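# vim: set ts=4 sw=4 expandtab syntax=nginx:
###############################################################################
# Global default TLS configuration
#
# NOTE: This file will be OVERWRITTEN when imh-nginx is updated! Do NOT make
#       changes to this file. Instead, copy it to '00-tls.conf', and make your
#       customizations in that file. Once made, run `nginx-validate -f` to
#       remove any duplicate directives from this file. nginx-validate
#       will prefer directives from conf.d files in alphanumeric order.
#       This will ensure your changes are preserved with future updates.
#
###############################################################################

# General options
# Server-side suite ordering only applies to TLS 1.2; TLS 1.3 suites are not
# selected by ssl_ciphers / ssl_prefer_server_ciphers.
ssl_prefer_server_ciphers on;
# Session cache shared by all workers. ssl_session_timeout is not set here,
# so nginx's default applies.
# NOTE(review): ssl_session_tickets is left at its default (on) and no
# ssl_session_ticket_key is configured, so ticket keys are not rotated on any
# schedule; rotate the key file or disable tickets if forward secrecy of
# resumed sessions matters to you.
ssl_session_cache shared:SSL:32m;
# Smaller than nginx's default record buffer; intended to lower time-to-first-
# byte for small responses.
ssl_buffer_size 8k;

# Protocol and cipher options
ssl_protocols TLSv1.2 TLSv1.3;
# NOTE(review): 'AES256+EECDH' and 'AES256+EDH' also admit the non-AEAD
# CBC/SHA1 suites (e.g. ECDHE-RSA-AES256-SHA). The two explicit AES128-GCM
# entries at the end are already covered by 'EECDH+AESGCM'. Left as-is;
# restrict to AEAD-only suites if no legacy TLS 1.2 clients must be served.
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256';

# !! For greater compatibility with old clients, comment-out the two directives
# !! above and uncomment the two directives below.
#
# WARNING: TLS 1.0 / 1.1 and the 3DES suites below (DES-CBC3-SHA,
# ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA) are deprecated. Note that
# '!DES' excludes only single DES in OpenSSL syntax -- 3DES is '!3DES' -- so
# the 64-bit-block suites stay enabled (SWEET32 class of attacks). Enable this
# block only for clients that genuinely cannot do better, and expect compliance
# scanners to flag it.
# (Both directives must end with ';' -- without it nginx fails to parse the
# file once they are uncommented.)
#ssl_protocols TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3;
#ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4';

# Diffie-Hellman options
# NOTE(review): only secp384r1 is offered. A client whose supported-groups list
# lacks P-384 (X25519/P-256 only) cannot complete the ECDHE handshake, and
# X25519 is never negotiated for TLS 1.3. Consider
# 'X25519:secp384r1:prime256v1' (or 'auto') if that matters for your clients.
ssl_ecdh_curve secp384r1;
# Parameters for the EDH/DHE suites listed above. The file must exist and be
# readable when nginx starts or reloads; generate it with at least 2048 bits.
ssl_dhparam /var/nginx/dhparams.pem;

# HTTP/2 options
# http2_push_preload is obsolete (server push was dropped from nginx); kept
# here only as a reminder that it should not be re-added.
# http2_push_preload on;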