
NGINX SSL Generator

The NGINX SSL Generator produces A+ rated TLS configurations. It restricts the server to TLS 1.2 and 1.3, sets modern cipher suites, and adds the HTTP Strict Transport Security (HSTS) header.


A+ Qualys Rating

Disables vulnerable SSLv3 and TLS 1.0/1.1 protocols.

HSTS Enforced

Prevents SSL stripping attacks via strict transport headers.

How it Works

1. Provide Domain - Input your FQDN for the SSL certificate.

2. Certificate Paths - Define where your Let's Encrypt certs are located.

3. Generate Config - Export the hardened HTTPS configuration.

Best Practices

Modern SSL configurations must balance strict cryptographic security with performance features like Session Tickets.

ssl_protocols: TLSv1 TLSv1.1 TLSv1.2 → TLSv1.2 TLSv1.3 (Modern browsers only)

add_header: None → Strict-Transport-Security (HSTS)

Example Output

Here is a real generated snippet matching the production best practices above:

server {
    listen 443 ssl http2;
    server_name secure.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
}

Advanced Configuration Logic

Copying old NGINX SSL configurations from the internet is dangerous. They frequently include outdated ciphers that are vulnerable to attacks like POODLE or BEAST. Achieving an A+ rating on SSL Labs requires disabling TLS 1.1, explicitly defining modern elliptic-curve ciphers, enabling OCSP stapling, and generating custom Diffie-Hellman parameters. Our generator automates this hardening process.
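
The following is an added example, not the generator's own code: a small Python check that parses an nginx configuration and reports which of the hardening items listed above are missing. It is run on the TLS-related lines of the example output; the function names and finding labels are invented for this example.

```python
import re
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# TLS-related lines of the page's example output, used as sample input.
PAGE_EXAMPLE = """
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    ssl_session_tickets off;
}
"""

def directives(conf):
    """Return (name, [args]) pairs; a quoted argument may contain ';'."""
    conf = re.sub(r"#.*", "", conf)  # naive: assumes no '#' inside quotes
    out, cur = [], []
    for tok in re.findall(r'"[^"]*"|\'[^\']*\'|[^\s;{}]+|[;{}]', conf):
        if tok in ("{", "}", ";"):
            if tok == ";" and cur:
                out.append((cur[0], [a.strip("\"'") for a in cur[1:]]))
            cur = []
        else:
            cur.append(tok)
    return out

def audit(conf):
    """List the hardening items named on the page that the config lacks."""
    by_name = {}
    for name, args in directives(conf):
        by_name.setdefault(name, []).append(args)
    found = []
    if LEGACY & {p for a in by_name.get("ssl_protocols", []) for p in a}:
        found.append("legacy-protocol")
    hsts = [a for a in by_name.get("add_header", []) if a and a[0].lower() == "strict-transport-security"]
    if not hsts:
        found.append("no-hsts")
    suites = [s for a in by_name.get("ssl_ciphers", []) for s in ":".join(a).split(":")]
    # nginx >= 1.11.0 has no built-in DH parameters: DHE suites need ssl_dhparam
    if any(s.startswith("DHE-") for s in suites) and "ssl_dhparam" not in by_name:
        found.append("dhe-without-dhparam")
    if ["on"] not in by_name.get("ssl_stapling", []):
        found.append("no-ocsp-stapling")
    return found

if __name__ == "__main__":
    print(audit(PAGE_EXAMPLE))
```

On the example output this reports the DHE suites without ssl_dhparam and the absent ssl_stapling directive, the two items from the paragraph above that the snippet does not contain.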

