
Some 404 pages do not display XenForo error pages, instead just showing the nginx error

Discussion in 'Server Configuration and Hosting' started by RoldanLT, Jan 3, 2014.

  1. RoldanLT

    RoldanLT Well-Known Member

    As expected, error pages display the built-in XenForo error page.
    Like this: test 404 error

    But accessing an error page with a known extension like .jpg, .png or .gif will just display the nginx error notice.
    Example: test 404 error with extension

    How can I fix this?

    As I notice, @Floren, @p4guru and @digitalpoint, who I think are all using nginx, have it working fine.
     
  2. shawn

    shawn Well-Known Member

    Without seeing your conf files, I'd guess that static assets are served directly from nginx. PHP is getting passed to some backend (fastcgi, apache, etc), which is where the xenforo 404 page is generated (because the decision to send a 404 is made in the application software). If you just ask for a .jpg that doesn't exist, xenforo never comes into the picture.

    I'd suggest creating a custom 40x error page that looks like the Xenforo page (you could even copy/paste most of the code right out of one), or possibly figure out a rewrite rule that would load index.php or something like that if the requested static asset wasn't found.
     
    RoldanLT likes this.
  3. digitalpoint

    digitalpoint Well-Known Member

    RoldanLT likes this.
  4. RoldanLT

    RoldanLT Well-Known Member

    As I see, @MattW is facing the same issue.
     
  5. Floren

    Floren Well-Known Member

    Paste the 404 error rules you have in your config.
     
  6. RoldanLT

    RoldanLT Well-Known Member

    This is my domain config:
    Code:
    server {
        server_name phcorner.net www.phcorner.net;
        return 301 https://www.phcorner.net$request_uri;
    }

    server {
        listen 192.99.1.216:443 ssl spdy default_server;
        server_name www.phcorner.net;

        ssl_certificate /usr/local/nginx/conf/ssl/phcornernet/ssl-unified.crt;
        ssl_certificate_key /usr/local/nginx/conf/ssl/phcornernet/www_phcorner_net.key;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!kEDH:!EDH:!CAMELLIA;
        ssl_prefer_server_ciphers on;
        add_header Alternate-Protocol 443:npn-spdy/2;
        # enable ocsp stapling
        resolver 8.8.8.8;
        ssl_stapling on;

        # ngx_pagespeed & ngx_pagespeed handler
        include /usr/local/nginx/conf/pagespeed.conf;
        include /usr/local/nginx/conf/pagespeedhandler.conf;
        include /usr/local/nginx/conf/pagespeedstatslog.conf;

        access_log /home/nginx/domains/phcorner.net/log/access.log combined buffer=32k;
        error_log /home/nginx/domains/phcorner.net/log/error.log;

        root /home/nginx/domains/phcorner.net/public;

        # block common exploits, sql injections etc
        include /usr/local/nginx/conf/block.conf;

        # Start XenForo
        location / {
            index index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$uri&$args;
        }

        location /internal_data/ {
            internal;
            allow 127.0.0.1;
            deny all;
        }

        location /library/ {
            internal;
            allow 127.0.0.1;
            deny all;
        }

        location = /data/taigachat/ {
            open_file_cache off;
        }
        # End Xenforo

        include /usr/local/nginx/conf/staticfiles.conf;
        include /usr/local/nginx/conf/php.conf;
        include /usr/local/nginx/conf/drop.conf;
    }

    We're using CentMin Mod.
    I don't remember having any 404 error rules.
     
  7. RoldanLT

    RoldanLT Well-Known Member

    Removing this include:
    include /usr/local/nginx/conf/staticfiles.conf;
    Fixed this problem.

    And this is staticfiles.conf content:
    Code:
    location ~* \.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso|si)$ {
        gzip_static off;
        #add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        access_log off;
        expires 90d;
        break;
    }

    location ~* \.(js)$ {
        #add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        access_log off;
        expires 30d;
        break;
    }

    location ~* \.(css)$ {
        #add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        access_log off;
        expires 30d;
        break;
    }

    location ~* \.(html|htm|txt)$ {
        #add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        access_log off;
        expires 7d;
        break;
    }

    location ~* \.(eot|svg|ttf|woff)$ {
        #add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        access_log off;
        expires 1y;
        break;
    }
     
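Removing the include works, but it also means nginx stops serving images and archives directly and hands every one of them to PHP. The following is an added example, not the thread's config nor Centmin Mod's staticfiles.conf: it keeps the static-file locations, adds a `try_files` fallback so that a missing asset is passed to /index.php (an internal redirect, after which XenForo renders its own 404), and marks the protected directories with `^~`. That last part is a caveat on the pasted config rather than on the 404 problem: nginx evaluates regex locations after the longest plain prefix match unless that prefix is declared `^~`, so with `location /internal_data/` as written, a request for a path under /internal_data/ that ends in one of the extensions in the static regex is handled by the static block, not by the `deny all` block. Whether anything sensitive with such a name lives there depends on the application; the precedence rule holds regardless. Paths, extension lists and cache settings are copied from the thread; the `^~` modifiers and the fallback URI are my additions.

```nginx
# Protected directories. "^~" makes the longest-prefix match final, so no
# regex location (including the static-file block below) can be selected
# for anything under these prefixes.
location ^~ /internal_data/ {
    internal;
    allow 127.0.0.1;
    deny all;
}

location ^~ /library/ {
    internal;
    allow 127.0.0.1;
    deny all;
}

location / {
    index index.php index.html index.htm;
    try_files $uri $uri/ /index.php?$uri&$args;
}

# Static assets, as in staticfiles.conf, but with try_files instead of break.
# Present file: served by nginx with these cache headers. Missing file: the
# request is redirected internally to /index.php and processed by the PHP
# location, so XenForo emits the 404 and neither the 90-day expiry nor
# "access_log off" from this block applies to that response (the log phase
# uses the final location's settings, so these 404s are logged).
location ~* \.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso|si)$ {
    gzip_static off;
    add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    access_log off;
    expires 90d;
    try_files $uri /index.php?$uri&$args;
}

# Same change for the remaining staticfiles.conf blocks (js, css, html/txt,
# fonts); shown once here for js and css.
location ~* \.(js|css)$ {
    add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    access_log off;
    expires 30d;
    try_files $uri /index.php?$uri&$args;
}
```

The `break;` lines in the original blocks belong to the rewrite module and do nothing useful there, so they are dropped. After editing, run `nginx -t`, reload, and request a non-existent asset such as /does-not-exist.jpg over HTTPS with `curl -sI`: the status should still be 404, but the body should now be XenForo's page rather than nginx's default one.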
  8. Floren

    Floren Well-Known Member

    While there, enable the OCSP verification. :)
    ssl_stapling_verify = on;
     
    RoldanLT likes this.
  9. RoldanLT

    RoldanLT Well-Known Member

    Domain config?
    On what line should I insert it?

    Thanks @Floren
     
  10. Floren

    Floren Well-Known Member

    Check the documentation. Here is a quick example:
    Code:
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate ocsp.certificate.crt;
    resolver 8.8.8.8 8.8.4.4 valid=10m;
    resolver_timeout 10s;
    I presume your cert is bundled... If proper, you should get a response like:
    Code:
    $ openssl s_client -connect axivo.com:443 -status -tls1_2 | grep OCSP
    OCSP response:
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
                    TLS Web Server Authentication, OCSP Signing
                OCSP No Check:
    Right now, you have:
    Code:
    $ openssl s_client -connect phcorner.net:443 -status -tls1_2 | grep OCSP
    OCSP response:
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
                OCSP No Check:
                    OCSP Signing
    In other words, it does not verify OCSP responses.
     
    Last edited: Jan 8, 2014
    RoldanLT and p4guru like this.
  11. p4guru

    p4guru Well-Known Member

    @Floren, don't you have to run the check a few times, as the first response might not have the OCSP response stapled? https://community.qualys.com/message/21126#21126

    When I check axivo.com I get

    Code:
    openssl s_client -connect axivo.com:443 -status -tls1_2 | grep OCSP
    depth=2 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
    verify return:1
    depth=1 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certificates.starfieldtech.com/repository, CN = Starfield Secure Certification Authority, serialNumber = 10688435
    verify return:1
    depth=0 O = www.axivo.com, OU = Domain Control Validated, CN = www.axivo.com
    verify return:1
    OCSP response: no response sent
     
    Last edited: Jan 7, 2014
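The two posts above together describe the check: `openssl s_client -status` shows whether a stapled OCSP response was sent, and a single connection is not conclusive, because nginx only staples once a worker has fetched and cached the response, so the first handshake after a (re)start commonly reports "no response sent". As an added example, not code from the thread or from either poster, here is a small POSIX sh helper that classifies a transcript and polls a host a few times before concluding. The `-servername` flag is my addition so that name-based virtual hosts present the right certificate; the transcripts in the comments are constructed from the outputs pasted above.

```sh
#!/bin/sh
# Added example: repeatable OCSP stapling check for an nginx (or any TLS)
# endpoint. Not from the thread.

# Classify an `openssl s_client -status` transcript.
# Returns 0 if a stapled, successful OCSP response is present,
#         1 if the server sent no OCSP response at all,
#         2 if a response was sent but its status is not "successful".
# Constructed sample inputs:
#   "OCSP response: no response sent"               -> 1
#   "OCSP Response Status: successful (0x0)"        -> 0
#   "OCSP Response Status: unauthorized (0x6)"      -> 2
ocsp_status_from_transcript() {
    transcript="$1"
    case "$transcript" in
        *"OCSP response: no response sent"*)      return 1 ;;
        *"OCSP Response Status: successful"*)     return 0 ;;
        *)                                        return 2 ;;
    esac
}

# check_stapling HOST [PORT] [TRIES]
# Connects up to TRIES times (default 5), one second apart, and returns 0 as
# soon as one handshake carries a successful stapled response. A first
# "no response sent" right after a restart is expected; a consistent one
# across all attempts means stapling is not actually working.
check_stapling() {
    host="$1"; port="${2:-443}"; tries="${3:-5}"
    i=1
    while [ "$i" -le "$tries" ]; do
        # "Q" on stdin makes s_client quit right after the handshake.
        out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
                  -servername "$host" -status 2>/dev/null || true)
        if ocsp_status_from_transcript "$out"; then
            echo "$host:$port: stapled OCSP response on attempt $i of $tries"
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    echo "$host:$port: no successful stapled response after $tries attempts"
    return 1
}
```

Usage: `check_stapling www.example.org` (or `check_stapling www.example.org 443 10` for a busier server with many workers). Rerun it after every nginx restart, since the cache is rebuilt per worker.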
  12. Floren

    Floren Well-Known Member

    Thanks for the link.

    Edit: @p4guru, I get this:
    Code:
    OCSP response:
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
                    TLS Web Server Authentication, OCSP Signing
                OCSP No Check:
     
    Last edited: Jan 8, 2014
  13. Andy.N

    Andy.N Well-Known Member

    It should be ssl_stapling_verify on;
     
    Floren likes this.
  14. Floren

    Floren Well-Known Member

    @Andy.N, thanks and sorry for the typo. As usual, it was late at night and I was tired. :)
     
  15. Floren

    Floren Well-Known Member

    OK, OCSP stapling will start working once ALL workers have cached the info. :)
    If you restart the service, the cache process will be reinitialized, but the important part is that it will always stay enabled.
    Result
    Code:
    Secure Renegotiation Supported
    Secure Client-Initiated Renegotiation No
    Insecure Client-Initated Renegotiation No
    BEAST attack Mitigated server-side TLS 1.0: 0xc011
    TLS compression No
    RC4 Yes NOT DESIRABLE
    Forward Secrecy Yes (with most browsers) ROBUST
    Next Protocol Negotiation Yes  spdy/2 http/1.1
    Session resumption (caching) Yes
    Session resumption (tickets) Yes
    OCSP stapling Yes
    Strict Transport Security Yes max-age=31536000
    Long handshake intolerance No
    TLS extension intolerance No
    TLS version intolerance TLS 2.98
    SSL 2 handshake compatibility Yes
     
    Last edited: Jan 8, 2014
    RoldanLT likes this.
  16. RoldanLT

    RoldanLT Well-Known Member

    About the OCSP, @Floren
    Here's my domain config:
    Code:
    server {
        server_name phcorner.net www.phcorner.net;
        return 301 https://www.phcorner.net$request_uri;
    }

    server {
        listen 192.99.1.216:443 ssl spdy default_server;
        server_name www.phcorner.net;

        ssl_certificate /usr/local/nginx/conf/ssl/phcornernet/ssl-unified.crt;
        ssl_certificate_key /usr/local/nginx/conf/ssl/phcornernet/www_phcorner_net.key;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!kEDH:!EDH:!CAMELLIA;
        ssl_prefer_server_ciphers on;
        add_header Alternate-Protocol 443:npn-spdy/2;
        # enable ocsp stapling
        #resolver 8.8.8.8;
        #ssl_stapling on;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /usr/local/nginx/conf/ssl/phcornernet/ssl-unified.crt;
        resolver 8.8.8.8 8.8.4.4 valid=10m;
        resolver_timeout 10s;

        # ngx_pagespeed & ngx_pagespeed handler
        include /usr/local/nginx/conf/pagespeed.conf;
        include /usr/local/nginx/conf/pagespeedhandler.conf;
        include /usr/local/nginx/conf/pagespeedstatslog.conf;

        access_log /home/nginx/domains/phcorner.net/log/access.log combined buffer=32k;
        error_log /home/nginx/domains/phcorner.net/log/error.log;

        root /home/nginx/domains/phcorner.net/public;

        # block common exploits, sql injections etc
        include /usr/local/nginx/conf/block.conf;

        # Start XenForo
        location / {
            index index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$uri&$args;
        }

        location /internal_data/ {
            internal;
            allow 127.0.0.1;
            deny all;
        }

        location /library/ {
            internal;
            allow 127.0.0.1;
            deny all;
        }

        location = /data/taigachat/ {
            open_file_cache off;
        }

        # End Xenforo

        include /usr/local/nginx/conf/staticfiles.conf;
        include /usr/local/nginx/conf/php.conf;
        include /usr/local/nginx/conf/drop.conf;
    }
    
    But it didn't work, what's wrong with it?
     
  17. Floren

    Floren Well-Known Member

    You can't use the same certificate; you need to create a new one with the root and intermediate certs inside.
    Those certs are provided by your SSL seller.
     
    RoldanLT likes this.
  18. RoldanLT

    RoldanLT Well-Known Member

    So I will generate my own CSR here: https://www.digicert.com/easy-csr/openssl.htm ?
    And run it on ssh to generate my own .csr file?
    Thanks @Floren
     
  19. Floren

    Floren Well-Known Member

    No, you don't generate anything. You create a .crt file and paste the seller's root and intermediate certs inside.
     
  20. p4guru

    p4guru Well-Known Member

    yup

    Code:
    cat intermediate.crt root.pem > trusted.crt
    Code:
    ssl_trusted_certificate /usr/local/nginx/conf/ssl/phcornernet/trusted.crt;
     
    RoldanLT likes this.
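The last few posts settle what `ssl_trusted_certificate` needs: the issuer chain (intermediate and root, as supplied by the certificate seller), not the server's own certificate bundle that `ssl_certificate` points at. That matches the nginx documentation for `ssl_stapling_verify`, which says the issuer certificate, the root and all intermediates must be configured as trusted via `ssl_trusted_certificate`. As an added example, not from the thread or from p4guru, here is a POSIX sh helper that builds that file from the pieces and refuses the two mistakes that are easy to make while copy-pasting: a file with no certificate in it, and a file that also carries a private key. File names follow the thread (intermediate.crt, root.pem, trusted.crt) and are only assumptions about how the seller named them; the PEM blocks used in the test are constructed placeholders, not real certificates.

```sh
#!/bin/sh
# Added example, not from the thread: assemble the issuer-chain file for
# nginx's ssl_trusted_certificate (intermediate(s) first, root last, PEM,
# no server certificate, no key) and sanity-check it before reloading.

# Print the number of PEM certificate blocks in FILE (0 if unreadable).
pem_cert_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    # grep -c exits 1 when the count is 0; the "0" is still printed.
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# True if FILE carries any PEM private key block.
pem_has_private_key() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# build_trusted_bundle OUT INTERMEDIATE... ROOT
# Concatenates the inputs, in the given order, into OUT and prints the number
# of certificates written. Returns 1 and leaves OUT untouched if any input
# has no certificate or contains a private key.
build_trusted_bundle() {
    out="$1"; shift
    total=0
    for f in "$@"; do
        n=$(pem_cert_count "$f")
        if [ "$n" -eq 0 ]; then
            echo "error: $f contains no PEM certificate" >&2
            return 1
        fi
        if pem_has_private_key "$f"; then
            echo "error: $f contains a private key, refusing to bundle it" >&2
            return 1
        fi
        total=$((total + n))
    done
    # Guarantee a newline after each file: a certificate file without a
    # trailing newline would otherwise glue its END line onto the next BEGIN
    # line, and OpenSSL (hence nginx) would stop parsing there.
    for f in "$@"; do
        cat "$f"
        [ -z "$(tail -c 1 "$f")" ] || echo
    done > "$out"
    echo "$total"
}

# Does BUNDLE validate SERVER_CERT? If this fails, nginx will not be able to
# verify the OCSP response signer either. Needs openssl; network not required.
bundle_validates_server_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Usage: `build_trusted_bundle trusted.crt intermediate.crt root.pem` followed by `bundle_validates_server_cert trusted.crt www_phcorner_net.crt` (substitute your own server certificate file), then point `ssl_trusted_certificate` at trusted.crt and reload. Keep `ssl_certificate` on the unified file as before; the two directives serve different purposes.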
