Nginx https Redirect Loop, Not Using Port 443

Tags: centos, nginx, redirect, ssl

I have an Nginx web server running on a CentOS 7 VM with the default site disabled and two server blocks within /etc/nginx/conf.d/mysite.conf.

/etc/nginx/conf.d/mysite.conf

server {
    listen 443 ssl;
    server_name community.mysite.com;

    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'AES128+EECDH:AES128+EDH';
    ssl_certificate /media/www/mysite_com/community_cert/community_mysite_com.crt;
    ssl_certificate_key /media/www/mysite_com/community_cert/community_mysite_com.key;

    add_header Strict-Transport-Security "max-age=31536000";

    access_log  /media/www/community_mysite_com/requests.log main;
    location / {
       #This proxy forwards to a NodeBB Installation running on Node.JS
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto $scheme;
       proxy_set_header Host $http_host;
       proxy_set_header X-NginX-Proxy true;
       proxy_pass http://127.0.0.1:4567;
       proxy_redirect off;

       proxy_http_version 1.1;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "upgrade";
    }
}
server {
    listen 80;
    server_name community.mysite.com;
    return 301 https://$host$request_uri;
}

/etc/nginx/nginx.conf

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;
    server_tokens       off;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    include /etc/nginx/conf.d/*.conf;

}

The goal here is that non-HTTPS requests are redirected to HTTPS. The issue seems to be that HTTPS requests are being received on port 80. I believe this to be true because:

  1. All https page requests result in an infinite loop.
  2. netstat shows no established connections on port 443.
  3. netstat shows established connections on port 80.

I have the http and https services allowed in iptables. Ports 443 and 80 are allowed in firewalld. Ports 443 and 80 are forwarded within the network firewall as well.

netstat outputs:

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4128/nginx: master
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4128/nginx: master
tcp        0      0 192.168.1.53:80         111.231.123.11:10471    ESTABLISHED 4129/nginx: worker
tcp        0      0 192.168.1.53:80         111.231.123.11:10116    ESTABLISHED 4129/nginx: worker
tcp        0      0 192.168.1.53:80         111.231.123.11:29768    ESTABLISHED 4129/nginx: worker
tcp        0      0 192.168.1.53:80         111.231.123.11:36415    ESTABLISHED 4129/nginx: worker
tcp        0      0 192.168.1.53:80         111.231.123.11:11619    ESTABLISHED 4129/nginx: worker
tcp        0      0 192.168.1.53:80         111.231.123.11:33847    ESTABLISHED 4129/nginx: worker

iptables output:

ACCEPT     udp  --  anywhere             anywhere             udp dpt:netbios-ns ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:netbios-dgm ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:tram ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:http ctstate NEW

firewalld public zone:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: dhcpv6-client http https samba ssh
  ports: 443/tcp 80/tcp 4567/tcp 80/udp
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

How would I go about debugging why Nginx seems to be receiving port 443 requests on port 80? Is there something I may have missed?

I've disabled the reverse proxy by removing it from the server block and it still does the same thing. I've tried multiple web browsers. I've tried clearing the cache in Chrome. I've rebooted the VM.

https://community.mysite.com -> Redirect loop.
http://community.mysite.com -> Redirects to https://community.mysite.com -> Redirect loop.
https://community.mysite.com:443 -> Redirect loop.

EDIT:

I've installed a different web server, which has the exact same result. My guess is this is either CentOS or ESXi related.
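The netstat listing above already contains the clue: port 443 is listening but idle, and every established connection is on port 80 and comes from one remote host with varying source ports. That pattern is what a TLS-terminating proxy or CDN in front of the origin looks like, not what a population of browsers looks like. The following is an added diagnostic script, not part of the original question; the NETSTAT text is a constructed copy of the output posted above, and the verdict strings are this example's own naming.

```python
"""Summarise netstat output to see where nginx connections actually land.

Added example, not part of the original question. NETSTAT is a constructed
copy of the output shown in the question, remote address as posted.
"""
from collections import Counter

NETSTAT = """\
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4128/nginx: master
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4128/nginx: master
tcp        0      0 192.168.1.53:80         111.231.123.11:10471    ESTABLISHED 4129/nginx: worker
tcp        0      0 192.168.1.53:80         111.231.123.11:10116    ESTABLISHED 4129/nginx: worker
tcp        0      0 192.168.1.53:80         111.231.123.11:29768    ESTABLISHED 4129/nginx: worker
tcp        0      0 192.168.1.53:80         111.231.123.11:36415    ESTABLISHED 4129/nginx: worker
tcp        0      0 192.168.1.53:80         111.231.123.11:11619    ESTABLISHED 4129/nginx: worker
tcp        0      0 192.168.1.53:80         111.231.123.11:33847    ESTABLISHED 4129/nginx: worker
"""


def parse_netstat(text):
    """Return (local_port, remote_host, state) for each TCP socket line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp":
            continue  # skip headers, udp, unix sockets
        local, remote, state = parts[3], parts[4], parts[5]
        local_port = int(local.rsplit(":", 1)[1])
        remote_host = remote.rsplit(":", 1)[0]
        rows.append((local_port, remote_host, state))
    return rows


def summarise(rows):
    """Count listeners and established connections per local port / remote host."""
    listening = sorted({p for p, _, s in rows if s == "LISTEN"})
    established = [(p, h) for p, h, s in rows if s == "ESTABLISHED"]
    by_port = Counter(p for p, _ in established)
    by_remote = Counter(h for _, h in established)
    return {
        "listening": listening,
        "established_by_port": dict(by_port),
        "established_by_remote": dict(by_remote),
        # A proxy or CDN in front of the origin shows up as every connection
        # arriving from the same remote host rather than from many clients.
        "single_upstream": len(by_remote) == 1 and len(established) > 1,
    }


def diagnose(text):
    """Map the summary to a short verdict (names are this example's own)."""
    s = summarise(parse_netstat(text))
    idle_443 = 443 in s["listening"] and s["established_by_port"].get(443, 0) == 0
    busy_80 = s["established_by_port"].get(80, 0) > 0
    if idle_443 and busy_80 and s["single_upstream"]:
        # TLS is being terminated somewhere upstream and replayed as plain HTTP.
        return "tls terminated upstream"
    if idle_443 and busy_80:
        return "clients arriving over http"
    return "no anomaly"


if __name__ == "__main__":
    print(summarise(parse_netstat(NETSTAT)))
    print(diagnose(NETSTAT))
```

On a live host the same check is `ss -tnp '( sport = :80 or sport = :443 )'` piped into this parser; if one remote address owns all of the :80 connections, look at what sits in front of the origin (DNS and CDN settings) before touching iptables or firewalld, which only decide whether packets reach nginx, not which port a proxy chooses to talk to.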

Best Answer

After a day and a half of searching, I found this issue to not be caused by my internal network, nor to be caused by any OS.

I completely forgot I had my DNS routed through CloudFlare which was set to "Flexible" mode for SSL. Setting this to "Full" or "Full (Strict)" fixed this issue.
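Why "Flexible" loops and "Full" does not: in Flexible mode Cloudflare terminates the visitor's TLS at its edge and always connects to the origin over plain HTTP on port 80, so the origin's port-80 block answers every request with a 301 back to https://, the edge fetches that over port 80 again, and so on. In Full and Full (Strict) the edge connects to the origin over HTTPS on port 443 (Strict additionally validates the origin certificate), so the redirect block is only hit for genuinely plain-HTTP visitors. The model below is an added example, not part of the answer or of Cloudflare's software: it re-implements the two posted server blocks in Python and pushes a browser request through a simplified edge in each mode. The `trust_proxy_proto` option is a hypothetical origin-side variant (honouring X-Forwarded-Proto on port 80) included to show the alternative fix and its caveat; the mode names and hostname are the ones from the page.

```python
"""Model of the redirect loop caused by Cloudflare "Flexible" SSL mode.

Added example, not part of the original answer. Reproduces the posted nginx
logic (:80 -> 301 to https, :443 -> serve the app) and a simplified edge.
"""
from urllib.parse import urlsplit

ORIGIN_HOST = "community.mysite.com"
MAX_HOPS = 10


def origin(port, path, headers, trust_proxy_proto=False):
    """The origin's two server blocks as posted.

    :443 serves the app; :80 returns 301 to https. trust_proxy_proto=False is
    the question's configuration. True models a hypothetical variant where :80
    also serves requests the edge marks as X-Forwarded-Proto: https.
    """
    if port == 443:
        return 200, {}
    if trust_proxy_proto and headers.get("X-Forwarded-Proto") == "https":
        return 200, {}
    return 301, {"Location": f"https://{ORIGIN_HOST}{path}"}


def edge(mode, url, trust_proxy_proto=False):
    """Cloudflare-like edge: terminate the visitor's TLS, then talk to the origin.

    flexible    - edge<->origin is always plain HTTP on :80
    full        - edge<->origin mirrors the visitor scheme (:443 for https)
    full_strict - same port choice as full; differs only in validating the
                  origin certificate, which this model does not simulate
    """
    u = urlsplit(url)
    visitor_https = u.scheme == "https"
    headers = {"X-Forwarded-Proto": u.scheme}
    if mode == "flexible":
        port = 80
    elif mode in ("full", "full_strict"):
        port = 443 if visitor_https else 80
    else:
        raise ValueError(f"unknown mode: {mode}")
    return origin(port, u.path or "/", headers, trust_proxy_proto)


def browse(mode, url, trust_proxy_proto=False):
    """Follow 301s like a browser; return the final status or 'redirect loop'."""
    seen = [url]
    for _ in range(MAX_HOPS):
        status, hdrs = edge(mode, url, trust_proxy_proto)
        if status != 301:
            return status
        url = hdrs["Location"]
        if url in seen:
            return "redirect loop"
        seen.append(url)
    return "redirect loop"


if __name__ == "__main__":
    for mode in ("flexible", "full", "full_strict"):
        for scheme in ("http", "https"):
            print(mode, scheme, browse(mode, f"{scheme}://{ORIGIN_HOST}/"))
    print("flexible + trusting X-Forwarded-Proto:",
          browse("flexible", f"https://{ORIGIN_HOST}/", trust_proxy_proto=True))
```

Two caveats a practitioner should weigh before picking the `trust_proxy_proto` style of fix over switching to Full (Strict). First, X-Forwarded-Proto is just a request header: if the origin honours it on port 80 from any source, anyone who can reach port 80 directly can send `X-Forwarded-Proto: https` and bypass the HTTPS redirect, so the header must only be trusted from the proxy's own address ranges (in nginx, `set_real_ip_from` entries for Cloudflare plus a firewall rule that limits :80 to those ranges). Second, Flexible mode means the edge-to-origin hop crosses the internet in cleartext even though the visitor sees a padlock; Full (Strict) is the mode that actually encrypts and authenticates that hop, which is why the answer's fix is the right one and not merely the one that stops the loop.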