nginx.conf

http {
    
    server {
        listen 80;
        listen [::]:80;

        server_name pgadmin-xyz.dropgala.com;
        # server_name example.com www.example.com;
        
        location ~ /.well-known/acme-challenge {
            allow all;
            root /var/www/html;
        }

        location / {
            rewrite ^ https://$host$request_uri? permanent;
        }
    }

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        server_name pgadmin-xyz.dropgala.com;

        ssl_certificate /etc/letsencrypt/live/pgadmin-xyz.dropgala.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/pgadmin-xyz.dropgala.com/privkey.pem;

        ssl_buffer_size 8k;

        ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;

        ssl_session_timeout 1d;

        # Anable TLS 1.3, TLS 1.2
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
        ssl_prefer_server_ciphers off; 

        ssl_ecdh_curve secp384r1;
        ssl_session_tickets off;

        # HSTS (ngx_http_headers_module is required) (63072000 seconds)
        add_header Strict-Transport-Security "max-age=63072000" always;

        # OCSP stapling
        ssl_stapling on;
        ssl_stapling_verify on;
        # resolver 8.8.8.8; google dns
        
        location /pgadmin {
            proxy_set_header X-Script-Name /pgadmin;
            proxy_set_header X-Scheme $scheme;    
            proxy_set_header Host $host;
            proxy_pass http://pgadmin;
            proxy_redirect off;
        }
    }
} 

stream {
    upstream postgres {
        server postgres_ef686c8a89:5432;
    }

    server {
        allow 10.104.0.2; # server IP
        deny all;
        listen 5422 so_keepalive=on;
        proxy_pass postgres;
    }
}

events {
    worker_connections 1024;
}