TLS Hardening for Docker-Hosted Services: A Practical Guide
InfraPilot Team
January 28, 2026
The Problem with "Just Enable HTTPS"
Most developers enable HTTPS by pointing a domain at their server and running certbot. The certificate is valid, the padlock is green — but the TLS configuration underneath may still allow TLS 1.0, weak cipher suites, or insecure renegotiation. These aren't theoretical risks; they're the weaknesses exploited by POODLE, BEAST, and DROWN.
Getting from a valid cert to a true A+ configuration takes about 15 minutes once you know what to change.
What an A+ Configuration Looks Like
- TLS 1.2 and 1.3 only — TLS 1.0 and 1.1 disabled
- Strong cipher suites (ECDHE, AES-GCM, ChaCha20)
- HTTP Strict Transport Security (HSTS) with a long max-age
- OCSP stapling enabled
- Session tickets disabled or rotated frequently
- Perfect Forward Secrecy (PFS) enforced
The Nginx Configuration
Add this to your server block (or a shared ssl.conf included everywhere):
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
Generating a Strong DH Parameter
For TLS 1.2 cipher suites that use DHE (not ECDHE) key exchange, you need a strong DH parameter file. The ECDHE-only cipher list above never touches it, so this step only matters if you add DHE-* suites:
openssl dhparam -out /etc/nginx/dhparam.pem 4096
Then reference it in Nginx: ssl_dhparam /etc/nginx/dhparam.pem;
Note: TLS 1.3 negotiates its key-exchange groups itself and ignores ssl_dhparam — the file only affects TLS 1.2 DHE suites offered to older clients.
Security Headers
While you're in the Nginx config, add these security headers; each one shuts off a common browser-side attack surface (clickjacking via framing, MIME-type sniffing, referrer leakage, and unwanted access to device features):
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
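The TLS directives in the Nginx configuration section and the headers above are easy to get subtly wrong in a shared ssl.conf, so here is an added example (not part of the original post and not InfraPilot code): a POSIX shell linter that checks a config snippet against the A+ checklist. The two snippets it runs on are constructed for the demonstration, one copied from this post and one deliberately weak; the thresholds it applies (ECDHE-only suites, an HSTS max-age of at least one year) are assumptions drawn from the checklist, not from any official scoring rules.

```shell
#!/bin/sh
# Added example: lint an Nginx TLS/header snippet against the A+ checklist.
# lint_tls_config prints one finding per line; no output means every check passed.

lint_tls_config() {
    cfg="$1"

    # 1. Protocols: anything older than TLS 1.2 is a finding.
    if printf '%s\n' "$cfg" | grep -E '^[[:space:]]*ssl_protocols' \
        | grep -Eq '[[:space:]](SSLv2|SSLv3|TLSv1|TLSv1\.1)([[:space:]]|;)'; then
        echo "weak protocol enabled: ssl_protocols must be TLSv1.2 TLSv1.3 only"
    fi

    # 2. Ciphers: every TLS 1.2 suite must be ECDHE-* so forward secrecy holds.
    #    Exclusions (!aNULL etc.) are tolerated; aliases such as HIGH are flagged
    #    because they expand to a list you did not review.
    ciphers=$(printf '%s\n' "$cfg" \
        | sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*\(.*\);.*$/\1/p' | head -n 1)
    if [ -z "$ciphers" ]; then
        echo "ssl_ciphers not set: Nginx falls back to its built-in default list"
    else
        for suite in $(printf '%s\n' "$ciphers" | tr ':' ' '); do
            case "$suite" in
                ECDHE-*) ;;
                !*) ;;
                *) echo "non-ECDHE entry in ssl_ciphers: $suite" ;;
            esac
        done
    fi

    # 3. Session tickets must be explicitly off (rotation cannot be seen here).
    if ! printf '%s\n' "$cfg" \
        | grep -Eq '^[[:space:]]*ssl_session_tickets[[:space:]]+off[[:space:]]*;'; then
        echo "ssl_session_tickets is not off: a static ticket key undermines forward secrecy"
    fi

    # 4. OCSP stapling.
    if ! printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*ssl_stapling[[:space:]]+on[[:space:]]*;'; then
        echo "ssl_stapling is not on"
    fi

    # 5. HSTS: present, with max-age of at least one year (31536000 s, an assumed threshold).
    hsts_age=$(printf '%s\n' "$cfg" \
        | sed -n 's/.*Strict-Transport-Security.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$hsts_age" ]; then
        echo "no Strict-Transport-Security header"
    elif [ "$hsts_age" -lt 31536000 ]; then
        echo "HSTS max-age=$hsts_age is below one year (31536000)"
    fi

    # 6. The other headers from the post.
    for hdr in X-Frame-Options X-Content-Type-Options Referrer-Policy Permissions-Policy; do
        if ! printf '%s\n' "$cfg" | grep -Eq "^[[:space:]]*add_header[[:space:]]+$hdr[[:space:]]"; then
            echo "missing security header: $hdr"
        fi
    done
    return 0
}

# Number of findings, as a plain integer.
count_findings() {
    lint_tls_config "$1" | wc -l | tr -d '[:space:]'
}

# Constructed sample 1: the directives from this post.
NGINX_GOOD='
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
'

# Constructed sample 2: a deliberately weak "just enable HTTPS" snippet.
NGINX_WEAK='
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_tickets on;
add_header Strict-Transport-Security "max-age=300";
'

echo "== hardened snippet: $(count_findings "$NGINX_GOOD") finding(s) =="
lint_tls_config "$NGINX_GOOD"
echo "== weak snippet: $(count_findings "$NGINX_WEAK") finding(s) =="
lint_tls_config "$NGINX_WEAK"
```

Two things the linter cannot see from a snippet alone: Nginx does not merge add_header across levels, so a location block that adds any header of its own silently drops the inherited HSTS and security headers unless you repeat them there; and ssl_stapling_verify on needs a resolver directive plus ssl_trusted_certificate pointing at the issuer chain, otherwise Nginx logs stapling failures instead of stapling. Because the post's cipher list is ECDHE-only, the ssl_dhparam file from the DH section is also never consulted unless DHE-* suites are added.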
Monitoring TLS Health with InfraPilot
InfraPilot's security dashboard continuously monitors your TLS configuration and SSL certificate expiry. It flags weak cipher suites, upcoming expirations, and missing security headers — so you don't have to manually run SSL Labs after every Nginx change.
Set an alert for certificates expiring within 30 days under Settings → Alerts → SSL Expiry. You'll get an email with enough lead time to renew before anything breaks.
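If you want the same 30-day warning from a cron job on the Docker host itself, here is an added example (not InfraPilot's code) that classifies certificate files by time to expiry using openssl's -checkend option, so no date arithmetic is needed. The two self-signed certificates it scans are constructed on the fly for the demonstration; the directory layout and the 30-day window are assumptions matching the alert setting described above.

```shell
#!/bin/sh
# Added example: flag certificates that are expired or inside the warning window.

WARN_DAYS=30   # default warning window, matching the post's alert setting

# Prints OK, EXPIRING_SOON, EXPIRED or UNREADABLE for the PEM certificate at $1.
# $2 optionally overrides the warning window in days.
cert_expiry_status() {
    cert_path="$1"
    window_days="${2:-$WARN_DAYS}"
    if ! openssl x509 -noout -in "$cert_path" >/dev/null 2>&1; then
        echo UNREADABLE
    elif ! openssl x509 -noout -checkend 0 -in "$cert_path" >/dev/null 2>&1; then
        echo EXPIRED            # notAfter is already in the past
    elif ! openssl x509 -noout -checkend "$((window_days * 86400))" \
            -in "$cert_path" >/dev/null 2>&1; then
        echo EXPIRING_SOON      # notAfter falls inside the warning window
    else
        echo OK
    fi
}

# Walks a directory of *.pem files, prints one "STATUS path" line each and
# returns 1 if any certificate needs attention (usable as a cron exit code).
scan_cert_dir() {
    bad=0
    for f in "$1"/*.pem; do
        status=$(cert_expiry_status "$f")
        printf '%s %s\n' "$status" "$f"
        [ "$status" = OK ] || bad=1
    done
    return "$bad"
}

# Constructed throwaway self-signed certificates so the script runs offline:
# $1 = output path, $2 = validity in days.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=example.test" >/dev/null 2>&1
}

DEMO_DIR=$(mktemp -d)
make_test_cert "$DEMO_DIR/short.pem" 10    # inside the 30-day window
make_test_cert "$DEMO_DIR/long.pem" 365    # comfortably outside it

scan_cert_dir "$DEMO_DIR" || echo "at least one certificate needs renewal"
```

Point scan_cert_dir at the directory your reverse-proxy container mounts its certificates from and run it daily; a non-zero exit is the signal to renew, and the per-file status lines tell you which one.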