Tips & Tricks

Nginx SSL example

This post is more of a reminder for myself but it might help others, it shows a example of how to setup a good vhost with SSL support that gives a A+ rating with a (100/95/100/100) score.

Example of my website:

Nginx SSL example.
[js]server {
listen 80;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
return 301$request_uri;

server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server ipv6only=on;

root /srv/nginx/;
index index.php;

access_log /var/log/nginx/ main;
error_log /var/log/nginx/;

if ($http_user_agent ~ “Windows 95|Windows 98||xpymep|TurnitinBot|sindice|Purebot|libwww-perl”) {
return 403;

ssl_certificate /etc/nginx/ssl/;
ssl_certificate_key /etc/ssl/certs/;
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
ssl_session_cache builtin:1000 shared:SSL:2m;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;


ssl_stapling on;
ssl_stapling_verify on;
resolver valid=300s;
resolver_timeout 5s;
ssl_trusted_certificate /etc/ssl/certs/;

add_header Strict-Transport-Security “max-age=31536000;”;
add_header X-Frame-Options DENY;
add_header Public-Key-Pins “pin-sha256=\”zco8Bhue8GQPxzzGd9unFQteH9JAk4VUxsofgGUkb7k=\”; max-age=172800;”;

location = /favicon.ico {
alias /srv/nginx/;

location ~ /\.ht {
deny all;

location / {

To get your “Public key pin” you can use the command:
$ openssl rsa -in -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64

Of course use your own key file.

If anyone has a better way of a more secure way feel free to show me I would like to see more examples or learn more about it.

You can test it yourself on this website:

Related posts

How to fix the “Pane is dead” error during the installation of Fedora on a HP Proliant server

Sjir Bagmeijer

How to set a white background in Windows and Windows server

Sjir Bagmeijer

How to create a SELinux policy module file

Sjir Bagmeijer

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More