How to Secure Your Nginx Server

In this tutorial I will go through how to secure your Nginx server, with the added benefit of a boost in page speed.

Here are a few simple ways to speed it up and secure it.

Step 1. Install an SSL certificate

Go to your Nginx website configuration file.

sudo nano /etc/nginx/conf.d/default.conf

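Edit your configuration and make your server listen on port 443 with SSL and HTTP/2 instead.

listen       443 ssl http2;
listen       [::]:443 ssl http2;
server_name  localhost;

Then right under it, add the paths to your SSL certificate and private key. TLS is switched on by the ssl parameter on the listen lines; the older "ssl on;" directive is deprecated and no longer exists in nginx 1.25.1 and later.

ssl_certificate         /etc/certificate/public/certificate.pem;
ssl_certificate_key     /etc/certificate/private/certificate.key;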

Save and exit.

Now put your certificate (the public part) in here:

sudo nano /etc/certificate/public/certificate.pem

And your private key in here:

sudo nano /etc/certificate/private/certificate.key

You have now installed your SSL certificate. Please restart your nginx server for the changes to take effect.

sudo systemctl restart nginx.service

Step 2. Nginx.conf – TLS 1.3 and Other Settings

Navigate to your Nginx config file

sudo nano /etc/nginx/nginx.conf

Locate your SSL settings if you have any; if not, put this under 'http {'.

# SSL Settings
# TLS 1.0 and 1.1 are deprecated (RFC 8996), so only TLS 1.2 and 1.3 are enabled
ssl_protocols TLSv1.2 TLSv1.3;
# Optimize session cache
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;

# Enable session tickets
ssl_session_tickets on;

It is also recommended to add security headers.

# security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
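# The Content-Security-Policy line is cut off in this listing; complete the policy for your site before enabling it:
# add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsaf$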
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

To add Gzip compression:

# Gzip Settings
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 32 16k;
gzip_http_version 1.1;
gzip_min_length 250;
gzip_types image/jpeg image/bmp image/svg+xml text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon;

Save and exit.

You can now restart your Nginx server to apply the changes.

sudo systemctl restart nginx.service
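
A quick static check for the TLS settings covered in Steps 1 and 2, as an added example that is not part of the original tutorial. The helper name audit_nginx_tls, the finding codes and both sample configs are constructed for illustration.

```shell
# Added example: audit_nginx_tls (hypothetical helper) prints one finding
# code per line for the config file given as $1.
audit_nginx_tls() {
    # Strip comments so commented-out directives are not counted.
    body=$(sed 's/#.*//' "$1")
    # TLS 1.0 / 1.1 still listed in ssl_protocols (deprecated by RFC 8996).
    if printf '%s\n' "$body" |
        grep -Eq 'ssl_protocols[^;]*TLSv1(\.1)?([[:space:]]|;)'; then
        echo WEAK_PROTOCOL
    fi
    # A listen directive on port 443 without the "ssl" parameter.
    if printf '%s\n' "$body" |
        grep -E '^[[:space:]]*listen[[:space:]][^;]*443' |
        grep -Evq '[[:space:]]ssl([[:space:]]|;)'; then
        echo LISTEN_443_WITHOUT_SSL
    fi
    # Legacy "ssl on;" (deprecated in 1.15.0, removed in 1.25.1).
    if printf '%s\n' "$body" |
        grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;'; then
        echo LEGACY_SSL_ON
    fi
    # No active Strict-Transport-Security header in the file.
    if ! printf '%s\n' "$body" | grep -q 'Strict-Transport-Security'; then
        echo MISSING_HSTS
    fi
}

# Constructed sample configs (not taken from a real server).
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
server {
    listen 443 http2;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    # add_header Strict-Transport-Security "max-age=31536000" always;
}
EOF
cat > "$tmp/hardened.conf" <<'EOF'
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;
}
EOF
audit_nginx_tls "$tmp/weak.conf"      # reports all four findings
audit_nginx_tls "$tmp/hardened.conf"  # reports nothing
```

Point the function at /etc/nginx/nginx.conf and /etc/nginx/conf.d/default.conf, then run sudo nginx -t to confirm the syntax before restarting.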
