upstream fe { server 127.0.0.1:8080; } server { server_name real.domain; listen [::]:443 ssl ipv6only=on; listen 443 ssl; ssl_certificate /etc/letsencrypt/live/real.domain/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/real.domain/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot location / { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $http_x_forwarded_host; proxy_set_header X-Forwarded-Port $http_x_forwarded_port; proxy_redirect off; proxy_pass http://fe/; } } server { if ($host = real.domain) { return 301 https://$host$request_uri; } listen 80; listen [::]:80; server_name real.domain; return 404; }