diff --git a/README.md b/README.md
index 63cc3816139e3e59acdcd7132999ce6141abb3cb..eee6b819739ea5f507428eadd7db03783821cefe 100644
--- a/README.md
+++ b/README.md
@@ -134,6 +134,7 @@ Role Variables
 | `funkwhale_media_path`                  | `/srv/funkwhale/data/media`   | Path where audio and uploaded files should be stored (**no trailing slash**)  |
 | `funkwhale_music_path`                  | `/srv/funkwhale/data/music`   | Path to your existing music library, to use with [CLI import](https://docs.funkwhale.audio/admin/importing-music.html) (**no trailing slash**) |
 | `funkwhale_nginx_managed`               | `true`                        | If `true`, will install and configure nginx |
+| `funkwhale_nginx_tls_configure_ciphers` | `true`                        | Set TLS ciphers, curves, etc, overriding any settings in http{} |
 | `funkwhale_nginx_max_body_size`         | `100M`                        | Value of nginx's `max_body_size` parameter to use |
 | `funkwhale_protocol`                    | `https`                       | If set to `https`, will configure Funkwhale and Nginx to work behind HTTPS. Use `http` to completely disable SSL. |
 | `funkwhale_redis_managed`               | `true`                        | If `true`, will install and configure redis |
diff --git a/defaults/main.yml b/defaults/main.yml
index 96c5c55a6935b5d03530b7036db9eaccee73f650..8279261bdf1f773ae78bbcfaafa2938861887674 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -26,8 +26,9 @@ funkwhale_database_port: 5432
 #funkwhale_database_url: postgresql://{{ funkwhale_database_user }}[:{{ funkwhale_database_password }}]@[{{ funkwhale_database_host_app }}]:{{ funkwhale_database_port | default(5432) }}/{{ funkwhale_database_name }}
 
 funkwhale_nginx_managed: true
-# If you have an hTTPS reverse proxy higher up, set this to true
+# If you have an HTTPS reverse proxy higher up, set this to true
 funkwhale_nginx_tls_termination: true
+funkwhale_nginx_tls_configure_ciphers: true
 funkwhale_nginx_max_body_size: 100M
 funkwhale_nginx_use_compression: true
 funkwhale_ssl_cert_path:
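Review bot: The new `funkwhale_nginx_tls_configure_ciphers` default has no comment, although the variable above it has one, and its name undersells what turning it off does. Judging by the template change in this commit, `false` also drops the session-ticket and OCSP-stapling directives, leaving them to nginx's `http{}` block or its built-in defaults. I would add above it: `# Set to false only if ciphers, curves, session tickets and OCSP stapling are configured in nginx's http{} block`.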
diff --git a/templates/nginx.conf.j2 b/templates/nginx.conf.j2
index e1e6ac72a2dd97a407194005c946629e36ae14d5..b7f24beb62297ff7b5104cc26bf7a1cf5391bd13 100644
--- a/templates/nginx.conf.j2
+++ b/templates/nginx.conf.j2
@@ -20,6 +20,7 @@ server {
     ssl_certificate /etc/letsencrypt/live/{{ funkwhale_hostname }}/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/{{ funkwhale_hostname }}/privkey.pem;
     {% endif -%}
+    {% if funkwhale_nginx_tls_configure_ciphers -%}
     # from https://cipherli.st/
     ssl_prefer_server_ciphers on;
     ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
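Review bot: The `{% if funkwhale_nginx_tls_configure_ciphers -%}` guard opened here is closed in the next hunk after `ssl_stapling_verify on;`, so it gates `ssl_session_tickets off` and both stapling directives, not only ciphers and curves. The lines between the two hunks are not visible, so the gated set may be larger. With the flag false the server block still renders the certificate paths and the HSTS header but no TLS tuning, and nginx's built-in defaults (session tickets on, stapling off) apply unless `http{}` overrides them. An else branch that writes a comment into the rendered file would make this visible to whoever audits the config: `{% else -%}` followed by `# TLS ciphers, session tickets and stapling inherited from http{}`. The `server {` block begins and ends outside these hunks.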
@@ -29,6 +30,7 @@ server {
     ssl_session_tickets off;
     ssl_stapling on;
     ssl_stapling_verify on;
+    {% endif -%}
     add_header Strict-Transport-Security "max-age=63072000; preload";
     {% endif -%}
 
@@ -67,9 +69,9 @@ server {
         text/x-cross-domain-policy;
     {% else -%}
     gzip off;
-    {% endif %}
-
+    {% endif -%}
     # end of compression settings
+
     location / {
         include /etc/nginx/funkwhale_proxy.conf;
         # this is needed if you have file import via upload enabled