From b4b5d63fe899881539b04cb9c7463cad7a4030ca Mon Sep 17 00:00:00 2001
From: Daniel Carrera
Date: Sat, 14 Dec 2019 21:47:54 -0500
Subject: [PATCH] virtual_host_alias & ssl redirects with single 301
---
 README.md | 4 ++--
 nginx.tmpl | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----
 2 files changed, 60 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 1883ca6..16bb48c 100644
--- a/README.md
+++ b/README.md
@@ -101,8 +101,8 @@ If you are using [letsencrypt-nginx-proxy-companion](https://github.com/JrCs/doc
 This will setup the following redirects:
 - `http://example.com` → `https://example.com`
- - `http://www.example.com` → `https://www.example.com` → `https://example.com`
- - `http://old.example.com` → `http://example.com` → `https://example.com`
+ - `http://www.example.com` → `https://example.com`
+ - `http://old.example.com` → `https://example.com`
 - `https://www.example.com` → `https://example.com`
 - `https://old.example.com` → `https://example.com`
diff --git a/nginx.tmpl b/nginx.tmpl
index 4e52f7f..d221859 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -404,18 +404,21 @@ server { # VIRTUAL_HOST_ALIAS {{ range $host_alias, $containers := groupByMulti $ "Env.VIRTUAL_HOST_ALIAS" "," }} +{{ $host_alias := trim $host_alias }} + {{ $first_host := (first (groupByKeys $containers "Env.VIRTUAL_HOST")) }} +{{ $first_host := trim $first_host }} + # First Host {{ $first_host }} #Alias: {{ $host_alias }} -server { - server_name {{ $host_alias }}; - return 301 $scheme://{{ $first_host }}$request_uri; -} {{ $default_host := or ($.Env.DEFAULT_HOST) "" }} {{ $default_server := index (dict $host_alias "" $default_host "default_server") $host_alias }} +{{/* Get the NETWORK_ACCESS defined by containers w/ the same vhost, falling back to "external" */}} +{{ $network_tag := or (first (groupByKeys $containers "Env.NETWORK_ACCESS")) "external" }} + {{/* Get the HTTPS_METHOD defined by containers w/ the same vhost, falling back to "redirect" */}} {{ $https_method := or (first (groupByKeys $containers "Env.HTTPS_METHOD")) "redirect" }} @@ -442,6 +445,17 @@ server { {{ if $is_https }} +{{ if eq $https_method "redirect" }} +server { + server_name {{ $host_alias }}; + listen 80 {{ $default_server }}; + {{ if $enable_ipv6 }} + listen [::]:80 {{ $default_server }}; + {{ end }} + access_log /var/log/nginx/access.log vhost; + return 301 https://{{ $first_host }}$request_uri; +} +{{ end }} server { server_name {{ $host_alias }}; listen 443 ssl http2 {{ $default_server }}; 
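Review bot: In the `@@ -404,18 +404,21 @@` hunk, the added `trim` strips only surrounding whitespace from `$first_host`, which still holds the whole `VIRTUAL_HOST` value of the first container group. As far as I can tell `groupByKeys` does not split on commas the way `groupByMulti` does, so a value such as `a.example,b.example` (constructed example) would end up verbatim in the `return 301 https://{{ $first_host }}$request_uri;` line of the next hunk and in the `http://` one of the last hunk. Taking the first entry explicitly avoids that: `{{ $first_host := trim (first (split $first_host ",")) }}`. Because `$host_alias` and `$first_host` are written into `server_name` and `return` as-is, a comment stating that both must be plain hostnames (no wildcard or regex forms, no `;`) would also help operators. The `range` body continues outside the hunk.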
@@ -484,4 +498,44 @@ server {
 {{ end }}
+{{ if or (not $is_https) (eq $https_method "noredirect") }}
+
+server {
+ server_name {{ $host_alias }};
+ listen 80 {{ $default_server }};
+ {{ if $enable_ipv6 }}
+ listen [::]:80 {{ $default_server }};
+ {{ end }}
+ access_log /var/log/nginx/access.log vhost;
+
+ {{ if eq $network_tag "internal" }}
+ # Only allow traffic from internal clients
+ include /etc/nginx/network_internal.conf;
+ {{ end }}
+
+ {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host_alias)) }}
+ include {{ printf "/etc/nginx/vhost.d/%s" $host_alias }};
+ {{ else if (exists "/etc/nginx/vhost.d/default") }}
+ include /etc/nginx/vhost.d/default;
+ {{ end }}
+
+ return 301 http://{{ $first_host }}$request_uri;
+}
+
+{{ if (and (not $is_https) (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
+server {
+ server_name {{ $host_alias }};
+ listen 443 ssl http2 {{ $default_server }};
+ {{ if $enable_ipv6 }}
+ listen [::]:443 ssl http2 {{ $default_server }};
+ {{ end }}
+ access_log /var/log/nginx/access.log vhost;
+ return 500;
+
+ ssl_certificate /etc/nginx/certs/default.crt;
+ ssl_certificate_key /etc/nginx/certs/default.key;
+}
+{{ end }}
+
+{{ end }}
 {{ end }}
\ No newline at end of file
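Review bot: In the new port-80 alias block, the `include /etc/nginx/network_internal.conf;` under "Only allow traffic from internal clients" has no effect on what the block returns. The server-level `return 301 http://{{ $first_host }}$request_uri;` is evaluated in nginx's rewrite phase, before `allow`/`deny` rules are checked, so the redirect goes to every client. This assumes the included file holds access rules, since its contents are not shown here. For the same reason any `location` blocks pulled in from the `vhost.d` includes are never reached in this server. I would either drop the two includes from this block or replace the comment with one that states the real behaviour, for example `# NOTE: the 301 below is sent before access rules run; internal-only enforcement must happen on the target vhost`.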