# SSL settings
ssl_protocols TLSv1.3 TLSv1.2;

ssl_buffer_size 4K;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ecdh_curve secp521r1:secp384r1;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:le_nginx_SSL:2m;
ssl_session_tickets off;
ssl_session_timeout 1440m;

# Ciphers
ssl_ciphers 'EECDH+AESGCM:EECDH+AES256:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES256-SHA';

# Additional headers
add_header Strict-Transport-Security "max-age=63072000" always;