Connection timeout on SSL with shared hosting
Francis Daly
francis at daoine.org
Mon Aug 24 13:02:13 UTC 2020
On Mon, Aug 24, 2020 at 07:35:24AM -0400, nathanpgibson wrote:
Hi there,
> Just wondering if anyone has further thoughts on what to try here?
You wrote:
"""
When I try nmap from my local machine I get some results I can't
explain. Notice the discrepancy between ports 80 and ports 443 and
between IPv4 and IPv6
$ nmap -A -T4 -p443 example.org
443/tcp filtered https
$ nmap -A -T4 -p443 my.server.ip.address
443/tcp filtered https
$ nmap -A -T4 -p443 -6 my:server:ip::v6:address
443/tcp open ssl/http nginx 1.10.3
$ nmap -A -T4 -p80 example.org
80/tcp open http nginx 1.10.3
$ nmap -A -T4 -p80 my.server.ip.address
80/tcp open http nginx 1.10.3
"""
For nmap, filtered means: Nmap cannot determine whether the port is
open because packet filtering prevents its probes from reaching the
port. The filtering could be from a dedicated firewall device, router
rules, or host-based firewall software.
(From https://nmap.org/book/man-port-scanning-basics.html)
That means that something in between your nmap testing client and your
nginx server is interfering with the IPv4 https/port 443 traffic. Find
and fix that something, and things will probably work better.
You also indicate that most visitors get a connection timeout message,
while some get through.
Do your nginx logs indicate that all of the ones that get through are
using IPv6, not IPv4? That might also point at IPv4 being blocked.
(Or: do your nginx logs indicate that all of the ones that get through
are coming from similar IP addresses? Perhaps there is wonky routing
involved? Although that would not explain the difference between ports
80 and 443 of the same IPv4 address.)
If you "tcpdump" on the nginx server for the port 443 traffic, do you
see anything? If tcpdump sees the traffic but nginx does not, there is
probably a local (on the same server as nginx) network control device
("firewall") involved. If tcpdump does not see the traffic, then there
is an external network control device involved.
If you, for example, "tcptraceroute" to your IPv4 address, port 443,
from a remote client, how far does the traffic get? That might hint at
where the first block is happening.
But right now, there is nothing obviously related to nginx in this
diagnosis.
Good luck with it,
f
--
Francis Daly francis at daoine.org
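As an added example (not part of Francis's reply or of nginx), this script runs the log check suggested above: it parses nginx "combined"-format access log lines, tallies completed requests by client address family (all IPv6 would support the "IPv4 is filtered" theory) and by coarse network prefix (to spot the "all from similar addresses" routing case). The log lines are constructed, and it assumes the https server block writes its own access log.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in nginx's default "combined" log_format,
# standing in for the port-443 server block's access log (assumption:
# that server block logs to its own file, so every line here is https).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Aug/2020:12:01:03 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.68.0"
2001:db8:1::10 - - [24/Aug/2020:12:01:09 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
2001:db8:2::22 - - [24/Aug/2020:12:02:41 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Aug/2020:12:03:15 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
2001:db8:1::11 - - [24/Aug/2020:12:04:00 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
"""

# In the combined format the first field is $remote_addr; the status
# code follows the quoted request line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')


def summarize(log_text):
    """Count requests by client address family and by coarse prefix
    (/24 for IPv4, /48 for IPv6). Unparseable lines are skipped."""
    families = Counter()
    prefixes = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        families["ipv%d" % addr.version] += 1
        plen = 24 if addr.version == 4 else 48
        net = ipaddress.ip_network("%s/%d" % (addr, plen), strict=False)
        prefixes[str(net)] += 1
    return families, prefixes


def only_ipv6(families):
    """True when every request that reached nginx came over IPv6, the
    pattern that would point at IPv4 port 443 being blocked upstream."""
    return families.get("ipv4", 0) == 0 and families.get("ipv6", 0) > 0


if __name__ == "__main__":
    fam, pfx = summarize(SAMPLE_LOG)
    print("requests by family:", dict(fam))
    print("requests by prefix:", dict(pfx))
    print("all reached via IPv6?", only_ipv6(fam))
```

Point it at the real https access log (for example `summarize(open("/var/log/nginx/ssl_access.log").read())`) and compare the family counts with those from the port-80 log.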