authorJesse Luehrs <doy@tozt.net>2020-07-11 00:31:22 -0400
committerJesse Luehrs <doy@tozt.net>2020-07-11 00:31:22 -0400
commit3b3928d3fa8dd8186ba1f751d382866618bc4c3e (patch)
treea344354dbe2dc0d18bf89f2274f0ca49ca088cff /modules/nginx
parent2742b92356a71d0582698f777897b46037567216 (diff)
improve nginx tls config
Diffstat (limited to 'modules/nginx')
-rw-r--r--modules/nginx/files/ssl11
1 files changed, 8 insertions, 3 deletions
diff --git a/modules/nginx/files/ssl b/modules/nginx/files/ssl
index acb1643..e8e3437 100644
--- a/modules/nginx/files/ssl
+++ b/modules/nginx/files/ssl
@@ -1,11 +1,16 @@
+# generated by https://ssl-config.mozilla.org/
ssl_certificate /media/persistent/certbot/live/tozt.net/fullchain.pem;
ssl_certificate_key /media/persistent/certbot/live/tozt.net/privkey.pem;
-ssl_protocols TLSv1.1 TLSv1.2;
-ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_dhparam /etc/nginx/dhparam.pem;
-ssl_prefer_server_ciphers on;
+ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_stapling on;
ssl_stapling_verify on;
+ssl_trusted_certificate /etc/ssl/cert.pem;
+ssl_session_timeout 1d;
+ssl_session_tickets off;
+add_header Strict-Transport-Security "max-age=63072000" always;
# vim:ft=nginx
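Review bot: The HSTS header added at the end of the hunk (`add_header Strict-Transport-Security "max-age=63072000" always;`) is only inherited by a server or location block that declares no `add_header` of its own; nginx replaces rather than merges the inherited set, so any location in the including server blocks that adds e.g. a cache or CORS header will silently drop HSTS. A comment next to it would save the next maintainer a surprise: `# add_header is not merged across levels: a nested block with its own add_header must repeat this line`, and the including server blocks are worth checking for that case. The `# generated by https://ssl-config.mozilla.org/` comment would be more useful with the generator's own stamp (profile, guideline version, nginx/OpenSSL versions it was generated for), since the generator's output changes over time and that is what lets the file be re-diffed against it later. `ssl_trusted_certificate /etc/ssl/cert.pem;` appears to point at the system CA bundle rather than the issuing chain for the stapled certificate; that works for `ssl_stapling_verify`, but the bundle path differs between distributions and nginx will refuse to start if the file is absent, so it is presumably worth confirming on the target host.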