Introduction
As a DevOps lead, you know that a mis‑configured web server can expose sensitive data and ruin user trust. Nginx is a popular reverse proxy, but out‑of‑the‑box it ships with a fairly permissive TLS setup. This tutorial walks you through seven practical steps to lock down TLS, enable HTTP/2, and squeeze out extra performance without breaking compatibility.
1. Obtain a Trusted Certificate
- Free option: Use Let’s Encrypt with certbot.
- Enterprise option: Purchase an EV certificate from a reputable CA.
# Install certbot (Debian/Ubuntu example)
sudo apt-get update && sudo apt-get install -y certbot python3-certbot-nginx
# Generate a certificate for example.com and www.example.com
sudo certbot --nginx -d example.com -d www.example.com
The command automatically updates your Nginx configuration with a basic SSL block. We’ll refine it in the next steps.
2. Enforce TLS 1.2+ Only
Older protocol versions (SSL 3.0, TLS 1.0 and TLS 1.1) are vulnerable to POODLE, BEAST, and other attacks. Add the following to your server block:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
TLS 1.3 is supported on modern OpenSSL builds and offers lower latency.
3. Choose Strong Cipher Suites
A well‑crafted cipher list balances security and compatibility. The Mozilla SSL Configuration Generator recommends the following for intermediate compatibility:
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
Keep the whole cipher string on one line; Nginx does not treat a trailing backslash as a line continuation. Avoid RSA‑only key exchange and the RC4, 3DES, or MD5 families.
4. Enable HTTP/2 for Faster Page Loads
HTTP/2 reduces round‑trips and multiplexes streams over a single connection. Simply add the http2 flag to the listen directive:
listen 443 ssl http2;
On Nginx 1.25.1 and newer the http2 parameter of listen is deprecated; use the separate http2 on; directive instead. Make sure your client base supports HTTP/2; the fallback to HTTP/1.1 is automatic.
5. Harden Headers: HSTS, OCSP Stapling, and Referrer‑Policy
HSTS tells browsers to stay on HTTPS, which blocks protocol‑downgrade attacks; OCSP stapling speeds up revocation checks and Referrer‑Policy limits what URLs leak to third parties.
# HTTP Strict Transport Security (max-age = 2 years)
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# OCSP Stapling – reduces latency for certificate revocation checks
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Referrer‑Policy – limit information leakage
add_header Referrer-Policy "no-referrer-when-downgrade" always;
If you plan to submit your domain to the HSTS preload list, verify the header meets the requirements. Two caveats: ssl_stapling_verify needs the issuer chain configured via ssl_trusted_certificate, and an add_header inside a location block replaces every add_header inherited from the server block, so repeat the headers there or keep them at a single level.
6. Turn On Gzip/Brotli Compression
Compressing static assets reduces bandwidth and improves TTFB. Nginx supports Gzip natively and Brotli through the third‑party ngx_brotli module.
# Gzip (fallback)
gzip on;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml+rss image/svg+xml;
# Brotli (requires the ngx_brotli module)
brotli on;
brotli_comp_level 6;
brotli_types text/plain text/css application/json application/javascript text/xml application/xml+rss image/svg+xml;
Brotli offers ~20 % better compression for text assets. Be careful with dynamic responses (application/json included): compressing a response that mixes a secret such as a CSRF token with attacker‑controlled input over TLS exposes it to the BREACH compression side channel, so limit compression to asset types that carry no secrets.
7. Test and Monitor Continuously
After applying the changes, run a quick sanity check:
# SSL Labs test (public)
curl -s https://www.ssllabs.com/ssltest/analyze.html?d=example.com | grep "Grade"
# Verify HTTP/2 support locally
curl -I -s --http2 https://example.com | grep "HTTP/2"
For ongoing monitoring, add a Prometheus exporter like nginx‑exporter and set alerts for:
- Expiring certificates (30‑day warning)
- TLS handshake failures
- Unexpected protocol downgrades
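The live checks above need a running server; a static audit of the configuration file itself can run in CI before a deploy. The following is an added example, not code from the original tutorial: it parses Nginx directives (honouring quoted values such as the HSTS header) and checks steps 2, 3 and 5. The sample server block is constructed and deliberately leaves out ssl_trusted_certificate so the audit has something to report.

```python
# Static audit of an Nginx server block against the TLS steps in this tutorial.
# Added example, not from the original post: parses config text offline, never contacts a server.
import re

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")  # compared against upper-cased names
HSTS_PRELOAD_MIN_AGE = 31536000  # one year, the minimum max-age the preload list accepts
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[;{}]|[^\s;{}"\']+')

def parse_directives(config):
    """Return (name, arguments) pairs; comments dropped, quotes honoured, braces end a statement."""
    pairs, stmt = [], []
    for tok in TOKEN.findall(re.sub(r"#[^\n]*", "", config)):
        if tok in ";{}":
            if stmt:
                pairs.append((stmt[0], " ".join(stmt[1:])))
            stmt = []
        else:
            stmt.append(tok.strip("\"'"))
    return pairs

def audit_tls(config):
    """Return a list of findings; an empty list means every check passed."""
    directives = parse_directives(config)
    args = lambda name: [a for n, a in directives if n == name]
    findings = []
    weak = set(" ".join(args("ssl_protocols")).split()) & WEAK_PROTOCOLS
    if weak:
        findings.append("weak protocols enabled: " + ", ".join(sorted(weak)))
    for suite in ":".join(args("ssl_ciphers")).split(":"):
        if not suite or suite.startswith("!"):
            continue  # empty entry or an OpenSSL exclusion such as !MD5
        if any(m in suite.upper() for m in WEAK_CIPHER_MARKERS):
            findings.append("weak cipher suite: " + suite)
        elif not suite.startswith(("ECDHE-", "DHE-")):
            findings.append("non-forward-secret key exchange: " + suite)
    hsts = [a for a in args("add_header") if a.startswith("Strict-Transport-Security")]
    age = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    if not hsts:
        findings.append("Strict-Transport-Security header missing")
    elif not age or int(age.group(1)) < HSTS_PRELOAD_MIN_AGE or "includeSubDomains" not in hsts[0]:
        findings.append("HSTS does not meet preload requirements (max-age >= 1 year, includeSubDomains)")
    if "on" in args("ssl_stapling_verify") and not args("ssl_trusted_certificate"):
        findings.append("ssl_stapling_verify on but ssl_trusted_certificate is not set")
    return findings

# Constructed sample mirroring this tutorial's block, deliberately without an OCSP trust chain.
HARDENED = """listen 443 ssl http2; ssl_protocols TLSv1.2 TLSv1.3; ssl_stapling on; ssl_stapling_verify on;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;"""
```

Run `audit_tls(open("/etc/nginx/sites-enabled/example.conf").read())` in a pre-deploy job and fail the build on any finding.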
Conclusion
By following these seven steps you’ll have an Nginx front‑end that:
- Only speaks modern TLS versions
- Uses vetted cipher suites
- Serves content over HTTP/2 with efficient compression
- Communicates security intent via headers
- Keeps an eye on certificate health and performance
Implementing a hardened TLS stack is a one‑time investment that pays dividends in user trust and SEO rankings. For more hands‑on guides and a curated list of production‑ready Nginx snippets, check out https://lacidaweb.com.