diff --git a/nginx.tmpl b/nginx.tmpl
index 3ee5b25..c395ef8 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -18,20 +18,18 @@ log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                  '"$request" $status $body_bytes_sent '
                  '"$http_referer" "$http_user_agent"';
 
-#access_log /proc/self/fd/1 vhost;
-#error_log /proc/self/fd/2;
-access_log /var/log/nginx/access_log.log;
-error_log /var/log/nginx/error_log.log;
+access_log /proc/self/fd/1 vhost;
+error_log /proc/self/fd/2;
 
 # HTTP 1.1 support
-proxy_http_version 1.1;
-proxy_buffering off;
+#proxy_http_version 1.1;
+#proxy_buffering off;
 proxy_set_header Host $http_host;
-proxy_set_header Upgrade $http_upgrade;
-proxy_set_header Connection $proxy_connection;
+#proxy_set_header Upgrade $http_upgrade;
+#proxy_set_header Connection $proxy_connection;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+#proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
 
 server {
 	listen 80;
@@ -94,17 +92,20 @@ server {
 }
 
 server {
-    listen 443;
 	server_name {{ $host }};
-	ssl on;
-	ssl_protocols       SSLv3 TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers         HIGH:!aNULL:!MD5;
+	listen 443 ssl spdy;
 
-	#ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
-	#ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+	ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
 
-	ssl_certificate /etc/nginx/certs/server.crt;
-	ssl_certificate_key /etc/nginx/certs/server.key;
+	ssl_prefer_server_ciphers on;
+	ssl_session_timeout 5m;
+	ssl_session_cache shared:SSL:50m;
+
+	ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
+	ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
+
+	add_header Strict-Transport-Security "max-age=31536000";
 
 	client_max_body_size 1m;
 
@@ -113,8 +114,8 @@ server {
 	{{ end }}
 
 	location / {
-		proxy_pass http://{{ $host }};
-		proxy_redirect http://{{ $host }}/ /;
+		proxy_pass {{ $proto }}://{{ $host }};
+		proxy_redirect {{ $proto }}://{{ $host }}/ /;
 		proxy_read_timeout 60s;
 
 		{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}