
Nginx Proper redirects

Discussion in 'Install & Upgrades or Pre-Install Questions' started by Derek, Oct 27, 2016.

  1. Derek

    I guess this goes in the install question. Other redirect questions seemed to be here...

    Anyway, here's where I am:
    • Production site running along happily
    • Installed SSL recently, that runs well
    • Ready to redirect all traffic to https://www.mysite.org
    • Not sure the best way to do that.
    The problem is that I've got Server {} blocks in two files - mysite.org.conf and mysite.org.ssl.conf.

    So I'm assuming it's safe to make this change:

    Code:
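    # Plain-HTTP redirect for the bare domain. The target scheme and host are
    # written out literally instead of being built from $scheme or $host, so the
    # redirect always lands on the HTTPS www site regardless of the request.
    # NOTE(review): only mysite.org is matched here; http://www.mysite.org is not
    # redirected by this block and is handled by whichever port-80 server block
    # names it.
    server {
        listen 80;
        server_name mysite.org;
        # The posted line read "$schemehttps://://www..." (struck-through forum
        # text merged into the directive), which is not a valid URL.
        # Browsers cache a 301 aggressively; a 302 is easier to back out while
        # the redirect is still being tested.
        return 301 https://www.mysite.org$request_uri;
    }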
    
    And I guess I leave this block unchanged in mysite.org.conf:

    Code:
    # Content-serving block (truncated in the post). It has no listen directive,
    # so it uses nginx's default listener (port 80 when started as root), not 443.
    # NOTE(review): it still names both mysite.org and www.mysite.org, so plain
    # HTTP requests for www.mysite.org are answered here instead of being
    # redirected, and mysite.org overlaps any separate port-80 redirect block for
    # the same name (nginx warns about a conflicting server name and uses one).
    server {
      server_name mysite.org www.mysite.org;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/mysite.org/log/access.log combined buffer=256k flush=60m;
      error_log /home/nginx/domains/mysite.org/log/error.log;
    
      root /home/nginx/domains/mysite.org/public;
    
    # Rewrite Archive Requests
    # NOTE(review): the dots in "index.php" and ".html" are unescaped, so each
    # matches any single character, not only a literal dot.
    rewrite ^/archive/index.php/t-([0-9]+).html$ /index.php?threads/$1/ permanent;
    rewrite ^/mobile/archive/index.php/t-([0-9]+).html$ /index.php?threads/$1/ permanent;
    
      # prevent access to ./directories and files
      # NOTE(review): this pattern also matches paths under /.well-known/ - confirm
      # certificate renewal does not depend on an HTTP challenge served from here.
      location ~ (?:^|/)\. {
       deny all;
      }
    
      location / {
    
    # block common exploits, sql injections etc
    # (the include below is commented out, so block.conf is not applied here)
    #include /usr/local/nginx/conf/block.conf;
    Then in the mysite.org.ssl.conf file this one is safe:

    Code:
     # Redirect block for the bare domain. There is no listen directive, so it
     # uses nginx's default listener (port 80 when started as root) and does not
     # accept TLS connections.
     # NOTE(review): https://mysite.org is therefore not redirected by this block;
     # that would need a block listening on 443 with the certificate configured.
     server {
       server_name mysite.org;
        return 301 https://www.mysite.org$request_uri;
     }
    
    And then this chunk can stay unchanged? Maybe delete the strikethrough part?

    Code:
    # TLS server block (truncated in the post).
    server {
      listen 443 ssl http2;
      # NOTE(review): mysite.org is listed here, so https://mysite.org is served
      # directly by this block rather than being redirected to www.
      server_name mysite.org www.mysite.org;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/mysite.org/dhparam.pem;
      ssl_certificate      /etc/letsencrypt/live/mysite.org/fullchain.pem;
      # Private key for the certificate above; keep it readable by root only.
      ssl_certificate_key  /etc/letsencrypt/live/mysite.org/privkey.pem;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # mozilla recommended
      # NOTE(review): the list still admits CBC-mode suites and plain AES*/RSA
      # key-exchange suites without forward secrecy for old clients; compare it
      # with a current recommended profile before reusing it.
      ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
      # HSTS is commented out, so nothing yet tells browsers to skip the initial
      # plain-HTTP request. includeSubdomains would extend the policy to every
      # subdomain; confirm they all serve HTTPS before enabling it.
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      # The content-type sniffing and framing headers below are also disabled.
      #add_header  X-Content-Type-Options "nosniff";
      #add_header X-Frame-Options DENY;
      #spdy_headers_comp 5;
    Is that it? With those couple of changes, do folks connecting to http://mysite.org, https://mysite.org, and http://www.mysite.org all end up on the SSL site?
     
  2. eva2000

    Posted at centminmod.com/nginx_domain_dns_setup.html#httpsredirect

    The key to testing is to use a 302 temporary redirect first, in a private/incognito browser session. Otherwise the problems you experience may end up being due to browser caching or 301 permanent redirects, unless you clear the browser cache and reboot your local computer(s) - and even then some web browsers don't let go of a cached 301 permanent redirect that willingly :)
     
  3. Derek

    Aaaaand, there was the answer:

    Thanks. :D
     