diff --git a/roles/nginx-https/defaults/main.yml b/roles/nginx-https/defaults/main.yml
index 31b35dbed5adc28dd915cae73c0d5373badccbe4..ffdd00447d249a0ab2d5d534c6c46bbbdf1ec2e3 100644
--- a/roles/nginx-https/defaults/main.yml
+++ b/roles/nginx-https/defaults/main.yml
@@ -2,6 +2,9 @@
 nginx_ssl_protocols: "TLSv1.3 TLSv1.2"
 nginx_ssl_ciphers: "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256"
 nginx_ssl_dhparam: "/etc/ssl/certs/dh4096.pem"
 nginx_ssl_dhparam_bits: 4096
+nginx_ssl_ecdh_curve: "secp521r1:secp384r1"
+nginx_ssl_prefer_server_ciphers: true
+nginx_ssl_stapling: true
 nginx_https_default_headers: null
diff --git a/roles/nginx-https/templates/ssl.conf.j2 b/roles/nginx-https/templates/ssl.conf.j2
index 5c3fb54af16c19c7d4c6cddbf728caba42bf4955..05e4f80e76abaa7ec1e06cb4b4b7a98e09647c43 100644
--- a/roles/nginx-https/templates/ssl.conf.j2
+++ b/roles/nginx-https/templates/ssl.conf.j2
@@ -6,8 +6,9 @@ listen [::]:443 ssl http2;
 ssl_dhparam {{ nginx_ssl_dhparam }};
 ssl_protocols {{ nginx_ssl_protocols }};
 ssl_ciphers {{ nginx_ssl_ciphers }};
-ssl_prefer_server_ciphers on;
-ssl_stapling on;
+ssl_ecdh_curve {{ nginx_ssl_ecdh_curve }};
+ssl_prefer_server_ciphers {{ "on" if nginx_ssl_prefer_server_ciphers else "off" }};
+ssl_stapling {{ "on" if nginx_ssl_stapling else "off" }};
 {% if nginx_https_default_headers %}
 {% for header in nginx_https_default_headers %}
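Review bot: The new `nginx_ssl_ecdh_curve` default `"secp521r1:secp384r1"` omits X25519 and prime256v1 (P-256), so a client that only offers P-256 — still common in older or embedded TLS stacks — shares no group with the server and the handshake fails; under TLS 1.3 this directive also decides which key shares nginx accepts, so the interoperability cost is larger than it was under TLS 1.2 alone. Unless the narrower set is a deliberate policy, a default such as `nginx_ssl_ecdh_curve: "X25519:secp384r1:prime256v1"` keeps the strong curves while remaining reachable by mainstream clients; whether the deployed OpenSSL build actually offers X25519 should be confirmed before changing it. The three new variables also carry no comment telling an operator what they feed, so a line such as `# rendered into templates/ssl.conf.j2; the booleans become nginx on/off` above them would make overrides in inventory less error-prone.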
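Review bot: The on/off rendering on the new `ssl_prefer_server_ciphers` and `ssl_stapling` lines relies on plain Jinja truthiness, so an override supplied as a string — `-e nginx_ssl_stapling=false` on the command line, or `"no"` from an inventory — is a non-empty string and renders `on`, silently re-enabling what the operator meant to turn off. Coercing first closes that gap: `ssl_prefer_server_ciphers {{ "on" if nginx_ssl_prefer_server_ciphers | bool else "off" }};` and `ssl_stapling {{ "on" if nginx_ssl_stapling | bool else "off" }};`. The server block these lines sit in begins and ends outside the hunk, so I cannot see whether `ssl_stapling_verify` and a `resolver` are configured alongside; if they are not, nginx has no way to look up the OCSP responder and stapling quietly does nothing, which is worth checking now that the role enables it by default.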