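# Port-80 front end: forwards ACME HTTP-01 challenge requests to the backend
# that owns the requested hostname and redirects everything else to HTTPS.

# Allowlist mapping a requested hostname to the internal host:port that answers
# its ACME challenge. $host is taken from the request (request line or Host
# header), so it is client-controlled; because the proxy target is looked up
# here rather than built from the header, a request can only ever be forwarded
# to one of the fixed addresses below.
map $host $upstream_acme_challenge_host {
    cloud.hamburg.ccc.de              172.31.17.143:31820;
    pad.hamburg.ccc.de                172.31.17.141:31820;
    id.hamburg.ccc.de                 172.31.17.144:31820;
    keycloak-admin.hamburg.ccc.de     172.31.17.144:31820;
    grafana.hamburg.ccc.de            172.31.17.145:31820;
    wiki.ccchh.net                    172.31.17.146:31820;
    wiki.hamburg.ccc.de               172.31.17.146:31820;
    onlyoffice.hamburg.ccc.de         172.31.17.147:31820;
    hackertours.hamburg.ccc.de        172.31.17.148:31820;
    netbox.hamburg.ccc.de             172.31.17.149:31820;
    matrix.hamburg.ccc.de             172.31.17.150:31820;
    element.hamburg.ccc.de            172.31.17.151:31820;
    branding-resources.hamburg.ccc.de 172.31.17.151:31820;
    www.hamburg.ccc.de                172.31.17.151:31820;
    hamburg.ccc.de                    172.31.17.151:31820;
    staging.hamburg.ccc.de            172.31.17.151:31820;
    spaceapi.hamburg.ccc.de           172.31.17.151:31820;
    zammad.hamburg.ccc.de             172.31.17.152:31820;
    c3cat.de                          172.31.17.151:31820;
    git.hamburg.ccc.de                172.31.17.154:31820;

    # Any hostname not listed above maps to the empty string.
    default "";
}

server {
    listen 80 default_server;

    location /.well-known/acme-challenge/ {
        # Hostnames outside the map have no challenge backend. Without this
        # guard proxy_pass is evaluated as "http://" with no host, which nginx
        # rejects at request time with an internal server error and an
        # error-log entry per request. Answer with a plain 404 instead.
        if ($upstream_acme_challenge_host = "") {
            return 404;
        }

        proxy_pass http://$upstream_acme_challenge_host;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For value the client sent, so earlier entries in the
        # list are client-supplied. Backends that need the peer address
        # should read X-Real-IP or only the last list entry.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # This is http in any case.
        proxy_set_header X-Forwarded-Proto http;
    }

    # Better safe than sorry.
    # Don't do a permanent redirect to avoid acme challenge pain (even tho 443
    # still should work).
    # NOTE(review): this is the default_server, so the Location header reflects
    # whatever hostname the client sent, including names not served here.
    # Confirm that is intended; if not, redirect only for known hostnames.
    location / {
        return 307 https://$host$request_uri;
    }
}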