diff --git a/nginx_proxy/CHANGELOG.md b/nginx_proxy/CHANGELOG.md
index 4e77f77..7de62e5 100644
--- a/nginx_proxy/CHANGELOG.md
+++ b/nginx_proxy/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
+## 3.0
+
+- Update Alpine to 3.11
+- Use mozilla Recommended SSL settings
+
 ## 2.6
 - Remove ipv6 listener because we run only inside virtual network on a ipv4 range
diff --git a/nginx_proxy/build.json b/nginx_proxy/build.json
index bbf7ade..460c6cd 100644
--- a/nginx_proxy/build.json
+++ b/nginx_proxy/build.json
@@ -1,9 +1,9 @@
 {
 "build_from": {
- "aarch64": "homeassistant/aarch64-base:3.10",
- "amd64": "homeassistant/amd64-base:3.10",
- "armhf": "homeassistant/armhf-base:3.10",
- "armv7": "homeassistant/armv7-base:3.10",
- "i386": "homeassistant/i386-base:3.10"
+ "aarch64": "homeassistant/aarch64-base:3.11",
+ "amd64": "homeassistant/amd64-base:3.11",
+ "armhf": "homeassistant/armhf-base:3.11",
+ "armv7": "homeassistant/armv7-base:3.11",
+ "i386": "homeassistant/i386-base:3.11"
 }
 }
diff --git a/nginx_proxy/config.json b/nginx_proxy/config.json
index 17243bc..67c5272 100644
--- a/nginx_proxy/config.json
+++ b/nginx_proxy/config.json
@@ -1,6 +1,6 @@
 {
 "name": "NGINX Home Assistant SSL proxy",
- "version": "2.6",
+ "version": "3.0",
 "slug": "nginx_proxy",
 "description": "An SSL/TLS proxy",
 "url": "https://github.com/home-assistant/hassio-addons/tree/master/nginx_proxy",
diff --git a/nginx_proxy/data/nginx.conf b/nginx_proxy/data/nginx.conf
index 238d0e8..fdc091f 100644
--- a/nginx_proxy/data/nginx.conf
+++ b/nginx_proxy/data/nginx.conf
@@ -36,6 +36,9 @@ http {
 server {
 server_name %%DOMAIN%%;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m;
+ ssl_session_tickets off;
 ssl_certificate /ssl/%%FULLCHAIN%%;
 ssl_certificate_key /ssl/%%PRIVKEY%%;
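Review bot: The three session directives inserted before `ssl_certificate` carry no comment saying where the values come from, so a later maintainer cannot tell whether `1d`, `shared:MozSSL:10m` and `ssl_session_tickets off` are local choices or copied values that must be refreshed together with the cipher list in the second nginx.conf hunk. I would add `# TLS session resumption settings from the Mozilla SSL Configuration Generator (intermediate profile); keep in sync with the ssl_protocols/ssl_ciphers block below` above `ssl_session_timeout 1d;`, and give the bare `# intermediate configuration` comment in the next hunk the same reference. With tickets disabled, resumption relies solely on the shared cache, which is worth one clause in that comment so nobody re-enables tickets without knowing why they were turned off. The `server` block this hunk opens ends outside the hunk.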
@@ -44,10 +47,11 @@ http {
 listen 443 ssl http2;
 %%HSTS%%
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
+
+ # intermediate configuration
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
 proxy_buffering off;
diff --git a/nginx_proxy/data/run.sh b/nginx_proxy/data/run.sh
index 2c37c23..1ef0f3c 100755
--- a/nginx_proxy/data/run.sh
+++ b/nginx_proxy/data/run.sh
@@ -53,7 +53,7 @@ sed -i "s/%%FULLCHAIN%%/$CERTFILE/g" /etc/nginx.conf
 sed -i "s/%%PRIVKEY%%/$KEYFILE/g" /etc/nginx.conf
 sed -i "s/%%DOMAIN%%/$DOMAIN/g" /etc/nginx.conf
-[ -n "$HSTS" ] && HSTS="add_header Strict-Transport-Security \"$HSTS\";"
+[ -n "$HSTS" ] && HSTS="add_header Strict-Transport-Security \"$HSTS\" always;"
 sed -i "s/%%HSTS%%/$HSTS/g" /etc/nginx.conf
 # Allow customize configs from share
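Review bot: The new `ssl_ciphers` list ends with two `DHE-RSA-*` suites but the hunk sets no `ssl_dhparam`; since nginx 1.11.0 DHE suites are not offered unless `ssl_dhparam` is configured, so unless it is set somewhere this diff does not show, those two entries are inert and the Mozilla intermediate profile being copied is only partly applied. Either add `ssl_dhparam /ssl/dhparam.pem;` (path illustrative) pointing at the RFC 7919 ffdhe2048 parameters the generator ships alongside this list, or trim the two `DHE-RSA-*` suites so the directive reflects what is actually negotiated. Dropping `TLSv1 TLSv1.1` is a client-compatibility change that the changelog folds into "Use mozilla Recommended SSL settings"; it deserves its own line in the 3.0 entry. The `server` block these directives belong to starts and ends outside the hunk.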
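Review bot: The assembled directive is still injected through `sed -i "s/%%HSTS%%/$HSTS/g"` on the line after the change with `$HSTS` unescaped, so a `/`, `&` or `\` in the configured value corrupts the substitution and a `"` ends the nginx string early; the value presumably comes from the add-on's own options, so this is a misconfiguration-robustness issue rather than an untrusted-input one, but it now also silently strips the `always` that the new line adds. Switching the delimiter, `sed -i "s|%%HSTS%%|$HSTS|g" /etc/nginx.conf`, removes the `/` case; `&` and `|` still need escaping if full robustness is wanted. The behavioural effect of `always` (the header is now sent on error responses too) is user-visible and is missing from the 3.0 changelog entry.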