fix: enforce TLSv1.3 on Mozilla-Modern SSL policy

nginx.tmpl

@@ -142,15 +142,12 @@
 {{- define "ssl_policy" }}
     {{- if eq .ssl_policy "Mozilla-Modern" }}
     ssl_protocols TLSv1.3;
-        {{- /*
-             * nginx currently lacks ability to choose ciphers in TLS 1.3 in
-             * configuration, see https://trac.nginx.org/nginx/ticket/1529.
-             * A possible workaround can be modify /etc/ssl/openssl.cnf to change
-             * it globally (see https://trac.nginx.org/nginx/ticket/1529#comment:12).
-             * Explicitly set nginx default value in order to allow single servers
-             * to override the global http value.
-             */}}
-    ssl_ciphers HIGH:!aNULL:!MD5;
+    {{- /*
+         * This ssl_ciphers directive is not used but necessary to get TLSv1.3 only.
+         * see https://serverfault.com/questions/1023766/nginx-with-only-tls1-3-cipher-suites
+         */}}
+    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384;
+    ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
     ssl_prefer_server_ciphers off;
     {{- else if eq .ssl_policy "Mozilla-Intermediate" }}
     ssl_protocols TLSv1.2 TLSv1.3;
@@ -162,6 +159,10 @@
     ssl_prefer_server_ciphers on;
     {{- else if eq .ssl_policy "AWS-TLS13-1-3-2021-06" }}
     ssl_protocols TLSv1.3;
+    {{- /*
+         * This ssl_ciphers directive is not used but necessary to get TLSv1.3 only.
+         * see https://serverfault.com/questions/1023766/nginx-with-only-tls1-3-cipher-suites
+         */}}
     ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384;
     ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
     ssl_prefer_server_ciphers on;