On Tue, Jan 10, 2023 at 06:45:15PM -0500, Paul wrote:

Hi there,

> BUT... for that one step further and have all server (nginx) responses go
> back to the end-client as:
> https://a.example.com
> and NOT as:
> https://www.a.example.com
>         ^^^
> I have written an /etc/nginx/conf.d/redirect.conf as:
> server {
>   server_name www.a.example.com;
>   return 301 $scheme://a.example.com$request_uri;
> }
>
> which seems to work, but I would appreciate your opinion - is this the best,
> most elegant, secure way? Does it need "permanent" somewhere?

It does not need "permanent" -- that is a signal to "rewrite" to use a http 301 not http 302 response; and you are using a http 301 response directly.

(See, for example, http://http.cat/301 or http://http.cat/302 for the meaning of the numbers. Warning: contains cats.)

> I've never used "scheme" before today, but we've got an external advisory
> audit going on, and I'm trying to keep them happy.

$scheme is http or https depending on the incoming ssl status. That 4-line server{} block does not do ssl, so $scheme is always http there.

http://nginx.org/r/$scheme

Either way, this would redirect from http://www.a. to http://a., and then the next request would redirect from http://a. to https://a..

I suggest that you are better off just redirecting to https the first time.

You will want a server{} with something like "listen 443 ssl;" and "server_name www.a.example.com;" and the appropriate certificate and key; and then also redirect to https://a. in that block.

So for the four families http,https of www.a,a you will probably want three or four server{} blocks -- you could either put http www.a and http a in one block; or you could put https www.a and http www.a in one block; and then one block for the other, plus one for the https a that is the "real" config -- the other ones will be small enough configs that "just" return 301 to https://a.

Which should be simple enough to audit for correctness.

Good luck with it,

	f
-- 
Francis Daly        fran...@daoine.org
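
Added example, not part of the original message: one way to lay out the three-block variant described above, with both plain-http names sharing a block. The certificate and key paths and the document root are placeholders, and the layout assumes nothing else on the server listens on these names.

```nginx
# Added example, not from the thread. All /path/to/... values are placeholders.

# http://www.a.example.com and http://a.example.com:
# a single hop straight to https://a., never via http://a.
server {
    listen 80;
    server_name a.example.com www.a.example.com;
    return 301 https://a.example.com$request_uri;
}

# https://www.a.example.com: the TLS handshake has to succeed before the
# 301 can be sent, so this block needs a certificate valid for the www name.
server {
    listen 443 ssl;
    server_name www.a.example.com;
    ssl_certificate     /path/to/www.a.example.com.crt;
    ssl_certificate_key /path/to/www.a.example.com.key;
    return 301 https://a.example.com$request_uri;
}

# https://a.example.com: the "real" config, and the only block that
# serves content.
server {
    listen 443 ssl;
    server_name a.example.com;
    ssl_certificate     /path/to/a.example.com.crt;
    ssl_certificate_key /path/to/a.example.com.key;
    root /path/to/site;
}
```

The target scheme is written literally as https rather than taken from $scheme, so no redirect can point at a plain-http URL. Running `nginx -t` checks the syntax before a reload, and `curl -sI` against each of the three redirecting URLs should show one 301 whose Location begins with https://a.example.com.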