Nginx

SSL/TLS Commands

Implement secure HTTPS connections with modern TLS protocols, automate certificate management with Let's Encrypt and Certbot, configure strong cipher suites, and enable security headers like HSTS.

8 commands

Pro Tips

Use Certbot for free Let's Encrypt certificates: `certbot --nginx -d example.com` automates the entire setup.

Enable HTTP/2 with HTTPS for better performance: `listen 443 ssl http2;` in your server block.

Configure HSTS to force HTTPS: `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`

Use Mozilla SSL Configuration Generator to get modern cipher suites and TLS settings for your Nginx version.

Common Mistakes

Never commit SSL private keys to version control. Store them securely with restricted file permissions (chmod 600).

Test SSL configuration with SSL Labs before going live - misconfigurations can leave your site vulnerable.

Commands

SSL certificate paths

$ ssl_certificate /etc/ssl/certs/example.com.crt; ssl_certificate_key /etc/ssl/private/example.com.key;

Configure certificate and key file locations

Install Let's Encrypt certificate

$ sudo certbot --nginx -d example.com -d www.example.com

Obtain free SSL with Certbot

Enable HSTS

$ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Force browsers to always use HTTPS

Modern TLS protocols only

$ ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on;

Disable outdated SSL versions

HTTP to HTTPS redirect

$ server { listen 80; server_name example.com; return 301 https://$server_name$request_uri; }

Redirect all HTTP to HTTPS

Renew certificates

$ sudo certbot renew

Renew all Let's Encrypt certificates

Test certificate renewal

$ sudo certbot renew --dry-run

Test renewal process without renewing

SSL session cache

$ ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m;

Cache SSL sessions for performance