
SSL/TLS Setup and HTTPS Configuration

In this lesson, we'll secure your Nginx web server by implementing SSL/TLS encryption and configuring HTTPS. You'll learn how to protect data in transit and provide a secure browsing experience for your users.

By the end of this lesson, you will be able to:

  • Generate SSL certificates using Let's Encrypt
  • Configure Nginx to serve content over HTTPS
  • Set up automatic certificate renewal
  • Implement HTTP to HTTPS redirection
  • Understand different SSL/TLS configuration options

Understanding SSL/TLS Basics

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols that provide secure communication over a network. Every version of SSL is obsolete (SSLv3 was formally deprecated in RFC 7568, and TLS 1.0 and 1.1 in RFC 8996), so what you actually deploy today is TLS 1.2 or 1.3; "SSL certificate" survives only as the everyday name for an X.509 server certificate. When implemented on your web server, these protocols:

  • Encrypt data between the client and server, so it cannot be read on the wire
  • Verify server identity, so the client knows it is talking to your site and not an impostor
  • Ensure data integrity, so anything modified in transit is detected and rejected

Tip: Modern browsers mark plain HTTP pages "Not Secure" in the address bar, so TLS is a baseline requirement for every production site rather than an optional extra.

Generating SSL Certificates with Let's Encrypt

Let's Encrypt is a public certificate authority that issues free, domain-validated certificates through the automated ACME protocol. We'll use Certbot, the ACME client maintained by the EFF and recommended by Let's Encrypt.

First, install Certbot:

Install Certbot
sudo apt update
sudo apt install certbot python3-certbot-nginx

Generate certificates for your domain:

Generate SSL Certificate
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

Certbot proves that you control the domain (with the nginx plugin, by temporarily answering an HTTP-01 challenge through your existing port-80 server block), stores the certificate and key under /etc/letsencrypt/live/yourdomain.com/, and edits your Nginx configuration to use them. If you would rather write the HTTPS server block yourself, as we do next, use the certonly subcommand with the same plugin so that Certbot obtains the certificate without touching the configuration.

Configuring HTTPS in Nginx

Let's examine a basic HTTPS server block configuration:

/etc/nginx/sites-available/yourdomain.com
server {
    listen 443 ssl http2;        # nginx 1.25.1+ deprecates the http2 flag here in favour of a separate "http2 on;" directive
    listen [::]:443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;

    # fullchain.pem = your certificate plus the Let's Encrypt intermediate; privkey.pem is readable by root only
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    # SSL configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    # ssl_ciphers only governs TLS 1.2. Certbot 2.0+ issues ECDSA keys by default, so an
    # ECDHE-RSA-only list would leave TLS 1.2 clients with no cipher suite they can use.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;   # let modern clients choose; every listed suite is AEAD with forward secrecy

    root /var/www/yourdomain.com/html;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }
}

Redirecting HTTP to HTTPS

It's crucial to redirect all HTTP traffic to HTTPS: without the redirect, a user who types the bare hostname stays on plaintext HTTP, and the HSTS header configured later in this lesson never gets a chance to take effect. Add this server block:

HTTP to HTTPS Redirect
server {
    listen 80;
    listen [::]:80;
    server_name yourdomain.com www.yourdomain.com;

    # $host keeps whichever listed name the client asked for. $server_name would
    # always expand to the first name (yourdomain.com), silently sending every
    # www.yourdomain.com request to the apex.
    return 301 https://$host$request_uri;
}

Keep the server_name list explicit so that $host is always one of your own names; requests carrying an unexpected Host header should be handled by a separate default server rather than reflected into a Location header.

Warning: Always test your redirects. A misconfigured redirect can loop forever (a classic cause is nginx behind a TLS-terminating load balancer, which hands nginx plain HTTP, so the port-80 block redirects traffic that was already HTTPS at the edge) or break your site. A HEAD request to the http:// URL should return exactly one 301 whose Location header points at the https:// URL.

Advanced SSL/TLS Configuration

Strong SSL Configuration

For better security, use these enhanced settings inside the HTTPS server block (or in a snippet included from every HTTPS server block):

Enhanced SSL Settings
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;   # nginx's ticket key changes only on reload, so long-lived tickets weaken forward secrecy

# ssl_ciphers governs TLS 1.2 only; the TLS 1.3 suites are fixed by the OpenSSL build
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;

# Enable HSTS (max-age is two years). Only meaningful in the HTTPS block; browsers ignore it over plain HTTP.
add_header Strict-Transport-Security "max-age=63072000" always;

Two caveats on the HSTS header. First, nginx's add_header is not additive across levels: a location block that sets any add_header of its own stops inheriting the headers from the server block, so repeat the HSTS line there. Second, leave out includeSubDomains and preload until every subdomain serves HTTPS; browsers remember the policy for the full max-age, so a mistake here locks users out of any HTTP-only host you forgot about.

OCSP Stapling

Enable OCSP stapling so that the server fetches the certificate's revocation status itself and attaches it to the handshake. Clients then skip their own OCSP lookup (faster), and the CA never learns which sites a client visits (more private):

OCSP Stapling Configuration
ssl_stapling on;
ssl_stapling_verify on;
# chain.pem (the intermediate only) lets nginx verify the OCSP response it staples
ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;
# nginx needs its own resolver to reach the OCSP responder; these lookups are plain DNS, so a local resolver is preferable to a public one
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

Note that Let's Encrypt announced in 2024 that it is ending OCSP support in favour of CRLs, so newer certificates may carry no OCSP responder URL at all. The directives above are then harmless but inert: nginx logs a warning that stapling is ignored and sends no staple.
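The checks scattered across the HTTPS server block, the redirect block, the enhanced settings and the OCSP stapling section above can be applied mechanically before nginx -t ever runs. The script below is an added example for this lesson, not code from nginx, Certbot or the original page: it parses the subset of nginx syntax used here into server blocks and reports the lesson's pitfalls (weak protocols, a redirect built on $server_name, a missing HSTS header or a short max-age, stapling without a trusted chain or resolver, session tickets left on). The two sample configurations are constructed for the example and use the reserved example.test name; the thresholds and message wording are the example's own.

```python
"""Static lint for the TLS settings of an nginx config. Added example for this
lesson (not nginx's or Certbot's own code); it parses the syntax the lesson
uses: ';'-terminated directives, '{ }' blocks, '#' comments, quoted arguments."""
import re

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MIN_HSTS_AGE = 31536000  # one year, the minimum hstspreload.org accepts


class Block:
    """One nginx block: header words, directives as [(name, [args])], nested children."""
    def __init__(self, name):
        self.name, self.directives, self.children = name, [], []


def parse(text):
    """Build a Block tree from nginx config text (simplified grammar)."""
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', re.sub(r"#[^\n]*", "", text))
    stack, current = [Block("root")], []
    for tok in tokens:
        if tok == "{":                  # the words before '{' name the nested block
            stack[-1].children.append(Block(" ".join(current)))
            stack.append(stack[-1].children[-1])
            current = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":                # directive name plus unquoted arguments
            if current:
                stack[-1].directives.append((current[0], [a.strip("\"'") for a in current[1:]]))
            current = []
        else:
            current.append(tok)
    return stack[0]


def first(block, name):
    """Arguments of the first directive called `name` in `block`, or None."""
    return next((args for d, args in block.directives if d == name), None)


def servers(block):
    """Yield every server block, including ones nested inside http { }."""
    for child in block.children:
        yield from ([child] if child.name == "server" else servers(child))


def lint_server(srv):
    """Findings for one server block; empty means it matches this lesson's target."""
    f = []
    if not any("ssl" in args for d, args in srv.directives if d == "listen"):
        ret = first(srv, "return")      # a plain-HTTP block should do nothing but 301 to HTTPS
        if not (ret and ret[0] == "301" and len(ret) > 1 and ret[1].startswith("https://")):
            f.append("plain-HTTP server does not 301 to https://")
        elif "$server_name" in ret[1]:
            f.append("redirect uses $server_name (first name only); use $host")
        return f
    protos = first(srv, "ssl_protocols")
    if protos is None or set(protos) & WEAK_PROTOCOLS:
        f.append("ssl_protocols unset or includes SSLv3/TLSv1/TLSv1.1")
    hsts = next((args for d, args in srv.directives if d == "add_header"
                 and args and args[0].lower() == "strict-transport-security"), None)
    age = hsts and re.search(r"max-age=(\d+)", " ".join(hsts[1:]))
    if hsts is None:
        f.append("no Strict-Transport-Security header")
    elif not age or int(age.group(1)) < MIN_HSTS_AGE:
        f.append("HSTS max-age missing or below one year")
    if first(srv, "ssl_stapling") == ["on"]:
        for needed in ("ssl_trusted_certificate", "resolver"):
            if first(srv, needed) is None:
                f.append(f"ssl_stapling on without {needed}")
    if first(srv, "ssl_session_tickets") != ["off"]:
        f.append("ssl_session_tickets not off (the ticket key changes only on reload)")
    return f


def lint(text):
    """Lint every server block, returning ['<server_name>: <finding>', ...]."""
    return [f"{' '.join(first(s, 'server_name') or ['<unnamed>'])}: {finding}"
            for s in servers(parse(text)) for finding in lint_server(s)]


# Constructed samples: one site with common mistakes, one matching this lesson's hardened settings.
WEAK = """
server { listen 80; server_name example.test www.example.test;
         return 301 https://$server_name$request_uri; }
server { listen 443 ssl; server_name example.test www.example.test;
         ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_stapling on; }
"""
HARDENED = """
server { listen 80; listen [::]:80; server_name example.test www.example.test;
         return 301 https://$host$request_uri; }
server { listen 443 ssl; listen [::]:443 ssl; server_name example.test www.example.test;
         ssl_certificate /etc/letsencrypt/live/example.test/fullchain.pem;
         ssl_certificate_key /etc/letsencrypt/live/example.test/privkey.pem;
         ssl_protocols TLSv1.2 TLSv1.3; ssl_session_tickets off;
         ssl_stapling on; ssl_stapling_verify on; resolver 8.8.8.8 8.8.4.4 valid=300s;
         ssl_trusted_certificate /etc/letsencrypt/live/example.test/chain.pem;
         add_header Strict-Transport-Security "max-age=63072000" always;
         location / { try_files $uri $uri/ =404; } }
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "->", lint(cfg) or "no findings")
```

Run it as a script to compare the two samples, or call lint() on the contents of a real sites-available file. It deliberately ignores anything outside server blocks and does not follow include directives, so run it on each site file separately.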

Certificate Auto-Renewal

Let's Encrypt certificates are valid for only 90 days, and Certbot renews any certificate with fewer than 30 days left, so renewal has to run unattended. First confirm that a renewal would succeed without actually issuing anything:

Test Auto-Renewal
sudo certbot renew --dry-run

Add a cron job for automatic renewal:

Add to crontab
sudo crontab -e
# Add this line:
0 12 * * * /usr/bin/certbot renew --quiet

Before adding the cron job, check whether your Certbot package already installed a systemd timer (certbot.timer on Debian and Ubuntu) that runs the same renew command twice a day; if it did, the cron job is redundant. Whichever scheduler you use, run it at least daily so that a failed attempt is retried well before expiry. Because the certificate was obtained with the nginx plugin, Certbot reloads nginx after a successful renewal; if you switch to another authenticator (webroot or DNS), add a deploy hook that reloads nginx, otherwise nginx keeps serving the old certificate from memory until it expires.

For a site with a single name, the HTTPS server block reduces to:

Single Domain SSL
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # ... rest of configuration
}

Testing Your SSL Configuration

After configuring SSL, test your setup:

Test Nginx Configuration
sudo nginx -t
sudo systemctl reload nginx

Use online scanners or OpenSSL to verify the deployed configuration from the outside:

Test SSL with OpenSSL
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null

The redirect from /dev/null closes the connection once the handshake is done instead of leaving s_client waiting for input. In the output, check that the certificate chain ends at the Let's Encrypt intermediate and the summary reports "Verify return code: 0 (ok)", that the negotiated Protocol is TLSv1.2 or TLSv1.3, and that the Cipher is one of the suites you configured. Repeat with the -tls1_1 and -tls1 options: both handshakes must fail.
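The s_client output above has to be read by eye. The following is an added example, not part of the lesson, OpenSSL or Certbot, that automates the same review from outside with Python's standard ssl module: it negotiates with a validating client, reads the certificate's remaining lifetime, fetches the HSTS header, and separately attempts a TLS 1.0/1.1-only handshake that a correct ssl_protocols line must reject. The hostname is whatever you deployed (yourdomain.com below is the lesson's placeholder); the 30-day threshold mirrors Certbot's default renewal window, and the sample header text used by the helpers is constructed for the example.

```python
"""Probe a deployed HTTPS endpoint for the properties this lesson configures.
Added example (not part of Certbot, nginx or the lesson): the analysis helpers
are pure functions; only probe() and legacy_accepted() touch the network."""
import socket
import ssl
import sys
import time

RENEW_WINDOW_DAYS = 30      # Certbot renews once fewer than 30 days remain
MIN_HSTS_AGE = 31536000     # one year


def days_until_expiry(not_after, now=None):
    """Days left on a certificate, given the notAfter string from getpeercert()."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def parse_hsts(response_text):
    """Strict-Transport-Security from a raw HTTP response, or None if absent."""
    head = response_text.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "strict-transport-security":
            continue
        parts = [p.strip().lower() for p in value.split(";")]
        age = next((p.split("=", 1)[1] for p in parts if p.startswith("max-age=")), None)
        return {"max_age": int(age) if age and age.isdigit() else None,
                "include_subdomains": "includesubdomains" in parts,
                "preload": "preload" in parts}
    return None


def evaluate(report):
    """Findings from a probe() report; an empty list means the lesson's target is met."""
    issues = []
    if report["protocol"] not in ("TLSv1.2", "TLSv1.3"):
        issues.append(f"negotiated {report['protocol']} with default client settings")
    if report.get("legacy_accepted"):
        issues.append("server still accepts TLS 1.0/1.1")
    if report["days_left"] < RENEW_WINDOW_DAYS:
        issues.append(f"{report['days_left']} days left, inside Certbot's renewal window: auto-renewal is not running")
    if report["hsts"] is None:
        issues.append("no Strict-Transport-Security header")
    elif (report["hsts"]["max_age"] or 0) < MIN_HSTS_AGE:
        issues.append("HSTS max-age below one year")
    return issues


def probe(host, port=443, timeout=5):
    """Handshake with validating defaults, then HEAD / to read the HSTS header."""
    ctx = ssl.create_default_context()      # verifies the chain and the hostname; SNI = host
    with socket.create_connection((host, port), timeout=timeout) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        cert = tls.getpeercert()
        tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
        raw = b""
        while chunk := tls.recv(4096):
            raw += chunk
        return {"protocol": tls.version(), "cipher": tls.cipher()[0],
                "days_left": days_until_expiry(cert["notAfter"]),
                "hsts": parse_hsts(raw.decode("latin-1"))}


def legacy_accepted(host, port=443, timeout=5):
    """True if the server completes a TLS 1.0/1.1 handshake (ssl_protocols too permissive).
    Also False when the local OpenSSL refuses to offer legacy versions, so a False
    result is only conclusive on a build that still supports them at security level 0."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE   # only protocol acceptance is tested
        ctx.set_ciphers("ALL:@SECLEVEL=0")                           # allow the client to offer legacy TLS
        ctx.minimum_version, ctx.maximum_version = ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1
        with socket.create_connection((host, port), timeout=timeout) as sock, \
                ctx.wrap_socket(sock, server_hostname=host):
            return True
    except (ssl.SSLError, OSError, ValueError):
        return False


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "yourdomain.com"   # the lesson's placeholder host
    report = probe(target)
    report["legacy_accepted"] = legacy_accepted(target)
    print(report)
    for issue in evaluate(report):
        print("FINDING:", issue)
```

Run it with the hostname as the only argument. When legacy_accepted() reports False on a platform whose OpenSSL no longer ships TLS 1.0/1.1, confirm the rejection with the s_client -tls1_1 check described above.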

Common Pitfalls

  • Mixed Content Issues: Ensure all resources (CSS, JS, images, fonts, XHR endpoints) are loaded via HTTPS; browsers block active mixed content outright, so a page silently loses its scripts
  • Certificate Chain Problems: Always serve the intermediate certificate along with your own, which is why the configuration points at fullchain.pem rather than cert.pem; a missing intermediate often still works in desktop browsers that fetch or cache it, and fails in curl, mobile clients and monitoring tools
  • HSTS Preload: Don't submit your domain to the preload list until you're certain every subdomain will always use HTTPS; removal from browser preload lists takes months
  • Wildcard Certificates: Remember they only cover one level of subdomains (*.example.com doesn't cover sub.sub.example.com, nor example.com itself), and Let's Encrypt issues them only through the DNS-01 challenge, not the nginx plugin
  • SNI Support: Ensure your Nginx build supports Server Name Indication (nginx -V reports "TLS SNI support enabled") for hosting multiple HTTPS sites on one IP address

Summary

You've successfully learned how to:

  • Generate free SSL certificates using Let's Encrypt and Certbot
  • Configure Nginx to serve content over HTTPS with proper security settings
  • Implement HTTP to HTTPS redirection
  • Set up automatic certificate renewal
  • Apply advanced SSL/TLS features like OCSP stapling and HSTS

SSL/TLS configuration is essential for modern web security and user trust. Regular maintenance and staying updated with security best practices will keep your sites secure.

Quiz

Nginx SSL/TLS and HTTPS Configuration

What is the primary purpose of implementing SSL/TLS on a web server?
