Support TLSv1.2

nginx/nginx.conf

@@ -40,12 +40,17 @@ http {
     http2 on;
 
     add_header Alt-Svc 'h3=":443"; ma=86400';
+    add_header Strict-Transport-Security "max-age=63072000; preload" always;
 
-    # modern configuration
+    # intermediate configuration
-    ssl_protocols TLSv1.3;
+    ssl_protocols TLSv1.2 TLSv1.3;
     ssl_ecdh_curve X25519:prime256v1:secp384r1;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
     ssl_prefer_server_ciphers off;
 
+    ssl_session_timeout 1h;
+    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+
     # Make sure to generate it first
     ssl_dhparam dhparam.pem;
 
@@ -53,14 +58,13 @@ http {
     ssl_stapling on;
     ssl_stapling_verify on;
 
-    # replace with the IP address of your resolver;
     # async 'resolver' is important for proper operation of OCSP stapling
-    resolver [2001:4860:4860::8888] [2001:4860:4860::8844];
+    resolver [2001:4860:4860::8888] 8.8.8.8;
 
     # If certificates are marked OCSP Must-Staple, consider managing the
     # OCSP stapling cache with an external script, e.g. certbot-ocsp-fetcher
 
-    # HTTPS redirect
+    # HTTPS redirect / HSTS
     server {
         listen 80 default_server;
         listen [::]:80 default_server;