I'm new in the web servers world. I want my site to serve HTTPS only (for both IPv4 & IPv6), so I implemented the following steps:
sudo certbot --nginx certonly -d maarath.com -d www.maarath.com
4. Manually configure my site configuration file in the etc/nginx/site-available/main like below:
server {
    listen 80;
    listen [::]:80;
    root /var/www/main/;
    index index.php index.html index.htm;
    # Make site accessible from http://localhost/
    server_name maarath.com www.maarath.com;
    location / {
        try_files $uri $uri/ =404;
    }
    # HTTPS
    listen 443 ssl;
    server_name maarath.com www.maarath.com;
    ssl_certificate /etc/letsencrypt/live/maarath.com/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/maarath.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    location ~ /\.ht {
    }
}
The issue is my site is still not secure after all the above steps. Did I miss something or do it wrong? Any help would be much appreciated.
As NullDev mentioned, I will just add the new working configuration file, hoping to help someone else:
server {
    listen 80;
    listen [::]:80;
    server_name maarath.com www.maarath.com;
    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}
server {
    # HTTPS
    listen 443 ssl;
    listen [::]:443 ssl;
    root /var/www/main/;
    index index.php index.html index.htm;
    server_name maarath.com www.maarath.com;
    ssl_certificate /etc/letsencrypt/live/maarath.com/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/maarath.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    location ~ /\.ht {
        deny all;
    }
}
First off, I believe your config is missing the second server { right under # HTTPS.
Just to get that right, your website https://maarath.com throws an SSL Error? Because from my perspective it works just fine. Or do you mean that http is not redirected to https?
If that's the case add
return 301 https://maarath.com$request_uri;
to your first server block, right above
server_name ...
This should automatically redirect all requests from http to https.
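The two gaps the answers address (port 80 answering without a redirect, and a TLS listener bound for only one address family) can be checked mechanically before reloading nginx. This is an added example, not code from the question or either answer: `server_blocks` and `audit` are hypothetical helper names, the sample configs are constructed abridgements of the two configs on this page, and it assumes TLS listeners are marked with the `ssl` parameter on `listen`.

```python
import re

def server_blocks(conf):
    """Return the body of each server { ... } block, found by brace matching."""
    conf = re.sub(r"#[^\n]*", "", conf)  # comments may contain braces
    bodies = []
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        bodies.append(conf[m.end():i - 1])
    return bodies

def audit(conf):
    """List (block number, gap) pairs that keep a site from being HTTPS-only."""
    findings = []
    for n, body in enumerate(server_blocks(conf), 1):
        plain = tls_v4 = tls_v6 = False
        for args in re.findall(r"\blisten\s+([^;]+);", body):
            addr, *flags = args.split()
            if "ssl" not in flags:
                plain = True          # cleartext listener (port 80 here)
            elif addr.startswith("["):
                tls_v6 = True         # e.g. listen [::]:443 ssl;
            else:
                tls_v4 = True         # e.g. listen 443 ssl;
        if plain and not re.search(r"\breturn\s+30[1278]\s+https://", body):
            findings.append((n, "HTTP listener serves content, no redirect to https"))
        if tls_v4 != tls_v6:
            findings.append((n, "TLS listener covers only one of IPv4/IPv6"))
    return findings

# Constructed samples, abridged from the two configs on this page.
BEFORE = """server {
    listen 80; listen [::]:80;
    location / { try_files $uri $uri/ =404; }
    listen 443 ssl;
}"""
AFTER = """server {
    listen 80; listen [::]:80;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl; listen [::]:443 ssl;
    location / { try_files $uri $uri/ =404; }
}"""
if __name__ == "__main__":
    print({"before": audit(BEFORE), "after": audit(AFTER)})
```

The question's single mixed block yields both findings; the split configuration with the redirect and `listen [::]:443 ssl;` yields none.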