###############################################################################
#                                                                             #
#  This file will be overwritten on an update!!                               #
#  Please use                                                                 #
#    /etc/nginx/openitc/custom.conf                                           #
#  for custom nginx configurations or                                         #
#    /etc/nginx/openitc/ssl_cert.conf                                         #
#  for custom ssl certificates.                                               #
#                                                                             #
###############################################################################

# TLS session resumption: a negotiated session may be reused for up to one day.
# The cache is shared between all worker processes (zone "MozSSL", 10 MB).
# NOTE(review): ssl_session_tickets is not set in this file, so nginx's default
# (on) applies unless another include overrides it. Ticket keys that live as
# long as the nginx process weaken forward secrecy for resumed sessions;
# confirm whether tickets are disabled or their keys rotated elsewhere.
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions

# Diffie-Hellman parameters used by the DHE-RSA-* suites listed below.
# The file has to exist and be readable by nginx when the configuration is loaded.
# NOTE(review): the parameter size cannot be seen from here; verify that the
# file holds a group of at least 2048 bits.
ssl_dhparam /etc/nginx/openitc/dhparam.pem;

# Only TLS 1.2 is offered: SSLv3, TLS 1.0 and TLS 1.1 are not accepted.
# NOTE(review): TLS 1.3 is not enabled either; confirm whether that is
# intentional (e.g. an older nginx/OpenSSL build) or whether TLSv1.3 should be
# added to this list.
ssl_protocols TLSv1.2;
# TLS 1.2 cipher suites. Every entry uses an ephemeral key exchange (ECDHE or
# DHE) together with an AEAD cipher (AES-GCM or ChaCha20-Poly1305); no CBC, RC4,
# 3DES or static-RSA suites are offered.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
# "off" lets the client's preference order pick the suite; since every suite
# above is a strong one, the client can choose what its hardware runs fastest.
ssl_prefer_server_ciphers off;

# HSTS: browsers must use HTTPS for this host for 63072000 s (two years).
# "always" attaches the header to every response code, error pages included.
# includeSubDomains is not set, so subdomains are not covered by this policy.
# NOTE(review): nginx inherits add_header from the enclosing level only when
# the inner level declares no add_header of its own. Any server/location block
# that adds its own headers must repeat this line, or HSTS is dropped there.
add_header Strict-Transport-Security "max-age=63072000" always;
