So, my current configuration enables me to access:
www.screen.shizuoka-kikoesupport.jp with no problems (Note - I put the server_name all on one line and that didn't change anything...still good there.)
The problem is that I cannot access my other site at the main domain (www.shizuoka-kikoesupport.jp) if I try to use SSL. When doing that, I have a sites-enabled config file pointing to a subdirectory in my html directory. As we have noticed here, for some reason, that does not work.
The only way I can serve the site is if I put it in the root html directory and use the default config. Maybe there is something fundamentally wrong with the way I am doing it.
I don't think the problem has anything to do with the certs you have.
Although I do think you may need to cover more of those names (with additional certs).
You can review the covered names with: certbot certificates
I have failed to set up the screen.shizuoka-kikoesupport.jp block so that one doesn't currently work. I think (fingers crossed) I can get that one fixed fairly easily.
As for the other two, that's where I'm running into trouble. Both www.shizuoka-kikoesupport.jp and shizuoka-kikoesupport.jp are accessible now when served from 80.
certbot certificates shows me certificates for:
www.screen.shizuoka-kikoesupport.jp
and
www.shizuoka-kikoesupport.jp
Hmm. Very odd. The only thing I noticed was your first nginx -T display had a server that was missing the IPv6 listen. All your other server blocks had a listen for IPv6. Even though you are not using that (your DNS has no AAAA record) it might be changing how nginx is selecting your server blocks. I think you should make sure they are all the same.
This is the only one missing it and is the one being selected by default (it looks like to me anyway). So, try adding a listen [::]:443 ssl; to this server block. It can't hurt and might help.
server {
listen 443 ssl;
server_name
www.screen.shizuoka-kikoesupport.jp
;
root /home/frappe/frappe-bench/sites;
Thanks. You were right, it didn't hurt anything but unfortunately also didn't have any impact on my inability to serve www.shizuoka-kikoesupport.jp via SSL.
Right now I am able to connect HTTPS to that domain. It returns an incorrect cert (one for www.screen.shizu...) and it gives a 404 Not Found for a "home page" request. But, the HTTPS connection succeeds. This still seems like a similar problem that looks like the correct server block is not being chosen by nginx for some reason.
Can you show the latest nginx -T ?
And, it looks like you are bouncing your server as it frequently is going off-line to return just a short bit later. But, when it is up I can make the https connects
I'm willing to do anything it takes so long shots are welcome.
My current setup is as follows:
www.shizuoka-kikoesupport.jp is being served without SSL (via port 80)
www.screen.shizuoka-kikoesupport.jp is being served with SSL using a Letsencrypt certificate
If I enable the config file for www.shizuoka-kikoesupport.jp that includes the SSL certificate, my site is inaccessible which is why I am currently serving the way I am (via 80).
Given all of that information, the current output of nginx -T is:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
multi_accept on;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
# keepalive_timeout 10;
# keepalive_requests 10;
gzip on;
gzip_disable "msie6";
gzip_http_version 1.1;
gzip_comp_level 5;
gzip_min_length 256;
gzip_proxied any;
gzip_vary on;
gzip_types
application/atom+xml
application/javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-font-ttf
application/font-woff
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/svg+xml
image/x-icon
text/css
text/plain
text/x-component
;
server_names_hash_max_size 4096;
open_file_cache max=65000 inactive=1m;
open_file_cache_valid 5s;
open_file_cache_min_uses 1;
open_file_cache_errors on;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM;
ssl_prefer_server_ciphers on;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
client_max_body_size 50m;
large_client_header_buffers 4 32k;
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=web-cache:8m max_size=1000m inactive=600m;
# include /etc/nginx/conf.d/*.conf;
}
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/sites-enabled/default:
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.php index.htm index.nginx-debian.html;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
# configuration file /etc/nginx/sites-enabled/erpnext:
upstream frappe-bench-frappe {
server 127.0.0.1:8000 fail_timeout=0;
}
upstream frappe-bench-socketio-server {
server 127.0.0.1:9000 fail_timeout=0;
}
# setup maps
map $host $site_name_hicnffj {
www.screen.shizuoka-kikoesupport.jp site1.local;
[www.screen.shizuoka-kikoesupport.jp] site1.local;
default $host;
}
# server blocks
server {
server_name screen.shizuoka-kikoesupport.jp;
rewrite ^(.*) http://www.screen.shizuoka-kikoesupport.jp$1 permanent;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
#server_name
# www.screen.shizuoka-kikoesupport.jp
# ;
server_name www.screen.shizuoka-kikoesupport.jp;
root /home/frappe/frappe-bench/sites;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
ssl_certificate /etc/letsencrypt/live/www.screen.shizuoka-kikoesupport.jp/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.screen.shizuoka-kikoesupport.jp/privkey.pem; # managed by Certbot
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
add_header X-Frame-Options "SAMEORIGIN";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin";
location /assets {
try_files $uri =404;
}
location ~ ^/protected/(.*) {
internal;
try_files /$host/$1 =404;
}
location /socket.io {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Frappe-Site-Name $host;
proxy_set_header Origin $scheme://$http_host;
proxy_set_header Host $host;
proxy_pass http://frappe-bench-socketio-server;
}
location / {
rewrite ^(.+)/$ $1 permanent;
rewrite ^(.+)/index\.html$ $1 permanent;
rewrite ^(.+)\.html$ $1 permanent;
location ~ ^/files/.*.(htm|html|svg|xml) {
add_header Content-disposition "attachment";
try_files /$host/public/$uri @webserver;
}
try_files /$host/public/$uri @webserver;
}
location @webserver {
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frappe-Site-Name $host;
proxy_set_header Host $host;
proxy_set_header X-Use-X-Accel-Redirect True;
proxy_read_timeout 120;
proxy_redirect off;
proxy_pass http://frappe-bench-frappe;
}
# error pages
error_page 502 /502.html;
location /502.html {
root /home/frappe/.local/lib/python3.8/site-packages/bench/config/templates;
internal;
}
# optimizations
sendfile on;
keepalive_timeout 15;
client_max_body_size 50m;
client_body_buffer_size 16K;
client_header_buffer_size 1k;
# enable gzip compresion
# based on https://mattstauffer.co/blog/enabling-gzip-on-nginx-servers-including-laravel-forge
gzip on;
gzip_http_version 1.1;
gzip_comp_level 5;
gzip_min_length 256;
gzip_proxied any;
gzip_vary on;
gzip_types
application/atom+xml
application/javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-font-ttf
application/font-woff
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/svg+xml
image/x-icon
text/css
text/plain
text/x-component
;
# text/html is always compressed by HttpGzipModule
}
# http to https redirect
server {
if ($host = www.screen.shizuoka-kikoesupport.jp) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name
www.screen.shizuoka-kikoesupport.jp
;
return 301 https://$host$request_uri;
}
I see that I only fixed one of the instances where information is not on the same line...I'll fix the other one now.
I'm not sure if I know what "bouncing your server" means. I did notice yesterday, when accessing the www.shizuoka-kikoesupport.jp site served via port 80, that it appeared to be intermittently going offline but then I realized it was my browser accessing cached content. Once I cleared the cache the problem disappeared, or so I thought. ;-_
Sorry. Means rebooting or stopping/starting or similar. I am using curl requests which do not use a cache. It did not look like a comms problem but it could be. I was able to see some open ports at your domain but not ones for nginx. Let's put that aside then.
Connections can be made using HTTPS to www.shizuoka-kikoesupport.jp (*1). But, it returns the cert for your default SSL server - the one for www.screen. And, a 404 Not Found which is a result of the try_files in that default server failing (I suppose). Just wanted you to be aware that you are not preventing problems by removing its SSL server block. You are just changing the problem. It also makes it harder to debug as we can't poke at it for clues.
I do see a missing semi-colon in the server block that is not working right. See the index statement:
server {
set $host_path /var/www/html/oldkikoesupport;
server_name www.shizuoka-kikoesupport.jp;
root /var/www/html/oldkikoesupport;
index index.html index.php index.htm index.nginx-debian.html
I have seen cases where that does not matter. And, I would think it would result in some different syntax error. But, it's worth fixing. This is even a longer shot than the other.
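The helper's point above, that with the oldkikoesupport block disabled nginx falls back to the first server listening on 443 and hands out the www.screen certificate, can be checked with the following script. It is an added example, not code from the thread or from nginx/Certbot; ServerBlock, select_server, cert_covers and probe_https are hypothetical names, and the block list is a reduced, constructed model of the nginx -T output above.

```python
"""Added example (not from the thread, nginx or Certbot): model how nginx picks
a server block for an HTTPS request and check which certificate a host serves.

Assumptions (hypothetical): the block definitions below are a reduced model of
the erpnext and oldkikoesupport files in the nginx -T output; only exact and
leading-wildcard server_names are modelled, not regex names."""
import http.client
import ssl
from dataclasses import dataclass, field


@dataclass
class ServerBlock:
    label: str                    # for reporting only
    listen: set                   # sockets, e.g. "0.0.0.0:443", "[::]:443"
    server_names: list = field(default_factory=list)
    default_server: bool = False


def select_server(blocks, sock, host):
    """Mimic nginx: keep blocks listening on the socket the client hit, then
    exact server_name, then longest '*.' wildcard, then the block marked
    default_server, else the first block on that socket (implicit default)."""
    host = host.lower().rstrip(".")
    candidates = [b for b in blocks if sock in b.listen]
    if not candidates:
        return None
    for b in candidates:
        if host in [n.lower() for n in b.server_names]:
            return b
    wild = [(len(n), b) for b in candidates for n in b.server_names
            if n.startswith("*.") and host.endswith(n[1:].lower())]
    if wild:
        return max(wild, key=lambda t: t[0])[1]
    for b in candidates:
        if b.default_server:
            return b
    return candidates[0]


def cert_covers(host, san_dns_names):
    """RFC 6125 style check: exact SAN, or a '*.' SAN covering exactly one
    left-most label. A cert for www.screen.X does not cover www.X."""
    host = host.lower().rstrip(".")
    for san in san_dns_names:
        san = san.lower()
        if san == host:
            return True
        if san.startswith("*.") and "*" not in san[2:]:
            parts = host.split(".", 1)
            if len(parts) == 2 and parts[1] == san[2:]:
                return True
    return False


def probe_https(host, port=443, timeout=10):
    """Live check (needs network): connect with SNI=host, verify the served
    certificate against host, fetch '/'. Returns (status, san_names, error).
    A mis-selected server block shows up as a hostname-mismatch error."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", "/", headers={"Host": host})
        cert = conn.sock.getpeercert()       # read before the response may close it
        sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
        return conn.getresponse().status, sans, None
    except ssl.SSLCertVerificationError as exc:
        return None, [], f"certificate rejected: {exc.verify_message}"
    except OSError as exc:
        return None, [], str(exc)
    finally:
        conn.close()


# Reduced model of the thread's HTTPS blocks (constructed from the nginx -T output).
SCREEN_HTTPS = ServerBlock("erpnext-https", {"0.0.0.0:443", "[::]:443"},
                           ["www.screen.shizuoka-kikoesupport.jp"])
OLD_HTTPS = ServerBlock("oldkikoesupport-https", {"0.0.0.0:443", "[::]:443"},
                        ["www.shizuoka-kikoesupport.jp"])
BLOCKS_SITE_DISABLED = [SCREEN_HTTPS]             # oldkikoesupport not enabled
BLOCKS_SITE_ENABLED = [SCREEN_HTTPS, OLD_HTTPS]   # both files in sites-enabled

if __name__ == "__main__":
    host = "www.shizuoka-kikoesupport.jp"
    for state, blocks in (("disabled", BLOCKS_SITE_DISABLED), ("enabled", BLOCKS_SITE_ENABLED)):
        print(f"oldkikoesupport {state}: {host} -> {select_server(blocks, '0.0.0.0:443', host).label}")
    print("screen cert covers www.shizuoka?", cert_covers(host, ["www.screen.shizuoka-kikoesupport.jp"]))
```

probe_https is the curl-style live check and needs network access; the model functions run offline.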
Wow! I think I fixed the problem. I commented out the following two lines (referenced in my interaction here yesterday but I guess I overlooked them).
#include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - not sure what this line is but it only appears in this config
#ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot - not sure what this line is but it only appears in this config
Then enabled the config file and now the site seems to be accessible via SSL (https).
I don't know what those two lines do but it seems they aren't necessary...? And/or are the root of the problem...?
The lines in that included file (options-ssl-nginx) are important. You should review what is missing to see if they are specified anywhere else. I am signing off for the night so can't review. Now that you have something more viable, a fresh nginx -T would be helpful if you want help finishing the config.
Note that SSL Labs is only granting your shizuoka site a B (looks like lots of weak ciphers and perhaps other items?).
But, your www.screen.kyouikulogistics.com site gets an A+ (nice).
Thanks again for your help and sorry for the brief silence...had to step away for lunch.
I'll poke around more...with a bit more focus now that I found the culprit...intermediate as it may be.
Also, thanks for the scoring information too. Yes, currently the shizuoka-kikoesupport.jp site and config requires improvement. It's actually about to be entirely revamped so all of this work to get the old site up and running feels a bit of a waste of time but since it's still the only viable site, I had no choice.
I'll post the results of nginx -T later today after brushing things up a bit.
Thanks again for all your help and for prodding me with those SSL Labs report cards. I couldn't put up with one being an A+ and the other a B. They should both get A+ now, although I'm going to have to read a bit more to learn about DNS CAA.
Also, here is the current output of nginx -T
There is still some clutter in there (commented out lines that can be removed) and things I don't fully understand but it's a huge amount of progress over just a few days ago.
Thanks again to the letsencrypt team and community. I am solidly motivated to make a contribution now and embarrassed that I haven't done so sooner.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
multi_accept on;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
# keepalive_timeout 10;
# keepalive_requests 10;
gzip on;
gzip_disable "msie6";
gzip_http_version 1.1;
gzip_comp_level 5;
gzip_min_length 256;
gzip_proxied any;
gzip_vary on;
gzip_types
application/atom+xml
application/javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-font-ttf
application/font-woff
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/svg+xml
image/x-icon
text/css
text/plain
text/x-component
;
server_names_hash_max_size 4096;
open_file_cache max=65000 inactive=1m;
open_file_cache_valid 5s;
open_file_cache_min_uses 1;
open_file_cache_errors on;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM;
ssl_prefer_server_ciphers on;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
client_max_body_size 50m;
large_client_header_buffers 4 32k;
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=web-cache:8m max_size=1000m inactive=600m;
# include /etc/nginx/conf.d/*.conf;
}
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/sites-enabled/default:
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.php index.htm index.nginx-debian.html;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
# configuration file /etc/nginx/sites-enabled/erpnext:
upstream frappe-bench-frappe {
server 127.0.0.1:8000 fail_timeout=0;
}
upstream frappe-bench-socketio-server {
server 127.0.0.1:9000 fail_timeout=0;
}
# setup maps
map $host $site_name_hicnffj {
www.screen.shizuoka-kikoesupport.jp site1.local;
[www.screen.shizuoka-kikoesupport.jp] site1.local;
default $host;
}
# server blocks
server {
listen 80;
server_name screen.shizuoka-kikoesupport.jp;
rewrite ^(.*) http://www.screen.shizuoka-kikoesupport.jp$1 permanent;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
#server_name
# www.screen.shizuoka-kikoesupport.jp
# ;
server_name www.screen.shizuoka-kikoesupport.jp;
root /home/frappe/frappe-bench/sites;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
ssl_certificate /etc/letsencrypt/live/www.screen.shizuoka-kikoesupport.jp/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.screen.shizuoka-kikoesupport.jp/privkey.pem; # managed by Certbot
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
add_header X-Frame-Options "SAMEORIGIN";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin";
location /assets {
try_files $uri =404;
}
location ~ ^/protected/(.*) {
internal;
try_files /$host/$1 =404;
}
location /socket.io {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Frappe-Site-Name $host;
proxy_set_header Origin $scheme://$http_host;
proxy_set_header Host $host;
proxy_pass http://frappe-bench-socketio-server;
}
location / {
rewrite ^(.+)/$ $1 permanent;
rewrite ^(.+)/index\.html$ $1 permanent;
rewrite ^(.+)\.html$ $1 permanent;
location ~ ^/files/.*.(htm|html|svg|xml) {
add_header Content-disposition "attachment";
try_files /$host/public/$uri @webserver;
}
try_files /$host/public/$uri @webserver;
}
location @webserver {
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frappe-Site-Name $host;
proxy_set_header Host $host;
proxy_set_header X-Use-X-Accel-Redirect True;
proxy_read_timeout 120;
proxy_redirect off;
proxy_pass http://frappe-bench-frappe;
}
# error pages
error_page 502 /502.html;
location /502.html {
root /home/frappe/.local/lib/python3.8/site-packages/bench/config/templates;
internal;
}
# optimizations
sendfile on;
keepalive_timeout 15;
client_max_body_size 50m;
client_body_buffer_size 16K;
client_header_buffer_size 1k;
# enable gzip compresion
# based on https://mattstauffer.co/blog/enabling-gzip-on-nginx-servers-including-laravel-forge
gzip on;
gzip_http_version 1.1;
gzip_comp_level 5;
gzip_min_length 256;
gzip_proxied any;
gzip_vary on;
gzip_types
application/atom+xml
application/javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-font-ttf
application/font-woff
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/svg+xml
image/x-icon
text/css
text/plain
text/x-component
;
# text/html is always compressed by HttpGzipModule
}
# http to https redirect
server {
if ($host = www.screen.shizuoka-kikoesupport.jp) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name www.screen.shizuoka-kikoesupport.jp;
return 301 https://$host$request_uri;
}
# configuration file /etc/nginx/sites-enabled/oldkikoesupport:
server {
set $host_path /var/www/html/oldkikoesupport;
server_name www.shizuoka-kikoesupport.jp;
root /var/www/html/oldkikoesupport;
#charset utf-8;
try_files $uri $uri/ /index.php?r=$uri&$args;
index index.html index.php index.htm index.nginx-debian.html;
# index index.html;
location / {
try_files $uri $uri/ /index.php?$args;
#try_files $uri $uri/ =404;
}
listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/www.shizuoka-kikoesupport.jp/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.shizuoka-kikoesupport.jp/privkey.pem; # managed by Certbot
#include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - not sure what this line is but it only appears in this congif
#ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot - not sure what this line is but it only appears in this congif
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
add_header X-Frame-Options "SAMEORIGIN";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin";
}
server {
if ($host = www.shizuoka-kikoesupport.jp) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name www.shizuoka-kikoesupport.jp;
return 404; # managed by Certbot
}
Sorry for delay. I finally set aside some time to review your config.
First, I used the wrong domain name in my SSL Labs links a few posts back. In any event, I see your www.shizuoka and your www.screen.shizuoka both get an A+ now. And, the nginx conf for each are identical so that makes sense.
I only see 2 ciphers for TLS v1.2 though. I do not know the practical implications of that. The SSL Labs test of client connects doesn't show obvious problems. It may mean that some clients won't be able to connect but I do not know for sure or which ones would be affected. Or, if any were affected, whether it mattered for your sites.
The certbot nginx plug-in created a file to be included which contained a cipher list (and a file for dhparam). That was causing an odd protocol violation so you now hand-code those options. Which is fine too if you get the result you want. The certbot plug-in follows the guidelines by Mozilla, which has a configurator for those here. Enter your openssl version, nginx version, and choose the level of clients to support (intermediate is good).
Your sites work with HTTPS and the certs look good. I don't have the expertise to recommend about ciphers. Besides the Mozilla configurator you could use SSL Labs to look at the ciphers used by this forum as a comparison.