Hardening Nginx SSL/TLS Configuration

A few days ago I had to investigate an SSL issue on one of my customer’s servers. He had installed an SSL certificate, but the Nginx SSL configuration was not hardened at all, so he was getting a very poor grade when checking his site at SSL Server Test.

If you are in the same situation and have a grade lower than A, you should try to optimize your Nginx SSL configuration. Here are some tips to harden it.

1) Protocol Support

When you hear “SSL” you might think it is one single security protocol, but in fact it is not. There are many “SSL” protocols:

SSL 1.0 – SSL 2.0 – SSL 3.0
TLS 1.0 – TLS 1.1 – TLS 1.2

Both SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols designed to provide communication security over the Internet. However, at present, SSL v1, v2 and v3 are more insecure than the TLS protocols. TLS is the default on most SSL servers, as it is a more robust security protocol than its predecessor (SSL).

So the first step is to disable the old SSL protocols. Most people disable only SSLv2; however, if TLS 1.0 suffers a downgrade attack, the attacker could force an SSLv3 connection and break SSL PFS (perfect forward secrecy), a key part of the SSL cryptographic system.

Add this to your nginx.conf:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

2) Cipher Suite Configuration

These are very aggressive rules I use, please tweak as you need:


Let’s also mitigate BEAST attacks by adding this to your Nginx configuration:

ssl_prefer_server_ciphers on;

3) Configure Stronger DHE Parameters

As of version 1.4.4, Nginx still relies on OpenSSL for the input parameters to the Diffie-Hellman cryptographic protocol. This means that DHE (Ephemeral Diffie-Hellman) will use OpenSSL’s default cryptographic values, which results in a 1024-bit key. Today most people use 2048-bit certificates, so we need to generate stronger DHE parameters on our server:

cd /etc/ssl/certs && openssl dhparam -out dhparam.pem 2048

Now configure Nginx at http or server block level to use the new parameters:

ssl_dhparam /etc/ssl/certs/dhparam.pem;


If you are able, you should consider enabling the HSTS (HTTP Strict Transport Security) mechanism, which tells browsers to communicate with your websites only over the HTTPS protocol. This mechanism is very important for reducing man-in-the-middle attacks, for example. To enable HSTS on Nginx, add this code to the virtual host or server block of your site:

add_header Strict-Transport-Security max-age=15768000;

Virtual Host Example:

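server {
    listen 80;
    add_header Strict-Transport-Security max-age=15768000;
    # Redirect every plain-HTTP request to HTTPS ($host is assumed here;
    # a fixed site hostname works as well)
    return 301 https://$host$request_uri;
}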


How can I test my SSL security grade? There is an amazing website called Qualys SSL Labs; this company has some great SSL testing tools like:

Need to read more about SSL hardening? Check out SSLLabs Best Practices
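
As a local complement to the online test, here is an added example (not code from the original post) that parses an Nginx configuration and flags the settings covered above: SSLv2/SSLv3 left enabled, ssl_prefer_server_ciphers, ssl_dhparam, and HSTS, including an HSTS header placed on a plain-HTTP server block, which browsers ignore under RFC 6797. The function names and the sample config are constructed for illustration; the parser reads only http-level and server-level directives and does not follow include files.

```python
import re

# Constructed sample (not from the post): an HTTP block and a weak TLS block.
SAMPLE = """http { ssl_prefer_server_ciphers on;
  server { listen 80; add_header Strict-Transport-Security max-age=15768000; }
  server { listen 443 ssl; ssl_protocols SSLv3 TLSv1.2; location / { root /srv; } } }"""

def parse(conf):
    """Return (http-level directives, [top-level directives per server block])."""
    stack, words, http, servers = [], [], [], []
    tokens = re.findall(r'#[^\n]*|"[^"]*"|[{};]|[^\s{};"]+', conf)
    for tok in (t for t in tokens if t[0] != "#"):     # skip comments
        if tok not in ("{", "}", ";"):
            words.append(tok)
            continue
        if tok == "{":
            stack.append(words[0] if words else "")   # remember the block name
            if stack[-1] == "server":
                servers.append([])
        elif tok == "}" and stack:
            stack.pop()
        elif words and stack[-1:] == ["http"]:
            http.append(words)
        elif words and stack[-1:] == ["server"]:
            servers[-1].append(words)
        words = []
    return http, servers

def audit(conf):
    """Yield (server index, finding) pairs for the settings the post covers."""
    http, servers = parse(conf)
    for i, own in enumerate(servers):
        def get(name):  # server-level values replace those inherited from http
            local = [d[1:] for d in own if d[0] == name]
            return local or [d[1:] for d in http if d[0] == name]
        tls = any("ssl" in a for a in get("listen")) or ["on"] in get("ssl")
        hsts = any(a and a[0].lower() == "strict-transport-security"
                   for a in get("add_header"))
        protos = {p for a in get("ssl_protocols") for p in a}
        checks = [
            (hsts and not tls, "HSTS header sent over plain HTTP"),
            (tls and protos & {"SSLv2", "SSLv3"}, "SSLv2/SSLv3 enabled"),
            (tls and ["on"] not in get("ssl_prefer_server_ciphers"),
             "ssl_prefer_server_ciphers is not on"),
            (tls and not get("ssl_dhparam"), "ssl_dhparam is not set"),
            (tls and not hsts, "no HSTS header on the TLS server"),
        ]
        yield from ((i, msg) for failed, msg in checks if failed)
```

Run it as list(audit(open("/etc/nginx/nginx.conf").read())); an empty list means none of these checks fired for any server block.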

Esteban Borges

Linux Geek, Webperf Addict, Nginx Fan. CTO @Infranetworking

  • To be HSTS compliant your website should not issue an HSTS header over HTTP. A user agent should disregard this header as it could have been injected maliciously and the host website might not support SSL/TLS. Instead, you should only issue HSTS headers over a secure transport layer. The ‘add_header’ should ideally be removed from step 4.

  • Very useful post. It helped me to better understand nginx ssl configuration. While reading on the subject I found a couple of resources that may come in handy:

    1) Mozilla tool for automatic generation of SSL configurations for nginx, apache or ha-proxy:

    2) Qualys “SSL Server Test” for checking strength:


  • msx

    Watch out! TLSv1 protocol is rendered insecure as of today, 2015-06-04.
    Other than that, thanks a lot for this useful article.