From gfrankliu at gmail.com Fri Apr 1 02:46:40 2016 From: gfrankliu at gmail.com (Frank Liu) Date: Thu, 31 Mar 2016 19:46:40 -0700 Subject: 1.9.13 and non_idempotent In-Reply-To: <20160330024815.GH36620@mdounin.ru> References: <20160330024815.GH36620@mdounin.ru> Message-ID: Does that mean by default if one upstream server is down (connect error or connect timeout), nginx won't try the next server and POST request will just fail? Thanks! Frank On Tue, Mar 29, 2016 at 7:48 PM, Maxim Dounin wrote: > Hello! > > On Tue, Mar 29, 2016 at 06:34:59PM -0700, Frank Liu wrote: > > > If I explicitly configured to retry next upstream based on a > > certain http_xxx, will that stop working if a request is a POST with > > 1.9.13? > > Yes. There is no real difference between a network error and an > HTTP error returned from idempotence point of view. E.g., 502 > error just means that a network error happened somewhere else. > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mdounin at mdounin.ru Fri Apr 1 03:31:30 2016 From: mdounin at mdounin.ru (Maxim Dounin) Date: Fri, 1 Apr 2016 06:31:30 +0300 Subject: 1.9.13 and non_idempotent In-Reply-To: References: <20160330024815.GH36620@mdounin.ru> Message-ID: <20160401033130.GO36620@mdounin.ru> Hello! On Thu, Mar 31, 2016 at 07:46:40PM -0700, Frank Liu wrote: > Does that mean by default if one upstream server is down (connect error or > connect timeout), nginx won't try the next server and POST request will > just fail? No. Quoting CHANGES (http://nginx.org/en/CHANGES): *) Change: non-idempotent requests (POST, LOCK, PATCH) are no longer passed to the next server by default if a request has been sent to a backend; the "non_idempotent" parameter of the "proxy_next_upstream" directive explicitly allows retrying such requests. Connect errors doesn't imply that a request has been sent to a backend. As long a request hasn't been sent yet, it can be retried to another server without any problems. See docs here for more details: http://nginx.org/en/docs/http/ngx_http_proxy_module.html#non_idempotent -- Maxim Dounin http://nginx.org/ From nginx-forum at forum.nginx.org Fri Apr 1 04:29:32 2016 From: nginx-forum at forum.nginx.org (plutocrat) Date: Fri, 01 Apr 2016 00:29:32 -0400 Subject: Nginx with Varnish as a proxy. Phantom Port 80 Message-ID: <6fd76e8fae5865f0386aa5794b92bb10.NginxMailingListEnglish@forum.nginx.org> Hi, I'm having an odd problem here. I'm trying to set up nginx with a varnish proxy in front of it. The box is Ubuntu 15.10, nginx 1.9.3, varnish 4.0.3. For testing I set up varnish on port 8080, and nginx was running on port 80 and 443. I shut down both, edit the config files so that varnish is listening on port 80 and forwarding to the nginx backend on 8080. I do a search and replace on all the listen directives in /etc/nginx/sites-enabled to change listen 80 to listen 8080. When I restart nginx, it comes up listening on port 8080 and 443 as expected, but ALSO on port 80. This means varnish is unable to start up as the port is already bound. tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 17514/nginx -g daem tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 17514/nginx -g daem tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 17514/nginx -g daem I've checked through the nginx conf files many times. There are no other listen 80 directives. I've also tried putting a server block in the main nginx.conf with listen 8080 in it, but that doesn't help. I think the problem may be that this system is confused between systemd and init.d. I was having trouble with varnish in this respect. However I've checked all the systemd files and none of them mention a port, and the /etc/init.d/nginx file doesn't either. Why is nginx using port 80? And how to stop it! Any pointers gratefully received. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,265791,265791#msg-265791 From rpaprocki at fearnothingproductions.net Fri Apr 1 04:33:17 2016 From: rpaprocki at fearnothingproductions.net (Robert Paprocki) Date: Thu, 31 Mar 2016 21:33:17 -0700 Subject: Nginx with Varnish as a proxy. Phantom Port 80 In-Reply-To: <6fd76e8fae5865f0386aa5794b92bb10.NginxMailingListEnglish@forum.nginx.org> References: <6fd76e8fae5865f0386aa5794b92bb10.NginxMailingListEnglish@forum.nginx.org> Message-ID: Without showing your nginx config it's unlikely that anyone will be able to troubleshoot. Likely there is a stray listen directive that's causing this. On Thu, Mar 31, 2016 at 9:29 PM, plutocrat wrote: > Hi, > > I'm having an odd problem here. I'm trying to set up nginx with a varnish > proxy in front of it. The box is Ubuntu 15.10, nginx 1.9.3, varnish 4.0.3. > > For testing I set up varnish on port 8080, and nginx was running on port 80 > and 443. I shut down both, edit the config files so that varnish is > listening on port 80 and forwarding to the nginx backend on 8080. I do a > search and replace on all the listen directives in /etc/nginx/sites-enabled > to change listen 80 to listen 8080. > > When I restart nginx, it comes up listening on port 8080 and 443 as > expected, but ALSO on port 80. This means varnish is unable to start up as > the port is already bound. > > tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN > 17514/nginx -g daem > tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN > 17514/nginx -g daem > tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN > 17514/nginx -g daem > > I've checked through the nginx conf files many times. There are no other > listen 80 directives. I've also tried putting a server block in the main > nginx.conf with listen 8080 in it, but that doesn't help. > > I think the problem may be that this system is confused between systemd and > init.d. I was having trouble with varnish in this respect. However I've > checked all the systemd files and none of them mention a port, and the > /etc/init.d/nginx file doesn't either. > > Why is nginx using port 80? And how to stop it! Any pointers gratefully > received. > > Posted at Nginx Forum: > https://forum.nginx.org/read.php?2,265791,265791#msg-265791 > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From nginx-forum at forum.nginx.org Fri Apr 1 04:42:57 2016 From: nginx-forum at forum.nginx.org (plutocrat) Date: Fri, 01 Apr 2016 00:42:57 -0400 Subject: Nginx with Varnish as a proxy. Phantom Port 80 In-Reply-To: References: Message-ID: <46247a25189e157ba60b615c38b19567.NginxMailingListEnglish@forum.nginx.org> Robert Paprocki Wrote: ------------------------------------------------------- > Without showing your nginx config it's unlikely that anyone will be able to > troubleshoot. Likely there is a stray listen directive that's causing this. There are no stray listen directives. I've checked many times. grep -ril listen /etc/nginx Shows only files in sites-enabled and sites-available directories. grep -i listen /etc/nginx/sites-enabled Shows only port 8080 grep 80 /etc/nginx/sites-enabled Shows only port 8080 I've also manually opened all files and verified just in case my grepping skills were failing. I've checked probably 10 times. This is why I can't figure it out and came to ask the mailing list! :-) Posted at Nginx Forum: https://forum.nginx.org/read.php?2,265791,265793#msg-265793 From rpaprocki at fearnothingproductions.net Fri Apr 1 04:47:21 2016 From: rpaprocki at fearnothingproductions.net (Robert Paprocki) Date: Thu, 31 Mar 2016 21:47:21 -0700 Subject: Nginx with Varnish as a proxy. Phantom Port 80 In-Reply-To: <46247a25189e157ba60b615c38b19567.NginxMailingListEnglish@forum.nginx.org> References: <46247a25189e157ba60b615c38b19567.NginxMailingListEnglish@forum.nginx.org> Message-ID: I'm sure the mailing list would be happy to help if you would provide your config files so that debugging doesn't involve reading your mind :) On Thu, Mar 31, 2016 at 9:42 PM, plutocrat wrote: > Robert Paprocki Wrote: > ------------------------------------------------------- > > Without showing your nginx config it's unlikely that anyone will be able > to > > troubleshoot. Likely there is a stray listen directive that's causing > this. > > There are no stray listen directives. I've checked many times. > grep -ril listen /etc/nginx > Shows only files in sites-enabled and sites-available directories. > grep -i listen /etc/nginx/sites-enabled > Shows only port 8080 > grep 80 /etc/nginx/sites-enabled > Shows only port 8080 > I've also manually opened all files and verified just in case my grepping > skills were failing. I've checked probably 10 times. This is why I can't > figure it out and came to ask the mailing list! :-) > > Posted at Nginx Forum: > https://forum.nginx.org/read.php?2,265791,265793#msg-265793 > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From nginx-forum at forum.nginx.org Fri Apr 1 05:38:01 2016 From: nginx-forum at forum.nginx.org (plutocrat) Date: Fri, 01 Apr 2016 01:38:01 -0400 Subject: Nginx with Varnish as a proxy. Phantom Port 80 In-Reply-To: References: Message-ID: <7f03fb70011f1384e792f8c67dd859f7.NginxMailingListEnglish@forum.nginx.org> OK, was trying to keep the post relevant and succinct, but here goes with the config. Its a newly set up server, so pretty much standard. ============================= # cat nginx.conf user www-data; worker_processes auto; pid /run/nginx.pid; events { worker_connections 768; # multi_accept on; } http { # required for letsencrypt verification server { location ~ /.well-known/acme-challenge/(.*) { default_type text/plain; } } ## # Basic Settings ## sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; # server_tokens off; # server_names_hash_bucket_size 64; # server_name_in_redirect off; include /etc/nginx/mime.types; default_type application/octet-stream; ## # SSL Settings ## ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE ssl_prefer_server_ciphers on; ## # Logging Settings ## access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; ## # Gzip Settings ## gzip on; gzip_disable "msie6"; # gzip_vary on; # gzip_proxied any; # gzip_comp_level 6; # gzip_buffers 16 8k; # gzip_http_version 1.1; # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; ## # Virtual Host Configs ## include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*; } =========================== nothing at all in ./conf.d/ =========================== > cat sites-enabled/default # Default server configuration # server { # handles anything going to numeric IP address. listen 80 default_server; root /var/www/html; # Add index.php to the list if you are using PHP index index.html index.php index.htm index.nginx-debian.html; server_name localhost 16.17.18.19; location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ =404; } error_page 404 /404.html; error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } } ======================================================= $> cat sites-enabled/domain1.com. server { listen 80; server_name www.domain1.com domain1.com; root /home/user/domains/domain1.com/public_html/public; access_log /home/user/domains/domain1.com/logs/access.log; error_log /home/user/domains/domain1.com/logs/error.log; index index.php index.html index.htm; error_page 404 /404.html; location / { try_files $uri $uri/ /index.php?$args; } # Pass PHP scripts to PHP-FPM location ~ \.php$ { try_files $uri =403; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:/var/run/php/php7.0-fpm-user.sock; include fastcgi_params; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; } # Enable browser cache for CSS / JS location ~* \.(?:css|js)$ { expires 2d; add_header Pragma "public"; add_header Cache-Control "public"; add_header Vary "Accept-Encoding"; } # Enable browser cache for static files location ~* \.(?:ico|jpg|jpeg|gif|png|bmp|webp|tiff|svg|svgz|pdf|mp3|flac|ogg|mid|midi|wav|mp4|webm|mkv|ogv|wmv|eot|otf|woff|ttf|rss|atom|zip|7z|tgz|gz|rar|bz2|tar|exe|doc|docx|xls|xlsx|ppt|pptx|rtf|odt|ods|odp)$ { expires 5d; add_header Pragma "public"; add_header Cache-Control "public"; } # Prevent logging of favicon and robot request errors location = /favicon.ico { log_not_found off; access_log off; } location = /robots.txt { log_not_found off; access_log off; } } server { listen 443; server_name www.domain1.com domain1.com; root /home/user/domains/domain1.com/public_html; access_log /home/user/domains/domain1.com/logs/access.log; error_log /home/user/domains/domain1.com/logs/error.log; index index.php index.html index.htm; error_page 404 /404.html; ssl on; ssl_certificate /etc/letsencrypt/live/domain1.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/domain1.com/privkey.pem; ssl_session_timeout 5m; ssl_protocols SSLv2 SSLv3 TLSv1; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; index index.php index.html index.htm; error_page 404 /404.html; location / { try_files $uri $uri/ /index.php?$args; } # Pass PHP scripts to PHP-FPM location ~ \.php$ { try_files $uri =403; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:/var/run/php/php7.0-fpm-user.sock; include fastcgi_params; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; } # Enable browser cache for CSS / JS location ~* \.(?:css|js)$ { expires 2d; add_header Pragma "public"; add_header Cache-Control "public"; add_header Vary "Accept-Encoding"; } # Enable browser cache for static files location ~* \.(?:ico|jpg|jpeg|gif|png|bmp|webp|tiff|svg|svgz|pdf|mp3|flac|ogg|mid|midi|wav|mp4|webm|mkv|ogv|wmv|eot|otf|woff|ttf|rss|atom|zip|7z|tgz|gz|rar|bz2|tar|exe|doc|docx|xls|xlsx|ppt|pptx|rtf|odt|ods|odp)$ { expires 5d; add_header Pragma "public"; add_header Cache-Control "public"; } # Prevent logging of favicon and robot request errors location = /favicon.ico { log_not_found off; access_log off; } location = /robots.txt { log_not_found off; access_log off; } } =========== There are three other domains in this directory, all created by copying and editing the domain1 file. So nothing extra in there. You'll just have to take my word for it that the listen directives are all the same. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,265791,265795#msg-265795 From nginx-forum at forum.nginx.org Fri Apr 1 05:41:24 2016 From: nginx-forum at forum.nginx.org (plutocrat) Date: Fri, 01 Apr 2016 01:41:24 -0400 Subject: Nginx with Varnish as a proxy. Phantom Port 80 In-Reply-To: <7f03fb70011f1384e792f8c67dd859f7.NginxMailingListEnglish@forum.nginx.org> References: <7f03fb70011f1384e792f8c67dd859f7.NginxMailingListEnglish@forum.nginx.org> Message-ID: So, just to be clear, these are the ones running now without varnish. Of course the lines with listen 80 are changed to listen 8080, and when I restart nginx, it appears on ports 80, 8080 and 443. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,265791,265796#msg-265796 From francis at daoine.org Fri Apr 1 07:12:12 2016 From: francis at daoine.org (Francis Daly) Date: Fri, 1 Apr 2016 08:12:12 +0100 Subject: Nginx with Varnish as a proxy. Phantom Port 80 In-Reply-To: <46247a25189e157ba60b615c38b19567.NginxMailingListEnglish@forum.nginx.org> References: <46247a25189e157ba60b615c38b19567.NginxMailingListEnglish@forum.nginx.org> Message-ID: <20160401071212.GI28270@daoine.org> On Fri, Apr 01, 2016 at 12:42:57AM -0400, plutocrat wrote: Hi there, > There are no stray listen directives. I've checked many times. > grep -ril listen /etc/nginx > Shows only files in sites-enabled and sites-available directories. > grep -i listen /etc/nginx/sites-enabled > Shows only port 8080 > grep 80 /etc/nginx/sites-enabled > Shows only port 8080 http://nginx.org/r/listen "Default" there means that if a server{} block does not have any listen directive, it is equivalent to "listen *:80" (or "listen *:8080" if running as non-root). Your "letsencrypt" server{} block does not have any listen directive. So add one there -- and to any other similar blocks -- or do not start nginx as root (and therefore be unable to listen to any port below 1024). f -- Francis Daly francis at daoine.org From francis at daoine.org Fri Apr 1 07:16:24 2016 From: francis at daoine.org (Francis Daly) Date: Fri, 1 Apr 2016 08:16:24 +0100 Subject: Nginx with Varnish as a proxy. Phantom Port 80 In-Reply-To: <20160401071212.GI28270@daoine.org> References: <46247a25189e157ba60b615c38b19567.NginxMailingListEnglish@forum.nginx.org> <20160401071212.GI28270@daoine.org> Message-ID: <20160401071624.GJ28270@daoine.org> On Fri, Apr 01, 2016 at 08:12:12AM +0100, Francis Daly wrote: > On Fri, Apr 01, 2016 at 12:42:57AM -0400, plutocrat wrote: One silly typo and thinko... > http://nginx.org/r/listen > > "Default" there means that if a server{} block does not have any listen > directive, it is equivalent to "listen *:80" (or "listen *:8080" if 8000, not 8080. > running as non-root). > > Your "letsencrypt" server{} block does not have any listen directive. > > So add one there -- and to any other similar blocks -- or do not start > nginx as root (and therefore be unable to listen to any port below 1024). "start as not root" would listen on 8000; and would fail to listen on 443. So adding an explicit "listen" to every server{} block without one is the way to go. f -- Francis Daly francis at daoine.org From nginx-forum at forum.nginx.org Fri Apr 1 10:33:47 2016 From: nginx-forum at forum.nginx.org (plutocrat) Date: Fri, 01 Apr 2016 06:33:47 -0400 Subject: Nginx with Varnish as a proxy. Phantom Port 80 In-Reply-To: <20160401071212.GI28270@daoine.org> References: <20160401071212.GI28270@daoine.org> Message-ID: <3bfb0ed5506e6046dff948f97118e9c3.NginxMailingListEnglish@forum.nginx.org> Francis Daly Wrote: ------------------------------------------------------- > "Default" there means that if a server{} block does not have any > listen directive, it is equivalent to "listen *:80" (or "listen *:8080" if > running as non-root). > > Your "letsencrypt" server{} block does not have any listen directive. Oh wow. It was that simple. Thanks. I probably should have found it, but when you start going around in circles its hard to break out. Adding a listen directive to the letsencrypt server {} block fixed it. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,265791,265803#msg-265803 From nginx-forum at forum.nginx.org Fri Apr 1 13:18:44 2016 From: nginx-forum at forum.nginx.org (JoakimR) Date: Fri, 01 Apr 2016 09:18:44 -0400 Subject: video stream and secure link In-Reply-To: <201207021942.54710.ne@vbart.ru> References: <201207021942.54710.ne@vbart.ru> Message-ID: <0c30dab3b11477af624d5986ff169ce8.NginxMailingListEnglish@forum.nginx.org> Hi, as I tried to write in this thread https://forum.nginx.org/read.php?2,265663,265688#msg-265688 I'm trying to accomplish the same But 1. did you get it to work 2. how did you form your link in the php script? Posted at Nginx Forum: https://forum.nginx.org/read.php?2,228161,265810#msg-265810 From gfrankliu at gmail.com Fri Apr 1 15:43:56 2016 From: gfrankliu at gmail.com (Frank Liu) Date: Fri, 1 Apr 2016 08:43:56 -0700 Subject: proxy_next_upstream_timeout behavior Message-ID: Hi, If I set proxy_next_upstream_timeout to 50 second, will nginx break the current upstream connection at 50 second and fail the request? Or will it wait until current one finishes (or read timeout) then decide whether it should try next upstream and find out it is already more than 50 so fail the request? Thanks! Frank -------------- next part -------------- An HTML attachment was scrubbed... URL: From gfrankliu at gmail.com Fri Apr 1 15:46:30 2016 From: gfrankliu at gmail.com (Frank Liu) Date: Fri, 1 Apr 2016 08:46:30 -0700 Subject: 1.9.13 and non_idempotent In-Reply-To: <20160330032629.GJ36620@mdounin.ru> References: <20160330024815.GH36620@mdounin.ru> <20160330032629.GJ36620@mdounin.ru> Message-ID: Can you post a quick patch on how to exclude http_404? Thanks! Frank On Tue, Mar 29, 2016 at 8:26 PM, Maxim Dounin wrote: > Hello! > > On Tue, Mar 29, 2016 at 08:04:33PM -0700, Frank Liu wrote: > > > It's a custom error code, think of it as if http_404, so if the first > > upstream can't handle this request , it will send "404" saying it is not > > for me, please try next, nginx should then send the same request to next > > upstream. > > Well, nginx can't handle custom error codes in > proxy_next_upstream, so this is probably irrelevant anyway. > Though I was considered excluding http_403 and http_404 from > idempotence checks, it may make sense to do it if there are enough > such use cases. > -------------- next part -------------- An HTML attachment was scrubbed... URL: From gfrankliu at gmail.com Sat Apr 2 05:33:22 2016 From: gfrankliu at gmail.com (Frank Liu) Date: Fri, 1 Apr 2016 22:33:22 -0700 Subject: 1.9.13 and non_idempotent In-Reply-To: References: <20160330024815.GH36620@mdounin.ru> <20160330032629.GJ36620@mdounin.ru> Message-ID: Will this work? --- ngx_http_upstream.c.orig 2016-03-29 15:09:31.000000000 +0000 +++ ngx_http_upstream.c 2016-04-02 05:28:17.877466756 +0000 @@ -3990,6 +3990,7 @@ timeout = u->conf->next_upstream_timeout; if (u->request_sent + && (ft_type != NGX_HTTP_UPSTREAM_FT_HTTP_404) && (r->method & (NGX_HTTP_POST|NGX_HTTP_LOCK|NGX_HTTP_PATCH))) { ft_type |= NGX_HTTP_UPSTREAM_FT_NON_IDEMPOTENT; On Fri, Apr 1, 2016 at 8:46 AM, Frank Liu wrote: > Can you post a quick patch on how to exclude http_404? > > Thanks! > Frank > > On Tue, Mar 29, 2016 at 8:26 PM, Maxim Dounin wrote: > >> Hello! >> >> On Tue, Mar 29, 2016 at 08:04:33PM -0700, Frank Liu wrote: >> >> > It's a custom error code, think of it as if http_404, so if the first >> > upstream can't handle this request , it will send "404" saying it is not >> > for me, please try next, nginx should then send the same request to next >> > upstream. >> >> Well, nginx can't handle custom error codes in >> proxy_next_upstream, so this is probably irrelevant anyway. >> Though I was considered excluding http_403 and http_404 from >> idempotence checks, it may make sense to do it if there are enough >> such use cases. >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From zxcvbn4038 at gmail.com Sat Apr 2 20:36:02 2016 From: zxcvbn4038 at gmail.com (CJ Ess) Date: Sat, 2 Apr 2016 16:36:02 -0400 Subject: Nginx servers on both *:80 and :80? also duplicate listen parameters error when binding by just specific ips In-Reply-To: <20160331202928.GG28270@daoine.org> References: <20160331202928.GG28270@daoine.org> Message-ID: Your right, I should make a simple test case like you did in the prev message. I'll put that together. On Thu, Mar 31, 2016 at 4:29 PM, Francis Daly wrote: > On Thu, Mar 31, 2016 at 01:21:02PM -0400, CJ Ess wrote: > > Hi there, > > > I would like to have an Nginx setup where I have specific logic depending > > on which interface (ip) the request arrived on. > > multiple server{} with different "listen"; possibly with an "include > common-config" entry. > > Note: "listen" is on an ip, not an interface. > > > I was able to make this work by having a server stanza for each ip on the > > server, but was't able to do a combination of a specific ip and a > wildcard > > ip (as a catchall) - is there a way to do that with some option > combination > > (i.e. nginx listens on *:80, but matches the server stanza by ip?) > > I don't understand what you are describing. Could you try again, perhaps > with a config example? > > When I use > > === > server { > listen 127.0.0.1:8088; > return 200 "listen 127.0.0.1:8088\n"; > } > server { > listen 10.0.1.2:8088; > return 200 "listen 10.0.1.2:8088\n"; > } > server { > listen 8088; > return 200 "listen 8088\n"; > } > === > > I get the following output, which is what I expect: > > $ curl http://127.0.0.1:8088/ > listen 127.0.0.1:8088 > $ curl http://127.0.0.2:8088/ > listen 8088 > > > The scenario I'm playing towards is that I have a dedicated connection > to a > > CDN and I want to pass thru certain headers if they arrive via the > > dedicated interface, strip them if they arrive on other interface. > > As above, if "interface" is replaced with "ip", this can work with two > server{} blocks. > > > When I did the server{} per IP approach nginx complained about duplicate > > listen settings for the second IP even though both server stanzas were > > bound to a specific port/interface. Is this a bug per chance? > > What short server{} config can I use to reproduce the complaint? > > f > -- > Francis Daly francis at daoine.org > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From anoopalias01 at gmail.com Sun Apr 3 06:01:08 2016 From: anoopalias01 at gmail.com (Anoop Alias) Date: Sun, 3 Apr 2016 11:31:08 +0530 Subject: convert $msec to sec Message-ID: I need to log the seconds since epoch (without the millisecond resolution) in the access_log file is there is a way to convert the $msec to seconds or drop the exponential part of the time . Probably using the map function?. Thank you, -- *Anoop P Alias* -------------- next part -------------- An HTML attachment was scrubbed... URL: From vbart at nginx.com Sun Apr 3 12:40:40 2016 From: vbart at nginx.com (=?utf-8?B?0JLQsNC70LXQvdGC0LjQvSDQkdCw0YDRgtC10L3QtdCy?=) Date: Sun, 03 Apr 2016 15:40:40 +0300 Subject: convert $msec to sec In-Reply-To: References: Message-ID: <1542375.a4zIPB9JL3@vbart-laptop> On Sunday 03 April 2016 11:31:08 Anoop Alias wrote: > I need to log the seconds since epoch (without the millisecond resolution) > in the access_log file > > is there is a way to convert the $msec to seconds or drop the exponential > part of the time . Probably using the map function?. > It's easy with the map directive: map $msec $sec { ~^(?P<_sec>.+)\. $_sec; } wbr, Valentin V. Bartenev From anoopalias01 at gmail.com Sun Apr 3 15:10:33 2016 From: anoopalias01 at gmail.com (Anoop Alias) Date: Sun, 3 Apr 2016 20:40:33 +0530 Subject: convert $msec to sec In-Reply-To: <1542375.a4zIPB9JL3@vbart-laptop> References: <1542375.a4zIPB9JL3@vbart-laptop> Message-ID: Thanks Valentin. That works. Can you explain On Sun, Apr 3, 2016 at 6:10 PM, ???????? ???????? wrote: > On Sunday 03 April 2016 11:31:08 Anoop Alias wrote: > > I need to log the seconds since epoch (without the millisecond > resolution) > > in the access_log file > > > > is there is a way to convert the $msec to seconds or drop the exponential > > part of the time . Probably using the map function?. > > > > It's easy with the map directive: > > map $msec $sec { > ~^(?P<_sec>.+)\. $_sec; > } > > > wbr, Valentin V. Bartenev > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -- *Anoop P Alias* -------------- next part -------------- An HTML attachment was scrubbed... URL: From igal at lucee.org Sun Apr 3 15:11:25 2016 From: igal at lucee.org (Igal @ Lucee.org) Date: Sun, 3 Apr 2016 08:11:25 -0700 Subject: convert $msec to sec In-Reply-To: References: <1542375.a4zIPB9JL3@vbart-laptop> Message-ID: <5701329D.9050102@lucee.org> On 4/3/2016 8:10 AM, Anoop Alias wrote: > Thanks Valentin. That works. > > Can you explain see http://nginx.org/en/docs/http/ngx_http_map_module.html From vbart at nginx.com Sun Apr 3 20:25:39 2016 From: vbart at nginx.com (=?utf-8?B?0JLQsNC70LXQvdGC0LjQvSDQkdCw0YDRgtC10L3QtdCy?=) Date: Sun, 03 Apr 2016 23:25:39 +0300 Subject: convert $msec to sec In-Reply-To: References: <1542375.a4zIPB9JL3@vbart-laptop> Message-ID: <5936422.WIncTPnhMy@vbart-laptop> On Sunday 03 April 2016 20:40:33 Anoop Alias wrote: > Thanks Valentin. That works. > > Can you explain > This is simple named subpattern: http://www.pcre.org/original/doc/html/pcrepattern.html#SEC16 used in the map directive: http://nginx.org/r/map wbr, Valentin V. Bartenev From mdounin at mdounin.ru Mon Apr 4 13:42:29 2016 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 4 Apr 2016 16:42:29 +0300 Subject: 1.9.13 and non_idempotent In-Reply-To: References: <20160330024815.GH36620@mdounin.ru> <20160330032629.GJ36620@mdounin.ru>

Message-ID: <20160404134228.GA36620@mdounin.ru> Hello! On Fri, Apr 01, 2016 at 10:33:22PM -0700, Frank Liu wrote: > Will this work? > > --- ngx_http_upstream.c.orig 2016-03-29 15:09:31.000000000 +0000 > +++ ngx_http_upstream.c 2016-04-02 05:28:17.877466756 +0000 > @@ -3990,6 +3990,7 @@ > timeout = u->conf->next_upstream_timeout; > > if (u->request_sent > + && (ft_type != NGX_HTTP_UPSTREAM_FT_HTTP_404) > && (r->method & (NGX_HTTP_POST|NGX_HTTP_LOCK|NGX_HTTP_PATCH))) > { > ft_type |= NGX_HTTP_UPSTREAM_FT_NON_IDEMPOTENT; Yes, looks correct. -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Mon Apr 4 14:00:30 2016 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 4 Apr 2016 17:00:30 +0300 Subject: proxy_next_upstream_timeout behavior In-Reply-To: References: Message-ID: <20160404140030.GB36620@mdounin.ru> Hello! On Fri, Apr 01, 2016 at 08:43:56AM -0700, Frank Liu wrote: > If I set proxy_next_upstream_timeout to 50 second, will nginx break the > current upstream connection at 50 second and fail the request? No. > Or will it > wait until current one finishes (or read timeout) then decide whether it > should try next upstream and find out it is already more than 50 so fail > the request? Yes. The proxy_next_upstream_timeout directive only sets the time period during which the proxy_next_upstream directive is allowed to work. It does nothing else, and won't anyhow influence current upstream connection. -- Maxim Dounin http://nginx.org/ From nginx-forum at forum.nginx.org Mon Apr 4 16:29:32 2016 From: nginx-forum at forum.nginx.org (JoakimR) Date: Mon, 04 Apr 2016 12:29:32 -0400 Subject: hide/strip set cookies on static files and howto use alias Message-ID: <81c2e0082084ed6b1a5596d829ac3da0.NginxMailingListEnglish@forum.nginx.org> Hi I have a few questions about how do I configure it. First question: How do I strip the "Set-Cookie" header from all static files like css and jpg? I know i can setup a reverse proxy and use "proxy_hide_header Set-Cookie", but seems like foolish to make yet another host, just to reverse to your self and add a few hundred msec to the request. Second question: I'm trying to make an alias to hide a folder in the lookup to the subfolder, the structure is: /var/www/domain.tld/media/ads /var/www/domain.tld/media/galleries /var/www/domain.tld/media/misc /var/www/domain.tld/media/thumbs making the url like this /media/thumbs/5 subfolders/image-file how do i change that into /thumbs/5 subfolders/image-file I have tried with both alias and root but both returns a 404 Third question: [error] 9178#9178: *13452 upstream timed out (110: Connection timed out) while reading response header from upstream, client: upstream: "fastcgi://unix:/var/run/php-fpm.sock", host: have a lot of those, any suggestions? nginx.conf #user nginx; user apache; worker_processes auto; error_log /var/log/nginx/error.log warn; pid /var/run/nginx.pid; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; aio threads; sendfile on; sendfile_max_chunk 1m; tcp_nopush on; tcp_nodelay on; server_tokens off; keepalive_timeout 15; client_max_body_size 4G; client_body_buffer_size 10K; client_header_buffer_size 1k; large_client_header_buffers 2 1k; index index.php index.html index.htm; ## Nginx?s Open file cache https://easyengine.io/tutorials/nginx/open-file-cache/ open_file_cache max=5000 inactive=5m; ##If you have way too many files, change max from 5000 to more appropriate value. open_file_cache_valid 20m; ## Tell nginx to check if information it is holding is valid every n minutes. open_file_cache_min_uses 1; ## If files don?t change much often, or accesses less frequently, you can change inactive duration from 20m to something else. ## Inactive andopen_file_cache_min_uses works together. ## This sample tells nginx to cache a file information as long as minimum 2 requests are made during 5m window. open_file_cache_errors on; ## Tell nginx to cache errors like 404 (file not found). If you are using nginx as load-balancer, leave this off. gzip on; gzip_disable "msie6"; gzip_http_version 1.1; gzip_vary on; gzip_comp_level 6; gzip_buffers 16 8k; gzip_proxied any; gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml application/rss+xml application/atom+xml application/rdf+xml application/vnd.ms-fontobject font/truetype font/opentype image/svg+xml; add_header X-XSS-Protection "1; mode=block"; #Cross-site scripting add_header X-Frame-Options "SAMEORIGIN" always; #clickjacking add_header X-Content-Type-Options nosniff; #MIME-type sniffing include /etc/nginx/conf.d/*.conf; } domain.tld.conf server { listen ip:80; listen [ipv6]:80; server_name domain.tld www.domain.tld; index index.php =404; try_files $uri $uri/ /index.php?q=$uri&$args; root /var/www/domain.tld; expires max; add_header Pragma "public"; #include /etc/nginx/conf.d/mechbunny.inc; set $site_root $document_root; charset utf-8; access_log /var/log/nginx/access.log main; error_log /var/log/nginx/error.log error; location / { if ($arg_max) { expires max; } rewrite ^/page([0-9]+).html$ /index.php?controller=index&page=$1; rewrite ^/galleries/(.*)-([0-9]+).html$ /index.php?controller=gallery&id=$2; rewrite ^/video/(.*)-([0-9]+).html$ /index.php?controller=video&id=$2; rewrite ^/signup$ /index.php?controller=signup; rewrite ^/upload$ /index.php?controller=upload; rewrite ^/upload_photo$ /index.php?controller=upload&option=photo; rewrite ^/login$ /index.php?controller=login; rewrite ^/logout$ /index.php?controller=logout; rewrite ^/contact$ /index.php?controller=contact; rewrite ^/forgot-pass$ /index.php?controller=forgot_pass; rewrite ^/my-profile$ /index.php?controller=my_profile; rewrite ^/my-friends$ /index.php?controller=my_friends; rewrite ^/my-friends/$ /index.php?controller=friends; rewrite ^/my-friends/page([0-9]+).html$ /index.php?controller=friends&page=$1; rewrite ^/edit-profile$ /index.php?controller=edit_profile; rewrite ^/edit-content/(.*)$ /index.php?controller=editContent&id=$1; rewrite ^/static/(.*)$ /index.php?controller=displayStatic&id=$1; rewrite ^/load/(.*)$ /index.php?controller=loadLayout&id=$1; rewrite ^/filter/(.*)$ /index.php?controller=setFilter&id=$1; rewrite ^/embed/([0-9]+)$ /index.php?controller=embed&id=$1; rewrite ^/dmca$ /index.php?controller=dmca; rewrite ^/tos$ /index.php?controller=tos; rewrite ^/crss/([0-9]+)$ /index.php?controller=crss&id=$1; rewrite ^/rss$ /index.php?controller=rss; rewrite ^/a/(.*)$ /index.php?controller=link&slug=$1; rewrite ^/(my-uploads|favorites|most-recent|most-discussed|most-viewed|longest|top-rated|photos|random|my-friends)/$ /index.php?controller=index&mode=$1; rewrite ^/(my-uploads|favorites|most-recent|most-discussed|most-viewed|longest|top-rated|photos|random|my-friends)/page([0-9]+).html$ /index.php?controller=index&mode=$1&page=$2; rewrite ^/(my-uploads|favorites|most-recent|most-discussed|most-viewed|longest|top-rated|photos|random|my-friends)/(day|week|month)/$ /index.php?controller=index&mode=$1&dateRange=$2; rewrite ^/(my-uploads|favorites|most-recent|most-discussed|most-viewed|longest|top-rated|photos|random|my-friends)/(day|week|month)/page([0-9]+).html$ /index.php?controller=index&mode=$1&dateRange=$2&page=3; rewrite ^/(my-uploads|favorites|most-recent|most-discussed|most-viewed|longest|top-rated|photos|random|my-friends)/page([0-9]+).html$ /index.php?controller=index&mode=$1&page=$2; rewrite ^/uploads-by-user/([0-9]+)/$ /index.php?controller=index&mode=uploads-by-user&user=$1; rewrite ^/uploads-by-user/([0-9]+)/page([0-9]+).html$ /index.php?controller=index&mode=uploads-by-user&user=$1&page=$2; rewrite ^/search/(videos|members|photos)/([A-Za-z0-9-\s]+)/$ /index.php?controller=index&mode=search&type=$1&q=$2&page=1; rewrite ^/search/(videos|members|photos)/([A-Za-z0-9-\s]+)/page([0-9]+).html$ /index.php?controller=index&mode=search&type=$1&q=$2&page=$3; rewrite ^/search/(videos|members|photos)/([A-Za-z0-9-\s]+)/(newest|rating|views|longest)/$ /index.php?controller=index&mode=search&type=$1&q=$2&page=1&sortby=$3; rewrite ^/search/(videos|members|photos)/([A-Za-z0-9-\s]+)/(newest|rating|views|longest)/page([0-9]+).html$ /index.php?controller=index&mode=search&type=$1&q=$2&page=$4&sortby=$3; rewrite ^/search/([A-Za-z0-9-\s]+)/$ /index.php?controller=index&mode=search&q=$1&page=1; rewrite ^/search/([A-Za-z0-9-\s]+)/page([0-9]+).html$ /index.php?controller=index&mode=search&q=$1&page=$2; rewrite ^/search/([A-Za-z0-9-\s]+)/(newest|rating|views|longest)/$ /index.php?controller=index&mode=search&q=$1&page=1&sortby=$2; rewrite ^/search/([A-Za-z0-9-\s]+)/(newest|rating|views|longest)/page([0-9]+).html$ /index.php?controller=index&mode=search&q=$1&page=$3&sortby=$2; rewrite ^/channels/$ /index.php?controller=channels; rewrite ^/channels/([0-9]+)/([A-Za-z0-9-\s]+)/$ /index.php?controller=index&mode=channel&channel=$1; rewrite ^/channels/([0-9]+)/([A-Za-z0-9-\s]+)/page(.*).html$ /index.php?mode=channel&channel=$1&page=$3; rewrite ^/channels/([0-9]+)/([A-Za-z0-9-\s]+)/(newest|rating|views|longest)/$ /index.php?controller=index&mode=channel&channel=$1&sortby=$3; rewrite ^/channels/([0-9]+)/([A-Za-z0-9-\s]+)/(newest|rating|views|longest)/page(.*).html$ /index.php?mode=channel&channel=$1&sortby=$2&page=$4; rewrite ^/models/$ /index.php?controller=pornstars; rewrite ^/models/page([0-9]+).html$ /index.php?controller=pornstars&page=$1; rewrite ^/models/([A-Za-z0-9-\s]+)/$ /index.php?controller=pornstars&letter=$1&page=1; rewrite ^/models/([A-Za-z0-9-\s]+)/page([0-9]+).html$ /index.php?controller=pornstars&letter=$1&page=$2; rewrite ^/models/(.*)-(.*).html$ /index.php?controller=pornstar_bio&id=$2; rewrite ^/stars/$ /index.php?controller=pornstars; rewrite ^/stars/page([0-9]+).html$ /index.php?controller=pornstars&page=$1; rewrite ^/stars/([A-Za-z0-9-\s]+)/$ /index.php?controller=pornstars&letter=$1&page=1; rewrite ^/stars/([A-Za-z0-9-\s]+)/page([0-9]+).html$ /index.php?controller=pornstars&letter=$1&page=$2; rewrite ^/stars/(.*)-(.*).html$ /index.php?controller=pornstar_bio&id=$2; rewrite ^/mailbox/$ /mailbox.php; rewrite ^/mailbox/([0-9]+)$ /mailbox.php?mode=inbox&page=$1; rewrite ^/mailbox/inbox/(.*)$ /mailbox.php?mode=inbox&page=$1; rewrite ^/mailbox/outbox/(.*)$ /mailbox.php?mode=outbox&page=$1; rewrite ^/mailbox/read/([0-9]+)$ /mailbox.php?mode=read&mid=$1; rewrite ^/mailbox/read/([0-9]+)/delete/$ /mailbox.php?mode=read&mid=$1&delete=true; rewrite ^/mailbox/read/([0-9]+)/spam/$ /mailbox.php?mode=read&mid=$1&spam=true; rewrite ^/mailbox/compose/(.*)/reply/$ /mailbox.php?mode=compose&mid=$1&reply=true; rewrite ^/mailbox/inbox/$ /mailbox.php?mode=inbox; rewrite ^/mailbox/outbox/$ /mailbox.php?mode=outbox; rewrite ^/mailbox/compose/$ /mailbox.php?mode=compose; rewrite ^/user/(.*)-(.*)/$ /index.php?controller=user_profile&id=$2; rewrite ^/members/$ /index.php?controller=members; rewrite ^/members/page([0-9]+).html$ /index.php?controller=members&page=$1; if ($request_method = 'OPTIONS') { add_header 'Access-Control-Allow-Origin' '*'; # # Om nom nom cookies # add_header 'Access-Control-Allow-Credentials' 'true'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; # # Custom headers and headers various browsers *should* be OK with but aren't # add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; # # Tell client that this pre-flight info is valid for 20 days # add_header 'Access-Control-Max-Age' 1728000; add_header 'Content-Type' 'text/plain charset=UTF-8'; add_header 'Content-Length' 0; return 204; } if ($request_method = 'POST') { add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Credentials' 'true'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; } if ($request_method = 'GET') { add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Credentials' 'true'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; } } location /thumbs/ { alias /var/www/domain.tld/media/thumbs/; } location /admin/ { #index index.php; try_files $uri $uri/ /index.php?q=$uri&$args; access_log off; log_not_found off; } location ~ \.mp4$ { limit_rate_after 5m; limit_rate 832k; mp4; mp4_buffer_size 1m; mp4_max_buffer_size 5m; gzip off; sendfile on; aio on; } location ~ \.flv$ { flv; aio on; limit_rate_after 10m; limit_rate 812k; sendfile on; } location ~* ^.+.(jpg|jpeg|gif|css|png|js|ico|xml)$ { access_log off; log_not_found off; aio on; sendfile on; expires max; add_header Pragma 'public'; add_header X-Frame-Options SAMEORIGIN; } #error_page 404 /404.html; # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 # location ~ \.php$ { try_files $uri $uri/ index.php; fastcgi_pass unix:/var/run/php-fpm.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } # deny access to .htaccess files, if Apache's document root # concurs with nginx's one # location ~ /\.ht { deny all; } } Posted at Nginx Forum: https://forum.nginx.org/read.php?2,265879,265879#msg-265879 From reallfqq-nginx at yahoo.fr Mon Apr 4 19:36:36 2016 From: reallfqq-nginx at yahoo.fr (B.R.) Date: Mon, 4 Apr 2016 21:36:36 +0200 Subject: error_page behavior Message-ID: Hello, I am struggling to understand the error_page directive behavior: ?server { listen 80; listen [::]:80; server_name example.org; location /proxied { return 418 "Host: $host, Connection: $http_connection"; } } server { listen 80; listen [::]:80; server_name example.com; root /var/ious/files; error_page 418 = /error_page.html; proxy_intercept_errors on; location /proxy { proxy_pass http://example.org/proxied; } } ? ?Expected behavior: ->Request to http://example.com/proxy -> Sub-request to http://example.org/proxied -> Response HTTP 418 -> Error page for HTTP 418 served http://example.com/error_page.html Observed behavior: -> Request to http://example.com/proxy -> Sub-request to http://example.org/proxied -> Response HTTP 418 -> Error page HTTP 404 (???) ?The error_page.html? file exists in the example.com root directory as any other file. No error message in the error_log file (warn level). ?I am running? nginx v1.8.1. ?What am I doing/understanding wrong?? --- *B. R.* -------------- next part -------------- An HTML attachment was scrubbed... URL: From francis at daoine.org Mon Apr 4 19:54:12 2016 From: francis at daoine.org (Francis Daly) Date: Mon, 4 Apr 2016 20:54:12 +0100 Subject: error_page behavior In-Reply-To: References: Message-ID: <20160404195412.GB9435@daoine.org> On Mon, Apr 04, 2016 at 09:36:36PM +0200, B.R. wrote: Hi there, > I am struggling to understand the error_page directive behavior: I do not get the full same results that you report, when I use 1.9.2. > Expected behavior: > ->Request to http://example.com/proxy > -> Sub-request to http://example.org/proxied > -> Response HTTP 418 > -> Error page for HTTP 418 served http://example.com/error_page.html No. Your "error_page" with "=" eats the 418 status. > Observed behavior: > -> Request to http://example.com/proxy > -> Sub-request to http://example.org/proxied > -> Response HTTP 418 I do get that much. > -> Error page HTTP 404 (???) I only get 404 if error_page.html does not exist. If it does exist, I get it with http 200. Aside from that: I suspect that proxy_intercept_errors does exactly the opposite of what you think it does. What happens if you set it "off"? > What am I doing/understanding wrong? error_page normally does not change the http status. Your extra config told it to change it. Cheers, f -- Francis Daly francis at daoine.org From francis at daoine.org Mon Apr 4 20:12:59 2016 From: francis at daoine.org (Francis Daly) Date: Mon, 4 Apr 2016 21:12:59 +0100 Subject: error_page behavior In-Reply-To: <20160404195412.GB9435@daoine.org> References: <20160404195412.GB9435@daoine.org> Message-ID: <20160404201259.GC9435@daoine.org> On Mon, Apr 04, 2016 at 08:54:12PM +0100, Francis Daly wrote: > On Mon, Apr 04, 2016 at 09:36:36PM +0200, B.R. wrote: Hi there, > > -> Error page HTTP 404 (???) > > I only get 404 if error_page.html does not exist. If it does exist, > I get it with http 200. > > Aside from that: I suspect that proxy_intercept_errors does exactly the > opposite of what you think it does. Apologies - I was wrong there. "proxy_intercept_errors on;" means that error_page *is* used for the returned http status. "proxy_intercept_errors off;" means that it is not, and the full original status+body gets to the client. So you had (and have) it the way that you want it to be. f -- Francis Daly francis at daoine.org From pablo at pablo.com.mx Mon Apr 4 20:31:19 2016 From: pablo at pablo.com.mx (Pablo Fischer) Date: Mon, 4 Apr 2016 13:31:19 -0700 Subject: Nginx TCP stream access log Message-ID: Howdy folks, We are using nginx with stream TCP support but we are wondering if there is a way to have access logs for TCP for at least to know a few things such as: - timestamp (of request) - source address. - destination address - time. Is there a way to log this information? nginx version: nginx/1.9.9 Thanks! -- Pablo From reallfqq-nginx at yahoo.fr Mon Apr 4 20:49:46 2016 From: reallfqq-nginx at yahoo.fr (B.R.) Date: Mon, 4 Apr 2016 22:49:46 +0200 Subject: error_page behavior In-Reply-To: <20160404201259.GC9435@daoine.org> References: <20160404195412.GB9435@daoine.org> <20160404201259.GC9435@daoine.org> Message-ID: Whoops! Minimal test configuration FTW... There was a '/' prefix location block hidden at the bottow of my server one, with an ugly 'try_files $uri.php =404;' directive... As notes, though : I removed the '=' parameter from the error_page directive to simplify, as there is no special processing during error handling. I forgot to update the configuration snippet in the mail. Let's be clear about proxy_intercept_errors: Setting it to 'on' enables error processing through error_page. The default (off) simply propagates the proxy error (status code >= 300) to clients. I should have double/triple/quadruplechecked the configuration before writing on this ML. ?Thanks for your time Francis! And sorry about that...? --- *B. R.* On Mon, Apr 4, 2016 at 10:12 PM, Francis Daly wrote: > On Mon, Apr 04, 2016 at 08:54:12PM +0100, Francis Daly wrote: > > On Mon, Apr 04, 2016 at 09:36:36PM +0200, B.R. wrote: > > Hi there, > > > > -> Error page HTTP 404 (???) > > > > I only get 404 if error_page.html does not exist. If it does exist, > > I get it with http 200. > > > > Aside from that: I suspect that proxy_intercept_errors does exactly the > > opposite of what you think it does. > > Apologies - I was wrong there. > > "proxy_intercept_errors on;" means that error_page *is* used for the > returned http status. > > "proxy_intercept_errors off;" means that it is not, and the full original > status+body gets to the client. > > So you had (and have) it the way that you want it to be. > > f > -- > Francis Daly francis at daoine.org > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From nginx-forum at forum.nginx.org Mon Apr 4 20:52:46 2016 From: nginx-forum at forum.nginx.org (tjunussov@gmail.com) Date: Mon, 04 Apr 2016 16:52:46 -0400 Subject: Using inline processing instructions with XSLT module? In-Reply-To: <20090512081049.GL47175@forum.nginx.org> References: <56fbd37aa79a18bcd514a4bc9053c837.NginxMailingList@forum.nginx.org> <20090512081049.GL47175@forum.nginx.org> Message-ID: <58c30703d15d06f84b0bce36e837bad7.NginxMailingListEnglish@forum.nginx.org> Can we vote for this feature ? If it is security risk, may be sandbox it to local location only Posted at Nginx Forum: https://forum.nginx.org/read.php?2,1905,265887#msg-265887 From francis at daoine.org Tue Apr 5 07:41:56 2016 From: francis at daoine.org (Francis Daly) Date: Tue, 5 Apr 2016 08:41:56 +0100 Subject: hide/strip set cookies on static files and howto use alias In-Reply-To: <81c2e0082084ed6b1a5596d829ac3da0.NginxMailingListEnglish@forum.nginx.org> References: <81c2e0082084ed6b1a5596d829ac3da0.NginxMailingListEnglish@forum.nginx.org> Message-ID: <20160405074156.GD9435@daoine.org> On Mon, Apr 04, 2016 at 12:29:32PM -0400, JoakimR wrote: Hi there, > I have a few questions about how do I configure it. It's worth making sure that you are aware how nginx works, which is (very briefly and roughly): * one request is handled in one location{} * only the configuration in, or inherited into, that location matters * inheritance is typically by replacement, or not at all * directives from the "rewrite" module can interfere with the above * documentation for "location" is at http://nginx.org/r/location > First question: > > How do I strip the "Set-Cookie" header from all static files like css and > jpg? I know i can setup a reverse proxy and use "proxy_hide_header > Set-Cookie", but seems like foolish to make yet another host, just to > reverse to your self and add a few hundred msec to the request. Where does the "Set-Cookie" header come from? Default nginx does not add it. Can you create a small configuration which shows the problem? Copy-paste the configuration and a "curl -v" request and response to show the Set-Cookie header; that should make it more obvious what needs to be fixed. > Second question: > > I'm trying to make an alias to hide a folder in the lookup to the subfolder, > the structure is: > /var/www/domain.tld/media/ads > /var/www/domain.tld/media/galleries > /var/www/domain.tld/media/misc > /var/www/domain.tld/media/thumbs > > making the url like this /media/thumbs/5 subfolders/image-file > > how do i change that into /thumbs/5 subfolders/image-file For anything involving "root" or "alias", the questions to consider are: * what file on your filesystem do you wish to fetch? * what url do you wish to use, to fetch that file? And just in case it is not immediately obvious from those answers: * what is the intended mapping between url and filename? With that information, it may become clear what "root" or "alias" directive to use in the "location" that handles the request. For the above, I suspect that "root /var/www/domain.tld/media;" may be what you want, in the location{} that handles these requests. > I have tried with both alias and root but both returns a 404 What does the error log show? Usually it shows the request, and the filename attempted, for a 404. That may give a hint at what configuration should be used. What request did you make? What location{} did you put your root or alias directive in? > Third question: > [error] 9178#9178: *13452 upstream timed out (110: Connection timed out) > while reading response header from upstream, client: upstream: > "fastcgi://unix:/var/run/php-fpm.sock", host: > > have a lot of those, any suggestions? Either: ask your fastcgi server why it is slow to respond (check its logs); or ask nginx to wait longer before giving up (http://nginx.org/r/fastcgi_read_timeout). These are the "location" definitions that you show: > location / { > location /thumbs/ { > location /admin/ { > location ~ \.mp4$ { > location ~ \.flv$ { > location ~* ^.+.(jpg|jpeg|gif|css|png|js|ico|xml)$ { > location = /50x.html { > location ~ \.php$ { > location ~ /\.ht { For each test request that you make, which location block have you configured nginx to use to handle it? Is that the one that you want nginx to use to handle it? Good luck with it, f -- Francis Daly francis at daoine.org From tseveendorj at on-air.mn Tue Apr 5 11:11:44 2016 From: tseveendorj at on-air.mn (tseveendorj) Date: Tue, 5 Apr 2016 20:11:44 +0900 Subject: Rewrite Message-ID: <57039D70.7000000@on-air.mn> Hello, I cannot do following request URL is http://domain.com/x4Zbs5B It should be http://domain.com/index.php?download=x4Zbs5B I tried location / { rewrite ^/([^/][a-zA-Z0-9]+)$ /index.php?download=$1 break; try_files $uri $uri/ /index.php?download=$uri; } but it is downloading index.php file itself :D how to on nginx ? From mdounin at mdounin.ru Tue Apr 5 15:11:28 2016 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 5 Apr 2016 18:11:28 +0300 Subject: nginx-1.9.14 Message-ID: <20160405151127.GU36620@mdounin.ru> Changes with nginx 1.9.14 05 Apr 2016 *) Feature: OpenSSL 1.1.0 compatibility. *) Feature: the "proxy_request_buffering", "fastcgi_request_buffering", "scgi_request_buffering", and "uwsgi_request_buffering" directives now work with HTTP/2. *) Bugfix: "zero size buf in output" alerts might appear in logs when using HTTP/2. *) Bugfix: the "client_max_body_size" directive might work incorrectly when using HTTP/2. *) Bugfix: of minor bugs in logging. -- Maxim Dounin http://nginx.org/ From nginx-forum at forum.nginx.org Tue Apr 5 15:12:49 2016 From: nginx-forum at forum.nginx.org (marcosbontempo) Date: Tue, 05 Apr 2016 11:12:49 -0400 Subject: Nginx collect status data Message-ID: <3b80c66744bd99944f78b2095ad9472f.NginxMailingListEnglish@forum.nginx.org> Hello, I'm using the nginx free version and I need to collect status data like number of connections, number of requests per second, failures, latency and sent and received bytes. Is there a way to get these informations with the nginx free version? I need more detailed status than the informed by the stub page. Any tip will be very helpful, Thanks. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,265920,265920#msg-265920 From vbart at nginx.com Tue Apr 5 15:21:31 2016 From: vbart at nginx.com (Valentin V. Bartenev) Date: Tue, 05 Apr 2016 18:21:31 +0300 Subject: Nginx collect status data In-Reply-To: <3b80c66744bd99944f78b2095ad9472f.NginxMailingListEnglish@forum.nginx.org> References: <3b80c66744bd99944f78b2095ad9472f.NginxMailingListEnglish@forum.nginx.org> Message-ID: <4712274.nqC780YLan@vbart-workstation> On Tuesday 05 April 2016 11:12:49 marcosbontempo wrote: > Hello, > > I'm using the nginx free version and I need to collect status data like > number of connections, number of requests per second, failures, latency and > sent and received bytes. Is there a way to get these informations with the > nginx free version? I need more detailed status than the informed by the > stub page. > > Any tip will be very helpful, > > Thanks. > You can try NGINX Amplify: https://www.nginx.com/amplify/ wbr, Valentin V. Bartenev From nginx-forum at forum.nginx.org Tue Apr 5 17:16:56 2016 From: nginx-forum at forum.nginx.org (itpp2012) Date: Tue, 05 Apr 2016 13:16:56 -0400 Subject: Nginx collect status data In-Reply-To: <3b80c66744bd99944f78b2095ad9472f.NginxMailingListEnglish@forum.nginx.org> References: <3b80c66744bd99944f78b2095ad9472f.NginxMailingListEnglish@forum.nginx.org> Message-ID: <58640b53718adaf58a700b4b601f6ee1.NginxMailingListEnglish@forum.nginx.org> marcosbontempo Wrote: ------------------------------------------------------- > Hello, > > I'm using the nginx free version and I need to collect status data > like number of connections, number of requests per second, failures, > latency and sent and received bytes. Is there a way to get these > informations with the nginx free version? I need more detailed status > than the informed by the stub page. https://github.com/vozlt/nginx-module-vts Posted at Nginx Forum: https://forum.nginx.org/read.php?2,265920,265926#msg-265926 From francis at daoine.org Tue Apr 5 22:48:21 2016 From: francis at daoine.org (Francis Daly) Date: Tue, 5 Apr 2016 23:48:21 +0100 Subject: Rewrite In-Reply-To: <57039D70.7000000@on-air.mn> References: <57039D70.7000000@on-air.mn> Message-ID: <20160405224821.GE9435@daoine.org> On Tue, Apr 05, 2016 at 08:11:44PM +0900, tseveendorj wrote: Hi there, > request URL is http://domain.com/x4Zbs5B > It should be http://domain.com/index.php?download=x4Zbs5B > > I tried > location / { > rewrite ^/([^/][a-zA-Z0-9]+)$ /index.php?download=$1 break; I'm not sure that the four characters "[^/]" are doing anything useful on that line. I am sure that "break" is not what you want there. Just remove it. > try_files $uri $uri/ /index.php?download=$uri; > } > but it is downloading index.php file itself :D Presumably somewhere else in your config you tell nginx how to handle /index.php? f -- Francis Daly francis at daoine.org From shirley at nginx.com Wed Apr 6 00:15:18 2016 From: shirley at nginx.com (Shirley Bailes) Date: Tue, 5 Apr 2016 17:15:18 -0700 Subject: =?UTF-8?Q?nginx=2Econf_2016=3A_CFP_Now_Open_=E2=80=93_Submit_a_Proposal!?= Message-ID: Hello all! We?re excited to announce that the call for proposals for the third NGINX conference, nginx.conf 2016 is open. Please submit a talk, and share the CFP with those you know who have good NGINX stories to share: https://nginxconf16.busyconf.com/proposals/new/ *Deadline to submit: 11:59PM CDT, May 5, 2016.* Our goal is to help attendees learn about NGINX use cases, insights, and best practices from real-world experts like you. We want to hear how you?re using NGINX and/or NGINX Plus across any type of application and in any sort of environment. We?d love to see talks on any of the topics below: - Architecting, Developing, & Deploying Code - Scaling and Securing Applications - NGINX-specific and NGINX Plus-Specific Case Studies & Best Practices *Conference details: * - nginx.conf 2016 will be held in Austin, TX - Venue: Hilton Austin, East 4th Street - Dates: September 7-9 - Twitter: #nginxconf Questions? Email us: events at nginx.com. Looking forward to seeing your submissions, *s 707.569.4888 -------------- next part -------------- An HTML attachment was scrubbed... URL: From nginx-forum at forum.nginx.org Wed Apr 6 00:43:24 2016 From: nginx-forum at forum.nginx.org (meteor8488) Date: Tue, 05 Apr 2016 20:43:24 -0400 Subject: Headers More module is not working in nginx-devel Message-ID: <36625eb7c11f69ca43e6bbf688e2c2bb.NginxMailingListEnglish@forum.nginx.org> Hi All, I'm using FreeBSD with nginx-devel. It seems that this problem is lasting for a long time (at least start from nginx 1.9.10 ). Even though I built the source with this module, this module is still not working. After add below configuration into http {}, more_set_headers "Server: my_server"; If try to start nginx, will always get error : nginx: [emerg] unknown directive "more_set_headers" in /usr/local/etc/nginx/nginx.conf Not sure which forum should I report this bug to, nginx forum or FreeBSD forum? Posted at Nginx Forum: https://forum.nginx.org/read.php?2,265939,265939#msg-265939 From jim at ohlste.in Wed Apr 6 00:53:08 2016 From: jim at ohlste.in (Jim Ohlstein) Date: Tue, 5 Apr 2016 20:53:08 -0400 Subject: Headers More module is not working in nginx-devel In-Reply-To: <36625eb7c11f69ca43e6bbf688e2c2bb.NginxMailingListEnglish@forum.nginx.org> References: <36625eb7c11f69ca43e6bbf688e2c2bb.NginxMailingListEnglish@forum.nginx.org> Message-ID: Hello, Jim Ohlstein > On Apr 5, 2016, at 8:43 PM, meteor8488 wrote: > > Hi All, > > I'm using FreeBSD with nginx-devel. It seems that this problem is lasting > for a long time (at least start from nginx 1.9.10 ). > > Even though I built the source with this module, this module is still not > working. > > After add below configuration into http {}, > more_set_headers "Server: my_server"; > > If try to start nginx, will always get error : > > nginx: [emerg] unknown directive "more_set_headers" in > /usr/local/etc/nginx/nginx.conf I'm guessing that you need to add: load_module modules/ngx_http_headers_more_filter_module.so; to the main section of nginx. conf. From jimssupp at rushpost.com Wed Apr 6 00:53:13 2016 From: jimssupp at rushpost.com (JimS) Date: Tue, 05 Apr 2016 17:53:13 -0700 Subject: Headers More module is not working in nginx-devel In-Reply-To: <36625eb7c11f69ca43e6bbf688e2c2bb.NginxMailingListEnglish@forum.nginx.org> References: <36625eb7c11f69ca43e6bbf688e2c2bb.NginxMailingListEnglish@forum.nginx.org> Message-ID: <1459903993.557872.570208521.5651C0CB@webmail.messagingengine.com> On Tue, Apr 5, 2016, at 05:43 PM, meteor8488 wrote: > Hi All, > > I'm using FreeBSD with nginx-devel. It seems that this problem is lasting > for a long time (at least start from nginx 1.9.10 ). > > Even though I built the source with this module, this module is still not > working. > > After add below configuration into http {}, > more_set_headers "Server: my_server"; > > If try to start nginx, will always get error : > > nginx: [emerg] unknown directive "more_set_headers" in > /usr/local/etc/nginx/nginx.conf > > > Not sure which forum should I report this bug to, nginx forum or FreeBSD > forum? It's never not worked for me as long as I've been using it. Currently I've nginx v1.9.14, and it's fine. Post the output of your `nginx -V`. Show how you configure & build the module, or where you're getting it from. Jim From nginx-forum at forum.nginx.org Wed Apr 6 04:39:33 2016 From: nginx-forum at forum.nginx.org (fevangelou) Date: Wed, 06 Apr 2016 00:39:33 -0400 Subject: Nginx proxy cache/temp folders empty when located inside /tmp on CentOS 7 Message-ID: <6d9bede86523beb66a1fbd352ded4b91.NginxMailingListEnglish@forum.nginx.org> (First post in the Nginx forum, so please bear with me if it seems slightly long...) I'm the maker of Engintron, a popular cPanel plugin which integrates Nginx as a reverse caching proxy in front of Apache. The project started in Dec 2014, it is open source & free and you can check out the code here, including Nginx configuration files: https://github.com/engintron/engintron In Feb 2016 I rewrote the plugin from scratch using a more efficient universal proxy configuration in Nginx, for any domain hosted on a cPanel server. The benefit is that you install Engintron on your cPanel server and it just works, with zero maintenance and no vhost sync'ing between Nginx & Apache like similar plugins for cPanel. I am defining 2 proxy cache zones/pools plus a proxy temp location in /etc/nginx/nginx.conf like this: proxy_cache_path /tmp/engintron_dynamic levels=1:2 keys_zone=engintron_dynamic:20m inactive=10m max_size=500m; proxy_cache_path /tmp/engintron_static levels=1:2 keys_zone=engintron_static:20m inactive=10m max_size=500m; proxy_temp_path /tmp/engintron_temp; Nginx does 1 min caching for static assets like CSS, JS, images etc. and 1 sec micro-caching for dynamic/HTML content. The latter is used so that it doesn't break sites with user-generated content such as forums, e-commerce sites etc. In CentOS versions 5 & 6, the folders referenced above will start filling up when Nginx is installed via Engintron, as Nginx caching kicks in. In CentOS 7 however - and this has been verified in multiple cPanel installations on my end, as well as other Engintron users via the project's Issues section on GitHub- the above folders are just empty. However caching DOES work in CentOS 7, at least according to the headers sent by Nginx as well as by checking a static file if it gets cached. For example if I modify this CSS file http://www.benetomaretti.com/templates/vp_merchant/css/template.css I won't see any changes until a minute has passed (1 min static cache). So the file does indeed get cached by Nginx, but the cache entry does not appear in the proxy cache/temp folders. These folders show up as empty with a simple du command. And if you check the same file via curl, you get something like this: $ curl -I http://www.benetomaretti.com/templates/vp_merchant/css/template.css HTTP/1.1 200 OK Server: nginx Date: Wed, 06 Apr 2016 04:27:52 GMT Content-Type: text/css Content-Length: 45237 Connection: keep-alive Vary: Accept-Encoding Last-Modified: Wed, 06 Apr 2016 04:25:52 GMT ETag: "45a86635-b0b5-52fc95b6d4120" Expires: Fri, 06 May 2016 04:27:52 GMT Cache-Control: max-age=2592000 X-Cache-Status: HIT X-Server-Powered-By: Engintron Pragma: public Cache-Control: public Vary: Accept-Encoding Accept-Ranges: bytes I'm really out of ideas why on earth there's this behaviour with CentOS 7 specifically. Any pointers would be appreciated. For the record, the (re-written) release of Engintron in Feb 2016 already has more than 1300 server deployments in 72 countries worldwide. It's in my plans to also get anonymous system metrics at some point in the near future, so I know which CentOS version is used (along with other data such Apache version, MySQL version etc.). In the meantime I can't know what percentage uses CentOS 7, but judging from the fact that new cPanel deployments usually get setup on CentOS 7, I'm assuming the percentage may be high overall. Thanks in advance for any help or guidance. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,265943,265943#msg-265943 From ahutchings at nginx.com Wed Apr 6 07:32:30 2016 From: ahutchings at nginx.com (Andrew Hutchings) Date: Wed, 6 Apr 2016 08:32:30 +0100 Subject: Nginx proxy cache/temp folders empty when located inside /tmp on CentOS 7 In-Reply-To: <6d9bede86523beb66a1fbd352ded4b91.NginxMailingListEnglish@forum.nginx.org> References: <6d9bede86523beb66a1fbd352ded4b91.NginxMailingListEnglish@forum.nginx.org> Message-ID: <5704BB8E.7070904@nginx.com> Hi, This gives a good explanation of what you are observing: https://securityblog.redhat.com/2014/04/09/new-red-hat-enterprise-linux-7-security-feature-privatetmp/ Kind Regards Andrew On 06/04/16 05:39, fevangelou wrote: > (First post in the Nginx forum, so please bear with me if it seems slightly > long...) > > I'm the maker of Engintron, a popular cPanel plugin which integrates Nginx > as a reverse caching proxy in front of Apache. The project started in Dec > 2014, it is open source & free and you can check out the code here, > including Nginx configuration files: https://github.com/engintron/engintron > > In Feb 2016 I rewrote the plugin from scratch using a more efficient > universal proxy configuration in Nginx, for any domain hosted on a cPanel > server. The benefit is that you install Engintron on your cPanel server and > it just works, with zero maintenance and no vhost sync'ing between Nginx & > Apache like similar plugins for cPanel. > > I am defining 2 proxy cache zones/pools plus a proxy temp location in > /etc/nginx/nginx.conf like this: > > proxy_cache_path /tmp/engintron_dynamic levels=1:2 > keys_zone=engintron_dynamic:20m inactive=10m max_size=500m; > proxy_cache_path /tmp/engintron_static levels=1:2 > keys_zone=engintron_static:20m inactive=10m max_size=500m; > proxy_temp_path /tmp/engintron_temp; > > Nginx does 1 min caching for static assets like CSS, JS, images etc. and 1 > sec micro-caching for dynamic/HTML content. The latter is used so that it > doesn't break sites with user-generated content such as forums, e-commerce > sites etc. > > In CentOS versions 5 & 6, the folders referenced above will start filling up > when Nginx is installed via Engintron, as Nginx caching kicks in. > In CentOS 7 however - and this has been verified in multiple cPanel > installations on my end, as well as other Engintron users via the project's > Issues section on GitHub- the above folders are just empty. > > However caching DOES work in CentOS 7, at least according to the headers > sent by Nginx as well as by checking a static file if it gets cached. > > For example if I modify this CSS file > http://www.benetomaretti.com/templates/vp_merchant/css/template.css I won't > see any changes until a minute has passed (1 min static cache). So the file > does indeed get cached by Nginx, but the cache entry does not appear in the > proxy cache/temp folders. These folders show up as empty with a simple du > command. > > And if you check the same file via curl, you get something like this: > > $ curl -I > http://www.benetomaretti.com/templates/vp_merchant/css/template.css > HTTP/1.1 200 OK > Server: nginx > Date: Wed, 06 Apr 2016 04:27:52 GMT > Content-Type: text/css > Content-Length: 45237 > Connection: keep-alive > Vary: Accept-Encoding > Last-Modified: Wed, 06 Apr 2016 04:25:52 GMT > ETag: "45a86635-b0b5-52fc95b6d4120" > Expires: Fri, 06 May 2016 04:27:52 GMT > Cache-Control: max-age=2592000 > X-Cache-Status: HIT > X-Server-Powered-By: Engintron > Pragma: public > Cache-Control: public > Vary: Accept-Encoding > Accept-Ranges: bytes > > I'm really out of ideas why on earth there's this behaviour with CentOS 7 > specifically. > > Any pointers would be appreciated. > > For the record, the (re-written) release of Engintron in Feb 2016 already > has more than 1300 server deployments in 72 countries worldwide. > > It's in my plans to also get anonymous system metrics at some point in the > near future, so I know which CentOS version is used (along with other data > such Apache version, MySQL version etc.). In the meantime I can't know what > percentage uses CentOS 7, but judging from the fact that new cPanel > deployments usually get setup on CentOS 7, I'm assuming the percentage may > be high overall. > > Thanks in advance for any help or guidance. > > Posted at Nginx Forum: https://forum.nginx.org/read.php?2,265943,265943#msg-265943 > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -- Andrew Hutchings (LinuxJedi) Technical Product Manager, NGINX Inc. From roni at citrusinformatics.com Wed Apr 6 10:44:50 2016 From: roni at citrusinformatics.com (Roni Baby) Date: Wed, 6 Apr 2016 16:14:50 +0530 Subject: Help for nginx proxy pass rule Message-ID: <005101d18ff1$5a5427d0$0efc7770$@com> HI, We have a WordPress site named it as https://www.abc.com; We are using Nginx as the web server for this site. I wanted to create a proxy pass rule like this https://www.abc.com/static/js/widget.js will be load from https://www.xys.org/static/js/widget.js without changing URL Here is the configuration that I configured for this requirement in the www.abc.com Nginx site configuration file location /static { proxy_pass https://www.xys.org/static; proxy_set_header Host www.xys.org; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } When I access https://www.abc.com/static/js/widget.js, I am getting Nginx 404 Not Found error with the following error log in its log file 2016/04/06 06:39:14 [error] 20107#0: *907 open() "/usr/share/nginx/html/www.abc.com/static/js/widget.js" failed (2: No such file or directory), client: 118.102.223.138, server: www.abc.com, request: "GET /static/js/widget.js HTTP/1.1", host: www.abc.com I have tried different Nginx proxy pass configuration but not success yet. It will be good to get your thought to fix this issues Thanks Roni -------------- next part -------------- An HTML attachment was scrubbed... URL: From nginx-forum at forum.nginx.org Wed Apr 6 12:53:22 2016 From: nginx-forum at forum.nginx.org (meteor8488) Date: Wed, 06 Apr 2016 08:53:22 -0400 Subject: Headers More module is not working in nginx-devel In-Reply-To: References: Message-ID: <09778cb76153ce025bd2644cdb171b7d.NginxMailingListEnglish@forum.nginx.org> Thanks. You're right. After I load the module, it works. Another question is for now I have 3 modules -r-xr-xr-x 1 root wheel 17K 4 6 07:27 ngx_http_geoip_module.so* -r-xr-xr-x 1 root wheel 25K 4 6 07:27 ngx_http_headers_more_filter_module.so* -r-xr-xr-x 1 root wheel 328K 4 6 07:27 ngx_http_lua_module.so* But it seems I only need to load ngx_http_headers_more_filter_module.so. For geoip and lua module, even though I didn't load them, they are still working. So is there any differences between these modules? Why some of them need to be loaded before use, some are not? Posted at Nginx Forum: https://forum.nginx.org/read.php?2,265939,265952#msg-265952 From kworthington at gmail.com Wed Apr 6 13:17:09 2016 From: kworthington at gmail.com (Kevin Worthington) Date: Wed, 6 Apr 2016 09:17:09 -0400 Subject: [nginx-announce] nginx-1.9.14 In-Reply-To: <20160405151132.GV36620@mdounin.ru> References: <20160405151132.GV36620@mdounin.ru> Message-ID: Hello Nginx users, Now available: Nginx 1.9.14 for Windows https://kevinworthington.com/nginxwin1914 (32-bit and 64-bit versions) These versions are to support legacy users who are already using Cygwin based builds of Nginx. Officially supported native Windows binaries are at nginx.org. Announcements are also available here: Twitter http://twitter.com/kworthington Google+ https://plus.google.com/+KevinWorthington/ Thank you, Kevin -- Kevin Worthington kworthington *@* (gmail] [dot} {com) http://kevinworthington.com/ http://twitter.com/kworthington https://plus.google.com/+KevinWorthington/ On Tue, Apr 5, 2016 at 11:11 AM, Maxim Dounin wrote: > Changes with nginx 1.9.14 05 Apr > 2016 > > *) Feature: OpenSSL 1.1.0 compatibility. > > *) Feature: the "proxy_request_buffering", "fastcgi_request_buffering", > "scgi_request_buffering", and "uwsgi_request_buffering" directives > now work with HTTP/2. > > *) Bugfix: "zero size buf in output" alerts might appear in logs when > using HTTP/2. > > *) Bugfix: the "client_max_body_size" directive might work incorrectly > when using HTTP/2. > > *) Bugfix: of minor bugs in logging. > > > -- > Maxim Dounin > http://nginx.org/ > > _______________________________________________ > nginx-announce mailing list > nginx-announce at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx-announce > -------------- next part -------------- An HTML attachment was scrubbed... URL: From anoopalias01 at gmail.com Wed Apr 6 13:21:26 2016 From: anoopalias01 at gmail.com (Anoop Alias) Date: Wed, 6 Apr 2016 18:51:26 +0530 Subject: Help for nginx proxy pass rule In-Reply-To: <005101d18ff1$5a5427d0$0efc7770$@com> References: <005101d18ff1$5a5427d0$0efc7770$@com> Message-ID: Are you sure the location is working? abc.com/static/js/widget.js" failed (2: No such file or directory) - I think its trying to access that file locally and not via the proxy On Wed, Apr 6, 2016 at 4:14 PM, Roni Baby wrote: > HI, > > > > We have a WordPress site named it as https://www.abc.com; We are using Nginx > as the web server for this site. I wanted to create a proxy pass rule like > this > > > > https://www.abc.com/static/js/widget.js will be load from > https://www.xys.org/static/js/widget.js without changing URL > > > > Here is the configuration that I configured for this requirement in the > www.abc.com Nginx site configuration file > > > > location /static { > > proxy_pass https://www.xys.org/static; > > proxy_set_header Host www.xys.org; > > proxy_set_header X-Real-IP $remote_addr; > > proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; > > proxy_set_header X-Forwarded-Proto $scheme; > > } > > > > When I access https://www.abc.com/static/js/widget.js, I am getting Nginx > 404 Not Found error with the following error log in its log file > > 2016/04/06 06:39:14 [error] 20107#0: *907 open() > "/usr/share/nginx/html/www.abc.com/static/js/widget.js" failed (2: No such > file or directory), client: 118.102.223.138, server: www.abc.com, request: > "GET /static/js/widget.js HTTP/1.1", host: www.abc.com > > I have tried different Nginx proxy pass configuration but not success yet. > It will be good to get your thought to fix this issues > > Thanks > > Roni > > > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx -- Anoop P Alias From robin at reportlab.com Wed Apr 6 13:26:25 2016 From: robin at reportlab.com (Robin Becker) Date: Wed, 6 Apr 2016 14:26:25 +0100 Subject: default server with custom 404 Message-ID: <57050E81.4030405@chamonix.reportlab.co.uk> I see this question has been asked and answered many times, but I am unable to make it work. On a server with multiple virtual hosts I wish to make a catchall which responds to everything with a 404 that reveals no information. I am running nginx version: nginx/1.8.1 on ubuntu 14.04. My catchall looks like this server { listen 80 default_server; listen 443 ssl default_server; allow all; charset utf-8; error_page 404 /404.html; root /mypath/html/; location = /404.html { root /mypath/html/; } location / { return 404; } } if I make a fake /etc/hosts dns say dongo.bilbo.com and point at my server then http://dongo.bilbo.com/404.html shows me the correct 404 page with no Nginx info, however, any other path eg http://dongo.bilbo.com always shows me the standard Nginx 404 page. Is there a way to customize my error page for this case? I would add that the following works well for my real sites > charset utf-8; > error_page 404 /404.html; > location /404.html { > root /mypath/html; > } and there I do see the 404.html from /mypath/html when I visit missing pages. Alternatively is there a way to override nginx's 404 page so it doesn't reveal the server. -- Robin Becker From roni at citrusinformatics.com Wed Apr 6 13:28:07 2016 From: roni at citrusinformatics.com (Roni Baby) Date: Wed, 6 Apr 2016 18:58:07 +0530 Subject: Help for nginx proxy pass rule In-Reply-To: References: <005101d18ff1$5a5427d0$0efc7770$@com> Message-ID: <007b01d19008$28fccf90$7af66eb0$@com> Yes the destination URl [https://www.xys.org/static/js/widget.js] is working perfectly alone Why it tried locally? I used proxypass rule for it. If I wanted to do anything to enable proxy capability in my Nginx? Thanks for your reply Roni -----Original Message----- From: nginx [mailto:nginx-bounces at nginx.org] On Behalf Of Anoop Alias Sent: 06 April 2016 18:51 To: Nginx Subject: Re: Help for nginx proxy pass rule Are you sure the location is working? abc.com/static/js/widget.js" failed (2: No such file or directory) - I think its trying to access that file locally and not via the proxy On Wed, Apr 6, 2016 at 4:14 PM, Roni Baby wrote: > HI, > > > > We have a WordPress site named it as https://www.abc.com; We are using > Nginx as the web server for this site. I wanted to create a proxy pass > rule like this > > > > https://www.abc.com/static/js/widget.js will be load from > https://www.xys.org/static/js/widget.js without changing URL > > > > Here is the configuration that I configured for this requirement in > the www.abc.com Nginx site configuration file > > > > location /static { > > proxy_pass https://www.xys.org/static; > > proxy_set_header Host www.xys.org; > > proxy_set_header X-Real-IP $remote_addr; > > proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; > > proxy_set_header X-Forwarded-Proto $scheme; > > } > > > > When I access https://www.abc.com/static/js/widget.js, I am getting > Nginx > 404 Not Found error with the following error log in its log file > > 2016/04/06 06:39:14 [error] 20107#0: *907 open() > "/usr/share/nginx/html/www.abc.com/static/js/widget.js" failed (2: No > such file or directory), client: 118.102.223.138, server: www.abc.com, request: > "GET /static/js/widget.js HTTP/1.1", host: www.abc.com > > I have tried different Nginx proxy pass configuration but not success yet. > It will be good to get your thought to fix this issues > > Thanks > > Roni > > > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx -- Anoop P Alias _______________________________________________ nginx mailing list nginx at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx From jim at ohlste.in Wed Apr 6 13:42:51 2016 From: jim at ohlste.in (Jim Ohlstein) Date: Wed, 6 Apr 2016 09:42:51 -0400 Subject: Headers More module is not working in nginx-devel In-Reply-To: <09778cb76153ce025bd2644cdb171b7d.NginxMailingListEnglish@forum.nginx.org> References: <09778cb76153ce025bd2644cdb171b7d.NginxMailingListEnglish@forum.nginx.org> Message-ID: <5705125B.1020105@ohlste.in> Hello, On 4/6/16 8:53 AM, meteor8488 wrote: > Thanks. You're right. After I load the module, it works. > > Another question is for now I have 3 modules > > -r-xr-xr-x 1 root wheel 17K 4 6 07:27 ngx_http_geoip_module.so* > -r-xr-xr-x 1 root wheel 25K 4 6 07:27 > ngx_http_headers_more_filter_module.so* > -r-xr-xr-x 1 root wheel 328K 4 6 07:27 ngx_http_lua_module.so* > > But it seems I only need to load ngx_http_headers_more_filter_module.so. For > geoip and lua module, even though I didn't load them, they are still > working. > > So is there any differences between these modules? Why some of them need to > be loaded before use, some are not? > Most likely you are not using those modules in your configuration. You will only get a complaint from nginx if they are referenced in your configuration file(s) and not loaded. Since you built nginx from FreeBSD ports, you can look at /usr/local/etc/nginx/nginx.conf-dist and it will show all the modules that have been built and need to be loaded dynamically if used. -- Jim Ohlstein "Never argue with a fool, onlookers may not be able to tell the difference." - Mark Twain From slim at inbox.lv Wed Apr 6 15:32:25 2016 From: slim at inbox.lv (=?UTF-8?B?0JTQtdC90LjRgdC60LAt0YDQtdC00LjRgdC60LA=?=) Date: Wed, 06 Apr 2016 18:32:25 +0300 Subject: bug in processing passwords with backslash in mail/imap proxy code Message-ID: <1459956745.57052c090d7e7@mail.inbox.lv> Hello, looks like there is a bug in nginx 1.8.1 in mail proxy code which used for authorization: backslash becomes stripped from password when quoted in imap command: * OK IMAP4 ready p LOGIN "testdev" ",\REz=#tPc" p NO Invalid login or password p LOGIN "testdev" ,\REz=#tPc p OK [CAPABILITY..... auth_http gets following: GET /auth HTTP/1.0 Host: 127.0.0.1 Auth-Method: plain Auth-User: testdev Auth-Pass: ,REz=#tPc Auth-Protocol: imap and GET /auth HTTP/1.0 Host: 127.0.0.1 Auth-Method: plain Auth-User: testdev Auth-Pass: ,\REz=#tPc Auth-Protocol: imap respectivelly nginx conf is as following: mail { server { listen 127.0.0.1:143; server_name mail.example.com; auth_http 127.0.0.1:900/auth; protocol imap; proxy on; } } From mdounin at mdounin.ru Wed Apr 6 15:59:26 2016 From: mdounin at mdounin.ru (Maxim Dounin) Date: Wed, 6 Apr 2016 18:59:26 +0300 Subject: bug in processing passwords with backslash in mail/imap proxy code In-Reply-To: <1459956745.57052c090d7e7@mail.inbox.lv> References: <1459956745.57052c090d7e7@mail.inbox.lv> Message-ID: <20160406155926.GC36620@mdounin.ru> Hello! On Wed, Apr 06, 2016 at 06:32:25PM +0300, ???????-??????? wrote: > Hello, > > looks like there is a bug in nginx 1.8.1 in mail proxy code which used for authorization: > backslash becomes stripped from password when quoted in imap command: > > * OK IMAP4 ready > p LOGIN "testdev" ",\REz=#tPc" > p NO Invalid login or password This should be "p BAD Syntax error", but nginx doesn't care to check syntax so strictly and allows any character after a backslash. Quoting RFC 3501, http://tools.ietf.org/html/rfc3501#section-9: : quoted = DQUOTE *QUOTED-CHAR DQUOTE : : QUOTED-CHAR = / : "\" quoted-specials : : quoted-specials = DQUOTE / "\" In summary: fix the client. -- Maxim Dounin http://nginx.org/ From slim at inbox.lv Wed Apr 6 17:09:30 2016 From: slim at inbox.lv (=?UTF-8?B?0JTQtdC90LjRgdC60LAt0YDQtdC00LjRgdC60LA=?=) Date: Wed, 06 Apr 2016 20:09:30 +0300 Subject: bug in processing passwords with backslash in mail/imap proxy code In-Reply-To: <20160406155926.GC36620@mdounin.ru> References: <1459956745.57052c090d7e7@mail.inbox.lv> <20160406155926.GC36620@mdounin.ru> Message-ID: <1459962570.570542ca15bf3@mail.inbox.lv> for note, the client is saslauthd from cyrus-sasl package running with -a rimap ? ??????????? Maxim Dounin : > Hello! > On Wed, Apr 06, 2016 at 06:32:25PM +0300, ???????-??????? wrote: > > Hello, > > > > looks like there is a bug in nginx 1.8.1 in mail proxy code which used for authorization: > > backslash becomes stripped from password when quoted in imap command: > > > > * OK IMAP4 ready > > p LOGIN "testdev" ",\REz=#tPc" > > p NO Invalid login or password > This should be "p BAD Syntax error", but nginx doesn't care to > check syntax so strictly and allows any character after a > backslash. > Quoting RFC 3501, http://tools.ietf.org/html/rfc3501#section-9: > : quoted = DQUOTE *QUOTED-CHAR DQUOTE > : > : QUOTED-CHAR = / > : "\" quoted-specials > : > : quoted-specials = DQUOTE / "\" > In summary: fix the client. > -- > Maxim Dounin > http://nginx.org/ > _______________________________________________ > nginx mailing list > nginx at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx From nginx-forum at forum.nginx.org Wed Apr 6 19:38:31 2016 From: nginx-forum at forum.nginx.org (jshare) Date: Wed, 06 Apr 2016 15:38:31 -0400 Subject: Bug in 1.9.14 or something else? Message-ID: I'm running a WordPress 4.4.2-based membership site on Ubuntu 12.04 LTS with PHP 5.6.20. After upgrading to 1.9.14 (compiling from source with no errors or warnings), I could no longer log in to my site, using Firefox/Chrome/IE. Trying to login didn't timeout. Instead, fairly quickly, I would get an error message like this in Firefox: ---------- Secure Connection Failed The connection to jobmob.co.il was interrupted while the page was loading. The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem. Learn more? ---------- Tailing the error logs, nothing at all appears when I try to log in. My WordPress install is Multisite, which means I can have multiple websites running off a single install, and I do. However, only the main website has this login issue with 1.9.14. *I could still log in without a problem in each of the other sites.* How to troubleshoot this? 1.9.14 has relatively few changes, so I was surprised by this. I've since rolled back to 1.9.13 Posted at Nginx Forum: https://forum.nginx.org/read.php?2,265964,265964#msg-265964 From francis at daoine.org Wed Apr 6 21:47:01 2016 From: francis at daoine.org (Francis Daly) Date: Wed, 6 Apr 2016 22:47:01 +0100 Subject: Help for nginx proxy pass rule In-Reply-To: <007b01d19008$28fccf90$7af66eb0$@com> References: <005101d18ff1$5a5427d0$0efc7770$@com> <007b01d19008$28fccf90$7af66eb0$@com> Message-ID: <20160406214701.GF9435@daoine.org> On Wed, Apr 06, 2016 at 06:58:07PM +0530, Roni Baby wrote: Hi there, > Yes the destination URl [https://www.xys.org/static/js/widget.js] is working > perfectly alone > Why it tried locally? I used proxypass rule for it. If I wanted to do > anything to enable proxy capability in my Nginx? Read http://nginx.org/r/location Then do something like grep location your.conf to see which location{} blocks you have defined. Which one of those locations will nginx use to handle this request? The error log suggests that this request is handled in a location that is not the one that you showed -- perhaps one defined as something like location ~ js$ { Possibly changing your > location /static { to location ^~ /static { will make it work the way you want. That would tell nginx to choose it instead of any regex one, for this request. Separate from that: for the proxy_pass directive, you could probably drop the "/static" part of the argument since it matches the request prefix. But until the proxy_pass is actually used, changing it will make no difference. f -- Francis Daly francis at daoine.org From francis at daoine.org Wed Apr 6 22:14:40 2016 From: francis at daoine.org (Francis Daly) Date: Wed, 6 Apr 2016 23:14:40 +0100 Subject: default server with custom 404 In-Reply-To: <57050E81.4030405@chamonix.reportlab.co.uk> References: <57050E81.4030405@chamonix.reportlab.co.uk> Message-ID: <20160406221440.GG9435@daoine.org> On Wed, Apr 06, 2016 at 02:26:25PM +0100, Robin Becker wrote: Hi there, > I see this question has been asked and answered many times, but I am > unable to make it work. It seems to work for me. Are you certain that no caching in front of nginx is interfering with your tests? What do you see if you do something like curl -v -H Host:anything http://your-server/should-give-404 ? > On a server with multiple virtual hosts I wish to make a catchall > which responds to everything with a 404 that reveals no information. What information does the default nginx internal 404 response reveal, that your own file does not? See the "curl -v" response above for the http headers. > I am running nginx version: nginx/1.8.1 on ubuntu 14.04. > > My catchall looks like this > > server { > listen 80 default_server; This will be the default server over any others that have "listen *:80" (in its various guises). If you have anything like "listen ip" anywhere, then any connection to that IP will not use this server{}. You most likely do not have "listen ip" anywhere. But just in case -- this is not necessarily a catch-*all*. > if I make a fake /etc/hosts dns say dongo.bilbo.com and point at my server then > > http://dongo.bilbo.com/404.html shows me the correct 404 page with > no Nginx info, however, any other path eg http://dongo.bilbo.com > always shows me the standard Nginx 404 page. That's not what I get. If you still have the problem, perhaps the debug log will show more about what is going on. > Is there a way to customize my error page for this case? What you have done should work. Depending on the rest of your config, of course. > Alternatively is there a way to override nginx's 404 page so it > doesn't reveal the server. Patch the code and recompile. You probably don't want to do that. f -- Francis Daly francis at daoine.org From mdounin at mdounin.ru Wed Apr 6 23:48:20 2016 From: mdounin at mdounin.ru (Maxim Dounin) Date: Thu, 7 Apr 2016 02:48:20 +0300 Subject: Bug in 1.9.14 or something else? In-Reply-To: References: Message-ID: <20160406234820.GD36620@mdounin.ru> Hello! On Wed, Apr 06, 2016 at 03:38:31PM -0400, jshare wrote: > I'm running a WordPress 4.4.2-based membership site on Ubuntu 12.04 LTS with > PHP 5.6.20. > > After upgrading to 1.9.14 (compiling from source with no errors or > warnings), I could no longer log in to my site, using Firefox/Chrome/IE. > Trying to login didn't timeout. Instead, fairly quickly, I would get an > error message like this in Firefox: > > ---------- > Secure Connection Failed > > The connection to jobmob.co.il was interrupted while the page was loading. > > The page you are trying to view cannot be shown because the authenticity > of the received data could not be verified. > Please contact the website owners to inform them of this problem. > > Learn more? > ---------- > > Tailing the error logs, nothing at all appears when I try to log in. > > My WordPress install is Multisite, which means I can have multiple websites > running off a single install, and I do. However, only the main website has > this login issue with 1.9.14. *I could still log in without a problem in > each of the other sites.* > > How to troubleshoot this? 1.9.14 has relatively few changes, so I was > surprised by this. I've since rolled back to 1.9.13 There are various changes related to request body handling when using HTTP/2 in 1.9.14. If you are using HTTP/2, consider disabling it to see if it helps. In either case debug log should help to further diagnose the problem, see http://nginx.org/en/docs/debugging_log.html. -- Maxim Dounin http://nginx.org/ From tseveendorj at on-air.mn Thu Apr 7 01:41:46 2016 From: tseveendorj at on-air.mn (tseveendorj) Date: Thu, 07 Apr 2016 10:41:46 +0900 Subject: Rewrite Message-ID: Thank you Francis. It is working now. Sent from my Samsung device -------- Original message -------- From: Francis Daly Date: 06/04/2016 07:48 (GMT+08:00) To: nginx at nginx.org Subject: Re: Rewrite On Tue, Apr 05, 2016 at 08:11:44PM +0900, tseveendorj wrote: Hi there, > request URL is http://domain.com/x4Zbs5B > It should be http://domain.com/index.php?download=x4Zbs5B > > I tried > location / { >???????????????? rewrite ^/([^/][a-zA-Z0-9]+)$ /index.php?download=$1 break; I'm not sure that the four characters "[^/]" are doing anything useful on that line. I am sure that "break" is not what you want there. Just remove it. >???????????????? try_files $uri $uri/ /index.php?download=$uri; >???????? } > but it is downloading index.php file itself :D Presumably somewhere else in your config you tell nginx how to handle /index.php? f -- Francis Daly??????? francis at daoine.org _______________________________________________ nginx mailing list nginx at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx -------------- next part -------------- An HTML attachment was scrubbed... URL: From roni at citrusinformatics.com Thu Apr 7 04:20:06 2016 From: roni at citrusinformatics.com (Roni Baby) Date: Thu, 7 Apr 2016 09:50:06 +0530 Subject: Help for nginx proxy pass rule In-Reply-To: <20160406214701.GF9435@daoine.org> References: <005101d18ff1$5a5427d0$0efc7770$@com> <007b01d19008$28fccf90$7af66eb0$@com> <20160406214701.GF9435@daoine.org> Message-ID: <003601d19084$c5666540$50332fc0$@com> Perfect fix... Able to solve my issues.Thanks Francis The issue was, I configured these location blocks already in my config file location ~* ^.+\.(jpg|jpeg|gif|css|png|ico|zip|xspf|swf|ttf|woff|js)$ { for serving static files directly. It was over ride the location rule that I used It started to work my location rule changed it like this as per your recommendation location ^~ /static { Thanks a Lot Roni Baby -----Original Message----- From: Nginx [mailto:nginx-bounces at nginx.org] On Behalf Of Francis Daly Sent: 07 April 2016 03:17 To: nginx at nginx.org Subject: Re: Help for Nginx proxy pass rule On Wed, Apr 06, 2016 at 06:58:07PM +0530, Roni Baby wrote: Hi there, > Yes the destination Url [https://www.xys.org/static/js/widget.js] is > working perfectly alone Why it tried locally? I used proxypass rule > for it. If I wanted to do anything to enable proxy capability in my > Nginx? Read http://nginx.org/r/location Then do something like grep location your.conf to see which location{} blocks you have defined. Which one of those locations will nginx use to handle this request? The error log suggests that this request is handled in a location that is not the one that you showed -- perhaps one defined as something like location ~ js$ { Possibly changing your > location /static { to location ^~ /static { will make it work the way you want. That would tell nginx to choose it instead of any regex one, for this request. Separate from that: for the proxy_pass directive, you could probably drop the "/static" part of the argument since it matches the request prefix. But until the proxy_pass is actually used, changing it will make no difference. f -- Francis Daly francis at daoine.org _______________________________________________ nginx mailing list nginx at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx From robin at reportlab.com Thu Apr 7 09:31:31 2016 From: robin at reportlab.com (Robin Becker) Date: Thu, 7 Apr 2016 10:31:31 +0100 Subject: default server with custom 404 In-Reply-To: <20160406221440.GG9435@daoine.org> References: <57050E81.4030405@chamonix.reportlab.co.uk> <20160406221440.GG9435@daoine.org> Message-ID: <570628F3.10203@chamonix.reportlab.co.uk> On 06/04/2016 23:14, Francis Daly wrote: ........... > > That's not what I get. > > If you still have the problem, perhaps the debug log will show more > about what is going on. > >> Is there a way to customize my error page for this case? > > What you have done should work. Depending on the rest of your config, > of course. > >> Alternatively is there a way to override nginx's 404 page so it >> doesn't reveal the server. > > Patch the code and recompile. > > You probably don't want to do that. > > f > I suspect my issue has more to do with me not understanding the way server names are matched. I look in vain for some equivalent to apache2ctl -S, but can't find it. I have only one vhost with the default_server present and thought that listen 80 default_server; would fire for servers without an explicit match. Some simple testing reveals another is matching, but I don't know which one yet. As this is a live server I won't try the debug route there, just bad luck we got an IP address that had previous connections to some kind of music distribution. Compiling nginx would be a last resort. Sorry for the noise. -- Robin Becker From pankajitbhu at gmail.com Thu Apr 7 11:48:27 2016 From: pankajitbhu at gmail.com (Pankaj Chaudhary) Date: Thu, 7 Apr 2016 17:18:27 +0530 Subject: Regarding development nginx module Message-ID: Hi, This is Pankaj,I am trying to write a module which is capable to access header value and set header and reading cookie and setting cookie. if i refer apache module then found apr_table_get() and apr_table_set() APIs are available to get/set header/cookie values. I have tried to use ngx_http_get_variable() API to get cookie value but not getting any value. Please help me on this and let me know is any other API which I can use for the same. Thanks & Regards, Pankaj Chaudhary -------------- next part -------------- An HTML attachment was scrubbed... URL: From francis at daoine.org Thu Apr 7 12:17:02 2016 From: francis at daoine.org (Francis Daly) Date: Thu, 7 Apr 2016 13:17:02 +0100 Subject: default server with custom 404 In-Reply-To: <570628F3.10203@chamonix.reportlab.co.uk> References: <57050E81.4030405@chamonix.reportlab.co.uk> <20160406221440.GG9435@daoine.org> <570628F3.10203@chamonix.reportlab.co.uk> Message-ID: <20160407121702.GH9435@daoine.org> On Thu, Apr 07, 2016 at 10:31:31AM +0100, Robin Becker wrote: > On 06/04/2016 23:14, Francis Daly wrote: Hi there, > >>Is there a way to customize my error page for this case? > > > >What you have done should work. Depending on the rest of your config, > >of course. > I suspect my issue has more to do with me not understanding the way > server names are matched. I look in vain for some equivalent to > apache2ctl -S, but can't find it. http://nginx.org/en/docs/ links to http://nginx.org/en/docs/http/request_processing.html for the first, and http://nginx.org/en/docs/switches.html for the second. Very approximately, nginx -T | grep 'listen\|server' will indicate your server{} blocks, their contained listen directives, and their contained server_name directives. (Except: "nginx -T" isn't in v1.8.1. So grep in your config file, and in any files that you "include" in it.) When you know the IP:port the connection arrives on, plus the hostname that is requested, you can probably work out which server{} block nginx will choose to handle the request. > I have only one vhost with the default_server present and thought that > > listen 80 default_server; > > would fire for servers without an explicit match. Some simple > testing reveals another is matching, but I don't know which one yet. For every unique "listen IP" or "listen IP:80" directive that you have anywhere in your config, add the same line to this server{} with default_server set. (Which means: if you have somewhere "listen 127.0.0.1:80;", then you add a line "listen 127.0.0.1:80 default_server;" to your catch-all server block.) > As this is a live server I won't try the debug route there, just bad > luck we got an IP address that had previous connections to some kind > of music distribution. Install nginx on your test machine. Configure it there until you are happy that it does what you want. Then transfer the config to your production machine. Good luck with it, f -- Francis Daly francis at daoine.org From robin at reportlab.com Thu Apr 7 13:04:37 2016 From: robin at reportlab.com (Robin Becker) Date: Thu, 7 Apr 2016 14:04:37 +0100 Subject: default server with custom 404 In-Reply-To: <20160407121702.GH9435@daoine.org> References: <57050E81.4030405@chamonix.reportlab.co.uk> <20160406221440.GG9435@daoine.org> <570628F3.10203@chamonix.reportlab.co.uk> <20160407121702.GH9435@daoine.org> Message-ID: <57065AE5.4040200@chamonix.reportlab.co.uk> On 07/04/2016 13:17, Francis Daly wrote: ........... > > For every unique "listen IP" or "listen IP:80" directive that you > have anywhere in your config, add the same line to this server{} with > default_server set. > > (Which means: if you have somewhere "listen 127.0.0.1:80;", then you > add a line "listen 127.0.0.1:80 default_server;" to your catch-all > server block.) > ...... Ah I begin to see the light, I had thought the default_server attribute would force this irrespective of the listen now I see I have to allow listening with all the patterns eg IP1:80 IP1:443 IP2:80........ that makes things much clearer. Thank you very much. > Good luck with it, > > f > -- Robin Becker From nginx-forum at forum.nginx.org Thu Apr 7 13:36:53 2016 From: nginx-forum at forum.nginx.org (fevangelou) Date: Thu, 07 Apr 2016 09:36:53 -0400 Subject: Nginx proxy cache/temp folders empty when located inside /tmp on CentOS 7 In-Reply-To: <5704BB8E.7070904@nginx.com> References: <5704BB8E.7070904@nginx.com> Message-ID: <966c1f18fdf2596787a29821ac6fb52a.NginxMailingListEnglish@forum.nginx.org> Awesome. Thank you :) Posted at Nginx Forum: https://forum.nginx.org/read.php?2,265943,265986#msg-265986 From artemrts at ukr.net Thu Apr 7 14:02:19 2016 From: artemrts at ukr.net (wishmaster) Date: Thu, 07 Apr 2016 17:02:19 +0300 Subject: Proxying to ip-camera Message-ID: <1460037183.592668703.56ppodap@frv34.fwdcdn.com> Hi, I have the web site and would like to proxying all requests to /ipcam location to internal ip-camera. website http://site.com ip-cam http://site.com/ipcam Below config: location /ipcam { proxy_pass http://192.168.20.99:80/; proxy_redirect off; proxy_set_header Host $host:$server_port; proxy_set_header X-Real-IP $remote_addr; } All works fine, but ip-cam can not determine UA and therefore I gets broken login page and unable to login. Below the error log from console: ReferenceError: Browser is not defined if(!(Browser.ie7 || Browser.ie8)){ With port redirection by firewall all works fine. Is anybody can help me. IP-camera - Dahua. -- Vitaliy From vbart at nginx.com Thu Apr 7 14:25:55 2016 From: vbart at nginx.com (Valentin V. Bartenev) Date: Thu, 07 Apr 2016 17:25:55 +0300 Subject: Bug in 1.9.14 or something else? In-Reply-To: References: Message-ID: <4481926.4TEyTzMZuM@vbart-workstation> On Wednesday 06 April 2016 15:38:31 jshare wrote: > I'm running a WordPress 4.4.2-based membership site on Ubuntu 12.04 LTS with > PHP 5.6.20. > > After upgrading to 1.9.14 (compiling from source with no errors or > warnings), I could no longer log in to my site, using Firefox/Chrome/IE. > Trying to login didn't timeout. Instead, fairly quickly, I would get an > error message like this in Firefox: > > ---------- > Secure Connection Failed > > The connection to jobmob.co.il was interrupted while the page was loading. > > The page you are trying to view cannot be shown because the authenticity > of the received data could not be verified. > Please contact the website owners to inform them of this problem. > > Learn more? > ---------- > > Tailing the error logs, nothing at all appears when I try to log in. > > My WordPress install is Multisite, which means I can have multiple websites > running off a single install, and I do. However, only the main website has > this login issue with 1.9.14. *I could still log in without a problem in > each of the other sites.* > > How to troubleshoot this? 1.9.14 has relatively few changes, so I was > surprised by this. I've since rolled back to 1.9.13 > Could you try without 3rd-party modules and patches? wbr, Valentin V. Bartenev From alexandr.porunov at gmail.com Thu Apr 7 14:55:12 2016 From: alexandr.porunov at gmail.com (Alexandr Porunov) Date: Thu, 7 Apr 2016 17:55:12 +0300 Subject: Performance of NGINX on 16 instances vs 1 instance Message-ID: Hello, I would like to know how NGINX works on a server with 16 cores. Is it is better to run one instance of NGINX in a bare metal or run 16 virtual servers with NGINX instance on each? Sincerely, Alexandr -------------- next part -------------- An HTML attachment was scrubbed... URL: From maxim at nginx.com Thu Apr 7 15:00:35 2016 From: maxim at nginx.com (Maxim Konovalov) Date: Thu, 7 Apr 2016 18:00:35 +0300 Subject: Performance of NGINX on 16 instances vs 1 instance In-Reply-To: References: Message-ID: <57067613.8080809@nginx.com> Hello, On 4/7/16 5:55 PM, Alexandr Porunov wrote: > Hello, > > I would like to know how NGINX works on a server with 16 cores. Is > it is better to run one instance of NGINX in a bare metal or run 16 > virtual servers with NGINX instance on each? > Just one instance and "worker_processes auto". http://nginx.org/r/worker_processes -- Maxim Konovalov From artemrts at ukr.net Thu Apr 7 15:44:08 2016 From: artemrts at ukr.net (wishmaster) Date: Thu, 07 Apr 2016 18:44:08 +0300 Subject: Proxying to ip-camera In-Reply-To: <1460037183.592668703.56ppodap@frv34.fwdcdn.com> References: <1460037183.592668703.56ppodap@frv34.fwdcdn.com> Message-ID: <1460043631.306466615.gssma036@frv34.fwdcdn.com> > > Hi, > > I have the web site and would like to proxying all requests to /ipcam location to internal ip-camera. > > website http://site.com > ip-cam http://site.com/ipcam > > Below config: > > location /ipcam { > proxy_pass http://192.168.20.99:80/; > proxy_redirect off; > proxy_set_header Host $host:$server_port; > proxy_set_header X-Real-IP $remote_addr; > } > > All works fine, but ip-cam can not determine UA and therefore I gets broken login page and unable to login. > > Below the error log from console: > > ReferenceError: Browser is not defined > if(!(Browser.ie7 || Browser.ie8)){ > > With port redirection by firewall all works fine. > > Is anybody can help me. IP-camera - Dahua. > As I can see the problem is in not proxying static content like JS and CSS. Dynamic works fine. location /ipcam { proxy_pass http://192.168.20.99:80/; location ~ \.css { proxy_pass http://192.168.20.99:80/ } } This is not working. From francis at daoine.org Thu Apr 7 20:45:15 2016 From: francis at daoine.org (Francis Daly) Date: Thu, 7 Apr 2016 21:45:15 +0100 Subject: Proxying to ip-camera In-Reply-To: <1460043631.306466615.gssma036@frv34.fwdcdn.com> References: <1460037183.592668703.56ppodap@frv34.fwdcdn.com> <1460043631.306466615.gssma036@frv34.fwdcdn.com> Message-ID: <20160407204515.GI9435@daoine.org> On Thu, Apr 07, 2016 at 06:44:08PM +0300, wishmaster wrote: Hi there, > > I have the web site and would like to proxying all requests to /ipcam location to internal ip-camera. > > > > website http://site.com > > ip-cam http://site.com/ipcam > > With port redirection by firewall all works fine. > As I can see the problem is in not proxying static content like JS and CSS. Dynamic works fine. > > location /ipcam { > proxy_pass http://192.168.20.99:80/; > > location ~ \.css { > proxy_pass http://192.168.20.99:80/ > } > } > > This is not working. Your first config would probably work if that was the only config in the server{} block. Since it appears that you have some other configuration there, possibly location ^~ /ipcam/ { proxy_pass http://192.168.20.99:80/; } will do what you want. Note: location and proxy_pass both end in a /, and ^~ is used in the location directive. http://nginx.org/r/location http://nginx.org/r/proxy_pass Good luck with it, f -- Francis Daly francis at daoine.org From alexandr.porunov at gmail.com Thu Apr 7 20:51:03 2016 From: alexandr.porunov at gmail.com (Alexandr Porunov) Date: Thu, 7 Apr 2016 23:51:03 +0300 Subject: Performance of NGINX on 16 instances vs 1 instance In-Reply-To: <57067613.8080809@nginx.com> References: <57067613.8080809@nginx.com> Message-ID: Hello, Maxim Thank you very much Sincerely, Alexandr On Thu, Apr 7, 2016 at 6:00 PM, Maxim Konovalov wrote: > Hello, > > On 4/7/16 5:55 PM, Alexandr Porunov wrote: > > Hello, > > > > I would like to know how NGINX works on a server with 16 cores. Is > > it is better to run one instance of NGINX in a bare metal or run 16 > > virtual servers with NGINX instance on each? > > > Just one instance and "worker_processes auto". > > http://nginx.org/r/worker_processes > > -- > Maxim Konovalov > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From artemrts at ukr.net Fri Apr 8 05:45:48 2016 From: artemrts at ukr.net (wishmaster) Date: Fri, 08 Apr 2016 08:45:48 +0300 Subject: Proxying to ip-camera In-Reply-To: <20160407204515.GI9435@daoine.org> References: <1460037183.592668703.56ppodap@frv34.fwdcdn.com> <1460043631.306466615.gssma036@frv34.fwdcdn.com> <20160407204515.GI9435@daoine.org> Message-ID: <1460094074.819496323.cj0e4rgm@frv34.fwdcdn.com> Hi, Francis. > On Thu, Apr 07, 2016 at 06:44:08PM +0300, wishmaster wrote: > > Hi there, > > > > I have the web site and would like to proxying all requests to /ipcam location to internal ip-camera. > > > > > > website http://site.com > > > ip-cam http://site.com/ipcam > > > > With port redirection by firewall all works fine. > > > As I can see the problem is in not proxying static content like JS and CSS. Dynamic works fine. > > > > location /ipcam { > > proxy_pass http://192.168.20.99:80/; > > > > location ~ \.css { > > proxy_pass http://192.168.20.99:80/ > > } > > } > > > > This is not working. > > Your first config would probably work if that was the only config in the > server{} block. Since it appears that you have some other configuration > there, possibly > > location ^~ /ipcam/ { > proxy_pass http://192.168.20.99:80/; > } > > will do what you want. Note: location and proxy_pass both end in a /, > and ^~ is used in the location directive. Heh, this server block has another locations as well. E.g. location \.css {...} and so on. The second problem is I want to proxying location "/ipcam" to "/" on the ip-camera and I think I must use sub module to overwrite pathes of returned css,js in HTML pages. -- Vitaliy From francis at daoine.org Fri Apr 8 07:12:02 2016 From: francis at daoine.org (Francis Daly) Date: Fri, 8 Apr 2016 08:12:02 +0100 Subject: Proxying to ip-camera In-Reply-To: <1460094074.819496323.cj0e4rgm@frv34.fwdcdn.com> References: <1460037183.592668703.56ppodap@frv34.fwdcdn.com> <1460043631.306466615.gssma036@frv34.fwdcdn.com> <20160407204515.GI9435@daoine.org> <1460094074.819496323.cj0e4rgm@frv34.fwdcdn.com> Message-ID: <20160408071202.GJ9435@daoine.org> On Fri, Apr 08, 2016 at 08:45:48AM +0300, wishmaster wrote: > > On Thu, Apr 07, 2016 at 06:44:08PM +0300, wishmaster wrote: Hi there, > > > > I have the web site and would like to proxying all requests to /ipcam location to internal ip-camera. > > > > > > > > website http://site.com > > > > ip-cam http://site.com/ipcam > > > > > > With port redirection by firewall all works fine. > > location ^~ /ipcam/ { > > proxy_pass http://192.168.20.99:80/; > > } > Heh, this server block has another locations as well. E.g. location \.css {...} and so on. > The second problem is I want to proxying location "/ipcam" to "/" on the ip-camera and I think I must use sub module to overwrite pathes of returned css,js in HTML pages. You can try that. Alternatively, if you know the (static) list of urls that the ip-camera uses, you could proxy_pass for each one of those (and make sure that your main web service does not use any of the same ones). Or, if the content from those urls is constant, you could just copy the content to the same urls on your main web server and then not have to proxy_pass the extra ones. I suspect it will be easier if you can configure the 192.168.20.99 server to believe that its application is installed at /ipcam/ instead of /. And if that is not possible, it may be easier if you use a new server name for just the camera -- http://ipcam.site.com which just uses proxy_pass for everything. In general, I find that it is not trivial to reverse-proxy a web site to a different hierarchy level in the url space unless the site was written with that in mind. Good luck with it, f -- Francis Daly francis at daoine.org From artemrts at ukr.net Fri Apr 8 07:27:05 2016 From: artemrts at ukr.net (wishmaster) Date: Fri, 08 Apr 2016 10:27:05 +0300 Subject: Proxying to ip-camera In-Reply-To: <20160408071202.GJ9435@daoine.org> References: <1460037183.592668703.56ppodap@frv34.fwdcdn.com> <1460043631.306466615.gssma036@frv34.fwdcdn.com> <20160407204515.GI9435@daoine.org> <1460094074.819496323.cj0e4rgm@frv34.fwdcdn.com> <20160408071202.GJ9435@daoine.org> Message-ID: <1460100299.701844575.usvsmsrd@frv34.fwdcdn.com> Hi, --- Original message --- From: "Francis Daly" Date: 8 April 2016, 10:12:08 > On Fri, Apr 08, 2016 at 08:45:48AM +0300, wishmaster wrote: > > > On Thu, Apr 07, 2016 at 06:44:08PM +0300, wishmaster wrote: > > Hi there, > > > > > > I have the web site and would like to proxying all requests to /ipcam location to internal ip-camera. > > > > > > > > > > website http://site.com > > > > > ip-cam http://site.com/ipcam > > > > > > > > With port redirection by firewall all works fine. > > > > location ^~ /ipcam/ { > > > proxy_pass http://192.168.20.99:80/; > > > } > > > Heh, this server block has another locations as well. E.g. location \.css {...} and so on. > > The second problem is I want to proxying location "/ipcam" to "/" on the ip-camera and I think I must use sub module to overwrite pathes of returned css,js in HTML pages. > > You can try that. > > Alternatively, if you know the (static) list of urls that the ip-camera > uses, you could proxy_pass for each one of those (and make sure that > your main web service does not use any of the same ones). Or, if the > content from those urls is constant, you could just copy the content to > the same urls on your main web server and then not have to proxy_pass > the extra ones. Yes, I have thought about this. This will work. > I suspect it will be easier if you can configure the 192.168.20.99 server > to believe that its application is installed at /ipcam/ instead of /. > > And if that is not possible, it may be easier if you use a new server name > for just the camera -- http://ipcam.site.com which just uses proxy_pass > for everything. I think this is the esiest way. Thanks. > In general, I find that it is not trivial to reverse-proxy a web site to > a different hierarchy level in the url space unless the site was written > with that in mind. Yes, you truth. > Good luck with it, > > f > -- > Francis Daly francis at daoine.org --- Vitaliy From nginx-forum at forum.nginx.org Fri Apr 8 09:06:19 2016 From: nginx-forum at forum.nginx.org (JoakimR) Date: Fri, 08 Apr 2016 05:06:19 -0400 Subject: hide/strip set cookies on static files and howto use alias In-Reply-To: <20160405074156.GD9435@daoine.org> References: <20160405074156.GD9435@daoine.org> Message-ID: <757f99545c8499b25c2fd6f6a3eff7f2.NginxMailingListEnglish@forum.nginx.org> Hi Francis Daly thank you very much for your reply Let's brake this down one by one. I followed you suggestion and added fastcgi_connect_timeout 600s; to the conf, however the pages still time out after ~75 sec as expected do to this http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_connect_timeout "Defines a timeout for establishing a connection with a FastCGI server. It should be noted that this timeout cannot usually exceed 75 seconds." 2016/04/06 12:30:47 [error] 9286#9286: *348669 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 108.162.216.74, server: myvid.top, request: "GET ", upstream: "fastcgi://unix:/var/run/php-fpm.sock", host: "myvid.top" Posted at Nginx Forum: https://forum.nginx.org/read.php?2,265879,266023#msg-266023 From francis at daoine.org Fri Apr 8 21:13:39 2016 From: francis at daoine.org (Francis Daly) Date: Fri, 8 Apr 2016 22:13:39 +0100 Subject: hide/strip set cookies on static files and howto use alias In-Reply-To: <757f99545c8499b25c2fd6f6a3eff7f2.NginxMailingListEnglish@forum.nginx.org> References: <20160405074156.GD9435@daoine.org> <757f99545c8499b25c2fd6f6a3eff7f2.NginxMailingListEnglish@forum.nginx.org> Message-ID: <20160408211339.GK9435@daoine.org> On Fri, Apr 08, 2016 at 05:06:19AM -0400, JoakimR wrote: Hi there, > Hi Francis Daly thank you very much for your reply You're welcome. > Let's brake this down one by one. I followed you suggestion and added > fastcgi_connect_timeout 600s; to the conf, however the pages still time out > after ~75 sec as expected do to this You may want to read the previous mail again. I'm pretty sure I did not mention fastcgi_connect_timeout. > 2016/04/06 12:30:47 [error] 9286#9286: *348669 upstream timed out (110: > Connection timed out) while reading response header from upstream, client: > 108.162.216.74, server: myvid.top, request: "GET ", upstream: > "fastcgi://unix:/var/run/php-fpm.sock", host: "myvid.top" You have nginx as the client, talking to your fastcgi(php) server. This log file suggests that the fastcgi server is not writing to nginx quickly enough. The default nginx timeout is (I think) 60 seconds between reads. That is usually suitable for fastcgi responses. If your fastcgi server should be able to respond within that time, then the problem you must address is why your fastcgi server is slower than it should be. If your fastcgi server is one of the few that has good reason to respond more slowly than the nginx default timeout, then you must learn from your fastcgi server how long it will take before it responds (at least, for these requests); and then configure nginx to be willing to wait that long (for these responses). Nothing on the nginx side will determine how long it takes your fastcgi server to respond. You must know how long that is; and configure your nginx appropriately. (If your php script starts with "sleep(100)", for example, it will probably take it at least that long to write something. If it needs to do that sleep, then you need to configure the client to be willing to wait that long.) f -- Francis Daly francis at daoine.org From nginx-forum at forum.nginx.org Sat Apr 9 13:16:33 2016 From: nginx-forum at forum.nginx.org (JoakimR) Date: Sat, 09 Apr 2016 09:16:33 -0400 Subject: hide/strip set cookies on static files and howto use alias In-Reply-To: <20160405074156.GD9435@daoine.org> References: <20160405074156.GD9435@daoine.org> Message-ID: <3e998d357c2e5a09f94963290426ddc5.NginxMailingListEnglish@forum.nginx.org> Hi Francis, and of course everyone else Another Q Hi do have this in my domain.conf location /admin { index index.php; access_log off; log_not_found off; expires 0; } but yet, everything is logged? do you have some kind of answer to this? Posted at Nginx Forum: https://forum.nginx.org/read.php?2,265879,266052#msg-266052 From francis at daoine.org Sun Apr 10 08:04:46 2016 From: francis at daoine.org (Francis Daly) Date: Sun, 10 Apr 2016 09:04:46 +0100 Subject: hide/strip set cookies on static files and howto use alias In-Reply-To: <3e998d357c2e5a09f94963290426ddc5.NginxMailingListEnglish@forum.nginx.org> References: <20160405074156.GD9435@daoine.org> <3e998d357c2e5a09f94963290426ddc5.NginxMailingListEnglish@forum.nginx.org> Message-ID: <20160410080446.GL9435@daoine.org> On Sat, Apr 09, 2016 at 09:16:33AM -0400, JoakimR wrote: Hi there, > Another Q For ease of searching in future, it probably will be simpler if new unrelated questions start new message threads, with a Subject: line that is relevant. > Hi do have this in my domain.conf > > location /admin { > index index.php; > access_log off; > log_not_found off; > expires 0; > } > > but yet, everything is logged? do you have some kind of answer to this? In nginx, a http request is logged in the location where it ends. So your "everything" request is not finally handled in the location that you show. (Or you've found a bug in nginx.) If it is not clear to you which location{} is used for the request, and what subrequest is made, and which location{} is used for that subrequest; then possibly enabling the debug log on a test server will help you track it. Note - the debug log contains lots of information, most of which probably counts as "noise" for the one specific thing you are trying to find. f -- Francis Daly francis at daoine.org From nginx-forum at forum.nginx.org Sun Apr 10 08:18:05 2016 From: nginx-forum at forum.nginx.org (jshare) Date: Sun, 10 Apr 2016 04:18:05 -0400 Subject: Bug in 1.9.14 or something else? In-Reply-To: <20160406234820.GD36620@mdounin.ru> References: <20160406234820.GD36620@mdounin.ru> Message-ID: If I disable http/2, I can login - good call! I enabled the debug.log to compare the output with http/2 enabled and disabled, but when I compare the two side by side, nothing jumps out at me. Aside from the time and a few numbers, the two log sections are identical. What should I be looking for? For example, here's the tailed log section that appears when I can't login because http/2 is enabled: 2016/04/10 10:53:23 [debug] 11339#0: post event 0A108050 2016/04/10 10:53:23 [debug] 11339#0: delete posted event 0A108050 2016/04/10 10:53:23 [debug] 11339#0: accept on 0.0.0.0:80, ready: 1 2016/04/10 10:53:23 [debug] 11339#0: posix_memalign: 0A2A1A30:256 @16 2016/04/10 10:53:23 [debug] 11339#0: *32 accept: 127.0.0.1:47024 fd:17 2016/04/10 10:53:23 [debug] 11339#0: *32 event timer add: 17: 20000:4280909831 2016/04/10 10:53:23 [debug] 11339#0: *32 reusable connection: 1 2016/04/10 10:53:23 [debug] 11339#0: *32 epoll add event: fd:17 op:1 ev:80002001 2016/04/10 10:53:23 [debug] 11339#0: accept() not ready (11: Resource temporarily unavailable) 2016/04/10 10:53:23 [debug] 11339#0: *32 post event 0A1081A0 2016/04/10 10:53:23 [debug] 11339#0: *32 delete posted event 0A1081A0 2016/04/10 10:53:23 [debug] 11339#0: *32 http wait request handler 2016/04/10 10:53:23 [debug] 11339#0: *32 malloc: 0A2557C8:1024 2016/04/10 10:53:23 [debug] 11339#0: *32 recv: fd:17 106 of 1024 2016/04/10 10:53:23 [debug] 11339#0: *32 reusable connection: 0 2016/04/10 10:53:23 [debug] 11339#0: *32 posix_memalign: 0A29E7B0:4096 @16 2016/04/10 10:53:23 [debug] 11339#0: *32 http process request line 2016/04/10 10:53:23 [debug] 11339#0: *32 http request line: "GET /readme.html HTTP/1.1" 2016/04/10 10:53:23 [debug] 11339#0: *32 http uri: "/readme.html" 2016/04/10 10:53:23 [debug] 11339#0: *32 http args: "" 2016/04/10 10:53:23 [debug] 11339#0: *32 http exten: "html" 2016/04/10 10:53:23 [debug] 11339#0: *32 http process request header line 2016/04/10 10:53:23 [debug] 11339#0: *32 http header: "Host: jobmob.co.il" 2016/04/10 10:53:23 [debug] 11339#0: *32 http header: "Accept: */*" 2016/04/10 10:53:23 [debug] 11339#0: *32 http header: "Connection: close" 2016/04/10 10:53:23 [debug] 11339#0: *32 http header: "User-Agent: monit/5.3.2" 2016/04/10 10:53:23 [debug] 11339#0: *32 http header done 2016/04/10 10:53:23 [debug] 11339#0: *32 event timer del: 17: 4280909831 2016/04/10 10:53:23 [debug] 11339#0: *32 generic phase: 0 2016/04/10 10:53:23 [debug] 11339#0: *32 rewrite phase: 1 2016/04/10 10:53:23 [debug] 11339#0: *32 http set discard body 2016/04/10 10:53:23 [debug] 11339#0: *32 http script copy: "https://jobmob.co.il" 2016/04/10 10:53:23 [debug] 11339#0: *32 http script var: "/readme.html" 2016/04/10 10:53:23 [debug] 11339#0: *32 http finalize request: 301, "/readme.html?" a:1, c:1 2016/04/10 10:53:23 [debug] 11339#0: *32 http special response: 301, "/readme.html?" 2016/04/10 10:53:23 [debug] 11339#0: *32 http set discard body 2016/04/10 10:53:23 [debug] 11339#0: *32 xslt filter header 2016/04/10 10:53:23 [debug] 11339#0: *32 charset: "" > "UTF-8" 2016/04/10 10:53:23 [debug] 11339#0: *32 HTTP/1.1 301 Moved Permanently Server: nginx Date: Sun, 10 Apr 2016 07:53:23 GMT Content-Type: text/html Content-Length: 178 Connection: close Location: https://jobmob.co.il/readme.html 2016/04/10 10:53:23 [debug] 11339#0: *32 write new buf t:1 f:0 0A29F1AC, pos 0A29F1AC, size: 195 file: 0, size: 0 2016/04/10 10:53:23 [debug] 11339#0: *32 http write filter: l:0 f:0 s:195 2016/04/10 10:53:23 [debug] 11339#0: *32 http output filter "/readme.html?" 2016/04/10 10:53:23 [debug] 11339#0: *32 http copy filter: "/readme.html?" 2016/04/10 10:53:23 [debug] 11339#0: *32 image filter 2016/04/10 10:53:23 [debug] 11339#0: *32 xslt filter body 2016/04/10 10:53:23 [debug] 11339#0: *32 http postpone filter "/readme.html?" 0A29F328 2016/04/10 10:53:23 [debug] 11339#0: *32 write old buf t:1 f:0 0A29F1AC, pos 0A29F1AC, size: 195 file: 0, size: 0 2016/04/10 10:53:23 [debug] 11339#0: *32 write new buf t:0 f:0 00000000, pos 08EFEF00, size: 132 file: 0, size: 0 2016/04/10 10:53:23 [debug] 11339#0: *32 write new buf t:0 f:0 00000000, pos 08EFF1A0, size: 46 file: 0, size: 0 2016/04/10 10:53:23 [debug] 11339#0: *32 http write filter: l:1 f:0 s:373 2016/04/10 10:53:23 [debug] 11339#0: *32 http write filter limit 0 2016/04/10 10:53:23 [debug] 11339#0: *32 writev: 373 of 373 2016/04/10 10:53:23 [debug] 11339#0: *32 http write filter 00000000 2016/04/10 10:53:23 [debug] 11339#0: *32 http copy filter: 0 "/readme.html?" 2016/04/10 10:53:23 [debug] 11339#0: *32 http finalize request: 0, "/readme.html?" a:1, c:1 2016/04/10 10:53:23 [debug] 11339#0: *32 event timer add: 17: 5000:4280894832 2016/04/10 10:53:23 [debug] 11339#0: *32 http lingering close handler 2016/04/10 10:53:23 [debug] 11339#0: *32 recv: fd:17 -1 of 4096 2016/04/10 10:53:23 [debug] 11339#0: *32 recv() not ready (11: Resource temporarily unavailable) 2016/04/10 10:53:23 [debug] 11339#0: *32 lingering read: -2 2016/04/10 10:53:23 [debug] 11339#0: *32 event timer: 17, old: 4280894832, new: 4280894832 2016/04/10 10:53:23 [debug] 11339#0: *32 post event 0A1081A0 2016/04/10 10:53:23 [debug] 11339#0: *32 delete posted event 0A1081A0 2016/04/10 10:53:23 [debug] 11339#0: *32 http lingering close handler 2016/04/10 10:53:23 [debug] 11339#0: *32 recv: fd:17 0 of 4096 2016/04/10 10:53:23 [debug] 11339#0: *32 lingering read: 0 2016/04/10 10:53:23 [debug] 11339#0: *32 http request count:1 blk:0 2016/04/10 10:53:23 [debug] 11339#0: *32 http close request 2016/04/10 10:53:23 [debug] 11339#0: *32 http log handler 2016/04/10 10:53:23 [debug] 11339#0: *32 free: 0A29E7B0, unused: 1006 2016/04/10 10:53:23 [debug] 11339#0: *32 close http connection: 17 2016/04/10 10:53:23 [debug] 11339#0: *32 event timer del: 17: 4280894832 2016/04/10 10:53:23 [debug] 11339#0: *32 reusable connection: 0 2016/04/10 10:53:23 [debug] 11339#0: *32 free: 0A2557C8 2016/04/10 10:53:23 [debug] 11339#0: *32 free: 0A2A1A30, unused: 36 Posted at Nginx Forum: https://forum.nginx.org/read.php?2,265964,266058#msg-266058 From alexschwarz at live.de Sun Apr 10 17:16:33 2016 From: alexschwarz at live.de (Alexander Schwarz) Date: Sun, 10 Apr 2016 19:16:33 +0200 Subject: Error 404 if url contains "star" Message-ID: Hello, i have a very strange problem with my nginx configuration. If the URL contains the word "star", i get the standard 404 Error not found page. I defined a rule that should redirect all requests to index.php. http://example.com/some/url/starr --> works, returns my custom styled error 404 page (processed by PHP)http://example.com/some/url/star -> exact word "star", returns default error 404 page (Request does not seem to go over PHP) The access_log does not log the 404 Error, if the url contains the word. I changed to debug log levels but no logfileis showing something. Tried different nginx versions, server is running Debian 8. Any ideas?! Best regards, Alex -------------- next part -------------- An HTML attachment was scrubbed... URL: From francis at daoine.org Sun Apr 10 18:37:35 2016 From: francis at daoine.org (Francis Daly) Date: Sun, 10 Apr 2016 19:37:35 +0100 Subject: Error 404 if url contains "star" In-Reply-To: References: Message-ID: <20160410183735.GM9435@daoine.org> On Sun, Apr 10, 2016 at 07:16:33PM +0200, Alexander Schwarz wrote: Hi there, > i have a very strange problem with my nginx configuration. If the URL contains the word "star", i get the standard 404 Error not found page. > I defined a rule that should redirect all requests to index.php. http://nginx.org/r/location Your rule does not redirect *all* requests. > Any ideas?! There's a missing backslash "\" on the "location ~*" line, just before the ".(". f -- Francis Daly francis at daoine.org From alexschwarz at live.de Sun Apr 10 19:27:42 2016 From: alexschwarz at live.de (Alexander Schwarz) Date: Sun, 10 Apr 2016 21:27:42 +0200 Subject: Error 404 if url contains "star" In-Reply-To: <20160410183735.GM9435@daoine.org> References: , <20160410183735.GM9435@daoine.org> Message-ID: Hello Francis, you are right. But the weird thing is, i already commented out that line (it was for caching/expires headers, and yes, missing the backslash). Is there any chance I was running two nginx instances? Because it seemed my configuration was kind of cached, as i commented that line, but it still didn't work. Now, after i completely reinstalled nginx everything is working fine. I got the idea because i downgraded from newest nginx version to a older one in my testing. Is it possible that there were multiple instances? Anyway, thank you very much. > Date: Sun, 10 Apr 2016 19:37:35 +0100 > From: francis at daoine.org > To: nginx at nginx.org > Subject: Re: Error 404 if url contains "star" > > On Sun, Apr 10, 2016 at 07:16:33PM +0200, Alexander Schwarz wrote: > > Hi there, > > > i have a very strange problem with my nginx configuration. If the URL contains the word "star", i get the standard 404 Error not found page. > > I defined a rule that should redirect all requests to index.php. > > http://nginx.org/r/location > > Your rule does not redirect *all* requests. > > > Any ideas?! > > There's a missing backslash "\" on the "location ~*" line, just before > the ".(". > > f > -- > Francis Daly francis at daoine.org > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx -------------- next part -------------- An HTML attachment was scrubbed... URL: From pankajitbhu at gmail.com Mon Apr 11 06:44:02 2016 From: pankajitbhu at gmail.com (Pankaj Chaudhary) Date: Mon, 11 Apr 2016 12:14:02 +0530 Subject: cookie issue Message-ID: Hi, This is Pankaj,I am trying to write a module which is capable to access header value and set header and reading cookie and setting cookie. if i refer apache module then found apr_table_get() and apr_table_set() APIs are available to get/set header/cookie values. I have tried to use ngx_http_get_variable() API to get cookie value but not getting any value. Please help me on this and let me know is any other API which I can use for the same. Thanks & Regards, Pankaj Chaudhary -------------- next part -------------- An HTML attachment was scrubbed... URL: From pankajitbhu at gmail.com Mon Apr 11 06:46:01 2016 From: pankajitbhu at gmail.com (Pankaj Chaudhary) Date: Mon, 11 Apr 2016 12:16:01 +0530 Subject: cookie issue Message-ID: Hi , This is Pankaj,I am trying to write a module which is capable to access header value and set header and reading cookie and setting cookie. if i refer apache module then found apr_table_get() and apr_table_set() APIs are available to get/set header/cookie values. I have tried to use ngx_http_get_variable() API to get cookie value but not getting any value. Please help me on this and let me know is any other API which I can use for the same. Thanks & Regards, Pankaj Chaudhary -------------- next part -------------- An HTML attachment was scrubbed... URL: From sbxara at icloud.com Mon Apr 11 08:41:00 2016 From: sbxara at icloud.com (Arnaud Van der Vorst) Date: Mon, 11 Apr 2016 10:41:00 +0200 Subject: TLS/SSL Cache Automatic Purge Message-ID: <001401d193cd$e1583c50$a408b4f0$@icloud.com> Hi, My name is Arnaud and I am new to the list. I would like to know if NGINX is using any automatic purge mechanism for its TLS/SSL Cache configured using the following directives: ssl_session_timeout 10m; ssl_session_cache shared:SSL:10m; I understand that a daily purge of TLS/SSL Cache is highly recommended to avoid breaking Perfect Forward Secrecy of the TLS Protocol. If it does NOT use automatic purge, how can I purge the Shared cache used by NGINX then? Are there any command line tools for that purpose? Thank you very much in advance for your answer and have a nice day! Kind regards, Arnaud -------------- next part -------------- An HTML attachment was scrubbed... URL: From nginx-forum at forum.nginx.org Mon Apr 11 09:19:17 2016 From: nginx-forum at forum.nginx.org (n.dom) Date: Mon, 11 Apr 2016 05:19:17 -0400 Subject: 1.9.14 - Issues with disabled request buffering and HTTP/2 Message-ID: <4ce6f1668109603e220275998c41fbb8.NginxMailingListEnglish@forum.nginx.org> Hello, we have an issue with the newest nginx version 1.9.14. I am not sure if this is a possible bug or a configuration problem. We use nginx with disabled request buffering (proxy_request_buffering off) We are currently using nginx 1.9.12 with HTTP/2 enabled. In this setup we don't have any issues. I am aware of the fact, that request buffering cannot be deactivated with HTTP/2 until version 1.9.13. When updating to nginx 1.9.14, request buffering is disabled for HTTP/2 as well. In this case requests from some of our clients (we tested Firefox and OkHttpClient) cannot load our web application anymore. In the nginx error log we can see the following lines (non debug): 2016/04/07 14:20:49 [info] 20235#0: *3115050 client terminated stream 41 with status 1 while sending request to upstream, client: [......], server: , request: "POST [....]" This only occurs when the client (Firefox and OkHttpClient) uses HTTP/2. We cannot reproduce this issue with Google Chrome! Chrome works like a charm. We also found out, that this issue seems only to occur within POST requests. When enabling proxy request buffering (proxy_request_buffering on), all clients work as expected. Is there anyone with similar issues when updating to the newest nginx version 1.9.14? Posted at Nginx Forum: https://forum.nginx.org/read.php?2,266071,266071#msg-266071 From reallfqq-nginx at yahoo.fr Mon Apr 11 09:22:40 2016 From: reallfqq-nginx at yahoo.fr (B.R.) Date: Mon, 11 Apr 2016 11:22:40 +0200 Subject: Error 404 if url contains "star" In-Reply-To: References: <20160410183735.GM9435@daoine.org> Message-ID: The only way to know would have been to have a look at the processes table before killing everyone and restarting. If you nginx through the package management of your distribution and service scripts to manage nginx processus, there is little-to-no chance you got multiplt nginx masters running. It is however possible to spawn multiple nginx (master) instances if you manage you processes manually (and is useful when you do an on-the-fly upgrade). No multiple instances can bind to listen on the same ports though. It would have been interesting to dig further, since you are saying the configuration was valid (as after restart nginx accepted/loaded it). In the current state, there is not much ability to conclude on anything. Maybe could you try to reproduce the problem by recreating your old configuration, loading it and trying to load the current configuraiton again? Remember to use `nginx -t` have a look at nginx' error logs on reload to check the configuration has been accepted. --- *B. R.* On Sun, Apr 10, 2016 at 9:27 PM, Alexander Schwarz wrote: > Hello Francis, > > you are right. But the weird thing is, i already commented out that line > (it was for caching/expires headers, and yes, missing the backslash). > > Is there any chance I was running two nginx instances? Because it seemed > my configuration was kind of cached, as i commented that line, but it still > didn't work. Now, after i completely reinstalled nginx everything is > working fine. > > I got the idea because i downgraded from newest nginx version to a older > one in my testing. Is it possible that there were multiple instances? > > Anyway, thank you very much. > > > > > Date: Sun, 10 Apr 2016 19:37:35 +0100 > > From: francis at daoine.org > > To: nginx at nginx.org > > Subject: Re: Error 404 if url contains "star" > > > > On Sun, Apr 10, 2016 at 07:16:33PM +0200, Alexander Schwarz wrote: > > > > Hi there, > > > > > i have a very strange problem with my nginx configuration. If the URL > contains the word "star", i get the standard 404 Error not found page. > > > I defined a rule that should redirect all requests to index.php. > > > > http://nginx.org/r/location > > > > Your rule does not redirect *all* requests. > > > > > Any ideas?! > > > > There's a missing backslash "\" on the "location ~*" line, just before > > the ".(". > > > > f > > -- > > Francis Daly francis at daoine.org > > > > _______________________________________________ > > nginx mailing list > > nginx at nginx.org > > http://mailman.nginx.org/mailman/listinfo/nginx > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From vbart at nginx.com Mon Apr 11 10:33:55 2016 From: vbart at nginx.com (=?utf-8?B?0JLQsNC70LXQvdGC0LjQvSDQkdCw0YDRgtC10L3QtdCy?=) Date: Mon, 11 Apr 2016 13:33:55 +0300 Subject: 1.9.14 - Issues with disabled request buffering and HTTP/2 In-Reply-To: <4ce6f1668109603e220275998c41fbb8.NginxMailingListEnglish@forum.nginx.org> References: <4ce6f1668109603e220275998c41fbb8.NginxMailingListEnglish@forum.nginx.org> Message-ID: <5871670.3T5ddxhlFL@vbart-laptop> On Monday 11 April 2016 05:19:17 n.dom wrote: > Hello, > > we have an issue with the newest nginx version 1.9.14. I am not sure if this > is a possible bug or a configuration problem. > > We use nginx with disabled request buffering (proxy_request_buffering off) > > We are currently using nginx 1.9.12 with HTTP/2 enabled. In this setup we > don't have any issues. I am aware of the fact, that request buffering cannot > be deactivated with HTTP/2 until version 1.9.13. > > When updating to nginx 1.9.14, request buffering is disabled for HTTP/2 as > well. > In this case requests from some of our clients (we tested Firefox and > OkHttpClient) cannot load our web application anymore. > In the nginx error log we can see the following lines (non debug): > 2016/04/07 14:20:49 [info] 20235#0: *3115050 client terminated stream 41 > with status 1 while sending request to upstream, client: [......], server: , > request: "POST [....]" > > This only occurs when the client (Firefox and OkHttpClient) uses HTTP/2. We > cannot reproduce this issue with Google Chrome! Chrome works like a charm. > > We also found out, that this issue seems only to occur within POST > requests. > > When enabling proxy request buffering (proxy_request_buffering on), all > clients work as expected. > > Is there anyone with similar issues when updating to the newest nginx > version 1.9.14? > [..] Do you use any 3rd-party modules or patches? In this case try without them. Otherwise, please, provide a debug log: http://nginx.org/en/docs/debugging_log.html wbr, Valentin V. Bartenev From nginx-forum at forum.nginx.org Mon Apr 11 11:01:01 2016 From: nginx-forum at forum.nginx.org (drookie) Date: Mon, 11 Apr 2016 07:01:01 -0400 Subject: upstream member liveness Message-ID: What is the scope of the upstream member liveness: is it per upstream group, or per vhost ? If the question is unclear, consider I have 3 nginx - one balancer and two backends, and the following config part on the nginx balancer: upstream backends { server 192.168.0.1; server 192.168.0.2; } And on both 192.168.0.1 and 192.168.0.2 the following configs: server { server_name A; root /foo/bar1; location / { fastcgi_pass 127.0.0.1:9000; } } server { server_name B; root /foo/bar1; location / { fastcgi_pass 127.0.0.1:9000; } } server 192.168.0.1 returns 500 for vhost A, will it be considered dead for vhost B (and I supposed it will be) ? Thanks. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,266077,266077#msg-266077 From vbart at nginx.com Mon Apr 11 11:09:04 2016 From: vbart at nginx.com (=?utf-8?B?0JLQsNC70LXQvdGC0LjQvSDQkdCw0YDRgtC10L3QtdCy?=) Date: Mon, 11 Apr 2016 14:09:04 +0300 Subject: upstream member liveness In-Reply-To: References: Message-ID: <4570392.T6zVfKGu4c@vbart-laptop> On Monday 11 April 2016 07:01:01 drookie wrote: > What is the scope of the upstream member liveness: is it per upstream group, > or per vhost ? > It's per upstream group. > If the question is unclear, consider I have 3 nginx - one balancer and two > backends, and the following config part on the nginx balancer: > > > upstream backends { > server 192.168.0.1; > server 192.168.0.2; > } > [..] > > server 192.168.0.1 returns 500 for vhost A, will it be considered dead for > vhost B (and I supposed it will be) ? > [..] It won't be cosidered dead for any vhost, unless you have "http_500" in your "fastcgi_next_upstream" directive. http://nginx.org/r/fastcgi_next_upstream wbr, Valentin V. Bartenev From absolutely_free at libero.it Mon Apr 11 11:12:03 2016 From: absolutely_free at libero.it (absolutely_free at libero.it) Date: Mon, 11 Apr 2016 13:12:03 +0200 (CEST) Subject: disable caching for single virtual host Message-ID: <1003584160.6246231460373123744.JavaMail.httpd@webmail-24.iol.local> Hi,I am using nginx as reverse proxy cache with Apache. Basically I use this configuration: https://www.djm.org.uk/wordpress-nginx-reverse-proxy-caching-setup/ I need to exclude a specific virtual from nginx's cache. So I added "shop" upstream with this configuration: upstream backend { ip_hash; server 127.0.0.1:8080; # IP goes here. }upstream shop { ip_hash; server 127.0.0.1:8081; # IP goes here. }server { listen 1.1.1.1; # IP goes here. server_name virtual_host_without_cache.domain.org; location / { proxy_pass http://shop; } real_ip_header X-Forwarded-For; # Set proxy headers for the passthrough proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #proxy_set_header X-Forwarded-For $remote_addr;} server { listen 1.1.1.1:80; # IP goes here. server_name virtual_host_WITH_cache.domain.org; # IP could go here........... Is it correct way to do this?I am still getting in http request header regarding caching when I get pages from virtual_host_without_cache.domain.org: HTTP/1.1 200 OK Server: nginx/1.8.1 Date: Mon, 11 Apr 2016 11:00:59 GMT Content-Type: image/jpeg Content-Length: 65721 Connection: keep-alive Last-Modified: Thu, 21 Jan 2016 16:59:08 GMT ETag: "38292e-100b9-529db055b4f00" Accept-Ranges: bytes Expires: Tue, 12 Apr 2016 11:00:59 GMT Cache-Control: max-age=86400 # nginx -vnginx version: nginx/1.8.1 # cat /etc/redhat-release CentOS release 6.7 (Final) # httpd -vServer version: Apache/2.2.15 (Unix)Server built: Mar 22 2016 19:03:53 Thank you -------------- next part -------------- An HTML attachment was scrubbed... URL: From nginx-forum at forum.nginx.org Mon Apr 11 11:20:56 2016 From: nginx-forum at forum.nginx.org (drookie) Date: Mon, 11 Apr 2016 07:20:56 -0400 Subject: upstream member liveness In-Reply-To: <4570392.T6zVfKGu4c@vbart-laptop> References: <4570392.T6zVfKGu4c@vbart-laptop> Message-ID: <62174a3b862d7ad784cf73ed60deb6e7.NginxMailingListEnglish@forum.nginx.org> I'm asking about the balancer behaviour, not the backends. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,266077,266080#msg-266080 From reallfqq-nginx at yahoo.fr Mon Apr 11 11:23:02 2016 From: reallfqq-nginx at yahoo.fr (B.R.) Date: Mon, 11 Apr 2016 13:23:02 +0200 Subject: TLS/SSL Cache Automatic Purge In-Reply-To: <001401d193cd$e1583c50$a408b4f0$@icloud.com> References: <001401d193cd$e1583c50$a408b4f0$@icloud.com> Message-ID: Sounds like US media political messages: 'I am Arnaud, and I approve this message'. That said, welcome! You will have to write your own module if you want to manually delete TLS sessions parameters instead of letting them expire after 10 minutes. You could also emulate this daily purge by keeping stock nginx but setting : ssl_session_timeout 1d; albeit I for one do not recommend such settings since sessions parameters should probably not be remembered that long for several reasons... On a side-note, by default nginx does not store session parameters as it prefers tickets , supported since v1.5.9, over sessions ID. The former is a more recent mechanism than the latter, and has the notable benefit of storing session parameters client-side, which scales, avoids cache management trouble as yours and some other ones. There are some docs about that in the Web tubes. Why not sticking with those defaults (or even set ssl_session_cache to off to be absolutely clear)? --- *B. R.* On Mon, Apr 11, 2016 at 10:41 AM, Arnaud Van der Vorst wrote: > Hi, > > > > My name is Arnaud and I am new to the list. > > > > I would like to know if NGINX is using any automatic purge mechanism for > its TLS/SSL Cache configured using the following directives: > > ssl_session_timeout 10m; > > ssl_session_cache shared:SSL:10m; > > > > I understand that a daily purge of TLS/SSL Cache is highly recommended to > avoid breaking Perfect Forward Secrecy of the TLS Protocol. > > If it does NOT use automatic purge, how can I purge the Shared cache used > by NGINX then? > > Are there any command line tools for that purpose? > > > > Thank you very much in advance for your answer and have a nice day! > > > > Kind regards, > > > > Arnaud > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From sbxara at icloud.com Mon Apr 11 12:23:40 2016 From: sbxara at icloud.com (Arnaud Van der Vorst) Date: Mon, 11 Apr 2016 14:23:40 +0200 Subject: TLS/SSL Cache Automatic Purge In-Reply-To: References: <001401d193cd$e1583c50$a408b4f0$@icloud.com> Message-ID: <007201d193ec$fcabfdb0$f603f910$@icloud.com> Hi B.R., Thank you very much for your answer and sorry for the US media political like message ;-) So, if I understand correctly, using ssl_session_timeout makes sure that after the specified amount of time, the TLS/SSL Sessions will be removed/purged from the TLS/SSL Shared Cache? Is that correct? Kind regards, Arnaud From: nginx [mailto:nginx-bounces at nginx.org] On Behalf Of B.R. Sent: lundi 11 avril 2016 13:23 To: nginx ML Subject: Re: TLS/SSL Cache Automatic Purge Sounds like US media political messages: 'I am Arnaud, and I approve this message'. That said, welcome! You will have to write your own module if you want to manually delete TLS sessions parameters instead of letting them expire after 10 minutes. You could also emulate this daily purge by keeping stock nginx but setting : ssl_session_timeout 1d; albeit I for one do not recommend such settings since sessions parameters should probably not be remembered that long for several reasons... On a side-note, by default nginx does not store session parameters as it prefers tickets , supported since v1.5.9, over sessions ID. The former is a more recent mechanism than the latter, and has the notable benefit of storing session parameters client-side, which scales, avoids cache management trouble as yours and some other ones. There are some docs about that in the Web tubes. Why not sticking with those defaults (or even set ssl_session_cache to off to be absolutely clear)? --- B. R. On Mon, Apr 11, 2016 at 10:41 AM, Arnaud Van der Vorst > wrote: Hi, My name is Arnaud and I am new to the list. I would like to know if NGINX is using any automatic purge mechanism for its TLS/SSL Cache configured using the following directives: ssl_session_timeout 10m; ssl_session_cache shared:SSL:10m; I understand that a daily purge of TLS/SSL Cache is highly recommended to avoid breaking Perfect Forward Secrecy of the TLS Protocol. If it does NOT use automatic purge, how can I purge the Shared cache used by NGINX then? Are there any command line tools for that purpose? Thank you very much in advance for your answer and have a nice day! Kind regards, Arnaud _______________________________________________ nginx mailing list nginx at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx -------------- next part -------------- An HTML attachment was scrubbed... URL: From mdounin at mdounin.ru Mon Apr 11 13:31:34 2016 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 11 Apr 2016 16:31:34 +0300 Subject: TLS/SSL Cache Automatic Purge In-Reply-To: References: <001401d193cd$e1583c50$a408b4f0$@icloud.com> Message-ID: <20160411133134.GP36620@mdounin.ru> Hello! On Mon, Apr 11, 2016 at 01:23:02PM +0200, B.R. wrote: [...] > On a side-note, by default nginx does not store session parameters as it > prefers tickets > , > supported since v1.5.9, over sessions ID. Session tickets supported as long as OpenSSL version used supports them, that is, with OpenSSL 0.9.8f or later. In nginx 1.5.9 the "ssl_session_tickets" directive was added, which makes it possible to disable session tickets when needed. -- Maxim Dounin http://nginx.org/ From vbart at nginx.com Mon Apr 11 13:51:10 2016 From: vbart at nginx.com (Valentin V. Bartenev) Date: Mon, 11 Apr 2016 16:51:10 +0300 Subject: upstream member liveness In-Reply-To: <62174a3b862d7ad784cf73ed60deb6e7.NginxMailingListEnglish@forum.nginx.org> References: <4570392.T6zVfKGu4c@vbart-laptop> <62174a3b862d7ad784cf73ed60deb6e7.NginxMailingListEnglish@forum.nginx.org> Message-ID: <3123869.6p0jnTSTGn@vbart-workstation> On Monday 11 April 2016 07:20:56 drookie wrote: > I'm asking about the balancer behaviour, not the backends. > I've answered about the balancer. wbr, Valentin V. Bartenev From sca at andreasschulze.de Mon Apr 11 15:17:07 2016 From: sca at andreasschulze.de (A. Schulze) Date: Mon, 11 Apr 2016 17:17:07 +0200 Subject: opinions about Session tickets In-Reply-To: <20160411133134.GP36620@mdounin.ru> References: <001401d193cd$e1583c50$a408b4f0$@icloud.com> <20160411133134.GP36620@mdounin.ru> Message-ID: <20160411171707.Horde.yyvKpPLtwT43pVooZCVa6og@andreasschulze.de> Maxim Dounin: > In nginx 1.5.9 the "ssl_session_tickets" directive was added, > which makes it possible to disable session tickets when needed. I found these two opinions. They suggest to disable session tickets. - https://www.farsightsecurity.com/Blog/20151202-thall-hardening-dh-and-ecc/ - https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/ what do others think about that? Andreas From mdounin at mdounin.ru Mon Apr 11 16:52:18 2016 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 11 Apr 2016 19:52:18 +0300 Subject: Bug in 1.9.14 or something else? In-Reply-To: References: <20160406234820.GD36620@mdounin.ru> Message-ID: <20160411165217.GV36620@mdounin.ru> Hello! On Sun, Apr 10, 2016 at 04:18:05AM -0400, jshare wrote: > If I disable http/2, I can login - good call! > > I enabled the debug.log to compare the output with http/2 enabled and > disabled, but when I compare the two side by side, nothing jumps out at me. > Aside from the time and a few numbers, the two log sections are identical. > What should I be looking for? > > For example, here's the tailed log section that appears when I can't login > because http/2 is enabled: [...] > 2016/04/10 10:53:23 [debug] 11339#0: *32 http process request line > 2016/04/10 10:53:23 [debug] 11339#0: *32 http request line: "GET /readme.html HTTP/1.1" [...] > 2016/04/10 10:53:23 [debug] 11339#0: *32 HTTP/1.1 301 Moved Permanently > Server: nginx > Date: Sun, 10 Apr 2016 07:53:23 GMT > Content-Type: text/html > Content-Length: 178 > Connection: close > Location: https://jobmob.co.il/readme.html This log doesn't looks like a request with HTTP/2 enabled. Rather, it looks like a plain HTTP/1.1 redirect to SSL. You probably have another server{} section to handle SSL, and this section doesn't have debugging log configured. You may also want to provide: - "nginx -V" output; - the configuration you are using. -- Maxim Dounin http://nginx.org/ From hroku003 at yahoo.com Mon Apr 11 18:52:25 2016 From: hroku003 at yahoo.com (hroku003 at yahoo.com) Date: Mon, 11 Apr 2016 18:52:25 +0000 (UTC) Subject: Does "include" use the "configuration prefix" or the "path prefix"? References: <44502594.1016991.1460400745610.JavaMail.yahoo.ref@mail.yahoo.com> Message-ID: <44502594.1016991.1460400745610.JavaMail.yahoo@mail.yahoo.com> I've read the documentation and it implies the "path prefix" would be used for the "include" directive. Example: "include mime.types" However, in practice, the "configuration prefix" is always used even if the file is found within the "path prefix". Is this the correct behaviour? Here are sample values: nginx path prefix: "/tmp/app" nginx binary file: "/tmp/app/progs/nginx/sbin/nginx" nginx configuration prefix: "/tmp/app/progs" nginx configuration file: "/tmp/app/progs/nginx.conf" (I used 1.8.1 and 1.9.14.) - diego From mdounin at mdounin.ru Mon Apr 11 19:43:22 2016 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 11 Apr 2016 22:43:22 +0300 Subject: Does "include" use the "configuration prefix" or the "path prefix"? In-Reply-To: <44502594.1016991.1460400745610.JavaMail.yahoo@mail.yahoo.com> References: <44502594.1016991.1460400745610.JavaMail.yahoo.ref@mail.yahoo.com> <44502594.1016991.1460400745610.JavaMail.yahoo@mail.yahoo.com> Message-ID: <20160411194322.GY36620@mdounin.ru> Hello! On Mon, Apr 11, 2016 at 06:52:25PM +0000, hroku003 at yahoo.com wrote: > I've read the documentation and it implies the "path prefix" > would be used for the "include" directive. > > Example: "include mime.types" > > However, in practice, the "configuration prefix" is always used > even if the file is found within the "path prefix". > Is this the correct behaviour? Yes, this is correct behaviour. Configuration-specific paths like in the "include" directive are resolved relative to the conf prefix, that is, relative to the directory where nginx.conf file resides. -- Maxim Dounin http://nginx.org/ From hroku003 at yahoo.com Mon Apr 11 19:54:58 2016 From: hroku003 at yahoo.com (hroku003 at yahoo.com) Date: Mon, 11 Apr 2016 19:54:58 +0000 (UTC) Subject: Does "include" use the "configuration prefix" or the "path prefix"? In-Reply-To: <20160411194322.GY36620@mdounin.ru> References: <20160411194322.GY36620@mdounin.ru> Message-ID: <1074750852.1067997.1460404498641.JavaMail.yahoo@mail.yahoo.com> THank you very much for confirmation. Is this documented anywhere? I looked at various places: http://nginx.org/en/docs/ngx_core_module.html#include http://nginx.org/en/docs/switches.html https://www.nginx.com/resources/wiki/start/topics/tutorials/installoptions/ and I could not find it. (I also tried reading the C source, https://github.com/nginx/nginx/blob/master/src/core/ngx_conf_file.cbut got lost due to my lack of C experience.) - diego On Monday, April 11, 2016 2:43 PM, Maxim Dounin wrote: Hello! Yes, this is correct behaviour. Configuration-specific paths like in the "include" directive are resolved relative to the conf prefix, that is, relative to the directory where nginx.conf file resides. -- Maxim Dounin http://nginx.org/ _______________________________________________ nginx mailing list nginx at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx From reallfqq-nginx at yahoo.fr Mon Apr 11 20:15:24 2016 From: reallfqq-nginx at yahoo.fr (B.R.) Date: Mon, 11 Apr 2016 22:15:24 +0200 Subject: TLS/SSL Cache Automatic Purge In-Reply-To: <20160411133134.GP36620@mdounin.ru> References: <001401d193cd$e1583c50$a408b4f0$@icloud.com> <20160411133134.GP36620@mdounin.ru> Message-ID: Hello, @Maxim Just to be perfectly clear: does that mean that session tickets are supported for any version of nginx (including have all your answers. --- *B. R.* On Mon, Apr 11, 2016 at 3:31 PM, Maxim Dounin wrote: > Hello! > > On Mon, Apr 11, 2016 at 01:23:02PM +0200, B.R. wrote: > > [...] > > > On a side-note, by default nginx does not store session parameters as it > > prefers tickets > > < > http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets > >, > > supported since v1.5.9, over sessions ID. > > Session tickets supported as long as OpenSSL version used supports > them, that is, with OpenSSL 0.9.8f or later. > > In nginx 1.5.9 the "ssl_session_tickets" directive was added, > which makes it possible to disable session tickets when needed. > > -- > Maxim Dounin > http://nginx.org/ > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From zxcvbn4038 at gmail.com Mon Apr 11 21:42:39 2016 From: zxcvbn4038 at gmail.com (CJ Ess) Date: Mon, 11 Apr 2016 17:42:39 -0400 Subject: Nginx hack day project Message-ID: I was trying to think of a hack day project, and one idea was to implement a blob server similar to Facebook's haystack. Facebook did their server with the evhttpd library, I was thinking of making it an nginx module. In order to make it work I'd need to have nginx send a range of bytes from a larger file as bytes 0..x of the requested object. Is there a capability to do that within Nginx? I could only find one module that did something similar, and it copied the data it wanted to a seperate file before sending it. However, it was an old module so it might not represent the abilities of modern nginx. -------------- next part -------------- An HTML attachment was scrubbed... URL: From sbxara at icloud.com Tue Apr 12 06:30:23 2016 From: sbxara at icloud.com (Arnaud Van der Vorst) Date: Tue, 12 Apr 2016 08:30:23 +0200 Subject: TLS/SSL Cache Automatic Purge In-Reply-To: References: <001401d193cd$e1583c50$a408b4f0$@icloud.com> <20160411133134.GP36620@mdounin.ru> Message-ID: <000a01d19484$cc72e210$6558a630$@icloud.com> Hi, @B.R. Not really? The only information for ssl_session_timout is ?Specifies a time during which a client may reuse the session parameters stored in a cache.? It does not say anything about purging the TLS/SSL Cache which is my concern here. I have read that invalidating a TLS/SSL Session and purging the TLS/SSL Cache are two separate things. Arnaud From: nginx [mailto:nginx-bounces at nginx.org] On Behalf Of B.R. Sent: lundi 11 avril 2016 22:15 To: nginx ML Subject: Re: TLS/SSL Cache Automatic Purge Hello, @Maxim Just to be perfectly clear: does that mean that session tickets are supported for any version of nginx (including have all your answers. --- B. R. On Mon, Apr 11, 2016 at 3:31 PM, Maxim Dounin > wrote: Hello! On Mon, Apr 11, 2016 at 01:23:02PM +0200, B.R. wrote: [...] > On a side-note, by default nginx does not store session parameters as it > prefers tickets > , > supported since v1.5.9, over sessions ID. Session tickets supported as long as OpenSSL version used supports them, that is, with OpenSSL 0.9.8f or later. In nginx 1.5.9 the "ssl_session_tickets" directive was added, which makes it possible to disable session tickets when needed. -- Maxim Dounin http://nginx.org/ _______________________________________________ nginx mailing list nginx at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx -------------- next part -------------- An HTML attachment was scrubbed... URL: From sbxara at icloud.com Tue Apr 12 06:32:13 2016 From: sbxara at icloud.com (Arnaud Van der Vorst) Date: Tue, 12 Apr 2016 08:32:13 +0200 Subject: opinions about Session tickets In-Reply-To: <20160411171707.Horde.yyvKpPLtwT43pVooZCVa6og@andreasschulze.de> References: <001401d193cd$e1583c50$a408b4f0$@icloud.com> <20160411133134.GP36620@mdounin.ru> <20160411171707.Horde.yyvKpPLtwT43pVooZCVa6og@andreasschulze.de> Message-ID: <003f01d19485$0dd0bd40$297237c0$@icloud.com> Good morning, @Andreas Thank you for sharing these documents. I had already read the one from Tim Taubert and had the same concern about using TLS/SSL Tickets. Is it a good thing or not? -----Original Message----- From: nginx [mailto:nginx-bounces at nginx.org] On Behalf Of A. Schulze Sent: lundi 11 avril 2016 17:17 To: nginx at nginx.org Subject: opinions about Session tickets Maxim Dounin: > In nginx 1.5.9 the "ssl_session_tickets" directive was added, which > makes it possible to disable session tickets when needed. I found these two opinions. They suggest to disable session tickets. - https://www.farsightsecurity.com/Blog/20151202-thall-hardening-dh-and-ecc/ - https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session- resumption-implementations/ what do others think about that? Andreas _______________________________________________ nginx mailing list nginx at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx From pankajitbhu at gmail.com Tue Apr 12 06:34:16 2016 From: pankajitbhu at gmail.com (Pankaj Chaudhary) Date: Tue, 12 Apr 2016 12:04:16 +0530 Subject: reading cookie Message-ID: Hi, My name is Pankaj and i am new to this list. I would like to know how i can set cookie value and get cookie value. Please let me know is any module already written to do this. Regards, Pankaj -------------- next part -------------- An HTML attachment was scrubbed... URL: From luky-37 at hotmail.com Tue Apr 12 09:17:30 2016 From: luky-37 at hotmail.com (Lukas Tribus) Date: Tue, 12 Apr 2016 11:17:30 +0200 Subject: opinions about Session tickets In-Reply-To: <20160411171707.Horde.yyvKpPLtwT43pVooZCVa6og@andreasschulze.de> References: <001401d193cd$e1583c50$a408b4f0$@icloud.com>, , <20160411133134.GP36620@mdounin.ru>, <20160411171707.Horde.yyvKpPLtwT43pVooZCVa6og@andreasschulze.de> Message-ID: Hi! > I found these two opinions. They suggest to disable session tickets. > > - https://www.farsightsecurity.com/Blog/20151202-thall-hardening-dh-and-ecc/ > - > https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/ > > what do others think about that? Well, it depends: By default, unless you specify a tls ticket file (ssl_session_ticket_key), a new key is generated when nginx is restarted, and the key is never written to disk. So for the session to get compromised, the attacker has to be able to extract the key from the servers memory, which will compromise all sessions using this ticket key. However, when the attacker has access to the memory the ticket key is stored, he probably can access the shared memory containg the session cache as well, which will compromise those session (not using tls tickets) too - the difference is that it will only compromise the sessions that are in the cache, while the ticket key can decrypt all sessions encrypted with it. I would say restart nginx once a day via cronjob to cycle the tls ticket key. Disabling tls tickets can be another workaround, yes, but all this is only relevant when the attacker gains access to your memory, which will reveal session cache and private key as well. If you have more than one server, you probably want to distribute and rotate the ticket key on all servers, in that case generate the tls ticket key in a central location and distribute it to all servers, never touching a permanent storage (don't save to disk, use something like tmpfs). Lukas From luky-37 at hotmail.com Tue Apr 12 09:23:15 2016 From: luky-37 at hotmail.com (Lukas Tribus) Date: Tue, 12 Apr 2016 11:23:15 +0200 Subject: TLS/SSL Cache Automatic Purge In-Reply-To: References: <001401d193cd$e1583c50$a408b4f0$@icloud.com>, , <20160411133134.GP36620@mdounin.ru>, Message-ID: Hi, > Just to be perfectly clear: does that mean that session tickets are? > supported for any version of nginx (including OpenSSL 0.9.8f is available? Yes. > So the directive would be kind of 'intercepting' TLS commands, a man in? > the middle of client and OpenSSL? No, the feature [1] sets SSL_OP_NO_TICKET [2], which instructs OpenSSL to NOT use TLS tickets. By default, OpenSSL uses tickets. > The only information for ssl_session_timout is ?Specifies a time during > which a client may reuse the session parameters stored in a cache.? > It does not say anything about purging the TLS/SSL Cache which is my > concern here. I don't think the sessions are purged, its probably an LRU. Lukas [1] http://hg.nginx.org/nginx/rev/d049b0ea00a3 [2] https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_options.html From sirtcp at gmail.com Tue Apr 12 14:32:53 2016 From: sirtcp at gmail.com (Muhammad Yousuf Khan) Date: Tue, 12 Apr 2016 19:32:53 +0500 Subject: Redirection 301 create "Redirection loop" while using wordpress site. Message-ID: Dear All, I am very new to nginx and trying to learn it from very basic. i have a website and i am willing to remove the "www" before my actual domain name. the solution so far i have find out on google is very simple. so when ever any of the visitor visits my website by using www.xxx.com he should be redirected to xxx.com. fortunately everything is working as expected i can load php files and html file correctly, however when i try to load my actual website my browser shows error "redirection loop created" here is the config code of my website. server { server_name www.xxx.com; return 301 $scheme://xxx.com$request_uri; } server { server_name xxx.com; root /var/www/html/xxx/public_html; index index.php info.php; access_log /var/log/nginx/xxx.com/access.log; error_log /var/log/nginx/xxx.com/error.log; location / { try_files $uri $uri/ /index.php?q=$request_uri; } rewrite /wp-admin$ $scheme://$host$uri/ permanent; location ~ \.php$ { include fastcgi_params; fastcgi_split_path_info ^(.+\.php)(/.+)$; #fastcgi_pass unix:/var/run/php5-fpm.sock; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $request_filename; } location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|woff|woff2)$ { add_header Access-Control-Allow-Origin xxx.com; } } I can access php files properly like info.php. to check whether php is working or not. however the problem part is wordpress. when i try to load my wordpress site chrome shows an error saying reduction loop occur. Any friendly advice will be highly appreciated. Thanks, Yousuf -------------- next part -------------- An HTML attachment was scrubbed... URL: From nginx-forum at forum.nginx.org Tue Apr 12 15:02:11 2016 From: nginx-forum at forum.nginx.org (Alt) Date: Tue, 12 Apr 2016 11:02:11 -0400 Subject: Redirection 301 create "Redirection loop" while using wordpress site. In-Reply-To: References: Message-ID: Hello, Muhammad Yousuf Khan Wrote: ------------------------------------------------------- > I can access php files properly like info.php. to check whether php > is > working or not. however the problem part is wordpress. > > when i try to load my wordpress site chrome shows an error saying > reduction > loop occur. > I would think there's a configuration somewhere (a config file or database?) in WordPress which redirect your example.com to www.example.com. As I don't use WordPress, I can't help you better. Best Regards Posted at Nginx Forum: https://forum.nginx.org/read.php?2,266118,266119#msg-266119 From lists-nginx at swsystem.co.uk Tue Apr 12 15:07:11 2016 From: lists-nginx at swsystem.co.uk (Steve Wilson) Date: Tue, 12 Apr 2016 16:07:11 +0100 Subject: Redirection 301 create "Redirection loop" while using wordpress site. In-Reply-To: References: Message-ID: <8c19d8fba730b66e91e127c8011645c2@swsystem.co.uk> It sounds to me like wordpress believes that www is required and nginx doesn't want it. I'd try commenting out the redirect server{} block and add the server_name to the xxx.com one and see what you end up with in your browser, then have a look through the wordpress settings to see what it's wanting in the address bar. For my wordpress there seems to be 2 options under Settings/General, "Wordpress Address (URL)" and "Site Address (URL)". On 12/04/2016 15:32, Muhammad Yousuf Khan wrote: > Dear All, > > I am very new to nginx and trying to learn it from very basic. i have a website and i am willing to remove the "www" before my actual domain name. the solution so far i have find out on google is very simple. > > so when ever any of the visitor visits my website by using www.xxx.com [1] he should be redirected to xxx.com [2]. fortunately everything is working as expected i can load php files and html file correctly, however when i try to load my actual website my browser shows error "redirection loop created" > here is the config code of my website. > > server { > server_name www.xxx.com [1]; > return 301 $scheme://xxx.com [2]$request_uri; > } > > server { > server_name xxx.com [2]; > root /var/www/html/xxx/public_html; > index index.php info.php; > access_log /var/log/nginx/xxx.com/access.log [3]; > error_log /var/log/nginx/xxx.com/error.log [4]; > > location / { > try_files $uri $uri/ /index.php?q=$request_uri; > } > > rewrite /wp-admin$ $scheme://$host$uri/ permanent; > > location ~ \.php$ { > include fastcgi_params; > fastcgi_split_path_info ^(.+\.php)(/.+)$; > #fastcgi_pass unix:/var/run/php5-fpm.sock; > fastcgi_pass 127.0.0.1:9000 [5]; > fastcgi_index index.php; > fastcgi_param SCRIPT_FILENAME $request_filename; > } > > location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|woff|woff2)$ { > add_header Access-Control-Allow-Origin xxx.com [2]; > > } > > } > > I can access php files properly like info.php. to check whether php is working or not. however the problem part is wordpress. > > when i try to load my wordpress site chrome shows an error saying reduction loop occur. > > Any friendly advice will be highly appreciated. > > Thanks, > Yousuf > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx Links: ------ [1] http://www.xxx.com [2] http://xxx.com [3] http://xxx.com/access.log [4] http://xxx.com/error.log [5] http://127.0.0.1:9000 -------------- next part -------------- An HTML attachment was scrubbed... URL: From mdounin at mdounin.ru Tue Apr 12 16:05:58 2016 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 12 Apr 2016 19:05:58 +0300 Subject: Does "include" use the "configuration prefix" or the "path prefix"? In-Reply-To: <1074750852.1067997.1460404498641.JavaMail.yahoo@mail.yahoo.com> References: <20160411194322.GY36620@mdounin.ru> <1074750852.1067997.1460404498641.JavaMail.yahoo@mail.yahoo.com> Message-ID: <20160412160558.GE36620@mdounin.ru> Hello! On Mon, Apr 11, 2016 at 07:54:58PM +0000, hroku003 at yahoo.com wrote: > THank you very much for confirmation. > Is this documented anywhere? I don't think it's explicitly documented anywhere except in CHANGES for 0.6.7 (http://nginx.org/en/CHANGES): *) Change: now the paths specified in the "include", "auth_basic_user_file", "perl_modules", "ssl_certificate", "ssl_certificate_key", and "ssl_client_certificate" directives are relative to directory of nginx configuration file nginx.conf, but not to nginx prefix directory. Basically, there are two types of paths in nginx configuration: - configuration-specific paths (include, SSL certs/keys, auth_basic_user_file - that is, things that naturally a part of configuration), resolved relative to nginx.conf file; - all other paths, resolved from prefix. This should be documented somewhere, and we already have a ticket for a related question, https://trac.nginx.org/nginx/ticket/781. -- Maxim Dounin http://nginx.org/ From reallfqq-nginx at yahoo.fr Tue Apr 12 16:13:58 2016 From: reallfqq-nginx at yahoo.fr (B.R.) Date: Tue, 12 Apr 2016 18:13:58 +0200 Subject: Does "include" use the "configuration prefix" or the "path prefix"? In-Reply-To: <20160412160558.GE36620@mdounin.ru> References: <20160411194322.GY36620@mdounin.ru> <1074750852.1067997.1460404498641.JavaMail.yahoo@mail.yahoo.com> <20160412160558.GE36620@mdounin.ru> Message-ID: I found some bits: prefix is explained on the command-line parameters docs page and, in a little more vebose fashion, in an nginx.com tutorial , probably thanks to Rick Nelson. Life's lesson: never consider anything as obvious for everyone... Easy to say, hard to apply. --- *B. R.* On Tue, Apr 12, 2016 at 6:05 PM, Maxim Dounin wrote: > Hello! > > On Mon, Apr 11, 2016 at 07:54:58PM +0000, hroku003 at yahoo.com wrote: > > > THank you very much for confirmation. > > Is this documented anywhere? > > I don't think it's explicitly documented anywhere except in > CHANGES for 0.6.7 (http://nginx.org/en/CHANGES): > > *) Change: now the paths specified in the "include", > "auth_basic_user_file", "perl_modules", "ssl_certificate", > "ssl_certificate_key", and "ssl_client_certificate" directives are > relative to directory of nginx configuration file nginx.conf, but > not > to nginx prefix directory. > > Basically, there are two types of paths in nginx configuration: > > - configuration-specific paths (include, SSL certs/keys, > auth_basic_user_file - that is, things that naturally a part of > configuration), resolved relative to nginx.conf file; > > - all other paths, resolved from prefix. > > This should be documented somewhere, and we already have a ticket > for a related question, https://trac.nginx.org/nginx/ticket/781. > > -- > Maxim Dounin > http://nginx.org/ > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From nginx-forum at forum.nginx.org Tue Apr 12 20:48:27 2016 From: nginx-forum at forum.nginx.org (lfisher) Date: Tue, 12 Apr 2016 16:48:27 -0400 Subject: gzip working for 443 but not 80 in same listener? Message-ID: I added port 80 in my listener. # HTTPS server server { listen 80; listen 443 ssl; Gzip still works on 443, but css/js are not getting gzipped in port 80. My nginx.conf has gzip on; gzip_vary on; gzip_min_length 500; gzip_buffers 4 32k; gzip_comp_level 6; # gzip_proxied expired no-cache no-store private auth; gzip_proxied any; gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/x-javascript application/xml application/xml+rss; # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; gzip_disable "MSIE [1-6]\."; I tried adding this but it didn't seem to help # it wasn't compressing for port 80 gzip_http_version 1.0; I can also see if I do curl --header "Accept-Encoding: gzip,deflate,sdch" -sI http://wwwtest.vishay.com/scripts/6a1ffc5abe3087be4ead5451c1651f74ee0672f3/scripts/satellite-56dd434664746d0550000142.js vs curl --header "Accept-Encoding: gzip,deflate,sdch" -sI https://wwwtest.vishay.com/scripts/6a1ffc5abe3087be4ead5451c1651f74ee0672f3/scripts/satellite-56dd434664746d0550000142.js only the https shows Content-Encoding: gzip What am I missing?? Thanks, Lee Posted at Nginx Forum: https://forum.nginx.org/read.php?2,266128,266128#msg-266128 From vbart at nginx.com Tue Apr 12 21:32:25 2016 From: vbart at nginx.com (=?utf-8?B?0JLQsNC70LXQvdGC0LjQvSDQkdCw0YDRgtC10L3QtdCy?=) Date: Wed, 13 Apr 2016 00:32:25 +0300 Subject: gzip working for 443 but not 80 in same listener? In-Reply-To: References: Message-ID: <5903258.IMcBXoZH4h@vbart-laptop> On Tuesday 12 April 2016 16:48:27 lfisher wrote: > I added port 80 in my listener. > # HTTPS server > server { > listen 80; > listen 443 ssl; > > Gzip still works on 443, but css/js are not getting gzipped in port 80. > > My nginx.conf has > gzip on; > gzip_vary on; > gzip_min_length 500; > gzip_buffers 4 32k; > gzip_comp_level 6; > # gzip_proxied expired no-cache no-store private auth; > gzip_proxied any; > gzip_types text/plain text/css text/xml text/javascript > application/json application/javascript application/x-javascript > application/xml application/xml+rss; > # gzip_types text/plain text/css application/json > application/x-javascript text/xml application/xml application/xml+rss > text/javascript; > gzip_disable "MSIE [1-6]\."; > > I tried adding this but it didn't seem to help > # it wasn't compressing for port 80 > gzip_http_version 1.0; > > > I can also see if I do > curl --header "Accept-Encoding: gzip,deflate,sdch" -sI > http://wwwtest.vishay.com/scripts/6a1ffc5abe3087be4ead5451c1651f74ee0672f3/scripts/satellite-56dd434664746d0550000142.js > > vs > > curl --header "Accept-Encoding: gzip,deflate,sdch" -sI > https://wwwtest.vishay.com/scripts/6a1ffc5abe3087be4ead5451c1651f74ee0672f3/scripts/satellite-56dd434664746d0550000142.js > > only the https shows > Content-Encoding: gzip > > What am I missing?? > [...] Works fine: % curl --header "Accept-Encoding: gzip,deflate,sdch" -sI http://wwwtest.vishay.com/scripts/6a1ffc5abe3087be4ead5451c1651f74ee0672f3/scripts/satellite-56dd434664746d0550000142.js HTTP/1.1 200 OK Server: nginx Content-Type: application/javascript Last-Modified: Thu, 10 Mar 2016 15:49:44 GMT Vary: Accept-Encoding ETag: "56e19798-c70" Strict-Transport-Security: max-age=31536000; Accept-Ranges: bytes Content-Encoding: gzip Cache-Control: max-age=2591947 Expires: Thu, 12 May 2016 21:26:40 GMT Date: Tue, 12 Apr 2016 21:27:33 GMT Content-Length: 20 Connection: keep-alive wbr, Valentin V. Bartenev From nginx-forum at forum.nginx.org Wed Apr 13 00:01:57 2016 From: nginx-forum at forum.nginx.org (Ramon_Ali) Date: Tue, 12 Apr 2016 20:01:57 -0400 Subject: $ssl_client_verify not working? Message-ID: Hi, i was wanting to return a 403 when invalid client certificate submitted, however Nginx 1.9.6 returning 400 Bad Request, The SSL Certificate Error. Seems to return 403 fine when no certificate is submitted, but any clues on getting it to return a 403 work when invalid (signed by unauthorised CA) certificate submitted. Nginx server block - server { listen 443 ssl; server_name server.com; ssl_certificate /etc/nginx/server.crt; ssl_certificate_key /etc/nginx/server.key; ssl_client_certificate /etc/nginx/client_ca.crt; ssl_verify_client optional; ssl_verify_depth 2; if ($ssl_client_verify != SUCCESS ) { return 403; } Posted at Nginx Forum: https://forum.nginx.org/read.php?2,266136,266136#msg-266136 From nginx-forum at forum.nginx.org Wed Apr 13 04:47:14 2016 From: nginx-forum at forum.nginx.org (drookie) Date: Wed, 13 Apr 2016 00:47:14 -0400 Subject: upstream member liveness In-Reply-To: <3123869.6p0jnTSTGn@vbart-workstation> References: <3123869.6p0jnTSTGn@vbart-workstation> Message-ID: Is there someone besides Captain Evidence who knows the answer ? This is actually the problem of the modern internet: half of the decent questions is flooded out by people, who not only think they know the answer, but are arrogant enough to insist it, and from the point of an outer observer the topic looks "answered". Posted at Nginx Forum: https://forum.nginx.org/read.php?2,266077,266137#msg-266137 From nginx-forum at forum.nginx.org Wed Apr 13 06:32:17 2016 From: nginx-forum at forum.nginx.org (Ramon_Ali) Date: Wed, 13 Apr 2016 02:32:17 -0400 Subject: $ssl_client_verify not working? In-Reply-To: References: Message-ID: ... i also tried adding below, but still wouldn't return a 403? error_page 400 =403 /; Posted at Nginx Forum: https://forum.nginx.org/read.php?2,266136,266138#msg-266138 From sirtcp at gmail.com Wed Apr 13 06:54:17 2016 From: sirtcp at gmail.com (Muhammad Yousuf Khan) Date: Wed, 13 Apr 2016 11:54:17 +0500 Subject: Redirection 301 create "Redirection loop" while using wordpress site. In-Reply-To: <8c19d8fba730b66e91e127c8011645c2@swsystem.co.uk> References: <8c19d8fba730b66e91e127c8011645c2@swsystem.co.uk> Message-ID: Thanks Steve and Alt for the hint. you point out the correct problem. there are two settings in wp-config.php which i change something like this and it worked. from this define('WP_HOME','http://www.xxx.com'); define('WP_SITEURL','http://www.xxx.com'); to this define('WP_HOME','http://xxx.com'); define('WP_SITEURL','http://xxx.com'); now things are working as expected. Thanks Alot :) MYK On Tue, Apr 12, 2016 at 8:07 PM, Steve Wilson wrote: > It sounds to me like wordpress believes that www is required and nginx > doesn't want it. > > I'd try commenting out the redirect server{} block and add the server_name > to the xxx.com one and see what you end up with in your browser, then > have a look through the wordpress settings to see what it's wanting in the > address bar. > > For my wordpress there seems to be 2 options under Settings/General, > "Wordpress Address (URL)" and "Site Address (URL)". > > On 12/04/2016 15:32, Muhammad Yousuf Khan wrote: > > Dear All, > > I am very new to nginx and trying to learn it from very basic. i have a > website and i am willing to remove the "www" before my actual domain name. > the solution so far i have find out on google is very simple. > > so when ever any of the visitor visits my website by using www.xxx.com he > should be redirected to xxx.com. fortunately everything is working as > expected i can load php files and html file correctly, however when i try > to load my actual website my browser shows error "redirection loop created" > > here is the config code of my website. > > server { > server_name www.xxx.com; > return 301 $scheme://xxx.com$request_uri; > } > > server { > server_name xxx.com; > root /var/www/html/xxx/public_html; > index index.php info.php; > access_log /var/log/nginx/xxx.com/access.log; > error_log /var/log/nginx/xxx.com/error.log; > > location / { > try_files $uri $uri/ /index.php?q=$request_uri; > } > > rewrite /wp-admin$ $scheme://$host$uri/ permanent; > > > location ~ \.php$ { > include fastcgi_params; > fastcgi_split_path_info ^(.+\.php)(/.+)$; > #fastcgi_pass unix:/var/run/php5-fpm.sock; > fastcgi_pass 127.0.0.1:9000; > fastcgi_index index.php; > fastcgi_param SCRIPT_FILENAME $request_filename; > } > > location ~* > \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|woff|woff2)$ > { > add_header Access-Control-Allow-Origin xxx.com; > > } > > } > > > > I can access php files properly like info.php. to check whether php is > working or not. however the problem part is wordpress. > > when i try to load my wordpress site chrome shows an error saying > reduction loop occur. > > Any friendly advice will be highly appreciated. > > Thanks, > Yousuf > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From francis at daoine.org Wed Apr 13 07:36:19 2016 From: francis at daoine.org (Francis Daly) Date: Wed, 13 Apr 2016 08:36:19 +0100 Subject: upstream member liveness In-Reply-To: References: <3123869.6p0jnTSTGn@vbart-workstation> Message-ID: <20160413073619.GN9435@daoine.org> On Wed, Apr 13, 2016 at 12:47:14AM -0400, drookie wrote: Hi there, > Is there someone besides Captain Evidence who knows the answer ? There's you, me, him, them, everybody. At least, everybody who read the previous answers in the thread. > This is > actually the problem of the modern internet: half of the decent questions is > flooded out by people, who not only think they know the answer, but are > arrogant enough to insist it, and from the point of an outer observer the > topic looks "answered". Since you already know that, why would you believe *any* answer to your question? (Including this one.) And, by extension, why would you even ask a question? Read The Fine Source. It's the only way to be sure. Good luck with it, f -- Francis Daly francis at daoine.org From vbart at nginx.com Wed Apr 13 08:05:52 2016 From: vbart at nginx.com (=?utf-8?B?0JLQsNC70LXQvdGC0LjQvSDQkdCw0YDRgtC10L3QtdCy?=) Date: Wed, 13 Apr 2016 11:05:52 +0300 Subject: upstream member liveness In-Reply-To: References: <3123869.6p0jnTSTGn@vbart-workstation> Message-ID: <2520028.DBKEfizxdd@vbart-laptop> On Wednesday 13 April 2016 00:47:14 drookie wrote: > Is there someone besides Captain Evidence who knows the answer ? This is > actually the problem of the modern internet: half of the decent questions is > flooded out by people, who not only think they know the answer, but are > arrogant enough to insist it, and from the point of an outer observer the > topic looks "answered". > [..] Ok, probably "fastcgi_next_upstream" in my answer misled you, since nginx with the "upstream" block for sure talks to other nginx instances by HTTP using "proxy_pass", then "proxy_next_upstream" would the correct answer in this case. In the configuration below: upstream backends { server 192.168.0.1; server 192.168.0.2; } proxy_pass http://backends; nginx doesn't care (and knows nothing) about the virtual hosts presented on these servers in the upstream block, and don't try to differentiate requests in terms of liveness using the host header or any other parameter. If the "192.168.0.1" will be recognized as dead by the rules that are described in the documentation, it will be considered dead for all requests for all hosts that use this upstream block. So the "member liveness" is per upstream group. What I also wanted to bring to your attention is that by default the 500 response isn't recognized as a fail attempt, unless you have configured it using the proxy_next_upstream, fastcgi_next_upstream, uwsgi_next_upstream, or scgi_next_upstream directives (depending on the protocol). wbr, Valentin V. Bartenev From nginx-forum at forum.nginx.org Wed Apr 13 09:08:50 2016 From: nginx-forum at forum.nginx.org (vergil) Date: Wed, 13 Apr 2016 05:08:50 -0400 Subject: Cache manager occasionally stops deleting cached files In-Reply-To: <20160225142129.GX31796@mdounin.ru> References: <20160225142129.GX31796@mdounin.ru> Message-ID: <22519b8fa5663174ece8dc758a4a0ed4.NginxMailingListEnglish@forum.nginx.org> Hello again. Maxim Dounin Wrote: ------------------------------------------------------- > Hello! > > On Thu, Feb 25, 2016 at 05:46:32AM -0500, vergil wrote: > > > vedranf Wrote: > > ------------------------------------------------------- > > > Hello, > > > > > > I'm having an issue where nginx (1.8) cache manager suddenly just > > > stops deleting content thus the disk soon ends up being full until > I > > > restart it by hand. After it is restarted, it works normally for a > > > couple of days, but then it happens again. Cache has some 30-40k > > > files, nothing huge. Relevant config lines are: > > [...] > > > We have the same problem, but i'm not sure, that this is caused by > often > > nginx restarts. > > This particular case was traced to segmentation faults, likely > caused by 3rd party modules. > > [...] > > > Also, i think it's somehow related to write connection leak. (see > image > > link) > > > > > https://s3.eu-central-1.amazonaws.com/drive-public-eu/nginx/betelgeuse > _nginx_connections.PNG > > [...] > > > As you see write connections continuously grows. (When we had to > power off > > the machine it's reached ~60k). > > > > For counting nginx connections we use standard > http_stub_status_module. > > > > I think that nginx "reference counter" could be broken, because > total > > established TCP connection remains the same all the time. > > Writing connections will grow due to segmentation faults as well, > so you are likely have the same problem. See basic > recommendations in my initial answer in this threads. I've maded custom nginx build using latest version (1.9.13) without 3rd party modules: nginx -V nginx version: nginx/1.9.13 built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.1) built with OpenSSL 1.0.1f 6 Jan 2014 TLS SNI support enabled configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_v2_module --with-http_sub_module --with-http_xslt_module --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-threads Nothing changed: connections continuously grow, cache manager works fine and not filled the disk yet, but i think it's a matter of 2-3 days. PIDs didn't changed since the start, and log didn't contain "worker process exited ..." messages. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,264599,266142#msg-266142 From nginx-forum at forum.nginx.org Wed Apr 13 09:24:32 2016 From: nginx-forum at forum.nginx.org (benson9) Date: Wed, 13 Apr 2016 05:24:32 -0400 Subject: load balancing % available Message-ID: <67d0835e33f42a9b66bda9c99aadc0d8.NginxMailingListEnglish@forum.nginx.org> Hello, I'm not yet an Nginx user, but have a question on it's capacbility. I've had a look at the http load balancer, but cannot see anything that would allow me to set the % or number of servers in an upstream backend group that should be available before an error response is returned. The scenario I am looking into is one where Nginx can manage load balancing across servers in a tier and there are multiple tiers. If less than 50% servers are available in any tier I would like to respond with a HTTP failure and the hardware load balancer can then route traffic to a standby data centre. If the status page returns information about all the servers in the group in each tier then perhaps some orchestrating check called by the hardware load balancer could detemine whether the site is considered available? Is an orchestrating check available in Nginx and can % available be set? I look forward to any responses. Thanks Benson Posted at Nginx Forum: https://forum.nginx.org/read.php?2,266143,266143#msg-266143 From reallfqq-nginx at yahoo.fr Wed Apr 13 10:13:36 2016 From: reallfqq-nginx at yahoo.fr (B.R.) Date: Wed, 13 Apr 2016 12:13:36 +0200 Subject: upstream member liveness In-Reply-To: <2520028.DBKEfizxdd@vbart-laptop> References: <3123869.6p0jnTSTGn@vbart-workstation> <2520028.DBKEfizxdd@vbart-laptop> Message-ID: Waow. I am off-topic, but Valentin I shall note you are showing a great deal of patience. Without any doubt your interlocutor will be glad and thankful for it, and will demonstrate it as good as when he (quickly) becomes upset. Btw, I do not know any Captain Evidence, only Captain Obvious. --- *B. R.* On Wed, Apr 13, 2016 at 10:05 AM, ???????? ???????? wrote: > On Wednesday 13 April 2016 00:47:14 drookie wrote: > > Is there someone besides Captain Evidence who knows the answer ? This is > > actually the problem of the modern internet: half of the decent > questions is > > flooded out by people, who not only think they know the answer, but are > > arrogant enough to insist it, and from the point of an outer observer the > > topic looks "answered". > > > [..] > > Ok, probably "fastcgi_next_upstream" in my answer misled you, since nginx > with > the "upstream" block for sure talks to other nginx instances by HTTP using > "proxy_pass", then "proxy_next_upstream" would the correct answer in this > case. > > In the configuration below: > > upstream backends { > server 192.168.0.1; > server 192.168.0.2; > } > > proxy_pass http://backends; > > nginx doesn't care (and knows nothing) about the virtual hosts presented on > these servers in the upstream block, and don't try to differentiate > requests > in terms of liveness using the host header or any other parameter. > > If the "192.168.0.1" will be recognized as dead by the rules that are > described in the documentation, it will be considered dead for all requests > for all hosts that use this upstream block. > > So the "member liveness" is per upstream group. > > What I also wanted to bring to your attention is that by default the 500 > response isn't recognized as a fail attempt, unless you have configured it > using the proxy_next_upstream, fastcgi_next_upstream, uwsgi_next_upstream, > or scgi_next_upstream directives (depending on the protocol). > > wbr, Valentin V. Bartenev > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From reallfqq-nginx at yahoo.fr Wed Apr 13 10:21:52 2016 From: reallfqq-nginx at yahoo.fr (B.R.) Date: Wed, 13 Apr 2016 12:21:52 +0200 Subject: load balancing % available In-Reply-To: <67d0835e33f42a9b66bda9c99aadc0d8.NginxMailingListEnglish@forum.nginx.org> References: <67d0835e33f42a9b66bda9c99aadc0d8.NginxMailingListEnglish@forum.nginx.org> Message-ID: As per the docs, I do not see a mean of doing what you wish directly in an upstream block. That cut-off might be a feature request you could post on their bug tracker. In the meanwhile, you might parse data about servers from an upstream group on a status page you would have configured. However, the status module is only part of the commercial version of nginx, not the FOSS one. Have a look: http://nginx.org/en/docs/http/ngx_http_status_module.html#status_zone That is the best answer I could provide you with. Maybe someone else could help you further? --- *B. R.* On Wed, Apr 13, 2016 at 11:24 AM, benson9 wrote: > Hello, > I'm not yet an Nginx user, but have a question on it's capacbility. > > I've had a look at the http load balancer, but cannot see anything that > would allow me to set the % or number of servers in an upstream backend > group that should be available before an error response is returned. > > The scenario I am looking into is one where Nginx can manage load balancing > across servers in a tier and there are multiple tiers. If less than 50% > servers are available in any tier I would like to respond with a HTTP > failure and the hardware load balancer can then route traffic to a standby > data centre. > > If the status page returns information about all the servers in the group > in > each tier then perhaps some orchestrating check called by the hardware load > balancer could detemine whether the site is considered available? > > Is an orchestrating check available in Nginx and can % available be set? > > I look forward to any responses. > > Thanks > Benson > > Posted at Nginx Forum: > https://forum.nginx.org/read.php?2,266143,266143#msg-266143 > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From vbart at nginx.com Wed Apr 13 13:15:47 2016 From: vbart at nginx.com (=?utf-8?B?0JLQsNC70LXQvdGC0LjQvSDQkdCw0YDRgtC10L3QtdCy?=) Date: Wed, 13 Apr 2016 16:15:47 +0300 Subject: load balancing % available In-Reply-To: References: <67d0835e33f42a9b66bda9c99aadc0d8.NginxMailingListEnglish@forum.nginx.org> Message-ID: <1696654.8NFtNZ9zla@vbart-laptop> On Wednesday 13 April 2016 12:21:52 B.R. wrote: > As per the docs, I do not see a mean of doing what you wish directly in an > upstream block. > That cut-off might be a feature request you could post on their bug tracker. > > In the meanwhile, you might parse data about servers from an upstream group > on a status page you would have configured. > However, the status module is only part of the commercial version of nginx, > not the FOSS one. Have a look: > http://nginx.org/en/docs/http/ngx_http_status_module.html#status_zone > [..] There is also a demo page that in more user-friendly way demonstrates most of the data provided by the status module. http://demo.nginx.com/status.html and the raw json data as well: http://demo.nginx.com/status wbr, Valentin V. Bartenev From romeroqj at gmail.com Thu Apr 14 06:46:05 2016 From: romeroqj at gmail.com (Jorge Romero) Date: Thu, 14 Apr 2016 00:46:05 -0600 Subject: unknown directive "proxy_ssl" Message-ID: Hi, I?m trying to configure Nginx 1.9.7 as a proxy server. This proxy server won?t serve as SSL termination for HTTPS requests, for which the proxy_ssl directive sounds perfect. http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html?&_ga=1.265652687.1742266542.1457571695#proxy_ssl However, I?m getting the following error: nginx: [emerg] unknown directive "proxy_ssl" in /home/devel/nginx.conf:14 I?m under the impression that this module is included in the core, but I might be wrong. How should go about compiling with the corresponding module included? These are my current configure arguments: configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt=-O2 --add-module=../ngx_devel_kit-0.2.19 --add-module=../echo-nginx-module-0.58 --add-module=../xss-nginx-module-0.05 --add-module=../ngx_coolkit-0.2rc3 --add-module=../set-misc-nginx-module-0.30 --add-module=../form-input-nginx-module-0.11 --add-module=../encrypted-session-nginx-module-0.04 --add-module=../srcache-nginx-module-0.30 --add-module=../ngx_lua-0.10.2 --add-module=../ngx_lua_upstream-0.05 --add-module=../headers-more-nginx-module-0.29 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.16 --add-module=../redis2-nginx-module-0.12 --add-module=../redis-nginx-module-0.3.7 --add-module=../rds-json-nginx-module-0.14 --add-module=../rds-csv-nginx-module-0.07 --with-ld-opt=-Wl,-rpath,/usr/local/openresty/luajit/lib --with-http_ssl_module Thanks in advance. Cheers, Jorge Romero -------------- next part -------------- An HTML attachment was scrubbed... URL: From francis at daoine.org Thu Apr 14 07:17:14 2016 From: francis at daoine.org (Francis Daly) Date: Thu, 14 Apr 2016 08:17:14 +0100 Subject: unknown directive "proxy_ssl" In-Reply-To: References: Message-ID: <20160414071714.GO9435@daoine.org> On Thu, Apr 14, 2016 at 12:46:05AM -0600, Jorge Romero wrote: Hi there, > I?m trying to configure Nginx 1.9.7 as a proxy server. This proxy server won?t serve as SSL termination for HTTPS requests, for which the proxy_ssl directive sounds perfect. I don't understand what your design is, but that's ok. You're happy that the "stream" system is what you want. > http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html?&_ga=1.265652687.1742266542.1457571695#proxy_ssl > > However, I?m getting the following error: > > nginx: [emerg] unknown directive "proxy_ssl" in /home/devel/nginx.conf:14 > > I?m under the impression that this module is included in the core, but I might be wrong. How should go about compiling with the corresponding module included? ./configure --help | grep stream Then add the bits that you want. f -- Francis Daly francis at daoine.org From pankajitbhu at gmail.com Thu Apr 14 10:04:40 2016 From: pankajitbhu at gmail.com (Pankaj Chaudhary) Date: Thu, 14 Apr 2016 15:34:40 +0530 Subject: (52) Empty reply from server Message-ID: Hi All, i am trying to set value in header with the help of below code snippet . ngx_table_elt_t *h1; h1 = ngx_list_push(&r->headers_out.headers); h1->hash = 1; ngx_str_set(&h1->key, "http_user_agent"); ngx_str_set(&h1->value, "user_agent_value"); if i try to retrieve the same value then getting response "(52) Empty reply from server" ngx_http_core_loc_conf_t *clcf; ngx_str_t *type; ngx_uint_t hash; ngx_str_t name = ngx_string("http_user_agent"); clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); hash = ngx_hash_key_lc(name.data, name.len); type = ngx_hash_find(&clcf->types_hash, hash, name.data, name.len); Can anyone help me to fix this problem. -------------- next part -------------- An HTML attachment was scrubbed... URL: From sirtcp at gmail.com Thu Apr 14 14:03:19 2016 From: sirtcp at gmail.com (Muhammad Yousuf Khan) Date: Thu, 14 Apr 2016 19:03:19 +0500 Subject: Redirection problem again in new rules. Message-ID: Hi, there are multiple apache redirection rules that were working successfully. for example something like this Redirect 301 /aaaa/bbbbbbb /aaaaa/bbbbbb.html Now i have converted this rule in nginx like this location /aaaa/bbbbbbbb { rewrite ^(.*)$ /aaaa/bbbbbbbbbb.html redirect; } i also tried adding "permanent" and rewrite line but also didn;t wrok. now all redirection rules are keep giving error "redirection loops". and when i disable the rule things back to normal. there is no duplication happening as far as config is concern. i can confirm. can you guys please advice how can i troubleshoot this and fix the issue. your friendly advice is highly appreciated. Thanks, Yousuf -------------- next part -------------- An HTML attachment was scrubbed... URL: From ph.gras at worldonline.fr Thu Apr 14 15:18:16 2016 From: ph.gras at worldonline.fr (Ph. Gras) Date: Thu, 14 Apr 2016 17:18:16 +0200 Subject: Redirection problem again in new rules. In-Reply-To: References: Message-ID: <475CA68B-66B3-4C7D-8C61-32F26E9E5175@worldonline.fr> Le 14 avr. 2016 ? 16:03, Muhammad Yousuf Khan a ?crit : > Redirect 301 /aaaa/bbbbbbb /aaaaa/bbbbbb.html > > Now i have converted this rule in nginx like this > > location /aaaa/bbbbbbbb { > rewrite ^(.*)$ /aaaa/bbbbbbbbbb.html redirect; > } > You should use break instead redirect : http://nginx.org/en/docs/http/ngx_http_rewrite_module.html#rewrite From francis at daoine.org Thu Apr 14 16:55:41 2016 From: francis at daoine.org (Francis Daly) Date: Thu, 14 Apr 2016 17:55:41 +0100 Subject: (52) Empty reply from server In-Reply-To: References: Message-ID: <20160414165541.GP9435@daoine.org> On Thu, Apr 14, 2016 at 03:34:40PM +0530, Pankaj Chaudhary wrote: Hi there, > i am trying to set value in header with the help of below code snippet . Web searches for how to write nginx modules tend to point towards "Emiller's Guide" or the "Nginx Development Kit". You may find good background reading there (allowing for any changes to the nginx internals since they were written) to help you create a "hello world" module. After that, you'll have a skeleton into which you can add your specific pieces, knowing that the basic starting point does work for you. > ngx_table_elt_t *h1; > h1 = ngx_list_push(&r->headers_out.headers); > h1->hash = 1; > ngx_str_set(&h1->key, "http_user_agent"); > ngx_str_set(&h1->value, "user_agent_value"); > > if i try to retrieve the same value then getting response "(52) Empty reply > from server" There, it looks like you wrote something to a "headers_out.headers" data structure. > ngx_http_core_loc_conf_t *clcf; > ngx_str_t *type; > ngx_uint_t hash; > ngx_str_t name = ngx_string("http_user_agent"); > clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); > hash = ngx_hash_key_lc(name.data, name.len); > type = ngx_hash_find(&clcf->types_hash, hash, name.data, name.len); And there it looks like you tried to read something from a "types_hash" data structure. So the "type" variable is probably NULL, and your code should do something sensible with that value. Good luck with it, f -- Francis Daly francis at daoine.org From francis at daoine.org Thu Apr 14 17:04:23 2016 From: francis at daoine.org (Francis Daly) Date: Thu, 14 Apr 2016 18:04:23 +0100 Subject: Redirection problem again in new rules. In-Reply-To: References: Message-ID: <20160414170423.GQ9435@daoine.org> On Thu, Apr 14, 2016 at 07:03:19PM +0500, Muhammad Yousuf Khan wrote: Hi there, > there are multiple apache redirection rules that were working successfully. > for example something like this > > Redirect 301 /aaaa/bbbbbbb /aaaaa/bbbbbb.html > > Now i have converted this rule in nginx like this > > location /aaaa/bbbbbbbb { > rewrite ^(.*)$ /aaaa/bbbbbbbbbb.html redirect; > } You have different numbers of a:s and b:s there, which makes it quite difficult to know what it is that you actually want to do. > now all redirection rules are keep giving error "redirection loops". > and when i disable the rule things back to normal. there is no duplication > happening as far as config is concern. i can confirm. Do note that "location /x" can match anything that starts with /x; and if a request for /x.html returns a redirect to /x.html, you've got a loop. *Possibly* you want your "rewrite/redirect" to only happen for specific requests; in that case, set the first argument to "rewrite" to be as specific as you want. Or leave the "rewrite" applying to everything, but have it in an exact-match location{}. (And if you are doing the same "rewrite...redirect" for all inputs, "return" may be a better directive to use instead.) > can you guys please advice how can i troubleshoot this and fix the issue. "troubleshoot" is "turn on the debug log to see, or otherwise work out, what you have asked nginx to do". Then compare that with what you want nginx to do. Good luck with it, f -- Francis Daly francis at daoine.org From nginx-forum at forum.nginx.org Thu Apr 14 17:37:58 2016 From: nginx-forum at forum.nginx.org (Ramon_Ali) Date: Thu, 14 Apr 2016 13:37:58 -0400 Subject: $ssl_client_verify not working? In-Reply-To: References: Message-ID: Does anyone know of any way to re-map a 400 response code? Posted at Nginx Forum: https://forum.nginx.org/read.php?2,266136,266185#msg-266185 From pankajitbhu at gmail.com Thu Apr 14 18:06:52 2016 From: pankajitbhu at gmail.com (Pankaj Chaudhary) Date: Thu, 14 Apr 2016 23:36:52 +0530 Subject: (52) Empty reply from server In-Reply-To: <20160414165541.GP9435@daoine.org> References: <20160414165541.GP9435@daoine.org> Message-ID: Hi Francis, Thank you for your comments. Actually I have requirement to add value to header and then read same value like cookies values,URL. Is any API which I can use for the same. Please suggest. On 14 Apr 2016 22:25, "Francis Daly" wrote: > On Thu, Apr 14, 2016 at 03:34:40PM +0530, Pankaj Chaudhary wrote: > > Hi there, > > > i am trying to set value in header with the help of below code snippet . > > Web searches for how to write nginx modules tend to point towards > "Emiller's Guide" or the "Nginx Development Kit". > > You may find good background reading there (allowing for any changes > to the nginx internals since they were written) to help you create a > "hello world" module. > > After that, you'll have a skeleton into which you can add your specific > pieces, knowing that the basic starting point does work for you. > > > ngx_table_elt_t *h1; > > h1 = ngx_list_push(&r->headers_out.headers); > > h1->hash = 1; > > ngx_str_set(&h1->key, "http_user_agent"); > > ngx_str_set(&h1->value, "user_agent_value"); > > > > if i try to retrieve the same value then getting response "(52) Empty > reply > > from server" > > There, it looks like you wrote something to a "headers_out.headers" > data structure. > > > ngx_http_core_loc_conf_t *clcf; > > ngx_str_t *type; > > ngx_uint_t hash; > > ngx_str_t name = ngx_string("http_user_agent"); > > clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); > > hash = ngx_hash_key_lc(name.data, name.len); > > type = ngx_hash_find(&clcf->types_hash, hash, name.data, name.len); > > And there it looks like you tried to read something from a "types_hash" > data structure. So the "type" variable is probably NULL, and your code > should do something sensible with that value. > > Good luck with it, > > f > -- > Francis Daly francis at daoine.org > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From vbart at nginx.com Thu Apr 14 18:35:25 2016 From: vbart at nginx.com (=?utf-8?B?0JLQsNC70LXQvdGC0LjQvSDQkdCw0YDRgtC10L3QtdCy?=) Date: Thu, 14 Apr 2016 21:35:25 +0300 Subject: unknown directive "proxy_ssl" In-Reply-To: References: Message-ID: <2033649.azsd2xFxeJ@vbart-laptop> On Thursday 14 April 2016 00:46:05 Jorge Romero wrote: > Hi, > > I?m trying to configure Nginx 1.9.7 as a proxy server. This proxy server won?t serve as SSL termination for HTTPS requests, for which the proxy_ssl directive sounds perfect. > > http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html?&_ga=1.265652687.1742266542.1457571695#proxy_ssl > > However, I?m getting the following error: > > nginx: [emerg] unknown directive "proxy_ssl" in /home/devel/nginx.conf:14 > > I?m under the impression that this module is included in the core, but I might be wrong. How should go about compiling with the corresponding module included? > [..] "The ngx_stream_ssl_module module (1.9.0) provides the necessary support for a stream proxy server to work with the SSL/TLS protocol. This module is not built by default, it should be enabled with the --with-stream_ssl_module configuration parameter." http://nginx.org/en/docs/stream/ngx_stream_ssl_module.html wbr, Valentin v. Bartenev From igor at sysoev.ru Thu Apr 14 19:09:13 2016 From: igor at sysoev.ru (Igor Sysoev) Date: Thu, 14 Apr 2016 22:09:13 +0300 Subject: $ssl_client_verify not working? In-Reply-To: References: Message-ID: On 13 Apr 2016, at 03:01, Ramon_Ali wrote: > Hi, i was wanting to return a 403 when invalid client certificate submitted, > however Nginx 1.9.6 returning 400 Bad Request, The SSL Certificate Error. > Seems to return 403 fine when no certificate is submitted, but any clues on > getting it to return a 403 work when invalid (signed by unauthorised CA) > certificate submitted. > > Nginx server block - > > server { > listen 443 ssl; > server_name server.com; > > ssl_certificate /etc/nginx/server.crt; > ssl_certificate_key /etc/nginx/server.key; > > ssl_client_certificate /etc/nginx/client_ca.crt; > ssl_verify_client optional; > ssl_verify_depth 2; > > if ($ssl_client_verify != SUCCESS ) { > return 403; > } http://nginx.org/en/docs/http/ngx_http_ssl_module.html#errors error_page 495 496 =403 /403.html; -- Igor Sysoev http://nginx.com From francis at daoine.org Thu Apr 14 21:13:42 2016 From: francis at daoine.org (Francis Daly) Date: Thu, 14 Apr 2016 22:13:42 +0100 Subject: (52) Empty reply from server In-Reply-To: References: <20160414165541.GP9435@daoine.org> Message-ID: <20160414211342.GR9435@daoine.org> On Thu, Apr 14, 2016 at 11:36:52PM +0530, Pankaj Chaudhary wrote: Hi there, > Actually I have requirement to add value to header and then read same value > like cookies values,URL. > Is any API which I can use for the same. The referenced guides are probably the best starting points. It sounds like you want to read headers_in and write headers_out; Emillers guide seems to have examples of that in sections 4.1 and 3.1.3, respectively. Note that just using the words in this mail, your requirements can possibly be met in nginx.conf, not needing a new module at all. I suspect that your full requirements are much more detailed. It is worth making sure that you are very clear on what you are trying to do; otherwise you won't be able to know when you've done it. Good luck with it, f -- Francis Daly francis at daoine.org From nginx-forum at forum.nginx.org Thu Apr 14 21:52:45 2016 From: nginx-forum at forum.nginx.org (Ramon_Ali) Date: Thu, 14 Apr 2016 17:52:45 -0400 Subject: $ssl_client_verify not working? In-Reply-To: References: Message-ID: <3d8945f8a0d1ea47b335727cc3ce9b46.NginxMailingListEnglish@forum.nginx.org> Ahh, as i wasn't seeing the 495 and 496 codes in the logs, only 400 i had assumed that what i needed to re-map. Using 495 and 496 works wonderfully! Thanks Igor. 2016/04/14 21:46:51 [info] 7#7: *1 client SSL certificate verify error: (21:unable to verify the first certificate) while reading client request headers, client: 142.22.213.199, server: server.jetstar.com, request: "GET / HTTP/1.1", host: "server.com" 172.23.203.199 - - [14/Apr/2016:21:46:51 +0000] "GET / HTTP/1.1" 403 168 "-" "curl/7.40.0" "-""/C=AU/ST=NSW/L=Sydney/O=ex NSI/OU=HQ/CN=Ramon's Key/emailAddress=ramon at server.com" "/C=AU/ST=NSW/O=NSI/OU=HQ/CN=Cert Authority/emailAddress=no-reply at server.co";"FAILED" Posted at Nginx Forum: https://forum.nginx.org/read.php?2,266136,266191#msg-266191 From zxcvbn4038 at gmail.com Fri Apr 15 02:45:36 2016 From: zxcvbn4038 at gmail.com (CJ Ess) Date: Thu, 14 Apr 2016 22:45:36 -0400 Subject: nginx returns 503 when it gets 403 from haproxy Message-ID: In my environment I have Nginx terminating connections, then sending them to an HAProxy upstream. We've noticed that whenever HAProxy emts a 403 error (Forbidden, in response to our ACL rules), NGINX reports a 503 result (service unavailable) and I believe is logging an "upstream prematurely closed connection while reading response header from upstream" error message in the nginx error log. What I'd really like to do is pass the 403 code back to the user - what do I need to do? -------------- next part -------------- An HTML attachment was scrubbed... URL: From sirtcp at gmail.com Fri Apr 15 07:27:11 2016 From: sirtcp at gmail.com (Muhammad Yousuf Khan) Date: Fri, 15 Apr 2016 12:27:11 +0500 Subject: Redirection problem again in new rules. In-Reply-To: <20160414170423.GQ9435@daoine.org> References: <20160414170423.GQ9435@daoine.org> Message-ID: Hi All, Thanks for your help. Ph. Gras and Francis for your support and advice i really appreciate that. Ph. Gras, i tried "break" but now it is showing 404. Francis, Sorry for the mistake in a's and b's i was typing that in general because the context was not the URL but the problem. >Do note that "location /x" can match anything that starts with /x; and >if a request for /x.html returns a redirect to /x.html, you've got a loop. Yes , i have double checked but my redirection rules are not created wrong. so i am sure no loop is happening there. BTW just to update you guys. i am using wordpress. i am doing two redirections , one domain base and second URL base. domain base is working fine however URL redirections are giving me issues. could this be related to wordpress? Thanks, MYK On Thu, Apr 14, 2016 at 10:04 PM, Francis Daly wrote: > On Thu, Apr 14, 2016 at 07:03:19PM +0500, Muhammad Yousuf Khan wrote: > > Hi there, > > > there are multiple apache redirection rules that were working > successfully. > > for example something like this > > > > Redirect 301 /aaaa/bbbbbbb /aaaaa/bbbbbb.html > > > > Now i have converted this rule in nginx like this > > > > location /aaaa/bbbbbbbb { > > rewrite ^(.*)$ /aaaa/bbbbbbbbbb.html redirect; > > } > > You have different numbers of a:s and b:s there, which makes it quite > difficult to know what it is that you actually want to do. > > > now all redirection rules are keep giving error "redirection loops". > > and when i disable the rule things back to normal. there is no > duplication > > happening as far as config is concern. i can confirm. > > Do note that "location /x" can match anything that starts with /x; and > if a request for /x.html returns a redirect to /x.html, you've got a loop. > > *Possibly* you want your "rewrite/redirect" to only happen for specific > requests; in that case, set the first argument to "rewrite" to be as > specific as you want. Or leave the "rewrite" applying to everything, > but have it in an exact-match location{}. > > > (And if you are doing the same "rewrite...redirect" for all inputs, > "return" may be a better directive to use instead.) > > > can you guys please advice how can i troubleshoot this and fix the issue. > > "troubleshoot" is "turn on the debug log to see, or otherwise work out, > what you have asked nginx to do". Then compare that with what you want > nginx to do. > > Good luck with it, > > f > -- > Francis Daly francis at daoine.org > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From francis at daoine.org Fri Apr 15 07:31:53 2016 From: francis at daoine.org (Francis Daly) Date: Fri, 15 Apr 2016 08:31:53 +0100 Subject: nginx returns 503 when it gets 403 from haproxy In-Reply-To: References: Message-ID: <20160415073153.GS9435@daoine.org> On Thu, Apr 14, 2016 at 10:45:36PM -0400, CJ Ess wrote: Hi there, > In my environment I have Nginx terminating connections, then sending them > to an HAProxy upstream. We've noticed that whenever HAProxy emts a 403 > error (Forbidden, in response to our ACL rules), NGINX reports a 503 result > (service unavailable) and I believe is logging an "upstream prematurely > closed connection while reading response header from upstream" error > message in the nginx error log. > > What I'd really like to do is pass the 403 code back to the user - what do > I need to do? Can you provide a small config that shows the problem? === http { upstream haproxy { server 127.0.0.1:8080; } server { listen 127.0.0.1:8080; server_name haproxy; return 403; } server { listen 8080; location / { proxy_pass http://haproxy; } } } === seems to suggest that nginx does what you want. So - have you a different config; or is your haproxy not issuing a "clean" 403, or is something else happening on the wire? f -- Francis Daly francis at daoine.org From pankajitbhu at gmail.com Fri Apr 15 07:47:56 2016 From: pankajitbhu at gmail.com (Pankaj Chaudhary) Date: Fri, 15 Apr 2016 13:17:56 +0530 Subject: (52) Empty reply from server In-Reply-To: <20160414211342.GR9435@daoine.org> References: <20160414165541.GP9435@daoine.org> <20160414211342.GR9435@daoine.org> Message-ID: Hi Francis, thank you! i have checked Emillers guide but i am not able to use the same for my problem. I have my product in c and currently running on Apache and now i have to move this product on nginx. In Apache apr_table_set() can use set value to header and later that value can read from header by calling apr_table_get(). I am achieving the same behavior apr_table_set() with ngx_list_push() call but not able to find like apr_table_get() in nginx. Reagrds, Pankaj On Fri, Apr 15, 2016 at 2:43 AM, Francis Daly wrote: > On Thu, Apr 14, 2016 at 11:36:52PM +0530, Pankaj Chaudhary wrote: > > Hi there, > > > Actually I have requirement to add value to header and then read same > value > > like cookies values,URL. > > Is any API which I can use for the same. > > The referenced guides are probably the best starting points. > > It sounds like you want to read headers_in and write headers_out; > Emillers guide seems to have examples of that in sections 4.1 and 3.1.3, > respectively. > > Note that just using the words in this mail, your requirements can > possibly be met in nginx.conf, not needing a new module at all. I suspect > that your full requirements are much more detailed. > > It is worth making sure that you are very clear on what you are trying > to do; otherwise you won't be able to know when you've done it. > > Good luck with it, > > f > -- > Francis Daly francis at daoine.org > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From francis at daoine.org Fri Apr 15 16:35:45 2016 From: francis at daoine.org (Francis Daly) Date: Fri, 15 Apr 2016 17:35:45 +0100 Subject: Redirection problem again in new rules. In-Reply-To: References: <20160414170423.GQ9435@daoine.org> Message-ID: <20160415163545.GT9435@daoine.org> On Fri, Apr 15, 2016 at 12:27:11PM +0500, Muhammad Yousuf Khan wrote: Hi there, > Sorry for the mistake in a's and b's i was typing that in general because > the context was not the URL but the problem. If you can show one specific url which does show the problem, then it makes it much easier to see what is going on. If you can also include one small but complete config file that shows the problem, that makes it much easier for someone else to repeat your experiment. (And sometimes, the act of making a small config that shows the problem, will show you what the fix is.) > >Do note that "location /x" can match anything that starts with /x; and > >if a request for /x.html returns a redirect to /x.html, you've got a loop. > > Yes , i have double checked but my redirection rules are not created wrong. > so i am sure no loop is happening there. Part of the point of you asking the question, is that you do not know where the problem is. So usually, the best thing is to run a test nginx with your config, then remove as much as possible while still showing the problem. Maybe that config will just have two location{} blocks, and the loop will be obvious. > BTW just to update you guys. i am using wordpress. > > i am doing two redirections , one domain base and second URL base. > > domain base is working fine however URL redirections are giving me issues. Use "curl" to test your broken url and see what exactly is returned. Do something like curl -i http://your-server/aaaa/bbbbbbbb and you should get a http 301 response, with something in the Location: header. Then do "curl -i" against that url, and see if you get the loop. The *rest* of the headers may show that PHP was, or was not, involved in the redirections. > could this be related to wordpress? It could be. If the "curl" responses show that PHP is involved, then it probably is. f -- Francis Daly francis at daoine.org From vbart at nginx.com Fri Apr 15 20:49:05 2016 From: vbart at nginx.com (=?utf-8?B?0JLQsNC70LXQvdGC0LjQvSDQkdCw0YDRgtC10L3QtdCy?=) Date: Fri, 15 Apr 2016 23:49:05 +0300 Subject: nginx returns 503 when it gets 403 from haproxy In-Reply-To: References: Message-ID: <9891929.23yY3HS8Es@vbart-laptop> On Thursday 14 April 2016 22:45:36 CJ Ess wrote: > In my environment I have Nginx terminating connections, then sending them > to an HAProxy upstream. We've noticed that whenever HAProxy emts a 403 > error (Forbidden, in response to our ACL rules), NGINX reports a 503 result > (service unavailable) and I believe is logging an "upstream prematurely > closed connection while reading response header from upstream" error > message in the nginx error log. > > What I'd really like to do is pass the 403 code back to the user - what do > I need to do? That message suggests that haproxy closes connection before properly returning headers. So nginx can't pass 403 since it can't get it right from haproxy. You should check what is wrong with haproxy. wbr, Valentin V. Bartenev From sirtcp at gmail.com Sat Apr 16 07:22:46 2016 From: sirtcp at gmail.com (Muhammad Yousuf Khan) Date: Sat, 16 Apr 2016 12:22:46 +0500 Subject: Redirection problem again in new rules. In-Reply-To: <20160415163545.GT9435@daoine.org> References: <20160414170423.GQ9435@daoine.org> <20160415163545.GT9435@daoine.org> Message-ID: Here is our nginx default configuration file. server { server_name www.mydomain.com; return 301 $scheme://mydomain.com$request_uri; } server { server_name mydomain.com; #listen 80; root /var/www/html/mydomain/public_html; index index.php info.php; access_log /var/log/nginx/mydomain/access.log; error_log /var/log/nginx/mydomain/error.log; location ~ \.php$ { include fastcgi_params; fastcgi_split_path_info ^(.+\.php)(/.+)$; #fastcgi_pass unix:/var/run/php5-fpm.sock; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $request_filename; } location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|woff|woff2)$ { add_header Access-Control-Allow-Origin mydomain.com; } location / { try_files $uri $uri/ /index.php?q=$request_uri; autoindex off; rewrite ^/([^_]*)_([^_]*_.*)\.html /$1-$2; rewrite ^/([^_]*)_([^_]*)\.html$ /$1-$2.html redirect; #if (!-e $request_filename){ #rewrite ^(.*)$ /index.php redirect; #} } if ( $request_filename ~ /action/cycling/cycling-is-best-for-health ) { rewrite ^ /action/cycling/cycling-is-best-for-health.html? permanent; } #Server HTTP End } Thanks for your troubleshooting tip. the redirection rule is working great however but the.html link again redirection to the .html link. i can not get this thing. where is the second 301 rule once the link is redirected why again html is redirecting. here is the test run of curl -i http://mydomain.com/action/cycling/cycling-is-best-for-health HTTP/1.1 301 Moved Permanently Server: nginx/1.6.2 Date: Sat, 16 Apr 2016 07:10:33 GMT Content-Type: text/html Content-Length: 184 Location: http://mydomain.com/action/cycling/cycling-is-best-for-health.html Connection: keep-alive 301 Moved Permanently

301 Moved Permanently

nginx/1.6.2 test run with ".html" at the end. curl -i http://mydomain.com/action/cycling/cycling-is-best-for-health.html HTTP/1.1 301 Moved Permanently Server: nginx/1.6.2 Date: Sat, 16 Apr 2016 07:10:37 GMT Content-Type: text/html Content-Length: 184 Location: http://mydomain.com/action/cycling/cycling-is-best-for-health.html Connection: keep-alive 301 Moved Permanently

301 Moved Permanently

nginx/1.6.2 what i found out is that 2nd test on .html is again redirecting to .html. now what is causing this second redirection i have no clue. any advice would be highly appreciated. Thanks, Yousuf On Fri, Apr 15, 2016 at 9:35 PM, Francis Daly wrote: > On Fri, Apr 15, 2016 at 12:27:11PM +0500, Muhammad Yousuf Khan wrote: > > Hi there, > > > Sorry for the mistake in a's and b's i was typing that in general because > > the context was not the URL but the problem. > > If you can show one specific url which does show the problem, then it > makes it much easier to see what is going on. > > If you can also include one small but complete config file that shows > the problem, that makes it much easier for someone else to repeat your > experiment. > > (And sometimes, the act of making a small config that shows the problem, > will show you what the fix is.) > > > >Do note that "location /x" can match anything that starts with /x; and > > >if a request for /x.html returns a redirect to /x.html, you've got a > loop. > > > > Yes , i have double checked but my redirection rules are not created > wrong. > > so i am sure no loop is happening there. > > Part of the point of you asking the question, is that you do not know > where the problem is. > > So usually, the best thing is to run a test nginx with your config, then > remove as much as possible while still showing the problem. Maybe that > config will just have two location{} blocks, and the loop will be obvious. > > > BTW just to update you guys. i am using wordpress. > > > > i am doing two redirections , one domain base and second URL base. > > > > domain base is working fine however URL redirections are giving me > issues. > > Use "curl" to test your broken url and see what exactly is returned. > > Do something like > > curl -i http://your-server/aaaa/bbbbbbbb > > and you should get a http 301 response, with something in the Location: > header. > > Then do "curl -i" against that url, and see if you get the loop. > > The *rest* of the headers may show that PHP was, or was not, involved > in the redirections. > > > could this be related to wordpress? > > It could be. > > If the "curl" responses show that PHP is involved, then it probably is. > > f > -- > Francis Daly francis at daoine.org > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From francis at daoine.org Sat Apr 16 12:36:21 2016 From: francis at daoine.org (Francis Daly) Date: Sat, 16 Apr 2016 13:36:21 +0100 Subject: Redirection problem again in new rules. In-Reply-To: References: <20160414170423.GQ9435@daoine.org> <20160415163545.GT9435@daoine.org> Message-ID: <20160416123621.GU9435@daoine.org> On Sat, Apr 16, 2016 at 12:22:46PM +0500, Muhammad Yousuf Khan wrote: Hi there, > location ~ \.php$ { > location ~* > \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|woff|woff2)$ > location / { > try_files $uri $uri/ /index.php?q=$request_uri; > autoindex off; > rewrite ^/([^_]*)_([^_]*_.*)\.html /$1-$2; > rewrite ^/([^_]*)_([^_]*)\.html$ /$1-$2.html redirect; > } > if ( $request_filename ~ /action/cycling/cycling-is-best-for-health ) { > rewrite ^ /action/cycling/cycling-is-best-for-health.html? permanent; > } To recap: A loop is when the second (redirected) request is handled in the same way as the first request. So to avoid or break the loop, the second request must not get the same response as the first one. You know that location /x { rewrite ^ /x.html redirect; } fails because "location /x" will match /x.html, so the second request will match the same location as the first one and the same redirect will happen again; and one way to avoid the loop is to make the "location" only match exactly "/x". Based on that, can you guess what the "~" in if ( $request_filename ~ /action/cycling/cycling-is-best-for-health ) { means, in the context of "matching both the first request and the second request"? http://nginx.org/r/if One way to avoid the loop is the make the "if" only match exactly the first request. Also, you know that rewrite ^ /x.html redirect; fails because the first argument to "rewrite" is a pattern, and both your original /x and your rewritten /x.html match it; so another way to avoid the loop is to make the "rewrite" only match exactly "/x". So you could try that approach instead. http://nginx.org/r/rewrite Anyhow: since your example redirect is static, not depending on anything other than the first request, what you probably want here is a series of exact location matches, of the form location = /action/cycling/cycling-is-best-for-health { return 301 /action/cycling/cycling-is-best-for-health.html; } But *if* what you want is always-and-only serve the file of "the original request with .html on the end", then you don't necessarily need a redirect at all. Depending on what the full requirements are, you might be able to get away with adjusting your try_files line instead: > try_files $uri $uri/ /index.php?q=$request_uri; Make that try_files $uri $uri.html $uri/ /index.php?q=$request_uri; and it might do what you want without any redirects. (Whether the new $uri.html goes before or after "$uri/" depends on the requirements.) > here is the test run of curl -i > http://mydomain.com/action/cycling/cycling-is-best-for-health > > > HTTP/1.1 301 Moved Permanently > Server: nginx/1.6.2 > Date: Sat, 16 Apr 2016 07:10:33 GMT > Content-Type: text/html > Content-Length: 184 > Location: http://mydomain.com/action/cycling/cycling-is-best-for-health.html > Connection: keep-alive We know from the config that that is handled directly by nginx; additionally, if it were handled by PHP or wordpress, there would probably be an extra header in there to indicate that. > test run with ".html" at the end. > curl -i http://mydomain.com/action/cycling/cycling-is-best-for-health.html > > HTTP/1.1 301 Moved Permanently > Server: nginx/1.6.2 > Date: Sat, 16 Apr 2016 07:10:37 GMT > Content-Type: text/html > Content-Length: 184 > Location: http://mydomain.com/action/cycling/cycling-is-best-for-health.html > Connection: keep-alive Since that extra PHP-or-wordpress header is not there, we can suspect that it is also handled directly by nginx. (To be sure, you would have to check the headers for a wordpress response as well.) But from the analysis above, we already now that it is handled directly by nginx, because your "if/rewrite" configuration is the loop. Cheers, f -- Francis Daly francis at daoine.org From zxcvbn4038 at gmail.com Sat Apr 16 19:24:34 2016 From: zxcvbn4038 at gmail.com (CJ Ess) Date: Sat, 16 Apr 2016 15:24:34 -0400 Subject: nginx returns 503 when it gets 403 from haproxy In-Reply-To: <9891929.23yY3HS8Es@vbart-laptop> References: <9891929.23yY3HS8Es@vbart-laptop> Message-ID: It sounds like this is not as straight forward as I had hoped, I'll do like Francis Daly said and put together a test case - I'll get some packet captures to see what exactly is being sent between all the components. On Fri, Apr 15, 2016 at 4:49 PM, ???????? ???????? wrote: > On Thursday 14 April 2016 22:45:36 CJ Ess wrote: > > In my environment I have Nginx terminating connections, then sending them > > to an HAProxy upstream. We've noticed that whenever HAProxy emts a 403 > > error (Forbidden, in response to our ACL rules), NGINX reports a 503 > result > > (service unavailable) and I believe is logging an "upstream prematurely > > closed connection while reading response header from upstream" error > > message in the nginx error log. > > > > What I'd really like to do is pass the 403 code back to the user - what > do > > I need to do? > > That message suggests that haproxy closes connection before properly > returning > headers. So nginx can't pass 403 since it can't get it right from haproxy. > > You should check what is wrong with haproxy. > > wbr, Valentin V. Bartenev > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From pankajitbhu at gmail.com Mon Apr 18 10:55:24 2016 From: pankajitbhu at gmail.com (Pankaj Chaudhary) Date: Mon, 18 Apr 2016 16:25:24 +0530 Subject: (52) Empty reply from server In-Reply-To: References: <20160414165541.GP9435@daoine.org> <20160414211342.GR9435@daoine.org> Message-ID: not able to read header value after setting... any help most welcome On Fri, Apr 15, 2016 at 1:17 PM, Pankaj Chaudhary wrote: > Hi Francis, > > thank you! > > i have checked Emillers guide but i am not able to use the same for my > problem. > > I have my product in c and currently running on Apache and now i have to > move this product on nginx. > In Apache apr_table_set() can use set value to header and later that > value can read from header by calling > apr_table_get(). > I am achieving the same behavior apr_table_set() with ngx_list_push() > call but not able to find like apr_table_get() in nginx. > > Reagrds, > Pankaj > > On Fri, Apr 15, 2016 at 2:43 AM, Francis Daly wrote: > >> On Thu, Apr 14, 2016 at 11:36:52PM +0530, Pankaj Chaudhary wrote: >> >> Hi there, >> >> > Actually I have requirement to add value to header and then read same >> value >> > like cookies values,URL. >> > Is any API which I can use for the same. >> >> The referenced guides are probably the best starting points. >> >> It sounds like you want to read headers_in and write headers_out; >> Emillers guide seems to have examples of that in sections 4.1 and 3.1.3, >> respectively. >> >> Note that just using the words in this mail, your requirements can >> possibly be met in nginx.conf, not needing a new module at all. I suspect >> that your full requirements are much more detailed. >> >> It is worth making sure that you are very clear on what you are trying >> to do; otherwise you won't be able to know when you've done it. >> >> Good luck with it, >> >> f >> -- >> Francis Daly francis at daoine.org >> >> _______________________________________________ >> nginx mailing list >> nginx at nginx.org >> http://mailman.nginx.org/mailman/listinfo/nginx >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From sirtcp at gmail.com Mon Apr 18 13:37:59 2016 From: sirtcp at gmail.com (Muhammad Yousuf Khan) Date: Mon, 18 Apr 2016 18:37:59 +0500 Subject: Redirection problem again in new rules. In-Reply-To: <20160416123621.GU9435@daoine.org> References: <20160414170423.GQ9435@daoine.org> <20160415163545.GT9435@daoine.org> <20160416123621.GU9435@daoine.org> Message-ID: Thanks alot Francis Daly :). the try_file option worked for me and location tip also worked but try_file seems more better approach. Btw, can you please explain this paragraph. actually i am really sorry for this newbie type question. actually i have been working as ssytem admin for last 5 years. now my Firewall concepts of rules are collapsing with nginx rules. >location /x { rewrite ^ /x.html redirect; } >fails because "location /x" will match /x.html, so the second request >will match the same location as the first one and the same redirect will >happen again; and one way to avoid the loop is to make the "location" >only match exactly "/x". >Based on that, can you guess what the "~" in can you please explain how the second request creates the loop. if i use break instead of redirect? -------------- next part -------------- An HTML attachment was scrubbed... URL: From zxcvbn4038 at gmail.com Mon Apr 18 17:54:40 2016 From: zxcvbn4038 at gmail.com (CJ Ess) Date: Mon, 18 Apr 2016 13:54:40 -0400 Subject: nginx returns 503 when it gets 403 from haproxy In-Reply-To: <9891929.23yY3HS8Es@vbart-laptop> References: <9891929.23yY3HS8Es@vbart-laptop> Message-ID: Ok, I figured it out. Seems that several years ago someone at my day job did a custom errorfile in haproxy which returns a 503 error whenever haproxy intends to return a 403 error. It was forgotten and went unnoticed until now. Now we have to figure out if its a cut and paste error or if there was a legit reason for doing this. Either way its not an nginx (or haproxy) issue. On Fri, Apr 15, 2016 at 4:49 PM, ???????? ???????? wrote: > On Thursday 14 April 2016 22:45:36 CJ Ess wrote: > > In my environment I have Nginx terminating connections, then sending them > > to an HAProxy upstream. We've noticed that whenever HAProxy emts a 403 > > error (Forbidden, in response to our ACL rules), NGINX reports a 503 > result > > (service unavailable) and I believe is logging an "upstream prematurely > > closed connection while reading response header from upstream" error > > message in the nginx error log. > > > > What I'd really like to do is pass the 403 code back to the user - what > do > > I need to do? > > That message suggests that haproxy closes connection before properly > returning > headers. So nginx can't pass 403 since it can't get it right from haproxy. > > You should check what is wrong with haproxy. > > wbr, Valentin V. Bartenev > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From sca at andreasschulze.de Mon Apr 18 19:21:53 2016 From: sca at andreasschulze.de (A. Schulze) Date: Mon, 18 Apr 2016 21:21:53 +0200 Subject: Advise for NTLM-Auth Message-ID: <20160418212153.Horde.vlI2Egp3dB6kepMz9RqzoFw@andreasschulze.de> Hello, currently we run web applications on nginx accessible from MS clients part of a Windows Domain. the users are requested to authenticate via Basic-Auth (via HTTPS) which nginx validate against the domain activ directory using https://github.com/kvspb/nginx-auth-ldap But I think the MS browser could do NTLM auth as well. Are there suggested nginx modules to let a MS browser transparent login into a webapp run on nginx? I found https://github.com/stnoonan/spnego-http-auth-nginx-module so far. Before I start playing I'll ask if there are other / better / suggested modules? (I usually compile nginx+modules myself) Thanks Andreas From mdounin at mdounin.ru Mon Apr 18 19:47:42 2016 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 18 Apr 2016 22:47:42 +0300 Subject: Advise for NTLM-Auth In-Reply-To: <20160418212153.Horde.vlI2Egp3dB6kepMz9RqzoFw@andreasschulze.de> References: <20160418212153.Horde.vlI2Egp3dB6kepMz9RqzoFw@andreasschulze.de> Message-ID: <20160418194742.GS36620@mdounin.ru> Hello! On Mon, Apr 18, 2016 at 09:21:53PM +0200, A. Schulze wrote: > Hello, > > currently we run web applications on nginx accessible from MS clients part > of a Windows Domain. > the users are requested to authenticate via Basic-Auth (via HTTPS) which > nginx validate against the > domain activ directory using https://github.com/kvspb/nginx-auth-ldap > > But I think the MS browser could do NTLM auth as well. > > Are there suggested nginx modules to let a MS browser transparent login into > a webapp run on nginx? > I found https://github.com/stnoonan/spnego-http-auth-nginx-module so far. > Before I start playing I'll ask if there are other / better / suggested > modules? > (I usually compile nginx+modules myself) Just a side note: NTLM auth is broken by design and violates HTTP basic rules. Avoid using it if you can. -- Maxim Dounin http://nginx.org/ From sca at andreasschulze.de Mon Apr 18 20:59:02 2016 From: sca at andreasschulze.de (A. Schulze) Date: Mon, 18 Apr 2016 22:59:02 +0200 Subject: Advise for NTLM-Auth In-Reply-To: <20160418194742.GS36620@mdounin.ru> References: <20160418212153.Horde.vlI2Egp3dB6kepMz9RqzoFw@andreasschulze.de> <20160418194742.GS36620@mdounin.ru> Message-ID: <20160418225902.Horde.r2vvwpZFhPCK4I6HrsuZ9PY@andreasschulze.de> Maxim Dounin: > Just a side note: NTLM auth is broken by design and violates HTTP > basic rules. Avoid using it if you can. to be clear: I don't care if it's named NTLM or ugly_voodoo The goal is a nginx accesses by a IE/edge browser. Users should not be bothered with authentication as they are already logged on into the windows account. possible? From pchychi at gmail.com Mon Apr 18 21:28:19 2016 From: pchychi at gmail.com (Payam Chychi) Date: Mon, 18 Apr 2016 14:28:19 -0700 Subject: Advise for NTLM-Auth In-Reply-To: <20160418225902.Horde.r2vvwpZFhPCK4I6HrsuZ9PY@andreasschulze.de> References: <20160418212153.Horde.vlI2Egp3dB6kepMz9RqzoFw@andreasschulze.de> <20160418194742.GS36620@mdounin.ru> <20160418225902.Horde.r2vvwpZFhPCK4I6HrsuZ9PY@andreasschulze.de> Message-ID: <57155173.1060208@gmail.com> > Maxim Dounin: > >> Just a side note: NTLM auth is broken by design and violates HTTP >> basic rules. Avoid using it if you can. > > to be clear: I don't care if it's named NTLM or ugly_voodoo > > The goal is a nginx accesses by a IE/edge browser. Users should not be > bothered with authentication > as they are already logged on into the windows account. > > possible? > Im not sure what you do not understand from the reply, NTLM auth is broken. This is not about "lets call it Voodoo_melt" and make it work, Windows utilizes NTLM, so... what you are trying to use will not work. why? because NGINX NTLM does not work. Now, if you are looking for a solution... a solution you may have. re-route your authentication to squid which does support NTLM auth . If this is not what you want to do then you are more than welcome to write a NTLM auth module that works. Thanks From francis at daoine.org Mon Apr 18 23:23:31 2016 From: francis at daoine.org (Francis Daly) Date: Tue, 19 Apr 2016 00:23:31 +0100 Subject: Redirection problem again in new rules. In-Reply-To: References: <20160414170423.GQ9435@daoine.org> <20160415163545.GT9435@daoine.org> <20160416123621.GU9435@daoine.org> Message-ID: <20160418232331.GV9435@daoine.org> On Mon, Apr 18, 2016 at 06:37:59PM +0500, Muhammad Yousuf Khan wrote: Hi there, > Thanks alot Francis Daly :). the try_file option worked for me and location > tip also worked but try_file seems more better approach. I'm glad you got it working for you. > Btw, can you please explain this paragraph. actually i am really sorry for > this newbie type question. actually i have been working as ssytem admin for > last 5 years. now my Firewall concepts of rules are collapsing with nginx > rules. No worries - nginx config follows its own rules, which are generally consistent but not necessarily the same as any other program. > >location /x { rewrite ^ /x.html redirect; } > >fails because "location /x" will match /x.html, so the second request > >will match the same location as the first one and the same redirect will > >happen again; and one way to avoid the loop is to make the "location" > >only match exactly "/x". > >Based on that, can you guess what the "~" in > > can you please explain how the second request creates the loop. if i use > break instead of redirect? I don't understand the question. What break, and what loop? I thought you had said that when you used "break" instead of "redirect" in the above "location /x", you got a 404. And that is what I would expect if the file $document_root/x.html does not exist. 404 is not a loop. Can you start with one specific configuration, and use the documentation (probably at http://nginx.org/r/rewrite, since that seems to be the troublesome one) to work out what will happen? Note: when a request arrives, the server-level "rewrite"-module directives (basically: if and rewrite) are used; if that does not complete the request, then the location is chosen, and the "rewrite"-modules directives in that location are used. If a "rewrite" leads to an external redirect, that completes the request; and the browser may then come back with a whole new request that is handled afresh. If the "rewrite" leads to an internal rewrite (to a new url), then the "subrequest" of the new url is handled according to the docs -- possibly with a whole new selection of the location to use, depending on the arguments given to the rewrite. So: show your (simplified, but complete) config; show your http request; show your http response; and if appropriate, describe the response that you wanted to get instead. "break" does exactly what it says in the documentation. If that is unclear, let's fix the documentation. f -- Francis Daly francis at daoine.org From francis at daoine.org Mon Apr 18 23:35:03 2016 From: francis at daoine.org (Francis Daly) Date: Tue, 19 Apr 2016 00:35:03 +0100 Subject: (52) Empty reply from server In-Reply-To: References: <20160414165541.GP9435@daoine.org> <20160414211342.GR9435@daoine.org> Message-ID: <20160418233503.GW9435@daoine.org> On Mon, Apr 18, 2016 at 04:25:24PM +0530, Pankaj Chaudhary wrote: Hi there, > not able to read header value after setting... > > any help most welcome You have your nginx "hello world" module, yes? You can show your config and your "curl -i" request and response with your module's output, yes? Are you able to modify your module to read a particular request header and write the value to the response body? Are you able to modify your module to add a particular response header with a particular value? At what particular point does your implementation fail? If you can describe that, perhaps someone here will be able to offer some more direct help. Good luck with it, f -- Francis Daly francis at daoine.org From mdounin at mdounin.ru Tue Apr 19 01:24:55 2016 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 19 Apr 2016 04:24:55 +0300 Subject: Advise for NTLM-Auth In-Reply-To: <57155173.1060208@gmail.com> References: <20160418212153.Horde.vlI2Egp3dB6kepMz9RqzoFw@andreasschulze.de> <20160418194742.GS36620@mdounin.ru> <20160418225902.Horde.r2vvwpZFhPCK4I6HrsuZ9PY@andreasschulze.de> <57155173.1060208@gmail.com> Message-ID: <20160419012455.GT36620@mdounin.ru> Hello! On Mon, Apr 18, 2016 at 02:28:19PM -0700, Payam Chychi wrote: > >Maxim Dounin: > > > >>Just a side note: NTLM auth is broken by design and violates HTTP > >>basic rules. Avoid using it if you can. > > > >to be clear: I don't care if it's named NTLM or ugly_voodoo > > > >The goal is a nginx accesses by a IE/edge browser. Users should not be > >bothered with authentication > >as they are already logged on into the windows account. > > > >possible? > > > > Im not sure what you do not understand from the reply, NTLM auth is broken. > This is not about "lets call it Voodoo_melt" and make it work, Windows > utilizes NTLM, so... what you are trying to use will not work. why? because > NGINX NTLM does not work. No, you didn't get it. NTLM http auth itself, as "defined" by RFC 4559, is broken by design, and it has nothing to do with nginx. In anything more complex than "a server and directly connected clients" it's expected to require various NTLM-specific hacks, quirks, and so on. Because NTLM tries to authenticate connections instead of requests, thus breaking basic HTTP principles. The above, actually, is explicitly said in RFC 4559 Errata, see https://www.rfc-editor.org/errata_search.php?rfc=4559. And that's why I don't recommend using it if possible. Regardless of support in particular software. -- Maxim Dounin http://nginx.org/ From pchychi at gmail.com Tue Apr 19 06:12:38 2016 From: pchychi at gmail.com (Payam Chychi) Date: Mon, 18 Apr 2016 23:12:38 -0700 Subject: Advise for NTLM-Auth In-Reply-To: <20160419012455.GT36620@mdounin.ru> References: <20160418212153.Horde.vlI2Egp3dB6kepMz9RqzoFw@andreasschulze.de> <20160418194742.GS36620@mdounin.ru> <20160418225902.Horde.r2vvwpZFhPCK4I6HrsuZ9PY@andreasschulze.de> <57155173.1060208@gmail.com> <20160419012455.GT36620@mdounin.ru> Message-ID: <223a8b00-5079-4f8c-ab1b-67d7c249c44e@Spark> On Apr 18, 2016, 6:25 PM -0700, Maxim Dounin, wrote: > Hello! > > On Mon, Apr 18, 2016 at 02:28:19PM -0700, Payam Chychi wrote: > > > > Maxim Dounin: > > > > > > > Just a side note: NTLM auth is broken by design and violates HTTP > > > > basic rules. Avoid using it if you can. > > > > > > to be clear: I don't care if it's named NTLM or ugly_voodoo > > > > > > The goal is a nginx accesses by a IE/edge browser. Users should not be > > > bothered with authentication > > > as they are already logged on into the windows account. > > > > > > possible? > > > > > > > Im not sure what you do not understand from the reply, NTLM auth is broken. > > This is not about "lets call it Voodoo_melt" and make it work, Windows > > utilizes NTLM, so... what you are trying to use will not work. why? because > > NGINX NTLM does not work. > > No, you didn't get it. NTLM http auth itself, as "defined" by > RFC 4559, is broken by design, and it has nothing to do with nginx. > In anything more complex than "a server and directly connected > clients" it's expected to require various NTLM-specific hacks, > quirks, and so on. Because NTLM tries to authenticate connections > instead of requests, thus breaking basic HTTP principles. > > The above, actually, is explicitly said in RFC 4559 Errata, see > https://www.rfc-editor.org/errata_search.php?rfc=4559. > > And that's why I don't recommend using it if possible. Regardless > of support in particular software. > > -- > Maxim Dounin > http://nginx.org/ > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > > > Hi Maxim, > > Broken or not, its what MS supports and its not going anywhere just yet. > > If he/his application needs ntlm, mainly because of MS based solitions and first hand i can say that nginx module v.s squid comes up very short. > > So in short... If you 'need' ntlm and want a fully working ntlm auth then proxy/redir to a squid box, or wrap it in a tcp proxy; lot of ways to make something work if you 'must' > -------------- next part -------------- An HTML attachment was scrubbed... URL: From al-nginx at none.at Tue Apr 19 07:02:05 2016 From: al-nginx at none.at (Aleksandar Lazic) Date: Tue, 19 Apr 2016 09:02:05 +0200 Subject: Advise for NTLM-Auth In-Reply-To: <20160418225902.Horde.r2vvwpZFhPCK4I6HrsuZ9PY@andreasschulze.de> References: <20160418212153.Horde.vlI2Egp3dB6kepMz9RqzoFw@andreasschulze.de> <20160418194742.GS36620@mdounin.ru> <20160418225902.Horde.r2vvwpZFhPCK4I6HrsuZ9PY@andreasschulze.de> Message-ID: <9cee8dffc5fbca2edfd8d757c9577806@none.at> Hi. Am 18-04-2016 22:59, schrieb A. Schulze: > Maxim Dounin: > >> Just a side note: NTLM auth is broken by design and violates HTTP >> basic rules. Avoid using it if you can. > > to be clear: I don't care if it's named NTLM or ugly_voodoo > > The goal is a nginx accesses by a IE/edge browser. Users should not be > bothered with authentication > as they are already logged on into the windows account. > > possible? Well as the commercial one have the ntlm feature for upstream http://nginx.org/en/docs/http/ngx_http_upstream_module.html#ntlm maybe there could be a auth_ntlm also for the commercial one? Best Regards Aleks From pankajitbhu at gmail.com Tue Apr 19 10:21:17 2016 From: pankajitbhu at gmail.com (Pankaj Chaudhary) Date: Tue, 19 Apr 2016 15:51:17 +0530 Subject: (52) Empty reply from server In-Reply-To: <20160418233503.GW9435@daoine.org> References: <20160414165541.GP9435@daoine.org> <20160414211342.GR9435@daoine.org> <20160418233503.GW9435@daoine.org> Message-ID: Hi all, i am trying to search for one header with the specified name i am not able to get header value . below my code snippet. ngx_http_core_main_conf_t *clcf; ngx_str_t *type; ngx_uint_t hash; ngx_str_t val = ngx_string("http_cookie"); clcf = ngx_http_get_module_main_conf(r, ngx_http_core_module); hash = ngx_hash_key_lc(val.data, val.len); type = ngx_hash_find(&clcf->headers_in_hash, hash, val.data, val.len); if (type != NULL) { // type is not null but type->data value is null } On Tue, Apr 19, 2016 at 5:05 AM, Francis Daly wrote: > On Mon, Apr 18, 2016 at 04:25:24PM +0530, Pankaj Chaudhary wrote: > > Hi there, > > > not able to read header value after setting... > > > > any help most welcome > > You have your nginx "hello world" module, yes? > > You can show your config and your "curl -i" request and response with > your module's output, yes? > > Are you able to modify your module to read a particular request header > and write the value to the response body? > > Are you able to modify your module to add a particular response header > with a particular value? > > At what particular point does your implementation fail? > > If you can describe that, perhaps someone here will be able to offer > some more direct help. > > Good luck with it, > > f > -- > Francis Daly francis at daoine.org > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mdounin at mdounin.ru Tue Apr 19 16:21:19 2016 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 19 Apr 2016 19:21:19 +0300 Subject: nginx-1.9.15 Message-ID: <20160419162119.GD36620@mdounin.ru> Changes with nginx 1.9.15 19 Apr 2016 *) Bugfix: "recv() failed" errors might occur when using HHVM as a FastCGI server. *) Bugfix: when using HTTP/2 and the "limit_req" or "auth_request" directives a timeout or a "client violated flow control" error might occur while reading client request body; the bug had appeared in 1.9.14. *) Workaround: a response might not be shown by some browsers if HTTP/2 was used and client request body was not fully read; the bug had appeared in 1.9.14. *) Bugfix: connections might hang when using the "aio threads" directive. Thanks to Mindaugas Rasiukevicius. -- Maxim Dounin http://nginx.org/ From francis at daoine.org Tue Apr 19 17:42:50 2016 From: francis at daoine.org (Francis Daly) Date: Tue, 19 Apr 2016 18:42:50 +0100 Subject: (52) Empty reply from server In-Reply-To: References: <20160414165541.GP9435@daoine.org> <20160414211342.GR9435@daoine.org> <20160418233503.GW9435@daoine.org> Message-ID: <20160419174250.GY9435@daoine.org> On Tue, Apr 19, 2016 at 03:51:17PM +0530, Pankaj Chaudhary wrote: Hi there, > i am trying to search for one header with the specified name > > i am not able to get header value . https://www.nginx.com/resources/wiki/start/topics/examples/headers_management/ lists four ways to try this. You are using something like #2: "Quick search". But your code snippet does not match exactly the types and return values of that example. I don't know if that is something worth investigating. Also, you may be able to make use of #3: "Blazing fast" instead. > ngx_str_t val = ngx_string("http_cookie"); And one final thing - I suspect that the request header "Cookie" will be presented in the header_in structure under the name "cookie", not the name "http_cookie". Possibly just making that change will cause your code to find the value you want. Good luck with it, f -- Francis Daly francis at daoine.org From max at clements.za.net Tue Apr 19 17:56:36 2016 From: max at clements.za.net (Max Clements) Date: Tue, 19 Apr 2016 10:56:36 -0700 Subject: Advise for NTLM-Auth In-Reply-To: <223a8b00-5079-4f8c-ab1b-67d7c249c44e@Spark> References: <20160418212153.Horde.vlI2Egp3dB6kepMz9RqzoFw@andreasschulze.de> <20160418194742.GS36620@mdounin.ru> <20160418225902.Horde.r2vvwpZFhPCK4I6HrsuZ9PY@andreasschulze.de> <57155173.1060208@gmail.com> <20160419012455.GT36620@mdounin.ru> <223a8b00-5079-4f8c-ab1b-67d7c249c44e@Spark> Message-ID: Depending on the versions of Windows and what you are trying to do, it may be possible to use Kerberos via Nginx, rather than NTLM. It requires some foo setting up Service Principal Names, but does work properly via an HTTP proxy, and provides passthrough auth, which seems to be what the desire here is. On Mon, Apr 18, 2016 at 11:12 PM, Payam Chychi wrote: > > > On Apr 18, 2016, 6:25 PM -0700, Maxim Dounin , wrote: > > Hello! > > On Mon, Apr 18, 2016 at 02:28:19PM -0700, Payam Chychi wrote: > > Maxim Dounin: > > Just a side note: NTLM auth is broken by design and violates HTTP > basic rules. Avoid using it if you can. > > > to be clear: I don't care if it's named NTLM or ugly_voodoo > > The goal is a nginx accesses by a IE/edge browser. Users should not be > bothered with authentication > as they are already logged on into the windows account. > > possible? > > > Im not sure what you do not understand from the reply, NTLM auth is broken. > This is not about "lets call it Voodoo_melt" and make it work, Windows > utilizes NTLM, so... what you are trying to use will not work. why? because > NGINX NTLM does not work. > > > No, you didn't get it. NTLM http auth itself, as "defined" by > RFC 4559, is broken by design, and it has nothing to do with nginx. > In anything more complex than "a server and directly connected > clients" it's expected to require various NTLM-specific hacks, > quirks, and so on. Because NTLM tries to authenticate connections > instead of requests, thus breaking basic HTTP principles. > > The above, actually, is explicitly said in RFC 4559 Errata, see > https://www.rfc-editor.org/errata_search.php?rfc=4559. > > And that's why I don't recommend using it if possible. Regardless > of support in particular software. > > -- > Maxim Dounin > http://nginx.org/ > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > > > > Hi Maxim, > > > Broken or not, its what MS supports and its not going anywhere just yet. > > > If he/his application needs ntlm, mainly because of MS based solitions and > first hand i can say that nginx module v.s squid comes up very short. > > > So in short... If you 'need' ntlm and want a fully working ntlm auth then > proxy/redir to a squid box, or wrap it in a tcp proxy; lot of ways to make > something work if you 'must' > > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx -- Monday is an awful way to spend 1/7th of your life... From sca at andreasschulze.de Tue Apr 19 19:29:00 2016 From: sca at andreasschulze.de (A. Schulze) Date: Tue, 19 Apr 2016 21:29:00 +0200 Subject: Advise for NTLM-Auth In-Reply-To: References: <20160418212153.Horde.vlI2Egp3dB6kepMz9RqzoFw@andreasschulze.de> <20160418194742.GS36620@mdounin.ru> <20160418225902.Horde.r2vvwpZFhPCK4I6HrsuZ9PY@andreasschulze.de> <57155173.1060208@gmail.com> <20160419012455.GT36620@mdounin.ru> <223a8b00-5079-4f8c-ab1b-67d7c249c44e@Spark> Message-ID: <20160419212900.Horde.W_Uvhv8IMDWHFSv5oDgWHJM@andreasschulze.de> Max Clements: > Depending on the versions of Windows and what you are trying to do, it > may be possible to use Kerberos via Nginx, rather than NTLM. that's what I mean saying "I don't care if it's named NTLM or ugly_voodoo" You name it "Kerberos" - fine. Now I came up with two questions: - which module you may suggest - what role play the proxy mentioned here not the first time? A general problem description and how a proxy (reverse-proxy?) solve it would be nice. Thanks, Andreas From max at clements.za.net Wed Apr 20 00:01:21 2016 From: max at clements.za.net (Max Clements) Date: Tue, 19 Apr 2016 17:01:21 -0700 Subject: Advise for NTLM-Auth In-Reply-To: <20160419212900.Horde.W_Uvhv8IMDWHFSv5oDgWHJM@andreasschulze.de> References: <20160418212153.Horde.vlI2Egp3dB6kepMz9RqzoFw@andreasschulze.de> <20160418194742.GS36620@mdounin.ru> <20160418225902.Horde.r2vvwpZFhPCK4I6HrsuZ9PY@andreasschulze.de> <57155173.1060208@gmail.com> <20160419012455.GT36620@mdounin.ru> <223a8b00-5079-4f8c-ab1b-67d7c249c44e@Spark> <20160419212900.Horde.W_Uvhv8IMDWHFSv5oDgWHJM@andreasschulze.de> Message-ID: Andreas, Kerberos and NTLM are two completely different ways of authenticating a user. Whilst they essentially do the same thing, the main difference that you care about is that Kerberos works correctly over HTTP, unlike NTLM which does not. - which module you may suggest There are a number of modules that perform kerberos authentication on Nginx -- this one for example https://github.com/stnoonan/spnego-http-auth-nginx-module, you should select one that meets your needs. - what role play the proxy mentioned here not the first time? I am using the term generically. Nginx is a proxy to whatever application you are running behind it - in the sense that you make a request to Nginx from a client, and Nginx sends it (proxies) it to your application server - be that a WSGI application or whatever. That part I don't know - but it also really does not matter as your problem seems to be pass-through authentication on Nginx? Now you also need to configure Kerberos and a Keytab file on Nginx for this all to work. There is a reference on how to configure this with AD integration here: https://www.johnthedeveloper.co.uk/single-sign-on-active-directory-php-ubuntu Ignore the parts on how to configure Apache, the first parts on configuring kerberos and NTP are relevant, as well as how to make a keytab file. --Max On Tue, Apr 19, 2016 at 12:29 PM, A. Schulze wrote: > > Max Clements: > >> Depending on the versions of Windows and what you are trying to do, it >> may be possible to use Kerberos via Nginx, rather than NTLM. > > > that's what I mean saying "I don't care if it's named NTLM or ugly_voodoo" > You name it "Kerberos" - fine. > > Now I came up with two questions: > - which module you may suggest > - what role play the proxy mentioned here not the first time? > > A general problem description and how a proxy (reverse-proxy?) solve it > would be nice. > > Thanks, > Andreas > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx -- Monday is an awful way to spend 1/7th of your life... From vicent at vcubells.net Wed Apr 20 05:05:49 2016 From: vicent at vcubells.net (cubells) Date: Wed, 20 Apr 2016 07:05:49 +0200 Subject: Nginx redirection problem in odoo Message-ID: <57170E2D.4010908@vcubells.net> Hi all: I'm trying to print a report with product ean13 barcodes and the barcodes are printed blank. I think my problem is an incorrect redirection problem because I can see correctly the barcodes if I browse to the url: https://mydomain.net/report/barcode/?type=EAN13&value=8435095319553&width=300&height=300&humanreadable=1 MY server response in that case is: "GET /report/barcode/?type=EAN13&value=8435095319553&width=300&height=300&humanreadable=1 HTTP/1.0" 200 - But if I try to print the report with barcodes my server response is: "GET /report/barcode/?type=EAN13&value=8435095319508&width=600&height=200&humanreadable=1 HTTP/1.0" 302 - "GET /?redirect=http%3A%2F%2Fmydomain.com%2Freport%2Fbarcode%2F%3Ftype%3DEAN13%26value%3D8435095319508%26width%3D600%26height%3D200%26humanreadable%3D1 HTTP/1.0" 302 - My nginx configuration file: upstream openerpweb { server 127.0.0.1:8069 weight=1 fail_timeout=300s; } server { listen 80; server_name mydomain.net; return 301 https://mydomain.net$request_uri; } server { # server port and name listen 443 default; server_name mydomain.net; add_header Strict-Transport-Security max-age=2592000; # Specifies the maximum accepted body size of a client request, # as indicated by the request header Content-Length. client_max_body_size 200m; # ssl log files access_log /var/log/nginx/openerp-access.log; error_log /var/log/nginx/openerp-error.log; log_format main '$http_x_forwarded_for - $remote_user [$time_local] "$host" "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" $request_time'; # ssl certificate files ssl on; ssl_certificate /etc/ssl/nginx/server.crt; ssl_certificate_key /etc/ssl/nginx/server.key; # add ssl specific settings keepalive_timeout 60; # limit ciphers ssl_ciphers HIGH:!ADH:!MD5; ssl_protocols SSLv3 TLSv1; ssl_prefer_server_ciphers on; # increase proxy buffer to handle some OpenERP web requests proxy_buffers 16 64k; proxy_buffer_size 128k; location / { proxy_pass http://openerpweb; # force timeouts if the backend dies proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # set headers proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forward-For $proxy_add_x_forwarded_for; # set timeouts proxy_connect_timeout 600; proxy_send_timeout 600; proxy_read_timeout 600; send_timeout 600; # Let the OpenERP web service know that we're using HTTPS, otherwise # it will generate URL using http:// and not https:// proxy_set_header X-Forwarded-Proto https; # by default, do not forward anything proxy_redirect off; } # cache some static data in memory for 60mins. # under heavy load this should relieve stress on the OpenERP web interface a bit. location ~* /web/static/ { proxy_cache_valid 200 60m; proxy_buffering on; expires 864000; proxy_pass http://openerpweb; } } Any idea? Thanks a lot. -- Atentament, cubells. -- From pankajitbhu at gmail.com Wed Apr 20 07:24:13 2016 From: pankajitbhu at gmail.com (Pankaj Chaudhary) Date: Wed, 20 Apr 2016 12:54:13 +0530 Subject: (52) Empty reply from server In-Reply-To: <20160419174250.GY9435@daoine.org> References: <20160414165541.GP9435@daoine.org> <20160414211342.GR9435@daoine.org> <20160418233503.GW9435@daoine.org> <20160419174250.GY9435@daoine.org> Message-ID: >>But your code snippet does not match exactly the types and return values >>of that example. I don't know if that is something worth investigating. I have tried to change match exactly the types and return values of that example. but below is response curl: (52) Empty reply from server >>Also, you may be able to make use of #3: "Blazing fast" instead. but same response >>And one final thing - I suspect that the request header "Cookie" will >>be presented in the header_in structure under the name "cookie", not >>the name "http_cookie". Possibly just making that change will cause your >>code to find the value you want. Tried to use the same now i am getting response only one word "cookie" I have used below example to set custom header ngx_int_tset_custom_header_in_headers_out(ngx_http_request_t *r, ngx_str_t *key, ngx_str_t *value) { ngx_table_elt_t *h; /* All we have to do is just to allocate the header... */ h = ngx_list_push(&r->headers_out.headers); if (h == NULL) { return NGX_ERROR; } /* ... setup the header key ... */ h->key = *key; /* ... and the value. */ h->value = *value; /* Mark the header as not deleted. */ h->hash = 1; return NGX_OK;} below is "curl -i" response HTTP/1.1 200 OK Server: nginx/1.9.12 Date: Wed, 20 Apr 2016 15:25:20 GMT Content-Type: text/plain Content-Length: 14 Connection: keep-alive cookie: thisitestvalue user_agent: 10.9 user get-rese: Cookie On Tue, Apr 19, 2016 at 11:12 PM, Francis Daly wrote: > On Tue, Apr 19, 2016 at 03:51:17PM +0530, Pankaj Chaudhary wrote: > > Hi there, > > > i am trying to search for one header with the specified name > > > > i am not able to get header value . > > > https://www.nginx.com/resources/wiki/start/topics/examples/headers_management/ > lists four ways to try this. You are using something like #2: "Quick > search". > > But your code snippet does not match exactly the types and return values > of that example. I don't know if that is something worth investigating. > > Also, you may be able to make use of #3: "Blazing fast" instead. > > > ngx_str_t val = ngx_string("http_cookie"); > > And one final thing - I suspect that the request header "Cookie" will > be presented in the header_in structure under the name "cookie", not > the name "http_cookie". Possibly just making that change will cause your > code to find the value you want. > > Good luck with it, > > f > -- > Francis Daly francis at daoine.org > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From sirtcp at gmail.com Wed Apr 20 10:34:13 2016 From: sirtcp at gmail.com (Muhammad Yousuf Khan) Date: Wed, 20 Apr 2016 15:34:13 +0500 Subject: Redirection problem again in new rules. In-Reply-To: <20160418232331.GV9435@daoine.org> References: <20160414170423.GQ9435@daoine.org> <20160415163545.GT9435@daoine.org> <20160416123621.GU9435@daoine.org> <20160418232331.GV9435@daoine.org> Message-ID: Thanks Alot Francis Daly, actually i was trying to understand the working of rewrite and location rules how they handle the query. you explain it very well. Thanks again for sharing such useful and detailed explanation. i really appreciate that. :) On Tue, Apr 19, 2016 at 4:23 AM, Francis Daly wrote: > On Mon, Apr 18, 2016 at 06:37:59PM +0500, Muhammad Yousuf Khan wrote: > > Hi there, > > > Thanks alot Francis Daly :). the try_file option worked for me and > location > > tip also worked but try_file seems more better approach. > > I'm glad you got it working for you. > > > Btw, can you please explain this paragraph. actually i am really sorry > for > > this newbie type question. actually i have been working as ssytem admin > for > > last 5 years. now my Firewall concepts of rules are collapsing with nginx > > rules. > > No worries - nginx config follows its own rules, which are generally > consistent but not necessarily the same as any other program. > > > >location /x { rewrite ^ /x.html redirect; } > > >fails because "location /x" will match /x.html, so the second request > > >will match the same location as the first one and the same redirect will > > >happen again; and one way to avoid the loop is to make the "location" > > >only match exactly "/x". > > >Based on that, can you guess what the "~" in > > > > can you please explain how the second request creates the loop. if i use > > break instead of redirect? > > I don't understand the question. > > What break, and what loop? > > I thought you had said that when you used "break" instead of "redirect" > in the above "location /x", you got a 404. And that is what I would > expect if the file $document_root/x.html does not exist. 404 is not a loop. > > Can you start with one specific configuration, and use the documentation > (probably at http://nginx.org/r/rewrite, since that seems to be the > troublesome one) to work out what will happen? > > Note: when a request arrives, the server-level "rewrite"-module directives > (basically: if and rewrite) are used; if that does not complete the > request, then the location is chosen, and the "rewrite"-modules directives > in that location are used. > > If a "rewrite" leads to an external redirect, that completes the > request; and the browser may then come back with a whole new request > that is handled afresh. > > If the "rewrite" leads to an internal rewrite (to a new url), then the > "subrequest" of the new url is handled according to the docs -- possibly > with a whole new selection of the location to use, depending on the > arguments given to the rewrite. > > So: show your (simplified, but complete) config; show your http request; > show your http response; and if appropriate, describe the response that > you wanted to get instead. > > "break" does exactly what it says in the documentation. If that is > unclear, let's fix the documentation. > > f > -- > Francis Daly francis at daoine.org > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From nginx-forum at forum.nginx.org Wed Apr 20 11:19:55 2016 From: nginx-forum at forum.nginx.org (gischethans) Date: Wed, 20 Apr 2016 07:19:55 -0400 Subject: Making Tomcat accessible only through nginx reverse proxy Message-ID: <2fdf0969fa0f6ef80c5c6fa0f620c5c3.NginxMailingListEnglish@forum.nginx.org> I have a Tomcat server serving a web application and I have a Nginx server running in front of it as a reverse proxy. Both the servers are on Intranet, in the same domain network. The issue I am facing is, the tomcat server is accessible through both IP addresses - if I use the Nginx IP, it redirects to the Tomcat FQDN (expected) but if I ping using the FQDN tomcat.domain.com, it reveals the real IP of the Tomcat server and not that of Nginx server. Effectively, my Nginx server is not serving any purpose. I was suggested to firewall the Tomcat instance, but based on my findings from different forums, limiting Tomcat to listen to localhost seemed to be the way to go. In order to prevent Tomcat from listening to other IPs, I added "address=127.0.0.1" to the connector configuration. The entire connector block is like this - proxyPort="80"/> In the Nginx server, I have these lines for the server configuration. server { listen 80 default_server; listen [::]:80 default_server ipv6only=on; server_name ; location / { proxy_pass ; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for; } } Now, if I try to use the FQDN to access the web application, Chrome reports ERR_CONNECTION_REFUSED. My Nginx configuration seems to be the culprit based on what I understood. How can it be corrected? Posted at Nginx Forum: https://forum.nginx.org/read.php?2,266297,266297#msg-266297 From kworthington at gmail.com Wed Apr 20 12:56:22 2016 From: kworthington at gmail.com (Kevin Worthington) Date: Wed, 20 Apr 2016 08:56:22 -0400 Subject: [nginx-announce] nginx-1.9.15 In-Reply-To: <20160419162125.GE36620@mdounin.ru> References: <20160419162125.GE36620@mdounin.ru> Message-ID: Hello Nginx users, Now available: Nginx 1.9.15 for Windows https://kevinworthington.com/nginxwin1915 (32-bit and 64-bit versions) This version was built with OpenSSL 1.0.2g, so upgraded is strongly encouraged. These versions are to support legacy users who are already using Cygwin based builds of Nginx. Officially supported native Windows binaries are at nginx.org. Announcements are also available here: Twitter http://twitter.com/kworthington Google+ https://plus.google.com/+KevinWorthington/ Thank you, Kevin -- Kevin Worthington kworthington *@* (gmail] [dot} {com) http://kevinworthington.com/ http://twitter.com/kworthington https://plus.google.com/+KevinWorthington/ On Tue, Apr 19, 2016 at 12:21 PM, Maxim Dounin wrote: > Changes with nginx 1.9.15 19 Apr > 2016 > > *) Bugfix: "recv() failed" errors might occur when using HHVM as a > FastCGI server. > > *) Bugfix: when using HTTP/2 and the "limit_req" or "auth_request" > directives a timeout or a "client violated flow control" error might > occur while reading client request body; the bug had appeared in > 1.9.14. > > *) Workaround: a response might not be shown by some browsers if HTTP/2 > was used and client request body was not fully read; the bug had > appeared in 1.9.14. > > *) Bugfix: connections might hang when using the "aio threads" > directive. > Thanks to Mindaugas Rasiukevicius. > > > -- > Maxim Dounin > http://nginx.org/ > > _______________________________________________ > nginx-announce mailing list > nginx-announce at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx-announce > -------------- next part -------------- An HTML attachment was scrubbed... URL: From zxcvbn4038 at gmail.com Wed Apr 20 13:24:52 2016 From: zxcvbn4038 at gmail.com (CJ Ess) Date: Wed, 20 Apr 2016 09:24:52 -0400 Subject: Sending nginx errors to syslog but fuser -u still shows error file open by nginx Message-ID: I've tried putting this directive into the nginx config file in both the main and html sections: error_log syslog:server=127.0.0.1,facility=local5 error; The file tests fine and reloads without issue, however if I do fuser -u on the error file (which is the same one used by syslog) I see that every nginx process has it open. Is there anyway to be sure that errors are being written by syslog and not the nginx process itself? -------------- next part -------------- An HTML attachment was scrubbed... URL: From rpaprocki at fearnothingproductions.net Wed Apr 20 13:51:15 2016 From: rpaprocki at fearnothingproductions.net (Robert Paprocki) Date: Wed, 20 Apr 2016 06:51:15 -0700 Subject: Sending nginx errors to syslog but fuser -u still shows error file open by nginx In-Reply-To: References: Message-ID: Have you done a full restart (not a reload)? I would imagine the master process needs to flush everything out. > On Apr 20, 2016, at 06:24, CJ Ess wrote: > > I've tried putting this directive into the nginx config file in both the main and html sections: > > error_log syslog:server=127.0.0.1,facility=local5 error; > > The file tests fine and reloads without issue, however if I do fuser -u on the error file (which is the same one used by syslog) I see that every nginx process has it open. Is there anyway to be sure that errors are being written by syslog and not the nginx process itself? > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx From zxcvbn4038 at gmail.com Wed Apr 20 14:46:13 2016 From: zxcvbn4038 at gmail.com (CJ Ess) Date: Wed, 20 Apr 2016 10:46:13 -0400 Subject: Sending nginx errors to syslog but fuser -u still shows error file open by nginx In-Reply-To: References:

Message-ID: Yes, I went as far as to stop nginx altogether, manually verify there are no nginx processes running, then start it again and it opens the error log first thing. On Wed, Apr 20, 2016 at 9:51 AM, Robert Paprocki < rpaprocki at fearnothingproductions.net> wrote: > Have you done a full restart (not a reload)? I would imagine the master > process needs to flush everything out. > > > On Apr 20, 2016, at 06:24, CJ Ess wrote: > > > > I've tried putting this directive into the nginx config file in both the > main and html sections: > > > > error_log syslog:server=127.0.0.1,facility=local5 error; > > > > The file tests fine and reloads without issue, however if I do fuser -u > on the error file (which is the same one used by syslog) I see that every > nginx process has it open. Is there anyway to be sure that errors are being > written by syslog and not the nginx process itself? > > > > > > _______________________________________________ > > nginx mailing list > > nginx at nginx.org > > http://mailman.nginx.org/mailman/listinfo/nginx > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mdounin at mdounin.ru Wed Apr 20 15:52:13 2016 From: mdounin at mdounin.ru (Maxim Dounin) Date: Wed, 20 Apr 2016 18:52:13 +0300 Subject: Sending nginx errors to syslog but fuser -u still shows error file open by nginx In-Reply-To: References: Message-ID: <20160420155213.GK36620@mdounin.ru> Hello! On Wed, Apr 20, 2016 at 09:24:52AM -0400, CJ Ess wrote: > I've tried putting this directive into the nginx config file in both the > main and html sections: > > error_log syslog:server=127.0.0.1,facility=local5 error; > > The file tests fine and reloads without issue, however if I do fuser -u on > the error file (which is the same one used by syslog) I see that every > nginx process has it open. Is there anyway to be sure that errors are being > written by syslog and not the nginx process itself? At least one file-based error log must be present. In particular, it is used to redirect STDERR (as in some cases written to by various libraries), and it is also believed to be useful to log errors of writing to syslog when they happen. If no file-based logs are configured, a compiled-in default one will be used. -- Maxim Dounin http://nginx.org/ From francis at daoine.org Wed Apr 20 18:17:55 2016 From: francis at daoine.org (Francis Daly) Date: Wed, 20 Apr 2016 19:17:55 +0100 Subject: Making Tomcat accessible only through nginx reverse proxy In-Reply-To: <2fdf0969fa0f6ef80c5c6fa0f620c5c3.NginxMailingListEnglish@forum.nginx.org> References: <2fdf0969fa0f6ef80c5c6fa0f620c5c3.NginxMailingListEnglish@forum.nginx.org> Message-ID: <20160420181755.GZ9435@daoine.org> On Wed, Apr 20, 2016 at 07:19:55AM -0400, gischethans wrote: Hi there, > I have a Tomcat server serving a web application and I have a Nginx server > running in front of it as a reverse proxy. What you need is that your users talk to nginx, and that nginx is able to talk to tomcat. What you additionally want, is that your users do not talk to tomcat. All of that network setup is outside of anything that nginx can do. > In order to prevent Tomcat from listening to other IPs, I added > "address=127.0.0.1" to the connector configuration. That will mean that your users cannot talk to tomcat (unless you do something special to allow them to). It will also mean that nginx cannot talk to tomcat, unless you do something special to allow it to. The easiest special thing is probably to run nginx on the same server as tomcat. If that is not what you want, then you will probably need some firewalling / ip forwarding on the tomcat machine to allow nginx connect to something which gets sent to tomcat. (But at that point, it may be easier to just leave tomcat listening on the public address, and add firewalling to block anything other than nginx from accessing it.) > In the Nginx server, I have these lines for the server configuration. On the nginx side, what you have looks fine. In the "proxy_pass" line, it will probably be simpler if you use the IP:port that tomcat is listening on (that nginx can connect to) rather than the hostname. > Now, if I try to use the FQDN to access the web application, Chrome reports > ERR_CONNECTION_REFUSED. My Nginx configuration seems to be the culprit based > on what I understood. How can it be corrected? I suspect that your request to the FQDN does not get to nginx. After you have things configured correctly, changing name resolution (dns) so that the FQDN corresponds to the nginx IP address instead of the tomcat IP address will be a necessary step. Good luck with it, f -- Francis Daly francis at daoine.org From francis at daoine.org Wed Apr 20 19:38:35 2016 From: francis at daoine.org (Francis Daly) Date: Wed, 20 Apr 2016 20:38:35 +0100 Subject: (52) Empty reply from server In-Reply-To: References: <20160414165541.GP9435@daoine.org> <20160414211342.GR9435@daoine.org> <20160418233503.GW9435@daoine.org> <20160419174250.GY9435@daoine.org> Message-ID: <20160420193835.GA9435@daoine.org> On Wed, Apr 20, 2016 at 12:54:13PM +0530, Pankaj Chaudhary wrote: Hi there, > >>But your code snippet does not match exactly the types and return values > >>of that example. I don't know if that is something worth investigating. > > I have tried to change match exactly the types and return values > of that example. but below is response curl: (52) Empty reply from server > ngx_int_tset_custom_header_in_headers_out(ngx_http_request_t *r, > ngx_str_t *key, ngx_str_t *value) { The code snippet you show seems to relate to writing your own http headers. > below is "curl -i" response > > HTTP/1.1 200 OK > Server: nginx/1.9.12 > Date: Wed, 20 Apr 2016 15:25:20 GMT > Content-Type: text/plain > Content-Length: 14 > Connection: keep-alive > cookie: thisitestvalue > user_agent: 10.9 user > get-rese: Cookie The "curl" output you show seems to show your own http headers being successfully written. So it looks like what you have shown, is working. That's good. f -- Francis Daly francis at daoine.org From zxcvbn4038 at gmail.com Thu Apr 21 03:11:10 2016 From: zxcvbn4038 at gmail.com (CJ Ess) Date: Wed, 20 Apr 2016 23:11:10 -0400 Subject: Sending nginx errors to syslog but fuser -u still shows error file open by nginx In-Reply-To: <20160420155213.GK36620@mdounin.ru> References: <20160420155213.GK36620@mdounin.ru> Message-ID: Ok, I understand what is happening now, thank you! On Wed, Apr 20, 2016 at 11:52 AM, Maxim Dounin wrote: > Hello! > > On Wed, Apr 20, 2016 at 09:24:52AM -0400, CJ Ess wrote: > > > I've tried putting this directive into the nginx config file in both the > > main and html sections: > > > > error_log syslog:server=127.0.0.1,facility=local5 error; > > > > The file tests fine and reloads without issue, however if I do fuser -u > on > > the error file (which is the same one used by syslog) I see that every > > nginx process has it open. Is there anyway to be sure that errors are > being > > written by syslog and not the nginx process itself? > > At least one file-based error log must be present. In particular, > it is used to redirect STDERR (as in some cases written to by > various libraries), and it is also believed to be useful to log > errors of writing to syslog when they happen. If no file-based > logs are configured, a compiled-in default one will be used. > > -- > Maxim Dounin > http://nginx.org/ > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From nginx-forum at forum.nginx.org Thu Apr 21 06:05:24 2016 From: nginx-forum at forum.nginx.org (rahulgupta20nov) Date: Thu, 21 Apr 2016 02:05:24 -0400 Subject: only .json file not load using rewrite or internal redirection cycle while internally redirecting Message-ID: Hi, In nginx conf file I have written:- location /hello { alias /var/www/html/hello/some_path/www; try_files $uri $uri/ /helllo/some_path/www/index.html; } location ~ /hello/(.*)\.(css|js|html|eot|svg|ttf|woff|ico|png|map|json) { try_files $uri $uri/ /hello/some_path/www/$1.$2; } So when I request a json file eg:- http://localhost/hello/language/locale-en-us.json it should be redirect to http://localhost/hello/some_path/www/language/locale-en-us.json But it not redirect to mentioned path. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,266308,266308#msg-266308 From pankajitbhu at gmail.com Thu Apr 21 07:34:40 2016 From: pankajitbhu at gmail.com (Pankaj Chaudhary) Date: Thu, 21 Apr 2016 13:04:40 +0530 Subject: (52) Empty reply from server In-Reply-To: <20160420193835.GA9435@daoine.org> References: <20160414165541.GP9435@daoine.org> <20160414211342.GR9435@daoine.org> <20160418233503.GW9435@daoine.org> <20160419174250.GY9435@daoine.org> <20160420193835.GA9435@daoine.org> Message-ID: Hi, Thank You! yes i am able to write successfully but while reading i am not getting the my written value in header. for Example from my source code:-I am writing "thisitestvalue" value against key "Set-Cookie" but if trying to read value against key "Set-Cookie" not getting . On Thu, Apr 21, 2016 at 1:08 AM, Francis Daly wrote: > On Wed, Apr 20, 2016 at 12:54:13PM +0530, Pankaj Chaudhary wrote: > > Hi there, > > > >>But your code snippet does not match exactly the types and return > values > > >>of that example. I don't know if that is something worth investigating. > > > > I have tried to change match exactly the types and return values > > of that example. but below is response curl: (52) Empty reply from server > > > ngx_int_tset_custom_header_in_headers_out(ngx_http_request_t *r, > > ngx_str_t *key, ngx_str_t *value) { > > > The code snippet you show seems to relate to writing your own http > headers. > > > below is "curl -i" response > > > > HTTP/1.1 200 OK > > Server: nginx/1.9.12 > > Date: Wed, 20 Apr 2016 15:25:20 GMT > > Content-Type: text/plain > > Content-Length: 14 > > Connection: keep-alive > > cookie: thisitestvalue > > user_agent: 10.9 user > > get-rese: Cookie > > The "curl" output you show seems to show your own http headers being > successfully written. > > So it looks like what you have shown, is working. > > That's good. > > f > -- > Francis Daly francis at daoine.org > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From pcgeopc at gmail.com Thu Apr 21 12:56:28 2016 From: pcgeopc at gmail.com (Geo P.C.) Date: Thu, 21 Apr 2016 18:26:28 +0530 Subject: Redirect /login to / Message-ID: I have a wordpress site in which be default while accessing wp.geo.com it goes to login page wp.geo.com/login/ . But what i need when i access wp.geo.com, in browser address bar it should display as wp.geo.com but inside server it should proxypass to wp.geo.com/login. We tried configuring nginx proxypass and redirect but its getting redirect loop. Can any one please help to write the nginx configuration rule for this. Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: From mdounin at mdounin.ru Thu Apr 21 13:38:02 2016 From: mdounin at mdounin.ru (Maxim Dounin) Date: Thu, 21 Apr 2016 16:38:02 +0300 Subject: only .json file not load using rewrite or internal redirection cycle while internally redirecting In-Reply-To: References: