diff --git a/roles/mastodon-nginx/templates/mastodon-nginx.conf b/roles/mastodon-nginx/templates/mastodon-nginx.conf
index b97b868..8a4df24 100644
--- a/roles/mastodon-nginx/templates/mastodon-nginx.conf
+++ b/roles/mastodon-nginx/templates/mastodon-nginx.conf
@@ -3,11 +3,20 @@ map $http_upgrade $connection_upgrade {
   ''      close;
 }
 
+upstream backend {
+    server 127.0.0.1:3000 fail_timeout=0;
+}
+
+upstream streaming {
+    server 127.0.0.1:4000 fail_timeout=0;
+}
+
+proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;
+
 server {
   listen 80;
   listen [::]:80;
   server_name {{ LOCAL_DOMAIN }};
-  # Useful for Let's Encrypt
   root /home/mastodon/live/public;
   location /.well-known/acme-challenge/ { allow all; }
   location / { return 301 https://$host$request_uri; }
@@ -18,7 +27,7 @@ server {
   listen [::]:443 ssl http2;
   server_name {{ LOCAL_DOMAIN }};
 
-  ssl_protocols TLSv1.2;
+  ssl_protocols TLSv1.2 TLSv1.3;
   ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
   ssl_prefer_server_ciphers on;
   ssl_session_cache shared:SSL:10m;
@@ -28,7 +37,7 @@ server {
 
   keepalive_timeout    70;
   sendfile             on;
-  client_max_body_size 0;
+  client_max_body_size 80m;
 
   root /home/mastodon/live/public;
 
@@ -49,11 +58,13 @@ server {
 
   location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
     add_header Cache-Control "public, max-age=31536000, immutable";
+    add_header Strict-Transport-Security "max-age=31536000";
     try_files $uri @proxy;
   }
 
   location /sw.js {
     add_header Cache-Control "public, max-age=0";
+    add_header Strict-Transport-Security "max-age=31536000";
     try_files $uri @proxy;
   }
 
@@ -65,13 +76,20 @@ server {
     proxy_set_header Proxy "";
     proxy_pass_header Server;
 
-    proxy_pass http://127.0.0.1:3000;
-    proxy_buffering off;
+    proxy_pass http://backend;
+    proxy_buffering on;
     proxy_redirect off;
     proxy_http_version 1.1;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection $connection_upgrade;
 
+    proxy_cache CACHE;
+    proxy_cache_valid 200 7d;
+    proxy_cache_valid 410 24h;
+    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+    add_header X-Cached $upstream_cache_status;
+    add_header Strict-Transport-Security "max-age=31536000";
+
     tcp_nodelay on;
   }
 
@@ -82,7 +100,7 @@ server {
     proxy_set_header X-Forwarded-Proto https;
     proxy_set_header Proxy "";
 
-    proxy_pass http://127.0.0.1:4000;
+    proxy_pass http://streaming;
     proxy_buffering off;
     proxy_redirect off;
     proxy_http_version 1.1;