
I have the latest nginx version installed on an Ubuntu 14.04 server. I host a few websites on it, both with and without SSL. My problem is that every time I set up a new website on a non-SSL host and then try to access that host, nginx does a 301 redirect to an SSL version of the same host (even though there is no SSL server block for that specific host) and renders the content from a random web application on the same server, triggering an SSL certificate mismatch as well.

Any idea what could be wrong?

Here's the nginx conf for the non-SSL host that I am trying to set up:

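# Plain-HTTP virtual host for some.domain.eu.
# nginx only serves this block if the file that holds it is actually included
# by nginx.conf; when it is not loaded, requests for this name are answered by
# whichever server is the default for the port.
server {
    listen 80;
    listen [::]:80;
    server_name some.domain.eu;
    root /usr/share/nginx/some.domain.eu/html;
    index index.php index.html index.htm;

    error_page 404 /404.html;

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # Pass PHP scripts to the FastCGI server listening on the php-fpm socket.
    location ~ \.php$ {
        # Only hand files that exist under the document root to PHP-FPM.
        # The original fallback was the named location @missing, which this
        # server block never defines, so the fallback could not resolve;
        # =404 falls through to the error_page above instead.
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Front-controller pattern: serve the file or directory if present,
    # otherwise route the request to index.php with the original query string.
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
}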

Here's the conf for one SSL site that some.domain.eu renders content from:

# Port-80 listener for the TLS site: every request is answered with a
# permanent redirect to the HTTPS URL. The target is built from $server_name
# (the first name on the server_name line), not from the client-supplied
# Host header, so the Location value cannot be steered by the request.
server {
    listen 80;
    server_name some.ssl.domain.com www.some.ssl.domain.com;
    return 301 https://$server_name$request_uri;
}

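# HTTPS virtual host for some.ssl.domain.com.
# NOTE(review): no server on 443 is marked default_server in the visible
# config. nginx then uses the first 443 server it loads as the default, and
# that server answers TLS requests for hostnames without their own HTTPS
# block, presenting its own certificate. Confirm which block that is.
server {
    listen 443 ssl http2;
    server_name some.ssl.domain.com www.some.ssl.domain.com;
    root /usr/share/nginx/some.ssl.domain.com/html;
    index index.php index.html index.htm;

    # Presumably the shared TLS parameters and this site's certificate paths;
    # the snippet contents are not shown here.
    include /etc/nginx/snippets/ssl-params.conf;
    include /etc/nginx/snippets/ssl-some.ssl.domain.com.conf;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Anchored prefix match for the /.well-known/ tree. The original regex
    # (~ /.well-known) had an unescaped dot and no anchor, so it matched that
    # pattern anywhere in a URI and, being listed first, took precedence over
    # the PHP handler below for every such URI.
    location ^~ /.well-known/ {
        allow all;
    }

    error_page 404 /404.html;

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # Pass PHP scripts to the FastCGI server listening on the php-fpm socket.
    location ~ \.php$ {
        # Only existing files reach PHP-FPM; anything else goes to @missing.
        try_files $uri @missing;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Requests for non-existent PHP files are redirected to the front page.
    # NOTE(review): $host is taken from the request, so the Location header
    # echoes whatever hostname the client sent. If this block ends up as the
    # default server for 443, consider $server_name here or a dedicated
    # catch-all default_server that rejects unknown hostnames.
    location @missing {
        rewrite ^ $scheme://$host/index.php permanent;
    }

    # Long-lived client caching for static assets.
    location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
        expires 365d;
    }
}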

And my nginx.conf:

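# Main nginx configuration: process settings, then the http block with the
# defaults shared by every virtual host.
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # NOTE(review): a 1000M request-body limit applies to every virtual host.
    # Consider a small default here and raising it only in the server or
    # location blocks that accept large uploads.
    client_max_body_size 1000M;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were dropped from the
    # original list; SSLv3 was already excluded (POODLE). Add TLSv1.3 where
    # the nginx/OpenSSL build supports it. A server-level ssl_protocols
    # (for example in an included snippet) overrides this default.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    # NOTE(review): compressing HTTPS responses that mix secrets (tokens,
    # session data) with request-reflected content is the precondition for
    # BREACH-style compression side channels. Consider turning gzip off for
    # such dynamic responses.
    gzip on;
    gzip_disable "msie6";

    gzip_vary on;
    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
            text/plain
            text/css
            text/js
            text/xml
            text/javascript
            application/javascript
            application/x-javascript
            application/json
            application/xml
            application/xml+rss;

    ##
    # Virtual Host Configs
    ##

    # Only files matched by these globs are loaded. A site whose file or
    # symlink is missing from sites-enabled is not served by its own block.
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

    # Do not advertise the nginx version in headers and error pages.
    server_tokens off;

    ##
    # Security headers
    ##
    # add_header values set here are inherited by a server or location only
    # if that level defines no add_header of its own. "always" also attaches
    # the header to error responses; without it they carry none of these.

    # Do not allow other origins to render the site inside a frame or iframe
    # (clickjacking): http://en.wikipedia.org/wiki/Clickjacking
    # SAMEORIGIN still allows same-site framing. ALLOW-FROM is obsolete in
    # current browsers; use a Content-Security-Policy frame-ancestors
    # directive when specific origins must be allowed.
    # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
    add_header X-Frame-Options SAMEORIGIN always;

    # When serving user-supplied content, send X-Content-Type-Options: nosniff
    # along with Content-Type to disable content-type sniffing in browsers.
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    add_header X-Content-Type-Options nosniff always;

    # Re-enables the legacy browser XSS filter for this site if the user had
    # disabled it. Current browsers have largely removed that filter, so this
    # header is not a substitute for output encoding or a
    # Content-Security-Policy.
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    add_header X-XSS-Protection "1; mode=block" always;
}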
Comforse

3 Answers


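I suspect Nginx is showing the website from the default server for that IP and port. When no server block matches the requested hostname, nginx falls back to the block marked default_server, or, if none is marked, to the first one it loaded, so the result will appear somewhat random. Two possible solutions come to mind.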

1, set up https for that site and forward it to http, which is really easy. You can use Let's Encrypt certificates which are free.

2, set up a default server on https and return an error code. This will need to be on a domain and marked default_server. I only do this on http because I have https for all my websites. This is covered by this question.

Tim

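As is often the case, the answer turned out to be simple. The problem with my setup was caused by a missing symlink in sites-enabled, so nginx never loaded the new server block and requests for that host fell through to another site's block.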

Of course, I would also need to address the default servers for http and https.

Comforse

If you are on Hostinger, you might want to add this to wp-config.php (if WordPress) or index.php (if something else):

// Overwrites the scheme and port the web server reported for this request,
// so the application sees every request as plain HTTP on port 80.
// NOTE(review): this masks the symptom instead of correcting the server or
// proxy configuration, and any HTTPS detection that reads these values will
// report "not secure" even when the site is served over TLS. Confirm that is
// acceptable before keeping it.
$_SERVER['REQUEST_SCHEME'] = 'http';
$_SERVER['SERVER_PORT'] = '80';

It solved the random https redirects for me, I hope it helps someone else!