I noticed that you use an improper way to redirect in nginx. When you redirect from non-SSL to SSL (i.e. for an HSTS/TLS-only site), for example, you now do:

Code:
if ($http_host ~* "^(.+)\.domain\.net$") {
    rewrite ^ $scheme://domain.net$request_uri? permanent;
}

but nginx really doesn't perform at its best with that. They recommend doing it like so, with a separate server block for port 80:

Code:
server {
    server_name domain.net;
    listen 80;
    listen [::]:80;
    return 301 https://domain.net$request_uri;
}
server {
    server_name domain.net;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    etc.
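A config check for the two patterns in the post above, added here as an example (not part of the original post and not an nginx tool): it flags an `if` on `$host`/`$http_host` that wraps a `rewrite`, and plain port-80 `server` blocks that lack a `return` to `https://`. The function names, finding labels and sample config are constructed, and the brace counting assumes no braces inside quoted strings.

```python
import re

# Constructed sample: the post's two patterns, each in its own server block.
SAMPLE = r'''
server {
    server_name www.domain.net;
    listen 80;
    if ($http_host ~* "^(.+)\.domain\.net$") {
        rewrite ^ $scheme://domain.net$request_uri? permanent;
    }
}
server {
    server_name domain.net;
    listen 80;
    listen [::]:80;
    return 301 https://domain.net$request_uri;
}
'''

def server_blocks(conf):
    """Yield (line_number, body) for every `server { ... }` block, by brace counting."""
    for m in re.finditer(r'^[ \t]*server\s*\{', conf, re.M):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield conf.count('\n', 0, m.start()) + 1, conf[m.end():i - 1]

def audit(conf):
    """Return (line, finding) pairs for the redirect patterns discussed in the post."""
    findings = []
    for line, body in server_blocks(conf):
        # An `if` on the Host header whose body issues a rewrite.
        if re.search(r'\bif\s*\(\s*\$(http_)?host\b[^{]*\{[^}]*\brewrite\b', body):
            findings.append((line, 'if-host-rewrite'))
        # A listener on port 80 without the `ssl` flag ...
        plain80 = re.search(r'^\s*listen\s+(\S*:)?80\b(?![^;]*\bssl\b)', body, re.M)
        # ... should answer with an unconditional permanent redirect to https://.
        # `$scheme://...` does not count: on port 80 it expands to http.
        if plain80 and not re.search(r'^\s*return\s+30[18]\s+https://', body, re.M):
            findings.append((line, 'port-80-without-https-return'))
    return findings

if __name__ == '__main__':
    for line, finding in audit(SAMPLE):
        print(f'server block at line {line}: {finding}')
```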