Skip to content

Instantly share code, notes, and snippets.

@maier-stefan

maier-stefan/Solution of SSL

Last active August 29, 2015 14:07
Show Gist options
  • Save maier-stefan/db8a2390b08358bd1d28 to your computer and use it in GitHub Desktop.
Save maier-stefan/db8a2390b08358bd1d28 to your computer and use it in GitHub Desktop.
Download ZIP
SSL Error - ssl_error_rx_record_too_long
Raw
gistfile1.nginxconf
user nginx;
worker_processes {{ workers }};
error_log {{ deploy_to }}/shared/log/nginx_error.log;
events
{
worker_connections 1024;
{% if passenger != true %}
accept_mutex off;
{% endif %}
}
http
{
gzip on;
gzip_min_length 100;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain application/xml text/css application/x-javascript text/javascript;
gzip_disable "MSIE [1-6]\.";
add_header X-Powered-By cloud66;
{% if has_ha_proxy_load_balancer == true and supports_realip_module == true %}
set_real_ip_from {{ load_balancer_address }};
real_ip_header X-Forwarded-For;
{% endif %}
{% if passenger != true %}
tcp_nopush on;
tcp_nodelay off;
{% else %}
passenger_root {{ passenger_location }};
passenger_friendly_error_pages off;
{% if use_ruby_shell == true %}
passenger_ruby {{ ruby_shell }};
{% endif %}
passenger_user nginx;
passenger_pool_idle_time 0;
passenger_max_pool_size {{ passenger_pool_max }};
{% endif %}
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
{% if perfect_forward_secrecy == true %}
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
# alternate ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:RC4-SHA;
{% endif %}
underscores_in_headers on;
{% if passenger != true %}
types_hash_max_size 2048;
{% endif %}
include mime.types;
default_type application/octet-stream;
client_max_body_size 50m;
sendfile on;
server_tokens off;
keepalive_timeout 65;
{% if passenger != true %}
upstream socket_server
{
server unix:/tmp/web_server.sock fail_timeout=0;
{% if ports != empty %}
{% for port in ports %}
server localhost:{{ port }} fail_timeout=0;
{% endfor %}
{% endif %}
}
{% endif %}
server
{
listen 80;
server_name www.draimond.com;
return 301 https://draimond.com$request_uri;
}
server
{
listen 443 default_server;
{% for ip in blacklist %}
deny {{ ip }};
{% endfor %}
{% if red_http_to_https == true %}
{% if has_load_balancer %}
if ($http_x_forwarded_proto = "http") {
rewrite ^(.*) https://$host$1 permanent;
}
{% else %}
rewrite ^(.*) https://$host$1 permanent;
{% endif %}
{% endif %}
{% if red_www == 0 %}
server_name _;
{% endif %}
{% if red_www == 2 %}
if ($http_host ~ ^(?!www\.)(.*)) {
return 301 $scheme://www.$1$request_uri;
}
{% endif %}
{% if red_www == 1 %}
if ($http_host ~ ^www\.(.*)$) {
return 301 $scheme://$1$request_uri;
}
{% endif %}
{% if passenger == true %}
rails_env {{ environment }};
passenger_enabled on;
{% else %}
keepalive_timeout 5;
{% endif %}
root {{ deploy_to }}/current/public;
# ban known tor ip address ranges
include /etc/cloud66/nginx_tor*.conf;
client_max_body_size 50m;
# redirect to 503 if maintenance page present
if (-f $document_root/cloud66_maintenance.html)
{
return 503;
}
# redirect on errors
error_page 500 502 504 /50x.html;
error_page 503 @maintenance;
# handle error redirect
location = /50x.html
{
root html;
}
location @maintenance
{
error_page 405 = /cloud66_maintenance.html;
if (-f $document_root/cloud66_maintenance.html)
{
rewrite ^(.*)$ /cloud66_maintenance.html break;
}
rewrite ^(.*)$ /503.html break;
}
{% if cors_enabled == true %}
# Cross domain resource
add_header Access-Control-Allow-Origin "{{ cors_origin }}";
add_header Access-Control-Allow-Methods "{{ cors_methods }}";
{% endif %}
{% if passenger == true %}
try_files $uri /cloud66_maintenance.html @passenger;
location @passenger
{
passenger_enabled on;
passenger_min_instances 5;
passenger_set_cgi_param HTTP_X_FORWARDED_PROTO $scheme;
}
{% else %}
location /
{
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
if (!-f $request_filename)
{
proxy_pass http://socket_server;
break;
}
}
{% endif %}
location ~ \.php$
{
deny all;
}
}
{% if allow_ssl == true %}
server
{
listen 443;
ssl on;
ssl_certificate_key /etc/ssl/localcerts/{{ ssl_certificate_filename }}.key;
ssl_certificate /etc/ssl/localcerts/{{ ssl_certificate_filename }}.crt;
{% for ip in blacklist %}
deny {{ ip }};
{% endfor %}
{% if red_www == 0 %}
server_name {{ ssl_certificate_servernames }};
{% endif %}
{% if red_www == 2 %}
if ($http_host ~ ^(?!www\.)(.*)) {
return 301 $scheme://www.$1$request_uri;
}
{% endif %}
{% if red_www == 1 %}
if ($http_host ~ ^www\.(.*)$) {
return 301 $scheme://$1$request_uri;
}
{% endif %}
client_max_body_size 50m;
{% if passenger == true %}
rails_env {{ environment }};
{% endif %}
root {{ deploy_to }}/current/public;
# ban known tor ip address ranges
include /etc/cloud66/nginx_tor*.conf;
# redirect to 503 if maintenance page present
if (-f $document_root/cloud66_maintenance.html)
{
return 503;
}
# redirect on errors
error_page 500 502 504 /50x.html;
error_page 503 @maintenance;
# handle error redirect
location = /50x.html
{
root html;
}
location @maintenance
{
error_page 405 = /cloud66_maintenance.html;
if (-f $document_root/cloud66_maintenance.html)
{
rewrite ^(.*)$ /cloud66_maintenance.html break;
}
rewrite ^(.*)$ /503.html break;
}
{% if cors_enabled == true %}
# Cross domain resource
add_header Access-Control-Allow-Origin "{{ cors_origin }}";
add_header Access-Control-Allow-Methods "{{ cors_methods }}";
{% endif %}
{% if passenger == true %}
try_files $uri /cloud66_maintenance.html @passenger;
location @passenger
{
passenger_enabled on;
passenger_min_instances 5;
passenger_set_cgi_param HTTP_X_FORWARDED_PROTO $scheme;
}
{% else %}
location /
{
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
if (!-f $request_filename)
{
proxy_pass http://socket_server;
break;
}
}
{% endif %}
location ~ \.php$
{
deny all;
}
}
{% endif %}
}
Raw
Solution of SSL
user nginx;
worker_processes {{ workers }};
error_log {{ deploy_to }}/shared/log/nginx_error.log;
events
{
worker_connections 1024;
{% if passenger != true %}
accept_mutex off;
{% endif %}
}
http
{
gzip on;
gzip_min_length 100;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain application/xml text/css application/x-javascript text/javascript;
gzip_disable "MSIE [1-6]\.";
add_header X-Powered-By cloud66;
{% if has_ha_proxy_load_balancer == true and supports_realip_module == true %}
set_real_ip_from {{ load_balancer_address }};
real_ip_header X-Forwarded-For;
{% endif %}
{% if passenger != true %}
tcp_nopush on;
tcp_nodelay off;
{% else %}
passenger_root {{ passenger_location }};
passenger_friendly_error_pages off;
{% if use_ruby_shell == true %}
passenger_ruby {{ ruby_shell }};
{% endif %}
passenger_user nginx;
passenger_pool_idle_time 0;
passenger_max_pool_size {{ passenger_pool_max }};
{% endif %}
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
{% if perfect_forward_secrecy == true %}
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
# alternate ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:RC4-SHA;
{% endif %}
underscores_in_headers on;
{% if passenger != true %}
types_hash_max_size 2048;
{% endif %}
include mime.types;
default_type application/octet-stream;
client_max_body_size 50m;
sendfile on;
server_tokens off;
keepalive_timeout 65;
{% if passenger != true %}
upstream socket_server
{
server unix:/tmp/web_server.sock fail_timeout=0;
{% if ports != empty %}
{% for port in ports %}
server localhost:{{ port }} fail_timeout=0;
{% endfor %}
{% endif %}
}
{% endif %}
server
{
listen 80 default_server;
return 301 https://$host$request_uri;
{% for ip in blacklist %}
deny {{ ip }};
{% endfor %}
{% if red_http_to_https == true %}
{% if has_load_balancer %}
if ($http_x_forwarded_proto = "http") {
rewrite ^(.*) https://$host$1 permanent;
}
{% else %}
rewrite ^(.*) https://$host$1 permanent;
{% endif %}
{% endif %}
{% if red_www == 0 %}
server_name _;
{% endif %}
{% if red_www == 2 %}
if ($http_host ~ ^(?!www\.)(.*)) {
return 301 $scheme://www.$1$request_uri;
}
{% endif %}
{% if red_www == 1 %}
if ($http_host ~ ^www\.(.*)$) {
return 301 $scheme://$1$request_uri;
}
{% endif %}
{% if passenger == true %}
rails_env {{ environment }};
passenger_enabled on;
{% else %}
keepalive_timeout 5;
{% endif %}
root {{ deploy_to }}/current/public;
# ban known tor ip address ranges
include /etc/cloud66/nginx_tor*.conf;
client_max_body_size 50m;
# redirect to 503 if maintenance page present
if (-f $document_root/cloud66_maintenance.html)
{
return 503;
}
# redirect on errors
error_page 500 502 504 /50x.html;
error_page 503 @maintenance;
# handle error redirect
location = /50x.html
{
root html;
}
location @maintenance
{
error_page 405 = /cloud66_maintenance.html;
if (-f $document_root/cloud66_maintenance.html)
{
rewrite ^(.*)$ /cloud66_maintenance.html break;
}
rewrite ^(.*)$ /503.html break;
}
{% if cors_enabled == true %}
# Cross domain resource
add_header Access-Control-Allow-Origin "{{ cors_origin }}";
add_header Access-Control-Allow-Methods "{{ cors_methods }}";
{% endif %}
{% if passenger == true %}
try_files $uri /cloud66_maintenance.html @passenger;
location @passenger
{
passenger_enabled on;
passenger_min_instances 5;
passenger_set_cgi_param HTTP_X_FORWARDED_PROTO $scheme;
}
{% else %}
location /
{
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
if (!-f $request_filename)
{
proxy_pass http://socket_server;
break;
}
}
{% endif %}
location ~ \.php$
{
deny all;
}
}
{% if allow_ssl == true %}
server
{
listen 443;
ssl on;
ssl_certificate_key /etc/ssl/localcerts/{{ ssl_certificate_filename }}.key;
ssl_certificate /etc/ssl/localcerts/{{ ssl_certificate_filename }}.crt;
{% for ip in blacklist %}
deny {{ ip }};
{% endfor %}
{% if red_www == 0 %}
server_name {{ ssl_certificate_servernames }};
{% endif %}
{% if red_www == 2 %}
if ($http_host ~ ^(?!www\.)(.*)) {
return 301 $scheme://www.$1$request_uri;
}
{% endif %}
{% if red_www == 1 %}
if ($http_host ~ ^www\.(.*)$) {
return 301 $scheme://$1$request_uri;
}
{% endif %}
client_max_body_size 50m;
{% if passenger == true %}
rails_env {{ environment }};
{% endif %}
root {{ deploy_to }}/current/public;
# ban known tor ip address ranges
include /etc/cloud66/nginx_tor*.conf;
# redirect to 503 if maintenance page present
if (-f $document_root/cloud66_maintenance.html)
{
return 503;
}
# redirect on errors
error_page 500 502 504 /50x.html;
error_page 503 @maintenance;
# handle error redirect
location = /50x.html
{
root html;
}
location @maintenance
{
error_page 405 = /cloud66_maintenance.html;
if (-f $document_root/cloud66_maintenance.html)
{
rewrite ^(.*)$ /cloud66_maintenance.html break;
}
rewrite ^(.*)$ /503.html break;
}
{% if cors_enabled == true %}
# Cross domain resource
add_header Access-Control-Allow-Origin "{{ cors_origin }}";
add_header Access-Control-Allow-Methods "{{ cors_methods }}";
{% endif %}
{% if passenger == true %}
try_files $uri /cloud66_maintenance.html @passenger;
location @passenger
{
passenger_enabled on;
passenger_min_instances 5;
passenger_set_cgi_param HTTP_X_FORWARDED_PROTO $scheme;
}
{% else %}
location /
{
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
if (!-f $request_filename)
{
proxy_pass http://socket_server;
break;
}
}
{% endif %}
location ~ \.php$
{
deny all;
}
}
{% endif %}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment