diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index d7f59f81..8c6beb9d 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -88,6 +88,22 @@ http {
 return 301 https://$host$request_uri;
 }
+ server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name primary.grapheneos.org;
+
+ root /var/empty;
+
+ location /.well-known/acme-challenge/ {
+ root /srv/certbot;
+ }
+
+ location / {
+ return 301 https://grapheneos.org$request_uri;
+ }
+ }
+
 server {
 listen 443 ssl http2 backlog=4096;
 listen [::]:443 ssl http2 backlog=4096;
@@ -98,7 +114,13 @@ http {
 include snippets/security-headers.conf;
 add_header Cross-Origin-Resource-Policy "same-origin" always;
- return 301 https://grapheneos.org$request_uri;
+ location ^~ /.well-known/acme-challenge/ {
+ return 301 https://primary.grapheneos.org$request_uri;
+ }
+
+ location / {
+ return 301 https://grapheneos.org$request_uri;
+ }
 }
 server {
@@ -111,7 +133,13 @@ http {
 include snippets/security-headers.conf;
 add_header Cross-Origin-Resource-Policy "same-origin" always;
- return 302 https://github.com/GrapheneOS/Vanadium;
+ location ^~ /.well-known/acme-challenge/ {
+ return 301 https://primary.grapheneos.org$request_uri;
+ }
+
+ location / {
+ return 302 https://github.com/GrapheneOS/Vanadium;
+ }
 }
 server {
@@ -243,6 +271,10 @@ http {
 try_files $uri.html =404;
 }
+ location ^~ /.well-known/acme-challenge/ {
+ return 301 https://primary.grapheneos.org$request_uri;
+ }
+
 location ^~ /fonts/ {
 include snippets/security-headers.conf;
 add_header Cross-Origin-Resource-Policy "same-origin" always;
@@ -352,6 +384,10 @@ http {
 location = /.well-known/mta-sts.txt {}
+ location ^~ /.well-known/acme-challenge/ {
+ return 301 https://primary.grapheneos.org$request_uri;
+ }
+
 location / {
 return 404;
 }
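Review bot: The new `primary.grapheneos.org` server block in the first hunk omits the `include snippets/security-headers.conf;` and `add_header Cross-Origin-Resource-Policy "same-origin" always;` lines that the neighbouring 443 redirect servers carry. Unless those headers are also set at `http` level (not visible here), its redirect and challenge responses go out without them. Adding both lines after `server_name` would keep the block consistent, and both locations would inherit them because neither declares its own `add_header`. The challenge location is also written as a plain prefix match while every other hunk uses `^~`; that is harmless with no regex locations in this block, but `location ^~ /.well-known/acme-challenge/ {` would match the rest of the file.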
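Review bot: The redirect `location ^~ /.well-known/acme-challenge/ { return 301 https://primary.grapheneos.org$request_uri; }` is pasted unchanged into four server blocks (the second hunk and the three after it), with no comment recording that these hosts now delegate HTTP-01 validation to the primary. That delegation is security-relevant: anything able to write under `/srv/certbot` on the primary, or to answer for `primary.grapheneos.org`, can satisfy a challenge for every name that redirects there. I would state that once, for example `# HTTP-01 for this name is answered from /srv/certbot on primary.grapheneos.org; keep that webroot writable only by the ACME client`. Moving the block into a shared snippet next to `snippets/security-headers.conf` (for example `include snippets/<acme-redirect>.conf;`, placeholder name) would give the comment a single home. CAA records limiting which CA and account may issue would narrow the exposure further. The server blocks these locations sit in start and end outside the hunks.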