
Resolved PLESK 12.5 - NGINX Redirect https / Let's Encrypt

P_heck

Basic Pleskian
Hello!

I have searched for a solution but didn't find one, so if this question has already been answered, please just direct me to the thread.

12.5.30 Update #47 running on Debian Wheezy, using NGINX with fpm-php on PHP 7.0.10
I have now updated all my customer websites to SSL using the Let's Encrypt extension which works fine.
Now I want to redirect all http traffic to https. First try was to use the following statement:

Code:
if ($scheme = http) {
    return 301 https://$server_name$request_uri;
}

This one works fine for the redirect, but it breaks the renewal of the certificate within the Let's Encrypt extension, as it looks at http and seems not to follow the redirection. Error code I got (customer data blacklisted):


Code:
Domain: domain.tld
Type: unauthorized
Detail: Invalid response from http://domain.tld/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx [xxx.xxx.xxx.xxx]: 404

I also tried to put the following directive in the Plesk Panel:

Code:
location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /path/to/your/root/dir;
}

location / {
    return 301 https://$server_name$request_uri;
}

But I got the error that I can't define the root ("/") location as it's already defined.

I don't think it's a good idea to edit the nginx.conf file myself, as Plesk will revert the change at the next update.

In the meantime, I'm using the statement below, which only redirects the root to https, but I'm not happy with it as it still allows unencrypted traffic outside the root directory.

Code:
# Mark requests for the site root ("/") ...
if ($request_uri = /) {
    set $test A;
}
# ... and requests that arrived over plain http ...
if ($scheme = 'http') {
    set $test "${test}B";
}
# ... and redirect only when both conditions hold.
if ($test = AB) {
    rewrite ^/(.*)$ https://domain.tld/$1 permanent;
}

So does anybody have an idea how to redirect all http traffic to https, but not the traffic for "/.well-known/acme-challenge"?

Cheers Peter
 
Hi P_Heck,

try with this...
Code:
if ($scheme != https) {
    return 301 https://domain.tld$request_uri;
}


That's what I use, but I use Apache FPM.
I have tested the statement you tried and get the same issue.
I hope that helps
Kind regards

Lloyd
 
@P_heck

Your code

if ($scheme = http) { return 301 https://$server_name$request_uri; }

is "breaking" Let's Encrypt due to the $server_name variable.

The issues will not occur if you replace $server_name with $host (read: the domain that Let's Encrypt secures).

With respect to the "if ($scheme = http)" versus "if ($scheme != https)" you should be aware that

- the "if ($scheme = http)" is somewhat more performant,
- for WordPress installations, you should simply change the base URL in WordPress (and not create a redirect)
- some modern browsers still serve http (regardless of any redirect to https), in specific circumstances (mostly related to the cipher suites chosen)

and so on.

The most important part that you have to take into account is the following: any redirect to https with Nginx still implies that the first round of requests is made over http (read: that is the request leading to the redirect) and that can create a vulnerability, allowing hackers to "sniff secure connections" (read: the "secure" connections after the redirects to https).

In short, in most cases it is best to configure applications to disallow http traffic, instead of (only) creating a https redirect.

Hope the above helps and explains a bit.

Regards.....
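Putting the original question and the reply above together, here is an added example (not code from the thread, from Plesk, or from the Let's Encrypt extension) of what could go into the domain's "Additional nginx directives" in the Plesk panel. It assumes Plesk places these lines inside the domain's existing server {} block (which already defines "location /", so that is not redefined here), and the variable name $redirect_to_https is my own.

```nginx
# A server-level "if" is evaluated in the server rewrite phase, before any
# location is matched, so an exception for the ACME challenge path has to be
# made at the same level rather than in a separate location block.

set $redirect_to_https 0;

# Plain-http request: candidate for the redirect.
if ($scheme != https) {
    set $redirect_to_https 1;
}

# Let's Encrypt HTTP-01 validation must stay reachable over http, so the
# challenge path is exempted and keeps being served by Plesk's own "location /".
if ($request_uri ~ "^/\.well-known/acme-challenge/") {
    set $redirect_to_https 0;
}

# $host (not $server_name) so the redirect goes back to the name the client
# actually requested, e.g. both domain.tld and www.domain.tld.
if ($redirect_to_https = 1) {
    return 301 https://$host$request_uri;
}
```

After saving, "nginx -t" reports whether Plesk's generated configuration still parses, and a plain "curl -I http://domain.tld/" should show the 301 while "curl -I http://domain.tld/.well-known/acme-challenge/test" should not.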
 