Crontab HS Made Docker Image Certificate renewal Nginx reload

I want to use GitHub - hsmade/certbot-dns-transip: Certbot plugin to authenticate using dns TXT records via Transip API, i.e. the Certbot DNS TransIP plugin. I have renewed successfully using the command:

docker run -ti --rm \
    -v "/etc/letsencrypt:/etc/letsencrypt" \
    -w /etc/letsencrypt \
    hsmade/certbot-transip \
    certonly -n \
    -d '*.site.com' -d 'site.com' \
    -a dns-transip \
    --dns-transip-credentials /etc/letsencrypt/transip.ini \
    --dns-transip-propagation-seconds 240 \
    -m admin@site.com \
    --agree-tos \
    --eff-email

Now I am working on the shell script to run in crontab as the root user. I wonder about the post-renewal reload of the Nginx server.

My domain is: smart48.com

I want to run this shell script for renewal via crontab as root once a day at 5 am:

#!/bin/bash

# Log file location
LOG_FILE="/var/log/letsencrypt/renew.log"

# Run the Docker command to renew certificates.
# No -t/-i here: cron provides no TTY, and "docker run -ti" would abort with
# "the input device is not a TTY" before certbot even starts.
docker run --rm \
    -v "/etc/letsencrypt:/etc/letsencrypt" \
    -w /etc/letsencrypt \
    hsmade/certbot-transip \
    certonly -n \
    -d '*.smart48.com' -d 'smart48.com' \
    -a dns-transip \
    --dns-transip-credentials /etc/letsencrypt/transip.ini \
    --dns-transip-propagation-seconds 240 \
    -m admin@site.com \
    --agree-tos \
    --eff-email >> "$LOG_FILE" 2>&1

# Check the exit code of the Docker command
if [ $? -eq 0 ]; then
    echo "[$(date)] Certificate renewal successful. Reloading Nginx..." >> "$LOG_FILE"
    # Use systemctl reload command
    systemctl reload nginx >> "$LOG_FILE" 2>&1
else
    echo "[$(date)] Certificate renewal failed. Check the logs for more details." >> "$LOG_FILE"
    # Collect additional system info
    echo -e "\nSystem Info:" >> "$LOG_FILE"
    uname -a >> "$LOG_FILE"
    df -h >> "$LOG_FILE"
    free -m >> "$LOG_FILE"

    # Send an email notification on failure with detailed information
    SUBJECT="Certbot Renewal Failed for smart48.com"
    EMAIL="admin@smart48.com"
    BODY="The automatic renewal of the SSL certificate for smart48.com has failed.\n\nLog Details:\n$(cat "$LOG_FILE")"
    echo -e "$BODY" | mail -s "$SUBJECT" "$EMAIL"
fi

Is this a good idea this way? Does this if [ $? -eq 0 ]; then work just as well as a

0 5 * * * /usr/bin/certbot renew --quiet --post-hook "systemctl reload nginx"

?

More details:

My web server is (include version):

nginx -V
nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 3.0.2 15 Mar 2022
TLS SNI support enabled

The operating system my web server runs on is (include version):

uname -a
Linux smt-prod-w1 5.15.0-84-generic #93-Ubuntu 
SMP Tue Sep 5 17:16:10 UTC 2023 
x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is:
TransIP
I can login to a root shell on my machine (yes or no, or I don't know): I can ssh in as sudo capable user and switch to root

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot --version
certbot 2.11.0

But I run the Docker image by HS Made: GitHub - hsmade/certbot-dns-transip: Certbot plugin to authenticate using dns TXT records via Transip API

Personally I would not rely on the exit-code from that docker command running certbot/certonly using a DNS challenge plug-in.

Mainly because the exit-code is not defined in the Certbot docs for certonly. And, I wouldn't want to rely on problems in the plug-in populating exit-code as you expect.

I would just do an nginx reload daily always. And, find some other way to test the validity of the cert.

Other volunteers may feel differently.

Another comment is that certbot/certonly isn't the same as a "renew" command. When I run a similar command I get prompted for what to do (below). It takes some care to use certonly like that hands-free. I'm not sure what happens inside a container. Perhaps Certbot detects the lack of a console and behaves differently - not sure.

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Thanks for the feedback @MikeMcQ .

Did not know about the exit code not being defined in the certonly docs:

Mainly because the exit-code is not defined in the Certbot docs for certonly. And, I wouldn't want to rely on problems in the plug-in populating exit-code as you expect.

And I would also prefer the Certbot plugin to email me when issues occur.

I agree I could just do a cron job to run the Docker command and then reload Nginx daily too. Should work. Or I add it to:

root@smt-prod-w1:/etc/letsencrypt/renewal# cat smart48.com.conf
# renew_before_expiry = 30 days
version = 2.1.0
archive_dir = /etc/letsencrypt/archive/smart48.com
cert = /etc/letsencrypt/live/smart48.com/cert.pem
privkey = /etc/letsencrypt/live/smart48.com/privkey.pem
chain = /etc/letsencrypt/live/smart48.com/chain.pem
fullchain = /etc/letsencrypt/live/smart48.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = xxxxxxxxxxxxxxxxxxxxxxx
authenticator = dns-transip
dns_transip_propagation_seconds = 240
dns_transip_credentials = /etc/letsencrypt/transip.ini
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa

Read somewhere I could tell it to reload nginx here too. But not sure how anymore and whether that would work with me using this Docker setup.

Whether I want to use certbot/certonly or certbot/renew I am not sure of yet. Thought that for renewals of the certificate certonly would do, but it has been a while since I worked with LE SSL at this level.

Update

For now I have done this setup:

I added

0 4 * * * /usr/local/bin/certbot-renew-transip.sh >> /var/log/letsencrypt/renew.log 2>&1

via user ploi

0 5 * * * systemctl reload nginx 

via user ploi

And the initial shell script has:

ploi@smt-prod-w1:~/smart48.com/current$ sudo cat /usr/local/bin/certbot-renew-transip.sh
#!/bin/bash

# Log file location
LOG_FILE="/var/log/letsencrypt/renew.log"

# Run the Docker command to renew certificates.
# No -t/-i: cron provides no TTY, so "docker run -ti" would fail with
# "the input device is not a TTY".
docker run --rm \
    -v "/etc/letsencrypt:/etc/letsencrypt" \
    -w /etc/letsencrypt \
    hsmade/certbot-transip \
    certonly -n \
    -d '*.smart48.com' -d 'smart48.com' \
    -a dns-transip \
    --dns-transip-credentials /etc/letsencrypt/transip.ini \
    --dns-transip-propagation-seconds 240 \
    -m admin@smart48.com \
    --agree-tos \
    --eff-email >> "$LOG_FILE" 2>&1

And in visudo I added

ploi ALL = NOPASSWD: /bin/systemctl reload nginx

You should avoid using the 0 minute for Certbot requests. From the LE FAQ:

We ask that ACME clients perform routine renewals at random times to avoid spikes in traffic at set times of the day, such as exactly midnight UTC, or the first second of each hour or minute. When the service is too busy, clients will be asked to try again later, so randomizing renewal times can help avoid unnecessary retries.

See: FAQ - Let's Encrypt


Will use

7 4 * * * via user ploi

with 7 minutes past 4 am this way then. Thanks for the heads up on that one @MikeMcQ. Did not know about that.


Are renewal hooks not viable to restart nginx here?


Did just try a dry run using a post hook @linkp, but it seems to fail:

docker run -ti --rm \
    -v "/etc/letsencrypt:/etc/letsencrypt" \
    -w /etc/letsencrypt \
    hsmade/certbot-transip \
    certonly -n --dry-run \
    -d '*.smart48.com' -d 'smart48.com' \
    -a dns-transip \
    --dns-transip-credentials /etc/letsencrypt/transip.ini \
    --dns-transip-propagation-seconds 240 \
    -m admin@domain.com \
    --agree-tos \
    --eff-email \
    --post-hook "nginx -s reload"

It stated:

Unable to find post-hook command nginx in the PATH.
(PATH is /usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/certbot-log-lkjjcwsr/log or re-run Certbot with -v for more details.

And that is probably because the image looks for Nginx in the container and not on the host system. And the host system's Nginx needs to reload.

Thought of using the hook in /etc/letsencrypt/renewal/example.com.conf on the host Ubuntu system:

...
[renewalparams]
...
renew_hook = systemctl reload nginx
...

But the Docker image won't be able to read that either.

The docker image with certbot is using DNS challenge.
That means it doesn't need to use a web server.
To me, that could mean it doesn't even have a web server.

Where is the nginx [that uses the cert and needs to be reloaded] installed?
[in that docker image? in another docker image? in the host system?]


The Nginx server is on the host system.

Then it's not likely to be controlled by anything outside that host.
[nor from inside a docker image]

I would recommend that you schedule a reload periodically [on the host].
Somewhere between every 10 minutes to every 10 days.

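A host-side renewal wrapper that follows the advice in this thread (no reliance on certbot's exit status, no hook inside the container, a randomised start minute), written as an added example and not the poster's script or the plugin's own code: it fingerprints fullchain.pem before and after the container run and reloads the host Nginx only when the file actually changed, after nginx -t passes. The domain, paths and image flags are taken from the thread; the "run" argument guard on the last line is an assumption of this example so the functions can be loaded for testing without starting Docker.

```shell
#!/bin/bash
# Cron-driven renewal wrapper for the hsmade/certbot-transip image.
# Added example, not the poster's script or the plugin's own code.
set -u

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/smart48.com}"
LOG_FILE="${LOG_FILE:-/var/log/letsencrypt/renew.log}"
CERT_FILE="$LIVE_DIR/fullchain.pem"

log() { printf '[%s] %s\n' "$(date '+%F %T')" "$*" >> "$LOG_FILE"; }

# SHA-256 of a file, or an empty string if it does not exist / is unreadable.
cert_fingerprint() {
    [ -r "$1" ] || return 0
    sha256sum "$1" | cut -d' ' -f1
}

# Decide whether nginx must be reloaded. Succeeds only when a certificate
# file exists after the run and differs from what was there before, so an
# unchanged cert (not yet due) or a failed run never triggers a reload.
needs_reload() {
    before="$1"; after="$2"
    [ -n "$after" ] && [ "$before" != "$after" ]
}

# Run certbot in the container. No -t/-i: cron has no TTY and docker would
# refuse to start with "the input device is not a TTY". The exit status is
# logged but, as noted above in the thread, not used as the reload trigger.
run_renewal() {
    docker run --rm \
        -v "/etc/letsencrypt:/etc/letsencrypt" \
        -w /etc/letsencrypt \
        hsmade/certbot-transip \
        certonly -n \
        -d '*.smart48.com' -d 'smart48.com' \
        -a dns-transip \
        --dns-transip-credentials /etc/letsencrypt/transip.ini \
        --dns-transip-propagation-seconds 240 \
        -m admin@smart48.com \
        --agree-tos \
        --eff-email
}

# Reload the host nginx only if its configuration still passes the syntax check,
# so a broken config never takes the running server down.
reload_nginx() {
    nginx -t >> "$LOG_FILE" 2>&1 && systemctl reload nginx >> "$LOG_FILE" 2>&1
}

main() {
    # Random delay of up to 10 minutes, per the Let's Encrypt FAQ on spreading
    # renewal traffic (POSIX-safe replacement for bash's $RANDOM).
    sleep $(( $(od -An -N2 -tu2 /dev/urandom) % 600 ))

    before=$(cert_fingerprint "$CERT_FILE")
    if run_renewal >> "$LOG_FILE" 2>&1; then
        log "certbot exited 0"
    else
        log "certbot exited non-zero; see $LOG_FILE"
    fi
    after=$(cert_fingerprint "$CERT_FILE")

    if needs_reload "$before" "$after"; then
        log "certificate changed ($before -> $after); reloading nginx"
        reload_nginx || log "nginx reload FAILED; old certificate still served"
    else
        log "certificate unchanged; no reload"
    fi
}

# Only act when invoked as 'certbot-renew-transip.sh run' from cron (assumed
# convention of this example); otherwise just define the functions above.
if [ "${1:-}" = "run" ]; then
    main
fi
```

With this in place a daily cron entry such as `7 4 * * * /usr/local/bin/certbot-renew-transip.sh run` covers both renewal and the conditional reload, and the log shows whether the reload happened and why.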

Thanks @rg305. Agreed. I set up a cron job for reloading Nginx every day at 5 AM:

0 5 * * * sudo systemctl reload nginx

via the web user ploi. Also made sure the command can be run without a password using this line in visudo:

ploi ALL = NOPASSWD: /bin/systemctl reload nginx

Then all that's left to do is:

  • confirm the certbot image executes properly [without --dry-run]
    [you might want to run certbot certificates (before and after to compare)]

  • confirm the cron job reloads nginx daily
    [you can check the nginx PID in use (on two separate days)]


I checked the logs, as the crontab entry for the Docker command was at 4 am. I did see this in the logs:

root@smt-prod-w1:/etc/letsencrypt/live# cat /var/log/letsencrypt/letsencrypt.log
2024-09-21 04:30:03,921:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2024-09-21 04:30:04,488:DEBUG:certbot._internal.main:certbot version: 2.11.0
2024-09-21 04:30:04,488:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/3834/bin/certbot
2024-09-21 04:30:04,488:DEBUG:certbot._internal.main:Arguments: ['--preconfigured-renewal']
2024-09-21 04:30:04,488:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-09-21 04:30:04,542:DEBUG:certbot._internal.log:Root logging level set at 30
2024-09-21 04:30:04,544:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/smart48.com.conf
2024-09-21 04:30:04,576:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2024-09-21 04:30:04,610:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): e6.o.lencr.org:80
2024-09-21 04:30:04,637:DEBUG:urllib3.connectionpool:http://e6.o.lencr.org:80 "POST / HTTP/1.1" 200 345
2024-09-21 04:30:04,638:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/smart48.com/cert1.pem is signed by the certificate's issuer.
2024-09-21 04:30:04,649:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/smart48.com/cert1.pem is: OCSPCertStatus.GOOD
2024-09-21 04:30:04,655:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal
2024-09-21 04:30:04,656:DEBUG:certbot._internal.plugins.selection:Requested authenticator dns-transip and installer None
2024-09-21 04:30:04,656:DEBUG:certbot._internal.display.obj:Notifying user:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-09-21 04:30:04,656:DEBUG:certbot._internal.display.obj:Notifying user: The following certificates are not due for renewal yet:
2024-09-21 04:30:04,656:DEBUG:certbot._internal.display.obj:Notifying user:   /etc/letsencrypt/live/smart48.com/fullchain.pem expires on 2024-12-18 (skipped)
2024-09-21 04:30:04,656:DEBUG:certbot._internal.display.obj:Notifying user: No renewals were attempted.
2024-09-21 04:30:04,656:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-09-21 04:30:04,657:DEBUG:certbot._internal.renewal:no renewal failures

So that seems to have gone well. Did read this in the Certbot logs sent by Docker:

2024-09-21 04:30:04,656:DEBUG:certbot._internal.display.obj:Notifying user: No renewals were attempted.
2024-09-21 04:30:04,656:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Did not get an email however. Not sure why.

The Nginx logs showed:

cat /var/log/nginx/error.log
2024/09/21 01:25:47 [crit] 1103694#1103694: *11159 SSL_do_handshake() failed (SSL: error:0A00006C:SSL routines::bad key share) while SSL handshaking, client: 138.68.183.12, server: 0.0.0.0:443
2024/09/21 03:47:23 [crit] 1103694#1103694: *11496 SSL_do_handshake() failed (SSL: error:0A00006C:SSL routines::bad key share) while SSL handshaking, client: 138.68.179.149, server: 0.0.0.0:443
2024/09/21 03:54:32 [crit] 1103694#1103694: *11510 SSL_do_handshake() failed (SSL: error:0A00006C:SSL routines::bad key share) while SSL handshaking, client: 2620:96:e000::cb, server: [::]:443
2024/09/21 05:00:01 [warn] 1154998#1154998: conflicting server name ".smart48.com" on 0.0.0.0:80, ignored
2024/09/21 05:00:01 [warn] 1154998#1154998: conflicting server name ".smart48.com" on [::]:80, ignored
2024/09/21 05:00:01 [notice] 1154998#1154998: signal process started

So it did restart ("signal process started"). The SSL handshaking issue I am not clear on. And the other warnings I have thus far ignored.

certbot doesn't [normally] send emails.

What shows?:
nginx -t
and then upload
nginx -T


There are sometimes faulty bots which fail their handshake. The 3rd one, the IPv6 address, belongs to Censys which is a "friendly" scanner that inventories status of "things" across the internet. Their database is often used by security researchers and such. Probably an intentional scan looking for systems that tolerate malformed or obsolete types of connections. See Censys page: https://support.censys.io/hc/en-us/articles/25692846962708-Censys-Internet-Scanning-Introduction

In short, don't worry about those unless you suffer failures connecting.

nginx -t
nginx: [warn] conflicting server name ".smart48.com" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name ".smart48.com" on [::]:80, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

and

nginx -T
nginx: [warn] conflicting server name ".smart48.com" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name ".smart48.com" on [::]:80, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user ploi;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
	worker_connections 768;
	multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	types_hash_max_size 2048;
	server_tokens off;

	server_names_hash_bucket_size 128;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
	include /home/ploi/smart48.com/shared/storage/tls/sites.d/*.conf;
}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
#
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}
# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip2.conf:
load_module modules/ngx_http_geoip2_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/modules-enabled/70-mod-stream-geoip2.conf:
load_module modules/ngx_stream_geoip2_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/font-woff2                woff2;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/conf.d/cloudflare.conf:
# Set Cloudflare IP addresses, this file has been added from Ploi
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;

real_ip_header X-Forwarded-For;
# configuration file /etc/nginx/conf.d/fastcgi-max-excecution-time.conf:
fastcgi_read_timeout 300;
# configuration file /etc/nginx/conf.d/gzip.conf:
gzip_comp_level 5;
gzip_min_length 256;
gzip_proxied any;
gzip_vary on;
gzip_types application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component;

# configuration file /etc/nginx/conf.d/media.conf:
# ----------------------------------------------------------------------
# | Cache expiration                                                   |
# ----------------------------------------------------------------------

# Serve resources with far-future expiration date.
#
# (!) If you don't control versioning with filename-based cache busting, you
# should consider lowering the cache times to something like one week.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expires
# https://nginx.org/en/docs/http/ngx_http_headers_module.html#expires

map $sent_http_content_type $expires {
  default                                 1M;

  # No content
  ""                                      off;

  # CSS
  ~*text/css                              1y;

  # Data interchange
  ~*application/atom\+xml                 1h;
  ~*application/rdf\+xml                  1h;
  ~*application/rss\+xml                  1h;

  ~*application/json                      0;
  ~*application/ld\+json                  0;
  ~*application/schema\+json              0;
  ~*application/geo\+json                 0;
  ~*application/xml                       0;
  ~*text/calendar                         0;
  ~*text/xml                              0;

  # Favicon (cannot be renamed!) and cursor images
  ~*image/vnd.microsoft.icon              1w;
  ~*image/x-icon                          1w;

  # HTML
  ~*text/html                             0;

  # JavaScript
  ~*application/javascript                1y;
  ~*application/x-javascript              1y;
  ~*text/javascript                       1y;

  # Manifest files
  ~*application/manifest\+json            1w;
  ~*application/x-web-app-manifest\+json  0;
  ~*text/cache-manifest                   0;

  # Markdown
  ~*text/markdown                         0;

  # Media files
  ~*audio/                                1M;
  ~*image/                                1y;
  ~*video/                                1M;

  # WebAssembly
  ~*application/wasm                      1y;

  # Web fonts
  ~*font/                                 1y;
  ~*application/vnd.ms-fontobject         1y;
  ~*application/x-font-ttf                1y;
  ~*application/x-font-woff               1y;
  ~*application/font-woff                 1y;
  ~*application/font-woff2                1y;

  # Other
  ~*text/x-cross-domain-policy            1w;
}

expires $expires;

# configuration file /etc/nginx/conf.d/upload.conf:
client_max_body_size 1024M;

# configuration file /etc/nginx/sites-enabled/catch-all:
server { return 404; }
# configuration file /etc/nginx/sites-enabled/default:
server {
    server_name _;
    listen       80  default_server;
    return       404;
}

server {
    listen 443 ssl;
    server_name _;
    ssl_certificate /etc/nginx/ploi/default/nginx.crt;
    ssl_certificate_key /etc/nginx/ploi/default/nginx.key;
    return       404;
}
# configuration file /etc/nginx/sites-enabled/smart48.com:
# Ploi Webserver Configuration, do not remove!
include /etc/nginx/ploi/smart48.com/before/*;

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name .smart48.com;
    root /home/ploi/smart48.com/current/public;

    # Use the Let's Encrypt certificates
    ssl_certificate /etc/letsencrypt/live/smart48.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/smart48.com/privkey.pem;
    # ssl_certificate /etc/nginx/ssl/certificates/smart48.com.crt;
    # ssl_certificate_key /etc/nginx/ssl/certificates/smart48.com.key;

    client_max_body_size 1024M;

    # include /etc/nginx/ssl/smart48.com;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    index index.php index.html;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";
    add_header X-Content-Type-Options "application/json";
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    charset utf-8;

    # Ploi Configuration, do not remove!
    include /etc/nginx/ploi/smart48.com/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    access_log off;
    error_log  /var/log/nginx/smart48.com-error.log error;

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    error_page 404 /index.php;

    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
        fastcgi_buffers 16 16k;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        include fastcgi_params;
        fastcgi_read_timeout 300;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }

    #Bugsnag crossorigin
    location ~ \.js {
      add_header Access-Control-Allow-Origin "*";
    }

    #modulesettings remove cache
    location /modulesettings/ {
	expires 0;
    }
}

# Ploi Webserver Configuration, do not remove!
include /etc/nginx/ploi/smart48.com/after/*;
# configuration file /etc/nginx/ploi/smart48.com/before/redirect.conf:
# Redirect To Primary Domain...
server {
    listen 80;
    listen [::]:80;
    server_name .smart48.com;
    return 301  https://$host$request_uri;
}
# configuration file /etc/nginx/ploi/smart48.com/before/ssl-redirect.conf:
# Redirect every request to HTTPS...
server {
     listen 80;
     listen [::]:80;
     server_name .smart48.com;
     return 301 https://$host$request_uri;
}

# Redirect SSL to primary domain SSL...
server {
     listen 443 ssl http2;
     listen [::]:443 ssl http2;

     ssl_certificate /etc/nginx/ssl/certificates/smart48.com.crt;
     ssl_certificate_key /etc/nginx/ssl/certificates/smart48.com.key;

     server_name www.smart48.com;
     return 301 https://smart48.com$request_uri;
}
# configuration file /etc/nginx/ploi/smart48.com/server/disable-basic-auth-well-known.conf:
# This location allows the SSL requests and renewals by Certbot & Let's Encrypt to go through.
# If you're not comfortable with this setting, you may remove this file and restart NGINX.
location /.well-known/acme-challenge/ {
    auth_basic off;
}
# configuration file /etc/nginx/fastcgi_params:

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  REMOTE_USER        $remote_user;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

# configuration file /etc/nginx/sites-enabled/smart48go.com:
# Ploi Webserver Configuration, do not remove!
include /etc/nginx/ploi/smart48go.com/before/*;

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name .smart48go.com;
    server_tokens off;
    root /home/ploi/smart48.com/current/public;

    ssl_certificate /etc/nginx/ssl/certificates/smart48go.com.crt;
    ssl_certificate_key /etc/nginx/ssl/certificates/smart48go.com.key;

    # include /etc/nginx/ssl/smart48go.com;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    index index.php index.html;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    charset utf-8;

    # Ploi Configuration, do not remove!
    include /etc/nginx/ploi/smart48go.com/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    access_log off;
    error_log  /var/log/nginx/smart48go.com-error.log error;

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    error_page 404 /index.php;

    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
        fastcgi_buffers 16 16k;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }

    #Bugsnag crossorigin
    location ~ \.js {
      add_header Access-Control-Allow-Origin "*";
    }

    #modulesettings remove cache
    location /modulesettings/ {
	expires 0;
    }
}

# Ploi Webserver Configuration, do not remove!
include /etc/nginx/ploi/smart48go.com/after/*;
# configuration file /etc/nginx/ploi/smart48go.com/before/redirect.conf:
# Redirect HTTP to HTTPS for all domains and subdomains
server {
    listen 80;
    listen [::]:80;
    server_name .smart48go.com;

    return 301 https://$host$request_uri;
}

# Redirect To Primary Domain...
server {
    listen 80;
    listen [::]:80;
    server_name www.smart48go.com;
    return 301 $scheme://smart48go.com$request_uri;
}
# configuration file /etc/nginx/ploi/smart48go.com/server/disable-basic-auth-well-known.conf:
# This location allows the SSL requests and renewals by Certbot & Let's Encrypt to go through.
# If you're not comfortable with this setting, you may remove this file and restart NGINX.
location /.well-known/acme-challenge/ {
    auth_basic off;
}
# configuration file /home/ploi/smart48.com/shared/storage/tls/sites.d/cafejpcoen.nl.conf:
server {
    listen 80;
    listen [::]:80;
    server_name cafejpcoen.nl www.cafejpcoen.nl;

    location /.well-known/acme-challenge {
        default_type "text/plain";
        alias /home/ploi/smart48.com/shared/storage/tls/challenges/cafejpcoen.nl;
    }

    # Redirect to HTTPS version
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cafejpcoen.nl www.cafejpcoen.nl;
    root /home/ploi/smart48.com/current/public;

    ssl_certificate     /home/ploi/smart48.com/shared/storage/tls/le-storage/1327c597/rsa/certificate-fullchained.crt;
    ssl_certificate_key /home/ploi/smart48.com/shared/storage/tls/le-storage/1327c597/rsa/private.pem;

    # Improve HTTPS performance with session resumption
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    # Enable server-side protection against BEAST attacks
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:HIGH:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!SEED:!DSS:!CAMELLIA;

    # Disable SSLv3
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Diffie-Hellman parameter for DHE ciphersuites
    # $ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # Enable HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;

    # Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /home/ploi/smart48.com/shared/storage/tls/le-storage/1327c597/rsa/certificate-fullchained.crt;

    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/cafejpcoen.nl-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        include fastcgi_params;
    }
}

# configuration file /home/ploi/smart48.com/shared/storage/tls/sites.d/imagewize.com.conf:
server {
    listen 80;
    listen [::]:80;
    server_name imagewize.com www.imagewize.com;

    location /.well-known/acme-challenge {
        default_type "text/plain";
        alias /home/ploi/smart48.com/shared/storage/tls/challenges/imagewize.com;
    }

    # Redirect to HTTPS version
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name imagewize.com www.imagewize.com;
    root /home/ploi/smart48.com/current/public;

    ssl_certificate     /home/ploi/smart48.com/shared/storage/tls/le-storage/2dd406e7/rsa/certificate-fullchained.crt;
    ssl_certificate_key /home/ploi/smart48.com/shared/storage/tls/le-storage/2dd406e7/rsa/private.pem;

    # Improve HTTPS performance with session resumption
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    # Enable server-side protection against BEAST attacks
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:HIGH:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!SEED:!DSS:!CAMELLIA;

    # Disable SSLv3
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Diffie-Hellman parameter for DHE ciphersuites
    # $ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # Enable HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;

    # Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /home/ploi/smart48.com/shared/storage/tls/le-storage/2dd406e7/rsa/certificate-fullchained.crt;

    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/imagewize.com-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        include fastcgi_params;
    }
}

# configuration file /home/ploi/smart48.com/shared/storage/tls/sites.d/positivesound.nl.conf:
server {
    listen 80;
    listen [::]:80;
    server_name positivesound.nl www.positivesound.nl;

    location /.well-known/acme-challenge {
        default_type "text/plain";
        alias /home/ploi/smart48.com/shared/storage/tls/challenges/positivesound.nl;
    }

    # Reset connection
    location / {
        return 444;
    }
}


# configuration file /home/ploi/smart48.com/shared/storage/tls/sites.d/thaiconomics.com.conf:
server {
    listen 80;
    listen [::]:80;
    server_name thaiconomics.com www.thaiconomics.com;

    location /.well-known/acme-challenge {
        default_type "text/plain";
        alias /home/ploi/smart48.com/shared/storage/tls/challenges/thaiconomics.com;
    }

    # Redirect to HTTPS version
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name thaiconomics.com www.thaiconomics.com;
    root /home/ploi/smart48.com/current/public;

    ssl_certificate     /home/ploi/smart48.com/shared/storage/tls/le-storage/04c6c240/rsa/certificate-fullchained.crt;
    ssl_certificate_key /home/ploi/smart48.com/shared/storage/tls/le-storage/04c6c240/rsa/private.pem;

    # Improve HTTPS performance with session resumption
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    # Enable server-side protection against BEAST attacks
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:HIGH:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!SEED:!DSS:!CAMELLIA;

    # Disable SSLv3
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Diffie-Hellman parameter for DHE ciphersuites
    # $ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # Enable HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;

    # Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /home/ploi/smart48.com/shared/storage/tls/le-storage/04c6c240/rsa/certificate-fullchained.crt;

    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/thaiconomics.com-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        include fastcgi_params;
    }
}

These two files overlap in server_name:

# configuration file /etc/nginx/ploi/smart48.com/before/redirect.conf:
# Redirect To Primary Domain...
server {
    listen 80;
    listen [::]:80;
    server_name .smart48.com;
    return 301  https://$host$request_uri;
}
# configuration file /etc/nginx/ploi/smart48.com/before/ssl-redirect.conf:
# Redirect every request to HTTPS...
server {
     listen 80;
     listen [::]:80;
     server_name .smart48.com;
     return 301 https://$host$request_uri;
}

True, it seems both

  • redirect.conf
  • ssl-redirect.conf

have

# Redirect every request to HTTPS...
server {
     listen 80;
     listen [::]:80;
     server_name .smart48.com;
     return 301 https://$host$request_uri;
}

File /etc/nginx/ploi/smart48.com/before/redirect.conf has

# Redirect To Primary Domain...
server {
    listen 80;
    listen [::]:80;
    server_name .smart48.com;
    return 301  https://$host$request_uri;
}

and /etc/nginx/ploi/smart48.com/before/ssl-redirect.conf has

# Redirect every request to HTTPS...
server {
     listen 80;
     listen [::]:80;
     server_name .smart48.com;
     return 301 https://$host$request_uri;
}

# Redirect SSL to primary domain SSL...
server {
     listen 443 ssl http2;
     listen [::]:443 ssl http2;

    ssl_certificate /etc/letsencrypt/live/smart48.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/smart48.com/privkey.pem;
    # ssl_certificate /etc/nginx/ssl/certificates/smart48.com.crt;
    # ssl_certificate_key /etc/nginx/ssl/certificates/smart48.com.key;

     server_name www.smart48.com;
     return 301 https://smart48.com$request_uri;
}

Perhaps I can drop /etc/nginx/ploi/smart48.com/before/redirect.conf?

Update

I removed /etc/nginx/ploi/smart48.com/before/redirect.conf and reloaded with sudo systemctl reload nginx

2024/09/21 07:25:27 [notice] 1157736#1157736: signal process started
2024/09/21 10:19:00 [notice] 1162145#1162145: signal process started
2024/09/21 10:21:30 [notice] 1162209#1162209: signal process started

and on checking there are no issues now

sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

and the redirect is still fine

curl -I http://smart48.com
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sat, 21 Sep 2024 08:29:13 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://smart48.com/
Expires: Sat, 21 Sep 2024 08:29:13 GMT
Cache-Control: max-age=0
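Two things in this thread are worth turning into a repeatable check that runs before the cron job's `systemctl reload nginx`: the duplicate `server_name .smart48.com` on port 80 that the two `before/*.conf` files produced (nginx keeps the first block it parses and logs a `conflicting server name "..." on 0.0.0.0:80, ignored` warning for the second), and the three `sites.d/*.conf` vhosts in the dump that still list `TLSv1 TLSv1.1` in `ssl_protocols` while the smart48go.com block is already at `TLSv1.2 TLSv1.3`. The script below is an added example and is not part of the original thread, the Ploi tooling or the certbot-dns-transip image; it parses `nginx -T` output with awk and reports both conditions. `SAMPLE_DUMP` is a constructed, cut-down version of the dump posted above, the names `find_duplicate_servers`, `find_legacy_tls` and `safe_reload` are chosen here, and the duplicate check compares the literal `server_name` string (which is what nginx's conflict warning keys on), so a wildcard `.example.com` and an explicit `www.example.com` are not reported as a pair.

```shell
#!/bin/sh
# Added example (not from the thread or the Ploi/certbot tooling): audit an `nginx -T`
# dump for server blocks that claim the same listen socket + server_name, and for
# vhosts still offering TLSv1/TLSv1.1, before the cron job reloads nginx.

# Print "listen<TAB>server_name<TAB>file#block ..." for every pair seen in more than
# one server block. Reads an nginx -T dump on stdin; compares the literal name string.
find_duplicate_servers() {
    awk '
    /^[[:space:]]*# configuration file / { f = $4; sub(/:$/, "", f); next }   # nginx -T file marker
    /^[[:space:]]*#/ { next }
    /^[[:space:]]*server[[:space:]]*[{]/ { b++; bfile[b] = f; next }       # new server block
    b && /^[[:space:]]*listen[[:space:]]/ {
        l = $2; sub(/;.*$/, "", l)
        if (l !~ /:/) l = "*:" l                                             # "80" -> "*:80"
        nl[b]++; lst[b, nl[b]] = l; next
    }
    b && /^[[:space:]]*server_name[[:space:]]/ {
        for (i = 2; i <= NF; i++) {
            n = $i; sub(/;.*$/, "", n)
            if (n != "") { nn[b]++; nam[b, nn[b]] = n }
        }
        next
    }
    END {
        for (k = 1; k <= b; k++)
            for (i = 1; i <= nl[k]; i++)
                for (j = 1; j <= nn[k]; j++) {
                    key = lst[k, i] "\t" nam[k, j]
                    cnt[key]++; where[key] = where[key] " " bfile[k] "#" k
                }
        for (key in cnt) if (cnt[key] > 1) print key "\t" substr(where[key], 2)
    }' | sort
}

# Print "file<TAB>ssl_protocols ..." for lines that still enable TLSv1 or TLSv1.1
# (a line with only TLSv1.2 / TLSv1.3 is not reported).
find_legacy_tls() {
    awk '
    /^[[:space:]]*# configuration file / { f = $4; sub(/:$/, "", f); next }
    /^[[:space:]]*#/ { next }
    /^[[:space:]]*ssl_protocols[[:space:]]/ && /TLSv1(\.1)?([[:space:];]|$)/ {
        gsub(/^[[:space:]]+|;.*$/, ""); print f "\t" $0
    }' | sort
}

# Drop-in for the bare `systemctl reload nginx` in the cron script (run as root):
# refuse on conflicting blocks, warn on legacy TLS, then the usual nginx -t gate.
safe_reload() {
    dump=$(nginx -T 2>/dev/null) || { echo "nginx -T failed" >&2; return 1; }
    dups=$(printf '%s\n' "$dump" | find_duplicate_servers)
    if [ -n "$dups" ]; then printf 'conflicting server blocks:\n%s\n' "$dups" >&2; return 1; fi
    legacy=$(printf '%s\n' "$dump" | find_legacy_tls)
    [ -z "$legacy" ] || printf 'warning, legacy TLS still enabled:\n%s\n' "$legacy" >&2
    nginx -t && systemctl reload nginx
}

# Constructed sample, cut down from the nginx -T dump posted in this thread.
SAMPLE_DUMP='# configuration file /etc/nginx/ploi/smart48.com/before/redirect.conf:
server {
    listen 80;
    listen [::]:80;
    server_name .smart48.com;
    return 301 https://$host$request_uri;
}
# configuration file /etc/nginx/ploi/smart48.com/before/ssl-redirect.conf:
server {
     listen 80;
     listen [::]:80;
     server_name .smart48.com;
     return 301 https://$host$request_uri;
}
server {
     listen 443 ssl http2;
     listen [::]:443 ssl http2;
     server_name www.smart48.com;
     return 301 https://smart48.com$request_uri;
}
# configuration file /etc/nginx/sites-enabled/smart48.com:
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name .smart48.com;
    ssl_protocols TLSv1.2 TLSv1.3;
}
# configuration file /home/ploi/smart48.com/shared/storage/tls/sites.d/cafejpcoen.nl.conf:
server {
    listen 443 ssl http2;
    server_name cafejpcoen.nl www.cafejpcoen.nl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}'

printf '%s\n' "$SAMPLE_DUMP" | find_duplicate_servers   # two lines: *:80 and [::]:80 for .smart48.com
printf '%s\n' "$SAMPLE_DUMP" | find_legacy_tls          # one line: the cafejpcoen.nl vhost
```

On the real host the two audits are fed from `nginx -T`, and `safe_reload` replaces the `systemctl reload nginx` line in the cron script: a conflicting server block aborts the reload (the log then shows which two files clash), while a vhost still offering TLSv1/TLSv1.1 is only logged, since a certificate renewal should not be held hostage by a protocol clean-up. The `nginx -t` that the thread already uses stays as the final gate.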
