diff --git a/jitsi-post-install.sh b/jitsi-post-install.sh
index 2c464c8..20f1deb 100755
--- a/jitsi-post-install.sh
+++ b/jitsi-post-install.sh
@@ -1045,25 +1045,15 @@ server {
     #
     ssl_dhparam /etc/nginx/ssl/dhparam.pem;
 
-    # Eable session resumption to improve https performance
-    ssl_session_cache shared:SSL:50m;
-    ssl_session_timeout 10m;
-    ssl_session_tickets off;
-
-    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # omit SSLv3 because of POODLE
-    # omit SSLv3 because of POODLE
-    # omit  TLSv1 TLSv1.1
+    # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
     ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
 
-    # ECDHE better than DHE (faster)  ECDHE & DHE GCM better than CBC (attacks on AES)
-    # Everything better than SHA1 (deprecated)
-    #
-    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA';
-    ssl_prefer_server_ciphers on;
-
-    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-    #ssl_prefer_server_ciphers on;
-    #ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";
+    # Eable session resumption to improve https performance
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_tickets off;
 
     add_header Strict-Transport-Security "max-age=31536000";
 
@@ -1081,8 +1071,10 @@ server {
     error_page 404 /static/404.html;
 
     gzip on;
-    gzip_types text/plain text/css application/javascript application/json;
+    gzip_types text/plain text/css application/javascript application/json image/x-icon application/octet-stream application/wasm;
     gzip_vary on;
+    gzip_proxied no-cache no-store private expired auth;
+    gzip_min_length 512;
 
     location = /config.js {
         alias /etc/jitsi/meet/${FQHN_HOSTNAME}-config.js;
@@ -1097,6 +1089,11 @@ server {
     {
         add_header 'Access-Control-Allow-Origin' '*';
         alias /usr/share/jitsi-meet/\$1/\$2;
+
+        # cache all versioned files
+        if (\$arg_v) {
+          expires 1y;
+        }
     }
 
     # BOSH
@@ -1116,6 +1113,15 @@ server {
         tcp_nodelay on;
     }
 
+    # colibri (JVB) websockets for jvb1
+    location ~ ^/colibri-ws/default-id/(.*) {
+       proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/\$1\$is_args\$args;
+       proxy_http_version 1.1;
+       proxy_set_header Upgrade \$http_upgrade;
+       proxy_set_header Connection "upgrade";
+       tcp_nodelay on;
+    }
+
     location ~ ^/([^/?&:'"]+)\$ {
         try_files \$uri @root_path;
     }