
Wordpress Drupal HTTP to HTTPS redirection issues

Discussion in 'Blogs & CMS usage' started by sannin, Apr 21, 2018.

  1. sannin

    sannin New Member

    14
    0
    1
    Jul 25, 2014
    Ratings:
    +1
    Local Time:
    3:36 AM
    1.7.3
    MariaDB 10
    Hello,
    I have a working drupal 8 configuration here. Everything seems in order, except the non-www to www redirection only when https is used! Specifically:

    Code:
    http://www.example.com --> [301] https://www.example.com OK
    http://example.com --> [301] https://www.example.com OK
    https://example.com --> [200] https://example.com NOT OK (creates duplicate content for google)
    https://www.example.com --> [200] https://www.example.com OK
    The configuration below works fine for wordpress but for some reason it is not working with drupal. I have tried different redirection methods with rewrite, I get the same result.


    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For HTTP/2 SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    server {
           server_name example.com www.example.com;
           return 301 https://www.example.com$request_uri;
    }
    
    server {
      listen 443 ssl http2;
      server_name example.com www.example.com;
     
      include /usr/local/nginx/conf/ssl/example.com/example.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/example.com/origin.crt;
      #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/example.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/example.com/log/error.log;
    
      root /home/nginx/domains/example.com/public/web;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      try_files $uri /index.php?$query_string;
      }
    
      location @rewrite {
            rewrite ^/(.*)$ /index.php?q=$1;
      }
    
      # Fighting with Styles? This little gem is amazing.
      location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
            try_files $uri @rewrite;
      }
    
      # Handle private files through Drupal. Private file's path can come
      # with a language prefix.
    #  location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
    #       try_files $uri /index.php?$query_string;
    #  }
    
      include /usr/local/nginx/conf/pre-staticfiles-local-example.com.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
     
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
     
  2. eva2000

    eva2000 Administrator Staff Member

    58,905
    12,490
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +19,122
    Local Time:
    3:36 AM
    Nginx 1.31.x
    MariaDB 10.x/11.4+/12.3+
    Posted at centminmod.com/nginx_domain_dns_setup.html#httpsredirect

    key to testing is using 302 temp redirect first in a private incognito browser session otherwise the problems you can experience may end up being due to browser caching or 301 permanent redirects unless you clear browser cache and reboot local computer(s) and even then some web browsers don't let go of 301 permanent redirect browser cache that willingly :)

    You can test in SSH via curl to check headers for location field (where the redirect goes) using the following commands:
    Code (Text):
    curl -I http://domain.com
    

    Code (Text):
    curl -I http://www.domain.com
    


    In your case it's due to 2nd server{} context having extra server_name entry for www version of the domain so you should change it from
    Code (Text):
    server {
          server_name example.com www.example.com;
          return 301 https://www.example.com$request_uri;
    }
    
    server {
      listen 443 ssl http2;
      server_name example.com www.example.com;
    

    to
    Code (Text):
    server {
          server_name example.com www.example.com;
          return 301 https://www.example.com$request_uri;
    }
    
    server {
      listen 443 ssl http2;
      server_name www.example.com;
    

    You're telling nginx for port 80 non-https example.com and www version to redirect via 301 STATUS permanently to https www version of the domain that listens on port 443.
     
  3. sannin

    Hey, thanks for the reply!

    I am using curl for testing, I believe it does not cache requests. It doesn't seem logical to me that it didn't work in the first place since I explicitly set the www version in the redirect.

    Anyway I tried the way you suggested, I still get a 200 response at the non-www version:

    Code:
    $ curl -I https://example.com
    HTTP/2 200
    content-type: text/html; charset=UTF-8
    vary: Accept-Encoding
    cache-control: max-age=3600, public
    date: Fri, 20 Apr 2018 08:35:32 GMT
    x-drupal-dynamic-cache: UNCACHEABLE
    x-ua-compatible: IE=edge
    content-language: tr
    x-content-type-options: nosniff
    x-frame-options: SAMEORIGIN
    expires: Sun, 19 Nov 1978 05:00:00 GMT
    last-modified: Fri, 20 Apr 2018 08:35:31 GMT
    etag: "1524213331"
    vary: Cookie
    x-generator: Drupal 8 (https://www.drupal.org)
    x-drupal-cache: HIT
    server: nginx
     
  4. eva2000

    did you restart nginx server after making the change ?
     
  5. sannin

    Yes of course, I restart nginx with every try.

    Something strange is happening here. I removed the non-www version from the conf file. Nginx shouldn't respond at all this way, but I still get a 200 code. Is there any caching mechanism that I am unaware of?

    Code:
    server {
           server_name www.example.com;
           return 301 https://www.example.com$request_uri;
    }
    
    server {
      listen 443 ssl http2;
      server_name www.example.com;
     
  6. eva2000

    check if you don't have more than one non-https vhost config file in play by using a recursive grep filtered search of nginx /usr/local/nginx/conf/conf.d vhost directory

    what's output for SSH command
    Code (Text):
    grep -rn 'server_name' /usr/local/nginx/conf/conf.d | grep 'example.com'
    
     
  7. sannin

    Nope, just that one config file i use for the domain:

    Code:
    $grep -rn 'server_name' /usr/local/nginx/conf/conf.d | grep 'example.com'
    /usr/local/nginx/conf/conf.d/example.com.ssl.conf:10:       server_name www.example.com;
    /usr/local/nginx/conf/conf.d/example.com.ssl.conf:16:  server_name www.example.com;
    I have redis enabled for the rest of the wordpress sites on the server, but redis is not used at the drupal config as you can see in my first post. Here is some more info about nginx:

    Code:
    # nginx -V
    nginx version: nginx/1.13.10
    built by gcc 7.2.1 20170829 (Red Hat 7.2.1-1) (GCC)
    built with OpenSSL 1.1.0g  2 Nov 2017
    TLS SNI support enabled
    configure arguments: --with-ld-opt='-L/usr/local/lib -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-I/usr/local/include -m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wimplicit-fallthrough=0 -fcode-hoisting -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --add-dynamic-module=../ngx_brotli --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.2 --add-module=../ngx_cache_purge-2.4.2 --add-module=../ngx_devel_kit-0.3.0 --add-dynamic-module=../set-misc-nginx-module-0.31 --add-dynamic-module=../echo-nginx-module-0.61 --add-module=../redis2-nginx-module-0.14 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.18 --add-module=../srcache-nginx-module-0.31 --add-dynamic-module=../headers-more-nginx-module-0.33 --with-pcre=../pcre-8.41 --with-pcre-jit --with-zlib=../zlib-cloudflare-1.3.0 --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.0g --with-openssl-opt='enable-ec_nistp_64_gcc_128'
    I have tried regex redirects; they didn't work either, really stuck here... :banghead:
     
  8. eva2000

    strange then.. no reason why it you should get a 301 redirect .. nginx 1.13.12 and openssl 1.1.0h are latest but that shouldn't make a difference either
     
  9. sannin

    Something else that may or may not matter.

    The A record of the site is not pointing at the main IP of the server but at an additional IP. Nginx is listening on all interfaces but maybe I need some extra configuration?
     
  10. eva2000

    Is the additional IP properly configured network wise on CentOS ? shows up in ipconfig output ? Though shouldn't matter for 301 redirects at nginx web server level IF the additional IP has been properly configured on CentOS. And your curl output above at Drupal - Any nginx gurus here? (Drupal 8) suggests it has as the header output goes to correct drupal site at least. Do you have any Drupal code level configs forcing HTTPS or doing a redirect ?
     
  11. sannin

    The IPs are set up properly, as you said the site resolves correctly.

    I will ask the site administrator if there is such code, but that shouldn't be the problem because the nginx redirect should occur before the php code is run.
     
    Last edited: Apr 26, 2018
  12. sannin

    Problem resolved with inspiration from serverfault:

    I split up the $server_name in different server blocks. I am still not sure why this works and the original configuration didn't.

    Code:
    server {
           server_name www.example.com example.com;
           return 301 https://www.example.com$request_uri;
    }
    
    server {
      listen 443 ssl http2;
      server_name example.com;
    
      include /usr/local/nginx/conf/ssl/example.com/example.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      return 301 https://www.example.com$request_uri;
    }
    
    server {
      listen 443 ssl http2;
      server_name www.example.com;
    
      include /usr/local/nginx/conf/ssl/example.com/example.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/example.com/origin.crt;
    
    [...]
     
  13. sannin

    On closer inspection the https://non-www.site.com --> https://www.site.com does even work with the rest of my wordpress site. The virtual hosts are created with option 22 in centmin.sh:

    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For HTTP/2 SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    server {
       server_name wordpress-site.com www.wordpress-site.com;
       return 301 https://www.wordpress-site.com$request_uri;
    }
    
    server {
      listen 443 ssl http2;
      server_name wordpress-site.com www.wordpress-site.com;
    
      include /usr/local/nginx/conf/ssl/wordpress-site.com/wordpress-site.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/wordpress-site.com/origin.crt;
      #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/wordpress-site.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/wordpress-site.com/log/error.log;
    
      #include /usr/local/nginx/conf/autoprotect/wordpress-site.com/autoprotect-wordpress-site.com.conf;
      root /home/nginx/domains/wordpress-site.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      #include /usr/local/nginx/conf/wpincludes/wordpress-site.com/wpcacheenabler_wordpress-site.com.conf;
      #include /usr/local/nginx/conf/wpincludes/wordpress-site.com/wpsupercache_wordpress-site.com.conf;
      # https://community.centminmod.com/posts/18828/
      include /usr/local/nginx/conf/wpincludes/wordpress-site.com/rediscache_wordpress-site.com.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
     
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # for wordpress super cache plugin
      #try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?q=$uri&$args;
    
      # for wp cache enabler plugin
      #try_files $cache_enabler_uri $uri $uri/ $custom_subdir/index.php?$args;
    
      # Wordpress Permalinks
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      # Nginx level redis Wordpress
      # https://community.centminmod.com/posts/18828/
      try_files $uri $uri/ /index.php?$args;
    
      }
    
    location ~* /(wp-login\.php) {
        limit_req zone=xwplogin burst=1 nodelay;
        #limit_conn xwpconlimit 30;
        #auth_basic "Private";
        #auth_basic_user_file /home/nginx/domains/wordpress-site.com/htpasswd_wplogin;  
        #include /usr/local/nginx/conf/php-wpsc.conf;
       
        # https://community.centminmod.com/posts/18828/
        include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /(xmlrpc\.php) {
        limit_req zone=xwprpc burst=45 nodelay;
        #limit_conn xwpconlimit 30;
        #include /usr/local/nginx/conf/php-wpsc.conf;
       
        # https://community.centminmod.com/posts/18828/
        include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /wp-admin/(load-scripts\.php) {
        limit_req zone=xwprpc burst=5 nodelay;
        #limit_conn xwpconlimit 30;
        #include /usr/local/nginx/conf/php-wpsc.conf;
       
        # https://community.centminmod.com/posts/18828/
        include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /wp-admin/(load-styles\.php) {
        limit_req zone=xwprpc burst=5 nodelay;
        #limit_conn xwpconlimit 30;
        #include /usr/local/nginx/conf/php-wpsc.conf;
       
        # https://community.centminmod.com/posts/18828/
        include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
      include /usr/local/nginx/conf/wpincludes/wordpress-site.com/wpsecure_wordpress-site.com.conf;
      #include /usr/local/nginx/conf/php-wpsc.conf;
     
      # https://community.centminmod.com/posts/18828/
      include /usr/local/nginx/conf/php-rediscache.conf;
      include /usr/local/nginx/conf/pre-staticfiles-local-wordpress-site.com.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    And this is the curl output:

    Code:
    curl -I https://wordpress-site.com
    HTTP/2 301
    date: Thu, 26 Apr 2018 14:16:04 GMT
    content-type: text/html; charset=UTF-8
    location: https://www.wordpress-site.com/
    expires: Thu, 26 Apr 2018 15:16:04 GMT
    cache-control: max-age=3600
    server: nginx
    x-cache: MISS
    x-cache-2: BYPASS
    It looks like the redirect is correct at first sight, but notice the "x-cache" headers at the bottom. Those headers have been added by redis cache config. It seems to me that the redirect is done at the wordpress level instead of nginx.
     
  14. eva2000

    but isn't that your intended result, non-www https to redirect to www domain https too ? but do you mean you split the vhost into 3 server{} contexts and that 301 is retained for non-www https? If redis server is only used on this instance's wordpress caching and nothing else, you can try flushing redis cache and restarting nginx + php to verify
    Code (Text):
    redis-cli flushall
    nprestart
    


    again you have on 2nd server_name an extra non-www domain wordpress-site.com - remove it if you want only www domain being main redirected HTTPS site

    Code (Text):
    server {
       server_name wordpress-site.com www.wordpress-site.com;
       return 301 https://www.wordpress-site.com$request_uri;
    }
    
    server {
      listen 443 ssl http2;
      server_name wordpress-site.com www.wordpress-site.com;
    


    though it works too to cover non-www domain redirect to www domain
     
  15. sannin

    Maybe we should start this on another thread because it is more of a general issue than drupal, but that's up to you.

    My goal is to create a one-step 301 redirect to the https canonical domain. With the suggested nginx config the SSL redirect to the canonical domain is not possible, for example Example Domain --> (301) Example Domain . The problem was not obvious to me until now because I use mostly wordpress sites and wordpress has an internal redirection mechanism. Drupal on the other hand doesn't and that's why I faced this problem.

    The only possible solution was to create 3 server{} blocks as I posted above.



    This doesn't really work. If I remove non-www version from the second server_name I get the following error:

    curl -I https://wordpress-site.com
    curl: (51) SSL: no alternative certificate subject name matches target host name 'wordpress-site.com'


    Which makes sense because the hostname doesn't exist in the SSL server{} block.
     
  16. eva2000

    Ok i see had to re-read your first post you talking about 2 site apps wordpress and drupal. So yes for non-www domain non-https redirect to non-www domain https you can either split to 3 server{} contexts which is more correct way. I'll need to update instructions at centminmod.com/nginx_domain_dns_setup.html#httpsredirect
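
Added example (not part of the thread and not Centmin Mod code): a small Python model of how nginx picks a server{} block, run against the three layouts discussed above, showing how each reported outcome (200 on the non-www HTTPS name, the curl (51) certificate error, and the one-step 301) can arise. It assumes exact server_name matching only, a single IP, and that the first block declared for a port is that port's default server; `other-site.example` is a constructed second vhost.

```python
from dataclasses import dataclass

CANONICAL = "https://www.example.com"
BOTH = ("example.com", "www.example.com")


@dataclass
class Server:
    port: int                 # implicit listen 80, or listen 443 ssl
    names: tuple              # server_name entries
    action: str               # "redirect" = return 301 CANONICAL$request_uri; "app" = serve site
    cert_names: tuple = ()    # names covered by the certificate this block loads


def select_server(servers, port, host):
    """Exact server_name match on the port, else that port's default server."""
    on_port = [s for s in servers if s.port == port]
    if not on_port:
        return None
    for s in on_port:
        if host in s.names:
            return s
    # No name matched: nginx does not refuse the request, it uses the
    # default server (first block for the port unless default_server is set).
    return on_port[0]


def request(servers, url):
    """Return (status, Location) for a URL, or ("tls-error", reason)."""
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    port = 443 if scheme == "https" else 80
    s = select_server(servers, port, host)
    if s is None:
        return ("conn-refused", None)
    # The certificate comes from the selected block, so a fallback to another
    # vhost presents that vhost's certificate (curl error 51).
    if port == 443 and host not in s.cert_names:
        return ("tls-error", "certificate does not cover " + host)
    if s.action == "redirect":
        return (301, f"{CANONICAL}/{path}")
    return (200, None)


URLS = ("http://example.com/", "http://www.example.com/",
        "https://example.com/", "https://www.example.com/")


def audit(servers):
    """Result for each of the four scheme/host variants of the site."""
    return {u: request(servers, u) for u in URLS}


PORT80 = Server(80, BOTH, "redirect")

# Layout from the first post: the 443 block answers for both names.
ORIGINAL = [PORT80, Server(443, BOTH, "app", BOTH)]

# Suggested change: only www in the 443 block. With no other 443 vhost,
# the www block is still the default server for that port.
SUGGESTED = [PORT80, Server(443, ("www.example.com",), "app", BOTH)]

# Same change on a server where another vhost was declared first on 443.
SHARED = [Server(443, ("other-site.example",), "app", ("other-site.example",))] + SUGGESTED

# Three-block layout: a dedicated 443 block for the non-www name that
# loads the certificate and only redirects.
THREE_BLOCK = [PORT80,
               Server(443, ("example.com",), "redirect", BOTH),
               Server(443, ("www.example.com",), "app", BOTH)]


if __name__ == "__main__":
    for label, layout in (("original", ORIGINAL), ("suggested", SUGGESTED),
                          ("shared", SHARED), ("three-block", THREE_BLOCK)):
        print(label)
        for url, result in audit(layout).items():
            print("  ", url, "->", result)
```

On a real server, `nginx -T` prints the full merged configuration in load order, which shows which block is first for each listen port.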
     
  17. nofun

    nofun New Member

    20
    5
    3
    May 2, 2015
    Latvia
    Ratings:
    +7
    Local Time:
    8:36 PM
    1.9.x
    10.x
    Hello, I'll try not to open new thread, because this one seems to be very similar with my situation. Never used ssl with wordpress on centminmod, so I guess I'm missing something. Please help if possible. I installed wordpress+ssl with centmin menu, and everything went very well, except non-www/www question. This test shows that alternative name is invalid, but not sure what can I do with it for now.

    I guess the cert is on non-www, but site redirects to www version.

    Code:
    #x# HTTPS-DEFAULT
     server {
     
       server_name mydomain.ru www.mydomain.ru;
       return 302 https://www.mydomain.ru$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    server {
      listen 443 ssl http2;
      server_name www.mydomain.ru mydomain.ru;
    
      include /usr/local/nginx/conf/ssl/mydomain.ru/mydomain.ru.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    that's the start of the mydomain.ru.ssl.conf

    Any direction how to fix this, will be greatly appreciated.
     
  18. eva2000

    Posted at centminmod.com/nginx_domain_dns_setup.html#httpsredirect is the correct way to set it up - pay attention to different way if you want redirect target being www version instead of non-www and vice versa and that the target version www or non-www is the only version listed in server_name for the 2nd/main server {} context.

    key to testing is using 302 temp redirect first in a private incognito browser session otherwise the problems you can experience may end up being due to browser caching or 301 permanent redirects unless you clear browser cache and reboot local computer(s) and even then some web browsers don't let go of 301 permanent redirect browser cache that willingly :)

    You can test in SSH via curl to check headers for location field (where the redirect goes) using the following commands:
    Code (Text):
    curl -I http://domain.com
    

    Code (Text):
    curl -I http://www.domain.com
    
     
  19. nofun

    Many thanks George, it's checked and redirects now as should be, but doesn't pass test on validness of cert. I guess now it's about old openssl or libressl libraries... Maybe )) I'll try to upgrade for now. Also switched on LIBRESSL_SWITCH='y' in custom_config.inc

    not sure what it's about...
     
  20. eva2000

    Test domain via ssllabs SSL Server Test (Powered by Qualys SSL Labs) to see if ssl cert is valid.

    If you're seeing a Centmin Mod's self-signed ssl certificate instead of letsencrypt ssl certificate, then that's acmetool.sh and centminmod's fallback if letsencrypt verification fails to obtain letsencrypt ssl cert, it falls back to centmin mod self-signed ssl certificate on https port 443 side so to preserve the https nginx vhost. If using paid ssl cert and see invalid, then you setup the ssl cert incorrectly.