Nginx – New SSL, Safari can’t open the page b/c server unexpectedly dropped the connection (subdomain)

nginxsslsubdomain

After much googling and Serverfault browsing I still have an SSL problem :

Safari can't open the page at all, Firefox gives a "secure connection fail" after 5mn of inactivity (not browsing or anything). Chrome/Chromium return a 403 error then quickly reload the page and everything works.

It happened after installing an SSL certificate by Comodo. You can see the report here : https://www.ssllabs.com/ssltest/analyze.html?d=marketplace.mercicapitaine.fr&hideResults=on

SSL Shopper is all good :
https://www.sslshopper.com/ssl-checker.html#hostname=marketplace.mercicapitaine.fr

TLS is 1.2
SSLlabs says : "The server does not support Forward Secrecy with the reference browsers." and "This server supports weak Diffie-Hellman (DH) key exchange parameters."

I did a TCPdump, but i'm having a hard time understanding it..

I'm not a server guy so any tips on how to debug/trace error is welcome. It's hosted on NGINX, nothing special on the error log.

Thanks a lot in advance for your time 🙂

Edit: nginx config:

server {
    listen *:80;
    listen *:443 ssl;
    ssl_certificate /home/ubuntu/ssl_2016/ssl-bundle.crt;
    ssl_certificate_key /home/ubuntu/ssl_2016/mckey.key;
    server_name marketplace.mercicapitaine.fr;

    access_log /var/log/nginx/marketplacemercicapitainefr.access.log;
    error_log /var/log/nginx/marketplacemercicapitainefr.error.log;

    root /srv/marketapp/;
    index index.html index.htm index.php;

    fastcgi_buffers 16 16k;
    fastcgi_buffer_size 16k;
    fastcgi_read_timeout 900;


    client_max_body_size 50M;

if ($scheme = http) {
        return 301 https://$server_name$request_uri;
}

# This order might seem weird - this is attempted to match last if rules below fail.
location / {
        try_files $uri $uri/ /index.php?$args;
}

# Add trailing slash to */wp-admin requests.
rewrite /wp-admin$ $scheme://$host$uri/ permanent;

# Directives to send expires headers and turn off 404 error logging.
location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
       access_log off; log_not_found off; expires max;
}
location = /favicon.ico {
        log_not_found off;
        access_log off;
}

location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
}

location ~* \.(js|css|png|jpg|jpeg|gif|ico|wmv|3gp|avi|mpg|mpeg|mp4|flv|mp3|mid|wml|swf|pdf|doc|docx|ppt|pptx|zip)$ {
        expires max;
        log_not_found off;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}

location ~* \.()$ {
        expires 31536000s;
}





    location ~ [^/]\.php(/|$) {



        fastcgi_index index.php;
        include fcgi.conf;
        fastcgi_pass unix:/var/run/ajenti-v-php-fcgi-marketplacemercicapitainefr-php-fcgi-0.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

    }
}

Best Answer

After checking the nginx ssl config from the link in your comment, I would change some things in your config. Let me get on it:

server {
   # more_set_headers "Server: my web server :-)";
   listen 80;
   server_name marketplace.mercicapitaine.fr;
   return 301 https://$server_name$request_uri;
}



server {
   # more_set_headers "Server: my web server :-)";

   listen 443 ssl;
   server_name marketplace.mercicapitaine.fr;

   ssl_certificate /home/ubuntu/ssl_2016/ssl-bundle.crt;
   ssl_certificate_key /home/ubuntu/ssl_2016/mckey.key;
   ssl_session_timeout 1d;
   ssl_session_cache shared:SSL:10m;
   # ssl_session_tickets off;

   # openssl dhparam -out dhparam.pem 2048
   # ssl_dhparam /etc/nginx/SSL/dhparams.pem;

   ssl_protocols TLSv1.1 TLSv1.2;
   ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGC$
   ssl_prefer_server_ciphers on;

   add_header Strict-Transport-Security "max-age=15768000;includeSubdomains; preload";

   root /srv/marketapp/;
   index index.html index.htm index.php;

   client_max_body_size 20M;

   location / {
       try_files $uri $uri/ /index.php;
   }

   location ~ \.php$ {
       fastcgi_split_path_info ^(.+\.php)(/.+)$;
       fastcgi_pass unix:/var/run/ajenti-v-php-fcgi-marketplacemercicapitainefr-php-fcgi-0.sock;
       fastcgi_index index.php;
       include fastcgi_params;
   }

   location /doc/ {
       alias /usr/share/doc/;
       autoindex on;
       allow 127.0.0.1;
       deny all;
   }

   location ~/\.ht {
       deny all;
   }
 }

Please think about generating at least 2048 bit Diffie-Hellman parameters.
this config above tries to adopt most of your settings and path, please review it to make sure it's correct.
I'm doing a rewrite from port 80 to port 443 via permanent redirect
non ssl / ssl sections split up
see SSLLabs to check your webpage and see, if there are any additional security options you can set up.

I assume you want do setup a wordpress blog.

If there are any questions, please feel free to ask.

Related Solutions

Nginx – Why WordPress Loads Blank Pages on Nginx and PHP-FPM

By default the Nginx source does not define SCRIPT_FILENAME in the fastcgi_params file, so unless the repo you installed Nginx from does that you need to do it yourself.

Check if the following line is in your fastcgi_params file:

fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;

and if not then add it.

Nginx – Configure php5-fpm for many concurrent users

I suspect your varnish cache is not caching anywhere near enough of the hits

here's what I would do in your situation:

Lower php max children to 100 or even 50 (if varnish does its job properly you don't need them) also remove the max requests line to allow the php processes not to respawn too quickly and thus prevent APC from being cleared too quickly which is also bad

also IF is not good according to nginx - http://wiki.nginx.org/IfIsEvil

I would change this line:

            if (!-e $request_filename) {
                    rewrite ^(.+)$ /index.php?q=$1 last;
            }

to:

try_files $uri $uri/ /index.php?$args;

If your version of nginx supports it (pretty certain if your nginx version is > 0.7.51 then it supports it)

you should also look at inserting the w3tc nginx rules direct into your vhost file to enabled proper disk enhanced caching of pages (which is faster than APC caching with nginx)

Take a look at the following varnish vcl which I use for sites - you will need to read through and edit a few things for your website - it also assumes that its only WP sites on the server and only 1 site on the server, it can easily be modified for more sites (take a look at the cookie section)

generic vcl: https://gist.github.com/b7332971a848bcb7ecef

With this config I would argue to remove fastcgi_cache to prevent any possible issues with a cache-chain occurring whereby trying locate any stray stale cache entries is more difficult

also tell w3tc that varnish is at 127.0.0.1 and it will purge it for you ;)

I deployed this to a server on Wednesday evening (with a few domain specific modifications) that was handling 2500 active site visitors it reduced load to less than 1 and the approx number of running php children was around 10-20 (this number does depend on number of logged in users and other factors like cookies) this server did have much more ram but the principle is the same, you should be able to easily handle the number of visitors you get at peaks

Best Answer

Related Solutions

Nginx – Why WordPress Loads Blank Pages on Nginx and PHP-FPM

Nginx – Configure php5-fpm for many concurrent users

Related Topic