i have a server which hosts several websites. Some normal HTML, some wordpress and some reverse proxy.
Everything is managed by nginx with conf files for each site. All is managed by Ansible which means all config files are build from the same template.
I have a nginx conf like this:
# Ansible managed
user www-data;
pid /run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 65535;
# Load modules
include /etc/nginx/modules-enabled/*.conf;
events {
multi_accept on;
worker_connections 65535;
}
http {
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
log_not_found off;
types_hash_max_size 2048;
types_hash_bucket_size 64;
client_max_body_size 16M;
server_names_hash_max_size 512;
server_names_hash_bucket_size 128;
# MIME
include mime.types;
default_type application/octet-stream;
# Log Format
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
# Logging
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log warn;
# include TLS hardening
include /etc/nginx/snippets/tls-hardening.conf;
# Load configs
include /etc/nginx/conf.d/*.conf;
server {
# catch-all server for both http and https
listen *:80 default_server;
listen *:443 default_server;
server_name _;
# SSL
ssl_certificate /etc/ssl/FQDN.bundle.crt;
ssl_certificate_key /etc/ssl/FQDN.key;
# Redirect to canonical site
#rewrite ^/(.*)$ http://example.com/$1 permanent;
# return 404
return 404;
}
}
The default part shall catch all unconfigured requests.
the configs for normal websites are looking like this:
# Ansible managed
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name FQDN www.FQDN;
root /var/www/FQDN;
index index.html index.htm;
# SSL
ssl_certificate /etc/letsencrypt/live/FQDN/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/FQDN/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/FQDN/chain.pem;
# security headers
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# . files
location ~ /\.(?!well-known) {
deny all;
}
# logging
access_log /var/log/nginx/FQDN.access.log;
error_log /var/log/nginx/FQDN.error.log warn;
# index.html fallback
location / {
#try_files $uri /index.html index.htm index.php;
}
# favicon.ico
location = /favicon.ico {
log_not_found off;
access_log off;
}
# robots.txt
location = /robots.txt {
log_not_found off;
access_log off;
}
# assets, media
location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
expires 7d;
access_log off;
}
# svg, fonts
location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
add_header Access-Control-Allow-Origin "*";
expires 7d;
access_log off;
}
# gzip
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
}
# HTTP redirect
server {
listen 80;
listen [::]:80;
server_name FQDN www.FQDN;
# ACME-challenge
location ^~ /.well-known/acme-challenge/ {
root /var/www/_letsencrypt;
}
location / {
return 301 https://FQDN$request_uri;
}
}
So the SSL request shall be matched for FQDN and www.FQDN while http requests fro FQDN and www.FQDN shall be redirected to the SSL website.
This works fine for my wordpress websites but not for the HTML sites.
Even if I have a default server config nginx redirects the https://www.FQDN to the first config in the config folder.
Does anyone has a hint what's going on here?
I also See different behavior between Chrome and Firefox on one site and Safari on the other side.
Chrome and Firefox will be redirected to the first config in config folder while Safari shoes error that the requested https.www.FQDN website is not secure and readable.
Lets encrypt certificate is created for both domains FQDN and www.FQDN.