Redirect www to not-www
Francis Daly
francis at daoine.org
Wed Jan 11 00:37:49 UTC 2023
On Tue, Jan 10, 2023 at 06:45:15PM -0500, Paul wrote:
Hi there,
> BUT... for that one step further and have all server (nginx) responses go
> back to the end-client as:
> https://a.example.com
> and NOT as:
> https://www.a.example.com
> ^^^
> I have written an /etc/nginx/conf.d/redirect.conf as:
> server {
> server_name www.a.example.com;
> return 301 $scheme://a.example.com$request_uri;
> }
>
> which seems to work, but I would appreciate your opinion - is this the best,
> most elegant, secure way? Does it need "permanent" somewhere?
It does not need "permanent" -- that it a signal to "rewrite" to use a http
301 not http 302 response; and you are using a http 301 response directly.
(See, for example, http://http.cat/301 or http://http.cat/302 for the
meaning of the numbers. Warning: contains cats.)
> I've never used "scheme" before today, but we've got an external advisory
> audit going on, and I'm trying to keep them happy.
$scheme is http or https depending on the incoming ssl status. That 4-line
server{} block does not do ssl, so $scheme is always http there.
http://nginx.org/r/$scheme
Either way, this would redirect from http://www.a. to http://a., and
then the next request would redirect from http://a. to https://a.. I
suggest that you are better off just redirecting to https the first time.
You will want a server{} with something like "listen 443 ssl;" and
"server_name www.a.example.com;" and the appropriate certificate and key;
and then also redirect to https://a. in that block.
So for the four families http,https of www.a,a you will probably want
three or four server{} blocks -- you could either put http www.a and
http a in one block; or you could put https www.a and http www.a in one
block; and then one block for the other, plus one for the https a that
is the "real" config -- the other ones will be small enough configs that
"just" return 301 to https://a. Which should be simple enough to audit
for correctness.
Good luck with it,
f
--
Francis Daly francis at daoine.org
More information about the nginx
mailing list