
I've just set up an nginx server and letsencrypt, and I think some of the changes certbot has made to my config has messed things up.

I want my website to use HTTPS by default, and to serve all files with HTTPS to avoid mixed content errors like:

Mixed Content: The page at 'https://example.org/login' was loaded over HTTPS, but requested an insecure stylesheet 'http://example.org/css/auth.css?v=1'. This request has been blocked; the content must be served over HTTPS.

Here is my Nginx config - I'm concerned with the level of duplication I see since adding the SSL certificate, but not experienced enough to know if that is causing any problems. I've replaced my domain with "example.org".

```nginx
server {

    listen 80;
    listen 443 default_server ssl;
    listen [::]:443 ssl ipv6only=on;

    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    server_name example.org;
    charset   utf-8;

    root /home/www/example.org/public;
    index index.php index.html index.htm;

    gzip on;
    gzip_vary on;
    gzip_disable "msie6";
    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
        text/plain
        text/css
        text/js
        text/xml
        text/javascript
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/xml+rss;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
        autoindex on;
    }

    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|svg|woff|woff2|ttf) {
        expires 1M;
        access_log off;
        add_header Cache-Control "public";
    }

    location ~* \.(?:css|js) {
        expires 7d;
        access_log off;
        add_header Cache-Control "public";
    }

    location ~ /\.ht {
        deny all;
    }
}

server {

    root /home/www/example.org/public;
    index index.php index.html index.htm;
    server_name example.org www.example.org; # managed by Certbot
    charset   utf-8;

    gzip on;
    gzip_vary on;
    gzip_disable "msie6";
    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
        text/plain
        text/css
        text/js
        text/xml
        text/javascript
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/xml+rss;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|svg|woff|woff2|ttf) {
        expires 1M;
        access_log off;
        add_header Cache-Control "public";
    }

    location ~* \.(?:css|js) {
        expires 7d;
        access_log off;
        add_header Cache-Control "public";
    }

    location ~ /\.ht {
        deny all;
    }
}

server {
    if ($host = www.example.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = example.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name example.org www.example.org;
    return 404; # managed by Certbot
}
```
Matadeleo
  • This sounds like less of a problem of `nginx` but more of your content. If you load a page that then wants to load resources (e.g. a CSS file) via HTTP, you'll get this warning. Fix your content. – Sven Apr 04 '19 at 11:09
  • @Sven I believe it is my `nginx` configuration responsible for this. My CSS/JS files are referenced using HTTPS however the server seems to be defaulting to HTTP when the opposite is what I am trying to achieve. The content is tested and working with SSL on local and testing environments. – Matadeleo Apr 04 '19 at 11:19
  • The server will try to deliver what the client requests and not alter it. – Sven Apr 04 '19 at 11:23
  • I managed to deploy the app using a service that configures nginx for you, and everything is working fine. All requests are properly redirected to HTTPS. Even if I change the references to HTTP they are successfully altered and returning HTTPS. I apologise if this comes across stubborn, but would this not suggest the config is at fault? – Matadeleo Apr 04 '19 at 11:43
  • First: The duplicate configuration blocks should not exist. Second, nothing in all those config blocks would rewrite anything either from HTTP to HTTPS or vice versa. The error message you show *clearly* indicates that the content the server delivers (likely generated by some PHP code) is including resources from an HTTP URL. This is (again: most likely) a problem within that PHP code (e.g. due to a hardcoded absolute URL, not a relative one). – Sven Apr 04 '19 at 11:55
  • If you read and understand the comments by Sven you will probably solve your problem. Nginx is just a proxy. Fix the application that is generating the http links. – Tim Apr 05 '19 at 08:37

2 Answers

Couldn't figure out an elegant solution on my own. "Dirty solution" was to enable cloudflare on the domain then set Always Use HTTPS: ON and Automatic HTTPS Rewrites: ON

Matadeleo

Why don't you try changing this

```nginx
if ($host = example.org) {
    return 301 https://$host$request_uri;
}
```

to this

```nginx
if ($scheme = http) {
    return 301 https://example.org$request_uri;
}
```

Change the other redirection also.

Abhijith
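As an added example (not the asker's config and not either answer's), here is how the three server blocks in the question collapse into the layout Sven's comment points at: one plain port-80 block whose only job is the redirect (so no `if` is needed, unlike the snippet in the answer above) and one TLS block that serves the site. Paths and the PHP socket are taken from the question; the `Content-Security-Policy: upgrade-insecure-requests` header and the explicit `HTTPS` FastCGI parameter are my additions that address the mixed-content symptom from the server side, and assume the site is fine with browsers upgrading every `http://` sub-resource.

```nginx
# Port 80: redirect only, nothing is served here. A literal host name is used
# so a client-supplied Host header is never reflected into the Location header.
server {
    listen 80;
    listen [::]:80;
    server_name example.org www.example.org;
    return 301 https://example.org$request_uri;
}

# Port 443: the single block that serves the site over TLS.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl;
    server_name example.org www.example.org;

    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Browsers upgrade any http:// stylesheet/script/image the HTML references
    # before fetching it; this is the nginx-side counterpart of Cloudflare's
    # "Automatic HTTPS Rewrites". It hides the symptom, the PHP output still
    # needs fixing. "always" keeps the header on error responses too.
    add_header Content-Security-Policy "upgrade-insecure-requests" always;

    root /home/www/example.org/public;
    index index.php index.html index.htm;
    charset utf-8;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Make $_SERVER['HTTPS'] explicit so the application builds https://
        # URLs itself (most frameworks derive the scheme from this value).
        fastcgi_param HTTPS on;
    }

    location ~ /\.ht {
        deny all;
    }
}
```

The gzip settings and the static-asset cache locations from the question go into the 443 block unchanged; note that nginx does not inherit `add_header` into a location that sets its own `add_header`, so the CSP header has to be repeated inside the `Cache-Control` locations or it will be missing on those responses.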