# Use http2
http2 on;

# Shared TLS configuration

## Use strong ciphers
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
ssl_conf_command Options PrioritizeChaCha;

# Use strong ciphers for proxies
proxy_ssl_verify on;
proxy_ssl_server_name on;
proxy_ssl_session_reuse on;
proxy_ssl_protocols TLSv1.2 TLSv1.3;
proxy_ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
proxy_ssl_conf_command Options PrioritizeChaCha;

## Configure ssl session cache
## Improves performance but we don't wanna keep this forever
## Session ticket creation and rotation is handled by GrapheneOS's scripts:
## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-create-session-ticket-keys
## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-rotate-session-ticket-keys

ssl_session_cache shared:SSL:10m; # About 40000 sessions
ssl_session_timeout 1d;
ssl_session_ticket_key session-ticket-keys/4.key;
ssl_session_ticket_key session-ticket-keys/3.key;
ssl_session_ticket_key session-ticket-keys/2.key;
ssl_session_ticket_key session-ticket-keys/1.key;

## The following settings need to be declared manually per vhost:
## ssl_certificate
## ssl_certificate_key
## ssl_trusted_certificate
## ssl_stapling_file

# Cookie flags
proxy_cookie_flags ~ secure;

# Disable compression
## Mitigates oracle attacks
gzip off;

# Disable server tokens
server_tokens off;

server {
    listen ipv4_1:80 default_server;
    listen [ipv6_1]:80 default_server;

    include snippets/universal_paths.conf;

    location / {
        return 308 https://$host$request_uri;
    }
}