server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name <ws-api.hostname.tld>;
    root        /path/to/api/public/;
    index       index.php;

    ssl_certificate     /etc/letsencrypt/live/<hostname.tld>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<hostname.tld>/privkey.pem;

    # This block should go into a `ssl_options` file and included inside all vhosts's server section.
    # Remove this line below if you are not using Certbot
    ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;
    ssl_session_cache shared:le_nginx_SSL:10m;
    ssl_session_timeout 1440m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";

    access_log /var/log/nginx/<api.hostname.tld>.access.log;
    error_log /var/log/nginx/<api.hostname.tld>.error.log;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Host $http_host;
        proxy_set_header Scheme $scheme;
        proxy_set_header SERVER_PORT $server_port;
        proxy_set_header REMOTE_ADDR $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";

        proxy_pass http://0.0.0.0:8080;
    }
}

server {
    listen 80;
    listen [::]:80;

    server_name <api.hostname.tld>;
    return 301 https://$host$request_uri;
}