Redirect Woes, Too Many Redirects


#1

My domain is: pibby.com

I ran this command: ./letsencrypt-auto

It produced this output: No issues

My web server is (include version): nginx version: nginx/1.15.2

The operating system my web server runs on is (include version): Ubuntu 14.04.5 LTS

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Nginx Config:

server { ## listen for ipv4; this line is default and implied
  root /var/www/pibby.com/_site;
  index index.html;

  # Make site accessible from http://localhost/
  server_name pibby.com www.pibby.com;

  access_log /var/log/nginx/access.pibby.com.log;
  error_log /var/log/nginx/error.pibby.com.log;

    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot



    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    # Redirect non-https traffic to https
    # if ($scheme != "https") {
    #     return 301 https://$host$request_uri;
    # } # managed by Certbot


}
server {
    if ($host = www.pibby.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = pibby.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


  listen   80;
  server_name pibby.com www.pibby.com;
    return 404; # managed by Certbot
}

This same config is working fine for another of my domains (pib.by), but I get too many redirects for pibby.com.


#2

https://www.pibby.com/ redirects to https://pibby.com/ but I don’t see that in your nginx configuration - is that configured elsewhere? (I’m wondering if whatever does that redirect might be misconfigured)


#3

I don’t have it anywhere else, the config I posted is the entire config that I have. I would like www.pibby.com to redirect to pibby.com.


#4

Can you try nginx -T to dump the full configuration? Maybe something in one of your other server blocks is interfering.


#5

First, I would test: For each 301 - redirect, add a # to inactivate this command. Three redirects -> three deactivated rows

# return 301 https://$host$request_uri;

If there is another domain with exact the same configuration, that should have no effect -> again a loop.

If there is again a loop: Are there other rewrite rules? Or is there a content management system?

If there is no loop - remove one of the #


#6

Do you also have a redirect in an .htaccess file ? ? ?


#7

@rg305, op is using nginx :wink:


#8
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

#9

This is the full output of nginx -T

# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 15;
	types_hash_max_size 2048;
	server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##
	ssl_session_cache shared:SSL:50m;
	ssl_session_timeout 10m;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers on;
	#ssl_buffer_size 8k;
	#ssl_session_tickets on;

	##
	# Logging Settings
	##

	#access_log /var/log/nginx/access.log;
	access_log off;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;
	gzip_disable "msie6";

	gzip_vary on;
	gzip_proxied any;
	gzip_comp_level 3;
	gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
	# Compress all output labeled with one of the following MIME-types.
	gzip_types
		application/atom+xml
		application/javascript
		application/x-javascript
		application/json
		application/rss+xml
		application/vnd.ms-fontobject
		application/x-font-ttf
		application/x-web-app-manifest+json
		application/xhtml+xml
		application/xml
		font/opentype
		image/svg+xml
		image/x-icon
		text/css
		text/plain
		text/x-component;

	##
	# nginx-naxsi config
	##
	# Uncomment it if you installed nginx-naxsi
	##

	#include /etc/nginx/naxsi_core.rules;

	##
	# nginx-passenger config
	##
	# Uncomment it if you installed nginx-passenger
	##
	
	#passenger_root /usr;
	#passenger_ruby /usr/bin/ruby;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}

#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
# 
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

#10
# configuration file /etc/nginx/mime.types:

types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;

    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;

    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;

    font/woff                                        woff;
    font/woff2                                       woff2;

    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xspf+xml                             xspf;
    application/zip                                  zip;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;

    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}

# configuration file /etc/nginx/conf.d/default.conf:
server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/log/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}

# configuration file /etc/nginx/sites-enabled/a.pibby.com:
# You may add here your
# server {
#	...
# }
# statements for each of your virtual hosts to this file

##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

server {

	root /var/www/a.pibby.com/public_html;
	index index.html index.htm;

	# Make site accessible from http://localhost/
	server_name a.pibby.com;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
		# Uncomment to enable naxsi on this location
		# include /etc/nginx/naxsi.rules
	}

	# Only for nginx-naxsi used with nginx-naxsi-ui : process denied requests
	#location /RequestDenied {
	#	proxy_pass http://127.0.0.1:8080;    
	#}

	#error_page 404 /404.html;

	# redirect server error pages to the static page /50x.html
	#
	#error_page 500 502 503 504 /50x.html;
	#location = /50x.html {
	#	root /usr/share/nginx/html;
	#}

	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
	#
	#location ~ \.php$ {
	#	fastcgi_split_path_info ^(.+\.php)(/.+)$;
	#	# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
	#
	#	# With php5-cgi alone:
	#	fastcgi_pass 127.0.0.1:9000;
	#	# With php5-fpm:
	#	fastcgi_pass unix:/var/run/php5-fpm.sock;
	#	fastcgi_index index.php;
	#	include fastcgi_params;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot






}


# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
#	listen 8000;
#	listen somename:8080;
#	server_name somename alias another.alias;
#	root html;
#	index index.html index.htm;
#
#	location / {
#		try_files $uri $uri/ =404;
#	}
#}


# HTTPS server
#
#server {
#	listen 443;
#	server_name localhost;
#
#	root html;
#	index index.html index.htm;
#
#	ssl on;
#	ssl_certificate cert.pem;
#	ssl_certificate_key cert.key;
#
#	ssl_session_timeout 5m;
#
#	ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
#	ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
#	ssl_prefer_server_ciphers on;
#
#	location / {
#		try_files $uri $uri/ =404;
#	}
#}


server {
    if ($host = a.pibby.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen 80 default_server;
	listen [::]:80 default_server ipv6only=on;
	server_name a.pibby.com;
    return 404; # managed by Certbot


}
# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";

# configuration file /etc/nginx/sites-enabled/bio.pibby.com:
server { ## listen for ipv4; this line is default and implied
	#listen   [::]:80 default ipv6only=on; ## listen for ipv6

	root /var/www/bio.pibby.com/public_html;
	index index.html index.htm;

	# Make site accessible from http://localhost/
	server_name bio.pibby.com;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to index.html
		try_files $uri $uri/ /index.html;
	}

        location ~* \.html$ {
                expires -1;
        }

	# This block will catch static file requests, such as images, css, js
	# The ?: prefix is a 'non-capturing' mark, meaning we do not require
	# the pattern to be captured into $1 which should help improve performance
	location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
		# Some basic cache-control for static files to be sent to the browser
		expires 7d;
		add_header Pragma public;
		add_header Cache-Control "public, must-revalidate, proxy-revalidate";
	}

	error_page 404 /404.html;

	# redirect server error pages to the static page /50x.html
	#
	error_page 500 502 503 504 /50x.html;
	location = /50x.html {
		root /usr/share/nginx/www;
	}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot






}
server {
    if ($host = bio.pibby.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen   80;
	server_name bio.pibby.com;
    return 404; # managed by Certbot


}

#11
# configuration file /etc/nginx/sites-enabled/dev.pibby.com:
server {
	server_name dev.pibby.com;
	return 301 $scheme://pibby.com$request_uri;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


    # Redirect non-https traffic to https
    # if ($scheme != "https") {
    #     return 301 https://$host$request_uri;
    # } # managed by Certbot






}
server {
    if ($host = dev.pibby.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen 80;
	server_name dev.pibby.com;
    return 404; # managed by Certbot


}
# configuration file /etc/nginx/sites-enabled/fanfic.weallfalter.com:
server {
	listen   80; ## listen for ipv4; this line is default and implied
	#listen   [::]:80 default ipv6only=on; ## listen for ipv6

	root /var/www/fanfic.weallfalter.com/public_html;
	index index.html index.htm;

	# Make site accessible from http://localhost/
	server_name fanfic.weallfalter.com;

	location / {
		proxy_pass       http://localhost:9090;
		proxy_set_header Host      $host;
		proxy_set_header X-Real-IP $remote_addr;
	}

	# This block will catch static file requests, such as images, css, js
	# The ?: prefix is a 'non-capturing' mark, meaning we do not require
	# the pattern to be captured into $1 which should help improve performance
	location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
		# Some basic cache-control for static files to be sent to the browser
		expires 30d;
		add_header Pragma public;
		add_header Cache-Control "public, must-revalidate, proxy-revalidate";
	}

	# Specify a charset
	charset utf-8;
	error_page 404 /404.html;

  # redirect server error pages to the static page /50x.html
  #
  error_page 500 502 503 504 /50x.html;
  location = /50x.html {
    root /usr/share/nginx/www;
  }

  # deny access to .htaccess files, if Apache's document root
  # concurs with nginx's one
  #
  #location ~ /\.ht {
  # deny all;
  #}

	access_log /var/log/nginx/access.fanfic.weallfalter.com.log;
	error_log /var/log/nginx/error.fanfic.weallfalter.com.log;
}

# configuration file /etc/nginx/sites-enabled/frontenddit.weallfalter.com:
server {
	listen   80; ## listen for ipv4; this line is default and implied
	#listen   [::]:80 default ipv6only=on; ## listen for ipv6

	root /var/www/frontenddit.weallfalter.com/public_html;
	index index.html index.htm;

	# Make site accessible from http://localhost/
	server_name frontenddit.weallfalter.com;

	location / {
		proxy_pass       http://localhost:9292;
		proxy_set_header Host      $host;
		proxy_set_header X-Real-IP $remote_addr;
	}

	# This block will catch static file requests, such as images, css, js
	# The ?: prefix is a 'non-capturing' mark, meaning we do not require
	# the pattern to be captured into $1 which should help improve performance
	location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
		# Some basic cache-control for static files to be sent to the browser
		expires 30d;
		add_header Pragma public;
		add_header Cache-Control "public, must-revalidate, proxy-revalidate";
	}

	# Specify a charset
	charset utf-8;
	error_page 404 /404.html;

  # redirect server error pages to the static page /50x.html
  #
  error_page 500 502 503 504 /50x.html;
  location = /50x.html {
    root /usr/share/nginx/www;
  }

  # deny access to .htaccess files, if Apache's document root
  # concurs with nginx's one
  #
  #location ~ /\.ht {
  # deny all;
  #}

	access_log /var/log/nginx/access.frontenddit.weallfalter.com.log;
	error_log /var/log/nginx/error.frontenddit.weallfalter.com.log;
}

# configuration file /etc/nginx/sites-enabled/git.pib.by:
server {
    if ($host = git.pib.by) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen 80;
	# listen on the www host
	server_name git.pib.by;
	rewrite ^/(.*) https://git.pib.by/$1 permanent;

    # Redirect non-https traffic to https
    # if ($scheme != "https") {
    #     return 301 https://$host$request_uri;
    # } # managed by Certbot



}

server {
	listen 443 http2;
	#listen 443 ssl http2;
	#listen [::]:80 default_server ipv6only=on;

	root /var/www/git.pib.by/public_html;
	index index.html index.htm;

	# Make site accessible from http://localhost/
	#server_name 172.245.57.115;
	server_name git.pib.by;
	ssl on;
    ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot

	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:50m;
	#ssl_session_tickets off;

	# openssl dhparam -out dhparam.pem 2048
	ssl_dhparam /etc/nginx/dhparam.pem;
	ssl_protocols TLSv1.1 TLSv1.2;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
	ssl_prefer_server_ciphers on;
	add_header Strict-Transport-Security max-age=15768000;
	ssl_stapling on;
	ssl_stapling_verify on;
	## verify chain of trust of OCSP response using Root CA and Intermediate certs
	#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
	#ssl_trusted_certificate /etc/letsencrypt/live/git.pib.by/chain.pem;
	resolver 8.8.8.8 8.8.4.4 valid=86400;
	resolver_timeout 10;


	location / {
	# First attempt to serve request as file, then
	# as directory, then fall back to index.html
		try_files $uri $uri/ /index.html;
	}

	charset utf-8;
	error_page 404 /404.html;

	# redirect server error pages to the static page /50x.html
	error_page 500 502 503 504 /50x.html;
	location = /50x.html {
		root /usr/share/nginx/www;
	}

	location ~* \.html$ {
		expires -1;
	}

	# This block will catch static file requests, such as images, css, js
	# The ?: prefix is a 'non-capturing' mark, meaning we do not require
	# the pattern to be captured into $1 which should help improve performance
	location ~* \.(?:ico|css|js|gif|jpg|jpeg|png|woff|ttf|svg|eot|mp4)$ {
	# Some basic cache-control for static files to be sent to the browser
		expires 1M;
		add_header Cache-Control public;
		add_header Vary Accept-Encoding;
	}






}

# configuration file /etc/nginx/sites-enabled/git.pibby.com:
server { ## listen for ipv4; this line is default and implied
	root /var/www/git.pibby.com/public_html;
	index index.html;

	# Make site accessible from http://localhost/
	server_name git.pibby.com;

	access_log /var/log/nginx/access.git.pibby.com.log;
	error_log /var/log/nginx/error.git.pibby.com.log;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot






}
server {
    if ($host = git.pibby.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen   80;
	server_name git.pibby.com;
    return 404; # managed by Certbot


}
# configuration file /etc/nginx/sites-enabled/git.weallfalter.com:
server {
	listen 80;
	# listen on the www host
	server_name git.weallfalter.com;
	# and redirect to the non-www host (declared below)
	# return 301 $scheme://weallfalter.com$request_uri;
	location / {
		rewrite ^(.*)$ https://git.weallfalter.com$1 permanent;
	}
}

server {
	listen   443 http2; ## listen for ipv4; this line is default and implied
	#listen   443 ssl http2; ## listen for ipv4; this line is default and implied
	#listen   [::]:80 default ipv6only=on; ## listen for ipv6

	root /var/www/git.weallfalter.com/public_html;
	index index.html index.htm;

	# Make site accessible from http://localhost/
	server_name git.weallfalter.com;

	ssl on;
  ssl_certificate /etc/letsencrypt/live/git.weallfalter.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/git.weallfalter.com/privkey.pem;
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:50m;
	# modern configuration. tweak to your needs.
	ssl_protocols TLSv1.1 TLSv1.2;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
	ssl_prefer_server_ciphers on;
	#ssl_dhparam /etc/nginx/ssl/dhparams.pem;
	# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
	add_header Strict-Transport-Security max-age=15768000;

	# OCSP Stapling ---
	# fetch OCSP records from URL in ssl_certificate and cache them
	ssl_stapling on;
	ssl_stapling_verify on;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to index.html
		try_files $uri $uri/ /index.html;
	}

	location ~* \.html$ {
					expires -1;
	}

	# This block will catch static file requests, such as images, css, js
	# The ?: prefix is a 'non-capturing' mark, meaning we do not require
	# the pattern to be captured into $1 which should help improve performance
	location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
		# Some basic cache-control for static files to be sent to the browser
		expires 7d;
		add_header Pragma public;
		add_header Cache-Control "public, must-revalidate, proxy-revalidate";
	}

	# Specify a charset
	charset utf-8;
	error_page 404 /404.html;

  # redirect server error pages to the static page /50x.html
  #
  error_page 500 502 503 504 /50x.html;
  location = /50x.html {
    root /usr/share/nginx/www;
  }

  # deny access to .htaccess files, if Apache's document root
  # concurs with nginx's one
  #
  #location ~ /\.ht {
  # deny all;
  #}
}

# configuration file /etc/nginx/sites-enabled/katieharron.com:
server { ## listen for ipv4; this line is default and implied
	root /var/www/katieharron.com/public_html;
	index index.html;

	# Make site accessible from http://localhost/
	server_name katieharron.com www.katieharron.com;

	access_log /var/log/nginx/access.katieharron.com.log;
	error_log /var/log/nginx/error.katieharron.com.log;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot



    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    # Redirect non-https traffic to https
    # if ($scheme != "https") {
    #     return 301 https://$host$request_uri;
    # } # managed by Certbot











}
server {
    if ($host = www.katieharron.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = katieharron.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen   80;
	server_name katieharron.com www.katieharron.com;
    return 404; # managed by Certbot




}

#12
# configuration file /etc/nginx/sites-enabled/milton.pibby.com:
server { ## listen for ipv4; this line is default and implied
	#listen   [::]:80 default ipv6only=on; ## listen for ipv6

	root /var/www/milton.pibby.com/public_html;
	index index.html index.htm;

	# Make site accessible from http://localhost/
	server_name milton.pibby.com;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to index.html
		try_files $uri $uri/ /index.html;
	}

	location ~* \.html$ {
					expires -1;
	}

	# This block will catch static file requests, such as images, css, js
	# The ?: prefix is a 'non-capturing' mark, meaning we do not require
	# the pattern to be captured into $1 which should help improve performance
	location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
		# Some basic cache-control for static files to be sent to the browser
		expires 7d;
		add_header Pragma public;
		add_header Cache-Control "public, must-revalidate, proxy-revalidate";
	}

	error_page 404 /404.html;

	# redirect server error pages to the static page /50x.html
	#
	error_page 500 502 503 504 /50x.html;
	location = /50x.html {
		root /usr/share/nginx/www;
	}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot






}
server {
    if ($host = milton.pibby.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen   80;
	server_name milton.pibby.com;
    return 404; # managed by Certbot


}
# configuration file /etc/nginx/sites-enabled/pib.by:
server { ## listen for ipv4; this line is default and implied
	root /var/www/pib.by/public_html;
	index index.html;

	# Make site accessible from http://localhost/
	server_name pib.by www.pib.by;

	access_log /var/log/nginx/access.pib.by.log;
	error_log /var/log/nginx/error.pib.by.log;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot



    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    # Redirect non-https traffic to https
    # if ($scheme != "https") {
    #     return 301 https://$host$request_uri;
    # } # managed by Certbot


}
server {
    if ($host = www.pib.by) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = pib.by) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen   80;
	server_name pib.by www.pib.by;
    return 404; # managed by Certbot




}
# configuration file /etc/nginx/sites-enabled/pibby.com:
server { ## listen for ipv4; this line is default and implied
	root /var/www/pibby.com/_site;
	index index.html;

	# Make site accessible from http://localhost/
	server_name pibby.com www.pibby.com;

	access_log /var/log/nginx/access.pibby.com.log;
	error_log /var/log/nginx/error.pibby.com.log;

    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot



    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    # Redirect non-https traffic to https
    # if ($scheme != "https") {
    #     return 301 https://$host$request_uri;
    # } # managed by Certbot


}
server {
    if ($host = www.pibby.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = pibby.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen   80;
	server_name pibby.com www.pibby.com;
    return 404; # managed by Certbot
}
# configuration file /etc/nginx/sites-enabled/tea.pib.by:
server {
    if ($host = tea.pib.by) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen 80;
	# listen on the www host
	server_name tea.pib.by;
	# and redirect to the non-www host (declared below)
	# return 301 $scheme://twt.pib.by$request_uri;
	location / {
		return 301 https://$host$request_uri;
	}

    # Redirect non-https traffic to https
    # if ($scheme != "https") {
    #     return 301 https://$host$request_uri;
    # } # managed by Certbot



}
server {
	#listen 80;
	listen 443 http2;
	#listen 443 ssl http2;
	root /var/www/tea.pib.by/public_html;
	index index.html index.htm;

	server_name tea.pib.by;

	ssl on;
    ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot

	ssl_session_timeout 1d;
	#ssl_session_cache shared:SSL:10m;
	#ssl_session_tickets off;

	# openssl dhparam -out dhparam.pem 2048
	ssl_dhparam /etc/nginx/dhparam.pem;
	ssl_protocols TLSv1.1 TLSv1.2;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
	ssl_prefer_server_ciphers on;
	add_header Strict-Transport-Security max-age=15768000;
	ssl_stapling on;
	ssl_stapling_verify on;
	## verify chain of trust of OCSP response using Root CA and Intermediate certs
	#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
	ssl_trusted_certificate /etc/letsencrypt/live/weallfalter.com/chain.pem;
	resolver 8.8.8.8 8.8.4.4 valid=86400;
	resolver_timeout 10;

	location / {
		proxy_pass       http://localhost:9696;
		proxy_set_header Host      $host;
		proxy_set_header X-Real-IP $remote_addr;
	}

	charset utf-8;
	error_page 404 /404.html;

	# redirect server error pages to the static page /50x.html
	error_page 500 502 503 504 /50x.html;
	location = /50x.html {
		root /usr/share/nginx/www;
	}

	location ~* \.html$ {
		expires -1;
	}
	client_max_body_size 10M; # Allow files up to 10MB






}

# configuration file /etc/nginx/sites-enabled/test.pibby.com:
server { ## listen for ipv4; this line is default and implied
	#listen   [::]:80 default ipv6only=on; ## listen for ipv6

	root /var/www/test.pibby.com/public_html;
	index index.html index.htm;

	# Make site accessible from http://localhost/
	server_name test.pibby.com;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to index.html
		try_files $uri $uri/ /index.html;
	}

	location ~* \.html$ {
					expires -1;
	}

	# This block will catch static file requests, such as images, css, js
	# The ?: prefix is a 'non-capturing' mark, meaning we do not require
	# the pattern to be captured into $1 which should help improve performance
	location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
		# Some basic cache-control for static files to be sent to the browser
		expires 7d;
		add_header Pragma public;
		add_header Cache-Control "public, must-revalidate, proxy-revalidate";
	}

	error_page 404 /404.html;

	# redirect server error pages to the static page /50x.html
	#
	error_page 500 502 503 504 /50x.html;
	location = /50x.html {
		root /usr/share/nginx/www;
	}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}

	access_log /var/log/nginx/access.test.pibby.com.log;
	error_log /var/log/nginx/error.test.pibby.com.log;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot






}
server {
    if ($host = test.pibby.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen   80;
	server_name test.pibby.com;
    return 404; # managed by Certbot


}
# configuration file /etc/nginx/sites-enabled/twt.pib.by:
server {
    if ($host = twt.pib.by) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen 80;
	# listen on the www host
	server_name twt.pib.by;
	# and redirect to the non-www host (declared below)
	# return 301 $scheme://twt.pib.by$request_uri;
	location / {
		return 301 https://$host$request_uri;
	}

    # Redirect non-https traffic to https
    # if ($scheme != "https") {
    #     return 301 https://$host$request_uri;
    # } # managed by Certbot



}
server {
	#listen 80;
	listen 443 http2;

	root /var/www/twt.pib.by/public_html;
	index index.html index.htm;

	# Make site accessible from http://localhost/
	#server_name 172.245.57.115;
	server_name twt.pib.by;
	ssl on;
    ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot

	ssl_session_timeout 1d;
	#ssl_session_cache shared:SSL:10m;
	#ssl_session_tickets off;

	# openssl dhparam -out dhparam.pem 2048
	ssl_dhparam /etc/nginx/dhparam.pem;
	ssl_protocols TLSv1.1 TLSv1.2;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
	ssl_prefer_server_ciphers on;
	add_header Strict-Transport-Security max-age=15768000;
	ssl_stapling on;
	ssl_stapling_verify on;
	## verify chain of trust of OCSP response using Root CA and Intermediate certs
	#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
	ssl_trusted_certificate /etc/letsencrypt/live/weallfalter.com/chain.pem;
	resolver 8.8.8.8 8.8.4.4 valid=86400;
	resolver_timeout 10;

	location / {
		proxy_pass       http://localhost:9494;
		proxy_set_header Host      $host;
		proxy_set_header X-Real-IP $remote_addr;
	}

	charset utf-8;
	error_page 404 /404.html;

	# redirect server error pages to the static page /50x.html
	error_page 500 502 503 504 /50x.html;
	location = /50x.html {
		root /usr/share/nginx/www;
	}

	location ~* \.html$ {
		expires -1;
	}

	# This block will catch static file requests, such as images, css, js
	# The ?: prefix is a 'non-capturing' mark, meaning we do not require
	# the pattern to be captured into $1 which should help improve performance
	location ~* \.(?:ico|css|js|gif|jpg|jpeg|png|woff|ttf|svg|eot|mp4)$ {
	# Some basic cache-control for static files to be sent to the browser
		expires 1M;
		add_header Cache-Control public;
		add_header Vary Accept-Encoding;
	}






}

# configuration file /etc/nginx/sites-enabled/weallfalter.com:
server {
	listen 80;
	# listen on the www host
	server_name weallfalter.com www.weallfalter.com;
	# and redirect to the non-www host (declared below)
	# return 301 $scheme://weallfalter.com$request_uri;
	location / {
		rewrite ^(.*)$ https://weallfalter.com$1 permanent;
	}
}
server {
	listen   443 http2; ## listen for ipv4; this line is default and implied
	#listen   443 ssl http2; ## listen for ipv4; this line is default and implied
	#listen   [::]:80 default ipv6only=on; ## listen for ipv6

	root /var/www/weallfalter.com/public_html;
	index index.html index.htm;

	# Make site accessible from http://localhost/
	server_name weallfalter.com;

	ssl on;
  ssl_certificate /etc/letsencrypt/live/weallfalter.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/weallfalter.com/privkey.pem;
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:50m;
	# modern configuration. tweak to your needs.
	ssl_protocols TLSv1.1 TLSv1.2;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
	ssl_prefer_server_ciphers on;
	#ssl_dhparam /etc/nginx/ssl/dhparams.pem;
	# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
	add_header Strict-Transport-Security max-age=15768000;

	# OCSP Stapling ---
	# fetch OCSP records from URL in ssl_certificate and cache them
	ssl_stapling on;
	ssl_stapling_verify on;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to index.html
		try_files $uri $uri/ /index.html;
	}

	location ~* \.html$ {
					expires -1;
	}

	# This block will catch static file requests, such as images, css, js
	# The ?: prefix is a 'non-capturing' mark, meaning we do not require
	# the pattern to be captured into $1 which should help improve performance
	location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
		# Some basic cache-control for static files to be sent to the browser
		expires 30d;
		add_header Pragma public;
		add_header Cache-Control "public, must-revalidate, proxy-revalidate";
	}

	# Specify a charset
	charset utf-8;
	error_page 404 /404.html;

  # redirect server error pages to the static page /50x.html
  #
  error_page 500 502 503 504 /50x.html;
  location = /50x.html {
    root /usr/share/nginx/www;
  }

  # deny access to .htaccess files, if Apache's document root
  # concurs with nginx's one
  #
  #location ~ /\.ht {
  # deny all;
  #}

	access_log /var/log/nginx/access.weallfalter.com.log;
	error_log /var/log/nginx/error.weallfalter.com.log;
}

# configuration file /etc/nginx/sites-enabled/work.pibby.com:
server { ## listen for ipv4; this line is default and implied

	root /var/www/work.pibby.com/public_html;
	index index.html index.htm;

	# Make site accessible from http://localhost/
	server_name work.pibby.com;

	location / {
		proxy_pass http://localhost:4000;
		#auth_basic "Restricted";
		#auth_basic_user_file /etc/nginx/.htpasswd;
	}

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot






}
server {
    if ($host = work.pibby.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen   80;
	server_name work.pibby.com;
    return 404; # managed by Certbot


}
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 15;
	types_hash_max_size 2048;
	server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##
	ssl_session_cache shared:SSL:50m;
	ssl_session_timeout 10m;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers on;
	#ssl_buffer_size 8k;
	#ssl_session_tickets on;

	##
	# Logging Settings
	##

	#access_log /var/log/nginx/access.log;
	access_log off;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;
	gzip_disable "msie6";

	gzip_vary on;
	gzip_proxied any;
	gzip_comp_level 3;
	gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
	# Compress all output labeled with one of the following MIME-types.
	gzip_types
		application/atom+xml
		application/javascript
		application/x-javascript
		application/json
		application/rss+xml
		application/vnd.ms-fontobject
		application/x-font-ttf
		application/x-web-app-manifest+json
		application/xhtml+xml
		application/xml
		font/opentype
		image/svg+xml
		image/x-icon
		text/css
		text/plain
		text/x-component;

	##
	# nginx-naxsi config
	##
	# Uncomment it if you installed nginx-naxsi
	##

	#include /etc/nginx/naxsi_core.rules;

	##
	# nginx-passenger config
	##
	# Uncomment it if you installed nginx-passenger
	##
	
	#passenger_root /usr;
	#passenger_ruby /usr/bin/ruby;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}

#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
# 
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}


#13
# configuration file /etc/nginx/mime.types:

types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;

    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;

    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;

    font/woff                                        woff;
    font/woff2                                       woff2;

    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xspf+xml                             xspf;
    application/zip                                  zip;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;

    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}
# configuration file /etc/nginx/conf.d/default.conf:
server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/log/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}

# configuration file /etc/nginx/sites-enabled/a.pibby.com:
# You may add here your
# server {
#	...
# }
# statements for each of your virtual hosts to this file

##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

server {

	root /var/www/a.pibby.com/public_html;
	index index.html index.htm;

	# Make site accessible from http://localhost/
	server_name a.pibby.com;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
		# Uncomment to enable naxsi on this location
		# include /etc/nginx/naxsi.rules
	}

	# Only for nginx-naxsi used with nginx-naxsi-ui : process denied requests
	#location /RequestDenied {
	#	proxy_pass http://127.0.0.1:8080;    
	#}

	#error_page 404 /404.html;

	# redirect server error pages to the static page /50x.html
	#
	#error_page 500 502 503 504 /50x.html;
	#location = /50x.html {
	#	root /usr/share/nginx/html;
	#}

	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
	#
	#location ~ \.php$ {
	#	fastcgi_split_path_info ^(.+\.php)(/.+)$;
	#	# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
	#
	#	# With php5-cgi alone:
	#	fastcgi_pass 127.0.0.1:9000;
	#	# With php5-fpm:
	#	fastcgi_pass unix:/var/run/php5-fpm.sock;
	#	fastcgi_index index.php;
	#	include fastcgi_params;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot






}


# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
#	listen 8000;
#	listen somename:8080;
#	server_name somename alias another.alias;
#	root html;
#	index index.html index.htm;
#
#	location / {
#		try_files $uri $uri/ =404;
#	}
#}


# HTTPS server
#
#server {
#	listen 443;
#	server_name localhost;
#
#	root html;
#	index index.html index.htm;
#
#	ssl on;
#	ssl_certificate cert.pem;
#	ssl_certificate_key cert.key;
#
#	ssl_session_timeout 5m;
#
#	ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
#	ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
#	ssl_prefer_server_ciphers on;
#
#	location / {
#		try_files $uri $uri/ =404;
#	}
#}


server {
    if ($host = a.pibby.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen 80 default_server;
	listen [::]:80 default_server ipv6only=on;
	server_name a.pibby.com;
    return 404; # managed by Certbot


}
# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";

# configuration file /etc/nginx/sites-enabled/bio.pibby.com:
server { ## listen for ipv4; this line is default and implied
	#listen   [::]:80 default ipv6only=on; ## listen for ipv6

	root /var/www/bio.pibby.com/public_html;
	index index.html index.htm;

	# Make site accessible from http://localhost/
	server_name bio.pibby.com;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to index.html
		try_files $uri $uri/ /index.html;
	}

        location ~* \.html$ {
                expires -1;
        }

	# This block will catch static file requests, such as images, css, js
	# The ?: prefix is a 'non-capturing' mark, meaning we do not require
	# the pattern to be captured into $1 which should help improve performance
	location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
		# Some basic cache-control for static files to be sent to the browser
		expires 7d;
		add_header Pragma public;
		add_header Cache-Control "public, must-revalidate, proxy-revalidate";
	}

	error_page 404 /404.html;

	# redirect server error pages to the static page /50x.html
	#
	error_page 500 502 503 504 /50x.html;
	location = /50x.html {
		root /usr/share/nginx/www;
	}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot
}
server {
    if ($host = bio.pibby.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen   80;
	server_name bio.pibby.com;
    return 404; # managed by Certbot


}
# configuration file /etc/nginx/sites-enabled/dev.pibby.com:
server {
	server_name dev.pibby.com;
	return 301 $scheme://pibby.com$request_uri;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


    # Redirect non-https traffic to https
    # if ($scheme != "https") {
    #     return 301 https://$host$request_uri;
    # } # managed by Certbot

}
server {
    if ($host = dev.pibby.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen 80;
	server_name dev.pibby.com;
    return 404; # managed by Certbot


}

# configuration file /etc/nginx/sites-enabled/git.pibby.com:
server { ## listen for ipv4; this line is default and implied
	root /var/www/git.pibby.com/public_html;
	index index.html;

	# Make site accessible from http://localhost/
	server_name git.pibby.com;

	access_log /var/log/nginx/access.git.pibby.com.log;
	error_log /var/log/nginx/error.git.pibby.com.log;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot

}
server {
    if ($host = git.pibby.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen   80;
	server_name git.pibby.com;
    return 404; # managed by Certbot


}

# configuration file /etc/nginx/sites-enabled/katieharron.com:
server { ## listen for ipv4; this line is default and implied
	root /var/www/katieharron.com/public_html;
	index index.html;

	# Make site accessible from http://localhost/
	server_name katieharron.com www.katieharron.com;

	access_log /var/log/nginx/access.katieharron.com.log;
	error_log /var/log/nginx/error.katieharron.com.log;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot



    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    # Redirect non-https traffic to https
    # if ($scheme != "https") {
    #     return 301 https://$host$request_uri;
    # } # managed by Certbot

}
server {
    if ($host = www.katieharron.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = katieharron.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen   80;
	server_name katieharron.com www.katieharron.com;
    return 404; # managed by Certbot




}
# configuration file /etc/nginx/sites-enabled/milton.pibby.com:
server { ## listen for ipv4; this line is default and implied
	#listen   [::]:80 default ipv6only=on; ## listen for ipv6

	root /var/www/milton.pibby.com/public_html;
	index index.html index.htm;

	# Make site accessible from http://localhost/
	server_name milton.pibby.com;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to index.html
		try_files $uri $uri/ /index.html;
	}

	location ~* \.html$ {
					expires -1;
	}

	# This block will catch static file requests, such as images, css, js
	# The ?: prefix is a 'non-capturing' mark, meaning we do not require
	# the pattern to be captured into $1 which should help improve performance
	location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
		# Some basic cache-control for static files to be sent to the browser
		expires 7d;
		add_header Pragma public;
		add_header Cache-Control "public, must-revalidate, proxy-revalidate";
	}

	error_page 404 /404.html;

	# redirect server error pages to the static page /50x.html
	#
	error_page 500 502 503 504 /50x.html;
	location = /50x.html {
		root /usr/share/nginx/www;
	}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot






}
server {
    if ($host = milton.pibby.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen   80;
	server_name milton.pibby.com;
    return 404; # managed by Certbot


}
# configuration file /etc/nginx/sites-enabled/pib.by:
server { ## listen for ipv4; this line is default and implied
	root /var/www/pib.by/public_html;
	index index.html;

	# Make site accessible from http://localhost/
	server_name pib.by www.pib.by;

	access_log /var/log/nginx/access.pib.by.log;
	error_log /var/log/nginx/error.pib.by.log;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot



    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    # Redirect non-https traffic to https
    # if ($scheme != "https") {
    #     return 301 https://$host$request_uri;
    # } # managed by Certbot


}
server {
    if ($host = www.pib.by) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = pib.by) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen   80;
	server_name pib.by www.pib.by;
    return 404; # managed by Certbot




}
# configuration file /etc/nginx/sites-enabled/pibby.com:
server { ## listen for ipv4; this line is default and implied
	root /var/www/pibby.com/_site;
	index index.html;

	# Make site accessible from http://localhost/
	server_name pibby.com www.pibby.com;

	access_log /var/log/nginx/access.pibby.com.log;
	error_log /var/log/nginx/error.pibby.com.log;

    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot



    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    # Redirect non-https traffic to https
    # if ($scheme != "https") {
    #     return 301 https://$host$request_uri;
    # } # managed by Certbot


}
server {
    if ($host = www.pibby.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = pibby.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen   80;
	server_name pibby.com www.pibby.com;
    return 404; # managed by Certbot
}
# configuration file /etc/nginx/sites-enabled/tea.pib.by:
server {
    if ($host = tea.pib.by) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen 80;
	# listen on the www host
	server_name tea.pib.by;
	# and redirect to the non-www host (declared below)
	# return 301 $scheme://twt.pib.by$request_uri;
	location / {
		return 301 https://$host$request_uri;
	}

    # Redirect non-https traffic to https
    # if ($scheme != "https") {
    #     return 301 https://$host$request_uri;
    # } # managed by Certbot

}
server {
	#listen 80;
	listen 443 ssl http2;
	root /var/www/tea.pib.by/public_html;
	index index.html index.htm;

	server_name tea.pib.by;

	#ssl on;
    ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot

	ssl_session_timeout 1d;
	#ssl_session_cache shared:SSL:10m;
	#ssl_session_tickets off;

	# openssl dhparam -out dhparam.pem 2048
	ssl_dhparam /etc/nginx/dhparam.pem;
	ssl_protocols TLSv1.1 TLSv1.2;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
	ssl_prefer_server_ciphers on;
	add_header Strict-Transport-Security max-age=15768000;
	ssl_stapling on;
	ssl_stapling_verify on;
	## verify chain of trust of OCSP response using Root CA and Intermediate certs
	#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
	ssl_trusted_certificate /etc/letsencrypt/live/weallfalter.com/chain.pem;
	resolver 8.8.8.8 8.8.4.4 valid=86400;
	resolver_timeout 10;

	location / {
		proxy_pass       http://localhost:9696;
		proxy_set_header Host      $host;
		proxy_set_header X-Real-IP $remote_addr;
	}

	charset utf-8;
	error_page 404 /404.html;

	# redirect server error pages to the static page /50x.html
	error_page 500 502 503 504 /50x.html;
	location = /50x.html {
		root /usr/share/nginx/www;
	}

	location ~* \.html$ {
		expires -1;
	}
	client_max_body_size 10M; # Allow files up to 10MB
}

# configuration file /etc/nginx/sites-enabled/test.pibby.com:
server { ## listen for ipv4; this line is default and implied
	#listen   [::]:80 default ipv6only=on; ## listen for ipv6

	root /var/www/test.pibby.com/public_html;
	index index.html index.htm;

	# Make site accessible from http://localhost/
	server_name test.pibby.com;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to index.html
		try_files $uri $uri/ /index.html;
	}

	location ~* \.html$ {
					expires -1;
	}

	# This block will catch static file requests, such as images, css, js
	# The ?: prefix is a 'non-capturing' mark, meaning we do not require
	# the pattern to be captured into $1 which should help improve performance
	location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
		# Some basic cache-control for static files to be sent to the browser
		expires 7d;
		add_header Pragma public;
		add_header Cache-Control "public, must-revalidate, proxy-revalidate";
	}

	error_page 404 /404.html;

	# redirect server error pages to the static page /50x.html
	#
	error_page 500 502 503 504 /50x.html;
	location = /50x.html {
		root /usr/share/nginx/www;
	}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}

	access_log /var/log/nginx/access.test.pibby.com.log;
	error_log /var/log/nginx/error.test.pibby.com.log;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot

}
server {
    if ($host = test.pibby.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen   80;
	server_name test.pibby.com;
    return 404; # managed by Certbot


}
# configuration file /etc/nginx/sites-enabled/twt.pib.by:
server {
    if ($host = twt.pib.by) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen 80;
	# listen on the www host
	server_name twt.pib.by;
	# and redirect to the non-www host (declared below)
	# return 301 $scheme://twt.pib.by$request_uri;
	location / {
		return 301 https://$host$request_uri;
	}

    # Redirect non-https traffic to https
    # if ($scheme != "https") {
    #     return 301 https://$host$request_uri;
    # } # managed by Certbot



}
server {
	#listen 80;
	listen 443 http2;

	root /var/www/twt.pib.by/public_html;
	index index.html index.htm;

	# Make site accessible from http://localhost/
	#server_name 172.245.57.115;
	server_name twt.pib.by;
	#ssl on;
    ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot

	ssl_session_timeout 1d;
	#ssl_session_cache shared:SSL:10m;
	#ssl_session_tickets off;

	# openssl dhparam -out dhparam.pem 2048
	ssl_dhparam /etc/nginx/dhparam.pem;
	ssl_protocols TLSv1.1 TLSv1.2;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
	ssl_prefer_server_ciphers on;
	add_header Strict-Transport-Security max-age=15768000;
	ssl_stapling on;
	ssl_stapling_verify on;
	## verify chain of trust of OCSP response using Root CA and Intermediate certs
	#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
	ssl_trusted_certificate /etc/letsencrypt/live/weallfalter.com/chain.pem;
	resolver 8.8.8.8 8.8.4.4 valid=86400;
	resolver_timeout 10;

	location / {
		proxy_pass       http://localhost:9494;
		proxy_set_header Host      $host;
		proxy_set_header X-Real-IP $remote_addr;
	}

	charset utf-8;
	error_page 404 /404.html;

	# redirect server error pages to the static page /50x.html
	error_page 500 502 503 504 /50x.html;
	location = /50x.html {
		root /usr/share/nginx/www;
	}

	location ~* \.html$ {
		expires -1;
	}

	# This block will catch static file requests, such as images, css, js
	# The ?: prefix is a 'non-capturing' mark, meaning we do not require
	# the pattern to be captured into $1 which should help improve performance
	location ~* \.(?:ico|css|js|gif|jpg|jpeg|png|woff|ttf|svg|eot|mp4)$ {
	# Some basic cache-control for static files to be sent to the browser
		expires 1M;
		add_header Cache-Control public;
		add_header Vary Accept-Encoding;
	}
}

# configuration file /etc/nginx/sites-enabled/work.pibby.com:
server { ## listen for ipv4; this line is default and implied

	root /var/www/work.pibby.com/public_html;
	index index.html index.htm;

	# Make site accessible from http://localhost/
	server_name work.pibby.com;

	location / {
		proxy_pass http://localhost:4000;
		#auth_basic "Restricted";
		#auth_basic_user_file /etc/nginx/.htpasswd;
	}

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot

}
server {
    if ($host = work.pibby.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

	listen   80;
	server_name work.pibby.com;
    return 404; # managed by Certbot
}

#14

No, using nginx here.


#15

That’s the only thing I can see that looks like it would redirect to pibby.com specifically, as opposed to whatever $host happens to be. I don’t see why that server block would be selected, though. Maybe one of the nginx experts here can chime in with some insight…


#16

I don’t use nginx. But there are warnings, that the if - statement is difficult.

If Is Evil

https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/

How nginx “location if” works

There is a sample, which looks really bad:

Case 4

location /proxy {
set $a 32;
if ($a = 32) {
return 404;
}
set $a 76;
proxy_pass http://127.0.0.1:$server_port/$a;
more_set_headers “X-Foo: $a”;
}

location ~ /(\d+) {
echo $1;
}

Here, ngx_header_more’s more_set_headers will also be inherited by the implicit location created by the “if” block. So you will get:

$ curl localhost/proxy
HTTP/1.1 404 Not Found
Server: nginx/0.8.54 (without pool)
Date: Mon, 14 Feb 2011 05:24:00 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
X-Foo: 32

So the return statement doesn’t stop the execution -->> add a break after the lines with return 301.


#17

I didn’t add the Ifs, letsencrypt-auto did. Adding a break after the return 301 doesn’t seem to do anything.


#18

There is an “if scheme not https” check inside a “listen 443 ssl” block.
That should never be hit - you should remove it.


#19

Hi @pibby,

You said you are using nginx/1.15.2 which is the last development version… (if this is a production server you should use the stable version)… anyway, you ran nginx -T and you didn’t receive any error nor warning message:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

You are using ssl on; on several server blocks but ssl directive is deprecated in nginx version 1.15.x so you should have several warning messages saying this:

nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/sites-enabled/xxxxxx.conf:xxx

So, or you didn’t copy the entire output of nginx -T or you are not using nginx 1.15.2.

How did you install nginx 1.15.2 on Ubuntu 14.04.5 ?.

I’m really curious about your redirection issues and I tried to reproduce them using the conf you have posted but I can’t reproduce them, it is working fine here. Could you please package the entire nginx directory and upload it somewhere or put it in some of your working domains like milton?

tar zcvf /var/www/milton.pibby.com/public_html/nginx-pibby.tar.gz /etc/nginx/

I’ll check tomorrow, it’s time for bed here.

Cheers,
sahsanu


#20

IME mainline is safe to use in production, it’s not like running from trunk/master.