diff --git a/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2 b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2
index 1385eb0..3c670a1 100644
--- a/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2
+++ b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2
@@ -14,10 +14,13 @@ real_ip_header P-Real-Ip;
 # SSL
 ssl on;
 ssl_session_timeout 5m;
-ssl_ciphers "HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!DES:!3DES";
-ssl_prefer_server_ciphers off;
+ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256-GCM-SHA256:!AES256-GCM-SHA128:!aNULL:!MD5";
+ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
 
+# Use more secure ECDH curve
+ssl_ecdh_curve secp521r1:secp384r1;
+
 # In buster we will be able to use TLSv1.3
 ssl_protocols TLSv1.2;