Hi everyone, I am using centminmod with nginx server. I use ssl and http2, but some location I dont want to use http2. Example : location /test/ { } Can you help me, thank you very much!!! P/s: Sorry for my bad English.
Thank you for your reply, eva2000. Because I use stream video with php. When video playing, sometime get error But when I turn off http2, it get no error. I use Google Chrome. But when I use Firefox, got no error.
sounds like php compiled against system openssl 1.0.1e which doesn't support ALPN protocol only NPN and that is deprecated and support removed for NPN in Chrome as outlined here SSL - Google Chrome turning of NPN negotiation protocol for HTTPS support | Centmin Mod Community Or could be at Nginx level if turning off HTTP/2 fixes it
what's an example php video url ? what's output from these days Code (Text): curl -Ivs https://yourdomain.com/path/to/example/php/video/url Might want to use CODE tags for output code How to use forum BBCODE code tags also in chrome browser dev tools network tab right click on example php video url and copy as curl (bash) and paste in SSH window command but add the verbose and header flags right after curl i.e. curl -vI Code (Text): curl -vI 'https://sslspdy.com/' -H 'pragma: no-cache' -H 'dnt: 1' -H 'accept-encoding: gzip, deflate, lzma, sdch, br' -H 'accept-language: en-US,en;q=0.8' -H 'upgrade-insecure-requests: 1' -H 'user-agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36 OPR/38.0.2220.31' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'cache-control: no-cache' -H 'authority: sslspdy.com' -H 'cookie: _ga=GA1.2.1872899997.1464426495; _gat=1' --compressed post output in CODE tags example Code (Text): curl -Iv 'https://sslspdy.com/' -H 'pragma: no-cache' -H 'dnt: 1' -H 'accept-encoding: gzip, deflate, lzma, sdch, br' -H 'accept-language: en-US,en;q=0.8' -H 'upgrade-insecure-requests: 1' -H 'user-agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36 OPR/38.0.2220.31' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'cache-control: no-cache' -H 'authority: sslspdy.com' -H 'cookie: _ga=GA1.2.1872899997.1464426495; _gat=1' --compressed * Trying 2604:180:1::fd2c:e402... * Connected to sslspdy.com (2604:180:1::fd2c:e402) port 443 (#0) * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH * successfully set certificate verify locations: * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * TLSv1.2 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS handshake, Server hello (2): * NPN, negotiated HTTP2 (h2) * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (IN), TLS handshake, Server key exchange (12): * TLSv1.2 (IN), TLS handshake, Server finished (14): * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): * TLSv1.2 (OUT), TLS change cipher, Client hello (1): * TLSv1.2 (OUT), TLS handshake, Unknown (67): * TLSv1.2 (OUT), TLS handshake, Finished (20): * TLSv1.2 (IN), TLS change cipher, Client hello (1): * TLSv1.2 (IN), TLS handshake, Finished (20): * SSL connection using TLSv1.2 / ECDHE-ECDSA-AES256-GCM-SHA384 * Server certificate: * subject: OU=Domain Control Validated; OU=GGSSL Wildcard SSL; CN=*.sslspdy.com * start date: Oct 24 00:00:00 2014 GMT * expire date: Oct 23 23:59:59 2016 GMT * subjectAltName: host "sslspdy.com" matched cert's "sslspdy.com" * issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO ECC Domain Validation Secure Server CA * SSL certificate verify ok. * Using HTTP2, server supports multi-use * Connection state changed (HTTP/2 confirmed) * TCP_NODELAY set * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0 * Using Stream ID: 1 (easy handle 0x9b832e0) > HEAD / HTTP/1.1 > Host: sslspdy.com > pragma: no-cache > dnt: 1 > accept-encoding: gzip, deflate, lzma, sdch, br > accept-language: en-US,en;q=0.8 > upgrade-insecure-requests: 1 > user-agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36 OPR/38.0.2220.31 > accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 > cache-control: no-cache > authority: sslspdy.com > cookie: _ga=GA1.2.1872899997.1464426495; _gat=1 > * Connection state changed (MAX_CONCURRENT_STREAMS updated)! * HTTP 1.0, assume close after body < HTTP/2 200 HTTP/2 200 < server: nginx server: nginx < content-type: text/html; charset=utf-8 content-type: text/html; charset=utf-8 < vary: Accept-Encoding vary: Accept-Encoding < x-powered-by: centminmod x-powered-by: centminmod < public-key-pins: pin-sha256="QYBZo54E74EGPmprgubrqe39L01K0kkNQBfJ6hRFUyE="; pin-sha256="/FG+Woz+c3n8hA694SX9ZOKS86Rq9W5+pTd6wJgZGe8="; max-age=604800; includeSubDomains public-key-pins: pin-sha256="QYBZo54E74EGPmprgubrqe39L01K0kkNQBfJ6hRFUyE="; pin-sha256="/FG+Woz+c3n8hA694SX9ZOKS86Rq9W5+pTd6wJgZGe8="; max-age=604800; includeSubDomains < strict-transport-security: max-age=31536000; includeSubdomains strict-transport-security: max-age=31536000; includeSubdomains < date: Sun, 25 Jan 1970 05:01:19 GMT date: Sun, 25 Jan 1970 05:01:19 GMT < x-page-speed: 1.11.33.2-0 x-page-speed: 1.11.33.2-0 < cache-control: max-age=0, no-cache cache-control: max-age=0, no-cache < content-encoding: gzip content-encoding: gzip < * Closing connection 0 * TLSv1.2 (OUT), TLS alert, Client hello (1):
Code: [root@domain ~]# curl -Ivs https://domain.com/provid/fa53b77d05ce057ed7ec5da4bb57df3b-4/bai-bat-dang-thuc-dang-thanh-nam.mp4 * About to connect() to domain.com port 443 (#0) * Trying my.ip... connected * Connected to domain.com (my.ip) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 * Server certificate: * subject: CN=domain.com,OU=PositiveSSL,OU=Domain Control Validated * start date: Mar 21 00:00:00 2016 GMT * expire date: Dec 21 23:59:59 2018 GMT * common name: domain.com * issuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB > HEAD /provid/fa53b77d05ce057ed7ec5da4bb57df3b-4/bai-bat-dang-thuc-dang-thanh-nam.mp4 HTTP/1.1 > User-Agent: curl/7.19.7 (i386-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2 > Host: domain.com > Accept: */* > < HTTP/1.1 200 OK HTTP/1.1 200 OK < Date: Thu, 23 Jun 2016 10:06:30 GMT Date: Thu, 23 Jun 2016 10:06:30 GMT < Content-Type: text/html; charset=UTF-8 Content-Type: text/html; charset=UTF-8 < Connection: keep-alive Connection: keep-alive < Vary: Accept-Encoding Vary: Accept-Encoding < Set-Cookie: PHPSESSID=lupd2fft9ekakgjh0o3chl1bq3; path=/ Set-Cookie: PHPSESSID=lupd2fft9ekakgjh0o3chl1bq3; path=/ < Expires: Thu, 19 Nov 1981 08:52:00 GMT Expires: Thu, 19 Nov 1981 08:52:00 GMT < Cache-Control: no-store, no-cache, must-revalidate Cache-Control: no-store, no-cache, must-revalidate < Pragma: no-cache Pragma: no-cache < Server: nginx centminmod Server: nginx centminmod < X-Powered-By: centminmod X-Powered-By: centminmod < Strict-Transport-Security: max-age=31536000; includeSubdomains; Strict-Transport-Security: max-age=31536000; includeSubdomains; < * Connection #0 to host domain.com left intact * Closing connection #0 You have new mail in /var/spool/mail/root Code: * getaddrinfo(3) failed for curl:80 * Couldn't resolve host 'curl' * Closing connection #0 curl: (6) Couldn't resolve host 'curl' * About to connect() to domain.com port 443 (#0) * Trying 128.199.169.24... connected * Connected to domain.com (128.199.169.24) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 * Server certificate: * subject: CN=domain.com,OU=PositiveSSL,OU=Domain Control Validated * start date: Mar 21 00:00:00 2016 GMT * expire date: Dec 21 23:59:59 2018 GMT * common name: domain.com * issuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB > HEAD /provid/fa53b77d05ce057ed7ec5da4bb57df3b-4/bai-bat-dang-thuc-dang-thanh-nam.mp4 HTTP/1.1 > Host: domain.com > accept-encoding: identity;q=1, *;q=0 > accept-language: vi-VN,vi;q=0.8,fr-FR;q=0.6,fr;q=0.4,en-US;q=0.2,en;q=0.2 > alexatoolbar-alx_ns_ph: AlexaToolbar/alx-4.0 > accept: */* > referer: https://domain.com/courses/lessons/60/stream?v=1 > authority: domain.com > cookie: CKFinder_Path=Images%3A%2Falbum%2F%3A1; xf_EWRporta[RawHyperText][order]=1; xf_EWRporta[RawHyperText][position]=top-left; xf_EWRporta[LilTeeRecentSlide][order]=2; xf_EWRporta[LilTeeRecentSlide][position]=top-right; xf_EWRporta[RawHyperText2][order]=3; xf_EWRporta[RawHyperText2][position]=sidebar; xf_EWRporta[BoardTotals][order]=4; xf_EWRporta[BoardTotals][position]=disabled; xf_EWRporta[CountDown][order]=5; xf_EWRporta[CountDown][position]=disabled; xf_EWRporta[FaceBook][order]=6; xf_EWRporta[FaceBook][position]=disabled; xf_EWRporta[TaigaChat][order]=7; xf_EWRporta[TaigaChat][position]=disabled; xf_EWRporta[StatusUpdates][order]=8; xf_EWRporta[StatusUpdates][position]=disabled; xf_EWRporta[OnlineUsers][order]=9; xf_EWRporta[OnlineUsers][position]=disabled; xf_EWRporta[RecentNews][order]=10; xf_EWRporta[RecentNews][position]=disabled; xf_EWRporta[RecentNewsForum][order]=11; xf_EWRporta[RecentNewsForum][position]=disabled; xf_EWRporta[RecentThreads][order]=12; xf_EWRporta[RecentThreads][position]=disabled; xf_EWRporta[SharePage][order]=13; xf_EWRporta[SharePage][position]=disabled; xf_EWRporta[NewsCategories][order]=14; xf_EWRporta[NewsCategories][position]=disabled; xf_EWRporta[Twitter][order]=15; xf_EWRporta[Twitter][position]=disabled; __sbzid=6w7bs0ory83h8gydput1451034880974; __sbzsid=VP99aW7AjMPTFhlqn1jAEOlF; xf_FilterList_adminphplanguages0phrases=0%2Cstatus; xf_edit_language_id=2; xf_FilterList_adminphplanguages2phrases=0%2Cstatus; PHPSESSID=q7lea7l5hlssl493omkji8u2l6; xf_session_admin=b7885a167c825770b7a258b81ed21940; xf_edit_style_id=2; xf_FilterList_adminphptemplates=0%2Cview; xf_user=1%2Cc4d3be2b997887508f100bba7f6e86391ad32057; xf_session=6cb8486e95158d47d84e96ff56355709; _gat=1; _ga=GA1.2.1699638739.1450804055 > user-agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 > range: bytes=0- > < HTTP/1.1 206 Partial Content HTTP/1.1 206 Partial Content < Content-Type: video/webm Content-Type: video/webm < Content-Length: 51095752 Content-Length: 51095752 < Connection: keep-alive Connection: keep-alive < Set-Cookie: xf_user=1%2Cc4d3be2b997887508f100bba7f6e86391ad32057; expires=Sat, 23-Jul-2016 10:11:19 GMT; Max-Age=2592000; path=/; secure; HttpOnly Set-Cookie: xf_user=1%2Cc4d3be2b997887508f100bba7f6e86391ad32057; expires=Sat, 23-Jul-2016 10:11:19 GMT; Max-Age=2592000; path=/; secure; HttpOnly < Pragma: no-cache Pragma: no-cache < Last-Modified: Wed, 17 Feb 2016 11:00:43 GMT Last-Modified: Wed, 17 Feb 2016 11:00:43 GMT < Date: Thu, 23 Jun 2016 10:11:19 GMT Date: Thu, 23 Jun 2016 10:11:19 GMT < Expires: Thu, 23 Jun 2016 10:11:19 GMT Expires: Thu, 23 Jun 2016 10:11:19 GMT < Cache-Control: private, max-age=20987 Cache-Control: private, max-age=20987 < Content-Range: bytes 0-51095751/51095752 Content-Range: bytes 0-51095751/51095752 < Accept-Ranges: bytes Accept-Ranges: bytes < X-Content-Type-Options: nosniff X-Content-Type-Options: nosniff < Server: nginx centminmod Server: nginx centminmod < X-Powered-By: centminmod X-Powered-By: centminmod < Strict-Transport-Security: max-age=31536000; includeSubdomains; Strict-Transport-Security: max-age=31536000; includeSubdomains; < * Connection #0 to host domain.com left intact * Closing connection #0 Code: nginx version: nginx/1.11.1 built by clang 3.4.2 (tags/RELEASE_34/dot2-final) built with LibreSSL 2.3.6 TLS SNI support enabled configure arguments: --with-ld-opt='-lrt -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m32 -mtune=generic -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-sign-compare -Wno-string-plus-int -Wno-deprecated-declarations -Wno-unused-parameter -Wno-unused-const-variable -Wno-conditional-uninitialized -Wno-mismatched-tags -Wno-c++11-extensions -Wno-sometimes-uninitialized -Wno-parentheses-equality -Wno-tautological-compare -Wno-self-assign -Wno-deprecated-register -Wno-deprecated -Wno-invalid-source-encoding -Wno-pointer-sign -Wno-parentheses -Wno-enum-conversion -Wno-c++11-compat-deprecated-writable-strings -Wno-write-strings' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_stub_status_module --with-http_secure_link_module --with-openssl-opt=enable-tlsext --add-module=../nginx-module-vts --with-libatomic --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_gzip_static_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.0 --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../set-misc-nginx-module-0.30 --add-module=../echo-nginx-module-0.59 --add-module=../redis2-nginx-module-0.13 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.17 --add-module=../srcache-nginx-module-0.31 --add-module=../headers-more-nginx-module-0.30 --with-pcre=../pcre-8.38 --with-pcre-jit --with-http_ssl_module --with-http_spdy_module --with-http_v2_module --with-openssl=../libressl-2.3.6
what if you disable AlexaToolbar ? tried other web browsers ? i see firefox doesn't have a problem chrome disabled npn/spdy support so you should get http/2 served
see #831 (Possible incorrect handling of invalid headers with HTTP/2.0 and POST/PUT requests) – nginx but issue was fixed in nginx 1.9.7
When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. You will get an outputted the path location where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self signed SSL) Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com Vhost public web root will be at /home/nginx/domains/newdomain.com/public Vhost log directory will be at /home/nginx/domains/newdomain.com/log Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)
Code: # Centmin Mod Getting Started Guide # must read http://centminmod.com/getstarted.html # redirect from non-www to www # uncomment, save file and restart Nginx to enable # if unsure use return 302 before using return 301 #server { # listen 80; # server_name domain.com; # return 301 $scheme://www.domain.com$request_uri; # } server { listen 80; server_name domain.com www.domain.com; return 301 https://domain.com$request_uri; } server { listen 443 ssl spdy http2; server_name domain.com www.domain.com; # SSL ssl on; ssl_certificate /etc/ssl/zix-bundle.crt; ssl_certificate_key /etc/ssl/private/sv.domain.com.key; ssl_session_cache shared:SSL:20m; ssl_session_timeout 180m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; #ssl_dhparam /etc/ssl/dhparam.pem; #add_header Alternate-Protocol 443:npn-spdy/3; #add_header Connection keep-alive; add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; #ssl_stapling on; # ngx_pagespeed & ngx_pagespeed handler #include /usr/local/nginx/conf/pagespeed.conf; #include /usr/local/nginx/conf/pagespeedhandler.conf; #include /usr/local/nginx/conf/pagespeedstatslog.conf; # limit_conn limit_per_ip 16; # ssi on; access_log /home/nginx/domains/domain.com/log/access.log combined buffer=256k flush=60m; error_log /home/nginx/domains/domain.com/log/error.log; root /home/nginx/domains/domain.com/public; # prevent access to ./directories and files location ~ (?:^|/)\. { deny all; } location / { #auth_basic "Private"; #auth_basic_user_file /usr/local/nginx/conf/htpasswd; #include /usr/local/nginx/conf/php.conf; # block common exploits, sql injections etc #include /usr/local/nginx/conf/block.conf; # Enables directory listings when index file not found #autoindex on; # Shows file listing times as local time #autoindex_localtime on; # Enable for vBulletin usage WITHOUT vbSEO installed # More example Nginx vhost configurations at # http://centminmod.com/nginx_configure.html #try_files $uri $uri/ /index.php; #try_files $uri $uri/ /index.php?$uri&$args; #try_files $uri $uri/ /index.php?$uri&$args; #if ($http_host ~* "^www.domain.com"){ # rewrite ^(.*)$ https://domain.com$1 redirect; #} #include /usr/local/nginx/conf/php.conf; #allow 127.0.0.1; #allow 113.22.1.140; #allow 1.54.210.83; #deny all; index index.html index.htm index.php; try_files $uri $uri/ /index.php?$uri&$args; if ($http_host ~* "^www.domain.com"){ rewrite ^(.*)$ https://domain.com$1 redirect; } } include /usr/local/nginx/conf/staticfiles.conf; include /usr/local/nginx/conf/php.conf; include /usr/local/nginx/conf/drop.conf; #include /usr/local/nginx/conf/errorpage.conf; include /usr/local/nginx/conf/vts_server.conf; }
uncomment remove hash from Code (Text): #add_header Alternate-Protocol 443:npn-spdy/3; restart nginx though that doesn't help with chrome as it should be getting a http/2 connection
no idea why as chrome should get http/2 maybe real url/site would help run it through ssllabs SSL Server Test (Powered by Qualys SSL Labs)
What if you add these 2 settings below the exsiting ssl on ? Code (Text): # SSL ssl on; http2_max_field_size 16k; http2_max_header_size 32k; also change ssl_ciphers from - it's one line Code (Text): ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; to Code (Text): ssl_ciphers EECDH+CHACHA20-draft:EECDH+CHACHA20:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA; also ensure all your php files have correct nginx user/group permissions
last thing you can do is enable nginx and php debug modes and look at and inspect the nginx and php error logs If you have a lot of free disk space, you can enable debug nginx version and compile a nginx debug build of nginx via centmin.sh option NGINX_DEBUG=y centminmod/centmin.sh at 123.08stable · centminmod/centminmod · GitHub You can place the option in persistent config /etc/centminmod/custom_config.inc outlined at centminmod.com/upgrade.html#persistent so place in file /etc/centminmod/custom_config.inc Code: NGINX_DEBUG=y then recompile nginx via centmin.sh menu option 4 and then in your nginx error_log directive add debug option A debugging log and restart nginx and check logs They will be very very very verbose and lot alot to disk usage logged to error logs, so ensure you have a lot of disk free space. You can minimise this by limiting it to specific ip based client connections too After debugging is done, reverse the debug now by setting NGINX_DEBUG=n and recompile Nginx again What's output for these commands - post output wrapped in CODE tags Code (Text): php -v Code (Text): php -m Code (Text): php-config --configure-options Examples with strace below: Debugging Stuck PHP-FPM Process With Strace - Coffee Coder Why you should be using strace – Brandon Wamboldt Linux application/script debugging with 'strace' markus-perl/php-strace · GitHub With gdb backtrace and PHP debug compiled mode where centmin.sh has a PHPDEBUGMODE variable which you can set to PHPDEBUGMODE=y and recompile php via centmin.sh menu option 5 to enable debug mode for PHP-FPM. After troubleshooting set PHPDEBUGMODE=n and recompile php via centmin.sh menu option 5 again to disable debug mode. Code: PHPDEBUGMODE=n # --enable-debug PHP compile flag PHP :: Generating a gdb backtrace Centmin Mod is provide as is, so short of scripted related bugs or issues, any further optimisation to the web stack components - nginx, php-fpm, mariadb mysql, csf firewall etc or web app specific configurations are left to the Centmin Mod user to deal with. So I do not provide any free support for such. You'll need to tune your PHP-FPM settings and this is left up to end user to do but here's a thread for starters to enable php status page output outlined at PHP-FPM - CentminMod.com LEMP Nginx web stack for CentOS and PHP-FPM - pm.max_children | Centmin Mod Community which outlines the official PHP-FPM config documentation as well.