refactor: remove port 80 listeners and enforce HTTPS-only in tests

Removes the listen 80 / listen [::]:80 blocks from cdn.conf since
port 80 is blocked at the firewall. Updates test 6 to enforce that
no custom server block listens on port 80 at all.

nginx/nginx/sites-available/cdn.conf

@@ -1,6 +1,4 @@
 server {
-    listen 80;
-    listen [::]:80;
     listen 443 ssl;
     listen [::]:443 ssl;
 

test.sh

@@ -101,21 +101,19 @@ done
 echo ""
 
 # ──────────────────────────────────────────────────────────────────
-# 6. Any port-80 listener must also have a port-443 listener in the
-#    same file (HTTP-only serving is not acceptable for real sites)
+# 6. No port-80 listeners in any custom server block
+#    (port 80 is blocked at the firewall; all traffic is HTTPS only)
 # ──────────────────────────────────────────────────────────────────
-echo "--- HTTP-only server block check ---"
-http_only_errors=0
-for conf in "$NGINX_DIR/sites-available/"*.conf; do
-  [ "$(basename "$conf")" = "default" ] && continue
-  has_80=$(grep -cP 'listen\s.*\b80\b' "$conf" 2>/dev/null || true)
-  has_443=$(grep -c 'listen 443' "$conf" 2>/dev/null || true)
-  if [ "${has_80:-0}" -gt 0 ] && [ "${has_443:-0}" -eq 0 ]; then
-    fail "$(basename "$conf"): listens on port 80 but has no port-443 listener"
-    http_only_errors=1
-  fi
-done
-[ "$http_only_errors" -eq 0 ] && pass "No HTTP-only server blocks in custom sites"
+echo "--- Port 80 listener check ---"
+http_blocks=$(grep -rnP 'listen\s.*\b80\b' "$NGINX_DIR/sites-available/" \
+  | grep -v 'sites-available/default' \
+  | grep -v '^\s*#' || true)
+if [ -n "$http_blocks" ]; then
+  fail "Port 80 listeners found in custom site configs:"
+  printf '%s\n' "$http_blocks" | sed 's/^/    /'
+else
+  pass "No port 80 listeners in custom server blocks"
+fi
 echo ""
 
 # ──────────────────────────────────────────────────────────────────