How to Redirect HTTP to HTTPS in Nginx

How to Redirect HTTP to HTTPS in Nginx

That little padlock icon in the browser address bar? It's more than just a symbol—it's a promise of security to your users. In today's digital landscape, HTTPS isn't optional anymore; it's essential for user trust, SEO rankings, and data protection.

But here's the thing: users will inevitably try to access your site using HTTP, either out of habit or through old links. If those requests don't automatically redirect to HTTPS, you're missing out on the security benefits and potentially confusing your visitors.

I've helped countless websites make the transition to HTTPS, and getting the redirect right is crucial for both security and user experience. In this guide, I'll show you the most effective ways to redirect HTTP to HTTPS in Nginx, with different methods for different scenarios.

Let's secure your website! 🔒

Why HTTP to HTTPS Redirects Matter

Before we dive into the technical details, let's understand why proper redirects are so important:

• Security compliance: Modern browsers mark HTTP sites as "Not Secure"
• SEO benefits: Google gives priority to HTTPS sites in search rankings
• User trust: The padlock icon builds confidence in your website
• Data protection: Encrypts all data between users and your server

Prerequisites: What You Need Before Starting

Before setting up redirects, make sure you have:

• SSL Certificate: Let's Encrypt is free and easy to set up
• Nginx installed: Obviously, you need Nginx running
• Server access: Root or sudo privileges to edit configuration files
• Domain name: Pointed to your server's IP address

Need an SSL certificate? Run this command:

sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

Method 1: The Simple Server Block Redirect

This is the most straightforward approach—create a separate server block for HTTP that redirects to HTTPS.

Step 1: Create HTTP Server Block

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;

    return 301 https://$server_name$request_uri;
}

Step 2: Your HTTPS Server Block

server {
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;

    # SSL configuration
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    # Your website configuration here
    root /var/www/yourdomain;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

Step 3: Test and Reload Nginx

sudo nginx -t
sudo systemctl reload nginx

Why this works: The HTTP server block catches all port 80 traffic and permanently redirects it to the equivalent HTTPS URL, preserving the exact path and query string.

Method 2: The Conditional Redirect

This method handles both HTTP and HTTPS in a single server block, which some find cleaner.

Configuration

server {
    listen 80;
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;

    # SSL configuration
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    # Redirect HTTP to HTTPS
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }

    # Your website configuration
    root /var/www/yourdomain;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

Note: While this works, Nginx documentation recommends using separate server blocks (Method 1) for better performance.

Method 3: The Catch-All Redirect

Perfect for servers hosting multiple domains—this redirects any HTTP request to HTTPS.

Configuration

server {
    listen 80 default_server;
    server_name _;

    return 301 https://$host$request_uri;
}

# Your actual HTTPS server blocks go here
server {
    listen 443 ssl http2;
    server_name yourdomain.com;
    # ... rest of your configuration
}

Method 4: www to non-www (or vice versa) with HTTPS

Many sites want to redirect between www and non-www versions while also enforcing HTTPS.

Redirect www to non-www

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://yourdomain.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name www.yourdomain.com;

    # SSL certificate for www version
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    return 301 https://yourdomain.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name yourdomain.com;

    # Your main site configuration
    # ...
}

Advanced Configuration: HSTS and Security Headers

For maximum security, add these headers to your HTTPS server block:

server {
    listen 443 ssl http2;
    server_name yourdomain.com;

    # SSL configuration
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;

    # Your site configuration
    # ...
}

HSTS (HTTP Strict Transport Security) tells browsers to always use HTTPS for your site, preventing downgrade attacks.

Testing Your Redirects

Always test your redirects to ensure they're working correctly.

Command Line Testing

# Test HTTP to HTTPS redirect
curl -I http://yourdomain.com

# Expected output should include:
# HTTP/1.1 301 Moved Permanently
# Location: https://yourdomain.com/

# Test specific pages
curl -I http://yourdomain.com/about-us
# Should redirect to https://yourdomain.com/about-us

Browser Testing

1. Clear your browser cache
2. Type http://yourdomain.com in the address bar
3. Verify it redirects to https://yourdomain.com
4. Check that the padlock icon appears
5. Test a few different pages to ensure all paths redirect correctly

Troubleshooting Common Issues

Sometimes redirects don't work as expected. Here are the most common problems and solutions:

"Redirect Loop" Error

Cause: Your HTTPS server block is also trying to redirect.

Solution: Make sure only your HTTP server block contains redirect logic.

# Wrong - causes redirect loop
server {
    listen 443 ssl http2;
    return 301 https://$host$request_uri;  # This shouldn't be here!
}

# Correct - only HTTP redirects
server {
    listen 80;
    return 301 https://$host$request_uri;
}

Mixed Content Warnings

Cause: Your HTTPS page loads HTTP resources (images, scripts, CSS).

Solution: Update all resource URLs to use HTTPS or relative paths.

<img src="http://yourdomain.com/image.jpg">


<img src="https://yourdomain.com/image.jpg">


<img src="/image.jpg">

Certificate Not Trusted

Cause: Self-signed certificate or certificate chain issues.

Solution: Use Let's Encrypt or purchase from a trusted CA.

Port 80 Not Listening

Cause: Firewall blocking port 80 or Nginx not listening on port 80.

Solution: Check firewall and Nginx configuration.

# Check if Nginx is listening on port 80
sudo netstat -tulpn | grep :80

# Check firewall status
sudo ufw status

# Allow HTTP traffic if needed
sudo ufw allow 80/tcp

WordPress-Specific Considerations

If you're running WordPress, you'll need additional configuration:

Update WordPress URLs

Add these lines to your `wp-config.php`:

define('FORCE_SSL_ADMIN', true);
define('WP_HOME', 'https://yourdomain.com');
define('WP_SITEURL', 'https://yourdomain.com');

if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
    $_SERVER['HTTPS'] = 'on';
    $_SERVER['HTTP_HOST'] = 'yourdomain.com';
}

Update Database URLs

Run this SQL query to update hardcoded URLs in your database:

UPDATE wp_options SET option_value = replace(option_value, 'http://yourdomain.com', 'https://yourdomain.com') WHERE option_name = 'home' OR option_name = 'siteurl';
UPDATE wp_posts SET guid = replace(guid, 'http://yourdomain.com','https://yourdomain.com');
UPDATE wp_posts SET post_content = replace(post_content, 'http://yourdomain.com', 'https://yourdomain.com');

Performance Considerations

Redirects are generally fast, but here are some tips to keep them efficient:

• Use 301 redirects (permanent) instead of 302 (temporary)
• Avoid redirect chains - redirect directly to the final destination
• Cache SSL sessions to reduce handshake overhead
• Enable HTTP/2 for better performance over HTTPS

Final Checklist

Before declaring victory, run through this checklist:

• ✅ SSL certificate installed and valid
• ✅ HTTP requests redirect to HTTPS
• ✅ All pages and subpages redirect correctly
• ✅ No mixed content warnings
• ✅ HSTS header configured
• ✅ Redirect testing passes
• ✅ WordPress URLs updated (if applicable)

Wrapping Up

Setting up proper HTTP to HTTPS redirects is a critical step in securing your website. Not only does it protect your users' data, but it also builds trust and improves your SEO rankings.

The key is to choose the right method for your setup and test thoroughly. Start with Method 1 (separate server blocks) for most cases—it's clean, efficient, and easy to understand.

Remember, HTTPS isn't just about encryption; it's about showing your users that you take their security seriously. That padlock icon is more than just a symbol—it's your commitment to protecting their data.

Happy securing! 🔒 Your users will thank you for it.