fix nginx config for disallowing default IP access

etc/nginx/nginx.conf

@@ -31,6 +31,11 @@ http {
 	access_log /var/log/nginx/access.log;
 	error_log /var/log/nginx/error.log;
 
+	# https://github.com/doorkeeper-gem/doorkeeper/issues/1554#issuecomment-1304606633
+	# proxy_buffers 4 16k;
+	# proxy_buffer_size 16k;
+	# proxy_busy_buffers_size 32k;
+
 	# stats for prometheus nginx exporter
 	server {
 		listen 9181;

etc/nginx/sites-available/default.conf

@@ -1,14 +1,23 @@
-# don't respond to direct IP address requests:
-# https://www.codedodle.com/disable-direct-ip-access-nginx.html
+# catch-all nginx server
 
 server {
 	listen 80 default_server;
 	listen [::]:80 default_server;
 
+	server_name _;
+	return 444;
+}
+
+server {
 	listen 443 default_server;
 	listen [::]:443 default_server;
 
+	# intentionally cause an SSL error. this requires a snakeoil certificate, see:
+	# https://docs.j7k6.org/nginx-default-ssl-site/
+	ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+	ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
 	ssl_reject_handshake on;
+	include /etc/letsencrypt/options-ssl-nginx.conf;
 
 	server_name _;
 	return 444;

scripts/upgrade.sh

@@ -32,6 +32,10 @@ fi
 # pull & apply latest patches
 . "$SCRIPTS_ROOT/scripts/apply_patches.sh"
 
+# create blank custom.css (this overrides any CSS set in the admin panel, but if that's not being used, then
+# this quickly saves a request to the backend)
+sudo -u mastodon "$APP_ROOT/public/custom.css"
+
 # set new ruby version
 RUBY_VERSION="$(sudo -u mastodon cat $APP_ROOT/.ruby-version)"
 sudo -u mastodon RUBY_CONFIGURE_OPTS=--with-jemalloc "$RBENV_ROOT/bin/rbenv" install "$RUBY_VERSION" || true