
@didnt1able
Forked from mburns/conf_d_default_conf
Created September 15, 2020 11:36
There is a top-level `nginx.conf`, and in `conf.d` there are a `default.conf` for HTTP and a `gateway.conf` for HTTPS. Some stanzas covering domain-specific redirects and legacy rewrite rules have been removed.
# conf.d/default.conf -- catch-all HTTP vhost. Any request on port 80 whose Host
# is not claimed by another server block lands here and is proxied to go-ipfs.
server {
    listen [::]:80 default_server;
    listen 80 default_server;
    server_name _;

    # CORS headers for browser clients; "always" keeps them on error responses too.
    add_header 'Access-Control-Allow-Origin' '*' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Range, Content-Range, X-Chunked-Output, X-Stream-Output' always;
    add_header 'Access-Control-Expose-Headers' 'Content-Range, X-Chunked-Output, X-Stream-Output' always;
    # Identifies the serving node (nginx machine hostname) to the client.
    add_header X-IPFS-POP $hostname always;

    location / {
        # Client-supplied Host is forwarded verbatim; no gateway prefix applies here.
        proxy_set_header Host $http_host;
        proxy_set_header X-Ipfs-Gateway-Prefix "";
        proxy_pass http://backend;
    }
}
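# Plain-HTTP vhost for the canonical gateway hostnames. Content and API paths
# are proxied unchanged; every other path is redirected to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name ipfs.io gateway.ipfs.io;

    # CORS headers for browser clients; "always" keeps them on error responses too.
    add_header 'Access-Control-Allow-Origin' '*' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Range, Content-Range, X-Chunked-Output, X-Stream-Output' always;
    add_header 'Access-Control-Expose-Headers' 'Content-Range, X-Chunked-Output, X-Stream-Output' always;
    # Identifies the serving node (nginx machine hostname) to the client.
    add_header X-IPFS-POP $hostname always;

    # /ipfs, /ipns and /api stay reachable over plain HTTP (no HTTPS redirect).
    # An empty proxy_set_header value makes nginx omit that header entirely, so
    # the upstream receives neither Host nor X-Ipfs-Gateway-Prefix.
    location ~ "^/(ipfs|ipns|api)(/|$)" {
        proxy_set_header Host "";
        proxy_set_header X-Ipfs-Gateway-Prefix "";
        proxy_pass http://backend;
    }

    # Everything else goes to HTTPS. $host is used instead of $http_host so a
    # Host header carrying ":80", or a request with no Host header at all, still
    # yields a valid https:// URL ($host falls back to the server name).
    location / {
        return 301 https://$host$request_uri;
    }
}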
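# conf.d/gateway.conf -- HTTPS vhost for the public gateway hostnames; the
# server_name list is rendered from the nginx_gateway_server_names variable.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name
    {% for domain in nginx_gateway_server_names %}
    {{ domain }}
    {% endfor %} ;

    # CORS, node identification and HSTS. nginx does not merge add_header
    # across levels: a location that declares its own add_header drops every
    # header set here, so such locations must repeat these lines.
    add_header 'Access-Control-Allow-Origin' '*' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Range, Content-Range, X-Chunked-Output, X-Stream-Output' always;
    add_header 'Access-Control-Expose-Headers' 'Content-Range, X-Chunked-Output, X-Stream-Output' always;
    add_header X-IPFS-POP $hostname always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    ssl_certificate /etc/nginx/gateway.crt;
    ssl_certificate_key /etc/nginx/gateway.key;
    # Only DHE suites consume this file; the ssl_ciphers list below is
    # ECDHE-only, so dhparam is loaded but takes no part in key exchange.
    ssl_dhparam /etc/nginx/dhparam.pem;
    # Chain used to validate the stapled OCSP response (ssl_stapling_verify).
    ssl_trusted_certificate /etc/nginx/trustchain.pem;
    # "ssl on;" dropped: obsolete, and the listen directives already carry "ssl".
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    # NOTE(review): session tickets remain enabled with nginx's default
    # (non-rotated) ticket key for the 1d session lifetime -- confirm whether
    # ssl_session_tickets off or an explicit rotated key is wanted.
    # TLSv1.1 removed (deprecated); TLSv1.3 added. TLSv1.3 suites are not
    # selected through ssl_ciphers, which only governs the TLSv1.2 list.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    # Required by ssl_stapling to resolve the OCSP responder hostname.
    resolver {{ dns_nameserver }};

    # $host (port stripped) rather than $http_host, so "archives.ipfs.io:443"
    # matches as well. A server-level "if" that only returns is safe to use.
    if ($host ~ ^archives\.ipfs\.io$) {
        return 307 https://awesome.ipfs.io/datasets/;
    }

    # Regex locations are tested in order and win over the prefix locations
    # (/refs/ and /) when they match.

    # Signed exchanges: replace the upstream Content-Type. No proxy_set_header
    # here, so the upstream gets nginx's default Host ($proxy_host). Because
    # add_header in this block replaces the server-level set, the CORS, POP and
    # HSTS headers are repeated so .sxg responses keep them.
    location ~ ^/(ipfs|ipns)/.*\.sxg$ {
        proxy_hide_header Content-Type;
        add_header Content-Type "application/signed-exchange;v=b3";
        add_header X-Content-Type-Options "nosniff";
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Range, Content-Range, X-Chunked-Output, X-Stream-Output' always;
        add_header 'Access-Control-Expose-Headers' 'Content-Range, X-Chunked-Output, X-Stream-Output' always;
        add_header X-IPFS-POP $hostname always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        proxy_pass http://backend;
    }

    # /refs/<path> is proxied as /<path> (rewrite ... break keeps the rewritten
    # URI for proxy_pass) under the refs.ipfs.io host, with the prefix reported
    # to the upstream via X-Ipfs-Gateway-Prefix.
    location /refs/ {
        rewrite "^/refs(/.*)$" $1 break;
        proxy_set_header Host refs.ipfs.io;
        proxy_set_header X-Ipfs-Gateway-Prefix /refs;
        proxy_pass http://backend;
    }

    # Content/API paths: an empty proxy_set_header value makes nginx omit the
    # header, so neither Host nor X-Ipfs-Gateway-Prefix reaches the upstream.
    location ~ "^/api(/|$)" {
        proxy_set_header Host "";
        proxy_set_header X-Ipfs-Gateway-Prefix "";
        proxy_pass http://backend;
    }

    location ~ "^/ipfs(/|$)" {
        proxy_set_header Host "";
        proxy_set_header X-Ipfs-Gateway-Prefix "";
        proxy_pass http://backend;
    }

    location ~ "^/ipns(/|$)" {
        proxy_set_header Host "";
        proxy_set_header X-Ipfs-Gateway-Prefix "";
        proxy_pass http://backend;
    }

    # Anything else: forward with the client's Host intact.
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Ipfs-Gateway-Prefix "";
        proxy_pass http://backend;
    }
}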
# nginx.conf -- main context.
user www-data;                              # account the worker processes run as
worker_processes auto;                      # one worker per available CPU
worker_rlimit_nofile 65535;                 # per-worker open-file limit
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;  # dynamically loaded modules
events {
    # Simultaneous connections each worker may hold open.
    worker_connections 10240;
    # multi_accept on;
}
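# nginx.conf -- the http{} context shared by every vhost in conf.d/.
http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # Do not advertise the nginx version in the Server header or error pages.
    server_tokens off;
    server_names_hash_bucket_size 64;
    server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings (baseline; gateway.conf sets its own per server)
    ##
    # TLSv1.1 removed (deprecated); TLSv1.3 added.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # ----------------------------------------------------------------------
    # | Compression |
    # ----------------------------------------------------------------------
    # NOTE: no gzip directives are present in this block. The compression
    # settings this section refers to come from
    # https://github.com/h5bp/server-configs-nginx/blob/master/h5bp/web_performance/compression.conf
    # https://nginx.org/en/docs/http/ngx_http_gzip_module.html

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;

    ##
    # go-ipfs config
    ##
    proxy_connect_timeout 5s;
    # Responses are streamed to the client as they arrive from the upstream.
    proxy_buffering off;
    proxy_read_timeout 600s;
    proxy_send_timeout 600s;
    # The "keepalive" pool in the upstream below is only used with HTTP/1.1 to
    # the backend. The Connection header also has to be cleared, but
    # proxy_set_header is not merged across levels and every gateway location
    # sets its own Host, so `proxy_set_header Connection "";` belongs in those
    # locations rather than here.
    proxy_http_version 1.1;

    include blacklist.conf;
    include denylist.conf;

    # These are unfortunately still hardcoded in go-ipfs.
    # We're removing them from the upstream response so they
    # don't mess with the additional headers we set.
    proxy_hide_header Access-Control-Allow-Headers;
    proxy_hide_header Access-Control-Expose-Headers;
    # We have to set this header in go-ipfs because otherwise
    # it'll do its origin check based on its defaults (localhost et al).
    proxy_hide_header Access-Control-Allow-Origin;

    # go-ipfs gateway on the loopback interface.
    upstream backend {
        server 127.0.0.1:8080;
        keepalive 64;
    }
}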