Upgrading to Nginx 1.16 From 1.15
With the release of Nginx 1.16, Nginx 1.15 has now reached end-of-life and will no longer receive bug fixes or security updates. For that reason, we recommend that users update Nginx to version 1.16. Before doing so, we recommend that you create a server snapshot via your server provider’s control panel.
SSH to your server using a sudo user and run the following commands:
sudo add-apt-repository ppa:ondrej/nginx
sudo apt-get update
sudo apt-get -y install nginx
When asked about modified config files:
“Package distributor has shipped an updated version. What would you like to do about it?”
Hit ‘N’ to keep the current config files.
Enabling TLS 1.3
As this version of Nginx is compiled against a more recent version of OpenSSL, TLS 1.3 support can be enabled. Now would also be a good time to remove the older, less secure TLS versions (TLS 1.0 and 1.1). Open the following file:
sudo nano /etc/nginx/global/https.conf
Replace:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
With:
ssl_protocols TLSv1.2 TLSv1.3;
More secure ciphers can also be used without sacrificing client compatibility.
Replace:
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
With:
ssl_ciphers EECDH+CHACHA20:EECDH+AES;
ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
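The two replacements above are easy to get slightly wrong by hand (a stray TLSv1 left in the list, or a cipher string that still carries a 3DES or static-RSA suite). The following POSIX shell script is an added example, not part of the original post, that audits a config fragment such as /etc/nginx/global/https.conf for exactly those leftovers. It runs against two constructed sample files representing the "before" and "after" states shown above; the file names, the function names and the weak-cipher patterns are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an Nginx TLS config
# fragment (such as /etc/nginx/global/https.conf) for the legacy settings
# this guide removes. Everything below runs on constructed sample files.

# Pass only when the last ssl_protocols directive lists TLSv1.3 and
# no longer lists SSLv3, TLSv1 or TLSv1.1.
check_ssl_protocols() {
    line=$(grep -E '^[[:space:]]*ssl_protocols[[:space:]]' "$1" | tail -n 1 | tr ';' ' ')
    [ -n "$line" ] || return 1
    case " $line " in
        *" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*) return 1 ;;
    esac
    case " $line " in
        *" TLSv1.3 "*) return 0 ;;
    esac
    return 1
}

# Pass only when every token in ssl_ciphers is an ephemeral (forward-secret)
# ECDHE/DHE family and none names 3DES, RC4, MD5, NULL or EXPORT.
# "!" exclusions are skipped because they remove suites rather than add them.
check_ssl_ciphers() {
    raw=$(grep -E '^[[:space:]]*ssl_ciphers[[:space:]]' "$1" | tail -n 1)
    [ -n "$raw" ] || return 1
    ciphers=$(printf '%s' "$raw" | sed -e 's/^[[:space:]]*ssl_ciphers[[:space:]]*//' -e 's/[";]//g' -e "s/'//g")
    status=0
    old_ifs=$IFS
    IFS=:
    set -f                                        # no globbing while splitting on ':'
    for token in $ciphers; do
        case "$token" in
            !*) ;;                                # exclusion, not a suite
            *DES*|*RC4*|*MD5*|*NULL*|*EXPORT*) status=1 ;;
            ECDHE*|DHE*|EECDH*|EDH*) ;;           # ephemeral key exchange, keep
            *) status=1 ;;                        # static RSA suite, no forward secrecy
        esac
    done
    set +f
    IFS=$old_ifs
    return $status
}

# Combined verdict; prints one line per check so it reads well interactively.
audit_tls_config() {
    ok=0
    if check_ssl_protocols "$1"; then echo "protocols: ok"; else echo "protocols: legacy TLS still enabled"; ok=1; fi
    if check_ssl_ciphers "$1"; then echo "ciphers:   ok"; else echo "ciphers:   weak or non-ephemeral suites present"; ok=1; fi
    return $ok
}

# Constructed sample fragments: the "before" and "after" states from the guide.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
BEFORE_CONF="$SAMPLE_DIR/https-before.conf"
AFTER_CONF="$SAMPLE_DIR/https-after.conf"
cat > "$BEFORE_CONF" <<'EOF'
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!DSS";
EOF
cat > "$AFTER_CONF" <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+CHACHA20:EECDH+AES;
ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
EOF

echo "== before =="
audit_tls_config "$BEFORE_CONF" || echo "-> remediation needed"
echo "== after  =="
audit_tls_config "$AFTER_CONF" || echo "-> remediation needed"
```

To run it against a live server, point audit_tls_config at the real https.conf instead of the constructed files. The check is purely static; once Nginx has been restarted, the negotiated result can be confirmed from a client with `openssl s_client -connect example.com:443 -tls1_3` (OpenSSL 1.1.1 or later), which should complete a handshake only when TLS 1.3 is actually enabled.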
You will also need to update your Nginx catch-all configuration to include the more secure HTTPS defaults. Open the following file:
sudo nano /etc/nginx/sites-available/no-default
Add the following line before the return directive:
include global/https.conf;
To verify that there are no issues with your Nginx configuration you can run:
sudo nginx -t
Finally, restart Nginx for the changes to take effect:
sudo service nginx restart