Modern browsers warn users about plaintext HTTP requests, so forced HTTPS is no longer an advanced option but a basic configuration for any website. If you run your site on Nginx, how do you configure automatic HTTPS redirection cleanly and securely?
As a high-performance reverse proxy server, Nginx can listen on different ports and protocols through server blocks. The usual redirection logic is to listen for HTTP requests on port 80 and answer every one of them with a permanent 301 redirect to the corresponding HTTPS address. This practice is called forced HTTP→HTTPS redirection; it benefits SEO and improves the user experience.
Before formal configuration, make sure you have completed the following tasks:
- Install Nginx;
- Own a domain name and point its DNS records at the server;
- Apply for and install an SSL certificate;
- Have root privileges to modify Nginx configuration.
Standard configuration method: Forced HTTPS redirection in one step
Assume that your website domain name is example.com and the SSL certificate is ready. The following is a standard two-section configuration.
HTTP request listening and redirection configuration
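server {
    listen 80;
    server_name example.com www.example.com;
    # Redirect all HTTP requests to HTTPS (permanent redirect)
    return 301 https://$host$request_uri;
}
This block permanently redirects every request to port 80 (whether for the root directory or a sub-path) to the corresponding HTTPS address. Note that $host is taken from the request, so the redirect target reflects whatever host name the client sent; if this block also ends up as the default server for port 80, redirect to a fixed host name as in Scenario 1 below.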
HTTPS service configuration (SSL enabled)
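server {
    listen 443 ssl;
    server_name example.com www.example.com;
    # Placeholder paths: use the certificate chain and private key you installed
    ssl_certificate     /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    # Site configuration (root, location blocks, proxy_pass, ...) goes here
}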
After configuration is complete:
- http://example.com → automatically redirects to https://example.com
- Users do not need to remember ports or protocols; they land on an encrypted connection automatically
Multiple domain names, multiple ports, and HSTS settings
Scenario 1: Unified redirection of multiple domain names
server {
    listen 80 default_server;
    server_name _;
    return 301 https://example.com$request_uri;
}
This can be used to redirect all requests for "unknown" domain names to the HTTPS page of the main domain name.
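Scenario 2: Add the HSTS security header (force the browser to use HTTPS)
Add this directive inside the HTTPS (port 443) server block; browsers ignore the header when it arrives over plain HTTP:
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
- max-age=63072000: force HTTPS for 2 years
- includeSubDomains: the policy also applies to subdomains
- preload: allows the domain to be submitted to the browser HSTS preload list (verification required)
Note: once HSTS is enabled, it cannot be rolled back in the short term, because browsers remember the policy for the whole max-age period. Make sure that the SSL certificate remains valid.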
Configuration verification and testing method
After completing the Nginx configuration, use the following method to test whether it is correct:
Local curl to check redirection:
    curl -I http://example.com
The output should contain:
    HTTP/1.1 301 Moved Permanently
    Location: https://example.com/
Browser access:
Visit http://example.com directly and confirm that it redirects automatically and that the browser shows the padlock icon.
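The curl check can also be scripted so that it fails loudly after a configuration change. The following is an added example, not part of the original article: it takes the header text that `curl -sI` prints and checks it against the redirect and HSTS policy configured above. The sample responses are constructed, and the function names are illustrative.

```python
import re
from urllib.parse import urlsplit

# Constructed sample responses, shaped like `curl -sI` output (not captured from a real server).
HTTP_SAMPLE = ("HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\n"
               "Location: https://example.com/docs?id=1\r\n\r\n")
HTTPS_SAMPLE = ("HTTP/2 200\r\nstrict-transport-security: "
                "max-age=63072000; includeSubDomains; preload\r\n\r\n")

def parse_head(raw):
    """Split a raw response head into (status code, {lower-cased name: value})."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def check_redirect(raw, host, target="/"):
    """Problems with the port-80 answer for `target`; an empty list means it is correct."""
    status, headers = parse_head(raw)
    loc = urlsplit(headers.get("location", ""))
    got = loc.path + ("?" + loc.query if loc.query else "")
    problems = []
    if status != 301:
        problems.append(f"status {status}, expected 301")
    if loc.scheme != "https":
        problems.append("Location is not an https:// URL")
    if loc.hostname != host:
        problems.append(f"Location host is {loc.hostname!r}, expected {host!r}")
    if got != target:
        problems.append(f"Location target is {got!r}, expected {target!r}")
    return problems

def check_hsts(raw, min_age=63072000):
    """Problems with the HSTS policy on the HTTPS answer; an empty list means it matches."""
    value = parse_head(raw)[1].get("strict-transport-security")
    if value is None:
        return ["Strict-Transport-Security header is missing"]
    parts = [p.strip().lower() for p in value.split(";") if p.strip()]
    ages = [int(m.group(1)) for p in parts if (m := re.fullmatch(r'max-age="?(\d+)"?', p))]
    problems = []
    if not ages or ages[0] < min_age:
        problems.append(f"max-age is missing or below {min_age}")
    if "includesubdomains" not in parts:
        problems.append("includeSubDomains is missing")
    return problems

if __name__ == "__main__":
    print(check_redirect(HTTP_SAMPLE, "example.com", "/docs?id=1"), check_hsts(HTTPS_SAMPLE))
```

To run it against a live site, pass the output of `curl -sI http://example.com/docs?id=1` to `check_redirect` and the output of `curl -sI https://example.com/` to `check_hsts`.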
Enabling HTTPS in Nginx is an important step in protecting user privacy and the integrity of website data. With a few simple changes to the configuration file, you can gain browser trust, improve SEO ranking, prevent man-in-the-middle attacks, and build a professional and credible image for your website. For a developer or operations engineer, mastering HTTPS redirection is not only a skill but also a responsibility to users.