# SSL connector settings
# The ${VAR} tokens are placeholders expanded by a templating step (presumably
# envsubst) before nginx loads this file - nginx itself does not expand them.
# Server certificate (public part, with any intermediate chain) presented to clients
ssl_certificate ${NGX_SSL_CRT};

# Server private key corresponding to the certificate above; keep file permissions
# restricted to the nginx user
ssl_certificate_key ${NGX_SSL_KEY};

# TLS protocols enabled on the server - space separated list.
# Possible values - [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2] [TLSv1.3]
# SSLv2, SSLv3, TLSv1 and TLSv1.1 are deprecated and have known weaknesses;
# only TLSv1.2 and TLSv1.3 should normally be listed here.
ssl_protocols       ${NGX_SSL_PROTO};

# Set of TLS cipher suites offered by the server, OpenSSL cipher-list format
# NOTE(review): with OpenSSL this list generally governs TLSv1.2 and below;
# TLSv1.3 suites are configured separately - confirm for the build in use.
ssl_ciphers         ${NGX_SSL_CIPHERS};

# Time during which a client may reuse cached session parameters, e.g. 30m
ssl_session_timeout ${NGX_SSL_SSN_TIMEOUT};

# Whether the server's cipher preference order wins over the client's - on
ssl_prefer_server_ciphers ${NGX_SSL_PRFR_SRVR_CIPHERS};

# Session cache shared across worker processes; the placeholder is the cache size
# (e.g. 10m). Enables session-ID based resumption.
ssl_session_cache shared:SSL:${NGX_SSL_CACHE_SIZE};

# TLS session tickets (stateless resumption). Tickets are protected by a
# server-side key; if that key is long-lived, its compromise exposes past
# sessions, which undermines forward secrecy - 'off' is the hardened setting.
# Note this does not disable resumption entirely: the shared session cache
# above still permits session-ID resumption.
ssl_session_tickets ${NGX_SSL_SESSION_TICKETS};

# Diffie-Hellman parameters (2048 bits), used only by DHE cipher suites.
# Left commented out until the file exists; generate it at the desired
# location (in this example ${NGX_SSL_DIR}/dhparam.pem) with:
#        openssl dhparam -out ${NGX_SSL_DIR}/dhparam.pem 2048
#        chmod 400 ${NGX_SSL_DIR}/dhparam.pem
# then uncomment the directive below.
# ssl_dhparam ${NGX_SSL_DHPARAM};

# OCSP stapling: nginx fetches the OCSP response for its own server certificate
# and staples it into the handshake, so clients need not contact the CA's
# responder. Only meaningful for CA-signed (not self-signed) certificates.
# ssl_stapling_verify makes nginx validate the stapled response itself; in
# nginx this needs the issuer chain to be available via ssl_trusted_certificate
# - TODO confirm that directive is set elsewhere in this configuration.
ssl_stapling ${NGX_SSL_STAPLING};
ssl_stapling_verify ${NGX_SSL_STAPLING_VERIFY};

# Client certificate and key that nginx presents to upstream servers when
# proxying over TLS (mutual TLS towards the backend). This reuses the server's
# own certificate; confirm the upstreams trust its issuer.
proxy_ssl_certificate ${NGX_SSL_CRT};
proxy_ssl_certificate_key ${NGX_SSL_KEY};

# Enforce upstream server certificate validation at the proxy.
# This is not mandated by CIS but definitely adds defence in depth.
# It requires the administrator to provision the CA certificates that sign the
# upstream server certificates into the trusted store referenced below.
# proxy_ssl_verify_depth bounds the certificate chain length that is accepted.
# NOTE(review): the hostname check uses proxy_ssl_name (default: the proxy_pass
# host) - confirm it matches the name in the upstream certificates.
proxy_ssl_verify ${NGX_PRXY_SSL_VERIFY};
proxy_ssl_verify_depth ${NGX_PRXY_SSL_VERIFY_DEPTH};
proxy_ssl_trusted_certificate ${NGX_PRXY_SSL_TRUST_CRT};
