+upstream datadriven-investment-loadbalance {
+ server_name datadriven-investment.com;
+ # Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
+ location ^~ /.well-known/acme-challenge/ {
+ # No HTTP authentication
+ # Set correct content type. According to this:
+ # https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29
+ # Current specification requires "text/plain" or no content header at all.
+ # It seems that "text/plain" is a safe option.
+ default_type "text/plain";
+ # Change document root: this path will be given to certbot as the
+ # `-w` param of the webroot plugin.
+ root /var/lib/letsencrypt/datadriven-investment.com;
+ # Hide /acme-challenge subdirectory and return 404 on all requests.
+ # It is somewhat more secure than letting Nginx return 403.
+ # Ending slash is important!
+ location = /.well-known/acme-challenge/ {
+ # redirect from http to https
+ return 301 https://$host$request_uri;
+ server_name datadriven-investment.com;
+ ssl_certificate /etc/letsencrypt/live/datadriven-investment.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/datadriven-investment.com/privkey.pem;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass http://datadriven-investment-loadbalance;
+ # No acme ACME Challenge stuff here: Let's Encrypt API uses HTTP for validation