How to set HTTPS as default on nginx - ssl

I have a working SSL-enabled domain and server, and it's up and running with HTTP as the default. When I explicitly request https://domain.tld it works fine, but how do I make it the default instead of HTTP?
Right now I have the following directives in my nginx vhost:
server {
    listen 80;
    listen 443 ssl default_server;
    ssl on;
    ssl_certificate /etc/nginx/ssl/XX.crt;
    ssl_certificate_key /etc/nginx/ssl/XX.key;
    server_name x.me www.x.me;
    root /usr/share/nginx/www/x/site;
    index index.html index.php;
    location / {
        try_files $uri $uri/ /index.php?q=$request_uri;
    }
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Redirect HTTP requests to HTTPS. This can be done with scripting, but also with nginx using 'return'.
Tutorial: https://christiaanconover.com/blog/how-to-redirect-http-to-https-in-nginx

Add a separate server that will redirect to https:
server {
    listen 80;
    server_name x.me www.x.me;
    return 301 https://$host$request_uri;
}
and remove listen 80 from your existing code block.

Related

Trying to get one page in nginx to redirect to http and all the others to https

I am using CakePHP 2.9 in Ubuntu 16, and nginx, and I have a vps with a ssl certificate installed on it, and I want to use javascript websockets with php ratchet. The problem is that they don't work, out of the box. For example, without changing a certain setting in firefox about:config, I can't use ws websockets in the browser (that's no good, if I want other people to be able to use it). But I also can't get PHP Ratchet to accept wss websockets. So, I'm trying to redirect the page where the websockets are going to run back to http, so I can use regular ws and connect to PHP ratchet.
The problem is, that I can't seem to get my nginx config file to do that smoothly. I have it redirecting on the page I want to use websockets for, but it seems to give a 404 error. This could be an issue with my DNS for the site perhaps, but here is the nginx config I am using:
server {
    listen 80;
    listen [::]:80;
    server_name server.com;
    location /websocket_path {
    }
    location / {
        return 301 https://$server_name/web/$request_uri/;
    }
}
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server ipv6only=on;
    root /usr/share/nginx/html;
    index index.html index.htm index.php;
    ssl on;
    ssl_certificate /ssl_path/cert_chain.crt;
    ssl_certificate_key /ssl_path/server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    location /web {
        alias /usr/share/nginx/html/web/app/webroot;
        try_files $uri $uri/ /web/app/webroot/index.php;
    }
    server_name server.com;
    location = / {
        return 301 https://$server_name/web/$request_uri/;
    }
    location /websocket_path {
        return 301 http://$server_name/websocket_path;
    }
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules
    }
    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
        #include fastcgi_params;
        #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
    location ~ /.well-known {
        allow all;
    }
    location ~ /.sandbox {
    }
    location ~* \.(?:manifest:appcache|htm?|xml|json)$ {
        expires -1;
    }
}
Any help on this matter would be greatly appreciated. Thank you.

Nginx not loading other sites after enabled SSL

Here is my /etc/sites-available/default
server {
    listen 443 default_server;
    server_name _;
    ssl on;
    ssl_certificate /etc/ssl/certs/example/example.com.crt;
    ssl_certificate_key /etc/ssl/certs/example/example.com.key;
    root /usr/share/nginx/html;
    index index.html index.htm;
    location / {
        try_files $uri $uri/ =404;
    }
}
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    return 301 https://$host$request_uri;
    root /usr/share/nginx/html;
    index index.html index.htm;
    # Make site accessible from http://localhost/
    server_name localhost;
    location / {
        try_files $uri $uri/ =404;
    }
}
The first block is what I've added recently. I host multiple sub-domains on this server. This is an example of sites-available/my.example.com:
server {
    server_name my.example.com;
    access_log /var/data/log/nginx/my.example.com.log;
    error_log /var/data/log/nginx/my.example.com.log;
    root /var/data/www/lmy.example.com/htdocs;
    index index.php;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
    }
}
Whenever I used to go to http://my.example.com, the website would load fine. But now, going to https://my.example.com just goes to the default page. The my.example.com file is symlinked from sites-enabled. The config seems fine, because if I comment the line return 301 ... from the port 80 block, http://my.example.com works again, but https://my.example.com shows the default nginx page.

nginx ssl_certificate directive doesn't work within server block, browser shows ERR_CONNECTION_CLOSED or ERR_CONNECTION_RESET

I'm trying to serve multiple TLS-secured domains out of a single VPS with Nginx v1.8.0, but for some reason it's just not taking the certificate configuration in the server block. When I put the ssl_certificate and ssl_certificate_key directives in the http block, it works fine. But when I try to put them into the server block instead, there are no errors at startup, nothing in the logs, but chrome gives me an ERR_CONNECTION_CLOSED message. This has to be easier than it seems....
Here's the setup that works:
nginx -V output:
nginx version: nginx/1.8.0
built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04)
built with OpenSSL 1.0.1f 6 Jan 2014
TLS SNI support enabled
My main nginx.conf:
user http;
worker_processes 3;
pid /var/run/nginx.pid;
error_log /var/log/nginx_error.log error;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type text/plain;
    sendfile on;
    keepalive_timeout 65;
    index index.php index.html;
    log_format main '$remote_addr - $remote_user [$time_local], "$scheme://$host$request_uri", '
                    'file: "$request_filename", http: $status, sent: $body_bytes_sent, ref: "$http_referer", '
                    '"$http_user_agent", "$http_x_forwarded_for"';
    access_log /var/log/nginx_access.log main;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    server {
        listen 80;
        server_name "";
        return 410;
    }
    ssl_certificate /etc/letsencrypt/live/site1.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site1.com/privkey.pem;
    include vhosts/*.conf;
}
My vhosts directory listing:
site1.conf
site2.conf
And finally, my site1.conf file (site2.conf is essentially the same):
# Server block that redirects www.site1.com requests to site1.com
server {
    listen 443;
    server_name www.site1.com;
    return 301 https://site1.com$request_uri;
}
# Server block that serves site1.com;
server {
    listen 443 ssl;
    server_name site1.com;
    root /srv/www/site1/public_html;
    index index.php index.html index.htm;
    error_log /var/log/nginx_err_site1.log error;
    access_log /var/log/nginx_acc_site1.log main;
    include global_restrictions.conf;
    location / {
        try_files $uri /index.php?q=$uri&$args;
    }
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php-fpm_site1.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
As you can see, the ssl... directives are in the main configuration file http block. That configuration works fine. If I remove them from that location, however, and put them into the server block of the site1.conf vhost file, as indicated below, I get the ERR_CONNECTION_CLOSED error.
# Server block that redirects www.site1.com requests to site1.com
server {
    listen 443;
    server_name www.site1.com;
    return 301 https://site1.com$request_uri;
}
# Server block that serves site1.com;
server {
    listen 443 ssl;
    server_name site1.com;
    root /srv/www/site1/public_html;
    index index.php index.html index.htm;
    ssl_certificate /etc/letsencrypt/live/site1.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site1.com/privkey.pem;
    error_log /var/log/nginx_err_site1.log error;
    access_log /var/log/nginx_acc_site1.log main;
    include global_restrictions.conf;
    location / {
        try_files $uri /index.php?q=$uri&$args;
    }
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php-fpm_site1.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
I just can't figure it out!
Thanks for any help you can offer.

Just got back to this after more than a month (ok, so my launch is a little delayed, whatever! ;) ).
Indeed, the answer was as easy as I supposed it had to be.
I had viewed those little "www." redirect blocks as simple bounces, and for some reason didn't feel I had to include information about the certificates in those blocks. However, because of the way secure connections work, the server has to fully establish a secured connection before issuing a response (i.e. redirect instruction), so because I wasn't including the certificate information in those little redirect blocks, it was giving me errors (and frustratingly, it wasn't telling me what those errors were).
So in the end, the solution was simply to add the valid ssl_certificate and ssl_certificate_key directives in each server block that listened on port 443. All works well now!
Just to fully illustrate the point, this is my updated and WORKING site1.conf (and site2.conf, which is virtually identical):
# Server block that redirects www.site1.com requests to site1.com
server {
    listen 443 ssl;
    server_name www.site1.com;
    ssl_certificate /etc/letsencrypt/live/site1.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site1.com/privkey.pem;
    return 301 https://site1.com$request_uri;
}
# Server block that serves site1.com requests
server {
    listen 443 ssl;
    server_name site1.com www.site1.com;
    root /srv/www/site1/public_html;
    ssl_certificate /etc/letsencrypt/live/site1.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site1.com/privkey.pem;
    index index.php index.html index.htm;
    error_log /var/log/nginx_err_site1.log error;
    access_log /var/log/nginx_acc_site1.log main;
    include global_restrictions.conf;
    location / {
        try_files $uri /index.php?q=$uri&$args;
    }
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php-fpm_site1.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
And my nginx.conf file now no longer has the ssl_certificate lines in it.
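
As an added example (not code from any of the posts above), this Python sketch checks a config for the two mistakes covered so far: a port 80 listener that serves content instead of redirecting to https, and a server block on port 443 with no ssl_certificate and ssl_certificate_key of its own or inherited from the http level. The sample is constructed from the first question's combined 80/443 block and the non-working www redirect block; the function names are hypothetical, and it assumes every listener on port 443 is meant to speak TLS.

```python
import re

# Constructed sample based on the configs posted above.
SAMPLE = """
server { listen 80; listen 443 ssl default_server; server_name x.me www.x.me;
         ssl_certificate /etc/nginx/ssl/XX.crt; ssl_certificate_key /etc/nginx/ssl/XX.key; }
server { listen 443; server_name www.site1.com; return 301 https://site1.com$request_uri; }
"""
CERT = {"ssl_certificate", "ssl_certificate_key"}

def parse(conf):
    """Return (directive names at http/file level, directive lists per server block)."""
    stack, outer, servers, text = [], set(), [], ""
    for tok in re.findall(r"[^{};]+|[{};]", re.sub(r"#[^\n]*", "", conf)):
        tok = tok.strip()
        if tok not in ("{", "}", ";"):
            text = tok or text
            continue
        words = text.split() or [""]
        ctx = stack[-1] if stack else "http"   # a vhost file is included at http level
        if tok == "{":
            stack.append(words[0])
            if words[0] == "server":
                servers.append([])
        elif tok == "}":
            stack = stack[:-1]
        elif ctx == "server":
            servers[-1].append(words)          # only directives directly in server {}
        elif ctx == "http":
            outer.add(words[0])
        text = ""
    return outer, servers

def lint(conf):
    """Return (server number, finding) pairs for the two mistakes described above."""
    outer, servers = parse(conf)
    findings = []
    for n, directives in enumerate(servers, 1):
        names = {d[0] for d in directives}
        listens = [d[1:] for d in directives if d[0] == "listen" and len(d) > 1]
        # Assumption: anything on port 443, or flagged ssl, is meant to speak TLS.
        tls = any(re.search(r"(^|:)443$", a[0]) or "ssl" in a for a in listens)
        plain = any(re.search(r"(^|:)80$", a[0]) for a in listens)
        to_https = any(d[0] == "return" and "https://" in " ".join(d) for d in directives)
        if tls and not CERT <= names | outer:
            findings.append((n, "TLS listener without certificate directives"))
        if plain and not to_https:
            findings.append((n, "port 80 served without a redirect to https"))
    return findings
```

The tokenizer is deliberately simple: it does not follow include directives or handle quoted strings that contain braces or semicolons, and it only sees a redirect placed directly in the server block, not one inside a location.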

NGINX infinite loop when I try to redirect http to https

I'm moving my entire website from HTTP to HTTPS.
Since I have a few domains, I need to redirect them to the HTTPS version of my website.
The problem is that when I try to redirect the original domain from HTTP to HTTPS, nginx gives me an infinite loop.
Can you guys help me?
Here is my config:
server {
    listen 80;
    server_name www.domain.com.br domain.com.br w.domain.com.br ww.domain.com.br wwww.domain.com.br domain1.com.br www.domain1.com.br domain.com www.domain.com domain.net.br www.domain.net.br;
    return 301 https://www.domain.com.br$request_uri;
}
server {
    listen 443;
    server_name domain.com.br w.domain.com.br ww.domain.com.br wwww.domain.com.br domain1.com.br www.domain1.com.br domain.com www.domain.com domain.net.br www.domain.net.br;
    ssl on;
    ssl_certificate /home/ssl/ssl-bundle.crt;
    ssl_certificate_key /home/ssl/myserver.key;
    return 301 https://www.domain.com.br$request_uri;
}
server {
    listen 443;
    ssl on;
    ssl_certificate /home/ssl/ssl-bundle.crt;
    ssl_certificate_key /home/ssl/myserver.key;
    #ssl_session_timeout 5m;
    #ssl_protocols SSLv2 SSLv3 TLSv1;
    server_name www.domain.com.br;
    root /usr/share/nginx/html2;
    location / {
        index index.php;
        if ($request_filename !~* \.(php|gif|html|jpe?g|png|ico|js|css|flv|swf|pdf|xml)$ ) { rewrite ^ /index.php; }
    }
    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.socket;
        fastcgi_index index.php;
        # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

The second server entry is creating the infinite loop. It includes a return 301 to the same site on the HTTPS (443) port.
Try this answer for sub domain redirects:
https://serverfault.com/questions/67316/in-nginx-how-can-i-rewrite-all-http-requests-to-https-while-maintaining-sub-dom

ssl for subdirectory within nginx server configuration

I have an nginx server running with SSL enabled.
Currently I have HTTPS enabled for all directories.
How do I enable SSL only for the www.example.com/shop/* directory and disable it for the others?
Here is my conf file:
# Redirect everything to the main site.
server {
    server_name *.example.com;
    listen 80;
    ssl on;
    ssl_certificate /opt/nginx/conf/server.crt;
    ssl_certificate_key /opt/nginx/conf/server.key;
    keepalive_timeout 70;
    access_log /home/example/nginx_logs/access.log;
    error_log /home/example/nginx_logs/error.log;
    root /home/example/public_html/example.com;
    location ~ \.php$ {
        try_files $uri $uri/ /index.php?q=$uri&$args;
        root /home/example/public_html/example.com/;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include /opt/nginx/conf/fastcgi_params;
        #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_param SCRIPT_FILENAME /home/example/public_html/example.com$fastcgi_script_name;
        index index.php index.html index.htm;
    }
    if ($http_host != "example.com") {
        rewrite ^ http://example.com$request_uri permanent;
    }
    include global/restrictions.conf;
    # Additional rules go here.
    # Only include one of the files below.
    include global/wordpress.conf;
    # include global/wordpress-ms-subdir.conf;
    # include global/wordpress-ms-subdomain.conf;
}
Thanks,
D

It is easy to achieve in Nginx. There are two steps involved in it.
Port 443 will be used only when yourdomain.com/shop is accessed. All other requests would be redirected to port 80 (HTTP)
Port 80 will check for yourdomain.com/shop. If found, it'd be redirected to port 443 (HTTPS).
Here is a quick overview of how it could be done...
server {
    listen 443;
    server_name yourdomain.com;
    # directives for SSL certificates
    # root, index, error_log, access_log directives
    location /shop {
        # directives to handle what's inside /shop, for example
        # try_files $uri $uri/ /index.php;
    }
    location ~ \.php$ {
        # directives to handle PHP files
    }
    # leave everything else to port 80
    location / {
        rewrite ^ http://$host$request_uri permanent;
    }
}
server {
    listen 80;
    server_name yourdomain.com;
    # root, index, error_log, access_log directives
    # redirect yourdomain.com/shop to port 443
    # Please put this before location / block as
    # nginx stops after seeing the first match
    location /shop {
        rewrite ^ https://$host$request_uri permanent;
    }
    location / {
        # directives to handle what's inside /, for example
        # try_files $uri $uri/ /index.php;
    }
    location ~ \.php$ {
        # directives to handle PHP files
    }
}