env/nginx/default.conf

vhost_traffic_status_zone;

log_format cache_log '$server_name $upstream_cache_status - '
	'$remote_addr [$time_local] '
	'"$request" $status $body_bytes_sent '
	'"$http_referer" "$http_user_agent" '
	'$upstream_response_time $request_time';
access_log /var/log/nginx/access.log cache_log;

server {
	listen 80 default_server;

	# this works on the docker container with http_stub built in
	# only allow from localhost
	location /nginx_status {
		stub_status on;
		access_log off;
		allow 127.0.0.1;
		deny all;
	}

	# this works with the vts module
        location /status {
		vhost_traffic_status_display;
		vhost_traffic_status_display_format html;
		access_log off;
		#allow 127.0.0.1;
		#deny all;
	}

	# forward certbot challenges to the certbot directory
	include /etc/nginx/includes/challenge.conf;

	# Redirect *all other* port 80 traffic to the same thing on port 443
	location / {
		return 301 https://$host$request_uri;
	}
}

server {
	# should send them to the main page
	location / {
		default_type text/html;
		return 404 '<html>
<body>
<h1>Unknown hostname "$host"</h1>
<p>Try <a href="https://${DOMAIN_NAME}/">${DOMAIN_NAME}</a> instead

<pre style="white-space: pre-wrap">
$request
Host: $host
Referer: $http_referer
User-Agent: $http_user_agent
Accept: $http_accept
</pre>
</body></html>
';
	}

	# this one can't include ssl.conf since it must be default server
	listen 443 ssl http2 default_server;
	ssl_certificate /etc/nginx/fullchain.pem;
	ssl_certificate_key /etc/nginx/privkey.pem;
	include /etc/nginx/includes/options-ssl-nginx.conf;
	include /etc/nginx/includes/challenge.conf;
	ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
}