Fix: Nginx Missing HTTP to HTTPS Redirect

Without an HTTP to HTTPS redirect, visitors who type your domain without https:// land on an unencrypted page. Browsers don't always auto-upgrade. The fix is a one-block Nginx config addition.

The Fix — HTTP to HTTPS Redirect

Add this server block to your Nginx config
server {
    listen 80;
    listen [::]:80;
    server_name yourdomain.com www.yourdomain.com;

    # Let's Encrypt ACME challenge — must come before redirect
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    # Redirect everything else to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

Your HTTPS server block (keep as-is)
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name yourdomain.com www.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    # ... rest of your config
}

# Validate and reload:
nginx -t && systemctl reload nginx

Why the ACME challenge block matters

If you redirect all port 80 traffic before the ACME challenge location, Let's Encrypt's HTTP-01 challenge will fail when certbot tries to renew. The challenge request hits port 80, gets redirected to HTTPS, and certbot can't complete the validation. Always put the .well-known/acme-challenge/ location before the redirect.


Frequently Asked Questions

Should I use return 301 or rewrite for HTTP to HTTPS redirect in Nginx?
Use return 301 https://$host$request_uri. It is faster than a rewrite rule, generates no regex overhead, and is the recommended approach in the Nginx documentation. Avoid rewrite ^(.*)$ https://$host$1 permanent — it is slower and error-prone.

Does the HTTP to HTTPS redirect break Let's Encrypt renewal?
Only if you redirect before the ACME challenge location. Always add location /.well-known/acme-challenge/ { root /var/www/certbot; } before the redirect location / block. This lets certbot complete HTTP-01 challenges even with the redirect active.

How do I redirect www to non-www and HTTP to HTTPS at the same time?
Use two server blocks: one for port 80 that redirects everything to https://yourdomain.com (non-www), and one for port 443 www that redirects to the non-www HTTPS. The main HTTPS server block then handles yourdomain.com only.
