
SSL protocol and cipher configuration in Nginx - Commands & Configuration

Introduction
Websites need to protect data sent between users and servers. SSL/TLS protocols and ciphers encrypt this data so that it cannot be read or tampered with in transit.

This pattern applies in situations such as these:
When you want to secure your website with HTTPS to protect user information.
When you need to disable old, insecure SSL protocols to prevent attacks.
When you want to specify which encryption methods (ciphers) your server accepts for better security.
When you want to improve your website's security score on tools like SSL Labs.
When you want to ensure compatibility with modern browsers while blocking weak encryption.
Config File - nginx.conf
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;

    location / {
        root /var/www/html;
        index index.html;
    }
}

listen 443 ssl; tells Nginx to listen on port 443 with SSL enabled.

ssl_certificate and ssl_certificate_key specify the paths to your SSL certificate and private key files.

ssl_protocols sets which SSL/TLS versions are allowed; here only TLS 1.2 and 1.3 are enabled for security.

ssl_ciphers lists strong encryption methods your server accepts.

ssl_prefer_server_ciphers on; makes Nginx apply the server's cipher order from ssl_ciphers during negotiation instead of following the client's preference.

Commands
This command tests the Nginx configuration file for syntax errors before applying changes.
Terminal
sudo nginx -t
Expected Output
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
This command reloads Nginx to apply the new SSL protocol and cipher settings without stopping the server.
Terminal
sudo systemctl reload nginx
Expected Output
No output (command runs silently)
This command tries to connect to the server using TLS 1.1, which should fail because that version is disabled.
Terminal
openssl s_client -connect example.com:443 -tls1_1
Expected Output
CONNECTED(00000003)
140735213994560:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:s3_pkt.c:1493:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 301 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
---
This command connects to the server using TLS 1.2, which should succeed and show the certificate details.
Terminal
openssl s_client -connect example.com:443 -tls1_2
Expected Output
CONNECTED(00000003)
depth=2 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = example.com
verify return:1
---
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Let's Encrypt, CN = R3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF... (certificate content) ...
-----END CERTIFICATE-----
---
SSL handshake has read 3456 bytes and written 456 bytes
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
---
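As an added example (not code from the original page), the following POSIX shell script generalizes the two openssl s_client checks above: it tries every TLS version against a host and classifies each handshake from the s_client output, with the parsing split into its own function so it can also be run on captured output without a network connection. The function names classify_handshake and probe_tls, and the host/port arguments, are chosen here.

```shell
#!/bin/sh
# Added example, not from the original page: try each TLS version against a host
# with openssl s_client and report which ones the server accepts.

# classify_handshake: reads openssl s_client output on stdin and prints one of
#   "rejected"          - the server answered with a protocol-version alert
#   "accepted <cipher>" - a suite was negotiated ("New, TLSv1.2, Cipher is ...")
#   "failed"            - anything else (Cipher is (NONE) without a version
#                         alert, or a client-side "no protocols available")
classify_handshake() {
    out=$(cat)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^New, [^,]*, Cipher is \(.*\)$/\1/p' | head -n 1)
    if printf '%s\n' "$out" | grep -q 'alert protocol version'; then
        echo "rejected"
    elif [ -n "$cipher" ] && [ "$cipher" != "(NONE)" ]; then
        echo "accepted $cipher"
    else
        echo "failed"
    fi
}

# probe_tls HOST [PORT]: attempt a handshake with each version flag and print a
# one-line verdict per version. With the nginx.conf above, tls1 and tls1_1 should
# come back "rejected" and tls1_2 / tls1_3 "accepted". An OpenSSL client built
# without TLS 1.0/1.1 support reports "failed" for those flags instead.
probe_tls() {
    host=$1
    port=${2:-443}
    for flag in tls1 tls1_1 tls1_2 tls1_3; do
        verdict=$(openssl s_client -connect "$host:$port" -servername "$host" "-$flag" \
            </dev/null 2>&1 | classify_handshake)
        printf '%-7s %s\n' "$flag" "$verdict"
    done
}

# Run the probe only when a host is given on the command line, e.g.:
#   sh tls-probe.sh example.com 443
if [ "$#" -ge 1 ]; then
    probe_tls "$@"
fi
```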
Key Concept

If you remember nothing else from this pattern, remember: always enable only modern TLS protocols and strong ciphers to keep your website secure and compatible.

Common Mistakes

Leaving old SSL protocols like SSLv3 or TLS 1.0 enabled.
These old protocols have known security flaws that attackers can exploit.
Explicitly set ssl_protocols to only TLSv1.2 and TLSv1.3 in your Nginx config.

Using weak or default cipher suites without specifying strong ones.
Weak ciphers can allow attackers to decrypt or tamper with data.
Specify a strong list of ciphers in ssl_ciphers and enable ssl_prefer_server_ciphers.

Not testing the configuration with nginx -t before reloading.
Syntax errors can cause Nginx to fail to reload, leading to downtime.
Always run sudo nginx -t and fix errors before reloading.
Summary
Configure ssl_protocols in nginx.conf to allow only TLS 1.2 and 1.3 for security.
Specify strong ssl_ciphers and enable ssl_prefer_server_ciphers to control encryption methods.
Test the configuration with 'nginx -t' and reload Nginx to apply changes safely.
Use openssl s_client to verify which SSL/TLS versions your server accepts.