Redirect www to not-www

Francis Daly francis at daoine.org
Wed Jan 11 00:37:49 UTC 2023


On Tue, Jan 10, 2023 at 06:45:15PM -0500, Paul wrote:

Hi there,

> BUT... for that one step further and have all server (nginx) responses go
> back to the end-client as:
>     https://a.example.com
> and NOT as:
>     https://www.a.example.com
>             ^^^
> I have written an /etc/nginx/conf.d/redirect.conf as:
> server {
>   server_name www.a.example.com;
>   return 301 $scheme://a.example.com$request_uri;
> }
> 
> which seems to work, but I would appreciate your opinion - is this the best,
> most elegant, secure way?  Does it need "permanent" somewhere?

It does not need "permanent" -- that is a signal to "rewrite" to use a http
301 not http 302 response; and you are using a http 301 response directly.

(See, for example, http://http.cat/301 or http://http.cat/302 for the
meaning of the numbers. Warning: contains cats.)

> I've never used "scheme" before today, but we've got an external advisory
> audit going on, and I'm trying to keep them happy.

$scheme is http or https depending on the incoming ssl status. That 4-line
server{} block does not do ssl, so $scheme is always http there. 

http://nginx.org/r/$scheme

Either way, this would redirect from http://www.a. to http://a., and
then the next request would redirect from http://a. to https://a.. I
suggest that you are better off just redirecting to https the first time.

You will want a server{} with something like "listen 443 ssl;" and
"server_name www.a.example.com;" and the appropriate certificate and key;
and then also redirect to https://a. in that block.

So for the four families http,https of www.a,a you will probably want
three or four server{} blocks -- you could either put http www.a and
http a in one block; or you could put https www.a and http www.a in one
block; and then one block for the other, plus one for the https a that
is the "real" config -- the other ones will be small enough configs that
"just" return 301 to https://a. Which should be simple enough to audit
for correctness.

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org
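
Added example, not part of the message above: the three-block layout it describes, with http www.a and http a in one block, https www.a in a second, and the "real" https a in a third. The certificate, key and root paths are placeholders, and one certificate covering both names is an assumption.

```nginx
# Block 1: plain HTTP for both names.
# Redirect straight to https://a. so a client never makes the
# intermediate http://www.a. -> http://a. -> https://a. hop.
server {
    listen 80;
    server_name a.example.com www.a.example.com;
    return 301 https://a.example.com$request_uri;
}

# Block 2: HTTPS for the www name.
# The TLS handshake happens before the redirect can be sent, so this
# block needs a certificate that is valid for www.a.example.com.
server {
    listen 443 ssl;
    server_name www.a.example.com;

    # Placeholder paths (assumption): substitute your own files.
    ssl_certificate     /etc/nginx/ssl/PLACEHOLDER-fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/PLACEHOLDER-privkey.pem;

    return 301 https://a.example.com$request_uri;
}

# Block 3: the "real" site, HTTPS on the bare name only.
server {
    listen 443 ssl;
    server_name a.example.com;

    # Placeholder paths (assumption): substitute your own files.
    ssl_certificate     /etc/nginx/ssl/PLACEHOLDER-fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/PLACEHOLDER-privkey.pem;

    # Placeholder document root (assumption); the existing site
    # configuration goes here.
    root /var/www/PLACEHOLDER;
}
```

After `nginx -t` and a reload, `curl -sI` against each of the four scheme and name combinations should show a single 301 with `Location: https://a.example.com/...` for the first three and a normal response for the fourth.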

