
Nginx Don't use http2 for special location

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by Lil.Tee, Jun 22, 2016.

  1. Lil.Tee

    Lil.Tee New Member

    24
    1
    3
    Sep 11, 2015
    Ratings:
    +1
    Local Time:
    8:59 AM
    1.11.1
    MariaDB 10
    Hi everyone,
    I am using centminmod with nginx server.
    I use ssl and http2, but for some locations I don't want to use http2. Example:
    location /test/ {
    }
    Can you help me, thank you very much!!!
    P/s: Sorry for my bad English.

     
  2. eva2000

    eva2000 Administrator Staff Member

    55,811
    12,273
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,859
    Local Time:
    11:59 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Don't think you can turn off http/2 protocol on per location basis? Why would you want to?
     
  3. Lil.Tee

    Thank you for your reply, eva2000.
    Because I stream video with php. When the video is playing, I sometimes get an error
    abcdef.PNG
    But when I turn off http2, I get no error.
    I use Google Chrome. But when I use Firefox, I get no error.
     
  4. eva2000

  5. Lil.Tee

  6. eva2000

    what's an example php video url? what's output from these days
    Code (Text):
    curl -Ivs https://yourdomain.com/path/to/example/php/video/url
    

    Might want to use CODE tags for output code How to use forum BBCODE code tags :)

    also in chrome browser dev tools network tab right click on example php video url and copy as curl (bash)

    upload_2016-6-23_19-48-33.png

    and paste in SSH window command but add the verbose and header flags right after curl i.e. curl -vI
    Code (Text):
    curl -vI 'https://sslspdy.com/' -H 'pragma: no-cache' -H 'dnt: 1' -H 'accept-encoding: gzip, deflate, lzma, sdch, br' -H 'accept-language: en-US,en;q=0.8' -H 'upgrade-insecure-requests: 1' -H 'user-agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36 OPR/38.0.2220.31' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'cache-control: no-cache' -H 'authority: sslspdy.com' -H 'cookie: _ga=GA1.2.1872899997.1464426495; _gat=1' --compressed

    post output in CODE tags

    example
    Code (Text):
     curl -Iv 'https://sslspdy.com/' -H 'pragma: no-cache' -H 'dnt: 1' -H 'accept-encoding: gzip, deflate, lzma, sdch, br' -H 'accept-language: en-US,en;q=0.8' -H 'upgrade-insecure-requests: 1' -H 'user-agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36 OPR/38.0.2220.31' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'cache-control: no-cache' -H 'authority: sslspdy.com' -H 'cookie: _ga=GA1.2.1872899997.1464426495; _gat=1' --compressed
    *   Trying 2604:180:1::fd2c:e402...
    * Connected to sslspdy.com (2604:180:1::fd2c:e402) port 443 (#0)
    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    * successfully set certificate verify locations:
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * NPN, negotiated HTTP2 (h2)
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
    * TLSv1.2 (OUT), TLS handshake, Unknown (67):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS change cipher, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-ECDSA-AES256-GCM-SHA384
    * Server certificate:
    *  subject: OU=Domain Control Validated; OU=GGSSL Wildcard SSL; CN=*.sslspdy.com
    *  start date: Oct 24 00:00:00 2014 GMT
    *  expire date: Oct 23 23:59:59 2016 GMT
    *  subjectAltName: host "sslspdy.com" matched cert's "sslspdy.com"
    *  issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO ECC Domain Validation Secure Server CA
    *  SSL certificate verify ok.
    * Using HTTP2, server supports multi-use
    * Connection state changed (HTTP/2 confirmed)
    * TCP_NODELAY set
    * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
    * Using Stream ID: 1 (easy handle 0x9b832e0)
    > HEAD / HTTP/1.1
    > Host: sslspdy.com
    > pragma: no-cache
    > dnt: 1
    > accept-encoding: gzip, deflate, lzma, sdch, br
    > accept-language: en-US,en;q=0.8
    > upgrade-insecure-requests: 1
    > user-agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36 OPR/38.0.2220.31
    > accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    > cache-control: no-cache
    > authority: sslspdy.com
    > cookie: _ga=GA1.2.1872899997.1464426495; _gat=1
    > 
    * Connection state changed (MAX_CONCURRENT_STREAMS updated)!
    * HTTP 1.0, assume close after body
    < HTTP/2 200 
    HTTP/2 200 
    < server: nginx
    server: nginx
    < content-type: text/html; charset=utf-8
    content-type: text/html; charset=utf-8
    < vary: Accept-Encoding
    vary: Accept-Encoding
    < x-powered-by: centminmod
    x-powered-by: centminmod
    < public-key-pins: pin-sha256="QYBZo54E74EGPmprgubrqe39L01K0kkNQBfJ6hRFUyE="; pin-sha256="/FG+Woz+c3n8hA694SX9ZOKS86Rq9W5+pTd6wJgZGe8="; max-age=604800; includeSubDomains
    public-key-pins: pin-sha256="QYBZo54E74EGPmprgubrqe39L01K0kkNQBfJ6hRFUyE="; pin-sha256="/FG+Woz+c3n8hA694SX9ZOKS86Rq9W5+pTd6wJgZGe8="; max-age=604800; includeSubDomains
    < strict-transport-security: max-age=31536000; includeSubdomains
    strict-transport-security: max-age=31536000; includeSubdomains
    < date: Sun, 25 Jan 1970 05:01:19 GMT
    date: Sun, 25 Jan 1970 05:01:19 GMT
    < x-page-speed: 1.11.33.2-0
    x-page-speed: 1.11.33.2-0
    < cache-control: max-age=0, no-cache
    cache-control: max-age=0, no-cache
    < content-encoding: gzip
    content-encoding: gzip
    
    < 
    * Closing connection 0
    * TLSv1.2 (OUT), TLS alert, Client hello (1):
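A request copied from the browser with "copy as curl" carries that session's cookie header, and `curl -v` echoes it back together with any Set-Cookie response headers. The following is an added example, not part of the original post: a filter that masks those values before the output is pasted into CODE tags while keeping the header names and protocol lines needed for debugging. The function name `redact_curl_output` is hypothetical and the sample data is constructed; it handles the `-H 'cookie: ...'` command-line form shown above.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): mask credential-bearing header values in
# `curl -v` / "copy as curl" text before it is pasted into a public post.
# Header names are kept so the output stays useful for protocol debugging.
# redact_curl_output is a hypothetical helper name; sample data is constructed.

redact_curl_output() {
  awk '
    function sensitive(name) {
      name = tolower(name)
      return name == "cookie" || name == "set-cookie" ||
             name == "authorization" || name == "proxy-authorization"
    }
    {
      line = $0; prefix = ""
      # curl -v prefixes sent headers with "> " and received headers with "< ";
      # with -I the response headers are printed a second time without a prefix.
      if (line ~ /^[<>] /) { prefix = substr(line, 1, 2); line = substr(line, 3) }

      colon = index(line, ":")
      if (colon > 1 && sensitive(substr(line, 1, colon - 1))) {
        print prefix substr(line, 1, colon) " [REDACTED]"
        next
      }

      # Command-line form: -H \047cookie: ...\047 (\047 is a single quote).
      # tolower() keeps string length, so offsets found in low apply to rest.
      out = ""; rest = line; low = tolower(rest)
      while (match(low, /-h \047(set-cookie|cookie|proxy-authorization|authorization):[^\047]*\047/)) {
        name_end = RSTART + index(substr(low, RSTART), ":") - 1
        out = out substr(rest, 1, name_end) " [REDACTED]\047"
        rest = substr(rest, RSTART + RLENGTH)
        low  = substr(low,  RSTART + RLENGTH)
      }
      print prefix out rest
    }'
}

# Constructed sample in the shape of the output shown above.
sample_output() {
  cat <<'EOF'
$ curl -vI 'https://example.test/video.php' -H 'dnt: 1' -H 'cookie: PHPSESSID=0000; xf_session=1111' --compressed
* Connected to example.test (192.0.2.10) port 443 (#0)
> HEAD /video.php HTTP/1.1
> Host: example.test
> cookie: PHPSESSID=0000; xf_session=1111
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Set-Cookie: xf_user=2222; path=/; secure; HttpOnly
Set-Cookie: xf_user=2222; path=/; secure; HttpOnly
< Content-Type: video/webm
Content-Type: video/webm
EOF
}

sample_output | redact_curl_output
```

curl writes its verbose trace to stderr, so real output has to be merged first: `curl -vI URL 2>&1 | redact_curl_output`.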
    
     
  7. eva2000

    Also post output of command in QUOTE tags
    Code (Text):
    nginx -V
     
  8. Lil.Tee

    Code:
    [root@domain ~]# curl -Ivs https://domain.com/provid/fa53b77d05ce057ed7ec5da4bb57df3b-4/bai-bat-dang-thuc-dang-thanh-nam.mp4
    * About to connect() to domain.com port 443 (#0)
    *   Trying my.ip... connected
    * Connected to domain.com (my.ip) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    * Server certificate:
    *       subject: CN=domain.com,OU=PositiveSSL,OU=Domain Control Validated
    *       start date: Mar 21 00:00:00 2016 GMT
    *       expire date: Dec 21 23:59:59 2018 GMT
    *       common name: domain.com
    *       issuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    > HEAD /provid/fa53b77d05ce057ed7ec5da4bb57df3b-4/bai-bat-dang-thuc-dang-thanh-nam.mp4 HTTP/1.1
    > User-Agent: curl/7.19.7 (i386-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
    > Host: domain.com
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    < Date: Thu, 23 Jun 2016 10:06:30 GMT
    Date: Thu, 23 Jun 2016 10:06:30 GMT
    < Content-Type: text/html; charset=UTF-8
    Content-Type: text/html; charset=UTF-8
    < Connection: keep-alive
    Connection: keep-alive
    < Vary: Accept-Encoding
    Vary: Accept-Encoding
    < Set-Cookie: PHPSESSID=lupd2fft9ekakgjh0o3chl1bq3; path=/
    Set-Cookie: PHPSESSID=lupd2fft9ekakgjh0o3chl1bq3; path=/
    < Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    < Cache-Control: no-store, no-cache, must-revalidate
    Cache-Control: no-store, no-cache, must-revalidate
    < Pragma: no-cache
    Pragma: no-cache
    < Server: nginx centminmod
    Server: nginx centminmod
    < X-Powered-By: centminmod
    X-Powered-By: centminmod
    < Strict-Transport-Security: max-age=31536000; includeSubdomains;
    Strict-Transport-Security: max-age=31536000; includeSubdomains;
    
    <
    * Connection #0 to host domain.com left intact
    * Closing connection #0
    You have new mail in /var/spool/mail/root
    Code:
    * getaddrinfo(3) failed for curl:80
    * Couldn't resolve host 'curl'
    * Closing connection #0
    curl: (6) Couldn't resolve host 'curl'
    * About to connect() to domain.com port 443 (#0)
    *   Trying 128.199.169.24... connected
    * Connected to domain.com (128.199.169.24) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    * Server certificate:
    *       subject: CN=domain.com,OU=PositiveSSL,OU=Domain Control Validated
    *       start date: Mar 21 00:00:00 2016 GMT
    *       expire date: Dec 21 23:59:59 2018 GMT
    *       common name: domain.com
    *       issuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    > HEAD /provid/fa53b77d05ce057ed7ec5da4bb57df3b-4/bai-bat-dang-thuc-dang-thanh-nam.mp4 HTTP/1.1
    > Host: domain.com
    > accept-encoding: identity;q=1, *;q=0
    > accept-language: vi-VN,vi;q=0.8,fr-FR;q=0.6,fr;q=0.4,en-US;q=0.2,en;q=0.2
    > alexatoolbar-alx_ns_ph: AlexaToolbar/alx-4.0
    > accept: */*
    > referer: https://domain.com/courses/lessons/60/stream?v=1
    > authority: domain.com
    > cookie: CKFinder_Path=Images%3A%2Falbum%2F%3A1; xf_EWRporta[RawHyperText][order]=1; xf_EWRporta[RawHyperText][position]=top-left; xf_EWRporta[LilTeeRecentSlide][order]=2; xf_EWRporta[LilTeeRecentSlide][position]=top-right; xf_EWRporta[RawHyperText2][order]=3; xf_EWRporta[RawHyperText2][position]=sidebar; xf_EWRporta[BoardTotals][order]=4; xf_EWRporta[BoardTotals][position]=disabled; xf_EWRporta[CountDown][order]=5; xf_EWRporta[CountDown][position]=disabled; xf_EWRporta[FaceBook][order]=6; xf_EWRporta[FaceBook][position]=disabled; xf_EWRporta[TaigaChat][order]=7; xf_EWRporta[TaigaChat][position]=disabled; xf_EWRporta[StatusUpdates][order]=8; xf_EWRporta[StatusUpdates][position]=disabled; xf_EWRporta[OnlineUsers][order]=9; xf_EWRporta[OnlineUsers][position]=disabled; xf_EWRporta[RecentNews][order]=10; xf_EWRporta[RecentNews][position]=disabled; xf_EWRporta[RecentNewsForum][order]=11; xf_EWRporta[RecentNewsForum][position]=disabled; xf_EWRporta[RecentThreads][order]=12; xf_EWRporta[RecentThreads][position]=disabled; xf_EWRporta[SharePage][order]=13; xf_EWRporta[SharePage][position]=disabled; xf_EWRporta[NewsCategories][order]=14; xf_EWRporta[NewsCategories][position]=disabled; xf_EWRporta[Twitter][order]=15; xf_EWRporta[Twitter][position]=disabled; __sbzid=6w7bs0ory83h8gydput1451034880974; __sbzsid=VP99aW7AjMPTFhlqn1jAEOlF; xf_FilterList_adminphplanguages0phrases=0%2Cstatus; xf_edit_language_id=2; xf_FilterList_adminphplanguages2phrases=0%2Cstatus; PHPSESSID=q7lea7l5hlssl493omkji8u2l6; xf_session_admin=b7885a167c825770b7a258b81ed21940; xf_edit_style_id=2; xf_FilterList_adminphptemplates=0%2Cview; xf_user=1%2Cc4d3be2b997887508f100bba7f6e86391ad32057; xf_session=6cb8486e95158d47d84e96ff56355709; _gat=1; _ga=GA1.2.1699638739.1450804055
    > user-agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
    > range: bytes=0-
    >
    < HTTP/1.1 206 Partial Content
    HTTP/1.1 206 Partial Content
    < Content-Type: video/webm
    Content-Type: video/webm
    < Content-Length: 51095752
    Content-Length: 51095752
    < Connection: keep-alive
    Connection: keep-alive
    < Set-Cookie: xf_user=1%2Cc4d3be2b997887508f100bba7f6e86391ad32057; expires=Sat, 23-Jul-2016 10:11:19 GMT; Max-Age=2592000; path=/; secure; HttpOnly
    Set-Cookie: xf_user=1%2Cc4d3be2b997887508f100bba7f6e86391ad32057; expires=Sat, 23-Jul-2016 10:11:19 GMT; Max-Age=2592000; path=/; secure; HttpOnly
    < Pragma: no-cache
    Pragma: no-cache
    < Last-Modified: Wed, 17 Feb 2016 11:00:43 GMT
    Last-Modified: Wed, 17 Feb 2016 11:00:43 GMT
    < Date: Thu, 23 Jun 2016 10:11:19 GMT
    Date: Thu, 23 Jun 2016 10:11:19 GMT
    < Expires: Thu, 23 Jun 2016 10:11:19 GMT
    Expires: Thu, 23 Jun 2016 10:11:19 GMT
    < Cache-Control: private, max-age=20987
    Cache-Control: private, max-age=20987
    < Content-Range: bytes 0-51095751/51095752
    Content-Range: bytes 0-51095751/51095752
    < Accept-Ranges: bytes
    Accept-Ranges: bytes
    < X-Content-Type-Options: nosniff
    X-Content-Type-Options: nosniff
    < Server: nginx centminmod
    Server: nginx centminmod
    < X-Powered-By: centminmod
    X-Powered-By: centminmod
    < Strict-Transport-Security: max-age=31536000; includeSubdomains;
    Strict-Transport-Security: max-age=31536000; includeSubdomains;
    
    <
    * Connection #0 to host domain.com left intact
    * Closing connection #0                    
    Code:
    nginx version: nginx/1.11.1
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with LibreSSL 2.3.6
    TLS SNI support enabled
    configure arguments: --with-ld-opt='-lrt -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m32 -mtune=generic -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-sign-compare -Wno-string-plus-int -Wno-deprecated-declarations -Wno-unused-parameter -Wno-unused-const-variable -Wno-conditional-uninitialized -Wno-mismatched-tags -Wno-c++11-extensions -Wno-sometimes-uninitialized -Wno-parentheses-equality -Wno-tautological-compare -Wno-self-assign -Wno-deprecated-register -Wno-deprecated -Wno-invalid-source-encoding -Wno-pointer-sign -Wno-parentheses -Wno-enum-conversion -Wno-c++11-compat-deprecated-writable-strings -Wno-write-strings' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_stub_status_module --with-http_secure_link_module --with-openssl-opt=enable-tlsext --add-module=../nginx-module-vts --with-libatomic --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_gzip_static_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.0 --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../set-misc-nginx-module-0.30 --add-module=../echo-nginx-module-0.59 --add-module=../redis2-nginx-module-0.13 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.17 --add-module=../srcache-nginx-module-0.31 --add-module=../headers-more-nginx-module-0.30 --with-pcre=../pcre-8.38 --with-pcre-jit --with-http_ssl_module --with-http_spdy_module --with-http_v2_module --with-openssl=../libressl-2.3.6       
     
  9. eva2000

    what if you disable AlexaToolbar? tried other web browsers? i see firefox doesn't have a problem

    chrome disabled npn/spdy support so you should get http/2 served
     
  10. eva2000

    see #831 (Possible incorrect handling of invalid headers with HTTP/2.0 and POST/PUT requests) – nginx

    but issue was fixed in nginx 1.9.7
     
  11. Lil.Tee

    I disabled AlexaToolbar and still get the error. I tried with Opera but still get the problem.
     
  12. eva2000

    When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. You will get the path location outputted where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self signed SSL)
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)
     
  13. Lil.Tee

    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    
    # redirect from non-www to www
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    #server {
    #            listen   80;
    #            server_name domain.com;
    #            return 301 $scheme://www.domain.com$request_uri;
    #       }
    server {
            listen 80;
            server_name domain.com www.domain.com;
            return 301 https://domain.com$request_uri;
    }
    server {
        listen 443 ssl spdy http2;
        server_name domain.com www.domain.com;
        # SSL
        ssl on;
        ssl_certificate /etc/ssl/zix-bundle.crt;
        ssl_certificate_key /etc/ssl/private/sv.domain.com.key;
        ssl_session_cache shared:SSL:20m;
        ssl_session_timeout 180m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
        #ssl_dhparam /etc/ssl/dhparam.pem;
        #add_header Alternate-Protocol  443:npn-spdy/3;
        #add_header Connection keep-alive;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    
        #ssl_stapling on;
       
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain.com/log/access.log combined buffer=256k flush=60m;
      error_log /home/nginx/domains/domain.com/log/error.log;
    
      root /home/nginx/domains/domain.com/public;
    
      # prevent access to ./directories and files
      location ~ (?:^|/)\. {
       deny all;
      } 
    
      location / {
            #auth_basic "Private";
            #auth_basic_user_file /usr/local/nginx/conf/htpasswd;
            #include /usr/local/nginx/conf/php.conf;
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Enable for vBulletin usage WITHOUT vbSEO installed
      # More example Nginx vhost configurations at
      # http://centminmod.com/nginx_configure.html
      #try_files        $uri $uri/ /index.php;
        #try_files $uri $uri/ /index.php?$uri&$args;
         
    
            #try_files $uri $uri/ /index.php?$uri&$args;
    
            #if ($http_host ~* "^www.domain.com"){
            #    rewrite ^(.*)$ https://domain.com$1 redirect;
            #}
           
            #include /usr/local/nginx/conf/php.conf;
            #allow 127.0.0.1;
            #allow 113.22.1.140;
            #allow 1.54.210.83;
            #deny all;
    
            index  index.html index.htm index.php;
            try_files $uri $uri/ /index.php?$uri&$args;
                if ($http_host ~* "^www.domain.com"){
                    rewrite ^(.*)$ https://domain.com$1 redirect;
                }
      }
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
     
    
    }
     
  14. eva2000

    uncomment remove hash from
    Code (Text):
    #add_header Alternate-Protocol  443:npn-spdy/3;

    restart nginx

    though that doesn't help with chrome as it should be getting a http/2 connection
     
  15. Lil.Tee

    Thank you but still get error.
     
  16. eva2000

    no idea why, as chrome should get http/2. maybe real url/site would help; run it through ssllabs SSL Server Test (Powered by Qualys SSL Labs)
     
  17. eva2000

    What if you add these 2 settings below the existing ssl on?
    Code (Text):
    # SSL
    ssl on;
    http2_max_field_size 16k;
    http2_max_header_size 32k;
    

    also change ssl_ciphers from - it's one line
    Code (Text):
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    

    to
    Code (Text):
    ssl_ciphers     EECDH+CHACHA20-draft:EECDH+CHACHA20:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
    

    also ensure all your php files have correct nginx user/group permissions
     
  18. eva2000

    last thing you can do is enable nginx and php debug modes and look at and inspect the nginx and php error logs

    If you have a lot of free disk space, you can enable debug nginx version and compile a nginx debug build of nginx via centmin.sh option NGINX_DEBUG=y centminmod/centmin.sh at 123.08stable · centminmod/centminmod · GitHub

    You can place the option in persistent config /etc/centminmod/custom_config.inc outlined at centminmod.com/upgrade.html#persistent so place in file /etc/centminmod/custom_config.inc
    Code:
    NGINX_DEBUG=y
    then recompile nginx via centmin.sh menu option 4 and then in your nginx error_log directive add debug option (A debugging log) and restart nginx and check logs

    They will be very very very verbose and add a lot to disk usage logged to error logs, so ensure you have a lot of free disk space.

    You can minimise this by limiting it to specific ip based client connections too
    After debugging is done, reverse the debug now by setting NGINX_DEBUG=n and recompile Nginx again

    What's output for these commands - post output wrapped in CODE tags
    Code (Text):
    php -v

    Code (Text):
    php -m

    Code (Text):
    php-config --configure-options


    Examples with strace below:
    With gdb backtrace and PHP debug compiled mode where centmin.sh has a PHPDEBUGMODE variable which you can set to PHPDEBUGMODE=y and recompile php via centmin.sh menu option 5 to enable debug mode for PHP-FPM. After troubleshooting set PHPDEBUGMODE=n and recompile php via centmin.sh menu option 5 again to disable debug mode.
    Code:
    PHPDEBUGMODE=n # --enable-debug PHP compile flag
    Centmin Mod is provided as is, so short of scripted related bugs or issues, any further optimisation to the web stack components - nginx, php-fpm, mariadb mysql, csf firewall etc or web app specific configurations are left to the Centmin Mod user to deal with. So I do not provide any free support for such.

    You'll need to tune your PHP-FPM settings and this is left up to end user to do but here's a thread for starters to enable php status page output outlined at PHP-FPM - CentminMod.com LEMP Nginx web stack for CentOS and PHP-FPM - pm.max_children | Centmin Mod Community which outlines the official PHP-FPM config documentation as well.
     
  19. Lil.Tee

    Thank you very much for your support, but still get error.
     
  20. eva2000

    last thing is nginx and php debug mode logging as outlined here