SSL http redirection to https

Discussion in 'Domains, DNS, Email & SSL Certificates' started by adamus007p, Mar 16, 2019 at 2:55 AM.

  1. adamus007p

    adamus007p New Member

    8
    1
    3
    Feb 8, 2019
    Ratings:
    +1
    Local Time:
    8:13 PM
    Hello, I am trying to fix the problem with redirection.

    I want to redirect from non-ssl http to https.

    My main domain is with www >> www.myshopdomain.com
    I use also la., for backoffice only so la.myshopdomain.com/backoffice

    I read the forum and I was trying to fix it but it does not help.
    Can you help to configure it?

    Thank you in advance.

    Code:
    /usr/local/nginx/conf/conf.d
    myshopdomain.com.ssl.conf
    
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For HTTP/2 SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
     server {
       server_name myshopdomain.com www.myshopdomain.com la.myshopdomain.com www.la.myshopdomain.com;
        return 302 https://myshopdomain.com$request_uri;
     }
     server {
       #server_name la.myshopdomain.com www.la.myshopdomain.com;
       # return 302 https://la.myshopdomain.com$request_uri;
     }
    
    server {
      listen 443 ssl http2;
      server_name myshopdomain.com www.myshopdomain.com la.myshopdomain.com www.la.myshopdomain.com;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/myshopdomain.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/myshopdomain.com/myshopdomain.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/myshopdomain.com/myshopdomain.com-acme.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # dual cert supported ssl ciphers
    
    
    
    /usr/local/nginx/conf/conf.d
    myshopdomain.com.conf file
    
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    
    # redirect from non-www to www
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    #server {
    #            listen   80;
    #            server_name myshopdomain.com;
    #            return 301 $scheme://www.myshopdomain.com$request_uri;
    #       }
    
    server {
    
      server_name myshopdomain.com www.myshopdomain.com la.myshopdomain.com www.la.myshopdomain.com;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    

     
    Last edited: Mar 16, 2019 at 3:41 AM
  2. eva2000

    eva2000 Administrator Staff Member

    38,511
    8,487
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,050
    Local Time:
    5:13 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    The correct way to set it up is posted at centminmod.com/nginx_domain_dns_setup.html#httpsredirect - pay attention to the different way if you want the redirect target to be the www version instead of non-www and vice versa, and that the target version (www or non-www) is the only version listed in server_name for the 2nd/main server {} context.

    The key to testing is using a 302 temp redirect first in a private incognito browser session, otherwise the problems you can experience may end up being due to browser caching or 301 permanent redirects unless you clear browser cache and reboot local computer(s), and even then some web browsers don't let go of the 301 permanent redirect browser cache that willingly :)

    You can test in SSH via curl to check the headers for the Location field (where the redirect goes) using the following commands:
    Code (Text):
    curl -I http://domain.com
    

    Code (Text):
    curl -I http://www.domain.com
    


    so change from
    Code (Text):
     server {
       server_name myshopdomain.com www.myshopdomain.com la.myshopdomain.com www.la.myshopdomain.com;
       return 302 https://myshopdomain.com$request_uri;
     }
     server {
       #server_name la.myshopdomain.com www.la.myshopdomain.com;
       # return 302 https://la.myshopdomain.com$request_uri;
     }
    
    server {
      listen 443 ssl http2;
      server_name myshopdomain.com www.myshopdomain.com la.myshopdomain.com www.la.myshopdomain.com;
    

    to
    Code (Text):
     server {
       server_name myshopdomain.com www.myshopdomain.com la.myshopdomain.com www.la.myshopdomain.com;
       return 302 https://www.myshopdomain.com$request_uri;
     }
     server {
       server_name myshopdomain.com;
       return 302 https://www.myshopdomain.com$request_uri;
     }
    
    server {
      listen 443 ssl http2;
      server_name www.myshopdomain.com la.myshopdomain.com www.la.myshopdomain.com;
    
     
  3. adamus007p

    Hello, are you sure that it is correct?

    Two times
    server_name myshopdomain.com;
    ??

    Code:
    [22:13][[email protected] ~]# curl -I http://myshopdomain.com
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.10.3
    Date: Fri, 15 Mar 2019 22:14:03 GMT
    Content-Type: text/html; charset=utf-8
    Connection: keep-alive
    Location: http://www.myshopdomain.com/
    
    [22:14][[email protected] ~]# curl -I http://www.myshopdomain.com
    HTTP/1.1 301 Moved Permanently
    Date: Fri, 15 Mar 2019 22:14:08 GMT
    Content-Type: text/html; charset=utf-8
    Connection: keep-alive
    Cache-Control: no-cache
    Location: https://www.myshopdomain.com/
    Server: nginx centminmod
    X-Powered-By: centminmod
    X-Xss-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    

    la.myshopdomain.com www.la.myshopdomain.com I want to use only as an alias, as my main domain is geoDNS, so to connect directly to Back office I if
    la.myshopdomain.com www.la.myshopdomain.com
     
  4. eva2000

  5. adamus007p

    Is it correct?
    change from
    Code:
     server {
       server_name myshopdomain.com www.myshopdomain.com la.myshopdomain.com www.la.myshopdomain.com;
       return 302 https://myshopdomain.com$request_uri;
     }
     server {
       #server_name la.myshopdomain.com www.la.myshopdomain.com;
       # return 302 https://la.myshopdomain.com$request_uri;
     }
    
    server {
      listen 443 ssl http2;
      server_name myshopdomain.com www.myshopdomain.com la.myshopdomain.com www.la.myshopdomain.com;
    
    
    change to
    Code:
     server {
       server_name myshopdomain.com www.myshopdomain.com la.myshopdomain.com www.la.myshopdomain.com;
       return 302 https://www.myshopdomain.com$request_uri;
     }
    
    
    
    server {
      listen 443 ssl http2;
      server_name myshopdomain.com www.myshopdomain.com la.myshopdomain.com www.la.myshopdomain.com;



    Why is the response 301 when it should be 302?
     
    Last edited: Mar 16, 2019 at 11:05 PM
  6. eva2000

    should be

    Code (Text):
     server {
       server_name myshopdomain.com www.myshopdomain.com la.myshopdomain.com www.la.myshopdomain.com;
       return 302 https://www.myshopdomain.com$request_uri;
     }
     server {
       # port 443 listener for the non-www name, so https://myshopdomain.com redirects to www
       listen 443 ssl http2;
       server_name myshopdomain.com;
       return 302 https://www.myshopdomain.com$request_uri;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/myshopdomain.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/myshopdomain.com/myshopdomain.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/myshopdomain.com/myshopdomain.com-acme.key;
      include /usr/local/nginx/conf/ssl_include.conf;
     }
    
    server {
      listen 443 ssl http2;
      server_name www.myshopdomain.com la.myshopdomain.com www.la.myshopdomain.com;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/myshopdomain.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/myshopdomain.com/myshopdomain.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/myshopdomain.com/myshopdomain.com-acme.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    

    So you have 2 port 443 server{} contexts: one for the non-www redirect to www and one for the main www.

    As to the 301, it seems maybe your DNS isn't pointing to the right server? The response lists Server: nginx/1.10.3, which is a non Centmin Mod Nginx, as Centmin Mod uses the nginx 1.15.x branch.
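
The header check discussed above (status code, Location target and Server banner from `curl -I`), as an added example that is not part of the original posts. The sample responses are constructed from the header lines quoted in the thread, and the function names `summarise` and `audit` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed input: the relevant header
# lines of the two `curl -I` responses quoted in the thread.
SAMPLE_APEX='HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.3
Location: http://www.myshopdomain.com/'
SAMPLE_WWW='HTTP/1.1 301 Moved Permanently
Location: https://www.myshopdomain.com/
Server: nginx centminmod'

# Reduce one `curl -I` response on stdin to "<status> <Location> <Server>".
summarise() {
  tr -d '\r' | awk '
    /^HTTP\//                  { status = $2 }
    tolower($1) == "location:" { loc = $2 }
    tolower($1) == "server:"   { sub(/^[^:]*:[ \t]*/, ""); srv = $0 }
    END { print status, (loc == "" ? "-" : loc), (srv == "" ? "-" : srv) }'
}

# audit WANT_STATUS WANT_LOCATION_PREFIX WANT_SERVER  < response
# Prints one finding per mismatch, or "ok"; exit status is non-zero on findings.
audit() {
  summarise | {
    read -r status loc srv
    bad=0
    [ "$status" = "$1" ] || { echo "status: got $status, want $1"; bad=1; }
    case "$loc" in
      "$2"*) ;;
      *) echo "location: got $loc, want $2*"; bad=1 ;;
    esac
    # A different banner suggests DNS sent the request to another web server.
    [ "$srv" = "$3" ] || { echo "server: got '$srv', want '$3'"; bad=1; }
    [ "$bad" -eq 0 ] && echo "ok"
  }
}

# Live use: curl -sI http://myshopdomain.com | audit 302 https://www.myshopdomain.com "nginx centminmod"
printf '%s\n' "$SAMPLE_APEX" | audit 302 https://www.myshopdomain.com "nginx centminmod" || true
```

Run against the first sample it reports three findings: a 301 instead of the configured 302, a Location that stays on plain http, and a Server banner that is not the Centmin Mod one.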
     
  7. adamus007p

    Thank you for the help :)
     
  8. adamus007p

    @eva2000, one additional question: how would you manage SSLs and geoDNS IPs?

    E.g. I have one domain but 3 VPS in different locations with different IPs.

    What ways are there to renew the Letsencrypt SSLs?
    Have you faced any problems with that?

    I have noticed that Letsencrypt is redirected only to one VPS as its IP is also redirected by geolocation (geoDNS).

    At the moment I use Amazon AWS Route53 geo DNS.
     
  9. eva2000

    You can't use Letsencrypt and Centmin Mod's acmetool.sh default web root validation of domains. Letsencrypt DNS validation is the only way, with your DNS provider's API, i.e. Cloudflare DNS API setup at Letsencrypt - Official acmetool.sh testing thread for Centmin Mod 123.09beta01. Centmin Mod acmetool.sh's underlying acme.sh client supports the Amazon AWS Route53 DNS API too, but it's not coded into Centmin Mod acmetool.sh right now. And then afterwards, you need to script it so you copy the obtained SSL cert to the other nodes within your cluster on renewals and issuances.
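
One way to script the copy step described above, as an added example that is not Centmin Mod's or acme.sh's own code. The peer hostnames in `NODES`, root SSH key login and identical certificate paths on every node are assumptions; the certificate paths are the ones shown in the thread's vhost, and the script only prints its commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example (not Centmin Mod or acme.sh code): after a DNS-validated renewal
# on one node, push the cert and key to the other geoDNS nodes and reload nginx.
# Assumed: NODES hostnames (hypothetical), root SSH key login, identical paths
# on every node. Could be wired up with acme.sh's --renew-hook option.
DOMAIN="${DOMAIN:-myshopdomain.com}"
CERT_DIR="${CERT_DIR:-/usr/local/nginx/conf/ssl/$DOMAIN}"
NODES="${NODES:-node2.example.net node3.example.net}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands instead of running them

# Execute a command, or just print it in dry-run mode.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Refuse to distribute a failed renewal: both files must exist and be non-empty.
preflight() {
  [ -s "$CERT_DIR/$DOMAIN-acme.cer" ] && [ -s "$CERT_DIR/$DOMAIN-acme.key" ]
}

# Returns 0 if every node was updated, 1 if any node failed, 2 if preflight failed.
sync_cert() {
  preflight || { echo "missing or empty cert/key in $CERT_DIR" >&2; return 2; }
  rc=0
  for node in $NODES; do
    # -a preserves the restrictive mode on the private key
    if run rsync -a "$CERT_DIR/" "root@$node:$CERT_DIR/"; then
      # reload only if the node's config still parses with the new files
      run ssh "root@$node" "nginx -t && nginx -s reload" || rc=1
    else
      rc=1
    fi
  done
  return "$rc"
}

case "${1:-}" in
  --sync) sync_cert ;;
esac
```

Since the private key leaves the issuing node, restrict the SSH key used for the copy to this purpose on each peer.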
     
  10. adamus007p

    @eva2000 There is some bug (or it just does not work) with DNS validation, as I added all entries to DNS but it does not work.

    It works for one IP, not for the geoDNS option.

    Is there a chance that it will be coded?
     
  11. eva2000

    Make sure that for domains, both www and non-www versions have valid entries for the IPv4 DNS A record and, if you have IPv6 supported, also the valid IPv6 DNS AAAA records.

    You can test the domain via Let's Debug.
     