What Is TLS Configurator?

TLS Configurator is a web-based tool provided by TLSRef that allows you to easily generate secure TLS configurations. By visiting the official site at https://configurator.tlsref.org/, you can create configuration files for various server software including nginx and Apache. The ability to select profiles aligned with Mozilla and SSL Labs guidelines is a key strength.

📑Table of Contents
  1. What Is TLS Configurator?
  2. Supported Server Software and Options
  3. Differences Between Modern, Intermediate, and Old Profiles
  4. Configuration Generation Steps and Example Output
  5. Roles of HSTS and OCSP Stapling
  6. Frequently Asked Questions
  7. Summary and Recommended Usage

First, let’s explain what TLS Configurator is. This tool is a client-side JavaScript-based generator. By entering the server version and OpenSSL version, it automatically creates settings that meet the latest security requirements while maintaining compatibility. The Intermediate profile is set as default and recommended for most systems. According to the official documentation at https://docs.tlsref.org/Security/Server_Side_TLS, it supports more than 20 types of software.


Supported Server Software and Options

Next, let’s look at the supported server software and options. The main supported software includes the following.

| Software | Example Versions | Notes |
|---|---|---|
| nginx | 1.18+ | HTTP/2 support |
| Apache | 2.4+ | Uses mod_ssl |
| Postfix | 3.4+ | SMTP encryption |
| HAProxy | 2.2+ | Load balancer |
| Caddy | 2.x | Auto HTTPS |
| Dovecot | 2.3+ | IMAP/POP3 |
| MySQL | 8.0+ | Database connections |
| PostgreSQL | 12+ | Database connections |
| Redis | 6.0+ | Caching |

After selecting the software, you can input version information to customize the configuration. The generated settings can be copied to the clipboard and applied directly to production environments.


Differences Between Modern, Intermediate, and Old Profiles

Let’s compare the differences between the three profiles: Modern, Intermediate, and Old. Each offers a different balance of security level and compatibility.

| Profile | TLS Versions | Recommended Cipher Suites | Compatibility | Use Case |
|---|---|---|---|---|
| Modern | TLS 1.3 only | Latest AEAD only | Low (incompatible with old clients) | Cutting-edge new builds |
| Intermediate | TLS 1.2/1.3 | Balanced (CHACHA20-POLY1305 etc.) | High | Almost all production environments (recommended) |
| Old | TLS 1.0/1.1/1.2 | Broad (includes 3DES) | Highest | Legacy systems |

Intermediate is explicitly recommended by the official documentation as suitable for “almost all systems” and represents the optimal balance between security and compatibility. Modern provides the highest security but carries the risk of connection failures with older browsers or clients. Old prioritizes compatibility the most but is not recommended due to higher security risks.


Configuration Generation Steps and Example Output

The actual configuration generation steps are simple. First, access the site and select the target server software. Next, input the Server Version and OpenSSL Version. Select the profile and enable the HSTS redirect and OCSP Stapling checkboxes. Finally, click the “Generate” button to obtain the configuration file. As an output example, for nginx, a server block like the following is generated.

server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:...';
    ssl_prefer_server_ciphers on;
    # HSTS
    add_header Strict-Transport-Security "max-age=63072000" always;
    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /path/to/chain.pem;
}

This process completes a secure configuration in just a few minutes.
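As an added example (not part of the original article and not the tool's own code), the following Python script parses the TLS-relevant directives of an nginx server block like the one above, maps the enabled protocol set onto the Modern, Intermediate and Old profiles from the comparison table, and flags the weak choices the Old profile permits (TLS 1.0/1.1, 3DES, suites without forward secrecy) as well as a missing HSTS header or disabled OCSP stapling. The two configurations embedded in it are constructed samples, not output of the tool, and the weak-suite markers and profile rules are this example's own simplifications of the profile definitions.

```python
import re
import shlex

# Constructed sample nginx server blocks (not output of the tool): the first
# mirrors the choices the Old profile permits, the second the Intermediate
# profile that the article recommends as the default.
OLD_STYLE_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:AES128-SHA';
    ssl_prefer_server_ciphers on;
}
"""

INTERMEDIATE_CONF = """
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=63072000" always;
    ssl_stapling on;
    ssl_stapling_verify on;
}
"""

# One nginx directive per line: the name, then its arguments up to the ';'.
DIRECTIVE_RE = re.compile(
    r"^\s*(ssl_protocols|ssl_ciphers|ssl_stapling|ssl_stapling_verify|add_header)"
    r"\s+(.+?);\s*$",
    re.MULTILINE,
)

# Protocol versions that only the Old profile still allows.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_ssl_directives(conf: str) -> dict:
    """Collect the TLS-relevant directives of an nginx config as name -> argument list."""
    found = {}
    for name, args in DIRECTIVE_RE.findall(conf):
        tokens = shlex.split(args)  # honours the quoting nginx uses for cipher lists and headers
        if name == "add_header":
            # add_header <name> <value> [always]; keep only the HSTS value
            if len(tokens) >= 2 and tokens[0].lower() == "strict-transport-security":
                found["hsts"] = tokens[1]
            continue
        found[name] = tokens
    return found


def classify_profile(directives: dict) -> str:
    """Map the enabled protocol set onto the article's Modern / Intermediate / Old profiles."""
    protocols = set(directives.get("ssl_protocols", []))
    if protocols & WEAK_PROTOCOLS:
        return "Old"
    if protocols == {"TLSv1.3"}:
        return "Modern"
    if protocols == {"TLSv1.2", "TLSv1.3"}:
        return "Intermediate"
    return "Unknown"


def audit_config(conf: str) -> dict:
    """Return the inferred profile plus the findings a reviewer would raise."""
    d = parse_ssl_directives(conf)
    findings = []
    for proto in d.get("ssl_protocols", []):
        if proto in WEAK_PROTOCOLS:
            findings.append(f"weak protocol enabled: {proto}")
    # ssl_ciphers takes a single colon-separated OpenSSL cipher string
    cipher_string = d.get("ssl_ciphers", [""])[0]
    for suite in filter(None, cipher_string.split(":")):
        # Simplified markers for the weak families the Old profile still includes
        if any(marker in suite for marker in ("DES", "RC4", "NULL", "MD5")):
            findings.append(f"weak cipher suite: {suite}")
        elif not suite.startswith(("ECDHE-", "DHE-")):
            findings.append(f"no forward secrecy: {suite}")
    if "hsts" not in d:
        findings.append("HSTS header missing")
    if d.get("ssl_stapling") != ["on"]:
        findings.append("OCSP stapling not enabled")
    return {"profile": classify_profile(d), "findings": findings}


if __name__ == "__main__":
    for label, conf in (("old-style", OLD_STYLE_CONF), ("intermediate", INTERMEDIATE_CONF)):
        result = audit_config(conf)
        print(f"{label}: profile={result['profile']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Run it against a saved server block before the copy-and-paste step: the old-style sample comes back as profile Old with six findings, while the Intermediate sample produces none. The checks are deliberately narrow (they look only at the directives the tool emits) and are no substitute for the external scan the FAQ recommends.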


Roles of HSTS and OCSP Stapling

Let’s understand the roles of HSTS and OCSP Stapling. HSTS (HTTP Strict Transport Security) is a response header that instructs browsers to connect to the site only over HTTPS for the stated period, which blocks downgrade and SSL-stripping man-in-the-middle attacks on later visits. Setting max-age to 63072000 seconds (2 years) is common. OCSP Stapling, on the other hand, is a mechanism in which the server periodically fetches its certificate’s revocation status from the CA’s OCSP responder and attaches (staples) the signed response to the TLS handshake; because the client no longer has to contact the CA itself, this protects privacy and improves performance. Enabling these options in the tool eliminates the need for additional manual configuration.
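To make the max-age trade-off concrete, here is an added Python example (not from the article or the tool) that parses a Strict-Transport-Security header value into its RFC 6797 directives and reports what to watch at each rollout stage: a short max-age for a first deployment, the 2-year value for production, and max-age=0 as the only way to tell browsers to discard a cached policy. The stage names, the 300-second test threshold and the preload-list minimum (one year with includeSubDomains, per hstspreload.org) are this example's own assumptions.

```python
# hstspreload.org submission requirements (assumed stable here): max-age of at
# least one year, includeSubDomains, and the preload token.
PRELOAD_MIN_MAX_AGE = 31536000
TWO_YEARS = 63072000          # the value the article's generated config uses
SHORT_TEST_MAX_AGE = 300      # constructed threshold for a first, reversible rollout


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security header value (RFC 6797 directives)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # RFC 6797 allows a quoted max-age value
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {arg!r}")
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        elif name:
            raise ValueError(f"unknown HSTS directive: {name}")
    if policy["max_age"] is None:
        raise ValueError("max-age is required")
    return policy


def assess_hsts(value: str, stage: str) -> list:
    """Warnings for a header value at a rollout stage: 'test', 'production' or 'rollback'."""
    p = parse_hsts(value)
    warnings = []
    if stage == "test" and p["max_age"] > SHORT_TEST_MAX_AGE:
        warnings.append("first deployment: use a short max-age so a mistake expires quickly")
    if stage == "production" and p["max_age"] < TWO_YEARS:
        warnings.append("production: raise max-age to 63072000 (2 years) as in the generated config")
    # Browsers only drop a cached policy when they see max-age=0 on a later
    # HTTPS visit; clients that never return keep it until the old max-age expires.
    if stage == "rollback" and p["max_age"] != 0:
        warnings.append("rollback: only max-age=0 tells browsers to discard the cached policy")
    if p["preload"]:
        if not p["include_subdomains"] or p["max_age"] < PRELOAD_MIN_MAX_AGE:
            warnings.append("preload requires includeSubDomains and max-age >= 31536000")
        if stage != "production":
            warnings.append("preload is effectively permanent: add it only once production is stable")
    return warnings


if __name__ == "__main__":
    # Constructed header values for the three stages
    for header, stage in (
        ("max-age=300", "test"),
        ("max-age=63072000", "production"),
        ("max-age=63072000; includeSubDomains; preload", "test"),
        ("max-age=0", "rollback"),
    ):
        print(f"{stage:10} {header!r}: {assess_hsts(header, stage) or 'ok'}")
```

The value the tool emits, max-age=63072000, passes the production check unchanged; the same value on a first deployment is reported, which is the situation the FAQ warns about.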


Frequently Asked Questions

Here are answers to frequently asked questions (FAQ).

Q: Which profile should I choose?

Intermediate is recommended. It offers a good balance of security and compatibility and works without issues in most environments. Modern is for the latest environments only, while Old is for legacy systems.

Q: What should I check before applying the generated configuration to production?

We recommend scanning with Qualys SSL Labs Server Test (https://www.ssllabs.com/ssltest/). Aim for an A+ rating.

Q: Can HSTS be reverted once it is enabled?

If max-age is long, browser caches may remain, so test with a short period first. Be cautious when registering with the preload list.

Q: Does it also support mail servers such as Postfix and Dovecot?

Yes. It supports more than 20 types of software including Postfix, Dovecot, and MySQL. Secure settings for mail encryption can also be generated.

Q: Is the tool free to use?

It is a completely free web tool. Templates can also be added via the GitHub repository (https://github.com/tlsref/configurator).

Q: What happens if I am using an old OpenSSL version?

The tool automatically adjusts for compatibility, but we recommend updating to OpenSSL 1.1.1 or later whenever possible.


Summary and Recommended Usage

Finally, here is a summary and recommended usage. TLS Configurator is a convenient tool that dramatically simplifies the generation of TLS configurations. It allows you to create reliable settings based on official sources in a short time, making it a powerful aid for server administrators and developers. Start by trying the Intermediate profile, verify with Qualys SSL Labs, and then apply to production. Regularly reviewing your configurations will help maintain the latest security standards at all times. For more details, please check the official site (https://configurator.tlsref.org/) and the guide (https://docs.tlsref.org/Security/Server_Side_TLS).

Author

krona23

Over 20 years in the IT industry, serving as Division Head and CTO at multiple companies running large-scale web services in Japan. Experienced across Windows, iOS, Android, and web development. Currently focused on AI-native transformation. At DevGENT, sharing practical guides on AI code editors, automation tools, and LLMs in three languages.
