SoFunction
Updated on 2025-04-06

Implementation of Nginx SSL/TLS configuration

Nginx is an efficient web server and reverse proxy that is widely used to handle HTTPS requests. SSL/TLS (Secure Sockets Layer/Transport Layer Security) is the protocol used to encrypt communication between clients and servers, providing confidentiality, integrity and authentication of the server's identity. In modern web service architectures, enabling SSL/TLS encryption has become standard practice: it not only protects users' data but also improves the site's SEO ranking and credibility.

1. Basic concepts of SSL/TLS

1.1 What is SSL/TLS?

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are both encryption protocols used to protect the security of network communication. SSL is the older protocol and TLS is its successor. Although TLS is more secure and more efficient, people still habitually call it SSL for historical reasons.

The SSL/TLS protocol combines symmetric and asymmetric encryption to establish an encrypted channel between the client and the server, so that data cannot be read or tampered with in transit.

1.2 How SSL/TLS Works

The working principle of the SSL/TLS protocol can be summarized into the following steps:

  • The client initiates a connection request: The client (such as a browser) requests to establish an HTTPS connection with the server.
  • Server Sends Certificate: The server responds to the request and sends its SSL/TLS certificate to the client.
  • Certificate Verification: The client verifies that the server certificate was issued by a trusted certificate authority (CA) and that it matches the host name being visited.
  • Key Exchange: The client and server agree on a shared session key using public-key cryptography: data encrypted with the server's public key can be decrypted only with the server's private key.
  • Encrypted communication: Both parties use symmetric encryption (symmetric keys) for subsequent communication to ensure the confidentiality and integrity of the data.

2. Nginx SSL/TLS configuration

2.1 Basic SSL configuration

In order to enable SSL/TLS encryption in Nginx, you first need to prepare a valid SSL certificate. You can purchase an SSL certificate, or use the free Let’s Encrypt certificate. Here are the basic Nginx SSL configuration steps.

2.1.1 Obtaining an SSL certificate

Before starting configuration, you need to prepare the following two files:

  • SSL certificate file (.crt or .pem)
  • SSL private key file (.key)

You can purchase a certificate from a Certificate Authority (CA) or use the free Let’s Encrypt certificate.

2.1.2 Configuring Nginx to enable SSL

In the Nginx server block, configure SSL by specifying the locations of the certificate file and the private key file:

server {
    listen 443 ssl;  # Enable HTTPS (port 443)
    server_name ;  # Server domain name

    ssl_certificate /etc/nginx/ssl/;  # Certificate file path
    ssl_certificate_key /etc/nginx/ssl/;  # Private key file path

    # Other related SSL settings
    ssl_protocols TLSv1.2 TLSv1.3;  # Enabled protocol versions
    ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';  # Cipher suites
    ssl_prefer_server_ciphers on;  # Prefer the server's cipher suite order over the client's
}
  • listen 443 ssl: Enable HTTPS service on port 443.
  • ssl_certificate: Specifies the path to the SSL certificate file.
  • ssl_certificate_key: Specifies the path to the SSL private key file.

2.1.3 Configuring HTTP to HTTPS redirection

To ensure that all traffic is transported over HTTPS, you can set up HTTP to HTTPS redirection. The following is the configuration method:

server {
    listen 80;
    server_name ;

    # Force all HTTP requests to redirect to HTTPS
    return 301 https://$server_name$request_uri;
}

3. Optimize SSL/TLS configuration

3.1 Enable the modern TLS protocol

SSL 2.0 and SSL 3.0 are considered insecure, so when configuring Nginx you should ensure that only secure TLS versions such as TLS 1.2 and TLS 1.3 are enabled.

ssl_protocols TLSv1.2 TLSv1.3;  # Disable SSL 2.0 and SSL 3.0

3.2 Configuring cipher suites

An SSL/TLS cipher suite is a combination of key exchange, authentication, encryption and integrity algorithms. Nginx lets us choose which cipher suites to offer, so that the encrypted communication stays secure. Choosing the right suites matters, because they determine whether the connection can withstand risks such as man-in-the-middle attacks and downgrade attacks.

ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;  # Prefer the server's cipher suite order

When selecting cipher suites, prioritize those that provide forward secrecy, that is, suites with an ephemeral key exchange such as the ECDHE suites above and all TLS 1.3 suites, so that a later compromise of the server's private key does not expose previously recorded traffic.

3.3 Enable HSTS (HTTP Strict Transport Security)

HSTS (HTTP Strict Transport Security) is a web security policy that tells browsers a site may only be accessed over HTTPS, which prevents man-in-the-middle attacks that rely on downgrading the connection to plain HTTP. HSTS is enabled by sending the Strict-Transport-Security HTTP header.

server {
    listen 443 ssl;
    server_name ;

    # Enable HSTS (maximum validity period is 1 year)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
}

3.4 Enable OCSP Stapling

OCSP (Online Certificate Status Protocol) is used to check whether a certificate has been revoked. With OCSP Stapling enabled, the server fetches the status response itself and attaches ("staples") it to the TLS handshake, so clients no longer need to query the Certificate Authority (CA) on every connection, which improves performance.

ssl_stapling on;
ssl_stapling_verify on;

3.5 Configuring SSL Session Cache

The efficiency of TLS handshakes can be improved by enabling SSL session caching. Nginx can cache SSL sessions (in memory or on disk) so that a returning client can resume its session instead of performing a full handshake, which speeds up connection setup.

ssl_session_cache shared:SSL:10m;  # Session cache is set to 10MB
ssl_session_timeout 1d;  # Session timeout is set to 1 day

3.6 Optimizing SSL performance

Nginx provides some performance optimization options to reduce latency of SSL handshakes. The following are commonly used optimization methods:

  • Enable ssl_session_cache and ssl_session_timeout: As mentioned earlier, this improves performance by avoiding a full handshake every time a new connection is established.
  • Enable ssl_prefer_server_ciphers: Nginx then uses the server's cipher suite order rather than the client's, so a client cannot steer the negotiation toward a weaker suite.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_prefer_server_ciphers on;
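The settings in sections 3.1 to 3.6 are easy to get subtly wrong, so the following added example (not part of the article or of nginx) audits the ssl_* directives of a server block the way a reviewer would: it flags legacy protocol versions, cipher suites without forward secrecy, a missing server cipher preference, a missing or short HSTS header, OCSP stapling without the resolver and ssl_trusted_certificate directives it depends on, and a missing session cache. The two embedded configurations are constructed samples; host names, paths and the resolver address are placeholders. One caveat worth knowing when reading the article's ssl_ciphers line: with OpenSSL, ssl_ciphers governs only the TLS 1.2 cipher list, and TLS 1.3 suites such as TLS_AES_128_GCM_SHA256 are selected through OpenSSL's separate TLS 1.3 ciphersuite setting (reachable via ssl_conf_command Ciphersuites in newer nginx), so listing them in ssl_ciphers is harmless but has no effect.

```python
"""Audit the ssl_* directives of an nginx server block (added example, not nginx tooling)."""
import re

ONE_YEAR = 31536000                     # seconds; the HSTS max-age the article uses
INSECURE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Forward secrecy needs an ephemeral key exchange: ECDHE-/DHE- suites in OpenSSL
# naming, or a TLS 1.3 suite (TLS_*), which always uses ephemeral (EC)DH.
FORWARD_SECRET = re.compile(r"^(ECDHE-|DHE-|TLS_)")

# Constructed sample with several weak choices (placeholder host name and paths).
WEAK_CONFIG = """
server {
    listen 443 ssl;
    server_name example.test;                      # placeholder host name
    ssl_certificate /etc/nginx/ssl/fullchain.pem;  # placeholder paths
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_stapling on;
    ssl_stapling_verify on;
}
"""

# The article's recommended settings plus the resolver and trusted-certificate
# directives that OCSP stapling depends on (placeholder address and paths).
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    server_name example.test;
    ssl_certificate /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
    resolver 192.0.2.53;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
}
"""


def parse_directives(config):
    """Map each 'name args;' line to a list of argument lists; comments and braces are ignored."""
    directives = {}
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.endswith(";"):
            continue                    # '{', '}' and blank lines carry no directive
        name, *args = line[:-1].split()
        directives.setdefault(name, []).append([a.strip("'\"") for a in args])
    return directives


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its three directives."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        key = key.strip().lower()
        if key == "max-age" and val.strip().isdigit():
            result["max_age"] = int(val.strip())
        elif key == "includesubdomains":
            result["include_subdomains"] = True
        elif key == "preload":
            result["preload"] = True
    return result


def audit(config):
    """Return (code, message) findings for weak or missing settings in one server block."""
    d = parse_directives(config)
    findings = []
    protocols = {p for args in d.get("ssl_protocols", []) for p in args}
    if not protocols:
        findings.append(("no-protocols", "ssl_protocols is not set; set it to 'TLSv1.2 TLSv1.3'"))
    weak_protocols = sorted(protocols & INSECURE_PROTOCOLS)
    if weak_protocols:
        findings.append(("weak-protocol", "ssl_protocols enables " + ", ".join(weak_protocols)))
    ciphers = [c for args in d.get("ssl_ciphers", []) for a in args for c in a.split(":")]
    # '!' entries are exclusions in OpenSSL cipher-list syntax, not enabled suites
    weak_ciphers = [c for c in ciphers if c and not c.startswith("!") and not FORWARD_SECRET.match(c)]
    if weak_ciphers:
        findings.append(("weak-cipher", "suites without forward secrecy: " + ", ".join(weak_ciphers)))
    if d.get("ssl_prefer_server_ciphers", [["off"]])[0] != ["on"]:
        findings.append(("no-server-pref", "ssl_prefer_server_ciphers should be on"))
    hsts = None
    for args in d.get("add_header", []):
        if args and args[0].lower() == "strict-transport-security":
            hsts = parse_hsts(" ".join(args[1:]))
    if hsts is None:
        findings.append(("no-hsts", "no Strict-Transport-Security header is added"))
    elif hsts["max_age"] is None or hsts["max_age"] < ONE_YEAR:
        findings.append(("short-hsts", "HSTS max-age is below one year"))
    if d.get("ssl_stapling", [["off"]])[0] == ["on"]:
        if "resolver" not in d:
            findings.append(("stapling-no-resolver", "ssl_stapling needs a resolver to reach the OCSP responder"))
        if d.get("ssl_stapling_verify", [["off"]])[0] == ["on"] and "ssl_trusted_certificate" not in d:
            findings.append(("stapling-verify-no-trusted", "ssl_stapling_verify needs ssl_trusted_certificate"))
    if "ssl_session_cache" not in d:
        findings.append(("no-session-cache", "ssl_session_cache is not set; every connection does a full handshake"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for code, message in results:
            print(f"  [{code}] {message}")
```

Run it as-is to see the weak sample produce seven findings and the hardened sample none; to audit a real configuration, read the server block from disk and pass the text to audit(). The parser is deliberately line-oriented, so directives spread over several lines need to be joined first.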

4. Common SSL/TLS configuration problems and solutions

4.1 SSL handshake failed

SSL handshake failures can be caused by a variety of reasons, such as:

  • Certificate chain is incomplete: Make sure the intermediate certificate is configured correctly and the whole chain is complete. In Nginx the file named by ssl_certificate must contain the server certificate followed by the intermediate certificates, in order; a file holding only the leaf certificate is the most common cause of this failure.
  • TLS protocol version mismatch: Make sure both the client and the server support the same TLS protocol version.

Solution:

  • Make sure Nginx is configured with the appropriate certificate chain and protocol.
  • Check the SSL configuration using tools such as SSL Labs to make sure there are no problems.
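The handshake steps listed in section 1.2 and the checks recommended here can both be exercised from the command line with the Python standard library. The following added example (not a tool described by the article) performs one handshake, with certificate verification against the system trust store, reports the negotiated version and cipher suite together with the certificate's subject, issuer, names and expiry, then attempts a TLS 1.0/1.1 handshake to see whether the legacy versions are accepted, and finally reads the Strict-Transport-Security header from a HEAD request. The host name example.test and the embedded certificate dictionary are constructed placeholders; a failing legacy handshake can mean either that the server refused it or that the local OpenSSL policy would not offer it, and the report says so.

```python
"""Probe a live HTTPS endpoint with the standard library only (added example, not article code)."""
import http.client
import socket
import ssl
import sys
import time

LEGACY_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed getpeercert()-style dictionary, used for the offline checks.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example Issuing CA"),)),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "example.test"), ("DNS", "www.example.test")),
}


def handshake(host, port, minimum=ssl.TLSVersion.TLSv1_2, maximum=ssl.TLSVersion.TLSv1_3, timeout=5.0):
    """Complete one TLS handshake; return (version, cipher name, verified peer certificate)."""
    ctx = ssl.create_default_context()        # system CAs, hostname check (section 1.2 step 3)
    ctx.minimum_version = minimum
    ctx.maximum_version = maximum
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:   # key exchange happens here
            return tls.version(), tls.cipher()[0], tls.getpeercert()


def summarize_cert(cert, now=None):
    """Pull subject CN, issuer CN, DNS names and expiry out of a getpeercert() dictionary."""
    def cn(name):
        return next((v for rdn in name for k, v in rdn if k == "commonName"), "")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return {
        "subject_cn": cn(cert.get("subject", ())),
        "issuer_cn": cn(cert.get("issuer", ())),
        "sans": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "not_after": not_after,
        "days_left": int((not_after - now) // 86400),
    }


def assess(version, cipher):
    """Flag a legacy protocol version or a negotiated suite without forward secrecy."""
    findings = []
    if version in LEGACY_VERSIONS:
        findings.append("legacy-version")
    if not cipher.startswith(("ECDHE-", "DHE-", "TLS_")):
        findings.append("no-forward-secrecy")
    return findings


def hsts_header(host, port, timeout=5.0):
    """Fetch '/' over HTTPS and return the Strict-Transport-Security value, or None."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ssl.create_default_context())
    try:
        conn.request("HEAD", "/", headers={"Host": host})
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


def probe(host, port=443):
    """Run every check against one endpoint and return the report as a dictionary."""
    report = {"host": host, "port": port}
    try:
        version, cipher, cert = handshake(host, port)
    except ssl.SSLCertVerificationError as exc:     # untrusted issuer or incomplete chain (4.1, 4.3)
        report.update(chain_verified=False, error=str(exc))
        return report
    report.update(chain_verified=True, version=version, cipher=cipher,
                  findings=assess(version, cipher), certificate=summarize_cert(cert))
    # Legacy probe: failure means the server refused TLS 1.0/1.1 or the local
    # OpenSSL policy would not offer them; the modern handshake above already succeeded.
    try:
        handshake(host, port, minimum=ssl.TLSVersion.TLSv1, maximum=ssl.TLSVersion.TLSv1_1)
        report["legacy_tls_accepted"] = True
    except (ssl.SSLError, OSError):
        report["legacy_tls_accepted"] = False
    try:
        report["hsts"] = hsts_header(host, port)
    except (ssl.SSLError, OSError):
        report["hsts"] = None
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.test"   # placeholder host
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for key, value in probe(target, target_port).items():
        print(f"{key}: {value}")
```

Run it with the host name and port of the server you operate; a chain_verified of False with a verification error in the report points at the incomplete chain or untrusted issuer discussed in sections 4.1 and 4.3, legacy_tls_accepted should be False after section 3.1 is applied, and hsts should show the header configured in section 3.3.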

4.2 “Mixed Content” issue

When a page is loaded over HTTPS but some of its resources (such as images, CSS or JavaScript) are still loaded over HTTP, the browser shows a "Mixed Content" warning and may block those resources. To resolve this, make sure every resource is referenced over HTTPS.

4.3 SSL certificates are not trusted

If the client fails to verify the SSL certificate, the certificate was probably not issued by a certificate authority the client trusts (or the intermediate certificates are missing from the chain the server sends). Obtain certificates from a trusted CA, or use a free certificate from Let’s Encrypt.

5. Summary

By configuring SSL/TLS in Nginx, we can effectively protect the security of user data and prevent security risks such as man-in-the-middle attacks and data leakage. In addition to basic SSL configuration, you should also pay attention to advanced settings such as protocol version, encryption suite, HSTS, OCSP, and session cache, thereby improving SSL/TLS security and performance.
