
I have a docker infrastructure consisting of

- 1 nginx reverse proxy
- 1 nginx web server
- 1 php7.0 fpm server

Both the nginx reverse proxy and the web server use the same docker image, just loaded with different site confs.

The reverse proxy also serves a static JavaScript SPA as well as reverse proxying to the web server, which serves my API.

So both nginx containers are running the same /etc/nginx/nginx.conf.

My SSL configs here are:

##
# SSL Settings
##
ssl_stapling off;
ssl_session_timeout 1h;
ssl_session_tickets off;
ssl_stapling_verify off;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
ssl_certificate /srv/ssl/nginx-selfsigned.crt;
ssl_certificate_key /srv/ssl/nginx-selfsigned.key;
ssl_dhparam /srv/ssl/dhparam.pem;

My site config for the reverse proxy is like this:

server {

  listen 1025 ssl http2;
  listen [::]:1025 ssl http2;

  server_name api.site.com;

  location / {

    #include /etc/nginx/naxsi.rules;
    proxy_pass  https://td-api:1025;

    proxy_buffering on;
    proxy_buffers 256 16k;
    proxy_buffer_size 128k;
    proxy_read_timeout 300;
    proxy_intercept_errors on;
    proxy_max_temp_file_size 0;
    proxy_busy_buffers_size 256k;
    proxy_temp_file_write_size 256k;
    proxy_set_header Host $host;
    proxy_set_header Accept-Encoding "";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}

My site config for the SPA is:

server {
    listen 1025 ssl http2;
    listen [::]:1025 ssl http2;

    server_name site.network;

    root /srv/agentfree-client/dist;

    limit_conn addr 10; 
    limit_req zone=one burst=15 nodelay;

    index index.html;

    autoindex off;

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location / {
        if (!-e $request_filename){
            rewrite ^(.*)$ /index.html break;
        }
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
    }
}

My nginx config for the API web server is:

server {

  listen 1025 ssl http2 default_server;
  listen [::]:1025 ssl http2 default_server;

  index index.php;

  root /srv/www/public;

  server_name api.site.com;

  limit_conn addr 10; 
  limit_req zone=one burst=15 nodelay;

  location / {
    #include /etc/nginx/naxsi.rules;  
    try_files $uri $uri/ /index.php?$query_string;
  }

  location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass td-api-fpm:9000;
  }
}

My SSL certificates are self-signed and generated as follows:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /srv/ssl/nginx-selfsigned.key -out /srv/ssl/nginx-selfsigned.crt

openssl dhparam -out /srv/ssl/dhparam.pem 2048

In front of this I then run Cloudflare SSL in Full mode with the TLS 1.3 beta turned off.

When I load up the static site I get my site and a nice green HTTPS in Chrome.

When I try to hit a route in my API I am presented with this error:

This site can't provide a secure connection

api.site.com uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Unsupported protocol: The client and server don't support a common SSL protocol version or cipher suite.

I'm on Ubuntu 16.10, and the docker containers run 16.10. I'm getting this in Chrome 57.0.2987.110 (Official Build) (64-bit). I've also tested in Firefox on the same machine and on an iPad.

If I bypass Cloudflare for the API URL my site loads up, albeit with the self-signed SSL warning.

Can anyone explain why this is happening? I'm running this exact setup for multiple apps with no problem, but this one API server is driving me insane.

user618509
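As an added check (not code from the original question), this Python linter parses the ssl_protocols and ssl_ciphers lines posted above and reports legacy protocol versions plus weak algorithms that remain selectable because no `!` token removes them; it approximates OpenSSL cipher-string semantics rather than evaluating them in full.

```python
import re

# Constructed input: the two SSL directives exactly as they appear in the question.
NGINX_SSL_SNIPPET = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Cipher-string keywords that select broken or deprecated algorithms.
WEAK_ALGS = {"RC4", "3DES", "DES", "MD5", "EXP", "LOW", "NULL", "aNULL", "eNULL"}


def parse_directives(text):
    """Return {directive: value} for single-line ssl_* directives ending in ';'."""
    out = {}
    for m in re.finditer(r"^\s*(ssl_\w+)\s+(.*?);\s*$", text, re.M):
        out[m.group(1)] = m.group(2)
    return out


def lint_ssl(text):
    """List findings for legacy protocols and weak algorithms still selectable."""
    d = parse_directives(text)
    findings = []
    for proto in d.get("ssl_protocols", "").split():
        if proto in LEGACY_PROTOCOLS:
            findings.append(f"legacy protocol enabled: {proto}")
    enabled, killed = set(), set()
    for tok in d.get("ssl_ciphers", "").split(":"):
        if tok.startswith("!"):          # '!X' permanently removes X from the list
            killed.add(tok[1:])
        else:                            # 'A+B+C' selects ciphers matching all of A, B, C
            enabled.update(alg for alg in tok.split("+") if alg in WEAK_ALGS)
    for alg in sorted(enabled - killed):
        findings.append(f"weak algorithm selectable (not negated with !): {alg}")
    return findings


if __name__ == "__main__":
    for f in lint_ssl(NGINX_SSL_SNIPPET):
        print(f)
```

With Cloudflare in Full mode, these directives govern only the Cloudflare-to-origin leg; the browser negotiates with Cloudflare's edge, so they cannot by themselves produce the browser error shown.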
  • What OS and browser do you use? – Alexander Tolkachev May 27 '17 at 07:55
  • Has versions in post: Ubuntu 16.10 for my machine and server, and Chrome v57 – user618509 May 27 '17 at 08:01
  • Check to see if you have any pagerules that apply to api, if you do please edit your question to include them. Next try the [legacy cypher suite](https://cipherli.st/) from this site - if it makes a difference something is probably misconfigured as it should be using CloudFlare cyphers to the browser. Please also include a screenshot of the error, I want to see if it's a CloudFlare or Nginx error. You should also include applicable Nginx log, access or Nginx, that show the problem. – Tim May 29 '17 at 01:21
  • I disabled all page rules while trying to debug; the only rules we have make sure we only use HTTPS and remove the www. Will try the legacy cipher suite, but I'm probably going to open a ticket at Cloudflare as I think it must be something wrong with their network; as said, I'm using this exact same config on several apps deployed with docker which all work fine. The error is the default browser error so it looks like I can communicate to CF, not CF and to my server. Like I said, I can also go direct to the IP and it works fine – user618509 May 30 '17 at 02:20
  • Refs this link: [What browsers work with Cloudflare's SSL certificates?](https://support.cloudflare.com/hc/en-us/articles/203041594-What-browsers-work-with-Cloudflare-s-SSL-certificates-) – Le Dinh Dam Apr 20 '18 at 16:12

1 Answer


Turns out you cannot use multi-level subdomains with SSL on the free plan.

user618509
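As an added illustration of the answer (not code from the original post): Cloudflare's Universal SSL certificate is a single-level wildcard, and under RFC 6125 a `*` matches exactly one DNS label, so `*.site.com` covers `api.site.com` but not a deeper name such as `api.dev.site.com`. The SAN list below is a constructed example; `probe` makes a real network call and is only there to reproduce the check against a live host.

```python
import socket
import ssl


def hostname_matches(pattern, hostname):
    """RFC 6125-style match: '*' may only be the whole leftmost label and covers one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def covered_by(sans, hostname):
    """True if any DNS SAN in the certificate covers hostname."""
    return any(hostname_matches(san, hostname) for san in sans)


# Constructed example of the SANs carried by a single-level wildcard certificate.
UNIVERSAL_SANS = ["site.com", "*.site.com"]


def probe(hostname, port=443):
    """Attempt a verified TLS handshake (network call); returns (ok, detail)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                sans = [v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"]
                return True, f"{tls.version()}; hostname covered: {covered_by(sans, hostname)}"
    except ssl.SSLError as exc:
        # An edge with no certificate for the SNI name typically aborts the handshake
        # here, which Chrome reports as ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
        return False, str(exc)


if __name__ == "__main__":
    for name in ("site.com", "api.site.com", "api.dev.site.com"):
        print(name, "->", covered_by(UNIVERSAL_SANS, name))
```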