i want to force ssl on my website and redirect non-www to www. I read lots of guides and tried the sample configurations but did not fully worked.
With my config it gives me too many redirects error
This is my config
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
server_name mydomainname.com www.mydomainname.com;
return 301 https://www.mydomainname.com$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl default_server;
include snippets/ssl-mydomainname.com.conf;
include snippets/ssl-params.conf;
server_name mydomainname.com;
return 301 https://www.mydomainname.com$request_uri;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/blog;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _;
location ~ /.well-known {
allow all;
}
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
expires 30d;
add_header Pragma public;
add_header Cache-Control "public";
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php7.0-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php7.0-fpm:
# fastcgi_pass unix:/run/php/php7.0-fpm.sock;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
Please give me some advice.
You need to separate your 443 server block into two. For example:
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
include snippets/ssl-mydomainname.com.conf;
include snippets/ssl-params.conf;
return 301 https://www.mydomainname.com$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
include snippets/ssl-mydomainname.com.conf;
include snippets/ssl-params.conf;
server_name www.mydomainname.com;
...
}
So the default secure server redirects to your secure www server. See this document for more. This also assumes that the certificate is valid for both the www and non-www server names.
Related
I have reissue my domain Certificate , then I've update certificate and key files for my servers it works only on one of them and get ERR_SSL_PROTOCOL_ERROR problem for others although all these servers use subdomains of the same domain . I have no idea where to look and how to trubleshooting this problem .
My question is : what would make ssl certificate work on one server and not work to another Although two servers use subdomains of same domain?
would you help me please ..
nginx configuration
server {
#listen 80;
#listen [::]:80;
# SSL configuration
#
ssl on;
ssl_certificate /etc/nginx/sites-available/ssl/mycert.crt;
ssl_certificate_key /etc/nginx/sites-available/ssl/mykey.key;
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html index.php;
server_name _;
location / {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-
Requested-With, Content-Type, Accept";
try_files $uri $uri/ /index.php?$query_string;
}
server {
listen 80;
listen [::]:80 ;
server_name mydomain;
return 301 https://mydomain$request_uri;
}
I am using certbot to create a SSL for my website and use Nginx for serve. However, even if I change the server block in nginx conf and restart it, only the original http work but https will return ERR_CONNECTION_TIMED_OUT.
I've tried many way on the internet, including split the server block into two, adjust the listen 443 setting, add server_name...but all of them seems not work, using url with https will return ERR_CONNECTION_TIMED_OUT.
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl;
listen [::]:443 ssl ipv6only=on;
ssl_certificate /etc/letsencrypt/live/myasshole.club/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/myasshole.club/privkey.pem;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name www.example.com;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php7.0-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php7.0-fpm:
# fastcgi_pass unix:/run/php/php7.0-fpm.sock;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
is there any want to enable the https in nginx? I'm sure the pem key is work and I think the problem is my conf setting...
Try this
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl;
listen [::]:443 ssl;
ssl on;
ssl_certificate /etc/letsencrypt/live/myasshole.club/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/myasshole.club/privkey.pem;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name www.example.com;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php7.0-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php7.0-fpm:
# fastcgi_pass unix:/run/php/php7.0-fpm.sock;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
Also Note that it's better to add your domain here
server_name www.example.com example.com;
Then restart nginx
sudo service nginx restart
I have a flask app running on port 8000 of my droplet on digital ocean. I needed to enable ssl on this server with Nginx, and I can connect to my main port without any problem. But when trying to connect to funders-api.ninja:8000 I can't get access. Here's my default config
server {
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name funders-api.ninja www.funders-api.ninja;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/funders-api.ninja/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/funders-api.ninja/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
listen 8000 ssl;
listen [::]:8000 ssl;
server_name funders-api.ninja www.funders-api.ninja;
ssl_certificate /etc/letsencrypt/live/funders-api.ninja/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/funders-api.ninja/privkey.pem; # managed by Certbot
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
server {
if ($host = www.funders-api.ninja) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = funders-api.ninja) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 default_server;
listen [::]:80 default_server;
server_name funders-api.ninja www.funders-api.ninja;
return 404; # managed by Certbot
}
This is basicly de config made with Cerbot, but I would like to acces port 8000 com https.
thats a misconfigured section - the example.com server section is commented out in your config file, and at port 8000 you are listening with server name of funders-api.ninja www.funders-api.ninja
I am having some problems setting up my nginx server with ssl certificate and I have somehow screwed up something. When I go to my website it redirects to an endless loop of /var/wwww. it looks like this:
And this is my cd /etc/nginx/sites-available/default file
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name molle.ws www.molle.ws;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/molle.ws/fullchain.pem; # managed by Cert$
ssl_certificate_key /etc/letsencrypt/live/molle.ws/privkey.pem; # managed by Ce$
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
Please help :/
I installed SSL on my DigitalOcean droplet following this documentation.
Inspite of this, all requests on https:// are getting refused!
I ran the following command : sudo netstat -anltp and found that NGINX isn't listening on port 443
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1337/mysqld
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2315/nginx -g daemo
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1442/sshd
tcp 0 288 138.197.137.XXX:22 45.64.239.214:53476 ESTABLISHED 1590/0
tcp 0 0 138.197.137.XXX:22 218.65.30.134:65311 ESTABLISHED 2340/sshd: root [pr
tcp 0 0 138.197.137.XXX:22 45.64.239.214:53487 ESTABLISHED 1724/sshd: root#not
tcp6 0 0 :::80 :::* LISTEN 2315/nginx -g daemo
tcp6 0 0 :::22 :::* LISTEN 1442/sshd
My nginx.conf file is shown below:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
My /etc/nginx/sites-available/default is shown below :
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name example.com www.example.com;
return 301 https://$server_name$request_uri;
}
server {
# SSL configuration
#
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
include snippets/ssl-torrentic.cf.conf;
include snippets/ssl-params.conf;
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php7.0-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php7.0-fpm:
# fastcgi_pass unix:/run/php/php7.0-fpm.sock;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
Firewall status:
Status: active
To Action From
-- ------ ----
22 LIMIT Anywhere
443 ALLOW Anywhere
80 ALLOW Anywhere
Nginx Full ALLOW Anywhere
443/tcp ALLOW Anywhere
22 (v6) LIMIT Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
80 (v6) ALLOW Anywhere (v6)
Nginx Full (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
What is wrong ? How do I fix it ?
Make sure to have symlinks from /etc/nginx/sites-available/* to /etc/nginx/sites-enabled/:
$ cd /etc/nginx/sites-enabled
$ sudo ln -sf ../sites-available/default .
$ sudo service nginx reload
See chat for more details.