Introduction
Transport Layer Security (TLS) is the backbone of modern web security, and Nginx is one of the most popular front‑end servers for delivering encrypted traffic. As a DevOps lead, you’ll often be asked to harden Nginx without sacrificing performance. This checklist walks you through the essential steps— from certificate management to HTTP/2 tuning— that keep your production endpoints both fast and safe.
1. Use TLS 1.3 Wherever Possible
TLS 1.3 removes a round trip from the handshake and drops the legacy mechanisms (static RSA key exchange, CBC-mode suites, RC4, 3DES, compression, renegotiation) that most TLS attacks of the past decade targeted. Edit your nginx.conf (or a site-specific file) to enforce it:

```nginx
server {
    listen 443 ssl http2;            # nginx 1.25.1+ deprecates the http2 listen parameter in favour of "http2 on;"
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;   # every TLS 1.3 suite is AEAD with forward secrecy; let the client pick the one its hardware accelerates
    ssl_certificate     /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;
    # … other directives …
}
```
If you must support older clients, add TLSv1.2 to ssl_protocols as well. The order of the list has no effect: nginx and the client negotiate the highest version both support, so TLS 1.3-capable clients still get TLS 1.3. Do not go below 1.2; TLS 1.0 and 1.1 are deprecated (RFC 8996) and fail every current compliance scan.
2. Deploy Strong Cipher Suites for TLS 1.2
When TLS 1.2 is required, restrict the suite list to AEAD ciphers with an ephemeral (ECDHE) key exchange. That is what gives forward secrecy: a later compromise of the server's private key does not let an attacker decrypt traffic recorded earlier. A well-tested set, written as the single OpenSSL cipher string that ssl_ciphers expects:

```nginx
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
ssl_prefer_server_ciphers on;   # for TLS 1.2, impose the order above instead of the client's preference
```

Avoid RC4, 3DES, DES, CBC-mode suites, and any suite with static RSA key exchange, recognisable by a name without an ECDHE- or DHE- prefix (AES128-GCM-SHA256, for example); those have no forward secrecy. The ECDHE-RSA-* entries above are fine: RSA there is only the authentication algorithm, and the key exchange is still ephemeral ECDH. Note that ssl_ciphers does not govern TLS 1.3 suites at all; OpenSSL keeps those in a separate list that rarely needs changing (ssl_conf_command Ciphersuites ... if you must).
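To see what that string actually turns on, rather than trusting the names, expand it with the same OpenSSL library nginx links against. The Python script below is an added example, not code from the original post: it feeds the checklist's ssl_ciphers value and a deliberately weak list (both constructed here) to the standard ssl module, lists the TLS 1.2 suites OpenSSL enables in server preference order, and flags any suite without an ECDHE/DHE key exchange or with a broken primitive.

```python
"""Expand an nginx ssl_ciphers string with the local OpenSSL and check
every enabled TLS 1.2 suite for forward secrecy.

Added example, not from the original post."""
import ssl

# The TLS 1.2 suite list from section 2, exactly as nginx would see it.
CHECKLIST_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
)

# A weak list constructed for this example: static RSA key exchange
# (AES128-SHA) and 3DES (DES-CBC3-SHA) mixed in with one good suite.
WEAK_CIPHERS = "AES128-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256"

# Suites with forward secrecy carry an ephemeral key-exchange prefix.
# "RSA" on its own is not a red flag: ECDHE-RSA-* uses RSA only to sign.
FS_PREFIXES = ("ECDHE-", "DHE-")
# Primitives that disqualify a suite even when the key exchange is ephemeral.
BROKEN = ("RC4", "DES", "NULL", "EXPORT", "MD5")


def expand(cipher_string):
    """TLS 1.2 suite names OpenSSL enables for this string, in the
    server's preference order (the order ssl_prefer_server_ciphers on uses)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # OpenSSL always lists its TLS 1.3 suites as well; ssl_ciphers does not
    # control them, so leave them out of the TLS 1.2 picture.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Names of enabled suites that lack forward secrecy or use a broken
    primitive. An empty list means the string passes."""
    flagged = []
    for name in expand(cipher_string):
        if not name.startswith(FS_PREFIXES):
            flagged.append(name)          # static RSA key exchange: no forward secrecy
        elif any(token in name for token in BROKEN):
            flagged.append(name)          # ephemeral exchange, but a broken cipher or MAC
    return flagged


if __name__ == "__main__":
    for label, cs in (("checklist", CHECKLIST_CIPHERS), ("weak", WEAK_CIPHERS)):
        print(f"{label}: {expand(cs)}")
        print(f"  flagged: {audit(cs) or 'none'}")
```

Run it on the host that will serve the config: the expansion depends on the OpenSSL version and its configured security level, and a suite that OpenSSL silently drops from the list is not an error at nginx startup, which is exactly why checking the expansion rather than the string is worthwhile.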
3. Enable HTTP/2 for Faster Page Loads
HTTP/2 multiplexes many requests over a single TLS connection, so a page's assets no longer queue behind one another or open half a dozen parallel TCP and TLS handshakes as they do with HTTP/1.1. The gain shows up in overall page load time more than in the TTFB of any single request. Enable it on the listen directive (nginx 1.25.1 and later prefer a separate `http2 on;` directive and log a deprecation warning for the listen parameter, which still works):

```nginx
listen 443 ssl http2;
```

HTTP/2 over TLS is negotiated with ALPN (Application-Layer Protocol Negotiation). Nginx advertises `h2` automatically once HTTP/2 is enabled, as long as it is built against an OpenSSL with ALPN support (1.0.2 or newer). Check the result from outside with `openssl s_client -alpn h2 -connect example.com:443`, which prints "ALPN protocol: h2" on success and "No ALPN negotiated" otherwise.
4. Harden Certificate Management
a. Use an Automated Renewal Tool
Let certbot, acme.sh, or your preferred ACME client handle renewals. Most distribution packages of certbot already install a systemd timer or cron job that runs `certbot renew` twice a day, so add your own entry only if yours does not. A typical one looks like:

```
0 3 * * * /usr/bin/certbot renew --quiet --post-hook "systemctl reload nginx"
```

`certbot renew` only touches certificates within 30 days of expiry, so daily runs are cheap. Prefer `--deploy-hook` over `--post-hook` for the reload: it fires only when a certificate was actually renewed instead of on every run. Keep the private key readable by root only; the nginx master process reads it as root before the workers drop privileges, so the workers never need access.
b. Enable OCSP Stapling
OCSP stapling moves the revocation check from the client to the server: nginx fetches the signed OCSP response itself, caches it, and attaches it to the handshake. The client no longer makes its own OCSP request, which saves a round trip, removes a lookup that browsers soft-fail anyway, and stops the CA from learning which sites a user visits:

```nginx
ssl_stapling on;
ssl_stapling_verify on;               # nginx checks the stapled response against the issuer chain before using it
resolver 8.8.8.8 8.8.4.4 valid=300s;  # used to resolve the OCSP responder; prefer the host's local resolver over a public one
resolver_timeout 5s;
```

ssl_stapling_verify only works when nginx can build the issuer chain, so put the intermediate and root certificates in ssl_trusted_certificate (or make sure the full chain is in ssl_certificate). Check the result with `openssl s_client -connect example.com:443 -status`, which prints the stapled "OCSP Response Data" when it is present. One caveat for the future: Let's Encrypt has announced that it is retiring OCSP in favour of CRLs, so certificates without an OCSP URL give nginx nothing to staple; the directives are harmless then, but no longer buy anything.
5. Enforce Strict Transport Security (HSTS)
Tell browsers to use HTTPS only, for the next year (max-age=31536000 seconds). Add the header only once you are confident every host under the domain serves a valid certificate, because includeSubDomains makes browsers refuse plain HTTP for every subdomain, including the internal or forgotten ones. The always parameter matters: without it, add_header omits the header on 4xx and 5xx responses.

```nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
```

Two gotchas. First, add_header is not inherited additively: a location block with its own add_header line drops every add_header from the enclosing server block, so repeat the HSTS line in such locations or put it in a shared include. Second, start with a short max-age (a few minutes) and raise it only after the redirects and certificates have been verified; a wrong HSTS header with a one-year lifetime locks users out for that long.

Submit the domain at https://hstspreload.org to protect users on their very first visit. The list requires this exact header on the base domain, a redirect from HTTP to HTTPS, and should be treated as permanent: removal takes months to propagate through browser releases.
6. Redirect All HTTP Traffic to HTTPS
A separate server block on port 80 whose only job is a permanent redirect ensures no plaintext request is ever served content:

```nginx
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
```

Keep this as its own server block with no `ssl` parameter on its listen line; nginx does not nest server blocks, and a stray `ssl` on port 80 would turn the redirect into a TLS listener that plain HTTP clients cannot talk to. The explicit server_name is what makes `$host` safe here, because the block only receives requests whose Host header matches it. For a catch-all default_server on port 80, redirect to a fixed hostname instead (or `return 444;` to drop the connection), since redirecting to an attacker-chosen Host value is an open redirect. Use 301 rather than 302 so browsers cache the redirect.
7. Fine‑Tune SSL Session Settings
Resuming a TLS session skips the full handshake, and with it the certificate verification and key exchange, on repeat connections; that saves CPU on the server and a round trip for the client. Configure a shared session cache:

```nginx
ssl_session_cache shared:SSL:10m;  # 1 MB holds about 4000 sessions, so 10m is roughly 40,000
ssl_session_timeout 1d;
```

The shared zone is visible to every worker process, so a session created by one worker can be resumed by another. Nginx also issues TLS session tickets by default (ssl_session_tickets), encrypted under a key it generates at startup and replaces only on reload or restart. A TLS 1.2 ticket carries the session's master secret, so anyone who obtains that key can decrypt recorded traffic for every session resumed under it, which undoes forward secrecy for the key's lifetime. Either rotate keys with ssl_session_ticket_key (sharing them across a cluster if you need cross-host resumption) or set ssl_session_tickets off and rely on the cache alone, which is what Mozilla's server-side TLS guidance recommends.
Bonus: Additional Hardening Layers
- Drop TLS 1.0 and 1.1 entirely (both deprecated by RFC 8996), so that only the two modern versions remain:

```nginx
ssl_protocols TLSv1.2 TLSv1.3;
```

- SSLv2 and SSLv3 need no action: current nginx builds leave them out of the default ssl_protocols, and OpenSSL has removed SSLv2 support altogether.
- DANE (RFC 6698) publishes TLSA records in DNS that pin your certificate or its issuer. It depends on DNSSEC for your zone, not on your CA, and mainstream browsers do not check it, so today its practical value is for SMTP between mail servers rather than for HTTPS.
- Deploy a Web Application Firewall (WAF) such as ModSecurity with `SecRuleEngine DetectionOnly` first, review the alerts for false positives, and only then switch to `SecRuleEngine On`.
- After each change, rescan with Qualys SSL Labs (https://www.ssllabs.com/ssltest/) or testssl.sh and keep the reports; a grade drop after a package upgrade is exactly the regression these scans catch.
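Putting the checklist together, and checking it before every deploy: the Python script below is an added example, not code from the original post. It embeds a complete server pair assembled from sections 1 to 7 (the hardened sample uses the `http2 on;` directive of nginx 1.25.1+ and a local stub resolver at 127.0.0.53, both assumptions) plus a deliberately weak variant, and runs a set of checks mirroring the checklist over each. The parser is a plain-text approximation of the nginx grammar with no inheritance between http, server and location blocks, so treat it as a pre-commit sanity check, not a substitute for testssl.sh against the live endpoint.

```python
"""Audit an nginx TLS configuration against the checklist above.

Added example, not from the original post. Sample configs are constructed
for it; the directive parser is a regex approximation of nginx syntax."""
import re

# One directive per match. Quoted arguments may contain semicolons (the HSTS
# value does), so a quoted string is consumed as a single unit.
DIRECTIVE = re.compile(r'^\s*(\w+)\s+((?:"[^"]*"|\'[^\']*\'|[^;{}"\'])*?)\s*;', re.M)
ONE_YEAR = 31536000


def directives(conf):
    """Map directive name -> list of argument strings, comments removed."""
    found = {}
    for name, args in DIRECTIVE.findall(re.sub(r"#.*", "", conf)):
        found.setdefault(name, []).append(args.strip())
    return found


def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    d = directives(conf)
    findings = []

    def first(name, default=""):
        return d.get(name, [default])[0]

    # 1 / bonus: only TLS 1.2 and 1.3 (nginx's own default still lists TLSv1 and TLSv1.1)
    protos = first("ssl_protocols", "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3").split()
    findings += [f"legacy protocol enabled: {p}" for p in protos if p not in ("TLSv1.2", "TLSv1.3")]
    # 2: with TLS 1.2 on, the server must impose the curated suite order
    if "TLSv1.2" in protos and first("ssl_prefer_server_ciphers", "off") != "on":
        findings.append("ssl_prefer_server_ciphers is not on")
    # 3: HTTP/2 in either form (listen parameter, or the http2 directive on 1.25.1+)
    if "http2" not in " ".join(d.get("listen", [])) and first("http2", "off") != "on":
        findings.append("HTTP/2 not enabled")
    # 4b: stapling needs a resolver to reach the OCSP responder
    if first("ssl_stapling", "off") != "on":
        findings.append("OCSP stapling off")
    elif "resolver" not in d:
        findings.append("ssl_stapling on but no resolver configured")
    # 5: HSTS with a one-year max-age, sent on error responses too
    hsts = [a for a in d.get("add_header", []) if a.startswith("Strict-Transport-Security")]
    if not hsts:
        findings.append("no HSTS header")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0])
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if not hsts[0].endswith("always"):
            findings.append("HSTS header lacks 'always' (omitted on 4xx/5xx responses)")
    # 6: a plaintext listener that only redirects
    if not any(a.startswith("301 https://") for a in d.get("return", [])):
        findings.append("no 301 redirect from HTTP to HTTPS")
    # 7: shared session cache, and no tickets under nginx's unrotated default key
    if not first("ssl_session_cache").startswith("shared:"):
        findings.append("no shared ssl_session_cache")
    if first("ssl_session_tickets", "on") == "on":
        findings.append("session tickets on with nginx's default, unrotated key")
    return findings


# Constructed sample: the checklist's sections 1-7 assembled into one config.
HARDENED = r"""
server {                                   # section 6: plaintext listener only redirects
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    http2 on;                              # section 3 (assumes nginx >= 1.25.1)
    server_name example.com www.example.com;
    ssl_certificate     /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;         # section 1 and bonus
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
    ssl_prefer_server_ciphers on;          # section 2
    ssl_stapling on;                       # section 4b
    ssl_stapling_verify on;
    resolver 127.0.0.53 valid=300s;        # assumption: the host's local stub resolver
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;  # section 5
    ssl_session_cache shared:SSL:10m;      # section 7
    ssl_session_timeout 1d;
    ssl_session_tickets off;
}
"""

# Constructed sample: the kind of config the checklist is meant to replace.
WEAK = r"""
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    add_header Strict-Transport-Security "max-age=300";
}
"""

if __name__ == "__main__":
    for label, conf in (("hardened", HARDENED), ("weak", WEAK)):
        print(f"{label}: {audit(conf) or 'all checks passed'}")
```

Point `audit()` at the output of `nginx -T` (which dumps the fully merged configuration) rather than at a single file, so that directives set at the http level are seen as well; the checks are deliberately conservative and will flag a missing ssl_session_tickets off even on clusters that rotate ticket keys properly, which is a review prompt rather than a verdict.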
Conclusion
Hardening Nginx for TLS and HTTP/2 is a blend of security hygiene and performance tuning. By following this checklist— from enforcing TLS 1.3, picking forward‑secrecy ciphers, enabling OCSP stapling, to setting HSTS and proper redirects— you’ll protect your users while keeping latency low. Remember to automate certificate renewals and regularly scan your endpoints for regressions.
For deeper dives on Nginx best practices, the community at https://lacidaweb.com offers practical guides and real‑world case studies that can help you stay ahead of emerging threats.