
Below is my current nginx configuration. I'm running php 5.5 with opcache and magento 1.9.2.2

It has 2 issues:

1. The website keeps redirecting to https for everything.

2. I keep getting net::ERR_SPDY_PROTOCOL_ERROR when I update a javascript or css file. I'm able to get around this issue by restarting nginx, but that's just a workaround...

Magento settings are:

Use Secure URLs in Frontend "No"

Use Secure URLs in Admin "Yes"

http://WEBSITENAME.com for unsecure base url

https://WEBSITENAME.com for secure base url.

I would like the website frontend (except for the cart) to be http and the backend to be https. What changes do I need to make? I've pieced the nginx conf together from several sources.

Any suggestions or help would be appreciated. I've also included a link to a gist for these files. https://gist.github.com/btray77/8867aa2fddc1803bfee0

Thanks

configuration file /etc/nginx/conf.d/export.conf:

location ~ /var/export {
    satisfy all;
    allow 1.2.3.4;
    deny all;
    auth_basic "Restricted";
    auth_basic_user_file .htpasswd;
    autoindex off;
}

configuration file /etc/nginx/conf.d/extra_protect.conf:

## Extra protection

location ~ /(dev/tests/|errors/local.xml|cron\.php) { deny all; }

location ~ ^/.*\.(sh|pl|swp|phar|sql|conf|zip|tar|.+gz)$ { return 444; }

location ~ /\.(svn|git|hg|htpasswd|bash|ssh) { return 444; }

location ~* /(lib|media|shell|skin)/.*\.php$ { deny all; }

location ~ /(wishlist|customer|contact|review|catalogsearch|newsletter|(fire|one.+)?checkout)/  {
    limit_req zone=goeasy burst=5;
    limit_req_status 429;
    if ($http_user_agent ~* "Baiduspider|Googlebot|bingbot|Yahoo|YandexBot") { return 410; }
    try_files $uri $uri/ @rewrite;
}

## Wordpress files and locations protection
location ~ /wp-config\.php { deny all; }
location ~ /wp-includes/(.*)\.php { deny all; }
location ~ /wp-admin/includes(.*)$ { deny all; }
location ~ /xmlrpc\.php { deny all; }
location ~ /wp-content/uploads/(.*)\.php(.?) { deny all; }

configuration file /etc/nginx/conf.d/headers.conf:

add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-UA-Compatible 'IE=Edge,chrome=1';
add_header X-Processing-Time $request_time;

configuration file /etc/nginx/conf.d/pagespeed.conf:

pagespeed  on;
pagespeed  FileCachePath  "/var/tmp/ngx_pagespeed_cache";
pagespeed  LogDir "/var/log/pagespeed";

#to optimize images use: https://github.com/mikebrittain/Wesley
#pagespeed  EnableFilters convert_gif_to_png;
#pagespeed  EnableFilters insert_image_dimensions;
#pagespeed  EnableFilters lazyload_images;

#pagespeed  EnableFilters collapse_whitespace;
#pagespeed  EnableFilters remove_comments;
#pagespeed  EnableFilters flatten_css_imports;

#pagespeed  EnableFilters insert_dns_prefetch;
#pagespeed  EnableFilters extend_cache;

#pagespeed EnableFilters  canonicalize_javascript_libraries;
pagespeed EnableFilters  extend_cache;
pagespeed EnableFilters  extend_cache_pdfs; 
pagespeed EnableFilters  combine_css; 
pagespeed EnableFilters  combine_javascript; 
pagespeed EnableFilters  move_css_above_scripts; 
pagespeed EnableFilters  insert_dns_prefetch; 
pagespeed EnableFilters  rewrite_images; 
pagespeed EnableFilters  prioritize_critical_css; 
pagespeed EnableFilters  rewrite_css; 
pagespeed EnableFilters  rewrite_style_attributes; 
pagespeed EnableFilters  convert_meta_tags; 
pagespeed EnableFilters  lazyload_images; 
pagespeed EnableFilters  collapse_whitespace; 
#pagespeed EnableFilters  move_css_to_head; 
pagespeed EnableFilters  remove_quotes; 
pagespeed EnableFilters  inline_css; 
pagespeed EnableFilters  inline_javascript;
pagespeed  EnableFilters convert_gif_to_png;
pagespeed  EnableFilters insert_image_dimensions;
pagespeed  EnableFilters lazyload_images;

pagespeed  EnableFilters collapse_whitespace;
pagespeed  EnableFilters remove_comments;
pagespeed  EnableFilters flatten_css_imports;
#pagespeed EnableFilters defer_javascript;

pagespeed EnableFilters  rewrite_javascript;
#pagespeed UseExperimentalJsMinifier on;


pagespeed  StatisticsLogging on;

pagespeed  RetainComment "esi*";

# magento admin
pagespeed  Disallow "*index.php/admin/*"; 
pagespeed  Disallow "*/admin/*";

pagespeed  Disallow "*/phpMyAdmin/*";

configuration file /etc/nginx/conf.d/spider.conf:

# BLACKBOT
if ($http_user_agent ~* "360Spider|aiHitBot|Exabot|AhrefsBot|betaBot|BlackWidow|Bolt|BLEXBot|BUbiNG|CazoodleBot|CPython|CCBot|ChinaClaw|Curious|CRAZYWEBCRAWLER|Custo|Default|DIIbot|DISCo|discobot|eCatch|ecxi|EirGrabber|EmailCollector|EmailSiphon|EmailWolf|ExtractorPro|EyeNetIE|FlashGet|Findxbot|GetRight|GetWeb!|Go!Zilla|Go-Ahead-Got-It|Go.*package.*|GrabNet|Grafula|GT::WWW|heritrix|HaosouSpider|HMView|HTTP::Lite|HTTrack|ia_archiver|IDBot|id-search|id-search.org|InterGET|InternetSeer.com|IRLbot|JetCar|larbin|LeechFTP|Lightspeedsystems|litemage_walker|Link|LinksManager.com_bot|Lipperhey|linkwalker|lwp-trivial|Maxthon$|Mail.RU_Bot|MegaIndex.ru|MFC_Tear_Sample|microsoft.url|Microsoft-IIS|Microsoft|Mozilla.*Indy|Mozilla.*NEWT|MJ12bot|MSFrontPage|Navroad|NearSite|NetAnts|NetLyzer.*FastProbe|NetSpider|NetZIP|Nutch|Octopus|PageGrabber|panscient.com|pavuk|PECL::HTTP|PeoplePal|pcBrowser|PHPCrawl|PleaseCrawl|psbot|python-requests|RealDownload|ReGet|RedesScrapy|Rippers|RocketCrawler|SBIder|Scrapy|ScreenerBot|SEOprofiler|SeaMonkey$|SeznamBot|sitecheck.internetseer.com|SiteSnagger|SmartDownload|Snoopy|SputnikBot|Steeler|SuperBot|SuperHTTP|Surfbot|sqlmap|tAkeOut|Teleport|Toata|TwengaBot|Typhoeus|URI::Fetch|User-Agent|voltron|Vagabondo|VoidEYE|webalta|WebAuto|[Ww]eb[Bb]andit|WebCollage|WebCopier|WebFetch|WebLeacher|WebReaper|WebSauger|WebStripper|WebWhacker|WebZIP|Wget|Widow|Wotbox|WWW-Mechanize|WWWOFFLE|zermelo|Zeus|Zeus.*Webster|ZyBorg")
{ return 444; }

configuration file /etc/nginx/fastcgi_params:

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
#fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

# magento
fastcgi_connect_timeout 65;
fastcgi_send_timeout 7200;
fastcgi_read_timeout 7200;

configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

configuration file /etc/nginx/nginx.conf:

user  nginx;
worker_processes  auto;
worker_rlimit_nofile 100000;

pid        /var/run/nginx.pid;

events {
    worker_connections  2000;
    multi_accept on;
    use epoll;
}

http   {
    index         index.html index.php;
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" ';
    log_format  error403  '$remote_addr - [$time_local] "$request"';                                      

    keepalive_timeout   5;
    autoindex           off;
    server_tokens       off;
    port_in_redirect    off;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    client_max_body_size 64m;

    ## Flood protection example
    limit_req_zone $binary_remote_addr zone=goeasy:25m rate=1r/s;

    ## Cache open FD
    open_file_cache max=10000 inactive=3600s;
    open_file_cache_valid 7200s;
    open_file_cache_min_uses 2;

    ## Gzipping is an easy way to reduce page weight
    gzip                on;
    gzip_vary           on;
    gzip_proxied        any;
    gzip_types          application/javascript application/x-javascript text/javascript text/css;
    gzip_buffers        16 8k;
    gzip_comp_level     6;

    ##  SSL global settings
    #ssl_session_cache          shared:SSL:25m;
    #ssl_session_timeout        15m;
    #ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
    #ssl_ciphers                "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5";
    #ssl_prefer_server_ciphers  on;
    #ssl_dhparam                /etc/ssl/certs/dhparams.pem;

    #ssl_stapling on;
    #resolver 8.8.8.8 8.8.4.4 valid=3600s;
    #resolver_timeout 5s;

    ## Use when Varnish in front
    #set_real_ip_from 127.0.0.1;
    #real_ip_header X-Forwarded-For;

    ## Multi shop code configuration
    #include /etc/nginx/conf.d/multishop.conf;

    ## Map status to exclude from access log
    map $status $writelog { 404  0; 410  0; 444  0; default 1; }

    ## Main domain configuration
    include /etc/nginx/sites-enabled/*.conf;

}

configuration file /etc/nginx/sites-enabled/default.conf:

server {
    listen 80;
    return 444;
}

#server {
#    listen 443 ssl default;
#       ssl_certificate /etc/nginx/ssl/WEBSITENAME_com/ssl-bundle.crt;
#       ssl_certificate_key /etc/nginx/ssl/WEBSITENAME_com/WEBSITENAME_com.key;
#    return 444;
#}

configuration file /etc/nginx/sites-enabled/magento.conf:

##   Add www
server {
    listen 80;
    server_name WEBSITENAME.com;
    return 301 $scheme://www.WEBSITENAME.com$request_uri;
}

server {
    listen 80;
    listen 443 http2 ssl;
    #ssl on;

    #Had issues with nginx sending only partial files
    sendfile off; 

    server_name www.overnightsupplements.com;
    root /var/www/html/overnight;
    access_log  /var/log/nginx/access_www.WEBSITENAME.com.log  main if=$writelog;
    error_log   /var/log/nginx/error_www.WEBSITENAME.com.log  error;

    ## Pagespeed module
       include /etc/nginx/conf.d/pagespeed.conf;

    ## Bots trap
       include /etc/nginx/conf.d/spider.conf;

    ## SSL CONFIGURATION
        ssl_certificate /etc/nginx/ssl/WEBSITENAME_com/ssl-bundle.crt;
        ssl_certificate_key /etc/nginx/ssl/WEBSITENAME_com/WEBSITENAME_com.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off; # Requires nginx >= 1.5.9
        ssl_stapling on; # Requires nginx >= 1.3.7
        ssl_stapling_verify on; # Requires nginx => 1.3.7
        #resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
        resolver_timeout 5s;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;


    location = /js/index.php/x.js {
       rewrite ^(.*\.php)/ $1 last;
       }

    ## Main Magento @location
    location / {
       try_files $uri $uri/ @rewrite;
       }

    ## Server maintenance block.
       #include /etc/nginx/conf.d/maintenance.conf;
    ## Error log/page
       #include /etc/nginx/conf.d/error_page.conf;

    ## Export folder
       include /etc/nginx/conf.d/export.conf;

    ## These locations are protected
    location ~ /(app|var|includes|pkginfo)/ {
       deny all;
       }

    ## Extra protection and limits
       include /etc/nginx/conf.d/extra_protect.conf;

    ## Images
    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
       expires max;
       log_not_found off;
       access_log off;
       add_header ETag "";
       add_header Accept-Ranges bytes;
       }

    location @rewrite {
       rewrite / /index.php?$args;
       }

    ## Execute PHP scripts
    location ~ \.php$ {
       include /etc/nginx/conf.d/headers.conf;
       try_files $uri =404;
       fastcgi_pass 127.0.0.1:9000;
       #fastcgi_pass 127.0.0.1:$port_switch;
       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
       ## Store code with multi domain
       #fastcgi_param MAGE_RUN_CODE $mage_code;
       #fastcgi_param MAGE_RUN_TYPE $mage_type;
       include fastcgi_params;
       }
    }
Brad

1 Answer


When you say "frontend", it sounds like you mean public parts of the website, while for "backend" part you mean areas of the site that are meant only for administrators.

Having considered this design vs "https-everywhere", it ends up being simpler to be "https-everywhere". Here's why:

  • When you have a boundary between "http" and "https" on your site, you have to manage that boundary. All links across the boundary need to be sure to have the protocol changed.
  • Problems with "Mixed Active Content" are more likely, when insecure assets are loaded into the secure part of the site.
  • Your admins may still be vulnerable to cookie sidejacking attacks when they browse the cleartext parts of the site, if the browser is still sending back a cookie that is intended to be used only to access the secure parts of the site.

SSL certificates are cheap, and you have to set up and manage one either way.

So the first suggestion to the problem of getting redirected to HTTPS is to go ahead and be HTTPS-everywhere. It's the direction the web is headed with HTTPS/2.0, so it's good forward-compatible planning.

Secondly, make sure the server wasn't using HSTS in the past. If it was setting the "Strict-Transport-Security" header, then browsers may have cached it, and are immediately switching to HTTPS without checking with the server. If that's the case, this will disable HSTS:

 add_header  Strict-Transport-Security "max-age=0;";
Mark Stosberg
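As an added example (not part of the question or the answer), here is a small POSIX shell helper that parses the Strict-Transport-Security header out of captured HTTP response headers and reports how long a browser will keep forcing HTTPS, which is the cached-HSTS behaviour the answer describes. The function names hsts_parse and hsts_verdict are mine, and the sample headers are constructed from the two values on this page: the two-year preload header in magento.conf and the max-age=0 reset from the answer.

```shell
#!/bin/sh
# Added example (not from the question or the answer): parse the
# Strict-Transport-Security header out of captured HTTP response headers
# and say what a browser will do with it. Use on a live host with:
#   curl -sI https://www.example.com | hsts_verdict

# Read response headers on stdin; print "<max-age> <subdomains> <preload>"
# (yes/no flags), or "none" when no usable HSTS header is present.
hsts_parse() {
    # Header names are case-insensitive; take the first STS header only.
    hdr=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 \
          | cut -d: -f2- | tr 'A-Z' 'a-z')
    if [ -z "$hdr" ]; then
        echo none
        return 0
    fi
    max_age=$(printf '%s' "$hdr" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    # RFC 6797 requires max-age; a header without one is ignored by browsers,
    # so report it the same way as a missing header.
    if [ -z "$max_age" ]; then
        echo none
        return 0
    fi
    subs=no
    pre=no
    case "$hdr" in *includesubdomains*) subs=yes ;; esac
    case "$hdr" in *preload*) pre=yes ;; esac
    echo "$max_age $subs $pre"
}

# Turn the parsed directives into the browser behaviour the admin will see.
hsts_verdict() {
    set -- $(hsts_parse)
    if [ "$1" = none ]; then
        echo "no HSTS: the browser follows http:// links as written"
    elif [ "$1" -eq 0 ]; then
        echo "HSTS cleared: the cached policy for this host is dropped"
    else
        days=$(( $1 / 86400 ))
        echo "HSTS pinned for ${days} days (subdomains=$2, preload=$3):" \
             "http:// URLs are rewritten to https:// before any request leaves the browser"
    fi
}

# Constructed samples: the header the question's magento.conf sends, and the
# answer's reset header.
printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=63072000; includeSubdomains; preload\r\n\r\n' | hsts_verdict
printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=0;\r\n\r\n' | hsts_verdict
```

Because a browser that has cached the first header never contacts port 80 at all, the server's own logs will not show the redirect; checking the header the HTTPS side still sends is the quickest way to confirm the cause.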
  • Thanks for the reply, that header seemed to work for the https issue! The reason I didn't want to do https-everywhere is it slows down the website quite a bit. This is kind of a second question, but do you have a suggestion for settings that might not slow the server down as much for https-everywhere? – Brad Jan 18 '16 at 01:38