Hi.
I have a configuration problem.
I want all requests redirected "http" → "https".
But some locations should go "https" → "http".
All locations: https
/companyBrand.do: http only
I see the error "too many redirects".
What's the problem?
map $uri $example_org_preferred_proto {
    default "https";
    ~^/companyBrand.do "http";
}

server {
    listen 80;
    server_name www.aaa.com;

    # plain-http server: everything except the mapped URI goes to https
    if ($example_org_preferred_proto = "https") {
        return 301 https://$server_name$request_uri;
    }

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;   # note: Host is set twice in this block
        proxy_redirect off;
        proxy_buffering off;
        proxy_connect_timeout 60;
        proxy_read_timeout 60;
        proxy_pass http://wwwaaacom;
    }
}

# HTTPS server
#
server {
    listen 443;
    server_name www.aaa.com;
    charset utf-8;
    ssl on;
    ssl_certificate D:/nginx-1.7.10/ssl/cert.pem;
    ssl_certificate_key D:/nginx-1.7.10/ssl/key.pem;

    # https server: only the mapped URI is sent back to http
    if ($example_org_preferred_proto = "http") {
        return 301 http://$server_name$request_uri;
    }

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;   # note: Host is set twice in this block
        proxy_redirect off;
        proxy_buffering off;
        proxy_connect_timeout 60;
        proxy_read_timeout 60;
        proxy_pass http://wwwaaacom;
        proxy_ssl_session_reuse off;
    }
}
You can merge both servers into one and try something like this:
map $request_uri $example_org_preferred_proto {
    default "https";
    /companyBrand.do "http";
}

server {
    listen 80;
    listen 443 ssl;
    …
    # one rule for both ports: redirect only when the scheme used is not the preferred one
    if ($scheme != $example_org_preferred_proto) {
        return 301 $example_org_preferred_proto://$server_name$request_uri;
    }
    …
}
20.03.15 5:29, jinwon42 writes:
br,
Dmitry Pryadko
Thanks for the reply!
But I still see an error:
400 Bad Request
The plain HTTP request was sent to HTTPS port
Is this setting wrong?
map $request_uri $example_org_preferred_proto {
    default "https";
    ~^/mobile/PayOnlyResult.do "http";
    ~^/kor/companyBrand.do "http";
}

server {
    listen 443 ssl;
    listen 80;
    server_name www.aaa.com;
    charset utf-8;
    ssl on;   # 'ssl on' enables TLS on every listen socket of this server, port 80 included; 'listen 443 ssl' alone is the per-port form
    ssl_certificate D:/nginx-1.5.2/ssl/cert.pem;
    ssl_certificate_key D:/nginx-1.5.2/ssl/key.pem;
    ssl_verify_client off;

    if ($scheme != $example_org_preferred_proto) {
        return 301 $example_org_preferred_proto://$server_name:88$request_uri;
    }

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;   # note: Host is set twice in this block
        proxy_buffering off;
        proxy_connect_timeout 60;
        proxy_read_timeout 60;
        proxy_pass http://wwwaaaacom;
        proxy_ssl_session_reuse off;
    }
}
Why 88?
20.03.15 11:08, jinwon42 writes:
return 301 $example_org_preferred_proto://$server_name:88$request_uri;
–
br,
Dmitry Pryadko
Correct, you give the HSTS header on the SSL/TLS port. So if any connection in the past has gone to the SSL/TLS port, the browser is forced to use https:// for any future connection. You should set it to 1 for a while and then disable it.
Sorry.
Port 80 is right.
    if ($scheme != $example_org_preferred_proto) {
        return 301 $example_org_preferred_proto://$server_name$request_uri;
    }
I still see the error "ERR_TOO_MANY_REDIRECTS".
map $request_uri $example_org_preferred_proto {
    default "https";
    ~^/mobile/PayOnlyResult.do "http";
    ~^/kor/tel.do "http";
}

server {
    listen 443 ssl;
    listen 80;
    server_name www.aaaa.com;
    charset utf-8;
    #ssl on;
    ssl_certificate D:/nginx-1.7.10/ssl/cert.pem;
    ssl_certificate_key D:/nginx-1.7.10/ssl/key.pem;
    ssl_verify_client off;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1;   # SSLv3 is broken (POODLE); current configurations allow TLSv1.2 and later only
    ssl_ciphers AES256-SHA:HIGH:!EXPORT:!eNULL:!ADH:RC4+RSA;
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    # this server block listens on 80 and 443, so the header goes out on every response of both
    add_header Strict-Transport-Security max-age=15768000;

    error_page 400 /error/error.html;
    error_page 403 /error/error.html;
    error_page 404 /error/error.html;

    if ($scheme != $example_org_preferred_proto) {
        return 301 $example_org_preferred_proto://$server_name$request_uri;
    }

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;   # note: Host is set twice in this block
        proxy_buffering off;
        proxy_connect_timeout 60;
        proxy_read_timeout 60;
        proxy_pass http://wwwaaaacom;
        proxy_ssl_session_reuse off;
    }
}
You said that in your configuration, you have the following lines:
    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;
This makes nginx send an HSTS header to browsers that visit the website. With this, you tell the browser to always use https:// and never use http://, for the whole website.
If you do not disable this, any and all requests done to the site will make sure that any requests for the next 6 months of that visit (you set it to 6 months) will always, no matter what the user or redirect types/does, use https://.
If you want to avoid this behaviour, you should first reduce the duration of the header (max-age=) to 1 second, so that browsers will reduce the remaining time to 1 second. Then disable it after a few days/a week, depending on how long you think users take to return to your website.
jinwon42 wrote on 20-3-2015 at 10:20:
You should set it to 1 for a while and then disable it.
What does that mean?
How can I do it? Please teach me.
Thanks
On 20.03.2015 11:35, Daniël Mostertman wrote:
If you want to avoid this behaviour, you should first reduce the duration of the header (max-age=) to 1 second, so that browsers will reduce the remaining time to 1 second. Then disable it after a few days/a week, depending on how long you think users take to return to your website.
HSTS is a good thing and should not be disabled.
If you need http only for some URIs, it is better to create a separate server, on a different server_name, which works only on http, and leave the https server for all the remaining https URIs. For example:
server {
    listen 443 ssl;
    server_name www.example.com;
    # HSTS (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;
    … # HTTPS-only
}

server {
    listen 80;
    server_name www.example.com;
    location / { return 301 https://www.example.com$request_uri; }
}

server {
    listen 80;
    server_name example.com;
    location / { return 301 https://www.example.com$request_uri; }
    location = /mobile/PayOnlyResult.do {
        … # HTTP-only
    }
    location = /kor/tel.do {
        … # HTTP-only
    }
}
www.example.com - HTTPS-only, example.com - HTTP-only.
–
Best regards,
Gena
On 20.03.2015 12:36, Dewangga Bachrul Alam wrote:
You'll never reach an http request since you set the HSTS configuration.
If you still want some http requests on your web server, disable your HSTS directive (see Daniel's statement in the previous email).
-
HSTS enabled only on domain name www.example.com
on domain name example.com - no HSTS, no https and no redirects.
-
disabling HSTS is bad idea.
HSTS should be enabled on https servers.
-
please do not top post.
thank you.
–
Best regards,
Gena
Gena M. wrote on 20-3-2015 at 12:05:
HSTS should be enabled on https servers.
- please do not top post.
thank you.
-
Any website will want www. and non-www to show the same website. This cannot be done in your configuration.
-
If any user goes to https://example.com/ instead of
https://www.example.com/ it goes to the default website on 443, being
www.example.com in this case. If that certificate is valid for
example.com, the connection is built, and the HSTS is re-set in any
browser for example.com and you will end up on SSL time and time again.
-
I never said I thought it should be disabled. In fact, I think
https:// should always be used if possible, and http:// should be
avoided at pretty much all times.
-
HSTS does not need to be enabled for secure connections to work,
it’s a “very nice to have”. But not mandatory. In his case, it probably
gives more trouble than it’s worth. However, I do agree that it
should, like you said. But again, in his configuration that might not
be possible to have the best possible solution for what’s being wished
for.
Hi!
You'll never reach an http request since you set the HSTS configuration.
If you still want some http requests on your web server, disable your HSTS directive (see Daniel's statement in the previous email).
On 20.03.2015 13:13, Daniël Mostertman wrote:
- please do not top post.
thank you.
- Any website will want www. and non-www to show the same website. This cannot be done in your configuration.
http://example.com and http://www.example.com show the same site:
server {
    listen 80;
    server_name example.com;
    location / { return 301 https://www.example.com$request_uri; }
    location = /mobile/PayOnlyResult.do {
        … # HTTP-only
    }
    location = /kor/tel.do {
        … # HTTP-only
    }
}
Exceptions are made only for the two URIs, which are HTTP-only.
- If any user goes to https://example.com/ instead of
https://www.example.com/ it goes to the default website on 443, being
www.example.com in this case. If that certificate is valid for
example.com, the connection is built, and the HSTS is re-set in any
browser for example.com and you will end up on SSL time and time again.
No problem,
server {
    listen 443 default_server;
    server_name example.com;
    # default TLS server for the port: it needs its own certificate valid for example.com (not shown here)
    location / { return 301 https://www.example.com$request_uri; }
    location = /mobile/PayOnlyResult.do {
        return 301 http://example.com$request_uri;
    }
    location = /kor/tel.do {
        return 301 http://example.com$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name www.example.com;
    # HSTS (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;
    … # HTTPS-only
}
The HTTPS site example.com is the default site and does not have HSTS.
- I never said I thought it should be disabled. In fact, I think
https:// should always be used if possible, and http:// should be
avoided at pretty much all times.
Agree, I don’t know why topic starter need such strange configuration.
- HSTS does not need to be enabled for secure connections to work,
it’s a “very nice to have”. But not mandatory. In his case, it probably
gives more trouble than it’s worth. However, I do agree that it
should, like you said. But again, in his configuration that might not
be possible to have the best possible solution for what’s being wished for.
I can't agree with you that disabling HSTS on HTTPS sites is the best possible way.
My solution may be simpler if the HTTP-only server uses another name, for example public.example.com, legacy.example.com, static.example.com or something like this.
In this case, www.example.com and example.com can both be HTTPS sites, without exceptions.
–
Best regards,
Gena
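The redirect loop Daniël explains above (HSTS cached from one https response, then every http:// Location is upgraded by the browser before it is sent) and the split-hostname layout Gena proposes can both be checked without a browser. The script below is an added example, not code from this thread or from nginx: it models the posted map/if rule plus the add_header line as one server function, models Gena's www/non-www layout as a second one, and walks a minimal client with an HSTS cache through the redirects. The hostnames (www.aaaa.com, www.example.com, example.com), the redirect limit and the client model are assumptions; the two URIs and the max-age value are the ones from the posted configuration.

```python
"""Model of the thread's two nginx layouts plus a client with an HSTS cache.
Added example; server functions approximate the posted configs, not nginx itself."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

HSTS_MAX_AGE = 15768000  # max-age from the posted add_header line (6 months)

# The 'map $request_uri $example_org_preferred_proto' block, as regexes.
HTTP_ONLY = [re.compile(r"^/mobile/PayOnlyResult\.do"), re.compile(r"^/kor/tel\.do")]


@dataclass
class Response:
    status: int
    location: str | None = None
    headers: dict[str, str] = field(default_factory=dict)


def preferred_proto(request_uri: str) -> str:
    """default "https"; the two listed prefixes map to "http" (query string included)."""
    return "http" if any(p.search(request_uri) for p in HTTP_ONLY) else "https"


def single_server(scheme: str, host: str, uri: str) -> Response:
    """One server block on ports 80 and 443: 'if ($scheme != preferred) return 301',
    and Strict-Transport-Security on every response, the 301 included."""
    hsts = {"Strict-Transport-Security": f"max-age={HSTS_MAX_AGE}"}
    want = preferred_proto(uri)
    if scheme != want:
        return Response(301, f"{want}://{host}{uri}", hsts)
    return Response(200, headers=hsts)


def split_servers(scheme: str, host: str, uri: str) -> Response:
    """Gena's layout: www.example.com is HTTPS-only and sends HSTS;
    example.com never sends HSTS and serves the two exceptions over plain http."""
    if host == "www.example.com":
        if scheme == "http":
            return Response(301, f"https://www.example.com{uri}")
        return Response(200, headers={"Strict-Transport-Security": f"max-age={HSTS_MAX_AGE}"})
    if preferred_proto(uri) == "http":  # example.com, one of the two exceptions
        if scheme == "https":
            return Response(301, f"http://example.com{uri}")
        return Response(200)
    return Response(301, f"https://www.example.com{uri}")  # everything else on example.com


class TooManyRedirects(Exception):
    pass


class Browser:
    """Minimal client with an HSTS cache; 20 hops is the usual browser redirect limit (assumption)."""

    def __init__(self, server, max_redirects: int = 20):
        self.server = server
        self.hsts: set[str] = set()  # hosts with a cached policy
        self.max_redirects = max_redirects

    def _note_hsts(self, host: str, header: str) -> None:
        m = re.search(r"max-age=(\d+)", header)
        if m and int(m.group(1)) > 0:
            self.hsts.add(host)
        else:
            self.hsts.discard(host)  # max-age=0 clears the entry

    def fetch(self, url: str) -> tuple[str, int, list[str]]:
        """Follow redirects; return (final_url, status, urls visited) or raise on a loop."""
        trail: list[str] = []
        for _ in range(self.max_redirects + 1):
            parts = urlsplit(url)
            scheme, host = parts.scheme, parts.netloc
            uri = (parts.path or "/") + ("?" + parts.query if parts.query else "")
            if scheme == "http" and host in self.hsts:
                # HSTS upgrade happens inside the client; no http request is ever sent
                scheme, url = "https", f"https://{host}{uri}"
            trail.append(url)
            resp = self.server(scheme, host, uri)
            if scheme == "https" and "Strict-Transport-Security" in resp.headers:
                self._note_hsts(host, resp.headers["Strict-Transport-Security"])  # ignored over plain http
            if resp.status in (301, 302, 307, 308) and resp.location:
                url = resp.location
                continue
            return url, resp.status, trail
        raise TooManyRedirects(trail)


if __name__ == "__main__":
    b = Browser(single_server)
    print(b.fetch("http://www.aaaa.com/kor/tel.do"))  # fresh client: 200 over plain http
    print(b.fetch("https://www.aaaa.com/"))           # 200, and the policy is now cached
    try:
        b.fetch("http://www.aaaa.com/kor/tel.do")
    except TooManyRedirects as e:
        print("ERR_TOO_MANY_REDIRECTS after", len(e.args[0]), "hops")
    s = Browser(split_servers)
    s.fetch("https://www.example.com/")
    print(s.hsts, s.fetch("http://example.com/kor/tel.do"))  # only www is cached; 200 over http
```

Running it shows the single-server layout answering 200 for http://www.aaaa.com/kor/tel.do on a fresh client, and looping as soon as any https response from www.aaaa.com has been seen; the 301 to http:// itself carries the header, so a first visit to https://www.aaaa.com/kor/tel.do loops immediately. In the split layout the policy is cached for www.example.com only, so example.com keeps serving the two URIs over plain http while everything else still lands on https://www.example.com.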