diff --git a/roles/dl/templates/nginx.conf.j2 b/roles/dl/templates/nginx.conf.j2 index 7d1b879..99e17cc 100644 --- a/roles/dl/templates/nginx.conf.j2 +++ b/roles/dl/templates/nginx.conf.j2 @@ -26,10 +26,13 @@ server { {% if dl_ssl_enabled is defined and dl_ssl_enabled %} server { - listen 443 ssl http2; + listen 443 ssl; {% if ansible_all_ipv6_addresses | length %} - listen [::]:443 ssl http2; + listen [::]:443 ssl; {% endif %} + + http2 on; + server_name {{ dl_server_name }}; access_log {{ dl_access_log }} main; error_log {{ dl_error_log }} warn; @@ -46,6 +49,10 @@ server { ssl_dhparam {{ dl_ssl_dhparam }}; {% endif %} + location / { + add_header Alt-Svc 'h3=":$server_port"; ma=86400'; + } + location ~ ^\/~(.+?)(\/.*)?$ { alias /home/$1/public_html$2; index index.html index.htm; diff --git a/roles/gitea/templates/nginx.conf.j2 b/roles/gitea/templates/nginx.conf.j2 index e6fcd2b..7d59765 100644 --- a/roles/gitea/templates/nginx.conf.j2 +++ b/roles/gitea/templates/nginx.conf.j2 @@ -37,10 +37,13 @@ server { {% if gitea_ssl_enabled is defined and gitea_ssl_enabled %} server { - listen 443 ssl http2; + listen 443 ssl; {% if ansible_all_ipv6_addresses | length %} - listen [::]:443 ssl http2; + listen [::]:443 ssl; {% endif %} + + http2 on; + server_name {{ gitea_domain }}; access_log /var/log/nginx/gitea.access.log main; @@ -62,6 +65,7 @@ server { } location / { + add_header Alt-Svc 'h3=":$server_port"; ma=86400'; limit_req zone=req_bad_actors burst=10 nodelay; proxy_pass http://gitea_backend; } diff --git a/roles/grafana/templates/nginx.conf.j2 b/roles/grafana/templates/nginx.conf.j2 index cb8f6b2..a0f888f 100644 --- a/roles/grafana/templates/nginx.conf.j2 +++ b/roles/grafana/templates/nginx.conf.j2 @@ -6,6 +6,11 @@ upstream grafana_backend { server 127.0.0.1:{{ grafana_port }}; } +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + server { listen 80; {% if ansible_all_ipv6_addresses | length %} 
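Review bot: The new `add_header Alt-Svc 'h3=":$server_port"; ma=86400';` in `location /` of the dl template advertises HTTP/3, but the listen lines changed in the same file are still only `listen 443 ssl;`. Unless a QUIC listener is defined outside these hunks, clients are pointed at a UDP endpoint that does not answer; the header needs a matching `listen 443 quic;` (and `listen [::]:443 quic;`), or should be dropped until one exists. nginx inherits `add_header` from the server or http level only when the location defines none of its own, so any HSTS or other security headers set higher up (not visible here, since the server block starts outside the hunk) stop being sent for this location. Placing the Alt-Svc line at server level next to those headers avoids that, and in dl it would also cover the `~user` regex location, which the new `location /` does not. The same line is added to `location /` in the gitea, grafana and prometheus templates, and the same points apply there.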
@@ -32,10 +37,13 @@ server { {% if grafana_ssl_enabled is defined and grafana_ssl_enabled %} server { - listen 443 ssl http2; + listen 443 ssl; {% if ansible_all_ipv6_addresses | length %} - listen [::]:443 ssl http2; + listen [::]:443 ssl; {% endif %} + + http2 on; + server_name {{ grafana_domain }}; access_log /var/log/nginx/grafana.access.log main; @@ -59,7 +67,12 @@ server { } location / { + add_header Alt-Svc 'h3=":$server_port"; ma=86400'; limit_req zone=req_bad_actors burst=10 nodelay; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_set_header Host $http_host; proxy_pass http://grafana_backend; } } diff --git a/roles/prometheus/templates/nginx.conf.j2 b/roles/prometheus/templates/nginx.conf.j2 index a45f442..83c7f61 100644 --- a/roles/prometheus/templates/nginx.conf.j2 +++ b/roles/prometheus/templates/nginx.conf.j2 @@ -38,10 +38,13 @@ server { {% if prometheus_ssl_enabled is defined and prometheus_ssl_enabled %} server { - listen 443 ssl http2; + listen 443 ssl; {% if ansible_all_ipv6_addresses | length %} - listen [::]:443 ssl http2; + listen [::]:443 ssl; {% endif %} + + http2 on; + server_name {{ prometheus_hostname }}; auth_basic "Prometheus"; @@ -73,6 +76,7 @@ server { } location / { + add_header Alt-Svc 'h3=":$server_port"; ma=86400'; return 301 /prometheus/; } }
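Review bot: `proxy_set_header Host $http_host;` in `location /` of the grafana template forwards the client-supplied Host header to the backend unmodified. `proxy_set_header Host $host;` passes nginx's normalised value instead, which matters if this server block can ever be selected as the default for port 443. `proxy_set_header` is inherited only when the location defines none, so these new lines also discard any `X-Forwarded-For` or `X-Forwarded-Proto` headers set at server or http level outside this hunk, if there are any; they would need repeating here. A short comment above the `Upgrade`/`Connection` pair, for example `# WebSocket upgrade for Grafana Live`, would record why they are set for every request under `/`.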