I want traffic to go to https://example.com. No www prefix is allowed and SSL is required.
The problem we are experiencing is that many (though not all) first time visitors are not being redirected to HTTPS until they hit refresh.
Do you see anything in my config that would allow this behavior?
server {
    listen 80;
    listen 443 ssl;
    server_name www.example.com;
    return 301 https://example.com$request_uri;
}
server {
    listen 80;
    listen 443 ssl;
    server_name example.com;
    root /var/www/html/mm;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-Port 443;
    proxy_set_header Host $http_host;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    client_max_body_size 200m;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
        index index.php index.html index.htm install.php;
        client_max_body_size 200m;
    }
    location ~ \.php$ {
        try_files $uri /index.php =404;
        #fastcgi_pass unix:/var/run/php-fpm/www.sock;
        fastcgi_pass php-fpm;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_intercept_errors on;
        fastcgi_param PHP_VALUE "upload_max_filesize = 150M \n upload_max_filesize=151M";
        fastcgi_param PHP_VALUE "post_max_size = 150M \n post_max_size=151M";
        include fastcgi_params;
    }
}
As @PeeHaa mentioned, you are missing a redirect from http to https for www.example.com. Try this where I've rearranged the server blocks a bit to add an HSTS header to the www server and to address a potential security misconfig where http://www is directly redirected to https://(notwww) (per https://wiki.mozilla.org/Security/Guidelines/Web_Security#HTTP_Redirections):
# HTTP server (non-www) -- redirect to https://example.com
server {
    listen 80;
    server_name example.com;
    return 301 https://example.com$request_uri;
}
# HTTP server (www) -- redirect to https://www.example.com
server {
    listen 80;
    server_name www.example.com;
    return 301 https://www.example.com$request_uri;
}
# HTTPS server (www) -- redirect to https://example.com -- Add HSTS header
server {
    listen 443 ssl;
    server_name www.example.com;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    return 301 https://example.com$request_uri;
}
# HTTPS server (non-www)
server {
    # Port 80 for example.com is handled by the redirect server above;
    # listening on it here as well would conflict with that block.
    listen 443 ssl;
    server_name example.com;
    root /var/www/html/mm;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-Port 443;
    proxy_set_header Host $http_host;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    client_max_body_size 200m;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
        index index.php index.html index.htm install.php;
        client_max_body_size 200m;
    }
    location ~ \.php$ {
        try_files $uri /index.php =404;
        #fastcgi_pass unix:/var/run/php-fpm/www.sock;
        fastcgi_pass php-fpm;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_intercept_errors on;
        fastcgi_param PHP_VALUE "upload_max_filesize = 150M \n upload_max_filesize=151M";
        fastcgi_param PHP_VALUE "post_max_size = 150M \n post_max_size=151M";
        include fastcgi_params;
    }
}
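A way to check the redirect policy of the two configs above, as an added example that is not part of the original question or answer. The response tables are constructed by hand from what each config would return (not captured from a server), and the names audit and origin are hypothetical helpers.

```python
from urllib.parse import urlsplit

HSTS = "max-age=63072000; includeSubDomains; preload"
# Constructed responses (not captured from a server), keyed by origin:
# (status, Location, Strict-Transport-Security), as each config would answer.
QUESTION = {
    "http://www.example.com": (301, "https://example.com/", None),
    "https://www.example.com": (301, "https://example.com/", None),
    "http://example.com": (200, None, HSTS),  # port 80 serves the site itself
    "https://example.com": (200, None, HSTS),
}
ANSWER = {
    "http://example.com": (301, "https://example.com/", None),
    "http://www.example.com": (301, "https://www.example.com/", None),
    "https://www.example.com": (301, "https://example.com/", HSTS),
    "https://example.com": (200, None, HSTS),
}

def origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.hostname}"

def audit(responses, start, canonical="https://example.com", max_hops=5):
    """Follow redirects from `start`; return a list of policy findings."""
    findings, url = [], start
    for _ in range(max_hops):
        status, location, hsts = responses[origin(url)]
        src = urlsplit(url)
        if src.scheme == "http":
            if location is None:  # browsers ignore HSTS sent over plain HTTP
                findings.append(f"{origin(url)}: answered over plain HTTP with status {status}")
                return findings
            dst = urlsplit(location)
            if dst.scheme != "https":
                findings.append(f"{origin(url)}: redirect does not upgrade to HTTPS")
            elif dst.hostname != src.hostname:
                findings.append(f"{origin(url)}: first hop leaves the host, so {src.hostname} never sets HSTS")
        else:
            if not hsts:
                findings.append(f"{origin(url)}: HTTPS response without HSTS header")
            if location is None:
                if origin(url) != canonical:
                    findings.append(f"{origin(url)}: chain ends off the canonical origin")
                return findings
        url = location
    findings.append(f"{start}: more than {max_hops} hops")
    return findings

if __name__ == "__main__":
    for name, cfg in (("question", QUESTION), ("answer", ANSWER)):
        for start in sorted(cfg):
            print(name, start, audit(cfg, start) or "ok")
```

To run the same checks against a live deployment, replace the lookup table with real responses fetched with redirects disabled.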