After using certbot to leave an HTTP fallback, how can I force all traffic through HTTPS?


#1

Hey there! I set up Let’s Encrypt a while ago. I was given the choice of either forcing all traffic through HTTPS or allowing an HTTP fallback. At the time, I chose to allow an HTTP fallback. Now I’m ready to put all traffic through HTTPS. Usually I would use an nginx config like:

return 301 https://$host$request_uri;

But I believe the listen 443 ssl line in my nginx config which is managed by certbot is causing an infinite redirect loop. Advice?

Thanks a bunch in advance.


#2

Hi @deysu,

Could you please post the nginx conf for your domain?

If you have some include in your conf, please, post it too.

Cheers,
sahsanu


#3

Sure thing.
https://pastebin.com/YiFJVQjK


#4

Hi @deysu,

As you are using listen 80 and listen 443 in the same server block, you should use an if condition to redirect to https site only if the scheme is http to avoid those loops:

if ( $scheme = http )
{
  # $request_uri keeps the path and query string; $uri would drop the query
  return 301 https://$host$request_uri;
}

Your conf would look like this:

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        # Redirect only plain-HTTP requests. An unconditional "return 301" in this
        # block would also fire for the TLS listener below and loop forever.
        # $request_uri keeps the query string ($uri would drop it).
        if ( $scheme = http )
        {
            return 301 https://$host$request_uri;
        }

        index index.html index.htm index.php;
        server_name mysite.org www.mysite.org;

        client_max_body_size 20m;
        server_tokens off;

        location / {
                proxy_pass http://localhost:8080;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Host $host;
                proxy_cache_bypass $http_upgrade;
                proxy_set_header X-Forwarded-For $remote_addr;
        }

        # Security Configuration
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        # TODO: CSP config

        # TLS listener and settings written by certbot; leave them in this block
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/mysite.org/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/mysite.org/privkey.pem; # managed by Certbot
        ssl_session_cache shared:le_nginx_SSL:1m; # managed by Certbot
        ssl_session_timeout 1440m; # managed by Certbot

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # managed by Certbot
        ssl_prefer_server_ciphers on; # managed by Certbot

        ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA"; # managed by Certbot
}

Hope this helps.

Cheers,
sahsanu
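The reply above explains why an unconditional redirect in a server block that listens on both 80 and 443 loops, and why the `$scheme = http` guard fixes it. Below is an added example (not code from this thread or from certbot) of a small redirect-chain checker a practitioner can run after deploying such a change: it follows one hop at a time, refuses to loop, and confirms the final hop landed on https with the host, path and query string intact. The `fetch` argument is any callable that takes a URL and returns `(status, Location)`; `real_fetch` uses `http.client` against a live host, while the three simulated fetchers are constructed stand-ins for the unguarded config, the guarded config, and a guarded config built with `$uri` (which nginx sets without the query string). The hostname `mysite.org` is the placeholder used in the thread.

```python
"""Redirect-chain checker for an HTTP -> HTTPS cutover (added example)."""
import http.client
from urllib.parse import urlsplit, urlunsplit

MAX_HOPS = 5
REDIRECT_STATUSES = (301, 302, 307, 308)


def real_fetch(url, timeout=5):
    """HEAD one URL without following redirects; return (status, Location header)."""
    p = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(p.hostname, p.port, timeout=timeout)
    path = (p.path or "/") + ("?" + p.query if p.query else "")
    conn.request("HEAD", path, headers={"Host": p.hostname})
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location")


def follow(url, fetch, max_hops=MAX_HOPS):
    """Walk the redirect chain; return (final_url, hop_count).

    Raises RuntimeError if a URL repeats (a loop, which is exactly what the
    unguarded config produces) or if more than max_hops redirects occur.
    """
    seen = []
    current = url
    for _ in range(max_hops + 1):
        if current in seen:
            raise RuntimeError("redirect loop: " + " -> ".join(seen + [current]))
        seen.append(current)
        status, location = fetch(current)
        if status not in REDIRECT_STATUSES:
            return current, len(seen) - 1
        if not location:
            raise RuntimeError(f"{status} without Location at {current}")
        current = location
    raise RuntimeError(f"more than {max_hops} redirects: " + " -> ".join(seen))


def https_cutover_ok(start_url, fetch):
    """True iff start_url ends on https with the same host, path and query."""
    final, _ = follow(start_url, fetch)
    a, b = urlsplit(start_url), urlsplit(final)
    return (b.scheme == "https" and a.hostname == b.hostname
            and a.path == b.path and a.query == b.query)


# --- constructed, offline stand-ins for the nginx configs discussed above ---

def unguarded_server(url):
    """One block with listen 80 + listen 443 and an unconditional
    'return 301 https://$host$request_uri;': redirects on both schemes."""
    p = urlsplit(url)
    return 301, urlunsplit(("https", p.netloc, p.path, p.query, ""))


def guarded_server(url):
    """Same block with 'if ($scheme = http) { return 301 https://$host$request_uri; }'."""
    p = urlsplit(url)
    if p.scheme == "http":
        return 301, urlunsplit(("https", p.netloc, p.path, p.query, ""))
    return 200, None


def guarded_server_dropping_query(url):
    """Guarded, but built with $uri instead of $request_uri: query string lost."""
    p = urlsplit(url)
    if p.scheme == "http":
        return 301, urlunsplit(("https", p.netloc, p.path, "", ""))
    return 200, None


if __name__ == "__main__":
    print(follow("http://mysite.org/a?b=c", guarded_server))
    try:
        follow("http://mysite.org/", unguarded_server)
    except RuntimeError as err:
        print(err)
```

Against a live host, call `https_cutover_ok("http://yourhost/some/path?x=1", real_fetch)` from a machine that can reach it; a `RuntimeError` mentioning a loop means the redirect is still firing on the TLS listener. The simulated `unguarded_server` reproduces the loop the original poster hit, and `guarded_server_dropping_query` shows why `$request_uri` rather than `$uri` belongs in the `return 301`. Once every plain-HTTP request redirects cleanly, adding a `Strict-Transport-Security` header on the HTTPS responses stops returning browsers from making the HTTP request at all.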


#5

Thanks a bunch! Solved.
