 

NGINX Redirect to HTTPS only works after refresh

I want traffic to go to https://example.com. No www prefix is allowed and SSL is required.

The problem we are experiencing is that many (though not all) first-time visitors are not being redirected to HTTPS until they hit refresh.

Do you see anything in my config that would allow this behavior?

server {
    listen 80;
    listen 443 ssl;

    server_name www.example.com;

    return 301 https://example.com$request_uri;
}

server {
    listen 80;
    listen 443 ssl;

    server_name example.com;

    root /var/www/html/mm;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-Port 443;
    proxy_set_header Host $http_host;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

    client_max_body_size 200m;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
        index index.php index.html index.htm install.php;
        client_max_body_size 200m;
    }

    location ~ \.php$ {
        try_files $uri /index.php =404;
        #fastcgi_pass unix:/var/run/php-fpm/www.sock;
        fastcgi_pass   php-fpm;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_intercept_errors on;
        fastcgi_param PHP_VALUE "upload_max_filesize = 150M \n upload_max_filesize=151M";
        fastcgi_param PHP_VALUE "post_max_size = 150M \n post_max_size=151M";
        include fastcgi_params;
    }
}
Justin asked Oct 19 '25 15:10


1 Answer

As @PeeHaa mentioned, you are missing a redirect from http to https for www.example.com. Try this where I've rearranged the server blocks a bit to add an HSTS header to the www server and to address a potential security misconfig where http://www is directly redirected to https://(notwww) (per https://wiki.mozilla.org/Security/Guidelines/Web_Security#HTTP_Redirections):

# HTTP server (non-www) -- redirect to https://example.com
server {
    listen 80;
    server_name example.com;
    return 301 https://example.com$request_uri;
}

# HTTP server (www) -- redirect to https://www.example.com
server {
    listen 80;
    server_name www.example.com;
    return 301 https://www.example.com$request_uri;
}

# HTTPS server (www) -- redirect to https://example.com -- Add HSTS header
server {
    listen 443 ssl;
    server_name www.example.com;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    return 301 https://example.com$request_uri;
}

# HTTPS server (non-www) -- port 80 for example.com is handled by the redirect block above
server {
    listen 443 ssl;

    server_name example.com;

    root /var/www/html/mm;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-Port 443;
    proxy_set_header Host $http_host;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

    client_max_body_size 200m;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
        index index.php index.html index.htm install.php;
        client_max_body_size 200m;
    }

    location ~ \.php$ {
        try_files $uri /index.php =404;
        #fastcgi_pass unix:/var/run/php-fpm/www.sock;
        fastcgi_pass   php-fpm;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_intercept_errors on;
        fastcgi_param PHP_VALUE "upload_max_filesize = 150M \n upload_max_filesize=151M";
        fastcgi_param PHP_VALUE "post_max_size = 150M \n post_max_size=151M";
        include fastcgi_params;
    }
}
Anand Bhat answered Oct 22 '25 05:10
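A way to check a recorded redirect chain against the rule the answer cites (upgrade to HTTPS on the same host first, then change host, with HSTS on every HTTPS response). This is an added example, not part of the original question or answer; `audit_chain` is a hypothetical helper and the hop lists are constructed to mirror what the two configs on this page would return.

```python
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 307, 308)

def audit_chain(hops):
    """hops: list of (url, status, headers) in the order a client saw them.
    Returns a list of findings; an empty list means the chain is clean."""
    findings = []
    for url, status, headers in hops:
        u = urlsplit(url)
        hdrs = {k.lower(): v for k, v in headers.items()}
        hsts = "strict-transport-security" in hdrs
        if u.scheme == "http":
            if hsts:  # RFC 6797: browsers ignore HSTS received over plain HTTP
                findings.append(f"{url}: HSTS header over HTTP is ignored")
            if status not in REDIRECTS:
                findings.append(f"{url}: served over HTTP, no redirect ({status})")
                continue
            target = urlsplit(hdrs.get("location", ""))
            if target.scheme != "https":
                findings.append(f"{url}: redirect target is not HTTPS")
            elif target.hostname != u.hostname:
                findings.append(f"{url}: jumps to {target.hostname} before "
                                f"upgrading {u.hostname} to HTTPS")
        elif not hsts:
            findings.append(f"{url}: HTTPS response without HSTS")
    return findings

HSTS = {"Strict-Transport-Security":
        "max-age=63072000; includeSubDomains; preload"}

# Constructed hops: the question's config, apex and www entry points.
QUESTION_APEX = [("http://example.com/", 200, HSTS)]
QUESTION_WWW = [
    ("http://www.example.com/", 301, {"Location": "https://example.com/"}),
    ("https://example.com/", 200, HSTS),
]
# Constructed hops: the answer's config, www entry point.
ANSWER_WWW = [
    ("http://www.example.com/", 301, {"Location": "https://www.example.com/"}),
    ("https://www.example.com/", 301, {"Location": "https://example.com/", **HSTS}),
    ("https://example.com/", 200, HSTS),
]

if __name__ == "__main__":
    for name in ("QUESTION_APEX", "QUESTION_WWW", "ANSWER_WWW"):
        print(name, audit_chain(globals()[name]) or "clean")
```

To audit a live site, build the hop list from the status line and headers of each response in the chain instead of the constructed samples.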


