Nginx mapping with transparent port/proxy(?)

Wayne Werner asked:

I’m not entirely sure what it is I’m looking for here, so I’m not able to effectively search for my answer.

I’m using dehydrated for LetsEncrypt’s TLS-ALPN challenges. I’m hosting the service behind nginx by using

stream {
    map $ssl_preread_alpn_protocols $tls_port {
        ~\bacme-tls/1\b 10443;
        default 3443;

    server {
        listen 443;
        listen [::]:443;
        ssl_preread on;

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;

server {
    listen 3443 ssl;
    listen [::]:3443 ssl;


    ssl_certificate /path/to/my/fullchain.pem;
    ssl_certificate_key /path/to/my/privkey.pem;

    index index.html;
    root /var/www/;

This works pretty great – I can get new certs with zero downtime, and my website is accessible. However, when I access my page it works fine. When I hover over a link it shows me

Clicking on that link, though, takes me to

This is undesirable – I’d prefer it show up as plain ol’

I’m assuming that something I have setup here in nginx is what’s causing the confusion, but I’m not positive.

Is there a way that I can update my nginx config to still allow the dehydrated server to work, but also tell the browser that :3443 isn’t really what they should be connecting to? (Or at least, don’t show it in the address bar)


When I do curl it gives me a 301 redirect. Something is definitely happening with my nginx config here.

Another Update

When I do curl it works just fine so it looks like it’s doing something with the trailing /

My answer:

The redirect you described comes from nginx when you omitted the trailing slash from a URL. You should be able to suppress it with port_in_redirect off;.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.