thanks for all your help & comments.
yes I do already have the SSL certificate via LetsEncrypt, as per the installation instructions. But it works with this configuration you have given above. I tried changing “proxy_pass” with “https” but ended up with a 502 bad gateway error.
What happens when the certificate expires?