I don't understand the last part of the article.
An HTTPS request arrives at Nginx, and it forwards it to the .NET Core application that listens on 443 and passes it to http://hellomvc?
I am having trouble understanding this issue. The configuration to run .NET Core as a service that listens on HTTPS is also missing.
https://stackoverflow.com/questions/58226762/net-core-doesnt-listening-on-custom-port-on-using-nginx
Hello @offirpeer ... I'm mostly a Windows cat, but my interpretation is to break it down by server ...
upstream. There happens to be only one server there at localhost:5000, but there could be several servers there tho ... I think it uses round-robin by default if multiple servers are in upstream. The http:// part of http://hellomvc indicates HTTP proxying, while the hellomvc part is the name of the upstream server group. Check the Nginx docs for details. Again, I'm _not_ really a hardcore Nginx cat, so you should consult with more authoritative sources than myself.

I'm going to close this because the explanation of the configuration is best left to the Nginx docs. You did the right thing asking on Stack Overflow. You'll probably get good support there. If you need to chat with devs and not wait for SO answers, try Slack and Gitter ...
I understand the part about redirecting from 80 to 443. In my case I use Cloudflare and they do it automatically, so I don't need that part.
I don't understand this part: proxy_pass http://hellomvc; Why does it use http and not https?
Also, why does the upstream listen on localhost:5000?
In my case I have a few environments. Can you take a look at my SO question?
> Why does it use http and not https?
The connection is internal (on the local network; not on the Net) ... there's usually no need to encrypt that traffic. I think if you want that traffic encrypted that you can follow the guidance in Configure the app for secure (HTTPS) local connections in the HTTPS configuration section. In the topic's example, you'd set location for proxy_pass https://hellomvc; and upstream for something like (since the default port for HTTPS is usually 5001) server localhost:5001;. Again tho, I have no recent firsthand knowledge. I think it would work, but I haven't tested it personally. Consult the Nginx docs.
localhost:5000 is merely a convenient convention ... it's the default for any ASP.NET Core app. You can set up the app to use a different internal host and/or port if you want. See the Kestrel topic's Endpoint configuration section.
> Can you take a look at my SO question?
I'm going to defer to the SO/Nginx community ... we don't have the staffing to deal with support requests. There are only a few of us here, and we're always 🏃😅 on docs issues. If you need immediate help, chat with the devs on Slack and/or Gitter. There are devs there 24/7/365 with lots of Nginx experience.
I hear you. This is not an Nginx-related issue; it's a Kestrel configuration that I don't understand.
I have this service and I configured it to run on ASPNETCORE_URLS=https://localhost:6001
```ini
[Unit]
Description=staging

[Service]
WorkingDirectory=/var/www/staging
ExecStart=/usr/bin/dotnet /var/www/myapp-staging/myapp.dll
Restart=always
RestartSec=10
KillSignal=SIGINT
SyslogIdentifier=staging
User=www-data
Environment=ASPNETCORE_ENVIRONMENT=Staging
Environment=ASPNETCORE_URLS=https://localhost:6001
Environment=DOTNET_PRINT_TELEMETRY_MESSAGE=false

[Install]
WantedBy=multi-user.target
```
Nginx configuration (I know you are not an Nginx cat):

```nginx
server {
    listen *:443 ssl;
    ssl_certificate /etc/ssl/mysite.com.pem;
    ssl_certificate_key /etc/ssl/mysite.com.key;
    server_name staging.mysite.com *.staging.mysite.com;
    location / {
        proxy_pass https://localhost:6001;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection keep-alive;
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
Is there any other configuration I need to do so Kestrel will listen on https://localhost:6001?
I am now reading this:
https://docs.microsoft.com/en-us/aspnet/core/fundamentals/servers/kestrel?tabs=aspnetcore2x&view=aspnetcore-3.0#endpoint-configuration
And it's so confusing. It's just HTTPS; I don't understand why it's so complicated...
Supply an X.509 certificate when configuring Kestrel's options ...
```csharp
// IPAddress requires: using System.Net;
public static IHostBuilder CreateHostBuilder(string[] args) =>
    Host.CreateDefaultBuilder(args)
        .ConfigureWebHostDefaults(webBuilder =>
        {
            webBuilder.ConfigureKestrel(serverOptions =>
            {
                // Bind to the loopback interface only, on port 6001.
                serverOptions.Listen(IPAddress.Loopback, 6001,
                    listenOptions =>
                    {
                        // Serve HTTPS using a PFX file and its password.
                        listenOptions.UseHttps("testCert.pfx",
                            "testPassword");
                    });
            })
            .UseStartup<Startup>();
        });
```
There's an example for binding to a Unix socket tho ... I'm not as familiar with it. Engineering says that this approach offers improved performance (the following goes inside ConfigureWebHostDefaults) ...
```csharp
webBuilder.ConfigureKestrel(serverOptions =>
{
    serverOptions.ListenUnixSocket("/tmp/kestrel-test.sock",
        listenOptions =>
        {
            listenOptions.UseHttps("testCert.pfx",
                "testpassword");
        });
})
```
I didn't have the PFX certificate. After I generated one, I configured it in appsettings.json and then I updated the Nginx+Cloudflare+.NET Core configuration and it worked!
Thank you!
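
Added example (not part of the thread or of the ASP.NET Core docs): the staging `server` block posted above with upstream certificate verification switched on, because Nginx does not check the upstream's certificate by default when `proxy_pass` uses `https://`. The trusted-certificate path is a placeholder, and the example assumes the certificate Kestrel serves on port 6001 is valid for the name `localhost`.

```nginx
server {
    listen *:443 ssl;
    ssl_certificate     /etc/ssl/mysite.com.pem;
    ssl_certificate_key /etc/ssl/mysite.com.key;
    server_name staging.mysite.com *.staging.mysite.com;

    location / {
        proxy_pass https://localhost:6001;

        # Default is "proxy_ssl_verify off": the hop to Kestrel is encrypted,
        # but any certificate the upstream presents is accepted unchecked.
        proxy_ssl_verify on;

        # Placeholder path (assumption): PEM file containing the CA that
        # issued Kestrel's certificate, or the self-signed certificate itself.
        proxy_ssl_trusted_certificate /etc/ssl/<upstream-ca>.pem;

        # Name that must match the upstream certificate.
        proxy_ssl_name localhost;

        # Unchanged from the configuration posted in the thread.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection keep-alive;
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run `nginx -t` before reloading; with verification on, a certificate mismatch surfaces as a 502 to the client and an upstream SSL verification error in the Nginx error log.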