diff --git a/Dockerfile b/Dockerfile
index 1cd9e0a..e25f164 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,7 +15,7 @@ ENV ASM_NGX_EXTRA_ACCESS_LOG_COMMENT="" \
 ASM_NGX_EXTRA_PROXY_CACHE_SLOW_SIZE="4096m" \
 ASM_NGX_EXTRA_PROXY_CACHE_FAST_COMMENT="" \
 ASM_NGX_EXTRA_PROXY_CACHE_SLOW_COMMENT="" \
- ASM_NGX_EXTRA_SSL_PROFILE="modern" \
+ ASM_NGX_EXTRA_SSL_PROFILE="intermediate" \
 ASM_NGX_EXTRA_MONITORING_PORT="8127" \
 ASM_NGX_EXTRA_CLIENT_BODY_BUFFER_SIZE="256k" \
 ASM_NGX_EXTRA_CLIENT_HEADER_BUFFER_SIZE="2k" \
diff --git a/conf.d/http/default_server.conf b/conf.d/http/default_server.conf
index 40cbceb..651c619 100644
--- a/conf.d/http/default_server.conf
+++ b/conf.d/http/default_server.conf
@@ -10,7 +10,6 @@ server {
 server {
 listen 80 default_server;
 listen 443 default_server ssl http2;
- listen 443 default_server quic reuseport;
 
 server_name _;
 
@@ -26,9 +25,6 @@ server {
 ssl_certificate_key /.defaults/cert/privkey.pem;
 ssl_trusted_certificate /.defaults/cert/chain.pem;
 
- # add Alt-Svc header to negotiate HTTP/3.
- add_header alt-svc 'h3=":443"; ma=86400';
-
 location = /robots.txt {
 return 200 "User-agent: *\nDisallow: /";
 }
diff --git a/nginx/.defaults/ssl/profile.intermediate.conf b/nginx/.defaults/ssl/profile.intermediate.conf
index 898ed3e..becb3e5 100644
--- a/nginx/.defaults/ssl/profile.intermediate.conf
+++ b/nginx/.defaults/ssl/profile.intermediate.conf
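Review bot: Changing the shipped default of `ASM_NGX_EXTRA_SSL_PROFILE` from `modern` to `intermediate` silently widens the TLS surface for every deployment that does not override the variable — the old runtime profile in this same commit was TLSv1.3-only, the new one accepts TLSv1.2 plus DHE suites — and nothing in the hunk records why. A one-line comment above the variable would spare the next reader a git-blame: `# "intermediate" = TLSv1.2+1.3 for older clients; set to "modern" for TLSv1.3-only`. If the relaxation is for a specific client population, naming it there (or in the commit message) makes it possible to revert once that population is gone. The `ENV` instruction begins before this hunk.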
@@ -1,4 +1,4 @@
 ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
 ssl_prefer_server_ciphers off;
 ssl_dhparam /.defaults/cert/dhparam.pem;
diff --git a/nginx/.defaults/ssl/profile.runtime.conf b/nginx/.defaults/ssl/profile.runtime.conf
index 30d2fe3..becb3e5 100644
--- a/nginx/.defaults/ssl/profile.runtime.conf
+++ b/nginx/.defaults/ssl/profile.runtime.conf
@@ -1,2 +1,4 @@
-ssl_protocols TLSv1.3;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
 ssl_prefer_server_ciphers off;
+ssl_dhparam /.defaults/cert/dhparam.pem;
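Review bot: The added `DHE-RSA-CHACHA20-POLY1305` suite, like the two DHE-RSA-AES-GCM suites already in the list, is only as strong as the group in `/.defaults/cert/dhparam.pem`, and this hunk does not show how that file is produced or how large it is; a sub-2048-bit parameter would make every DHE suite here the weakest option a TLSv1.2 client can negotiate, and with `ssl_prefer_server_ciphers off` the client gets to pick. Worth pinning that assumption in the file with `# DHE-* suites depend on ssl_dhparam; ship >=2048-bit params (RFC 7919 ffdhe2048 recommended)` above the `ssl_dhparam` line, and checking the shipped or generated file against it. A second comment above `ssl_ciphers` saying that the list governs TLSv1.2 only — TLSv1.3 suites are fixed by the TLS library and unaffected by this directive — would stop someone from trying to tighten TLSv1.3 by editing this line.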
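Review bot: `profile.runtime.conf` is being hand-edited into a byte-for-byte copy of `profile.intermediate.conf` (both files land on blob `becb3e5`), so the two will drift the next time only one of them is touched. If, as the `ASM_NGX_EXTRA_SSL_PROFILE` default in the Dockerfile suggests, the runtime profile is meant to be materialised from the selected profile at container start, the committed content should either be written by the entrypoint or reduced to `include /.defaults/ssl/profile.intermediate.conf;` so there is a single source of truth — the entrypoint is not in this diff, so confirm which mechanism is intended. At minimum a header such as `# Populated from profile.<ASM_NGX_EXTRA_SSL_PROFILE>.conf at startup; do not edit by hand` would discourage the next manual edit. Note that the removed line was `ssl_protocols TLSv1.3;`, so this hunk, not the Dockerfile one, is what actually re-enables TLSv1.2 at runtime.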