ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers EECDH+CHACHA20:EECDH+AES; ssl_ecdh_curve X25519; ssl_prefer_server_ciphers on; ssl_stapling off; ssl_stapling_verify off; ssl_session_cache shared:SSL:10m; ssl_session_timeout 24h; ssl_session_tickets off; ssl_dhparam /etc/ssl/certs/dhparam.pem; keepalive_timeout 300s; resolver 127.0.0.53 valid=60s; resolver_timeout 10s; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;