
Magento I have installed Magento 2, and it worked for 1 day

Discussion in 'Ecommerce / Shopping cart usage' started by computer19852007, Jun 1, 2018.

  1. computer19852007

    computer19852007 Member

    Centmin Mod 1.2.3-eva2000.06
    MariaDB 5.5.34
    I have installed Magento 2.2.4; it worked for 1 day, and today it shows this error:
    403 Forbidden

    I have checked the log, it shows:


    Code:
    2018/05/31 16:13:04 [crit] 7832#7832: *4496 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 184.105.xxx.70, server: 0.0.0.0:443
    2018/06/01 02:07:04 [error] 10026#10026: *2 access forbidden by rule, client: xxx.xxx.xxx.xxx, server: abcd.okkkk.pro, request: "GET /favicon.ico HTTP/2.0", host: "abcd.okkkk.pro", referrer: "https://abcd.okkkk.pro/"
    2018/06/01 02:07:04 [error] 10026#10026: *2 access forbidden by rule, client: xxx.xxx.xxx.xxx, server: abcd.okkkk.pro, request: "GET / HTTP/2.0", host: "abcd.okkkk.pro"
    2018/06/01 02:07:04 [error] 10026#10026: *2 access forbidden by rule, client: xxx.xxx.xxx.xxx, server: abcd.okkkk.pro, request: "GET / HTTP/2.0", host: "abcd.okkkk.pro"
    2018/06/01 02:07:04 [error] 10026#10026: *2 access forbidden by rule, client: xxx.xxx.xxx.xxx, server: abcd.okkkk.pro, request: "GET /favicon.ico HTTP/2.0", host: "abcd.okkkk.pro", referrer: "https://abcd.okkkk.pro/"
    2018/06/01 02:07:04 [error] 10026#10026: *2 access forbidden by rule, client: xxx.xxx.xxx.xxx, server: abcd.okkkk.pro, request: "GET /favicon.ico HTTP/2.0", host: "abcd.okkkk.pro", referrer: "https://abcd.okkkk.pro/"

    and my vhost config:

    Code:
    #x# HTTPS-DEFAULT
     server {
      
       server_name abcd.okkkk.pro;
       return 302 https://abcd.okkkk.pro$request_uri;
     }
    
    #       listen   80;
    #       server_name upm2.wbuy.pro www.upm2.wbuy.pro;
    #       return 302 https://$server_name$request_uri;
    
    server {
      listen 443 ssl http2;
      server_name abcd.okkkk.pro;
    
      include /usr/local/nginx/conf/ssl/abcd.okkkk.pro/abcd.okkkk.pro.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/upm2.wbuy.pro/origin.crt;
      #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      # resolver 8.8.8.8 8.8.4.4 valid=10m;
      # resolver_timeout 10s;
      # ssl_stapling on;
      # ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/abcd.okkkk.pro/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/abcd.okkkk.pro/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/abcd.okkkk.pro/autoprotect-abcd.okkkk.pro.conf;
      set $MAGE_ROOT /home/nginx/domains/abcd.okkkk.pro/public;
      root $MAGE_ROOT/pub;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    index index.php;
    autoindex off;
    charset UTF-8;
    error_page 404 403 = /errors/404.php;
    #add_header "X-UA-Compatible" "IE=Edge";                 
    # PHP entry point for setup application
    location ~* ^/setup($|/) {
        root $MAGE_ROOT;
        location ~ ^/setup/index.php {
            include /usr/local/nginx/conf/php.conf;
        }
    
        location ~ ^/setup/(?!pub/). {
            deny all;
        }
    
        location ~ ^/setup/pub/ {
            add_header X-Frame-Options "SAMEORIGIN";
        }
    }
    
    # PHP entry point for update application
    location ~* ^/update($|/) {
        root $MAGE_ROOT;
    
        location ~ ^/update/index.php {
            fastcgi_split_path_info ^(/update/index.php)(/.+)$;
            include /usr/local/nginx/conf/php_magento.conf;
        }
    
        # Deny everything but index.php
        location ~ ^/update/(?!pub/). {
            deny all;
        }
    
        location ~ ^/update/pub/ {
            add_header X-Frame-Options "SAMEORIGIN";
        }
    }
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
      try_files $uri $uri/ /index.php$is_args$args;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Wordpress Permalinks example
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      }
     
      location /pub/ {
        location ~ ^/pub/media/(downloadable|customer|import|theme_customization/.*\.xml) {
            deny all;
        }
        alias $MAGE_ROOT/pub/;
        add_header X-Frame-Options "SAMEORIGIN";
    }
    
    location /static/ {
        # Uncomment the following line in production mode
        expires max;
    
        # Remove signature of the static files that is used to overcome the browser cache
        location ~ ^/static/version {
            rewrite ^/static/(version\d*/)?(.*)$ /static/$2 last;
        }
        location ~* \.(ico|jpg|jpeg|png|gif|svg|js|css)$ {
            add_header Cache-Control "public";
            add_header Access-Control-Allow-Origin *;
            add_header X-Frame-Options "SAMEORIGIN";
            expires 30d;
    
            if (!-f $request_filename) {
                rewrite ^/static/?(.*)$ /static.php?resource=$1 last;
            }
        }
        location ~* \.(swf|eot|ttf|otf|woff|woff2)$ {
            add_header Cache-Control "public";
            add_header Access-Control-Allow-Origin *;
            add_header X-Frame-Options "SAMEORIGIN";
            expires +1y;
    
            if (!-f $request_filename) {
                rewrite ^/static/?(.*)$ /static.php?resource=$1 last;
            }
        }
        location ~* \.(zip|gz|gzip|bz2|csv|xml)$ {
            add_header Cache-Control "no-store";
            add_header X-Frame-Options "SAMEORIGIN";
            expires    off;
    
            if (!-f $request_filename) {
               rewrite ^/static/?(.*)$ /static.php?resource=$1 last;
            }
        }
        if (!-f $request_filename) {
            rewrite ^/static/?(.*)$ /static.php?resource=$1 last;
        }
        add_header X-Frame-Options "SAMEORIGIN";
    }
    
    location /media/ {
        try_files $uri $uri/ /get.php$is_args$args;
    
        location ~ ^/media/theme_customization/.*\.xml {
            deny all;
        }
        location ~* \.(ico|jpg|jpeg|png|gif|svg|js|css)$ {
            add_header Cache-Control "public";
            add_header Access-Control-Allow-Origin *;
            add_header X-Frame-Options "SAMEORIGIN";
            expires 30d;
            try_files $uri $uri/ /get.php$is_args$args;
        }
        location ~* \.(swf|eot|ttf|otf|woff|woff2)$ {
            add_header Cache-Control "public";
            add_header Access-Control-Allow-Origin *;
            add_header X-Frame-Options "SAMEORIGIN";
            expires +1y;
            try_files $uri $uri/ /get.php$is_args$args;
        }
        location ~* \.(zip|gz|gzip|bz2|csv|xml)$ {
            add_header Cache-Control "no-store";
            add_header X-Frame-Options "SAMEORIGIN";
            expires    off;
            try_files $uri $uri/ /get.php$is_args$args;
        }
        add_header X-Frame-Options "SAMEORIGIN";
    }
    
    location /media/customer/ {
        deny all;
    }
    
    location /media/downloadable/ {
        deny all;
    }
    
    location /media/import/ {
        deny all;
    }
    
    # Deny cron and files with the obvious names. favorite entry points for hackers and script kiddie
    location ~* ^/(cron|phpminiadmin|pma|sqlyog|adminer.+)\.php { deny all; }
    
    # Deny auth and composer
    location ~ (auth|package|composer)\.(json|lock)$ { deny all; }
    
    # PHP entry point for main application
    location ~ (index|get|static|report|404|503|health_check)\.php$ {
        try_files $uri =404;
        add_header X-Processing-Time $request_time always;
        add_header X-Request-ID $request_id always;
        #add_header Strict-Transport-Security $mag_hstsheader always;
        add_header X-UA-Compatible 'IE=Edge,chrome=1';
        add_header Link "<$scheme://$http_host$request_uri>; rel=\"canonical\"" always;
        fastcgi_buffers 1024 4k;
    
        fastcgi_param  PHP_FLAG  "session.auto_start=off \n suhosin.session.cryptua=off";
        fastcgi_param  PHP_VALUE "memory_limit=4096M \n max_execution_time=18000 \n max_input_time=18000";
        fastcgi_read_timeout 600s;
        fastcgi_connect_timeout 600s;
        include /usr/local/nginx/conf/503include-only.conf;
        include /usr/local/nginx/conf/php.conf;
    }
    
    # Banned locations (only reached if the earlier PHP entry point regexes don't match)
    location ~* (\.php$|\.htaccess$|\.git) {
        deny all;
    }                                                                                   
      include /usr/local/nginx/conf/pre-staticfiles-local-abcd.okkkk.pro.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      #include /usr/local/nginx/conf/staticfiles.conf;
      #include /usr/local/nginx/conf/php.conf;
     
      #include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    Please help me:
    1) Error: 403 Forbidden
    2) SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low)
     
  2. computer19852007

    computer19852007 Member

    Centmin Mod 1.2.3-eva2000.06
    MariaDB 5.5.34
    I have fixed it; it was blocked by:
    Code:
    include /usr/local/nginx/conf/autoprotect/...autoprotect-abc.pro.conf;
    I added # to this line and restarted nginx, and it is working.

    Please help me fix this error:

    Code:
    2018/05/31 16:13:04 [crit] 7832#7832: *4496 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 184.105.xxx.70, server: 0.0.0.0:443
    
    Thanks
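As an added example (not code from the thread or from Centmin Mod), here is a small POSIX shell triage for the two kinds of error.log lines quoted in the two posts above. It embeds constructed log lines modelled on the posted ones (the IPs are documentation placeholders, not real clients), groups "access forbidden by rule" hits by request and SSL_do_handshake() failures by client and reason. The "version too low" reason is OpenSSL reporting that the ClientHello offered a protocol version below the server's minimum, so grouping by client shows whether it is one scanner or many real users; the 403 grouping shows whether ordinary requests (/, /favicon.ico) are being denied, which points at an over-broad deny rule rather than at a probe.

```shell
#!/bin/sh
# Added example: triage nginx error.log lines of the two kinds seen in the
# thread. Not part of Centmin Mod or the original posts.

# Constructed sample lines modelled on the posted ones (IPs are documentation
# placeholders, not the poster's real clients).
SAMPLE_LOG=$(cat <<'EOF'
2018/05/31 16:13:04 [crit] 7832#7832: *4496 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 184.105.0.70, server: 0.0.0.0:443
2018/05/31 16:20:11 [crit] 7832#7832: *4510 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 184.105.0.70, server: 0.0.0.0:443
2018/05/31 16:25:40 [crit] 7832#7832: *4522 SSL_do_handshake() failed (SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown) while SSL handshaking, client: 203.0.113.9, server: 0.0.0.0:443
2018/06/01 02:07:04 [error] 10026#10026: *2 access forbidden by rule, client: 198.51.100.4, server: abcd.okkkk.pro, request: "GET /favicon.ico HTTP/2.0", host: "abcd.okkkk.pro", referrer: "https://abcd.okkkk.pro/"
2018/06/01 02:07:04 [error] 10026#10026: *2 access forbidden by rule, client: 198.51.100.4, server: abcd.okkkk.pro, request: "GET / HTTP/2.0", host: "abcd.okkkk.pro"
2018/06/01 02:07:05 [error] 10026#10026: *3 access forbidden by rule, client: 198.51.100.4, server: abcd.okkkk.pro, request: "GET / HTTP/2.0", host: "abcd.okkkk.pro"
2018/06/18 11:53:15 [error] 25954#25954: *4077 access forbidden by rule, client: 149.28.130.7, server: abcd.okkkk.pro, request: "POST /app/etc/config.php HTTP/1.1", host: "abcd.okkkk.pro"
EOF
)

# "<count> <METHOD> <path>" for every "access forbidden by rule" entry, most
# frequent first. A real user being denied "/" and "/favicon.ico" points at an
# over-broad deny rule; a lone POST to app/etc/config.php is a probe that the
# deny rule is meant to stop.
forbidden_by_request() {
  printf '%s\n' "$1" \
    | grep 'access forbidden by rule' \
    | sed -n 's/.*request: "\([A-Z]*\) \([^ "]*\) [^"]*".*/\1 \2/p' \
    | sort | uniq -c | sed 's/^[[:space:]]*//' | sort -k1,1rn -k2
}

# "<count> <client> <reason>" for every SSL_do_handshake() failure.
# "version too low" is OpenSSL saying the ClientHello offered a protocol
# version below the server's minimum: fix (or ignore) the client, not the vhost.
ssl_failures_by_client() {
  printf '%s\n' "$1" \
    | grep 'SSL_do_handshake() failed' \
    | sed -n 's/.*SSL routines:[^:]*:\([^)]*\)).*client: \([0-9.]*\),.*/\2 \1/p' \
    | sort | uniq -c | sed 's/^[[:space:]]*//' | sort -k1,1rn -k2
}

# Usage on a real host: pass the log as a string, e.g.
#   forbidden_by_request "$(cat /home/nginx/domains/example.com/log/error.log)"
echo '== 403 by request =='
forbidden_by_request "$SAMPLE_LOG"
echo '== TLS handshake failures by client =='
ssl_failures_by_client "$SAMPLE_LOG"
```

On the sample above the 403 summary is "2 GET /", "1 GET /favicon.ico", "1 POST /app/etc/config.php", and the handshake summary attributes both "version too low" failures to a single client.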
     
  3. eva2000

    eva2000 Administrator Staff Member

    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Centmin Mod values security and puts additional measures in place so that end users are also mindful of security.
    If on Centmin Mod 123.09beta01, you may have run into the new tools/autoprotect.sh cronjob feature outlined at Beta Branch - autoprotect.sh - apache .htaccess check & migration to nginx deny all | Centmin Mod Community. Your uploaded scripts may have .htaccess 'deny from all' type files in their directories, which may need to bypass autoprotect. It's a security feature that no other nginx based stack has as far as I know :)

    So instead, all .htaccess 'deny from all' detected directories now get an auto generated Nginx equivalent location match and deny all setup, except if you want to manually bypass the directory from auto protection via a .autoprotect-bypass file - details below here.

    You can read a few threads below on how autoprotect.sh may have caught some folks' web apps falsely, and the workarounds or improvements made to autoprotect.sh with the help of users' feedback and troubleshooting.
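As an added example (this is not Centmin Mod's tools/autoprotect.sh, whose exact output format is not shown on this page), the script below shows the mechanism described in the post above: walk a web root, find .htaccess files that deny all access, emit the equivalent nginx location blocks, and skip any directory that carries an .autoprotect-bypass marker. Magento 2 ships deny-all .htaccess files of this kind in directories such as app/ and var/, which is why a stock install trips the feature. The fixture directory layout, the "^~" prefix-match form of the generated blocks and the handling of a docroot-level deny are this example's own choices.

```shell
#!/bin/sh
# Added example: a minimal re-implementation of the autoprotect idea
# (.htaccess "deny from all" -> nginx "deny all" location) with the
# .autoprotect-bypass opt-out. Not Centmin Mod's own autoprotect.sh.

# Print one nginx location block per directory under $1 (the document root)
# whose .htaccess denies all access. Recognises Apache 2.2 "deny from all"
# and Apache 2.4 "Require all denied". A "^~" prefix location is used so the
# deny wins over any regex location (for example the PHP handler) in the vhost.
generate_deny_locations() {
  docroot=$1
  find "$docroot" -type f -name .htaccess | sort | while IFS= read -r ht; do
    dir=$(dirname "$ht")
    # Opt-out marker: the admin has reviewed this directory and wants it served.
    if [ -e "$dir/.autoprotect-bypass" ]; then
      continue
    fi
    if grep -Eiq '^[[:space:]]*(deny[[:space:]]+from[[:space:]]+all|require[[:space:]]+all[[:space:]]+denied)' "$ht"; then
      rel=${dir#"$docroot"}   # path relative to the docroot, e.g. /app/etc
      if [ -z "$rel" ]; then
        # A deny-all at the docroot itself would take the whole site offline;
        # report it instead of silently generating it.
        echo "warning: deny-all .htaccess at document root skipped" >&2
        continue
      fi
      printf 'location ^~ %s/ { deny all; }\n' "$rel"
    fi
  done
}

# Build a constructed fixture (the layout is invented for this demo).
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/app/etc" "$root/var/log" "$root/pub/media" "$root/lib/internal"
  printf 'Order deny,allow\nDeny from all\n' > "$root/app/etc/.htaccess"
  printf 'Require all denied\n'            > "$root/var/log/.htaccess"
  printf 'Options -Indexes\n'              > "$root/pub/media/.htaccess"   # not a deny
  printf 'deny from all\n'                 > "$root/lib/internal/.htaccess"
  : > "$root/lib/internal/.autoprotect-bypass"                            # opted out
  printf '%s\n' "$root"
}

# Demo run: generate the include for the fixture, then clean up.
# On a real host: generate_deny_locations /home/nginx/domains/example.com/public
DEMO_ROOT=$(make_fixture)
generate_deny_locations "$DEMO_ROOT"
rm -rf "$DEMO_ROOT"
```

For the fixture this emits blocks for /app/etc/ and /var/log/ only: pub/media has no deny directive and lib/internal is opted out by its marker file. The generated lines are meant to be written to a file that the vhost includes, which is what the autoprotect include line in the first post does.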
     
  4. eva2000

    eva2000 Administrator Staff Member

    Nginx 1.27.x
    MariaDB 10.x/11.4+
    For the SSL error:

    How was the initial letsencrypt SSL certificate obtained? Which method?
    • Was the domain nginx vhost already created prior, or was the domain nginx vhost site set up for the first time?
    • Via centmin.sh menu option 2, 22, or /usr/bin/nv?
    • If you ran centmin.sh menu option 2 or 22, which letsencrypt option did you select from
      Code (Text):
      -------------------------------------------------------------
      Setup full Nginx vhost + Wordpress + WP Plugins
      -------------------------------------------------------------
      
      Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com
      
      Create a self-signed SSL certificate Nginx vhost? [y/n]: n
      Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
      
      You have 4 options:
      1. issue staging test cert with HTTP + HTTPS
      2. issue staging test cert with HTTPS default
      3. issue live cert with HTTP + HTTPS
      4. issue live cert with HTTPS default
      Enter option number 1-4: 1
      
    • Via addons/acmetool.sh? Which specific command? Examples:
      Code (Text):
      ./acmetool.sh issue acme.domain.com
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com live
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com d
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com lived
      
    • What was the order of steps you did? Did you run centmin.sh menu option 2 first with letsencrypt? Then did you run addons/acmetool.sh afterwards?

    Centmin Mod Self-Signed SSL Fallback

    If you're seeing Centmin Mod's self-signed SSL certificate instead of the letsencrypt SSL certificate, then that's acmetool.sh's and centminmod's fallback: if letsencrypt verification fails to obtain a letsencrypt SSL cert, it falls back to the Centmin Mod self-signed SSL certificate on the https port 443 side so as to preserve the https nginx vhost.

    Troubleshooting

    There are various steps you can take to troubleshoot failed letsencrypt issuances, renews, reissues etc.
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run and post the contents of the log to pastebin.com or gist.github.com and share the link in this thread. To find the log, list the logs in ascending date order:
      Code (Text):
      ls -lahrt /root/centminlogs
    • For direct acmetool.sh runs, there should be a 2nd, 3rd and 4th log in the format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log and /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log, which would need to be included via a separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In the persistent config file at /etc/centminmod/custom_config.inc (create it if it doesn't exist), add and enable acmetool.sh debug mode, which gives much more verbose letsencrypt issuance process information when you re-run acmetool.sh or centmin.sh menu options 2, 22 or /usr/bin/nv command lines.
      Code (Text):
      ACMEDEBUG='y'
    If acme.sh auto renewals didn't happen, check the output of the following commands:
    Code (Text):
    grep acme /var/log/cron* | sed -e "s|$(hostname -s)|host|g"
    

    Code (Text):
    echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    

    Code (Text):
    echo | openssl s_client -connect yourdomain.com:443
    

    Without the answers to above questions and logs, there is nothing to help troubleshoot.

    SSLLabs Test

    Also run your HTTPS domain site through the SSLLabs tester at SSL Server Test (Powered by Qualys SSL Labs). If it says untrusted SSL cert and prompts to continue the test, continue the test.
     
  5. computer19852007

    computer19852007 Member

    Centmin Mod 1.2.3-eva2000.06
    MariaDB 5.5.34
    Thanks, but my Magento 2 shows error 500:

    Code:
    2018/06/18 11:53:15 [error] 25954#25954: *4077 access forbidden by rule, client: 149.28.130.xxx, server: domain.com, request: "POST /app/etc/config.php HTTP/1.1", host: "domain.com"
    Please help me
     
  6. eva2000

    eva2000 Administrator Staff Member

    Nginx 1.27.x
    MariaDB 10.x/11.4+
  7. computer19852007

    computer19852007 Member

    Centmin Mod 1.2.3-eva2000.06
    MariaDB 5.5.34