Nginx SSL server block not to force HTTPS

Hello WPMUDEV,

I know this is a bit outside WPMUDEV related. I have my domain mapping plugin not forcing HTTPS redirect, but my nginx server block does. If anybody has any experience and can help me write my server block properly, that would be amazing.

Is it possible to NOT force HTTPS? I have a WordPress Multisite setup and I'm attempting to perform domain mapping that will allow me to have HTTPS and non-SSL sites running from the same IP. My current SSL setup works, but every time I add a domain I'm required to create an SSL certificate for my project... what if I want to have a regular HTTP site instead?

So while my domain mapping plugin from WPMUDev has HTTPS forcing OFF, my server block does the opposite.

My port 80 server block looks like this:

server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}

If I remove the 301 redirect from the server block, then all non-SSL requests just redirect to example.com instead of the appropriate domain.

Any help would be appreciated.

  • Adam Czajczyk

    Hello OnlineBDesign,

    I hope you're well today and thank you for your question!

    I'm not an nginx expert but let me try :slight_smile:

    It looks like you are currently forcing the HTTPS redirect at the webserver level, which is fine, but only if you are sure that all the traffic will be served via an HTTPS connection and you are able to provide a valid SSL certificate for that.

    The steps that you already tried seem to be heading in the right direction. If you remove the

    return 301 https://$server_name$request_uri;

    line, you'll stop forcing that redirect. You will however also need to tweak that configuration, because currently you only create a "server block" that works this way:

    - it listens to all the traffic that comes to it via port 80
    - it works only for example.com domain
    - with "redirect line" active it then returns original request with only protocol prefix changed to https but if there's no redirect line it just serves what it's set to serve: the example.com domain.

    What you could try would be to remove the "redirect" line entirely and then either:

    - list all the domains (including mapped ones) in the "server_name" line like this:

    server_name example.com www.example.com domain.com anotherdomain.com;

    - or you can try to set up a "catch all" server, which is created by specifying a "non-existent" domain name like this:

    server {
        listen 80 default_server;
        server_name _;
    }

    Take a look here and at the linked articles for more information on this:

    http://nginx.org/en/docs/http/server_names.html

    Once you get that working, you will probably want to create a similar server block for port "443", which is the port used for SSL traffic. That way your site should respond to both "http://" and "https://" calls with no redirects.

    Then, you could use either the Domain Mapping built-in options or .htaccess or both to force the SSL redirect where necessary.

    Please note: before making any suggested changes, please make a backup of your current nginx configuration file. I'm not an expert in that field, and even though I did use nginx for quite some time on production servers that I managed, it was a really long time ago (years back!), so I'm not that confident with it now :slight_smile:

    Best regards,
    Adam
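
The two-block layout described in the reply above (a port 80 catch-all that serves mapped domains over plain HTTP with no redirect, plus a separate port 443 block for the names the certificate covers), written out as an added example; this is not code from the thread, from WPMUDEV, or from the nginx project. Domain names, document root and certificate paths are placeholders, PHP FastCGI handling is omitted as it is in the thread, and it assumes an nginx new enough for the `always` flag of add_header and for TLS 1.3.

```nginx
# Plain HTTP catch-all: serves every mapped domain that has no certificate.
# There is deliberately no "return 301" here, so HTTP-only sites stay on HTTP.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    root /var/www/html/wordpress;
    index index.php index.html index.htm;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    # Keep ACME HTTP-01 challenges reachable so a certificate can be issued
    # later for any mapped domain that should move to HTTPS.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }
}

# HTTPS: list only the names the certificate actually covers, so a browser
# never sees a certificate name mismatch for an HTTP-only mapped domain.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name maindomain.com www.maindomain.com;

    root /var/www/html/wordpress;
    index index.php index.html index.htm;

    ssl_certificate         /etc/letsencrypt/live/maindomain.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/maindomain.com/privkey.pem;
    # chain.pem is needed for ssl_stapling_verify to validate the OCSP response.
    ssl_trusted_certificate /etc/letsencrypt/live/maindomain.com/chain.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;

    # HSTS goes only in the TLS block: browsers ignore it over plain HTTP, and
    # emitting it for a name you still want reachable over HTTP would pin that
    # name to HTTPS for max-age seconds.
    add_header Strict-Transport-Security "max-age=15768000" always;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

Run `nginx -t` after editing and check each mapped domain with `curl -I http://<domain>/` to confirm it answers 200 rather than 301.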

  • OnlineBDesign

    Thanks for responding

    I got it working and my virtualhost file ended up looking like this:

    server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;

        listen 443 ssl;

        root /var/www/html/wordpress;
        index index.php index.html index.htm;

        server_name maindomain.com www.maindomain.com *.maindomain.com;
        ssl_certificate /etc/letsencrypt/live/maindomain.com-0001/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/maindomain.com-0001/privkey.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-S$';
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_stapling on;
        ssl_stapling_verify on;
        add_header Strict-Transport-Security max-age=15768000;
        location / {
            try_files $uri $uri/ /index.php?$args;
        }
        location ~ /favicon.ico {
            access_log off;
            log_not_found off;
        }
        location ~ /.well-known {
            allow all;
        }
    }
