Remove http directives.

These are included within a http block, and it's illegal to nest them.

extra/hsts.conf

@@ -2,12 +2,9 @@
 # always request the resource over HTTPS, preventing a stripping/downgrade
 # attack.
 
-http {
-
-    map $scheme $hsts_header {
-        https   max-age=31536000;
-    }
+map $scheme $hsts_header {
+    https   max-age=31536000;
+}
 
-    add_header Strict-Transport-Security $hsts_header;
+add_header Strict-Transport-Security $hsts_header;
 
-}

extra/security.conf

@@ -1,20 +1,17 @@
 # General security-related directives.
 
-http {
+# Don't offer up information about the version of Nginx we use
+server_tokens      off;
 
-    # Don't offer up information about the version of Nginx we use
-    server_tokens      off;
+# Don't allow other websites to present our content in a frame/iframe.
+# This mitigates clickjacking attacks.
+add_header         X-Frame-Options "SAMEORIGIN";
 
-    # Don't allow other websites to present our content in a frame/iframe.
-    # This mitigates clickjacking attacks.
-    add_header         X-Frame-Options "SAMEORIGIN";
+# Don't allow browsers to try and sniff content types. This prevents
+# malicious user-generated content being misinterpreted.
+add_header         X-Content-Type-Options "nosniff";
 
-    # Don't allow browsers to try and sniff content types. This prevents
-    # malicious user-generated content being misinterpreted.
-    add_header         X-Content-Type-Options "nosniff";
+# Enable XSS protection, if browsers don't already have it enabled
+# by default.
+add_header         X-XSS-Protection "1; mode=block";
 
-    # Enable XSS protection, if browsers don't already have it enabled
-    # by default.
-    add_header         X-XSS-Protection "1; mode=block";
-
-}

extra/ssl.conf

@@ -15,16 +15,13 @@
 #
 # Older browsers or platforms won't be able to negotiate a connection.
 
-http {
+ssl_protocols               TLSv1.2;
+ssl_ciphers                 "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
+ssl_prefer_server_ciphers   on;
+ssl_session_timeout         1d;
+ssl_session_cache           shared:SSL:50m;
+ssl_session_tickets         off;
+ssl_stapling                on;
+ssl_stapling_verify         on;
+resolver                    8.8.8.8;
 
-    ssl_protocols               TLSv1.2;
-    ssl_ciphers                 "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
-    ssl_prefer_server_ciphers   on;
-    ssl_session_timeout         1d;
-    ssl_session_cache           shared:SSL:50m;
-    ssl_session_tickets         off;
-    ssl_stapling                on;
-    ssl_stapling_verify         on;
-    resolver                    8.8.8.8;
-
-}