Nginx is best known for being a really good web server. (The page you're reading was served by it! Unless it's been a really long time and I've revamped things. Check the Server header to confirm, I guess.) It's also known for being a really good TLS-terminating reverse proxy server. It's less well known for being a non-terminating reverse proxy for TLS connections, but it's actually capable of that, too.
So I have this use case where I'd like Nginx to serve some static web sites (again, like this one); serve as a TLS-terminating reverse proxy for some other services; and serve as a non-TLS-terminating reverse proxy for yet others (specifically, I'm proxying those connections over a VPN to my LAN, but that's not important here). And this… turns out not to be straightforward.