Redirect non-www to www over SSL with Nginx

nginx https ssl ssl-certificate

I'm having an error when trying to redirect https://example.com to https://www.example.com.

When I go to https://example.com, it doesn't redirect and returns the page/200 status.

I don't want this, I want it to redirect to https://www.example.com.

When I go to http://example.com, it redirects to https://www.example.com

Can somebody tell me where I am going wrong?

This is my default and default-ssl configuration files:

default.conf

server {
    listen 80;
    server_name example.com;
    return 301 https://www.example.com$request_uri;
}

default-ssl.conf

upstream app_server_ssl {
    server unix:/tmp/unicorn.sock fail_timeout=0;
}

server {
    server_name example.com;
    return 301 https://www.example.com$request_uri
}
server {
    server_name www.example.com;

    listen 443;
    root /home/app/myproject/current/public;
    index index.html index.htm;

    error_log /srv/www/example.com/logs/error.log info;
    access_log /srv/www/example.com/logs/access.log combined;

    ssl on;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /srv/www/example.com/keys/ssl.crt;
    ssl_certificate_key /srv/www/example.com/keys/www.example.com.key;
    ssl_ciphers AES128-SHA:RC4-MD5:ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:RSA+3DES:!ADH:!AECDH:!MD5:AES128-SHA;
    ssl_prefer_server_ciphers on;

    client_max_body_size 20M;


    try_files $uri/index.html $uri.html $uri @app;


    # CVE-2013-2028 http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html
    if ($http_transfer_encoding ~* chunked) {
            return 444;
        }

    location @app {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://app_server_ssl;
    }

    error_page 500 502 503 504 /500.html;

    location = /500.html {
        root /home/app/example/current/public;
    }
}

You are missing listen directive in file default-ssl.conf. Add listen 443; in this directive

server {
    server_name example.com;
    return 301 https://www.example.com$request_uri;
}

By default, if you omit this directive, nginx assume that you want listen on port 80. Here the documentation of this default behavior.

Edit: Thanks for comment from @TeroKilkanen.

Here the complete config for your default-ssl.conf

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /srv/www/example.com/keys/ssl.crt;
    ssl_certificate_key /srv/www/example.com/keys/www.example.com.key;
    return 301 https://www.example.com$request_uri;
}

Sidenote: You can replace ssl on; directive with listen 443 ssl; as recommendation from nginx documentation.


Just throw in an if statement and you should be on your way. I checked the results in curl.exe -I and all cases besides https://www.example.com get treated as 301. SSL is tricky because it gets checked before you get 301 URL redirection. Hence, you get certificate errors.

Personally, I like removing the www's from the domain but I wrote my code below to answer your question.

server {
listen 443 ssl;
listen [::]:443 ssl; # IPV6

server_name example.com www.example.com; # List all variations here

# If the domain is https://example.com, lets fix it!

if ($host = 'example.com') {
  return 301 https://www.example.com$request_uri;
}

# If the domain is https://www.example.com, it's OK! No changes necessary!

... # SSL .pem stuff
...
}

server {
  listen 80;
  listen [::]:80;

  # If the domain is http://example.com or http://www.example.com, then let's change it to https!

  server_name example.com www.example.com;
  return 301 https://www.example.com$request_uri;
}

The way I do it is to use an if statement inside the ssl server block that redirects to https of www

ssl_certificate /srv/www/example.com/keys/ssl.crt;
ssl_certificate_key /srv/www/example.com/keys/www.example.com.key;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers AES128-SHA:RC4-MD5:ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:RSA+3DES:!ADH:!AECDH:!MD5:AES128-SHA;
ssl_prefer_server_ciphers on;
client_max_body_size 20M;

upstream app_server_ssl {
    server unix:/tmp/unicorn.sock fail_timeout=0;
}

server {
    server_name example.com;
    return 301 https://www.example.com$request_uri
}

server {
    listen 443 default_server ssl;
    server_name www.example.com;

    # redirect https://example.com to https://www.example.com
    # mainly for SEO purposes etc
    #we will use a variable to do that
    set $redirect_var 0;

    if ($host = 'example.com') {
      set $redirect_var 1;
    }
    if ($host = 'www.example.com') {
      set $redirect_var 1;
    }

    if ($redirect_var = 1) {
      return 301 https://www.example.com$request_uri;
    } 

    try_files $uri/index.html $uri.html $uri @app;

    # CVE-2013-2028 http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html
    if ($http_transfer_encoding ~* chunked) {
            return 444;
        }

    location @app {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://app_server_ssl;
    }

    error_page 500 502 503 504 /500.html;

    location = /500.html {
        root /home/app/example/current/public;
    }
}

Of course, whenever you want to use an if statement in an nginx config file; you should have read: https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/

Related

Is Configuration Management useable for a small number of servers?
LVM Performance overhead?
rsync 'cannot delete non-empty directory' errors, even with --force option
How to install mod_headers
ssh-copy-id specifying which key and without password
Is it a Best Industry practice to restart web servers periodically? [closed]
How to zip files with a size limit?
LV Status: Not available. How to make it available?
How can I handle spaces in file names when using xargs on find results?
Find out who disabled a Windows service
How do I determine the size of my SQL Server database?
Restart SSH on a machine where SSH is the only mode of access