
Force SSL/Https

Discussion in 'Server Configuration and Hosting' started by Glockie, Sep 4, 2015.

  1. Glockie

    Glockie Well-Known Member

    Hello all,

    I have recently purchased an SSL certificate for our site, and installed everything correctly (I think!).
    So I have added a re-write to .htaccess and https to board information, but our users are still able to connect to http without secure, thus when clicking links etc, they get logged out and shown the Nginx 'Permission Denied' error.

    I am hoping someone can help with a bit of advice on this.
    Completely new to Nginx and CentOS after changing our droplet with the help of a server guru from here.

    Here's my .htaccess. I hope I have it right, but if not, perhaps someone can show me the way?

    Code:
    #    Mod_security can interfere with uploading of content such as attachments. If you
    #    cannot attach files, remove the "#" from the lines below.
    #<IfModule mod_security.c>
    #    SecFilterEngine Off
    #    SecFilterScanPOST Off
    #</IfModule>
    
    ErrorDocument 401 default
    ErrorDocument 403 default
    ErrorDocument 404 default
    ErrorDocument 405 default
    ErrorDocument 406 default
    ErrorDocument 500 default
    ErrorDocument 501 default
    ErrorDocument 503 default
    
    <IfModule mod_rewrite.c>
        RewriteEngine On
    
            RewriteCond %{SERVER_PORT} 443
        RewriteRule ^(.*)$ https://oursite.com$1 [R,L]
       
        #    If you are having problems with the rewrite rules, remove the "#" from the
        #    line that begins "RewriteBase" below. You will also have to change the path
        #    of the rewrite to reflect the path to your XenForo installation.
        #RewriteBase /xenforo
    
        #    This line may be needed to enable WebDAV editing with PHP as a CGI.
        #RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    
        RewriteCond %{REQUEST_FILENAME} -f [OR]
        RewriteCond %{REQUEST_FILENAME} -l [OR]
        RewriteCond %{REQUEST_FILENAME} -d
        RewriteRule ^.*$ - [NC,L]
        RewriteRule ^(data/|js/|styles/|install/|favicon\.ico|crossdomain\.xml|robots\.txt) - [NC,L]
        RewriteRule ^.*$ index.php [NC,L]
    </IfModule>
    
    
    For instance, I removed the S from XenForo.com - and it redirected me to https
    I can't do that on our site and actually can use the site on both.. Very frustrating
    Many thanks in advance for any help you can offer.
    Thank you
     
  2. Set3sh

    Set3sh Active Member

    Hello,

    Basically when you are making a request via http protocol you are making a server request to port 80 (by default).
    And when using the https protocol you are making a server request to port 443 (by default).

    You wish to redirect every user from http to https.
    This means you need to add this above:


    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://oursite.com$1 [R,L]


    RewriteCond %{SERVER_PORT} 443
    RewriteRule ^(.*)$ https://oursite.com$1 [R,L]


    Kind regards,
    George.
     
    Glockie likes this.
  3. Glockie

    Glockie Well-Known Member

    Hmmm I've done this, restarted Nginx, php and memcached, I can still remove the s and use the site with no redirect.
    Just to clarify the .htaccess is in the forum root, and looks like so now;


    Code:
    #    Mod_security can interfere with uploading of content such as attachments. If you
    #    cannot attach files, remove the "#" from the lines below.
    #<IfModule mod_security.c>
    #    SecFilterEngine Off
    #    SecFilterScanPOST Off
    #</IfModule>
    
    ErrorDocument 401 default
    ErrorDocument 403 default
    ErrorDocument 404 default
    ErrorDocument 405 default
    ErrorDocument 406 default
    ErrorDocument 500 default
    ErrorDocument 501 default
    ErrorDocument 503 default
    
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{SERVER_PORT} 80
        RewriteRule ^(.*)$ https://Our-Site.com$1 [R,L]
    
    
       
        #    If you are having problems with the rewrite rules, remove the "#" from the
        #    line that begins "RewriteBase" below. You will also have to change the path
        #    of the rewrite to reflect the path to your XenForo installation.
        #RewriteBase /xenforo
    
        #    This line may be needed to enable WebDAV editing with PHP as a CGI.
        #RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    
        RewriteCond %{REQUEST_FILENAME} -f [OR]
        RewriteCond %{REQUEST_FILENAME} -l [OR]
        RewriteCond %{REQUEST_FILENAME} -d
        RewriteRule ^.*$ - [NC,L]
        RewriteRule ^(data/|js/|styles/|install/|favicon\.ico|crossdomain\.xml|robots\.txt) - [NC,L]
        RewriteRule ^.*$ index.php [NC,L]
    </IfModule>
    
    
    I hope this is correct now?
    :confused:
    Does the redirect take time to kick in? Should be instant shouldn't it?
     
  4. RoldanLT

    RoldanLT Well-Known Member

    So you said you were using Nginx? :D
    Then your code will not really work.
    Nginx has different configuration.

    Usually at /etc/nginx/.
     
  5. Set3sh

    Set3sh Active Member

    Hello,

    Try this:

    if ($scheme = http) {
    return 301 https://$server_name$request_uri;
    }

    And make sure server_name designates your website address.

    EDIT:
    Lol... I thought you were also using apache as a backend since you said your server was configured by a "server guru".
    Of course .htaccess files are not working because you are not using apache, but nginx.


    Kind regards,
    George.
     
    Glockie likes this.
  6. Glockie

    Glockie Well-Known Member

    Yes Nginx..
    Okay, I've edited the our site.conf files in the nginx/conf.d/config files as so;


    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    
    # redirect from non-www to www
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    server {
                listen   80;
                listen  443 ssl;
               server_name www.MYSite.com
                return 301 $scheme://MYSite.com$request_uri;
            ssl_certificate      /home/nginx/domains/MYSite.com/private/MYSite.com.chained.crt;
                ssl_certificate_key  /home/nginx/domains/MYSite.com/private/MYSite.com.key;
           }
    
    server {
      server_name MYSite.com;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/MYSite.com/log/access.log combined;
      error_log /home/nginx/domains/MYSite.com/log/error.log;
    
      root /home/nginx/domains/MYSite.com/public;
    
      location / {
                    try_files $uri $uri/ /index.php?$uri&$args;
                    location /internal_data {
                            location ~ \.(data|html|php)$ {
                                    internal;
                            }
                            internal;
                    }
                    location /library {
                            location ~ \.(default|html|php|txt|xml)$ {
                                    internal;
                            }
                            internal;
                    }
    
      }
    
      location /phpmyadmin/ {
             auth_basic "Private";
            auth_basic_user_file /usr/local/nginx/conf/htpasswd;
            }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      #include /usr/local/nginx/conf/vts_server.conf;
    }
    
    I just need to stop the loading of http now and redirect to https.
     
  7. Set3sh

    Set3sh Active Member

    Glockie likes this.
  8. Glockie

    Glockie Well-Known Member

    Right okay.. so should I edit the domain.com.conf files in nginx/etc./conf.d/
    Is that where I need to make changes?
    Now I am well & truly confused hehe :D
     
  9. Glockie

    Glockie Well-Known Member

    Like so George?


    Code:
    server {
                listen   80;
                listen  443 ssl;
               server_name oursite.com;
                return 301 $scheme://oursite.com$request_uri;
            ssl_certificate      /home/nginx/domains/oursite.com/private/oursite.com.chained.crt;
                ssl_certificate_key  /home/nginx/domains/oursite.com/private/oursite.com.key;
    # force https-redirects
    if ($scheme = http) {
    return 301 https://$server_name$request_uri;
    }
    
    Many thanks & kind regards
     
  10. Set3sh

    Set3sh Active Member

    Hello,

    Yes, that is correct.
    Don't forget to close the bracket of the server section: server { ... }
    Nginx has different configuration files compared to apache.
    So to answer your question: Yes. Those .conf files are the ones you need to edit now.

    Kind regards,
    George.
     
    Glockie likes this.
  11. RoldanLT

    RoldanLT Well-Known Member

  12. Glockie

    Glockie Well-Known Member

    Thanks Roldan. Have followed it, the SSL is installed, and working when ON https but the redirect is not.
    So added the code George mentioned, and then also edited my domain.conf file with a 302 redirect.
    Still won't redirect from http to https :(
     
  13. Set3sh

    Set3sh Active Member

    Hello,

    Please modify server_name and listen variables to:
    listen 443 ssl spdy;
    server_name oursite.com www.oursite.com;

    And add # in front of return 301 $scheme://oursite.com$request_uri;

    Kind regards,
    George.
     
  14. eva2000

    eva2000 Well-Known Member

    should work fine if you follow guide at Nginx SPDY SSL Configuration - CentminMod.com LEMP Nginx web stack for CentOS. Make sure to restart nginx web server after making changes

    Code:
    server {
      server_name domain.com www.domain.com;
       return 302 https://$server_name$request_uri;
    }
    
    server {
      listen 443 ssl spdy;
      server_name domain.com www.domain.com;
    
    Or pop on by the Centmin Mod forums for SSL stuff Domains, DNS, Email & SSL Certificates ;)
     
    RoldanLT likes this.
  15. Glockie

    Glockie Well-Known Member

    Hello George,
    To clarify;
    Drop the listen 80?

    So it would read;
    server {

    listen 443 ssl spdy;
    server_name oursite.com www.oursite.com;
    #return 301 $scheme://socialswinging.com$request_uri;
    ssl_certificate /home/nginx/domains/oursite.com www.oursite.com;/private/oursite.com www.oursite.com;.chained.crt;
    ssl_certificate_key /home/nginx/domains/oursite.com www.oursite.com;/private/oursite.com www.oursite.com;.key;
    # force https-redirects
    if ($scheme = http) {
    return 301 https://$server_name$request_uri;
    }


    Many thanks
    Regards
    Kris
     
  16. eva2000

    eva2000 Well-Known Member

    Glockie likes this.
  17. Glockie

    Glockie Well-Known Member

    Okay will do.
    I used several guides 3 days ago when I bought the ssl and it installed fine, only had some minor changes (links) on the site afterwards to fix.
    The thorn in my side is this redirect. Just cannot get her moving..
    Will try again, thank you all so much for your help. I appreciate it immensely!! :)
     
  18. RoldanLT

    RoldanLT Well-Known Member

    @Glockie This basic config should work for you:
    Code:
    server {
        listen 80;
        server_name phcorner.net www.phcorner.net;
        return 301 https://www.phcorner.net$request_uri;
    }
    
    server {
        listen 443 ssl spdy reuseport;
        server_name phcorner.net www.phcorner.net;
        keepalive_timeout 300;
       
        add_header X-Content-Type-Options "nosniff";
        add_header Alternate-Protocol 443:npn-spdy/3;
           
        ssl_certificate /usr/local/nginx/conf/ssl/phcorner/ssl-unified.crt;
        ssl_certificate_key /usr/local/nginx/conf/ssl/phcorner/phcorner_net.key;
       
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 24h;
        spdy_headers_comp 6;
        spdy_keepalive_timeout 300;
        ssl_buffer_size 1400;
        ssl_session_tickets on;
    
        root /home/nginx/domains/phcorner.net/public;
       
        ### Start Xenforo
        location / {
        index index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$uri&$args;
        }      
    
        location /internal_data {
            location ~ \.(data|html|php)$ {
            internal;
            }
        internal;
        }
    
        location /library {
            location ~ \.(default|html|php|txt|xml)$ {
            internal;
            }
        internal;
        }
                   
        location /install {
            index index.php index.html index.htm;
            include /usr/local/nginx/conf/php.conf;
            auth_basic "Private";
            auth_basic_user_file /usr/local/nginx/conf/htpasswd;
        }
    
        location ~ ^/(admin.php) {
            include /usr/local/nginx/conf/php.conf;
            auth_basic "Private";
            auth_basic_user_file /usr/local/nginx/conf/htpasswd;
        }
        ### End Xenforo
    
        include /usr/local/nginx/conf/staticfiles.conf;
        include /usr/local/nginx/conf/php.conf;
        include /usr/local/nginx/conf/drop.conf;
    }
    
    Just modify the domain used, root path, certificate path/file.
    And just adjust some of its config or add more from here: Nginx SPDY SSL Configuration - CentminMod.com LEMP Nginx web stack for CentOS
     
    eva2000 likes this.
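
Added example (not part of any post in this thread, and not Centmin Mod or XenForo code): a small Python check that lists nginx `server` blocks still answering on port 80 without a server-level `return` to `https://`. It catches two patterns visible in the configs posted above: a block with no `listen` directive, which nginx serves on port 80, and a `return` to `$scheme://...`, which keeps http as http. The function names and the `example.com` hosts are made up for illustration, the parser is deliberately simplified, and redirects placed inside `if` blocks are not evaluated.

```python
import re
REDIRECT_CODES = {"301", "302", "307", "308"}

def server_blocks(conf):
    """Return, for each server { } block, its direct directives as word lists."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf))
    blocks, stack, words = [], [], []
    for tok in tokens:
        if tok not in ("{", "}", ";"):
            words.append(tok)
            continue
        if tok == "{":
            stack.append(words[0] if words else "")
            if stack[-1] == "server":
                blocks.append([])
        elif tok == "}" and stack:
            stack.pop()
        elif tok == ";" and words and stack and stack[-1] == "server":
            blocks[-1].append(words)
        words = []
    return blocks

def port_of(addr):
    m = re.search(r"(?:^|:)(\d+)$", addr)
    return int(m.group(1)) if m else 80   # an address without a port means 80

def plain_http_findings(conf):
    """(server_names, return_target) for blocks serving port 80 with no https redirect."""
    findings = []
    for directives in server_blocks(conf):
        names = [w for d in directives if d[0] == "server_name" for w in d[1:]]
        listens = [d[1:] for d in directives if d[0] == "listen"] or [["80"]]  # default
        plain = any(port_of(l[0]) == 80 and "ssl" not in l for l in listens)
        ret = next((d for d in directives if d[0] == "return"), None)
        target = ret[2] if ret and len(ret) == 3 else None
        to_https = bool(target) and ret[1] in REDIRECT_CODES and target.startswith("https://")
        if plain and not to_https:
            findings.append((names, target))
    return findings

SAMPLE = """# constructed sample, modelled on the configs posted in the thread
server { listen 80; listen 443 ssl; server_name www.example.com;
         return 301 $scheme://example.com$request_uri; }   # http stays http
server { server_name example.com; root /srv/example/public; }   # no listen
server { listen 80; server_name ok.example.com;
         return 301 https://ok.example.com$request_uri; }
server { listen 443 ssl; server_name ok.example.com; }
"""
if __name__ == "__main__":
    print(plain_http_findings(SAMPLE))
```

A directive that is missing its trailing semicolon swallows the line after it, so a `return` written directly after an unterminated `server_name` is reported as an extra server name and the block is flagged as having no redirect.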
  19. eva2000

    eva2000 Well-Known Member

  20. Glockie

    Glockie Well-Known Member

    Okay pass.... Can't get it working. Think it's above my skill levels.. :cautious: :oops:
     
