> So it sounds like if I want to decrypt incoming traffic and upstream > traffic I would put them in the same block like this ? Seems fine. p.s. just if you trust your backend there is in general no need to use proxy_ssl_verify on; When it’s off (by default) nginx will be fine with whatever certificate the backend server provides as far the the connection is via ssl/tls. rr