphers takes exactly one argument, so the list must be a single colon-separated string.
# The TLS 1.3 suites are not selected through ssl_ciphers when nginx is built against OpenSSL;
# nginx 1.19.4+ sets them (this is already OpenSSL's default order) through ssl_conf_command:
ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256;
  • Why these ciphers?
    • All are AEAD (Authenticated Encryption with Associated Data) – no need for separate MAC.
    • They use Elliptic Curve Diffie‑Hellman (ECDHE) for PFS.
    • The list prefers 256‑bit keys but falls back to 128‑bit for older hardware.

3. Enforce Perfect Forward Secrecy

PFS ensures that even if your private key is later compromised, recorded past sessions cannot be decrypted with it, because each session's key was derived from an ephemeral key exchange. The ECDHE suites above already provide PFS, but you can double‑check by offering the server only ECDHE suites:

openssl s_client -connect example.com:443 -cipher "ECDHE" -tls1_2

If the handshake succeeds and the output shows Cipher : ECDHE-RSA-AES256-GCM-SHA384 (or another ECDHE suite), you're good.


4. Harden Certificate Chain

  • Use a reputable CA – avoid self‑signed certificates in production.
  • Include intermediate certificates – a full chain avoids extra round‑trips.
  • Enable OCSP stapling to let browsers verify revocation status without separate requests:

ssl_stapling on;
ssl_stapling_verify on;
# ssl_stapling_verify needs the issuer and intermediate certificates to validate the
# stapled response; the path below is a placeholder for your own chain file
ssl_trusted_certificate /path/to/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

5. Optimize TLS Session Resumption

Session tickets reduce handshake overhead. Turn them on, but rotate the ticket key daily to limit exposure:

ssl_session_cache   shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets on;
# the directive is ssl_session_ticket_key (nginx has no ssl_ticket_key)
ssl_session_ticket_key /etc/nginx/ticket.key;

Generate a fresh ticket key with:

openssl rand 48 > /etc/nginx/ticket.key
chmod 600 /etc/nginx/ticket.key
# nginx reads the key file only at startup and on reload, so reload after rotating
nginx -s reload
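
The two commands above are the manual version of a daily rotation. The following added Python example (my own, not from the post) does the same job the way a cron job should: it writes the new 48-byte key atomically with mode 0600 so it is never briefly world-readable, keeps the previous key so tickets issued before the rotation still resume, and checks the installed file. The file names, the scratch-directory demo and the check function are assumptions of this example; the key size and the ticket.key name come from the post.

```python
import os
import tempfile
from pathlib import Path

TICKET_KEY_BYTES = 48          # the post's key size; nginx also accepts 80-byte keys
CURRENT_NAME = "ticket.key"    # matches ssl_session_ticket_key /etc/nginx/ticket.key
PREVIOUS_NAME = "ticket.key.prev"   # assumed name for the decrypt-only fallback key


def rotate_ticket_key(conf_dir):
    """Write a fresh random key atomically and keep the old one as a fallback.

    Returns (current_path, previous_path_or_None).
    """
    conf_dir = Path(conf_dir)
    current = conf_dir / CURRENT_NAME
    previous = conf_dir / PREVIOUS_NAME

    # mkstemp creates the file with mode 0600 in the target directory, so the final
    # rename is atomic on the same filesystem and the key never appears half-written.
    fd, tmp_name = tempfile.mkstemp(dir=conf_dir, prefix=".ticket.key.")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(os.urandom(TICKET_KEY_BYTES))   # kernel CSPRNG, as openssl rand uses
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp_name, 0o600)
    except BaseException:
        os.unlink(tmp_name)
        raise

    prev_path = None
    if current.exists():
        os.replace(current, previous)   # old key keeps already-issued tickets decryptable
        prev_path = previous
    os.replace(tmp_name, current)
    return current, prev_path


def check_ticket_key(path):
    """Return a list of problems with an installed key file (empty list = OK)."""
    problems = []
    st = os.stat(path)
    if st.st_size not in (48, 80):
        problems.append(f"{path}: size {st.st_size} is not 48 or 80 bytes")
    if st.st_mode & 0o077:
        problems.append(f"{path}: mode {oct(st.st_mode & 0o777)} is readable by group/other")
    return problems


def demo_rotation(workdir=None):
    """Rotate twice in a scratch directory and report what an operator would verify."""
    workdir = Path(workdir) if workdir else Path(tempfile.mkdtemp(prefix="ticket-demo-"))
    first, _ = rotate_ticket_key(workdir)
    first_bytes = first.read_bytes()
    current, previous = rotate_ticket_key(workdir)
    return {
        "current_ok": check_ticket_key(current) == [],
        "previous_ok": previous is not None and check_ticket_key(previous) == [],
        "previous_is_old_key": previous is not None and previous.read_bytes() == first_bytes,
        "keys_differ": current.read_bytes() != first_bytes,
    }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/nginx"
    cur, prev = rotate_ticket_key(target)
    print("installed", cur, "kept", prev, check_ticket_key(cur) or "OK")
```

To make the kept key useful, list both files in nginx; when several keys are given, only the first one encrypts new tickets and the others are used for decryption, which is exactly the rotation case the nginx documentation describes: ssl_session_ticket_key /etc/nginx/ticket.key; followed by ssl_session_ticket_key /etc/nginx/ticket.key.prev;. Follow the rotation with nginx -s reload, since the files are read only at startup and reload. Rotating at least as often as ssl_session_timeout (1d above) bounds how long a leaked ticket key can decrypt resumed sessions.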

6. Enable HTTP/2 (or HTTP/3) Over TLS

Both protocols multiplex streams, reducing latency for page loads. In Nginx 1.19+ you can enable HTTP/2 easily:

listen 443 ssl http2;
# For HTTP/3 (requires nginx built with the QUIC module, 1.25+). QUIC runs over UDP,
# so it is a separate listen next to the TCP one, and clients learn about it via Alt-Svc:
# listen 443 quic reuseport;
# http3 on;
# add_header Alt-Svc 'h3=":443"; ma=86400';

If you’re feeling adventurous, try the experimental HTTP/3 module for sub‑millisecond improvements.


7. Test and Monitor Continuously

Hardening is not a one‑off task. Use automated tools to catch regressions:

  • Qualys SSL Labs – free deep scan, grades A‑ to F.
  • Mozilla Observatory – checks for best‑practice headers.
  • Prometheus + node_exporter – monitor TLS handshake latency:

scrape_configs:
  - job_name: 'nginx_tls'
    static_configs:
      # 9113 is the default port of nginx-prometheus-exporter
      - targets: ['localhost:9113']

Set alerts for handshake times > 200 ms or certificate expiry within 30 days.


Bonus: Reduce TLS Overhead with Brotli Compression

While not a TLS setting per se, serving compressed assets over HTTPS saves bandwidth without compromising security. In Nginx:

# requires nginx built with the ngx_brotli module
brotli on;
brotli_comp_level 6;
brotli_types text/plain text/css application/javascript application/json image/svg+xml;

Combine this with HTTP/2’s header compression for a snappy user experience.


Conclusion

A solid TLS configuration on Nginx protects data, improves performance, and builds trust with users. By following the seven steps above—updating protocols, curating ciphers, enforcing PFS, perfecting the certificate chain, enabling session resumption, turning on HTTP/2/3, and continuously testing—you’ll have a future‑proof, low‑latency HTTPS endpoint.

When you’re ready to audit your entire stack or need a managed Linux environment that respects these hardening practices, consider checking out https://lacidaweb.com for a straightforward, developer‑friendly hosting solution.
