How to Redirect HTTP to HTTPS in Nginx on a VPS

1. Redirect HTTP to HTTPS in Nginx

• HTTP vs. HTTPS:
  • The web data transfer protocol is HTTP, which is encrypted. However, this protocol is not encrypted, leaving data exposed while in transit.
  • HTTPS incorporates encryption through SSL/TLS (Secure Sockets Layer/Transport Layer Security), Making sure of secure communication between a client and server and protecting user data.
• Why Use HTTPS:
  • HTTPS is vital for securing data, boosting search engine rankings, and building trust with users. Many modern browsers flag non-HTTPS sites as “Not Secure,” which can deter visitors.
• Nginx and VPS Overview:
  • Nginx is a web server that’s capable of handling traffic loads easily. As it is very flexible and easy to configure it is widely in use on VPS (Virtual Private Server) setups.

What is a Redirect in Websites?

Redirect is a technique used in web development to send users from one URL to another. It’s usually used whenever a webpage is moved, deleted or redirects traffic for a better user experience and SEO. Common redirection types are 301 Redirect (permanent), indicating a page moved to a new URL permanently, and 302 Redirect (temporary) when a page was temporarily moved. Redirects make sure that even if the original URL changes, users get the right content and help search engines know to update the index so SEO rankings are not lost. Proper use of redirects prevents “404 Not Found” errors and improves site navigation.

2. Getting Started with SSL/TLS Certificates

• What is SSL/TLS:
  • SSL/TLS certificates encrypt data between the web server and the client, providing an authenticated connection. Most browsers now require this encryption to indicate a site as secure.
• Choosing the Right SSL Certificate:
  • Domain Validation (DV): Basic level, verifying domain ownership. Ideal for blogs and small business sites.
  • Organization Validation (OV): Intermediate level, verifying organizational identity. Suitable for larger businesses.
  • Extended Validation (EV): Highest validation standard often used by financial institutions.
• Where to Obtain SSL Certificates:
  • Basic security usage comes for free with free options such as Let’s Encrypt, while paid certificates offer extra for higher trust applications.

3. Preparing Your VPS and Installing Nginx

• Connecting to Your VPS:

To start, access your VPS through SSH. Using the following command

ssh username@server_ip

• Updating System Packages:

It’s a good idea to update the package list and install any available updates before starting:

sudo apt update && sudo apt upgrade -y

Installing Nginx:

• Install Nginx on your VPS. The command depends on the operating system:

Ubuntu/Debian:

sudo apt install nginx -y

CentOS/RHEL:

sudo yum install nginx -y

• Starting Nginx:

Enable Nginx to start on boot and verify it’s running:

sudo systemctl start nginx

sudo systemctl enable nginx

sudo systemctl status nginx

4. Acquiring an SSL Certificate

Using Let’s Encrypt and Certbot:

Let’s Encrypt is a free certificate provider, and Certbot automates the process of obtaining and configuring certificates.

First, install Certbot:

sudo apt install certbot python3-certbot-nginx -y

Requesting a Certificate:

Use Certbot to generate an SSL certificate and configure Nginx automatically:

sudo certbot --nginx -d your_domain -d www.your_domain

Configuring a Paid SSL Certificate:

For a paid certificate, upload your certificate files (your_domain.crt and your_domain.key) to the VPS, typically placing them in /etc/ssl/.

• Adding SSL Certificate Paths to Nginx:

Edit the Nginx configuration file to specify the SSL certificate paths:

server {
    listen 443 ssl;
    server_name your_domain www.your_domain;

    ssl_certificate /etc/ssl/your_domain.crt;
    ssl_certificate_key /etc/ssl/your_domain.key;
}

5. Configuring HTTPS in Nginx

• Configuration Files:
  • Nginx configuration files are generally located in /etc/nginx/nginx.conf or /etc/nginx/sites-available/ for site-specific settings.
• Setting Up HTTPS Server Block:

Create a server block for HTTPS in /etc/nginx/sites-available/your_domain:

server {
    listen 443 ssl;
    server_name your_domain www.your_domain;

    ssl_certificate /etc/letsencrypt/live/your_domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your_domain/privkey.pem;

    location / {
        root /var/www/your_domain;
        index index.html index.htm;
    }
}

Testing Configurations:

Always check configuration syntax with the following:

sudo nginx -t

Reload Nginx if there is no error:

sudo systemctl reload nginx

6. Implementing HTTP to HTTPS Redirection

• Why Redirect HTTP to HTTPS:

Redirect HTTP to HTTPS in Nginx is a recommended practice to keep all communications secure and consistent.

• Setting Up a Basic HTTP to HTTPS Redirect:

Add a 301 redirect to force HTTP traffic to HTTPS:

server {
    listen 80;
    server_name your_domain www.your_domain;
    return 301 https://$host$request_uri;
}

Complete Configuration Example:

A full example of both HTTP redirect and HTTPS server blocks:

server {
    listen 80;
    server_name your_domain www.your_domain;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name your_domain www.your_domain;

    ssl_certificate /etc/letsencrypt/live/your_domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your_domain/privkey.pem;

    location / {
        root /var/www/your_domain;
        index index.html index.htm;
    }
}

Verifying the Redirect:

Use curl to confirm the redirect:

curl -I http://your_domain

7. Enhancing HTTPS Security

• Enforcing HTTP Strict Transport Security (HSTS):

HSTS forces browsers always to use HTTPS, enhancing security by preventing access via HTTP. Add this directive to your HTTPS server block:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Configuring Strong SSL Ciphers and Protocols:

Make sure Nginx uses only secure protocols and ciphers:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_prefer_server_ciphers on;

Using OCSP Stapling:

OCSP stapling speeds up SSL certificate validation:

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

8. Troubleshooting Common Issues

• Redirect Loops:
  • Check for duplicate or conflicting redirects in the Nginx configuration.
• SSL Certificate Problems:

Use OpenSSL to diagnose issues with SSL certificates:

openssl s_client -connect your_domain:443

• Mixed Content Warnings:
  • Look at your site for HTTP resources you can make HTTPS. Mixed content warnings can sometimes be identified by using browser developer tools.

9. Testing and Verifying HTTPS Configuration

• Browser Verification:
  • Open your website and confirm that the HTTPS padlock icon is displayed.

Using cURL to Check Redirects:

curl -I http://your_domain

SSL Analysis Tools:

• Services like SSL Labs SSL Test can analyze HTTPS security and point out weaknesses.

10. Maintaining SSL and Nginx Configuration

• Automating SSL Renewals:

Set up an automated renewal for Let’s Encrypt certificates:

sudo certbot renew

• Backing Up Configurations:

It’s wise to back up configuration files regularly:

sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak

Best Practices and Tips

• Regularly Update Nginx and Certbot: Keeping software up-to-date is critical for security and performance.
• Use Strong Ciphers and TLS Protocols Only: Avoid old protocols like TLS 1.0 and weak ciphers. TLS 1.2 and 1.3 are recommended.
• Monitor Certificate Expiry: Make sure to set up notifications or automatic renewals for SSL certificates to prevent expiration.
• Test Configurations Frequently: You use tools like nginx -t to check for syntax errors and reload Nginx after any changes to the configuration.
• Regular Security Audits: Security checks of existing SSL configurations with security tools will help keep an environment secure.

Conclusion

Setting up HTTPS and redirect HTTP to HTTPS in Nginx is a necessary step for a secure web presence. By following these steps, maintaining regular backups, and staying updated with security practices, Check for a robust configuration that serves users securely and reliably.

 

About the writer

Vinayak Baranwal wrote this article. Use the provided link to connect with Vinayak on LinkedIn for more insightful content or collaboration opportunities.