# Use http2
http2 on;

# Shared TLS configuration

## Use strong ciphers
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
ssl_conf_command Options PrioritizeChaCha;

## Configure ssl session cache
## Improves performance but we don't wanna keep this forever
## Session ticket creation and rotation is handled by GrapheneOS's scripts:
## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-create-session-ticket-keys
## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-rotate-session-ticket-keys

ssl_session_cache shared:SSL:10m; # About 40000 sessions
ssl_session_timeout 1d;
ssl_session_ticket_key session-ticket-keys/4.key;
ssl_session_ticket_key session-ticket-keys/3.key;
ssl_session_ticket_key session-ticket-keys/2.key;
ssl_session_ticket_key session-ticket-keys/1.key;

## Enable HSTS header

proxy_hide_header Strict-Transport-Security;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

## The following settings need to be declared manually per vhost:
# ssl_certificate
# ssl_certificate_key
# ssl_trusted_certificate
# ssl_stapling_file

# Disable server tokens
server_tokens off;

server {
    listen ipv4_1:80 default_server;
    listen [ipv6_1]:80 default_server;

    include snippets/universal_paths.conf;

    # Don't send headers
    add_header "" "";

    location / {
        return 308 https://$host$request_uri;
    }
}