Nginx TLS Config Generator

Generate a hardened Nginx server block for your domain — TLS 1.2/1.3 (or TLS 1.3 only), OCSP stapling, HSTS, secure session resumption, modern cipher selection. Companion to the Nginx TLS guide.

Not a substitute for reading the guide — the disclaimer applies. Test on a non-production server before deploying.

Apex domain only (e.g. example.com, not https://example.com/path).
PHP-FPM is right for WordPress / classic PHP apps; Reverse proxy covers Python (gunicorn/uvicorn), Node, Go; Static skips the upstream entirely.
Used only when backend is "Reverse proxy". For Unix-socket upstreams use http://unix:/run/yourapp.sock.
Used only when backend is "PHP-FPM". Leave blank to use /run/php/<domain>.sock.
Where Nginx serves files from. Leave blank to use /var/www/<domain>/public.
"Intermediate" matches the Mozilla profile — broad compatibility, TLS 1.2 + 1.3 with a restricted TLS 1.2 cipher list. "Modern" drops TLS 1.2 entirely and leaves only TLS 1.3 (whose cipher suites are fixed by the protocol, so no ssl_ciphers line is emitted) — choose this only if you control all clients and your Nginx is built against a TLS library with TLS 1.3 support (OpenSSL 1.1.1 or later).
Adds a 301 from www.<domain> to the apex — standard pattern. The redirect is served over HTTPS too, so the certificate must list www.<domain> as a Subject Alternative Name or browsers will show an error before the redirect ever happens.
Warning: HSTS preload is one-way. Adding preload and submitting your domain to hstspreload.org hard-codes HTTPS into browsers for years; the submission requirements are a max-age of at least one year (31536000 seconds), includeSubDomains, and the preload token, so the setting necessarily covers every subdomain. Removing the domain from the list takes months, and browsers already shipped keep the old entry until they update. Do not enable until every subdomain is HTTPS-capable.