From 85b96a33aa38437f5a4ca668373a1258f2dee2fa Mon Sep 17 00:00:00 2001
From: "John D. Rowell"
Date: Sat, 29 Jul 2017 14:27:51 -0300
Subject: [PATCH] The ACME spec says that http validation should be done via http, not https.
---
 nginx/nginx.conf.default | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/nginx/nginx.conf.default b/nginx/nginx.conf.default
index 797df0a9..1e2fb4ae 100644
--- a/nginx/nginx.conf.default
+++ b/nginx/nginx.conf.default
@@ -26,8 +26,19 @@ http {
 server {
 listen 80;
- listen 443 ssl;
 listen [::]:80;
+
+ location /.well-known/acme-challenge {
+ proxy_pass http://admin:8081;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+ }
+
+ server {
+ listen 443 ssl;
 listen [::]:443 ssl;
 # TLS configuration hardened according to:
@@ -43,10 +54,6 @@ http {
 add_header Strict-Transport-Security max-age=15768000;
- if ($scheme = http) {
- return 301 https://$host$request_uri;
- }
-
 # Load Lua variables
 set_by_lua $webmail 'return os.getenv("WEBMAIL")';
 set_by_lua $webdav 'return os.getenv("WEBDAV")';
@@ -93,9 +100,5 @@ http {
 return 403;
 }
 }
-
- location /.well-known/acme-challenge {
- proxy_pass http://admin:8081;
- }
 }
 }
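Review bot: The catch-all redirect in the new port-80 server, `return 301 https://$host$request_uri;`, copies the client-supplied Host header into the Location target, so any request reaching port 80 with an arbitrary Host is sent off-site; the removed `if ($scheme = http)` block had the same behaviour, but after the split this plain-HTTP server is the natural place to pin it down. Prefer a configured name, e.g. `return 301 https://$server_name$request_uri;` paired with a `server_name` directive in that block, or the hostname the file already reads from the environment via set_by_lua if one exists (inferred — no such variable is visible in this hunk). The ACME location itself looks right for HTTP-01: it has to answer on port 80 ahead of the catch-all, and nginx's longest-prefix matching makes that hold regardless of the order the two locations are written in. The enclosing `http {` block and the remainder of the new 443 server body lie outside the hunk.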