# nginx basic ssl config

```nginx
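server {
    # Plain-HTTP catch-all on IPv4 and IPv6: every request on port 80 is
    # answered with a permanent redirect to the HTTPS site, preserving the
    # original path and query string.
    listen 80 default_server;
    listen [::]:80 default_server;

    location / {
        # $host is derived from the request (Host header / request line,
        # falling back to the server name). As this is the default_server it
        # reflects whatever name the client sent; if the site has a fixed
        # name, $server_name avoids redirecting to client-chosen hosts.
        return 301 https://$host$request_uri;
    }
}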

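server {
    # HTTPS endpoint (Mozilla "intermediate" TLS profile).
    # NOTE: on nginx 1.25.1 and later the `http2` listen parameter is
    # deprecated in favour of a separate `http2 on;` directive; it still works.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Leaf certificate followed by its intermediates; private key separately
    # (keep the key file readable only by the nginx master process user).
    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    # Root + intermediates used to verify stapled OCSP responses
    # (required because ssl_stapling_verify is on below).
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

    # Session resumption via the shared server-side cache only; tickets are
    # disabled because ticket keys would need regular rotation to keep
    # forward secrecy.
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;

    # OCSP stapling: nginx fetches and verifies the OCSP response itself.
    # A `resolver` directive (not shown here) is needed so nginx can look up
    # the OCSP responder hostname.
    ssl_stapling on;
    ssl_stapling_verify on;

    # Pre-generated 2048-bit DH group for the DHE suites listed below:
    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
    ssl_dhparam /path/to/dhparam;

    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2 suites only (TLS 1.3 suites are not configured here); every
    # entry is forward-secret (ECDHE/DHE) and AEAD (GCM or ChaCha20-Poly1305),
    # so honouring the client's preference order is safe.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years).
    # `always` emits the header on error responses too. `includeSubDomains`
    # and `preload` are deliberately not set here; add them only once every
    # subdomain is served over HTTPS. Beware that an add_header inside a
    # nested `location` replaces all add_header directives inherited from
    # this server block, so repeat this line there if you add any.
    add_header Strict-Transport-Security "max-age=63072000" always;
}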
```