feat(pm): block missing nginx host connections #98

We previously returned One Of The Websites when nginx was accessed from
a host that we didn't know about. That included direct IP address access
as well as things which have been CNAMEd to us (either through a starred
record or due to past services) but which aren't actually hosted by us.

This leads to a number of undesireable effects:
- User confusion ("why does the aux docs website have Stalwart?")
- Incorrect SSL certificates ("your blog seems to have an invalid
certificate")
- SSL being offered via direct IPs, which isn't possible to sign on the
public internet

We can block this by making a default server to take control whenever
nothing matches, and setting that default server to block all
connections and reject all SSL handshakes

We need to have a certificate for this, but it needn't actually be valid
for anything so let's self sign stuff...

There's no need for us to be listening for silverbullet on our
clicks.domains host, nor should we be listening for plain HTTP anymore

Grocy is a stock tracking application for groceries. I'd like to use it
to keep track of some of my stuff, so let's host it on umber!

We previously returned One Of The Websites when nginx was accessed from
a host that we didn't know about. That included direct IP address access
as well as things which have been CNAMEd to us (either through a starred
record or due to past services) but which aren't actually hosted by us.

This leads to a number of undesireable effects:
- User confusion ("why does the aux docs website have Stalwart?")
- Incorrect SSL certificates ("your blog seems to have an invalid
certificate")
- SSL being offered via direct IPs, which isn't possible to sign on the
public internet

We can block this by making a default server to take control whenever
nothing matches, and setting that default server to block all
connections and reject all SSL handshakes

We need to have a certificate for this, but it needn't actually be valid
for anything so let's self sign stuff...

There's no need for us to be listening for silverbullet on our
clicks.domains host, nor should we be listening for plain HTTP anymore

Grocy is a stock tracking application for groceries. I'd like to use it
to keep track of some of my stuff, so let's host it on umber!

We previously returned One Of The Websites when nginx was accessed from
a host that we didn't know about. That included direct IP address access
as well as things which have been CNAMEd to us (either through a starred
record or due to past services) but which aren't actually hosted by us.

This leads to a number of undesireable effects:
- User confusion ("why does the aux docs website have Stalwart?")
- Incorrect SSL certificates ("your blog seems to have an invalid
certificate")
- SSL being offered via direct IPs, which isn't possible to sign on the
public internet

We can block this by making a default server to take control whenever
nothing matches, and setting that default server to block all
connections and reject all SSL handshakes

We need to have a certificate for this, but it needn't actually be valid
for anything so let's self sign stuff...

There's no need for us to be listening for silverbullet on our
clicks.domains host, nor should we be listening for plain HTTP anymore

Grocy is a stock tracking application for groceries. I'd like to use it
to keep track of some of my stuff, so let's host it on umber!

We previously returned One Of The Websites when nginx was accessed from
a host that we didn't know about. That included direct IP address access
as well as things which have been CNAMEd to us (either through a starred
record or due to past services) but which aren't actually hosted by us.

This leads to a number of undesireable effects:
- User confusion ("why does the aux docs website have Stalwart?")
- Incorrect SSL certificates ("your blog seems to have an invalid
certificate")
- SSL being offered via direct IPs, which isn't possible to sign on the
public internet

We can block this by making a default server to take control whenever
nothing matches, and setting that default server to block all
connections and reject all SSL handshakes

We need to have a certificate for this, but it needn't actually be valid
for anything so let's self sign stuff...

There's no need for us to be listening for silverbullet on our
clicks.domains host, nor should we be listening for plain HTTP anymore

Grocy is a stock tracking application for groceries. I'd like to use it
to keep track of some of my stuff, so let's host it on umber!

We previously returned One Of The Websites when nginx was accessed from
a host that we didn't know about. That included direct IP address access
as well as things which have been CNAMEd to us (either through a starred
record or due to past services) but which aren't actually hosted by us.

This leads to a number of undesireable effects:
- User confusion ("why does the aux docs website have Stalwart?")
- Incorrect SSL certificates ("your blog seems to have an invalid
certificate")
- SSL being offered via direct IPs, which isn't possible to sign on the
public internet

We can block this by making a default server to take control whenever
nothing matches, and setting that default server to block all
connections and reject all SSL handshakes

We need to have a certificate for this, but it needn't actually be valid
for anything so let's self sign stuff...

There's no need for us to be listening for silverbullet on our
clicks.domains host, nor should we be listening for plain HTTP anymore

Grocy is a stock tracking application for groceries. I'd like to use it
to keep track of some of my stuff, so let's host it on umber!

We previously returned One Of The Websites when nginx was accessed from
a host that we didn't know about. That included direct IP address access
as well as things which have been CNAMEd to us (either through a starred
record or due to past services) but which aren't actually hosted by us.

This leads to a number of undesireable effects:
- User confusion ("why does the aux docs website have Stalwart?")
- Incorrect SSL certificates ("your blog seems to have an invalid
certificate")
- SSL being offered via direct IPs, which isn't possible to sign on the
public internet

We can block this by making a default server to take control whenever
nothing matches, and setting that default server to block all
connections and reject all SSL handshakes

We need to have a certificate for this, but it needn't actually be valid
for anything so let's self sign stuff...

There's no need for us to be listening for silverbullet on our
clicks.domains host, nor should we be listening for plain HTTP anymore

Grocy is a stock tracking application for groceries. I'd like to use it
to keep track of some of my stuff, so let's host it on umber!

We previously returned One Of The Websites when nginx was accessed from
a host that we didn't know about. That included direct IP address access
as well as things which have been CNAMEd to us (either through a starred
record or due to past services) but which aren't actually hosted by us.

This leads to a number of undesireable effects:
- User confusion ("why does the aux docs website have Stalwart?")
- Incorrect SSL certificates ("your blog seems to have an invalid
certificate")
- SSL being offered via direct IPs, which isn't possible to sign on the
public internet

We can block this by making a default server to take control whenever
nothing matches, and setting that default server to block all
connections and reject all SSL handshakes

We need to have a certificate for this, but it needn't actually be valid
for anything so let's self sign stuff...

There's no need for us to be listening for silverbullet on our
clicks.domains host, nor should we be listening for plain HTTP anymore

Grocy is a stock tracking application for groceries. I'd like to use it
to keep track of some of my stuff, so let's host it on umber!