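# Backend pool: a single TLS-terminating application server.
# NOTE(review): proxy_pass to this pool below uses https:// but nothing here
# turns on certificate verification (nginx defaults to proxy_ssl_verify off),
# so the hop is encrypted but the backend is NOT authenticated.  To close that,
# add proxy_ssl_verify on / proxy_ssl_trusted_certificate <ca.pem> /
# proxy_ssl_name <backend-cert-name> once the backend CA is known - confirm with
# whoever owns 10.0.0.10.
upstream application01 {
    server 10.0.0.10:443;
}

# Plain-HTTP front end: serves ACME HTTP-01 challenges, redirects everything
# else to HTTPS.  Traffic arrives wrapped in PROXY protocol from the load
# balancer at 10.0.0.1, which is the only peer allowed to assert a client IP.
server {
    listen 80 proxy_protocol;
    server_name subdomain.example.com;

    # proxy protocol settings
    # Only the PROXY header from 10.0.0.1 is trusted as the client address;
    # any other peer's header is ignored, so clients cannot spoof their IP.
    set_real_ip_from 10.0.0.1/32;
    real_ip_header proxy_protocol;
    # real_ip_recursive only affects X-Forwarded-For style headers; it is a
    # no-op with real_ip_header proxy_protocol and is kept for consistency.
    real_ip_recursive on;

    # logging
    access_log syslog:server=log.example.local vhost;
    error_log syslog:server=log.example.local;

    # ACME HTTP-01 challenge files.  The trailing slash on both the location
    # and the alias confines the match to /.well-known/acme-challenge/<token>;
    # without it the prefix also matched e.g. /.well-known/acme-challengeX and
    # mapped it to the sibling path /mnt/certs/challengeX, which is not an
    # intended document root.  ACME clients always request the slash form.
    location ^~ /.well-known/acme-challenge/ {
        alias /mnt/certs/challenge/;
    }

    # Everything else goes to HTTPS on the same host and path.
    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS front end, terminating TLS and proxying to the application pool.
server {
    listen 443 proxy_protocol ssl http2;
    server_name subdomain.example.com;

    # proxy protocol settings (same trust boundary as the port-80 server)
    set_real_ip_from 10.0.0.1/32;
    real_ip_header proxy_protocol;
    real_ip_recursive on;

    # logging
    access_log syslog:server=log.example.local vhost;
    error_log syslog:server=log.example.local;

    # certificates
    ssl_certificate /mnt/certs/certs/subdomain.example.com/fullchain.pem;
    ssl_certificate_key /mnt/certs/certs/subdomain.example.com/privkey.pem;

    # tls settings
    ssl_dhparam /etc/nginx/dhparam.pem;
    # Session resumption is server-side only: tickets are disabled so there is
    # no long-lived ticket key undermining forward secrecy; the shared cache
    # holds resumable sessions for 4h.
    ssl_session_timeout 4h;
    ssl_session_tickets off;
    ssl_session_cache shared:SSL:20m;
    # NOTE(review): pinning a single curve excludes X25519, which TLS 1.3
    # clients prefer; "X25519:prime256v1:secp384r1" is the usual choice.
    # Left as-is here because it is policy, not a defect - confirm intent.
    ssl_ecdh_curve secp384r1;
    # With only TLS 1.2/1.3 offered, the client's cipher order is acceptable.
    ssl_prefer_server_ciphers off;
    ssl_protocols TLSv1.3 TLSv1.2;
    # NOTE(review): OCSP stapling needs a "resolver" directive to look up the
    # responder host, and ssl_stapling_verify needs the issuer chain via
    # ssl_trusted_certificate; neither is visible in this file (they may be
    # set in http{} elsewhere).  If absent, nginx logs a warning at startup and
    # simply does not staple - check the error log rather than assume it works.
    ssl_stapling on;
    ssl_stapling_verify on;

    location / {
        # set headers
        proxy_set_header Host $host;
        # X-Real-IP / X-Forwarded-For are SET, not appended, from the PROXY
        # protocol address, so a client-supplied X-Forwarded-For is discarded
        # and the backend only ever sees the load balancer's view of the peer.
        proxy_set_header X-Real-IP $proxy_protocol_addr;
        proxy_set_header X-Forwarded-For $proxy_protocol_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        # pass upstream
        # See the note on the upstream block: this TLS connection is not
        # verified unless proxy_ssl_verify is enabled.
        proxy_pass https://application01;
    }
}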