diff --git a/ext/nginx.conf.d/production.conf.template b/ext/nginx.conf.d/production.conf.template
new file mode 100644
index 0000000..43ca6de
--- /dev/null
+++ b/ext/nginx.conf.d/production.conf.template
@@ -0,0 +1,89 @@
+# PRODUCTION nginx conf
+# The point of this config file is to have near-identical setup in PRODUCTION.
+# Use it in production or copy it over
+
+upstream puma {
+  server production:$PUMA_PORT;
+  # server unix:/var/tmp/puma.$RAILS_ENV.sock fail_timeout=0;
+}
+
+# root-level -> www redirect
+server {
+  listen *:$PRODUCTION_PORT;
+  listen *:$PRODUCTION_PORT_SSL ssl;
+
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_certificate /etc/ssl/ensl/fullchain.pem;
+  ssl_certificate_key /etc/ssl/ensl/privkey.pem;
+
+  server_name $PRODUCTION_ROOT_DOMAIN;
+  root $APP_PATH_PUBLIC;
+  return 301 https://$PRODUCTION_DOMAIN$request_uri;
+}
+
+# HTTP -> HTTPS redirect
+#server {
+#  listen *:$PRODUCTION_PORT;
+#  server_name $PRODUCTION_DOMAIN;
+#  return 301 https://$PRODUCTION_DOMAIN$request_uri;
+#}
+
+server {
+  listen *:$PRODUCTION_PORT default_server;
+  listen *:$PRODUCTION_PORT_SSL ssl default_server;
+
+  # Redirect to HTTPS
+  error_page 497 https://$host:$server_port$request_uri;
+
+  server_name $PRODUCTION_DOMAIN;
+  root $APP_PATH_PUBLIC;
+  index index.html index.htm index.php;
+
+  ssl_certificate /etc/ssl/ensl/fullchain.pem;
+  ssl_certificate_key /etc/ssl/ensl/privkey.pem;
+
+  # ssl-cert /etc/ssl/certs/ssl-cert-snakeoil.pem
+  # ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key
+
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
+  ssl_session_timeout 1d;
+  ssl_session_cache shared:SSL:50m;
+  ssl_stapling on;
+  ssl_stapling_verify on;
+  # add_header Strict-Transport-Security max-age=15768000;
+
+  # Fixme: add logs as volume
+  access_log /var/log/nginx/ensl.production.access.log;
+  error_log /var/log/nginx/ensl.production.error.log;
+
+  rewrite_log on;
+  client_max_body_size 20M;
+  keepalive_timeout 10;
+
+  location ~ /.well-known {
+    allow all;
+    autoindex on;
+  }
+
+  # FIXME: use env. var
+  location ^~ /assets/ {
+    gzip_static on;
+    expires 1m;
+    add_header Cache-Control public;
+  }
+
+  # FIXME: use env. var
+  location /files/ {
+    # try_files $uri $uri/ @puma;
+    # alias root $APP_PATH_PUBLIC/files/;
+    autoindex on;
+  }
+  location @puma {
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host $http_host;
+    proxy_pass http://puma;
+  }
+
+  try_files $uri/index.html $uri @puma;
+}