# {{ ansible_managed }}

ssl_session_timeout         {{ nginx_tls_session_timeout }};
ssl_session_tickets         off;

ssl_prefer_server_ciphers   on;
ssl_session_cache           shared:SSL:{{ nginx_tls_cache_size }};

ssl_protocols               {{ nginx_tls_version }};
ssl_ciphers                 {{ nginx_tls_cipherlist }};
ssl_ecdh_curve              {{ nginx_tls_curve }};

# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header                  Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header                  X-Frame-Options "sameorigin";
add_header                  X-Content-Type-Options "nosniff";
add_header                  X-Robots-Tag noindex;

# OCSP stapling
ssl_stapling                {{ nginx_ssl_stapling }};
ssl_stapling_verify         {{ nginx_ssl_stapling_verify }};