Beginner Fundamentals

SSL and HTTPS

HTTPS encrypts traffic between the browser and your server. Nginx handles the encryption (TLS termination) so your site can be served securely.

Enabling HTTPS

To serve HTTPS, listen on port 443 with the ssl flag and point to your certificate and key:

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/ssl/example.crt;
    ssl_certificate_key /etc/nginx/ssl/example.key;

    root /var/www/example;
}

  • ssl_certificate is the public certificate (often the full chain).
  • ssl_certificate_key is the private key. Keep it readable only by root.

Redirecting HTTP to HTTPS

Visitors arriving on port 80 should be sent to the secure version. Use a small server block that redirects:

server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

return 301 issues a permanent redirect, preserving the original path and query string.

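Restrict connections to modern TLS versions and make the server's cipher order take precedence over the client's (which ciphers are offered is set separately with ssl_ciphers):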

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
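
As an added example (not part of the original page), the following Python sketch lints a config for the three points covered so far: a TLS listener with both certificate directives, a port 80 block that redirects to HTTPS, and no legacy protocol versions. The sample config, the function names and the MODERN set are constructed for illustration, and the parser assumes flat server blocks with no nested location blocks.

```python
import re

# Constructed sample (not from the page): the port 80 block serves content
# instead of redirecting, and the TLS block still enables TLSv1 and TLSv1.1.
SAMPLE = """
server {
    listen 80;
    server_name example.com;
    root /var/www/example;
}
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/ssl/example.crt;
    ssl_certificate_key /etc/nginx/ssl/example.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""
MODERN = {"TLSv1.2", "TLSv1.3"}  # the versions the page keeps enabled

def server_blocks(conf):
    """Yield each flat server block as {directive: [argument lists]}."""
    conf = re.sub(r"#.*", "", conf)  # drop comments
    for body in re.findall(r"\bserver\s*\{([^{}]*)\}", conf):
        block = {}
        for stmt in body.split(";"):
            words = stmt.split()
            if words:
                block.setdefault(words[0], []).append(words[1:])
        yield block

def audit(conf):
    """Return a list of findings for the checks described above."""
    findings = []
    for b in server_blocks(conf):
        name = (b.get("server_name", [[]])[0] or ["(unnamed)"])[0]
        listens = b.get("listen", [])
        if any("ssl" in args for args in listens):
            for key in ("ssl_certificate", "ssl_certificate_key"):
                if key not in b:
                    findings.append(f"{name}: 'listen ... ssl' without {key}")
            # Only an explicit ssl_protocols line is judged; it may also be
            # inherited from the http block, which this sketch does not read.
            legacy = {p for a in b.get("ssl_protocols", []) for p in a} - MODERN
            if legacy:
                findings.append(f"{name}: legacy protocols enabled: {sorted(legacy)}")
        elif any(a and a[0].split(":")[-1] == "80" for a in listens):
            ok = any(len(a) == 2 and a[0] in ("301", "308")
                     and a[1].startswith("https://") for a in b.get("return", []))
            if not ok:
                findings.append(f"{name}: port 80 block has no permanent redirect to HTTPS")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run `nginx -t` as well before reloading; this lint checks only the settings discussed here, not syntax.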

Free Certificates

Tools like Certbot from Let’s Encrypt can obtain and renew certificates automatically:

sudo certbot --nginx -d example.com

This is the easiest way to get trusted certificates at no cost.