In previous article, you can understand about benefits of Reverse Proxy Server. One common case is using it as TLS termination server. Today I show you my recommended config about TLS setup

Below is my config (with explained comments why I use it), which I chosen to balance between Compatibility - Speed - Security

### TLS Protocol : use TLSv1.2+ more secure (support some old devices from
### Android 4.4 - good enough), if you want to support more old devices
### just add "TLSv1 TLSv1.1"

ssl_protocols TLSv1.3 TLSv1.2;

### TLS session : it's about TLS session resumption
### (session is tls connection already handshake)

ssl_session_timeout 60m;
ssl_session_cache shared:SSL:30m;

### Diffie-Hellman (DH) key-exchange => More secure (should use with
### above TLS session resumption). Before run this command to generate 
### dhparam file : openssl dhparam -out /etc/nginx/tls/dhparam.pem 2048

ssl_dhparam /etc/nginx/tls/dhparam.pem;

### TLS Cipher : include common ciphers and disable ssl_prefer_server_ciphers
###  (which allow old clients choose prefered cipher)

ssl_prefer_server_ciphers off;
ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS_AES_256_GCM_SHA384:TLS-AES-256-GCM-SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA;

### TLS 1.3 0-RTT : less latency with 0-Round-Trip

ssl_early_data on;

### TLS stapling is system which clients will try to re-check about
### certificate validation. Enable stapling in server which is better,
### so clients don't need to check it

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;

### Add HTTP Strict Transport Security , which means once browser
### connected to server, it remembers to always connect to TLS
### directly on later (decrease HTTP to HTTPS redirect)

add_header Strict-Transport-Security "max-age=31536000";