Version Overview

Nginx 1.0.x - 1.2.x
Deprecated
These are older Nginx versions that only support basic SSL/TLS functionality. They do not support modern features such as HTTP/2 and OCSP Stapling.
⚠️ Note: These versions are no longer maintained and carry known security risks. Upgrading to the latest stable version is strongly recommended.
Nginx 1.4.x - 1.8.x
Stable Version
These versions introduced OCSP Stapling support (1.3.7+) but do not yet support HTTP/2. They are suitable for deployments that do not need HTTP/2.
Nginx 1.9.5+
HTTP/2 Support
Starting from version 1.9.5, the HTTP/2 protocol is supported, an important feature of modern web servers that can significantly improve performance.
Nginx 1.10.x - 1.18.x
Recommended Version
These are long-term, stable releases that support all modern SSL/TLS features, including HTTP/2, OCSP Stapling and TLS 1.3 (1.13.0+).
✅ Recommended: These versions are stable and reliable and are suitable for production use.
Nginx 1.20.x - 1.24.x+
Latest Version
The latest stable releases include the most recent security patches and performance optimizations and support all modern SSL/TLS features and best practices.

Basic SSL Configuration

The basic SSL configuration is the same across Nginx versions; the differences lie in the supported protocols and features:

Basic Configuration (All Versions)

    server {
        listen 443 ssl;
        server_name yourdomain.com;

        ssl_certificate /path/to/fullchain.crt;
        ssl_certificate_key /path/to/your_domain.key;

        ssl_protocols TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;

        root /var/www/html;
        index index.html index.php;
    }
💡 Tip: Nginx always uses a merged certificate chain file (fullchain.crt), unlike Apache. The chain file should contain: domain certificate + intermediate certificate + root certificate (optional).

Merge Certificate Chain

    # Merge certificate chain (domain certificate first, intermediate certificate second)
    cat your_domain.crt intermediate_ca.crt > fullchain.crt

    # Inspect the merged file (note: openssl x509 prints only the first certificate in the file)
    openssl x509 -in fullchain.crt -text -noout
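The merge step above is easy to get wrong (intermediate first, or a key that does not belong to the first certificate), and `openssl x509 -text` only shows the first certificate, so it will not reveal a bad chain. The following script is an added example, not part of the original guide: it generates a throwaway root/intermediate/leaf hierarchy (constructed test data, using the guide's file names) so it runs offline, builds fullchain.crt in the recommended order and in the reversed order, and checks each bundle the way nginx will use it: first certificate must be the end-entity certificate, the private key must match it, and the bundle must validate up to the root. The `CERT_DIR` variable and the `new_cert`/`chain_ok` helper names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original guide: build fullchain.crt as the
# guide describes and check it before pointing ssl_certificate at it.  A
# throwaway root -> intermediate -> leaf hierarchy is generated locally so the
# script runs offline; the file names follow the guide (your_domain.crt,
# intermediate_ca.crt, root_ca.crt, your_domain.key) but every certificate
# here is constructed test data, not a real CA's output.
set -eu

D="${CERT_DIR:-$(mktemp -d)}"   # output directory (assumption: a writable temp dir)

# Issue one certificate: new_cert NAME SUBJECT EXTFILE [CA_CERT CA_KEY]
# Without the CA arguments the certificate is self-signed (the test root).
new_cert() {
  name=$1; subj=$2; ext=$3
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$D/$name.key" -out "$D/$name.csr" 2>/dev/null
  if [ $# -eq 5 ]; then
    openssl x509 -req -days 30 -in "$D/$name.csr" -CA "$4" -CAkey "$5" \
      -CAcreateserial -extfile "$ext" -out "$D/$name.crt" 2>/dev/null
  else
    openssl x509 -req -days 30 -in "$D/$name.csr" -signkey "$D/$name.key" \
      -extfile "$ext" -out "$D/$name.crt" 2>/dev/null
  fi
}

# Constructed test PKI: root CA -> intermediate CA -> yourdomain.com leaf.
make_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$D/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:yourdomain.com\n' > "$D/leaf.ext"
  new_cert root_ca "/CN=Example Root CA" "$D/ca.ext"
  new_cert intermediate_ca "/CN=Example Intermediate CA" "$D/ca.ext" "$D/root_ca.crt" "$D/root_ca.key"
  new_cert your_domain "/CN=yourdomain.com" "$D/leaf.ext" "$D/intermediate_ca.crt" "$D/intermediate_ca.key"
}

# chain_ok CHAIN KEY ROOT: return 0 if CHAIN is a bundle nginx can serve correctly.
chain_ok() {
  chain=$1; key=$2; root=$3
  # 1. nginx sends the first certificate as the server certificate, so it must
  #    be the end-entity certificate, never a CA certificate.
  if openssl x509 -in "$chain" -noout -text | grep -q 'CA:TRUE'; then
    echo "$chain: first certificate is a CA certificate (wrong order)" >&2
    return 1
  fi
  # 2. ssl_certificate_key must match the public key of that first certificate.
  cert_pub=$(openssl x509 -in "$chain" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "$chain: private key $key does not match the certificate" >&2
    return 1
  fi
  # 3. the bundle must carry every intermediate needed to reach the root
  #    (openssl verify checks the first cert and uses the rest as untrusted).
  if ! openssl verify -CAfile "$root" -untrusted "$chain" "$chain" >/dev/null 2>&1; then
    echo "$chain: chain does not validate to $root (missing intermediate?)" >&2
    return 1
  fi
  echo "$chain: OK ($(grep -c 'BEGIN CERTIFICATE' "$chain") certificates)"
}

make_test_pki
# Correct order, as the guide says: domain certificate first, intermediate second.
cat "$D/your_domain.crt" "$D/intermediate_ca.crt" > "$D/fullchain.crt"
# Reversed order: nginx would refuse to load it, because the key does not match
# the first certificate in the file.
cat "$D/intermediate_ca.crt" "$D/your_domain.crt" > "$D/badchain.crt"
chain_ok "$D/fullchain.crt" "$D/your_domain.key" "$D/root_ca.crt"
chain_ok "$D/badchain.crt" "$D/your_domain.key" "$D/root_ca.crt" || echo "badchain.crt rejected as expected"
```

To check a real bundle, call `chain_ok` with your own fullchain.crt, the key named in `ssl_certificate_key`, and the root CA file you use for `ssl_trusted_certificate`; the three checks map directly onto the nginx start-up errors "key values mismatch" and "unable to get local issuer certificate".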

HTTP/2 Support

⚠️ Important: HTTP/2 support requires Nginx 1.9.5 or higher. If your Nginx version is lower than 1.9.5, you cannot use HTTP/2.

Nginx 1.9.5+ Configuration (Supports HTTP/2)

    server {
        listen 443 ssl http2;
        server_name yourdomain.com;

        ssl_certificate /path/to/fullchain.crt;
        ssl_certificate_key /path/to/your_domain.key;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
        ssl_prefer_server_ciphers off;   # recommended off when using HTTP/2

        root /var/www/html;
        index index.html index.php;
    }

Nginx 1.4.x - 1.8.x Configuration (No HTTP/2 Support)

    server {
        listen 443 ssl;
        server_name yourdomain.com;

        ssl_certificate /path/to/fullchain.crt;
        ssl_certificate_key /path/to/your_domain.key;

        ssl_protocols TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        root /var/www/html;
        index index.html index.php;
    }
📝 Note: When using HTTP/2, it is recommended to set ssl_prefer_server_ciphers to off, because the HTTP/2 protocol itself handles cipher suite negotiation.

Protocols and Cipher Suites

    Configuration Item        | Nginx 1.0-1.2           | Nginx 1.4-1.8           | Nginx 1.9.5+               | Nginx 1.13.0+
    SSL Protocol Support      | TLSv1, TLSv1.1, TLSv1.2 | TLSv1, TLSv1.1, TLSv1.2 | TLSv1.2, TLSv1.3           | TLSv1.2, TLSv1.3
    Recommended Protocol      | TLSv1.2                 | TLSv1.2                 | TLSv1.2 TLSv1.3            | TLSv1.2 TLSv1.3
    HTTP/2                    | ❌ Not Supported         | ❌ Not Supported         | ✅ Supported                | ✅ Supported
    OCSP Stapling             | ❌ Not Supported         | ✅ Supported (1.3.7+)    | ✅ Supported                | ✅ Supported
    TLS 1.3                   | ❌ Not Supported         | ❌ Not Supported         | ❌ Not Supported            | ✅ Supported
    ssl_prefer_server_ciphers | Needs Explicit Setting  | Needs Explicit Setting  | Recommended off for HTTP/2 | Recommended off for HTTP/2

Modern Configuration Example (Nginx 1.13.0+)

    server {
        listen 443 ssl http2;
        server_name yourdomain.com;

        ssl_certificate /path/to/fullchain.crt;
        ssl_certificate_key /path/to/your_domain.key;

        # Modern TLS protocols (disable insecure protocols)
        ssl_protocols TLSv1.2 TLSv1.3;

        # Modern cipher suites (prioritize ECDHE and GCM)
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;

        # SSL session configuration
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_session_tickets off;   # supported in 1.5.9+

        root /var/www/html;
        index index.html index.php;
    }

OCSP Stapling

💡 Note: OCSP Stapling improves SSL handshake performance and reduces the time clients spend verifying the certificate, because the server delivers the OCSP response itself. Requires Nginx 1.3.7 or higher.

Nginx 1.3.7+ OCSP Stapling Configuration

    server {
        listen 443 ssl http2;
        server_name yourdomain.com;

        ssl_certificate /path/to/fullchain.crt;
        ssl_certificate_key /path/to/your_domain.key;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;

        # OCSP Stapling configuration
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /path/to/root_ca.crt;   # root certificate or full certificate chain
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 5s;

        root /var/www/html;
        index index.html index.php;
    }
⚠️ Note:
  • ssl_trusted_certificate should contain the root certificate or the full certificate chain
  • A DNS resolver must be configured so that Nginx can fetch the OCSP response
  • If the OCSP server is unreachable, the SSL handshake may be affected

Performance Optimization

SSL Session Cache

    # Configure in the http block (global)
    http {
        # SSL session cache (shared by all server blocks)
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 1d;
        ssl_session_tickets off;   # 1.5.9+; disable session tickets to improve security
    }

SSL Buffer Size

    http {
        # SSL buffer optimization
        ssl_buffer_size 8k;   # 1.5.9+; default is 16k, a smaller buffer lowers time to first byte
    }

Complete Performance Optimization Configuration

    http {
        # SSL session configuration
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 1d;
        ssl_session_tickets off;

        # SSL buffer optimization
        ssl_buffer_size 8k;

        server {
            listen 443 ssl http2;
            server_name yourdomain.com;

            ssl_certificate /path/to/fullchain.crt;
            ssl_certificate_key /path/to/your_domain.key;

            ssl_protocols TLSv1.2 TLSv1.3;
            ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;

            # OCSP Stapling configuration
            ssl_stapling on;
            ssl_stapling_verify on;
            ssl_trusted_certificate /path/to/root_ca.crt;
            resolver 8.8.8.8 8.8.4.4 valid=300s;   # required so the OCSP responder can be looked up
            resolver_timeout 5s;

            root /var/www/html;
        }
    }

Security Headers

Adding security HTTP headers improves website security. These directives are available in all Nginx versions:

    server {
        listen 443 ssl http2;
        server_name yourdomain.com;

        ssl_certificate /path/to/fullchain.crt;
        ssl_certificate_key /path/to/your_domain.key;

        # SSL configuration...
        ssl_protocols TLSv1.2 TLSv1.3;

        # Security HTTP headers
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;

        # Remove server version information (optional)
        server_tokens off;

        root /var/www/html;
        index index.html index.php;
    }
📝 Note: The always parameter ensures that the security headers are added even on error responses (such as 404 and 500).

HTTP Redirects

All Nginx versions support HTTP to HTTPS redirection, and the configuration is the same:

Method 1: Use return directive (Recommended)

    server {
        listen 80;
        server_name yourdomain.com www.yourdomain.com;
        return 301 https://$host$request_uri;
    }

Method 2: Use rewrite directive

    server {
        listen 80;
        server_name yourdomain.com www.yourdomain.com;
        rewrite ^(.*)$ https://$host$1 permanent;
    }
💡 Tip: The return 301 method is recommended because it is more efficient and does not require regular expression matching.

Best Practices

1. Certificate File Organization

  • Store certificate files in a secure directory, such as /etc/nginx/ssl/
  • Set correct file permissions: certificate files 644, private key files 600
  • Use the full certificate chain (fullchain.crt) instead of separate files
  • Regularly back up certificate and private key files

2. Complete Recommended Configuration (Nginx 1.13.0+)

    http {
        # SSL global configuration
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 1d;
        ssl_session_tickets off;
        ssl_buffer_size 8k;

        # HTTP to HTTPS redirect
        server {
            listen 80;
            server_name yourdomain.com www.yourdomain.com;
            return 301 https://$host$request_uri;
        }

        # HTTPS server configuration
        server {
            listen 443 ssl http2;
            server_name yourdomain.com www.yourdomain.com;

            # Certificate configuration
            ssl_certificate /etc/nginx/ssl/fullchain.crt;
            ssl_certificate_key /etc/nginx/ssl/your_domain.key;

            # SSL protocols and cipher suites
            ssl_protocols TLSv1.2 TLSv1.3;
            ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
            ssl_prefer_server_ciphers off;

            # OCSP Stapling configuration
            ssl_stapling on;
            ssl_stapling_verify on;
            ssl_trusted_certificate /etc/nginx/ssl/root_ca.crt;
            resolver 8.8.8.8 8.8.4.4 valid=300s;
            resolver_timeout 5s;

            # Security HTTP headers
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;

            # Hide server version
            server_tokens off;

            root /var/www/html;
            index index.html index.php;
        }
    }
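The protocol table and the notes above (legacy protocols, ssl_stapling without a resolver, HSTS with always, server_tokens, session tickets, ssl_prefer_server_ciphers on with http2) are the points that usually regress when a configuration is copied between servers. The script below is an added example, not part of the original guide: a small shell audit that strips comments from an nginx configuration file and reports each of those settings, run against two constructed sample files, one weak and one matching the recommended configuration. The function name `audit_nginx_ssl`, the `AUDIT_FINDINGS` variable and the sample files are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original guide: audit an nginx
# configuration for the SSL settings this page warns about.  The two sample
# configurations are constructed inline so the script runs without nginx.
set -eu

# audit_nginx_ssl FILE: print one finding per line and set AUDIT_FINDINGS to
# the number of findings; return 0 if clean, 1 otherwise.
audit_nginx_ssl() {
  f=$1
  conf=$(sed 's/#.*//' "$f")   # drop comments so commented-out directives do not count
  n=0
  has() { printf '%s\n' "$conf" | grep -Eq "$1"; }
  flag() { echo "$f: $1"; n=$((n + 1)); }

  # Legacy protocols: TLSv1 / TLSv1.1 / SSLv3 must not appear in ssl_protocols.
  if ! has 'ssl_protocols'; then
    flag "ssl_protocols not set; the default of your nginx version applies"
  elif has 'ssl_protocols[^;]*(SSLv3|TLSv1|TLSv1\.1)([[:space:]]|;)'; then
    flag "ssl_protocols enables SSLv3/TLSv1/TLSv1.1; use only TLSv1.2 TLSv1.3"
  fi
  # OCSP stapling needs a resolver, otherwise no OCSP response is ever fetched.
  if has 'ssl_stapling[[:space:]]+on' && ! has '^[[:space:]]*resolver[[:space:]]'; then
    flag "ssl_stapling on without a resolver directive"
  fi
  # HSTS should be present and sent on error responses too (always).
  if ! has 'add_header[[:space:]]+Strict-Transport-Security'; then
    flag "no Strict-Transport-Security header"
  elif ! has 'Strict-Transport-Security.*always[[:space:]]*;'; then
    flag "Strict-Transport-Security header lacks 'always'"
  fi
  if ! has 'server_tokens[[:space:]]+off'; then
    flag "server_tokens is not off; version is disclosed"
  fi
  if ! has 'ssl_session_tickets[[:space:]]+off'; then
    flag "ssl_session_tickets is not off (recommended off, 1.5.9+)"
  fi
  if has 'listen[^;]*http2' && has 'ssl_prefer_server_ciphers[[:space:]]+on'; then
    flag "ssl_prefer_server_ciphers on together with http2 (recommended off)"
  fi
  AUDIT_FINDINGS=$n
  [ "$n" -eq 0 ]
}

# Constructed sample configurations (not real server files).
TMP=$(mktemp -d)
cat > "$TMP/weak.conf" <<'EOF'
server {
    listen 443 ssl http2;
    server_name yourdomain.com;
    ssl_certificate /etc/nginx/ssl/fullchain.crt;
    ssl_certificate_key /etc/nginx/ssl/your_domain.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    # server_tokens off;   <- commented out, so the version is still disclosed
}
EOF
cat > "$TMP/hardened.conf" <<'EOF'
http {
    ssl_session_tickets off;
    server {
        listen 443 ssl http2;
        server_name yourdomain.com;
        ssl_certificate /etc/nginx/ssl/fullchain.crt;
        ssl_certificate_key /etc/nginx/ssl/your_domain.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers off;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/ssl/root_ca.crt;
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        server_tokens off;
    }
}
EOF

audit_nginx_ssl "$TMP/weak.conf" || echo "weak.conf: $AUDIT_FINDINGS findings"
audit_nginx_ssl "$TMP/hardened.conf" && echo "hardened.conf: clean"
```

Run it against your own files with `audit_nginx_ssl /etc/nginx/conf.d/site.conf`; because the check is textual, a directive inherited from the http block in another file is not seen, so point it at the file that actually holds the server block or at a concatenation of the relevant files.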

3. Version Check

    # Check Nginx version
    nginx -v
    # Check modules included at compile time
    nginx -V
    # Test configuration file syntax
    nginx -t
    # Reload configuration (without interrupting service)
    nginx -s reload

Troubleshooting

1. Check Nginx Version

    # Check version
    nginx -v
    # Check detailed information and compile options
    nginx -V

2. Test Configuration Syntax

    # Test configuration file syntax
    nginx -t
    # If the configuration is correct, it prints:
    #   nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    #   nginx: configuration file /etc/nginx/nginx.conf test is successful

3. Common Errors and Solutions

Error: nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module
Solution: Nginx was not compiled with the SSL module; recompile Nginx with the --with-http_ssl_module option.

Error: nginx: [emerg] the "http2" parameter requires ngx_http_v2_module
Solution: The Nginx version is lower than 1.9.5 or the HTTP/2 module was not compiled in; upgrade to 1.9.5+ or recompile with --with-http_v2_module.

Error: SSL_CTX_use_certificate_file() failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line)
Solution: The certificate file is not valid PEM or the path is wrong; check that the certificate file exists and is correctly formatted.

Error: SSL_CTX_use_PrivateKey_file() failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line)
Solution: The private key file is not valid PEM or the path is wrong; check that the private key file exists and is correctly formatted.

4. Verify SSL Configuration

    # Verify with online tools
    #   https://www.ssllabs.com/ssltest/
    #   https://myssl.com/

    # Verify with command line tools
    openssl s_client -connect yourdomain.com:443 -servername yourdomain.com

    # Check HTTP/2 support
    curl -I --http2 https://yourdomain.com

5. View Error Logs

    # View Nginx error log
    tail -f /var/log/nginx/error.log
    # View access log
    tail -f /var/log/nginx/access.log