By: DianaM

http-https redirect / Positive SSL on nginx

October 8, 2014 88.5k views

Hi guys,

This is my first time here asking questions; until now I read and learned from the best of you.
So, I installed Ubuntu 14.04 on my Droplet, configured EasyEngine on it with nginx / php5-fpm and fastcgi.
I bought a Positive SSL from namecheap and now I want to use it on my Wordpress site.
So I put the ssl-bundle.crt and the domain_com.key in /var/www/domain.com/cert and after that I modified the file in /etc/nginx/sites-available/domain.com and put the following configuration:

# WPSINGLE FAST CGI NGINX CONFIGURATION

server {
        listen 80;
        listen 443 ssl;
        server_name devly.co www.devly.co;
        ssl on;
        ssl_certificate /var/www/devly.co/cert/ssl-bundle.crt;
        ssl_certificate_key /var/www/devly.co/cert/devly_co.key;
        access_log   /var/log/nginx/devly.co.access.log rt_cache;
        error_log    /var/log/nginx/devly.co.error.log;
        root /var/www/devly.co/htdocs;
        index index.php index.htm index.html;

        include common/wpfc.conf;
        include common/wpcommon.conf;
        include common/locations.conf;

        # force https-redirects
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }
}

The thing is, the redirect doesn't work: if I enter http://domain.com it won't automatically redirect to https.
What did I do wrong?
Also, any recommendations? My first time using SSL on a server.

1 comment
  • Make sure you're using www.devly.co and not "domain.com"

    Also, right now, your webserver is listening to port 80 using SSL, so the config you pasted above seems inaccurate or incomplete. (Possibly you didn't reload nginx after editing it?)

4 Answers

Instead of specifying your http and https sites in the same server block I would recommend formatting your configuration in two server blocks, one for http and one for https.

server {
       listen         80;
       server_name    my.domain.com;
       return         301 https://$server_name$request_uri;
}

server {
       listen         443 ssl;
       server_name    my.domain.com;

       [....]
}
  • @ryanpq Do I need to add to the separate server block the same settings like the first one ?
    Let's say if I want to include some *.conf, do I need to duplicate it to the other server block ?
    I managed to get it working using this configuration:

    # WPSINGLE FAST CGI NGINX CONFIGURATION
    
    server {
            listen 80;
            listen 443 ssl spdy;
            server_name devly.co www.devly.co;
            ssl_certificate /var/www/devly.co/cert/ssl-bundle.crt;
            ssl_certificate_key /var/www/devly.co/cert/devly_co.key;
            access_log   /var/log/nginx/devly.co.access.log rt_cache;
            error_log    /var/log/nginx/devly.co.error.log;
            root /var/www/devly.co/htdocs;
            index index.php index.htm index.html;
    
            include common/wpfc.conf;
            include common/wpcommon.conf;
            include common/locations.conf;
            # force https-redirects
            if ($scheme = http) {
                return 301 https://$server_name$request_uri;
            }
    }

    Can you check if it redirects you to https ?

    Thank you so much guys !

  • The server block for port 80 can be used as it is in my example since any traffic handled by this server block would simply be redirected to the other (https) one. Any other configuration you need would be added only to the server block for port 443.

  • Ok Ryan, I'm trying to do the setup now.

    As of right now the config for the domain shows like this:

    server {
           listen         80;
           server_name    devly.co www.devly.co;
           return         301 https://$server_name$request_uri;
    }
    
    
    server {
            listen 443 ssl spdy;
            server_name devly.co www.devly.co;
            ssl on;
            ssl_certificate /var/www/devly.co/cert/ssl-bundle.crt;
            ssl_certificate_key /var/www/devly.co/cert/devly_co.key;
            access_log   /var/log/nginx/devly.co.access.log rt_cache;
            error_log    /var/log/nginx/devly.co.error.log;
            root /var/www/devly.co/htdocs;
            index index.php index.htm index.html;
    
            include common/wpfc.conf;
            include common/wpcommon.conf;
            include common/locations.conf;
    
    }
    
  • OK WORKS GREAT.

    Thanks a lot :)
    Can you verify if it shows you https and if not, redirects you ?
    Also, do you have any suggestions how to tweak the SSL settings for performance ?

    Thanks :D

  • Confirmed :)

    There are a few things you can do to optimize your ssl configuration on nginx. A quick search returned several blog posts and articles on the subject. This one looks like a good place to start.
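
An added example (not part of the original thread): a small Python check for the two mistakes discussed above, `ssl on` in a block that also listens on port 80 and a port-80 listener that never redirects. The configs are constructed samples modelled on the question and the answer; the `audit` helper and its finding names are illustrative, and the regex scan is a simplification, not nginx's own parser.

```python
import re

# Constructed sample, modelled on the single-block config in the question.
BROKEN = """
server {
    listen 80;
    listen 443 ssl;
    server_name devly.co www.devly.co;
    ssl on;
    if ($scheme = http) { return 301 https://$server_name$request_uri; }
}
"""
# Constructed sample, modelled on the two-block layout from the answer.
SPLIT = """
server { listen 80; server_name devly.co; return 301 https://$server_name$request_uri; }
server { listen 443 ssl; server_name devly.co; }
"""

def server_blocks(conf):
    """Yield the body of each server { ... } block, matching nested braces."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def port_of(listen_args):
    """Port of a listen directive; an address without a port means 80."""
    tail = listen_args.split()[0].rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else 80

def audit(conf):
    """Return (block_number, finding) pairs for HTTP->HTTPS redirect mistakes."""
    findings = []
    conf = re.sub(r"#.*", "", conf)  # drop comments before matching
    for n, body in enumerate(server_blocks(conf), 1):
        listens = re.findall(r"\blisten\s+([^;]+);", body)
        plain = [a for a in listens if "ssl" not in a.split()]
        ssl_on = re.search(r"\bssl\s+on\s*;", body) is not None
        to_https = re.search(r"\breturn\s+30[1278]\s+https://", body) is not None
        if ssl_on and any(port_of(a) == 80 for a in plain):
            # "ssl on" turns every listen in the block into TLS, port 80 included
            findings.append((n, "ssl-on-covers-port-80"))
        if re.search(r"\bif\s*\(\s*\$scheme\b", body):
            findings.append((n, "redirect-via-if-scheme"))
        if plain and not ssl_on and not to_https:
            findings.append((n, "http-listener-without-redirect"))
    return findings
```

Calling `audit(BROKEN)` reports both findings for block 1, while `audit(SPLIT)` returns an empty list.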

If you are using CloudFlare HTTPS

server {
   ...
   if ($http_x_forwarded_proto = "http") {
     return 301 https://$server_name$request_uri;
   }
   ... 
}

Peace!

Hello, one more question about the redirect.

When I put the IP address, for example http://ipofsitewithssl, it redirects to https://mysite, but when I try to access https://the ip address it does not redirect and loads the site.

This is my config:

server {
    listen 80;
    server_name mydomain.com.br www.mydomain.com.br;
    return 301 https://www.mydomain.com.br$request_uri;
}

server {
    listen 80;
    server_name my ip xx.xx.xx.xx;
    return 301 https://www.mydomain.com.br$request_uri;
}

server {
    listen 443;
    server_name www.mydomain.com.br;
    ssl on;
    ssl_certificate /var/www/mydomain.com.br/cert/wwwselfboxcombr.crt;
    ssl_certificate_key /var/www/mydomain.com.br/cert/wwwselfboxcombr.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}

  • This seems to be something technically impossible at the moment. You get an SSL_ERROR_BAD_CERT_DOMAIN error when you request https://your-ip-address
    Even google.com and several other top sites have this error when you request as above.
    If anybody is an expert in this and has something to share, please!!

    • Definitely not impossible by any stretch. I just set up my reverse proxy with NGINX to allow one site only to always redirect to SSL, and the other site to only use HTTP. Very simple setup and works like a charm.
