Fix nginx "single path" location blocks

roles/archweb/templates/ipxe.archlinux.org.j2

@@ -30,7 +30,7 @@ server {
     ssl_certificate_key  /etc/letsencrypt/live/{{ archweb_domain }}/privkey.pem;
     ssl_trusted_certificate /etc/letsencrypt/live/{{ archweb_domain }}/chain.pem;
 
-    location /releng/netboot {
+    location /releng/netboot/ {
         access_log   /var/log/nginx/{{ archweb_domain }}/access.log main;
         access_log   /var/log/nginx/{{ archweb_domain }}/access.log.json json_main;
         include uwsgi_params;
@@ -38,11 +38,11 @@ server {
     }
 
     # Cache django's css, js and png files.
-    location /static {
+    location /static/ {
         expires 30d;
         add_header Pragma public;
         add_header Cache-Control "public";
-        alias /srv/http/archweb/collected_static;
+        alias /srv/http/archweb/collected_static/;
     }
 
     location / {

roles/archweb/templates/maintenance-nginx.d.conf.j2

@@ -78,12 +78,12 @@ server {
 
     error_page 503 /503.html;
 
-    location /.well-known/matrix/server {
+    location = /.well-known/matrix/server {
         default_type application/json;
         return 200 '{"m.server": "{{ matrix_domain }}:443"}';
     }
 
-    location /.well-known/matrix/client {
+    location = /.well-known/matrix/client {
         default_type application/json;
         add_header Access-Control-Allow-Origin *;
         return 200 '{"m.homeserver": {"base_url": "https://{{ matrix_domain }}"}, "m.identity_server": {"base_url": "https://matrix.org"} }';

roles/archweb/templates/nginx.d.conf.j2

@@ -38,7 +38,7 @@ server {
 
     include snippets/letsencrypt.conf;
 
-    location /.well-known {
+    location /.well-known/ {
         add_header Access-Control-Allow-Origin *;
         return 301 https://$server_name$request_uri;
     }
@@ -62,7 +62,7 @@ server {
     ssl_certificate_key  /etc/letsencrypt/live/{{ archweb_domain }}/privkey.pem;
     ssl_trusted_certificate /etc/letsencrypt/live/{{ archweb_domain }}/chain.pem;
 
-    location /.well-known {
+    location /.well-known/ {
         add_header Access-Control-Allow-Origin *;
         return 301 https://{{ archweb_domain }}{{ domain['redirect']|default('$request_uri') }};
     }
@@ -108,12 +108,12 @@ server {
     ssl_certificate_key  /etc/letsencrypt/live/{{ archweb_domain }}/privkey.pem;
     ssl_trusted_certificate /etc/letsencrypt/live/{{ archweb_domain }}/chain.pem;
 
-    location /.well-known/matrix/server {
+    location = /.well-known/matrix/server {
         default_type application/json;
         return 200 '{"m.server": "{{ matrix_domain }}:443"}';
     }
 
-    location /.well-known/matrix/client {
+    location = /.well-known/matrix/client {
         default_type application/json;
         add_header Access-Control-Allow-Origin *;
         return 200 '{"m.homeserver": {"base_url": "https://{{ matrix_domain }}"}, "m.identity_server": {"base_url": "https://matrix.org"} }';

roles/dbscripts/templates/nginx.d.conf.j2

@@ -19,7 +19,7 @@ server {
     access_log   /var/log/nginx/{{ repos_domain }}/access.log reduced;
     access_log   /var/log/nginx/{{ repos_domain }}/access.log.json json_reduced;
 
-    location /lastupdate {
+    location = /lastupdate {
         allow all;
     }
 

roles/flyspray/templates/nginx.d.conf.j2

@@ -43,15 +43,15 @@ server {
         deny all;
     }
 
-    location /setup {
+    location /setup/ {
         deny all;
     }
 
-    location /attachments {
+    location /attachments/ {
         location ~ \.php$ {return 403;}
     }
 
-    location /cache {
+    location /cache/ {
         location ~ \.php$ {return 403;}
     }
 

roles/keycloak/templates/nginx.d.conf.j2

@@ -31,7 +31,7 @@ server {
     root {{ keycloak_domain }};
 
     # https://w3c.github.io/webappsec-change-password-url/
-    location /.well-known/change-password {
+    location = /.well-known/change-password {
         return 302 https://$server_name/auth/realms/archlinux/account/#/security/signingin;
     }
 

roles/mailman/templates/nginx.d.conf.j2

@@ -29,16 +29,16 @@ server {
     ssl_trusted_certificate /etc/letsencrypt/live/{{ lists_domain }}/chain.pem;
 
     # redirect old urls
-    location /mailman {
+    location /mailman/ {
         rewrite ^/mailman/(.*) /$1 permanent;
     }
 
-    location /icons {
-        alias /usr/lib/mailman/icons;
+    location /icons/ {
+        alias /usr/lib/mailman/icons/;
     }
 
-    location /pipermail {
-        alias /var/lib/mailman/archives/public;
+    location ~ ^/pipermail(?:/(.*))?$ {
+        alias /var/lib/mailman/archives/public/$1;
         add_header Cache-Control "public, no-cache";
         autoindex on;
     }

roles/mta_sts/templates/nginx.d.conf.j2

@@ -30,7 +30,7 @@ server {
     ssl_certificate_key  /etc/letsencrypt/live/{{ domain }}/privkey.pem;
     ssl_trusted_certificate /etc/letsencrypt/live/{{ domain }}/chain.pem;
 
-    location /.well-known/mta-sts.txt {
+    location = /.well-known/mta-sts.txt {
         default_type text/plain;
         return 200 'version: STSv1\nmode: testing\nmax_age: 604800\nmx: {{ config.mx | join('\\nmx: ')}}\n';
     }

roles/nginx/templates/letsencrypt.conf

-location /.well-known/acme-challenge {
+location /.well-known/acme-challenge/ {
     root {{ letsencrypt_validation_dir }};
     default_type "text/plain";
     try_files $uri =404;

roles/ping/templates/nginx.d.conf.j2

@@ -23,7 +23,7 @@ server {
     }
 
     # https://man.archlinux.org/man/NetworkManager.conf.5#CONNECTIVITY_SECTION
-    location /nm-check.txt {
+    location = /nm-check.txt {
         access_log off;
         add_header Cache-Control "max-age=0, must-revalidate";
         return 200 'NetworkManager is online\n';

roles/rebuilderd/templates/nginx.d.conf.j2

@@ -47,12 +47,12 @@ server {
            add_header Cache-Control "public, must-revalidate, proxy-revalidate";
     }
 
-    location /api {
+    location /api/ {
             proxy_set_header    X-Real-IP          $remote_addr;
 	    proxy_pass http://127.0.0.1:8484;
     }
 
-    location /api/v0/build/report {
+    location = /api/v0/build/report {
 	    client_max_body_size 25M;
             proxy_set_header    X-Real-IP          $remote_addr;
 	    proxy_pass http://127.0.0.1:8484;