If Safari (and possibly other browsers) fails to load a site over HTTPS served by NGINX sitting as a reverse proxy in front of Apache:
Safari can't open the page. The error is: "The operation couldn't be completed. Protocol error" (NSPOSIXErrorDomain:100)
we have a possible solution for the case.
NGINX when installed as a reverse proxy with Apache as a back-end fetches resources from Apache using HTTP/1.1, which the back-end server tries to upgrade to HTTP/2 by sending the "Upgrade: h2" header:
Upgrade: h2, h2c
And NGINX is transmitting the header Upgrade from Apache to a client, i.e. browser. And browsers on iOS (on iPhone) and on macOS High Sierra from Apple might fail here and drop a connection to such a site.
It will mostly effect CentOS 7 due to OpenSSL version 1.0.2+ which is now installed by default on this OS since September 2017 And Apache gets built against OpenSSL 1.0.2+:
# apachectl -v Server version: Apache/2.4.27 (Unix) Server built: Sep 24 2017 23:11:03
# openssl version OpenSSL 1.0.2k-fips 26 Jan 2017
Older OS with Apache 2.4.x and OpenSSL 1.0.2+ might be affected too.
In order to solve the issue on a server with Directadmin we need to add the following instruction into NGINX :
So we run:
echo "proxy_hide_header Upgrade;" >> /etc/nginx/nginx-includes.conf service nginx restart
The issue should be resolved at this moment.
If you don't have Directadmin you can also use this solution, but you should add the mentioned directive into /etc/nginx.conf or try a file under /etc/nginx/conf.d/.