I'm trying to add SSL on 8443 in nginx (for some reason I cannot use 443). The .conf file is as follows:
server {
    listen 9081;
    server_name myserver.someserver.in;
    return 302 https://$server_name$request_uri;
    # include conf.d/gzip.conf;
    location / {
        root /home/some/path;
        try_files $uri $uri/ /index.html =404;
    }
}
server {
    # SSL configuration
    listen 8443 ssl;
    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;
}
But, after hitting myserver.someserver.in:9081, I'm getting an error citing SSL_ERROR_RX_RECORD_TOO_LONG. Am I missing something?
UPDATE:
The contents of the included files are:
file -> self-signed.conf
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
file -> ssl-params.conf
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
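SSL_ERROR_RX_RECORD_TOO_LONG is what Firefox reports when the bytes that come back in answer to its ClientHello do not form a TLS record. The usual way to provoke it is to point a TLS client at a port that only speaks plain HTTP: the five ASCII bytes of "HTTP/" are parsed as a record header whose length field is far beyond anything a TLS record may carry. The probe below is an added diagnostic written for this page, not code from the question. It sends a minimal, hand-built ClientHello (constructed bytes, with a fixed all-zero random, so it is a probe and not a real handshake) over a raw socket and classifies the first bytes of the reply, so you can check from the command line which of the ports involved actually speaks TLS. The one-shot plaintext server at the end is a local test fixture and stands in for a port that nginx serves without `ssl`.

```python
"""Probe a TCP port and report whether it answers a TLS ClientHello with TLS or with plain HTTP."""
import socket
import sys
import threading


def build_client_hello():
    """A minimal TLS 1.2 ClientHello record (constructed for this probe; the random is all zeros,
    which is fine for a diagnostic but must never be used by a real client)."""
    body = (b"\x03\x03" + b"\x00" * 32            # client_version 1.2, 32-byte random
            + b"\x00"                               # empty session id
            + b"\x00\x04\xc0\x2f\x00\x9c"          # two cipher suites (ECDHE-RSA-AES128-GCM, AES128-GCM)
            + b"\x01\x00")                          # compression methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def classify(first_bytes):
    """Name the kind of reply from its first bytes.

    A TLS record starts with a content type (0x16 handshake, 0x15 alert) and a 0x03 major version.
    'HTTP/' means the peer answered the ClientHello as if it were an HTTP request: Firefox reads
    'H' as the type, 'TT' as the version and 'P/' (0x502f = 20527) as a record length above the
    TLS ceiling, hence SSL_ERROR_RX_RECORD_TOO_LONG."""
    if not first_bytes:
        return "closed-without-reply"
    if first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls-handshake"
    if first_bytes[0] == 0x15 and first_bytes[1] == 0x03:
        return "tls-alert"
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


def probe(host, port, timeout=5.0):
    """Connect, send the ClientHello, classify whatever comes back first."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_client_hello())
            return classify(s.recv(512))
    except socket.timeout:
        return "timeout"
    except ConnectionError:
        return "closed-without-reply"


def start_plaintext_server():
    """Test fixture: a one-shot fake plain-HTTP listener on 127.0.0.1 that answers any bytes
    with '400 Bad Request', the way a non-TLS web server port does. Returns the chosen port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Usage: python probe.py HOST PORT   (e.g. the 9081 and 8443 listeners from the question)
    host, port = sys.argv[1], int(sys.argv[2])
    print(f"{host}:{port} -> {probe(host, port)}")
```

Run it once against each listener. A port that returns `tls-handshake` (or `tls-alert`, which still proves TLS is being spoken) is safe to reach over `https://`; a port that returns `plaintext-http` will produce exactly the browser error in the question when addressed as `https://`.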
Related
I need to use headless puppeteer for a domain with multiple users and a certificate for each user.
Nginx's proxy_pass is used to "inject" the client certificate.
I need to be able to access targetdomain.com with 3 different certificates.
My nginx configuration:
server1 name target.mydomain.com proxy_pass targetdomain.com proxy_ssl_certificate 1.crt proxy_ssl_certificate_key 1.pem
server2 name target2.mydomain.com proxy_pass targetdomain.com proxy_ssl_certificate 2.crt proxy_ssl_certificate_key 2.pem
server3 name target3.mydomain.com proxy_pass targetdomain.com proxy_ssl_certificate 3.crt proxy_ssl_certificate_key 3.pem
server {
    listen 443 http2 ssl;
    server_name target.mydomain.com;
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    # ssl_stapling on;
    # ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    location / {
        proxy_pass https://targetdomain.com/;
        proxy_ssl_certificate /home/user/1.crt;
        proxy_ssl_certificate_key /home/user/1.pem;
        proxy_ssl_protocols TLSv1;
        proxy_ssl_ciphers DHE-RSA-AES256-SHA:AES256-SHA:DES-CBC3-SHA;
        proxy_ssl_server_name on;
    }
}
server {
    listen 443 http2 ssl;
    server_name target2.mydomain.com;
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    # ssl_stapling on;
    # ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    location / {
        proxy_pass https://targetdomain.com/;
        proxy_ssl_certificate /home/user/2.crt;
        proxy_ssl_certificate_key /home/user/2.pem;
        proxy_ssl_protocols TLSv1;
        proxy_ssl_ciphers DHE-RSA-AES256-SHA:AES256-SHA:DES-CBC3-SHA;
        proxy_ssl_server_name on;
    }
}
...
The problem: on each nginx restart, all 3 servers use the same certificate, either 1, 2 or 3.
Originally a single pfx certificate (for each user) was provided to me for target domain.
Each pfx file was converted to a .pem (containing a decrypted private key) and a .crt (PEM format) file containing 3 certificates (I don't know why, but it seems to need all 3 of them).
So how can I fix this and make nginx use the proper cert for each server?
I'm having sudden trouble connecting to my site. I've combed through my config files quite a few times now and I'm very confused by what my site has been doing, and the fact that it randomly started to occur without changing anything.
When I try to access mysite.info, absolutely nothing happens. Request timed out and nothing appears in the access or error logs.
Here is the config file at that point:
server {
    listen 80 default_server;
    server_name mysite.info www. mysite.info;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name mysite.info www. mysite.info;
    ssl_certificate /etc/letsencrypt/live/mysite.info/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysite.info/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;
    root **Document root edited out**;
    autoindex on;
    index index.php index.html index.htm;
    location ~ \.php$ {
        fastcgi_index index.php;
        fastcgi_pass 127.0.0.1:9000;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
    location ~ /.well-known {
        allow all;
    }
}
server {
    listen 80;
    server_name mynewsite.com www. mynewsite.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name mynewsite.com www. mynewsite.com;
    ssl_certificate /etc/letsencrypt/live/mynewsite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mynewsite.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;
    root **Document root edited out**;
    autoindex on;
    index index.php index.html index.htm;
    location ~ \.php$ {
        fastcgi_index index.php;
        fastcgi_pass 127.0.0.1:9000;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
    location ~ /.well-known {
        allow all;
    }
}
server {
    listen 443 ssl;
    server_name api.mynewsite.com;
    charset utf-8;
    ssl_certificate /etc/letsencrypt/live/api.mynewsite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.mynewsite.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;
    location =/update.php {
        root **Document root edited out**;
        fastcgi_pass 127.0.0.1:9000;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
    location / {
        proxy_redirect off;
        proxy_set_header host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        include uwsgi_params;
        uwsgi_pass unix:///tmp/billsplitter.sock;
    }
    location ~ /.well-known {
        root **Document root edited out**;
        allow all;
    }
}
server {
    listen 443 ssl;
    server_name api.mysite.info;
    charset utf-8;
    ssl_certificate /etc/letsencrypt/live/api.mysite.info/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.mysite.info/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;
    location =/update.php {
        root **Document root edited out**;
        fastcgi_pass 127.0.0.1:9000;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
    location / {
        proxy_redirect off;
        proxy_set_header host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        include uwsgi_params;
        uwsgi_pass unix:///tmp/billsplitter.sock;
    }
    location ~ /.well-known {
        root **Document root edited out**;
        allow all;
    }
}
When I try to access mynewsite.com or api.mynewsite.com, everything works perfectly. However, trying to access mysite.info, I get a request timed out. I've checked to see if the SSL certificate for that domain is expired; it was not. I've run nginx -t and received no errors. I've checked the access log and error log; nothing appears when I access mysite.info.
I tried removing the https capability, changing that section of the config to this:
server {
    listen 80 default_server;
    server_name mysite.info www.mysite.info;
    root /var/www/html/gomeow.info;
    autoindex on;
    index index.php index.html index.htm;
    location ~ \.php$ {
        fastcgi_index index.php;
        fastcgi_pass 127.0.0.1:9000;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
    location ~ /.well-known {
        allow all;
    }
}
Now, when I access mysite.info, it redirects my address bar to the IP address of the server, and nginx serves the site that corresponds to https://api.mynewsite.com/, which of course brings SSL errors for the server name not matching the certificate, not to mention that nginx shouldn't even be listening on port 80 for it to serve that content. Also, it isn't even the default_server. If anyone can shed some light on this, I'd be happy to hear what you have to say.
If it is helpful, here is my nginx.conf:
user www-data;
worker_processes 4;
pid /run/nginx.pid;
events {
    worker_connections 768;
    # multi_accept on;
}
http {
    ##
    # Basic Settings
    ##
    client_max_body_size 2M;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    ##
    # nginx-naxsi config
    ##
    # Uncomment it if you installed nginx-naxsi
    ##
    #include /etc/nginx/naxsi_core.rules;
    ##
    # nginx-passenger config
    ##
    # Uncomment it if you installed nginx-passenger
    ##
    #passenger_root /usr;
    #passenger_ruby /usr/bin/ruby;
    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
I have a working NGINX configuration for multiple sub-domains. I have enabled SSL for them by using a Let's Encrypt/ACME client. All of the sub-domains are working except one.
One of the sub-domains is served under /var/www/dir as https://dir.domain.net and another one is served under /var/www/dir/one as https://one.domain.net. For some reason I cannot understand, the sub-domain served under /var/www/dir/one is being redirected to https://dir.domain.net after enabling SSL.
The configurations for these two sub-domains are as follows:
/var/www/dir as http://dir.domain.net
server {
    listen 80;
    listen 443 ssl spdy;
    root /var/www/dir;
    index index.php index.html index.htm;
    server_name dir.domain.net;
    add_header Strict-Transport-Security max-age=31536000;
    add_header X-Frame-Options SAMEORIGIN;
    ssl on;
    ssl_certificate cert.crt;
    ssl_certificate_key key.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate trustedCA.pem;
    resolver 8.8.4.4 8.8.8.8 valid=1800s;
    resolver_timeout 10s;
    ssl_dhparam dhparam.pem;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }
    location / {
        try_files $uri $uri/ /index.html =404;
        rewrite /index.php/(topic|board),(.*).html$ /index.php?$1=$2 permanent;
        rewrite /index.php/(topic|board),(.*)$ /index.php?$1=$2 permanent;
        rewrite /index.php(\?|%3F)(topic|board)(=|%3D)(.*)$ /index.php?$2=$4 permanent;
        rewrite /subdomains/dir/index.php/(topic|board),(.*)$ /index.php?$1=$2 permanent;
    }
    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_read_timeout 90;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SSL_PROTOCOL $ssl_protocol;
        fastcgi_param SSL_CIPHER $ssl_cipher;
        fastcgi_param SSL_SESSION_ID $ssl_session_id;
        fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
        include fastcgi_params;
    }
}
/var/www/dir/one as https://one.domain.net:
server {
    root /var/www/dir/one;
    index index.php index.html index.htm;
    server_name one.domain.net;
    # log directives
    add_header Strict-Transport-Security max-age=31536000;
    add_header X-Frame-Options SAMEORIGIN;
    ssl on;
    ssl_certificate cert.crt;
    ssl_certificate_key key.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate trustedCA.pem;
    resolver 8.8.4.4 8.8.8.8 valid=1800s;
    resolver_timeout 10s;
    ssl_dhparam dhparam.pem;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
    location / {
        try_files $uri $uri/ /index.html;
        rewrite /index.php/(.*)$ /index.php?title=$1 permanent;
    }
    location ~ \.php$ {
        #fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_pass phpservers;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
In order to serve /var/www/dir/one as https://one.domain.net, what should I do?
Thanks in advance.
Basically, I have created a site and purchased an SSL certificate. Everything worked fine, I linked up the certificate in the config of the site, but then it suddenly stopped working. My linked site configuration, where I replaced my site with 'example.com', is as follows:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 301 https://example.com$request_uri;
}
server {
    listen 443 ssl;
    # Get SSL setup
    ssl on;
    ssl_certificate /etc/nginx/ssl/site.crt;
    ssl_certificate_key /etc/nginx/ssl/site.key;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_session_timeout 1d;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    # Enable HSTS ( see http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security )
    add_header Strict-Transport-Security max-age=15768000;
    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/site.crt;
    resolver 8.8.8.8;
    server_name www.example.com example.com;
    root /var/www/html;
    index index.php index.html index.htm;
    error_log /var/www/html/logs/error.log;
    access_log /var/www/html/logs/access.log;
    error_page 404 /404.html;
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Now, my site doesn't even work on a local IP address (192.168.1.x). Can someone please offer a solution?
Thank you.
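Several of the configurations posted above share a small set of structural slips that `nginx -t` does not report, because they are syntactically valid: a TLS server block without a `server_name` (so `$server_name` expands to an empty string and the block is only ever reached as the port's default), a redirect to `https://` without a port while the TLS listener is on some port other than 443, `ssl on` in a block that also has a plain `listen 80` (which turns the port-80 socket into a TLS socket), the same name claimed on the same port by two blocks (nginx keeps the first and logs "conflicting server name"), and `ssl_protocols` that still admit SSLv3 or TLSv1/1.1. The linter below is an added example written for this page, not nginx's code and not any poster's; it does not resolve `include` directives, assumes `#` never appears inside a quoted value, and runs against a constructed sample config that reproduces those patterns rather than against any of the posted files.

```python
"""Added example: lint nginx server blocks for the TLS slips discussed on this page."""
import re
import sys

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def tokenize(text):
    """Words, unquoted string literals, '{', '}' and ';'. Comments are stripped per line."""
    tokens = []
    for line in text.splitlines():
        for m in re.finditer(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', line.split("#", 1)[0]):
            tokens.append(m.group(0).strip("\"'"))
    return tokens


def parse(tokens):
    """Tree of (name, args, children); children is None for simple directives."""
    def block(i):
        items = []
        while i < len(tokens) and tokens[i] != "}":
            j = i
            while j < len(tokens) and tokens[j] not in ("{", ";"):
                j += 1
            if j == len(tokens):
                break  # unterminated directive: stop parsing
            name, args, children = tokens[i], tokens[i + 1:j], None
            if tokens[j] == "{":
                children, j = block(j + 1)
            items.append((name, args, children))
            i = j + 1
        return items, i
    return block(0)[0]


def server_blocks(items):
    """Bodies of every 'server' block at any depth (e.g. inside http { })."""
    for name, _args, children in items:
        if children is not None:
            if name == "server":
                yield children
            yield from server_blocks(children)


def directive_args(items, name):
    """Argument lists of each simple directive called `name` directly inside `items`."""
    return [args for n, args, children in items if n == name and children is None]


def listen_port(args):
    """'8443 ssl' -> '8443', '[::]:80' -> '80'; nginx's default listen port is 80."""
    return args[0].rsplit(":", 1)[-1] if args else "80"


def audit(text):
    """Return (block_index, check_id, message) for every suspicious server block."""
    findings = []
    blocks = list(server_blocks(parse(tokenize(text))))
    owners = {}  # (port, server_name) -> index of the first block that claimed it
    tls_ports = {listen_port(a) for b in blocks for a in directive_args(b, "listen") if "ssl" in a}
    for idx, items in enumerate(blocks):
        listens = directive_args(items, "listen") or [["80"]]
        names = [n for a in directive_args(items, "server_name") for n in a]
        ssl_on = any(a[:1] == ["on"] for a in directive_args(items, "ssl"))
        plain = [listen_port(a) for a in listens if "ssl" not in a]
        label = f"server #{idx + 1} ({' '.join(names) or 'no server_name'})"
        if (ssl_on or len(plain) < len(listens)) and not names:
            findings.append((idx, "missing-server-name", f"{label}: TLS block without server_name; $server_name is ''"))
        if ssl_on and plain:
            findings.append((idx, "ssl-on-plain-listen", f"{label}: 'ssl on' forces TLS on port(s) {', '.join(plain)}"))
        for a in directive_args(items, "ssl_protocols"):
            weak = sorted(WEAK_PROTOCOLS & set(a))
            if weak:
                findings.append((idx, "weak-protocol", f"{label}: ssl_protocols enables {' '.join(weak)}"))
        for a in listens:
            for n in names:
                key = (listen_port(a), n)
                if key in owners:
                    findings.append((idx, "duplicate-server-name", f"{label}: '{n}' on :{key[0]} already used by server #{owners[key] + 1}"))
                owners.setdefault(key, idx)
        for a in directive_args(items, "return"):
            m = re.match(r"https://[^/:]*(?::(\d+))?", a[-1]) if a else None
            port = m and (m.group(1) or "443")
            if port and port not in tls_ports:
                findings.append((idx, "redirect-to-port-without-tls", f"{label}: redirects to https :{port} but nothing listens with ssl there"))
    return findings


# Constructed sample reproducing the patterns discussed above; not any poster's real configuration.
SAMPLE_CONF = """
http {
  server { listen 9081; server_name app.example.test;
           return 302 https://$server_name$request_uri; }     # https:// implies :443, TLS is on 8443
  server { listen 8443 ssl;                                    # no server_name at all
           ssl_certificate /etc/ssl/certs/example.crt; ssl_certificate_key /etc/ssl/private/example.key;
           ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; }
  server { listen 80; listen 4443 ssl; ssl on;                 # 'ssl on' makes the :80 socket TLS too
           server_name app.example.test www.example.test; ssl_protocols TLSv1.2 TLSv1.3; }
  server { listen 80; server_name www.example.test;            # already claimed on :80 by the block above
           return 301 https://www.example.test:4443$request_uri; }
}
"""

if __name__ == "__main__":
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for _idx, check, message in audit(conf):
        print(f"[{check}] {message}")
```

Run it as `python lint.py /etc/nginx/sites-enabled/example` (or with the output of `nginx -T` saved to a file, which already has every `include` expanded). Each finding names the block by position and by its `server_name` list, so it can be matched back to the file; the check is deliberately conservative and only reads what is literally in the block, so a certificate or protocol list inherited from the `http` level is not evaluated.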
My SSL certificate works perfectly if my URL is site.com but not www.site.com. Why is this, and how can I fix it? When I configured my CSR and certificate, it said to use mysite.com as the domain, and not www.mysite.com, as it auto-configures www.
Here is my nginx configuration:
ssl_certificate /etc/nginx/ssl/bundle.crt;
ssl_certificate_key /etc/nginx/ssl/myserver.key;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-$
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
server {
    listen 80;
    listen 443 ssl;
    keepalive_timeout 70;
    access_log /var/www/mysite.com/logs/access.log;
    error_log /var/www/mysite.com/logs/error.log;
    root /var/www/mysite.com/public_html/mysite/public/_main;
    server_name www.mysite.com mysite.com;
    # HSTS - 6 months
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
    resolver 192.0.2.1;
    location / {
        try_files $uri $uri.php?$query_string;
    }
    location ~ \.php$ {
        try_files $uri =404;
        include /etc/nginx/fastcgi_params;
        if ($uri !~ "^/assets/images/") {
            fastcgi_pass unix:/var/run/php-fastcgi/php-fastcgi.socket;
        }
        fastcgi_index landing.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
Usually, it's the opposite that is true. If you specify www.yoursite.com as the common name in your CSR, then the certificate will work with www.yoursite.com and yoursite.com.