Improve handling of startup (pre-certs) and 404 on unknown domains

Dockerfile

@@ -11,6 +11,7 @@ CMD ["/bin/sh", "/entrypoint.sh"]
 RUN apt-get update \
     && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
         tini nginx supervisor gettext-base libjs-bootstrap4 libjs-jquery \
+    && rm /etc/nginx/sites-enabled/default \
     && rm -rf /var/lib/apt/lists/* \
     && apt-get autoremove -y \
     && rm -rf /var/cache/*

cert-monitor.sh

@@ -4,6 +4,9 @@ CERT_PATH="/snikket/letsencrypt/live/$SNIKKET_DOMAIN/cert.pem"
 
 while sleep 10; do
 	if test -f "$CERT_PATH"; then
+		if test -f /etc/nginx/sites-enabled/startup; then
+			rm /etc/nginx/sites-enabled/startup;
+		fi
 		/usr/local/bin/render-template.sh "/etc/nginx/templates/snikket-common" "/etc/nginx/snippets/snikket-common.conf"
 		for proto in http https; do
 			/usr/local/bin/render-template.sh "/etc/nginx/templates/$proto" "/etc/nginx/sites-enabled/$proto";

entrypoint.sh

@@ -8,6 +8,8 @@ if test -f "$CERT_PATH"; then
 	for proto in http https; do
 		/usr/local/bin/render-template.sh "/etc/nginx/templates/$proto" "/etc/nginx/sites-enabled/$proto";
 	done
+else
+	/usr/local/bin/render-template.sh "/etc/nginx/templates/startup.template" "/etc/nginx/sites-enabled/startup";
 fi
 
 exec supervisord -c /etc/supervisord/supervisord.conf

error-pages/404.html

@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html lang="en" xmlns:xlink="http://www.w3.org/1999/xlink">
+	<head>
+		<meta charset="utf-8">
+		
+		<title>Snikket | Page not found</title>
+
+		<meta name="viewport" content="width=device-width, initial-scale=1">
+
+		<link rel="stylesheet" href="/static/css/snikket.css">
+		
+		<link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png">
+		<link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png">
+		<link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png">
+		<link rel="manifest" href="/site.webmanifest">
+		<link rel="mask-icon" href="/safari-pinned-tab.svg" color="#5bbad5">
+		<meta name="msapplication-TileColor" content="#fbd308">
+		<meta name="theme-color" content="#fbd308">
+	</head>
+	<body style="background-color: #eee">
+		<div style="width: 80%; margin-top: 10%; margin-left: auto; margin-right: auto; background-color: #f8f8f8; padding: 3em;">
+			<img src="/static/img/snikket-logo-text.svg" alt="Snikket" style="width: 60%">
+			<h1>Oops! We couldn't find what you were looking for.</h1>
+			<p>Check the address you entered, perhaps?</p>
+			<code>404 Not Found</code>
+		</div>
+	</body>
+</html>

error-pages/404_site.html

@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html lang="en" xmlns:xlink="http://www.w3.org/1999/xlink">
+	<head>
+		<meta charset="utf-8">
+		
+		<title>Snikket | Unknown domain</title>
+
+		<meta name="viewport" content="width=device-width, initial-scale=1">
+
+		<link rel="stylesheet" href="/static/css/snikket.css">
+		
+		<link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png">
+		<link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png">
+		<link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png">
+		<link rel="manifest" href="/site.webmanifest">
+		<link rel="mask-icon" href="/safari-pinned-tab.svg" color="#5bbad5">
+		<meta name="msapplication-TileColor" content="#fbd308">
+		<meta name="theme-color" content="#fbd308">
+	</head>
+	<body style="background-color: #eee">
+		<div style="width: 80%; margin-top: 10%; margin-left: auto; margin-right: auto; background-color: #f8f8f8; padding: 3em;">
+			<img src="/static/img/snikket-logo-text.svg" alt="Snikket" style="width: 60%">
+			<h1>Oops! Site not found.</h1>
+			<p>The web address you entered does not seem to match the domain of your Snikket installation.</p>
+			<p>If this is unexpected, check your DNS settings and your Snikket configuration are both correct.</p>
+			<code>404 Not Found</code>
+		</div>
+	</body>
+</html>

error-pages/504.html

@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html lang="en" xmlns:xlink="http://www.w3.org/1999/xlink">
+	<head>
+		<meta charset="utf-8">
+		
+		<title>Snikket | Temporarily unavailable</title>
+
+		<meta name="viewport" content="width=device-width, initial-scale=1">
+
+		<link rel="stylesheet" href="/static/css/snikket.css">
+		
+		<link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png">
+		<link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png">
+		<link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png">
+		<link rel="manifest" href="/site.webmanifest">
+		<link rel="mask-icon" href="/safari-pinned-tab.svg" color="#5bbad5">
+		<meta name="msapplication-TileColor" content="#fbd308">
+		<meta name="theme-color" content="#fbd308">
+	</head>
+	<body style="background-color: #eee">
+		<div style="width: 80%; margin-top: 10%; margin-left: auto; margin-right: auto; background-color: #f8f8f8; padding: 3em;">
+			<img src="/static/img/snikket-logo-text.svg" alt="Snikket" style="width: 60%">
+			<h1>Oops! A technical glitch.</h1>
+			<p>There was a problem connecting to the Snikket service of this site.</p>
+			<p>If you just started this service, please wait a moment and reload the page.</p>
+			<p>If the problem continues, please check your Snikket configuration for problems.</p>
+			<code>504 Gateway Timeout</code>
+		</div>
+	</body>
+</html>

nginx/http.template

@@ -14,3 +14,13 @@ server {
         return 301 https://$host$request_uri;
     }
 }
+
+# Fail requests to unknown domains
+server {
+    listen ${SNIKKET_TWEAK_HTTP_PORT};
+    listen [::]:${SNIKKET_TWEAK_HTTP_PORT};
+
+    error_page 404 /_errors/404_site.html;
+
+    return 404;
+}

nginx/https.template

@@ -32,6 +32,8 @@ server {
 
     server_name share.${SNIKKET_DOMAIN};
 
+    root /var/www/html;
+
     location /upload/ {
         proxy_pass http://localhost:${SNIKKET_TWEAK_INTERNAL_HTTP_PORT};
         proxy_set_header  Host            $host;
@@ -39,3 +41,22 @@ server {
         proxy_set_header  X-Forwarded-Proto https;
     }
 }
+
+# Fail requests to unknown domains
+server {
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+
+    ssl_certificate     /snikket/letsencrypt/live/snikket.chat/fullchain.pem;
+    ssl_certificate_key /snikket/letsencrypt/live/snikket.chat/privkey.pem;
+
+    ssl_session_cache shared:le_nginx_SSL:1m;
+    ssl_session_timeout 1440m;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
+
+    error_page 404 /_errors/404_site.html;
+
+    return 404;
+}

nginx/startup.template

@@ -0,0 +1,28 @@
+server {
+    listen ${SNIKKET_TWEAK_HTTP_PORT};
+    listen [::]:${SNIKKET_TWEAK_HTTP_PORT};
+
+    server_name ${SNIKKET_DOMAIN};
+    server_name groups.${SNIKKET_DOMAIN};
+    server_name share.${SNIKKET_DOMAIN};
+
+    location /.well-known/acme-challenge {
+        alias /var/www/html/.well-known/acme-challenge;
+    }
+
+    root /var/www/html;
+
+    error_page 404 /_errors/404.html;
+}
+
+# Fail requests to unknown domains
+server {
+    listen ${SNIKKET_TWEAK_HTTP_PORT};
+    listen [::]:${SNIKKET_TWEAK_HTTP_PORT};
+
+    root /var/www/html;
+
+    error_page 404 /_errors/404_site.html;
+
+    return 404;
+}