
Nginx SSL URL exception (SSL)

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by Jota, Aug 19, 2017.

  1. Jota

    Jota Member

    I have a WP site installed with the SSL-only option (Let's Encrypt) and now I just need to make an exception for the Redsys gateway, which doesn't use SSL.

    I know I must apply this code, converted from Apache to nginx:

    Code:
    location / {
      # Redirect to HTTPS unless the request is the Redsys callback.
      # "^/(.*)$" drops the leading slash so the target is not "domain.com//path".
      if ($query_string !~ "wc-api=WC_MyRedsys"){
        rewrite ^/(.*)$ https://domain.com/$1 redirect;
      }
    }
    So I need to allow the URL http://site.com/?wc-api=WC_MyRedsys to work over both SSL and non-SSL.

    How do I apply this in the nginx config?

    Code:
    CentOS Version: CentOS Linux 6.9 x86_64
    Centmin Mod Version Installed: 123.09beta01
    Nginx Version Installed: nginx/1.13.3
    PHP Version Installed: 7.0.18
    MariaDB MySQL Version Installed: 10.1.25
    When was last time updated Centmin Mod code base ? : Last week
    Persistent Config: LETSENCRYPT_DETECT='y'
     
  2. eva2000

    eva2000 Administrator Staff Member

    Nginx 1.13.x
    MariaDB 5.5
    Have you enabled HSTS in the HTTPS vhost config (Nginx Vhost & NSD DNS Setup - CentminMod.com LEMP Nginx web stack for CentOS)? If you have, you can't punch a hole in HTTPS requests, as HSTS tells the browser to always use HTTPS for the domain (and subdomains, if you set the include subdomain directive in HSTS).

    You can't use that rewrite rule in an HTTPS-only vhost which has an HTTP to HTTPS redirect in place. It wouldn't work. Best to create a separate non-HTTPS vhost config file for your /usr/local/nginx/conf/conf.d/domain.com.conf. You can use the official vhost generator for Centmin Mod at Generate Centmin Mod Nginx Vhost - CentminMod.com LEMP Nginx web stack for CentOS, and make sure your domain.com.ssl.conf web app specific rules are duplicated in the non-HTTPS vhost config file for your /usr/local/nginx/conf/conf.d/domain.com.conf.

    Then in your HTTPS vhost /usr/local/nginx/conf/conf.d/domain.com.ssl.conf, set those specific requests to force redirect to the non-HTTPS vhost /usr/local/nginx/conf/conf.d/domain.com.conf:

    Code (Text):
    location / {
      # Send everything except the Redsys callback to the non-HTTPS vhost.
      # "^/(.*)$" drops the leading slash so the target is not "domain.com//path".
      if ($query_string !~ "wc-api=WC_MyRedsys"){
        rewrite ^/(.*)$ http://domain.com/$1 redirect;
      }
    }
     
  3. Jota

    Jota Member

    I never enabled HSTS, since I have other vhosts using HTTP only (non-HTTPS).

    But anyway, I understand that I must create an HTTP vhost and I must add the force redirect code in domain.com.ssl.conf.

    After I created the new file domain.com.conf (I ignored the autoprotect-domain.com.conf file because it already exists) and applied this, I get the error in nginx:

    Code:
    nginx: [emerg] "location" directive is not allowed here in /usr/local/nginx/conf/conf.d/domain.com.ssl.conf:122
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
    
    Why ?
     
  4. eva2000

    eva2000 Administrator Staff Member

    What does your domain.com.ssl.conf look like?
     
  5. Jota

    Jota Member

    Something like this:

    Code:
    #x# HTTPS-DEFAULT
     server {
      
       server_name domain.com www.domain.com;
       return 302 https://$server_name$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    server {
      listen 443 ssl http2;
      server_name domain.com www.domain.com;
    
      include /usr/local/nginx/conf/ssl/domain.com/domain.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
    #  ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/domain.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf;
      root /home/nginx/domains/domain.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      include /usr/local/nginx/conf/wpincludes/domain.com/wpcacheenabler_domain.com.conf;
      #include /usr/local/nginx/conf/wpincludes/domain.com/wpsupercache_domain.com.conf;
      # https://community.centminmod.com/posts/18828/
      #include /usr/local/nginx/conf/wpincludes/domain.com/rediscache_domain.com.conf; 
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
     
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # for wordpress super cache plugin
      #try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?q=$uri&$args;
    
      # for wp cache enabler plugin
      try_files $cache_enabler_uri $uri $uri/ $custom_subdir/index.php?$args; 
    
      # Wordpress Permalinks
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      # Nginx level redis Wordpress
      # https://community.centminmod.com/posts/18828/
      #try_files $uri $uri/ /index.php?$args;
    
      }
    
    location ~* /(wp-login\.php) {
        limit_req zone=xwplogin burst=1 nodelay;
        #limit_conn xwpconlimit 30;
        auth_basic "Private";
        #auth_basic_user_file /home/nginx/domains/domain.com/htpasswd_wplogin;   
        include /usr/local/nginx/conf/php-wpsc.conf;
        
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /(xmlrpc\.php) {
        limit_req zone=xwprpc burst=45 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
        
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
      include /usr/local/nginx/conf/wpincludes/domain.com/wpsecure_domain.com.conf;
      include /usr/local/nginx/conf/php-wpsc.conf;
     
      # https://community.centminmod.com/posts/18828/
      #include /usr/local/nginx/conf/php-rediscache.conf;
      include /usr/local/nginx/conf/pre-staticfiles-local-domain.com.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    location / {
      if ($query_string !~ "wc-api=WC_MyRedsys"){
        rewrite ^(.*)$ http://domain.com/$1 redirect;
      }
    }
     
  6. eva2000

    eva2000 Administrator Staff Member

    That's incorrect.
    Code (Text):
    location / {
      # "^/(.*)$" drops the leading slash so the target is not "domain.com//path".
      if ($query_string !~ "wc-api=WC_MyRedsys"){
       rewrite ^/(.*)$ http://domain.com/$1 redirect;
      }
    }
    

    is an example of using the location / context that already exists in your vhost, so you just need to add this
    Code (Text):
      # Goes inside the existing "location / { ... }" block, not after the server block.
      if ($query_string !~ "wc-api=WC_MyRedsys"){
       rewrite ^/(.*)$ http://domain.com/$1 redirect;
      }
    

    to the appropriate location context.
     
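Pulling the two replies above together, this is the shape of vhost a practitioner would want for the stated goal (the whole site on HTTPS, one callback URL reachable over plain HTTP as well). It is an added example, not code from the thread or from Centmin Mod. The exception lives in the port-80 server block, which keeps redirecting everything else to HTTPS, so no second vhost for the same server_name is needed (two server blocks with the same server_name on the same port make nginx warn about a conflicting server name and silently use the first one it loads). The host name, the query argument and the include paths are taken from the vhost posted earlier in the thread; the "-http" log file names and the variable name $redsys_callback are assumptions made for this example.

```nginx
# /usr/local/nginx/conf/conf.d/domain.com.ssl.conf (port-80 part)
#
# Added example, not code from the thread or from Centmin Mod. Assumes the site
# is domain.com, that the gateway marks its callback with the query argument
# wc-api=WC_MyRedsys, and that the include paths match the Centmin Mod vhost
# posted above. The "-http" log file names are made up for this example.

# Classify the request once, at http{} level (conf.d files are included inside
# http{} in Centmin Mod's nginx.conf). The regex anchors on "&" or the start
# and end of the query string, so "wc-api=WC_MyRedsysOther" does not match.
map $args $redsys_callback {
    default                                  0;
    "~(^|&)wc-api=WC_MyRedsys(&|$)"          1;
}

# Replaces the stock "HTTPS-DEFAULT" server block: every plain-HTTP request is
# still bounced to HTTPS, except the gateway callback, which is served here.
# A 302 is no use to the gateway because HTTP clients turn a redirected POST
# into a GET and drop the payload, which is why the callback needs a real
# exception rather than a redirect.
server {
    listen 80;
    server_name domain.com www.domain.com;

    # "return" inside a server-level "if" is one of the documented safe uses of
    # "if". $request_uri carries the original path and query string, so no
    # "$1" capture (and no double slash) is involved.
    if ($redsys_callback = 0) {
        return 302 https://$server_name$request_uri;
    }

    root /home/nginx/domains/domain.com/public;
    access_log /home/nginx/domains/domain.com/log/access-http.log combined;
    error_log  /home/nginx/domains/domain.com/log/error-http.log;

    # Only the callback reaches this point. Route it through WordPress with the
    # same PHP include the HTTPS vhost uses.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    include /usr/local/nginx/conf/php-wpsc.conf;
    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/drop.conf;
}

# The HTTPS server block stays as posted above; it needs no rewrite or "if",
# because the callback URL also works over HTTPS. Leave the HSTS add_header
# commented out while this exception exists: a browser that has seen HSTS for
# domain.com will refuse to load http://domain.com/... at all (the gateway's
# own server-to-server POST is not a browser and is unaffected by HSTS).
```

Check it with `nginx -t` and a reload, then confirm the split with two requests: `curl -sI http://domain.com/ | grep -i location` should show the 302 to https://, while `curl -sI 'http://domain.com/?wc-api=WC_MyRedsys'` should come back from WordPress directly with no Location header.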
  7. Jota

    Jota Member

    Perfect, working now!

    eva2000, you're my hero ;)
     