question regarding ssl setting

Hi @newbie

It’s a very limited cipher list. I would recommend having a look at Mozilla’s generator: https://mozilla.github.io/server-side-tls/ssl-config-generator/ Just ignore that the generator recommends that you place most of the ssl-configs in the server-block - they can be located in your snippet include file.

But my guess would be that you’re not including the intermediates in ssl_certificate and ssl_trusted_certificate file. Can you give your site a spin at: https://www.ssllabs.com/ssltest/

By the way, does your listen look like this listen 443 ssl http2; including the http2?

Having the full configuration would be helpful, but let’s see what jtittle writes.

@newbie

To give you an idea of what can go in nginx.conf, I just pulled this from one of the servers I have in production right now. This is from the latest mainline release, so you may or may not be able to use this specific configuration.

It’s meant to more so show what you can put in the file, and keep out of the server blocks.

pcre_jit on;

timer_resolution 100ms;
user nginx nginx;

worker_priority -10;
worker_processes 2;
worker_rlimit_nofile 260000;

events {
    accept_mutex off;
    accept_mutex_delay 200ms;
    use epoll;
    worker_connections 10000;
}


http {
    aio threads;
    charset utf-8;
    default_type application/octet-stream;
    directio 4m;
    index index.php index.html;

    include /etc/nginx/config/mime.types;

    gzip on;
    gzip_vary on;
    gzip_disable "MSIE [1-6]\.";
    gzip_static on;
    gzip_min_length 1400;
    gzip_buffers 32 8k;
    gzip_http_version 1.0;
    gzip_comp_level 5;
    gzip_proxied any;
    gzip_types text/plain text/css text/xml application/javascript application/x-javascript application/xml application/xml+rss application/ecmascript application/json image/svg+xml;
    
    client_body_buffer_size 256k;
    client_body_in_file_only off;
    client_body_timeout 10s;
    client_header_buffer_size 64k;
    client_header_timeout 5s;
    client_max_body_size 50m;
    
    map_hash_bucket_size 128;
    map_hash_max_size 4096;
    
    open_file_cache max=50000 inactive=60s;
    open_file_cache_errors off;
    open_file_cache_min_uses 2;
    open_file_cache_valid 120s;
    open_log_file_cache max=10000 inactive=30s min_uses=2;
    
    proxy_temp_path /etc/nginx/cache/proxy;
    proxy_buffers 16 32k;
    proxy_buffer_size 64k;
    proxy_busy_buffers_size 128k;
    proxy_cache_bypass $http_pragma $http_authorization;
    proxy_connect_timeout 59s;
    proxy_hide_header X-Powered-By;
    proxy_http_version 1.1;
    proxy_ignore_headers Cache-Control Expires;
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504 http_404;
    proxy_no_cache $http_pragma $http_authorization;
    proxy_pass_header Set-Cookie;
    proxy_read_timeout 600;
    proxy_redirect off;
    proxy_send_timeout 600;
    proxy_temp_file_write_size 64k;
    proxy_set_header Accept-Encoding '';
    proxy_set_header Cookie $http_cookie;
    proxy_set_header Host $host;
    proxy_set_header Proxy '';
    proxy_set_header Referer $http_referer;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Original-Request $request_uri;
    
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_session_tickets off;
    ssl_session_timeout 5m;
    
    resolver 208.67.222.222 208.67.220.220 valid=300s;
    resolver_timeout 5s;

    connection_pool_size 512;
    ignore_invalid_headers on;
    keepalive_disable msie6;
    keepalive_requests 500;
    keepalive_timeout 5;
    large_client_header_buffers 8 64k;
    lingering_time 20s;
    lingering_timeout 5s;
    max_ranges 1;
    output_buffers 8 256k;
    postpone_output 1460;
    request_pool_size 32k;
    reset_timedout_connection on;
    sendfile on;
    sendfile_max_chunk 512k;
    send_timeout 10s;
    server_names_hash_bucket_size 128;
    server_names_hash_max_size 2048;
    server_name_in_redirect off;
    server_tokens off;
    tcp_nodelay on;
    tcp_nopush on;
    types_hash_max_size 2048;
    variables_hash_max_size 2048;

    include /etc/nginx/sites/enabled/*.conf;
}

In the above – SSL, Proxy, Resolver, and Index – all common things most stick in their server blocks – all of it can be put in the main configuration file without any issues.

I prefer to keep my server blocks as clean as physically possible. It helps with troubleshooting but it also makes it easier to read as just the basics are there, with a few includes for various other things such as caching, blocking bots or access to specific files/directories, etc.

I know the above works with 1.11.x and up, though it should work on 1.10.x as well.

I normally have Brotli configured as well, though I pulled it from the above as that requires a bit more work to get up and running and repository packages don’t provide it.

Keep in mind, I normally compile from source, so there’s two things above that you will need to change if you use the above:

include /etc/nginx/config/mime.types;

and

include /etc/nginx/sites/enabled/*.conf;

My source compiles use a more organized directory structure than what the default repositories use, so you’d need to change those lines to match your installation.

@newbie

Open up wp-config.php and find:

/* That's all, stop editing! Happy blogging. */

Below it, add:

define( 'WP_ALLOW_MULTISITE', true );

Now login to ./wp-admin and navigate to Tools => Network Setup and choose Sub-Directories.

We’ll need to open wp-config.php up once again and below the above define(), we’ll add:

define('MULTISITE', true);
define('SUBDOMAIN_INSTALL', false);
define('DOMAIN_CURRENT_SITE', 'yourdomain.com');
define('PATH_CURRENT_SITE', '/');
define('SITE_ID_CURRENT_SITE', 1);
define('BLOG_ID_CURRENT_SITE', 1);

So what you end up with is:

/* That's all, stop editing! Happy blogging. */

define( 'WP_ALLOW_MULTISITE', true );

define('MULTISITE', true);
define('SUBDOMAIN_INSTALL', false);
define('DOMAIN_CURRENT_SITE', 'yourdomain.com');
define('PATH_CURRENT_SITE', '/');
define('SITE_ID_CURRENT_SITE', 1);
define('BLOG_ID_CURRENT_SITE', 1);

Note: Make sure you change yourdomain.com in the above.

Once you add the above, you’ll be asked to log back in to your WordPress Dashboard and you’ll see a new option in the admin bar called ‘My Sites’. You can add new sites by navigating to:

My Sites => Network Admin => Sites 

For NGINX, you’ll want to add the following rewrites to your server block.

if ( !-e $request_filename ) {
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;	
    rewrite ^(/[^/]+)?(/wp-.*) $2 last;                     
    rewrite ^(/[^/]+)?(/.*\.php) $2 last;                   
}

I added the snippet above location /, so what I ended up with is:

if ( !-e $request_filename ) {
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;	
    rewrite ^(/[^/]+)?(/wp-.*) $2 last;                     
    rewrite ^(/[^/]+)?(/.*\.php) $2 last;                   
}

location / {
    try $uri $uri/ /index.php?$args;
}

You’d then restart NGINX for the changes to take. I just tested this on a demo Droplet and it’s working as expected, so hopefully that’ll help you to get things running :-).