44

I'm hosting a website behind a Cloudflare proxy, which means that all requests to my server are over port 80, even though Cloudflare handles HTTP (port 80) and HTTPS (port 443) traffic.

To distinguish between the two, Cloudflare includes an X-Forwarded-Proto header which is set to "http" or "https" based on the user's connection.

I would like to redirect every request with an X-Forwarded-Proto: http header to the SSL version of my site. How can I achieve this with an nginx configuration?

Kevin Burke
  • 61,194
  • 76
  • 188
  • 305
  • Just a quick note that CloudFlare doesn't host your site's content. Note:PageRules might have worked here as well, since it looks like you're just trying to forward http:// to https://. Information about PageRules: https://support.cloudflare.com/hc/en-us/articles/200168306-Is-there-a-tutorial-for-Page-Rules- – damoncloudflare Oct 07 '14 at 01:13

2 Answers2

62

The simplest way to do this is with an if directive. If there is a better way, please let me know, as people say the if directive is inefficient. Nginx converts dashes to underscores in headers, so X-Forwarded-Proto becomes $http_x_forwarded_proto.

server {
    listen 80;
    server_name example.com; # Replace this with your own hostname
    if ($http_x_forwarded_proto = "http") {
        return 301 https://example.com$request_uri;
    }

    # Rest of configuration goes here... 
}
Kevin Burke
  • 61,194
  • 76
  • 188
  • 305
  • 4
    Not sure what people you talk to, but if is not inefficient. It's error prone when abused for purposes outside the realm of rewrites. Read the if is evil article properly to understand it's shortcomings. Your solution is what it was designed for, so it should work just fine. –  Oct 09 '14 at 17:42
  • 13
    Just a small note: If you have multiple server_name values, it's better to replace return string with more generic version: return 301 https://$host$request_uri; – Alekc Oct 06 '16 at 13:51
  • 1
    Man, if is evil within nginx ;) "if" generates number of instances, so nginx get slower and need more memory. – user989840 Oct 16 '18 at 16:04
  • 2
    If is not evil in this case: "The only 100% safe things which may be done inside if in a location context are: return and rewrite" https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/ – Matthias Baumgart Sep 26 '19 at 13:28
10

Try using map directive: http://nginx.org/en/docs/http/ngx_http_map_module.html#map

Something like that...

map $http_x_forwarded_proto     $php_backend {
    "https"          "https_php_backend named loc";
    default        "default_php_backend named loc";
}
server{
    location / {
         proxy_pass http://$php_backend;
    }
}

This code is abstract, but you can try tht way...

user989840
  • 179
  • 3
  • 9