From b2a67c4f86f52d17e4848054ec166e9b374d30ca Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Tue, 31 Aug 2021 23:12:56 +0200
Subject: [PATCH] https redirect: don't include app conf snippets if https redirect is enabled
---
 data/templates/nginx/server.tpl.conf | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf
index 7133dfba2..379b597a7 100644
--- a/data/templates/nginx/server.tpl.conf
+++ b/data/templates/nginx/server.tpl.conf
@@ -12,8 +12,6 @@ server {
 include /etc/nginx/conf.d/acme-challenge.conf.inc;
- include /etc/nginx/conf.d/{{ domain }}.d/*.conf;
-
 location ^~ '/.well-known/ynh-diagnosis/' {
 alias /tmp/.well-known/ynh-diagnosis/;
 }
@@ -22,10 +20,14 @@ server {
 alias /var/www/.well-known/{{ domain }}/autoconfig/mail/;
 }
+ {# Note that this != "False" is meant to be failure-safe, in the case the redrect_to_https would happen to contain empty string or whatever value. We absolutely don't want to disable the HTTPS redirect *except* when it's explicitly being asked to be disabled. #}
 {% if redirect_to_https != "False" %}
 location / {
 return 301 https://$http_host$request_uri;
 }
+ {# The app config snippets are not included in the HTTP conf unless HTTPS redirect is disabled, because app's location may blocks will conflict or bypass/ignore the HTTPS redirection. #}
+ {% else %}
+ include /etc/nginx/conf.d/{{ domain }}.d/*.conf;
 {% endif %}
 access_log /var/log/nginx/{{ domain }}-access.log;
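Review bot: The new `{% else %}` branch in the second hunk is reached only when `redirect_to_https` is exactly the string `"False"`, so a boolean `False`, `"false"` or `"0"` keeps the redirect and now also drops every app snippet from the port-80 block. That fail-safe direction is right, but the comment should state which type and spelling the caller is expected to pass, so that an admin who disables the redirect is not left wondering why app locations vanished from HTTP. The added comments also need a wording fix: `redrect_to_https` should read `redirect_to_https` so a grep for the variable finds it, and `because app's location may blocks will conflict or bypass/ignore` should read `because the apps' location blocks may conflict with or bypass`. Separately, and not introduced by this commit, the redirect in the context lines builds its target from `$http_host`, the raw client-supplied Host header; if no alias name or non-default port has to be preserved, `return 301 https://{{ domain }}$request_uri;` would pin the Location header to the configured name. The enclosing `server { … }` block starts and ends outside the hunk.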