Some 404 pages do not display XenForo error pages, instead just showing the nginx error

[rdn]

As expected error pages will display the built in XenForo error page.
Like this : test 404 error

But accessing an error pages with a known extension like .jpg .png .gif. will just display the nginx error notice.
Example: test 404 error with extension

How can I fix this?

As I notice @Floren @p4guru and @digitalpoint which I think where both using nginx is working fine.

 

[shawn]

Without seeing your conf files, I'd guess that static assets are served directly from nginx. PHP is getting passed to some backend (fastcgi, apache, etc), which is where the xenforo 404 page is generated (because the decision to send a 404 is made in the application software). If you just ask for a .jpg that doesn't exist, xenforo never comes into the picture.

I'd suggest creating a custom 40x error page that looks like the Xenforo page (you could even copy/paste most of the code right out of one), or possibly figure out a rewrite rule that would load index.php or something like that if the requested static asset wasn't found.

 

[digitalpoint]

I didn't do anything special... looks like other sites that I check work the same:

http://xenforo.com/community/test.jpg
http://admin-talk.com/test.jpg
http://adminextra.com/test.jpg
http://forums.spacebattles.com/test.jpg

Maybe your Nginx conf isn't the normal setup for XF?

 

[rdn]

As I see, @MattW is facing the same issue.

 

[Floren]

How can I fix this?

Paste the 404 error rules you have in your config.

 

[rdn]

Paste the 404 error rules you have in your config.

This is my domain config:

server {
    server_name phcorner.net www.phcorner.net;
    return 301 https://www.phcorner.net$request_uri;
}

server {
    listen 192.99.1.216:443 ssl spdy default_server;
    server_name www.phcorner.net;

     ssl_certificate /usr/local/nginx/conf/ssl/phcornernet/ssl-unified.crt;
        ssl_certificate_key /usr/local/nginx/conf/ssl/phcornernet/www_phcorner_net.key;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout  10m;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!kEDH:!EDH:!CAMELLIA;
        ssl_prefer_server_ciphers  on;
        add_header Alternate-Protocol 443:npn-spdy/2;
        # enable ocsp stapling
        resolver 8.8.8.8;
        ssl_stapling on;

  # ngx_pagespeed & ngx_pagespeed handler
  include /usr/local/nginx/conf/pagespeed.conf;
  include /usr/local/nginx/conf/pagespeedhandler.conf;
  include /usr/local/nginx/conf/pagespeedstatslog.conf;

  access_log /home/nginx/domains/phcorner.net/log/access.log combined buffer=32k;
  error_log /home/nginx/domains/phcorner.net/log/error.log;

  root /home/nginx/domains/phcorner.net/public;

  # block common exploits, sql injections etc
  include /usr/local/nginx/conf/block.conf;

  # Start XenForo
  location / {
        index index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$uri&$args;
        }

        location /internal_data/ {
        internal;
        allow 127.0.0.1;
        deny all;
        }

        location /library/ {
        internal;
        allow 127.0.0.1;
        deny all;
        }
        location = /data/taigachat/ {
     open_file_cache off;
        }
  # End Xenforo

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
}

We're using CentMin Mod.
I don't remember I have 404 error rules.

 

[rdn]

Removing this include:
include /usr/local/nginx/conf/staticfiles.conf;
Fixed this problem.

And this is staticfiles.conf content:

    location ~* \.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso|si)$ {
    gzip_static off;
    #add_header Pragma public;
    add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    access_log off;
    expires 90d;
    break;
        }

    location ~* \.(js)$ {
    #add_header Pragma public;
    add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    access_log off;
    expires 30d;
    break;
        }

    location ~* \.(css)$ {
    #add_header Pragma public;
    add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    access_log off;
    expires 30d;
    break;
        }

    location ~* \.(html|htm|txt)$ {
    #add_header Pragma public;
    add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    access_log off;
    expires 7d;
    break;
        }

    location ~* \.(eot|svg|ttf|woff)$ {
    #add_header Pragma public;
    add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    access_log off;
    expires 1y;
    break;
        }

 

[Floren]

While there, enable the OCSP verification.
ssl_stapling_verify = on;

 

[rdn]

While there, enable the OCSP verification.
ssl_stapling_verify = on;

Domain config?
On what line should I insert it?

Thanks @Floren

 

[Floren]

Check the documentation. Here it is a quick example:

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate ocsp.certificate.crt;
resolver 8.8.8.8 8.8.4.4 valid=10m;
resolver_timeout 10s;

I presume your cert is bundled... If proper, you should get a response like:

$ openssl s_client -connect axivo.com:443 -status -tls1_2 | grep OCSP
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
                TLS Web Server Authentication, OCSP Signing
            OCSP No Check:

Right now, you have:

$ openssl s_client -connect phcorner.net:443 -status -tls1_2 | grep OCSP
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
            OCSP No Check:
                OCSP Signing

In other words, it does not verifies OCSP responses.

 

[p4guru]

@Floren don't you have to run the check a few times as the first response might not have the OCSP response stapled https://community.qualys.com/message/21126#21126 ????

when i check axivo.com i get

openssl s_client -connect axivo.com:443 -status -tls1_2 | grep OCSP
depth=2 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certificates.starfieldtech.com/repository, CN = Starfield Secure Certification Authority, serialNumber = 10688435
verify return:1
depth=0 O = www.axivo.com, OU = Domain Control Validated, CN = www.axivo.com
verify return:1
OCSP response: no response sent

 

[Floren]

@Floren don't you have to run the check a few times as the first response might not have the OCSP response stapled https://community.qualys.com/message/21126#21126 ????

Thanks for the link.

Edit: @p4guru, I get this:

OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
                TLS Web Server Authentication, OCSP Signing
            OCSP No Check:

 

[Andy.N]

Check the documentation. Here it is a quick example:

ssl_stapling_verify = on;

It should be ssl_stapling_verify on;

 

[Floren]

@Andy.N, thanks and sorry for the typo. As usual, it was late at night and I was tired.

 

[Floren]

OK, OCSP stapling will start working once ALL workers cached the info.
If you restart the service, the cache process will be reinitialized but the important part is it will always stay enabled.
Result

Secure Renegotiation Supported
Secure Client-Initiated Renegotiation No
Insecure Client-Initated Renegotiation No
BEAST attack Mitigated server-side TLS 1.0: 0xc011
TLS compression No
RC4 Yes NOT DESIRABLE
Forward Secrecy Yes (with most browsers) ROBUST
Next Protocol Negotiation Yes  spdy/2 http/1.1
Session resumption (caching) Yes
Session resumption (tickets) Yes
OCSP stapling Yes
Strict Transport Security Yes max-age=31536000
Long handshake intolerance No
TLS extension intolerance No
TLS version intolerance TLS 2.98
SSL 2 handshake compatibility Yes

 

[rdn]

About the OSCP @Floren
Here's my domain config:

server {
    server_name phcorner.net www.phcorner.net;
    return 301 https://www.phcorner.net$request_uri;
}

server {
    listen 192.99.1.216:443 ssl spdy default_server;
    server_name www.phcorner.net;

     ssl_certificate /usr/local/nginx/conf/ssl/phcornernet/ssl-unified.crt;
        ssl_certificate_key /usr/local/nginx/conf/ssl/phcornernet/www_phcorner_net.key;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout  10m;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!kEDH:!EDH:!CAMELLIA;
        ssl_prefer_server_ciphers  on;
        add_header Alternate-Protocol 443:npn-spdy/2;
        # enable ocsp stapling
        #resolver 8.8.8.8;
        #ssl_stapling on;
       ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /usr/local/nginx/conf/ssl/phcornernet/ssl-unified.crt;
    resolver 8.8.8.8 8.8.4.4 valid=10m;
    resolver_timeout 10s;

  # ngx_pagespeed & ngx_pagespeed handler
  include /usr/local/nginx/conf/pagespeed.conf;
  include /usr/local/nginx/conf/pagespeedhandler.conf;
  include /usr/local/nginx/conf/pagespeedstatslog.conf;

  access_log /home/nginx/domains/phcorner.net/log/access.log combined buffer=32k;
  error_log /home/nginx/domains/phcorner.net/log/error.log;

  root /home/nginx/domains/phcorner.net/public;

  # block common exploits, sql injections etc
  include /usr/local/nginx/conf/block.conf;

  # Start XenForo
  location / {
        index index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$uri&$args;
        }

        location /internal_data/ {
        internal;
        allow 127.0.0.1;
        deny all;
        }

        location /library/ {
        internal;
        allow 127.0.0.1;
        deny all;
        }
        location = /data/taigachat/ {
     open_file_cache off;
        }
       
  # End Xenforo

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
}

But it didn't work, what's wrong with it?

 

[Floren]

You can't use the same certificate, you need to create a new with the root and intermediary certs inside.
Those certs are provided by your SSL seller.

 

[rdn]

You can't use the same certificate, you need to create a new with the root and intermediary certs inside.
Those certs are provided by your SSL seller.

So I will generate my own CSR here: https://www.digicert.com/easy-csr/openssl.htm ?
And run it on ssh to generate my own .csr file?
Thanks @Floren

 

[Floren]

No, you don't generate nothing. You create a .crt file and paste inside seller's root and intermediate certs.

 

[p4guru]

yup

cat intermediate.crt root.pem > trusted.crt

ssl_trusted_certificate /usr/local/nginx/conf/ssl/phcornernet/trusted.crt;