{% set domain_name      = item.nginx_domain_name %}

    # concatenated key + cert
    # See: http://nginx.org/en/docs/http/configuring_https_servers.html
    ssl_certificate {{ tls_key_dir }}/{{ domain_name }}.crt.pem;
    ssl_certificate_key {{ tls_key_dir }}/{{ domain_name }}.crt.pem;

    ssl_session_timeout 24h;            # 24 hour timeout
    ssl_session_cache shared:SSL:1m;    # 1MB -> 4,000 sessions
    ssl_buffer_size 1400;               # 1400 bytes to fit in one MTU

    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols {{ nginx_tls_protocols }};
    ssl_ciphers "{{ tls_cipher_suite }}";
    ssl_prefer_server_ciphers on;

    # OCSP stapling...
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 109.74.192.20 109.74.193.20;

    # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
    # when a restart is performed the previous key is lost, which resets all previous
    # sessions. The fix for this is to setup a manual rotation mechanism:
    # http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
    #
    # Note that you'll have to define and rotate the keys securely by yourself. In absence
    # of such infrastructure, consider turning off session tickets:
    ssl_session_tickets off;

    # enable SPDY header compression
    spdy_headers_comp 6;

    # Enable this if you want HSTS (recommended, but be careful)
    # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
    # See: https://hstspreload.appspot.com/
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;