bundles/nginx: only redirect to ssl for sites which actually have ssl enabled

2021-04-25 09:20:16 +02:00 · 2021-04-25 09:20:16 +02:00 · 44d42de81c
commit 44d42de81c
parent 690e56f558
3 changed files with 33 additions and 29 deletions
--- a/bundles/nginx/files/port80.conf
+++ b/bundles/nginx/files/port80.conf
@ -4,11 +4,6 @@ server {
    server_name  _;

    location / {
-        return 308 https://$host$request_uri;
+        return 404;
    }
-% if needs_le:
-    location /.well-known/acme-challenge/ {
-        alias /var/lib/dehydrated/acme-challenges/;
-    }
-% endif
 }
--- a/bundles/nginx/files/site_template
+++ b/bundles/nginx/files/site_template
@ -7,17 +7,40 @@ server {
    root ${webroot if webroot else '/var/www/{}/'.format(vhost)};
    index ${' '.join(index)};

+    listen       80;
+    listen       [::]:80;
+
 % if ssl:
+    location / {
+        return 308 https://$host$request_uri;
+    }
+
+%   if ssl == 'letsencrypt':
+    location /.well-known/acme-challenge/ {
+        alias /var/lib/dehydrated/acme-challenges/;
+    }
+%   endif
+}
+
+server {
+%   if domain_aliases:
+    server_name ${domain} ${' '.join(sorted(domain_aliases))};
+%   else:
+    server_name ${domain};
+%   endif
+    root ${webroot if webroot else '/var/www/{}/'.format(vhost)};
+    index ${' '.join(index)};
+
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

-% if ssl == 'letsencrypt':
+%   if ssl == 'letsencrypt':
    ssl_certificate /var/lib/dehydrated/certs/${domain}/fullchain.pem;
    ssl_certificate_key /var/lib/dehydrated/certs/${domain}/privkey.pem;
-% else:
+%   else:
    ssl_certificate /etc/nginx/ssl/${vhost}.crt;
    ssl_certificate_key /etc/nginx/ssl/${vhost}.key;
-% endif
+%   endif
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
@ -26,9 +49,6 @@ server {
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
-% else:
-    listen 80;
-    listen [::]:80;
 % endif

    resolver 8.8.8.8 8.8.4.4 valid=300s;