Francis Daly
January 10, 2023 07:38PM
On Tue, Jan 10, 2023 at 06:45:15PM -0500, Paul wrote:

Hi there,

> BUT... for that one step further and have all server (nginx) responses go
> back to the end-client as:
> https://a.example.com
> and NOT as:
> https://www.a.example.com
>         ^^^
> I have written an /etc/nginx/conf.d/redirect.conf as:
> server {
>     server_name www.a.example.com;
>     return 301 $scheme://a.example.com$request_uri;
> }
>
> which seems to work, but I would appreciate your opinion - is this the best,
> most elegant, secure way? Does it need "permanent" somewhere?

It does not need "permanent" -- that is a signal to "rewrite" to use a http
301 not http 302 response; and you are using a http 301 response directly.

(See, for example, http://http.cat/301 or http://http.cat/302 for the
meaning of the numbers. Warning: contains cats.)

> I've never used "scheme" before today, but we've got an external advisory
> audit going on, and I'm trying to keep them happy.

$scheme is http or https depending on the incoming ssl status. That 4-line
server{} block does not do ssl, so $scheme is always http there.

http://nginx.org/r/$scheme

Either way, this would redirect from http://www.a. to http://a., and
then the next request would redirect from http://a. to https://a.. I
suggest that you are better off just redirecting to https the first time.

You will want a server{} with something like "listen 443 ssl;" and
"server_name www.a.example.com;" and the appropriate certificate and key;
and then also redirect to https://a. in that block.

So for the four families http,https of www.a,a you will probably want
three or four server{} blocks -- you could either put http www.a and
http a in one block; or you could put https www.a and http www.a in one
block; and then one block for the other, plus one for the https a that
is the "real" config -- the other ones will be small enough configs that
"just" return 301 to https://a. Which should be simple enough to audit
for correctness.

Good luck with it,

f
--
Francis Daly francis@daoine.org
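
The three-block layout described in the reply above, written out as an added example (it is not part of the original post or of anyone's actual configuration). The certificate paths, the document root and the choice to pair the two http names in one block are assumptions; the hostnames are the ones used in the thread.

```nginx
# Block 1: plain http for both names.
# The target scheme is hard-coded, so a request to http://www.a. reaches
# https://a. in one redirect instead of going via http://a. first.
server {
    listen 80;
    server_name a.example.com www.a.example.com;
    return 301 https://a.example.com$request_uri;
}

# Block 2: https for the www name.
# The TLS handshake completes before nginx can send the 301, so this block
# needs a certificate that is valid for www.a.example.com.
server {
    listen 443 ssl;
    server_name www.a.example.com;

    ssl_certificate     /etc/nginx/ssl/PLACEHOLDER-fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/nginx/ssl/PLACEHOLDER-privkey.pem;    # placeholder path

    return 301 https://a.example.com$request_uri;
}

# Block 3: the "real" site, the only block that serves content.
server {
    listen 443 ssl;
    server_name a.example.com;

    ssl_certificate     /etc/nginx/ssl/PLACEHOLDER-fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/nginx/ssl/PLACEHOLDER-privkey.pem;    # placeholder path

    root /var/www/PLACEHOLDER;  # placeholder document root
}
```

After `nginx -t` and a reload, each of the three non-canonical combinations should answer with a single 301 whose Location header starts with https://a.example.com.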