
Securing Nginx with SSL/TLS

Jul 25, 2025 am 12:33 AM

1. Obtain a valid SSL certificate (Let's Encrypt is recommended; certbot issues it and configures Nginx automatically); 2. configure Nginx to enable only TLSv1.2/1.3, a strong cipher suite and security headers such as HSTS; 3. redirect HTTP traffic to HTTPS; 4. test the configuration and confirm that the certificate renews automatically. The result is a secure, trusted HTTPS site.


Securing Nginx with SSL/TLS isn't just about checking a box—it's about protecting your users, building trust, and improving SEO. If you're running an Nginx web server, setting up HTTPS properly is essential. Here's how to do it right without overcomplicating things.


1. Get a Valid SSL Certificate

You've got options:

  • Let's Encrypt (Free & Recommended) : Use certbot to automate certificate issuance and renewal.
  • Commercial CA (e.g., DigiCert, Sectigo) : For enterprise needs or extended validation (EV).

For Let's Encrypt:

sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

The --nginx plugin proves control of each name to Let's Encrypt, installs the certificate into your server block, and the package sets up a systemd timer (or cron job) that runs certbot renew for you. Easy win.


2. Configure Nginx for Strong TLS

Edit your Nginx site config (usually in /etc/nginx/sites-available/your-site ):

server {
    listen 443 ssl http2;   # on nginx 1.25.1+ the http2 flag is deprecated: use "listen 443 ssl;" plus "http2 on;"
    server_name yourdomain.com www.yourdomain.com;   # every name the certificate covers, otherwise www falls through to the default server

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;   # leaf + intermediate, not cert.pem
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    # Strong protocols & ciphers (ssl_ciphers governs TLS 1.2 only; TLS 1.3 suites are fixed by the TLS library)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;   # every listed suite is AEAD with forward secrecy, so the client may choose

    # Session resumption: repeat connections skip the full handshake
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # Security headers ("always" sends them on 4xx/5xx responses too)
    # Add "; includeSubDomains" to HSTS only once every subdomain is served over HTTPS.
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
}

Why this matters:

  • http2 boosts performance over HTTPS (browsers negotiate HTTP/2 only over TLS, via ALPN).
  • Disabling TLS 1.0 and 1.1 (deprecated by RFC 8996) removes protocol versions with known weaknesses that modern clients no longer need.
  • HSTS ( max-age=63072000 ) tells browsers to use HTTPS for two years, even if someone types http:// . It only takes effect after the first successful HTTPS visit, and once cached a broken certificate locks users out for the whole max-age, so test with a short value before committing to two years.
  • Nginx add_header lines are not inherited into a location block that sets any add_header of its own; such a block must repeat the HSTS line or it silently stops sending it.

3. Redirect HTTP → HTTPS Automatically

Add this block to redirect all insecure traffic:

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    # $host keeps the name the client asked for, so www and the apex each land on their own HTTPS name
    return 301 https://$host$request_uri;
}

This ensures users never land on an unencrypted page, even if they forget to type "https://". Keep this block off the default_server: on a catch-all server, $host is whatever Host header the client sent, and the redirect would point at any hostname an attacker chooses. Certbot's --nginx plugin offers to add an equivalent redirect during issuance, so check that you do not end up with two.


4. Test & Monitor

  • Run nginx -t before reloading the config ( systemctl reload nginx ). It also fails if the certificate or key cannot be loaded, so a bad path never reaches production.
  • Test your setup at SSL Labs SSL Test ( https://www.ssllabs.com/ssltest/ ).
    Aim for an A or A+ rating; A+ requires HSTS with a max-age of at least six months.
  • Verify auto-renewal for Let's Encrypt:
     sudo certbot renew --dry-run

    If that passes, you're golden. Certificates are valid for 90 days and certbot renews any that are within 30 days of expiry, so each one is replaced roughly every 60 days by the certbot.timer systemd unit (snap installs use snap.certbot.renew.timer); confirm it is scheduled with systemctl list-timers. Because the --nginx plugin was used as the installer, a successful renewal also reloads Nginx so the new certificate is actually served.
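Sections 2 through 4 can be checked mechanically before you reload. The script below is an added example, not code from the article, Nginx or certbot: a small POSIX sh lint that reads an Nginx site file and reports the mistakes described above (TLS 1.0/1.1 still enabled, a missing or short HSTS header without `always`, a leaf-only cert.pem instead of fullchain.pem, a port-80 server that serves content instead of redirecting, and a location block whose own add_header silently drops the inherited HSTS line). The two sample configs it writes to temporary files (example.test, /api/, port 3000) are constructed for the demo; for real use point it at /etc/nginx/sites-available/your-site.

```shell
#!/bin/sh
# tls_lint.sh: static audit of an nginx site config against the TLS advice above.
# Added example, not from the article, nginx or certbot. Needs only POSIX sh,
# sed, grep, awk and mktemp. The two sample configs at the bottom are constructed.

# Each check reads $CONF (the config with # comments stripped) and prints
# "FAIL: ..." or "WARN: ..." lines; each always exits 0 so later checks still run.
check_protocols() {
    printf '%s\n' "$CONF" | awk '
        /ssl_protocols/ { seen = 1
            for (i = 2; i <= NF; i++) { t = $i; sub(/;$/, "", t)
                if (t == "SSLv2" || t == "SSLv3" || t == "TLSv1" || t == "TLSv1.1") bad = bad " " t } }
        END { if (!seen) print "WARN: no ssl_protocols directive; the nginx build default decides what is offered"
              else if (bad != "") print "FAIL: deprecated protocols enabled (RFC 8996):" bad }'
}
check_hsts() {
    hsts=$(printf '%s\n' "$CONF" | grep -E 'add_header[[:space:]]+Strict-Transport-Security' | head -n 1)
    if [ -z "$hsts" ]; then
        echo "FAIL: no Strict-Transport-Security header; browsers will keep accepting http:// for this host"
        return 0
    fi
    maxage=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
    if [ "${maxage:-0}" -lt 31536000 ]; then
        echo "WARN: HSTS max-age ${maxage:-missing} is under one year (the article uses 63072000)"
    fi
    if ! printf '%s\n' "$hsts" | grep -q 'always'; then
        echo "WARN: HSTS add_header lacks always, so the header is omitted from error responses"
    fi
}
check_chain() {
    if printf '%s\n' "$CONF" | grep -Eq 'ssl_certificate[[:space:]]+[^;]*/cert\.pem'; then
        echo "WARN: ssl_certificate points at cert.pem (leaf only); use fullchain.pem so clients get the intermediate"
    fi
}
# Walk server/location blocks by brace depth. Flags a :80 server with no https
# redirect, and a location whose own add_header drops the inherited HSTS line.
check_blocks() {
    printf '%s\n' "$CONF" | awk '
        /^[ \t]*server[ \t]*[{]/  { sdepth = depth; sline = NR; in_srv = 1; srv_http = 0; srv_redir = 0 }
        /^[ \t]*location[^{]*[{]/ { ldepth = depth; lline = NR; in_loc = 1; loc_add = 0; loc_hsts = 0 }
        in_srv && /listen[ \t]+([^ \t;]*:)?80[ \t;]/ { srv_http = 1 }
        in_srv && /return[ \t]+30[1278][ \t]+https:/  { srv_redir = 1 }
        in_loc && /add_header/                        { loc_add = 1 }
        in_loc && /Strict-Transport-Security/         { loc_hsts = 1 }
        { t = $0; depth += gsub(/[{]/, "", t) - gsub(/[}]/, "", t)
          if (in_loc && depth <= ldepth) { in_loc = 0
              if (loc_add && !loc_hsts) print "WARN: location block at line " lline " sets add_header without HSTS, so the inherited Strict-Transport-Security header is dropped there" }
          if (in_srv && depth <= sdepth) { in_srv = 0
              if (srv_http && !srv_redir) print "FAIL: server block at line " sline " listens on :80 but never redirects to https" } }'
}
# Usage: tls_lint FILE. Prints findings; exit status 1 if any FAIL, else 0.
tls_lint() {
    CONF=$(sed 's/#.*$//' "$1")
    findings=$( { check_protocols; check_hsts; check_chain; check_blocks; } )
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; fi
    ! printf '%s\n' "$findings" | grep -q '^FAIL'
}

# Constructed sample configs: the mistakes described in the article, then the fixed form.
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat >"$WEAK_CONF" <<'EOF'
server {
    listen 80;
    server_name example.test;
    root /var/www/html;
}
server {
    listen 443 ssl;
    server_name example.test;
    ssl_certificate     /etc/letsencrypt/live/example.test/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.test/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=300";
    location /api/ {
        add_header X-Frame-Options DENY;
        proxy_pass http://127.0.0.1:3000;
    }
}
EOF
cat >"$HARD_CONF" <<'EOF'
server {
    listen 80;
    server_name example.test www.example.test;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name example.test www.example.test;
    ssl_certificate     /etc/letsencrypt/live/example.test/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.test/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    location /api/ {
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
        add_header X-Frame-Options DENY always;
        proxy_pass http://127.0.0.1:3000;
    }
}
EOF
for f in "$WEAK_CONF" "$HARD_CONF"; do
    if tls_lint "$f"; then echo "$f: no FAIL findings"; else echo "$f: fix before reloading"; fi
done
```

Run it as `sh tls_lint.sh` to see both reports, or call `tls_lint /etc/nginx/sites-available/your-site` from a deploy script and gate `systemctl reload nginx` on its exit status. It is deliberately line-oriented and knows nothing about `include` files or directives split across lines; for a full picture run it over the output of `nginx -T`, which dumps the complete merged configuration.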


    Bottom line : With just a few well-placed config lines and a free cert from Let's Encrypt, you can have a secure, fast, modern HTTPS site. No excuses—just do it.
    (And don't forget to test!)
