## $HOSTNAME

# Redirect all HTTP to HTTPS *except* the ACME challenge path (Let's Encrypt TLS
# certificate domain-validation challenges), which must be served over plain HTTP
# per the ACME spec (originally attributed here to some Apache vulnerability).
server {
	# Plain-HTTP listener on IPv4 and IPv6. Its only jobs are the HTTPS redirect
	# below and serving ACME challenge files; nothing else is served from here.
	listen 80;
	listen [::]:80;

	# $HOSTNAME is a template placeholder — presumably substituted by the
	# provisioning tool before nginx reads this file; verify against the generator.
	server_name $HOSTNAME;
	# Deliberately non-existent document root so that no request outside the
	# two location blocks below can ever read a real file from disk.
	root /tmp/invalid-path-nothing-here;

	# Improve privacy: Hide version and OS information on
	# error pages and in the "Server" HTTP-Header.
	server_tokens off;

	location / {
		# Redirect using the 'return' directive and the built-in
		# variable '$request_uri' to avoid any capturing, matching
		# or evaluation of regular expressions.
		# The target host is the configured $HOSTNAME, not the client-supplied
		# Host header, so a forged Host cannot turn this into an open redirect.
		# $request_uri is the raw (still percent-encoded) request target.
		return 301 https://$HOSTNAME$request_uri;
	}

	location /.well-known/acme-challenge/ {
		# This path must be served over HTTP for ACME domain validation.
		# We map this to a special path where our TLS cert provisioning
		# tool knows to store challenge response files.
		# 'alias' (not 'root') is used because the on-disk directory does not
		# share the URI prefix; both the location and the alias end in '/' so
		# the remainder of the URI is appended directly. Only files the
		# provisioning tool writes under this webroot are reachable.
		alias $STORAGE_ROOT/ssl/lets_encrypt/webroot/.well-known/acme-challenge/;
	}
}

# The secure HTTPS server.
server {
	# TLS listener on IPv4 and IPv6 with HTTP/2 enabled.
	# NOTE(review): 'http2' as a 'listen' parameter is deprecated in nginx
	# 1.25.1+ in favour of a separate 'http2 on;' directive; keep this form
	# only while the target nginx version still accepts it.
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	# $HOSTNAME is a template placeholder — presumably substituted by the
	# provisioning tool before nginx reads this file; verify against the generator.
	server_name $HOSTNAME;

	# Improve privacy: Hide version and OS information on
	# error pages and in the "Server" HTTP-Header.
	server_tokens off;

	# Certificate chain and private key, as template placeholders. The key
	# file must be readable only by the nginx master process user.
	ssl_certificate $SSL_CERTIFICATE;
	ssl_certificate_key $SSL_KEY;

	# NOTE(review): no TLS protocol/cipher policy (ssl_protocols, ssl_ciphers,
	# ssl_prefer_server_ciphers) and no HSTS header (add_header
	# Strict-Transport-Security) are set in this block. Presumably they are
	# inherited from the enclosing http{} context or an included snippet —
	# confirm that before deploying, otherwise nginx defaults apply here.

	# ADDITIONAL DIRECTIVES HERE
}