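# HTTPS virtual host: certificate, OCSP stapling, protocol and cipher policy,
# HSTS and TLS session resumption. The server block continues past this
# excerpt, so its closing brace is not part of it.
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    # Certificate and private key.
    # NOTE(review): the key file should be readable only by root / the nginx
    # master process; confirm ownership and mode on the host.
    ssl_certificate /etc/nginx/ssl.crt;
    ssl_certificate_key /etc/nginx/ssl.key;

    # DH parameters used by the EDH cipher suites listed below.
    # NOTE(review): the file is not visible here; confirm it holds a group of
    # at least 2048 bits.
    ssl_dhparam /etc/nginx/dhparam.pem;

    # OCSP
    # Stapled responses are verified against the chain in
    # ssl_trusted_certificate (issuer, intermediates and root).
    # NOTE(review): stapling needs a `resolver` to look up the OCSP responder
    # host name; none is set in this excerpt, so confirm one is configured
    # at http or server level.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/chain.pem;

    # Ciphers
    # TLS 1.0 and TLS 1.1 are deprecated (RFC 8996) and are no longer offered.
    # TLSv1.3 can be appended where the nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    # Key exchange is limited to ephemeral ECDHE/DHE, AES-GCM suites first.
    # `!ECDSA` removes ECDSA-authenticated suites, so this list assumes an
    # RSA certificate; with an ECDSA certificate no suite would match.
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:!MD5:!RC4:!LOW:!MEDIUM:!CAMELLIA:!ECDSA:!DES:!DSS:!3DES:!NULL;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp384r1;

    # HSTS. `always` (nginx 1.7.5+) also sends the header on error responses;
    # without it only 2xx/3xx replies carry it. add_header is inherited by a
    # nested location only if that location defines no add_header of its own.
    # includeSubDomains together with preload commits every subdomain to
    # HTTPS, and removal from browser preload lists is slow.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # Session resumption
    # The server-side session cache is disabled, so resumption relies on
    # session tickets alone. Tickets are encrypted with the key in the file
    # below: forward secrecy for ticket-resumed TLS 1.2 sessions lasts only
    # as long as that key stays secret. Rotate the key on a schedule, reload
    # nginx after each rotation, and keep the file mode restrictive.
    ssl_session_timeout 10m;
    ssl_session_cache off;
    ssl_session_tickets on;
    ssl_session_ticket_key /etc/nginx/nginx-ticketkey;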