All login credentials transferred over plain HTTP can easily be sniffed by a MITM attacker, but it is not enough to encrypt the login forms. If you are visiting plain HTTP pages while logged in, your session can be hijacked, and not even two-factor authentication will protect you. To protect all info sent between your visitors – which includes you – and your web server, we will redirect all requests that are coming over plain HTTP to the HTTPS equivalent.

Redirect All Sites

server {
    # Catch-all for plain-HTTP requests to any hostname
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

Redirect Specific Sites

server {
    # Plain-HTTP listener for this one site only
    listen 80;
    server_name foo.com;
    return 301 https://foo.com$request_uri;
}
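
One way to check that a redirect block like the ones above does what it should, as an added example that is not part of the original page: the helper reads response headers (for instance piped from `curl -sI http://foo.com/login`) and passes only on a 301 whose Location is the exact HTTPS equivalent, path and query string included. The function name `check_redirect`, the sample paths and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# check_redirect EXPECTED_URL  (hypothetical helper, not from the page)
# Reads raw response headers on stdin, e.g. from `curl -sI http://foo.com/x`,
# and succeeds only if the response is a 301 whose Location is EXPECTED_URL.
check_redirect() {
    expected=$1
    headers=$(tr -d '\r')            # HTTP header lines end in CRLF
    status=$(printf '%s\n' "$headers" | awk 'NR == 1 { print $2 }')
    # Header names are case-insensitive; take the first Location header.
    location=$(printf '%s\n' "$headers" |
        awk 'tolower($1) == "location:" { print $2; exit }')

    if [ "$status" != "301" ]; then
        echo "FAIL: status ${status:-missing}, expected 301"
        return 1
    fi
    case $location in
        "$expected") echo "OK: 301 -> $location" ;;
        http://*)    echo "FAIL: redirect target is still plain HTTP: $location"
                     return 1 ;;
        *)           echo "FAIL: Location '${location}' is not '$expected'"
                     return 1 ;;
    esac
}

# Constructed sample responses (not captured from a real server).
sample_redirect() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\n'
    printf 'Location: https://foo.com/login?next=/admin\r\n\r\n'
}
sample_served_over_http() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n'
}
sample_dropped_uri() {
    # What a config without $request_uri would send back
    printf 'HTTP/1.1 301 Moved Permanently\r\nlocation: https://foo.com/\r\n\r\n'
}

want='https://foo.com/login?next=/admin'
sample_redirect         | check_redirect "$want" || true
sample_served_over_http | check_redirect "$want" || true
sample_dropped_uri      | check_redirect "$want" || true
```

Against a live server, run it once per hostname and once with a deep path and query string, since a redirect that drops `$request_uri` still returns 301 but lands every visitor on the front page.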

Optional: App Configuration

server { listen 443 ssl; server_name bar.com; }

and so on…