Stricter ciphers

swag/nginx/ssl.conf

@@ -15,8 +15,8 @@ ssl_dhparam /config/nginx/dhparams.pem;
 
 # intermediate configuration
 ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-ssl_prefer_server_ciphers off;
+ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
+ssl_prefer_server_ciphers on;
 
 # HSTS (ngx_http_headers_module is required) (63072000 seconds)
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
@@ -38,4 +38,4 @@ add_header X-XSS-Protection "0" always;
 add_header Cross-Origin-Resource-Policy same-origin;
 add_header Cross-Origin-Embedder-Policy require-corp;
 add_header Cross-Origin-Opener-Policy same-origin;
-add_header Expect-CT "enforce, max-age=63072000";
+add_header Expect-CT "enforce, max-age=63072000";