--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/deploy/templates/nginx.static.ssl.conf.j2 Wed Nov 28 15:45:37 2018 +0100
@@ -0,0 +1,68 @@
+upstream {{backend_upstream_name}} {
+ server {{backend_host}}:{{backend_port}};
+ server 127.0.0.1 backup;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name {{static_server_name}};
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name {{static_server_name}};
+
+ access_log /var/log/nginx/{{static_server_name}}-access.log;
+ error_log /var/log/nginx/{{static_server_name}}-error.log;
+
+ ssl_certificate /etc/letsencrypt/live/{{static_server_name}}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{static_server_name}}/privkey.pem;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+
+ root {{remote_static_path}}/;
+ index index.html index.htm;
+
+ location /.well-known/acme-challenge {
+ alias /var/lib/letsencrypt/.well-known/acme-challenge;
+ default_type "text/plain";
+ try_files $uri =404;
+ }
+
+ location {{backend_url}}/api {
+ uwsgi_pass {{backend_upstream_name}};
+ include /etc/nginx/uwsgi_params;
+ }
+
+ location {{backend_url}}/admin {
+ uwsgi_pass {{backend_upstream_name}};
+ include /etc/nginx/uwsgi_params;
+ }
+
+ location {{backend_url}}/auth {
+ uwsgi_pass {{backend_upstream_name}};
+ include /etc/nginx/uwsgi_params;
+ }
+
+ location /backend/static {
+ alias {{backend_nginx_static_root}}; # backend static files
+ }
+
+ location /backend/media {
+ alias {{backend_nginx_media_root}}; # backend media files
+ }
+
+ location / {
+ # First attempt to serve request as file, then
+ # as directory, then fall back to displaying a 404.
+ try_files $uri $uri/ /index.html;
+ }
+
+}
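Review bot: The `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` line in the 443 server block still enables TLS 1.0 and 1.1, which are deprecated and keep legacy protocol weaknesses reachable; I would reduce it to `ssl_protocols TLSv1.2;`, adding `TLSv1.3` where the deployed nginx/OpenSSL build supports it. Separately, `location /backend/static` and `location /backend/media` have no trailing slash while their `alias` targets come from template variables not visible here; if those values end in `/`, nginx can map request paths just past the prefix to files outside the intended directory, so I would make both sides end in a slash, e.g. `location /backend/static/ { alias {{backend_nginx_static_root}}/; }`. The comment in `location /` also says the fallback is a 404, but `try_files` ends in `/index.html`; it should read `# ... then fall back to /index.html.`.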