
I'm trying to point a subdomain to a different IP address on a different server, but for some reason it's only working every once in a while (say 1 out of 20 times). Browsing to http://galera.domain.com throws a "took too long to respond" error and changes the URL to https://galera.domain.com. Browsing directly to the IP address works fine all the time.

Here's my current setup:

Server 1 (nginx):
IP_ADDRESS_1
HSTS is enabled [Strict Transport Security (max-age=63072000; includeSubdomains)]
DNS for domain.com / www.domain.com points to IP_ADDRESS_1

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name domain.com www.domain.com;
    # $server_name is the first name in the directive above (domain.com),
    # so requests for www.domain.com are redirected to https://domain.com/...
    return 301 https://$server_name$request_uri;
}

server {

    # SSL configuration
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    include snippets/ssl-domain.com.conf;   # certificate and private key
    include snippets/ssl-params.conf;       # TLS settings and the HSTS header (listed below)

    root /var/www/html;

    index index.php index.html index.htm index.nginx-debian.html;

    server_name domain.com;

    location / {
            try_files $uri $uri/ =404;
    }


    location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    # Never serve Apache-style .htaccess / .htpasswd files.
    location ~ /\.ht {
            deny all;
    }

}

Here is Server 1's /etc/nginx/snippets/ssl-params.conf file:

# TLSv1 and TLSv1.1 are deprecated; TLSv1.2 alone (plus TLSv1.3 where the
# nginx/OpenSSL build supports it) is the usual choice today.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# OCSP stapling; the resolver is needed to fetch the OCSP response.
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;

# This snippet is included only in the 443 server block, so the HSTS header is
# sent only over TLS, as RFC 6797 requires. includeSubdomains (directive names
# are case-insensitive) makes the browser apply the policy to every subdomain
# of domain.com, galera.domain.com included, for max-age seconds (two years).
# Note: add_header directives are inherited by a location block only if that
# location defines no add_header of its own.
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;

Server 2 (galera cluster #1 with phpmyadmin running on apache):
IP_ADDRESS_2
DNS for galera.domain.com points to IP_ADDRESS_2

# Only a plain-HTTP vhost is defined; nothing listens on port 443 on this host,
# so an HSTS-upgraded https://galera.domain.com request has nowhere to connect.
<VirtualHost *:80>

    ServerAdmin me@domain.com
    ServerName galera.domain.com
    DocumentRoot /usr/share/phpmyadmin

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

Hoping you can all help shed some light on this most likely simple problem.

edit: HSTS [Strict Transport Security (max-age=63072000; includeSubdomains)] is enabled on domain.com

edit 2: added the code for /etc/nginx/snippets/ssl-params.conf

edit 3: SOLVED. HSTS was preventing the insecure content from the subdomain from loading. Fixed by installing an SSL cert on galera.domain.com using the same protocols (including HSTS) as are used by domain.com.

iisor
  • The first snippet being nginx, ... It is unclear how these two configurations are related. Note that your apache virtualhost could use some `ServerName` directive. – SYN Mar 12 '17 at 03:49
  • We'd have to know the actual domain to troubleshoot. For example, the whole domain may have strict transport security configured, including all subdomains. (For example, connecting to `domain.com` on port 443 and retrieving `/` may tell you to implement strict transport security on all subdomains of `domain.com`. Did you check?) – David Schwartz Mar 12 '17 at 05:42
  • Please include the configuration in the question itself, not behind a link where it can disappear at some point. – Tero Kilkanen Mar 12 '17 at 12:30
  • @SYN the first config file is the nginx config on the first server, with IP_ADDRESS_1 (dns -> domain.com). The second config file is the apache config on the second server (dns -> galera.domain.com). – iisor Mar 12 '17 at 21:39
  • @DavidSchwartz Strict Transport Security (max-age=63072000; includeSubdomains) / HSTS is enabled on domain.com – iisor Mar 12 '17 at 22:03
  • Well then there you go. There's no reason this should work because you are violating the domain's security policy. – David Schwartz Mar 12 '17 at 22:04
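Why the browser rewrites http://galera.domain.com to https:// on its own, as an added example that is not part of the original question or its comments: a small Python model of the browser's HSTS cache as specified in RFC 6797, fed the exact Strict-Transport-Security value the ssl-params.conf snippet sends. domain.com and galera.domain.com are the question's placeholder hostnames; the time value in walkthrough() is an arbitrary constructed timestamp. A profile that has never loaded https://domain.com (or whose entry has expired) goes to the subdomain over plain HTTP as expected; a profile that has loaded it once has a two-year includeSubDomains entry, so every later navigation to http://galera.domain.com is rewritten to https before any connection is made, which is what shows up in the address bar.

```python
"""Model of a browser's HSTS cache (RFC 6797), run against the setup above.

Added example, not code from the original post.  domain.com and
galera.domain.com are the question's placeholder hostnames; the header
value is the one the nginx ssl-params.conf snippet sends.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float           # absolute time, seconds since the epoch
    include_subdomains: bool


def parse_hsts(header_value: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security value into (max_age, includeSubDomains).

    Directive names are case-insensitive, so the 'includeSubdomains'
    spelling in the nginx snippet is accepted.  Returns None when max-age
    is missing or malformed, in which case the browser ignores the header.
    """
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', value.strip())
            if m is None:
                return None
            max_age = int(m.group(1))
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """The browser's per-profile list of known HSTS hosts."""

    def __init__(self) -> None:
        self._hosts: Dict[str, HstsEntry] = {}

    def observe(self, host: str, header_value: str, now: float,
                over_tls: bool = True) -> None:
        """Record a response header.  Headers seen over plain HTTP are ignored."""
        if not over_tls:
            return
        parsed = parse_hsts(header_value)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:                       # max-age=0 deletes the entry
            self._hosts.pop(host, None)
        else:
            self._hosts[host] = HstsEntry(now + max_age, include_subdomains)

    def is_known(self, host: str, now: float) -> bool:
        """Exact match, or a superdomain match whose entry has includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None or entry.expires <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """What the browser does before connecting: http -> https, port 80 -> 443."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or "", now):
            return url
        netloc = parts.hostname or ""
        if parts.port is not None and parts.port != 80:
            netloc += f":{parts.port}"        # non-default ports are kept
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def walkthrough(now: float = 1_489_276_800.0) -> Tuple[str, str]:
    """Same URL, fresh profile versus one that has loaded https://domain.com."""
    fresh, primed = HstsStore(), HstsStore()
    # Constructed: the header value from the nginx ssl-params.conf above.
    primed.observe("domain.com", "max-age=63072000; includeSubdomains", now)
    target = "http://galera.domain.com/"
    return fresh.rewrite(target, now), primed.rewrite(target, now)


if __name__ == "__main__":
    before, after = walkthrough()
    print("fresh profile   :", before)   # http://galera.domain.com/
    print("after domain.com:", after)    # https://galera.domain.com/
```

Two caveats the model makes visible: the entry is refreshed on every https://domain.com response, so it effectively never expires for a regular visitor, and the only way to clear it from the server side is to serve max-age=0 over TLS (plain-HTTP responses are ignored). Real browsers add a built-in preload list on top of this cache, which the model leaves out.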

1 Answer


You need to coordinate with whoever sets the domain's security policy. This domain has opted to use strict transport security and you should not have been allowed to even create a subdomain for web server use until you coordinated.

David Schwartz
  • I appreciate the advice, but it doesn't help solve the problem. Would an SSL certificate need to be installed on the subdomain's server? – iisor Mar 12 '17 at 22:31
  • That will almost certainly be a minimum requirement. But you have to talk to whoever sets/maintains the domain's security policy. There are probably other requirements as well. It is quite strange that you were allowed to create a subdomain with a web server without being at least informed about the policy requirements. – David Schwartz Mar 12 '17 at 22:33
  • I set the policy -- or at least created the domain and configured the SSL settings, though clearly without 100% knowledge of the consequences. ssl-params.conf included in question – iisor Mar 12 '17 at 22:43
  • Well then whatever policy you set applies to subdomains as well since that's what the policy says. – David Schwartz Mar 12 '17 at 22:50
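What the fix from edit 3 looks like on Server 2, as an added example rather than configuration from the original post: an Apache vhost on port 443 for galera.domain.com that carries the same HSTS policy the parent domain sends, with the port-80 vhost reduced to a redirect. The certificate and key paths are assumptions, as is the presence of mod_ssl and mod_headers; the protocol line is stricter than the nginx snippet above (TLS 1.0/1.1 dropped), which is a choice, not something the asker stated.

```apache
# Plain-HTTP vhost only redirects. Browsers that already hold the domain.com
# HSTS entry never send a plain request here at all.
<VirtualHost *:80>
    ServerName galera.domain.com
    Redirect permanent / https://galera.domain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin me@domain.com
    ServerName galera.domain.com
    DocumentRoot /usr/share/phpmyadmin

    SSLEngine on
    # Assumed paths. The certificate must be valid for galera.domain.com
    # (its own cert, or a wildcard/SAN cert that covers the subdomain);
    # with HSTS in force the browser will not let the user click past a
    # certificate error.
    SSLCertificateFile    /etc/ssl/certs/galera.domain.com.crt
    SSLCertificateKeyFile /etc/ssl/private/galera.domain.com.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLHonorCipherOrder on

    # Same policy domain.com sends, and only in this TLS vhost.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    Header always set X-Frame-Options DENY
    Header always set X-Content-Type-Options nosniff

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```

Enable the modules and check the syntax before reloading (`a2enmod ssl headers`, `apachectl configtest`), then confirm from a client with `curl -sI https://galera.domain.com/ | grep -i strict-transport-security`. One caveat that follows from the parent domain's policy: includeSubDomains applies to every subdomain of domain.com for two years after a visitor last loaded https://domain.com, so any other subdomain that gets a web server later needs valid TLS from day one as well.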