diff --git a/nginx.tmpl b/nginx.tmpl
index fc6bca8..fb0766b 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -429,6 +429,7 @@ proxy_set_header Proxy "";
 server {
     server_name _; # This is just an invalid value which will never trigger on a real hostname.
     server_tokens off;
+    http2 on;
         {{- if $fallback_http }}
     listen {{ $globals.external_http_port }}; {{- /* Do not add `default_server` (see comment above). */}}
                 {{- if $globals.enable_ipv6 }}
@@ -436,9 +437,9 @@ server {
                 {{- end }}
         {{- end }}
         {{- if $fallback_https }}
-    listen {{ $globals.external_https_port }} ssl http2; {{- /* Do not add `default_server` (see comment above). */}}
+    listen {{ $globals.external_https_port }} ssl; {{- /* Do not add `default_server` (see comment above). */}}
             {{- if $globals.enable_ipv6 }}
-    listen [::]:{{ $globals.external_https_port }} ssl http2; {{- /* Do not add `default_server` (see comment above). */}}
+    listen [::]:{{ $globals.external_https_port }} ssl; {{- /* Do not add `default_server` (see comment above). */}}
             {{- end }}
     ssl_session_cache shared:SSL:50m;
     ssl_session_tickets off;
@@ -548,6 +549,7 @@ server {
     {{- if $server_tokens }}
     server_tokens {{ $server_tokens }};
     {{- end }}
+    http2 on;
     {{ $globals.access_log }}
     {{- if or (eq $https_method "nohttps") (not $cert_ok) (eq $https_method "noredirect") }}
     listen {{ $globals.external_http_port }} {{ $default_server }};
@@ -556,9 +558,9 @@ server {
         {{- end }}
     {{- end }}
     {{- if ne $https_method "nohttps" }}
-    listen {{ $globals.external_https_port }} ssl http2 {{ $default_server }};
+    listen {{ $globals.external_https_port }} ssl {{ $default_server }};
         {{- if $globals.enable_ipv6 }}
-    listen [::]:{{ $globals.external_https_port }} ssl http2 {{ $default_server }};
+    listen [::]:{{ $globals.external_https_port }} ssl {{ $default_server }};
         {{- end }}
 
         {{- if $cert_ok }}