Reputation: 103
I'm setting up a webserver for the first time, and trying to get HTTPS to work. I've got a certificate from Let's Encrypt, and the site will load in HTTPS. I've set up the config to redirect all HTTP to HTTPS with the following blocks:
server {
    listen 80;
    server_name sulphate.me;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name sulphate.me;
    ssl_certificate /etc/letsencrypt/live/sulphate.me/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/sulphate.me/privkey.pem;
    add_header Strict-Transport-Security "max-age=31536000";
}
However, when I connect to the site (sulphate.me), it just gives me the 'Welcome to nginx!' page. Because I set it to return a 301, my browser is now always going to the permanent redirect.
Before adding these blocks, it was serving the content fine from /var/www/html, but it won't at all now. Firstly, why is it not serving the content anymore, and secondly how can I fix the permanent redirect given that it's not working?
Thanks in advance.
EDIT: When I removed the blocks and waited a bit, it is now serving the content as per usual. It only screws up when I redirect.
EDIT 2: Now when I try to manually go to HTTPS through the address bar, it gives me error 521 (Web server is down), when it clearly is not.
EDIT 3: Certificate Information, Cloudflare Crypto Settings (1, 2), Nginx SSL-Related Config Settings
And just to clarify, those blocks were not in my config when I was receiving the 521, they have now been re-added and the original problem is still occurring (not serving from root on HTTPS).
Upvotes: 3
Views: 1212
Reputation: 1343
You have to replace the nginx default.conf with your configuration file in order for it to work. Furthermore, you have to clear your browser's cache after using return 301 to remove the permanent redirect, and you can simply start using return 302, which will still redirect but will not be saved in your browser's cache.
Upvotes: 0
Reputation: 141678
That error is from CloudFlare for that domain, not nginx. If you look at the certificate on the error page, you'll see that it's CloudFlare's, not yours.
On CloudFlare's free plan, it is probably connecting to your origin with HTTP unless you have Full / Strict HTTPS enabled in CloudFlare. So it goes like this:
Browser ---HTTPS---> CloudFlare ---HTTP---> Your Server.
So, the problem is, your server is always seeing the requests as HTTP because that is what CloudFlare is using. What you probably want to do is look at the X-Forwarded-For-Proto. It then issues a redirect, which is not valid because the browser already thinks it's SSL.
Also keep in mind that CloudFlare has your HTTPS certificate, so it doesn't really matter that you set one up on the origin unless you use Full / Strict HTTPS.
You have a few options.
Use X-Forwarded-For-Proto to do the redirect. But CloudFlare can already do this for you. In that case, your nginx install wouldn't do HTTPS at all. This isn't entirely recommended as that means traffic between the edge and the origin is not encrypted.
Use Full / Strict SSL in CloudFlare so that it can do HTTPS between their proxy and the origin.
Upvotes: 1
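The header-based redirect and the Full / Strict origin block described in the answer above, written out as an added example that is not part of the question or either answer. It assumes the proxy sets the X-Forwarded-Proto request header (the name Cloudflare sends) and that the file is included inside nginx's http context; the domain, content directory and certificate paths are the ones from the question.

```nginx
# Added example, not from the question or answers. Belongs in the http context
# (for example, a file included from nginx.conf).
# Assumption: the proxy sets X-Forwarded-Proto to the scheme the browser used.

# Anything other than "https" (including a missing header) counts as plain HTTP.
map $http_x_forwarded_proto $redirect_to_https {
    default 1;
    https   0;
}

server {
    listen 80;
    server_name sulphate.me;
    root /var/www/html;          # content directory named in the question

    # Redirect only when the browser itself used HTTP. An unconditional
    # "return 301" here loops when the proxy reaches the origin over HTTP,
    # because every request then arrives on port 80.
    # The header is client-controlled unless only the proxy can reach this port.
    if ($redirect_to_https) {
        return 301 https://$host$request_uri;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}

# Used when the proxy connects to the origin over HTTPS (Full / Strict).
server {
    listen 443 ssl;
    server_name sulphate.me;
    root /var/www/html;          # with no root, nginx falls back to its compiled-in default directory

    ssl_certificate     /etc/letsencrypt/live/sulphate.me/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/sulphate.me/privkey.pem;
    add_header Strict-Transport-Security "max-age=31536000";

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Running `nginx -t` before reloading checks the syntax of the combined configuration.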