Configuring TLS to pass ssllabs test

Hey there,

I'm using NextCloud 27.1.4 based on CentOS 7. All the services run inside a Docker container.
My question is, how do I configure NGINX properly? It seems to be located in /opt/app/nextcloud_config/config/nginx, so I have several config files, such as:

ssl.conf
nginx.conf
resolver.conf, etc.

I tried to edit these files and enabled HSTS (which is obviously not working), and found the TLS settings in ssl.conf.

So, ssl.conf is here:

```nginx
## Version 2023/08/13 - Changelog: History for root/defaults/nginx/ssl.conf.sample - linuxserver/docker-baseimage-alpine-nginx · GitHub

### Mozilla Recommendations
# generated 2023-06-25, Mozilla Guideline v5.7, nginx 1.24.0, OpenSSL 3.1.1, intermediate configuration
# Mozilla SSL Configuration Generator

ssl_certificate /config/keys/cloud.cer;
ssl_certificate_key /config/keys/cloud.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;

# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl_dhparam /config/nginx/dh4096.pem;

# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
# this directive only accepts "on" or "off" (the Mozilla sample uses off)
ssl_prefer_server_ciphers on;

# HSTS (ngx_http_headers_module is required) (63072000 seconds)
# max-age and includeSubDomains belong in the same quoted header value
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

# OCSP stapling
#ssl_stapling on;
#ssl_stapling_verify on;

# verify chain of trust of OCSP response using Root CA and Intermediate certs
#ssl_trusted_certificate /config/keys/cert.crt;

### Optional additional headers
#add_header Cache-Control "no-transform" always;
#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'" always;
#add_header Permissions-Policy "interest-cohort=()" always;
#add_header Referrer-Policy "same-origin" always;
#add_header X-Content-Type-Options "nosniff" always;
#add_header X-Frame-Options "SAMEORIGIN" always;
#add_header X-UA-Compatible "IE=Edge" always;
#add_header X-XSS-Protection "1; mode=block" always;
```

As you can see, ssl_protocols TLSv1.2 TLSv1.3 is enabled, but a scan with SSL Server Test (powered by Qualys SSL Labs) reports that TLS 1.0 and TLS 1.1 are currently on. After editing ssl.conf the Docker container was restarted, but nothing changed.
How could I configure TLS/nginx properly inside the container?

Best regards,

Evgeny
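As an added check (not part of the original post, the linuxserver image or the Mozilla generator): a small Python linter for an nginx ssl.conf that flags the things an SSL Labs scan would complain about, namely legacy protocols in `ssl_protocols`, a missing or malformed `Strict-Transport-Security` header, and a statement that is not a directive at all (the HSTS value split into two statements, as in the post). The sample config, the one-year `MIN_HSTS_AGE` threshold and the function names are assumptions made for this example.

```python
import re
import shlex
# Constructed ssl.conf fragment for this example: HSTS written in the malformed
# two-statement form, other directives as in the post.
SAMPLE_CONF = """
ssl_protocols TLSv1.2 TLSv1.3;
add_header Strict-Transport-Security "max-age=63072000" always; "includeSubDomains" always;
#ssl_stapling on;
"""
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MIN_HSTS_AGE = 31536000  # one year; assumed threshold, not a value from the post

def parse_directives(text):
    """(head, args) per ';'-statement; skips '#' comments; head keeps its quotes."""
    stmts, buf, quote = [], [], None
    for line in text.splitlines():
        for ch in line:
            if quote:
                quote = None if ch == quote else quote
            elif ch in "\"'":
                quote = ch
            elif ch == "#":
                break
            elif ch == ";":
                stmts.append("".join(buf).strip())
                buf = []
                continue
            buf.append(ch)
        buf.append(" ")
    return [(s.split(None, 1)[0], shlex.split(s)[1:]) for s in stmts if s]

def check_ssl_conf(text):
    """Findings that would show up as weaknesses in an SSL Labs scan."""
    findings, hsts_values = [], []
    for head, args in parse_directives(text):
        if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", head):
            findings.append(f"syntax error: statement starts with {head!r}, not a directive")
        elif head == "ssl_protocols":
            for legacy in sorted(LEGACY_PROTOCOLS & set(args)):
                findings.append(f"legacy protocol enabled: {legacy}")
        elif head == "add_header" and args and args[0].lower() == "strict-transport-security":
            hsts_values.append(args[1] if len(args) > 1 else "")
    if not hsts_values:
        findings.append("HSTS header not set")
    for value in hsts_values:
        m = re.search(r"max-age=(\d+)", value)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age missing or below {MIN_HSTS_AGE}: {value!r}")
        if "includesubdomains" not in value.lower():
            findings.append(f"HSTS value lacks includeSubDomains: {value!r}")
    return findings
```

Feed it the output of `docker exec <container> nginx -T` (placeholder container name) rather than the file on disk, so it checks the configuration nginx actually loaded and surfaces any parse error that stopped the edit from taking effect. If TLS is terminated by another proxy in front of the container, that proxy's configuration is what SSL Labs sees and is the one to check.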