NGINX is a popular, open-source web server that sits in front of your website and offers you many options to control what happens when a user visits the site. In this blog post, we’ll show how NGINX can be used to redirect HTTP traffic to HTTPS on your server without requiring any changes or configuration on the client side.
The “nginx redirect http to https reverse proxy” is a process that allows users to use NGINX as a reverse proxy to redirect HTTP traffic to HTTPS.
NGINX is a high-performance web server with a lot of flexibility. You’re doing your users a disservice if you’re still delivering unencrypted HTTP traffic. Set up a cheap (or free) certificate and start redirecting HTTP to HTTPS using NGINX!
In this video, you’ll learn how to generate a self-signed certificate and have all HTTP traffic automatically redirected to HTTPS, ensuring that your data is always protected.
Prerequisites
Make sure you have the following items in order to follow along with this tutorial:
- A server that runs Linux — Although this guide utilizes Ubuntu 20.04 LTS, the same procedures may be followed with any other Linux system.
- NGINX
- A user account that has sudo access.
How to Setup OpenSSL
You must to install an SSL certificate on your web server before you can use HTTPS. All traffic sent and received over HTTPS will be encrypted with the certificate. However, you’ll need OpenSSL to produce a self-signed certificate, so let’s get it installed first.
On your NGINX web server, do the following:
1. Navigate to the /usr/local/src folder. This is the place where OpenSSL will be installed. cd /usr/local/src
2. Use wget to get the OpenSSL tarball.
How to Use Python Wget to Download Files
wget sudo https://www.openssl.org/source/openssl-1.1.1g.tar.gz
OpenSSL is available for download.
3. Open the OpenSSL tarball and extract the contents.
tar -xf OpenSSL-1.1.1g.tar.gz sudo tar -xf OpenSSL-1.1.1g.tar.gz
4. Set up OpenSSL to link the shared libraries required by the executable file when it is run.
./config -Wl,—enable-new-dtags,-rpath,’$(LIBRPATH)’ sudo./config -Wl,—enable-new-dtags,-rpath,’$(LIBRPATH)’
OpenSSL should be extracted and configured.
5. Run the scripts below to compile and install OpenSSL.
sudo mkdir mkdir mkdir mkdir mk
How to Create a Self-Signed Certificate
Now that you’ve installed OpenSSL, you’ll need a certificate to use with HTTP. You’ll be making a self-signed certificate in this lesson.
Self-signed certificates are not signed by trustworthy certificate authority and should only be used for testing; they should never be used in production. You can acquire an SSL certificate from a Certificate Authority like Let’s Encrypt if you require one for production.
1. Make a directory named local ssl with an open ssl.conf configuration file inside. This file will be used to produce a self-signed certificate as a certificate request.
cd local ssl touch open ssl.conf mkdir local ssl
2. Copy/paste the following text into the open ssl.conf configuration file produced in step six. Since it is a self-signed certificate and you are serving as the Certificate Authority, this file includes the certificate issuer’s information as well as additional information such as your domain name and, in this example, your information (CA).
distinguished name = req distinguished name x509 extensions = v3 req prompt = no [req] distinguished name = req distinguished name x509 extensions = v3 req prompt = no [req distinguished name] C = /Country code, any two-letter country code, e.g. US ST = /State (insert any state here) L = /City/City/City/City/City/ O = /Name of the organization, which can be anything you want. OU = /Department, which may be anything. CN = /Certificate Issuer, which might be anything. [v3 req] dataEncipherment extended, keyUsage = keyEncipherment subjectAltName = @alt names [alt names] KeyUsage = serverAuth DNS.1 = /Domain name 1; DNS.2 = /Domain name 2; DNS.3 = /Domain name 3; DNS.4 = /Domain name 4; DNS.5 = /
3. Using the OpenSSL command, create the SSL certificate. The following command will create a certificate as well as a key that will be used to sign it.
- req – This command instructs OpenSSL to create a certificate request.
- nodes – Tells OpenSSL to bypass the option of using a password to safeguard the private key.
- days — The certificate validity term is specified in days.
- newkey rsa: 2048 – Generates a new private key with a key length of 2048 bits using the RSA algorithm.
- keyout – Indicates where the newly produced private key should be saved.
- out – Indicates where the newly produced certificate should be kept.
- config — This parameter specifies the location of the configuration file.
req openssl -x509 -nodes -days 1024 -newkey rsa:2048 openssl req -x509 -nodes -days 1024 -newkey rsa:2048 -config open ssl.conf -extensions ‘v3 req’ -keyout localhost.key -out localhost.crt
SSL Certificate Generator
Using a Certificate in NGINX Configuration
Now that you have a certificate, let’s set up NGINX to utilize it.
1. As shown below, copy the certificate and key to the /etc/ssl/certs and /etc/ssl/private folders. This is required so that Ubuntu can locate them when needed.
cp localhost.crt /etc/ssl/certs/localhost.crt sudo cp localhost.crt /etc/ssl/certs/localhost.crt cp localhost.key /etc/ssl/private/localhost.key sudo cp localhost.key /etc/ssl/private/localhost.key
2. Copy/paste the following code into the server block of your NGINX configuration file, which is located at /etc/nginx/sites-enabled/default. The lines below guarantee that NGINX listens on port 443, attaches the previously generated certificate to NGINX, and enables TLS v1.2 and 1.3.
443 ssl; 443 ssl; 443 ssl; 443 ssl; 443 ssl; 443 ssl; ssl certificate /etc/ssl/certs/localhost.crt; ssl certificate key /etc/ssl/private/localhost.key; ssl protocols /etc/ssl/protocols/localhost.key; ssl certificate key /etc/ssl/private/localhost.key TLSv1.2 TLSv1.3; TLSv1.2 TLSv1.3; TLSv1.2 TLSv
3. Restart NGINX to compel the webserver to read the newly changed configuration file from step 10.
4. On the Linux host, open a web browser and go to http://localhost. As seen below, the connection to the webserver should fail.
Using a Non-Secure Version of the Website
5. Now go to https://localhost, and you should see the default NGINX page.
View the localhost’s https version
Putting Your Faith in a Self-Signed Certificate
Despite the fact that the site is rendered via HTTPS, the browser still indicates that it is not safe. Because the browser does not have the public key for the self-signed certificate, it nevertheless shows a Not secure label.
The browser must have access to the certificate’s public key in order to trust the self-signed certificate. You’ll need the certutil software, which is included in the libnss3-tools package, to perform this.
1. First, execute the following commands to install the libnss3-tools package:
apt-get update sudo install libnss3-tools sudo apt-get
2. Once the installation is complete, go to the certificate file’s location (in this example, /etc/ssl/certs) and execute the command to add the certificate.
-A -t “CT,c,c” -n “localhost” -i localhost.crt certutil -d sql:$HOME/.pki/nssdb -A -t “CT,c,c” -n “localhost”
3. Finally, shut the browser and reopen it. The certificate should now be trusted by the browser.
displaying the secure connection
From HTTP to HTTPS redirection
You should now have a certificate that is tied to NGINX, and NGINX should be providing HTTPS traffic. It’s now time to automatically redirect all HTTP traffic to HTTPS.
You may set HTTP to HTTPS redirection in a few different methods in the NGINX configuration file. You may set up redirection for individual sites or for all of them as once. Let’s go through each approach one by one.
Always restart NGINX after making changes to the NGINX configuration file (systemctl restart Nginx).
If your web server hosts many sites, you may choose which ones to switch HTTP traffic to HTTPS. Configure the NGINX configuration file as indicated below to do this.
The code below tells NGINX to listen on port 80 (HTTP) and make a redirect request (HTTP/301) to the user with the same $request uri as before, but via HTTPS.
server { listen 80; listen [::]:80; server_name <Your server name goes here>; return 301 https://<Your server name goes here>$request_uri; }
When you go to http://localhost, you’ll see that you’re instantly routed to the same website, but with HTTPS encryption.
Replace the server name parameter from the server name to just if you want to convert all HTTP traffic to your webserver to HTTPS. For all incoming hostnames, the value acts as a wildcard.
You’ll also notice that the redirection statement (return 301) has been altered to https://$host$request uri, indicating that you wish to forward whatever hostname is entered in since the $host variable gives the request’s domain name.
return 301 https://$host$request uri; server listen 80; listen [::]:80; server name ;
Conclusion
You should now have a functional NGINX HTTP to HTTPS redirection solution. Using HTTP, go to your web server and see how it automatically redirects you!
What are the regions that you believe would benefit the most from this strategy?
NGINX is a free, open-source web server that can be used to redirect HTTP to HTTPS traffic. NGINX can also be configured to serve multiple sites on the same port. Reference: nginx redirect http to https not working.
Related Tags
- nginx redirect http to https on same port
- nginx stop redirect to https
- nginx force https
- nginx redirect http to https localhost
- nginx redirect 80 to 443
