From 07f201271f49c3c5e4aa606c2754a3f3a38e9927 Mon Sep 17 00:00:00 2001
From: Minecon724
Date: Mon, 5 May 2025 15:36:17 +0200
Subject: [PATCH] Support TLSv1.2

---
 nginx/nginx.conf | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index a68d36a..22968bf 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -40,12 +40,17 @@ http {
 http2 on;
 add_header Alt-Svc 'h3=":443"; ma=86400';
+ add_header Strict-Transport-Security "max-age=63072000; preload" always;
- # modern configuration
- ssl_protocols TLSv1.3;
+ # intermediate configuration
+ ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ecdh_curve X25519:prime256v1:secp384r1;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
 ssl_prefer_server_ciphers off;
+ ssl_session_timeout 1h;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+
 # Make sure to generate it first
 ssl_dhparam dhparam.pem;
@@ -53,14 +58,13 @@ http {
 ssl_stapling on;
 ssl_stapling_verify on;
- # replace with the IP address of your resolver;
 # async 'resolver' is important for proper operation of OCSP stapling
- resolver [2001:4860:4860::8888] [2001:4860:4860::8844];
+ resolver [2001:4860:4860::8888] 8.8.8.8;
 # If certificates are marked OCSP Must-Staple, consider managing the
 # OCSP stapling cache with an external script, e.g. certbot-ocsp-fetcher
- # HTTPS redirect
+ # HTTPS redirect / HSTS
 server {
 listen 80 default_server;
 listen [::]:80 default_server;
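Review bot: The session settings added after `ssl_prefer_server_ciphers off;` turn on a 1h session cache but nothing in the hunk sets `ssl_session_tickets off;`, which the Mozilla intermediate profile this block appears to copy (`shared:MozSSL:10m; # about 40000 sessions`) pairs with these lines; with tickets left at the nginx default, the ticket key is generated at startup and only changes on reload, so resumed TLSv1.2 sessions lose forward secrecy for as long as that key lives. Unless the rest of the file already sets it, add `ssl_session_tickets off;` directly after the `ssl_session_cache` line, or rotate keys explicitly with `ssl_session_ticket_key`. Separately, the new HSTS header sends `preload` without `includeSubDomains`, which the preload list does not accept, and as an http-level `add_header` it is silently dropped in any `server` or `location` that declares its own `add_header` (the same inheritance caveat already applies to the Alt-Svc line above it); use `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;` only if every subdomain is served over HTTPS, otherwise drop `preload`. The enclosing `http {` block starts and ends outside the hunk.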
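Review bot: The resolver line now hard-codes Google Public DNS (`[2001:4860:4860::8888] 8.8.8.8`) while the same hunk removes the `# replace with the IP address of your resolver;` cue that told operators to substitute their own, so every deployment that copies this file sends its OCSP-stapling lookups in plaintext DNS to a third party and makes stapling depend on that external resolver being reachable. Keep the comment, or point `resolver` at the host's local stub (e.g. `127.0.0.53` on systemd-resolved hosts — example value, confirm per deployment), so the choice is deliberate rather than inherited. The relabel to `# HTTPS redirect / HSTS` implies the port-80 server is meant to emit HSTS, but browsers ignore Strict-Transport-Security received over plain HTTP (RFC 6797 §8.1), so the http-level `always` header reaching that server is harmless but not protective; the comment could say so, e.g. `# HTTPS redirect (HSTS only takes effect on the :443 server)`. The `server {` block opened at the end of the hunk continues outside it.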