Hello, back to the mailing list

For your new configuration, I think the redirection should work fine. If it still shows the redirect too many times error, try clearing your browser cache, or open an incognito mode browser to verify it. In fact I used to do the same thing, the only difference was that I needed to redirect from www to no-www.

On Saturday, July 15, 2023 11:26 PM, David Mehler wrote:
> Hello,
>
> Can I get a sanity check? This is on the redirects.
>
> Thanks.
> Dave.
>
> #cat example.com.conf
> server {
>     listen 80;
>     server_name example.com www.example.com;
>     access_log off;
>     error_log off;
>     return 301 https://www.example.com$request_uri;
> }
>
> server {
>     listen 443 ssl http2;
>     server_name example.com;
>     ssl_certificate /etc/ssl/example.com/example.com.crt;
>     ssl_certificate_key /etc/ssl/example.com/example.com.key;
>     return 301 https://www.example.com$request_uri;
> }
>
> server {
>     listen 443 ssl http2;
>     server_name www.example.com;
>     root /var/www/example.com;
>
>     ssl_certificate /etc/ssl/example.com/example.com.crt;
>     ssl_certificate_key /etc/ssl/example.com/example.com.key;
>     ssl_dhparam /etc/ssl/example.com/dhparams.pem;
>     ssl_prefer_server_ciphers on;
>     ssl_session_cache shared:SSL:10m;
>     ssl_session_timeout 10m;
>     ssl_stapling on;
>     ssl_stapling_verify on;
>     ssl_trusted_certificate /etc/ssl/example.com/example.com.fullchain.crt;
>     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
> }
>
>
> On 7/15/23, David Mehler <dave.mehler@gmail.com> wrote:
> > Hello,
> >
> > Thanks for your reply. Yah these redirects are not working. The
> > example.com to www.example.com totally either doesn't work or gives me
> > the error example.com nginx redirected you too many times.
> >
> > I'm still not seeing it, help still appreciated.
> > How does the ssl configuration look?
> >
> > Thanks.
> > Dave.
> >
> > On 7/15/23, Ming Kuang <ming@imkuang.com> wrote:
> >> Hi,
> >>
> >> If you go to http://example.com, you now need two redirects, maybe each
> >> redirect could be directed to the final destination?
> >>
> >> # Redirect http://example.com port 80 to https://www.example.com port 443
> >> server {
> >>     listen 80;
> >>     access_log off;
> >>     error_log off;
> >>     server_name example.com;
> >>     return 301 https://www.example.com$request_uri;
> >> }
> >>
> >> On Saturday, July 15, 2023 3:21 PM, David Mehler <dave.mehler@gmail.com> wrote:
> >>>
> >>> Hello,
> >>>
> >>> Can I get a sanity check on this config? I'm running Debian 12, Nginx
> >>> 1.24.0, and PHP 8.2.
> >>>
> >>> My goal is to have all non-www traffic redirected to the equivalent
> >>> www, then all that redirected to https, basically no https no www no
> >>> work. I'd also appreciate an assessment of my ssl ciphers, running
> >>> protocols 1.2 and 1.3 only and want to ensure I've got the best
> >>> security setup.
> >>>
> >>> Thanks.
> >>> Dave.
> >>>
> >>> #
> >>> # example.com virtual host configuration
> >>> #
> >>> # enforce HTTPS
> >>> # Redirect www.example.com port 80 to www.example.com port 443
> >>> server {
> >>>     listen 80;
> >>>     server_name www.example.com;
> >>>     access_log off;
> >>>     error_log off;
> >>>     return 301 https://$host$request_uri;
> >>> }
> >>>
> >>> # Redirect http://example.com port 80 to https://example.com port 443
> >>> server {
> >>>     listen 80;
> >>>     access_log off;
> >>>     error_log off;
> >>>     server_name example.com;
> >>>     return 301 https://$server_name$request_uri;
> >>> }
> >>>
> >>> ### redirect https example.com to https www.example.com
> >>> server {
> >>>     listen 443 ssl http2;
> >>>     server_name example.com;
> >>>     ssl_certificate /etc/ssl/example.com/example.com.fullchain.crt;
> >>>     ssl_certificate_key /etc/ssl/example.com/example.com.key;
> >>>     return 301 https://www.example.com$request_uri;
> >>> }
> >>>
> >>> # The www.example.com https virtual host
> >>> server {
> >>>     listen 443 ssl http2;
> >>>
> >>>     server_name www.example.com;
> >>>
> >>>     access_log /var/log/nginx/www.example.com_access.log;
> >>>     error_log /var/log/nginx/www.example.com_error.log;
> >>>
> >>>     # TLS/SSL CONFIG
> >>>     # RSA certificates (dual config)
> >>>     ssl_certificate /etc/ssl/example.com/example.com.fullchain.crt;
> >>>     ssl_certificate_key /etc/ssl/example.com/example.com.key;
> >>>
> >>>     # ECC/ECDSA certificates (dual config)
> >>>     ssl_certificate /etc/ssl/example.com/example.com.fullchain.crt.ecc;
> >>>     ssl_certificate_key /etc/ssl/example.com/example.com.key.ecc;
> >>>
> >>>     # A little bit of optimization
> >>>     #ssl_session_timeout 1d;
> >>>     #ssl_session_cache shared:GoofyPizzaSSL:50m;
> >>>     #ssl_session_tickets off;
> >>>     #ssl_dhparam /etc/ssl/example.com/dhparams.pem;
> >>>
> >>>     # TLS version 1.2 and 1.3 only
> >>>     #ssl_protocols TLSv1.2 TLSv1.3;
> >>>     #ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
> >>>     #ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
> >>>     #ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
> >>>     #ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
> >>>     #ssl_prefer_server_ciphers on;
> >>>
> >>>     # HSTS (ngx_http_headers_module is required)
> >>>     # *************************************************************************
> >>>     # WARNING - Wrong headers can create problems. Read docs otherwise
> >>>     # all 3rd party scripts/ads won't load and in some case
> >>>     # browser won't work. Read docs @ https://developer.mozilla.org
> >>>     # *************************************************************************
> >>>     #add_header Strict-Transport-Security "max-age=63072000" always;
> >>>     #add_header X-Content-Type-Options "nosniff" always;
> >>>     #add_header X-Frame-Options "SAMEORIGIN" always;
> >>>     #add_header X-Xss-Protection "1; mode=block" always;
> >>>     #add_header Referrer-Policy strict-origin-when-cross-origin always;
> >>>     #add_header Feature-policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'" always;
> >>>     # ***************************************************************************************************
> >>>     # WARNING: The HTTP Content-Security-Policy response header allows sysadmin/developers
> >>>     # to control resources the user agent is allowed to load for a given page.
> >>>     # Wrong config can create problems for third party scripts/ad networks. Hence read the following url:
> >>>     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
> >>>     # ****************************************************************************************************
> >>>     #add_header content-security-policy "default-src https://www.example.com:443" always;
> >>>     #ssl_stapling on;
> >>>     #ssl_stapling_verify on;
> >>>     # Replace with the IP address of your resolver
> >>>     #resolver 1.1.1.1;
> >>>     #ssl_buffer_size 8k;
> >>>
> >>>     root /var/www/example.com;
> >>>
> >>>     index index.php index.html index.nginx-debian.html;
> >>>
> >>>     location / {
> >>>         try_files $uri $uri/ /index.php?$query_string;
> >>>     }
> >>>
> >>>     # Directives to send expires headers and turn off 404 error logging.
> >>>     #location ~* ^.+\.(css|js|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
> >>>     #    access_log off; log_not_found off; expires max;
> >>>     #}
> >>>
> >>>     # Pass PHP Scripts To FastCGI Server
> >>>     location ~ \.php$ {
> >>>         fastcgi_split_path_info ^(.+\.php)(/.+)$;
> >>>         fastcgi_pass unix:/run/php/php8.2-fpm.sock; #depends on PHP versions
> >>>         fastcgi_index index.php;
> >>>         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
> >>>         include fastcgi_params;
> >>>     }
> >>>
> >>>     # Password-protected directory with autoindex
> >>>     #location /quickdir/ {
> >>>     #    auth_basic "Quickdir Access";
> >>>     #    auth_basic_user_file /var/www/quickdir/htpasswd;
> >>>     #    root /var/www/quickdir/;
> >>>     #    autoindex on;
> >>>     #}
> >>> }
> >>
> >
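As an added example that is not from the thread or from nginx itself: a small Python simulator that walks the 301 chain Dave's server blocks produce for a given URL, showing that his first config needs two hops for http://example.com (Ming's point), that the revised one needs a single hop, and how a pair of hosts redirecting to each other produces the loop a browser reports as "redirected you too many times". It understands only `listen`, `server_name` and `return 301` with `$host`, `$server_name` and `$request_uri`, and assumes the modelled blocks contain no nested `location` blocks; the three configs below are constructed models, not Dave's files.

```python
import re
from urllib.parse import urlsplit

# Constructed models of the thread's server blocks, reduced to the directives that decide redirects.
OLD_CONF = """
server { listen 80; server_name www.example.com; return 301 https://$host$request_uri; }
server { listen 80; server_name example.com; return 301 https://$server_name$request_uri; }
server { listen 443 ssl http2; server_name example.com; return 301 https://www.example.com$request_uri; }
server { listen 443 ssl http2; server_name www.example.com; root /var/www/example.com; }
"""
NEW_CONF = """
server { listen 80; server_name example.com www.example.com; return 301 https://www.example.com$request_uri; }
server { listen 443 ssl http2; server_name example.com; return 301 https://www.example.com$request_uri; }
server { listen 443 ssl http2; server_name www.example.com; root /var/www/example.com; }
"""
# Constructed misconfiguration: the two HTTPS hosts redirect to each other.
LOOP_CONF = """
server { listen 443 ssl http2; server_name example.com; return 301 https://www.example.com$request_uri; }
server { listen 443 ssl http2; server_name www.example.com; return 301 https://example.com$request_uri; }
"""

def parse_blocks(conf):
    """Return (port, [server_names], redirect target or None) for each non-nested server block."""
    blocks = []
    for body in re.findall(r"server\s*\{(.*?)\}", conf, re.S):
        port = int(re.search(r"listen\s+(\d+)", body).group(1))
        names = re.search(r"server_name\s+([^;]+);", body).group(1).split()
        ret = re.search(r"return\s+301\s+([^;]+);", body)
        blocks.append((port, names, ret.group(1).strip() if ret else None))
    return blocks

def follow(conf, url, max_hops=10):
    """Return every URL a client visits; raise RuntimeError on a loop, too many hops, or no matching block."""
    blocks = parse_blocks(conf)
    chain = [url]
    while len(chain) <= max_hops:
        u = urlsplit(chain[-1])
        port = u.port or (443 if u.scheme == "https" else 80)
        match = next((b for b in blocks if b[0] == port and u.hostname in b[1]), None)
        if match is None:
            raise RuntimeError(f"no server block for {chain[-1]}")
        names, target = match[1], match[2]
        if target is None:
            return chain  # this block serves content, so the chain ends here
        # Expand the three nginx variables the posted configs use in their return targets.
        request_uri = (u.path or "/") + (f"?{u.query}" if u.query else "")
        nxt = target.replace("$request_uri", request_uri).replace("$server_name", names[0]).replace("$host", u.hostname)
        if nxt in chain:
            raise RuntimeError("redirect loop: " + " -> ".join(chain + [nxt]))
        chain.append(nxt)
    raise RuntimeError("too many redirects")
```

Against a live server, `curl -sIL http://example.com` prints the real Location chain for comparison with the simulated one.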