From 8b7bfdc88930acfe9aeb918fa71996b50f92db06 Mon Sep 17 00:00:00 2001
From: Marco Kundt <mrckndt@riseup.net>
Date: Tue, 20 Apr 2021 19:27:53 +0200
Subject: [PATCH] introduce TLS 1.3's 0-RTT

---
 nginx/mattermost.conf | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/nginx/mattermost.conf b/nginx/mattermost.conf
index cb042cf..c6cf24f 100644
--- a/nginx/mattermost.conf
+++ b/nginx/mattermost.conf
@@ -54,6 +54,10 @@ server {
     ssl_certificate /cert.pem;
     ssl_certificate_key /key.pem;
 
+    # enable TLSv1.3's 0-RTT. Use $ssl_early_data when reverse proxying to prevent replay attacks.
+    # https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
+    ssl_early_data on;
+
     # OCSP stapling
     ssl_stapling on;
     ssl_stapling_verify on;
@@ -94,6 +98,7 @@ server {
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header X-Frame-Options SAMEORIGIN;
+        proxy_set_header Early-Data $ssl_early_data;
         proxy_buffers 256 16k;
         proxy_buffer_size 16k;
         client_body_timeout 60;
@@ -113,6 +118,7 @@ server {
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header X-Frame-Options SAMEORIGIN;
+        proxy_set_header Early-Data $ssl_early_data;
         proxy_buffers 256 16k;
         proxy_buffer_size 16k;
         proxy_read_timeout 600s;