fix nginx config for disallowing default IP access

etc/nginx/sites-available/default.conf

@@ -1,15 +1,24 @@
-# don't respond to direct IP address requests:
-# https://www.codedodle.com/disable-direct-ip-access-nginx.html
+# catch-all nginx server
 
 server {
-  listen 80 default_server;
-  listen [::]:80 default_server;
+	listen 80 default_server;
+	listen [::]:80 default_server;
 
-  listen 443 default_server;
-  listen [::]:443 default_server;
-
-  ssl_reject_handshake on;
-
-  server_name _;
-  return 444;
+	server_name _;
+	return 444;
+}
+
+server {
+	listen 443 default_server;
+	listen [::]:443 default_server;
+
+	# intentionally cause an SSL error. this requires a snakeoil certificate, see:
+	# https://docs.j7k6.org/nginx-default-ssl-site/
+	ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+	ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+	ssl_reject_handshake on;
+	include /etc/letsencrypt/options-ssl-nginx.conf;
+
+	server_name _;
+	return 444;
 }