From 09e8cdf6c96500b6c3a53198114487cda0482818 Mon Sep 17 00:00:00 2001
From: fro
Date: Tue, 28 Oct 2025 16:17:38 -0500
Subject: [PATCH] / mozilla ssl cfg generator
---
 cfg/ngx/nginx.conf | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/cfg/ngx/nginx.conf b/cfg/ngx/nginx.conf
index a4f51f5..8191b21 100644
--- a/cfg/ngx/nginx.conf
+++ b/cfg/ngx/nginx.conf
@@ -32,8 +32,18 @@ http {
 ##
 ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3 (POODLE), TLS 1.0, 1.1
+ssl_ecdh_curve X25519:prime256v1:secp384r1;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
 ssl_prefer_server_ciphers off; # Don't force server cipher order.
+# see also ssl_session_ticket_key alternative to stateful session cache
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+
+# mkdir -p /var/www/dhparam
+# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /var/www/dhparam/dhparam
+ssl_dhparam "/var/www/dhparam/dhparam";
+
 ##
 # Logging Settings
 ##
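Review bot: The session-resumption block copied from the Mozilla generator is missing its `ssl_session_tickets off;` line, so the new `ssl_session_timeout 1d;` and `ssl_session_cache shared:MozSSL:10m;` lines configure a stateful cache while nginx keeps issuing stateless tickets under its default startup-generated key, which is never rotated unless `ssl_session_ticket_key` is set and therefore weakens forward secrecy for resumed sessions across the process lifetime. Add `ssl_session_tickets off;` directly after the `ssl_session_cache` line, which is what the generator's intermediate profile emits alongside those two directives. The "see also ssl_session_ticket_key" comment would then read better as `# stateful cache only; tickets disabled so no long-lived ticket key is held in memory`. The `ssl_dhparam` path under /var/www is a placement nit rather than a leak (DH parameters are public), but if that tree is ever served as a document root it is cleaner to keep the file under /etc/nginx; the hunk's enclosing `http {` block starts before and ends after these lines.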