Well, for starters, having a separate web server in front offers you more features, such as an extra layer of security, load balancing, easier TLS management and rate limits. Here's an example configuration for that:
# http context
# Pool of backends that nginx load-balances across
upstream backend_hosts {
    server 12.34.56.78:8384;
    server 98.76.54.32:8384;
}

# HTTPS server block
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Define server name
    server_name syncthing.example.com;

    # Proxy all requests to the upstream backends
    location / {
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://backend_hosts;
    }

    # SSL/TLS configuration
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
}
This is what I'm using, but for a Node.js application and not Syncthing. I'm guessing the principle would be the same.
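The post above lists rate limits among the benefits, but the posted configuration does not set any. The following is an added example, not part of the original post, that extends the same server block with a per-client request limit, an HTTP-to-HTTPS redirect and a TLS protocol floor. The zone name `per_ip`, its size, the rate and burst values are assumptions to tune, and overwriting `X-Forwarded-For` assumes nginx is the first proxy the client reaches.

```nginx
# http context
# Added example: one shared-memory zone keyed by client address.
# Zone name "per_ip", the 10m size and the 10r/s rate are assumed values.
limit_req_zone $binary_remote_addr zone=per_ip:10m rate=10r/s;

upstream backend_hosts {
    server 12.34.56.78:8384;
    server 98.76.54.32:8384;
}

# Redirect plain HTTP so every request ends up on the TLS server block
server {
    listen 80;
    listen [::]:80;
    server_name syncthing.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name syncthing.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # Refuse legacy protocol versions
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # Allow short bursts; reject the excess with 429 instead of the default 503
        limit_req zone=per_ip burst=20 nodelay;
        limit_req_status 429;

        proxy_set_header X-Forwarded-Proto $scheme;
        # Overwrite instead of append, so a client-supplied X-Forwarded-For
        # value is not passed on (assumes nginx is the first hop)
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://backend_hosts;
    }
}
```

The hop from the proxy to the backends is plain HTTP here, so the backends on port 8384 should accept connections only from the proxy's address. Otherwise the TLS and rate-limit layer can be bypassed by connecting to them directly.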