Too many redirects

Hello,

I try to force SSL redirect on my website, but I’m getting a
ERR_TOO_MANY_REDIRECTS.

I can’t figure what’s wrong, here is my vhost .conf file :

server {
listen *:80;
listen *:443 ssl;

ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /var/www/clients/client2/web1/ssl/domain.tld.crt;
ssl_certificate_key
/var/www/clients/client2/web1/ssl/domain.tld.key;

Disables all weak ciphers

ssl_ciphers
“ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4”;
ssl_prefer_server_ciphers on;
server_name web-plus.pro www.web-plus.pro;

rewrite ^ https://$server_name$request_uri? permanent;

    root   /var/www/domain.tld/web;
    index index.html index.htm index.php index.cgi index.pl 

index.xhtml;

    location ~ \.shtml$ { ssi on; }

    error_page 400 /error/400.html;
    error_page 401 /error/401.html;
    error_page 403 /error/403.html;
    error_page 404 /error/404.html;
    error_page 405 /error/405.html;
    error_page 500 /error/500.html;
    error_page 502 /error/502.html;
    error_page 503 /error/503.html;
    recursive_error_pages on;
    location = /error/400.html {

        internal;
    }
    location = /error/401.html {

        internal;
    }
    location = /error/403.html {

        internal;
    }
    location = /error/404.html {

        internal;
    }
    location = /error/405.html {

        internal;
    }
    location = /error/500.html {

        internal;
    }
    location = /error/502.html {

        internal;
    }
    location = /error/503.html {

        internal;
    }

    error_log /var/log/ispconfig/httpd/domain.tld/error.log;
    access_log /var/log/ispconfig/httpd/domain.tld/access.log 

combined;

    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location /stats/ {

        index index.html index.php;
        auth_basic "Members Only";
        auth_basic_user_file

/var/www/clients/client2/web1/web/stats/.htpasswd_stats;
}

    location ^~ /awstats-icon {
        alias /usr/share/awstats/icon;
    }

    location ~ \.php$ {
        try_files /8861c6a67e54f5712a3f7875c91adaf9.htm @php;
    }

    location @php {
        try_files $uri =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/var/lib/php5-fpm/web1.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME

$document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
}

    location /cgi-bin/ {
        try_files $uri =404;
        include /etc/nginx/fastcgi_params;
        root /var/www/clients/client2/web1;
        gzip off;
        fastcgi_pass  unix:/var/run/fcgiwrap.socket;
        fastcgi_index index.cgi;
        fastcgi_param SCRIPT_FILENAME

$document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
}

    pagespeed on;

    pagespeed RewriteLevel PassThrough;
    pagespeed EnableFilters

inline_css,inline_javascript,combine_css,extend_cache,rewrite_images;
pagespeed EnableFilters rewrite_css,rewrite_javascript;
pagespeed EnableFilters add_head,inline_import_to_link;

    location /blog {
    try_files $uri $uri/ /blog/index.php?$args;
    }

rewrite /wp-admin$ $scheme://$host$uri/ permanent;

    location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
        add_header "" "";
    }
    location ~ "^/ngx_pagespeed_static/" {
    }
    location ~ "^/ngx_pagespeed_beacon$" {
    }
    location /ngx_pagespeed_statistics {
    allow 127.0.0.1; deny all;
    }
    location /ngx_pagespeed_global_statistics {
    allow 127.0.0.1; deny all;
    }
    location /ngx_pagespeed_message {
    allow 127.0.0.1; deny all;
    }
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|ttf|otf|svg|webp)$ {
    expires 365d;
    }

}

Thanks in advance for your help !

It’s looks like wordpress problem. Not your conf. Did you figure it out
the
problem if set your wordpress into https mode?

On Thursday, November 20, 2014, JACK LINKERS [email protected]
wrote:

rewrite ^ https://$server_name$request_uri? permanent;

​This looks highly suscpicious to me: unconditional rewrite of any
request?

Try to either:

  • match the regex against HTTP requests
  • enclose a ‘return 301 […]’ in an ‘if’ directive checking for the
    HTTP
    scheme
    I am not 100% certain what would be the best alternative to go for.

If the problem comes from there, I do not really get how the backend
gets
to serve any (error) page… So maybe Wordpress trouble as stated
before.

B. R.

Hi guys,

Thanks for your fast reply and input.
I didn’t think of wordpress at all.

I’ll try some tuning and keep you posted.

Thanks again
Le 20 nov. 2014 09:52, “B.R.” [email protected] a écrit :

I completely lost…
I tried everything (of my understanding) with no success.
I didn’t know you could include a condition with if and came across
sites
like :
http://publications.jbfavre.org/web/nginx-vhosts-automatiques-avec-SSL-et-authentification.fr
This is way beyond my skills… I didn’t managhe to enclose the 301 in
if
statements
I think i’m gonna givin up

2014-11-20 10:27 GMT+01:00 JACK LINKERS [email protected]:

Maybe start over your configuration, one step at a time, checking
everything you do has the desirect effect?
Step by step, gently, no pressure. That is the way you learn! Do not
give
up, if you need specific help people are here to help you :o)

As you just realized, copy-pasting ‘magic’ configuration snippets from
other people does not always works out of the box. That demosntrates the
fact that copy-pasting != learning :o)

By the way, the ‘if’ directive is tricky and to be avoided as much as
possible. It is used for very speicifc cases, when you cannot do anyway
else. I have not read thoroughly the link you provided, however by
having a
quick look it seemed to me I saw a lot of (too much?) ‘if’…

Start with a simple, but working configuration, and solve one
requirement/issue at a time!
Good luck,

B. R.

On Thu, Nov 20, 2014 at 10:07 PM, JACK LINKERS [email protected]

Here’s a basic example of one of my configs that redirect example.wp.com
to https://www.example.wp.com… update and example.wp.com as
necessary, and ensure the site is set up as www.example.wp.com as well.

It may need the odd tweak to restore to standard use of fastcgi
includes, as I’ve modified mine. Also care on folded lines.

server {
listen :80;
server_name example.wp.com www.example.wp.com;

  return 301 https://www.example.wp.com$request_uri;

}

server {
listen :443 ssl;
server_name example.wp.com;

    ssl_certificate         /etc/nginx/ssl/www.example.wp.com.crt;
    ssl_certificate_key     /etc/nginx/ssl/www.example.wp.com.key;

  return 301 https://www.example.wp.com$request_uri;

}

server {
listen :443 ssl;

    server_name www.example.wp.com;
    server_name_in_redirect off;

    ssl_certificate         /etc/nginx/ssl/www.example.wp.com.crt;
    ssl_certificate_key     /etc/nginx/ssl/www.example.wp.com.key;

    access_log /var/log/nginx/www.example.wp.com.access.log main;
    error_log /var/log/nginx/www.example.wp.com.error.log notice;

    root /www/www.example.wp.com/public_html;

    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 127.0.0.1 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

Firefox cross site font face

    add_header Access-Control-Allow-Origin *;

    autoindex off;

    #index index.php index.html index.htm default.html default.htm;
    index index.php;

    # Support Clean (aka Search Engine Friendly) URLs
    location / {
            try_files $uri $uri/ /index.php?q=$request_uri;
    }

    # deny running scripts inside writable directories
    location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|

asp|sh|cgi)$ {
return 403;
error_page 403 /403_error.html;
}

    location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root

$fastcgi_script_name;
fastcgi_pass backend;

    }

    # caching of files
    location ~* \.(ico|woff|pdf|flv|js|css|png|jpg|jpeg|gif|swf|xml|

txt)$ {
access_log off;
expires 30d;
}

}

On Thu, 2014-11-20 at 22:07 +0100, JACK LINKERS wrote:

2014-11-20 10:27 GMT+01:00 JACK LINKERS [email protected]:
écrit :
Try to either:
maybe Wordpress trouble as stated before.
[email protected]
nginx Info Page


nginx mailing list
[email protected]
nginx Info Page


Steve H. BSc(Hons) MIITP

Linkedin: http://www.linkedin.com/in/steveholdoway
Skype: sholdowa

Hi guys,

This is not the first time I use this mailing list for support and it
has
always been very helpful.

I might have forget to tell I’m using ISPConfig to setup my vhosts
The .conf file is automaticaly generated, I only add some tuning to make
different things work such as WordPress, PrestaShop, PageSpeed and so
on.

When I say i’m completely lost, I mean there is indeed plenty tutorials
on
how to set up a vhost manually and each tutorial is different (almost).

You are right when you say something may work on some setup and not on
mine, because it’s not a part of a whole thing.

I’ll read everything you posted and try to figure out how to combine it
with default vhost template in ISPConfig, because everytime I reload the
server all changes made directly in vhost .conf files is rewritten with
defaults.

On ISPConfig admin panel, I have an “Option” Tab where I can add custom
nginx directives. All these directives are added at the end of the vhost
.conf file. This is the only way I have in order to have my custom
directives saved even after a reboot.

For now, I need to fix my idividual vhost and then try to modify the
vhost
template from ispconfig.

As you can see, the template doesn’t make separate server blocks for
each
HTTP & HTTPS protocole :

And once again, thanks for your time / patience / help.

Regards

2014-11-21 1:09 GMT+01:00 Francis D. [email protected]:

Hi guys,

if ($scheme = “http”) {
return 301 https://$server_name$request_uri;
}

Did the job indeed !

Thanks again all for your time and patience !

All the best !

2014-11-21 20:29 GMT+01:00 Francis D. [email protected]:

On Fri, Nov 21, 2014 at 09:02:01AM +0100, JACK LINKERS wrote:

Hi there,

As you can see, the template doesn’t make separate server blocks for each
HTTP & HTTPS protocole :

This part is still true:

What you probably want is:

listen on http; redirect everything to https.
listen on https; process requests normally.

but your particular access to configure nginx does not appear to allow
you do that.

The right answer is for you to change your access to configure nginx;
but that is unlikely to happen in the short term.

You can use an alternative config, along the lines of:

listen on http and https; if the request was http, redirect to https;
else process requests normally

That will probably fit your restricted configuration model.

Add a stanza at server{} level, outside all location{}s

if ($scheme = “http”) {
return 301 https://$server_name$request_uri;
}

and reload, and see if that does what you want.

You may want to replace $server_name with $host or your preferred host
name directly, depending on what exactly you want.

But it should get over the infinite loop of your original config.

f

Francis D. [email protected]

On Thu, Nov 20, 2014 at 10:07:22PM +0100, JACK LINKERS wrote:

You probably already have the answer now, but just in case not…

I completely lost…
I tried everything (of my understanding) with no success.

Your original config was:

listen on http and https; redirect everything to https.

That’s a recipe for an infinite loop, as your browser reported.

What you probably want is:

listen on http; redirect everything to https.
listen on https; process requests normally.

which is most easily done with two separate server{} blocks.

f

Francis D. [email protected]