The typical recomendation when using a proxy such as nginx in front of sks it to have sks listen on something like 127.0.0.1:11373 and the proxy listen on 0.0.0.0:11371 and/or [::1]:11371 (and :11372 for hkps).
But op=stats and recon then advertize the internal port number, which blocks key exchange with errors like:
Requesting 100 missing keys from <ADDR_INET [2607:fcd0101:0:1:4a2c:3b61]:11373>, starting with 00A5BA1DA13C116D775D9CFE0EF04298 Error getting missing keys: Unix error: Connection refused - connect()
Having sks listen(2) on 127.0.0.1:11371 and the proxy listen on the list of public address(es) would work around this, but is fragile in the face of renumbering. (I would note here than ipv6 was designed to facilitate potentially frequent renumbering of the /64s; resiliance in the face of such renumbering is important.)
Were sksconf to support separate directives for the listen(2) port and the port advertized in stats and by recon, things would Just Work™.