nginx SSL Setup

Posted on 15 Jan 2015 by Eric Oestrich

I reconfigured SSL for nginx this morning and wanted to post the config that got me an “A” on SSL Labs. I will keep this post updated as I change it over time. Hopefully this will be helpful to someone else who is setting nginx up with SSL.

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
server {
  listen   443;

  ssl on;
  ssl_certificate /path/to/crt/example_com.crt;
  ssl_certificate_key /path/to/key/example_com.key;

  # ...

For redirecting all traffic on non-SSL to SSL:

server {
  listen 80 default deferred;
  rewrite ^(.*) https://$host$1 permanent;

For creating the crt file, the server’s crt should be first followed by a chain to the root CA. I got this flipped a few times and it took a bit to realize they were in the wrong order. It should be noted that nginx -t will let you know of this problem.

comments powered by Disqus
Creative Commons License
This site's content is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise specified. Code on this site is licensed under the MIT License unless otherwise specified.