diff --git a/nginx/server.conf b/nginx/server.conf
index 8f58dcc1..7e5430a2 100644
--- a/nginx/server.conf
+++ b/nginx/server.conf
@@ -15,8 +15,6 @@ server {
 
     server_name connectivitycheck.grapheneos.org www.grapheneos.org grapheneos.org;
 
-    root /var/www/html;
-
     ssl_certificate /etc/letsencrypt/live/grapheneos.org/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/grapheneos.org/privkey.pem;
     include /etc/letsencrypt/options-ssl-nginx.conf;
@@ -26,6 +24,12 @@ server {
     ssl_stapling on;
     ssl_stapling_verify on;
 
+    root /var/www/html;
+
+    charset utf-8;
+    include /etc/nginx/snippets/security-headers.conf;
+    gzip_static on;
+
     if ($host != "grapheneos.org") {
         return 301 https://grapheneos.org$request_uri;
     }
@@ -91,10 +95,6 @@ server {
         add_header Cache-Control "public, max-age=31536000";
         gzip_static off;
     }
-
-    charset utf-8;
-    include /etc/nginx/snippets/security-headers.conf;
-    gzip_static on;
 }
 
 server {
@@ -114,8 +114,6 @@ server {
 
     server_name mta-sts.grapheneos.org;
 
-    root /var/www/mta-sts;
-
     ssl_certificate /etc/letsencrypt/live/grapheneos.org/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/grapheneos.org/privkey.pem;
     include /etc/letsencrypt/options-ssl-nginx.conf;
@@ -125,5 +123,7 @@ server {
     ssl_stapling on;
     ssl_stapling_verify on;
 
+    root /var/www/mta-sts;
+
     include /etc/nginx/snippets/security-headers.conf;
 }