Hardening Nginx SSL/TLS is a common requirement for VPS administrators. This guide gives practical instructions you can follow on Ubuntu 22.04/24.04 or Debian 12; most steps apply to other distributions as well.
Prerequisites
- A registered domain name (for public-facing services)
- A web server installed (Nginx or Apache)
- A VPS running Ubuntu 22.04 or later (2GB+ RAM recommended)
Server Installation
For production deployments, consider implementing high availability by running multiple instances behind a load balancer. This approach provides both redundancy and improved performance under heavy load.
# /etc/nginx/sites-available/nginx.conf
# Plain-HTTP listener: only redirects to HTTPS, serves nothing itself.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

# HTTPS listener, terminating TLS and proxying to the application on localhost.
server {
    listen 443 ssl http2;
    server_name example.com;

    # Certificate chain and private key as written by certbot/Let's Encrypt.
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8080;
        # Pass the original host and client address so the backend can log
        # and authorise on the real values rather than 127.0.0.1.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Make sure to restart the service after applying these changes. Some settings require a full restart rather than a reload to take effect.
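The server block above enables TLS but leaves protocol versions, cipher suites, session handling, OCSP stapling and HSTS at their defaults. The snippet below is an added example, not part of the original guide: it collects the hardening directives into a separate file that the 443 server block includes. The snippet path /etc/nginx/snippets/tls-hardening.conf, the resolver address and the HSTS max-age are assumptions to adapt; chain.pem follows the Let's Encrypt directory layout the guide already uses for fullchain.pem and privkey.pem.

```nginx
# /etc/nginx/snippets/tls-hardening.conf  (assumed path; added example, not from the guide)
# Pull it into the HTTPS server block with:  include snippets/tls-hardening.conf;

# Only TLS 1.2 and 1.3. TLS 1.0 and 1.1 are deprecated by RFC 8996 and SSLv3 is
# long broken; none of them should be negotiable on a public server.
ssl_protocols TLSv1.2 TLSv1.3;

# TLS 1.2 cipher list: ECDHE key exchange (forward secrecy) with AEAD ciphers only.
# TLS 1.3 suites are not configurable here and are always AEAD.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
# With an AEAD-only list it is safe to let the client choose, e.g. ChaCha20 on
# devices without AES hardware acceleration.
ssl_prefer_server_ciphers off;
ssl_ecdh_curve X25519:prime256v1:secp384r1;

# Session resumption from a shared server-side cache. Tickets are off so that
# resumption state lives only in this cache and no long-lived ticket key
# accumulates on disk or in memory.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;

# OCSP stapling: the server fetches and attaches the CA's revocation status so
# clients do not have to contact the CA themselves. chain.pem is the issuer
# chain certbot writes next to fullchain.pem.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
resolver 127.0.0.53 valid=300s;   # assumption: systemd-resolved stub; use your own resolver
resolver_timeout 5s;

# HSTS: after the first HTTPS visit, browsers refuse plain HTTP to this host for
# max-age seconds (two years here). "always" sends the header on error responses
# too. Start with a short max-age while testing; add "; includeSubDomains" only
# once every subdomain is served over HTTPS.
add_header Strict-Transport-Security "max-age=63072000" always;
```

Two caveats when applying this. First, `add_header` is not inherited if a `location` block declares any `add_header` of its own, so the HSTS line must be repeated in such locations or they silently lose it. Second, `ssl_stapling` only takes effect if the resolver can reach the CA's OCSP responder; check the error log after `sudo nginx -t && sudo systemctl reload nginx`, and confirm the result from outside with `openssl s_client -connect example.com:443 -status </dev/null`, whose output should include an "OCSP Response Status: successful" section and a TLS 1.3 or 1.2 handshake.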
Virtual Host Configuration
The default configuration works well for development environments, but production servers require additional tuning. Pay particular attention to connection limits, timeout values, and logging settings.
# Test and reload Nginx configuration
sudo nginx -t
sudo systemctl reload nginx
# Check access and error logs
sudo tail -f /var/log/nginx/access.log
sudo tail -f /var/log/nginx/error.log
Note that file paths may vary depending on your Linux distribution. The examples here are for Debian/Ubuntu; adjust paths accordingly for RHEL/CentOS-based systems.
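The tuning the previous section mentions (connection limits, timeouts, logging) lives in the main configuration file rather than the site file. The following is an added example, not taken from the original guide, of the relevant directives in the main and http contexts of /etc/nginx/nginx.conf; the zone names per_ip and req_per_ip and all numeric limits are assumptions to size for your traffic, and the block is meant to be merged with the existing file rather than replace it.

```nginx
# /etc/nginx/nginx.conf (main and http contexts; added example, merge with the existing file)
worker_processes auto;

events {
    worker_connections 4096;   # per worker; raise the process open-file limit to match
}

http {
    # Do not advertise the Nginx version in the Server header or error pages.
    server_tokens off;

    # At most 20 simultaneous connections per client address (assumed value).
    limit_conn_zone $binary_remote_addr zone=per_ip:10m;
    limit_conn per_ip 20;

    # 10 requests/second per client address (assumed value). The zone is applied
    # per server or location with a "limit_req" directive, see the usage note.
    limit_req_zone $binary_remote_addr zone=req_per_ip:10m rate=10r/s;
    limit_req_status 429;
    limit_conn_status 429;

    # Short timeouts bound how long a slow or idle client can occupy a worker
    # connection; the default of 60s makes connection exhaustion easy.
    client_header_timeout 10s;
    client_body_timeout   10s;
    send_timeout          10s;
    keepalive_timeout     15s;
    client_max_body_size  10m;

    # Log the negotiated TLS version and cipher with every request so that
    # legacy clients and unexpected protocol use show up in log review.
    log_format tls_main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" "$http_user_agent" '
                        'tls=$ssl_protocol cipher=$ssl_cipher rt=$request_time';
    access_log /var/log/nginx/access.log tls_main;
    error_log  /var/log/nginx/error.log warn;

    include /etc/nginx/sites-enabled/*;
}
```

To actually enforce the request rate, add `limit_req zone=req_per_ip burst=20 nodelay;` inside the 443 server block (or a specific location) of the site file; the `http`-level zone definition alone limits nothing. The `tls=` and `cipher=` fields are empty for plain-HTTP requests, which is itself a useful signal when reviewing the logs: after the redirect in the site configuration is in place, real clients should almost never appear without them.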
- Keep your system packages updated regularly
- Monitor disk space usage and set up alerts
- Test your backup restore procedure monthly
- Review log files weekly for anomalies
SSL/TLS Setup
If you encounter issues during setup, check the system logs first. Most problems can be diagnosed by examining the output of journalctl or the application-specific log files in /var/log/.
# Install Nginx from the distribution repositories
sudo apt update
sudo apt install -y nginx
# Enable the site and remove the stock default server
sudo ln -s /etc/nginx/sites-available/nginx.conf /etc/nginx/sites-enabled/
sudo rm /etc/nginx/sites-enabled/default
# Validate the configuration before restarting so a typo does not take the
# service down (the certificate files the site references must already exist)
sudo nginx -t
sudo systemctl restart nginx
The output should show the service running without errors. If you see any warning messages, address them before proceeding to the next step.
Wrapping Up
Following this guide, your Nginx setup should be production-ready. Keep an eye on resource usage as your traffic grows, and don't forget to test your backup and recovery procedures periodically.