How to Redirect HTTP to HTTPS in Nginx.

Today, we will explain how to redirect HTTP traffic to HTTPS in Nginx, securing a website by sending all unencrypted traffic on port 80 to the SSL-secured port 443.

Nginx, pronounced “engine x”, is a free, open-source, high-performance HTTP and reverse proxy server responsible for handling the load of some of the largest sites on the Internet. Nginx is also one of the most widely used web servers and serves around 33.3% of the websites worldwide.

That being said, if your website is hosted with NGINX and it has SSL enabled, it's best practice to disable HTTP completely and force all incoming traffic over to the HTTPS version of the website. This avoids having duplicate content and ensures that all of the site's users are only browsing the secure version of your website.

There are many reasons to use HTTPS over HTTP:

  • All the data is encrypted in both directions. As a result, sensitive information cannot be read if intercepted.
  • Google Chrome and all other popular browsers will mark your website as being safe.
  • HTTPS allows you to use the HTTP/2 protocol, which significantly improves the site performance.
  • Google favors HTTPS websites. Your site will rank better if served via HTTPS.

There are basically two ways to set up this redirection in NGINX. One method allows you to configure the redirection for individual sites, and the other can redirect HTTP to HTTPS for all NGINX sites on your server, which is handy if you have multiple sites set up and want to avoid applying the exact same redirection to each one. We'll cover step-by-step instructions for both methods below.
Let's get started!

Redirect HTTP to HTTPS for individual sites

We'll need to make changes to the NGINX server configuration file in order to redirect traffic.
To redirect a single website to HTTPS, open the domain's configuration file with your preferred text editor and make the following changes:

sudo nano /etc/nginx/sites-available/your_conf_file

Generally, when an SSL certificate is installed on a domain, you will have two server blocks for that domain: the first for the HTTP version of the site on port 80, and the other for the HTTPS version on port 443.

server {
    listen 80;
    server_name your_website_.com www.your_website_.com;
    return 301 https://your_website_.com$request_uri;
}

Let’s break down the code line by line:

  • listen 80 - The server block will listen for incoming connections on port 80 for the specified domain.
  • server_name your_website_.com www.your_website_.com - Specifies the server block’s domain names. Make sure you replace it with your domain name.
  • return 301 https://your_website_.com$request_uri - Redirect the traffic to the HTTPS version of the site.
    The $request_uri variable is the full original request URI, including the arguments.

As you can see, the code listens on port 80 for incoming connections to your_website_.com and www.your_website_.com. It then redirects those connections to the same URL but with https://.
Below the HTTP block, you'll need an HTTPS block if you haven't already made one.

server {
    # redirect all HTTP to HTTPS
    listen 80;
    server_name your_website_.com www.your_website_.com;
    return 301 https://your_website_.com$request_uri;
}

server {
    # redirect HTTPS www. >>> https://your_website_.com (non-www)
    listen 443 ssl http2;
    server_name www.your_website_.com;
    # a block that listens with ssl needs a certificate;
    # it must be valid for www.your_website_.com as well
    ssl_certificate your_website_.com.crt;
    ssl_certificate_key your_website_.com.key;
    return 301 https://your_website_.com$request_uri;
}

server {
    # the site itself, served over HTTPS only
    listen 443 ssl http2;
    server_name your_website_.com;
    ssl_certificate your_website_.com.crt;
    ssl_certificate_key your_website_.com.key;
    # other configuration
}

Make sure you restart or reload NGINX so that the new changes take effect:

sudo systemctl reload nginx

Your site should now always redirect to a URL of the form https://your_website_.com, regardless of whether the link is prefaced by http:// and/or www.

Redirect HTTP to HTTPS for all sites

If all of the websites hosted on the server are configured to use HTTPS, and you don’t want to create a separate HTTP server block for each site, you can create a single catch-all HTTP server block. This block will redirect all HTTP requests to the appropriate HTTPS blocks.

server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

Again, let’s break down the code line by line:

  • listen 80 default_server - Sets this server block as the default (catch-all) block for all unmatched domains.
  • server_name _ - The name _ is an invalid domain name that never matches a real one, so this block only handles requests that no other server block claims.
  • return 301 https://$host$request_uri - Redirect the traffic to the corresponding HTTPS server block with status code 301 (Moved Permanently). The $host variable holds the host name of the request, taken from the request line or the Host header, so in a catch-all block the redirect target is whatever name the client sent.

For example, when visitors open http://your_website_.com/page-page in their browsers, Nginx will redirect the request to https://your_website_.com/page-page.

This method may be a bit more convenient, but you'll lose some of the fine-grained control you have when each site has its own server blocks.
In Nginx, the preferred way to redirect HTTP to HTTPS is to create separate server blocks and perform a 301 redirect.
Use your own discretion and pick whichever method you like.
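
As an added example (not part of the original article, and not Nginx's own tooling), the Python script below audits a configuration against the two methods described above: for every server block that accepts plain HTTP it reports whether the block redirects to a fixed HTTPS name, redirects to the name supplied in the request ($host), or still serves content over HTTP. The function names, the sample configuration and the legacy.example site are constructed for illustration.

```python
import re

# Constructed sample config for illustration (not taken from a real server).
SAMPLE_CONF = """
server { listen 80; server_name your_website_.com www.your_website_.com;
         return 301 https://your_website_.com$request_uri; }
server { listen 80 default_server; server_name _;
         return 301 https://$host$request_uri; }
server { listen [::]:80; server_name legacy.example; root /var/www/legacy;
         location /login { return 301 https://legacy.example/login; } }
server { listen 443 ssl http2; server_name your_website_.com; }
"""

def server_blocks(conf):
    """Yield the body of each server { ... } block, found by brace matching."""
    conf = re.sub(r"#[^\n]*", "", conf)              # drop comments
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def top_level(body):
    """Remove nested blocks (location, if) so only server-level directives remain."""
    while re.search(r"\{[^{}]*\}", body):
        body = re.sub(r"[^;{}]*\{[^{}]*\}", "", body)
    return body

def audit_port_80(conf):
    """Return (server_name, verdict) for every block that accepts plain HTTP."""
    findings = []
    for body in map(top_level, server_blocks(conf)):
        addrs = [l.split()[0] for l in re.findall(r"\blisten\s+([^;]+);", body)]
        # A block without a listen directive defaults to port 80 when run as root.
        if addrs and not any(re.search(r"(^|:)80$", a) for a in addrs):
            continue
        name = re.search(r"\bserver_name\s+(\S+?)[\s;]", body)
        target = re.search(r"\breturn\s+30[1278]\s+(\S+?);", body)
        if not target or not target.group(1).startswith("https://"):
            verdict = "serves plain HTTP"    # no server-wide HTTPS redirect
        elif re.match(r"https://\$(http_)?host\b", target.group(1)):
            verdict = "redirects to request-supplied host"
        else:
            verdict = "redirects to fixed host"
        findings.append((name.group(1) if name else "(none)", verdict))
    return findings

if __name__ == "__main__":
    print(*audit_port_80(SAMPLE_CONF), sep="\n")
```

The legacy.example block is reported as serving plain HTTP because its only redirect sits inside a location block, so every other path is still answered on port 80.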

Conclusion

In the vast majority of cases, there's no reason to continue using HTTP when your site can offer HTTPS. It's more secure, gives the user peace of mind, and the site will get a little SEO boost.