ssl.conf

# Settings according to https://syslink.pl/cipherlist/

ssl_protocols             TLSv1.3;
ssl_prefer_server_ciphers on;
# This file needs to be generate by running "openssl dhparam -out extra/dhparam.pem 4096"
ssl_dhparam               extra/dhparam.pem;
ssl_ciphers               EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve            secp384r1;
ssl_session_timeout       10m;
ssl_session_cache         shared:SSL:10m;
ssl_session_tickets       off;
ssl_stapling              on;
ssl_stapling_verify       on;

# Adjust resolver (this IP is the default Docker DNS)
resolver                  127.0.0.11 valid=300s;
resolver_timeout          5s;

# Only uncomment this line if you know what you're doing!
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options           DENY;
add_header X-Content-Type-Options    nosniff;
add_header X-XSS-Protection          "1; mode=block";