Here's how I do it, it's the simplest way I've found.
Make a directory for your certificates like /etc/nginx/certs Use "tailscale certs YourDomainName.ts.net" Put the certificate in the certificate directory. The nginx config:
server { listen 80; server_name YourDomainName.ts.net;
location / { return 301 https://$host$request_uri; } }
server { listen 443 ssl http2; server_name YourDomainName.ts.net;
ssl_certificate /etc/nginx/certs/YourDomainName.ts.net.crt;
ssl_certificate_key /etc/nginx/certs/YourDomainName.ts.netkey;
location / { proxy_pass http://127.0.0.1:8080; //Change it for the port you want to forward proxy_http_version 1.1; proxy_buffering off; proxy_set_header Host $host; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forward-For $proxy_add_x_forwarded_for; } }