Jeremy Davis's picture

Thanks so much for responding with so much detail Jules, it's really appreciated.

When I asked for the Nginx config I meant the actual Nginx server config i.e. the Nginx config inside the container that NPM generated for your reverse proxy. One of my guesses is that it's missing a directive, or including one that it shouldn't.

It does appear that under specific circumstances (i.e. Apache behind a Nginx reverse proxy with specific config when accessed via Safari) there is a bug in Nginx and/or Apache and/or Safari? Whose problem it is appears to depend on your perspective - see here and here.

If you can easily access the Nginx config (or perhaps NPM has some way to manually set/adjust the config?), then look for the section that should start something like this:

location / {
    proxy_pass https://BACKEND_SERVER_IP:443;
    [...]
}

Then within that location block (i.e. after the 'location / {' line and before the closing '}' line) try adding this line:

    proxy_hide_header Upgrade;

Then you'll need to restart Nginx to apply the updated config. Sorry but I have no idea on the best way to do that (if you have CLI access into the container, then 'systemctl restart nginx' should do the trick - otherwise, whatever you normally do to apply new Nginx config).

If that doesn't help, assuming that your site is publicly available, could you please share the domain with me? If you'd rather not post it publicly, please email to support AT turnkeylinux.org. If I can access your server, then I can run some (external) tests and gather some more info, I'm not sure it will help, but perhaps...

Another option is to run one of the common SSL testing sites (e.g. SSL Labs) and share the result. TBH, I'm not sure if that will pick up the backend server issues, but worth a try IMO.

One other question, have you connected directly to the server via its domain name (i.e. before, or without the reverse proxy)? If so, then could you please try clearing all cache and cookies from your browser and try connecting again. (It may not make any difference, but I have a hunch that there may be some old cache from the original connection that may be causing issues?).

Good luck and I look forward to hearing more.
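
One way to check which proxied location blocks in a generated config already carry the directive suggested above, as an added example (not part of the original post and not NPM or TurnKey code). The sample config and the function name `audit_proxy_locations` are constructed for illustration, and the check looks only at directives written directly inside each location block.

```python
import re

# Constructed sample shaped like a generated reverse-proxy server block;
# BACKEND_SERVER_IP is the post's placeholder, everything else is made up.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    server_name example.invalid;  # placeholder
    location / {
        proxy_pass https://BACKEND_SERVER_IP:443;
        proxy_set_header Host $host;
    }
    location /static/ {
        proxy_pass https://BACKEND_SERVER_IP:443;
        proxy_hide_header Upgrade;
    }
    location /health { return 204; }
}
"""

def audit_proxy_locations(conf):
    """Return [(location header, hides_upgrade)] for each location block that
    directly contains proxy_pass. Simplified parser: assumes no '#', '{', '}'
    or ';' inside quoted strings, regexes or ${var} references."""
    conf = re.sub(r"#[^\n]*", "", conf)           # strip comments
    stack, results, buf = [], [], ""
    for ch in conf:
        if ch == "{":                             # block opens; buf is its header
            stack.append((" ".join(buf.split()), []))
        elif ch == ";":                           # directive ends in current block
            if stack:
                stack[-1][1].append(buf.split())
        elif ch == "}":                           # block closes; evaluate it
            if not stack:
                raise ValueError("unbalanced '}' in config")
            header, directives = stack.pop()
            proxied = any(d[:1] == ["proxy_pass"] for d in directives)
            hidden = any(len(d) == 2 and d[0] == "proxy_hide_header"
                         and d[1].lower() == "upgrade" for d in directives)
            if header.startswith("location") and proxied:
                results.append((header, hidden))
        else:
            buf += ch
            continue
        buf = ""                                  # reset after any delimiter
    if stack:
        raise ValueError("unclosed block: " + stack[-1][0])
    return results

if __name__ == "__main__":
    for header, hidden in audit_proxy_locations(SAMPLE_CONF):
        print(f"{header}: {'ok' if hidden else 'missing proxy_hide_header Upgrade'}")
```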