Search form

Nginx: Redirect All HTTP and HTTPS non-WWW to HTTPS WWW

One common requirement for a web site, especially in the age of mandatory SSL, is to ensure that its address is a) consistent, and b) forwards to SSL. In other words, when a visitor types in http://www.mysite.com/, http://mysite.com/, OR https://mysite.com/, they should be sent to https://www.mysite.com/.

To do this, we'll set up some Nginx server blocks in a config file located at /etc/nginx/sites-available/mysite.com (we're on Ubuntu 16 here, we're running a PHP web site using PHP7.0-FPM, and we're assuming you've got your SSL key-certificate pair ready to go).

First, we set up our forwards for http://mysite.com/ and http://www.mysite.com/:

server {
        listen       80;
        listen       [::]:80;
        server_name  mysite.com www.mysite.com;
        return       301 https://www.mysite.com$request_uri;
}

Next, we configure https://mysite.com to forward to https://www.mysite.com/ (we need our SSL cert to be working for this):

server {
        listen       443 ssl http2;
        listen       [::]:443 ssl http2;

        server_name  geoffstratton.com;

        ssl_certificate /etc/path/to/my/certificate.pem;
        ssl_certificate_key /etc/path/to/my/privatekey.pem;

        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/certs/dhparams.pem;

        return       301 https://www.mysite.com$request_uri;
}

Finally, we set up our non-forwarding server block:

        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        server_name www.mysite.com;

        error_log /var/log/nginx/mysite_error.log;
        access_log /var/log/nginx/mysite_access.log;

        ssl_certificate /etc/path/to/my/certificate.pem;
        ssl_certificate_key /etc/path/to/my/privatekey.pem;

        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/certs/dhparams.pem;

        root /var/www/mysite.com;

        # Add index.php to the list if you are using PHP
        index index.php;
        # index index.html index.htm index.nginx-debian.html;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                # try_files $uri $uri/ =404;
                try_files $uri @rewrite;
        }

        location @rewrite {
                rewrite ^ /index.php last;
        }

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
        #
        #       # With php7.0-cgi alone:
        #       fastcgi_pass 127.0.0.1:9000;
        #       # With php7.0-fpm:
                fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        }

        location ~*  \.(jpg|jpeg|png|gif|ico|css|js)$ {
                expires 7d;
        }

Finally, remember to symlink your config file to /etc/nginx/sites-enabled/ (ln -s /etc/nginx/sites-available/mysite /etc/nginx/sites-enabled/mysite) and restart Nginx (systemctl restart nginx).

Looking for affordable web hosting? Try GreenGeeks for only $3.95/mo. (I'm both an affiliate and a client.)

I participate in the Amazon Associates program. Making your Amazon purchases through my affiliate links supports this site at no additional cost to you: