
SSL Cloudflare SSL Issues When Enabling Cloudflare's SSL/TLS in "Full" or "Full (Strict)" Mode

Discussion in 'Domains, DNS, Email & SSL Certificates' started by tommy2024, Aug 30, 2024.

  1. tommy2024

    tommy2024 New Member

    Hi Guys,

    I just tried out CMM and successfully set up a vhost for my website. However, when I tried to use a self-signed SSL certificate (paid SSL certificate from Namecheap.com) with Cloudflare's DNS, I was able to access the default hostname.domain.com (Centmin Mod Nginx Test Page) or any other Centmin tools pages, such as Memcached, etc., only when using Cloudflare's SSL/TLS in "Flexible" mode. If I change Cloudflare's SSL/TLS to "Full" or "Full (Strict)" mode, hostname.domain.com (Centmin Mod Nginx Test Page) or the other Centmin tools pages I type in are automatically redirected back to the vhost site (where my website is installed) instead.

    Here are all the basic steps I tried; could you have a look to see if I missed something:

    I) I used Digital Ocean with CentOS 9 Stream x64 (2 vCPUs, 4GB / 120GB disk) to install CMM

    II) Before setting up the "Add Nginx Vhost Domain" (Centmin Mod Menu - Step 2), I followed the instructions on this page to create an Nginx SPDY SSL vhost for self-signed SSL certificates (method 1):

    Nginx HTTP/2 & SPDY SSL Configuration - CentminMod.com LEMP Nginx web stack for CentOS, AlmaLinux, Rocky Linux

    - My domain was purchased on GoDaddy; I already transferred the nameservers to Cloudflare
    - My SSL was purchased from Namecheap.com (DV only, not a wildcard one)
    - I used the Digicert.com CSR wizard to generate an openssl command

    All the above steps went well, as even after I created my own self-signed SSL certificate, the "CSR Code" I entered on Namecheap for Domain Validation showed a "valid" status.

    After that, when setting up the Nginx Vhost Domain (Centmin Mod Menu - Step 2):

    Code:
    "Create a self-signed certificate Nginx host?"
    > I chose "y" (Yes) (not sure if it is correct to choose "Yes" again even though I had already created my own self-signed SSL certificate with a valid "CSR Code" before the host setup)

    Code:
    Get Letsencrypt SSL certificate Nginx host? 
    > I chose "n" (No).

    Then CMM displayed 4 options for me to choose how I want to issue the cert; I chose number (3), which was:

    "3. Issue live cert with HTTP + HTTPS (trusted)"

    And continued until the vhost was successfully created.


    Once everything was done, I successfully installed the Xenforo forum on the vhost I had just created, under the public folder (root).

    The "https" with a valid certificate has no issues at all for the Xenforo site in all of Cloudflare's SSL/TLS modes: "Flexible", "Full" or "Full (Strict)". The only issue is that if I change Cloudflare's SSL/TLS to "Full" or "Full (Strict)" mode, hostname.domain.com (Centmin Mod Nginx Test Page) or the other Centmin tools pages, such as Memcached, etc., when typed in the browser are automatically redirected back to the vhost site (Xenforo) instead, unless I change Cloudflare's SSL/TLS mode to "Flexible", which I would prefer not to do since I don't want the connection from Cloudflare to the origin server to be unencrypted (even though my Xenforo site still displays as "https" when I change to this option).

    Here is my virtual.conf file:

    Code:
    server {
                listen 80 default_server backlog=131070 reuseport;
                server_name turbosv;
                root   html;
    
            access_log              /var/log/nginx/localhost.access.log     combined buffer=256k flush=5m;
            #access_log              /var/log/nginx/localhost.access.json    main_json buffer=256k flush=5m;
            error_log               /var/log/nginx/localhost.error.log      error;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
    # limit_conn limit_per_ip 16;
    # ssi  on;
    
            location /nginx_status {
            stub_status on;
            access_log   off;
            allow 127.0.0.1;
            #allow youripaddress;
            deny all;
            }
    
                location / {
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
    #Enables directory listings when index file not found
    #autoindex  on;
    
    #Shows file listing times as local time
    #autoindex_localtime on;
    
    # Wordpress Permalinks example
    #try_files \$uri \$uri/ /index.php?q=\$uri&\$args;
                
                }
    
    include /usr/local/nginx/conf/php.conf;
    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/include_opcache.conf;
    
    #include /usr/local/nginx/conf/phpstatus.conf;
    include /usr/local/nginx/conf/drop.conf;
    #include /usr/local/nginx/conf/errorpage.conf;
    #include /usr/local/nginx/conf/vts_mainserver.conf;
    
           }
    I hope someone, or @eva2000, could spend some time looking at the above issues and advise if I did something wrong with the setup.

    Really appreciate your help!
    Thank you very much.
     
  2. tommy2024

    tommy2024 New Member

    Hello,

    Updating with something that you may ask about:

    (Note: mydomain.net >> sorry for hiding my real domain; this is for testing only, but the real domain was used)

    Code (Text):
    [root@turbosv ~]# curl -I https://mydomain.net
    HTTP/2 301
    date: Fri, 30 Aug 2024 13:39:59 GMT
    content-type: text/html; charset=utf-8
    location: https://mydomain.net/index.php
    x-frame-options: SAMEORIGIN
    x-content-type-options: nosniff
    x-content-type-options: nosniff
    last-modified: Fri, 30 Aug 2024 13:39:59 GMT
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: private, no-cache, max-age=0
    x-powered-by: centminmod
    x-xss-protection: 1; mode=block
    cf-cache-status: DYNAMIC
    report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2Z%2FD87dTHTyheJ7b%2FxaPsosFRZGiCafgrtdEe1Ajw42fmSTD0eOCSDk1cC0GxM7iILxP11aC1YVU1KdgzqQErZ8OK38Ob0YYxkIYKY7Lp4rQ54MCpCCdGh3Vg0dnjPQDw7M%3D"}],"group":"cf-nel","max_age":604800}
    nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    server: cloudflare
    cf-ray: 8bb530a60cc85647-SIN
    alt-svc: h3=":443"; ma=86400


    Code (Text):
    [root@turbosv ~]# curl -I https://www.mydomain.net
    HTTP/2 301
    date: Fri, 30 Aug 2024 13:45:09 GMT
    content-type: text/html; charset=utf-8
    location: https://www.mydomain.net/index.php
    x-frame-options: SAMEORIGIN
    x-content-type-options: nosniff
    x-content-type-options: nosniff
    last-modified: Fri, 30 Aug 2024 13:45:09 GMT
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: private, no-cache, max-age=0
    x-powered-by: centminmod
    x-xss-protection: 1; mode=block
    cf-cache-status: DYNAMIC
    report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RRgb2%2BzjD0fVZiTyWjBBWmfLAG0x38Zb86TNec%2FNLZ6FBmqbyUczy%2F6bnfDww0qghbpwtPuwl7vzgMiWmBAWaTnRRtsfkhBSOlwvOi0CiQw1Or4TyfQ26n4eMJhiTAGH0eTu%2FOmA"}],"group":"cf-nel","max_age":604800}
    nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    server: cloudflare
    cf-ray: 8bb53838da55604b-SIN
    alt-svc: h3=":443"; ma=86400
    


    Code (Text):
    [root@turbosv ~]# curl -I http://mydomain.net
    HTTP/1.1 301 Moved Permanently
    Date: Fri, 30 Aug 2024 13:46:58 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Fri, 30 Aug 2024 14:46:58 GMT
    Location: https://mydomain.net/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zeMdQqefFzbIHwLm0GPWjqPtOwYG2DcVBo%2FVRvlgYRLKPmdcEszZD0ZS%2BrvGISXfg1rIPu3HtBYW2QPgGtwtPf33m5AYesS%2FJMXj0pZ0jPjh2ewWT6wyfJy3RjT2jE7m%2FNA%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8bb53ae23dde81ea-SIN
    alt-svc: h3=":443"; ma=86400


    Code (Text):
    [root@turbosv ~]# curl -I http://www.mydomain.net
    HTTP/1.1 301 Moved Permanently
    Date: Fri, 30 Aug 2024 13:49:10 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Fri, 30 Aug 2024 14:49:10 GMT
    Location: https://www.mydomain.net/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=szKf04DknZhifksQGhr05OvlBKJQsiNhtuxdTIokYhTdIqJMFlczn7V%2BRvCJenxHgU3j408rObCqbq4o9so1t2qt7P1RGytjXZfpfin6bIxaLvj%2BJh81hg8UHl%2F5SiFOxyEBcngD"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8bb53e1f2d70ce32-SIN
    alt-svc: h3=":443"; ma=86400


    Thank you!
     
  3. eva2000

    eva2000 Administrator Staff Member

    If you disable the Cloudflare settings for Always Use HTTPS and auto redirect non-HTTPS to HTTPS with Cloudflare Full SSL mode, does it work?

    Is hostname.domain.com's domain.com the same domain as mydomain.net?

    What do the mydomain.net nginx vhost config files look like?

    When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via the /usr/bin/nv CLI command line, you will create the Nginx vhost files and directories. You will get the output path location where it creates the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self-signed SSL)
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)

    What is the output of these commands in SSH if you disable the Cloudflare settings for Always Use HTTPS and auto redirect non-HTTPS to HTTPS with Cloudflare Full SSL mode?
    Code (Text):
    curl -I https://domain.com
    

    Code (Text):
    curl -I https://www.domain.com
    

    Code (Text):
    curl -I http://domain.com
    

    Code (Text):
    curl -I http://www.domain.com
    

    Wrap output in CODE tags.
     
  4. tommy2024

    tommy2024 New Member

    Hi @eva2000 ,

    Thank you for your response :)

    My apologies, yes. It is the same domain. Let's say we use this one from now on: "mydomain.net"
    (as my real domain is also a .net domain).

    > I tried DISABLING both settings under Cloudflare's Edge Certificates:

    - Always Use HTTPS: Off
    - Automatic HTTPS Rewrites: Off

    while still keeping Cloudflare's SSL/TLS encryption mode in "Full" mode. Still the same: hostname.mydomain.net (Centmin Mod Nginx Test Page) or the other Centmin tools pages, such as Memcached, etc., when typed in the browser are automatically redirected back to the vhost site (Xenforo) instead.

    > Please see the contents of the mentioned file below:

    Code (Text):
    # Centmin Mod Getting Started Guide
    # must read https://centminmod.com/getstarted.html
    
    # redirect from non-www to www
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    #server {
    #            listen   80;
    #           
    #            server_name mydomain.net;
    #            return 301 $scheme://www.mydomain.net$request_uri;
    #       }
    
    server {
      listen   80;
     
      server_name mydomain.net www.mydomain.net;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()";
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/mydomain.net/log/access.log combined buffer=256k flush=5m;
      #access_log /home/nginx/domains/mydomain.net/log/access.json main_json buffer=256k flush=5m;
      error_log /home/nginx/domains/mydomain.net/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/mydomain.net/autoprotect-mydomain.net.conf;
      root /home/nginx/domains/mydomain.net/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      # prevent access to ./directories and files
      #location ~ (?:^|/)\. {
      # deny all;
      #}
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Wordpress Permalinks example
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      }
    
      include /usr/local/nginx/conf/php.conf;
     
      include /usr/local/nginx/conf/pre-staticfiles-local-mydomain.net.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    


    > Please see the contents of the mentioned file below:

    Code (Text):
    # Centmin Mod Getting Started Guide
    # must read https://centminmod.com/getstarted.html
    # For HTTP/2 SSL Setup
    # read https://centminmod.com/letsencrypt-freessl.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    # server {
    #       listen   80;
    #       
    #       server_name mydomain.net www.mydomain.net;
    #       return 302 https://$server_name$request_uri;
    # }
    
    server {
      listen 443 ssl;
      http2 on;
     
      server_name mydomain.net www.mydomain.net;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/mydomain.net/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/mydomain.net/mydomain.net.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/mydomain.net/mydomain.net.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/mydomain.net/origin.crt;
      #ssl_verify_client on;
     
     
     
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      #resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=10m;
      #resolver_timeout 10s;
      #ssl_stapling on;
      #ssl_stapling_verify on;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/mydomain.net/mydomain.net-trusted.crt;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/mydomain.net/log/access.log combined buffer=256k flush=5m;
      #access_log /home/nginx/domains/mydomain.net/log/access.json main_json buffer=256k flush=5m;
      error_log /home/nginx/domains/mydomain.net/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/mydomain.net/autoprotect-mydomain.net.conf;
      root /home/nginx/domains/mydomain.net/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      location / {
          
      try_files $uri $uri/ /index.php?$uri&$args;
      index index.php index.html;     
    
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Wordpress Permalinks example
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      }
     
    
    
    location ^~ /install/data/ {
        internal;
    }
    location ^~ /install/templates/ {
        internal;
    }
    location ^~ /internal_data/ {
        internal;
    }
    location ^~ /library/ { #legacy
        internal;
    }
    location ^~ /src/ {
        internal;
    }
    
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass    127.0.0.1:9000;
        fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include         fastcgi_params;
    }
    
     
    
      include /usr/local/nginx/conf/php.conf;
     
      include /usr/local/nginx/conf/pre-staticfiles-local-mydomain.net.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    


    Please see below:

    Code (Text):
    [11:16][root@turbosv ~]# curl -I https://mydomain.net
    HTTP/2 301
    date: Sat, 31 Aug 2024 11:37:16 GMT
    content-type: text/html; charset=utf-8
    location: https://mydomain.net/index.php
    x-frame-options: SAMEORIGIN
    x-content-type-options: nosniff
    x-content-type-options: nosniff
    last-modified: Sat, 31 Aug 2024 11:37:16 GMT
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: private, no-cache, max-age=0
    x-powered-by: centminmod
    x-xss-protection: 1; mode=block
    cf-cache-status: DYNAMIC
    report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jLjHrOLd6nSVmyWKlhiMnKpq4IbBPT55Yw05wrgTbuBvzKxhXLWegknwiXv3Y5Wc0OOZL%2BU%2FUOXsV0lyFMtY4SeTscD%2FnP0ymm8l6XiYeLYgmWOR44dBw60oZbStejlunWk%3D"}],"group":"cf-nel","max_age":604800}
    nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    server: cloudflare
    cf-ray: 8bbcba451dc29f7a-SIN
    alt-svc: h3=":443"; ma=86400
    
    You have new mail in /var/spool/mail/root


    Code (Text):
    [11:37][root@turbosv ~]# curl -I https://www.mydomain.net
    HTTP/2 301
    date: Sat, 31 Aug 2024 11:39:46 GMT
    content-type: text/html; charset=utf-8
    location: https://www.mydomain.net/index.php
    x-frame-options: SAMEORIGIN
    x-content-type-options: nosniff
    x-content-type-options: nosniff
    last-modified: Sat, 31 Aug 2024 11:39:46 GMT
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: private, no-cache, max-age=0
    x-powered-by: centminmod
    x-xss-protection: 1; mode=block
    cf-cache-status: DYNAMIC
    report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RVMTns4YKbGNopR42HRvicCpZwS4YFK3zvOLNXbsT5yRMumZfCICBUvpE11ap4lrKKcg7lWMB3m1trrXMHHa%2ByZKpLsKIbmhd2LmoRNQpud1JQYegaVkCfM%2F%2BxeLxC50OUf48L8E"}],"group":"cf-nel","max_age":604800}
    nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    server: cloudflare
    cf-ray: 8bbcbdeeaa049d08-SIN
    alt-svc: h3=":443"; ma=86400


    Code (Text):
    [11:39][root@turbosv ~]# curl -I http://mydomain.net
    HTTP/1.1 301 Moved Permanently
    Date: Sat, 31 Aug 2024 11:41:28 GMT
    Content-Type: text/html; charset=utf-8
    Connection: keep-alive
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    X-Content-Type-Options: nosniff
    Last-Modified: Sat, 31 Aug 2024 11:41:28 GMT
    Location: http://mydomain.net/index.php
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: private, no-cache, max-age=0
    X-Powered-By: centminmod
    X-Xss-Protection: 1; mode=block
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vXcy2jk3UsH3fgNDNcVHKskP7iWkWQ5Yx2BIE3b5KoIVRRCljHHf%2B3h7t5YSC8CAldLIEFQrR%2FXO0HViUVYkdUudChlY5Z%2BSB2LAgDZEjIRP1%2FDGF7POFjwap8amX1b3F1o%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8bbcc069dfdfa8f7-SIN
    alt-svc: h3=":443"; ma=86400


    Code (Text):
    [11:41][root@turbosv ~]# curl -I http://www.mydomain.net
    HTTP/1.1 301 Moved Permanently
    Date: Sat, 31 Aug 2024 11:45:48 GMT
    Content-Type: text/html; charset=utf-8
    Connection: keep-alive
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    X-Content-Type-Options: nosniff
    Last-Modified: Sat, 31 Aug 2024 11:45:48 GMT
    Location: http://www.mydomain.net/index.php
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: private, no-cache, max-age=0
    X-Powered-By: centminmod
    X-Xss-Protection: 1; mode=block
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WeewJg1ROqo%2Fw9SijGw27NTxcxMhDrVG9y5TPIe56OgQIvAVYSNYaU1JRevWucs1m7Siz%2FWGfLoD32YVlUN2ZdZW7BQkn2yUTWXGCq9dgtdz4xuxoBQqj1AJ4JRAN6MtX5qVOee%2F"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8bbcc6c4acd99b9d-SIN
    alt-svc: h3=":443"; ma=86400


    Lastly, these are the "virtual.conf" file contents after I changed the settings you advised above; just pasting it here in case you need it:

    Code (Text):
    server {
                listen 80 default_server backlog=131070 reuseport;
                server_name turbosv;
                root   html;
    
            access_log              /var/log/nginx/localhost.access.log     combined buffer=256k flush=5m;
            #access_log              /var/log/nginx/localhost.access.json    main_json buffer=256k flush=5m;
            error_log               /var/log/nginx/localhost.error.log      error;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
    # limit_conn limit_per_ip 16;
    # ssi  on;
    
            location /nginx_status {
            stub_status on;
            access_log   off;
            allow 127.0.0.1;
            #allow youripaddress;
            deny all;
            }
    
                location / {
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
    #Enables directory listings when index file not found
    #autoindex  on;
    
    #Shows file listing times as local time
    #autoindex_localtime on;
    
    # Wordpress Permalinks example
    #try_files \$uri \$uri/ /index.php?q=\$uri&\$args;
                
                }
    
    include /usr/local/nginx/conf/php.conf;
    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/include_opcache.conf;
    
    #include /usr/local/nginx/conf/phpstatus.conf;
    include /usr/local/nginx/conf/drop.conf;
    #include /usr/local/nginx/conf/errorpage.conf;
    #include /usr/local/nginx/conf/vts_mainserver.conf;
    
           }


    Really appreciate your help!
    Have a nice weekend.
     
  5. eva2000

    eva2000 Administrator Staff Member

    Make sure virtual.conf's main hostname server_name isn't the same as any added nginx vhost site's domain name, as per Getting Started Guide step 1; the main hostname needs to be unique.

    You can check via a recursive grep filter of your domain name in the vhost directory at /usr/local/nginx/conf/conf.d
    Code (Text):
    grep -rnw 'yourdomain.com' /usr/local/nginx/conf/conf.d
    

    Also check that DNS is correct; use dig to check DNS for the domain
    Code (Text):
    dig +short A @8.8.8.8 yourdomain.com
    dig +short A @8.8.8.8 www.yourdomain.com
    dig +short A @8.8.8.8 hostname.yourdomain.com
    

    Check HTTP headers via curl for both HTTP (and HTTPS if you have HTTPS/SSL)
    Code (Text):
    curl -I http://yourdomain.com
    curl -I http://www.yourdomain.com
    curl -I https://yourdomain.com
    curl -I https://www.yourdomain.com
    curl -I http://hostname.yourdomain.com
    

    In your case, what is the output for virtual.conf's main hostname server_name:
    Code (Text):
    curl -I http://hostname.yourdomain.com
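As an added example (not code from the thread or from Centmin Mod), this POSIX shell script automates the server_name collision check above and adds a second check: which listen ports have no default_server, since nginx answers a hostname it cannot match on a port with the first server block parsed for that port, and Cloudflare's Full modes reach the origin on 443 while Flexible reaches it on 80. The directory layout, file names and the turbosv/mydomain.net sample files are constructed to mirror the thread.

```shell
#!/bin/sh
# Added example, not Centmin Mod's own tooling: audit an nginx vhost directory for
# two reasons one hostname can be answered by another site's server block.
#   1. The same server_name declared by more than one site (a site's .conf and
#      .ssl.conf are counted as one site).
#   2. A listen port with no server block marked default_server: nginx then uses
#      the first server block parsed for that port for every unmatched hostname.
# Assumes conf files are included in sorted filename order and parses only the
# "listen" and "server_name" directives; comments are stripped first.

# site_of FILE -> site label; mydomain.net.conf and mydomain.net.ssl.conf are one site
site_of() {
  b=$(basename "$1")
  b=${b%.ssl.conf}
  b=${b%.conf}
  printf '%s\n' "$b"
}

# directive_lines FILE NAME -> value part of each uncommented "NAME ...;" line,
# whitespace runs collapsed to one space
directive_lines() {
  sed -e 's/#.*//' "$1" \
    | grep -E "^[[:space:]]*$2[[:space:]]" \
    | sed -e "s/^[[:space:]]*$2[[:space:]]*//" -e 's/;.*//' \
          -e 's/[[:space:]][[:space:]]*/ /g' -e 's/ $//'
}

# duplicate_names DIR -> server_names declared by more than one site, one per line
duplicate_names() {
  for f in "$1"/*.conf; do
    site=$(site_of "$f")
    directive_lines "$f" server_name | tr ' ' '\n' | grep -v '^$' \
      | while read -r n; do printf '%s\t%s\n' "$n" "$site"; done
  done | sort -u | cut -f1 | sort | uniq -d
}

# listen_ports DIR -> "port<TAB>default|nodefault<TAB>file" per listen directive,
# in the order nginx would parse them
listen_ports() {
  for f in "$1"/*.conf; do
    directive_lines "$f" listen | while read -r line; do
      port=${line%% *}      # first token: 80, 443 or [::]:443
      port=${port##*:}      # keep the port number only
      case " $line " in
        *" default_server "*) flag=default ;;
        *)                    flag=nodefault ;;
      esac
      printf '%s\t%s\t%s\n' "$port" "$flag" "$(basename "$f")"
    done
  done
}

# ports_without_default DIR -> "port<TAB>file" for every port lacking default_server,
# where file holds the server block nginx will use for unmatched hostnames
ports_without_default() {
  listen_ports "$1" | awk -F'\t' '
    !($1 in first)  { order[++n] = $1; first[$1] = $3 }
    $2 == "default" { hasdef[$1] = 1 }
    END { for (i = 1; i <= n; i++) if (!(order[i] in hasdef))
            printf "%s\t%s\n", order[i], first[order[i]] }'
}

# make_sample DIR -> constructed three-file layout mirroring the thread: the main
# hostname vhost on port 80 only, plus one site's HTTP and HTTPS vhosts
make_sample() {
  mkdir -p "$1"
  cat > "$1/virtual.conf" <<'EOF'
server {
    listen 80 default_server backlog=131070 reuseport;
    server_name turbosv;   # main hostname, unique as the Getting Started Guide asks
}
EOF
  cat > "$1/mydomain.net.conf" <<'EOF'
server {
  listen   80;
  server_name mydomain.net www.mydomain.net;
}
EOF
  cat > "$1/mydomain.net.ssl.conf" <<'EOF'
server {
  listen 443 ssl;
  server_name mydomain.net www.mydomain.net;
}
EOF
}

# Stand-alone run against the constructed sample; point the two audit functions at
# the directory holding virtual.conf and the vhost files to check a real server.
sample=$(mktemp -d); make_sample "$sample"
echo "server_names declared by more than one site:"; duplicate_names "$sample"
echo "ports with no default_server (port, implicit default file):"; ports_without_default "$sample"
rm -rf "$sample"
```

On the sample the first check prints nothing and the second prints 443 with mydomain.net.ssl.conf, which is the server block that would answer an HTTPS request for any other hostname on that port.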
     
  6. tommy2024

    tommy2024 New Member

    Hi @eva2000 ,

    Thank you for your reply, but I still could not fix the issue even after doing all the steps you advised above :(.

    I am about to delete everything and set up a new server to run Centminmod (ver 140.00beta01) to ensure I will not miss any important steps, especially those related to SSL. Before doing that, could you help clarify some of the following:

    As mentioned above:
    - My domain was purchased on GoDaddy; I already transferred the nameservers to Cloudflare
    - My SSL was purchased from Namecheap.com (DV only, not a wildcard one)

    Once the new Centminmod (ver 140.00beta01) is installed, when creating the new vhost, I want to create my own self-signed SSL certificate and notice that there is a question while adding a new vhost:

    >> After a few tests I found that when I chose "y" (yes) to create my own self-signed certificate Nginx host, by default CMM automatically generated all of the following 4 files under this path: /usr/local/nginx/conf/ssl/mydomain.com (let's say mydomain.com is the domain I am installing)

    Then, after those files are created by CMM >> should I just open and copy the contents of the file "mydomain.com.csr" to paste directly into the Namecheap SSL (CSR input) as in the image below?

    [image: namecheap-csr.png]

    Will the default CSR work with Cloudflare SSL's "Full"/ "Full (Strict)" mode if validated by Namecheap?

    The reason I am asking is that I also saw some other instructions here to generate a CSR file (OpenSSL CSR) and also "Creating your own self signed SSL certificate" instead (method 1):

    Nginx HTTP/2 & SPDY SSL Configuration - CentminMod.com LEMP Nginx web stack for CentOS, AlmaLinux, Rocky Linux

    [image: namecheap-ssl.png]

    This made me confused: if by default CMM already automatically generates the CSR while creating my own self-signed SSL certificate when adding a new vhost, should I use that default generated CSR file's contents to provide to Namecheap for SSL validation, or do I have to follow the above-mentioned article to generate an OpenSSL CSR to provide to Namecheap instead?

    Really appreciate your help in advance :).
     
  7. eva2000

    eva2000 Administrator Staff Member

    To simplify the setup if behind Cloudflare, you do not need a paid Namecheap DV SSL certificate to use Cloudflare Full SSL.

    If your Centmin Mod Nginx domain is behind a Cloudflare orange cloud enabled proxy and you have Cloudflare Full or Full (Strict) SSL mode enabled, it's recommended you use the Cloudflare DNS API domain validation method for issuing free Letsencrypt SSL certificates on your Centmin Mod Nginx origin server side. This way you can ensure every website domain and subdomain you add has its own free Letsencrypt SSL certificate automatically issued and configured in Nginx: Nginx Vhost & NSD DNS Setup - CentminMod.com LEMP Nginx web stack for CentOS, AlmaLinux, Rocky Linux

    Yes, you can use the Centmin Mod Nginx generated self-signed SSL certificate's CSR, but you have to also use its paired private key that is generated, and NOT select the Letsencrypt SSL options when creating the Nginx vhost site. Again, for the best trouble-free setup, use the Letsencrypt option via the Cloudflare DNS API domain validation method instead of Namecheap's DV SSL certificate: Letsencrypt Free SSL Certificates Integration For Centmin Mod LEMP Stack. Paid SSL certificates are no longer needed.