ssl_protocols              TLSv1.2 TLSv1.3;
ssl_ciphers                EECDH+CHACHA20:EECDH+AES;
ssl_ecdh_curve             X25519;
ssl_prefer_server_ciphers  on;
ssl_stapling               off;
ssl_stapling_verify        off;
ssl_session_cache          shared:SSL:10m;
ssl_session_timeout        24h;
ssl_session_tickets        off;
ssl_dhparam                /etc/ssl/certs/dhparam.pem;
keepalive_timeout          300s;
resolver                   127.0.0.53 valid=60s;
resolver_timeout           10s;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;