From 9b3bfe9bc855f5e4a3afeca216c21273e945b246 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Fri, 5 Jul 2019 10:20:25 +0300
Subject: [PATCH] nginx: use mozilla recommended ssl options
---
 roles/nginx/server/templates/nginx.conf.j2 | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/roles/nginx/server/templates/nginx.conf.j2 b/roles/nginx/server/templates/nginx.conf.j2
index 081cb3b..c39daad 100644
--- a/roles/nginx/server/templates/nginx.conf.j2
+++ b/roles/nginx/server/templates/nginx.conf.j2
@@ -18,10 +18,12 @@ http {
 access_log {{ nginx_logdir }}/access.log main;
 ssl on;
- ssl_session_cache builtin:1000 shared:SSL:10m;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m;
+ ssl_session_tickets off;
 ssl_protocols {{ tls_protocols }};
 ssl_ciphers {{ tls_ciphers }};
- ssl_prefer_server_ciphers on;
+ ssl_prefer_server_ciphers off;
 server {
 listen 443 ssl http2;
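Review bot: `ssl_prefer_server_ciphers off;` is only safe when every suite that `{{ tls_ciphers }}` and `{{ tls_protocols }}` expand to is acceptable, because the client's ordering now decides which suite is negotiated; both variables are set outside this hunk, so that cannot be confirmed from here. Mozilla's generator pairs `off` with its modern and intermediate profiles and keeps `on` for the old profile, so a host that still overrides `tls_ciphers` with a legacy list would lose the server-side ordering that kept its weaker suites last. I would record the dependency next to the directive, e.g. `# off per Mozilla modern/intermediate: tls_ciphers must list only forward-secret AEAD suites`, and check the role defaults and any per-host overrides of the two variables before merging. The `http` block starts and ends outside the hunk.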