From rpaprocki at fearnothingproductions.net Wed Oct 1 00:22:29 2014
From: rpaprocki at fearnothingproductions.net (Robert Paprocki)
Date: Tue, 30 Sep 2014 17:22:29 -0700
Subject: [nginx] list proxy_cache keys
Message-ID: <542B4945.2060309@fearnothingproductions.net>

Hello!

Is there a quick way to easily list all the keys stored in a proxy_cache memory zone? I would like to be able to list all cache elements without implementing a custom tracking solution. I looked through the source of both the proxy_cache facet, and FRiCKLE's purge module, but my C isn't strong enough to be able to thoroughly understand what's going on under the hood.

Any ideas/solutions?

From nginx-forum at nginx.us Wed Oct 1 03:38:59 2014
From: nginx-forum at nginx.us (martinproinity)
Date: Tue, 30 Sep 2014 23:38:59 -0400
Subject: Max File Size Allowed In Cache
In-Reply-To: <20140930120524.GC69200@mdounin.ru>
References: <20140930120524.GC69200@mdounin.ru>
Message-ID: <4b685c36f8e5de01523fb711904cc4af.NginxMailingListEnglish@forum.nginx.org>

Thanks Maxim. Is it possible to filter on a value "larger than" or "smaller than"? How would the regex in the map block look like? e.g. smaller than 1000000?

I tried something like this, which is not working:

    map $upstream_http_content_length $docache {
        default 0;
        "~*([1-9][0-9]{0,6}|1000)$" 1;
    }

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253260,253652#msg-253652

From nginx-forum at nginx.us Wed Oct 1 08:38:41 2014
From: nginx-forum at nginx.us (aytar)
Date: Wed, 01 Oct 2014 04:38:41 -0400
Subject: Wordpress white page
Message-ID: <5aa22b2fb33c254a9be53796f49707c2.NginxMailingListEnglish@forum.nginx.org>

Hello,

I have a problem with wordpress nginx

I use php-fpm, mysql, nginx, epel. And getting this problem:

imageurl: http://imgur.com/bm24mvj

If I reload page it works but if first time a user loads page it shows that but next visit it shows normal?

How can I fix this seems I cannot find the problem..

Somebody can help me?
Best regards
Aytar Verschuren

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253657,253657#msg-253657

From viktor at szepe.net Wed Oct 1 08:44:26 2014
From: viktor at szepe.net (Szépe Viktor)
Date: Wed, 01 Oct 2014 10:44:26 +0200
Subject: Wordpress white page
In-Reply-To: <5aa22b2fb33c254a9be53796f49707c2.NginxMailingListEnglish@forum.nginx.org>
References: <5aa22b2fb33c254a9be53796f49707c2.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20141001104426.Horde.adCKnyqCgYQiiPWWOhgu3Q2@szepe.net>

Good morning!

After seeing your image I think this problem is in your PHP code.
Maybe the "Content-Encoding: gzip" header is missing.

This has nothing to do with the nginx mailing list.
I gladly help you in PHP application problems.

Idézem/Quoting aytar:

> Hello,
>
> I have a problem with wordpress nginx

Szépe Viktor
--
+36-20-4242498
sms at szepe.net
skype: szepe.viktor
Budapest, XX. kerület

From nginx-forum at nginx.us Wed Oct 1 09:08:07 2014
From: nginx-forum at nginx.us (aytar)
Date: Wed, 01 Oct 2014 05:08:07 -0400
Subject: Wordpress white page
In-Reply-To: <5aa22b2fb33c254a9be53796f49707c2.NginxMailingListEnglish@forum.nginx.org>
References: <5aa22b2fb33c254a9be53796f49707c2.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

I haven't installed this package yet. Is that the problem?

Thanks!

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253657,253659#msg-253659

From nginx-forum at nginx.us Wed Oct 1 09:11:24 2014
From: nginx-forum at nginx.us (aytar)
Date: Wed, 01 Oct 2014 05:11:24 -0400
Subject: Wordpress white page
In-Reply-To: <20141001104426.Horde.adCKnyqCgYQiiPWWOhgu3Q2@szepe.net>
References: <20141001104426.Horde.adCKnyqCgYQiiPWWOhgu3Q2@szepe.net>
Message-ID: <768ad4cc9097f79513e687a3a67d7635.NginxMailingListEnglish@forum.nginx.org>

Hello,

Sorry for double post.. I'm using CentOS 6 with Nginx EPEL, PHP-FPM, But if you are saying Viktor, You should think I should enable it?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253657,253660#msg-253660

From viktor at szepe.net Wed Oct 1 09:18:48 2014
From: viktor at szepe.net (Szépe Viktor)
Date: Wed, 01 Oct 2014 11:18:48 +0200
Subject: Wordpress white page
In-Reply-To: <768ad4cc9097f79513e687a3a67d7635.NginxMailingListEnglish@forum.nginx.org>
References: <20141001104426.Horde.adCKnyqCgYQiiPWWOhgu3Q2@szepe.net> <768ad4cc9097f79513e687a3a67d7635.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20141001111848.Horde.WKFKxtPOZEhQb90jrBLpuA2@szepe.net>

This is not an nginx related problem.

Idézem/Quoting aytar:

> Hello,
>
> Sorry for double post.. I'm using CentOS 6 with Nginx EPEL, PHP-FPM, But if
> you are saying Viktor, You should think I should enable it?
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,253657,253660#msg-253660

Szépe Viktor
--
+36-20-4242498
sms at szepe.net
skype: szepe.viktor
Budapest, XX. kerület

From mdounin at mdounin.ru Wed Oct 1 11:24:44 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 1 Oct 2014 15:24:44 +0400
Subject: Max File Size Allowed In Cache
In-Reply-To: <4b685c36f8e5de01523fb711904cc4af.NginxMailingListEnglish@forum.nginx.org>
References: <20140930120524.GC69200@mdounin.ru> <4b685c36f8e5de01523fb711904cc4af.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20141001112444.GT69200@mdounin.ru>

Hello!

On Tue, Sep 30, 2014 at 11:38:59PM -0400, martinproinity wrote:

> Thanks Maxim. Is it possible to filter on a value "larger than" or "smaller
> than"? How would the regex in the map block look like? e.g. smaller than
> 1000000?
>
> I tried something like this, which is not working:
> map $upstream_http_content_length $docache {
> default 0;
> "~*([1-9][0-9]{0,6}|1000)$" 1;
> }

You've forgot start anchor.
Something like this should work to disable cache for responses with Content-Length larger than 1000000:

    map $upstream_http_content_length $nocache {
        default 1;
        "~^[0-9]{0,6}$" 0;
    }

    proxy_no_cache $nocache;

--
Maxim Dounin
http://nginx.org/

From nginx-forum at nginx.us Wed Oct 1 11:27:31 2014
From: nginx-forum at nginx.us (aytar)
Date: Wed, 01 Oct 2014 07:27:31 -0400
Subject: Wordpress white page
In-Reply-To: <20141001111848.Horde.WKFKxtPOZEhQb90jrBLpuA2@szepe.net>
References: <20141001111848.Horde.WKFKxtPOZEhQb90jrBLpuA2@szepe.net>
Message-ID:

Can you explain what I need to do in order to fix this? Some more information is welcome thanks.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253657,253663#msg-253663

From viktor at szepe.net Wed Oct 1 11:29:15 2014
From: viktor at szepe.net (Szépe Viktor)
Date: Wed, 01 Oct 2014 13:29:15 +0200
Subject: Wordpress white page
In-Reply-To:
References: <20141001111848.Horde.WKFKxtPOZEhQb90jrBLpuA2@szepe.net>
Message-ID: <20141001132915.Horde.Wwv2fwtfNjZzwR6xbjzD4Q2@szepe.net>

You can contact a PHP developer.

Idézem/Quoting aytar:

> Can you explain what I need to do in order to fix this? Some more
> information is welcome thanks.
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,253657,253663#msg-253663

Szépe Viktor
--
+36-20-4242498
sms at szepe.net
skype: szepe.viktor
Budapest, XX. kerület

From mayak at australsat.com Wed Oct 1 12:11:30 2014
From: mayak at australsat.com (mayak)
Date: Wed, 01 Oct 2014 14:11:30 +0200
Subject: nginx centos build only supports SSLv3 and ignores ssl_protocols
Message-ID: <20141001121133.E455CC6A02@ssw-uk.net>

hi all,

i have several nginx sites, and as i try to deploy ssl, i am having issues with `ssl_protocols`

...
    ssl on;
    ssl_certificate /etc/x509V6/domain.crt;
    ssl_certificate_key /etc/x509V6/domain.key;
    ssl_session_cache off;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;
...

this configuration can then be tested with: https://testssl.sh/testssl.sh

    SSLv2 NOT offered (ok)
    SSLv3 offered
    TLSv1 not offered
    TLSv1.1 not offered
    TLSv1.2 not offered
    SPDY/NPN http/1.1 (advertised)

so SSLv3 is still offered and SSLv1.2 is not offered.

any ideas on how to get the `ssl_protocols` to be parsed and respected by nginx?

thanks

m

From nginx-forum at nginx.us Wed Oct 1 12:33:08 2014
From: nginx-forum at nginx.us (mex)
Date: Wed, 01 Oct 2014 08:33:08 -0400
Subject: nginx centos build only supports SSLv3 and ignores ssl_protocols
In-Reply-To: <20141001121133.E455CC6A02@ssw-uk.net>
References: <20141001121133.E455CC6A02@ssw-uk.net>
Message-ID: <831f5cd1953f4c16de4451af14504c03.NginxMailingListEnglish@forum.nginx.org>

this probably depends on the underlying openssl-version from your os.
what does 'openssl version' says?

if you want nginx with newer openssl-version you can build a custom nginx with openssl statically linked

https://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/#workaround-for-outdated-openssl-versions

regards,

mex

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253665,253666#msg-253666

From ron.van.der.vegt at openindex.io Wed Oct 1 13:25:27 2014
From: ron.van.der.vegt at openindex.io (Ron van der Vegt)
Date: Wed, 01 Oct 2014 13:27:27 +0002
Subject: Trying to assemble logs through tcp, problems with multiple worker_processes
In-Reply-To: <1412085262.3688.0@mail.openindex.io>
References: <1412085262.3688.0@mail.openindex.io>
Message-ID: <1412169927.31816.0@mail.openindex.io>

Nevermind, I found the problem. It seems that netcat is not reliable when benchmarking. At some point it will just not read any incoming tcp packages. With wireshark I saw that the packages were sent without problems.

On di, sep 30, 2014 at 3:54, Ron van der Vegt wrote:

> Hi,
>
> I'm trying to collect access log by passing them with tcp to flume.
> But the two tools below I tried both give me the same symptoms, that
> it seems there is a race condition, when running nginx with multiple
> worker_processes:
>
> http://www.binpress.com/issue/possible-race-condition-while-nginx-is-running-on-more-workerprocesses/6955
> https://github.com/cloudflare/lua-resty-logger-socket/issues/13
>
> Anyone else have seen this problem, or maybe knows what is causing it?
>
> Thanks in advice,
>
> Ron

From mayak at australsat.com Wed Oct 1 14:39:10 2014
From: mayak at australsat.com (mayak)
Date: Wed, 01 Oct 2014 16:39:10 +0200
Subject: nginx centos build only supports SSLv3 and ignores ssl_protocols
In-Reply-To: <831f5cd1953f4c16de4451af14504c03.NginxMailingListEnglish@forum.nginx.org>
References: <20141001121133.E455CC6A02@ssw-uk.net> <831f5cd1953f4c16de4451af14504c03.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20141001143917.065B2C782D@ssw-uk.net>

On 10/01/2014 02:33 PM, mex wrote:

> this probably depends on the underlying openssl-version from your os.
> what does 'openssl version' says?
>
> if you want nginx with newer openssl-version you can build a custom nginx
> with
> openssl statically linked
>
> https://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/#workaround-for-outdated-openssl-versions
>
> regards,
>
> mex
>

hi mex,

thanks for your note -- i totally forgot to give specifics:

- CentOS 6.5, x64, totally up2date
- OpenSSL 1.0.1e-fips 11 Feb 2013
- nginx-1.6.2-1.el6.ngx.x86_64 (from nginx repo)
- openssl-1.0.1e-16.el6_5.15.x86_64
- openssl-devel-1.0.1e-16.el6_5.15.x86_64

i did rebuild your src rpm on my machine, and it still won't support any TLS versions ...

thanks

m

From luky-37 at hotmail.com Wed Oct 1 14:54:42 2014
From: luky-37 at hotmail.com (Lukas Tribus)
Date: Wed, 1 Oct 2014 16:54:42 +0200
Subject: nginx centos build only supports SSLv3 and ignores ssl_protocols
In-Reply-To: <20141001143917.065B2C782D@ssw-uk.net>
References: <20141001121133.E455CC6A02@ssw-uk.net>, <831f5cd1953f4c16de4451af14504c03.NginxMailingListEnglish@forum.nginx.org>, <20141001143917.065B2C782D@ssw-uk.net>
Message-ID:

> thanks for your note -- i totally forgot to give specifics:
>
> - CentOS 6.5, x64, totally up2date
> - OpenSSL 1.0.1e-fips 11 Feb 2013
> - nginx-1.6.2-1.el6.ngx.x86_64 (from nginx repo)
> - openssl-1.0.1e-16.el6_5.15.x86_64
> - openssl-devel-1.0.1e-16.el6_5.15.x86_64
>
> i did rebuild your src rpm on my machine, and it still won't support any TLS versions ...

post the output of the following commands:

    which nginx (use this path instead of /path/to/nginx)
    /path/to/nginx -V
    ldd /path/to/nginx

and specify if this is with your src build or with the prebuild binary.

From mayak at australsat.com Wed Oct 1 15:10:37 2014
From: mayak at australsat.com (mayak)
Date: Wed, 01 Oct 2014 17:10:37 +0200
Subject: nginx centos build only supports SSLv3 and ignores ssl_protocols
In-Reply-To:
References: <20141001121133.E455CC6A02@ssw-uk.net>, <831f5cd1953f4c16de4451af14504c03.NginxMailingListEnglish@forum.nginx.org>, <20141001143917.065B2C782D@ssw-uk.net>
Message-ID: <20141001151038.CC0B1C78F9@ssw-uk.net>

On 10/01/2014 04:54 PM, Lukas Tribus wrote:

>> thanks for your note -- i totally forgot to give specifics:
>>
>> - CentOS 6.5, x64, totally up2date
>> - OpenSSL 1.0.1e-fips 11 Feb 2013
>> - nginx-1.6.2-1.el6.ngx.x86_64 (from nginx repo)
>> - openssl-1.0.1e-16.el6_5.15.x86_64
>> - openssl-devel-1.0.1e-16.el6_5.15.x86_64
>>
>> i did rebuild your src rpm on my machine, and it still won't support any TLS versions ...
> post the output of the following commands:
> which nginx (use this path instead of /path/to/nginx)
> /path/to/nginx -V
> ldd /path/to/nginx
>
>
> and specify if this is with your src build or with the prebuild binary.
>

hi lukas,

here we go:

[root ~]# which /usr/sbin/nginx
/usr/sbin/nginx

[root ~]# /usr/sbin/nginx -V
nginx version: nginx/1.6.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_spdy_module --with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'

[root ~]# ldd /usr/sbin/nginx
    linux-vdso.so.1 => (0x00007fff1d5ff000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f5ca7ec3000)
    libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f5ca7c8c000)
    libpcre.so.0 => /lib64/libpcre.so.0 (0x00007f5ca7a5f000)
    libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f5ca77f3000)
    libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f5ca7413000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007f5ca720e000)
    libz.so.1 => /lib64/libz.so.1 (0x00007f5ca6ff8000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f5ca6c64000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f5ca80ea000)
    libfreebl3.so => /lib64/libfreebl3.so (0x00007f5ca69ec000)
    libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f5ca67a8000)
    libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f5ca64c2000)
    libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f5ca62bd000)
    libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f5ca6091000)
    libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f5ca5e86000)
    libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f5ca5c82000)
    libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f5ca5a68000)
    libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f5ca5848000)

cheers

m

From sarah at nginx.com Wed Oct 1 15:21:48 2014
From: sarah at nginx.com (Sarah Novotny)
Date: Wed, 1 Oct 2014 08:21:48 -0700
Subject: nginx.conf 2014 October 20-22 in San Francisco
Message-ID: <2603F7DC-B1E7-4C74-B1CE-A979A8C3B7AE@nginx.com>

Hello all!

nginx.conf 2014 is coming soon and best pricing and conference hotel rates expire October 3.

We're super excited about the speakers including Ilya Grigorik of Google, Adrian Cockcroft of Battery Ventures, Yichun Zhang (agentzh) and John Graham-Cumming of Cloud Flare, Chris Byron of Box and, of course, many of the core developers of NGINX. More speakers are here - http://nginx.com/nginxconf/speakers/

One of our team highlighted a short list of talks he's going to try to attend... perhaps they will pique your interest too?

> Building a low-latency WAF inside NGINX using Lua
> The Latest and Greatest from ngx_lua: New Features & Tools
> NGINX and Single sign-on Authentication in Under 150 Lines of Code
> Streaming File Decryption and Other Uses for NGINX at Box
> Performance Testing Crash Course
> Load Balancing a Dynamic Infrastructure with NGINX, Chef, and Confd
> From Zero to CDN in Two Days
> Large Scale NGINX Sharding at Spotify
> Surviving High Bursts of Traffic
> When Dynamic Becomes Static: The Next Step in Web Caching Techniques

You can check out the full schedule - http://nginx.busyconf.com/schedule#day_5392085d1ba4772c03000011

Please also use (and feel free to share) this code NGINXUG to get 25% off of the training and sessions.

Sarah

From nginx-forum at nginx.us Wed Oct 1 17:26:33 2014
From: nginx-forum at nginx.us (mex)
Date: Wed, 01 Oct 2014 13:26:33 -0400
Subject: nginx centos build only supports SSLv3 and ignores ssl_protocols
In-Reply-To: <20141001143917.065B2C782D@ssw-uk.net>
References: <20141001143917.065B2C782D@ssw-uk.net>
Message-ID: <189e3d3b17e042bf40ec4125e8476f52.NginxMailingListEnglish@forum.nginx.org>

btw, it seems impossible to have

    ...
    ssl_protocols TLSv1.2;
    ...

and a testresult of

    SSLv2 NOT offered (ok)
    SSLv3 offered
    TLSv1 not offered
    TLSv1.1 not offered
    TLSv1.2 not offered

are you sure you have tested the right machine?

i'd suggest you run the testssl.sh - script against https://localhost:443 on the machine where you build nginx.

iirc, openssl 1.0.1e should be able to provide tls 1.2, so it seems quite strange

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253665,253675#msg-253675

From luky-37 at hotmail.com Wed Oct 1 18:45:01 2014
From: luky-37 at hotmail.com (Lukas Tribus)
Date: Wed, 1 Oct 2014 20:45:01 +0200
Subject: nginx centos build only supports SSLv3 and ignores ssl_protocols
In-Reply-To: <189e3d3b17e042bf40ec4125e8476f52.NginxMailingListEnglish@forum.nginx.org>
References: <20141001143917.065B2C782D@ssw-uk.net>, <189e3d3b17e042bf40ec4125e8476f52.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

> btw, it seems impossible to have
>
> ...
> ssl_protocols TLSv1.2;
> ...
>
> and a testresult of
>
> SSLv2 NOT offered (ok)
> SSLv3 offered
> TLSv1 not offered
> TLSv1.1 not offered
> TLSv1.2 not offered

No, it's very possible. A SSL_CTX_set_ssl_version() call can fail, or the call itself can be #ifdef'ed out.

> iirc, openssl 1.0.1e should be able to provide tls 1.2, so
> it seems quite strange

It may be:
- the nginx centos 6 RPM is linked against openssl 0.9.8 AND
- when using a source build, you didn't stop and start the correct executable AND/OR
- you have some library mismatch/mess on your system

If you don't care about the possible mess on your system and want a fast fix, just build it statically, as previously suggested.

Regards,

Lukas

From mayak at australsat.com Wed Oct 1 20:45:59 2014
From: mayak at australsat.com (mayak)
Date: Wed, 01 Oct 2014 22:45:59 +0200
Subject: nginx centos build only supports SSLv3 and ignores ssl_protocols
In-Reply-To:
References: <20141001143917.065B2C782D@ssw-uk.net>, <189e3d3b17e042bf40ec4125e8476f52.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20141001204600.84AEEC7DD8@ssw-uk.net>

On 10/01/2014 08:45 PM, Lukas Tribus wrote:

>> btw, it seems impossible to have
>>
>> ...
>> ssl_protocols TLSv1.2;
>> ...
>>
>> and a testresult of
>>
>> SSLv2 NOT offered (ok)
>> SSLv3 offered
>> TLSv1 not offered
>> TLSv1.1 not offered
>> TLSv1.2 not offered
> No, it's very possible. A SSL_CTX_set_ssl_version() call can fail,
> or the call itself can be #ifdef'ed out.
>
>
>
>> iirc, openssl 1.0.1e should be able to provide tls 1.2, so
>> it seems quite strange
> It may be:
> - the nginx centos 6 RPM is linked against openssl 0.9.8 AND
> - when using a source build, you didn't stop and start the correct executable AND/OR
> - you have some library mismatch/mess on your system
>
>
> If you don't care about the possible mess on your system and want a fast fix,
> just build it statically, as previously suggested.
>
>
>
>

hi lukas, hi mex,

- there is definitely something strange -- this is a vanilla install -- for testing -- i installed apache on the same machine and ran it on port 444 for an ssl host. it works as expected. that would seem to indicate the ssl libraries, etc, are in good shape.

- if you point a mozilla firefox 32.0.3 to this site, you get:

> Secure Connection Failed
>
> An error occurred during a connection to domain.com. SSL peer selected a cipher suite disallowed for the selected protocol version. (Error code: ssl_error_cipher_disallowed_for_version)
>
> The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
> Please contact the website owners to inform them of this problem.

- i am going to generate some different certs -- mine are insane -- 4096 key, 4096 dh, sha512 sig -- perhaps the problem lies there. although, why would apache work and not nginx?

will report back tomorrow.

thanks!

m

From nginx-forum at nginx.us Wed Oct 1 21:30:04 2014
From: nginx-forum at nginx.us (jmobile)
Date: Wed, 01 Oct 2014 17:30:04 -0400
Subject: Safe log rotation
Message-ID: <060880401d0755daed0c039f39733db8.NginxMailingListEnglish@forum.nginx.org>

Hi,

I'd like to check how nginx handles command from http://wiki.nginx.org/LogRotation

    kill -USR1 `cat /var/run/nginx.pid`

I'm using it to recreate log files during rotation.

My question if any loglines can be lost in case time interval between physical log files rotation and USR1 is large enough, like seconds? Or if load is very high.

For example, while I was sending traffic to website with "ab -n 20 -c 10 http://test-s.mysite.com/static/99$i/logo/test.png > /dev/null 2>&1" in the loop, I executed on the web-server this

    tail -n 5 /mnt/vg0-lv0/access.log
    rm -rf /mnt/vg0-lv0/access.log
    sleep 15; sudo kill -USR1 `cat /var/run/nginx.pid`
    sleep 2
    head -n 5 /mnt/vg0-lv0/dj-access.log

2014-10-01T21:16:10+00:00,1412198170.957,10.120.71.11,"-","206.223.189.242",test-s.mysite.com,2486547,1,201,"-","-","-",-,"-","-","ApacheBench/2.3","-",HTTP/1.0,GET,http,/static/logo/test.png,"-",200,5676,5150,0.000,"-","-"
2014-10-01T21:16:10+00:00,1412198170.957,10.120.71.11,"-","206.223.189.242",test-s.mysite.com,2486548,1,240,"-","-","-",-,"-","-","ApacheBench/2.3","-",HTTP/1.0,GET,http,/static/logo/test.png,"-",200,5676,5150,0.000,"-","-"
2014-10-01T21:16:10+00:00,1412198170.958,10.120.71.11,"-","206.223.189.242",test-s.mysite.com,2486549,1,279,"-","-","-",-,"-","-","ApacheBench/2.3","-",HTTP/1.0,GET,http,/static/logo/test.png,"-",200,5676,5150,0.000,"-","-"
2014-10-01T21:16:10+00:00,1412198170.959,10.120.71.11,"-","206.223.189.242",test-s.mysite.com,2486550,1,318,"-","-","-",-,"-","-","ApacheBench/2.3","-",HTTP/1.0,GET,http,/static/logo/test.png,"-",200,5676,5150,0.000,"-","-"
2014-10-01T21:16:10+00:00,1412198170.964,10.120.71.11,"-","206.223.189.242",test-s.mysite.com,2486551,1,279,"-","-","-",-,"-","-","ApacheBench/2.3","-",HTTP/1.0,GET,http,/static/logo/test.png,"-",200,5676,5150,0.000,"-","-"
...
2014-10-01T21:16:27+00:00,1412198187.024,10.120.71.11,"-","206.223.189.242",test-s.mysite.com,2489854,1,162,"-","-","-",-,"-","-","ApacheBench/2.3","-",HTTP/1.0,GET,http,/static/logo/test.png,"-",200,5676,5150,0.000,"-","-"
2014-10-01T21:16:27+00:00,1412198187.024,10.120.71.11,"-","206.223.189.242",test-s.mysite.com,2489855,1,162,"-","-","-",-,"-","-","ApacheBench/2.3","-",HTTP/1.0,GET,http,/static/logo/test.png,"-",200,5676,5150,0.000,"-","-"
2014-10-01T21:16:27+00:00,1412198187.024,10.120.71.11,"-","206.223.189.242",test-s.mysite.com,2489856,1,162,"-","-","-",-,"-","-","ApacheBench/2.3","-",HTTP/1.0,GET,http,/static/logo/test.png,"-",200,5676,5150,0.000,"-","-"
2014-10-01T21:16:27+00:00,1412198187.024,10.120.71.11,"-","206.223.189.242",test-s.mysite.com,2489857,1,240,"-","-","-",-,"-","-","ApacheBench/2.3","-",HTTP/1.0,GET,http,/static/logo/test.png,"-",200,5676,5150,0.000,"-","-"
2014-10-01T21:16:27+00:00,1412198187.024,10.120.71.11,"-","206.223.189.242",test-s.mysite.com,2489858,1,279,"-","-","-",-,"-","-","ApacheBench/2.3","-",HTTP/1.0,GET,http,/static/logo/test.png,"-",200,5676,5150,0.000,"-","-"

As you can see, there is a gap in timestamps sequence.

Is there a way to make sure all log-lines are going to be written on a highly loaded web farm?

Thank you,
Roman Naumenko

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253681,253681#msg-253681

From steve at greengecko.co.nz Wed Oct 1 22:16:17 2014
From: steve at greengecko.co.nz (Steve Holdoway)
Date: Thu, 02 Oct 2014 11:16:17 +1300
Subject: nginx centos build only supports SSLv3 and ignores ssl_protocols
In-Reply-To: <20141001204600.84AEEC7DD8@ssw-uk.net>
References: <20141001143917.065B2C782D@ssw-uk.net> , <189e3d3b17e042bf40ec4125e8476f52.NginxMailingListEnglish@forum.nginx.org> <20141001204600.84AEEC7DD8@ssw-uk.net>
Message-ID: <1412201777.20902.18.camel@steve-new>

On Wed, 2014-10-01 at 22:45 +0200, mayak wrote:
> On 10/01/2014 08:45 PM, Lukas Tribus wrote:
> >> btw, it seems impossible to have
> >>
> >> ...
> >> ssl_protocols TLSv1.2;
> >> ...
> >>
> >> and a testresult of
> >>
> >> SSLv2 NOT offered (ok)
> >> SSLv3 offered
> >> TLSv1 not offered
> >> TLSv1.1 not offered
> >> TLSv1.2 not offered
> > No, it's very possible. A SSL_CTX_set_ssl_version() call can fail,
> > or the call itself can be #ifdef'ed out.
> >
> >
> >
> >> iirc, openssl 1.0.1e should be able to provide tls 1.2, so
> >> it seems quite strange
> > It may be:
> > - the nginx centos 6 RPM is linked against openssl 0.9.8 AND
> > - when using a source build, you didn't stop and start the correct executable AND/OR
> > - you have some library mismatch/mess on your system
> >
> >
> > If you don't care about the possible mess on your system and want a fast fix,
> > just build it statically, as previously suggested.
> >
> >
> >
> >
> hi lukas, hi mex,
>
> - there is definitely something strange -- this is a vanilla install -- for testing -- i installed apache on the same machine and ran it on port 444 for an ssl host. it works as expected. that would seem to indicate the ssl libraries, etc, are in good shape.
>
> - if you point a mozilla firefox 32.0.3 to this site, you get:
> > Secure Connection Failed
> >
> > An error occurred during a connection to domain.com. SSL peer selected a cipher suite disallowed for the selected protocol version. (Error code: ssl_error_cipher_disallowed_for_version)
> >
> > The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
> > Please contact the website owners to inform them of this problem.
> - i am going to generate some different certs -- mine are insane -- 4096 key, 4096 dh, sha512 sig -- perhaps the problem lies there. although, why would apache work and not nginx?
>
> will report back tomorrow.
>
> thanks!
>
> m
>

I find that https://www.ssllabs.com/ssltest/ provides a good breakdown of what a site is offering. I certainly used it to fine tune my SSL setup.

I generally use CentOS 6/Amazon, but do use the nginx repo when not building from source for pagespeed. This repo certainly offers all the way up to TLS 1.2 if enabled.

Cheers,

Steve

--
Steve Holdoway BSc(Hons) MIITP
http://www.greengecko.co.nz
Linkedin: http://www.linkedin.com/in/steveholdoway
Skype: sholdowa

From nginx-forum at nginx.us Thu Oct 2 01:01:03 2014
From: nginx-forum at nginx.us (martinproinity)
Date: Wed, 01 Oct 2014 21:01:03 -0400
Subject: Max File Size Allowed In Cache
In-Reply-To: <20141001112444.GT69200@mdounin.ru>
References: <20141001112444.GT69200@mdounin.ru>
Message-ID:

Thanks Martin! That works.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253260,253687#msg-253687

From mayak at australsat.com Thu Oct 2 06:00:34 2014
From: mayak at australsat.com (mayak)
Date: Thu, 02 Oct 2014 08:00:34 +0200
Subject: nginx centos build only supports SSLv3 and ignores ssl_protocols [solved -- found an issue in nginx]
In-Reply-To: <1412201777.20902.18.camel@steve-new>
References: <20141001143917.065B2C782D@ssw-uk.net> , <189e3d3b17e042bf40ec4125e8476f52.NginxMailingListEnglish@forum.nginx.org> <20141001204600.84AEEC7DD8@ssw-uk.net> <1412201777.20902.18.camel@steve-new>
Message-ID: <20141002060041.EE9C2C361F@ssw-uk.net>

hi all,

indeed -- i generated a new set of certs and tested:

a signature of sha256 results in TLSv* being offered
a signature of sha512 results in TLSv* _not_ being offered
certs with 4096 bit keys work fine

i suspect that there is a variable that is not long enough to support the signature ...

thanks!

m

From igor at sysoev.ru Thu Oct 2 06:39:07 2014
From: igor at sysoev.ru (Igor Sysoev)
Date: Thu, 2 Oct 2014 10:39:07 +0400
Subject: Safe log rotation
In-Reply-To: <060880401d0755daed0c039f39733db8.NginxMailingListEnglish@forum.nginx.org>
References: <060880401d0755daed0c039f39733db8.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <5547C53E-1C9A-48C0-ADC4-679BEEBCDA4C@sysoev.ru>

On 02 Oct 2014, at 01:30, jmobile wrote:

> Hi,
>
> I'd like to check how nginx handles command from
> http://wiki.nginx.org/LogRotation
> kill -USR1 `cat /var/run/nginx.pid`
>
> I'm using it to recreate log files during rotation.
>
> My question if any loglines can be lost in case time interval between
> physical log files rotation and USR1 is large enough, like seconds? Or if
> load is very high.
>
> For example, while I was sending traffic to website with "ab -n 20 -c 10
> http://test-s.mysite.com/static/99$i/logo/test.png > /dev/null 2>&1" in the
> loop, I executed on the web-server this
>
> tail -n 5 /mnt/vg0-lv0/access.log
> rm -rf /mnt/vg0-lv0/access.log
> sleep 15; sudo kill -USR1 `cat /var/run/nginx.pid`
> sleep 2
> head -n 5 /mnt/vg0-lv0/dj-access.log

This is not log rotation but log removal. Try this:

    mv /mnt/vg0-lv0/access.log /mnt/vg0-lv0/access.log.OLD
    sleep 15; sudo kill -USR1 `cat /var/run/nginx.pid`
    sleep 2
    head -n 5 /mnt/vg0-lv0/access.log

--
Igor Sysoev
Join us for nginx.conf 2014, October 20-22, San Francisco.
Get 25% off with code NGINXUG: http://nginx.com/nginxconf/

From oscaretu at gmail.com Thu Oct 2 07:08:24 2014
From: oscaretu at gmail.com (oscaretu .)
Date: Thu, 2 Oct 2014 09:08:24 +0200
Subject: Safe log rotation
In-Reply-To: <5547C53E-1C9A-48C0-ADC4-679BEEBCDA4C@sysoev.ru>
References: <060880401d0755daed0c039f39733db8.NginxMailingListEnglish@forum.nginx.org> <5547C53E-1C9A-48C0-ADC4-679BEEBCDA4C@sysoev.ru>
Message-ID:

I think you should remove the line:

    sleep 15

It doesn't do anything useful, it just delays the restart, so during 15 seconds the requests will end up being registered in the old log file

    mv /mnt/vg0-lv0/access.log /mnt/vg0-lv0/access.log.OLD
    sudo kill -USR1 `cat /var/run/nginx.pid`
    sleep 2
    head -n 5 /mnt/vg0-lv0/access.log

If I would do this in an interactive way, I'd prefer

    mv /mnt/vg0-lv0/access.log /mnt/vg0-lv0/access.log.OLD
    sudo kill -USR1 `cat /var/run/nginx.pid`
    sleep 2
    tail -f /mnt/vg0-lv0/access.log

because I see the log request in real time

On Thu, Oct 2, 2014 at 8:39 AM, Igor Sysoev wrote:

> On 02 Oct 2014, at 01:30, jmobile wrote:
>
> > Hi,
> >
> > I'd like to check how nginx handles command from
> > http://wiki.nginx.org/LogRotation
> > kill -USR1 `cat /var/run/nginx.pid`
> >
> > I'm using it to recreate log files during rotation.
> >
> > My question if any loglines can be lost in case time interval between
> > physical log files rotation and USR1 is large enough, like seconds? Or if
> > load is very high.
> >
> > For example, while I was sending traffic to website with "ab -n 20 -c 10
> > http://test-s.mysite.com/static/99$i/logo/test.png > /dev/null 2>&1" in the
> > loop, I executed on the web-server this
> >
> > tail -n 5 /mnt/vg0-lv0/access.log
> > rm -rf /mnt/vg0-lv0/access.log
> > sleep 15; sudo kill -USR1 `cat /var/run/nginx.pid`
> > sleep 2
> > head -n 5 /mnt/vg0-lv0/dj-access.log
>
> This is not log rotation but log removal. Try this:
>
> mv /mnt/vg0-lv0/access.log /mnt/vg0-lv0/access.log.OLD
> sleep 15;
> sudo kill -USR1 `cat /var/run/nginx.pid`
> sleep 2
> head -n 5 /mnt/vg0-lv0/access.log
>
>
> --
> Igor Sysoev
> Join us for nginx.conf 2014, October 20-22, San Francisco.
> Get 25% off with code NGINXUG: http://nginx.com/nginxconf/
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>

--
Oscar Fernandez Sierra
oscaretu at gmail.com

From igor at sysoev.ru Thu Oct 2 07:24:38 2014
From: igor at sysoev.ru (Igor Sysoev)
Date: Thu, 2 Oct 2014 11:24:38 +0400
Subject: Safe log rotation
In-Reply-To:
References: <060880401d0755daed0c039f39733db8.NginxMailingListEnglish@forum.nginx.org> <5547C53E-1C9A-48C0-ADC4-679BEEBCDA4C@sysoev.ru>
Message-ID:

On 02 Oct 2014, at 11:08, oscaretu . wrote:

> I think you should remove the line:
>
> sleep 15
>
> It doesn't do anything useful, it just delays the restart, so during 15 seconds the requests will end up being registered in the old log file

Of course this sleep is not required, it is just to see that nothing is lost during the sleep.

--
Igor Sysoev
Join us for nginx.conf 2014, October 20-22, San Francisco.
Get 25% off with code NGINXUG: http://nginx.com/nginxconf/

From nginx-forum at nginx.us Thu Oct 2 11:01:34 2014
From: nginx-forum at nginx.us (vicendominguez)
Date: Thu, 02 Oct 2014 07:01:34 -0400
Subject: nginx-1.7.6
In-Reply-To: <20140930140111.GG69200@mdounin.ru>
References: <20140930140111.GG69200@mdounin.ru>
Message-ID: <653baa44c1ebebd00e9d7208488e3238.NginxMailingListEnglish@forum.nginx.org>

I don't see any patch for the client body buffering ....mmm...

is this ticket still pending for 1.7.x
(http://trac.nginx.org/nginx/ticket/251) or is in this version???

if not, any date? This would be very interesting to know.

thx

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253626,253695#msg-253695

From bertrand.paquet at gmail.com Thu Oct 2 12:24:35 2014
From: bertrand.paquet at gmail.com (Bertrand Paquet)
Date: Thu, 2 Oct 2014 14:24:35 +0200
Subject: Distributed cache
Message-ID:

Hi,

I need to have the same cache content on every frontend nodes. I'm seeking
a solution to do what the nginx proxy cache does, but in a distributed way
: using memcached, riak or any another storage.

Do you know if it's possible with Nginx ? If not, do you know a solution
with other products ?

Regards,

Bertrand

From nginx-forum at nginx.us Thu Oct 2 12:34:38 2014
From: nginx-forum at nginx.us (idabic)
Date: Thu, 02 Oct 2014 08:34:38 -0400
Subject: Proxy_cache_methods and OPTIONS
In-Reply-To: <20140919074107.GT91749@mdounin.ru>
References: <20140919074107.GT91749@mdounin.ru>
Message-ID: <127d461a3a70469fed7edccda6c48ff2.NginxMailingListEnglish@forum.nginx.org>

Thanks for your answer, highly appreciated!

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253403,253702#msg-253702

From nginx-forum at nginx.us Thu Oct 2 12:48:07 2014
From: nginx-forum at nginx.us (idabic)
Date: Thu, 02 Oct 2014 08:48:07 -0400
Subject: encoded vs un-encoded URLs in requests are treated the same
Message-ID: <71946630a62d2445f5be096fc166e342.NginxMailingListEnglish@forum.nginx.org>

Hello!

How correct is the assumption that nginx will always treat Encoded URLs in
requests same as un-encoded unless processing of urls is manually overridden
by custom rules to intercept requests and change the cache key?

Note: nginx is configured as reverse proxy

Bottom line is, I have a client who needs to have urls like:

%2Fpath%2to%2Ffile.ext

treated differently than:

/path/to/file.ext

because origin is returning different content if url is encoded.

Any thoughts ?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253703,253703#msg-253703

From rob.stradling at comodo.com Thu Oct 2 12:49:05 2014
From: rob.stradling at comodo.com (Rob Stradling)
Date: Thu, 02 Oct 2014 13:49:05 +0100
Subject: nginx centos build only supports SSLv3 and ignores ssl_protocols[solved -- found an issue in nginx]
In-Reply-To: <20141002060041.EE9C2C361F@ssw-uk.net>
References: <20141001143917.065B2C782D@ssw-uk.net> , <189e3d3b17e042bf40ec4125e8476f52.NginxMailingListEnglish@forum.nginx.org><20141001204600.84AEEC7DD8@ssw-uk.net> <1412201777.20902.18.camel@steve-new> <20141002060041.EE9C2C361F@ssw-uk.net>
Message-ID: <542D49C1.6090800@comodo.com>

Hi. Visit https://www.ssllabs.com/ssltest/viewMyClient.html and check out "Protocol Details -> Signature algorithms". I expect you'll find that your browser doesn't offer SHA512/RSA.

Judging from a recent discussion on the IETF TLS list [1], there seems to be some confusion over whether the TLS signature_algorithms extension should 1) restrict the permitted certificate signature algorithms and the non-certificate uses of digital signatures in the TLS protocol or 2) only restrict the non-certificate uses of digital signatures in the TLS protocol.

Those taking view 2 don't offer SHA512/RSA because no cipher suites require it. I've concluded that, sadly, certs signed with SHA512/RSA basically don't work for TLS.

[1] http://www.ietf.org/mail-archive/web/tls/current/msg13606.html

On 02/10/14 07:00, mayak wrote:
> hi all,
>
> indeed -- i generated a new set of certs and tested:
>
> a signature of sha256 results in TLSv* being offered
> a signature of sha512 results in TLSv* _not_ being offered
> certs with 4096 bit keys work fine
>
> i suspect that there is a variable that is not long enough to support
> the signature ...
>
> thanks!
>
> m

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

From mdounin at mdounin.ru Thu Oct 2 13:05:24 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Thu, 2 Oct 2014 17:05:24 +0400
Subject: nginx-1.7.6
In-Reply-To: <653baa44c1ebebd00e9d7208488e3238.NginxMailingListEnglish@forum.nginx.org>
References: <20140930140111.GG69200@mdounin.ru> <653baa44c1ebebd00e9d7208488e3238.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20141002130524.GA69200@mdounin.ru>

Hello!

On Thu, Oct 02, 2014 at 07:01:34AM -0400, vicendominguez wrote:

> I don't see any patch for the client body buffering ....mmm...
>
> is this ticket still pending for 1.7.x
> (http://trac.nginx.org/nginx/ticket/251) or is in this version???
>
> if not, any date? This would be very interesting to know.

No ETA.

--
Maxim Dounin
http://nginx.org/

From wandenberg at gmail.com Thu Oct 2 13:09:22 2014
From: wandenberg at gmail.com (Wandenberg Peixoto)
Date: Thu, 2 Oct 2014 10:09:22 -0300
Subject: Distributed cache
In-Reply-To:
References:
Message-ID:

Take a look on SRCache module if it is suitable for you.

On Thu, Oct 2, 2014 at 9:24 AM, Bertrand Paquet wrote:

> Hi,
>
> I need to have the same cache content on every frontend nodes. I'm seeking
> a solution to do what the nginx proxy cache does, but in a distributed way
> : using memcached, riak or any another storage.
>
> Do you know if it's possible with Nginx ? If not, do you know a solution
> with other products ?
>
> Regards,
>
> Bertrand
>

From bertrand.paquet at gmail.com Thu Oct 2 13:16:19 2014
From: bertrand.paquet at gmail.com (Bertrand Paquet)
Date: Thu, 2 Oct 2014 15:16:19 +0200
Subject: Distributed cache
In-Reply-To:
References:
Message-ID:

It's exactly what I need.

Thx you.

Bertrand

On Thu, Oct 2, 2014 at 3:09 PM, Wandenberg Peixoto wrote:

> Take a look on SRCache module if
> it is suitable for you.
>
> On Thu, Oct 2, 2014 at 9:24 AM, Bertrand Paquet
> wrote:
>
>> Hi,
>>
>> I need to have the same cache content on every frontend nodes. I'm
>> seeking a solution to do what the nginx proxy cache does, but in a
>> distributed way : using memcached, riak or any another storage.
>>
>> Do you know if it's possible with Nginx ? If not, do you know a solution
>> with other products ?
>>
>> Regards,
>>
>> Bertrand
>>
>

From nginx-forum at nginx.us Thu Oct 2 14:51:25 2014
From: nginx-forum at nginx.us (mottycruz)
Date: Thu, 02 Oct 2014 10:51:25 -0400
Subject: Nginx 1.6.2 - Redirect users base on 4 digits number provide
Message-ID: <1c9ad3122933b9b507454f3e331102cf.NginxMailingListEnglish@forum.nginx.org>

Hello All,

I am trying to redirect users based on four digits number they provide. For
instance, if they provide a number 4024 they will be redirect to web server
name fly.fqdn.com, if digits are 5025 they will be directed to another web
server name guide.fqdn.com. is this possible? if so, can someone point to
instructions, I am confused. New to Nginx.

Thanks in advance,
Motty

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253708,253708#msg-253708

From semenukha at gmail.com Thu Oct 2 15:10:50 2014
From: semenukha at gmail.com (Styopa Semenukha)
Date: Thu, 02 Oct 2014 11:10:50 -0400
Subject: Nginx 1.6.2 - Redirect users base on 4 digits number provide
In-Reply-To: <1c9ad3122933b9b507454f3e331102cf.NginxMailingListEnglish@forum.nginx.org>
References: <1c9ad3122933b9b507454f3e331102cf.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <5212773.tsz4xLVlvR@tornado>

On Thursday, October 02, 2014 10:51:25 AM mottycruz wrote:
> Hello All,
>
> I am trying to redirect users based on four digits number they provide. For
> instance, if they provide a number 4024 they will be redirect to web server
> name fly.fqdn.com, if digits are 5025 they will be directed to another web
> server name guide.fqdn.com. is this possible? if so, can someone point to
> instructions, I am confused.
> New to Nginx.
>
> Thanks in advance,
> Motty
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,253708,253708#msg-253708

Probably http://nginx.org/r/map will come in handy. Depends on how many entries you expect to have.

--
Best regards,
Styopa Semenukha.

From nginx-forum at nginx.us Thu Oct 2 16:14:41 2014
From: nginx-forum at nginx.us (mottycruz)
Date: Thu, 02 Oct 2014 12:14:41 -0400
Subject: Nginx 1.6.2 - Redirect users base on 4 digits number provide
In-Reply-To: <5212773.tsz4xLVlvR@tornado>
References: <5212773.tsz4xLVlvR@tornado>
Message-ID: <35c98f2f7f465476186310a41c858b66.NginxMailingListEnglish@forum.nginx.org>

Thank you very much Styopa, I am working on server that was installed by
person no longer in the company. I don't know if Map modules was originally
installed. I am using Ubuntu 10.04.4 TLS.

here is part of my current configuration:

upstream backend {
    server alice.fqdn.com:80;
}

# Note: This following "server" section allows Secure SSL reverse proxy and controlled redirecting.
server {
    listen 443;
    server_name bob;
    ssl on;
    ssl_certificate /usr/local/nginx/certs/apps.fqdn.com.crt;
    ssl_certificate_key /usr/local/nginx/certs/bob-apps.key;
    server_name_in_redirect on;
    cust_app_version_routing_data_file /usr/local/nginx/conf/cust_app_version_routing.dat;
    cust_app_version_routing_apps app1,app2,app3;
    access_log logs/host.access.log main;

    proxy_intercept_errors on;
    error_page 404 /myportal/Account/LogOn;
    # Main location
    location / {

my question is can I add a second "upstream backend" and called "upstream
backend2"? I would like to route specific 4 digits number to "upstream
backend2"? would this be a possibility?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253708,253711#msg-253711

From nginx-forum at nginx.us Thu Oct 2 17:22:05 2014
From: nginx-forum at nginx.us (Kurogane)
Date: Thu, 02 Oct 2014 13:22:05 -0400
Subject: redirection issue
Message-ID: <143fd388c5f52536a9f882dd9a2bec9a.NginxMailingListEnglish@forum.nginx.org>

Hello All,

I am facing some issue regarding nginx redirection i'm unable to fix it. I
want to create redirect non www to www but always redirect me to
default_server how i can fix this issue.

This is what i have

server {
    listen 80 default_server;
    server_name localhost;
    root /home/nginx/default/public;

    ....
}


server {
    listen 80;
    server_name domain.com;
    return 301 $scheme://www.domain.com$request_uri;
    root /home/user/public_html;
    ....
}

When i go to domain.com or www.domain.com i got default document root

If i change server_name domain.com; to server_name domain.com
www.domain.com; i got redirect loop issue.

Then how i suppose to solve this problem.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253713,253713#msg-253713

From nurahmadie at gmail.com Thu Oct 2 17:26:45 2014
From: nurahmadie at gmail.com (Adie Nurahmadie)
Date: Fri, 3 Oct 2014 00:26:45 +0700
Subject: redirection issue
In-Reply-To: <143fd388c5f52536a9f882dd9a2bec9a.NginxMailingListEnglish@forum.nginx.org>
References: <143fd388c5f52536a9f882dd9a2bec9a.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

On Fri, Oct 3, 2014 at 12:22 AM, Kurogane wrote:

> Hello All,
>
> I am facing some issue regarding nginx redirection i'm unable to fix it. I
> want to create redirect non www to www but always redirect me to
> default_server how i can fix this issue.
>
> This is what i have
>
> server {
>     listen 80 default_server;
>     server_name localhost;
>     root /home/nginx/default/public;
>
>     ....
> }
>
>
> server {
>     listen 80;
>     server_name domain.com;
>     return 301 $scheme://www.domain.com$request_uri;
>     root /home/user/public_html;
>     ....
> }
>
> When i go to domain.com or www.domain.com i got default document root
>
> If i change server_name domain.com; to server_name domain.com
> www.domain.com; i got redirect loop issue.
>
> Then how i suppose to solve this problem.
>

Do you have another server block with `server_name www.domain.com` which supposed to handle the actual request?

>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,253713,253713#msg-253713
>

--
regards,
Nurahmadie
--

From mayak at australsat.com Thu Oct 2 17:32:54 2014
From: mayak at australsat.com (mayak)
Date: Thu, 02 Oct 2014 19:32:54 +0200
Subject: nginx centos build only supports SSLv3 and ignores ssl_protocols[solved -- found an issue in nginx]
In-Reply-To: <542D49C1.6090800@comodo.com>
References: <20141001143917.065B2C782D@ssw-uk.net> , <189e3d3b17e042bf40ec4125e8476f52.NginxMailingListEnglish@forum.nginx.org><20141001204600.84AEEC7DD8@ssw-uk.net> <1412201777.20902.18.camel@steve-new> <20141002060041.EE9C2C361F@ssw-uk.net> <542D49C1.6090800@comodo.com>
Message-ID: <20141002173303.31F1CC580F@ssw-uk.net>

On 10/02/2014 02:49 PM, Rob Stradling wrote:
> Hi. Visit https://www.ssllabs.com/ssltest/viewMyClient.html and check out "Protocol Details -> Signature algorithms". I expect you'll find that your browser doesn't offer SHA512/RSA.
>
> Judging from a recent discussion on the IETF TLS list [1], there seems to be some confusion over whether the TLS signature_algorithms extension should 1) restrict the permitted certificate signature algorithms and the non-certificate uses of digital signatures in the TLS protocol or 2) only restrict the non-certificate uses of digital signatures in the TLS protocol.
>
> Those taking view 2 don't offer SHA512/RSA because no cipher suites require it.
> I've concluded that, sadly, certs signed with SHA512/RSA basically don't work for TLS.
>
> [1] http://www.ietf.org/mail-archive/web/tls/current/msg13606.html

hi rob,

the `offer` was checked using `openssl` binary command within the https://testssl.sh/testssl.sh script -- the openssl binary is openssl-1.0.2-beta1

i agree -- nginx cannot handle an sha512 signed cert and will only offer sslv3. apache does offer tlsv1.* with an sha512 signature.

this question goes beyond my comprehension of ssl, so i am going to live with sha256 -- strong enough to quench my paranoiac thirst :-)

cheers

m

From nginx-forum at nginx.us Thu Oct 2 17:33:51 2014
From: nginx-forum at nginx.us (Kurogane)
Date: Thu, 02 Oct 2014 13:33:51 -0400
Subject: redirection issue
In-Reply-To:
References:
Message-ID: <6723094f1c0117a7bc86eb5395a13805.NginxMailingListEnglish@forum.nginx.org>

No.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253713,253715#msg-253715

From nurahmadie at gmail.com Thu Oct 2 17:39:46 2014
From: nurahmadie at gmail.com (Adie Nurahmadie)
Date: Fri, 3 Oct 2014 00:39:46 +0700
Subject: redirection issue
In-Reply-To: <6723094f1c0117a7bc86eb5395a13805.NginxMailingListEnglish@forum.nginx.org>
References: <6723094f1c0117a7bc86eb5395a13805.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

On Fri, Oct 3, 2014 at 12:33 AM, Kurogane wrote:

> No.
>

There is your problem, the config supposed to looks like this:

server {
    listen 80 default_server;
    server_name localhost;
    root /home/nginx/default/public;
}


server {
    listen 80;
    server_name domain.com;
    return 301 $scheme://www.domain.com$request_uri;
}

server {
    listen 80;
    server_name www.domain.com;
    root /home/user/public_html;

    # proceed with the rest of the config down here
    # ...
}

Also, it's not mandatory, but I think you should set the default_server on the www.domain.com server block instead of localhost.

Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,253713,253715#msg-253715
>

--
regards,
Nurahmadie
--

From nurahmadie at gmail.com Thu Oct 2 17:45:37 2014
From: nurahmadie at gmail.com (Adie Nurahmadie)
Date: Fri, 3 Oct 2014 00:45:37 +0700
Subject: redirection issue
In-Reply-To:
References: <6723094f1c0117a7bc86eb5395a13805.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

On Fri, Oct 3, 2014 at 12:39 AM, Adie Nurahmadie wrote:

>
> On Fri, Oct 3, 2014 at 12:33 AM, Kurogane wrote:
>
>> No.
>>
>
> There is your problem, the config supposed to looks like this:
>
> server {
>     listen 80 default_server;
>     server_name localhost;
>     root /home/nginx/default/public;
> }
>
>
> server {
>     listen 80;
>     server_name domain.com;
>     return 301 $scheme://www.domain.com$request_uri;
> }
>
> server {
>     listen 80;
>     server_name www.domain.com;
>     root /home/user/public_html;
>
>     # proceed with the rest of the config down here
>     # ...
> }
>
> Also, it's not mandatory, but I think you should set the default_server on
> the www.domain.com server block
> instead of localhost.
>
> Posted at Nginx Forum:
>> http://forum.nginx.org/read.php?2,253713,253715#msg-253715
>>
>
>
>
> --
> regards,
> Nurahmadie
> --
>

For reference, http://nginx.org/en/docs/http/converting_rewrite_rules.html

--
regards,
Nurahmadie
--

From semenukha at gmail.com Thu Oct 2 17:46:25 2014
From: semenukha at gmail.com (Styopa Semenukha)
Date: Thu, 02 Oct 2014 13:46:25 -0400
Subject: Nginx 1.6.2 - Redirect users base on 4 digits number provide
In-Reply-To: <35c98f2f7f465476186310a41c858b66.NginxMailingListEnglish@forum.nginx.org>
References: <5212773.tsz4xLVlvR@tornado> <35c98f2f7f465476186310a41c858b66.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <1457422.7Ddq5TuDVu@tornado>

On Thursday, October 02, 2014 12:14:41 PM mottycruz wrote:
> Thank you very much Styopa, I am working on server that was installed by
> person no longer in the company. I don't know if Map modules was originally
> installed. I am using Ubuntu 10.04.4 TLS.
>
> here is part of my current configuration:
>
> upstream backend {
>     server alice.fqdn.com:80;
> }
>
> # Note: This following "server" section allows Secure SSL reverse proxy and
> controlled redirecting.
> server {
>     listen 443;
>     server_name bob;
>     ssl on;
>     ssl_certificate /usr/local/nginx/certs/apps.fqdn.com.crt;
>     ssl_certificate_key /usr/local/nginx/certs/bob-apps.key;
>     server_name_in_redirect on;
>     cust_app_version_routing_data_file
>     /usr/local/nginx/conf/cust_app_version_routing.dat;
>     cust_app_version_routing_apps app1,app2,app3;
>     access_log logs/host.access.log main;
>
>     proxy_intercept_errors on;
>     error_page 404 /myportal/Account/LogOn;
>     # Main location
>     location / {
>
> my question is can I add a second "upstream backend" and called "upstream
> backend2"? I would like to route specific 4 digits number to "upstream
> backend2"? would this be a possibility?
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,253708,253711#msg-253711

There was a similar thread here:
http://forum.nginx.org/read.php?2,194480,194990#msg-194990

Hope this helps.

--
Best regards,
Styopa Semenukha.
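
[Added example, not part of the original thread and not mottycruz's or Styopa's configuration: one way the map directive suggested above can select a second upstream group. It assumes the four-digit number arrives as a query argument named "code" (the thread does not say where it comes from); the backend2 group and its server are hypothetical.]

```nginx
# These blocks belong inside the http {} context. ngx_http_map_module is part
# of the default nginx build, so no extra module has to be compiled in.

upstream backend {
    server alice.fqdn.com:80;
}

# Hypothetical second pool; guide.fqdn.com is the host named in the question.
upstream backend2 {
    server guide.fqdn.com:80;
}

# Fixed lookup table keyed on the client-supplied value (assumed: ?code=NNNN).
# The request only ever selects one of the names written here; a missing,
# malformed or unknown code falls through to the default, so the argument
# itself never reaches proxy_pass as free text.
map $arg_code $code_pool {
    default backend;
    4024    backend;
    5025    backend2;
}

server {
    listen 443 ssl;
    server_name bob;
    ssl_certificate     /usr/local/nginx/certs/apps.fqdn.com.crt;
    ssl_certificate_key /usr/local/nginx/certs/bob-apps.key;

    location / {
        # When proxy_pass contains a variable, nginx first searches the
        # declared upstream groups for the resulting name, so no resolver
        # directive is needed for "backend" and "backend2".
        proxy_pass http://$code_pool;
    }
}
```
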

From nginx-forum at nginx.us Thu Oct 2 17:46:48 2014
From: nginx-forum at nginx.us (Kurogane)
Date: Thu, 02 Oct 2014 13:46:48 -0400
Subject: redirection issue
In-Reply-To:
References:
Message-ID: <3328a0397c44e88010874e1d51d94b53.NginxMailingListEnglish@forum.nginx.org>

Thats working thanks!!

I set default_server in localhost because i want to show default page when
you go to http://1.2.3.4

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253713,253719#msg-253719

From nginx-forum at nginx.us Thu Oct 2 17:50:07 2014
From: nginx-forum at nginx.us (vicendominguez)
Date: Thu, 02 Oct 2014 13:50:07 -0400
Subject: nginx-1.7.6
In-Reply-To: <20141002130524.GA69200@mdounin.ru>
References: <20141002130524.GA69200@mdounin.ru>
Message-ID:

Ok.... ten-four. Thanks for answering.

I have make a fast "adaptation" to 1.7.6 of the yaoweibin's tengine patch:

https://github.com/vicendominguez/no_buffer_yaoweibin_nginx_patch

I have a very easy configuration in nginx but it is working very well for me.

Kind regards,

Vicente.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253626,253721#msg-253721

From nginx-forum at nginx.us Thu Oct 2 18:05:41 2014
From: nginx-forum at nginx.us (vicendominguez)
Date: Thu, 02 Oct 2014 14:05:41 -0400
Subject: nginx-1.7.6
In-Reply-To:
References: <20141002130524.GA69200@mdounin.ru>
Message-ID:

vicendominguez Wrote:
-------------------------------------------------------
>
> I have make a fast "adaptation" to 1.7.6 of the yaoweibin's tengine

I have made... :shame:

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253626,253724#msg-253724

From nginx-forum at nginx.us Thu Oct 2 21:31:36 2014
From: nginx-forum at nginx.us (jmobile)
Date: Thu, 02 Oct 2014 17:31:36 -0400
Subject: Safe log rotation
In-Reply-To: <5547C53E-1C9A-48C0-ADC4-679BEEBCDA4C@sysoev.ru>
References: <5547C53E-1C9A-48C0-ADC4-679BEEBCDA4C@sysoev.ru>
Message-ID:

Thanks Igor for pointing this out.

If file is renamed, would it guarantee that nginx continues writing to it
without interruption?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253681,253729#msg-253729

From nginx-forum at nginx.us Fri Oct 3 03:08:53 2014
From: nginx-forum at nginx.us (nikolaos2012)
Date: Thu, 02 Oct 2014 23:08:53 -0400
Subject: map $uri in 1.3.0+ NOT working in 1.6.0+
Message-ID: <62b451ac0670ec3483e5d924b5c5a71c.NginxMailingListEnglish@forum.nginx.org>

We have the following code that worked in 1.3.16....

# Map VWS URI's to HTTP ($use_secure=0), HTTPS ($use_secure=1) or keep same ($use_secure=2)
map $uri $use_secure {
    default 0;
    ~^/sites/ 2;
    ~^/account/ 1;
}

And this file for the main config that includes the map file:

include /srv/etc/web_x/nginx/include/example.org_prepend.conf;

server {
    listen 192.168.0.101:80;
    server_name p3.example.com;

    # If map says that this resource should be served over HTTPS (vs. HTTP) then redirect now
    if ($use_secure = 1) {
        return 301 https://securep3.example.com$request_uri;
    }
}

However in 1.6.0 and 1.6.1 $use_secure is ALWAYS 0 no matter what URI is
used. I have even tried using $request_uri instead of $uri and it still
won't work.

Why is this not backward compatible OR what am I doing wrong?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253733,253733#msg-253733

From igor at sysoev.ru Fri Oct 3 04:25:21 2014
From: igor at sysoev.ru (Igor Sysoev)
Date: Fri, 3 Oct 2014 08:25:21 +0400
Subject: Safe log rotation
In-Reply-To:
References: <5547C53E-1C9A-48C0-ADC4-679BEEBCDA4C@sysoev.ru>
Message-ID: <6D47EBCF-6336-49FD-8B8A-3AC96BD42BE3@sysoev.ru>

On 03 Oct 2014, at 01:31, jmobile wrote:

> Thanks Igor for pointing this out.
>
> If file is renamed, would it guarantee that nginx continues writing to it
> without interruption?

This is guaranteed by OS.

--
Igor Sysoev
Join us for nginx.conf 2014, October 20-22, San Francisco.
Get 25% off with code NGINXUG: http://nginx.com/nginxconf/

From nginx-forum at nginx.us Fri Oct 3 04:58:55 2014
From: nginx-forum at nginx.us (nikolaos2012)
Date: Fri, 03 Oct 2014 00:58:55 -0400
Subject: map $uri in 1.3.0+ NOT working in 1.6.0+
In-Reply-To: <62b451ac0670ec3483e5d924b5c5a71c.NginxMailingListEnglish@forum.nginx.org>
References: <62b451ac0670ec3483e5d924b5c5a71c.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <8f6f5905dbbd519ac4a6356a27fd410b.NginxMailingListEnglish@forum.nginx.org>

Turns out that this was a mis-configuration on our end and that it works
great in 1.6.0+

We had the issue on a test server that had 2 sites sharing the same IP
address but moreover both sites assigned the $use_secure variable so it was
being overwritten by the 2nd site and always set to 0 b/c of no match of a
URI with the 1st site against the 2nd site.

Resolution was simple... I just suffixed the variables appropriately for
each site... e.g. $use_secure_xx and $use_secure_yy and the problem went
away.

Wasted a lot of time trying to debug. Perhaps Nginx "can" be smarter and
catch such a situation (i.e. that 2 or more map directives set the same
variable) and perhaps issue a warning.

Either way though no big deal... it just was hard to pin down... as it
involved multiple file domain configs.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253733,253735#msg-253735

From nginx-forum at nginx.us Fri Oct 3 08:32:06 2014
From: nginx-forum at nginx.us (rapamiti)
Date: Fri, 03 Oct 2014 04:32:06 -0400
Subject: location filter
Message-ID: <51958647495b6c08ab8cb3b6a5b5d20d.NginxMailingListEnglish@forum.nginx.org>

Hi everybody,

i'm a newbie with nginx, i use nginx for static content and apache.

i use actually :
location ~* ^.+.(jpg|jpeg|gif|png|bmp|ico|pdf|flv|swf|exe|txt|css|js|xml|woff|eot|ttf|svg)$ {
and all is ok

but i want to remove from nginx a dynamic image, ex : logo_125_21.gif who is
generated by apache/php (with rewrite)
numbers are randoms.
so how can i modify the location line for exclude logo_*_*.gif please ?
all my tests failed.

Thanks

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253740,253740#msg-253740

From vbart at nginx.com Fri Oct 3 09:01:01 2014
From: vbart at nginx.com (Valentin V. Bartenev)
Date: Fri, 03 Oct 2014 13:01:01 +0400
Subject: map $uri in 1.3.0+ NOT working in 1.6.0+
In-Reply-To: <62b451ac0670ec3483e5d924b5c5a71c.NginxMailingListEnglish@forum.nginx.org>
References: <62b451ac0670ec3483e5d924b5c5a71c.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <1731594.HURCLO97h8@vbart-laptop>

On Thursday 02 October 2014 23:08:53 nikolaos2012 wrote:
> We have the following code that worked in 1.3.16....
>
>
> # Map VWS URI's to HTTP ($use_secure=0), HTTPS ($use_secure=1) or keep same
> ($use_secure=2)
> map $uri $use_secure {
>     default 0;
>     ~^/sites/ 2;
>     ~^/account/ 1;
> }
[..]

$uri in the "map" directive usually means that you're doing it wrong.

For mapping configuration on URIs there's special and highly optimized
directive, called "location".

The only reason to use map instead of location could be to save some
memory when you have thousands of URIs to map.

wbr, Valentin V. Bartenev

From francis at daoine.org Fri Oct 3 09:04:02 2014
From: francis at daoine.org (Francis Daly)
Date: Fri, 3 Oct 2014 10:04:02 +0100
Subject: location filter
In-Reply-To: <51958647495b6c08ab8cb3b6a5b5d20d.NginxMailingListEnglish@forum.nginx.org>
References: <51958647495b6c08ab8cb3b6a5b5d20d.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20141003090402.GV3771@daoine.org>

On Fri, Oct 03, 2014 at 04:32:06AM -0400, rapamiti wrote:

Hi there,

> i use actually :
> location ~*
> ^.+.(jpg|jpeg|gif|png|bmp|ico|pdf|flv|swf|exe|txt|css|js|xml|woff|eot|ttf|svg)$
> {
> and all is ok
>
> but i want to remove from nginx a dynamic image, ex : logo_125_21.gif who is
> generated by apache/php (with rewrite)
> numbers are randoms.

If I've understood you correctly:

See http://nginx.org/r/location and possibly
http://nginx.org/en/docs/http/request_processing.html#simple_php_site_configuration
and add a separate location that does match your urls -- something like
~logo.*gif$ -- that will apply before your current location.

	f
--
Francis Daly        francis at daoine.org

From gk at leniwiec.biz Fri Oct 3 09:42:23 2014
From: gk at leniwiec.biz (Grzegorz Kulewski)
Date: Fri, 03 Oct 2014 11:42:23 +0200
Subject: proxy_cache_bypass and cache refresh
Message-ID: <542E6F7F.4040806@leniwiec.biz>

Hello,

Is it true that a GET request that satisfies proxy_cache_bypass (and generates BYPASS cache status in the access log) should also refresh proxy cache for that URL?

There are several tutorials on the Internet that advise that it works. Also it was working for us before but stopped - either after nginx upgrade or after some configuration change - not sure right now.

We are currently running nginx 1.4.7.

Parts of configuration:

http {
    proxy_cache_path /var/cache/www levels=1:2 keys_zone=foo-cache:256m max_size=4g inactive=1h;
    proxy_cache_key "$host$request_uri";
    proxy_cache_lock on;
    proxy_cache_lock_timeout 120s;
    proxy_no_cache $upstream_http_x_bar_dont_cache_me $cookie_x_no_cache;
    proxy_cache_bypass $http_x_bar_cache_refresh $cookie_x_bar_no_cache;
}

location = / {
    proxy_pass http://foo_old_www;
    proxy_cache foo-cache;
    proxy_cache_valid 200 1h;
}

Request to refresh cache (I double checked that it generates a GET request and a cache status BYPASS):

curl -H 'X-Bar-Cache-Refresh: true' -D - 'http://www.foo.pl/'

Any idea why it doesn't work?

--
Grzegorz Kulewski

From nginx-forum at nginx.us Fri Oct 3 10:02:59 2014
From: nginx-forum at nginx.us (rapamiti)
Date: Fri, 03 Oct 2014 06:02:59 -0400
Subject: location filter
In-Reply-To: <20141003090402.GV3771@daoine.org>
References: <20141003090402.GV3771@daoine.org>
Message-ID: <45c465cb346c5c05fca61eac2bbc766b.NginxMailingListEnglish@forum.nginx.org>

hi, thanks

you right, so i must add a location like this :
location ~logo_(\d+)_(\d+).gif$ {

My regex is correct ? (ex: logo_5435_252.gif logo_25_1.gif etc..)

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253740,253745#msg-253745

From pasik at iki.fi Fri Oct 3 10:11:50 2014
From: pasik at iki.fi (Pasi Kärkkäinen)
Date: Fri, 3 Oct 2014 13:11:50 +0300
Subject: Proxy buffering
In-Reply-To: <20140509040751.GQ1849@mdounin.ru>
References: <20131219191515.GQ2924@reaktio.net> <0a700b459407088a28f7bedad1f94697.NginxMailingListEnglish@forum.nginx.org> <20140509040751.GQ1849@mdounin.ru>
Message-ID: <20141003101150.GH12451@reaktio.net>

On Fri, May 09, 2014 at 08:07:51AM +0400, Maxim Dounin wrote:
> Hello!
>
> On Thu, May 08, 2014 at 04:45:18AM -0400, JSurf wrote:
>
> > > I'll plan to work on this and related problems at the start of
> > > next year.
> > >
> >
> > Hi, is this still somewhere on the priority list ?
>
> Yes, it's still in the list.
>

Any updates about the no_buffer feature?

Would it make sense to merge the existing no_buffer patch as a baseline, and then add incremental fixes/enhancements over time?
(http://yaoweibin.cn/patches/nginx-1.4.2-no_buffer-v8.patch)

Thanks,

-- Pasi

> --
> Maxim Dounin
> http://nginx.org/
>

From braulio at eita.org.br Fri Oct 3 11:17:22 2014
From: braulio at eita.org.br (Bráulio Bhavamitra)
Date: Fri, 3 Oct 2014 08:17:22 -0300
Subject: Disable log for a specific server {}
Message-ID:

Hello all,

I use a setup of nginx(ssl)+varnish+nginx+proxy.
Because of this, the second nginx server should not log the request as it would duplicate on the logs. How to disable log for it?

cheers,
bráulio

--
"Fight for your ideology. Be one with your ideology. Live for your ideology. Die for your ideology" P.R. Sarkar

EITA - Educação, Informação e Tecnologias para Autogestão
http://cirandas.net/brauliobo
http://eita.org.br

"Paramapurusha is my father and Parama Prakriti is my mother. The universe is my home and all of us are citizens of this cosmos. This universe is the imagination of the Macrocosmic Mind, and all entities are being created, preserved and destroyed in the extroversion and introversion phases of the cosmic imaginative flow. On the personal level, when a person imagines something in their mind, at that moment that person is the sole owner of what they imagine, and no one else. When a mentally created human being walks through an equally imagined cornfield, the imagined person is not the proprietor of that cornfield, since it belongs to the individual who is imagining it. This universe was created in the imagination of Brahma, the Supreme Entity, so the ownership of this universe is Brahma's, and not that of the microcosms that were also created by Brahma's imagination. No property of this world, mutable or immutable, belongs to any particular individual; everything is the common heritage of all."
Rest of the text at http://cirandas.net/brauliobo/blog/a-problematica-de-hoje-em-dia

From vbart at nginx.com Fri Oct 3 11:22:02 2014
From: vbart at nginx.com (Valentin V. Bartenev)
Date: Fri, 03 Oct 2014 15:22:02 +0400
Subject: Disable log for a specific server {}
In-Reply-To:
References:
Message-ID: <4758257.7YMB0STr9D@vbart-laptop>

On Friday 03 October 2014 08:17:22 Bráulio Bhavamitra wrote:
> Hello all,
>
> I use a setup of nginx(ssl)+varnish+nginx+proxy. Because of this, the
> second nginx server should not log the request as it would duplicate on the
> logs.
How to disable log for it? > [..] access_log off; Please, look at the documentation: http://nginx.org/r/access_log wbr, Valentin V. Bartenev From nginx-forum at nginx.us Fri Oct 3 16:33:08 2014 From: nginx-forum at nginx.us (mottycruz) Date: Fri, 03 Oct 2014 12:33:08 -0400 Subject: Nginx 1.6.2 - Redirect users base on 4 digits number provide In-Reply-To: <1457422.7Ddq5TuDVu@tornado> References: <1457422.7Ddq5TuDVu@tornado> Message-ID: <8ce08ecdd3c2ff2398e4256a7ad7b077.NginxMailingListEnglish@forum.nginx.org> Thanks for the post, I am trying to install map module but I can't figure out how to compile nginx with map module, I did the following: ./configure --with-http_charset_module but get an error "invalid option". I would like to compile Nginx with upstread module as well, please help. Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253708,253752#msg-253752 From nginx-forum at nginx.us Fri Oct 3 16:43:29 2014 From: nginx-forum at nginx.us (nikolaos2012) Date: Fri, 03 Oct 2014 12:43:29 -0400 Subject: map $uri in 1.3.0+ NOT working in 1.6.0+ In-Reply-To: <1731594.HURCLO97h8@vbart-laptop> References: <1731594.HURCLO97h8@vbart-laptop> Message-ID: <788843893c1be7a41e353f9015f70f98.NginxMailingListEnglish@forum.nginx.org> Hi Valentin, I have read that I should be using the location directive unless I have numerous mappings in other places. In this case we have about a dozen mappings. But I am curious if I used the location directive what would the above mapping example translate to so that it results in a $use_secure variable that we can include in another file so that it can be used inside multiple server blocks. Why do we do it this way... b/c we have standardized templates for the core server blocks and mappings specific to the domain are prepended to the main file. Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253733,253749#msg-253749 From vbart at nginx.com Fri Oct 3 18:57:58 2014 From: vbart at nginx.com (Valentin V. 
Bartenev) Date: Fri, 03 Oct 2014 22:57:58 +0400 Subject: map $uri in 1.3.0+ NOT working in 1.6.0+ In-Reply-To: <788843893c1be7a41e353f9015f70f98.NginxMailingListEnglish@forum.nginx.org> References: <1731594.HURCLO97h8@vbart-laptop> <788843893c1be7a41e353f9015f70f98.NginxMailingListEnglish@forum.nginx.org> Message-ID: <2163930.TOnb5JNY69@vbart-laptop> On Friday 03 October 2014 12:43:29 nikolaos2012 wrote: > Hi Valentin, > > I have read that I should be using the location directive unless I have > numerous mappings in other places. > > In this case we have about a dozen mappings. > > But I am curious if I used the location directive what would the above > mapping example translate to so that it results in a $use_secure variable > that we can include in another file so that it can be used inside multiple > server blocks. [..] If I understand you case right, then it can be something like that: location /sites/ { return 301 https://secure$host$request_uri; } location /account/ { return 301 https://secure$host$request_uri; } wbr, Valentin V. Bartenev From semenukha at gmail.com Fri Oct 3 19:30:34 2014 From: semenukha at gmail.com (Styopa Semenukha) Date: Fri, 03 Oct 2014 15:30:34 -0400 Subject: Nginx 1.6.2 - Redirect users base on 4 digits number provide In-Reply-To: <8ce08ecdd3c2ff2398e4256a7ad7b077.NginxMailingListEnglish@forum.nginx.org> References: <1457422.7Ddq5TuDVu@tornado> <8ce08ecdd3c2ff2398e4256a7ad7b077.NginxMailingListEnglish@forum.nginx.org> Message-ID: <21730381.8GjbTcYIWU@tornado> Map and upstream are built by default, unless you removed them manually. You might want to grab pre-built packages from the vendor: http://wiki.nginx.org/Install , or from your OS repository. On Friday, October 03, 2014 12:33:08 PM mottycruz wrote: > Thanks for the post, I am trying to install map module but I can't figure > out how to compile nginx with map module, I did the following: ./configure > --with-http_charset_module but get an error "invalid option". 
> > I would like to compile Nginx with upstread module as well, please help. > > Posted at Nginx Forum: > http://forum.nginx.org/read.php?2,253708,253752#msg-253752 > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx -- Best regards, Styopa Semenukha. From francis at daoine.org Fri Oct 3 20:45:47 2014 From: francis at daoine.org (Francis Daly) Date: Fri, 3 Oct 2014 21:45:47 +0100 Subject: location filter In-Reply-To: <45c465cb346c5c05fca61eac2bbc766b.NginxMailingListEnglish@forum.nginx.org> References: <20141003090402.GV3771@daoine.org> <45c465cb346c5c05fca61eac2bbc766b.NginxMailingListEnglish@forum.nginx.org> Message-ID: <20141003204547.GW3771@daoine.org> On Fri, Oct 03, 2014 at 06:02:59AM -0400, rapamiti wrote: Hi there, > so i must add a location like this : > location ~logo_(\d+)_(\d+).gif$ { > > My regex is correct ? (ex: logo_5435_252.gif logo_25_1.gif etc..) That looks right to me -- it will match the examples you give; it will also match some others like logo_5435_252gif or logo_25_1Xgif; and it will not match logo_5435_252.GIF f -- Francis Daly francis at daoine.org From nginx-forum at nginx.us Sat Oct 4 04:20:25 2014 From: nginx-forum at nginx.us (nikolaos2012) Date: Sat, 04 Oct 2014 00:20:25 -0400 Subject: map $uri in 1.3.0+ NOT working in 1.6.0+ In-Reply-To: <2163930.TOnb5JNY69@vbart-laptop> References: <2163930.TOnb5JNY69@vbart-laptop> Message-ID: <51a38ef4c57a0ebffd01d799abaa0aac.NginxMailingListEnglish@forum.nginx.org> Hi Valentin, I am not sure that what you provided is exactly what I am trying to achieve. What I want is if someone hits port 80 (HTTP) with /account that they redirect to /account on port 443 (HTTPS). However, if they come in on port 443 (HTTPS) with /account that they remain on port 443 (HTTPS). Similar rules exist for keeping certain URI's on HTTP or allowing certain URIs to use HTTP/HTTPS (basically we don't care). 
With the example you provided I would need to embed these location directives into the respective Server sections of our main template file (unless I am missing something) and thus would introduce domain / application specific behaviour into the template VS. how we are doing it now in that application specific behaviour is limited to pre-pended or post-pended include files so as to create clean separation across multiple domains.

While the map directive may not be the most efficient it has the benefits of being the most compact, easiest to maintain and that it can be decoupled from our core common Nginx template files i.e. it can live outside the Server directive.

So at this point it's a tradeoff between simplicity and speed. Just how bad will the map (say about a dozen mappings) perform in comparison to location directives?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253733,253764#msg-253764

From bvasseur at siliconsalad.com Mon Oct 6 09:17:56 2014
From: bvasseur at siliconsalad.com (Benoit Vasseur)
Date: Mon, 6 Oct 2014 11:17:56 +0200
Subject: double slashes redirection
Message-ID:

Hi everybody,

I am in trouble with my nginx configuration.

My version of nginx is 1.1.19

My goal is to redirect http://example.com//site to http://example/site

My app is in Rails and I want to handle this redirect with Rack.

However I am not able to detect this "//" in the url.

Nginx sends to my app "/site" and not "//site".

Seeing that my rails app had not the right info I tried to handle this redirection at the nginx level but I had the same issue; I am not able to detect the "//".

I tried to deactivate the merge slashes option but it did not change anything

$uri and $request_uri still contained "/site" and not "//site"

Do you have any idea why the first slash is skipped?
I tried to follow some examples but nothing worked :/

http://rosslawley.co.uk/archive/old/2010/01/10/nginx-how-to-url-cleaning-removing/
http://bneijt.nl/blog/post/nginx-and-the-extra-slashes/

From reallfqq-nginx at yahoo.fr Mon Oct 6 10:09:05 2014
From: reallfqq-nginx at yahoo.fr (B.R.)
Date: Mon, 6 Oct 2014 12:09:05 +0200
Subject: double slashes redirection
In-Reply-To:
References:
Message-ID:

By default, nginx 'cleanses' the URI by decoding/correcting specific cases before matching it against a location. The multiple slashes are part of it. Read how location works.

I suppose the internal $uri variable holds what nginx uses for its logic, but in any case holds a decoded/corrected version of the URI.

If you *do not* want nginx to automatically try to correct multiple slashes, you can override the default configuration for the corresponding merge_slashes directive.

Be careful then: your locations won't match if they do not find any exact stanza suitable for them. ;o)
You will be up for the pain you asked for...
---
*B. R.*

On Mon, Oct 6, 2014 at 11:17 AM, Benoit Vasseur wrote:

> Hi everybody,
>
> I am in trouble with my nginx configuration.
>
> My version of nginx is 1.1.19
>
> My goal is to redirect http://example.com//site to http://example/site
>
> My app is in Rails and I want to handle this redirect with Rack.
>
> However I am not able to detect this "//" in the url.
>
> Nginx sends to my app "/site" and not "//site".
>
> Seeing that my rails app had not the right info I tried to handle this
> redirection at the nginx level but I had the same issue; I am not able to
> detect the "//".
>
> I tried to deactivate the merge slashes option but it did not change
> anything
>
> $uri and $request_uri still contained "/site" and not "//site"
>
> Do you have any idea why the first slash is skipped?
>
> I tried to follow some examples but nothing worked :/
>
>
> http://rosslawley.co.uk/archive/old/2010/01/10/nginx-how-to-url-cleaning-removing/
> http://bneijt.nl/blog/post/nginx-and-the-extra-slashes/

From multiformeingegno at gmail.com Mon Oct 6 13:28:06 2014
From: multiformeingegno at gmail.com (Lorenzo Raffio)
Date: Mon, 06 Oct 2014 06:28:06 -0700 (PDT)
Subject: Combine location blocks with same content
Message-ID: <1412602086748.a93472fc@Nodemailer>

location ^~ /categoria/personale-scolastico/area-docenti/ {
        auth_basic              "Restricted";
        auth_basic_user_file    /var/www/domain/.pswd_docenti;
        try_files               $uri $uri/ /index.php?$args;
        include                 /etc/nginx/conf/*.conf;
}

location ^~ /personale/ {
        auth_basic              "Restricted";
        auth_basic_user_file    /var/www/domain/.pswd_docenti;
        try_files               $uri $uri/ /index.php?$args;
        include                 /etc/nginx/conf/*.conf;
}

location ^~ /colloqui/bs-events {
        auth_basic              "Restricted";
        auth_basic_user_file    /var/www/domain/.pswd_docenti;
        try_files               $uri $uri/ /index.php?$args;
        include                 /etc/nginx/conf/*.conf;
}

Is there a way to combine these locations? The content of the blocks is the same...
I tried with location ^~ (/categoria/personale-scolastico/area-docenti/|/personale/|/colloqui/bs-events) but didn't work..
From reallfqq-nginx at yahoo.fr Mon Oct 6 15:24:47 2014
From: reallfqq-nginx at yahoo.fr (B.R.)
Date: Mon, 6 Oct 2014 17:24:47 +0200
Subject: Combine location blocks with same content
In-Reply-To: <1412602086748.a93472fc@Nodemailer>
References: <1412602086748.a93472fc@Nodemailer>
Message-ID:

The location directive documentation states that the '^~' modifier matches prefix locations, not regular expression ones, thus trying to use '^~' with a regular expression will most probably always end up in a failure.

Try to use the regular expression case-(in)sensitive modifier.
---
*B. R.*

On Mon, Oct 6, 2014 at 3:28 PM, Lorenzo Raffio wrote:

> location ^~ /categoria/personale-scolastico/area-docenti/ {
>         auth_basic "Restricted";
>         auth_basic_user_file /var/www/domain/.pswd_docenti;
>         try_files $uri $uri/ /index.php?$args;
>         include /etc/nginx/conf/*.conf;
> }
> location ^~ /personale/ {
>         auth_basic "Restricted";
>         auth_basic_user_file /var/www/domain/.pswd_docenti;
>         try_files $uri $uri/ /index.php?$args;
>         include /etc/nginx/conf/*.conf;
> }
>
> location ^~ /colloqui/bs-events {
>         auth_basic "Restricted";
>         auth_basic_user_file /var/www/domain/.pswd_docenti;
>         try_files $uri $uri/
> /index.php?$args;
>         include /etc/nginx/conf/*.conf;
> }
>
>
>
> Is there a way to combine these locations? The content of the blocks is
> the same...
> I tried with location ^~
> (/categoria/personale-scolastico/area-docenti/|/personale/|/colloqui/bs-events)
> but didn't work..
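
Added example (not part of the thread and not nginx code): a simplified Python model of the location selection rules documented at http://nginx.org/r/location, applied to the three auth_basic prefixes from the messages above. It shows that the `^~ (a|b|c)` attempt is a literal prefix that leaves those paths without auth_basic, and that a combined regex location only protects them if it is listed before other regex locations; the `/` and `\.php$` locations and the sample URIs are assumptions, they do not appear in the thread.

```python
import re

# Simplified model of nginx's documented location selection:
#   1. an "=" exact match wins immediately;
#   2. the longest matching prefix string is remembered; if it carries "^~",
#      regular expressions are not checked;
#   3. otherwise regex locations are tried in configuration order, first match wins;
#   4. if no regex matches, the remembered prefix location is used.
# Nested locations and URI normalisation are not modelled.

def select_location(locations, uri):
    """locations: list of (modifier, pattern) in config order; returns the winner or None."""
    for mod, pat in locations:
        if mod == "=" and uri == pat:
            return (mod, pat)
    best = None
    for mod, pat in locations:
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat)
    if best is not None and best[0] == "^~":
        return best
    for mod, pat in locations:
        if mod in ("~", "~*"):
            if re.search(pat, uri, re.IGNORECASE if mod == "~*" else 0):
                return (mod, pat)
    return best

# Paths from the thread that carry auth_basic.
PROTECTED_PREFIXES = [
    "/categoria/personale-scolastico/area-docenti/",
    "/personale/",
    "/colloqui/bs-events",
]
# The string tried in the thread; with "^~" it is a literal prefix, not a regex.
TRIED = "(/categoria/personale-scolastico/area-docenti/|/personale/|/colloqui/bs-events)"
# One way to write the combined regex location (an assumption, not from the thread).
COMBINED_RE = r"^/(categoria/personale-scolastico/area-docenti/|personale/|colloqui/bs-events)"

# Assumed (not in the thread): a catch-all "/" and a typical PHP regex location.
OTHER = [("", "/"), ("~", r"\.php$")]

CONFIGS = {
    "original":    OTHER + [("^~", p) for p in PROTECTED_PREFIXES],
    "tried":       OTHER + [("^~", TRIED)],
    "regex_last":  OTHER + [("~", COMBINED_RE)],
    "regex_first": [("~", COMBINED_RE)] + OTHER,
}

def is_protected(config_name, uri):
    """True if the selected location is one of those carrying auth_basic."""
    chosen = select_location(CONFIGS[config_name], uri)
    return chosen is not None and chosen[1] in PROTECTED_PREFIXES + [TRIED, COMBINED_RE]

# Constructed sample requests.
SAMPLE_URIS = ["/personale/elenco", "/personale/report.php",
               "/colloqui/bs-events", "/index.php"]

def audit():
    """Map config name -> {uri: bool} for the sample requests."""
    return {name: {uri: is_protected(name, uri) for uri in SAMPLE_URIS}
            for name in CONFIGS}

if __name__ == "__main__":
    for name, row in audit().items():
        for uri, ok in row.items():
            print(f"{name:12} {uri:28} {'auth_basic' if ok else 'NO AUTH'}")
```

After combining locations, requesting each formerly protected path without credentials and expecting a 401 confirms the result on the real server.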
From nginx-forum at nginx.us Mon Oct 6 16:24:35 2014
From: nginx-forum at nginx.us (mottycruz)
Date: Mon, 06 Oct 2014 12:24:35 -0400
Subject: Nginx 1.6.2 - Redirect users base on 4 digits number provide
In-Reply-To: <21730381.8GjbTcYIWU@tornado>
References: <21730381.8GjbTcYIWU@tornado>
Message-ID: <75f4e9c4207988483e97f3d399852e6e.NginxMailingListEnglish@forum.nginx.org>

Thanks for your help Styopa,

I was able to find modules installed on our current proxy with the following command, because we have a customized module.

:~# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/0.7.67
built by gcc 4.4.3 (Ubuntu 4.4.3-4ubuntu5.1)
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module --add-module=/home/ngx_http_cust_app_version_routing

I tried to redirect based on URL

for instance I tried:
Redirect ^/app2$ http://app2.server2.com;

but it does not seem to be working, I can't find much in the logs. Do you have any suggestions?

Thanks,
-Motty

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253708,253792#msg-253792

From shmick at riseup.net Mon Oct 6 18:25:31 2014
From: shmick at riseup.net (shmick at riseup.net)
Date: Tue, 07 Oct 2014 05:25:31 +1100
Subject: [calling all patch XPerts !] [PATCH] RSA+DSA+ECC bundles
In-Reply-To: <541DA019.6090000@riseup.net>
References: <5272D269.20203@comodo.com> <541C3B2B.1050002@comodo.com> <541C3F92.1060409@riseup.net> <541C42D9.2000207@comodo.com> <541DA019.6090000@riseup.net>
Message-ID: <5432DE9B.4040400@riseup.net>

calling all patch XPerts !
calling all patch XPerts !
is anybody out there able to update patch support for the latest nginx ?

shmick at riseup.net wrote:
> unfortunately this was as far as i got with version git
>
> $ patch -p0 < nginx_multiple_certs_and_stapling_V2.patch
> patching file a/src/event/ngx_event_openssl.c
> Hunk #1 succeeded at 96 with fuzz 2 (offset 12 lines).
> Hunk #2 succeeded at 162 (offset 14 lines).
> Hunk #3 FAILED at 191.
> Hunk #4 FAILED at 236.
> 2 out of 4 hunks FAILED -- saving rejects to file > a/src/event/ngx_event_openssl.c.rej > patching file a/src/event/ngx_event_openssl.h > Hunk #1 FAILED at 104. > Hunk #2 succeeded at 203 (offset 22 lines). > 1 out of 2 hunks FAILED -- saving rejects to file > a/src/event/ngx_event_openssl.h.rej > patching file a/src/event/ngx_event_openssl_stapling.c > Hunk #1 FAILED at 11. > Hunk #12 succeeded at 1793 (offset 13 lines). > 1 out of 12 hunks FAILED -- saving rejects to file > a/src/event/ngx_event_openssl_stapling.c.rej > patching file a/src/http/modules/ngx_http_ssl_module.c > Hunk #1 FAILED at 66. > Hunk #2 succeeded at 209 (offset 31 lines). > Hunk #3 FAILED at 404. > Hunk #4 FAILED at 463. > Hunk #5 FAILED at 550. > Hunk #6 succeeded at 702 (offset 110 lines). > Hunk #7 succeeded at 762 (offset 118 lines). > 4 out of 7 hunks FAILED -- saving rejects to file > a/src/http/modules/ngx_http_ssl_module.c.rej > patching file a/src/http/modules/ngx_http_ssl_module.h > Hunk #1 FAILED at 25. > 1 out of 1 hunk FAILED -- saving rejects to file > a/src/http/modules/ngx_http_ssl_module.h.rej > patching file a/src/mail/ngx_mail_ssl_module.c > Hunk #1 FAILED at 57. > Hunk #2 FAILED at 173. > Hunk #3 FAILED at 215. > Hunk #4 FAILED at 243. > 4 out of 4 hunks FAILED -- saving rejects to file > a/src/mail/ngx_mail_ssl_module.c.rej > patching file a/src/mail/ngx_mail_ssl_module.h > Hunk #1 FAILED at 27. > 1 out of 1 hunk FAILED -- saving rejects to file > a/src/mail/ngx_mail_ssl_module.h.rej > > > and this was as far as i got with version 1.6.2 just renaming dirs > > beyond that its all greek to me ... > > > $ patch -p0 < nginx_multiple_certs_and_stapling_V2.patch > patching file nginx-1.6.2/src/event/ngx_event_openssl.c > Hunk #1 succeeded at 86 with fuzz 2 (offset 2 lines). > Hunk #2 succeeded at 150 (offset 2 lines). > Hunk #3 FAILED at 191. > Hunk #4 succeeded at 240 (offset 4 lines). 
> 1 out of 4 hunks FAILED -- saving rejects to file > nginx-1.6.2/src/event/ngx_event_openssl.c.rej > patching file nginx-1.6.2/src/event/ngx_event_openssl.h > Hunk #1 succeeded at 108 (offset 4 lines). > Hunk #2 succeeded at 191 (offset 6 lines). > patching file nginx-1.6.2/src/event/ngx_event_openssl_stapling.c > Hunk #1 FAILED at 11. > Hunk #12 succeeded at 1791 (offset 11 lines). > 1 out of 12 hunks FAILED -- saving rejects to file > nginx-1.6.2/src/event/ngx_event_openssl_stapling.c.rej > patching file nginx-1.6.2/src/http/modules/ngx_http_ssl_module.c > Hunk #1 succeeded at 74 (offset 8 lines). > Hunk #2 succeeded at 200 (offset 22 lines). > Hunk #3 FAILED at 404. > Hunk #4 FAILED at 463. > Hunk #5 succeeded at 640 (offset 90 lines). > Hunk #6 succeeded at 677 (offset 92 lines). > Hunk #7 succeeded at 737 (offset 100 lines). > 2 out of 7 hunks FAILED -- saving rejects to file > nginx-1.6.2/src/http/modules/ngx_http_ssl_module.c.rej > patching file nginx-1.6.2/src/http/modules/ngx_http_ssl_module.h > Hunk #1 FAILED at 25. > 1 out of 1 hunk FAILED -- saving rejects to file > nginx-1.6.2/src/http/modules/ngx_http_ssl_module.h.rej > patching file nginx-1.6.2/src/mail/ngx_mail_ssl_module.c > Hunk #2 FAILED at 173. > Hunk #3 succeeded at 223 (offset 8 lines). > Hunk #4 succeeded at 253 (offset 8 lines). > 1 out of 4 hunks FAILED -- saving rejects to file > nginx-1.6.2/src/mail/ngx_mail_ssl_module.c.rej > patching file nginx-1.6.2/src/mail/ngx_mail_ssl_module.h > Hunk #1 succeeded at 27 with fuzz 1. > > From fletch at fletchowns.net Mon Oct 6 19:25:37 2014 From: fletch at fletchowns.net (Greg Barker) Date: Mon, 6 Oct 2014 12:25:37 -0700 Subject: SPDY connection was interrupted while downloading a file Message-ID: I'm using nginx 1.6.2 w/ SPDY to serve an autoindex of static files. After I start downloading a file, I can no longer access other pages on the site. I get a Firefox error message "The connection was interrupted" - a similar message appears in Chrome. 
If I do a CTRL+F5, then I can browse the site again while the download is going. Is this a limitation of using SPDY to serve static files? Is there a configuration parameter I need to adjust to avoid this issue? -------------- next part -------------- An HTML attachment was scrubbed... URL: From dol+list at cyon.ch Tue Oct 7 00:51:44 2014 From: dol+list at cyon.ch (Dominic) Date: Tue, 07 Oct 2014 02:51:44 +0200 Subject: Debian Package Rules as Mercurial repositories Message-ID: <54333920.5040602@cyon.ch> Dear List I'm looking for the Debian package rules. I could download the source file from http://nginx.org/packages/mainline/ubuntu/pool/nginx/n/nginx/. But I guess there is an non public repository, where the package rules are stored to build all the provided packages. Something like https://github.com/hhvm/packaging (Package rules for HHVM) would be nice to have. The reason for my question is, that I need to build nginx an older version of nginx, but the source package of this older version is not longer hosted on http://nginx.org/packages/. A solution to this problem might be an archive of the nginx builds at http://nginx.org/packages/ or a public repository for the build process. Regards Dominic From nginx-forum at nginx.us Tue Oct 7 01:06:19 2014 From: nginx-forum at nginx.us (imran_k) Date: Mon, 06 Oct 2014 21:06:19 -0400 Subject: nginx proxy being slow Message-ID: We are trying to act as a proxy for a site within the same DMZ. Things seem to work fine, except when there is quite a heavy load. There are many CSS assets that just hang upon retrieval. Sometimes the full page comes through; sometimes just spins forever. Server: nginx 1.6.1 running on Linux. Memory: 18Gb proxy_buffering on; proxy_buffers 256 8k; proxy_busy_buffers_size 64; proxy_temp_file_write_size 64; Under heavy loads, about 1500 requests a second, a page is not completely sent back to the browser as some of the CSS resources taking anywhere from 2 - 10 seconds to return. 
It will just spin until eventually it gets sent back. CPU and memory usage is not dramatically high. Smaller sites return without any issue at all. Do I have the buffering wrong or is there something else at play? Thank you Imran Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253796,253796#msg-253796 From semenukha at gmail.com Tue Oct 7 02:20:01 2014 From: semenukha at gmail.com (Styopa Semenukha) Date: Mon, 06 Oct 2014 22:20:01 -0400 Subject: Nginx 1.6.2 - Redirect users base on 4 digits number provide In-Reply-To: <75f4e9c4207988483e97f3d399852e6e.NginxMailingListEnglish@forum.nginx.org> References: <21730381.8GjbTcYIWU@tornado> <75f4e9c4207988483e97f3d399852e6e.NginxMailingListEnglish@forum.nginx.org> Message-ID: <1514629.vfAm8ZuhIA@hydra> On Monday, October 06, 2014 12:24:35 PM mottycruz wrote: > Thanks for your help Styopa, > > I was able to find modules installed on our current proxy with the following > command, because we have a customize module. > > :~# /usr/local/nginx/sbin/nginx -V > nginx version: nginx/0.7.67 > built by gcc 4.4.3 (Ubuntu 4.4.3-4ubuntu5.1) > TLS SNI support enabled > configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module > --add-module=/home/ngx_http_cust_app_version_routing > > I tried to redirect base on URL > > for instance I tried: > Redirect ^/app2$ http://app2.server2.com; > > but does not seem to be working, I can't find much in the logs. do you have > any suggestions? > > Thanks, > -Motty > > Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253708,253792#msg-253792 > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx Hello Motty, I'm a little bit confused by your question. If your goal is to serve different URLs by different backends, the config will look like this: location = /app2 { # this will strip "/app2" from the request to the backend # e.g. 
user request of: /app2/index.do?foo=bar # will be routed to app2 backend as: # /index.do?foo=bar proxy_pass http://app2.server2.com/; } If your goal is to return HTTP 301 permanent redirect, it will be: location = /app2 { return 301 $scheme://app2.server2.com/; } Please be sure to read the following info (it's pretty short actually): http://nginx.org/r/location http://nginx.org/r/proxy_pass Unfortunately, I'm not familiar with 3rd-party modules, so I cannot advise on them. -- Sincerely yours, Styopa Semenukha. From kyprizel at gmail.com Tue Oct 7 07:31:56 2014 From: kyprizel at gmail.com (kyprizel) Date: Tue, 7 Oct 2014 11:31:56 +0400 Subject: [calling all patch XPerts !] [PATCH] RSA+DSA+ECC bundles In-Reply-To: <5432DE9B.4040400@riseup.net> References: <5272D269.20203@comodo.com> <541C3B2B.1050002@comodo.com> <541C3F92.1060409@riseup.net> <541C42D9.2000207@comodo.com> <541DA019.6090000@riseup.net> <5432DE9B.4040400@riseup.net> Message-ID: Updating patch for the last nginx isn't a problem - we need to hear from Maxim what was the problem with old patch (it wasn't applied that time - why should by applied a new one?) to fix it. On Mon, Oct 6, 2014 at 10:25 PM, shmick at riseup.net wrote: > calling all patch XPerts ! > calling all patch XPerts ! > is anybody out there able to update patch support for the latest nginx ? > > shmick at riseup.net wrote: > > unfortunately this was as far as i got with version git > > > > $ patch -p0 < nginx_multiple_certs_and_stapling_V2.patch > > patching file a/src/event/ngx_event_openssl.c > > Hunk #1 succeeded at 96 with fuzz 2 (offset 12 lines). > > Hunk #2 succeeded at 162 (offset 14 lines). > > Hunk #3 FAILED at 191. > > Hunk #4 FAILED at 236. > > 2 out of 4 hunks FAILED -- saving rejects to file > > a/src/event/ngx_event_openssl.c.rej > > patching file a/src/event/ngx_event_openssl.h > > Hunk #1 FAILED at 104. > > Hunk #2 succeeded at 203 (offset 22 lines). 
> > 1 out of 2 hunks FAILED -- saving rejects to file > > a/src/event/ngx_event_openssl.h.rej > > patching file a/src/event/ngx_event_openssl_stapling.c > > Hunk #1 FAILED at 11. > > Hunk #12 succeeded at 1793 (offset 13 lines). > > 1 out of 12 hunks FAILED -- saving rejects to file > > a/src/event/ngx_event_openssl_stapling.c.rej > > patching file a/src/http/modules/ngx_http_ssl_module.c > > Hunk #1 FAILED at 66. > > Hunk #2 succeeded at 209 (offset 31 lines). > > Hunk #3 FAILED at 404. > > Hunk #4 FAILED at 463. > > Hunk #5 FAILED at 550. > > Hunk #6 succeeded at 702 (offset 110 lines). > > Hunk #7 succeeded at 762 (offset 118 lines). > > 4 out of 7 hunks FAILED -- saving rejects to file > > a/src/http/modules/ngx_http_ssl_module.c.rej > > patching file a/src/http/modules/ngx_http_ssl_module.h > > Hunk #1 FAILED at 25. > > 1 out of 1 hunk FAILED -- saving rejects to file > > a/src/http/modules/ngx_http_ssl_module.h.rej > > patching file a/src/mail/ngx_mail_ssl_module.c > > Hunk #1 FAILED at 57. > > Hunk #2 FAILED at 173. > > Hunk #3 FAILED at 215. > > Hunk #4 FAILED at 243. > > 4 out of 4 hunks FAILED -- saving rejects to file > > a/src/mail/ngx_mail_ssl_module.c.rej > > patching file a/src/mail/ngx_mail_ssl_module.h > > Hunk #1 FAILED at 27. > > 1 out of 1 hunk FAILED -- saving rejects to file > > a/src/mail/ngx_mail_ssl_module.h.rej > > > > > > and this was as far as i got with version 1.6.2 just renaming dirs > > > > beyond that its all greek to me ... > > > > > > $ patch -p0 < nginx_multiple_certs_and_stapling_V2.patch > > patching file nginx-1.6.2/src/event/ngx_event_openssl.c > > Hunk #1 succeeded at 86 with fuzz 2 (offset 2 lines). > > Hunk #2 succeeded at 150 (offset 2 lines). > > Hunk #3 FAILED at 191. > > Hunk #4 succeeded at 240 (offset 4 lines). 
> > 1 out of 4 hunks FAILED -- saving rejects to file > > nginx-1.6.2/src/event/ngx_event_openssl.c.rej > > patching file nginx-1.6.2/src/event/ngx_event_openssl.h > > Hunk #1 succeeded at 108 (offset 4 lines). > > Hunk #2 succeeded at 191 (offset 6 lines). > > patching file nginx-1.6.2/src/event/ngx_event_openssl_stapling.c > > Hunk #1 FAILED at 11. > > Hunk #12 succeeded at 1791 (offset 11 lines). > > 1 out of 12 hunks FAILED -- saving rejects to file > > nginx-1.6.2/src/event/ngx_event_openssl_stapling.c.rej > > patching file nginx-1.6.2/src/http/modules/ngx_http_ssl_module.c > > Hunk #1 succeeded at 74 (offset 8 lines). > > Hunk #2 succeeded at 200 (offset 22 lines). > > Hunk #3 FAILED at 404. > > Hunk #4 FAILED at 463. > > Hunk #5 succeeded at 640 (offset 90 lines). > > Hunk #6 succeeded at 677 (offset 92 lines). > > Hunk #7 succeeded at 737 (offset 100 lines). > > 2 out of 7 hunks FAILED -- saving rejects to file > > nginx-1.6.2/src/http/modules/ngx_http_ssl_module.c.rej > > patching file nginx-1.6.2/src/http/modules/ngx_http_ssl_module.h > > Hunk #1 FAILED at 25. > > 1 out of 1 hunk FAILED -- saving rejects to file > > nginx-1.6.2/src/http/modules/ngx_http_ssl_module.h.rej > > patching file nginx-1.6.2/src/mail/ngx_mail_ssl_module.c > > Hunk #2 FAILED at 173. > > Hunk #3 succeeded at 223 (offset 8 lines). > > Hunk #4 succeeded at 253 (offset 8 lines). > > 1 out of 4 hunks FAILED -- saving rejects to file > > nginx-1.6.2/src/mail/ngx_mail_ssl_module.c.rej > > patching file nginx-1.6.2/src/mail/ngx_mail_ssl_module.h > > Hunk #1 succeeded at 27 with fuzz 1. > > > > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mdounin at mdounin.ru Tue Oct 7 11:41:47 2014 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 7 Oct 2014 15:41:47 +0400 Subject: [calling all patch XPerts !] 
[PATCH] RSA+DSA+ECC bundles In-Reply-To: References: <5272D269.20203@comodo.com> <541C3B2B.1050002@comodo.com> <541C3F92.1060409@riseup.net> <541C42D9.2000207@comodo.com> <541DA019.6090000@riseup.net> <5432DE9B.4040400@riseup.net> Message-ID: <20141007114147.GK69200@mdounin.ru> Hello! On Tue, Oct 07, 2014 at 11:31:56AM +0400, kyprizel wrote: > Updating patch for the last nginx isn't a problem - we need to hear from > Maxim what was the problem with old patch (it wasn't applied that time - > why should by applied a new one?) to fix it. http://mailman.nginx.org/pipermail/nginx-devel/2013-November/004475.html -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Tue Oct 7 12:00:59 2014 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 7 Oct 2014 16:00:59 +0400 Subject: nginx proxy being slow In-Reply-To: References: Message-ID: <20141007120059.GL69200@mdounin.ru> Hello! On Mon, Oct 06, 2014 at 09:06:19PM -0400, imran_k wrote: > We are trying to act as a proxy for a site within the same DMZ. Things seem > to work fine, except when there is quite a heavy load. There are many CSS > assets that just hang upon retrieval. Sometimes the full page comes through; > sometimes just spins forever. > > Server: nginx 1.6.1 running on Linux. > Memory: 18Gb > > proxy_buffering on; > proxy_buffers 256 8k; > proxy_busy_buffers_size 64; Just a side note: using 64 bytes for proxy_busy_buffers_size looks like a bad idea. Additionally, it will be rejected by nginx as long as you use 8k proxy buffers. > proxy_temp_file_write_size 64; Same here. 64 bytes is way too low. > Under heavy loads, about 1500 requests a second, a page is not completely > sent back to the browser as some of the CSS resources taking anywhere from 2 > - 10 seconds to return. It will just spin until eventually it gets sent > back. CPU and memory usage is not dramatically high. Smaller sites return > without any issue at all. > > Do I have the buffering wrong or is there something else at play? 
First of all, you may want to find out what causes problems you observe. From your description I suspect you are actually debugging listen queue overflows. When using Linux with net.ipv4.tcp_abort_on_overflow set to 0 (which is the default) it is not trivial to debug unless you are looking closely into tcpdump and/or network stats (try looking into queue sizes in "ss -nlt").

--
Maxim Dounin
http://nginx.org/

From nginx-forum at nginx.us Tue Oct 7 14:00:10 2014
From: nginx-forum at nginx.us (imran_k)
Date: Tue, 07 Oct 2014 10:00:10 -0400
Subject: nginx proxy being slow
In-Reply-To: <20141007120059.GL69200@mdounin.ru>
References: <20141007120059.GL69200@mdounin.ru>
Message-ID: <6428c0403bf990bf3799c9d358c856d5.NginxMailingListEnglish@forum.nginx.org>

Thank you very much for your pointing this out.

What are some good starting points for these figures? Some posts I read even say to disable buffering...

The value for tcp_abort_on_overflow is set to 0 (in /proc/).

Thank you

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253796,253806#msg-253806

From shmick at riseup.net Tue Oct 7 14:03:02 2014
From: shmick at riseup.net (shmick at riseup.net)
Date: Wed, 08 Oct 2014 01:03:02 +1100
Subject: [calling all patch XPerts !] [PATCH] RSA+DSA+ECC bundles
In-Reply-To: <20141007114147.GK69200@mdounin.ru>
References: <5272D269.20203@comodo.com> <541C3B2B.1050002@comodo.com>
 <541C3F92.1060409@riseup.net> <541C42D9.2000207@comodo.com>
 <541DA019.6090000@riseup.net> <5432DE9B.4040400@riseup.net>
 <20141007114147.GK69200@mdounin.ru>
Message-ID: <5433F296.9000506@riseup.net>

Maxim Dounin wrote:
> Hello!
>
> On Tue, Oct 07, 2014 at 11:31:56AM +0400, kyprizel wrote:
>
>> Updating patch for the last nginx isn't a problem - we need to hear from
>> Maxim what was the problem with old patch (it wasn't applied that time -
>> why should be applied a new one?) to fix it.
>
> http://mailman.nginx.org/pipermail/nginx-devel/2013-November/004475.html

ok, so what is the plan for progression & inclusion ?
do you believe there is enough interest and is the idea supported ?
you think Rob's patch isn't feasible ?
is there anybody who can take over and have they ?

From trm.nagios at gmail.com Tue Oct 7 14:35:26 2014
From: trm.nagios at gmail.com (trm asn)
Date: Tue, 7 Oct 2014 20:05:26 +0530
Subject: Caching based on Content Size
Message-ID:

Hi List :

Is there any way to restrict object caching based on their sizes .

For example:

> 3mb pass through
<3 mb cache in Nginx

Any help/hint will be really appreciable .

Thanks,
tRM

From artemrts at ukr.net Tue Oct 7 16:09:33 2014
From: artemrts at ukr.net (wishmaster)
Date: Tue, 07 Oct 2014 19:09:33 +0300
Subject: Caching based on Content Size
In-Reply-To:
References:
Message-ID: <1412697889.331687312.8o7juldz@frv34.fwdcdn.com>

Hi,

what about $http_content_length and map this variable with directives $*_cache_bypass and $*_no_cache.

Cheers,
w

--- Original message ---
From: "trm asn"
Date: 7 October 2014, 17:35:41

> Hi List :
>
> Is there any way to restrict object caching bases on their sizes .
>
>
> For example:
>
>
> > 3mb pass through
> <3 mb cache in Nginx
>
>
> Any help/hint will be really appreciable .
>
>
> Thanks,
> tRM
>
>
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

From nginx-forum at nginx.us Wed Oct 8 02:42:28 2014
From: nginx-forum at nginx.us (keeyong)
Date: Tue, 07 Oct 2014 22:42:28 -0400
Subject: proxy_hide_header question
Message-ID:

I am using nginx as a reverse proxy and am trying to log some variables set by apache to nginx log. So certain HTTP response headers are set by apache (PHP) and then I log them successfully with $sent_http_* variables.
But then I don't want the info to be exposed to outside world so I tried to remove them by adding "proxy_hide_header". What happened is that it actually makes the variables empty so nothing is logged properly.

Is there any work-around for this? I want to remove the entries only for end users but I want to access them inside my nginx.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253819,253819#msg-253819

From francis at daoine.org Wed Oct 8 07:32:06 2014
From: francis at daoine.org (Francis Daly)
Date: Wed, 8 Oct 2014 08:32:06 +0100
Subject: proxy_hide_header question
In-Reply-To:
References:
Message-ID: <20141008073206.GZ3771@daoine.org>

On Tue, Oct 07, 2014 at 10:42:28PM -0400, keeyong wrote:

Hi there,

> I am using nginx as a reverse proxy and am trying to log some variables set
> by apache to nginx log. So certain HTTP response headers are set by apache
> (PHP) and then I log them successfully with $sent_http_* variables.

$sent_* refers to things sent to the client.

http://nginx.org/en/docs/http/ngx_http_core_module.html#variables

$upstream_* refers to things received from the upstream.

http://nginx.org/en/docs/http/ngx_http_upstream_module.html#variables

> But then I don't want the info to be exposed to outside world so I tried to
> remove them by adding "proxy_hide_header".

That means that it won't be sent to the client, so the $sent_* variable should be empty.

> I want to remove the entries only for end users but I
> want to access them inside my nginx.

Use the correct variable.

	f
--
Francis Daly        francis at daoine.org

From nginx-forum at nginx.us Wed Oct 8 10:22:35 2014
From: nginx-forum at nginx.us (paucorre)
Date: Wed, 08 Oct 2014 06:22:35 -0400
Subject: Reverse TLS proxy
Message-ID: <1ed37bb1449f8b1bb6b0946ce0d00ebb.NginxMailingListEnglish@forum.nginx.org>

Hi all,

I am very new to NGINX, but thought that it might be the best tool to achieve a reverse proxy ( in the DMZ ) for an internal HTTPS server.
Unfortunately it isn't working and I get a 502 Bad Gateway message. If I check in the error log I see :

2014/10/07 17:38:27 [crit] 2606#0: *1 connect() to 172.16.36.155:9999 failed (13: Permission denied) while connecting to upstream, client: 10.51.44.100, server: ping0a.cisco.net, request: "https://172.16.36.155:9999/pingfederate/app/", host: "ping0a.cisco.net:9999"

With a tcpdump in the HTTPS server that is in the internal LAN I don't see any traffic arriving ....

I have a split dns schema in my test, and the FQDN name in the internal HTTPS server is the same as the one in the DMZ ( ping0a.cisco.net ).

This is my configuration :

[root at ping0a nginx]# more nginx.conf

user nginx;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;

    keepalive_timeout 65;

    #gzip on;

    upstream backend {
        server 172.16.36.155:9999;
    }

    include /etc/nginx/conf.d/*.conf;
}

[root at ping0a conf.d]# more ping0a_ssl.conf

# HTTPS server
#
server {
    listen 9999 default ssl;
    index index.php index.html index.htm;
    server_name ping0a.cisco.net;

    ssl on;
    ssl_certificate /etc/pki/tls/certs/IdP.pem;
    ssl_certificate_key /etc/pki/tls/private/IdP.key;

    ssl_session_timeout 5m;

    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+EXP;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_store off;
        proxy_pass https://backend;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_ssl_verify off;
    }
}

From the hosts in the DMZ where NGINX is installed I can reach the internal HTTPS server:

[root at ping0a conf.d]# wget --no-check-certificate https://172.16.36.155:9999/pingfederate/app
--2014-10-08 11:20:25-- https://172.16.36.155:9999/pingfederate/app
Connecting to 172.16.36.155:9999... connected.
WARNING: certificate common name ‘ping0a.cisco.net’ doesn't match requested host name ‘172.16.36.155’.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘app’

    [ <=> ] 5,576 --.-K/s in 0s

2014-10-08 11:20:25 (45.8 MB/s) - ‘app’ saved [5576]

What is wrong in my configuration ?

Thank you,
Paulo

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253833,253833#msg-253833

From nginx-forum at nginx.us Wed Oct 8 15:36:32 2014
From: nginx-forum at nginx.us (keeyong)
Date: Wed, 08 Oct 2014 11:36:32 -0400
Subject: proxy_hide_header question
In-Reply-To: <20141008073206.GZ3771@daoine.org>
References: <20141008073206.GZ3771@daoine.org>
Message-ID: <19e973427e82f73984f41714ddd9b5db.NginxMailingListEnglish@forum.nginx.org>

Thanks. That was it!

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253819,253843#msg-253843

From duanemulder at rattyshack.ca Wed Oct 8 19:47:14 2014
From: duanemulder at rattyshack.ca (Rattyshack)
Date: Wed, 08 Oct 2014 15:47:14 -0400
Subject: Replacing part of a url string
In-Reply-To:
References:
Message-ID: <20141008194714.7749790.92420.2758@rattyshack.ca>

An HTML attachment was scrubbed...

From nginx-forum at nginx.us Wed Oct 8 21:21:15 2014
From: nginx-forum at nginx.us (pharasyte)
Date: Wed, 08 Oct 2014 17:21:15 -0400
Subject: Reverse TLS proxy
In-Reply-To: <1ed37bb1449f8b1bb6b0946ce0d00ebb.NginxMailingListEnglish@forum.nginx.org>
References: <1ed37bb1449f8b1bb6b0946ce0d00ebb.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

Hello,

Which distro are you using?

The first thing that comes to mind with this type of issue is that Selinux is enabled and blocking nginx from making connections to the upstream. You can test if this is the case by turning Selinux off and seeing if that resolves the issue.

This of course only applies to distros that enable Selinux by default (RHEL and crew for sure). I'm not sure if AppArmor can cause the same issues on Debian, but it might be worth looking into if that's what you're using.

-- Justin

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253833,253850#msg-253850

From multiformeingegno at gmail.com Thu Oct 9 00:32:51 2014
From: multiformeingegno at gmail.com (Lorenzo Raffio)
Date: Wed, 08 Oct 2014 17:32:51 -0700 (PDT)
Subject: Access logs hang
Message-ID: <1412814771142.91144148@Nodemailer>

From time to time access logs (for which I don't have a logrotation and manually rotate them) just "hang" and no lines are written. Same file and folder. No change in Nginx config! And the fact seems totally random, it's not related to file size, it happens to files some kilobytes long, and other with nearly 100 Mb of lines. As soon as I run "nginx -s reopen", they start working again. Any idea?

From multiformeingegno at gmail.com Thu Oct 9 00:35:48 2014
From: multiformeingegno at gmail.com (Lorenzo Raffio)
Date: Wed, 08 Oct 2014 17:35:48 -0700 (PDT)
Subject: Combine location blocks with same content
Message-ID: <1412814948298.8cbd9522@Nodemailer>

Thanks B.R., it works now. :-)

From pchychi at gmail.com Thu Oct 9 01:23:15 2014
From: pchychi at gmail.com (Payam Chychi)
Date: Wed, 08 Oct 2014 18:23:15 -0700
Subject: Reverse TLS proxy
In-Reply-To:
References: <1ed37bb1449f8b1bb6b0946ce0d00ebb.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <5435E383.9010905@gmail.com>

ip.forwarding on?

On 2014-10-08, 2:21 PM, pharasyte wrote:
> Hello,
>
> Which distro are you using?
>
> The first thing that comes to mind with this type of issue is that Selinux
> is enabled and blocking nginx from making connections to the upstream.
> You can test if this is the case by turning Selinux off and seeing if that
> resolves the issue.
>
> This of course only applies to distros that enable Selinux by default (RHEL
> and crew for sure). I'm not sure if AppArmor can cause the same issues on
> Debian, but it might be worth looking into if that's what you're using.
>
> -- Justin
>
> Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253833,253850#msg-253850
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

From reallfqq-nginx at yahoo.fr Thu Oct 9 06:40:43 2014
From: reallfqq-nginx at yahoo.fr (B.R.)
Date: Thu, 9 Oct 2014 08:40:43 +0200
Subject: Combine location blocks with same content
In-Reply-To: <1412814948298.8cbd9522@Nodemailer>
References: <1412814948298.8cbd9522@Nodemailer>
Message-ID:

I am glad to read that things are working out :o)
---
*B. R.*

On Thu, Oct 9, 2014 at 2:35 AM, Lorenzo Raffio wrote:

> Thanks B.R., it works now. :-)
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>

From reallfqq-nginx at yahoo.fr Thu Oct 9 06:54:59 2014
From: reallfqq-nginx at yahoo.fr (B.R.)
Date: Thu, 9 Oct 2014 08:54:59 +0200
Subject: Access logs hang
In-Reply-To: <1412814771142.91144148@Nodemailer>
References: <1412814771142.91144148@Nodemailer>
Message-ID:

From what you explain, that problem most probably comes from the way you actually do the log rotation.
I first suggest you read how nginx handles it on the nginx control docs .

It seems nginx is not able to find your old log file when you moved the old one.
You will notice that nginx keeps the old file open until a new one is opened, and you will notice that the old file must be *renamed* (thus, from what I understood, moving the file within the same filesystem is OK, since the inode remains the same, due to the file descriptor being open).

If you are unsure about the internals of *mv*, either use *rename* or ensure you do not move the file out of the log directory previous to having switched to the new one.
If you are running on another OS than GNU Linux, you will need to know what the file utilities you use actually do and seek for a way to rename the old log file without destroying the ability for nginx to keep the old file open, even with a new name.

Even if that part seems OK, ensure the 'reopen' command equals a USR1 signal and is sent to the master process.
Once the signal is issued, you can then move the old log file wherever you wish.
---
*B. R.*

On Thu, Oct 9, 2014 at 2:32 AM, Lorenzo Raffio wrote:

> From time to time access logs (for which I don't have a logrotation and
> manually rotate them) just "hang" and no lines are written. Same file and
> folder. No change in Nginx config! And the fact seems totally random, it's
> not related to file size, it happens to files some kilobytes long, and
> other with nearly 100 Mb of lines. As soon as I run "nginx -s reopen", they
> start working again. Any idea?
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>

From reallfqq-nginx at yahoo.fr Thu Oct 9 07:00:16 2014
From: reallfqq-nginx at yahoo.fr (B.R.)
Date: Thu, 9 Oct 2014 09:00:16 +0200
Subject: Access logs hang
In-Reply-To:
References: <1412814771142.91144148@Nodemailer>
Message-ID:

Btw, using the nginx packages automatically configure stuff to run out of the box, including the (r)syslog rotation configuration.
Here is an insight of the nginx log rotation configuration file:
https://unix.stackexchange.com/questions/106280/what-does-this-logrotate-nginx-config-do

If you are using GNU/Linux, (r)syslog is the most reliable/maintainable way of implementing any kind of rotation... ;o)
---
*B. R.*

On Thu, Oct 9, 2014 at 8:54 AM, B.R. wrote:

> From what you explain, that problem most probably come from the way you
> actually do the log rotation.
> I first suggest you read how nginx handle it on the nginx control docs
> .
>
> It seems nginx is not able to find your old log file when you moved the
> old one.
> You will notice that nginx keeps the old file open until a new one is
> opened, and you will notice that the old file must be *renamed* (thus,
> from what I understood, moving the file within the same filesystem is OK,
> since the inode remains the same, due to the file descriptor being open).
>
> If you are unsure about the internals of *mv*, either use *rename* or
> ensure you do not move the file out of the log directory previous to having
> switched to the new one.
> If you are running on another OS than GNU Linux, you will need to know
> what the file utilities you use actually do and seek for a way to rename
> the old log file without destroying the ability for nginx to keep the old
> file open, even with a new name.
>
> Even if that part seems OK, ensure the 'reopen' command equals a USR1
> signal and is sent to the master process.
> Once the signal is issued, you can then move the old log file wherever you
> wish.
> ---
> *B. R.*
>
> On Thu, Oct 9, 2014 at 2:32 AM, Lorenzo Raffio <
> multiformeingegno at gmail.com> wrote:
>
>> From time to time access logs (for which I don't have a logrotation and
>> manually rotate them) just "hang" and no lines are written. Same file and
>> folder. No change in Nginx config! And the fact seems totally random, it's
>> not related to file size, it happens to files some kilobytes long, and
>> other with nearly 100 Mb of lines.
>> As soon as I run "nginx -s reopen", they start working again. Any idea?
>>
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>

From multiformeingegno at gmail.com Thu Oct 9 07:57:22 2014
From: multiformeingegno at gmail.com (Lorenzo Raffio)
Date: Thu, 09 Oct 2014 00:57:22 -0700 (PDT)
Subject: access logs hang
Message-ID: <1412841442237.aec81d2c@Nodemailer>

Thanks for the reply. I compiled nginx from source, 1.7.5. I'm on Ubuntu 14.04. I know there's a log rotation function built-in but I prefer to work things out by myself. :D

So I created this script to automatically rotate my logs:

find /var/www/ -ipath */logs/access.log.gz -execdir mv "{}" "old/`date +\%G-\%m-\%d`-access.log.gz" \;
wait
/opt/nginx/sbin/nginx -s reopen

Maybe the problem is that logs get reopen before files are moved? But "wait" should deal with that..

From nginx-forum at nginx.us Thu Oct 9 11:10:31 2014
From: nginx-forum at nginx.us (hungnguyen)
Date: Thu, 09 Oct 2014 07:10:31 -0400
Subject: [nginx module] Save response into temp file
In-Reply-To:
References:
Message-ID: <56f8d5a615119547cef1790f887de6ce.NginxMailingListEnglish@forum.nginx.org>

Hello,

Sorry for my late reply.
Now I can be able to write file into disk and read from it without problem (csv file) by using this:

ngx_temp_file_t *tf;

tf = ngx_pcalloc(r->pool, sizeof (ngx_temp_file_t));
tf->file.fd = NGX_INVALID_FILE;
tf->file.log = nlog;
tf->path = clcf->client_body_temp_path;
tf->pool = r->pool;
tf->persistent = 1;
rc = ngx_create_temp_file(&tf->file, tf->path, tf->pool, tf->persistent, tf->clean, tf->access);
//ngx_write_chain_to_file(&tf->file, bucket->first, bucket->content_length, r->pool);
ngx_write_chain_to_temp_file(tf, bucket->first);

I set persistent to 1 and I can read from it. The problem is after reading file and processing it, I have to delete file manually. How can file can be delete automatically just after sending nginx's chain to next filter.

Other question: I write chain into file in order to read from it again. is it possible to use nginx's chain as a file buffer?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253477,253863#msg-253863

From theblessedadventhope at gmail.com Thu Oct 9 12:45:32 2014
From: theblessedadventhope at gmail.com (Steven Williams)
Date: Thu, 09 Oct 2014 07:45:32 -0500
Subject: uwsgi problems
Message-ID: <5436836C.4020502@gmail.com>

I have been trying to get nginx to talk to uwsgi to no avail. uwsgi works by itself as I can host it on port 80 on my local machine with no problems.
I have tried configuring nginx with the following variations:

# option 1
location / {
    include uwsgi_params;
    uwsgi_pass unix:/tmp/uwsgi.sock;
}

# option 2
location / {
    include uwsgi_params;
    uwsgi_pass unix:///tmp/uwsgi.sock;
}

# option 3
location / {
    include uwsgi_params;
    uwsgi_pass 127.0.0.1:3000;
}

These are the corresponding errors I get:

# option 1

# option 2
2014/10/08 14:24:39 [crit] 15736#0: *8 connect() to unix:///tmp/uwsgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: localhost, request: "GET / HTTP/1.1", upstream: "uwsgi://unix:///tmp/uwsgi.sock:", host: "127.0.0.1"

# option 3

--
Steven Williams
My PGP Key: http://pgp.mit.edu/pks/lookup?op=get&search=0xCACA6C74669A54FA

From nginx-forum at nginx.us Thu Oct 9 15:40:30 2014
From: nginx-forum at nginx.us (paucorre)
Date: Thu, 09 Oct 2014 11:40:30 -0400
Subject: Reverse TLS proxy
In-Reply-To:
References: <1ed37bb1449f8b1bb6b0946ce0d00ebb.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

Correct Justin...... beginners mistake ..... disabled the firewalld but forgot selinux ....... I install it in CentOS 7.0.
Do you know how to troubleshoot it when sometimes the proxy doesn't go through .... and other times works ??

Paulo

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253833,253871#msg-253871

From nginx-forum at nginx.us Thu Oct 9 15:41:42 2014
From: nginx-forum at nginx.us (paucorre)
Date: Thu, 09 Oct 2014 11:41:42 -0400
Subject: Reverse TLS proxy
In-Reply-To: <5435E383.9010905@gmail.com>
References: <5435E383.9010905@gmail.com>
Message-ID: <38e9fa6c29bcbf0381efff589de37333.NginxMailingListEnglish@forum.nginx.org>

Single nic deployed, the solution of Justin worked.

Thank you,
Paulo

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253833,253872#msg-253872

From fletch at fletchowns.net Thu Oct 9 17:49:38 2014
From: fletch at fletchowns.net (Greg Barker)
Date: Thu, 9 Oct 2014 10:49:38 -0700
Subject: uwsgi problems
In-Reply-To: <5436836C.4020502@gmail.com>
References: <5436836C.4020502@gmail.com>
Message-ID:

Option #2 should work, here's what I have for my uwsgi site. Double check your permissions on the directory the uwsgi.sock lives in.

My nginx conf:

location / {
    uwsgi_pass unix:///var/www/my_app/my_virtualenv/run/uwsgi.sock;
    include uwsgi_params;
}

Directory permissions:

$ ls -la /var/www/my_app/my_virtualenv/run/
total 12
drwxr-xr-x 2 www-data www-data 4096 Sep 29 13:03 .
drwxr-xr-x 7 www-data www-data 4096 Jul 22 23:05 ..
srwxr-xr-x 1 www-data www-data 0 Sep 29 13:03 uwsgi.sock

My vassal contains:

[uwsgi]
socket = /var/www/my_app/my_virtualenv/run/uwsgi.sock
uid = www-data
gid = www-data

On Thu, Oct 9, 2014 at 5:45 AM, Steven Williams <
theblessedadventhope at gmail.com> wrote:

> I have been trying to get nginx to talk to uwsgi to no avail. uwsgi
> works by itself as I can host it on port 80 on my local machine with no
> problems.
> I have tried configuring nginx with the following variations:
>
> # option 1
> location / {
> include uwsgi_params;
> uwsgi_pass unix:/tmp/uwsgi.sock;
> }
>
> # option 2
> location / {
> include uwsgi_params;
> uwsgi_pass unix:///tmp/uwsgi.sock;
> }
>
> # option 3
> location / {
> include uwsgi_params;
> uwsgi_pass 127.0.0.1:3000;
> }
>
> These are the corresponding errors I get:
>
> # option 1
>
> # option 2
> 2014/10/08 14:24:39 [crit] 15736#0: *8 connect() to
> unix:///tmp/uwsgi.sock failed (2: No such file or directory) while
> connecting to upstream, client: 127.0.0.1, server: localhost, request:
> "GET / HTTP/1.1", upstream: "uwsgi://unix:///tmp/uwsgi.sock:", host:
> "127.0.0.1"
>
> # option 3
>
>
> --
> Steven Williams
> My PGP Key: http://pgp.mit.edu/pks/lookup?op=get&search=0xCACA6C74669A54FA
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
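
[Added example, not part of any message in this thread.] The permission check suggested in the reply above can be scripted. The sketch below assumes Linux semantics, where connect() to a Unix-domain socket needs write permission on the socket file and search (x) permission on every directory leading to it, and it reports the same errno names nginx logs in this archive ("2: No such file or directory" is ENOENT, "13: Permission denied" is EACCES). The names diagnose_socket and allowed are hypothetical; only mode bits are inspected, so ACLs and SELinux policy are outside its scope.

```python
#!/usr/bin/env python3
"""Report why a user cannot connect() to a Unix-domain socket (Linux rules).

Usage: python3 check_sock.py /tmp/uwsgi.sock nginx
(the script name and the user name "nginx" are sample values; pass the
account your nginx worker processes actually run as)
"""
import errno
import os
import stat
import sys

SEARCH, WRITE = 1, 2  # the x and w bits inside one rwx triplet


def allowed(st, uid, gids, want):
    """Classic owner/group/other mode-bit check; uid 0 bypasses it."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        triplet = st.st_mode >> 6      # owner bits
    elif st.st_gid in gids:
        triplet = st.st_mode >> 3      # group bits
    else:
        triplet = st.st_mode           # other bits
    return (triplet & 7) & want == want


def diagnose_socket(path, uid, gids):
    """Return [(path, problem), ...]; an empty list means the mode bits let
    `uid` (member of `gids`) reach the socket at `path` and connect to it."""
    path = os.path.abspath(path)
    problems = []

    # Every directory from / down to the socket's parent needs search (x).
    dirs = ["/"]
    for name in os.path.dirname(path).strip("/").split("/"):
        if name:
            dirs.append(os.path.join(dirs[-1], name))
    for d in dirs:
        try:
            st = os.stat(d)
        except OSError as exc:
            code = errno.errorcode.get(exc.errno, str(exc.errno))
            return problems + [(d, code + ": cannot stat directory")]
        if not allowed(st, uid, gids, SEARCH):
            problems.append((d, "EACCES: no search (x) permission on directory"))

    # The socket itself must exist, be a socket, and be writable.
    try:
        st = os.stat(path)
    except OSError as exc:
        code = errno.errorcode.get(exc.errno, str(exc.errno))
        return problems + [(path, code + ": cannot stat socket")]
    if not stat.S_ISSOCK(st.st_mode):
        problems.append((path, "exists but is not a socket"))
    elif not allowed(st, uid, gids, WRITE):
        problems.append((path, "EACCES: no write (w) permission on socket"))
    return problems


if __name__ == "__main__":
    import pwd

    if len(sys.argv) != 3:
        sys.exit(__doc__)
    sock_path, user = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)
    groups = set(os.getgrouplist(user, pw.pw_gid))
    found = diagnose_socket(sock_path, pw.pw_uid, groups)
    for where, what in found:
        print("%s: %s" % (where, what))
    if not found:
        print("mode bits allow %s to connect to %s" % (user, sock_path))
    sys.exit(1 if found else 0)
```

A socket shown by ls as srwxr-xr-x and owned by a different account than the nginx worker is reported as missing write permission, while a path that does not exist from the caller's point of view is reported as ENOENT.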

From nginx-forum at nginx.us Thu Oct 9 18:11:13 2014
From: nginx-forum at nginx.us (paucorre)
Date: Thu, 09 Oct 2014 14:11:13 -0400
Subject: Reverse TLS proxy
In-Reply-To: <5435E383.9010905@gmail.com>
References: <5435E383.9010905@gmail.com>
Message-ID:

Single nic deployed, the solution of Justin worked.

Thank you,
Paulo

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253833,253873#msg-253873

From lists at ruby-forum.com Thu Oct 9 19:28:26 2014
From: lists at ruby-forum.com (Mapper Uno)
Date: Thu, 09 Oct 2014 21:28:26 +0200
Subject: Nginx error : open failed 2 no such file or directory
Message-ID: <13edd8302f493d62ba4ac7da73a89c1c@ruby-forum.com>

Hi,

I've written a small nginx module that serves files (with some extra functionality). When I access the files through HTTP POST, I get below error

[error] 2971#0: *184 open() "/home/user/build/default/main/nginx/extern-nginx-prefix/nginx/html/1/3/49123876" failed (2: No such file or directory), client: 127.0.0.1, server: localhost, request: "POST /1/3/49123876 HTTP/1.1", host: "localhost:9000"

HTTP client uses URI as 1/3/49123876. And the call is routed to my module correctly, however, the nginx log shows above error. I'm not sure why is nginx trying to look into /home/user/build/default/main/nginx/ ....

The module functions correctly and serves the files that are requested, however, why would I see above error then.

Here is my nginx config: Please note 'my_pass' directive for my module that handles the request.

worker_processes 1;
master_process off;
daemon off;
error_log stderr notice;

events {
    worker_connections 256;
}

http {
    default_type application/octet-stream;
    keepalive_timeout 60;
    client_body_in_single_buffer on;
    client_body_buffer_size 20m;
    client_max_body_size 20m;

    server {
        listen 9000;
        server_name localhost;

        location / {
            my_pass /home/ubuntu/mugen_config.json;
        }
    }
}

-----------------------------------

$ nginx -V
nginx version: ngx_openresty/1.4.3.6
TLS SNI support enabled
configure arguments: --prefix=/home/ubuntu/install/main/nginx/extern-nginx-prefix/nginx --with-debug --add-module=../ngx_devel_kit-0.2.19 --add-module=../echo-nginx-module-0.49 --add-module=../encrypted-session-nginx-module-0.03 --add-module=../auth-request-nginx-module-0.2 --with-ld-opt='-L/home/ubuntu/install/output/lib -L/usr/local/src/NetBSD/pkgsrc/2013/x86_64-Ubuntu12-Linux-GNU/lib -lstdc++ -Wl,-rpath,/home/ubuntu/install/output/lib:/usr/local/src/NetBSD/pkgsrc/2013/x86_64-Ubuntu12-Linux-GNU/lib' --without-http_gzip_module --without-http_userid_module --without-http_geo_module --without-http_map_module --without-http_uwsgi_module --without-http_scgi_module --without-http_memcached_module --without-http_limit_zone_module --without-http_empty_gif_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --add-module=/home/ubuntu/install/main/nginx/ngx_http_my_module --add-module=/home/ubuntu/install/main/nginx/ngx_http_dav_ext_module --with-http_ssl_module

--
Posted via http://www.ruby-forum.com/.

From theblessedadventhope at gmail.com Thu Oct 9 20:52:41 2014
From: theblessedadventhope at gmail.com (Steven Williams)
Date: Thu, 09 Oct 2014 15:52:41 -0500
Subject: uwsgi problems
In-Reply-To:
References: <5436836C.4020502@gmail.com>
Message-ID: <5436F599.5060607@gmail.com>

On 10/09/2014 12:49 PM, Greg Barker wrote:
> Option #2 should work, here's what I have for my uwsgi site.
> Double check your permissions on the directory the uwsgi.sock lives
> in.
>
> My nginx conf: location / { uwsgi_pass
> unix:///var/www/my_app/my_virtualenv/run/uwsgi.sock; include
> uwsgi_params; }

Changed my configuration to use the unix:/// notation. Still no change as I am getting a 50x type error.

>
> Directory permissions: $ ls -la /var/www/my_app/my_virtualenv/run/
> total 12 drwxr-xr-x 2 www-data www-data 4096 Sep 29 13:03 .
> drwxr-xr-x 7 www-data www-data 4096 Jul 22 23:05 .. srwxr-xr-x 1
> www-data www-data 0 Sep 29 13:03 uwsgi.sock

The permission bits match (755), but they are root. On my system (Fedora 20 on my laptop; CentOS 7 on my VPS) I do not have a www-data user or group.

> My vassal contains: [uwsgi] socket =
> /var/www/my_app/my_virtualenv/run/uwsgi.sock uid = www-data gid =
> www-data

I don't have a vassal setup, but that doesn't make a huge difference for just testing does it?

Is there a good, current thorough guide that I can follow?

Steven Williams
My PGP Key: http://pgp.mit.edu/pks/lookup?op=get&search=0xCACA6C74669A54FA

From fletch at fletchowns.net Thu Oct 9 21:52:59 2014
From: fletch at fletchowns.net (Greg Barker)
Date: Thu, 9 Oct
 2014 14:52:59 -0700
Subject: uwsgi problems
In-Reply-To: <5436F599.5060607@gmail.com>
References: <5436836C.4020502@gmail.com> <5436F599.5060607@gmail.com>
Message-ID:

Shouldn't matter that you don't have a www-data user, that just happens to be the one I am using. I am running uwsgi in emperor mode so my worker processes have that uid

$ ps aux | grep uwsgi
root 798 0.0 0.0 31748 2296 ? Ss Sep29 0:24 /var/www/my_app/my_virtualenv/bin/uwsgi --emperor /var/www/my_app/my_virtualenv/vassals
www-data 805 0.0 0.4 110688 16944 ? S Sep29 0:35 /var/www/my_app/my_virtualenv/bin/uwsgi --ini www.myapp.com.ini
www-data 898 1.2 5.5 413076 213776 ? S Sep29 189:06 /var/www/my_app/my_virtualenv/bin/uwsgi --ini www.myapp.com.ini

I also don't think it matters that you don't have a vassal setup, probably doesn't make a big difference just for testing stuff out. Perhaps you need to try messing with the chmod-socket parameter? I'm not sure.

I don't know of a good guide to follow, I had to piece mine together from a bunch of different guides of varying quality until I got it working.

Greg

On Thu, Oct 9, 2014 at 1:52 PM, Steven Williams <
theblessedadventhope at gmail.com> wrote:

> On 10/09/2014 12:49 PM, Greg Barker wrote:
> > Option #2 should work, here's what I have for my uwsgi site.
> > Double check your permissions on the directory the uwsgi.sock lives
> > in.
> >
> > My nginx conf: location / { uwsgi_pass
> > unix:///var/www/my_app/my_virtualenv/run/uwsgi.sock; include
> > uwsgi_params; }
>
> Changed my configuration to use the unix:/// notation. Still no change
> as I am getting a 50x type error.
>
> >
> > Directory permissions: $ ls -la /var/www/my_app/my_virtualenv/run/
> > total 12 drwxr-xr-x 2 www-data www-data 4096 Sep 29 13:03 .
> > drwxr-xr-x 7 www-data www-data 4096 Jul 22 23:05 .. srwxr-xr-x 1
> > www-data www-data 0 Sep 29 13:03 uwsgi.sock
>
> The permission bits match (755), but they are root.
On my system > (Fedora 20 on my laptop; CentOS 7 on my VPS) I do not have a www-data > user or group. > > > My vassal contains: [uwsgi] socket = > > /var/www/my_app/my_virtualenv/run/uwsgi.sock uid = www-data gid = > > www-data > > I don't have a vassal setup, but that doesn't make a huge difference > for just testing does it? > > Is there a good, current thorough guide that I can follow? > > > Steven Williams > My PGP Key: http://pgp.mit.edu/pks/lookup?op=get&search=0xCACA6C74669A54FA > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > > iQIcBAEBAgAGBQJUNvWVAAoJEMrKbHRmmlT6rgkP/3oFcVvKss3Aaf9Vv9BkOxmL > U3t6TZ72MNpWZhDHz85iOSKrElr7ehiXwIpgEC+Id+2+cJzHPIoBsakw94vcqUeK > pVhI8yJ7rqLVryXLYo5rFnXyQl4AvOP6HlRUPPbtGuF81BaAGYi5kuUQdddLzK7T > 558wycBN7ZhO5+/UTKqHEohlp+cc9StTkxzy5tcI5/2mJjYkxcusPua1dTW3hJjg > rypT7S0QBA9pwahdVHdSofySnwNG53fvE4gmwlkDpxJzS04gNw4LHsKeP4v9dU3X > 5Qiibmtfd2GKw8C4JpPfJXsqObJHyc6sIRP2bHZ102QekwidgeXE7LpZTn9jHl4b > PYN22at8PPBNSWmPnxiEMIvPvAWDeoS1390ADUGFQ4nDK9iM/DTWaQ1u+T59XooB > oXYuzCSqgKmDN5aRYfLQRpEXORb/ur6LCQfCLlthuSZJnPt1jeUtz9zJghos88i2 > vXyJo2DKswYEV9gwoeeStntZ/NfKib990lUS5R47e5yE9y2JXk1jPi8VeZ2omWVl > SMKNQF/6w30625OQEXLxylG8Yjxzkox/Cz33+ywL179UZghmNY5X4vHrH22DpjVA > FIFjDlkC5KfuhMf7jvFhummL9u9DVFaWXZTpDTvb/POrFdJJH2p1eDcNgzfV0mqK > i30xy/3rHRgGZpT/1sWL > =afHF > -----END PGP SIGNATURE----- > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From agentzh at gmail.com Fri Oct 10 00:15:07 2014 From: agentzh at gmail.com (Yichun Zhang (agentzh)) Date: Thu, 9 Oct 2014 17:15:07 -0700 Subject: [ANN] OpenResty 1.7.4.1 released Message-ID: Hi folks! 
I am happy to announce the new formal release, 1.7.4.1, of the OpenResty bundle:

    http://openresty.org/#Download

The highlights of this release are 1) the new "resty" command-line utility, 2) SSL/TLS cosocket support in ngx_lua (with SNI support and client-side session reuse support as well), and 3) SSL/TLS support in our nonblocking MySQL driver in pure Lua, lua-resty-mysql. (The highlight for the previous formal release was the full-duplex cosocket support ;))

Special thanks go to all our contributors for making this happen!

Below is the complete change log for this release, as compared to the last formal release, 1.7.2.1:

* upgraded the Nginx core to 1.7.4.
    * see the changes here:
* feature: added a new command-line utility, "resty", to run Lua code or Lua files (for OpenResty) directly from the command-line. it is installed into the "/bin" directory. prodded by Vitaly Kosenko. This tool is currently experimental.
* bugfix: "./configure": we might misuse the homebrew version of LuaJIT on Mac OS X when the user specified the "--with-ld-opt="-L/usr/local/lib"" option. thanks Aapo Talvensaari for the report.
* bugfix: "util/install": remove the target file before overwriting to prevent running processes (if any) from crashing.
* bugfix: "./configure": call "sh" explicitly for nginx's "./configure" script to prevent potential file permission issues.
* optimize: now we use the C compiler option "-O2" for everything by default (we used to use "-O1" which is too conservative).
* upgraded the ngx_postgres module to 1.0rc4.
    * bugfix: segmentation fault might happen in "ngx_destroy_pool" when debug logging was enabled in the nginx build. thanks buddy-ekb for the report.
* upgraded the ngx_echo module to 0.56.
    * bugfix: our "create_loc_conf" callback did not return NULL on error. thanks Markus Linnala for the patch.
    * bugfix: reading $echo_client_request_headers would return garbled data when LF instead of CRLF is used as the line terminator in the original header.
    * bugfix: reading $echo_client_request_headers could lead to buffer overflow due to misuse of "r->header_end" while modules like ngx_fastcgi and ngx_proxy can change "r->header_end" to point to buffers of their own.
* upgraded the ngx_form_input module to 0.10.
    * bugfix: "pcre_exec -2" error might happen when the standard "if" directive is used to test the empty value nginx variables set by this module with a regex. (Jiale)
    * bugfix: we incorrectly overrode "r->read_event_handler" with "ngx_http_request_empty_handler" in our "post read" callback for client request body reading, which could waste CPU time in level-triggered event models like poll and select. thanks chen for the catch.
* upgraded the ngx_set_misc module to 0.26.
    * change: set_escape_uri: use uppercase hexadecimal digits for percent-encoding as per RFC 3986. thanks splitice for the original patch.
    * bugfix: our "create_loc_conf" callback did not return NULL on error. thanks Markus Linnala for the patch.
    * bugfix: fixed source and test files' permission. they should not be executable at all. thanks Christos Kontas for the report.
* upgraded LuaJIT to v2.1-20140805: https://github.com/openresty/luajit2/tags
    * imported Mike Pall's latest bug fixes:
        * FFI: Fix "__index"/"__newindex" metamethod resolution for ctypes.
        * Invalidate backpropagation cache after DCE.
* upgraded the ngx_lua module to 0.9.12.
    * feature: implemented the SSL/TLS cosocket API.
        * added new method sslhandshake() to the stream-typed cosocket objects.
        * added new configuration directives lua_ssl_trusted_certificate, lua_ssl_verify_depth, lua_ssl_crl, lua_ssl_protocols, and lua_ssl_ciphers. thanks aviramc for the original patch.
    * feature: the standard coroutine API is now enabled in the context of header_filter_by_lua* and body_filter_by_lua*. thanks ngo for the request.
    * feature: for content/rewrite/access_by_lua_file directives, we now return 404 status code instead of 500 in case that the specified .lua file cannot be opened. thanks Sam Lee for the suggestion.
    * feature: added pure C API function for FFI-based implementation of reading ngx.header.HEADER.
    * feature: now we also explicitly check the Lua ABI/language version in our feature test of the "./configure" phase for a usable Lua lib.
    * feature: added pure C API functions for FFI-based implementations of ngx.worker.pid() and ngx.worker.exiting().
    * bugfix: ngx.req.raw_header() could lead to buffer overflow and the "userdata length overflow" error due to misuse of "r->header_end" while modules like ngx_fastcgi and ngx_proxy can change "r->header_end" to point to buffers of their own. thanks sadmedved for the report.
    * bugfix: ngx.req.raw_header() would return garbled data when LF instead of CRLF is used as the line terminator in the original header.
    * bugfix: body_filter_by_lua*: reading "ngx.arg[1]" after clearing "ngx.arg[1]" (by assigning nil or "") could lead to segmentation faults. this regression had appeared in v0.9.10. thanks Jason Stangroome for the report.
    * bugfix: init_worker_by_lua* would conflict with some other nginx C modules (like ngx_proxy) when their "merge_loc_conf" callbacks (or alike) produce side-effects in "cf->cycle". thanks Ruoshan Huang for the report.
    * bugfix: stream-typed cosocket might read uninitialized memory bytes when logging errors due to sending to or receiving from a closed socket.
    * bugfix: the stream-typed and datagram-typed cosockets' resolver handler did not handle some special errors correctly.
    * bugfix: ngx.resp.get_headers(): sometimes we might omit the builtin-headers Content-Type, Content-Length, Connection, and Transfer-Encoding. thanks Jon Keys for the report.
    * bugfix: ngx.req.socket(true): it incorrectly returned the error "chunked request bodies not supported yet" for raw request sockets with chunked request bodies. thanks Xiaofei Yang for the report.
    * bugfix: we did not check allocation failures while compiling the pattern for tcpsock:receiveuntil(). thanks Tatsuhiko Kubo for the patch.
    * bugfix: we did not use "lua_checkstack()" to prevent Lua stack overflow in our own C-land Lua backtrace generator.
    * bugfix: fixed an incorrect error message. thanks aviramc for the patch.
    * bugfix: for statically linked LuaJIT, we need to pass "-ldl" to the linker. thanks cf2012 for the report.
    * bugfix: the tcp_nodelay directive configuration was not honored by upstream TCP cosockets, which could lead to extra delays for small messages. thanks Shun Zhang for reporting this issue.
    * bugfix: fixed build failures with OpenSSL older than 0.9.8f. thanks FFCZ for the report.
    * bugfix: compilation failed with nginx 1.3.6 or older. this regression had appeared in the v0.9.11 release.
    * bugfix: compilation failed with nginx 0.9.x.
    * bugfix: our "create_loc_conf" callback did not return NULL on error.
    * bugfix: added allocation failure check for "ngx_array_init()" on the C land. thanks Tatsuhiko Kubo for the patch.
    * optimize: we now cache the userdata metatable (for the "__gc" metamethod) in the lua registry for both the stream-typed and datagram-typed cosockets.
    * optimize: reading ngx.header.HEADER: eliminated dynamic allocations and data copying when there is no need to transform "_" to "-" in the header name.
    * change: ngx.escape_uri() now uses uppercase hexadecimal digits for percent-encoding according to the recommendation in RFC 3986. thanks Piotr Sikora for the suggestion.
    * change: use the type "ngx_http_lua_ffi_str_t" instead of "ngx_str_t" in the pure C API function "ngx_http_lua_ffi_req_get_headers".
    * change: renamed the C macro "NGX_HTTP_LUA_NO_FFI_API" to "NGX_LUA_NO_FFI_API".
    * style: various coding style fixes and minor optimizations from Tatsuhiko Kubo.
    * doc: documented the behavior of init_by_lua* when lua_code_cache is off.
    * doc: fixed a wrong statement regarding "require()" in the "Lua Variable Scope" section. thanks Hungpu DU for the report.
    * doc: more clarification in the docs for the "res.truncated" flag returned by ngx.location.capture(). thanks Jon Keys for asking.
    * doc: added missing method name "get_keys" under "ngx.shared.DICT" and also fixed the method order. thanks George Bashi for the patch.
    * doc: markdown: fixed the "Back to TOC" links for the sections ("Nginx API for Lua" and "Directives") with inlined TOC. thanks Pierre-Yves Gérardy and Simon Eskildsen for the reports.
    * doc: improved the wording in the "Lua Coroutine Yielding/Resuming" section. thanks Hungpu DU for the report.
    * doc: improved the wording of the documentation for ngx.req.clear_header() to prevent ambiguity. thanks Christophe-Marie Duquesne for the report.
* upgraded the lua-resty-core library to 0.0.9.
    * feature: implemented the reading part of ngx.header.HEADER with FFI.
    * feature: implemented ngx.worker.pid() and ngx.worker.exiting() with FFI.
* upgraded the lua-resty-upstream-healthcheck library to 0.03.
    * optimize: timers in different nginx worker processes can go out of phase as time goes, resulting in duplicate test requests from different workers in the same check interval. thanks fancyrabbit for the report and fix.
* upgraded the lua-resty-websocket library to 0.04.
    * feature: resty.websocket.client: added support for the "origin" option to specify the value of the "Origin" request header. thanks woo for the original patch.
    * bugfix: resty.websocket.client: connection pooling was broken due to duplicate websocket handshakes. thanks woo for the patch.
    * bugfix: fixed the "Sec-WebSocket-Protocol" header when the secondary protocols are specified. thanks woo for the report.
    * doc: typo fixes from Laurent Arnoud.
* upgraded the lua-resty-dns library to 0.13.
    * bugfix: we did not parse the character-strings in the "TXT" record data. thanks Kevin Ingersoll for the report.
* upgraded the lua-resty-mysql library to 0.15.
    * feature: added new boolean-value options "ssl" and "ssl_verify" to the connect() method connecting to MySQL via SSL.
* upgraded the lua-cjson library to 2.1.0.2.
    * bugfix: the Makefile had a bug that overwrites the existing "cjson.so" file in place which could cause already running processes with this ".so" file loaded to crash. thanks ywsample for the report.

The HTML version of the change log with lots of helpful hyper-links can be browsed here:

    http://openresty.org/#ChangeLog1007004

OpenResty (aka. ngx_openresty) is a full-fledged web application server by bundling the standard Nginx core, lots of 3rd-party Nginx modules and Lua libraries, as well as most of their external dependencies. See OpenResty's homepage for details:

    http://openresty.org/

We have run extensive testing on our Amazon EC2 test cluster and ensured that all the components (including the Nginx core) play well together. The latest test report can always be found here:

    http://qa.openresty.org

Have fun!
-agentzh

From tom+nginx at oneshoeco.com Fri Oct 10 00:34:46 2014
From: tom+nginx at oneshoeco.com (Tom Lanyon)
Date: Fri, 10 Oct 2014 11:04:46 +1030
Subject: If-Modified-Since and If-None-Match conditionals with X-Accel-Redirect responses ?
Message-ID:

We've got an upstream returning X-Accel-Redirect responses to an internal location (which itself proxies to another upstream). Something like:

upstream fileserver {
    server foo;
}

upstream backend {
    server bar;
}

server {
    location /filestore {
        internal;
        proxy_cache filestore_cache;
        proxy_pass http://fileserver;
    }

    # responses from backend include header:
    # X-Accel-Redirect: /filestore/
    location / {
        proxy_set_header Host $host;
        proxy_pass http://backend;
    }
}

Both upstreams return Last-Modified and ETag headers.

We want to keep the ETag and Last-Modified from the original backend (not the fileserver), so we changed the X-Accel-Redirect upstream to:

location /filestore {
    internal;
    set $first_etag $upstream_http_etag;
    set $first_last_modified $upstream_http_last_modified;
    add_header ETag $first_etag;
    add_header Last-Modified $first_last_modified;
    proxy_cache filestore_cache;
    proxy_pass http://fileserver;
}

This appears to work OK, because a response returns the ETag and Last-Modified we'd expect:

ETag: "ce79a35523521ae64290db620e1073b1ea145497"
Expires: Fri, 09 Oct 2015 05:46:35 GMT
Last-Modified: Fri, 17 Jan 2014 05:20:40 GMT

But if we send a matching:

If-None-Match: "ce79a35523521ae64290db620e1073b1ea145497"

or:

If-Modified-Since: Fri, 17 Jan 2014 05:20:40 GMT

request header, then we get a HTTP 200 response, not a 304 Not Modified as we'd hope for.

I assume that this is because we're relying on the ETag and Last-Modified being set from temporary variables rather than the ones from the fileserver upstream. Is there any way we can work around this to pass through the ETag and Last-Modified from the backend sending X-Accel-Redirect responses whilst still supporting conditional requests and 304 responses?

Thanks,
Tom

From roberto at unbit.it Fri Oct 10 05:13:14 2014
From: roberto at unbit.it (Roberto De Ioris)
Date: Fri, 10 Oct 2014 07:13:14 +0200
Subject: uwsgi problems
In-Reply-To: <5436F599.5060607@gmail.com>
References: <5436836C.4020502@gmail.com> <5436F599.5060607@gmail.com>
Message-ID: <86c5a87b4ae5c8dc1ca075985302641c.squirrel@manage.unbit.it>

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 10/09/2014 12:49 PM, Greg Barker wrote:
>> Option #2 should work, here's what I have for my uwsgi site.
>> Double check your permissions on the directory the uwsgi.sock lives
>> in.
>>
>> My nginx conf: location / { uwsgi_pass
>> unix:///var/www/my_app/my_virtualenv/run/uwsgi.sock; include
>> uwsgi_params; }
>
> Changed my configuration to use the unix:/// notation. Still no change
> as I am getting a 50x type error.
>
>>
>> Directory permissions: $ ls -la /var/www/my_app/my_virtualenv/run/
>> total 12 drwxr-xr-x 2 www-data www-data 4096 Sep 29 13:03 .
>> drwxr-xr-x 7 www-data www-data 4096 Jul 22 23:05 .. srwxr-xr-x 1
>> www-data www-data 0 Sep 29 13:03 uwsgi.sock
>
> The permission bits match (755), but they are root. On my system
> (Fedora 20 on my laptop; CentOS 7 on my VPS) I do not have a www-data
> user or group.
>
>> My vassal contains: [uwsgi] socket =
>> /var/www/my_app/my_virtualenv/run/uwsgi.sock uid = www-data gid =
>> www-data
>
> I don't have a vassal setup, but that doesn't make a huge difference
> for just testing does it?
>
> Is there a good, current thorough guide that I can follow?
>
>

This covers basically any aspect of a production-ready deployment:

http://uwsgi-docs.readthedocs.org/en/latest/WSGIquickstart.html

As you can see, it uses tcp sockets when describing nginx integration. This saves you from having to start messing with permissions (btw, the process connecting to the unix socket, nginx in your case, must have write permission on the socket).

Read and follow the whole quickstart from start to end, as it progressively introduces concepts

--
Roberto De Ioris
http://unbit.it

From rvrv7575 at yahoo.com Fri Oct 10 13:02:14 2014
From: rvrv7575 at yahoo.com (Rv Rv)
Date: Fri, 10 Oct 2014 21:02:14 +0800
Subject: How to print at non emergency, critical, error from nginx configuration log
Message-ID: <1412946134.48320.YahooMailNeo@web193502.mail.sg3.yahoo.com>

Hello,

If I use ngx_conf_log_error during parsing an nginx configuration (post config phase), the messages at NGX_LOG_INFO are not printed to the error log even when I set the error log to the debug level. I can see the NGX_LOG_ERR, NGX_LOG_WARN, NGX_LOG_EMERG etc though. I scanned through the code and didn't find any example of the code logging at NGX_LOG_INFO. Ultimately, ngx_conf_log_error also uses ngx_log_error which should log at NGX_LOG_INFO.
Before investigating further, I wanted to understand if this is intended and if there are any workarounds.

Thanks for any inputs

From sb at nginx.com Fri Oct 10 13:28:30 2014
From: sb at nginx.com (Sergey Budnevitch)
Date: Fri, 10 Oct 2014 17:28:30 +0400
Subject: Debian Package Rules as Mercurial repositories
In-Reply-To: <54333920.5040602@cyon.ch>
References: <54333920.5040602@cyon.ch>
Message-ID:

On 07 Oct 2014, at 04:51, Dominic wrote:

> Dear List
>
> I'm looking for the Debian package rules. I could download the source file from http://nginx.org/packages/mainline/ubuntu/pool/nginx/n/nginx/. But I guess there is an non public repository, where the package rules are stored to build all the provided packages.

We have one, but have no plans to make it public, sorry. The whole build process is unified for open and non-public packages and publishing and thus the freeze of the part of the infrastructure will complicate maintenance for us.

> Something like https://github.com/hhvm/packaging (Package rules for HHVM) would be nice to have.
>
> The reason for my question is, that I need to build nginx an older version of nginx, but the source package of this older version is not longer hosted on http://nginx.org/packages/.

There are almost no backward incompatible changes, besides new nginx module addition, like auth request module, so you may use last version of source package and just change nginx version in the debian changelog file. All package changes are mentioned in the changelog.

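An added example for the "uwsgi problems" thread earlier in this archive, not part of any poster's message: it replays the mode-bit checks behind Roberto De Ioris's remark that nginx needs write permission on the socket, using entries modelled on the quoted `ls -la` output. The numeric uids and gids, the non-root worker user and the helper names (`perm_bits`, `diagnose`, `listing`, `scenarios`) are assumptions made for illustration.

```python
"""Replay Unix mode-bit checks for connecting to a uwsgi socket (added example)."""
import os
import stat
from collections import namedtuple

# Stand-in for os.stat_result so a directory listing can be replayed offline.
Entry = namedtuple("Entry", "st_mode st_uid st_gid")


def perm_bits(entry, uid, gids):
    """Return the rwx triplet (0-7) that applies to this uid and group set."""
    if uid == entry.st_uid:
        return (entry.st_mode >> 6) & 7   # owner class
    if entry.st_gid in gids:
        return (entry.st_mode >> 3) & 7   # group class
    return entry.st_mode & 7              # other class


def diagnose(path, uid, gids, stat_fn=os.stat):
    """Return (ok, reason) for a process with uid/gids connecting to path.

    Models classic mode bits only: search (x) on every parent directory
    and write (w) on the socket itself, as Linux requires for connect().
    ACLs and SELinux policy are not modelled.
    """
    if uid == 0:
        return True, "root bypasses mode-bit checks"
    parents = ["/"]
    for name in path.strip("/").split("/")[:-1]:
        parents.append(parents[-1].rstrip("/") + "/" + name)
    for directory in parents:
        if not perm_bits(stat_fn(directory), uid, gids) & 1:
            return False, "no search (x) permission on " + directory
    entry = stat_fn(path)
    if not stat.S_ISSOCK(entry.st_mode):
        return False, path + " is not a socket"
    if not perm_bits(entry, uid, gids) & 2:
        return False, "no write (w) permission on " + path
    return True, "connect() permitted"


# --- Constructed sample data, modelled on the `ls -la` output in the thread ---
# Numeric ids are assumptions for illustration; real values come from `id <user>`.
WWW_DATA, NGINX, APP = 33, 991, 990
SOCK = "/var/www/my_app/my_virtualenv/run/uwsgi.sock"


def listing(sock_uid, sock_gid, sock_mode, run_dir_mode=0o755):
    """Fake stat function: 0755 root-owned parents, configurable run dir and socket."""
    table = {"/": Entry(stat.S_IFDIR | 0o755, 0, 0)}
    current = ""
    for name in SOCK.strip("/").split("/")[:-1]:
        current += "/" + name
        table[current] = Entry(stat.S_IFDIR | 0o755, 0, 0)
    # The directory holding the socket belongs to whoever created the socket.
    table[current] = Entry(stat.S_IFDIR | run_dir_mode, sock_uid, sock_gid)
    table[SOCK] = Entry(stat.S_IFSOCK | sock_mode, sock_uid, sock_gid)
    return table.__getitem__


def scenarios():
    """Evaluate the setups discussed in the thread plus two tighter ones."""
    return {
        # Socket and nginx worker are both www-data, mode 755: owner has w.
        "same user": diagnose(SOCK, WWW_DATA, {WWW_DATA},
                              listing(WWW_DATA, WWW_DATA, 0o755)),
        # Socket owned by root with 755, worker assumed to run as another user.
        "root-owned 755": diagnose(SOCK, NGINX, {NGINX},
                                   listing(0, 0, 0o755)),
        # App user owns the socket, nginx's group gets rw, others get nothing.
        "group 660": diagnose(SOCK, NGINX, {NGINX},
                              listing(APP, NGINX, 0o660)),
        "unrelated user, 660": diagnose(SOCK, 1000, {1000},
                                        listing(APP, NGINX, 0o660)),
        # A directory without x for others blocks access even to a 666 socket.
        "closed run dir": diagnose(SOCK, NGINX, {NGINX},
                                   listing(APP, APP, 0o666, run_dir_mode=0o750)),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:22} {'OK  ' if ok else 'FAIL'} {reason}")
```

The "group 660" case is the least-privilege variant of the chmod-socket adjustment Greg Barker suggests: only the application user and the web server's group can reach the socket. Calling `diagnose()` without `stat_fn` runs the same checks against the live filesystem.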
From nginx-forum at nginx.us Fri Oct 10 14:51:01 2014
From: nginx-forum at nginx.us (carcus88)
Date: Fri, 10 Oct 2014 10:51:01 -0400
Subject: health_check Windows
Message-ID: <678d96acd6c4668049692f65cb776672.NginxMailingListEnglish@forum.nginx.org>

I am trying to use the health_check module on Windows nginx/1..7.6

location / {
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://backend;
    health_check;
}

and I'm getting the following error in the log file

unknown directive "health_check"

Is this module not included in the Windows build?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253893,253893#msg-253893

From vbart at nginx.com Fri Oct 10 14:55:32 2014
From: vbart at nginx.com (Valentin V. Bartenev)
Date: Fri, 10 Oct 2014 18:55:32 +0400
Subject: health_check Windows
In-Reply-To: <678d96acd6c4668049692f65cb776672.NginxMailingListEnglish@forum.nginx.org>
References: <678d96acd6c4668049692f65cb776672.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <1765608.WWi2NMZrm2@vbart-laptop>

On Friday 10 October 2014 10:51:01 carcus88 wrote:
> I am trying to use the health_check module on Windows nginx/1..7.6
>
>
>
> location / {
>     proxy_set_header Host $http_host;
>     proxy_set_header X-Forwarded-Host $host;
>     proxy_set_header X-Real-IP $remote_addr;
>     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>     proxy_set_header X-Forwarded-Proto $scheme;
>     proxy_pass http://backend;
>     health_check;
> }
>
> and I'm getting the following error in the log file
>
> unknown directive "health_check"
>
>
> Is this module not included in the Windows build?
>
[..]

This module is a part of the commercial version of nginx.

See the notice at the end of description: http://nginx.org/r/health_check

wbr, Valentin V. Bartenev

From nginx-forum at nginx.us Fri Oct 10 14:56:18 2014
From: nginx-forum at nginx.us (itpp2012)
Date: Fri, 10 Oct 2014 10:56:18 -0400
Subject: health_check Windows
In-Reply-To: <678d96acd6c4668049692f65cb776672.NginxMailingListEnglish@forum.nginx.org>
References: <678d96acd6c4668049692f65cb776672.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

http://nginx.org/en/docs/http/ngx_http_upstream_module.html#health_check

Alternative suggestions are welcome :) but I'm sure this can be tackled with Lua.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253893,253895#msg-253895

From vbart at nginx.com Fri Oct 10 15:07:41 2014
From: vbart at nginx.com (Valentin V. Bartenev)
Date: Fri, 10 Oct 2014 19:07:41 +0400
Subject: uwsgi problems
In-Reply-To:
References: <5436836C.4020502@gmail.com>
Message-ID: <1763453.ECCqC3NFGq@vbart-laptop>

On Thursday 09 October 2014 10:49:38 Greg Barker wrote:
> Option #2 should work, here's what I have for my uwsgi site. Double check
> your permissions on the directory the uwsgi.sock lives in.
>
> My nginx conf:
> location / {
>     uwsgi_pass unix:///var/www/my_app/my_virtualenv/run/uwsgi.sock;
>     include uwsgi_params;
> }
>
[..]

Actually, these two extra slashes are surplus.

Look at the docs: http://nginx.org/r/uwsgi_pass

wbr, Valentin V. Bartenev

From gk at leniwiec.biz Fri Oct 10 15:13:45 2014
From: gk at leniwiec.biz (Grzegorz Kulewski)
Date: Fri, 10 Oct 2014 17:13:45 +0200
Subject: proxy_cache_bypass and cache refresh
In-Reply-To: <542E6F7F.4040806@leniwiec.biz>
References: <542E6F7F.4040806@leniwiec.biz>
Message-ID: <5437F7A9.7080908@leniwiec.biz>

Anyone?

On 03.10.2014 at 11:42, Grzegorz Kulewski wrote:
> Hello,
>
> Is it true that a GET request that satisfies proxy_cache_bypass (and generates BYPASS cache status in the access log) should also refresh proxy cache for that URL?
>
> There are several tutorials on the Internet that advise that it works. Also it was working for us before but stopped - either after nginx upgrade or after some configuration change - not sure right now. We are currently running nginx 1.4.7.
>
> Parts of configuration:
>
> http {
>     proxy_cache_path /var/cache/www levels=1:2 keys_zone=foo-cache:256m max_size=4g inactive=1h;
>     proxy_cache_key "$host$request_uri";
>     proxy_cache_lock on;
>     proxy_cache_lock_timeout 120s;
>     proxy_no_cache $upstream_http_x_bar_dont_cache_me $cookie_x_no_cache;
>     proxy_cache_bypass $http_x_bar_cache_refresh $cookie_x_bar_no_cache;
> }
>
> location = / {
>     proxy_pass http://foo_old_www;
>     proxy_cache foo-cache;
>     proxy_cache_valid 200 1h;
> }
>
>
> Request to refresh cache (I double checked that it generates a GET request and a cache status BYPASS):
>
> curl -H 'X-Bar-Cache-Refresh: true' -D - 'http://www.foo.pl/'
>
>
> Any idea why it doesn't work?

--
Grzegorz Kulewski

From nginx-forum at nginx.us Sat Oct 11 00:15:38 2014
From: nginx-forum at nginx.us (keeyong)
Date: Fri, 10 Oct 2014 20:15:38 -0400
Subject: How to list all nginx plugin installed
Message-ID: <8d47544ef72c0b9fecd285f61b19fe69.NginxMailingListEnglish@forum.nginx.org>

Is there a way to list all plugins installed in my nginx? I am particularly interested in knowing whether HttpEchoModule is installed or not.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253901,253901#msg-253901

From nginx-forum at nginx.us Sat Oct 11 00:29:26 2014
From: nginx-forum at nginx.us (pharasyte)
Date: Fri, 10 Oct 2014 20:29:26 -0400
Subject: How to list all nginx plugin installed
In-Reply-To: <8d47544ef72c0b9fecd285f61b19fe69.NginxMailingListEnglish@forum.nginx.org>
References: <8d47544ef72c0b9fecd285f61b19fe69.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <8ce16849c66e904efa1f7d7a54496671.NginxMailingListEnglish@forum.nginx.org>

nginx -V will show you the options passed to configure.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253901,253902#msg-253902

From Boying.Lu at emc.com Sat Oct 11 02:58:58 2014
From: Boying.Lu at emc.com (Lu, Boying)
Date: Fri, 10 Oct 2014 22:58:58 -0400
Subject: Can I use ngix as a SSL encryption wrapper as Stunnel?
Message-ID:

Hi, All,

I'm new to Nginx. All I know is that it can be used as a LB for a website. Someone told me that I can use it as an alternative to Stunnel.

Does anyone know that I can use nginx as a replacement to Stunnel? If so, is there any document about how to do this?

Thanks
Boying

From merkerxu at 163.com Sat Oct 11 03:57:47 2014
From: merkerxu at 163.com (MerKer Xu)
Date: Sat, 11 Oct 2014 11:57:47 +0800 (CST)
Subject: nginx have directives like httpd's MaxRequestsPerChild
Message-ID: <5a65bc1.4c93.148fd5aed90.Coremail.merkerxu@163.com>

hi there, does nginx have directives like apache's MaxRequestsPerChild?

Description: Limit on the number of requests that an individual child server will handle during its life
Syntax: MaxRequestsPerChild number

I only found nginx's worker_connections directive, they are quite different!

Is there a similar one? or why nginx doesn't need it?

Many thanks!

From nginx-forum at nginx.us Sat Oct 11 04:28:08 2014
From: nginx-forum at nginx.us (wangweixun)
Date: Sat, 11 Oct 2014 00:28:08 -0400
Subject: Help! log phase is not executed due to r->count being non-zero
Message-ID: <36c177ffbb1f421f8591b0b4b3ff4a8c.NginxMailingListEnglish@forum.nginx.org>

Hey all,

I'm writing an authentication module that is structurally very similar to ngx_http_auth_request_module (https://github.com/PiotrSikora/ngx_http_auth_request_module/blob/master/ngx_http_auth_request_module.c). It basically sends a subrequest to a service for auth.

For testing, I put a hello_world module (https://github.com/perusio/nginx-hello-world-module/blob/master/ngx_http_hello_world_module.c) behind it like:

location /hello_world {
    auth_request /auth;
    hello_world;
    hello_world_string "Hello World!";
}

Everything works fine EXCEPT I found today that the log phase is not executed. I traced it down to ngx_http_close_request function in ngx_http_request.c (as it calls ngx_http_free_request(r, rc); to execute log handlers) where I found r->count = 2 so after r->count--; it's still non-zero thus ngx_http_close_request simply returns.

I did not touch request count in my code. Are we supposed to handle r->count (either directly or through ngx_http_finalize_request) when using subrequest? I didn't see the original ngx_http_auth_request_module does so. If not, then why the request count is incorrect?

Thanks,
W

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253906,253906#msg-253906

From nginx-forum at nginx.us Sat Oct 11 04:30:29 2014
From: nginx-forum at nginx.us (wangweixun)
Date: Sat, 11 Oct 2014 00:30:29 -0400
Subject: Help! log phase is not executed due to r->count being non-zero
In-Reply-To: <36c177ffbb1f421f8591b0b4b3ff4a8c.NginxMailingListEnglish@forum.nginx.org>
References: <36c177ffbb1f421f8591b0b4b3ff4a8c.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <21aec4e5b6b4e7fb1d46f4031c7a2afe.NginxMailingListEnglish@forum.nginx.org>

BTW, I can add "r->count--;" in my module and it seems to work. But I don't feel it is the right thing especially when I'm not sure how it works.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253906,253907#msg-253907

From nginx-forum at nginx.us Sat Oct 11 09:08:02 2014
From: nginx-forum at nginx.us (itpp2012)
Date: Sat, 11 Oct 2014 05:08:02 -0400
Subject: Can I use ngix as a SSL encryption wrapper as Stunnel?
In-Reply-To:
References:
Message-ID: <4801cd4ffdca50734521d451fec91441.NginxMailingListEnglish@forum.nginx.org>

For some things yes, depends on what you're replacing.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253904,253908#msg-253908

From Boying.Lu at emc.com Sat Oct 11 09:13:14 2014
From: Boying.Lu at emc.com (Lu, Boying)
Date: Sat, 11 Oct 2014 05:13:14 -0400
Subject: Can I use ngix as a SSL encryption wrapper as Stunnel?
In-Reply-To: <4801cd4ffdca50734521d451fec91441.NginxMailingListEnglish@forum.nginx.org>
References: <4801cd4ffdca50734521d451fec91441.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

I just want to wrap node-to-node TCP communications among ZooKeeper nodes which uses its own protocol Zab. I know it can be done through Stunnel. Is it feasible to use Nginx? If yes, can you point me to some document?

Thanks
Boying

-----Original Message-----
From: nginx-bounces at nginx.org [mailto:nginx-bounces at nginx.org] On Behalf Of itpp2012
Sent: October 11, 2014 17:08
To: nginx at nginx.org
Subject: Re: Can I use ngix as a SSL encryption wrapper as Stunnel?

For some things yes, depends on what your replacing.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253904,253908#msg-253908

From vbart at nginx.com Sat Oct 11 10:13:55 2014
From: vbart at nginx.com (Valentin V. Bartenev)
Date: Sat, 11 Oct 2014 14:13:55 +0400
Subject: nginx have directives like httpd's MaxRequestsPerChild
In-Reply-To: <5a65bc1.4c93.148fd5aed90.Coremail.merkerxu@163.com>
References: <5a65bc1.4c93.148fd5aed90.Coremail.merkerxu@163.com>
Message-ID: <5335765.uMAmrAQC93@vbart-laptop>

On Saturday 11 October 2014 11:57:47 MerKer Xu wrote:
> hi there, does nginx have directives like apache's MaxRequestsPerChild?
>
> Description: Limit on the number of requests that an individual child server will handle during its life
> Syntax: MaxRequestsPerChild number
>
> I only found nginx's worker_connections directive, they are quite different!
>
> Is there a similar one? or why nginx doesn't need it?
>
> Many thanks!
>

There are at least three arguments that I think make it a low priority:

1. Memory or socket leaks in nginx are something rare and usually considered as a serious bug (note also, that Apache has mod_php and friends, which often suffer from leaks);

2. Each worker process in Apache handles only one connection at a time, while nginx workers are able (and usually do) to handle millions of long lived connections simultaneously. So restarting an nginx worker without requests loss isn't a trivial task and can consume significant time;

   See: http://www.aosabook.org/en/nginx.html

3. Such functionality (if needed) can be easily implemented even with much more power using cron and/or some scripts, since nginx supports reloading and upgrading without interruption of the client servicing. And because nginx usually has only a few workers, reloading all of them at the same time isn't painful.

   See: http://nginx.org/en/docs/control.html

wbr, Valentin V. Bartenev

From multiformeingegno at gmail.com Sat Oct 11 13:49:22 2014
From: multiformeingegno at gmail.com (Lorenzo Raffio)
Date: Sat, 11 Oct 2014 15:49:22 +0200
Subject: Disable SSL3 handshake errors
Message-ID:

I disabled SSL3 in ssl_protocols (ssl_protocols TLSv1 TLSv1.1 TLSv1.2;). So PCs with old browsers (example: IE on WinXP) fail to do the handshake and I have my nginx logs full of these errors:

SSL_do_handshake() failed (SSL: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number) while SSL handshaking

Since this is wanted, is there a way to disable these logs (just for SSL3 failed handshakes)?


From nginx-forum at nginx.us Sat Oct 11 22:23:28 2014
From: nginx-forum at nginx.us (jbjares)
Date: Sat, 11 Oct 2014 18:23:28 -0400
Subject: How to make Nginx forget a hostname?
Message-ID: <5e46f3fae348725a042f1fbe07efd706.NginxMailingListEnglish@forum.nginx.org>

Hi Nginx forums team,

I'm with a issue related a removed configuration file for a specific hostname. So, I need to associate the hostname with a new ip address from other vm, but it's not possible because, this hostname always are resolved by nginx.

I am using ubuntu server lucid 64; I removed the sites-available and sites-enabled config files for this virtual host, as well as reloaded the nginx service.

Anybody knows, if I'm forgetting anything, or if this is a common issue?

Best Regards.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253918,253918#msg-253918

From francis at daoine.org Sun Oct 12 07:13:46 2014
From: francis at daoine.org (Francis Daly)
Date: Sun, 12 Oct 2014 08:13:46 +0100
Subject: How to make Nginx forget a hostname?
In-Reply-To: <5e46f3fae348725a042f1fbe07efd706.NginxMailingListEnglish@forum.nginx.org>
References: <5e46f3fae348725a042f1fbe07efd706.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20141012071346.GD3771@daoine.org>

On Sat, Oct 11, 2014 at 06:23:28PM -0400, jbjares wrote:

Hi there,

> I'm with a issue related a removed configuration file for a specific
> hostname. So, I need to associate the hostname with a new ip address from
> other vm, but it's not possible because, this hostname always are resolved
> by nginx.

Do you mean "browser still talks to nginx on old-vm but I want it to talk to something on new-vm", or "nginx still talks to something on old-vm but I want it to talk to something on new-vm", or something else?

f
--
Francis Daly francis at daoine.org

From wandenberg at gmail.com Sun Oct 12 11:06:11 2014
From: wandenberg at gmail.com (Wandenberg Peixoto)
Date: Sun, 12 Oct 2014 08:06:11 -0300
Subject: How to make Nginx forget a hostname?
In-Reply-To: <20141012071346.GD3771@daoine.org>
References: <5e46f3fae348725a042f1fbe07efd706.NginxMailingListEnglish@forum.nginx.org> <20141012071346.GD3771@daoine.org>
Message-ID:

Did you execute a reload on nginx after remove the configuration file?

On Oct 12, 2014 4:14 AM, "Francis Daly" wrote:
> On Sat, Oct 11, 2014 at 06:23:28PM -0400, jbjares wrote:
>
> Hi there,
>
> > I'm with a issue related a removed configuration file for a specific
> > hostname. So, I need to associate the hostname with a new ip address from
> > other vm, but it's not possible because, this hostname always are resolved
> > by nginx.
>
> Do you mean "browser still talks to nginx on old-vm but I want it to
> talk to something on new-vm", or "nginx still talks to something on
> old-vm but I want it to talk to something on new-vm", or something else?
>
> f
> --
> Francis Daly francis at daoine.org
>

From nginx-forum at nginx.us Sun Oct 12 16:30:21 2014
From: nginx-forum at nginx.us (daniel.leandro)
Date: Sun, 12 Oct 2014 12:30:21 -0400
Subject: HTTP access not working from Chrome, only HTTPS
Message-ID:

Hi, people.

I'm trying to publish IBM Connections by NGINX allowing access using both HTTP and HTTPS. By HTTPS is working but when I try to access by HTTP I get this error in Google Chrome only:

This XML file does not appear to have any style information associated with it. The document tree is shown below.

403

You are not authorized to perform the requested action.

In Firefox there is no error message, but the page does not load correctly. In Internet Explorer it opens normally. Internally it works in any browser. I believe I need some additional configuration in Nginx.
My code is:

upstream connections.domain.com {
    server 172.16.0.83:443 weight=100000; #LAN/Connections address
    server 172.16.0.83:80;
}
server {
    listen 172.17.0.14:80; #DMZ/NGINX address
    listen 172.17.0.14:443 default ssl;
    server_name connections.domain.com;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_certificate /etc/nginx/ssl/connections.cer;
    ssl_certificate_key /etc/nginx/ssl/connections.pem;
    ssl_verify_client off;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass https://connections.domain.com;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_next_upstream timeout;
    }
}

In the Nginx log file, I saw these messages when trying to access from Google Chrome:

"POST /homepage/j_security_check HTTP/1.1" 403 161 "http://connections.domain.com/homepage/login/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36" "-"

SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to upstream, client: 179.213.15.12, server: connections.domain.com, request: "GET /homepage HTTP/1.1", upstream: "https://172.16.0.83:80/homepage", host: "connections.domain.com"

Any help will be appreciated. If you need additional information, please ask. Thank you in advance.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253923,253923#msg-253923

From theblessedadventhope at gmail.com Sun Oct 12 17:51:45 2014
From: theblessedadventhope at gmail.com (Steven Williams)
Date: Sun, 12 Oct 2014 12:51:45 -0500
Subject: uwsgi problems
In-Reply-To: <86c5a87b4ae5c8dc1ca075985302641c.squirrel@manage.unbit.it>
References: <5436836C.4020502@gmail.com> <5436F599.5060607@gmail.com> <86c5a87b4ae5c8dc1ca075985302641c.squirrel@manage.unbit.it>
Message-ID: <543ABFB1.40003@gmail.com>

On 10/10/2014 12:13 AM, Roberto De Ioris wrote:
> This covers basically any aspect of a production
> ready-deployments:
>
> http://uwsgi-docs.readthedocs.org/en/latest/WSGIquickstart.html
>
> as you can see it uses tcp sockets when describing nginx
> integration. This avoid you to start messing with permissions (btw,
> the process connecting to the unix socket, nginx in your case, must
> have write permission on the socket).
>
> Read and follow the whole quickstart from start to end, as it
> progressively introduces concepts
>

That did the trick. Apparently SELinux was interfering with Nginx connecting by the port number. I adjusted the policy and everything is working fine now. Thank you for telling me to read the guide from start to finish.

For posterity's sake all nginx needed was:

location / {
    include uwsgi_params;
    uwsgi_pass 127.0.0.1:3031;
}

$ uwsgi --socket 127.0.0.1:3031 --wsgi-file run.py

In order to get that working under Fedora and CentOS you have to adjust the running SELinux policy which you can do with the following:

$ sudo cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M mynginx
$ sudo semodule -i mynginx.pp

Thanks guys.
Steven Williams
My PGP Key: http://pgp.mit.edu/pks/lookup?op=get&search=0xCACA6C74669A54FA

From crazyworld at outlook.com Mon Oct 13 00:01:50 2014
From: crazyworld at outlook.com (crazy world)
Date: Mon, 13 Oct 2014 00:01:50 +0000
Subject: HTTP access not working from Chrome, only HTTPS
In-Reply-To:
References:
Message-ID:

It would be helpful if you can share a copy of the HTTPS tcpdump on the serverside.

thanks,
-B

> To: nginx at nginx.org
> Subject: HTTP access not working from Chrome, only HTTPS
> From: nginx-forum at nginx.us
> Date: Sun, 12 Oct 2014 12:30:21 -0400
>
> Hi, people.
>
> I'm trying to publish IBM Connections by NGINX allowing access using both
> HTTP and HTTPS. By HTTPS is working but when I try to access by HTTP I get
> this error in Google Chrome only:
>
> This XML file does not appear to have any style information associated with
> it. The document tree is shown below.
>
> 403
>
> You are not authorized to perform the requested action.
>
> In Firefox there is no error message, but the page does not load correctly.
> In Internet Explorer it opens normally. Internally it works in any
> browser.
> I believe I need some additional configuration in Nginx. My code
> is:
>
> upstream connections.domain.com {
>     server 172.16.0.83:443 weight=100000; #LAN/Connections address
>     server 172.16.0.83:80;
> }
> server {
>     listen 172.17.0.14:80; #DMZ/NGINX address
>     listen 172.17.0.14:443 default ssl;
>     server_name connections.domain.com;
>     ssl_session_cache shared:SSL:1m;
>     ssl_session_timeout 10m;
>     ssl_certificate /etc/nginx/ssl/connections.cer;
>     ssl_certificate_key /etc/nginx/ssl/connections.pem;
>     ssl_verify_client off;
>     ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
>     ssl_ciphers RC4:HIGH:!aNULL:!MD5;
>     ssl_prefer_server_ciphers on;
>     location / {
>         proxy_pass https://connections.domain.com;
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_next_upstream timeout;
>     }
> }
>
> In the Nginx log file, I saw these messages when trying to access from
> Google Chrome:
>
> "POST /homepage/j_security_check HTTP/1.1" 403 161
> "http://connections.domain.com/homepage/login/" "Mozilla/5.0 (Windows NT
> 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124
> Safari/537.36" "-"
>
> SSL_do_handshake() failed (SSL: error:140770FC:SSL
> routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to
> upstream, client: 179.213.15.12, server: connections.domain.com, request:
> "GET /homepage HTTP/1.1", upstream: "https://172.16.0.83:80/homepage", host:
> "connections.domain.com"
>
> Any help will be appreciated. If you need additional information, please ask.
> Thank you in advance.
>
> Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253923,253923#msg-253923
>

From nginx-forum at nginx.us Mon Oct 13 00:25:17 2014
From: nginx-forum at nginx.us (magnotheater)
Date: Sun, 12 Oct 2014 20:25:17 -0400
Subject: Need help with Secure Link!!! Lets see who can solve this...
Message-ID: <002205e0d4b182bb04685be6f9225c6e.NginxMailingListEnglish@forum.nginx.org>

I'm trying to create a Video Hosting site, for that I started checking all existing sites like that one to see how they work and how they secure their files.

For my surprise, I noticed most "video streaming websites" not only work the same way but also have exactly the same "url encoding" for restricting their files according to "File name / Remote IP Address / Time Expiration"... I also notice that all of them work with NGINX and even old versions (1.2.9)...

All their links look like this:

http://some-server.com/6hv743pcesoax3ptxziinrn5wd5fwgxpr63zwur3eqfgsrd6xjog4nyvke/video.mp4

The ENCODING this link uses is not "MD5" or even "BASE64" and all NGINX modules specify (so this is what confuses me a lot)... All this sites encode their links in a format which includes only "a-z" letters and "2-7" numbers... according to my knowledge this links are in BASE32... and I can't find any method or module in NGINX to create my links the same way...

6hv743pcesoax3ptxziinrn5wd5fwgxpr63zwur3eqfgsrd6xjog4nyvke

58 chars (weird, MD5 uses 32)...

Did all those sites use the same method? Or were all those sites made by the same owner/person?

The thing is that I wanna know how to create in NGINX the same looking HASH link in BASE32 (not in MD5, not BASE64 and not any other encoding)... BASE32!

The first one who helps me out i give him a free Membership on my site :)

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253926,253926#msg-253926

From shmick at riseup.net Mon Oct 13 04:23:09 2014
From: shmick at riseup.net (shmick at riseup.net)
Date: Mon, 13 Oct 2014 15:23:09 +1100
Subject: 1.6.2 selective dir logging in doc root
Message-ID: <543B53AD.8080806@riseup.net>

is it possible to enable selective dir logging from the document root ?

i don't want to log access to a specific dir in doc root (and not sub dirs also)

i do want to log errors to a specific dir in doc root (and sub dirs also)

purpose:

disable dir logging for roundcube dir but still enable error logs

thx for help

From mayak at australsat.com Mon Oct 13 06:46:27 2014
From: mayak at australsat.com (mayak)
Date: Mon, 13 Oct 2014 08:46:27 +0200
Subject: cannot make catch all ssl server block work
Message-ID: <20141013064628.23076C70E8@ssw-uk.net>

hi all,

i'm having trouble with nginx:

#nginx -V
nginx version: nginx/1.6.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC)
TLS SNI support enabled

so i use .conf files in the /etc/nginx/conf.d directory

server {
    listen 443 default_server;
    server_name a.domain.com *.domain.com;
    ssl on;
    ssl_certificate /etc/x509V6/a.crt;
    ssl_certificate_key /etc/x509V6/a.key;
    ...
}

and in the same directory i have

server {
    listen 443 default_server;
    server_name b.domain.com;
    ssl on;
    ssl_certificate /etc/x509V6/b.crt;
    ssl_certificate_key /etc/x509V6/b.key;
    ...
}

both a.domain.com and b.domain.com and c.domain resolve to the same ip address.

however, an `openssl s_client -connect c.domain.com:443` gives me b's certificate and not a's certificate.

is there a way to do a catch all for ssl virtual hosts where a request c.domain.com (or any any other host for that matter) would be handled by a's container?

thanks

m

From mayak at australsat.com Mon Oct 13 07:02:44 2014
From: mayak at australsat.com (mayak)
Date: Mon, 13 Oct 2014 09:02:44 +0200
Subject: cannot make catch all ssl server block work [corrected]
In-Reply-To: <20141013064628.23076C70E8@ssw-uk.net>
References: <20141013064628.23076C70E8@ssw-uk.net>
Message-ID: <20141013070247.C5C6BC7321@ssw-uk.net>

hi all,

i'm having trouble with nginx:

#nginx -V
nginx version: nginx/1.6.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC)
TLS SNI support enabled

so i use .conf files in the /etc/nginx/conf.d directory

server {
    listen 443 default_server;
    server_name a.domain.com *.domain.com;
    ssl on;
    ssl_certificate /etc/x509V6/a.crt;
    ssl_certificate_key /etc/x509V6/a.key;
    ...
}

and in the same directory i have

server {
    listen 443;
    server_name b.domain.com;
    ssl on;
    ssl_certificate /etc/x509V6/b.crt;
    ssl_certificate_key /etc/x509V6/b.key;
    ...
}

both a.domain.com and b.domain.com and c.domain resolve to the same ip address.

however, an `openssl s_client -connect c.domain.com:443` gives me b's certificate and not a's certificate.

is there a way to do a catch all for ssl virtual hosts where a request c.domain.com (or any any other host for that matter) would be handled by a's container?

thanks

m

From mdounin at mdounin.ru Mon Oct 13 09:59:20 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Mon, 13 Oct 2014 13:59:20 +0400
Subject: 1.6.2 selective dir logging in doc root
In-Reply-To: <543B53AD.8080806@riseup.net>
References: <543B53AD.8080806@riseup.net>
Message-ID: <20141013095920.GW31276@mdounin.ru>

Hello!

On Mon, Oct 13, 2014 at 03:23:09PM +1100, shmick at riseup.net wrote:

> is it possible to enable selective dir logging from the document root ?
>
> i don't want to log access to a specific dir in doc root (and not sub
> dirs also)
>
> i do want to log errors to a specific dir in doc root (and sub dirs also)
>
> purpose:
>
> disable dir logging for roundcube dir but still enable error logs

You can use access_log and error_log directives on a per-location basis. See here for details:

http://nginx.org/r/location
http://nginx.org/r/access_log
http://nginx.org/r/error_log

--
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru Mon Oct 13 10:01:46 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Mon, 13 Oct 2014 14:01:46 +0400
Subject: Disable SSL3 handshake errors
In-Reply-To:
References:
Message-ID: <20141013100146.GX31276@mdounin.ru>

Hello!

On Sat, Oct 11, 2014 at 03:49:22PM +0200, Lorenzo Raffio wrote:

> I disabled SSL3 in ssl_protocols (ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ).
> So PCs with old browsers (example: IE on WinXP) fail to do the handshake
> and I have my nginx logs full of these errors:
>
> SSL_do_handshake() failed (SSL: error:1408A10B:SSL
> routines:SSL3_GET_CLIENT_HELLO:wrong version number) while SSL handshaking
>
> Since this is wanted, is there a way to disable these logs (just for SSL3
> failed handshakes)?

You can configure logging level using the error_log directive, see http://nginx.org/r/error_log.

--
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru Mon Oct 13 10:04:06 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Mon, 13 Oct 2014 14:04:06 +0400
Subject: Help! log phase is not executed due to r->count being non-zero
In-Reply-To: <36c177ffbb1f421f8591b0b4b3ff4a8c.NginxMailingListEnglish@forum.nginx.org>
References: <36c177ffbb1f421f8591b0b4b3ff4a8c.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20141013100405.GY31276@mdounin.ru>

Hello!

On Sat, Oct 11, 2014 at 12:28:08AM -0400, wangweixun wrote:

> Hey all,
>
> I'm writing an authentication module that is structurally very similar to
> ngx_http_auth_request_module
> (https://github.com/PiotrSikora/ngx_http_auth_request_module/blob/master/ngx_http_auth_request_module.c).
> It basically sends a subrequest to a service for auth. For testing, I put a
> hello_world module
> (https://github.com/perusio/nginx-hello-world-module/blob/master/ngx_http_hello_world_module.c)
> behind it like:
>
> location /hello_world {
>     auth_request /auth;
>     hello_world;
>     hello_world_string "Hello World!";
> }
>
> Everything works fine EXCEPT I found today that the log phase is not
> executed. I traced it down to ngx_http_close_request function in
> ngx_http_request.c (as it calls ngx_http_free_request(r, rc); to execute log
> handlers) where I found r->count = 2 so after r->count--; it's still
> non-zero thus ngx_http_close_request simply returns. I did not touch request
> count in my code.
>
> Are we supposed to handle r->count (either directly or through
> ngx_http_finalize_request) when using subrequest? I didn't see the original
> ngx_http_auth_request_module does so. If not, then why the request count is
> incorrect?

My best guess is that in your module you are calling ngx_http_read_client_request_body(), which will increment r->count.

--
Maxim Dounin
http://nginx.org/

From nginx-forum at nginx.us Mon Oct 13 10:07:05 2014
From: nginx-forum at nginx.us (lzilles)
Date: Mon, 13 Oct 2014 06:07:05 -0400
Subject: http keep alive with post requests issue
Message-ID:

Hi,

I am using nginx as proxy with an upstream configuration:

upstream example_server {
    server localhost:9000 fail_timeout=0;
    keepalive 64;
}

Everything works fine when configuring location to include proxy_http_version and connection header:

location ... {
    send_timeout 300;
    client_body_buffer_size 1024k;
    proxy_read_timeout 300;
    ...
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    ...
    proxy_pass http://example_server;
}

Responses for both HTTP GET and POST requests contain "keep-alive" and "server nginx" headers.

However, when I try to set proxy_http_version and connection header within server or http context instead of location, nginx will only proxy GET requests. Responses for any POST requests seem to be coming directly from my application server (no keep-alive headers and server name contains application server instead of nginx).

What am I missing here?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253936,253936#msg-253936

From braulio at eita.org.br Mon Oct 13 10:56:06 2014
From: braulio at eita.org.br (Bráulio Bhavamitra)
Date: Mon, 13 Oct 2014 07:56:06 -0300
Subject: Disable log for a specific server {}
In-Reply-To: <4758257.7YMB0STr9D@vbart-laptop>
References: <4758257.7YMB0STr9D@vbart-laptop>
Message-ID:

Thanks Valentin

On Fri, Oct 3, 2014 at 8:22 AM, Valentin V. Bartenev wrote:
> On Friday 03 October 2014 08:17:22 Bráulio Bhavamitra wrote:
>> Hello all,
>>
>> I use a setup of nginx(ssl)+varnish+nginx+proxy. Because of this, the
>> second nginx server should not log the request as it would duplicate on the
>> logs. How to disable log for it?
>>
> [..]
>
> access_log off;
>
> Please, look at the documentation: http://nginx.org/r/access_log
>
> wbr, Valentin V. Bartenev
>

--
"Fight for your ideology. Be one with your ideology. Live for your ideology. Die for your ideology" P.R. Sarkar

EITA - Educação, Informação e Tecnologias para Autogestão
http://cirandas.net/brauliobo
http://eita.org.br

"Paramapurusha is my father and Parama Prakriti is my mother. The universe is my home and all of us are citizens of this cosmos. This universe is the imagination of the Macrocosmic Mind, and all entities are being created, preserved and destroyed in the extroversion and introversion phases of the cosmic imaginative flow. On the personal level, when a person imagines something in their mind, at that moment that person is the sole owner of what they imagine, and no one else. When a mentally created human being walks through an equally imagined cornfield, the imagined person is not the owner of that cornfield, because it belongs to the individual who is imagining it. This universe was created in the imagination of Brahma, the Supreme Entity, so the ownership of this universe is Brahma's, and not that of the microcosms that were also created by Brahma's imagination. No property of this world, mutable or immutable, belongs to any particular individual; everything is the common patrimony of all."

Rest of the text at http://cirandas.net/brauliobo/blog/a-problematica-de-hoje-em-dia

From nginx-forum at nginx.us Mon Oct 13 14:48:26 2014
From: nginx-forum at nginx.us (lzilles)
Date: Mon, 13 Oct 2014 10:48:26 -0400
Subject: http keep alive with post requests issue
In-Reply-To:
References:
Message-ID: <61eb21859dc4e1b0e7f5fdbeb5e62c61.NginxMailingListEnglish@forum.nginx.org>

I figured that the location settings have not been used at all. So now I can see that even for location settings the same error occurs. If I use keepalive and proxy_set_header Connection "" it works. As soon as I add "proxy_http_version 1.1" to any context, the POST responses still get returned directly by the application server...

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253936,253940#msg-253940

From nginx-forum at nginx.us Mon Oct 13 16:41:04 2014
From: nginx-forum at nginx.us (wangweixun)
Date: Mon, 13 Oct 2014 12:41:04 -0400
Subject: Help!
log phase is not executed due to r->count being non-zero
In-Reply-To: <20141013100405.GY31276@mdounin.ru>
References: <20141013100405.GY31276@mdounin.ru>
Message-ID: <7215c0ad0b0f8099f9ecdf95cd1b9e9a.NginxMailingListEnglish@forum.nginx.org>

Maxim,

You are right. Since I need to make a hash of the original request's body, I do make call to ngx_http_read_client_request_body().

What's the best way to decrement the count then? Simply "r->count--;" before returning from the module.

By the way, in my access phase module, I need to send a subrequest and wait for its response asynchronously. ngx_http_read_client_request_body() also works asynchronously with a callback function, which apparently is not able to send a subrequest. What I did is registering two handlers in access phase. The first one does nothing but reading the request body only. The second one does the real work (subrequest, etc.). Does it sound right?

Thanks!!

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253906,253941#msg-253941

From mdounin at mdounin.ru Mon Oct 13 17:06:38 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Mon, 13 Oct 2014 21:06:38 +0400
Subject: Help! log phase is not executed due to r->count being non-zero
In-Reply-To: <7215c0ad0b0f8099f9ecdf95cd1b9e9a.NginxMailingListEnglish@forum.nginx.org>
References: <20141013100405.GY31276@mdounin.ru> <7215c0ad0b0f8099f9ecdf95cd1b9e9a.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20141013170638.GB31276@mdounin.ru>

Hello!

On Mon, Oct 13, 2014 at 12:41:04PM -0400, wangweixun wrote:

> Maxim,
>
> You are right. Since I need to make a hash of the original request's body, I
> do make call to ngx_http_read_client_request_body().
>
> What's the best way to decrement the count then? Simply "r->count--;" before
> returning from the module.

The ngx_http_read_client_request_body() increments r->count as it expects that r->main->count will be decremented twice:

- right after the ngx_http_read_client_request_body() call, by ngx_http_finalize_request() as called automatically on your return from content handlers;

- later in post_handler, by another ngx_http_finalize_request() call.

If you do call ngx_http_read_client_request_body() from an access handler, it should be fine to do "r->main->count--" in post_handler directly.

(Note well that nginx generally doesn't assume that the request body will be read before the content phase, and there may be problems associated with this if you'll try reading request body in an access handler.)

> By the way, in my access phase module, I need to send a subrequest and wait
> for its response asynchronously. ngx_http_read_client_request_body() also
> works asynchronously with a callback function, which apparently is not able
> to send a subrequest. What I did is registering two handlers in access
> phase. The first one does nothing but reading the request body only. The
> second one does the real work (subrequest, etc.). Does it sound right?

No, it doesn't. You should do the real work in post_handler.

--
Maxim Dounin
http://nginx.org/

From nginx-forum at nginx.us Mon Oct 13 18:40:52 2014
From: nginx-forum at nginx.us (mex)
Date: Mon, 13 Oct 2014 14:40:52 -0400
Subject: Can I use ngix as a SSL encryption wrapper as Stunnel?
In-Reply-To:
References:
Message-ID:

i don't know of an out-of-the-box-solution, but this might point into the right direction:

- https://github.com/yaoweibin/nginx_tcp_proxy_module
- http://stackoverflow.com/questions/5337122/is-it-possible-to-forward-non-http-connecting-request-to-some-other-port-in-ngin

cheers,

mex

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253904,253944#msg-253944

From nginx-forum at nginx.us Mon Oct 13 18:43:07 2014
From: nginx-forum at nginx.us (wangweixun)
Date: Mon, 13 Oct 2014 14:43:07 -0400
Subject: Help!
log phase is not executed due to r->count being non-zero
In-Reply-To: <20141013170638.GB31276@mdounin.ru>
References: <20141013170638.GB31276@mdounin.ru>
Message-ID:

Thanks for your prompt reply.

Why do I have to do the work in the post handler? Now I have a stub post handler. ngx_http_read_client_request_body() does nothing but load the request body into the original request, which is used by the next handler. Everything seems to be working fine to me.

I'm not sure how to use the post handler to send a subrequest like a real handler which is polled multiple times until the response is arrived.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253906,253945#msg-253945

From nginx-forum at nginx.us Mon Oct 13 18:52:56 2014
From: nginx-forum at nginx.us (mex)
Date: Mon, 13 Oct 2014 14:52:56 -0400
Subject: cannot make catch all ssl server block work [corrected]
In-Reply-To: <20141013070247.C5C6BC7321@ssw-uk.net>
References: <20141013070247.C5C6BC7321@ssw-uk.net>
Message-ID: <7e48231affb8fe5e954a08656c7e5c61.NginxMailingListEnglish@forum.nginx.org>

did you tried server_name _; already?

did you chained the certs for a.com / c.com in the correct order?

see http://nginx.org/en/docs/http/configuring_https_servers.html / An SSL certificate with several names

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253929,253946#msg-253946

From mdounin at mdounin.ru Mon Oct 13 19:09:23 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Mon, 13 Oct 2014 23:09:23 +0400
Subject: Help! log phase is not executed due to r->count being non-zero
In-Reply-To:
References: <20141013170638.GB31276@mdounin.ru>
Message-ID: <20141013190923.GE31276@mdounin.ru>

Hello!

On Mon, Oct 13, 2014 at 02:43:07PM -0400, wangweixun wrote:

> Thanks for your prompt reply.
>
> Why do I have to do the work in the post handler? Now I have a stub post
> handler. ngx_http_read_client_request_body() does nothing but load the
> request body into the original request, which is used by the next handler.
> Everything seems to be working fine to me.

If you don't need a request body in your module, it's not clear why at all you are trying to read it. If, in contrast, you do need the request body, you shouldn't try to do the real work till the post_handler is called.

Technically, you can use multiple access-phase handlers to handle things, as long as proper order is maintained by using flags set in post_handler. But there is no need to use multiple handlers to do this, as there is no real difference as long as you anyway maintain flags set in post_handler. On the other hand, if you indeed using a stub post_handler, it means that things are working by chance.

--
Maxim Dounin
http://nginx.org/

From pluknet at nginx.com Mon Oct 13 19:21:36 2014
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Mon, 13 Oct 2014 23:21:36 +0400
Subject: proxy_cache_bypass and cache refresh
In-Reply-To: <542E6F7F.4040806@leniwiec.biz>
References: <542E6F7F.4040806@leniwiec.biz>
Message-ID: <543C2640.8050803@nginx.com>

On 03.10.2014 13:42, Grzegorz Kulewski wrote:
> Hello,
>
> Is it true that a GET request that satisfies proxy_cache_bypass (and generates BYPASS cache status in the access log) should also refresh proxy cache for that URL?
>
> There are several tutorials on the Internet that advise that it works. Also it was working for us before but stopped - either after nginx upgrade or after some configuration change - not sure right now. We are currently running nginx 1.4.7.
>

HIT, STALE, UPDATING, REVALIDATED causes to read from a cache.
MISS, EXPIRED, BYPASS causes to write to a cache.

> Parts of configuration:
>
> http {
>     proxy_cache_path /var/cache/www levels=1:2 keys_zone=foo-cache:256m max_size=4g inactive=1h;
>     proxy_cache_key "$host$request_uri";
>     proxy_cache_lock on;
>     proxy_cache_lock_timeout 120s;
>     proxy_no_cache $upstream_http_x_bar_dont_cache_me $cookie_x_no_cache;
>     proxy_cache_bypass $http_x_bar_cache_refresh $cookie_x_bar_no_cache;
> }
>
> location = / {
>     proxy_pass http://foo_old_www;
>     proxy_cache foo-cache;
>     proxy_cache_valid 200 1h;
> }
>
>
> Request to refresh cache (I double checked that it generates a GET request and a cache status BYPASS):
>
> curl -H 'X-Bar-Cache-Refresh: true' -D - 'http://www.foo.pl/'
>
>
> Any idea why it doesn't work?
>

Anything suspicious in error log? If not, looking at debug log should be a good thing to do.
http://nginx.org/en/docs/debugging_log.html

Search for "http file cache update" in logs.

Also, make sure that you are not hitting cache format change in 1.7.3:
http://hg.nginx.org/nginx/rev/44b9ab7752e3

From vbart at nginx.com Mon Oct 13 22:04:16 2014
From: vbart at nginx.com (Valentin V. Bartenev)
Date: Tue, 14 Oct 2014 02:04:16 +0400
Subject: http keep alive with post requests issue
In-Reply-To: <61eb21859dc4e1b0e7f5fdbeb5e62c61.NginxMailingListEnglish@forum.nginx.org>
References: <61eb21859dc4e1b0e7f5fdbeb5e62c61.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <1508112.FpZal0pkAn@vbart-laptop>

On Monday 13 October 2014 10:48:26 lzilles wrote:
> I figured that the location settings have not been used at all.
> So now I can see that even for location settings the same error occurs. If I
> use keepalive and proxy_set_header Connection "" it works. As soon as I add
> "proxy_http_version 1.1" to any context, the POST responses still get
> returned directly by the application server...

What do you mean by "returned directly"?

wbr, Valentin V.
Bartenev

From dewanggaba at xtremenitro.org Tue Oct 14 05:03:05 2014
From: dewanggaba at xtremenitro.org (Dewangga Bachrul Alam)
Date: Tue, 14 Oct 2014 12:03:05 +0700
Subject: Redirect loop problems
Message-ID: <543CAE89.2070507@xtremenitro.org>

Hi,

Today, I was implement redirect using return 301, here's my snippet:

server {
    listen 80;
    server_name domain.tld;
    error_log /dev/null;
    access_log off;
    return 301 https://www.domain.tld$request_uri;
}

server {
    listen 80;
    server_name www.domain.tld;
    error_log /dev/null;
    access_log off;

    location ^~ /go/ {
        # Apache2 Backend
        proxy_pass http://127.0.0.1:8080;
    }
    location / {
        return 301 https://$http_host$request_uri$is_args$query_string;
    }
}

server {
    listen 443 ssl spdy;
    server_name domain.tld;
    return 301 https://www.domain.tld$request_uri;

    error_log /dev/null;
    access_log off;

    ssl on;
    ssl_certificate bundle.crt;
    ssl_certificate_key file.key;
    ssl_verify_depth 2;
}

server {
    listen 443 ssl spdy;
    server_name www.domain.tld;
    location ^~ /go/ {
        return 301 http://$http_host$request_uri;
    }
    location / {
        # Apache2 Backend
        proxy_pass http://127.0.0.1:8080;
    }
}

The problem is, if the visitor hit `/go/` URL, the browser says it's redirect loop, but if I try `curl -I` command the `/go/` URL, it's normal, and says HTTP 200.

Any hints? Really appreciate any helps.

From dewanggaba at xtremenitro.org Tue Oct 14 05:37:33 2014
From: dewanggaba at xtremenitro.org (Dewangga Bachrul Alam)
Date: Tue, 14 Oct 2014 12:37:33 +0700
Subject: Redirect loop problems
In-Reply-To: <543CAE89.2070507@xtremenitro.org>
References: <543CAE89.2070507@xtremenitro.org>
Message-ID: <543CB69D.3080900@xtremenitro.org>

Update:

I just want to redirect specific URL contains `/go/*` to HTTP, and force others to HTTPS.

On 10/14/2014 12:03 PM, Dewangga Bachrul Alam wrote:
> Hi,
>
> Today, I was implement redirect using return 301, here's my snippet:
>
> server {
>     listen 80;
>     server_name domain.tld;
>     error_log /dev/null;
>     access_log off;
>     return 301 https://www.domain.tld$request_uri;
> }
>
> server {
>     listen 80;
>     server_name www.domain.tld;
>     error_log /dev/null;
>     access_log off;
>
>     location ^~ /go/ {
>         # Apache2 Backend
>         proxy_pass http://127.0.0.1:8080;
>     }
>     location / {
>         return 301 https://$http_host$request_uri$is_args$query_string;
>     }
> }
>
> server {
>     listen 443 ssl spdy;
>     server_name domain.tld;
>     return 301 https://www.domain.tld$request_uri;
>
>     error_log /dev/null;
>     access_log off;
>
>     ssl on;
>     ssl_certificate bundle.crt;
>     ssl_certificate_key file.key;
>     ssl_verify_depth 2;
> }
>
> server {
>     listen 443 ssl spdy;
>     server_name www.domain.tld;
>     location ^~ /go/ {
>         return 301 http://$http_host$request_uri;
>     }
>     location / {
>         # Apache2 Backend
>         proxy_pass http://127.0.0.1:8080;
>     }
> }
>
> The problem is, if the visitor hit `/go/` URL, the browser says it's
> redirect loop, but if I try `curl -I` command the `/go/` URL, it's
> normal, and says HTTP 200.
>
> Any hints? Really appreciate any helps.
>

From shmick at riseup.net Tue Oct 14 07:31:20 2014
From: shmick at riseup.net (shmick at riseup.net)
Date: Tue, 14 Oct 2014 18:31:20 +1100
Subject: client_max_body_size increase
Message-ID: <543CD148.3070309@riseup.net>

are there any inherent security risks associated with increasing to a value of, say, 10M to accommodate attachment upload for web mail client usage?

From nginx-forum at nginx.us Tue Oct 14 07:35:20 2014
From: nginx-forum at nginx.us (mex)
Date: Tue, 14 Oct 2014 03:35:20 -0400
Subject: client_max_body_size increase
In-Reply-To: <543CD148.3070309@riseup.net>
References: <543CD148.3070309@riseup.net>
Message-ID:

it is more a performance- than a security-issue (diskspace, i/o, buffering) etc

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253959,253960#msg-253960

From nginx-forum at nginx.us Tue Oct 14 07:46:47 2014
From: nginx-forum at nginx.us (lzilles)
Date: Tue, 14 Oct 2014 03:46:47 -0400
Subject: http keep alive with post requests issue
In-Reply-To: <1508112.FpZal0pkAn@vbart-laptop>
References: <1508112.FpZal0pkAn@vbart-laptop>
Message-ID: <3378909da620ffab2587c06b55633fcf.NginxMailingListEnglish@forum.nginx.org>

The http headers returned to the client are incorrect. It should be "Connection 'keep-alive'" instead of "Connection "close"". Somehow all the nginx settings for response headers seem to be ignored. The fact that the application server's name is returned in the response http header instead of "Server nginx" made me think that the response is "directly" returned without taking nginx configuration into account.

The requests get logged to access.log. I enabled further log statements using "$sent_http_header" variables. Still I can't figure out why the GET requests are treated differently.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253936,253961#msg-253961

From shmick at riseup.net Tue Oct 14 09:57:20 2014
From: shmick at riseup.net (shmick at riseup.net)
Date: Tue, 14 Oct 2014 20:57:20 +1100
Subject: client_max_body_size increase
In-Reply-To:
References: <543CD148.3070309@riseup.net>
Message-ID: <543CF380.4010405@riseup.net>

mex wrote:
> it is more a performance- than a security-issue (diskspace, i/o, buffering)
> etc

ok

assume no webmail activity in this moment

does this setting affect & impact a static site serving mainly images in this scenario?

From crazyworld at outlook.com Tue Oct 14 17:02:45 2014
From: crazyworld at outlook.com (crazy world)
Date: Tue, 14 Oct 2014 17:02:45 +0000
Subject: Redirect loop problems
In-Reply-To: <543CB69D.3080900@xtremenitro.org>
References: <543CAE89.2070507@xtremenitro.org>, <543CB69D.3080900@xtremenitro.org>
Message-ID:

Can you grab the http conversation from the browser or run tcpdump to show the difference between curl and the browser? The client sends the different thing to the server which is confirmed.

-B

> Date: Tue, 14 Oct 2014 12:37:33 +0700
> From: dewanggaba at xtremenitro.org
> To: nginx at nginx.org
> Subject: Re: Redirect loop problems
>
> Update:
>
> I just want to redirect specific URL contains `/go/*` to HTTP, and force
> others to HTTPS.
>
> On 10/14/2014 12:03 PM, Dewangga Bachrul Alam wrote:
> > Hi,
> >
> > Today, I was implement redirect using return 301, here's my snippet:
> >
> > server {
> >     listen 80;
> >     server_name domain.tld;
> >     error_log /dev/null;
> >     access_log off;
> >     return 301 https://www.domain.tld$request_uri;
> > }
> >
> > server {
> >     listen 80;
> >     server_name www.domain.tld;
> >     error_log /dev/null;
> >     access_log off;
> >
> >     location ^~ /go/ {
> >         # Apache2 Backend
> >         proxy_pass http://127.0.0.1:8080;
> >     }
> >     location / {
> >         return 301 https://$http_host$request_uri$is_args$query_string;
> >     }
> > }
> >
> > server {
> >     listen 443 ssl spdy;
> >     server_name domain.tld;
> >     return 301 https://www.domain.tld$request_uri;
> >
> >     error_log /dev/null;
> >     access_log off;
> >
> >     ssl on;
> >     ssl_certificate bundle.crt;
> >     ssl_certificate_key file.key;
> >     ssl_verify_depth 2;
> > }
> >
> > server {
> >     listen 443 ssl spdy;
> >     server_name www.domain.tld;
> >     location ^~ /go/ {
> >         return 301 http://$http_host$request_uri;
> >     }
> >     location / {
> >         # Apache2 Backend
> >         proxy_pass http://127.0.0.1:8080;
> >     }
> > }
> >
> > The problem is, if the visitor hit `/go/` URL, the browser says it's
> > redirect loop, but if I try `curl -I`
command the `/go/` URL, it's
> > normal, and says HTTP 200.
> >
> > Any hints? Really appreciate any helps.
> >
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

From lists at ruby-forum.com Wed Oct 15 07:51:19 2014
From: lists at ruby-forum.com (Andreas S.)
Date: Wed, 15 Oct 2014 09:51:19 +0200
Subject: Possible to have a limit_req "nodelay burst" option?
In-Reply-To: <75889ab591fdc9f01bb9d5f8c49ff467.NginxMailingListEnglish@forum.nginx.org>
References: <20130415223803.GO92338@mdounin.ru> <75889ab591fdc9f01bb9d5f8c49ff467.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <09a9b975b7adaeaa251ac89ab065ebaf@ruby-forum.com>

ppy wrote in post #1114430:
> I have to agree with this completely. In fact, I thought this was the
> intended behaviour of the "burst" argument, and it wasn't until further
> testing that I realised its true meaning.
>
> I am looking for the exact same behaviour here - to allow *actual* burst
> requests before the delay starts to kick in. The eventual 503 is not
> necessary.

I came across the same issue today. Actually, a lot of the explanations of the limit_req functionality that you can find on the web seem to think that it works that way, probably because it would be the most intuitive and useful way to do it.

--
Posted via http://www.ruby-forum.com/.

From dol+list at cyon.ch Wed Oct 15 10:25:46 2014
From: dol+list at cyon.ch (Dominic)
Date: Wed, 15 Oct 2014 12:25:46 +0200
Subject: Debian Package Rules as Mercurial repositories
In-Reply-To:
References: <54333920.5040602@cyon.ch>
Message-ID: <543E4BAA.8050104@cyon.ch>

On 10/10/14 15:28, Sergey Budnevitch wrote:
>
> On 07 Oct 2014, at 04:51, Dominic wrote:
>
>> Dear List
>>
>> I'm looking for the Debian package rules. I could download the
>> source file from
>> http://nginx.org/packages/mainline/ubuntu/pool/nginx/n/nginx/.
But
>> I guess there is a non-public repository, where the package rules
>> are stored to build all the provided packages.
>
> We have one, but have no plans to make it public, sorry. The whole
> build process is unified for open and non-public packages and
> publishing and thus the freeze of the part of the infrastructure will
> complicate maintenance for us.

I understand your reason. No problem about this. I use the source package as a base.

>> Something like https://github.com/hhvm/packaging (Package rules for
>> HHVM) would be nice to have.
>>
>> The reason for my question is, that I need to build nginx an older
>> version of nginx, but the source package of this older version is
>> no longer hosted on http://nginx.org/packages/.
>
> There are almost no backward incompatible changes, besides new nginx
> module addition, like auth request module, so you may use last
> version of source package and just change nginx version in the debian
> changelog file. All package changes are mentioned in the changelog.

Ok. Good to know that only the modules will be altered.

Thank you for the provided information.

From sandra.snan at idiomdrottning.org Wed Oct 15 11:17:49 2014
From: sandra.snan at idiomdrottning.org (Sandra Snan)
Date: Wed, 15 Oct 2014 13:17:49 +0200
Subject: fastcgi_index - am I missing something obvious?
Message-ID: <87fveppoo2.fsf@ellen.idiomdrottning.org>

So I have the same setup on two different servers, using fcgiwrap to serve some basic classic style cgi scripts.

On both, http://serverdomain.whatever/cgi-bin/index.cgi works great and other explicit .cgi urls work.

But only on one of them, http://serverdomain.whatever/cgi-bin/ takes me to the index.cgi. On the other I get a 502.

What am I missing?
I think the unix permissions of /usr/lib, /usr/lib/cgi-bin and its contents, and /var/www are the same on both servers.

The error log is

2014/10/15 11:16:40 [error] 30892#0: *845 upstream prematurely closed FastCGI stdout while reading response header from upstream, client: [my client ip], server: [my server adress], request: "GET /cgi-bin/ HTTP/1.1", upstream: "fastcgi://unix:/var/run/fcgiwrap.socket:", host: "[my server adress]"

Sandra

Here is the conf:

server {
    listen 80;
    root /var/www/;
    # not really relevant
    index index.html;
    server_name my_server_name_went_here;
    location / {
        try_files $uri $uri/ /index.html;
    }
    # this, as the rest of the conf, is the same on both
    location /cgi-bin/ {
        gzip off;
        # the cgi-bin directory is in /usr/lib
        root /usr/lib;
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
        include /etc/nginx/fastcgi_params;
        # this next line seems to work on one, not the other
        fastcgi_index index.cgi;
        fastcgi_param SCRIPT_FILENAME /usr/lib$fastcgi_script_name;
    }
}

From dewanggaba at xtremenitro.org Wed Oct 15 15:08:08 2014
From: dewanggaba at xtremenitro.org (Dewangga Bachrul Alam)
Date: Wed, 15 Oct 2014 22:08:08 +0700
Subject: Redirect loop problems
In-Reply-To:
References: <543CAE89.2070507@xtremenitro.org>, <543CB69D.3080900@xtremenitro.org>
Message-ID: <543E8DD8.30705@xtremenitro.org>

Hi,

Problem solved, on conf.d directory, there is active HSTS directive, that's why the HTTP forcing to HTTPS, wherever I force them back to http.

Thanks anyway.

On 10/15/2014 12:02 AM, crazy world wrote:
> Can you grab the http conversation from the browser or run tcpdump to show the difference between curl and the browser? The client sends the different thing to the server which is confirmed.
>
> -B
>
>> Date: Tue, 14 Oct 2014 12:37:33 +0700
>> From: dewanggaba at xtremenitro.org
>> To: nginx at nginx.org
>> Subject: Re: Redirect loop problems
>>
>> Update:
>>
>> I just want to redirect specific URL contains `/go/*` to HTTP, and force
>> others to HTTPS.
>>
>> On 10/14/2014 12:03 PM, Dewangga Bachrul Alam wrote:
>>> Hi,
>>>
>>> Today, I was implement redirect using return 301, here's my snippet:
>>>
>>> server {
>>>     listen 80;
>>>     server_name domain.tld;
>>>     error_log /dev/null;
>>>     access_log off;
>>>     return 301 https://www.domain.tld$request_uri;
>>> }
>>>
>>> server {
>>>     listen 80;
>>>     server_name www.domain.tld;
>>>     error_log /dev/null;
>>>     access_log off;
>>>
>>>     location ^~ /go/ {
>>>         # Apache2 Backend
>>>         proxy_pass http://127.0.0.1:8080;
>>>     }
>>>     location / {
>>>         return 301 https://$http_host$request_uri$is_args$query_string;
>>>     }
>>> }
>>>
>>> server {
>>>     listen 443 ssl spdy;
>>>     server_name domain.tld;
>>>     return 301 https://www.domain.tld$request_uri;
>>>
>>>     error_log /dev/null;
>>>     access_log off;
>>>
>>>     ssl on;
>>>     ssl_certificate bundle.crt;
>>>     ssl_certificate_key file.key;
>>>     ssl_verify_depth 2;
>>> }
>>>
>>> server {
>>>     listen 443 ssl spdy;
>>>     server_name www.domain.tld;
>>>     location ^~ /go/ {
>>>         return 301 http://$http_host$request_uri;
>>>     }
>>>     location / {
>>>         # Apache2 Backend
>>>         proxy_pass http://127.0.0.1:8080;
>>>     }
>>> }
>>>
>>> The problem is, if the visitor hit `/go/` URL, the browser says it's
>>> redirect loop, but if I try `curl -I` command the `/go/` URL, it's
>>> normal, and says HTTP 200.
>>>
>>> Any hints? Really appreciate any helps.
>>>

From nginx-forum at nginx.us Wed Oct 15 16:50:23 2014
From: nginx-forum at nginx.us (keeyong)
Date: Wed, 15 Oct 2014 12:50:23 -0400
Subject: Logging POST body
Message-ID: <7878335470620e8013c9959aa372a1c6.NginxMailingListEnglish@forum.nginx.org>

I am using nginx as a reverse proxy in front of apache (PHP) as a load balancer and a logger.
For some endpoints, I want to log their POST bodies and I looked up the Web and found some solution requiring to install HttpEchoModule. Is there any other way of achieving this? Preferably without installing any new module?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254007,254007#msg-254007

From nginx-forum at nginx.us Wed Oct 15 18:01:43 2014
From: nginx-forum at nginx.us (mex)
Date: Wed, 15 Oct 2014 14:01:43 -0400
Subject: Logging POST body
In-Reply-To: <7878335470620e8013c9959aa372a1c6.NginxMailingListEnglish@forum.nginx.org>
References: <7878335470620e8013c9959aa372a1c6.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <3d74e68ddb354d75c680ccc84a71d237.NginxMailingListEnglish@forum.nginx.org>

hi,

did you even try to google it?

dork: "logging post body nginx"

http://stackoverflow.com/questions/4939382/logging-post-data-from-request-body

cheers,

mex

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254007,254009#msg-254009

From mdounin at mdounin.ru Wed Oct 15 18:13:48 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 15 Oct 2014 22:13:48 +0400
Subject: Logging POST body
In-Reply-To: <7878335470620e8013c9959aa372a1c6.NginxMailingListEnglish@forum.nginx.org>
References: <7878335470620e8013c9959aa372a1c6.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20141015181348.GT31276@mdounin.ru>

Hello!

On Wed, Oct 15, 2014 at 12:50:23PM -0400, keeyong wrote:

> I am using nginx as a reverse proxy in front of apache (PHP) as a load
> balancer and a logger. For some endpoints, I want to log their POST bodies
> and I looked up the Web and found some solution requiring to install
> HttpEchoModule. Is there any other way of achieving this? Preferably without
> installing any new module?

Yes, you can access a request body either via $request_body variable, or with, if it's saved to a file, via $request_body_file variable.

Related documentation links:

http://nginx.org/r/$request_body
http://nginx.org/r/$request_body_file
http://nginx.org/r/client_body_in_file_only
http://nginx.org/r/client_body_buffer_size

--
Maxim Dounin
http://nginx.org/

From nginx-forum at nginx.us Wed Oct 15 21:26:13 2014
From: nginx-forum at nginx.us (itpp2012)
Date: Wed, 15 Oct 2014 17:26:13 -0400
Subject: [ANN] Windows nginx 1.7.7.2 Gryphon
Message-ID: <540e8d6252d119b8f8295ee8a15c37bc.NginxMailingListEnglish@forum.nginx.org>

22:55 15-10-2014 nginx 1.7.7.2 Gryphon

Tell me a story and I'll tell you my history. The Mock Turtle and the Gryphon are here to stay. What! Never heard of uglifying! If you don't know what to uglify is, you are a simpleton so you'd better get on your way. The nginx Gryphon release is here!

Based on nginx 1.7.7 (15-10-2014, last changeset 5876:973fded4f461) with;
+ Openssl-1.0.1j (CVE-2014-3513, CVE-2014-3567, SSL 3.0 Fallback protection, CVE-2014-3568)
+ lua-nginx-module v0.9.13rc1 (upgraded 15-10-2014)
+ Source changes back ported
+ Source changes add-on's back ported
+ Changes for nginx_basic: Source changes back ported
* Scheduled release: no (openssl fixes)
* Additional specifications: see 'Feature list'

Builds can be found here: http://nginx-win.ecsds.eu/
Follow releases https://twitter.com/nginx4Windows

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254012,254012#msg-254012

From miguelmclara at gmail.com Wed Oct 15 23:01:13 2014
From: miguelmclara at gmail.com (Miguel Clara)
Date: Thu, 16 Oct 2014 00:01:13 +0100
Subject: ssl_protocols per server?
Message-ID:

From the docs:

Syntax: ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2];
Default: ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
Context: http, server

however I'm trying to have one server with:
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

and another with:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

But the first seems to be applied to all.

Note that the certs are different, each server is for a different domain (example.org and example2.org)

Is this the intended behaviour? we want to disable sslv3 for the main domain but still need backward compatibility support in some stuff running in the old one!

Thanks

From francis at daoine.org Wed Oct 15 23:02:11 2014
From: francis at daoine.org (Francis Daly)
Date: Thu, 16 Oct 2014 00:02:11 +0100
Subject: fastcgi_index - am I missing something obvious?
In-Reply-To: <87fveppoo2.fsf@ellen.idiomdrottning.org>
References: <87fveppoo2.fsf@ellen.idiomdrottning.org>
Message-ID: <20141015230211.GG3771@daoine.org>

On Wed, Oct 15, 2014 at 01:17:49PM +0200, Sandra Snan wrote:

Hi there,

> So I have the same setup on two different servers, using fcgiwrap to
> serve some basic classic style cgi scripts.

Presumably the setups are only "nearly" the same, or else they would respond the same way.

What version of fcgiwrap do you run on each server?

Can you show the output of "grep SCRIPT /etc/nginx/fastcgi_params" on the servers? (One output is fine, if the two are identical.)

> But only on one of them, http://serverdomain.whatever/cgi-bin/ takes me
> to the index.cgi. On the other I get a 502.

What is the output of "curl -i http://serverdomain.whatever/cgi-bin/", especially on the failing server?

(That's basically "have you cleared your browser cache?", but is more direct.)

> What am I missing?
> I think the unix permissions of /usr/lib, /usr/lib/cgi-bin and its
> contents, and /var/www are the same on both servers.

Since a request for /cgi-bin/index.cgi succeeds, they almost certainly are both correct; but the output of

  ls -ldZ /
  ls -ldZ /usr
  ls -ldZ /usr/lib
  ls -ldZ /usr/lib/cgi-bin
  ls -lZ /usr/lib/cgi-bin/index.cgi

on each server should show that they are the same or not. (Omit the Z if it shows errors.)

> # this, as the rest of the conf, is the same on both

If you "diff conf1 conf2", do you see only and exactly the expected changes from lines before this point?

Good luck with it,

	f
--
Francis Daly        francis at daoine.org

From miguelmclara at gmail.com Wed Oct 15 23:06:34 2014
From: miguelmclara at gmail.com (Miguel Clara)
Date: Thu, 16 Oct 2014 00:06:34 +0100
Subject: ssl_protocols per server?
In-Reply-To:
References:
Message-ID:

Forgot to mention this is with "nginx version: nginx/1.6.0" compiled with the normal "full" options + pagespeed

Best Regards
-----------------------------------------------
Miguel Clara
IT - Sys Admin & Developer
E-mail: miguelmclara at gmail.com
www.linkedin.com/in/miguelmclara/

On Thu, Oct 16, 2014 at 12:01 AM, Miguel Clara wrote:

> From the docs:
>
> Syntax: ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2];
> Default: ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
> Context: http, server
>
> however I'm trying to have one server with:
> ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
>
> and another with:
> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
>
> But the first seems to be applied to all.
>
> Note that the certs are different, each server is for a different domain
> (example.org and example2.org)
>
> Is this the intended behaviour? we want to disable sslv3 for the main
> domain but still need backward compatibility support in some stuff running
> in the old one!
>
> Thanks
>

From francis at daoine.org Wed Oct 15 23:12:57 2014
From: francis at daoine.org (Francis Daly)
Date: Thu, 16 Oct 2014 00:12:57 +0100
Subject: ssl_protocols per server?
In-Reply-To:
References:
Message-ID: <20141015231257.GH3771@daoine.org>

On Thu, Oct 16, 2014 at 12:01:13AM +0100, Miguel Clara wrote:

Hi there,

I do not know the answer, but...

> however I'm trying to have one server with:
> ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
>
> and another with:
> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
>
> But the first seems to be applied to all.

what configuration method do you use to have two different ssl-enabled servers running in one nginx?

http://nginx.org/en/docs/http/configuring_https_servers.html#name_based_https_servers

The answer to that may eliminate some possibilities from the answer to your question.

	f
--
Francis Daly        francis at daoine.org

From miguelmclara at gmail.com Wed Oct 15 23:37:19 2014
From: miguelmclara at gmail.com (Miguel Clara)
Date: Thu, 16 Oct 2014 00:37:19 +0100
Subject: ssl_protocols per server?
In-Reply-To: <20141015231257.GH3771@daoine.org>
References: <20141015231257.GH3771@daoine.org>
Message-ID:

listen 443 ssl spdy;

Actually but sni is working fine sslabs reports the correct certs... just tells me SSLv3 is on in all when it's only set for one of the domains...

At first I had "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" at the http level and just set "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;" in one of the servers/domain

I removed that for http block and now have the different "ssl_protocols" directive in the corresponding configs and sslabs reports the one defined in the first.

If I change the order (sslv3 first) sslabs reports all servers/domains have sslv3 on but curl fails with "-sslv3" and the error is related to the cert name ... but I'm assuming that's just because sni is a TLS extension not SSL.. so it actually proves sslv3 is on when it shouldn't be!

From fletch at fletchowns.net Wed Oct 15 23:58:47 2014
From: fletch at fletchowns.net (Greg Barker)
Date: Wed, 15 Oct 2014 16:58:47 -0700
Subject: SPDY connection was interrupted while downloading a file
In-Reply-To:
References:
Message-ID:

Bump. Any ideas on this one? Some other folks on HN were experiencing this as well: https://news.ycombinator.com/item?id=8404790

On Mon, Oct 6, 2014 at 12:25 PM, Greg Barker wrote:

> I'm using nginx 1.6.2 w/ SPDY to serve an autoindex of static files. After
> I start downloading a file, I can no longer access other pages on the site.
> I get a Firefox error message "The connection was interrupted" - a
> similar message appears in Chrome. If I do a CTRL+F5, then I can browse the
> site again while the download is going.
>
> Is this a limitation of using SPDY to serve static files? Is there a
> configuration parameter I need to adjust to avoid this issue?
>

From vbart at nginx.com Thu Oct 16 00:35:43 2014
From: vbart at nginx.com (Valentin V. Bartenev)
Date: Thu, 16 Oct 2014 04:35:43 +0400
Subject: SPDY connection was interrupted while downloading a file
In-Reply-To:
References:
Message-ID: <41589448.Ax4j7hcrCO@vbart-laptop>

On Monday 06 October 2014 12:25:37 Greg Barker wrote:
> I'm using nginx 1.6.2 w/ SPDY to serve an autoindex of static files. After
> I start downloading a file, I can no longer access other pages on the site.
> I get a Firefox error message "The connection was interrupted" - a similar
> message appears in Chrome. If I do a CTRL+F5, then I can browse the site
> again while the download is going.
>
> Is this a limitation of using SPDY to serve static files? Is there a
> configuration parameter I need to adjust to avoid this issue?

I can't reproduce with a simple configuration:

events {}

http {
    ssl_certificate server.crt;
    ssl_certificate_key server.key;

    server {
        listen 443 ssl spdy;
        location / {}
    }
}

Could you provide output of nginx -V and your configuration?

wbr, Valentin V. Bartenev

From fletch at fletchowns.net Thu Oct 16 02:24:11 2014
From: fletch at fletchowns.net (Greg Barker)
Date: Wed, 15 Oct 2014 19:24:11 -0700
Subject: SPDY connection was interrupted while downloading a file
In-Reply-To: <41589448.Ax4j7hcrCO@vbart-laptop>
References: <41589448.Ax4j7hcrCO@vbart-laptop>
Message-ID:

Thanks Valentin. Here's my config: https://gist.github.com/fletchowns/13680a9d101f96d5f728

$ /opt/nginx-1.6.2/sbin/nginx -V
nginx version: nginx/1.6.2
built by gcc 4.7.2 (Debian 4.7.2-5)
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx-1.6.2 --conf-path=/etc/nginx/nginx.conf --sbin-path=/opt/nginx-1.6.2/sbin/nginx --with-http_ssl_module --with-http_gzip_static_module --with-http_spdy_module --add-module=/tmp/nginx_http_fancyindex_module

On Wed, Oct 15, 2014 at 5:35 PM, Valentin V. Bartenev wrote:

> On Monday 06 October 2014 12:25:37 Greg Barker wrote:
> > I'm using nginx 1.6.2 w/ SPDY to serve an autoindex of static files. After
> > I start downloading a file, I can no longer access other pages on the site.
> > I get a Firefox error message "The connection was interrupted" - a similar
> > message appears in Chrome. If I do a CTRL+F5, then I can browse the site
> > again while the download is going.
> >
> > Is this a limitation of using SPDY to serve static files? Is there a
> > configuration parameter I need to adjust to avoid this issue?
>
> I can't reproduce with a simple configuration:
>
> events {}
>
> http {
>     ssl_certificate server.crt;
>     ssl_certificate_key server.key;
>
>     server {
>         listen 443 ssl spdy;
>         location / {}
>     }
> }
>
> Could you provide output of nginx -V and your configuration?
>
> wbr, Valentin V.
Bartenev
>

From sandra.snan at idiomdrottning.org Thu Oct 16 05:40:17 2014
From: sandra.snan at idiomdrottning.org (Sandra Snan)
Date: Thu, 16 Oct 2014 07:40:17 +0200
Subject: fastcgi_index - am I missing something obvious?
In-Reply-To: <20141015230211.GG3771@daoine.org>
Message-ID: <877g00po72.fsf@ellen.idiomdrottning.org>

Thanks so much for finding so many avenues to trouble shoot, I had been figuratively banging my head against the screen for hours, and all of the ideas were good.

On Thu, 16 Oct 2014 00:02:11 +0100, Francis Daly wrote:
> Can you show the output of "grep SCRIPT /etc/nginx/fastcgi_params"
> on the servers? (One output is fine, if the two are identical.)

This was the problem; the non-working server had a

  fastcgi_param SCRIPT_FILENAME $request_filename;

line that I commented out, restarted nginx and now it's working. The working server was missing that line. Both had a SCRIPT_NAME line, which I didn't change.

So let that be a lesson to folks at home who find this post later! I made a couple of mistakes here;

1. assuming that the /etc/nginx/fastcgi_params files were the same; they looked the same at first glance but I should've ran diff on them. Things usually are in one of the _first_ places you look, if you don't look carefully enough but think you have.

2. assuming that a SCRIPT_FILENAME line in the included file would be harmless since I also had a

  fastcgi_param SCRIPT_FILENAME /usr/lib$fastcgi_script_name;

line in the specific server conf, without doublechecking order of evaluation.

Readers with similar problems: if this doesn't solve it, take a look at the other suggestions.

Francis, thanks for taking the time to helping me troubleshoot this. I was seriously stuck.

Sandra

From nginx-forum at nginx.us Thu Oct 16 07:15:37 2014
From: nginx-forum at nginx.us (mex)
Date: Thu, 16 Oct 2014 03:15:37 -0400
Subject: ssl_protocols per server?
In-Reply-To:
References:
Message-ID: <63d82707284cd2ac36bc2801878b3bed.NginxMailingListEnglish@forum.nginx.org>

could you please send/gist your (anonymized) server {} configs?

one suggestion: enable 2 different access-logs for each server-block and confirm requests to dom1.com go to the configured dom1.com and requests to dom2.com go to the configured dom2.com.

once you are sure the requests go to the right server {} - config we can try to figure out what's happening.

cheers,

mex

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254016,254027#msg-254027

From jessica at litw.in Thu Oct 16 07:40:44 2014
From: jessica at litw.in (Jessica Litwin)
Date: Thu, 16 Oct 2014 03:40:44 -0400
Subject: issue with ssl_ciphers not being respected
Message-ID:

Hello

I seem to have a bit of a problem. In my vhost's server {}; block, I have:

ssl_ciphers EECDH+aRSA+AESGCM:EECDH+aRSA+AES:EDH+aRSA+AESGCM:EDH+aRSA+AES:DES-CBC3-SHA:!EXP:!CAMELLIA:!DSS:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4;
ssl_prefer_server_ciphers on;

but for some reason this doesn't seem to be respected because ssllabs.com's checker says: "RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger ciphers are available."

Testing with openssl s_client shows:

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-RC4-SHA

My ssl_ciphers line _should_ be disallowing all RC4... so I am not sure if this is a bug or if I have these options in the wrong place (I tried them in the http{} block for grins with no effect) or if there's something missing from my build. Can someone provide guidance? TIA.

-jkl

root@dreamer:~# which nginx
/usr/sbin/nginx
root@dreamer:~# /usr/sbin/nginx -V
nginx version: nginx/1.7.6
built by gcc 4.7.2 (Debian 4.7.2-5)
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx --with-http_ssl_module --with-http_gzip_static_module --with-http_stub_status_module --with-cc-opt=-Wno-error --add-module=/usr/local/rvm/gems/ruby-2.1.3/gems/passenger-4.0.53/ext/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_spdy_module --with-cc-opt='-s -O3 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wno-error=maybe-uninitialized -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt=-Wl,-z,relro --with-ipv6 --add-module=/opt/build/naxsi-master/naxsi_src
root@dreamer:~# ldd /usr/sbin/nginx
    linux-vdso.so.1 => (0x00007fffb808d000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f6f3cf7a000)
    libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f6f3cd43000)
    libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f6f3ca3b000)
    libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f6f3c7b9000)
    librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f6f3c5b1000)
    libpcre.so.3 =>
/lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f6f3c373000) libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f6f3c113000) libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f6f3bd1b000) libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f6f3bb16000) libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f6f3b8ff000) libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f6f3b6e9000) libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f6f3b35d000) /lib64/ld-linux-x86-64.so.2 (0x00007f6f3d1a0000) root at dreamer:~# openssl version OpenSSL 1.0.1e 11 Feb 2013 -------------- next part -------------- An HTML attachment was scrubbed... URL: From jiri.horky at gmail.com Thu Oct 16 08:17:15 2014 From: jiri.horky at gmail.com (Jiri Horky) Date: Thu, 16 Oct 2014 10:17:15 +0200 Subject: upstream prematurely closed connection while reading response header from upstream Message-ID: <543F7F0B.5060202@gmail.com> Hi list, we are seeing sporadic nginx errors "upstream prematurely closed connection while reading response header from upstream" with nginx/1.6.2 which seems to be some kind of race condition. For debugging purposes we only setup 1 upstream server on a public IP address of the same server as nginx, there is no keepalive configured between nginx and the upstream server. The upstream HTTP server is written in a way that it forcibly closes the connection when the response status code is 303. This may be part of the problem as well. 

The error message in the logs is this:

2014/10/16 08:19:39 [error] 21664#0: *7504970 upstream prematurely closed connection while reading response header from upstream, client: 109.3.1.2, server: my.avast.com, request: "GET /fr-fr/ HTTP/1.1", upstream: "https://1.1.1.1:8888/ru-ru/", host: "my.upstream.com", referrer: "https://id.upstream.com/ru-ru/confirm/registration?token=TOKEN"

The configuration looks like follows:

    location / {
        proxy_pass http://my-upstream;
        proxy_read_timeout 90;
    }

    upstream my-upstream {
        ip_hash ; #it was here because normally, we use more upstream servers
        server 1.1.1.1:8888;
    }

Now, we tracked down, that this only happens when FIN packet from
upstream server reaches nginx sooner than it's finished with parsing the
response (headers) and thus sooner than nginx closes the connection
itself. For example this packet order will trigger the problem:

No. Time Source SrcPrt Destination Protocol Length Info
25571 10.297569 1.1.1.1 35481 1.1.1.1 TCP 76 35481 > 8888 [SYN] Seq=0 Win=3072 Len=0 MSS=16396 SACK_PERM=1 TSval=1902164528 TSecr=0 WS=8192
25572 10.297580 1.1.1.1 8888 1.1.1.1 TCP 76 8888 > 35481 [SYN, ACK] Seq=0 Ack=1 Win=3072 Len=0 MSS=16396 SACK_PERM=1 TSval=1902164528 TSecr=1902164528 WS=8192
25573 10.297589 1.1.1.1 35481 1.1.1.1 TCP 68 35481 > 8888 [ACK] Seq=1 Ack=1 Win=8192 Len=0 TSval=1902164528 TSecr=1902164528
25574 10.297609 1.1.1.1 35481 1.1.1.1 HTTP 1533 GET / HTTP/1.0
25575 10.297617 1.1.1.1 8888 1.1.1.1 TCP 68 8888 > 35481 [ACK] Seq=1 Ack=1466 Win=8192 Len=0 TSval=1902164528 TSecr=1902164528
25596 10.323092 1.1.1.1 8888 1.1.1.1 HTTP 480 HTTP/1.1 303 See Other
25597 10.323106 1.1.1.1 35481 1.1.1.1 TCP 68 35481 > 8888 [ACK] Seq=1466 Ack=413 Win=8192 Len=0 TSval=1902164554 TSecr=1902164554
25598 10.323161 1.1.1.1 8888 1.1.1.1 TCP 68 8888 > 35481 [FIN, ACK] Seq=413 Ack=1466 Win=8192 Len=0 TSval=1902164554 TSecr=1902164554
25599 10.323167 1.1.1.1 35481 1.1.1.1 TCP 68 35481 > 8888 [FIN, ACK] Seq=1466 Ack=413 Win=8192 Len=0 TSval=1902164554 TSecr=1902164554
25600 10.323180 1.1.1.1 8888 1.1.1.1 TCP 68 8888 > 35481 [ACK] Seq=414 Ack=1467 Win=8192 Len=0 TSval=1902164554 TSecr=1902164554
25601 10.323189 1.1.1.1 35481 1.1.1.1 TCP 68 35481 > 8888 [ACK] Seq=1467 Ack=414 Win=8192 Len=0 TSval=1902164554 TSecr=1902164554

Note that the upstream HTTP (port 8888) sends the FIN packet sooner than
nginx (port 35481 in this case).

This is an example of an OK connection:

No. Time Source SrcPrt Destination Protocol Length Info
27746 11.472853 1.1.1.1 35959 1.1.1.1 TCP 76 35959 > 8888 [SYN] Seq=0 Win=3072 Len=0 MSS=16396 SACK_PERM=1 TSval=1902165703 TSecr=0 WS=8192
27747 11.472867 1.1.1.1 8888 1.1.1.1 TCP 76 8888 > 35959 [SYN, ACK] Seq=0 Ack=1 Win=3072 Len=0 MSS=16396 SACK_PERM=1 TSval=1902165704 TSecr=1902165703 WS=8192
27748 11.472881 1.1.1.1 35959 1.1.1.1 TCP 68 35959 > 8888 [ACK] Seq=1 Ack=1 Win=8192 Len=0 TSval=1902165704 TSecr=1902165704
27749 11.472907 1.1.1.1 35959 1.1.1.1 HTTP 1187 GET /es-co/tab HTTP/1.0
27750 11.472917 1.1.1.1 8888 1.1.1.1 TCP 68 8888 > 35959 [ACK] Seq=1 Ack=1120 Win=8192 Len=0 TSval=1902165704 TSecr=1902165704
27751 11.473818 1.1.1.1 8888 1.1.1.1 HTTP 354 HTTP/1.1 303 See Other
27752 11.473830 1.1.1.1 35959 1.1.1.1 TCP 68 35959 > 8888 [ACK] Seq=1120 Ack=287 Win=8192 Len=0 TSval=1902165704 TSecr=1902165704
27753 11.473865 1.1.1.1 35959 1.1.1.1 TCP 68 35959 > 8888 [FIN, ACK] Seq=1120 Ack=287 Win=8192 Len=0 TSval=1902165705 TSecr=1902165704
27754 11.473877 1.1.1.1 8888 1.1.1.1 TCP 68 8888 > 35959 [FIN, ACK] Seq=287 Ack=1120 Win=8192 Len=0 TSval=1902165705 TSecr=1902165704
27755 11.473885 1.1.1.1 35959 1.1.1.1 TCP 68 35959 > 8888 [ACK] Seq=1121 Ack=288 Win=8192 Len=0 TSval=1902165705 TSecr=1902165705
27756 11.473892 1.1.1.1 8888 1.1.1.1 TCP 68 8888 > 35959 [ACK] Seq=288 Ack=1121 Win=8192 Len=0 TSval=1902165705 TSecr=1902165705

Example of the request and response from wireshark when the problem
occurred is attached below.

From looking at the code, it seems to me that the error message is
printed only when recv() function returns 0 (i.e. there are no bytes to
read and the connection is closed):

src/http/ngx_http_upstream.c:
1653         n = c->recv(c, u->buffer.last, u->buffer.end - u->buffer.last);
1654 ....
1669         if (n == 0) {
1670             ngx_log_error(NGX_LOG_ERR, c->log, 0,
1671                           "upstream prematurely closed connection");
1672         }

From my limited understanding, this only can happen when one has read
everything which was in the stream, so function:

1687         rc = u->process_header(r);
1688

should have had everything, i.e. complete header (verified in
wireshark), so it should never return NGX_AGAIN and thus reach the line
1670.

Any pointers will be much appreciated.

Regards
Jiri Horky

GET / HTTP/1.0
Host: my.upstream.com
X-Real-IP: 213.87.240.82
X-Forwarded-For: 213.87.240.82
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cookie: __utma=1.1091156737.1413387695.1413387695.1413387695.1; __utmb=1.2.10.1413387695; __utmc=1; __utmz=1.1413387695.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ID-params-prod="registered=true&refreshIdSession=true&LOGIN_SUCCESS=true"; IDT2=IDTN-21229-MJfdls0NsfrjlHeztlBobHdPetEXXXXXX4; locale2=ru-ru; osc_omcid=undefined; osc_ot=wd%3E%3Eun%3Eun; osc_v12=Website; osc_v13=Website%20%7C%20Direct; osc_v14=Website%20%7C%20Direct%20%7C%20; osc_v15=Website%20%7C%20Direct%20%7C%20; osc_v27=Website%20%7C%20Direct; osc_v42=web; s_cc=true; s_fid=10F5314146A83D94-160DXXXXXX; s_nr2=1413387748541-New; x-otid=wd%3E%3Eun%3Eun
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A365 Safari/600.1.4
Accept-Language: ru
Referer: https://id.upstream.com/ru-ru/confirm/registration?token=TOKEN
Accept-Encoding: gzip, deflate

HTTP/1.1 303 See Other
Content-Length: 0
Content-Type: text/plain
Location: https://my.upstream.com/ru-ru/
Set-Cookie: mySessionId=3KNJXXXXXXqX; Expires=Wed, 15 Oct 2014 15:57:30 GMT; Path=/; Domain=.my.upstream.com; Secure; HTTPOnly
Set-Cookie: myLocalIdSession="IDTN-21229-MJfdls0NsfrjlHeztlBobHdPetEXXXXXXXX4:2"; Expires=Wed, 15 Oct 2014 15:57:30 GMT; Path=/; Domain=.my.upstream.com; Secure; HTTPOnly

From nginx-forum at nginx.us Thu Oct 16 08:52:57 2014
From: nginx-forum at nginx.us (itpp2012)
Date: Thu, 16 Oct 2014 04:52:57 -0400
Subject: issue with ssl_ciphers not being respected
In-Reply-To:
References:
Message-ID:

At least update your openssl to 1.0.1j and try again.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254028,254032#msg-254032

From nginx-forum at nginx.us Thu Oct 16 09:38:13 2014
From: nginx-forum at nginx.us (igorb)
Date: Thu, 16 Oct 2014 05:38:13 -0400
Subject: try_files and a nested location regexp
Message-ID: <220a8ba3a323945e56d11ca5476b50c8.NginxMailingListEnglish@forum.nginx.org>

I could not figure out why try_files in a nested location defined with a
regexp does not work in nginx/1.4.6 under Ubuntu 14.04. Consider the
following config:

    server {
        listen 8080 default_server;
        root /usr/share/nginx/html;
        autoindex on;

        location /x/ {
            alias /test/;
            location ~ ^/x/test {
                try_files $uri =404;
            }
        }
    }

With /test containing publicly readable file test.html and directory
test_dir this does not work as expected. While localhost:/x/ properly
lists directory context of /test and localhost:/x/test_dir/ is reported as
404 not found, nginx also reported as 404 not found localhost:/x/test.html
even if the file exists.

Now, if I replace the regexp with a simple prefix so the location reads:

    location /x/ {
        alias /test/;
        location /x/test {
            try_files $uri =404;
        }
    }

then everything works. That is, both localhost:/x/ and
localhost:/x/test.html are accessible and only localhost:/x/test_dir/ is
404 not found.

So what is wrong with the usage of try_files in the initial regexp-based
location config?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254033,254033#msg-254033

From pluknet at nginx.com Thu Oct 16 09:59:54 2014
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Thu, 16 Oct 2014 13:59:54 +0400
Subject: try_files and a nested location regexp
In-Reply-To: <220a8ba3a323945e56d11ca5476b50c8.NginxMailingListEnglish@forum.nginx.org>
References: <220a8ba3a323945e56d11ca5476b50c8.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

On Oct 16, 2014, at 1:38 PM, igorb wrote:
> [...]
> So what is wrong with the usage of try_files in the initial regexp-based
> location config?

That is because a location defined with a regular expression
has no fixed length to make a replacement in try_files, which
is what alias does.

-- Sergey Kandaurov

From nginx-forum at nginx.us Thu Oct 16 11:09:44 2014
From: nginx-forum at nginx.us (igorb)
Date: Thu, 16 Oct 2014 07:09:44 -0400
Subject: try_files and a nested location regexp
In-Reply-To:
References:
Message-ID:

I tried to add explicit alias to the regexp location:

    server {
        listen 8080 default_server;
        root /usr/share/nginx/html;
        autoindex on;

        location /x/ {
            alias /test/;
        }

        location ~ ^/x/(test.*)$ {
            alias /test/$1;
            try_files $uri =404;
        }
    }

However that still gives 404 for localhost/x/test.html . Does that mean that
try_files cannot be used at all in a regexp location defined with an alias,
it only works if the location uses the root directive?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254033,254035#msg-254035

From me at myconan.net Thu Oct 16 11:12:49 2014
From: me at myconan.net (Edho Arief)
Date: Thu, 16 Oct 2014 20:12:49 +0900
Subject: try_files and a nested location regexp
In-Reply-To:
References:
Message-ID:

On Thu, Oct 16, 2014 at 8:09 PM, igorb wrote:
> I tried to add explicit alias to the regexp location:
>
> server {
>     listen 8080 default_server;
>     root /usr/share/nginx/html;
>     autoindex on;
>
>     location /x/ {
>         alias /test/;
>     }
>
>     location ~ ^/x/(test.*)$ {
>         alias /test/$1;
>         try_files $uri =404;
>     }
> }
>
> However that still gives 404 for localhost/x/test.html . Does that mean that
> try_files cannot be used at all in a regexp location defined with an alias,
> it only works if the location uses the root directive?
>

Why don't just use the alias in try_files?

    try_files /test/$1 =404;

From nginx-forum at nginx.us Thu Oct 16 11:25:47 2014
From: nginx-forum at nginx.us (igorb)
Date: Thu, 16 Oct 2014 07:25:47 -0400
Subject: try_files and a nested location regexp
In-Reply-To:
References:
Message-ID: <05c8a7093321920cd7fdeb123a4e41c0.NginxMailingListEnglish@forum.nginx.org>

I tried that, but it still does not work.
The following config as before still gives 404 for localhost/x/test.html :

    server {
        listen 8080 default_server;
        root /usr/share/nginx/html;
        autoindex on;

        location /x/ {
            alias /test/;
        }

        location ~ ^/x/(test.*)$ {
            alias /test/$1;
            try_files /test/$1 =404;
            # try_files $uri =404;
        }
    }

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254033,254037#msg-254037

From francis at daoine.org Thu Oct 16 11:28:17 2014
From: francis at daoine.org (Francis Daly)
Date: Thu, 16 Oct 2014 12:28:17 +0100
Subject: try_files and a nested location regexp
In-Reply-To:
References:
Message-ID: <20141016112817.GI3771@daoine.org>

On Thu, Oct 16, 2014 at 07:09:44AM -0400, igorb wrote:

Hi there,

> location ~ ^/x/(test.*)$ {
>     alias /test/$1;
>     try_files $uri =404;
> }

> However that still gives 404 for localhost/x/test.html . Does that mean that
> try_files cannot be used at all in a regexp location defined with an alias,
> it only works if the location uses the root directive?

try_files puts its "file" argument after $document_root, and looks for
a file on the filesystem with that combined name.

alias-with-regex sets $document_root to the value given.

So if you want try_files and alias-with-regex, you want something like

    try_files "" =404

But that specific use of try_files is probably not very useful, since it
is mostly the same as having no try_files at all -- I guess it is a
simplified version of what you really want, so it is useful as an example.

    f
-- 
Francis Daly        francis at daoine.org

From francis at daoine.org Thu Oct 16 11:36:44 2014
From: francis at daoine.org (Francis Daly)
Date: Thu, 16 Oct 2014 12:36:44 +0100
Subject: fastcgi_index - am I missing something obvious?
In-Reply-To: <877g00po72.fsf@ellen.idiomdrottning.org>
References: <20141015230211.GG3771@daoine.org> <877g00po72.fsf@ellen.idiomdrottning.org>
Message-ID: <20141016113644.GJ3771@daoine.org>

On Thu, Oct 16, 2014 at 07:40:17AM +0200, Sandra Snan wrote:
> On Thu, 16 Oct 2014 00:02:11 +0100, Francis Daly wrote:

Hi there,

> > Can you show the output of "grep SCRIPT /etc/nginx/fastcgi_params"
> > on the servers? (One output is fine, if the two are identical.)
>
> This was the problem; the non-working server had a
> fastcgi_param SCRIPT_FILENAME $request_filename;
> line that I commented out, restarted nginx and now it's working.

Good stuff.

Any difference is a bad difference, when things should be the same ;-)

> The working server was missing that line.
> Both had a SCRIPT_NAME line, which I didn't change.

All of the fastcgi_param handling is pretty much down to the fastcgi
server, and different servers do different things, so there isn't always
a single recipe that nginx can use.

> 2. assuming that a SCRIPT_FILENAME line in the included file would be
> harmless since I also had a
> fastcgi_param SCRIPT_FILENAME /usr/lib$fastcgi_script_name;
> line in the specific server conf, without doublechecking order of
> evaluation.

That suggests that your current fastcgi server uses the *first* unique
fastcgi_param value that it receives. So if you had put the fastcgi_param
line before the include line in your nginx config, you probably would
not have seen this problem (until something changed).

> Francis, thanks for taking the time to helping me troubleshoot this.
> I was seriously stuck.

Good to hear that it is resolved.

Cheers,

    f
-- 
Francis Daly        francis at daoine.org

From me at myconan.net Thu Oct 16 11:40:06 2014
From: me at myconan.net (Edho Arief)
Date: Thu, 16 Oct 2014 20:40:06 +0900
Subject: try_files and a nested location regexp
In-Reply-To: <05c8a7093321920cd7fdeb123a4e41c0.NginxMailingListEnglish@forum.nginx.org>
References: <05c8a7093321920cd7fdeb123a4e41c0.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

On Thu, Oct 16, 2014 at 8:25 PM, igorb wrote:
> I tried that, but it still does not work. The following config as before
> still gives 404 for localhost/x/test.html :
>
> server {
>     listen 8080 default_server;
>     root /usr/share/nginx/html;
>     autoindex on;
>
>     location /x/ {
>         alias /test/;
>     }
>
>     location ~ ^/x/(test.*)$ {
>         alias /test/$1;
>         try_files /test/$1 =404;
>         # try_files $uri =404;
>     }
> }
>

Have you tried removing the alias?

    location ~ ^/x/(test.*)$ {
        try_files /test/$1 =404;
    }

From nginx-forum at nginx.us Thu Oct 16 11:55:48 2014
From: nginx-forum at nginx.us (igorb)
Date: Thu, 16 Oct 2014 07:55:48 -0400
Subject: try_files and a nested location regexp
In-Reply-To: <20141016112817.GI3771@daoine.org>
References: <20141016112817.GI3771@daoine.org>
Message-ID: <28d7025c6b8c2b11b5365eacd5b84601.NginxMailingListEnglish@forum.nginx.org>

Thanks, try_files "" =404 works indeed as long as the regexp location block
contains the necessary alias. I.e. the original example modified like in:

    server {
        listen 8080 default_server;
        root /usr/share/nginx/html;
        autoindex on;

        location /x/ {
            alias /test/;
            location ~ ^/x/test {
                try_files "" =404;
            }
        }
    }

does not work, while the following one with an extra alias works nicely:

    server {
        listen 8080 default_server;
        root /usr/share/nginx/html;
        autoindex on;

        location /x/ {
            alias /test/;
            location ~ ^/x/(test.*) {
                alias /test/$1;
                try_files "" =404;
            }
        }
    }

P.S. This is indeed a very simplified config.
However, even in this form it is useful as it reports directories matching
^/x/test as not found even with autoindex on inherited from the server
context.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254033,254042#msg-254042

From nginx-forum at nginx.us Thu Oct 16 12:03:49 2014
From: nginx-forum at nginx.us (igorb)
Date: Thu, 16 Oct 2014 08:03:49 -0400
Subject: try_files and a nested location regexp
In-Reply-To:
References:
Message-ID: <6fe070b05a6708c44f7bc5384924113f.NginxMailingListEnglish@forum.nginx.org>

That does not work either. What works is try_files "" =404 together with an
explicit alias as Francis Daly described in another post.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254033,254043#msg-254043

From francis at daoine.org Thu Oct 16 12:18:01 2014
From: francis at daoine.org (Francis Daly)
Date: Thu, 16 Oct 2014 13:18:01 +0100
Subject: try_files and a nested location regexp
In-Reply-To: <28d7025c6b8c2b11b5365eacd5b84601.NginxMailingListEnglish@forum.nginx.org>
References: <20141016112817.GI3771@daoine.org> <28d7025c6b8c2b11b5365eacd5b84601.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20141016121801.GK3771@daoine.org>

On Thu, Oct 16, 2014 at 07:55:48AM -0400, igorb wrote:

Hi there,

> Thanks, try_files "" =404 works indeed as long as the regexp location block
> contains the necessary alias.

That sounds correct.

"alias" sets $document_root. try_files concatenates $document_root with
its "file" argument. (It does do more than that; those details might
matter depending on what precisely you want to do.)

So if you want to use try_files, you must make sure that $document_root
and the "file" argument combine to name the file that you want to check
the existence of.

> location /x/ {
>     alias /test/;
>     location ~ ^/x/test {
>         try_files "" =404;
>     }
> }

> does not work,

$document_root concatenated with "" is /test/, which is not a file,
so =404 is used.

> This is indeed a very simplified config. However, even in this form it is
> useful as it reports directories matching ^/x/test as not found even with
> autoindex on inherited from the server context.

If you want try_files to look for a directory instead of a file, you
have to configure it to do that.

    f
-- 
Francis Daly        francis at daoine.org

From me at myconan.net Thu Oct 16 12:29:43 2014
From: me at myconan.net (Edho Arief)
Date: Thu, 16 Oct 2014 21:29:43 +0900
Subject: try_files and a nested location regexp
In-Reply-To: <6fe070b05a6708c44f7bc5384924113f.NginxMailingListEnglish@forum.nginx.org>
References: <6fe070b05a6708c44f7bc5384924113f.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

On Thu, Oct 16, 2014 at 9:03 PM, igorb wrote:
> That does not work either. What works is try_files "" =404 together with an
> explicit alias as Francis Daly described in another post.
>

did you put it inside the aliased location block? That'd explain why
it doesn't work (as francis said, $document_root is overridden) unless
you add "root /test;" inside the block.

Seriously though, you better avoid using `alias` at all.

From nginx-forum at nginx.us Thu Oct 16 12:42:26 2014
From: nginx-forum at nginx.us (igorb)
Date: Thu, 16 Oct 2014 08:42:26 -0400
Subject: try_files and a nested location regexp
In-Reply-To: <20141016121801.GK3771@daoine.org>
References: <20141016121801.GK3771@daoine.org>
Message-ID:

Thanks again for detailed explanation. Now I almost grasped how try_files
works. "Almost" because I still do not see why the following does not work:

    server {
        listen 8080 default_server;
        root /usr/share/nginx/html;
        autoindex on;

        location /x/ {
            alias /test/;
            location ~ ^/x/(test.*) {
                try_files $1 =404;
            }
        }
    }

For localhost/x/test.html $1 will be test.html. I suppose $document_root
should be /test/ as it was set with the alias in the outer location so
try_files should try to check for existing /test/test.html . However, nginx
still reports 404. Why it is so?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254033,254047#msg-254047

From vbart at nginx.com Thu Oct 16 12:58:42 2014
From: vbart at nginx.com (Valentin V. Bartenev)
Date: Thu, 16 Oct 2014 16:58:42 +0400
Subject: SPDY connection was interrupted while downloading a file
In-Reply-To:
References: <41589448.Ax4j7hcrCO@vbart-laptop>
Message-ID: <1671681.MsSFll6rZ2@vbart-workstation>

On Wednesday 15 October 2014 19:24:11 Greg Barker wrote:
> Thanks Valentin. Here's my config:
> https://gist.github.com/fletchowns/13680a9d101f96d5f728
>
> $ /opt/nginx-1.6.2/sbin/nginx -V
> nginx version: nginx/1.6.2
> built by gcc 4.7.2 (Debian 4.7.2-5)
> TLS SNI support enabled
> configure arguments: --prefix=/opt/nginx-1.6.2
> --conf-path=/etc/nginx/nginx.conf --sbin-path=/opt/nginx-1.6.2/sbin/nginx
> --with-http_ssl_module --with-http_gzip_static_module
> --with-http_spdy_module --add-module=/tmp/nginx_http_fancyindex_module
> [..]

I'm able to reproduce, and from debug log it's clear that the issue
is caused by the fancyindex 3rd-party module. And a brief look through
its code reveals a number of problems with request handling.

wbr, Valentin V. Bartenev

From miguelmclara at gmail.com Thu Oct 16 12:59:34 2014
From: miguelmclara at gmail.com (Miguel Clara)
Date: Thu, 16 Oct 2014 13:59:34 +0100
Subject: ssl_protocols per server?
In-Reply-To: <63d82707284cd2ac36bc2801878b3bed.NginxMailingListEnglish@forum.nginx.org>
References: <63d82707284cd2ac36bc2801878b3bed.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

It seems that the need for sslv3 was not so important, and so I've disabled
it completely, this was on a production machine so I can't really be
playing much with it :)

However I'll try to reproduce this in our dev box see what we get, and post
the results/config in a min.
Melhores Cumprimentos // Best Regards ----------------------------------------------- *Miguel Clara* *IT - Sys Admin & Developer* *E-mail: *miguelmclara at gmail.com www.linkedin.com/in/miguelmclara/ On Thu, Oct 16, 2014 at 8:15 AM, mex wrote: > could youe please send/gist your (anonymized) server {} configs? > > one suggestions: enable 2 different access-logs for each server-black and > confirm requests to dom1.com go to the configured dom1.com and > requests to dom2.com go to the configured dom2.com. > > once you are sure the requests go to the right server {} - config > we can try to figure out whats happening. > > > > cheers, > > mex > > Posted at Nginx Forum: > http://forum.nginx.org/read.php?2,254016,254027#msg-254027 > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: linkedin.png Type: image/png Size: 655 bytes Desc: not available URL: From mdounin at mdounin.ru Thu Oct 16 13:01:08 2014 From: mdounin at mdounin.ru (Maxim Dounin) Date: Thu, 16 Oct 2014 17:01:08 +0400 Subject: ssl_protocols per server? In-Reply-To: References: <20141015231257.GH3771@daoine.org> Message-ID: <20141016130108.GA16333@mdounin.ru> Hello! On Thu, Oct 16, 2014 at 12:37:19AM +0100, Miguel Clara wrote: > listen 443 ssl spdy; > > Actually but sni is working fine sslabs reports the correct certs... just > tells me SSLv3 is on in all when its only set for one of the domains... > At first I had " ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" at the http level > and just set " ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; " in one of the > servers/domain I removed that for http block and now have the different > "ssl_protocols" directive in the corresponding configs and sslabs reports > the one defined in the first. 
> > > If I change the order (sslv3 first) sslabs reports all servers/domains have > sslv3 on but curl fails with "-sslv3" and the error is related to the cert > name ... but I'm assuming that's just because sni is a TLS extension not > SSL.. so it actually proves sslv3 is on when it shouldn't be! When using SSLv3 to connect, settings of the default server{} block will be used. This is because there is no SNI in SSLv3, and hence SSL connection is established in the context of the default server{} block. The appropriate server{} block is then selected based on Host header in an http request, much like it used to work with non-SNI virtual hosting and normal HTTP. That is, by using the "ssl_protocols" directive you can only limit use of SSLv3 for all servers on a particular listen socket, as due to lack of SNI it doesn't make sense in non-default server{} blocks. If you want to limit use of SSLv3 for a particular server only, you have two basic options: - use a separate listen socket for this server (that is, use a separate IP address); - test $ssl_protocol variable during a http request processing and return an error; something like if ($ssl_protocol = "SSLv3") { return 403; } will do the trick. -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Thu Oct 16 13:10:13 2014 From: mdounin at mdounin.ru (Maxim Dounin) Date: Thu, 16 Oct 2014 17:10:13 +0400 Subject: issue with ssl_ciphers not being respected In-Reply-To: References: Message-ID: <20141016131013.GB16333@mdounin.ru> Hello! On Thu, Oct 16, 2014 at 03:40:44AM -0400, Jessica Litwin wrote: > Hello > > I seem to have a bit of a problem. 
In my vhost's server {}; block, I have: > > ssl_ciphers > EECDH+aRSA+AESGCM:EECDH+aRSA+AES:EDH+aRSA+AESGCM:EDH+aRSA+AES:DES-CBC3-SHA:!EXP:!CAMELLIA:!DSS:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4; > ssl_prefer_server_ciphers on; > > but for some reason this doesn't seem to be respected because ssllabs.com's > checker says: > > "RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger > ciphers are available." > > Testing with openssl s_client shows: > > SSL-Session: > Protocol : TLSv1.2 > Cipher : ECDHE-RSA-RC4-SHA > > My ssl_ciphers line _should_ be disallowing all RC4... so I am not sure if > this is a bug or if I have these options in the wrong place (I tried them > in the http{} block for grins with no effect) or if there's something > missing from my build. Can someone provide guidance? Configuring ssl_ciphers at http{} level should be fine - as long as it's not overwritten in server{} blocks. Some thrivial things to check: - make sure ssl_ciphers isn't overwritten in server{} blocks; - make sure you've properly reloaded you configuration. If you used configuration reload (not nginx restart) - make sure to check logs to see if reload went fine, as nginx will revert to a previous configuration in case of errors. Additionally, "nginx -t" may be helpful here. - make sure you are testing correct server. -- Maxim Dounin http://nginx.org/ From francis at daoine.org Thu Oct 16 13:18:32 2014 From: francis at daoine.org (Francis Daly) Date: Thu, 16 Oct 2014 14:18:32 +0100 Subject: try_files and a nested location regexp In-Reply-To: References: <20141016121801.GK3771@daoine.org> Message-ID: <20141016131832.GL3771@daoine.org> On Thu, Oct 16, 2014 at 08:42:26AM -0400, igorb wrote: Hi there, > Thanks again for detailed explanation. Now I almost grasped how try_files > works. 
"Almost" because I still do not see why the following does not work: There is a defect which is involved here, and probably interferes: http://trac.nginx.org/nginx/ticket/97 Anything involving try_files and alias may not do what you expect. If you can specify what exactly you want, it may be possible to find a configuration which does that using the current implementation of the defect. Or it may not be. You will probably be much happier investigating if you enable the debug log. > location /x/ { > alias /test/; > location ~ ^/x/(test.*) { > try_files $1 =404; > } > } > For localhost/x/test.html $1 will be test.html. I suppose $document_root > should be /test/ as it was set with the alias in the outer location so > try_files should try to check for existing /test/test.html . However, nginx > still reports 404. Why it is so? Can you tell whether the 404 is from the uri argument of try_files, or the serve-from-filesystem handler? Look in the debug log and you will see what happens. Or: what do you see if you change try_files to end in =405? The rest is "the details of what else try_files and alias do". (try_files does see /test/test.html, but the serve-from-filesystem handler does not try to serve that file.) f -- Francis Daly francis at daoine.org From mdounin at mdounin.ru Thu Oct 16 13:36:50 2014 From: mdounin at mdounin.ru (Maxim Dounin) Date: Thu, 16 Oct 2014 17:36:50 +0400 Subject: upstream prematurely closed connection while reading response header from upstream In-Reply-To: <543F7F0B.5060202@gmail.com> References: <543F7F0B.5060202@gmail.com> Message-ID: <20141016133650.GC16333@mdounin.ru> Hello! On Thu, Oct 16, 2014 at 10:17:15AM +0200, Jiri Horky wrote: > Hi list, > > we are seeing sporadic nginx errors "upstream prematurely closed > connection while reading response header from upstream" with nginx/1.6.2 > which seems to be some kind of race condition. 
> For debugging purposes we only setup 1 upstream server on a public IP > address of the same server as nginx, there is no keepalive configured > between nginx and the upstream server. The upstream HTTP server is > written in a way that it forcibly closes the connection when the > response status code is 303. This may be part of the problem as well. [...] > Now, we tracked down, that this only happens when FIN packet from > upstream server reaches nginx sooner than it's finished with parsing the > response (headers) and thus sooner than nginx closes the connection > itself. For example this packet order will trigger the problem: > No. Time Source SrcPrt Destination Protocol > Length Info > 25571 10.297569 1.1.1.1 35481 1.1.1.1 TCP 76 35481 > 8888 [SYN] Seq=0 Win=3072 Len=0 MSS=16396 SACK_PERM=1 TSval=1902164528 TSecr=0 WS=8192 > 25572 10.297580 1.1.1.1 8888 1.1.1.1 TCP 76 8888 > 35481 [SYN, ACK] Seq=0 Ack=1 Win=3072 Len=0 MSS=16396 SACK_PERM=1 TSval=1902164528 TSecr=1902164528 WS=8192 > 25573 10.297589 1.1.1.1 35481 1.1.1.1 TCP 68 35481 > 8888 [ACK] Seq=1 Ack=1 Win=8192 Len=0 TSval=1902164528 TSecr=1902164528 > 25574 10.297609 1.1.1.1 35481 1.1.1.1 HTTP 1533 GET / HTTP/1.0 > 25575 10.297617 1.1.1.1 8888 1.1.1.1 TCP 68 8888 > 35481 [ACK] Seq=1 Ack=1466 Win=8192 Len=0 TSval=1902164528 TSecr=1902164528 > 25596 10.323092 1.1.1.1 8888 1.1.1.1 HTTP 480 HTTP/1.1 303 See Other > 25597 10.323106 1.1.1.1 35481 1.1.1.1 TCP 68 35481 > 8888 [ACK] Seq=1466 Ack=413 Win=8192 Len=0 TSval=1902164554 TSecr=1902164554 > 25598 10.323161 1.1.1.1 8888 1.1.1.1 TCP 68 8888 > 35481 [FIN, ACK] Seq=413 Ack=1466 Win=8192 Len=0 TSval=1902164554 TSecr=1902164554 > 25599 10.323167 1.1.1.1 35481 1.1.1.1 TCP 68 35481 > 8888 [FIN, ACK] Seq=1466 Ack=413 Win=8192 Len=0 TSval=1902164554 TSecr=1902164554 > 25600 10.323180 1.1.1.1 8888 1.1.1.1 TCP 68 8888 > 35481 [ACK] Seq=414 Ack=1467 Win=8192 Len=0 TSval=1902164554 TSecr=1902164554 > 25601 10.323189 1.1.1.1 35481 1.1.1.1 TCP 68 35481 > 8888 [ACK] 
Seq=1467 Ack=414 Win=8192 Len=0 TSval=1902164554 TSecr=1902164554
>
> Note that the upstream HTTP (port 8888) sends the FIN packet sooner than
> nginx (port 35481 in this case).

Looking into the packet trace I suspect this commit may be
relevant to your case:

http://hg.nginx.org/nginx/rev/9d3a9c45fc43

Please test with nginx 1.7.3+ to see if it helps.

--
Maxim Dounin
http://nginx.org/

From miguelmclara at gmail.com Thu Oct 16 13:41:33 2014
From: miguelmclara at gmail.com (Miguel Clara)
Date: Thu, 16 Oct 2014 14:41:33 +0100
Subject: ssl_protocols per server?
In-Reply-To: <20141016130108.GA16333@mdounin.ru>
References: <20141015231257.GH3771@daoine.org> <20141016130108.GA16333@mdounin.ru>
Message-ID:

Hum... makes sense when sni is involved yes, but I get the same issue if
using the same certificate (wildcard) for 2 subdomains on my dev
environment.

say "blog.domain.com" and "forums.domain.com" and I tested with
cert/key_path defined in the server's blocks and in conf.d/ssl.conf (which
is read before site-enabled/*) both give the same result

These are curl results with any ssl path/cipher stripped from server blocks,
and in one ssl_protocol as sslv3 (forums) the other does not

~% curl -sslv3 -I -uuser:pass https://blog.domain.com
* Rebuilt URL to: https://blog.domain.com/
* Hostname was NOT found in DNS cache
* Trying 1.2.3.4...
* Connected to blogdev.domain.com (1.2.3.4) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection 0

~% curl -sslv3 -I -uuser:pass https://orums.domain.com
* Rebuilt URL to: https://forums.domain.com/
* Hostname was NOT found in DNS cache
* Trying 1.2.3.4...
* Connected to testforums.domain.com (1.2.3.4) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection 0

NOTE: the blog config is read first... if I rename the forums config to
00-forums.conf SSLv3 works, but works for both and it should not work for
blog... so it seems that it's not only about sni?

Melhores Cumprimentos // Best Regards
-----------------------------------------------
Miguel Clara
IT - Sys Admin & Developer
E-mail: miguelmclara at gmail.com
www.linkedin.com/in/miguelmclara/

On Thu, Oct 16, 2014 at 2:01 PM, Maxim Dounin wrote:

> Hello!
>
> On Thu, Oct 16, 2014 at 12:37:19AM +0100, Miguel Clara wrote:
>
> > listen 443 ssl spdy;
> >
> > Actually but sni is working fine sslabs reports the correct certs... just
> > tells me SSLv3 is on in all when its only set for one of the domains...
> > At first I had " ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" at the http level
> > and just set " ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; " in one of the
> > servers/domain I removed that for http block and now have the different
> > "ssl_protocols" directive in the corresponding configs and sslabs reports
> > the one defined in the first.
> >
> >
> > If I change the order (sslv3 first) sslabs reports all servers/domains have
> > sslv3 on but curl fails with "-sslv3" and the error is related to the cert
> > name ... but I'm assuming that's just because sni is a TLS extension not
> > SSL.. so it actually proves sslv3 is on when it shouldn't be!
>
> When using SSLv3 to connect, settings of the default server{}
> block will be used. This is because there is no SNI in SSLv3, and
> hence SSL connection is established in the context of the default
> server{} block.
> The appropriate server{} block is then selected
> based on Host header in an http request, much like it used to work
> with non-SNI virtual hosting and normal HTTP.
>
> That is, by using the "ssl_protocols" directive you can only limit
> use of SSLv3 for all servers on a particular listen socket, as due
> to lack of SNI it doesn't make sense in non-default server{}
> blocks.
>
> If you want to limit use of SSLv3 for a particular server only,
> you have two basic options:
>
> - use a separate listen socket for this server (that is, use a
>   separate IP address);
>
> - test $ssl_protocol variable during a http request processing and
>   return an error; something like
>
>   if ($ssl_protocol = "SSLv3") {
>       return 403;
>   }
>
>   will do the trick.
>
> --
> Maxim Dounin
> http://nginx.org/

From mdounin at mdounin.ru Thu Oct 16 13:58:10 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Thu, 16 Oct 2014 17:58:10 +0400
Subject: ssl_protocols per server?
In-Reply-To:
References: <20141015231257.GH3771@daoine.org> <20141016130108.GA16333@mdounin.ru>
Message-ID: <20141016135810.GE16333@mdounin.ru>

Hello!

On Thu, Oct 16, 2014 at 02:41:33PM +0100, Miguel Clara wrote:

> Hum... makes sense when sni is involved yes, but I get the same issue if
> using the same certificate (wildcard) for 2 subdomains on my dev
> environment.
>
> say "blog.domain.com" and "forums.domain.com" and I tested with
> cert/key_path defined in the server's blocks and in conf.d/ssl.conf (which
> is read before site-enabled/*) both give the same result
>
> These are curl results with any ssl path/cipher stripped from server blocks,
> and in one ssl_protocol as sslv3 (forums) the other does not

[...]

> NOTE: the blog config is read first... if I rename the forums config to
> 00-forums.conf SSLv3 works, but works for both and it should not work for
> blog... so it seems that it's not only about sni?

Again: as long as SSLv3 is not enabled in the default server
block, SSLv3 will not work. If it's enabled, it will work for all
virtual servers using the listen socket in question. By changing
names you effectively change default server for the listen socket in
question (but that's bad and not guaranteed to work, use
"listen ... default_server" instead). That's expected behaviour.

Quoting my previous response here, you may want to re-read it to
make sure you've understood it correctly:

> > When using SSLv3 to connect, settings of the default server{}
> > block will be used. This is because there is no SNI in SSLv3, and
> > hence SSL connection is established in the context of the default
> > server{} block. The appropriate server{} block is then selected
> > based on Host header in an http request, much like it used to work
> > with non-SNI virtual hosting and normal HTTP.
> >
> > That is, by using the "ssl_protocols" directive you can only limit
> > use of SSLv3 for all servers on a particular listen socket, as due
> > to lack of SNI it doesn't make sense in non-default server{}
> > blocks.
> >
> > If you want to limit use of SSLv3 for a particular server only,
> > you have two basic options:
> >
> > - use a separate listen socket for this server (that is, use a
> >   separate IP address);
> >
> > - test $ssl_protocol variable during a http request processing and
> >   return an error; something like
> >
> >   if ($ssl_protocol = "SSLv3") {
> >       return 403;
> >   }
> >
> >   will do the trick.

Additionally, here is a link to the article about request processing
in nginx, it explains things about "default_server" and so on:

http://nginx.org/en/docs/http/request_processing.html

Hope this helps.

--
Maxim Dounin
http://nginx.org/

From miguelmclara at gmail.com Thu Oct 16 14:30:02 2014
From: miguelmclara at gmail.com (Miguel Clara)
Date: Thu, 16 Oct 2014 15:30:02 +0100
Subject: ssl_protocols per server?
In-Reply-To: <20141016135810.GE16333@mdounin.ru>
References: <20141015231257.GH3771@daoine.org> <20141016130108.GA16333@mdounin.ru> <20141016135810.GE16333@mdounin.ru>
Message-ID:

On Thu, Oct 16, 2014 at 2:58 PM, Maxim Dounin wrote:

> Hello!
>
> On Thu, Oct 16, 2014 at 02:41:33PM +0100, Miguel Clara wrote:
>
> > Hum... makes sense when sni is involved yes, but I get the same issue if
> > using the same certificate (wildcard) for 2 subdomains on my dev
> > environment.
> >
> > say "blog.domain.com" and "forums.domain.com" and I tested with
> > cert/key_path defined in the server's blocks and in conf.d/ssl.conf (which
> > is read before site-enabled/*) both give the same result
> >
> > These are curl results with any ssl path/cipher stripped from server blocks,
> > and in one ssl_protocol as sslv3 (forums) the other does not
>
> [...]
>
> > NOTE: the blog config is read first... if I rename the forums config to
> > 00-forums.conf SSLv3 works, but works for both and it should not work for
> > blog... so it seems that it's not only about sni?
>
> Again: as long as SSLv3 is not enabled in the default server
> block, SSLv3 will not work.
> If it's enabled, it will work for all
> virtual servers using the listen socket in question. By changing
> names you effectively change default server for the listen socket in
> question (but that's bad and not guaranteed to work, use
> "listen ... default_server" instead). That's expected behaviour.
>
> Quoting my previous response here, you may want to re-read it to
> make sure you've understood it correctly:
>

Duh, yes I get it now, it's not possible to do this with sslv3 enabled by
default (also I do have default_server on ssl.conf)

server {
    listen 443 default_server ssl spdy;
    server_name _;
    ssl_certificate wildcard.crt;
    ssl_certificate_key wildcard.key;
}

This just makes it use the cert for all and uses this as default (which as
you say is preferred to just setting it on the server block and expecting
nginx to use the first as default).

I was using

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

or

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

in the servers only and then moved it to ssl.conf.

And what you say is that *the expected behaviour* is that if SSLv3 is on
then it's on for all, and if not it's off for all, it will use the default
config (or the first it grabs, although that's not the recommended case).

So as I said somewhere before this is indeed on for all or for none, but
it's not a bug, it's how it works, there is no way around it except using a
different socket (IP) for each server!

I was wrongly expecting it would work differently with a wildcard cert.

Thanks for the clarification

From braulio at eita.org.br Thu Oct 16 16:25:39 2014
From: braulio at eita.org.br (Bráulio Bhavamitra)
Date: Thu, 16 Oct 2014 13:25:39 -0300
Subject: Disable log for a specific server {}
In-Reply-To: <4758257.7YMB0STr9D@vbart-laptop>
References: <4758257.7YMB0STr9D@vbart-laptop>
Message-ID:

Valentin, do you know if "access_log off;" started to work on a
location block on specific version of nginx?
I've tried with the
version from ubuntu trusty (1.4.7) and it didn't work.

On Fri, Oct 3, 2014 at 8:22 AM, Valentin V. Bartenev wrote:
> On Friday 03 October 2014 08:17:22 Bráulio Bhavamitra wrote:
>> Hello all,
>>
>> I use a setup of nginx(ssl)+varnish+nginx+proxy. Because of this, the
>> second nginx server should not log the request as it would duplicate on the
>> logs. How to disable log for it?
>>
> [..]
>
>   access_log off;
>
> Please, look at the documentation: http://nginx.org/r/access_log
>
>   wbr, Valentin V. Bartenev

--
"Fight for your ideology. Be one with your ideology. Live for your
ideology. Die for your ideology" P.R. Sarkar

EITA - Educação, Informação e Tecnologias para Autogestão
http://cirandas.net/brauliobo
http://eita.org.br

"Paramapurusha is my father and Parama Prakriti is my mother. The
universe is my home and we are all citizens of this cosmos. This
universe is the imagination of the Macrocosmic Mind, and all entities
are being created, preserved and destroyed in the phases of
extroversion and introversion of the cosmic imaginative flow. On the
personal level, when a person imagines something in their mind, at that
moment that person is the sole owner of what they imagine, and no one
else. When a mentally created human being walks through an equally
imagined cornfield, the imagined person is not the owner of that
cornfield, because it belongs to the individual who is imagining it.
This universe was created in the imagination of Brahma, the Supreme
Entity, so the ownership of this universe is Brahma's, and not of the
microcosms that were also created by the imagination of Brahma. No
property of this world, mutable or immutable, belongs to any particular
individual; everything is the common patrimony of all."
Rest of the text at
http://cirandas.net/brauliobo/blog/a-problematica-de-hoje-em-dia

From fgunbin at fastmail.fm Thu Oct 16 16:26:55 2014
From: fgunbin at fastmail.fm (Filipp Gunbin)
Date: Thu, 16 Oct 2014 20:26:55 +0400
Subject: internal and error_page directives
Message-ID:

Hi, today I've noticed a strange thing regarding "internal" and
"error_page" directives.

I have a config similar to this:

location ~ {
    internal;
    proxy_pass ;
    error_page 404 = /other_location$uri;
}

What I'm surprised about is that if an external request comes to this
location, we go the /other_location. So the 404 that results from
"internal" is also subject for error_page processing. Isn't that
strange? I cannot find any documentation about that.

--
Filipp

From fletch at fletchowns.net Thu Oct 16 17:02:42 2014
From: fletch at fletchowns.net (Greg Barker)
Date: Thu, 16 Oct 2014 10:02:42 -0700
Subject: SPDY connection was interrupted while downloading a file
In-Reply-To: <1671681.MsSFll6rZ2@vbart-workstation>
References: <41589448.Ax4j7hcrCO@vbart-laptop> <1671681.MsSFll6rZ2@vbart-workstation>
Message-ID:

Thanks Valentin! I didn't realize fancyindex could be the culprit. I'll
follow up with the fancyindex developer.

On Thu, Oct 16, 2014 at 5:58 AM, Valentin V. Bartenev wrote:

> On Wednesday 15 October 2014 19:24:11 Greg Barker wrote:
> > Thanks Valentin. Here's my config:
> > https://gist.github.com/fletchowns/13680a9d101f96d5f728
> >
> > $ /opt/nginx-1.6.2/sbin/nginx -V
> > nginx version: nginx/1.6.2
> > built by gcc 4.7.2 (Debian 4.7.2-5)
> > TLS SNI support enabled
> > configure arguments: --prefix=/opt/nginx-1.6.2
> > --conf-path=/etc/nginx/nginx.conf --sbin-path=/opt/nginx-1.6.2/sbin/nginx
> > --with-http_ssl_module --with-http_gzip_static_module
> > --with-http_spdy_module --add-module=/tmp/nginx_http_fancyindex_module
> >
> [..]
>
> I'm able to reproduce, and from debug log it's clear that the issue is caused
> by the fancyindex 3rd-party module.
> And a brief look through its code reveals
> a number of problems with request handling.
>
>   wbr, Valentin V. Bartenev

From pluknet at nginx.com Thu Oct 16 17:19:02 2014
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Thu, 16 Oct 2014 21:19:02 +0400
Subject: Disable log for a specific server {}
In-Reply-To:
References: <4758257.7YMB0STr9D@vbart-laptop>
Message-ID:

On Oct 16, 2014, at 8:25 PM, Bráulio Bhavamitra wrote:

> Valentin, do you know if "access_log off;" started to work on a
> location block on specific version of nginx? I've tried with the
> version from ubuntu trusty (1.4.7) and it didn't work.

I believe it was there in 0.0.10.
http://hg.nginx.org/nginx/rev/0d08eabe5c7b

--
Sergey Kandaurov

From jessica at litw.in Thu Oct 16 17:31:06 2014
From: jessica at litw.in (Jessica Litwin)
Date: Thu, 16 Oct 2014 13:31:06 -0400
Subject: issue with ssl_ciphers not being respected
In-Reply-To: <20141016131013.GB16333@mdounin.ru>
References: <20141016131013.GB16333@mdounin.ru>
Message-ID:

Hi,

Everything is loading OK and nginx -t (or service nginx configtest) shows
the config is ok and I am testing the correct server.

Another poster suggested upgrading openssl to 1.0.1j but I'd have to build
from source to do that and I'm not sure what effect it would have against
nginx....

On Thu, Oct 16, 2014 at 9:10 AM, Maxim Dounin wrote:

> Hello!
>
> On Thu, Oct 16, 2014 at 03:40:44AM -0400, Jessica Litwin wrote:
>
> > Hello
> >
> > I seem to have a bit of a problem.
> > In my vhost's server {}; block, I have:
> >
> > ssl_ciphers EECDH+aRSA+AESGCM:EECDH+aRSA+AES:EDH+aRSA+AESGCM:EDH+aRSA+AES:DES-CBC3-SHA:!EXP:!CAMELLIA:!DSS:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4;
> > ssl_prefer_server_ciphers on;
> >
> > but for some reason this doesn't seem to be respected because ssllabs.com's
> > checker says:
> >
> > "RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger
> > ciphers are available."
> >
> > Testing with openssl s_client shows:
> >
> > SSL-Session:
> >     Protocol : TLSv1.2
> >     Cipher : ECDHE-RSA-RC4-SHA
> >
> > My ssl_ciphers line _should_ be disallowing all RC4... so I am not sure if
> > this is a bug or if I have these options in the wrong place (I tried them
> > in the http{} block for grins with no effect) or if there's something
> > missing from my build. Can someone provide guidance?
>
> Configuring ssl_ciphers at http{} level should be fine - as long
> as it's not overwritten in server{} blocks.
>
> Some trivial things to check:
>
> - make sure ssl_ciphers isn't overwritten in server{} blocks;
>
> - make sure you've properly reloaded your configuration. If you
>   used configuration reload (not nginx restart) - make sure to
>   check logs to see if reload went fine, as nginx will revert to a
>   previous configuration in case of errors. Additionally, "nginx -t"
>   may be helpful here.
>
> - make sure you are testing correct server.
>
> --
> Maxim Dounin
> http://nginx.org/

--
Jessica K. Litwin
jessicalitwin.com
twitter: press5
aim: press5key
skype: dr_jkl

From mdounin at mdounin.ru Thu Oct 16 18:22:12 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Thu, 16 Oct 2014 22:22:12 +0400
Subject: internal and error_page directives
In-Reply-To:
References:
Message-ID: <20141016182212.GK16333@mdounin.ru>

Hello!

On Thu, Oct 16, 2014 at 08:26:55PM +0400, Filipp Gunbin wrote:

> Hi, today I've noticed a strange thing regarding "internal" and
> "error_page" directives.
>
> I have a config similar to this:
>
> location ~ {
>     internal;
>     proxy_pass ;
>     error_page 404 = /other_location$uri;
> }
>
> What I'm surprised about is that if an external request comes to this
> location, we go the /other_location. So the 404 that results from
> "internal" is also subject for error_page processing. Isn't that
> strange? I cannot find any documentation about that.

If a location with "internal" keyword is selected for an external
request, the 404 error is generated. The error is handled as
usual, and it's subject to error_page processing if one is
configured.

The documentation is here:

http://nginx.org/en/docs/http/ngx_http_core_module.html#internal

--
Maxim Dounin
http://nginx.org/

From fgunbin at fastmail.fm Thu Oct 16 18:28:19 2014
From: fgunbin at fastmail.fm (Filipp Gunbin)
Date: Thu, 16 Oct 2014 22:28:19 +0400
Subject: internal and error_page directives
In-Reply-To: <20141016182212.GK16333@mdounin.ru> (Maxim Dounin's message of "Thu, 16 Oct 2014 22:22:12 +0400")
References: <20141016182212.GK16333@mdounin.ru>
Message-ID:

On 16/10/2014 22:22 +0400, Maxim Dounin wrote:

> If a location with "internal" keyword is selected for an external
> request, the 404 error is generated. The error is handled as
> usual, and it's subject to error_page processing if one is
> configured.
>
> The documentation is here:
>
> http://nginx.org/en/docs/http/ngx_http_core_module.html#internal

Thanks, of course I've read it before. It just happened that I was
erroneously thinking of "internal" as a "reject-and-stop-processing"
kind of directive.
Now I see I was wrong. Maybe that should be stressed in
the documentation to prevent the possible confusion.

--
Filipp

From jiri.horky at gmail.com Thu Oct 16 19:35:14 2014
From: jiri.horky at gmail.com (Jiri Horky)
Date: Thu, 16 Oct 2014 21:35:14 +0200
Subject: upstream prematurely closed connection while reading response header from upstream
In-Reply-To: <20141016133650.GC16333@mdounin.ru>
References: <543F7F0B.5060202@gmail.com> <20141016133650.GC16333@mdounin.ru>
Message-ID: <54401DF2.10909@gmail.com>

Hi,

thanks for the quick response. I tried it with nginx/1.7.6 but
unfortunately, the errors still show up. However, I did not try to
confirm that these were with the same trace, but I strongly suspect so.
I will confirm that hopefully tomorrow. Anything else I should try?

Regards
Jiri Horky

On 10/16/2014 03:36 PM, Maxim Dounin wrote:
> Hello!
>
> On Thu, Oct 16, 2014 at 10:17:15AM +0200, Jiri Horky wrote:
>
>> Hi list,
>>
>> we are seeing sporadic nginx errors "upstream prematurely closed
>> connection while reading response header from upstream" with nginx/1.6.2
>> which seems to be some kind of race condition.
>> For debugging purposes we only setup 1 upstream server on a public IP
>> address of the same server as nginx, there is no keepalive configured
>> between nginx and the upstream server. The upstream HTTP server is
>> written in a way that it forcibly closes the connection when the
>> response status code is 303. This may be part of the problem as well.
> [...]
>
>> Now, we tracked down, that this only happens when FIN packet from
>> upstream server reaches nginx sooner than it's finished with parsing the
>> response (headers) and thus sooner than nginx closes the connection
>> itself. For example this packet order will trigger the problem:
>> No.
Time Source SrcPrt Destination Protocol >> Length Info >> 25571 10.297569 1.1.1.1 35481 1.1.1.1 TCP 76 35481 > 8888 [SYN] Seq=0 Win=3072 Len=0 MSS=16396 SACK_PERM=1 TSval=1902164528 TSecr=0 WS=8192 >> 25572 10.297580 1.1.1.1 8888 1.1.1.1 TCP 76 8888 > 35481 [SYN, ACK] Seq=0 Ack=1 Win=3072 Len=0 MSS=16396 SACK_PERM=1 TSval=1902164528 TSecr=1902164528 WS=8192 >> 25573 10.297589 1.1.1.1 35481 1.1.1.1 TCP 68 35481 > 8888 [ACK] Seq=1 Ack=1 Win=8192 Len=0 TSval=1902164528 TSecr=1902164528 >> 25574 10.297609 1.1.1.1 35481 1.1.1.1 HTTP 1533 GET / HTTP/1.0 >> 25575 10.297617 1.1.1.1 8888 1.1.1.1 TCP 68 8888 > 35481 [ACK] Seq=1 Ack=1466 Win=8192 Len=0 TSval=1902164528 TSecr=1902164528 >> 25596 10.323092 1.1.1.1 8888 1.1.1.1 HTTP 480 HTTP/1.1 303 See Other >> 25597 10.323106 1.1.1.1 35481 1.1.1.1 TCP 68 35481 > 8888 [ACK] Seq=1466 Ack=413 Win=8192 Len=0 TSval=1902164554 TSecr=1902164554 >> 25598 10.323161 1.1.1.1 8888 1.1.1.1 TCP 68 8888 > 35481 [FIN, ACK] Seq=413 Ack=1466 Win=8192 Len=0 TSval=1902164554 TSecr=1902164554 >> 25599 10.323167 1.1.1.1 35481 1.1.1.1 TCP 68 35481 > 8888 [FIN, ACK] Seq=1466 Ack=413 Win=8192 Len=0 TSval=1902164554 TSecr=1902164554 >> 25600 10.323180 1.1.1.1 8888 1.1.1.1 TCP 68 8888 > 35481 [ACK] Seq=414 Ack=1467 Win=8192 Len=0 TSval=1902164554 TSecr=1902164554 >> 25601 10.323189 1.1.1.1 35481 1.1.1.1 TCP 68 35481 > 8888 [ACK] Seq=1467 Ack=414 Win=8192 Len=0 TSval=1902164554 TSecr=1902164554 >> >> Note that the upstream HTTP (port 8888) sends the FIN packet sooner than >> nginx (port 35481 in this case). > Looking into the packet trace I suspect this commit may be > relevant to your case: > > http://hg.nginx.org/nginx/rev/9d3a9c45fc43 > > Please test with nginx 1.7.3+ to see if it helps. 
>

From nginx-forum at nginx.us Thu Oct 16 20:23:29 2014
From: nginx-forum at nginx.us (mex)
Date: Thu, 16 Oct 2014 16:23:29 -0400
Subject: issue with ssl_ciphers not being respected
In-Reply-To:
References:
Message-ID: <408d3810c15ce2dd3a745d29bb530d8d.NginxMailingListEnglish@forum.nginx.org>

hi,

> >
> > - make sure you are testing correct server.
> >

i'd suggest to configure an additional access/error-log
in that server {} - block, to be 100% sure.

regards,

mex

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254028,254077#msg-254077

From jessica at litw.in Thu Oct 16 20:28:29 2014
From: jessica at litw.in (Jessica Litwin)
Date: Thu, 16 Oct 2014 16:28:29 -0400
Subject: issue with ssl_ciphers not being respected
In-Reply-To: <408d3810c15ce2dd3a745d29bb530d8d.NginxMailingListEnglish@forum.nginx.org>
References: <408d3810c15ce2dd3a745d29bb530d8d.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

I'm sure. I'm very, very sure the correct site is being tested.

On Thu, Oct 16, 2014 at 4:23 PM, mex wrote:

> hi,
>
> > >
> > > - make sure you are testing correct server.
> > >
>
> i'd suggest to configure an additional access/error-log
> in that server {} - block, to be 100% sure.
>
> regards,
>
> mex
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,254028,254077#msg-254077

--
Jessica K. Litwin
jessicalitwin.com
twitter: press5
aim: press5key
skype: dr_jkl

From mdounin at mdounin.ru Thu Oct 16 20:40:00 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Fri, 17 Oct 2014 00:40:00 +0400
Subject: upstream prematurely closed connection while reading response header from upstream
In-Reply-To: <54401DF2.10909@gmail.com>
References: <543F7F0B.5060202@gmail.com> <20141016133650.GC16333@mdounin.ru> <54401DF2.10909@gmail.com>
Message-ID: <20141016204000.GR16333@mdounin.ru>

Hello!

On Thu, Oct 16, 2014 at 09:35:14PM +0200, Jiri Horky wrote:

> Hi,
>
> thanks for the quick response. I tried it with nginx/1.7.6 but
> unfortunately, the errors still show up. However, I did not try to
> confirm that these were with the same trace, but I strongly suspect so.
> I will confirm that hopefully tomorrow. Anything other I should try?

Debug log may be helpful, see
http://nginx.org/en/docs/debugging_log.html.

--
Maxim Dounin
http://nginx.org/

From stl at wiredrive.com Thu Oct 16 20:50:09 2014
From: stl at wiredrive.com (Scott Larson)
Date: Thu, 16 Oct 2014 13:50:09 -0700
Subject: issue with ssl_ciphers not being respected
In-Reply-To:
References: <408d3810c15ce2dd3a745d29bb530d8d.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

I'm personally partial to just outright declaring my supported ciphers
rather than using the exclusion bits. My personal server is aggressively
strict, the setup for our production gear is much less so. Either way it
allows me to know exactly what's available to clients.

For lunatics with DSA keys and LibreSSL:

ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256;

For more rational people with RSA keys and OpenSSL:

ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA;

__________________
Scott Larson
Systems Administrator
Wiredrive/LA
310 823 8238 ext.
1106
310 943 2078 fax
www.wiredrive.com
www.twitter.com/wiredrive
www.facebook.com/wiredrive

On Thu, Oct 16, 2014 at 1:28 PM, Jessica Litwin wrote:

> I'm sure. I'm very, very sure the correct site is being tested.
>
> On Thu, Oct 16, 2014 at 4:23 PM, mex wrote:
>
>> hi,
>>
>> > >
>> > > - make sure you are testing correct server.
>> > >
>>
>> i'd suggest to configure an additional access/error-log
>> in that server {} - block, to be 100% sure.
>>
>> regards,
>>
>> mex
>>
>> Posted at Nginx Forum:
>> http://forum.nginx.org/read.php?2,254028,254077#msg-254077
>
> --
> Jessica K. Litwin
> jessicalitwin.com
> twitter: press5
> aim: press5key
> skype: dr_jkl

From nginx-forum at nginx.us Thu Oct 16 21:02:00 2014
From: nginx-forum at nginx.us (mex)
Date: Thu, 16 Oct 2014 17:02:00 -0400
Subject: issue with ssl_ciphers not being respected
In-Reply-To:
References:
Message-ID:

what does cipherscan say?

https://github.com/jvehent/cipherscan

you can run that from the server nginx runs on

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254028,254082#msg-254082

From jessica at litw.in Thu Oct 16 21:03:06 2014
From: jessica at litw.in (Jessica Litwin)
Date: Thu, 16 Oct 2014 17:03:06 -0400
Subject: issue with ssl_ciphers not being respected
In-Reply-To:
References: <408d3810c15ce2dd3a745d29bb530d8d.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

I can do this, but I guess my whole question was does this mean exclusion
bits are broken?

I'm personally partial to just outright declaring my supported ciphers
rather than using the exclusion bits.
My personal server is aggressively
strict, the setup for our production gear is much less so. Either way it
allows me to know exactly what's available to clients.

For lunatics with DSA keys and LibreSSL:

ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256;

For more rational people with RSA keys and OpenSSL:

ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA;

__________________
Scott Larson
Systems Administrator
Wiredrive/LA
310 823 8238 ext. 1106
310 943 2078 fax
www.wiredrive.com
www.twitter.com/wiredrive
www.facebook.com/wiredrive

On Thu, Oct 16, 2014 at 1:28 PM, Jessica Litwin wrote:

> I'm sure. I'm very, very sure the correct site is being tested.
>
> On Thu, Oct 16, 2014 at 4:23 PM, mex wrote:
>
>> hi,
>>
>> > >
>> > > - make sure you are testing correct server.
>> > >
>>
>> i'd suggest to configure an additional access/error-log
>> in that server {} - block, to be 100% sure.
>>
>> regards,
>>
>> mex
>>
>> Posted at Nginx Forum:
>> http://forum.nginx.org/read.php?2,254028,254077#msg-254077
>
> --
> Jessica K. Litwin
> jessicalitwin.com
> twitter: press5
> aim: press5key
> skype: dr_jkl
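
Added example, not part of any message in this thread and not nginx code: it expands the ssl_ciphers string quoted above with the OpenSSL that Python is linked against and compares the result with the cipher that openssl s_client reported, which separates "the string admits RC4" from "the server is not using this string". The function names and the BANNED list are assumptions, and the nginx binary may link a different OpenSSL build, so run it on the server host.

```python
"""Expand an nginx ssl_ciphers string locally and compare it with a negotiated suite."""
import ssl

# Cipher string quoted in the thread (from the poster's server{} block).
THREAD_CIPHERS = (
    "EECDH+aRSA+AESGCM:EECDH+aRSA+AES:EDH+aRSA+AESGCM:EDH+aRSA+AES:"
    "DES-CBC3-SHA:!EXP:!CAMELLIA:!DSS:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4"
)

# Suite reported by "openssl s_client" in the thread.
THREAD_NEGOTIATED = "ECDHE-RSA-RC4-SHA"

# Substrings of OpenSSL suite names treated as unacceptable.
# Assumption: a local policy chosen for this example, not taken from the thread.
BANNED = ("RC4", "NULL", "EXP", "MD5")


def expand(cipher_string):
    """Return [(suite name, protocol)] in preference order for cipher_string.

    Uses the OpenSSL linked into this Python. TLS 1.3 suites, where the
    library supports them, are listed regardless of the string because
    they are configured separately. Raises ssl.SSLError if the string
    selects no suite at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]


def banned_suites(names, banned=BANNED):
    """Return the suite names that contain any banned substring."""
    return [n for n in names if any(b in n.upper() for b in banned)]


def audit(cipher_string, negotiated=None):
    """Compare what the string allows with what a client actually negotiated.

    negotiated_outside_string is True when the negotiated suite is not in
    the local expansion. In that case the string itself is not what let
    the suite through, and the thread's checklist applies: another
    ssl_ciphers directive, a configuration that was not reloaded, or a
    different server answering.
    """
    allowed = [name for name, _ in expand(cipher_string)]
    report = {
        "allowed": allowed,
        "banned_in_string": banned_suites(allowed),
        "negotiated_outside_string": None,
    }
    if negotiated is not None:
        report["negotiated_outside_string"] = negotiated not in allowed
    return report


if __name__ == "__main__":
    result = audit(THREAD_CIPHERS, THREAD_NEGOTIATED)
    print("OpenSSL in use:", ssl.OPENSSL_VERSION)
    for name in result["allowed"]:
        print("  allowed:", name)
    print("banned suites admitted by the string:", result["banned_in_string"])
    print("negotiated suite is outside the string:",
          result["negotiated_outside_string"])
```

An OpenSSL build compiled without RC4 cannot show whether "!RC4" did the excluding, so the comparison against the negotiated suite is the part that carries over between builds.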
URL: From jiri.horky at gmail.com Thu Oct 16 22:26:39 2014 From: jiri.horky at gmail.com (Jiri Horky) Date: Fri, 17 Oct 2014 00:26:39 +0200 Subject: upstream prematurely closed connection while reading response header from upstream In-Reply-To: <20141016204000.GR16333@mdounin.ru> References: <543F7F0B.5060202@gmail.com> <20141016133650.GC16333@mdounin.ru> <54401DF2.10909@gmail.com> <20141016204000.GR16333@mdounin.ru> Message-ID: <5440461F.2070200@gmail.com> Hi Maxim, here is the debug log of one failed connection: 2014/10/17 00:18:30 [debug] 25783#0: *8190 http keepalive handler 2014/10/17 00:18:30 [debug] 25783#0: *8190 malloc: 0000000000BE44F0:1024 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_read: 1024 2014/10/17 00:18:30 [debug] 25783#0: *8190 reusable connection: 0 2014/10/17 00:18:30 [debug] 25783#0: *8190 posix_memalign: 0000000000D41510:4096 @16 2014/10/17 00:18:30 [debug] 25783#0: *8190 event timer del: 104: 1413497973959 2014/10/17 00:18:30 [debug] 25783#0: *8190 http process request line 2014/10/17 00:18:30 [debug] 25783#0: *8190 http request line: "GET /es-mx/ HTTP/1.1" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http uri: "/es-mx/" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http args: "" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http exten: "" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http process request header line 2014/10/17 00:18:30 [debug] 25783#0: *8190 http header: "Host: my.upstream.com" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http header: "Connection: keep-alive" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http header: "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http header: "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http header: "Referer: https://id.upstream.com/es-mx/confirm/registration?token=TOKEN" 2014/10/17 00:18:30 [debug] 
25783#0: *8190 http header: "Accept-Encoding: gzip,deflate" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http header: "Accept-Language: es-ES,es;q=0.8" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http alloc large header buffer 2014/10/17 00:18:30 [debug] 25783#0: *8190 posix_memalign: 0000000000C66DE0:256 @16 2014/10/17 00:18:30 [debug] 25783#0: *8190 malloc: 0000000000E8A030:8192 2014/10/17 00:18:30 [debug] 25783#0: *8190 http large header alloc: 0000000000E8A030 8192 2014/10/17 00:18:30 [debug] 25783#0: *8190 http large header copy: 572 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_read: 326 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_read: -1 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_get_error: 2 2014/10/17 00:18:30 [debug] 25783#0: *8190 http header: "Cookie: locale2=es-mx; osc_ot=wr%3E%3Eun%3Eun; x-otid=wr%3E%3Eun%3Eun; ld893_pop_g=1413877218; ld893_pop_s=1413877218; ID-params-prod="registered=true&refreshIdSession=true&LOGIN_SUCCESS=true"; IDT2=IDTN-33612-GIxblg2ptOvu5R5nlevAy39OTcsyK3i1U6f35444; s_cc=true; s_nr2=1413877237532-New; osc_v12=Website; osc_v13=Website%20%7C%20Referral; osc_v14=Website%20%7C%20Referral%20%7C%20; osc_v15=Website%20%7C%20Referral%20%7C%20; osc_v27=Website%20%7C%20Referral; osc_v42=web; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2A2021EC0531011A-6000010F20029A71[CE]; __utma=1.338233621.1413877155.1413877155.1413877155.1; __utmb=1.2.10.1413877155; __utmc=1; __utmz=1.1413877155.1.1.utmcsr=dub126.mail.live.com|utmccn=(referral)|utmcmd=referral|utmcct=/; s_fid=5230BF2FDF8FC79B-2A08DC4D856F30C9; osc_omcid=undefined; mySessionId=pYb401tEc5En9InZ; myLocalIdSession="IDTN-33612-GIxblg2ptOvu5R5nlevAy39OTcsyK3i1U6f35444:2"" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http header done 2014/10/17 00:18:30 [debug] 25783#0: *8190 generic phase: 0 2014/10/17 00:18:30 [debug] 25783#0: *8190 rewrite phase: 1 2014/10/17 00:18:30 [debug] 25783#0: *8190 test location: "/" 2014/10/17 00:18:30 [debug] 25783#0: *8190 using configuration "/" 2014/10/17 00:18:30 
[debug] 25783#0: *8190 http cl:-1 max:10485760 2014/10/17 00:18:30 [debug] 25783#0: *8190 rewrite phase: 3 2014/10/17 00:18:30 [debug] 25783#0: *8190 post rewrite phase: 4 2014/10/17 00:18:30 [debug] 25783#0: *8190 generic phase: 5 2014/10/17 00:18:30 [debug] 25783#0: *8190 generic phase: 6 2014/10/17 00:18:30 [debug] 25783#0: *8190 generic phase: 7 2014/10/17 00:18:30 [debug] 25783#0: *8190 access phase: 8 2014/10/17 00:18:30 [debug] 25783#0: *8190 access phase: 9 2014/10/17 00:18:30 [debug] 25783#0: *8190 access phase: 10 2014/10/17 00:18:30 [debug] 25783#0: *8190 post access phase: 11 2014/10/17 00:18:30 [debug] 25783#0: *8190 posix_memalign: 0000000000E03DA0:4096 @16 2014/10/17 00:18:30 [debug] 25783#0: *8190 http init upstream, client timer: 0 2014/10/17 00:18:30 [debug] 25783#0: *8190 http script copy: "Host: " 2014/10/17 00:18:30 [debug] 25783#0: *8190 http script var: "my.upstream.com" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http script copy: " 2014/10/17 00:18:30 [debug] 25783#0: *8190 http script copy: "X-Real-IP: " 2014/10/17 00:18:30 [debug] 25783#0: *8190 http script var: "201.138.52.240" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http script copy: " 2014/10/17 00:18:30 [debug] 25783#0: *8190 http script copy: "X-Forwarded-For: " 2014/10/17 00:18:30 [debug] 25783#0: *8190 http script var: "201.138.52.240" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http script copy: " 2014/10/17 00:18:30 [debug] 25783#0: *8190 http script copy: "Connection: close 2014/10/17 00:18:30 [debug] 25783#0: *8190 http script copy: "" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http script copy: "" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http 
proxy header: "Referer: https://id.upstream.com/es-mx/confirm/registration?token=TOKEN" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: "Accept-Encoding: gzip,deflate" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: "Accept-Language: es-ES,es;q=0.8" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: "Cookie: locale2=es-mx; osc_ot=wr%3E%3Eun%3Eun; x-otid=wr%3E%3Eun%3Eun; ld893_pop_g=1413877218; ld893_pop_s=1413877218; ID-params-prod="registered=true&refreshIdSession=true&LOGIN_SUCCESS=true"; IDT2=IDTN-33612-GIxblg2ptOvu5R5nlevAy39OTcsyK3i1U6f35444; s_cc=true; s_nr2=1413877237532-New; osc_v12=Website; osc_v13=Website%20%7C%20Referral; osc_v14=Website%20%7C%20Referral%20%7C%20; osc_v15=Website%20%7C%20Referral%20%7C%20; osc_v27=Website%20%7C%20Referral; osc_v42=web; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2A2021EC0531011A-6000010F20029A71[CE]; __utma=1.338233621.1413877155.1413877155.1413877155.1; __utmb=1.2.10.1413877155; __utmc=1; __utmz=1.1413877155.1.1.utmcsr=dub126.mail.live.com|utmccn=(referral)|utmcmd=referral|utmcct=/; s_fid=5230BF2FDF8FC79B-2A08DC4D856F30C9; osc_omcid=undefined; mySessionId=pYb401tEc5En9InZ; myLocalIdSession="IDTN-33612-GIxblg2ptOvu5R5nlevAy39OTcsyK3i1U6f35444:2"" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: 2014/10/17 00:18:30 [debug] 25783#0: *8190 http cleanup add: 0000000000D424F8 2014/10/17 00:18:30 [debug] 25783#0: *8190 init keepalive peer 2014/10/17 00:18:30 [debug] 25783#0: *8190 get keepalive peer 2014/10/17 00:18:30 [debug] 25783#0: *8190 get ip hash peer, try: 1 2014/10/17 00:18:30 [debug] 25783#0: *8190 get rr peer, try: 1 2014/10/17 00:18:30 [debug] 25783#0: *8190 get keepalive peer: using connection 0000000000A7D4F0 2014/10/17 00:18:30 [debug] 25783#0: *8190 http upstream connect: -4 2014/10/17 00:18:30 [debug] 25783#0: *8190 http upstream send request 2014/10/17 00:18:30 [debug] 25783#0: *8190 chain writer buf fl:1 s:1405 2014/10/17 00:18:30 [debug] 25783#0: *8190 chain writer 
in: 0000000000E04A58 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL buf copy: 1405 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL to write: 1405 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_write: 1405 2014/10/17 00:18:30 [debug] 25783#0: *8190 chain writer out: 0000000000000000 2014/10/17 00:18:30 [debug] 25783#0: *8190 event timer add: 219: 90000:1413498000113 2014/10/17 00:18:30 [debug] 25783#0: *8190 http finalize request: -4, "/es-mx/?" a:1, c:2 2014/10/17 00:18:30 [debug] 25783#0: *8190 http request count:2 blk:0 2014/10/17 00:18:30 [debug] 25783#0: *8190 http run request: "/es-mx/?" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http upstream check client, write event:1, "/es-mx/" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http upstream recv(): -1 (11: Resource temporarily unavailable) 2014/10/17 00:18:30 [debug] 25783#0: *8190 http upstream request: "/es-mx/?" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http upstream process header 2014/10/17 00:18:30 [debug] 25783#0: *8190 malloc: 0000000000C44D60:8192 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_read: 0 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_get_error: 6 2014/10/17 00:18:30 [debug] 25783#0: *8190 peer shutdown SSL cleanly 2014/10/17 00:18:30 [error] 25783#0: *8190 upstream prematurely closed connection while reading response header from upstream, client: 201.138.52.240, server: my.upstream.com, request: "GET /es-mx/ HTTP/1.1", upstream: "https://1.1.1.1:8888/es-mx/", host: "my.upstream.com", referrer: "https://id.upstream.com/es-mx/confirm/registration?token=TOKEN" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http next upstream, 2 2014/10/17 00:18:30 [debug] 25783#0: *8190 free keepalive peer 2014/10/17 00:18:30 [debug] 25783#0: *8190 free rr peer 1 4 2014/10/17 00:18:30 [debug] 25783#0: *8190 close http upstream connection: 219 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_shutdown: 1 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000E8D020 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 
0000000000CF6D30 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000A93A90 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000A93A00, unused: 0 2014/10/17 00:18:30 [debug] 25783#0: *8190 event timer del: 219: 1413498000113 2014/10/17 00:18:30 [debug] 25783#0: *8190 reusable connection: 0 2014/10/17 00:18:30 [debug] 25783#0: *8190 get keepalive peer 2014/10/17 00:18:30 [debug] 25783#0: *8190 get ip hash peer, try: 1 2014/10/17 00:18:30 [debug] 25783#0: *8190 get rr peer, try: 1 2014/10/17 00:18:30 [debug] 25783#0: *8190 get keepalive peer: using connection 0000000000A799E0 2014/10/17 00:18:30 [debug] 25783#0: *8190 http upstream connect: -4 2014/10/17 00:18:30 [debug] 25783#0: *8190 posix_memalign: 0000000000E6D280:4096 @16 2014/10/17 00:18:30 [debug] 25783#0: *8190 http upstream send request 2014/10/17 00:18:30 [debug] 25783#0: *8190 chain writer buf fl:1 s:1405 2014/10/17 00:18:30 [debug] 25783#0: *8190 chain writer in: 0000000000E04C68 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL buf copy: 1405 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL to write: 1405 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_write: 1405 2014/10/17 00:18:30 [debug] 25783#0: *8190 chain writer out: 0000000000000000 2014/10/17 00:18:30 [debug] 25783#0: *8190 event timer add: 65: 90000:1413498000114 2014/10/17 00:18:30 [debug] 25783#0: *8190 http upstream request: "/es-mx/?" 
2014/10/17 00:18:30 [debug] 25783#0: *8190 http upstream process header 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_read: 8192 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy status 200 "200 OK" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: "Content-Length: 9960" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: "Content-Type: text/html" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: "Set-Cookie: mySessionId=pYb401tEc5En9InZ; Expires=Thu, 16 Oct 2014 22:33:30 GMT; Path=/; Domain=.my.upstream.com; Secure; HTTPOnly" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: "Set-Cookie: MY-params=; Expires=Thu, 16 Oct 2014 22:18:30 GMT; Path=/; Domain=.ff.upstream.com; Secure; HTTPOnly" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: "Set-Cookie: locale2=es-mx; Expires=Wed, 04 Nov 2082 01:32:37 GMT; Path=/; Domain=.upstream.com; Secure; HTTPOnly" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: "Set-Cookie: ID-params-prod=; Expires=Thu, 16 Oct 2014 22:18:30 GMT; Path=/; Domain=.upstream.com; Secure; HTTPOnly" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: "Set-Cookie: fbSecThr=true; Path=/; Domain=.my.upstream.com; Secure; HTTPOnly" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: "Set-Cookie: myLocalIdSession="IDTN-33612-GIxblg2ptOvu5R5nlevAy39OTcsyK3i1U6f35444:2"; Expires=Thu, 16 Oct 2014 22:33:30 GMT; Path=/; Domain=.my.upstream.com; Secure; HTTPOnly" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: "Last-Modified: Wed, 15 Oct 2014 16:26:53 GMT" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: "Cache-Control: max-age=0, private" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: "Strict-Transport-Security: max-age=31536000" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: "Date: Thu, 16 Oct 2014 22:18:30 GMT" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header done 2014/10/17 00:18:30 [debug] 
25783#0: *8190 HTTP/1.1 200 OK 2014/10/17 00:18:30 [debug] 25783#0: *8190 write new buf t:1 f:0 0000000000E6DAC8, pos 0000000000E6DAC8, size: 1016 file: 0, size: 0 2014/10/17 00:18:30 [debug] 25783#0: *8190 http write filter: l:0 f:0 s:1016 2014/10/17 00:18:30 [debug] 25783#0: *8190 http cacheable: 0 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy filter init s:200 h:0 c:0 l:9960 2014/10/17 00:18:30 [debug] 25783#0: *8190 http upstream process upstream 2014/10/17 00:18:30 [debug] 25783#0: *8190 pipe read upstream: 1 2014/10/17 00:18:30 [debug] 25783#0: *8190 pipe preread: 7251 2014/10/17 00:18:30 [debug] 25783#0: *8190 input buf #0 2014/10/17 00:18:30 [debug] 25783#0: *8190 malloc: 0000000000D1EBE0:4096 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_read: 2709 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_read: -1 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_get_error: 2 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_read: -1 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_get_error: 2 2014/10/17 00:18:30 [debug] 25783#0: *8190 pipe recv chain: 2709 2014/10/17 00:18:30 [debug] 25783#0: *8190 pipe buf in s:1 t:1 f:0 0000000000C44D60, pos 0000000000C4510D, size: 7251 file: 0, size: 0 2014/10/17 00:18:30 [debug] 25783#0: *8190 pipe buf free s:0 t:1 f:0 0000000000D1EBE0, pos 0000000000D1EBE0, size: 2709 file: 0, size: 0 2014/10/17 00:18:30 [debug] 25783#0: *8190 pipe length: 2709 2014/10/17 00:18:30 [debug] 25783#0: *8190 input buf #1 2014/10/17 00:18:30 [debug] 25783#0: *8190 pipe write downstream: 1 2014/10/17 00:18:30 [debug] 25783#0: *8190 pipe write downstream flush in 2014/10/17 00:18:30 [debug] 25783#0: *8190 http output filter "/es-mx/?" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http copy filter: "/es-mx/?" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http postpone filter "/es-mx/?" 
0000000000E6DFD0 2014/10/17 00:18:30 [debug] 25783#0: *8190 http gzip filter 2014/10/17 00:18:30 [debug] 25783#0: *8190 malloc: 0000000000EB9680:139264 2014/10/17 00:18:30 [debug] 25783#0: *8190 gzip alloc: n:1 s:5928 a:8192 p:0000000000EB9680 2014/10/17 00:18:30 [debug] 25783#0: *8190 gzip alloc: n:16384 s:2 a:32768 p:0000000000EBB680 2014/10/17 00:18:30 [debug] 25783#0: *8190 gzip alloc: n:16384 s:2 a:32768 p:0000000000EC3680 2014/10/17 00:18:30 [debug] 25783#0: *8190 gzip alloc: n:16384 s:2 a:32768 p:0000000000ECB680 2014/10/17 00:18:30 [debug] 25783#0: *8190 gzip alloc: n:8192 s:4 a:32768 p:0000000000ED3680 2014/10/17 00:18:30 [debug] 25783#0: *8190 gzip in: 0000000000E6E190 2014/10/17 00:18:30 [debug] 25783#0: *8190 gzip in_buf:0000000000E6DFF0 ni:0000000000C4510D ai:7251 2014/10/17 00:18:30 [debug] 25783#0: *8190 malloc: 0000000000DF5FB0:4096 2014/10/17 00:18:30 [debug] 25783#0: *8190 deflate in: ni:0000000000C4510D no:0000000000DF5FB0 ai:7251 ao:4096 fl:0 redo:0 2014/10/17 00:18:30 [debug] 25783#0: *8190 deflate out: ni:0000000000C46D60 no:0000000000DF5FB0 ai:0 ao:4096 rc:0 2014/10/17 00:18:30 [debug] 25783#0: *8190 gzip in_buf:0000000000E6DFF0 pos:0000000000C4510D 2014/10/17 00:18:30 [debug] 25783#0: *8190 gzip in: 0000000000E6E1A0 2014/10/17 00:18:30 [debug] 25783#0: *8190 gzip in_buf:0000000000E6E0B0 ni:0000000000D1EBE0 ai:2709 2014/10/17 00:18:30 [debug] 25783#0: *8190 deflate in: ni:0000000000D1EBE0 no:0000000000DF5FB0 ai:2709 ao:4096 fl:0 redo:0 2014/10/17 00:18:30 [debug] 25783#0: *8190 deflate out: ni:0000000000D1F675 no:0000000000DF5FB0 ai:0 ao:4096 rc:0 2014/10/17 00:18:30 [debug] 25783#0: *8190 gzip in_buf:0000000000E6E0B0 pos:0000000000D1EBE0 2014/10/17 00:18:30 [debug] 25783#0: *8190 gzip in: 0000000000000000 2014/10/17 00:18:30 [debug] 25783#0: *8190 http copy filter: 0 "/es-mx/?" 
2014/10/17 00:18:30 [debug] 25783#0: *8190 pipe write downstream done 2014/10/17 00:18:30 [debug] 25783#0: *8190 event timer: 65, old: 1413498000114, new: 1413498000129 2014/10/17 00:18:30 [debug] 25783#0: *8190 http upstream exit: 0000000000000000 2014/10/17 00:18:30 [debug] 25783#0: *8190 finalize http upstream request: 0 2014/10/17 00:18:30 [debug] 25783#0: *8190 finalize http proxy request 2014/10/17 00:18:30 [debug] 25783#0: *8190 free keepalive peer 2014/10/17 00:18:30 [debug] 25783#0: *8190 free keepalive peer: saving connection 0000000000A799E0 2014/10/17 00:18:30 [debug] 25783#0: *8190 event timer del: 65: 1413498000114 2014/10/17 00:18:30 [debug] 25783#0: *8190 free rr peer 1 0 2014/10/17 00:18:30 [debug] 25783#0: *8190 http upstream temp fd: -1 2014/10/17 00:18:30 [debug] 25783#0: *8190 http output filter "/es-mx/?" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http copy filter: "/es-mx/?" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http postpone filter "/es-mx/?" 00007FFFE5A241B0 2014/10/17 00:18:30 [debug] 25783#0: *8190 http gzip filter 2014/10/17 00:18:30 [debug] 25783#0: *8190 gzip in: 0000000000E6E170 2014/10/17 00:18:30 [debug] 25783#0: *8190 gzip in_buf:0000000000E6E210 ni:0000000000000000 ai:0 2014/10/17 00:18:30 [debug] 25783#0: *8190 deflate in: ni:0000000000000000 no:0000000000DF5FB0 ai:0 ao:4096 fl:4 redo:0 2014/10/17 00:18:30 [debug] 25783#0: *8190 deflate out: ni:0000000000000000 no:0000000000DF6C2F ai:0 ao:897 rc:1 2014/10/17 00:18:30 [debug] 25783#0: *8190 gzip in_buf:0000000000E6E210 pos:0000000000000000 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000EB9680 2014/10/17 00:18:30 [debug] 25783#0: *8190 posix_memalign: 0000000000E18990:4096 @16 2014/10/17 00:18:30 [debug] 25783#0: *8190 http chunk: 10 2014/10/17 00:18:30 [debug] 25783#0: *8190 http chunk: 3207 2014/10/17 00:18:30 [debug] 25783#0: *8190 write old buf t:1 f:0 0000000000E6DAC8, pos 0000000000E6DAC8, size: 1016 file: 0, size: 0 2014/10/17 00:18:30 [debug] 25783#0: *8190 
write new buf t:1 f:0 0000000000E18A70, pos 0000000000E18A70, size: 5 file: 0, size: 0 2014/10/17 00:18:30 [debug] 25783#0: *8190 write new buf t:0 f:0 0000000000000000, pos 00000000006D7C08, size: 10 file: 0, size: 0 2014/10/17 00:18:30 [debug] 25783#0: *8190 write new buf t:1 f:0 0000000000DF5FB0, pos 0000000000DF5FB0, size: 3207 file: 0, size: 0 2014/10/17 00:18:30 [debug] 25783#0: *8190 write new buf t:0 f:0 0000000000000000, pos 00000000004B0C38, size: 7 file: 0, size: 0 2014/10/17 00:18:30 [debug] 25783#0: *8190 http write filter: l:1 f:1 s:4245 2014/10/17 00:18:30 [debug] 25783#0: *8190 http write filter limit 0 2014/10/17 00:18:30 [debug] 25783#0: *8190 malloc: 0000000000D2E0F0:16384 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL buf copy: 1016 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL buf copy: 5 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL buf copy: 10 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL buf copy: 3207 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL buf copy: 7 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL to write: 4245 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_write: 4245 2014/10/17 00:18:30 [debug] 25783#0: *8190 http write filter 0000000000000000 2014/10/17 00:18:30 [debug] 25783#0: *8190 http copy filter: 0 "/es-mx/?" 2014/10/17 00:18:30 [debug] 25783#0: *8190 http finalize request: 0, "/es-mx/?" 
a:1, c:1 2014/10/17 00:18:30 [debug] 25783#0: *8190 set http keepalive handler 2014/10/17 00:18:30 [debug] 25783#0: *8190 http close request 2014/10/17 00:18:30 [debug] 25783#0: *8190 http log handler 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000DF5FB0 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000000000 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000D1EBE0 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000C44D60 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000D41510, unused: 0 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000E03DA0, unused: 0 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000E6D280, unused: 0 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000E18990, unused: 3356 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000BE44F0 2014/10/17 00:18:30 [debug] 25783#0: *8190 hc free: 0000000000000000 0 2014/10/17 00:18:30 [debug] 25783#0: *8190 hc busy: 0000000000E075C0 1 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000E8A030 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000D2E0F0 2014/10/17 00:18:30 [debug] 25783#0: *8190 reusable connection: 1 2014/10/17 00:18:30 [debug] 25783#0: *8190 event timer add: 104: 65000:1413497975129 From jiri.horky at gmail.com Thu Oct 16 22:48:43 2014 From: jiri.horky at gmail.com (Jiri Horky) Date: Fri, 17 Oct 2014 00:48:43 +0200 Subject: upstream prematurely closed connection while reading response header from upstream In-Reply-To: <5440461F.2070200@gmail.com> References: <543F7F0B.5060202@gmail.com> <20141016133650.GC16333@mdounin.ru> <54401DF2.10909@gmail.com> <20141016204000.GR16333@mdounin.ru> <5440461F.2070200@gmail.com> Message-ID: <54404B4B.5020703@gmail.com> Hi again, I just realized that the debug log I posted previously was with a different setting (thus the SSL and keepalive there): location / { proxy_pass https://my-upstream; proxy_read_timeout 90; } upstream my-upstream { ip_hash ; server 1.1.1.1:8888; 
keepalive 1024 ; } Here is another debug output with previous settings: location / { proxy_pass http://my-upstream; proxy_read_timeout 90; } upstream my-upstream { ip_hash ; server 1.1.1.1:8888; keepalive; } 2014/10/17 00:41:55 [debug] 27396#0: *12485 SSL NPN advertised 2014/10/17 00:41:55 [debug] 27396#0: *12485 SSL_do_handshake: -1 2014/10/17 00:41:55 [debug] 27396#0: *12485 SSL_get_error: 2 2014/10/17 00:41:55 [debug] 27396#0: *12485 reusable connection: 0 2014/10/17 00:41:55 [debug] 27396#0: *12485 SSL handshake handler: 0 2014/10/17 00:41:55 [debug] 27396#0: *12485 SSL_do_handshake: 1 2014/10/17 00:41:55 [debug] 27396#0: *12485 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1" 2014/10/17 00:41:55 [debug] 27396#0: *12485 SSL reused session 2014/10/17 00:41:55 [debug] 27396#0: *12485 reusable connection: 1 2014/10/17 00:41:55 [debug] 27396#0: *12485 http wait request handler 2014/10/17 00:41:55 [debug] 27396#0: *12485 malloc: 00000000010BE9E0:1024 2014/10/17 00:41:55 [debug] 27396#0: *12485 SSL_read: -1 2014/10/17 00:41:55 [debug] 27396#0: *12485 SSL_get_error: 2 2014/10/17 00:41:55 [debug] 27396#0: *12485 free: 00000000010BE9E0 2014/10/17 00:41:55 [debug] 27396#0: *12485 http wait request handler 2014/10/17 00:41:55 [debug] 27396#0: *12485 malloc: 00000000010BE9E0:1024 2014/10/17 00:41:55 [debug] 27396#0: *12485 SSL_read: 1024 2014/10/17 00:41:55 [debug] 27396#0: *12485 reusable connection: 0 2014/10/17 00:41:55 [debug] 27396#0: *12485 posix_memalign: 0000000001078940:4096 @16 2014/10/17 00:41:55 [debug] 27396#0: *12485 http process request line 2014/10/17 00:41:55 [debug] 27396#0: *12485 http request line: "GET / HTTP/1.1" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http uri: "/" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http args: "" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http exten: "" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http process request header line 2014/10/17 00:41:55 [debug] 27396#0: *12485 http 
header: "Host: my.upstream.com" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http header: "Connection: keep-alive" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http header: "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http header: "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http header: "DNT: 1" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http header: "Referer: https://id.upstream.com/en-us/confirm/registration?token=TOKEN" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http header: "Accept-Encoding: gzip,deflate" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http header: "Accept-Language: en-US,en;q=0.8" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http alloc large header buffer 2014/10/17 00:41:55 [debug] 27396#0: *12485 posix_memalign: 0000000000FFBFA0:256 @16 2014/10/17 00:41:55 [debug] 27396#0: *12485 malloc: 0000000000F84000:8192 2014/10/17 00:41:55 [debug] 27396#0: *12485 http large header alloc: 0000000000F84000 8192 2014/10/17 00:41:55 [debug] 27396#0: *12485 http large header copy: 565 2014/10/17 00:41:55 [debug] 27396#0: *12485 SSL_read: 535 2014/10/17 00:41:55 [debug] 27396#0: *12485 SSL_read: -1 2014/10/17 00:41:55 [debug] 27396#0: *12485 SSL_get_error: 2 2014/10/17 00:41:55 [debug] 27396#0: *12485 http header: "Cookie: _ga=GA1.2.2132928230.1413413645; locale2=en-us; osc_ot=wd%3E%3Eun%3Eun; x-otid=wd%3E%3Eun%3Eun; ID-params-prod="registered=true&refreshIdSession=true&LOGIN_SUCCESS=true"; IDT2=IDTN-34432-uxPmpoQ9sF6EuHAKTQWvy7ciHMBIbpBXGBU35444; mySessionId=nDvMqjksghRHnlUW; myLocalIdSession="IDTN-34432-uxPmpoQ9sF6EuHAKTQWvy7ciHMBIbpBXGBU35444:2"; s_cc=true; s_vi=[CS]v1|2A202483853125BA-600001144001021A[CE]; __utma=1.2132928230.1413413645.1413499144.1413499144.1; __utmb=1.3.10.1413499144; __utmc=1; 
__utmz=1.1413499144.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_fid=59C41CF31B464520-25F08D3F0A8EAB2B; osc_omcid=undefined; s_nr2=1413499315275-New; osc_v12=Website; osc_v13=Website%20%7C%20Direct; osc_v14=Website%20%7C%20Direct%20%7C%20; osc_v15=Website%20%7C%20Direct%20%7C%20; osc_v27=Website%20%7C%20Direct; osc_v42=web; s_sq=upstream-dev%3D%2526pid%253DID%252520Avast%252520%25257C%252520undefineden-us%25252Fconfirm%25252Fregistration%25253Ftoken%25253DTOKEN%2526pidt%253D1%2526oid%253Dhttps%25253A%25252F%25252Fmy.upstream.com%25252F%2526ot%253DA" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http header done 2014/10/17 00:41:55 [debug] 27396#0: *12485 event timer del: 174: 1413499375418 2014/10/17 00:41:55 [debug] 27396#0: *12485 generic phase: 0 2014/10/17 00:41:55 [debug] 27396#0: *12485 rewrite phase: 1 2014/10/17 00:41:55 [debug] 27396#0: *12485 test location: "/" 2014/10/17 00:41:55 [debug] 27396#0: *12485 using configuration "/" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http cl:-1 max:10485760 2014/10/17 00:41:55 [debug] 27396#0: *12485 rewrite phase: 3 2014/10/17 00:41:55 [debug] 27396#0: *12485 post rewrite phase: 4 2014/10/17 00:41:55 [debug] 27396#0: *12485 generic phase: 5 2014/10/17 00:41:55 [debug] 27396#0: *12485 generic phase: 6 2014/10/17 00:41:55 [debug] 27396#0: *12485 generic phase: 7 2014/10/17 00:41:55 [debug] 27396#0: *12485 access phase: 8 2014/10/17 00:41:55 [debug] 27396#0: *12485 access phase: 9 2014/10/17 00:41:55 [debug] 27396#0: *12485 access phase: 10 2014/10/17 00:41:55 [debug] 27396#0: *12485 post access phase: 11 2014/10/17 00:41:55 [debug] 27396#0: *12485 posix_memalign: 0000000000F186D0:4096 @16 2014/10/17 00:41:55 [debug] 27396#0: *12485 http init upstream, client timer: 0 2014/10/17 00:41:55 [debug] 27396#0: *12485 epoll add event: fd:174 op:3 ev:80002005 2014/10/17 00:41:55 [debug] 27396#0: *12485 http script copy: "Host: " 2014/10/17 00:41:55 [debug] 27396#0: *12485 http script var: "my.upstream.com" 2014/10/17 
00:41:55 [debug] 27396#0: *12485 http script copy: " 2014/10/17 00:41:55 [debug] 27396#0: *12485 http script copy: "X-Real-IP: " 2014/10/17 00:41:55 [debug] 27396#0: *12485 http script var: "68.39.176.125" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http script copy: " 2014/10/17 00:41:55 [debug] 27396#0: *12485 http script copy: "X-Forwarded-For: " 2014/10/17 00:41:55 [debug] 27396#0: *12485 http script var: "68.39.176.125" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http script copy: " 2014/10/17 00:41:55 [debug] 27396#0: *12485 http script copy: "Connection: close 2014/10/17 00:41:55 [debug] 27396#0: *12485 http script copy: "" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http script copy: "" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http proxy header: "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http proxy header: "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http proxy header: "DNT: 1" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http proxy header: "Referer: https://id.upstream.com/en-us/confirm/registration?token=TOKEN" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http proxy header: "Accept-Encoding: gzip,deflate" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http proxy header: "Accept-Language: en-US,en;q=0.8" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http proxy header: "Cookie: _ga=GA1.2.2132928230.1413413645; locale2=en-us; osc_ot=wd%3E%3Eun%3Eun; x-otid=wd%3E%3Eun%3Eun; ID-params-prod="registered=true&refreshIdSession=true&LOGIN_SUCCESS=true"; IDT2=IDTN-34432-uxPmpoQ9sF6EuHAKTQWvy7ciHMBIbpBXGBU35444; mySessionId=nDvMqjksghRHnlUW; myLocalIdSession="IDTN-34432-uxPmpoQ9sF6EuHAKTQWvy7ciHMBIbpBXGBU35444:2"; s_cc=true; s_vi=[CS]v1|2A202483853125BA-600001144001021A[CE]; __utma=1.2132928230.1413413645.1413499144.1413499144.1; __utmb=1.3.10.1413499144; 
__utmc=1; __utmz=1.1413499144.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_fid=59C41CF31B464520-25F08D3F0A8EAB2B; osc_omcid=undefined; s_nr2=1413499315275-New; osc_v12=Website; osc_v13=Website%20%7C%20Direct; osc_v14=Website%20%7C%20Direct%20%7C%20; osc_v15=Website%20%7C%20Direct%20%7C%20; osc_v27=Website%20%7C%20Direct; osc_v42=web; s_sq=upstream-dev%3D%2526pid%253DID%252520Avast%252520%25257C%252520undefineden-us%25252Fconfirm%25252Fregistration%25253Ftoken%25253DTOKEN%2526pidt%253D1%2526oid%253Dhttps%25253A%25252F%25252Fmy.upstream.com%25252F%2526ot%253DA" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http proxy header: 2014/10/17 00:41:55 [debug] 27396#0: *12485 http cleanup add: 0000000001079928 2014/10/17 00:41:55 [debug] 27396#0: *12485 get ip hash peer, try: 1 2014/10/17 00:41:55 [debug] 27396#0: *12485 get rr peer, try: 1 2014/10/17 00:41:55 [debug] 27396#0: *12485 socket 183 2014/10/17 00:41:55 [debug] 27396#0: *12485 epoll add connection: fd:183 ev:80002005 2014/10/17 00:41:55 [debug] 27396#0: *12485 connect to 1.1.1.1:8888, fd:183 #12523 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream connect: -2 2014/10/17 00:41:55 [debug] 27396#0: *12485 posix_memalign: 0000000000EF9C80:128 @16 2014/10/17 00:41:55 [debug] 27396#0: *12485 event timer add: 183: 90000:1413499405518 2014/10/17 00:41:55 [debug] 27396#0: *12485 http finalize request: -4, "/?" a:1, c:2 2014/10/17 00:41:55 [debug] 27396#0: *12485 http request count:2 blk:0 2014/10/17 00:41:55 [debug] 27396#0: *12485 http run request: "/?" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream check client, write event:1, "/" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream recv(): -1 (11: Resource temporarily unavailable) 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream request: "/?" 
2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream send request handler 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream send request 2014/10/17 00:41:55 [debug] 27396#0: *12485 chain writer buf fl:1 s:1612 2014/10/17 00:41:55 [debug] 27396#0: *12485 chain writer in: 0000000000F19420 2014/10/17 00:41:55 [debug] 27396#0: *12485 writev: 1612 2014/10/17 00:41:55 [debug] 27396#0: *12485 chain writer out: 0000000000000000 2014/10/17 00:41:55 [debug] 27396#0: *12485 event timer del: 183: 1413499405518 2014/10/17 00:41:55 [debug] 27396#0: *12485 event timer add: 183: 90000:1413499405519 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream request: "/?" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream process header 2014/10/17 00:41:55 [debug] 27396#0: *12485 malloc: 0000000000F0A040:8192 2014/10/17 00:41:55 [debug] 27396#0: *12485 recv: fd:183 412 of 8192 2014/10/17 00:41:55 [debug] 27396#0: *12485 http proxy status 303 "303 See Other" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http proxy header: "Content-Length: 0" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http proxy header: "Content-Type: text/plain" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http proxy header: "Location: https://my.upstream.com/en-us/" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http proxy header: "Set-Cookie: mySessionId=nDvMqjksghRHnlUW; Expires=Thu, 16 Oct 2014 22:56:55 GMT; Path=/; Domain=.my.upstream.com; Secure; HTTPOnly" 2014/10/17 00:41:55 [debug] 27396#0: *12485 posix_memalign: 0000000000DC56D0:4096 @16 2014/10/17 00:41:55 [debug] 27396#0: *12485 http proxy header: "Set-Cookie: myLocalIdSession="IDTN-34432-uxPmpoQ9sF6EuHAKTQWvy7ciHMBIbpBXGBU35444:2"; Expires=Thu, 16 Oct 2014 22:56:55 GMT; Path=/; Domain=.my.upstream.com; Secure; HTTPOnly" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http proxy header done 2014/10/17 00:41:55 [debug] 27396#0: *12485 HTTP/1.1 303 See Other 2014/10/17 00:41:55 [debug] 27396#0: *12485 write new buf t:1 f:0 0000000000DC5808, pos 
0000000000DC5808, size: 494 file: 0, size: 0 2014/10/17 00:41:55 [debug] 27396#0: *12485 http write filter: l:0 f:0 s:494 2014/10/17 00:41:55 [debug] 27396#0: *12485 http cacheable: 0 2014/10/17 00:41:55 [debug] 27396#0: *12485 http proxy filter init s:303 h:0 c:0 l:0 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream process upstream 2014/10/17 00:41:55 [debug] 27396#0: *12485 pipe read upstream: 1 2014/10/17 00:41:55 [debug] 27396#0: *12485 pipe preread: 0 2014/10/17 00:41:55 [debug] 27396#0: *12485 readv: 1, last:7780 2014/10/17 00:41:55 [debug] 27396#0: *12485 pipe recv chain: 0 2014/10/17 00:41:55 [debug] 27396#0: *12485 pipe buf free s:0 t:1 f:0 0000000000F0A040, pos 0000000000F0A1DC, size: 0 file: 0, size: 0 2014/10/17 00:41:55 [debug] 27396#0: *12485 pipe length: 0 2014/10/17 00:41:55 [debug] 27396#0: *12485 pipe write downstream: 1 2014/10/17 00:41:55 [debug] 27396#0: *12485 pipe write downstream done 2014/10/17 00:41:55 [debug] 27396#0: *12485 event timer del: 183: 1413499405519 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream exit: 0000000000000000 2014/10/17 00:41:55 [debug] 27396#0: *12485 finalize http upstream request: 0 2014/10/17 00:41:55 [debug] 27396#0: *12485 finalize http proxy request 2014/10/17 00:41:55 [debug] 27396#0: *12485 free rr peer 1 0 2014/10/17 00:41:55 [debug] 27396#0: *12485 close http upstream connection: 183 2014/10/17 00:41:55 [debug] 27396#0: *12485 free: 0000000000EF9C80, unused: 48 2014/10/17 00:41:55 [debug] 27396#0: *12485 reusable connection: 0 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream temp fd: -1 2014/10/17 00:41:55 [debug] 27396#0: *12485 http output filter "/?" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http copy filter: "/?" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http postpone filter "/?" 
00007FFFA7DBA4E0 2014/10/17 00:41:55 [debug] 27396#0: *12485 write old buf t:1 f:0 0000000000DC5808, pos 0000000000DC5808, size: 494 file: 0, size: 0 2014/10/17 00:41:55 [debug] 27396#0: *12485 write new buf t:0 f:0 0000000000000000, pos 0000000000000000, size: 0 file: 0, size: 0 2014/10/17 00:41:55 [debug] 27396#0: *12485 http write filter: l:1 f:0 s:494 2014/10/17 00:41:55 [debug] 27396#0: *12485 http write filter limit 0 2014/10/17 00:41:55 [debug] 27396#0: *12485 malloc: 00000000010DA150:16384 2014/10/17 00:41:55 [debug] 27396#0: *12485 SSL buf copy: 494 2014/10/17 00:41:55 [debug] 27396#0: *12485 SSL to write: 494 2014/10/17 00:41:55 [debug] 27396#0: *12485 SSL_write: 494 2014/10/17 00:41:55 [debug] 27396#0: *12485 http write filter 0000000000000000 2014/10/17 00:41:55 [debug] 27396#0: *12485 http copy filter: 0 "/?" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http finalize request: 0, "/?" a:1, c:1 2014/10/17 00:41:55 [debug] 27396#0: *12485 set http keepalive handler 2014/10/17 00:41:55 [debug] 27396#0: *12485 http close request 2014/10/17 00:41:55 [debug] 27396#0: *12485 http log handler 2014/10/17 00:41:55 [debug] 27396#0: *12485 free: 0000000000F0A040 2014/10/17 00:41:55 [debug] 27396#0: *12485 free: 0000000001078940, unused: 0 2014/10/17 00:41:55 [debug] 27396#0: *12485 free: 0000000000F186D0, unused: 0 2014/10/17 00:41:55 [debug] 27396#0: *12485 free: 0000000000DC56D0, unused: 2454 2014/10/17 00:41:55 [debug] 27396#0: *12485 free: 00000000010BE9E0 2014/10/17 00:41:55 [debug] 27396#0: *12485 hc free: 0000000000000000 0 2014/10/17 00:41:55 [debug] 27396#0: *12485 hc busy: 0000000000FFBFC0 1 2014/10/17 00:41:55 [debug] 27396#0: *12485 free: 0000000000F84000 2014/10/17 00:41:55 [debug] 27396#0: *12485 free: 00000000010DA150 2014/10/17 00:41:55 [debug] 27396#0: *12485 tcp_nodelay 2014/10/17 00:41:55 [debug] 27396#0: *12485 reusable connection: 1 2014/10/17 00:41:55 [debug] 27396#0: *12485 event timer add: 174: 65000:1413499380529 2014/10/17 00:41:55 [debug] 
27396#0: *12485 post event 0000000000D2F7F8 2014/10/17 00:41:55 [debug] 27396#0: *12485 post event 0000000000D36008 2014/10/17 00:41:55 [debug] 27396#0: *12485 delete posted event 0000000000D2F7F8 2014/10/17 00:41:55 [debug] 27396#0: *12485 http keepalive handler 2014/10/17 00:41:55 [debug] 27396#0: *12485 malloc: 00000000010BE9E0:1024 2014/10/17 00:41:55 [debug] 27396#0: *12485 SSL_read: 1024 2014/10/17 00:41:55 [debug] 27396#0: *12485 reusable connection: 0 2014/10/17 00:41:55 [debug] 27396#0: *12485 posix_memalign: 0000000000F186D0:4096 @16 2014/10/17 00:41:55 [debug] 27396#0: *12485 event timer del: 174: 1413499380529 2014/10/17 00:41:55 [debug] 27396#0: *12485 http process request line 2014/10/17 00:41:55 [debug] 27396#0: *12485 http request line: "GET /en-us/ HTTP/1.1" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http uri: "/en-us/" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http args: "" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http exten: "" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http process request header line 2014/10/17 00:41:55 [debug] 27396#0: *12485 http header: "Host: my.upstream.com" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http header: "Connection: keep-alive" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http header: "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http header: "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http header: "DNT: 1" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http header: "Referer: https://id.upstream.com/en-us/confirm/registration?token=TOKEN" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http header: "Accept-Encoding: gzip,deflate" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http header: "Accept-Language: en-US,en;q=0.8" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http alloc large header buffer 2014/10/17 
00:41:55 [debug] 27396#0: *12485 posix_memalign: 0000000000E82F60:256 @16 2014/10/17 00:41:55 [debug] 27396#0: *12485 malloc: 0000000000F84000:8192 2014/10/17 00:41:55 [debug] 27396#0: *12485 http large header alloc: 0000000000F84000 8192 2014/10/17 00:41:55 [debug] 27396#0: *12485 http large header copy: 559 2014/10/17 00:41:55 [debug] 27396#0: *12485 SSL_read: 541 2014/10/17 00:41:55 [debug] 27396#0: *12485 SSL_read: -1 2014/10/17 00:41:55 [debug] 27396#0: *12485 SSL_get_error: 2 2014/10/17 00:41:55 [debug] 27396#0: *12485 http header: "Cookie: _ga=GA1.2.2132928230.1413413645; locale2=en-us; osc_ot=wd%3E%3Eun%3Eun; x-otid=wd%3E%3Eun%3Eun; ID-params-prod="registered=true&refreshIdSession=true&LOGIN_SUCCESS=true"; IDT2=IDTN-34432-uxPmpoQ9sF6EuHAKTQWvy7ciHMBIbpBXGBU35444; s_cc=true; s_vi=[CS]v1|2A202483853125BA-600001144001021A[CE]; __utma=1.2132928230.1413413645.1413499144.1413499144.1; __utmb=1.3.10.1413499144; __utmc=1; __utmz=1.1413499144.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_fid=59C41CF31B464520-25F08D3F0A8EAB2B; osc_omcid=undefined; s_nr2=1413499315275-New; osc_v12=Website; osc_v13=Website%20%7C%20Direct; osc_v14=Website%20%7C%20Direct%20%7C%20; osc_v15=Website%20%7C%20Direct%20%7C%20; osc_v27=Website%20%7C%20Direct; osc_v42=web; s_sq=upstream-dev%3D%2526pid%253DID%252520Avast%252520%25257C%252520undefineden-us%25252Fconfirm%25252Fregistration%25253Ftoken%25253DTOKEN%2526pidt%253D1%2526oid%253Dhttps%25253A%25252F%25252Fmy.upstream.com%25252F%2526ot%253DA; mySessionId=nDvMqjksghRHnlUW; myLocalIdSession="IDTN-34432-uxPmpoQ9sF6EuHAKTQWvy7ciHMBIbpBXGBU35444:2"" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http header done 2014/10/17 00:41:55 [debug] 27396#0: *12485 generic phase: 0 2014/10/17 00:41:55 [debug] 27396#0: *12485 rewrite phase: 1 2014/10/17 00:41:55 [debug] 27396#0: *12485 test location: "/" 2014/10/17 00:41:55 [debug] 27396#0: *12485 using configuration "/" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http cl:-1 max:10485760 2014/10/17 
00:41:55 [debug] 27396#0: *12485 rewrite phase: 3 2014/10/17 00:41:55 [debug] 27396#0: *12485 post rewrite phase: 4 2014/10/17 00:41:55 [debug] 27396#0: *12485 generic phase: 5 2014/10/17 00:41:55 [debug] 27396#0: *12485 generic phase: 6 2014/10/17 00:41:55 [debug] 27396#0: *12485 generic phase: 7 2014/10/17 00:41:55 [debug] 27396#0: *12485 access phase: 8 2014/10/17 00:41:55 [debug] 27396#0: *12485 access phase: 9 2014/10/17 00:41:55 [debug] 27396#0: *12485 access phase: 10 2014/10/17 00:41:55 [debug] 27396#0: *12485 post access phase: 11 2014/10/17 00:41:55 [debug] 27396#0: *12485 posix_memalign: 0000000001040640:4096 @16 2014/10/17 00:41:55 [debug] 27396#0: *12485 http init upstream, client timer: 0 2014/10/17 00:41:55 [debug] 27396#0: *12485 http script copy: "Host: " 2014/10/17 00:41:55 [debug] 27396#0: *12485 http script var: "my.upstream.com" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http script copy: " 2014/10/17 00:41:55 [debug] 27396#0: *12485 http script copy: "X-Real-IP: " 2014/10/17 00:41:55 [debug] 27396#0: *12485 http script var: "68.39.176.125" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http script copy: " 2014/10/17 00:41:55 [debug] 27396#0: *12485 http script copy: "X-Forwarded-For: " 2014/10/17 00:41:55 [debug] 27396#0: *12485 http script var: "68.39.176.125" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http script copy: " 2014/10/17 00:41:55 [debug] 27396#0: *12485 http script copy: "Connection: close 2014/10/17 00:41:55 [debug] 27396#0: *12485 http script copy: "" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http script copy: "" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http proxy header: "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http proxy header: "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http proxy header: "DNT: 1" 2014/10/17 
00:41:55 [debug] 27396#0: *12485 http proxy header: "Referer: https://id.upstream.com/en-us/confirm/registration?token=TOKEN" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http proxy header: "Accept-Encoding: gzip,deflate" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http proxy header: "Accept-Language: en-US,en;q=0.8" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http proxy header: "Cookie: _ga=GA1.2.2132928230.1413413645; locale2=en-us; osc_ot=wd%3E%3Eun%3Eun; x-otid=wd%3E%3Eun%3Eun; ID-params-prod="registered=true&refreshIdSession=true&LOGIN_SUCCESS=true"; IDT2=IDTN-34432-uxPmpoQ9sF6EuHAKTQWvy7ciHMBIbpBXGBU35444; s_cc=true; s_vi=[CS]v1|2A202483853125BA-600001144001021A[CE]; __utma=1.2132928230.1413413645.1413499144.1413499144.1; __utmb=1.3.10.1413499144; __utmc=1; __utmz=1.1413499144.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_fid=59C41CF31B464520-25F08D3F0A8EAB2B; osc_omcid=undefined; s_nr2=1413499315275-New; osc_v12=Website; osc_v13=Website%20%7C%20Direct; osc_v14=Website%20%7C%20Direct%20%7C%20; osc_v15=Website%20%7C%20Direct%20%7C%20; osc_v27=Website%20%7C%20Direct; osc_v42=web; s_sq=upstream-dev%3D%2526pid%253DID%252520Avast%252520%25257C%252520undefineden-us%25252Fconfirm%25252Fregistration%25253Ftoken%25253DTOKEN%2526pidt%253D1%2526oid%253Dhttps%25253A%25252F%25252Fmy.upstream.com%25252F%2526ot%253DA; mySessionId=nDvMqjksghRHnlUW; myLocalIdSession="IDTN-34432-uxPmpoQ9sF6EuHAKTQWvy7ciHMBIbpBXGBU35444:2"" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http proxy header: 2014/10/17 00:41:55 [debug] 27396#0: *12485 http cleanup add: 0000000000F196B8 2014/10/17 00:41:55 [debug] 27396#0: *12485 get ip hash peer, try: 1 2014/10/17 00:41:55 [debug] 27396#0: *12485 get rr peer, try: 1 2014/10/17 00:41:55 [debug] 27396#0: *12485 socket 184 2014/10/17 00:41:55 [debug] 27396#0: *12485 epoll add connection: fd:184 ev:80002005 2014/10/17 00:41:55 [debug] 27396#0: *12485 connect to 1.1.1.1:8888, fd:184 #12552 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream 
connect: -2 2014/10/17 00:41:55 [debug] 27396#0: *12485 posix_memalign: 0000000000FD3720:128 @16 2014/10/17 00:41:55 [debug] 27396#0: *12485 event timer add: 184: 90000:1413499405670 2014/10/17 00:41:55 [debug] 27396#0: *12485 http finalize request: -4, "/en-us/?" a:1, c:2 2014/10/17 00:41:55 [debug] 27396#0: *12485 http request count:2 blk:0 2014/10/17 00:41:55 [debug] 27396#0: *12485 delete posted event 0000000000D36008 2014/10/17 00:41:55 [debug] 27396#0: *12485 http run request: "/en-us/?" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream check client, write event:1, "/en-us/" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream recv(): -1 (11: Resource temporarily unavailable) 2014/10/17 00:41:55 [debug] 27396#0: *12485 post event 0000000000D39818 2014/10/17 00:41:55 [debug] 27396#0: *12485 delete posted event 0000000000D39818 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream request: "/en-us/?" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream send request handler 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream send request 2014/10/17 00:41:55 [debug] 27396#0: *12485 chain writer buf fl:1 s:1618 2014/10/17 00:41:55 [debug] 27396#0: *12485 chain writer in: 0000000001041398 2014/10/17 00:41:55 [debug] 27396#0: *12485 writev: 1618 2014/10/17 00:41:55 [debug] 27396#0: *12485 chain writer out: 0000000000000000 2014/10/17 00:41:55 [debug] 27396#0: *12485 event timer del: 184: 1413499405670 2014/10/17 00:41:55 [debug] 27396#0: *12485 event timer add: 184: 90000:1413499405670 2014/10/17 00:41:55 [debug] 27396#0: *12485 post event 0000000000D33008 2014/10/17 00:41:55 [debug] 27396#0: *12485 post event 0000000000D39818 2014/10/17 00:41:55 [debug] 27396#0: *12485 delete posted event 0000000000D33008 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream request: "/en-us/?" 
2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream process header 2014/10/17 00:41:55 [debug] 27396#0: *12485 malloc: 0000000000FAB620:8192 2014/10/17 00:41:55 [debug] 27396#0: *12485 recv: fd:184 0 of 8192 2014/10/17 00:41:55 [error] 27396#0: *12485 upstream prematurely closed connection while reading response header from upstream, client: 68.39.176.125, server: my.upstream.com, request: "GET /en-us/ HTTP/1.1", upstream: "http://1.1.1.1:8888/en-us/", host: "my.upstream.com", referrer: "https://id.upstream.com/en-us/confirm/registration?token=TOKEN" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http next upstream, 2 2014/10/17 00:41:55 [debug] 27396#0: *12485 free rr peer 1 4 2014/10/17 00:41:55 [debug] 27396#0: *12485 finalize http upstream request: 502 2014/10/17 00:41:55 [debug] 27396#0: *12485 finalize http proxy request 2014/10/17 00:41:55 [debug] 27396#0: *12485 close http upstream connection: 184 2014/10/17 00:41:55 [debug] 27396#0: *12485 free: 0000000000FD3720, unused: 48 2014/10/17 00:41:55 [debug] 27396#0: *12485 event timer del: 184: 1413499405670 2014/10/17 00:41:55 [debug] 27396#0: *12485 delete posted event 0000000000D39818 2014/10/17 00:41:55 [debug] 27396#0: *12485 reusable connection: 0 2014/10/17 00:41:55 [debug] 27396#0: *12485 http finalize request: 502, "/en-us/?" a:1, c:1 2014/10/17 00:41:55 [debug] 27396#0: *12485 http special response: 502, "/en-us/?" 2014/10/17 00:41:55 [debug] 27396#0: *12485 HTTP/1.1 502 Bad Gateway 2014/10/17 00:41:55 [debug] 27396#0: *12485 posix_memalign: 0000000001078940:4096 @16 2014/10/17 00:41:55 [debug] 27396#0: *12485 write new buf t:1 f:0 0000000001041588, pos 0000000001041588, size: 156 file: 0, size: 0 2014/10/17 00:41:55 [debug] 27396#0: *12485 http write filter: l:0 f:0 s:156 2014/10/17 00:41:55 [debug] 27396#0: *12485 http output filter "/en-us/?" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http copy filter: "/en-us/?" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http postpone filter "/en-us/?" 
0000000001078AD0 2014/10/17 00:41:55 [debug] 27396#0: *12485 write old buf t:1 f:0 0000000001041588, pos 0000000001041588, size: 156 file: 0, size: 0 2014/10/17 00:41:55 [debug] 27396#0: *12485 write new buf t:0 f:0 0000000000000000, pos 00000000006D4760, size: 120 file: 0, size: 0 2014/10/17 00:41:55 [debug] 27396#0: *12485 write new buf t:0 f:0 0000000000000000, pos 00000000006D3520, size: 52 file: 0, size: 0 2014/10/17 00:41:55 [debug] 27396#0: *12485 write new buf t:0 f:0 0000000000000000, pos 00000000006D35A0, size: 402 file: 0, size: 0 2014/10/17 00:41:55 [debug] 27396#0: *12485 http write filter: l:1 f:0 s:730 2014/10/17 00:41:55 [debug] 27396#0: *12485 http write filter limit 0 2014/10/17 00:41:55 [debug] 27396#0: *12485 malloc: 0000000000ECBAA0:16384 2014/10/17 00:41:55 [debug] 27396#0: *12485 SSL buf copy: 156 2014/10/17 00:41:55 [debug] 27396#0: *12485 SSL buf copy: 120 2014/10/17 00:41:55 [debug] 27396#0: *12485 SSL buf copy: 52 2014/10/17 00:41:55 [debug] 27396#0: *12485 SSL buf copy: 402 2014/10/17 00:41:55 [debug] 27396#0: *12485 SSL to write: 730 2014/10/17 00:41:55 [debug] 27396#0: *12485 SSL_write: 730 2014/10/17 00:41:55 [debug] 27396#0: *12485 http write filter 0000000000000000 2014/10/17 00:41:55 [debug] 27396#0: *12485 http copy filter: 0 "/en-us/?" 2014/10/17 00:41:55 [debug] 27396#0: *12485 http finalize request: 0, "/en-us/?" 
a:1, c:1
2014/10/17 00:41:55 [debug] 27396#0: *12485 set http keepalive handler
2014/10/17 00:41:55 [debug] 27396#0: *12485 http close request
2014/10/17 00:41:55 [debug] 27396#0: *12485 http log handler
2014/10/17 00:41:55 [debug] 27396#0: *12485 free: 0000000000FAB620
2014/10/17 00:41:55 [debug] 27396#0: *12485 free: 0000000000F186D0, unused: 0
2014/10/17 00:41:55 [debug] 27396#0: *12485 free: 0000000001040640, unused: 11
2014/10/17 00:41:55 [debug] 27396#0: *12485 free: 0000000001078940, unused: 3264
2014/10/17 00:41:55 [debug] 27396#0: *12485 free: 00000000010BE9E0
2014/10/17 00:41:55 [debug] 27396#0: *12485 hc free: 0000000000000000 0
2014/10/17 00:41:55 [debug] 27396#0: *12485 hc busy: 0000000000FFBFC0 1
2014/10/17 00:41:55 [debug] 27396#0: *12485 free: 0000000000F84000
2014/10/17 00:41:55 [debug] 27396#0: *12485 free: 0000000000ECBAA0

On 10/17/2014 12:26 AM, Jiri Horky wrote:
> Hi Maxim,
>
> here is the debug log of one failed connection:
>
> 2014/10/17 00:18:30 [debug] 25783#0: *8190 http keepalive handler
> 2014/10/17 00:18:30 [debug] 25783#0: *8190 malloc: 0000000000BE44F0:1024
> 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_read: 1024
> 2014/10/17 00:18:30 [debug] 25783#0: *8190 reusable connection: 0
> 2014/10/17 00:18:30 [debug] 25783#0: *8190 posix_memalign:
> 0000000000D41510:4096 @16
> 2014/10/17 00:18:30 [debug] 25783#0: *8190 event timer del: 104:
> 1413497973959
> 2014/10/17 00:18:30 [debug] 25783#0: *8190 http process request line
> 2014/10/17 00:18:30 [debug] 25783#0: *8190 http request line: "GET
> /es-mx/ HTTP/1.1"
> 2014/10/17 00:18:30 [debug] 25783#0: *8190 http uri: "/es-mx/"
> 2014/10/17 00:18:30 [debug] 25783#0: *8190 http args: ""
> 2014/10/17 00:18:30 [debug] 25783#0: *8190 http exten: ""
> 2014/10/17 00:18:30 [debug] 25783#0: *8190 http process request header line
> 2014/10/17 00:18:30 [debug] 25783#0: *8190 http header: "Host:
> my.upstream.com"
> 2014/10/17 00:18:30 [debug] 25783#0: *8190 http header: "Connection:
> keep-alive" >
2014/10/17 00:18:30 [debug] 25783#0: *8190 http header: "Accept: > text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http header: "User-Agent: > Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like > Gecko) Chrome/37.0.2062.124 Safari/537.36" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http header: "Referer: > https://id.upstream.com/es-mx/confirm/registration?token=TOKEN" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http header: > "Accept-Encoding: gzip,deflate" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http header: > "Accept-Language: es-ES,es;q=0.8" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http alloc large header buffer > 2014/10/17 00:18:30 [debug] 25783#0: *8190 posix_memalign: > 0000000000C66DE0:256 @16 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 malloc: 0000000000E8A030:8192 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http large header alloc: > 0000000000E8A030 8192 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http large header copy: 572 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_read: 326 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_read: -1 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_get_error: 2 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http header: "Cookie: > locale2=es-mx; osc_ot=wr%3E%3Eun%3Eun; x-otid=wr%3E%3Eun%3Eun; > ld893_pop_g=1413877218; ld893_pop_s=1413877218; > ID-params-prod="registered=true&refreshIdSession=true&LOGIN_SUCCESS=true"; > IDT2=IDTN-33612-GIxblg2ptOvu5R5nlevAy39OTcsyK3i1U6f35444; s_cc=true; > s_nr2=1413877237532-New; osc_v12=Website; > osc_v13=Website%20%7C%20Referral; > osc_v14=Website%20%7C%20Referral%20%7C%20; > osc_v15=Website%20%7C%20Referral%20%7C%20; > osc_v27=Website%20%7C%20Referral; osc_v42=web; s_sq=%5B%5BB%5D%5D; > s_vi=[CS]v1|2A2021EC0531011A-6000010F20029A71[CE]; > __utma=1.338233621.1413877155.1413877155.1413877155.1; > __utmb=1.2.10.1413877155; __utmc=1; > 
__utmz=1.1413877155.1.1.utmcsr=dub126.mail.live.com|utmccn=(referral)|utmcmd=referral|utmcct=/; > s_fid=5230BF2FDF8FC79B-2A08DC4D856F30C9; osc_omcid=undefined; > mySessionId=pYb401tEc5En9InZ; > myLocalIdSession="IDTN-33612-GIxblg2ptOvu5R5nlevAy39OTcsyK3i1U6f35444:2"" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http header done > 2014/10/17 00:18:30 [debug] 25783#0: *8190 generic phase: 0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 rewrite phase: 1 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 test location: "/" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 using configuration "/" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http cl:-1 max:10485760 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 rewrite phase: 3 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 post rewrite phase: 4 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 generic phase: 5 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 generic phase: 6 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 generic phase: 7 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 access phase: 8 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 access phase: 9 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 access phase: 10 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 post access phase: 11 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 posix_memalign: > 0000000000E03DA0:4096 @16 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http init upstream, client > timer: 0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http script copy: "Host: " > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http script var: > "my.upstream.com" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http script copy: " > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http script copy: "X-Real-IP: " > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http script var: "201.138.52.240" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http script copy: " > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http script copy: > "X-Forwarded-For: " > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http script var: "201.138.52.240" > 
2014/10/17 00:18:30 [debug] 25783#0: *8190 http script copy: " > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http script copy: > "Connection: close > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http script copy: "" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http script copy: "" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: "Accept: > text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: > "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 > (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: "Referer: > https://id.upstream.com/es-mx/confirm/registration?token=TOKEN" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: > "Accept-Encoding: gzip,deflate" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: > "Accept-Language: es-ES,es;q=0.8" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: "Cookie: > locale2=es-mx; osc_ot=wr%3E%3Eun%3Eun; x-otid=wr%3E%3Eun%3Eun; > ld893_pop_g=1413877218; ld893_pop_s=1413877218; > ID-params-prod="registered=true&refreshIdSession=true&LOGIN_SUCCESS=true"; > IDT2=IDTN-33612-GIxblg2ptOvu5R5nlevAy39OTcsyK3i1U6f35444; s_cc=true; > s_nr2=1413877237532-New; osc_v12=Website; > osc_v13=Website%20%7C%20Referral; > osc_v14=Website%20%7C%20Referral%20%7C%20; > osc_v15=Website%20%7C%20Referral%20%7C%20; > osc_v27=Website%20%7C%20Referral; osc_v42=web; s_sq=%5B%5BB%5D%5D; > s_vi=[CS]v1|2A2021EC0531011A-6000010F20029A71[CE]; > __utma=1.338233621.1413877155.1413877155.1413877155.1; > __utmb=1.2.10.1413877155; __utmc=1; > __utmz=1.1413877155.1.1.utmcsr=dub126.mail.live.com|utmccn=(referral)|utmcmd=referral|utmcct=/; > s_fid=5230BF2FDF8FC79B-2A08DC4D856F30C9; osc_omcid=undefined; > mySessionId=pYb401tEc5En9InZ; > myLocalIdSession="IDTN-33612-GIxblg2ptOvu5R5nlevAy39OTcsyK3i1U6f35444:2"" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 
http proxy header: > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http cleanup add: > 0000000000D424F8 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 init keepalive peer > 2014/10/17 00:18:30 [debug] 25783#0: *8190 get keepalive peer > 2014/10/17 00:18:30 [debug] 25783#0: *8190 get ip hash peer, try: 1 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 get rr peer, try: 1 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 get keepalive peer: using > connection 0000000000A7D4F0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http upstream connect: -4 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http upstream send request > 2014/10/17 00:18:30 [debug] 25783#0: *8190 chain writer buf fl:1 s:1405 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 chain writer in: 0000000000E04A58 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL buf copy: 1405 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL to write: 1405 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_write: 1405 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 chain writer out: > 0000000000000000 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 event timer add: 219: > 90000:1413498000113 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http finalize request: -4, > "/es-mx/?" a:1, c:2 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http request count:2 blk:0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http run request: "/es-mx/?" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http upstream check client, > write event:1, "/es-mx/" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http upstream recv(): -1 (11: > Resource temporarily unavailable) > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http upstream request: "/es-mx/?" 
> 2014/10/17 00:18:30 [debug] 25783#0: *8190 http upstream process header > 2014/10/17 00:18:30 [debug] 25783#0: *8190 malloc: 0000000000C44D60:8192 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_read: 0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_get_error: 6 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 peer shutdown SSL cleanly > 2014/10/17 00:18:30 [error] 25783#0: *8190 upstream prematurely closed > connection while reading response header from upstream, client: > 201.138.52.240, server: my.upstream.com, request: "GET /es-mx/ > HTTP/1.1", upstream: "https://1.1.1.1:8888/es-mx/", host: > "my.upstream.com", referrer: > "https://id.upstream.com/es-mx/confirm/registration?token=TOKEN" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http next upstream, 2 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 free keepalive peer > 2014/10/17 00:18:30 [debug] 25783#0: *8190 free rr peer 1 4 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 close http upstream > connection: 219 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_shutdown: 1 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000E8D020 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000CF6D30 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000A93A90 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000A93A00, unused: 0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 event timer del: 219: > 1413498000113 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 reusable connection: 0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 get keepalive peer > 2014/10/17 00:18:30 [debug] 25783#0: *8190 get ip hash peer, try: 1 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 get rr peer, try: 1 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 get keepalive peer: using > connection 0000000000A799E0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http upstream connect: -4 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 posix_memalign: > 0000000000E6D280:4096 @16 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http upstream send 
request > 2014/10/17 00:18:30 [debug] 25783#0: *8190 chain writer buf fl:1 s:1405 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 chain writer in: 0000000000E04C68 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL buf copy: 1405 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL to write: 1405 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_write: 1405 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 chain writer out: > 0000000000000000 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 event timer add: 65: > 90000:1413498000114 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http upstream request: "/es-mx/?" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http upstream process header > 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_read: 8192 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy status 200 "200 OK" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: > "Content-Length: 9960" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: > "Content-Type: text/html" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: > "Set-Cookie: mySessionId=pYb401tEc5En9InZ; Expires=Thu, 16 Oct 2014 > 22:33:30 GMT; Path=/; Domain=.my.upstream.com; Secure; HTTPOnly" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: > "Set-Cookie: MY-params=; Expires=Thu, 16 Oct 2014 22:18:30 GMT; Path=/; > Domain=.ff.upstream.com; Secure; HTTPOnly" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: > "Set-Cookie: locale2=es-mx; Expires=Wed, 04 Nov 2082 01:32:37 GMT; > Path=/; Domain=.upstream.com; Secure; HTTPOnly" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: > "Set-Cookie: ID-params-prod=; Expires=Thu, 16 Oct 2014 22:18:30 GMT; > Path=/; Domain=.upstream.com; Secure; HTTPOnly" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: > "Set-Cookie: fbSecThr=true; Path=/; Domain=.my.upstream.com; Secure; > HTTPOnly" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: > "Set-Cookie: > 
myLocalIdSession="IDTN-33612-GIxblg2ptOvu5R5nlevAy39OTcsyK3i1U6f35444:2"; Expires=Thu, > 16 Oct 2014 22:33:30 GMT; Path=/; Domain=.my.upstream.com; Secure; HTTPOnly" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: > "Last-Modified: Wed, 15 Oct 2014 16:26:53 GMT" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: > "Cache-Control: max-age=0, private" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: > "Strict-Transport-Security: max-age=31536000" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header: "Date: > Thu, 16 Oct 2014 22:18:30 GMT" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy header done > 2014/10/17 00:18:30 [debug] 25783#0: *8190 HTTP/1.1 200 OK > 2014/10/17 00:18:30 [debug] 25783#0: *8190 write new buf t:1 f:0 > 0000000000E6DAC8, pos 0000000000E6DAC8, size: 1016 file: 0, size: 0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http write filter: l:0 f:0 s:1016 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http cacheable: 0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http proxy filter init s:200 > h:0 c:0 l:9960 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http upstream process upstream > 2014/10/17 00:18:30 [debug] 25783#0: *8190 pipe read upstream: 1 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 pipe preread: 7251 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 input buf #0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 malloc: 0000000000D1EBE0:4096 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_read: 2709 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_read: -1 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_get_error: 2 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_read: -1 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_get_error: 2 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 pipe recv chain: 2709 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 pipe buf in s:1 t:1 f:0 > 0000000000C44D60, pos 0000000000C4510D, size: 7251 file: 0, size: 0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 pipe buf 
free s:0 t:1 f:0 > 0000000000D1EBE0, pos 0000000000D1EBE0, size: 2709 file: 0, size: 0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 pipe length: 2709 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 input buf #1 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 pipe write downstream: 1 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 pipe write downstream flush in > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http output filter "/es-mx/?" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http copy filter: "/es-mx/?" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http postpone filter > "/es-mx/?" 0000000000E6DFD0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http gzip filter > 2014/10/17 00:18:30 [debug] 25783#0: *8190 malloc: 0000000000EB9680:139264 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 gzip alloc: n:1 s:5928 a:8192 > p:0000000000EB9680 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 gzip alloc: n:16384 s:2 > a:32768 p:0000000000EBB680 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 gzip alloc: n:16384 s:2 > a:32768 p:0000000000EC3680 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 gzip alloc: n:16384 s:2 > a:32768 p:0000000000ECB680 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 gzip alloc: n:8192 s:4 > a:32768 p:0000000000ED3680 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 gzip in: 0000000000E6E190 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 gzip in_buf:0000000000E6DFF0 > ni:0000000000C4510D ai:7251 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 malloc: 0000000000DF5FB0:4096 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 deflate in: > ni:0000000000C4510D no:0000000000DF5FB0 ai:7251 ao:4096 fl:0 redo:0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 deflate out: > ni:0000000000C46D60 no:0000000000DF5FB0 ai:0 ao:4096 rc:0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 gzip in_buf:0000000000E6DFF0 > pos:0000000000C4510D > 2014/10/17 00:18:30 [debug] 25783#0: *8190 gzip in: 0000000000E6E1A0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 gzip in_buf:0000000000E6E0B0 > ni:0000000000D1EBE0 ai:2709 > 
2014/10/17 00:18:30 [debug] 25783#0: *8190 deflate in: > ni:0000000000D1EBE0 no:0000000000DF5FB0 ai:2709 ao:4096 fl:0 redo:0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 deflate out: > ni:0000000000D1F675 no:0000000000DF5FB0 ai:0 ao:4096 rc:0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 gzip in_buf:0000000000E6E0B0 > pos:0000000000D1EBE0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 gzip in: 0000000000000000 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http copy filter: 0 "/es-mx/?" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 pipe write downstream done > 2014/10/17 00:18:30 [debug] 25783#0: *8190 event timer: 65, old: > 1413498000114, new: 1413498000129 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http upstream exit: > 0000000000000000 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 finalize http upstream request: 0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 finalize http proxy request > 2014/10/17 00:18:30 [debug] 25783#0: *8190 free keepalive peer > 2014/10/17 00:18:30 [debug] 25783#0: *8190 free keepalive peer: saving > connection 0000000000A799E0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 event timer del: 65: > 1413498000114 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 free rr peer 1 0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http upstream temp fd: -1 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http output filter "/es-mx/?" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http copy filter: "/es-mx/?" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http postpone filter > "/es-mx/?" 
00007FFFE5A241B0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http gzip filter > 2014/10/17 00:18:30 [debug] 25783#0: *8190 gzip in: 0000000000E6E170 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 gzip in_buf:0000000000E6E210 > ni:0000000000000000 ai:0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 deflate in: > ni:0000000000000000 no:0000000000DF5FB0 ai:0 ao:4096 fl:4 redo:0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 deflate out: > ni:0000000000000000 no:0000000000DF6C2F ai:0 ao:897 rc:1 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 gzip in_buf:0000000000E6E210 > pos:0000000000000000 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000EB9680 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 posix_memalign: > 0000000000E18990:4096 @16 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http chunk: 10 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http chunk: 3207 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 write old buf t:1 f:0 > 0000000000E6DAC8, pos 0000000000E6DAC8, size: 1016 file: 0, size: 0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 write new buf t:1 f:0 > 0000000000E18A70, pos 0000000000E18A70, size: 5 file: 0, size: 0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 write new buf t:0 f:0 > 0000000000000000, pos 00000000006D7C08, size: 10 file: 0, size: 0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 write new buf t:1 f:0 > 0000000000DF5FB0, pos 0000000000DF5FB0, size: 3207 file: 0, size: 0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 write new buf t:0 f:0 > 0000000000000000, pos 00000000004B0C38, size: 7 file: 0, size: 0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http write filter: l:1 f:1 s:4245 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http write filter limit 0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 malloc: 0000000000D2E0F0:16384 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL buf copy: 1016 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL buf copy: 5 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL buf copy: 10 > 2014/10/17 00:18:30 [debug] 25783#0: 
*8190 SSL buf copy: 3207 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL buf copy: 7 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL to write: 4245 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 SSL_write: 4245 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http write filter > 0000000000000000 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http copy filter: 0 "/es-mx/?" > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http finalize request: 0, > "/es-mx/?" a:1, c:1 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 set http keepalive handler > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http close request > 2014/10/17 00:18:30 [debug] 25783#0: *8190 http log handler > 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000DF5FB0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000000000 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000D1EBE0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000C44D60 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000D41510, unused: 0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000E03DA0, unused: 0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000E6D280, unused: 0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000E18990, > unused: 3356 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000BE44F0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 hc free: 0000000000000000 0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 hc busy: 0000000000E075C0 1 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000E8A030 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 free: 0000000000D2E0F0 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 reusable connection: 1 > 2014/10/17 00:18:30 [debug] 25783#0: *8190 event timer add: 104: > 65000:1413497975129 > > From stl at wiredrive.com Thu Oct 16 23:36:41 2014 From: stl at wiredrive.com (Scott Larson) Date: Thu, 16 Oct 2014 16:36:41 -0700 Subject: issue with ssl_ciphers not being respected In-Reply-To: References: 
<408d3810c15ce2dd3a745d29bb530d8d.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

Something else must be going on here. Looking at your ssl_cipher string, you're opening with a rough declaration of specific ciphers you'll support, none of which should pull in RC4. It's specific enough in fact that your subsequent excluded ciphers don't even come into play. To test this I switched in my old RSA cert, rebuilt 1.7.6 against OpenSSL 1.0.1j, and hit it with `nmap --script ssl-enum-ciphers www.ossuary.net` and the results with your exact string and removing the exclusions returned identical supported options from the server on both runs, none of which were RC4. As for the location, in my tests this was defined within the server{} block.

Without seeing your entire config, if you witness RC4 as truly being offered my guesses would be that it's declared in a place which is being ignored so nginx falls back to the default value, there is a second less strict declaration somewhere (maybe in an include) overriding it, or there is a proxy in front which is doing the actual termination.

__________________
Scott Larson
Systems Administrator
Wiredrive/LA
310 823 8238 ext. 1106
310 943 2078 fax
www.wiredrive.com
www.twitter.com/wiredrive
www.facebook.com/wiredrive

On Thu, Oct 16, 2014 at 2:03 PM, Jessica Litwin wrote:

> I can do this, but I guess my whole question was does this mean exclusion
> bits are broken?
>
> I'm personally partial to just outright declaring my supported
> ciphers rather than using the exclusion bits. My personal server is
> aggressively strict, the setup for our production gear is much less so.
> Either way it allows me to know exactly what's available to clients.
>
> For lunatics with DSA keys and LibreSSL:
>
> ssl_ciphers
> ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256;
>
> For more rational people with RSA keys and OpenSSL:
>
> ssl_ciphers
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA;
>
> __________________
> Scott Larson
> Systems Administrator
> Wiredrive/LA
> 310 823 8238 ext. 1106
> 310 943 2078 fax
> www.wiredrive.com
> www.twitter.com/wiredrive
> www.facebook.com/wiredrive
>
> On Thu, Oct 16, 2014 at 1:28 PM, Jessica Litwin wrote:
>
>> I'm sure. I'm very, very sure the correct site is being tested.
>>
>> On Thu, Oct 16, 2014 at 4:23 PM, mex wrote:
>>
>>> hi,
>>>
>>> > >
>>> > > - make sure you are testing correct server.
>>> > >
>>>
>>> i'd suggest to configure an additional access/error-log
>>> in that server {} - block, to be 100% sure.
>>>
>>> regards,
>>>
>>> mex
>>>
>>> Posted at Nginx Forum:
>>> http://forum.nginx.org/read.php?2,254028,254077#msg-254077
>>>
>>> _______________________________________________
>>> nginx mailing list
>>> nginx at nginx.org
>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>> --
>> Jessica K. Litwin
>> jessicalitwin.com
>> twitter: press5
>> aim: press5key
>> skype: dr_jkl
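The two configuration-side causes named in Scott Larson's message above (a declaration that is ignored so the default applies, and a second, less strict declaration in an include) can be checked statically. The following is an added example, not code from the thread or from nginx: a Python audit over a constructed configuration that reports, for each server block, which ssl_ciphers value is in effect and where it was declared. The file names, server names and helper functions are hypothetical, and it flags only literal RC4 entries without expanding OpenSSL aliases such as HIGH.

```python
import fnmatch
import re

# Constructed sample configuration (file names, server names and values are made up).
SAMPLE_FILES = {
    "nginx.conf": """
http {
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:!RC4:!MD5;
    include conf.d/*.conf;
}
""",
    "conf.d/legacy.conf": """
server {
    server_name legacy.example.test;
    # second, less strict declaration hidden in an include
    ssl_ciphers HIGH:RC4-SHA:!aNULL;
}
""",
    "conf.d/strict.conf": """
server {
    server_name strict.example.test;
}
""",
}

# Comments, quoted strings, block/statement punctuation, bare words.
TOKEN = re.compile(r'''#[^\n]*|"[^"]*"|'[^']*'|[{};]|[^\s{};]+''')


def new_block(name, parent):
    return {"name": name, "parent": parent, "kids": [],
            "ciphers": None, "server_name": None}


def parse(files, fname, block):
    """Parse one file into the tree under `block`, following include directives."""
    text, stmt = files[fname], []
    for m in TOKEN.finditer(text):
        tok = m.group()
        if tok.startswith("#"):
            continue
        if tok == "{":                      # open a nested context (http, server, ...)
            child = new_block(stmt[0], block)
            block["kids"].append(child)
            block, stmt = child, []
        elif tok == "}":                    # close it
            block, stmt = block["parent"], []
        elif tok == ";":                    # end of a simple directive
            line = text.count("\n", 0, m.start()) + 1
            apply_directive(files, fname, line, block, stmt)
            stmt = []
        else:
            stmt.append(tok.strip("\"'"))


def apply_directive(files, fname, line, block, stmt):
    if not stmt:
        return
    key, args = stmt[0], stmt[1:]
    if key == "include" and args:
        # Included files are parsed in the context that includes them.
        for inc in sorted(fnmatch.filter(files, args[0])):
            parse(files, inc, block)
    elif key == "ssl_ciphers" and args:
        block["ciphers"] = (args[0], f"{fname}:{line}")
    elif key == "server_name" and args and block["name"] == "server":
        block["server_name"] = args[0]


def effective(block):
    """Innermost ssl_ciphers seen from this block outward, or None if never set."""
    while block is not None:
        if block["ciphers"]:
            return block["ciphers"]
        block = block["parent"]
    return None


def rc4_tokens(cipher_string):
    """Literal RC4 entries that are offered, i.e. not prefixed with '!' or '-'."""
    parts = re.split(r"[:, ]+", cipher_string)
    return [p for p in parts if "RC4" in p.upper() and not p.startswith(("!", "-"))]


def servers(block):
    for kid in block["kids"]:
        if kid["name"] == "server":
            yield kid
        yield from servers(kid)


def audit(files, entry="nginx.conf"):
    """Return, per server block, the ssl_ciphers value in effect and where it was set."""
    root = new_block("main", None)
    parse(files, entry, root)
    report = []
    for srv in servers(root):
        value, where = effective(srv) or ("(nginx built-in default)", "not set")
        report.append({"server": srv["server_name"], "ssl_ciphers": value,
                       "declared_at": where, "rc4": rc4_tokens(value)})
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_FILES):
        flag = "RC4 OFFERED" if row["rc4"] else "ok"
        print(f'{row["server"]:22} {row["declared_at"]:22} {flag} {row["ssl_ciphers"]}')
```

To see which concrete suites an alias-based string expands to on the OpenSSL build nginx is linked against, run `openssl ciphers -v` with the reported string.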
From nginx-forum at nginx.us Thu Oct 16 23:50:37 2014
From: nginx-forum at nginx.us (c0nw0nk)
Date: Thu, 16 Oct 2014 19:50:37 -0400
Subject: [ANN] Windows nginx 1.7.7.2 Gryphon
In-Reply-To: <540e8d6252d119b8f8295ee8a15c37bc.NginxMailingListEnglish@forum.nginx.org>
References: <540e8d6252d119b8f8295ee8a15c37bc.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <093fa3bf9390cddd7ab4f24cb6d24631.NginxMailingListEnglish@forum.nginx.org>

Hey Itpp2012 thanks for another fantastic build <3! :D

I have a bit of a question to do with PHP running with your builds.

So I run a site in the top 20,000 sites on Windows of course using your builds and today I had a big influx in traffic not a DDoS but more than PHP could handle it seems.

So I have increased the number of PHP process created to 100. (Before it was 50)

But with just 50 php processes I kept getting time outs and I checked my concurrent connections on each server and all 3 of them were at almost 1000 each.

How much traffic can I take roughly with 100 php process running behind Nginx perhaps I should rescale it to be 1000 PHP processes for overkill >:)

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254012,254087#msg-254087

From mdounin at mdounin.ru Fri Oct 17 04:58:26 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Fri, 17 Oct 2014 08:58:26 +0400
Subject: upstream prematurely closed connection while reading response header from upstream
In-Reply-To: <54404B4B.5020703@gmail.com>
References: <543F7F0B.5060202@gmail.com> <20141016133650.GC16333@mdounin.ru> <54401DF2.10909@gmail.com> <20141016204000.GR16333@mdounin.ru> <5440461F.2070200@gmail.com> <54404B4B.5020703@gmail.com>
Message-ID: <20141017045826.GT16333@mdounin.ru>

Hello!

On Fri, Oct 17, 2014 at 12:48:43AM +0200, Jiri Horky wrote:

[...]

> 2014/10/17 00:41:55 [debug] 27396#0: *12485 connect to 1.1.1.1:8888, fd:184 #12552

Here connection is established to an upstream server.

> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream connect: -2
> 2014/10/17 00:41:55 [debug] 27396#0: *12485 posix_memalign: 0000000000FD3720:128 @16
> 2014/10/17 00:41:55 [debug] 27396#0: *12485 event timer add: 184: 90000:1413499405670
> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http finalize request: -4, "/en-us/?" a:1, c:2
> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http request count:2 blk:0
> 2014/10/17 00:41:55 [debug] 27396#0: *12485 delete posted event 0000000000D36008
> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http run request: "/en-us/?"
> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream check client, write event:1, "/en-us/"
> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream recv(): -1 (11: Resource temporarily unavailable)
> 2014/10/17 00:41:55 [debug] 27396#0: *12485 post event 0000000000D39818
> 2014/10/17 00:41:55 [debug] 27396#0: *12485 delete posted event 0000000000D39818
> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream request: "/en-us/?"
> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream send request handler
> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream send request
> 2014/10/17 00:41:55 [debug] 27396#0: *12485 chain writer buf fl:1 s:1618
> 2014/10/17 00:41:55 [debug] 27396#0: *12485 chain writer in: 0000000001041398
> 2014/10/17 00:41:55 [debug] 27396#0: *12485 writev: 1618
> 2014/10/17 00:41:55 [debug] 27396#0: *12485 chain writer out: 0000000000000000

Request is written into the socket.

> 2014/10/17 00:41:55 [debug] 27396#0: *12485 event timer del: 184: 1413499405670
> 2014/10/17 00:41:55 [debug] 27396#0: *12485 event timer add: 184: 90000:1413499405670
> 2014/10/17 00:41:55 [debug] 27396#0: *12485 post event 0000000000D33008
> 2014/10/17 00:41:55 [debug] 27396#0: *12485 post event 0000000000D39818
> 2014/10/17 00:41:55 [debug] 27396#0: *12485 delete posted event 0000000000D33008
> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream request: "/en-us/?"
> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream process header
> 2014/10/17 00:41:55 [debug] 27396#0: *12485 malloc: 0000000000FAB620:8192
> 2014/10/17 00:41:55 [debug] 27396#0: *12485 recv: fd:184 0 of 8192
> 2014/10/17 00:41:55 [error] 27396#0: *12485 upstream prematurely closed connection while reading response header from upstream, client: 68.39.176.125, server: my.upstream.com, request: "GET /en-us/ HTTP/1.1", upstream: "http://1.1.1.1:8888/en-us/", host: "my.upstream.com", referrer: "https://id.upstream.com/en-us/confirm/registration?token=TOKEN"

And reading from the socket indicates that it's closed.

Packet traces you previously posted look unrelated to this debug log. In this case, there is either no response from the upstream at all, or the response contents are lost due to RST from the upstream.

If, as you wrote, your backend "forcibly closes the connection", the reason may be that it does so by using close() with SO_LINGER, and this in turn results in RST being sent to nginx in some cases.

In either case debug log suggests there is nothing wrong on nginx side, you should focus on your backend instead.
--
Maxim Dounin
http://nginx.org/

From jiri.horky at gmail.com Fri Oct 17 06:01:28 2014
From: jiri.horky at gmail.com (Jiri Horky)
Date: Fri, 17 Oct 2014 08:01:28 +0200
Subject: upstream prematurely closed connection while reading response header from upstream
In-Reply-To: <20141017045826.GT16333@mdounin.ru>
References: <543F7F0B.5060202@gmail.com> <20141016133650.GC16333@mdounin.ru> <54401DF2.10909@gmail.com> <20141016204000.GR16333@mdounin.ru> <5440461F.2070200@gmail.com> <54404B4B.5020703@gmail.com> <20141017045826.GT16333@mdounin.ru>
Message-ID: <5440B0B8.8030503@gmail.com>

Hi Max,

thanks for the explanation, I agree that from the traces, it really looks like there were no data available in the socket from the upstream, thus a different situation than I posted the first time. I will try to reproduce the problem with both, debug log and wireshark traces that will match and will get back to you.

Jirka H.

On 10/17/2014 06:58 AM, Maxim Dounin wrote:
> Hello!
>
> On Fri, Oct 17, 2014 at 12:48:43AM +0200, Jiri Horky wrote:
>
> [...]
>
>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 connect to 1.1.1.1:8888, fd:184 #12552
> Here connection is established to an upstream server.
>
>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream connect: -2
>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 posix_memalign: 0000000000FD3720:128 @16
>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 event timer add: 184: 90000:1413499405670
>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http finalize request: -4, "/en-us/?" a:1, c:2
>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http request count:2 blk:0
>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 delete posted event 0000000000D36008
>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http run request: "/en-us/?"
>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream check client, write event:1, "/en-us/"
>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream recv(): -1 (11: Resource temporarily unavailable)
>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 post event 0000000000D39818
>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 delete posted event 0000000000D39818
>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream request: "/en-us/?"
>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream send request handler
>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream send request
>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 chain writer buf fl:1 s:1618
>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 chain writer in: 0000000001041398
>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 writev: 1618
>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 chain writer out: 0000000000000000
> Request is written into the socket.
>
>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 event timer del: 184: 1413499405670
>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 event timer add: 184: 90000:1413499405670
>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 post event 0000000000D33008
>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 post event 0000000000D39818
>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 delete posted event 0000000000D33008
>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream request: "/en-us/?"
>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream process header
>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 malloc: 0000000000FAB620:8192
>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 recv: fd:184 0 of 8192
>> 2014/10/17 00:41:55 [error] 27396#0: *12485 upstream prematurely closed connection while reading response header from upstream, client: 68.39.176.125, server: my.upstream.com, request: "GET /en-us/ HTTP/1.1", upstream: "http://1.1.1.1:8888/en-us/", host: "my.upstream.com", referrer: "https://id.upstream.com/en-us/confirm/registration?token=TOKEN"
> And reading from the socket indicates that it's closed.
>
> Packet traces you previously posted look unrelated to this debug
> log. In this case, there is either no response from the upstream
> at all, or the response contents are lost due to RST from the
> upstream.
>
> If, as you wrote, your backend "forcibly closes the connection",
> the reason may be that it does so by using close() with SO_LINGER,
> and this in turn results in RST being sent to nginx in some cases.
>
> In either case debug log suggests there is nothing wrong on nginx
> side, you should focus on your backend instead.

From nginx-forum at nginx.us Fri Oct 17 10:07:26 2014
From: nginx-forum at nginx.us (itpp2012)
Date: Fri, 17 Oct 2014 06:07:26 -0400
Subject: [ANN] Windows nginx 1.7.7.2 Gryphon
In-Reply-To: <093fa3bf9390cddd7ab4f24cb6d24631.NginxMailingListEnglish@forum.nginx.org>
References: <540e8d6252d119b8f8295ee8a15c37bc.NginxMailingListEnglish@forum.nginx.org> <093fa3bf9390cddd7ab4f24cb6d24631.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <25fa4bb2c68e30781938c914e8399343.NginxMailingListEnglish@forum.nginx.org>

With a backend (like php) you are always bound to what the backend can handle, nginx is just a portal here.
The amount of backends should be balanced with the best balance setting like leastconn/iphash, ea: http://nginx.org/en/docs/http/load_balancing.html and also consider Lua for managing/offloading backends.

So it's not really a number game but a distribution one.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254012,254091#msg-254091

From nginx-forum at nginx.us Fri Oct 17 10:14:24 2014
From: nginx-forum at nginx.us (itpp2012)
Date: Fri, 17 Oct 2014 06:14:24 -0400
Subject: issue with ssl_ciphers not being respected
In-Reply-To:
References:
Message-ID:

Scott Larson Wrote:
-------------------------------------------------------
> Something else must be going on here. Looking at your ssl_cipher
> string, you're opening with a rough declaration of specific ciphers you'll
> support, none of which should pull in RC4. It's specific enough in fact
> that your subsequent excluded ciphers don't even come into play. To test
> this I switched in my old RSA cert, rebuilt 1.7.6 against OpenSSL 1.0.1j,

Which is why I said try 101j, between 101e and j there are big differences when it comes to invalid fallbacks. Not even mentioning using 101e is asking to be hacked.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254028,254092#msg-254092

From nginx-forum at nginx.us Fri Oct 17 12:24:18 2014
From: nginx-forum at nginx.us (timbo)
Date: Fri, 17 Oct 2014 08:24:18 -0400
Subject: Nginx Reverse proxy + RD Gateway Auth Problem
Message-ID:

Hello all,

Nginx is the reverse proxy+ MS Remote Desktop Gateway using SSL, the first authentication is working, the problem is when I try to open a program in this environment for example wordpad.exe of session host RD, it ask for user and password (I use the same credentials used to connect in RD Gateway), when the credentials are filled up again, I get the message user or password are wrong.
My .conf for the context:

    location /RDWeb {    # the same context in IIS
        proxy_pass https://server.domain/RDWeb;
        proxy_set_header Accept-Encoding "";
        proxy_set_header host server.domain;
    }

    location /rpc {    # the same context in IIS
        proxy_pass http://server.domain/rpc;
    }

In the log of nginx with debug mode on, show this information:

    2014/10/17 09:06:02 [info] 20589#0: *43 client x.x.x.x closed keepalive connection

(this is the only message)

Any help will be appreciated, thank you!

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254095,254095#msg-254095

From jiri.horky at gmail.com Fri Oct 17 12:36:46 2014
From: jiri.horky at gmail.com (Jiri Horky)
Date: Fri, 17 Oct 2014 14:36:46 +0200
Subject: upstream prematurely closed connection while reading response header from upstream
In-Reply-To: <5440B0B8.8030503@gmail.com>
References: <543F7F0B.5060202@gmail.com> <20141016133650.GC16333@mdounin.ru> <54401DF2.10909@gmail.com> <20141016204000.GR16333@mdounin.ru> <5440461F.2070200@gmail.com> <54404B4B.5020703@gmail.com> <20141017045826.GT16333@mdounin.ru> <5440B0B8.8030503@gmail.com>
Message-ID: <54410D5E.7040407@gmail.com>

Hi Maxim,

so I dug into it a bit further and it seems that I made an error in pairing of tcpdump outputs with nginx error logs. I triple checked it now and the upstream server really killed the connection without sending a response in cases nginx triggers an error. I am sorry for the noise.

Regards
Jiri Horky

On 10/17/2014 08:01 AM, Jiri Horky wrote:
> Hi Max,
>
> thanks for the explanation, I agree that from the traces, it really
> looks like there were no data available in the socket from the upstream,
> thus a different situation than I posted the first time. I will try to
> reproduce the problem with both, debug log and wireshark traces that
> will match and will get back to you.
>
> Jirka H.
>
> On 10/17/2014 06:58 AM, Maxim Dounin wrote:
>> Hello!
>>
>> On Fri, Oct 17, 2014 at 12:48:43AM +0200, Jiri Horky wrote:
>>
>> [...]
>>
>>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 connect to 1.1.1.1:8888, fd:184 #12552
>> Here connection is established to an upstream server.
>>
>>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream connect: -2
>>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 posix_memalign: 0000000000FD3720:128 @16
>>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 event timer add: 184: 90000:1413499405670
>>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http finalize request: -4, "/en-us/?" a:1, c:2
>>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http request count:2 blk:0
>>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 delete posted event 0000000000D36008
>>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http run request: "/en-us/?"
>>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream check client, write event:1, "/en-us/"
>>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream recv(): -1 (11: Resource temporarily unavailable)
>>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 post event 0000000000D39818
>>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 delete posted event 0000000000D39818
>>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream request: "/en-us/?"
>>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream send request handler
>>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream send request
>>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 chain writer buf fl:1 s:1618
>>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 chain writer in: 0000000001041398
>>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 writev: 1618
>>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 chain writer out: 0000000000000000
>> Request is written into the socket.
>>
>>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 event timer del: 184: 1413499405670
>>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 event timer add: 184: 90000:1413499405670
>>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 post event 0000000000D33008
>>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 post event 0000000000D39818
>>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 delete posted event 0000000000D33008
>>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream request: "/en-us/?"
>>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 http upstream process header
>>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 malloc: 0000000000FAB620:8192
>>> 2014/10/17 00:41:55 [debug] 27396#0: *12485 recv: fd:184 0 of 8192
>>> 2014/10/17 00:41:55 [error] 27396#0: *12485 upstream prematurely closed connection while reading response header from upstream, client: 68.39.176.125, server: my.upstream.com, request: "GET /en-us/ HTTP/1.1", upstream: "http://1.1.1.1:8888/en-us/", host: "my.upstream.com", referrer: "https://id.upstream.com/en-us/confirm/registration?token=TOKEN"
>> And reading from the socket indicates that it's closed.
>>
>> Packet traces you previously posted look unrelated to this debug
>> log. In this case, there is either no response from the upstream
>> at all, or the response contents are lost due to RST from the
>> upstream.
>>
>> If, as you wrote, your backend "forcibly closes the connection",
>> the reason may be that it does so by using close() with SO_LINGER,
>> and this in turn results in RST being sent to nginx in some cases.
>>
>> In either case debug log suggests there is nothing wrong on nginx
>> side, you should focus on your backend instead.

From mdounin at mdounin.ru Fri Oct 17 12:55:29 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Fri, 17 Oct 2014 16:55:29 +0400
Subject: Nginx Reverse proxy + RD Gateway Auth Problem
In-Reply-To:
References:
Message-ID: <20141017125529.GC35211@mdounin.ru>

Hello!
On Fri, Oct 17, 2014 at 08:24:18AM -0400, timbo wrote:

> Hello all,
>
> Nginx is the reverse proxy+ MS Remote Desktop Gateway using SSL, the first
> authentication is working, the problem is when I try to open a program in
> this environment for example wordpad.exe of session host RD, it ask for
> user and password (I use the same credentials used to connect in RD
> Gateway), when the credentials are filled up again, I get the message user
> or password are wrong.

Make sure that Basic authentication is used, not NTLM aka Integrated Windows Authentication. The latter has problem with proxy servers due to its connection-oriented design, and will not work through nginx.

http://en.wikipedia.org/wiki/Integrated_Windows_Authentication

--
Maxim Dounin
http://nginx.org/

From nginx-forum at nginx.us Fri Oct 17 13:13:09 2014
From: nginx-forum at nginx.us (c0nw0nk)
Date: Fri, 17 Oct 2014 09:13:09 -0400
Subject: [ANN] Windows nginx 1.7.7.2 Gryphon
In-Reply-To: <25fa4bb2c68e30781938c914e8399343.NginxMailingListEnglish@forum.nginx.org>
References: <540e8d6252d119b8f8295ee8a15c37bc.NginxMailingListEnglish@forum.nginx.org> <093fa3bf9390cddd7ab4f24cb6d24631.NginxMailingListEnglish@forum.nginx.org> <25fa4bb2c68e30781938c914e8399343.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

I suppose I should explain my environment oddly enough I did a picture a while back to explain it too.

Here is the pic http://hwdmediashare.co.uk/media/kunena/attachments/19987/Untitled_2014-09-19.png

To explain it:

A VRack is a virtual rack all my servers are connected to each other by an Ethernet cable.

Now the load balancer is just an IP that the domain name points to and it will randomly redirect to one of the 3 php servers.

The php servers then pull the data they need to process from the Z:/ drive which is the storage server. Same with Nginx any static files it needs to deliver comes from the Z:/ drive.

I was also curious since I use some try_files and fastcgi_split statements for security with PHP and Nginx would that be causing PHP more traffic since files get passed to PHP first. (Maybe my understanding of that is wrong.)

    location / {
        # This will allow for SEF URL's
        try_files $uri $uri/ /index.php?$args;
    }

    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 444;
    }

    location ~ \.php$ {
        # Zero-day exploit defense.
        # http://forum.nginx.org/read.php?2,88845,page=3
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
    }

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254012,254099#msg-254099

From jake.he at gmail.com Fri Oct 17 13:49:55 2014
From: jake.he at gmail.com (Jake He)
Date: Fri, 17 Oct 2014 21:49:55 +0800
Subject: RoR app, “Failed to load resource: the server responded with a status of 404 (Not Found)”
Message-ID:

Hi,

I am running a ruby application on Nginx. It is working fine on Apache. When I try to load the ruby application on Nginx, I get this error:

"Failed to load resource: the server responded with a status of 404 (Not Found)"

It fails to find two .json files. I had the same issue with Apache before. It was due to not having DocumentRoot in apache conf file. Once DocumentRoot is defined to the public directory of the rails application, the 404 error went away.

This is my Nginx conf file within the server block.

    #owums
    location ~ ^/wifi(/.*|$) {
        alias /var/www/owums/public$1;  # <-- be sure to point to 'public'!
        passenger_base_uri /wifi;
        passenger_app_root /var/www/owums;
        passenger_document_root /var/www/owums/public;
        passenger_enabled on;
        passenger_app_env development;
    }

This is my Apache conf file. When I comment out DocumentRoot /var/www/owums/public in Apache conf, Apache will throw the same error. Any ideas?

    Alias /wifi /var/www/owums/public
    PassengerBaseURI /wifi
    PassengerAppRoot /var/www/owums
    RailsEnv production
    ServerName wifi
    DocumentRoot /var/www/owums/public
    Allow from all
    Options -MultiViews
    Require all granted

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From nginx-forum at nginx.us Fri Oct 17 13:57:16 2014
From: nginx-forum at nginx.us (itpp2012)
Date: Fri, 17 Oct 2014 09:57:16 -0400
Subject: [ANN] Windows nginx 1.7.7.2 Gryphon
In-Reply-To:
References: <540e8d6252d119b8f8295ee8a15c37bc.NginxMailingListEnglish@forum.nginx.org> <093fa3bf9390cddd7ab4f24cb6d24631.NginxMailingListEnglish@forum.nginx.org> <25fa4bb2c68e30781938c914e8399343.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <46d3b57dbce3a001c7ca00fc026d1d4b.NginxMailingListEnglish@forum.nginx.org>

That php issue should be solved for awhile now, also deploy proper php.ini settings for each domain.

ea:

    [PATH=s:/webroot/domain.nl]
    open_basedir = s:/webroot/domain.nl
    doc_root = s:/webroot/domain.nl
    error_reporting = E_ALL & ~E_NOTICE
    error_log = s:/logging/php/domain.nl.errors.log
    upload_tmp_dir = s:/webroot/domain.nl/uploads
    session.save_path = s:/webroot/domain.nl/sessions
    upload_max_filesize = 32M
    post_max_size = 8M
    disable_functions = "curl_exec,curl_multi_exec,dl,exec,parse_ini_file,passthru,popen,proc_open,proc_close,shell_exec,show_source,symlink,system"

That if: use map and an if.

As for storage, here we use a Debian VM as storage concentrator, nginx talks to Debian on IP level and Debian manages/caches all kinds of storage units as one pool. (mapping a drive is slow, use direct ip access)

You might also benefit from speed when using separated lan connections.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254012,254103#msg-254103 From nginx-forum at nginx.us Fri Oct 17 14:09:36 2014 From: nginx-forum at nginx.us (timbo) Date: Fri, 17 Oct 2014 10:09:36 -0400 Subject: Nginx Reverse proxy + RD Gateway Auth Problem In-Reply-To: <20141017125529.GC35211@mdounin.ru> References: <20141017125529.GC35211@mdounin.ru> Message-ID: Thank you very much Maxim, I will check your recommendation I will post the results here. Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254095,254105#msg-254105 From dewanggaba at xtremenitro.org Fri Oct 17 14:30:56 2014 From: dewanggaba at xtremenitro.org (Dewangga Bachrul Alam) Date: Fri, 17 Oct 2014 21:30:56 +0700 Subject: TLS_FALLBACK_SCSV Message-ID: <54412820.2030508@xtremenitro.org> Hi there, Regarding POODLEbleed[1] issue, I've disable SSLv3 on `ssl_protocols` directive. But, ssllabs.com says that : ---- snip ---- Downgrade attack prevention No, TLS_FALLBACK_SCSV not supported (more info[2]) ---- snip ---- But on LiteSpeed[3] configuration, it says yes. ---- snip ---- Downgrade attack prevention Yes, TLS_FALLBACK_SCSV supported ---- snip ---- With configuration: ---- snip ---- SSLHonorCipherOrder On SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 ---- snip ---- $ nginx -v nginx version: nginx/1.6.2 built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC) TLS SNI support enabled [snip] --add-module=/home/mockbuild/rpmbuild/SOURCES/ngx_pagespeed-release-1.9.32.1-beta So the question is, how important it is? 
---- Reference [1] http://nginx.com/blog/nginx-poodle-ssl/ [2] https://datatracker.ietf.org/doc/draft-bmoeller-tls-downgrade-scsv/ [3] http://www.litespeedtech.com/products/litespeed-web-server/release-log From nginx-forum at nginx.us Fri Oct 17 15:20:17 2014 From: nginx-forum at nginx.us (c0nw0nk) Date: Fri, 17 Oct 2014 11:20:17 -0400 Subject: [ANN] Windows nginx 1.7.7.2 Gryphon In-Reply-To: <46d3b57dbce3a001c7ca00fc026d1d4b.NginxMailingListEnglish@forum.nginx.org> References: <540e8d6252d119b8f8295ee8a15c37bc.NginxMailingListEnglish@forum.nginx.org> <093fa3bf9390cddd7ab4f24cb6d24631.NginxMailingListEnglish@forum.nginx.org> <25fa4bb2c68e30781938c914e8399343.NginxMailingListEnglish@forum.nginx.org> <46d3b57dbce3a001c7ca00fc026d1d4b.NginxMailingListEnglish@forum.nginx.org> Message-ID: Yeah i do the same with the IP each nginx process knows the machine to locate via http://172.0.0.1; each machine is assigned its own localhost ip. The only thing that does not use the IP is each servers nginx pulls from static data from the mapped hard drive Z:/ But taken into consideration i run SSD's and i also use a RAID6 setup with the following LSI Mega RAID. http://www.lsi.com/products/raid-controllers/pages/megaraid-sas-9271-8i.aspx And a CacheCade 120Go SSD to cache frequently accessed data. I also think Nginx open_file_cache feature would help allot too. I dont get any timeouts or lag or problems with static data requests. Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254012,254108#msg-254108 From nginx-forum at nginx.us Fri Oct 17 15:29:00 2014 From: nginx-forum at nginx.us (mex) Date: Fri, 17 Oct 2014 11:29:00 -0400 Subject: TLS_FALLBACK_SCSV In-Reply-To: <54412820.2030508@xtremenitro.org> References: <54412820.2030508@xtremenitro.org> Message-ID: <0a037367aacd85f7206f5113a5d19c11.NginxMailingListEnglish@forum.nginx.org> > Regarding POODLEbleed[1] issue, I've disable SSLv3 on `ssl_protocols` thats the most important part > directive. 
But, ssllabs.com says that : > > ---- snip ---- > Downgrade attack prevention No, TLS_FALLBACK_SCSV not supported (more > info[2]) TLS_FALLBACK_SCSV also prevents downgrades from TLSv1.2 -> TLSv1.1 -> TLSv1 and has got nothing to do with SSLv3 > With configuration: > ---- snip ---- > SSLHonorCipherOrder On > SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 isnt this the apacheconfig? > > So the question is, how important it is? > it is not yet important, but downgrade-attacks might happen again. do you have nginx with a different openssl-library installed, e.g. statically linked please paste the full output from $ nginx -V Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254106,254109#msg-254109 From nginx-forum at nginx.us Fri Oct 17 15:36:29 2014 From: nginx-forum at nginx.us (mex) Date: Fri, 17 Oct 2014 11:36:29 -0400 Subject: =?UTF-8?Q?Re=3A_RoR_app=2C_=E2=80=9CFailed_to_load_resource=3A_the_server_?= =?UTF-8?Q?responded_with_a_status_of_404_=28Not_Found=29=E2=80=9D?= In-Reply-To: References: Message-ID: <21795b0e7493f658f051d9627f2444ae.NginxMailingListEnglish@forum.nginx.org> iirc you donw need a $1 behind alias like in rewrite-rules http://nginx.org/en/docs/http/ngx_http_core_module.html#alias the following should work location /wifi { alias /var/www/owums/public; # <-- be sure to point to 'public'! 
passenger_base_uri /wifi; passenger_app_root /var/www/owums; passenger_document_root /var/www/owums/public; passenger_enabled on; passenger_app_env development; } Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254102,254110#msg-254110 From dewanggaba at xtremenitro.org Fri Oct 17 15:42:55 2014 From: dewanggaba at xtremenitro.org (Dewangga Bachrul Alam) Date: Fri, 17 Oct 2014 22:42:55 +0700 Subject: TLS_FALLBACK_SCSV In-Reply-To: <0a037367aacd85f7206f5113a5d19c11.NginxMailingListEnglish@forum.nginx.org> References: <54412820.2030508@xtremenitro.org> <0a037367aacd85f7206f5113a5d19c11.NginxMailingListEnglish@forum.nginx.org> Message-ID: <544138FF.40107@xtremenitro.org> Hi mex, Yes, it's apacheconfig, Litespeed is drop-in replacement for Apache. Here is my full nginx -V http://fpaste.org/142890/60334141/raw I don't have nginx with different openssl-library installed. Thanks. On 10/17/2014 10:29 PM, mex wrote: >> Regarding POODLEbleed[1] issue, I've disable SSLv3 on `ssl_protocols` > > thats the most important part > > >> directive. But, ssllabs.com says that : >> >> ---- snip ---- >> Downgrade attack prevention No, TLS_FALLBACK_SCSV not supported (more >> info[2]) > > TLS_FALLBACK_SCSV also prevents downgrades from TLSv1.2 -> TLSv1.1 -> TLSv1 > > and has got nothing to do with SSLv3 > > >> With configuration: >> ---- snip ---- >> SSLHonorCipherOrder On >> SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 > > isnt this the apacheconfig? > > >> >> So the question is, how important it is? >> > > it is not yet important, but downgrade-attacks might happen > again. > > do you have nginx with a different openssl-library installed, e.g. 
> statically linked > > please paste the full output from > > $ nginx -V > > Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254106,254109#msg-254109 > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > From ian at ianhobson.co.uk Fri Oct 17 16:19:29 2014 From: ian at ianhobson.co.uk (Ian) Date: Fri, 17 Oct 2014 17:19:29 +0100 Subject: SSL Certificate confusion. Message-ID: <54414191.4060505@ianhobson.co.uk> Hi All, My client's SSL certificates are about to run out, and we have gone through the process of getting the replacements from Godaddy. However their instructions as to how to use them are useless. I expected a .crt and possibly a .key file, and I expected to simply replace the existing files with the new, and restart nginx. However I have been given two .crt files! One contains a single certificate and the other three certificates! Is the reason there is no .key file because that is the private key and would not be sent out of our control. The old will continue to work fine. Does anyone know what the group of certificates is for, and how I should I introduce them to nginx? Nginx is a compiled version :- ian at ianhobson~ $ nginx -V nginx version: nginx/1.6.0 built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) TLS SNI support enabled configure arguments: --sbin-path=/usr/sbin --conf-path=/etc/nginx/nginx.conf --pid-path=/usr/local/nginx/nginx.pid --with-http_ssl_module --add-module=../nginx_tcp_proxy_module_v0.4.5 --add-module=../nginx_http_push_module-0.712 Many thanks Ian From mdounin at mdounin.ru Fri Oct 17 16:35:00 2014 From: mdounin at mdounin.ru (Maxim Dounin) Date: Fri, 17 Oct 2014 20:35:00 +0400 Subject: SSL Certificate confusion. In-Reply-To: <54414191.4060505@ianhobson.co.uk> References: <54414191.4060505@ianhobson.co.uk> Message-ID: <20141017163500.GG35211@mdounin.ru> Hello! 
On Fri, Oct 17, 2014 at 05:19:29PM +0100, Ian wrote: > Hi All, > > My client's SSL certificates are about to run out, and we have gone through > the process of > getting the replacements from Godaddy. However their instructions as to how > to use them > are useless. > > I expected a .crt and possibly a .key file, and I expected to simply replace > the existing files > with the new, and restart nginx. > > However I have been given two .crt files! One contains a single certificate > and the other three certificates! > > Is the reason there is no .key file because that is the private key and > would not be sent out of our control. The old will continue to work fine. > > Does anyone know what the group of certificates is for, and how I should I > introduce them to nginx? The file with three certificates is a bundle with intermediate certs. See here for more info: http://nginx.org/en/docs/http/configuring_https_servers.html#chains -- Maxim Dounin http://nginx.org/ From stl at wiredrive.com Fri Oct 17 17:50:00 2014 From: stl at wiredrive.com (Scott Larson) Date: Fri, 17 Oct 2014 10:50:00 -0700 Subject: SSL Certificate confusion. In-Reply-To: <54414191.4060505@ianhobson.co.uk> References: <54414191.4060505@ianhobson.co.uk> Message-ID: The CA will never provide a key, if this was a simple renewal of the existing certificate the key already in place would be the one to reuse. One thing to note however is that SHA1 is being aggressively phased out now due the the Google policy change with Chrome. If that matters to you, you'll want to check that your cert chain is the new SHA256. *__________________Scott LarsonSystems AdministratorWiredrive/LA310 823 8238 ext. 1106310 943 2078 faxwww.wiredrive.com www.twitter.com/wiredrive www.facebook.com/wiredrive * On Fri, Oct 17, 2014 at 9:19 AM, Ian wrote: > Hi All, > > My client's SSL certificates are about to run out, and we have gone > through the process of > getting the replacements from Godaddy. 
However their instructions as to > how to use them > are useless. > > I expected a .crt and possibly a .key file, and I expected to simply > replace the existing files > with the new, and restart nginx. > > However I have been given two .crt files! One contains a single > certificate and the other three certificates! > > Is the reason there is no .key file because that is the private key and > would not be sent out of our control. The old will continue to work fine. > > Does anyone know what the group of certificates is for, and how I should I > introduce them to nginx? > > Nginx is a compiled version :- > ian at ianhobson~ $ nginx -V > nginx version: nginx/1.6.0 > built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) > TLS SNI support enabled > configure arguments: --sbin-path=/usr/sbin --conf-path=/etc/nginx/nginx.conf > --pid-path=/usr/local/nginx/nginx.pid --with-http_ssl_module > --add-module=../nginx_tcp_proxy_module_v0.4.5 --add-module=../nginx_http_ > push_module-0.712 > > Many thanks > > Ian > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jessica at litw.in Fri Oct 17 23:28:50 2014 From: jessica at litw.in (Jessica Litwin) Date: Fri, 17 Oct 2014 19:28:50 -0400 Subject: issue with ssl_ciphers not being respected In-Reply-To: References: Message-ID: using openssl101j, I get the same results with the following in both my vhost config and nginx.conf ssl_protocols TLSv1.2 TLSv1.1; ssl_ciphers EECDH+aRSA+AESGCM:EECDH+aRSA+AES:EDH+aRSA+AESGCM:EDH+aRSA+AES:DES-CB C3-SHA:!EXP:!CAMELLIA:!DSS:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4; ssl_prefer_server_ciphers on; RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger ciphers are available. What the hell am I doing wrong? 
On Fri, Oct 17, 2014 at 6:14 AM, itpp2012 wrote: > Scott Larson Wrote: > ------------------------------------------------------- > > Something else must be going on here. Looking at your ssl_cipher > > string, you're opening with a rough declaration of specific ciphers > > you'll > > support, none of which should pull in RC4. It's specific enough in > > fact > > that your subsequent excluded ciphers don't even come into play. To > > test > > this I switched in my old RSA cert, rebuilt 1.7.6 against OpenSSL > > 1.0.1j, > > Which is why I said try 101j, between 101e and j there are big differences > when it comes to invalid fallbacks. > Not even mentioning using 101e is asking to be hacked. > > Posted at Nginx Forum: > http://forum.nginx.org/read.php?2,254028,254092#msg-254092 > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -- Jessica K. Litwin jessicalitwin.com twitter: press5 aim: press5key skype: dr_jkl -------------- next part -------------- An HTML attachment was scrubbed... URL: From stl at wiredrive.com Fri Oct 17 23:41:41 2014 From: stl at wiredrive.com (Scott Larson) Date: Fri, 17 Oct 2014 16:41:41 -0700 Subject: issue with ssl_ciphers not being respected In-Reply-To: References: Message-ID: Just to be thorough, are you sure nginx is actually using the config file that you think it is? If we?re talking about your personal domain I see TLS 1.0 and SSL 3.0 available which in this snippet you have not enabled. This behavior isn?t something I?m able to replicate with the 1.7.6/1.0.1i combo. __________________ Scott Larson Systems Administrator Wiredrive/LA 310 823 8238 ext. 
1106 310 943 2078 fax www.wiredrive.com www.twitter.com/wiredrive www.facebook.com/wiredrive > On Oct 17, 2014, at 4:28 PM, Jessica Litwin wrote: > > using openssl101j, I get the same results with the following in both my vhost config and nginx.conf > > ssl_protocols TLSv1.2 TLSv1.1; > ssl_ciphers EECDH+aRSA+AESGCM:EECDH+aRSA+AES:EDH+aRSA+AESGCM:EDH+aRSA+AES:DES-CB > C3-SHA:!EXP:!CAMELLIA:!DSS:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4; > ssl_prefer_server_ciphers on; > > RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger ciphers are available. > > What the hell am I doing wrong? > > On Fri, Oct 17, 2014 at 6:14 AM, itpp2012 > wrote: > Scott Larson Wrote: > ------------------------------------------------------- > > Something else must be going on here. Looking at your ssl_cipher > > string, you're opening with a rough declaration of specific ciphers > > you'll > > support, none of which should pull in RC4. It's specific enough in > > fact > > that your subsequent excluded ciphers don't even come into play. To > > test > > this I switched in my old RSA cert, rebuilt 1.7.6 against OpenSSL > > 1.0.1j, > > Which is why I said try 101j, between 101e and j there are big differences > when it comes to invalid fallbacks. > Not even mentioning using 101e is asking to be hacked. > > Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254028,254092#msg-254092 > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > > > > -- > Jessica K. Litwin > jessicalitwin.com > twitter: press5 > aim: press5key > skype: dr_jkl > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From jessica at litw.in Fri Oct 17 23:55:42 2014 From: jessica at litw.in (Jessica Litwin) Date: Fri, 17 Oct 2014 19:55:42 -0400 Subject: issue with ssl_ciphers not being respected In-Reply-To: References: Message-ID: no, not that domain. i'll contact you off-list :D On Fri, Oct 17, 2014 at 7:41 PM, Scott Larson wrote: > Just to be thorough, are you sure nginx is actually using the config > file that you think it is? If we?re talking about your personal domain I > see TLS 1.0 and SSL 3.0 available which in this snippet you have not > enabled. This behavior isn?t something I?m able to replicate with the > 1.7.6/1.0.1i combo. > > > > *__________________Scott LarsonSystems AdministratorWiredrive/LA310 823 > 8238 ext. 1106 <310%20823%208238%20ext.%201106>310 943 2078 > <310%20943%202078> faxwww.wiredrive.com > www.twitter.com/wiredrive > www.facebook.com/wiredrive > * > > On Oct 17, 2014, at 4:28 PM, Jessica Litwin wrote: > > using openssl101j, I get the same results with the following in both my > vhost config and nginx.conf > > ssl_protocols TLSv1.2 TLSv1.1; > ssl_ciphers > EECDH+aRSA+AESGCM:EECDH+aRSA+AES:EDH+aRSA+AESGCM:EDH+aRSA+AES:DES-CB > C3-SHA:!EXP:!CAMELLIA:!DSS:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4; > ssl_prefer_server_ciphers on; > > RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger > ciphers are available. > > What the hell am I doing wrong? > > On Fri, Oct 17, 2014 at 6:14 AM, itpp2012 wrote: > >> Scott Larson Wrote: >> ------------------------------------------------------- >> > Something else must be going on here. Looking at your ssl_cipher >> > string, you're opening with a rough declaration of specific ciphers >> > you'll >> > support, none of which should pull in RC4. It's specific enough in >> > fact >> > that your subsequent excluded ciphers don't even come into play. 
To >> > test >> > this I switched in my old RSA cert, rebuilt 1.7.6 against OpenSSL >> > 1.0.1j, >> >> Which is why I said try 101j, between 101e and j there are big differences >> when it comes to invalid fallbacks. >> Not even mentioning using 101e is asking to be hacked. >> >> Posted at Nginx Forum: >> http://forum.nginx.org/read.php?2,254028,254092#msg-254092 >> >> _______________________________________________ >> nginx mailing list >> nginx at nginx.org >> http://mailman.nginx.org/mailman/listinfo/nginx >> > > > > -- > Jessica K. Litwin > jessicalitwin.com > twitter: press5 > aim: press5key > skype: dr_jkl > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -- Jessica K. Litwin jessicalitwin.com twitter: press5 aim: press5key skype: dr_jkl -------------- next part -------------- An HTML attachment was scrubbed... URL: From jessica at litw.in Sat Oct 18 00:17:36 2014 From: jessica at litw.in (Jessica Litwin) Date: Fri, 17 Oct 2014 20:17:36 -0400 Subject: issue with ssl_ciphers not being respected In-Reply-To: References: Message-ID: This was fun... I found a subdomain's vhost was allowing RC4, and fixing that the RC4 alert go away for scanning the main site. I think this might be an issue with the way the Qualys scanner works. Thank you all for helping & kudos to Scott Larson for putting up with me :) -jkl On Fri, Oct 17, 2014 at 7:41 PM, Scott Larson wrote: > Just to be thorough, are you sure nginx is actually using the config > file that you think it is? If we?re talking about your personal domain I > see TLS 1.0 and SSL 3.0 available which in this snippet you have not > enabled. This behavior isn?t something I?m able to replicate with the > 1.7.6/1.0.1i combo. 
> > > > *__________________Scott LarsonSystems AdministratorWiredrive/LA310 823 > 8238 ext. 1106 <310%20823%208238%20ext.%201106>310 943 2078 > <310%20943%202078> faxwww.wiredrive.com > www.twitter.com/wiredrive > www.facebook.com/wiredrive > * > > On Oct 17, 2014, at 4:28 PM, Jessica Litwin wrote: > > using openssl101j, I get the same results with the following in both my > vhost config and nginx.conf > > ssl_protocols TLSv1.2 TLSv1.1; > ssl_ciphers > EECDH+aRSA+AESGCM:EECDH+aRSA+AES:EDH+aRSA+AESGCM:EDH+aRSA+AES:DES-CB > C3-SHA:!EXP:!CAMELLIA:!DSS:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4; > ssl_prefer_server_ciphers on; > > RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger > ciphers are available. > > What the hell am I doing wrong? > > On Fri, Oct 17, 2014 at 6:14 AM, itpp2012 wrote: > >> Scott Larson Wrote: >> ------------------------------------------------------- >> > Something else must be going on here. Looking at your ssl_cipher >> > string, you're opening with a rough declaration of specific ciphers >> > you'll >> > support, none of which should pull in RC4. It's specific enough in >> > fact >> > that your subsequent excluded ciphers don't even come into play. To >> > test >> > this I switched in my old RSA cert, rebuilt 1.7.6 against OpenSSL >> > 1.0.1j, >> >> Which is why I said try 101j, between 101e and j there are big differences >> when it comes to invalid fallbacks. >> Not even mentioning using 101e is asking to be hacked. >> >> Posted at Nginx Forum: >> http://forum.nginx.org/read.php?2,254028,254092#msg-254092 >> >> _______________________________________________ >> nginx mailing list >> nginx at nginx.org >> http://mailman.nginx.org/mailman/listinfo/nginx >> > > > > -- > Jessica K. 
Litwin > jessicalitwin.com > twitter: press5 > aim: press5key > skype: dr_jkl > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -- Jessica K. Litwin jessicalitwin.com twitter: press5 aim: press5key skype: dr_jkl -------------- next part -------------- An HTML attachment was scrubbed... URL: From jake.he at gmail.com Sat Oct 18 00:44:44 2014 From: jake.he at gmail.com (Jake He) Date: Sat, 18 Oct 2014 08:44:44 +0800 Subject: =?UTF-8?Q?Re=3A_RoR_app=2C_=E2=80=9CFailed_to_load_resource=3A_the_server_?= =?UTF-8?Q?responded_with_a_status_of_404_=28Not_Found=29=E2=80=9D?= In-Reply-To: <21795b0e7493f658f051d9627f2444ae.NginxMailingListEnglish@forum.nginx.org> References: <21795b0e7493f658f051d9627f2444ae.NginxMailingListEnglish@forum.nginx.org> Message-ID: Thank you. I tried. Removed $1, restarted Nginx. But it does not work. Still the same issue. Jake On 17 October 2014 23:36, mex wrote: > iirc you donw need a $1 behind alias like in rewrite-rules > > http://nginx.org/en/docs/http/ngx_http_core_module.html#alias > > the following should work > > location /wifi { > alias /var/www/owums/public; # <-- be sure to point to 'public'! > passenger_base_uri /wifi; > passenger_app_root /var/www/owums; > passenger_document_root /var/www/owums/public; > passenger_enabled on; > passenger_app_env development; > } > > Posted at Nginx Forum: > http://forum.nginx.org/read.php?2,254102,254110#msg-254110 > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... 
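
Added example (written for this archive page, not by any poster in the thread): the ssl_ciphers thread above ended with the finding that a subdomain's vhost was still allowing RC4. The sketch below checks every TLS `server` block in a configuration for that kind of drift. The configuration text, host names and file paths are constructed, the cipher string is the one quoted in the thread with its line wrap removed, and the RC4 check is a conservative static heuristic, not an OpenSSL cipher expansion.

```python
import re

NGINX_DEFAULT_CIPHERS = "HIGH:!aNULL:!MD5"   # nginx's documented ssl_ciphers default
TRACKED = ("server_name", "ssl_certificate", "ssl_protocols", "ssl_ciphers")
# Selectors that cannot pull in RC4 (OpenSSL classes RC4 suites as MEDIUM, not HIGH).
NO_RC4 = ("AES", "3DES", "DES-CBC3", "CAMELLIA", "CHACHA20", "HIGH")

# Constructed sample: one http-level policy plus vhosts that override it.
SAMPLE_CONF = """
http {
    ssl_protocols TLSv1.2 TLSv1.1;
    ssl_ciphers EECDH+aRSA+AESGCM:EECDH+aRSA+AES:EDH+aRSA+AESGCM:EDH+aRSA+AES:DES-CBC3-SHA:!EXP:!CAMELLIA:!DSS:!MEDIUM:!LOW:!aNULL:!eNULL:!RC4;
    server {   # inherits the http-level policy
        listen 443 ssl; server_name example.test;
        ssl_certificate /etc/nginx/tls/example.test.crt;
    }
    server {   # subdomain with its own, looser cipher list
        listen 443 ssl; server_name sub.example.test;
        ssl_certificate /etc/nginx/tls/sub.example.test.crt;
        ssl_ciphers HIGH:MEDIUM:!aNULL;
    }
    server {
        listen 443 ssl; server_name legacy.example.test;
        ssl_certificate /etc/nginx/tls/legacy.example.test.crt;
        ssl_protocols SSLv3 TLSv1;
        ssl_ciphers ECDHE-RSA-AES128-SHA:RC4-SHA;
    }
    server { listen 80; server_name plain.example.test; }   # no TLS, skipped
}
"""

def parse_servers(conf_text):
    """Return every server{} frame; each frame links to its parent context.
    Assumes no braces or semicolons inside quoted values or regexes."""
    text = re.sub(r"#[^\n]*", "", conf_text)            # drop comments
    root = {"block": "main", "parent": None}
    frame, servers, pending = root, [], ""
    for tok in re.findall(r"[{};]|[^{};]+", text):
        if tok == "{":                                   # open a nested context
            words = pending.split()
            frame = {"block": words[0] if words else "", "parent": frame}
        elif tok == "}":                                 # close it
            if frame["block"] == "server":
                servers.append(frame)
            frame = frame["parent"] or root
        elif tok == ";":                                 # end of one directive
            words = pending.split()
            if words and words[0] in TRACKED:
                frame[words[0]] = words[1:]
        else:
            pending = tok
            continue
        pending = ""
    return servers

def effective(frame, name, default=None):
    """Resolve a directive as nginx inherits it: the nearest enclosing level wins."""
    while frame is not None:
        if name in frame:
            return frame[name]
        frame = frame["parent"]
    return default

def rc4_verdict(cipher_string):
    """Heuristic: 'excluded', 'narrow', 'broad' (needs review) or 'explicit'."""
    tokens = [t.upper() for t in re.split(r"[:, ]+", cipher_string) if t]
    if "!RC4" in tokens:              # '!' removes suites permanently, in any position
        return "excluded"
    verdict = "narrow"
    for tok in tokens:
        if tok[0] in "!-+":           # deletions and reorderings add nothing
            continue
        if "RC4" in tok:
            return "explicit"
        if not any(alg in tok for alg in NO_RC4):
            verdict = "broad"         # e.g. MEDIUM, ALL, DEFAULT, bare key-exchange aliases
    return verdict

def audit(conf_text):
    """Map each TLS server_name to a list of findings (empty list = clean)."""
    findings = {}
    for srv in parse_servers(conf_text):
        if effective(srv, "ssl_certificate") is None:
            continue                                     # not a TLS vhost
        issues = []
        protocols = effective(srv, "ssl_protocols")
        if protocols is None:
            issues.append("ssl_protocols unset: version default applies")
        elif "SSLv3" in protocols:
            issues.append("SSLv3 enabled")
        ciphers = " ".join(effective(srv, "ssl_ciphers", [NGINX_DEFAULT_CIPHERS]))
        verdict = rc4_verdict(ciphers)
        if verdict in ("explicit", "broad"):
            issues.append("ssl_ciphers may permit RC4 (%s)" % verdict)
        findings[" ".join(effective(srv, "server_name", ["(unnamed)"]))] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_CONF).items():
        print(name, "->", "; ".join(issues) or "ok")
```
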
URL: From nginx-forum at nginx.us Sat Oct 18 06:59:32 2014 From: nginx-forum at nginx.us (volga629) Date: Sat, 18 Oct 2014 02:59:32 -0400 Subject: NGINX 1.6.2 compile problem Message-ID: Hello Everyone, Trying build nginx 1.6.2 and --pid-path is not honored by build. Doesn't matter what I change it stays in /run/nginx.pid. Here buiild output http://fpaste.org/143079/41361548/ Thank you in advance. Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254122,254122#msg-254122 From nginx-forum at nginx.us Sat Oct 18 09:59:26 2014 From: nginx-forum at nginx.us (mex) Date: Sat, 18 Oct 2014 05:59:26 -0400 Subject: issue with ssl_ciphers not being respected In-Reply-To: References: Message-ID: maybe related (maxims answer) http://forum.nginx.org/read.php?2,254016,254050#msg-254050 Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254028,254123#msg-254123 From nginx-forum at nginx.us Sat Oct 18 10:43:37 2014 From: nginx-forum at nginx.us (martinproinity) Date: Sat, 18 Oct 2014 06:43:37 -0400 Subject: Prevent cache from storing files multiple times in the proxy_temp dir Message-ID: Our nginx reverse proxy creates a temporary entry in the proxy_temp directory if that file does not yet exists in the cache. So far so good but if the file does not exists and the file will be requested 10 times at the same time it creates 10 temporary files in the proxy_temp and fetches the data 10 times from the proxied server. The result is high write IO and high bandwidth for a single file. I already tested "proxy_cache_lock on" and played with the directive "proxy_cache_lock_timeout" which addresses the issue. The disadvantage is that 1 connection will get the data but 9 are delayed because of the lock. The optimal solution would be if all the 10 hypothetic connections will be served from the same temporary cache file out of the proxy_temp. Is there a good/better approach to solve this scenario? 
TIA

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254124,254124#msg-254124

From nginx-forum at nginx.us Sun Oct 19 02:51:20 2014
From: nginx-forum at nginx.us (c0nw0nk)
Date: Sat, 18 Oct 2014 22:51:20 -0400
Subject: Nginx Security Hardening and Rules
Message-ID:

So since i searched the Nginx Forum i can't find anyone who has posted a topic for Nginx security rules or examples so i will be the first to share my examples regardless of how bad of an idea some people may think that is.

So the first security addition is to block direct IP access to my server connecting via IP instead of an assigned domain name will result in an error or denied request.

    server {
        listen 80;
        listen [::]:80;
        location / {
            #deny all;
            return 404;
        }
    }

Hide your Nginx version / Information by turning off server tokens and restrict upload file sizes.

    server_tokens off;
    # File uploads
    client_max_body_size 10M;

Another thing is to block access to certain directories or config files even file paths or locations that could be resource extensive or contain sensitive data allowing access to only your IP.

    location ~ ^/(xampp|security|phpmyadmin|licenses|webalizer|server-status|server-info|cpanel|configuration.php|htaccess) {
        #deny all;
        #return 404;
        allow 192.168.1.5;
        deny all;  # needed: "allow" on its own does not block other clients
    }

Deny running scripts inside writable directories unless your own IP.

    location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ {
        #return 403;
        allow 192.168.1.5;
        deny all;  # needed: "allow" on its own does not block other clients
    }

Only allow these request methods GET|HEAD|POST Do not accept DELETE, SEARCH and other methods.

    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 444;
    }

Apparently itpp2012 told me in another post the zero day exploit was fixed but i see no harm in having it in here. (And some people still run outdated PHP versions.)

    location ~ \.php$ {
        # Zero-day exploit defense.
        # http://forum.nginx.org/read.php?2,88845,page=3
        # Won't work properly (404 error) if the file is not stored on this server, which is entirely possible with php-fpm/php-fcgi.
        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on another machine. And then cross your fingers that you won't get hacked.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
    }

Password restrict directories you only want yourself or admins to access.

    # stray ")" removed from the pattern so the regex compiles
    location ~ /administrator/.* {
        auth_basic "Restricted";
        auth_basic_user_file C:/www/vhosts/passwd;
    }

Looking forward to see what other people use and if i can adapt anyone else's to my own setup, I run a Joomla environment but i know that this can be helpful for wordpress users too.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254125,254125#msg-254125

From nginx-forum at nginx.us Sun Oct 19 03:21:33 2014
From: nginx-forum at nginx.us (c0nw0nk)
Date: Sat, 18 Oct 2014 23:21:33 -0400
Subject: Nginx Security Hardening and Rules
In-Reply-To:
References:
Message-ID: <2e0cc23fee072bd63390399584ca5649.NginxMailingListEnglish@forum.nginx.org>

I also came across the following what will completely drop Nginx server and PHP / ASP.NET etc Powered by headers.

    http {
        more_clear_headers 'Server';
        more_clear_headers 'X-Powered-By';
    }

http://wiki.nginx.org/HttpHeadersMoreModule#more_clear_headers

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254125,254126#msg-254126

From nginx-forum at nginx.us Sun Oct 19 05:18:34 2014
From: nginx-forum at nginx.us (killer1337)
Date: Sun, 19 Oct 2014 01:18:34 -0400
Subject: nginx adding index.html to requests
Message-ID:

Hi everybody,
I am trying to set up a web app called opennote on my nginx server but somehow it doesn't work.
When I call the page the error log shows:

2014/10/16 13:12:39 [error] 21400#0: *11 "/var/www_opennote/Service/service.php/config/index.html" is not found (20: Not a directory), client: 192.168.217.41, server: , request: "GET /Service/service.php/config/ HTTP/1.1", host: "192.168.217.201:444", referrer: "https://192.168.217.201:444/"

According to the developer of the app the problem appears to be that nginx is adding the index.html to Service/service.php/config/

So the application is requesting Service/service.php/config/index.html when it should be requesting Service/service.php/config/.

I already tried to add

    location / {
        autoindex off;
    }

to my config but it didn't help.

My nginx config is:

    server {
        listen 444 ssl;
        ssl_certificate bla.crt;
        ssl_certificate_key bla.key;
        set $root_path "/var/www_opennote";
        root $root_path;
        set $socket "unix:/var/run/fpm-00796029-695b-475a-a87c-f2b25af36486.sock";
        location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass $socket;
            fastcgi_index index.php;
            include fastcgi_params;
        }
        access_log /var/log/nginx/160232e2-896f-4d3b-9fec-1e08058c2bc2-access.log;
        error_log /var/log/nginx/160232e2-896f-4d3b-9fec-1e08058c2bc2-error.log;
        large_client_header_buffers 4 32k;
    }

You can find my discussion with the developer here: https://github.com/FoxUSA/OpenNote/issues/102

Thank you for any hint on how I can solve my issue!

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254127,254127#msg-254127

From nurahmadie at gmail.com Sun Oct 19 05:47:03 2014
From: nurahmadie at gmail.com (Adie Nurahmadie)
Date: Sun, 19 Oct 2014 12:47:03 +0700
Subject: nginx adding index.html to requests
In-Reply-To:
References:
Message-ID:

Your location regex won't accept /var/www_opennote/Service/service.php/config/index.html

change it to:

    location ~ ^(.+\.php)(/.+)$
    # the last `$` doesn't really do much in this pattern

And try changing fastcgi_params with fastcgi.conf, since fastcgi_params doesn't set SCRIPT_FILENAME in it.
also you may want to set PATH_INFO param.

ref: http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_split_path_info

On Sun, Oct 19, 2014 at 12:18 PM, killer1337 wrote:

> Hi everybody,
> I am trying to set up a web app called opennote on my nginx server but
> somehow it doesn't work. When I call the page the error log shows:
>
> 2014/10/16 13:12:39 [error] 21400#0: *11
> "/var/www_opennote/Service/service.php/config/index.html" is not found (20:
> Not a directory), client: 192.168.217.41, server: , request: "GET
> /Service/service.php/config/ HTTP/1.1", host: "192.168.217.201:444",
> referrer: "https://192.168.217.201:444/"
>
> According to the developer of the app the problem appears to be that ngix
> is
> adding the index.html to Service/service.php/config/
>
> So the application is requesting Service/service.php/config/index.html when
> it should be requesting Service/service.php/config/.
>
> I already tried to add
>
> location / {
> autoindex off;
> }
>
> to my config but it didn't help.
>
> My nginx config is:
>
> server {
> listen 444 ssl;
> ssl_certificate bla.crt;
> ssl_certificate_key bla.key;
> set $root_path "/var/www_opennote";
> root $root_path;
> set $socket
> "unix:/var/run/fpm-00796029-695b-475a-a87c-f2b25af36486.sock";
> location ~ \.php$ {
> fastcgi_split_path_info ^(.+\.php)(/.+)$;
> fastcgi_pass $socket;
> fastcgi_index index.php;
> include fastcgi_params;
> }
> access_log
> /var/log/nginx/160232e2-896f-4d3b-9fec-1e08058c2bc2-access.log;
> error_log
> /var/log/nginx/160232e2-896f-4d3b-9fec-1e08058c2bc2-error.log;
> large_client_header_buffers 4 32k;
> }
>
> You can find my discussion with the developer here:
> https://github.com/FoxUSA/OpenNote/issues/102
>
> Thank you for any hint on how I can solve my issue!
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,254127,254127#msg-254127
>

--
regards,
Nurahmadie
--

From nurahmadie at gmail.com Sun Oct 19 06:04:46 2014
From: nurahmadie at gmail.com (Adie Nurahmadie)
Date: Sun, 19 Oct 2014 13:04:46 +0700
Subject: nginx adding index.html to requests
In-Reply-To:
References:
Message-ID:

On Sun, Oct 19, 2014 at 12:47 PM, Adie Nurahmadie wrote:

> Your location regex wont accept /var/www_opennote/Service/
> service.php/config/index.html
>

oops, I meant to type:
your location regex won't accept: Service/service.php/config/

> change it to:
>
> location ~ ^(.+\.php)(/.+)$
> # the last `$` doesn't really do much in this pattern
>
> And try changing fastcgi_params with fastcgi.conf, since fastcgi_params
> doesn't set SCRIPT_FILENAME in it.
> also you may want to set PATH_INFO param.
>
> ref:
> http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_split_path_info
>
>
> On Sun, Oct 19, 2014 at 12:18 PM, killer1337 wrote:
>
>> Hi everybody,
>> I am trying to set up a web app called opennote on my nginx server but
>> somehow it doesn't work. When I call the page the error log shows:
>>
>> 2014/10/16 13:12:39 [error] 21400#0: *11
>> "/var/www_opennote/Service/service.php/config/index.html" is not found
>> (20:
>> Not a directory), client: 192.168.217.41, server: , request: "GET
>> /Service/service.php/config/ HTTP/1.1", host: "192.168.217.201:444",
>> referrer: "https://192.168.217.201:444/"
>>
>> According to the developer of the app the problem appears to be that ngix
>> is
>> adding the index.html to Service/service.php/config/
>>
>> So the application is requesting Service/service.php/config/index.html
>> when
>> it should be requesting Service/service.php/config/.
>>
>> I already tried to add
>>
>> location / {
>> autoindex off;
>> }
>>
>> to my config but it didn't help.
>>
>> My nginx config is:
>>
>> server {
>> listen 444 ssl;
>> ssl_certificate bla.crt;
>> ssl_certificate_key bla.key;
>> set $root_path "/var/www_opennote";
>> root $root_path;
>> set $socket
>> "unix:/var/run/fpm-00796029-695b-475a-a87c-f2b25af36486.sock";
>> location ~ \.php$ {
>> fastcgi_split_path_info ^(.+\.php)(/.+)$;
>> fastcgi_pass $socket;
>> fastcgi_index index.php;
>> include fastcgi_params;
>> }
>> access_log
>> /var/log/nginx/160232e2-896f-4d3b-9fec-1e08058c2bc2-access.log;
>> error_log
>> /var/log/nginx/160232e2-896f-4d3b-9fec-1e08058c2bc2-error.log;
>> large_client_header_buffers 4 32k;
>> }
>>
>> You can find my discussion with the developer here:
>> https://github.com/FoxUSA/OpenNote/issues/102
>>
>> Thank you for any hint on how I can solve my issue!
>>
>> Posted at Nginx Forum:
>> http://forum.nginx.org/read.php?2,254127,254127#msg-254127
>>
>
> --
> regards,
> Nurahmadie
> --
>

--
regards,
Nurahmadie
--

From nginx-forum at nginx.us Sun Oct 19 06:27:02 2014
From: nginx-forum at nginx.us (killer1337)
Date: Sun, 19 Oct 2014 02:27:02 -0400
Subject: nginx adding index.html to requests
In-Reply-To:
References:
Message-ID:

Thank you very much! Changing the location regex was the key. Have a great day!
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254127,254130#msg-254130

From nginx-forum at nginx.us Sun Oct 19 11:28:16 2014
From: nginx-forum at nginx.us (akurdyukov)
Date: Sun, 19 Oct 2014 07:28:16 -0400
Subject: Windows MSI installer building script
Message-ID: <71433d04aa36562233ec7ac0db9abf21.NginxMailingListEnglish@forum.nginx.org>

Hello,

I created a small MSI build script that can package nginx with nssm for service installation. Please take a look at https://github.com/akurdyukov/nginx-installer

Regards,
Alik.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254131,254131#msg-254131

From nginx-forum at nginx.us Sun Oct 19 15:00:32 2014
From: nginx-forum at nginx.us (mex)
Date: Sun, 19 Oct 2014 11:00:32 -0400
Subject: Nginx Security Hardening and Rules
In-Reply-To:
References:
Message-ID: <1e3345ce7b0dd70ee4b87c327f1fd280.NginxMailingListEnglish@forum.nginx.org>

hi,

i'd suggest you collect your snippets in the nginx-wiki http://wiki.nginx.org/ and link your collection back to http://wiki.nginx.org/Configuration

thus it will be easier to maintain and extend.

cheers,

mex

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254125,254136#msg-254136

From nginx-forum at nginx.us Sun Oct 19 16:14:49 2014
From: nginx-forum at nginx.us (c0nw0nk)
Date: Sun, 19 Oct 2014 12:14:49 -0400
Subject: Nginx Security Hardening and Rules
In-Reply-To: <1e3345ce7b0dd70ee4b87c327f1fd280.NginxMailingListEnglish@forum.nginx.org>
References: <1e3345ce7b0dd70ee4b87c327f1fd280.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <1cd8350d3fbc05a65a886e653bc435cb.NginxMailingListEnglish@forum.nginx.org>

Thanks mex, I will submit a wiki page. How long do they take to get added or approved? Also, one of the main reasons I posted it here was just to have everyone share what they use and some different and custom stuff.
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254125,254137#msg-254137

From sarah at nginx.com Sun Oct 19 16:21:04 2014
From: sarah at nginx.com (Sarah Novotny)
Date: Sun, 19 Oct 2014 09:21:04 -0700
Subject: Nginx Security Hardening and Rules
In-Reply-To: <1cd8350d3fbc05a65a886e653bc435cb.NginxMailingListEnglish@forum.nginx.org>
References: <1e3345ce7b0dd70ee4b87c327f1fd280.NginxMailingListEnglish@forum.nginx.org> <1cd8350d3fbc05a65a886e653bc435cb.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <80786470-80A6-4B58-99DA-F3E93BC1BA73@nginx.com>

Hi c0nw0nk,

ping me offlist if you don't already have a wiki account and i'll get you set up.

sarah

> On Oct 19, 2014, at 9:14 AM, c0nw0nk wrote:
>
> Thanks mex i will submit a wiki page how long do they take to get added or
> approved ? Also one of the main reasons i posted it here was just to have
> everyone share what they use and some different and custom stuff.
>
> Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254125,254137#msg-254137
>

From nginx-forum at nginx.us Sun Oct 19 16:57:34 2014
From: nginx-forum at nginx.us (mex)
Date: Sun, 19 Oct 2014 12:57:34 -0400
Subject: Nginx Security Hardening and Rules
In-Reply-To: <1cd8350d3fbc05a65a886e653bc435cb.NginxMailingListEnglish@forum.nginx.org>
References: <1e3345ce7b0dd70ee4b87c327f1fd280.NginxMailingListEnglish@forum.nginx.org> <1cd8350d3fbc05a65a886e653bc435cb.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <77995cb3de6fd0aabe113deed124cf58.NginxMailingListEnglish@forum.nginx.org>

i think it's a nice idea and surely will participate with some stuff like security-headers (CSP/X-Frame-Options etc)

single issues/questions might still be discussed on-list, and it should be no problem to post updates here from time to time.

cheers,

mex

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254125,254140#msg-254140

From nginx-forum at nginx.us Sun Oct 19 17:31:28 2014
From: nginx-forum at nginx.us (itpp2012)
Date: Sun, 19 Oct 2014 13:31:28 -0400
Subject: Nginx Security Hardening and Rules
In-Reply-To: <77995cb3de6fd0aabe113deed124cf58.NginxMailingListEnglish@forum.nginx.org>
References: <1e3345ce7b0dd70ee4b87c327f1fd280.NginxMailingListEnglish@forum.nginx.org> <1cd8350d3fbc05a65a886e653bc435cb.NginxMailingListEnglish@forum.nginx.org> <77995cb3de6fd0aabe113deed124cf58.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <5af4408aded5d7259d6c61d600bc4638.NginxMailingListEnglish@forum.nginx.org>

Paste in google: Top 20 Nginx WebServer Best Security Practices

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254125,254142#msg-254142

From nginx-forum at nginx.us Sun Oct 19 17:47:53 2014
From: nginx-forum at nginx.us (c0nw0nk)
Date: Sun, 19 Oct 2014 13:47:53 -0400
Subject: Nginx Security Hardening and Rules
In-Reply-To: <5af4408aded5d7259d6c61d600bc4638.NginxMailingListEnglish@forum.nginx.org>
References: <1e3345ce7b0dd70ee4b87c327f1fd280.NginxMailingListEnglish@forum.nginx.org> <1cd8350d3fbc05a65a886e653bc435cb.NginxMailingListEnglish@forum.nginx.org> <77995cb3de6fd0aabe113deed124cf58.NginxMailingListEnglish@forum.nginx.org> <5af4408aded5d7259d6c61d600bc4638.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <468057037aaa21d46a40019def4272a6.NginxMailingListEnglish@forum.nginx.org>

I have come across that same page before. The one that is interesting me right now is based off mex's comment on security in header responses.

https://gist.github.com/plentz/6737338

# config to don't allow the browser to render the page inside an frame or iframe
# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
add_header X-Frame-Options SAMEORIGIN;

# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
# to disable content-type sniffing on some browsers.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# currently supported in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
add_header X-Content-Type-Options nosniff;

# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
# this particular website if it was disabled by the user.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-XSS-Protection "1; mode=block";

# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
# you can tell the browser that it can only download content from the domains you explicitly allow
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.owasp.org/index.php/Content_Security_Policy
# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
# directives for css and js(if you have inline css or js, you will need to keep it too).
# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254125,254143#msg-254143

From nginx-forum at nginx.us Sun Oct 19 21:49:53 2014
From: nginx-forum at nginx.us (tunist)
Date: Sun, 19 Oct 2014 17:49:53 -0400
Subject: SPDY errors in log
Message-ID:

i just noticed several entries in the main nginx log here that are:

[error] 28042#0: *12244 inflate() failed: -5 while processing SPDY, client: xx.xx.xx.xx, server: 0.0.0.0:443

anyone know what this is caused by? i haven't found anything in the search engines that relate yet

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254144,254144#msg-254144

From nginx-forum at nginx.us Sun Oct 19 21:51:14 2014
From: nginx-forum at nginx.us (tunist)
Date: Sun, 19 Oct 2014 17:51:14 -0400
Subject: SPDY errors in log
In-Reply-To:
References:
Message-ID: <64502c42dcfe18b183455b84e365f675.NginxMailingListEnglish@forum.nginx.org>

oh, and another:

*188425 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early) while SSL handshaking, client: xx.xx.xx.xx.xx, server: 0.0.0.0:443

is this maybe a result of hackers attempting to break into the server?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254144,254145#msg-254145

From nginx-forum at nginx.us Sun Oct 19 22:16:01 2014
From: nginx-forum at nginx.us (mex)
Date: Sun, 19 Oct 2014 18:16:01 -0400
Subject: SPDY errors in log
In-Reply-To: <64502c42dcfe18b183455b84e365f675.NginxMailingListEnglish@forum.nginx.org>
References: <64502c42dcfe18b183455b84e365f675.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <58c53e30f147aaefc2d259ddc93b8236.NginxMailingListEnglish@forum.nginx.org>

CCS-scan probably, see
https://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/#ccs-early-changecipherspec-attack

what openssl-version do you use?

cheers,

mex

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254144,254146#msg-254146

From nginx-forum at nginx.us Sun Oct 19 22:33:34 2014
From: nginx-forum at nginx.us (tunist)
Date: Sun, 19 Oct 2014 18:33:34 -0400
Subject: SPDY errors in log
In-Reply-To: <58c53e30f147aaefc2d259ddc93b8236.NginxMailingListEnglish@forum.nginx.org>
References: <64502c42dcfe18b183455b84e365f675.NginxMailingListEnglish@forum.nginx.org> <58c53e30f147aaefc2d259ddc93b8236.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <69b95bb88a8ceb277db93b9a68547c9b.NginxMailingListEnglish@forum.nginx.org>

fedora 20 - latest version of openssl = 1:openssl-1.0.1e-40.fc20.x86_64

though when i run openssl version, i see: OpenSSL 1.0.1e-fips 11 Feb 2013
not sure why..!?

mex Wrote:
-------------------------------------------------------
> CCS-scan probably, see
> https://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/#ccs-early-changecipherspec-attack
>
> what openssl-version do you use?
>
>
>
> cheers,
>
>
> mex

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254144,254147#msg-254147

From nginx-forum at nginx.us Sun Oct 19 22:43:34 2014
From: nginx-forum at nginx.us (mex)
Date: Sun, 19 Oct 2014 18:43:34 -0400
Subject: SPDY errors in log
In-Reply-To: <69b95bb88a8ceb277db93b9a68547c9b.NginxMailingListEnglish@forum.nginx.org>
References: <64502c42dcfe18b183455b84e365f675.NginxMailingListEnglish@forum.nginx.org> <58c53e30f147aaefc2d259ddc93b8236.NginxMailingListEnglish@forum.nginx.org> <69b95bb88a8ceb277db93b9a68547c9b.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <4578fc9ce2b5c31f02cfe20104dcab38.NginxMailingListEnglish@forum.nginx.org>

hi tunist,

if you want to test your server for CCS-vuln you might use
https://www.ssllabs.com/ssltest/

or the testscript from https://testssl.sh/
when you prefer to test locally.

>
> though when i run openssl version, i see: OpenSSL 1.0.1e-fips 11 Feb
> 2013 not sure why..!?

distros backport patches but usually don't ship new versions,
thus don't update version-numbers; same here, although
this system is fully patched

$ openssl version
OpenSSL 1.0.1e 11 Feb 2013

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254144,254148#msg-254148

From nginx-forum at nginx.us Sun Oct 19 23:37:34 2014
From: nginx-forum at nginx.us (tunist)
Date: Sun, 19 Oct 2014 19:37:34 -0400
Subject: SPDY errors in log
In-Reply-To: <4578fc9ce2b5c31f02cfe20104dcab38.NginxMailingListEnglish@forum.nginx.org>
References: <64502c42dcfe18b183455b84e365f675.NginxMailingListEnglish@forum.nginx.org> <58c53e30f147aaefc2d259ddc93b8236.NginxMailingListEnglish@forum.nginx.org> <69b95bb88a8ceb277db93b9a68547c9b.NginxMailingListEnglish@forum.nginx.org> <4578fc9ce2b5c31f02cfe20104dcab38.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <0e9f143bceb997a4599892ef58aceac4.NginxMailingListEnglish@forum.nginx.org>

thanks, yes - i just thought to do that before i read your reply.
the test says my server is not vulnerable to the attack - so the bugfixes appear to have been integrated into the latest fedora version of openssl, even though running the openssl version command does not show this to be the case.

so i just put up with the regular error log entries for inflate?

mex Wrote:
-------------------------------------------------------
> hi tunist,
>
> if you want to test your server for CCS-vuln you might use
> https://www.ssllabs.com/ssltest/
>
> or the testscript from https://testssl.sh/
> when you prefer to test locally.
>
>
> >
> > though when i run openssl version, i see: OpenSSL 1.0.1e-fips 11
> Feb
> > 2013 not sure why..!?
>
> distros backport patched but usually dont ship new versions,
> thus dont update version-numbers; same here, although
> this system is fully patched
>
> $ openssl version
> OpenSSL 1.0.1e 11 Feb 2013

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254144,254149#msg-254149

From aweber at comcast.net Sun Oct 19 23:59:32 2014
From: aweber at comcast.net (AJ Weber)
Date: Sun, 19 Oct 2014 19:59:32 -0400
Subject: Qualys (ssl labs) results question
Message-ID: <54445064.3000500@comcast.net>

Looking through the results for my server, I noticed these two lines in the "Protocol Details" section:

Session resumption (caching)    No (IDs assigned but not accepted)
Session resumption (tickets)    No INTOLERANT

Should I change my config to alter these two results (for performance OR security)? If so, can anyone identify what config options I should add/change?

Also, is there a way to force the "Server hostname" to be a specific FQDN (that we use for this server and website)? It seems to return my hosting provider's original hostname of the server, even though we use our registered host/domain for the site. (And "hostname" cmd in bash returns the FQDN we want -- I don't know where nginx is getting this value.)

This is nginx 1.7.6 on CentOS 6.x.

Thanks in advance!
-AJ

From mdounin at mdounin.ru Mon Oct 20 05:08:31 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Mon, 20 Oct 2014 09:08:31 +0400
Subject: NGINX 1.6.2 compile problem
In-Reply-To:
References:
Message-ID: <20141020050831.GK35211@mdounin.ru>

Hello!

On Sat, Oct 18, 2014 at 02:59:32AM -0400, volga629 wrote:

> Hello Everyone,
> Trying build nginx 1.6.2 and --pid-path is not honored by build. Doesn't
> matter what I change it stays in /run/nginx.pid.
>
>
>
> Here buiild output
>
> http://fpaste.org/143079/41361548/

Likely it's what you have in your nginx.conf (/etc/nginx/nginx.conf as per ./configure options).

--
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru Mon Oct 20 05:46:34 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Mon, 20 Oct 2014 09:46:34 +0400
Subject: Nginx Security Hardening and Rules
In-Reply-To:
References:
Message-ID: <20141020054634.GL35211@mdounin.ru>

Hello!

On Sat, Oct 18, 2014 at 10:51:20PM -0400, c0nw0nk wrote:

> So since i searched the Nginx Forum i can't find anyone who has posted a
> topic for Nginx security rules or examples so i will be the first to share
> my examples regardless of how bad of a idea some people may think that is.
>
> So the first security addition is to block direct IP access to my server
> connecting via IP instead of a assigned domain name will result in a error
> or denied request.
>
> server {
> listen 80;
> listen [::]:80;
> location / {
> #deny all;
> return 404;
> }

This mostly matches the server{} block suggested here:

http://nginx.org/en/docs/http/request_processing.html#how_to_prevent_undefined_server_names

It may also be a good idea to configure a default server to return an error, to prevent processing of requests with names not explicitly specified in the configuration:

    server {
        listen 80 default_server;
        return 404;
    }

> Hide your Nginx version / Information by turning of server tokens and
> restrict upload file sizes.
>
> server_tokens off;

I always wonder why people think that hiding versions improves security.

http://en.wikipedia.org/wiki/Security_through_obscurity

> # File uploads
> client_max_body_size 10M;

This will _increase_ allowed upload size from 1m to 10m, as client_max_body_size defaults to 1m. See http://nginx.org/r/client_max_body_size.

> Another thing is to block access to certain directories or config files even
> file paths or locations that could be resource extensive or contain
> sensative data allowing access to only your IP.
>
> location ~
> ^/(xampp|security|phpmyadmin|licenses|webalizer|server-status|server-info|cpanel|configuration.php|htaccess)
> {
> #deny all;
> #return 404;
> allow 192.168.1.5;
> }

This snippet has the "allow" directive, but no "deny" ones. That is, it will not block anything. See here for docs:

http://nginx.org/en/docs/http/ngx_http_access_module.html

It's also important to note that it will also prevent execution of other handlers if configured in other locations (e.g., "/configuration.php" will be downloaded, if any, not passed to php via fastcgi).

In general, you can't just throw such a location into your configuration - it will cause more harm than good.

> Deny running scripts inside writable directories unless your own IP.
>
> location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$
> {
> #return 403;
> allow 192.168.1.5;
> }

See above about allow/deny.

> Only allow these request methods GET|HEAD|POST Do not accept DELETE, SEARCH
> and other methods.
>
> if ($request_method !~ ^(GET|HEAD|POST)$ ) {
> return 444;
> }

For nginx itself this is not needed. Something like this may be useful if you are protecting your backends. See also limit_except which can be used on a per-location level:

    limit_except GET POST {
        deny all;
    }

http://nginx.org/r/limit_except

> Apparently itpp2012 told me in another post the zero day exploit was fixed
> but i see no harm in having it in here.
(And some people still run outdated
> PHP versions.)
>
> location ~ \.php$ {
> # Zero-day exploit defense.
> # http://forum.nginx.org/read.php?2,88845,page=3
> # Won't work properly (404 error) if the file is not stored on this server,
> which is entirely possible with php-fpm/php-fcgi.
> # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on another
> machine. And then cross your fingers that you won't get hacked.
> try_files $uri =404;
> fastcgi_split_path_info ^(.+\.php)(/.+)$;
> }

That's more about php-side misconfiguration, cgi.fix_pathinfo should be set to 0 in php.ini. There is something about this here on the wiki:

http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP

> Password restrict directories you only want yourself or admins to access.
>
> location ~ /administrator/.*) {
> auth_basic "Restricted";
> auth_basic_user_file C:/www/vhosts/passwd;
> }

That's a very bad snippet. You really shouldn't use regular expressions instead of prefix locations. And, if there are locations given by regular expressions, it is important to make sure the location will have precedence. So it should be:

    location ^~ /administrator/ {
        auth_basic "Restricted";
        auth_basic_user_file /path/to/file;

        ... additional configs as needed, e.g., "location ~ \.php$"
    }

See some tips about location matching here in the docs:

http://nginx.org/r/location

--
Maxim Dounin
http://nginx.org/

From nginx-forum at nginx.us Mon Oct 20 06:15:59 2014
From: nginx-forum at nginx.us (mex)
Date: Mon, 20 Oct 2014 02:15:59 -0400
Subject: Qualys (ssl labs) results question
In-Reply-To: <54445064.3000500@comcast.net>
References: <54445064.3000500@comcast.net>
Message-ID: <0cd4cc5fb1efb2491484700575539329.NginxMailingListEnglish@forum.nginx.org>

hello,

> Session resumption (caching) No (IDs assigned but not
> accepted)
> Session resumption (tickets) No INTOLERANT
>
> Should I change my config to alter these two results (for performance
> OR
> security)?
If so, can anyone identify what config options I should
> add/change?

ssl_session_cache might be useful, please read:
http://nginx.org/en/docs/http/configuring_https_servers.html#optimization

>
> Also, is there a way to force the "Server hostname" to be a specific
> FQDN (that we use for this server and website)?

i think you'd need to configure reverse-dns for your site's name to point to that server's ip, and you must use A-records, not CNAMES; if this sounds uncommon to you ask your hosting-provider, they should be able to answer your questions.

cheers,

mex

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254150,254157#msg-254157

From mdounin at mdounin.ru Mon Oct 20 06:24:05 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Mon, 20 Oct 2014 10:24:05 +0400
Subject: Qualys (ssl labs) results question
In-Reply-To: <54445064.3000500@comcast.net>
References: <54445064.3000500@comcast.net>
Message-ID: <20141020062405.GN35211@mdounin.ru>

Hello!

On Sun, Oct 19, 2014 at 07:59:32PM -0400, AJ Weber wrote:

> Looking through the results for my server, I noticed these two lines in the
> "Protocol Details" section:
>
> Session resumption (caching) No (IDs assigned but not accepted)

This means that you have no ssl_session_cache configured, see http://nginx.org/r/ssl_session_cache.

> Session resumption (tickets) No INTOLERANT

While "No" here may be caused by "ssl_session_tickets off", the "INTOLERANT" here suggests there is something to do with your OpenSSL library. By default, session tickets are supported and should work fine as long they are supported by the OpenSSL library used.

> Should I change my config to alter these two results (for performance OR
> security)? If so, can anyone identify what config options I should
> add/change?
>
> Also, is there a way to force the "Server hostname" to be a specific FQDN
> (that we use for this server and website)?
It seems to return my hosting
> provider's original hostname of the server, even though we use our
> registered host/domain for the site. (And "hostname" cmd in bash returns
> the FQDN we want -- I don't know where ngnix is getting this value.)

The "Server hostname" as reported by SSL Labs test is a result of a reverse DNS lookup of your server IP address. You have to edit reverse DNS zone (or, more likely, ask your provider to) if you want to change it.

--
Maxim Dounin
http://nginx.org/

From nginx-forum at nginx.us Mon Oct 20 13:37:51 2014
From: nginx-forum at nginx.us (c0nw0nk)
Date: Mon, 20 Oct 2014 09:37:51 -0400
Subject: Nginx Security Hardening and Rules
In-Reply-To: <20141020054634.GL35211@mdounin.ru>
References: <20141020054634.GL35211@mdounin.ru>
Message-ID: <0c9cb40121690236d5c1cad4d5cf396c.NginxMailingListEnglish@forum.nginx.org>

Yeah, sorry about that Maxim, I don't actually use the allow ip feature. I accidentally hashed out the #deny all; and this forum does not let us edit our posts.

Other than that, the following that you posted.

if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 444;
}

For nginx itself this is not needed. Something like this may be useful if you are protecting your backends. See also limit_except which can be used on a per-location level:

limit_except GET POST {
    deny all;
}

Did you intentionally miss HEAD?

limit_except GET HEAD POST {
    deny all;
}

I don't see the benefit from using one to the other, they both do the same thing.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254125,254166#msg-254166

From nginx-forum at nginx.us Mon Oct 20 13:42:23 2014
From: nginx-forum at nginx.us (c0nw0nk)
Date: Mon, 20 Oct 2014 09:42:23 -0400
Subject: Nginx Security Hardening and Rules
In-Reply-To: <0c9cb40121690236d5c1cad4d5cf396c.NginxMailingListEnglish@forum.nginx.org>
References: <20141020054634.GL35211@mdounin.ru> <0c9cb40121690236d5c1cad4d5cf396c.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

I just read on the Wiki why you missed out putting head in the limit_except block.

"Allowing the GET method makes the HEAD method also allowed."

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254125,254167#msg-254167

From mdounin at mdounin.ru Mon Oct 20 13:45:17 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Mon, 20 Oct 2014 17:45:17 +0400
Subject: Nginx Security Hardening and Rules
In-Reply-To: <0c9cb40121690236d5c1cad4d5cf396c.NginxMailingListEnglish@forum.nginx.org>
References: <20141020054634.GL35211@mdounin.ru> <0c9cb40121690236d5c1cad4d5cf396c.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20141020134517.GA37904@mdounin.ru>

Hello!

On Mon, Oct 20, 2014 at 09:37:51AM -0400, c0nw0nk wrote:

> Yeah sorry about that Maxim i don't actualy use the allow ip feature i
> accidently hashed out the #deny all; and this forum does not let us edit our
> posts.

This is because it's not a forum, it's a mailing list.

> Other than that the following that you posted.
>
> if ($request_method !~ ^(GET|HEAD|POST)$ ) {
> return 444;
> }
>
> For nginx itself this is not needed. Something like this may be
> useful if you are protecting your backends. See also limit_except
> which can be used on a per-location level:
>
> limit_except GET POST {
> deny all;
> }
>
> Did you intentionaly miss Head ?
> limit_except GET HEAD POST {
> deny all;
> }

Yes, see http://nginx.org/r/limit_except. HEAD is automatically included if you specify GET.

> I dont see the benefit from using one to the other they both do the same
> thing.

The limit_except is expected to be slightly more efficient as it'll use already parsed request method id instead of a regular expression.

--
Maxim Dounin
http://nginx.org/

From aweber at comcast.net Mon Oct 20 15:18:56 2014
From: aweber at comcast.net (AJ Weber)
Date: Mon, 20 Oct 2014 11:18:56 -0400
Subject: XP/IE8 HTTPS support :(
Message-ID: <544527E0.7040600@comcast.net>

I have a few users that are having issues with my website now that I disabled SSLv3. Turns out the only cipher that would/should work with XP/IE8 is TLS1.0: "TLS_RSA_WITH_3DES_EDE_CBC_SHA" (there are two RC4's that also work, but I understand that is really not recommended).

Can anyone tell me how to add this to my ssl_ciphers? (I don't fully understand the shorthand in the list.)
I see that, based on a recommendation, I do have "!3DES" in the list. If anyone has any other recommendations to support XP/IE8 with TLS1.0 in the most secure manner, I appreciate all feedback!

Also, if I put this one last in the list, can I assume it will be the least preferred by nginx?

Thank you again,
AJ

From nginx-forum at nginx.us Mon Oct 20 15:41:32 2014
From: nginx-forum at nginx.us (itpp2012)
Date: Mon, 20 Oct 2014 11:41:32 -0400
Subject: XP/IE8 HTTPS support :(
In-Reply-To: <544527E0.7040600@comcast.net>
References: <544527E0.7040600@comcast.net>
Message-ID: <968c90e414d47d3b606edfd2c9acd767.NginxMailingListEnglish@forum.nginx.org>

Try this;

ssl_prefer_server_ciphers On;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!eNULL:!MD5:!DSS;

Works with IE7/xp, sslabs is ok with this as well.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254170,254172#msg-254172

From luky-37 at hotmail.com Mon Oct 20 15:55:10 2014
From: luky-37 at hotmail.com (Lukas Tribus)
Date: Mon, 20 Oct 2014 17:55:10 +0200
Subject: XP/IE8 HTTPS support :(
In-Reply-To: <544527E0.7040600@comcast.net>
References: <544527E0.7040600@comcast.net>
Message-ID:

> I have a few users that are having issues with my website now that I
> disabled SSLv3. Turns out the only cipher that would/should work with
> XP/IE8 is TLS1.0: "TLS_RSA_WITH_3DES_EDE_CBC_SHA" (there are two RC4's
> that also work, but I understand that is really not recommended).
>
> Can anyone tell me how to add this to my ssl_ciphers? (I don't fully
> understand the shorthand in the list.)
> I see that, based on a recommendation, I do have "!3DES" in the list.
> If anyone has any other recommendations to support XP/IE8 with TLS1.0
> in the most secure manner, I appreciate all feedback!
>
> Also, if I put this one last in the list, can I assume it will be the
> least preferred by nginx?

Read here:
https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configuration

Lukas

From katmai at keptprivate.com Mon Oct 20 17:24:27 2014
From: katmai at keptprivate.com (Stefanita Rares Dumitrescu)
Date: Mon, 20 Oct 2014 19:24:27 +0200
Subject: Nginx Security Hardening and Rules
In-Reply-To: <20141020054634.GL35211@mdounin.ru>
References: <20141020054634.GL35211@mdounin.ru>
Message-ID: <5445454B.80502@keptprivate.com>

On 20/10/2014 07:46, Maxim Dounin wrote:
> I always wonder why people think that hiding versions improves
> security.
>
> http://en.wikipedia.org/wiki/Security_through_obscurity
>
>

Usually this is done as a preventive measure against 0days if you're not
around to fix stuff for instance. automated scanners will scan for a
certain version. If it's not available, you have a time buffer when you
can patch your stuff, without popping on automated scanners.
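
For the XP/IE8 cipher question earlier in this thread (AJ Weber's message and itpp2012's reply), this added example, which is not from any poster or from the nginx project, expands the posted ssl_ciphers string with the local OpenSSL through Python's ssl module and reports where DES-CBC3-SHA, OpenSSL's name for TLS_RSA_WITH_3DES_EDE_CBC_SHA, ranks. The function names are this example's own, and the result depends on the local OpenSSL build, which may have 3DES compiled out.

```python
import ssl

# Cipher string quoted from itpp2012's reply in this thread.
THREAD_CIPHERS = (
    "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
    "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!eNULL:!MD5:!DSS"
)

# OpenSSL's name for TLS_RSA_WITH_3DES_EDE_CBC_SHA, the suite named in the question.
XP_IE8_SUITE = "DES-CBC3-SHA"


def expand(cipher_string):
    """Return the suite names the local OpenSSL selects, most preferred first."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError when nothing matches
    # TLS 1.3 suites are configured separately from this string, so skip them.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def is_3des(name):
    """True for OpenSSL suite names that use Triple DES."""
    return "DES-CBC3" in name or "3DES" in name


def rank(names, suite):
    """1-based preference rank of suite in names, or None when it is absent."""
    return names.index(suite) + 1 if suite in names else None


def misordered(names):
    """Pairs (3DES suite, AES suite) where the 3DES suite is preferred over the AES one."""
    pairs = []
    for i, name in enumerate(names):
        if is_3des(name):
            pairs.extend((name, later) for later in names[i + 1:] if "AES" in later)
    return pairs


def report(cipher_string):
    """Text summary: the expanded order, the XP/IE8 suite's rank, 3DES-before-AES pairs."""
    names = expand(cipher_string)
    out = ["%2d  %s" % (i, n) for i, n in enumerate(names, 1)]
    pos = rank(names, XP_IE8_SUITE)
    if pos is None:
        out.append("%s: not offered by this OpenSSL build" % XP_IE8_SUITE)
    else:
        out.append("%s: rank %d of %d" % (XP_IE8_SUITE, pos, len(names)))
    for weak, strong in misordered(names):
        out.append("note: %s is preferred over %s" % (weak, strong))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(THREAD_CIPHERS))
```

nginx applies this order only when ssl_prefer_server_ciphers is on; with it off, the client's preference decides among the suites both sides share.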

From nginx-forum at nginx.us Mon Oct 20 18:13:43 2014
From: nginx-forum at nginx.us (mex)
Date: Mon, 20 Oct 2014 14:13:43 -0400
Subject: Nginx Security Hardening and Rules
In-Reply-To: <5445454B.80502@keptprivate.com>
References: <5445454B.80502@keptprivate.com>
Message-ID: <72e3ff3f99c20cfb74c101e79dab3987.NginxMailingListEnglish@forum.nginx.org>

for scanners/indexes of public services you might search for "shodan"

for the valid use of security through obscurity:

"My thoughts on this are that obscuring information is helpful to security
in many cases as it can force an attacker to generate more "noise" which can
be detected. Where obscurity is a "bad thing" can be where the defender is
relying on that obscurity as a critical control, and without that obscurity,
the control fails. So in addition to the one you gave above. An effective
use of obscurity could be removing software name and version information
from Internet facing services."

src: Rory McCune / http://security.stackexchange.com/questions/2430/the-valid-role-of-obscurity

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254125,254177#msg-254177

From mdounin at mdounin.ru Mon Oct 20 18:22:58 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Mon, 20 Oct 2014 22:22:58 +0400
Subject: Nginx Security Hardening and Rules
In-Reply-To: <5445454B.80502@keptprivate.com>
References: <20141020054634.GL35211@mdounin.ru> <5445454B.80502@keptprivate.com>
Message-ID: <20141020182258.GB37904@mdounin.ru>

Hello!

On Mon, Oct 20, 2014 at 07:24:27PM +0200, Stefanita Rares Dumitrescu wrote:

>
> On 20/10/2014 07:46, Maxim Dounin wrote:
> >I always wonder why people think that hiding versions improves
> >security.
> >
> >http://en.wikipedia.org/wiki/Security_through_obscurity
> >
> >
> Usually this is done as a preventive measure against 0days if you're not
> around to fix stuff for instance. automated scanners will scan for a certain
> version. If it's not available, you have a time buffer when you can patch
> your stuff, without popping on automated scanners.

Assuming that you'll have a time buffer is a catch. You won't.
And the worst thing is that your own automated scanners won't be
able to notify you about known problems if there are any.

--
Maxim Dounin
http://nginx.org/

From nginx-forum at nginx.us Tue Oct 21 07:54:21 2014
From: nginx-forum at nginx.us (i_way)
Date: Tue, 21 Oct 2014 03:54:21 -0400
Subject: nginx core dump issue
Message-ID: <06f417f553dd3352738bde64185f9e0f.NginxMailingListEnglish@forum.nginx.org>

Hi expert,

I am running into nginx core dump issue and I need expert's help.
Thank you so much!

We are running nginx 1.6.0 + mod_security on RHEL 6.4.
We are using the two ports with https.

core dump

GNU gdb (GDB) Red Hat Enterprise Linux (7.2-60.el6_4.1)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
...
Reading symbols from /usr/sbin/nginx.debug...done.

warning: core file may not match specified executable file.
[New Thread 28081]
Missing separate debuginfo for
Try: yum --disablerepo='*' --enablerepo='*-debug*' install /usr/lib/debug/.build-id/a6/993d9af0d108bfc4a2bbfdb176ea3288f6fd5c
#0 ngx_http_chunked_body_filter (r=0x1811350, in=<value optimized out>) at src/http/modules/ngx_http_chunked_filter_module.c:126
126 size += ngx_buf_size(cl->buf);
Missing separate debuginfos, use: debuginfo-install apr-1.3.9-5.el6_2.x86_64
apr-util-1.3.9-3.el6_0.1.x86_64 cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64
db4-4.7.25-17.el6.x86_64 db4-4.7.25-18.el6_4.x86_64
expat-2.0.1-11.el6_2.x86_64 glibc-2.12-1.107.el6.x86_64
glibc-2.12-1.132.el6.x86_64 keyutils-libs-1.4-4.el6.x86_64
krb5-libs-1.10.3-10.el6.x86_64 krb5-libs-1.10.3-10.el6_4.6.x86_64
libcom_err-1.41.12-14.el6.x86_64 libcom_err-1.41.12-18.el6.x86_64
libcurl-7.19.7-35.el6.x86_64 libcurl-7.19.7-37.el6_4.x86_64
libidn-1.18-2.el6.x86_64 libselinux-2.0.94-5.3.el6.x86_64
libselinux-2.0.94-5.3.el6_4.1.x86_64 libssh2-1.4.2-1.el6.x86_64
libuuid-2.17.2-12.14.el6.x86_64 libxml2-2.7.6-14.el6.x86_64
libxml2-2.7.6-8.el6_3.4.x86_64 nspr-4.10.2-1.el6_5.x86_64
nspr-4.9.2-1.el6.x86_64 nss-3.14.0.0-12.el6.x86_64 nss-3.15.3-3.el6_5.x86_64
nss-softokn-freebl-3.12.9-11.el6.x86_64
nss-softokn-freebl-3.14.3-9.el6.x86_64 nss-util-3.14.0.0-2.el6.x86_64
nss-util-3.15.3-1.el6_5.x86_64 openldap-2.4.23-32.el6_4.1.x86_64
openssl-1.0.0-27.el6.x86_64 openssl-1.0.1e-16.el6_5.1.x86_64
pcre-7.8-6.el6.x86_64 zlib-1.2.3-29.el6.x86_64
(gdb) bt
#0 ngx_http_chunked_body_filter (r=0x1811350, in=<value optimized out>) at src/http/modules/ngx_http_chunked_filter_module.c:126
#1 0x0000000000463114 in ngx_http_gzip_body_filter (r=0x1811350, in=0x2171b38) at src/http/modules/ngx_http_gzip_filter_module.c:325
#2 0x00000000004665cc in ngx_http_ssi_body_filter (r=<value optimized out>, in=<value optimized out>) at src/http/modules/ngx_http_ssi_filter_module.c:444
#3 0x0000000000469c73 in ngx_http_charset_body_filter (r=0x1811350, in=<value optimized out>) at src/http/modules/ngx_http_charset_filter_module.c:643
#4 0x000000000046b5cf in ngx_http_addition_body_filter (r=0x1811350, in=0x2171b38) at src/http/modules/ngx_http_addition_filter_module.c:166
#5 0x000000000046be2c in ngx_http_gunzip_body_filter (r=0x1811350, in=0x2171b38) at src/http/modules/ngx_http_gunzip_filter_module.c:184
#6 0x000000000049b83e in ngx_http_modsecurity_body_filter (r=<value optimized out>, in=<value optimized out>) at /home/odnsys777/rpmbuild/BUILD/nginx-1.6.0/modsecurity-2.8.0/nginx/modsecurity/ngx_http_modsecurity.c:1209
#7 0x000000000040fd81 in ngx_output_chain (ctx=0x21717c0, in=0x7fff6190f850) at src/core/ngx_output_chain.c:66
#8 0x0000000000449f25 in ngx_http_copy_filter (r=0x1811350, in=0x7fff6190f850) at src/http/ngx_http_copy_filter_module.c:143
#9 0x000000000045d686 in ngx_http_range_body_filter (r=0x1811350, in=0x7fff6190f850) at src/http/modules/ngx_http_range_filter_module.c:594
#10 0x000000000043b0b5 in ngx_http_output_filter (r=0x1811350, in=0x7fff6190f850) at src/http/ngx_http_core_module.c:1964
#11 0x00000000004410fd in ngx_http_send_special (r=0x1811350, flags=<value optimized out>) at src/http/ngx_http_request.c:3332
#12 0x0000000000454a9d in ngx_http_upstream_finalize_request (r=0x1811350, u=0x2127ee0, rc=0) at src/http/ngx_http_upstream.c:3551
#13 0x000000000045551d in ngx_http_upstream_process_request (r=0x1811350) at src/http/ngx_http_upstream.c:3159
#14 0x0000000000459e69 in ngx_http_upstream_send_response (r=0x1811350, u=0x2127ee0) at src/http/ngx_http_upstream.c:2493
#15 ngx_http_upstream_process_header (r=0x1811350, u=0x2127ee0) at src/http/ngx_http_upstream.c:1735
#16 0x000000000045517d in ngx_http_upstream_handler (ev=0x2139a38) at src/http/ngx_http_upstream.c:977
#17 0x0000000000425194 in ngx_event_process_posted (cycle=0x1804f80, posted=0x76ed40) at src/event/ngx_event_posted.c:40
#18 0x000000000042c2b5 in ngx_worker_process_cycle (cycle=0x1804f80, data=<value optimized out>) at src/os/unix/ngx_process_cycle.c:816
#19 0x000000000042a784 in ngx_spawn_process (cycle=0x1804f80, proc=0x42c1e0, data=0x1, name=0x4e5356 "worker process", respawn=-3) at src/os/unix/ngx_process.c:198
#20 0x000000000042c44c in ngx_start_worker_processes (cycle=0x1804f80, n=4, type=-3) at src/os/unix/ngx_process_cycle.c:364
#21 0x000000000042cc74 in ngx_master_process_cycle (cycle=0x1804f80) at src/os/unix/ngx_process_cycle.c:136
#22 0x000000000040c4c6 in main (argc=<value optimized out>, argv=<value optimized out>) at src/core/nginx.c:407
(gdb)

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254183,254183#msg-254183

From nginx-forum at nginx.us Tue Oct 21 13:16:15 2014
From: nginx-forum at nginx.us (c0nw0nk)
Date: Tue, 21 Oct 2014 09:16:15 -0400
Subject: Nginx Security Hardening and Rules
In-Reply-To: <20141020182258.GB37904@mdounin.ru>
References: <20141020182258.GB37904@mdounin.ru>
Message-ID:

I hate to bring bugs into this topic but seems possible that this is
something Windows related.

But auth_basic is not working. I have not tested on a official NGINX build i
am using itpp2012's builds what could be why it is not working but this is
my config.

location ~ ^/(administrator) {
    auth_basic "Restricted Area";
    auth_basic_user_file C:/server/.htpasswd;
}

And the output result is this.

2014/10/21 14:09:19 [error] 5208#6132: *1 user "admin": password mismatch, client: ::1, server: localhost, request: "GET /administrator/ HTTP/1.1", host: "localhost"
2014/10/21 14:09:20 [error] 5208#6132: *1 user "admin": password mismatch, client: ::1, server: localhost, request: "GET /administrator/ HTTP/1.1", host: "localhost"
2014/10/21 14:09:21 [error] 5208#6132: *1 user "admin": password mismatch, client: ::1, server: localhost, request: "GET /administrator/ HTTP/1.1", host: "localhost"

Also i use the following to generate the htpassword file :
http://www.tools.dynamicdrive.com/password/

And regardless of why i set the password to it does not authorise me access
the username i always set as admin this is the current htaccess :

admin:Wjki8C1VIunc2

So that would be
Username : admin
Pass : lol123

But every login results in a password mismatch ?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254125,254186#msg-254186

From nginx-forum at nginx.us Tue Oct 21 14:47:05 2014
From: nginx-forum at nginx.us (itpp2012)
Date: Tue, 21 Oct 2014 10:47:05 -0400
Subject: Nginx Security Hardening and Rules
In-Reply-To:
References: <20141020182258.GB37904@mdounin.ru>
Message-ID:

c0nw0nk Wrote:
-------------------------------------------------------
> I hate to bring bugs into this topic but seems possible that this is
> something Windows related.
>
> But auth_basic is not working.
[...]
> admin:Wjki8C1VIunc2
>
> So that would be
> Username : admin
> Pass : lol123
>
> But every login results in a password mismatch ?

You need htpasswd from Apache.

htpasswd.exe -nb admin lol123
Automatically using MD5 format on Windows.
admin:$apr1$Yv......$UNeVa4BMqWMQEEhasQ2Gs0

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254125,254187#msg-254187

From defan at nginx.com Tue Oct 21 17:30:47 2014
From: defan at nginx.com (Andrei Belov)
Date: Tue, 21 Oct 2014 10:30:47 -0700
Subject: Re: nginx core dump issue
In-Reply-To: <06f417f553dd3352738bde64185f9e0f.NginxMailingListEnglish@forum.nginx.org>
References: <06f417f553dd3352738bde64185f9e0f.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <447D1BC4-74F9-4005-B16C-2B2056E8BEAA@nginx.com>

On 21 Oct 2014, at 00:54, i_way wrote:

> Hi expert,
>
> I am running into nginx core dump issue and I need expert's help.
> Thank you so much!
>
> We are running nginx 1.6.0 + mod_security on RHEL 6.4.
> We are using the two ports with https.
>
> [...]

You can try to use the "nginx_refactoring" branch from here:

https://github.com/SpiderLabs/ModSecurity/tree/nginx_refactoring

or from here:

https://github.com/defanator/ModSecurity/tree/nginx_refactoring

There was a number of issues affecting nginx, fixed in those branches.

Hope this helps.

From nginx-forum at nginx.us Tue Oct 21 18:01:29 2014
From: nginx-forum at nginx.us (c0nw0nk)
Date: Tue, 21 Oct 2014 14:01:29 -0400
Subject: Nginx Security Hardening and Rules
In-Reply-To:
References: <20141020182258.GB37904@mdounin.ru>
Message-ID:

Thanks itpp2012 i downloaded the htpassword from the apachelounge.com builds
:) works great now.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254125,254189#msg-254189

From sherlockhugo at gmail.com Wed Oct 22 22:14:41 2014
From: sherlockhugo at gmail.com (Raul Hugo)
Date: Wed, 22 Oct 2014 17:14:41 -0500
Subject: Delete or restart cookies - issue with chrome
Message-ID:

Hi guys.

We have an issue with chrome. Some day, some one make a redirect loop with
own production nginx server. We fixed that but some users store the redirect
loop on the cookies, and report that can't show the website.

We are looking for a directive to delete the remote cookies or make
something like that.

Its same like this trouble.
http://serverfault.com/questions/461695/remove-cookies-by-cookie-name-in-nginx-reverse-proxy

--
Warm regards!
Raúl Hugo
Associate Member, http://apesol.org.pe
SysAdmin
Cel. #961-710-096
Linux Registered User #482081 - http://counter.li.org/
Before printing this e-mail, think carefully about whether it is necessary.

From nginx-forum at nginx.us Thu Oct 23 00:49:48 2014
From: nginx-forum at nginx.us (mex)
Date: Wed, 22 Oct 2014 20:49:48 -0400
Subject: Delete or restart cookies - issue with chrome
In-Reply-To:
References:
Message-ID: <148906caa78c3423d8ff7dfbde686431.NginxMailingListEnglish@forum.nginx.org>

Hi Raúl,

do you have the cookie-name or is it random?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254207,254208#msg-254208

From sherlockhugo at gmail.com Thu Oct 23 01:11:23 2014
From: sherlockhugo at gmail.com (Raul Hugo)
Date: Wed, 22 Oct 2014 20:11:23 -0500
Subject: Delete or restart cookies - issue with chrome
In-Reply-To: <148906caa78c3423d8ff7dfbde686431.NginxMailingListEnglish@forum.nginx.org>
References: <148906caa78c3423d8ff7dfbde686431.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

Hi mex

I don't know what cookie is, the site is http://urbania.pe

What you think that can i do?

2014-10-22 19:49 GMT-05:00 mex :

> Hi Raúl,
>
>
> do you have the cookie-name or is it random?
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,254207,254208#msg-254208

--
Warm regards!
Raúl Hugo

From nginx-forum at nginx.us Thu Oct 23 06:00:44 2014
From: nginx-forum at nginx.us (newnovice)
Date: Thu, 23 Oct 2014 02:00:44 -0400
Subject: can a map + regex be used to generate variables for YYYY-MM-DD-HH?
Message-ID: <47cd8a3fbec6ac89f1702028874535e5.NginxMailingListEnglish@forum.nginx.org>

can a map + regex be used to generate variables for YYYY-MM-DD-HH?

I can't use 'if' in the location i am trying this.

-- I know i can do:

if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})") {
    set $year $1;
    set $month $2;
    set $day $3;
}

or with perl regex:

if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})") {
    set $year $1;
    set $month $2;
    set $day $3;
    set $hour $4;
    set $minutes $5;
    set $seconds $6;
}

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254210,254210#msg-254210

From fkoenig at df.eu Thu Oct 23 07:06:44 2014
From: fkoenig at df.eu (Falko Koenig)
Date: Thu, 23 Oct 2014 07:06:44 +0000
Subject: nginx imap proxy - timeouts
Message-ID: <1414048004.3449.17.camel@buero138>

Hello,

we are using nginx as imap and pop3 proxy with a ldap database querying
the correct destination server for the user. LDAP Requests are realized
by a perl script for using different LDAP servers. We have noticed that
nginx has temporarily timeouts querying the LDAP server. The timeouts
occur before the query is sent to the LDAP server by the nginx. We get
the following error code:

2014/10/22 17:16:49 [error] 2073#0: *4391695 auth http server 127.0.0.1:8000 timed out (110: Connection timed out) while in http auth state, client: XXX.XXX.XXX.XXX, server: 0.0.0.0:993, login: "USERNAME"
2014/10/22 17:16:52 [error] 2073#0: *4393196 auth http server 127.0.0.1:8000 timed out (110: Connection timed out) while in http auth state, client: XXX.XXX.XXX.XXX, server: 0.0.0.0:995, login: "USERNAME"

Because of that it isn't possible that the answer of the LDAP server is
sent too slowly back to the nginx.
The servers are in a cluster
configuration and one server processes 20.000 Connections. Are there any
required kernel parameters for solving the problem?

Regards,

Falko König
Platform Engineer
___________________________________
domainfactory GmbH
Oskar-Messter-Str. 33
85737 Ismaning
Germany
Phone: +49 (0)89 / 55266-371
Fax: +49 (0)89 / 55266-222
E-Mail: fkoenig at df.eu
Internet: www.df.eu
Commercial register: Amtsgericht München HRB 150294, Managing directors: Peter Mueller, Tobias Mohr

From nginx-forum at nginx.us Thu Oct 23 07:22:50 2014
From: nginx-forum at nginx.us (mex)
Date: Thu, 23 Oct 2014 03:22:50 -0400
Subject: Delete or restart cookies - issue with chrome
In-Reply-To:
References:
Message-ID:

Hi Raul,

> I don't know what cookie is, the site is http://urbania.pe
>

if you don't know the cookie-name you cannot reset them from nginx, but i see
quite a few in my developer-tools.

i'd suggest you create a location that match this false redirect-location
and reset the cookies from within this location, and the redirect users to /
after this reset.

http://www.ebrueggeman.com/blog/setting-cookies-in-nginx

btw, i think it is bad design to place redirect-information into cookies.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254207,254212#msg-254212

From dol+list at cyon.ch Thu Oct 23 08:32:08 2014
From: dol+list at cyon.ch (Dominic)
Date: Thu, 23 Oct 2014 10:32:08 +0200
Subject: nginx imap proxy - timeouts
In-Reply-To: <1414048004.3449.17.camel@buero138>
References: <1414048004.3449.17.camel@buero138>
Message-ID: <5448BD08.4060707@cyon.ch>

Dear Falko

On 23/10/14 09:06, Falko Koenig wrote:
> Hello,
>
> we are using nginx as imap and pop3 proxy with a ldap database querying
> the correct destination server for the user. LDAP Requests are realized
> by a perl script for using different LDAP servers. We have noticed that
> nginx has temporarily timeouts querying the LDAP server. The timeouts
> occur before the query is sent to the LDAP server by the nginx. We get
> the following error code:
>
> 2014/10/22 17:16:49 [error] 2073#0: *4391695 auth http server
> 127.0.0.1:8000 timed out (110: Connection timed out) while in http auth
> state, client: XXX.XXX.XXX.XXX, server: 0.0.0.0:993, login: "USERNAME"
> 2014/10/22 17:16:52 [error] 2073#0: *4393196 auth http server
> 127.0.0.1:8000 timed out (110: Connection timed out) while in http auth
> state, client: XXX.XXX.XXX.XXX, server: 0.0.0.0:995, login: "USERNAME"
>
> Because of that it isn't possible that the answer of the LDAP server is
> sent too slowly back to the nginx. The servers are in a cluster
> configuration and one server processes 20.000 Connections. Are there any
> required kernel parameters for solving the problem?

My random guess.

Linux has a maximum of open connections.
You can get the number by the following command:

sysctl net.ipv4.ip_local_port_range
> net.ipv4.ip_local_port_range = 32768 61000

The default on my host are 28232 local ports. For each connection a
local port is used. Because IMAP/POP3 are persistent connections, the
local ports are getting rare on your system.
You can increase this setting by /etc/sysctl.conf [1][2].

I guess your Perl script is a small CGI server running on localhost on
port XYZ (something like port 9000). This will add up additional local
port usages for every LDAP lookup. If you have 20'000 current
connection, 8000 used ports that are not yet been freed by the network
stack (see notes in [1]) and 2000 concurrent LDAP Perl request you'll
reach the default limit of 28232 possible ports.
If your Perl script running on localhost I would recommend switching
to a Unix socket to save up additional local ports.

The Linux network stack (=> limitation of the IPv4 protocol) is not
capable of handling more than 65536 open connections [3].
An alternative to this problem might be a switch of a *BSD operating
system. Whatsapp is handling more than 2 million connections per host
with FreeBSD [4]. Or use a load balancer with multiple nodes.

Regards
Dominic

[1] http://www.nateware.com/linux-network-tuning-for-2013.html
[2] http://dak1n1.com/blog/12-nginx-performance-tuning
[3] http://superuser.com/questions/251596/is-there-a-hard-limit-of-65536-open-tcp-connections-per-ip-address-on-linux
[4] http://blog.whatsapp.com/196/1-million-is-so-2011

From fkoenig at df.eu Thu Oct 23 10:26:55 2014
From: fkoenig at df.eu (Falko Koenig)
Date: Thu, 23 Oct 2014 10:26:55 +0000
Subject: nginx imap proxy - timeouts
Message-ID: <1414060015.3449.23.camel@buero138>

Hi Dominic,

> On 23/10/14 10:32, Dominic wrote:
>
> Dear Falko
>
> My random guess.
>
> Linux has a maximum of open connections.
> You can get the number by the following command:
>
> sysctl net.ipv4.ip_local_port_range
> > net.ipv4.ip_local_port_range = 32768 61000
>
> The default on my host are 28232 local ports. For each connection a
> local port is used. Because IMAP/POP3 are persistent connections, the
> local ports are getting rare on your system.
> You can increase this setting by /etc/sysctl.conf [1][2].
>
> I guess your Perl script is a small CGI server running on localhost on
> port XYZ (something like port 9000). This will add up additional local
> port usages for every LDAP lookup. If you have 20'000 current
> connection, 8000 used ports that are not yet been freed by the network
> stack (see notes in [1]) and 2000 concurrent LDAP Perl request you'll
> reach the default limit of 28232 possible ports.
> If your Perl script running on localhost I would recommend switching
> to a Unix socket to save up additional local ports.
>
> The Linux network stack (=> limitation of the IPv4 protocol) is not
> capable of handling more than 65536 open connections [3].
> An alternative to this problem might be a switch of a *BSD operating
> system. Whatsapp is handling more than 2 million connections per host
> with FreeBSD [4]. Or use a load balancer with multiple nodes.
>
> Regards
> Dominic
>
>
> [1] http://www.nateware.com/linux-network-tuning-for-2013.html
> [2] http://dak1n1.com/blog/12-nginx-performance-tuning
> [3]
> http://superuser.com/questions/251596/is-there-a-hard-limit-of-65536-open-tcp-connections-per-ip-address-on-linux
> [4] http://blog.whatsapp.com/196/1-million-is-so-2011

Thank you for your help. These options we have already tried. We had the
same problem using a socket and increasing the option
net.ipv4.ip_local_port_range didn't help. In the setup we're already
using loadbalancer to balance the traffic on different hosts. Do you
have maybe any other suggestions?

--
Kind regards,

Falko König
Platform Engineer
From nginx-forum at nginx.us Thu Oct 23 12:25:08 2014
From: nginx-forum at nginx.us (mex)
Date: Thu, 23 Oct 2014 08:25:08 -0400
Subject: Mozilla SSL Config Generator
Message-ID: <5ebdff65436d2777a286ed1769de4474.NginxMailingListEnglish@forum.nginx.org>

nice!

http://mozilla.github.io/server-side-tls/ssl-config-generator/

did not test all profiles, but intermediate gives A+ on ssllabs,
supports every browser except winxp/ie6 and has all the goodies enabled

$ ./testssl.sh example.com

#########################################################
testssl.sh v2.1alpha (https://testssl.sh)

--> Testing Protocols

 SSLv2      Local problem: /usr/bin/openssl doesn't support "s_client -ssl2"
 SSLv3      not offered (OK)
 TLSv1      offered (OK)
 TLSv1.1    offered (OK)
 TLSv1.2    offered (OK)
 SPDY/NPN   not offered

--> Testing standard cipher lists

 Null Cipher              not offered (OK)
 Anonymous NULL Cipher    not offered (OK)
 Anonymous DH Cipher      not offered (OK)
 40 Bit encryption        not offered (OK)
 56 Bit encryption        Local problem: No 56 Bit encryption configured in /usr/bin/openssl
 Export Cipher (general)  not offered (OK)
 Low (<=64 Bit)           not offered (OK)
 DES Cipher               not offered (OK)
 Triple DES Cipher        offered
 Medium grade encryption  not offered
 High grade encryption    offered (OK)

--> Testing server defaults (Server Hello)

 Negotiated protocol       TLSv1.2
 Negotiated cipher         ECDHE-RSA-AES128-GCM-SHA256
 Server key size           2048 bit
 TLS server extensions     server name, renegotiation info, EC point formats, session ticket, heartbeat
 Session Tickets RFC 5077  300 seconds
 OCSP stapling             not offered

--> Testing specific vulnerabilities

 Heartbleed (CVE-2014-0160), experimental  not vulnerable (OK) , timed out
 CCS (CVE-2014-0224), experimental         not vulnerable (OK)
 Renegotiation (CVE 2009-3555)             not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH =HTTP Compression, experimental    uses gzip compression (only "/" tested)

--> Testing HTTP Header response

 HSTS    182 days (15768000 s)
 Server  (None, interesting!)

--> Checking RC4 Ciphers

no RC4 ciphers detected (OK)

--> Testing (Perfect) Forward Secrecy (P)FS)

PFS seems generally available. Now testing specific ciphers ...

Hexcode   Cipher Suite Name (OpenSSL)   KeyExch.  Encryption  Bits  Cipher Suite Name (RFC)
--------------------------------------------------------------------------------------------------------------------
[0xc030]  ECDHE-RSA-AES256-GCM-SHA384   ECDH      AESGCM      256   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
[0x9f]    DHE-RSA-AES256-GCM-SHA384     DH        AESGCM      256   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
[0x6b]    DHE-RSA-AES256-SHA256         DH        AES         256   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
[0x39]    DHE-RSA-AES256-SHA            DH        AES         256   TLS_DHE_RSA_WITH_AES_256_CBC_SHA
[0x88]    DHE-RSA-CAMELLIA256-SHA       DH        Camellia    256   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
[0xc028]  ECDHE-RSA-AES256-SHA384       ECDH      AES         256   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
[0xc014]  ECDHE-RSA-AES256-SHA          ECDH      AES         256   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
[0xc02f]  ECDHE-RSA-AES128-GCM-SHA256   ECDH      AESGCM      128   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[0xc027]  ECDHE-RSA-AES128-SHA256       ECDH      AES         128   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
[0x9e]    DHE-RSA-AES128-GCM-SHA256     DH        AESGCM      128   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
[0x67]    DHE-RSA-AES128-SHA256         DH        AES         128   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
[0x33]    DHE-RSA-AES128-SHA            DH        AES         128   TLS_DHE_RSA_WITH_AES_128_CBC_SHA
[0x45]    DHE-RSA-CAMELLIA128-SHA       DH        Camellia    128   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
[0xc013]  ECDHE-RSA-AES128-SHA          ECDH      AES         128   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Please note: detected PFS ciphers don't necessarily mean any client/browser will use them

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254221,254221#msg-254221

From dol+list at cyon.ch Thu Oct 23 14:27:05 2014
From: dol+list at cyon.ch (Dominic)
Date: Thu, 23 Oct 2014 16:27:05 +0200
Subject: nginx imap proxy - timeouts
In-Reply-To: <1414060015.3449.23.camel@buero138>
References:
<1414060015.3449.23.camel@buero138>
Message-ID: <54491039.3060007@cyon.ch>

Hi Falko

On 23/10/14 12:26, Falko Koenig wrote:
> Thank you for your help. These options we have already tried. We had the
> same problem using a socket and increasing the option
> net.ipv4.ip_local_port_range didn't help. In the setup we're already
> using loadbalancer to balance the traffic on different hosts. Do you
> have maybe any other suggestions?

Without further information the guessing goes on.

What version of nginx are you using?
Can you provide your configurations? Especially the timeout settings of
auth_http_timeout?

Some suggestions, if you haven't tried them yet.

Are you measuring the response time of the HTTP auth request?
- Add timing information to your Perl script.

Check the connection limits of your LDAP backends.

Regards
Dominic

From nginx-forum at nginx.us Thu Oct 23 15:43:44 2014
From: nginx-forum at nginx.us (c0nw0nk)
Date: Thu, 23 Oct 2014 11:43:44 -0400
Subject: Nginx Security Hardening and Rules
In-Reply-To:
References:
Message-ID: <995d9a69905fcdb428df9499eaa39cf4.NginxMailingListEnglish@forum.nginx.org>

I use a subdomain for uploads and I am curious if anyone knows the best way
to only allow access to only the upload url and block / deny everything
else.

location / {
    deny all;
}
location ~ \.php$ {
    deny all;
    if ( $args ~ 'option=com_hwdmediashare&task=addmedia.upload([a-zA-Z0-9-_=&])' ) {
        fastcgi_pass web_rack;
    }
}

Is this the best way ?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254125,254224#msg-254224

From nginx-forum at nginx.us Thu Oct 23 17:17:06 2014
From: nginx-forum at nginx.us (itpp2012)
Date: Thu, 23 Oct 2014 13:17:06 -0400
Subject: map within a map
Message-ID:

Can I use multiple maps with a single map ?

For example;

map $ngxvar1 $myvar1 {
    default 0;
    ~*string 1;
}
map $ngxvar2 $myvar2 {
    default 0;
    ~*string 1;
}
map $ngxvar3 $myvar3 {
    default 0;
    ~*string 1;
    $myvar1 1;
    $myvar2 1;
}

This way I would only have one IF $myvar3 ....., but obviously this example
doesn't work, is this possible ?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254226,254226#msg-254226

From igor at sysoev.ru Thu Oct 23 20:59:19 2014
From: igor at sysoev.ru (Igor Sysoev)
Date: Fri, 24 Oct 2014 00:59:19 +0400
Subject: map within a map
In-Reply-To:
References:
Message-ID:

On 23 Oct 2014, at 21:17, itpp2012 wrote:

> Can I use multiple maps with a single map ?
>
> For example;
>
> map $ngxvar1 $myvar1 {
> default 0;
> ~*string 1;
> }
> map $ngxvar2 $myvar2 {
> default 0;
> ~*string 1;
> }
> map $ngxvar3 $myvar3 {
> default 0;
> ~*string 1;
> $myvar1 1;
> $myvar2 1;
> }
>
> This way I would only have one IF $myvar3 ....., but obviously this example
> doesn't work, is this possible ?

You can try other path:

map $ngxvar1 $myvar1 {
    default $myvar2;
    ~*string 1;
}

map $ngxvar2 $myvar2 {
    default 0;
    ~*string 1;
}

-- 
Igor Sysoev
http://nginx.com

From francis at daoine.org Thu Oct 23 21:05:00 2014
From: francis at daoine.org (Francis Daly)
Date: Thu, 23 Oct 2014 22:05:00 +0100
Subject: can a map + regex be used to generate variables for YYYY-MM-DD-HH?
In-Reply-To: <47cd8a3fbec6ac89f1702028874535e5.NginxMailingListEnglish@forum.nginx.org>
References: <47cd8a3fbec6ac89f1702028874535e5.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20141023210500.GM3771@daoine.org>

On Thu, Oct 23, 2014 at 02:00:44AM -0400, newnovice wrote:

Hi there,

> can a map + regex be used to generate variables for YYYY-MM-DD-HH? I can't
> use 'if' in the location i am trying this.

One map sets one variable.

Can you use your "if" outside all locations?

f
-- 
Francis Daly francis at daoine.org

From nginx-forum at nginx.us Thu Oct 23 21:48:09 2014
From: nginx-forum at nginx.us (itpp2012)
Date: Thu, 23 Oct 2014 17:48:09 -0400
Subject: map within a map
In-Reply-To:
References:
Message-ID: <68311ce46c0be92b1aa0effb52327754.NginxMailingListEnglish@forum.nginx.org>

Igor Sysoev Wrote:
-------------------------------------------------------
> You can try other path:
>
> map $ngxvar1 $myvar1 {
> default $myvar2;
> ~*string 1;
> }
>
>
> map $ngxvar2 $myvar2 {
> default 0;
> ~*string 1;
> }

tnx Igor, this works too:

map $ngxvar1 $myvar1 {
    default 0;
    ~*string 1;
}
map $ngxvar2 $myvar2 {
    default 0;
    ~*string 1;
}
map $myvar1$myvar2 $result1 {
    default 0;
    ~1 1;
}
if ($result1) { return 403; }

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254226,254231#msg-254231

From nginx-forum at nginx.us Thu Oct 23 23:17:20 2014
From: nginx-forum at nginx.us (newnovice)
Date: Thu, 23 Oct 2014 19:17:20 -0400
Subject: can a map + regex be used to generate variables for YYYY-MM-DD-HH?
In-Reply-To: <20141023210500.GM3771@daoine.org>
References: <20141023210500.GM3771@daoine.org>
Message-ID: <200c34938d411927cf412648d035ccab.NginxMailingListEnglish@forum.nginx.org>

Where I am going with this is - I want to write error & access - logs out
with the 'YYYY-MM-DD-HH' suffix. So I need these variables.

The 'if' statement is not allowed outside the server{} - I am at a loss due
to this. Please can you show me some examples of how to set these variables
with a map regex?

I can have 4 separate maps to get it done - doesn't matter.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254210,254232#msg-254232

From francis at daoine.org Fri Oct 24 07:21:15 2014
From: francis at daoine.org (Francis Daly)
Date: Fri, 24 Oct 2014 08:21:15 +0100
Subject: can a map + regex be used to generate variables for YYYY-MM-DD-HH?
In-Reply-To: <200c34938d411927cf412648d035ccab.NginxMailingListEnglish@forum.nginx.org>
References: <20141023210500.GM3771@daoine.org>
 <200c34938d411927cf412648d035ccab.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20141024072115.GN3771@daoine.org>

On Thu, Oct 23, 2014 at 07:17:20PM -0400, newnovice wrote:

Hi there,

> Where I am going with this is - I want to write error & access - logs out
> with the 'YYYY-MM-DD-HH' suffix. So i need these variables.

I'm not aware that error_log takes variables.

You may be happier moving the log files to time-named versions and then
signalling nginx to re-open the log files, every hour.

http://nginx.org/en/docs/control.html

> The 'if' statement is not allowed outside the server{} - I am at a loss due
> to this.

if() doesn't work for you inside location{}, and it is not allowed outside
server{}. What happens if you put it inside server{} but outside location{}?

> Please can you show me some examples of how to set these variables
> with a map regex?

Untested, but given that you already have

    if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})") {
        set $year $1;
        set $month $2;
        set $day $3;
    }

then I would expect that something like

    map $time_iso8601 $year {
        "~^(?P<one>\d{4})-(\d{2})-(\d{2})" $one;
    }

would do the right thing.

> I can have 4 separate maps to get it done - doesn't matter.

If you want to use map for this, then you would need multiple ones.

But I suspect that variable-in-log-file-name is not what you want.

Good luck with it,

f
-- 
Francis Daly francis at daoine.org

From nginx-forum at nginx.us Fri Oct 24 16:09:15 2014
From: nginx-forum at nginx.us (teddymills)
Date: Fri, 24 Oct 2014 12:09:15 -0400
Subject: Nginx and TLSv1
Message-ID: <899f4ceb0df834e72639fae33ea70883.NginxMailingListEnglish@forum.nginx.org>

I have about 10 nginx servers, versions 1.0.15 and 0.8.55.

I am patching for the poodle, so:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

is accepted by nginx 1.0.15 but not 0.8.55

I would prefer to use just TLSv1 on 0.8.55 if using just TLSv1 is okay.

Or would upgrading the nginxs be required ?

I don't want to upgrade the older nginx unless absolutely required.

TIA

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254249,254249#msg-254249

From stl at wiredrive.com Fri Oct 24 17:03:51 2014
From: stl at wiredrive.com (Scott Larson)
Date: Fri, 24 Oct 2014 10:03:51 -0700
Subject: Nginx and TLSv1
In-Reply-To: <899f4ceb0df834e72639fae33ea70883.NginxMailingListEnglish@forum.nginx.org>
References: <899f4ceb0df834e72639fae33ea70883.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <216408DC-C274-4285-B647-476BB3A6DE5B@wiredrive.com>

TLS 1.1 and 1.2 require nginx be built against the 1.0.1 branch of
OpenSSL, or the subsequent Libre and Boring forks of it. Odds are high that
if you have servers running the old 0.8.x branch of nginx it is also running
the old 0.9.8 branch of OpenSSL.

As for whether or not it's okay to run purely TLSv1 on the nginx 0.8.55
systems it depends on your willingness to accept the caveats that there are
known and likely unknown horrors lurking in that old version of OpenSSL and
the TLSv1 protocol itself is looking a bit rickety these days. Personally,
if I'm going to run a site requiring SSL, then I'm going to do it right and
not be rolling out potentially compromised libraries/protocols/ciphers.

__________________
Scott Larson
Systems Administrator
Wiredrive/LA
310 823 8238 ext.
1106
310 943 2078 fax
www.wiredrive.com
www.twitter.com/wiredrive
www.facebook.com/wiredrive

> On Oct 24, 2014, at 9:09 AM, teddymills wrote:
>
> I have about 10 nginx servers, versions 1.0.15 and 0.8.55.
>
> I am patching for the poodle, so:
>
> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
>
> is accepted by nginx 1.0.15 but not 0.8.55
>
> I would prefer to use just TLSv1 on 0.8.55 if using just TLSv1 is okay.
>
> Or would upgrading the nginxs be required ?
>
> I don't want to upgrade the older nginx unless absolutely required.
>
> TIA
>
> Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254249,254249#msg-254249
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

From nginx-forum at nginx.us Fri Oct 24 17:44:19 2014
From: nginx-forum at nginx.us (newnovice)
Date: Fri, 24 Oct 2014 13:44:19 -0400
Subject: can a map + regex be used to generate variables for YYYY-MM-DD-HH?
In-Reply-To: <20141024072115.GN3771@daoine.org>
References: <20141024072115.GN3771@daoine.org>
Message-ID:

1. variable in logname is what I want: access_log.YYYY-MM-DD-HH
I have other log munging daemons looking for this date formatted file in
real time (other options I have tried, hard linking files, used named
pipes...)

2. (currently I use this method) 'if' - inside server - outside location -
works.
Only when I get non ssl traffic to 443 port it writes out
access_log.---- instead of the usual: 'access_log.2014-10-24-17'
2.1 is this a bug ?

3. also tried map inside server block - outside location & it's not allowed
there.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254210,254251#msg-254251

From francis at daoine.org Fri Oct 24 18:12:12 2014
From: francis at daoine.org (Francis Daly)
Date: Fri, 24 Oct 2014 19:12:12 +0100
Subject: can a map + regex be used to generate variables for YYYY-MM-DD-HH?
In-Reply-To:
References: <20141024072115.GN3771@daoine.org>
Message-ID: <20141024181212.GP3771@daoine.org>

On Fri, Oct 24, 2014 at 01:44:19PM -0400, newnovice wrote:

Hi there,

> 1. variable in logname is what i want: access_log.YYYY-MM-DD-HH

http://nginx.org/r/access_log

That can work.

> 2. (currently i use this method) 'if' - inside server - outside location -
> works.

http://nginx.org/r/if

That's good.

Note that "if" inside "location" should not be used unless you "return"
or "rewrite...last", unless you know what you are doing. But where you
have it, inside server{}, is fine.

> Only when i get non ssl traffic to 443 port it writes out
> access_log.---- instead of the usual: 'access_log.2014-10-24-17'
> 2.1 is this a bug ?

It looks to me like it might be.

* I would naively have expected error_log output there, not access_log.
* The number of "-" in the file name looks wrong.

> 3. also tried map inside server block - outside location & its not allowed
> there.

http://nginx.org/r/map -- correct, "map" only goes at http level. You
can refer to the variable that it creates, at server level.

f
-- 
Francis Daly francis at daoine.org

From nginx-forum at nginx.us Fri Oct 24 20:06:55 2014
From: nginx-forum at nginx.us (djeyewater)
Date: Fri, 24 Oct 2014 16:06:55 -0400
Subject: Can't locate nginx.pm in @INC
Message-ID:

When I try to start nginx with embedded perl I get the error "Can't locate
nginx.pm in @INC"

@INC includes the folder I specified using --with-perl_modules_path, but
doesn't include the arch-name subfolder (i386-linux-thread-multi), which is
where the nginx.pm module was installed to.

This is my configure:

./configure --prefix=$HOME/apps/$NGINX \
--with-pcre=$HOME/tarballs/$PCRE \
--without-http_autoindex_module \
--without-http_charset_module \
--without-http_empty_gif_module \
--without-http_ssi_module \
--with-http_gzip_static_module \
--with-http_realip_module \
--with-http_geoip_module \
--with-http_ssl_module --with-openssl=../$OPENSSL \
--with-http_perl_module --with-perl_modules_path=perl/lib \
--with-cc-opt="-I$HOME/apps/GeoIP/include" --with-ld-opt="-Wl,-R,$HOME/apps/GeoIP/lib -L$HOME/apps/GeoIP/lib"

This is Nginx 1.7.6, building on CentOS. I have 1.7.3 built on Ubuntu with
embedded perl module and that does look in the correct location for the
module, though I can't remember if I had to change anything to get that
working.

Can anyone tell me what I need to do to get it to look in the arch-name
subfolder for the module?

Thanks

Dave

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254255,254255#msg-254255

From nginx-forum at nginx.us Fri Oct 24 21:14:33 2014
From: nginx-forum at nginx.us (newnovice)
Date: Fri, 24 Oct 2014 17:14:33 -0400
Subject: can a map + regex be used to generate variables for YYYY-MM-DD-HH?
In-Reply-To: <20141024181212.GP3771@daoine.org>
References: <20141024181212.GP3771@daoine.org>
Message-ID:

cool so adding the maps & access_log config at http level solved both
problems, all logs now go to variable named file. there is no file with ---
in the name anymore.

thanks!

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254210,254256#msg-254256

From nginx-forum at nginx.us Sat Oct 25 03:36:57 2014
From: nginx-forum at nginx.us (c0nw0nk)
Date: Fri, 24 Oct 2014 23:36:57 -0400
Subject: Nginx serving Large static files on windows
Message-ID: <72569f9efa538bb8fc855639ad22effc.NginxMailingListEnglish@forum.nginx.org>

directio 2G;

So I allow uploads of 2Gigs and I do streaming and with files being streamed
that are 2gigs in size you can imagine things could have been loading a bit
slow.
Now itpp2012 mentioned to me in another area of the forum "(mapping a drive
is slow, use direct ip access)"

And with my drives mapped still as soon as I change this value parameters
value to be 2G large video files are served super fast.

Can anyone tell me if it is bad that I set this value to be so large ?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254257,254257#msg-254257

From nginx-forum at nginx.us Sat Oct 25 04:15:37 2014
From: nginx-forum at nginx.us (c0nw0nk)
Date: Sat, 25 Oct 2014 00:15:37 -0400
Subject: Nginx serving Large static files on windows
In-Reply-To: <72569f9efa538bb8fc855639ad22effc.NginxMailingListEnglish@forum.nginx.org>
References: <72569f9efa538bb8fc855639ad22effc.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <33cd03c29f317c5297527dd9fae230b8.NginxMailingListEnglish@forum.nginx.org>

It appears to maybe be something else the media file is about 1.5gb and it
will just take about 44 seconds before it starts playing.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254257,254258#msg-254258

From nginx-forum at nginx.us Sat Oct 25 04:54:10 2014
From: nginx-forum at nginx.us (c0nw0nk)
Date: Sat, 25 Oct 2014 00:54:10 -0400
Subject: Nginx serving Large static files on windows
In-Reply-To: <33cd03c29f317c5297527dd9fae230b8.NginxMailingListEnglish@forum.nginx.org>
References: <72569f9efa538bb8fc855639ad22effc.NginxMailingListEnglish@forum.nginx.org>
 <33cd03c29f317c5297527dd9fae230b8.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <788ff53f4ef11ef74b887465f2446771.NginxMailingListEnglish@forum.nginx.org>

I serve a lot of media files from the server they are all quick and fine just
this 1.5GB (7 hour long) mp4 file to be served / loaded seems to take 44
seconds and I also do not use the mp4; module.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254257,254259#msg-254259

From nginx-forum at nginx.us Sat Oct 25 05:13:47 2014
From: nginx-forum at nginx.us (c0nw0nk)
Date: Sat, 25 Oct 2014 01:13:47 -0400
Subject: Nginx serving Large static files on windows
In-Reply-To: <788ff53f4ef11ef74b887465f2446771.NginxMailingListEnglish@forum.nginx.org>
References: <72569f9efa538bb8fc855639ad22effc.NginxMailingListEnglish@forum.nginx.org>
 <33cd03c29f317c5297527dd9fae230b8.NginxMailingListEnglish@forum.nginx.org>
 <788ff53f4ef11ef74b887465f2446771.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

What a strange bug I am totally confused because the way I generate media I
also have a webm file of the same video and the webm you go to the url it
may only be 900mb but it's the same length (7 hours) and it loads instantly.

The mp4 1.5gb 7hour long takes between 43 - 50 seconds before you can start
to play the video.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254257,254260#msg-254260

From nginx-forum at nginx.us Sat Oct 25 05:50:25 2014
From: nginx-forum at nginx.us (c0nw0nk)
Date: Sat, 25 Oct 2014 01:50:25 -0400
Subject: Nginx serving Large static files on windows
In-Reply-To:
References: <72569f9efa538bb8fc855639ad22effc.NginxMailingListEnglish@forum.nginx.org>
 <33cd03c29f317c5297527dd9fae230b8.NginxMailingListEnglish@forum.nginx.org>
 <788ff53f4ef11ef74b887465f2446771.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <113a7003ec6923a0896f6cca8d7d398c.NginxMailingListEnglish@forum.nginx.org>

Sorry to keep posting this all separately but what makes this even stranger
once 44 or so seconds pass and the media starts playing I can skip anywhere
I like in the file and it's fast as soon as I refresh and redownload I have to
wait again.

I don't know why there are other files just as large but not mp4's that
download fast and can stream fast but with large mp4's nginx seems to either
wait or buffer or something first what I don't see how it can be buffering
when I do not use the mp4; module.

Also in my setup it is not I/O usage because I use the following disk cache
controller :
http://www.lsi.com/products/raid-controllers/pages/megaraid-sas-9271-8i.aspx
Caching frequently accessed data to a SSD.

And all hard drives are the following.
http://www.hgst.com/hard-drives/enterprise-hard-drives/enterprise-sas-drives/ultrastar-he6

Everything loads and downloads fast just MP4's larger than 1GB seem to be
slow webm or other media formats seem to be fine.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254257,254261#msg-254261

From nginx-forum at nginx.us Sat Oct 25 06:49:10 2014
From: nginx-forum at nginx.us (itpp2012)
Date: Sat, 25 Oct 2014 02:49:10 -0400
Subject: Nginx serving Large static files on windows
In-Reply-To: <113a7003ec6923a0896f6cca8d7d398c.NginxMailingListEnglish@forum.nginx.org>
References: <72569f9efa538bb8fc855639ad22effc.NginxMailingListEnglish@forum.nginx.org>
 <33cd03c29f317c5297527dd9fae230b8.NginxMailingListEnglish@forum.nginx.org>
 <788ff53f4ef11ef74b887465f2446771.NginxMailingListEnglish@forum.nginx.org>
 <113a7003ec6923a0896f6cca8d7d398c.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <47578ac16d6a3fd6d5037aaedc0a8e6d.NginxMailingListEnglish@forum.nginx.org>

Sounds like a client issue which isn't dealing with partial downloads, had
the same thing with an old vlc and twd/s5, used the latest vlc and it
started playing after 2 seconds (2.8gb).
If a client tells nginx to get it all it will send it all.
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254257,254262#msg-254262 From nginx-forum at nginx.us Sat Oct 25 16:27:28 2014 From: nginx-forum at nginx.us (c0nw0nk) Date: Sat, 25 Oct 2014 12:27:28 -0400 Subject: Nginx serving Large static files on windows In-Reply-To: <47578ac16d6a3fd6d5037aaedc0a8e6d.NginxMailingListEnglish@forum.nginx.org> References: <72569f9efa538bb8fc855639ad22effc.NginxMailingListEnglish@forum.nginx.org> <33cd03c29f317c5297527dd9fae230b8.NginxMailingListEnglish@forum.nginx.org> <788ff53f4ef11ef74b887465f2446771.NginxMailingListEnglish@forum.nginx.org> <113a7003ec6923a0896f6cca8d7d398c.NginxMailingListEnglish@forum.nginx.org> <47578ac16d6a3fd6d5037aaedc0a8e6d.NginxMailingListEnglish@forum.nginx.org> Message-ID: <72efc7bf02e6eb96dc1af872e829b5fd.NginxMailingListEnglish@forum.nginx.org> So its not the server its not nginx and its my firefox and chrome ? Because i tried on chrome too and it takes just as long. Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254257,254265#msg-254265 From nginx-forum at nginx.us Sat Oct 25 17:09:45 2014 From: nginx-forum at nginx.us (c0nw0nk) Date: Sat, 25 Oct 2014 13:09:45 -0400 Subject: Nginx serving Large static files on windows In-Reply-To: <72efc7bf02e6eb96dc1af872e829b5fd.NginxMailingListEnglish@forum.nginx.org> References: <72569f9efa538bb8fc855639ad22effc.NginxMailingListEnglish@forum.nginx.org> <33cd03c29f317c5297527dd9fae230b8.NginxMailingListEnglish@forum.nginx.org> <788ff53f4ef11ef74b887465f2446771.NginxMailingListEnglish@forum.nginx.org> <113a7003ec6923a0896f6cca8d7d398c.NginxMailingListEnglish@forum.nginx.org> <47578ac16d6a3fd6d5037aaedc0a8e6d.NginxMailingListEnglish@forum.nginx.org> <72efc7bf02e6eb96dc1af872e829b5fd.NginxMailingListEnglish@forum.nginx.org> Message-ID: <67c8b75b228231a0e7451bc1a5f4a111.NginxMailingListEnglish@forum.nginx.org> Strange i think you are right i access the same mp4 size and vide length on other sites and they all do the same thing take like upto a 
miniute before they will play but a webm will play instantly. Any idea how i can fix this ? But what makes it strange is it does not happen with YouTube videos that are 10-48 hours long but then i think youtube uses rtmp streams what is proborly why. Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254257,254267#msg-254267 From nginx-forum at nginx.us Sat Oct 25 17:31:53 2014 From: nginx-forum at nginx.us (jsouto) Date: Sat, 25 Oct 2014 13:31:53 -0400 Subject: Nginx Jasig CAS Integration.. In-Reply-To: References: Message-ID: I have the same problem, some information about how to configure SSO with nginx? Posted at Nginx Forum: http://forum.nginx.org/read.php?2,244200,254269#msg-254269 From nginx-forum at nginx.us Sat Oct 25 17:41:10 2014 From: nginx-forum at nginx.us (itpp2012) Date: Sat, 25 Oct 2014 13:41:10 -0400 Subject: Nginx serving Large static files on windows In-Reply-To: <67c8b75b228231a0e7451bc1a5f4a111.NginxMailingListEnglish@forum.nginx.org> References: <72569f9efa538bb8fc855639ad22effc.NginxMailingListEnglish@forum.nginx.org> <33cd03c29f317c5297527dd9fae230b8.NginxMailingListEnglish@forum.nginx.org> <788ff53f4ef11ef74b887465f2446771.NginxMailingListEnglish@forum.nginx.org> <113a7003ec6923a0896f6cca8d7d398c.NginxMailingListEnglish@forum.nginx.org> <47578ac16d6a3fd6d5037aaedc0a8e6d.NginxMailingListEnglish@forum.nginx.org> <72efc7bf02e6eb96dc1af872e829b5fd.NginxMailingListEnglish@forum.nginx.org> <67c8b75b228231a0e7451bc1a5f4a111.NginxMailingListEnglish@forum.nginx.org> Message-ID: I have no idea how it works in detail but I can assume when a server gets a request the server will respond with an answer :) in other words the client has to tell the server how much it wants and the server has to be able to send partial content when configured to do so as by rtmp design (well not actually by design but by rtmp upstream who feeds nginx/rtmp) its a chain and everyone needs to play nice or you will get it all at once. 
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254257,254271#msg-254271 From nginx-forum at nginx.us Sat Oct 25 17:51:11 2014 From: nginx-forum at nginx.us (c0nw0nk) Date: Sat, 25 Oct 2014 13:51:11 -0400 Subject: Nginx serving Large static files on windows In-Reply-To: References: <72569f9efa538bb8fc855639ad22effc.NginxMailingListEnglish@forum.nginx.org> <33cd03c29f317c5297527dd9fae230b8.NginxMailingListEnglish@forum.nginx.org> <788ff53f4ef11ef74b887465f2446771.NginxMailingListEnglish@forum.nginx.org> <113a7003ec6923a0896f6cca8d7d398c.NginxMailingListEnglish@forum.nginx.org> <47578ac16d6a3fd6d5037aaedc0a8e6d.NginxMailingListEnglish@forum.nginx.org> <72efc7bf02e6eb96dc1af872e829b5fd.NginxMailingListEnglish@forum.nginx.org> <67c8b75b228231a0e7451bc1a5f4a111.NginxMailingListEnglish@forum.nginx.org> Message-ID: <7122182296ac44a1ca67ae9f5b2b9dc8.NginxMailingListEnglish@forum.nginx.org> Well I don't get it all at once, I just have to wait like 44 seconds before the first byte or bit of the download so I can play the media while the rest of it downloads. It is such a unique issue. I never noticed it until now because when I watch the same length videos on youtube and places they stream it via rtmp with dash I reckon. But when you deliver just a standard mp4 file for html5 streaming you encounter this problem. I read that even cpu or ram could contribute to this but I find that unlikely.
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254257,254272#msg-254272 From luky-37 at hotmail.com Sat Oct 25 18:32:28 2014 From: luky-37 at hotmail.com (Lukas Tribus) Date: Sat, 25 Oct 2014 20:32:28 +0200 Subject: Nginx serving Large static files on windows In-Reply-To: <7122182296ac44a1ca67ae9f5b2b9dc8.NginxMailingListEnglish@forum.nginx.org> References: <72569f9efa538bb8fc855639ad22effc.NginxMailingListEnglish@forum.nginx.org>, <33cd03c29f317c5297527dd9fae230b8.NginxMailingListEnglish@forum.nginx.org>, <788ff53f4ef11ef74b887465f2446771.NginxMailingListEnglish@forum.nginx.org>, , <113a7003ec6923a0896f6cca8d7d398c.NginxMailingListEnglish@forum.nginx.org>, <47578ac16d6a3fd6d5037aaedc0a8e6d.NginxMailingListEnglish@forum.nginx.org>, <72efc7bf02e6eb96dc1af872e829b5fd.NginxMailingListEnglish@forum.nginx.org>, <67c8b75b228231a0e7451bc1a5f4a111.NginxMailingListEnglish@forum.nginx.org>, , <7122182296ac44a1ca67ae9f5b2b9dc8.NginxMailingListEnglish@forum.nginx.org> Message-ID: It heavily depends on the mp4 file used. moov atom needs to be at the beginning of the file, for example. Get mp4box and read its doc, it will help you prepare the file for streaming. > To: nginx at nginx.org > Subject: Re: Nginx serving Large static files on windows > From: nginx-forum at nginx.us > Date: Sat, 25 Oct 2014 13:51:11 -0400 > > Well i dont get it all at once i just have to wait like 44 seconds before > the first byte or bit of the download so i can play the media while the rest > of it downloads. > > It is such a unique issue. I never noticed it until now because when i watch > the same length videos on youtube and places they stream it via rtmp with > dash i recon. But when you delieve just a standard mp4 file for html5 > streaming you encounter this problem. > > I read that even cpu or ram could contribute to this but i find that > unlikely. 
> > Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254257,254272#msg-254272 > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx -------------- next part -------------- An HTML attachment was scrubbed... URL: From nginx-forum at nginx.us Sat Oct 25 18:37:31 2014 From: nginx-forum at nginx.us (c0nw0nk) Date: Sat, 25 Oct 2014 14:37:31 -0400 Subject: Nginx serving Large static files on windows In-Reply-To: References: Message-ID: <8fccf81b6394998cd9594fdba2076be6.NginxMailingListEnglish@forum.nginx.org> Lukas Tribus Wrote: ------------------------------------------------------- > It heavily depends on the mp4 file used. moov atom needs to be at the > beginning of the file, for example. Get mp4box and read its doc, it > will help you prepare the file for streaming. > > > To: nginx at nginx.org > > Subject: Re: Nginx serving Large static files on windows > > From: nginx-forum at nginx.us > > Date: Sat, 25 Oct 2014 13:51:11 -0400 > > > > Well i dont get it all at once i just have to wait like 44 seconds > before > > the first byte or bit of the download so i can play the media while > the rest > > of it downloads. > > > > It is such a unique issue. I never noticed it until now because when > i watch > > the same length videos on youtube and places they stream it via rtmp > with > > dash i recon. But when you delieve just a standard mp4 file for > html5 > > streaming you encounter this problem. > > > > I read that even cpu or ram could contribute to this but i find that > > unlikely. 
> > > > Posted at Nginx Forum: > http://forum.nginx.org/read.php?2,254257,254272#msg-254272 > > > > _______________________________________________ > > nginx mailing list > > nginx at nginx.org > > http://mailman.nginx.org/mailman/listinfo/nginx > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx Like i said previously i do not use the MP4; module. http://nginx.org/en/docs/http/ngx_http_mp4_module.html And besides that all videos are compiled for HTML5 streaming with the following command line via ffmpeg. -movflags +faststart So all metadata is at the start of the file all other mp4's are fine just very large / very long mp4 files have this problem. webm ogg flv all fine and fast regardless of size. Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254257,254274#msg-254274 From nginx-forum at nginx.us Sat Oct 25 21:28:41 2014 From: nginx-forum at nginx.us (c0nw0nk) Date: Sat, 25 Oct 2014 17:28:41 -0400 Subject: Nginx serving Large static files on windows In-Reply-To: <7122182296ac44a1ca67ae9f5b2b9dc8.NginxMailingListEnglish@forum.nginx.org> References: <72569f9efa538bb8fc855639ad22effc.NginxMailingListEnglish@forum.nginx.org> <33cd03c29f317c5297527dd9fae230b8.NginxMailingListEnglish@forum.nginx.org> <788ff53f4ef11ef74b887465f2446771.NginxMailingListEnglish@forum.nginx.org> <113a7003ec6923a0896f6cca8d7d398c.NginxMailingListEnglish@forum.nginx.org> <47578ac16d6a3fd6d5037aaedc0a8e6d.NginxMailingListEnglish@forum.nginx.org> <72efc7bf02e6eb96dc1af872e829b5fd.NginxMailingListEnglish@forum.nginx.org> <67c8b75b228231a0e7451bc1a5f4a111.NginxMailingListEnglish@forum.nginx.org> <7122182296ac44a1ca67ae9f5b2b9dc8.NginxMailingListEnglish@forum.nginx.org> Message-ID: I just found something cool i am not sure if anyone knows but our browsers will always use the first supplied media file to play from. 
get('mp4')) : ?> get('webm')) : ?> get('ogg')) : ?> get('flv')) : ?> So as you see the first media file to be delivered for the media player to grab is the MP4. If I switch and make the webm the first in line. Now in my browser when I tell the media player to play it plays the webm file first. And it loads instantly as well as the webm is also a smaller file than mp4 and higher quality. Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254257,254275#msg-254275 From nginx-forum at nginx.us Sun Oct 26 01:21:49 2014 From: nginx-forum at nginx.us (NaZz) Date: Sat, 25 Oct 2014 21:21:49 -0400 Subject: upstream sent invalid status "-1 Copy failed" while reading response header from upstream Message-ID: I have a joomla website and when I am trying to update a larger extension I get bad gateway (502) error. I am able to update all small (normal) extensions. I am getting this error in nginx error log: "upstream sent invalid status "-1 Copy failed" while reading response header from upstream" I have checked the php-fpm log and there is nothing there connected to this particular error (I have it enabled in config). All files and folders have www-data owner and proper permissions (I even tried with 777). There are parts of nginx.conf that I tried editing to fix this issue but it didn't work: http { ## # Basic Settings ## fastcgi_read_timeout 5m; fastcgi_buffers 8 16k; fastcgi_buffer_size 32k; client_max_body_size 2M; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 6; types_hash_max_size 2048; ...
CGI settings in sites-enabled conf: # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 # location ~ \.php$ { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini # With php5-cgi alone: #fastcgi_pass 127.0.0.1:9000; # With php5-fpm: fastcgi_pass unix:/var/run/php5-fpm.sock; fastcgi_index index.php; include fastcgi_params; } I have tried searching this problem everywhere and tried many suggested fixes but I am unable to fix this issue. Interesting problem is that I think its connected to the file size which I am trying to update (its around 3MB only still but bigger than all successfully updated extensions). The file (tar.gz gets updated successfully I think but after its being extracted or updated the error jumps) My php.ini max_upload_size is 20M Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254276,254276#msg-254276 From root at xtremenitro.org Sun Oct 26 07:09:52 2014 From: root at xtremenitro.org (NitrouZ) Date: Sun, 26 Oct 2014 14:09:52 +0700 Subject: upstream sent invalid status "-1 Copy failed" while reading response header from upstream In-Reply-To: References: Message-ID: Hi, Have you tried to increase your client_max_body_size to 3MB? Or equivalent with your php.ini configuration. On Sunday, October 26, 2014, NaZz wrote: > I have a joomla website and when I am trying to update a larger extension I > get bad gateway (502) error. > I am able to update all small (normal) extensions. > > I am getting this error in nginx error log: "upstream sent invalid status > "-1 Copy failed" while reading response header from upstream" > > I have checked the php-fpm log and there is nothing there connected to this > particular error(I have it enabled in config). > > All files and folders have www-data owner and proper permissions (I even > tried with 777). 
> > There are parts of nginx.conf that I tried editing to fix this issue but it > didn't work: > > http { > > ## > # Basic Settings > ## > fastcgi_read_timeout 5m; > fastcgi_buffers 8 16k; > fastcgi_buffer_size 32k; > client_max_body_size 2M; > sendfile on; > tcp_nopush on; > tcp_nodelay on; > keepalive_timeout 6; > types_hash_max_size 2048; > > ... > > CGI settings in sites-enabled conf: > > # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 > # > location ~ \.php$ { > try_files $uri =404; > fastcgi_split_path_info ^(.+\.php)(/.+)$; > # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini > > # With php5-cgi alone: > #fastcgi_pass 127.0.0.1:9000; > > # With php5-fpm: > fastcgi_pass unix:/var/run/php5-fpm.sock; > fastcgi_index index.php; > include fastcgi_params; > } > > I have tried searching this problem everywhere and tried many suggested > fixes but I am unable to fix this issue. > > Interesting problem is that I think its connected to the file size which I > am trying to update (its around 3MB only still but bigger than all > successfully updated extensions). The file (tar.gz gets updated > successfully > I think but after its being extracted or updated the error jumps) > > My php.ini max_upload_size is 20M > > Posted at Nginx Forum: > http://forum.nginx.org/read.php?2,254276,254276#msg-254276 > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -- Sent from iDewangga Device -------------- next part -------------- An HTML attachment was scrubbed... URL: From dewanggaba at xtremenitro.org Sun Oct 26 07:10:11 2014 From: dewanggaba at xtremenitro.org (NitrouZ) Date: Sun, 26 Oct 2014 14:10:11 +0700 Subject: upstream sent invalid status "-1 Copy failed" while reading response header from upstream In-Reply-To: References: Message-ID: Hi, Have you tried to increase your client_max_body_size to 3MB? Or at least equivalent with your php.ini configuration. 
On Sunday, October 26, 2014, NaZz > wrote: > I have a joomla website and when I am trying to update a larger extension I > get bad gateway (502) error. > I am able to update all small (normal) extensions. > > I am getting this error in nginx error log: "upstream sent invalid status > "-1 Copy failed" while reading response header from upstream" > > I have checked the php-fpm log and there is nothing there connected to this > particular error(I have it enabled in config). > > All files and folders have www-data owner and proper permissions (I even > tried with 777). > > There are parts of nginx.conf that I tried editing to fix this issue but it > didn't work: > > http { > > ## > # Basic Settings > ## > fastcgi_read_timeout 5m; > fastcgi_buffers 8 16k; > fastcgi_buffer_size 32k; > client_max_body_size 2M; > sendfile on; > tcp_nopush on; > tcp_nodelay on; > keepalive_timeout 6; > types_hash_max_size 2048; > > ... > > CGI settings in sites-enabled conf: > > # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 > # > location ~ \.php$ { > try_files $uri =404; > fastcgi_split_path_info ^(.+\.php)(/.+)$; > # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini > > # With php5-cgi alone: > #fastcgi_pass 127.0.0.1:9000; > > # With php5-fpm: > fastcgi_pass unix:/var/run/php5-fpm.sock; > fastcgi_index index.php; > include fastcgi_params; > } > > I have tried searching this problem everywhere and tried many suggested > fixes but I am unable to fix this issue. > > Interesting problem is that I think its connected to the file size which I > am trying to update (its around 3MB only still but bigger than all > successfully updated extensions). 
The file (tar.gz gets updated > successfully > I think but after its being extracted or updated the error jumps) > > My php.ini max_upload_size is 20M > > Posted at Nginx Forum: > http://forum.nginx.org/read.php?2,254276,254276#msg-254276 > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -- Sent from iDewangga Device -------------- next part -------------- An HTML attachment was scrubbed... URL: From nginx-forum at nginx.us Sun Oct 26 09:17:28 2014 From: nginx-forum at nginx.us (photographer) Date: Sun, 26 Oct 2014 05:17:28 -0400 Subject: How to cache phpsessid? Message-ID: <92a10c2b4abf54c9d1837a64436baaf7.NginxMailingListEnglish@forum.nginx.org> How to cache phpsessid? Please, prompt me how to cache pages with phpsessid? Website set many different cookies. I can manage the page cache by them. However site send phpsessid for all user, even for user who not signed in. I would like cache page even they has phpsessid. Thanks. Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254281,254281#msg-254281 From dewanggaba at xtremenitro.org Sun Oct 26 09:41:28 2014 From: dewanggaba at xtremenitro.org (NitrouZ) Date: Sun, 26 Oct 2014 16:41:28 +0700 Subject: How to cache phpsessid? In-Reply-To: <92a10c2b4abf54c9d1837a64436baaf7.NginxMailingListEnglish@forum.nginx.org> References: <92a10c2b4abf54c9d1837a64436baaf7.NginxMailingListEnglish@forum.nginx.org> Message-ID: Hi, Did you want to centralize your session? Or what? IMHO, nginx didn't have capability to cache the session. CMIIW If you want to centralize your session, store them into database. On Sunday, October 26, 2014, photographer wrote: > How to cache phpsessid? > > Please, prompt me how to cache pages with phpsessid? Website set many > different cookies. I can manage the page cache by them. However site send > phpsessid for all user, even for user who not signed in. > I would like cache page even they has phpsessid. 
> > Thanks. > > Posted at Nginx Forum: > http://forum.nginx.org/read.php?2,254281,254281#msg-254281 > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -- Sent from iDewangga Device From nginx-forum at nginx.us Sun Oct 26 09:51:36 2014 From: nginx-forum at nginx.us (photographer) Date: Sun, 26 Oct 2014 05:51:36 -0400 Subject: How to cache phpsessid? In-Reply-To: <92a10c2b4abf54c9d1837a64436baaf7.NginxMailingListEnglish@forum.nginx.org> References: <92a10c2b4abf54c9d1837a64436baaf7.NginxMailingListEnglish@forum.nginx.org> Message-ID: <3ab2725bd3f273aa73e19ea428c6273a.NginxMailingListEnglish@forum.nginx.org> Thank you for the answer. I.e. Nginx cannot store to cache a page with phpsessid cookie? If it is true, then I need to ping programmers. Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254281,254283#msg-254283 From e1c1bac6253dc54a1e89ddc046585792 at posteo.net Sun Oct 26 10:07:29 2014 From: e1c1bac6253dc54a1e89ddc046585792 at posteo.net (Philipp) Date: Sun, 26 Oct 2014 11:07:29 +0100 Subject: How to cache phpsessid? In-Reply-To: <3ab2725bd3f273aa73e19ea428c6273a.NginxMailingListEnglish@forum.nginx.org> References: <92a10c2b4abf54c9d1837a64436baaf7.NginxMailingListEnglish@forum.nginx.org> <3ab2725bd3f273aa73e19ea428c6273a.NginxMailingListEnglish@forum.nginx.org> Message-ID: On 26.10.2014 10:51, photographer wrote: > Thank you for answer. > I.e. Nginx cannot store to cache a page with phpsessid cookie? What caching means?
If you talk about proxy_cache; you might want to check: http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_key Setting that for something like location /images without $args would cache that path even with a phpsession-id as argument HTH From nginx-forum at nginx.us Sun Oct 26 10:13:01 2014 From: nginx-forum at nginx.us (photographer) Date: Sun, 26 Oct 2014 06:13:01 -0400 Subject: How to cache phpsessid? In-Reply-To: References: Message-ID: <49fa09fa1326cf29757abfb1618396e7.NginxMailingListEnglish@forum.nginx.org> I mean like cookie:PHPSESSID=ove0lb88riehifbbvl58s3gbv0 If this cookie is present all pages is not cached. I know how to do not cache, but I need cache ;) Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254281,254285#msg-254285 From nginx-forum at nginx.us Sun Oct 26 12:09:13 2014 From: nginx-forum at nginx.us (NaZz) Date: Sun, 26 Oct 2014 08:09:13 -0400 Subject: upstream sent invalid status "-1 Copy failed" while reading response header from upstream In-Reply-To: References: Message-ID: Hello, thank you for help. Yes I have already tried that. (tried putting it to client_max_body_size 20M;) My php post_max_size and max_upload_filesize are = 20M (for the sake of fixing this problem) Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254276,254288#msg-254288 From nginx-forum at nginx.us Mon Oct 27 03:04:42 2014 From: nginx-forum at nginx.us (colky) Date: Sun, 26 Oct 2014 23:04:42 -0400 Subject: Request big JS file very slow if enable gzip on Message-ID: <9bbf049197b5dd9f7d0618071942b2cc.NginxMailingListEnglish@forum.nginx.org> Sorry about everyone, i posted in another forum but not got any response, really really hope can got your all help about the issue which already confuse me many days. I installed nginx-1.6.2-1.el6.ngx.x86_64 with yum on CentOS 6.5 system. 
below are my settings: nginx.conf -------------------------------------------------------------------------------------------------------------- http { error_log /var/log/nginx/error.log debug; ............. #added limit_conn_zone $binary_remote_addr zone=addr:10m; gzip on; gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; upstream szsmk_dev { ip_hash; server 172.17.3.22:28080; server 172.17.3.22:28180; } server { listen 172.17.3.22:80 default_server; location /wx/js/ { root /home/developer/jboss/server/citycard_dev/deploy/citycard.war/; } location /wx/css/ { root /home/developer/jboss/server/citycard_dev/deploy/citycard.war/; } location / { limit_conn addr 1000; proxy_pass http://szsmk_dev; } } } -------------------------------------------------------------------------------------------------------------- for others settings all are default. Test page: http://dev.szsmk.com/wx/ticket/index Test browser: Chrome (disabled cache) when i disabled gzip and everything runs well, but if set gzip as on, i got below 3 different results if refresh the page in chrome. 1. very slow to load (80%) Most times the page will need more than 20 ~ 60 seconds to be loaded. I checked and found mostly were blocked by http://dev.szsmk.com/wx/js/libs/jquery-ui-1.10.3.min.js (222KB) and http://dev.szsmk.com/wx/js/libs/angular/angular.min.js (105KB). For all other files which little than 100kb load very fast. error.log: 2014/10/26 20:44:30 [info] 20917#0: *80 client 49.73.183.141 closed keepalive connection 2014/10/26 20:44:30 [info] 20917#0: *83 client 49.73.183.141 closed keepalive connection 2014/10/26 20:44:30 [info] 20917#0: *82 client 49.73.183.141 closed keepalive connection 2014/10/26 20:44:30 [info] 20917#0: *85 client 49.73.183.141 closed keepalive connection 2. 
Response error: (10%) for jquery-ui-1.10.3.min.js or angular.min.js, often got below error when request: in browser shows: "(failed) net::ERR_EMPTY_RESPONSE" in error.log shows: 2014/10/26 20:27:13 [info] 20917#0: *28 client prematurely closed connection (104: Connection reset by peer) while sending response to client, client: 49.73.183.141, server: , request: "GET /wx/js/libs/jquery-ui-1.10.3.min.js HTTP/1.1", host: "dev.szsmk.com", referrer: "http://dev.szsmk.com/wx/ticket/index" 3. load success(10%) Sometimes i will can load the page success within 10 seconds Anybody can tell me how to enable gzip and resolve the issue? Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254292,254292#msg-254292 From dewanggaba at xtremenitro.org Mon Oct 27 03:29:46 2014 From: dewanggaba at xtremenitro.org (Dewangga) Date: Mon, 27 Oct 2014 10:29:46 +0700 Subject: Request big JS file very slow if enable gzip on In-Reply-To: <9bbf049197b5dd9f7d0618071942b2cc.NginxMailingListEnglish@forum.nginx.org> References: <9bbf049197b5dd9f7d0618071942b2cc.NginxMailingListEnglish@forum.nginx.org> Message-ID: <544DBC2A.7090105@xtremenitro.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, Have you tried to put `gzip_comp_level` on level 9? Based on http://nginx.org/en/docs/http/ngx_http_gzip_module.html#gzip_comp_level And tried to put `gzip_proxied any` http://nginx.org/en/docs/http/ngx_http_gzip_module.html#gzip_proxied On 10/27/2014 10:04, colky wrote: > Sorry about everyone, i posted in another forum but not got any > response, really really hope can got your all help about the issue > which already confuse me many days. > > I installed nginx-1.6.2-1.el6.ngx.x86_64 with yum on CentOS 6.5 > system. below are my settings: > > nginx.conf > -------------------------------------------------------------------------------------------------------------- > > http { > error_log /var/log/nginx/error.log debug; > > ............. 
#added limit_conn_zone $binary_remote_addr > zone=addr:10m; gzip on; gzip_types text/plain text/css > application/json application/x-javascript text/xml application/xml > application/xml+rss text/javascript; > > upstream szsmk_dev { ip_hash; server 172.17.3.22:28080; server > 172.17.3.22:28180; } > > > server { listen 172.17.3.22:80 default_server; > > location /wx/js/ { root > /home/developer/jboss/server/citycard_dev/deploy/citycard.war/; } > location /wx/css/ { root > /home/developer/jboss/server/citycard_dev/deploy/citycard.war/; } > > > > location / { limit_conn addr 1000; proxy_pass http://szsmk_dev; } > > } > > } > -------------------------------------------------------------------------------------------------------------- > > for others settings all are default. > > Test page: http://dev.szsmk.com/wx/ticket/index Test browser: > Chrome (disabled cache) > > when i disabled gzip and everything runs well, but if set gzip as > on, i got below 3 different results if refresh the page in chrome. > > 1. very slow to load (80%) Most times the page will need more than > 20 ~ 60 seconds to be loaded. I checked and found mostly were > blocked by http://dev.szsmk.com/wx/js/libs/jquery-ui-1.10.3.min.js > (222KB) and http://dev.szsmk.com/wx/js/libs/angular/angular.min.js > (105KB). For all other files which little than 100kb load very > fast. > > error.log: 2014/10/26 20:44:30 [info] 20917#0: *80 client > 49.73.183.141 closed keepalive connection 2014/10/26 20:44:30 > [info] 20917#0: *83 client 49.73.183.141 closed keepalive > connection 2014/10/26 20:44:30 [info] 20917#0: *82 client > 49.73.183.141 closed keepalive connection 2014/10/26 20:44:30 > [info] 20917#0: *85 client 49.73.183.141 closed keepalive > connection > > 2. 
Response error: (10%) > > for jquery-ui-1.10.3.min.js or angular.min.js, often got below > error when request: > > in browser shows: "(failed) net::ERR_EMPTY_RESPONSE" > > > in error.log shows: 2014/10/26 20:27:13 [info] 20917#0: *28 client > prematurely closed connection (104: Connection reset by peer) while > sending response to client, client: 49.73.183.141, server: , > request: "GET /wx/js/libs/jquery-ui-1.10.3.min.js HTTP/1.1", host: > "dev.szsmk.com", referrer: "http://dev.szsmk.com/wx/ticket/index" > > > 3. load success(10%) Sometimes i will can load the page success > within 10 seconds > > Anybody can tell me how to enable gzip and resolve the issue? > > Posted at Nginx Forum: > http://forum.nginx.org/read.php?2,254292,254292#msg-254292 > > _______________________________________________ nginx mailing list > nginx at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx From vbart at nginx.com Mon Oct 27 03:44:10 2014 From: vbart at nginx.com (Valentin V. Bartenev) Date: Mon, 27 Oct 2014 07:44:10 +0400 Subject: Request big JS file very slow if enable gzip on In-Reply-To: <544DBC2A.7090105@xtremenitro.org> References: <9bbf049197b5dd9f7d0618071942b2cc.NginxMailingListEnglish@forum.nginx.org> <544DBC2A.7090105@xtremenitro.org> Message-ID: <2658091.z7oSOd3eHn@vbart-laptop> On Monday 27 October 2014 10:29:46 Dewangga wrote: > Hi, > > Have you tried to put `gzip_comp_level` on level 9?
Based on > http://nginx.org/en/docs/http/ngx_http_gzip_module.html#gzip_comp_level > This is a very bad advice. The difference in compression ratio between level 1 and level 9 is about ~10%, while the last one is a few times more CPU hungry. wbr, Valentin V. Bartenev From dewanggaba at xtremenitro.org Mon Oct 27 03:52:26 2014 From: dewanggaba at xtremenitro.org (Dewangga) Date: Mon, 27 Oct 2014 10:52:26 +0700 Subject: Request big JS file very slow if enable gzip on In-Reply-To: <2658091.z7oSOd3eHn@vbart-laptop> References: <9bbf049197b5dd9f7d0618071942b2cc.NginxMailingListEnglish@forum.nginx.org> <544DBC2A.7090105@xtremenitro.org> <2658091.z7oSOd3eHn@vbart-laptop> Message-ID: <544DC17A.4020507@xtremenitro.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, Oh sorry, I still use the comp_level to 9. Should I decrease it? If yes, which value? Sorry for thread discussion hijacking :) On 10/27/2014 10:44, Valentin V. Bartenev wrote: > On Monday 27 October 2014 10:29:46 Dewangga wrote: >> Hi, >> >> Have you tried to put `gzip_comp_level` on level 9? Based on >> http://nginx.org/en/docs/http/ngx_http_gzip_module.html#gzip_comp_level >> > >> > This is a very bad advice. The difference in compression ratio > between level 1 and level 9 is about ~10%, while the last one is a > few times more CPU hungry. > > wbr, Valentin V. 
Bartenev > > _______________________________________________ nginx mailing list > nginx at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx From vbart at nginx.com Mon Oct 27 04:02:31 2014 From: vbart at nginx.com (Valentin V. Bartenev) Date: Mon, 27 Oct 2014 08:02:31 +0400 Subject: Request big JS file very slow if enable gzip on In-Reply-To: <544DC17A.4020507@xtremenitro.org> References: <9bbf049197b5dd9f7d0618071942b2cc.NginxMailingListEnglish@forum.nginx.org> <2658091.z7oSOd3eHn@vbart-laptop> <544DC17A.4020507@xtremenitro.org> Message-ID: <1509130.v82AyFaxpa@vbart-laptop> On Monday 27 October 2014 10:52:26 Dewangga wrote: > Hi, > > Oh sorry, I still use the comp_level to 9. Should I decrease it? If > yes, which value? Try to benchmark to find out what is the best for your server. I think the optimal levels for realtime compression is 1-3. wbr, Valentin V. Bartenev From nginx-forum at nginx.us Mon Oct 27 04:06:50 2014 From: nginx-forum at nginx.us (colky) Date: Mon, 27 Oct 2014 00:06:50 -0400 Subject: Request big JS file very slow if enable gzip on In-Reply-To: <544DC17A.4020507@xtremenitro.org> References: <544DC17A.4020507@xtremenitro.org> Message-ID: <35cb015269c68dfa01988929909b9ba4.NginxMailingListEnglish@forum.nginx.org> I always use " gzip_comp_level 4;". and i already tried "gzip_proxied any;" before, the gzip_proxied property is use for jboss response content.
in my settings, js file is handled by Nginx, not jboss: location /wx/js/ { root /home/developer/jboss/server/citycard_dev/deploy/citycard.war/; } What the issue made me headache is sometimes the page load very fast(1 second), sometimes /wx/js/libs/jquery-ui-1.10.3.min.js load pending more than 30 seconds. I'm sure it should be Nginx issue but don't know how to find reason of the issue. In debug log i cannot found any valuable logs. Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254292,254297#msg-254297 From mdounin at mdounin.ru Mon Oct 27 14:03:15 2014 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 27 Oct 2014 18:03:15 +0400 Subject: upstream sent invalid status "-1 Copy failed" while reading response header from upstream In-Reply-To: References: Message-ID: <20141027140315.GF44913@mdounin.ru> Hello! On Sat, Oct 25, 2014 at 09:21:49PM -0400, NaZz wrote: > I have a joomla website and when I am trying to update a larger extension I > get bad gateway (502) error. > I am able to update all small (normal) extensions. > > I am getting this error in nginx error log: "upstream sent invalid status > "-1 Copy failed" while reading response header from upstream" The message suggests your upstream server returned an invalid response, with "-1 Copy failed" in it instead of a valid HTTP status. You have to dig into your upstream server to find out what goes on there. -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Mon Oct 27 15:47:06 2014 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 27 Oct 2014 18:47:06 +0300 Subject: Can't locate nginx.pm in @INC In-Reply-To: References: Message-ID: <20141027154706.GA45418@mdounin.ru> Hello! 
On Fri, Oct 24, 2014 at 04:06:55PM -0400, djeyewater wrote: > When I try to start nginx with embedded perl I get the error "Can't locate > nginx.pm in @INC" > > @INC includes the folder I specified using --with-perl_modules_path, but > doesn't include the arch-name subfolder (i386-linux-thread-multi), which is > where the nginx.pm module was installed to. > > This is my configure: > ./configure --prefix=$HOME/apps/$NGINX \ > --with-pcre=$HOME/tarballs/$PCRE \ > --without-http_autoindex_module \ > --without-http_charset_module \ > --without-http_empty_gif_module \ > --without-http_ssi_module \ > --with-http_gzip_static_module \ > --with-http_realip_module \ > --with-http_geoip_module \ > --with-http_ssl_module --with-openssl=../$OPENSSL \ > --with-http_perl_module --with-perl_modules_path=perl/lib \ > --with-cc-opt="-I$HOME/apps/GeoIP/include" > --with-ld-opt="-Wl,-R,$HOME/apps/GeoIP/lib -L$HOME/apps/GeoIP/lib" > > > This is Nginx 1.7.6, building on CentOS. I have 1.7.3 built on Ubuntu with > embedded perl module and that does look in the correct location for the > module, though I can't remember if I had to change anything to get that > working. > > Can anyone tell me what I need to do to get it to look in the arch-name > subfolder for the module? This looks like RHEL-specific change in Perl behaviour. I doubt RedHat will fix this, but you may try asking them nevertheless. Alternatively, you may try using the perl_modules directive as a workaround, see http://nginx.org/r/perl_modules. -- Maxim Dounin http://nginx.org/ From jrizzo at rizzos.net Mon Oct 27 17:43:33 2014 From: jrizzo at rizzos.net (Joe Rizzo) Date: Mon, 27 Oct 2014 12:43:33 -0500 Subject: intercepting proxy_pass response Message-ID: Hi - I have somewhat of a unique requirement. If the http response from a proxied(proxy_pass) request is 302, I want to clear a cookie and redirect to a specific url. Is is possible to intercept the 302 from the app server and force my own redirect? 
Thanks, Joe From mdounin at mdounin.ru Mon Oct 27 17:59:08 2014 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 27 Oct 2014 20:59:08 +0300 Subject: intercepting proxy_pass response In-Reply-To: References: Message-ID: <20141027175908.GF45418@mdounin.ru> Hello! On Mon, Oct 27, 2014 at 12:43:33PM -0500, Joe Rizzo wrote: > Hi - > I have somewhat of a unique requirement. > > If the http response from a proxied(proxy_pass) request is 302, I want to > clear a cookie and redirect to a specific url. Is is possible to intercept > the 302 from the app server and force my own redirect? Yes, see http://nginx.org/r/proxy_intercept_errors. -- Maxim Dounin http://nginx.org/ From nginx-forum at nginx.us Mon Oct 27 18:42:54 2014 From: nginx-forum at nginx.us (djeyewater) Date: Mon, 27 Oct 2014 14:42:54 -0400 Subject: Can't locate nginx.pm in @INC In-Reply-To: <20141027154706.GA45418@mdounin.ru> References: <20141027154706.GA45418@mdounin.ru> Message-ID: <8e65dbe7a06d62297e91d519216d1fdc.NginxMailingListEnglish@forum.nginx.org> Thanks Maxim, the perl_modules work around works well. Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254255,254324#msg-254324 From nginx-forum at nginx.us Mon Oct 27 20:44:25 2014 From: nginx-forum at nginx.us (NaZz) Date: Mon, 27 Oct 2014 16:44:25 -0400 Subject: upstream sent invalid status "-1 Copy failed" while reading response header from upstream In-Reply-To: <20141027140315.GF44913@mdounin.ru> References: <20141027140315.GF44913@mdounin.ru> Message-ID: Where should I dig exactly? I am using Nginx with PHP-FPM and I have checked the logs but I can't find anything. Where do I dig? I thought this is connected to Nginx configuration?
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254279,254327#msg-254327 From mdounin at mdounin.ru Tue Oct 28 00:19:35 2014 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 28 Oct 2014 03:19:35 +0300 Subject: upstream sent invalid status "-1 Copy failed" while reading response header from upstream In-Reply-To: References: <20141027140315.GF44913@mdounin.ru> Message-ID: <20141028001935.GH45418@mdounin.ru> Hello! On Mon, Oct 27, 2014 at 04:44:25PM -0400, NaZz wrote: > Where should I dig exactly? I am using Nginx with PHP-FPM and I have checked > the logs but I can't find anything. Where do I dig? I thought this is > connected to Nginx configuration?

From nginx point of view, "your upstream server" is _exact_ thing to dig into. Anything more specific is beyond the scope of this list. Most likely, the problem is in the PHP code on the upstream server, as I don't think that PHP itself would return such invalid response for any reason. But see above, it's unrelated to nginx and beyond the scope of this list. -- Maxim Dounin http://nginx.org/ From neutrino8 at gmail.com Tue Oct 28 13:10:46 2014 From: neutrino8 at gmail.com (Grozdan) Date: Tue, 28 Oct 2014 14:10:46 +0100 Subject: Denying illegal host headers blocks bots sometimes Message-ID: Hi, I've set my conf to deny illegal host headers, as per below option. However, I've noticed that bots from Google, Bing, Baidu, etc, when trying to fetch /robots.txt, often get blocked by nginx as it just terminates the connection with 444 response. Sometimes they succeed but more often they get blocked. Yes, I've checked to see if these bots are not impostors but they look legit to me. My nginx version is 1.7.6 and the code I use is below if ($host !~ ^(mydomain.net|www.mydomain.net)$ ) { return 444; } I've also tried with !~* but I get the same outcome. Am I doing something wrong?
-- Yours truly From mdounin at mdounin.ru Tue Oct 28 15:31:51 2014 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 28 Oct 2014 18:31:51 +0300 Subject: nginx-1.7.7 Message-ID: <20141028153151.GR45418@mdounin.ru>

Changes with nginx 1.7.7 28 Oct 2014

*) Change: now nginx takes into account the "Vary" header line in a backend response while caching.
*) Feature: the "proxy_force_ranges", "fastcgi_force_ranges", "scgi_force_ranges", and "uwsgi_force_ranges" directives.
*) Feature: the "proxy_limit_rate", "fastcgi_limit_rate", "scgi_limit_rate", and "uwsgi_limit_rate" directives.
*) Feature: the "Vary" parameter of the "proxy_ignore_headers", "fastcgi_ignore_headers", "scgi_ignore_headers", and "uwsgi_ignore_headers" directives.
*) Bugfix: the last part of a response received from a backend with unbuffered proxy might not be sent to a client if "gzip" or "gunzip" directives were used.
*) Bugfix: in the "proxy_cache_revalidate" directive. Thanks to Piotr Sikora.
*) Bugfix: in error handling. Thanks to Yichun Zhang and Daniil Bondarev.
*) Bugfix: in the "proxy_next_upstream_tries" and "proxy_next_upstream_timeout" directives. Thanks to Feng Gu.
*) Bugfix: nginx/Windows could not be built with MinGW-w64 gcc. Thanks to Kouhei Sutou.

-- Maxim Dounin http://nginx.org/en/donation.html From igal at getrailo.org Tue Oct 28 15:39:04 2014 From: igal at getrailo.org (Igal @ getRailo.org) Date: Tue, 28 Oct 2014 08:39:04 -0700 Subject: Rotating Access Logs with $date_local Message-ID: <544FB898.1050102@getrailo.org> How can I format the $date_local string? I want it to be date only, like 20141028, and then use it in the filename for access log. Is that possible? and if not, why? seems like a simple solution to a problem that many users face and resort to external tools etc. I'm running Windows if that makes a difference.
TIA -- Igal Sapir Railo Core Developer http://getRailo.org/ From mdounin at mdounin.ru Tue Oct 28 15:54:19 2014 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 28 Oct 2014 18:54:19 +0300 Subject: Rotating Access Logs with $date_local In-Reply-To: <544FB898.1050102@getrailo.org> References: <544FB898.1050102@getrailo.org> Message-ID: <20141028155418.GX45418@mdounin.ru> Hello! On Tue, Oct 28, 2014 at 08:39:04AM -0700, Igal @ getRailo.org wrote: > How can I format the $date_local string? I want it to be date only, > like 20141028, and then use it in the filename for access log. > > Is that possible? and if not, why? seems like a simple solution to a > problem that many users face and resort to external tools etc. It is possible - you can use construct appropriate variable, e.g., by using map{} and $time_local. (The $date_local won't work for you as you won't be able to set format without SSI.) On the other hand, it's not recommended as it implies unneeded work on each request. It's better to configure proper log rotation instead, see: http://en.wikipedia.org/wiki/Log_rotation http://nginx.org/en/docs/control.html#logs On UNIX systems there are system tools to rotate logs, like newsyslog or logrotate, and configuring log rotation is as easy as adding a line to appropriate configuration file. There are likely something available for Windows, too. 
-- Maxim Dounin http://nginx.org/ From nginx-forum at nginx.us Tue Oct 28 16:22:11 2014 From: nginx-forum at nginx.us (c0nw0nk) Date: Tue, 28 Oct 2014 12:22:11 -0400 Subject: [ANN] Windows nginx 1.7.7.2 Gryphon In-Reply-To: References: <540e8d6252d119b8f8295ee8a15c37bc.NginxMailingListEnglish@forum.nginx.org> <093fa3bf9390cddd7ab4f24cb6d24631.NginxMailingListEnglish@forum.nginx.org> <25fa4bb2c68e30781938c914e8399343.NginxMailingListEnglish@forum.nginx.org> <46d3b57dbce3a001c7ca00fc026d1d4b.NginxMailingListEnglish@forum.nginx.org> Message-ID: <6fcd24d42427251a799b47928467456d.NginxMailingListEnglish@forum.nginx.org> itpp2012 with the PHP multi run you supply with your builds.

start /min multi_runcgi.cmd 9000
start /min multi_runcgi.cmd 9001
start /min multi_runcgi.cmd 9002
start /min multi_runcgi.cmd 9003
start /min multi_runcgi.cmd 9004
start /min multi_runcgi.cmd 9005
start /min multi_runcgi.cmd 9006
start /min multi_runcgi.cmd 9007
start /min multi_runcgi.cmd 9008
start /min multi_runcgi.cmd 9009
start /min multi_runcgi.cmd 9010
start /min multi_runcgi.cmd 9011
start /min multi_runcgi.cmd 9012
start /min multi_runcgi.cmd 9013
start /min multi_runcgi.cmd 9014
start /min multi_runcgi.cmd 9015
start /min multi_runcgi.cmd 9016
start /min multi_runcgi.cmd 9017
start /min multi_runcgi.cmd 9018
start /min multi_runcgi.cmd 9019
start /min multi_runcgi.cmd 9020

What is the maximum number of php processes we can have ? I even increased the system paging file to allow me to run 500 of them with 32GB of ram. but if I try 1000 I get a lot of memory errors and just a crash basically.
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254012,254370#msg-254370 From igal at getrailo.org Tue Oct 28 16:48:32 2014 From: igal at getrailo.org (Igal @ getRailo.org) Date: Tue, 28 Oct 2014 09:48:32 -0700 Subject: Rotating Access Logs with $date_local In-Reply-To: <20141028155418.GX45418@mdounin.ru> References: <544FB898.1050102@getrailo.org> <20141028155418.GX45418@mdounin.ru> Message-ID: <544FC8E0.8000609@getrailo.org> Hello Maxim, > It is possible - you can use construct appropriate variable, e.g., > by using map{} and $time_local. (The $date_local won't work for > you as you won't be able to set format without SSI.) Thank you for your prompt reply. I do not have much experience with nginx configuration so I have a follow up question. I looked up the docs about map{} at http://nginx.org/en/docs/http/ngx_http_map_module.html and I tried to follow the example. I see that $time_local is (in my local time) "28/Oct/2014:09:30:35 -0700" so I want from that the year, month, and day. as an experimentation, I tried to add the following: map $time_local $date { ~\w{11} 0; } but I get an error that the '{' character is not valid at that position. so I tried instead ~\w\w\w\w\w\w\w\w\w\w\w 0; and then nginx starts up but $date is an empty string. Can you point me in the right direction? and if it's not too complicated make a suggestion regarding the regex that I would need since I must break the $time_local to year, month, and day (or do I need to create 3 map{} variables for that? now that would be inefficient...) > On the other hand, it's not recommended as it implies unneeded > work on each request. With the amount of traffic that I get, and the way that nginx is handling it, these few added microseconds should not be an issue IMO and it would be a much easier solution to implement than an external process that may or may not work properly. Thanks a lot! 
-- Igal Sapir Railo Core Developer http://getRailo.org/ From francis at daoine.org Tue Oct 28 17:12:32 2014 From: francis at daoine.org (Francis Daly) Date: Tue, 28 Oct 2014 17:12:32 +0000 Subject: Rotating Access Logs with $date_local In-Reply-To: <544FC8E0.8000609@getrailo.org> References: <544FB898.1050102@getrailo.org> <20141028155418.GX45418@mdounin.ru> <544FC8E0.8000609@getrailo.org> Message-ID: <20141028171232.GS3771@daoine.org> On Tue, Oct 28, 2014 at 09:48:32AM -0700, Igal @ getRailo.org wrote: Hi there, > > It is possible - you can use construct appropriate variable, e.g., > > by using map{} and $time_local. (The $date_local won't work for > > you as you won't be able to set format without SSI.) > Thank you for your prompt reply. I do not have much experience with > nginx configuration so I have a follow up question. The thread starting at http://forum.nginx.org/read.php?2,254210 is not entirely dissimilar to this one. You may find useful answers there. The most useful is probably "don't do that"; but since you want to do that, you can probably use one "if" or multiple "map"s. f -- Francis Daly francis at daoine.org From igal at getrailo.org Tue Oct 28 17:18:23 2014 From: igal at getrailo.org (Igal @ getRailo.org) Date: Tue, 28 Oct 2014 10:18:23 -0700 Subject: Rotating Access Logs with $date_local In-Reply-To: <20141028171232.GS3771@daoine.org> References: <544FB898.1050102@getrailo.org> <20141028155418.GX45418@mdounin.ru> <544FC8E0.8000609@getrailo.org> <20141028171232.GS3771@daoine.org> Message-ID: <544FCFDF.6070207@getrailo.org> On 10/28/2014 10:12 AM, Francis Daly wrote: > The thread starting at http://forum.nginx.org/read.php?2,254210 is not > entirely dissimilar to this one. You may find useful answers there. > The most useful is probably "don't do that"; but since you want to do > that, you can probably use one "if" or multiple "map"s. f Thank you for your reply. You mentioned multiple maps but why can't it be done with a single one? 
I managed to extract the year via map $time_local $date { ~(?P<year>\d\d\d\d) $year; } so this is much progress, but shouldn't I be able to do something like ~(?P<day>\d\d\d)/(?P<month>\w\w\w)/(?P<year>\d\d\d\d)" $year$month$day; ? unfortunately that throws an error: unknown "year$month" variable Thanks -- Igal Sapir Railo Core Developer http://getRailo.org/ From igal at getrailo.org Tue Oct 28 18:07:02 2014 From: igal at getrailo.org (Igal @ getRailo.org) Date: Tue, 28 Oct 2014 11:07:02 -0700 Subject: Rotating Access Logs with $date_local In-Reply-To: <544FCFDF.6070207@getrailo.org> References: <544FB898.1050102@getrailo.org> <20141028155418.GX45418@mdounin.ru> <544FC8E0.8000609@getrailo.org> <20141028171232.GS3771@daoine.org> <544FCFDF.6070207@getrailo.org> Message-ID: <544FDB46.4070205@getrailo.org> On 10/28/2014 10:18 AM, Igal @ getRailo.org wrote: > You mentioned multiple maps but why can't it be done with a single one? > > I managed to extract the year via > > map $time_local $date { > ~(?P<year>\d\d\d\d) $year; > } > > so this is much progress, but shouldn't I be able to do something like > > ~(?P<day>\d\d\d)/(?P<month>\w\w\w)/(?P<year>\d\d\d\d)" > $year$month$day; > > ? > > unfortunately that throws an error: unknown "year$month" variable I ended up using 4 maps for now.
If you have a better idea (without resorting to external utilities) I'd love to hear it:

## $time_local is in the format: 28/Oct/2014:11:00:04 -0700
map $time_local $date_year {
    ~^\d\d/\w\w\w/(?P<substr>\d\d\d\d) $substr;
}
map $time_local $date_month {
    ~^\d\d/(?P<substr>\w\w\w) $substr;
}
map $time_local $date_day {
    ~^(?P<substr>\d\d) $substr;
}
map $date_month $date_month_numeric {
    Jan 1;
    Feb 2;
    Mar 3;
    Apr 4;
    May 5;
    Jun 6;
    Jul 7;
    Aug 8;
    Sep 9;
    Oct 10;
    Nov 11;
    Dec 12;
    default $date_month;
}
access_log logs/$host-access-$date_year$date_month_numeric$date_day.log standard_log_format;

-- Igal Sapir Railo Core Developer http://getRailo.org/ From nginx-forum at nginx.us Tue Oct 28 18:54:55 2014 From: nginx-forum at nginx.us (itpp2012) Date: Tue, 28 Oct 2014 14:54:55 -0400 Subject: [ANN] Windows nginx 1.7.7.2 Gryphon In-Reply-To: <6fcd24d42427251a799b47928467456d.NginxMailingListEnglish@forum.nginx.org> References: <540e8d6252d119b8f8295ee8a15c37bc.NginxMailingListEnglish@forum.nginx.org> <093fa3bf9390cddd7ab4f24cb6d24631.NginxMailingListEnglish@forum.nginx.org> <25fa4bb2c68e30781938c914e8399343.NginxMailingListEnglish@forum.nginx.org> <46d3b57dbce3a001c7ca00fc026d1d4b.NginxMailingListEnglish@forum.nginx.org> <6fcd24d42427251a799b47928467456d.NginxMailingListEnglish@forum.nginx.org> Message-ID: Whatever your system can handle, but anywhere between 4 and 20 should be ok, using more would only be useful when you make more pools and geoip split them up. ea. divide the world into 20 portions and have a pool of 8 for each.
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254012,254379#msg-254379 From nginx-forum at nginx.us Tue Oct 28 19:06:00 2014 From: nginx-forum at nginx.us (itpp2012) Date: Tue, 28 Oct 2014 15:06:00 -0400 Subject: Rotating Access Logs with $date_local In-Reply-To: <544FDB46.4070205@getrailo.org> References: <544FDB46.4070205@getrailo.org> Message-ID:

rotatelogs.cmd

@echo off
::Parse the time variable into timeStamp
FOR /F "tokens=1-4 delims=/:., " %%J IN ("%time%") DO SET timeStamp=%%J%%K%%L
::Parse the date variable into dateStamp, YYYYMMDD
FOR /F "tokens=2-4 delims=/:.- " %%J IN ("%date%") DO SET dateStamp=%%L%%K%%J
set datename=%dateStamp%
::Parse the name again and get rid of the spaces
FOR /F "tokens=1-4" %%J IN ("%datename%") DO SET datename=%%J%%K%%L
IF "%datename%"=="" set datename=EMPTY
cd /d x:\logs
FOR %%G IN (*.log) DO ren "%%G" "%datename%_%%G"
choice /t:y,5
cd /d c:\nginx
runas /savecred /env /user:nginxserviceuser "nginx -s reopen"
choice /t:y,5
cd /d x:\logs
move /y %datename%_*.* x:\archives\logdata

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254367,254382#msg-254382 From nginx-forum at nginx.us Tue Oct 28 22:06:11 2014 From: nginx-forum at nginx.us (c0nw0nk) Date: Tue, 28 Oct 2014 18:06:11 -0400 Subject: [ANN] Windows nginx 1.7.7.2 Gryphon In-Reply-To: References: <540e8d6252d119b8f8295ee8a15c37bc.NginxMailingListEnglish@forum.nginx.org> <093fa3bf9390cddd7ab4f24cb6d24631.NginxMailingListEnglish@forum.nginx.org> <25fa4bb2c68e30781938c914e8399343.NginxMailingListEnglish@forum.nginx.org> <46d3b57dbce3a001c7ca00fc026d1d4b.NginxMailingListEnglish@forum.nginx.org> <6fcd24d42427251a799b47928467456d.NginxMailingListEnglish@forum.nginx.org> Message-ID: I dont think 8 php process can take that much traffic ?
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254012,254388#msg-254388 From nginx-forum at nginx.us Tue Oct 28 22:26:14 2014 From: nginx-forum at nginx.us (NaZz) Date: Tue, 28 Oct 2014 18:26:14 -0400 Subject: upstream sent invalid status "-1 Copy failed" while reading response header from upstream In-Reply-To: <20141028001935.GH45418@mdounin.ru> References: <20141028001935.GH45418@mdounin.ru> Message-ID: <8f9bdcac43c63512468115882e07ec9a.NginxMailingListEnglish@forum.nginx.org> If its unrelated to nginx why are people suggesting to edit various settings in nginx.conf to fix this particular problem? Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254279,254389#msg-254389 From nginx-forum at nginx.us Tue Oct 28 22:33:33 2014 From: nginx-forum at nginx.us (itpp2012) Date: Tue, 28 Oct 2014 18:33:33 -0400 Subject: [ANN] Windows nginx 1.7.7.2 Gryphon In-Reply-To: References: <540e8d6252d119b8f8295ee8a15c37bc.NginxMailingListEnglish@forum.nginx.org> <093fa3bf9390cddd7ab4f24cb6d24631.NginxMailingListEnglish@forum.nginx.org> <25fa4bb2c68e30781938c914e8399343.NginxMailingListEnglish@forum.nginx.org> <46d3b57dbce3a001c7ca00fc026d1d4b.NginxMailingListEnglish@forum.nginx.org> <6fcd24d42427251a799b47928467456d.NginxMailingListEnglish@forum.nginx.org> Message-ID: <99f3ef8c9c4a7d6dc2b5cf3e150ca55b.NginxMailingListEnglish@forum.nginx.org> c0nw0nk Wrote: ------------------------------------------------------- > I dont think 8 php process can take that much traffic ? Depends on what php has to do which needs to be tuned towards expected traffic, a good cache and pre-coding some php in Lua and deliver that via co-sockets can do wonders. (you can do this now) At the moment we're experimenting loading php dll's into workers space with Lua and handling php non-blocking via co-sockets, its like embedding php into nginx. 
(you can do this when we've figured it all out) Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254012,254390#msg-254390 From nginx-forum at nginx.us Tue Oct 28 22:40:30 2014 From: nginx-forum at nginx.us (itpp2012) Date: Tue, 28 Oct 2014 18:40:30 -0400 Subject: upstream sent invalid status "-1 Copy failed" while reading response header from upstream In-Reply-To: <8f9bdcac43c63512468115882e07ec9a.NginxMailingListEnglish@forum.nginx.org> References: <20141028001935.GH45418@mdounin.ru> <8f9bdcac43c63512468115882e07ec9a.NginxMailingListEnglish@forum.nginx.org> Message-ID: NaZz Wrote: ------------------------------------------------------- > If its unrelated to nginx why are people suggesting to edit various > settings in nginx.conf to fix this particular problem? You can only do so much with config, the real problem here is the upstream (=backend). nginx talks English <> your backend talks Russian Somewhere your backend started talking a Russian dialect nginx don't understand, hence the need to fix your backend. The hint " upstream sent invalid status " should say enough. Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254279,254391#msg-254391 From nginx-forum at nginx.us Wed Oct 29 00:01:33 2014 From: nginx-forum at nginx.us (newnovice) Date: Tue, 28 Oct 2014 20:01:33 -0400 Subject: Trying to Understand Upstream Keepalive In-Reply-To: <20140509020746.GI1849@mdounin.ru> References: <20140509020746.GI1849@mdounin.ru> Message-ID: Maxim, http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive I would like to know what is the keepalive timeout for this connection pool? Is it static? Also i want to understand - if there is a marriage between number of connections nginx gets vs how many it opens to upstream? Thanks! 
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,249924,254393#msg-254393 From nginx-forum at nginx.us Wed Oct 29 01:45:10 2014 From: nginx-forum at nginx.us (colky) Date: Tue, 28 Oct 2014 21:45:10 -0400 Subject: Request big JS file very slow if enable gzip on In-Reply-To: <1509130.v82AyFaxpa@vbart-laptop> References: <1509130.v82AyFaxpa@vbart-laptop> Message-ID: <29b8417e0b43d98b22d27fed6b99b0a9.NginxMailingListEnglish@forum.nginx.org> Does anybody knows how to resolve the issue? Thanks very much if can got your help~ Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254292,254395#msg-254395 From vbart at nginx.com Wed Oct 29 06:08:55 2014 From: vbart at nginx.com (Valentin V. Bartenev) Date: Wed, 29 Oct 2014 09:08:55 +0300 Subject: Request big JS file very slow if enable gzip on In-Reply-To: <29b8417e0b43d98b22d27fed6b99b0a9.NginxMailingListEnglish@forum.nginx.org> References: <1509130.v82AyFaxpa@vbart-laptop> <29b8417e0b43d98b22d27fed6b99b0a9.NginxMailingListEnglish@forum.nginx.org> Message-ID: <3264333.xxO2H2kf4Q@vbart-laptop> On Tuesday 28 October 2014 21:45:10 colky wrote: > Does anybody knows how to resolve the issue? Thanks very much if can got > your help~ > It looks like a network problem. Without additional information and investigation what's happening on the wire, it's really hard to suggest something. wbr, Valentin V. Bartenev From Alexander.Eck at Heidelberg.de Wed Oct 29 12:23:48 2014 From: Alexander.Eck at Heidelberg.de (Alexander.Eck at Heidelberg.de) Date: Wed, 29 Oct 2014 12:23:48 +0000 Subject: Nginx Load Balancing Two Squid Forward Proxyies Message-ID: Hi everyone, I'm trying to get nginx to work as a load balancer for 2 squid forward proxies. I'm running nginx 1.6.2 on a Centos 7 64bit machine. 
Here's my config:

Nginx.conf:

user nginx;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    upstream HD {
        server xxx.xxx.xxx.xxx:8080;
        server xxx.xxx.xxx.xxx:8080 backup;
    }

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;

    keepalive_timeout 65;

    #gzip on;

    include /etc/nginx/conf.d/*.conf;
}

My conf.d/default.conf

server {
    listen 8080;
    server_name localname.localdomain.de;

    #charset koi8-r;
    #access_log /var/log/nginx/log/host.access.log main;

    location / {
        proxy_pass http://HD;
    }
}

I'm using my nginx in the proxy settings of my internet explorer and try to visit e.g. www.google.de . The request gets forwarded to the first of my server (as the second is only backup), but the requested URL get exchanged to " / " . So my question is: Is there a way to pass the requested URL, nginx is receiving, forward to my two squid servers ? I'm new to nginx, but i already googled and used the wiki, but I didnt find anything useful Thanks in advance! Best Regards Alex From nginx-forum at nginx.us Wed Oct 29 13:13:19 2014 From: nginx-forum at nginx.us (krlosgilson) Date: Wed, 29 Oct 2014 09:13:19 -0400 Subject: Nginx on Windows Server 2008 with SSL Message-ID: Hello everyone! I'm new here on the forum, sorry if I wrote something down incorrectly. I am trying to run Nginx on Windows Server 2008 with SSL Certificate but always throws an error in the log file and it will not start the process. I've been reading on some forums, they said I had to configure to run without passphrase.
In all places I researched just found issue related to Linux giving the "openssl" command, but I am using Windows server. Thanks! Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254403,254403#msg-254403 From francis at daoine.org Wed Oct 29 13:42:45 2014 From: francis at daoine.org (Francis Daly) Date: Wed, 29 Oct 2014 13:42:45 +0000 Subject: Nginx Load Balancing Two Squid Forward Proxyies In-Reply-To: References: Message-ID: <20141029134245.GT3771@daoine.org> On Wed, Oct 29, 2014 at 12:23:48PM +0000, Alexander.Eck at Heidelberg.de wrote: Hi there, > I'm trying to get nginx to work as a load balancer for 2 squid forward proxies. I'm running nginx 1.6.2 on a Centos 7 64bit machine. Here's my config: > I'm using my nginx in the proxy settings of my internet explorer and try to visit e.g. www.google.de . nginx is not a http proxy server; and nginx does not speak to http proxy servers. You might be able to find a set of configs which mostly does what you want; but you will probably be much happier if you use a tool which is designed to do what you want, so that you won't be fighting it. Good luck with it, f -- Francis Daly francis at daoine.org From francis at daoine.org Wed Oct 29 13:47:15 2014 From: francis at daoine.org (Francis Daly) Date: Wed, 29 Oct 2014 13:47:15 +0000 Subject: Nginx on Windows Server 2008 with SSL In-Reply-To: References: Message-ID: <20141029134715.GU3771@daoine.org> On Wed, Oct 29, 2014 at 09:13:19AM -0400, krlosgilson wrote: Hi there, > Hello everyone! I'm new here on the forum, sorry if I wrote something down > incorrectly. > > I am trying to run Nginx on Windows Server 2008 with SSL Certificate but > always throws an error in the log file and it will not start the process. If the error in the log file does not make it clear to you how it can be fixed, perhaps it can make it clear to someone else. 
I imagine that if you paste the error message into a search engine, it will probably show someone else (hopefully) solving the same problem. If that doesn't work, sharing the error message on this list might help. Cheers, f -- Francis Daly francis at daoine.org From mdounin at mdounin.ru Wed Oct 29 13:50:59 2014 From: mdounin at mdounin.ru (Maxim Dounin) Date: Wed, 29 Oct 2014 16:50:59 +0300 Subject: Nginx Load Balancing Two Squid Forward Proxyies In-Reply-To: References: Message-ID: <20141029135059.GE45418@mdounin.ru> Hello! On Wed, Oct 29, 2014 at 12:23:48PM +0000, Alexander.Eck at Heidelberg.de wrote: [...] > I'm using my nginx in the proxy settings of my internet explorer > and try to visit e.g. www.google.de . > The request gets forwarded to the first of my server (as the > second is only backup), but the requested URL get exchanged to > " / " . So my question is: > Is there a way to pass the requested URL, nginx is receiving, > forward to my two squid servers ? There is a problem with your setup. You are trying to use nginx as a forward proxy, while nginx isn't a forward proxy, it's a reverse proxy. While it is possible to configure nginx as a forward proxy with some limitations (try google if you really wish to do it), this isn't something supported. -- Maxim Dounin http://nginx.org/ From Alexander.Eck at Heidelberg.de Wed Oct 29 14:26:40 2014 From: Alexander.Eck at Heidelberg.de (Alexander.Eck at Heidelberg.de) Date: Wed, 29 Oct 2014 14:26:40 +0000 Subject: AW: Nginx Load Balancing Two Squid Forward Proxyies In-Reply-To: <20141029135059.GE45418@mdounin.ru> References: <20141029135059.GE45418@mdounin.ru> Message-ID: HI ! Thanks for the reply. Yeah i know nginx is a reverse proxy, but i found some tutorials using it in front of squid as forward proxy...well they didn't really work...
Seems like i have to look for another solution to build a failover forward proxy :S Regards Alex -----Original Message----- From: nginx-bounces at nginx.org [mailto:nginx-bounces at nginx.org] On behalf of Maxim Dounin Sent: Wednesday, 29 October 2014 14:51 To: nginx at nginx.org Subject: Re: Nginx Load Balancing Two Squid Forward Proxyies Hello! On Wed, Oct 29, 2014 at 12:23:48PM +0000, Alexander.Eck at Heidelberg.de wrote: [...] > I'm using my nginx in the proxy settings of my internet explorer and > try to visit e.g. www.google.de . > The request gets forwarded to the first of my server (as the second is > only backup), but the requested URL get exchanged to " / " . So my > question is: > Is there a way to pass the requested URL, nginx is receiving, forward > to my two squid servers ? There is a problem with your setup. You are trying to use nginx as a forward proxy, while nginx isn't a forward proxy, it's a reverse proxy. While it is possible to configure nginx as a forward proxy with some limitations (try google if you really wish to do it), this isn't something supported.
-- Maxim Dounin http://nginx.org/ _______________________________________________ nginx mailing list nginx at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx From nginx-forum at nginx.us Wed Oct 29 15:01:01 2014 From: nginx-forum at nginx.us (c0nw0nk) Date: Wed, 29 Oct 2014 11:01:01 -0400 Subject: [ANN] Windows nginx 1.7.7.2 Gryphon In-Reply-To: <99f3ef8c9c4a7d6dc2b5cf3e150ca55b.NginxMailingListEnglish@forum.nginx.org> References: <540e8d6252d119b8f8295ee8a15c37bc.NginxMailingListEnglish@forum.nginx.org> <093fa3bf9390cddd7ab4f24cb6d24631.NginxMailingListEnglish@forum.nginx.org> <25fa4bb2c68e30781938c914e8399343.NginxMailingListEnglish@forum.nginx.org> <46d3b57dbce3a001c7ca00fc026d1d4b.NginxMailingListEnglish@forum.nginx.org> <6fcd24d42427251a799b47928467456d.NginxMailingListEnglish@forum.nginx.org> <99f3ef8c9c4a7d6dc2b5cf3e150ca55b.NginxMailingListEnglish@forum.nginx.org> Message-ID: <4bcd71b57811d7a30d30105efefdcb27.NginxMailingListEnglish@forum.nginx.org> Thats cool will you be posting that here or on your site looking forward to it :). Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254012,254410#msg-254410 From nginx-forum at nginx.us Wed Oct 29 15:22:49 2014 From: nginx-forum at nginx.us (NaZz) Date: Wed, 29 Oct 2014 11:22:49 -0400 Subject: upstream sent invalid status "-1 Copy failed" while reading response header from upstream In-Reply-To: References: <20141028001935.GH45418@mdounin.ru> <8f9bdcac43c63512468115882e07ec9a.NginxMailingListEnglish@forum.nginx.org> Message-ID: I don't understand this "upstream" "upstream" "upstream backend server". The upstream is served by fastcgi - fpm.sock on my own server. How do I attend this problem? Where do I dig exactly? 
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254279,254412#msg-254412 From nginx-forum at nginx.us Wed Oct 29 15:31:41 2014 From: nginx-forum at nginx.us (krlosgilson) Date: Wed, 29 Oct 2014 11:31:41 -0400 Subject: Nginx on Windows Server 2008 with SSL In-Reply-To: <20141029134715.GU3771@daoine.org> References: <20141029134715.GU3771@daoine.org> Message-ID: <7388fbc98dbd1fcd681a19f76de4dea2.NginxMailingListEnglish@forum.nginx.org> the error in the log file is this:

SSL_CTX_use_PrivateKey_file("c:/nginx/ssl/key.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

Have you tried running the commenting ssl_certificate_key line with a # and the error that appears is this:

no "ssl_certificate_key" is defined for the "ssl" directive in C:\nginx/conf/nginx.conf:121

The conf file is well:

server {
    listen 443;
    ssl on;
    ssl_certificate c:/nginx/ssl/SSL.pem;
    ssl_certificate_key c:/nginx/ssl/key.key;
    server_name localhost;
    access_log c:/nginx/logs/ssl_access.log;
    error_log c:/nginx/logs/ssl_error.log;
    location / {
        root html;
        index index.php;
    }
}

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254403,254413#msg-254413 From luky-37 at hotmail.com Wed Oct 29 15:39:59 2014 From: luky-37 at hotmail.com (Lukas Tribus) Date: Wed, 29 Oct 2014 16:39:59 +0100 Subject: upstream sent invalid status "-1 Copy failed" while reading response header from upstream In-Reply-To: References: <20141028001935.GH45418@mdounin.ru>, <8f9bdcac43c63512468115882e07ec9a.NginxMailingListEnglish@forum.nginx.org>, , Message-ID: > I don't understand this "upstream" "upstream" "upstream backend server". > The upstream is served by fastcgi - fpm.sock on my own server. How do I > attend this problem? > Where do I dig exactly? PHP or its FastCGI/FPM interface.
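For the "upstream sent invalid status" thread above, an added example (not code from the thread or from nginx): a Python check that approximates how a FastCGI front end validates the Status header of a backend response, run over a constructed header block. The function names, the sample bytes and the 200/302 default for a missing Status header are assumptions of this sketch.

```python
"""Check a CGI/FastCGI response header block for an unusable Status line.

Added illustration. It approximates the front-end check (the first three
characters of the Status value must be decimal digits); it is not nginx code.
"""
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: a header block as a PHP backend might emit it when
# application code puts an error string where the status code belongs.
SAMPLE_BAD = (
    b"Status: -1 Copy failed\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>...</html>"
)


class StatusVerdict(NamedTuple):
    ok: bool
    code: Optional[int]
    detail: str


def parse_headers(block: bytes) -> List[Tuple[str, str]]:
    """Return (lower-cased name, value) pairs from the part before the body.

    A line without a colon is returned with an empty name so that the
    caller can report it instead of silently dropping it.
    """
    head = block.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    pairs = []
    for raw in head.split(b"\n"):
        line = raw.decode("latin-1")
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            pairs.append(("", line.strip()))
        else:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_status(block: bytes) -> StatusVerdict:
    """Decide whether the Status header of a backend response is usable."""
    headers = parse_headers(block)

    broken = [value for name, value in headers if name == ""]
    if broken:
        return StatusVerdict(False, None, "malformed header line: %r" % broken[0])

    statuses = [value for name, value in headers if name == "status"]
    if not statuses:
        # Assumed default when the backend sends no Status header:
        # 302 if a Location header is present, otherwise 200.
        has_location = any(name == "location" for name, _ in headers)
        return StatusVerdict(True, 302 if has_location else 200,
                             "no Status header, default applied")

    value = statuses[0]
    prefix = value[:3]
    if len(prefix) == 3 and all(c in "0123456789" for c in prefix):
        return StatusVerdict(True, int(prefix), "valid status: %r" % value)

    # Same wording as the error-log message quoted in the thread.
    return StatusVerdict(False, None, 'invalid status "%s"' % value)


if __name__ == "__main__":
    print(check_status(SAMPLE_BAD))
    print(check_status(b"Status: 404 Not Found\r\n\r\n"))
```

Feeding it the header block captured on the PHP-FPM side shows whether the bad value is already present before nginx reads the response.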
From mdounin at mdounin.ru Wed Oct 29 16:29:47 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 29 Oct 2014 19:29:47 +0300
Subject: Trying to Understand Upstream Keepalive
In-Reply-To:
References: <20140509020746.GI1849@mdounin.ru>
Message-ID: <20141029162947.GH45418@mdounin.ru>

Hello!

On Tue, Oct 28, 2014 at 08:01:33PM -0400, newnovice wrote:

> Maxim,
>
> http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
>
> I would like to know what is the keepalive timeout for this connection pool?
> Is it static?

As of now, there is no timeout on nginx side. Connections are closed either by backends or if there isn't enough room in the cache.

> Also i want to understand - if there is a marriage between number of
> connections nginx gets vs how many it opens to upstream?

This depends on how long it takes to process a request (as well as various other factors). As long as backends are fast enough, one connection to upstream may be enough to handle tens or hundreds of client connections.

--
Maxim Dounin
http://nginx.org/

From nginx-forum at nginx.us Wed Oct 29 17:15:56 2014
From: nginx-forum at nginx.us (newnovice)
Date: Wed, 29 Oct 2014 13:15:56 -0400
Subject: Trying to Understand Upstream Keepalive
In-Reply-To: <20141029162947.GH45418@mdounin.ru>
References: <20141029162947.GH45418@mdounin.ru>
Message-ID:

Maxim Dounin Wrote:
-------------------------------------------------------
> Hello!
>
> On Tue, Oct 28, 2014 at 08:01:33PM -0400, newnovice wrote:
>
> > Maxim,
> >
> >
> http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
> >
> > I would like to know what is the keepalive timeout for this
> connection pool?
> > Is it static?
>
> As of now, there is no timeout on nginx side. Connections are
> closed either by backends or if there isn't enough room in
> the cache.

So how long after a connection to upstream goes from ACTIVE to idle in the connection pool does it get closed?
There is not really much documentation on this upstream keepalive component.

>
> > Also i want to understand - if there is a marriage between number of
> > connections nginx gets vs how many it opens to upstream?
>
> This depends on how long it takes to process a request (as well as
> various other factors). As long as backends are fast enough, one
> connection to upstream may be enough to handle tens or hundreds of
> client connections.

Ok.
What is the difference between 'max_conns' vs http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn to an upstream service ?

>
> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,249924,254418#msg-254418

From nginx-forum at nginx.us Wed Oct 29 17:48:08 2014
From: nginx-forum at nginx.us (NaZz)
Date: Wed, 29 Oct 2014 13:48:08 -0400
Subject: upstream sent invalid status "-1 Copy failed" while reading response header from upstream
In-Reply-To:
References:
Message-ID: <297bcc1c9e9577b84cd470549ed6b25f.NginxMailingListEnglish@forum.nginx.org>

Okay, thank you...Sad story is that everything worked fine until I updated to latest Nginx version, that's why I came here. Oh well

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254279,254420#msg-254420

From mdounin at mdounin.ru Wed Oct 29 17:53:05 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 29 Oct 2014 20:53:05 +0300
Subject: Trying to Understand Upstream Keepalive
In-Reply-To:
References: <20141029162947.GH45418@mdounin.ru>
Message-ID: <20141029175305.GM45418@mdounin.ru>

Hello!

On Wed, Oct 29, 2014 at 01:15:56PM -0400, newnovice wrote:

> Maxim Dounin Wrote:
> -------------------------------------------------------
> > Hello!
> >
> > On Tue, Oct 28, 2014 at 08:01:33PM -0400, newnovice wrote:
> >
> > > Maxim,
> > >
> > >
> > http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
> > >
> > > I would like to know what is the keepalive timeout for this
> > connection pool?
> > > Is it static?
> >
> > As of now, there is no timeout on nginx side. Connections are
> > closed either by backends or if there isn't enough room in
> > the cache.
>
> So how long after a connection to upstream goes from ACTIVE to idle in the
> connection pool does it get closed?
> There is not really much documentation on this upstream keepalive component.

That's unspecified, see above.

> > > Also i want to understand - if there is a marriage between number of
> > > connections nginx gets vs how many it opens to upstream?
> >
> > This depends on how long it takes to process a request (as well as
> > various other factors). As long as backends are fast enough, one
> > connection to upstream may be enough to handle tens or hundreds of
> > client connections.
>
> Ok.
> What is the difference between 'max_conns' vs
> http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn to
> an upstream service ?

The "max_conns" parameter (only available in nginx-plus) limits the number of active connections to an upstream server, while limit_conn limits the number of active connections to a particular location. This difference may be significant, for example, in the following cases:

- there are many upstream servers in a single upstream{} block;

- some responses are returned from cache;

- responses are large enough and clients are slow, so responses are buffered by nginx for a long time.
--
Maxim Dounin
http://nginx.org/

From nginx-forum at nginx.us Wed Oct 29 18:20:28 2014
From: nginx-forum at nginx.us (newnovice)
Date: Wed, 29 Oct 2014 14:20:28 -0400
Subject: Trying to Understand Upstream Keepalive
In-Reply-To: <20141029175305.GM45418@mdounin.ru>
References: <20141029175305.GM45418@mdounin.ru>
Message-ID:

"isn't enough room in the cache."

how big is the upstream keepalive connection-pool cache size?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,249924,254426#msg-254426

From jrizzo at rizzos.net Wed Oct 29 18:35:50 2014
From: jrizzo at rizzos.net (Joe Rizzo)
Date: Wed, 29 Oct 2014 13:35:50 -0500
Subject: GeoIP blocking behind AWS ELB + proxy protocol
Message-ID:

Hi -

I have nginx servers behind an AWS ELB. Because web sockets are leveraged, the ELB is configured as TCP load balancing with the proxy protocol option set. The true IP address of the client is extracted as variable $proxy_protocol_addr.

How would I configure nginx to allow/deny access based on the $proxy_protocol_addr variable? I tried setting $X-Forwarded-For to $proxy_protocol_addr with no luck. Below are snippets from the configuration.

http {
    geoip_proxy 10.0.0.0/8;
    geoip_proxy_recursive off;
    geoip_country /usr/share/GeoIP/GeoIP.dat;

    map $geoip_country_code $allowed_country {
        default no;
        US yes;
        CA yes;
    }
    ...

    server {
        listen 82 proxy_protocol;

        location / {
            set $X-Forwarded-For $proxy_protocol_addr;
            if ($allowed_country = no) {
                return 403;
            }
            ...

Thanks,
Joe

From igal at getrailo.org Wed Oct 29 19:38:18 2014
From: igal at getrailo.org (Igal @ getRailo.org)
Date: Wed, 29 Oct 2014 12:38:18 -0700
Subject: can't disable logging of static resources like images
Message-ID: <5451422A.9040306@getrailo.org>

does the order of access_log directives matter?

I can't disable the logging of static resources.
I have the main config file which contains the access_log directive at line #74
https://gist.github.com/igal-getrailo/6981111#file-1-nginx-railo-conf

and includes a config file for each site like
https://gist.github.com/igal-getrailo/6981111#file-3-nginx-site-site1-conf

I expect line 32 at the included file to disable the access log for these files but they are still logged.

any ideas?

Thanks

--
Igal Sapir
Railo Core Developer
http://getRailo.org/

From mdounin at mdounin.ru Wed Oct 29 20:14:16 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 29 Oct 2014 23:14:16 +0300
Subject: Trying to Understand Upstream Keepalive
In-Reply-To:
References: <20141029175305.GM45418@mdounin.ru>
Message-ID: <20141029201416.GV45418@mdounin.ru>

Hello!

On Wed, Oct 29, 2014 at 02:20:28PM -0400, newnovice wrote:

> "isn't enough room in the cache."
>
> how big is the upstream keepalive connection-pool cache size?

http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive

--
Maxim Dounin
http://nginx.org/

From francis at daoine.org Wed Oct 29 22:52:24 2014
From: francis at daoine.org (Francis Daly)
Date: Wed, 29 Oct 2014 22:52:24 +0000
Subject: Nginx on Windows Server 2008 with SSL
In-Reply-To: <7388fbc98dbd1fcd681a19f76de4dea2.NginxMailingListEnglish@forum.nginx.org>
References: <20141029134715.GU3771@daoine.org>
 <7388fbc98dbd1fcd681a19f76de4dea2.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20141029225224.GV3771@daoine.org>

On Wed, Oct 29, 2014 at 11:31:41AM -0400, krlosgilson wrote:

Hi there,

I do not know the fix, but...

> the error in the log file is this:
>
> SSL_CTX_use_PrivateKey_file("c:/nginx/ssl/key.key") failed (SSL:
> error:0B080074:x509 certificate routines:X509_check_private_key:key values
> mismatch

that message appears on the page at http://nginx.org/en/docs/http/configuring_https_servers.html#chains, which suggests that either your key and your cert files are not a matched pair; or your cert file does not have your cert as the first entry.
Might either of those be the case for you?

	f
--
Francis Daly        francis at daoine.org

From francis at daoine.org Wed Oct 29 23:05:09 2014
From: francis at daoine.org (Francis Daly)
Date: Wed, 29 Oct 2014 23:05:09 +0000
Subject: GeoIP blocking behind AWS ELB + proxy protocol
In-Reply-To:
References:
Message-ID: <20141029230509.GW3771@daoine.org>

On Wed, Oct 29, 2014 at 01:35:50PM -0500, Joe Rizzo wrote:

Hi there,

> I have nginx servers behind an AWS ELB. Because web sockets are
> leveraged, the ELB is configured as TCP load balancing with the proxy
> protocol option set. The true IP address of the client is extracted as
> variable $proxy_protocol_addr.
>
> How would I configure nginx to allow/deny access based on the
> $proxy_protocol_addr variable?

According to http://nginx.org/en/docs/http/ngx_http_geoip_module.html, the module uses the client IP address or something from the X-Forwarded-For header.

I suspect that if you want to use a different variable, the simplest pure-config way would be to reverse proxy to another nginx server{}, including your variable in the X-Forwarded-For header, and do the normal processing (including the deny/allow that you want) there.

	f
--
Francis Daly        francis at daoine.org

From reallfqq-nginx at yahoo.fr Wed Oct 29 23:51:21 2014
From: reallfqq-nginx at yahoo.fr (B.R.)
Date: Thu, 30 Oct 2014 00:51:21 +0100
Subject: can't disable logging of static resources like images
In-Reply-To: <5451422A.9040306@getrailo.org>
References: <5451422A.9040306@getrailo.org>
Message-ID:

IMO your configuration looks like an include maze/mess, so I won't dig too far in it.

From what I saw you define at least 2 servers listening on port 80 with nothing to differentiate them from each other (such as a server_name). I thought that kind of configuration was rejected by nginx, if my memory does not fail me.

I would:
1°) Check your configuration is accepted by nginx and effectively applied (testing it before reload + on reload, check the error log)
2°) 1 request is served by 1 location only. Ensure you are up to speed with location modifier precedence (see location documentation) and that your request is effectively being served by the pointed location

The 'bug' you see comes from either point: Or your configuration is not applied, or your request is being served somewhere else.

To simplify this test procedure, I strongly recommend you to come down to a minimal configuration avoiding useless includes until you can narrow the problem down.
Once that is done, I would then progressively add the includes again. During that process, I would also take the opportunity of cleaning/reorganizing it better. That would help maintenance, and nginx configuration has been thought to allow scalable configuration, so you can for sure do better than that.

Seeing the mess in your configuration, I would not call for a bug in the most widely directive ever used by nginx, but rather call for having created your own doom with such poorly written conf... ;o)

Good luck,
---
*B. R.*

On Wed, Oct 29, 2014 at 8:38 PM, Igal @ getRailo.org wrote:

> does the order of access_log directives matter?
>
> I can't disable the logging of static resources.
>
> I have the main config file which contains the access_log directive at
> line #74
> https://gist.github.com/igal-getrailo/6981111#file-1-nginx-railo-conf
>
> and includes a config file for each site like
> https://gist.github.com/igal-getrailo/6981111#file-3-nginx-site-site1-conf
>
> I expect line 32 at the included file to disable to access log for these
> files but they are still logged.
>
> any ideas?
>
> Thanks
>
> --
> Igal Sapir
> Railo Core Developer
> http://getRailo.org/
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
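An added example (not part of the original thread and not nginx project code) of the approach suggested above in the "GeoIP blocking behind AWS ELB + proxy protocol" thread: a front server{} accepts the PROXY protocol connection and reverse proxies to a second, loopback-only server{} with the client address in X-Forwarded-For, where the GeoIP lookup and the deny are applied. The loopback port 8082, the `$connection_upgrade` map and the `app_backend` upstream with its address are assumptions; 10.0.0.0/8 is taken from the poster's configuration as the ELB's address range.

```nginx
# Added example; port 8082, app_backend and its address are assumptions.
http {
    geoip_country /usr/share/GeoIP/GeoIP.dat;

    # The GeoIP lookup takes the address from X-Forwarded-For only when the
    # request arrives from the loopback hop below; with recursion off and a
    # single-address header, that address is the one set by hop 1.
    geoip_proxy           127.0.0.1;
    geoip_proxy_recursive off;

    # Addresses with no country (private ranges, unknown) fall to "no".
    map $geoip_country_code $allowed_country {
        default no;
        US      yes;
        CA      yes;
    }

    # WebSocket upgrade pass-through, since the setup relies on web sockets.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    upstream app_backend {
        server 127.0.0.1:8080;    # assumed application address
    }

    # Hop 1: terminates the PROXY protocol connection from the ELB.
    server {
        listen 82 proxy_protocol;

        # Here the peer address is the ELB itself. A PROXY protocol header is
        # only as trustworthy as its sender, so refuse any other peer.
        allow 10.0.0.0/8;
        deny  all;

        location / {
            proxy_pass         http://127.0.0.1:8082;
            proxy_http_version 1.1;
            proxy_set_header   Host       $host;
            proxy_set_header   Upgrade    $http_upgrade;
            proxy_set_header   Connection $connection_upgrade;

            # Overwrite, never append: an X-Forwarded-For sent by the client
            # is discarded and cannot influence the country decision.
            proxy_set_header   X-Forwarded-For $proxy_protocol_addr;
        }
    }

    # Hop 2: loopback only, so X-Forwarded-For can only come from hop 1.
    server {
        listen 127.0.0.1:8082;

        location / {
            if ($allowed_country = no) {
                return 403;
            }

            proxy_pass         http://app_backend;
            proxy_http_version 1.1;
            proxy_set_header   Host       $host;
            proxy_set_header   Upgrade    $http_upgrade;
            proxy_set_header   Connection $connection_upgrade;
        }
    }
}
```

Where nginx is built with ngx_http_realip_module, `set_real_ip_from 10.0.0.0/8;` together with `real_ip_header proxy_protocol;` in the listening server replaces the client address in place, and the GeoIP check can then stay in a single server{}.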
URL:

From kworthington at gmail.com Thu Oct 30 11:24:21 2014
From: kworthington at gmail.com (Kevin Worthington)
Date: Thu, 30 Oct 2014 07:24:21 -0400
Subject: nginx-1.7.7
In-Reply-To: <20141028153151.GR45418@mdounin.ru>
References: <20141028153151.GR45418@mdounin.ru>
Message-ID:

Hello Nginx users,

Now available: Nginx 1.7.7 for Windows http://goo.gl/K1TKU8 (32-bit and 64-bit versions)

These versions are to support legacy users who are already using Cygwin based builds of Nginx. Officially supported native Windows binaries are at nginx.org.

Announcements are also available via:
Twitter http://twitter.com/kworthington
Google+ https://plus.google.com/+KevinWorthington/

Thank you,
Kevin
--
Kevin Worthington
kworthington *@* (gmail] [dot} {com)
http://kevinworthington.com/
http://twitter.com/kworthington
https://plus.google.com/+KevinWorthington/

On Tue, Oct 28, 2014 at 11:31 AM, Maxim Dounin wrote:

> Changes with nginx 1.7.7 28 Oct
> 2014
>
> *) Change: now nginx takes into account the "Vary" header line in a
> backend response while caching.
>
> *) Feature: the "proxy_force_ranges", "fastcgi_force_ranges",
> "scgi_force_ranges", and "uwsgi_force_ranges" directives.
>
> *) Feature: the "proxy_limit_rate", "fastcgi_limit_rate",
> "scgi_limit_rate", and "uwsgi_limit_rate" directives.
>
> *) Feature: the "Vary" parameter of the "proxy_ignore_headers",
> "fastcgi_ignore_headers", "scgi_ignore_headers", and
> "uwsgi_ignore_headers" directives.
>
> *) Bugfix: the last part of a response received from a backend with
> unbufferred proxy might not be sent to a client if "gzip" or
> "gunzip"
> directives were used.
>
> *) Bugfix: in the "proxy_cache_revalidate" directive.
> Thanks to Piotr Sikora.
>
> *) Bugfix: in error handling.
> Thanks to Yichun Zhang and Daniil Bondarev.
>
> *) Bugfix: in the "proxy_next_upstream_tries" and
> "proxy_next_upstream_timeout" directives.
> Thanks to Feng Gu.
>
> *) Bugfix: nginx/Windows could not be built with MinGW-w64 gcc.
> Thanks to Kouhei Sutou.
>
>
> --
> Maxim Dounin
> http://nginx.org/en/donation.html
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>

From nginx-forum at nginx.us Thu Oct 30 12:17:41 2014
From: nginx-forum at nginx.us (arulmarans)
Date: Thu, 30 Oct 2014 08:17:41 -0400
Subject: Nginx keep crashes when it is used in uwsgi
Message-ID: <4e12437c7c73d8fd60e3a0be83daf692.NginxMailingListEnglish@forum.nginx.org>

In my setup, i have nginx proxy in different machine, nginx server and uwsgi service. Once Nginx server receives the request from the proxy, it invokes the uwsgi call to using uwsgi socket, uwsgi module replies the request, after receiving the response from the uwsgi service nginx server forwards the response to the proxy, after transaction completes, nginx trying to close the socket connection and it crashes...

Nginx is not generating the backtrace, it is getting killed and worker threads are getting suspended... would you kindly help me out how to proceed further to debug the issue or fix the crash...

thanks
amaran

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254446,254446#msg-254446

From mdounin at mdounin.ru Thu Oct 30 13:15:24 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Thu, 30 Oct 2014 16:15:24 +0300
Subject: Nginx keep crashes when it is used in uwsgi
In-Reply-To: <4e12437c7c73d8fd60e3a0be83daf692.NginxMailingListEnglish@forum.nginx.org>
References: <4e12437c7c73d8fd60e3a0be83daf692.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20141030131524.GX45418@mdounin.ru>

Hello!

On Thu, Oct 30, 2014 at 08:17:41AM -0400, arulmarans wrote:

> In my setup, i have nginx proxy in different machine, nginx server and uwsgi
> service.
Once Nginx server receives the request from the proxy, it invokes
> the uwsgi call to using uwsgi socket, uwsgi module replies the request,
> after receiving the response from the uwsgi service nginx server forwards
> the response to the proxy, after transaction completes, nginx trying to
> close the socket connection and it crashes...
>
> Nginx is not generating the backtrace, it is getting killed and worker
> threads are getting suspended... would you kindly help me out how to proceed
> further to debug the issue or fix the crash...

Some debugging hints can be found here:

http://wiki.nginx.org/Debugging

--
Maxim Dounin
http://nginx.org/

From igal at getrailo.org Thu Oct 30 13:56:27 2014
From: igal at getrailo.org (Igal @ getRailo.org)
Date: Thu, 30 Oct 2014 06:56:27 -0700
Subject: How to disable access_log to images but log 404s
Message-ID: <5452438B.8040907@getrailo.org>

hi,

I am suppressing the access_log for images and other files in the /res/ directory:

location ^~ /res/ {
    error_page 404 /res/images/100candles-logo-square.png;
    expires 14d;
    access_log off;
}

but I would like to log the 404s in the access_log

how can I do that?

TIA

From wandenberg at gmail.com Thu Oct 30 14:31:00 2014
From: wandenberg at gmail.com (Wandenberg Peixoto)
Date: Thu, 30 Oct 2014 12:31:00 -0200
Subject: How to disable access_log to images but log 404s
In-Reply-To: <5452438B.8040907@getrailo.org>
References: <5452438B.8040907@getrailo.org>
Message-ID:

Try to set log_not_found to off

On Thu, Oct 30, 2014 at 11:56 AM, Igal @ getRailo.org wrote:

> hi,
>
> I am suppressing the access_log for images and other files in the /res/
> directory:
>
> location ^~ /res/ {
>
> error_page 404 /res/images/100candles-logo-square.png;
> expires 14d;
> access_log off;
> }
>
> but I would like to log the 404s in the access_log
>
> how can I do that?
>
> TIA
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>

From nginx-forum at nginx.us Thu Oct 30 14:41:36 2014
From: nginx-forum at nginx.us (arulmarans)
Date: Thu, 30 Oct 2014 10:41:36 -0400
Subject: Nginx keep crashes when it is used in uwsgi
In-Reply-To: <4e12437c7c73d8fd60e3a0be83daf692.NginxMailingListEnglish@forum.nginx.org>
References: <4e12437c7c73d8fd60e3a0be83daf692.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <3bbeef442da9e87872d99f652b1432c5.NginxMailingListEnglish@forum.nginx.org>

I have already gone through that link, still gdb was not catching core dump...

Log snippet:

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254446,254454#msg-254454

From nginx-forum at nginx.us Thu Oct 30 14:48:32 2014
From: nginx-forum at nginx.us (mevans336)
Date: Thu, 30 Oct 2014 10:48:32 -0400
Subject: CentOS 6.6, SELinux breaks Nginx 1.6.0
Message-ID: <2ea494b3d313fe2c04852ac996b09379.NginxMailingListEnglish@forum.nginx.org>

We have been successfully running Nginx installed from the official Nginx CentOS repositories for ages. Last night I upgraded two of my Nginx 1.6.0 servers from CentOS 6.5 to CentOS 6.6 and SELinux immediately broke just about everything with Nginx. At first it wouldn't let it read the SSL certs, then it wouldn't allow it to read the proxy upstream server.
The only way I can get it working is to disable SELinux via setenforce 0, which is a no-no because these servers are internet facing.

I have a lengthy post in the CentOS forums which you can see here: https://www.centos.org/forums/viewtopic.php?f=13&t=49280

I will try and summarize some of the errors:

----
[root at host ssl]# service nginx restart
nginx: [emerg] BIO_new_file("/srv/ssl/cert-rekey/cert-rekey.crt") failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/srv/ssl/cert-rekey/cert-rekey.crt','r') error:2006D002:BIO routines:BIO_new_file:system lib)
----

I was able to work around this by copying the files into /etc/nginx/ssl. Attempting to use a restorecon on /srv/ssl didn't resolve the issue.

After making the change above, Nginx will successfully start, but then receives the following error when trying to proxy to my upstream server:

----
2014/10/29 20:35:27 [crit] 4407#0: *1 connect() to 10.0.3.15:8080 failed (13: Permission denied) while connecting to upstream, client: 10.0.6.102, server: dev.upstream, request: "GET /home HTTP/1.1", upstream: "http://10.0.3.15:8080/home", host: "dev.upstream.com"
----

In the latter case, disabling SELinux via setenforce 0 immediately resolves the issue, without restarting the Nginx daemon.

Another user in my CentOS thread is reporting the same behavior and I am seeing it on two independent Nginx servers as well.

I attempted to uninstall and re-install the Nginx package via the Nginx yum repository (hoping it would restore the SELinux context) but that produced the same result.

Here is the output of ls -lrtZ /etc/nginx:

-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 win-utf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 uwsgi_params
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 scgi_params
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 mime.types
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 koi-win
-rw-r--r--.
root root system_u:object_r:httpd_config_t:s0 koi-utf -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 fastcgi_params -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 nginx.conf.rpmsave drw-------. root root unconfined_u:object_r:httpd_config_t:s0 ssl drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d -rw-r--r--. root root unconfined_u:object_r:httpd_config_t:s0 nginx.conf Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254456,254456#msg-254456 From nginx-forum at nginx.us Thu Oct 30 14:54:38 2014 From: nginx-forum at nginx.us (arulmarans) Date: Thu, 30 Oct 2014 10:54:38 -0400 Subject: Nginx keep crashes when it is used in uwsgi In-Reply-To: <20141030131524.GX45418@mdounin.ru> References: <20141030131524.GX45418@mdounin.ru> Message-ID: Hi Maxim Dounin, I have gone through those steps, still i was not able to catch the backtrace in the gdb. log snippet: 014/10/30 13:54:07 [debug] 16259#0: *2 posix_memalign: 00000000025B6980:4096 @16 2014/10/30 13:54:07 [debug] 16259#0: *2 add cleanup: 00000000025BF6A0 2014/10/30 13:54:07 [debug] 16259#0: *2 http static fd: 11 2014/10/30 13:54:07 [debug] 16259#0: *2 http set discard body 2014/10/30 13:54:07 [debug] 16259#0: *2 HTTP/1.1 200 OK^M Server: nginx/1.7.6^M Date: Thu, 30 Oct 2014 08:24:07 GMT^M Content-Type: text/html^M Content-Length: 1249^M Last-Modified: Thu, 28 Aug 2014 12:20:24 GMT^M Connection: keep-alive^M ETag: "53ff1e88-4e1"^M Access-Control-Allow-Origin: *^M Access-Control-Allow-Methods: GET, OPTIONS, POST^M Access-Control-Allow-Headers: origin, authorization, accept^M Accept-Ranges: bytes^M 2014/10/30 13:54:07 [debug] 16259#0: *2 write new buf t:1 f:0 00000000025B6B50, pos 00000000025B6B50, size: 381 file: 0, size: 0 2014/10/30 13:54:07 [debug] 16259#0: *2 http write filter: l:0 f:0 s:381 2014/10/30 13:54:07 [debug] 16259#0: *2 http output filter "/grafana_prod.html?" 2014/10/30 13:54:07 [debug] 16259#0: *2 http copy filter: "/grafana_prod.html?" 
2014/10/30 13:54:07 [debug] 16259#0: *2 http postpone filter "/grafana_prod.html?" 00007FFFD64F0CB0 2014/10/30 13:54:07 [debug] 16259#0: *2 write old buf t:1 f:0 00000000025B6B50, pos 00000000025B6B50, size: 381 file: 0, size: 0 2014/10/30 13:54:07 [debug] 16259#0: *2 write new buf t:0 f:1 0000000000000000, pos 0000000000000000, size: 0 file: 0, size: 1249 2014/10/30 13:54:07 [debug] 16259#0: *2 http write filter: l:1 f:0 s:1630 2014/10/30 13:54:07 [debug] 16259#0: *2 http write filter limit 0 2014/10/30 13:54:07 [debug] 16259#0: *2 writev: 381 2014/10/30 13:54:07 [debug] 16259#0: *2 sendfile: @0 1249 2014/10/30 13:54:07 [debug] 16259#0: *2 sendfile: 1249, @0 1249:1249 2014/10/30 13:54:07 [debug] 16259#0: *2 http write filter 0000000000000000 2014/10/30 13:54:07 [debug] 16259#0: *2 http copy filter: 0 "/grafana_prod.html?" 2014/10/30 13:54:07 [debug] 16259#0: *2 set http keepalive handler 2014/10/30 13:54:07 [debug] 16259#0: *2 http close request 2014/10/30 13:54:07 [debug] 16259#0: *2 http log handler 2014/10/30 13:54:07 [debug] 16259#0: *2 run cleanup: 00000000025BF6A0 2014/10/30 13:54:07 [debug] 16259#0: *2 file cleanup: fd:11 2014/10/30 13:54:07 [debug] 16259#0: *2 free: 00000000025BE6C0, unused: 8 2014/10/30 13:54:07 [debug] 16259#0: *2 free: 00000000025B6980, unused: 2899 2014/10/30 13:54:07 [debug] 16259#0: *2 free: 00000000025C8610 2014/10/30 13:54:07 [debug] 16259#0: *2 hc free: 0000000000000000 0 2014/10/30 13:54:07 [debug] 16259#0: *2 hc busy: 0000000000000000 0 2014/10/30 13:54:07 [debug] 16259#0: *2 tcp_nodelay 2014/10/30 13:54:07 [debug] 16259#0: *2 reusable connection: 1 2014/10/30 13:54:07 [debug] 16259#0: *2 event timer add: 10: 75000:1414657522682 2014/10/30 13:54:07 [debug] 16259#0: *2 post event 00000000025DB560 2014/10/30 13:54:07 [debug] 16259#0: timer delta: 1 2014/10/30 13:54:07 [debug] 16259#0: posted event 00000000025DB560 2014/10/30 13:54:07 [debug] 16259#0: *2 delete posted event 00000000025DB560 2014/10/30 13:54:07 [debug] 16259#0: *2 
http keepalive handler 2014/10/30 13:54:07 [debug] 16259#0: *2 malloc: 00000000025C8610:1024 2014/10/30 13:54:07 [debug] 16259#0: *2 recv: fd:10 -1 of 1024 2014/10/30 13:54:07 [debug] 16259#0: *2 recv() not ready (11: Resource temporarily unavailable) 2014/10/30 13:54:07 [debug] 16259#0: *2 free: 00000000025C8610 2014/10/30 13:54:07 [debug] 16259#0: worker cycle 2014/10/30 13:54:07 [debug] 16259#0: epoll timer: 74999 2014/10/30 13:54:07 [debug] 16259#0: epoll: fd:3 ev:2001 d:00007F1E6E9F1280 2014/10/30 13:54:07 [debug] 16259#0: *1 http keepalive handler 2014/10/30 13:54:07 [debug] 16259#0: *1 malloc: 00000000025C8610:1024 2014/10/30 13:54:07 [debug] 16259#0: *1 recv: fd:3 0 of 1024 2014/10/30 13:54:07 [info] 16259#0: *1 client 172.27.5.166 closed keepalive connection 2014/10/30 13:54:07 [debug] 16259#0: *1 close http connection: 3 2014/10/30 13:54:07 [debug] 16259#0: *1 event timer del: 3: 1414657522681 2014/10/30 13:54:07 [debug] 16259#0: *1 reusable connection: 0 2014/10/30 13:54:07 [debug] 16259#0: *1 free: 00000000025C8610 2014/10/30 13:54:07 [debug] 16259#0: *1 free: 00000000025B23D0, unused: 0 2014/10/30 13:54:07 [debug] 16259#0: *1 free: 00000000025B2530, unused: 120 2014/10/30 13:54:07 [debug] 16259#0: timer delta: 2 2014/10/30 13:54:07 [debug] 16259#0: worker cycle 2014/10/30 13:54:07 [debug] 16259#0: *1 malloc: 00000000025C8610:1024 2014/10/30 13:54:07 [debug] 16259#0: *1 recv: fd:3 0 of 1024 2014/10/30 13:54:07 [info] 16259#0: *1 client 172.27.5.166 closed keepalive connection 2014/10/30 13:54:07 [debug] 16259#0: *1 close http connection: 3 2014/10/30 13:54:07 [debug] 16259#0: *1 event timer del: 3: 1414657522681 2014/10/30 13:54:07 [debug] 16259#0: *1 reusable connection: 0 2014/10/30 13:54:07 [debug] 16259#0: *1 free: 00000000025C8610 2014/10/30 13:54:07 [debug] 16259#0: *1 free: 00000000025B23D0, unused: 0 2014/10/30 13:54:07 [debug] 16259#0: *1 free: 00000000025B2530, unused: 120 2014/10/30 13:54:07 [debug] 16259#0: timer delta: 2 2014/10/30 13:54:07 
[debug] 16259#0: worker cycle 2014/10/30 13:54:07 [debug] 16259#0: epoll timer: 74998 2014/10/30 13:54:07 [debug] 16259#0: epoll: fd:10 ev:2001 d:00007F1E6E9F1350 2014/10/30 13:54:07 [debug] 16259#0: *2 http keepalive handler 2014/10/30 13:54:07 [debug] 16259#0: *2 malloc: 00000000025C8610:1024 2014/10/30 13:54:07 [debug] 16259#0: *2 recv: fd:10 0 of 1024 2014/10/30 13:54:07 [info] 16259#0: *2 client 172.27.5.166 closed keepalive connection 2014/10/30 13:54:07 [debug] 16259#0: *2 close http connection: 10 2014/10/30 13:54:07 [debug] 16259#0: *2 event timer del: 10: 1414657522682 2014/10/30 13:54:07 [debug] 16259#0: *2 reusable connection: 0 2014/10/30 13:54:07 [debug] 16259#0: *2 free: 00000000025C8610 2014/10/30 13:54:07 [debug] 16259#0: *2 free: 00000000025B2640, unused: 0 2014/10/30 13:54:07 [debug] 16259#0: *2 free: 00000000025C8500, unused: 120 2014/10/30 13:54:07 [debug] 16259#0: timer delta: 1 2014/10/30 13:54:07 [debug] 16259#0: worker cycle 2014/10/30 13:54:07 [debug] 16259#0: epoll timer: -1 2014/10/30 13:54:17 [debug] 16392#0: bind() 0.0.0.0:80 #6 2014/10/30 13:54:17 [debug] 16392#0: bind() 0.0.0.0:8090 #7 2014/10/30 13:54:17 [notice] 16392#0: using the "epoll" event method 2014/10/30 13:54:17 [debug] 16392#0: counter: 00007F9DCDF92080, 1 2014/10/30 13:54:17 [notice] 16392#0: nginx/1.7.6 2014/10/30 13:54:17 [notice] 16392#0: OS: Linux 2.6.32-358.18.1.el6.x86_64 2014/10/30 13:54:17 [notice] 16392#0: getrlimit(RLIMIT_NOFILE): 8192:8192 2014/10/30 13:54:17 [debug] 16393#0: write: 8, 00007FFF049D4300, 6, 0 ===>Restarted (I have monitor proceess whenever it crashes it will be restarted) 2014/10/30 13:54:17 [debug] 16393#0: setproctitle: "nginx: master process /idap/activeRelease/nginx/sbin/nginx -c /idap/activeRelease/conf/nginx/idap_gp_nginx.conf" 2014/10/30 13:54:17 [notice] 16393#0: start worker processes 2014/10/30 13:54:17 [debug] 16393#0: channel 3:8 2014/10/30 13:54:17 [notice] 16393#0: start worker process 16394 2014/10/30 13:54:17 [debug] 16393#0: 
sigsuspend
2014/10/30 13:54:17 [debug] 16394#0: malloc: 0000000000D03EB0:6144
2014/10/30 13:54:17 [debug] 16394#0: malloc: 00007F9DCDD3E010:212992
2014/10/30 13:54:17 [debug] 16394#0: malloc: 0000000000D223C0:106496
2014/10/30 13:54:17 [debug] 16394#0: malloc: 0000000000D3C3D0:106496
2014/10/30 13:54:17 [debug] 16394#0: epoll add event: fd:6 op:1 ev:00002001
2014/10/30 13:54:17 [debug] 16394#0: epoll add event: fd:7 op:1 ev:00002001
2014/10/30 13:54:17 [debug] 16394#0: epoll add event: fd:8 op:1 ev:00002001
2014/10/30 13:54:17 [debug] 16394#0: setproctitle: "nginx: worker process"
2014/10/30 13:54:17 [debug] 16394#0: worker cycle

Thanks
amaran

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254446,254452#msg-254452

From mdounin at mdounin.ru Thu Oct 30 15:39:09 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Thu, 30 Oct 2014 18:39:09 +0300
Subject: Nginx keep crashes when it is used in uwsgi
In-Reply-To:
References: <20141030131524.GX45418@mdounin.ru>
Message-ID: <20141030153909.GA45418@mdounin.ru>

Hello!

On Thu, Oct 30, 2014 at 10:54:38AM -0400, arulmarans wrote:

> Hi Maxim Dounin,
>
> I have gone through those steps, still i was not able to catch the backtrace
> in the gdb.

You may start with providing "nginx -V" output, as recommended at
http://wiki.nginx.org/Debugging#Asking_for_help.

[...]

> 2014/10/30 13:54:07 [debug] 16259#0: worker cycle
> 2014/10/30 13:54:07 [debug] 16259#0: epoll timer: 74998
> 2014/10/30 13:54:07 [debug] 16259#0: epoll: fd:10 ev:2001 d:00007F1E6E9F1350
> 2014/10/30 13:54:07 [debug] 16259#0: *2 http keepalive handler
> 2014/10/30 13:54:07 [debug] 16259#0: *2 malloc: 00000000025C8610:1024
> 2014/10/30 13:54:07 [debug] 16259#0: *2 recv: fd:10 0 of 1024
> 2014/10/30 13:54:07 [info] 16259#0: *2 client 172.27.5.166 closed keepalive connection
> 2014/10/30 13:54:07 [debug] 16259#0: *2 close http connection: 10
> 2014/10/30 13:54:07 [debug] 16259#0: *2 event timer del: 10: 1414657522682
> 2014/10/30 13:54:07 [debug] 16259#0: *2 reusable connection: 0
> 2014/10/30 13:54:07 [debug] 16259#0: *2 free: 00000000025C8610
> 2014/10/30 13:54:07 [debug] 16259#0: *2 free: 00000000025B2640, unused: 0
> 2014/10/30 13:54:07 [debug] 16259#0: *2 free: 00000000025C8500, unused: 120
> 2014/10/30 13:54:07 [debug] 16259#0: timer delta: 1
> 2014/10/30 13:54:07 [debug] 16259#0: worker cycle
> 2014/10/30 13:54:07 [debug] 16259#0: epoll timer: -1

... here nginx finishes processing of a connection, and goes to
the kernel, waiting for more connections...

> 2014/10/30 13:54:17 [debug] 16392#0: bind() 0.0.0.0:80 #6
> 2014/10/30 13:54:17 [debug] 16392#0: bind() 0.0.0.0:8090 #7
> 2014/10/30 13:54:17 [notice] 16392#0: using the "epoll" event method
> 2014/10/30 13:54:17 [debug] 16392#0: counter: 00007F9DCDF92080, 1
> 2014/10/30 13:54:17 [notice] 16392#0: nginx/1.7.6
> 2014/10/30 13:54:17 [notice] 16392#0: OS: Linux 2.6.32-358.18.1.el6.x86_64
> 2014/10/30 13:54:17 [notice] 16392#0: getrlimit(RLIMIT_NOFILE): 8192:8192
> 2014/10/30 13:54:17 [debug] 16393#0: write: 8, 00007FFF049D4300, 6, 0
> ===>Restarted (I have monitor process whenever it crashes it will be
> restarted)

... and then it's magically restarted, including master process
which does mostly nothing but monitors worker process - in
particular, to restart them if needed.

From the log I suspect that it's your monitor process which does
the wrong thing. You may want to try switching it off.

--
Maxim Dounin
http://nginx.org/

From nginx-forum at nginx.us Thu Oct 30 16:49:27 2014
From: nginx-forum at nginx.us (arulmarans)
Date: Thu, 30 Oct 2014 12:49:27 -0400
Subject: Nginx keep crashes when it is used in uwsgi
In-Reply-To: <20141030153909.GA45418@mdounin.ru>
References: <20141030153909.GA45418@mdounin.ru>
Message-ID: <721d6c817e0444c20b0a9c1f70fb00d9.NginxMailingListEnglish@forum.nginx.org>

Thanks a lot Maxim, you identified the issue (Monitd is the issue), after stopping the monit I have not faced the issue.
Thanks for the prompt and trust on the Nginx...

I have used following configurations:

server {
    listen 8090;
    server_name uwsgi;
    add_header Access-Control-Allow-Origin "*";
    add_header Access-Control-Allow-Methods "GET, OPTIONS, POST";
    add_header Access-Control-Allow-Headers "origin, authorization, accept";

    # Django media
    location /media {
        alias /usr/lib/python2.6/site-packages/django/contrib/admin/media;
    }

    location /static {
        alias /idap/Release/build/gp/webapp/content;
    }

    # Finally, send all non-media requests to the Django server.
    location / {
        uwsgi_pass unix:/var/uwsgi/app.sock;
        include /idap/activeRelease/conf/uwsgi/uwsgi_params;
    }
}

----
[root@Stage03 ~]# /idap/activeRelease/nginx/sbin/nginx -V -c /idap/activeRelease/conf/nginx/idap_gp_nginx.conf
nginx version: nginx/1.7.6
configure arguments: --prefix=/home/amaran/src/idap/build --error-log-path=/ilogs/nginx/error.log --http-log-path=/ilogs/nginx/access/access.log --http-client-body-temp-path=/ilogs/nginx/cbdy --http-proxy-temp-path=/ilogs/nginx/proxy --http-fastcgi-temp-path=/ilogs/nginx/fastcgi --http-uwsgi-temp-path=/ilogs/nginx/uwsgi --http-scgi-temp-path=/ilogs/nginx/scgi --pid-path=/idap/activeRelease/tmp/pid --lock-path=/idap/activeRelease/tmp/lock --with-pcre=../pcre-8.36 --with-debug --add-module=nginx-backtrace-master/
[root@Stage03 ~]# /idap/activeRelease/nginx/sbin/nginx -V -c /idap/activeRelease/conf/nginx/idap_gp_nginx.conf

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254446,254464#msg-254464

From dewanggaba at xtremenitro.org Thu Oct 30 17:14:34 2014
From: dewanggaba at xtremenitro.org (Dewangga)
Date: Fri, 31 Oct 2014 00:14:34 +0700
Subject: CentOS 6.6, SELinux breaks Nginx 1.6.0
In-Reply-To: <2ea494b3d313fe2c04852ac996b09379.NginxMailingListEnglish@forum.nginx.org>
References: <2ea494b3d313fe2c04852ac996b09379.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <545271FA.8000205@xtremenitro.org>

Hi,

Something wrong on your policy?

$ cat /etc/issue
CentOS release 6.6 (Final)
Kernel \r on an \m

$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted

$ ls -lZ /etc/nginx/conf.d
-rw-r--r--. root root system_u:object_r:etc_t:s0 default.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0 default.conf-orig
-rw-r--r--. root root system_u:object_r:etc_t:s0 default.conf.rpmnew
-rw-r--r--.
root root system_u:object_r:etc_t:s0 example_ssl.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0 example_ssl.conf.orig
-rw-r--r--. root root system_u:object_r:etc_t:s0 pagespeed.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0 pagespeed.conf.rpmnew
-rw-r--r--. root root system_u:object_r:etc_t:s0 proxy.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0 ssl.conf

IMHO, SELinux won't change your saved policy (unless you don't save it).

On 10/30/2014 21:48, mevans336 wrote:
> We have been successfully running Nginx installed from the official
> Nginx CentOS repositories for ages. Last night I upgraded two of my
> Nginx 1.6.0 servers from CentOS 6.5 to CentOS 6.6 and SELinux
> immediately broke just about everything with Nginx. At first it
> wouldn't let it read the SSL certs, then it wouldn't allow it to
> read the proxy upstream server. The only way I can get it working
> is to disable SELinux via setenforce 0, which is a no-no because
> these servers are internet facing.
>
> I have a lengthy post in the CentOS forums which you can see here:
> https://www.centos.org/forums/viewtopic.php?f=13&t=49280
>
> I will try and summarize some of the errors:
>
> ----
> [root@host ssl]# service nginx restart
> nginx: [emerg] BIO_new_file("/srv/ssl/cert-rekey/cert-rekey.crt") failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/srv/ssl/cert-rekey/cert-rekey.crt','r') error:2006D002:BIO routines:BIO_new_file:system lib)
> ----
>
> I was able to work around this by copying the files into
> /etc/nginx/ssl. Attempting to use a restorecon on /srv/ssl didn't
> resolve the issue.
> After making the change above, Nginx will
> successfully start, but then receives the following error when
> trying to proxy to my upstream server:
>
> ----
> 2014/10/29 20:35:27 [crit] 4407#0: *1 connect() to 10.0.3.15:8080 failed (13: Permission denied) while connecting to upstream, client: 10.0.6.102, server: dev.upstream, request: "GET /home HTTP/1.1", upstream: "http://10.0.3.15:8080/home", host: "dev.upstream.com"
> ----
>
> In the latter case, disabling SELinux via setenforce 0 immediately
> resolves the issue, without restarting the Nginx daemon.
>
> Another user in my CentOS thread is reporting the same behavior and
> I am seeing it on two independent Nginx servers as well. I
> attempted to uninstall and re-install the Nginx package via the
> Nginx yum repository (hoping it would restore the SELinux context)
> but that produced the same result.
>
> Here is the output of ls -lrtZ /etc/nginx:
>
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 win-utf
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 uwsgi_params
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 scgi_params
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 mime.types
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 koi-win
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 koi-utf
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 fastcgi_params
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 nginx.conf.rpmsave
> drw-------. root root unconfined_u:object_r:httpd_config_t:s0 ssl
> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d
> -rw-r--r--.
> root root unconfined_u:object_r:httpd_config_t:s0 nginx.conf
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,254456,254456#msg-254456
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>

From nginx-forum at nginx.us Thu Oct 30 18:05:04 2014
From: nginx-forum at nginx.us (mevans336)
Date: Thu, 30 Oct 2014 14:05:04 -0400
Subject: CentOS 6.6, SELinux breaks Nginx 1.6.0
In-Reply-To: <545271FA.8000205@xtremenitro.org>
References: <545271FA.8000205@xtremenitro.org>
Message-ID:

That's the thing, I've never needed to set an SELinux policy. These are single purpose servers, they run Nginx and that's it. I've always installed Nginx, configured the .conf files for Nginx, and off it went. I've never needed to disable SELinux and actually, since I perform a minimal install of SELinux, the policy control tools aren't even installed.

If it were a policy issue, why doesn't a restorecon -v -R fix it? Why would upgrading from CentOS 6.5 to 6.6 break a policy that I never touched? And lastly, why wouldn't an uninstall and reinstall of the Nginx package fix it?

I'm genuinely stumped.

FWIW, it looks like the files that I created have a different security context than the files that Nginx drops:

ls -lZ /etc/nginx/conf.d

-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 default.conf
-rw-r--r--. root root unconfined_u:object_r:httpd_config_t:s0 default.conf.orig
-rw-r--r--.
root root unconfined_u:object_r:httpd_config_t:s0 dev-ls.conf
-rw-r--r--. root root unconfined_u:object_r:httpd_config_t:s0 dev-web.conf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 example_ssl.conf
-rw-r--r--. root root unconfined_u:object_r:httpd_config_t:s0 example_ssl.conf.orig

The reason I am posting here as well as the CentOS forums, is that we upgraded our entire development environment to 6.6 and the only 3rd party program that is having issues is Nginx. Our Java servers are fine, mail daemons, monitoring servers, etc.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254456,254468#msg-254468

From grrm77 at gmail.com Thu Oct 30 18:15:42 2014
From: grrm77 at gmail.com (grrm grrm)
Date: Thu, 30 Oct 2014 20:15:42 +0200
Subject: How to disable access_log to images but log 404s
In-Reply-To: <5452438B.8040907@getrailo.org>
References: <5452438B.8040907@getrailo.org>
Message-ID:

Hi.
Maybe you can do something like:

location ^~ /res/ {
    error_page 404 /res/images/100candles-logo-square.png;
    expires 14d;
    access_log off;

    location = /res/images/100candles-logo-square.png {
        # access_log takes a log file path; "on" is not a switch and
        # would write to a file named "on". The path below is a placeholder.
        access_log /path/to/access.log;
    }
}

2014-10-30 15:56 GMT+02:00 Igal @ getRailo.org :
> hi,
>
> I am suppressing the access_log for images and other files in the /res/
> directory:
>
> location ^~ /res/ {
>
>     error_page 404 /res/images/100candles-logo-square.png;
>     expires 14d;
>     access_log off;
> }
>
> but I would like to log the 404s in the access_log
>
> how can I do that?
>
> TIA
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

From dewanggaba at xtremenitro.org Thu Oct 30 18:24:51 2014
From: dewanggaba at xtremenitro.org (Dewangga)
Date: Fri, 31 Oct 2014 01:24:51 +0700
Subject: CentOS 6.6, SELinux breaks Nginx 1.6.0
In-Reply-To:
References: <545271FA.8000205@xtremenitro.org>
Message-ID: <54528273.5050807@xtremenitro.org>

Hi,

By default nginx drops as pasted before, nginx never drops the file types as `httpd_config_t`. If you never needed SELinux and aren't familiar with it, just disable it. But it is not recommended for you to disable it.

Good luck!

On 10/31/2014 01:05, mevans336 wrote:
> That's the thing, I've never needed to set an SELinux policy. These
> are single purpose servers, they run Nginx and that's it. I've
> always installed Nginx, configured the .conf files for Nginx, and
> off it went. I've never needed to disable SELinux and actually,
> since I perform a minimal install of SELinux, the policy control
> tools aren't even installed.
>
> If it were a policy issue, why doesn't a restorecon -v -R fix it?
> Why would upgrading from CentOS 6.5 to 6.6 break a policy that I
> never touched? And lastly, why wouldn't an uninstall and reinstall
> of the Nginx package fix it?
>
> I'm genuinely stumped.
>
> FWIW, it looks like the files that I created have a different
> security context than the files that Nginx drops:
>
> ls -lZ /etc/nginx/conf.d
>
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 default.conf
> -rw-r--r--. root root unconfined_u:object_r:httpd_config_t:s0 default.conf.orig
> -rw-r--r--. root root unconfined_u:object_r:httpd_config_t:s0 dev-ls.conf
> -rw-r--r--. root root unconfined_u:object_r:httpd_config_t:s0 dev-web.conf
> -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 example_ssl.conf
> -rw-r--r--.
> root root unconfined_u:object_r:httpd_config_t:s0 example_ssl.conf.orig
>
> The reason I am posting here as well as the CentOS forums, is that
> we upgraded our entire development environment to 6.6 and the only
> 3rd party program that is having issues is Nginx. Our Java servers
> are fine, mail daemons, monitoring servers, etc.
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,254456,254468#msg-254468
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>

From nginx-forum at nginx.us Thu Oct 30 18:59:40 2014
From: nginx-forum at nginx.us (mevans336)
Date: Thu, 30 Oct 2014 14:59:40 -0400
Subject: CentOS 6.6, SELinux breaks Nginx 1.6.0
In-Reply-To: <54528273.5050807@xtremenitro.org>
References: <54528273.5050807@xtremenitro.org>
Message-ID: <7281073aa45ca8772087c6e14fafa165.NginxMailingListEnglish@forum.nginx.org>

Then that is something that is different with respect to CentOS 6.6, because the default.conf was just dropped when I re-installed it from the Nginx yum repository.

-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 default.conf
-rw-r--r--. root root unconfined_u:object_r:httpd_config_t:s0 default.conf.orig

The default.conf above was dropped by a fresh install of the nginx package. The default.conf.orig was from my previous installation, where I renamed default.conf to default.conf.orig.

I definitely don't want to disable SELinux, as these are Internet facing servers.
Perhaps my next step should be to compile Nginx from source and see if it results in the same errors.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254456,254471#msg-254471

From nginx-forum at nginx.us Thu Oct 30 20:18:10 2014
From: nginx-forum at nginx.us (richardm)
Date: Thu, 30 Oct 2014 16:18:10 -0400
Subject: CentOS 6.6, SELinux breaks Nginx 1.6.0
In-Reply-To: <7281073aa45ca8772087c6e14fafa165.NginxMailingListEnglish@forum.nginx.org>
References: <54528273.5050807@xtremenitro.org> <7281073aa45ca8772087c6e14fafa165.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

An upgrade to Centos 6.6 seems to relabel the standard directories used by nginx with "httpd_" tags.

I have two Centos systems with nginx installed from the nginx repo. Both were at version 6.5 and showed,

ls -lZ /etc/nginx/
drwxr-xr-x. root root system_u:object_r:etc_t:s0 conf.d
. . .
-rw-r--r--. root root system_u:object_r:etc_t:s0 nginx.conf
. . .

and

ls -lZ /var/log/nginx/
. . .
-rw-r-----. webs adm unconfined_u:object_r:var_log_t:s0 error.log
. . .

Then I updated one system to Centos 6.6. Nothing else. I didn't change nginx at all, just ran "yum update". Then

ls -lZ /etc/nginx
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d
. . .
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 nginx.conf
. . .

ls -lZ /var/log/nginx/
. . .
-rw-r-----. webs adm unconfined_u:object_r:httpd_log_t:s0 error.log
. . .

If I use anything outside of the standard locations I must label it myself or an nginx restart will fail. For example, my socket for php-fpm fails. I place logs in a different directory (not /var/log/nginx/) and so they fail too.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254456,254473#msg-254473

From r_o_l_a_n_d at hotmail.com Fri Oct 31 10:43:04 2014
From: r_o_l_a_n_d at hotmail.com (Roland RoLaNd)
Date: Fri, 31 Oct 2014 12:43:04 +0200
Subject: invalidate a certain key in my cache
Message-ID:

I have nginx setup as a caching proxy, which caches redirect responses from backend servers.

I want a way to invalidate a certain redirect/key from my cache.

i usually go into my caching dir and grep/remove it.

though i would like to do it dynamically by issuing a specific request to nginx..
it could be as simple as requesting the same exact request but adding ?remove_key=1

would that be possible to do within the config ??

From rpaprocki at fearnothingproductions.net Fri Oct 31 10:44:08 2014
From: rpaprocki at fearnothingproductions.net (Robert Paprocki)
Date: Fri, 31 Oct 2014 03:44:08 -0700
Subject: invalidate a certain key in my cache
In-Reply-To:
References:
Message-ID: <545367F8.4010808@fearnothingproductions.net>

You'll want to use http://labs.frickle.com/nginx_ngx_cache_purge/

On 10/31/2014 03:43 AM, Roland RoLaNd wrote:
> I have nginx setup as a caching proxy, which caches redirect responses from backend servers.
>
> I want a way to invalidate a certain redirect/key from my cache.
>
> i usually go into my caching dir and grep/remove it.
>
> though i would like to do it dynamically by issuing a specific request to nginx..
> it could be as simple as requesting the same exact request but adding ?remove_key=1
>
> would that be possible to do within the config ?
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>

From r_o_l_a_n_d at hotmail.com Fri Oct 31 10:50:50 2014
From: r_o_l_a_n_d at hotmail.com (Roland RoLaNd)
Date: Fri, 31 Oct 2014 12:50:50 +0200
Subject: invalidate a certain key in my cache
In-Reply-To: <545367F8.4010808@fearnothingproductions.net>
References: , <545367F8.4010808@fearnothingproductions.net>
Message-ID:

thank you, that's exactly what i want

----------------------------------------
> Date: Fri, 31 Oct 2014 03:44:08 -0700
> From: rpaprocki at fearnothingproductions.net
> To: nginx at nginx.org
> Subject: Re: invalidate a certain key in my cache
>
> You'll want to use http://labs.frickle.com/nginx_ngx_cache_purge/
>
> On 10/31/2014 03:43 AM, Roland RoLaNd wrote:
>> I have nginx setup as a caching proxy, which caches redirect responses from backend servers.
>>
>> I want a way to invalidate a certain redirect/key from my cache.
>>
>> i usually go into my caching dir and grep/remove it.
>>
>> though i would like to do it dynamically by issuing a specific request to nginx..
>> it could be as simple as requesting the same exact request but adding ?remove_key=1
>>
>> would that be possible to do within the config ?
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

From nginx-forum at nginx.us Fri Oct 31 15:10:34 2014
From: nginx-forum at nginx.us (mevans336)
Date: Fri, 31 Oct 2014 11:10:34 -0400
Subject: CentOS 6.6, SELinux breaks Nginx 1.6.0
In-Reply-To:
References: <54528273.5050807@xtremenitro.org> <7281073aa45ca8772087c6e14fafa165.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

Thank you Richard. I have shared your post in my thread in the CentOS forums.
For now, to work around the issue, CentOS forum user sercan has provided the following commands to create a new SELinux policy for Nginx. I've tested it on two of my servers and it works.

- Make sure you have the policycoreutils-python package installed (yum install policycoreutils-python), then run the following 3 commands:

1. grep nginx /var/log/audit/audit.log | audit2allow -m nginx > nginx.te
2. grep nginx /var/log/audit/audit.log | audit2allow -M nginx
3. semodule -i nginx.pp

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254456,254492#msg-254492

From nginx-forum at nginx.us Fri Oct 31 17:48:29 2014
From: nginx-forum at nginx.us (bdwyertech)
Date: Fri, 31 Oct 2014 13:48:29 -0400
Subject: CentOS 6.6, SELinux breaks Nginx 1.6.0
In-Reply-To:
References: <54528273.5050807@xtremenitro.org> <7281073aa45ca8772087c6e14fafa165.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <662c0c865f544900170f29d8d817a53b.NginxMailingListEnglish@forum.nginx.org>

As a follow up, if you are using NginX as a proxy, you might need a few more things. Here is a preliminary template of a type enforcement I've created for NginX to alleviate these issues.

You can use this Type Enforcement file to generate an SELinux module, package it up, and load it.

module nginx 1.0;

require {
    type httpd_t;
    type http_cache_port_t;
    type port_t;
    class process setrlimit;
    class tcp_socket name_connect;
    class capability sys_resource;
}

#============= httpd_t ==============

#!!!! This avc can be allowed using one of the these booleans:
# allow_ypbind, httpd_can_network_connect
allow httpd_t port_t:tcp_socket name_connect;

#!!!! This avc can be allowed using one of the these booleans:
# httpd_can_network_relay, httpd_can_network_connect
allow httpd_t http_cache_port_t:tcp_socket name_connect;

#!!!! This avc can be allowed using the boolean 'httpd_setrlimit'
allow httpd_t self:process setrlimit;

#!!!!
# This avc can be allowed using one of the these booleans:
# httpd_run_stickshift, httpd_setrlimit
allow httpd_t self:capability sys_resource;

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254456,254496#msg-254496

From nginx-forum at nginx.us Fri Oct 31 17:51:24 2014
From: nginx-forum at nginx.us (bdwyertech)
Date: Fri, 31 Oct 2014 13:51:24 -0400
Subject: CentOS 6.6, SELinux breaks Nginx 1.6.0
In-Reply-To: <662c0c865f544900170f29d8d817a53b.NginxMailingListEnglish@forum.nginx.org>
References: <54528273.5050807@xtremenitro.org> <7281073aa45ca8772087c6e14fafa165.NginxMailingListEnglish@forum.nginx.org> <662c0c865f544900170f29d8d817a53b.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

You can use something like this to handle project directories.

# Shell assignment takes no leading "$" on the variable name.
PROJECT_DIR=/srv/myproject
# Register a persistent labelling rule for the directory tree.
semanage fcontext -a -t httpd_sys_content_t "$PROJECT_DIR(/.*)?"
# Apply the rule to files that already exist.
if [ -d "$PROJECT_DIR" ]; then
    restorecon -R "$PROJECT_DIR"
fi

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254456,254497#msg-254497

From ru at nginx.com Fri Oct 31 21:56:32 2014
From: ru at nginx.com (Ruslan Ermilov)
Date: Sat, 1 Nov 2014 00:56:32 +0300
Subject: invalidate a certain key in my cache
In-Reply-To:
References: <545367F8.4010808@fearnothingproductions.net>
Message-ID: <20141031215632.GO14763@lo0.su>

NGINX+ also offers http://nginx.org/r/proxy_cache_purge

On Fri, Oct 31, 2014 at 12:50:50PM +0200, Roland RoLaNd wrote:
> thank you, that's exactly what i want
> > Date: Fri, 31 Oct 2014 03:44:08 -0700
> > From: rpaprocki at fearnothingproductions.net
> > To: nginx at nginx.org
> > Subject: Re: invalidate a certain key in my cache
> >
> > You'll want to use http://labs.frickle.com/nginx_ngx_cache_purge/
> >
> > On 10/31/2014 03:43 AM, Roland RoLaNd wrote:
> >> I have nginx setup as a caching proxy, which caches redirect responses from backend servers.
> >>
> >> I want a way to invalidate a certain redirect/key from my cache.
> >>
> >> i usually go into my caching dir and grep/remove it.
> >>
> >> though i would like to do it dynamically by issuing a specific request to nginx..
> >> it could be as simple as requesting the same exact request but adding ?remove_key=1
> >>
> >> would that be possible to do within the config ?