Sunday, 15 January 2012

nginx - SSL/HTTPS issue (no padlock icon) on Safari when using nginx+unicorn




I have an application that runs on nginx+unicorn. This is how the server block looks:

    upstream rtdev {
        # fail_timeout=0 means retry the upstream even if it failed to
        # return a good HTTP response (in case the unicorn master nukes a
        # single worker for timing out).
        server unix:/tmp/rtapp.sock fail_timeout=0;
    }

    server {
        listen 443 ssl; # default;
        server_name devapp.resolutiontweet.com;
        root /home/xxxxxxx/xxxxxxxxx/public;
        client_max_body_size 12m;

        ssl on;
        ssl_certificate xxxxxxxx/xxxxxxxxx.crt;
        ssl_certificate_key xxxxxxxx/xxxxxxxxx.key;
        ssl_ciphers "AES256+EECDH:AES256+EDH";
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;

        ssl_stapling on;        # requires nginx >= 1.3.7
        ssl_stapling_verify on; # requires nginx >= 1.3.7

        location / {
            access_log off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_redirect off;
            proxy_headers_hash_max_size 8192;
            proxy_headers_hash_bucket_size 256;
            proxy_pass http://rtdev;
            #proxy_redirect http://rtdev https://devapp.resolutiontweet.com;
        }
    }

I'm running into a weird issue: Safari doesn't show the "lock" symbol for the secure site. Other browsers show it (tested on Chrome and Firefox). Attaching screenshots for reference.

(Screenshots: Mozilla Firefox, Google Chrome, Safari)

Modifying a few things in the server block fixes the issue, but then the site doesn't load. For example, changing

    proxy_pass http://rtdev; --> proxy_pass https://rtdev;

resolves the issue, but nginx throws a 501 error.

I'd appreciate it if anyone can throw light on how to resolve/debug this issue. Thanks.

Edit: The certificates are chained properly. I verified the settings with a couple of 3rd-party sites and everything seems fine.

I figured out the reason, and it has got nothing to do with the server configuration.

Apparently, an unsafe script was being injected dynamically by one of the libraries I was using. The script was using http, not https.

Firefox and Chrome give an indication that the page contains unsafe scripts. Safari, on the other hand, doesn't give the user any feedback and shows the page as unsecure.

I don't know what to say, whether to applaud Apple for being overly cautious or blame them for the lack of visual feedback.

References:

Find out which resources are not going over https:

https://www.whynopadlock.com/
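
The cause found above, a library injecting a script over http after the page has loaded, does not show up when reading the served HTML. As an added example (not part of the original post), the JavaScript below flags such elements in the live DOM; the names classify, watchMixedContent and SELECTOR are assumptions made for illustration.

```javascript
// Added example: flag subresources that an HTTPS page requests over plain HTTP.
// Tags whose content can run code or restyle the page ("active" mixed content).
const ACTIVE_TAGS = new Set(["script", "link", "iframe", "embed"]);
// Elements that trigger a subresource fetch (anchors are deliberately excluded).
const SELECTOR = 'script[src], iframe[src], embed[src], img[src], audio[src], ' +
  'video[src], source[src], link[rel~="stylesheet"][href]';

// Pure check: returns a finding for an http: subresource of an https: page, else null.
function classify(pageUrl, tag, rawUrl) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:" || !rawUrl) return null;
  let url;
  try {
    url = new URL(rawUrl, page); // resolves relative and protocol-relative URLs
  } catch {
    return null; // unparsable attribute value
  }
  if (url.protocol !== "http:") return null; // https:, data:, blob: are not mixed content
  const t = tag.toLowerCase();
  return { tag: t, url: url.href, kind: ACTIVE_TAGS.has(t) ? "active" : "passive" };
}

// Browser-only: audit what is in the DOM now, then watch for later injections.
function watchMixedContent(report) {
  const check = (el) => {
    const raw = el.getAttribute("src") || el.getAttribute("href");
    const finding = classify(location.href, el.tagName, raw);
    if (finding) report(finding);
  };
  const scan = (root) => {
    if (root.nodeType !== 1 && root.nodeType !== 9) return; // elements and document only
    if (root.matches && root.matches(SELECTOR)) check(root);
    root.querySelectorAll(SELECTOR).forEach(check);
  };
  scan(document);
  // Dynamically injected elements arrive as childList mutations.
  new MutationObserver((records) => {
    for (const record of records) record.addedNodes.forEach(scan);
  }).observe(document.documentElement, { childList: true, subtree: true });
}

// Outside a browser (for example under Node) only classify() is usable.
if (typeof document !== "undefined") {
  watchMixedContent((f) => console.warn("mixed content:", f.kind, f.tag, f.url));
}
```

The observer reports the element even when the browser blocks the insecure request itself. It does not cover XHR/fetch calls or url() references inside stylesheets.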
