semi-optimal setup; ip_hash might give you issues if you have to serve a lot of mobile clients (at least here in europe), because of central proxies used by mobile providers. this one might help if you need stickiness: <a href="https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng/overview" rel="nofollow">https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng/o...</a><p>instead of "if ($host !~ ^(api.yourdomain.com)$ )" you should use a "server_name api.yourdomain.com;" directive for your proxy_config and a catch-all server{} block that consists only of "return 444;" to avoid that "if"-processing on any request.<p>oh, and you might want to use "ssl_session_cache shared:SSL:1440m;" for better performance (adjust the timeframe accordingly, i've seen values from 10 minutes up to 48 hours like google)<p>> SSL certs tend to be rather confusing ... no, not really, but i leave it up to you to figure out what a key is and what a cert is :D
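The server_name plus catch-all layout suggested in the comment above, written out as an added example (not code from the comment or from the article it replies to). The upstream name `api_backend`, its address, the plain-HTTP listener on port 80 and the body of the original `if` are assumptions.

```nginx
# Added example. Assumed names and values: upstream "api_backend",
# backend address 127.0.0.1:8080, listener on port 80.

upstream api_backend {
    server 127.0.0.1:8080;        # constructed backend address
}

# Before: host filtering with "if", evaluated as a regex on every request.
# The body of the "if" is not shown in the comment; a rejection is assumed.
#
# server {
#     listen 80;
#     if ($host !~ ^(api.yourdomain.com)$ ) {
#         return 444;
#     }
#     location / { proxy_pass http://api_backend; }
# }

# After, part 1: catch-all block. Any request whose Host header matches
# no server_name lands here and is dropped.
server {
    listen 80 default_server;
    server_name _;                # placeholder name that matches no real host
    return 444;                   # nginx closes the connection without a response
}

# After, part 2: only requests for api.yourdomain.com reach the proxy.
# Host selection happens once, during server block lookup, with no "if".
server {
    listen 80;
    server_name api.yourdomain.com;

    location / {
        proxy_pass http://api_backend;
        proxy_set_header Host $host;
    }
}
```

On a TLS listener the catch-all block needs its own `listen 443 ssl default_server;` with a certificate, or `ssl_reject_handshake on;` on nginx 1.19.4 and later.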