Nginx https to http

March 29, 2017 13.3k views
Nginx LEMP WordPress Ubuntu 16.04
pixelment
By:
pixelment

I have an issue with a freshly configured Nginx setup on Ubuntu 16.04. My site loads fine using http, but I get a connection refused error when I access it using https. I don't need https at the moment, so I would like to redirect these request to http.

My server block looks almost exactly like the LEMP tutorial (https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-in-ubuntu-16-04) with the addition of a condition that checks for https, then redirects to http. For some reason, this is not working for me. Any help would be appreciated!

See my edited down server block:

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        server_name domain.com www.domain.com;

        if ( $https = "on" ) {
                return 301 http://$host$request_uri;
        }
}
Log In to Comment
4 Answers
hansen March 29, 2017
Accepted Answer

@pixelment @jtittle
You should setup Lets Encrypt - and keep your site on HTTPS-only (with a redirect from HTTP).
There's multiple advantages to HTTPS - first is that it allows http/2, which is version 2 of the HTTP protocol. This will speed up your site a lot, since all files on the site's connection is streamed through the same tunnel.
And search engines are actually preferring HTTPS, so you'll get a lower ranking if you don't have it.

Reply
  • jtittle1 March 29, 2017

    @pixelment @hansen

    LE is definitely a perfectly fine choice. Unless you're a business and need the protection that is offered by the higher-priced certificates, and you need something more than just the green lock (i.e. business verification/validation) -- or you need a WildCard certificate -- then LE is the best overall choice and it's free.

    If you're just running an API, Blog, Tutorial Site, etc -- LE will be just fine.

hansen March 29, 2017

Do you have a certificate or are you using Lets Encrypt?
Can you post all the configuration - it's okay if you change your domain name to domain.com

Reply
  • pixelment March 29, 2017

    Neither. Initially, I wasn't planning to use an SSL certificate but Let's Encrypt sounds intriguing.

    Here is the full server block:

    server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;

    index index.php index.html index.htm index.nginx-debian.html;

    server_name domain.com www.domain.com;

    if ( $https = "on" ) {
        return 301 http://$host$request_uri;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }

    location = /favicon.ico { log_not_found off; access_log off; }
    location = /robots.txt { log_not_found off; access_log off; allow all; }
    location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires max;
        log_not_found off;
    }
}

    That's the only thing I've updated. Everything else is default Nginx.

    • hansen March 29, 2017

      @pixelment

      Now I get it. I think I misunderstood first time.

      If you've never used HTTPS on your domain before, then there's no need to do anything.

      If you used to have HTTPS, but not anymore, then we need to setup a server block with a certificate to redirect.

      I would highly recommend that you get HTTPS and make a redirect from HTTP to HTTPS.
      https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

      By the way, remove this, since it doesn't do anything. You're asking if the connection is https, but it will never be in that server block, since it's a http-only server block.

          if ( $https = "on" ) {
        return 301 http://$host$request_uri;
    }
      How To Secure Nginx with Let's Encrypt on Ubuntu 16.04
      by Mitchell Anicas
      In this tutorial, we will show you how to use Let's Encrypt to obtain a free SSL certificate and use it with Nginx on Ubuntu 16.04. We will also show you how to automatically renew your SSL certificate. If you're running a different web server, simply follow your web server's documentation to learn how to use the certificate with your setup.
      • pixelment March 29, 2017

        This domain had a history of HTTPS, but with a newly developed site, we opt to go HTTP only since it's just informational content (not collecting any personal information).

        Basically, users of the old site have the old HTTPS URL bookmarked and noticed they can no longer access the site, hence the reason for me to redirect HTTPS to HTTP.

        Let's Encrypt sounds like a good solution. I'll take a look!

jtittle1 March 29, 2017

@pixelment

With the server block provided, SSL isn't configured, thus will not work. If you're not listening on port 443, then SSL/HTTPS is not active, thus requests for it will result in an error.

Instead of trying to trying to redirect HTTPS => HTTP, I would simply recommend setting up SSL and not worrying about redirects that are typically not standard and may cause issues.

Reply
  • pixelment March 29, 2017

    Ok I think I follow. So basically I'll need to setup SSL even if I don't need it?

    • hansen March 29, 2017

      No, if you don't want https, then you don't need to do anything.

    • jtittle1 March 29, 2017

      @pixelment

      Technically, yes.

      The reason for this is because with the server block you have now, NGINX isn't listening on port 443 -- thus requests that would normally be served on that port won't work.

      For SSL/HTTPS to work, you have to listen on 443, even if your intention is to redirect away from it. There are some use cases for such, though ultimately, and from a security POV, you want SSL as it provides security/encryption -- something normal HTTP requests on port 80 do not provide.

      • pixelment March 29, 2017

        Alright, so I should create another server block to listen to 443, then apply a redirect rule there?

        server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    server_name domain.com www.domain.com;

    return 301 http://$host$request_uri;
}
        • jtittle1 March 29, 2017

          @pixelment

          You'll want to setup a certificate as well, otherwise some browsers may not actually redirect.

          Without a valid SSL Certificate, visitors will likely receive a warning telling them that the site is not secure and that they should leave (which Chrome is notorious for).

          Also consider people that have the HTTPS Everywhere plugin installed (I do). That only reinforces SSL over standard HTTP. In some cases, I may not even be able to browse your site depending on whether I've set the plugin to force SSL and block non-SSL connections.

          • pixelment March 29, 2017

            Got it, for my situation I'll need to purchase an SSL certificate or generate one using Let's Encrypt correct?

            Since I'm already doing that, then I might as well just allow HTTPS and remove the redirect.

pixelment March 29, 2017
[deleted]
Reply
Have another answer? Share your knowledge.

Related Questions