user nginx; worker_processes auto; events { worker_connections 1024; } http { server { listen 80; location /.well-known/acme-challenge/ { # init-certificate.sh uses --standalone, so we must proxy renewals to the certbot server proxy_pass http://certbot:80; } location / { return 404; } } } stream { upstream relay { server nginx-relay:4433; } server { listen 443 ssl; proxy_pass relay; access_log off; error_log /dev/null; ssl_certificate /etc/letsencrypt/active/fullchain.pem; ssl_certificate_key /etc/letsencrypt/active/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; } }