Question posted in 
I m creating a website and it works fine on Chrome and FireFox, but i m getting a error on Safari:
“NSPOSIXErrorDomain:100”
I found a post telling about apparently Safari doesn’t like multiple line HTTP headers under HTTP/2, and telling to me edit my config files and remove all mutiple line config.
My server uses CPnginx, and thath is my config file:
#:hybrid:Nginx serve static files apache serve dynamic files:2.0:
server {
listen 107.161.189.242:443 ssl http2 ;
server_name meusite.com.br www.meusite.com.br;
ssl on;
ssl_certificate /usr/local/nginx/conf/ssl.cert.d/meusite.com.br_cert;
ssl_certificate_key /usr/local/nginx/conf/ssl.key.d/meusite.com.br_key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK";
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
#.............. Cpnginx OCSP stapling protection for security start ....................
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /usr/local/nginx/conf/ssl.ca.d/meusite.com.br_ca-bundle;
resolver 127.0.0.1 8.8.8.8 4.2.2.1 8.8.4.4 4.2.2.2 valid=300s;
resolver_timeout 5s;
#.............. Cpnginx OCSP stapling protection for security end....................
location = /favicon.ico {
log_not_found off;
}
access_log /usr/local/apache/domlogs/meusite.com.br-bytes_log bytes_log buffer=32k flush=5m;
access_log /usr/local/apache/domlogs/meusite.com.br-ssl_log combined buffer=32k flush=5m;
referer_hash_bucket_size 512;
# Static files directly from nginx
location ~* ^.+.(jpg|jpeg|gif|png|svg|webp|ico|zip|tgz|gz|rar|bz2|iso|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|mp3|ogv|ogg|flv|swf|mpeg|mpg|mpeg4|mp4|avi|wmv|js|css|3gp|sis|sisx|nth)$ {
expires 30d;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
root /home/meusitecom/public_html;
error_page 404 = @apache;
log_not_found off;
}
keepalive_requests 100;
keepalive_timeout 60s;
# Symlink attack
disable_symlinks on from=$document_root;
autoindex on;
# Disable direct access to .ht files and folders
location ~ /.ht {
deny all;
}
# Access all cpanel services
location ~* ^/(cpanel|webmail|whm|bandwidth|img-sys|java-sys|mailman/archives|pipermail|sys_cpanel|cgi-sys|mailman) {
proxy_pass https://107.161.189.242:9443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# Enabled MP4 streaming
location ~ .mp4$ {
mp4;
mp4_buffer_size 4M;
mp4_max_buffer_size 10M;
}
# X-FRAME attach protection
add_header X-Frame-Options "SAMEORIGIN";
# Protect sql injections
set $block_sql_injections 0;
if ($query_string ~ "union.*select.*(") {
set $block_sql_injections 1;
}
if ($query_string ~ "union.*all.*select.*") {
set $block_sql_injections 1;
}
if ($query_string ~ "concat.*(") {
set $block_sql_injections 1;
}
if ($block_sql_injections = 1) {
return 403;
}
# common exploit protection
set $block_common_exploits 0;
if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
set $block_common_exploits 1;
}
if ($query_string ~ "GLOBALS(=|[|%[0-9A-Z]{0,2})") {
set $block_common_exploits 1;
}
if ($query_string ~ "_REQUEST(=|[|%[0-9A-Z]{0,2})") {
set $block_common_exploits 1;
}
if ($query_string ~ "proc/self/environ") {
set $block_common_exploits 1;
}
if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") {
set $block_common_exploits 1;
}
if ($query_string ~ "base64_(en|de)code(.*)") {
set $block_common_exploits 1;
}
if ($block_common_exploits = 1) {
return 403;
}
# Hot Link protections
location ~ .(jpe?g|png|gif|svg|tiff|bmp|webp|bpg)$ {
valid_referers none blocked meusite.com.br *.meusite.com.br;
if ($invalid_referer) {
return 403;
}
}
location @apache {
internal;
# Internal 404 redirect of static file to apache
access_log off;
log_not_found off;
client_max_body_size 2000m;
client_body_buffer_size 512k;
proxy_buffering on;
proxy_send_timeout 300s;
proxy_read_timeout 300s;
proxy_buffer_size 64k;
proxy_buffers 32 64k;
proxy_busy_buffers_size 128k;
proxy_temp_file_write_size 128k;
proxy_connect_timeout 300s;
proxy_http_version 1.1;
proxy_pass https://107.161.189.242:9443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
}
location / {
access_log off;
# include /usr/local/nginx/conf/vhost.ssl.d/meusite.com.br.rewrite;
log_not_found off;
client_max_body_size 2000m;
client_body_buffer_size 512k;
proxy_buffering on;
proxy_send_timeout 300s;
proxy_read_timeout 300s;
proxy_buffer_size 64k;
proxy_buffers 32 64k;
proxy_busy_buffers_size 128k;
proxy_temp_file_write_size 128k;
proxy_connect_timeout 300s;
proxy_http_version 1.1;
proxy_pass https://107.161.189.242:9443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
}
# include /usr/local/nginx/conf/vhost.ssl.d/meusite.com.br.include;
}
server {
listen 107.161.189.242:443 ssl http2 ;
server_name cpanel.meusite.com.br whm.meusite.com.br webmail.meusite.com.br webdisk.meusite.com.br cpcalendars.meusite.com.br cpcontacts.meusite.com.br mail.meusite.com.br;
ssl on;
ssl_certificate /usr/local/nginx/conf/ssl.cert.d/meusite.com.br_cert;
ssl_certificate_key /usr/local/nginx/conf/ssl.key.d/meusite.com.br_key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
access_log off;
location / {
location ~ /.well-known{
root /home/meusitecom/public_html;
}
proxy_pass https://127.0.0.1:9443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
What i m need to change on this file?
2
Answers
Well, after many tests, i found a solution to my problem.
I have add the directive
"proxy_hide_header Upgrade;"on my nginx.conf, to ignore the header Upgrade, for some reason it's crashing on Safari.I can’t answer your question; but, I can help you with strategy to diagnose your problem.
First, the nginx config (as big as it is) does not contain the answer. What I do see are several proxy_pass lines. One (or more) of these upstream servers are returning content that violates RFC7230.
You can prove that nginx is not causing your problem by pointing you bowser directly at https://107.161.189.242:9443. Or you can stop nginx and move the process serving port 9443 to port 443.