diff --git a/bundles/nginx/files/site_template b/bundles/nginx/files/site_template
index 51dd27e..0a70a56 100644
--- a/bundles/nginx/files/site_template
+++ b/bundles/nginx/files/site_template
@@ -12,22 +12,20 @@ server {
 % if ssl:
 location / {
- return 308 https://$host$request_uri;
+ return 301 https://${domain}$request_uri;
 }
-% if ssl == 'letsencrypt':
+% if ssl == 'letsencrypt':
 location /.well-known/acme-challenge/ {
 alias /var/lib/dehydrated/acme-challenges/;
 }
-% endif
+% endif
 }
+% if domain_aliases:
 server {
-% if domain_aliases:
- server_name ${domain} ${' '.join(sorted(domain_aliases))};
-% else:
- server_name ${domain};
-% endif
+ server_name ${' '.join(sorted(domain_aliases))};
+
 root ${webroot if webroot else '/var/www/{}/'.format(vhost)};
 index ${' '.join(index)};
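Review bot: Replacing `return 308` with `return 301` in the `% if ssl:` redirect changes more than the target host: a 301 permits user agents to turn a POST into a GET, whereas 308 preserves the request method, so non-GET requests arriving over HTTP are now silently altered. If the intent was only to stop echoing the client-supplied Host header into the Location (a sound change, since `$host` is attacker-influenced while `${domain}` is fixed at render time), keep the status code: `return 308 https://${domain}$request_uri;`. The `% if ssl == 'letsencrypt':` and `% endif` lines read identically on both sides here, so that part of the hunk is presumably whitespace-only. The server block these lines belong to begins before this hunk.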
@@ -48,6 +46,43 @@ server {
 ssl_session_cache shared:SSL:10m;
 ssl_session_tickets off;
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+
+% if ssl == 'letsencrypt':
+ location /.well-known/acme-challenge/ {
+ alias /var/lib/dehydrated/acme-challenges/;
+ }
+% endif
+
+ location / {
+ return 301 https://${domain}$request_uri;
+ }
+}
+
+% endif
+server {
+ server_name ${domain};
+
+ root ${webroot if webroot else '/var/www/{}/'.format(vhost)};
+ index ${' '.join(index)};
+
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+% if ssl == 'letsencrypt':
+ ssl_certificate /var/lib/dehydrated/certs/${domain}/fullchain.pem;
+ ssl_certificate_key /var/lib/dehydrated/certs/${domain}/privkey.pem;
+% else:
+ ssl_certificate /etc/nginx/ssl/${vhost}.crt;
+ ssl_certificate_key /etc/nginx/ssl/${vhost}.key;
+% endif
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
 % endif
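Review bot: Both new `add_header Strict-Transport-Security` directives lack the `always` flag, so nginx sends the header only on 2xx/3xx responses; the 301 in the aliases server is covered, but the `${domain}` server will omit HSTS on 4xx/5xx responses, which weakens the policy precisely on error pages. Change each to `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;`. `includeSubDomains` with a two-year max-age is also a commitment for every subdomain of `${domain}`, and a shared site template applies it to every vhost, so consider whether it needs a per-vhost switch. The TLS settings are now duplicated verbatim between the aliases server and the `${domain}` server (an include snippet would keep them in step), and the added `% endif` plus the trailing context `% endif` must pair with opens outside this hunk, so render the template with domain_aliases unset and with ssl unset to confirm the nesting. The server block the first context lines belong to begins before this hunk.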