diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..b545159
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,3 @@
+[**.tmpl]
+indent_style = tab
+indent_size = 2
diff --git a/Dockerfile b/Dockerfile
index 786793d..2e91034 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 FROM nginx:1.14.2
 LABEL maintainer="Kyle McCullough "
-LABEL version="0.2.1"
+LABEL version="0.2.2"
 # Install available package updates, wget, and install/updates certificates
 RUN apt-get update \
diff --git a/sites.tmpl b/sites.tmpl
index df25c93..510176d 100644
--- a/sites.tmpl
+++ b/sites.tmpl
@@ -116,6 +116,9 @@ upstream {{ $host }} {
 {{/* Use the cert specified on the container or fallback to the best vhost match */}}
 {{ $cert := (coalesce $certName $vhostCert) -}}
+{{ $location_block_header_raw := (groupByKeys $resources "ObjectMeta.Annotations.location_block_header" | first) -}}
+{{ $location_block_header := coalesce $location_block_header_raw "" -}}
+
 {{ $is_https := (and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) -}}
 {{- if $is_https -}}
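Review bot: `groupByKeys $resources "ObjectMeta.Annotations.location_block_header" | first` silently picks one value when the resources backing `$host` carry different `location_block_header` annotations, and which one wins depends on the grouping order, so the generated `location` prefix may change between regenerations. Either document that the annotation must be identical on every resource of the host or make the conflict visible; at minimum a comment above the assignment such as `{{/* location_block_header: extra path prefix proxied to the upstream; set it identically on all resources of this host, only the first value found is used */}}`. The annotation name suggests an HTTP header while the value is used later in this file as a `location` path, which is worth stating in that comment.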
@@ -134,15 +137,22 @@ server {
 listen 443 ssl http2 {{ $default_server }};
 access_log /var/log/nginx/access.log vhost;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
-
- ssl_prefer_server_ciphers on;
- ssl_session_timeout 5m;
- ssl_session_cache shared:SSL:50m;
+ {{ if (exists "/etc/nginx/ssl_protocols_and_ciphers") -}}
+ include /etc/nginx/ssl_protocols_and_ciphers;
+ {{ else }}
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
+ ssl_prefer_server_ciphers on;
+ ssl_session_timeout 5m;
+ ssl_session_cache shared:SSL:50m;
+ {{ end -}}
- ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
- ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
+ {{ if (exists "/etc/nginx/ssl_certificate_configuration") -}}
+ include /etc/nginx/ssl_certificate_configuration;
+ {{ else }}
+ ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
+ ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
+ {{ end -}}
 {{ if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $cert)) -}}
 ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
@@ -160,6 +170,12 @@ server {
 location / {
 proxy_pass {{ trim $proto }}://{{ trim $host }};
+ {{ if (exists "/etc/nginx/proxy-headers.conf") -}}
+ include /etc/nginx/proxy-headers.conf;
+ {{ end -}}
+ {{ if (exists "/etc/nginx/security-headers.conf") -}}
+ include /etc/nginx/security-headers.conf;
+ {{ end -}}
 {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) -}}
 auth_basic "Restricted {{ $host }}";
 auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }};
@@ -169,9 +185,22 @@ server {
 {{ else if (exists "/etc/nginx/vhost.d/default_location") -}}
 include /etc/nginx/vhost.d/default_location;
 {{ end -}}
- }
+ }
+
+ {{ if (ne $location_block_header "") -}}
+ location {{ (trim $location_block_header) }} {
+ proxy_pass {{ trim $proto }}://{{ trim $host }};
+ {{ if (exists "/etc/nginx/security-headers.conf") -}}
+ include /etc/nginx/security-headers.conf;
+ {{ end -}}
+ {{ if (exists "/etc/nginx/upgrade-protocol-headers.conf") -}}
+ include /etc/nginx/upgrade-protocol-headers.conf;
+ {{ end -}}
+ }
+ {{ end -}}
 }
+
 {{- end -}}
 {{- if or (not $is_https) (eq $https_method "noredirect") -}}
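Review bot: The `{{ else }}` arm that this hunk turns into the documented default still carries `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and a cipher list that keeps `DES-CBC3-SHA` and `CAMELLIA`, so every deployment that does not mount `/etc/nginx/ssl_protocols_and_ciphers` continues to negotiate TLS 1.0/1.1 and 3DES; `ssl_protocols TLSv1.2;` with the 3DES and CAMELLIA suites dropped from `ssl_ciphers` is the conservative fallback, or at least a comment above the `if` stating that hardened deployments are expected to supply the override file. The `/etc/nginx/ssl_certificate_configuration` override is only reached when `$is_https` is true, and `$is_https` is computed earlier in the file from the presence of `/etc/nginx/certs/<cert>.crt` and `.key`, so a deployment that points the override at certificates elsewhere still has to provide those files; worth a comment at the include if that is intended. Both `{{ else }}` tags lack the `-}}` trim used on the matching `if`/`end` tags, so the rendered config gains stray blank lines; `{{ else -}}` keeps the output consistent.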
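Review bot: Including `/etc/nginx/proxy-headers.conf` inside `location /` changes header inheritance: nginx applies `proxy_set_header` (and `add_header`) from an outer level only when the current level has none of that directive, so if the included file contains even one `proxy_set_header`, every `proxy_set_header` set at the `server` or `http` level for this host stops applying to `location /` and must be restated in the file. The same applies to `security-headers.conf` if it uses `add_header`. I cannot see the outer-level includes from this hunk, so if there are none this is harmless, but a comment at the include such as `# proxy-headers.conf replaces, not extends, proxy_set_header directives inherited from the server/http level` would save the next maintainer from debugging missing Host or X-Forwarded-* headers.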
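Review bot: The new `location {{ (trim $location_block_header) }} {` block omits the `auth_basic` / `auth_basic_user_file` guard that `location /` applies when `/etc/nginx/htpasswd/<host>` exists, so once a host has this annotation nginx's longest-prefix matching routes every request under that path to the upstream with no basic auth, an access-control bypass relative to the previous behaviour. It also omits the `proxy-headers.conf` include that `location /` gets, which looks unintentional. Separately, the annotation value is interpolated unescaped into nginx configuration syntax: a value containing `;`, `{`, `}` or a newline becomes arbitrary directives in the generated file, so the template should validate it against an anchored allow-list of path characters (using whatever pattern-matching helper this template engine provides) before emitting the block, and treat a failed match the same as an absent annotation. The sketch below restates the auth guard inside the new block.

```nginx
 location {{ (trim $location_block_header) }} {
 proxy_pass {{ trim $proto }}://{{ trim $host }};
 {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) -}}
 auth_basic "Restricted {{ $host }}";
 auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" $host) }};
 {{ end -}}
 # ... unchanged: proxy-headers / security-headers / upgrade-protocol-headers includes ...
 }
```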