Network

TLS Config Generator

Generate TLS/SSL configuration for nginx , Apache , and HAProxy based on Mozilla's SSL Config Generator. Choose modern (TLS 1.3 only), intermediate (TLS 1.2+), or old (legacy compatibility) profiles.

Security Profile

Min TLS VersionTLS 1.2

Max TLS VersionTLS 1.3

Cipher Suites

ECDHE-ECDSA-AES128-GCM-SHA256ECDHE-RSA-AES128-GCM-SHA256ECDHE-ECDSA-AES256-GCM-SHA384ECDHE-RSA-AES256-GCM-SHA384ECDHE-ECDSA-CHACHA20-POLY1305ECDHE-RSA-CHACHA20-POLY1305DHE-RSA-AES128-GCM-SHA256DHE-RSA-AES256-GCM-SHA384

Browser Compatibility

Firefox 27+Chrome 30+Safari 9+Edge 14+IE 11+ (no TLS 1.3)Android 5.0+iOS 9+

Server Configuration

# Nginx TLS Configuration (intermediate profile)
# Based on Mozilla SSL Configuration Generator
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;
    # DH parameters (for DHE ciphers)
    ssl_dhparam /etc/nginx/dhparam.pem;
    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 8.8.8.8 valid=300s;
    resolver_timeout 5s;
    # HSTS (ngx_http_headers_module required)
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    # Other security headers
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options DENY;
}

Notes

Recommended for most production deployments.
Drops support for TLS 1.0 and TLS 1.1 (deprecated per RFC 8996).
DHE key exchange requires a 2048-bit DH parameter file.
Generate: openssl dhparam -out /etc/nginx/dhparam.pem 2048