
How to Configure SSL Ciphers in Nginx for Secure Connections

To configure SSL ciphers in Nginx, use the ssl_ciphers directive inside the server or http block to specify the allowed cipher suites. Combine it with ssl_protocols and ssl_prefer_server_ciphers on; so that you control both which protocol versions are accepted and which cipher the server negotiates.

Syntax

The ssl_ciphers directive defines which encryption algorithms Nginx will allow for SSL/TLS connections. It accepts a colon-separated list of cipher names or predefined groups in OpenSSL's cipher-list format, where a group such as HIGH enables a family and a !-prefixed entry such as !aNULL removes one. With OpenSSL the list only governs TLSv1.2 and earlier; TLSv1.3 cipher suites are fixed by the library and are not selected by ssl_ciphers.

  • ssl_ciphers: List of ciphers to enable.
  • ssl_protocols: Specifies SSL/TLS protocol versions to allow.
  • ssl_prefer_server_ciphers on;: Makes Nginx choose the server's preferred cipher over the client's.
nginx
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
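As an added example (not code from the original page), the Python script below uses the standard library's ssl module, which wraps the same OpenSSL cipher-list parser that Nginx passes the ssl_ciphers value to, to show what a cipher string actually expands to. It runs the strings used on this page and reports any cipher name matching a small constructed list of weak markers; it also makes the TLSv1.3 point visible, because the TLS_ suites are listed whatever ssl_ciphers says. The WEAK_MARKERS list and the function names are this example's own assumptions.

```python
import ssl

# Substrings that identify cipher names a practitioner would not want enabled:
# RC4 and MD5 from the page, plus NULL-auth/NULL-encryption, anonymous DH/ECDH
# and export suites. Constructed for this example.
WEAK_MARKERS = ("RC4", "MD5", "NULL", "ADH", "AECDH", "EXP")


def check_cipher_string(cipher_string):
    """Expand an OpenSSL-style cipher string the way Nginx hands it to OpenSSL.

    Returns a dict with:
      "ciphers": names OpenSSL would offer for this string (TLS 1.3 suites,
                 whose names start with "TLS_", appear too; ssl_ciphers
                 does not govern them)
      "weak":    the subset whose names match WEAK_MARKERS
      "error":   the OpenSSL error text if no cipher could be selected
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        # Nginx would refuse to start on such a value ("no cipher can be selected").
        return {"ciphers": [], "weak": [], "error": str(exc)}
    names = [c["name"] for c in ctx.get_ciphers()]
    weak = [n for n in names if any(marker in n for marker in WEAK_MARKERS)]
    return {"ciphers": names, "weak": weak, "error": None}


def tls12_ciphers(cipher_string):
    """Only the names enabled for TLS 1.2 and below, i.e. what ssl_ciphers controls."""
    return [n for n in check_cipher_string(cipher_string)["ciphers"]
            if not n.startswith("TLS_")]


if __name__ == "__main__":
    for s in ("HIGH:!aNULL:!MD5",
              "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384",
              "RC4:MD5:!aNULL"):
        r = check_cipher_string(s)
        print(f"{s!r}: {len(r['ciphers'])} ciphers, "
              f"{len(tls12_ciphers(s))} for TLS<=1.2, weak={r['weak']}, error={r['error']}")
```

Running it shows that the explicit two-cipher list from the example below still leaves the TLS_ suites in place, and that the "Wrong" string either fails outright or enables only RC4/MD5 names, depending on how the local OpenSSL was built.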

Example

This example shows a basic Nginx server block with SSL enabled and a secure cipher configuration. It allows only strong ciphers and TLS versions 1.2 and 1.3.

nginx
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;

    location / {
        root /var/www/html;
        index index.html;
    }
}
Output
Nginx starts successfully and serves HTTPS using the specified ciphers and protocols.

Common Pitfalls

Common mistakes when configuring SSL ciphers in Nginx include:

  • Using weak or deprecated ciphers like RC4 or MD5, which reduce security.
  • Not enabling ssl_prefer_server_ciphers on;, which lets clients pick weaker ciphers.
  • Forgetting to reload or restart Nginx after changes, so new settings don't apply.
  • Not specifying ssl_protocols, which may allow insecure SSL versions.
nginx
# Wrong:
ssl_ciphers RC4:MD5:!aNULL;

# Right:
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
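The pitfalls above can be checked mechanically before you reload. The script below is an added example, not code from the page or from the Nginx project: it pulls the three directives out of a server block with a regular expression and reports each pitfall it finds. The two sample configurations are constructed for the example (the weak one repeats the page's Wrong settings, the good one is the page's example server block); the directive regex, the weak-token list and the wording of the findings are this example's own assumptions.

```python
import re

# Protocol versions the page says should not be allowed.
INSECURE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Substrings that mark a weak family when they appear in an enabled
# (non-negated) cipher token: RC4 and MD5 from the page, plus NULL,
# export and DES/3DES entries. Constructed for this example.
WEAK_MARKERS = ("RC4", "MD5", "NULL", "EXP", "DES")

# One directive per line, terminated by ';', optional trailing comment.
DIRECTIVE_RE = re.compile(
    r"^\s*(ssl_protocols|ssl_ciphers|ssl_prefer_server_ciphers)\s+(.*?)\s*;\s*(?:#.*)?$",
    re.MULTILINE,
)


def parse_ssl_directives(config_text):
    """Collect the cipher-related directives from an nginx server/http block.
    Quotes around a value are stripped, as nginx itself does."""
    found = {}
    for name, value in DIRECTIVE_RE.findall(config_text):
        found[name] = value.strip().strip("'\"")
    return found


def audit_ssl_config(config_text):
    """Return a list of human-readable findings, one per pitfall detected."""
    d = parse_ssl_directives(config_text)
    findings = []

    if "ssl_protocols" not in d:
        findings.append("ssl_protocols not set: the build default decides which versions are accepted")
    else:
        bad = sorted(INSECURE_PROTOCOLS & set(d["ssl_protocols"].split()))
        if bad:
            findings.append("ssl_protocols allows insecure versions: " + ", ".join(bad))

    if "ssl_ciphers" not in d:
        findings.append("ssl_ciphers not set: relying on the default cipher list")
    else:
        # "!RC4" disables a family, "RC4" enables it; only enabled tokens matter.
        enabled = [t for t in d["ssl_ciphers"].split(":") if t and t[0] not in "!-"]
        weak = [t for t in enabled if any(m in t.upper() for m in WEAK_MARKERS)]
        if weak:
            findings.append("ssl_ciphers enables weak ciphers: " + ", ".join(weak))

    if d.get("ssl_prefer_server_ciphers") != "on":
        findings.append("ssl_prefer_server_ciphers is not 'on': the client's preference order wins")

    return findings


# Constructed sample repeating the page's "Wrong" settings.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.2;
    ssl_ciphers RC4:MD5:!aNULL;
}
"""

# The page's example server block.
GOOD_CONFIG = """
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;
}
"""

if __name__ == "__main__":
    for label, cfg in (("weak config", WEAK_CONFIG), ("page example", GOOD_CONFIG)):
        findings = audit_ssl_config(cfg)
        print(f"{label}: {'no findings' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

The check is deliberately textual: it tells you what the configuration asks for, while the ssl module example in the Syntax section tells you what OpenSSL will actually do with the cipher string. Run both, then nginx -t and a reload, since none of this takes effect until Nginx re-reads its configuration.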

Quick Reference

Use this quick guide to configure SSL ciphers safely in Nginx:

Directive                  Purpose                          Example Value
ssl_protocols              Set allowed SSL/TLS versions     TLSv1.2 TLSv1.3
ssl_ciphers                Define allowed cipher suites     HIGH:!aNULL:!MD5
ssl_prefer_server_ciphers  Force server cipher preference   on
ssl_certificate            Path to SSL certificate file     /etc/nginx/ssl/example.com.crt
ssl_certificate_key        Path to SSL key file             /etc/nginx/ssl/example.com.key

Key Takeaways

  • Always specify strong ciphers with the ssl_ciphers directive to secure HTTPS.
  • Enable ssl_prefer_server_ciphers on to prioritize server-chosen ciphers.
  • Restrict SSL protocols to TLSv1.2 and TLSv1.3 for better security.
  • Reload Nginx after changes to apply new SSL settings.
  • Avoid weak or deprecated ciphers like RC4 and MD5.