--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/deploy/templates/nginx.static.ssl.conf.j2 Sat Sep 15 01:24:07 2018 +0200
@@ -0,0 +1,63 @@
+upstream annotation-api {
+ server {{annotations_api_host}}:{{annotations_api_port}};
+ server 127.0.0.1 backup;
+}
+
+upstream discussion-api {
+ server {{discussions_host}}:{{discussions_port}};
+ server 127.0.0.1 backup;
+}
+
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name {{static_server_name}};
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name {{static_server_name}};
+
+ access_log /var/log/nginx/{{static_server_name}}-access.log;
+ error_log /var/log/nginx/{{static_server_name}}-error.log;
+
+ ssl_certificate /etc/letsencrypt/live/{{static_server_name}}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{static_server_name}}/privkey.pem;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+
+
+ root {{remote_static_path}}/;
+ index index.html index.htm;
+
+ location /.well-known/acme-challenge {
+ alias /var/lib/letsencrypt/.well-known/acme-challenge;
+ default_type "text/plain";
+ try_files $uri =404;
+ }
+
+ location {{annotations_api_url}}/ {
+ uwsgi_pass annotation-api;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ location {{discussions_url}}/ {
+ uwsgi_pass discussion-api;
+ include /etc/nginx/uwsgi_params;
+ }
+
+ location / {
+ # First attempt to serve request as file, then
+ # as directory, then fall back to displaying a 404.
+ try_files $uri $uri/ /index.html;
+ # Uncomment to enable naxsi on this location
+ # include /etc/nginx/naxsi.rules
+ }
+}
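Review bot: The `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` line in the 443 server block still offers TLS 1.0 and 1.1, which are deprecated and leave clients a weaker protocol to be negotiated down to. I would restrict it to `ssl_protocols TLSv1.2;`, adding `TLSv1.3` only if the deployed nginx/OpenSSL build supports it. The port-80 block redirects to HTTPS, but the HTTPS block sends no HSTS header, so a returning client's plain-HTTP request is still exposed before the redirect; consider `add_header Strict-Transport-Security "max-age=31536000" always;` once the certificate setup is stable. Separately, the comment in `location /` says the fallback is a 404, while `try_files $uri $uri/ /index.html;` actually serves `/index.html`; the comment should say so, e.g. `# ... then fall back to /index.html (single-page app routing).`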