
How to configure HTTPS and SSL certificates in Nginx?

February 21, 16:57


Configuring HTTPS in Nginx means enabling the SSL module on a listener and pointing it at a certificate and its private key, so that the connection is encrypted. HTTPS protects data in transit against eavesdropping and tampering.

Basic Configuration Example:

```nginx
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    location / {
        root /var/www/html;
        index index.html;
    }
}
```

SSL Certificate Configuration Parameters:

```nginx
server {
    listen 443 ssl http2;
    server_name example.com;

    # Certificate file paths
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # SSL protocol versions
    ssl_protocols TLSv1.2 TLSv1.3;

    # Cipher suites
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # SSL session cache
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/chain.crt;

    # HSTS
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
```

HTTP to HTTPS Automatic Redirect:

```nginx
server {
    listen 80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    location / {
        root /var/www/html;
    }
}
```

SSL Certificate Types:

  1. Self-signed certificates: For testing environments, not trusted by browsers
  2. Free certificates: Like Let's Encrypt, valid for 90 days, can be automatically renewed
  3. Commercial certificates: Issued by CA organizations, typically valid for 1 year

Let's Encrypt Certificate Application:

Use the Certbot tool to obtain free certificates:

```bash
# Install Certbot
sudo apt-get install certbot python3-certbot-nginx

# Obtain a certificate and automatically configure Nginx
sudo certbot --nginx -d example.com -d www.example.com

# Only obtain the certificate, without auto-configuring Nginx
sudo certbot certonly --nginx -d example.com
```

Certificate Renewal:

```bash
# Manual renewal
sudo certbot renew

# Automatic renewal (add to crontab)
0 0,12 * * * certbot renew --quiet
```

Security Configuration Recommendations:

  1. Use TLS 1.2 or higher
  2. Disable weak cipher suites
  3. Enable HSTS to prevent downgrade attacks
  4. Configure OCSP Stapling for better performance
  5. Regularly update certificates
  6. Use strong keys (at least 2048 bits)
  7. Enable HTTP/2 for better performance
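A small audit script that checks a server block against the recommendations above (weak protocol versions, weak cipher keywords, missing HSTS, OCSP stapling and HTTP/2). This is an added example written for this page, not code from the original post; the two sample server blocks and the keyword lists are constructed assumptions, and the parser only handles one directive per line.

```python
import re
# Constructed sample server blocks (assumed input for this example, not from the page).
WEAK_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers RC4:HIGH:MD5;
}
"""
HARDENED_CONF = """
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_stapling on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
"""
DIRECTIVE = re.compile(r"\s*([A-Za-z_]+)\s+([^;]*);")
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHERS = {"RC4", "MD5", "DES", "3DES", "aNULL", "eNULL", "EXPORT", "LOW"}

def parse_directives(conf):
    """Map directive name -> list of values (one per line), with '#' comments stripped."""
    found = {}
    for line in conf.splitlines():
        m = DIRECTIVE.match(line.split("#", 1)[0])
        if m:
            found.setdefault(m.group(1), []).append(m.group(2).strip())
    return found

def audit_tls_config(conf):
    """Return findings where the server block misses the recommendations above."""
    d = parse_directives(conf)
    findings = []
    weak_protos = set(" ".join(d.get("ssl_protocols", [])).split()) & WEAK_PROTOCOLS
    if weak_protos:
        findings.append("weak protocols enabled: " + ", ".join(sorted(weak_protos)))
    # OpenSSL cipher-list keywords are enabled unless prefixed with '!', so '!MD5' is fine.
    weak_on = [t for t in ":".join(d.get("ssl_ciphers", [])).split(":") if t in WEAK_CIPHERS]
    if weak_on:
        findings.append("weak cipher keywords enabled: " + ", ".join(weak_on))
    if not any("Strict-Transport-Security" in v for v in d.get("add_header", [])):
        findings.append("HSTS header missing")
    if d.get("ssl_stapling", ["off"])[-1] != "on":
        findings.append("OCSP stapling not enabled")
    # HTTP/2 is enabled via the listen flag or, on newer nginx, the 'http2 on;' directive.
    if not (any("http2" in v for v in d.get("listen", [])) or d.get("http2", [""])[-1] == "on"):
        findings.append("HTTP/2 not enabled on the TLS listener")
    return findings
```

Running `audit_tls_config(WEAK_CONF)` reports five findings, while the hardened block reports none.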

Performance Optimization:

```nginx
# SSL session cache
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;

# Enable HTTP/2
listen 443 ssl http2;

# SSL buffer size
ssl_buffer_size 4k;
```

Multi-Domain Certificate Configuration:

```nginx
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate /etc/nginx/ssl/wildcard.crt;
    ssl_certificate_key /etc/nginx/ssl/wildcard.key;

    location / {
        root /var/www/html;
    }
}
```

Certificate Chain Configuration:

If the certificate was issued through intermediate CAs, concatenate the server certificate and the intermediate certificates into one file, with the server certificate first:

```bash
cat example.com.crt intermediate.crt > bundle.crt
```

Then reference bundle.crt in the Nginx configuration:

```nginx
ssl_certificate /etc/nginx/ssl/bundle.crt;
```

Tags: Nginx