Learn how to implement HTTPS and SSL/TLS to protect your website’s traffic and user data.
1. Setting Up HTTPS with Let’s Encrypt
Install Certbot
# Ubuntu/Debian
sudo apt update
sudo apt install certbot python3-certbot-nginx
# CentOS/RHEL (certbot ships in EPEL, so enable that repository first)
sudo yum install epel-release
sudo yum install certbot python3-certbot-nginx
# macOS
brew install certbot
Obtain and Install Certificate
# For Nginx
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
# For Apache
sudo certbot --apache -d yourdomain.com -d www.yourdomain.com
# If you're not using the Nginx/Apache plugins: let Certbot answer the HTTP
# challenge from your web root (runs unattended, so it also renews automatically)
sudo certbot certonly --webroot -w /var/www/html -d yourdomain.com
# Or, if nothing is listening on port 80 yet, let Certbot bind it briefly itself
sudo certbot certonly --standalone -d yourdomain.com
# Manual mode: you complete the challenge by hand every time, so it cannot renew unattended
sudo certbot certonly --manual -d yourdomain.com
Auto-Renewal Setup
# Test renewal
sudo certbot renew --dry-run
# Add to crontab for automatic renewal. Certbot recommends running it twice a day;
# it only renews certificates that are within 30 days of expiry. Distro packages
# usually install a systemd timer that already does this (on Debian/Ubuntu:
# systemctl list-timers certbot.timer), in which case no cron entry is needed.
0 0,12 * * * /usr/bin/certbot renew --quiet
# If you obtained the certificate with "certonly", the web server must be told to
# reload the renewed certificate, otherwise it keeps serving the old one:
# 0 0,12 * * * /usr/bin/certbot renew --quiet --deploy-hook "systemctl reload nginx"
2. Nginx SSL Configuration
server {
    listen 443 ssl;
    server_name yourdomain.com www.yourdomain.com;
    # Certificate chain (leaf + intermediates) and private key as written by Certbot
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    # Protocols and ciphers: TLS 1.2 and 1.3 only, AEAD suites with forward secrecy
    # (this is the Mozilla "intermediate" profile; TLS 1.3 suites are not affected by ssl_ciphers)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    # The DHE-* suites above are only offered if a DH group is configured;
    # generate one with: openssl dhparam -out /etc/nginx/dhparam.pem 2048
    # ssl_dhparam /etc/nginx/dhparam.pem;
    # Session resumption: cache server-side, disable tickets so forward secrecy
    # does not hinge on a long-lived ticket key
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    # HSTS (uncomment only once every host under the domain is served over HTTPS:
    # browsers that have seen this header refuse plain HTTP for the whole max-age)
    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # OCSP Stapling. ssl_stapling_verify needs the issuer chain to validate the
    # stapled response, supplied via ssl_trusted_certificate (Certbot's chain.pem).
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;
    # Resolver used to fetch OCSP responses; prefer a local resolver over a public one
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Plain HTTP should be answered by a separate "listen 80" server block that
    # returns 301 to https://$host$request_uri; do not serve content on port 80.
    # Rest of your configuration...
}
3. Node.js HTTPS Server
const https = require('https');
const http = require('http');
const fs = require('fs');
const express = require('express');

const app = express();
const HOSTNAME = 'yourdomain.com';

const options = {
  // Private key and full chain (leaf + intermediates) as issued by Certbot.
  // The process needs read access to the key; restrict that to a dedicated user.
  key: fs.readFileSync('/path/to/privkey.pem'),
  cert: fs.readFileSync('/path/to/fullchain.pem'),
  // Modern TLS settings: no TLS 1.0/1.1, AEAD suites with forward secrecy,
  // server-chosen order (TLS 1.3 suites are handled separately by Node/OpenSSL)
  minVersion: 'TLSv1.2',
  ciphers: [
    'ECDHE-ECDSA-AES128-GCM-SHA256',
    'ECDHE-RSA-AES128-GCM-SHA256',
    'ECDHE-ECDSA-AES256-GCM-SHA384',
    'ECDHE-RSA-AES256-GCM-SHA384'
  ].join(':'),
  honorCipherOrder: true
  // Do NOT set requestCert/rejectUnauthorized here: those turn on client
  // certificate authentication (mutual TLS) and would reject every browser that
  // has no client certificate. They have nothing to do with OCSP stapling, which
  // in Node is served through the server's 'OCSPRequest' event.
};

// HSTS: only send this once every host under the domain is served over HTTPS
// app.use((req, res, next) => {
//   res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
//   next();
// });

// Your routes here
app.get('/', (req, res) => {
  res.send('Hello Secure World!');
});

// Create HTTPS server (binding 443 and 80 needs root or CAP_NET_BIND_SERVICE)
const server = https.createServer(options, app);
server.listen(443, () => {
  console.log('HTTPS server running on port 443');
});

// Redirect HTTP to HTTPS. This has to be a separate listener on port 80: a
// request that reaches the HTTPS server is already secure, so a redirect
// middleware inside `app` would never fire. Redirect to the configured hostname
// instead of echoing the client-supplied Host header back into the Location.
http.createServer((req, res) => {
  res.writeHead(301, { Location: `https://${HOSTNAME}${req.url}` });
  res.end();
}).listen(80);
4. Testing SSL Configuration
# Test SSL configuration (shows the negotiated protocol, cipher and certificate chain)
curl -vI https://yourdomain.com
# Check SSL certificate (redirect stdin so s_client exits instead of waiting for input)
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null
# Test SSL Labs rating
# Visit: https://www.ssllabs.com/ssltest/analyze.html?d=yourdomain.com
⚠️ Common SSL/TLS Mistakes
Using outdated SSL/TLS versions (TLS 1.0, 1.1)
Weak cipher suites
Serving only the leaf certificate without its intermediates (use fullchain.pem, not cert.pem)
Not enabling HSTS
Mixed content (HTTPS pages that load scripts, styles or images over plain HTTP)
✅ SSL/TLS Best Practices
Use TLS 1.2 or 1.3 only
Enable HSTS with proper configuration
Implement OCSP stapling where the CA supports it (Let's Encrypt has announced it is phasing out OCSP in favour of CRLs, so check that your certificate still carries an OCSP responder URL before relying on it)
Use strong cipher suites
Automate renewal and monitor expiry rather than relying on someone remembering to renew
Certificate Information
# View certificate details
openssl x509 -in /etc/letsencrypt/live/yourdomain.com/cert.pem -text -noout
# Check certificate expiration
openssl x509 -in /etc/letsencrypt/live/yourdomain.com/cert.pem -enddate -noout
# Verify certificate chain. chain.pem holds the intermediate(s), not a root, so pass it
# as untrusted and let openssl build the path to a root in the system trust store
openssl verify -untrusted /etc/letsencrypt/live/yourdomain.com/chain.pem /etc/letsencrypt/live/yourdomain.com/cert.pem
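The testing commands in section 4 and the certificate checks above can be folded into one script that runs against a Certbot live directory and exits non-zero on a finding, so it can gate a deployment or run from cron. This is an added example, not code from the original page: the script name tls_check.sh, the /etc/letsencrypt/live layout, the 30-day threshold and the --probe flag are assumptions. The file checks run offline; only the final live probe needs network access.

```shell
#!/bin/sh
# tls_check.sh (added example): sanity checks for a deployed certificate.
# Each function returns 0 when the check passes and non-zero on a finding.

# Does the certificate stay valid for at least $2 more days? Uses openssl's own
# -checkend, so no date arithmetic is needed (portable across GNU and BSD userlands).
cert_valid_for_days() {
    cert=$1
    days=$2
    openssl x509 -noout -in "$cert" -checkend $((days * 86400)) >/dev/null 2>&1
}

# Chain and hostname in one call. $2 holds the intermediates (Certbot's chain.pem)
# and is passed as -untrusted; the root comes from the system trust store unless a
# root bundle is given as $4. Hostname matching uses the SAN list, with the CN only
# as a fallback when the certificate carries no SAN at all.
cert_verifies() {
    cert=$1
    intermediates=$2
    host=$3
    roots=${4:-}
    if [ -n "$roots" ]; then
        openssl verify -CAfile "$roots" -untrusted "$intermediates" \
            -verify_hostname "$host" "$cert" >/dev/null 2>&1
    else
        openssl verify -untrusted "$intermediates" \
            -verify_hostname "$host" "$cert" >/dev/null 2>&1
    fi
}

# Live probe: a hardened server must refuse TLS 1.0 and 1.1 handshakes. Needs network
# access. If the local openssl itself no longer speaks those versions the handshake
# also fails, so treat a pass here as a hint and confirm with the SSL Labs report.
legacy_tls_rejected() {
    host=$1
    for v in -tls1 -tls1_1; do
        if openssl s_client -connect "$host:443" -servername "$host" "$v" \
               </dev/null >/dev/null 2>&1; then
            return 1
        fi
    done
    return 0
}

# Offline checks for one Certbot live directory ($1) serving hostname $2.
check_live_dir() {
    dir=$1
    host=$2
    status=0
    cert_valid_for_days "$dir/cert.pem" 30 || {
        echo "WARN: $host certificate expires within 30 days"; status=1; }
    cert_verifies "$dir/cert.pem" "$dir/chain.pem" "$host" || {
        echo "FAIL: $host chain or hostname does not verify"; status=1; }
    return $status
}

# Usage: sh tls_check.sh /etc/letsencrypt/live/yourdomain.com yourdomain.com [--probe]
if [ $# -ge 2 ]; then
    check_live_dir "$1" "$2" || exit 1
    if [ "${3:-}" = "--probe" ]; then
        legacy_tls_rejected "$2" || { echo "FAIL: $2 still accepts TLS 1.0/1.1"; exit 1; }
    fi
    echo "OK: $2"
fi
```

The expiry check deliberately uses a 30-day threshold, the same window in which certbot renew would already have acted, so a warning here means renewal is not running.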