diff --git a/bundles/nginx/files/site_template b/bundles/nginx/files/site_template
index d4fc252..fe740ee 100644
--- a/bundles/nginx/files/site_template
+++ b/bundles/nginx/files/site_template
@@ -15,16 +15,16 @@ server {
     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
     ssl_prefer_server_ciphers on;
     ssl_session_cache shared:SSL:10m;
+
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
 % else:
-    listen 80 http2;
-    listen [::]:80 http2;
+    listen 80;
+    listen [::]:80;
 % endif
 
     resolver 8.8.8.8 8.8.4.4 valid=300s;
     resolver_timeout 5s;
 
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
-
 % if not do_not_set_content_security_headers:
     add_header Referrer-Policy same-origin;
     add_header X-Frame-Options "SAMEORIGIN";
@@ -42,7 +42,9 @@ server {
         proxy_set_header     Host ${domain};
         proxy_set_header     X-Script-Name /;
         proxy_set_header     X-Forwarded-For $proxy_add_x_forwarded_for;
+% if node.metadata['nginx']['use_ssl_for_all_connections']:
         proxy_set_header     X-Forwarded-Proto HTTPS;
+% endif
         proxy_set_header     X-Forwarded-Host ${domain};
         proxy_buffering      off;
     }