Nginx with ssl always returning 301

301-redirectnginxssl

I am trying to setup nginx with ssl, to serve some static HTML and the output of some Python scripts (through uwsgi). It works fine with HTTP, but I am not able to make it run on HTTPS, as nginx is returning a "301 Moved Permanently" matter the URI (i.e., even for those that do not exist).

I am currently using a self-signed certificate and my idea is to force HTTPS connections. What am I doing wrong? Does it look like an nginx configuration problem?

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

server {
  listen 443 ssl;
  server_name myserver.com;
  ssl_certificate /srv/ssl/nginx.pem;
  ssl_certificate_key /srv/ssl/nginx.key;
  location / {
    rewrite ^ https://$server_name$request_uri? permanent;
  }
}

(obviusly, myserver.com stands for the actual server name).

Edit: Typos.

Best Answer

Your rewrite rule is in the wrong place: it applies (only) to the server block which does SSL already. Your browser might have been already complaining about a never-ending redirect.

Put the rewrite rule in the server block which listens on Port 80, without SSL.

Related Solutions

Nginx has ssl module, but thinks it doesn’t

You are missing the SSL on directive.

http://wiki.nginx.org/HttpSslModule

Nginx/Apache: set HSTS only if X-Forwarded-Proto is https

You could have multiple server blocks. So just add new server block for domains that need HSTS.

server {
    listen xx.xx.xxx.xxx:443 ssl default_server;

    # all ssl stuff
    # and other directives
}

server {
    listen xx.xx.xxx.xxx:443 ssl;
    server_name example.com other.example.com;

    # all ssl stuff
    # and other directives with HSTS enabled
}

Here first block will handle all https connections except example.com and other.example.com.

And you don't need ssl on directive if you have ssl flag in listen.

EDIT

There is another solution with only one server block:

map $scheme:$host $hsts_header {
    default "";
    https:example.com "max-age=31536000";
    https:other.example.com "max-age=31536000";
}

server {
    server_tokens off;

    listen xx.xx.xxx.xxx:80;
    listen xx.xx.xxx.xxx:443 ssl;

    ssl_certificate /etc/ssl/foo.crt;
    ssl_certificate_key /etc/ssl/private/foo.key;

    ssl_session_timeout 10m;

    # ... other ssl stuff

    location / {
        proxy_pass http://127.0.0.1:81;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header Host $host;
        add_header X-XSS-Protection "1; mode=block";
        add_header Strict-Transport-Security $hsts_header;
    }
}

We use map to define HSTS header value and use the fact, than nginx will not add header with empty value.

Best Answer

Related Solutions

Nginx has ssl module, but thinks it doesn’t

Nginx/Apache: set HSTS only if X-Forwarded-Proto is https

Related Topic