I've been trying to get strict SSL on and off for years... surely it can't be this difficult?

Sorry, I posted this in the wrong spot.

I added the following as the solution in case anybody else has a dumb moment dealing with strict full ssl

Sandro,
You were right…it was two issues

1.) I needed to add the location and name of the pem and key in nginx configuration setup

2.) I have always added both http and https in the router setup to point to my server (took out the http)

I think it’s working now (still, that was a lot of damn learning!)

Thanks for your comment on here, the only thing that would have been more helpful is if you had placed a large carrot in front of my path

USING my IP ADDRESS xx.x…x…x. works fine using 443 or 80

My domain name is not working at all now

It worked perfectly for 10 minutes using strict instead of flexible

Nothing was changed. What could do that?

Additional detail required. Nothing works means what? Is an error message returned? What does that error message say?

I am pretty sure your server’s SSL setup still is not correct.

Does your IP address end in 52?

Oh sorry, I meant there was no way to connect (but now I can). As usual it was my fault (server configuration needed to be changed to 443 port)

yes, and please tell me it’s all good now 😉

No, your entire server is not accessible right now.

I don’t understand. After getting your message I just finished running every SSL test found on Google, including Qualys SSL Labs and 3 or 4 others. Most were quickly performed, but one tested two IPv6 and two non, and I received all A’s after a long wait (each test took like 60 seconds). Now there was a port 80 server on earlier, so maybe everything should be rebooted or something.

I am afraid I can only repeat what I wrote three days ago

This was the outcome: " Good, www.springfield-ohio-post.com is up "

If you tested this site more than an hour ago is it possible that cache…hmmm…cache?

Oh, I know!!! You are testing my IP from yesterday, but that all changed.

Changed? You just confirmed the IP ends in 52.

Yes but nobody can access me via ip (or that’s what I’m led to believe)…only by domain name…it’s a neat iptables trick

If nobody can, there is a good chance Cloudflare can't either.

Nope…whitelisted them in iptables
only people that go through cloudflare are allowed and only if the correct domain name is used

Nice to know it’s working 😉

As three days ago, can you remove that block, otherwise it is impossible for the community to verify whether it is working.

Hey Sandro, this is the block I will be removing:
```
# Drop all plain-HTTP (port 80) traffic
sudo iptables -A INPUT -p tcp --dport http -j DROP
# Drop invalid packets; keep established connections and loopback working
sudo iptables -A INPUT -m state --state INVALID -j DROP
sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -P FORWARD ACCEPT
# Accept HTTPS (port 443) from Cloudflare IPv4 ranges
sudo iptables -A INPUT -s 173.245.48.0/20 -p tcp --dport https -j ACCEPT
sudo iptables -A INPUT -s 103.21.244.0/22 -p tcp --dport https -j ACCEPT
sudo iptables -A INPUT -s 103.22.200.0/22 -p tcp --dport https -j ACCEPT
sudo iptables -A INPUT -s 103.31.4.0/22 -p tcp --dport https -j ACCEPT
sudo iptables -A INPUT -s 141.101.64.0/18 -p tcp --dport https -j ACCEPT
sudo iptables -A INPUT -s 108.162.192.0/18 -p tcp --dport https -j ACCEPT
sudo iptables -A INPUT -s 190.93.240.0/20 -p tcp --dport https -j ACCEPT
sudo iptables -A INPUT -s 188.114.96.0/20 -p tcp --dport https -j ACCEPT
sudo iptables -A INPUT -s 197.234.240.0/22 -p tcp --dport https -j ACCEPT
sudo iptables -A INPUT -s 198.41.128.0/17 -p tcp --dport https -j ACCEPT
sudo iptables -A INPUT -s 162.158.0.0/15 -p tcp --dport https -j ACCEPT
sudo iptables -A INPUT -s 104.16.0.0/12 -p tcp --dport https -j ACCEPT
sudo iptables -A INPUT -s 172.64.0.0/13 -p tcp --dport https -j ACCEPT
# Drop HTTPS from every other IPv4 source
sudo iptables -A INPUT -p tcp --dport https -j DROP
# Cloudflare IPv6 ranges go through ip6tables; iptables only accepts IPv4 addresses
sudo ip6tables -A INPUT -s 2400:cb00::/32 -p tcp --dport https -j ACCEPT
sudo ip6tables -A INPUT -s 2405:8100::/32 -p tcp --dport https -j ACCEPT
sudo ip6tables -A INPUT -s 2405:b500::/32 -p tcp --dport https -j ACCEPT
sudo ip6tables -A INPUT -s 2606:4700::/32 -p tcp --dport https -j ACCEPT
sudo ip6tables -A INPUT -s 2803:f800::/32 -p tcp --dport https -j ACCEPT
sudo ip6tables -A INPUT -s 2c0f:f248::/32 -p tcp --dport https -j ACCEPT
sudo ip6tables -A INPUT -s 2a06:98c0::/29 -p tcp --dport https -j ACCEPT
# Drop HTTPS from every other IPv6 source
sudo ip6tables -A INPUT -p tcp --dport https -j DROP
```

I suspect the bottom entry is to block all other https attempts and the very topmost entry is to block all port 80 requests entirely.
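
The allow-list approach in the rule block above, as an added example that is not part of any post in this thread: a script that prints (does not apply) port-443 rules, routing IPv4 ranges to `iptables` and IPv6 ranges to `ip6tables`, with each family's DROP rule emitted after its ACCEPT rules. The function names and the constructed sample input are assumptions for illustration; the ranges to feed in should come from Cloudflare's currently published list.

```shell
#!/bin/sh
# Added example: generate an HTTPS allow-list from a list of CIDR ranges.
# Nothing is applied; the rules are only printed so they can be reviewed.

# family_of CIDR: prints 6 or 4; returns non-zero for anything else.
family_of() {
  case "$1" in
    *:*/*)     echo 6 ;;
    *.*.*.*/*) echo 4 ;;
    *)         return 1 ;;
  esac
}

# gen_rules: reads one CIDR per line on stdin, writes the rule set to stdout.
# ACCEPT rules come first and the catch-all DROP last, because -A appends
# and the first matching rule wins.
gen_rules() {
  gr_v4=""
  gr_v6=""
  while IFS= read -r gr_cidr; do
    [ -z "$gr_cidr" ] && continue
    gr_fam=$(family_of "$gr_cidr") || {
      echo "skipping unrecognised entry: $gr_cidr" >&2
      continue
    }
    if [ "$gr_fam" = 4 ]; then
      gr_v4="${gr_v4}iptables -A INPUT -s $gr_cidr -p tcp --dport https -j ACCEPT
"
    else
      gr_v6="${gr_v6}ip6tables -A INPUT -s $gr_cidr -p tcp --dport https -j ACCEPT
"
    fi
  done
  printf '%s' "$gr_v4"
  echo "iptables -A INPUT -p tcp --dport https -j DROP"
  printf '%s' "$gr_v6"
  echo "ip6tables -A INPUT -p tcp --dport https -j DROP"
}

# Constructed sample input: four of the ranges quoted in the thread.
gen_rules <<'EOF'
173.245.48.0/20
103.21.244.0/22
2400:cb00::/32
2606:4700::/32
EOF
```

The IPv6 DROP matters as much as the IPv4 one: without it, an origin reachable over IPv6 still answers port 443 from any source.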