So here’s a challenging problem:
I have a domain (popupjobs.com) through GoDaddy and a server on DigitalOcean (nginx 1.15.5) that I’ve deployed through Laravel Forge (LF). I’ve also used LF to add a Let's Encrypt certificate to the domain.
Here’s what happens when trying to access the site from Iran AFTER adding the Let's Encrypt certificate:
Everything is fine through:
- Chrome, Firefox, IE browsers on MacOS/Windows
- Chrome, Firefox on Android devices
- Android app that hits the same server/domain
The site can ONLY BE ACCESSED WITH A VPN through:
- Safari browser on MacOS/Windows
- all browsers on the iPhone (iOS 11/12)
- iOS app that hits the same server/domain
In other words, Apple-related devices/browsers/apps can only connect to the server through a VPN. The connection times out without a VPN.
Now if this were a sanctions-related issue, then I’d expect to see the same problem through all devices/browsers. But the fact that this issue only arises with some Apple-related devices/browsers leads me to believe that the issue is config-related. In other words, there is something about the Let's Encrypt config that Apple doesn’t like when trying to access the server from Iranian ISPs.
I found what turned out to be a temporary fix for the iPhone app (creating default instead of shared NSURLSessions), but even that stopped working a couple of days ago.
Any assistance in helping resolve this issue is greatly appreciated. My iOS users are dropping like flies since they can’t run the app without a VPN.
Here’s a copy of my Nginx config file:
```nginx
include forge-conf/popupjobs.com/before/*;

server {
    # HTTP/2 over TLS on IPv4 and IPv6
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name popupjobs.com;
    root /home/forge/popupjobs.com/public;

    # if ($scheme = https) {
    #     return 301 http://$server_name$request_uri;
    # }

    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/popupjobs.com/******/server.crt;
    ssl_certificate_key /etc/nginx/ssl/popupjobs.com/******/server.key;

    #ADDED Improve HTTPS performance with session resumption
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    # Protocol versions and the cipher suites offered to clients
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    #ADDED Enable HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";

    #ADDED Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/popupjobs.com/458996/server.crt;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # Browser hardening headers
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;
    charset utf-8;

    # FORGE CONFIG (DO NOT REMOVE!)
    include forge-conf/popupjobs.com/server/*;

    # Laravel front controller: everything not found on disk goes to index.php
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt { access_log off; log_not_found off; }

    access_log off;
    error_log /var/log/nginx/popupjobs.com-error.log error;

    error_page 404 /index.php;

    # Hand PHP requests to PHP-FPM over its unix socket
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    # Block dotfiles, but keep /.well-known reachable (ACME HTTP-01 challenges)
    location ~ /\.(?!well-known).* {
        deny all;
    }
}

# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/popupjobs.com/after/*;
```
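When only one client family fails the TLS handshake, the first thing worth checking is what the server is actually offering, since nginx passes the `ssl_ciphers` value straight to OpenSSL and OpenSSL silently drops any token it does not recognise (it only errors when nothing at all matches). The script below is an added example, not part of the original post or of Laravel Forge; it takes the `ssl_ciphers` value exactly as posted above, asks the local OpenSSL to resolve each token, and reports which tokens are unknown and which suites survive. On a standard OpenSSL build the two `*-AES256-GCM-SHA512` names come back as unknown (TLS defines no AES-GCM suites with SHA-512), so only three suites are offered to TLS 1.2 clients. That is a fact about the config, not a diagnosis of the Iran-specific failure, but it is the kind of check to run before looking further.

```python
import ssl

# The ssl_ciphers value copied verbatim from the nginx config posted above.
POSTED_SSL_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:"
    "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-SHA384"
)


def resolve_cipher_name(token):
    """Ask the local OpenSSL which TLS 1.2-and-earlier suites a single
    cipher-string token enables. Returns [] when OpenSSL does not know it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(token)
    except ssl.SSLError:
        # "No cipher can be selected": the token matched nothing.
        return []
    # TLS 1.3 suites are configured separately and are always listed by
    # get_ciphers(); drop them so only the suites the token controls remain.
    return [c["name"] for c in ctx.get_ciphers() if c.get("protocol") != "TLSv1.3"]


def audit_ssl_ciphers(directive_value):
    """Split an nginx ssl_ciphers value the way OpenSSL does (colon-separated
    tokens) and report unknown tokens and the suites that actually survive."""
    unknown, enabled = [], []
    for token in directive_value.split(":"):
        if not token or token[0] in "!-+@":
            continue  # exclusion, ordering and control tokens are not suite names
        suites = resolve_cipher_name(token)
        if not suites:
            unknown.append(token)
        for suite in suites:
            if suite not in enabled:
                enabled.append(suite)
    return {"unknown": unknown, "enabled": enabled}


if __name__ == "__main__":
    report = audit_ssl_ciphers(POSTED_SSL_CIPHERS)
    print("Tokens OpenSSL does not recognise (silently ignored by nginx):")
    for token in report["unknown"]:
        print("  ", token)
    print("Suites actually offered to TLS <= 1.2 clients:")
    for suite in report["enabled"]:
        print("  ", suite)
```

Run it on the same OpenSSL version nginx is linked against (`nginx -V` shows it) for the most faithful answer; the Python `ssl` module reports whatever OpenSSL it was built with, which is close enough to spot misspelt suite names but may differ in minor details from the server's library.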