From 4bae9425854a25e9b73e31b0e0084d4f9322d6e6 Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Sat, 29 Mar 2025 22:31:32 +0300
Subject: [PATCH] roles/nginx: add nginx ssl_ecdh_curve

This seems to be new since I last looked at the Mozilla server-side SSL configurator.

---
 roles/nginx/defaults/main.yml | 1 +
 roles/nginx/templates/https.j2 | 1 +
 2 files changed, 2 insertions(+)

diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index 50ef831..98122e9 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -14,6 +14,7 @@ nginx_ssl_session_cache: shared:SSL:10m
 nginx_ssl_buffer_size: 4k
 nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
 nginx_ssl_protocols: TLSv1.2 TLSv1.3
+nginx_ssl_ecdh_curve: X25519:prime256v1:secp384r1
 
 # DNS resolvers for OCSP stapling (default to Cloudflare public DNS)
 # See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
diff --git a/roles/nginx/templates/https.j2 b/roles/nginx/templates/https.j2
index 8b31cf6..efd215c 100644
--- a/roles/nginx/templates/https.j2
+++ b/roles/nginx/templates/https.j2
@@ -27,6 +27,7 @@ ssl_dhparam {{ nginx_ssl_dhparam }}; ssl_protocols {{ nginx_ssl_protocols }}; + ssl_ecdh_curve {{ nginx_ssl_ecdh_curve }}; ssl_ciphers "{{ tls_cipher_suite }}"; ssl_prefer_server_ciphers on;
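Review bot: The new `nginx_ssl_ecdh_curve` default in roles/nginx/defaults/main.yml is the only TLS setting in this block without a comment, while the OCSP stapling settings directly below it carry a `# See:` reference; since the commit message says the value was taken from the Mozilla server-side TLS configurator, that provenance belongs in the file, e.g. `# Curves offered for ECDHE key exchange, in server preference order (from the Mozilla server-side TLS configurator)`. A second caveat worth recording next to it: a colon-separated list of several curves is only accepted by nginx 1.11.0 or later built against OpenSSL 1.0.2 or later; on an older build the rendered `ssl_ecdh_curve` line makes `nginx -t` fail, so hosts with such a build need to override the variable with a single curve. The https.j2 hunk that consumes the variable is cut off at the end of the chunk, so I have not reviewed it beyond the added line.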