
RE: nginx configuration on Debian sanity check?



BTW, I just checked my config and it's basically the same as your newly posted
one.

> How does the ssl configuration look?
I'm not familiar with ssl security configuration so sorry I can't give suggestions

On Sunday, July 16, 2023 12:34 AM, Ming Kuang wrote:
> Hello, back to the mailing list
> 
> For your new configuration, I think the redirection should work fine. If it still
> shows the redirect too many times error, try clearing your browser cache,
> or open an incognito mode browser to verify it.
> 
> In fact I used to do the same thing, the only difference was that I needed
> to redirect from www to no-www.
> 
> On Saturday, July 15, 2023 11:26 PM, David Mehler wrote:
> > Hello,
> >
> > Can I get a sanity check? This is on the redirects.
> >
> > Thanks.
> > Dave.
> >
> > #cat example.com.conf
> > server {
> > listen         80;
> > server_name    example.com www.example.com;
> > access_log off;
> > error_log    off;
> > return         301 https://www.example.com$request_uri;
> > }
> >
> > server {
> > listen              443 ssl http2;
> > server_name         example.com;
> > ssl_certificate     /etc/ssl/example.com/example.com.crt;
> > ssl_certificate_key /etc/ssl/example.com/example.com.key;
> > return 301          https://www.example.com$request_uri;
> > }
> >
> > server {
> > listen              443 ssl http2;
> > server_name         www.example.com;
> > root                /var/www/example.com;
> >
> > ssl_certificate     /etc/ssl/example.com/example.com.crt;
> > ssl_certificate_key /etc/ssl/example.com/example.com.key;
> > ssl_dhparam /etc/ssl/example.com/dhparams.pem;
> > ssl_prefer_server_ciphers on;
> > ssl_session_cache shared:SSL:10m;
> > ssl_session_timeout 10m;
> > ssl_stapling on;
> > ssl_stapling_verify on;
> > ssl_trusted_certificate /etc/ssl/example.com/example.com.fullchain.crt;
> > add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
> > }
> >
> >
> > On 7/15/23, David Mehler <dave.mehler@gmail.com> wrote:
> > > Hello,
> > >
> > > Thanks for your reply. Yah these redirects are not working. The
> > > example.com to www.example.com totally either doesn't work or gives me
> > > the error example.com nginx redirected you too many times.
> > >
> > > I'm still not seeing it, help still appreciated.
> > > How does the ssl configuration look?
> > >
> > > Thanks.
> > > Dave.
> > >
> > >
> > > On 7/15/23, Ming Kuang <ming@imkuang.com> wrote:
> > >> Hi,
> > >>
> > >> If you go to http://example.com, you now need two redirects, maybe each
> > >> redirect could be directed to the final destination?
> > >>
> > >> # Redirect http://example.com port 80 to https://www.example.com port 443
> > >> server {
> > >> listen      80;
> > >> access_log  off;
> > >> error_log   off;
> > >> server_name example.com;
> > >> return      301 https://www.example.com$request_uri;
> > >> }
> > >>
> > >> On Saturday, July 15, 2023 3:21 PM,
> > >> David Mehler <dave.mehler@gmail.com> wrote
> > >>>
> > >>> Hello,
> > >>>
> > >>> Can I get a sanity check on this config? I'm running Debian 12, Nginx
> > >>> 1.24.0, and PHP 8.2.
> > >>>
> > >>> My goal is to have all non-www traffic redirected to the equivalent
> > >>> www, then all that redirected to https, basically no https no www no
> > >>> work. I'd also appreciate an assessment of my ssl ciphers, running
> > >>> protocols 1.2 and 1.3 only and want to ensure I've got the best
> > >>> security setup.
> > >>>
> > >>> Thanks.
> > >>> Dave.
> > >>>
> > >>> #
> > >>> # example.com virtual host configuration
> > >>> #
> > >>> # enforce HTTPS
> > >>> # Redirect www.example.com port 80 to www.example.com port 443
> > >>> server {
> > >>> listen       80;
> > >>> server_name www.example.com;
> > >>> access_log  off;
> > >>> error_log   off;
> > >>> return 301   https://$host$request_uri;
> > >>> }
> > >>>
> > >>> # Redirect https://example.com port 80 to https://example.com port 443
> > >>> server {
> > >>> listen      80;
> > >>> access_log  off;
> > >>> error_log   off;
> > >>> server_name example.com;
> > >>> return         301 https://$server_name$request_uri;
> > >>> }
> > >>>
> > >>> ### redirect https example.com to https www.example.com
> > >>> server {
> > >>> listen 443 ssl http2;
> > >>> server_name example.com;
> > >>> ssl_certificate /etc/ssl/example.com/example.com.fullchain.crt;
> > >>> ssl_certificate_key /etc/ssl/example.com/example.com.key;
> > >>> return 301 https://www.example.com$request_uri;
> > >>> }
> > >>>
> > >>> # The www.example.com https virtual host
> > >>> server {
> > >>> listen       443 ssl http2;
> > >>>
> > >>> server_name www.example.com;
> > >>>
> > >>> access_log  /var/log/nginx/www.example.com_access.log;
> > >>> error_log   /var/log/nginx/www.example.com_error.log;
> > >>>
> > >>> # TLS/SSL CONFIG
> > >>> # RSA certificates (dual config)
> > >>> ssl_certificate /etc/ssl/example.com/example.com.fullchain.crt;
> > >>> ssl_certificate_key /etc/ssl/example.com/example.com.key;
> > >>>
> > >>> # ECC/ECDSA certificates (dual config)
> > >>> ssl_certificate /etc/ssl/example.com/example.com.fullchain.crt.ecc;
> > >>> ssl_certificate_key /etc/ssl/example.com/example.com.key.ecc;
> > >>>
> > >>> # A little bit of optimization
> > >>> #ssl_session_timeout 1d;
> > >>> #ssl_session_cache shared:GoofyPizzaSSL:50m;
> > >>> #ssl_session_tickets off;
> > >>> #ssl_dhparam  /etc/ssl/example.com/dhparams.pem;
> > >>>
> > >>> # TLS version 1.2 and 1.3 only
> > >>> #ssl_protocols TLSv1.2 TLSv1.3;
> > >>> #ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
> > >>> #ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
> > >>> #ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
> > >>> #ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
> > >>> #ssl_prefer_server_ciphers on;
> > >>>
> > >>> # HSTS (ngx_http_headers_module is required)
> > >>> #*************************************************************************
> > >>> # WARNING - Wrong headers can create problems. Read docs otherwise
> > >>> #           all 3rd party scripts/ads won't load and in some case
> > >>> #           browser won't work. Read docs @ https://developer.mozilla.org
> > >>> #*************************************************************************
> > >>> #add_header Strict-Transport-Security "max-age=63072000" always;
> > >>> #add_header X-Content-Type-Options "nosniff" always;
> > >>> #add_header X-Frame-Options "SAMEORIGIN" always;
> > >>> #add_header X-Xss-Protection "1; mode=block" always;
> > >>> #add_header Referrer-Policy  strict-origin-when-cross-origin always;
> > >>> #add_header Feature-policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'" always;
> > >>> #***************************************************************************************************
> > >>> # WARNING: The HTTP Content-Security-Policy response header allows sysadmin/developers
> > >>> # to control resources the user agent is allowed to load for a given page.
> > >>> # Wrong config can create problems for third party scripts/ad networks. Hence read the following url:
> > >>> # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
> > >>> #****************************************************************************************************
> > >>> #add_header content-security-policy "default-src https://www.example.com:443" always;
> > >>> #ssl_stapling on;
> > >>> #ssl_stapling_verify on;
> > >>> # Replace with the IP address of your resolver
> > >>> #resolver 1.1.1.1;
> > >>> #ssl_buffer_size 8k;
> > >>>
> > >>> root /var/www/example.com;
> > >>>
> > >>> index index.php index.html index.nginx-debian.html;
> > >>>
> > >>> location / {
> > >>> try_files $uri $uri/ /index.php?$query_string;
> > >>> }
> > >>>
> > >>> # Directives to send expires headers and turn off 404 error logging.
> > >>> #location ~* ^.+\.(css|js|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
> > >>> #access_log off; log_not_found off; expires max;
> > >>> #}
> > >>>
> > >>> # Pass PHP Scripts To FastCGI Server
> > >>> location ~ \.php$ {
> > >>> fastcgi_split_path_info ^(.+\.php)(/.+)$;
> > >>> fastcgi_pass unix:/run/php/php8.2-fpm.sock; #depends on PHP versions
> > >>> fastcgi_index index.php;
> > >>> fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
> > >>> include fastcgi_params;
> > >>> }
> > >>>
> > >>> # Password-protected directory with autoindex
> > >>> #location /quickdir/ {
> > >>> #auth_basic            "Quickdir Access";
> > >>> #auth_basic_user_file  /var/www/quickdir/htpasswd;
> > >>> #root /var/www/quickdir/;
> > >>> #autoindex on;
> > >>> #}
> > >>> }
> > >>
> > >
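An added example, written here and not by anyone in the thread: a redirect-chain walker for checking what Dave describes, namely that every entry point lands on https://www.example.com/ in one hop, and that no chain loops (a loop is what the browser reports as "redirected you too many times"). The INTENDED and LOOPED tables are constructed stand-ins for the quoted config, not a live server; http_head is the fetcher to pass in against a real host.

```python
from urllib.parse import urljoin
import urllib.error
import urllib.request

class NoFollow(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report 3xx responses instead of following them

def http_head(url):
    """Live fetcher: one HEAD request, returns (status, Location header or None)."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.build_opener(NoFollow).open(req, timeout=10) as r:
            return r.status, None
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")

def walk_redirects(url, fetch, max_hops=10):
    """Follow Location headers; verdict is 'ok', 'loop' or 'too-many-hops'."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in (301, 302, 307, 308) or not location:
            return chain, "ok"
        url = urljoin(url, location)  # Location may be relative
        chain.append(url)
        if url in seen:
            return chain, "loop"
        seen.add(url)
    return chain, "too-many-hops"

# Constructed stand-in for the quoted config (not a live server): every entry
# point should reach https://www.example.com/ in one hop and then get a 200.
INTENDED = {
    "http://example.com/": (301, "https://www.example.com/"),
    "http://www.example.com/": (301, "https://www.example.com/"),
    "https://example.com/": (301, "https://www.example.com/"),
    "https://www.example.com/": (200, None),
}
# Constructed fault: the final vhost itself redirects, producing a loop.
LOOPED = dict(INTENDED, **{"https://www.example.com/": (301, "/")})

def simulated(table):
    return lambda url: table.get(url, (404, None))

def check_entry_points(fetch, final="https://www.example.com/"):
    """Dave's stated goal: every entry point lands on `final` in at most one hop."""
    results = {s: walk_redirects(s, fetch) for s in INTENDED}
    return {s: r for s, r in results.items()
            if r[1] != "ok" or r[0][-1] != final or len(r[0]) > 2}
```

Against a real host, `check_entry_points(http_head)` returns an empty dict when the config behaves as intended; anything it returns is a chain worth reading before clearing the browser cache.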

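Dave also asked for an assessment of the ssl_ciphers lists. As an added example (written here, not by anyone in the thread), this reviews the second, longer list from his config by OpenSSL suite name: an ECDHE-, DHE- or EDH- prefix means ephemeral key exchange (forward secrecy), GCM and CHACHA20 suites are AEAD, a bare -SHA suffix means HMAC-SHA1 over CBC, and DES-CBC3 is 3DES.

```python
# Constructed input: the second ssl_ciphers value quoted in Dave's config.
CIPHERS_FROM_THREAD = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
)

def assess_suite(name):
    """Findings for one OpenSSL suite name; an empty list means no objection."""
    findings = []
    if not name.startswith(("ECDHE-", "DHE-", "EDH-")):
        findings.append("static RSA key exchange, no forward secrecy")
    if "DES-CBC3" in name:
        findings.append("3DES (64-bit block, Sweet32)")
    if not ("GCM" in name or "CHACHA20" in name):
        findings.append("CBC mode, not AEAD")
    if name.endswith("-SHA"):
        findings.append("HMAC-SHA1 MAC")
    return findings

def review_cipher_string(cipher_string):
    """Map every suite in an ssl_ciphers value to its findings, in list order."""
    report = {}
    for token in cipher_string.split(":"):
        if not token or token.startswith("!"):
            continue  # exclusions such as '!DSS' name no suite to assess
        report[token] = assess_suite(token)
    return report

def weak_suites(cipher_string):
    """Suites a hardening review would drop, in the order they appear."""
    return [n for n, f in review_cipher_string(cipher_string).items() if f]

if __name__ == "__main__":
    for suite, findings in review_cipher_string(CIPHERS_FROM_THREAD).items():
        print(f"{suite:32s} {'; '.join(findings) or 'ok'}")
```

Only the first eight suites of that list pass; the first, shorter list in the config keeps forward secrecy throughout but still ends in four CBC suites.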