
Get an SSL Labs A+ Rating for your Nginx Website

How to get an SSL Labs A+ rating for your Nginx website on Debian 11

The SSL Labs report shows that OCSP stapling is not enabled, and TLS 1.0 and 1.1 protocols are available, which means our website gets a B rating.

In the following steps, we'll make some changes to improve SSL security on Nginx to get an A+ rating.

Qualys SSL Labs
https://www.ssllabs.com

Backup Nginx configuration files

Make a backup copy of your Nginx configuration files before making any changes.

Main Nginx config file
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.26092022.bak

Website config file
cp /etc/nginx/sites-available/ctrlf.cloud.conf /etc/nginx/sites-available/ctrlf.cloud.conf.26092022.bak

Nginx SSL settings for an A+ rating

Edit the main Nginx configuration file and make the following changes

nano /etc/nginx/nginx.conf

ssl_session_timeout 1d: Set the session timeout to one day. Reusing cached sessions improves performance because fewer full TLS handshakes are needed.

ssl_session_cache shared:SSL:1m: Share the TLS session cache among all Nginx worker processes. Resumed connections are faster because the session parameters are already cached. A 1 MB shared cache holds approximately 4,000 sessions.

ssl_session_tickets off: Turn off TLS session tickets. Session tickets store the session information on the client side and are an alternative to the server-side session cache.

ssl_protocols TLSv1.2 TLSv1.3: Allow connections using TLS 1.2 and TLS 1.3 only.

ssl_ciphers: Allow only the specified cipher suites.

ssl_prefer_server_ciphers off: Let the client choose the cipher suite. ssl_prefer_server_ciphers on is not needed because the old protocols (TLS 1.0, TLS 1.1) with weak ciphers are not allowed.

ssl_stapling on: Use OCSP stapling so that the server sends the certificate's revocation status along with the TLS handshake.

For the OCSP response to be verified, the root certificate and all intermediate certificates need to be configured with the ssl_trusted_certificate directive in the website's Nginx config.

ssl_stapling_verify on: Verify the OCSP response before stapling it. A stapled response is a time-stamped OCSP response signed by the Certificate Authority.

The certificate holder (the web server) queries the OCSP responder at regular intervals and caches the signed, time-stamped response. Stapling eliminates the need for clients to contact the CA themselves.

resolver 1.1.1.1 1.0.0.1: Use Cloudflare's DNS resolvers to look up the hostname of the OCSP responder.

Example nginx.conf SSL settings

    # SSL Settings
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:1m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # Cloudflare DNS resolvers used to look up the OCSP responder
    resolver 1.1.1.1 1.0.0.1;

Enable HTTP Strict Transport Security (HSTS)

Edit the website configuration file and add the HSTS header

nano /etc/nginx/sites-available/yourdomain.conf
add_header Strict-Transport-Security "max-age=63072000" always;

Enabling HSTS means that your website can only be accessed using HTTPS. Web browsers that have seen the header will upgrade all connections to HTTPS.
The max-age value is given in seconds: max-age=31536000 means the domain must be accessed using HTTPS for one year, and the 63072000 used in the header above is two years.

Example Website configuration SSL settings

# https server block
server {
    listen 443 ssl http2;
    server_name yourdomain.com;
    root /var/www/yourdomain.com/html;
    index index.html index.php;
    # ssl certificates
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;
    # Strict Transport Security (HSTS)
    add_header Strict-Transport-Security "max-age=63072000" always;
}

Test config and reload Nginx

# Test Nginx config
nginx -t

# Reload Nginx
service nginx reload
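Before re-running the SSL Labs scan, the three changes made above (TLS 1.0/1.1 disabled, OCSP stapling, HSTS) can be checked from any client with openssl and curl. The following POSIX shell script is an added example and not part of the original post; it assumes openssl and curl are installed (both are packaged on Debian 11), and the hostname passed as its first argument is a placeholder for your own domain. The sample s_client output and HTTP headers embedded in it are constructed so that the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Added client-side check script; it is not part of the original post.
# It relies only on openssl and curl, both packaged on Debian 11.
# Usage: sh check_tls.sh yourdomain.com   (the hostname is a placeholder)

# Read `openssl s_client -status` output from stdin and print the OCSP staple
# status: "none" when the server sent no staple, otherwise the Cert Status
# value from the stapled response (normally "good").
ocsp_staple_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo none
        return 0
    fi
    status=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
    echo "${status:-none}"
}

# Read HTTP response headers from stdin and print the HSTS max-age in seconds,
# or 0 when no Strict-Transport-Security header is present.
hsts_max_age() {
    sed -n 's/^[Ss]trict-[Tt]ransport-[Ss]ecurity:.*[Mm]ax-[Aa]ge=\([0-9][0-9]*\).*/\1/p' \
        | head -n 1 | grep . || echo 0
}

# Succeed (exit 0) when the max-age given as the first argument is at least
# one year (31536000 s), the duration the post describes.
hsts_long_enough() {
    [ "$1" -ge 31536000 ]
}

# Constructed samples (not captured from a real server) to exercise the parsers.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Sep 26 00:00:00 2022 GMT
======================================'
SAMPLE_NO_STAPLE='CONNECTED(00000003)
OCSP response: no response sent'
SAMPLE_HEADERS='HTTP/2 200
server: nginx
strict-transport-security: max-age=63072000
content-type: text/html'

# Live check of one host: which protocol versions it accepts, whether it
# staples an OCSP response, and its HSTS max-age. Needs network access.
check_site() {
    host=$1
    for ver in tls1 tls1_1 tls1_2 tls1_3; do
        # s_client exits non-zero when the handshake fails. The client side can
        # also refuse old versions (Debian's openssl.cnf may enforce a minimum
        # protocol), so confirm a "refused" TLS 1.0/1.1 result with the SSL Labs report.
        if openssl s_client -connect "$host:443" -servername "$host" "-$ver" \
               </dev/null >/dev/null 2>&1; then
            echo "$ver: accepted"
        else
            echo "$ver: refused"
        fi
    done
    staple=$(openssl s_client -connect "$host:443" -servername "$host" -status \
                 </dev/null 2>/dev/null | ocsp_staple_status)
    echo "OCSP staple: $staple"
    maxage=$(curl -sI "https://$host/" | hsts_max_age)
    if hsts_long_enough "$maxage"; then
        echo "HSTS max-age: $maxage (at least one year)"
    else
        echo "HSTS max-age: $maxage (missing or shorter than one year)"
    fi
}

# Only contact a server when a hostname was given on the command line.
if [ $# -gt 0 ]; then
    check_site "$1"
fi
```

For an A+ configuration the expected output is tls1 and tls1_1 refused, tls1_2 and tls1_3 accepted, OCSP staple good, and an HSTS max-age of at least one year. Because browsers remember the HSTS header for the whole max-age, it is worth confirming that every page and subdomain loads over HTTPS before publishing a two-year value.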
 

Thursday, 02 October 2025