Learn about Centmin Mod LEMP Stack today
Register Now

Cloudflare Domains SSL More issues with Cloudflare

Discussion in 'Domains, DNS, Email & SSL Certificates' started by denellum, May 2, 2017.

  1. denellum

    denellum Member Premium Member

    79
    19
    8
    May 11, 2016
    Dallas
    Ratings:
    +24
    Local Time:
    10:21 PM
    1.11.10
    10.1.21
    Previously :
    https://community.centminmod.com/threads/cloudflare-centminmod.10399/
    I've learned to set up my domain in Cloudflare, use option 2 and select no for both SSL entries.
    Then I followed this guide :
    Migrating Existing Nginx Vhost From HTTP to HTTP/2 based HTTPS With Letsencrypt SSL Certificates

    • CentOS Version: CentOS 7 64bit
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: 1.13.0
    • PHP Version Installed: 7.0.18
    • MariaDB MySQL Version Installed: 10.1.22
    • When was last time updated Centmin Mod code base ? : Today
    Currently my domain is getting the following error :
    https://www.denellum.com

    Here are my .conf and .ssl.conf files :

    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    
    # redirect from non-www to www 
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    #server {
    #            listen   80;
    #            server_name denellum.com;
    #            return 301 https://www.denellum.com$request_uri;
    #       }
    
    server {
     
      server_name denellum.com www.denellum.com;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      #add_header X-Content-Type-Options "nosniff" always;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;  
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/denellum.com/log/access.log main_ext buffer=256k flush=60m;
      error_log /home/nginx/domains/denellum.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/denellum.com/autoprotect-denellum.com.conf;
      root /home/nginx/domains/denellum.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      # prevent access to ./directories and files
      #location ~ (?:^|/)\. {
      # deny all;
      #}  
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Enable for vBulletin usage WITHOUT vbSEO installed
      # More example Nginx vhost configurations at
      # http://centminmod.com/nginx_configure.html
      #try_files            $uri $uri/ /index.php;
    
      }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For HTTP/2 SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
     server {
       server_name denellum.com www.denellum.com;
        return 302 https://denellum.com$request_uri;
     }
    
    server {
      listen 443 ssl http2;
      server_name denellum.com www.denellum.com;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/denellum.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/denellum.com/denellum.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/denellum.com/denellum.com-acme.key;  
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # dual cert supported ssl ciphers
      ssl_ciphers     EECDH+CHACHA20-draft:EECDH+CHACHA20:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/denellum.com/denellum.com-acme.cer;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/denellum.com/log/access.log combined buffer=256k flush=60m;
      error_log /home/nginx/domains/denellum.com/log/error.log;
    
      root /home/nginx/domains/denellum.com/public;
    
      location / {
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Enable for vBulletin usage WITHOUT vbSEO installed
      # More example Nginx vhost configurations at
      # http://centminmod.com/nginx_configure.html
      #try_files    $uri $uri/ /index.php;
    
      }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    I've been beating my head against the wall with this, and for some reason it's just not wanting to work. :/ Any ideas?
     
  2. eva2000

    eva2000 Administrator Staff Member

    30,157
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,136
    Local Time:
    1:21 PM
    Nginx 1.13.x
    MariaDB 5.5
    you don't need to setup ssl on centmin mod side with cloudflare as they provide free ssl cert on their end for flexible ssl

    only need to setup ssl on centmin mod side if you select to use cloudflare full or full strict ssl

    if you backup denellum.com.ssl.conf vhost and then just temp remove it from /usr/local/nginx/conf/conf.d/denellum.com.ssl.conf and restart nginx, does site come back up ?
     
  3. denellum

    denellum Member Premium Member

    79
    19
    8
    May 11, 2016
    Dallas
    Ratings:
    +24
    Local Time:
    10:21 PM
    1.11.10
    10.1.21
    Same error after a nprestart
     
  4. denellum

    denellum Member Premium Member

    79
    19
    8
    May 11, 2016
    Dallas
    Ratings:
    +24
    Local Time:
    10:21 PM
    1.11.10
    10.1.21
    So, when i delete the whole vhost, and disable cloudflare DNS. And then go on to recreate it, it works perfectly.

    So disabling cloudflare seems to work.
     
  5. eva2000

    eva2000 Administrator Staff Member

    30,157
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,136
    Local Time:
    1:21 PM
    Nginx 1.13.x
    MariaDB 5.5
  6. denellum

    denellum Member Premium Member

    79
    19
    8
    May 11, 2016
    Dallas
    Ratings:
    +24
    Local Time:
    10:21 PM
    1.11.10
    10.1.21
    Yeah, because my other domain is working fine (from the other thread) still. And it's going through cloudflare.
     
  7. eva2000

    eva2000 Administrator Staff Member

    30,157
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,136
    Local Time:
    1:21 PM
    Nginx 1.13.x
    MariaDB 5.5
    this vhost doesn't have /usr/local/nginx/conf/cloudflare.conf include file like your other one though
     
    • Informative Informative x 1
  8. denellum

    denellum Member Premium Member

    79
    19
    8
    May 11, 2016
    Dallas
    Ratings:
    +24
    Local Time:
    10:21 PM
    1.11.10
    10.1.21
    Would i need to do it if i already have it here :
    /usr/local/nginx/conf/nginx.conf

    I was under the impression if it's there it works for all sites.
     
  9. denellum

    denellum Member Premium Member

    79
    19
    8
    May 11, 2016
    Dallas
    Ratings:
    +24
    Local Time:
    10:21 PM
    1.11.10
    10.1.21
    For another working domain (set up at the time of last post) i also don't have this option :

    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For HTTP/2 SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    # server {
    #   server_name itdb.ws www.itdb.ws;
    #    return 302 https://www.itdb.ws$request_uri;
    # }
    
    server {
      listen 443 ssl http2;
      server_name itdb.ws www.itdb.ws;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/itdb.ws/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/itdb.ws/itdb.ws-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/itdb.ws/itdb.ws-acme.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # dual cert supported ssl ciphers
      ssl_ciphers     EECDH+CHACHA20-draft:EECDH+CHACHA20:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/itdb.ws/itdb.ws-acme.cer;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/itdb.ws/log/access.log combined buffer=256k flush=60m;
      error_log /home/nginx/domains/itdb.ws/log/error.log;
    
      root /home/nginx/domains/itdb.ws/public;
    
      location / {
    ##WORDPRESS SHIT##
    try_files $uri $uri/ /index.php?$args;
    ##END WORDPRESS SHIT##
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Enable for vBulletin usage WITHOUT vbSEO installed
      # More example Nginx vhost configurations at
      # http://centminmod.com/nginx_configure.html
      #try_files    $uri $uri/ /index.php;
    
      }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    
     
  10. eva2000

    eva2000 Administrator Staff Member

    30,157
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,136
    Local Time:
    1:21 PM
    Nginx 1.13.x
    MariaDB 5.5
    if you have it in nginx.conf yes you can verify in access logs for site if the visitor real ip is seen

    other than that, not sure why it ain't working - doublecheck the ip is 100% correct sometimes you can be off by a value/digit heh