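# Reverse-proxy front end: plain HTTP is redirected to HTTPS, *.mydomain.com is
# proxied to a home server over a WireGuard link, and www.mydomain.com is served
# from local disk. TLS material is set once at http level and inherited by both
# 443 servers.
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main
        '$remote_addr - $remote_user [$time_local] '
        '"$request" $status $bytes_sent '
        '"$http_referer" "$http_user_agent" '
        '"$gzip_ratio"';

    tcp_nopush on;
    tcp_nodelay on;
    sendfile on;
    types_hash_max_size 4096;

    index index.html;

    # NOTE(review): 10m is far above nginx's 60s default for these three
    # timeouts. A client that sends headers or body very slowly can hold a
    # connection slot for that long; confirm the backend really needs it.
    client_header_timeout 10m;
    client_body_timeout 10m;
    send_timeout 10m;

    connection_pool_size 256;
    client_header_buffer_size 1k;
    large_client_header_buffers 4 2k;
    request_pool_size 4k;
    output_buffers 1 32k;
    postpone_output 1460;

    keepalive_timeout 75 20;

    ignore_invalid_headers on;

    # Send "Connection: upgrade" upstream only when the client actually asked
    # for a protocol upgrade (WebSocket); ordinary requests get "close".
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # General catch-all for HTTPS redirection, we don't like serving plain HTTP
    server {
        listen 80 default_server;
        return 301 https://$host$request_uri;
    }

    proxy_headers_hash_max_size 512;
    proxy_headers_hash_bucket_size 128;

    # NOTE(review): no 443 server is marked default_server, so this one (the
    # first listed) also receives requests whose Host matches neither
    # server_name and forwards that Host to the backend. Confirm the backend
    # rejects unexpected host names, or add an explicit default server.
    server {
        server_name *.mydomain.com;
        listen 443 ssl;

        access_log /var/log/nginx/mydomain.com_access_log main;
        error_log /var/log/nginx/mydomain.com_error_log info;

        location / {
            # this is the home server address on the wireguard link
            # nginx does not verify the upstream certificate unless
            # proxy_ssl_verify is enabled; as written, the tunnel is what
            # authenticates the backend.
            proxy_pass https://10.100.0.1:8443/;
        }

        proxy_set_header Host $host;
        proxy_set_header ProxyHost $proxy_host;
        # X-Real-IP is the TCP peer and cannot be influenced by the client.
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
        # client sent, so the backend should trust only the last entry.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # $server_name would expand to the literal "*.mydomain.com" here;
        # $host carries the name the client actually requested.
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Ssl on;

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_http_version 1.1;
    }

    # NOTE(review): index is index.php but this server block has no location
    # that hands .php files to a PHP handler; as written, a .php file under
    # root would be returned as a download (default_type above). Confirm PHP
    # handling is configured before placing PHP sources in the docroot.
    server {
        server_name www.mydomain.com;
        listen 443 ssl;

        index index.php;
        root /home/web/htdocs;

        access_log /var/log/nginx/www.mydomain.com_access_log main;
        error_log /var/log/nginx/www.mydomain.com_error_log info;
    }

    # TLS settings and certificate shared by every "listen ... ssl" server above.
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
}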