# Virtual host for portal.bioserum.gr: serves /.well-known/ from local disk
# (ACME HTTP-01 validation) and reverse-proxies every other request to an
# external upstream over plain HTTP.
server {
    # Both listeners share this server block, so every directive below
    # (including the hard-coded X-Forwarded-Proto) applies to port 80 and 443 alike.
    listen 80;
    listen 443 ssl http2;

    server_name portal.bioserum.gr www.portal.bioserum.gr;

    # SSL (Cloudflare handles the public TLS termination)
    # Keep dummy certs if you terminate at Cloudflare and only need HTTPS locally for CF->origin.
    # NOTE(review): the file names suggest a self-signed "localhost" certificate. If so,
    # the CF->origin hop is encrypted but the origin is not authenticated, because the CDN
    # cannot validate this certificate. A certificate the CDN can verify (for example a
    # Cloudflare Origin CA certificate) would allow strict origin validation - confirm.
    ssl_certificate     /etc/ssl/certs/localhost.crt;
    ssl_certificate_key /etc/ssl/private/localhost.key;

    # Accept request bodies up to 100 MB; nginx rejects larger ones with 413.
    # The limit is set at server level, so it also covers the proxied location below.
    client_max_body_size 100M;

    # -------------------------------------------------------
    # IMPORTANT: Allow Let's Encrypt / AutoSSL HTTP-01 challenge
    # This MUST be served locally (NOT proxied), otherwise AutoSSL gets 404.
    # -------------------------------------------------------
    # "^~" makes this a prefix match that skips regex locations; being the longer
    # prefix, it takes precedence over the broader /.well-known/ location for challenge URIs.
    location ^~ /.well-known/acme-challenge/ {
        root /home/bioserumgr/public_html/portal.bioserum.gr;
        default_type "text/plain";
        # Serve only files that exist on disk; anything else is a 404.
        try_files $uri =404;
        # Requests to this path are not written to the access log and missing-file
        # errors are not logged, so probing of this prefix is invisible in these logs.
        access_log off;
        log_not_found off;
    }

    # (Optional but recommended) also allow the broader .well-known path locally
    # Everything under <root>/.well-known/ is served to any client, so keep only
    # files meant for publication there. "$uri/" also lets directory paths match.
    location ^~ /.well-known/ {
        root /home/bioserumgr/public_html/portal.bioserum.gr;
        try_files $uri $uri/ =404;
    }

    # -------------------------------------------------------
    # Reverse Proxy to the external server
    # -------------------------------------------------------
    location / {
        # The upstream is addressed by IP over plain HTTP: requests and responses
        # (cookies, credentials, uploads) cross this hop unencrypted and the upstream
        # is not authenticated.
        # NOTE(review): if this hop crosses an untrusted network, an https:// upstream
        # with certificate verification (proxy_ssl_verify) or a private tunnel is safer.
        proxy_pass http://94.64.123.162;

        # Pass the host name the client requested through to the upstream.
        proxy_set_header Host $host;
        # $remote_addr is the address of the TCP peer. Behind Cloudflare that is an edge
        # address, not the visitor, unless the realip module is configured
        # (set_real_ip_from / real_ip_header) - no such directives are visible in this block.
        proxy_set_header X-Real-IP $remote_addr;
        # Appends $remote_addr to whatever X-Forwarded-For the client sent. The earlier
        # entries are client-supplied, so the upstream should not rely on them for access
        # control or audit unless this origin only accepts connections from the CDN.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # If Cloudflare connects to origin with HTTPS, this is fine.
        # If CF connects via HTTP only, set this to http.
        # The value is hard-coded, so requests arriving on port 80 are also reported to
        # the upstream as https. If the upstream uses this header for Secure cookies or
        # HTTPS redirects, it will treat plain-HTTP requests as already secure.
        proxy_set_header X-Forwarded-Proto https;

        # Timeouts in seconds (5 minutes each) for reading from, connecting to and
        # sending to the upstream. The nginx documentation notes that the connect
        # timeout usually cannot exceed 75 seconds.
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
    }
}