I am having an issue with a client Magento 2 site upon attempting to transition from Apache to Nginx.
The first security block works as intended, but secondary blocks are being immediately 302 redirected to the first one, and all sites are being prefixed with www regardless of Nginx or Apache configuration.
The two different sites are separate domains and configured as such in Cloudflare.
My current suspicion, given that the configuration was functional for Apache, is that it might be an SNI issue with the origin certificates, or that the server blocks are misconfigured. The first server block looks like the following (note that the code has been partially anonymized by replacing some values but is otherwise accurate):
server {
    listen 80;
    listen [::]:80;
    server_name .example.com;
    return 302 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name .example.com;
    set $MAGE_ROOT /var/.../example.com;
    include /var/.../example.com/nginx.conf.sample;
    ssl_certificate .../example.com.pem;
    ssl_certificate_key .../example.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
For the second site:

server {
    listen 80;
    listen [::]:80;
    server_name .example.org;
    return 302 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name .example.org;
    set $MAGE_ROOT /var/.../example.com/example.org;
    include /var/.../example.org/nginx.conf.sample;
    ssl_certificate .../example.org.pem;
    ssl_certificate_key .../example.org.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
Additional notes:
Config files in Apache don’t reference any MAGE_RUN_TYPE or MAGE_RUN_CODE environment variables; they just set a DocumentRoot pointing to the corresponding site.
To summarize, the question I am asking here is if Cloudflare might be providing different SNI values than I initially anticipated, and if so, what steps might be needed to resolve this for Nginx. In my specific case if I need to alter other aspects of the stack for Magento I would likely need approval, so I am inclined to exhaust solutions with Cloudflare and Nginx first.
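An added diagnostic for the question above (example code written for this thread, not part of the original post or of Magento/Cloudflare tooling): in Full mode Cloudflare opens a TLS connection to the origin with the SNI of the visitor's hostname, so the quickest way to see what each domain really gets is to bypass Cloudflare and connect to the origin IP yourself with each SNI name. The script reports which certificate nginx selected for that name, whether its SANs actually cover the name, and where any 30x redirect points (same host, www-prefixed, or a completely different domain, which is the symptom described). The origin IP, the CA file that issued the origin certificates and the hostnames are assumptions supplied on the command line; the constructed sample response in the helper tests is not real traffic.

```python
"""Probe an origin directly with a chosen SNI name, as Cloudflare would,
and report which certificate and which redirect that name receives."""
import socket
import ssl
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def cert_covers(san_names, host):
    """True if `host` is matched by one of the certificate's DNS SAN entries.
    Exact names and single-label wildcards (*.example.com) are supported."""
    host = host.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        # A wildcard only matches one label, so label counts must agree.
        if name.startswith("*.") and host.count(".") == name.count("."):
            if host.endswith(name[1:]):  # name[1:] is ".example.com"
                return True
    return False


def classify_redirect(requested_host, status, location):
    """Describe where a redirect sends us relative to the host we asked for."""
    if status not in REDIRECT_CODES or not location:
        return "no-redirect"
    target = (urlsplit(location).hostname or "").lower()
    requested_host = requested_host.lower()
    if target == requested_host:
        return "same-host"  # the normal http -> https upgrade
    if target == "www." + requested_host:
        return "www-prefix"
    if target.endswith("." + requested_host):
        return "subdomain"
    return "cross-domain"  # e.g. example.org answered with an example.com URL


def parse_response_head(raw):
    """Split a raw HTTP/1.x response into (status code, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return status, headers


def probe_origin(origin_ip, host, ca_file, path="/", port=443, timeout=5):
    """TLS-connect to origin_ip sending SNI=host, then issue one GET with a
    matching Host header.  ca_file (assumed to be downloaded already) is the
    PEM of the CA that issued the origin certificate; Python only returns a
    parsed certificate when verification is on.  Hostname checking is off so
    a name mismatch is reported instead of raising."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            sans = [v for t, v in tls.getpeercert().get("subjectAltName", ()) if t == "DNS"]
            tls.sendall(
                f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
            )
            chunks = []
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
    status, headers = parse_response_head(b"".join(chunks))
    location = headers.get("location")
    return {
        "host": host,
        "cert_sans": sans,
        "sni_cert_matches": cert_covers(sans, host),
        "status": status,
        "location": location,
        "redirect": classify_redirect(host, status, location),
    }


if __name__ == "__main__":
    import sys

    # usage: python probe_origin.py ORIGIN_IP ORIGIN_CA.pem example.com example.org
    origin, ca = sys.argv[1], sys.argv[2]
    for name in sys.argv[3:]:
        print(probe_origin(origin, name, ca))
```

Run it once per domain against the origin IP (not the Cloudflare proxy address); if `sni_cert_matches` is false for the second domain, nginx picked another block's certificate for that SNI name, and a `cross-domain` redirect shows which host the 302 is actually sending visitors to.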
I’m sorry, but I am not familiar with a setup like Nginx running as a reverse proxy over Apache, only with Nginx as a “standalone”.
Furthermore, which Nginx version are you running?
Is the TLS supported with it?
Nevertheless, does your Nginx version support SNI?
Therefore, regarding the SSL certificate, are you using a valid one which covers your naked domain and any other sub-domain?
May I also ask which SSL option you have selected under the SSL/TLS tab in the Cloudflare dashboard for your domain? (Flexible, Full, Full Strict)
Regarding 301 redirects and SEO, I usually go with a www setup for my domain and therefore redirect non-www (HTTP) to HTTPS www like below:
NOTE: Using Cloudflare CA Origin Certificate + Authenticated Origin Pull with Full (Strict) SSL, Always Use HTTPS and Automatic HTTPS Rewrites options at the Cloudflare dashboard, with the HSTS option enabled too.
server {
    listen *:80;
    listen [::]:80;
    listen *:443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate /path/domain.crt;
    ssl_certificate_key /path/domain.key;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    if ($scheme != "https") {
        rewrite ^ https://$http_host$request_uri? permanent;
    }
    if ($http_host = "domain.com") {
        rewrite ^ $scheme://www.domain.com$request_uri? permanent;
    }

    # If using Cloudflare Authenticated Origin Pulls
    ssl_client_certificate /etc/origin-pull-ca.pem; # download it first and place it where you want
    ssl_verify_client on;

    # Useful stuff from MozSSL
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;
    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
    ssl_dhparam /etc/dhparam-mozilla.pem;
    ...
}
There are some online tools, but they were not working well as far as I tested back in 2015.
To clarify, the server is migrating from Apache to Nginx. The desired end result is to not need to use Apache; I am merely referencing the configuration files as a means to translate the Apache vhosts to the corresponding Nginx server blocks.
The lack of TLS 1.3 is an oversight, thanks for pointing that out.
Nginx is 1.8 and confirmed able to use SNI according to nginx -v.
Cloudflare is operating with Full SSL, not Strict.
For additional context, the Apache vhost config for each site is along the lines of:
Note that the above config for this and the similar second site apache config are currently in production and do not have any domain redirection issues.