Nginx 301 domain redirect not working
Firstly, you don't have to set IPv6 unless you want to use it specifically. Use your config like this:
server {
    listen 80;
    server_name example2.com www.example2.com example.com www.example.com;
    return 301 https://www.example2.com$request_uri;
}
server {
    listen 443 ssl http2;
    server_name example2.com;
    # First 443 block, so it is the default server for that port and needs a certificate
    ssl_certificate /etc/nginx/ssl/example2.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example2.com.key;
    return 301 https://www.example2.com$request_uri;
}
server {
    listen 443 ssl http2;
    server_name www.example2.com;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients need them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    ssl_certificate /etc/nginx/ssl/example2.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example2.com.key;
    client_max_body_size 100M;
    location ~ ^/\.well-known {
        root /var/www/ghost;
        allow all;
    }
    location / {
        proxy_pass http://127.0.0.1:2368;
        proxy_buffering off;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Referer "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Header name corrected from X-Forward-For
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;
    }
}
Also, do not forget to create the /etc/nginx/ssl folder and the dhparam.pem file.
sudo mkdir /etc/nginx/ssl && sudo openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 4096
cphill
Updated on September 18, 2022
Comments
-
cphill over 1 year
I am trying to redirect (or I guess forward) my old domain (example.com) to my new domain (example2.com) now that I have updated my server config to accommodate the new domain. However, it doesn't appear that the 301 redirect clause in my Nginx config is working properly because I'm still able to access example.com, which redirects to https://www.example.com like the configuration that was set up prior to pointing this server to the new domain. When https://www.example.com is accessed it renders "Your connection is not private", which makes sense as I changed the SSL config to point to the certificates for example2.com. Is there something wrong with my 301 configuration? If there isn't, could it be that I still have an A record (example.com) and CNAME record (www.example.com) pointing to my IP address that is allowing access to the site through the old domain to exist?
Note: I have no problem accessing example2.com, which redirects to https://www.example2.com as expected.
Here is my Nginx config:
server {
    listen 80;
    listen [::]:80;
    server_name example2.com www.example2.com example.com www.example.com;
    return 301 https://www.example2.com$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    include snippets/ssl-www.example2.com.conf;
    include snippets/ssl-params.conf;
    server_name example2.com;
    return 301 https://www.$server_name$request_uri;
}
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    include snippets/ssl-www.example2.com.conf;
    include snippets/ssl-params.conf;
    server_name www.example2.com;
    client_max_body_size 100M;
    location ~ ^/\.well-known {
        root /var/www/ghost;
        allow all;
    }
    location / {
        proxy_pass http://127.0.0.1:2368;
        proxy_buffering off;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Referer "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Header name corrected from X-Forward-For
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;
    }
}
-
Admin about 6 years
Have you cleared the browser cache? Also, there's no point forwarding domains where you've given up the A/CNAME record.
-
Admin about 6 years
It's not this config that's redirecting example.com to example.com.
-
Admin about 6 years
@RichardSmith I cleared my cache, but I still run into the issue mentioned in the question and have not deleted A/CNAME records yet
-
Admin about 6 years
@GerardH.Pille can you elaborate? I'm not sure I follow
-
Admin about 6 years
I can't elaborate. The config you've added to your question would not redirect example.com to H T T P S : / / w w w . example.com. (In my previous comment, you need to put the cursor above the link.)
-
Admin about 6 years
Where is your configuration for the old domain?
-
Admin about 6 years
Did your old domain specify an HSTS header? You may need to reset the browser to destroy that association.
-
Admin about 6 years
@RichardSmith so I think it might have needed a browser reset to destroy the association. If I navigate to example.com then it redirects to https://www.example2.com, but if I navigate to https://www.example.com it doesn't redirect and tries to access a server at that location (www.example.com) with the "unsafe connection" warning. Any thoughts?
-
Admin about 6 years
By "unsafe connection" I meant "Your connection is not private. This server could not prove it is www.example.com; its security certificate is from example2.com"
-
Admin about 6 years
As has previously been stated: you do not have a redirection set up for https://example.com - it will be handled by the third server block (the default server for port 443). Move the default_server from the third block to the second block. See this link for more. All this is probably pointless if you do not have a certificate for the old domain.
-
Admin about 6 years
@RichardSmith I still have the certificate for the old domain and now I understand what you are saying. For some reason I interpreted the http port block to be a global redirect when in reality it only will redirect when someone accesses the previous website with http. Based on your suggestion, should I remove the top to server_name www.example2.com; in the third block and append default_server to the end of the two listen lines in the second server block?
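The server selection discussed in the comments above, as an added example that is not part of the original thread: a simplified Python model (exact server_name matches only) of which block answers a request under the question's config, and under an assumed fix that adds a 443 block for the old names presenting the old certificate. The block labels, the certificate coverage and the hsts_hosts parameter are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Server:
    label: str               # constructed label, used only in the results
    port: int
    names: tuple             # server_name values
    action: str              # what the block does once a request reaches it
    cert_names: tuple = ()   # hostnames the block's certificate covers
    default: bool = False    # "default_server" on the listen line

def select(servers, port, host):
    """Pick the block for host:port (exact names only; no wildcard or regex)."""
    candidates = [s for s in servers if s.port == port]
    for s in candidates:              # 1. exact server_name match
        if host in s.names:
            return s
    for s in candidates:              # 2. explicit default_server
        if s.default:
            return s
    return candidates[0]              # 3. first block defined for the port

def outcome(servers, scheme, host, hsts_hosts=()):
    """Return (block label, result) for a browser request to scheme://host."""
    if host in hsts_hosts:            # browser remembers HSTS: http becomes https
        scheme = "https"
    server = select(servers, 443 if scheme == "https" else 80, host)
    if scheme == "https" and host not in server.cert_names:
        # TLS is negotiated before nginx can send any "return 301".
        return (server.label, "certificate mismatch")
    return (server.label, server.action)

NEW = ("example2.com", "www.example2.com")
OLD = ("example.com", "www.example.com")
REDIRECT = "301 https://www.example2.com"

# The three blocks from the question; the certificate is assumed to cover both new names.
QUESTION = [
    Server("http-all", 80, NEW + OLD, REDIRECT),
    Server("https-apex", 443, ("example2.com",), REDIRECT, NEW),
    Server("https-www", 443, ("www.example2.com",), "proxy to Ghost", NEW, default=True),
]
# Assumed fix: a 443 block for the old names that still presents the old certificate.
FIXED = QUESTION + [Server("https-old", 443, OLD, REDIRECT, OLD)]

if __name__ == "__main__":
    for url in (("http", "example.com"), ("https", "www.example.com")):
        print(url, outcome(QUESTION, *url), outcome(FIXED, *url))
```

Passing hsts_hosts=OLD to outcome() reproduces the case raised in the comments where a browser that cached HSTS for the old domain goes straight to HTTPS and never reaches the port 80 redirect.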
-
-
cphill about 6 years
Thanks for the answer. Can you briefly summarize the changes you propose and how my config was wrong? This will make it easier to understand why I should follow your answer.
-
cphill about 6 years
I believe I am following along now. I used Let's Encrypt so the ssl server block you have set up is already referenced in files in another directory. As a result should I just reference those paths in my server block? For instance /etc/letsencrypt/ssl-dhparams.pem is the path for ssl_dhparam and /etc/letsencrypt/options-ssl-nginx.conf contains ssl_protocols, ssl_prefer_server_ciphers, and ssl_ciphers
-
Bert about 6 years
What I've modified is: removed IPv6 | removed those includes from server blocks | added a proper ssl key setting for the last server block | enhanced your SSL config with the dhparam, protocol, ciphers etc.... Also, the allow all can be removed as well, unless you want to deny some specific addresses.