Nginx
Pista, 2021-01-06 20:05:07

Why does Error 525 SSL handshake failed occur with ssl_session_tickets off;?

The Nginx SSL config was generated at:
https://ssl-config.mozilla.org/#server=nginx&versi...

However, if ssl_session_tickets is set to off (Mozilla recommends turning it off), then I get error 525 SSL handshake failed.

Why is this happening? I use Cloudflare, and the SSL settings are set to FULL.

Full version of the config

server {
    listen 80;
    return 301 https://$host$request_uri;
}
server
{
  listen 443 ssl http2;

  server_name domain.ru;
  ssl_certificate /var/www/ssl/cert.pem;
  ssl_certificate_key /var/www/ssl/privkey.pem;
  ssl_dhparam /var/www/ssl/dhparam.pem;

  ssl_session_tickets on;  # if this is set to off, error 525 occurs
  ssl_session_timeout 1d;
  ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions

  # intermediate configuration
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  ssl_prefer_server_ciphers off;

  # HSTS (ngx_http_headers_module is required) (63072000 seconds)
  add_header Strict-Transport-Security "max-age=63072000" always;

  # OCSP stapling
  ssl_stapling on;
  ssl_stapling_verify on;
  keepalive_timeout   70;

  root /var/www/html/domain.ru;
  access_log  /dev/null;
  error_log /dev/null;

  include /root/nginx_user_locations.conf;

  location /backup/
  {
    access_log off;
    log_not_found off;
    return 404;
  }

  location /wp-content/plugins/d
  {
    access_log off;
    log_not_found off;
    return 404;
  }

  location /wp-content/plugins/d/d.php
  {
    access_log off;
    log_not_found off;
    return 404;
  }


  location ~ /\.
  {
    access_log off;
    log_not_found off;
    deny all;
  }

  location = /favicon.ico
  {
    root /var/www/html/domain.ru;
    expires max;
    access_log off;
    log_not_found off;
  }

  location = /robots.txt
  {
    try_files $uri $uri/ /index.php?$args;
    access_log off;
    log_not_found off;
  }

  location ~* \.(js|css|png|jpg|jpeg|gif|ico)$
  {
    expires max;
    log_not_found off;
  }

  location ^~ /wp-includes/
  {
    root /var/www/wp;
    location ~ \.php$
    {
      fastcgi_pass php;
      include fastcgi.conf;
      include fastcgi_params;
    }
  }

  location = /wp-admin { rewrite ^(.+)$ /wp-admin/ permanent; }
  location ^~ /wp-admin/
  {
    root /var/www/wp;
    location ~ \.php$
    {
      fastcgi_pass php;
      include fastcgi.conf;
      include fastcgi_params;
      fastcgi_param DOCUMENT_ROOT /var/www/html/domain.ru;
    }
  }

  location = /
  {
    root /var/www/wp;
    fastcgi_pass php;
    include fastcgi.conf;
    include fastcgi_params;
    fastcgi_param DOCUMENT_ROOT /var/www/html/domain.ru;
  }

  location /
  {
    try_files $uri $uri/ /index.php?$args;
  }

  location ~ \.php$
  {
    try_files $uri $uri/ @php_wp;

    root /var/www/html/domain.ru;
    fastcgi_pass php;
    include fastcgi.conf;
    include fastcgi_params;
    fastcgi_param DOCUMENT_ROOT /var/www/html/domain.ru;
  }

  location @php_wp
  {
    try_files $uri =404;

    root /var/www/wp;
    fastcgi_pass php;
    include fastcgi.conf;
    include fastcgi_params;
    fastcgi_param DOCUMENT_ROOT /var/www/html/domain.ru;
  }

}
