Do you have the certificate that has that value as the Subject? What
is that certificate's Issuer? And repeat until you get to the root
certificate.
And which of the ssl*certificate files named in your config holds those
certificates?
i verified all my certs/chains. all good.
with my orig con
What does the error_log say about this request and response?
nothing that's giving me a hint i recognize,
...
2023/03/21 18:52:14 [debug] 4955#4955: *7 http2 header: "cache-control:
no-cache"
2023/03/21 18:52:14 [debug] 4955#4955: *7 http2 encoded string, len:2
i run
nginx -v
nginx version: nginx/1.23.3 (COPR Build)
the server's setup to use LE certs
server {
...
ssl_trusted_certificate
"/www/sec/le/deploy/otherexample.com/intermediate_ca.ec.crt.pem";
ssl_certificate
"/www/sec/le/deploy/o
hi,
The error message suggests there is something wrong with DNS on your host.
If this happens only on boot but not when you restart/reload nginx
after boot,
ah. testing, yep, that does seem to be the case
this might indicate that DNS is not yet properly
available when nginx starts. One p
i run
nginx -v
nginx version: nginx/1.23.3 (Local Build)
nginx is launched on boot with a systemd service
my site's ssl enabled, using letsencrypt certs
in my boot logs, i see
Feb 15 11:54:03 svr017 nginx[912]: nginx: [warn] "ssl_stapling" ignored, host not fou
This 2012 post
Priming the OCSP cache in Nginx
https://unmitigatedrisk.com/?p=241
comments
"...
in Nginx 1.3.7, unfortunately architectural restrictions made it
impractical to make it so that pre-fetching the OCSP response on server
start-up so instead the fir
an old, 2015 post from Caddy Webserver's author,
OCSP Stapling Robustness in Apache and nginx
https://gist.github.com/mholt/3b4910c802b2ed7e92294e26a1ae8551
comments,
"...
nginx's logic is a lot more robust than Apache's in this regard. Good
OCSP responses are
i run nginx/1.23.2 on linux
after a clear reboot, on first access to my site front page, I see in log
==> /var/log/nginx/example.com.443.error.log <==
2022/11/09 12:38:15 [info] 1460#1460: *2 SSL_do_handshake() failed
(SSL: error:0A000412:SSL routines::sslv3 alert bad certificat
My primary driving reason for considering the deployment of Nginx from source
is to use ModSecurity WAF with Nginx. I'm under the impression that it's much
easier to use ModSecurity with Nginx when compiled from source.
If ModSecurity is the issue ...
There are old instructions easily found O
I don't know the process to install patches.
That's a big ol' red flag. Personally, I'd strongly recommend against
building/installing into a *production* env, until you're up to snuff with
managing the sources, including patches.
That said, are you solving for a real/existing production pro
I should have mentioned that I'm running in an Ubuntu environment so I'm not
sure if that makes much difference?
Ubuntu/Debian have all the tools for source builds.
They also have the apt packaging solution.
I assume there are available build services.
I'm not an Ubuntu/Debian user. Simply a m
Nginx is an easy build from source, thankfully.
Deploying tarball'd local source-builds to other machines is not terrible at all
if you isolate your install DIR (e.g., 'everything' under /opt/nginx); ansible
is your friend.
But, it's a bit of a slog to deploy into usual distro env, avoid collisi
Name-based (including SNI-based) virtual servers are not supported
in the mail proxy module. As such, the remaining options are:
- Use multiple names in a certificate
- Use IP-based (or port-based) virtual servers
You can combine both options as appropriate.
add'l useful option for mail proxy
Want to use lua pages with nginx.
Can you please suggest what are the correct modules?
Also, where can I find the same?
LUA support with nginx is third-party -- via OpenResty
https://www.nginx.com/resources/wiki/modules/lua/
https://openresty.org/en/
OpenResty is packaged as a standalo
i'm running nginx/1.23.1
i use 'geo'-based (ngx_http_geo_module) permissions to restrict access to some
sites
e.g., for explicit static IPs
geo $RESTRICT_ACCESS {
default 0;
127.0.0.1/32 1;
2601:...:abcd 1;
}
On 12/5/20 2:35 PM, itpp2012 wrote:
Known perl issue, google: "segfault at 10 error 4 in libperl.so"
aha. +1. thanks!
noting,
https://serverfault.com/questions/1041031/nginx-sometimes-gets-killed-after-reloading-it-using-systemd
...
If you haven't got
I'm running nginx/1.19.5 on a Fedora32 VM, w/
uname -rm
5.9.11-100.fc32.x86_64 x86_64
It's run for ages without issues. At least that I'd noticed ...
Today, I caught a SEGV/core-dump; the server stopped
systemctl status nginx
● nginx.service - The nginx HTTP and reverse proxy
On 6/2/20 12:34 PM, Maxim Dounin wrote:
> The mis-match comes from trying to redefine the name in some parts
> of the configuration but not others. Hope the above explanation
> helps.
I've reread your comment
That is, the name you've written in the proxy_pass directive is
the ac
On 6/2/20 8:27 AM, Francis Daly wrote:
> That suggests that if you choose to use "proxy_ssl_server_name on;",
> then you almost certainly do not want to add your own "proxy_set_header
> Host" value.
>
> The nginx code probably should not try to check for (and reject) that
> combination of directiv
with patch applied, and 'proxy_ssl_server_name on;'
this is where the problem appears
2020/06/02 00:50:08 [debug] 20166#20166: *3 verify:1, error:0, depth:2,
subject:"/O=example.com/OU=example.com_CA/L=New_York/ST=NY/C=US/emailAddress=ad...@example.com/CN=example.com_CA",
issuer:"/O=ex
On 6/1/20 8:42 AM, Maxim Dounin wrote:
>
> proxy_ssl_server_name on;
>
> to see if it helps. See http://nginx.org/r/proxy_ssl_server_name
> for details.
enabling it _has_ an effect.
now,
access to
https://example.com/app1
responds,
- 502 Bad Gateway
+ 421 Mis
I'm running
nginx -V
nginx version: nginx/1.19.0 (pgnd Build)
built with OpenSSL 1.1.1g 21 Apr 2020
TLS SNI support enabled
...
It serves as front-end SSL termination, site host, and reverse-proxy to backend
apps.
I'm try
> Second, it's all in the location documentation:
I'm not asking about the order.
I'm asking about a specific match(es) that'd work in this specific case.
If it's trivial, care to share a working example?
___
nginx mailing list
nginx@nginx.org
http://m
editing a general location match to exclude one, specific instance?
I run nginx 1.18.0.
I've had a trivial 'protection' rule in place for a long time
location ~*
(gulpfile\.js|settings.php|readme|schema|htpasswd|password|config) {
deny all;
}
That hasn't caused
You may want to re-read my initial answer and the ticket it links to.
If that were _clear_, neither I nor others would STILL be spending
time/effort trying to understand & clarify this.
Nevermind.
On 7/19/19 11:02 AM, Maxim Dounin wrote:
> Hello!
>
> On Fri, Jul 19, 2019 at 10:52:55AM -0700, PGNet Dev wrote:
>
>>>> And, if I change nginx to be 'TLSv1.3-only',
>>>>
>>>> - ssl_protocols TLSv1.3 TLSv1.2;
>>>> -
>> And, if I change nginx to be 'TLSv1.3-only',
>>
>> -ssl_protocols TLSv1.3 TLSv1.2;
>> -ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384
>> TLS13-AES-128-GCM-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305";
>> +ssl_protocols TLSv1.3;
>> +ssl_ciphers "TLS13-CHACHA20-POLY
I run nginx
nginx -v
nginx version: nginx/1.17.1
on linux/64.
I've installed
which openssl
/usr/local/openssl/bin/openssl
openssl version
OpenSSL 1.1.1c 28 May 2019
nginx is built with/linked to this version
ldd
I run nginx/1.17.1 + PHP 7.4.0-dev on linux/64. It's an in-production
setup, with lots of directly hosted, as well as proxied, SSL-secured
webapps.
I've now installed Nextcloud v16.0.3. For the moment, directly hosted
on Nginx, not-yet proxied.
It installs to DB with no errors. &, The sit
I've set up my nginx server with self-signed SSL server-side certs, using my
own/local CA.
Without client-side verifications, i.e. just an unverified-TLS connection,
all's good.
If I enable client-side SSL cert verification with,
ssl_certificate "ssl/example.com.server.crt.pem
> (And no, it does not look like an appropriate question for the
> nginx-devel@ list. Consider using nginx@ instead.)
k.
On 7/2/19 5:23 PM, Maxim Dounin wrote:
On Sat, Jun 29, 2019 at 09:48:01AM -0700, PGNet Dev wrote:
When generating hashed data for "HTTP Basic" login
On 5/5/19 2:41 AM, A. Schulze wrote:
Am 05.05.19 um 07:14 schrieb PGNet Dev:
Dropping back to 1.15 branch, all's working again -- with the var.
For example, the diff between 1.15.12 and 1.16.0 is *only* the changed version
number.
So, be precise about which 1.15 version is working fo
On 5/4/19 8:11 AM, PGNet Dev wrote:
but turning on debug,
2019/05/04 07:51:50 [debug] 6510#6510: *8 http script var: "/index.php"
2019/05/04 07:51:50 [debug] 6510#6510: *8 fastcgi param: "SCRIPT_FILENAME:
/usr/local/html/index.php"
the SCRIPT_FILENAME path
after upgrading my working nginx instance from v1.15.x to
nginx -V
nginx version: nginx/1.16.0 (local build)
built with OpenSSL 1.1.1b 26 Feb 2019
...
running with php-fpm from
php -v
PHP 7.3.6-dev (cli) (built: Apr
Hi
On 6/12/18 12:03 AM, Andrei wrote:
- The sheer amount of added context switches (proxying was done local on
a cPanel box, seeing 20-30k reqs/sec during peak hours)
Not clear what you mean here
- Having to manage two software versions, configs, auto config builders
used by internal tools,
On 6/7/18 9:27 AM, Reinis Rozitis wrote:
this patch
https://github.com/FRiCKLE/ngx_cache_purge/commit/c7345057ad5429617fc0823e92e3fa8043840cef.diff
Noted, thx.
In my case at one project we decided/had to switch to nginx caching from
varnish because varnish (even you are using disk based (mma
On 6/6/18 11:31 PM, Jon Franklin wrote:
You can try this:
https://github.com/nginx-modules/ngx_cache_purge
Thx! I'd aptly managed to not find/notice that fork.
Does address the 'stale' development status. Still, leaves some of the
concerns about nginx ABI, etc. mentioned earlier.
I'll set
On 6/6/18 4:09 PM, Robert Paprocki wrote:
Nginx has no stable API/ABI. With every release you want to leverage you need to walk
through your entire test/canary/B-G/whatever cycle. That's a question
only you can answer, but asking about "what about X release" is
fruitless because of a complete l
Hi
My $0.02 coming from experience building out scalable WP clusters is,
stick to Varnish here.
Miscommunication on my part -- my aforementioned Varnish-in-front
referred to site dev in general.
To date, it's been in front of Symfony sites. Works like a champ there.
Since you're apparentl
For some new WordPress sites, I'll be deploying fastcgi_cache as reverse proxy
/ page cache, instead of usual Varnish.
Although there are a number of WP-module-based PURGE options, I prefer that
it's handled by the web server.
A commonly referenced approach is to use the 'FRiCKLE/ngx_cache_purg