
Let's Encrypt SSL for a subdomain — issues...

Discussion in 'Domains, DNS, Email & SSL Certificates' started by externalflaw, May 8, 2017.

  1. externalflaw

    externalflaw New Member

    Hello everyone,

    Someone asked me to migrate a project from a shared hosting site to a VPS. I said yes, since I have done a few migrations already, but I am currently struggling and really stuck.

    What I want to accomplish:

    project.com -> Main site, blog, stories
    forum.project.com -> forums (Software used: IPB)

    Both with SSL (Let's Encrypt). project.com works without issues so far, but forum.project.com won't work.

    Domain is at godaddy and the settings are:

    Code:
    Type: A | Name: @ | Value: VPS IP
    Type: CNAME | Name: forum | Value: @
    
    No other nameserver in between, such as Cloudflare; I am using the GoDaddy nameservers here.

    I have removed the forum vhost for now, since I want to start over fresh on this.

    I also noticed that when I try to reach forum.project.com, it seems to serve me the default nginx page (/usr/local/nginx/html/index.html) instead.

    I don't know what is needed, but I will provide the config files first, if more is needed, let me know.

    Code:
    /etc/hosts
    
    # NOTE(review): the VPS hostname is mapped to both the public IP and
    # 127.0.0.1; which address a local lookup returns first depends on the
    # resolver order — confirm this is intentional.
    XXX.XXX.XXX.XXX vpsxxxxxx.vps    vpsxxxx
    127.0.0.1       localhost
    127.0.0.1       vpsxxxxxx.vps    vpsxxxx
    # Static entries: commands run ON the VPS (curl, wget, PHP) resolve
    # these names to the VPS regardless of public DNS. They do not affect
    # acmetool.sh's DNS A-record check (shown later in this post) or
    # Let's Encrypt's validation, both of which use public DNS — so a local
    # test can succeed while the public record is still wrong.
    XXX.XXX.XXX.XXX project.com
    XXX.XXX.XXX.XXX forum.project.com
    
    Code:
    project.com.ssl.conf
    
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For SPDY SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
     # Plain-HTTP listener: everything for these names on :80 is sent to HTTPS.
     # $server_name expands to the FIRST entry of server_name (project.com), so
     # www.project.com is redirected to the bare domain as well. Keep 302 until
     # the HTTPS vhost is confirmed working, then switch to 301 (browsers cache
     # 301s, so a wrong one is hard to undo).
     server {
           listen   80;
           server_name project.com www.project.com;
           # ACME HTTP-01 requests (/.well-known/acme-challenge/...) are also
           # redirected; Let's Encrypt follows redirects, so this works provided
           # the HTTPS vhost serves the same webroot — check the acmetool.sh
           # logs if issuance fails.
           return 302 https://$server_name$request_uri;
     }
    
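    # HTTPS vhost for project.com (Centmin Mod template).
    # Only code change from the pasted version: the ssl_ciphers value had been
    # split by a run of whitespace between "!EXP:" and "!PSK:", which nginx
    # rejects as "invalid number of arguments"; it is a single argument again.
    server {
      listen 443 ssl http2;
      server_name project.com www.project.com;

      # Centmin-generated file holding ssl_certificate / ssl_certificate_key
      # (and presumably ssl_trusted_certificate, which ssl_stapling_verify below
      # needs — confirm if "ssl_stapling ignored" shows up in error.log).
      include /usr/local/nginx/conf/ssl/project.com/project.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;

      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      # ECDHE-only suites (forward secrecy); RC4, 3DES, MD5, EXPORT and anonymous
      # suites excluded. "EECDH+CHACHA20-draft" is the pre-RFC ChaCha20 alias and
      # is ignored by OpenSSL builds that do not know it.
      ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;

      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      # HSTS with includeSubdomains on the apex also pins forum.project.com (and
      # every other subdomain) to HTTPS for a year in visitors' browsers. Leave
      # it commented until every subdomain serves a valid, publicly trusted cert;
      # a self-signed fallback on the forum would otherwise lock users out.
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      # With no ssl_session_ticket_key set, nginx uses a random key generated at
      # startup, so forward secrecy for resumed sessions is bounded by nginx's
      # uptime — restart periodically or configure a rotated key file.
      ssl_session_tickets on;

      # enable ocsp stapling
      # OCSP responder lookups go to Google's public resolvers over plain UDP;
      # use a local/trusted resolver if that is a concern.
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;

    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;

      # limit_conn limit_per_ip 16;
      # ssi  on;

      access_log /home/nginx/domains/project.com/log/access.log main_ext buffer=256k flush=60m;
      error_log /home/nginx/domains/project.com/log/error.log;

      include /usr/local/nginx/conf/autoprotect/project.com/autoprotect-project.com.conf;
      root /home/nginx/domains/project.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;

      # prevent access to ./directories and files
      # Commented out here; dotfile denial is presumably handled by the
      # drop.conf include at the bottom — verify with a request such as
      # /.git/HEAD before relying on it.
      #location ~ (?:^|/)\. {
      # deny all;
      #}

      location / {
      include /usr/local/nginx/conf/503include-only.conf;

    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;

      # Enables directory listings when index file not found
      #autoindex  on;

      # Shows file listing times as local time
      #autoindex_localtime on;

      # Enable for vBulletin usage WITHOUT vbSEO installed
      # More example Nginx vhost configurations at
      # http://centminmod.com/nginx_configure.html
      #try_files    $uri $uri/ /index.php;

      }

      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }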
    
    When I try to generate a new vhost with Let's Encrypt, I get:

    Code:
    forum.project.com is not a top level domain
    your server IP address: XXX.XXX.XXX.XXX
    current DNS A record IP address for forum.project.com is: project.com.
    XXX.XXX.XXX.XXX
    
    !! Error: DNS A record IP doesn't match any found on this server
    
    I also tried certbot (yum -y install certbot); generating a certificate that way seemed to work?!

    So, what I am doing wrong here?

    I think I am missing the forest for the trees here...

    PS: I am using centmin mod beta 123.09beta01

    PPS: Would it be hard to add Cloudflare as well? I am asking especially about the nginx setup.

    Thanks for your help.

    Much appreciated
     
  2. eva2000

    eva2000 Administrator Staff Member

    What do your /usr/local/nginx/conf/conf.d/virtual.conf and /usr/local/nginx/conf/conf.d/yourdomain.com.conf contents look like? Make sure the main hostname's server_name in virtual.conf is not the same as any added nginx vhost site's domain name, as per Getting Started Guide step 1: the main hostname needs to be unique.
     
  3. eva2000

    eva2000 Administrator Staff Member

    How was the initial letsencrypt ssl certificate obtained ? Which method ?
    • Was the domain's nginx vhost already created beforehand, or was a new domain nginx vhost site set up for the first time?
    • Via centmin.sh menu option 2, 22, /usr/bin/nv ?
    • If you ran centmin.sh menu option 2 or 22, which letsencrypt option did you select from
      Code (Text):
      -------------------------------------------------------------
      Setup full Nginx vhost + Wordpress + WP Plugins
      -------------------------------------------------------------
      
      Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com
      
      Create a self-signed SSL certificate Nginx vhost? [y/n]: n
      Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
      
      You have 4 options:
      1. issue staging test cert with HTTP + HTTPS
      2. issue staging test cert with HTTPS default
      3. issue live cert with HTTP + HTTPS
      4. issue live cert with HTTPS default
      Enter option number 1-4: 1
      
    • Via addons/acmetool.sh ? which specific command ? examples
      Code (Text):
      ./acmetool.sh issue acme.domain.com
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com live
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com d
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com lived
      
    • What was order of steps you did ? Did you run centmin.sh menu option 2 first with letsencrypt ? Then did you run addons/acmetool.sh afterwards ?

    Troubleshooting



    There are various steps you can do to troubleshoot failed letsencrypt issuances, renews, reissues etc.
    • acmetool.sh logs all command-line or shell-menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log for that run, post it to pastebin.com or gist.github.com and share the link in this thread. To find the log, list the logs in ascending date order:
      Code (Text):
      ls -lahrt /root/centminlogs
      .
    • For direct acmetool.sh runs, there should be a 2nd & 3rd & 4th log in format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log and /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log which would need to be included via separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In the persistent config file /etc/centminmod/custom_config.inc (create it if it doesn't exist), add the line below; this gives much more verbose Let's Encrypt issuance output when you re-run acmetool.sh, centmin.sh menu options 2 or 22, or the /usr/bin/nv command line.
      Code (Text):
      ACMEDEBUG='y'
    Without the answers to above questions and logs, there is nothing to help troubleshoot.
     
  4. externalflaw

    externalflaw New Member

    Code:
    virtual.conf
    
    # Main-hostname / catch-all vhost (Centmin Mod virtual.conf), plain HTTP only.
    # default_server: any request whose Host header matches no other vhost —
    # e.g. forum.project.com before its own vhost exists, or a request to the
    # bare IP — is answered here with the stock page under html/. That is the
    # "default nginx index.html" behaviour described at the top of this thread.
    server {
                listen 80 default_server backlog=2048 reuseport;
                server_name vpsxxx.vps;
                root   html;

            access_log              /var/log/nginx/localhost.access.log     main_ext buffer=256k flush=5m;
            error_log               /var/log/nginx/localhost.error.log      error;

    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;

    # limit_conn limit_per_ip 16;
    # ssi  on;

            # stub_status is loopback-only; uncomment "allow" with your own IP if
            # you need it remotely, and keep "deny all" last.
            location /nginx_status {
            stub_status on;
            access_log   off;
            allow 127.0.0.1;
            #allow youripaddress;
            deny all;
            }

                location / {

    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;

    #               Enables directory listings when index file not found
    #               autoindex  on;

    #               Shows file listing times as local time
    #               autoindex_localtime on;

    #               Enable for vBulletin usage WITHOUT vbSEO installed
    #               try_files               $uri $uri/ /index.php;

                }

    # NOTE(review): phpMyAdmin is included on the catch-all vhost, so it is
    # reachable over plain HTTP via ANY hostname (or the bare IP) that points at
    # this server. Presumably phpmyadmin.conf restricts access itself — confirm,
    # or move it behind the HTTPS vhost.
    include /usr/local/nginx/conf/phpmyadmin.conf;
    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/include_opcache.conf;
    include /usr/local/nginx/conf/php.conf;
    #include /usr/local/nginx/conf/phpstatus.conf;
    include /usr/local/nginx/conf/drop.conf;
    #include /usr/local/nginx/conf/errorpage.conf;
    #include /usr/local/nginx/conf/vts_mainserver.conf;

               }
    
    /usr/local/nginx/conf/conf.d/yourdomain.com.conf is renamed to /usr/local/nginx/conf/conf.d/yourdomain.com.conf-disabled

    but if you still need it:

    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    
    # redirect from non-www to www
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    #server {
    #            listen   80;
    #            server_name project.com;
    #            return 301 $scheme://www.project.com$request_uri;
    #       }
    
    # Original plain-HTTP vhost for project.com, now renamed *.conf-disabled.
    # No "listen" directive: nginx then defaults to *:80 (when started as root),
    # which is the same port and names as the redirect server in
    # project.com.ssl.conf. Re-enabling this file alongside it would produce a
    # "conflicting server name" warning and one of the two would be ignored —
    # so keep it disabled once HTTPS is canonical.
    server {

      server_name project.com www.project.com;

    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;

      #add_header X-Content-Type-Options "nosniff" always;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;

      # limit_conn limit_per_ip 16;
      # ssi  on;

      access_log /home/nginx/domains/project.com/log/access.log main_ext buffer=256k flush=60m;
      error_log /home/nginx/domains/project.com/log/error.log;

      include /usr/local/nginx/conf/autoprotect/project.com/autoprotect-project.com.conf;
      root /home/nginx/domains/project.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;

      # prevent access to ./directories and files
      #location ~ (?:^|/)\. {
      # deny all;
      #}

      location / {
      include /usr/local/nginx/conf/503include-only.conf;

    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;

      # Enables directory listings when index file not found
      #autoindex  on;

      # Shows file listing times as local time
      #autoindex_localtime on;

      # Enable for vBulletin usage WITHOUT vbSEO installed
      # More example Nginx vhost configurations at
      # http://centminmod.com/nginx_configure.html
      #try_files            $uri $uri/ /index.php;

      }

      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
         
    The server_name is unique; it is set to the VPS hostname.
     
  5. eva2000

    eva2000 Administrator Staff Member

    Those look fine.

    You'd land on the main (default_server) vhost if you don't have both a valid DNS A record for forum.project.com and an nginx vhost set up for forum.project.com, i.e. via centmin.sh menu option 2, 22 or the nv command — nginx answers any unmatched hostname with the default vhost.

    Also use https://www.whatsmydns.net/ to double check your DNS A records for forum.project.com
     
  6. externalflaw

    externalflaw New Member

    Certificate was obtained via:

    Code:
    3. issue live cert with HTTP + HTTPS
    
    whatsmydns:

    A record: VPS IP
    CNAME: project.com
     
  7. eva2000

    eva2000 Administrator Staff Member

    You should have DNS A records for both
    • project.com to server IP
    • forum.project.com to server IP
    You mean you have forum.project.com as a CNAME to project.com? My Let's Encrypt pre-check looks for a DNS A record, not a CNAME, for forum.project.com, which is probably why it fails. (The CNAME itself resolves fine for Let's Encrypt's own validation; the A-record requirement is only acmetool.sh's sanity check.)
     
  8. externalflaw

    externalflaw New Member

    Alright, adding it as a A Record and trying again, thanks so far!
     
  9. externalflaw

    externalflaw New Member

    I used option 2 from the centmin menu, then "y" at the Let's Encrypt prompt and then option 3 (3. issue live cert with HTTP + HTTPS). This is what I get:

    Code:
    nginx: [emerg] SSL_CTX_load_verify_locations("/usr/local/nginx/conf/ssl/forum.project.com/forum.project.com-trusted.crt") failed (SSL: error:02FFF002:system library:func(4095):No such file or directory:fopen('/usr/local/nginx/conf/ssl/forum.project.com/forum.project.com-trusted.crt', 'r') error:20FFF080:BIO routines:CRYPTO_internal:no such file error:0BFFF002:x509 certificate routines:CRYPTO_internal:system lib)
    
    The whole process went through with no errors; the only problem is when I try to start nginx.

    I renamed forum.project.conf to forum.project.conf-disabled; this is the config for forum.project.ssl.conf now:

    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For SPDY SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
     # Plain-HTTP listener for the forum: redirect to HTTPS. $server_name is the
     # FIRST server_name entry, so www.forum.project.com also ends up on
     # https://forum.project.com. Note the GoDaddy records at the top of this
     # thread only define "@" and "forum", so www.forum.project.com has no DNS
     # record at all — harmless here, but the cert does not need to cover it.
     server {
           listen   80;
           server_name forum.project.com www.forum.project.com;
           return 302 https://$server_name$request_uri;
     }
    
    # HTTPS vhost for forum.project.com as generated by centmin.sh option 2.
    server {
      listen 443 ssl http2;
      server_name forum.project.com www.forum.project.com;

      ssl_dhparam /usr/local/nginx/conf/ssl/forum.project.com/dhparam.pem;
      # The .crt/.key pair here appear to be Centmin's self-signed fallback
      # certificate (per the reply further down); a successful Let's Encrypt
      # issue writes -acme.cer / -acme.key instead.
      ssl_certificate      /usr/local/nginx/conf/ssl/forum.project.com/forum.project.com.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/forum.project.com/forum.project.com.key;
      include /usr/local/nginx/conf/ssl_include.conf;

      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;

      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;

      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      # NOTE(review): this is the file the nginx [emerg] in this post cannot open.
      # With ssl_stapling_verify on, nginx loads the trusted chain at startup, so
      # a missing file is fatal for the WHOLE config, not just this vhost. Until
      # the chain file actually exists, either comment out this line together
      # with ssl_stapling_verify, or point it at the chain that was issued.
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/forum.project.com/forum.project.com-trusted.crt;

    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;

      # limit_conn limit_per_ip 16;
      # ssi  on;

      access_log /home/nginx/domains/forum.project.com/log/access.log main_ext buffer=256k flush=60m;
      error_log /home/nginx/domains/forum.project.com/log/error.log;

      include /usr/local/nginx/conf/autoprotect/forum.project.com/autoprotect-forum.project.com.conf;
      root /home/nginx/domains/forum.project.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;

      # prevent access to ./directories and files
      #location ~ (?:^|/)\. {
      # deny all;
      #}

      location / {
      include /usr/local/nginx/conf/503include-only.conf;

    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;

      # Enables directory listings when index file not found
      #autoindex  on;

      # Shows file listing times as local time
      #autoindex_localtime on;

      # Enable for vBulletin usage WITHOUT vbSEO installed
      # More example Nginx vhost configurations at
      # http://centminmod.com/nginx_configure.html
      #try_files    $uri $uri/ /index.php;

      }

      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    
    Edit: Fixed!

    Followed the migration guide https://centminmod.com/migrating-to-https.html, working now for both project.com and forum.project.com, both having SSL :)
     
    Last edited: May 8, 2017
  10. eva2000

    eva2000 Administrator Staff Member

    It looks like you're seeing the self-signed SSL cert details. That could be because the DNS A record update for forum.project.com hasn't fully propagated yet — you can check the forum.project.com A record via https://www.whatsmydns.net/
    Code (Text):
      ssl_certificate      /usr/local/nginx/conf/ssl/forum.project.com/forum.project.com.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/forum.project.com/forum.project.com.key;
    
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/forum.project.com/forum.project.com-trusted.crt;
    


    Centmin Mod Self-Signed SSL Fallback



    If you're seeing Centmin Mod's self-signed SSL certificate instead of a Let's Encrypt certificate, that is the acmetool.sh / Centmin Mod fallback: when Let's Encrypt verification fails to obtain a certificate, it falls back to a Centmin Mod self-signed certificate on the HTTPS port 443 side so the HTTPS nginx vhost is preserved. Keep in mind that the fallback is not publicly trusted — browsers will warn on it — so treat it as a placeholder until the real issuance succeeds. You can confirm which certificate nginx is actually serving with `openssl s_client -connect forum.project.com:443 -servername forum.project.com`.

    Troubleshooting



    There are various steps you can do to troubleshoot failed letsencrypt issuances, renews, reissues etc.
    • acmetool.sh logs all command-line or shell-menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log for that run, post it to pastebin.com or gist.github.com and share the link in this thread. To find the log, list the logs in ascending date order:
      Code (Text):
      ls -lahrt /root/centminlogs
      .
    • For direct acmetool.sh runs, there should be a 2nd & 3rd & 4th log in format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log and /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log which would need to be included via separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In the persistent config file /etc/centminmod/custom_config.inc (create it if it doesn't exist), add the line below; this gives much more verbose Let's Encrypt issuance output when you re-run acmetool.sh, centmin.sh menu options 2 or 22, or the /usr/bin/nv command line.
      Code (Text):
      ACMEDEBUG='y'
    Without the answers to above questions and logs, there is nothing to help troubleshoot.
     
  11. externalflaw

    externalflaw New Member

    So far it works, except for some broken images (mixed content) and, most importantly, ALL links in the forums give me a 404.

    I'm using IPB; the forum.project.ssl.conf looks like this:

    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For HTTP/2 SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
     # Plain-HTTP listener for the forum. No "listen" directive, so nginx uses its
     # default (*:80 when started as root). The redirect target is spelled out as
     # forum.project.com rather than $server_name, so both names land on the
     # canonical host explicitly.
     server {
       server_name forum.project.com www.forum.project.com;
        return 302 https://forum.project.com$request_uri;
     }
    
    # HTTPS vhost for the IPB forum, after switching to the live Let's Encrypt files.
    server {
      listen 443 ssl http2;
      server_name forum.project.com www.forum.project.com;

      ssl_dhparam /usr/local/nginx/conf/ssl/forum.project.com/dhparam.pem;
      # Live certificate/key as written by acmetool.sh (-acme.cer / -acme.key).
      ssl_certificate      /usr/local/nginx/conf/ssl/forum.project.com/forum.project.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/forum.project.com/forum.project.com-acme.key;
      include /usr/local/nginx/conf/ssl_include.conf;

      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # dual cert supported ssl ciphers
      ssl_ciphers     EECDH+CHACHA20-draft:EECDH+CHACHA20:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;

      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      # NOTE(review): same file as ssl_certificate. Stapling verification needs
      # the issuer (intermediate) certificate, so this only works if -acme.cer
      # is a full chain (leaf + intermediate). If it is the leaf alone, expect
      # "ssl_stapling ignored, issuer certificate not found" in error.log and
      # point this at acme.sh's fullchain / CA file instead.
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/forum.project.com/forum.project.com-acme.cer;

    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;

      # limit_conn limit_per_ip 16;
      # ssi  on;

      access_log /home/nginx/domains/forum.project.com/log/access.log combined buffer=256k flush=60m;
      error_log /home/nginx/domains/forum.project.com/log/error.log;

      # NOTE(review): the Centmin template's autoprotect and 503include-main
      # includes (present in the earlier vhosts in this thread) were dropped
      # here — confirm that was intentional.
      root /home/nginx/domains/forum.project.com/public;


        # IP.Board PHP/CGI Protection

        # Allow Access to Interface Files
        # Add Your Specific Application to the List if you Add New Applications
        # Only these whitelisted interface scripts are handed to PHP via php.conf.
        location ~ ^/applications/(blog|calendar|chat|cms|core|downloads|forums|gallery|nexus|pastebin|companydirectory|rules|videos|notes|iawards|links|pmviewer|readthattopic|rules)/interface/.*\.(?:php\d*|phtml)$ {
            allow all;
            include /usr/local/nginx/conf/php.conf;
        }

        # Block Access to PHP / PHTML Files
        # Stops PHP dropped into IPB's writable directories from being executed.
        # nginx tries regex locations in file order and takes the first match, so
        # this must stay ABOVE the php.conf include at the bottom (which presumably
        # carries the generic \.php$ location). "allow 127.0.0.1" still lets
        # requests from the server itself through — drop it unless something
        # local genuinely needs it.
        location ~ ^/(uploads|datastore|system|plugins)/.*\.(?:php\d*|phtml)$ {
            allow 127.0.0.1;
            deny all;
        }


    # NOTE(review): likely cause of the "ALL links 404" reported in this post.
    # This regex only matches /page/...php, so the try_files fallback to
    # /index.php never applies to IPB's friendly URLs (/topic/..., /forum/...);
    # any path that is not a real file gets a 404. The generic "location /" that
    # should carry try_files is commented out just below. Also, because this
    # location has no php.conf include, a matching .php file that exists under
    # /page/ would be served as static text (source disclosure) rather than run.
    # Intended shape: location / { try_files $uri $uri/ /index.php?$args; }
    location ~^(/page/).*(\.php)$ {
            try_files  $uri $uri/ /index.php;

    #  location / {

    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;

      # Enables directory listings when index file not found
      #autoindex  on;

      # Shows file listing times as local time
      #autoindex_localtime on;

      # Enable for vBulletin usage WITHOUT vbSEO installed
      # More example Nginx vhost configurations at
      # http://centminmod.com/nginx_configure.html
      #try_files    $uri $uri/ /index.php;

      }

      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    Since I have never worked with IPB, I think I am missing something here?
     
  12. eva2000

    eva2000 Administrator Staff Member

  13. externalflaw

    externalflaw New Member

  14. eva2000

    eva2000 Administrator Staff Member

  15. externalflaw

    externalflaw New Member

    Yep, restarted.

    Alright thanks. Will take a look at that thread.