I'm trying to point a subdomain to a different IP address on a different server, but for some reason it's only working every once in a while (say 1 out of 20 times). Browsing to http://galera.domain.com throws a "took too long to respond" error and changes the URL to https://galera.domain.com. Browsing directly to the IP address works fine all the time.
Here's my current setup:
Server 1 (nginx):
IP_ADDRESS_1
HSTS is enabled [Strict Transport Security (max-age=63072000; includeSubdomains)]
DNS for domain.com / www.domain.com points to IP_ADDRESS_1
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name domain.com www.domain.com;
    return 301 https://$server_name$request_uri;
}

server {
    # SSL configuration
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    include snippets/ssl-domain.com.conf;
    include snippets/ssl-params.conf;

    root /var/www/html;
    index index.php index.html index.htm index.nginx-debian.html;
    server_name domain.com;

    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }
    location ~ /\.ht {
        deny all;
    }
}
Here is Server 1's /etc/nginx/snippets/ssl-params.conf file:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
Server 2 (galera cluster #1 with phpMyAdmin running on Apache):
IP_ADDRESS_2
DNS for galera.domain.com points to IP_ADDRESS_2
<VirtualHost *:80>
    ServerAdmin [email protected]
    ServerName galera.domain.com
    DocumentRoot /usr/share/phpmyadmin
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Hoping you can all help shed some light on this most likely simple problem.
edit: HSTS [Strict Transport Security (max-age=63072000; includeSubdomains)] is enabled on domain.com
edit 2: added the code for /etc/nginx/snippets/ssl-params.conf
edit 3: SOLVED. HSTS was preventing the insecure content from the subdomain from loading. Fixed by installing an SSL cert on galera.domain.com using the same protocols (including HSTS) as are used by domain.com.
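To make the cause concrete, here is an added example (not code from the poster or from either server) that models the browser-side HSTS cache: it parses the exact Strict-Transport-Security header the nginx config above sends and decides whether a given hostname must be fetched over HTTPS. The hostnames and the cache contents are constructed for illustration.

```python
"""Model how a browser's HSTS cache decides that a host must use HTTPS.

Constructed illustration for this thread: it parses the header value
"max-age=63072000; includeSubdomains" as a browser would (RFC 6797
directive names are case-insensitive) and evaluates hostnames offline.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HstsEntry:
    host: str               # host that sent the header, lower-cased
    max_age: int            # seconds the policy stays cached
    include_subdomains: bool


def parse_sts(host: str, header: str) -> Optional[HstsEntry]:
    """Parse a Strict-Transport-Security value; None if max-age is missing
    (a browser ignores such a header entirely)."""
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return HstsEntry(host.lower().rstrip("."), max_age, include_sub)


def must_use_https(target: str, cache: List[HstsEntry]) -> bool:
    """True if any cached policy forces `target` to HTTPS.  An entry always
    covers its own host; subdomains only when includeSubDomains was set.
    A max-age of 0 clears the entry."""
    target = target.lower().rstrip(".")
    for entry in cache:
        if entry.max_age == 0:
            continue
        if target == entry.host:
            return True
        if entry.include_subdomains and target.endswith("." + entry.host):
            return True
    return False


# Constructed cache: what the browser holds after one HTTPS visit to domain.com.
STS_HEADER = "max-age=63072000; includeSubdomains"
CACHE = [parse_sts("domain.com", STS_HEADER)]
```

With this cache, `must_use_https("galera.domain.com", CACHE)` is True, so the browser rewrites the plain-HTTP URL to https:// before sending anything, and with no listener on port 443 at IP_ADDRESS_2 the request times out; a browser whose cache holds no entry for domain.com (never visited over HTTPS, or entry expired) returns False, which is consistent with the occasional success described in the question.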
You need to coordinate with whoever sets the domain's security policy. This domain has opted to use strict transport security and you should not have been allowed to even create a subdomain for web server use until you coordinated.