diff --git a/src/freedombone b/src/freedombone
index bf676799..b0578873 100755
--- a/src/freedombone
+++ b/src/freedombone
@@ -58,6 +58,9 @@ VERSION="1.01"
 # if yes then this minimises the number of descisions presented during install
 MINIMAL_INSTALL="yes"
 
+# Whether web sites will be .onion addresses only
+ONION_ONLY="no"
+
 # Different system variants which may be specified within
 # the SYSTEM_TYPE option
 VARIANT_FULL="full"
@@ -875,6 +878,9 @@ function read_configuration {
         if [[ $CONFIGURATION_FILE != "/root/${PROJECT_NAME}.cfg" ]]; then
             cp $CONFIGURATION_FILE /root/${PROJECT_NAME}.cfg
         fi
+        if grep -q "ONION_ONLY" $CONFIGURATION_FILE; then
+            ONION_ONLY=$(grep "ONION_ONLY" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
+        fi
         if grep -q "IRC_PASSWORD" $CONFIGURATION_FILE; then
             IRC_PASSWORD=$(grep "IRC_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
         fi
@@ -4378,12 +4384,14 @@ function configure_imap_client_certs {
         echo '  pass = no' >> /etc/dovecot/conf.d/10-auth.conf
         echo '}' >> /etc/dovecot/conf.d/10-auth.conf
     fi
-    # make a CA cert
-    if [ ! -f /etc/ssl/private/ca-$DEFAULT_DOMAIN_NAME.key ]; then
-        if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
-            ${PROJECT_NAME}-addcert -h $DEFAULT_DOMAIN_NAME --ca "" --dhkey $DH_KEYLENGTH
-        else
-            ${PROJECT_NAME}-addcert -e $DEFAULT_DOMAIN_NAME -s $LETSENCRYPT_SERVER --ca "" --dhkey $DH_KEYLENGTH
+    if [[ $ONION_ONLY == "no" ]]; then
+        # make a CA cert
+        if [ ! -f /etc/ssl/private/ca-$DEFAULT_DOMAIN_NAME.key ]; then
+            if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
+                ${PROJECT_NAME}-addcert -h $DEFAULT_DOMAIN_NAME --ca "" --dhkey $DH_KEYLENGTH
+            else
+                ${PROJECT_NAME}-addcert -e $DEFAULT_DOMAIN_NAME -s $LETSENCRYPT_SERVER --ca "" --dhkey $DH_KEYLENGTH
+            fi
         fi
     fi
     # CA configuration
@@ -5775,98 +5783,102 @@ quit" > $INSTALL_DIR/batch.sql
 
     ln -s /usr/share/owncloud /var/www/$OWNCLOUD_DOMAIN_NAME/htdocs
 
-    echo 'server {' > /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    listen 80;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo "    server_name $OWNCLOUD_DOMAIN_NAME;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    access_log off;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo "    error_log /var/log/nginx/${OWNCLOUD_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    rewrite ^ https://$server_name$request_uri? permanent;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '}' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo 'server {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    listen 443 ssl;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo "    root /var/www/$OWNCLOUD_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo "    server_name $OWNCLOUD_DOMAIN_NAME;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    access_log off;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo "    error_log /var/log/nginx/${OWNCLOUD_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    ssl on;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo "    ssl_certificate /etc/ssl/certs/$OWNCLOUD_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo "    ssl_certificate_key /etc/ssl/private/$OWNCLOUD_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo "    ssl_dhparam /etc/ssl/certs/$OWNCLOUD_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    ssl_session_timeout 60m;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo "    ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo "    ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    # if you want to be able to access the site via HTTP' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    # then replace the above with the following:' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    # add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo "    # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '        allow all;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    client_max_body_size 10G; # set max upload size' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    client_body_buffer_size 128k;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    fastcgi_buffers 64 4K;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    index index.php;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    error_page 403 /core/templates/403.php;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    error_page 404 /core/templates/404.php;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    location = /robots.txt {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '        allow all;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '        log_not_found off;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '        access_log off;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    location ~ ^/(data|config|\.ht|db_structure\.xml|README) {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '        deny all;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    location / {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '        # The following 2 rules are only needed with webfinger' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '        rewrite ^/.well-known/host-meta /public.php?service=host-meta last;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '        rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '        rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '        rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '        rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '        try_files $uri $uri/ index.php;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    location ~ ^(.+?\.php)(/.*)?$ {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '        try_files $1 =404;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '        fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '        fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '        fastcgi_index index.php;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '        include fastcgi_params;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '        fastcgi_param SCRIPT_FILENAME $document_root$1;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '        fastcgi_param PATH_INFO $2;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '        fastcgi_param HTTPS on;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    # Optional: set long EXPIRES header on static assets' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '        expires 30d;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo "        # Optional: Don't log access to assets" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '        access_log off;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '}' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+    if [[ $ONION_ONLY == "no" ]]; then
+        echo 'server {' > /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    listen 80;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo "    server_name $OWNCLOUD_DOMAIN_NAME;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    access_log off;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo "    error_log /var/log/nginx/${OWNCLOUD_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    rewrite ^ https://$server_name$request_uri? permanent;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '}' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo 'server {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    listen 443 ssl;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo "    root /var/www/$OWNCLOUD_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo "    server_name $OWNCLOUD_DOMAIN_NAME;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    access_log off;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo "    error_log /var/log/nginx/${OWNCLOUD_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    ssl on;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo "    ssl_certificate /etc/ssl/certs/$OWNCLOUD_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo "    ssl_certificate_key /etc/ssl/private/$OWNCLOUD_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo "    ssl_dhparam /etc/ssl/certs/$OWNCLOUD_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    ssl_session_timeout 60m;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo "    ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo "    ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    # if you want to be able to access the site via HTTP' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    # then replace the above with the following:' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    # add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo "    # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '        allow all;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    client_max_body_size 10G; # set max upload size' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    client_body_buffer_size 128k;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    fastcgi_buffers 64 4K;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    index index.php;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    error_page 403 /core/templates/403.php;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    error_page 404 /core/templates/404.php;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    location = /robots.txt {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '        allow all;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '        log_not_found off;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '        access_log off;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    location ~ ^/(data|config|\.ht|db_structure\.xml|README) {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '        deny all;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    location / {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '        # The following 2 rules are only needed with webfinger' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '        rewrite ^/.well-known/host-meta /public.php?service=host-meta last;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '        rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '        rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '        rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '        rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '        try_files $uri $uri/ index.php;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    location ~ ^(.+?\.php)(/.*)?$ {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '        try_files $1 =404;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '        fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '        fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '        fastcgi_index index.php;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '        include fastcgi_params;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '        fastcgi_param SCRIPT_FILENAME $document_root$1;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '        fastcgi_param PATH_INFO $2;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '        fastcgi_param HTTPS on;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    # Optional: set long EXPIRES header on static assets' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '        expires 30d;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo "        # Optional: Don't log access to assets" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '        access_log off;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '}' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+    else
+        echo -n '' > /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
+    fi
     echo 'server {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
     echo "    listen 127.0.0.1:${OWNCLOUD_ONION_PORT} default_server;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
     echo "    root /var/www/$OWNCLOUD_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME
@@ -5942,13 +5954,15 @@ quit" > $INSTALL_DIR/batch.sql
 
     configure_php
 
-    if [ ! -f /etc/ssl/certs/$OWNCLOUD_DOMAIN_NAME.dhparam ]; then
-        if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
-            ${PROJECT_NAME}-addcert -h $OWNCLOUD_DOMAIN_NAME --dhkey $DH_KEYLENGTH
-        else
-            ${PROJECT_NAME}-addcert -e $OWNCLOUD_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+    if [[ $ONION_ONLY == "no" ]]; then
+        if [ ! -f /etc/ssl/certs/$OWNCLOUD_DOMAIN_NAME.dhparam ]; then
+            if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
+                ${PROJECT_NAME}-addcert -h $OWNCLOUD_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+            else
+                ${PROJECT_NAME}-addcert -e $OWNCLOUD_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+            fi
+            check_certificates $OWNCLOUD_DOMAIN_NAME
         fi
-        check_certificates $OWNCLOUD_DOMAIN_NAME
     fi
 
     # Ensure that the database gets backed up locally, if remote
@@ -6201,65 +6215,69 @@ quit" > $INSTALL_DIR/batch.sql
         rm -rf /var/www/$GIT_DOMAIN_NAME/htdocs
     fi
 
-    echo 'server {' > /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '    listen 80;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo "    server_name $GIT_DOMAIN_NAME;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '    access_log off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo "    error_log /var/log/nginx/${GIT_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '    location / {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '        proxy_pass http://localhost:3000;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '    location ^~ /user/ {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '        rewrite ^ https://$server_name$request_uri?;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '    location ^~ /admin/ {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '        rewrite ^ https://$server_name$request_uri?;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '}' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo 'server {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '    listen 443 ssl;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo "    root /var/www/$GIT_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo "    server_name $GIT_DOMAIN_NAME;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '    access_log off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo "    error_log /var/log/nginx/${GIT_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '    ssl on;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo "    ssl_certificate /etc/ssl/certs/$GIT_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo "    ssl_certificate_key /etc/ssl/private/$GIT_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo "    ssl_dhparam /etc/ssl/certs/$GIT_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '    ssl_session_timeout 60m;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '    ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo "    ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo "    ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '    add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '    add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '    add_header Strict-Transport-Security max-age=0;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '    location / {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '        proxy_pass http://localhost:3000;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '    client_max_body_size 10G; # set max upload size' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '    client_body_buffer_size 128k;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '    fastcgi_buffers 64 4K;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '    error_page 403 /core/templates/403.php;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '    error_page 404 /core/templates/404.php;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '    location = /robots.txt {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '        allow all;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '        log_not_found off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '        access_log off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '}' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+    if [[ $ONION_ONLY == "no" ]]; then
+        echo 'server {' > /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '    listen 80;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo "    server_name $GIT_DOMAIN_NAME;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '    access_log off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo "    error_log /var/log/nginx/${GIT_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '    location / {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '        proxy_pass http://localhost:3000;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '    location ^~ /user/ {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '        rewrite ^ https://$server_name$request_uri?;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '    location ^~ /admin/ {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '        rewrite ^ https://$server_name$request_uri?;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '}' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo 'server {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '    listen 443 ssl;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo "    root /var/www/$GIT_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo "    server_name $GIT_DOMAIN_NAME;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '    access_log off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo "    error_log /var/log/nginx/${GIT_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '    ssl on;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo "    ssl_certificate /etc/ssl/certs/$GIT_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo "    ssl_certificate_key /etc/ssl/private/$GIT_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo "    ssl_dhparam /etc/ssl/certs/$GIT_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '    ssl_session_timeout 60m;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '    ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo "    ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo "    ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '    add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '    add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '    add_header Strict-Transport-Security max-age=0;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '    location / {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '        proxy_pass http://localhost:3000;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '    client_max_body_size 10G; # set max upload size' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '    client_body_buffer_size 128k;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '    fastcgi_buffers 64 4K;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '    error_page 403 /core/templates/403.php;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '    error_page 404 /core/templates/404.php;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '    location = /robots.txt {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '        allow all;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '        log_not_found off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '        access_log off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '}' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+    else
+        echo -n '' > /etc/nginx/sites-available/$GIT_DOMAIN_NAME
+    fi
     echo 'server {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
     echo "    listen 127.0.0.1:${GIT_ONION_PORT} default_server;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
     echo "    root /var/www/$GIT_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME
@@ -6294,13 +6312,15 @@ quit" > $INSTALL_DIR/batch.sql
 
     configure_php
 
-    if [ ! -f /etc/ssl/certs/$GIT_DOMAIN_NAME.dhparam ]; then
-        if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
-            ${PROJECT_NAME}-addcert -h $GIT_DOMAIN_NAME --dhkey $DH_KEYLENGTH
-        else
-            ${PROJECT_NAME}-addcert -e $GIT_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+    if [[ $ONION_ONLY == "no" ]]; then
+        if [ ! -f /etc/ssl/certs/$GIT_DOMAIN_NAME.dhparam ]; then
+            if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
+                ${PROJECT_NAME}-addcert -h $GIT_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+            else
+                ${PROJECT_NAME}-addcert -e $GIT_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+            fi
+            check_certificates $GIT_DOMAIN_NAME
         fi
-        check_certificates $GIT_DOMAIN_NAME
     fi
 
     nginx_ensite $GIT_DOMAIN_NAME
@@ -6912,174 +6932,178 @@ function install_wiki {
         echo 'webm    video/webm' >> /etc/dokuwiki/mime.conf
     fi
 
-    echo 'server {' > /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    listen 80;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo "    root /var/www/$WIKI_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo "    server_name $WIKI_DOMAIN_NAME;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    access_log off;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo "    error_log /var/log/nginx/${WIKI_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    charset utf-8;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    client_max_body_size 20m;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    client_body_buffer_size 128k;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    location / {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo "    # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        allow all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    # statically serve these file types when possible' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    # otherwise fall back to front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    # allow browser to cache them' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        expires 30d;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    # block these file types' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    # or a unix socket' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    location ~* \.php$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        # Zero-day exploit defense.' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo "        # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo "        # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo "        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo "        # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        # With php5-cgi alone:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        # With php5-fpm:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        include fastcgi_params;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        fastcgi_index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    # deny access to all dot files' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    location ~ /\. {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    #deny access to store' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    location ~ /store {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '      deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    location ~ /\.ht {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '      deny  all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '}' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo 'server {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    listen 443 ssl;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo "    root /var/www/$WIKI_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo "    server_name $WIKI_DOMAIN_NAME;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    access_log off;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo "    error_log /var/log/nginx/${WIKI_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    charset utf-8;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    client_max_body_size 20m;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    client_body_buffer_size 128k;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    ssl on;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo "    ssl_certificate /etc/ssl/certs/$WIKI_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo "    ssl_certificate_key /etc/ssl/private/$WIKI_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo "    ssl_dhparam /etc/ssl/certs/$WIKI_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    ssl_session_timeout 60m;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    ssl_session_cache  builtin:1000  shared:SSL:10m;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo "    ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo "    ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    location / {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo "    # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        allow all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    # statically serve these file types when possible' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    # otherwise fall back to front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    # allow browser to cache them' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        expires 30d;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    # block these file types' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    # or a unix socket' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    location ~* \.php$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        # Zero-day exploit defense.' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo "        # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo "        # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo "        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo "        # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        # With php5-cgi alone:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        # With php5-fpm:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        include fastcgi_params;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        fastcgi_index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    # deny access to all dot files' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    location ~ /\. {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    #deny access to store' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    location ~ /store {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '        deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '      deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    location ~ /\.ht {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '      deny  all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '}' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+    if [[ $ONION_ONLY == "no" ]]; then
+        echo 'server {' > /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    listen 80;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo "    root /var/www/$WIKI_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo "    server_name $WIKI_DOMAIN_NAME;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    access_log off;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo "    error_log /var/log/nginx/${WIKI_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    charset utf-8;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    client_max_body_size 20m;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    client_body_buffer_size 128k;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    location / {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo "    # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        allow all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    # statically serve these file types when possible' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    # otherwise fall back to front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    # allow browser to cache them' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        expires 30d;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    # block these file types' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    # or a unix socket' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    location ~* \.php$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        # Zero-day exploit defense.' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo "        # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo "        # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo "        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo "        # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        # With php5-cgi alone:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        # With php5-fpm:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        include fastcgi_params;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        fastcgi_index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    # deny access to all dot files' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    location ~ /\. {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    #deny access to store' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    location ~ /store {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '      deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    location ~ /\.ht {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '      deny  all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '}' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo 'server {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    listen 443 ssl;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo "    root /var/www/$WIKI_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo "    server_name $WIKI_DOMAIN_NAME;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    access_log off;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo "    error_log /var/log/nginx/${WIKI_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    charset utf-8;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    client_max_body_size 20m;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    client_body_buffer_size 128k;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    ssl on;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo "    ssl_certificate /etc/ssl/certs/$WIKI_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo "    ssl_certificate_key /etc/ssl/private/$WIKI_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo "    ssl_dhparam /etc/ssl/certs/$WIKI_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    ssl_session_timeout 60m;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    ssl_session_cache  builtin:1000  shared:SSL:10m;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo "    ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo "    ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    location / {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo "    # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        allow all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    # statically serve these file types when possible' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    # otherwise fall back to front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    # allow browser to cache them' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        expires 30d;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    # block these file types' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    # or a unix socket' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    location ~* \.php$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        # Zero-day exploit defense.' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo "        # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo "        # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo "        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo "        # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        # With php5-cgi alone:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        # With php5-fpm:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        include fastcgi_params;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        fastcgi_index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    # deny access to all dot files' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    location ~ /\. {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    #deny access to store' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    location ~ /store {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '        deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '      deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    location ~ /\.ht {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '      deny  all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '}' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+    else
+        echo -n '' > /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
+    fi
     echo 'server {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
     echo "    listen 127.0.0.1:${WIKI_ONION_PORT} default_server;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
     echo "    root /var/www/$WIKI_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
@@ -7161,13 +7185,15 @@ function install_wiki {
     echo '    }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
     echo '}' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME
 
-    if [ ! -f /etc/ssl/certs/$WIKI_DOMAIN_NAME.dhparam ]; then
-        if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
-            ${PROJECT_NAME}-addcert -h $WIKI_DOMAIN_NAME --dhkey $DH_KEYLENGTH
-        else
-            ${PROJECT_NAME}-addcert -e $WIKI_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+    if [[ $ONION_ONLY == "no" ]]; then
+        if [ ! -f /etc/ssl/certs/$WIKI_DOMAIN_NAME.dhparam ]; then
+            if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
+                ${PROJECT_NAME}-addcert -h $WIKI_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+            else
+                ${PROJECT_NAME}-addcert -e $WIKI_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+            fi
+            check_certificates $WIKI_DOMAIN_NAME
         fi
-        check_certificates $WIKI_DOMAIN_NAME
     fi
 
     configure_php
@@ -7277,179 +7303,183 @@ function install_blog {
 
     chown -R www-data:www-data /var/www/$FULLBLOG_DOMAIN_NAME/htdocs
 
-    echo 'server {' > /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    listen 80;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo "    root /var/www/$FULLBLOG_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo "    server_name $FULLBLOG_DOMAIN_NAME;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    access_log off;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo "    error_log /var/log/nginx/${FULLBLOG_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    index index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    charset utf-8;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    client_max_body_size 20m;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    client_body_buffer_size 128k;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    # Always redirect the login page to https' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    location /login {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        rewrite ^ https://$server_name$request_uri?;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    location / {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo "    # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        allow all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    # statically serve these file types when possible' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    # otherwise fall back to front controller' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    # allow browser to cache them' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        expires 30d;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    # block these file types' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    # or a unix socket' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    location ~* \.php$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        # Zero-day exploit defense.' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo "        # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo "        # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo "        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo "        # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        # With php5-cgi alone:' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        # With php5-fpm:' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        include fastcgi_params;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        fastcgi_index index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    # deny access to all dot files' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    location ~ /\. {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    #deny access to store' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    location ~ /store {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '      deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    location ~ /\.ht {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '      deny  all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '}' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo 'server {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    listen 443 ssl;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo "    root /var/www/$FULLBLOG_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo "    server_name $FULLBLOG_DOMAIN_NAME;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    access_log off;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo "    error_log /var/log/nginx/${FULLBLOG_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    index index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    charset utf-8;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    client_max_body_size 20m;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    client_body_buffer_size 128k;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    ssl on;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo "    ssl_certificate /etc/ssl/certs/$FULLBLOG_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo "    ssl_certificate_key /etc/ssl/private/$FULLBLOG_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo "    ssl_dhparam /etc/ssl/certs/$FULLBLOG_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    ssl_session_timeout 60m;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    ssl_session_cache  builtin:1000  shared:SSL:10m;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo "    ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo "    ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    location / {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo "    # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        allow all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    # statically serve these file types when possible' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    # otherwise fall back to front controller' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    # allow browser to cache them' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        expires 30d;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    # block these file types' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    # or a unix socket' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    location ~* \.php$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        # Zero-day exploit defense.' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo "        # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo "        # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo "        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo "        # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        # With php5-cgi alone:' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        # With php5-fpm:' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        include fastcgi_params;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        fastcgi_index index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    # deny access to all dot files' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    location ~ /\. {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    #deny access to store' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    location ~ /store {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '        deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '      deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    location ~ /\.ht {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '      deny  all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '}' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+    if [[ $ONION_ONLY == "no" ]]; then
+        echo 'server {' > /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    listen 80;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo "    root /var/www/$FULLBLOG_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo "    server_name $FULLBLOG_DOMAIN_NAME;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    access_log off;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo "    error_log /var/log/nginx/${FULLBLOG_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    index index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    charset utf-8;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    client_max_body_size 20m;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    client_body_buffer_size 128k;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    # Always redirect the login page to https' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    location /login {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        rewrite ^ https://$server_name$request_uri?;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    location / {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo "    # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        allow all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    # statically serve these file types when possible' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    # otherwise fall back to front controller' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    # allow browser to cache them' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        expires 30d;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    # block these file types' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    # or a unix socket' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    location ~* \.php$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        # Zero-day exploit defense.' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo "        # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo "        # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo "        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo "        # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        # With php5-cgi alone:' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        # With php5-fpm:' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        include fastcgi_params;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        fastcgi_index index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    # deny access to all dot files' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    location ~ /\. {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    #deny access to store' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    location ~ /store {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '      deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    location ~ /\.ht {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '      deny  all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '}' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo 'server {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    listen 443 ssl;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo "    root /var/www/$FULLBLOG_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo "    server_name $FULLBLOG_DOMAIN_NAME;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    access_log off;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo "    error_log /var/log/nginx/${FULLBLOG_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    index index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    charset utf-8;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    client_max_body_size 20m;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    client_body_buffer_size 128k;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    ssl on;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo "    ssl_certificate /etc/ssl/certs/$FULLBLOG_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo "    ssl_certificate_key /etc/ssl/private/$FULLBLOG_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo "    ssl_dhparam /etc/ssl/certs/$FULLBLOG_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    ssl_session_timeout 60m;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    ssl_session_cache  builtin:1000  shared:SSL:10m;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo "    ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo "    ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    location / {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo "    # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        allow all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    # statically serve these file types when possible' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    # otherwise fall back to front controller' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    # allow browser to cache them' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        expires 30d;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    # block these file types' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    # or a unix socket' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    location ~* \.php$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        # Zero-day exploit defense.' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo "        # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo "        # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo "        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo "        # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        # With php5-cgi alone:' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        # With php5-fpm:' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        include fastcgi_params;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        fastcgi_index index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    # deny access to all dot files' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    location ~ /\. {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    #deny access to store' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    location ~ /store {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '        deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '      deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    location ~ /\.ht {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '      deny  all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '}' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+    else
+        echo -n '' > /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+    fi
     echo 'server {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
     echo "    listen 127.0.0.1:${FULLBLOG_ONION_PORT} default_server;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
     echo "    root /var/www/$FULLBLOG_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
@@ -7531,13 +7561,15 @@ function install_blog {
     echo '    }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
     echo '}' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
 
-    if [ ! -f /etc/ssl/certs/$FULLBLOG_DOMAIN_NAME.dhparam ]; then
-        if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
-            ${PROJECT_NAME}-addcert -h $FULLBLOG_DOMAIN_NAME --dhkey $DH_KEYLENGTH
-        else
-            ${PROJECT_NAME}-addcert -e $FULLBLOG_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+    if [[ $ONION_ONLY == "no" ]]; then
+        if [ ! -f /etc/ssl/certs/$FULLBLOG_DOMAIN_NAME.dhparam ]; then
+            if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
+                ${PROJECT_NAME}-addcert -h $FULLBLOG_DOMAIN_NAME --dhkey $DH_KEYLENGTH
+            else
+                ${PROJECT_NAME}-addcert -e $FULLBLOG_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+            fi
+            check_certificates $FULLBLOG_DOMAIN_NAME
         fi
-        check_certificates $FULLBLOG_DOMAIN_NAME
     fi
 
     configure_php
@@ -7720,73 +7752,77 @@ quit" > $INSTALL_DIR/batch.sql
     CURRENT_DDNS_DOMAIN=$MICROBLOG_DOMAIN_NAME
     add_ddns_domain
 
-    echo 'server {' > /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '    listen 80;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo "    server_name $MICROBLOG_DOMAIN_NAME;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo "    root /var/www/$MICROBLOG_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '    access_log off;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo "    error_log /var/log/nginx/${MICROBLOG_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '    index index.php;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '    rewrite ^ https://$server_name$request_uri? permanent;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '}' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo 'server {' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '    listen 443 ssl;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo "    server_name $MICROBLOG_DOMAIN_NAME;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo "    root /var/www/$MICROBLOG_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '    index index.php index.html index.htm;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '    access_log off;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '    location ~* \.php$ {' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '        # Zero-day exploit defense.' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '        # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '        try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '        fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '        fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '        include fastcgi_params;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '        fastcgi_index index.php;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '        fastcgi_read_timeout 300;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '    ssl on;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo "    ssl_certificate /etc/ssl/certs/$MICROBLOG_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo "    ssl_certificate_key /etc/ssl/private/$MICROBLOG_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo "    ssl_dhparam /etc/ssl/certs/$MICROBLOG_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '    ssl_session_timeout 60m;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '    ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '    ssl_session_cache  builtin:1000  shared:SSL:10m;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo "    ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo "    ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '    add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '    add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '    add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '  location / {' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '    rewrite ^(.*)$ /index.php?p=$1 last;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '    break;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '  }' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '  location ~* ^/(.*)\.(ico|css|js|gif|png|jpg|bmp|JPG|jpeg)$ {' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo "    root /var/www/$MICROBLOG_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '    rewrite ^/(.*)$ /$1 break;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '    access_log off;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '    expires max;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '  }' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '  client_max_body_size      15m;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo "  error_log /var/log/nginx/${MICROBLOG_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '}' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+    if [[ $ONION_ONLY == "no" ]]; then
+        echo 'server {' > /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '    listen 80;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo "    server_name $MICROBLOG_DOMAIN_NAME;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo "    root /var/www/$MICROBLOG_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '    access_log off;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo "    error_log /var/log/nginx/${MICROBLOG_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '    index index.php;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '    rewrite ^ https://$server_name$request_uri? permanent;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '}' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo 'server {' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '    listen 443 ssl;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo "    server_name $MICROBLOG_DOMAIN_NAME;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo "    root /var/www/$MICROBLOG_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '    index index.php index.html index.htm;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '    access_log off;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '    location ~* \.php$ {' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '        # Zero-day exploit defense.' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '        # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '        try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '        fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '        fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '        include fastcgi_params;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '        fastcgi_index index.php;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '        fastcgi_read_timeout 300;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '    ssl on;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo "    ssl_certificate /etc/ssl/certs/$MICROBLOG_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo "    ssl_certificate_key /etc/ssl/private/$MICROBLOG_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo "    ssl_dhparam /etc/ssl/certs/$MICROBLOG_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '    ssl_session_timeout 60m;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '    ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '    ssl_session_cache  builtin:1000  shared:SSL:10m;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo "    ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo "    ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '    add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '    add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '    add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '  location / {' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '    rewrite ^(.*)$ /index.php?p=$1 last;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '    break;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '  }' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '  location ~* ^/(.*)\.(ico|css|js|gif|png|jpg|bmp|JPG|jpeg)$ {' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo "    root /var/www/$MICROBLOG_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '    rewrite ^/(.*)$ /$1 break;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '    access_log off;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '    expires max;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '  }' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '  client_max_body_size      15m;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo "  error_log /var/log/nginx/${MICROBLOG_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '}' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+    else
+        echo -n '' > /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
+    fi
     echo 'server {' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
     echo "    listen 127.0.0.1:${MICROBLOG_ONION_PORT} default_server;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
     echo "    server_name $MICROBLOG_DOMAIN_NAME;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME
@@ -7832,9 +7868,11 @@ quit" > $INSTALL_DIR/batch.sql
 
     configure_php
 
-    if [ ! -f /etc/ssl/certs/$MICROBLOG_DOMAIN_NAME.dhparam ]; then
-        ${PROJECT_NAME}-addcert -e $MICROBLOG_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
-        check_certificates $MICROBLOG_DOMAIN_NAME
+    if [[ $ONION_ONLY == "no" ]]; then
+        if [ ! -f /etc/ssl/certs/$MICROBLOG_DOMAIN_NAME.dhparam ]; then
+            ${PROJECT_NAME}-addcert -e $MICROBLOG_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+            check_certificates $MICROBLOG_DOMAIN_NAME
+        fi
     fi
 
     # Ensure that the database gets backed up locally, if remote
@@ -8058,105 +8096,109 @@ quit" > $INSTALL_DIR/batch.sql
     CURRENT_DDNS_DOMAIN=$HUBZILLA_DOMAIN_NAME
     add_ddns_domain
 
-    echo 'server {' > /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    listen 80;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo "    server_name $HUBZILLA_DOMAIN_NAME;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo "    root /var/www/$HUBZILLA_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    access_log off;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo "    error_log /var/log/nginx/${HUBZILLA_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    index index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    rewrite ^ https://$server_name$request_uri? permanent;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '}' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo 'server {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    listen 443 ssl;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo "    root /var/www/$HUBZILLA_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo "    server_name $HUBZILLA_DOMAIN_NAME;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo "    error_log /var/log/nginx/${HUBZILLA_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    index index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    charset utf-8;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    client_max_body_size 20m;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    client_body_buffer_size 128k;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    access_log off;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    ssl on;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo "    ssl_certificate /etc/ssl/certs/$HUBZILLA_DOMAIN_NAME.bundle.crt;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo "    ssl_certificate_key /etc/ssl/private/$HUBZILLA_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo "    ssl_dhparam /etc/ssl/certs/$HUBZILLA_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    ssl_session_timeout 60m;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    ssl_session_cache  builtin:1000  shared:SSL:10m;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo "    ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo "    ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    location / {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '        rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo "    # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '        allow all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '        rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    # statically serve these file types when possible' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    # otherwise fall back to front controller' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    # allow browser to cache them' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '        expires 30d;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '        try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    # block these file types' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '        deny all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    # or a unix socket' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    location ~* \.php$ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '        # Zero-day exploit defense.' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '        # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo "        # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo "        # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo "        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo "        # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '        try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '        fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '        # With php5-cgi alone:' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '        # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '        # With php5-fpm:' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '        fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '        include fastcgi_params;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '        fastcgi_index index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '        fastcgi_read_timeout 300;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    # deny access to all dot files' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    location ~ /\. {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '        deny all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    location ~ /\.ht {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '      deny  all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '    }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '}' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
-    echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+    if [[ $ONION_ONLY == "no" ]]; then
+        echo 'server {' > /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    listen 80;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo "    server_name $HUBZILLA_DOMAIN_NAME;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo "    root /var/www/$HUBZILLA_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    access_log off;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo "    error_log /var/log/nginx/${HUBZILLA_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    index index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    rewrite ^ https://$server_name$request_uri? permanent;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '}' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo 'server {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    listen 443 ssl;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo "    root /var/www/$HUBZILLA_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo "    server_name $HUBZILLA_DOMAIN_NAME;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo "    error_log /var/log/nginx/${HUBZILLA_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    index index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    charset utf-8;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    client_max_body_size 20m;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    client_body_buffer_size 128k;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    access_log off;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    limit_conn conn_limit_per_ip 10;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    limit_req zone=req_limit_per_ip burst=10 nodelay;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    ssl on;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo "    ssl_certificate /etc/ssl/certs/$HUBZILLA_DOMAIN_NAME.bundle.crt;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo "    ssl_certificate_key /etc/ssl/private/$HUBZILLA_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo "    ssl_dhparam /etc/ssl/certs/$HUBZILLA_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    ssl_session_timeout 60m;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    ssl_session_cache  builtin:1000  shared:SSL:10m;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo "    ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo "    ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    location / {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '        rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo "    # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '        allow all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '        rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    # statically serve these file types when possible' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    # otherwise fall back to front controller' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    # allow browser to cache them' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '        expires 30d;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '        try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    # block these file types' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '        deny all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    # or a unix socket' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    location ~* \.php$ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '        # Zero-day exploit defense.' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '        # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo "        # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo "        # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo "        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo "        # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '        try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '        fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '        # With php5-cgi alone:' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '        # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '        # With php5-fpm:' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '        fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '        include fastcgi_params;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '        fastcgi_index index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '        fastcgi_read_timeout 300;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    # deny access to all dot files' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    location ~ /\. {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '        deny all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    location ~ /\.ht {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '      deny  all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '    }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '}' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+        echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+    else
+        echo -n '' > /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
+    fi
     echo 'server {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
     echo "    listen 127.0.0.1:${HUBZILLA_ONION_PORT} default_server;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
     echo "    root /var/www/$HUBZILLA_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME
@@ -8235,9 +8277,11 @@ quit" > $INSTALL_DIR/batch.sql
 
     configure_php
 
-    if [ ! -f /etc/ssl/certs/$HUBZILLA_DOMAIN_NAME.dhparam ]; then
-        ${PROJECT_NAME}-addcert -e $HUBZILLA_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
-        check_certificates $HUBZILLA_DOMAIN_NAME
+    if [[ $ONION_ONLY == "no" ]]; then
+        if [ ! -f /etc/ssl/certs/$HUBZILLA_DOMAIN_NAME.dhparam ]; then
+            ${PROJECT_NAME}-addcert -e $HUBZILLA_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
+            check_certificates $HUBZILLA_DOMAIN_NAME
+        fi
     fi
 
     if [ ! -d /var/www/$HUBZILLA_DOMAIN_NAME/htdocs/view/tpl/smarty3 ]; then