map $host $upstream_acme_challenge_host { club-assistant.ccchh.net 10.31.208.10; netbox.ccchh.net 10.31.208.29; light.ccchh.net 10.31.208.23; thinkcccore0.ccchh.net 10.31.242.3; thinkcccore1.ccchh.net 10.31.242.4; thinkcccore2.ccchh.net 10.31.242.5; thinkcccore3.ccchh.net 10.31.242.6; zigbee2mqtt.ccchh.net 10.31.208.25:31820; esphome.ccchh.net 10.31.208.24:31820; proxmox-backup-server.ccchh.net 10.31.208.28; default ""; } server { listen 80 default_server; location /.well-known/acme-challenge/ { proxy_pass http://$upstream_acme_challenge_host; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # This is http in any case. proxy_set_header X-Forwarded-Proto http; } # Better safe than sorry. # Don't do a permanent redirect to avoid acme challenge pain (even tho 443 # still should work). location / { return 307 https://$host$request_uri; } } server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. set_real_ip_from 127.0.0.1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; # ssl_certificate /path/to/signed_cert_plus_intermediates; # ssl_certificate_key /path/to/private_key; # # verify chain of trust of OCSP response using Root CA and Intermediate certs # ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; ssl_certificate /etc/ssl/certs/public-reverse-proxy.crt; ssl_certificate_key /etc/ssl/private/public-reverse-proxy.key; # HSTS (ngx_http_headers_module is required) (63072000 seconds) add_header Strict-Transport-Security "max-age=63072000" always; # replace with the IP address of your resolver resolver 127.0.0.1; location /.well-known/acme-challenge/ { proxy_pass http://$upstream_acme_challenge_host; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # This is http in any case. proxy_set_header X-Forwarded-Proto https; } }