# # Default Server catch all requests ... # ... without hostname # ... with a numeric IP-Address as hostname # ... to any hostname not defined elsewhere # # Don't send HSTS and HKP headers, respect other/later servers on this dynamic # address which do not have TLS/SSL enabled. server { # IPv4 private address # Port-forwarded connections from firewall-router listen 192.0.2.10:80 deferred default_server bind; listen 192.0.2.10:443 ssl http2 deferred default_server bind; # Enable stapling of online certificate status protocol (OCSP) response include ocsp-stapling.conf; # TLS certificate of signing CA (validate OCSP repsonse when stapling) ssl_trusted_certificate /etc/dehydrated/certs/default_server/chain.pem; # OCSP staping repsonse file (pre-generated) ssl_stapling_file /etc/dehydrated/certs/default_server/ocsp_response.der; # TLS certificate (chained) and key ssl_certificate /etc/dehydrated/certs/default_server/fullchain.pem; ssl_certificate_key /etc/dehydrated/certs/default_server/privkey.pem; # TLS session cache (type:name:size) ssl_session_cache shared:default_server:10m; # TLS session ticket key ssl_session_ticket_key /etc/nginx/tls_session_keys/default_server.1.key; ssl_session_ticket_key /etc/nginx/tls_session_keys/default_server.2.key; ssl_session_ticket_key /etc/nginx/tls_session_keys/default_server.3.key; # Public Documents Root root /var/www/default_site/public_html/; # Allow access for Let's Encrypt to domain validation tokens location /.well-known/acme-challenge { allow all; } location / { # Return nothing and close connection (useful against malware). return 444; } # Path, format, and configuration for buffered log writes access_log /var/log/nginx/default-access.log main; log_not_found off; log_subrequest off; }