Upgrading to Nginx 1.16 From 1.15

With the release of Nginx 1.16, Nginx 1.15 has now reached end-of-life and will no longer receive bug fixes or security updates. For that reason, we recommend that users update Nginx to version 1.16. Before doing so, we recommend that you create a server snapshot via your server provider’s control panel.

SSH to your server using a sudo user and run the following commands:

sudo add-apt-repository ppa:ondrej/nginx
sudo apt-get update
sudo apt-get -y install nginx

When asked about modified config files:

“Package distributor has shipped an updated version. What would you like to do about it?”

Hit ‘N’ to keep the current config files.

Enabling TLS 1.3

As this version of Nginx is compiled against a more recent version of OpenSSL, TLS 1.3 support can be enabled. Now would also be a good time to remove some older less secure TLS versions. Open the following file:

sudo nano /etc/nginx/global/https.conf

Replace:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

With:

ssl_protocols TLSv1.2 TLSv1.3;

More secure ciphers can also be used without sacrificing client compatibility.

Replace:

ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";

With:

ssl_ciphers EECDH+CHACHA20:EECDH+AES;
ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;

You will also need to update your Nginx catch-all configuration to include the more secure HTTPS defaults. Open the following file:

sudo nano /etc/nginx/sites-available/no-default

Add the following line before the return directive:

include global/https.conf;

To verify that there are no issues with your Nginx configuration you can run:

sudo nginx -t

Finally, restart Nginx for the changes to take effect:

sudo service nginx restart

Start Your 7-Day Free Trial

Start your SpinupWP journey today and spin up your first server within minutes.

Start Your Free Trial

No credit card required

Subscribe to get the latest news, updates and optimizations in performance and security.

Thanks for subscribing 👍

To receive awesome stuff, you'll need to head to your inbox and click on the verification link we sent you.
Make sure to check your "spam" folder or your "promotions" tab (if you have Gmail).
If you're still having trouble, then messages us at sudo@spinupwp.com.

You are already logged in

It looks like you are already logged in to SpinupWP.

Please log out of this account to continue.

Registration Successful

Thanks for registering for a new
SpinupWP account.

Before getting started, could you verify your email address by clicking on the link we just emailed to you?

SpinupWP

Free Trial

Start Your 7-Day Free Trial

No credit card required. All features included.

By signing up to SpinupWP, you agree to our Terms and Conditions.
For privacy related information, view our Privacy Policy.