diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 0b7ae9a..1da44e5 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -32,5 +32,29 @@ http {
 
     gzip  on;
 
+    # modern configuration
+    ssl_protocols TLSv1.3;
+    ssl_ecdh_curve X25519:prime256v1:secp384r1;
+    ssl_prefer_server_ciphers off;
+
+    # OCSP stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    # replace with the IP address of your resolver;
+    # async 'resolver' is important for proper operation of OCSP stapling
+    resolver 2001:4860:4860::8888 2001:4860:4860::8844;
+
+    # If certificates are marked OCSP Must-Staple, consider managing the
+    # OCSP stapling cache with an external script, e.g. certbot-ocsp-fetcher
+
+    # HTTPS redirect
+    server {
+        listen 80 default_server;
+        listen [::]:80 default_server;
+
+        return 301 https://$host$request_uri;
+    }
+
     include /etc/nginx/conf.d/*.conf;
 }
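Review bot: The new port-80 `default_server` builds its redirect target from `$host`, which nginx takes from the client-supplied request line or Host header, so this catch-all will emit a `Location:` pointing at any hostname a request names. Redirecting to a fixed canonical name avoids that, e.g. `return 301 https://<canonical-host>$request_uri;` (placeholder), or keep `$host` only in a server block with an explicit `server_name` list and let the default server answer `return 444;`. Separately, the `resolver` line is committed with public IPv6 addresses even though the comment above it says to replace them; OCSP responder lookups then depend on IPv6 reachability and on an off-host resolver, so a resolver on the local trusted network with an explicit `valid=` and a `resolver_timeout` would be safer. The `http` block opens above this hunk, so it is not visible here whether `ssl_trusted_certificate` is set, which `ssl_stapling_verify on` relies on to verify the responder.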