SSL_TLS setup

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols that:

Encrypt data between client (browser) and server

Ensure confidentiality, integrity, and authentication
Protect against:
- Man-in-the-Middle (MITM) attacks
- Data tampering
- Credential theft

In NGINX, SSL/TLS is configured at the server block level to enable HTTPS.

Core Components of SSL/TLS in NGINX

SSL Certificate (`.crt`, `.pem`)

An SSL certificate:

Is issued by a Certificate Authority (CA) (e.g., Let’s Encrypt, DigiCert)
Contains:
- Server’s public key
- Domain name
- Issuer details
- Validity period
Used by clients to verify server identity

File formats

.crt – certificate file
.pem – Base64 encoded certificate (most common)
Can include certificate chain (intermediate certificates)

Private Key (.key)

The private key:

Must remain secret
Is mathematically paired with the certificate’s public key
Used to:
- Decrypt session keys
- Prove ownership of the certificate

If compromised, attackers can impersonate your website.

NGINX SSL Directives Explained

`ssl_certificate`

ssl_certificate /etc/nginx/ssl/example.com.crt;

Specifies:

Public SSL certificate
Often includes:
- Server certificate
- Intermediate certificates (certificate chain)

Best practice:

Use full chain certificate (fullchain.pem)

`ssl_certificate_key`

ssl_certificate_key /etc/nginx/ssl/example.com.key;

Specifies:

The private key for the certificate

Security:

File permissions should be restricted:

chmod 600 example.com.key
chown root:root example.com.key

Basic HTTPS Server Configuration

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    root /var/www/html;
    index index.html;
}

Directive	Purpose
`listen 443 ssl`	Enables HTTPS on port 443
`server_name`	Domain name(s)
`ssl_certificate`	Public certificate
`ssl_certificate_key`	Private key

Using Let’s Encrypt Certificates (Recommended)

Let’s Encrypt provides free, trusted certificates.

File paths typically look like:

ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

Why fullchain.pem?

Contains:
- Server certificate
- Intermediate certificates
Prevents “incomplete certificate chain” errors

Secure SSL/TLS Configuration (Best Practices)

Strong Protocols Only

ssl_protocols TLSv1.2 TLSv1.3;

❌ Disable:

SSLv3
TLSv1.0 / TLSv1.1 (deprecated)

Secure Ciphers

ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;

Session Reuse (Performance)

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;

HTTP to HTTPS Redirection

server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

Forces encrypted connections

Full Secure NGINX SSL Configuration Example

server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    root /var/www/html;
    index index.html;
}

Certificate Chain & Verification Flow

Browser connects to HTTPS site
NGINX sends:
- Server certificate
- Intermediate certificates
Browser:
- Verifies certificate chain up to trusted CA
- Negotiates session key
Secure encrypted communication begins

Common SSL/TLS Mistakes in NGINX

Mistake	Impact
Using only server cert (no chain)	Browser trust errors
Exposed private key	Total security breach
Old TLS versions	Vulnerable to attacks
Wrong permissions on `.key`	Unauthorized access
No HTTPS redirect	Downgrade attacks

How to Test SSL Configuration

Check NGINX config

nginx -t

Verify certificate

openssl x509 -in example.com.crt -text -noout

Online tools

SSL Labs Server Test
SecurityHeaders.com

Core Components of SSL/TLS in NGINX​

SSL Certificate (.crt, .pem)​

Private Key (.key)​

NGINX SSL Directives Explained​

ssl_certificate​

ssl_certificate_key​

Basic HTTPS Server Configuration​

Using Let’s Encrypt Certificates (Recommended)​

File paths typically look like:​

Secure SSL/TLS Configuration (Best Practices)​

Strong Protocols Only​

Secure Ciphers​

Session Reuse (Performance)​

HTTP to HTTPS Redirection​

Full Secure NGINX SSL Configuration Example​

Certificate Chain & Verification Flow​

Common SSL/TLS Mistakes in NGINX​

How to Test SSL Configuration​