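# CONFIGURED BY ANSIBLE
#
# Catch-all default vhost (Ansible/Jinja2 template).
# Answers every request whose Host header matches no other server block,
# on both plain HTTP and TLS, and redirects it to the main site. Nothing is
# served from here except ACME http-01 challenge files.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 default_server ssl;
    listen [::]:443 default_server ssl;
    # "_" never matches a real name, so this block only wins as default_server
    server_name _;

    # Fixed: the original tag was "{% nginx_type == 'upstream' %}" (missing
    # "if"), which makes the template fail to render. Only the upstream flavour
    # gets HTTP/2; the ACME location below is served over plain HTTP/1.1 anyway.
    {% if nginx_type == 'upstream' %}
    http2 on;
    {% endif %}

    # "json" is a log_format that must be defined in the http{} context
    # (not in this file) - confirm it exists before deploying.
    access_log /var/log/nginx/catch-all.access.log json;
    error_log /var/log/nginx/catch-all.error.log warn;

    # Self-signed on purpose - there's nothing here. The certificate only has
    # to let the TLS handshake complete so the 301 below can be delivered;
    # clients will see a certificate warning, which is expected for a catch-all.
    # ssl_protocols / ssl_ciphers are not set here and are inherited from the
    # http{} context - NOTE(review): confirm they are hardened there.
    ssl_certificate /etc/ssl/self.crt;
    ssl_certificate_key /etc/ssl/self.key;

    # We need to define "location /" explicitly, otherwise the ACME location
    # below could end up handling everything.
    #
    # --either-- redirect all to the main site
    location / {
        # Wrong vhost, hence the Host header and $request_uri are deliberately
        # NOT reflected into the redirect target: a fixed destination avoids
        # open-redirect / host-header-injection behaviour on a catch-all.
        return 301 https://some.domain.tld/;
    }

    # --or-- keep some vhost alone
    #location / {
    #    root /data/www/html;
    #    index index.html index.htm;
    #    try_files $uri $uri/ =404;
    #}

    # Deal with http-01 challenges (no http2 there).
    # "^~" makes this prefix match win over any regex location, so the
    # access_log/log_not_found regex locations below cannot shadow it.
    location ^~ /.well-known/acme-challenge/ {
        # challenge tokens have no file extension
        default_type "text/plain";
        # Trailing slash matters: with alias, the matched prefix is replaced
        # by this directory, so only files directly under it are reachable.
        alias /var/www/dehydrated/;
    }

    # Never list directory contents on the catch-all
    autoindex off;
    autoindex_exact_size off;

    # Quiet well-known noise requests so they do not pollute the logs;
    # they still return 404 because nothing is served from this vhost.
    location = /robots.txt {
        access_log off;
        log_not_found off;
    }
    location = /favicon.ico {
        access_log off;
        log_not_found off;
    }
    location ~ /apple-touch-icon {
        access_log off;
        log_not_found off;
    }
}

# Legacy separate TLS server block, kept for reference only (the block above
# now listens on 443 itself).
#server {
#
#    access_log /var/log/nginx/catch-all.access.ssl.log json;
#    error_log /var/log/nginx/catch-all.error.ssl.log warn;
#
#    # self-signed on purpose - there's nothing here
#    # How the self-signed pair referenced above was generated:
#    #cd /etc/ssl/
#    #openssl req -x509 -days 9999 -nodes \
#    #    -newkey ec:<(openssl ecparam -name prime256v1) \
#    #    -keyout self.key \
#    #    -out self.crt
#
#    ssl_certificate /etc/ssl/self.crt;
#    ssl_certificate_key /etc/ssl/self.key;
#
#    location / {
#        # wrong vhost hence no host request_uri vars
#        return 301 https://some.domain.tld/;
#    }
#}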