diff --git a/roles/nginx/templates/header.conf.j2 b/roles/nginx/templates/header.conf.j2
index ea8c7d9..eb6557a 100644
--- a/roles/nginx/templates/header.conf.j2
+++ b/roles/nginx/templates/header.conf.j2
@@ -1,5 +1,6 @@
- listen *:443 ssl http2;
- listen [::]:443 ssl http2;
+ listen *:443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
 ssl_certificate /etc/x509/{{ item.host }}/fullchain.cer;
 ssl_certificate_key /etc/x509/{{ item.host }}/{{ item.host }}.key;
diff --git a/roles/nginx/templates/nginx.ssl.conf.j2 b/roles/nginx/templates/nginx.ssl.conf.j2
index 5d93ccf..89c7b30 100644
--- a/roles/nginx/templates/nginx.ssl.conf.j2
+++ b/roles/nginx/templates/nginx.ssl.conf.j2
@@ -4,13 +4,13 @@
 ##########
 ssl_session_timeout 1d;
 ssl_session_cache shared:SSL:10m;
- ssl_session_tickets off;
 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
 ssl_dhparam /etc/nginx/dhparam.pem;
 # intermediate configuration. tweak to your needs.
 ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ecdh_curve X25519:prime256v1:secp384r1;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
 ssl_prefer_server_ciphers off;
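Review bot: The new `http2 on;` line in header.conf.j2 makes this template require nginx 1.25.1 or newer, the release that introduced the `http2` directive and deprecated the `listen ... http2` parameter; on an older nginx the config test fails with an unknown-directive error and the role leaves the service unable to reload. Nothing in the hunk records that floor, so I would add `# http2 on; requires nginx >= 1.25.1 (replaces the deprecated "listen ... http2" parameter)` above the directive, and gate the line on the installed nginx version if the role still targets distributions that ship an older package. Note also that `http2 on` applies to the whole enclosing server block rather than to a single listen socket, so every server that includes this snippet gets HTTP/2 on all of its listeners, which only matches the old per-listen behaviour if this snippet is the sole place `listen` is declared.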
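Review bot: Dropping `ssl_session_tickets off;` from nginx.ssl.conf.j2 re-enables stateless session resumption with nginx's built-in ticket key, which, absent any `ssl_session_ticket_key` files, is generated when the configuration is loaded and kept until the next reload or restart; for as long as that key lives, a compromise of it allows resumed sessions to be decrypted, which undercuts the forward secrecy that the ECDHE/DHE-only `ssl_ciphers` line and the new `ssl_ecdh_curve` line exist to provide. The Mozilla intermediate profile that the `# intermediate configuration` comment refers to keeps tickets off for exactly this reason, and the hunk adds no key-rotation counterpart; resumption remains available through the existing `ssl_session_cache shared:SSL:10m;`. I would either restore `ssl_session_tickets off;` or pair the removal with `ssl_session_ticket_key` entries that the role rotates on a schedule, and record whichever choice is made in a comment next to `ssl_session_cache`. The `ssl_ecdh_curve X25519:prime256v1:secp384r1;` addition itself looks fine and is consistent with the enabled TLSv1.2/TLSv1.3 protocol set.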