Redirect all HTTP Requests to HTTPS with Nginx

All login details exchanged over plain HTTP can without much of a stretch be sniffed by a MITM attacker, yet is isn’t sufficient to encode the login forms. On the off chance that you are going to plain HTTP pages while logged in, your session can be captured, and not in any case two-factor verification will secure you. To ensure all data sent between your visitors – which incorporates you – and your web server, we will divert all requests that are coming over plain HTTP to the HTTPS proportionate.

It isn’t generally important to utilize HTTPS for completely all requests, yet it makes your life substantially less demanding to simply deal with one plan and redirect all plain HTTP movement to the proportionate HTTPS resource. So please ensure you setup HTTPS for the same hostname that you use for plain HTTP. Try not to utilize secure.example.com if your normal hostname is example.com or www.example.com. The main contrast ought to be the plan – nothing else. This will spare you from a great deal of migraines additionally not far off.

Redirect all HTTP traffic to HTTPS

server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name _;
	return 301 https://$host$request_uri;
}

Now all traffic for http://example.com/index.php is redirected to https://example.com/index.php. Please note that while this works fine for GET requests, the postdata is not sent to the new URL for POST requests. This is usually not an issue if you’re using WordPress – at least not if your website is coded somewhat properly – as all your forms should use the URL WordPress is configured to use.

The redirect response is sent with the HTTP status code 301, which tells the browser (and search engines) that this a permanent redirect. This makes the browser remember the redirect, so that next time they visit, the browser will do the redirect internally. If you set the HSTS header – which you should – the browser will even do this for every single request to your domain.