server {
  listen      443 ssl http2;
  server_@name *.<%= @name %> <%= @name %>;

  ssl on;
  ssl_certificate     /etc/letsencrypt/live/<%= @name %>/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/<%= @name %>/privkey.pem;

  ssl_session_timeout 5m;

  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA;
  ssl_prefer_server_ciphers on;
  ssl_dhparam /etc/ssl/dhparams/dhparams_2048.pem;

  # enable HSTS header
  add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";

  location / {
    # preserve http header and set forwarded proto
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto https;

    # default proxy pass
    proxy_pass       http://<%= backend %>:80;
  }
}