If you want to use the same IP for few sites, you need SNI support by target browsers (some legacy browser have not it).

For HTTP2 modern browser use ALPN instead NPN, so check what you have installed OpenSSL with version 1.0.2+ to have ALPN!

I assume you have certificates, for example, I write how to obtain it in previous post.

Yes you can think this is yet another SSL configuration for nginx, so this is my result after longspun research:

server {
    listen 443 ssl http2;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    ssl_stapling on;
    ssl_stapling_verify on;


    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE:+AES256:-3DES:RSA+AES:!NULL:!RC4';

    add_header Strict-Transport-Security "max-age=15768000";

Some notes about this configuration:

  • you should set ssl_trusted_certificate to enable ssl_stapling
  • as resolver you can use your local DNS like dnsmasq
  • ssl_session_tickets should be off for all server configurations otherwise you can get strage error in some browser, so it’s better to set it in http {}
  • Strict-Transport-Security header should have age more than six months, which one add + to your grade
  • for ssl_ciphers I use ECDHE ciphers instead DHE, so no need to set ssl_dhparam and generate dhparam.pem with 2048 bits

As result I get ‘A+’ by SSL Server Test from SSL Labs.

P.S. You can check configuration generator for different web servers with recommendations from Mozilla.