## $HOSTNAME
# Redirect all HTTP to HTTPS *except* the ACME challenges (Let's Encrypt TLS certificate
# domain validation challenges) path, which must be served over HTTP per the ACME spec
# (the ACME HTTP-01 validator connects to port 80 over plain HTTP before any trusted
# certificate exists, so the challenge is answered here rather than by the HTTPS vhost).
server {
    # Plain-HTTP vhost for $HOSTNAME on IPv4 and IPv6. Its only two jobs are
    # to answer ACME HTTP-01 challenges and to send every other request to
    # the HTTPS vhost.
    server_name $HOSTNAME;
    listen 80;
    listen [::]:80;

    # Privacy: keep the nginx version and OS out of the "Server" response
    # header and out of nginx-generated error pages.
    server_tokens off;

    # Deliberately nonexistent document root so that nothing can be served
    # from the filesystem by this vhost other than the ACME alias below.
    root /tmp/invalid-path-nothing-here;

    # ACME HTTP-01 challenge files. This prefix must remain reachable over
    # plain HTTP (the validator connects to port 80), so it is exempt from the
    # redirect. The certificate provisioning tool writes its challenge
    # responses under this webroot.
    # NOTE(review): $STORAGE_ROOT and $HOSTNAME look like install-time
    # template placeholders rather than nginx variables -- confirm with the
    # generator, since an unsubstituted $VAR would be an undefined nginx
    # variable at runtime.
    location /.well-known/acme-challenge/ {
        # Keep the location prefix and the alias target BOTH ending in "/".
        # If the prefix loses its trailing slash while the alias keeps one,
        # nginx's alias handling lets a request such as
        # "/.well-known/acme-challenge../" resolve outside the webroot.
        # Directory listing is not enabled here (autoindex defaults to off).
        alias $STORAGE_ROOT/ssl/lets_encrypt/webroot/.well-known/acme-challenge/;
    }

    # Everything else: permanent redirect to HTTPS. nginx selects the longest
    # matching prefix location, so the ACME location above still wins for its
    # path regardless of where it appears in this block.
    location / {
        # $request_uri is the original request path and query string, passed
        # through verbatim; no regex capture, matching or evaluation is
        # involved in building the redirect target.
        return 301 https://$HOSTNAME$request_uri;
    }
}
# The secure HTTPS server.
server {
    # TLS vhost for $HOSTNAME on IPv4 and IPv6, with HTTP/2 enabled on both
    # listeners.
    server_name $HOSTNAME;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Privacy: keep the nginx version and OS out of the "Server" response
    # header and out of nginx-generated error pages.
    server_tokens off;

    # Certificate chain and private key. The $SSL_* names look like
    # install-time template placeholders -- confirm with the generator.
    # NOTE(review): the key file should be readable only by the user that
    # runs the nginx master process; this block cannot enforce that.
    ssl_certificate $SSL_CERTIFICATE;
    ssl_certificate_key $SSL_KEY;

    # NOTE(review): no ssl_protocols, ssl_ciphers, ssl_prefer_server_ciphers,
    # ssl_session_* or HSTS directives appear in this block. They are
    # presumably supplied at the http level, by an include, or spliced in at
    # the marker below -- confirm, otherwise nginx's compiled-in defaults apply.

    # ADDITIONAL DIRECTIVES HERE
}