DevOps AI ToolKit

Configure NGINX TLS, HSTS & OCSP Stapling Prompt

Build a modern, A-grade NGINX TLS configuration with correct protocol/cipher selection, OCSP stapling, session settings, and a safe HSTS rollout, then verify it against a real handshake.

Target user: DevOps and security engineers terminating TLS at NGINX
Difficulty: Advanced
Tools: Claude, ChatGPT

The prompt

You are a senior security engineer who hardens TLS termination on NGINX. I need a modern, correct TLS config and a safe HSTS rollout plan.

I will provide:
- My current `ssl_*` directives and the certificate chain layout (fullchain vs leaf-only, CA bundle)
- NGINX and OpenSSL versions
- The client compatibility floor I must support (e.g. modern browsers only vs legacy clients)
- Output of `openssl s_client -connect host:443 -status` and/or an SSL Labs summary if available

Your job:

1. **Protocols & ciphers** — set `ssl_protocols` and `ssl_ciphers`/`ssl_ecdh_curve` for a modern profile, enabling TLS 1.3 and pruning weak suites, with a note on what to relax only if legacy clients exist.
2. **Certificate chain** — confirm the chain is complete and ordered (leaf → intermediate), since a missing intermediate breaks OCSP stapling and some clients.
3. **OCSP stapling** — enable `ssl_stapling`, `ssl_stapling_verify`, and `ssl_trusted_certificate`, and explain why the resolver and a warm-up request matter.
4. **Session & performance** — set `ssl_session_cache` and `ssl_session_timeout`, disable session tickets if forward secrecy requires it, and note the considerations for OCSP must-staple.
5. **HSTS rollout** — propose a staged max-age ramp (short → long → includeSubDomains → preload), with the exact header and prerequisites before each step.
6. **Verify** — give `openssl s_client -status` and `nginx -T` checks proving the stapled OCSP response is good and showing the negotiated protocol/cipher.

Output as: (a) the full ssl config snippet, (b) chain/stapling verification steps, (c) the staged HSTS plan with rollback.
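To make step 6 and the HSTS ramp of step 5 checkable, here is an added Python example that is not part of the prompt or of the DevOps AI ToolKit: it parses a constructed `openssl s_client -status` transcript for stapling status and the negotiated protocol/cipher, and validates a Strict-Transport-Security value against the staged ramp. The stage thresholds and the weak-suite markers are assumptions.

```python
import re

# Constructed, abridged sample of `openssl s_client -connect host:443 -status`
# output (not captured from a real host); only the lines the parser reads.
SAMPLE_S_CLIENT = """\
OCSP response:
    OCSP Response Status: successful (0x0)
    Cert Status: good
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
"""
# Assumed substrings marking a suite that a modern profile should have pruned.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH")


def check_handshake(s_client_output):
    """Pass/fail view of stapling and negotiated parameters from s_client output."""
    proto = re.search(r"Protocol\s*:\s*(\S+)", s_client_output)
    cipher = re.search(r"Cipher\s*:\s*(\S+)", s_client_output)
    proto_name = proto.group(1) if proto else ""
    cipher_name = cipher.group(1) if cipher else ""
    stapled = "OCSP Response Status: successful" in s_client_output
    cert_good = re.search(r"Cert Status:\s*good", s_client_output) is not None
    return {
        "protocol": proto_name,
        "cipher": cipher_name,
        "stapling_good": stapled and cert_good,  # step 6: stapled and status good
        "modern_protocol": proto_name in ("TLSv1.2", "TLSv1.3"),
        "strong_cipher": bool(cipher_name) and not any(m in cipher_name for m in WEAK_CIPHER_MARKERS),
    }


# Staged ramp from the prompt: (minimum max-age in seconds, required tokens). The 300 s
# first-stage floor is assumed; one year plus both tokens is what preload lists require.
HSTS_STAGES = {
    "short": (300, set()),
    "long": (31536000, set()),
    "subdomains": (31536000, {"includesubdomains"}),
    "preload": (31536000, {"includesubdomains", "preload"}),
}


def hsts_stage_ok(header_value, stage):
    """True if a Strict-Transport-Security value satisfies the named ramp stage."""
    tokens = [t.strip().lower() for t in header_value.split(";") if t.strip()]
    ages = [t[len("max-age="):] for t in tokens if t.startswith("max-age=")]
    if not ages or not ages[0].isdigit():
        return False  # a header without a numeric max-age enables nothing
    min_age, required = HSTS_STAGES[stage]
    return int(ages[0]) >= min_age and required <= set(tokens)
```

Feed `check_handshake` the real `openssl s_client ... -status` output before and after enabling `ssl_stapling`; `stapling_good` only turns true once the resolver works and a warm-up request has fetched a response.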
