listen       443 ssl http2;

ssl_certificate      /etc/letsencrypt/live/{{ server_nginx_certname }}/fullchain.pem;
ssl_certificate_key  /etc/letsencrypt/live/{{ server_nginx_certname }}/privkey.pem;

# Allow TLS version 1.2 only, which is a recommended default these days
# by international information security standards.
ssl_protocols        TLSv1.2;

ssl_session_cache    shared:SSL:1m;
ssl_session_timeout  5m;

ssl_ciphers  HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers  on;