An opinionated nginx default server configuration block
# An opinionated nginx default server configuration block
# Author: Ryan Castellucci https://rya.nc/ @ryancdotorg
# Revision: 2021-02-07
# Plain-HTTP catch-all. `default_server` makes this block answer any port-80
# request whose Host header matches no other server_name; `server_name _`
# is the conventional placeholder that never matches a real hostname.
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
# Send ACME (LetsEncrypt) requests to a special directory
# `root` appends the full request path, so a challenge token is read from
# /var/www/acme/.well-known/acme-challenge/<token>. This is the only path
# served over plain HTTP; everything else is redirected or rejected below.
location /.well-known/acme-challenge/ { root /var/www/acme; }
location / {
# Redirect valid looking domains to HTTPS (stripping www if present)
# `(www\.)?` consumes an optional leading "www." that is then dropped; the
# named capture `domain` must end in a TLD-like label (a letter followed by
# at least one more letter/digit), so bare IPv4 literals and single-label
# names do not match and fall through to the 400 below. nginx strips any
# port from $host and lowercases it before this case-sensitive match, and
# rejects Host values containing slashes or doubled dots at parse time.
# An `if` whose body is only a `return` is one of the documented safe uses.
if ($host ~ "^(www\.)?(?<domain>.+\.[a-z][a-z0-9-]*[a-z0-9])$") {
# $request_uri is the original, unmodified path plus query string, so both
# survive the redirect unchanged.
# NOTE(review): 301 lets clients replay a POST as a GET; 308 would preserve
# the method if non-GET traffic reaching the catch-all matters.
return 301 https://$domain$request_uri;
}
# Anything else (e.g. an IP address) gets "Bad Request".
return 400;
}
}
# TLS catch-all: answers any HTTPS handshake whose SNI name (or lack of SNI)
# matches no configured server_name, then rejects the request.
server {
# NOTE(review): nginx 1.25.1+ deprecates the `http2` listen parameter in
# favour of a separate `http2 on;` directive; the old form still works
# with a warning, so keep it only while older releases must be supported.
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name _;
# Generate RSA certificate and key with the following command:
#
# openssl req -new -newkey rsa:2048 \
# -nodes -x509 -batch -subj / \
# -keyout /etc/nginx/snakeoil.pem \
# -out /etc/nginx/snakeoil.pem
#
# `-x509` produces a self-signed certificate rather than a CSR, `-subj /`
# gives it an empty subject, `-nodes` leaves the private key unencrypted
# (nginx cannot prompt for a passphrase at startup), and writing `-keyout`
# and `-out` to the same file lets ssl_certificate and ssl_certificate_key
# both point at one PEM bundle. Keep that file readable by root only; the
# master process loads it before dropping privileges.
#
# Do *not* use a default cert generated by your distro, it
# may leak information such as your hostname or IP address.
# Relative paths here resolve against nginx's configuration prefix
# (typically /etc/nginx, where the command above writes the file) -
# check `nginx -T` if the file is reported missing.
ssl_certificate snakeoil.pem;
ssl_certificate_key snakeoil.pem;
# Avoid error messages in log
# (a self-signed certificate has no OCSP responder to fetch a staple from)
ssl_stapling off;
# Prevents TLSv1 to TLSv1.2 from seeing the cert due to lack of
# matching cipher suites.
# `aNULL` is the OpenSSL keyword for anonymous (unauthenticated) suites,
# which no browser or common client offers, so a TLS <= 1.2 handshake
# aborts before the certificate is sent. TLS 1.3 suites are not governed
# by ssl_ciphers, so TLS 1.3 clients still complete the handshake, see the
# snakeoil cert and receive the 400 below; since the cert carries no
# identifying data, nothing useful is disclosed either way.
ssl_ciphers aNULL;
# SNI has been well supported since 2015. Anything not using it and/or
# not sending us a configured hostname is probably up to no good.
# A `return` at server level applies to every request in this block, so no
# location is needed.
return 400;
}