Struggling to get my hosts to work on port 80/HTTP and redirect to HTTPS. Discovered this when I gave out a URL and they said it didn't work but noticed a direct link to the site did work. I've done some digging and it looks like nginx isn't listening to connections on port 80 except to the localhost. Since I've primarily used Apache on this machine until now I'm not quite sure what I need to change (or what I might have changed historically).

Here is an example host file, many are the same:

map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}

upstream backend_kindalame.com {
    server fail_timeout=0;
}

proxy_cache_path /var/cache/kindalame.com levels=1:2 keys_zone=CACHE_kindalame.com:1m inactive=7d max_size=1g;

server {
  listen *:80;
  listen [::]:80;
  server_name kindalame.com;
  root /usr/local/www/kindalame;
  index index.php index.html index.htm;
  location /.well-known/acme-challenge/ { allow all; }
  location / { return 301 https://$host$request_uri; }
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name kindalame.com;

  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;

  # Uncomment these lines once you acquire a certificate:
   ssl_certificate     /etc/letsencrypt/live/kindalame.com/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/kindalame.com/privkey.pem;

  keepalive_timeout    70;
  sendfile             on;
  client_max_body_size 80m;

  root /usr/local/www/kindalame;

  gzip on;
  gzip_disable "msie6";
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_buffers 16 8k;
  gzip_http_version 1.1;
  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

  add_header Strict-Transport-Security "max-age=31536000";

  location / {
    try_files $uri @proxy;
  }

  location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.3-fpm.sock;
  }

  location ~ /\.ht {
    deny all;
  }

  location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
    add_header Cache-Control "public, max-age=31536000, immutable";
    add_header Strict-Transport-Security "max-age=31536000";
    try_files $uri @proxy;
  }

  location /sw.js {
    add_header Cache-Control "public, max-age=0";
    add_header Strict-Transport-Security "max-age=31536000";
    try_files $uri @proxy;
  }

  location @proxy {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Proxy "";
    proxy_pass_header Server;

    proxy_pass http://backend_kindalame.com;
    proxy_buffering on;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    proxy_cache CACHE_kindalame.com;
    proxy_cache_valid 200 7d;
    proxy_cache_valid 410 24h;
    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
    add_header X-Cached $upstream_cache_status;
    add_header Strict-Transport-Security "max-age=31536000";

    tcp_nodelay on;
  }
}


When I run CURL on a remote machine I get:

*   Trying
* Expire in 200 ms for 4 (transfer 0x5620eda24f50)
* Connected to 4qq.org ( port 80 (#0)
> GET / HTTP/1.1
> Host: 4qq.org
> User-Agent: curl/7.64.0
> Accept: */*
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer

But tried to run curl on the local host and it's what I'd expect the outside world to see:

* Expire in 149999 ms for 3 (transfer 0x55cc3f0a7f50)
* Expire in 200 ms for 4 (transfer 0x55cc3f0a7f50)
* Connected to localhost (::1) port 80 (#0)
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.64.0
> Accept: */*
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.14.2
< Date: Sun, 15 Nov 2020 12:38:07 GMT
< Content-Type: text/html
< Content-Length: 185
< Connection: keep-alive
< Location: https://localhost/
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
* Connection #0 to host localhost left intact


# netstat -l | grep http
tcp        0      0 *               LISTEN
tcp        0      0  *               LISTEN
tcp6       0      0 [::]:https              [::]:*                  LISTEN
tcp6       0      0 [::]:http               [::]:*                  LISTEN

I just had Apache2 running as the reverse proxy on this host and moved it away to become the backend. HTTPS works fine as is, and very well actually. I'm just stumped why my connections are reset only on port 80 and not redirected to 443 as I'd expect.

EDIT to add nginx Conf;

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    # Basic Settings

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    client_max_body_size 10000M;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # SSL Settings

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    # Logging Settings

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # Gzip Settings

    gzip on;

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    # Virtual Host Configs

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

#mail {
#   # See sample authentication script at:
#   # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#   # auth_http localhost/auth.php;
#   # pop3_capabilities "TOP" "USER";
#   # imap_capabilities "IMAP4rev1" "UIDPLUS";
#   server {
#       listen     localhost:110;
#       protocol   pop3;
#       proxy      on;
#   }
#   server {
#       listen     localhost:143;
#       protocol   imap;
#       proxy      on;
#   }
#}

  • Can you please add your nginx.conf contents to the question? – Jesús Ángel Nov 15 '20 at 12:56
  • Added at the end of the post – John Lamar Nov 15 '20 at 13:01
  • Seeing this in my error logs now `2020/11/15 13:04:56 [error] 22290#22290: *219 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client:, server:` – John Lamar Nov 15 '20 at 13:06
  • That was me making some tests. Could you please be so kind as to mask my IP from the comment? As you have stated, the problem was nginx was expecting an SSL connection on port 80. – Jesús Ángel Nov 15 '20 at 13:16

1 Answer


Discovered the issue. It was an errant file left by a text editor (conf file with ~ at the end).

It had in it:

server {
        listen 80 ssl;
        server_name     saleshorse.stream;
        return 301 https://$host$request_uri;
        #error_page 497 https://$host:$server_port$request_uri;

        location / {
                proxy_buffering off;
                proxy_pass http://localhost:9999;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header Host $http_host;
                proxy_set_header X-NginX-Proxy true;
                proxy_redirect off;
        }
}


Notice the faulty ssl tag on port 80

I'm surprised nginx included the ~ file...

  • That's because of the line `include /etc/nginx/sites-enabled/*;` You can change it to `include /etc/nginx/sites-enabled/*.conf;` if you want to. But it's better not to have unused files in the sites-enabled folder. – Jesús Ángel Nov 15 '20 at 13:12
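
An added example (not part of the original question, answer or comments): a small Python audit that expands the same glob as the `include /etc/nginx/sites-enabled/*;` line, lists editor leftovers it would pull in, and reports any address:port that is declared both with and without `ssl`. The file names and contents in `demo()` are constructed, and the list of leftover suffixes is an assumption.

```python
import glob, os, re, tempfile
from collections import defaultdict

LISTEN_RE = re.compile(r"^\s*listen\s+([^;#]+);", re.MULTILINE)  # skips commented-out lines
LEFTOVER_RE = re.compile(r"(~|\.bak|\.orig|\.save|\.dpkg-old)$")  # assumed leftover suffixes

def socket_key(addr):
    """Normalise a listen address: '80', '*:80' and '0.0.0.0:80' are the same IPv4 socket."""
    host, _, port = addr.rpartition(":")
    if not port.isdigit():              # address given without a port, e.g. 'localhost'
        host, port = addr, "80"
    return ("*" if host in ("", "*", "0.0.0.0") else host, port)

def audit(include_glob):
    """Return (leftover files, sockets declared both with and without 'ssl')."""
    leftovers, sockets = [], defaultdict(lambda: defaultdict(set))
    for path in sorted(glob.glob(include_glob)):
        if not os.path.isfile(path):
            continue
        if LEFTOVER_RE.search(os.path.basename(path)):
            leftovers.append(path)
        with open(path) as fh:
            for match in LISTEN_RE.finditer(fh.read()):
                params = match.group(1).split()
                # Key True/False records whether this listen line carries 'ssl'.
                sockets[socket_key(params[0])]["ssl" in params[1:]].add(path)
    mixed = {key: {tls: sorted(files) for tls, files in by_tls.items()}
             for key, by_tls in sockets.items() if len(by_tls) == 2}
    return leftovers, mixed

def demo():
    """Constructed sites-enabled directory reproducing the situation in the answer."""
    files = {
        "kindalame.com": "server {\n  listen *:80;\n  listen [::]:80;\n}\n"
                         "server {\n  listen 443 ssl http2;\n  listen [::]:443 ssl http2;\n}\n",
        "saleshorse.stream~": "server {\n  listen 80 ssl;\n  server_name saleshorse.stream;\n}\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in files.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return audit(os.path.join(root, "*"))

if __name__ == "__main__":
    leftovers, mixed = demo()
    print("leftover files:", leftovers)
    print("sockets with mixed ssl/plain listen lines:", mixed)
```

On a live host, `nginx -T` prints the effective configuration together with the name of each included file, which is another way to spot a stray file.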