# Many of these parameters configured based on https://ssl-config.mozilla.org/#server=nginx&version=1.26.0&config=intermediate&openssl=1.1.1w&guideline=5.7

# Listen on port 443 (IPv4/IPv6)
listen 443      ssl;                     
listen [::]:443 ssl;

# Listen on port 443 with quic (IPv4/IPv6)
listen 443      quic reuseport;                     
listen [::]:443 quic reuseport;

# Enable http2
http2 on;

# Enable http3
http3 on;

# Enable QUIC Functions
quic_retry on;
add_header Alt-Svc 'h3=":443"; ma=86400';

# Set SSL Session Parameters
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
ssl_session_tickets off;

# Configure DHParam
ssl_dhparam /etc/nginx/dhparam.txt;

# Intermediate SSL Configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;

# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

# Include a resolver for OSCP Stapling
include snippets/resolver.conf;