I hate you lol :)
Well, I got the A+ lol. Guess how....... On another topic that I created recently, reporting that when I have an Invision forum or a WordPress site and I set them to offline/maintenance mode, I am getting 502 errors after a few refreshes...... it seems it was related to that.... After enabling the forum, no more 502 errors, and then without touching anything or even restarting, I did the check online and I have an A+!!! But that confirms that there is an issue when they are set to maintenance mode.
Maintenance mode gives a 503 HTTP status, so the site is not available as intended if you use
Code (Text):
sitestatus off
as outlined at Beta Branch - sitestatus maintenance mode | Centmin Mod Community, but if you mean enabling it by including the maintenance include files only, then yes, probably a bug somewhere.
I mean the setting in the admin control panel that both Invision and WordPress have, not the one from Centminmod.... Invision has offline mode and WordPress has maintenance mode....
On the first refresh it is OK, on the second refresh 502 Bad Gateway, on the third OK again, and so on...... It goes one by one....
I never succeeded in enabling HSTS on WordPress following the tutorial here. But for index.html, it works. Since WordPress uses index.php, it's not. Finally, I added this code to my custom functions.php and I see HSTS working.
PHP:
add_action( 'send_headers', 'strict_transport_security' );

/**
 * Enables the HTTP Strict Transport Security (HSTS) header.
 *
 * @since 1.0.0
 */
function strict_transport_security() {
    header( 'Strict-Transport-Security: max-age=31536000' );
}
Why does following the centminmod.com/nginx_domain_dns_setup.html#hsts tutorial not work for an index page based on .php?
I confirm that it works with other index.php files (my subdomain contains a PHP script) besides WordPress. Still, in WordPress, I have to add the custom code above to make HSTS work.
@benyhirmansyah strange, it should work for HSTS on index.php. When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via the /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. You will get outputted the path location where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self signed SSL)
Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
Vhost public web root will be at /home/nginx/domains/newdomain.com/public
Vhost log directory will be at /home/nginx/domains/newdomain.com/log
Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)
Sure, here is the mydomain.com.ssl.conf file:
Code:
#x# HTTPS-DEFAULT
server {
  server_name mydomain.com www.mydomain.com;
  return 301 https://$server_name$request_uri;
  include /usr/local/nginx/conf/staticfiles.conf;
}
# For SPDY SSL Setup
# listen 80;
# server_name mydomain.com www.mydomain.com;
# return 302 https://$server_name$request_uri;
server {
  listen 443 ssl http2;
  server_name mydomain.com www.mydomain.com;
  include /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com.crt.key.conf;
  include /usr/local/nginx/conf/ssl_include.conf;
  http2_max_field_size 16k;
  http2_max_header_size 32k;
  # mozilla recommended
  ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
  ssl_prefer_server_ciphers on;
  #add_header Alternate-Protocol 443:npn-spdy/3;
  # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
  add_header Strict-Transport-Security "max-age=31536000";
  #add_header X-Frame-Options SAMEORIGIN;
  #add_header X-Xss-Protection "1; mode=block" always;
  #add_header X-Content-Type-Options "nosniff" always;
  #spdy_headers_comp 5;
  ssl_buffer_size 1369;
  ssl_session_tickets on;
  # enable ocsp stapling
  resolver 8.8.8.8 8.8.4.4 valid=10m;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on;
  # ngx_pagespeed & ngx_pagespeed handler
  #include /usr/local/nginx/conf/pagespeed.conf;
  #include /usr/local/nginx/conf/pagespeedhandler.conf;
  #include /usr/local/nginx/conf/pagespeedstatslog.conf;
  # limit_conn limit_per_ip 16;
  # ssi on;
  access_log /home/nginx/domains/mydomain.com/log/access.log combined buffer=256k flush=60m;
  access_log /var/log/nginx/access.cache.log cache;
  error_log /home/nginx/domains/mydomain.com/log/error.log;
  include /usr/local/nginx/conf/autoprotect/mydomain.com/autoprotect-mydomain.com.conf;
  root /home/nginx/domains/mydomain.com/public;
  # uncomment cloudflare.conf include if using cloudflare for
  # server and/or vhost site
  #include /usr/local/nginx/conf/cloudflare.conf;
  include /usr/local/nginx/conf/503include-main.conf;
  # prevent access to ./directories and files
  #location ~ (?:^|/)\. {
  #  deny all;
  #}
  location / {
    include /usr/local/nginx/conf/503include-only.conf;
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    # Enables directory listings when index file not found
    #autoindex on;
    # Shows file listing times as local time
    #autoindex_localtime on;
    # Enable for vBulletin usage WITHOUT vbSEO installed
    # More example Nginx vhost configurations at
    # http://centminmod.com/nginx_configure.html
    #try_files $uri $uri/ /index.php;
    try_files $uri $uri/ /index.php?q=$request_uri;
  }
  include /usr/local/nginx/conf/staticfiles-hsts.conf;
  include /usr/local/nginx/conf/wpsecure.conf;
  include /usr/local/nginx/conf/mywpcache.conf;
  include /usr/local/nginx/conf/wpnocache.conf;
  include /usr/local/nginx/conf/myphpcache.conf;
  #include /usr/local/nginx/conf/staticfiles.conf;
  #include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}
Yes, really weird. It doesn't work with WordPress. I even ran this command:
Code:
curl -s -D- https://mydomain.com/ | grep Strict
No results were returned. But with another PHP script or index.html, it works normally. As I said, when I put my code above into the custom functions.php in my WordPress theme, then HSTS is working.
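As an added example (not code from the thread or from Centmin Mod), a small Python audit of the kind of header dump the `curl -s -D-` check above produces: it parses the Strict-Transport-Security header per path and flags paths where the header is missing, as on the WordPress index.php here, or where max-age is below the 180-day floor SSL Labs applies for the A+ grade. The header dumps are constructed sample input, and the path names are assumptions.

```python
import re

# Qualys SSL Labs needs max-age of at least 180 days for the HSTS A+ bonus.
MIN_MAX_AGE = 180 * 24 * 3600  # 15552000 seconds

# Constructed header dumps in the shape `curl -s -D- <url> -o /dev/null` prints;
# /index.php mimics the WordPress response in the thread that lacks the header.
SAMPLE_RESPONSES = {
    "/index.html": "HTTP/2 200\r\ncontent-type: text/html\r\n"
                   "strict-transport-security: max-age=31536000\r\n\r\n",
    "/index.php": "HTTP/2 200\r\ncontent-type: text/html; charset=UTF-8\r\n"
                  "x-powered-by: PHP/7.0\r\n\r\n",
    "/robots.txt": "HTTP/2 200\r\ncontent-type: text/plain\r\n"
                   "strict-transport-security: max-age=7776000;\r\n\r\n",
}


def parse_headers(raw):
    """Map lower-cased header names to values; skips the status line."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def hsts_policy(raw):
    """Return STS directives as a dict ({'max-age': 31536000, ...}), or None
    when the header is absent. Tolerates the trailing ';' that Centmin's
    staticfiles-hsts.conf emits."""
    value = parse_headers(raw).get("strict-transport-security")
    if value is None:
        return None
    policy = {}
    for d in (p.strip().lower() for p in value.split(";") if p.strip()):
        name, _, arg = d.partition("=")
        policy[name] = int(arg) if arg.isdigit() else True
    return policy


def audit(responses, min_max_age=MIN_MAX_AGE):
    """Paths whose HSTS header is missing or whose max-age is below the floor."""
    bad = []
    for path, raw in responses.items():
        policy = hsts_policy(raw) or {}
        max_age = policy.get("max-age")
        if not isinstance(max_age, int) or max_age < min_max_age:
            bad.append(path)
    return sorted(bad)
```

Run against a live site by replacing the constructed dumps with the output of `curl -s -D- -o /dev/null` for each path you care about; a path that is missing from the header but present on others usually points at a location block that sets its own headers.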
Not sure if it is the same issue @benyhirmansyah had (or is having) with HSTS, but I have a modx site, which from the .conf point of view is very similar in setup to WordPress, and I am getting 404s when navigating through the site. I figured out that it's because of this location block in my staticfiles-hsts.conf:
Code:
. . .
location ~* \.(html|htm|txt)$ {
  if ($server_https = 'on') {
    add_header Strict-Transport-Security "max-age=7776000;";
  }
  #add_header Pragma public;
  add_header Cache-Control "public, must-revalidate, proxy-revalidate";
  access_log off;
  # expires 30m;
  expires 30d;
  break;
}
When I comment that out, the site works fine.
Code:
. . .
index index.php;
client_max_body_size 30M;
location / {
  include /usr/local/nginx/conf/503include-only.conf;
  # block exploits and sql injections
  include /usr/local/nginx/conf/block.conf;
  #try to get file directly, try it as a directory or fall back to modx
  try_files $uri $uri/ @modx;
}
location @modx {
  include /usr/local/nginx/conf/blockbots.conf;
  #including ? in second rewrite argument causes nginx to drop GET params, so append them again
  rewrite ^/(.*)$ /index.php?q=$1&$args;
}
location /rest {
  try_files $uri $uri/ @modx_rest;
}
location @modx_rest {
  rewrite ^/rest/(.*)$ /rest/index.php?_rest=$1&$args last;
}
#include /usr/local/nginx/conf/staticfiles.conf;
include /usr/local/nginx/conf/staticfiles-hsts.conf; #hsts for ssl labs test A+ : https://goo.gl/w2qEpt
include /usr/local/nginx/conf/php-modx.conf;
include /usr/local/nginx/conf/drop.conf;
include /usr/local/nginx/conf/errorpage.conf;
include /usr/local/nginx/conf/vts_server.conf;
# prevent access to ./directories and files
location ~ (?:^|/)\. {
  deny all;
}
I researched the Centmin archives but couldn't find a hint. If it's important to know... I am 301ing from HTTP to HTTPS. Does somebody see my error here?