I'd like to ask for advice about configuring nginx and https for a Flask server (Centos 7, nginx 1.20.1).
I've defined a RESTful API which works as designed. I'd now like the user to be able to use any of the following addresses when calling the API:
http://mysiteapi.com
http://www.mysiteapi.com
https://mysiteapi.com
https://www.mysiteapi.com
I set up a generic nginx.conf file which worked fine for the first two addresses (http). I then ran sudo certbot --nginx -d mysite.com -d www.mysite.com. The https addresses now work but the http addresses give a 405 error. This nginx.conf file is shown below.
Is there anything obviously wrong about the 301 redirection here? More generally, is there scope to tidy up the file and reduce the number of 'server' blocks? I'm learning my way around nginx and would appreciate any guidance.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
#include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 4096;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
server
{
client_max_body_size 8M;
server_name mysiteapi.com;
location /
{
proxy_set_header Host $http_host;
proxy_set_header X-Real_IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://unix:/home/andrew/myproject/myproject.sock;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mysiteapi.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mysiteapi.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server
{
client_max_body_size 8M;
server_name www.mysiteapi.com;
location /
{
proxy_set_header Host $http_host;
proxy_set_header X-Real_IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://unix:/home/andrew/myproject/myproject.sock;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mysiteapi.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mysiteapi.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server
{
if ($host = mysiteapi.com)
{
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name mysiteapi.com;
return 404; # managed by Certbot
}
server
{
if ($host = www.mysiteapi.com)
{
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name www.mysiteapi.com;
return 404; # managed by Certbot
}
}
I'm not sure why do you get an HTTP 405 error with the plain HTTP requests, but I can guess it can happened because of requests methods other than GET - an HTTP 301 redirect will change any request method to the GET one, and to prevent it you should use an HTTP 308 redirect instead. But as I understand from your question you don't need any redirects at all, both HTTP and HTTPS schemes should be served equally, and if that is you want to achieve, you can significantly simplify your server block:
server {
server_name mysiteapi.com www.mysiteapi.com;
listen 80;
listen 443 ssl;
... # rest of the config here
}
Here I want to refer this answer:
I don't allow certbot to create my web server configurations. I frankly don't trust it to get it right, since it's already doing some not very efficient practices.
I do the same for my servers, so I suggest you to add this location to your nginx config (you can use any suitable directory instead of /var/www):
location /.well-known/acme-challenge/ {
root /var/www;
try_files $uri =404;
}
and use a certbot for certificate issuing/renewing only:
certbot certonly --webroot -w /var/www -d mysiteapi.com -d www.mysiteapi.com
Related
Here is my nginx.conf file
What should i change to make it work and how to get certificate;
I need to redirect http to https connection with nginx on rest service and need to test it on postman or soapui.
Is there any difference in configuring nginx for website and for webservice?
user nginx;
worker_processes auto;
error log /var/log/nginx/error.log;
pid /run/nginx.pid;
#Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
server {
listen 80;
server_name hostname_of_virtual_machine http://ipaddress:port;
return 301 https://$ipaddress:port$request_uri;
}
# Settings for a TLS enabled server.
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name hostname_of_virtual_machine;
root /usr/share/nginx/html;
#ssl_certificate "/etc/pki/nginx/server.crt";
#ssl_certificate_key "/etc/pki/nginx/private/server.key";
#ssl_session_cache shared:SSL:1m;
#ssl_session_timeout 10m;
#ssl_ciphers PROFILE=SYSTEM;
#ssl_prefer_server_ciphers on;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
}
When i try to test service in postman via http connection post method it still doesn't get any information;
Any idea what should i do?
EDIT
I have SSL Cert but don't know how to use it and where to put it. This is my conf file for now, and after talking with a colleague he told me that i just need a truststore in this file but i don't know how to create it.
So now, i need to edit existing conf file
First of all you need to remove the configuration codes after include /etc/nginx/conf.d/*.conf;
Note: The example below using Ubuntu 20.04 LTS
Go to /etc/nginx/sites-available and create a new file myapp01 and put your configuration there.
cd /etc/nginx/sites-available
sudo vi myapp01
Refer below snippet:
upstream appname-server {
server 127.0.0.1:8080;
}
server {
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name appname.com;
access_log /var/log/nginx/appname-access.log;
error_log /var/log/nginx/appname-error.log;
location / {
proxy_pass http://appname-server;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 5m;
proxy_send_timeout 5m;
}
listen 443 ssl;
ssl_certificate /path/to/your/ssl/cert.pem;
ssl_certificate_key /path/to/your/ssl/cert_key.pem;
}
server {
if ($host = appname.com) {
return 301 https://$host$request_uri;
}
server_name appname.com;
listen 80;
return 404;
}
Don't for get to add include /etc/nginx/sites-enabled/*; in nginx.conf. (Thanks to Drifter104 for notifying)
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
Next, go to /etc/nginx/sites-enabled and create symbolic links for myapp01, refer instructions below.
Go to sites-enabled
cd /etc/nginx/sites-enabled/
Create symbolic links for myapp01
ln -s /etc/nginx/sites-available/myapp01 .
After that, test your nginx configuration using sudo nginx -t. If everything is successful, proceed to step 5.
Reload nginx sudo systemctl reload nginx
Hope it helps you, cheers.
I have this website which i reverse proxied using nginx,
My website has CRUD operations so it uses HTTP PUT and DELETE methods to update and delete records!
I found out that using --http_dav_module solves the issue,
so i added following code into my nginx.conf file,
server {
server_name autoattendance.ml www.autoattendance.ml;
location / {
dav_methods PUT DELETE;
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
but it did not solve the issue,
these request are working fine on my local machine but not on the server!
The console error that i am getting is:
error screenshot
// ps : sorry, i'm not allowed to include images at this point it seems,
The complete nginx.conf file is:
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 4096;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
server {
server_name autoattendance.ml www.autoattendance.ml;
location / {
dav_methods PUT DELETE;
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/autoattendance.ml/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/autoattendance.ml/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Settings for a TLS enabled server.
#
# server {
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
# server_name _;
# root /usr/share/nginx/html;
#
# ssl_certificate "/etc/pki/nginx/server.crt";
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_ciphers PROFILE=SYSTEM;
# ssl_prefer_server_ciphers on;
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# error_page 404 /404.html;
# location = /40x.html {
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }
server {
if ($host = www.autoattendance.ml) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = autoattendance.ml) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name autoattendance.ml www.autoattendance.ml;
return 404; # managed by Certbot
}}
I am trying to setup tusd with Uppy on https without success. It works well on http.
Here's my nginx conf file:
server {
listen 80;
listen[::]: 80;
server_name
DOMAIN.com
www.DOMAIN.com;
root / srv / users / DOMAIN / apps / DOMAIN / public;
access_log / srv / users / DOMAIN / log / DOMAIN / DOMAIN_nginx.access.log main;
error_log / srv / users / DOMAIN / log / DOMAIN / DOMAIN_nginx.error.log;
proxy_set_header Host $host;
proxy_set_header X - Real - IP $remote_addr;
proxy_set_header X - Forwarded - For $proxy_add_x_forwarded_for;
include / etc / nginx - sp / vhosts.d / DOMAIN.d
/*.nonssl_conf;
include /etc/nginx-sp/vhosts.d/DOMAIN.d/*.conf;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name
DOMAIN.com
www.DOMAIN.com
;
ssl_certificate_key ssl/DOMAIN.key;
ssl_certificate ssl/DOMAIN.combined_crt;
root /srv/users/DOMAIN/apps/DOMAIN/public;
access_log /srv/users/DOMAIN/log/DOMAIN/DOMAIN_nginx.access_ssl.log main;
error_log /srv/users/DOMAIN/log/DOMAIN/DOMAIN_nginx.error_ssl.log;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Forwarded-Proto $scheme;
include /etc/nginx-sp/vhosts.d/DOMAIN.d/*.ssl_conf;
include /etc/nginx-sp/vhosts.d/DOMAIN.d/*.conf;
location /files/ {
#resolver 8.8.8.8 4.2.2.2;
proxy_pass http://localhost:3020/files;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# Disable request and response buffering
proxy_request_buffering off;
proxy_buffering off;
proxy_http_version 1.1;
# Add X-Forwarded-* headers so that response can reference https and
# originating host:port
proxy_set_header X-Forwarded-Host $hostname;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Allow proxying of websockets if required
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
client_max_body_size 0;
}
}
At another conf file I have this additional configuration:
location / {
proxy_pass $backend_protocol://$backend_host:$backend_port;
}
At Chrome console I have the following output:
upload.js:2 OPTIONS https://DOMAIN/files/2b775a112504ed1222c6ffdd4fbdac03+Dc99JI0Zvgh54FXVfpp5K32GAiZBjV5bY-d9tzj8fDL1FxNKKZrHP_SBE6OERG8SWAm1ZjqtjYMVWSvWCQLba0qsR8krfVBYw8ApHqIBO7DG9Bn1t_tv_a6nuuTuqlXC net::ERR_NAME_NOT_RESOLVED
Notice the domain without the .com extension!
I tried all combinations of configuration, commenting the configuration lines without success. Can you spot the mistake?
A contractor solved it for me and the solution is neat. He did it instead configuring Apache.
At the first nginx conf file he removed the "location /files/" section entirely. At the apache conf file, he added the following lines:
ProxyPass /files http://localhost:3020/files
ProxyPassReverse /files http://localhost:3020/files
And it worked.
This is pretty clearly a network issue which should be a definite mismatch between the data that is advertised in the HTTP Headers and the data transferred over the wire.
It could come from the following:
Server: If a server has a bug with certain modules that changes the content but don't update the content-length in the header or just doesn't work properly. It was the case for the Node HTTP Proxy at some point (see here)
Proxy: Any proxy between you and your server could be modifying the request and not update the content-length header.
This problem could also be the nginx docker container disk space. Just check and if full please clear the files.
Let me know if that helps.
Re-use then adapt (from companion.mywebsite.com to yourdomain.com) this working nginx configuration file :
( don't forget to change also ssl_certificate, ssl_certificate_key and ssl_dhparam )
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
server {
server_name companion.mywebsite.com;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
proxy_pass http://0.0.0.0:3020;
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/companion.mywebsite.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/companion.mywebsite.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = companion.mywebsite.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 default_server;
listen [::]:80 default_server;
server_name companion.mywebsite.com;
return 404; # managed by Certbot
}}
Then try again... if you get this error:
Nginx Error: The page you are looking for is temporarily unavailable. Please try again later.
Run:
setsebool -P httpd_can_network_connect 1
To fix permission then restart apache
I have a droplet on Digital Ocean, that I am using to host a site and an API for that site.
I would like:
https://example.com to serve the website
https://example.com/api to serve the API, running on port 3000.
Here's my /etc/nginx/nginx.conf file:
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/http-error.log;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server {
server_name example.com; # managed by Certbot
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
# SSL settings
ssl_certificate /path/to/file.pem; # managed by Certbot
ssl_certificate_key /path/to/file.pem; # managed by Certbot
include /path/to/file.conf; # managed by Certbot
ssl_dhparam /path/to/file.pem; # managed by Certbot
proxy_http_version 1.1;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
# Routes
location /api/ {
proxy_pass http://127.0.0.1:3000/;
}
location / {
root /usr/share/nginx/html;
}
error_page 404 /404.html;
location = /40x.html {}
error_page 500 502 503 504 /50x.html;
location = /50x.html {}
}
server {
if ($host = example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 ;
listen [::]:80 ;
server_name example.com;
return 404; # managed by Certbot
}
}
Serving the static html files works great, but the https://example.com/api/ returns a 502: Bad Gateway error. I don't understand what I am doing wrong... any help would be appreciated. Thank you.
Turns out my config was totally fine. I just need to enable networking on the Droplet. I used this post to do so. Thanks, everyone!
In short:
setsebool httpd_can_network_connect on
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://127.0.0.1:3000;
}
This normally does not disappoint me. Please try.
I had my website running but SSL was only working on non-www. After I reinstalled the let's encrypt SSL certificate the site crashed. I was able to make the front run but not the api.
I moved the site to a new droplet and installed Nginx, Pm2, and certbot with python on Ubuntu 18.04 with Nodejs.
The site is not loading and it is a bit frustrating. I think the issue was that certbot rewrited the ngix default file and I am not sure how to fix it.
This is the configuration I have on /etc/nginx/sites-available/default
upstream my_app {
server 127.0.0.1:3000;
}
server {
#listen 80;
listen [::]:80;
#listen 443 ssl;
#listen [::]:443 ssl;
if ($host = www.mysite.com) {
return 301 https://mysitehere$request_uri;
}
server_name roomies.es;
listen 443 ssl;
ssl on;
ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;
if ($ssl_protocol = "") {
rewrite ^ https://$server_name$request_uri? permanent;
}
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_pass https://mysite_app;
proxy_redirect off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location ~ /.well-known {
allow all;
}
}
```
I need the front to run on port 3000 and my api on port 4000.
Thanks in advance!
This is how I had to set up my NGINX configs after installing Let's Encrypt:
/etc/nginx/sites-enabled/default (which should be the same file as /etc/nginx/sites-available/default):
# Default server configuration
server {
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name example.com;
return 301 https://www.example.com$request_uri;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
To be clear, the return 301 is to ensure all non-www traffic is moved to the www version of the URL.
Remember to save your config on a notepad or something so you can quickly revert back to the original if this doesn't work.