NGINX force www and https causes too many redirects

Question

I'm trying to force www and https on my nginx server.

Like other questions here suggest, I implemented the following.

server_name example.com www.myexample.com
return 301 https://www.example.com$request_uri;

Then below that I have the following which was added by let's encrypt:

if ($scheme != "https") {
    return 301 "https://www.$host$request_uri";
}

When I go to the site, it goes to https://www,example.com, but I get the message "www.example.com redirected you too many times."

If I comment out the bit added by Let's Encrypt, I still get the redirect message.

Only when I comment out the following it works:

return 301 https://www.example.com$request_uri;

Anyone have a better idea on how to set this up?

I've seen one other answer to this but that OP was using cloudflare. I'm not using any CDN.

Thanks

Here is all my info. I have my first return 301 line commented out as it was causing too many redirects: NGINX: version 1.10.3 Ubuntu: 16.04.3 LTS (xenial)

# Default server configuration
#
server {

     listen 80;
          listen [::]:80;

    client_max_body_size 25M;

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/example.com/html;

    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm index.nginx-debian.html;

    server_name example.com www.example.com;
    # return 301 https://www.example.com$request_uri;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    # hide user.ini file
    location ~ ^/\.user\.ini {
    deny all;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
    #
    #   # With php7.0-cgi alone:
    #   fastcgi_pass 127.0.0.1:9000;
    #   # With php7.0-fpm:
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
        deny all;
    }

     location ~*  \.(jpg|jpeg|png|gif|ico|css|js)$ {
         expires 365d;
     }

    location ~*  \.(pdf)$ {
        expires 30d;
    }





    listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot



    if ($scheme != "https") {
        return 301 https://www.$host$request_uri;
    } # managed by Certbot


}

Answer 1

If you are using certbot for Let's Encrypt, and it's inserting lines in the web server configuration, it's because you are avoiding the certonly option, either intentionally or by accident.

If you don't want certbot to modify your config files, then use it like:

certbot certonly --standalone --preferred-challenges http -d example.com

Regarding your redirects, you can remove yours and leave the one from Certbot, as that one is checking if the protocol is https and if it isn't it will apply the redirect.

if ($scheme != "https") {
    return 301 "https://www.$host$request_uri";
}

I would use it like this thought, replacing the $host variable if you want to make sure it's redirected to a specific domain and not leave it to the header request:

if ($scheme != "https") {
    return 301 "https://www.example.com$request_uri";
}

ps. You should post the full virtualhost config, with both server blocks for http and https to see if there is any other issue.