
I'm creating a website and it works fine on Chrome and Firefox, but I'm getting an error on Safari:

“NSPOSIXErrorDomain:100”

I found a post saying that Safari apparently doesn’t like multi-line HTTP headers under HTTP/2, and telling me to edit my config files and remove all multi-line configuration.

My server uses CPnginx, and this is my config file:

    #:hybrid:Nginx serve static files apache serve dynamic files:2.0:
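    # Main HTTPS virtual host: nginx serves static files itself and proxies
    # everything else to the backend listening on port 9443.
    server {
        # "ssl" on the listen line already enables TLS for this socket, so the
        # separate (deprecated) "ssl on;" directive is not needed.
        listen    107.161.189.242:443 ssl http2 ;
        server_name  meusite.com.br www.meusite.com.br;

        ssl_certificate /usr/local/nginx/conf/ssl.cert.d/meusite.com.br_cert;
        ssl_certificate_key /usr/local/nginx/conf/ssl.key.d/meusite.com.br_key;
        # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996). Restrict this
        # to TLSv1.2 (plus TLSv1.3 where the nginx/OpenSSL build supports it) once
        # legacy clients are confirmed gone.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        # NOTE(review): the tail of this list still offers CBC/SHA-1 suites; they
        # can be dropped together with TLSv1/TLSv1.1.
        ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK";
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout  5m;

        #.............. Cpnginx OCSP stapling protection for security start ....................
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /usr/local/nginx/conf/ssl.ca.d/meusite.com.br_ca-bundle;
        # Resolvers used to look up the OCSP responder host name.
        resolver 127.0.0.1 8.8.8.8 4.2.2.1 8.8.4.4 4.2.2.2  valid=300s;
        resolver_timeout 5s;
        #.............. Cpnginx OCSP stapling protection for security end....................
        location = /favicon.ico {
            log_not_found off;
        }




        access_log /usr/local/apache/domlogs/meusite.com.br-bytes_log bytes_log buffer=32k flush=5m;
        access_log /usr/local/apache/domlogs/meusite.com.br-ssl_log combined buffer=32k flush=5m;

        referer_hash_bucket_size 512;
        # Static files directly from nginx.
        # The dot before the extension is escaped so that it matches a literal "."
        # rather than any character.
        # NOTE(review): add_header directives are inherited from the server level
        # only when a location defines none of its own, so responses from this
        # location do not carry the server-level X-Frame-Options header.
        location ~* ^.+\.(jpg|jpeg|gif|png|svg|webp|ico|zip|tgz|gz|rar|bz2|iso|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|mp3|ogv|ogg|flv|swf|mpeg|mpg|mpeg4|mp4|avi|wmv|js|css|3gp|sis|sisx|nth)$ {
            expires 30d;
            add_header Pragma public;
            add_header Cache-Control "public, must-revalidate, proxy-revalidate";
            root /home/meusitecom/public_html;
            error_page  404 = @apache;
            log_not_found  off;
        }
        keepalive_requests 100;
        keepalive_timeout 60s;
        # Symlink attack protection: refuse to follow symlinks below the document root.
        disable_symlinks on from=$document_root;


        # NOTE(review): autoindex exposes a listing of every directory that nginx
        # serves without an index file. Turn it off unless listings are intended.
        autoindex on;
        # Disable direct access to .ht files and folders (dot escaped so that only
        # names that really start with ".ht" are denied).
        location ~ /\.ht {
              deny all;
        }
        # Access all cpanel services
        # NOTE(review): proxy_ssl_verify is off by default, so the certificate of
        # the upstream on :9443 is not validated. That is tolerable only while the
        # backend runs on this same host; confirm.
        location ~* ^/(cpanel|webmail|whm|bandwidth|img-sys|java-sys|mailman/archives|pipermail|sys_cpanel|cgi-sys|mailman) {
            proxy_pass   https://107.161.189.242:9443;
            proxy_set_header   Host   $host;
            proxy_set_header   X-Real-IP  $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        # Enabled MP4 streaming
        location ~ \.mp4$ {
            mp4;
            mp4_buffer_size 4M;
            mp4_max_buffer_size 10M;
        }






        # X-Frame-Options: clickjacking protection (only same-origin framing allowed)
        add_header X-Frame-Options "SAMEORIGIN";



        # Query-string blocklist for SQL injection patterns.
        # Literal parentheses are escaped; an unescaped "(" is an unterminated
        # group and makes the configuration fail to load.
        # NOTE(review): this is best-effort defence in depth. "~" is case-sensitive,
        # $query_string is the raw (undecoded) query string, and request bodies are
        # not inspected, so it does not replace parameterized queries in the
        # application behind the proxy.
        set $block_sql_injections 0;
        if ($query_string ~ "union.*select.*\(") {
            set $block_sql_injections 1;
        }
        if ($query_string ~ "union.*all.*select.*") {
            set $block_sql_injections 1;
        }
        if ($query_string ~ "concat.*\(") {
            set $block_sql_injections 1;
        }
        if ($block_sql_injections = 1) {
            return 403;
        }



        # Query-string blocklist for other common exploit patterns (script tags,
        # PHP superglobal overwrite, /proc/self/environ, Joomla mosConfig_*,
        # base64_encode/base64_decode calls). Same caveats as the SQL list above.
        set $block_common_exploits 0;
        if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
            set $block_common_exploits 1;
        }
        if ($query_string ~ "GLOBALS(=|\[|%[0-9A-Z]{0,2})") {
            set $block_common_exploits 1;
        }
        if ($query_string ~ "_REQUEST(=|\[|%[0-9A-Z]{0,2})") {
            set $block_common_exploits 1;
        }
        if ($query_string ~ "proc/self/environ") {
            set $block_common_exploits 1;
        }
        if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") {
            set $block_common_exploits 1;
        }
        if ($query_string ~ "base64_(en|de)code\(.*\)") {
            set $block_common_exploits 1;
        }
        if ($block_common_exploits = 1) {
            return 403;
        }

        # Hot Link protections
        # NOTE(review): nginx uses the first regex location that matches, in file
        # order. The static-file location above already matches
        # jpg/jpeg/png/gif/svg/bmp/webp, so this block is reached only for .tiff
        # and .bpg and the referer check never runs for the other image types.
        # It also sets neither root nor proxy_pass; confirm where allowed requests
        # are meant to be served from.
        location ~ \.(jpe?g|png|gif|svg|tiff|bmp|webp|bpg)$ {
            valid_referers none blocked meusite.com.br *.meusite.com.br;
            if ($invalid_referer) {
                return   403;
            }
        }

        # Named location used by "error_page 404 = @apache" in the static-file
        # location: a static file that nginx cannot find is retried on the backend.
        location @apache {
            internal;
            # Internal 404 redirect of static file to apache
            access_log off;
            log_not_found  off;
            client_max_body_size    2000m;
            client_body_buffer_size 512k;
            proxy_buffering on;
            proxy_send_timeout 300s;
            proxy_read_timeout 300s;
            proxy_buffer_size 64k;
            proxy_buffers 32 64k;
            proxy_busy_buffers_size 128k;
            proxy_temp_file_write_size 128k;
            proxy_connect_timeout 300s;
            proxy_http_version 1.1;
            proxy_pass   https://107.161.189.242:9443;
            proxy_set_header   Host   $host;
            proxy_set_header   X-Real-IP  $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Proto $scheme;
            proxy_redirect     off;

        }


        # Everything that is not a static file is proxied to the backend.
        # Response headers from the backend are passed to the HTTP/2 client as
        # they are, apart from the few that nginx hides by default.
        location / {
            access_log off;
            # include /usr/local/nginx/conf/vhost.ssl.d/meusite.com.br.rewrite;
            log_not_found  off;
            client_max_body_size    2000m;
            client_body_buffer_size 512k;
            proxy_buffering on;
            proxy_send_timeout 300s;
            proxy_read_timeout 300s;
            proxy_buffer_size 64k;
            proxy_buffers 32 64k;
            proxy_busy_buffers_size 128k;
            proxy_temp_file_write_size 128k;
            proxy_connect_timeout 300s;
            proxy_http_version 1.1;
            proxy_pass   https://107.161.189.242:9443;
            proxy_set_header   Host   $host;
            proxy_set_header   X-Real-IP  $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Proto $scheme;
            proxy_redirect     off;

        }
        # include /usr/local/nginx/conf/vhost.ssl.d/meusite.com.br.include;

    }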
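    # Virtual host for the cPanel service subdomains; everything except
    # /.well-known is proxied to the backend on the loopback address.
    server {
        # "ssl" on the listen line already enables TLS, so the deprecated
        # "ssl on;" directive is not needed.
        listen    107.161.189.242:443 ssl http2 ;
        server_name cpanel.meusite.com.br whm.meusite.com.br webmail.meusite.com.br webdisk.meusite.com.br cpcalendars.meusite.com.br cpcontacts.meusite.com.br mail.meusite.com.br;
        ssl_certificate /usr/local/nginx/conf/ssl.cert.d/meusite.com.br_cert;
        ssl_certificate_key /usr/local/nginx/conf/ssl.key.d/meusite.com.br_key;
        # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996). This block
        # also sets no ssl_ciphers or ssl_prefer_server_ciphers, unlike the main
        # virtual host, so the administrative host names fall back to the default
        # cipher list; align the two.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout  5m;
        access_log off;
        location / {
                # Served from disk instead of the backend (dot escaped so that
                # only a literal "/.well-known" matches).
                location ~ /\.well-known {
                    root /home/meusitecom/public_html;
                }
            # NOTE(review): the upstream certificate is not validated
            # (proxy_ssl_verify is off by default); the backend is on loopback here.
            proxy_pass   https://127.0.0.1:9443;
            proxy_set_header   Host   $host;
            proxy_set_header   X-Real-IP  $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }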

What do I need to change in this file?

2

Answers


  1. Chosen as BEST ANSWER

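    Well, after many tests, I found a solution to my problem.

    I added the directive "proxy_hide_header Upgrade;" to my nginx.conf so that the Upgrade header is not passed on; for some reason it was crashing Safari. (HTTP/2 does not allow connection-specific header fields such as Upgrade in a response, which would explain why Safari rejects it.)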


  2. I can’t answer your question, but I can help you with a strategy to diagnose your problem.

    First, the nginx config (as big as it is) does not contain the answer. What I do see are several proxy_pass lines. One (or more) of these upstream servers is returning content that violates RFC7230.

    You can prove that nginx is not causing your problem by pointing your browser directly at https://107.161.189.242:9443. Or you can stop nginx and move the process serving port 9443 to port 443.
