From 8539344331d75afb272c34eaa2775bbc849adef1 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Thu, 29 Dec 2022 11:03:55 +0100
Subject: [PATCH 1/2] Reduce nginx ssl_session_cache to 3m each
---
 core/nginx/conf/nginx.conf | 4 ++--
 towncrier/newsfragments/2605.misc | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)
 create mode 100644 towncrier/newsfragments/2605.misc
diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index b373fb13..2c2b568d 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -100,7 +100,7 @@ http {
 include /etc/nginx/tls.conf;
 ssl_stapling on;
 ssl_stapling_verify on;
- ssl_session_cache shared:SSLHTTP:50m;
+ ssl_session_cache shared:SSLHTTP:3m;
 add_header Strict-Transport-Security 'max-age=31536000';
 {% if not TLS_FLAVOR in [ 'mail', 'mail-letsencrypt' ] %}
@@ -284,7 +284,7 @@ mail {
 {% if TLS and not TLS_ERROR %}
 include /etc/nginx/tls.conf;
- ssl_session_cache shared:SSLMAIL:50m;
+ ssl_session_cache shared:SSLMAIL:3m;
 {% endif %}
 # Advertise real capabilities of backends (postfix/dovecot)
diff --git a/towncrier/newsfragments/2605.misc b/towncrier/newsfragments/2605.misc
new file mode 100644
index 00000000..aec69c5c
--- /dev/null
+++ b/towncrier/newsfragments/2605.misc
@@ -0,0 +1 @@
+Reduce the SSL session caches from 50m each to 3m each. This should be good for 12k sessions (within 1day) for each cache and will help reduce memory usage.
From cd107182c15297c38107071559a63324b5c9aee5 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Thu, 29 Dec 2022 11:04:16 +0100
Subject: [PATCH 2/2] comment
---
 core/nginx/conf/tls.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/nginx/conf/tls.conf b/core/nginx/conf/tls.conf
index 3970ed33..93a2f39f 100644
--- a/core/nginx/conf/tls.conf
+++ b/core/nginx/conf/tls.conf
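Review bot: The sizing rationale for the new value lives only in the newsfragment, so a reader of nginx.conf cannot tell whether `shared:SSLHTTP:3m` on the + line of the -100 hunk is a deliberate tuning choice or a typo; the same applies to `shared:SSLMAIL:3m` in the -284 hunk. nginx documents roughly 4000 sessions per megabyte of shared cache, which matches the ~12k figure in the newsfragment, and because tls.conf sets `ssl_session_tickets off`, this cache is the only resumption path, so exceeding it costs full handshakes rather than failing connections. I would add `# ~4000 sessions/MB (nginx docs): 3m ≈ 12k resumable sessions within ssl_session_timeout` above each of the two directives so the number is explained where it is set. The enclosing http and mail blocks start and end outside these hunks.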
@@ -6,7 +6,7 @@ ssl_certificate_key {{ TLS[3] }};
 ssl_trusted_certificate /etc/ssl/certs/ca-cert-ISRG_Root_X1.pem;
 {% endif %}
 ssl_session_timeout 1d;
-ssl_session_tickets off;
+ssl_session_tickets off; # this can be removed when we have nginx v1.23.2
 ssl_dhparam /conf/dhparam.pem;
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
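Review bot: The comment added on the + line says when `ssl_session_tickets off` can be dropped but not why it is set, which is the part a maintainer needs before removing it. If I read the nginx changelog correctly, 1.23.2 introduced automatic rotation of session ticket keys when a shared `ssl_session_cache` is configured; before that, the ticket key generated at startup stays in use until reload, which weakens forward secrecy for resumed sessions and is the reason to keep tickets off. I would replace the comment with `# off: nginx < 1.23.2 does not rotate ticket keys automatically, which weakens forward secrecy for resumed sessions; revisit once nginx >= 1.23.2 is in use`. The shared session cache that backs resumption while tickets are off is sized in nginx.conf, outside this hunk.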