
This article was last reviewed for Debian 9 (Stretch).

Nginx configuration for TLS certificates (Debian, repository)

Author: Stefán Örvar Sigmundsson
Written in: English (United Kingdom)

Nginx implements the Transport Layer Security protocol in its ngx_http_ssl_module module. This article demonstrates how to configure TLS on Nginx on Debian or its derivatives such as Ubuntu and Linux Mint. The server will be configured for the domain name example.org as a virtual server.

Configuration

The server must be restarted or reloaded for the configuration to take effect.

TLS module

The conf.d/http_ssl.conf file configures the TLS module:

ssl_certificate /etc/ssl/example.org/certificate.crt;
ssl_certificate_key /etc/ssl/example.org/certificate.key;
ssl_session_cache shared:SSL:10m;
ssl_certificate /etc/ssl/example.org/certificate.crt;
Specifies the path to the server's public key certificate.
ssl_certificate_key /etc/ssl/example.org/certificate.key;
Specifies the path to the private key that corresponds to the certificate.
ssl_session_cache shared:SSL:10m;
Enables a TLS session cache named SSL, 10 MB in size, that is shared between all worker processes. Returning clients can resume a cached session instead of performing a full handshake, which improves the performance of the server.

Virtual server

The following demonstrates a partial configuration for the example.org domain name:

server
{
	…

	listen 80 default_server;
	listen 443 http2 ssl default_server;

	server_name example.org;

	…
}
listen 80 default_server;
Instructs the virtual server to listen on port 80. The virtual server is additionally defined as being the default virtual server for the port.
listen 443 http2 ssl default_server;
Instructs the virtual server to listen on port 443 with TLS enabled. The virtual server is additionally defined as being the default virtual server for the port, and HTTP/2 is enabled.
server_name example.org;
Sets the server name for the virtual server. The domain name (example.org) should be replaced with the relevant domain name.
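The following audit script is an added example and is not part of the original article or of Nginx itself. It parses a configuration fragment shaped like the http_ssl.conf file and the virtual server above, and checks three things a practitioner would want to confirm before reloading: that the port 443 listener actually carries the ssl parameter, that the certificate and key files named by ssl_certificate and ssl_certificate_key exist, and that the private key is not readable by group or others. The article does not prescribe a file mode for the key; treating anything looser than 0600 as a finding is this example's assumption. The sample configuration and the placeholder certificate and key files are constructed in a temporary directory so the script runs offline.

```python
# Added example (not the article's own code): audit an Nginx TLS configuration
# fragment for common mistakes.  The sample config and files are constructed
# here; the 0600 expectation for the private key is an assumption, not a rule
# stated by the article.
import os
import re
import stat
import tempfile

# Constructed sample config, modelled on the article's http_ssl.conf and server block.
# Doubled braces are literal braces for str.format().
SAMPLE_CONFIG = """
ssl_certificate {cert};
ssl_certificate_key {key};
ssl_session_cache shared:SSL:10m;

server
{{
    listen 80 default_server;
    listen 443 http2 ssl default_server;
    server_name example.org;
}}
"""

# Matches the three directives the audit cares about; one directive per line.
DIRECTIVE_RE = re.compile(r"^\s*(ssl_certificate_key|ssl_certificate|listen)\s+([^;]+);", re.M)


def parse_config(text):
    """Collect ssl_certificate, ssl_certificate_key and listen directives.

    Returns a dict mapping directive name to a list of argument lists."""
    found = {"ssl_certificate": [], "ssl_certificate_key": [], "listen": []}
    for name, args in DIRECTIVE_RE.findall(text):
        found[name].append(args.split())
    return found


def audit_config(text):
    """Return a list of human-readable findings; an empty list means every check passed."""
    directives = parse_config(text)
    findings = []

    # 1. Every listener on port 443 must carry the ssl parameter; without it
    #    nginx serves plaintext HTTP on the HTTPS port.
    for args in directives["listen"]:
        port = args[0].rsplit(":", 1)[-1]  # handles "443", "[::]:443", "0.0.0.0:443"
        if port == "443" and "ssl" not in args[1:]:
            findings.append("listen 443 without the ssl parameter")

    # 2. Both the certificate and the key must be configured and present on disk.
    for name in ("ssl_certificate", "ssl_certificate_key"):
        if not directives[name]:
            findings.append(f"missing {name} directive")
        for args in directives[name]:
            if not os.path.isfile(args[0]):
                findings.append(f"{name} file not found: {args[0]}")

    # 3. Assumption: the private key should be readable by its owner only (0600).
    for args in directives["ssl_certificate_key"]:
        path = args[0]
        if os.path.isfile(path):
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"private key {path} is readable by group/others (mode {mode:04o})")
    return findings


def demo():
    """Write placeholder cert/key files in a temp directory and audit the sample
    config twice: with a group/world-readable key, then after tightening it."""
    with tempfile.TemporaryDirectory() as tmp:
        cert = os.path.join(tmp, "certificate.crt")
        key = os.path.join(tmp, "certificate.key")
        # Placeholder contents: the audit checks presence and permissions, not PEM validity.
        with open(cert, "w") as f:
            f.write("-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n")
        with open(key, "w") as f:
            f.write("-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n")
        config = SAMPLE_CONFIG.format(cert=cert, key=key)

        os.chmod(key, 0o644)
        before = audit_config(config)   # one finding: key is group/world readable
        os.chmod(key, 0o600)
        after = audit_config(config)    # no findings
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tightening:", before)
    print("after tightening: ", after)
```

Run the script directly to see the two audit passes; to audit a real file, pass the contents of /etc/nginx/conf.d/http_ssl.conf together with the virtual server file to audit_config(). The parser is deliberately simple (one directive per line, no include handling), which is enough for the fragments shown in this article.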

Rewrite module (optional)

Communication security can be maximised by forcing all HTTP communication to be conducted over TLS. The following can be added to the virtual server block:

…

	if ($scheme = http)
	{
		return 301 https://$server_name$request_uri;
	}

…
if ($scheme = http)
Checks whether the request arrived over plain HTTP (the scheme is http).
return 301 https://$server_name$request_uri;
Redirects the client to the same URI over HTTPS and returns a 301 (Moved Permanently) HTTP status code.
