By: pixelment

Nginx https to http

March 29, 2017
Nginx LEMP WordPress Ubuntu 16.04

I have an issue with a freshly configured Nginx setup on Ubuntu 16.04. My site loads fine using http, but I get a connection refused error when I access it using https. I don't need https at the moment, so I would like to redirect these requests to http.

My server block looks almost exactly like the LEMP tutorial (https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-in-ubuntu-16-04) with the addition of a condition that checks for https, then redirects to http. For some reason, this is not working for me. Any help would be appreciated!

See my edited down server block:

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        server_name domain.com www.domain.com;

        if ( $https = "on" ) {
                return 301 http://$host$request_uri;
        }
}
4 Answers
hansen March 29, 2017
Accepted Answer

@pixelment @jtittle
You should set up Let's Encrypt - and keep your site on HTTPS-only (with a redirect from HTTP).
There are multiple advantages to HTTPS - first is that it allows http/2, which is version 2 of the HTTP protocol. This will speed up your site a lot, since all files on the site's connection are streamed through the same tunnel.
And search engines are actually preferring HTTPS, so you'll get a lower ranking if you don't have it.

  • @pixelment @hansen

    LE is definitely a perfectly fine choice. Unless you're a business and need the protection that is offered by the higher-priced certificates, and you need something more than just the green lock (i.e. business verification/validation) -- or you need a WildCard certificate -- then LE is the best overall choice and it's free.

    If you're just running an API, Blog, Tutorial Site, etc -- LE will be just fine.

Do you have a certificate or are you using Let's Encrypt?
Can you post all the configuration? It's okay if you change your domain name to domain.com.

  • Neither. Initially, I wasn't planning to use an SSL certificate but Let's Encrypt sounds intriguing.

    Here is the full server block:

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
    
        root /var/www/html;
    
        index index.php index.html index.htm index.nginx-debian.html;
    
        server_name domain.com www.domain.com;
    
        if ( $https = "on" ) {
            return 301 http://$host$request_uri;
        }
    
        location / {
            try_files $uri $uri/ /index.php$is_args$args;
        }
    
        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        }
    
        location ~ /\.ht {
            deny all;
        }
    
        location = /favicon.ico { log_not_found off; access_log off; }
        location = /robots.txt { log_not_found off; access_log off; allow all; }
        location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
            expires max;
            log_not_found off;
        }
    }
    

    That's the only thing I've updated. Everything else is default Nginx.

    • @pixelment

      Now I get it. I think I misunderstood first time.

      If you've never used HTTPS on your domain before, then there's no need to do anything.

      If you used to have HTTPS, but not anymore, then we need to set up a server block with a certificate to redirect.

      I would highly recommend that you get HTTPS and make a redirect from HTTP to HTTPS.
      https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

      By the way, remove this, since it doesn't do anything. You're asking if the connection is https, but it will never be in that server block, since it's an http-only server block.

          if ( $https = "on" ) {
              return 301 http://$host$request_uri;
          }
      
      • This domain had a history of HTTPS, but with a newly developed site, we opt to go HTTP only since it's just informational content (not collecting any personal information).

        Basically, users of the old site have the old HTTPS URL bookmarked and noticed they can no longer access the site, hence the reason for me to redirect HTTPS to HTTP.

        Let's Encrypt sounds like a good solution. I'll take a look!

@pixelment

With the server block provided, SSL isn't configured, thus will not work. If you're not listening on port 443, then SSL/HTTPS is not active, thus requests for it will result in an error.

Instead of trying to redirect HTTPS => HTTP, I would simply recommend setting up SSL and not worrying about redirects that are typically not standard and may cause issues.

  • Ok, I think I follow. So basically I'll need to set up SSL even if I don't need it?

    • No, if you don't want https, then you don't need to do anything.

    • @pixelment

      Technically, yes.

      The reason for this is because with the server block you have now, NGINX isn't listening on port 443 -- thus requests that would normally be served on that port won't work.

      For SSL/HTTPS to work, you have to listen on 443, even if your intention is to redirect away from it. There are some use cases for such, though ultimately, and from a security POV, you want SSL as it provides security/encryption -- something normal HTTP requests on port 80 do not provide.

      • Alright, so I should create another server block to listen to 443, then apply a redirect rule there?

        server {
            listen 443 ssl default_server;
            listen [::]:443 ssl default_server;
        
            server_name domain.com www.domain.com;
        
            return 301 http://$host$request_uri;
        }
        
        • @pixelment

          You'll want to set up a certificate as well, otherwise some browsers may not actually redirect.

          Without a valid SSL Certificate, visitors will likely receive a warning telling them that the site is not secure and that they should leave (which Chrome is notorious for).

          Also consider people that have the HTTPS Everywhere plugin installed (I do). That only reinforces SSL over standard HTTP. In some cases, I may not even be able to browse your site depending on whether I've set the plugin to force SSL and block non-SSL connections.

          • Got it, for my situation I'll need to purchase an SSL certificate or generate one using Let's Encrypt, correct?

            Since I'm already doing that, then I might as well just allow HTTPS and remove the redirect.
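
The setup the answers above converge on, written out as an added example (not posted by anyone in the thread): port 80 redirects to HTTPS, and the port 443 block carries a certificate, because the TLS handshake completes before nginx can send any response, a redirect included. The certificate paths assume certbot's default layout for a certificate issued for domain.com; the rest is taken from the server block posted above.

```nginx
# Added example, not from the thread.

# Port 80: plain HTTP. $https is always empty on this listener, so no
# "if" test is needed; every request is sent to the HTTPS site.
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    server_name domain.com www.domain.com;

    return 301 https://$host$request_uri;
}

# Port 443: nginx must present a certificate here. Without the two
# ssl_certificate* directives the "ssl" listener cannot complete a
# handshake, so browsers never see the site or any redirect.
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    server_name domain.com www.domain.com;

    # Assumed paths: certbot's default location for domain.com.
    ssl_certificate     /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

    root /var/www/html;
    index index.php index.html index.htm index.nginx-debian.html;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }
}
```

Run `nginx -t` after editing to confirm the certificate files are readable before reloading.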
