Domain redirects to another https://domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: 12reserve.nl

I ran this command: I used ploi.io

It produced this output:

My web server is (include version):
Ubuntu 22.04

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Hetzner

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.7.1

I have a few domains on the server, among them:
app.sportchallenge.online
*.12reserve.nl (uses app., appx., demo)

I had a problem with certificates on 12reserve.nl, as I tried a wildcard certificate for all subdomains on 12reserve.nl

So, I removed all of 12reserve certificates

But now https://app.12reserve.nl redirects to https://app.sportchallenge.online !!

Can someone help me on this? And I would like a wildcard certificate on 12reserve.nl, with my DNS provider transip.nl, and hosting on Hetzner. Can this be done?

Thanks in advance, Lambert

Hi @LambertB, and welcome to the LE community forum :slight_smile:

It sounds to me like a web server problem.

But this is NOT a web server:

Try showing us the output of:
nginx -T

2 Likes
# configuration file /etc/nginx/conf.d/upload.conf:
client_max_body_size 10M;

# configuration file /etc/nginx/sites-enabled/12reserve.nl:
# Ploi Webserver Configuration, do not remove!
include /etc/nginx/ploi/12reserve.nl/before/*;

server {
    listen 80;
    listen [::]:80;

    root /home/12reserve-mbojv/12reserve.nl/public;
    server_name 12reserve.nl app.12reserve.nl

    include /etc/nginx/ssl/12reserve.nl;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    index index.php index.html;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    charset utf-8;

    # Ploi Configuration, do not remove!
    include /etc/nginx/ploi/12reserve.nl/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    access_log off;
    error_log  /var/log/nginx/12reserve.nl-error.log error;

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    error_page 404 /index.php;

    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php8.1-fpm-12reserve-mbojv.sock;
        fastcgi_buffers 16 16k;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }
}

# Ploi Webserver Configuration, do not remove!
include /etc/nginx/ploi/12reserve.nl/after/*;
# configuration file /etc/nginx/ploi/12reserve.nl/before/redirect.conf:
# Redirect configuration file
server {
    listen 80;
    listen [::]:80;
    server_name www.12reserve.nl;
    return 301 $scheme://12reserve.nl$request_uri;
}

# configuration file /etc/nginx/ploi/12reserve.nl/server/disable-basic-auth-well-known.conf:
# This location allows the SSL requests and renewals by Certbot & Let's Encrypt to go through.
# If you're not comfortable with this setting, you may remove this file and restart NGINX.
location /.well-known/acme-challenge/ {
    auth_basic off;
}
# configuration file /etc/nginx/fastcgi_params:

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  REMOTE_USER        $remote_user;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

# configuration file /etc/nginx/sites-enabled/allunited.jovisst.nl:
# Ploi Webserver Configuration, do not remove!
include /etc/nginx/ploi/allunited.jovisst.nl/before/*;

server {
    listen 80;
    listen [::]:80;

    root /home/jovisst-6zxnq/allunited.jovisst.nl/public;
    server_name allunited.jovisst.nl;

    include /etc/nginx/ssl/allunited.jovisst.nl;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    index index.php index.html;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    charset utf-8;

    # Ploi Configuration, do not remove!
    include /etc/nginx/ploi/allunited.jovisst.nl/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    access_log off;
    error_log  /var/log/nginx/allunited.jovisst.nl-error.log error;

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    error_page 404 /index.php;

    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php8.1-fpm-jovisst-6zxnq.sock;
        fastcgi_buffers 16 16k;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }
}

# Ploi Webserver Configuration, do not remove!
include /etc/nginx/ploi/allunited.jovisst.nl/after/*;

# configuration file /etc/nginx/ploi/allunited.jovisst.nl/before/redirect.conf:
# Redirect configuration file
server {
    listen 80;
    listen [::]:80;
    server_name www.allunited.jovisst.nl;
    return 301 $scheme://allunited.jovisst.nl$request_uri;
}

# configuration file /etc/nginx/ssl/allunited.jovisst.nl:

# configuration file /etc/nginx/ploi/allunited.jovisst.nl/server/disable-basic-auth-well-known.conf:
# This location allows the SSL requests and renewals by Certbot & Let's Encrypt to go through.
# If you're not comfortable with this setting, you may remove this file and restart NGINX.
location /.well-known/acme-challenge/ {
    auth_basic off;
}
# configuration file /etc/nginx/sites-enabled/app.12reserve.nl:
# Ploi Webserver Configuration, do not remove!
include /etc/nginx/ploi/app.12reserve.nl/before/*;

server {
    listen 80;
    listen [::]:80;

    root /home/app-qsvtt/app.12reserve.nl/public;
    server_name appx.12reserve.nl demox.12reserve.nl;

    include /etc/nginx/ssl/app.12reserve.nl;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    index index.php index.html;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    charset utf-8;

    # Ploi Configuration, do not remove!
    include /etc/nginx/ploi/app.12reserve.nl/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    access_log off;
    error_log  /var/log/nginx/app.12reserve.nl-error.log error;

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    error_page 404 /index.php;

    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php8.1-fpm-app-qsvtt.sock;
        fastcgi_buffers 16 16k;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }
}

# Ploi Webserver Configuration, do not remove!
include /etc/nginx/ploi/app.12reserve.nl/after/*;
# configuration file /etc/nginx/ploi/app.12reserve.nl/before/redirect.conf:
# Redirect configuration file
server {
    listen 80;
    listen [::]:80;
    server_name www.app.12reserve.nl;
    return 301 $scheme://app.12reserve.nl$request_uri;
}

# configuration file /etc/nginx/ssl/app.12reserve.nl:

# configuration file /etc/nginx/ploi/app.12reserve.nl/server/disable-basic-auth-well-known.conf:
# This location allows the SSL requests and renewals by Certbot & Let's Encrypt to go through.
# If you're not comfortable with this setting, you may remove this file and restart NGINX.
location /.well-known/acme-challenge/ {
    auth_basic off;
}
# configuration file /etc/nginx/sites-enabled/app.sportchallenge.online:
# Ploi Webserver Configuration, do not remove!
include /etc/nginx/ploi/app.sportchallenge.online/before/*;

server {
    #listen 80;
    #listen [::]:80;

    root /home/app-hy77z/app.sportchallenge.online/public;
    server_name app.sportchallenge.online;

    include /etc/nginx/ssl/app.sportchallenge.online;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    index index.php index.html;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    charset utf-8;

    # Ploi Configuration, do not remove!
    include /etc/nginx/ploi/app.sportchallenge.online/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    access_log off;
    error_log  /var/log/nginx/app.sportchallenge.online-error.log error;

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    error_page 404 /index.php;

    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php8.1-fpm-app-hy77z.sock;
        fastcgi_buffers 16 16k;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }
}

# Ploi Webserver Configuration, do not remove!
include /etc/nginx/ploi/app.sportchallenge.online/after/*;

# configuration file /etc/nginx/ploi/app.sportchallenge.online/before/ssl-redirect.conf:
# Redirect every request to HTTPS...
server {
     listen 80;
     listen [::]:80;
     server_name .app.sportchallenge.online;
     return 301 https://$host$request_uri;
}

# Redirect SSL to primary domain SSL...
server {
     listen 443 ssl http2;
     listen [::]:443 ssl http2;

     ssl_certificate /etc/letsencrypt/live/app.sportchallenge.online/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/app.sportchallenge.online/privkey.pem;

     server_name www.app.sportchallenge.online;
     return 301 https://app.sportchallenge.online$request_uri;
}
# configuration file /etc/nginx/ssl/app.sportchallenge.online:
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/app.sportchallenge.online/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/app.sportchallenge.online/privkey.pem;
# configuration file /etc/nginx/ploi/app.sportchallenge.online/server/disable-basic-auth-well-known.conf:
# This location allows the SSL requests and renewals by Certbot & Let's Encrypt to go through.
# If you're not comfortable with this setting, you may remove this file and restart NGINX.
location /.well-known/acme-challenge/ {
    auth_basic off;
}
# configuration file /etc/nginx/sites-enabled/catch-all:
server { return 404; }
# configuration file /etc/nginx/sites-enabled/default:
server {
    server_name _;
    listen       80  default_server;
    return       404;
}

server {
    listen 443 ssl;
    server_name _;
    ssl_certificate /etc/nginx/ploi/default/nginx.crt;
    ssl_certificate_key /etc/nginx/ploi/default/nginx.key;
    return       404;
}
# configuration file /etc/nginx/sites-enabled/jovisst.nl:
# Ploi Webserver Configuration, do not remove!
include /etc/nginx/ploi/jovisst.nl/before/*;

server {
    #listen 80;
    #listen [::]:80;

    root /home/jovisst-6zxnq/jovisst.nl/public;
    server_name jovisst.nl;

    include /etc/nginx/ssl/jovisst.nl;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    index index.php index.html;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    charset utf-8;

    # Ploi Configuration, do not remove!
    include /etc/nginx/ploi/jovisst.nl/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    access_log off;
    error_log  /var/log/nginx/jovisst.nl-error.log error;

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    error_page 404 /index.php;

    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php8.1-fpm-jovisst-6zxnq.sock;
        fastcgi_buffers 16 16k;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }
}

# Ploi Webserver Configuration, do not remove!
include /etc/nginx/ploi/jovisst.nl/after/*;

# configuration file /etc/nginx/ploi/jovisst.nl/before/ssl-redirect.conf:
# Redirect every request to HTTPS...
server {
     listen 80;
     listen [::]:80;
     server_name .jovisst.nl;
     return 301 https://$host$request_uri;
}

# Redirect SSL to primary domain SSL...
server {
     listen 443 ssl http2;
     listen [::]:443 ssl http2;

     ssl_certificate /etc/letsencrypt/live/jovisst.nl/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/jovisst.nl/privkey.pem;

     server_name www.jovisst.nl;
     return 301 https://jovisst.nl$request_uri;
}
# configuration file /etc/nginx/ssl/jovisst.nl:
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/jovisst.nl/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/jovisst.nl/privkey.pem;
# configuration file /etc/nginx/ploi/jovisst.nl/server/disable-basic-auth-well-known.conf:
# This location allows the SSL requests and renewals by Certbot & Let's Encrypt to go through.
# If you're not comfortable with this setting, you may remove this file and restart NGINX.
location /.well-known/acme-challenge/ {
    auth_basic off;
}
# configuration file /etc/nginx/sites-enabled/matomo.jovisst.nl:
# Ploi Webserver Configuration, do not remove!
include /etc/nginx/ploi/matomo.jovisst.nl/before/*;

server {
    #listen 80;
    #listen [::]:80;

    root /home/matomo-tbi3s/matomo.jovisst.nl/;
    server_name matomo.jovisst.nl;

    include /etc/nginx/ssl/matomo.jovisst.nl;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    index index.php index.html;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    charset utf-8;

    # Ploi Configuration, do not remove!
    include /etc/nginx/ploi/matomo.jovisst.nl/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    access_log off;
    error_log  /var/log/nginx/matomo.jovisst.nl-error.log error;

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    error_page 404 /index.php;

    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php8.1-fpm-matomo-tbi3s.sock;
        fastcgi_buffers 16 16k;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }
}

# Ploi Webserver Configuration, do not remove!
include /etc/nginx/ploi/matomo.jovisst.nl/after/*;

# configuration file /etc/nginx/ploi/matomo.jovisst.nl/before/ssl-redirect.conf:
# Redirect every request to HTTPS...
server {
     listen 80;
     listen [::]:80;
     server_name .matomo.jovisst.nl;
     return 301 https://$host$request_uri;
}

# Redirect SSL to primary domain SSL...
server {
     listen 443 ssl http2;
     listen [::]:443 ssl http2;

     ssl_certificate /etc/letsencrypt/live/matomo.jovisst.nl/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/matomo.jovisst.nl/privkey.pem;

     server_name www.matomo.jovisst.nl;
     return 301 https://matomo.jovisst.nl$request_uri;
}
# configuration file /etc/nginx/ssl/matomo.jovisst.nl:
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/matomo.jovisst.nl/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/matomo.jovisst.nl/privkey.pem;
# configuration file /etc/nginx/ploi/matomo.jovisst.nl/server/disable-basic-auth-well-known.conf:
# This location allows the SSL requests and renewals by Certbot & Let's Encrypt to go through.
# If you're not comfortable with this setting, you may remove this file and restart NGINX.
location /.well-known/acme-challenge/ {
    auth_basic off;
}
# configuration file /etc/nginx/ploi/matomo.jovisst.nl/server/robots.conf:
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
# configuration file /etc/nginx/sites-enabled/phpmyadmin:
# Ploi webserver phpMyAdmin configuration, do not remove!
include /etc/nginx/ploi/phpmyadmin/before/*;

server {
    listen 80;
    listen [::]:80;

    root /var/www/html;
    index index.php;
    server_name 159.69.150.221;

    include /etc/nginx/ssl/phpmyadmin;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
        fastcgi_buffers 16 16k;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }

    location ~ \.(?:css|js|woff|svg|gif)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";

        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header Referrer-Policy no-referrer;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$request_uri;
    }
}

# configuration file /etc/nginx/ssl/phpmyadmin:

# configuration file /etc/nginx/sites-enabled/staging.app.sportchallenge.online:
# Ploi Webserver Configuration, do not remove!
include /etc/nginx/ploi/staging.app.sportchallenge.online/before/*;

server {
    listen 80;
    listen [::]:80;

    root /home/app-hy77z/staging.app.sportchallenge.online/public;
    server_name staging.app.sportchallenge.online;

    include /etc/nginx/ssl/staging.app.sportchallenge.online;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    index index.php index.html;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    charset utf-8;

    # Ploi Configuration, do not remove!
    include /etc/nginx/ploi/staging.app.sportchallenge.online/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    access_log off;
    error_log  /var/log/nginx/staging.app.sportchallenge.online-error.log error;

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    error_page 404 /index.php;

    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php8.1-fpm-app-hy77z.sock;
        fastcgi_buffers 16 16k;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }
}

# Ploi Webserver Configuration, do not remove!
include /etc/nginx/ploi/staging.app.sportchallenge.online/after/*;

# configuration file /etc/nginx/ploi/staging.app.sportchallenge.online/before/redirect.conf:
# Redirect configuration file
server {
    listen 80;
    listen [::]:80;
    server_name www.staging.app.sportchallenge.online;
    return 301 $scheme://staging.app.sportchallenge.online$request_uri;
}

# configuration file /etc/nginx/ssl/staging.app.sportchallenge.online:

# configuration file /etc/nginx/ploi/staging.app.sportchallenge.online/server/disable-basic-auth-well-known.conf:
# This location allows the SSL requests and renewals by Certbot & Let's Encrypt to go through.
# If you're not comfortable with this setting, you may remove this file and restart NGINX.
location /.well-known/acme-challenge/ {
    auth_basic off;
}
# configuration file /etc/nginx/ploi/staging.app.sportchallenge.online/server/robots.conf:
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
# configuration file /etc/nginx/sites-enabled/timetag.io:
# Ploi Webserver Configuration, do not remove!
include /etc/nginx/ploi/timetag.io/before/*;

server {
    #listen 80;
    #listen [::]:80;

    root /home/timetag-zzrxo/timetag.io/public;
    server_name timetag.io;

    include /etc/nginx/ssl/timetag.io;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    index index.php index.html;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    charset utf-8;

    # Ploi Configuration, do not remove!
    include /etc/nginx/ploi/timetag.io/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    access_log off;
    error_log  /var/log/nginx/timetag.io-error.log error;

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    error_page 404 /index.php;

    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php8.1-fpm-timetag-zzrxo.sock;
        fastcgi_buffers 16 16k;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }
}

# Ploi Webserver Configuration, do not remove!
include /etc/nginx/ploi/timetag.io/after/*;

# configuration file /etc/nginx/ploi/timetag.io/before/ssl-redirect.conf:
# Redirect every request to HTTPS...
server {
     listen 80;
     listen [::]:80;
     server_name .timetag.io;
     return 301 https://$host$request_uri;
}

# Redirect SSL to primary domain SSL...
server {
     listen 443 ssl http2;
     listen [::]:443 ssl http2;

     ssl_certificate /etc/letsencrypt/live/timetag.io/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/timetag.io/privkey.pem;

     server_name www.timetag.io;
     return 301 https://timetag.io$request_uri;
}
# configuration file /etc/nginx/ssl/timetag.io:
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/timetag.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/timetag.io/privkey.pem;
# configuration file /etc/nginx/ploi/timetag.io/server/disable-basic-auth-well-known.conf:
# This location allows the SSL requests and renewals by Certbot & Let's Encrypt to go through.
# If you're not comfortable with this setting, you may remove this file and restart NGINX.
location /.well-known/acme-challenge/ {
    auth_basic off;
}

The configuration has includes for port 443 settings.
But it is using them within port 80 vhost config files.

Here is what one of the expanded includes looks like:

# configuration file /etc/nginx/sites-enabled/jovisst.nl:
# Ploi Webserver Configuration, do not remove!
server {
     listen 80;
     listen [::]:80;
     server_name .jovisst.nl;
     return 301 https://$host$request_uri;
}


server {
    #listen 80;
    #listen [::]:80;

    root /home/jovisst-6zxnq/jovisst.nl/public;
    server_name jovisst.nl;

listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/jovisst.nl/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/jovisst.nl/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    index index.php index.html;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    charset utf-8;

    # Ploi Configuration, do not remove!
location /.well-known/acme-challenge/ {
    auth_basic off;
}

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    access_log off;
    error_log  /var/log/nginx/jovisst.nl-error.log error;

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    error_page 404 /index.php;

    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php8.1-fpm-jovisst-6zxnq.sock;
        fastcgi_buffers 16 16k;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }
}

Wow, I do not like being harsh, but you have a mess.

There are stray config files with just fragments of server blocks. You have HTTP (port 80) server blocks with HTTPS config in them and other poor config.

The specific problem with app.12reserve.nl is caused by one of these problems. You are listening on port 80 with SSL config. No server block listens on port 443 for this domain name.

The reason it redirects to app.sportchallenge.online is because that is your default server block as it is the first one with a listen for port 443.

server {
    listen 80;
    listen [::]:80;

    root /home/12reserve-mbojv/12reserve.nl/public;
    server_name 12reserve.nl app.12reserve.nl;

    include /etc/nginx/ssl/12reserve.nl;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    index index.php index.html;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    charset utf-8;

    # Ploi Configuration, do not remove!
    include /etc/nginx/ploi/12reserve.nl/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    access_log off;
    error_log  /var/log/nginx/12reserve.nl-error.log error;

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    error_page 404 /index.php;

    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php8.1-fpm-12reserve-mbojv.sock;
        fastcgi_buffers 16 16k;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }
}
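
As an added illustration of the default-server point made above (this is not part of the reply and not Ploi's tooling), here is a POSIX shell script that reads an `nginx -T` dump and reports, per server block, the ports it listens on and its server_names, then answers two questions: which block nginx will pick as the default for port 443, and which names have no block on 443 at all. The embedded configuration is a constructed, shortened imitation of the layout in this thread, not the poster's real output; on the real server you would pipe `nginx -T 2>/dev/null` into the same functions.

```shell
#!/bin/sh
# Added example (not from the thread, not Ploi's tooling): summarise the
# server blocks in an `nginx -T` dump and show which one nginx will use for
# a name that has no port-443 block of its own. Run it against a live box with:
#   nginx -T 2>/dev/null | default_server_for 443
#   nginx -T 2>/dev/null | names_without_port 443

# Constructed, shortened imitation of the thread's layout: one vhost with a
# proper 443 block, one vhost that only listens on 80 but carries ssl_ lines.
SAMPLE_CONF='
# configuration file /etc/nginx/sites-enabled/app.sportchallenge.online:
server {
    listen 80;
    listen [::]:80;
    server_name .app.sportchallenge.online;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name app.sportchallenge.online;
    ssl_certificate /etc/letsencrypt/live/app.sportchallenge.online/fullchain.pem;
    location /.well-known/acme-challenge/ { auth_basic off; }
}
# configuration file /etc/nginx/sites-enabled/12reserve.nl:
server {
    listen 80;
    listen [::]:80;
    server_name 12reserve.nl app.12reserve.nl;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / { try_files $uri /index.php?$query_string; }
}
'

# One tab-separated line per server block: ports, server_names, default_server flag.
# Brace depth is tracked so directives inside location {} blocks are ignored.
nginx_servers() {
    awk '
    /^[[:space:]]*#/ { next }
    /^[[:space:]]*server[[:space:]]*[{]/ { depth = 1; ports = ""; names = ""; dflt = "no"; next }
    depth == 0 { next }
    {
        line = $0
        opens = gsub(/[{]/, "{", line); closes = gsub(/[}]/, "}", line)
        if (depth == 1 && $1 == "listen") {
            p = $2; sub(/;$/, "", p); sub(/.*:/, "", p)        # "[::]:443" -> "443"
            if (index(" " ports " ", " " p " ") == 0) ports = (ports == "" ? p : ports " " p)
            if ($0 ~ /default_server/) dflt = "yes"
        }
        if (depth == 1 && $1 == "server_name") {
            for (i = 2; i <= NF; i++) { n = $i; sub(/;$/, "", n); names = (names == "" ? n : names " " n) }
        }
        depth += opens - closes
        if (depth == 0) print ports "\t" names "\t" dflt
    }'
}

# nginx answers an unmatched SNI/Host name on a port with the block marked
# default_server for that port or, absent that, the first block listening on it.
default_server_for() {
    nginx_servers | awk -F '\t' -v port="$1" '
        index(" " $1 " ", " " port " ") {
            if ($3 == "yes") { print $2; found = 1; exit }
            if (first == "") first = $2
        }
        END { if (!found && first != "") print first }'
}

# Names that appear in some server block but have no block on the given port.
# A leading-dot name (".x") covers x and *.x, so it is compared as the bare name.
names_without_port() {
    nginx_servers | awk -F '\t' -v port="$1" '
        {
            on_port = index(" " $1 " ", " " port " ") > 0
            cnt = split($2, arr, " ")
            for (i = 1; i <= cnt; i++) {
                sub(/^[.]/, "", arr[i])
                seen[arr[i]] = 1
                if (on_port) ok[arr[i]] = 1
            }
        }
        END { for (n in seen) if (!(n in ok)) print n }' | sort
}

printf '%s\n' "$SAMPLE_CONF" | nginx_servers
echo "default server on 443: $(printf '%s\n' "$SAMPLE_CONF" | default_server_for 443)"
echo "names with no 443 block: $(printf '%s\n' "$SAMPLE_CONF" | names_without_port 443 | tr '\n' ' ')"
```

On the constructed sample the default for 443 is app.sportchallenge.online and both 12reserve.nl names are reported as having no 443 block, which is exactly the situation that sends a TLS request for app.12reserve.nl to the other site. The parser only understands the plain `server { ... }` layout that `nginx -T` prints; it does not resolve `include` lines itself, which is why you feed it the already-expanded `-T` output rather than the files on disk.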

Thanks! The config files include 'includes' which are in the 'nginx -T' output. But these included files are not always in the same order in the nginx -T output, for some reason.

Start to understand now how nginx works. Is the output from 'nginx -T' the order in which the webserver looks at incoming requests?

The output of nginx -T is in a top-down, tree-like order of files being processed.
But the order isn't a problem that I can see.
The problem I see is that there are inclusions that conflict with the vhost that is using them.

Hi, thanks so far. The thing is, Ploi uses a setup probably for a good reason, and I would like to follow that, as it is a very nice and easy tool.

Taking app.sportchallenge.online as an example, there are 3 inclusions in the base-file

  • include before
  • include ssl
  • include after

Help Include before contains:

# Redirect every request to HTTPS...
      server {
           listen 80;
           listen [::]:80;
           server_name .app.sportchallenge.online;
           return 301 https://$host$request_uri;
      }

(what is the . in front of app.sportchallenge.online ?)

The base-file is

# Ploi Webserver Configuration, do not remove!
include /etc/nginx/ploi/app.sportchallenge.online/before/*;

server {
listen 80;
listen [::]:80;

root /home/app-hy77z/app.sportchallenge.online/public;
server_name app.sportchallenge.online;

include /etc/nginx/ssl/app.sportchallenge.online;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparams.pem;

index index.php index.html;

add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";

charset utf-8;

# Ploi Configuration, do not remove!
include /etc/nginx/ploi/app.sportchallenge.online/server/*;

location / {
    try_files $uri $uri/ /index.php?$query_string;
}

access_log off;
error_log  /var/log/nginx/app.sportchallenge.online-error.log error;

location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt  { access_log off; log_not_found off; }

error_page 404 /index.php;

location ~ \.php$ {
    try_files $uri /index.php =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/run/php/php8.1-fpm-app-hy77z.sock;
    fastcgi_buffers 16 16k;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
    fastcgi_param DOCUMENT_ROOT $realpath_root;
    include fastcgi_params;
}

location ~ /\.(?!well-known).* {
    deny all;
}
}

# Ploi Webserver Configuration, do not remove!
include /etc/nginx/ploi/app.sportchallenge.online/after/*;

What is the

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'EC...';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparams.pem;

In the server:80 ??

Help include server contains

  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  ssl_certificate /etc/letsencrypt/live/app.sportchallenge.online/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/app.sportchallenge.online/privkey.pem;

Help include after is empty

What is the suggested setup for a nginx server with let's encrypt?

And additionally, how should I configure above when handling ALL subdomains have a wildcard let'sencrypt-certificate?

It is one way nginx supports stating a wildcard. See the nginx docs.

This server block makes no sense for various reasons.

  • You already have this server_name defined earlier for this same port. This is a subset of the '.' name earlier.
  • You have SSL config (the ssl_ lines) but those are only for HTTPS. This server block is for HTTP as it is listening on port 80. Port 443 is typical for HTTPS.
  • You want to redirect HTTP requests to HTTPS. Because of that the HTTP server block only redirects requests (apart for maybe an ACME HTTP Challenge). So you don't need any of the other config for processing requests - like the try_files, php, index, and almost all the rest.
  • This is probably supposed to be listening on port 443 but you also have other server blocks listening on 443 that also include at least part of this domain name. So, you could/should combine them. A server_name can list multiple names (again see nginx docs link above)

For me, there are too many unknowns about what you are trying to do to offer specific advice. Also, much of what is wrong is just general nginx config issues not related directly to Let's Encrypt. Someone else may want to help with that but not me - at least not any day soon :slight_smile:

Further, I don't know how ploi manages your nginx or even what method it uses for getting certs. Its docs for this are sparse.

A general guide for configuring HTTPS is below. Do not use HSTS or Stapling until you are sure you understand what they do. They are very advanced features.

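An added example of the shape the replies above describe (this is not Ploi's template and not from the original posts): one HTTP vhost that only answers ACME challenges and redirects, one HTTPS vhost that carries the `listen 443` and `ssl_` directives, and an explicit default server on 443 so a name with no vhost of its own is rejected instead of being served by whichever tenant happens to be first in the file order. The paths under /etc/letsencrypt/live/12reserve.nl/ assume a certbot lineage named 12reserve.nl that was issued for both the apex and *.12reserve.nl (a wildcard on its own does not cover the apex, and any wildcard needs the DNS-01 challenge, which certbot has no built-in plugin for at TransIP); the webroot /var/www/letsencrypt is an assumed path, and the cipher list is shortened to modern suites as an illustration.

```nginx
# /etc/nginx/sites-enabled/12reserve.nl  (added example, not Ploi's template)

# HTTP: serve ACME HTTP-01 challenges, redirect everything else to HTTPS.
# No ssl_* directives belong here; this block never terminates TLS.
server {
    listen 80;
    listen [::]:80;
    server_name 12reserve.nl *.12reserve.nl;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # assumed webroot; wildcard issuance uses DNS-01 and never hits this
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS: this is where listen 443 and the certificate live.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name 12reserve.nl *.12reserve.nl;

    # Assumed lineage name; certbot derives it from the first -d value, e.g.
    #   certbot certonly --preferred-challenges dns -d 12reserve.nl -d '*.12reserve.nl' ...
    ssl_certificate     /etc/letsencrypt/live/12reserve.nl/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/12reserve.nl/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    root  /home/12reserve-mbojv/12reserve.nl/public;
    index index.php index.html;
    charset utf-8;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php8.1-fpm-12reserve-mbojv.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }

    access_log off;
    error_log  /var/log/nginx/12reserve.nl-error.log error;
}

# Catch-all: a TLS request whose SNI name matches no server_name ends here
# instead of on another tenant's vhost. ssl_reject_handshake needs nginx 1.19.4
# or newer; on older builds point ssl_certificate/ssl_certificate_key at any
# certificate and use "return 444;" instead.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}
```

After `nginx -t && systemctl reload nginx`, check from outside which certificate and vhost each name actually gets: `openssl s_client -connect <server-ip>:443 -servername app.12reserve.nl </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName` should list *.12reserve.nl, and a made-up name such as `-servername nosuch.example` should now fail the handshake rather than receive the app.sportchallenge.online certificate.
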
Thanks Mike, I will study on the config!
