Is it possible to shorten my nginx config to redirect everything to https without www?
Hello, friends!
Can you please tell me whether my nginx config can be made shorter and still redirect everything to https without www? Everything works, and https://globalsign.ssllabs.com/ gives it an A+, but I want to learn how to do it right.
Virtual host config:
# Plain-HTTP entry point: both host names are answered on port 80 and
# permanently redirected to the canonical https://DOMEN.ru origin.
# No default_server flag is set on the listen line.
server {
    server_name DOMEN.ru www.DOMEN.ru;
    listen 80;

    # The redirect target is a fixed literal host rather than $host, so the
    # Location header is never built from the client's Host header.
    # Older equivalent, kept for reference:
    #   rewrite ^ https://DOMEN.ru$request_uri? permanent;
    return 301 https://DOMEN.ru$request_uri;
}
# HTTPS listener for the www host: completes the TLS handshake only to
# redirect the client to the canonical https://DOMEN.ru origin.
server {
    server_name www.DOMEN.ru;
    # "spdy" enables the SPDY module, which nginx replaced with HTTP/2
    # ("http2") in 1.9.5; on a newer build this parameter is rejected.
    listen 443 ssl spdy;

    # Redundant next to "listen ... ssl" and deprecated in later nginx releases.
    ssl on;

    # Certificate chain and private key. The key file should be readable
    # only by root / the nginx master process.
    ssl_certificate_key /etc/nginx/ssl/DOMEN.key;
    ssl_certificate /etc/nginx/ssl/DOMEN.crt;

    # SSLv3 is left out because of POODLE. TLS 1.0 and 1.1 are still offered
    # here; both were later formally deprecated (RFC 8996).
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # AES-256 suites with ephemeral ECDH or DH key exchange only (forward
    # secrecy); anonymous suites are excluded. The server's order wins.
    ssl_prefer_server_ciphers on;
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
    # A single curve is offered. NOTE(review): clients that do not support
    # P-521 cannot use the ECDHE suites and depend on the DHE ones - confirm
    # that this is intended.
    ssl_ecdh_curve secp521r1;
    # DH group for the EDH suites. The group size is not visible from here;
    # it should be at least 2048 bits.
    ssl_dhparam /etc/nginx/ssl/dh.key;

    # No client-certificate authentication (this is also the default).
    ssl_verify_client off;

    # Session resumption: shared cache plus session tickets.
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:10m;
    # The ticket key comes from a static file. Anyone who obtains that file
    # can decrypt ticket-resumed sessions, so unless the file is rotated
    # regularly it weakens the forward secrecy of the suites above.
    ssl_session_ticket_key /etc/nginx/tickets/DOMEN_tik.key;
    ssl_session_tickets on;

    # OCSP stapling. Responses are verified against ssl_trusted_certificate.
    ssl_trusted_certificate /etc/nginx/ssl/ca-certs.pem;
    ssl_stapling_verify on;
    ssl_stapling on;
    # Overrides the responder URL embedded in the certificate.
    # NOTE(review): the host belongs to WoSign, a CA that major browsers later
    # stopped trusting; a certificate from it would need to be replaced.
    ssl_stapling_responder http://ocsp2.wosign.cn/ca2g2/server1/free;
    #ssl_stapling_responder http://ocsp6.wosign.com/ca6/server1/free;
    # Used to resolve the responder host name. This is plain DNS to a public
    # resolver; the nginx documentation recommends a resolver on a trusted
    # local network to limit DNS spoofing.
    resolver 8.8.8.8;

    # Response headers; add_header also applies to the 301 sent below.
    # includeSubdomains commits every subdomain of the host to HTTPS for a
    # year, so all of them must be able to serve it.
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options DENY;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

    return 301 https://DOMEN.ru$request_uri;
}
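# Canonical HTTPS site for DOMEN.ru: serves static files and PHP.
# The location blocks and client_max_body_size sit inside this server block;
# a closing brace placed before them would leave "location" at the top
# level, where nginx rejects it.
server {
    # "spdy" enables the SPDY module, which nginx replaced with HTTP/2
    # ("http2") in 1.9.5; on a newer build this parameter is rejected.
    listen 443 ssl spdy;
    server_name DOMEN.ru;
    root /home/DOMEN/www/DOMEN.ru/public_html;
    # Add index.php to the list if you are using PHP
    index index.html index.htm index.php;

    # Response headers. The locations below define no add_header of their
    # own, so they inherit these; an add_header added inside a location later
    # would replace the whole inherited set for that location.
    # includeSubdomains commits every subdomain to HTTPS for a year.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    # SSL configuration
    # "ssl on" is redundant next to "listen ... ssl" and deprecated in later
    # nginx releases.
    ssl on;
    # SSLv3 is left out because of POODLE. TLS 1.0 and 1.1 are still offered
    # here; both were later formally deprecated (RFC 8996).
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # AES-256 suites with ephemeral ECDH or DH key exchange only (forward
    # secrecy); anonymous suites are excluded.
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
    ssl_session_cache shared:SSL:10m;
    # No client-certificate authentication (this is also the default).
    ssl_verify_client off;
    ssl_session_timeout 5m;
    ssl_prefer_server_ciphers on;
    # A single curve is offered. NOTE(review): clients without P-521 support
    # depend on the DHE suites - confirm that this is intended.
    ssl_ecdh_curve secp521r1;
    # DH group for the EDH suites; the size is not visible from here and
    # should be at least 2048 bits.
    ssl_dhparam /etc/nginx/ssl/dh.key;
    ssl_certificate /etc/nginx/ssl/DOMEN.crt;
    # The key file should be readable only by root / the nginx master process.
    ssl_certificate_key /etc/nginx/ssl/DOMEN.key;

    # OCSP stapling. Responses are verified against ssl_trusted_certificate.
    ssl_trusted_certificate /etc/nginx/ssl/ca-certs.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    # Overrides the responder URL embedded in the certificate.
    # NOTE(review): the host belongs to WoSign, a CA that major browsers later
    # stopped trusting; a certificate from it would need to be replaced.
    ssl_stapling_responder http://ocsp2.wosign.cn/ca2g2/server1/free;
    #ssl_stapling_responder http://ocsp6.wosign.com/ca6/server1/free;
    # Used to resolve the responder host name. This is plain DNS to a public
    # resolver; the nginx documentation recommends a resolver on a trusted
    # local network to limit DNS spoofing.
    resolver 8.8.8.8;

    # The ticket key comes from a static file. Unless it is rotated
    # regularly, it weakens the forward secrecy of ticket-resumed sessions.
    ssl_session_tickets on;
    ssl_session_ticket_key /etc/nginx/tickets/DOMEN_tik.key;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules;
    }

    # Pass PHP scripts to the PHP-FPM pool over its unix socket.
    # NOTE(review): the included snippet is not shown; confirm that it
    # returns 404 for scripts that do not exist on disk, so that arbitrary
    # paths ending in .php are not handed to PHP-FPM.
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_read_timeout 300;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    location ~ /\.ht {
        deny all;
    }

    # Upper bound on the request body size accepted for this host.
    client_max_body_size 10m;
}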
Can.
Move all `ssl_*` from the server to a higher level.
`ssl on` is not needed.
You will end up with something like this:
# Sketch only: "..." stands for the asker's existing directives.
# TLS settings declared once, one level above the server blocks, so that
# every server block below inherits them. The shared certificate therefore
# has to be valid for both example.ru and www.example.ru.
ssl_protocols ...
...
ssl_session...
# Plain HTTP for the bare domain: redirect to the canonical HTTPS origin.
server {
listen 80;
server_name example.ru;
return 301 https://example.ru$request_uri;
}
# www host on both ports: one block redirects HTTP and HTTPS requests alike.
# It carries no add_header lines, so unlike the question's www block it sends
# no HSTS or X-* headers with the redirect unless add_header is also declared
# at the higher level.
server {
listen 80;
listen 443 ssl spdy;
server_name www.example.ru;
return 301 https://example.ru$request_uri;
}
# Canonical HTTPS site: only the site-specific directives remain here.
server {
listen 443 ssl spdy;
server_name example.ru;
root ...
# Security headers (HSTS, X-Frame-Options, X-Content-Type-Options).
add_header ...
location ...
}
In your config a single line does the actual redirecting, so it can be much shorter.