nginx переписывает с www на без www

Относится $server_nameк имени сервера, которое вы определили в блоке виртуального хоста. Поэтому ваш дополнительный блок вызывает цикл перенаправления, перенаправляя обратно на себя.

Вместо переменной вам придется использовать буквальное доменное имя.

Для домена SSL с wwwнеобходимо добавить listen 443 ssl;значения блока и сертификата.

Итак, это должен быть ваш третий блок:

server {
    listen 80;
    listen 443 ssl;
    server_name www.example.com;
    return 301 https://example.com$request_uri;
    include snippets/ssl-example.com.conf;
    include snippets/ssl-params.conf;
    ...
}

Вот как я делаю переадресацию с http на https. Ключевая часть — три блока сервера внизу.

server {
  server_name www.example.com;

  listen 443 ssl http2;

  ssl_certificate /var/lib/acme/certs/***CERT_DIRECTORY/fullchain;
  ssl_certificate_key /var/lib/acme/certs/***CERT_DIRECTORY/privkey;

  # Set up preferred protocols and ciphers. TLS1.2 is required for HTTP/2
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

  # This is a cache for SSL connections
  ssl_session_cache shared:SSL:2m;
  ssl_session_timeout 60m;

  root     /var/www/***rootdir;

  # First line is a cached access log, second logs immediately
  access_log  /var/log/nginx/mrwild.access.log main buffer=32k flush=1m if=$log_ua;
  # access_log  /var/log/nginx/mrwild.access.log main;

  # Default location to serve
  location / {
    log_not_found off;

    # This is a static site, so set the cache control headers to allow caching
    # for a day  
    add_header Cache-Control "public";
    expires 1d;

    valid_referers none blocked server_names ~($host) ~(googleusercontent|google|bing|yahoo);
    if ($invalid_referer) {
      rewrite (.*) /stop-stealing-images.png redirect;
    }
  }
  # Let the hotlink detection image be hotlinked
  # *** Find yourself a suitable graphic
  location = /stop-stealing-images.png { 
    add_header Cache-Control "public"; expires 4h;
  }

  # Don't log robots errors but log access
  location = /robots.txt {
    allow all; log_not_found off; 
  }

  location ~ /favicon.ico {
    access_log off; log_not_found off;
  }

  # This is for issuing certificates
  location /.well-known/acme-challenge/ {
    root /var/www/acme-challenge/;
  }

}

# This server simply redirects the requested to the https version of the page
server {
  listen 80;
  server_name example.com;
  return 301 https://www.example.com$request_uri;
}

server {
  listen 80;
  server_name www.example.com;
  return 301 https://www.example.com$request_uri;
}

server {
  listen 443 ssl http2;
  server_name example.com;

  ssl_certificate /var/lib/acme/certs/***CERT_DIRECTORY/fullchain;
  ssl_certificate_key /var/lib/acme/certs/***CERT_DIRECTORY/privkey;

  # Set up preferred protocols and ciphers. TLS1.2 is required for HTTP/2
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

  access_log  /var/log/nginx/mrwild.access.log main buffer=32k flush=1m if=$log_ua;

  return 301 https://www.example.com$request_uri;
}