• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Some 404 pages do not display XenForo error pages, instead just showing the nginx error

shawn

Well-known member
#2
Without seeing your conf files, I'd guess that static assets are served directly from nginx. PHP is getting passed to some backend (fastcgi, apache, etc), which is where the xenforo 404 page is generated (because the decision to send a 404 is made in the application software). If you just ask for a .jpg that doesn't exist, xenforo never comes into the picture.

I'd suggest creating a custom 40x error page that looks like the Xenforo page (you could even copy/paste most of the code right out of one), or possibly figure out a rewrite rule that would load index.php or something like that if the requested static asset wasn't found.
 

RoldanLT

Well-known member
#6
Paste the 404 error rules you have in your config.
This is my domain config:
Code:
server {
    server_name phcorner.net www.phcorner.net;
    return 301 https://www.phcorner.net$request_uri;
}

server {
    listen 192.99.1.216:443 ssl spdy default_server;
    server_name www.phcorner.net;

     ssl_certificate /usr/local/nginx/conf/ssl/phcornernet/ssl-unified.crt;
        ssl_certificate_key /usr/local/nginx/conf/ssl/phcornernet/www_phcorner_net.key;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout  10m;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!kEDH:!EDH:!CAMELLIA;
        ssl_prefer_server_ciphers  on;
        add_header Alternate-Protocol 443:npn-spdy/2;
        # enable ocsp stapling
        resolver 8.8.8.8;
        ssl_stapling on;

  # ngx_pagespeed & ngx_pagespeed handler
  include /usr/local/nginx/conf/pagespeed.conf;
  include /usr/local/nginx/conf/pagespeedhandler.conf;
  include /usr/local/nginx/conf/pagespeedstatslog.conf;

  access_log /home/nginx/domains/phcorner.net/log/access.log combined buffer=32k;
  error_log /home/nginx/domains/phcorner.net/log/error.log;

  root /home/nginx/domains/phcorner.net/public;

  # block common exploits, sql injections etc
  include /usr/local/nginx/conf/block.conf;

  # Start XenForo
  location / {
        index index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$uri&$args;
        }

        location /internal_data/ {
        internal;
        allow 127.0.0.1;
        deny all;
        }

        location /library/ {
        internal;
        allow 127.0.0.1;
        deny all;
        }
        location = /data/taigachat/ {
     open_file_cache off;
        }
  # End Xenforo

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
}
We're using CentMin Mod.
I don't remember I have 404 error rules.
 

RoldanLT

Well-known member
#7
Removing this include:
include /usr/local/nginx/conf/staticfiles.conf;
Fixed this problem.

And this is staticfiles.conf content:
Code:
    location ~* \.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso|si)$ {
    gzip_static off;
    #add_header Pragma public;
    add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    access_log off;
    expires 90d;
    break;
        }

    location ~* \.(js)$ {
    #add_header Pragma public;
    add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    access_log off;
    expires 30d;
    break;
        }

    location ~* \.(css)$ {
    #add_header Pragma public;
    add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    access_log off;
    expires 30d;
    break;
        }

    location ~* \.(html|htm|txt)$ {
    #add_header Pragma public;
    add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    access_log off;
    expires 7d;
    break;
        }

    location ~* \.(eot|svg|ttf|woff)$ {
    #add_header Pragma public;
    add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    access_log off;
    expires 1y;
    break;
        }
 

Floren

Well-known member
#10
Check the documentation. Here it is a quick example:
Code:
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate ocsp.certificate.crt;
resolver 8.8.8.8 8.8.4.4 valid=10m;
resolver_timeout 10s;
I presume your cert is bundled... If proper, you should get a response like:
Code:
$ openssl s_client -connect axivo.com:443 -status -tls1_2 | grep OCSP
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
                TLS Web Server Authentication, OCSP Signing
            OCSP No Check:
Right now, you have:
Code:
$ openssl s_client -connect phcorner.net:443 -status -tls1_2 | grep OCSP
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
            OCSP No Check:
                OCSP Signing
In other words, it does not verifies OCSP responses.
 
Last edited:

p4guru

Well-known member
#11
@Floren don't you have to run the check a few times as the first response might not have the OCSP response stapled https://community.qualys.com/message/21126#21126 ????

when i check axivo.com i get

Code:
openssl s_client -connect axivo.com:443 -status -tls1_2 | grep OCSP
depth=2 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certificates.starfieldtech.com/repository, CN = Starfield Secure Certification Authority, serialNumber = 10688435
verify return:1
depth=0 O = www.axivo.com, OU = Domain Control Validated, CN = www.axivo.com
verify return:1
OCSP response: no response sent
 
Last edited:

Floren

Well-known member
#12
Last edited:

Floren

Well-known member
#15
OK, OCSP stapling will start working once ALL workers cached the info. :)
If you restart the service, the cache process will be reinitialized but the important part is it will always stay enabled.
Result
Code:
Secure Renegotiation Supported
Secure Client-Initiated Renegotiation No
Insecure Client-Initated Renegotiation No
BEAST attack Mitigated server-side TLS 1.0: 0xc011
TLS compression No
RC4 Yes NOT DESIRABLE
Forward Secrecy Yes (with most browsers) ROBUST
Next Protocol Negotiation Yes  spdy/2 http/1.1
Session resumption (caching) Yes
Session resumption (tickets) Yes
OCSP stapling Yes
Strict Transport Security Yes max-age=31536000
Long handshake intolerance No
TLS extension intolerance No
TLS version intolerance TLS 2.98
SSL 2 handshake compatibility Yes
 
Last edited:

RoldanLT

Well-known member
#16
About the OSCP @Floren
Here's my domain config:
Code:
server {
    server_name phcorner.net www.phcorner.net;
    return 301 https://www.phcorner.net$request_uri;
}

server {
    listen 192.99.1.216:443 ssl spdy default_server;
    server_name www.phcorner.net;

     ssl_certificate /usr/local/nginx/conf/ssl/phcornernet/ssl-unified.crt;
        ssl_certificate_key /usr/local/nginx/conf/ssl/phcornernet/www_phcorner_net.key;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout  10m;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!kEDH:!EDH:!CAMELLIA;
        ssl_prefer_server_ciphers  on;
        add_header Alternate-Protocol 443:npn-spdy/2;
        # enable ocsp stapling
        #resolver 8.8.8.8;
        #ssl_stapling on;
       ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /usr/local/nginx/conf/ssl/phcornernet/ssl-unified.crt;
    resolver 8.8.8.8 8.8.4.4 valid=10m;
    resolver_timeout 10s;

  # ngx_pagespeed & ngx_pagespeed handler
  include /usr/local/nginx/conf/pagespeed.conf;
  include /usr/local/nginx/conf/pagespeedhandler.conf;
  include /usr/local/nginx/conf/pagespeedstatslog.conf;

  access_log /home/nginx/domains/phcorner.net/log/access.log combined buffer=32k;
  error_log /home/nginx/domains/phcorner.net/log/error.log;

  root /home/nginx/domains/phcorner.net/public;

  # block common exploits, sql injections etc
  include /usr/local/nginx/conf/block.conf;

  # Start XenForo
  location / {
        index index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$uri&$args;
        }

        location /internal_data/ {
        internal;
        allow 127.0.0.1;
        deny all;
        }

        location /library/ {
        internal;
        allow 127.0.0.1;
        deny all;
        }
        location = /data/taigachat/ {
     open_file_cache off;
        }
       
  # End Xenforo

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
}
But it didn't work, what's wrong with it?
 

Floren

Well-known member
#17
You can't use the same certificate, you need to create a new with the root and intermediary certs inside.
Those certs are provided by your SSL seller.