Nginx: [warn] conflicting server name "example.com" on 0.0.0.0:80, ignored

gusto1 · September 12, 2023, 6:38pm

I use nginx 1.25.2 as a reverse proxy server. I need to change the server block configuration to work on HTTP/3.
This is my flood config file where everything works great on HTTP/2

server {
    server_name example.com;
    return 301 http://www.example.com$request_uri;
 
    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
 
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Referrer-Policy                      "no-referrer"   always;
    add_header X-Content-Type-Options               "nosniff"       always;
    add_header X-Download-Options                   "noopen"        always;
    add_header X-Frame-Options                      "SAMEORIGIN"    always;
    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
    add_header X-Robots-Tag                         "none"          always;
    add_header X-XSS-Protection                     "1; mode=block" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
     
}
  
server {
    server_name www.example.com;
  
    location / {
        proxy_pass http://192.168.20.11;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
 
    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
 
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Referrer-Policy                      "no-referrer"   always;
    add_header X-Content-Type-Options               "nosniff"       always;
    add_header X-Download-Options                   "noopen"        always;
    add_header X-Frame-Options                      "SAMEORIGIN"    always;
    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
    add_header X-Robots-Tag                         "none"          always;
    add_header X-XSS-Protection                     "1; mode=block" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
     
}
 
server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
 
 
    listen 80;
    server_name example.com;
    return 404; # managed by Certbot
 
 
}
  
server {
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
 
 
    listen 80;
    server_name www.example.com;
    return 404; # managed by Certbot
 
 
}

For HTTP/3 I made the following changes in the config. I commented on the directives

#   listen 443 ssl http2; # managed by Certbot

I added http headers

    add_header Alt-Svc 'h3=":$server_port"; ma=86400';

I added the following directives to the server block

    listen 443 quic reuseport; # QUIC
    listen 443 ssl;             # TCP
    http2 on;

The whole edited config file looks like this

server {
    server_name example.com;
    return 301 http://www.example.com$request_uri;
 
#   listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
 
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Referrer-Policy                      "no-referrer"   always;
    add_header X-Content-Type-Options               "nosniff"       always;
    add_header X-Download-Options                   "noopen"        always;
    add_header X-Frame-Options                      "SAMEORIGIN"    always;
    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
    add_header X-Robots-Tag                         "none"          always;
    add_header X-XSS-Protection                     "1; mode=block" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
    add_header Alt-Svc 'h3=":$server_port"; ma=86400';
         
}
  
server {
    server_name www.example.com;
  
    location / {
        proxy_pass http://192.168.20.11;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    listen 443 quic reuseport; # QUIC
    listen 443 ssl;             # TCP
    http2 on;


 
#   listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
 
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Referrer-Policy                      "no-referrer"   always;
    add_header X-Content-Type-Options               "nosniff"       always;
    add_header X-Download-Options                   "noopen"        always;
    add_header X-Frame-Options                      "SAMEORIGIN"    always;
    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
    add_header X-Robots-Tag                         "none"          always;
    add_header X-XSS-Protection                     "1; mode=block" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
    add_header Alt-Svc 'h3=":$server_port"; ma=86400';
         
}
 
server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
 
 
    listen 80;
    server_name example.com;
    return 404; # managed by Certbot
 
 
}
  
server {
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
 
 
    listen 80;
    server_name www.example.com;
    return 404; # managed by Certbot
 
 
}

Everything seems to work correctly, but if I want to check the nginx configuration

sudo nginx -t

nginx: [warn] conflicting server name "example.com" on 0.0.0.0:80, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

Even if everything works, this is what bothers me

nginx: [warn] conflicting server name "example.com" on 0.0.0.0:80, ignored

Osiris · September 12, 2023, 7:37pm

I'm sorry, but this is not a generic "how to configure nginx" Community. While we often help people with stuff barely related to Let's Encrypt/certificates, IMO HTTP/3 is really outside of the scope of this forum.

Bruce5051 · September 12, 2023, 7:40pm

Ditto!
For general nginx information you might find nginx documentation and https://forum.nginx.org/ helpful.

gusto1 · September 12, 2023, 8:00pm

I understand, nginx also has its own forum, but it's hard to find an answer there (many questions without answers there). Nginx is a half-dead forum.

When generating certificates from Let's encrypt, certbot also adjusts the nginx configuration. I thought it would be appropriate to ask on this forum, because I see life here.

9peppe · September 12, 2023, 8:09pm

Check the nginx documentation

HTTP/3 support is pretty recent for nginx and there should be some tutorials around. (Maybe somewhere in the cloudflare quic docs?)

rg305 · September 13, 2023, 2:58am

gusto1:

server {
    server_name example.com;
    return 301 http://www.example.com$request_uri;
 
#   listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
 
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Referrer-Policy                      "no-referrer"   always;
    add_header X-Content-Type-Options               "nosniff"       always;
    add_header X-Download-Options                   "noopen"        always;
    add_header X-Frame-Options                      "SAMEORIGIN"    always;
    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
    add_header X-Robots-Tag                         "none"          always;
    add_header X-XSS-Protection                     "1; mode=block" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
    add_header Alt-Svc 'h3=":$server_port"; ma=86400';
         
}

That block now has no defined listen statement.
[ I doubt certbot commented that line out ]

gusto1 · September 13, 2023, 5:21am

This directive can be in the config file only once, otherwise nginx reports a failed duplicate directive.

gusto1 · September 13, 2023, 7:02am

If I remove from the config file

server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
 
 
    listen 80;
    server_name example.com;
    return 404; # managed by Certbot
 
 
}
  
server {
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
 
 
    listen 80;
    server_name www.example.com;
    return 404; # managed by Certbot
 
 
}

Then everything seems to be OK, but there is one problem. My goal is when the client writes in the url

example.com
http://example.com
https://example.com
http://www.example.com
https://www.example.com
www.example.com

To always be redirected to

https://www.example.com

If the client writes in the url

http://example.com
http://www.example.com

He is always redirected to the default page of the proxy server.

gusto1 · September 13, 2023, 7:20am

I'm not an expert in configuring nginx, but I managed to solve it like this. It works exactly as I want it to. However, I can't tell if everything is correct.

server {
    server_name example.com www.example.com;
    return 301 https://www.example.com$request_uri;
 
#   listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
 
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Referrer-Policy                      "no-referrer"   always;
    add_header X-Content-Type-Options               "nosniff"       always;
    add_header X-Download-Options                   "noopen"        always;
    add_header X-Frame-Options                      "SAMEORIGIN"    always;
    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
    add_header X-Robots-Tag                         "none"          always;
    add_header X-XSS-Protection                     "1; mode=block" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
    add_header Alt-Svc 'h3=":$server_port"; ma=86400';
         
}
  
server {
    server_name www.example.com;
  
    location / {
        proxy_pass http://192.168.20.11;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    listen 443 quic reuseport; # QUIC
    listen 443 ssl;             # TCP
    http2 on;


 
#   listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
 
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Referrer-Policy                      "no-referrer"   always;
    add_header X-Content-Type-Options               "nosniff"       always;
    add_header X-Download-Options                   "noopen"        always;
    add_header X-Frame-Options                      "SAMEORIGIN"    always;
    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
    add_header X-Robots-Tag                         "none"          always;
    add_header X-XSS-Protection                     "1; mode=block" always;
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
    add_header Alt-Svc 'h3=":$server_port"; ma=86400';
         
}

sudo nginx -t && sudo systemctl reload nginx
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

9peppe · September 13, 2023, 7:35am

this works but you shouldn't redirect http to https on a different fqdn.

first redirect http to https on the same domain, then redirect https to https on the other domain.

rg305 · September 13, 2023, 1:20pm

Now you show two listen statements that have been commented out:

MikeMcQ · September 13, 2023, 2:27pm

This has two domain names

This has just one

The second is using port 443 so when you add a listen for 443 for the first one you duplicated the domain name and port. That is why nginx complains when you do that.

I doubt very much your nginx is doing what you want it to for each of your domain names. But, without knowing the actual domains it is not possible to be more specific.

gusto1 · September 13, 2023, 3:48pm

As I already wrote, I am not an expert in configuring nginx. How should I set it when the client writes in the url

example.com
http://example.com
https://example.com
http://www.example.com
https://www.example.com
www.example.com

To always be redirected to

https://www.example.com

rg305 · September 13, 2023, 3:49pm

If the client writes:

It should NOT redirect them to:

Depending on which browser is in use, these two may be the same thing:

system · October 13, 2023, 3:49pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.