Quite a bizarre thing: the SSL certs work perfectly across the board with an A+ at SSL Labs, yet the site doesn't load correctly in Safari or Chrome on iOS when using T-Mobile's LTE network.
Here's the nginx configuration:

    server {
        listen 80;
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name mydomain;

        ssl_certificate /etc/letsencrypt/live/mydomain/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mydomain/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/mydomain/fullchain.pem;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_protocols TLSv1.2;
        ssl_ciphers EECDH+AESGCM:EECDH+AES;
        ssl_ecdh_curve secp384r1;
        ssl_prefer_server_ciphers on;
        ssl_stapling on;
        ssl_stapling_verify on;

        add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;

        if ($ssl_protocol = "") {
            rewrite ^ https://$host$request_uri? permanent;
        }

        location / {
            proxy_pass http://127.0.0.1:1337;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection upgrade;
            proxy_set_header Host $host;
        }

        location '/.well-known/acme-challenge/' {
            default_type "text/plain";
            root /home/j/www/mydomain;
        }
    }
Any ideas?
Unless you reveal your domain name, helping you is quite hard.
stevenzhu:
This might happen due to a misconfiguration of nginx.
Please try a separate SSL port with the regular HTTP port.
Could you please clarify the misconfiguration regarding ports? I don't see it.
The domain is https://critical-mass.network not that it matters.
From what I've gathered, T-Mobile's LTE network is strictly IPv6, but it should work via IPv6 as well with the current config, right?
Never mind. I thought he had misconfigured the server by putting 80 and 443 in one config.
Yes, it should.
However, you definitely misconfigured the server.
Please add port 80 on IPv6 to your config, or it won't load on my phone.
(As well on SSL labs)
    server {
        listen 80;
        listen [::]:80;
        server_name critical-mass.network;

        location / {
            return 301 https://critical-mass.network$request_uri;
        }
    }
Adding this, still doesn’t pick it up, missing something?
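As an added example (not code from this thread), a small Python check for the mismatch discussed above: it parses every `listen` directive and reports ports that have an IPv4 socket but no `[::]` counterpart, run against a constructed config that mirrors the first post.

```python
import re

# Constructed sample mirroring the first post's server block: port 443 has an
# IPv6 socket, port 80 does not, so an IPv6-only client never reaches the
# http -> https redirect.
SAMPLE_CONFIG = """
server {
    listen 80;
    listen 443 ssl;
    listen [::]:443 ssl;   # nginx's ipv6only is on by default, so [::] is IPv6 only
    server_name example.invalid;
}
"""
FIXED_CONFIG = SAMPLE_CONFIG.replace("listen 80;", "listen 80;\n    listen [::]:80;")

LISTEN_RE = re.compile(r"^\s*listen\s+([^;]+);", re.MULTILINE)
IPV6_RE = re.compile(r"^\[([0-9a-fA-F:.]*)\](?::(\d+))?$")   # [::]:80, [::1]
IPV4_RE = re.compile(r"^(?:([^:\[\]]+):)?(\d+)$")           # 80, *:80, 1.2.3.4:80

def parse_listen(arg):
    """Return (family, port) for one listen directive argument."""
    addr = arg.split()[0]            # drop parameters such as ssl, default_server
    if addr.startswith("unix:"):
        return "unix", None
    m = IPV6_RE.match(addr)
    if m:
        return "ipv6", int(m.group(2)) if m.group(2) else 80   # nginx default port
    m = IPV4_RE.match(addr)
    if m:
        return "ipv4", int(m.group(2))
    return "ipv4", 80                # bare address or hostname without a port

def listen_sockets(config_text):
    """Map each TCP port to the set of address families that listen on it."""
    text = re.sub(r"#.*", "", config_text)   # ignore comments
    ports = {}
    for arg in LISTEN_RE.findall(text):
        family, port = parse_listen(arg)
        if family != "unix":
            ports.setdefault(port, set()).add(family)
    return ports

def ipv4_only_ports(config_text):
    """Ports with an IPv4 socket but no IPv6 counterpart; [] means consistent."""
    return sorted(p for p, fams in listen_sockets(config_text).items()
                  if fams == {"ipv4"})

if __name__ == "__main__":
    print("IPv4-only ports:", ipv4_only_ports(SAMPLE_CONFIG))   # [80]
```

A non-empty result is only half the story: as the replies below note, the IPv6 socket also has to be reachable through the host firewall.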
sahsanu
February 28, 2018, 2:11pm
You should review your firewall rules for IPv6 or port forwarding if you are using it.
Hi,
You have an IPv6 record and it's not accessible.
T-Mo prefers v6 over v4, so please check your config.
Thank you
This ought to do it right?
    j@criticalmass ~ » sudo ip6tables -L
    Chain INPUT (policy ACCEPT)
    target     prot       opt source      destination
    ACCEPT     all            anywhere    anywhere
    REJECT     all            localhost   anywhere     reject-with icmp6-port-unreachable
    ACCEPT     ipv6-icmp      anywhere    anywhere
    ACCEPT     tcp            anywhere    anywhere     tcp dpt:http state NEW
    ACCEPT     tcp            anywhere    anywhere     tcp dpt:https state NEW
    ACCEPT     all            anywhere    anywhere     state RELATED,ESTABLISHED
    LOG        all            anywhere    anywhere     limit: avg 5/min burst 5 LOG level debug prefix "ip6tables_INPUT_denied: "
    REJECT     all            anywhere    anywhere     reject-with icmp6-port-unreachable

    Chain FORWARD (policy ACCEPT)
    target     prot       opt source      destination
    LOG        all            anywhere    anywhere     limit: avg 5/min burst 5 LOG level debug prefix "ip6tables_FORWARD_denied: "
    REJECT     all            anywhere    anywhere     reject-with icmp6-port-unreachable

    Chain OUTPUT (policy ACCEPT)
    target     prot       opt source      destination
Will the proxy pass cause issues with nginx?
sahsanu
February 28, 2018, 2:49pm
That rule doesn't make much sense to me, especially if you are using proxy pass.
system
Closed
March 30, 2018, 2:49pm
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.