
SSL ssl forcing

Discussion in 'Domains, DNS, Email & SSL Certificates' started by dooma, Jul 4, 2017.

  1. dooma

    hello,
    I have 2 small issues :

    I want to redirect all www and non-www requests to https://mydomain.com, so I edited the ssl conf file by un-commenting the redirect lines and restarted nginx, but nothing happened — please check the config below. Also, when I enable friendly URLs for my XenForo forum, some links on the site stop working. Thanks

    Code (Text):
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For SPDY SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
       server {
             # Plain-http listener for both the bare and the www name.
             listen   80;
             server_name mydomain.com www.mydomain.com;
             # Permanent redirect to the canonical bare https host, keeping
             # the original path and query string ($request_uri).
             # 301 is cached by browsers; the header comment says to try 302 first.
             # NOTE(review): if another port-80 server for these same names is
             # loaded earlier (e.g. the non-ssl vhost file discussed later in
             # the thread), nginx routes the request there and this block never
             # sees it - confirm only one port-80 server claims these names.
             return 301 https://mydomain.com$request_uri;
       }
    
    server {
      listen 443 ssl http2;
      # Both names are served over TLS here; only the port-80 server above
      # redirects www to the bare name, so a request that arrives directly as
      # https://www.mydomain.com is answered as-is, not canonicalised.
      server_name mydomain.com www.mydomain.com;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/mydomain.com/dhparam.pem;
      # NOTE(review): the cert/key directory is spelled "mydomaincom" while
      # dhparam uses "mydomain.com" - confirm both paths exist on disk.
      ssl_certificate      /usr/local/nginx/conf/ssl/mydomaincom/ssl-unified.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/mydomaincom/mydomain_com.key;
      # shared TLS settings; contents are not visible in this file
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      # Explicit suite list: only EECDH (ephemeral ECDH) key exchange is
      # offered, and the "!" entries exclude null/export/RC4/3DES/MD5 etc.
      ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      # the server's order above wins over the client's preference
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      # HSTS is currently disabled: browsers are not told to go straight to
      # https on later visits. Enable it only once the http->https redirect is
      # confirmed working, because the max-age is remembered by the browser.
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      # The three browser-hardening response headers below are also disabled.
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      # NOTE(review): session tickets are on; with no explicit
      # ssl_session_ticket_key the ticket key presumably lives only in memory
      # and changes on restart - confirm this matches the intended policy.
      ssl_session_tickets on;
    
      # enable ocsp stapling
      # All stapling lines are commented out, so OCSP stapling is off and
      # clients that check revocation must contact the OCSP responder themselves.
      #resolver 8.8.8.8 8.8.4.4 valid=10m;
      #resolver_timeout 10s;
      #ssl_stapling on;
      #ssl_stapling_verify on;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-trusted.crt;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/mydomain.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/mydomain.com/log/error.log;
    
      # per-domain include generated elsewhere; contents not visible here
      include /usr/local/nginx/conf/autoprotect/mydomain.com/autoprotect-mydomain.com.conf;
      root /home/nginx/domains/mydomain.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      # prevent access to ./directories and files
      # NOTE(review): this deny is commented out, so dot-files/dot-directories
      # under the document root are not blocked by this vhost unless one of the
      # included files (e.g. drop.conf below) covers them - verify.
      #location ~ (?:^|/)\. {
      # deny all;
      #}
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    # request filtering is also disabled while this include is commented out
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      # left off: no directory listings are exposed
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Wordpress Permalinks example
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      }
    
      include /usr/local/nginx/conf/pre-staticfiles-local-mydomain.com.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      # PHP handler; presumably defines the .php location for this vhost -
      # check its contents before adding another .php location in this file.
      include /usr/local/nginx/conf/php.conf;
    
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
     
  2. eva2000

    did you restart nginx server ?

    Posted at centminmod.com/nginx_domain_dns_setup.html#httpsredirect

    The key to testing is to use a 302 temporary redirect first, in a private/incognito browser session; otherwise the problems you see may be caused by browser caching of 301 permanent redirects. Even after clearing the browser cache and rebooting the local computer(s), some browsers don't let go of a cached 301 permanent redirect that willingly :)

    You can test in SSH via curl to check headers for location field (where the redirect goes) using the following commands:
    Code (Text):
    # fetch only the response headers; the Location field shows where the redirect goes
    curl --head http://domain.com
    

    Code (Text):
    # same check for the www name; compare the Location field with the bare name
    curl --head http://www.domain.com
    
     
  3. dooma

    Yes, I restarted the nginx server, cleared the cache and restarted Windows, but the issue is the same. Do you have a suggestion? I still have to add https:// manually to reach the site over SSL.

    Any suggestion @eva2000 ? :)

    Thanks
     
    Last edited: Jul 4, 2017
  4. dooma

    I solved the SSL issue: the forcing change has to be made in the main nginx conf file, not only in the ssl conf file.

    now am trying to solve xf friendly urls..
     
  5. eva2000

  6. dooma

    Sorry, I made these changes in /usr/local/nginx/conf/conf.d/newdomain.com.conf — is that correct? — and also in /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf

    Also, I'm getting this error while trying to add the nginx friendly URL configuration:

    Code:
    nginx: [emerg] invalid number of arguments in "location" directive in /usr/local/nginx/conf/conf.d/mydomain.com.conf:72
    nginx: invalid option: "n"
    
    Thanks
     
  7. eva2000

    oh yes, the domain vhosts like domain.com.conf and domain.com.ssl.conf - I thought you meant nginx.conf :)

    yes, the http to https redirect normally goes in the non-https domain.com.conf, but if you use the forced redirect outlined at Nginx Vhost & NSD DNS Setup - CentminMod.com LEMP Nginx web stack for CentOS, you disable domain.com.conf and add the http to https redirect to domain.com.ssl.conf instead — only after disabling domain.com.conf

    what is 72nd line of /usr/local/nginx/conf/conf.d/mydomain.com.conf ?

    in SSH use the cat command with -n to report line numbers
    Code (Text):
    # print the vhost with a line number in front of every line
    cat --number /usr/local/nginx/conf/conf.d/mydomain.com.conf
    

    wrap output in CODE tags
     
  8. dooma

    Nothing at line 72

    Code (Text):
    1  # Centmin Mod Getting Started Guide
         2  # must read http://centminmod.com/getstarted.html
         3
         4  # redirect from non-www to www
         5  # uncomment, save file and restart Nginx to enable
         6  # if unsure use return 302 before using return 301
         7   server {
         8               listen   80;
         9               server_name mydomain.com www.mydomain.com;
        10               return 302 https://$server_name$request_uri;
        11          }
        12
        13  server {
        14
        15    server_name mydomain.com www.mydomain.com;
        16
        17  # ngx_pagespeed & ngx_pagespeed handler
        18  #include /usr/local/nginx/conf/pagespeed.conf;
        19  #include /usr/local/nginx/conf/pagespeedhandler.conf;
        20  #include /usr/local/nginx/conf/pagespeedstatslog.conf;
        21
        22    #add_header X-Frame-Options SAMEORIGIN;
        23    #add_header X-Xss-Protection "1; mode=block" always;
        24    #add_header X-Content-Type-Options "nosniff" always;
        25
        26    # limit_conn limit_per_ip 16;
        27    # ssi  on;
        28
        29    access_log /home/nginx/domains/mydomain.com/log/access.log combined buffer=256k flush=5m;
        30    error_log /home/nginx/domains/mydomain.com/log/error.log;
        31
        32    include /usr/local/nginx/conf/autoprotect/mydomain.com/autoprotect-mydomain.com.conf;
        33    root /home/nginx/domains/mydomain.com/public;
        34    # uncomment cloudflare.conf include if using cloudflare for
        35    # server and/or vhost site
        36    #include /usr/local/nginx/conf/cloudflare.conf;
        37    include /usr/local/nginx/conf/503include-main.conf;
        38
        39    # prevent access to ./directories and files
        40    #location ~ (?:^|/)\. {
        41    # deny all;
        42    #}
        43
        44    location / {
        45    include /usr/local/nginx/conf/503include-only.conf;
        46
        47  # block common exploits, sql injections etc
        48  #include /usr/local/nginx/conf/block.conf;
        49
        50    # Enables directory listings when index file not found
        51    #autoindex  on;
        52
        53    # Shows file listing times as local time
        54    #autoindex_localtime on;
        55
        56    # Wordpress Permalinks example
        57    #try_files $uri $uri/ /index.php?q=$uri&$args;
        58
        59    }
        60
        61    include /usr/local/nginx/conf/pre-staticfiles-local-mydomain.com.conf;
        62    include /usr/local/nginx/conf/pre-staticfiles-global.conf;
        63    include /usr/local/nginx/conf/staticfiles.conf;
        64    include /usr/local/nginx/conf/php.conf;
        65
        66    include /usr/local/nginx/conf/drop.conf;
        67    #include /usr/local/nginx/conf/errorpage.conf;
        68    include /usr/local/nginx/conf/vts_server.conf;
        69  }
        70
        71
    


    I want to add XenForo friendly URLs; please check this (I have modified the paths since my forum is in the root folder).

    Code (Text):
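    # XenForo in the site root: anything that is not an existing file or
    # directory is handed to index.php with the original URI and query string.
    # The original snippet had "location  {" with no URI, which nginx rejects
    # ("invalid number of arguments in location directive").
    location / {
        # leading "/" makes the fallback an internal redirect to the front
        # controller; without it nginx would not treat it as a URI
        try_files $uri $uri/ /index.php?$uri&$args;
        index index.php index.html;
    }
    
    # XenForo data and library directories: "internal" makes them unreachable
    # from the outside (nginx answers 404) while internal redirects still work.
    # With the forum in the root there is no /xf/ prefix; the original snippet
    # still had it on the install/data entry, so that path would have been
    # served as ordinary static files by "location /" instead of being hidden.
    location /install/data/ {
        internal;
    }
    location /install/templates/ {
        internal;
    }
    location /internal_data/ {
        internal;
    }
    location /library/ {
        internal;
    }
    
    # NOTE(review): the vhost already includes php.conf at server level; if
    # that file defines its own .php location, this block duplicates it -
    # keep only one PHP handler per vhost.
    location ~ \.php$ {
        # =404 for a script that does not exist on disk, so an unknown path
        # is never passed to php-fpm
        try_files $uri =404;
        fastcgi_pass    127.0.0.1:9000;
        fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include         fastcgi_params;
    }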


    Thanks
     
  9. eva2000

  10. dooma

    hi, thanks a lot, but why does the admin panel give me Forbidden, although I ran this command:

    Code:
    # Creates the basic-auth user file that auth_basic_user_file points at.
    # USERNAME and PASSWORD are placeholders to replace with real values.
    # Caveat: the password is passed as a command-line argument, so it ends up
    # in the shell history and is readable in the process list while the
    # script runs; run it with a leading space (HISTCONTROL=ignorespace) or
    # clear the history afterwards.
    /usr/local/nginx/conf/htpasswd.sh create /usr/local/nginx/conf/htpasswd_admin_php USERNAME PASSWORD
    
    and I replaced the username and password

    thanks
     
  11. eva2000

    did you restart nginx + php-fpm after ?
    Code (Text):
    # Centmin Mod helper that restarts nginx and php-fpm together; the post
    # above recommends running it after changing the vhost/auth setup.
    nprestart
    

    also, if you did the following including the allow/deny directives, make sure your ISP IP is added where YOURIPADDRESS is mentioned
    Code (Text):
           # Protects the XenForo admin entry point with basic auth AND a
           # source-IP allowlist; both must pass (nginx default satisfy=all).
           location /admin.php {
                auth_basic "Private";
                auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin_php;
                   # php.conf is included INSIDE this location so the PHP
                   # handler is nested here and inherits the auth and
                   # allow/deny rules; a plain prefix location on its own
                   # would lose to a server-level regex .php location and the
                   # protection would not apply.
                   include /usr/local/nginx/conf/php.conf;
                   allow 127.0.0.1;
                   # YOURIPADDRESS is a placeholder: with it unreplaced, every
                   # client except localhost is denied (the "Forbidden" above).
                   allow YOURIPADDRESS;
                   deny all;
           }
    
           # Same protection for the installer/upgrader directory.
           location /install/ {
                auth_basic "Private";
                auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin_php;
                   # nested include for the same reason as in /admin.php above
                   include /usr/local/nginx/conf/php.conf;
                   allow 127.0.0.1;
                   allow YOURIPADDRESS;
                   deny all;
           }
    

    If you don't have a static ISP IP, remove the allow and deny directives; they restrict access by IP address for added security, so with them in place you need both a whitelisted IP and the username/password to gain access.
     
    Last edited: Jul 5, 2017
  12. dooma

    I got it working, thank you so much. But I think the browser saved the credentials, and it asks for the username and password only the first time. Correct?
     
  13. eva2000

    for the first session only — if you close and reopen the browser, you will need to enter them again
     
  14. dooma

    I have a question please: why does forcing https:// require disabling mydomain.com.conf?
     
  15. eva2000

    because mydomain.com.conf is for non-https only
     
  16. dooma

    Thanks