[Nginx] Configuration to Redirect HTTP to HTTPS & HTTP Strict Transport Security (HSTS) Support

Tadashi Shigeoka ·  Tue, January 24, 2017

I’ll introduce two configurations for Nginx: redirecting HTTP requests to HTTPS and configuring HTTP Strict Transport Security (HSTS).


Configuration to Redirect HTTP to HTTPS

The return 301 https://$host$request_uri; directive sends a permanent (301) redirect to the same host and path over HTTPS, as shown below:

server {
    listen 80;
    server_name example.com;
    # Permanent redirect of every plain-HTTP request to the same host and path over HTTPS
    return 301 https://$host$request_uri;
}

server {
    # 'http2' requires nginx 1.9.5+. If using older nginx, replace with 'spdy'.
    listen 443 ssl http2;
    server_name example.com;

    # 'listen ... ssl' requires a certificate and private key; the paths are placeholders
    ssl_certificate     /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
}

HTTP Strict Transport Security (HSTS) Configuration

server {
    listen 443 ssl http2;

    # HTTP Strict Transport Security: tells browsers to require https:// without first checking
    # the http:// version for a redirect. Warning: it is difficult to change your mind.
    # Set it only in the HTTPS server block: browsers ignore this header when received over HTTP.
    #
    #    max-age: length of requirement in seconds (31536000 = 1 year)
    #    includeSubDomains: force TLS for *ALL* subdomains (remove if this is not what you want)
    #    preload: indicates you want browsers to ship with HSTS preloaded for your domain.
    #
    #    Submit your domain for preloading in browsers at: https://hstspreload.appspot.com
    #
    # 'always' sends the header on error responses (4xx/5xx) too, not only on 2xx/3xx.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # If you won't/can't turn on HTTPS for *all* subdomains, use this simpler version:
    # add_header Strict-Transport-Security "max-age=31536000;" always;
}

Registering with the HSTS Preload List

Google operates a service for registering domains on the HSTS Preload List. Once you have met the stated requirements and registered your domain, browsers that ship the list will never contact that domain over plain HTTP, not even on a first visit. To apply, the preload parameter must be included in the Strict-Transport-Security header.

[Source] HTTP Strict Transport Security - Web Security | MDN

So let’s register via HSTS Preload List Submission.

To register for the HSTS Preload List, the following conditions must be met:

  • Subdomains cannot be registered on their own, so submit the naked (apex) domain
  • The header set with add_header must include includeSubDomains
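Before submitting, it is worth checking that the header value nginx actually sends meets the preload requirements above. The following Python script is an added example, not code from the original post or from the HSTS preload service: it parses a Strict-Transport-Security value according to the RFC 6797 grammar (case-insensitive directive names, optional quoted values, trailing semicolons, no duplicate directives) and reports which preload requirements the value fails. The threshold of 31536000 seconds is the one-year max-age used in the configuration above, and the sample header values at the bottom are constructed.

```python
"""Check a Strict-Transport-Security header value against the HSTS preload
requirements: max-age >= 31536000 (one year), includeSubDomains and preload.
Added example; not part of the original post. Sample values are constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; the max-age the configuration above uses


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    # every directive seen, lower-cased name -> raw value (None if no '=' part)
    directives: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse an STS header value (RFC 6797 section 6.1).

    Directive names are case-insensitive and separated by ';'; a directive may
    carry an optional '=' value, optionally double-quoted. A trailing ';' is
    allowed, so "max-age=31536000;" is accepted. A directive appearing more than
    once makes the header invalid, and a browser would ignore it entirely."""
    policy = HstsPolicy()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue  # empty segment, e.g. after a trailing ';'
        name, _, val = token.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"') if val else None
        if name in policy.directives:
            raise ValueError(f"duplicate directive: {name}")
        policy.directives[name] = val
    if "max-age" in policy.directives:
        ma = policy.directives["max-age"]
        if ma is None or not ma.isdigit():
            raise ValueError("max-age must be a non-negative integer")
        policy.max_age = int(ma)
    policy.include_subdomains = "includesubdomains" in policy.directives
    policy.preload = "preload" in policy.directives
    return policy


def preload_problems(value: str) -> List[str]:
    """Return the reasons a header value would be rejected for preloading.

    An empty list means the header-side requirements are satisfied. (The
    preload service also checks things outside the header, such as the
    HTTP-to-HTTPS redirect and the certificate; those are not covered here.)"""
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return [str(exc)]
    problems: List[str] = []
    if policy.max_age is None:
        problems.append("max-age directive is required")
    elif policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below the required {ONE_YEAR}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains is required")
    if not policy.preload:
        problems.append("preload is required")
    return problems


if __name__ == "__main__":
    # Constructed sample values: the two headers from the configuration above
    # plus a few edge cases a real deployment might produce.
    samples = [
        "max-age=31536000; includeSubDomains; preload",
        "max-age=31536000;",
        'Max-Age="600"; IncludeSubDomains; preload',
        "max-age=31536000; max-age=0; includeSubDomains; preload",
    ]
    for sample in samples:
        problems = preload_problems(sample)
        verdict = "OK" if not problems else "; ".join(problems)
        print(f"{sample!r:60} -> {verdict}")
```

Run it against the value your server really returns (for example, the header captured from a response over HTTPS) rather than the value in the config file: an add_header in a location block replaces any add_header directives inherited from the server block, so the header can silently disappear on some paths.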

Now that Google's policy of favouring HTTPS sites is pressing, site operators who haven't implemented this should probably address it soon.

Reference Information

That’s all from the Gemba.