nginx rewrite rules for only SSL - redirect

I want to redirect evry traffic of a domain to to one target:
https://example.com
We want to change http to https and www to nonwww.
Nginx 1.8.1 is the server
This is the vhost:
server {
listen xxx.xxx.xxx.xxx:80;
listen xxx.xxx.xxx.xxx:443 ssl;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /www/clients/client1/web2/ssl/example.com.crt;
ssl_certificate_key /www/clients/client1/web2/ssl/example.com.key;
server_name example.com www.example.com;
root /var/www/example.com/web;
#This is a rewrite from www.example.com -> example.com
if ($http_host = "www.example.com") {
rewrite ^ $scheme://example.com$request_uri? permanent;
}
......
......
}
The Problem that we have is, that every redirects and rewrite rules we checked out, worked well for this three cases:
https://example.com --> is right target works
http://www.example.com --> https://example.com works
http://example.com --> https://example.com works
but
https://**www**.example.com ---> https://example.com don't works
In Browsers we see https://www.example.com instead the target SSL
domain https://example.com
In this case our SL Cert shows an "untrusted" - message
The configiguration of the vhost is preset by ISPConfig.
Has anybody the same experiences? And maybe a solution.

Your certificate is most likely only issued for example.com and is not valid for www.example.com. Redirections, like the one you have in your NGINX config, happen only after the TLS/ HTTPS handshake which is what your browser is complaining about.
You will need to request your certificate issuer to issue a new certificate that is valid for both example.com and www.example.com. Most issuers should have done this to begin with and do not charge any fees.

Here is what I have done with one my domain.
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
return 301 https://$host$request_uri$is_args$args;
root /var/www/public_html;
index index.php index.html index.htm;
server_name domain.com www.domain.com;
add_header Strict-Transport-Security "max-age=31536000";
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg)$ {
expires 2d;
}
}
server {
listen 443;
add_header Strict-Transport-Security "max-age=31536000";
root /var/www/public_html;
index index.php index.html index.htm;
server_name domain.com www.domain.com;
ssl on;
ssl_certificate /etc/ssl/ssl-bundle.crt;
ssl_certificate_key /etc/ssl/myserver.key;
ssl_dhparam /etc/ssl/dhparams.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#Disables all weak ciphers
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
client_max_body_size 20M;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg)$ {
expires 30d;
}
}
By the way, This settings make my domain ssl as A+ in ssltestlab

Related

Nginx Subdomains: Redirect /.well-known path for Let's Encrypt

I have an Nginx Server running with two sub-domains. One of them uses a proxy_pass to redirect everything to a Meteor Application and the other sub-domain just uses Laravel but in a diffrent directory than the normal domain.
So, when I start ./letsencrypt-auto I get the following error-message for both sub-domains:
Failed authorization procedure. subdomain.mydomain.com (http-01): urn:acme:error:unauthorized ::
The client lacks sufficient authorization :: Invalid response from http://subdomain.mydomain.com/.well-known/acme-challenge/xyzxyzxy_xzyzxyxyyx_xyzyxzyxz: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
My interpretation of that is, that it doesn't work because my Laravel-Subdomain is not in /var/www/domain.com/html but in /var/www/laravel/html and my Meteor-Application is somwhere else and ngnix just does the proxy passing.
So my question is: Can I redirect /.well-known/acme-challenge for both subdomains to the real /.well-known so that letsencrypt-auto doesn't throw this error?
More Information:
I've tried
location '/.well-known/acme-challenge' {
default_type "text/plain";
root /tmp/letsencrypt-auto;
}
but it didn't work...
Config for my Meteor sub-domain:
server {
listen 80;
listen [::]:80;
# SSL configuration
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
[…] SSL stuff […]
server_name meteor.domain.com;
location / {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header X-Forwarded-For $remote_addr;
}
location ~ /.well-known {
allow all;
}
}
Config for my Laravel sub-domain:
server {
listen 80;
server_name laravel.domain.com;
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
[…] SSL stuff […]
root /var/www/laravel/html;
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ /.well-known {
allow all;
}
location ~ \.(hh|php)$ {
fastcgi_keep_conn on;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
Your location ~ /.well-known blocks are regex locations and will take precedence over the prefix location you are attempting to add.
You need to delete them.
See this document on the location directive.
Okay, thanks to the tips from Richard Smith I solved it:
I kept this in the Config-Part for the domain.com-Part as described in this tutorial.
location / {
try_files $uri $uri/ =404;
}
but put that into the Config-Part for subdomain.domain.com instead:
location /.well-known/ {
root /var/www/domain.com/html;
}
What it does is handling any request to subdomain.domain.com/.well-known/[anything] as domain.com/.well-known/[anything], thus no error from letsencrypt-auto.

Nginx Redirect https to non-www not working

I've looked on Stack Overflow and other sites but cannot seem to get this redirect working. Everything is working as expected, except:
The following work:
http://example.com -> https://example.com
http://www.example.com -> https://example.com
This does NOT redirect to the non-www (it keeps the www in place):
https://www.example.com -> https://example.com
Both the www and non-www https versions seem resolve as is. Any ideas?
Here is the current config:
# Redirect WWW to NON-WWW
server {
# Server host
server_name www.example.com;
# Server ports
listen 80;
listen 443;
listen [::]:80;
listen [::]:443;
# SSL
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# Redirect
return 301 https://example.com$request_uri;
}
# Redirect HTTP to HTTPS
server {
# Server host
server_name example.com;
# Server port
listen 80;
listen [::]:80;
# Redirect
return 301 https://example.com$request_uri;
}
# Main Block
server {
# Server host
server_name example.com;
# Server port
listen 443 ssl;
listen [::]:443;
# SSL
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
root /var/www/example.com;
index index.php index.html index.htm;
location / {
try_files $uri $uri/ =404;
}
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ /.well-known {
allow all;
}
}

Nginx Config Endless Loop (redirect HTTP to HTTPS)

I'm a bit stuck. I'm setting up a new installation of JTL-Shop3 on Nginx. But whenever I call https://www.domain.tld/ it becomes http://www.domain.tld/ and the other way around and ends up showing an error because the webpage is redirecting in a loop.
Here is my nginx config for Non-SSL
# redirect non www to www
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
server_name trendboxx.eu www.trendboxx.eu;
return 301 https://www.trendboxx.eu$request_uri;
}
And here the config for the SSL vhost
server {
listen 443 ssl;
ssl on;
ssl_certificate /srv/www/trendboxx.eu/certificates/www.trendboxx.eu.crt;
ssl_certificate_key /srv/www/trendboxx.eu/certificates/www.trendboxx.eu.key;
server_name www.trendboxx.eu;
access_log /srv/www/trendboxx.eu/logfiles/nginx.access.log;
error_log /srv/www/trendboxx.eu/logfiles/nginx.error.log;
root /srv/www/trendboxx.eu/public_html;
index index.php;
location / {
# try file => folder => JTL-Shop3 Search
try_files $uri $uri/ /index.php?q=$uri$args;
}
# error pages
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# JTL-Shop3 expires for static files
location ~* \.(eot|ttf|woff|css|less)$ {
expires max;
add_header Access-Control-Allow-Origin *;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
access_log off;
log_not_found off;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires max;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
access_log off;
log_not_found off;
}
# PHP handler
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_read_timeout 180;
proxy_read_timeout 180;
}
# deny access to hidden files
location ~ /\. {
deny all;
}
}
I am gratefull for every hint on how to solve this problem.

Ningx non-www to www redirect causing site to show as "not available"/"server not found"

Running LEMP stack: nginx version: nginx/1.4.6 (Ubuntu)
I've tried a number of different configurations to get my non-www domain to prepend www. onto all URLs and despite double checking the following configuration against many others I continue to get errors ("not available"/"server not found"). Maybe it has something to do with the fact that I'm using a 301 redirect and not 302.
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
root /var/www/laravel/mysite/public;
index index.php index.html index.htm;
server_name mysite.com;
return 301 $scheme://www.mysite.com$request_uri;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ \.php$ {
try_files $uri /index.php =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
I define server_name then I define the rewrite directly below it. This has worked in the past but not working now. I remove the "return" line and the domain without www. works perfectly. There are no other configurations running. Can someone tell me if this configuration contains an error or if I'm attempting to do this incorrectly? Thanks.
You have to separate it into 2 server blocks like this
server {
listen 80;
server_name site.com;
return 301 $scheme://www.site.com$request_uri;
}
server {
listen 80 default_server;
server_name www.site.com;
root /var/www;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
...

Nginx redirection to https://www.domain.tld

I am trying to make my domain name only work with a https:// and www in front of it. It's important that domain.com without the www. redirects to the www, and it's also important that https:// is always enabled. I am having a lot of trouble achieving this. I've removed all the redirects from the config because they all just give me errors.
server {
listen 80;
default_type text/html;
server_name epicmc.us;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
try_files $uri $uri/ /index.html;
}
root /usr/share/nginx/html;
index index.php index.html index.htm;
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# pass the PHP scripts to FastCGI server listening on the php-fpm socket
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
server {
listen 443;
default_type text/html;
server_name www.epicmc.us;
root /usr/share/nginx/html;
index index.php index.html index.htm;
ssl on;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:5m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
ssl_certificate /etc/nginx/ssl/cert.crt;
ssl_certificate_key /etc/nginx/ssl/private.key;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
# Uncomment to enable naxsi on this location
# include /etc/nginx/naxsi.rules
}
# Only for nginx-naxsi used with nginx-naxsi-ui : process denied requests
#location /RequestDenied {
# proxy_pass http://127.0.0.1:8080;
#}
error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
#error_page 500 502 503 504 /50x.html;
#location = /50x.html {
# root /usr/share/nginx/html;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
#
# # With php5-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php5-fpm:
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
}
EDIT: I am now using a PHP redirect, but there has to be a better option...
You should define additional virtualhost, and there redirect all clients to desired method+host.
Add to your config (tune to your taste, of course) :
# redirection vhost
server {
listen 10.1.2.3:80;
server_name www.epicmc.us epicmc.us;
access_log /logs/access.log full;
error_log /logs/error.log notice;
location / {
rewrite ^/(.*)$ https://www.epicmc.us/$1 permanent;
}
}
There are two ways of doing this, simple redirect return 301
server {
server_name www.example.com;
listen 80;
return 301 https://$host$request_uri;
}
or using rewrite rules, check the answer for this question it might be helpful
server {
listen 80;
server_name www.example.com ;
location{
rewrite ^(.*)$ https://www.example.com/$1 permanent;
}
}
check answers for this question it might be helpful
Hey guys I'm using Cloudflare's flexible SSL, so my problem was that I had to do the page rules on their site and not in my config. That's why I was getting redirect errors.