diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 0b7ae9a..1da44e5 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -32,5 +32,29 @@ http {
 gzip on;
+ # modern configuration
+ ssl_protocols TLSv1.3;
+ ssl_ecdh_curve X25519:prime256v1:secp384r1;
+ ssl_prefer_server_ciphers off;
+
+ # OCSP stapling
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ # replace with the IP address of your resolver;
+ # async 'resolver' is important for proper operation of OCSP stapling
+ resolver 2001:4860:4860::8888 2001:4860:4860::8844;
+
+ # If certificates are marked OCSP Must-Staple, consider managing the
+ # OCSP stapling cache with an external script, e.g. certbot-ocsp-fetcher
+
+ # HTTPS redirect
+ server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ return 301 https://$host$request_uri;
+ }
+
 include /etc/nginx/conf.d/*.conf;
 }
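Review bot: `ssl_stapling_verify on` is added without an `ssl_trusted_certificate` directive, which nginx needs (issuer, intermediates and root) to actually validate the OCSP response it fetches; unless that is set in the included conf.d files, nginx will warn at startup and the stapled response is handed to clients unverified, which matters more here because the `resolver` points at an external public DNS server over plain UDP rather than a local resolver. Add `ssl_trusted_certificate /path/to/chain.pem;` beside the stapling directives, or confirm it lives with the certificate configuration in conf.d. The Mozilla "modern" profile this block is modelled on also sets `ssl_session_tickets off;`; without it nginx's default ticket key persists for the life of the worker, weakening forward secrecy for resumed sessions. In the redirect server, `$host` comes from the client-supplied Host header, so the catch-all `default_server` will 301 to whatever hostname a client sends; if the deployment has a fixed name, `return 301 https://$server_name$request_uri;` with an explicit `server_name` avoids that. The enclosing `http {` block begins before this hunk.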