Ramer Labs

Posted on Sep 23

The Ultimate Checklist for Securing Nginx with TLS and HTTP/2

#nginx #security #linux #devops

Introduction

As an SRE, you know that a mis‑configured web server is an open invitation for attackers. Nginx is a popular reverse proxy and static file server, but out‑of‑the‑box it ships with permissive TLS settings and no HTTP/2 optimizations. This checklist walks you through the essential steps to lock down Nginx, enable modern TLS, and squeeze performance out of HTTP/2—all while keeping operational overhead low.

1. Acquire a Trusted Certificate

Use a reputable CA – Let’s Encrypt offers free, automated certificates that renew every 90 days. For production workloads, consider a paid CA for extended validation.
Automate renewal – Install certbot or acme.sh and add a cron job:

0 3 * * * /usr/bin/certbot renew --quiet --post-hook "systemctl reload nginx"

Store keys securely – Keep private keys in /etc/ssl/private with permissions 600 and owned by root:root.

2. Enforce Strong TLS Versions and Cipher Suites

Older protocols (TLS 1.0/1.1) are vulnerable to POODLE and BEAST. Limit Nginx to TLS 1.2 and TLS 1.3 only:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH";
ssl_prefer_server_ciphers on;

Prefer server ciphers – This prevents clients from downgrading to weak suites.
Use forward‑secrecy – Include ECDHE/ECDH groups. Tools like SSL Labs can verify your score.

3. Enable HTTP/2 for Faster Page Loads

HTTP/2 multiplexes streams over a single TLS connection, reducing latency. Activate it with the http2 flag on the listen directive:

listen 443 ssl http2;

Make sure your TLS configuration meets the HTTP/2 requirements (no TLSv1.0, no RC4 ciphers). Test with curl -I --http2 https://yourdomain.com.

4. Harden Headers and Enable HSTS

Security‑related response headers add another layer of protection:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;
add_header Referrer-Policy no-referrer-when-downgrade;

HSTS tells browsers to always use HTTPS for the next year.
always ensures the header is added even on error responses.

5. Deploy OCSP Stapling

OCSP stapling reduces the TLS handshake time and protects against certificate revocation attacks:

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

Check the status with openssl s_client -connect yourdomain.com:443 -status.

6. Restrict Cipher Suites for Older Clients (Optional)

If you have legacy browsers, you can create a separate server block listening on a non‑HTTP/2 port (e.g., 8443) with a more permissive cipher suite, then redirect all traffic to the hardened 443 block.

7. Firewall and Rate‑Limiting

UFW/iptables – Allow only ports 80 and 443 from the internet, block everything else.
Fail2Ban – Protect against brute‑force attempts on the admin endpoint:

[nginx-http-auth]
enabled = true
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 5
bantime = 3600

Rate limit connections to mitigate DoS attacks:

limit_req_zone $binary_remote_addr zone=one:10m rate=30r/s;
limit_req zone=one burst=10 nodelay;

8. Logging and Monitoring

Enable request and error logs with a JSON format for easy ingestion into ELK or Loki:

log_format json_escape '{"time":"$time_iso8601","remote_addr":"$proxy_protocol_addr","host":"$host","request":"$request","status":$status,"bytes_sent":$body_bytes_sent,"request_time":$request_time}';
access_log /var/log/nginx/access.json json_escape;

Set up alerts for sudden spikes in 4xx/5xx responses using Prometheus + Alertmanager.

9. Regular Patch Management

Nginx vulnerabilities surface regularly. Automate OS and package updates:

apt-get update && apt-get upgrade -y
systemctl restart nginx

On Debian/Ubuntu, enable unattended upgrades for security patches only.

10. Verify Your Hardening

Run these checks after each change:

SSL Labs test – Aim for an A+ rating.
Qualys SSL Server Test – Confirms OCSP stapling and HSTS.
curl -I -s -D - https://yourdomain.com – Verify headers.
nginx -t – Ensure config syntax is correct before reload.

Conclusion

By following this checklist you’ll have a Nginx front‑end that speaks TLS 1.3, streams over HTTP/2, and resists the most common web‑based attacks. The combination of strong ciphers, HSTS, OCSP stapling, and proactive monitoring creates a defense‑in‑depth posture without sacrificing performance.

If you’re looking for a reliable hosting partner that can help you implement these hardening steps on a managed platform, consider checking out https://lacidaweb.com for a smooth, developer‑friendly experience.

DEV Community