How to configure nginx for TLS 1.3
1 min readDec 5, 2020
nginx configuration
/etc/nginx$ cat nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;events {
worker_connections 768;
# multi_accept on;
}http {
# BASIC SETTING
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# SSL Settings
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on; # Logging Settings
log_format combined_ssl '$remote_addr:$remote_port - $remote_user [$time_local] '
'$ssl_protocol/$ssl_session_reused/$ssl_cipher/$ssl_session_id '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log; # Gzip Settings
gzip on;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
status check
systemctl status nginx.servicehost configuration
/etc/nginx$ cat sites-available/your.company.comserver {
listen 80;
listen [::]:80; # SSL configuration
listen 443;
ssl on;
ssl_certificate /etc/nginx/certificates/your.company.com.ecc.crt.pem;
ssl_certificate_key /etc/nginx/certificates/your.company.com.ecc.key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
ssl_prefer_server_ciphers on;
listen [::]:443;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name your.company.com; location / {
try_files $uri $uri/ =404;
}
}
nginx syntax check
sudo nginx -t -c /etc/nginx/nginx.confreload nginx configuration
sudo service nginx restartsudo systemctl reload nginx.service
