After upgrading to nginx 1.10, browsers show that the connection is not secure. How to fix?
There was a site for experiments on the home computer. Initially, nginx 1.8 was installed. After updating the system, nginx was updated to 1.10. At the same time, there were problems with logging into the site via https.
Initially, the default ssl_ciphers value was used (I just did not specify it in the configs). However, after the update, I began to receive ERR_SPDY TRANSPORT_SECURITY in Chrome and a blank page in Firefox. After trying different values found on the Internet, I got the site to work in Chrome, but it refuses to work in Firefox because the connection is not secure. It just displays a blank page. The debugger shows the content of the request, but not a line of the response. Oddly enough, the nginx logs are empty. I even completely cleared the folder and watched which logs would be updated with new information.
Additional information. I have another "server" - a home file washer on the same Gentoo operating system. There is also an https site and it works fine even after the update. In addition, there is a virtual server on FreeBSD on the Internet. There, too, nginx was updated to 1.10 and this certificate works without problems on another domain (2 domains are registered in the certificate).
I tried to set the same USE flags as on the working nginx. It did not help. I even downloaded the configuration from a running nginx and uploaded it to the problematic one.
What else could be the problem? Where to catch the error, in what logs?
PS: I used spdy on 1.8; after the update I changed it to http2. I tried disabling it, and there is still a problem with the certificate.
Site config. TLS SNI support enabled
    server {
        listen 443 ssl http2;
        server_name ecample.com;
        ssl_certificate /etc/ssl/nginx/ecample.com.crt;
        ssl_certificate_key /etc/ssl/nginx/ecample.com.key;
        charset utf-8;
        access_log /var/log/nginx/ecample.com_access.log;
        error_log /var/log/nginx/ecample.com_error.log;
        root /home/fsa/www/ecample.com;
        location / {
            index index.php index.html;
        }
        location ~ \.php$ {
            fastcgi_pass php-fpm;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

    server {
        listen 80;
        server_name ecample.com www.ecample.com;
        return 301 https://ecample.com$request_uri;
    }

    server {
        listen 443 ssl http2;
        server_name www.ecample.com;
        ssl_certificate /etc/ssl/nginx/ecample.com.crt;
        ssl_certificate_key /etc/ssl/nginx/ecample.com.key;
        return 301 https://ecample.com$request_uri;
    }

    user fsa fsa;
    worker_processes 1;
    error_log /var/log/nginx/error_log info;

    events {
        worker_connections 1024;
        use epoll;
    }

    http {
        upstream php-fpm {
            server unix:/var/run/php.socket;
        }
        ssl_password_file /etc/ssl/nginx/ssl.passwd;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECOM:AES256+EDH";
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 5m;
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        log_format main
            '$remote_addr - $remote_user [$time_local] '
            '"$request" $status $bytes_sent '
            '"$http_referer" "$http_user_agent" '
            '"$gzip_ratio"';
        client_header_timeout 10m;
        client_body_timeout 10m;
        send_timeout 10m;
        connection_pool_size 256;
        client_header_buffer_size 1k;
        large_client_header_buffers 4 2k;
        request_pool_size 4k;
        gzip on;
        output_buffers 1 32k;
        postpone_output 1460;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 75 20;
        ignore_invalid_headers on;
        index index.html;
        include /etc/nginx/sites/*;
    }
Use the excellent analyzer; it will show exactly where the problems are. There are also links to additional information, with the help of which it will be possible to eliminate the comments.
Try this
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!EXP:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
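An added example, not part of either answer or of nginx: because both server blocks use `listen 443 ssl http2`, it sorts the tokens of an `ssl_ciphers` value into suites HTTP/2 accepts and suites on the RFC 7540 Appendix A blacklist, and reports blacklisted suites listed ahead of acceptable ones. The pass rule ((EC)DHE key exchange plus an AEAD cipher) is a name-based approximation of that list, and the function names and sample strings are this example's own.

```python
import re

# Assumption of this example: RFC 7540 Appendix A lists the TLS 1.2 suites
# without an ephemeral key exchange or with a null, stream or block (CBC)
# cipher, so only (EC)DHE key exchange plus an AEAD cipher passes here.
EPHEMERAL = ("ECDHE-", "DHE-")
AEAD = ("GCM", "CCM", "CHACHA20")

# Constructed samples: a subset of the names in the answer above, and the
# ssl_ciphers value from the question.
ANSWER_SUBSET = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-SHA:AES:DES-CBC3-SHA:"
    "!RC4:!aNULL:!MD5"
)
QUESTION_VALUE = "EECDH+AESGCM:EDH+AESGCM:AES256+EECOM:AES256+EDH"

def tokens(value):
    """Split an OpenSSL cipher string on its separators (':', ',', space)."""
    return [t for t in re.split(r"[:, ]+", value.strip()) if t]

def is_http2_ok(suite):
    return suite.startswith(EPHEMERAL) and any(a in suite for a in AEAD)

def classify(value):
    """Group tokens: acceptable or blacklisted suite names, exclusions, and
    aliases that only OpenSSL itself can expand (e.g. kEDH+AESGCM, AES)."""
    report = {"http2_ok": [], "http2_blacklisted": [], "excluded": [], "alias": []}
    for tok in tokens(value):
        if tok[0] in "!-":
            report["excluded"].append(tok)
        elif "+" in tok or "-" not in tok:
            report["alias"].append(tok)
        else:
            key = "http2_ok" if is_http2_ok(tok) else "http2_blacklisted"
            report[key].append(tok)
    return report

def misordered(value):
    """Blacklisted suites listed ahead of an acceptable one; these matter
    when the server's order is enforced (ssl_prefer_server_ciphers on)."""
    named = [t for t in tokens(value)
             if t[0] not in "!-" and "+" not in t and "-" in t]
    last_ok = max((i for i, t in enumerate(named) if is_http2_ok(t)), default=-1)
    return [t for t in named[:last_ok + 1] if not is_http2_ok(t)]

if __name__ == "__main__":
    for name, items in classify(ANSWER_SUBSET).items():
        print(f"{name}: {items}")
    print("misordered:", misordered(ANSWER_SUBSET))
```

Tokens reported as `alias` (every entry of the question's value, for instance) still have to be expanded by the server's own OpenSSL build, for example with `openssl ciphers -v '<string>'`, before they can be judged.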