0

I am trying to redirect HTTP requests to HTTPS, but keep on hitting an infinite redirect with nginx.

I've tried:

  • Appending/removing the trailing slash from the nginx proxy_pass value
  • Removing/keeping proxy_set_header Host $host;
  • Changing docker to serve on the host's port 8080 (instead of 80), and updating the nginx conf accordingly. (This returns connection refused errors.)

It looks like the redirect process goes like:

  1. Client hits port 80
  2. Client is redirected to port 443
  3. The proxy_pass location in the 443 location block hits port 80
  4. This new request is redirected to port 443
  5. Repeat ad infinitum

How do I stop this from looping?

Here's my nginx.conf file:

server {
    listen 80;
    server_name sub.mydomain.com;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name sub.mydomain.com;
    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/sub.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sub.mydomain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass  http://sub.mydomain.com/;
        proxy_redirect      off;
   #     proxy_set_header    Host               $host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto   $scheme;
        proxy_set_header    X-Url-Scheme        $scheme;
    }
}

(The included /etc/letsencrypt/options-ssl-nginx.conf file is auto-generated by Certbot.)

Here's my docker-compose.yml:

version: '3'
services:
  nginx:
    build: .
    ports:
      - "80:80"
      - "443:443"
    restart: unless-stopped
    volumes:
      - ./data/nginx:/etc/nginx/conf.d
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx'"
    depends_on:
      - certbot

  certbot:
    image: certbot/certbot
    restart: unless-stopped
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"

The docker-compose and Let's Encrypt setup is based on this repo

greenpenguin
  • 3
  • 2
  • What is the use of location /.well-known/acme-challenge/ { root /var/www/certbot; } – Parul Aug 07 '20 at 19:14
  • And what should be the initial url that will be redirected to https? – Parul Aug 07 '20 at 19:17
  • The acme challenge files are just to verify certbot's connection between the domain and its IP ([see this](https://stackoverflow.com/questions/41803140/certbot-well-known-acme-challenge)) – greenpenguin Aug 07 '20 at 19:19
  • All http urls should be redirected to their https equivalent. The only thing that should change is the scheme. – greenpenguin Aug 07 '20 at 19:20
  • It will definitely got into infinite loop.. as you are moving from http →https → http (on same domain name). What is the need of going back to http with same sub domain name as of initial url? – Parul Aug 07 '20 at 19:25
  • @Parul I don't want to move back to http; I want to remain on https. However, docker is serving the website on port 80, so that's where I have proxy_pass pointing. – greenpenguin Aug 07 '20 at 19:28
  • Due to this line, proxy_pass http://sub.mydomain.com/ in SSL enabled server node in nginx configuration , nginx will execute first server node again because of the server_name mentioned there. – Parul Aug 07 '20 at 19:33
  • Right, I understand that @Parul...I'm wondering how I can serve the site without hitting the redirect loop. Removing that line would stop the redirect loop, but wouldn't serve the site. – greenpenguin Aug 07 '20 at 19:55

0 Answers0