Enable TLS 1.3 on nginx

@newbie

Right now, the latest mainline version of NGINX does not provide out-of-box support from TLSv1.3. CloudFlare has introduced it as a beta feature (if you’re using them for DNS), though NGINX support isn’t fully supported just yet.

That being said, a typical NGINX configuration file that handles requests on both port 80 and 443, in that requests on 80 are automatically redirected to 443, will look like this:

server {
    listen 80;
    server_name yourdomain.com www.youdomain.com;

    return 301 https://$host$request_uri;
}

server
{
    listen                          443 ssl http2;
    listen                          [::]:443 ssl http2 ipv6only=on;
    server_name                     yourdomain.com www.youdomain.com;

    root                            /path/to/web/root;

    add_header                      X-Frame-Options SAMEORIGIN;
    add_header                      X-Content-Type-Options nosniff;
    add_header                      X-XSS-Protection "1; mode=block";

    ssl_certificate                 /path/to/fullchain.pem;
    ssl_certificate_key             /path/to/privkey.pem;
    ssl_session_cache               shared:SSL:50m;
    ssl_session_timeout             5m;
    ssl_dhparam                     /path/to/dhparam.pem;

    ssl_protocols                   TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers       on;

    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

    location / {
        ...
        ...
    }
}

Breakdown

You need to change:

server_name on both blocks to match your actual domain.

root to the full path to your web root.

ssl_certificate to the full path of your SSL Certificate.

ssl_certificate_key to the full path of your SSL Certificate Private Key.

ssl_dhparam to the full path of your dhparam.pem file.

location block to match your site-specific needs.

Generating dhparam.pem

To generate the dhparam.pem file, you’ll need to login to the CLI and run the following command. It can take a while on low-resource systems (i.e. 512MB Droplets) and to make sure it fully generates, do not close off your connection until you return to the prompt.

The minimum is 2048 bits:

openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

… though I personally recommend 4096

openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096

This file will take anywhere from 10 minutes up to 30 minutes (generally), so please be patient.

After the changes to your server block have been made, as noted above (correcting paths), simply restart NGINX and test things out.

Keep In Mind

The above configuration may not be valid on all releases of NGINX (especially HTTP2 support). I’m using the latest mainline built from source, which supports HTTP2.

If you run in to issues (i.e. errors) stating that the configuration is invalid, remove the references to HTTP2 in the first two lines of the second server block.

Hello! Any update?

Any update?