From nginx-forum at nginx.us Sat Nov 1 03:37:19 2014
From: nginx-forum at nginx.us (DamienR)
Date: Fri, 31 Oct 2014 23:37:19 -0400
Subject: Hotlinking protection and try_files problem
Message-ID:

Hi,

I'm having some trouble getting hotlinking protection working with nginx and xenforo forum software. Currently I have;

server {
    listen 80;
    ...

    location / {
        try_files $uri $uri/ /index.php?$uri&$args;
    }

    location ~ \.php$ {
        ....
    }

    location ~* ([0-9a-zA-Z])+-(png|jpg|jpeg|gif)[.]([0-9]+)/$ {
        valid_referers server_names blocked *.mydomain.com;
        if ($invalid_referer) {
            rewrite ^(.*)$ url/to/leech.gif break;
        }
    }
}

This will 404 image attachments, as the developers put it;

"Nginx only matches one location block per request "attempt" (try_files retries the attempt with the new URL). So basically, the try_files block isn't being hit after your referrer block... block. I don't know what the best practice is here unfortunately".

domain.com/attachments/someimage-jpg.3/ 404's with the error;

.../attachments/someimage-jpg.3/index.html" is not found (2: No such file or directory), client: xxx.xxx.x.xx, server: domain.com, request: "GET /attachments/someimage-jpg.3/ HTTP/1.1", host: "domain.com", referrer: "http://domain.com/threads/thread.1/"

It's adding /index.html in the backend processing. Any ideas how I can get this to work?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254500,254500#msg-254500

From nginx-forum at nginx.us Sat Nov 1 14:06:53 2014
From: nginx-forum at nginx.us (cubicdaiya)
Date: Sat, 01 Nov 2014 10:06:53 -0400
Subject: Proxied request header names in SPDY are always lowercase
Message-ID: <05717d6003058c83c111913e09b7adf1.NginxMailingListEnglish@forum.nginx.org>

Hello!

I have a question about the behavior of proxying SPDY to HTTP with nginx.

First, there is a configuration like the following.

upstream app {
    server 127.0.0.1:80;
    keepalive 32;
}

server {
    listen 443 ssl spdy;
    server_name example.com;

    proxy_set_header Connection "";
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    location / {
        proxy_pass http://app;
    }
}

Next, send a request to example.com with spdycat.

# spdycat is a command like curl for SPDY.
# https://github.com/tatsuhiro-t/spdylay
spdycat \
    --spdy3-1 \
    -H "User-Agent: spdycat" \
    -H "X-VERSION: 1.3.1" \
    "https://example.com/"

In this case, a proxied request to app is the following according to `# ngrep -W byline port 80 -d lo`

GET / HTTP/1.1
Host: example.com
X-Real-IP: xxx.xxx.xxx.xxx
X-Forwarded-Host: example.com
X-Forwarded-For: xxx.xxx.xxx.xxx
X-Forwarded-Proto: https
accept: */*
accept-encoding: gzip, deflate
user-agent: spdycat
x-version: 1.3.1

Even if request-header names are uppercase, proxied them become lowercase.

According to SPDY Protocol - Draft 3.1(http://www.chromium.org/spdy/spdy-protocol/spdy-protocol-draft3-1),

* All header names must be lowercase.

Is this specific to a proxied request-header names to HTTP?
Or is there a solution except for the following workaround?

proxy_set_header User-Agent $http_user_agent;
proxy_set_header X-Version $http_x_version;

Thanks in advance!

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254506,254506#msg-254506

From vbart at nginx.com Sat Nov 1 14:23:56 2014
From: vbart at nginx.com (Valentin V. Bartenev)
Date: Sat, 01 Nov 2014 17:23:56 +0300
Subject: Proxied request header names in SPDY are always lowercase
In-Reply-To: <05717d6003058c83c111913e09b7adf1.NginxMailingListEnglish@forum.nginx.org>
References: <05717d6003058c83c111913e09b7adf1.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <1556649.4WU24zdAyz@vbart-laptop>

On Saturday 01 November 2014 10:06:53 cubicdaiya wrote:
> Hello!
>
> I have a question about the behavior of proxying SPDY to HTTP with nginx.
>
> [..]
> # spdycat is a command like curl for SPDY.
> # https://github.com/tatsuhiro-t/spdylay
> spdycat \
>     --spdy3-1 \
>     -H "User-Agent: spdycat" \
>     -H "X-VERSION: 1.3.1" \
>     "https://example.com/"
>
> In this case, a proxied request to app is the following according to `#
> ngrep -W byline port 80 -d lo`
>
> GET / HTTP/1.1
> Host: example.com
> X-Real-IP: xxx.xxx.xxx.xxx
> X-Forwarded-Host: example.com
> X-Forwarded-For: xxx.xxx.xxx.xxx
> X-Forwarded-Proto: https
> accept: */*
> accept-encoding: gzip, deflate
> user-agent: spdycat
> x-version: 1.3.1
>
>
> Even if request-header names are uppercase, proxied them become lowercase.
>
> According to SPDY Protocol - Draft
> 3.1(http://www.chromium.org/spdy/spdy-protocol/spdy-protocol-draft3-1),
>
> * All header names must be lowercase.
>
> Is this specific to a proxied request-header names to HTTP?

This is specific to SPDY protocol.

And "spdycat" converts all headers to lowercase before sending them over SPDY.
Nginx just passes them as is, since case in HTTP doesn't matter.

> Or is there a solution except for the following workaround?
>
> proxy_set_header User-Agent $http_user_agent;
> proxy_set_header X-Version $http_x_version;
>
> Thanks in advance!
>

There cannot be any other solution than explicitly specifying what letters in headers you want to be in uppercase, since this information is lost in the client.

But the question is why do you care? It seems if you care about it, you're definitely doing something wrong.

wbr, Valentin V. Bartenev

From nginx-forum at nginx.us Sat Nov 1 15:27:15 2014
From: nginx-forum at nginx.us (cubicdaiya)
Date: Sat, 01 Nov 2014 11:27:15 -0400
Subject: Proxied request header names in SPDY are always lowercase
In-Reply-To: <1556649.4WU24zdAyz@vbart-laptop>
References: <1556649.4WU24zdAyz@vbart-laptop>
Message-ID: <17e752a1bb01e99877d61e3f2005dbe9.NginxMailingListEnglish@forum.nginx.org>

Hello!

> "spdycat" converts all headers to lowercase before sending them over SPDY.

Oh, I had not noticed it. Thanks (I assumed that nginx converts)

> But the question is why do you care? It seems if you care
> about it, you're definitely doing something wrong.

Maybe so. Sorry for confusion.

Thanks.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254506,254509#msg-254509

From nginx-forum at nginx.us Sat Nov 1 16:47:32 2014
From: nginx-forum at nginx.us (richardm)
Date: Sat, 01 Nov 2014 12:47:32 -0400
Subject: CentOS 6.6, SELinux breaks Nginx 1.6.0
In-Reply-To:
References: <54528273.5050807@xtremenitro.org> <7281073aa45ca8772087c6e14fafa165.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

I've verified that the update to Centos 6.6 does indeed relabel nginx related directories/files during yum update. And a restart of the nginx process will now have the label "httpd_t". Someone in RH decided to make the nginx webserver follow the same SELinux policy rules as Apache.

OK, that works fine so long as all the needed directories/files are in the expected places. It also opens up some standard approaches for common options.

For example, I place my web site files under /home/webs/. I can make that work by setting a boolean (the -P makes this persist across reboots)

# setsebool -P httpd_enable_homedirs on

I also wanted to use a non-standard port 8088 for PHPMyAdmin. I achieve that with

# semanage port -a -t http_port_t -p tcp 8088

Other things: I want to place my log files in a new location, not /var/log/nginx. I can use the semanage and restorecon lines shown above by bdwyertech, and that works fine for nginx. But logrotate and logwatch fail. So now I need to create new policies for them using the same audit2allow approach that you already mentioned but with different policy names.

I use a unix socket to connect with php-fpm. That has to be in a standard directory too. For now I put it in /var/run/.

Finally, PHPMyAdmin uses PHP sessions and my session directory is in a non-standard location. Again I had to use semanage and restorecon to make the session directory usable.

Whew! It all works now. In future, perhaps I should let all directories/files stay in their default locations.

Richard

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254456,254511#msg-254511

From nginx-forum at nginx.us Sat Nov 1 16:57:33 2014
From: nginx-forum at nginx.us (richardm)
Date: Sat, 01 Nov 2014 12:57:33 -0400
Subject: CentOS 6.6, SELinux breaks Nginx 1.6.0
In-Reply-To:
References: <54528273.5050807@xtremenitro.org> <7281073aa45ca8772087c6e14fafa165.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <291dc7a2e7891dc3f2abc5c25faec062.NginxMailingListEnglish@forum.nginx.org>

>For now, to work around the issue, CentOS forum user sercan has provided the following commands to create
>a new SELinux policy for Nginx. I've tested it on two of my servers and it works.
> . . .

And there's one more quick workaround to get running very quickly. Not entirely recommended since this turns off SELinux for nginx (while leaving it on for everything else).

# semanage permissive -a httpd_t

With this setting I expect the audit.log file will fill quickly with many warning messages. Another reason why it is not a great idea except for emergencies. But it worked for me as a quick test. (Don't forget to set it back to enforcing later).

Richard

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254456,254512#msg-254512

From nginx-forum at nginx.us Sun Nov 2 13:16:05 2014
From: nginx-forum at nginx.us (tunist)
Date: Sun, 02 Nov 2014 08:16:05 -0500
Subject: SPDY inflate errors in nginx 1.7.4
Message-ID:

i am seeing many error log messages relating to SPDY on an HTTPS only website here. this appears to also be triggering (or at least related to) database timing problems, which is causing dbase failures.

the error log contains mostly these:
"inflate() failed: -5 while processing SPDY"

anyone know what's occurring here?
i think i already asked a similar question on a forum and someone pointed to the possibility of there being attempted exploits made against SSL3 / openSSL - though i have no direct evidence of that.

thanks

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254523,254523#msg-254523

From nginx-forum at nginx.us Sun Nov 2 13:22:57 2014
From: nginx-forum at nginx.us (itpp2012)
Date: Sun, 02 Nov 2014 08:22:57 -0500
Subject: SPDY inflate errors in nginx 1.7.4
In-Reply-To:
References:
Message-ID: <6ffb5a5c49e69283d449e9985522b7cb.NginxMailingListEnglish@forum.nginx.org>

Maybe this one: http://forum.nginx.org/read.php?29,250118

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254523,254524#msg-254524

From nginx-forum at nginx.us Sun Nov 2 14:03:47 2014
From: nginx-forum at nginx.us (tunist)
Date: Sun, 02 Nov 2014 09:03:47 -0500
Subject: SPDY inflate errors in nginx 1.7.4
In-Reply-To: <6ffb5a5c49e69283d449e9985522b7cb.NginxMailingListEnglish@forum.nginx.org>
References: <6ffb5a5c49e69283d449e9985522b7cb.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

thanks, looks like the same error message is buried in that change / code, yes - though i am no closer to discerning the original cause of the error being triggered, since i am not familiar with the nginx source code at this point.
any tips are welcomed!

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254523,254525#msg-254525

From nginx-forum at nginx.us Sun Nov 2 14:40:36 2014
From: nginx-forum at nginx.us (itpp2012)
Date: Sun, 02 Nov 2014 09:40:36 -0500
Subject: SPDY inflate errors in nginx 1.7.4
In-Reply-To:
References: <6ffb5a5c49e69283d449e9985522b7cb.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

Then upgrade to 1.7.7

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254523,254526#msg-254526

From nginx-forum at nginx.us Sun Nov 2 16:40:04 2014
From: nginx-forum at nginx.us (tunist)
Date: Sun, 02 Nov 2014 11:40:04 -0500
Subject: SPDY inflate errors in nginx 1.7.4
In-Reply-To:
References: <6ffb5a5c49e69283d449e9985522b7cb.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <1fcdde1f59ab81e5214768db2408cb70.NginxMailingListEnglish@forum.nginx.org>

ok, i have upgraded.. will see how that goes.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254523,254527#msg-254527

From nginx-forum at nginx.us Sun Nov 2 18:36:27 2014
From: nginx-forum at nginx.us (mevans336)
Date: Sun, 02 Nov 2014 13:36:27 -0500
Subject: CentOS 6.6, SELinux breaks Nginx 1.6.0
In-Reply-To:
References: <54528273.5050807@xtremenitro.org> <7281073aa45ca8772087c6e14fafa165.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

richardm Wrote:
-------------------------------------------------------
> [...]Someone in RH decided
> to make the nginx webserver follow the same SELinux policy rules as
> Apache.

Thanks for following up on this Richard. Undisclosed changes like this drive me crazy ... why make changes like this and then not disclose them in the release notes?

*shakes fist at Red Hat* :)

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254456,254528#msg-254528

From vbart at nginx.com Sun Nov 2 23:20:18 2014
From: vbart at nginx.com (Valentin V. Bartenev)
Date: Mon, 03 Nov 2014 02:20:18 +0300
Subject: SPDY inflate errors in nginx 1.7.4
In-Reply-To:
References: <6ffb5a5c49e69283d449e9985522b7cb.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <2881109.AUh5tBCom1@vbart-laptop>

On Sunday 02 November 2014 09:03:47 tunist wrote:
> thanks, looks like the same error message is buried in that change / code,
> yes - though i am no closer to discerning the original cause of the error
> being triggered, since i am not familiar with the nginx source code at this
> point.
> any tips are welcomed!
>

There's no way to find out what caused the error only by looking to standard error message. You should provide the debug log at least.

See: http://nginx.org/en/docs/debugging_log.html

wbr, Valentin V. Bartenev

From nginx-forum at nginx.us Mon Nov 3 06:40:33 2014
From: nginx-forum at nginx.us (Replace)
Date: Mon, 03 Nov 2014 01:40:33 -0500
Subject: nginx configuration - sharetronix
Message-ID:

i try to setup sharetronix on my vps server, with nginx + php5-fpm. The problem is (maybe) my nginx configuration, when i try to view website, i get error 404 - No input file specified.

My configuration (at last)

server {
    root /var/www/sharetronix.example;
    server_name sharetronix.example www.sharetronix.example;

    location / {
        if (!-e $request_filename) {
            rewrite ^(.*)$ /index.php?$request_uri break;
        }
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS off;
    }

    error_log /var/log/nginx/sharetronix.example.error.log;
    access_log /var/log/nginx/sharetronix.example.access.log;
}

but error log show this

2014/11/02 06:40:59 [error] 18235#0: *3 FastCGI sent in stderr: "PHP message: PHP Warning: Unknown: failed to open stream: Success in Unknown on line 0 Unable to open primary script: /var/www/sharetronix.example/ (Success)" while reading response header from upstream, client: 85.130.69.179, server: share.z-latko.info, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "sharetronix.example"

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254533,254533#msg-254533

From nginx-forum at nginx.us Mon Nov 3 07:32:08 2014
From: nginx-forum at nginx.us (jazzhuang)
Date: Mon, 03 Nov 2014 02:32:08 -0500
Subject: using variables in nginx.conf with 'set'
In-Reply-To:
References:
Message-ID: <2c8724c185db992937729fec773c5893.NginxMailingListEnglish@forum.nginx.org>

Maybe this will help you - http://serverfault.com/questions/508794/custom-nginx-configuration-variables-not-being-expanded

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,143479,254534#msg-254534

From nginx-forum at nginx.us Mon Nov 3 08:12:15 2014
From: nginx-forum at nginx.us (newnovice)
Date: Mon, 03 Nov 2014 03:12:15 -0500
Subject: connection close on 500, 503, 502.
Message-ID: <671b20d470c80d1653c9be7063d58045.NginxMailingListEnglish@forum.nginx.org>

Hi There,

I want to send a connection_close to the client whenever the HTTP status is any of the 50X codes.
How could i accomplish this?

Thanks for your response.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254535,254535#msg-254535

From nginx-forum at nginx.us Mon Nov 3 08:19:54 2014
From: nginx-forum at nginx.us (newnovice)
Date: Mon, 03 Nov 2014 03:19:54 -0500
Subject: connection close on 500, 503, 502.
In-Reply-To: <671b20d470c80d1653c9be7063d58045.NginxMailingListEnglish@forum.nginx.org>
References: <671b20d470c80d1653c9be7063d58045.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <578ed0cafc443d7a736eb42e3bec47a7.NginxMailingListEnglish@forum.nginx.org>

Can i do something like: (i don't really need a page necessarily - i am purely interested in changing the connection from keep-alive to connection-close)

error_page 500 502 503 504 /ServiceUnavailableError.xml;
location = /ServiceUnavailableError.xml {
    root /error_pages/;
    internal;
    default_type text/xml;
    keepalive_requests 0;
}

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254535,254536#msg-254536

From reallfqq-nginx at yahoo.fr Mon Nov 3 14:03:22 2014
From: reallfqq-nginx at yahoo.fr (B.R.)
Date: Mon, 3 Nov 2014 15:03:22 +0100
Subject: Regex positional capture in map
Message-ID:

map's documentation states:
A regular expression can contain named and positional captures that can later be used in other directives along with the resulting variable.

Trying to do the following failed validation:
map $host $foo {
    "~*^www\.(.*)$" $1; # Positional capture fails
    default $foo;
}

What am I doing wrong?
---
*B. R.*

From reallfqq-nginx at yahoo.fr Mon Nov 3 14:18:26 2014
From: reallfqq-nginx at yahoo.fr (B.R.)
Date: Mon, 3 Nov 2014 15:18:26 +0100
Subject: Regex positional capture in map
In-Reply-To:
References:
Message-ID:

Using named captures works (as demonstrated by https://stackoverflow.com/questions/12459518/nginx-extract-a-value-from-a-variable-or-any-string), though:
map $host $foo {
    "~*^www\.(?<domain>.*)$" $domain; # Named capture wins
    default $foo;
}
---
*B. R.*

On Mon, Nov 3, 2014 at 3:03 PM, B.R. wrote:

> map's documentation
> states:
> A regular expression can contain named and positional captures that can
> later be used in other directives along with the resulting variable.
>
> Trying to do the following failed validation:
> map $host $foo {
>     "~*^www\.(.*)$" $1; # Positional capture fails
>     default $foo;
> }
>
> What am I doing wrong?
> ---
> *B. R.*
>

From igor at sysoev.ru Mon Nov 3 14:22:29 2014
From: igor at sysoev.ru (Igor Sysoev)
Date: Mon, 3 Nov 2014 17:22:29 +0300
Subject: Regex positional capture in map
In-Reply-To:
References:
Message-ID: <1CDB759C-9FA2-48A6-96C5-BA269DAA3C33@sysoev.ru>

On 03 Nov 2014, at 17:18, B.R. wrote:

> Using named captures works (as demonstrated by https://stackoverflow.com/questions/12459518/nginx-extract-a-value-from-a-variable-or-any-string), though:
> map $host $foo {
>     "~*^www\.(?<domain>.*)$" $domain; # Named capture wins
>     default $foo;
> }

default $host;

--
Igor Sysoev
http://nginx.com

> On Mon, Nov 3, 2014 at 3:03 PM, B.R. wrote:
> map's documentation states:
> A regular expression can contain named and positional captures that can later be used in other directives along with the resulting variable.
>
> Trying to do the following failed validation:
> map $host $foo {
>     "~*^www\.(.*)$" $1; # Positional capture fails
>     default $foo;
> }
>
> What am I doing wrong?
> ---
> B. R.

From nginx-forum at nginx.us Mon Nov 3 21:14:13 2014
From: nginx-forum at nginx.us (newnovice)
Date: Mon, 03 Nov 2014 16:14:13 -0500
Subject: connection close on 500, 503, 502.
In-Reply-To: <578ed0cafc443d7a736eb42e3bec47a7.NginxMailingListEnglish@forum.nginx.org>
References: <671b20d470c80d1653c9be7063d58045.NginxMailingListEnglish@forum.nginx.org> <578ed0cafc443d7a736eb42e3bec47a7.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <3a771d903f734465e6991c030b82702f.NginxMailingListEnglish@forum.nginx.org>

Can i just do this:

error_page 404 =400;
error_page 502 =500 @close_conns;
location @close_conns {
    internal;
    keepalive_requests 0;
}

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254535,254546#msg-254546

From mdounin at mdounin.ru Mon Nov 3 21:25:56 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 4 Nov 2014 00:25:56 +0300
Subject: connection close on 500, 503, 502.
In-Reply-To: <3a771d903f734465e6991c030b82702f.NginxMailingListEnglish@forum.nginx.org>
References: <671b20d470c80d1653c9be7063d58045.NginxMailingListEnglish@forum.nginx.org> <578ed0cafc443d7a736eb42e3bec47a7.NginxMailingListEnglish@forum.nginx.org> <3a771d903f734465e6991c030b82702f.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20141103212556.GC17248@mdounin.ru>

Hello!

On Mon, Nov 03, 2014 at 04:14:13PM -0500, newnovice wrote:

> Can i just do this:
>
> error_page 404 =400;
> error_page 502 =500 @close_conns;
> location @close_conns {
>     internal;
>     keepalive_requests 0;
> }

Something like "keepalive_timeout 0;" should be a better choice, as it is documented to disable keepalive connections, see http://nginx.org/r/keepalive_timeout.

--
Maxim Dounin
http://nginx.org/

From nginx-forum at nginx.us Mon Nov 3 21:44:25 2014
From: nginx-forum at nginx.us (newnovice)
Date: Mon, 03 Nov 2014 16:44:25 -0500
Subject: connection close on 500, 503, 502.
In-Reply-To: <20141103212556.GC17248@mdounin.ru>
References: <20141103212556.GC17248@mdounin.ru>
Message-ID: <375354f128da9f8b8a01ed7c1fbc8419.NginxMailingListEnglish@forum.nginx.org>

Thank you MAXIM - you have been the most responsive & helpful on these forums.

GREATLY APPRECIATED.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254535,254548#msg-254548

From igal at getrailo.org Mon Nov 3 22:01:00 2014
From: igal at getrailo.org (Igal @ getRailo.org)
Date: Mon, 03 Nov 2014 14:01:00 -0800
Subject: connection close on 500, 503, 502.
In-Reply-To: <375354f128da9f8b8a01ed7c1fbc8419.NginxMailingListEnglish@forum.nginx.org>
References: <20141103212556.GC17248@mdounin.ru> <375354f128da9f8b8a01ed7c1fbc8419.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <5457FB1C.3030600@getrailo.org>

> Thank you MAXIM - you have been the most responsive & helpful on these
> forums.

+1

--
Igal Sapir
Railo Core Developer
http://getRailo.org/

From reallfqq-nginx at yahoo.fr Mon Nov 3 22:02:23 2014
From: reallfqq-nginx at yahoo.fr (B.R.)
Date: Mon, 3 Nov 2014 23:02:23 +0100
Subject: Regex positional capture in map
In-Reply-To: <1CDB759C-9FA2-48A6-96C5-BA269DAA3C33@sysoev.ru>
References: <1CDB759C-9FA2-48A6-96C5-BA269DAA3C33@sysoev.ru>
Message-ID:

On Mon, Nov 3, 2014 at 3:22 PM, Igor Sysoev wrote:

> Using named captures works (as demonstrated by
> https://stackoverflow.com/questions/12459518/nginx-extract-a-value-from-a-variable-or-any-string),
> though:
> map $host $foo {
>     "~*^www\.(?<domain>.*)$" $domain; # Named capture wins
>     default $foo;
> }
>
>
> default $host;
>
>
Yup, my bad: typo while writing the example map.
It does not interfere much with the problem though. Any piece of advice? :o)
---
*B. R.*

From francis at daoine.org Mon Nov 3 23:04:36 2014
From: francis at daoine.org (Francis Daly)
Date: Mon, 3 Nov 2014 23:04:36 +0000
Subject: Regex positional capture in map
In-Reply-To:
References:
Message-ID: <20141103230436.GX3771@daoine.org>

On Mon, Nov 03, 2014 at 03:03:22PM +0100, B.R. wrote:

Hi there,

I think this is a documentation bug.

> map's documentation
> states:
> A regular expression can contain named and positional captures that can
> later be used in other directives along with the resulting variable.

Strictly, those words are true -- you *can* use the named or positional captures in other directives. It does not say that you can use them in this same directive. (Or at least, it is possible to read it that way, if you really wanted to.)

But practically, it should state that the resulting value can be a string, or can be a variable or a named capture, but cannot be a positional capture. (Or whatever the actual restrictions are.)

f
--
Francis Daly francis at daoine.org

From mdounin at mdounin.ru Tue Nov 4 00:22:46 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 4 Nov 2014 03:22:46 +0300
Subject: Regex positional capture in map
In-Reply-To:
References: <1CDB759C-9FA2-48A6-96C5-BA269DAA3C33@sysoev.ru>
Message-ID: <20141104002246.GI17248@mdounin.ru>

Hello!

On Mon, Nov 03, 2014 at 11:02:23PM +0100, B.R. wrote:

> On Mon, Nov 3, 2014 at 3:22 PM, Igor Sysoev wrote:
>
> > Using named captures works (as demonstrated by
> > https://stackoverflow.com/questions/12459518/nginx-extract-a-value-from-a-variable-or-any-string),
> > though:
> > map $host $foo {
> >     "~*^www\.(?<domain>.*)$" $domain; # Named capture wins
> >     default $foo;
> > }
> >
> >
> > default $host;
> >
>
> Yup, my bad: typo while writing the example map.
> It does not interfere much with the problem though. Any piece of advice? :o)

As you already found yourself, map{} doesn't allow to use positional captures in resulting values. Use named captures instead.

--
Maxim Dounin
http://nginx.org/

From reallfqq-nginx at yahoo.fr Tue Nov 4 07:46:18 2014
From: reallfqq-nginx at yahoo.fr (B.R.)
Date: Tue, 4 Nov 2014 08:46:18 +0100
Subject: Regex positional capture in map
In-Reply-To: <20141104002246.GI17248@mdounin.ru>
References: <1CDB759C-9FA2-48A6-96C5-BA269DAA3C33@sysoev.ru> <20141104002246.GI17248@mdounin.ru>
Message-ID:

Thanks to both of you!
Documentation bug, then...
---
*B. R.*

On Tue, Nov 4, 2014 at 1:22 AM, Maxim Dounin wrote:

> Hello!
>
> On Mon, Nov 03, 2014 at 11:02:23PM +0100, B.R. wrote:
>
> > On Mon, Nov 3, 2014 at 3:22 PM, Igor Sysoev wrote:
> >
> > > Using named captures works (as demonstrated by
> > > https://stackoverflow.com/questions/12459518/nginx-extract-a-value-from-a-variable-or-any-string),
> > > though:
> > > map $host $foo {
> > >     "~*^www\.(?<domain>.*)$" $domain; # Named capture wins
> > >     default $foo;
> > > }
> > >
> > >
> > > default $host;
> > >
> >
> > Yup, my bad: typo while writing the example map.
> > It does not interfere much with the problem though. Any piece of advice? :o)
>
> As you already found yourself, map{} doesn't allow to use
> positional captures in resulting values. Use named captures
> instead.
>
> --
> Maxim Dounin
> http://nginx.org/
>

From nginx-forum at nginx.us Tue Nov 4 09:03:07 2014
From: nginx-forum at nginx.us (lockheed)
Date: Tue, 04 Nov 2014 04:03:07 -0500
Subject: 'location' as an alias for 'server'?
Message-ID: <785353fc24a61734ec853821f928b9f2.NginxMailingListEnglish@forum.nginx.org>

I have nginx set up with several servers in /etc/nginx/sites-enabled

However, I want to convert my setup to one domain ***myserver.com*** , so typing in a browser

"lalala.com"

will no longer get me to the appropriate ***/usr/share/webapps/lalala*** subfolder.

Therefore, I want to create some kind of bind (if possible) so that if I type

"myserver.com/lalala"

it will redirect me to ***/usr/share/webapps*** while still applying all the configuration from
***/etc/nginx/sites-enabled/lalala***

Is it doable, or do I have to rewrite all the server files from /sites-enabled/ as locations?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254563,254563#msg-254563

From nginx-forum at nginx.us Tue Nov 4 12:21:12 2014
From: nginx-forum at nginx.us (NaZz)
Date: Tue, 04 Nov 2014 07:21:12 -0500
Subject: upstream sent invalid status "-1 Copy failed" while reading response header from upstream
In-Reply-To: <20141028001935.GH45418@mdounin.ru>
References: <20141028001935.GH45418@mdounin.ru>
Message-ID:

Maxim Dounin Wrote:
-------------------------------------------------------
> From nginx point of view, "your upstream server" is _exact_ thing
> to dig into.

Sounds like this Nginx guy you are talking about is the type of guy who never wants to admit his mistakes. :D

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254279,254566#msg-254566

From reallfqq-nginx at yahoo.fr Tue Nov 4 12:50:56 2014
From: reallfqq-nginx at yahoo.fr (B.R.)
Date: Tue, 4 Nov 2014 13:50:56 +0100
Subject: 'location' as an alias for 'server'?
In-Reply-To: <785353fc24a61734ec853821f928b9f2.NginxMailingListEnglish@forum.nginx.org>
References: <785353fc24a61734ec853821f928b9f2.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

The fact that sites-enabled contains 1 file per server is a *de facto* standard. From nginx point of view, those are just include like others.

Since nginx.conf must have some include sites-enabled/*.conf rule, those files are already loaded at http level.

To have the behavior you wish, I would do the following:
location /lalala {
    alias /usr/share/webapps;
    include locations/lalala.conf;
}

The locations directory shall include your per-location rules.

Note that directives working at server level might not do inside a location.
Those are 2 different scope with specific purposes.
I hope you know what you are doing. I do not know what you have in mind. :o)
---
*B. R.*

On Tue, Nov 4, 2014 at 10:03 AM, lockheed wrote:

> I have nginx set up with several servers in /etc/nginx/sites-enabled
>
> However, I want to convert my setup to one domain ***myserver.com*** , so
> typing in a browser
>
> "lalala.com"
>
> will no longer get me to the appropriate ***/usr/share/webapps/lalala***
> subfolder.
>
>
> Therefore, I want to create some kind of bind (if possible) so that if I
> type
>
> "myserver.com/lalala"
>
> it will redirect me to ***/usr/share/webapps*** while still applying all
> the
> configuration from
> ***/etc/nginx/sites-enabled/lalala***
>
>
>
> Is it doable, or do I have to rewrite all the server files from
> /sites-enabled/ as locations?
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,254563,254563#msg-254563
>

From nginx-forum at nginx.us Tue Nov 4 17:27:51 2014
From: nginx-forum at nginx.us (abstein2)
Date: Tue, 04 Nov 2014 12:27:51 -0500
Subject: map_hash_bucket_size, map_hash_max_size, and memory usage
Message-ID:

I was hoping someone could clarify how exactly map_hash_bucket_size and map_hash_max_size should be set and the impact it has on memory.

For map_hash_bucket_size, it says it should be a multiple of the processor's line cache size. Under what circumstances does it make sense or would it be necessary to move away from the default cache size?

For map_hash_max_size, is this just the maximum size of the hash? If so, what is the metric: bytes? potential options? something else? Is it viewed as the maximum size of all maps or just each specific map directive?

Also, do either of these values impact the memory that nginx uses?
For example, if I have 200 maps will ones with a higher map_hash_bucket_size use more memory than one with a lower map_hash_bucket_size? Or a higher map_hash_max_size?

Thanks!

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254572,254572#msg-254572

From nginx-forum at nginx.us Wed Nov 5 00:25:59 2014
From: nginx-forum at nginx.us (newnovice)
Date: Tue, 04 Nov 2014 19:25:59 -0500
Subject: connection close on 500, 503, 502.
In-Reply-To: <671b20d470c80d1653c9be7063d58045.NginxMailingListEnglish@forum.nginx.org>
References: <671b20d470c80d1653c9be7063d58045.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

I have this in config:

---
error_page 404 =400;
error_page 500 502 503 504 =500 @close_conns;
location @close_conns {
    internal;
    keepalive_timeout 0;
}
----

I still see 502's being returned in '$status' - Why would this happen? I was expecting to see a 500, based on my config.

I also see 404's - which should have been transformed to 400.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254535,254577#msg-254577

From nginx-forum at nginx.us Wed Nov 5 02:05:26 2014
From: nginx-forum at nginx.us (rcoup)
Date: Tue, 04 Nov 2014 21:05:26 -0500
Subject: realip - protocol support
Message-ID: <870e29ed1d33d3e33e657a30cb3ce712.NginxMailingListEnglish@forum.nginx.org>

Hi all,

I'm successfully using the realip module to validate proxies and set $remote_addr to the external IP for a request, but I'm trying to do the same for HTTP vs HTTPS where the proxy (Amazon ELB, CDN, etc) is terminating SSL and adding an X-Forwarded-Proto header ("https" or "http"). Note that not all requests are proxied through to nginx, some are coming direct.
Initial idea:

# Set $reqScheme to the original client scheme
# Amazon ELB sets X-Forwarded-Proto
map $http_x_forwarded_proto $reqScheme {
    default $scheme;
    https https;
}
# Amazon ELBs will be in the VPC public subnets
set_real_ip_from 10.99.0.0/16;

Which works, except that an end-user can forge the "X-Forwarded-Proto" header for requests that hit nginx directly.

Attempt two was using:

# Set $reqScheme to the original client scheme
# Amazon ELB sets X-Forwarded-Proto
map "$remote_addr:$http_x_forwarded_proto" $reqScheme {
    default $scheme;
    ~"10\.99\..*:https" https; # ELB subnets only
}
# Amazon ELBs will be in the VPC public subnets
set_real_ip_from 10.99.0.0/16;

But of course, $remote_addr is changed from the proxy address by realip really early in processing the request, so it's set to the actual client IP by the time the map is evaluated.

From a look at the realip module code, it doesn't appear to save the original remote address to another variable which I could use in place of $remote_addr in the above, and there doesn't appear to be another way to find if realip-proxying happened.

Does anyone have any other ideas for making this work? If not, would any of the following be a suitable approach to resolve this?

1. setting a $remote_addr_original= variable in the realip module, set to the original $remote_addr if realip changes it
2. setting a $remote_addr_proxied= variable in the realip module, set to true if realip changes $remote_addr
3. adding "set_real_scheme_from" and "real_scheme_header" directives to the realip module that manipulate the $scheme & $https variables in a similar way to $remote_addr.

Seems unnecessary to create an entirely new module for this purpose, though that's an option too.
Thanks,
Rob :)

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254578,254578#msg-254578

From nginx-forum at nginx.us Wed Nov 5 02:12:13 2014
From: nginx-forum at nginx.us (rcoup)
Date: Tue, 04 Nov 2014 21:12:13 -0500
Subject: realip - protocol support
In-Reply-To: <870e29ed1d33d3e33e657a30cb3ce712.NginxMailingListEnglish@forum.nginx.org>
References: <870e29ed1d33d3e33e657a30cb3ce712.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

Ugh,

> 3. adding "set_real_scheme_from" and "real_scheme_header" directives to the realip module that manipulate the $scheme & $https variables in a similar way to $remote_addr.

Of course, "set_real_scheme_from" is unnecessary, since it'll be the same list of proxies as "set_real_ip_from". Revise as:

3. adding a "real_scheme_header" directive to the realip module that manipulates the $scheme & $https variables in a similar way to $remote_addr.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254578,254579#msg-254579

From nginx-forum at nginx.us Wed Nov 5 09:32:15 2014
From: nginx-forum at nginx.us (bluekyu)
Date: Wed, 05 Nov 2014 04:32:15 -0500
Subject: Can response code be 444 in error_page
Message-ID: <058037f8fe99eb1c01e2b0e422e118a2.NginxMailingListEnglish@forum.nginx.org>

Hello.

I want to reject a connection when some errors (400, 403, ...) occur, so I used error code 444 in error_page like this:

error_page 400 =444 @reject_conn;
location @reject_conn {
    return 444;
}

When I tested it, the network connection was waiting continuously, not closed (reset).
I wonder if this situation is right.
I also searched the internet and read a document, but I could not find an answer.

Is this situation right? (or, does the code work, well?)

Thanks.
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254589,254589#msg-254589

From nginx-forum at nginx.us Wed Nov 5 09:33:16 2014
From: nginx-forum at nginx.us (zhijianpeng)
Date: Wed, 05 Nov 2014 04:33:16 -0500
Subject: cache manager worker_connections not enough
Message-ID:

I am using proxy_cache as a cache server, about 20-30k requests /s. It sometimes gets slow, and I find lots of such messages:

2014/11/05 17:01:32 [alert] 22169#0: 512 worker_connections are not enough
2014/11/05 17:01:32 [alert] 22169#0: 512 worker_connections are not enough
2014/11/05 17:04:12 [alert] 22169#0: 512 worker_connections are not enough
2014/11/05 17:04:12 [alert] 22169#0: 512 worker_connections are not enough
2014/11/05 17:04:12 [alert] 22169#0: 512 worker_connections are not enough

process 22169 is the "nginx: cache manager process" .

Should I modify the num of cache_manager_process_cycle->connection_n in src/os/unix/ngx_process_cycle.c, and rebuild nginx ?

static void
ngx_cache_manager_process_cycle(ngx_cycle_t *cycle, void *data)
{
    ngx_cache_manager_ctx_t *ctx = data;

    void *ident[4];
    ngx_event_t ev;

    /*
     * Set correct process type since closing listening Unix domain socket
     * in a master process also removes the Unix domain socket file.
     */
    ngx_process = NGX_PROCESS_HELPER;

    ngx_close_listening_sockets(cycle);

    /* Set a moderate number of connections for a helper process. */
    cycle->connection_n = 512;

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254590,254590#msg-254590

From nginx-forum at nginx.us Wed Nov 5 11:03:27 2014
From: nginx-forum at nginx.us (tunist)
Date: Wed, 05 Nov 2014 06:03:27 -0500
Subject: SPDY inflate errors in nginx 1.7.4 - 1.7.7
In-Reply-To: <2881109.AUh5tBCom1@vbart-laptop>
References: <2881109.AUh5tBCom1@vbart-laptop>
Message-ID: <50b2b623a3e0cbc588f8478d705de2bd.NginxMailingListEnglish@forum.nginx.org>

"There's no way to find out what caused the error only by looking to standard error message. You should provide the debug log at least."

- ok, thanks - i will post what i can find once the next error occurs. i upgraded to 1.7.7 and there have been 2 of these errors since then, though debug was not enabled at that point.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254523,254594#msg-254594

From mdounin at mdounin.ru Wed Nov 5 12:26:05 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 5 Nov 2014 15:26:05 +0300
Subject: map_hash_bucket_size, map_hash_max_size, and memory usage
In-Reply-To:
References:
Message-ID: <20141105122605.GA10189@mdounin.ru>

Hello!

On Tue, Nov 04, 2014 at 12:27:51PM -0500, abstein2 wrote:

> I was hoping someone could clarify how exactly map_hash_bucket_size and
> map_hash_max_size should be set and the impact it has on memory.
>
> For map_hash_bucket_size, it says it should be a multiple of the processor's
> line cache size. Under what circumstances does it make sense or would it be
> necessary to move away from the default cache size?
>
> For map_hash_max_size, is this just the maximum size of the hash? If so,
> what is the metric: bytes? potential options? something else? Is it viewed
> as the maximum size of all maps or just each specific map directive?
>
> Also, do either of these values impact the memory that nginx uses?
> For example, if I have 200 maps will ones with a higher map_hash_bucket_size use
> more memory than one with a lower map_hash_bucket_size? Or a higher
> map_hash_max_size?

Some details about configuring of hashes can be found here:

http://nginx.org/en/docs/hash.html

--
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru Wed Nov 5 12:48:21 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 5 Nov 2014 15:48:21 +0300
Subject: Can response code be 444 in error_page
In-Reply-To: <058037f8fe99eb1c01e2b0e422e118a2.NginxMailingListEnglish@forum.nginx.org>
References: <058037f8fe99eb1c01e2b0e422e118a2.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20141105124820.GC10189@mdounin.ru>

Hello!

On Wed, Nov 05, 2014 at 04:32:15AM -0500, bluekyu wrote:

> Hello.
>
> I want to reject a connection when some errors (400, 403, ...) occur, so I
> used error code 444 in error_page like this:
>
> error_page 400 =444 @reject_conn;
> location @reject_conn {
>     return 444;
> }
>
> When I tested it, the network connection was waiting continuously, not
> closed (reset).
> I wonder if this situation is right.
> I also searched the internet and read a document, but I could not find an
> answer.
>
> Is this situation right? (or, does the code work, well?)

That's a known bug, and we even have a ticket for it (though it was filed in Russian by the reporter):

http://trac.nginx.org/nginx/ticket/274

--
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru Wed Nov 5 12:55:57 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 5 Nov 2014 15:55:57 +0300
Subject: cache manager worker_connections not enough
In-Reply-To:
References:
Message-ID: <20141105125557.GD10189@mdounin.ru>

Hello!

On Wed, Nov 05, 2014 at 04:33:16AM -0500, zhijianpeng wrote:

> I am using proxy_cache as a cache server, about 20-30k requests /s.
> It sometimes gets slow, and I find lots of such messages:
>
> 2014/11/05 17:01:32 [alert] 22169#0: 512 worker_connections are not enough
> 2014/11/05 17:01:32 [alert] 22169#0: 512 worker_connections are not enough
> 2014/11/05 17:04:12 [alert] 22169#0: 512 worker_connections are not enough
> 2014/11/05 17:04:12 [alert] 22169#0: 512 worker_connections are not enough
> 2014/11/05 17:04:12 [alert] 22169#0: 512 worker_connections are not enough
>
> process 22169 is the "nginx: cache manager process" .

Do you use 3rd party modules/patches? What "nginx -V" shows?

> Should I modify the num of cache_manager_process_cycle->connection_n in
> src/os/unix/ngx_process_cycle.c, and rebuild nginx ?

While this may help in your particular case, it's wrong in general as cache manager isn't expected to use many connections. It would be better to find out what goes on here.

--
Maxim Dounin
http://nginx.org/

From nginx-forum at nginx.us Wed Nov 5 14:00:30 2014
From: nginx-forum at nginx.us (bluekyu)
Date: Wed, 05 Nov 2014 09:00:30 -0500
Subject: Can response code be 444 in error_page
In-Reply-To: <20141105124820.GC10189@mdounin.ru>
References: <20141105124820.GC10189@mdounin.ru>
Message-ID: <462d6abf15f1433f59beffe1aa2621ca.NginxMailingListEnglish@forum.nginx.org>

Maxim Dounin Wrote:
-------------------------------------------------------
> Hello!
>
> On Wed, Nov 05, 2014 at 04:32:15AM -0500, bluekyu wrote:
>
> > Hello.
> >
> > I want to reject a connection when some errors (400, 403, ...)
> occur, so I
> > used error code 444 in error_page like this:
> >
> > error_page 400 =444 @reject_conn;
> > location @reject_conn {
> >     return 444;
> > }
> >
> > When I tested it, the network connection was waiting continuously,
> not
> > closed (reset).
> > I wonder if this situation is right.
> > I also searched the internet and read a document, but I could not find an
> > answer.
> >
> > Is this situation right? (or, does the code work, well?)
>
> That's a known bug, and we even have a ticket for it (though it
> was filed in Russian by the reporter):
>
> http://trac.nginx.org/nginx/ticket/274
>
> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

Thank you for the reply.

I translated and read the report. I understood the bug is related with only error_page 400.
If this is correct, my example may be inappropriate.

My question was whether the response code of error_page can be 444, or not.
(In the document, only standard HTTP codes are described.)
For another example, I want to reject inappropriate accesses such as 497 error.

error_page 497 =444 @reject_conn;
location @reject_conn {
    return 444;
}

I expected that the connection is reset when error 497 occurs, but it was waiting.

Thanks.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254589,254606#msg-254606

From mdounin at mdounin.ru Wed Nov 5 16:06:53 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 5 Nov 2014 19:06:53 +0300
Subject: Can response code be 444 in error_page
In-Reply-To: <462d6abf15f1433f59beffe1aa2621ca.NginxMailingListEnglish@forum.nginx.org>
References: <20141105124820.GC10189@mdounin.ru> <462d6abf15f1433f59beffe1aa2621ca.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20141105160653.GG10189@mdounin.ru>

Hello!

On Wed, Nov 05, 2014 at 09:00:30AM -0500, bluekyu wrote:

[...]

> I translated and read the report. I understood the bug is related with only
> error_page 400.
> If this is correct, my example may be inappropriate.
>
> My question was whether the response code of error_page can be 444, or not.
> (In the document, only standard HTTP codes are described.)
> For another example, I want to reject inappropriate accesses such as 497
> error.
>
> error_page 497 =444 @reject_conn;
> location @reject_conn {
>     return 444;
> }
>
> I expected that the connection is reset when error 497 occurs, but it was
> waiting.

As 497 is just a special case of 400 (and it is actually changed to 400 during handling), I suspect it's affected by the same bug.

--
Maxim Dounin
http://nginx.org/

From nginx-forum at nginx.us Wed Nov 5 17:04:04 2014
From: nginx-forum at nginx.us (Ivan Artyukhin)
Date: Wed, 05 Nov 2014 12:04:04 -0500
Subject: Problem with 'Host' http header when using ssl
Message-ID: <703d2c194cd51dd424ef0ef5b2336c08.NginxMailingListEnglish@forum.nginx.org>

I'm using Nginx as reverse proxy with SSL termination. The J2EE application that is behind it sometimes uses host information to create URLs for popup windows. Right now it inserts name of my upstream into URL and popup windows are not launched (obviously). I understand that I have to fill 'Host' header with appropriate value. So I tried to use

proxy_set_header Host $host;

inside my 'location' block. It works perfectly when I'm connecting over http. But when I'm connecting over https it doesn't work (even more - all pages are not available).

My configuration:

upstream BE {
    ip_hash;
    server ... max_fails=1 fail_timeout=300s;
    server ... max_fails=1 fail_timeout=300s;
}

server {
    listen 443 ssl;
    server_name localhost;

    location / {
        proxy_pass http://BE;
        # proxy_redirect off;
        #proxy_set_header X-Forwarded-Proto https;
        #proxy_set_header X-Real-IP $remote_addr;
        #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_set_header Host $host;
    }

I found this post http://forum.nginx.org/read.php?2,228638,228640#msg-228640 but it is not resolved.
Regards,
Ivan

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254615,254615#msg-254615

From nginx-forum at nginx.us Wed Nov 5 17:05:53 2014
From: nginx-forum at nginx.us (Ivan Artyukhin)
Date: Wed, 05 Nov 2014 12:05:53 -0500
Subject: Problem with 'Host' http header when using ssl
In-Reply-To: <703d2c194cd51dd424ef0ef5b2336c08.NginxMailingListEnglish@forum.nginx.org>
References: <703d2c194cd51dd424ef0ef5b2336c08.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <03a561fa5295bd416542878fa41d473e.NginxMailingListEnglish@forum.nginx.org>

As soon as I uncomment '# proxy_set_header Host $host;' line it stops working. All other headers don't matter

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254615,254616#msg-254616

From nginx-forum at nginx.us Wed Nov 5 17:47:53 2014
From: nginx-forum at nginx.us (itpp2012)
Date: Wed, 05 Nov 2014 12:47:53 -0500
Subject: Problem with 'Host' http header when using ssl
In-Reply-To: <03a561fa5295bd416542878fa41d473e.NginxMailingListEnglish@forum.nginx.org>
References: <703d2c194cd51dd424ef0ef5b2336c08.NginxMailingListEnglish@forum.nginx.org> <03a561fa5295bd416542878fa41d473e.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <269e86f88119a07cbfac9acf3b56f7fa.NginxMailingListEnglish@forum.nginx.org>

With such backends you need to tell the backend that the origin is https, otherwise it will 'think' it's serving http since it is unaware of a proxy.

ea.

References: <703d2c194cd51dd424ef0ef5b2336c08.NginxMailingListEnglish@forum.nginx.org> <03a561fa5295bd416542878fa41d473e.NginxMailingListEnglish@forum.nginx.org> <269e86f88119a07cbfac9acf3b56f7fa.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <91887d1213f101cdefbb854d403f926e.NginxMailingListEnglish@forum.nginx.org>

Backend correctly analyzes 'host' header. To check it I created simple ServletFilter to 'set' this header and after it backend forms correct URLs. So my problem will be solved if I manage to set 'host' header in nginx configuration.
I'm still confused why I can set this header for non-SSL port and I can't do it for SSL. What am I missing?

Regards,
Ivan

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254615,254620#msg-254620

From nginx-forum at nginx.us Wed Nov 5 21:57:35 2014
From: nginx-forum at nginx.us (itpp2012)
Date: Wed, 05 Nov 2014 16:57:35 -0500
Subject: Problem with 'Host' http header when using ssl
In-Reply-To: <91887d1213f101cdefbb854d403f926e.NginxMailingListEnglish@forum.nginx.org>
References: <703d2c194cd51dd424ef0ef5b2336c08.NginxMailingListEnglish@forum.nginx.org> <03a561fa5295bd416542878fa41d473e.NginxMailingListEnglish@forum.nginx.org> <269e86f88119a07cbfac9acf3b56f7fa.NginxMailingListEnglish@forum.nginx.org> <91887d1213f101cdefbb854d403f926e.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

Ivan Artyukhin Wrote:
-------------------------------------------------------
> configuration. I'm still confused why I can set this header for
> non-SSL port and I can't do it for SSL. What am I missing?

Maybe it's a SNI thing, see also http://forum.nginx.org/read.php?2,222512,222516#msg-222516

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254615,254621#msg-254621

From nginx-forum at nginx.us Thu Nov 6 01:46:57 2014
From: nginx-forum at nginx.us (nrahl)
Date: Wed, 05 Nov 2014 20:46:57 -0500
Subject: Require a password for everything except one folder?
Message-ID:

I'm trying to deny access to all locations on the server, unless the user has a specific IP address or enters a password. This part is working.

I'm also trying to add an exception, where any path starting with /Public is allowed by anyone with no password. I've tried to override it in a location block, but this doesn't seem to have any effect.

server {
    ...
    satisfy any;
    allow xx.xxx.xxx.xxx;
    deny all;
    auth_basic "Restricted";
    auth_basic_user_file /x/y/z;

    location ~* ^/Public {
        satisfy any;
        allow all;
    }

    location / {
        try_files fake.html @apache;
    }
}

I've also tried nesting like:

location / {
    location ~* ^/Public {
        satisfy any;
        allow all;
    }
    try_files fake.html @apache;
}

But it always requires a password, even on Public. How can I override security on just the one folder?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254625,254625#msg-254625

From nginx-forum at nginx.us Thu Nov 6 05:32:58 2014
From: nginx-forum at nginx.us (khav)
Date: Thu, 06 Nov 2014 00:32:58 -0500
Subject: File '/usr/sbin/nginx' seems to be deleted
Message-ID:

I am seeing a lot of these entries in my logs

Nov 6 04:29:13 sv1 kernel: nginx[62598]: segfault at 0 ip 0000000000438f38 sp 0 0007fffa5a934c0 error 4 in nginx (deleted)[400000+e2000]
Nov 6 04:29:13 sv1 abrt[22289]: File '/usr/sbin/nginx' seems to be deleted
Nov 6 04:29:13 sv1 abrt[22289]: Not saving repeating crash in '/usr/sbin/nginx'
Nov 6 04:29:17 sv1 abrtd: Package 'nginx' isn't signed with proper key
Nov 6 04:29:17 sv1 abrtd: 'post-create' on '/var/spool/abrt/ccpp-2014-11-06-04: 29:08-56907' exited with 1
Nov 6 04:29:17 sv1 abrtd: Deleting problem directory '/var/spool/abrt/ccpp-2014 -11-06-04:29:08-56907'

How can i fix this

nginx version: nginx/1.7.7
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/var/run/nginx.pid --lock-path=/var/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio
--with-ipv6 --with-http_ssl_module --with-http_spdy_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_geoip_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-http_perl_module --with-mail --with-mail_ssl_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --with-ld-opt=-Wl,-E

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254626,254626#msg-254626

From e1c1bac6253dc54a1e89ddc046585792 at posteo.net Thu Nov 6 07:01:49 2014
From: e1c1bac6253dc54a1e89ddc046585792 at posteo.net (Philipp)
Date: Thu, 06 Nov 2014 08:01:49 +0100
Subject: Require a password for everything except one folder?
In-Reply-To:
References:
Message-ID: <28994ea2ce78cab21b0dd40a27dd3331@posteo.de>

On 06.11.2014 02:46, nrahl wrote:
> I'm
> also trying to add an exception, where any path starting with /Public
> is
> allowed by anyone with no password.
> location ~* ^/Public {
>     satisfy any;
>     allow all;
> }

location /Public { auth_basic off; }

From mdounin at mdounin.ru Thu Nov 6 13:17:42 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Thu, 6 Nov 2014 16:17:42 +0300
Subject: File '/usr/sbin/nginx' seems to be deleted
In-Reply-To:
References:
Message-ID: <20141106131741.GB22132@mdounin.ru>

Hello!
On Thu, Nov 06, 2014 at 12:32:58AM -0500, khav wrote:

> I am seeing a lot of these entries in my logs
>
> Nov 6 04:29:13 sv1 kernel: nginx[62598]: segfault at 0 ip 0000000000438f38
> sp 0 0007fffa5a934c0 error 4 in nginx (deleted)[400000+e2000]
> Nov 6 04:29:13 sv1 abrt[22289]: File '/usr/sbin/nginx' seems to be deleted
> Nov 6 04:29:13 sv1 abrt[22289]: Not saving repeating crash in
> '/usr/sbin/nginx'
> Nov 6 04:29:17 sv1 abrtd: Package 'nginx' isn't signed with proper key
> Nov 6 04:29:17 sv1 abrtd: 'post-create' on
> '/var/spool/abrt/ccpp-2014-11-06-04: 29:08-56907' exited with 1
> Nov 6 04:29:17 sv1 abrtd: Deleting problem directory
> '/var/spool/abrt/ccpp-2014 -11-06-04:29:08-56907'
>
> How can i fix this

The message suggests the nginx binary on disk is not the one which is running. You have to restart nginx or follow the binary upgrade procedure, see http://nginx.org/en/docs/control.html#upgrade.

--
Maxim Dounin
http://nginx.org/

From nginx-forum at nginx.us Thu Nov 6 14:51:12 2014
From: nginx-forum at nginx.us (nrahl)
Date: Thu, 06 Nov 2014 09:51:12 -0500
Subject: Require a password for everything except one folder?
In-Reply-To: <28994ea2ce78cab21b0dd40a27dd3331@posteo.de>
References: <28994ea2ce78cab21b0dd40a27dd3331@posteo.de>
Message-ID: <5a3f4a56add74113b55006469b02797c.NginxMailingListEnglish@forum.nginx.org>

> location /Public { auth_basic off; }
>

This prevents the password prompt from appearing on /Public, but results in an immediate 403 Forbidden error on that location.

I've also tried:

location /Public { auth_basic off; allow all; }

But adding "allow all" causes the password prompt to appear on that location again.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254625,254636#msg-254636

From nginx-forum at nginx.us Thu Nov 6 16:57:20 2014
From: nginx-forum at nginx.us (newnovice)
Date: Thu, 06 Nov 2014 11:57:20 -0500
Subject: connection close on 500, 503, 502.
In-Reply-To:
References: <671b20d470c80d1653c9be7063d58045.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <5acfa5f2dc4d967711269484185b6db1.NginxMailingListEnglish@forum.nginx.org>

ping ?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254535,254639#msg-254639

From francis at daoine.org Thu Nov 6 18:47:24 2014
From: francis at daoine.org (Francis Daly)
Date: Thu, 6 Nov 2014 18:47:24 +0000
Subject: Require a password for everything except one folder?
In-Reply-To: <5a3f4a56add74113b55006469b02797c.NginxMailingListEnglish@forum.nginx.org>
References: <28994ea2ce78cab21b0dd40a27dd3331@posteo.de> <5a3f4a56add74113b55006469b02797c.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20141106184724.GY3771@daoine.org>

On Thu, Nov 06, 2014 at 09:51:12AM -0500, nrahl wrote:

Hi there,

> I've also tried:
>
> location /Public { auth_basic off; allow all; }
>
> But adding "allow all" causes the password prompt to appear on that location
> again.

location ^~ /public { auth_basic off; allow all; }

seems to work for me.

Are you sure that the test url that you are requesting matches this location?

There may be more useful information in the debug log regarding what is going wrong for you.

f
--
Francis Daly francis at daoine.org

From nginx-forum at nginx.us Thu Nov 6 21:47:28 2014
From: nginx-forum at nginx.us (nrahl)
Date: Thu, 06 Nov 2014 16:47:28 -0500
Subject: Require a password for everything except one folder?
In-Reply-To: <20141106184724.GY3771@daoine.org>
References: <20141106184724.GY3771@daoine.org>
Message-ID: <1079d2e3761bd215bd995d1b819e25b2.NginxMailingListEnglish@forum.nginx.org>

> Are you sure that the test url that you are requesting matches this
> location?
>
> There may be more useful information in the debug log regarding what
> is going wrong for you.
>

With debug logging on, I have confirmed it is matching the correct location.
With:

location ^~ /Public {
    satisfy any;
    allow all;
    auth_basic off;
    try_files fake.html @apache;
}

It matched the /Public location and I get: "no user/password was provided for basic authentication" during the access phase.

With:

location ^~ /Public {
    auth_basic off;
    try_files fake.html @apache;
}

It matches the Public location, and produces:

access phase: 9
post access phase: 10
access forbidden by rule, client: xxx.xxx.xxx.xxx, server: www.myserver.com, request: "GET /Public/ HTTP/1.1", host: "www.myserver.com".

Then it returns a 403 without a basic auth prompt.

So it looks like the rule is overriding the basic auth prompt, but not the deny rule?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254625,254641#msg-254641

From francis at daoine.org Thu Nov 6 22:23:07 2014
From: francis at daoine.org (Francis Daly)
Date: Thu, 6 Nov 2014 22:23:07 +0000
Subject: Require a password for everything except one folder?
In-Reply-To: <1079d2e3761bd215bd995d1b819e25b2.NginxMailingListEnglish@forum.nginx.org>
References: <20141106184724.GY3771@daoine.org> <1079d2e3761bd215bd995d1b819e25b2.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20141106222307.GZ3771@daoine.org>

On Thu, Nov 06, 2014 at 04:47:28PM -0500, nrahl wrote:

Hi there,

> With debug logging on, I have confirmed it is matching the correct location.

Do you also see the subrequest that accesses a different location that has its own configuration?

> With:
>
> location ^~ /Public {
>     satisfy any;
>     allow all;
>     auth_basic off;
>     try_files fake.html @apache;
> }
>
> It matched the /Public location and I get: "no user/password was provided
> for basic authentication" during the access phase.

Is that only if the file fake.html does not exist, so there is a new request to the location @apache which does require authentication?

Or do you get unexpected output when the request is only handled in this location?
> With:
>
> location ^~ /Public {
>     auth_basic off;
>     try_files fake.html @apache;
> }

> access forbidden by rule, client: xxx.xxx.xxx.xxx, server: www.myserver.com,
> request: "GET /Public/ HTTP/1.1", host: "www.myserver.com".

You have denied access by ip address here, so 403 is the expected response, no?

You may have more success if you can describe what response you expect, and provide a complete (small) server{} configuration that demonstrates the unwanted behaviour that you see.

f
--
Francis Daly francis at daoine.org

From nginx-forum at nginx.us Thu Nov 6 22:35:09 2014
From: nginx-forum at nginx.us (nrahl)
Date: Thu, 06 Nov 2014 17:35:09 -0500
Subject: Require a password for everything except one folder?
In-Reply-To: <20141106222307.GZ3771@daoine.org>
References: <20141106222307.GZ3771@daoine.org>
Message-ID: <5d64b9ac42a8e39de780dce10860ea16.NginxMailingListEnglish@forum.nginx.org>

> You have denied access by ip address here, so 403 is the expected
> response, no?
>
>
> You may have more success if you can describe what response you
> expect,
> and provide a complete (small) server{} configuration that
> demonstrates
> the unwanted behaviour that you see.
>

The expected response is a password prompt on all locations, unless the IP matches, in which case allow, or the path starts with /Public, in which case allow.

Here's the whole config, it's not that long:

server {
    listen 443 ssl;
    root /path/to/www;
    index index.html index.php;
    server_name www.myserver.com myserver.com;
    error_log /var/log/nginx/debug.log debug;

    # Password Protect Everything
    satisfy any;
    allow xxx.xxx.xxx.xxx; # Our IP
    deny all;
    auth_basic "Restricted";
    auth_basic_user_file /path/to/pw/file;

    ... ssl_certificate ...

    error_page 404 /Errors/404.html;

    # If request is for the homepage, skip all rules and just serve it.
    location = / {
        try_files /cache/index.html @apache;
    }

    location ~* ^/(blog|about)/(.*)\.(css|js|gif|jpe?g|png|pdf|htm?l)$ {
        rewrite ^/(blog|about)/(.*)\.(css|js|gif|jpe?g|png|pdf|htm?l)$ /wordpress/$2.$3 last;
    }

    # Static CSS, JS and Image Files
    location ~* \.(css|js|gif|jpe?g|png|pdf|htm?l)$ {
        expires 168h;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        try_files $uri $uri/ =404;
    }

    location ^~ /Public { # Disable access restriction on this location
        auth_basic off;
        try_files fake.html @apache;
    }

    location / { # All other requests get proxy passed to apache.
        try_files fake.html @apache;
    }

    # Proxy Pass
    location @apache {
        proxy_max_temp_file_size 0;
        proxy_buffering off;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_intercept_errors on;
        proxy_read_timeout 500;
        proxy_connect_timeout 500;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;
    }
}

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254625,254644#msg-254644

From francis at daoine.org Thu Nov 6 23:09:05 2014
From: francis at daoine.org (Francis Daly)
Date: Thu, 6 Nov 2014 23:09:05 +0000
Subject: Require a password for everything except one folder?
In-Reply-To: <5d64b9ac42a8e39de780dce10860ea16.NginxMailingListEnglish@forum.nginx.org>
References: <20141106222307.GZ3771@daoine.org> <5d64b9ac42a8e39de780dce10860ea16.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20141106230905.GA3771@daoine.org>

On Thu, Nov 06, 2014 at 05:35:09PM -0500, nrahl wrote:

Hi there,

> The expected response is a password prompt on all locations, unless the IP
> matches, in which case allow, or the path starts with /Public, in which case
> allow.

nginx config is based on "one request is handled in one location"; but one http request is not necessarily just one nginx request.
I suspect that if you put the configuration that you want, in the location that you want, things will Just Work.

Trying to have one location both require and not require a password, is probably the root of the issue.

> location ^~ /Public { # Disable access restriction on this location
>     auth_basic off;

(You will want to disable "deny all" or "satisfy any" here too.)

>     try_files fake.html @apache;

Instead of that try_files, can you just "proxy_pass" directly? Either copy-paste the config ending with

proxy_pass http://127.0.0.1:8080;

or do "include the-proxy-pass-file;"?

> }
>
> location / { # All other requests get proxy passed to apache.
>     try_files fake.html @apache;

Same there, but that one is not directly influenced by the "satisfy any" thing.

Good luck with it,

f
--
Francis Daly francis at daoine.org

From nginx-forum at nginx.us Thu Nov 6 23:52:15 2014
From: nginx-forum at nginx.us (tunist)
Date: Thu, 06 Nov 2014 18:52:15 -0500
Subject: SPDY inflate errors in nginx 1.7.4 - 1.7.7
In-Reply-To: <50b2b623a3e0cbc588f8478d705de2bd.NginxMailingListEnglish@forum.nginx.org>
References: <2881109.AUh5tBCom1@vbart-laptop> <50b2b623a3e0cbc588f8478d705de2bd.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <8884442f804e8e7f53f63382cb5e9d12.NginxMailingListEnglish@forum.nginx.org>

oh, so the log file is 3.5GB in size and even though the server has enough RAM to handle it, the log viewer crashes and gedit gets stuck too.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254523,254648#msg-254648

From nginx-forum at nginx.us Thu Nov 6 23:54:31 2014
From: nginx-forum at nginx.us (mevans336)
Date: Thu, 06 Nov 2014 18:54:31 -0500
Subject: Autoindex - Filter by filename?
Message-ID:

Is there a way to have autoindex only display certain files? If I only want to display a file named "the_nginx_mailing_list_guys_are_genuises*" - can I do that?
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254649,254649#msg-254649

From nginx-forum at nginx.us Thu Nov 6 23:55:44 2014
From: nginx-forum at nginx.us (mevans336)
Date: Thu, 06 Nov 2014 18:55:44 -0500
Subject: Autoindex - Filter by filename?
In-Reply-To:
References:
Message-ID: <642f47745836be2c9c19b6279e8460bd.NginxMailingListEnglish@forum.nginx.org>

Sorry, I got a little ahead of myself.

If I only want to display all files named
"the_nginx_mailing_list_guys_are_genuises*" - can I do that?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254649,254650#msg-254650

From nginx-forum at nginx.us Fri Nov 7 00:17:18 2014
From: nginx-forum at nginx.us (tunist)
Date: Thu, 06 Nov 2014 19:17:18 -0500
Subject: SPDY inflate errors in nginx 1.7.4 - 1.7.7
In-Reply-To: <8884442f804e8e7f53f63382cb5e9d12.NginxMailingListEnglish@forum.nginx.org>
References: <2881109.AUh5tBCom1@vbart-laptop> <50b2b623a3e0cbc588f8478d705de2bd.NginxMailingListEnglish@forum.nginx.org> <8884442f804e8e7f53f63382cb5e9d12.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

ok, so i opened the log using glogg and have pasted a relevant sequence into
pastebin here:
http://pastebin.com/wTQs6ALb

any tips welcome, thanks

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254523,254651#msg-254651

From nginx-forum at nginx.us Fri Nov 7 00:29:00 2014
From: nginx-forum at nginx.us (nrahl)
Date: Thu, 06 Nov 2014 19:29:00 -0500
Subject: Require a password for everything except one folder?
In-Reply-To: <20141106230905.GA3771@daoine.org>
References: <20141106230905.GA3771@daoine.org>
Message-ID:

Thanks, I got it working. My goal was to avoid repeating both the proxy
config and the password blocks, but I was able to make them includes to
avoid a bunch of duplicate lines.

Thanks again!
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254625,254652#msg-254652

From francis at daoine.org Fri Nov 7 08:23:20 2014
From: francis at daoine.org (Francis Daly)
Date: Fri, 7 Nov 2014 08:23:20 +0000
Subject: Autoindex - Filter by filename?
In-Reply-To:
References:
Message-ID: <20141107082320.GB3771@daoine.org>

On Thu, Nov 06, 2014 at 06:54:31PM -0500, mevans336 wrote:

Hi there,

> Is there a way to have autoindex only display certain files?

Using the stock nginx autoindex module, no.

Documentation is at
http://nginx.org/en/docs/http/ngx_http_autoindex_module.html

You could compile in a separate module that does do what you want --
there is one likely-looking one listed on
http://wiki.nginx.org/3rdPartyModules, but I'm sure that others can exist.

Or you could put your preferred "autoindex" logic in a script which nginx
causes to be run as an argument to "index": http://nginx.org/r/index

	f
-- 
Francis Daly        francis at daoine.org

From nginx-forum at nginx.us Fri Nov 7 09:23:58 2014
From: nginx-forum at nginx.us (saravsars)
Date: Fri, 07 Nov 2014 04:23:58 -0500
Subject: ssl_protocols per server?
In-Reply-To: <20141016130108.GA16333@mdounin.ru>
References: <20141016130108.GA16333@mdounin.ru>
Message-ID: <35cc5d521c653be8222ec5e8a1ba6eee.NginxMailingListEnglish@forum.nginx.org>

Hello

>When using SSLv3 to connect, settings of the default server{}
>block will be used. This is because there is no SNI in SSLv3, and
>hence SSL connection is established in the context of the default
>server{} block

Even with TLSv1.1 and TLSv1.2, default server "ssl_protocols" is only in
effect.
server {
    listen 443 ssl;
    server_name a.example.com;
    ssl_certificate cert.pem;
    ssl_certificate_key cert.key;
    ssl_protocols TLSv1.1 TLSv1.2;
}

server {
    listen 443 ssl default_server;
    server_name "";
    ssl_certificate cert.pem;
    ssl_certificate_key cert.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}

openssl s_client -connect a.example.com:443 -servername a.example.com -tls1 (success)

TLSv1 is disabled in a.example.com but TLSv1 request is successful.

server {
    listen 443 ssl;
    server_name a.example.com;
    ssl_certificate cert.pem;
    ssl_certificate_key cert.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}

server {
    listen 443 ssl default_server;
    server_name "";
    ssl_certificate cert.pem;
    ssl_certificate_key cert.key;
    ssl_protocols TLSv1.2;
}

openssl s_client -connect a.example.com:443 -servername a.example.com -tls1_1 (failed)

TLSv1, TLSv1.1, TLSv1.2 are enabled for a.example.com but TLSv1 and TLSv1.1
requests fail.

So, even with SNI clients default_server "ssl_protocols" is only selected.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254016,254661#msg-254661

From nginx-forum at nginx.us Fri Nov 7 09:30:39 2014
From: nginx-forum at nginx.us (tunist)
Date: Fri, 07 Nov 2014 04:30:39 -0500
Subject: SPDY inflate errors in nginx 1.7.4 - 1.7.7
In-Reply-To: <50b2b623a3e0cbc588f8478d705de2bd.NginxMailingListEnglish@forum.nginx.org>
References: <2881109.AUh5tBCom1@vbart-laptop> <50b2b623a3e0cbc588f8478d705de2bd.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

enabling debug on the site in question generated vast amounts of log data
and i think either some type of limit was reached or a bug caused the
logging to fail. i was unable to open the logviewer for the site's error
log after the first few minutes and eventually the interface crashed while
attempting to open the log.
now i have disabled debug again and can open the log. the logging stopped
shortly after i initialised the debug directive for nginx, so there is no
useful debug info pertaining to the SPDY issues yet.
i'm not entirely sure what to do here.. has anyone seen this type of
behavior before?
thanks

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254523,254647#msg-254647

From vbart at nginx.com Fri Nov 7 10:02:13 2014
From: vbart at nginx.com (Valentin V. Bartenev)
Date: Fri, 07 Nov 2014 13:02:13 +0300
Subject: SPDY inflate errors in nginx 1.7.4 - 1.7.7
In-Reply-To:
References: <2881109.AUh5tBCom1@vbart-laptop> <8884442f804e8e7f53f63382cb5e9d12.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <2175642.tSbjL1VvHb@vbart-laptop>

On Thursday 06 November 2014 19:17:18 tunist wrote:
> ok, so i opened the log using glogg and have pasted a relevant sequence into
> pastebin here:
> http://pastebin.com/wTQs6ALb
>
> any tips welcome, thanks
>
[..]

Ok, thanks, I see the problem.

Why have you changed the "large_client_header_buffers" value?

  wbr, Valentin V. Bartenev

From nginx-forum at nginx.us Fri Nov 7 10:11:44 2014
From: nginx-forum at nginx.us (zappa)
Date: Fri, 07 Nov 2014 05:11:44 -0500
Subject: Handling redirects among upstream servers
Message-ID:

Hello,

I'm trying to configure Nginx to access a cluster of application servers
using a simple proxy with multiple application servers in the upstream. The
application servers use a REST api for object storage and retrieval, and use
301 redirects among the nodes of the cluster for load balancing. A client
can connect to server A, then get a redirect to server B, where the request
will be handled.

This fails when nginx is used as a proxy in this case:

- the client connects through the proxy and gets connected to server A

- A returns a 301 with one of the other servers in the Location header

- Nginx rewrites the location header, so information about which node the
client is supposed to connect to is lost

Does Nginx offer a solution for this? Can nginx handle the 301 itself
without the client ever knowing the redirect happened?
Would it be possible
to store the redirect into a client cookie which is read during the next
request and forces nginx to connect to a particular upstream server?

Thank you,

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254664,254664#msg-254664

From nginx-forum at nginx.us Fri Nov 7 13:07:51 2014
From: nginx-forum at nginx.us (tunist)
Date: Fri, 07 Nov 2014 08:07:51 -0500
Subject: SPDY inflate errors in nginx 1.7.4 - 1.7.7
In-Reply-To: <2175642.tSbjL1VvHb@vbart-laptop>
References: <2175642.tSbjL1VvHb@vbart-laptop>
Message-ID:

i was having a lot of trouble with 302 errors initially and then later on
was having slow TLS performance.. i had difficulty finding the right
combination of buffer settings to get the site to run reliably and quickly.
if i recall correctly, that was a field that i changed while i was in the
process of stabilising the site. possibly there was no need to change that
one and i just left the change in the file once the site stabilised.

the lines in the current config are:
large_client_header_buffers 2 1k;
client_header_buffer_size 1k;

i don't truly know how to set the values for these perfectly.

do you recommend to remove 'large_client_header_buffers' completely? or
change it?
thanks

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254523,254672#msg-254672

From mdounin at mdounin.ru Fri Nov 7 13:38:57 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Fri, 7 Nov 2014 16:38:57 +0300
Subject: ssl_protocols per server?
In-Reply-To: <35cc5d521c653be8222ec5e8a1ba6eee.NginxMailingListEnglish@forum.nginx.org>
References: <20141016130108.GA16333@mdounin.ru> <35cc5d521c653be8222ec5e8a1ba6eee.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20141107133857.GF22132@mdounin.ru>

Hello!

On Fri, Nov 07, 2014 at 04:23:58AM -0500, saravsars wrote:

> Hello
>
> >When using SSLv3 to connect, settings of the default server{}
> >block will be used.
This is because there is no SNI in SSLv3, and
> >hence SSL connection is established in the context of the default
> >server{} block
>
> Even with TLSv1.1 and TLSv1.2, default server "ssl_protocols" is only in
> effect.

In theory, this depends on the OpenSSL library behaviour and may
work as long as SNI is used - nginx does its best to update all
SSL options on SNI callback. With current OpenSSL code it doesn't
seem to work though, as protocols allowed are checked before SNI
callback happens and not rechecked afterwards.

So yes, you are right - "ssl_protocols" won't do anything good in
non-default server{} blocks, even if SNI is used.

-- 
Maxim Dounin
http://nginx.org/

From vbart at nginx.com Fri Nov 7 13:49:49 2014
From: vbart at nginx.com (Valentin V. Bartenev)
Date: Fri, 07 Nov 2014 16:49:49 +0300
Subject: SPDY inflate errors in nginx 1.7.4 - 1.7.7
In-Reply-To:
References: <2175642.tSbjL1VvHb@vbart-laptop>
Message-ID: <2789043.Ed0o9Y1dCH@vbart-workstation>

On Friday 07 November 2014 08:07:51 tunist wrote:
> i was having a lot of trouble with 302 errors initially and then later on
> was having slow TLS performance.. i had difficulty finding the right
> combination of buffer settings to get the site to run reliably and quickly.
> if i recall correctly, that was a field that i changed while i was in the
> process of stabilising the site. possibly there was no need to change that
> one and i just left the change in the file once the site stabilised.
>
> the lines in the current config are:
> large_client_header_buffers 2 1k;
> client_header_buffer_size 1k;
>
> i don't truly know how to set the values for these perfectly.
>
> do you recommend to remove 'large_client_header_buffers' completely? or
> change it?
> thanks
>
[..]

Yes, I recommend to remove it.

Most of the settings are more or less optimal by default.

  wbr, Valentin V.
Bartenev

From mdounin at mdounin.ru Fri Nov 7 14:01:53 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Fri, 7 Nov 2014 17:01:53 +0300
Subject: Handling redirects among upstream servers
In-Reply-To:
References:
Message-ID: <20141107140153.GG22132@mdounin.ru>

Hello!

On Fri, Nov 07, 2014 at 05:11:44AM -0500, zappa wrote:

> Hello,
>
> I'm trying to configure Nginx to access a cluster of application servers
> using a simple proxy with multiple application servers in the upstream. The
> application servers use a REST api for object storage and retrieval, and use
> 301 redirects among the nodes of the cluster for load balancing. A client
> can connect to server A, then get a redirect to server B, where the request
> will be handled.
>
> This fails when nginx is used as a proxy in this case:
>
> - the client connects through the proxy and gets connected to server A
>
> - A returns a 301 with one of the other servers in the Location header
>
> - Nginx rewrites the location header, so information about which node the
> client is supposed to connect to is lost
>
> Does Nginx offer a solution for this? Can nginx handle the 301 itself
> without the client ever knowing the redirect happened? Would it be possible
> to store the redirect into a client cookie which is read during the next
> request and forces nginx to connect to a particular upstream server?

In no particular order:

- You can avoid changes to the Location header, or control them as
  needed. The flexibility provided by the proxy_redirect directive
  should be enough to preserve information needed. See
  http://nginx.org/r/proxy_redirect for details.

- You can instruct nginx to forward requests to another node by
  itself, using the X-Accel-Redirect header. This may be a good
  solution if you are willing to rewrite application servers to
  use features provided by nginx.

- Redirections can be intercepted using the error_page and
  proxy_intercept_errors directives (I wouldn't recommend this
  though).
-- 
Maxim Dounin
http://nginx.org/

From devnull82 at gmail.com Fri Nov 7 14:34:48 2014
From: devnull82 at gmail.com (Andrea)
Date: Fri, 7 Nov 2014 15:34:48 +0100
Subject: nginx as pop3/imap proxy
Message-ID:

Hello,
I'm using with satisfaction nginx as pop3 and imap proxy of 4/5 mailservers.

I have just one problem:
when one server is down, nginx can't authenticate the user and the user
mail client request the password as if it's wrong.
Without nginx, if one server is down, the user just can't connect to it,
but there's not an authentication problem.

So, my question is:
is it possible to configure nginx to manage in some different way this kind
of situation? Best, but maybe not implementable, would be nginx to simulate
a fake connection even if the server is down, so when it comes up again the
user just see a delay with the received mails.

Thanks
Andrea

From mdounin at mdounin.ru Fri Nov 7 15:01:56 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Fri, 7 Nov 2014 18:01:56 +0300
Subject: nginx as pop3/imap proxy
In-Reply-To:
References:
Message-ID: <20141107150155.GJ22132@mdounin.ru>

Hello!

On Fri, Nov 07, 2014 at 03:34:48PM +0100, Andrea wrote:

> Hello,
> I'm using with satisfaction nginx as pop3 and imap proxy of 4/5 mailservers.
>
> I have just one problem:
> when one server is down, nginx can't authenticate the user and the user
> mail client request the password as if it's wrong.
> Without nginx, if one server is down, the user just can't connect to it,
> but there's not an authentication problem.
>
> So, my question is:
> is it possible to configure nginx to manage in some different way this kind
> of situation? Best, but maybe not implementable, would be nginx to simulate
> a fake connection even if the server is down, so when it comes up again the
> user just see a delay with the received mails.
As of now nginx tries to be as clear as possible that the problem
is not with an authentication. In particular, for IMAP it uses
the BAD response rather than NO:

http://tools.ietf.org/html/rfc3501#section-7.1.3

I don't think that such a distinction is possible with POP3
though, and also have no idea if mail clients are smart enough to
understand the difference in case of IMAP.

The idea to simulate a fake connection looks very wrong to me, but
something like closing a connection without returning anything may
work well. But I think we need more information about client
behaviour to find out what can/should be done here.

-- 
Maxim Dounin
http://nginx.org/

From nginx-forum at nginx.us Fri Nov 7 15:53:42 2014
From: nginx-forum at nginx.us (abstein2)
Date: Fri, 07 Nov 2014 10:53:42 -0500
Subject: map_hash_bucket_size, map_hash_max_size, and memory usage
In-Reply-To: <20141105122605.GA10189@mdounin.ru>
References: <20141105122605.GA10189@mdounin.ru>
Message-ID:

Thanks Maxim -- that's actually the page that has led me to ask these
questions. Since the content of that page is a bit general, I was hoping to
get some more specific detail about how all the pieces are connected so that
I could optimize my NGINX hash map setup as much as possible.

Thanks for any additional information you can provide!

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254572,254680#msg-254680

From nginx-forum at nginx.us Fri Nov 7 17:25:48 2014
From: nginx-forum at nginx.us (zappa)
Date: Fri, 07 Nov 2014 12:25:48 -0500
Subject: Handling redirects among upstream servers
In-Reply-To: <20141107140153.GG22132@mdounin.ru>
References: <20141107140153.GG22132@mdounin.ru>
Message-ID:

Unfortunately I'm not able to change the behaviour of the upstream servers,
these are a closed-source commercial product and come as-is.

I'll look into the proxy_redirect to see if I can preserve the server to
redirect to in some way, something like a GET argument or cookie.
I just found out about the Lua module as well. I'm pretty fluent at Lua so
I'll see if the module offers the tools to solve my problem - maybe I can
forge X-accel-redir headers before Nginx handles the response and trick it
into thinking these were generated by upstream.

Thank you,

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254664,254683#msg-254683

From nginx-forum at nginx.us Fri Nov 7 19:05:38 2014
From: nginx-forum at nginx.us (zappa)
Date: Fri, 07 Nov 2014 14:05:38 -0500
Subject: Handling redirects among upstream servers
In-Reply-To: <20141107140153.GG22132@mdounin.ru>
References: <20141107140153.GG22132@mdounin.ru>
Message-ID: <4650844c4b3264939542f0bff47b84d0.NginxMailingListEnglish@forum.nginx.org>

Btw, why is it you don't recommend using the error_page method?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254664,254684#msg-254684

From nginx-forum at nginx.us Fri Nov 7 22:52:31 2014
From: nginx-forum at nginx.us (jpherbst)
Date: Fri, 07 Nov 2014 17:52:31 -0500
Subject: nginx uwsgi connection timeout
Message-ID: <65cbdfc5ee2ac30dd8ab3d8818c26307.NginxMailingListEnglish@forum.nginx.org>

Hello,

I have nginx 1.6.1 setup in front of uwsgi 2.0.7 using uwsgi_pass, which has
been working very well for me except for one request. When I make the
failing request uwsgi processes the request and returns the response in less
than a second, but nginx just sits there with an open connection to uwsgi
eventually timing out after 60 seconds as if uwsgi did not send back a
complete request.

I have many other pages hosted on this server all of which work just fine,
both post and get requests. The one difference I have noticed about this
request is that the response is very small, 14 bytes of json. I have tried
using both chunked and not chunked (with content-length header) encoding,
they both yield the same result.
I tried adding "uwsgi_buffering off;" to my configuration, this allowed the
request to complete, but the next request hangs because nginx doesn't think
the previous request is finished and I only have one uwsgi worker.

Does anyone have any ideas about what could cause this?

Thanks for your time,
Jon

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254687,254687#msg-254687

From sven.koehler at gmail.com Sat Nov 8 00:47:33 2014
From: sven.koehler at gmail.com (Sven Köhler)
Date: Sat, 08 Nov 2014 02:47:33 +0200
Subject: Mail proxy with SNI
In-Reply-To: <20140515163445.GP1849@mdounin.ru>
References: <20140515163445.GP1849@mdounin.ru>
Message-ID:

Hi,

On 15.05.2014 at 19:34, Maxim Dounin wrote:
> On Thu, May 15, 2014 at 11:23:19AM -0400, salsaj wrote:
>
>> Is there any news on this? I would be interested to know if there are plans
>> to include this in nginx?
>
> As of now, there are no plans.

I'd also like to use SNI on port 587 (submission). I thought nginx could
proxy connections to postfix, which doesn't seem to support SNI either.

Regards,
Sven

From nginx-forum at nginx.us Sat Nov 8 02:17:18 2014
From: nginx-forum at nginx.us (cachito)
Date: Fri, 07 Nov 2014 21:17:18 -0500
Subject: How to follow request path within the config?
Message-ID:

Hello, I'm hitting my head against a wall since a couple days ago. Last
paragraph has the big question, the rest is context.

I run a fairly big Wordpress blog, with a somewhat convoluted configuration
rewriting legacy URLs that follow me since 2002. I use extensive caching via
plugins that pregenerate HTML on disk and I rewrite requests to serve HTML
instead of talking to PHP. Everything worked well until a domain change.

Yesterday after I replaced the domain in the various configuration files,
nginx started sending every request to the PHP processor.
The location / is pretty standard:

    location / {
        try_files cache_path$uri $uri $uri/ /index.php;
    }

Everything in the paths exists and has the correct permissions, but nginx
keeps sending everything through /index.php and killing my server via a
180-200 load average.

I tried everything googleable, but I can't detect WHY nginx goes that route.
The debug log shows a lot of not matching rules/regexes but there's nothing
I can do to follow the decision tree that nginx follows to end in PHP. Is
there anything I can do to at least simulate the directive processing?

Thanks in advance.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254690,254690#msg-254690

From reallfqq-nginx at yahoo.fr Sat Nov 8 02:31:59 2014
From: reallfqq-nginx at yahoo.fr (B.R.)
Date: Sat, 8 Nov 2014 03:31:59 +0100
Subject: URI rewriting based on arguments
Message-ID:

Hello,

Trying to rewrite an URI based on an argument, I cannot match it otherwise
than by using rewrite.

The problem is I fail to achieve a working recipe rewriting
example.com/watch?v=123456 to example.com/watch?vid=123456

rewrite ^/watch\?v=(?