ssl_certificate /etc/nginx/certs/{{ websites_enabled[0] }}.crt;
    ssl_certificate_key /etc/nginx/certs/{{ websites_enabled[0] }}.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_dhparam dh-4096.pem;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx => 1.3.7
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";