Date: Fri, 16 Sep 2022 06:44:33 -0700
From: paul beard <paulbeard@gmail.com>
To: Waitman Gobble <gobble.wa@gmail.com>
Cc: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: any nginx/letsencrypt experts out there?
Message-ID: <CAMtcK2pMJJJb866Ob6L=QjVE3-upuigvOTV-hjQ7uFLQ_o9Ahg@mail.gmail.com>
In-Reply-To: <CAMtcK2pi=m8m0SCqe0%2Bg2uaW8Nry3xgYTR%2BULdVJuxM=riXC8Q@mail.gmail.com>
References: <CAMtcK2reN%2BDGjvdaJJ=3ppz4uK0RU8gJ1f4BY1kvJ%2B5xHqgOsg@mail.gmail.com> <1832f40c8af.10b332ee2406187.6375306777861801560@eye-of-odin.com> <CAMtcK2oo_5vS8AAyd6jPgniggKvYNWbiJwpQZvPb5yeAPENJGA@mail.gmail.com> <1832f85d371.10bae82d3411853.462587170353998748@eye-of-odin.com> <CAFuo_fwRcLRaSb9bDOe3BV_W0dUkbAjL3_P=TpifYQrxjXD5rQ@mail.gmail.com> <1832fe45fb5.df336718422020.6612482456577931531@eye-of-odin.com> <CAMtcK2qW=ih8w6UgkxPL_Fp62=b%2BPzCSFN4u-uR15tnPm5=3oQ@mail.gmail.com> <CAMtcK2ogAN_5BnuXtDyvdt=-mcJ4fNw53e05cq0O_hGGSYqp=A@mail.gmail.com> <CAFuo_fwkgS4emq9cOaWMi6cuHaqXGEnkXVNFfou63c_xT326cg@mail.gmail.com> <CAMtcK2qFcNaqJy1sQhqpzDTQN=bfZ3SCyqNa%2BbE0xwwZM5xL5g@mail.gmail.com> <CAMtcK2qSoKNMZHQUfUaCQoVEN3-y-KOTX=d_9QZsmDYQ%2BRw-tA@mail.gmail.com> <CAFuo_fxb0Tb5FRSbBPLD-XnjMgAUp2nb-k7sUxVD2f7doOmQiw@mail.gmail.com> <CAMtcK2pi=m8m0SCqe0%2Bg2uaW8Nry3xgYTR%2BULdVJuxM=riXC8Q@mail.gmail.com>
On Mon, Sep 12, 2022 at 6:39 PM paul beard <paulbeard@gmail.com> wrote:
>
> On Mon, Sep 12, 2022 at 5:30 PM Waitman Gobble <gobble.wa@gmail.com> wrote:
>
>> On Mon, Sep 12, 2022 at 11:46 PM paul beard <paulbeard@gmail.com> wrote:
>> >
>> > On Mon, Sep 12, 2022 at 11:45 AM paul beard <paulbeard@gmail.com> wrote:
>> >>
>> >> On Mon, Sep 12, 2022 at 7:23 AM Waitman Gobble <gobble.wa@gmail.com> wrote:
>> >>>
>> >>> On Mon, Sep 12, 2022 at 2:01 PM paul beard <paulbeard@gmail.com> wrote:
>> >>> >
>> >>> > On Sun, Sep 11, 2022 at 9:27 PM paul beard <paulbeard@gmail.com> wrote:
>> >>> >>
>> >>> >> On Sun, Sep 11, 2022 at 9:11 PM Ty John <ty-ml@eye-of-odin.com> wrote:
>> >>> >>>
>> >>> >>> ---- On Mon, 12 Sep 2022 13:21:30 +0930 Waitman Gobble wrote ---
>> >>> >>>
>> >>> >>> > On Mon, Sep 12, 2022 at 2:42 AM Ty John <ty-ml@eye-of-odin.com> wrote:
>> >>> >>> > >
>> >>> >>> > > That order should be fine. The more specific locations should be listed first which is what you have. The redirect will trigger a new request which will match the first stanza.
>> >>> >>> > >
>> >>> >>> > > Anyway, it looks fine to me as long as the certs themselves are right.
>> >>> >>> > > I just checked the certs on https://paulbeard.org, https://www.paulbeard.org and https://cloud.paulbeard.org and they all seem fine to me.
>> >>> >>> > > I suspect it might be a browser issue as you mentioned. What happens in safari?
>> >>> >>>
>> >>> >
>> >>> > Hmm. So Safari is still having issues. It is able to load the root as www.paulbeard.org but not without it. And the link to wordpress explicitly uses www but it gets rewritten without and then fails for lack of a secure connection. I'll need to track down how that rewriting is happening. Who knew Safari was so rigorous?
>> >>> >
>> >>> > This is the unadorned/non-www stanza: do I even need that in the year 2022?
>> >>> >
>> >>> >      71      server {
>> >>> >      72      #listen 443 ssl http2;
>> >>> >      73      listen [::]:443 ssl http2;
>> >>> >      74      server_name  paulbeard.org;
>> >>> >      75 #    if ($request ~* https://paulbeard.org) {
>> >>> >      76 #    return 301 https://www.paulbeard.org;
>> >>> >      77 #    }
>> >>> >      78      ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem; # managed by Certbot
>> >>> >      79      ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem; # managed by Certbot
>> >>> >      80      include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
>> >>> >      81      ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
>> >>> >      82
>> >>> >      83      add_header X-Clacks-Overhead "GNU Terry Pratchett";
>> >>> >      84      # add Strict-Transport-Security to prevent man in the middle attacks
>> >>> >      85      add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
>> >>> >      86      #rewrite ^(.*) https://www.paulbeard.org$1 permanent; #+
>> >>> >      87      #return      301 https://$host$request_uri;
>> >>> >      88
>> >>> >      89
>> >>> >      90      root           /usr/local/www/;
>> >>> >      91      disable_symlinks off;
>> >>> >      92
>> >>> >      93 }
>> >>> >
>> >>>
>> >>> Maybe your certs are kinda jumbled up?
>> >>>
>> >>
>> >> This is pretty accurate. I realized I wasn't pulling a certificate for the base domain/host name, since I had commented it out in the config. Seems like things have gotten jumbled indeed. I don't touch any of the config that certbot adds so I am wary of how I can unmuddle it. I have since restored that but now I see what I think is the real problem.
>> >>
>> >> This is the full list of certs I have… I seem to have gotten host and domain mixed up here, as these are hosts, not domains, and ideally should have just one certificate for all of them. Some cleanup seems to be required.
>> >>
>> >> Found the following certs:
>> >>
>> >>   Certificate Name: cloud.paulbeard.org
>> >>     Serial Number: 4bdb35a6e5308f47e7934453b6d1552a330
>> >>     Key Type: RSA
>> >>     Domains: paulbeard.org cloud.paulbeard.org www.paulbeard.org
>> >>     Expiry Date: 2022-12-04 16:14:05+00:00 (VALID: 82 days)
>> >>     Certificate Path: /usr/local/etc/letsencrypt/live/cloud.paulbeard.org/fullchain.pem
>> >>     Private Key Path: /usr/local/etc/letsencrypt/live/cloud.paulbeard.org/privkey.pem
>> >>
>> >>   Certificate Name: paulbeard.org
>> >>     Serial Number: 44c82383b1da739543404608a77c9174d79
>> >>     Key Type: RSA
>> >>     Domains: paulbeard.org
>> >>     Expiry Date: 2022-11-11 10:45:26+00:00 (VALID: 59 days)
>> >>     Certificate Path: /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem
>> >>     Private Key Path: /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem
>> >>
>> >>   Certificate Name: www.paulbeard.org-0001
>> >>     Serial Number: 4a865592d7d31d1465df0e7245eb88d9d13
>> >>     Key Type: RSA
>> >>     Domains: www.paulbeard.org
>> >>     Expiry Date: 2022-12-10 23:29:48+00:00 (VALID: 89 days)
>> >>     Certificate Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org-0001/fullchain.pem
>> >>     Private Key Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org-0001/privkey.pem
>> >>
>> >>   Certificate Name: www.paulbeard.org
>> >>     Serial Number: 4a730b954fead25d08fb8281c374c11014e
>> >>     Key Type: RSA
>> >>     Domains: cloud.paulbeard.org www.paulbeard.org
>> >>     Expiry Date: 2022-12-10 21:33:36+00:00 (VALID: 89 days)
>> >>     Certificate Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org/fullchain.pem
>> >>     Private Key Path: /usr/local/etc/letsencrypt/live/www.paulbeard.org/privkey.pem
>> >
>> > Some things about this are not making sense… sometimes the wordpress pages will load but not always. Sometimes different servers answer to the generic "paulbeard.org" URI (the cloud instance, for some reason, would be served). Something to do with `listen [::]:443 ssl http2;` being set, which makes no sense at all. I have removed it everywhere for now. IP6 traffic is far down my list of things to be bothered with.
>> >
>> > My main issue seems to be URI rewriting that I can't seem to find in the config. I get an error about 20 redirects and I don't see where that is happening. The rewrites are being logged…
>> >
>> > 2022/09/12 16:41:57 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
>> > 2022/09/12 16:41:57 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
>> > 2022/09/12 16:41:57 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
>> > 2022/09/12 16:41:58 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
>> > 2022/09/12 16:41:58 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
>> > 2022/09/12 16:41:58 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
>> > 2022/09/12 16:41:58 [notice] 5920#100651: *1742 rewritten redirect: "https://www.paulbeard.org/wordpress/", client: 192.168.0.5, server: paulbeard.org, request: "GET /wordpress/ HTTP/2.0", host: "paulbeard.org", referrer: "https://www.paulbeard.org/"
>> >
>> > This is the paulbeard.org stanza:
>> >
>> >      74      server {
>> >      75      listen 443 ssl http2;
>> >      76      server_name  paulbeard.org;
>> >      77      root           /usr/local/www/;
>> >      78      ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem; # managed by Certbot
>> >      79      ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem; # managed by Certbot
>> >      80      include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
>> >      81      ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
>> >      82
>> >      83      add_header X-Clacks-Overhead "GNU Terry Pratchett";
>> >      84      # add Strict-Transport-Security to prevent man in the middle attacks
>> >      85      add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
>> >      86      rewrite ^(.*) https://www.paulbeard.org$1 permanent;
>> >      87      #return      301 https://$host$request_uri;
>> >      88
>> >      89
>> >      90      disable_symlinks off;
>> >      91
>> >      92 }
>> >
>> > The only active thing that looks like a rewrite is on line 86 and if I comment that out, the php pages are downloaded, rather than parsed and displayed. That's not what I want.
>> >
>> > I have no idea how this got so messed up. I am working from a config that worked 3-4 days ago. I tried ripping out that stanza but something somewhere depends on it.
>> > --
>> > Paul Beard / www.paulbeard.org/
>>
>> It looks like you just want to redirect traffic to your www. ? 034
>> This is all you need for that. I don't know what that Terry Pratchett header is but whatevers, and I think you don't really need http2 for a redirect but it probably shouldn't break anything.
>>
>> You don't presently have an AAAA record for your domain in DNS so IPv6 isn't going to be an issue.
>>
>> server {
>>     listen 443 ssl http2;
>>     server_name  paulbeard.org;
>>     ssl_certificate /usr/local/etc/letsencrypt/live/paulbeard.org/fullchain.pem; # managed by Certbot
>>     ssl_certificate_key /usr/local/etc/letsencrypt/live/paulbeard.org/privkey.pem; # managed by Certbot
>>     include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
>>     ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
>>     add_header X-Clacks-Overhead "GNU Terry Pratchett";
>>     add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
>>     return      301 https://www.paulbeard.org$request_uri;
>> }
>>
>> --
>> Waitman Gobble
>>
> You know, I tried that very thing. It *should* work. It doesn't. And I can't see where the "more than 20 redirects" are creeping in. I assume it's ping ponging back and forth between www and non-ww but I can't see where that is explicitly declared/defined. After 20 or so it quits.
>
> grep redi nginx.conf
>     rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
>     rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
>     rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
>     rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
>     rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
>
> grep rewr nginx.conf
>     rewrite_log on;
>     rewrite ^(.*) https://www.paulbeard.org$1 permanent;
>     rewrite ^/wp-json/(.*?)$ /?rest_route=/$1 last;
>     rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
>     rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
>     rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
>     #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
>     #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
>     rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
>     rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
>     rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
>
> and I see traffic being logged so this is partly an nginx mystery and a Safari bug. Firefox has the same issue.
>
> I also don't understand why this breaks the php interpreter:
> rewrite ^(.*) https://www.paulbeard.org$1 permanent;
>
> Ideally, the redirect would push the request to the www. listener and all the work would get done there. But that doesn't seem to be the case.
>
> Almost to the point where I copy in the last known-good config and see where I am but that doesn't seem to make much difference. Occasionally it will work but not consistently over time.

Resolved by making the certificates and hosts/stanzas match the DNS records. The unadorned host/domain name gets the "logic" in the config file and CNAME www redirects to that. I guess Safari caught up with my lazy/short-sighted thinking.
-- 
Paul Beard / www.paulbeard.org/
-ligatures:no-common-ligatures">grep rewr nginx.conf</span></p> <p style=3D"margin:0px;font-stretch:normal;font-size:11px;line-height:norma= l;font-family:Menlo;color:rgb(0,0,0)"><span style=3D"font-variant-ligatures= :no-common-ligatures"><span>=C2=A0 =C2=A0 </span>rewrite_log on;</span></p> <p style=3D"margin:0px;font-stretch:normal;font-size:11px;line-height:norma= l;font-family:Menlo;color:rgb(0,0,0)"><span style=3D"font-variant-ligatures= :no-common-ligatures"><span>=C2=A0 =C2=A0 </span>rewrite ^(.*) <a href=3D"h= ttps://www.paulbeard.org" target=3D"_blank">https://www.paulbeard.org</a>$1= permanent;</span></p> <p style=3D"margin:0px;font-stretch:normal;font-size:11px;line-height:norma= l;font-family:Menlo;color:rgb(0,0,0)"><span style=3D"font-variant-ligatures= :no-common-ligatures"><span>=C2=A0 =C2=A0 </span>rewrite ^/wp-json/(.*?)$ /= ?rest_route=3D/$1 last;</span></p> <p style=3D"margin:0px;font-stretch:normal;font-size:11px;line-height:norma= l;font-family:Menlo;color:rgb(0,0,0)"><span style=3D"font-variant-ligatures= :no-common-ligatures"><span>=C2=A0=C2=A0 =C2=A0 </span>rewrite ^/caldav(.*)= $ /remote.php/caldav$1 redirect;</span></p> <p style=3D"margin:0px;font-stretch:normal;font-size:11px;line-height:norma= l;font-family:Menlo;color:rgb(0,0,0)"><span style=3D"font-variant-ligatures= :no-common-ligatures"><span>=C2=A0=C2=A0 =C2=A0 </span>rewrite ^/carddav(.*= )$ /remote.php/carddav$1 redirect;</span></p> <p style=3D"margin:0px;font-stretch:normal;font-size:11px;line-height:norma= l;font-family:Menlo;color:rgb(0,0,0)"><span style=3D"font-variant-ligatures= :no-common-ligatures"><span>=C2=A0=C2=A0 =C2=A0 </span>rewrite ^/webdav(.*)= $ /remote.php/webdav$1 redirect;</span></p> <p style=3D"margin:0px;font-stretch:normal;font-size:11px;line-height:norma= l;font-family:Menlo;color:rgb(0,0,0)"><span style=3D"font-variant-ligatures= :no-common-ligatures"><span>=C2=A0 =C2=A0 </span>#rewrite ^/.well-known/hos= t-meta /public.php?service=3Dhost-meta 
last;</span></p> <p style=3D"margin:0px;font-stretch:normal;font-size:11px;line-height:norma= l;font-family:Menlo;color:rgb(0,0,0)"><span style=3D"font-variant-ligatures= :no-common-ligatures"><span>=C2=A0 =C2=A0 </span>#rewrite ^/.well-known/hos= t-meta.json /public.php?service=3Dhost-meta-json last;</span></p> <p style=3D"margin:0px;font-stretch:normal;font-size:11px;line-height:norma= l;font-family:Menlo;color:rgb(0,0,0)"><span style=3D"font-variant-ligatures= :no-common-ligatures"><span>=C2=A0 =C2=A0 </span>rewrite ^/.well-known/card= dav /remote.php/carddav/ redirect;</span></p> <p style=3D"margin:0px;font-stretch:normal;font-size:11px;line-height:norma= l;font-family:Menlo;color:rgb(0,0,0)"><span style=3D"font-variant-ligatures= :no-common-ligatures"><span>=C2=A0 =C2=A0 </span>rewrite ^/.well-known/cald= av /remote.php/caldav/ redirect;</span></p> <p style=3D"margin:0px;font-stretch:normal;font-size:11px;line-height:norma= l;font-family:Menlo;color:rgb(0,0,0)"><span style=3D"font-variant-ligatures= :no-common-ligatures"><span>=C2=A0 =C2=A0 </span>rewrite ^(/core/doc/[^\/]+= /)$ $1/index.html;</span></p> </div><div><br></div><div>and I see traffic being logged so this is partly = an nginx mystery and a Safari bug. Firefox has the same issue.=C2=A0</div><= div><br></div><div>I also don't understand why this breaks the php inte= rpreter:=C2=A0</div><div>=C2=A0 =C2=A0 rewrite ^(.*) <a href=3D"https://www= .paulbeard.org" target=3D"_blank">https://www.paulbeard.org</a>$1 permanent= ;<br></div><div><br></div><div>Ideally, the redirect would push the request= to the www. listener and all the work would get done there. But that doesn= 't seem to be the case.=C2=A0</div><div><br></div><div>Almost to the po= int where I copy in the last known-good config and see where I am but that = doesn't seem to make much difference. 
Occasionally it will work but not= consistently over time.=C2=A0</div></div></blockquote><div><br></div><div>= Resolved by making the certificates and hosts/stanzas match the DNS records= . The unadorned host/domain name gets the "logic" in the config f= ile and CNAME www redirects to that. I guess Safari caught up with my lazy/= short-sighted thinking.=C2=A0</div></div><br clear=3D"all"><div><br></div>-= - <br><div dir=3D"ltr" class=3D"gmail_signature">Paul Beard / <a href=3D"ht= tp://www.paulbeard.org/" target=3D"_blank">www.paulbeard.org/</a><br></div>= </div> --0000000000008fb72705e8cb9027--
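The thread turns on a redirect that bounces between the www and non-www host until the browser gives up after about 20 hops, and is resolved by letting one host carry the server logic while the other only issues a `return 301` to it. The following is an added example, not code from the thread or from nginx: a small Python checker that pulls the server blocks out of an nginx config, records the server-level redirect each block issues (`return 30x` or `rewrite ... permanent|redirect`), and follows the resulting graph hop by hop the way a browser would, reporting a loop or a hop-limit hit before the config is deployed. The two configs are constructed (they use example.org, not the thread's hosts); the checker models only server-level redirects keyed by scheme and host, and assumes one directive per line, no `default_server` fallback and no DNS.

```python
"""Static redirect-loop check for nginx server blocks (added example, not from the thread)."""
import re

COMMENT_RE = re.compile(r'#[^\n]*')
# scheme and host of an absolute redirect target; `$host` keeps the request's host
TARGET_RE = re.compile(r'(https?)://(\$host|[A-Za-z0-9.-]+)')
# server-level `return 30x <target>;` or `rewrite <regex> <target> permanent|redirect;`
REDIRECT_RE = re.compile(
    r'^\s*(?:return\s+30[1278]\s+(\S+)|rewrite\s+\S+\s+(\S+)\s+(?:permanent|redirect))\s*;',
    re.M)


def server_blocks(conf):
    """Yield the body of every server { ... } block, tracking nested braces."""
    conf = COMMENT_RE.sub('', conf)
    for m in re.finditer(r'\bserver\s*\{', conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]


def _server_level(body):
    """Drop inner { ... } blocks (location, if) so only server-level directives remain."""
    out, depth = [], 0
    for ch in body:
        if ch == '{':
            depth += 1
        elif ch == '}':
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return ''.join(out)


def _scheme(top):
    """Assumption: a block listening with `ssl` or on 443 answers https, otherwise http."""
    listens = re.findall(r'^\s*listen\s+([^;]+);', top, re.M)
    tls = any('ssl' in l.split() or re.search(r'\b443\b', l) for l in listens)
    return 'https' if tls else 'http'


def redirect_map(conf):
    """Map (scheme, server_name) -> (scheme, host) it redirects to, or None if it serves."""
    rules = {}
    for body in server_blocks(conf):
        top = _server_level(body)
        scheme = _scheme(top)
        names = [n for m in re.finditer(r'^\s*server_name\s+([^;]+);', top, re.M)
                 for n in m.group(1).split()]
        target = None
        r = REDIRECT_RE.search(top)
        if r:
            t = TARGET_RE.match(r.group(1) or r.group(2))
            # a relative target (no scheme) stays on the same scheme and host
            target = (t.group(1), t.group(2)) if t else (scheme, '$host')
        for name in names:
            rules[(scheme, name)] = target
    return rules


def follow(rules, url, max_hops=20):
    """Follow redirects from url; returns (status, chain of URLs visited)."""
    scheme, host = url.split('://', 1)
    chain = [url]
    for _ in range(max_hops):
        if (scheme, host) not in rules:
            return 'not-configured', chain   # real nginx would fall through to default_server
        target = rules[(scheme, host)]
        if target is None:
            return 'served', chain
        scheme, nxt = target
        host = host if nxt == '$host' else nxt
        hop = f'{scheme}://{host}'
        if hop in chain:
            return 'loop', chain + [hop]
        chain.append(hop)
    return 'too-many-redirects', chain


# Constructed configs (example.org, not the thread's hosts).
# Both hosts redirect to each other: the ping-pong shape suspected in the thread.
PING_PONG = r"""
server {
    listen 443 ssl http2;
    server_name example.org;
    rewrite ^(.*) https://www.example.org$1 permanent;
}
server {
    listen 443 ssl http2;
    server_name www.example.org;
    return 301 https://example.org$request_uri;
}
"""

# The resolved shape: the apex host carries the logic, www and port 80 only redirect to it.
CANONICAL_APEX = r"""
server {
    listen 80;
    server_name example.org www.example.org;
    return 301 https://example.org$request_uri;
}
server {
    listen 443 ssl http2;
    server_name www.example.org;
    return 301 https://example.org$request_uri;
}
server {
    listen 443 ssl http2;
    server_name example.org;
    root /usr/local/www/;
    location ~ \.php$ { fastcgi_pass unix:/var/run/php-fpm.sock; }  # served here
}
"""

if __name__ == '__main__':
    for name, conf in (('ping-pong', PING_PONG), ('canonical apex', CANONICAL_APEX)):
        for start in ('https://example.org', 'https://www.example.org'):
            print(name, start, *follow(redirect_map(conf), start))
```

Running it prints a `loop` verdict for either starting host of the ping-pong config and `served` after one hop for the canonical layout. The same check catches the other classic self-inflicted loop, a `return 301 https://$host$request_uri;` placed in a 443 block instead of the port-80 block, because the hop lands on the URL it started from.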