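# Port-80 catch-all: forwards ACME HTTP-01 challenge requests to a per-host
# backend and redirects everything else to HTTPS.

# Allowlist of host name -> challenge backend ("address:port").
# Only names listed here are proxied; $host comes from the client's request,
# so this map is what decides which backends are reachable through this vhost.
# Prefer literal IP:port values: proxy_pass is used with a variable below, and
# a host *name* as the value would need a `resolver` directive to be looked up
# at request time.
map $host $upstream_acme_challenge_host {
    # Something like this should be here at some point:
    # aes.ccchh.net 10.31.206.14:31820;
    default "";
}

server {
    listen 80 default_server;

    location /.well-known/acme-challenge/ {
        # Host is not in the map: there is no backend to forward to. Without
        # this guard the proxy_pass target below would be the bare "http://",
        # which nginx cannot use as an upstream, so the request would end in
        # a server error and an error-log entry instead of a clean "not found".
        if ($upstream_acme_challenge_host = "") {
            return 404;
        }

        proxy_pass http://$upstream_acme_challenge_host;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For the client sent, so the earlier entries are
        # client-controlled. Backends should rely on X-Real-IP (or the last
        # X-Forwarded-For entry) rather than the first one.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # This is http in any case.
        proxy_set_header X-Forwarded-Proto http;
    }

    # Better safe than sorry.
    # Don't do a permanent redirect to avoid acme challenge pain (even tho 443
    # still should work).
    # NOTE(review): this is the default_server, so $host is whatever Host
    # header the client supplied and the redirect target mirrors it. If only
    # known names should ever appear in the Location header, restrict this
    # block to them (e.g. via server_name or a map like the one above).
    location / {
        return 307 https://$host$request_uri;
    }
}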