
Hi, this must be a basic question, but I haven't seen an answer with certbot considerations (if there are any considerations). How do I get https www to redirect to non-www instead of timing out?

The https www version of my site times out instead of redirecting to non-www, whereas all other versions (http and https non-www) work fine.

Preferably I would like to future-proof this so that I can renew the certs through certbot and not need to manually change the nginx config afterwards.

The nginx server config is shown below:

```nginx
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    server_name www.mydomain.com mydomain.com;

    listen 443 ssl; # managed by Certbot
    ssl_certificate <path_to_cert>; # managed by Certbot
    ssl_certificate_key <path_to_key>; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam <path_to_this>;

    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot
}
```
duncangarde

1 Answer


You use separate server blocks for each of the four variations of http/s and www/non-www. You never use "if" statements if you can do things another way - Nginx If is Evil.

```nginx
# https server, static websites (the canonical non-www host)
server {
  server_name example.com;

  listen 443 ssl http2;

  ssl_certificate /var/lib/acme/certs/***CERT_DIRECTORY/fullchain;
  ssl_certificate_key /var/lib/acme/certs/***CERT_DIRECTORY/privkey;

  root     /var/www/***rootdir;
}

# This server simply redirects the request to the https version of the page
server {
  listen 80;
  server_name www.example.com example.com;

  # Let's Encrypt certificates with Acmetool
  location /.well-known/acme-challenge/ {
    alias /var/www/.well-known/acme-challenge/;
  }

  location / {
    return 301 https://example.com$request_uri;
  }
}

# https www: redirect to the non-www host
# (the certificate used here must also cover www.example.com)
server {
  listen 443 ssl http2;
  server_name www.example.com;

  ssl_certificate /var/lib/acme/certs/***CERT_DIRECTORY/fullchain;
  ssl_certificate_key /var/lib/acme/certs/***CERT_DIRECTORY/privkey;

  return 301 https://example.com$request_uri;
}
```
Tim
  • Apparently certbot's nginx plugin writes this strange configuration, which is one reason I run it in webroot mode and write the configs myself. – Michael Hampton Jan 12 '18 at 23:27
  • I couldn't get certbot going in Amazon Linux back when I was trying, so I use [Acme](https://github.com/hlandau/acme) instead. – Tim Jan 13 '18 at 01:13
  • Hi thanks @tim, it looks like Acme might be the best way to go. I've managed to get myself sorted using your config as a basis. I would accept your answer but you are going from non-www to www and not from www to non-www. Wouldn't want to confuse other viewers of the question. – duncangarde Jan 15 '18 at 12:18
  • I've edited the post so it shows redirection to non-www – Tim Jan 15 '18 at 18:16
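
A way to check the result the answer's server blocks are meant to produce, added here as an example and not part of the original question or answer: it probes all four http/https and www/non-www variants and reports any that time out or do not redirect straight to the https non-www URL. The names `probe`, `audit` and `fake_probe` and the sample responses are constructed for illustration; the sample models the state described in the question.

```python
import http.client

def probe(scheme, host, path="/", timeout=5.0):
    """Send one HEAD request without following redirects.
    Returns (status, Location); status is None on timeout or connection/TLS failure."""
    cls = http.client.HTTPSConnection if scheme == "https" else http.client.HTTPConnection
    conn = cls(host, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    except (OSError, http.client.HTTPException):
        return None, None
    finally:
        conn.close()

def audit(apex, probe=probe, path="/"):
    """Check all four scheme/host variants against https://<apex>. Returns {url: verdict}."""
    canonical = f"https://{apex}{path}"
    results = {}
    for scheme in ("http", "https"):
        for host in (apex, "www." + apex):
            url = f"{scheme}://{host}{path}"
            status, location = probe(scheme, host, path)
            if status is None:
                verdict = "unreachable"          # the symptom in the question
            elif url == canonical:
                verdict = "ok" if status == 200 else f"unexpected status {status}"
            elif status in (301, 308) and location == canonical:
                verdict = "ok"                   # one permanent hop to the canonical URL
            elif status in (301, 302, 307, 308):
                verdict = f"redirects to {location}"
            else:
                verdict = f"no redirect (status {status})"
            results[url] = verdict
    return results

# Constructed responses modelling the question: https://www times out, and the
# Certbot-written `if` sends http://www to https://www instead of the non-www host.
QUESTION_STATE = {
    ("http", "example.com"): (301, "https://example.com/"),
    ("http", "www.example.com"): (301, "https://www.example.com/"),
    ("https", "example.com"): (200, None),
    ("https", "www.example.com"): (None, None),
}

def fake_probe(scheme, host, path="/"):
    return QUESTION_STATE[(scheme, host)]

if __name__ == "__main__":
    for url, verdict in audit("example.com", probe=fake_probe).items():
        print(f"{verdict:40} {url}")
```

Calling `audit("yourdomain.tld")` without the `probe` argument sends real requests; running it after each certificate renewal shows whether the redirects survived the renewal.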