Re: how to properly deploy Diffie-Hellman on my server
To piggyback onto what Joakim says, I would really recommend using a separate TLS termination point. It's much easier to maintain and patch as various vulnerabilities in the protocol are made public and fixed.
And as he says, stay updated. Both the server OS and any packages/programs listening on public-facing ports.