There is no index.html here on purpose: to block bad guys.

A http request only comes here if the IP address was
specified in the URL instead of the name of one of the
sites supported on this VPS.

That means 
1) a hacker, or 
2) (as near as I can tell) a web browser that was given 
   a proper URL but uses the IP address from the URL for 
   side projects.
   - i believe this happens with the default Android browser,
     because I have been blocked using it to access my web 
     site.

So we moved index.html out of the way, so the HTTP/HTTPS 
request will fail and fail2ban will catch these guys.