Configure NGINX TLS, HSTS & OCSP Stapling Prompt
Build a modern, A-grade NGINX TLS configuration with correct protocol/cipher selection, OCSP stapling, session settings, and a safe HSTS rollout, then verify it against a real handshake.
- Target user: DevOps and security engineers terminating TLS at NGINX
- Difficulty: Advanced
- Tools: Claude, ChatGPT
The prompt
You are a senior security engineer who hardens TLS termination on NGINX. I need a modern, correct TLS config and a safe HSTS rollout plan. I will provide:

- My current `ssl_*` directives and the certificate chain layout (fullchain vs leaf-only, CA bundle)
- NGINX and OpenSSL versions
- The client compatibility floor I must support (e.g. modern browsers only vs legacy clients)
- Output of `openssl s_client -connect host:443 -status` and/or an SSL Labs summary if available

Your job:

1. **Protocols & ciphers** — set `ssl_protocols` and `ssl_ciphers`/`ssl_ecdh_curve` for a modern profile, enabling TLS 1.3 and pruning weak suites, with a note on what to relax only if legacy clients exist.
2. **Certificate chain** — confirm the chain is complete and ordered (leaf → intermediate), since a missing intermediate breaks OCSP stapling and some clients.
3. **OCSP stapling** — enable `ssl_stapling`, `ssl_stapling_verify`, and `ssl_trusted_certificate`, and explain why the resolver and a warm-up request matter.
4. **Session & performance** — set `ssl_session_cache` and `ssl_session_timeout`, disable session tickets if forward secrecy requires it, and note the OCSP must-staple considerations.
5. **HSTS rollout** — propose a staged max-age ramp (short → long → includeSubDomains → preload), with the exact header and prerequisites before each step.
6. **Verify** — give `openssl s_client -status` and `nginx -T` checks proving stapling=good and the negotiated protocol/cipher.

Output as: (a) the full ssl config snippet, (b) chain/stapling verification steps, (c) the staged HSTS plan with rollback.
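The following is an added example of what steps 1 through 6 produce when carried out, not text from the original page and not the output of any particular model. It writes a hardened `ssl_*` snippet (certificate, key and resolver paths are placeholders you must replace), emits the HSTS header value for each rollout stage, and checks a captured `openssl s_client -status` transcript for a stapled, verified OCSP response and the negotiated protocol. The two transcripts at the bottom are constructed samples, not real handshakes.

```shell
#!/usr/bin/env bash
# Added example: hardened NGINX TLS snippet plus shell checks over s_client output.
set -eu

# Step 1-4: write the TLS snippet to $1 (the default path is an assumption; match your layout).
write_tls_snippet() {
  cat > "${1:-/etc/nginx/snippets/tls.conf}" <<'EOF'
# TLS 1.3 plus TLS 1.2 for clients that still need it; drop TLSv1.2 only if your floor allows.
ssl_protocols TLSv1.2 TLSv1.3;
# TLS 1.2 suites: AEAD and ECDHE only (forward secrecy). TLS 1.3 suites are fixed by OpenSSL.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
ssl_ecdh_curve X25519:prime256v1:secp384r1;

# Chain must be leaf then intermediate (fullchain); a leaf-only file breaks stapling and some clients.
ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;   # placeholder path
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;     # placeholder path

# OCSP stapling: ssl_trusted_certificate holds the intermediate(s) so NGINX can verify the response.
# NGINX fetches the response lazily after the first handshake, so warm the vhost up with one
# request and expect "no response sent" on that very first connection.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;   # placeholder path
resolver 127.0.0.53 valid=300s;   # placeholder: a resolver NGINX can reach to look up the OCSP responder
resolver_timeout 5s;

# Session resumption via the shared cache; tickets off because un-rotated ticket keys weaken forward secrecy.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;
EOF
}

# Step 5: HSTS header value per rollout stage. Emit it from the 443 server block only, as
#   add_header Strict-Transport-Security "<value>" always;
# Rollback before stage 4: serve max-age=0 and wait out the longest max-age previously sent.
hsts_header() {
  case "$1" in
    1) echo "max-age=300" ;;                                   # minutes: prove nothing breaks
    2) echo "max-age=604800" ;;                                # one week
    3) echo "max-age=31536000; includeSubDomains" ;;           # only once every subdomain serves HTTPS
    4) echo "max-age=63072000; includeSubDomains; preload" ;;  # preload list needs >= 1 year plus includeSubDomains
    *) return 1 ;;
  esac
}

# Step 6: return 0 only if an s_client -status transcript shows a stapled, successful, "good" response.
check_stapling() {
  printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful' || return 1
  printf '%s\n' "$1" | grep -q 'Cert Status: good' || return 1
}

# Step 6: print the negotiated protocol from the SSL-Session block of the transcript.
negotiated_protocol() {
  printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n 1
}

# Constructed sample transcripts (not captured from a real host).
SAMPLE_GOOD='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384'

SAMPLE_COLD='OCSP response: no response sent
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'

if [ "${1:-}" = "demo" ]; then
  check_stapling "$SAMPLE_GOOD" && echo "stapling: good ($(negotiated_protocol "$SAMPLE_GOOD"))"
  check_stapling "$SAMPLE_COLD" || echo "stapling: missing, send a warm-up request and retry"
fi
```

In practice you feed `check_stapling` the output of `openssl s_client -connect host:443 -servername host -status </dev/null 2>/dev/null` and confirm the snippet is actually loaded with `nginx -T | grep -E 'ssl_(stapling|protocols)'`; a cold vhost legitimately reports "no response sent" once, so retry after a warm-up request before concluding stapling is broken.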
Related prompts
- Secure NGINX Reverse-Proxy Vhost Prompt: Write a hardened NGINX reverse-proxy server block that forwards correct headers, hides upstream details, sets sane security headers, and avoids common proxy footguns like open host headers and missing real-IP handling.
- Troubleshoot NGINX Config That Fails nginx -t Prompt: Diagnose and fix an NGINX configuration that fails `nginx -t` by reading the exact error/line, explaining the underlying cause, and returning a corrected, test-passing config with the change isolated.