You are here
I'm using proxmox 7.1-7, Turnkey Linux WordPress containers 17.1-1. I have nginx proxy manager in front. No errors in Nginx logs. The issue started when I moved my websites to 17.1 from 16.1. I made the move because I needed php7.4. I still have 1 website on 16.1 and it works fine on all devices. Getting connection refused. Like it can't parse the response. I spun up a brand new container with no plugins installed to test, it does the same thing. I assume it has something to do with TLS.
Apache System logs show this when an iOS device tries to connect:
Service [webmin] connected remote server from 127.0.0.1:42382
transfer: s_poll_wait: TIMEOUTclose exceeded: closing
Connection closed: 578 byte(s) sent to TLS, 828 byte(s) sent to socket
I suspect that you are right!
I'm not 100% sure, but I suspect that you may be right. One way that you might be able to double check is if you can connect via plain http? (IIRC you should be able to access vanilla http if you explicitly browse to it).
FYI, we use the Mozilla SSL Configuration Generator "Intermediate" settings. It sounds like you might need the "Old" settings (that link should take you to a page that I've pre-filled Apache and OpenSSL versions and selected "old").
The parts from that which you'll want to copy are "SSLCipherSuite" and possibly "SSLProtocol" (you might also want to update "SSLHonorCipherOrder" too). The file on your server that you'll need to edit is /etc/apache2/mods-available/ssl.conf. Once you've updated as desired, then be sure to restart Apache:
Hopefully that helps?!
I have the same problem and
This seems to be a problem
Hi Gareth, thanks for taking the time to post your feedback
Hi Gareth, thanks for taking the time to share your experience.
Whilst I'm still not sure of the specific cause, as I've mentioned, I'm guessing that the issue is our tightened security defaults (our website is running on an older version of TurnKey that isn't quite so locked down - and obviously our site is working for you). If you experienced the issue with WordPress, I'm not super surprised that you hit this issue on other TurnKey appliances you tested. About 70-80% of the library uses Apache as the webserver and it seems that it's our locked down Apache config (that all apps that use Apache inherit) that is causing you this issue.
Could you please give me some more info about the device(s) that failed? I don't have any Apple devices and it only appears to affect them (or at least I can't reproduce with any of the devices that I have access to)?! Assuming that it's only affecting Apple devices for you too, then I'd be particularly interested in what device in particular and ideally what OS and browser version too. If it affects other devices, if you could please share what they are (and OS and browser versions too ideally). Armed with that info I'm almost certain that I can get to the bottom of this issue.
I will also think about developing a tool to tighten and/or loosen security config so these issues are easier to work around.
You also noted that you went a different path and it "just worked", so I'd also be interested to know what you are using now? Perhaps we should reduce the default security a little to ensure better compatibility?
After reinstalling from
Thanks Jules
Sorry to hear of your ongoing frustration with TurnKey servers. That's certainly not what we're going for!
Thanks too for reporting back (although it sucks that my advice wasn't useful). And apologies that I didn't previously respond to your earlier post (I've been a bit scattered and things have been a bit crazy behind the scenes with my colleague Alon being based in Israel...).
If you could help me out by sharing the same info I asked Gareth for. I.e. the device(s) that failed to connect and what OS & browser versions they have. If you had any success with other devices, please share as much info about them too. If you've also had success with some other server, I'd be interested in what that is/was (so I can compare our config).
The fact that you 3 are the only reports we've had of this issue suggests that it is limited to specific devices and even though my advice didn't help, the fact that defaults seem to work fine for Gareth, suggests to me that I'm on the right track re Apache security being too locked down.
Look forward to any further info you can share so I can try to work this one out. Thanks in advance.
More thoughts...
Hi again to all of you.
If any of you have the patience and inclination, I'd be super interested if any of you still have the same issues with the new v18.0 release. They're only available as ISOs at the moment (so would need to be installed to a VM) but it would be interesting to know whether the issue still hits you on the newer release (I suspect so, but it'd be good to be sure).
Also, re-reading through this thread, I note that the OP was using it behind a Nginx reverse proxy. Are either of you guys also trying to do that?
And actually, now I think of it, by chance are any of you using Nginx Proxy Manager? If so, could you please share the Nginx config (that is generated by Nginx Proxy Manager)? I have had another user having similar issues and it was a Nginx config issue. It was easily fixed by manually configuring the reverse proxy. So I'm wondering if perhaps that is the issue for you guys too? (Sorry I didn't think of that sooner). If I can confirm it again and document it a bit better, I'll open a bug report against Nginx Proxy Manager.
Hello Jeremy,
Hello Jeremy,
I am also behind a Nginx reverse proxy. I can reach the Wordpress-Server through its Network-IP-Address from all sources including Safari on Mac and from my iPhone. However, if I try to access the website through its domain it does not work (Safari on Mac and iPhone). “The network connection was lost”. Other people experience the same problem when trying to access my site.
None of my browsers on iPhone work: Safari (17.0.3), Brave (1.57.2)
On macOS only Safari (16.4) does not work, but Brave does work (1.59.117)
On Windows and Android everything works.
This problem has been persisting for month, my website is only a placeholder, so I didn’t care that much. But now I want to replace it with a real website, so it’s a huge problem.
Which Nginx config do you mean exactly? Sorry, I’m not an expert in these things and I set up my NPM a long time ago with docker compose. Do you need this config or one from inside the container:
version: "3"
services:
app:
image: jc21/nginx-proxy-manager:latest
restart: always
ports:
- 80:80
- 81:81
- 443:443
volumes:
- ./config.json:/app/config/production.json
- ./data:/data
- ./letsencrypt:/etc/letsencrypt
depends_on:
- db
environment:
# if you want pretty colors in your docker logs:
- FORCE_COLOR=1
db:
image: mariadb:latest
restart: always
environment:
MYSQL_ROOT_PASSWORD: "XXXX"
MYSQL_DATABASE: "XXXX"
MYSQL_USER: "XXXX"
MYSQL_PASSWORD: "XXXX"
volumes:
- ./data/mysql:/var/lib/mysql
Thanks so much Jules!
Thanks so much for responding with so much detail Jules, it's really appreciated.
When I asked for the Nginx config I meant the actual Nginx server config i.e. the Nginx config inside the container that NPM generated for your reverse proxy. One of my guesses is that it's missing a directive, or including one that it shouldn't.
It does appear that under specific circumstance (i.e. Apache behind a Nginx reverse proxy with specific config when accessed via Safari) there is a bug in Nginx and/or Apache and/or Safari? Who's problem it is appears to depend on your perspective - see here and here.
If you can easily access the Nginx config (or perhaps NPM has some way to manually set/adjust the config?), then look for the section that should start something like this:
Then within that location block (i.e. after the 'location / {' line and before the closing '}' line) try adding this line:
Then you'll need to restart Nginx to apply the updated config. Sorry but I have no idea on the best way to do that (if you have cli access into the container; then 'systemctl restart nginx' should do the trick - otherwise, whatever you normally do to to apply new Nginx config).
If that doesn't help, assuming that your site is publicly available, could you please share the domain with me? If you'd rather not post it publicly, please email to support AT turnkeylinux.org. If I can access your server, then I can run some (external) tests and gather some more info, I'm not sure it will help, but perhaps...
Another option is to run one of the common SSL testing sites (e.g. SSL Labs) and share the result. TBH, I'm not sure if that will pick up the backend server issues, but worth a try IMO.
One other question, have you connected directly to the server via it's domain name (i.e. before, or without the reverse proxy)? If so, then could you please try clearing all cache and cookies from your browser and try connecting again. (It may not make any difference, but I have a hunch that there may be some old cache from the original connection that may be causing issues?).
Good luck and I look forward to hearing more.
By adding "
Thanks for confirming!
Thanks for confirming. I've opened an issue as well, hopefully more people will find there way there/here.
It seems to be a specific issue between an Nginx reverse proxy and Apache backend server. It appears that Nginx directive is required to work around it. Out of interest, here's the relevant NPM issue.
Hi,
Hi,
Thanks for this fix. My conf file has more than one location section with a similar proxy pass section as well. I tried inserting the command below to the first section but that didn't fix the problem. I don't want to keep modifying randomly as I am new to this. nginx is running on a synology nas via docker container. Any help would be appreciated, thanks
Hi Michael
Hi Michael. Firstly, I've enabled your TurnKey website user account, so please feel free to log in and your posts should be published straight away. (I.e. you shouldn't need to wait for me to publish).
When you say "more than one location section with a similar proxy pass section", how similar? Assuming mostly the same, I'd recommend moving all the config that is common to all your proxies into it's own config snippet file (call it proxy.conf and put it in /etc/nginx/snippets/). Add that 'proxy_hide_header Upgrade;' line this common proxy.conf. Then whenever you want to reuse that proxy conf within a server block, add the line 'include snippets/proxy.conf;'.
Hopefully that is clear enough and makes sense? If you're still a bit confused, check out our default Nginx ssl.conf config snippet file and see how we include that in our default landing page config.
It's perhaps not the best example (as the ssl.conf is only used once in the default landing page). But the point of doing it that way is the same. It allows a shared/default config snippet (in this case for TLS/SSL) that can easily be reused by any site.
If you have additional config for a specific proxy (that is not common), just add that after the include line.
Good luck.
Thank you Jeremy, I will look
Thank you Jeremy, I will look into this. It's all going over my head at the moment but hopefully I can make sense of it. Thank you.
You're most welcome! :)
Although not sure how much you should be thanking me if it hasn't actually helped yet!
But seriously, you are welcome. And if you need more explanation and/or things aren't working as expected, please do not hesitate to start new thread and we can go as far down the rabbit hole as you want! :)
Thanks all for sharing those
Thanks all for sharing those insights!
For me adding the following to npm worked (partially).
Now, I can access the website via iOS devices, but pictures and other elements are not shown (again, the problem is only on iOS devices; works fine on PC browser, Android etc.)
Are you aware of any other workarounds?
Would much appreciate the help
Hi Ben.
Hi Ben. FYI I deleted your other post as it was essentially the same. Also if you want to be able to post without waiting for me to publish it and/or start a new thread (for any other issues, or general feedback, etc), please feel free to sign up and let me know and I will enable your user account ASAP.
Regarding the issue you're hitting - as I'm pretty sure I mentioned previously - unfortunately I don't have any iOS devices, so I can't test myself. Although if images are missing, then I would expect that there are explicit errors occurring in your browser. I assume you're using Safari? And assuming that on iOS it is possible to enable "web developer tools" then enable that and check for what errors are occurring and post back. It may not help me to know exactly how to resolve them, but it will be more info - which is always good IMO. And my googlefu is pretty strong so we may be able to find some fix/workaround! :)
From Ben
I'm not sure why, but the "auto post from email reply" didn't work when Ben replied via email?! Regardless, here is Ben's response (posted as a guest):
Hi Jeremy,
Many thanks for the note! I was not sure whether my first comment went through; hence, I commented twice. Also thanks for your thoughts on the issue. In fact the problem appears independent of the browser I use on iOS (Safari, Chrome, Firefox, Brave). Really bizarre as the is exclusively happening on iOS...
Best
Ben
Hmm, so it must be something at a lower level in iOS.
Hmm, so it must be something at a lower level in iOS.
I almost wish that I did have an iOS device so I could dig into this a bit more. I'm almost certain that it's something to do with the headers that is upsetting iOS. No doubt some "security" feature. Unfortunately, without a clear idea of what it's actually choking on, it's really hard to know how it might be worked around.
Another way to try to debug this (without using browser "web dev tools") would be to use curl from the CLI. To compare headers, get the headers from each server (use the '--insecure switch to skip checking cert validity):
It's an interesting problem that I'd really love to understand. So also allowing me to recreate it would be useful. If possible, could you share the proxy config and the backend webserver config? Also knowing what software (and versions) you're using (both the proxy and the webserver behind it) would be useful to try to recreate it.
To be clear, I'm pretty snowed under at the moment, so even if you give me all the above info, I'm not sure when I'd get to this. There is also a good chance it'll keep getting pushed down my "todo" list - so no promises...
I had the same problem. For
I had the same problem. For something truly "turnkey" I ended up downloading an older version and then updating everything was the image was flashed. It has been working great so far.
Ah, so it works ok with iOS on an older TurnKey version!?
So it works ok via iOS using an older TKL version - when behind a reverse proxy!?
Assuming so, could you please confirm which specific TurnKey version? I was going to suggest that it's likely the v17.x release, but the original report was related to v17.x, so probably not? FYI I only need to major version but if you're unsure, you can get it via CLI with:
It would also be awesome if you could also confirm the software you're using as a reverse proxy and what version that is (e.g. Nginx and the version). The reverse proxy config and setup would also be greatly appreciated.
Regardless, just knowing that it works as expected with a previous version should give me something to work with re this issue - especially if I know which version. I can compare our default config and what has changed between major versions. If nothing there jumps out, I can also look through the changelogs of major software components which may highlight the specific issue? If it seems that it's not specifically related to our config, I can lodge a bug report upstream.
Even if the core issues is outside of what we can do, if we can find a workaround, we can at least document it.
FWIW with this extra info, I suspect that it may be related to some security hardening that we did in v17.x and perhaps v18.x. There is always a risk that tightening the security screws will create issues in some scenarios. And if you are behind a reverse proxy, then our hardening is almost certainly irrelevant as the hardening would best be applied to the outwards facing server - which is obviously outside our control.
Also, if anybody else experiencing this issue could also try an older TurnKey version and confirm that it works as expected with iOS would be awesome.
NPM to turnkey-wordpress-18.0-bookworm-amd64 Issue
Hi Jeremy,
Running latest NPM v2.11.2 to your latest turnkey-wordpress-18.0-bookworm-amd64 and encountering the same issue(s).
I added the directive
The website loads, however, photos/media/pictures are not loading. I have some 10+ other sites behind the NPM are working fine. The turnkey-wordpress-18.0-bookworm-amd64 is the only LXC failing. All the other servers are running various flavours of Ubuntu (I was trying to standardize on your excellent images moving forward.
Any other ideas would be very helpful, as I really do not want to move this semi-production site to a whole new Wordpress LXC built from scratch.
Update
Hey Jeremy,
I was able to fix my issue by placing the website behind Cloudflare.
I am using Strict SSL, with NPM, and your turnkey image works excellently (100%).
Thank You.
Add new comment