Single VPS, multiple domains, nginx and nodejs

Icehunter · February 21, 2017, 4:17am

Please see later in the post for my config files. My issue is that when using the following site to verify ssl settings; https://ssllabs.com/ssltest; I get the following “issue”:

The “ffxiv-app.com” certificate is presented as a secondary certificate that’s not trusted for all domains.

That’s the only issue I see. With the answers to the standard template below, am I missing anything?

My domain is:

I ran this command:

Installed certbot then ran the following commads with only “default” site enabled.
Ran similar command for all domains, which were succesful:
- certbot certonly --webroot -w /opt/www -d domain.com -d www.domain.com
enabled each domains config after starting service

It produced this output:

Standard output with success.

My operating system is (include version):

Ubuntu 16.10 4.8.0-38-generic

My web server is (include version):

nginx/1.10.1, nodejs 7.5.0 (hapi, express)

My hosting provider, if applicable, is:

DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

No

default:

server {
    listen 80 default;
    server_name  _;

    root /opt/www;

    location / {
        try_files $uri /index.html =404;
    }

    location ~ /.well-known {
        allow all;
    }

    location @maintenance {
        try_files $uri /maintenance.html =404;
    }

    error_page 404 /;
    error_page 500 502 503 504 =200 @maintenance;
}

xivapp.com (same config except cert locations and domain name for rest):

server {
    listen 80;

    server_name www.xivapp.com;

    return 301 https://www.xivapp.com$request_uri;
}

server {
    listen 80;

    server_name xivapp.com;

    return 301 https://xivapp.com$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name www.xivapp.com;

    include snippets/ssl-xivapp.com.conf;
    include snippets/ssl-params.conf;

    return 301 https://xivapp.com$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    
    server_name xivapp.com;

    include snippets/ssl-xivapp.com.conf;
    include snippets/ssl-params.conf;

    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
    proxy_intercept_errors on;

    location / {
        proxy_pass http://127.0.0.1:#####;
    }

    location @maintenance {
        root /opt/www;
        try_files $uri /maintenance.html =404;
    }

    error_page 500 502 503 504 =200 @maintenance;
}

ssl-params:

# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;

ahaw021 · February 21, 2017, 9:25am

hmm you results seem to be ok

https://www.ssllabs.com/ssltest/analyze.html?d=ffxiv-app.com&hideResults=on

Icehunter · February 21, 2017, 7:07pm

Yup!

This is true, but if you choose another domain:
https://www.ssllabs.com/ssltest/analyze.html?d=xivapp.com&hideResults=on&latest

It has 2 certificates that show for some reason. I still get the A+ score; it’s just weird to have two show.

Osiris · February 21, 2017, 8:26pm

You mean you also see this:

“Certificate #2: RSA 2048 bits (SHA256withRSA) No SNI”

?

IMHO it’s a very, very confusing extra feature SSL Labs has put in their server test: it shows the certificate path for clients which are not using the SNI extension to SSL.

999 of 1000 times this won’t present an issue, so besides the warning at the top of the SSL Labs test (about SNI), it won’t affect the grading.

Icehunter · February 21, 2017, 8:38pm

Oh! So in reality this isn’t going to affect security? That’s awesome then; I was just concerned I had setup my sites inappropriately.

Thanks!

Osiris · February 21, 2017, 8:42pm

Security isn't affected. The only concern might be that clients with "No SNI" in the section "Handshake Simulation" will get an error about an incorrect certificate. But as you can see from the same table, there are just 4 clients with such a problem and they are very old.

The only way to mitigate the "No SNI" problem is by having one single IP for every virtualhost. Most of the times that isn' even possible (just 1 IP for the whole server), so it isn't a problem which can be fixed nor is it a problem which has to be fixed.

Icehunter · February 21, 2017, 9:18pm

Awesome!

Thank you so much to everyone.

system · March 23, 2017, 9:18pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.