Force NGINX WordPress site to use SSL

[Hefin]

I'm trying to figure out how to force a WordPress site running on NGINX in cPanel to only use SSL. I updated the sites nginx conf file with the following line shown in bold below:


server {
server_name mysite.com www.mysite.com mail.mysite.com;
listen 80;
listen [::]:80;

return 301 https://mysite.com$request_uri;

include conf.d/includes-optional/cloudflare.conf;

set $CPANEL_APACHE_PROXY_PASS $scheme://apache_backend_${scheme}_11_222_333_44;


I restarted NGINX but the site fell over with a message saying too many redirects

 

[ffeingol]

You have to make sure that WordPress is configured to go to https or you'll end up with loops like your seeing. We usually suggest a plugin called Really Simple SSL.

 

[Hefin]

I don't like using plugins where I don't really need them. When I used apache for the webserver I could just edit the .htaccess file, but obviously NGINX doesn't use that file.

 

[cPRex]

I also use ReallySimpleSSL on my personal WordPress sites and it takes care of things. The issue isn't just with Nginx but with all internal WordPress code as well, so the plugin likely really is the best option here.

 

[ffeingol]

You can certainly do it only with the web server, as long as the URL's for the site (in WordPress settings) are set to https and not http. If they are, you'll see the loops like you are currently seeing.

 

[Hefin]

You can certainly do it only with the web server, as long as the URL's for the site (in WordPress settings) are set to https and not http. If they are, you'll see the loops like you are currently seeing.

Yeah, that would make sense, but in practice, it didn't make a difference. I updated the general settings to include HTTPS as the protocol prefix (not the real site name) and made the necessary changes to the Nginx configuration again. However, I encountered the same issue again with the browser complaining about too many redirects.




Strange thing is, though, that now it's set in the WordPress general settings tab, the site effectively behaves like it's got HTTPS forced, as you can't load the HTTP version of the site.

It would be nice to know why the config update didn't work, though. Your explanation does make sense, but it's not what I see on the site. Either way, the end result has been achieved.

 

[Hefin]

For anyone else bumping up against this issue, I found this worked in the end

# Force https
if ($scheme = http) {
return 301 https://$host$request_uri;
}