##
# Certificates
# you need a certificate to run in production. see https://letsencrypt.org/
##
ssl_certificate     /etc/letsencrypt/live/{{ domains | first }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ domains | first }}/privkey.pem;

##
# Security hardening (as of Nov 15, 2020)
# based on Mozilla Guideline v5.6
##

ssl_protocols             TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers               ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
ssl_session_timeout       1d; # defaults to 5m
ssl_session_cache         shared:SSL:10m; # estimated to 40k sessions
ssl_session_tickets       off;
ssl_stapling              on;
ssl_stapling_verify       on;
# HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";