
    TLS Configuration Generator

    Generate secure TLS/SSL configurations for Nginx, Apache, HAProxy, and Caddy. Based on Mozilla's recommended settings. 100% client-side.

    Configuration Options

    Choose your server and security level

    Intermediate (Grade A): TLS 1.2 + 1.3. Best balance of security and compatibility.

    Protocols: TLSv1.2, TLSv1.3

    Compatibility: Firefox 27+, Chrome 31+, Safari 9+, Edge 12+, Android 5+, iOS 9+

    Generated Configuration

    Ready to paste into your nginx.conf

    # Nginx TLS Configuration
    # Security Level: Intermediate (Grade A)
    # Generated by WebGuarder — 2026-03-14
    
    ssl_protocols TLSv1.2 TLSv1.3;
    # With nginx built against OpenSSL, ssl_ciphers controls the TLS 1.2 suites only;
    # the TLS_* names are TLS 1.3 suites, which this directive does not enable or disable.
    ssl_ciphers 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;
    
    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;
    
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    
    # Diffie-Hellman parameter (generate with: openssl dhparam -out /etc/nginx/dhparam.pem 2048)
    ssl_dhparam /etc/nginx/dhparam.pem;
    
    # OCSP Stapling (ssl_stapling_verify requires the issuer chain to be trusted via ssl_trusted_certificate)
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 8.8.8.8 valid=300s;
    resolver_timeout 5s;
    
    # HSTS (63072000 seconds = 2 years)
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    Cipher Suites (11)

    Enabled cipher suites for this configuration

    1. TLS_AES_256_GCM_SHA384 (TLS 1.3)
    2. TLS_CHACHA20_POLY1305_SHA256 (TLS 1.3, mobile-optimized)
    3. TLS_AES_128_GCM_SHA256 (TLS 1.3)
    4. ECDHE-ECDSA-AES256-GCM-SHA384
    5. ECDHE-RSA-AES256-GCM-SHA384
    6. ECDHE-ECDSA-CHACHA20-POLY1305 (mobile-optimized)
    7. ECDHE-RSA-CHACHA20-POLY1305 (mobile-optimized)
    8. ECDHE-ECDSA-AES128-GCM-SHA256
    9. ECDHE-RSA-AES128-GCM-SHA256
    10. DHE-RSA-AES256-GCM-SHA384
    11. DHE-RSA-AES128-GCM-SHA256

    About TLS Configuration

    Transport Layer Security (TLS) encrypts data between your server and visitors. Proper configuration is critical — weak settings can expose your users to man-in-the-middle attacks, downgrade attacks, and data interception.

    Best Practices

    • Use TLS 1.2+ (disable TLS 1.0/1.1 if possible)
    • Enable HSTS with long max-age
    • Use OCSP Stapling for faster connections
    • Prefer ECDHE key exchange (forward secrecy)
    • Generate strong DH parameters (2048+ bits)
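
    The practices above can be checked mechanically before a config is deployed. The linter below is an added example, not part of WebGuarder's tool: `audit_tls`, `parse_directives`, the one-year HSTS threshold and the sample legacy config are assumptions made for illustration. It expects one directive per line, as in the generated output.

```python
import re

# Assumption for this example: "long max-age" means at least one year.
MIN_HSTS_MAX_AGE = 31536000
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_directives(conf):
    """Map each nginx directive name to a list of its argument strings."""
    directives = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or not line.endswith(";"):
            continue
        name, _, args = line[:-1].partition(" ")
        directives.setdefault(name, []).append(args.strip())
    return directives

def audit_tls(conf):
    """Return findings for settings that miss the best practices listed above."""
    d = parse_directives(conf)
    findings = []
    protocols = set(" ".join(d.get("ssl_protocols", [])).split())
    for proto in sorted(protocols & WEAK_PROTOCOLS):
        findings.append(f"weak protocol enabled: {proto}")
    suites = " ".join(d.get("ssl_ciphers", [])).strip("'\"").split(":")
    # TLS 1.3 suite names (TLS_*) always use an ephemeral key exchange; skip them.
    suites = [s for s in suites if s and not s.startswith("TLS_")]
    for suite in suites:
        if not suite.startswith(("ECDHE-", "DHE-")):
            findings.append(f"no forward secrecy: {suite}")
    if any(s.startswith("DHE-") for s in suites) and "ssl_dhparam" not in d:
        findings.append("DHE suites enabled but ssl_dhparam is not set")
    if d.get("ssl_stapling") != ["on"]:
        findings.append("OCSP stapling is not enabled")
    hsts = [a for a in d.get("add_header", []) if a.startswith("Strict-Transport-Security")]
    age = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    if not age or int(age.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append("HSTS missing or max-age too short")
    return findings

# Constructed sample: a legacy config that misses several of the practices.
LEGACY_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES128-SHA';
add_header Strict-Transport-Security "max-age=3600" always;
"""

if __name__ == "__main__":
    print("\n".join(audit_tls(LEGACY_CONF)))
```

    A static check like this only reads the file; what the server actually negotiates still has to be confirmed with the tests listed under Testing Your Config.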

    Testing Your Config

    • Use WebGuarder's SSL Checker
    • Test with openssl s_client
    • Check SSL Labs (ssllabs.com/ssltest)
    • Verify cipher order with nmap --script ssl-enum-ciphers

    This tool generates configurations client-side based on Mozilla's recommended settings. No data is sent to any server. Always test in a staging environment first.