From cbd4d1ff7af66e1d6c061778b27c6689037e9fbd Mon Sep 17 00:00:00 2001
From: Jakub Czajka
Date: Sun, 27 Nov 2022 09:53:50 +0100
Subject: [PATCH] [nginx] Configure SSL. Parameter values taken from Let's Encrypt.
---
 nginx/nginx.conf | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index bf7dfe7..128c081 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -35,8 +35,14 @@ http {
 # SSL Settings
 ##
 
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
- ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:le_nginx_SSL:10m;
+ ssl_session_timeout 1440m;
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers off;
+
+ ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
 
 ##
 # Logging Settings
-- 
2.39.5
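Review bot: The new `ssl_ciphers` list ends with two `DHE-RSA-*` suites, but the hunk adds no `ssl_dhparam`. Since nginx 1.11.0, DHE suites are not negotiated unless that directive points at a parameter file, so as written these two entries are probably inert. Either add `ssl_dhparam /path/to/dhparams.pem;` (placeholder path, 2048-bit group or larger) next to the cipher list, or drop the two suites so the list matches what the server actually offers. The directive may already be set in a server block or elsewhere in `http {}` outside this hunk, so check there first. A comment above the block such as `# TLS parameters follow Let's Encrypt's recommended nginx options; re-sync when they change` would also help, because the source of the values is recorded only in the commit message.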