Here's what the directives do:
- listen 443 ssl: Firstly, we tell NGINX to listen on port 443 (the HTTPS standard) using the SSL protocol. Previously, we'd simply told NGINX to listen on port 80, and it used HTTP by default.
- ssl_certificate: This is the location of the public key, which needs to be in the PEM format. If your CA also provided intermediate certificates, then they also need to be in this file.
- ssl_certificate_key: This is the location of the private key, and it also needs to be in PEM format. This key needs to be kept safe to ensure the integrity of your certificate—it should only reside on the server.
- ssl_protocols: Here, we specify what variants of the SSL protocols we want to make available. The easiest default is to support Transport Layer Security (TLS), which is the successor to the older SSL protocol. As both SSLv2 and SSLv3 have had significant flaws exposed in recent years, they should only be enabled as a last resort.
- ssl_ciphers: The ciphers dictate the type of encryption used and at what level. The default of HIGH:!aNULL:!MD5 means that we use only high grade (128-bit and higher), authenticated (the exclamation means NOT) encryption and not MD5 hashing. The defaults are secure and shouldn't be changed without a good reason.