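# SSL/TLS Configuration
# Modern SSL configuration for security
#
# One directive per line: when the whole file sits on a single line that
# starts with '#', nginx reads all of it as a comment and none of the
# settings below take effect.

# SSL protocols and ciphers
# TLS 1.0/1.1 are not offered. The cipher list is restricted to AEAD suites
# with forward secrecy (ECDHE/DHE key exchange); it appears to follow
# Mozilla's "intermediate" profile. ssl_ciphers only governs TLS <= 1.2
# suites; the TLS 1.3 suites come from the TLS library's defaults.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
# Every suite above is acceptable, so the client may pick the one that is
# fastest on its hardware.
ssl_prefer_server_ciphers off;

# SSL session configuration
# Resumption uses the server-side shared cache only. Session tickets are off,
# so no long-lived ticket key has to be protected or rotated to keep forward
# secrecy for resumed sessions.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;

# OCSP stapling
# NOTE(review): stapling needs two things this file does not set:
#   - a `resolver` so nginx can look up the OCSP responder's hostname, e.g.
#       resolver <RESOLVER_IP> valid=300s;          (placeholder)
#   - with ssl_stapling_verify on, the issuer chain as trusted certificates,
#       ssl_trusted_certificate <PATH_TO_CA_CHAIN>; (placeholder)
#     unless the chain is already available from ssl_certificate.
# Without them nginx logs a warning and serves no stapled response.
# NOTE(review): Let's Encrypt has announced the end of its OCSP service;
# a certificate with no OCSP responder URL makes nginx ignore ssl_stapling.
# Confirm against the CA actually in use.
ssl_stapling on;
ssl_stapling_verify on;

# SSL optimization
# Smaller than nginx's 16k default; trades some throughput for a faster
# first byte.
ssl_buffer_size 8k;

# Default SSL certificate paths (to be replaced by Let's Encrypt)
# Both directives are commented out, so a `listen ... ssl` server that
# includes this file must define its own ssl_certificate and
# ssl_certificate_key or nginx will refuse to load the configuration.
# Keep the private key readable by root only.
# ssl_certificate /etc/ssl/certs/roa2web.crt;
# ssl_certificate_key /etc/ssl/private/roa2web.key;

# Diffie-Hellman parameters
# Used by the DHE-RSA-* suites above. The file must exist before nginx
# starts and should hold a group of at least 2048 bits; verify its size
# when provisioning the host.
ssl_dhparam /etc/ssl/certs/dhparam.pem;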