I have the same configuration on all my blocks, yet only this one redirects to www while all my others redirect to non-www. I think it may have something to do with the HSTS that I've recently added, but I'm not sure because, like I said, the other blocks have the same config. This is the config file:

```nginx
server {

    root /var/www/mydomain;
    index index.php index.html index.htm index.nginx-debian.html;

    server_name mydomain.es www.mydomain.es;

    location / {
        #try_files $uri $uri/ =404;
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    }

    location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires max;
        log_not_found off;
    }

    location = /favicon.ico { log_not_found off; access_log off; }
    location = /robots.txt { log_not_found off; access_log off; allow all; }
    location ~* \.(css|gif|ico|jpeg|jpg|js|png|svg|woff)$ {
        expires 2d;
        add_header Cache-Control "public, no-transform";
    }

    location ~* \.(jpg|jpeg|gif|png|svg|woff)$ {
        expires 365d;
    }

    location ~* \.(pdf|css|html|js|swf)$ {
        expires 2d;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mydomain.es/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mydomain.es/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

}

server {
    if ($host = www.mydomain.es) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = mydomain.es) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name mydomain.es www.mydomain.es;
    listen 80;
    return 404; # managed by Certbot
}
```

What am I doing wrong?

i6x86

1 Answer

Both of your blocks listen on the same ports for the same domains - note your `listen` and `server_name` statements. You're also using `if` statements, which aren't optimal. It's also odd to accept visitors on either www or non-www; most sites choose one or the other and redirect to that.

Here's the standard pattern for redirecting to the www site, including the security headers I use:

```nginx
# Main server block serving content
server {
  server_name www.example.com;

  listen 443 ssl http2;

  ssl_certificate /var/lib/acme/certs/***CERT_DIRECTORY/fullchain;
  ssl_certificate_key /var/lib/acme/certs/***CERT_DIRECTORY/privkey;

  # Set up preferred protocols and ciphers. TLS1.2 is required for HTTP/2
  # Generate at https://cipherli.st/
  # NB: I had to comment out session tickets, stapling, and resolver to get this to work, but I didn't try very hard.
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
  ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off; # Requires nginx >= 1.5.9
  ssl_stapling on; # Requires nginx >= 1.3.7
  ssl_stapling_verify on; # Requires nginx >= 1.3.7
  resolver ****** $DNS-IP-1 $DNS-IP-2 valid=300s;
  resolver_timeout 5s;
  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;

  # etc
}

# This server simply redirects the request to the https version of the page
server {
  listen 80;
  server_name www.example.com example.com;

  location /.well-known/acme-challenge/ {
    alias /var/www/.well-known/acme-challenge/;
  }

  location / {
    return 301 https://www.example.com$request_uri;
  }
}

# This server redirects https://example.com to the www site
server {
  listen 443 ssl http2;
  server_name example.com;

  ssl_certificate /var/lib/acme/certs/***CERT_DIRECTORY/fullchain;
  ssl_certificate_key /var/lib/acme/certs/***CERT_DIRECTORY/privkey;

  # Set up preferred protocols and ciphers. TLS1.2 is required for HTTP/2
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
  ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0

  access_log  /var/log/nginx/access.log main buffer=32k flush=1m if=$log_ua;

  return 301 https://www.example.com$request_uri;
}
```
Tim
  • Thanks Tim, but I'm afraid I didn't explain my issue clearly. The config file I posted there is of the domain that redirects to www, now I have the same config file on another domain (two more to be exact) and it returns non-www domain and I have no idea why. – i6x86 Oct 31 '18 at 18:13
  • also I want to redirect it to the non-www like the other – i6x86 Oct 31 '18 at 20:06
  • It's a trivial change to have it redirect to non-www rather than www, you just change the server_name in the main and ssl redirection server blocks. I'll edit the post to show you. The reason it doesn't work as you expect is at the top of my answer. – Tim Oct 31 '18 at 20:35
  • thank you, I'll give it a try later this night, but I just have to ask: why the other configuration works as I expect. I just don't get it :( It's literally the same config just with other domain name. – i6x86 Oct 31 '18 at 20:50
  • You haven't shown us the other configuration so I can't really comment. – Tim Oct 31 '18 at 22:38
  • Ok I’ll edit the question to add the other block. – i6x86 Nov 01 '18 at 01:23
  • Suggest you edit the post from a computer when you can format it properly. It was too difficult to read, and since you weren't logged in it's only visible to admins. I already told you why this config doesn't work as expected. – Tim Nov 01 '18 at 07:36
  • When I delete the www.domain.name for server_name I get error message saying that the connection is not secure. And still it redirects to the www.domain.name – i6x86 Nov 01 '18 at 15:17
  • You have www.domain.name in multiple server blocks so it's unclear what you've done. I'm pretty sure I've provided a working solution for you, and this comment thread is getting long. I suggest you check this works for you, and if you want comments on something else ask another question. I also noticed you tried to edit my answer to provide more information, rather than editing your question - put that in a new question. – Tim Nov 01 '18 at 18:09
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/85199/discussion-between-i6x86-and-tim). – i6x86 Nov 01 '18 at 18:21
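
To check where each entry point of a configuration like the ones above ends up, the following added example (not part of the original question or answer) follows the `return 30x` redirects between server blocks and reports the final origin, or a loop. It assumes simple configurations with one `listen` port and one redirect per server block and exact `server_name` matches; `parse`, `final_origin`, `audit` and both sample configurations are constructed for illustration.

```python
import re

def parse(conf):
    """Extract port, server_name list and first 30x target of each server block."""
    conf = re.sub(r"#.*", "", conf)                    # drop comments
    servers = []
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):                 # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        body = conf[m.end():i - 1]
        port = re.search(r"\blisten\s+(\d+)", body)
        names = re.search(r"\bserver_name\s+([^;]+);", body)
        ret = re.search(r"\breturn\s+30[1278]\s+([^;\s]+)", body)
        servers.append({"port": int(port.group(1)) if port else 80,
                        "names": names.group(1).split() if names else [],
                        "redirect": ret.group(1) if ret else None})
    return servers

def final_origin(servers, scheme, host):
    """Follow redirects from scheme://host/ and return where the request ends."""
    seen = set()
    while (scheme, host) not in seen:
        seen.add((scheme, host))
        port = 443 if scheme == "https" else 80
        srv = next((s for s in servers if s["port"] == port and host in s["names"]), None)
        if srv is None:
            return "UNMATCHED"           # real nginx would fall back to its default server
        if srv["redirect"] is None:
            return f"{scheme}://{host}"  # this block serves content
        url = srv["redirect"].replace("$host", host).replace("$request_uri", "/")
        scheme, host = re.match(r"(https?)://([^/]+)", url).groups()
    return "LOOP"

def audit(conf, hosts):
    servers = parse(conf)
    return {f"{s}://{h}": final_origin(servers, s, h) for h in hosts for s in ("http", "https")}

# Constructed samples: BOTH_NAMES serves both hosts, CANONICAL redirects all to example.com.
BOTH_NAMES = """
server { listen 443 ssl; server_name example.com www.example.com; }
server { listen 80; server_name example.com www.example.com; return 301 https://$host$request_uri; }
"""
CANONICAL = """
server { listen 443 ssl; server_name example.com; }
server { listen 443 ssl; server_name www.example.com; return 301 https://example.com$request_uri; }
server { listen 80; server_name example.com www.example.com; return 301 https://example.com$request_uri; }
"""
```

A configuration has a single canonical host when every value returned by `audit` is the same origin; more than one distinct value means both names serve content, and `LOOP` marks a server block that redirects to a name it handles itself.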