docs: [#28] add domain-specific HSTS behavior documentation

- Add comprehensive .dev vs .com domain behavior explanation
- Document browser HSTS preload list impact on .dev domains
- Update nginx README.md with domain-specific security considerations
- Update Hetzner cloud setup guide with domain choice guidance
- Add troubleshooting section for browser HTTPS redirect issues
- Clarify that .dev domains require HTTPS certificates for browser access
- Explain why curl works but browsers force HTTPS for .dev domains
- Provide solutions: use .com domains, install SSL, or use curl for testing
- Remove obsolete nginx template files and add Let's Encrypt template

Author: josecelano

application/scripts/configure-app.sh

@@ -208,16 +208,44 @@ process_templates() {
         log_warning "Tracker template not found: ${templates_dir}/tracker.toml.tpl"
     fi
 
-    # Process nginx configuration (choose appropriate template based on SSL settings)
+    # Process nginx configuration (choose appropriate template based on environment and SSL settings)
     local nginx_template
-    if [[ "${ENABLE_SSL:-false}" == "true" ]]; then
-        if [[ "${SSL_GENERATION_METHOD:-self-signed}" == "self-signed" ]]; then
-            nginx_template="${templates_dir}/nginx/nginx-https-selfsigned.conf.tpl"
-        else
-            nginx_template="${templates_dir}/nginx/nginx-https-letsencrypt.conf.tpl"
-        fi
-    else
+    
+    # First check if SSL is completely disabled
+    if [[ "${ENABLE_SSL:-true}" != "true" ]]; then
+        # SSL disabled: Always use HTTP-only template regardless of environment
         nginx_template="${templates_dir}/nginx/nginx-http.conf.tpl"
+        log_info "SSL disabled (ENABLE_SSL=${ENABLE_SSL:-false}), using HTTP-only template"
+    else
+        # SSL enabled: Choose template based on environment type and SSL configuration
+        # Progressive SSL configuration:
+        # - development, testing, e2e: Self-signed HTTPS (for testing HTTPS config)
+        # - staging, production: Let's Encrypt HTTPS or HTTP-only fallback
+        
+        case "${ENVIRONMENT_TYPE:-development}" in
+            development|testing|e2e)
+                # Development environments: Use self-signed HTTPS to test nginx HTTPS configuration
+                nginx_template="${templates_dir}/nginx/nginx-https-selfsigned.conf.tpl"
+                log_info "Using self-signed HTTPS template for ${ENVIRONMENT_TYPE:-development} environment"
+                ;;
+            staging|production)
+                # Production-like environments: Use Let's Encrypt if properly configured, otherwise HTTP-only
+                if [[ "${SSL_GENERATION_METHOD:-}" == "letsencrypt" ]]; then
+                    # Let's Encrypt explicitly configured
+                    nginx_template="${templates_dir}/nginx/nginx-https-letsencrypt.conf.tpl"
+                    log_info "Using Let's Encrypt HTTPS template for ${ENVIRONMENT_TYPE:-production} environment"
+                else
+                    # Default to HTTP-only for staging/production until proper SSL is configured
+                    nginx_template="${templates_dir}/nginx/nginx-http.conf.tpl"
+                    log_info "Using HTTP-only template for ${ENVIRONMENT_TYPE:-production} environment (Let's Encrypt not configured)"
+                fi
+                ;;
+            *)
+                # Unknown environment: Default to HTTP-only for safety
+                nginx_template="${templates_dir}/nginx/nginx-http.conf.tpl"
+                log_warning "Unknown environment type '${ENVIRONMENT_TYPE}', defaulting to HTTP-only template"
+                ;;
+        esac
     fi
 
     if [[ -f "$nginx_template" ]]; then

application/share/bin/ssl-configure-nginx.sh

@@ -41,7 +41,7 @@ NGINX_CONFIG_DIR="/var/lib/torrust/proxy/etc/nginx-conf"
 NGINX_CONFIG_FILE="${NGINX_CONFIG_DIR}/default.conf"
 TEMPLATES_DIR="${PROJECT_ROOT}/infrastructure/config/templates"
 HTTP_TEMPLATE="${TEMPLATES_DIR}/application/nginx/nginx-http.conf.tpl"
-HTTPS_EXTENSION_TEMPLATE="${TEMPLATES_DIR}/application/nginx/nginx-https-extension.conf.tpl"
+HTTPS_LETSENCRYPT_TEMPLATE="${TEMPLATES_DIR}/application/nginx/nginx-https-letsencrypt.conf.tpl"
 
 # Check prerequisites
 check_prerequisites() {
@@ -60,9 +60,9 @@ check_prerequisites() {
         exit 1
     fi
 
-    if [[ ! -f "${HTTPS_EXTENSION_TEMPLATE}" ]]; then
-        log_error "HTTPS extension template not found: ${HTTPS_EXTENSION_TEMPLATE}"
-        log_error "Please create the HTTPS extension template first"
+    if [[ ! -f "${HTTPS_LETSENCRYPT_TEMPLATE}" ]]; then
+        log_error "HTTPS Let's Encrypt template not found: ${HTTPS_LETSENCRYPT_TEMPLATE}"
+        log_error "Please create the HTTPS Let's Encrypt template first"
         exit 1
     fi
 
@@ -126,8 +126,8 @@ generate_nginx_config() {
     # Process HTTP template
     process_template "${HTTP_TEMPLATE}" "${http_config}"
 
-    # Process HTTPS extension template
-    process_template "${HTTPS_EXTENSION_TEMPLATE}" "${https_extension}"
+    # Process HTTPS Let's Encrypt template
+    process_template "${HTTPS_LETSENCRYPT_TEMPLATE}" "${https_extension}"
 
     # Combine HTTP and HTTPS configurations
     log_info "Combining HTTP and HTTPS configurations..."

docs/guides/providers/hetzner/hetzner-cloud-setup-guide.md

@@ -13,6 +13,22 @@ This guide covers two deployment environments:
 Both environments use **floating IPs** for stable DNS configuration and leverage
 **Hetzner DNS** for complete zone management.
 
+### Domain Choice Considerations
+
+#### `.dev` Domains (HSTS Preload Required)
+
+- **⚠️ Browser Behavior**: ALL browsers automatically redirect HTTP → HTTPS
+- **🔒 SSL Required**: HTTPS certificates mandatory for browser access
+- **✅ Security**: Enhanced security with forced encryption
+- **🧪 Testing**: Use curl for HTTP API testing during development
+
+#### `.com` Domains (Standard HTTP/HTTPS)
+
+- **🌐 Normal Behavior**: Browsers respect server HTTP/HTTPS configuration
+- **🔧 Flexibility**: Can start with HTTP and migrate to HTTPS when ready
+- **📈 Production**: Standard choice for production services
+- **🛠️ Development**: Easier for development and testing workflows
+
 ### Floating IP Architecture
 
 The deployment uses dedicated floating IPs to maintain stable DNS records across
@@ -199,6 +215,10 @@ deployment target:
 
 For testing and development using the staging domain:
 
+⚠️ **Important**: `.dev` domains are on Chrome's HSTS preload list, meaning ALL browsers
+automatically redirect HTTP to HTTPS. For testing without SSL certificates, use curl
+commands or consider using a `.com` domain instead.
+
 ```bash
 # Create staging environment configuration
 make infra-config-staging PROVIDER=hetzner
@@ -716,7 +736,55 @@ by Hetzner. Use `hcloud server-type list` for current availability.
    - `infrastructure/config/providers/hetzner.env`
    - Environment variable: `export HETZNER_API_TOKEN=your_token_here`
 
-#### 3. Provider Configuration Variable Collision
+#### 3. Browser HTTPS Redirect Issues with .dev Domains
+
+**Problem**: Web browsers automatically redirect HTTP to HTTPS for `.dev` domains, even when server
+only serves HTTP.
+
+**Root Cause**: `.dev` domains are on Chrome's HSTS preload list, which ALL browsers respect.
+
+**Symptoms**:
+
+```bash
+# These work fine with curl
+curl http://tracker.torrust-demo.dev/health      # ✅ Works
+curl https://tracker.torrust-demo.dev/health     # ❌ May fail if no SSL
+
+# But browsers automatically redirect HTTP → HTTPS
+http://tracker.torrust-demo.dev  →  https://tracker.torrust-demo.dev  (automatic)
+```
+
+**Solutions**:
+
+1. **Use .com domains for testing** (no HSTS preload):
+
+   ```bash
+   # .com domains work normally with HTTP in browsers
+   http://tracker.example.com   # Works in browsers if server serves HTTP
+   ```
+
+2. **Install SSL certificates for .dev domains**:
+
+   ```bash
+   # Deploy with HTTPS support
+   make app-deploy ENVIRONMENT_TYPE=staging ENVIRONMENT_FILE=staging-hetzner
+
+   # Access via HTTPS
+   https://tracker.torrust-demo.dev
+   ```
+
+3. **Use curl for HTTP testing with .dev domains**:
+
+   ```bash
+   # For API testing during development
+   curl http://tracker.torrust-demo.dev/api/health_check
+   curl "http://tracker.torrust-demo.dev/api/v1/stats?token=TOKEN"
+   ```
+
+**Important**: This behavior is **specific to .dev domains only**. Regular .com domains
+do not have this HSTS preload requirement.
+
+#### 4. Provider Configuration Variable Collision
 
 **Problem**: Error "Configuration script not found" in provider directory.