NGiNX SSL Setup and 301 Redirects

 
 

NGiNX SSL Setup and 301 Redirects is our next tutorial, in which we explain in a few easy steps how to set up an SSL certificate on NGiNX and how to force the client browser to use HTTPS by serving the necessary 301 redirects from HTTP on port 80 to HTTPS on port 443. Moving from a non-secured domain to a secured one is easy to implement with NGiNX, and just as easy to maintain and renew in the future. This solution was tested on a CentOS 7 server, but it can easily be applied to other operating systems and to container deployments; the NGiNX SSL syntax remains the same regardless of the deployment.

Table of contents

Main task
Preparation
NGiNX 301 Redirects
NGiNX Main Server Configuration
NGiNX SSL Setup and Configuration
Test NGiNX 301 redirect to HTTPS

Main task

As we said at the beginning, our main goal with this tutorial is to make sure that every connection between the two endpoints, client and server in this case, is and stays secure at all times. In our example we will be using a domain name called dummy-domain.com, which we have to secure using NGiNX so that our visitors' data is passed safely between, for example, their laptop and the server where our website is hosted. Having a secure site also helps in terms of SEO, which is a very important factor nowadays, but above all it is a must in order to secure the data between the browser client (visitors) and the website.

Below we have detailed a quick scenario of what redirects we need in place:


http://www.dummy-domain.com      301     -> https://dummy-domain.com
https://www.dummy-domain.com     301     -> https://dummy-domain.com
http://dummy-domain.com          301     -> https://dummy-domain.com
https://dummy-domain.com         200     [OK]

Preparation

Assuming that we already have an SSL certificate issued for our domain name and that NGiNX is installed and running properly, we can proceed to prepare the configuration needed for NGiNX. In this tutorial we will assume that we are directly editing the configuration file for dummy-domain.com, which can be found at /etc/nginx/conf.d/dummy-domain.com.conf, and that our SSL certificate PEM and KEY files have been copied to /etc/nginx/ssl/.

NGiNX 301 Redirects

The first thing on our list is to make sure that all requests to the www host, whether initiated via HTTP or HTTPS, are redirected securely to our non-www domain using a simple 301 return rule. The code listed below achieves this, so please use it as a reference, replacing only the domain name and the paths to the SSL files.


#
# Redirects for:
# http://www.dummy-domain.com    301     -> https://dummy-domain.com AND
# https://www.dummy-domain.com   301     -> https://dummy-domain.com
#

server {

    # TLS is enabled per listener by the "ssl" parameter on the 443 lines.
    # The server-wide "ssl on;" directive is left out: it would also apply to
    # the port 80 listeners and is deprecated since nginx 1.15.0.
    listen                       80;
    listen                       [::]:80;
    listen                       443 ssl http2;
    listen                       [::]:443 ssl http2;
    server_name                  www.dummy-domain.com;
    ssl_certificate              /etc/nginx/ssl/dummy-domain.com.pem;
    ssl_certificate_key          /etc/nginx/ssl/dummy-domain.com.key;
    ssl_dhparam                  /etc/ssl/certs/dhparam.pem;
    return                       301 https://dummy-domain.com$request_uri;
    server_tokens                off;

}

In simple terms, the code above says that any request to http://www.dummy-domain.com or https://www.dummy-domain.com is permanently redirected (301) to https://dummy-domain.com, preserving the original request URI ($request_uri).

NGiNX Main Server Configuration

Here once again we have to deal with another 301 redirect, but this time only from http://dummy-domain.com to https://dummy-domain.com, which is actually our main goal with this tutorial.


#
# Server configuration
#

server {

    listen                       80;
    listen                       [::]:80;
    listen                       443 ssl http2;
    listen                       [::]:443 ssl http2;
    server_name                  dummy-domain.com;
    server_tokens                off;

    if ($scheme = http) {

        return 301 https://dummy-domain.com$request_uri;

    }

As you can see, in this section we have added a condition to perform the desired 301 redirect: in short, we are asking NGiNX to redirect only if the request arrives via HTTP.

Please note that the server block has not been closed with }; no worries, it will be closed at the end of our next step.

NGiNX SSL Setup and Configuration

In this step we will focus on the SSL configuration, as we have already set up all the 301 redirects needed for our domain name. Here we have a simple NGiNX configuration for SSL which gives us the option to tweak the most important flags and values, such as the SSL file locations, the protocols to be used, the ciphers and many more.


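    #
    # SSL Setup
    #

    # No server-wide "ssl on;" here: TLS is already enabled by the "ssl"
    # parameter on the 443 listeners, and "ssl on;" would also apply to the
    # port 80 listeners (the directive is deprecated since nginx 1.15.0).
    ssl_certificate              /etc/nginx/ssl/dummy-domain.com.pem;
    ssl_certificate_key          /etc/nginx/ssl/dummy-domain.com.key;
    ssl_dhparam                  /etc/ssl/certs/dhparam.pem;
    ssl_session_timeout          1d;
    ssl_session_cache            shared:SSL:20m;
    ssl_session_tickets          off;
    ssl_protocols                TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers    on;
    ssl_ecdh_curve               secp384r1;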
    ssl_ciphers 		 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_stapling                 on;
    ssl_stapling_verify          on;
    resolver                     8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout             5s;

    #
    # Headers
    #

    add_header                   Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    add_header                   X-Frame-Options DENY;
    add_header                   X-Content-Type-Options nosniff;
    add_header                   X-XSS-Protection "1; mode=block";

    #
    # Below this line you can add your NGiNX config
    #

    ...

}

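Please make sure you adjust the ssl_protocols and ssl_ciphers values for your specific use case, as these two options influence browser compatibility and usability. As written, the configuration still accepts TLSv1 and TLSv1.1, which RFC 8996 formally deprecated, and the cipher list admits CBC-mode and 3DES (DES-CBC3-SHA) suites; keep those only if you have to support legacy clients.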
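One way to see what needs adjusting, as an added example that is not part of the original tutorial: the shell function below (hypothetical name audit_tls) reads an NGiNX configuration on standard input and flags a server-wide "ssl on", deprecated protocol versions, and cipher-list entries that admit 3DES or are not restricted to AEAD suites. The sample configuration is a constructed, shortened excerpt.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Function names are
# hypothetical. Live use:  audit_tls < /etc/nginx/conf.d/dummy-domain.com.conf

# audit_tls  (reads an nginx config on stdin)
# Prints one finding per line and returns 1 if anything was flagged.
audit_tls() {
    awk '
        $1 == "ssl" && $2 == "on;" {
            print "line " NR ": server-wide ssl on (use the ssl parameter of listen)"; bad = 1
        }
        $1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++) {
                p = $i; sub(/;$/, "", p)
                if (p ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) {
                    print "line " NR ": deprecated protocol " p; bad = 1
                }
            }
        }
        $1 == "ssl_ciphers" {
            list = $2; gsub(/[\047";]/, "", list)    # strip quotes and trailing ;
            total = split(list, tok, ":"); loose = 0
            for (i = 1; i <= total; i++) {
                if (tok[i] ~ /^[!-]/) continue       # exclusions are not findings
                if (tok[i] ~ /DES-CBC3|3DES/) {
                    print "line " NR ": 3DES admitted by " tok[i]; bad = 1
                } else if (tok[i] !~ /GCM|CHACHA20|CCM/) loose++
            }
            if (loose) {
                print "line " NR ": " loose " entries not restricted to AEAD suites"; bad = 1
            }
        }
        END { exit bad + 0 }'
}

# Constructed sample (cipher list shortened), not a real server's file.
sample_conf() {
    cat <<'EOF'
server {
    listen 443 ssl http2;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES:DES-CBC3-SHA:!aNULL:!MD5';
}
EOF
}

sample_conf | audit_tls || echo "review the findings above"
```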

If you don't already have an SSL certificate, you can obtain one for free using Let's Encrypt; more details about how to get a free SSL certificate and how to configure NGiNX with it can be found in our tutorial Secure NGiNX with Let's Encrypt SSL on CentOS 7.

Having all these settings in place we can now save and close the configuration file before moving forward to our next step where we have to test our solution.

Test NGiNX 301 redirect to HTTPS

Before reloading or restarting NGiNX, let's run a quick configuration test using the command listed below:


$ nginx -t

A successful output should look like this:


...
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
...

 

Once the configuration test has passed, we can safely reload NGiNX; in this tutorial we will be using systemctl:


$ systemctl reload nginx.service

 

Now that we have everything in place, we can finally test our solution. We will be using curl to capture the response headers from our NGiNX server.


$ curl -I -L www.dummy-domain.com

A successful output will look like this one listed below, meaning that our 301 redirect works as expected.


HTTP/1.1 301 Moved Permanently
...
Location: https://dummy-domain.com/

HTTP/2 200
...

We can see that the 301 redirect from http://www. to https:// has been triggered, and that the request has moved from HTTP/1.1 on port 80 to HTTP/2 on port 443.
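The same check can be scripted. The following is an added example, not part of the original tutorial: a shell function (hypothetical name check_chain) that validates a `curl -sI -L` header dump against the redirect table from the Main task section and also requires the HSTS header on the final response. The sample headers are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Function names are
# hypothetical. Live use:
#   curl -sI -L http://www.dummy-domain.com | check_chain https://dummy-domain.com

# check_chain ORIGIN  (reads a `curl -sI -L` header dump on stdin)
# Passes only if there is at most one redirect hop, every hop is a 301 whose
# Location starts with ORIGIN/, and the final response is a 200 carrying HSTS.
check_chain() {
    tr -d '\r' | awk -v origin="$1" '
        /^HTTP\// { n++; status[n] = $2 + 0; next }
        n && tolower($1) == "location:" { loc[n] = $2 }
        n && tolower($1) == "strict-transport-security:" { hsts[n] = 1 }
        END {
            if (n == 0) { print "FAIL: no HTTP response in input"; exit 1 }
            if (n > 2) { print "FAIL: " (n - 1) " redirect hops, expected at most 1"; bad = 1 }
            for (i = 1; i < n; i++) {
                if (status[i] != 301) {
                    print "FAIL: hop " i " is " status[i] ", expected 301"; bad = 1
                }
                # Prefix match on ORIGIN plus "/" so that a lookalike host or
                # a plain-http target is rejected.
                if (index(loc[i], origin "/") != 1) {
                    print "FAIL: hop " i " Location " loc[i] " is outside " origin; bad = 1
                }
            }
            if (status[n] != 200) { print "FAIL: final status " status[n]; bad = 1 }
            if (!hsts[n]) { print "FAIL: final response has no HSTS header"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample of `curl -sI -L http://www.dummy-domain.com` output.
sample_ok() {
    printf '%s\r\n' 'HTTP/1.1 301 Moved Permanently' \
        'Location: https://dummy-domain.com/' '' 'HTTP/2 200' \
        'strict-transport-security: max-age=31536000; includeSubDomains; preload' ''
}

sample_ok | check_chain https://dummy-domain.com && echo "redirect chain OK"
```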

Our short tutorial about NGiNX SSL Setup and 301 Redirects ends here. Various approaches can be taken, but we hope we have shown you how easy it is to set up 301 redirects with NGiNX.

About this page

Article: NGiNX SSL Setup and 301 Redirects
Published: 06/04/2019
Updated: 02/06/2019
