EdgeServers

Nginx, HTTP/3, and a TLS config that's actually current for 2026

May 22, 2026 · 1 min read · by Sudhanshu K.

Mainline Nginx has had HTTP/3 + QUIC support since 1.25 (2023). The TLS config most teams still ship was written for the SSL Labs ciphersuite wars of 2018-2020 and has rotted since. Both deserve a refresh.

Here's the edge TLS + HTTP/3 config we deploy on every managed Nginx host in 2026.

Listening on QUIC alongside HTTPS

server {
    listen 443 ssl;
    listen 443 quic reuseport;
    listen [::]:443 ssl;
    listen [::]:443 quic reuseport;
    http2 on;
    http3 on;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Alt-Svc 'h3=":443"; ma=86400';
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
}

The Alt-Svc header is what gets clients to upgrade from HTTP/2 to HTTP/3 on subsequent requests.
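As an added example (not code from the EdgeServers post or from the Nginx project), here is a small Python linter that parses a server block like the one above and flags the stale settings the 2026 config replaces: legacy protocol versions, server-preferred cipher order, non-ECDHE or non-AEAD suites, session tickets left on, missing OCSP stapling, a QUIC listener without an Alt-Svc h3 advertisement (or the reverse), and an HSTS max-age too short for preload. Both sample blocks are constructed for the example: one copies the post's directives, the other is a typical 2018-era block. The cipher check only reads ssl_ciphers, which in OpenSSL-based Nginx builds governs TLS 1.2 suites; TLS 1.3 suites are all AEAD and are not selected through that directive.

```python
"""Lint an Nginx server block for stale TLS / HTTP/3 settings.

Added example, not part of the EdgeServers post. The two configs below are
constructed samples: MODERN_CONF copies the post's directives, STALE_CONF is
a typical 2018-era block.
"""
import re
import shlex

MODERN_CONF = """
server {
    listen 443 ssl;
    listen 443 quic reuseport;
    listen [::]:443 ssl;
    listen [::]:443 quic reuseport;
    http2 on;
    http3 on;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Alt-Svc 'h3=":443"; ma=86400';
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
}
"""

STALE_CONF = """
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES128-SHA256:AES256-SHA:DES-CBC3-SHA;
    ssl_session_tickets on;
    add_header Strict-Transport-Security "max-age=300";
}
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ONE_YEAR = 31536000  # smallest HSTS max-age hstspreload.org accepts


def parse_server_block(text):
    """Parse one server { ... } block into (directive, [args]) pairs.

    One directive per line, as in the post's config. shlex keeps quoted
    values intact, so the ';' inside the Alt-Svc header value is preserved.
    """
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line in ("server {", "}"):
            continue
        if not line.endswith(";"):
            raise ValueError(f"unterminated directive: {line!r}")
        parts = shlex.split(line[:-1])
        directives.append((parts[0], parts[1:]))
    return directives


def lint_tls(directives):
    """Return a list of findings; an empty list means the block matches the 2026 baseline."""
    findings = []

    def get(name):
        return [args for d, args in directives if d == name]

    headers = {args[0].lower(): args[1] for args in get("add_header") if len(args) >= 2}

    protos = set(sum(get("ssl_protocols"), []))
    for p in sorted(protos & WEAK_PROTOCOLS):
        findings.append(f"ssl_protocols enables {p}; only TLSv1.2 and TLSv1.3 should remain")
    if "TLSv1.3" not in protos:
        findings.append("ssl_protocols does not enable TLSv1.3")

    if get("ssl_prefer_server_ciphers") != [["off"]]:
        findings.append("ssl_prefer_server_ciphers is not off")

    # ssl_ciphers is a colon-separated OpenSSL list; it only governs TLS 1.2 suites.
    for suite in ":".join(a[0] for a in get("ssl_ciphers")).split(":"):
        if not suite:
            continue
        if not suite.startswith("ECDHE-"):
            findings.append(f"cipher {suite} has no forward secrecy (non-ECDHE key exchange)")
        elif "GCM" not in suite and "CHACHA20" not in suite:
            findings.append(f"cipher {suite} is not an AEAD suite")

    if get("ssl_session_tickets") != [["off"]]:
        findings.append("ssl_session_tickets is not off; a re-used ticket key undermines forward secrecy")
    if get("ssl_stapling") != [["on"]] or get("ssl_stapling_verify") != [["on"]]:
        findings.append("OCSP stapling with ssl_stapling_verify on is not configured")

    quic = any("quic" in args for args in get("listen"))
    h3_advertised = "h3=" in headers.get("alt-svc", "")
    if get("http3") == [["on"]] and not quic:
        findings.append("http3 on but no quic listener")
    if quic and not h3_advertised:
        findings.append("listen ... quic is set but no Alt-Svc h3 header advertises it")
    if h3_advertised and not quic:
        findings.append("Alt-Svc advertises h3 but there is no quic listener")

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append(f"HSTS max-age below {ONE_YEAR} seconds")
    return findings


if __name__ == "__main__":
    for label, conf in (("modern", MODERN_CONF), ("stale", STALE_CONF)):
        print(label, lint_tls(parse_server_block(conf)) or "OK")
```

Run it against a real vhost by reading the file into `parse_server_block`; a block from the post yields no findings, the 2018-era block yields ten. The parser is deliberately minimal (one directive per line, a single server block) so it stays readable; for multi-block files split on `server {` first.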

The full write-up covers:

  • TLS 1.3 — why ssl_prefer_server_ciphers off is the correct setting in 2026
  • Disabling session tickets (forward secrecy isn't real with re-used ticket keys)
  • OCSP stapling with ssl_stapling_verify — and how to monitor it
  • The Mozilla "Intermediate" config and where we differ from it
  • HTTP/3 quirks: UDP firewall rules, connection migration, 0-RTT
  • Cert renewal with certbot + the nginx-reload hook that survives certbot renew
  • Weekly SSL Labs scan as a CI job across the fleet

We ship this config on every managed Nginx install.
