HOWTO: Force https AND http2 AND Rewrite to non-www!!
-
PagesAtHome
- Posts: 8
- Joined: Tue Nov 08, 2016 12:22 pm
HOWTO: Force https AND http2 AND Rewrite to non-www!!
- SECURE! -> https / SSL enforcing
FAST! -> http2 (http/2)
MODERN! -> 'www' domains are old school
(THIS INSTRUCTION WAS TESTED AND WORKING ON DEBIAN 8, IT SHOULD WORK ON OTHER LINUX VARIANTS BUT THE FILE PATHS MAY DIFFER)
It all comes down to putting 2 template files in your /usr/local/vesta/data/templates/web/nginx/ folder:
File1 (the non-https to https rewrite file), name it http2-no-www.tpl :
Code: Select all
server {
listen %ip%:%proxy_port%;
server_name %domain_idn% %alias_idn%;
return 301 https://%domain_idn%$request_uri;
}
File2 (the https config file), name it http2-no-www.stpl :
Code: Select all
server {
listen %ip%:%proxy_ssl_port% http2 ssl;
server_name %alias_idn%;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
return 301 https://%domain_idn%$request_uri;
}
server {
listen %ip%:%proxy_ssl_port% http2 ssl;
server_name %domain_idn%;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
error_log /var/log/%web_system%/domains/%domain%.error.log error;
location / {
proxy_pass https://%ip%:%web_ssl_port%;
location ~* ^.+\.(%proxy_extentions%)$ {
root %sdocroot%;
access_log /var/log/%web_system%/domains/%domain%.log combined;
access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
expires max;
try_files $uri @fallback;
}
}
location /error/ {
alias %home%/%user%/web/%domain%/document_errors/;
}
location @fallback {
proxy_pass https://%ip%:%web_ssl_port%;
}
location ~ /\.ht {return 404;}
location ~ /\.svn/ {return 404;}
location ~ /\.git/ {return 404;}
location ~ /\.hg/ {return 404;}
location ~ /\.bzr/ {return 404;}
include %home%/%user%/conf/web/s%proxy_system%.%domain%.conf*;
}
Go to your VestaCP panel and apply to your domains of choice, presto!
You don't even have to purchase a SSL certificate anymore if you dont want to, with the newest version of VestaCP you just have to tick the box that says 'Use LetsEncrypt' and you're off!
go check your sites with https://tools.keycdn.com/http2-test
(optionally you can apply the additional security beef-up suggested at https://weakdh.org/sysadmin.html with the exception that you should apply the suggested rules to the abovementioned stpl file, inside the server block), check this out:
ALL RIGHT!!
(leave a comment if it also worked for you)
NB if you're a fan of speed, also check out my PHP7+opcache tutorial: viewtopic.php?t=13053
Last edited by PagesAtHome on Fri Dec 23, 2016 3:04 pm, edited 4 times in total.
Re: HOWTO: Force https AND http2 AND Rewrite to non-www!!
this did not work for me;
any other methods? it seems having anything like:
server {
listen IPNUMBERHERE:443 ssl http2;
using the ssl and http2 it doesn't allow nginx to restart. any suggestions?
using latest version with nginx as a proxy for apache.
any other methods? it seems having anything like:
server {
listen IPNUMBERHERE:443 ssl http2;
using the ssl and http2 it doesn't allow nginx to restart. any suggestions?
using latest version with nginx as a proxy for apache.
-
PagesAtHome
- Posts: 8
- Joined: Tue Nov 08, 2016 12:22 pm
Re: HOWTO: Force https AND http2 AND Rewrite to non-www!!
Hey @doughnet,
Too bad it didnt work out right away. First off, lets check out your software versions:
SSH* into your server and type:
(mine says currently nginx version: nginx/1.10.2 )
also, retry restarting your nginx server from the command line (assuming you're using Debian):
if it works, it doesnt put out any message, if it doesnt work, paste its output in a reply.
Error possibility 1:
its good to keep in mind that the template files you copied like instructed are processed by Vesta, when you apply a template in the control panel, into the 'real' config files which are located at /home/admin/conf/web/. First, Nginx will use the 'nginx.conf' for http connections and 'snginx.conf' for https connections, the other files in the folder can be ignored for this matter. I noticed a few times where Vesta screwed up this process after i adjusted some template files. If you think this might be the case with your install, remove all the server{} blocks from these two files that relate to the domain you're working on, save the files and then re-apply the templates using the Vesta control panel.
* i recommend MobaXterm if you're using Windows, i'm loving it, it doubles as FTP file client, any sort of client for that matter, it also allows for direct file editing, which allows you to skip using command line editors like VIM or nano (of which i prefer the latter in case you wonder) -> http://mobaxterm.mobatek.net
Too bad it didnt work out right away. First off, lets check out your software versions:
SSH* into your server and type:
Code: Select all
nginx -valso, retry restarting your nginx server from the command line (assuming you're using Debian):
Code: Select all
service nginx restartError possibility 1:
its good to keep in mind that the template files you copied like instructed are processed by Vesta, when you apply a template in the control panel, into the 'real' config files which are located at /home/admin/conf/web/. First, Nginx will use the 'nginx.conf' for http connections and 'snginx.conf' for https connections, the other files in the folder can be ignored for this matter. I noticed a few times where Vesta screwed up this process after i adjusted some template files. If you think this might be the case with your install, remove all the server{} blocks from these two files that relate to the domain you're working on, save the files and then re-apply the templates using the Vesta control panel.
* i recommend MobaXterm if you're using Windows, i'm loving it, it doubles as FTP file client, any sort of client for that matter, it also allows for direct file editing, which allows you to skip using command line editors like VIM or nano (of which i prefer the latter in case you wonder) -> http://mobaxterm.mobatek.net
Re: HOWTO: Force https AND http2 AND Rewrite to non-www!!
Nice guide @PagesAtHome, thanks!
In my case, I just needed to enable http2 so I didn't create a new template (.stpl file) and just edited the hosting.stpl file, adding the http2 ssl directives.
In my case, I just needed to enable http2 so I didn't create a new template (.stpl file) and just edited the hosting.stpl file, adding the http2 ssl directives.