
Frederik Banke datadriven-investment.com.conf

Created by Frederik Banke

File snippet.txt Added

+upstream datadriven-investment-loadbalance {
+    server http;
+}
+
+server {
+    listen 8080;
+    server_name datadriven-investment.com;
+	
+	# Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
+    location ^~ /.well-known/acme-challenge/ {
+        # No HTTP authentication
+        allow all;
+    
+        # Set correct content type. According to this:
+        # https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29
+        # Current specification requires "text/plain" or no content header at all.
+        # It seems that "text/plain" is a safe option.
+        default_type "text/plain";
+    
+        # Change document root: this path will be given to certbot as the 
+        # `-w` param of the webroot plugin.
+        root /var/lib/letsencrypt/datadriven-investment.com;
+    }
+
+	# Hide /acme-challenge subdirectory and return 404 on all requests.
+    # It is somewhat more secure than letting Nginx return 403.
+    # Ending slash is important!
+    location = /.well-known/acme-challenge/ {
+        return 404;
+    }
+
+	# redirect from http to https
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+  listen              443 ssl;
+  server_name		  datadriven-investment.com;
+  ssl_certificate     /etc/letsencrypt/live/datadriven-investment.com/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/datadriven-investment.com/privkey.pem;
+  ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+  ssl_ciphers         HIGH:!aNULL:!MD5;
+
+  location / {
+     proxy_set_header Host $host;
+     proxy_set_header X-Forwarded-For $remote_addr;
+     proxy_set_header X-Forwarded-Proto $scheme;
+     proxy_pass http://datadriven-investment-loadbalance;
+  }
+  
+  # No acme ACME Challenge stuff here: Let's Encrypt API uses HTTP for validation
+}
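Review bot: The 443 server block still enables TLS 1.0 and 1.1 through `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`, both of which are formally deprecated (RFC 8996) and keep the listener open to protocol-downgrade and legacy CBC weaknesses. I would change it to `ssl_protocols TLSv1.2 TLSv1.3;` (TLSv1.3 needs nginx 1.13.0 or later built against OpenSSL 1.1.1) and add `ssl_prefer_server_ciphers on;` if the broad `HIGH:!aNULL:!MD5` cipher string is kept. Separately, the port-8080 redirect builds its target from `$host`, which reflects the client's Host header if this block ends up as the default server for that port. `return 301 https://datadriven-investment.com$request_uri;` pins the redirect to the intended name. The comment `# No HTTP authentication` above `allow all;` is also misleading, since `allow` only governs IP access and `auth_basic off;` is the directive that would disable an inherited auth requirement.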