Nginx SSL example

This post is more of a reminder for myself, but it might help others. It shows an example of how to set up a good vhost with SSL support that gives an A+ rating with a (100/95/100/100) score.

Example of my website:

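server {
  listen 80;
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;
  # Redirect plain HTTP to HTTPS. The target host name is missing from the
  # source; $host (the host of the request) is used here.
  return 301 https://$host$request_uri;
}

server {
  listen       443 ssl default_server;
  listen  [::]:443 ssl default_server ipv6only=on;

  root         /srv/nginx/;
  index        index.php;

  access_log  /var/log/nginx/ main;
  error_log   /var/log/nginx/;

  # Reject unwanted user agents. An empty alternative ("||") would match
  # every user agent, so none is left in the pattern.
  if ($http_user_agent ~ "Windows 95|Windows 98|xpymep|TurnitinBot|sindice|Purebot|libwww-perl") {
    return 403;
  }

  ssl_certificate             /etc/nginx/ssl/;
  ssl_certificate_key         /etc/ssl/certs/;
  ssl_dhparam                 /etc/nginx/ssl/dhparams.pem;
  ssl_session_cache           builtin:1000  shared:SSL:2m;
  ssl_session_timeout         5m;
  # TLSv1 and TLSv1.1 are deprecated by RFC 8996; drop them unless legacy clients need them.
  ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers   on;

  # OCSP stapling; put your DNS resolver address before valid=
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver valid=300s;
  resolver_timeout 5s;
  ssl_trusted_certificate /etc/ssl/certs/;

  add_header Strict-Transport-Security "max-age=31536000;";
  add_header X-Frame-Options DENY;
  # HPKP (RFC 7469) also requires a backup pin, and current browsers no longer enforce this header.
  add_header Public-Key-Pins "pin-sha256=\"zco8Bhue8GQPxzzGd9unFQteH9JAk4VUxsofgGUkb7k=\"; max-age=172800;";

  location = /favicon.ico {
    alias  /srv/nginx/;
  }

  # Never serve .htaccess / .htpasswd style files
  location ~ /\.ht {
    deny all;
  }

  location / {
  }
}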

To get your “Public key pin” you can use the command:
$ openssl rsa -in -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64

Of course use your own key file.
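
As an added example (not part of the original post), this Python script parses the Strict-Transport-Security and Public-Key-Pins values from the config above and reports structural problems. The function names are my own, and the "two distinct pins" test is only a necessary condition: RFC 7469 wants one pin outside the served certificate chain, which cannot be checked without the chain.

```python
import base64

# Header values as the config above would send them (nginx unescapes the \" pairs).
PAGE_HSTS = "max-age=31536000;"
PAGE_HPKP = 'pin-sha256="zco8Bhue8GQPxzzGd9unFQteH9JAk4VUxsofgGUkb7k="; max-age=172800;'

def parse_directives(header_value):
    """Split 'a=1; b="2"' into [(name, value)]; names lowercased, quotes removed."""
    directives = []
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives.append((name.strip().lower(), value.strip().strip('"')))
    return directives

def valid_max_age(directives):
    values = [v for n, v in directives if n == "max-age"]
    return len(values) == 1 and values[0].isascii() and values[0].isdigit()

def check_hsts(header_value):
    """Return findings for a Strict-Transport-Security value (RFC 6797)."""
    directives = parse_directives(header_value)
    if not valid_max_age(directives):
        return ["HSTS: max-age must appear exactly once as a non-negative integer"]
    if int(dict(directives)["max-age"]) == 0:
        return ["HSTS: max-age=0 makes the browser drop the policy"]
    return []

def check_hpkp(header_value):
    """Return findings for a Public-Key-Pins value (RFC 7469)."""
    directives = parse_directives(header_value)
    ok = valid_max_age(directives)
    findings = [] if ok else ["HPKP: max-age must appear exactly once as a non-negative integer"]
    pins = set()
    for value in (v for n, v in directives if n == "pin-sha256"):
        try:
            digest = base64.b64decode(value, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            digest = b""
        if len(digest) == 32:
            pins.add(digest)
        else:
            findings.append(f"HPKP: {value!r} is not a base64 SHA-256 digest")
    if len(pins) < 2:
        findings.append("HPKP: no backup pin; RFC 7469 needs a pin outside the served chain")
    return findings

if __name__ == "__main__":
    for finding in check_hsts(PAGE_HSTS) + check_hpkp(PAGE_HPKP):
        print(finding)
```

Run against the values above, the HSTS header passes and the pin header is flagged for having a single pin.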

If anyone has a better way or a more secure way, feel free to show me; I would like to see more examples or learn more about it.

You can test it yourself on this website:
