Enable TLS/SSL on Nginx – Arch Linux
Prerequisites
- Nginx running on Arch Linux
- A valid domain name pointing to your server IP
Step 1 – Obtain a certificate with Certbot
See Install Certbot with Nginx on Arch Linux for the full Certbot setup. For a quick test with a self-signed certificate:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/ssl/private/nginx-selfsigned.key \
-out /etc/ssl/certs/nginx-selfsigned.crt \
-subj "/CN=example.com"Step 2 – Generate DH parameters (recommended)
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048Step 3 – Update the server block
server {
listen 80;
server_name example.com www.example.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
server_name example.com www.example.com;
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
root /var/www/example.com/html;
index index.html;
location / {
try_files $uri $uri/ =404;
}
}Step 4 – Test and reload
nginx -t
systemctl reload nginxStep 5 – Verify with curl
curl -vk https://example.com 2>&1 | grep 'SSL connection'