Get an A+ SSL Rating for Nginx


The Snapt Accelerator is built on Nginx, so Nginx SSL security is something we are very familiar with. If you'd like to try the full Accelerator package, please get a trial from the website.

This is a guide on how to ensure you have the best SSL set-up and get your own A+ rating! This guide will favor getting it done over explaining the intricacies of what you are doing in an effort to help the most users.


Snapt users can all enjoy an easy A+ rating.

Step 1: Get up to date

Make sure you are running current versions of Nginx and OpenSSL. There have been many OpenSSL vulnerabilities recently, so it is critical to keep it patched. Most Linux systems will update OpenSSL with simple apt-get or yum commands.

Step 2: Ensure you have a full certificate chain

When you get an SSL certificate you are usually left with a .key file (your private key) and a .crt file (the certificate created from your .csr). However, you typically need a set of intermediate certificates as well. These should be appended after your own certificate in your .crt file, and will normally be provided to you by your certificate vendor.

Step 3: Setting your ciphers

You will want to restrict the ciphers you are willing to use, as well as disable older SSL protocols like SSLv3. This can easily be done in your server {} block by adding the following lines:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;

This limits connections to TLS and lets the server, rather than the client, pick from its more secure set of ciphers (required to get that A+ rating).

Step 4: DH Parameters

You may often see the message "This server supports weak Diffie-Hellman (DH) key exchange parameters." This is a simple fix: generate your own DH params file and tell nginx to use it. Run the following command to generate them (4096-bit parameters can take several minutes, and consider where you keep the file):

openssl dhparam -out dhparam.pem 4096

This will generate a dhparam.pem file for you. You must then add this to your Nginx config (in your server {} block) to use it:

ssl_dhparam /path/to/dhparam.pem;

Step 5: OCSP Stapling

Enabling OCSP Stapling on a recent version of Nginx is very simple; just add the following lines to the same server {} block (the resolver directive needs the address of a DNS server nginx can reach to fetch OCSP responses; the address below is a placeholder):

ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.1 valid=300s;   # placeholder: use your own DNS resolver address
resolver_timeout 5s;

Step 6: Enable HSTS

HTTP Strict Transport Security, or HSTS, is a header sent back by your server that tells clients to only use HTTPS when communicating with it. It can be added by your application (in PHP, for example) or simply forced by the webserver. Add this to your nginx server {} block:

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

Step 7: Optional Extras

You may want to disable server tokens (Nginx version numbers) in headers as well, which you can do by adding this to your server {} block:

server_tokens off;
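As an added check that is not part of the original post, the following Python script parses a server {} block and reports which of the guide's steps (3 to 7) are missing. The sample config is constructed to follow the steps above; the dhparam path and the resolver address in it are placeholders.

```python
import re

SAMPLE_CONF = """
server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 127.0.0.1 valid=300s;   # placeholder resolver address
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    server_tokens off;
}
"""  # constructed sample following the guide's steps; path and resolver address are placeholders
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[^\s"\']+')            # quoted strings stay one token
STATEMENT = re.compile(r'((?:"[^"]*"|\'[^\']*\'|[^{};"\'])+);')  # one directive up to its ';'

def parse_directives(conf):
    """Map directive name -> list of argument lists; comments stripped, nesting flattened."""
    found = {}
    for stmt in STATEMENT.findall(re.sub(r"#[^\n]*", "", conf)):
        toks = [t.strip("\"'") for t in TOKEN.findall(stmt)]
        if toks:
            found.setdefault(toks[0], []).append(toks[1:])
    return found

def check_ssl_config(conf):
    """Return the guide steps this server block fails; an empty list means all are in place."""
    d = parse_directives(conf)
    last = lambda name: d.get(name, [None])[-1]   # last occurrence wins, as in nginx
    problems = []
    protos = set(last("ssl_protocols") or [])
    if not protos or protos & {"SSLv2", "SSLv3"}:
        problems.append("step 3: ssl_protocols must be set and must not include SSLv2/SSLv3")
    if last("ssl_prefer_server_ciphers") != ["on"]:
        problems.append("step 3: ssl_prefer_server_ciphers should be on")
    if last("ssl_dhparam") is None:
        problems.append("step 4: ssl_dhparam missing (the guide's fix for weak DH parameters)")
    if last("ssl_stapling") != ["on"] or last("ssl_stapling_verify") != ["on"] or last("resolver") is None:
        problems.append("step 5: OCSP stapling needs ssl_stapling, ssl_stapling_verify and a resolver")
    ages = []   # max-age of every Strict-Transport-Security header in the block
    for args in d.get("add_header", []):
        if len(args) > 1 and args[0].lower() == "strict-transport-security":
            ages += [int(v) for v in re.findall(r"max-age=(\d+)", args[1])]
    if not ages or max(ages) < 31536000:
        problems.append("step 6: HSTS header missing or max-age below the guide's one year")
    if last("server_tokens") != ["off"]:
        problems.append("step 7: server_tokens should be off")
    return problems
```

Run check_ssl_config on the text of your own server {} block; an empty list means every step of the guide is present.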

And that's all you need for that bright green A+ rating! Don't forget to test your site.
