2 ################################################
3 ### Managed by someone's ansible provisioner ###
4 ################################################
5 # Part of: https://git.somenet.org/root/pub/somesible.git
6 # 2017-2024 by someone <someone@somenet.org>
# Default HTTPS virtual host: accepts TLS on port 443 (IPv4 and IPv6) for any
# name that no other server block claims, with HTTP/2 enabled.
# NOTE(review): the "http2" listen parameter is deprecated since nginx 1.25.1
# in favour of a separate "http2 on;" directive - check the deployed version.
11 listen 443 ssl default_server http2;
12 listen [::]:443 ssl default_server http2;
# Certificate and key are the Debian ssl-cert "snakeoil" pair, i.e. self-signed:
# clients cannot authenticate this host and will see a certificate warning.
# NOTE(review): the PAM-protected awstats locations further down appear to sit
# in this same server block, so passwords would be entered over a connection
# the client cannot verify - confirm a CA-issued certificate is used for any
# name that serves them.
15 ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
16 ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
# Only TLS 1.2 and TLS 1.3 are offered.
17 ssl_protocols TLSv1.2 TLSv1.3;
# OpenSSL cipher string: HIGH, minus anonymous suites and minus every suite
# whose MAC is MD5, SHA-1, SHA-256 or SHA-384. For TLS 1.2 that should leave
# only AEAD suites; verify with `openssl ciphers -v '<string>'` on the target
# host. With OpenSSL, TLS 1.3 suites are not selected by this directive.
18 ssl_ciphers HIGH:!aNULL:!MD5:!SHA1:!SHA256:!SHA384;
# The server's cipher order wins over the client's.
19 ssl_prefer_server_ciphers on;
# Left disabled: without ssl_dhparam, nginx 1.11.0+ offers no DHE key
# exchange, so TLS 1.2 handshakes rely on ECDHE only.
20 # ssl_dhparam /etc/nginx/dhparams.pem;
# TLS session cache named "SSL", 10 MB, shared between all worker processes.
21 ssl_session_cache shared:SSL:10m;
# ACME HTTP-01 challenge responses, served from a directory presumably filled
# by the dehydrated client. "^~" makes this prefix win over regex locations,
# so the dotfile rule below cannot block it.
# NOTE(review): neither the prefix nor the alias ends in "/", so any URI that
# merely starts with this string is mapped onto a sibling path starting with
# /var/www/html/dehydrated. Ending both in "/" confines the mapping to the
# challenge directory.
24 location ^~ /.well-known/acme-challenge {
25 alias /var/www/html/dehydrated;
# Status endpoint; its body (file lines 30-35) is not part of this listing.
# NOTE(review): confirm the omitted lines restrict access (allow/deny or
# authentication) - a status page on a default_server is otherwise reachable
# by anyone who can connect.
29 location /nginx_status {
36 ### <dotfile protection>
# Regex location: matches any URI containing a path component that starts with
# a dot (.git, .env, .htpasswd, ...) unless that component is ".well-known/".
# The action taken (file lines 38-39) is not shown here - presumably a deny or
# 404; confirm.
37 location ~ /\.(?!well-known\/).* {
40 ### </dotfile protection>
# Exact-match location for /robots.txt.
42 location = /robots.txt {
# Serves <root>/html/robots.txt if it exists, otherwise answers 404.
# The applicable root is set outside the lines shown here.
44 try_files /html/$uri =404;
# Static icons for the AWStats report, taken from the awstats package
# directory and handled by the "nginx-awstats" PAM service.
# NOTE(review): the location prefix has no trailing "/" while the alias does.
# This is the documented "off-by-slash" alias misconfiguration: the URI
# remainder is appended after ".../icon/", so requests matching this prefix can
# resolve to files in the parent directory of the alias target. Fix by making
# the two agree: `location ^~ /awstats-icon/ {`.
48 location ^~ /awstats-icon {
49 alias /usr/share/awstats/icon/;
# Selects the PAM service only; the `auth_pam` directive that turns
# authentication on is expected on an omitted line (file line 50) - confirm.
51 auth_pam_service_name "nginx-awstats";
# The AWStats CGI itself, exposed only at the exact URI /awstats.pl.
54 location = /awstats.pl {
55 root /usr/lib/cgi-bin/;
# Selects the PAM service only; the `auth_pam` directive that turns
# authentication on is expected on an omitted line (file line 56) - confirm,
# because without it this CGI is reachable unauthenticated.
57 auth_pam_service_name "nginx-awstats";
# Standard FastCGI variables, then hand the request to fcgiwrap over its
# local UNIX socket.
61 include fastcgi_params;
62 fastcgi_pass unix:/var/run/fcgiwrap.socket;
# SCRIPT_FILENAME is a fixed path rather than one derived from the request
# URI, so this location can only ever make fcgiwrap execute awstats.pl.
63 fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/awstats.pl;
# Default plain-HTTP virtual host on port 80 (IPv4 and IPv6): catches every
# request whose Host matches no other server block.
70 listen 80 default_server;
71 listen [::]:80 default_server;
# ACME HTTP-01 challenges must stay reachable over plain HTTP, so this prefix
# is answered here instead of being redirected to HTTPS.
# NOTE(review): neither the prefix nor the alias ends in "/", so any URI that
# merely starts with this string is mapped onto a sibling path starting with
# /var/www/html/dehydrated. Ending both in "/" confines the mapping to the
# challenge directory.
75 location ^~ /.well-known/acme-challenge {
76 alias /var/www/html/dehydrated;
# Status endpoint over plain HTTP; its body (file lines 81-86) is not part of
# this listing. NOTE(review): confirm the omitted lines restrict who may query
# it, since responses on port 80 are also unencrypted.
80 location /nginx_status {
88 # redirect everything to https except for /.well-known/acme-challenge and /nginx_status
# Permanent redirect that keeps the requested host name and full URI.
# NOTE(review): $host is derived from the request (normally the Host header),
# and this is a default_server, so the redirect target is whatever name the
# client sent. Use a fixed canonical name here if reflected host names are a
# concern (e.g. behind a shared cache). A 301 is also cached by browsers, so
# it is hard to retract.
90 return 301 https://$host$request_uri;