Welcome to Centmin Mod Community
Become a Member

Nginx SSL Old CMM vs New CMM Force HTTPS WWW

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by frm, Aug 25, 2020.

  1. frm

    frm Member

    33
    4
    8
    Dec 17, 2018
    Ratings:
    +5
    Local Time:
    8:19 PM
    1.15.7
    10.3.11
    Please fill in any relevant information that applies to you:
    • CentOS Version: CentOS 7 64bit
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: nginx/1.19.2
    I'm attempting to force non-https www and https to https-www.

    I followed this guide the first server instance and it worked:
    Nginx - NGINX Conf (Force https-www)

    However, it seems like the config files to do this have updated as I no longer see the .crt/.key lines in the config (still using LE though).

    It appears like this:
    Code:
     server {
       
       server_name domain.com www.domain.com;
       return 302 https://www.domain.com$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    ##### how to force to www as the below fails? ####
    server {
      listen 443 ssl http2 reuseport;
      server_name domain.com;
    
      include /usr/local/nginx/conf/ssl/domain.com/domain.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
      return 302 https://www.domain.com$request_uri;
    }
    
    server {
      listen 443 ssl http2 reuseport;
      server_name www.domain.com;
    
      include /usr/local/nginx/conf/ssl/domain.com/domain.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
    ....
    Thanks!
     
  2. frm

    frm Member

    33
    4
    8
    Dec 17, 2018
    Ratings:
    +5
    Local Time:
    8:19 PM
    1.15.7
    10.3.11
    @eva2000, a donation your way if you can help solve this for me as the old config works like a charm... but a fresh install with newer NGINX and PHP7.4 makes this config for a new vhost, which is out of my league to understand. :)

    I'd like [ICODE]www.domain.com[/ICODE], [ICODE]http://domain.com[/ICODE], and [ICODE]https://domain.com[/ICODE] to redirect to [ICODE]https://www.domain.com[/ICODE]. Also, everything can be stripped from it (WordPress and Cloudflare as I won't be using those; it will be for an XF2.2 install). i do want to run ngx_pagespeed with it so I think I need to uncomment those... that's about all I can do here.

    301'ing is fine to the [ICODE]https://www.[/ICODE] version as I'm sure if you touch it, it will be perfect.

    Thank you for looking this default config over for me in advance.
    Code:
    #x# HTTPS-DEFAULT
     server {
     
       server_name domain.com www.domain.com;
       return 302 https://www.domain.com$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    server {
      listen 443 ssl http2 reuseport;
      server_name www.domain.com;
    
      include /usr/local/nginx/conf/ssl/domain.com/domain.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt;
      #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      http2_max_requests 50000;
      # mozilla recommended
      ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #add_header Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/domain.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf;
      root /home/nginx/domains/domain.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Wordpress Permalinks example
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      }
    
      include /usr/local/nginx/conf/pre-staticfiles-local-domain.com.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
     
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
     
  3. eva2000

    eva2000 Administrator Staff Member

    45,201
    10,279
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,933
    Local Time:
    9:19 PM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    Remove reuseport directive from added redirect as it can only be applied once per ip and port pairing for entire server
     
  4. frm

    frm Member

    33
    4
    8
    Dec 17, 2018
    Ratings:
    +5
    Local Time:
    8:19 PM
    1.15.7
    10.3.11
    Then:
    Code:
    server {
      listen 443 ssl http2;
      server_name www.domain.com;
      return 301 https://www.domain.com$request_uri;
    }
    Above the next 443, but remove the reuseport there too?
     
  5. frm

    frm Member

    33
    4
    8
    Dec 17, 2018
    Ratings:
    +5
    Local Time:
    8:19 PM
    1.15.7
    10.3.11
    Still failing...
    Code:
    #x# HTTPS-DEFAULT
     server {
     
       server_name domain.com www.domain.com;
       return 302 https://www.domain.com$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    server {
      listen 443 ssl http2;
      server_name domain.com;
    
      return 302 https://www.domain.com$request_uri;
    }
    
    server {
      listen 443 ssl http2;
      server_name www.domain.com;
    
      include /usr/local/nginx/conf/ssl/domain.com/domain.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt;
      #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      http2_max_requests 50000;
      # mozilla recommended
      ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #add_header Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/domain.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf;
      root /home/nginx/domains/domain.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Wordpress Permalinks example
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      }
    
      include /usr/local/nginx/conf/pre-staticfiles-local-domain.com.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
     
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
     
    Last edited: Aug 25, 2020
  6. eva2000

    eva2000 Administrator Staff Member

    45,201
    10,279
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,933
    Local Time:
    9:19 PM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    still need ssl cert include file
    Code (Text):
     server {
       
       server_name domain.com www.domain.com;
       return 302 https://www.domain.com$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    ##### how to force to www as the below fails? ####
    server {
      listen 443 ssl http2;
      server_name domain.com;
    
      include /usr/local/nginx/conf/ssl/domain.com/domain.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
      return 302 https://www.domain.com$request_uri;
    }
    
    server {
      listen 443 ssl http2 reuseport;
      server_name www.domain.com;
    
      include /usr/local/nginx/conf/ssl/domain.com/domain.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    


    You can test in SSH via curl to check headers for location field (where the redirect goes) using the following commands:
    Code (Text):
    curl -I http://domain.com
    

    Code (Text):
    curl -I http://www.domain.com
    

    Code (Text):
    curl -I https://domain.com
    

    Code (Text):
    curl -I https://www.domain.com
    

    for posting code or output from commands to keep the formatting, you might want to use CODE tags for code How to use forum BBCODE code tags :)
     
  7. frm

    frm Member

    33
    4
    8
    Dec 17, 2018
    Ratings:
    +5
    Local Time:
    8:19 PM
    1.15.7
    10.3.11
    Couldn't wrap my head around that and it was stalling me. Thanks, @eva2000. Enjoy the beer next weekend!

    Now to just find out where the new file is for the 1 IP address and redirect it from the CMM holding page to the domain. :)

    Hopefully, I can get it on my own. However, a hint of which config file that's in would help (or if it can be put in the same SSL config file). ;)
     
  8. frm

    frm Member

    33
    4
    8
    Dec 17, 2018
    Ratings:
    +5
    Local Time:
    8:19 PM
    1.15.7
    10.3.11
    Did it in virtual.conf. Thanks again, @eva2000!
     
  9. eva2000

    eva2000 Administrator Staff Member

    45,201
    10,279
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,933
    Local Time:
    9:19 PM
    Nginx 1.19.x
    MariaDB 5.5/10.x