Update ssl_early_data configuration

etc/nginx/conf.d/default.conf

@@ -36,6 +36,9 @@ ssl_session_ticket_key session-ticket-keys/1.key;
 ## ssl_trusted_certificate
 ## ssl_stapling_file
 
+# Make sure ssl early data is off - replay attack mitigation
+ssl_early_data off;
+
 # Cookie flags
 proxy_cookie_flags ~ secure;
 

etc/nginx/snippets/proxy.conf

@@ -4,7 +4,7 @@
 # Force http 1.1, anything not supporting it shouldn't be used
 proxy_http_version 1.1;
 
-# Replay attack mitigation for early data
+# Signal to upstream whether ssl_early_data is used
 proxy_set_header Early-Data $ssl_early_data;
 
 # Restore visitor IP