## $HOSTNAME
# NOTE(review): $HOSTNAME, $STORAGE_ROOT and the other upper-case $VARIABLES in this file
# are not nginx runtime variables (the literal text would not be a valid server_name);
# they look like placeholders filled in when the file is generated — confirm against
# the generator.

#BEGIN_HTTP
# Redirect all HTTP to HTTPS *except* the ACME challenge path (Let's Encrypt TLS
# certificate domain-validation challenges). The ACME HTTP-01 validation request is
# made over plain HTTP to port 80, so that one path must stay reachable without TLS;
# the certificate being requested may not exist yet.
server {
    listen 80;
    listen [::]:80;

    server_name $HOSTNAME;
    # Deliberately point the document root at a path that does not exist, so that no
    # file on disk can be served by the plain-HTTP server by accident; only the two
    # explicit locations below answer requests.
    root /tmp/invalid-path-nothing-here;

    # Improve privacy: hide version and OS information on
    # error pages and in the "Server" HTTP header.
    server_tokens off;

    location / {
        # Redirect using the 'return' directive and the built-in
        # variable '$request_uri' to avoid any capturing, matching
        # or evaluation of regular expressions.
        # The target is the configured hostname, not the client-supplied Host header
        # (nginx's $host), so the redirect destination cannot be steered by the request.
        # $request_uri carries the original path and query string through unchanged.
        return 301 https://$HOSTNAME$request_uri;
    }

    location /.well-known/acme-challenge/ {
        # This path must be served over HTTP for ACME domain validation.
        # We map this to a special path where our TLS cert provisioning
        # tool knows to store challenge response files.
        # Keep the trailing slash on BOTH the location prefix and the alias target:
        # an alias whose location prefix lacks the trailing slash is a well-known
        # nginx path-traversal misconfiguration, and a mismatch would also break
        # the prefix-to-directory mapping.
        alias $STORAGE_ROOT/ssl/lets_encrypt/webroot/.well-known/acme-challenge/;
    }
}
#END_HTTP
# The secure HTTPS server.
server {
    # $HTTP_SSL_PORT, $SSL_CERTIFICATE and $SSL_KEY are presumably placeholders filled
    # in when this file is generated — confirm against the generator.
    listen $HTTP_SSL_PORT ssl http2;
    listen [::]:$HTTP_SSL_PORT ssl http2;

    server_name $HOSTNAME;

    # Improve privacy: hide version and OS information on
    # error pages and in the "Server" HTTP header.
    server_tokens off;

    # Certificate chain and private key. The key file is read by nginx at startup and
    # should not be readable by any other user on the host.
    ssl_certificate $SSL_CERTIFICATE;
    ssl_certificate_key $SSL_KEY;

    # ADDITIONAL DIRECTIVES HERE
    # NOTE(review): this file sets no TLS policy of its own — no ssl_protocols,
    # ssl_ciphers / ssl_prefer_server_ciphers, session settings, OCSP stapling or
    # Strict-Transport-Security header. Presumably they are spliced in at the marker
    # above by the generator; verify that, because otherwise nginx's compiled-in
    # defaults apply to this vhost.
}