From f999e3de083094816cb860da233cb474ffd1fc50 Mon Sep 17 00:00:00 2001
From: Wolfgang Jung
Date: Thu, 3 Sep 2020 23:13:40 +0200
Subject: [PATCH 1/2] Adds own server on port 80 for letsencrypt and redirect

---
 core/nginx/conf/nginx.conf | 26 +++++++++++++++++++++++---
 towncrier/newsfragments/1564.bugfix | 1 +
 2 files changed, 24 insertions(+), 3 deletions(-)
 create mode 100644 towncrier/newsfragments/1564.bugfix

diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 46db324f..924f978f 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -34,6 +34,25 @@ http {
 '' $scheme;
 }
 
+ {% if KUBERNETES_INGRESS != 'true' and TLS_FLAVOR in [ 'letsencrypt', 'cert' ] and not TLS_ERROR %}
+ # Enable the proxy for certbot if the flavor is letsencrypt and not on kubernetes
+ #
+ server {
+ # Listen over HTTP
+ listen 80;
+ listen [::]:80;
+ {% if TLS_FLAVOR == 'letsencrypt' %}
+ location ^~ /.well-known/acme-challenge/ {
+ proxy_pass http://127.0.0.1:8008;
+ }
+ {% endif %}
+ # redirect to https
+ location / {
+ return 301 https://$host$request_uri;
+ }
+ }
+ {% endif %}
+
 # Main HTTP server
 server {
 # Favicon stuff
@@ -48,9 +67,11 @@ http {
 set $webdav {{ WEBDAV_ADDRESS }};
 {% endif %}
 
- # Always listen over HTTP
+ # Listen on HTTP only in kubernetes or behind reverse proxy
+ {% if KUBERNETES_INGRESS == 'true' or TLS_FLAVOR in [ 'mail-letsencrypt', 'notls', 'mail' ] or TLS_ERROR %}
 listen 80;
 listen [::]:80;
+ {% endif %}
 
 # Only enable HTTPS if TLS is enabled with no error and not on kubernetes
 {% if KUBERNETES_INGRESS != 'true' and TLS and not TLS_ERROR %}
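Review bot: The catch-all `return 301 https://$host$request_uri;` in the new port-80 server builds its redirect target from `$host`, which nginx fills from the client's Host header (the server name is used only when the header is absent), so whatever hostname a client sends is reflected into the Location header; with no `server_name` on this block it is also the default server for any name that reaches port 80. If the template context carries the deployment's configured primary hostname, redirecting to that value instead of `$host` (or setting `server_name` and using `$server_name`) pins the target to the installation rather than to the request. The ACME location is unaffected because it never redirects. The enclosing `http {` block starts and ends outside the hunk.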
@@ -78,8 +99,7 @@ http {
 add_header X-XSS-Protection '1; mode=block';
 add_header Referrer-Policy 'same-origin';
 
- # In any case, enable the proxy for certbot if the flavor is letsencrypt and not on kubernetes
- {% if KUBERNETES_INGRESS != 'true' and TLS_FLAVOR in [ 'letsencrypt', 'mail-letsencrypt' ] %}
+ {% if TLS_FLAVOR == 'mail-letsencrypt' %}
 location ^~ /.well-known/acme-challenge/ {
 proxy_pass http://127.0.0.1:8008;
 }
diff --git a/towncrier/newsfragments/1564.bugfix b/towncrier/newsfragments/1564.bugfix
new file mode 100644
index 00000000..5c189b80
--- /dev/null
+++ b/towncrier/newsfragments/1564.bugfix
@@ -0,0 +1 @@
+Fixes certbot renewal

From 1f4e9165fa9aacbc39465ba956e95bdd6caf98c0 Mon Sep 17 00:00:00 2001
From: Wolfgang Jung
Date: Wed, 9 Sep 2020 21:35:08 +0200
Subject: [PATCH 2/2] Disables unencrypted http on TLS_ERROR

---
 core/nginx/conf/nginx.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 924f978f..a2b3d981 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -34,7 +34,7 @@ http {
 '' $scheme;
 }
 
- {% if KUBERNETES_INGRESS != 'true' and TLS_FLAVOR in [ 'letsencrypt', 'cert' ] and not TLS_ERROR %}
+ {% if KUBERNETES_INGRESS != 'true' and TLS_FLAVOR in [ 'letsencrypt', 'cert' ] %}
 # Enable the proxy for certbot if the flavor is letsencrypt and not on kubernetes
 #
 server {
@@ -68,7 +68,7 @@ http {
 {% endif %}
 
 # Listen on HTTP only in kubernetes or behind reverse proxy
- {% if KUBERNETES_INGRESS == 'true' or TLS_FLAVOR in [ 'mail-letsencrypt', 'notls', 'mail' ] or TLS_ERROR %}
+ {% if KUBERNETES_INGRESS == 'true' or TLS_FLAVOR in [ 'mail-letsencrypt', 'notls', 'mail' ] %}
 listen 80;
 listen [::]:80;
 {% endif %}
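Review bot: The replacement condition `{% if TLS_FLAVOR == 'mail-letsencrypt' %}` drops the `KUBERNETES_INGRESS != 'true'` guard that the removed line carried, so on a Kubernetes deployment using the mail-letsencrypt flavor the main server now proxies `/.well-known/acme-challenge/` to `127.0.0.1:8008`, which it did not before. If that widening is intended, the commit message should say so; otherwise the guard belongs back: `{% if KUBERNETES_INGRESS != 'true' and TLS_FLAVOR == 'mail-letsencrypt' %}`. The enclosing server block starts and ends outside the hunk.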
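Review bot: Removing `and not TLS_ERROR` from the redirect server's condition here, together with the matching removal in the `@@ -68,7 +68,7 @@` hunk, leaves the main server with no `listen` directive at all when TLS_ERROR is set for the letsencrypt or cert flavors, because its port-80 listener is now gated on the other flavors and its HTTPS listener is gated on `not TLS_ERROR` just outside the second hunk. nginx treats a server block without `listen` as listening on `*:80` when the master process runs as root (`*:8000` otherwise), so, assuming this container runs nginx as root, the main server would still bind port 80 behind the new redirect server rather than being disabled, and the redirect server's `return 301 https://...` now fires while nothing accepts HTTPS. Failing closed on a certificate error is sound; it would be clearer to make the intended TLS_ERROR state explicit in the template, for example with a comment on the first hunk such as `# On TLS_ERROR only the ACME challenge proxy is reachable; the main server is intentionally not exposed` and a `return 503;` location in the main server for that case instead of relying on nginx's implicit default listen. Both enclosing blocks start and end outside the hunks.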