From 0307f11fc0876343786317e456ebf90ad0ccc0aa Mon Sep 17 00:00:00 2001
From: zico
Date: Sat, 11 Jun 2022 21:37:33 +0000
Subject: [PATCH] Improvements to the ngnix-ssl snippet Based on the Mozilla nginx config best practices
---
ansible/roles/nginx/templates/ssl.conf.j2 | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/ansible/roles/nginx/templates/ssl.conf.j2 b/ansible/roles/nginx/templates/ssl.conf.j2
index 900fe7d..58851db 100644
--- a/ansible/roles/nginx/templates/ssl.conf.j2
+++ b/ansible/roles/nginx/templates/ssl.conf.j2
@@ -1,2 +1,8 @@
-ssl_protocols TLSv1.2 TLSv1.3;
-add_header Strict-Transport-Security max-age=31536000;
+ssl_protocols TLSv1.3;
+add_header Strict-Transport-Security max-age=63072000 always;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;
+ssl_session_tickets off;
+ssl_prefer_server_ciphers off;
+ssl_stapling on;
+ssl_stapling_verify on;
\ No newline at end of file
--
2.40.1
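Review bot: The added `ssl_stapling on;` and `ssl_stapling_verify on;` at the end of the hunk depend on directives this template does not set: nginx needs a `resolver` to look up the OCSP responder's hostname, and `ssl_stapling_verify` needs the issuer chain configured through `ssl_trusted_certificate`. If the including server block (not visible in this patch) does not define them, nginx logs a warning and serves no stapled response, so the setting looks enabled but has no effect. Either add `resolver <RESOLVER_IP>;` and `ssl_trusted_certificate <PATH_TO_CA_CHAIN>;` to the snippet, or document the dependency with `# requires resolver and ssl_trusted_certificate in the including server block`. Separately, narrowing `ssl_protocols` to `TLSv1.3` cuts off every client limited to TLS 1.2, so it should be checked against the supported client base. The HSTS `add_header` is also not inherited by any `location` that declares its own `add_header`, so those locations would respond without the header.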