Move server config to conf.d folder

Aligning with nginx docker image
Fix #95

sites-available/ssl.no-default → conf.d/.default.conf

@@ -1,3 +1,7 @@
+# ----------------------------------------------------------------------
+# | Default behavior for unknown hosts                                 |
+# ----------------------------------------------------------------------
+#
 # Drop requests for unknown hosts
 #
 # If no default server is defined, nginx will use the first found server.
@@ -8,7 +12,12 @@
 server {
   listen [::]:443 ssl default_server;
   listen 443 ssl default_server;
+
+  server_name _;
+
   include h5bp/ssl/ssl_engine.conf;
+  include h5bp/ssl/certificate_files.conf;
   include h5bp/ssl/policy_intermediate.conf;
+
   return 444;
 }

conf.d/no-ssl.default.conf

@@ -0,0 +1,27 @@
+# ----------------------------------------------------------------------
+# | Default behavior for unknown hosts                                 |
+# ----------------------------------------------------------------------
+#
+# Drop requests for unknown hosts
+#
+# If no default server is defined, nginx will use the first found server.
+# To prevent host header attacks, or other potential problems when an unknown
+# servername is used in a request, it's recommended to drop the request
+# returning 444 "no response".
+#
+# (1) In production, only secure hosts should be used (all `no-ssl` disabled).
+#     If so, redirect first ANY request to a secure connexion before handling it
+#     even if the host is unknown.
+#
+#     https://observatory.mozilla.org/faq/
+
+server {
+  listen [::]:80 default_server deferred;
+  listen 80 default_server deferred;
+
+  server_name _;
+
+  # (1)
+  # return 301 https://$host$request_uri;
+  return 444;
+}

sites-available/ssl.example.com → conf.d/templates/example.com.conf

@@ -1,34 +1,29 @@
-# Choose between www and non-www, listen on the *wrong* one and redirect to
-# the right one -- https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#server-name-if
+# ----------------------------------------------------------------------
+# | Config file for example.com host                                   |
+# ----------------------------------------------------------------------
 #
-server {
-  listen [::]:80;
-  listen 80;
-
-  # listen on both hosts
-  server_name example.com www.example.com;
-
-  # and redirect to the https host (declared below)
-  # avoiding http://www -> https://www -> https:// chain.
-  return 301 https://example.com$request_uri;
-}
+# This file is a template for a nginx server.
+# This nginx server listen the `example.com` host and handle requests.
+# Remplace `example.com` with your hostname before enabling.
 
+# Choose between www and non-www, listen on the wrong one and redirect to
+# the right one.
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#server-name-if
 server {
   listen [::]:443 ssl http2;
   listen 443 ssl http2;
 
-  # listen on the wrong host
   server_name www.example.com;
 
   include h5bp/ssl/ssl_engine.conf;
+  include h5bp/ssl/certificate_files.conf;
   include h5bp/ssl/policy_intermediate.conf;
 
-  # and redirect to the non-www host (declared below)
-  return 301 https://example.com$request_uri;
+  return 301 $scheme://example.com$request_uri;
 }
 
-server {
 
+server {
   # listen [::]:443 ssl http2 accept_filter=dataready;  # for FreeBSD
   # listen 443 ssl http2 accept_filter=dataready;  # for FreeBSD
   # listen [::]:443 ssl http2 deferred;  # for Linux
@@ -40,6 +35,7 @@ server {
   server_name example.com;
 
   include h5bp/ssl/ssl_engine.conf;
+  include h5bp/ssl/certificate_files.conf;
   include h5bp/ssl/policy_intermediate.conf;
 
   # Path for static files

conf.d/templates/no-ssl.example.com.conf

@@ -0,0 +1,40 @@
+# ----------------------------------------------------------------------
+# | Config file for non-secure example.com host                        |
+# ----------------------------------------------------------------------
+#
+# This file is a template for a non-secure nginx server.
+# This nginx server listen the `example.com` host and handle requests.
+# Remplace `example.com` with your hostname before enabling.
+
+# Choose between www and non-www, listen on the wrong one and redirect to
+# the right one.
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#server-name-if
+server {
+  listen [::]:80;
+  listen 80;
+
+  server_name www.example.com;
+
+  return 301 $scheme://example.com$request_uri;
+}
+
+server {
+  # listen [::]:80 accept_filter=httpready; # for FreeBSD
+  # listen 80 accept_filter=httpready; # for FreeBSD
+  # listen [::]:80 deferred; # for Linux
+  # listen 80 deferred; # for Linux
+  listen [::]:80;
+  listen 80;
+
+  # The host name to respond to
+  server_name example.com;
+
+  # Path for static files
+  root /var/www/example.com/public;
+
+  # Custom error pages
+  include h5bp/errors/custom_errors.conf;
+
+  # Include the basic h5bp config set
+  include h5bp/basic.conf;
+}

nginx.conf

@@ -111,10 +111,9 @@ http {
   # Enable gzip compression.
   include h5bp/web_performance/compression.conf;
 
-  # Include files in the sites-enabled folder. server{} configuration files should be
-  # placed in the sites-available folder, and then the configuration should be enabled
-  # by creating a symlink to it in the sites-enabled folder.
-  # See doc/sites-enabled.md for more info.
-  include sites-enabled/*;
+  # Include files in the conf.d folder.
+  # server{} configuration files should be placed in the conf.d folder.
+  # The configurations should be disabled by prefixing files with a dot.
+  include conf.d/*.conf;
 
 }