From 9cd24aca9b87f23146cb1a6ae598d38016c3b8e6 Mon Sep 17 00:00:00 2001
From: Trammell Hudson
Date: Tue, 6 Dec 2022 19:25:51 +0000
Subject: [PATCH] nginx: handle unknown hostname with some style
---
nginx.yaml | 1 +
nginx/default.conf | 94 ++++++++--------------------------------------
nginx/www.conf | 85 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 101 insertions(+), 79 deletions(-)
create mode 100644 nginx/www.conf
diff --git a/nginx.yaml b/nginx.yaml
index 2599dcf..ea252c8 100644
--- a/nginx.yaml
+++ b/nginx.yaml
@@ -18,6 +18,7 @@ services: - ./nginx/etc/includes:/etc/nginx/includes:ro - ./nginx/etc/nginx.conf:/etc/nginx/nginx.conf:ro - ./nginx/default.conf:/etc/nginx/templates/default.conf.template:ro + - ./nginx/www.conf:/etc/nginx/templates/www.conf.template:ro - ./html:/var/www/html:ro - ./data/nginx/certbot/www:/var/www/certbot:ro - ./data/nginx/certbot/conf:/etc/letsencrypt:rw
diff --git a/nginx/default.conf b/nginx/default.conf
index 89ee2eb..bcb2d14 100644
--- a/nginx/default.conf
+++ b/nginx/default.conf
@@ -38,86 +38,22 @@ server { } server {
- #server_name ${DOMAIN_NAME} default;
- client_max_body_size 128m;
-
- sendfile on;
- tcp_nopush on;
- tcp_nodelay on;
- keepalive_timeout 65;
- types_hash_max_size 2048;
- #include /etc/nginx/mime.types;
- #default_type application/octet-stream;
-
- gzip on;
- gzip_disable "msie6";
-
- proxy_read_timeout 1800s;
-
- # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
- chunked_transfer_encoding on;
-
- # delegated Matrix server
- location /.well-known/matrix {
- #return 302 https://${MATRIX_HOSTNAME}.${DOMAIN_NAME}$request_uri;
- proxy_pass https://${MATRIX_HOSTNAME}.${DOMAIN_NAME}$request_uri;
- }
-
- # separate Mastodon WEB_DOMAIN and LOCAL_DOMAIN
- location = /.well-known/host-meta {
- return 302 https://${MASTODON_HOSTNAME}.${DOMAIN_NAME}$request_uri;
- }
- location = /.well-known/webfinger {
- return 302 https://${MASTODON_HOSTNAME}.${DOMAIN_NAME}$request_uri;
- }
-
- # OpenID services
- location = /.well-known/openid-configuration {
- return 302 https://${KEYCLOAK_HOSTNAME}.${DOMAIN_NAME}$request_uri;
- }
-
- # tilde club home directories
- location ~ ^/~(.+?)(/.*)?$ {
- alias /home/$1/public_html$2;
- index index.html index.htm;
- autoindex on;
- }
-
- # /html files are served from the static html site
- location /html {
- root /var/www;
- autoindex off;
- }
-
- # default home page goes to hedgedoc document "Main_Page"; please add your own content!
- location = / { - return 302 https://${DOMAIN_NAME}/Main_Page; - } - # rewrite /s/ links to the bare link - location ~ ^/s/(.*) { - return 302 https://${DOMAIN_NAME}/$1; - } - # normal pages go to hedgedoc static site (need to define ports in the env) - # need to rewrite the CSP so that it allows reframing from the main site + # should send them to the main page location / { - proxy_cache mycache; - add_header X-Cache-Status $upstream_cache_status; - proxy_ignore_headers Cache-Control; - - proxy_hide_header Content-Security-Policy; - add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.${DOMAIN_NAME}; frame-src 'self' *.${DOMAIN_NAME}; object-src 'self'; base-uri 'self' *.${DOMAIN_NAME}"; - proxy_pass http://hedgedoc:3000/s$request_uri; - proxy_cache_valid any 1m; - - } - # while javascript and config stuff goes to non-static hedgedoc site - location ~ ^/(js|build|config$) { - proxy_cache mycache; - add_header X-Cache-Status $upstream_cache_status; - proxy_ignore_headers Cache-Control; - proxy_cache_valid any 1m; - - proxy_pass http://hedgedoc:3000$request_uri; + default_type text/html; + return 200 ' + +

Unknown hostname "$host"

+Try ${DOMAIN_NAME} instead +
+$request
+Host: $host
+Referer: $http_referer
+User-Agent: $http_user_agent
+Accept: $http_accept
+
+ +'; } # this one can't include ssl.conf since it must be default server diff --git a/nginx/www.conf b/nginx/www.conf new file mode 100644 index 0000000..b062b67 --- /dev/null +++ b/nginx/www.conf 
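Review bot: The new `return 200 '...'` body in the catch-all server's `location /` reflects `$host`, `$request`, `$http_referer`, `$http_user_agent` and `$http_accept` verbatim into a response declared `default_type text/html;`, and nginx performs no HTML escaping on variables, so any of these client-supplied values can inject markup into the page the browser renders (the tags between the reflected lines appear to have been lost in this view, but the content type and the variables are visible). Because this is the default server, every one of those values is chosen by whoever sends the request. The smallest fix is `default_type text/plain;` so the echo is never interpreted as HTML, or drop the echoed request fields and keep only the "Try ${DOMAIN_NAME} instead" hint; a 404 or 421 status would also describe an unserved hostname more accurately than 200. The enclosing `server` block starts outside the hunk.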
@@ -0,0 +1,85 @@
+server {
+ server_name www www.${DOMAIN_NAME} ${DOMAIN_NAME};
+ client_max_body_size 128m;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ #include /etc/nginx/mime.types;
+ #default_type application/octet-stream;
+
+ gzip on;
+ gzip_disable "msie6";
+
+ proxy_read_timeout 1800s;
+
+ # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
+ chunked_transfer_encoding on;
+
+ # delegated Matrix server
+ location /.well-known/matrix {
+ #return 302 https://${MATRIX_HOSTNAME}.${DOMAIN_NAME}$request_uri;
+ proxy_pass https://${MATRIX_HOSTNAME}.${DOMAIN_NAME}$request_uri;
+ }
+
+ # separate Mastodon WEB_DOMAIN and LOCAL_DOMAIN
+ location = /.well-known/host-meta {
+ return 302 https://${MASTODON_HOSTNAME}.${DOMAIN_NAME}$request_uri;
+ }
+ location = /.well-known/webfinger {
+ return 302 https://${MASTODON_HOSTNAME}.${DOMAIN_NAME}$request_uri;
+ }
+
+ # OpenID services
+ location = /.well-known/openid-configuration {
+ return 302 https://${KEYCLOAK_HOSTNAME}.${DOMAIN_NAME}$request_uri;
+ }
+
+ # tilde club home directories
+ location ~ ^/~(.+?)(/.*)?$ {
+ alias /home/$1/public_html$2;
+ index index.html index.htm;
+ autoindex on;
+ }
+
+ # /html files are served from the static html site
+ location /html {
+ root /var/www;
+ autoindex off;
+ }
+
+ # default home page goes to hedgedoc document "Main_Page"; please add your own content!
+ location = / {
+ return 302 https://${DOMAIN_NAME}/Main_Page;
+ }
+ # rewrite /s/ links to the bare link
+ location ~ ^/s/(.*) {
+ return 302 https://${DOMAIN_NAME}/$1;
+ }
+ # normal pages go to hedgedoc static site (need to define ports in the env)
+ # need to rewrite the CSP so that it allows reframing from the main site
+ location / {
+ proxy_cache mycache;
+ add_header X-Cache-Status $upstream_cache_status;
+ proxy_ignore_headers Cache-Control;
+
+ proxy_hide_header Content-Security-Policy;
+ add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.${DOMAIN_NAME}; frame-src 'self' *.${DOMAIN_NAME}; object-src 'self'; base-uri 'self' *.${DOMAIN_NAME}";
+ proxy_pass http://hedgedoc:3000/s$request_uri;
+ proxy_cache_valid any 1m;
+
+ }
+ # while javascript and config stuff goes to non-static hedgedoc site
+ location ~ ^/(js|build|config$) {
+ proxy_cache mycache;
+ add_header X-Cache-Status $upstream_cache_status;
+ proxy_ignore_headers Cache-Control;
+ proxy_cache_valid any 1m;
+
+ proxy_pass http://hedgedoc:3000$request_uri;
+ }
+
+ include /etc/nginx/includes/ssl.conf;
+}
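Review bot: The `add_header X-Cache-Status` and `add_header Content-Security-Policy` lines inside `location /` and `location ~ ^/(js|build|config$)` replace, rather than extend, any `add_header` set at server level, because nginx inherits add_header from the enclosing level only when the current level declares none; if `/etc/nginx/includes/ssl.conf` (included at the bottom of this block, contents not visible here) sets headers such as Strict-Transport-Security that way, responses from these two locations will go out without them. Consider keeping the shared response headers in a snippet that is also included inside every location that declares its own `add_header`, and mark the hazard with a comment above those lines such as `# add_header here replaces the server-level header set (incl. ssl.conf); re-include shared headers`. Separately, `autoindex on;` under `alias /home/$1/public_html$2;` publishes a full listing of every user's public_html; if that is the intended tilde-club behaviour, a one-line comment saying so would spare the next reader the question.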