SSL issue on iOS with Nginx reverse proxy

[vlijmenlive]

Hi All,

I just noticed that the websits on my server are experiencing an issue when the visitor tries to access a website over HTTPS on his iOS device. Both iPad and iPhones seem to have the problem. I tried a lot to figure out what happens, but I don't know where to look at any more. Does anyone have suggestions on this?

I'm running nginx reverse proxy with Letsencrypt certificates for the domains. Examples are https://boel073.nl / https://sidscrl.be

On other devices (PC, Android etc) there is no problem in opening the websites, with ssl disabled the websites are accessible from iOS. Only iOS seems to give a 502 time-out (tested in Safari and Chrome).

Thanks in advance for you tips and idees on this.

Regards,
Niels

 

[Erulezz]

Are you using Nginx 1.10.0 stable version and HTTP2?

 

[vlijmenlive]

Are you using Nginx 1.10.0 stable version and HTTP2?

Thank you for your reply. I'm using the latest stable 1.10.1 version from Nginx and HTTP2 is enabled (according to https://tools.keycdn.com/http2-test it's also working). For me the strange thing is that the issue is only on iOS.

 

[Erulezz]

I had the same problem a while ago after updating Nginx to 1.9.15 (1.9.15 mainline = 1.10.1 stable). There is a bug in HTTP2 in this version:

http://stackoverflow.com/questions/...-code-1004-for-few-seconds-after-app-start-up

If you update to the latest Mainline version (1.11.3) the problem goes away. If you are using HTTP2 is it generally recommended to use the mainline version because there are a lot of bug fixes in the mainline branch. The stable version doesn't get updated very much.

To update to the mainline branch:

http://forum.directadmin.com/showthread.php?t=52704

 

[vlijmenlive]

I had the same problem a while ago after updating Nginx to 1.9.15 (1.9.15 mainline = 1.10.1 stable). There is a bug in HTTP2 in this version:

http://stackoverflow.com/questions/...-code-1004-for-few-seconds-after-app-start-up

If you update to the latest Mainline version (1.11.3) the problem goes away. If you are using HTTP2 is it generally recommended to use the mainline version because there are a lot of bug fixes in the mainline branch. The stable version doesn't get updated very much.

To update to the mainline branch:

http://forum.directadmin.com/showthread.php?t=52704

You made my day! I changed to mainline and indeed the issue is resolved. Sometimes stables are not that stable apparently. Many thanks.

 

[Erulezz]

Glad to help so quickly Keep in mind that if you check for updates in CustomBuild you need to manually check the nginx website. CustomBuild doesn't support the mainline version, so you aren't notified on any updates.

 

[opussupport]

You made my day! I changed to mainline and indeed the issue is resolved. Sometimes stables are not that stable apparently. Many thanks.

I was curious if I could be provided any insight into this - as we're running the 1.11.3 version and are still running into the issue in which all safari or ios browsers do not POST to the access log. The entries are just non stop GET requests with no POST.

I've scoured the interwebz and forums and simply cannot get any solution to take. Thanks for any and all correspondence.


EDIT: nginx -V output


nginx version: nginx/1.11.3
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.0.2h 3 May 2016
TLS SNI support enabled
configure arguments: --add-module=../modsecurity_nginx-2.9.0/nginx/modsecurity --user=nginx --group=nginx --prefix=/usr --sbin-path=/usr/sbin --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --http-log-path=/var/log/nginx/access_log --error-log-path=/var/log/nginx/error_log --with-ipv6 --without-mail_imap_module --without-mail_smtp_module --with-http_ssl_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-http_dav_module --with-cc-opt=''-D FD_SETSIZE=32768'' --with-http_mp4_module --with-http_v2_module --with-openssl=/usr/local/directadmin/custombuild/openssl-1.0.2h