
I already found some Q&As here regarding this topic, but none helped me solve the problem. I installed a Debian 8 server just today, and every request to my domain is redirected to HTTPS. Now I was playing around creating a new SSL certificate for a subdomain, which was failing because certbot was accessing the .well-known directory over HTTP. As this request was redirected to HTTPS, it wasn't working. My idea was to exclude this hidden directory from the redirects.

For testing I put a simple text file into the .well-known/acme-challenge/ directory. Every time I request this file I'm still redirected. Here is my current nginx config:

server {
    listen 80 default_server;
    #listen [::]:80 default_server;
    server_name test.de www.test.de;

    root /var/www/html;

    location /.well-known/acme-challenge {
        root /var/www/html;
        allow all;
    }
    location / {
        return 301 https://test.de$request_uri;
    }
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    include snippets/ssl-test.de.conf;
    include snippets/ssl-params.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

#    location ~ /.well-known {
#        allow all;
#    }
}

Does anyone have any ideas?

StephanM
    If your included SSL configuration includes an [HSTS header](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), your browser is forbidden from accessing your site using `http`. – Richard Smith Apr 19 '17 at 10:36

1 Answer


When I did a similar thing, I needed to add the following:

location /.well-known {
    root /var/www/html;      # challenge files live under /var/www/html/.well-known/
    allow all;
    try_files $uri =404;     # serve the file if it exists, otherwise 404; never redirect here
}

location / {
    # $request_uri keeps the query string; a bare $uri would drop it on the redirect
    return 301 https://example.com$request_uri;
}

Without the try_files, nginx has no information on what to do (there is no default for try_files).

Also, when testing it, you need to use curl or wget, which don't care about the HSTS setting for the site.

Tero Kilkanen
  • It looks like it's working now. The recommendation about testing with curl or wget: is it because of browser behavior? When testing with Firefox it works only if I request the text file over http right after starting the browser. As soon as I request any other https resource I always get redirected to https for the test file. Very strange behavior... Is there anything cached by the browser regarding these redirects? – StephanM Apr 19 '17 at 11:23
  • If your server sends HSTS headers, then it forces all resources to load via HTTPS, that is, the browser doesn't even try to load anything via HTTP. This is to prevent man-in-the-middle attacks. You can Google for more information about HSTS to find more details. – Tero Kilkanen Apr 19 '17 at 13:17
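The answer and the comments above come down to one check: confirm that the port-80 vhost serves `/.well-known/acme-challenge/<token>` with a 200 while everything else still gets a 301, and do it with a client that neither follows redirects nor remembers HSTS. The script below is an added example (not code from the question or the answer) that performs exactly that probe with `http.client`. The host name `test.de`, the token `token123` and the stub server are assumptions: the stub is a constructed stand-in for the question's nginx config so the demo runs offline, and in practice you would point `probe()` at your real server instead.

```python
"""Probe whether an nginx vhost exempts the ACME challenge path from its
HTTP -> HTTPS redirect.  Added example, not part of the original post.

http.client is used on purpose: it does not follow redirects and has no
HSTS cache, so unlike a browser it reports what the server really answered.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

ACME_PREFIX = "/.well-known/acme-challenge/"


def probe(host: str, port: int, path: str,
          host_header: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Single plain-HTTP GET; returns status, Location, HSTS header and body.

    host_header lets you connect by IP while presenting the vhost name
    (assumed name test.de) so nginx's server_name matching is exercised.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host_header or host})
        resp = conn.getresponse()
        body = resp.read()
        return {
            "status": resp.status,
            "location": resp.getheader("Location"),
            "hsts": resp.getheader("Strict-Transport-Security"),
            "body": body.decode("utf-8", "replace"),
        }
    finally:
        conn.close()


def acme_exempt(result: dict, expected_body: Optional[str] = None) -> bool:
    """True only when the challenge path was served directly (2xx), i.e. it
    was not caught by the `location / { return 301 ... }` block."""
    if not 200 <= result["status"] < 300:
        return False
    if expected_body is not None and result["body"].strip() != expected_body:
        return False
    return True


class _StubNginx(BaseHTTPRequestHandler):
    """Constructed stand-in for the question's port-80 vhost: the ACME path is
    served from a fake webroot, every other path is redirected to https."""
    webroot = {ACME_PREFIX + "token123": "token123.thumbprint"}  # constructed sample

    def do_GET(self):
        if self.path.startswith(ACME_PREFIX):
            content = self.webroot.get(self.path)
            if content is None:
                self.send_error(404)          # mirrors `try_files $uri =404`
                return
            data = content.encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
        else:
            self.send_response(301)           # mirrors `return 301 https://test.de$request_uri`
            self.send_header("Location", "https://test.de" + self.path)
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):             # keep the demo quiet
        pass


def demo() -> dict:
    """Run the stub on an ephemeral loopback port and probe both paths."""
    server = HTTPServer(("127.0.0.1", 0), _StubNginx)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        acme = probe("127.0.0.1", port, ACME_PREFIX + "token123", host_header="test.de")
        root = probe("127.0.0.1", port, "/index.html", host_header="test.de")
    finally:
        server.shutdown()
        server.server_close()
    return {
        "acme": acme,
        "root": root,
        "acme_exempt": acme_exempt(acme, "token123.thumbprint"),
        "root_redirected": root["status"] == 301,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Against a real server, `probe("203.0.113.10", 80, ACME_PREFIX + "token123", host_header="test.de")` (address assumed) is the equivalent of `curl -sI -H 'Host: test.de' http://203.0.113.10/.well-known/acme-challenge/token123`: a 200 means the exemption works, a 301 means the challenge location is still being swallowed by the redirect, and the `hsts` field shows whether a `Strict-Transport-Security` header is present, which is what makes a browser that has already visited the HTTPS site refuse to issue the plain-HTTP request at all.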