This is the config that did the trick:
# Virtual host for the "svn." name: serves ACME challenge files from disk, sets
# TLS certificate paths and response security headers, and prepares the request
# headers (including a rewritten Destination) that are passed to a proxied backend.
# NOTE(review): no listen, ssl_protocols, proxy_pass or "location /" is visible in
# this excerpt; the proxy_* directives below only take effect in a location that
# actually proxies. Presumably those lines were dropped when the config was posted.
server {
# NOTE(review): the host name looks truncated or redacted on this page; confirm the
# real value before reuse.
server_name svn. ;
# Prefix match: every URI under /.well-known/acme-challenge is served from this root.
# Basic auth is switched off for this location only, presumably so the certificate
# authority can fetch HTTP-01 tokens without credentials. Keep the directory limited
# to challenge files, since anything placed in it is readable without authentication.
location /.well-known/acme-challenge {
root /var/lib/acme/acme-challenge;
auth_basic off;
}
# Relative paths are resolved by nginx against its configuration prefix.
# key.pem is the private key and should be readable only by the nginx master process.
ssl_certificate fullchain.pem;
ssl_certificate_key key.pem;
# Trusted chain used to verify OCSP responses (and client certificates, if enabled);
# no ssl_stapling directive is visible here, so on its own this line may have no effect.
ssl_trusted_certificate chain.pem;
# more_set_headers comes from the headers-more module and, unlike add_header without
# "always", applies to responses of any status code unless filtered with -s.
# Only allow framing by pages of the same origin (clickjacking defence).
# CSP "frame-ancestors" is the modern equivalent and is not set in this excerpt.
more_set_headers "X-Frame-Options: SAMEORIGIN";
# Do not permit Content-Type sniffing.
more_set_headers "X-Content-Type-Options: nosniff";
# Legacy header: asks browsers that still ship an XSS filter to block the page on
# detection. Current mainstream browsers have removed the filter and ignore this,
# so it is not a substitute for output encoding or a Content-Security-Policy.
more_set_headers "X-XSS-Protection: 1; mode=block";
# Do not send the Referer header when navigating from HTTPS to HTTP.
# The full URL (path and query included) is still sent to other HTTPS origins.
more_set_headers "Referrer-Policy: no-referrer-when-downgrade";
# Request headers handed to the backend.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For the
# client sent, so earlier entries are client-controlled; the backend should trust
# only the last entry (or X-Real-IP) for logging and access decisions.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
# An empty value means the header is not passed on, so the backend sees no
# Accept-Encoding and answers uncompressed.
proxy_set_header Accept-Encoding "";
# Strip the backend's X-Powered-By response header before it reaches the client.
proxy_hide_header X-Powered-By;
# Destination header rewrite. Start from the client's value; if it is an https:// URL
# (case-insensitive match), replace scheme and authority with the plain-HTTP backend
# address and keep only the captured path ($1). Other values are forwarded unchanged.
# NOTE(review): presumably needed so WebDAV COPY/MOVE works behind TLS termination;
# confirm. The host part of the client's Destination is discarded without being compared
# to this server's name, so the backend must still authorise the target path itself.
set $fixed_destination $http_destination;
if ( $http_destination ~* ^https://[^/]*(.*)$ ) {
set $fixed_destination http://127.0.0.1:3690$1;
}
proxy_set_header Destination $fixed_destination;
# Accept request bodies up to 5000 MB. Uploads of this size tie up disk and bandwidth,
# so this vhost should stay behind authentication or network access control.
client_max_body_size 5000M;
}
# Exact-match location that serves security.txt (the RFC 9116 well-known path) from a
# fixed file in the Nix store; "alias" maps the URI to that single file.
# NOTE(review): as shown, this location follows the closing brace of the server block,
# but nginx only accepts "location" inside a server context. Presumably the enclosing
# lines were lost in the post; confirm which server block it belongs to.
location = /.well-known/security.txt {
alias /nix/store/wwagqhcncrsms6ipnlgai23719xxa3xv-security.txt;
}
# Network access control: clients connecting from 10.64.0.0/12 are allowed, everyone
# else is refused. Rules are evaluated in order and the first match wins. The allow
# directive is split over two lines, which is valid because the semicolon ends it.
# NOTE(review): the enclosing context is not visible. If this applies to the whole
# server, confirm that the acme-challenge location is exempt; otherwise HTTP-01
# validation from a public CA would be denied. The check uses the connecting address,
# so behind another proxy it sees that proxy's IP unless the realip module is set up.
allow
10.64.0.0/12;
deny all;
# Accept request bodies up to 5000 MB in this context; the network restriction above
# is what limits who can send uploads of that size.
client_max_body_size 5000M;