====== Configure NGINX web server to use SSL ======

  - You need an installed [[linux:install:webserver|NGINX web server]]
  - You also need an [[linux:openssl|SSL key and certificate]], but you can use [[linux:nginx:letsencrypt|Let's Encrypt]] for signed SSL certificates as well.
  - Copy the certificate and key to ''/etc/ssl''
  - Configure the server to serve an SSL site:<code bash>
cat > /tmp/ssl<< EOF
server {
    listen 443 ssl http2;

    ssl on;
    ssl_certificate /etc/ssl/certs/cert.pem;
    ssl_certificate_key /etc/ssl/private/cert.key;

    ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:10m;

    ssl_stapling on;
    ssl_stapling_verify on;
  
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    add_header Strict-Transport-Security max-age=63072000;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    keepalive_timeout 90;

    location / {
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$remote_addr;
        proxy_set_header Host \$host;
        proxy_pass http://127.0.0.1:80;
    }
}
EOF

sudo mv /tmp/ssl /etc/nginx/sites-available/

sudo ln -s /etc/nginx/sites-available/ssl /etc/nginx/sites-enabled/ssl

cd /etc/ssl/certs
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

sudo service nginx reload
</code>