# www.example.com website
server {
    listen 80;
    listen 443 ssl;
    server_name admin.example.com;
    
    # general vhost settings
    access_log /srv/logs/nginx/admin.example.com.access.log combined;
    error_log /srv/logs/nginx/admin.example.com.error.log error;
    
    # ssl keycert
    ssl_certificate     /srv/data/secrets/letsencrypt/live/admin.example.com/fullchain.pem;
    ssl_certificate_key /srv/data/secrets/letsencrypt/live/admin.example.com/privkey.pem;
    
    # TLS settings
    add_header Strict-Transport-Security "max-age=31536000";

    # basic proxy params
    import snippets/proxy_headers_general.conf;

    # tls letsencrypt stateless acme config
    # no need for webroot and stuff
    # 
    # this is described for acme.sh,
    # but should work with any LE client
    # https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode
    location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$" {
        default_type text/plain;
        return 200 "$1.<ACME_THUMBPRINT>";
    }

    # set proxy zone to off
    # we want no caching of the admin interface
    proxy_cache off;

    # reverse proxy to upstream
    location / {
        # debugging
        add_header X-Proxy-Cache $upstream_cache_status;
        #include snippets/security.conf;
        proxy_pass http://127.0.0.1:10080;
    }

}