Redirection non-www to www problem

tonyfranco · February 12, 2023, 5:50pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: eter7.com

I ran this command:

It produced this output:

My web server is (include version): LEMP

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is: Vultr

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.32.2

Dear Sirs,

I´m very sorry to disturb you.

I have tried several things to fix this situation, but without success.

I have a server with 4 domains and this problem only happens with one domain. All other domains are managed by Certbot also with the SAME configuration.

The problem is with Redirection, there are 4 situations:
(Redirection Target: https://www.eter7.com)

1- http://www.eter7.com - WORKS!
2- https://www.eter7.com - WORKS!
3- http://eter7.com - DOESN´T WORK
4- https://eter7.com - DOESN´T WORK

Below, the config of certbot:

server {

listen 80;
listen [::]:80;
server_name www.eter7.com eter7.com;

if ($host = www.eter7.com) {
    return 301 https://$server_name$request_uri;
} # managed by Certbot

if ($host = formasparaqueijo.com) {
    return 301 https://$server_name$request_uri;
} # managed by Certbot

}

server {
listen 443 ssl http2; # managed by Certbot
listen [::]:443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/eter7.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/eter7.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

server_name www.eter7.com eter7.com;
root /var/www/eter7.com/;

index index.php index.html index.htm;
...

}

I have tried to deploy a new instance trying to fix, but also no way.

Searching helping at web, tried other config setup, neither... several hours of looking and nothing...

The problem is with eter7.com, it can´t redirects with 'http' or 'https' to https://www.eter7.com, if someone type in browser eter7.com it doesn´work...

Please, could you help me?

Thanks and Regards,
Tony

Osiris · February 12, 2023, 6:23pm

You probably want to change

to

if ($host = www.eter7.com | $host = eter7.com) {

Note: I don't have experience with nginx, but it seems the pipe symbol (|) is also a logical "OR" within nginx according to some documents I saw using Google.

Although.. Some other sites say it isn't possible? Hmm, YMMV

MikeMcQ · February 12, 2023, 6:23pm

tonyfranco:

server {

listen 80;
listen [::]:80;
server_name www.eter7.com eter7.com;

if ($host = www.eter7.com) {
    return 301 https://$server_name$request_uri;
} # managed by Certbot

if ($host = formasparaqueijo.com) {
    return 301 https://$server_name$request_uri;
} # managed by Certbot

}

You don't have a redirect for eter7.com from http to https in the above server block. You just have a redirect for www and a different domain name entirely.

You probably tried many combinations of certbot and ended up with poor results

As for redirecting eter7.com to the www domain that is normal redirect logic you can learn about in the nginx docs or probably many google sources

MikeMcQ · February 12, 2023, 6:30pm

I don't think so. I don't see it in nginx docs and I get this when trying that

nginx[2066]: nginx: [emerg] invalid condition "$host" in /etc/nginx/sites-enabled/mike:62
nginx[2066]: nginx: configuration file /etc/nginx/nginx.conf test failed

Osiris · February 12, 2023, 6:45pm

Zeh internet lied to me

Well, I guess OP needs to put 2 if {} blocks for both hostnames then, right?

MikeMcQ · February 12, 2023, 6:57pm

Yes, one for each just like Certbot would have done it if both names in the server block and both requested with cert request. I think there was manual intervention here rather than certbot doing what we see

tonyfranco · February 12, 2023, 8:05pm

Hi @Osiris,

Thank you by your reply!

It doesn´t work, gives an error at nginx when restarting it...

Regards,
Tony

tonyfranco · February 12, 2023, 8:09pm

Hi @MikeMcQ,

Thank you by your reply.

About that different domain, sorry i wrote it wrong at time i was writing message here...

I have gone to nginx docs, and tested this codes below:
(https://www.nginx.com/blog/creating-nginx-rewrite-rules/)

1-
server {

listen 80;
listen [::]:80;
server_name eter7.com;

location = / {
    return 301 $scheme://www.eter7.com$request_uri;
}

}

2-
server {

listen 80;
listen [::]:80;
server_name eter7.com;

location / {
    return 301 $scheme://www.eter7.com$request_uri;
}

}

3-
server {

listen 80;
listen [::]:80;
server_name eter7.com;

if ($host = eter7.com) {
    return 301 https://$server_name$request_uri;
} # managed by Certbot

}

4-
server {

listen 80;
listen [::]:80;
server_name eter7.com;

if ($host = eter7.com) {
    return 301 $scheme://www.eter7.com$request_uri;
} # managed by Certbot

}

5-
server {

listen 80;
listen [::]:80;
server_name eter7.com;
return 301 $scheme://www.eter7.com$request_uri;

}

6-
server {

listen 80;
listen [::]:80;
server_name eter7.com;
rewrite ^ $scheme://www.eter7.com$request_uri permanent;

}

7-
server {

listen 80 default_server;
listen [::]:80 default_server;
server_name eter7.com;
return 301 $scheme://www.eter7.com;

}

8-
server {

listen 80 default_server;
listen [::]:80 default_server;
server_name eter7.com;
rewrite ^(.*)$ $scheme://www.eter7.com$1 permanent;

}

9-
server {

listen 80;
listen [::]:80;
server_name eter7.com;
return 301 https://www.eter7.com$request_uri;

}

No one worked here...

Regards,
Tony

tonyfranco · February 12, 2023, 8:12pm

It's unbelievable!

These solutions worked for a lot of people, but here doesn´t...

I´m lost!

Bruce5051 · February 12, 2023, 8:18pm

How is this not working?

Using this online tool https://www.redirect-checker.org/ with an input of https://eter7.com produces
Result

CONGRATULATION. Everything seems to be fine.

301 Moved Permanently

200 OK



>>> https://eter7.com

> --------------------------------------------
> 301 Moved Permanently
> --------------------------------------------
Status:	301 Moved Permanently
Code:	301
Server:	nginx/1.18.0 (Ubuntu)
Date:	Sun, 12 Feb 2023 20:16:11 GMT
Content-Type:	text/html; charset=UTF-8
Connection:	close
X-UA-Compatible:	IE=edge
X-Redirect-By:	WordPress
Location:	https://www.eter7.com/
X-FastCGI-Cache:	EXPIRED
Strict-Transport-Security:	max-age=31536000; includeSubDomains; preload
X-Content-Type-Options:	nosniff
X-XSS-Protection:	1; mode=block
X-Frame-Options:	SAMEORIGIN
Referrer-Policy:	no-referrer-when-downgrade
Content-Security-Policy:	Upgrade-Insecure-Requests



>>> https://www.eter7.com/

> --------------------------------------------
> 200 OK
> --------------------------------------------
Status:	200 OK
Code:	200
Server:	nginx/1.18.0 (Ubuntu)
Date:	Sun, 12 Feb 2023 20:16:12 GMT
Content-Type:	text/html; charset=UTF-8
Connection:	close
Vary:	Accept-Encoding
X-UA-Compatible:	IE=edge
Link:	<https://www.eter7.com/>; rel=shortlink
X-FastCGI-Cache:	HIT
Strict-Transport-Security:	max-age=31536000; includeSubDomains; preload
X-Content-Type-Options:	nosniff
X-XSS-Protection:	1; mode=block
X-Frame-Options:	SAMEORIGIN
Referrer-Policy:	no-referrer-when-downgrade
Content-Security-Policy:	Upgrade-Insecure-Requests

MikeMcQ · February 12, 2023, 8:33pm

Those all looked fine. There must be a different server block taking precedence.

Pick one, say #5 from above, then show result of this (omit sudo if not needed)

(capital T)

sudo nginx -T

Please add 3 backticks before and after output when posting here like:
```
output of: nginx -T
```

MikeMcQ · February 12, 2023, 8:35pm

Yeah, an HTTPS request to that domain gets redirected by a Wordpress config.

But, the server blocks shown were for HTTP (port 80)

Bruce5051 · February 12, 2023, 8:39pm

But from here:

MikeMcQ · February 12, 2023, 8:51pm

Oh, I see. Yeah, they were mistaken about the https redirection.

I don't think the nginx they keep showing is the one processing the inbound requests. Because not only is the port 80 block not working as shown but the port 443 shows no redirect yet it does.

We will prove this soon when we see the nginx -T

tonyfranco · February 12, 2023, 9:02pm

Hi Bruce,

Thank you by your reply!

It´s strange that if i type http://eter7.com at browser it doesn´t access...

Regards,
Tony

tonyfranco · February 12, 2023, 9:05pm

Hi @MikeMcQ,

As you asked:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        multi_accept on;
        use epoll;
}

http {

server {

    server_name "~^(?!www\.).*" ;

    return 301 $scheme://www.$host$request_uri;

}

        set_real_ip_from 199.27.128.0/21;
        set_real_ip_from 103.21.244.0/22;
        set_real_ip_from 103.22.200.0/22;
        set_real_ip_from 103.31.4.0/22;
        set_real_ip_from 104.16.0.0/12;
        set_real_ip_from 108.162.192.0/18;
        set_real_ip_from 131.0.72.0/22;
        set_real_ip_from 141.101.64.0/18;
        set_real_ip_from 162.158.0.0/15;
        set_real_ip_from 172.64.0.0/13;
        set_real_ip_from 173.245.48.0/20;
        set_real_ip_from 188.114.96.0/20;
        set_real_ip_from 190.93.240.0/20;
        set_real_ip_from 197.234.240.0/22;
        set_real_ip_from 198.41.128.0/17;
        set_real_ip_from 199.27.128.0/21;
        set_real_ip_from 2400:cb00::/32;
        set_real_ip_from 2405:8100::/32;
        set_real_ip_from 2405:b500::/32;
        set_real_ip_from 2606:4700::/32;
        set_real_ip_from 2803:f800::/32;
        real_ip_header CF-Connecting-IP;

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        # keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        #       limit_req_zone $binary_remote_addr zone=one:50m rate=90r/s;
        #       limit_conn_zone $binary_remote_addr zone=addr:50m;

        fastcgi_cache_path /usr/share/nginx/fastcgi_cache levels=1:2 keys_zone=phpcache:100m max_size=10g inactive=7d use_temp_path=off;
        fastcgi_cache_key "$scheme$request_method$host$request_uri";
        fastcgi_cache_use_stale error timeout updating invalid_header http_500 http_503;
        #fastcgi_ignore_headers Cache-Control Expires Set-Cookie;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        client_body_buffer_size 128k;
        client_header_buffer_size 1k;
        client_max_body_size 10m;
        large_client_header_buffers 4 4k;
        output_buffers 1 32k;
        postpone_output 1460;
        fastcgi_buffers 16 16k;
        fastcgi_buffer_size 32k;

        client_body_timeout 3m;
        client_header_timeout 3m;
        keepalive_timeout 65s;
        keepalive_requests 100000;
        send_timeout 3m;

        open_file_cache max=10000 inactive=240s;
        open_file_cache_valid 360s;
        open_file_cache_min_uses 5;
        open_file_cache_errors off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;
        gzip_disable "msie6";

        gzip_vary on;
        gzip_proxied expired no-cache no-store private auth;
        gzip_comp_level 4;
        gzip_min_length  1000;
        gzip_buffers 16 8k;
        gzip_http_version 1.1;
        gzip_types
           application/atom+xml
           application/x-javascript
           application/javascript
           application/json
           application/rss+xml
           application/vnd.ms-fontobject
           application/x-font-ttf
           application/x-web-app-manifest+json
           application/xhtml+xml
           application/xml
           font/opentype
           image/svg+xml
           image/x-icon
           text/css
           text/plain
           text/x-component
           text/xml
           text/javascript;

        ##
        # Virtual Host Configs
        ##

        map $http_accept $webp_suffix {
           default "";
           "~*webp" ".webp";
        }

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;

}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

# configuration file /etc/nginx/modules-enabled/50-mod-http-cache-purge.conf:
load_module modules/ngx_http_cache_purge_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip2.conf:
load_module modules/ngx_http_geoip2_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/modules-enabled/70-mod-stream-geoip2.conf:
load_module modules/ngx_stream_geoip2_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/sites-enabled/eter7.com:
map $http_accept $webp_suffix {
    default "";
    "~*webp" ".webp";
}

server {

    listen 80;
    listen [::]:80;
    server_name eter7.com;
    return 301 $scheme://www.eter7.com$request_uri;

}


server {
        listen 443 ssl http2; # managed by Certbot
        listen [::]:443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/eter7.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/eter7.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    server_name www.eter7.com eter7.com;
    root /var/www/eter7.com/;

    index index.php index.html index.htm;

#    fastcgi_hide_header "Set-Cookie";
    fastcgi_hide_header "Expires";
    fastcgi_hide_header "Pragma";
    fastcgi_ignore_headers Cache-Control Expires Set-Cookie;

    set $skip_cache 0;

    # POST requests and urls with a query string should always go to PHP
    if ($request_method = POST) {
        set $skip_cache 1;
    }
    if ($query_string != "") {
        set $skip_cache 1;
    }

    # Don't cache uris containing the following segments
    if ($request_uri ~* "/wp-admin/|/taioba/|/xmlrpc.php|wp-.*.php|^/feed/*|/tag/.*/feed/*|index.php|/.*sitemap.*\.(xml|xsl)") {
        set $skip_cache 1;
    }

    # Don't use the cache for logged in users or recent commenters
    if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
        set $skip_cache 1;
    }

#       location ~* ^/wp-content/.+\.(png|gif|jpe?g)$ {
#               add_header Vary Accept;
#               add_header X-Content-Type-Options "nosniff" always;
#               try_files $uri$webp_suffix $uri =404;
#       }


    location / {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
       # required to be able to read Authorization header in frontend
       # add_header 'Access-Control-Expose-Headers' 'Authorization' always;
       # add_header "Access-Control-Allow-Origin"  *;
        try_files $uri $uri/ /index.php$is_args$args;
        include /etc/nginx/blockips.conf;

        #DESABILITADO PORQUE ESTAVA TRAVANDO A APRESENTAÇÃO DAS IMAGENS WEBP
        #prevent image hotlinking
       # location ~ .(jpe?g|png|gif|ico|webp)$ {
       # valid_referers none blocked eter7.com *.eter7.com eter7.b-cdn.net *.google.com *.google.com.br *.googleusercontent.com *.bing.com;
       # valid_referers *.yahoo.com *.facebook.com *.twitter.com *.pinterest.com *.tumblr.com;
       # valid_referers *.linkedin.com *.youtube.com *.reddit.com *.wordpress.com;
       # valid_referers *.soundcloud.com *.instagram.com *.fbcdn.net fbcdn.net *.twimg.com twimg.com facebook.com twitter.com;
       # if ($invalid_referer) {
       # return 403;
       # }
       # }
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        access_log off;
        log_not_found off;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        include snippets/fastcgi-php.conf;

        fastcgi_cache_bypass $skip_cache;
        fastcgi_no_cache $skip_cache;

        fastcgi_cache phpcache;
        fastcgi_cache_valid 200 301 302 60m;
        fastcgi_cache_use_stale error timeout updating invalid_header http_500 http_503;
        fastcgi_cache_min_uses 1;
        fastcgi_cache_lock on;
        fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
        fastcgi_read_timeout 600;
        fastcgi_send_timeout 600;
        fastcgi_connect_timeout 600;
        add_header X-FastCGI-Cache $upstream_cache_status;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Frame-Options SAMEORIGIN always;
        add_header 'Referrer-Policy' 'no-referrer-when-downgrade';

# Esse add_header content-security estava quebrando o site na troca de servidor
        add_header Content-Security-Policy "Upgrade-Insecure-Requests";
#        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.eter7.com https://pagead2.googlesyndication.com https://adservice.google.com.br https://connect.facebook.net https://googleads.g.doubleclick.net https://www.google-analytics.com https://www.facebook.com https://partner.googleadservices.com https://adservice.google.com.br https://adservice.google.com https://googleads.g.doubleclick.net https://www.googletagservices.com https://www.google.com https://static.addtoany.com https://www.gstatic.com https://tpc.googlesyndication.com https://google.com https://pagead2.googlesyndication.com;";

        # Restrict access to WordPress LOGIN page
        location ~ \wp-login.php$ {
                allow 189.31.213.209;
                deny all;
               # LIMITA A FREQUÊNCIA DE ACESSO CONTRA ATAQUES - VERIFICAR /ETC/NGINX/NGINX.CONF
               # limit_req zone=one burst=1 nodelay;
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
        }

        # Restrict access to WordPress ADMIN dashboard
        location ~ \wp-admin {
                allow 189.31.213.209;
                deny all;
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
        }

        # Restrict access to WordPress wp-config.php page
        location ~* wp-config.php {
                deny all;
        }

        # Restrict access to WordPress XMLRPC.PHP
        location ~ \xmlrpc.php$ {
                allow 189.31.213.209;
                deny all;
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
        }

        # Restrict access to PHPMYADMIN
        location ~* phpmyadmin {
                allow 189.31.213.209;
                deny all;
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
        }

        # Deny access to uploads that aren’t images, videos, music, etc.
        location ~* ^/wp-content/uploads/.*.(html|htm|shtml|php|js|swf)$ {
                deny all;
        }

        #----- include snippets/fastcgi-php.conf;
        #----- fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
     }

    location ~ /purge(/.*) {
        fastcgi_cache_purge phpcache "$scheme$request_method$host$1";
    }

    location ~* ^/wp-content/.+\.(png|gif|jpe?g)$ {
        add_header Vary Accept;
        try_files $uri$webp_suffix $uri =404;
        expires 365d;
       # add_header X-Content-Type-Options "nosniff" always;
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
    }

    # A long browser cache lifetime can speed up repeat visits to your page
    location ~*.(ogg|ogv|svg|svgz|eot|otf|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|woff|woff2|webp)$ {
   # location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
   # location ~* \.(jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$ {
        access_log        off;
        log_not_found     off;
        expires           365d;
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
    }

    location ~*  \.(pdf)$ {
        expires 365d;
        log_not_found off;
        access_log off;
    }

    # disable access to hidden files
    location ~ /\.ht {
        access_log off;
        log_not_found off;
        deny all;
    }

    include /var/www/eter7.com/nginx.conf;

    # redirect server error pages to the static page
    error_page   403  /eter7.com/error403.html;
    location = /eter7.com/error403.html {
        root   /var/www;
    }

}

# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

# configuration file /etc/nginx/blockips.conf:
deny 188.213.49.210;
deny 188.240.208.26;
deny 5.189.140.25;
deny 188.213.49.210;
deny 216.244.66.243;
deny 188.138.41.102;
deny 111.202.100.85;
deny 111.229.246.143;
deny 111.229.81.5;
deny 132.232.109.224;
deny 54.236.231.29;
deny 111.202.100.85;
deny 111.231.198.37;
deny 216.244.66.243;
deny 13.82.139.145;
deny 190.19.93.98;
deny 203.133.168.53;
deny 190.219.129.128;
deny 212.76.127.225;
deny 212.76.127.10;
deny 54.160.232.176;
deny 85.204.246.240;
deny 47.75.177.195;
deny 179.193.50.55;
deny 5.9.104.30;
deny 170.150.3.35;
deny 138.117.62.96;
deny 192.99.15.15;
deny 192.99.34.42;
deny 148.70.239.50;
deny 129.28.39.234;
deny 50.236.19.102;
deny 89.35.39.180;
deny 178.137.82.147;
deny 216.218.191.228;
deny 216.218.141.229;
deny 64.62.210.34;
deny 42.51.34.155;
deny 46.119.174.102;
deny 163.172.110.152;
deny 47.75.186.204;
deny 194.72.238.12;
deny 37.228.250.174;
deny 182.55.245.77;
deny 212.76.127.224;
deny 141.226.232.250;
deny 217.129.242.1;
deny 187.48.165.134;
deny 148.70.7.7;
deny 47.75.76.54;
deny 168.196.201.101;
deny 51.89.175.187;
deny 132.232.2.249;
deny 13.65.100.244;
deny 129.213.64.179;
deny 198.27.80.123;
deny 129.28.61.66;
deny 168.196.155.181;
deny 178.137.135.156;
deny 5.22.128.25;
deny 216.218.191.226;
deny 64.62.210.40;
deny 189.188.3.34;
deny 118.24.19.111;
deny 216.218.191.195;
deny 64.62.158.115;
deny 216.218.141.227;
deny 103.93.57.12;
deny 52.201.174.43;
deny 203.205.141.48;
deny 201.150.121.60;
deny 177.104.197.63;
deny 85.241.126.24;
deny 52.162.211.179;
deny 51.255.76.62;
deny 47.244.113.177;
deny 186.206.26.53;
deny 129.213.67.237;
deny 157.55.87.32;
deny 51.255.76.62;
deny 157.55.87.32;
deny 177.76.229.202;
deny 47.56.227.92;
deny 201.230.37.175;
deny 167.249.72.60;
deny 20.188.204.1;
deny 111.231.194.239;
deny 222.87.198.78;
deny 221.235.184.101;
deny 148.70.93.108;
deny 142.44.251.104;
deny 188.165.239.119;
deny 212.102.33.44;
deny 195.154.207.19;
deny 198.100.145.155;
deny 195.154.174.135;
deny 158.101.14.253;
deny 195.154.104.6;
deny 198.245.61.69;
deny 103.8.12.100;
deny 192.95.30.59;
deny 198.245.61.116;
deny 118.123.6.216;
deny 31.28.162.55;
deny 62.149.29.187;
deny 62.210.188.222;
deny 175.27.165.17;
deny 113.111.80.210;
deny 42.193.36.136;
deny 139.155.172.190;
deny 59.42.123.104;
deny 192.42.116.17;
deny 193.31.24.154;
deny 185.31.175.213;
deny 199.195.252.18;
deny 193.57.40.55;
deny 185.31.175.215;
deny 185.220.102.247;
deny 193.57.40.55;
deny 185.38.175.130;
deny 199.195.252.18;
deny 193.189.100.197;
deny 45.155.204.6;
deny 121.5.70.57;
deny 113.111.80.210;
deny 59.42.123.104;
deny 45.155.204.6;
deny 47.196.106.163;
deny 185.220.102.247;
deny 23.129.64.147;
deny 185.225.68.102;
deny 193.218.118.156;
deny 198.98.62.74;
deny 185.233.100.23;
deny 51.15.235.211;
deny 119.91.77.10;
deny 119.91.80.214;
deny 121.5.70.57;
deny 119.91.87.45;
deny 185.220.102.4;
deny 185.233.100.23;
deny 91.219.237.21;
deny 51.15.235.211;
deny 103.164.113.26;
deny 18.197.106.70;

# configuration file /etc/nginx/fastcgi_params:

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  REMOTE_USER        $remote_user;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

# configuration file /etc/nginx/snippets/fastcgi-php.conf:
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+?\.php)(/.*)$;

# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;

# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;

fastcgi_index index.php;
include fastcgi.conf;

# configuration file /etc/nginx/fastcgi.conf:

fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  REMOTE_USER        $remote_user;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

# configuration file /var/www/eter7.com/nginx.conf:
location = /nginx.conf {
    deny all;
}

Regards,
Tony

MikeMcQ · February 12, 2023, 9:11pm

Will look at that later. Just got called away. Thanks for info

MikeMcQ · February 12, 2023, 9:51pm

@tonyfranco I was just going to ask questions about what other software is running on that system and to check your DNS.

But, HTTP requests to eter7.com are now being redirected.

What did you do to fix that?

tonyfranco · February 12, 2023, 10:00pm

Hi @MikeMcQ,

Here still not working... have you tried http://eter7.com ?

For a moment i think, would it be fixed? hehehe

I have a Linux Ubuntu 22.04, Nginx, MariaDB and PHP8.1, also using nginx fastcgi cache.

Osiris · February 12, 2023, 10:04pm

Looks like you have some kind of redirect loop which keeps prepending www:

osiris@erazer ~ $ curl -LIv http://eter7.com/
*   Trying 216.238.106.248:80...
* Connected to eter7.com (216.238.106.248) port 80 (#0)
> HEAD / HTTP/1.1
> Host: eter7.com
> User-Agent: curl/7.84.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Server: nginx/1.18.0 (Ubuntu)
Server: nginx/1.18.0 (Ubuntu)
< Date: Sun, 12 Feb 2023 22:04:17 GMT
Date: Sun, 12 Feb 2023 22:04:17 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 178
Content-Length: 178
< Connection: keep-alive
Connection: keep-alive
< Location: http://www.eter7.com/
Location: http://www.eter7.com/

< 
* Connection #0 to host eter7.com left intact
* Issue another request to this URL: 'http://www.eter7.com/'
*   Trying 216.238.106.248:80...
* Connected to www.eter7.com (216.238.106.248) port 80 (#1)
> HEAD / HTTP/1.1
> Host: www.eter7.com
> User-Agent: curl/7.84.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Server: nginx/1.18.0 (Ubuntu)
Server: nginx/1.18.0 (Ubuntu)
< Date: Sun, 12 Feb 2023 22:04:18 GMT
Date: Sun, 12 Feb 2023 22:04:18 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 178
Content-Length: 178
< Connection: keep-alive
Connection: keep-alive
< Location: http://www.www.eter7.com/
Location: http://www.www.eter7.com/

< 
* Connection #1 to host www.eter7.com left intact
* Issue another request to this URL: 'http://www.www.eter7.com/'
* getaddrinfo(3) failed for www.www.eter7.com:80
* Could not resolve host: www.www.eter7.com
* Closing connection 2
curl: (6) Could not resolve host: www.www.eter7.com
osiris@erazer ~ $

And it's not redirecting to HTTPS.

This dynamic piece is the issue I think.