server {
    listen 443 ssl; # IPv4
    listen [::]:443 ssl; # IPv6
    server_name my.hostname.com;

    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    ssl_dhparam /path/to/ssl-dhparams.pem;

    proxy_set_header Host      $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_read_timeout         600;

    location /.well-known/matrix/server {
        return 200 '{ "m.server": "my.hostname.com:443" }';
    }

    location /.well-known/matrix/client {
        # If your sever_name here doesn't match your matrix homeserver URL
        # (e.g. hostname.com as server_name and matrix.hostname.com as homeserver URL)
        # add_header Access-Control-Allow-Origin '*';
        return 200 '{ "m.homeserver": { "base_url": "https://my.hostname.com" } }';
    }

    # route requests to:
    # /_matrix/client/.*/sync
    # /_matrix/client/.*/user/{userId}/filter
    # /_matrix/client/.*/user/{userId}/filter/{filterID}
    # /_matrix/client/.*/keys/changes
    # /_matrix/client/.*/rooms/{roomId}/messages
    # to sync_api
    location ~ /_matrix/client/.*?/(sync|user/.*?/filter/?.*|keys/changes|rooms/.*?/messages)$  {
        proxy_pass http://sync_api:8073;
    }

    location /_matrix/client {
        proxy_pass http://client_api:8071;
    }

    location /_matrix/federation {
        proxy_pass http://federation_api:8072;
    }

    location /_matrix/key {
        proxy_pass http://federation_api:8072;
    }

    location /_matrix/media {
        proxy_pass http://media_api:8074;
    }
}