Nginx is known for its high performance and flexibility, and most of the highest-traffic websites in the world run on it. SSL configuration in Nginx uses slightly different syntax compared to Apache, but it becomes very convenient once you get familiar with it. The Sayt.uz technical team works with Nginx daily and in this article we share tested production settings.
Placing certificate files
Certificate and private key files are typically placed in /etc/ssl/certs and /etc/ssl/private, but when using Let's Encrypt, certbot places them in /etc/letsencrypt/live/example.com, which has become the de facto standard. Private key file permissions must be 600 or more restrictive; otherwise other local users could read the key and impersonate the site. Instead of the bare certificate file, we recommend pointing Nginx at the full chain, fullchain.pem, so that clients receive the intermediate certificates as well.
Core server block directives
Inside the server block in your Nginx configuration, specify listen 443 ssl http2, then set ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem and ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem. Enabling HTTP/2 noticeably speeds up site loading and improves user experience. Do not forget the server_name directive, which defines which domains this block serves.
Redirecting HTTP to HTTPS
Users do not always type the https:// prefix, so in the port 80 block add return 301 https://$server_name$request_uri to redirect all traffic permanently to the secure version. This is especially important for SEO because Google indexes only one version of a site and duplicate content can hurt rankings. All internal links must also point to HTTPS, or browsers will show mixed content warnings.
Modern encryption settings
Disable obsolete TLS 1.0 and 1.1 protocols, leaving only TLS 1.2 and 1.3 as required by modern security standards. Add ssl_protocols TLSv1.2 TLSv1.3 and configure ssl_ciphers using the Mozilla Modern profile. Enabling OCSP Stapling speeds up loading because browsers no longer need a separate request to check certificate status. Add ssl_stapling on and ssl_stapling_verify on to enable this feature.
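The directives from the three sections above assembled into one complete configuration, as an added example rather than a config taken from this article or from Sayt.uz. It assumes the domain example.com, certbot's default certificate paths, a placeholder resolver address, and the Mozilla Intermediate TLS 1.2 cipher list (the Modern profile is TLS 1.3 only, and TLS 1.3 suites are not controlled by ssl_ciphers anyway, so keeping TLS 1.2 means supplying a TLS 1.2 list). The HSTS header reflects the setting the article mentions later; it is an assumption that the domain is ready for it.

```nginx
# Added example: complete HTTPS server configuration built from the article's
# directives. Paths assume certbot's layout for example.com; the cipher list is
# Mozilla's Intermediate recommendation for TLS 1.2 (TLS 1.3 suites are
# negotiated separately and are unaffected by ssl_ciphers).

# Port 80: answer only with a permanent redirect to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    # $server_name expands to the first name listed above, so this also
    # canonicalises www.example.com to example.com.
    return 301 https://$server_name$request_uri;
}

# Port 443: TLS termination with HTTP/2.
server {
    listen 443 ssl http2;        # on Nginx 1.25.1+ prefer "listen 443 ssl;" plus "http2 on;"
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;

    # Full chain (leaf + intermediates) and the private key (mode 0600, owned by root).
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Only TLS 1.2 and 1.3; let the client pick among the allowed suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # Session resumption via the server-side cache; tickets are disabled because a
    # long-lived, unrotated ticket key would undermine forward secrecy.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # OCSP stapling: Nginx fetches the responder's answer and attaches it to the
    # handshake. ssl_stapling_verify needs the issuer chain, which certbot writes
    # as chain.pem; the resolver is needed to look up the OCSP responder host.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    resolver 127.0.0.53 valid=300s;   # placeholder: use a resolver this host can reach
    resolver_timeout 5s;

    # HSTS: browsers remember to use HTTPS for two years (63072000 s). Enable only
    # once every host the policy covers serves HTTPS correctly.
    add_header Strict-Transport-Security "max-age=63072000" always;

    root  /var/www/example.com;
    index index.html;
}
```

Run nginx -t before reloading so that a typo does not take the site down, then reload and confirm with openssl s_client -connect example.com:443 -status that the stapled OCSP response is present and that TLS 1.0 and 1.1 connections are refused.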
Sayt.uz practice
Sixty-five percent of the Sayt.uz infrastructure runs on Nginx, and we ship clients with optimal SSL settings out of the box. Every VPS comes with HTTP/2, TLS 1.3, OCSP Stapling and HSTS enabled. As part of free migration, our technical team converts existing Apache or LiteSpeed configs to Nginx in about four hours on average. VPS pricing starts at 150,000 soum per month and includes SSL setup.