staging

nginx/nginx.conf

@@ -55,8 +55,8 @@ http {
     ssl_prefer_server_ciphers on;
     ssl_conf_command Options PrioritizeChaCha;
 
-    ssl_certificate /etc/letsencrypt/live/grapheneos.org/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/grapheneos.org/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/staging.grapheneos.org/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/staging.grapheneos.org/privkey.pem;
 
     # maintained by rotate-session-ticket-keys in noswap tmpfs
     ssl_session_ticket_key /etc/session-ticket-keys/4.key;
@@ -108,28 +108,14 @@ http {
     server {
         listen 80;
         listen [::]:80;
-        server_name grapheneos.org www.grapheneos.org grapheneos.app www.grapheneos.app grapheneos.ca www.grapheneos.ca grapheneos.com www.grapheneos.com grapheneos.dev www.grapheneos.dev grapheneos.foundation www.grapheneos.foundation grapheneos.info www.grapheneos.info grapheneos.net www.grapheneos.net grapheneos.ovh www.grapheneos.ovh grapheneos.page www.grapheneos.page vanadium.app www.vanadium.app;
-
-        location /.well-known/acme-challenge/ {
-            return 301 http://0.grapheneos.org$request_uri;
-        }
-
-        location / {
-            return 301 https://$host$request_uri;
-        }
-    }
-
-    server {
-        listen 80;
-        listen [::]:80;
-        server_name 0.grapheneos.org;
+        server_name staging.grapheneos.org;
 
         location /.well-known/acme-challenge/ {
             root /srv/certbot;
         }
 
         location / {
-            return 301 https://grapheneos.org$request_uri;
+            return 301 https://$host$request_uri;
         }
     }
 
@@ -149,63 +135,7 @@ http {
         listen 443 ssl;
         listen [::]:443 ssl;
         http2 on;
-        server_name www.grapheneos.org grapheneos.app www.grapheneos.app grapheneos.ca www.grapheneos.ca grapheneos.com www.grapheneos.com grapheneos.dev www.grapheneos.dev grapheneos.foundation www.grapheneos.foundation grapheneos.info www.grapheneos.info grapheneos.net www.grapheneos.net grapheneos.ovh www.grapheneos.ovh grapheneos.page www.grapheneos.page;
-
-        keepalive_timeout 3m;
-
-        include snippets/security-headers.conf;
-        add_header Cross-Origin-Resource-Policy "same-origin" always;
-
-        # https://trac.nginx.org/nginx/ticket/2012
-        location / {
-            return 301 https://grapheneos.org$request_uri;
-        }
-    }
-
-    server {
-        listen 443 ssl;
-        listen [::]:443 ssl;
-        http2 on;
-        server_name www.vanadium.app;
-
-        keepalive_timeout 3m;
-
-        include snippets/security-headers.conf;
-        add_header Cross-Origin-Resource-Policy "same-origin" always;
-
-        # https://trac.nginx.org/nginx/ticket/2012
-        location / {
-            return 301 https://vanadium.app$request_uri;
-        }
-    }
-
-    server {
-        listen 443 ssl;
-        listen [::]:443 ssl;
-        http2 on;
-        server_name vanadium.app;
-
-        keepalive_timeout 3m;
-
-        include snippets/security-headers.conf;
-        add_header Cross-Origin-Resource-Policy "same-origin" always;
-
-        location = / {
-            include snippets/security-headers.conf;
-            add_header Cache-Control "public, max-age=2592000";
-            return 301 https://grapheneos.org/features#vanadium;
-        }
-
-        location / {
-            return 404;
-        }
-    }
-
-    server {
-        listen 443 ssl;
-        listen [::]:443 ssl;
-        http2 on;
-        server_name grapheneos.org;
+        server_name staging.grapheneos.org;
 
         include root_grapheneos.org.conf;
         error_page 403 =404 /404;

nginx/snippets/security-headers-base.conf

@@ -1,3 +1,6 @@
+# staging site (not a security header)
+add_header X-Robots-Tag "noindex" always;
+
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
 add_header X-Content-Type-Options "nosniff" always;
 add_header Referrer-Policy "no-referrer" always;