Discourse site not working on iOS


(Brad Robinson) #1

Hi All,

I’m hoping someone can help me with a problem I’m having with Discourse and iOS. The site in question (here) seems to work fine everywhere except on iOS. It’s fine on Windows, OSX and Android in any browser, but on my iPhone and on the iOS devices of at least several users it doesn’t work in either Safari or Chrome.

The error reported by Safari is:

Safari cannot open the page because the network connection was lost.

Other discourse sites (eg: meta.discourse.org) work on the same device. Other non-discourse sites on the same server work (eg: this one).

I’ve tried looking at the server-side nginx log, but it seems to never record anything from that device. I’ve tried using Web Inspector to check out the network requests from the client side, but it doesn’t show anything (just a data:text/html entry for the Safari-generated error page).

The site used to work on iOS but I’m not sure when it stopped working.

Other info:

Server OS: Ubuntu 14.04
Nginx: 1.4.6 (nginx config shown below)
iOS version: 11.3 (15E216)
Discourse: v2.1.0.beta2 +58 (upgraded today).

Any help greatly appreciated.

Brad

Nginx Config:

# Plain-HTTP listener: everything on port 80 is redirected to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name community.cantabilesoftware.com;
    return 301 https://community.cantabilesoftware.com$request_uri;
}

# TLS listener: terminates TLS here and proxies to Discourse on 127.0.0.1:3099.
# No ssl_protocols or ssl_ciphers directives, so this nginx build's defaults apply.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate /var/www/cantabilesoftware_com.chained.crt;
    ssl_certificate_key /var/www/cantabilesoftware_com.key;
    server_name community.cantabilesoftware.com;
    access_log /var/log/community.cantabilesoftware.com.access.log;
    location / {
        proxy_http_version 1.1;
        proxy_set_header Referer $http_referer;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header HOST $http_host;
        proxy_pass http://127.0.0.1:3099;
        proxy_redirect off;
        client_max_body_size    6m;
    }
}

(Sam Saffron) #2

Running the outer proxy thing there is not ideal; you are opting for pain. My guess is you are using SSL ciphers that are insecure and whose support has been stripped from iOS.
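To make that guess checkable against the config posted above, here is an added example (written for this edit; it is not code from the thread, from Discourse or from nginx): a small Python linter that parses an nginx `server` block and flags the TLS directives that are missing or weak. The posted block is embedded as the "before"; the "after" is an assumed hardened block with TLS 1.2/1.3 only, an AEAD-only cipher list, HSTS and Let's Encrypt paths, all of which are assumptions rather than anything the thread states.

```python
"""Static audit of nginx `server` blocks for TLS hardening directives.

Added example for this thread; not Discourse's, nginx's or Brad's own code.
POSTED_CONFIG is the TLS server block from the first post (proxy headers
abbreviated). HARDENED_CONFIG is an assumed replacement: the Let's Encrypt
paths, the cipher list and TLS 1.3 support are assumptions, not thread facts.
"""
import re

POSTED_CONFIG = """
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate /var/www/cantabilesoftware_com.chained.crt;
    ssl_certificate_key /var/www/cantabilesoftware_com.key;
    server_name community.cantabilesoftware.com;
    location / {
        proxy_http_version 1.1;
        proxy_set_header HOST $http_host;
        # ... remaining proxy_set_header lines as posted ...
        proxy_pass http://127.0.0.1:3099;
    }
}
"""

HARDENED_CONFIG = """
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name community.cantabilesoftware.com;
    ssl_certificate /etc/letsencrypt/live/community.cantabilesoftware.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/community.cantabilesoftware.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=63072000" always;
    # location / { ... } unchanged from the posted config
}
"""

def parse(text):
    """Minimal nginx parser ('#' comments, ';' directives, '{}' blocks); returns top-level
    blocks as {'name', 'args', 'directives', 'blocks'}. Not the full nginx grammar."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))
    pos = 0

    def body():
        nonlocal pos
        directives, blocks, words = [], [], []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == ";":
                directives.append((words[0], words[1:]))
                words = []
            elif tok == "{":
                inner_d, inner_b = body()
                blocks.append({"name": words[0], "args": words[1:],
                               "directives": inner_d, "blocks": inner_b})
                words = []
            elif tok == "}":
                break
            else:
                words.append(tok)
        return directives, blocks
    return body()[1]

# nginx's documented defaults: ssl_protocols included SSLv3 until 1.9.1, so an unset directive
# on 1.4.6 still offers SSLv3 and TLS 1.0; ssl_ciphers defaults to HIGH:!aNULL:!MD5, which on
# Ubuntu 14.04's OpenSSL 1.0.1 still admits 3DES and CBC suites.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")

def audit_tls(block):
    """Finding codes for a `server` block that listens with ssl; None for plain-HTTP blocks."""
    by_name = {}
    for name, args in block["directives"]:
        by_name.setdefault(name, []).append(args)
    if not any("ssl" in args for args in by_name.get("listen", [])):
        return None
    findings = []
    protos = by_name.get("ssl_protocols")
    if protos is None:
        findings.append("ssl_protocols_unset")
    elif WEAK_PROTOCOLS & set(protos[-1]):
        findings.append("ssl_protocols_weak")
    ciphers = by_name.get("ssl_ciphers")
    if ciphers is None:
        findings.append("ssl_ciphers_unset")
    else:  # judge only enabled names, not '!'-excluded ones
        enabled = [c for c in ciphers[-1][0].strip("\"'").split(":") if not c.startswith("!")]
        if any(m in c.upper() for c in enabled for m in WEAK_CIPHER_MARKERS):
            findings.append("ssl_ciphers_weak")
    if not any(a[:1] == ["Strict-Transport-Security"] for a in by_name.get("add_header", [])):
        findings.append("hsts_missing")
    return findings

def audit_config(text):
    """(server_name, findings) for every server block in the config that listens with ssl."""
    out = []
    for block in parse(text):
        findings = audit_tls(block) if block["name"] == "server" else None
        if findings is not None:
            out.append((" ".join(dict(block["directives"]).get("server_name", ["(unnamed)"])), findings))
    return out
```

`audit_config(POSTED_CONFIG)` reports `ssl_protocols_unset`, `ssl_ciphers_unset` and `hsts_missing` for community.cantabilesoftware.com, and nothing for the hardened block. The findings say what nginx falls back to when the directives are absent, which is the kind of thing a client-side cipher or protocol mismatch would be about; they do not by themselves prove that is what Safari tripped on, which only a handshake trace or an external scan can show.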


(Brad Robinson) #3

Hi @sam

Thanks for the fast answer. Not sure I’m following what you mean exactly. The same certificate is used on this site and it works fine on iOS.

Could you elaborate on how I can fix this?

Brad


(Andrew Schleifer) #4

The HTTP version redirects to HTTPS:

$ curl -I http://community.cantabilesoftware.com

HTTP/1.1 301 Moved Permanently
Server: nginx/1.4.6 (Ubuntu)
Date: Tue, 26 Jun 2018 13:42:15 GMT
Content-Type: text/html
Content-Length: 193
Connection: keep-alive
Location: https://community.cantabilesoftware.com/

But the HTTPS version does not work at all:

$ curl https://community.cantabilesoftware.com
curl: (52) Empty reply from server

(Brad Robinson) #5

Hi @sam / @Andrew,

Could I get some clarification on this:

Are you saying Discourse shouldn’t be run behind nginx, or that there’s something about the way I’ve got it configured that’s problematic? Also, some explanation of, or reference on, why this is not a good idea would be great.

Anyway I’m getting the feeling this isn’t related to discourse, so I’ll probably stop posting about it here, but if anyone can shed some light, I’d really appreciate it. I’m kinda stumped here.

I just tried some similar tests to @Andrew with curl but using -v…

On Windows, I get back the home page, and the site works in Chrome, Edge and Firefox.

On OSX, I get this error, and the site works in Chrome but not Safari (I didn’t realize that yesterday):

Brads-MBP:~ brad$ curl -v https://community.cantabilesoftware.com/
*   Trying 173.255.196.118...
* TCP_NODELAY set
* Connected to community.cantabilesoftware.com (173.255.196.118) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: cantabilesoftware.com
* Server certificate: SSL.com DV CA
* Server certificate: USERTrust RSA Certification Authority
> GET / HTTP/1.1
> Host: community.cantabilesoftware.com
> User-Agent: curl/7.54.0
> Accept: */*
> 
* SSLRead() return error -9806
* Closing connection 0
curl: (56) SSLRead() return error -9806

On Ubuntu 14.04 Desktop, I get this error from curl, but the site works in Chrome and Firefox:

brad@localhost:~$ curl https://community.cantabilesoftware.com
curl: (56) SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
brad@localhost:~$ curl https://community.cantabilesoftware.com -v
* Rebuilt URL to: https://community.cantabilesoftware.com/
* Hostname was NOT found in DNS cache
*   Trying 173.255.196.118...
* Connected to community.cantabilesoftware.com (173.255.196.118) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
* 	 subject: OU=Domain Control Validated; CN=cantabilesoftware.com
* 	 start date: 2018-01-03 00:00:00 GMT
* 	 expire date: 2021-01-02 23:59:59 GMT
* 	 subjectAltName: community.cantabilesoftware.com matched
* 	 issuer: C=US; O=SSL.com; OU=www.ssl.com; CN=SSL.com DV CA
* 	 SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: community.cantabilesoftware.com
> Accept: */*
> 
* SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
* Closing connection 0
curl: (56) SSL read: error:00000000:lib(0):func(0):reason(0), errno 104

On Ubuntu on another Linode server, I get this error (no browsers to test with):

brad@localhost:~$ curl -v https://community.cantabilesoftware.com/
* Hostname was NOT found in DNS cache
*   Trying 173.255.196.118...
* Connected to community.cantabilesoftware.com (173.255.196.118) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*        subject: OU=Domain Control Validated; CN=cantabilesoftware.com
*        start date: 2018-01-03 00:00:00 GMT
*        expire date: 2021-01-02 23:59:59 GMT
*        subjectAltName: community.cantabilesoftware.com matched
*        issuer: C=US; O=SSL.com; OU=www.ssl.com; CN=SSL.com DV CA
*        SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: community.cantabilesoftware.com
> Accept: */*
>
* SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
* Closing connection 0
curl: (56) SSL read: error:00000000:lib(0):func(0):reason(0), errno 104

Also, on all machines/browsers and with curl, the (non-Discourse) site http://www.cantabilesoftware.com, which uses exactly the same certificate file, works, although that site runs on a different server (pretty much identically configured).

Obviously there’s something about the server side configuration for just this discourse site, or something about the certificate and that sub-domain that some clients don’t like. Could it be that community.cantabilesoftware.com is the subjectAltName in the certificate and some clients don’t like this?

Searching the above error codes, the best I could come up with was this post on Stack Overflow, but the solutions revolve around client-side fixes (eg: rebuilding curl).

Any help greatly appreciated.

Brad
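The three curl transcripts above share one shape: the handshake completes (ECDHE-RSA-AES256-GCM-SHA384 on both macOS and Ubuntu) and the connection dies on the first read; errno 104 is ECONNRESET on Linux, and -9806 is Secure Transport's errSSLClosedAbort. What follows is an added example, not code from the thread or from Discourse: a Python probe that pins each TLS version in turn, sends one request, and reports whether the handshake was refused, the connection was reset or closed after the request, or an HTTP reply came back. Host and port are parameters; the request shape and the outcome labels are my own choices.

```python
"""Probe one TLS endpoint per protocol version and report where the connection dies.

Added example for this thread, not code from the thread or from Discourse. It
separates three outcomes that a bare curl error blurs together: handshake
refused, connection reset or closed after the request (curl's errno 104 and
"Empty reply from server", Secure Transport's -9806), and a real HTTP reply.
"""
import socket
import ssl

VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def build_request(host, path="/"):
    """One HEAD request in the same shape curl sends; Connection: close keeps it to one read."""
    return (f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"User-Agent: tls-probe\r\nConnection: close\r\n\r\n").encode()

def classify_reply(data):
    """Label the first bytes read after the request."""
    if not data:
        return "closed_after_request"   # peer closed without a reply (curl 52)
    if data.startswith(b"HTTP/"):
        return "http_reply"
    return "non_http_data"

def probe(host, port=443, version="TLSv1.2", timeout=5.0):
    """Pin the handshake to one protocol version, send one request, report the outcome."""
    ctx = ssl.create_default_context()          # certificate verification stays on
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    ctx.minimum_version = ctx.maximum_version = VERSIONS[version]
    result = {"version": version}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["outcome"] = f"tcp_failed: {exc}"
        return result
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except ssl.SSLError as exc:                 # includes certificate verification failures
        raw.close()
        result["outcome"] = f"handshake_failed: {exc.reason or exc}"
        return result
    except OSError as exc:
        raw.close()
        result["outcome"] = f"reset_during_handshake: {exc}"
        return result
    with tls:
        result["negotiated"] = f"{tls.version()} {tls.cipher()[0]}"
        try:
            tls.sendall(build_request(host))
            result["outcome"] = classify_reply(tls.recv(4096))
        except ConnectionResetError:            # the errno 104 / -9806 case
            result["outcome"] = "reset_after_request"
        except ssl.SSLError as exc:
            result["outcome"] = f"tls_error_after_request: {exc.reason or exc}"
    return result

def probe_all(host, port=443):
    """One record per protocol version, so the matrix can be read at a glance."""
    return {v: probe(host, port, v) for v in VERSIONS}

if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(probe_all(sys.argv[1]), indent=2))
```

Saved as `probe.py` (name assumed), `python3 probe.py community.cantabilesoftware.com` prints one record per protocol version. `handshake_failed` on TLS 1.0/1.1 with `http_reply` on 1.2 is what a hardened server looks like, though the client's own OpenSSL may refuse TLS 1.0/1.1 at its security level, so read the `reason` text before blaming the server. `reset_after_request` or `closed_after_request` after a successful TLS 1.2 handshake, which is what the curl runs above show, means the negotiation succeeded and the connection was dropped afterwards; that is a different failure from a refused cipher suite and is worth reading against the server's error log rather than its cipher list.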


(Rafael dos Santos Silva) #6

The latter one.

Our Discourse image has nginx built in, and we ensure you run an up-to-date version of it. For example, you are running a version of nginx that is more than 4 years old.

Our default config should give you an A+, while yours is here: SSL Server Test: community.cantabilesoftware.com (Powered by Qualys SSL Labs)


(Brad Robinson) #7

Follow-up… I got this sorted by reinstalling on a fresh Ubuntu 18.04 LTS with all updates and a fresh Let’s Encrypt certificate. I guess it was either the old SSL.com certificate or the old version of nginx.

Thanks everyone for the help.

