# TLS reverse-proxy vhost template. ${server_name} and ${target} are
# placeholders filled in when this file is rendered; every other $name is an
# nginx runtime variable.
# NOTE(review): the rendering step must substitute only those two placeholders
# and leave $remote_addr, $http_upgrade and $connection_upgrade untouched -
# confirm against the renderer. ${target} lands verbatim in proxy_pass, so it
# should only ever come from trusted configuration, never from request data.
server {
    server_name ${server_name};

    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Certificate and key are read from the dehydrated (ACME client) output
    # directory for this name. No ssl_protocols / ssl_ciphers are set in this
    # block, so they come from an outer context or nginx's built-in defaults.
    # NOTE(review): verify the effective protocol and cipher set, and that
    # privkey.pem is readable only by the account nginx starts as.
    ssl_certificate     /var/lib/dehydrated/certs/${server_name}/fullchain.pem;
    ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem;

    location / {
        # HTTP/1.1 to the upstream is required for the Upgrade handshake and
        # for keep-alive.
        proxy_http_version 1.1;

        # Upgrade and Connection are always sent; $connection_upgrade decides
        # what Connection carries:
        #   client sent an Upgrade header (WebSocket) -> Connection: upgrade
        #   client sent no Upgrade header             -> Connection: "" (keep-alive)
        # One location therefore serves WebSocket and SSE without a per-vhost
        # switch. $connection_upgrade is not defined in this block; it is
        # expected to come from a map in the http context.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # X-Real-IP is overwritten with the peer address nginx sees, so a
        # value supplied by the client in that header never reaches the
        # upstream. Other client headers (X-Forwarded-For included) are
        # forwarded as received, because nothing here resets them; the
        # upstream should treat X-Real-IP as the only trustworthy one.
        # NOTE(review): if another proxy or load balancer sits in front of
        # this nginx, $remote_addr is that hop's address unless the realip
        # module is configured - confirm the deployment.
        proxy_set_header X-Real-IP $remote_addr;

        # Stream responses straight through instead of buffering them, and
        # allow up to an hour of upstream silence before the connection is
        # closed. Suitable for SSE and harmless for ordinary responses; each
        # idle stream holds a worker connection for that long, so size
        # connection limits accordingly.
        proxy_buffering off;
        proxy_read_timeout 1h;

        proxy_pass ${target};
    }
}