
SSL Correct Nginx Vhost ?

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by nVidian, Mar 18, 2015.

  1. nVidian

    Hi all, I have successfully installed SSL on one of my Drupal sites, but I still cannot find the correct vhost to redirect from www to non-www.

    This is my vhost file; please also check whether it could be made more efficient.
    Code:
    # Plain-HTTP catch-all for both hostnames: every request on the port-80
    # socket is sent to the canonical HTTPS origin with the path preserved.
    # `listen` without a port means port 80. This block only ever sees http://
    # traffic, so a request for https://www.domain.com never reaches it.
    server {
       listen IP_ADDRESS;
      server_name domain.com www.domain.com;
      return 301 https://domain.com$request_uri;
    }
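    # TLS vhost for the Drupal site. Two corrections over the original:
    #  * https://www.domain.com is now redirected to the canonical host (the
    #    port-80 server only handles plain HTTP, so TLS www requests were served
    #    as-is);
    #  * `location @rewrite` was declared twice; only one named location of a
    #    given name can be active, so the second (subdirectory) variant was dead
    #    and has been dropped in favour of the root-site form that matches `root`.
    server {
        listen IP_ADDRESS:443 ssl spdy;
        # Both names stay here so the certificate in ssl-unified.crt answers the
        # handshake for www.domain.com; the redirect below then moves the client
        # to the canonical host. (A separate www-only server block would also
        # work but would need the ssl_* directives repeated or moved to http{}.)
        server_name domain.com www.domain.com;

        # HTTPS www -> non-www. `if` + `return` at server level is one of the
        # forms nginx documents as safe; keep nothing else inside it.
        if ($host = www.domain.com) {
            return 301 https://domain.com$request_uri;
        }

        # "ssl on;" is not needed: the `ssl` parameter on `listen` already
        # enables TLS for this socket.
        ssl_dhparam          /usr/local/nginx/conf/ssl/domain.com/dhparam.pem;
        ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/ssl-unified.crt;
        ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain_com.key;
        # TLSv1 and TLSv1.1 are kept only for legacy clients; remove them once
        # client compatibility allows.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache    shared:SSL:10m;
        ssl_session_timeout  10m;
        # Cipher string kept as given. Two things to be aware of: DES-CBC3-SHA
        # (3DES) remains enabled through its explicit entry (`!DES` does not
        # cover 3DES, and only the EDH/KRB5 3DES suites are excluded), and
        # CAMELLIA is both listed and excluded -- in OpenSSL syntax the `!`
        # removal wins, so the positive entry has no effect. Check the effective
        # list with `openssl ciphers -v '<this string>'` before relying on it.
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
        ssl_prefer_server_ciphers  on;

        add_header Alternate-Protocol  443:npn-spdy/3;
        # HSTS for one year including subdomains; only meaningful once every
        # subdomain is reachable over TLS.
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
        # The two hardening headers below are disabled in the original; they take
        # effect only when uncommented.
        #add_header  X-Content-Type-Options "nosniff";
        #add_header X-Frame-Options DENY;
        # nginx 1.5.9+ or higher
        # http://nginx.org/en/docs/http/ngx_http_spdy_module.html#spdy_headers_comp
        # http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size
        # spdy_headers_comp 0;
        # ssl_buffer_size 4k;

        # OCSP stapling. `resolver` is what nginx uses to look up the OCSP
        # responder's hostname; a local caching resolver keeps those lookups
        # on-box instead of sending them to a public resolver in clear.
        resolver 8.8.8.8;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/ssl-trusted.crt;

        root /home/nginx/domains/domain.com/public;

        # ngx_pagespeed & ngx_pagespeed handler
        include /usr/local/nginx/conf/pagespeed.conf;
        include /usr/local/nginx/conf/pagespeedhandler.conf;
        include /usr/local/nginx/conf/pagespeedstatslog.conf;

        location = /favicon.ico {
            log_not_found off;
            access_log off;
        }
        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }
        # This matters if you use drush
        location = /backup {
            deny all;
        }
        # Very rarely should these ever be accessed outside of your lan
        location ~* \.(txt|log)$ {
            allow 192.168.0.0/16;
            deny all;
        }
        # No PHP execution from any path that contains a dot-directory.
        location ~ \..*/.*\.php$ {
            return 403;
        }
        location / {
            # This is cool because no php is touched for static content
            try_files $uri @rewrite;
        }
        # Single named location (the original declared @rewrite twice). The
        # replacement contains no trailing "?", so the original query string is
        # appended after q= automatically.
        location @rewrite {
            # Some modules enforce no slash (/) at the end of the URL
            # Else this rewrite block wouldn't be needed (GlobalRedirect)
            rewrite ^/(.*)$ /index.php?q=$1;
        }
        location ~ \.php$ {
            # A script that does not exist on disk yields 418, which is mapped
            # to @rewrite so clean URLs end up at index.php.
            error_page 418 = @rewrite;
            recursive_error_pages on;
            # NOTE(review): the leading [^=] consumes the first character of the
            # URI, so for /index.php/foo the script part captures "index.php"
            # without its leading slash; the -e test below then fails and the
            # request is re-routed through @rewrite, which is why this has not
            # been noticed. The conventional pattern is ^(.+\.php)(/.+)$ --
            # confirm in the debug log before changing it.
            fastcgi_split_path_info ^[^=](.+\.php)(/.+)$;
            include fastcgi_params;
            if ( $uri = /index.php ) {
                # not sure this conditional works, will have to check the debug logs
                break;
            }
            if ( !-e $document_root$fastcgi_script_name) {
                return 418;
            }
            #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            #fastcgi_intercept_errors on;
            #fastcgi_read_timeout 240;
            fastcgi_pass  127.0.0.1:9000;
        }
        # Fighting with ImageCache? This little gem is amazing.
        location ~ ^/sites/.*/files/imagecache/ {
            try_files $uri @rewrite;
        }
        # Catch image styles for D7 too.
        location ~ ^/sites/.*/files/styles/ {
            try_files $uri @rewrite;
        }
        location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
            expires max;
            log_not_found off;
        }
        include /usr/local/nginx/conf/staticfiles.conf;
        # If php.conf declares its own `location ~ \.php$`, the inline one above
        # wins: nginx uses the first matching regex location in file order.
        include /usr/local/nginx/conf/php.conf;
        # include /usr/local/nginx/conf/drop.conf;
        include /usr/local/nginx/conf/errorpage.conf;
    }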
    
     
  2. Mask

    I could be wrong, but I think it should be like this:
    Code:
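    # Plain-HTTP server for both names: everything is sent to the canonical
    # HTTPS host. The trailing "?" stops nginx appending the original query
    # string a second time (it is already inside $request_uri).
    server {
        server_name www.example.com example.com;
        rewrite ^ https://example.com$request_uri? permanent;
    }

    # TLS server that exists only to move https://www.example.com to the
    # canonical host. It still has to complete the handshake first, so it needs
    # ssl_certificate / ssl_certificate_key for a certificate that covers
    # www.example.com; without them the redirect is never sent.
    server {
        listen 443;
        ssl on;
        server_name www.example.com;   # the original lacked the ";" and would not load
        rewrite ^ https://example.com$request_uri? permanent;

        # << rest of the config here: certificate directives, and the
        #    example.com server on 443 that actually serves the site >>
    }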
    
     
  3. eva2000

    One minor change: in the `server_name` of your second server context (the SSL one), remove the www entry.

    Code:
    # Port-80 server: both hostnames are redirected to the canonical HTTPS host.
    server {
       listen IP_ADDRESS;
      server_name domain.com www.domain.com;
      return 301 https://domain.com$request_uri;
    }
    # TLS server with www removed from server_name (excerpt; rest of the block omitted).
    # NOTE(review): dropping www here does not by itself redirect
    # https://www.domain.com. When no server_name matches, nginx hands the
    # request to the default server for IP_ADDRESS:443 -- if this is the only
    # server on that socket, that is still this block and the request is served
    # under the www name without a redirect. A www -> non-www redirect for HTTPS
    # has to be expressed explicitly (a www-only 443 server, or an
    # `if ($host = www.domain.com) { return 301 ...; }` at server level).
    server {
         listen IP_ADDRESS:443 ssl spdy;
      server_name domain.com;
    #ssl  on;
     
  4. nVidian

    I have more than one IP; that's why I think I should insert
    Code:
    server {
       listen IP_ADDRESS;
    .....
    
    Thanks for your reply
     
  5. nVidian

    OK, I'll try your suggestion.