Nginx SSL Config Generator

Generate an HTTPS-ready nginx.conf with SSL certificate paths, modern protocols, ciphers, HSTS, and HTTP-to-HTTPS redirect

What is Nginx SSL Config Generator

Written by Giorgos Kostas. Last reviewed:

Nginx SSL Config Generator emits an HTTPS server block ready for Let's Encrypt — including the redirect block that 301s plain HTTP to HTTPS.

It picks ciphers and protocols from the Mozilla SSL Configuration Generator profiles (Modern, Intermediate, Old) and lets you toggle HSTS, OCSP stapling, and HTTP/2 with one click.

Why use it

  • Stop guessing TLS cipher strings — pick a Mozilla profile and get the official suite.
  • Generate the HTTP→HTTPS redirect server block automatically when you opt into 'Force HTTPS'.
  • Configure HSTS with `max-age`, `includeSubDomains`, and `preload` from labelled toggles.
  • Get OCSP stapling and resolver directives wired in for valid stapled responses.
  • Combines with proxy_pass — one config can both terminate TLS and forward to your upstream.

Features

  • Mozilla SSL profiles: Modern / Intermediate / Old
  • Auto-generated HTTP→HTTPS redirect block
  • HSTS with max-age / includeSubDomains / preload toggles
  • OCSP stapling with resolver directive
  • HTTP/2 toggle, optional proxy_pass body, security headers

How to use Nginx SSL Config Generator

  1. Pick the SSL profile. Modern for new apps, Intermediate for broad compatibility.
  2. Update cert paths. Point ssl_certificate / ssl_certificate_key at your real .pem files.
  3. Toggle HSTS / OCSP / HTTP/2. Enable the protections that match your client base.
  4. Test and reload Nginx. Run `sudo nginx -t && sudo systemctl reload nginx`; `nginx -t` validates the file first, so a typo aborts before the running config is touched.

Example (before/after)

Form input

server_name  = app.example.com
proxy_pass   = http://127.0.0.1:3000
SSL profile  = Modern
Force HTTPS  = on
HSTS         = on (1 year, includeSubDomains)

Generated server blocks

server {
  listen 80;
  server_name app.example.com;
  return 301 https://$host$request_uri;
}
server {
  listen 443 ssl http2;
  server_name app.example.com;
  ssl_certificate     /etc/letsencrypt/live/app.example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;
  ssl_protocols TLSv1.3;
  ssl_ciphers   TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
  location / { proxy_pass http://127.0.0.1:3000; ... }
}

Three things to check before this goes live. On nginx 1.25.1 and later `listen 443 ssl http2;` still works but logs a deprecation warning; the current form is `listen 443 ssl;` with a separate `http2 on;`. With nginx built against OpenSSL, `ssl_ciphers` governs only TLS 1.2 and older suites, so the three TLS 1.3 names above are ignored rather than enforced; to pin TLS 1.3 suites use `ssl_conf_command Ciphersuites ...;` (nginx 1.19.4 or later). Finally, nginx does not inherit `add_header` into a `location` that sets any `add_header` of its own, so a location that adds even one header silently loses the HSTS header unless you repeat it there.

Common errors

ERR_SSL_PROTOCOL_ERROR after deploying Modern profile

Modern allows only TLS 1.3, so any client without TLS 1.3 support (IE 11, the Android system TLS stack before Android 10, older Java runtimes) is refused with a protocol-version alert during the handshake. The exact error text depends on the client; Chrome usually reports ERR_SSL_VERSION_OR_CIPHER_MISMATCH for this case.

Fix: Switch to the Intermediate profile (TLS 1.2 + 1.3) if you need those clients, then confirm with `openssl s_client -connect app.example.com:443 -servername app.example.com -tls1_2`.

OCSP stapling shows 'no response sent'

Nginx fetches the OCSP response itself, so the server block needs a working `resolver` directive to look up the responder's hostname, and the fetch happens lazily: the first handshake after a start or reload carries no stapled response, so test at least twice with `openssl s_client -connect app.example.com:443 -servername app.example.com -status`. If `ssl_stapling_verify` is on, `ssl_trusted_certificate` must point at the issuer chain (Certbot's `chain.pem`). Note also that Let's Encrypt has announced the end of its OCSP service in favour of CRLs; a Let's Encrypt certificate issued without an OCSP URL leaves nothing to staple, and no nginx setting changes that.

Fix: Keep the bundled `resolver 1.1.1.1 8.8.8.8 valid=300s;` line, or point to an internal resolver, and check again on the second connection.

HSTS preload submission rejected

hstspreload.org requires `max-age` of at least 31536000 (one year), `includeSubDomains`, `preload`, the header on the HTTPS response for the bare domain, and an HTTP→HTTPS redirect on the same host before any other redirect; every subdomain must then serve valid HTTPS with a trusted chain.

Fix: Toggle both, set max-age to at least 31536000 seconds, and run the domain through hstspreload.org before submitting.
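The checks above can be run against the generated file before it is reloaded. The script below is an added example, not part of the generator or of this page's tooling: it parses nginx `server` blocks and flags a missing redirect on the port 80 block, `ssl_stapling` without a `resolver`, HSTS values that would fail the preload rules, a `location` that overrides `add_header` and so drops the HSTS header, the deprecated `listen ... http2` form, and TLS 1.3 suite names in `ssl_ciphers` that OpenSSL ignores. `WEAK_CONF` is the generated example with its certificate lines left out, the elided location body filled in with a `proxy_pass` and an assumed `X-Frame-Options` header, and stapling switched on; `FIXED_CONF` is the corrected counterpart using the resolver line from the Common errors section. Both inputs are constructed for the example.

```python
"""Lint nginx HTTPS server blocks for the pitfalls in the section above (added example)."""
import re

# Constructed input: the generated blocks from the example (certificate lines
# omitted), the elided location body filled in (assumed) and OCSP stapling on.
WEAK_CONF = """
server { listen 80; server_name app.example.com; return 301 https://$host$request_uri; }
server {
  listen 443 ssl http2;
  server_name app.example.com;
  ssl_protocols TLSv1.3;
  ssl_ciphers   TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
  ssl_stapling on;
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
  location / {
    proxy_pass http://127.0.0.1:3000;
    add_header X-Frame-Options DENY;   # this location now loses the server-level HSTS header
  }
}
"""

# The same blocks with every finding fixed (ssl_conf_command: nginx 1.19.4+, OpenSSL 1.1.1+).
FIXED_CONF = """
server { listen 80; server_name app.example.com; return 301 https://$host$request_uri; }
server {
  listen 443 ssl;
  http2 on;
  server_name app.example.com;
  ssl_protocols TLSv1.3;
  ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256;
  ssl_stapling on;
  resolver 1.1.1.1 8.8.8.8 valid=300s;
  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
  add_header X-Frame-Options DENY always;
  location / { proxy_pass http://127.0.0.1:3000; }
}
"""

_TOKEN = re.compile(r'''"[^"]*"|'[^']*'|[{};]|[^\s{};"']+''')
ONE_YEAR = 31536000  # minimum max-age accepted by hstspreload.org

def parse_nginx(text):
    """Parse config text into [{"name", "args", "block"}]; block is None or a nested list."""
    tokens = _TOKEN.findall(re.sub(r'#[^\n]*', '', text))  # strip comments first
    def block(pos):
        out, words = [], []
        while pos < len(tokens) and tokens[pos] != '}':
            tok, pos = tokens[pos], pos + 1
            if tok not in (';', '{'):
                words.append(tok.strip('"\''))
            elif not words:
                raise ValueError('directive without a name')
            else:
                body, pos = block(pos) if tok == '{' else (None, pos)
                out.append({"name": words[0], "args": words[1:], "block": body})
                words = []
        return out, pos + 1  # skip the closing brace
    return block(0)[0]

def _find(directives, name):
    return [d for d in directives if d["name"] == name]

def parse_hsts(value):
    """'max-age=300; includeSubDomains' -> {'max-age': '300', 'includesubdomains': ''}"""
    pairs = (p.strip().partition('=') for p in value.split(';'))
    return {k.strip().lower(): v.strip() for k, _, v in pairs if k}

def lint_server(d, out):
    listen = [a for l in _find(d, 'listen') for a in l["args"]]
    if 'ssl' not in listen and not any(a.endswith('443') for a in listen):
        ret = [r["args"] for r in _find(d, 'return')]
        if not (ret and len(ret[0]) == 2 and ret[0][0] in ('301', '308') and ret[0][1].startswith('https://')):
            out.append(('warn', 'plain-HTTP server block does not 301/308 to https://'))
        return
    if 'http2' in listen:
        out.append(('info', '"listen ... http2" is deprecated since nginx 1.25.1; use "http2 on;"'))
    pinned = any('Ciphersuites' in c["args"] for c in _find(d, 'ssl_conf_command'))
    if not pinned and any(a.startswith('TLS_') for c in _find(d, 'ssl_ciphers') for a in c["args"][0].split(':')):
        out.append(('info', 'TLS 1.3 suite names in ssl_ciphers are ignored by OpenSSL; pin them with ssl_conf_command Ciphersuites'))
    if any(s["args"] == ['on'] for s in _find(d, 'ssl_stapling')) and not _find(d, 'resolver'):
        out.append(('error', 'ssl_stapling on without resolver: nginx cannot fetch the OCSP response'))
    hsts = [h["args"] for h in _find(d, 'add_header') if h["args"][0].lower() == 'strict-transport-security']
    if not hsts:
        out.append(('warn', 'no Strict-Transport-Security header'))
        return
    if 'always' not in hsts[0]:
        out.append(('warn', 'HSTS add_header lacks "always": not sent on 4xx/5xx responses'))
    parts = parse_hsts(hsts[0][1])
    if 'preload' in parts and (int(parts.get('max-age') or 0) < ONE_YEAR or 'includesubdomains' not in parts):
        out.append(('error', 'preload requires max-age>=31536000 and includeSubDomains'))
    for loc in _find(d, 'location'):  # add_header is inherited only if the location sets none of its own
        own = _find(loc["block"] or [], 'add_header')
        if own and not any(h["args"][0].lower() == 'strict-transport-security' for h in own):
            out.append(('error', f'location {" ".join(loc["args"])} sets add_header and so loses the server-level HSTS header'))

def lint(text):
    out = []
    for server in _find(parse_nginx(text), 'server'):
        lint_server(server["block"] or [], out)
    return out
```

`lint(WEAK_CONF)` returns four findings (two `info`, two `error`) and `lint(FIXED_CONF)` returns none. The parser is deliberately small: it understands directives, quoted arguments, comments and nested braces, which covers generated server blocks, but it is a structural check, not a handshake test. After reloading, still confirm from outside with `openssl s_client -connect app.example.com:443 -servername app.example.com -status`.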

FAQ

Where do the cert paths come from?

The defaults assume Certbot's standard layout (`/etc/letsencrypt/live/<domain>/fullchain.pem` and `privkey.pem`). Edit the fields to match your CA bundle paths.

Which Mozilla profile should I pick?

Modern (TLS 1.3 only) for greenfield apps with no legacy clients. Intermediate (TLS 1.2 + 1.3) is the safe default. Old (TLS 1.0+) only when you genuinely have to support clients that cannot negotiate TLS 1.2 at all (Mozilla's compatibility list names Windows XP with IE 8, Android 2.3 and Java 6); it re-enables CBC and SHA-1 suites, so treat it as a temporary exception rather than a baseline.

Why does the generator emit a second server block on port 80?

When 'Force HTTPS' is on we 301 every plain HTTP request to its HTTPS counterpart so users (and search engines) never land on cleartext.

How do I get a Let's Encrypt cert?

Install Certbot (`apt install certbot python3-certbot-nginx`) and run `sudo certbot certonly --nginx -d app.example.com`. `certonly` obtains the certificate without letting Certbot rewrite your nginx config (plain `certbot --nginx` edits the server block itself and would overwrite the generated TLS directives). Then paste the paths it prints back into the form.

Should I enable HSTS preload immediately?

No — preload is hard to undo. Roll out HSTS with `max-age=300` first, verify everything is HTTPS-only, then ramp to 1 year and submit to the preload list.

Does it support multiple certificates / SNI?

It produces a single server block. If one certificate covers all the names (a SAN certificate), add them to the same `server_name` directive. If each domain has its own certificate, generate one config per domain: nginx selects the server block, and with it the `ssl_certificate`, from the SNI name the client sends, so each certificate needs its own `server` block.

Related tools

Round out your TLS setup. You can also browse the full DevOps & Infra category for more options.

Nginx Reverse Proxy Generator

Generate a production-ready nginx.conf for reverse proxying with proxy_pass, headers, timeouts, and gzip from a focused form

SSL Chain Inspector

Probe a host:port and render the full TLS certificate chain with subject, issuer, SAN, key, signature, fingerprints, and days-until-expiry

CSP Policy Builder

Build a Content Security Policy header from per-directive cards with chip-style sources, presets, and a live header + meta-tag preview

Nginx Load Balancer Config Generator

Generate an nginx upstream + load balancer config with round-robin, least_conn, ip_hash, weights, health checks, and keepalive

HTTP Header Inspector

Paste response headers to audit HSTS, CSP, CORS, X-Powered-By disclosure, and Set-Cookie flags

Nginx Static Site Config Generator

Generate an nginx.conf for serving a static site with try_files, SPA fallback, gzip, brotli, and aggressive cache headers

Nginx WebSocket Proxy Generator

Generate an nginx config for proxying WebSocket connections with Upgrade and Connection headers and long read timeouts

Docker Compose Validator

Validate docker-compose.yml against the Compose Spec schema with hand-written lints (port collisions, undefined networks, depends_on cycles)

ENV File Editor

Edit .env files in a key/value table with type detection, masked secrets, duplicate-key warnings, and export to JSON, YAML, shell, or docker-compose

Kubernetes YAML Explorer

Explore multi-document Kubernetes manifests grouped by kind with a cross-reference graph (Service to Deployment, ConfigMap mounts, Ingress backends)