diff --git a/playbooks/services/nginx-proxy.yml b/playbooks/services/nginx-proxy.yml
index a5f7299..e35fc93 100644
--- a/playbooks/services/nginx-proxy.yml
+++ b/playbooks/services/nginx-proxy.yml
@@ -2,7 +2,7 @@
   hosts: proxy-clean
   become: true
   vars:
-    bool_create_vhost: false
+    bool_create_vhost: true
     bool_cert_dry_run: false
   roles:
     - nginx-proxy
diff --git a/roles/nginx-proxy/templates/force-ssl.conf b/roles/nginx-proxy/templates/force-ssl.conf
new file mode 100644
index 0000000..aa52f33
--- /dev/null
+++ b/roles/nginx-proxy/templates/force-ssl.conf
@@ -0,0 +1,10 @@
+set $test "";
+if ($scheme = "http") {
+	set $test "H";
+}
+if ($request_uri = /.well-known/acme-challenge/test-challenge) {
+	set $test "${test}T";
+}
+if ($test = H) {
+	return 301 https://$host$request_uri;
+}
diff --git a/roles/nginx-proxy/templates/ssl-cache.conf b/roles/nginx-proxy/templates/ssl-cache.conf
new file mode 100644
index 0000000..aa7ba2c
--- /dev/null
+++ b/roles/nginx-proxy/templates/ssl-cache.conf
@@ -0,0 +1,2 @@
+ssl_session_timeout 5m;
+ssl_session_cache shared:SSL:50m;
diff --git a/roles/nginx-proxy/templates/ssl-ciphers.conf b/roles/nginx-proxy/templates/ssl-ciphers.conf
new file mode 100644
index 0000000..b5dacfb
--- /dev/null
+++ b/roles/nginx-proxy/templates/ssl-ciphers.conf
@@ -0,0 +1,4 @@
+# intermediate configuration. tweak to your needs.
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+ssl_prefer_server_ciphers off;