config Errors
32 error patterns
Nginx 502 Bad Gateway - upstream unavailable
502 Bad Gateway|upstream prematurely closed connection
- Verify the upstream server is running and listening on the expected address/port
- "upstream prematurely closed connection" means the backend closed the socket before sending a complete response; check the backend's own logs for crashes, OOM kills or an application worker timeout that is shorter than nginx's proxy_read_timeout
- Raising proxy_read_timeout and proxy_connect_timeout only helps when nginx gives up first, and that case surfaces as 504, not 502
Nginx 504 Gateway Timeout
504 Gateway Time-?out|upstream timed out.*reading response
- Increase proxy_read_timeout (default 60s) in the specific location that needs it: proxy_read_timeout 300s; a long global timeout lets a stalled backend tie up connections everywhere
- Optimize the backend endpoint that is taking too long to respond, or move the work to an asynchronous job and poll for the result
Nginx redirect loop
rewrite or internal redirection cycle|return 301.*too many redirects
- Check for conflicting rewrite rules that redirect back and forth (HTTP→HTTPS→HTTP)
- Behind a TLS-terminating load balancer nginx sees plain HTTP on every request, so a redirect based on $scheme never stops; base it on X-Forwarded-Proto instead, and trust that header only from the load balancer's addresses so clients can't spoof it
- Use 'return 301' instead of 'rewrite' for simple redirects: rewrite re-enters location matching and can interact with other rules, and "rewrite or internal redirection cycle" is nginx hitting its 10-pass internal redirect limit
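The load-balancer case from the entry above, as an added example (it is not part of the catalog): a small Python simulation replays client → load balancer → nginx for two redirect rules, the naive `$scheme` check and an `X-Forwarded-Proto` check that trusts the header only from the proxy network, and shows which one loops. The load-balancer address range 10.0.0.0/8, the address 10.0.0.2 and the host example.com are assumptions for the demonstration.

```python
"""Simulate nginx-style HTTPS redirect rules behind a TLS-terminating load balancer
and detect the redirect loop. Added example, not part of the catalog.
Assumptions: the load balancer always talks plain HTTP to nginx, sets X-Forwarded-Proto
to the client's original scheme, and lives in 10.0.0.0/8 (hypothetical addresses)."""
import ipaddress
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: where the LB lives

Request = Dict[str, object]
Rule = Callable[[Request], Optional[str]]  # returns a Location value, or None for a 200


class RedirectLoop(Exception):
    """Raised when the client is bounced back to a URL it already visited."""


def naive_https_redirect(req: Request) -> Optional[str]:
    """nginx:  if ($scheme != "https") { return 301 https://$host$request_uri; }
    $scheme describes the LB->nginx hop, which is always http behind a TLS-terminating LB."""
    if req["scheme"] != "https":
        return f"https://{req['host']}{req['uri']}"
    return None


def forwarded_proto_redirect(req: Request) -> Optional[str]:
    """nginx equivalent: derive the effective scheme from X-Forwarded-Proto, but only when the
    connection comes from a trusted proxy; anyone else could spoof the header to skip the redirect."""
    remote = ipaddress.ip_address(str(req["remote_addr"]))
    trusted = any(remote in net for net in TRUSTED_PROXIES)
    headers = req["headers"]
    forwarded = headers.get("X-Forwarded-Proto") if trusted else None
    effective_scheme = forwarded or req["scheme"]
    if effective_scheme != "https":
        return f"https://{req['host']}{req['uri']}"
    return None


def follow(rule: Rule, url: str, lb_addr: str = "10.0.0.2", max_hops: int = 10) -> Tuple[str, int]:
    """Replay client -> LB -> nginx until nginx answers without a redirect.
    Returns (final_url, number_of_redirects); raises RedirectLoop on a cycle. max_hops mirrors
    nginx's own limit of 10 internal redirects."""
    visited = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        req: Request = {
            "scheme": "http",                                 # LB -> nginx hop is plain HTTP
            "host": parts.hostname,
            "uri": parts.path or "/",
            "remote_addr": lb_addr,
            "headers": {"X-Forwarded-Proto": parts.scheme},  # what the client actually used
        }
        location = rule(req)
        if location is None:
            return url, len(visited)
        if location == url or location in visited:
            raise RedirectLoop(" -> ".join(visited + [url, location]))
        visited.append(url)
        url = location
    raise RedirectLoop(f"more than {max_hops} redirects")


def loops(rule: Rule, url: str) -> bool:
    """True if the rule sends a client starting at `url` into a redirect cycle."""
    try:
        follow(rule, url)
    except RedirectLoop:
        return True
    return False


if __name__ == "__main__":
    for name, rule in (("naive $scheme check", naive_https_redirect),
                       ("X-Forwarded-Proto check", forwarded_proto_redirect)):
        outcome = "LOOP" if loops(rule, "http://example.com/login") else follow(rule, "http://example.com/login")
        print(f"{name}: {outcome}")
```

The spoofing check matters as much as the loop fix: a request from an untrusted address carrying `X-Forwarded-Proto: https` is still redirected, so the header cannot be used to bypass the HTTPS upgrade.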
Nginx SSL certificate loading error
SSL_CTX_use_PrivateKey.*failed|cannot load certificate
- Verify the ssl_certificate and ssl_certificate_key paths; nginx's master process reads them as root at startup and reload, so keep the private key root-owned with mode 0600 rather than making it readable by the worker user
- SSL_CTX_use_PrivateKey_file failing usually means the key does not match the certificate ("key values mismatch") or is in the wrong format (passphrase-protected, DER or PKCS#12 instead of PEM); compare openssl x509 -noout -pubkey -in cert.pem with openssl pkey -pubout -in key.pem
- Ensure the certificate file contains the full chain (server cert first, then intermediates) in PEM format
Nginx location block configuration error
location.*directive is not allowed here|duplicate location
- Ensure location blocks are inside a server block (or nested inside another location), not at the http level
- Remove duplicate location blocks for the same prefix or regex within one server block; merge their contents into one
Nginx proxy_pass DNS resolution failure
proxy_pass.*no resolver defined|could not be resolved
- A hostname written literally in proxy_pass is resolved once at startup; to resolve at runtime, use a variable together with a resolver directive: set $backend http://app.internal; proxy_pass $backend;
- Point resolver at your internal DNS (for example resolver 10.0.0.2 valid=30s, or 127.0.0.11 inside Docker), not a public one: a public resolver cannot answer for private zones, and the queries would leave your network in cleartext UDP where they leak service names and can be spoofed
Nginx 413 payload too large
client intended to send too large body|413 Request Entity Too Large
- Increase client_max_body_size (default 1m), e.g. client_max_body_size 100m
- Set it only in the location block that handles uploads rather than in the http or server block; a large limit on every endpoint widens the request-body denial-of-service surface
Nginx upstream connection refused
connect\(\) failed.*Connection refused.*upstream
- Verify the backend service is running: systemctl status app, or check that the process exists
- Check the upstream address and port against what the backend is actually bound to (ss -ltnp); a backend bound to 127.0.0.1 is unreachable from nginx running in another container or host
Nginx permission denied serving static files
open\(\).*failed.*Permission denied|directory index of .* is forbidden
- Make the files readable by the worker user's group instead of by everyone: chgrp -R www-data /path && chmod -R g+r /path (chmod -R o+r also works, but exposes the tree to every local account)
- Every parent directory needs execute (search) permission for that user: chmod g+x on each directory in the path, e.g. find /path -type d -exec chmod g+x {} +
- "directory index of ... is forbidden" is a different cause: the request hit a directory with no index file and autoindex is off; add the index file rather than enabling autoindex, which publishes a listing of the tree
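A check for the permission-denied entry above, as an added example that is not part of the catalog: it walks every ancestor directory of a file and reports which one the worker user cannot traverse or read, applying the owner/group/other rule the kernel uses, and includes a least-privilege repair that grants the worker's group access instead of `chmod -R o+r`. The `stat_fn` parameter lets the logic run against a constructed tree; with its default it inspects the real filesystem. The uid/gid values (33 for www-data, 1000 for the deploy user) and the `/srv/site` paths are assumptions.

```python
"""Check whether the nginx worker user can actually open a static file, directory by directory,
before reaching for chmod -R o+r. Added example, not from the catalog."""
import os
import stat
from collections import namedtuple
from typing import Callable, Iterable, List

# Minimal stat shape the checker needs; a real os.stat_result satisfies it too.
FakeStat = namedtuple("FakeStat", "st_mode st_uid st_gid")

R_BIT, X_BIT = 4, 1


def effective_bits(st, uid: int, gids: Iterable[int]) -> int:
    """Pick the rwx triplet that applies to (uid, gids): owner, then group, then other,
    like the kernel does. Root is deliberately not special-cased; workers never run as root."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 0o7
    if st.st_gid in set(gids):
        return (st.st_mode >> 3) & 0o7
    return st.st_mode & 0o7


def check_readable(path: str, uid: int, gids: Iterable[int],
                   stat_fn: Callable[[str], object] = os.stat) -> List[str]:
    """Return the reasons the worker user cannot serve `path`; an empty list means it can."""
    gids = set(gids)
    path = os.path.abspath(path)
    problems: List[str] = []
    # Every ancestor needs search (x) permission: open() fails with EACCES at the first one without it.
    ancestors = []
    cur = path
    while os.path.dirname(cur) != cur:
        cur = os.path.dirname(cur)
        ancestors.append(cur)
    for d in reversed(ancestors):
        if not effective_bits(stat_fn(d), uid, gids) & X_BIT:
            problems.append(f"{d}: no search (x) permission for uid {uid}")
    st = stat_fn(path)
    if stat.S_ISDIR(st.st_mode):
        # The other half of the pattern: "directory index of ... is forbidden" is a directory
        # request with no index file and autoindex off, not a permission problem.
        problems.append(f"{path}: is a directory; add an index file instead of enabling autoindex")
    elif not effective_bits(st, uid, gids) & R_BIT:
        problems.append(f"{path}: no read (r) permission for uid {uid}")
    return problems


def grant_group_read(root: str, gid: int) -> None:
    """Least-privilege repair on the real filesystem: hand the tree to the worker's group
    (g+rX) and leave the 'other' bits alone. Needs permission to chgrp (root, or membership in gid)."""
    for dirpath, _dirnames, filenames in os.walk(root):
        os.chown(dirpath, -1, gid)
        os.chmod(dirpath, (os.stat(dirpath).st_mode & 0o7777) | stat.S_IRGRP | stat.S_IXGRP)
        for name in filenames:
            p = os.path.join(dirpath, name)
            os.chown(p, -1, gid)
            os.chmod(p, (os.stat(p).st_mode & 0o7777) | stat.S_IRGRP)


# Constructed tree (assumption): a deploy user (uid/gid 1000) unpacked the site with tight modes;
# the worker runs as www-data (uid 33, gid 33) and must not own the files.
SAMPLE_TREE = {
    "/": FakeStat(stat.S_IFDIR | 0o755, 0, 0),
    "/srv": FakeStat(stat.S_IFDIR | 0o755, 0, 0),
    "/srv/site": FakeStat(stat.S_IFDIR | 0o700, 1000, 1000),
    "/srv/site/assets": FakeStat(stat.S_IFDIR | 0o750, 1000, 1000),
    "/srv/site/assets/app.css": FakeStat(stat.S_IFREG | 0o640, 1000, 1000),
    "/srv/site/docs": FakeStat(stat.S_IFDIR | 0o755, 1000, 1000),
}

if __name__ == "__main__":
    # With the worker in the deploy group, the only remaining blocker is the 0700 site directory.
    for problem in check_readable("/srv/site/assets/app.css", uid=33, gids={33, 1000},
                                  stat_fn=SAMPLE_TREE.__getitem__):
        print(problem)
```

Against a live server, run `check_readable("/srv/site/assets/app.css", uid, gids)` with the uid and supplementary groups of the worker user (from `id www-data`); only when it reports nothing is the remaining "Permission denied" coming from somewhere other than file modes, for example SELinux or AppArmor.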
Nginx all upstream servers marked down
no live upstreams while connecting to upstream
- Every server in the upstream group has exceeded max_fails within fail_timeout; open-source nginx only has these passive checks, so the backends may already be healthy again while nginx still holds them down. Check each backend directly
- Loosen the thresholds if transient errors trip them: server backend1 max_fails=5 fail_timeout=30s; note that with a single server in the group max_fails and fail_timeout are ignored and the server is never marked down
Apache 403 Forbidden - directory access denied
AH01630.*client denied by server configuration|403 Forbidden
- Grant access in the Directory block for the DocumentRoot only: <Directory /var/www/html> Require all granted </Directory>; keep the default <Directory /> Require all denied so the rest of the filesystem stays off limits
- In Apache 2.4+, use Require instead of Order/Allow/Deny (2.2 syntax); mixing the two via mod_access_compat is a common source of unexpected denials
Apache request body size limit exceeded
larger than the configured limit|413 Request Entity Too Large
- Increase LimitRequestBody in the Directory or Location block that handles uploads: LimitRequestBody 104857600 (100 MB); since 2.4.53 the default is 1 GB, and 0 means unlimited, which is unwise on a public endpoint
- For PHP uploads, also raise upload_max_filesize and post_max_size in php.ini
- AH00124 ("Request exceeded the limit of 10 internal redirects") is a rewrite loop, not a body-size error; fix the RewriteRule or .htaccess cycle instead
Apache 503 Service Unavailable - backend down
AH01114.*failed to make connection to backend|AH00959.*disabling worker|503 Service (Temporarily )?Unavailable
- Verify the backend application is listening on the ProxyPass target; AH00959 means mod_proxy has marked the worker as down and keeps returning 503 until the retry interval (default 60s) elapses, which you can shorten: ProxyPass /app http://127.0.0.1:8080/ retry=5
- Increase ProxyTimeout for slow backends
Apache SSL certificate hostname mismatch
AH01909.*does NOT include an ID which matches the server name|SSL.*hostname mismatch
- Ensure the certificate's Subject Alternative Names cover the ServerName and every ServerAlias of the VirtualHost; browsers ignore the CN
- AH01909 is a startup warning, not a hard error: Apache serves the certificate anyway and clients see ERR_CERT_COMMON_NAME_INVALID or the equivalent, so treat it as a configuration failure
Nginx worker connections limit reached
worker_connections are not enough|worker_connections exceed open file
- Increase worker_connections in the events block: worker_connections 4096; each proxied request uses two connections (client side and upstream side)
- Raise the file-descriptor limit for the nginx process itself with worker_rlimit_nofile 65536 in nginx.conf or LimitNOFILE= in the systemd unit; ulimit -n in an interactive shell does not affect a service started by systemd
Nginx connection reset by upstream
recv\(\).*failed.*Connection reset by peer
- Enable proxy_next_upstream so the request is retried on another server: proxy_next_upstream error timeout http_502; by default only idempotent requests are retried, and adding non_idempotent can re-execute a POST the backend has already processed
- Investigate backend stability: the backend, or a firewall or load balancer in between with a short idle timeout, is forcibly closing connections; an nginx upstream keepalive longer than the backend's keep-alive timeout is a common cause
Nginx SSL handshake failure with upstream
SSL_do_handshake.*failed|SSL.*handshake.*timed out
- Ensure proxy_ssl_protocols and proxy_ssl_ciphers are compatible with the upstream, and set proxy_ssl_server_name on so the upstream receives SNI (required when it serves several certificates)
- proxy_ssl_verify is off by default, so a handshake failure is rarely a verification problem; do not leave verification off on a hop that crosses a network boundary, because anything that can intercept the connection can then impersonate the backend. Pin your internal CA instead: proxy_ssl_trusted_certificate /etc/nginx/internal-ca.pem; proxy_ssl_verify on; proxy_ssl_name backend.internal;
Nginx upstream response header too large
upstream sent too big header|upstream sent invalid header
- Increase proxy_buffer_size: proxy_buffer_size 16k (handles large headers and cookies); for PHP-FPM the equivalent is fastcgi_buffer_size
- Also increase proxy_buffers: proxy_buffers 4 32k
- "upstream sent invalid header" is a malformed header line from the backend (bad line ending, control or non-ASCII bytes), not a size problem; fix the backend's response
Apache configuration syntax error
AH00526.*Syntax error.*line \d+|apache.*config.*test.*failed
- Run apachectl configtest (apache2ctl -t on Debian/Ubuntu) to see the exact file and line
- Check for missing closing tags (</Directory>, </VirtualHost>) and for directives belonging to modules that are not loaded, which Apache reports as "Invalid command ... perhaps misspelled or defined by a module not included in the server configuration"
Apache reverse proxy permission denied
AH01797.*client denied by server configuration.*proxy|ProxyPass.*permission denied
- Enable mod_proxy and mod_proxy_http: a2enmod proxy proxy_http
- Grant access for the proxied destination, scoped to your backends rather than everything: <Proxy "http://127.0.0.1:8080/*"> Require all granted </Proxy>
- Keep ProxyRequests Off (the default); turning it on makes Apache a forward proxy, and combined with <Proxy *> Require all granted that is an open proxy reachable from the internet
SSL/TLS certificate expired
certificate has expired|SSL_ERROR_EXPIRED_CERT_KEY|CERT_HAS_EXPIRED
- Renew the certificate immediately (certbot renew for Let's Encrypt, or request a new one from your CA) and reload the server; confirm what is actually being served with openssl s_client -connect host:443 -servername host </dev/null 2>/dev/null | openssl x509 -noout -dates
- Run renewal at least daily: certbot renews only when fewer than 30 days remain, so a monthly job can miss the window. 0 */12 * * * certbot renew -q --deploy-hook 'systemctl reload nginx'; distro packages usually install a systemd timer that already does this, so check before adding a cron job
Self-signed certificate rejected
self.signed certificate|DEPTH_ZERO_SELF_SIGNED_CERT|unable to verify the first certificate
- Replace it with a certificate from a trusted CA (Let's Encrypt is free) for anything that clients outside your control connect to
- For internal services, add your internal CA certificate (not each server's certificate) to the client's trust store; never disable verification (curl -k, NODE_TLS_REJECT_UNAUTHORIZED=0, verify=False) as the fix
- "unable to verify the first certificate" (UNABLE_TO_VERIFY_LEAF_SIGNATURE) usually means the server omitted its intermediate certificate rather than that the certificate is self-signed; send the full chain
HSTS forcing HTTPS causing access issues
Strict-Transport-Security.*max-age|HSTS.*redirect|307.*Internal Redirect
- Clear the HSTS entry in the browser: chrome://net-internals/#hsts → Delete domain security policies; this only helps you test, real users stay pinned to HTTPS until max-age expires
- Ensure HTTPS is fully working on every host covered before enabling HSTS; roll out with a short max-age (e.g. 300) and add includeSubDomains and preload only once every subdomain serves valid TLS, because a preloaded entry cannot be removed quickly
Certificate authority not trusted by client
ERR_CERT_AUTHORITY_INVALID|MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
- Include intermediate certificates in the server's certificate chain file; inspect what is sent with openssl s_client -connect host:443 -servername host -showcerts
- Verify the chain order: server cert first, then intermediates; omit the root, since clients must already have it and sending it only adds bytes
- MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY means the leaf certificate itself carries the CA basic constraint, typically a CA certificate installed as the server certificate or a misconfigured internal CA; reissue the leaf
SSL/TLS cipher or protocol version mismatch
ERR_SSL_VERSION_OR_CIPHER_MISMATCH|no shared cipher|handshake failure
- Update the cipher suite to include modern ciphers: ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:...'; ECDHE-ECDSA suites are only usable with an ECDSA certificate, so an ECDSA-only list with an RSA certificate yields "no shared cipher" for every client
- Enable TLS 1.2 and 1.3: ssl_protocols TLSv1.2 TLSv1.3 (disable SSLv3, TLS 1.0 and TLS 1.1); TLS 1.3 cipher suites are not affected by ssl_ciphers
SSL client cannot find issuer certificate locally
UNABLE_TO_GET_ISSUER_CERT_LOCALLY|unable to get local issuer certificate
- Install the CA certificate bundle: apt install ca-certificates && update-ca-certificates
- Point the client at the bundle: NODE_EXTRA_CA_CERTS=/path/to/ca-bundle.crt for Node, SSL_CERT_FILE for OpenSSL-based tools, REQUESTS_CA_BUNDLE for Python requests; these add trust anchors, unlike NODE_TLS_REJECT_UNAUTHORIZED=0, which removes verification entirely
SSL certificate hostname doesn't match
ERR_CERT_COMMON_NAME_INVALID|hostname.*mismatch|does not match certificate
- Get a new certificate with the correct hostname in the Subject Alternative Name (SAN) field; browsers ignore the Common Name (Chrome has since version 58)
- A wildcard cert covers exactly one label and only as the whole leftmost label: *.example.com covers www.example.com but not sub.www.example.com and not the bare example.com
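The matching rules behind the entry above, as an added example (not part of the catalog): a Python reimplementation of browser-style hostname matching, so the one-label wildcard rule and the "SAN wins, CN ignored" rule can be checked without a live TLS connection (Python's own `ssl.match_hostname` was removed in 3.12). It goes slightly beyond the entry by also handling IP-literal hosts, which must match an iPAddress SAN, and a legacy CN fallback switched off by default. The example hostnames and addresses are constructed.

```python
"""Hostname matching as browsers do it: wildcard only as the whole leftmost label covering exactly
one label, SAN preferred over CN. Added example, not from the catalog."""
import ipaddress
from typing import Iterable, Optional, Tuple


def _normalize(name: str) -> str:
    # DNS names are case-insensitive and may carry a trailing dot (absolute name).
    return name.strip().lower().rstrip(".")


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if the dNSName `pattern` from a certificate covers `hostname`.
    Exact match, or "*" as the entire leftmost label standing in for exactly one label:
    "*.example.com" covers "a.example.com" but not "a.b.example.com" or "example.com".
    Partial wildcards ("f*.example.com") are rejected, as the CA/B Forum Baseline Requirements
    only allow "*." as the leftmost label, and so is a wildcard that would cover a whole TLD."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3:            # "*.com" would cover an entire TLD
        return False
    if len(h_labels) != len(p_labels):
        return False                 # the wildcard stands in for exactly one label
    return p_labels[1:] == h_labels[1:]


def cert_covers(hostname: str, san_dns_names: Iterable[str] = (), san_ip_addresses: Iterable[str] = (),
                common_name: Optional[str] = None, cn_fallback: bool = False) -> Tuple[bool, str]:
    """Decide whether a certificate's names cover `hostname`, returning (ok, reason).
    Browsers ignore the CN entirely (Chrome since 58): cn_fallback=False models that.
    RFC 6125 allows a CN fallback only when no dNSName SAN is present: cn_fallback=True models
    such a legacy client. IP literals must match an iPAddress SAN, never a dNSName."""
    host = _normalize(hostname)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        for candidate in san_ip_addresses:
            try:
                if ipaddress.ip_address(candidate) == ip:
                    return True, f"matched iPAddress SAN {candidate}"
            except ValueError:
                continue
        return False, "IP literal requested but no iPAddress SAN matches"
    dns_names = list(san_dns_names)
    if dns_names:
        for name in dns_names:
            if hostname_matches(name, host):
                return True, f"matched dNSName SAN {name}"
        return False, "no dNSName SAN matches; CN is not consulted when SANs are present"
    if cn_fallback and common_name and hostname_matches(common_name, host):
        return True, "matched CN (legacy fallback; browsers no longer do this)"
    return False, "no dNSName SAN present" + ("; CN does not match" if cn_fallback else "; CN ignored")


if __name__ == "__main__":
    # Constructed certificate names: a wildcard plus the bare apex, the usual pair.
    names = ["*.example.com", "example.com"]
    for host in ("api.example.com", "dev.api.example.com", "example.com", "10.0.0.1"):
        print(f"{host:22} {cert_covers(host, san_dns_names=names)}")
```

The `dev.api.example.com` case is the one that surprises people: the wildcard certificate is valid and trusted, yet the connection fails with ERR_CERT_COMMON_NAME_INVALID because the wildcard cannot span two labels.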
OCSP stapling failure
OCSP.*response.*error|OCSP stapling.*failed
- Ensure the server can reach the CA's OCSP responder URL (check firewall, DNS and any egress proxy); in nginx, stapling needs ssl_stapling on; ssl_stapling_verify on; and ssl_trusted_certificate pointing at the chain
- Add a resolver directive so nginx can look up the responder hostname, preferably your own resolver: resolver 10.0.0.2 valid=300s; note that nginx fetches the OCSP response lazily, so the first handshakes after a start or reload are served without a staple and a single warning right after reload is expected
SSL certificate verification failed
SSL routines.*certificate verify failed|CERT_UNTRUSTED
- Check the full certificate chain is present and in the correct order; reproduce offline with openssl verify -CAfile root.pem -untrusted intermediate.pem server.pem
- Ensure the CA root certificate is in the trust store of the verifying system; when the server is the verifier (nginx checking client certificates via ssl_client_certificate, or a backend checking an upstream), the relevant store is the one configured there, not the OS default
SSL protocol error - likely HTTP on HTTPS port
ERR_SSL_PROTOCOL_ERROR|SSL_ERROR_RX_RECORD_TOO_LONG
- Ensure the server is actually configured for TLS on the port: in nginx the listen line must carry the ssl parameter (listen 443 ssl;), otherwise plain HTTP is served on 443 and the client reports SSL_ERROR_RX_RECORD_TOO_LONG
- Check that ssl_certificate and ssl_certificate_key are configured in the server block for port 443; the old ssl on; directive was deprecated in nginx 1.15.0 in favour of the listen parameter
Certificate Transparency requirement not met
net::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED
- Ensure your CA embeds SCTs (Signed Certificate Timestamps) in the certificate; Chrome requires them for certificates issued after 30 April 2018
- CT is enforced only for chains to a publicly trusted root; a certificate from an enterprise CA installed locally is exempt, so this error points at a publicly issued certificate missing its SCTs, which the CA must reissue
HTTP Public Key Pinning validation failure
HPKP.*pin.*validation failed|Public-Key-Pins.*mismatch
- HPKP is deprecated and no current browser enforces it (Chrome removed it in version 72, Firefox in version 72); remove Public-Key-Pins and Public-Key-Pins-Report-Only from the server configuration and rely on Certificate Transparency monitoring instead
- If a legacy client still enforces pins, rotate keys only after shipping a backup pin for a key you hold offline, and make sure the pinned key matches the current or backup certificate; otherwise those clients are locked out until max-age expires
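The patterns in this catalog are regular expressions meant to run over server error logs and client error strings. As an added example (not part of the catalog), the Python below runs a subset of them over constructed log lines written in the real nginx error_log, Apache ErrorLog and curl formats but with fictional hosts and paths. The ordering of the patterns is the point: specific messages must be tried before generic ones such as "502 Bad Gateway", and the directory-index pattern is written to match nginx's actual "directory index of ... is forbidden" wording. Case-insensitive matching is an assumption made here because client-side strings vary in case.

```python
"""Run a subset of this catalog's patterns over constructed nginx, Apache and curl log lines.
Added example, not part of the catalog."""
import re
from typing import Dict, List, Optional, Tuple

# Order matters: specific message patterns first, so a generic one such as "502 Bad Gateway"
# does not swallow lines that carry a more precise cause.
PATTERNS: List[Tuple[str, str]] = [
    ("Nginx upstream connection refused", r"connect\(\) failed.*Connection refused.*upstream"),
    ("Nginx all upstream servers marked down", r"no live upstreams while connecting to upstream"),
    ("Nginx 504 Gateway Timeout", r"504 Gateway Time-?out|upstream timed out.*reading response"),
    ("Nginx upstream response header too large", r"upstream sent too big header"),
    ("Nginx 502 Bad Gateway - upstream unavailable", r"502 Bad Gateway|upstream prematurely closed connection"),
    ("Nginx redirect loop", r"rewrite or internal redirection cycle"),
    ("Nginx permission denied serving static files",
     r"open\(\).*failed.*Permission denied|directory index of .* is forbidden"),
    ("Apache 403 Forbidden - directory access denied", r"AH01630.*client denied by server configuration"),
    ("Apache configuration syntax error", r"AH00526.*Syntax error.*line \d+"),
    ("SSL/TLS certificate expired", r"certificate has expired|CERT_HAS_EXPIRED"),
]
# Assumption: match case-insensitively, since client-side strings vary in case.
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in PATTERNS]


def classify(line: str) -> Optional[str]:
    """Return the first matching pattern name, or None for lines the catalog does not know."""
    for name, rx in COMPILED:
        if rx.search(line):
            return name
    return None


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count matches per pattern; unmatched lines land under 'unclassified' for review."""
    counts: Dict[str, int] = {}
    for line in lines:
        key = classify(line) or "unclassified"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample lines in the real log formats (fictional hosts, addresses and paths).
SAMPLE_LOG = [
    '2024/03/01 10:15:32 [error] 1234#1234: *56 connect() failed (111: Connection refused) while connecting to upstream, client: 203.0.113.5, server: www.example.com, request: "GET /api/ HTTP/1.1", upstream: "http://127.0.0.1:8080/api/", host: "www.example.com"',
    '2024/03/01 10:15:40 [error] 1234#1234: *57 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 203.0.113.5, server: www.example.com, request: "GET /report HTTP/1.1", upstream: "http://127.0.0.1:8080/report", host: "www.example.com"',
    '2024/03/01 10:16:01 [error] 1234#1234: *58 upstream prematurely closed connection while reading response header from upstream, client: 203.0.113.6, server: www.example.com, request: "POST /upload HTTP/1.1", upstream: "http://127.0.0.1:8080/upload", host: "www.example.com"',
    '2024/03/01 10:16:10 [error] 1234#1234: *59 no live upstreams while connecting to upstream, client: 203.0.113.6, server: www.example.com, request: "GET / HTTP/1.1", upstream: "http://app_pool/", host: "www.example.com"',
    '2024/03/01 10:16:20 [error] 1234#1234: *60 rewrite or internal redirection cycle while processing "/index.php", client: 203.0.113.7, server: www.example.com, request: "GET /index.php HTTP/1.1", host: "www.example.com"',
    '2024/03/01 10:16:30 [error] 1234#1234: *61 open() "/srv/site/assets/app.css" failed (13: Permission denied), client: 203.0.113.7, server: www.example.com, request: "GET /assets/app.css HTTP/1.1", host: "www.example.com"',
    '2024/03/01 10:16:35 [error] 1234#1234: *62 directory index of "/srv/site/docs/" is forbidden, client: 203.0.113.7, server: www.example.com, request: "GET /docs/ HTTP/1.1", host: "www.example.com"',
    '2024/03/01 10:18:00 [error] 1234#1234: *63 upstream sent too big header while reading response header from upstream, client: 203.0.113.8, server: www.example.com, request: "GET /login HTTP/1.1", upstream: "http://127.0.0.1:8080/login", host: "www.example.com"',
    '[Fri Mar 01 10:17:00.123456 2024] [authz_core:error] [pid 2345:tid 140012] [client 203.0.113.9:51234] AH01630: client denied by server configuration: /var/www/html/secret/',
    'AH00526: Syntax error on line 12 of /etc/apache2/sites-enabled/000-default.conf:',
    'curl: (60) SSL certificate problem: certificate has expired',
    '203.0.113.5 - - [01/Mar/2024:10:18:05 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(f"{classify(line) or '-':48} {line[:72]}")
    print(summarize(SAMPLE_LOG))
```

The last sample line is an access-log entry and stays unclassified on purpose: these patterns belong on error logs, and anything that lands in the unclassified bucket in production is either a new failure mode worth a pattern of its own or log noise that should be filtered before matching.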