After moving the sites to HTTPS, the following problem came up: if a page has many pictures or other linked files (JS scripts, CSS files, etc.), not all of them load. Chrome and similar browsers show the error net::ERR_SPDY_PROTOCOL_ERROR when trying to load them (and if you click the link shown in the error, the picture opens). Firefox does not show errors, but some pictures are not displayed (and which ones are missing is random). There are no errors in the server logs; in access.log the picture in question has status 200. There are 2 websites, both on WordPress, and the picture is the same on both. Over HTTP the pages open without any problems.
I tried resetting and reinstalling the browser; that does not solve the problem, and these errors appear only on sites that are on this server, i.e. it is a server problem, apparently.
The server runs FreeBSD 11.1 with the latest updates, nginx, PHP-FPM and MariaDB as the database. All software has been updated to recent versions (the update did not solve the issue).
Current nginx SSL settings:
    ssl on;
    ssl_certificate /usr/local/etc/letsencrypt/live/tso/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/tso/privkey.pem;
    ssl_session_timeout 1h;
    ssl_session_cache shared:SSL:16m;
    #ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /usr/local/etc/nginx/dhparam.pem;

    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security "max-age=15768000; includeSubdomains;";

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
I tried different options for ssl_ciphers and other SSL settings; that does not solve the problem. If I uncomment the ssl_session_tickets off option, the site does not load at all, with the error ERR_SSL_PROTOCOL_ERROR.
If anyone has come across something like this, please tell me what else the problem could be.
I figured it out in the end (by which point there were already workarounds). The problem was in these 3 options:
    client_body_timeout 10;
    reset_timedout_connection on;
    send_timeout 2;
Turning them off one at a time or changing the timeouts does not solve the problem; only disabling all 3 at once does.
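A small audit for the three directives named above, as an added example that is not part of the original post: it parses an nginx config and reports client_body_timeout and send_timeout values below a review threshold, plus reset_timedout_connection on. The 30-second threshold, the function names and the sample config are assumptions; the defaults quoted are nginx's documented ones.

```python
import re

# nginx defaults for the three directives the post ended up removing.
DEFAULTS = {"client_body_timeout": "60s", "send_timeout": "60s",
            "reset_timedout_connection": "off"}
# Seconds per nginx time suffix (a bare number means seconds).
UNITS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400}
MIN_TIMEOUT = 30  # assumed review threshold in seconds, not an nginx rule


def to_seconds(value):
    """Convert an nginx time value such as '2', '10s' or '1m 30s' to seconds."""
    total = 0.0
    for num, unit in re.findall(r"(\d+)(ms|[smhd])?", value):
        total += int(num) * UNITS[unit or "s"]
    return total


def directives(conf):
    """Yield (name, value) for every simple directive, ignoring comments."""
    conf = re.sub(r"#[^\n]*", "", conf)  # naive: assumes no '#' inside quotes
    for stmt in re.split(r"[;{}]", conf):
        parts = stmt.split(None, 1)
        if len(parts) == 2:
            yield parts[0], parts[1].strip()


def audit(conf):
    """Return findings for the timeout settings named in the post."""
    found = {n: v for n, v in directives(conf) if n in DEFAULTS}  # last one wins
    findings = []
    for name in ("client_body_timeout", "send_timeout"):
        if name in found and to_seconds(found[name]) < MIN_TIMEOUT:
            findings.append(f"{name} {found[name]} (default {DEFAULTS[name]})")
    if found.get("reset_timedout_connection") == "on":
        findings.append("reset_timedout_connection on (default off)")
    return findings


# Constructed sample: the three lines from the post inside a minimal server block.
SAMPLE = """
server {
    client_body_timeout 10; reset_timedout_connection on;
    send_timeout 2;  # closes the connection if the client reads nothing for 2s
}
"""

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print("review:", line)
```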