system/nginx/02/etherpad.conf

server {
	listen			202.61.255.116:443 ssl http2;
	listen			[2a03:4000:55:d20::]:443 ssl http2;

	server_name		pad.hugz.io pad.lsd25.dev pad.lysergic.dev;

	ssl_certificate		/etc/ssl/lysergic/fullchain.pem;
	ssl_certificate_key	/etc/ssl/lysergic/private/privkey.pem;

	ssl_session_timeout		1d;
	ssl_session_cache		shared:MozSSL:10m;  # about 40000 sessions
	ssl_session_tickets		off;
	ssl_protocols			TLSv1.3 TLSv1.2;
	ssl_prefer_server_ciphers	off;
	add_header			Strict-Transport-Security "max-age=63072000" always;
	ssl_stapling			on;
	ssl_stapling_verify		on;
	ssl_trusted_certificate		/etc/ssl/ca-bundle.pem;
	resolver			127.0.0.4;


	location		/ {
				proxy_pass	http://127.0.0.2:9001;
				proxy_buffering    off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
				proxy_set_header   Host $host;
				proxy_pass_header  Server;

				# Note you might want to pass these headers etc too.
				proxy_set_header    X-Real-IP $remote_addr; # https://nginx.org/en/docs/http/ngx_http_proxy_module.html
				proxy_set_header    X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
				proxy_set_header    X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
				proxy_http_version  1.1; # recommended with keepalive connections

				# WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html
				proxy_set_header  Upgrade $http_upgrade;
				proxy_set_header  Connection "Upgrade";

	}
}