Nginx reverse proxy for HTTPS/SSL: how to pass certificates

Tags: https, nginx, reverse-proxy

I am trying to convert an old infrastructure featuring several webservers into a virtualized environment with a single public IP address.

All servers are relatively low-traffic, so performance isn't an issue.

I currently have nginx installed directly on my firewall/bastion-host reverse proxying to a few servers (three, at the moment).

I have everything working with plain HTTP.

My current HTTP configuration is (simplified):

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

    server {
        listen 80;
        server_name mydom.com www.mydom.com;
        location / {
            proxy_pass http://192.168.99.20:80;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

    server {
        listen 80;
        server_name redmine.mydom.com git.mydom.com;
        location / {
            proxy_pass http://192.168.99.30:80;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

    server {
        listen 80;
        server_name mail.mydom.com email.mydom.com webmail.mydom.com;
        location / {
            proxy_pass http://192.168.99.10:80;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}

Question is: How should I configure nginx to forward HTTPS/SSL?

I tried something along the lines of:

server {
    listen       443 ssl;
    server_name mydom.com www.mydom.com;
    location / {
        proxy_pass https://192.168.99.20;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

but this does not work for lack of ssl_… stanzas.

The "real" (proxied) servers already have their certificates, but nginx seems to need "local" certificates (which I wouldn't like to provide).

What is "best practice" in this usage case?

NOTE: as said, I need to deploy the reverse proxy on my firewall (IPFire), so I'm rather limited in my choices; nginx and haproxy are supported, sniproxy isn't.
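The `listen 443 ssl` attempt fails because `ssl` on a listener makes nginx terminate TLS on the proxy, which is why it demands `ssl_certificate` and `ssl_certificate_key`. If the certificates are to stay on the backend servers, the proxy has to pass the TLS session through untouched and only peek at the SNI name in the ClientHello to decide where to send it. The following is an added example, not configuration from the question or answer: it uses nginx's `stream` module with `ssl_preread` (ngx_stream_ssl_preread_module, nginx 1.11.5 or later, built with `--with-stream --with-stream_ssl_preread_module`). The backend addresses are the ones from the question; the hostnames in the map are assumed to match the `server_name` lines above. The `stream {}` block sits at the top level of nginx.conf, next to the existing `http {}` block, which keeps owning port 80.

```nginx
# Added example: TLS passthrough on the bastion, routed by SNI, no local certificates.
# Nothing here decrypts traffic; the backends keep their own certificates and keys.
stream {
    # Map the SNI server name from the ClientHello to an upstream group.
    # Hostnames are assumed from the question's server_name lines.
    map $ssl_preread_server_name $tls_backend {
        mydom.com            web;
        www.mydom.com        web;
        redmine.mydom.com    redmine;
        git.mydom.com        redmine;
        mail.mydom.com       mail;
        email.mydom.com      mail;
        webmail.mydom.com    mail;
        default              reject;   # unknown or missing SNI: do not guess a backend
    }

    upstream web     { server 192.168.99.20:443; }
    upstream redmine { server 192.168.99.30:443; }
    upstream mail    { server 192.168.99.10:443; }
    # Sink for unexpected names: 127.0.0.1:1 is assumed to have nothing listening,
    # so the client gets a connection failure instead of someone else's certificate.
    upstream reject  { server 127.0.0.1:1; }

    server {
        listen 443;              # plain TCP listener: no "ssl", so no ssl_certificate needed
        ssl_preread on;          # parse the ClientHello to populate $ssl_preread_server_name
        proxy_pass $tls_backend;
        proxy_connect_timeout 5s;
    }
}
```

Two consequences of passthrough worth knowing before adopting it. First, the proxy cannot add `X-Forwarded-For` or `X-Real-IP` because it never sees the HTTP layer; each backend will log the firewall's internal address as the client unless you enable `proxy_protocol on;` in the stream server and configure the backend to accept the PROXY protocol. Second, the bastion cannot inspect or filter the HTTPS content at all, so any request-level controls have to live on the backends. To verify routing, connect with `openssl s_client -connect <firewall-ip>:443 -servername git.mydom.com` and check that the certificate shown is the one installed on 192.168.99.30, then repeat with a name not in the map and confirm the connection is refused rather than answered by a different host's certificate.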

Best Answer

Try haproxy

I had success in using it. I port-forward all my incoming traffic to the haproxy VM, then it carries over the SSL connections to my websites running in other VMs.

Here is a good start using haproxy