A secure nginx SSL config, explained directive by directive
A good nginx TLS configuration is short, but every line earns its place. Copying one from a forum without understanding it is how servers end up supporting protocols they should not. Here is what the directives that matter actually do.
Protocols and ciphers
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_protocols limits which TLS versions you accept. Accepting only TLS 1.2 and 1.3 is the modern baseline; 1.0 and 1.1 are deprecated and should be off. With TLS 1.3 in the mix, ssl_prefer_server_ciphers off is now recommended, because 1.3's cipher suites are all strong and clients pick sensibly.
The redirect
server {
    listen 80;
    return 301 https://$host$request_uri;
}
This separate plain-HTTP server block does nothing but 301 every request to HTTPS. It is also an SEO detail: a clean permanent redirect consolidates link signals on the HTTPS URL instead of splitting them.
HSTS
add_header Strict-Transport-Security "max-age=63072000" always;
HSTS tells browsers to use HTTPS for this domain for the next two years, even if a user types http://. The always keyword ensures the header is sent on error responses too. Add includeSubDomains only when every subdomain truly serves HTTPS.
OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
Stapling lets your server attach a fresh, signed proof that its certificate is not revoked, so the visitor's browser does not have to contact the CA separately. It speeds up the handshake and improves privacy.
Certificate paths
ssl_certificate must point at your certificate followed by its intermediate chain in one file, and ssl_certificate_key at the private key. A missing intermediate is the single most common cause of "works in my browser but fails for others," because some clients do not fetch the missing link.
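As an added example (not part of the original article, and not an nginx tool), the following Python script lints a server block for the directives discussed above: it parses simple nginx directives and flags deprecated protocol versions, ssl_prefer_server_ciphers on, missing certificate and stapling directives, and an HSTS header that is short-lived or lacks always. The two embedded configs are constructed samples with hypothetical paths.

```python
import re
# Constructed sample server block with the weaknesses the article warns about (hypothetical paths).
WEAK_CONFIG = """
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # legacy versions still enabled
    ssl_prefer_server_ciphers on;
    ssl_certificate /etc/ssl/example.crt;
    ssl_certificate_key /etc/ssl/example.key;
    add_header Strict-Transport-Security "max-age=300";
"""
# The same directives set the way the article recommends.
GOOD_CONFIG = """
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_certificate /etc/ssl/fullchain.pem;
    ssl_certificate_key /etc/ssl/privkey.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=63072000" always;
"""
def parse_directives(config):
    """Map each simple directive name to the argument lists of all its occurrences."""
    found = {}
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";")
        if not line or line.endswith("{") or line == "}":
            continue  # skip blanks, comments and block open/close lines
        name, *args = line.split()
        found.setdefault(name, []).append(args)
    return found

def lint_tls(config):
    """Return findings for the directives the article covers; an empty list means clean."""
    d, findings = parse_directives(config), []
    protos = set(d.get("ssl_protocols", [[]])[-1])  # last occurrence wins, as in nginx
    legacy = protos - {"TLSv1.2", "TLSv1.3"}
    if not protos or legacy:
        findings.append("ssl_protocols " + ("enables " + " ".join(sorted(legacy)) if legacy else "missing"))
    if d.get("ssl_prefer_server_ciphers", [["off"]])[-1] != ["off"]:
        findings.append("ssl_prefer_server_ciphers should be off once TLS 1.3 is enabled")
    for name in ("ssl_certificate", "ssl_certificate_key", "ssl_stapling", "ssl_stapling_verify"):
        if name not in d:
            findings.append(name + " missing")
    hsts = [a for a in d.get("add_header", []) if a[:1] == ["Strict-Transport-Security"]]
    age = re.search(r"max-age=(\d+)", " ".join(hsts[-1])) if hsts else None
    if not age or int(age.group(1)) < 63072000:
        findings.append("HSTS header missing or max-age below two years")
    if hsts and "always" not in hsts[-1]:
        findings.append("HSTS header lacks always, so error responses omit it")
    return findings
```

Run lint_tls on the contents of a real server block to get a list of findings; the weak sample yields six, the recommended one none.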
You can generate a config with these directives filled in for your domain using the nginx Config Generator, then confirm the chain is complete with the SSL certificate chain errors guide.