Score:0

Misconfigured Nginx?


When I browse to my WordPress website, it automatically redirects to HTTPS.

However, I am getting a large TTFB and I believe it may be due to a basic configuration error.

At the moment I have the following config (HTTPS still somehow works, which I don't understand):

```nginx
server {
    listen 8080;
    listen [::]:8080;

    port_in_redirect off;
    absolute_redirect off;
...
```

If I make the following update:

```nginx
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    port_in_redirect off;
    absolute_redirect off;
```

The site is no longer accessible.

How is SSL working when the server is listening on 8080 in the first place? I don't have any 301 in my config.

EDIT: Full config - this version below somehow redirects all traffic correctly to https://

```nginx
server {
    listen 8080;
    listen [::]:8080;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    large_client_header_buffers 4 64k;
    proxy_max_temp_file_size 0;

    root /home/site/wwwroot;
    index  index.php index.html index.htm;
    server_name  domain.co.uk www.domain.co.uk;

    access_log off;
    error_log  off;

    port_in_redirect off;
    absolute_redirect off;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /html/;
    }

    gzip on;

    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types image/svg+xml image/x-icon text/plain text/html text/xml text/css text/javascript application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript application/x-font-ttf application/vnd.ms-fontobject font/opentype font/ttf font/eot font/otf image/vnd.microsoft.icon;

    location ~* \.(eot|ttf|woff|woff2|webmanifest)$ {
       add_header Access-Control-Allow-Origin *;
    }

    location ~* \.(css|js|ico|gif|jpeg|jpg|webp|png|svg|eot|otf|woff|woff2|ttf|ogg)$ {
       expires max;
    }

    location ~ [^/]\.php(/|$) {

        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
        fastcgi_pass 127.0.0.1:9000;
        include fastcgi_params;
        fastcgi_param HTTP_PROXY "";
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_intercept_errors on;
        fastcgi_connect_timeout         300;
        fastcgi_send_timeout           3600;
        fastcgi_read_timeout           3600;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;
    }
}
```

Nikita Kipriyanov
The first case doesn't mention `ssl`, so at most it was working in plain text mode. For the second case to work, you also need to specify the private key and certificate chain (there is no indication in the post that you have them). And please show the Nginx messages during startup and the `ss -lnpt` output after startup (if it's successful) in the second case.
Please add output of `nginx -T` to the question so we can see the full nginx configuration.
Score:0

On port 8080 it was working without SSL, in plain text. To add SSL, it is not enough to just change `listen 8080` into `listen 443 ssl`. You also need to add, at a minimum, the lines which specify the certificate chain and the server private key:

```nginx
listen [::]:443 ssl;
listen 443 ssl;
ssl_certificate /path/to/fullchain.pem;
ssl_certificate_key /path/to/privkey.pem;
```

The full chain is a simple concatenation of all certificates in PEM form (text files with Base64-encoded data inside): the first certificate is your server's, corresponding to the private key, then its immediate issuer CA, and so on, up to but not including the root CA.

If there are several names in the certificate (modern certificates always use subjectAlternativeNames, which permits specifying more than a single domain name), it's up to you to specify them in the `server_name` option. You may only specify server names which exist in the SAN field of the certificate, but you aren't required to use all of them. (If you specify anything other than what exists in the SAN field, your clients will see an SSL certificate error saying that the certificate doesn't belong to the domain when they access your server by that name.) In your case, the certificate must be valid at least for both domain.co.uk and www.domain.co.uk.

See the Nginx HTTPS manual for details. If you use certbot (an ACME client) with the nginx installer plugin to obtain a certificate, it will configure everything automatically. If you are obtaining certificates "by hand", you have to add these configuration options by hand too.
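A check for the mistake this answer describes, as an added example that is not part of the original answer or of Nginx itself: it reports every `server` block whose `listen` uses `ssl` but which sets no `ssl_certificate` or `ssl_certificate_key`, together with the `server_name` values the certificate's SAN field has to cover. The sample config and the function names are constructed, and the check assumes certificates are configured per `server` block rather than inherited from `http`.

```python
import re

# Constructed sample: the question's second attempt, then the answer's fix.
SAMPLE = """
server {
    listen 443 ssl;
    listen [::]:443 ssl;          # no certificate or key configured
    server_name domain.co.uk www.domain.co.uk;
    location / { try_files $uri $uri/ /index.php$is_args$args; }
}
server {
    listen 443 ssl;
    server_name fixed.example;
    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
}
server { listen 8080; server_name plain.example; }
"""

TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')

def server_blocks(conf):
    """Return, per server { } block, the directives written directly in it."""
    # Simplification: '#' always starts a comment (never appears in quoted values).
    tokens = TOKEN.findall(re.sub(r"(?m)#.*$", "", conf))
    blocks, stack, directive = [], [], []
    for tok in tokens:
        if tok == "{":
            stack.append(directive[0] if directive else "")
            if stack[-1] == "server":
                blocks.append([])
        elif tok == ";" and directive and stack and stack[-1] == "server":
            blocks[-1].append(directive)       # nested location { } is skipped
        elif tok == "}" and stack:
            stack.pop()
        directive = [] if tok in ("{", "}", ";") else directive + [tok]
    return blocks

def audit(conf):
    """List server blocks that listen with ssl but lack a certificate or key."""
    findings = []
    for block in server_blocks(conf):
        names = [a for d in block if d[0] == "server_name" for a in d[1:]]
        tls = [" ".join(d[1:]) for d in block if d[0] == "listen" and "ssl" in d[2:]]
        have = {d[0] for d in block}
        missing = [k for k in ("ssl_certificate", "ssl_certificate_key") if k not in have]
        if tls and missing:
            findings.append({"server_name": names, "listen": tls, "missing": missing})
    return findings
```

Calling `audit()` on the output of `nginx -T` covers every included file in one pass.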
