
I'm using the Nginx configuration below and it works fine.

However, I'm using three paragraphs {...} for redirections. Can this be optimized into a single paragraph, or set directly in the main paragraph?

upstream mywebsite_upstream {
    server 127.0.0.1:3003;
    keepalive 64;
}

server {

    server_name www.mywebsite.com;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_pass http://mywebsite_upstream;
        proxy_redirect off;
        proxy_read_timeout 240s;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/www.mywebsite.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.mywebsite.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}


server {
    if ($host = www.mywebsite.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;

    server_name www.mywebsite.com;
    return 404; # managed by Certbot


}

server {
    listen       80;
    server_name  mywebsite.com;
    return 301 https://www.mywebsite.com;
}
server {
    listen       443;
    server_name  mywebsite.com;
    return 301 https://www.mywebsite.com;
}
DevonDahon
  • If this server only hosts the single domain, you can use the `default_server` to redirect any other hostname to it. See [this answer](https://stackoverflow.com/questions/42228191/nginx-redirect-non-www-to-www-https/42230968#42230968). – Richard Smith Jul 21 '21 at 08:24
  • @RichardSmith Thanks for your comment. The server does host other domains as well. – DevonDahon Jul 21 '21 at 08:27
  • @DevonDahon Since your server hosts other domains, I'd recommend having an additional default server block like the one shown in [this](https://stackoverflow.com/a/60362700/7121513) answer example. Since you are using HTTPS as well, you'll need a second default `server` block listening on port 443. For the SSL settings of that block you can use any self-signed key/cert (don't use your domain key/cert for that). – Ivan Shatsky Jul 21 '21 at 09:46

1 Answer


Yes, sure you can:

server {
    listen       80;
    server_name  mywebsite.com www.mywebsite.com;
    return 301 https://www.mywebsite.com$request_uri;
}
server {
    listen       443 ssl;
    server_name  mywebsite.com;
    # SSL config here
    return 301 https://www.mywebsite.com$request_uri;
}

I think you'll need to copy all SSL-related configuration from your main server block to the second one.

I think (and I'm not alone, check an answer under the link) that the nginx config produced by certbot is crap and it is better to do nginx config changes manually and leave only certificate receiving/renewing to certbot:

certbot certonly --webroot -w /var/www -d hostname -d hostname ...

Update

When your server hosts other domains (and even if it doesn't) it is a good practice to have an additional server block serving requests that do not contain a valid domain name (or do not have a Host HTTP header at all; those are typically port scanners, vulnerability searchers etc.). To close suspicious connections on port 443 you'll need a minimal SSL config within that block. It's best to use a self-signed key and certificate for that purpose. For generating a self-signed key/cert pair in one line you can use the following command:

openssl req -nodes -new -x509 -subj "/CN=localhost" -keyout /etc/nginx/server.key -out /etc/nginx/server.crt

You can use the special nginx 444 code (close the connection without any response) for the suspicious connections:

server {
    # default_server makes this block the one nginx picks when no
    # server_name matches the Host header (or there is no Host at all);
    # without it nginx would fall back to the first block on that port
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;

    # self-signed pair from the openssl command above, not the real domain cert
    ssl_certificate     /etc/nginx/server.crt;
    ssl_certificate_key /etc/nginx/server.key;

    return 444;
}

To simplify the certbot key renewing process with a command like the one given above, you can add an additional section to all your server blocks for hosted domains (including the ones used for redirection too):

location /.well-known/acme-challenge/ {
    root /var/www;
}
Ivan Shatsky
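The pieces of the answer assembled into one file, as an added example that is neither the question's nor the answer's own config. Hostnames, certificate paths and the upstream name are taken from the question; the self-signed pair at /etc/nginx/server.{crt,key} is the one produced by the openssl command in the answer. It also shows two details the answer leaves implicit: the catch-all block needs `default_server`, and a server-level `return` fires before location matching, so the ACME challenge location only works if the redirect is placed in `location /`.

```nginx
# Added example, not the question's or answer's own config: the layout the
# answer describes, in one file. Names and paths come from the question;
# /etc/nginx/server.{crt,key} is the self-signed pair from the openssl command.

# 1. Catch-all for unknown or missing Host: close without a reply. The
#    default_server flag is required; without it nginx falls back to the
#    first server block defined for that port, whichever that happens to be.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/server.crt;  # self-signed, never the real cert
    ssl_certificate_key /etc/nginx/server.key;
    return 444;
}

# 2. Plain HTTP for both names: serve ACME challenges, redirect the rest.
#    A server-level "return" runs before location matching, so the redirect
#    has to sit in "location /" for the challenge location to be reachable.
server {
    listen 80;
    server_name mywebsite.com www.mywebsite.com;
    location /.well-known/acme-challenge/ { root /var/www; }
    location / { return 301 https://www.mywebsite.com$request_uri; }
}

# 3. HTTPS apex -> www. The certificate must list mywebsite.com as a SAN
#    (certbot ... -d mywebsite.com -d www.mywebsite.com); with a www-only
#    certificate browsers warn before they ever see the redirect.
server {
    listen 443 ssl;
    server_name mywebsite.com;
    ssl_certificate     /etc/letsencrypt/live/www.mywebsite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.mywebsite.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    return 301 https://www.mywebsite.com$request_uri;
}

# 4. The site itself: the question's www server block (upstream block from
#    the question assumed), with the ACME location added before "location /".
server {
    listen 443 ssl;
    server_name www.mywebsite.com;
    ssl_certificate     /etc/letsencrypt/live/www.mywebsite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.mywebsite.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    location /.well-known/acme-challenge/ { root /var/www; }
    location / { proxy_pass http://mywebsite_upstream; }  # plus the question's proxy_set_header lines
}
```

Check it with `nginx -t` before reloading; a quick functional check is a request with an unknown Host header to port 443, which should get no response at all rather than a certificate for www.mywebsite.com.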