Rewrite Rules from apache
Hi everyone,

I try to convert some rules from Apache htaccess to nginx.

This is my htaccess rule:

    RewriteCond %{DOCUMENT_ROOT}/$3 -f
    RewriteRule ^(.*?)/(.*?)/(.*)$ /$3

I tried these options but it seems not to be working:

    if (-f $document_root/$3){
        set $rule_0 1$rule_0;
    }
    if ($rule_0 = "1"){
        rewrite ^/(.*?)/(.*?)/(.*)$ /$3;
    }

Does anyone have a good idea?

Cheers
Daniel

___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Re: Rewrite Rules from apache
Same issue. All images, CSS files and so on are not loaded :(

> On 07.07.2016 at 19:19, praty...@hostindya.com wrote:
>
> July 7 2016 10:19 PM, "Daniel" wrote:
>> Hi Everyone,
>>
>> i try to convert some rules from apache htaccess to nginx.
>>
>> This is my htaccess Rule:
>>
>> RewriteCond %{DOCUMENT_ROOT}/$3 -f
>> RewriteRule ^(.*?)/(.*?)/(.*)$ /$3
>>
>> I tried these options but it seems not working:
>>
>> if (-f $document_root/$3){
>>     set $rule_0 1$rule_0;
>> }
>> if ($rule_0 = "1"){
>>     rewrite ^/(.*?)/(.*?)/(.*)$ /$3;
>> }
>>
>> Anyone have a good idea?
>>
>> Cheers
>>
>> Daniel
>
> how about
>
> location ^/(.*?)/(.*?)/(.*)/(.*)$ {
>     try_files /$3 $uri =404;
> }
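An added example, not from any poster in this thread: one way to express the htaccess rule above in nginx, using a regex location with a named capture and try_files. The document root /var/www/example/web is a placeholder, and the pattern assumes the two leading path segments are non-empty.

```nginx
server {
    listen 80;
    root /var/www/example/web;   # placeholder document root

    # Positional captures ($1..$9) belong to the most recently executed
    # regex. In "if (-f $document_root/$3)" no regex has run yet, so $3
    # is empty and the test never sees the intended file name.
    #
    # A regex location runs its pattern first, so the capture is set
    # by the time try_files is evaluated. "~" marks the location as a
    # regex; without it the pattern is treated as a literal prefix.
    location ~ ^/[^/]+/[^/]+/(?<rest>.+)$ {
        # 1. <root>/<rest> if it is an existing file: the equivalent of
        #    RewriteCond %{DOCUMENT_ROOT}/$3 -f plus the RewriteRule
        # 2. otherwise the unmodified URI
        # 3. otherwise 404
        try_files /$rest $uri =404;
    }

    location / {
        try_files $uri =404;
    }
}
```

Regex locations are tested in the order they appear in the file, so this block has to come before any broader regex location (for example one matching static file extensions) that would otherwise claim the request.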
alias
Hi there,

I try to set up an alias but it seems not to be working and I don't know why:

server {
    listen 80;
    root /var/www/d1/current/web/;
    server_name localhost;

    location / {
        index app.php;
        add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept";
        add_header Access-Control-Allow-Origin "*";
        if ($request_uri ~* \.(ico|css|js|gif|jpe?g|png|woff)$) {
            expires 0;
            break;
        }
        if (-f $request_filename) {
            break;
        }
        try_files $uri @rewriteapp;
    }

    location @rewriteapp {
        rewrite ^(.*)$ /app.php/$1 last;
    }

    location /en/holidays/shared/images {
        alias /mnt/nfs/uat;
    }

    location ~ ^/proxy\.php(\?|/|$) {
        fastcgi_pass unix:/var/run/php-fpm/php70u-fpm.sock;
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept";
        add_header Access-Control-Allow-Origin "*";
        # Prevents URIs that include the front controller. This will 404:
        # http://domain.tld/app.php/some-path
        # Remove the internal directive to allow URIs like this
        #internal;
    }

    location ~ ^/app\.php(/|$) {
        fastcgi_pass unix:/var/run/php-fpm/php70u-fpm.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept";
        add_header Access-Control-Allow-Origin "*";
        # Prevents URIs that include the front controller. This will 404:
        # http://domain.tld/app.php/some-path
        # Remove the internal directive to allow URIs like this
        internal;
    }

I added exactly that:

    location /en/holidays/shared/images {
        alias /mnt/nfs/uat;
    }

but nginx tries to open the files from the document root :-(

Does anyone have any idea what it could be?

Cheers
Daniel
Alias or root directive
Hi there,

I try to add an images folder but it seems not to work. Could someone tell me what I am doing wrong:

    location ~ ^/en/holidays/shared/images {
        root /mnt/nfs/uat/;
    }

When I replace root with alias it also has no effect :-(

Cheers
Daniel
Re: Alias or root directive
>> i try to add a images folder but seems not work.
>> Could someone tell me what i am doing wrong:
>
> What one example http request do you want to make?

I wanted to load this kind of URL:
domain.de//en/holidays/shared/images/guides/germany/berlin.jpg

> What file on your filesystem do you want nginx to serve in response to
> that request?

On /mnt/nfs/uat/ are the folders like guides/germany/

>> location ~ ^/en/holidays/shared/images {
>>     root /mnt/nfs/uat/;
>> }
>>
>> When i replace root with alias it has also no effect :-(
>
> "alias" in a regex location has special requirements.

I also tried with root instead of alias and I have the same behaviour.

Cheers
Daniel
Re: Alias or root directive
If I understand the documentation correctly, then my entry is correct:

    location /en/holidays/shared/images/ {
        alias /mnt/nfs/uat/;
    }

Anyway, when I try to use root instead of alias it has the same result. It's getting ignored completely in the config.

> On 03.11.2016 at 18:51, Daniel wrote:
>
>>> i try to add a images folder but seems not work.
>>> Could someone tell me what i am doing wrong:
>>
>> What one example http request do you want to make?
>
> I wanted to load such kind of URL:
> domain.de//en/holidays/shared/images/guides/germany/berlin.jpg
>
>> What file on your filesystem do you want nginx to serve in response to
>> that request?
>
> on /mnt/nfs/uat/ are the folders like guides/germany/
>
>>> location ~ ^/en/holidays/shared/images {
>>>     root /mnt/nfs/uat/;
>>> }
>>>
>>> When i replace root with alias it has also no effect :-(
>>
>> "alias" in a regex location has special requirements.
>
> I also tried with root instead of alias and i have the same behave
>
> cheers
>
> Daniel
Re: Alias or root directive
> If you check your error_log, you should see an indication of what file
> nginx tried to serve, if it failed.

Yes, it tries to open the file from the doc_root, and this is totally wrong of course, because this file is placed at /mnt/nfs/uat/guide/germany/berlin.jpg

/var/www/d1/current/web/shared/images/guides/germany/berlin.jpg
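An added example, not from the posters in this thread: how root and alias map the request discussed above to a file, and the form alias takes in a regex location. The paths are the ones quoted in the thread; the rest of the server block is assumed.

```nginx
server {
    listen 80;
    root /var/www/d1/current/web/;

    # Request: /en/holidays/shared/images/guides/germany/berlin.jpg
    #
    # "root" appends the whole URI to the given directory:
    #   root /mnt/nfs/uat;
    #     -> /mnt/nfs/uat/en/holidays/shared/images/guides/germany/berlin.jpg
    #
    # "alias" in a prefix location replaces the matched prefix:
    #   -> /mnt/nfs/uat/guides/germany/berlin.jpg
    #
    # Keep the trailing slash on both the location and the alias. With a
    # mismatch the prefix also matches sibling names such as
    # /en/holidays/shared/images-old, and the mapped path is no longer
    # guaranteed to stay inside the aliased directory.
    #
    # "^~" stops nginx from checking regex locations once this prefix
    # matches, so a later "location ~ \.(jpg|png)$" cannot take over.
    location ^~ /en/holidays/shared/images/ {
        alias /mnt/nfs/uat/;
    }

    # Alternative, use one or the other: in a regex location, alias does
    # no prefix replacement, so the target must be built from captures.
    #
    # location ~ ^/en/holidays/shared/images/(.+)$ {
    #     alias /mnt/nfs/uat/$1;
    # }
}
```

Location matching uses the URI after any server-level rewrite directives have run, so the error_log path is the quickest check of which location and which root actually handled the request.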
Rewrite rules
Hi there,

I try to set up some rules. I have two rules which conflict.

    rewrite ^/(.*?)/(.*?)/(.*)$ /$3;
    #rewrite ^/$ /a/b permanent;

The first rule is needed by our developer; the second rule is for a request.

The goal is to redirect all requests on any domain.com to anydomain.com/a/b

Maybe someone has a hint for me.

Cheers
Daniel
Wildcard docroot?
Hi there,

I wanted to try something like a wildcard DocRoot:

    server {
        listen 80;
        root /var/www/branches/*/current/web/;
        server_name auto.deploy.fcse.int;

The setup looks like this:

    /var/www/branches/develop/current/web/
    /var/www/branches/master/current/web/
    /var/www/branches/feature1/current/web/
    /var/www/branches/feature2/current/web/

I now want to open URLs like this: auto.deploy.fcse.int/master/ or /develop and so on.

The problem is that all „projects“ are Symfony projects, so current/web must always be set :-/

I hope you guys understand what I mean ;)

Cheers
Daniel
Move from apacht to nginx
Hi there,

I am still moving from Apache to nginx. I have a config part in Apache which I don't understand how to convert correctly to nginx.

    RewriteBase /
    Options FollowSymLinks
    AllowOverride All
    DirectoryIndex index.php
    Options +FollowSymLinks -Indexes
    AllowOverride none

I know that this has to be done in locations, but how? ;)

Cheers
Daniel
Apache to nginx
Hi,

I created a vhost configuration for a vhost but I am not able to access /vakanz, for example. I get a 404 error in the access logs.

I already tried with rewrite rules and I also tried with locations; no matter what I do, nothing works.

Does anyone have an idea what I can do?

Cheers
Daniel

server {
    listen 80;
    root /var/www/vhosts/reisen/sbo/current/web;

    rewrite ^/static/(.*) /var/www/vhosts/reisen/fe/static/$1 last;
    rewrite ^/hrouter.js /var/www/vhosts/reisen/fe/index.php last;
    rewrite ^/router.js /var/www/vhosts/reisen/fe/index.php last;
    rewrite ^/(vakanz|vrij|ajax|boek|buchen)$ /var/www/vhosts/reisen/fe/index.php last;
    rewrite ^/(vakanz|vrij|ajax|boek|buchen)/.* /var/www/vhosts/reisen/fe/index.php last;
    rewrite ^/himage/.* /var/www/vhosts/reisen/fe/index.php last;
    rewrite ^/image/.* /var/www/vhosts/reisen/fe/index.php last;
    rewrite ^/images/.* /var/www/vhosts/reisen/fe/index.php last;
    rewrite ^/nur-flug$ /flight/destination permanent;

    set $my_https "off";
    if ($http_x_forwarded_proto = "https") {
        set $my_https "on";
    }

    server_name preprod.reisen.de;

    location / {
        index app.php;
        add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept";
        add_header Access-Control-Allow-Origin "*";
        if (-f $request_filename) {
            break;
        }
        try_files $uri @rewriteapp;
    }

    location @rewriteapp {
        if ( $request_filename !~ opcache\.php ){
            rewrite ^(.*)$ /app.php/$1 last;
        }
    }

    #rewrite ^/(vakanz|vrij|ajax|boek|buchen)$ /var/www/vhosts/reisen/fe/index.php last;
    #rewrite ^/(vakanz|vrij|ajax|boek|buchen)/.* /var/www/vhosts/reisen/fe/index.php last;
    # location /vakanz {
    #alias /var/www/vhosts/reisen/fe/;
    # }

    location ~* .js$ {
        add_header Service-Worker-Allowed "/";
    }

    location ~ ^/app\.php/_apilogger(/|$) {
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
        fastcgi_param HTTPS $my_https;
        fastcgi_param SYMFONY__CMS__ENABLED false;
        fastcgi_param CMS_ENABLED false;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept";
        add_header Access-Control-Allow-Origin "*";
        # Prevents URIs that include the front controller. This will 404:
        # http://domain.tld/app.php/some-path
        # Remove the internal directive to allow URIs like this
        internal;
    }

    location ~ ^/proxy\.php(\?|/|$) {
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
        fastcgi_param HTTPS $my_https;
        fastcgi_param SYMFONY__CMS__ENABLED false;
        fastcgi_param CMS_ENABLED false;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept";
        add_header Access-Control-Allow-Origin "*";
        # Prevents URIs that include the front controller. This will 404:
        # http://domain.tld/app.php/some-path
        # Remove the internal directive to allow URIs like this
        #internal;
    }

    location ~ ^/app\.php(/|$) {
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
        fastcgi_param HTTPS $my_https;
        fastcgi_param SYMFONY__CMS__ENABLED false;
        fastcgi_param CMS_ENABLED false;
        fastcgi_buffer_size 128k;
        fastcgi_buffe
why hardcoded /var/log/nginx/error.log in pre-built packages?
Hello all,

can someone please explain to me why the location /var/log/nginx/error.log is hardcoded in the official prebuilt packages? Or why nginx -t checks if this file exists even if there is another location defined in the config file?

Thank you.

Daniel
Re: Deploying django, channels and websockets with nginx and daphne
At a quick glance -- your proxy_pass statement is pointed at the nginx listener instead of at the upstream.

Change this:

    proxy_pass http://0.0.0.0:8090;

To this:

    proxy_pass django;

Hope that helps,
=D

On 2/26/20, Larry Martell wrote:
> I've posted this to the django mailing list and to stack overflow,
> with no replies so trying here.
>
> I am trying to deploy a django app that uses channels and websockets,
> with nginx and daphne.
>
> When I was using uwsgi, here was my nginx file:
>
> upstream django {
>     server unix:/run/uwsgi/devAppReporting.sock;
> }
>
> server {
>     listen 8090;
>     server_name foo.bar.com;
>     charset utf-8;
>
>     location /static {
>         alias /var/dev-app-reporting/static;
>     }
>
>     location / {
>         uwsgi_pass django;
>         include /var/dev-app-reporting/uwsgi_params;
>         uwsgi_read_timeout 3600;
>         client_max_body_size 50m;
>     }
> }
>
> Now I changed it to this:
>
> upstream django {
>     server unix:/run/daphne/devAppReporting.sock;
> }
>
> server {
>     listen 8090;
>     server_name foo.bar.com;
>     charset utf-8;
>
>     location /static {
>         alias /var/dev-app-reporting/static;
>     }
>
>     location / {
>         proxy_pass http://0.0.0.0:8090;
>         proxy_http_version 1.1;
>         proxy_set_header Upgrade $http_upgrade;
>         proxy_set_header Connection "upgrade";
>         proxy_redirect off;
>         proxy_set_header Host $host;
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header X-Forwarded-Host $server_name;
>     }
> }
>
> Started daphne like this:
>
> daphne -u /run/daphne/devAppReporting.sock app.dse.asgi:application
>
> I get a 502 bad gateway error and this in the log:
>
> 2020/02/24 22:17:26 [alert] 29169#29169: 768 worker_connections are not
> enough
> 2020/02/24 22:17:26 [error] 29169#29169: *131545 recv() failed (104:
> Connection reset by peer) while reading response header from upstream,
> client: 127.0.0.1, server:
> dse-portfolio-dev-assessments.md.virtualclarity.com, request: "GET /
> HTTP/1.1", upstream: "http://0.0.0.0:8090/", host: "xx.xx.xx.xx"
>
> Any ideas on what I should have in my config file for this to work?
Re: SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: ANY PRIVATE KEY error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)
The key is the key you used when you generated the CSR. The key remains on your machine at all times not sent to godaddy.

On 28/04/2020 13:46, Aran wrote:

Hi,

[emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/domain.key") failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: ANY PRIVATE KEY error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)

We bought ssl certificates from godaddy and tried to install their guidance... and i get this error. Is it a private key error. In that case private key error. Can we ask for a new key or is there a way i can get the key with in their zip folder of ssl certificates?

Thanks in advance!

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,287867,287867#msg-287867
Trying to config for proxying to site down page
I'm trying to get nginx to forward to my S3 bucket when my web app k8 pod is down.

So I was hoping the below config would, in the case of 50x error or no response, forward request to bucket, then if the document doesn't exist (very likely for first 50x request) - it would then return sitedown.html - this would then request some css files which would fail with same 50x then try on S3 and success.

However it just returns 404 when my application pod is down (if I remove proxy_intercept_errors on; error_page 403 404 =200 I get the S3 404 message as expected).

I want to avoid hosting the website down error page on the nginx server.

Below is my config (everything else config wise is as in the FROM nginxinc/nginx-unprivileged:1.21 docker image)

server {
    listen 8080 default_server;
    server_name _;
    port_in_redirect off;
    client_max_body_size 51M;
    server_tokens off;

    error_page 501 502 503 504 = @holding_page_proxy;

    location @holding_page_proxy {
        proxy_pass https://tca-holding-pages-permits-dev.s3.eu-west-2.amazonaws.com;
        proxy_intercept_errors on;
        error_page 403 404 =200 https://mybucket.s3.eu-west-2.amazonaws.com/sitedown.html;
    }

    location / {
        proxy_read_timeout 180s;
        proxy_set_header X-Real-IP $http_x_real_ip;
        proxy_set_header X-Forwarded-Host "";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_next_upstream error timeout invalid_header http_502 http_503 http_504 http_404;
        proxy_http_version 1.1;
        proxy_pass http://application:8080/;
    }

    # Deny access to the Spring Boot actuator.
    location /actuator {
        deny all;
    }

    # probe for kubernetes checks
    location = /probe.html {
        root /usr/share/nginx/html;
    }
}

___
nginx mailing list -- nginx@nginx.org
To unsubscribe send an email to nginx-le...@nginx.org
Understanding caching
Hi there,

I need to understand the caching options better. So, I have several questions ;)

I added some cache rules like these:

    location /js {
        add_header Cache-Control public;
        add_header Cache-Control must-revalidate;
        expires 7d;
    }

    location /css {
        add_header Cache-Control public;
        add_header Cache-Control must-revalidate;
        expires 7d;
    }

    location /img {
        add_header Cache-Control public;
        add_header Cache-Control must-revalidate;
        expires 7d;
    }

    location /bundles {
        add_header Cache-Control public;
        add_header Cache-Control must-revalidate;
        expires 7d;
    }

    location /alloyeditor {
        add_header Cache-Control public;
        add_header Cache-Control must-revalidate;
        expires 7d;
    }

Now when I browse around, Chrome says „From cache“; that works fine for me, but when I reload the website it seems that only *.JPGs are coming from the cache.

Is that a browser issue or an nginx issue? I need to know where I have to search ;)

After closing the browser and starting again, it doesn't come from cache - but as I understand it, I say it will expire in 7 days - so why is it not coming from the local cache?

Cheers
Daniel
Re: Nginx not spawning both ipv4 and ipv6 workers
Hi Charles,

IPv6 listeners can also accept IPv4 requests. This will result in IPs being passed through to logs and such like :::192.168.123.101. If you do not want this and do want both, add ipv6only=on to the IPv6 listen line.

Daniël

On Jul 26, 2016 02:25, "Charles Lawrence" wrote:
> I'm in the process of setting up a new server built on ubuntu 16.04
> using nginx 1.10.0.
>
> The specific issue is that while my new configuration essentially
> matches my old nginx configuration from an ubuntu 13.10 server using
> nginx 1.4.4, nginx 1.10.0 is only creating either ipv4 or ipv6
> workers, but not both. This behavior is not present on the old server.
> Not sure what else to try at this point.
>
> I've verified that my nginx installation was built with ipv6.
>
> > nginx version: nginx/1.10.0 (Ubuntu)
> > built with OpenSSL 1.0.2g-fips 1 Mar 2016
> > TLS SNI support enabled
> > configure arguments: --with-cc-opt='-g -O2 -fPIE
> > -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time
> > -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie
> > -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx
> > --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log
> > --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock
> > --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body
> > --http-fastcgi-temp-path=/var/lib/nginx/fastcgi
> > --http-proxy-temp-path=/var/lib/nginx/proxy
> > --http-scgi-temp-path=/var/lib/nginx/scgi
> > --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit
> > --with-ipv6 --with-http_ssl_module --with-http_stub_status_module
> > --with-http_realip_module --with-http_auth_request_module
> > --with-http_addition_module --with-http_dav_module --with-http_geoip_module
> > --with-http_gunzip_module --with-http_gzip_static_module
> > --with-http_image_filter_module --with-http_v2_module
> > --with-http_sub_module --with-http_xslt_module --with-stream
> > --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-threads
>
> Below are my current configurations for the new server:
>
> > # /etc/nginx/nginx.conf
> > user www-data;
> > worker_rlimit_nofile 3;
> > worker_processes 8;
> > pid /run/nginx.pid;
> >
> > events {
> >     worker_connections 50;
> > }
> >
> > http {
> >     sendfile on;
> >     tcp_nopush on;
> >     tcp_nodelay on;
> >     keepalive_timeout 65;
> >     types_hash_max_size 2048;
> >
> >     include /etc/nginx/mime.types;
> >     default_type application/octet-stream;
> >
> >     ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
> >     ssl_prefer_server_ciphers on;
> >
> >     access_log /var/log/nginx/access.log;
> >     error_log /var/log/nginx/error.log;
> >
> >     gzip on;
> >     gzip_disable "msie6";
> >     gzip_vary on;
> >     gzip_proxied any;
> >     gzip_comp_level 6;
> >     gzip_buffers 16 8k;
> >     gzip_http_version 1.1;
> >     gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
> >
> >     include /etc/nginx/conf.d/*.conf;
> >     include /etc/nginx/sites-enabled/*;
> > }
>
> Lastly, the weird thing is whether the workers get bound to ipv4 or
> ipv6 entirely depends on the order in which the listen directives are
> placed. In the following data, I've switched the order and tried
> different configurations multiple times. After each change to
> /etc/nginx/sites-enabled/blog I did sudo service nginx stop; sudo
> service nginx start; sudo lsof -i; to get the data.
>
> Also note that I changed the workers count to 8 after performing these
> steps. However while the number of workers increased, the same
> behavior was seen where all workers were either ipv4 or ipv6.
>
> > listen [::]:80;
> > listen 80;
> > nginx 27675 root 6u IPv4 204423 0t0 TCP *:http (LISTEN)
> > nginx 27676 www-data 6u IPv4 204423 0t0 TCP *:http (LISTEN)
> >
> > listen 80;
> > listen [::]:80;
> > nginx 27747 root 6u IPv6 205134 0t0 TCP *:http (LISTEN)
> > nginx 27748 www-data 6u IPv6 205134 0t0 TCP *:http (LISTEN)
> >
> > listen 80;
> > listen [::]:80 default ipv6only=on;
> > nginx 27819 root 6u IPv6 205849 0t0 TCP *:http (LISTEN)
> > nginx 27820 www-data 6u IPv6 205849 0t0 TCP *:http (LISTEN)
> >
> > listen 80;
> > listen [::]:80 default ipv6only=off;
> > nginx 27885 root 6u IPv6 206495 0t0 TCP *:http (LISTEN)
> > nginx 27886 www-data 6u IPv6 206495 0t0 TCP *:http (LISTEN)
> >
> > listen 80;
> > listen [::]:80 default;
> > nginx 27953 root 6u IPv6 207184 0t0 TCP *:http (LISTEN)
> > nginx 27954 www-data 6u IPv6 207184 0t0 TCP *:http (LISTEN)
invalid url - my config or invalid request?
My site is generally doing exactly what I want. Periodically I'll see some errors in the log. I'm trying to determine if these indicate problems in my config, or potential attacks, or simply a broken client.

The last few lines in my log:

2016/10/05 14:38:37 [error] 17912#0: *17824 invalid url, client: 195.154.181.113, server: amfes.com, request: "HEAD /robots.txt HTTP/1.0"
2016/10/05 19:47:27 [error] 17912#0: *18315 invalid url, client: 169.56.71.56, server: amfes.com, request: "GET / HTTP/1.0"
2016/10/08 13:46:21 [error] 17910#0: *27413 invalid url, client: 212.83.162.138, server: amfes.com, request: "HEAD /robots.txt HTTP/1.0"
2016/10/09 18:05:30 [error] 17912#0: *32588 invalid url, client: 211.1.156.90, server: amfes.com, request: "HEAD / HTTP/1.0"

Clients I control have no problem reaching the root or the robots.txt file - so what is this telling me?

--
Daniel
Bug? Chown of all default *_temp_path directories at startup?
Hi all

I'm using nginx-full 1.10.2-1~dotdeb+8.1 from dotdeb.org on Debian.

nginx -V
nginx version: nginx/1.10.2
built with OpenSSL 1.0.1t 3 May 2016
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-file-aio --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_secure_link_module --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/usr/src/builddir/debian/modules/nginx-auth-pam --add-module=/usr/src/builddir/debian/modules/nginx-dav-ext-module --add-module=/usr/src/builddir/debian/modules/nginx-echo --add-module=/usr/src/builddir/debian/modules/nginx-upstream-fair --add-module=/usr/src/builddir/debian/modules/ngx_http_substitutions_filter_module --add-module=/usr/src/builddir/debian/modules/nginx-cache-purge --add-module=/usr/src/builddir/debian/modules/ngx_http_pinba_module --add-module=/usr/src/builddir/debian/modules/nginx-x-rid-header --with-ld-opt=-lossp-uuid

I have several nginx instances on one server; they all run as different users. There is one main nginx instance which runs as the user www-data.

*_temp_path is set to a different location for all nginx instances excluding the main instance. The main www-data instance is still using /var/lib/nginx.

Configuration example for custom temp dirs:

    fastcgi_temp_path /var/www/vhosts/XYZ/tmp/nginx/fcgi;
    scgi_temp_path /var/www/vhosts/XYZ/tmp/nginx/scgi;
    uwsgi_temp_path /var/www/vhosts/XYZ/tmp/nginx/wsgi;
    client_body_temp_path /var/www/vhosts/XYZ/tmp/nginx/body;
    proxy_temp_path /var/www/vhosts/XYZ/tmp/nginx/proxy;

Now, let's restart the main nginx. You can see that all files/directories in /var/lib/nginx are owned by www-data:www-data:

root@-web-03:/var/log/nginx# systemctl restart nginx.service
root@-web-03:/var/log/nginx# ls -la /var/lib/nginx
total 28
drwxr-xr-x 7 www-data www-data 4096 Oct 25 15:45 .
drwxr-xr-x 43 root root 4096 Oct 6 15:15 ..
drwx-- 2 www-data www-data 4096 Oct 25 15:03 body
drwx-- 2 www-data www-data 4096 Oct 6 14:43 fastcgi
drwx-- 9 www-data www-data 4096 Oct 25 10:18 proxy
drwx-- 2 www-data www-data 4096 Oct 6 14:43 scgi
drwx-- 2 www-data www-data 4096 Oct 6 14:43 uwsgi

After restarting nginx-XYZ.service, all files/directories are owned by XYZ:

root@-web-03:/var/log/nginx# systemctl restart nginx-XYZ.service
root@-web-03:/var/log/nginx# ls -la /var/lib/nginx
total 28
drwxr-xr-x 7 www-data www-data 4096 Oct 25 15:45 .
drwxr-xr-x 43 root root 4096 Oct 6 15:15 ..
drwx-- 2 XYZ www-data 4096 Oct 25 15:03 body
drwx-- 2 XYZ www-data 4096 Oct 6 14:43 fastcgi
drwx-- 9 XYZ www-data 4096 Oct 25 10:18 proxy
drwx-- 2 XYZ www-data 4096 Oct 6 14:43 scgi
drwx-- 2 XYZ www-data 4096 Oct 6 14:43 uwsgi
root@-web-03:/var/log/nginx#

I can't find the string /var/lib/nginx in any nginx configuration file on the system:

root@-web-03:/var/log/nginx# grep -r "/var/lib/nginx" /etc/nginx-XYZ/
root@-web-03:/var/log/nginx# grep -r "/var/lib/nginx" /etc/nginx/
root@-web-03:/var/log/nginx#

I can set all *_temp_path directories of the www-data nginx to another directory; this is my current workaround for this issue. But I believe that nginx shouldn't touch /var/lib/nginx/* if this directory isn't in the configuration file.

Any idea? Should I open a bug?

Best Regards
Daniel
Re: Bug? Chown of all default *_temp_path directories at startup?
On Tue, 25 Oct 2016 18:10:09 +0300 Maxim Dounin wrote:

Hi Maxim

> Make sure to define temp paths in all servers, or, better yet, at
> http{} level. If you don't redefine them in some context, nginx
> will use the default paths compiled in, resulting in the behaviour
> you've observed.

Many thanks for your answer. I had the setting at the server level; I've moved it to the http level, and it works now.

Best Regards
Daniel
Proxying based on protocol (e.g. "ws"/"wss")?
I'm an nginx newbie, and need to use it as a front end for a website that also handles websocket connections. I have the configuration set up so that requests to a specific URI match a location section, which then proxies the request to the websocket back end server, and it all works. (Very cool.)

However, I was wondering if, rather than detecting requests to a specific location, I could proxy all "ws://" or "wss://" requests, independent of the URI being requested.

Is there a way to proxy all requests with a given protocol?

Thanks,
Dan

--
Daniel T. Griscom gris...@suitable.com
Suitable Systems http://www.suitable.com/
1 Centre Street, Suite 204 (781) 665-0053
Wakefield, MA 01880-2400
nginx-1.4 proxy requests being continious
A request for /img/file_doesnt_exist.jpg results in the backend server (192.168.129.90) getting continuous requests for the same file (which doesn't exist there either so 404 each time), while the original requester waits and nginx keeps asking the backend the same.

I'm using the nginx-1.4.1 from the debian squeeze repository.

Is there a better way to do this config? The aim is for all web servers to have the same config, so resources that aren't synced yet still get served a response if they exist somewhere, but without the requests ending up in a circular loop.

My current, hopefully not too cut down, config is:

upstream imgweb_other {
    server 192.168.129.90;
    server 173.230.136.6 backup;
}

server {
    proxy_read_timeout 15;
    proxy_connect_timeout 3;
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504 http_404;

    location ~ ^/img/(.*) {
        expires 2592000;
        add_header Cache-Control public;
        alias /var/www/live_site_resources/$1;
        error_page 404 = @imgweb_other;
    }

    location @imgweb_other {
        # we only want to fallback once so use user_agent as a flag
        if ( $http_user_agent = IMGWEB ) {
            return 404;
        }
        proxy_pass http://imgweb_other;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header User-Agent IMGWEB;
    }
}
Re: Proxying based on protocol (e.g. "ws"/"wss")?
... bump?

(thanks,
Dan)

At 9:32 AM -0400 5/8/13, Daniel Griscom wrote:

I'm an nginx newbie, and need use use it as a front end for a website that also handles websocket connections. I have the configuration set up so that requests to a specific URI match a location section, which then proxies the request to the websocket back end server, and it all works. (Very cool.)

However, I was wondering if, rather than detecting requests to a specific location, I could proxy all "ws://" or "wss:// requests, independent of the URI being requested.

Is there a way to proxy all requests with a given protocol?

Thanks,
Dan

--
Daniel T. Griscom gris...@suitable.com
Suitable Systems http://www.suitable.com/
1 Centre Street, Suite 204 (781) 665-0053
Wakefield, MA 01880-2400
Re: Proxying based on protocol (e.g. "ws"/"wss")?
That's great information, but now I need to figure out how to selectively proxy to my websocket backend when $http_upgrade is "websocket". I see the following choices:

1) Have nginx listen at port 80, and proxy all traffic to port if $http_upgrade is "websocket", or port if not. Then set up nginx to handle http traffic at port , and have my websocket backend handle websocket traffic at port .

2) Investigate the much-maligned "if" statement.

... any other choices? Thoughts?

Thanks,
Dan

At 1:26 PM +0400 5/10/13, Maxim Dounin wrote:
> Hello!
>
> On Fri, May 10, 2013 at 09:14:04AM +1200, Steve Holdoway wrote:
>
> > The scheme is available as... $scheme
>
> Yes, but WebSocket protocol uses http for handshake. So the scheme will be either "http" or "https". WebSocket requests can be identified based on Upgrade header, i.e. $http_upgrade variable.
>
> > On Thu, 2013-05-09 at 14:45 -0400, Daniel Griscom wrote:
> > > ... bump?
> > >
> > > (thanks,
> > > Dan)
> > >
> > > At 9:32 AM -0400 5/8/13, Daniel Griscom wrote:
> > > > I'm an nginx newbie, and need to use it as a front end for a website that also handles websocket connections. I have the configuration set up so that requests to a specific URI match a location section, which then proxies the request to the websocket back end server, and it all works. (Very cool.)
> > > >
> > > > However, I was wondering if, rather than detecting requests to a specific location, I could proxy all "ws://" or "wss://" requests, independent of the URI being requested.
> > > >
> > > > Is there a way to proxy all requests with a given protocol?
> > > >
> > > > Thanks,
> > > > Dan
> > > >
> > > > --
> > > > Daniel T. Griscom gris...@suitable.com
> > > > Suitable Systems http://www.suitable.com/
> > > > 1 Centre Street, Suite 204 (781) 665-0053
> > > > Wakefield, MA 01880-2400
> >
> > --
> > Steve Holdoway BSc(Hons) MNZCS
> > http://www.greengecko.co.nz
> > MSN: st...@greengecko.co.nz
> > Skype: sholdowa
>
> --
> Maxim Dounin
> http://nginx.org/en/donation.html

--
Daniel T. Griscom gris...@suitable.com
Suitable Systems http://www.suitable.com/
1 Centre Street, Suite 204 (781) 665-0053
Wakefield, MA 01880-2400
Re: nginx-1.4 proxy requests being continuous
Just to prove I'm not making it up (even though I'm having a hard time replicating it). log_format extended '$remote_addr - $remote_user [$time_local] ' '"$request" $status $request_time $body_bytes_sent ' '$upstream_cache_status $upstream_addr $upstream_status $upstream_response_time' '"$http_referer" "$http_user_agent"'; length of log line 3412217 characters (is that a record?) 58.169.18.35 - - [08/May/2013:19:58:13 -0400] "GET //img/covers/medium/587/9781844454581.jpg HTTP/1.1" 499 100.820 0 - 192.168. 129.90:80, 192.168.129.90:80, 192.168.129.90:80, 192.168.129.90:80, 192.168.129.90:80, 192.168.129.90:80, 192.168.129.90:80, 192.168.129.90:80, 192.168.129.90:80, 192.168.129.90:80, 192.168.129.90:80, 192.168.129.90:80, 192.168.129.90:80, 192.168.129.90:80, 192.168.129.90:80, 192.168.129.90:80, 192.168.129.90:80, 192.168.129.90:80, 192.168.129.90:80, 192.168.129.90:80, 192.168.129.90:80, 192.168.129.90:80, 192.168.129.90:80, 192.168.129.90:80, 192.168.129.90:80 (many many pages)... 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404, 404..., - 0.014, 0.001, 0.000, 0.001, 0.001, 0.000, 0.001, 0.001, 0.000, 0.001, 0.001, 0.001, 0.001, 0.001, 0.001.. 
, - "-" "Wget/1.13.4 (linux-gnu)" 192.168.131.254 - - [08/May/2013:19:58:13 -0400] "GET //img/covers/medium/587/9781844454581.jpg HTTP/1.0" 404 0.000 169 "-" "IMGWEB" 192.168.131.254 - - [08/May/2013:19:58:13 -0400] "GET //img/covers/medium/587/9781844454581.jpg HTTP/1.0" 404 0.000 169 "-" "IMGWEB" 192.168.131.254 - - [08/May/2013:19:58:13 -0400] "GET //img/covers/medium/587/9781844454581.jpg HTTP/1.0" 404 0.000 169 "-" "IMGWEB" 192.168.131.254 - - [08/May/2013:19:58:13 -0400] "GET //img/covers/medium/587/9781844454581.jpg HTTP/1.0" 404 0.000 169 "-" "IMGWEB" 192.168.131.254 - - [08/May/2013:19:58:13 -0400] "GET //img/covers/medium/587/9781844454581.jpg HTTP/1.0" 404 0.000 169 "-" "IMGWEB" 192.168.131.254 - - [08/May/2013:19:58:13 -0400] "GET //img/covers/medium/587/9781844454581.jpg HTTP/1.0" 404 0.000 169 "-" "IMGWEB" 192.168.131.254 - - [08/May/2013:19:58:13 -0400] "GET //img/covers/medium/587/9781844454581.jpg HTTP/1.0" 404 0.000 169 "-" "IMGWEB" 192.168.131.254 - - [08/May/2013:19:58:13 -0400] "GET //img/covers/medium/587/9781844454581.jpg HTTP/1.0" 404 0.000 169 "-" "IMGWEB" 192.168.131.254 - - [08/May/2013:19:58:13 -0400] "GET //img/covers/medium/587/9781844454581.jpg HTTP/1.0" 404 0.000 169 "-" "IMGWEB" 192.168.131.254 - - [08/May/2013:19:58:13 -0400] "GET //img/covers/medium/587/9781844454581.jpg HTTP/1.0" 404 0.000 169 "-" "IMGWEB" 192.168.131.254 - - [08/May/2013:19:58:13 -0400] "GET //img/covers/medium/587/9781844454581.jpg HTTP/1.0" 404 0.000 169 "-" "IMGWEB" 192.168.131.254 - - [08/May/2013:19:58:13 -0400] "GET //img/covers/medium/587/9781844454581.jpg HTTP/1.0" 404 0.000 169 "-" "IMGWEB - Original Message - > A request for /img/file_doesnt_exist.jpg results in the backend server > (192.168.129.90) getting continuous requests for the same file (which > doesn't exist there either so 404 each time), while the original > requester waits and nginx keeps asking the backend the same. > > I'm using the nginx-1.4.1 from the debian squeeze repository. 
> > Is there a better way do to this config? The aim for for all web > servers to have the same config so a resource that aren't synced yet > still get served a response if it exists somewhere but without the > requests ending up in a circular loop. > > My current, hopefully not too cut down, config is: > > upstream imgweb_other { > server 192.168.129.90; > server 173.230.136.6 backup; > } > > server { > > proxy_read_timeout 15; > proxy_connect_timeout 3; > proxy_next_upstream error timeout invalid_header http_500 http_502 > http_503 http_504 http_404; > > location ~ ^/img/(.*) > { > expires 2592000; > add_header Cache-Control public; > alias /var/www/live_site_resources/$1; > error_page 404 = @imgweb_other; > } > > location @imgweb_other { > # we only want to fallback once so use user_agent as a flag > if ( $http_user_agent = IMGWEB ) { > return 404; > } > proxy_
Re: Proxying based on protocol (e.g. "ws"/"wss")?
Thanks. I've been coming to that conclusion myself.

Take care,
Dan

At 7:00 PM +0400 5/11/13, Maxim Dounin wrote:
> Hello!
>
> On Fri, May 10, 2013 at 02:35:35PM -0400, Daniel Griscom wrote:
>
>> That's great information, but now I need to figure out how to selectively proxy to my websocket backend when $http_upgrade is "websocket". I see the following choices:
>>
>> 1) Have nginx listen at port 80, and proxy all traffic to port if $http_upgrade is "websocket", or port if not. Then set up nginx to handle http traffic at port , and have my websocket backend handle websocket traffic at port .
>>
>> 2) Investigate the much-maligned "if" statement.
>>
>> ... any other choices? Thoughts?
>
> I would recommend using URI-based distinction instead (and location{} blocks as a result). This would be most natural solution from nginx point of view.
>
>> Thanks,
>> Dan
>>
>> At 1:26 PM +0400 5/10/13, Maxim Dounin wrote:
>>> Hello!
>>>
>>> On Fri, May 10, 2013 at 09:14:04AM +1200, Steve Holdoway wrote:
>>>
>>>> The scheme is available as... $scheme
>>>
>>> Yes, but WebSocket protocol uses http for handshake. So the scheme will be either "http" or "https". WebSocket requests can be identified based on Upgrade header, i.e. $http_upgrade variable.
>>>
>>>> On Thu, 2013-05-09 at 14:45 -0400, Daniel Griscom wrote:
>>>>> ... bump?
>>>>>
>>>>> (thanks,
>>>>> Dan)
>>>>>
>>>>> At 9:32 AM -0400 5/8/13, Daniel Griscom wrote:
>>>>>> I'm an nginx newbie, and need to use it as a front end for a website that also handles websocket connections. I have the configuration set up so that requests to a specific URI match a location section, which then proxies the request to the websocket back end server, and it all works. (Very cool.)
>>>>>>
>>>>>> However, I was wondering if, rather than detecting requests to a specific location, I could proxy all "ws://" or "wss://" requests, independent of the URI being requested.
>>>>>>
>>>>>> Is there a way to proxy all requests with a given protocol?
>>>>>>
>>>>>> Thanks,
>>>>>> Dan
>>>>>>
>>>>>> --
>>>>>> Daniel T. Griscom gris...@suitable.com
>>>>>> Suitable Systems http://www.suitable.com/
>>>>>> 1 Centre Street, Suite 204 (781) 665-0053
>>>>>> Wakefield, MA 01880-2400
>>>>
>>>> --
>>>> Steve Holdoway BSc(Hons) MNZCS
>>>> http://www.greengecko.co.nz
>>>> MSN: st...@greengecko.co.nz
>>>> Skype: sholdowa
>>>
>>> --
>>> Maxim Dounin
>>> http://nginx.org/en/donation.html
>>
>> --
>> Daniel T. Griscom gris...@suitable.com
>> Suitable Systems http://www.suitable.com/
>> 1 Centre Street, Suite 204 (781) 665-0053
>> Wakefield, MA 01880-2400
>
> --
> Maxim Dounin
> http://nginx.org/en/donation.html

--
Daniel T. Griscom gris...@suitable.com
Suitable Systems http://www.suitable.com/
1 Centre Street, Suite 204 (781) 665-0053
Wakefield, MA 01880-2400
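The two options weighed in this thread, side by side, as an added example that is not part of the original messages. Upstream names, ports, host names and the /ws/ prefix are assumptions; WebSocket proxying needs nginx 1.3.13 or later.

```nginx
# Added example; goes in the http{} context.
# All names, ports and paths below are assumptions for illustration.

# Forward "Connection: upgrade" only when the client asked for an upgrade.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Header-based choice of upstream: the "proxy by protocol" idea.
# The Upgrade value is matched case-insensitively.
map $http_upgrade $selected_backend {
    default         app_backend;
    ~*^websocket$   ws_backend;
}

upstream app_backend { server 127.0.0.1:8080; }   # hypothetical HTTP application
upstream ws_backend  { server 127.0.0.1:9000; }   # hypothetical WebSocket server

# Variant A: URI-scoped, the approach recommended in the thread.
# Only /ws/ can reach the WebSocket backend, whatever headers a client sends.
server {
    listen 80;
    server_name a.example.test;

    location /ws/ {
        proxy_pass http://ws_backend;
        proxy_http_version 1.1;                         # required for Upgrade
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_read_timeout 300s;                        # idle sockets close after this
    }

    location / {
        proxy_pass http://app_backend;
        proxy_set_header Host $host;
    }
}

# Variant B: header-scoped, no "if" needed.
# Upgrade is a client-supplied header, so every URI on this host becomes a
# route to ws_backend; the backend must validate path and origin itself.
server {
    listen 80;
    server_name b.example.test;

    location / {
        proxy_pass http://$selected_backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
    }
}
```

Variant A keeps the WebSocket backend's exposure limited to one prefix, which is why it is the easier one to reason about when writing access rules or rate limits.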
Re: nginx-1.4 proxy requests being continuous
Hi!

> > > proxy_next_upstream error timeout invalid_header http_500 http_502
> > > http_503 http_504 http_404;
>
> What you describe looks very familiar - there was such a bug which
> manifested itself with backup servers and proxy_next_upstream
> http_404. It was fixed in 1.3.0/1.2.1 though:
>
> *) Bugfix: nginx might loop infinitely over backends if the
> "proxy_next_upstream" directive with the "http_404" parameter was
> used and there were backup servers specified in an upstream block.
>
> Are you sure you are using 1.4.1 on your frontend (note: it's
> usually not enough to check version of nginx binary on disk, as
> running nginx binary may be different)? Could you please provide
> frontend's debug log?

Quite right. I did update to 1.4.1 just afterwards.

2013-05-08 20:16:29 upgrade nginx 0.7.67-3+squeeze3 1.4.1-1~squeeze

I definitely restarted the nginx-1.4.1 with no remnants of 0.7.67 around and haven't had the troubles when I re-tested.

Thanks for the fix Maxim and digging up this changelog entry. Looking forward to putting it into production in the next few hours. Any troubles and I will grab a debug log for you.

--
Daniel Black
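A variant of the fallback config from this thread with the retry count bounded and the "already forwarded" flag trusted only from a known peer, as an added example that is not the poster's config. The X-Imgweb-Hop header name and the choice of 192.168.131.254 as the only trusted peer (the address the IMGWEB requests arrive from in the posted log) are assumptions; proxy_next_upstream_tries needs nginx 1.7.5 or later.

```nginx
# Added example; goes in the http{} context.

# 1 only for peers allowed to assert "this request was already forwarded".
# Assumption: the other image servers reach this host as 192.168.131.254.
geo $from_mirror {
    default          0;
    192.168.131.254  1;
}

# Stop falling back only when a trusted peer sets the hop flag.
# A flag sent by any other client is ignored, so outside requests cannot
# switch the fallback off by copying the marker (as a spoofed
# "User-Agent: IMGWEB" could with the original check).
map "$from_mirror:$http_x_imgweb_hop" $stop_fallback {
    default  0;
    "1:1"    1;
}

upstream imgweb_other {
    server 192.168.129.90;
    server 173.230.136.6 backup;
}

server {
    listen 80;

    proxy_read_timeout 15;
    proxy_connect_timeout 3;
    proxy_next_upstream error timeout invalid_header
                        http_500 http_502 http_503 http_504 http_404;
    # Hard ceiling on attempts per request: primary plus backup, then give up.
    # Requires nginx 1.7.5+; leave out on older versions.
    proxy_next_upstream_tries 2;

    location /img/ {
        expires 2592000;
        add_header Cache-Control public;
        alias /var/www/live_site_resources/;
        error_page 404 = @imgweb_other;
    }

    location @imgweb_other {
        # "if" containing only "return" is safe to use in a location.
        if ($stop_fallback) {
            return 404;
        }
        proxy_pass http://imgweb_other;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        # Always overwritten here, so a client-supplied value never
        # reaches the next server unchanged.
        proxy_set_header X-Imgweb-Hop 1;
    }
}
```

With the posted log_format, a healthy request shows at most two entries in $upstream_addr; a longer list in that field is the signature of the loop described in this thread.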
Add [nginx] to subject lines on this mailing list?
This mailing list is run by Gnu's Mailman application. The default configuration for Mailman adds a "[NameOfMailList]" prefix to the subject of every sent email, e.g.

Subject: [Congregation] Tuesday's Notes

This makes it very easy to sort out my inbox, and gives my spam filter something to key on.

On the nginx mailing list this has been turned off, so I find it hard to figure out why someone unknown is writing me about "bug?", and often find the list emails in my junk mail folder.

I'd like to have the setting turned back on; would that be OK?

Thanks,
Dan

--
Daniel T. Griscom gris...@suitable.com
Suitable Systems http://www.suitable.com/
1 Centre Street, Suite 204 (781) 665-0053
Wakefield, MA 01880-2400
Re: Add [nginx] to subject lines on this mailing list?
List-Id isn't shown in my inbox listing, so that doesn't help me when I'm scanning my inbox. Even when I open the email I have to scan the headers to figure out just what the specific email is about. All (almost?) of my other mailing lists follow this convention, which makes sense since every email from the "nginx" mailing list has to do with nginx, but few people bother to put "nginx" in the subject lines of their posts. Without this there's an assumed context for the message that isn't clear from the message subject. So, personally I'd like to have it turned on, but if there's a reason to keep it off then that's fine by me. Dan At 3:59 PM +0400 5/16/13, Maxim Konovalov wrote: On 5/16/13 3:41 PM, Daniel Griscom wrote: This mailing list is run by Gnu's Mailman application. The default configuration for Mailman adds a "[NameOfMailList]" prefix to the subject of every sent email, e.g. Subject: [Congregation] Tuesday's Notes This makes it very easy to sort out my inbox, and gives my spam filter something to key on. On the nginx mailing list this has been turned off, so I find it hard to figure out why someone unknown is writing me about "bug?", and often find the list emails in my junk mail folder. I'd like to have the setting turned back on; would that be OK? > Doesn't List-Id header suit your needs? -- Maxim Konovalov +7 (910) 4293178 http://nginx.com/services.html -- Daniel T. Griscom gris...@suitable.com Suitable Systems http://www.suitable.com/ 1 Centre Street, Suite 204(781) 665-0053 Wakefield, MA 01880-2400 ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
Re: Add [nginx] to subject lines on this mailing list?
At 9:18 AM -0400 5/16/13, Jim Ohlstein wrote: On 05/16/13 08:10, Daniel Griscom wrote: List-Id isn't shown in my inbox listing, so that doesn't help me when I'm scanning my inbox. Even when I open the email I have to scan the headers to figure out just what the specific email is about. All (almost?) of my other mailing lists follow this convention, which makes sense since every email from the "nginx" mailing list has to do with nginx, but few people bother to put "nginx" in the subject lines of their posts. Without this there's an assumed context for the message that isn't clear from the message subject. I think what Maxim was alluding to is that any decent email client will sort messages for you based on headers if you set it do do so. This way you don't need to scan your entire inbox for messages from a particular list and the "assumed context" can be a somewhat safe assumption. OK; I haven't seen an email client like that, but if that's most people's experience then that's fine by me. Since you mention the conventions followed in other mailing lists, and you read this one, perhaps you should note that top posting is discouraged on this list, and messages are answered inline by the developers (as your original one was). Just a thought. OK, will do. Dan So, personally I'd like to have it turned on, but if there's a reason to keep it off then that's fine by me. Dan At 3:59 PM +0400 5/16/13, Maxim Konovalov wrote: On 5/16/13 3:41 PM, Daniel Griscom wrote: This mailing list is run by Gnu's Mailman application. The default configuration for Mailman adds a "[NameOfMailList]" prefix to the subject of every sent email, e.g. Subject: [Congregation] Tuesday's Notes This makes it very easy to sort out my inbox, and gives my spam filter something to key on. On the nginx mailing list this has been turned off, so I find it hard to figure out why someone unknown is writing me about "bug?", and often find the list emails in my junk mail folder. 
I'd like to have the setting turned back on; would that be OK? > Doesn't List-Id header suit your needs? -- Maxim Konovalov +7 (910) 4293178 http://nginx.com/services.html -- Jim Ohlstein ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx -- Daniel T. Griscom gris...@suitable.com Suitable Systems http://www.suitable.com/ 1 Centre Street, Suite 204(781) 665-0053 Wakefield, MA 01880-2400 ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
Re: Add [nginx] to subject lines on this mailing list?
At 3:34 PM +0200 5/16/13, René Neumann wrote:
> On 16.05.2013 15:18, Jim Ohlstein wrote:
>> I think what Maxim was alluding to is that any decent email client will sort messages for you based on headers if you set it to do so. This way you don't need to scan your entire inbox for messages from a particular list and the "assumed context" can be a somewhat safe assumption.
>
> As an alternative, use a mail-server which supports server-side sorting. For example using Sieve.

Sorry; I didn't think my suggestion would be all that controversial.

As a data point, I checked through my email archive for Mailman-based mailing list messages which had or didn't have a [listName] subject prefix:

- 2288 messages with a [listName] subject prefix
- 20 messages without a [listName] subject prefix, of which 15 were nginx postings

So, omitting the prefix is an unusual choice, but if it's necessary then that's fine.

Thanks for responding,
Dan

--
Daniel T. Griscom gris...@suitable.com
Suitable Systems http://www.suitable.com/
1 Centre Street, Suite 204 (781) 665-0053
Wakefield, MA 01880-2400
Re: 404s logged in error.log?
- Original Message -
> I was wondering if someone could confirm that requests resulting in a 404
> response are by default logged to error.log at error level "error".
>
> Is that normal, or is there some piece of configuration I am missing that
> will stop them from being logged to error.log? I figured 404s would be an
> un-exceptional event that doesn't require error logging,

Correct.

> but perhaps I'm
> simply not handling that situation correctly in my configuration. Worth
> double-checking.

4xx responses are client errors and don't go in the error.log.

5xx are server errors which do go in the error log.
Re: 404s logged in error.log?
- Original Message -
> I might have misread the two answers here, but I get the impression that
> they're saying the exact opposite of each other.

If you analysed the responses and what you have I suspect you would have realised that I was in error and the information you have and the directive highlighted by Piotr gives you the ability to manipulate the logging to what you want.

> Here's a sample (redacted)
> error message I'm seeing in error.log when doing a GET on a file that
> doesn't exist:
>
> 2013/05/18 02:21:27 [error] 11619#0: *417 open() "/var/www/mysite/foo.html" failed (2: No such file or directory), client: 123.123.123.123, server: my.server.com, request: "GET /foo.html HTTP/1.1", host: "my.server.com"
>
> Just to confirm, should I be seeing the error message above in
> error.log, or did I misconfigure something? I can see a corresponding 404 being
> logged in access.log.

A misconfigure assessment depends on what you want. The logs highlight that 404 do appear in the error log though this doesn't need to be the case ( http://nginx.org/en/docs/http/ngx_http_core_module.html#log_not_found )
Re: munin plugin for nginx
- Original Message -
> I'm having some trouble getting the nginx plugin working for munin.
> I've added the following to nginx config and restarted:
>
> location /nginx_status {
>     stub_status on;
>     access_log off;
>     allow 127.0.0.1;
>     deny all;
> }
>
> I've added the following munin config:
>
> [nginx*]
> env.url http://localhost/nginx_status
>
> Unfortunately I still get:
>
> # munin-run nginx_request
> request.value U
> # munin-run nginx_status
> total.value U
> reading.value U
> writing.value U
> waiting.value U
>
> If I remove the allow/deny, I can browse to /nginx_status and I get:
>
> Active connections: 13
> server accepts handled requests
> 15 15 16
> Reading: 0 Writing: 1 Waiting: 12
>
> What could be the problem?

The munin plugin is broken or not getting the status information. Try stracing the munin-run, network capture or turning on the access logs on /nginx_status just to be sure.

--
Daniel Black, Engineer @ Open Query (http://openquery.com)
Remote expertise & maintenance for MySQL/MariaDB server environments.
SSL certificate chain
Hi,

I am trying to configure nginx 1.4.1 (using OpenSSL 1.0.1e) with a PEM encoded certificate file that contains the whole chain, 3 including Root CA. But I can not get it to work. I have followed documentation at http://nginx.org/en/docs/http/configuring_https_servers.html#chains and http://www.startssl.com/?app=42, but no matter what I do it seems I can not get nginx to deliver more than one certificate. I have used both http://portecle.sourceforge.net and https://www.ssllabs.com/ssltest/ to verify. Other services (e.g. dovecot IMAP server) on the same host using same version of OpenSSL and same intermediate certificate and Root CA work fine. How can I troubleshoot what is going wrong with nginx?

Thanks in advance.
--
daniel
Re: SSL certificate chain
Hi,

They are. I get no errors from nginx whatsoever, just that no certificate after the first is ever sent. If I change order I get error about key not matching, which is to be expected.

--
daniel

On 1 sep 2013, at 19:25, Steve Holdoway wrote:

> Make sure the server cert is first in the file, followed by the ca certs.
>
> Steve
>
> On 1/09/2013, at 11:11 PM, Daniel Lundqvist wrote:
>
>> Hi,
>>
>> I am trying to configure nginx 1.4.1 (using OpenSSL 1.0.1e) with a PEM encoded certificate file that contains the whole chain, 3 including Root CA. But I can not get it to work. I have followed documentation at http://nginx.org/en/docs/http/configuring_https_servers.html#chains and http://www.startssl.com/?app=42, but no matter what I do it seems I can not get nginx to deliver more than one certificate. I have used both http://portecle.sourceforge.net and https://www.ssllabs.com/ssltest/ to verify. Other services (e.g. dovecot IMAP server) on the same host using same version of OpenSSL and same intermediate certificate and Root CA work fine. How can I troubleshoot what is going wrong with nginx?
>>
>> Thanks in advance.
>> --
>> daniel
Re: SSL certificate chain
I have, it just says only 1 certificate is provided. Here are the test results:
https://www.ssllabs.com/ssltest/analyze.html?d=www.malarhojden.nu

--
daniel

On 1 sep 2013, at 21:43, Sylvia wrote:

> Hi.
> You can try to run a diagnostics for problem discovery and recommendations
>
> https://www.ssllabs.com/ssltest/
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,242410,242417#msg-242417
Re: SSL certificate chain
So … mysteries solved. I believe. A few things were wrong for me:

1) I had a catch all virtual host using the same certificate file as main site (configured both with an "invalid" server name and default_server for both HTTP and HTTPS)

2) It seems virtual server is also selected based on CN/SubjectAltName from certificate which I did not know (is this correct? Seems so from my testing)

So I changed the certificate on catch all virtual server to self signed and now everything seems to be ok.

Sorry for taking up your time with my misconfigured server. At least I learned something :)

--
daniel

On 2 sep 2013, at 19:12, Steve Wilson wrote:

> On 2013-09-02 11:59, Daniel Lundqvist wrote:
>> I have, it just says only 1 certificate is provided. Here are the test results:
>> https://www.ssllabs.com/ssltest/analyze.html?d=www.malarhojden.nu
> ...
>
> I note that you're using startcom for the certificate, I recall that the intermediate certificate they say to use isn't actually the one provided and had to complete the certificate chain myself.
>
> https://www.ssllabs.com/ssltest/analyze.html?d=www.stevewilson.co.uk
>
> To build up my pem I started with the crt and key, then running "openssl x509 -in cert.pem -noout -text" I was then able to download the correct intermediate using the "CA Issuers - URI" provided in the certificate. Appending this to the pem and retesting. Repeating the process for each certificate until it became valid.
>
> Authority Information Access:
>     OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca
>     CA Issuers - URI:http://aia.startssl.com/certs/sub.class1.server.ca.crt
>
> It might be worth checking if your intermediate matches the above sub.class1.server.ca.crt one.
Weird issue with relative links
Hi,

I am fairly new to nginx but appear to have it working well... along with php-fpm.

Working on a PHP script that uses slash arguments I'm hitting an odd problem. I am able to retrieve the argument correctly and this works fine in the script. Where my issue lies is with the links that are then displayed.

The script is at:
http://alpha.serverb.co.uk/debian/parser.php/gns-3

The filelist links on the page should all be relative. Testing on my local Apache server, this works perfectly. The links are like this:
http://webdev.internal.serverb.co.uk/debian/parser.php/gns-3/GNS3-0.8.7-src.zip

This is correct... the link includes the php script, slash argument and the file name.

Now on nginx... it is returned differently.. the links are missing the first slash argument so appear as:
http://alpha.serverb.co.uk/debian/parser.php/GNS3-0.8.7-src.zip

I have checked the values set by fastcgi, and these all appear to match what Apache returns... so I'm stumped!

I know I can get around this by changing the links... but that isn't an option as the page is later parsed by other scripts and should be backwards compatible with the previous version.

Any help would be most welcome

Regards

Daniel Lintott
Re: Weird issue with relative links
On 08/07/14 12:36, Francis Daly wrote:
> On Tue, Jul 08, 2014 at 12:09:57PM +0100, Daniel Lintott wrote:
>
> Hi there,
>
>> The script is at:
>> http://alpha.serverb.co.uk/debian/parser.php/gns-3
>
> http://alpha.serverb.co.uk/debian/parser.php/gns-3 and
> http://alpha.serverb.co.uk/debian/parser.php/gns-3/ are different urls,
> especially when it comes to resolving relative links.
>
> What is the response you get to a "curl -v" request for the nginx url
> and the equivalent apache url?
>
> I suspect that your apache is configured to issue a redirect and your
> nginx is not.
>
> Copy-paste the first 20 lines of the responses, if the fix is not clear.
>
> f

Hmmm... now I've confused myself! Both are now returning the same... minus the slash argument!

Seems like it may have been my error in copying the files to the server... A classic case of PEBKAC!

Daniel
problem with argument route in upstream
Hi,

I was looking for hours what is the problem with my conf.

I am trying to implement a nginx reverse loadbalancer with tomcat application servers.

I chose the route method here is the conf :

map $cookie_jsessionid $route_cookie {
    ~.+\.(?P<route>\w+)$ $route;
}

map $request_uri $route_uri {
    ~jsessionid=.+\.(?P<route>\w+)$ $route;
}

upstream antares {
    server x:8000 route=server1;
    server :8000 route=server2;
    sticky route $route_cookie $route_uri;
}

server {
    listen X:51001;
    access_log /var/log/nginx/c2375.log main;

    location / {
        proxy_buffers 8 4k;
        proxy_busy_buffers_size 16k;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://antares;
    }
}

With this I get on the error.log :

2014/11/18 19:56:40 [emerg] 9520#0: invalid parameter "route=server1" in /etc/nginx/conf.d/c2375.conf:13

I am using nginx on rhel 6 with the rpm compiled on nginx.org :

nginx version: nginx/1.6.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_spdy_module --with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'

Any idea ?

Rodriguez Daniel
Client Infrastructure Administrator
Groupe SOFTWAY MEDICAL
Tel: 04 42 97 66 36
Gsm : 06 59 75 17 58
www.softwaymedical.fr <http://www.softwaymedical.fr>
Re: problem with argument route in upstream
Thanks for your reply.

Does it mean there is only the ip_hash solution on the free version?

> On 18 Nov 2014, at 22:32, Homutov Vladimir wrote:
>
>> On 19.11.2014 00:25, RODRIGUEZ Daniel wrote:
>> Hi,
>>
>> I was looking for hours what is the problem with my conf.
>>
>> I am trying to implement a nginx reverse loadbalancer with tomcat
>> application servers.
>>
>> I chose the route method here is the conf :
>>
>> map $cookie_jsessionid $route_cookie {
>>     ~.+\.(?P<route>\w+)$ $route;
>> }
>>
>> map $request_uri $route_uri {
>>     ~jsessionid=.+\.(?P<route>\w+)$ $route;
>> }
>>
>> upstream antares {
>>     server x:8000 route=server1;
>>     server :8000 route=server2;
>>     sticky route $route_cookie $route_uri;
>> }
>>
>> server {
>>     listen X:51001;
>>     access_log /var/log/nginx/c2375.log main;
>>
>>     location / {
>>         proxy_buffers 8 4k;
>>         proxy_busy_buffers_size 16k;
>>         proxy_set_header Host $host;
>>         proxy_set_header X-Real-IP $remote_addr;
>>         proxy_pass http://antares;
>>     }
>> }
>>
>> With this I get on the error.log :
>>
>> 2014/11/18 19:56:40 [emerg] 9520#0: invalid parameter "route=server1" in
>> /etc/nginx/conf.d/c2375.conf:13
>>
>> I am using nginx on rhel 6 with the rpm compiled on nginx.org :
>>
>> nginx version: nginx/1.6.2
>> built by gcc 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC)
>> TLS SNI support enabled
>> configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx
>> --conf-path=/etc/nginx/nginx.conf
>> --error-log-path=/var/log/nginx/error.log
>> --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid
>> --lock-path=/var/run/nginx.lock
>> --http-client-body-temp-path=/var/cache/nginx/client_temp
>> --http-proxy-temp-path=/var/cache/nginx/proxy_temp
>> --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
>> --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
>> --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx
>> --group=nginx --with-http_ssl_module --with-http_realip_module
>> --with-http_addition_module --with-http_sub_module
>> --with-http_dav_module --with-http_flv_module --with-http_mp4_module
>> --with-http_gunzip_module --with-http_gzip_static_module
>> --with-http_random_index_module --with-http_secure_link_module
>> --with-http_stub_status_module --with-http_auth_request_module
>> --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6
>> --with-http_spdy_module --with-cc-opt='-O2 -g -pipe
>> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
>> --param=ssp-buffer-size=4 -m64 -mtune=generic'
>>
>> Any idea ?
>
> The sticky directive is only available in nginx-plus [1]
>
> [1] http://nginx.com/products/
>
>> Rodriguez Daniel
>> Client Infrastructure Administrator
>> Groupe SOFTWAY MEDICAL
>> www.softwaymedical.fr
Re: problem with argument route in upstream
Thanks, I am going to have a look at this module.

> On 19 Nov 2014, at 09:44, mex wrote:
>
> Hi,
>
> you can use the nginx-sticky-module if you need sticky sessions
> https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng
>
> it just has no way to extract the routing-info from tomcat-routes (yet,
> we're working on it) and comes with an own cookie, but is
> production-ready
>
> cheers,
>
> mex
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,254896,254909#msg-254909
Re: Reverse Proxy for SNMP
nginx has no support for SNMP.

You should be able to whitelist IPs using whatever SNMP daemon you are using.

On 17/03/15 16:16, Igal @ Lucee.org wrote:
> hi,
>
> can it be used as reverse proxy for any protocol or is it limited to
> http(s) and smtp?
>
> I'm trying to setup a reverse proxy for SNMP for the purpose opening
> remote SNMP access and using the proxy for whitelisting IPs etc.
Re: please suggest performance tweak and the right siege options for load test
I tried siege a lot, but could never get it to really use all cores on the server. I found the tool wrk much more useful for load testing.

On Mar 18, 2015 2:31 AM, "halozen" wrote:
> 2 nginx 1.4.6 web servers - ocfs cluster, web root inside mounted LUN
> from SAN storage
> 2 MariaDB 5.5 servers - galera cluster, different network segment than
> nginx web servers
>
> nginx servers each two sockets quad core xeon, 128 gb ram
> Load balanced via F5 load balancer (round-robin, http performance)
>
> Based on my setup above, what options that I should use with siege to
> perform load test to at least 5000 concurrent users?
>
> There is a time when thousands of students storm the university's web
> application.
>
> Below is result for 300 concurrent users.
>
> # siege -c 300 -q -t 1m domain.com
>
> siege aborted due to excessive socket failure; you
> can change the failure threshold in $HOME/.siegerc
>
> Transactions:              370 hits
> Availability:              25.38 %
> Elapsed time:              47.06 secs
> Data transferred:          4.84 MB
> Response time:             20.09 secs
> Transaction rate:          7.86 trans/sec
> Throughput:                0.10 MB/sec
> Concurrency:               157.98
> Successful transactions:   370
> Failed transactions:       1088
> Longest transaction:       30.06
> Shortest transaction:      0.00
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,257373,257373#msg-257373
Re: https to http error "too many redirects"
Correct, you give the HSTS header on the SSL/TLS port. So if *any* connection in the past has gone to the SSL/TLS port, the browser is forced to use https:// for any future connection.

You should set it to 1 for a while and then disable it.

On Mar 20, 2015 9:48 AM, "jinwon42" wrote:
> Sorry.
>
> 80 port is right.
>
> if ($scheme != $example_org_preferred_proto) {
>     return 301 $example_org_preferred_proto://$server_name$request_uri;
> }
>
> Still saw error. "ERR_TOO_MANY_REDIRECTS"
>
> ---
>
> map $request_uri $example_org_preferred_proto {
>     default "https";
>     ~^/mobile/PayOnlyResult.do "http";
>     ~^/kor/tel.do "http";
> }
>
> server {
>     listen 443 ssl;
>     listen 80;
>     server_name www..com;
>
>     charset utf-8;
>
>     #ssl on;
>     ssl_certificate D:/nginx-1.7.10/ssl/cert.pem;
>     ssl_certificate_key D:/nginx-1.7.10/ssl/key.pem;
>     ssl_verify_client off;
>
>     ssl_session_timeout 5m;
>
>     ssl_protocols SSLv3 TLSv1;
>     ssl_ciphers AES256-SHA:HIGH:!EXPORT:!eNULL:!ADH:RC4+RSA;
>     ssl_prefer_server_ciphers on;
>
>     # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
>     add_header Strict-Transport-Security max-age=15768000;
>
>     error_page 400 /error/error.html;
>     error_page 403 /error/error.html;
>     error_page 404 /error/error.html;
>
>     if ($scheme != $example_org_preferred_proto) {
>         return 301 $example_org_preferred_proto://$server_name$request_uri;
>     }
>
>     location / {
>         proxy_set_header Host $host;
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header X-Forwarded-Host $host;
>         proxy_set_header X-Forwarded-Server $host;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header X-Forwarded-Proto $scheme;
>         proxy_set_header Host $http_host;
>         proxy_buffering off;
>         proxy_connect_timeout 60;
>         proxy_read_timeout 60;
>         proxy_pass http://wwwcom;
>         proxy_ssl_session_reuse off;
>     }
> }
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,257458,257469#msg-257469
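The loop in this thread can be reproduced offline. The following is an added example, not code from the thread: a Python model of the quoted map/if redirect together with a browser's HSTS store, showing why removing the header alone does not help while a short max-age does. The host name www.example.test, the 20-hop limit and all function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Patterns copied from the quoted map block: these URIs prefer http, the rest https.
HTTP_ONLY = [re.compile(r"^/mobile/PayOnlyResult.do"), re.compile(r"^/kor/tel.do")]
SIX_MONTHS = 15768000   # max-age from the quoted add_header line
MAX_HOPS = 20           # assumed browser redirect limit


def server(url, hsts_max_age):
    """Answer like the quoted server block: one block for ports 80 and 443."""
    parts = urlsplit(url)
    uri = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    headers = {}
    if hsts_max_age is not None:
        # add_header sits at server level, so both ports send it
        headers["Strict-Transport-Security"] = "max-age=%d" % hsts_max_age
    wanted = "http" if any(p.search(uri) for p in HTTP_ONLY) else "https"
    if parts.scheme != wanted:
        headers["Location"] = "%s://%s%s" % (wanted, parts.netloc, uri)
        return 301, headers
    return 200, headers


class Browser:
    """Minimal HSTS-aware client with a simulated clock (seconds)."""

    def __init__(self):
        self.now = 0
        self.hsts_expiry = {}  # host -> time at which the stored policy expires

    def _apply_hsts(self, url):
        parts = urlsplit(url)
        if parts.scheme == "http" and self.hsts_expiry.get(parts.hostname, 0) > self.now:
            return "https" + url[len("http"):]
        return url

    def _store_hsts(self, url, headers):
        parts = urlsplit(url)
        match = re.search(r"max-age=(\d+)", headers.get("Strict-Transport-Security", ""))
        # The header only counts on responses received over https (RFC 6797).
        if parts.scheme != "https" or match is None:
            return
        max_age = int(match.group(1))
        if max_age == 0:
            self.hsts_expiry.pop(parts.hostname, None)
        else:
            self.hsts_expiry[parts.hostname] = self.now + max_age

    def get(self, url, hsts_max_age):
        """Follow redirects; return 'ok' or the browser error name."""
        for _ in range(MAX_HOPS):
            url = self._apply_hsts(url)
            status, headers = server(url, hsts_max_age)
            self._store_hsts(url, headers)
            if status != 301:
                return "ok"
            url = headers["Location"]
        return "ERR_TOO_MANY_REDIRECTS"


def scenario():
    """Replay the thread: http-only page before and after the policy is stored."""
    page = "http://www.example.test/kor/tel.do"   # constructed host name
    home = "https://www.example.test/"
    out = {}
    b = Browser()
    out["fresh_browser"] = b.get(page, SIX_MONTHS)
    out["https_visit"] = b.get(home, SIX_MONTHS)        # policy is stored here
    out["after_https_visit"] = b.get(page, SIX_MONTHS)  # http is upgraded, https is redirected back
    out["header_removed"] = b.get(page, None)           # stored policy is still valid
    out["max_age_1_first_try"] = b.get(page, 1)         # policy shrinks to one second
    b.now += 2
    out["max_age_1_later"] = b.get(page, 1)             # policy has expired
    return out


if __name__ == "__main__":
    for step, result in scenario().items():
        print(step, result)
```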
Preferred method for location blocks
What is the difference between:

location /admin {
}

vs.

location ~ /admin(/.*) {
}

The first seems cleaner, and I assume runs faster - but do they process differently?

-- Daniel
Set a PHP parameter for only one location
I have a "standard" location block for my php directives...

# Pass all .php files onto a php-fpm/php-fcgi server.
location ~ \.php$ {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    include fastcgi_params;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass php;
}

But... I want to set a php_value for a specific directory. Is there a more elegant method than duplicating all the directives for the "global" php handler above for the directory?

-- Daniel
Re: Site should not be accessed through IP
If you're using a 1-config-per-site setup, then yes, you could. It completely depends on your setup as to where you need to place it. You can put it in any existing file that already has a server directive in there. Just make sure none of the other server configs/files have the default_server in their listen directive.

The server name of _ just makes sure it won't conflict with any existing name as hostnames are not allowed to have underscores in them. The default_server is special, it makes sure that any request that does not have a matching name in the rest of the config will end up there. So not just the IP that you asked for, but also any other website name that is not in the config.

The 444 status code is just to return a "no response" kinda thing. If you want you can even have a default site there, telling users there is no site at that address with a fancy text and/or logo instead.

On Apr 9, 2015 8:30 PM, "blason" wrote:
> Hi Finalx,
>
> you mean shall I create the .conf file by name default_server and add up
> this there? Or would you please tell me where should I add the above
> stanza?
> Sorry I am being novice in nginx just would like to know more information
> about this.
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,257927,257930#msg-257930
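The rule this reply relies on (a request whose Host matches no server_name goes to the default server, which is the first block for that listen socket unless one is marked default_server) can be checked with a small model. This is an added example, not code from the thread; it follows nginx's documented name-matching order, omits the special ".example.org" name form, and the host names, "action" strings and function names are constructed for illustration.

```python
import re


def normalise(host_header):
    """Lower-case the Host value and drop a port, keeping IPv6 literals whole."""
    host = host_header.strip().lower()
    if host.startswith("[") and "]" in host:
        return host[: host.index("]") + 1]
    return host.split(":", 1)[0].rstrip(".")


def select_server(servers, host_header):
    """Pick the server block for one listen socket.

    Order: exact name, longest "*.suffix" wildcard, longest "prefix.*"
    wildcard, first matching regex, explicit default_server, first block.
    """
    host = normalise(host_header)
    leading, trailing = [], []
    for srv in servers:
        for name in srv["names"]:
            if name == host:
                return srv                      # exact names win outright
            if name.startswith("*.") and host.endswith(name[1:]):
                leading.append((len(name), srv))
            elif name.endswith(".*") and host.startswith(name[:-1]):
                trailing.append((len(name), srv))
    for bucket in (leading, trailing):
        if bucket:
            return max(bucket, key=lambda item: item[0])[1]
    for srv in servers:                         # regex names, in config order
        for name in srv["names"]:
            if not name.startswith("~"):
                continue
            flags = re.IGNORECASE if name.startswith("~*") else 0
            if re.search(name.lstrip("~*"), host, flags):
                return srv
    for srv in servers:
        if srv.get("default"):
            return srv                          # listen ... default_server;
    return servers[0]                           # implicit default: first block


# Constructed sample configuration, all on the same listen address and port.
SITES = [
    {"names": ["shop.example.test", "www.shop.example.test"], "action": "proxy to shop"},
    {"names": ["*.example.test"], "action": "proxy to wiki"},
    {"names": [r"~^api\d+\.example\.net$"], "action": "proxy to api"},
]
# The block from the reply: server_name _; listen 80 default_server; return 444;
CATCH_ALL = {"names": ["_"], "default": True, "action": "return 444"}


def route(servers, host_header):
    return select_server(servers, host_header)["action"]


if __name__ == "__main__":
    for host in ("203.0.113.10", "unknown.example.net", "docs.example.test"):
        print(host, "|", route(SITES, host), "|", route(SITES + [CATCH_ALL], host))
```

Without the catch-all block, a request by IP address is answered by whichever site happens to be listed first.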
Re: Execute python files with Nginx
Hi Nitin,

If you're using django you can follow these steps:
https://www.digitalocean.com/community/tutorials/how-to-serve-django-applications-with-uwsgi-and-nginx-on-ubuntu-14-04

Daniel Theodoro

On Fri, Aug 7, 2015 at 5:12 PM, Nitin Solanki wrote:
> Hi,
> Right now, I am not in the office. I am from India. Now, it is 1.42
> am. It will be great if you provide step by step from the beginning. Is it
> possible to mail? Thanks.
>
> On Sat, Aug 8, 2015 at 12:50 AM Shannon Burns wrote:
>
>> Hi Nitin,
>>
>> Would you mind providing a bit more information?
>>
>> On Aug 6, 2015, at 4:53 AM, Nitin Solanki wrote:
>>
>> I tried that and getting issues. Unable to configure. I am not getting
>> those steps. Any help you can do by explaining in steps…
>>
>> What issues are you running into? Can you copy and paste any errors
>> you're receiving?
>>
>> Can you provide the configuration file you are using?
>>
>> What is the behavior you are expecting and what is the behavior you're
>> seeing?
>>
>> On Thu, Aug 6, 2015 at 5:19 PM Alt wrote:
>>
>>> Hello,
>>>
>>> I've never used python with nginx, but there are some examples on how to
>>> configure everything here:
>>> http://wiki.nginx.org/Configuration#Python_via_FastCGI
>>>
>>> Best Regards
>>>
>>> Posted at Nginx Forum:
>>> http://forum.nginx.org/read.php?2,260817,260818#msg-260818
ipv6 on nginx.org
Hi List,

i know, this list is about the webserver itself. But i have some Problems with the website nginx.org and ipv6 and I really need it to read webserver docs.

What's the Problem? It just does not work on two very different systems (workplace and private server).

Ping works fine on nginx.org and ipv6.google.com:

[root@kackkiste]/home/dkraemer# ping6 ipv6.google.com
PING ipv6.google.com(wm-in-x71.1e100.net) 56 data bytes
64 bytes from wm-in-x71.1e100.net: icmp_seq=1 ttl=57 time=17.6 ms
64 bytes from wm-in-x71.1e100.net: icmp_seq=2 ttl=57 time=11.3 ms

--- ipv6.google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 11.389/14.500/17.611/3.111 ms

[root@kackkiste]/home/dkraemer# ping6 nginx.org
PING nginx.org(2606:7100:1:69::3f) 56 data bytes
64 bytes from 2606:7100:1:69::3f: icmp_seq=1 ttl=53 time=151 ms
64 bytes from 2606:7100:1:69::3f: icmp_seq=2 ttl=53 time=150 ms
64 bytes from 2606:7100:1:69::3f: icmp_seq=3 ttl=53 time=151 ms
64 bytes from 2606:7100:1:69::3f: icmp_seq=4 ttl=53 time=151 ms

--- nginx.org ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 4276ms
rtt min/avg/max/mdev = 150.971/151.187/151.457/0.510 ms

No HTTP-Response from nginx.org (tried HTTP/1.1 and GET as well):

[root@kackkiste]/home/dkraemer# telnet ipv6.google.com 80
Trying 2a00:1450:400c:c09::71...
Connected to ipv6.google.com.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.0 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: http://www.google.de/?gfe_rd=cr&ei=GtAkVtL1FYS7cMLkh6AL
Content-Length: 256
Date: Mon, 19 Oct 2015 11:12:26 GMT
Server: GFE/2.0

Connection closed by foreign host.

[root@kackkiste]/home/dkraemer# telnet nginx.org 80
Trying 2606:7100:1:69::3f...
Connected to nginx.org.
Escape character is '^]'.
HEAD / HTTP/1.0

Connection closed by foreign host.
Re: ipv6 on nginx.org
Thank you so far!

Looks like a problem in our network at work:

[dkraemer@castleblack:~/] echo -ne "HEAD / HTTP/1.1\nHost: nginx.org\n\n" |nc -6 nginx.org 80
HTTP/1.1 200 OK
Server: nginx/1.7.7
Date: Tue, 20 Oct 2015 11:06:02 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 7658
Last-Modified: Tue, 22 Sep 2015 15:20:08 GMT
Connection: keep-alive
Keep-Alive: timeout=15
ETag: "560171a8-1dea"
Accept-Ranges: bytes

[dkraemer@castleblack:~/] echo -ne "GET / HTTP/1.1\nHost: nginx.org\n\n" |nc -6 -i 10 nginx.org 80
Ncat: Idle timeout expired (1 ms).

Works with my private server:

[dkraemer@kackkiste:~] echo -ne "GET / HTTP/1.1\nHost: nginx.org\n\n" |nc -6 nginx.org 80
HTTP/1.1 200 OK
Server: nginx/1.7.7
Date: Tue, 20 Oct 2015 11:07:48 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 7658
Last-Modified: Tue, 22 Sep 2015 15:20:08 GMT
Connection: keep-alive
Keep-Alive: timeout=15
ETag: "560171a8-1dea"
Accept-Ranges: bytes

"http://www.w3.org/TR/html4/loose.dtd">
[...]
Re: ipv6 on nginx.org
Hi,

Looks like an MTU issue then (small response OK, big responses timeout). Check if you correctly clamp MSS on IPv6.

thanks for your suggestion. I made some tests with my private server and workplace. I'm not done testing MSS clamping yet.

[root@kackkiste]~# echo -ne "GET / HTTP/1.1\nHost: nginx.org\n\n" |nc -6 nginx.org 80 > /tmp/test
[root@kackkiste]~# ls -l /tmp/test
-rw-r--r--. 1 root root 7936 20. Okt 15:38 /tmp/test
[root@kackkiste]~# nc -6 -l 80 < /tmp/test
GET / HTTP/1.1
Host: kackkiste.de

[dkraemer@castleblack:~] echo -ne "GET / HTTP/1.1\nHost: kackkiste.de\n\n" |nc -6 kackkiste.de 80
HTTP/1.1 200 OK
Server: nginx/1.7.7
Date: Tue, 20 Oct 2015 13:38:07 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 7658
Last-Modified: Tue, 22 Sep 2015 15:20:08 GMT
Connection: keep-alive
Keep-Alive: timeout=15
ETag: "560171a8-1dea"
Accept-Ranges: bytes

"http://www.w3.org/TR/html4/loose.dtd">
[..lot of stuff..]
Re: DNS Caching Issue For community version
Maybe you should try this module:
https://github.com/GUI/nginx-upstream-dynamic-servers

Regards,
Biazus

On Fri, May 13, 2016 at 3:13 AM, RT.Nat wrote:
> Not clear regarding, " Also you might check using directly the hostname as
> it might be possible that there is a bug when using variables."
>
> I tried adding the variable for resolving the dns but still the ip address
> does not change. Is there any other way? or is there any bug in my script.
>
> resolver 8.8.8.8 valid=30s;
> resolver_timeout 10s;
> set $checkup "example.net";
>
> location / {
>     rewrite ^/(.*) /$1 break;
>     proxy_pass https://$checkup:8080;
> }
>
> even adding the following codes instead of the above proxy pass doesn't
> work.
>
> proxy_pass https://example.net:8080$request_uri;
> proxy_pass https://example.net:8080;
>
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?2,266857,266880#msg-266880

--
Daniel Biazus, R&D
AZION | Deliver. Accelerate. Protect.
nginx-1.27.0 - shasum does not match with expected shasum from pkg-oss
Hello,

the SHA512 of https://nginx.org/download/nginx-1.27.0.tar.gz (downloaded 2024-05-29 15:42:02 UTC) is

251bfe65c717a8027ef05caae2ab2ea73b9b544577f539a1d419fe6adf0bcc846b73b58f54ea3f102df79aaf340e4fa56793ddadea3cd61bcbbe2364ef94bacb

This does not match with the shasum expected here:
https://hg.nginx.org/pkg-oss/file/tip/contrib/src/nginx/SHA512SUMS#l57
Automatic trailing slash redirect and scheme
Hi,

I am trying to set the scheme used in the automatic redirect generated by nginx when the trailing slash is missing. The nginx server is behind a proxy that handles ssl, hence all requests are made using http so nginx uses http in the absolute redirect.

Is there a way to configure nginx to use the value of "$http_x_forwarded_proto" ?

The server conf:

server {
    listen 8080;
    server_name _;

    gzip on;
    gzip_disable "msie6";

    root /usr/share/nginx/www;

    # Prevent redirect to have port 8080
    port_in_redirect off;

    # 404
    error_page 404 /404.html;

    # Redir auto to http
    if ($http_x_forwarded_proto = http) {
        return 301 https://$host$request_uri;
    }

    # Ensure remote ip is the right one
    set_real_ip_from 0.0.0.0/0;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;

    # Cache control on image
    location ~ ^/fr/(.*\.(bmp|gif|jpeg|jpg|jxr|hdp|wdp|png|svg|svgz|tif|tiff|wbmp|webp|jng|cur|ico|woff|woff2))$ {
        add_header Cache-Control public,max-age=86400;
        alias /usr/share/nginx/www/$1;
    }

    # Serving data configuration
    location ~ ^/fr/(.*) {
        include /etc/nginx/redirect/*;
        alias /usr/share/nginx/www/$1;
    }
}

Regards,

--
Jean-Daniel Fischer
Developer, Cedreo <https://cedreo.com/>
Re: Automatic trailing slash redirect and scheme
Thanks for all the replies, I activated "absolute_redirect off".

On Fri, 23 Aug 2019 at 00:07, Francis Daly wrote:
> On Thu, Aug 22, 2019 at 03:22:38PM +0200, Jean-Daniel FISCHER wrote:
>
> Hi there,
>
> > I am trying to set the scheme used in the automatic redirect generated by nginx
> > when the trailing slash is missing. The nginx server is behind a proxy that
> > handles ssl, hence all requests are made using http so nginx uses http in
> > the absolute redirect.
> >
> > Is there a way to configure nginx to use the value of
> > "$http_x_forwarded_proto" ?
>
> I think "not directly".
>
> So, if the ssl-handling proxy does not have the equivalent of
> proxy_redirect (http://nginx.org/r/proxy_redirect) to modify the Location:
> header before it goes to the client; then you could use "absolute_redirect
> off" (http://nginx.org/r/absolute_redirect) so that nginx will omit the
> scheme and host and port from the Location: header, which all current
> clients should Just Work with.
>
> f
> --
> Francis Daly        fran...@daoine.org

--
Jean-Daniel Fischer
Developer, Cedreo <https://cedreo.com/>
Reverse proxy redirection issue
Hello,

I am new in this world (of nginx) and I have a problem that has me crazy.

I am using nginx as a reverse proxy, I managed to configure SSL certificates using LetsEncrypt but nginx does the redirection to the wrong vhost.

This is the configuration of one of the vhosts, they are 3 identical ones pointing to the same virtual machine. I have a fourth one pointing to another virtual machine that works without problems.

I have the domains 1.DOMAIN.edu.ar, 2.DOMAIN.edu.ar and 3.DOMAIN.edu.ar pointing to the same internal IP. But any domain I enter in the browser the redirection is made to 1.DOMAIN.edu.ar.

Also set a 4th as default_server, but the behaviour still remains.

This is the vhost configuration

---
# cat /etc/nginx/sites-enabled/2.DOMAIN.edu.ar.conf
server {
    listen 80;
    server_name 2.DOMAIN.edu.ar;
    server_tokens off; # Don't show the nginx version number
    include /etc/nginx/snippets/location-letsencrypt.conf;
    #return 301 https://2.DOMAIN.edu.ar$request_uri;
    rewrite ^ https://2.DOMAIN.edu.ar$request_uri? permanent;
}

server {
    listen 443 ssl http2;
    server_name 2.DOMAIN.edu.ar;
    server_tokens off; # Don't show the nginx version number
    include /etc/nginx/snippets/location-letsencrypt.conf;
    ssl_certificate /etc/letsencrypt/live/2.DOMAIN.edu.ar/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/2.DOMAIN.edu.ar/privkey.pem;
    ssl_session_cache builtin:1000 shared:SSL:10m; # Defining option to share SSL Connection with Passed Proxy
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Defining used protocol versions.
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; # Defining ciphers to use.
    ssl_prefer_server_ciphers on; # Enabling ciphers

    location / {
        proxy_http_version 1.1; #For Websockets and keepalive connections
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade"; #required when using Websockets
        proxy_set_header Host $host; #Contains:
                                     # hostname from the request line,
                                     # or hostname from the Host request header field,
                                     # or the server name matching a request.
        proxy_set_header X-Real-IP $remote_addr; #Forwards the real visitor remote IP address
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #List containing the IP addresses of every server the client has been proxied through.
        proxy_set_header X-Forwarded-Proto $scheme; #When used inside an HTTPS server block,
                                                    #each HTTP response from the proxied server is rewritten to HTTPS
        proxy_set_header X-Forwarded-Host $host; #Original host requested by the client
        proxy_set_header X-Forwarded-Port $server_port; #Original port requested by the client
        proxy_pass http://INTERNAL-IP/;
    }

    access_log /var/log/nginx/2.DOMAIN.edu.ar/access.log;
    error_log /var/log/nginx/2.DOMAIN.edu.ar/error.log;
}
---

Any hint will be much appreciated.

Thanks in advance.-
Re: Reverse proxy redirection issue
On 2021-09-18 05:03, Francis Daly wrote:
> On Fri, Sep 17, 2021 at 10:24:44PM -0300, Daniel Armando Rodriguez wrote:
>
> Hi there,
>
>> I am using nginx as a reverse proxy, I managed to configure SSL
>> certificates using LetsEncrypt but nginx does the redirection to the
>> wrong vhost.
>>
>> This is the configuration of one of the vhost, they are 3 identical ones
>> pointing to the same virtual machine. I have a fourth one pointing to
>> another virtual machine that works without problems.
>>
>> I have the domains 1.DOMAIN.edu.ar, 2.DOMAIN.edu.ar and 3.DOMAIN.edu.ar
>> pointing to the same internal IP. But any domain I enter in the browser
>> the redirection is made to 1.DOMAIN.edu.ar.
>
> I think you are reporting that if you do
>
>   curl -i http://1.DOMAIN.edu.ar
>
> you get a http 301 redirect from nginx to https://1.DOMAIN.edu.ar (which
> is what you want); and if you do
>
>   curl -i http://2.DOMAIN.edu.ar
>
> you get a http 301 redirect from nginx to https://1.DOMAIN.edu.ar (which
> is not what you want).
>
> Is that correct?

Yep, that was exactly the issue. And saying 'was' 'cause this morning everything is working like a charm. Without having made any further modification, I mean.

Really don't know what has happened here, but glad to see it working as expected.

> If so...
>
>> Also set a 4th as default_server, but behaviour still remains.
>>
>> This is the vhost configuration
>>
>> ---
>> # cat /etc/nginx/sites-enabled/2.DOMAIN.edu.ar.conf
>> server {
>>     listen 80;
>>     server_name 2.DOMAIN.edu.ar;
>>     server_tokens off; # Don't show the nginx version number
>>     include /etc/nginx/snippets/location-letsencrypt.conf;
>>     #return 301 https://2.DOMAIN.edu.ar$request_uri;
>>     rewrite ^ https://2.DOMAIN.edu.ar$request_uri? permanent;
>> }
>
> ...can you show the "server" blocks that have "listen 80", to make sure
> that they each have the expected "server_name" values and return/rewrite
> value?

At the time the mail was sent I had double checked those values.

> The output of "nginx -T" should list the configuration that nginx
> actually reads; that might be simpler to copy from than the files.
>
> (There are other possible things to check too -- perhaps the problem
> is not that "curl -i http://2.DOMAIN.edu.ar" gives the unwanted response,
> but that "curl -i https://2.DOMAIN.edu.ar" gives the unwanted response. Or
> perhaps the problem is that the requests are not getting to this nginx
> at all. But, one step at a time, to identify where the problem is.)

The issue was raised on https redirection, indeed. But, as said, no changes made at all and now it's all working.

> Good luck with it,

Thanks for taking the time to read, and sorry for the noise.

ATB

> f

Daniel A. Rodriguez
Informática, Conectividad y Sistemas
Universidad Nacional del Alto Uruguay
San Vicente - Misiones - Argentina
www.unau.edu.ar
Re: Reverse proxy redirection issue
On 2021-09-19 04:00, Francis Daly wrote:
> On Sat, Sep 18, 2021 at 09:16:28AM -0300, Daniel Armando Rodriguez wrote:
>> On 2021-09-18 05:03, Francis Daly wrote:
>>> On Fri, Sep 17, 2021 at 10:24:44PM -0300, Daniel Armando Rodriguez wrote:
>
> Hi there,
>
>>> if you do
>>>
>>>   curl -i http://2.DOMAIN.edu.ar
>>>
>>> you get a http 301 redirect from nginx to https://1.DOMAIN.edu.ar (which
>>> is not what you want).
>>>
>>> Is that correct?
>>
>> Yep, that was exactly the issue. And saying 'was' 'cause this morning
>> everything is working like a charm. Without having made any further
>> modification, I mean.
>>
>> Really don't know what has happened here, but glad to see it working as
>> expected.
>
> Great that you have a config and setup that now does what you want :-)
>
> Now that it isn't broken, with no known changes, it's hard to guess what
> might have been the problem. Maybe something restarted overnight, or
> caches cleared, or something odd like that.
>
> Cheers,
>
> f

Today I added a new domain, and the issue showed up again.

  curl -i http://4.DOMAIN.edu.ar

Returns a redirect to https://4.DOMAIN.edu.ar

But

  curl -i https://4.DOMAIN.edu.ar

Returns a redirect to https://4.DOMAIN.edu.ar

I really would like to understand why this happens.

This is the output of nginx -T

# configuration file /etc/nginx/sites-enabled/4.DOMAIN.edu.ar.conf:
server {
    listen 80;
    server_name 4.DOMAIN.edu.ar;
    server_tokens off; # Don't show the nginx version number
    include /etc/nginx/snippets/location-letsencrypt.conf;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name 4.DOMAIN.edu.ar;
    server_tokens off; # Don't show the nginx version number
    include /etc/nginx/snippets/location-letsencrypt.conf;
    include /etc/nginx/snippets/ssl-params.conf;
    ssl_certificate /etc/letsencrypt/live/4.DOMAIN.edu.ar/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/4.DOMAIN.edu.ar/privkey.pem;

    location / {
        proxy_http_version 1.1; #For Websockets and keepalive connections
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade"; #required when using Websockets
        proxy_set_header Host $host; #Contains:
                                     # hostname from the request line,
                                     # or hostname from the Host request header field,
                                     # or the server name matching a request.
        proxy_set_header X-Real-IP $remote_addr; #Forwards the real visitor remote IP address
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #List containing the IP addresses of every server the client has been proxied through.
        proxy_set_header X-Forwarded-Proto $scheme; #When used inside an HTTPS server block,
                                                    #each HTTP response from the proxied server is rewritten to HTTPS
        proxy_set_header X-Forwarded-Host $host; #Original host requested by the client
        proxy_set_header X-Forwarded-Port $server_port; #Original port requested by the client
        proxy_pass http://INTERNAL-IP/;
    }

    access_log /var/log/nginx/4.DOMAIN.edu.ar/access.log;
    error_log /var/log/nginx/4.DOMAIN.edu.ar/error.log;
}
Re: Reverse proxy redirection issue
Gave a try adding

server {
    listen 80;
    return 444;
}

server {
    listen 443;
    return 444;
}

to prevent processing requests with undefined server names, but the message was 'Connection closed'
Re: Reverse proxy redirection issue
On 2021-09-20 13:49, Francis Daly wrote:
On Sun, Sep 19, 2021 at 10:08:08PM -0300, Daniel Armando Rodriguez wrote:
On 2021-09-19 04:00, Francis Daly wrote:

Hi there,

Today I added a new domain, and the issue showed up again.

curl -i http://4.DOMAIN.edu.ar

Returns a redirect to https://4.DOMAIN.edu.ar

Ok, so that much is doing what is wanted.

But

curl -i https://4.DOMAIN.edu.ar

Returns a redirect to https://4.DOMAIN.edu.ar

And that is a redirect loop, which is not what you want.

When you request https://4.DOMAIN.edu.ar, that should get to nginx, which should make a http request to INTERNAL_IP and return the response.

server {
    listen 443 ssl http2;
    server_name 4.DOMAIN.edu.ar;
    location / {
        proxy_http_version 1.1; #For Websockets and keepalive connections
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade"; #required when using Websockets
        proxy_set_header Host $host;
        ...
        proxy_pass http://INTERNAL-IP/;
    }

What response do you get if you start on the nginx server and run the command

curl -v -H Host:4.DOMAIN.edu.ar http://INTERNAL-IP/

?

I'm not sure if the Connection header will make a difference here; it is possible that some of the X- headers are specially handled by the internal server; and maybe adding --http1.1 to the curl command line will make a difference too.

The aim is to see how the internal server responds, to see if there is an nginx-side config that can be made to make the end-user experience more useful.

It is possible that the internal server logs, or the nginx debug log, could give more detail; but the "curl" command is probably relatively quick to run and interpret.

Cheers,

f

This is the output

# curl -v -H Host:4.DOMAIN.edu.ar http://INTERNAL-IP/
* Expire in 0 ms for 6 (transfer 0x56179d823c10)
* Trying INTERNAL-IP...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x56179d823c10)
* Connected to INTERNAL-IP (INTERNAL-IP) port 80 (#0)
> GET / HTTP/1.1
> Host:4.DOMAIN.edu.ar
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Mon, 20 Sep 2021 20:07:38 GMT
< Server: Apache/2.4.38
< X-Pingback: http://1.DOMAIN.edu.ar/xmlrpc.php
< X-Redirect-By: WordPress
< Location: https://1.DOMAIN.edu.ar/
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host INTERNAL-IP left intact

However, the same target machine hosts other services (each one with its own subdomain: 1, 2 & 3) that also go through the proxy. And they work as expected. Just to compare, this is the output.

# curl -v -H Host:2.DOMAIN.edu.ar http://INTERNAL-IP/
* Expire in 0 ms for 6 (transfer 0x55c30497ac10)
* Trying INTERNAL-IP...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x55c30497ac10)
* Connected to INTERNAL-IP (INTERNAL-IP) port 80 (#0)
> GET / HTTP/1.1
> Host:2.DOMAIN.edu.ar
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 20 Sep 2021 20:12:01 GMT
< Server: Apache/2.4.38
< Set-Cookie: PHPSESSID=qujrksv6dbcf4t2pvf53judvnk; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Vary: Accept-Encoding
< Content-Length: 4364
< Content-Type: text/html; charset=UTF-8
Re: Reverse proxy redirection issue
On 2021-09-21 09:23, Francis Daly wrote:
On Mon, Sep 20, 2021 at 05:20:55PM -0300, Daniel Armando Rodriguez wrote:
On 2021-09-20 13:49, Francis Daly wrote:
> On Sun, Sep 19, 2021 at 10:08:08PM -0300, Daniel Armando Rodriguez wrote:

Hi there,

> > curl -i https://4.DOMAIN.edu.ar
> >
> > Returns a redirect to https://4.DOMAIN.edu.ar
>
> And that is a redirect loop, which is not what you want.
>
> When you request https://4.DOMAIN.edu.ar, that should get to nginx,
> which should make a http request to INTERNAL_IP and return the response.

> What response do you get if you start on the nginx server and run the
> command
>
> curl -v -H Host:4.DOMAIN.edu.ar http://INTERNAL-IP/

This is the output

# curl -v -H Host:4.DOMAIN.edu.ar http://INTERNAL-IP/
> GET / HTTP/1.1
> Host:4.DOMAIN.edu.ar
< HTTP/1.1 301 Moved Permanently
< Location: https://1.DOMAIN.edu.ar/

This indicates that the internal web server is returning a redirect to https://1, when you ask it for http://4.

Is there any chance that that internal web server is not yet configured to believe that it is 4, and it instead redirects to its default name of 1?

However, the same target machine hosts other services (each one with its own subdomain: 1, 2 & 3) that also go through the proxy. And they work as expected. Just to compare, this is the output.

# curl -v -H Host:2.DOMAIN.edu.ar http://INTERNAL-IP/
> GET / HTTP/1.1
> Host:2.DOMAIN.edu.ar
< HTTP/1.1 200 OK

(And, presumably, the correct content from 2.)

That might also explain why the first test failed, then started working -- perhaps the internal web server reloaded its configuration and it started behaving as expected?

(And maybe it works for 4 now too, if the config reloaded over night?)

Cheers,

f

Well, reloaded conf in internal server but issue is still there. Seems there's some odd behaviour from Apache in that host. So, my quest will go that way.

Thanks for taking the time to read.

Regards
X-Frame-Options in nginx to allow certain subdomain
I'm using nginx as a reverse proxy for several web services. One of them is a NextCloud + WOPI based LibreOffice Online Solution, as such it needs to access resources in WOPI server subdomain. What I need is my nginx to allow X-Frame-Options for WOPI server subdomain.

My /etc/nginx/snippets/ssl-params.conf have the X-Frame-Options set to SAMEORIGIN.

I've tried adding following line to NC conf file with no luck:

proxy_hide_header X-Frame-Options

Also tried adding this line, with no luck either

add_header X-Frame-Options "allow-from https://WOPI-DOMAIN";

Any clue will be much appreciated.

Best regards.-

Daniel A. Rodriguez
_Informática, Conectividad y Sistemas_
Universidad Nacional del Alto Uruguay
San Vicente - Misiones - Argentina
informatica.unau.edu.ar
Re: X-Frame-Options in nginx to allow certain subdomain
On 2021-11-26 11:19, Francis Daly wrote:
On Fri, Nov 26, 2021 at 08:43:58AM -0300, Daniel Armando Rodriguez wrote:

Hi there,

One of them is a NextCloud + WOPI based LibreOffice Online Solution, as such it needs to access resources in WOPI server subdomain. What I need is my nginx to allow X-Frame-Options for WOPI server subdomain.

It sounds like you want a request from the client, to have a specific header with a specific value in the response when being proxy_pass'ed through nginx.

Well, it's not a browser request but OxOffice Online one. With X-Frame-Options set to SAMEORIGIN I can work, can edit documents, spreadsheets and so on. The issue raises when doing a presentation as a new browser window is displayed. And console says

chromewebdata/:1 Refused to display 'https://wopi.dominio.edu.ar/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

Nextcloud is hosted on its own subdomain (cloud.dominio.edu.ar) and WOPI web services are consumed from wopi.dominio.edu.ar

Can you show one request that you make, and the response that you get, and the response that you want to get instead?

If I disable X-Frame-Options set to SAMEORIGIN presentation appears as it should, but I don't like the idea to disallow X-Frame-Options just for one service.

Possibly the browser "developer tools" console can show the network requests and responses; I suspect that you only care about the http response headers, not the response body.

My /etc/nginx/snippets/ssl-params.conf have the X-Frame-Options set to SAMEORIGIN.

I've tried adding following line to NC conf file with no luck:

proxy_hide_header X-Frame-Options

Also tried adding this line, with no luck either

add_header X-Frame-Options "allow-from https://WOPI-DOMAIN";

What does "no luck" mean, here?

The refused to display 'https://wopi.dominio.edu.ar/

I suspect it is "the browser did not end up doing what I want"; but from an nginx perspective it would be easier if you could say "I want *this* response but I get *that* response". (What the browser does with the response is less interesting, from this viewpoint.)

When it comes to nginx directives, adding things in one part of the config can "hide" or "override" things written elsewhere, for one request.

"proxy_hide_header" means "if the proxy_pass response includes this header, do not send it to the client".

"add_header" means "for certain response codes, send this header name/value in the response".

However... https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options suggests that "ALLOW-FROM" is in the set "Don't use it". You can have DENY or SAMEORIGIN, or you can use Content-Security-Policy instead.

Whether your browser would do anything with an X-Frame-Options header, is entirely up to your browser. (If it would not do anything, then spending time configuring your nginx to send the header will not benefit the browser.)

If you can show a complete-minimal config that shows the problem that you see, it may become clearer what changes are needed on the nginx side.

Cheers,

Sure,

NextCloud Server = https://pad.unau.edu.ar/p/r.12c074621fc8c7a6ab900a0899872dbf
Wopi Server = https://pad.unau.edu.ar/p/r.9b59663162dd956d7fe6604ba9e0870c
Nginx SSL = https://pad.unau.edu.ar/p/r.861b2c17a9ad10e0c741a0588065e317

Daniel A. Rodriguez
_Informática, Conectividad y Sistemas_
Universidad Nacional del Alto Uruguay
San Vicente - Misiones - Argentina
informatica.unau.edu.ar
Re: X-Frame-Options in nginx to allow certain subdomain
On 2021-11-26 20:30, Francis Daly wrote:
On Fri, Nov 26, 2021 at 04:04:46PM -0300, Daniel Armando Rodriguez wrote:
On 2021-11-26 11:19, Francis Daly wrote:
> On Fri, Nov 26, 2021 at 08:43:58AM -0300, Daniel Armando Rodriguez wrote:

Hi there,

> > One of them is a NextCloud + WOPI based LibreOffice Online Solution,
> > as such
> > it needs to access resources in WOPI server subdomain. What I need
> > is my
> > nginx to allow X-Frame-Options for WOPI server subdomain.
>
> It sounds like you want a request from the client, to have a specific
> header with a specific value in the response when being proxy_pass'ed
> through nginx.

Well, it's not a browser request but OxOffice Online one. With X-Frame-Options set to SAMEORIGIN I can work, can edit documents, spreadsheets and so on. The issue raises when doing a presentation as a new browser window is displayed. And console says

chromewebdata/:1 Refused to display 'https://wopi.dominio.edu.ar/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

Ok, so a request to "wopi" currently includes 'X-Frame-Options sameorigin' in the response; and you don't want that.

Nextcloud is hosted on its own subdomain (cloud.dominio.edu.ar) and WOPI web services are consumed from wopi.dominio.edu.ar

> Can you show one request that you make, and the response that you get,
> and the response that you want to get instead?

If I disable X-Frame-Options set to SAMEORIGIN presentation appears as it should, but I don't like the idea to disallow X-Frame-Options just for one service.

I think that says that when you turn off X-Frame-Options for all servers, the response from wopi does not include the header, and things work for you.

Does "disable X-Frame-Options set to SAMEORIGIN" mean "have no X-Frame-Options at all"; or "have X-Frame-Options set to allow-from cloud"? (Or: something else?)

In this case, the former. Have no X-Frame-Options at all

But you don't want to turn off X-Frame-Options for all servers.

Are you happy to turn off X-Frame-Options for the wopi server?

(I'm trying to find out, what is the specific response you want nginx to provide.)

If there's no way to bypass SAMEORIGIN for this specific server, could sleep turning off X-Frame-Options for the wopi server

(I'm trying to find out, what is the specific response you want nginx to provide.)

> I suspect it is "the browser did not end up doing what I want"; but from
> an nginx perspective it would be easier if you could say "I want *this*
> response but I get *that* response". (What the browser does with the
> response is less interesting, from this viewpoint.)

> If you can show a complete-minimal config that shows the problem that
> you see, it may become clearer what changes are needed on the nginx
> side.

NextCloud Server = https://pad.unau.edu.ar/p/r.12c074621fc8c7a6ab900a0899872dbf
Wopi Server = https://pad.unau.edu.ar/p/r.9b59663162dd956d7fe6604ba9e0870c
Nginx SSL = https://pad.unau.edu.ar/p/r.861b2c17a9ad10e0c741a0588065e317

Based on the current words there, I think that any request to "wopi" will include the 5 response headers listed as "add_header" in the third link (including X-Frame-Options SAMEORIGIN); and any request to "cloud" will not include those 5 headers, but will include Front-End-Https and Strict-Transport-Security.

Is that what you currently see; and is that what you want to see? (That is: X-Frame-Options is already turned off for "cloud".)

(For example: "curl -I https://cloud.dominio.edu.ar/" will show the headers.)

These are the headers

HTTP/2 200
server: nginx
date: Sat, 27 Nov 2021 12:50:25 GMT
content-type: text/html
content-length: 612
last-modified: Tue, 04 Dec 2018 14:52:24 GMT
etag: "5c0694a8-264"
strict-transport-security: max-age=63072000
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-robots-tag: none
accept-ranges: byte

Based on that... I'm not sure what nginx behaviour you actually want.

What I need is wopi.domain xframe call allowed from cloud.domain

One possible suggestion is:

* remove the add_header X-Frame-Options line from ssl-params.conf
* wherever you currently have "include ssl-params.conf", add the line 'add_header X-Frame-Options SAMEORIGIN;'
* except in the "wopi" server, add the line 'add_header X-Frame-Options "allow-from whatever";'. Or maybe omit the line entirely.

Any way to do that the other way around?, I mean having SAMEORIGIN for all and just allow specific domain in one server config.

(I suspect that "whatever" will be "the cloud url"; but it is "whatever chromewebdata
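The layout asked for in this thread (SAMEORIGIN kept in the shared snippet, framing of "wopi" allowed from "cloud" only) can be written with Content-Security-Policy frame-ancestors, the replacement named on the MDN page linked above. This is an added example, not configuration from the thread: the snippet contents are reconstructed from the response headers shown above, WOPI-INTERNAL-IP is a placeholder, and the proxy_pass target and the use of `always` are assumptions.

```nginx
# --- /etc/nginx/snippets/ssl-params.conf (header lines only, unchanged) ---------
# Assumed content, reconstructed from the curl -I output quoted in the thread.
add_header Strict-Transport-Security "max-age=63072000";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag "none";

# --- wopi server block -----------------------------------------------------------
server {
    listen 443 ssl http2;
    server_name wopi.dominio.edu.ar;

    # Still included, so every other location in this server keeps SAMEORIGIN.
    include /etc/nginx/snippets/ssl-params.conf;

    # The two attempts from the thread, and why the header stayed in place:
    #
    #   proxy_hide_header X-Frame-Options;
    #       strips a header sent by the proxied server only; the SAMEORIGIN
    #       value here is added by nginx itself through ssl-params.conf.
    #
    #   add_header X-Frame-Options "allow-from https://cloud.dominio.edu.ar";
    #       placed next to the include, it is sent in addition to SAMEORIGIN,
    #       and current browsers do not implement allow-from.

    location / {
        # add_header lines are inherited from the enclosing level only when the
        # current level defines none of its own. Defining headers here therefore
        # drops the inherited X-Frame-Options for this location, and the other
        # four headers have to be repeated.
        add_header Strict-Transport-Security "max-age=63072000" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Robots-Tag "none" always;

        # Framing allowed from the site itself and from the Nextcloud host only.
        add_header Content-Security-Policy "frame-ancestors 'self' https://cloud.dominio.edu.ar" always;

        # In case the WOPI backend sends its own X-Frame-Options as well.
        proxy_hide_header X-Frame-Options;

        # If the backend already sends a Content-Security-Policy header, the
        # browser enforces both policies, so its frame-ancestors list must
        # allow the cloud host too.

        proxy_set_header Host $host;
        proxy_pass http://WOPI-INTERNAL-IP;   # placeholder
    }
}
```

Running "curl -I https://wopi.dominio.edu.ar/" afterwards should list content-security-policy and no x-frame-options line, while the other servers still return x-frame-options: SAMEORIGIN.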
Reverse proxy to traefik
Hi there

I need to forward HTTP/HTTPS stream to a traefik within docker container. Additionally, this traefik is also SSL termination. And just at this point where I am stuck, as the SSL management against Let's Encrypt needs both HTTP and HTTPS traffic.

I would appreciate any further guidance in this regard. By the way, it's not an election we made, just kind of a black box we need to deal with.

Made this representation to illustrate the situation.

https://i.postimg.cc/Zq1Ndyws/scheme.png

Thanks in advance.

Daniel A. Rodriguez
_Informática, Conectividad y Sistemas_
Universidad Nacional del Alto Uruguay
San Vicente - Misiones - Argentina
informatica.unau.edu.ar
Re: Reverse proxy to traefik
On 6/7/22 at 10:47, Francis Daly wrote:
On Tue, Jul 05, 2022 at 12:53:05PM +, Daniel Armando Rodriguez via nginx wrote:
On 2022-07-02 08:24, Francis Daly wrote:
On Fri, Jun 24, 2022 at 04:23:54PM -0300, Daniel Armando Rodriguez wrote:

Hi there,

Made this representation to illustrate the situation.

https://i.postimg.cc/Zq1Ndyws/scheme.png

What I need to do is allowing traefik "black" box to negotiate SSL certificate directly with Let's Encrypt, that was intended to be referred as stream.

I think you are saying that you want nginx to be a "plain" tcp-forwarder in this case. (I'm not certain *why* that matters here, but that's ok; I don't need to understand it ;-) .)

Does http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html work for you?

Something like

==
stream {
    server {
        listen nginx-ip:443;
        proxy_pass traefik-ip:443;
    }
}
==

(If you have a stream listener on an IP:port, you cannot also have a http listener on that same IP:port.)

Your picture also shows some blue lines on the left-hand side, so it may be that you also want something like http://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html, to choose which "upstream" to proxy_pass to, depending on the server name presented in the SSL connection to nginx.

Cheers,

f

Nginx is actually working as RP for several subdomains for which is also SSL termination. The traefik box is out of my scope, but it has the ability to negotiate TLS certificates for its own. That's why I need to forward just specific subdomain TCP traffic to it.

*Daniel A. Rodriguez*
/Informática, Conectividad y Sistemas/
Universidad Nacional del Alto Uruguay
San Vicente - Misiones - Argentina
informatica.unau.edu.ar <https://informatica.unau.edu.ar>
Wrong content served
Hi,

This behavior is driving me crazy. Currently have more than 30 sites behind this reverse proxy, but the latest is refusing to work.

Config is simple and pretty similar between them all.

server {
    listen 80;
    server_name material.av.domain;

    include /etc/nginx/snippets/location-letsencrypt.conf;

    # return 301 https://$server_name$request_uri;

}

If I point the browser to material.av.domain got redirected to another sub-domain, among the 30 mentioned before. However, everything else works just fine.

The configuration of the domain it redirects to is the same as the site I am trying to deploy. Even tried changing URL, but result is the same. DNS is resolving to correct IP. Got no error logged either.

Since I'm stuck, I welcome any ideas and/or suggestions.

--
Daniel A. Rodriguez
Informática, Conectividad y Sistemas
Universidad Nacional del Alto Uruguay
San Vicente - Misiones - Argentina
informatica.unau.edu.ar
Re: Wrong content served
Hi both Francis and Jake. Sorry for the late response

This is the content of such file

# cat /etc/nginx/snippets/location-letsencrypt.conf
location ^~ /.well-known/acme-challenge/ {
    alias /var/www/le_root/.well-known/acme-challenge/;
}

and the directory exists

# ls -alh /var/www/le_root/.well-known/acme-challenge/
total 28K
drwxr-xr-x 2 root root 4,0K ene 2 00:14 .
drwxr-xr-x 3 root root 4,0K sep 1 2021 ..
-rw-r--r-- 1 root root 87 sep 2 2021 9nxS2wAszlGI
-rw-r--r-- 1 root root 87 sep 9 2021 AEzjuq9P8yXQ
-rw-r--r-- 1 root root 87 sep 9 2021 TPlVMnrhufmE
-rw-r--r-- 1 root root 87 oct 14 2021 YbHZSf8CqW40
-rw-r--r-- 1 root root 87 sep 9 2021 ZHFolsWkDv90

and what curl returns

# curl -i http://material.av.unau.edu.ar/
HTTP/1.1 200 OK
Date: Tue, 02 Jan 2024 20:44:45 GMT
Server: Apache/2.4.58
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=cfj2h18l4u9j99o6pa4k77eaff; path=/
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

Oficina virtual - UNAU

Such content is from another host: oficinavirtual.unau.edu.ar. Which is working as expected in its own domain.

I use acme.sh script to deploy SSL certificates.

On 26/12/23 at 21:15, Jeff Dyke wrote:

In addition to Francis' always helpful ask. You have a domain problem with material.av.domain <http://material.av.domain/> and it may be from /etc/hosts all the way to public DNS. Or, incorrectly supplied *location-letsencrypt.conf.* If you provide that file contents, you'll likely see your own error as you send it (I've done it dozens of times, it's not an insult)

On Tue, Dec 26, 2023 at 6:59 PM Francis Daly wrote:

On Tue, Dec 26, 2023 at 07:57:41PM -0300, Daniel A. Rodriguez wrote:

Hi there,

> This behavior is driving me crazy. Currently have more than 30 sites behind
> this reverse proxy, but the latest is refusing to work.

Can you provide more details?

> Config is simple and pretty similar between them all.

"include" means "anything in that file is effectively in this config". Nobody but you knows what is in that file.

> server {
> listen 80;
> server_name material.av.domain;
>
> include /etc/nginx/snippets/location-letsencrypt.conf;
>
> # return 301 https://$server_name$request_uri;
>
> }

Your test request is:

$ curl -i http://material.av.domain/

What response do you get? What response do you want to get instead?

The "return" is commented out, so unless there is something surprising in the location-letsencrypt.conf file, I would expect a http 200 response with the content of "the default" index.html file.

> If I point the browser to material.av.domain got redirected to another
> sub-domain, among the 30 mentioned before. However, everything else works
> just fine.

Can you show the response to the "curl" request, to see whether "redirect" is a http 301 from the web server, or is something like a http 200 from the web server with maybe some javascript content that redirects to "the wrong" place?

Cheers,

f
--
Francis Daly fran...@daoine.org

--
Daniel A. Rodriguez
Informática, Conectividad y Sistemas
Universidad Nacional del Alto Uruguay
San Vicente - Misiones - Argentina
informatica.unau.edu.ar
SSL passthrough
Hi there

I have a RP in front of several services and now need to add SSL passthrough for some of them. So, with this goal set up this config

stream {
    map $ssl_preread_server_name $name {
        sub1.DOMAIN sub1;
        sub2.DOMAIN sub2;
        sub3.DOMAIN sub3;
        sub4.DOMAIN sub4;
    }

    upstream sub1 {
        server x.y.z.1:443;
    }

    upstream sub2 {
        server x.y.z.1:443;
    }

    upstream sub3 {
        server x.y.z.1:443;
    }

    upstream sub4 {
        server x.y.z.1:443;
    }

    server {
        listen 443;
        proxy_pass $name;
        ssl_preread on;
    }
}

And yes, four subdomains are hosted in the same VM. This has to do with the peculiarities of the software used.

In order to catch HTTP traffic, and redirect, add this to each subdomain server.

server {
    listen 80;
    return 301 https://$host$request_uri;
}

Is this the right way to go or am I missing something?

Also tried to upgrade nginx using Debian repo but wasn't possible. Currently installed 1.14.2 under Debian Buster

Daniel A. Rodriguez
_Informática, Conectividad y Sistemas_
Universidad Nacional del Alto Uruguay
San Vicente - Misiones - Argentina
informatica.unau.edu.ar
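One way to combine the SNI passthrough above with a proxy that keeps terminating TLS for its other sites, which also covers the point from the "Reverse proxy to traefik" thread that a stream listener and an http listener cannot share one IP:port. This is an added example, not configuration posted by anyone on the list: sub1-4.DOMAIN and x.y.z.1 are the placeholders from the post, while 127.0.0.1:8443, the upstream names, the 1.DOMAIN.edu.ar server and the backend answering on port 80 are assumptions.

```nginx
stream {
    # ssl_preread reads the server name from the TLS ClientHello without
    # decrypting anything; the map picks the upstream from that name.
    map $ssl_preread_server_name $backend {
        sub1.DOMAIN  passthrough_vm;
        sub2.DOMAIN  passthrough_vm;
        sub3.DOMAIN  passthrough_vm;
        sub4.DOMAIN  passthrough_vm;
        # Every other name, and clients that send no SNI at all, go to the
        # TLS-terminating http servers below. Without a default the variable
        # is empty for those connections and proxy_pass has no target.
        default      local_tls;
    }

    # One upstream is enough when all four names live on the same VM.
    upstream passthrough_vm { server x.y.z.1:443; }
    upstream local_tls      { server 127.0.0.1:8443; }   # assumed loopback port

    server {
        listen 443;          # the only listener on public port 443
        ssl_preread on;
        proxy_pass $backend;
        # Caveat: the http servers now see 127.0.0.1 as $remote_addr.
        # "proxy_protocol on;" here plus "listen ... proxy_protocol" below
        # restores the client address, but it is then also sent to
        # passthrough_vm, which must be set up to accept PROXY protocol.
    }
}

http {
    # Sites that nginx terminates itself move from public 443 to the loopback
    # port the stream block forwards to.
    server {
        listen 127.0.0.1:8443 ssl http2;
        server_name 1.DOMAIN.edu.ar;                      # assumed example site
        ssl_certificate     /etc/letsencrypt/live/1.DOMAIN.edu.ar/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/1.DOMAIN.edu.ar/privkey.pem;

        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_pass http://INTERNAL-IP/;
        }
    }

    # Plain HTTP has no SNI, so port 80 is routed by Host header in the http
    # block. For the passed-through names the request is forwarded unchanged,
    # so the backend can answer ACME HTTP-01 challenges and issue its own
    # redirect to https (assumes the backend listens on port 80).
    server {
        listen 80;
        server_name sub1.DOMAIN sub2.DOMAIN sub3.DOMAIN sub4.DOMAIN;

        location / {
            proxy_set_header Host $host;
            proxy_pass http://x.y.z.1:80;
        }
    }

    # Port 80 for the sites terminated by nginx itself.
    server {
        listen 80;
        server_name 1.DOMAIN.edu.ar;
        include /etc/nginx/snippets/location-letsencrypt.conf;
        location / { return 301 https://$host$request_uri; }
    }
}
```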
Re: Reverse proxy to traefik
On 2022-07-02 08:24, Francis Daly wrote:
On Fri, Jun 24, 2022 at 04:23:54PM -0300, Daniel Armando Rodriguez wrote:

Hi there,

I need to forward HTTP/HTTPS stream to a traefik within docker container. Additionally, this traefik is also SSL termination. And just at this point where I am stuck, as the SSL management against Let's Encrypt needs both HTTP and HTTPS traffic.

I'm not quite sure what you are trying to do, in nginx terms.

nginx has the idea of "http", where an incoming http or https request to nginx is handled by nginx making a new http or https request to the upstream service; and nginx has the idea of "stream", where any traffic on an incoming tcp connection is forwarded to an upstream service. That "stream" traffic can optionally be SSL-decrypted or encrypted by nginx before forwarding.

Made this representation to illustrate the situation.

https://i.postimg.cc/Zq1Ndyws/scheme.png

If you can describe what you want, in terms of "something external will make a http request of nginx that should be handled in this way; it will make a https request of nginx that should be handled in that way; and it will send a generic tcp stream to this port on nginx that should be handled in this other way", then the nginx config to handle that, might be clearer.

Cheers,

Hi, thanks for your time

What I need to do is allowing traefik "black" box to negotiate SSL certificate directly with Let's Encrypt, that was intended to be referred as stream.

Daniel A. Rodriguez
_Informática, Conectividad y Sistemas_
Universidad Nacional del Alto Uruguay
San Vicente - Misiones - Argentina
informatica.unau.edu.ar
Multiple wildcard server_name
While I'm sure this is documented somewhere - I haven't found exactly what I'm looking for. Or I'm just not understanding what I've read.

My understanding is simply prefixing a server name with ".", such as ".example.com", is a special wildcard that basically becomes "example.com *.example.com". My current nginx version is 1.20.2.

I have a number of domains that I want to re-direct to a master name. And I want http re-directed to https. So I have:

server {
    listen 80 default_server;

    server_name .maindomain.com .example1.com .example2.com .example3.com;

    location / {
        return 301 https://maindomain.com$request_uri;
    }
}

server {
    listen 443 ssl http2 default_server;

    server_name_in_redirect on;
    server_name maindomain.com www.maindomain.com *.maindomain.com;
}

Based on the docs, I recently changed my second server block from just ".maindomain.com" to the explicit matching for faster default processing.

This works for "https://maindomain.com" and "http://maindomain.com". Also for both protocols for "www.maindomain.com". And - it works for "www.example1.com" as well as the other alternate domains with a "www" prefix. But it does not work for just "example1.com" or the other domains. It doesn't appear to be DNS - both the base domain and the "www" A records point to the same IP.

What I'm receiving is a 404 Not Found for either "http://example1.com" (which does not re-direct to https) or "https://example1.com". And I don't understand why.

--
Daniel
Please take me off the mailing list
Please take me off the mailing list
Please take me off the mailing list