Konfiguration gefixt und massiv aufgeräumt

SSL Redirects funktionieren jetzt

include/formular_proxy.conf

@@ -0,0 +1,6 @@
+# Transparenter Proxy für das Formular.
+
+location / {
+    proxy_pass http://localhost:8080;
+}
+

include/graph_common.conf

@@ -0,0 +1,46 @@
+# Grundkonfiguration des Graphen / der Karte
+
+root /var/www/nodes_ffhh;
+index graph.html;
+
+if_modified_since before;
+
+location ~ \.php$ {
+    fastcgi_pass unix:/var/run/php5-fpm.sock;
+    fastcgi_index index.php;
+    fastcgi_param SCRIPT_FILENAME /var/www/default$fastcgi_script_name;
+
+    include /etc/nginx/fastcgi_params;
+}
+
+location ~ \.cgi$ {
+    gzip off; #gzip makes scripts feel slower since they have to complete before getting gzipped
+
+    fastcgi_pass  unix:/var/run/nginx/cgiwrap-dispatch.sock;
+
+    fastcgi_index index.cgi;
+
+    fastcgi_param SCRIPT_FILENAME /var/www/nodes_ffhh/$fastcgi_script_name;
+    fastcgi_param QUERY_STRING     $query_string;
+    fastcgi_param REQUEST_METHOD   $request_method;
+    fastcgi_param CONTENT_TYPE     $content_type;
+    fastcgi_param CONTENT_LENGTH   $content_length;
+    fastcgi_param GATEWAY_INTERFACE  CGI/1.1;
+    fastcgi_param SERVER_SOFTWARE    nginx;
+    fastcgi_param SCRIPT_NAME        $fastcgi_script_name;
+    fastcgi_param REQUEST_URI        $request_uri;
+    fastcgi_param DOCUMENT_URI       $document_uri;
+    fastcgi_param DOCUMENT_ROOT      $document_root;
+    fastcgi_param SERVER_PROTOCOL    $server_protocol;
+    fastcgi_param REMOTE_ADDR        $remote_addr;
+    fastcgi_param REMOTE_PORT        $remote_port;
+    fastcgi_param SERVER_ADDR        $server_addr;
+    fastcgi_param SERVER_PORT        $server_port;
+    fastcgi_param SERVER_NAME        $server_name;
+}
+
+location = /nodes.json {
+    gzip_types application/octet-stream;
+    gzip on;
+}
+

include/media_common.conf

@@ -0,0 +1,24 @@
+# Basis-Konfiguration für media.
+
+# Don't allow to get framed by sites that aren't on the same domain
+add_header X-Frame-Options SAMEORIGIN;
+
+# Tell clients never to use http or self-signed (!) certificates
+# There's no way to bypass this option after it has been cached!
+add_header Strict-Transport-Security max-age=31536000;
+
+location ~ /\. {
+    deny all;
+    access_log off;
+    log_not_found off;
+}
+
+root /var/www/media;
+
+disable_symlinks on from=$document_root;
+
+location / {
+    autoindex on;
+    autoindex_exact_size on;
+    autoindex_localtime off;
+}

include/meta_common.conf

@@ -0,0 +1,16 @@
+# Basis-Konfiguration für meta.
+
+root /var/www/meta_ffhh;
+disable_symlinks on from=$document_root;
+
+location / {
+    autoindex on;
+    autoindex_exact_size on;
+    autoindex_localtime off;
+}
+
+location ~ /\. {
+    deny all;
+    access_log off;
+    log_not_found off;
+}

include/no_logging.conf

@@ -0,0 +1,8 @@
+# Deaktiviert Logging
+
+access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen.
+
+# Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen.
+# So stellen wir sicher, dass keine IPs geloggt werden.
+error_log /dev/null crit;
+

include/postfixadmin_common.conf

@@ -0,0 +1,18 @@
+# Basis-Konfiguration für den Postfix-Admin
+
+root /var/www/postfixadmin_ffhh;
+index index.php index.html index.htm;
+
+location ~ \.php$ {
+    fastcgi_pass unix:/var/run/php5-fpm.sock;
+    fastcgi_index index.php;
+    fastcgi_param SCRIPT_FILENAME /var/www/postfixadmin_ffhh$fastcgi_script_name;
+    #fastcgi_param SCRIPT_FILENAME /var/www/default$fastcgi_script_name;
+    include /etc/nginx/fastcgi_params;
+}
+
+location / {
+    index index.php;
+    try_files $uri $uri/index.php;
+}
+

include/ssl.rewrite

@@ -0,0 +1,2 @@
+# Generischer Rewrite von HTTP nach HTTPS
+rewrite	^ https://$server_name$request_uri? permanent;

include/ssl_common.conf

@@ -0,0 +1,10 @@
+# Basis Konfiguration für SSL. Wird von allen vhosts includet.
+
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 10m;
+
+# Only strong ciphers in PFS mode
+ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+

include/ssl_hamburg_freifunk_net.conf

@@ -0,0 +1,7 @@
+# Basis Konfiguration für SSL mit hamburg.freifunk.net-Zertifikat.
+
+ssl_certificate                 /etc/ssl/certs/hamburg.freifunk.net.crt;
+ssl_certificate_key             /etc/ssl/private/hamburg.freifunk.net.key;
+
+include /etc/nginx/include/ssl_common.conf;
+

include/ssl_wildcard.conf

@@ -0,0 +1,7 @@
+# Basis Konfiguration für SSL mit hamburg.freifunk.net-Zertifikat.
+
+ssl_certificate                 /etc/ssl/certs/*.hamburg.freifunk.net.crt;
+ssl_certificate_key             /etc/ssl/private/*.hamburg.freifunk.net.key;
+
+include /etc/nginx/include/ssl_common.conf;
+

include/start_common.conf

@@ -0,0 +1,13 @@
+# Basis-Konfiguration für start.
+
+root /var/www/start-ffhh/_site;
+
+location ~ /\. {
+    deny all;
+    access_log off;
+    log_not_found off;
+}
+
+location /feeds/hamburg.freifunk.net.rss {
+    proxy_pass https://hamburg.freifunk.net/feed;
+}

include/updates_common.conf

@@ -0,0 +1,9 @@
+# Basis-Konfiguration für updates.
+
+root /var/www/updates;
+
+location / {
+    access_log off;
+    log_not_found off;
+    autoindex on;
+}

include/wordpress_common.conf

@@ -0,0 +1,34 @@
+# Basis-Konfiguration für Wordpress
+
+client_max_body_size 16M;
+
+root /var/www/wordpress;
+index index.php index.html index.htm;
+
+# Don't allow to get framed by sites that aren't on the same domain
+add_header X-Frame-Options SAMEORIGIN;
+
+# Tell clients never to use http or self-signed (!) certificates
+# There's no way to bypass this option after it has been cached!
+add_header Strict-Transport-Security max-age=31536000;
+
+# This order might seem weird - this is attempted to match last if rules below fail.
+# http://wiki.nginx.org/HttpCoreModule
+location / {
+    index index.php;
+    try_files $uri $uri/ /index.php?$args;
+}
+
+# Directives to send expires headers and turn off 404 error logging.
+location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
+    expires 24h;
+    log_not_found off;
+}
+
+location ~ \.php$ {
+    fastcgi_pass unix:/var/run/php5-fpm.sock;
+        fastcgi_index index.php;
+        fastcgi_param SCRIPT_FILENAME /var/www/wordpress$fastcgi_script_name;
+#            fastcgi_param SCRIPT_FILENAME /var/www/default$fastcgi_script_name;
+        include /etc/nginx/fastcgi_params;
+}

nginx.conf

@@ -27,12 +27,13 @@ http {
 	##############################################
 	# Logging Settings
 	##
+	#access_log /var/log/nginx/access.log;
 	access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen.
 
 	# Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen.
 	# So stellen wir sicher, dass keine IPs geloggt werden.
-	error_log /dev/null crit;
-	#error_log /var/log/nginx/error.log crit;
+	error_log /dev/null warn;
+	#error_log /var/log/nginx/error.log debug;
 
 	##############################################
 	# nginx-naxsi config

sites-available/base

@@ -0,0 +1,39 @@
+server {
+	listen   443 ssl;
+	listen   [::]:443 ssl;
+
+    
+    
+
+	access_log off;
+	error_log /dev/null crit;
+
+    
+    ssl_certificate                 /etc/ssl/certs/*.hamburg.freifunk.net.crt;
+    ssl_certificate_key             /etc/ssl/private/*.hamburg.freifunk.net.key;
+    
+
+	ssl_prefer_server_ciphers on;
+	ssl_session_cache shared:SSL:10m;
+	ssl_session_timeout 10m;
+
+	# Only strong ciphers in PFS mode
+	ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA;
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+	# Don't allow to get framed by sites that aren't on the same domain
+	add_header X-Frame-Options SAMEORIGIN;
+
+	# Tell clients never to use http or self-signed (!) certificates
+	# There's no way to bypass this option after it has been cached!
+	add_header Strict-Transport-Security max-age=31536000;
+
+	location ~ /\. {
+		deny all;
+		access_log off;
+		log_not_found off;
+	}
+
+    
+    
+}

sites-available/default_ffhh

@@ -1,6 +1,6 @@
 server {
 	listen 80 default_server;
-        listen [::]:80 default_server;
+    listen [::]:80 default_server;
 
 	root /var/www/wordpress; #/usr/share/nginx/html;
 	index index.php index.html index.htm;
@@ -17,3 +17,23 @@ server {
 #        	include /etc/nginx/fastcgi_params;
 #	}
 }
+
+#server {
+#	listen 80 default_server;
+#    listen [::]:80 default_server;
+#
+#	root /var/www/wordpress; #/usr/share/nginx/html;
+#	index index.php index.html index.htm;
+#
+#	# Make site accessible from http://localhost/
+##	server_name *.hamburg.freifunk.net;
+#
+#	return 302 http://hamburg.freifunk.net;
+#
+##	location ~ \.php$ {
+##		fastcgi_pass unix:/var/run/php5-fpm.sock;
+##        	fastcgi_index index.php;
+##        	fastcgi_param SCRIPT_FILENAME /var/www/default$fastcgi_script_name;
+##        	include /etc/nginx/fastcgi_params;
+##	}
+#}

sites-available/formular_ffhh

@@ -1,45 +1,35 @@
 server {
-	listen	80;
-	listen	[::]:80;
-	server_name formular.hamburg.freifunk.net formular.services.ffhh formular.ffhh;
+    include /etc/nginx/include/no_logging.conf;
 
-	access_log off;
+    listen   80;
+    listen   [::]:80;
 
-	return 301 https://formular.hamburg.freifunk.net$request_uri;
+    server_name formular.hamburg.freifunk.net;
+
+    include /etc/nginx/include/ssl.rewrite;
 }
 
 server {
-	listen   443;
-	listen   [::]:443;
-	server_name formular.hamburg.freifunk.net formular.services.ffhh formular.ffhh;
+    include /etc/nginx/include/no_logging.conf;
 
-	access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen.
+    listen 80;
+    listen [::]:80;
 
-	# Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen.
-	# So stellen wir sicher, dass keine IPs geloggt werden.
-	error_log /dev/null crit;
+    server_name formular.services.ffhh formular.ffhh;
 
-        ssl_certificate                 /etc/ssl/certs/formular.hamburg.freifunk.net.crt;
-        ssl_certificate_key             /etc/ssl/private/formular.hamburg.freifunk.net.key;
-
-	ssl_prefer_server_ciphers on;
-	ssl_session_cache shared:SSL:10m;
-	ssl_session_timeout 10m;
-
-	# Only strong ciphers in PFS mode
-	ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA;
-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-
-
-	# Don't allow to get framed by sites that aren't on the same domain
-	add_header X-Frame-Options SAMEORIGIN;
-
-	# Tell clients never to use http or self-signed (!) certificates
-	# There's no way to bypass this option after it has been cached!
-	add_header Strict-Transport-Security max-age=31536000;
-
-	#return 301 $scheme://formular.hamburg.freifunk.net:8080$request_uri;
-	location / {
-		proxy_pass http://formular.hamburg.freifunk.net:8080;
-	}
+    include /etc/nginx/include/formular_proxy.conf;
 }
+
+server {
+    include /etc/nginx/include/no_logging.conf;
+
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name formular.hamburg.freifunk.net;
+
+    include /etc/nginx/include/ssl_wildcard.conf;
+
+    include /etc/nginx/include/formular_proxy.conf;
+}
+

sites-available/graph_ffhh

@@ -1,51 +1,35 @@
 server {
-	listen			80;
-	listen			[::]:80;
-	server_name		graph.hamburg.freifunk.net knotengraph.ffhh;
+    include /etc/nginx/include/no_logging.conf;
 
-	access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen.
+    listen 80;
+    listen [::]:80;
 
-	# Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen.
-	# So stellen wir sicher, dass keine IPs geloggt werden.
-	error_log /dev/null crit;
+    server_name knotengraph.ffhh;
 
-	root			/var/www/nodes_ffhh;
-	index			graph.html;
-
-	if_modified_since before;
-
-	location ~ \.php$ {
-		fastcgi_pass unix:/var/run/php5-fpm.sock;
-        	fastcgi_index index.php;
-        	fastcgi_param SCRIPT_FILENAME /var/www/default$fastcgi_script_name;
-		include /etc/nginx/fastcgi_params;
-	}
-
-	location ~ \.cgi$ {
-		gzip off; #gzip makes scripts feel slower since they have to complete before getting gzipped
-			fastcgi_pass  unix:/var/run/nginx/cgiwrap-dispatch.sock;
-		fastcgi_index index.cgi;
-		fastcgi_param SCRIPT_FILENAME /var/www/nodes_ffhh/$fastcgi_script_name;
-		fastcgi_param QUERY_STRING     $query_string;
-		fastcgi_param REQUEST_METHOD   $request_method;
-		fastcgi_param CONTENT_TYPE     $content_type;
-		fastcgi_param CONTENT_LENGTH   $content_length;
-		fastcgi_param GATEWAY_INTERFACE  CGI/1.1;
-		fastcgi_param SERVER_SOFTWARE    nginx;
-		fastcgi_param SCRIPT_NAME        $fastcgi_script_name;
-		fastcgi_param REQUEST_URI        $request_uri;
-		fastcgi_param DOCUMENT_URI       $document_uri;
-		fastcgi_param DOCUMENT_ROOT      $document_root;
-		fastcgi_param SERVER_PROTOCOL    $server_protocol;
-		fastcgi_param REMOTE_ADDR        $remote_addr;
-		fastcgi_param REMOTE_PORT        $remote_port;
-		fastcgi_param SERVER_ADDR        $server_addr;
-		fastcgi_param SERVER_PORT        $server_port;
-		fastcgi_param SERVER_NAME        $server_name;
-	}
-
-	location = /nodes.json {
-		gzip_types application/octet-stream;
-		gzip on;
-	}
+    include /etc/nginx/include/graph_common.conf;
 }
+
+server {
+    include /etc/nginx/include/no_logging.conf;
+
+    listen 80;
+    listen [::]:80;
+
+    server_name graph.hamburg.freifunk.net;
+
+    include /etc/nginx/include/ssl.rewrite;
+}
+
+server {
+    include /etc/nginx/include/no_logging.conf;
+
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name graph.hamburg.freifunk.net;
+
+    include /etc/nginx/include/ssl_wildcard.conf;
+
+    include /etc/nginx/include/graph_common.conf;
+}
+

sites-available/insecure

@@ -0,0 +1,9 @@
+server {
+	listen				80;
+	listen				[::]:80;
+
+	server_name         _;
+    access_log          off;
+
+    rewrite ^ https://$host$request_uri? permanent;
+}

sites-available/media_ffhh

@@ -0,0 +1,35 @@
+server {
+    include /etc/nginx/include/no_logging.conf;
+
+    listen 80;
+    listen [::]:80;
+
+    server_name media.services.ffhh;
+
+    include /etc/nginx/include/media_common.conf;
+}
+
+server {
+    include /etc/nginx/include/no_logging.conf;
+
+    listen 80;
+    listen [::]:80;
+
+    server_name media.hamburg.freifunk.net;
+
+    include /etc/nginx/include/ssl.rewrite;
+}
+
+server {
+    include /etc/nginx/include/no_logging.conf;
+
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name media.hamburg.freifunk.net;
+
+    include /etc/nginx/include/ssl_wildcard.conf;
+
+    include /etc/nginx/include/media_common.conf;
+}
+

sites-available/meta_ffhh

@@ -1,28 +1,24 @@
 server {
-	listen   80;
-	listen   [::]:80; 
-	server_name meta.hamburg.freifunk.net;
+    include /etc/nginx/include/no_logging.conf;
 
-	access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen.
+    listen 80;
+    listen [::]:80;
 
-	# Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen.
-	# So stellen wir sicher, dass keine IPs geloggt werden.
-	error_log /dev/null crit;
+    server_name meta.hamburg.freifunk.net;
 
-	root /var/www/meta_ffhh;
-
-	disable_symlinks on from=$document_root;
-
-	location / {
-		autoindex on;
-		autoindex_exact_size on;
-		autoindex_localtime off;
-	}
-
-	location ~ /\. {
-		deny all;
-		access_log off;
-		log_not_found off;
-	}
+    include /etc/nginx/include/meta_common.conf;
+}
+
+server {
+    include /etc/nginx/include/no_logging.conf;
+
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name meta.hamburg.freifunk.net;
+
+    include /etc/nginx/include/ssl_wildcard.conf;
+
+    include /etc/nginx/include/meta_common.conf;
 }
 

sites-available/opkg_ffhh

@@ -1,16 +1,13 @@
 server {
-	#listen   80;
-	listen   [::]:80;
-	server_name opkg.services.ffhh;
+    include /etc/nginx/include/no_logging.conf;
 
-	access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen.
+    #listen 80;
+    listen [::]:80;
 
-	# Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen.
-	# So stellen wir sicher, dass keine IPs geloggt werden.
-	error_log /dev/null crit;
+    server_name opkg.services.ffhh;
 
-	location / {
-		proxy_pass https://downloads.openwrt.org/;
-	}
+    location / {
+        proxy_pass https://downloads.openwrt.org/;
+    }
 }
 

sites-available/postfixadmin_ffhh

@@ -1,59 +1,35 @@
-# HTTP redirect to HTTPS
-
 server {
-	listen		80;
-        listen [::]:80;
-#        listen          443; 
-	server_name	postmaster.hamburg.freifunk.net postmaster.services.ffhh;
-#    rewrite     ^ https://postmaster.hamburg.freifunk.net permanent;
-	rewrite		^ https://$server_name$request_uri? permanent;
-	access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen.
+    include /etc/nginx/include/no_logging.conf;
 
-	# Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen.
-	# So stellen wir sicher, dass keine IPs geloggt werden.
-	error_log /dev/null crit;
+    listen 80;
+    listen [::]:80;
+
+    server_name postmaster.services.ffhh;
+
+    include /etc/nginx/include/postfixadmin_common.conf;
 }
 
+server {
+    include /etc/nginx/include/no_logging.conf;
 
-# HTTPS server
+    listen 80;
+    listen [::]:80;
+
+    server_name postmaster.hamburg.freifunk.net;
+
+    include /etc/nginx/include/ssl.rewrite;
+}
 
 server {
-	listen                      	443;
-	listen                      	[::]443;
-	server_name			postmaster.hamburg.freifunk.net postmaster.services.ffhh;
-	access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen.
-	# Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen.
-	# So stellen wir sicher, dass keine IPs geloggt werden.
+    include /etc/nginx/include/no_logging.conf;
 
-	error_log /dev/null crit;
-#	error_log /var/log/nginx/error.log;
+    listen 443 ssl;
+    listen [::]:443 ssl;
 
-	root                        	/var/www/postfixadmin_ffhh;
-	index                       	index.php index.html index.htm;
+    server_name postmaster.hamburg.freifunk.net;
 
-	ssl                         	on;
-	ssl_certificate             	/etc/nginx/ssl/postfix_ssl/server.crt;
-	ssl_certificate_key         	/etc/nginx/ssl/postfix_ssl/server.key;
-
-	ssl_prefer_server_ciphers on;
-	ssl_session_cache shared:SSL:10m;
-	ssl_session_timeout 10m;
-
-	# Only strong ciphers in PFS mode
-	ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA;
-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-
-	location ~ \.php$ {
-                fastcgi_pass unix:/var/run/php5-fpm.sock;
-                fastcgi_index index.php;
-                fastcgi_param SCRIPT_FILENAME /var/www/postfixadmin_ffhh$fastcgi_script_name;
-                #fastcgi_param SCRIPT_FILENAME /var/www/default$fastcgi_script_name;
-                include /etc/nginx/fastcgi_params;
-	}
-
-	location / {
-		index index.php;  # hinzugefuegt
-		try_files $uri $uri/index.php;
-	}	# geaendert von ez am 28.02.2014; 
+    include /etc/nginx/include/ssl_wildcard.conf;
 
+    include /etc/nginx/include/postfixadmin_common.conf;
 }
+

sites-available/start_ffhh

@@ -1,24 +1,35 @@
 server {
-	listen   80;
-	listen   [::]:80;
-	server_name start.hamburg.freifunk.net start.ffhh;
+    include /etc/nginx/include/no_logging.conf;
 
-	access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen.
+    listen 80;
+    listen [::]:80;
 
-	# Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen.
-	# So stellen wir sicher, dass keine IPs geloggt werden.
-	error_log /dev/null crit;
+    server_name start.ffhh;
 
-	root /var/www/start-ffhh/_site;
-
-	location ~ /\. {
-		deny all;
-		access_log off;
-		log_not_found off;
-	}
-
-    location /feeds/hamburg.freifunk.net.rss {
-        proxy_pass https://hamburg.freifunk.net/feed;
-    }
+    include /etc/nginx/include/start_common.conf;
+}
+
+server {
+    include /etc/nginx/include/no_logging.conf;
+
+    listen 80;
+    listen [::]:80;
+
+    server_name start.hamburg.freifunk.net;
+
+    include /etc/nginx/include/ssl.rewrite;
+}
+
+server {
+    include /etc/nginx/include/no_logging.conf;
+
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name start.hamburg.freifunk.net;
+
+    include /etc/nginx/include/ssl_wildcard.conf;
+
+    include /etc/nginx/include/start_common.conf;
 }
 

sites-available/updates

@@ -0,0 +1,23 @@
+server {
+    include /etc/nginx/include/no_logging.conf;
+
+    listen 80;
+    listen [::]:80;
+
+    server_name updates.hamburg.freifunk.net 1.updates.services.ffhh;
+
+    include /etc/nginx/include/updates_common.conf;
+}
+
+server {
+    include /etc/nginx/include/no_logging.conf;
+
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name updates.hamburg.freifunk.net 1.updates.services.ffhh;
+
+    include /etc/nginx/include/ssl_wildcard.conf;
+
+    include /etc/nginx/include/updates_common.conf;
+}
+

sites-available/wordpress_ffhh

@@ -1,69 +1,48 @@
 server {
-	listen				80;		# ipv4 http
-	listen				[::]:80;	# ipv6 http
+    include /etc/nginx/include/no_logging.conf;
 
-	server_name			hamburg.freifunk.net www.hamburg.freifunk.net freifunk.ffhh;
-    access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen.
+    listen 80;
+    listen [::]:80;
 
-    rewrite ^ https://$server_name$request_uri? permanent;
+    server_name freifunk.ffhh;
+
+    include /etc/nginx/include/wordpress_common.conf;
 }
 
 server {
-	listen				443 ssl;	# ipv4 https
-	listen				[::]:443 ssl;	# ipv6 https
+    include /etc/nginx/include/no_logging.conf;
 
-	server_name			hamburg.freifunk.net www.hamburg.freifunk.net freifunk.ffhh;
+    listen 80;
+    listen [::]:80;
 
-        access_log off; # Bitte nicht aktivieren. Wir wollen ja nicht die IPs unserer Visitor loggen.
+    server_name hamburg.freifunk.net www.hamburg.freifunk.net;
 
-	# Bitte nur zum Debuggen von schweren Fehlern das Log-File temporär setzen und dann anschließend die Logs löschen.
-	# So stellen wir sicher, dass keine IPs geloggt werden.
-	error_log /dev/null crit;
-
-	client_max_body_size		16M;
-
-	root				/var/www/wordpress;
-	index				index.php index.html index.htm;
-
-
-        ssl_certificate                 /etc/ssl/certs/hamburg.freifunk.net.crt;
-        ssl_certificate_key             /etc/ssl/private/hamburg.freifunk.net.key;
-
-	ssl_prefer_server_ciphers on;
-	ssl_session_cache shared:SSL:10m;
-	ssl_session_timeout 10m;
-
-	# Only strong ciphers in PFS mode
-	ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA;
-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-
-
-	# Don't allow to get framed by sites that aren't on the same domain
-	add_header X-Frame-Options SAMEORIGIN;
-
-	# Tell clients never to use http or self-signed (!) certificates
-	# There's no way to bypass this option after it has been cached!
-	add_header Strict-Transport-Security max-age=31536000;
-
-	# This order might seem weird - this is attempted to match last if rules below fail.
-	# http://wiki.nginx.org/HttpCoreModule
-	location / {
-		index index.php;
-		try_files $uri $uri/ /index.php?$args;
-	}
-
-	# Directives to send expires headers and turn off 404 error logging.
-	location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
-		expires 24h;
-		log_not_found off;
-	}
-
-	location ~ \.php$ {
-		fastcgi_pass unix:/var/run/php5-fpm.sock;
-        	fastcgi_index index.php;
-        	fastcgi_param SCRIPT_FILENAME /var/www/wordpress$fastcgi_script_name;
-#        	fastcgi_param SCRIPT_FILENAME /var/www/default$fastcgi_script_name;
-        	include /etc/nginx/fastcgi_params;
-	}
+    rewrite	^ https://hamburg.freifunk.net$request_uri? permanent;
+}
+
+server {
+    include /etc/nginx/include/no_logging.conf;
+
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name www.hamburg.freifunk.net;
+
+    include /etc/nginx/include/ssl_wildcard.conf;
+
+    rewrite	^ https://hamburg.freifunk.net$request_uri? permanent;
+}
+
+server {
+    include /etc/nginx/include/no_logging.conf;
+
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name hamburg.freifunk.net;
+
+    include /etc/nginx/include/ssl_hamburg_freifunk_net.conf;
+
+    include /etc/nginx/include/wordpress_common.conf;
 }
 

sites-enabled/default_ffhh

@@ -1 +0,0 @@
-../sites-available/default_ffhh

sites-enabled/mail

@@ -1 +0,0 @@
-../sites-available/mail

sites-enabled/media_ffhh

@@ -0,0 +1 @@
+../sites-available/media_ffhh

sites-enabled/updates

@@ -0,0 +1 @@
+../sites-available/updates