diff --git a/doc/nginx/snippets/publik-ssl.conf b/doc/nginx/snippets/publik-ssl.conf
new file mode 100644
index 0000000..33a9d73
--- /dev/null
+++ b/doc/nginx/snippets/publik-ssl.conf
@@ -0,0 +1,21 @@
+# from https://ssl-config.mozilla.org/
+# nginx 1.10.3, intermediate config, OpenSSL 1.1.0l
+
+ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+# openssl dhparam -out /etc/ssl/dhparam2048.pem 2048
+# or fastly: curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/ssl/dhparam2048.pem
+ssl_dhparam /etc/ssl/dhparam2048.pem;
+
+# intermediate configuration
+ssl_protocols TLSv1.2;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
+
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+add_header Strict-Transport-Security "max-age=63072000" always;
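Review bot: The `ssl_certificate` / `ssl_certificate_key` lines point at the `ssl-cert-snakeoil` pair, which on Debian-derived systems is the self-signed placeholder generated by the ssl-cert package, so a deployment that copies this snippet unchanged serves an untrusted certificate while the last line pins HSTS for two years; a comment above `ssl_certificate` should make that explicit, e.g. `# placeholder self-signed pair; replace with the site's real certificate chain and key before use`. A second caveat belongs next to `add_header Strict-Transport-Security`: nginx only inherits add_header directives into a server or location block that declares none of its own, so any block in the including config that sets another header silently loses HSTS unless this line is repeated there. The Mozilla intermediate profile this snippet is attributed to also emits OCSP stapling directives (`ssl_stapling on;`, `ssl_stapling_verify on;`, `ssl_trusted_certificate`, and a `resolver`), which are absent here — presumably dropped because the placeholder certificate has no OCSP responder; a one-line comment saying so would keep the "from ssl-config.mozilla.org" attribution accurate and remind operators to restore stapling once a real certificate is installed.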