webserver: allow only a single cipher setting

The documentation allows setting ssl_protocols in both http and server
blocks. However, setting different protocols on the same socket that is
used across servers is unsupported. This is only clear from a five year
old bug report, referencing even older mailing list posts. All our
setups use different server blocks on the same IP address and ports,
thus the possibility to configure different settings per server is
removed to be more clear in what is supported.

See: https://trac.nginx.org/nginx/ticket/766

webserver/templates/nginx-proxy.conf

@@ -59,6 +59,12 @@ http {
     ##
     # SSL Settings
     ##
+    ssl_protocols {{protocols[cipher_strength]}};
+    ssl_prefer_server_ciphers {{'on' if prefer_server_ciphers[cipher_strength] else 'off'}};
+    {% if ciphers[cipher_strength] is not none %}
+    ssl_ciphers '{{ciphers[cipher_strength]}}';
+    {% endif %}
+
     ssl_session_timeout 1d;
     ssl_session_cache shared:SSL:50m;
     ssl_session_tickets off;

webserver/templates/ssl-certificate

     ssl_certificate {{server.certificate|default("/etc/ssl/acmebot/cert/" + server.server_name + ".pem")}};
     ssl_trusted_certificate {{server.certificate|default("/etc/ssl/acmebot/cert/" + server.server_name + ".pem")}};
     ssl_certificate_key {{server.private_key|default("/etc/ssl/acmebot/privkey/" + server.server_name + ".pem")}};
-
-    {% set strength = server.cipher_strength|default(cipher_strength) %}
-    ssl_protocols {{protocols[strength]}};
-    ssl_prefer_server_ciphers {{'on' if prefer_server_ciphers[strength] else 'off'}};
-    {% if ciphers[strength] is not none %}
-    ssl_ciphers '{{ciphers[strength]}}';
-    {% endif %}