switched nginx from boringssl to libressl

nginx/conf/nginx.conf

@@ -1,9 +1,9 @@
 
-# load_module modules/ngx_http_xslt_filter_module.so;
-# load_module modules/ngx_http_image_filter_module.so;
-# load_module modules/ngx_http_geoip_module.so;
-# load_module modules/ngx_http_perl_module.so;
-# load_module modules/ngx_stream_geoip_module.so;
+load_module modules/ngx_http_xslt_filter_module.so;
+#load_module modules/ngx_http_image_filter_module.so;
+load_module modules/ngx_http_geoip_module.so;
+#load_module modules/ngx_http_perl_module.so;
+load_module modules/ngx_stream_geoip_module.so;
 load_module modules/ngx_http_headers_more_filter_module.so;
 load_module modules/ngx_http_brotli_static_module.so;
 load_module modules/ngx_http_brotli_filter_module.so;
@@ -41,9 +41,9 @@ http {
     keepalive_disable  msie6;
 
     ssl_dyn_rec_enable on;
-    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_protocols TLSv1.3;
     ssl_ecdh_curve X25519:P-521:P-384;
-    ssl_ciphers [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES256-GCM-SHA384|ECDHE-RSA-AES256-GCM-SHA384]:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
+    ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-CAMELLIA256-SHA256:DHE-RSA-CAMELLIA256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA256:DHE-RSA-CAMELLIA128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA256:CAMELLIA128-SHA;
     ssl_prefer_server_ciphers on;
     ssl_session_cache shared:SSL:1m;
     ssl_session_timeout 1h;
@@ -53,7 +53,7 @@ http {
     http2 on;
     http3 on;
     quic_retry on;
-    #ssl_early_data on;
+    ssl_early_data off;
     
     gzip_static on;
     gzip on;
@@ -62,30 +62,64 @@ http {
     gzip_proxied any;
     gzip_vary on;
     gzip_disable "msie6";
-    gzip_types
-        text/plain
-        text/css
-        text/x-component
-        text/javascript application/javascript application/x-javascript
-        text/xml application/xml application/rss+xml
-        application/json
-        application/vnd.ms-fontobject
-        font/truetype font/opentype
-        image/svg+xml;
+    
+    gzip_types 
+        application/atom+xml 
+        application/javascript 
+        application/json 
+        application/ld+json 
+        application/manifest+json 
+        application/rss+xml 
+        application/vnd.geo+json 
+        application/vnd.ms-fontobject 
+        application/x-font-ttf 
+        application/x-web-app-manifest+json 
+        application/xhtml+xml 
+        application/xml 
+        font/opentype 
+        image/bmp 
+        image/svg+xml
+        image/x-icon 
+        text/cache-manifest 
+        text/css 
+        text/plain 
+        text/vcard 
+        text/vnd.rim.location.xloc 
+        text/vtt text/x-component 
+        text/x-cross-domain-policy 
+        application/wasm;
+
+
 
     brotli_static on;
     brotli on;
     brotli_comp_level 6;
-    brotli_types
-       text/plain
-       text/css
-       text/x-component
-       text/javascript application/javascript application/x-javascript
-       text/xml application/xml application/rss+xml
-       application/json
-       application/vnd.ms-fontobject
-       font/truetype font/opentype
-       image/svg+xml;
+    brotli_types 
+        application/atom+xml 
+        application/javascript 
+        application/json 
+        application/rss+xml
+        application/vnd.ms-fontobject
+        application/x-font-opentype 
+        application/x-font-truetype
+        application/x-font-ttf 
+        application/x-javascript 
+        application/xhtml+xml 
+        application/xml
+        font/eot 
+        font/opentype 
+        font/otf 
+        font/truetype 
+        image/svg+xml 
+        image/vnd.microsoft.icon
+        image/x-icon 
+        image/x-win-bitmap 
+        text/css 
+        text/javascript 
+        text/plain 
+        text/xml 
+        application/wasm;
+
 
     include /etc/nginx/conf.d/*.conf;
 }

nginx/conf/nginx.vh.no-default.conf

@@ -11,6 +11,7 @@ server {
 }
 
 server {
-  listen 443 ssl http2 default_server;
+  listen 443 ssl default_server;
+  http2 on;
   ssl_reject_handshake on;
 }