
Forcing your Website to use HTTPS (SSL) with the Nginx Web Server

- August 13, 2016

Forcing a website to use HTTPS instead of HTTP is something that should be handled by the web server. The Nginx web server makes it an almost trivial task.

Some websites can be accessed using either protocol, just like some websites can be accessed with or without the “www” prefix. Neither of these things should ever be allowed.

While website software can be used to force HTTPS when it’s driven by scripting languages (like PHP or Active Server Pages), it’s easier and safer to do it with the web server itself.

Forcing HTTPS on the Nginx Web Server

I explained the lines for SSL that have to be added to the main nginx.conf file as well as the virtual host (“server”) file when I wrote about getting a free SSL certificate. I won’t repeat them here. I’m only going to show you how to force the redirects in your virtual host file. Suppose you have a single website and you prefer the version that starts with the “www” prefix:

server {
    listen      80;
    server_name domain.name;
    access_log  off;
    error_log   /dev/null;
    return      301 https://www.domain.name$request_uri;
    # redirects HTTP *without* the "www" to HTTPS with it
}
server {
    listen      80;
    server_name www.domain.name;
    access_log  off;
    error_log   /dev/null;
    return      301 https://www.domain.name$request_uri;
    # redirects HTTP *with* the "www" to HTTPS with it.
}
server {
    listen      443 ssl http2;
    server_name domain.name;
    access_log  off;
    error_log   /dev/null;
    # (insert SSL directives here)
    return      301 https://www.domain.name$request_uri;
    # redirects HTTPS *without* the "www" to HTTPS with it.
}
server {
    listen      443 ssl http2;
    server_name www.domain.name;
    # (continue with everything you need here because this is the destination)
}

With the main domain name (with “www” or without), it takes four stanzas to get things rolling the right way. With a subdomain other than “www” (which is still a subdomain but not treated as such), it only takes two.
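To confirm that all four entry points end up at the HTTPS "www" host in a single 301 with the path and query string intact, the redirects can be audited with a short script. This is an added example, not code from the original article; `simulated` is a constructed stand-in for the four stanzas, and the function names are assumptions.

```python
import http.client
from urllib.parse import urlsplit

CANONICAL = "https://www.domain.name"   # destination host used in the article
ENTRY_POINTS = ["http://domain.name", "http://www.domain.name",
                "https://domain.name", "https://www.domain.name"]

def request_uri(url):
    """Path plus query string, i.e. what nginx exposes as $request_uri."""
    p = urlsplit(url)
    return (p.path or "/") + ("?" + p.query if p.query else "")

def simulated(url):
    """Constructed stand-in for the four stanzas: returns (status, Location)."""
    p = urlsplit(url)
    if f"{p.scheme}://{p.hostname}" == CANONICAL:
        return 200, None
    return 301, CANONICAL + request_uri(url)

def live(url):
    """One HEAD request against a real server, without following redirects."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.hostname, timeout=5)
    conn.request("HEAD", request_uri(url))
    resp = conn.getresponse()
    result = resp.status, resp.getheader("Location")
    conn.close()
    return result

def audit(respond, path="/page?id=7", max_hops=3):
    """Return a list of problems; an empty list means the redirects are right."""
    problems = []
    for entry in ENTRY_POINTS:
        url, hops = entry + path, 0
        while True:
            status, location = respond(url)
            if status == 200:
                break
            if status != 301 or not location or hops == max_hops:
                problems.append(f"{entry}: status {status} after {hops} hop(s)")
                break
            url, hops = location, hops + 1
        if status == 200 and (url != CANONICAL + path or hops > 1):
            problems.append(f"{entry}: ended at {url} after {hops} hop(s)")
    return problems

if __name__ == "__main__":
    print(audit(simulated) or "all four entry points reach " + CANONICAL)
```

To check a real server, set `CANONICAL` and `ENTRY_POINTS` to your own host names and call `audit(live)`. A redirect loop, such as the one nginx produces when the destination stanza does not match the "www" host, shows up as a 301 still being returned after `max_hops`.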



Mixed HTTP and HTTPS Websites

With the HTTP/2 network protocol, there isn’t a need for mixed protocols. At one time, I and many others used HTTP on the front-end and SSL on the back-end. It’s no longer necessary, and anyone who tells you it is necessary is giving you bad advice.

HTTP/2 (which only works with SSL) is as fast as HTTP with HTTP/1.1, perhaps faster. Why? Because it processes multiple requests with every TCP connection where HTTP/1.1 can only handle one at a time. Every major web browser supports it now, even though it’s relatively new.

If a particular web browser doesn’t support it, the web server and the web browser will both fall back to HTTP/1.1. It’s slower but it still works. Only obscure web browsers used by very few people (or people who refuse to upgrade their web browsers) should fall into this category.


RTCXpression established Feb 28, 2011
Copyright © 2013-2017 RT Cunningham