Question

Nginx SSL server block not to force https

Hello DigitalOcean users,

Is it possible to NOT force HTTPS? I have a Multi WordPress site setup and I’m attempting to perform domain mapping that will allow me to have HTTPS and non-SSL sites running from the same IP. My current SSL setup works but every time I add a domain I’m required to create an SSL certificate to my project… what if I want to have a regular HTTP site instead?

So while my domain mapping plugin from WPMUDev has https forcing OFF, my server block does the opposite.

My port 80 server block looks like this:

server {
        listen 80;
        server_name example.com www.example.com;
        return 301 https://$server_name$request_uri;
}

If I remove the 301 redirect from the server block then all non-SSL sites just redirect to example.com instead of the appropriate domain.

Any help would be appreciated.



Accepted Answer

I got it working and my virtualhost file ended up looking like this

server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;

        listen 443 ssl;

        root /var/www/html/wordpress;
        index index.php index.html index.htm;

        server_name maindomain.com www.maindomain.com *.maindomain.com;
        ssl_certificate /etc/letsencrypt/live/maindomain.com-0001/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/maindomain.com-0001/privkey.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-S$';
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_stapling on;
        ssl_stapling_verify on;
        add_header Strict-Transport-Security max-age=15768000;
        location / {
                try_files $uri $uri/ /index.php?$args;
        }
        location ~ /favicon.ico {
                access_log off;
                log_not_found off;
        }
        location ~ /.well-known {
                allow all;
        }
}

Is there anything else that can be done?

Ryan Quinn
DigitalOcean Employee
December 21, 2016

You’ll have to do a bit more than just removing the 301 redirect since the entry doesn’t have any PHP support included.

Instead, copy the contents of the SSL virtualhost in the other file in /etc/nginx/sites-enabled/ replacing the servername and return 301 lines here. Then delete the lines covering your certificate files. Once done, restart nginx with service nginx restart

Ex. You’ll want to remove the lines that look like this:

        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

as well as making sure you don’t leave anything referring to port 443. Your default-ssl.conf file will not be changed in any way, we’ll just use it as a source for the configuration directives we need.

Thank you so much for responding. My two files look like this:

server {
    listen 443 ssl;
    server_name maindomain.com *.maindomain.com;
    ssl_certificate /etc/letsencrypt/live/maindomain.com-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/maindomain.com-0001/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-S$
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;
    root /var/www/html/wordpress;
    index index.php index.html index.htm;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    location ~ /favicon.ico {
        access_log off;
        log_not_found off;
    }
    location ~ /.well-known {
        allow all;
    }
}

And the second file is:

server {
    listen 80;
    server_name maindomain.com www.maindomain.com;
    return 301 https://$server_name$request_uri;
}

Are you saying that I should remove all ssl related lines in my port 443? Or that I shouldn’t have anything related to port 443. Instead let the server treat everything as HTTP?

Should there be just one file that looks like this:

server {
    listen   80;
    listen   [::]:80;

    server_name maindomain.com *.maindomain.com;

    root /var/www/html/wordpress;
    index index.php index.html index.htm;
    location / {
        try_files $uri $uri/ /index.php?$args ;
    }
    location ~ /favicon.ico {
        access_log off;
        log_not_found off;
    }
    location ~ /.well-known {
        allow all;
    }
}
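
The layout discussed in this thread, written out as an added example (not code from the thread or from DigitalOcean): names that have a certificate are redirected to HTTPS, and a default port-80 block serves the mapped domains over plain HTTP. The PHP-FPM snippet and socket path are assumptions based on Debian/Ubuntu packaging, since the thread does not show a PHP location, and the certificate is assumed to cover both names listed in block 3.

```nginx
# 1) Names that have a certificate: port 80 only redirects to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name maindomain.com www.maindomain.com;
    return 301 https://$host$request_uri;
}

# 2) Every other Host on port 80 (mapped domains without a certificate):
#    plain HTTP, no redirect, no ssl_* directives, no HSTS header.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    root /var/www/html/wordpress;
    index index.php index.html index.htm;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    # Assumption: snippet and socket path as packaged on Debian/Ubuntu.
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}

# 3) HTTPS for the certified names. HSTS is sent only from this block.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name maindomain.com www.maindomain.com;
    ssl_certificate     /etc/letsencrypt/live/maindomain.com-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/maindomain.com-0001/privkey.pem;
    ssl_protocols TLSv1.2;  # the thread's blocks also enable TLSv1 and TLSv1.1
    add_header Strict-Transport-Security "max-age=15768000" always;
    root /var/www/html/wordpress;
    index index.php index.html index.htm;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Check the syntax with nginx -t before reloading. A mapped domain requested over https:// still lands in block 3 and is shown the maindomain.com certificate, so it is reachable cleanly only over http://.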
