I got the error "ERR_TOO_MANY_REDIRECTS" when using SSL

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Manhhailua, Jul 16, 2016.

  1. Manhhailua

    My WordPress home page is broken with "ERR_TOO_MANY_REDIRECTS". I'm using the default nginx config from the centmin installation (without any modification). I got the same error when forcing Ghost Blog to redirect the site to https.
    My site url:
    1. http://isavn.com
    2. https://isavn.com
     
  2. eva2000

    When you create a new Nginx vhost domain via centmin.sh menu option 2 or menu option 22, or via the /usr/bin/nv CLI command line, you will create the Nginx vhost files and directories. The output will show the path location where it creates the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self-signed SSL)
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)
     
  3. Manhhailua

    My domain.conf content:
    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    
    # redirect from non-www to www
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    # server {
    #   listen   80;
    #   server_name codek.org;
    #   return 301 $scheme://www.codek.org$request_uri;
    # }
    
    server {
      server_name codek.org www.codek.org;
    
      # ngx_pagespeed & ngx_pagespeed handler
      #include /usr/local/nginx/conf/pagespeed.conf;
      #include /usr/local/nginx/conf/pagespeedhandler.conf;
      #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/codek.org/log/access.log combined buffer=256k flush=60m;
      error_log /home/nginx/domains/codek.org/log/error.log;
    
      root /home/nginx/domains/codek.org/public;
    
      # prevent access to ./directories and files
      location ~ (?:^|/)\. {
        deny all;
      }
    
      location / {
    
        # block common exploits, sql injections etc
        #include /usr/local/nginx/conf/block.conf;
    
        # Enables directory listings when index file not found
        #autoindex  on;
    
        # Shows file listing times as local time
        #autoindex_localtime on;
    
        # Enable for vBulletin usage WITHOUT vbSEO installed
        # More example Nginx vhost configurations at
        # http://centminmod.com/nginx_configure.html
        #try_files    $uri $uri/ /index.php;
    
      }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    

    And here is domain.ssl.conf:
    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For SPDY SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    server {
      server_name codek.org www.codek.org;
      return 302 https://$server_name$request_uri;
    }
    
    server {
      listen 443 ssl http2;
      server_name codek.org www.codek.org;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/codek.org/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/codek.org/codek.org.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/codek.org/codek.org.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header  X-Content-Type-Options "nosniff";
      #add_header X-Frame-Options DENY;
      #spdy_headers_comp 5;
      ssl_buffer_size 1400;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      #resolver 8.8.8.8 8.8.4.4 valid=10m;
      #resolver_timeout 10s;
      #ssl_stapling on;
      #ssl_stapling_verify on;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/codek.org/codek.org-trusted.crt;
    
      # ngx_pagespeed & ngx_pagespeed handler
      #include /usr/local/nginx/conf/pagespeed.conf;
      #include /usr/local/nginx/conf/pagespeedhandler.conf;
      #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/codek.org/log/access.log combined buffer=256k flush=60m;
      error_log /home/nginx/domains/codek.org/log/error.log;
    
      root /home/nginx/domains/codek.org/public;
    
      # prevent access to ./directories and files
      location ~ (?:^|/)\. {
        deny all;
      }
    
      location / {
    
        # block common exploits, sql injections etc
        #include /usr/local/nginx/conf/block.conf;
    
        # Enables directory listings when index file not found
        #autoindex  on;
    
        # Shows file listing times as local time
        #autoindex_localtime on;
    
        # Enable for vBulletin usage WITHOUT vbSEO installed
        # More example Nginx vhost configurations at
        # http://centminmod.com/nginx_configure.html
        #try_files    $uri $uri/ /index.php;
    
      }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    Every page works fine except the homepage if I use an SSL force plugin (Really Simple SSL); then, if I turn the plugin off... my home page will be broken.
     
  4. eva2000

    You don't need a force SSL plugin if you redirect http to https at the nginx level. You only need one of the nginx vhosts if you use the http to https redirect. See the instructions below.

    Posted at centminmod.com/nginx_domain_dns_setup.html#httpsredirect

    Key to testing is using a 302 temp redirect first in a private incognito browser session; otherwise the problems you experience may end up being due to browser caching or 301 permanent redirects unless you clear the browser cache and reboot local computer(s), and even then some web browsers don't let go of a 301 permanent redirect browser cache that willingly :)
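To see why an origin-level http to https redirect only loops when something in front of nginx fetches the origin over plain http, here is a small simulation added here (not the thread's or Centmin Mod's code); the host name example.test and the two proxy modes are assumptions, and the proxy case goes beyond what this post covers.

```python
"""Model of the redirect loop behind ERR_TOO_MANY_REDIRECTS.

Added example, not from the thread or Centmin Mod: a browser, an optional
reverse proxy and the nginx origin are simulated so the loop can be
reproduced offline. The host name example.test is an assumption.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

HOST = "example.test"  # assumed host name

@dataclass
class Response:
    status: int
    location: Optional[str] = None

def origin(scheme: str, path: str, force_https: bool) -> Response:
    """nginx origin. With force_https the port-80 vhost answers like the
    thread's `return 301 https://$server_name$request_uri;`; the 443
    vhost (or a plain-http setup without the redirect) serves the page."""
    if scheme == "http" and force_https:
        return Response(301, f"https://{HOST}{path}")
    return Response(200)

def fetch(url: str, proxy_mode: Optional[str], force_https: bool) -> Response:
    """One browser request. proxy_mode None: straight to the origin.
    'flexible': the proxy terminates TLS but always fetches the origin
    over plain http. 'full': the proxy reuses the visitor's scheme."""
    scheme, _, rest = url.partition("://")
    path = rest[len(HOST):] or "/"
    origin_scheme = "http" if proxy_mode == "flexible" else scheme
    return origin(origin_scheme, path, force_https)

def follow(url: str, proxy_mode: Optional[str], force_https: bool,
           max_hops: int = 20) -> Tuple[int, int]:
    """Walk the redirect chain like a browser and return (status, hops).
    Raises RuntimeError once a URL repeats, which is what the browser
    reports as ERR_TOO_MANY_REDIRECTS (a 301 would also be cached)."""
    seen = []
    while len(seen) <= max_hops:
        if url in seen:
            raise RuntimeError("redirect loop: " + " -> ".join(seen + [url]))
        seen.append(url)
        r = fetch(url, proxy_mode, force_https)
        if r.status in (301, 302, 307, 308) and r.location:
            url = r.location
            continue
        return r.status, len(seen) - 1
    raise RuntimeError("too many redirects")
```

With no proxy, or a proxy that reuses the visitor's scheme, the chain ends after one hop; with an http-only proxy plus the origin redirect, the same https URL comes back immediately and the loop is detected.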
     
  5. Manhhailua

    Great, eva! It saved my day! :cool:
     
  6. Manhhailua

    Ouch! This problem continued to occur when I used Cloudflare. I could not access my website. I created a file named "cloudflare.conf" at "/usr/local/nginx/conf/" containing Cloudflare's IPs.
    And this is my SSL vHost config (I disabled the HTTP vHost (official way)):
    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For SPDY SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    server {
        server_name mqteam.com www.mqteam.com;
        return 301 https://$server_name$request_uri;
    }
    
    server {
        listen 443 ssl http2;
        server_name mqteam.com www.mqteam.com;
    
        ssl_dhparam /usr/local/nginx/conf/ssl/mqteam.com/dhparam.pem;
        ssl_certificate      /root/.acme.sh/mqteam.com/mqteam.com.cer;
        ssl_certificate_key  /root/.acme.sh/mqteam.com/mqteam.com.key;
        include /usr/local/nginx/conf/ssl_include.conf;
    
        # mozilla recommended
        ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
        ssl_prefer_server_ciphers   on;
        #add_header Alternate-Protocol  443:npn-spdy/3;
        #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
        #add_header  X-Content-Type-Options "nosniff";
        #add_header X-Frame-Options DENY;
        #spdy_headers_comp 5;
        ssl_buffer_size 1400;
        ssl_session_tickets on;
      
        # enable ocsp stapling
        #resolver 8.8.8.8 8.8.4.4 valid=10m;
        #resolver_timeout 10s;
        #ssl_stapling on;
        #ssl_stapling_verify on;
        #ssl_trusted_certificate /usr/local/nginx/conf/ssl/mqteam.com/mqteam.com-trusted.crt;
    
        # ngx_pagespeed & ngx_pagespeed handler
        #include /usr/local/nginx/conf/pagespeed.conf;
        #include /usr/local/nginx/conf/pagespeedhandler.conf;
        #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
        # limit_conn limit_per_ip 16;
        # ssi  on;
    
        access_log /home/nginx/domains/mqteam.com/log/access.log combined buffer=256k flush=60m;
        error_log /home/nginx/domains/mqteam.com/log/error.log;
    
        root /home/nginx/domains/mqteam.com/public;
    
        # uncomment cloudflare.conf include if using cloudflare for server and/or vhost site
        include /usr/local/nginx/conf/cloudflare.conf;
    
        # prevent access to ./directories and files
        location ~ (?:^|/)\. {
            deny all;
        }
    
        location / {
    
            # block common exploits, sql injections etc
            include /usr/local/nginx/conf/block.conf;
    
            # Enables directory listings when index file not found
            #autoindex  on;
    
            # Shows file listing times as local time
            #autoindex_localtime on;
    
            # Enable for vBulletin usage WITHOUT vbSEO installed
            # More example Nginx vhost configurations at
            # http://centminmod.com/nginx_configure.html
            try_files    $uri $uri/ /index.php?$args;
        }
    
        include /usr/local/nginx/conf/staticfiles.conf;
        include /usr/local/nginx/conf/php.conf;
        include /usr/local/nginx/conf/drop.conf;
        #include /usr/local/nginx/conf/errorpage.conf;
        include /usr/local/nginx/conf/vts_server.conf;
    }
    
    I've just realized that I did not allow any of Cloudflare's IPs in CSF. Do I have to do this step!?
     
  7. eva2000

    Are you using Cloudflare's SSL certificate and not your own? If you are, then you actually only need the non-https nginx vhost, as Cloudflare looks to the non-https origin for the backend, not the https backend, unless you have Full (strict) SSL enabled in Cloudflare.

    Did you also enable Cloudflare's http to https redirect?

    Centmin Mod LEMP stack installs CSF Firewall out of the box, so to be able to remotely connect to external servers, you need to whitelist and allow the remote IP address see the info below:
    If you use a reverse proxy in front of Centmin Mod Nginx, you need to setup nginx realip to be passed onto Nginx.

    See Getting Started Guide step 4 and setting correct real ip via nginx module config at Nginx Cloudflare & Incapsula (reverse proxy HttpRealIpModule) - CentminMod.com LEMP Nginx web stack for CentOS.

    If using Centmin Mod 123.09beta01 and newer, there's an added tools/csfcf.sh script to aid in this. Details at:
    You just need to setup a cronjob to run
    Code (Text):
    /usr/local/src/centminmod/tools/csfcf.sh auto

    and ensure your nginx.conf http{} context has the include file /usr/local/nginx/conf/cloudflare.conf and/or your individual nginx vhosts' server contexts have the same include file
    Code (Text):
    http {
    map_hash_bucket_size 128;
    map_hash_max_size 2048;
    server_names_hash_bucket_size 128;
    server_names_hash_max_size 2048;
    
    limit_req_zone $binary_remote_addr zone=xwplogin:16m rate=40r/m;
    #limit_conn_zone $binary_remote_addr zone=xwpconlimit:16m;
    
    more_set_headers "Server: nginx centminmod";
    more_set_headers "X-Powered-By: centminmod";
    
    include /usr/local/nginx/conf/cloudflare.conf;
    include /usr/local/nginx/conf/maintenance.conf;
    include /usr/local/nginx/conf/vts_http.conf;
    include /usr/local/nginx/conf/geoip.conf;
    #include /usr/local/nginx/conf/pagespeedadmin.conf;
    include /usr/local/nginx/conf/fastcgi_param_https_map.conf;

    Then restart nginx server via command shortcut
    Code (Text):
    ngxrestart

    or
    Code (Text):
    service nginx restart
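As an added example (not the thread's or Centmin Mod's code), here is the trust rule the nginx realip module applies to a cloudflare.conf include, modelled in Python: the client-IP header is honoured only when the TCP peer is inside a set_real_ip_from range, which is why the whitelist must contain exactly the proxy's addresses. The CIDRs in the sample file are constructed placeholders, not Cloudflare's list, and the directive parsing is simplified.

```python
"""Trust decision of nginx's realip module, modelled in Python.

Added example, not from the thread or Centmin Mod: it parses the
set_real_ip_from / real_ip_header directives from a cloudflare.conf style
file and shows why the client-IP header is honoured only from whitelisted
peers. The CIDRs below are constructed placeholders, not Cloudflare's list.
"""
import ipaddress
import re

# Constructed sample in the shape csfcf.sh writes; ranges are placeholders.
SAMPLE_CONF = """\
# cloudflare.conf (constructed sample)
set_real_ip_from 192.0.2.0/24;
set_real_ip_from 198.51.100.0/24;
set_real_ip_from 2001:db8::/32;
real_ip_header CF-Connecting-IP;
"""

DIRECTIVE = re.compile(r"^\s*(set_real_ip_from|real_ip_header)\s+(\S+?)\s*;")

def parse_realip_conf(text):
    """Return (list of trusted networks, header name) from the conf text."""
    nets, header = [], None
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue  # comments and unrelated directives
        if m.group(1) == "set_real_ip_from":
            nets.append(ipaddress.ip_network(m.group(2), strict=False))
        else:
            header = m.group(2)
    return nets, header

def effective_client_ip(peer_ip, headers, nets, header):
    """Mimic realip: substitute the header value for the TCP peer address
    only when the peer is inside a trusted network. From anyone else the
    header is ignored, since any client can forge it. Single-address
    headers only (X-Forwarded-For chains are not handled here)."""
    peer = ipaddress.ip_address(peer_ip)
    if header is None or not any(peer in net for net in nets):
        return str(peer)
    value = {k.lower(): v for k, v in headers.items()}.get(header.lower())
    try:
        return str(ipaddress.ip_address(value.strip()))
    except (ValueError, AttributeError):
        return str(peer)  # missing or malformed header: keep the peer
```

A peer outside the listed ranges keeps its own address no matter what header it sends, which is the same reason CSF should only open the web ports to the proxy ranges when the site is meant to be reached through the proxy alone.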