Simple nginx config to hide Redis behind a TLS-terminating proxy (includes a minimal configuration to obtain and install a certificate with acme.sh). TLS only protects the traffic on the wire; Redis authentication (`requirepass`/ACLs) is still required, see the comments in the stream block.
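# Make sure to create folder /www and grant write access to nginx and yourself
# NOTE: this is a plain variable assignment. The original "$DOMAIN=..." form is not
# an assignment in sh/bash: the shell expands $DOMAIN (empty) and tries to run a
# command called "=your domain".
DOMAIN="your domain"
# Create the file structure to serve the HTTP-01 challenge as a static file
# (-p creates the intermediate directories and is a no-op if they already exist)
sudo mkdir -p /www/.well-known/acme-challenge
sudo chown nginx:nginx /www/.well-known/acme-challenge
# As an example, grant group write permission (e.g. you want the directory to be
# owned by the nginx user and writable by anyone in the nginx group):
sudo chmod g+w /www/.well-known/acme-challenge
# acme.sh needs write access to /www/.well-known/acme-challenge, so put yourself
# into the nginx group (or grant write access in some other way) before issuing.
# The domain is quoted so a value containing spaces cannot be split into extra arguments.
./acme.sh --issue -d "$DOMAIN" -w /www --server letsencrypt
# Install the certificate and make sure nginx is reloaded with --reloadcmd,
# otherwise renewed certificates are written to disk but never picked up.
# NOTE: writing under /etc/nginx/ssl and running "nginx -s reload" both require root,
# so run this step (and therefore acme.sh's renewal cron job) as root.
sudo mkdir -p /etc/nginx/ssl/"$DOMAIN"
./acme.sh --install-cert -d "$DOMAIN" \
  --key-file /etc/nginx/ssl/"$DOMAIN"/key.pem \
  --fullchain-file /etc/nginx/ssl/"$DOMAIN"/cert.pem \
  --reloadcmd "nginx -s reload"
# The private key only needs to be readable by root (the nginx master process);
# make sure it is not readable by other local users.
sudo chmod 600 /etc/nginx/ssl/"$DOMAIN"/key.pem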
# Worker processes drop to this unprivileged user; the master process stays root
# and is the only one that needs to read the TLS private key.
user nginx;
# One worker per CPU core
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
# Upper bound on simultaneous connections per worker (stream + http combined);
# raise it together with the process' open-file limit if the proxy gets busy.
worker_connections 1024;
}
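stream {
    log_format proxy '$remote_addr [$time_local] $status';

    # Connection limiter by IP (shared zone size is 10 megabytes)
    limit_conn_zone $binary_remote_addr zone=by_ip_addr:10m;

    # For performance reasons you should run your Redis on a unix socket.
    # To enable it, add the following lines to your redis config file
    # (default location /etc/redis.conf):
    #   unixsocket /run/redis/redis.sock
    #   unixsocketperm 770
    # The nginx worker user must be allowed to open the socket (e.g. put it in the
    # redis group); 770 keeps other local users from talking to Redis directly.
    upstream redis {
        server unix:/run/redis/redis.sock;
    }

    # redis: TLS-terminating front for the plaintext unix socket
    server {
        listen 6379 ssl so_keepalive=10m;

        # Max 2 connections per IP.
        # This is strict, but useful on a low-end VPS:
        # even if you password-restrict your Redis, you do not want someone to overload your system.
        limit_conn by_ip_addr 2;

        proxy_pass redis;

        ssl_certificate /etc/nginx/ssl/<your hostname>/cert.pem;
        ssl_certificate_key /etc/nginx/ssl/<your hostname>/key.pem;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); only offer 1.2 and 1.3.
        ssl_protocols TLSv1.2 TLSv1.3;

        # TLS here only encrypts the connection; it does not authenticate the client.
        # Anyone who can reach port 6379 still gets to speak to Redis, so keep
        # requirepass/ACLs enabled. To additionally restrict access to holders of a
        # client certificate, enable mutual TLS:
        #   ssl_client_certificate /etc/nginx/ssl/<your hostname>/clients-ca.pem;
        #   ssl_verify_client on;
    }

    access_log /var/log/nginx/redis-access.log proxy;
}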
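http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format http '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    sendfile on;
    access_log /var/log/nginx/http-access.log http;
    keepalive_timeout 65;

    # Document root; only the ACME challenge files are expected to live here
    root /www;

    server {
        listen 80;
        server_name <your hostname>;

        # Always serve the HTTP-01 challenge over plain HTTP so that issuance and
        # renewal work before a certificate exists (and after one has expired)
        # without editing this file each time.
        location /.well-known/acme-challenge/ {
        }

        # Everything else is redirected to HTTPS. The redirect lives in its own
        # location because a server-level "return" runs before location matching
        # and would swallow the challenge requests above. $server_name is used
        # instead of $host so the redirect target cannot be steered by a
        # client-supplied Host header.
        location / {
            return 301 https://$server_name$request_uri;
        }
    }

    server {
        listen 443 ssl;
        server_name <your hostname>;

        ssl_certificate /etc/nginx/ssl/<your hostname>/cert.pem;
        ssl_certificate_key /etc/nginx/ssl/<your hostname>/key.pem;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); only offer 1.2 and 1.3.
        ssl_protocols TLSv1.2 TLSv1.3;

        location /.well-known/acme-challenge/ {
        }
    }
}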