Configure Nginx SSL Hardening on Ubuntu VPS: Complete Guide

SSL Configuration Foundation for Production Nginx

Strong SSL configuration protects your website traffic and builds user trust. This guide shows you how to configure Nginx SSL hardening on Ubuntu VPS, covering modern TLS protocols, secure cipher suites, and advanced security headers.

You'll implement production-grade SSL settings that pass security audits and protect against common attacks. These configurations work for any website hosted on Hostperl VPS infrastructure.

Prerequisites and SSL Certificate Setup

Before hardening SSL, ensure you have a valid certificate installed. Most hosting customers use Let's Encrypt or purchase commercial certificates through their control panel.

Verify your current SSL setup:

sudo nginx -t
sudo systemctl status nginx
ssl-cert-check -c /etc/ssl/certs/your-domain.crt

Your certificate files should be readable by the nginx user. Check file permissions:

sudo ls -la /etc/ssl/certs/your-domain.crt
sudo ls -la /etc/ssl/private/your-domain.key

The private key should have 600 permissions. The certificate should have 644 permissions.

Modern TLS Protocol Configuration

Remove support for outdated TLS versions that expose your server to attacks. Edit your Nginx server block configuration:

sudo nano /etc/nginx/sites-available/your-domain

Add these SSL protocol and cipher configurations:

server {
    listen 443 ssl http2;
    server_name your-domain.com www.your-domain.com;
    
    # SSL Certificate Configuration
    ssl_certificate /etc/ssl/certs/your-domain.crt;
    ssl_certificate_key /etc/ssl/private/your-domain.key;
    
    # Modern TLS Configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    
    # SSL Session Configuration
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;
}

This configuration removes TLS 1.0 and 1.1 support while prioritizing modern cipher suites. The ssl_prefer_server_ciphers off directive lets clients choose the best cipher they support.

Advanced Security Headers Implementation

Security headers protect against various web attacks. Add these to your server block:

# Security Headers for SSL Hardening
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self';" always;

The HSTS header forces browsers to use HTTPS for future visits. The 31536000 value sets a one-year expiration.

Only add the preload directive if you plan to submit your domain to the HSTS preload list. Adjust the Content-Security-Policy based on your website's requirements.

This example allows inline styles and scripts, which many websites need.

OCSP Stapling and Performance Optimization

OCSP stapling improves SSL handshake performance. Your server fetches certificate revocation status instead of the client.

Configure OCSP stapling in your server block:

# OCSP Stapling Configuration
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

# DNS Resolver for OCSP
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

The resolver directives tell Nginx which DNS servers to use for OCSP requests. Using Google's public DNS provides reliable resolution for certificate authority servers.

For additional SSL performance, consider implementing SSL buffer optimization:

# SSL Performance Tuning
ssl_buffer_size 8k;
ssl_dhparam /etc/ssl/certs/dhparam.pem;

Generate Strong Diffie-Hellman Parameters

Create custom Diffie-Hellman parameters for perfect forward secrecy. This process takes several minutes:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

For maximum security, use 4096-bit parameters. This increases handshake time:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

Reference the dhparam file in your Nginx configuration as shown in the previous section. This prevents attackers from exploiting weak default DH parameters.

Complete Hardened SSL Configuration Example

Here's a complete server block with all SSL hardening measures applied:

server {
    listen 80;
    server_name your-domain.com www.your-domain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name your-domain.com www.your-domain.com;
    
    root /var/www/your-domain;
    index index.html index.php;
    
    # SSL Certificate Configuration
    ssl_certificate /etc/ssl/certs/your-domain.crt;
    ssl_certificate_key /etc/ssl/private/your-domain.key;
    
    # Modern TLS Configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    
    # SSL Session Configuration
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;
    
    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    
    # SSL Performance
    ssl_buffer_size 8k;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    
    # Security Headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    
    location / {
        try_files $uri $uri/ =404;
    }
}

This configuration forces HTTPS redirects, implements modern TLS, enables OCSP stapling, and adds comprehensive security headers.

Testing SSL Hardening Configuration

Test your configuration before applying it to production:

sudo nginx -t

If the test passes, reload Nginx:

sudo systemctl reload nginx

Verify SSL configuration with online tools:

• SSL Labs Server Test (ssllabs.com/ssltest) - Comprehensive SSL analysis
• Security Headers scanner (securityheaders.com) - Header validation
• HSTS Preload checker (hstspreload.org) - HSTS configuration verification

Test OCSP stapling locally:

echo QUIT | openssl s_client -connect your-domain.com:443 -status

Look for "OCSP response: no response sent" in the output. This indicates OCSP stapling is working correctly.

SSL Monitoring and Maintenance

Monitor SSL certificate expiration to prevent service interruptions. Create a monitoring script:

#!/bin/bash
# SSL Certificate Expiration Check
CERT_FILE="/etc/ssl/certs/your-domain.crt"
DAYS_WARNING=30

EXP_DATE=$(openssl x509 -enddate -noout -in $CERT_FILE | cut -d= -f2)
EXP_TIMESTAMP=$(date -d "$EXP_DATE" +%s)
CURRENT_TIMESTAMP=$(date +%s)
DAYS_LEFT=$(( ($EXP_TIMESTAMP - $CURRENT_TIMESTAMP) / 86400 ))

if [ $DAYS_LEFT -lt $DAYS_WARNING ]; then
    echo "SSL certificate expires in $DAYS_LEFT days!"
    # Send alert email or notification
fi

Schedule this script with cron to run daily:

0 8 * * * /path/to/ssl-monitor.sh

Regular SSL monitoring prevents certificate expiration surprises. This maintains continuous HTTPS protection.

Troubleshooting Common SSL Issues

Mixed content warnings occur when HTTPS pages load HTTP resources. Check browser developer tools for insecure content:

# Find HTTP references in web files
grep -r "http://" /var/www/your-domain/
# Replace with HTTPS or relative URLs

SSL handshake failures often result from cipher suite mismatches. Check Nginx error logs:

sudo tail -f /var/log/nginx/error.log

If older clients can't connect, temporarily add broader cipher support:

ssl_ciphers HIGH:!aNULL:!MD5;

Certificate chain issues prevent proper SSL validation. Verify your certificate includes intermediate certificates:

openssl s_client -connect your-domain.com:443 -showcerts

Frequently Asked Questions

Should I use TLS 1.3 only or include TLS 1.2?

Include both TLS 1.2 and 1.3 for compatibility. While TLS 1.3 is more secure, some older clients and corporate networks still require TLS 1.2 support. Monitor your traffic to determine when you can safely drop TLS 1.2.

How often should I update SSL cipher suites?

Review cipher configurations every 6 months or when security advisories recommend changes. Subscribe to security bulletins from your certificate authority and monitor SSL testing tools for newly deprecated ciphers.

Can SSL hardening break website functionality?

Strict Content-Security-Policy headers may block legitimate resources. Test thoroughly in staging before production deployment. Start with permissive CSP settings and gradually tighten them based on your application's requirements.

What's the performance impact of SSL hardening?

Modern SSL hardening typically improves performance through HTTP/2 support and session caching. OCSP stapling reduces handshake time. The main performance factor is certificate chain length and cipher efficiency.

How do I handle SSL for multiple domains?

Use separate server blocks for each domain or implement a wildcard certificate for subdomains. SNI (Server Name Indication) allows multiple SSL certificates on a single IP address, which modern browsers support universally.