diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index 9d07933..c48a12f 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -87,8 +87,8 @@ nginx_default_vhost: "{{ nginx_default_vhost_base | combine(nginx_default_vhost_
 # List of IP addresses which won't be affected by maintenance redirections
 nginx_maintenance_ip: []
-nginx_ssl_ciphers_modern: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'
-nginx_ssl_ciphers_compat: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'
+nginx_ssl_ciphers_modern: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
+nginx_ssl_ciphers_compat: 
'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA' nginx_ssl_protocols: - TLSv1.2 - TLSv1.3
diff --git a/roles/nginx/templates/ansible_conf.d/10-ssl.conf.j2 b/roles/nginx/templates/ansible_conf.d/10-ssl.conf.j2
index 30b41c1..7022b37 100644
--- a/roles/nginx/templates/ansible_conf.d/10-ssl.conf.j2
+++ b/roles/nginx/templates/ansible_conf.d/10-ssl.conf.j2
@@ -1,8 +1,9 @@
 ssl_certificate {{ nginx_cert_path }};
 ssl_certificate_key {{ nginx_key_path }};
 ssl_dhparam /etc/nginx/ssl/dhparam.pem;
-ssl_ciphers {{ nginx_ssl_ciphers_compat }};
+ssl_ciphers {{ nginx_ssl_ciphers_modern }};
 ssl_protocols {{ nginx_ssl_protocols | join(' ') }};
+ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 1h;
 ssl_session_tickets off;
diff --git a/roles/nginx/templates/ansible_conf.d/30-vhosts.conf.j2 b/roles/nginx/templates/ansible_conf.d/30-vhosts.conf.j2
index 4d0afd9..3acb4d4 100644
--- a/roles/nginx/templates/ansible_conf.d/30-vhosts.conf.j2
+++ b/roles/nginx/templates/ansible_conf.d/30-vhosts.conf.j2
@@ -43,6 +43,7 @@ server { ssl_protocols TLSv1.2 TLSv1.3; {% endif %} {% endif %} + ssl_prefer_server_ciphers on; server_name {{ vhost.name }} {{ vhost.aliases | join(' ') }};
diff --git a/roles/squid/files/acl/software_almalinux.domains b/roles/squid/files/acl/software_almalinux.domains
index 6cdf119..2bc27fe 100644
--- a/roles/squid/files/acl/software_almalinux.domains
+++ b/roles/squid/files/acl/software_almalinux.domains
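Review bot: The new `nginx_ssl_ciphers_compat` still ends in `DES-CBC3-SHA`, a 3DES suite with a 64-bit block that current guidance treats as deprecated, while every other 3DES entry (`ECDHE-*-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`) was dropped from it; unless a specific legacy client is known to need it, remove that trailing entry so the compat list is 128-bit AES or ChaCha20 throughout. Since 10-ssl.conf.j2 in this same commit switches `ssl_ciphers` to the modern list, the compat variable is, as far as this diff shows, no longer referenced anywhere, so a comment above it stating its role would help, e.g. `# Legacy-client cipher list (includes CBC and non-PFS static-RSA suites); not applied by default`. The modern list now includes `DHE-RSA-*` suites, whose strength is bounded by the group in `/etc/nginx/ssl/dhparam.pem` referenced by the template, so a one-line note on the expected dhparam size next to these variables would also be worth adding. As a style point, both values could follow the `nginx_ssl_protocols` convention of a YAML list joined in the template (with `':'`), which makes per-suite diffs readable instead of one very long quoted scalar.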
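Review bot: `ssl_prefer_server_ciphers on;` is added here and again per-server in the 30-vhosts.conf.j2 hunk, so the same setting now lives in two templates that must be kept in sync; if 10-ssl.conf.j2 is included at the http level (not visible in this diff), the per-vhost copy is redundant and can be dropped (that hunk's enclosing `server {` block starts outside it). With `nginx_ssl_ciphers_modern` now AEAD-only over ECDHE/DHE key exchange, server-preferred ordering buys little, and current Mozilla "intermediate" guidance is `ssl_prefer_server_ciphers off;` so that clients without AES hardware can pick ChaCha20-Poly1305; whichever is kept, the choice deserves a comment, e.g. `# server order wins: AES-GCM is chosen over ChaCha20 even for clients that prefer ChaCha20`. Note also that with OpenSSL `ssl_ciphers` does not configure TLS 1.3 suites, so the cipher-list change applies to TLS 1.2 only, which is worth saying in the commit or a comment. Switching the global default from the compat to the modern list removes CBC and static-RSA suites for every vhost at once; an indirection such as `ssl_ciphers {{ nginx_ssl_ciphers }};` with a default pointing at the modern list would let an operator with a known legacy client opt back into `nginx_ssl_ciphers_compat` without editing the template.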
@@ -8,3 +8,4 @@ almalinux.mirror.liteserver.nl
 almalinux.uib.no
 almalinux.slaskdatacenter.com
 almalinux.mirror.katapult.io
+alma.mirror.ate.info