diff --git a/puppet/zulip/files/nginx/nginx.conf b/puppet/zulip/files/nginx/nginx.conf
new file mode 100644
index 0000000..98f7c8b
--- /dev/null
+++ b/puppet/zulip/files/nginx/nginx.conf
@@ -0,0 +1,47 @@
+user zulip;
+
+worker_processes auto;
+pid /var/run/nginx.pid;
+
+worker_rlimit_nofile 40000;
+events {
+    worker_connections 40000;
+
+    use epoll;
+
+    multi_accept on;
+}
+
+http {
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+    client_max_body_size 25m;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log;
+
+    reset_timedout_connection on;
+    server_tokens off;
+
+    gzip on;
+    gzip_disable "msie6";
+
+    # Select a Connection header for sockjs reverse-proxying
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        ''      close;
+    }
+    # These are the official ciphers as of 2014-10-14
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers  EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:EECDH+RC4:RSA+RC4:!MD5;
+
+
+    include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/sites-enabled/*;
+}
diff --git a/puppet/zulip/files/supervisor/conf.d/nginx.conf b/puppet/zulip/files/supervisor/conf.d/nginx.conf
index 045084f..8552440 100644
--- a/puppet/zulip/files/supervisor/conf.d/nginx.conf
+++ b/puppet/zulip/files/supervisor/conf.d/nginx.conf
@@ -1,5 +1,5 @@
 [program:nginx]
-command = /usr/sbin/nginx -g 'daemon off;server_tokens off;'
+command = /usr/sbin/nginx -g 'daemon off;'
 stdout_events_enabled=true
 stderr_events_enabled=true
 autorestart = true