
SSL http and https

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by Francisco Esteves, Sep 4, 2014.

  1. Francisco Esteves

    Francisco Esteves New Member

    Hello,
    About Nginx HTTPS / SSL Google SPDY configuration

    This how-to appears to cover only a site with SSL that redirects http to https, right?
    My client needs both http and https to work (they only want to use SSL on a few pages). How do I set up this configuration correctly?

    Thanks,

     
  2. eva2000

    eva2000 Administrator Staff Member

    yeah the config outlined in that link is for http redirect to https only

    For http and https, you'd need to remove the redirect and have listen 80 port along with listen 443 spdy ssl in same server context for your domain VHOST

    so remove

    Code:
    # Redirect-only server: every request for these names is answered with a
    # permanent redirect to the https:// URL. $server_name expands to the first
    # name listed in server_name, not to the host the client asked for.
    # Browsers cache 301 responses, so a client that has already seen this
    # redirect may keep following it after the block is removed.
    server {
      server_name domain.com www.domain.com;
      return 301 https://$server_name$request_uri;
    }
    and use

    Code:
    # One server block answering on both port 80 (plain HTTP) and port 443
    # (TLS + SPDY). Every server-level directive in the block, including any
    # add_header such as Strict-Transport-Security, is then configured for both
    # listeners. (The snippet is an excerpt; the rest of the vhost follows.)
    server {
            listen 80;
            listen 443 ssl spdy;
                server_name domain.com;
     
    Last edited: Sep 7, 2014
  3. Francisco Esteves

    Francisco Esteves New Member

    Hello,
    Thanks for help but have a new problem.

    When I open an http page, everything works fine. When I open an https page and then try to open an http page again, the page redirects to https and I can no longer access the http page. It's not related to scripts or browser cache.

    Any idea?

    Have see this in headers of http page

    alternate: :443:npn-spdy/3

    Using Google as example in http alternate is port 80.
     
  4. eva2000

    eva2000 Administrator Staff Member

    sounds like still browser cache from previous http to https 301 permanent redirects as they are cached into browser

    you can try a totally different browser and check to see if it is the case
     
  5. Francisco Esteves

    Francisco Esteves New Member

    Hello,
    Its not related to browser.

    In clean browser i can access http. When access https i cant open again http because browser redirect to https.
    Can i send the url via pm for you to check?
     
  6. eva2000

    eva2000 Administrator Staff Member

    yeah pm me the domain

    but post contents of your nginx vhost conf file here masking domain name
     
  7. eva2000

    eva2000 Administrator Staff Member

    got pm,

    works fine for me in IE11

    going http works
    going https works
    going back to http works

    you probably didn't clear your browser cache properly, cache and browser history needs clearing and closing browser..

    you'd have to google search for proper ways to clear browser of 301 permanent redirects

    try a different browser altogether to confirm
     
  8. Francisco Esteves

    Francisco Esteves New Member

    Hello,
    # https SSL SPDY vhost
    # A single server block answers both plain HTTP (port 80) and TLS/SPDY
    # (port 443), so the server-level directives below apply to both listeners.
    server {
    listen 80;
    listen 443 ssl spdy;
    server_name xxxx.net www.xxxx.net;

    ssl_certificate /usr/local/nginx/conf/ssl/xxxx.net/ssl-unified.crt;
    ssl_certificate_key /usr/local/nginx/conf/ssl/xxxx.net/ssl.key;
    # NOTE(review): SSLv3 is enabled here. SSLv3 is broken (POODLE) and
    # TLSv1/TLSv1.1 are deprecated; current practice is to list only
    # TLSv1.2 and TLSv1.3.
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # NOTE(review): the list still admits RC4 suites (ECDHE-RSA-RC4-SHA,
    # ECDHE-ECDSA-RC4-SHA, RC4-SHA) and the broad AES128/AES256/HIGH aliases;
    # RC4 is prohibited for TLS (RFC 7465). The trailing !kEDH:!EDH exclusions
    # also appear to remove the DHE-* suites named earlier in the same string,
    # since "!" deletes a cipher permanently - confirm with `openssl ciphers -v`.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!kEDH:!EDH:!CAMELLIA;
    ssl_prefer_server_ciphers on;
    # Tells clients that SPDY/3 is available on port 443.
    add_header Alternate-Protocol 443:npn-spdy/3;
    # HSTS: once a browser receives this header over HTTPS it rewrites every
    # later http:// request for this host (and, with includeSubdomains, its
    # subdomains) to https:// for max-age seconds (31536000 = 365 days).
    # Browsers ignore the header on plain-HTTP responses, so it is the 443
    # listener that triggers the behaviour. This conflicts with serving some
    # pages of the same host over plain HTTP. Removing the line does not clear
    # a policy a browser has already stored; sending max-age=0 over HTTPS does.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

    # enable ocsp stapling
    # NOTE(review): the resolver is a third-party public DNS server reached over
    # plain DNS; a local or otherwise trusted resolver is commonly preferred.
    resolver 8.8.8.8;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /usr/local/nginx/conf/ssl/xxxx.net/ssl-trusted.crt;

    access_log /home/nginx/domains/xxxx.net/log/access.log combined buffer=32k;
    error_log /home/nginx/domains/xxxx.net/log/error.log;
    root /home/nginx/domains/xxxx.net/public;

    # ngx_pagespeed & ngx_pagespeed handler
    include /usr/local/nginx/conf/pagespeed.conf;
    include /usr/local/nginx/conf/pagespeedhandler.conf;
    include /usr/local/nginx/conf/pagespeedstatslog.conf;

    error_page 404 /index.php?controller=404;

    # PrestaShop rewrites
    # Rules are evaluated in the order written; `last` stops this rule set and
    # restarts location matching with the rewritten URI.
    # NOTE(review): none of the five language-prefix patterns below has a
    # capture group, so $1 is not set by the match - presumably "^/pt/(.*)$"
    # and so on was intended; verify what these actually rewrite to.
    rewrite "^/pt/" /$1 last;
    rewrite "^/es/" /$1 last;
    rewrite "^/en/" /$1 last;
    rewrite "^/fr/" /$1 last;
    rewrite "^/it/" /$1 last;

    # Friendly image URLs -> files under /img/p/ and /img/c/
    rewrite ^/([a-z0-9]+)\-([a-z0-9]+)(\-[_a-zA-Z0-9-]*)/[_a-zA-Z0-9-]*\.jpg$ /img/p/$1-$2$3.jpg last;
    rewrite ^/([0-9]+)\-([0-9]+)/[_a-zA-Z0-9-]*\.jpg$ /img/p/$1-$2.jpg last;
    rewrite ^/([0-9])(\-[_a-zA-Z0-9-]*)?/[_a-zA-Z0-9-]*\.jpg$ /img/p/$1/$1$2.jpg last;
    rewrite ^/([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?/[_a-zA-Z0-9-]*\.jpg$ /img/p/$1/$2/$1$2$3.jpg last;
    rewrite ^/([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?/[_a-zA-Z0-9-]*\.jpg$ /img/p/$1/$2/$3/$1$2$3$4.jpg last;
    rewrite ^/([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?/[_a-zA-Z0-9-]*\.jpg$ /img/p/$1/$2/$3/$4/$1$2$3$4$5.jpg last;
    rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?/[_a-zA-Z0-9-]*\.jpg$ /img/p/$1/$2/$3/$4/$5/$1$2$3$4$5$6.jpg last;
    rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?/[_a-zA-Z0-9-]*\.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$1$2$3$4$5$6$7.jpg last;
    rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?/[_a-zA-Z0-9-]*\.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$7/$1$2$3$4$5$6$7$8.jpg last;
    rewrite ^/([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?/[_a-zA-Z0-9-]*\.jpg$ /img/p/$1/$2/$3/$4/$5/$6/$7/$8/$1$2$3$4$5$6$7$8$9.jpg last;
    rewrite ^/c/([0-9]+)(\-[_a-zA-Z0-9-]*)/[_a-zA-Z0-9-]*\.jpg$ /img/c/$1$2.jpg last;
    rewrite ^/c/([a-zA-Z-]+)/[a-zA-Z0-9-]+\.jpg$ /img/c/$1.jpg last;
    rewrite ^/([0-9]+)(\-[_a-zA-Z0-9-]*)/[_a-zA-Z0-9-]*\.jpg$ /img/c/$1$2.jpg last;
    # Friendly product/category/supplier URLs -> PHP front controllers; only the
    # numeric id captured by ([0-9]+) is passed on as a query parameter.
    rewrite ^/([0-9]+)\-[a-zA-Z0-9-]*\.html /product.php?id_product=$1 last;
    rewrite ^/[a-zA-Z0-9-]*/([0-9]+)\-[a-zA-Z0-9-]*\.html /product.php?id_product=$1 last;
    rewrite ^/([0-9]+)\-[a-zA-Z0-9-]*(/[a-zA-Z0-9-]*)+ /category.php?id_category=$1&noredirect=1 last;
    rewrite ^/([0-9]+)\-[a-zA-Z0-9-]* /category.php?id_category=$1 last;
    rewrite ^/([0-9]+)__([a-zA-Z0-9-]*) /supplier.php?id_supplier=$1 last;
    #rewrite ^/([0-9]+)_([a-zA-Z0-9-]*) /manufacturer.php?id_manufacturer=$1 last;

    # CMS pages and fixed page aliases
    rewrite ^/content/([0-9]+)\-([a-zA-Z0-9-]*) /cms.php?id_cms=$1 last;
    rewrite ^/content/category/([0-9]+)\-([a-zA-Z0-9-]*) /cms.php?id_cms_category=$1 last;
    rewrite ^/page-not-found$ /404.php last;
    rewrite ^/address$ /address.php last;
    rewrite ^/addresses$ /addresses.php last;
    rewrite ^/authentication$ /authentication.php last;
    rewrite ^/best-sales$ /best-sales.php last;
    rewrite ^/cart$ /cart.php last;
    rewrite ^/contact-us$ /contact-form.php last;
    rewrite ^/discount$ /discount.php last;
    rewrite ^/guest-tracking$ /guest-tracking.php last;
    rewrite ^/order-history$ /history.php last;
    rewrite ^/identity$ /identity.php last;
    rewrite ^/manufacturers$ /manufacturer.php last;
    rewrite ^/my-account$ /my-account.php last;
    rewrite ^/new-products$ /new-products.php last;
    rewrite ^/order$ /order.php last;
    rewrite ^/order-follow$ /order-follow.php last;
    rewrite ^/quick-order$ /order-opc.php last;
    rewrite ^/order-slip$ /order-slip.php last;
    rewrite ^/password-recovery$ /password.php last;
    rewrite ^/prices-drop$ /prices-drop.php last;
    rewrite ^/search$ /search.php last;
    rewrite ^/sitemap$ /sitemap.php last;
    rewrite ^/stores$ /stores.php last;
    rewrite ^/supplier$ /supplier.php last;

    #COMPRESS
    # Static-asset locations: long cache lifetimes plus a wildcard CORS header,
    # which lets any origin read these responses cross-origin.
    # NOTE(review): add_header is inherited from the server level only when a
    # location defines no add_header of its own, so responses served from the
    # locations below do not carry the server-level Alternate-Protocol and
    # Strict-Transport-Security headers.
    # NOTE(review): the leading "." in each pattern is unescaped, so it matches
    # any character rather than a literal dot ("\." was presumably intended).
    location ~* .(gif|jpg|jpeg|png)$ {
    expires 3M;
    add_header Pragma public;
    add_header Cache-Control "max-age=7776000, public";
    add_header Access-Control-Allow-Origin *;
    }
    location ~* .(ico)$ {
    expires 1y;
    add_header Pragma public;
    add_header Cache-Control "max-age=31536000, public";
    add_header Access-Control-Allow-Origin *;
    }
    location ~* .(mp4)$ {
    expires 1y;
    add_header Pragma public;
    add_header Cache-Control "max-age=31536000, public";
    add_header Access-Control-Allow-Origin *;
    }
    location ~* .(woff|otf|eot|ttf)$ {
    expires 1y;
    add_header Pragma public;
    add_header Cache-Control "max-age=31536000, public";
    add_header Access-Control-Allow-Origin *;
    }
    location ~* .(css|js|jsonp)$ {
    expires 1M;
    add_header Pragma public;
    add_header Cache-Control "max-age=2592000, public";
    add_header Access-Control-Allow-Origin *;
    }

    location ~* .(dat)$ {
    expires 1y;
    add_header Pragma public;
    add_header Cache-Control "max-age=31536000, public";
    add_header Access-Control-Allow-Origin *;
    }
    #Dont Index Sitemap
    # Asks crawlers not to index XML / gzipped XML responses.
    location ~* ^.+.(xml|xml.gz)$ {
    add_header X-Robots-Tag "noindex";
    }

    #Disallow TPL
    # Refuses direct requests for template files (any URI ending in "tpl"
    # preceded by one character, because the dot is unescaped).
    location ~* .(tpl)$ {
    deny all;
    }
    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/php.conf;
    include /usr/local/nginx/conf/drop.conf;
    #include /usr/local/nginx/conf/errorpage.conf;
    }
     
  9. eva2000

    eva2000 Administrator Staff Member

    better to use [CODE][/CODE] tags for the vhost contents ;)

    but nothing in the Nginx vhost I see can cause that other than your browser's caching the 301 permanent redirects.

    you'd have to google search for proper ways to clear browser of 301 permanent redirects

    ie. masking yourdomain.com

    working no 301 redirects

    Code:
    curl -I http://www.yourdomain.com/isaque.php
    HTTP/1.1 200 OK
    Server: nginx centminmod
    Date: Sun, 07 Sep 2014 12:25:11 GMT
    Content-Type: text/html; charset=utf-8
    Connection: keep-alive
    Vary: Accept-Encoding
    Alternate-Protocol: 443:npn-spdy/3
    Strict-Transport-Security: max-age=31536000; includeSubdomains;
    
    Code:
    curl -I https://www.yourdomain.com/isaque.php
    HTTP/1.1 200 OK
    Server: nginx centminmod
    Date: Sun, 07 Sep 2014 12:25:20 GMT
    Content-Type: text/html; charset=utf-8
    Connection: keep-alive
    Vary: Accept-Encoding
    Alternate-Protocol: 443:npn-spdy/3
    Strict-Transport-Security: max-age=31536000; includeSubdomains;
    
     
  10. Francisco Esteves

    Francisco Esteves New Member

    Hello,
    Very stange because we never access the site with my smartphone because is new..
    But alternate protocol is correct?

    Example for Google:

    google.pt:80 -> alternate google.pt:80:quic
    google.com:443 -> alternate google.com:443:quic
     
  11. eva2000

    eva2000 Administrator Staff Member

    yes correct, it tells browser that server supports SPDY/3.1 SSL and should use it

    Code:
    Alternate-Protocol: 443:npn-spdy/3
    @Tracy Perry is currently working on a forum with http to https 301 redirect cached in browser too and it's working for me when he has temp removed https to http. Maybe he has more tips for proper browser cache clearing ?

    google search has alot on it too Let me google that for you

    oh some things to try web development - How can I make Chrome stop caching redirects? - Super User

     
    Last edited: Sep 7, 2014
  12. Francisco Esteves

    Francisco Esteves New Member

    Maybe find the problem?

    Strict-Transport-Security Supported

    Excellent! This website is using HSTS, also known as Strict Transport Security. This tells the browser to always use SSL when talking to this website, allows more of your visitors the opportunity to both be secure and to use SPDY. The server is sending the header Strict-Transport-Security: max-age=31536000; includeSubdomains; which tells the web browser to always use SSL to access this website for the next 365 days.

    Code:
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    Try remove this?
     
  13. eva2000

    eva2000 Administrator Staff Member

    yes you might want to remove it, or instead create 2 separate server {} contexts, one for listen 80 and one for listen 443 spdy ssl, in the same Nginx vhost file
     
  14. Francisco Esteves

    Francisco Esteves New Member

    Removing Strict-Transport-Security have any benefict using two server{}?
     
  15. eva2000

    eva2000 Administrator Staff Member

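    only need to remove it from the non-https server {} if you separate the server {} contexts, one for listen 80 and one for listen 443 spdy ssl, in the same Nginx vhost file. [Note: browsers act on Strict-Transport-Security only when it arrives over HTTPS, so as long as the 443 server keeps sending it, a browser that has loaded any https page will go on upgrading http requests for the domain to https until max-age expires.]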
     
  16. Tracy Perry

    Tracy Perry Active Member

    For xenadmins.com, here is the vhost I was using
    Code:
    # Port-80 server that answers every request with a permanent redirect.
    # NOTE(review): the redirect target is http://, the same scheme and host
    # this block serves, and the server block that follows has no listen
    # directive (so it defaults to port 80 with the same server_name). As posted
    # this looks like it redirects to itself - presumably a temporary edit of an
    # https:// redirect while the TLS settings are commented out; confirm.
    # Browsers cache 301 responses, so clients may keep following an old one.
    server {
        listen   80;
        server_name xenadmins.com;
        return 301 http://$server_name$request_uri;
            }
    # Main vhost. Every TLS/SPDY directive is commented out, so as posted this
    # block serves plain HTTP only.
    server {
            server_name xenadmins.com;
    # Disabled TLS settings, kept for reference.
    # NOTE(review): if these are re-enabled, the ssl_protocols line still lists
    # SSLv3 and the cipher string still admits 3DES suites; both are considered
    # unsafe today.
    #        listen   443 ssl spdy;
    #        ssl on;
    #        ssl_certificate     /usr/local/nginx/conf/ssl/ssl-bundle.crt;
    #        ssl_certificate_key /usr/local/nginx/conf/ssl/xenadmins_com.key;
     #       ssl_ciphers #ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    #        add_header Alternate-Protocol 443:npn-spdy/3;
    #        ssl_protocols   SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    #        ssl_prefer_server_ciphers   on;
    #        ssl_session_cache    shared:SSL:10m;
    #        ssl_session_timeout  10m;
    #        add_header X-Content-Type-Options "nosniff";
    #        add_header X-Frame-Options SAMEORIGIN;
    #        spdy_headers_comp 5;
    #        ssl_buffer_size 4k;
    #        ssl_session_tickets on;
    #        ssl_stapling_verify on;
    #        ssl_stapling on;
    #        ssl_trusted_certificate /usr/local/nginx/conf/ssl/ssl-bundle.crt;
    #        resolver 8.8.8.8 8.8.4.4 valid=10m;
    #        resolver_timeout 10s;
    #        add_header Strict-Transport-Security max-age=31536000;
    #        add_header X-Cache $upstream_cache_status;
    #        spdy_keepalive_timeout 180s; # inactivity timeout after which the SPDY connection is closed
     #       spdy_recv_timeout        4s; # timeout if nginx is currently expecting data from the client but nothing arrives
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
    #  ssi  on;
    
      access_log /home/nginx/domains/xenadmins.com/log/access.log combined buffer=32k;
      error_log /home/nginx/domains/xenadmins.com/log/error.log;
    
      root /home/nginx/domains/xenadmins.com/public;
    
    # stub_status page: reachable from localhost and the two listed addresses
    # only; every other client is denied.
    location /nginx_status {
                    stub_status on;
                    access_log   off;
                    allow 127.0.0.1;
                    allow 204.44.114.103;
                    allow 64.188.254.247;
                    deny all;
        }
    
    
      location / {
    
            index index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$uri&$args;
        # `internal` limits these two prefixes to internal requests; the
        # allow/deny pair is an additional address restriction on top of that.
        location /internal_data/ {
                internal;
                allow 127.0.0.1;
                deny all;
                }
        location /library/ {
                internal;
                allow 127.0.0.1;
                deny all;
                }
            
            
                # Proxies to the local Monitorix instance behind HTTP basic auth.
                # NOTE(review): there is an `allow 127.0.0.0/8` but no `deny all`,
                # so the allow line restricts nobody and access rests on basic
                # auth alone; with the TLS directives above commented out, those
                # credentials are sent over plain HTTP.
                location /monitorix {
                        auth_basic "Restricted";
                        auth_basic_user_file /etc/monitorix/monitorix-users;
                        include /usr/local/nginx/conf/proxy.conf;
                        proxy_pass          http://localhost:8080/monitorix;
                        allow               127.0.0.0/8;
                        # for old versions up to 3.4.0
                        #    location ~* \.png$ {
                        #       root /usr/share;
                        # The brace below closes location /monitorix, because the
                        # nested location it used to close is commented out.
                            }
                        # since 3.5.0 version
                # NOTE(review): this location is a sibling of /monitorix, not
                # nested in it, and sets no auth_basic of its own, so the PNG
                # graphs appear to be served without authentication - confirm.
                location ~ ^/monitorix/(.+\.png)$ {
                        alias /var/lib/monitorix/www/$1;
                }
            
            
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
      }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
    }