Cloudflare SSL Fails when using Cloudflare Full Strict

I just transferred my site to a new server. Setup the vhost with ssl signed certificate. I was using Full Strict with my domain through Cloudflare. I get a host error when using Full Strict. If I change to Full I can access my site just fine on the new server. I did find this error but don't know how to fix it.

Code (Text):

nginx -t
nginx: [warn] the "listen ... http2" directive is deprecated, use the "http2" directive instead in /usr/local/nginx/conf/conf.d/domain1.com.ssl.conf:17
nginx: [warn] the "listen ... http2" directive is deprecated, use the "http2" directive instead in /usr/local/nginx/conf/conf.d/domain2.com.ssl.conf:17
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

How do I fix the above error?

Thanks,
Itworx4me

---

 

Thank You. This fixed the above error

 

@eva2000 I am still not able to use Full Strict. Full works just fine. Do I just keep that setting?

Thanks,
Itworx4me

 

Full strict worked just fine on my old server. Using centmin beta.

 

I found that my hostname was set wrong. So I fixed the hostname. Now why would my host.domain.com goto the first vhost site I created? Shouldn't it go to the centmin tools page?

 

Here is my virtual.conf

Code (Text):

server {
            listen 80 default_server backlog=131070 reuseport;
            server_name host.my-domain-name.com;
            root   html;

        access_log              /var/log/nginx/localhost.access.log     combined buffer=256k flush=5m;
        #access_log              /var/log/nginx/localhost.access.json    main_json buffer=256k flush=5m;
        error_log               /var/log/nginx/localhost.error.log      error;

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

# limit_conn limit_per_ip 16;
# ssi  on;

        location /nginx_status {
        stub_status on;
        access_log   off;
        allow 127.0.0.1;
        #allow youripaddress;
        deny all;
        }

            location / {

# block common exploits, sql injections etc
#include /usr/local/nginx/conf/block.conf;

#Enables directory listings when index file not found
#autoindex  on;

#Shows file listing times as local time
#autoindex_localtime on;

# Wordpress Permalinks example
#try_files \$uri \$uri/ /index.php?q=\$uri&\$args;

            }

include /usr/local/nginx/conf/php.conf;
include /usr/local/nginx/conf/staticfiles.conf;
include /usr/local/nginx/conf/include_opcache.conf;

#include /usr/local/nginx/conf/phpstatus.conf;
include /usr/local/nginx/conf/drop.conf;
#include /usr/local/nginx/conf/errorpage.conf;
#include /usr/local/nginx/conf/vts_mainserver.conf;

       }

Code (Text):

 hostnamectl status
   Static hostname: host.my-domain-name.com
         Icon name: computer-server
           Chassis: server
        Machine ID: ************************
           Boot ID: *************************
  Operating System: Rocky Linux 8.9 (Green Obsidian)
       CPE OS Name: cpe:/o:rocky:rocky:8:GA
            Kernel: Linux 4.18.0-513.11.1.el8_9.x86_64
      Architecture: x86-64

To me it looks like everything is set correctly.

Thanks,
Itworx4me

 

Setup my test server tonight. Went through all the install process on the getting started guide. The same thing happened. The host addy pulls up a vhost account. Something fishy is going on...lol

 

Code (Text):

Server

curl -I https://insidepromod.com
HTTP/2 200
date: Fri, 02 Feb 2024 15:17:45 GMT
content-type: text/html; charset=utf-8
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
x-content-type-options: nosniff
last-modified: Fri, 02 Feb 2024 15:17:45 GMT
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: private, no-cache, max-age=0
vary: Accept-Encoding
set-cookie: xf_csrf=rPX1up0iADI_Xjkc; path=/; secure
x-powered-by: centminmod
x-xss-protection: 1; mode=block
cf-cache-status: DYNAMIC
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=kCQcReGwwLelw48Y9OzUMk14ISpxDfPPj%2F7Uzdu783Mj9C%2F1InUqBEbn%2F7hh7ojy1lOwqPmzXtHbOBDJMIEe8ffWjitrLaVprhE7R948kLen54XToTikzHAVsJOP8vn32eXx"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 84f3671dad1c4940-TPA
alt-svc: h3=":443"; ma=86400

curl -I https://www.insidepromod.com
HTTP/2 200
date: Fri, 02 Feb 2024 15:18:39 GMT
content-type: text/html; charset=utf-8
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
x-content-type-options: nosniff
last-modified: Fri, 02 Feb 2024 15:18:39 GMT
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: private, no-cache, max-age=0
vary: Accept-Encoding
set-cookie: xf_csrf=le8M5riHA1KDbpIS; path=/; secure
x-powered-by: centminmod
x-xss-protection: 1; mode=block
cf-cache-status: DYNAMIC
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=HGOmJ9Qkfa2bfKAiv06EaV%2FQnOpApUhRH2S5SmMfIaLGOef9mePJNmzQqEInVLKUOwvfJiQbpix3EG0WRFTpTpw%2Bw6GlrnMi3cBvINgqPFjOOqLRdf3VbIWVjxguDa%2BE7HDcLmW89g%3D%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 84f3687149524944-TPA
alt-svc: h3=":443"; ma=86400

curl -I http://insidepromod.com
HTTP/1.1 200 OK
Date: Fri, 02 Feb 2024 15:19:39 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
Last-Modified: Fri, 02 Feb 2024 15:19:39 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private, no-cache, max-age=0
Vary: Accept-Encoding
Set-Cookie: xf_csrf=9e5amZhxWA0W6k28; path=/
X-Powered-By: centminmod
X-Xss-Protection: 1; mode=block
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=4UfZtYGYP1MB9J1xyjCc0f5LVLAKAVQTkDz%2F%2BUBwC4jBSrvmEn%2F%2Btg6s%2BaPf%2BcP7ncnfSB5EwkCM0lOCsSTIYwt%2FqL93lw3sxlO1h%2BvagAnMwZtbuMWQ1nJG6FSr4LovRF1u"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 84f369e60e364948-TPA
alt-svc: h3=":443"; ma=86400

curl -I http://www.insidepromod.com
HTTP/1.1 200 OK
Date: Fri, 02 Feb 2024 15:20:14 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
Last-Modified: Fri, 02 Feb 2024 15:20:14 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private, no-cache, max-age=0
Vary: Accept-Encoding
Set-Cookie: xf_csrf=PTh9cQ3HmPLgh57a; path=/
X-Powered-By: centminmod
X-Xss-Protection: 1; mode=block
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=DYuMcPEMwgJPkIEaPPOriM5ZNu%2Bs9ClW%2FeewuoitMoRW0sXKPfnree9dZ9Z3OIbBwW0NNbGWFUQG9Q76IzNl7vYqArnpkbkCp9I7zfAGbvq35Y8CBvg0uAj7bMZ16MOwK5JmxVzV3w%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 84f36ac36967494c-TPA
alt-svc: h3=":443"; ma=86400

 

Code (Text):

Server

curl -I https://nitromater.com
HTTP/2 200
date: Fri, 02 Feb 2024 15:11:40 GMT
content-type: text/html; charset=utf-8
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
x-content-type-options: nosniff
last-modified: Fri, 02 Feb 2024 15:11:40 GMT
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: private, no-cache, max-age=0
vary: Accept-Encoding
set-cookie: xf_csrf=4EfWYxi86PRIoTop; path=/; secure
x-powered-by: centminmod
x-xss-protection: 1; mode=block
cf-cache-status: DYNAMIC
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=G4Wz2zRVQVCq9hfvNNlcwpZQrLt5b4GUvtOZOx76o31D60ApfoAOV1lvZB7WR8oeQ7TuOmE9GOc2aQOu9%2B0ixDwzOFRp5JAzmxmPR3RisYTOQ2WwWRZYdHBlyC%2FfVFT%2B"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 84f35e373e5d494c-TPA

curl -I https://www.nitromater.com
HTTP/2 200
date: Fri, 02 Feb 2024 15:13:54 GMT
content-type: text/html; charset=utf-8
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
x-content-type-options: nosniff
last-modified: Fri, 02 Feb 2024 15:13:54 GMT
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: private, no-cache, max-age=0
vary: Accept-Encoding
set-cookie: xf_csrf=Z0ENOxCUXfLwlFuJ; path=/; secure
x-powered-by: centminmod
x-xss-protection: 1; mode=block
cf-cache-status: DYNAMIC
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=51UoJQE7pomoEpLDI%2Bs6d1OXnKanwt67rwCBIlDaY1q142GVNY5rVyPFt44%2BgoMo6qyKb9neVvZEm71vrQXjZDVzC52KZuc18ydETfGv54sH2aaSmrMjzlgMwaHZy%2BlK6rNAlg%3D%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 84f36178df004942-TPA

curl -I http://nitromater.com
HTTP/1.1 200 OK
Date: Fri, 02 Feb 2024 15:14:43 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
Last-Modified: Fri, 02 Feb 2024 15:14:43 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private, no-cache, max-age=0
Vary: Accept-Encoding
Set-Cookie: xf_csrf=emA2NqWoN8zjGAUT; path=/
X-Powered-By: centminmod
X-Xss-Protection: 1; mode=block
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=HtE%2BHvQJ%2FF51h9bamMguemwZVJM2uzdvVfdZeIjhMyNSR0SvhRCpTT3%2BtfyZpktUQw5b7H9vzT9Wgp7Ntril3lLixj7JNPOcdJqOYqRusjq4Av8DSsiKiKXGbip3PGdz"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 84f362b01ea7494e-TPA

curl -I http://www.nitromater.com
HTTP/1.1 200 OK
Date: Fri, 02 Feb 2024 15:16:45 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
Last-Modified: Fri, 02 Feb 2024 15:16:45 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private, no-cache, max-age=0
Vary: Accept-Encoding
Set-Cookie: xf_csrf=tzo5ztmUOjq2aMNE; path=/
X-Powered-By: centminmod
X-Xss-Protection: 1; mode=block
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=90fqcAJfQ6k3ndGnuaEmc4k2mKnsm2r8EqgbnANpbeu9NPuvd5ZrMHjjT3O9ju2Wa5NC%2BKXaRFoqdLUfSqMfuWhK55wUKeFaJM9EdItZEuTuuaoakT%2FxVbkiWitkihqzQLOsDg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 84f365a82f31494c-TPA

 

I have found the issue as to why its happening but I have know idea why its happening.
When I have cloudflare set to SSL/TLS Full it pulls the vhost. If I change it to SSL/TLS Flexible the hostname.domain.com comes up like it should.

 

I have found the issue as to why its happening but I have know idea why its happening.
When I have cloudflare set to SSL/TLS Full it pulls the vhost. If I change it to SSL/TLS Flexible the hostname.domain.com comes up like it should.

 

@eva2000 what should I check next in order to fix this issue?

 

I am now getting users complaining that they can’t connect to our site using Mac and safari 16.3. They are getting a bad gateway message. Any ideas??