Nginx conf not serving http port 80 (with uwsgi, django) - 443 working - nginx-config

The below nginx conf is working fine on 443 with a working redirect from 80 to 443.
My issue is that the Let's Encrypt certbot didn't auto-renew. I want to force a manual update, so I just need to change the nginx config file to allow access to 80. Without a good response on 80, certbot -d my-site.com www.my-site.com --force-renewal fails.
I've tried a 100 ways to try to get 80 live and for some reason it's just not working for me. Everything I do just has http:// hanging... Below is my conf with the original working setup - with port 80 redirecting to 443.
How can I correctly change this to have 80 serving http so that I can run the certbot force-renewal command?
my_site.conf
server {
    server_name 12.34.56.789 my-site.com www.my-site.com;
    root /srv/www/html/;
    location #proxy {
        uwsgi_pass unix://srv/www/server.sock;
        include uwsgi_params;
    }
    location / {
        uwsgi_pass unix://srv/www/server.sock;
        include uwsgi_params;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/my-site.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/my-site.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    listen 80;
    server_name 12.34.56.789 my-site.com www.my-site.com;
    return 301 https://$host$request_uri;
}
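
One way to let the HTTP-01 challenge through on port 80 while still redirecting everything else, as an added example that is not part of the original post. The webroot directory /var/www/letsencrypt is an assumption; the host names are the ones from the question.

```nginx
# Added example, not the asker's configuration.
# Assumption: /var/www/letsencrypt exists and is readable by the nginx worker.
server {
    listen 80;
    listen [::]:80;
    server_name my-site.com www.my-site.com;

    # HTTP-01 validation: the CA requests a token file below this path over
    # plain HTTP. A server-level "return 301 ..." is evaluated before any
    # location is chosen, so the redirect has to move into "location /"
    # for this block to be reachable at all.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # assumed webroot
        default_type text/plain;
        try_files $uri =404;         # serve token files only, nothing else
    }

    # Every other request still goes to HTTPS. Listing explicit names in
    # server_name (and keeping a separate catch-all default server) stops
    # arbitrary Host headers from being echoed back through $host.
    location / {
        return 301 https://$host$request_uri;
    }
}

# After editing: "nginx -t" to validate, reload nginx, then test issuance
# without touching the live certificate:
#   certbot certonly --webroot -w /var/www/letsencrypt \
#       -d my-site.com -d www.my-site.com --dry-run
```

If port 80 still hangs with this block in place, the request is not reaching nginx, so check that something is listening on 80 and that no firewall or security group drops it.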

Related

Configuring WWW prefix and HTTPS using Nginx

I want Nginx to redirect all connections to: https://domain.xyz (remove www prefix if needed and always force https), so that for example:
http://www.domain.xyz/param and domain.xyz/param should redirect me to https://domain.xyz. To do that I made the following config in the default server:
server {
    return 301 https://$host$request_uri;
    listen 80 default_server;
    listen [::]:80 default_server;
}
and "sub servers":
server {
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name domain.xyz;
    location / {
        try_files $uri $uri/ =404;
    }
    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/domain.xyz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain.xyz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    server_name subdomain.domain.xyz;
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/domain.xyz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain.xyz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
So I assumed the default server will do both for me (remove www prefix and force https), however when I try to open www.domain.xyz I'm getting this error in Chrome console:
Redirecting navigation www.domain.xyz -> domain.xyz because the server presented a certificate valid for domain.xyz but not for www.domain.xyz. To disable such redirects launch Chrome with the following flag: --disable-features=SSLCommonNameMismatchHandling
Except that, everything works as expected. Also, as you can see, I used letsencrypt to generate certs (for domain.xyz and subdomain.domain.xyz -- without www prefix (!) -- maybe that is the reason). So to sum it up:
Is my config correct for the things I want to achieve?
Should I be worried about that Chrome message?

Nginx redirect http to custom https AND https to custom https

I have a server on a restricted vps. I only have access to port 80, and some higher ports - no 443.
I was able to redirect all http to https on port 11111 [with return 301], OR redirect https request made on port 443 to 11111 [with error_page 497].
I would like to redirect http to https on custom port, and 'redirect' https to https custom port. I cannot listen on 443.
This is what I have so far:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.org;
    return 301 https://$server_name:11111$request_uri;
    #error_page 497 https://$server_name:11111$request_uri;
}
server {
    # SSL configuration
    #
    listen 11111 ssl default_server;
    listen [::]:11111 ssl default_server;
}
Thanks in advance!

Nginx Redirect HTTP to HTTPS and WWW to Non-WWW

I'm having issues with this config:
#=========================#
# domain settings         #
#=========================#
# Catch http://domain, and http://www.domain
server {
    listen 80;
    server_name www.domain domain;
    # Redirect to https://domain
    return 301 https://domain$request_uri;
}
# Catch https://www.domain
server {
    listen 443;
    server_name www.domain;
    # Redirect to https://domain
    return 301 https://domain$request_uri;
}
# Catch https://domain
server {
    listen 443;
    server_name domain;
    root /usr/share/nginx/domain;
    index index.html index.htm;
    ssl on;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;
    location / {
        try_files $uri $uri/ =404;
    }
}
Something is wrong with the 3rd server directive. I get an SSL connection error. But when I comment out that section everything works fine. But I want www to redirect to non-www over https also.
Can anyone spot the problem?
The Nginx configuration snippet below will enable you to effectively redirect all http traffic to https while stripping any eventual www prefix.
As such, your site will strictly be available over https and without the www prefix.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name www.example.com example.com;
    return 301 https://example.com$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    if ($host = www.example.com) {
        return 301 https://example.com$request_uri;
    }
    server_name www.example.com example.com;
    # SSL configuration
    # Other configurations
}
With reference to if is evil, do note that it is safe to use the if directive as it is not used in a location context.
Adding the
    ssl on;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;
in the 3rd server directive fixed this issue.
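
The three-server layout from this question with TLS enabled on both port-443 blocks, as an added example that is not taken from either answer. example.com is a placeholder host name, and the certificate paths are the ones quoted in the question.

```nginx
# Added example, not code from the original posts.
# The certificate must list both example.com and www.example.com: the TLS
# handshake for www completes before nginx can send the 301, so a
# certificate that lacks the www name produces a browser warning instead
# of a redirect.

# http://example.com and http://www.example.com -> https://example.com
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://example.com$request_uri;
}

# https://www.example.com -> https://example.com
server {
    listen 443 ssl;          # "ssl" on listen replaces the deprecated "ssl on;"
    listen [::]:443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;   # TLSv1 and TLSv1.1 left out
    return 301 https://example.com$request_uri;
}

# https://example.com: the canonical site
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    # Keep ssl_protocols identical in every server sharing this listen
    # socket, or set it once in the http block.
    ssl_protocols TLSv1.2 TLSv1.3;
    # ssl_ciphers is omitted, so nginx's built-in default list applies.
    root /usr/share/nginx/domain;
    index index.html index.htm;
    location / {
        try_files $uri $uri/ =404;
    }
}
```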

Nginx www. to non-www. redirect not working

I followed the instructions at https://stackoverflow.com/a/11733363/2532070 to redirect www to non-www. I'm trying to redirect the following formats:
http://example.com
http://www.example.com
https://www.example.com
all to:
https://example.com
http://example.com is redirecting to https. However, the other two, with www., are not. Here is my nginx.conf:
upstream app_server {
    server 127.0.0.1:9000 fail_timeout=0;
}
#
# Redirect all www to non-www
#
server {
    server_name www.example.com;
    ssl_certificate /src/bin/ssl/ssl-bundle.crt;
    ssl_certificate_key /etc/ssl/private/STAR_example_com.key;
    listen *:80;
    listen *:443 ssl spdy;
    listen [::]:80 ipv6only=on;
    listen [::]:443 ssl spdy ipv6only=on;
    return 301 https://example.com$request_uri;
}
#
# Redirect all non-encrypted to encrypted
#
server {
    server_name example.com;
    listen *:80;
    listen [::]:80;
    return 301 https://example.com$request_uri;
}
#
# There we go!
#
server {
    server_name example.com;
    ssl_certificate /src/bin/ssl/ssl-bundle.crt;
    ssl_certificate_key /etc/ssl/private/STAR_example_com.key;
    listen *:443 ssl spdy;
    listen [::]:443 ssl spdy;
    # rest goes here...
    root /usr/share/nginx/html;
    index base.html index.html index.htm;
    client_max_body_size 4G;
    keepalive_timeout 5;
    # Your Django project's media files - amend as required
    location /media {
        alias /src/media;
        expires 1y;
        add_header Cache-Control "public";
    }
    # your Django project's static files - amend as required
    location /static {
        alias /src/static;
        expires 1y;
        add_header Cache-Control "public";
    }
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://app_server;
    }
}
I'm not seeing anything in the nginx log file to indicate the error. Is there somewhere to look for the error when I try to access a www. version? Thanks!
You are most likely experiencing problems with browser caching. Try purging your cache, e.g. check the disable cache in Chrome dev tools network tab or in Firefox's dev tools settings. That should fix it.

nginx redirect non www to www while maintaining protocol

I am trying to redirect non www to www but making sure to keep the requested protocol so 80 would go to http://www. and 443 would go to https://www.
I have gotten this far..
server {
    listen 80;
    listen 443;
    server_name domain.com;
    # add ssl settings
    return 301 $scheme://www.domain.com$request_uri;
}
Separate http and https server config.
Change return 301 ... to rewrite ^(.*) http://www.domain.com/$1 permanent; (http or https)
Change listen 443; to listen 443 ssl;