Alexlii
November 17, 2018, 5:51am
Sorry, I did not find a 443 port.
brotli on;
brotli_static on;
brotli_buffers 16 8k;
brotli_comp_level 6;
brotli_types *;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
rg305
November 17, 2018, 5:55am
Show:
ls -l /etc/nginx/sites-enabled/
grep -Ei 'listen|cipher' /etc/nginx/sites-enabled/
Alexlii
November 17, 2018, 5:56am
Last login: Fri Nov 16 13:29:41 2018 from 118.247.236.163
root@101:~# ls -l /etc/nginx/sites-enabled/
total 0
lrwxrwxrwx 1 root root 32 May 17 2018 22222 -> /etc/nginx/sites-available/22222
lrwxrwxrwx 1 root root 34 May 17 2018 default -> /etc/nginx/sites-available/default
lrwxrwxrwx 1 root root 38 May 17 2018 lovcour.com -> /etc/nginx/sites-available/lovcour.com
root@101:~#
Alexlii
November 17, 2018, 5:56am
root@101:~# grep -Ei ‘listen|cipher’ /etc/nginx/sites-enabled/
grep: /etc/nginx/sites-enabled/: Is a directory
root@101:~#
rg305
November 17, 2018, 5:58am
Please show:
cat /etc/nginx/sites-available/default
grep -Ei 'listen|cipher' /etc/nginx/sites-enabled/*
Alexlii
November 17, 2018, 5:59am
root@101:~# cat /etc/nginx/sites-available/default
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
# Default (catch-all) HTTP server: `default_server` on port 80 for both
# IPv4 and IPv6, serving /var/www/html. The HTTPS listeners below are
# commented out, so this block never terminates TLS.
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
# include snippets/snakeoil.conf;
#
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
# `_` never matches a real Host header: this server is only reached as
# the default_server, i.e. when no other server_name matched.
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# nginx stub_status endpoint, restricted to IPv4 loopback. Note that this
# server also listens on [::]:80 but ::1 is not in the allow list, so a
# request arriving over IPv6 loopback is denied.
location /stub_status {
stub_status on;
access_log off;
allow 127.0.0.1;
deny all;
}
# Status pages: same stub_status and same loopback-only ACL under a second path
location /nginx_status {
stub_status on;
access_log off;
allow 127.0.0.1;
deny all;
}
# phpfpm pool monitoring: forwarded to the `php7` upstream (defined outside
# this file). The regex has no end anchor, so it also matches e.g.
# /statusxyz or /pingback. Access control comes entirely from
# common/acl.conf — NOTE(review): its contents are not shown here; confirm
# it restricts these paths, since the pool status page is otherwise public.
location ~ ^/(status|ping) {
include fastcgi_params;
fastcgi_pass php7;
include common/acl.conf;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php5-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php5-fpm:
# fastcgi_pass unix:/var/run/php5-fpm.sock;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
root@101:~#
Alexlii
November 17, 2018, 6:01am
root@101:~# grep -Ei 'listen|cipher' /etc/nginx/sites-enabled/*
/etc/nginx/sites-enabled/22222: listen 22222 default_server ssl http2;
/etc/nginx/sites-enabled/default: listen 80 default_server;
/etc/nginx/sites-enabled/default: listen [::]:80 default_server;
/etc/nginx/sites-enabled/default: # listen 443 ssl default_server;
/etc/nginx/sites-enabled/default: # listen [::]:443 ssl default_server;
/etc/nginx/sites-enabled/default: # ssl_ciphers HIGH:!aNULL:!MD5;
/etc/nginx/sites-enabled/default: # ssl_prefer_server_ciphers on;
/etc/nginx/sites-enabled/default: # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
/etc/nginx/sites-enabled/default:# listen 80;
/etc/nginx/sites-enabled/default:# listen [::]:80;
/etc/nginx/sites-enabled/lovcour.com: # listen 80 default_server;
root@101:~#
rg305
November 17, 2018, 6:03am
Please show:
cat /etc/nginx/sites-available/lovcour.com
Alexlii
November 17, 2018, 6:05am
root@101:~# cat /etc/nginx/sites-available/lovcour.com
# Virtual host for lovcour.com. Most behaviour comes from the common/*.conf
# includes and the per-site conf/nginx/*.conf include. No `listen` is
# active in this block itself (the port-80 one is commented out); the only
# listeners are supplied by the included ssl.conf (443 ssl http2), so this
# vhost is HTTPS-only and plain-HTTP requests fall to the default server.
server {
# Uncomment the following line for domain mapping
# listen 80 default_server;
# Matches the apex, www, and any other subdomain.
server_name lovcour.com www.lovcour.com *.lovcour.com;
# Uncomment the following line for domain mapping
#server_name_in_redirect off;
# `rt_cache_redis` is a log_format defined outside this file.
access_log /var/log/nginx/lovcour.com.access.log rt_cache_redis;
error_log /var/log/nginx/lovcour.com.error.log;
root /var/www/lovcour.com/htdocs;
index index.php index.html index.htm;
# Added Later
# Mark shop/account URLs as uncacheable. $skip_cache is presumably consumed
# by the redis cache include further down — verify there.
if ($request_uri ~* "/store.*|/cart.*|/my-account.*|/checkout.*|/addons.*") {
set $skip_cache 1;
}
# Static assets: no access log, no 404 log, far-future Expires. nginx tests
# regex locations in file order, so this one wins over any regex location
# declared in the includes that follow.
location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
access_log off; log_not_found off; expires max;
}
# End of Added Later
#Added Later redis to redisphp72
include common/redis-php72.conf;
include common/wpcommon-php72.conf;
include common/locations-php72.conf;
# Per-site drop-ins (this is where the 443 listeners and certificate paths
# come from).
include /var/www/lovcour.com/conf/nginx/*.conf;
# Netdata dashboard reverse proxy: bare /netdata is redirected to the
# trailing-slash form, presumably so the dashboard's relative links resolve.
location /netdata {
return 301 /netdata/;
}
# Everything after /netdata/ is captured into $ndpath and proxied to the
# `netdata` upstream (defined outside this file). The regex is not anchored
# at the start, so any URI containing "/netdata/" lands here. Access is
# governed solely by common/acl.conf — NOTE(review): contents not visible;
# confirm it limits this to trusted sources, as the dashboard exposes host
# metrics.
location ~ /netdata/(?<ndpath>.*) {
include common/acl.conf;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_pass_request_headers on;
proxy_set_header Connection "keep-alive";
proxy_store off;
# Captured path remainder plus the original query string are forwarded.
proxy_pass http://netdata/$ndpath$is_args$args;
gzip on;
gzip_proxied any;
gzip_types *;
}
}
root@101:~#
rg305
November 17, 2018, 6:06am
There is no listen with 443
Please show:
ls -l /var/www/lovcour.com/conf/nginx/*.conf
Alexlii
November 17, 2018, 6:07am
root@101:~# ls -l /var/www/lovcour.com/conf/nginx/*.conf
-rwxr-xr-x 1 www-data www-data 247 May 17 2018 /var/www/lovcour.com/conf/nginx/ssl.conf
root@101:~#
rg305
November 17, 2018, 6:08am
Please show:
cat /var/www/lovcour.com/conf/nginx/ssl.conf
Alexlii
November 17, 2018, 6:08am
root@101:~# cat /var/www/lovcour.com/conf/nginx/ssl.conf
# Per-site TLS drop-in, pulled into the lovcour.com server block by
# `include /var/www/lovcour.com/conf/nginx/*.conf;`. It only supplies the
# listeners and certificate paths; ssl_protocols / ssl_ciphers are not set
# here, so they are presumably inherited from the http context in nginx.conf.
listen 443 ssl http2;
listen [::]:443 ssl http2;
# Redundant with the `ssl` parameter already on both listen lines above
# (the standalone `ssl` directive is deprecated in newer nginx releases).
ssl on;
# fullchain.pem is, by acme.sh naming, the leaf plus intermediates; key.pem
# is the matching private key.
ssl_certificate /etc/nginx/acme.sh/lovcour.com/fullchain.pem;
ssl_certificate_key /etc/nginx/acme.sh/lovcour.com/key.pem;
# NOTE(review): ssl_trusted_certificate is the CA/intermediate chain nginx
# uses to verify OCSP stapling responses; pointing it at the leaf cert.pem
# looks unintended — confirm against the files acme.sh writes.
ssl_trusted_certificate /etc/nginx/acme.sh/lovcour.com/cert.pem;root@101:~#
rg305
November 17, 2018, 6:11am
That seems OK…
But where are the ciphers?
Please show:
grep -Eri 'cipher' /etc/nginx/
grep -Eri 'cipher' /var/www/
Alexlii
November 17, 2018, 6:11am
root@101:~# grep -Eri 'cipher' /etc/nginx/
/etc/nginx/nginx.conf.default: # ssl_ciphers HIGH:!aNULL:!MD5;
/etc/nginx/nginx.conf.default: # ssl_prefer_server_ciphers on;
/etc/nginx/sites-available/default: # ssl_ciphers HIGH:!aNULL:!MD5;
/etc/nginx/sites-available/default: # ssl_prefer_server_ciphers on;
/etc/nginx/nginx.conf: ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
/etc/nginx/nginx.conf: ssl_prefer_server_ciphers on;
root@101:~#
root@101:~#
root@101:~#
root@101:~#
root@101:~#
root@101:~#
root@101:~#
root@101:~#
rg305
November 17, 2018, 6:14am
TLS13-CHACHA20-POLY1305-SHA256
TLS13-AES-256-GCM-SHA384
TLS13-AES-128-GCM-SHA256
Requires compatible SSL libraries.
Please show:
openssl version
also I don't see where the protocol is specified…
Please show:
grep -Eri 'protocol' /etc/nginx/
grep -Eri 'protocol' /var/www/
Alexlii
November 17, 2018, 6:15am
But there are so many messages:
ies imap_client_buffer index ip_hash keepalive_requests keepalive_timeout kqueue_changes kqueue_events large_client_header_buffers limit_conn limit_conn_log_level limit_rate limit_rate_after limit_req limit_req_log_level limit_req_zone limit_zone lingering_time lingering_timeout lock_file log_format log_not_found log_subrequest map_hash_bucket_size map_hash_max_size master_process memcached_bind memcached_buffer_size memcached_connect_timeout memcached_next_upstream memcached_read_timeout memcached_send_timeout memcached_upstream_fail_timeout memcached_upstream_max_fails merge_slashes min_delete_depth modern_browser modern_browser_value msie_padding msie_refresh multi_accept open_file_cache open_file_cache_errors open_file_cache_events open_file_cache_min_uses open_file_cache_valid open_log_file_cache output_buffers override_charset perl perl_modules perl_require perl_set pid pop3_auth pop3_capabilities port_in_redirect postpone_gzipping postpone_output protocol proxy proxy_bind proxy_buffer proxy_buffer_size proxy_buffering proxy_buffers proxy_busy_buffers_size proxy_cache proxy_cache_key proxy_cache_methods proxy_cache_min_uses proxy_cache_path proxy_cache_use_stale proxy_cache_valid proxy_connect_timeout proxy_headers_hash_bucket_size proxy_headers_hash_max_size proxy_hide_header proxy_ignore_client_abort proxy_ignore_headers proxy_intercept_errors proxy_max_temp_file_size proxy_method proxy_next_upstream proxy_pass_error_message proxy_pass_header proxy_pass_request_body proxy_pass_request_headers proxy_read_timeout proxy_redirect proxy_send_lowat proxy_send_timeout proxy_set_body proxy_set_header proxy_ssl_session_reuse proxy_store proxy_store_access proxy_temp_file_write_size proxy_temp_path proxy_timeout proxy_upstream_fail_timeout proxy_upstream_max_fails random_index read_ahead real_ip_header recursive_error_pages request_pool_size reset_timedout_connection resolver resolver_timeout rewrite_log rtsig_overflow_events rtsig_overflow_test 
rtsig_overflow_threshold rtsig_signo satisfy secure_link_secret send_lowat send_timeout sendfile sendfile_max_chunk server_name_in_redirect server_names_hash_bucket_size server_names_hash_max_size server_tokens set_real_ip_from smtp_auth smtp_capabilities smtp_client_buffer smtp_greeting_delay so_keepalive source_charset ssi ssi_ignore_recycled_buffers ssi_min_file_chunk ssi_silent_errors ssi_types ssi_value_length ssl ssl_certificate ssl_certificate_key ssl_ciphers ssl_client_certificate ssl_crl ssl_dhparam ssl_engine ssl_prefer_server_ciphers ssl_protocols ssl_session_cache ssl_session_timeout ssl_verify_client ssl_verify_depth starttls stub_status sub_filter sub_filter_once sub_filter_types tcp_nodelay tcp_nopush thread_stack_size timeout timer_resolution types_hash_bucket_size types_hash_max_size underscores_in_headers uninitialized_variable_warn use user userid userid_domain userid_expires userid_mark userid_name userid_p3p userid_path userid_service valid_referers variables_hash_bucket_size variables_hash_max_size worker_connections worker_cpu_affinity worker_priority worker_processes worker_rlimit_core worker_rlimit_nofile worker_rlimit_sigpending worker_threads working_directory xclient xml_entities xslt_stylesheet xslt_typesdrew@li229-23"
Alexlii
November 17, 2018, 6:16am
root@101:~# grep -Eri 'protocol' /etc/nginx/
/etc/nginx/fastcgi.conf.default:fastcgi_param SERVER_PROTOCOL $server_protocol;
/etc/nginx/scgi_params:scgi_param SERVER_PROTOCOL $server_protocol;
/etc/nginx/fastcgi_params.default:fastcgi_param SERVER_PROTOCOL $server_protocol;
/etc/nginx/fastcgi_params:fastcgi_param SERVER_PROTOCOL $server_protocol;
/etc/nginx/uwsgi_params:uwsgi_param SERVER_PROTOCOL $server_protocol;
/etc/nginx/sites-available/default: # ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
/etc/nginx/uwsgi_params.default:uwsgi_param SERVER_PROTOCOL $server_protocol;
/etc/nginx/nginx.conf: ssl_protocols TLSv1.2 TLSv1.3;
/etc/nginx/nginx.conf:# protocol pop3;
/etc/nginx/nginx.conf:# protocol imap;
/etc/nginx/fastcgi.conf:fastcgi_param SERVER_PROTOCOL $server_protocol;
/etc/nginx/scgi_params.default:scgi_param SERVER_PROTOCOL $server_protocol;
root@101:~#
root@101:~#
rg305
November 17, 2018, 6:17am
Sorry try:
openssl version
grep -Eri 'ssl_cipher' /etc/nginx/
grep -Eri 'ssl_cipher' /var/www/
[And delete the really long posts]
Alexlii
November 17, 2018, 6:18am
rg305:
openssl version
root@101:~# openssl version
OpenSSL 1.1.0h 27 Mar 2018
root@101:~#