Nginx applying pieces of the same configurtion to all the vhosts

0

I have a problem with my nginx installation. In the main default.conf file i have enabled TLSv1.3 with X25519 ecdhe curve but i have a subdomain which doesn't have to use that curve. In the subdomain config i have enabled secp381r1 only but when i test the subdomain with ssllabs in the Supported Named Groups i see the three curves i have enabled in the default.conf file. The same thing happened a while back but with the enabled protocols! How can i fix this issue. I've tried to switch the file names and i have restarted nginx a billion times but it didn't work. I am running nginx 1.13.2 with Openssl 1.1.1-Dev on Ubuntu 17.04.

Here there is the ssllabs test for my main domain: https://www.ssllabs.com/ssltest/analyze.html?d=alessandroz.pro

And here there is the test for the subdomain: https://www.ssllabs.com/ssltest/analyze.html?d=ssl.alessandroz.pro

Here there is the main configuration:

map $sent_http_content_type $expires {
default                    off;
text/html                  epoch;
text/css                   max;
application/javascript     max;
~image/                    max;
}

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;

server_tokens off;

ssl_certificate /etc/nginxssl/rsa/chain2rsa.pem;
ssl_certificate_key /etc/nginxssl/rsa/rsa4096.key;

ssl_certificate /etc/nginxssl/ec/echain2.pem;
ssl_certificate_key /etc/nginxssl/ec/privkey.pem;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dh8192.pem;
ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-D:ECDHE-RSA-CHACHA20-POLY1305-D:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:AES256+EECDH:AES256+EDH:!aNULL;
ssl_ecdh_curve X25519:secp521r1:secp384r1;
ssl_session_cache shared:SSL:5m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginxssl/rsa/rsachain.pem;
resolver 8.8.8.8;
resolver_timeout 15s;
expires $expires;   


#add_header Public-Key-Pins 'pin-sha256="f6Rrjx1PVBHit0A3FRptkrBgow9EvmViNhd3tqz5RCg=""; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys="; pin-sha256="W64HXITqFK9CWicSLnRNMbaDL3kUwx3GKzlkJ3IVKRM="; max-age=2592000; report-uri="https://azreport.report-uri.io/r/default/hpkp/enforce"';
#add_header Public-Key-Pins-Report-Only 'pin-sha256="f6Rrjx1PVBHit0A3FRptkrBgow9EvmViNhd3tqz5RCg=""; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys="; pin-sha256="W64HXITqFK9CWicSLnRNMbaDL3kUwx3GKzlkJ3IVKRM="; max-age=2592000; report-uri="https://azreport.report-uri.io/r/default/hpkp/reportOnly"';
add_header Cache-Control "max-age=0; no-cache";
add_header Content-Security-Policy "default-src 'none'; upgrade-insecure-requests; block-all-mixed-content; script-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' 'strict-dynamic'; style-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' alessandroz.pro a.disquscdn.com; child-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com alessandroz.pro platform.twitter.com; frame-src fusiontables.googleusercontent.com alessandroz.pro fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; connect-src 'self' alessandroz.pro links.services.disqus.com; font-src cdnjs.cloudflare.com fonts.gstatic.com fonts.googleapis.com; form-action 'self'; report-uri https://azreport.report-uri.io/r/default/csp/enforce";
add_header Content-Security-Policy-Report-Only "default-src 'none'; upgrade-insecure-requests; block-all-mixed-content; script-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' 'strict-dynamic'; style-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' alessandroz.pro a.disquscdn.com; child-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com alessandroz.pro platform.twitter.com; frame-src fusiontables.googleusercontent.com alessandroz.pro fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; connect-src 'self' alessandroz.pro links.services.disqus.com; font-src cdnjs.cloudflare.com fonts.gstatic.com fonts.googleapis.com; form-action 'self'; report-uri https://azreport.report-uri.io/r/default/csp/reportOnly";
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header P3P 'CP=This is not a P3P Security Policy. Privacy Info At: https://alessandroz.pro/privacypolicy.html';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy strict-origin-when-cross-origin; 
add_header Expect-CT "enforce; max-age=30; report-uri https://azreport.report-uri.io/r/default/ct/enforce";
add_header Accept-Ranges bytes;

gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_min_length 256;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;

root /usr/share/nginx/www;

location = /favicon.ico { log_not_found off; access_log off; }
location = /robots.txt {log_not_found off; access_log off; allow all; }
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires 365d;
        log_not_found off;
    }   

index index.php index.html index.htm index.nginx-debian.html;

server_name alessandroz.pro;


error_page  405     =200 $uri;

location ~ /.well-known {
            allow all;
    }

location ^~ / {
    try_files $uri $uri/ /index.php$is_args$args;
    include  /etc/nginx/mime.types;

location ~ \.php$ {
    include /etc/nginx/snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

location ~ /\.ht {
    deny all;
    }

#location ~ (\.cgi|\.py|\.sh|\.pl|\.lua)$ {
    #gzip off;
#root /usr/share/nginx/tripwire;
    #autoindex on;
    #fastcgi_pass unix:/var/run/fcgiwrap.socket;
    #nclude /etc/nginx/fastcgi_params;
    #fastcgi_param DOCUMENT_ROOT /usr/share/nginx/tripwire;
    #fastcgi_param SCRIPT_FILENAME /usr/share/nginx/tripwire$fastcgi_script_name;
#}

location /doc/ {
    alias /usr/share/doc/;
    autoindex on;
    allow 127.0.0.1;
    deny all;
    }

}

}

server {
 listen 80;
 server_name alessandroz.pro;
 return 301 https://alessandroz.pro$request_uri;
 gzip off;
}

And here there is the subdomain configuration file:

map $sent_http_content_type $expires {
default                    off;
text/html                  epoch;
text/css                   max;
application/javascript     max;
~image/                    max;
}

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;

server_tokens off;

ssl_certificate /etc/nginxssl/rsa/chain2rsa.pem;
ssl_certificate_key /etc/nginxssl/rsa/rsa4096.key;

ssl_certificate /etc/nginxssl/ec/echain2.pem;
ssl_certificate_key /etc/nginxssl/ec/privkey.pem;

ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dh4096.pem;
#ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-D:ECDHE-RSA-CHACHA20-POLY1305-D:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:AES256+EECDH:AES256+EDH:!aNULL;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:5m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginxssl/rsa/rsachain.pem;
resolver 8.8.8.8;
resolver_timeout 15s;
expires $expires;   

add_header Public-Key-Pins 'pin-sha256="f6Rrjx1PVBHit0A3FRptkrBgow9EvmViNhd3tqz5RCg="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys="; pin-sha256="W64HXITqFK9CWicSLnRNMbaDL3kUwx3GKzlkJ3IVKRM="; max-age=2592000; report-uri="https://azreport.report-uri.io/r/default/hpkp/enforce"';
add_header Public-Key-Pins-Report-Only 'pin-sha256="f6Rrjx1PVBHit0A3FRptkrBgow9EvmViNhd3tqz5RCg="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys="; pin-sha256="W64HXITqFK9CWicSLnRNMbaDL3kUwx3GKzlkJ3IVKRM="; max-age=2592000; report-uri="https://azreport.report-uri.io/r/default/hpkp/reportOnly"';
add_header Cache-Control "max-age=0; no-cache";
add_header Content-Security-Policy "default-src 'none'; upgrade-insecure-requests; block-all-mixed-content; script-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' 'strict-dynamic'; style-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' alessandroz.pro a.disquscdn.com; child-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com alessandroz.pro platform.twitter.com; frame-src fusiontables.googleusercontent.com alessandroz.pro fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; connect-src 'self' alessandroz.pro links.services.disqus.com; font-src cdnjs.cloudflare.com fonts.gstatic.com fonts.googleapis.com; form-action 'self'; report-uri https://azreport.report-uri.io/r/default/csp/enforce";
add_header Content-Security-Policy-Report-Only "default-src 'none'; upgrade-insecure-requests; block-all-mixed-content; script-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' 'strict-dynamic'; style-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' alessandroz.pro a.disquscdn.com; child-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com alessandroz.pro platform.twitter.com; frame-src fusiontables.googleusercontent.com alessandroz.pro fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; connect-src 'self' alessandroz.pro links.services.disqus.com; font-src cdnjs.cloudflare.com fonts.gstatic.com fonts.googleapis.com; form-action 'self'; report-uri https://azreport.report-uri.io/r/default/csp/reportOnly";
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header P3P 'CP=This is not a P3P Security Policy. Privacy Info At: https://alessandroz.pro/privacypolicy.html';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy strict-origin-when-cross-origin; 
add_header Expect-CT "enforce; max-age=30; report-uri https://azreport.report-uri.io/r/default/ct/enforce";
add_header Accept-Ranges bytes;

gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_min_length 256;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;

root /usr/share/nginx/www/ssl;

location = /favicon.ico { log_not_found off; access_log off; }
location = /robots.txt {log_not_found off; access_log off; allow all; }
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires 365d;
        log_not_found off;
    }   

index index.php index.html index.htm index.nginx-debian.html;

server_name ssl.alessandroz.pro;


error_page  405     =200 $uri;

location ~ /.well-known {
            allow all;
    }

location ^~ / {
    try_files $uri $uri/ /index.php$is_args$args;
    include  /etc/nginx/mime.types;

location ~ \.php$ {
    include /etc/nginx/snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

location ~ /\.ht {
    deny all;
    }

#location ~ (\.cgi|\.py|\.sh|\.pl|\.lua)$ {
    #gzip off;
#root /usr/share/nginx/tripwire;
    #autoindex on;
    #fastcgi_pass unix:/var/run/fcgiwrap.socket;
    #nclude /etc/nginx/fastcgi_params;
    #fastcgi_param DOCUMENT_ROOT /usr/share/nginx/tripwire;
    #fastcgi_param SCRIPT_FILENAME /usr/share/nginx/tripwire$fastcgi_script_name;
#}

location /doc/ {
    alias /usr/share/doc/;
    autoindex on;
    allow 127.0.0.1;
    deny all;
    }
}

}

server {
 listen 80;
 server_name ssl.alessandroz.pro;
 return 301 https://ssl.alessandroz.pro$request_uri;
 gzip off;
}

Alessandro Z.

Posted 2017-07-17T09:33:36.200

Reputation: 16

What does your configuration actually look like? What version of nginx and Ubuntu are you running? What does your file structure look like? – Seth – 2017-07-17T11:35:37.080

You probably have line such as include /etc/nginx/snippets/ssl-params.conf; that includes some common ssl parameters. Remove it and write the customized ssl configuration for that subdomain. – simlev – 2017-07-17T14:08:49.160

I have added nginx and ubuntu versions. And i have looked at my configuration file and i haven't found any references to other ssl configurations. – Alessandro Z. – 2017-07-19T08:31:17.090

No answers

Asked: 2017-07-17T09:33:36.200

Viewed: 252 times

Active: 2017-07-19T08:30:04.940