[FEATURE] Prevent default certificate exposure during service restart

[jojolll]

What's needed and why?

When restarting the Bunkerweb service, the default certificate (www.example.com) is briefly served to clients before Bunkerweb has fully loaded its configuration and the correct certificate for my domain (e.g., domain.com) is enabled.

As a result, users—especially those using desktop clients that automatically probe for service availability (e.g., Nextcloud Desktop application)—are exposed to certificate errors. These clients display warnings indicating the certificate is invalid or does not match the domain, causing unnecessary concern among users every time Bunkerweb is restarted.

Previously, using Nginx as a reverse proxy, I did not encounter this issue. Nginx would only bring the website back online once the correct certificate had been loaded and the configuration was fully applied.

Is it possible to disable the exposure of the site until Bunkerweb has finished loading its configuration and the correct certificates are ready to serve?

Implementations ideas (optional)

I would like to request an option or improved mechanism in Bunkerweb to prevent the website from coming back online (or from accepting new TLS connections) until the full configuration has been loaded and the correct certificate is in place. The goal is to ensure that, upon restart, there is never a moment when users might receive the default/placeholder certificate rather than the appropriate one for the requested domain.

Benefits:

Prevents client-side certificate errors and security warnings. Avoids confusing or alarming users with incorrect certificate information.

Thank you for considering this feature request!

Code of Conduct

• [x] I agree to follow this project's Code of Conduct