Mastering Nginx HTTPS: From SSL Certificates to Advanced Security Optimizations

This guide walks you through obtaining a trusted SSL certificate, generating keys and CSR with OpenSSL, configuring HTTPS in Nginx, and applying performance and security enhancements such as keep‑alive, session caching, HSTS, strong cipher suites, and name‑based virtual host solutions.

Aotu Lab

Obtain a Trusted SSL Certificate

SSL provides encryption and identity verification. Common certificate types include EV, OV, DV, and IV; EV and OV require payment, while DV can be free but only validates domain ownership. For production sites, OV or EV certificates are strongly recommended.

Generate Key and CSR with OpenSSL

Use OpenSSL to create a private key (example.key) and a certificate signing request (example.csr) that you submit to a Certificate Authority (CA). The CA returns a signed certificate (example.crt). The command below names the files example_com.key and example_com.csr; any names work as long as the Nginx configuration refers to the same files.

openssl req -new -newkey rsa:2048 -sha256 -nodes -out example_com.csr -keyout example_com.key -subj "/C=CN/ST=ShenZhen/L=ShenZhen/O=Example Inc./OU=Web Security/CN=example.com"

The subject fields are:

C : Country code (e.g., CN)

ST : State or province

L : Locality (city)

O : Organization name

OU : Organizational unit (often used for certificate type)

CN : Common name (the domain name)
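The one-line -subj syntax used above treats "/" as the field separator and "=" as the key/value separator, so an organization name such as "Example Inc./Web" must be escaped or the CSR will carry a mangled subject. The following added example (not code from the original article) builds the subject string and the openssl argv from a dict of the fields listed above, validates CN as a DNS hostname, and parses the string back for verification; build_subject, parse_subject, build_req_argv and generate_key_and_csr are helper names chosen here.

```python
"""Build the `-subj` string and argv for `openssl req` from a dict of subject
fields, escaping characters that would break the one-line subject syntax.
Added example, not from the original article; build_subject, parse_subject,
build_req_argv and generate_key_and_csr are helper names chosen here."""
import os
import re
import subprocess

SUBJECT_ORDER = ["C", "ST", "L", "O", "OU", "CN"]
# A DNS hostname: dot-separated labels of 1-63 letters/digits/hyphens,
# no leading or trailing hyphen in any label.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")


def escape_subject_value(value):
    # In "-subj" syntax "/" separates fields and "=" separates key from value,
    # so both, and the backslash itself, are escaped with a backslash.
    return value.replace("\\", "\\\\").replace("/", "\\/").replace("=", "\\=")


def build_subject(fields):
    """Return the -subj string in the field order shown in the article."""
    cn = fields.get("CN", "")
    if not HOSTNAME_RE.match(cn):
        raise ValueError(f"CN must be a DNS hostname, got {cn!r}")
    if "C" in fields and len(fields["C"]) != 2:
        raise ValueError("C must be a two-letter country code")
    return "".join(f"/{k}={escape_subject_value(fields[k])}"
                   for k in SUBJECT_ORDER if k in fields)


def parse_subject(subject):
    """Inverse of build_subject: each field is a run of escaped characters or
    characters other than '/' and '\\'; the escaping is then undone."""
    fields = {}
    for part in re.findall(r"/((?:\\.|[^/\\])*)", subject):
        key, _, value = part.partition("=")   # the key itself never contains "="
        fields[key] = re.sub(r"\\(.)", r"\1", value)
    return fields


def build_req_argv(fields, key_path, csr_path, bits=2048):
    """The argv for the article's openssl command; passed to subprocess
    without a shell, so no shell quoting is needed."""
    if bits < 2048:
        raise ValueError("use an RSA key of at least 2048 bits")
    return ["openssl", "req", "-new", "-newkey", f"rsa:{bits}", "-sha256", "-nodes",
            "-out", csr_path, "-keyout", key_path, "-subj", build_subject(fields)]


def generate_key_and_csr(fields, key_path, csr_path, bits=2048):
    """Run openssl under a restrictive umask so the unencrypted key written by
    -nodes is created owner-readable only."""
    previous = os.umask(0o077)
    try:
        subprocess.run(build_req_argv(fields, key_path, csr_path, bits), check=True)
    finally:
        os.umask(previous)
```

The umask in generate_key_and_csr matters because -nodes writes the key without a passphrase; a default umask of 022 would leave it world-readable until you remember to chmod it.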

Configure HTTPS in Nginx

Basic Server Block

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate example.com.crt;
    ssl_certificate_key example.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}

Store the private key in a directory with restricted permissions so that only the Nginx master process can read it.
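A quick way to verify that rule on a running system is to inspect the key file's mode and owner. The following added example (not code from the original article) flags a key that is readable by group or others, a key not owned by the expected user (root by default, because the Nginx master process reads the key before workers drop privileges), and a world-writable parent directory; check_key_permissions, harden_key_file and demo are helper names chosen here.

```python
"""Check that a private key file is readable only by its owner.
Added example, not from the article; check_key_permissions, harden_key_file
and demo are helper names chosen here."""
import os
import stat
import tempfile


def check_key_permissions(path, expected_uid=0):
    """Return a list of findings; an empty list means the file looks acceptable."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["path is a symlink; check the link target instead"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} grants group/other access; use 0600 or 0400")
    if st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected uid {expected_uid}")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if stat.S_IMODE(parent.st_mode) & stat.S_IWOTH:
        findings.append("parent directory is world-writable, so the key file could be replaced")
    return findings


def harden_key_file(path):
    """Owner read/write only; the certificate itself may stay world-readable."""
    os.chmod(path, 0o600)


def demo():
    """Create a placeholder key file with a loose mode and run the check before
    and after hardening.  The current user is used as the expected owner because
    this example is not run as root."""
    workdir = tempfile.mkdtemp()                 # mkdtemp creates the directory 0700
    key_path = os.path.join(workdir, "example.com.key")
    with open(key_path, "w") as fh:
        fh.write("constructed placeholder, not a real key\n")
    os.chmod(key_path, 0o644)                    # the common mistake: world-readable
    me = os.getuid()
    before = check_key_permissions(key_path, expected_uid=me)
    harden_key_file(key_path)
    after = check_key_permissions(key_path, expected_uid=me)
    return before, after


if __name__ == "__main__":
    print(demo())
```

On a real host call check_key_permissions("/etc/nginx/ssl/example.com.key") with the default expected_uid=0; a finding about the parent directory is worth acting on even when the file mode is correct, since a writable directory lets an unprivileged user swap the key.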

Performance Optimizations

Enable keep‑alive connections to reduce handshake overhead.

Reuse SSL session parameters with ssl_session_cache and ssl_session_timeout.

Example shared cache configuration for a multi‑core server:

worker_processes auto;
http {
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    server {
        listen 443 ssl;
        server_name www.example.com;
        keepalive_timeout 70;
        ssl_certificate www.example.com.crt;
        ssl_certificate_key www.example.com.key;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+ECDSA+AESGCM ... !RC4";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header X-Xss-Protection 1;
    }
}
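Both server blocks shown so far still enable TLSv1 and TLSv1.1, which RFC 8996 deprecated and current browsers no longer negotiate, and the basic block omits ssl_session_cache, ssl_prefer_server_ciphers and HSTS entirely. The following added example (not code from the original article) lints a configuration fragment for exactly those points; lint_tls_directives, parse_directives and the two sample configurations are constructed here, and the cipher list in the hardened sample is a constructed illustration, not a recommendation copied from the article.

```python
"""Lint the TLS-related directives in an Nginx configuration fragment.
Added example, not part of the original article; lint_tls_directives,
parse_directives and both sample configurations are constructed here."""
import shlex

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MUST_EXCLUDE = ("aNULL", "MD5", "RC4")     # the exclusions the article's own cipher strings use

# Constructed sample: the weak settings the article's basic block carries.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate example.com.crt;
    ssl_certificate_key example.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
}
"""

# Constructed sample: the same block after hardening (cipher list is illustrative).
HARDENED_CONFIG = """
http {
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate example.com.crt;
        ssl_certificate_key example.com.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:!aNULL:!MD5:!RC4";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    }
}
"""


def parse_directives(text):
    """Yield (name, args) for each directive, ignoring block braces and comment
    lines.  shlex keeps a double-quoted header value as one argument."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "}" or line.endswith("{"):
            continue
        tokens = shlex.split(line.rstrip(";"))
        if tokens:
            yield tokens[0], tokens[1:]


def lint_tls_directives(config_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    directives, headers = {}, {}
    for name, args in parse_directives(config_text):
        if name == "add_header" and args:
            headers[args[0].lower()] = args[1:]
        else:
            directives[name] = args        # last occurrence wins (simplification)
    findings = []

    protocols = set(directives.get("ssl_protocols", []))
    deprecated = sorted(protocols & DEPRECATED_PROTOCOLS)
    if "ssl_protocols" not in directives:
        findings.append("ssl_protocols not set; the built-in default depends on the Nginx version")
    elif deprecated:
        findings.append("ssl_protocols enables deprecated versions: " + " ".join(deprecated)
                        + "; use 'ssl_protocols TLSv1.2 TLSv1.3'")

    ciphers = directives.get("ssl_ciphers", [""])[0]
    excluded = {entry[1:] for entry in ciphers.split(":") if entry.startswith("!")}
    for name in MUST_EXCLUDE:
        if name not in excluded:
            findings.append(f"ssl_ciphers does not explicitly exclude {name}")

    if directives.get("ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not 'on'")
    if "ssl_session_cache" not in directives:
        findings.append("ssl_session_cache not set (check the enclosing http context)")

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    elif "always" not in hsts:
        findings.append("Strict-Transport-Security lacks 'always', so error responses omit it")
    return findings


if __name__ == "__main__":
    for finding in lint_tls_directives(WEAK_CONFIG):
        print("WEAK:", finding)
    print("hardened:", lint_tls_directives(HARDENED_CONFIG) or "no findings")
```

The parser deliberately ignores block nesting, so directives inherited from the http context (such as the shared session cache above) are seen; feed it the output of nginx -T to lint the whole effective configuration.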

HSTS Enforcement

Add the Strict‑Transport‑Security header to force browsers to use HTTPS for the specified period.

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Parameters:

max-age : duration (in seconds) browsers must use HTTPS.

includeSubDomains : applies the rule to all sub‑domains.

preload : requests inclusion in browsers' HSTS preload lists.

always : an add_header parameter rather than part of the header value; without it Nginx adds the header only to successful (2xx and 3xx) responses, so error pages would be served without HSTS.
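The header value is a list of directives separated by semicolons, and the preload list only accepts a policy whose max-age is at least one year (31536000 seconds) with both includeSubDomains and preload present. The following added example (not code from the original article) parses the value and reports which of those requirements a given header misses; parse_hsts and preload_problems are helper names chosen here.

```python
"""Parse a Strict-Transport-Security header value and check it against the
published preload requirements.  Added example, not from the article;
parse_hsts and preload_problems are helper names chosen here."""

ONE_YEAR = 31536000  # seconds; the max-age the article's header uses


def parse_hsts(value):
    """Return {'max_age': int or None, 'include_subdomains': bool, 'preload': bool}.
    Directive names are case-insensitive; unknown directives are ignored."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {arg!r}")
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def preload_problems(value):
    """Return the reasons the header value would not be accepted for preloading.
    An empty list means the value itself qualifies; the site must still serve it
    over HTTPS on the bare domain and redirect HTTP to HTTPS."""
    policy = parse_hsts(value)
    problems = []
    if policy["max_age"] is None:
        problems.append("max-age missing")
    elif policy["max_age"] < ONE_YEAR:
        problems.append(f"max-age {policy['max_age']} is below one year ({ONE_YEAR})")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains missing")
    if not policy["preload"]:
        problems.append("preload missing")
    return problems


if __name__ == "__main__":
    for header in ("max-age=31536000; includeSubDomains; preload", "max-age=86400"):
        print(header, "->", preload_problems(header) or "eligible")
```

A max-age of 0 is valid and tells browsers to forget the policy, which is the only way to back out of HSTS for a domain that is not preloaded; once a domain is on the preload list, removal takes browser release cycles, so includeSubDomains should be added only after every subdomain is confirmed to work over HTTPS.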

Strengthening Cipher Suite

Prefer cipher suites that do not depend on the weak SHA-1 hash, let the server choose the suite, and enable Diffie-Hellman key exchange with your own parameters instead of the defaults. Generate the parameters once (this can take a while):

openssl dhparam -out dhparam.pem 2048

Then reference them from the server block. The DH parameters are used only by the DHE (EDH) suites; ECDHE suites do not need them.

ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers "EECDH+ECDSA+AESGCM ... !RC4";

Mixed HTTP/HTTPS Server

server {
    listen 80;
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate www.example.com.crt;
    ssl_certificate_key www.example.com.key;
}

Name‑Based Virtual Hosts

When multiple HTTPS sites share an IP, the default certificate may be sent, causing mismatches. Solutions include:

Assign a unique IP address to each HTTPS server.

Use a wildcard certificate.

Enable Server Name Indication (SNI), which modern Nginx versions support automatically.

Older Nginx versions required the ssl on directive; newer versions use listen 443 ssl and rely on SNI support in the linked OpenSSL library.

Summary

Obtain an SSL certificate by generating a key and CSR with OpenSSL and submitting the CSR to a trusted CA.

Configure Nginx with listen 443 ssl, referencing the certificate and key files.

Apply performance and security enhancements: keep‑alive, SSL session cache, HSTS, strong cipher suites, DH parameters, and security headers.

Optionally configure mixed HTTP/HTTPS listeners.

For name‑based virtual hosts, use separate IPs, wildcard certificates, or SNI to avoid certificate mismatches.

Written by

Aotu Lab

Aotu Lab, founded in October 2015, is a front-end engineering team serving multi-platform products. The articles in this public account are intended to share and discuss technology, reflecting only the personal views of Aotu Lab members and not the official stance of JD.com Technology.