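# Managed by Ansible
#
# Shared TLS and response-header policy. This snippet is meant to be included
# in the `http` context: `map` is only valid there, and the ssl_* directives
# below apply to every `server` that does not override them.

# Session resumption through the server-side cache only. Tickets stay off so
# forward secrecy is not undermined by a long-lived ticket encryption key.
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

ssl_protocols TLSv1.3 TLSv1.2;
# TLS 1.2 suites: ECDHE/DHE key exchange with AES-GCM only (no CBC, no RSA key
# transport). With OpenSSL, TLS 1.3 suites are not governed by ssl_ciphers.
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
# Only P-384 is offered for ECDHE. NOTE(review): clients that only send an
# X25519/P-256 key share cannot complete ECDHE against this setting; unless
# P-384 is a compliance mandate, consider
# `ssl_ecdh_curve X25519:secp384r1:prime256v1;`.
ssl_ecdh_curve secp384r1;

# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
# NOTE(review): verifying the stapled response requires the issuer chain to be
# trusted — nginx expects intermediates and root via `ssl_trusted_certificate`
# (or a full chain in ssl_certificate); otherwise stapling is silently skipped.
# Confirm that is configured in the server blocks that use this policy.
ssl_stapling_verify on;
# Parameters for the EDH+ suites above; the path is rendered by Ansible.
ssl_dhparam {{ dhparam_path }};

# Security Headers
# Add secure header values if not set upstream.
# The maps have no default branch on purpose: when the upstream already sent
# the header the variable is the empty string, and add_header omits a header
# whose value is empty, so the upstream's own value passes through untouched.
# NOTE(review): the add_header lines that consume these variables are not in
# this file; remember that an add_header inside a nested `location` replaces,
# rather than extends, the set inherited from its parent block.
map $upstream_http_referrer_policy $referrerpolicy {
    '' no-referrer;
}
map $upstream_http_strict_transport_security $sts {
    # `preload` commits the domain to the browser HSTS preload list; leaving
    # that list takes months, so keep it only if the commitment is intended.
    '' "max-age=63072000; includeSubDomains; preload";
}
map $upstream_http_x_content_type_options $xcontentoptions {
    '' nosniff;
}
# Current browsers have removed the XSS auditor, and `1; mode=block` in older
# ones could be abused as a cross-site leak; OWASP and MDN now recommend
# explicitly disabling the filter with `0`.
map $upstream_http_x_xss_protection $xxssprotection {
    '' "0";
}
map $upstream_http_x_frame_options $xframeoptions {
    '' SAMEORIGIN;
}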