nginx HTTPS serving with same config as HTTP

Question

Is there a way to share configuration directives across two nginx server {} blocks? I'd like to avoid duplicating the rules, as my site's HTTPS and HTTP content are served with the exact same config.

Currently, it's like this:

server {
  listen 80;
  ...
}

server {
  listen 443;

  ssl on; # etc.
  ...
}

Can I do something along the lines of:

server {
  listen 80, 443;
  ...

  if(port == 443) {
    ssl on; #etc
  }
}

score 318 · Accepted Answer · edited Jul 14 '17 at 08:50

318

You can combine this into one server block like so:

server {
    listen 80;
    listen 443 default_server ssl;

    # other directives
}

Official How-To

edited Jul 14 '17 at 08:50

Drifter104

3,773
2
25
39

answered May 21 '09 at 18:54

Jauder Ho

5,507
2
19
17

8

Ah, I had no idea nginx was intelligent enough to ignore the SSL directives if loaded over port 80. Awesome! – ceejayoz May 21 '09 at 19:34
78

nginx is all sorts of WIN. – Jauder Ho May 21 '09 at 19:38
7

and if you have several sites at one server, it's worth mentioning that "default" is not obligatory – luchaninov Jul 01 '11 at 15:32
7

So elegant it hurts... – Alix Axel Nov 24 '12 at 01:39
1

I believe this works best "listen 443 default ssl;" not "listen 443 default_server ssl;" } – Andres Mar 31 '13 at 07:52
1

How do you configure 'proxy_pass' for load balancing using this solution? – Mike Purcell Apr 24 '13 at 23:34
5

not working here... "The plain HTTP request was sent to HTTPS port" – gcstr Aug 18 '14 at 03:55
1

@goo You need to omit line `SSL on;` as sugguested by user below. – ish1301 Nov 05 '14 at 15:58
1

For some reason this does not work anymore in recent Nginx 1.10.1 (regardless of `SSL on` line existence). I was forced to split ssl and non-ssl servers to separate `server{}` blocks) – Artur Bodera Aug 01 '16 at 10:57
I am using both in the same directive in nginx 1.14, but nginx is not intelligent enough because over http I get the SSL headers – user1156544 Aug 10 '18 at 18:07
1

Is there a way to redirect http to https while still keeping a single `server` block. – rmn Sep 18 '18 at 12:09
Ubuntu 22.04 + Nginx 1.18.0 keep warning with 404 on 80 but 443 works fine. – Gemini Keith May 09 '23 at 08:21

score 95 · Answer 2 · answered Jun 13 '12 at 06:19

95

To clarify the accepted answer, you need to omit

SSL on;

and you just need the following for nginx version after 0.8.21

listen 443 ssl;

Reference:

Nginx Docs - Configuring A single HTTP/HTTPS server

answered Jun 13 '12 at 06:19

Sean Tan

1,051
7
2

2

Thank you! I could not figure out why nothing on http was working. Removing SSL on; worked. – Chris Cummings Feb 14 '14 at 16:27

score 32 · Answer 3 · edited Aug 01 '16 at 13:24

32

I don't know of a way like you suggest, but there's certainly an easy and maintainable way.

Move common server settings into a separate file, i.e. "serverFoo.conf" and then include it in separate server {} blocks like so:

server {
    listen 80;
    include serverFoo.conf;
}
server {
    listen 443 ssl;
    include serverFoo.conf;
}

edited Aug 01 '16 at 13:24

Artur Bodera

224
2
7

answered May 21 '09 at 18:38

dwc

1,528
12
10

2

+1 = works for me. (Couldn't get it to work with the other method.) – Jul 03 '09 at 15:44
Also, the other example doesn't account for 'proxy_pass' if acting as a load balancer. – Mike Purcell Apr 24 '13 at 23:34
This option is great if your `server_name` is different for each port – iDev247 Oct 03 '13 at 06:40
5

Don't use ssl on, use ```listen 443 ssl;``` from now one. – Melroy van den Berg Mar 22 '16 at 21:47
This seems to be the only solution that is working with recent nginx 1.10.1. For some reason two `listen` lines are not interpreted correctly, but moving them to separate `server{}` fixes it. – Artur Bodera Aug 01 '16 at 10:54
This should be the accepted answer – miknik Jul 11 '18 at 01:58

Jonathan · Answer 4 · 2015-01-07T14:14:45.987

12

Expanding on the already helpful answers, here is a more complete example:

server {

    # Listen on port 80 and 443
    # on both IPv4 and IPv6
    listen 80;
    listen [::]:80 ipv6only=on;
    listen 443 ssl;
    listen [::]:443 ipv6only=on ssl;

    # Set website folder
    root /path/to/your/website;

    # Enable SSL
    ssl_certificate your-cert.pem;
    ssl_certificate_key your-cert.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;
}

edited Jan 07 '15 at 14:14

answered May 10 '13 at 17:48

Jonathan

221
2
3

2

I know this is a pretty old answer, but as it's very complete I just wanted to point out for others who may use it that you should disable the SSLv3 protocol as its vulnerable to the POODLE vulnerability: https://disablessl3.com/ Instead use: ssl_protocols TLSv1 TLSv1.1 TLSv1.2; – user147787 Jan 06 '15 at 23:32

score 6 · Answer 5 · answered Feb 25 '11 at 13:11

6

Just to add to Igor/Jauder's post, if you're listening to a specific IP you can use:

listen xxx.xxx.xxx.xxx;
listen xxx.xxx.xxx.xxx:443 default ssl;

answered Feb 25 '11 at 13:11

Matt Bostock

61
1
1

nginx HTTPS serving with same config as HTTP

5 Answers5

Linked