Nginx won't serve URL without subdomain - nginx

I am trying to make nginx redirect all URLs to https://www.example.com
But the config I wrote with the help of other references won't work without www.
    http://example.com -> https://www.example.com # not working
    http://www.example.com -> https://www.example.com
    https://example.com -> https://www.example.com # not working
    https://www.example.com -> https://www.example.com
    server {
        listen 80;
        listen [::]:80;
        server_name example.com www.example.com;
        return 301 https://www.example.com$request_uri;
    }
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name example.com www.example.com;
        root /home/user/example.com/public;
        index index.php;
        add_header Strict-Transport-Security max-age=31536000;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-Content-Type-Options "nosniff";
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        # OCSP Stapling
        ssl_stapling on;
        ssl_stapling_verify on;
        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }
        location ~ \.php$ {
            fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
            fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
            include fastcgi_params;
        }
        location ~ /\.(?!well-known).* {
            deny all;
        }
    }
Any help is appreciated. Thank you.
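The posted 443 block answers for both example.com and www.example.com and contains no `return`, so a request to https://example.com is served in place rather than redirected. A layout that gives the bare domain its own HTTPS redirect block, as an added example that is not part of the original post; it assumes the certificate covers both names, and it also narrows ssl_protocols to TLSv1.2 and TLSv1.3:

```nginx
# Added example, not the asker's configuration.
# Assumption: the certificate lists both example.com and www.example.com;
# otherwise the handshake for the bare domain fails before any redirect.
# Plain HTTP, either host name -> canonical HTTPS host.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://www.example.com$request_uri;
}

# HTTPS on the bare domain: complete the handshake, then redirect to www.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    return 301 https://www.example.com$request_uri;
}

# The site itself answers only on the canonical name.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.example.com;
    root  /home/user/example.com/public;
    index index.php;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;   # TLSv1 and TLSv1.1 dropped

    # "always" also attaches the headers to error responses.
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
    }
    location ~ /\.(?!well-known).* {
        deny all;
    }
}
```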

Related

Nginx Subdomain Server Blocks keep redirecting to main domain in Centos 7

I have a WordPress site and am trying to set up subdomains using Nginx and Let's Encrypt SSL to have prod and test environments.
For example:
prod site --> abc.com www.abc.com
dev site --> dev.abc.com
I have set up Nginx using this guide https://www.digitalocean.com/community/tutorials/how-to-set-up-nginx-server-blocks-on-centos-7.
My Server blocks look as following:
/site-available/abc.com.conf
    server {
        root /var/www/wordpress;
        index index.php index.html index.htm;
        server_name abc.com www.abc.com;
        client_max_body_size 100M;
        location / {
            #try_files $uri $uri/ =404;
            try_files $uri $uri/ /index.php$is_args$args;
        }
        location ~ \.php$ {
            fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
            fastcgi_index index.php;
            fastcgi_connect_timeout 300s;
            fastcgi_read_timeout 300s;
            fastcgi_send_timeout 300s;
        }
        location ~ /\.ht {
            deny all;
        }
        listen 443 ssl http2;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
        ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
        # Improve HTTPS performance with session resumption
        ssl_session_cache shared:SSL:30m;
        ssl_session_timeout 15m;
        ssl_session_tickets on;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/letsencrypt/live/abc.com/fullchain.pem;
        resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
        resolver_timeout 5s;
        ssl_certificate /etc/letsencrypt/live/abc.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/abc.com/privkey.pem; # managed by Certbot
    }
    server {
        if ($host = www.abc.com) {
            return 301 https://$host$request_uri;
        } # managed by Certbot
        if ($host = abc.com) {
            return 301 https://$host$request_uri;
        } # managed by Certbot
        listen 80;
        server_name abc.com www.abc.com;
        return 404; # managed by Certbot
    }
/site-available/dev.abc.com.conf
    server {
        root /var/www/dev.abc.com;
        index index.php index.html index.htm index.nginx-debian.html;
        server_name dev.abc.com;
        location / {
            #try_files $uri $uri/ =404;
            try_files $uri $uri/ /index.php$is_args$args;
        }
        location ~ \.php$ {
            fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
            fastcgi_index index.php;
            fastcgi_connect_timeout 300s;
            fastcgi_read_timeout 300s;
            fastcgi_send_timeout 300s;
        }
        location ~ /\.ht {
            deny all;
        }
        listen 443 ssl http2;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
        ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
        # Improve HTTPS performance with session resumption
        ssl_session_cache shared:SSL:30m;
        ssl_session_timeout 15m;
        ssl_session_tickets on;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/letsencrypt/live/dev.abc.com/fullchain.pem;
        resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
        resolver_timeout 5s;
        ssl_certificate /etc/letsencrypt/live/dev.abc.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/dev.abc.com/privkey.pem; # managed by Certbot
    }
I have successfully enabled A records on Cloudflare and DigitalOcean for the dev domain name.
The problem is, whenever I try to access dev.abc.com it gets redirected to abc.com no matter what.
Then I tried removing the abc.com.conf server block and tested; it was then working fine with dev.abc.com.conf. However, when I put both blocks together, this time it was only working on dev.abc.com.
I am not sure what I am missing in this Nginx configuration. I also have both SSL certificates to match the exact domains. I have the exact same Nginx configuration on an Ubuntu server and it's working fine for another site of mine.

How can I rewrite a URL without changing the URL in the browser with nginx

I have a static page in my WordPress site,
https://www.mrtrobotics.com/naplan
and I would like to use a subdomain for this page:
edu.mrtrobotics.com
Now when I use edu.mrtrobotics.com, it goes to https://www.mrtrobotics.com/naplan,
but the URL shown in the browser is https://www.mrtrobotics.com/naplan.
I want it to be shown as edu.mrtrobotics.com to the user.
What should I do?
    server {
        listen 80;
        listen [::]:80;
        server_name mrtrobotics.com www.mrtrobotics.com;
        location ~ /.well-known/acme-challenge {
            allow all;
            root /var/www/html;
        }
        location / {
            rewrite ^ https://$host$request_uri? permanent;
        }
    }
    server {
        listen 80;
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name edu.mrtrobotics.com;
        ssl_certificate /etc/letsencrypt/live/mrtrobotics.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mrtrobotics.com/privkey.pem;
        include /etc/nginx/conf.d/options-ssl-nginx.conf;
        rewrite ^ https://mrtrobotics.com/naplan permanent;
    }
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name mrtrobotics.com www.mrtrobotics.com;
        index index.php index.html index.htm;
        root /var/www/html;
        server_tokens off;
        ssl_certificate /etc/letsencrypt/live/mrtrobotics.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mrtrobotics.com/privkey.pem;
        include /etc/nginx/conf.d/options-ssl-nginx.conf;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "no-referrer-when-downgrade" always;
        add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
        # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        # enable strict transport security only if you understand the implications
        location / {
            try_files $uri $uri/ /index.php$is_args$args;
        }
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass wordpress:9000;
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
        }
        location ~ /\.ht {
            deny all;
        }
        location = /favicon.ico {
            log_not_found off; access_log off;
        }
        location = /robots.txt {
            log_not_found off; access_log off; allow all;
        }
        location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
            expires max;
            log_not_found off;
        }
    }
    # Set client upload size - 100 MB
    client_max_body_size 100M;
    # to avoid 504 timeout errors - default is 60s
    proxy_send_timeout 180s;
    proxy_read_timeout 180s;
    fastcgi_send_timeout 180s;
    fastcgi_read_timeout 180s;
Your server that handles edu.mrtrobotics.com should not have that rewrite rule; once you do a permanent rewrite you will send a 301 back to the browser and the URL will change. If /naplan really is the only thing that should be served from the edu subdomain, then perhaps you want something like this?
    server {
        listen 80;
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name edu.mrtrobotics.com;
        ssl_certificate /etc/letsencrypt/live/mrtrobotics.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mrtrobotics.com/privkey.pem;
        include /etc/nginx/conf.d/options-ssl-nginx.conf;
        root /var/www/html;
        location / {
            try_files /naplan/$uri /naplan =404;
        }
    }
Update, as /naplan is a folder, try...
    server {
        listen 80;
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name edu.mrtrobotics.com;
        ssl_certificate /etc/letsencrypt/live/mrtrobotics.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mrtrobotics.com/privkey.pem;
        include /etc/nginx/conf.d/options-ssl-nginx.conf;
        root /var/www/html;
        location / {
            root /var/www/html/naplan;
        }
    }
Good luck :-)

Laravel Forge - Deploying Wordpress + HTTPS is giving "too many redirects"

My Nginx config file:
    # FORGE CONFIG (DO NOT REMOVE!)
    include forge-conf/www.example.com/before/*;
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name www.example.com;
        root /home/forge/www.example.com;
        # FORGE SSL (DO NOT REMOVE!)
        ssl_certificate /etc/nginx/ssl/www.example.com/616559/server.crt;
        ssl_certificate_key /etc/nginx/ssl/www.example.com/616559/server.key;
        ssl_protocols TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/nginx/dhparams.pem;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options "nosniff";
        index index.html index.htm index.php;
        charset utf-8;
        # FORGE CONFIG (DO NOT REMOVE!)
        include forge-conf/www.example.com/server/*;
        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }
        location = /favicon.ico { access_log off; log_not_found off; }
        location = /robots.txt { access_log off; log_not_found off; }
        access_log off;
        error_log /var/log/nginx/www.example.com-error.log error;
        error_page 404 /index.php;
        location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
            fastcgi_index index.php;
            include fastcgi_params;
        }
        location ~ /\.(?!well-known).* {
            deny all;
        }
    }
    # FORGE CONFIG (DO NOT REMOVE!)
    include forge-conf/www.example.com/after/*;
Site domain is www.example.com
Aliases: example.com
Any idea?
Just posting the solution for anyone in the same situation:
The problem was not with the posted Nginx configuration at all, which is correct.
After a while searching for a solution, I realised that I had two DNS records (in the DNS table of my web and domain hosting) pointing to www.example.com, resulting in that behaviour when accessing the web.
Thanks.

nginx - Disable HTTPS redirection for specific URL

I have nginx set up to redirect all HTTP requests to HTTPS like so:
    # Redirect every request to HTTPS...
    server {
        listen 80;
        listen [::]:80;
        server_name .sub.example.com;
        return 301 https://$host$request_uri;
    }
I have a requirement for a specific route to not be forced to HTTPS: /iot/{token}/weather.
I tried updating the nginx config like so:
    # Redirect every request to HTTPS...
    server {
        listen 80;
        listen [::]:80;
        location ~* ^/iot/[0-9a-z]/weather$ {
            break;
        }
        server_name .sub.example.com;
        return 301 https://$host$request_uri;
    }
However the HTTP request was still being forced to HTTPS.
So I tried doing this:
    # Redirect every request to HTTPS...
    server {
        listen 80;
        listen [::]:80;
        server_name .sub.example.com;
        location ~* ^/iot/[0-9a-z]/weather$ {
            break;
        }
        location / {
            return 301 https://$host$request_uri;
        }
    }
However this still isn't working.
The above is the only file imported in the before section below:
    # FORGE CONFIG (DO NOT REMOVE!)
    include forge-conf/sub.example.com/before/*;
    server {
        listen 80;
        listen [::]:80;
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name sub.example.com;
        root /home/forge/sub.example.com/public;
        # FORGE SSL (DO NOT REMOVE!)
        ssl_certificate /etc/nginx/ssl/sub.example.com/467330/server.crt;
        ssl_certificate_key /etc/nginx/ssl/sub.example.com/467330/server.key;
        ssl_protocols TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/nginx/dhparams.pem;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options "nosniff";
        index index.html index.htm index.php;
        charset utf-8;
        # FORGE CONFIG (DO NOT REMOVE!)
        include forge-conf/sub.example.com/server/*;
        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }
        location = /favicon.ico { access_log off; log_not_found off; }
        location = /robots.txt { access_log off; log_not_found off; }
        access_log off;
        error_log /var/log/nginx/sub.example.com-error.log error;
        error_page 404 /index.php;
        location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
            fastcgi_index index.php;
            include fastcgi_params;
        }
        location ~ /\.(?!well-known).* {
            deny all;
        }
    }
    # FORGE CONFIG (DO NOT REMOVE!)
    include forge-conf/sub.example.com/after/*;
I'd appreciate some help setting this up so that I can specify a URL to match that should not be redirected to HTTPS and then have all other URLs redirect to HTTPS.
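One way to carve out the exemption, as an added example that is not part of the original post: the posted pattern `[0-9a-z]` matches a token of exactly one character, so a longer token never reaches the exempt location, and `break` on its own does not hand the request to PHP. The block assumes index.php under the page's root is the application's front controller and that this is the only server block listening on port 80 for the host.

```nginx
# Added example, not the asker's configuration. Replaces the port-80 redirect
# server in the "before" include.
# Assumptions: public/index.php is the front controller, and the main server
# block no longer has "listen 80", so only this block answers plain HTTP.
server {
    listen 80;
    listen [::]:80;
    server_name .sub.example.com;
    root /home/forge/sub.example.com/public;

    # /iot/{token}/weather stays on HTTP. The "+" lets the token be one or
    # more characters of [0-9a-z]; anchors keep the match to this route only.
    # The token in this path crosses the network unencrypted.
    location ~* ^/iot/[0-9a-z]+/weather$ {
        # Internal rewrite: no response is sent, $request_uri is unchanged,
        # and the query string is carried over.
        rewrite ^ /index.php last;
    }

    # Reached only through the rewrite above; a direct client request for
    # /index.php over HTTP gets 404 because of "internal".
    location = /index.php {
        internal;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    }

    # Everything else is still forced to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

If the HTTPS site ever sends Strict-Transport-Security, browsers that have seen it will upgrade this route on their own; clients that ignore HSTS will keep using HTTP.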

How to point a subdomain to another "folder" on same server?

So I have set up two domains, each with their own repository, on one server with Forge. It looks like this:
DomainA.com (179.x.x.x)
DomainB.com (179.x.x.x)
In my DNS I have pointed them both to the same ip, and forge has handled everything else and it works great.
On the server there are two folders:
DomainA.com
DomainB.com
So now I want to create a subdomain on DomainB which "loads" the code of DomainA. Example: code.domainb.com will show the contents which are on domaina.com.
I'm not sure how I can do that? So far I understand that I need to change something in the nginx config, hopefully someone can give me some pointers :)
Nginx config for domainb:
    # FORGE CONFIG (DO NOT REMOVE!)
    include forge-conf/domainb.com/before/*;
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name .domainb.com;
        root /home/forge/domainb.com/public;
        # FORGE SSL (DO NOT REMOVE!)
        ssl_certificate /etc/nginx/ssl/domainb.com/471043/server.crt;
        ssl_certificate_key /etc/nginx/ssl/domainb.com/471043/server.key;
        ssl_protocols TLSv1.2;
        ssl_ciphers XXX;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/nginx/dhparams.pem;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options "nosniff";
        index index.html index.htm index.php;
        charset utf-8;
        # FORGE CONFIG (DO NOT REMOVE!)
        include forge-conf/domainb.com/server/*;
        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }
        location = /favicon.ico { access_log off; log_not_found off; }
        location = /robots.txt { access_log off; log_not_found off; }
        access_log off;
        error_log /var/log/nginx/domainb.com-error.log error;
        error_page 404 /index.php;
        location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
            fastcgi_index index.php;
            include fastcgi_params;
        }
        location ~ /\.(?!well-known).* {
            deny all;
        }
    }
    # FORGE CONFIG (DO NOT REMOVE!)
    include forge-conf/domainb.com/after/*;
Nginx conf for domain A:
    # FORGE CONFIG (DO NOT REMOVE!)
    include forge-conf/domaina.com/before/*;
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name .domaina.com;
        root /home/forge/domaina.com/public;
        # FORGE SSL (DO NOT REMOVE!)
        ssl_certificate /etc/nginx/ssl/domaina.com/470443/server.crt;
        ssl_certificate_key /etc/nginx/ssl/domaina.com/470443/server.key;
        ssl_protocols TLSv1.2;
        ssl_ciphers XXX;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/nginx/dhparams.pem;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options "nosniff";
        index index.html index.htm index.php;
        charset utf-8;
        # FORGE CONFIG (DO NOT REMOVE!)
        include forge-conf/domaina.com/server/*;
        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }
        location = /favicon.ico { access_log off; log_not_found off; }
        location = /robots.txt { access_log off; log_not_found off; }
        access_log off;
        error_log /var/log/nginx/domaina.com-error.log error;
        error_page 404 /index.php;
        location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
            fastcgi_index index.php;
            include fastcgi_params;
        }
        location ~ /\.(?!well-known).* {
            deny all;
        }
    }
    # FORGE CONFIG (DO NOT REMOVE!)
    include forge-conf/domaina.com/after/*;
The server_name directive can have more than one value. The exact match HOST name takes precedence. See this document for details.
If code.domainb.com uses the same document root as the server block for .domaina.com, simply add its name to the server_name directive.
For example:
    server {
        ...
        server_name .domainb.com;
        root /home/forge/domainb.com/public;
        ...
    }
    server {
        ...
        server_name .domaina.com code.domainb.com;
        root /home/forge/domaina.com/public;
        ...
    }
See this document for more.
