My Ghost blog, NGiNX TLS configuration | X25519 & secp384r1 | RSA & ECDSA

tls.conf

# RSA
ssl_certificate		/path/fullchain.pem;
ssl_certificate_key	/path/privkey.pem;

# ECDSA
ssl_certificate		/path/0001_chain.pem;
ssl_certificate_key	/path/itchy.nl.ec.key;

ssl_dhparam		/path/dhparam4096.pem;

ssl_buffer_size		1400;
ssl_session_timeout	1d;
ssl_session_cache	shared:SSL:50m;
ssl_session_tickets	off;

# modern configuration.
# Oldest compatible clients: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8
ssl_protocols		TLSv1.2;
ssl_ciphers		"ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
ssl_prefer_server_ciphers on;
ssl_ecdh_curve		X25519:secp384r1;

# OCSP Stapling.
# fetch OCSP records from URL in ssl_certificate and cache them.
ssl_stapling		on;
ssl_stapling_verify	on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/cert.pem;
resolver		8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout	5s;