diff --git a/fastcgi_params b/fastcgi_params
index ff643d35..8d7c2be7 100644
--- a/fastcgi_params
+++ b/fastcgi_params
@@ -30,3 +30,6 @@ fastcgi_param REDIRECT_STATUS 200;
 fastcgi_param HTTPS $fastcgi_https if_not_empty;
 ## For Nginx versions below 1.1.11 uncomment the line below after commenting out the above.
 #fastcgi_param HTTPS $fastcgi_https;
+
+## Fix HTTPoxy vulnerability https://httpoxy.org/#mitigate-nginx
+fastcgi_param HTTP_PROXY "";
diff --git a/sites-available/example.com.conf b/sites-available/example.com.conf
index 35d58b34..88caadb2 100644
--- a/sites-available/example.com.conf
+++ b/sites-available/example.com.conf
@@ -56,6 +56,12 @@ server {
 ## Uncomment if you're proxying to Apache for handling PHP.
 #proxy_http_version 1.1; # keep alive to the Apache upstream
+
+# Allow "Well-Known URIs" as per RFC 5785.
+# Necessary for Let’s Encrypt validation server.
+location ~* ^/.well-known/ {
+allow all;
+}
+
 ################################################################
 ### Generic configuration: for most Drupal 7 sites.
 ################################################################
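Review bot: The added `fastcgi_param HTTP_PROXY "";` only protects requests that go through a location which includes this fastcgi_params file; the commented `#proxy_http_version 1.1; # keep alive to the Apache upstream` line in the second hunk shows this config also supports handing PHP to Apache over proxy_pass, and that path is not covered. The same mitigation for the proxied case is `proxy_set_header Proxy "";` in the proxy location (or the shared proxy params file), since nginx otherwise forwards a client-supplied `Proxy:` request header unchanged. It would also help to extend the new comment so the next reader knows why an empty value is correct, e.g. `## Clearing the variable prevents a client-sent "Proxy:" header from becoming HTTP_PROXY in the PHP environment.` Any other fastcgi/uwsgi/scgi locations that set parameters inline rather than including this file are outside the hunk and would need the same line.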
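Review bot: The regex in `location ~* ^/.well-known/ {` leaves the dot unescaped, so it matches any single character in that position (`/Xwell-known/` as well as `/.well-known/`); it should read `location ~* ^/\.well-known/ {`, and `~` is sufficient since the path is lowercase. The `allow all;` inside is only meaningful if a later `deny` or hidden-file (`\.`) rule in this server block would otherwise reject the path; nginx evaluates regex locations in file order and takes the first match, so this block's effect depends on it staying ahead of any such rule, which is outside this hunk and worth stating in the comment, e.g. `# Must precede any location that denies dot-files; first matching regex location wins.` The enclosing `server {` block starts and ends outside the hunk.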