+ access_log <%= node[:nginx][:access_log] %> main buffer=256k flush=1m;
+<% else -%>
+ access_log off;
+<% end -%>
+
+ keepalive_timeout 20 20;
+
+ server_tokens off;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ ssl_ciphers <%= node[:ssl][:openssl_ciphers] -%>;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 30m;
+
+ ssl_stapling on;
+
+ # Validate the stapling response is signed by a trusted certificate
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;