Discover Centmin Mod today
Register Now

Nginx NGINX Conf (Force https-www)

Discussion in 'Install & Upgrades or Pre-Install Questions' started by frm, Dec 17, 2018.

  1. frm

    frm New Member

    18
    3
    3
    Dec 17, 2018
    Ratings:
    +4
    Local Time:
    1:35 AM
    1.15.7
    10.3.11
    Please fill in any relevant information that applies to you:
    • CentOS Version: CentOS 7 64bit
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: 1.15.7
    • PHP Version Installed: 7.2.13
    • MariaDB MySQL Version Installed: 10.3.xx
    • When was last time updated Centmin Mod code base ? : Fresh install yesterday
    • Persistent Config: Do you have any persistent config file options set in /etc/centminmod/custom_config.inc ?

      Code (Text):
      PHP_ARGON='y'
      NGINX_LIBBROTLI='y'
      NGXDYNAMIC_BROTLI='y'
      NGINX_MODSECURITY='y'
      PHP_PGO='y'
      MARIADB_INSTALLTENTHREE='y'
      LETSENCRYPT_DETECT='y'
      DUALCERTS='y'
      MARCH_TARGETNATIVE='n'
    So I'm fairly new to nginx and gave up about a week ago and moved over to a LAMP stack instead because I'm fairly well versed in that to accomplish http://, http://www, and https:// to https://www. It was a PITA to say the least to do it with nginx, but I did it after a couple hours trial and error.

    This is my .conf file, which is fairly dirty and should be cleaned up (I dunno if that will speed up the server or not or if I should just leave it as is) or if there's a better method (rewrites, etc.). Ignore the 302 for now, that was for testing purposes; I will change it to 301 when I undo the basic_auth protection.
    Code (Text):
    #x# HTTPS-DEFAULT
     server {
      
       server_name domain.com www.domain.com;
       return 302 https://domain.com$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    #       listen   80;
    #       server_name domain.com www.domain.com;
    #       return 302 https://$server_name$request_uri;
    
    server {
      listen 443 ssl http2;
      server_name www.domain.com;
    
        auth_basic "Restricted";
        auth_basic_user_file /home/nginx/domains/domain.com/public/.htpasswd;
    
    
      include /usr/local/nginx/conf/ssl/domain.com/domain.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt;
      #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/domain.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf;
      root /home/nginx/domains/domain.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      location / {
      #ModSecurityEnabled on;
      #ModSecurityConfig modsecurity.conf;
    
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Wordpress Permalinks example
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
    
     # XenForo Settings
        try_files $uri $uri/ /index.php?$uri&$args;
        index index.php index.html;
    
    
      }
    
    # Continued XenForo Settings
    location /install/data/ {
        internal;
    }
    location /install/templates/ {
        internal;
    }
    location /internal_data/ {
        internal;
    }
    location /library/ { #legacy
        internal;
    }
    location /src/ {
        internal;
    }
    
    
    
      include /usr/local/nginx/conf/pre-staticfiles-local-domain.com.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
     
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    server {
      listen 443 ssl http2;
      server_name domain.com;
      return 302 https://www.domain.com$request_uri;
      include /usr/local/nginx/conf/ssl/domain.com/domain.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    }

    It works as is but I'm not using WordPress and Cloudflare, so feel that removing that bloat might help. Maybe not. Keep or clean up? And is this the right syntax for server { args?

    Thanks
     
  2. eva2000

    eva2000 Administrator Staff Member

    40,620
    9,014
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,880
    Local Time:
    2:35 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Posted at centminmod.com/nginx_domain_dns_setup.html#httpsredirect is the correct way to set it up - pay attention to different way if you want redirect target being www version instead of non-www and vice versa and that the target version www or non-www is the only version listed in server_name for the 2nd/main server {} context.

    key to testing is using 302 temp redirect first in a private incognito browser session otherwise the problems you can experience may end up being due to browser caching or 301 permanent redirects unless you clear browser cache and reboot local computer(s) and even then some web browsers don't let go of 301 permanent redirect browser cache that willingly :)

    You can test in SSH via curl to check headers for location field (where the redirect goes) using the following commands:
    Code (Text):
    curl -I http://domain.com
    

    Code (Text):
    curl -I http://www.domain.com
    


    For you, you want www version to be default, then slight change for 1st server{} context server_name entry so you redirect to www version and need to add a 3rd server{} context for https non-www to www redirect

    from
    Code (Text):
    #x# HTTPS-DEFAULT
     server {
     
       server_name domain.com www.domain.com;
       return 302 https://domain.com$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    #       listen   80;
    #       server_name domain.com www.domain.com;
    #       return 302 https://$server_name$request_uri;
    
    server {
      listen 443 ssl http2;
      server_name www.domain.com;
    

    to
    Code (Text):
    #x# HTTPS-DEFAULT
     server {
    
       server_name domain.com www.domain.com;
       return 302 https://www.domain.com$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    server {
      listen 443 ssl http2;
      server_name domain.com;
      return 302 https://www.domain.com$request_uri;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/domain.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain.com.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    }
    
    server {
      listen 443 ssl http2;
      server_name www.domain.com;
    

    so 1st server{} context redirects non-https non-www and www to https www, 2nd server{] context redirects non-www https to www https and 3rd server{} context servers your www https site
     
  3. frm

    frm New Member

    18
    3
    3
    Dec 17, 2018
    Ratings:
    +4
    Local Time:
    1:35 AM
    1.15.7
    10.3.11
    Appreciate the time in helping clean it up and explaining some stuff to me. Left ya something in your tip jar to buy a cold one tonight.

    Learning little by little here. I'm coming from the ease of cPanel to fully-fledged management through CLI here. CMM is surely a help with the transition, and, I believe it to be a pretty decent product as is due to it still being interactive, to a degree, and putting together a lot better products to get the most bang for the buck out of a VPS.
     
    • Like Like x 1
    style="display:inline-block;min-width:400px;max-width:970px;width:95%;height:90px" data-ad-client="ca-pub-6669518204467592" data-ad-slot="4024536743" data-ad-format="auto">
  4. eva2000

    eva2000 Administrator Staff Member

    40,620
    9,014
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,880
    Local Time:
    2:35 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x