nginx as reverse proxy with TLS termination in front of a second nginx — feedback on my config?


I have a host machine running nginx as a reverse proxy that terminates TLS and forwards (via proxy_pass) to another nginx instance listening on the jail's IP address.

I'd be very grateful if someone knowledgeable could give me feedback on my "location /" proxy configuration.

Is there anything completely unnecessary that I should remove?

Thank you.

# Host-side TLS terminator: accepts HTTPS here and forwards to the nginx
# instance inside the jail (the proxy_pass line is not shown in this excerpt).
# NOTE(review): the port in "listen" and the file names under /root/ look
# stripped by the paste; nginx needs a port here, e.g. "listen 443 ssl;".
server {
listen ssl;
http2 on;

# Not used as long as "location /" proxies every request; harmless, but it
# can go if nothing is ever served from disk.
root /usr/local/www/mysite;

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

# Certificate, private key and trust chain. Keep the key readable by root only
# (mode 0600); the nginx master process reads it before workers drop privileges.
ssl_certificate /root/;
ssl_certificate_key /root/;
# Only consulted for OCSP stapling ("ssl_stapling on;") or client-certificate
# verification; neither is configured here, so this line is unnecessary.
ssl_trusted_certificate /root/;

# HSTS on every response, including error pages ("always").
# CAUTION: "preload" and "includeSubDomains" are practically irreversible once
# the domain is submitted to the browser preload list — make sure every
# subdomain will serve HTTPS before keeping them.
# ssl_protocols / ssl_ciphers are not set in this block; presumably inherited
# from http {} — confirm that TLS 1.0/1.1 are disabled there.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

location / {
# HTTP/1.1 towards the backend is needed for WebSocket upgrades and keepalive.
proxy_http_version 1.1;
# Has no effect without a proxy_cache configured for this location; safe to remove.
proxy_cache_bypass $http_upgrade;

# With buffering off only proxy_buffer_size (the response-header buffer) still
# matters; proxy_busy_buffers_size and proxy_buffers are unused here.
proxy_buffering off;
proxy_buffer_size 16k;
proxy_busy_buffers_size 24k;
proxy_buffers 64 4k;
# Only needed if nginx warns about the headers hash at startup; the defaults
# are normally enough for this many proxy_set_header lines.
proxy_headers_hash_bucket_size 128;
proxy_headers_hash_max_size 1024;

#What to do with these three ones?
# proxy_ssl_session_reuse and proxy_ssl_server_name only matter when proxy_pass
# points at an https:// upstream; for a plain http:// upstream in the jail they
# are no-ops. proxy_intercept_errors off is already the default.
#proxy_ssl_session_reuse off;
#proxy_intercept_errors off;
#proxy_ssl_server_name on;

# Strip any HSTS header the backend emits so the one added above is the only
# one the client sees (avoids duplicate/conflicting policies).
proxy_hide_header Strict-Transport-Security;
# Scheme hints for the backend; "https" is hard-coded because this server block
# only ever serves TLS. X-Scheme, X-Url-Scheme and X-Forwarded-Ssl are older
# aliases of X-Forwarded-Proto — keep only the one(s) the backend app reads.
proxy_set_header X-Scheme https;
proxy_set_header Host $host;
# $remote_addr is the TCP peer, so X-Real-IP can be trusted by the backend.
# X-Forwarded-For APPENDS to whatever the client sent, so the backend must
# only trust its last element — the leading entries are attacker-controlled.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Url-Scheme https;
# $server_name is the configured name of this block; use $host instead if the
# backend needs the hostname the client actually requested.
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Ssl on;
# WebSocket pass-through. NOTE(review): Connection is forced to "upgrade" on
# EVERY request, not just those carrying an Upgrade header; the usual idiom is
# a map in http {} — map $http_upgrade $connection_upgrade { default upgrade;
# '' close; } — and then "proxy_set_header Connection $connection_upgrade;".
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Only meaningful if "ssl_early_data on;" is set somewhere. TLS 1.3 0-RTT data
# can be replayed by an attacker, so the backend must refuse non-idempotent
# requests that arrive with "Early-Data: 1" (e.g. answer 425 Too Early).
proxy_set_header Early-Data $ssl_early_data;

This is my production configuration for the same setup.
It has worked for me for more than 10 years without any issues.

If you host a mix of HTTP-only and HTTPS sites on the same box, it may also be useful to have this enabled:
# Catch-all for TLS connections whose SNI matches no configured HTTPS server.
server {
    # NOTE(review): the port looks stripped by the paste; nginx needs e.g.
    # "listen 443 ssl default_server;".
    listen ssl default_server;
    # Abort the handshake instead of answering with some other site's
    # certificate (which would both fail validation on the client and reveal
    # which names this host serves). Requires nginx 1.19.4 or newer.
    ssl_reject_handshake on;
    # Placeholder name; any value works because this server never completes a handshake.
    server_name default.server;
It rejects the TLS handshake for any server name that has no HTTPS server block configured, rather than serving the first/default certificate for it.