NGINX, Let's Encrypt, TLS 1.2/1.3 and HSTS ...
Hi Everyone,
This is a fairly simple post about how to configure your NGINX instance to use strong ciphers, HSTS and only TLS 1.2/1.3.
If you use certbot (Let's Encrypt) to obtain your SSL certificates and ran it with the NGINX plugin (the --nginx switch), it will usually add a file called options-ssl-nginx.conf under /etc/letsencrypt.
To keep things simple you can put these options in that file; certbot already includes it from the NGINX site configuration for your domain:
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# TLS 1.2 suites only; the TLS 1.3 suites are fixed by OpenSSL and are not selected here
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1;
ssl_session_timeout 10m;
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
resolver 9.9.9.11 149.112.112.11 valid=300s;
resolver_timeout 5s;
I also have these lines in my domain configuration file to enable HSTS and add a few headers that help against XSS and other known attacks:
server {
    listen 443 default_server ssl http2;
    root /var/www/html/example;
    index index.php;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # add_header lines at this level are inherited by a location block only if
    # that location defines no add_header of its own.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    # 'unsafe-inline' and 'unsafe-eval' in script-src weaken the XSS protection CSP
    # offers; drop them once the site's scripts allow it.
    add_header Content-Security-Policy "img-src * https://example.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://example.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com https://fonts.googleapis.com;";
    # Legacy header that current browsers ignore; the CSP above is the effective control.
    add_header X-XSS-Protection "1; mode=block" always;
}
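As an added check (my example, not the author's configuration), the small Python linter below reads an options-ssl-nginx.conf style snippet and flags the slips the blocks above are prone to: legacy versions in ssl_protocols, a directive repeated in the same block, and an HSTS header with a short max-age or without always. The sample configuration it parses is constructed for the demonstration.

```python
import shlex

# Constructed sample modelled on the post's options-ssl-nginx.conf, not a file from the
# post: ssl_session_cache is duplicated, legacy protocols and a short HSTS header added.
SAMPLE_CONF = """
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:10m;
ssl_stapling on; # Requires nginx >= 1.3.7
add_header Strict-Transport-Security "max-age=300; includeSubDomains";
add_header X-Frame-Options "SAMEORIGIN";
"""
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ONE_YEAR = 31536000  # seconds, the max-age the post uses


def parse_directives(conf: str) -> list:
    """Split one-line directives into (name, args); shlex keeps quoted values whole and drops '#' comments."""
    directives = []
    for raw in conf.splitlines():
        tokens = shlex.split(raw, comments=True)
        if tokens:
            tokens[-1] = tokens[-1].rstrip(";")  # the terminating ';' is not an argument
        tokens = [t for t in tokens if t]
        if tokens:
            directives.append((tokens[0], tokens[1:]))
    return directives


def lint(conf: str) -> list:
    """Report the slips a hand-edited TLS/HSTS block most often carries."""
    findings, seen, hsts = [], {}, None
    for name, args in parse_directives(conf):
        if name == "add_header" and args and args[0].lower() == "strict-transport-security":
            hsts = args
            continue  # repeated add_header lines are normal, so they skip the duplicate count
        seen[name] = seen.get(name, 0) + 1
        if name == "ssl_protocols" and set(args) & LEGACY_PROTOCOLS:
            findings.append("ssl_protocols enables legacy versions: "
                            + " ".join(sorted(set(args) & LEGACY_PROTOCOLS)))
    findings += [f"{n} appears {c} times in one block; keep a single copy" for n, c in seen.items() if c > 1]
    if hsts is None:
        return findings + ["no Strict-Transport-Security header: HSTS is not enabled"]
    value = hsts[1] if len(hsts) > 1 else ""
    params = {k.strip().lower(): v for k, _, v in (p.partition("=") for p in value.split(";"))}
    max_age = int(params.get("max-age", "0") or 0)
    if max_age < ONE_YEAR:
        findings.append(f"HSTS max-age={max_age} is below one year ({ONE_YEAR})")
    if "always" not in hsts[2:]:
        findings.append("HSTS add_header lacks 'always': nginx omits it on 4xx/5xx responses")
    return findings
```

Running lint() over the post's corrected options file plus its HSTS line returns an empty list.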
Of course, these are just examples; you can always tweak them to fit your needs.
I hope this helps you quickly deploy a website using SSL with recommended ciphers and protocols.