
How to Configure NGINX to get an A+ SSL Labs Rating

SSL Labs provides a free tool that lets you check the security of your web server's SSL configuration. The tool scans your server and generates a graded report, with A+ being the best rating. This tutorial shows the steps involved in getting an A+ for an NGINX server.


Before we begin, you will need access to a public-facing Ubuntu 18.04 server, and you will need to have assigned its public IP address in your public DNS service so that your domain is resolvable.

You will also need to have generated SSL certificates and copied them to the /etc/ssl/certs directory on the server. Read this tutorial to learn how to generate Let’s Encrypt certificates on your local machine using Ansible.

The following steps have been tested on Ubuntu 18.04 running on a DigitalOcean* droplet. (If you don’t have a DigitalOcean account, use my affiliate link* to get $100 free credit.)

Step 1: Install NGINX

Connect to the Ubuntu server with SSH and then install NGINX with the following command:

sudo apt install nginx ssl-cert

Step 2: Create Virtual Host

Create a virtual host conf file inside the /etc/nginx/sites-enabled folder with the name of the domain you want NGINX to serve. In the following example I will use, replace this with your own.

sudo vim /etc/nginx/sites-enabled/

Add the following config to the file replacing with your domain.

server {
  listen 80;
  listen [::]:80;
  # Redirect HTTP to HTTPS ($host is the requested host name)
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  root /var/www/;

  ssl_certificate     /etc/ssl/certs/;
  ssl_certificate_key /etc/ssl/private/;
  ssl_dhparam         /etc/ssl/certs/;

  # SSL Settings
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers off;
  ssl_session_timeout 1d;
  ssl_session_cache   shared:SSL:10m;
  ssl_session_tickets off;

  # OCSP stapling
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /etc/ssl/certs/;

  # HSTS: two years, sent on every response including errors (always)
  add_header Strict-Transport-Security "max-age=63072000" always;

  location / {
    try_files $uri $uri/ =404;
  }
}

Note: If you didn’t use the Ansible playbook to generate your certs, you will need to generate a 4096-bit Diffie-Hellman parameters file with the command openssl dhparam -out dhparam.pem 4096 and point the ssl_dhparam directive at it.
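An added example, not part of the original tutorial: a small Python lint that checks a virtual host file for the TLS settings used above before you reload NGINX. The sample configs are constructed, and the function names and the six-month HSTS floor (MIN_HSTS) are assumptions of this example.

```python
import re
# Constructed samples: GOOD mirrors the tutorial's TLS directives, WEAK is a counter-example.
GOOD = """
server {
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_session_tickets off;
  ssl_stapling on;
  ssl_stapling_verify on;
  add_header Strict-Transport-Security "max-age=63072000" always;
}
"""
WEAK = """
server {
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # legacy protocols left on
  ssl_stapling on;
  add_header Strict-Transport-Security "max-age=300";
}
"""
EXPECTED = {"ssl_session_tickets": "off", "ssl_stapling": "on", "ssl_stapling_verify": "on"}
MIN_HSTS = 15768000  # assumed floor for this example: about six months, in seconds

def directives(conf):
    """Map directive name -> list of argument strings (flat: block nesting is ignored)."""
    found = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing comments
        parts = line[:-1].split(None, 1)
        if line.endswith(";") and len(parts) == 2:
            found.setdefault(parts[0], []).append(parts[1].strip())
    return found

def lint(conf):
    d, problems = directives(conf), []
    legacy = set(" ".join(d.get("ssl_protocols", [])).split()) - {"TLSv1.2", "TLSv1.3"}
    if legacy or "ssl_protocols" not in d:
        problems.append("ssl_protocols: " + (" ".join(sorted(legacy)) or "not set"))
    for name, want in EXPECTED.items():
        if d.get(name, [""])[-1] != want:         # the last occurrence is the one compared
            problems.append(f"{name} should be {want}")
    hsts = [a for a in d.get("add_header", []) if a.lower().startswith("strict-transport-security")]
    age = re.search(r"max-age=(\d+)", hsts[-1]) if hsts else None
    if not age or int(age.group(1)) < MIN_HSTS:
        problems.append("HSTS missing or max-age too short")
    elif not hsts[-1].endswith("always"):         # without it, error responses lack the header
        problems.append("HSTS header lacks 'always'")
    return problems

if __name__ == "__main__":
    print("GOOD:", lint(GOOD) or "ok", "\nWEAK:", lint(WEAK))
```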

Reload the NGINX config:

sudo nginx -s reload

Browse to the domain and check to see if the website loads and SSL is enabled.


Step 3: Run SSL Labs Report

Head over to the SSL Labs Test page, enter your domain, click Submit and wait for the test to complete.

You should have an A+.


In this post we saw how easy it is to configure NGINX so that it gets an A+ rating by SSL Labs. You should run the report every so often and make tweaks as things may change in the future. A good way to get the latest config is to use the Mozilla SSL Configuration Generator.