From zchao1995 at gmail.com Tue Aug 1 01:48:10 2017
From: zchao1995 at gmail.com (Zhang Chao)
Date: Mon, 31 Jul 2017 18:48:10 -0700
Subject: connection error bit set to 1
In-Reply-To: <0fa4ba37298ea9d6ee4210b8136b36af.NginxMailingListEnglish@forum.nginx.org>
References: <0fa4ba37298ea9d6ee4210b8136b36af.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

Hello!

Is there any network error in your connection, like connection reset by peer? Maybe you can set the error log level as low as possible, then find the devil in the error.log.

On 31 July 2017 at 22:46:12, Ortal (nginx-forum at forum.nginx.org) wrote:

Hello,
I am writing an nginx module. I would like to know in which flow the error field of the connection is set to 1. I am running a test in which the nginx epoll calls ngx_http_finalize_request with: r->connection->error = 1, this will terminate my request before I have finished with my job.
Thanks

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275771,275771#msg-275771
_______________________________________________
nginx mailing list
nginx at nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

From rramirezm at hatandslash.com Tue Aug 1 02:58:11 2017
From: rramirezm at hatandslash.com (Raymundo Ramirez Mata)
Date: Mon, 31 Jul 2017 21:58:11 -0500
Subject: Nginx Address is already in use
In-Reply-To: <045F9F2F-9CB9-4B92-B907-D903C49C8BA7@nginx.com>
References: <15d9625f15a.c47319fe208882.6514015783780099097@hatandslash.com> <045F9F2F-9CB9-4B92-B907-D903C49C8BA7@nginx.com>
Message-ID: <15d9bbab826.cc3b288d423496.678023233893026170@hatandslash.com>

Hello everyone,

I forgot to mention that I also installed the nginx plugin for certbot. Looks like when configuring the server block, it added 3 snippets, one of them was for nginx ssl configuration options, some of them I was already adding, doubling the listeners on the ssl port.
Just removing the new snippet fixed my issue.

---- On Mon, 31 Jul 2017 17:49:24 -0500 Ekaterina Kukushkina <ek at nginx.com> wrote ----

Hello,

> On 31 Jul 2017, at 03:57, Raymundo Ramirez Mata <rramirezm at hatandslash.com> wrote:
>
> Hi,
>
> My nginx has stopped working, I upgraded and updated today, also purged mysql and installed mariadb, so I don't know what might broke it. when i run
>
> sudo nginx I get:
>
> nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
> nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
> nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
> nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
> nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
> nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
> nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
> nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
> nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
> nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
>
> Reading some answers I looked for who is using those ports but only nginx appears using it.

Please check /etc/nginx/conf.d/default.conf
If this file is missing before upgrade, it will be installed
And it can cause mentioned problem.
Try to comment out its content and restart nginx again.

--
Ekaterina Kukushkina

From shahzaib.cb at gmail.com Tue Aug 1 08:47:36 2017
From: shahzaib.cb at gmail.com (shahzaib mushtaq)
Date: Tue, 1 Aug 2017 13:47:36 +0500
Subject: ERR_SPDY_PROTOCOL_ERROR Nginx !!
Message-ID:

Hi,

It was working well back in days but there's sudden error which is preventing our users to play videos in browser.
The error is :

GET https://domain.com/files/videos/2017/08/01/15015680292fcdf-360.mp4?h=vOilKo_cOUft5fViRqIcMg&ttl=1501588832
net::ERR_SPDY_PROTOCOL_ERROR

We're unable to find any errors in nginx logs. Here is the Nginx Version :

[root at cw008 /tunefiles/files]# nginx -V
nginx version: nginx/1.10.1
built with OpenSSL 1.0.2j 26 Sep 2016
TLS SNI support enabled
configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --with-ld-opt='-L /usr/local/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=www --group=www --modules-path=/usr/local/libexec/nginx --with-file-aio --with-ipv6 --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx/access.log --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gzip_static_module --with-http_gunzip_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_stub_status_module --with-http_sub_module --with-pcre --with-http_v2_module --with-stream=dynamic --with-stream_ssl_module --with-threads --with-mail=dynamic --without-mail_imap_module --without-mail_pop3_module --without-mail_smtp_module --with-mail_ssl_module --with-http_ssl_module

======================================================

Please guide me on how should i diagnose this error ?

Thanks.
Shahzaib

From francis at daoine.org Tue Aug 1 12:39:23 2017
From: francis at daoine.org (Francis Daly)
Date: Tue, 1 Aug 2017 13:39:23 +0100
Subject: ERR_SPDY_PROTOCOL_ERROR Nginx !!
In-Reply-To:
References:
Message-ID: <20170801123923.GZ365@daoine.org>

On Tue, Aug 01, 2017 at 01:47:36PM +0500, shahzaib mushtaq wrote:

Hi there,

> It was working well back in days but there's sudden error which is
> preventing our users to play videos in browser. The error is :
>
> GET
> https://domain.com/files/videos/2017/08/01/15015680292fcdf-360.mp4?h=vOilKo_cOUft5fViRqIcMg&ttl=1501588832
> net::ERR_SPDY_PROTOCOL_ERROR
>
>
> We're unable to find any errors in nginx logs.

If the error message came from something not-nginx, possibly web-searching
for it in the context of that other thing will give a hint as to the
reason?

Which browser shows the error message, and did that browser change
anything recently?

Good luck with it,

f
--
Francis Daly francis at daoine.org

From shahzaib.cb at gmail.com Tue Aug 1 13:50:39 2017
From: shahzaib.cb at gmail.com (shahzaib mushtaq)
Date: Tue, 1 Aug 2017 18:50:39 +0500
Subject: ERR_SPDY_PROTOCOL_ERROR Nginx !!
In-Reply-To: <20170801123923.GZ365@daoine.org>
References: <20170801123923.GZ365@daoine.org>
Message-ID:

Hi,

Thanks for the answer, the browser is google chrome. Googling not helping much we've tried various solutions but all in vain. :-(

http://prntscr.com/g2zqo9

Also the OS is FreeBSD.

Regards.
Shahzaib

From tkadm30 at yandex.com Tue Aug 1 15:51:26 2017
From: tkadm30 at yandex.com (Etienne Robillard)
Date: Tue, 1 Aug 2017 11:51:26 -0400
Subject: ERR_SPDY_PROTOCOL_ERROR Nginx !!
In-Reply-To:
References: <20170801123923.GZ365@daoine.org>
Message-ID:

Hi,

I think mozilla doesn't even support SPDY protocol anymore. The replacement is HTTP2.

Best regards,

E

--
Etienne Robillard
tkadm30 at yandex.com
http://www.isotopesoftware.ca/

From shahzaib.cb at gmail.com Tue Aug 1 18:30:59 2017
From: shahzaib.cb at gmail.com (shahzaib mushtaq)
Date: Tue, 1 Aug 2017 23:30:59 +0500
Subject: ERR_SPDY_PROTOCOL_ERROR Nginx !!
In-Reply-To:
References: <20170801123923.GZ365@daoine.org>
Message-ID:

Hi,

This error is mostly coming on google chrome. :(

Shahzaib

From sales.skylinehosting at gmail.com Tue Aug 1 20:32:15 2017
From: sales.skylinehosting at gmail.com (spectre inc)
Date: Tue, 01 Aug 2017 20:32:15 +0000
Subject: ERR_SPDY_PROTOCOL_ERROR Nginx !!
In-Reply-To:
References: <20170801123923.GZ365@daoine.org>
Message-ID:

Are you using ssl?

From sales.skylinehosting at gmail.com Tue Aug 1 21:15:15 2017
From: sales.skylinehosting at gmail.com (spectre inc)
Date: Tue, 1 Aug 2017 17:15:15 -0400
Subject: ERR_SPDY_PROTOCOL_ERROR Nginx !!
In-Reply-To:
References: <20170801123923.GZ365@daoine.org>
Message-ID: <89A919D3-F517-4696-9764-8FB08573E078@gmail.com>

I had the same problem when seeing a site with https. If that's the case then it has to do with the ssl and there is a workaround. Let me know and I'll tell you what to fix.

Sent from my iPhone

From shahzaib.cb at gmail.com Tue Aug 1 21:32:09 2017
From: shahzaib.cb at gmail.com (shahzaib mushtaq)
Date: Wed, 2 Aug 2017 02:32:09 +0500
Subject: ERR_SPDY_PROTOCOL_ERROR Nginx !!
In-Reply-To: <89A919D3-F517-4696-9764-8FB08573E078@gmail.com>
References: <20170801123923.GZ365@daoine.org> <89A919D3-F517-4696-9764-8FB08573E078@gmail.com>
Message-ID:

Hi,

What fix do you suggest ?

Shahzaib

From sales.skylinehosting at gmail.com Tue Aug 1 21:40:19 2017
From: sales.skylinehosting at gmail.com (spectre inc)
Date: Tue, 01 Aug 2017 21:40:19 +0000
Subject: ERR_SPDY_PROTOCOL_ERROR Nginx !!
In-Reply-To:
References: <20170801123923.GZ365@daoine.org> <89A919D3-F517-4696-9764-8FB08573E078@gmail.com>
Message-ID:

The current workaround is to change the SSL Cipher Suite

From shahzaib.cb at gmail.com Tue Aug 1 21:51:21 2017
From: shahzaib.cb at gmail.com (shahzaib mushtaq)
Date: Wed, 2 Aug 2017 02:51:21 +0500
Subject: ERR_SPDY_PROTOCOL_ERROR Nginx !!
In-Reply-To:
References: <20170801123923.GZ365@daoine.org> <89A919D3-F517-4696-9764-8FB08573E078@gmail.com>
Message-ID:

Hi,

Following ciphers i am using :

server {
    listen 443 http2;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
    ssl_prefer_server_ciphers on;

===========

What do you think should i change it to ?

Thanks
Shahzaib

From rainer at ultra-secure.de Tue Aug 1 22:01:38 2017
From: rainer at ultra-secure.de (Rainer Duffner)
Date: Wed, 2 Aug 2017 00:01:38 +0200
Subject: ERR_SPDY_PROTOCOL_ERROR Nginx !!
In-Reply-To:
References: <20170801123923.GZ365@daoine.org> <89A919D3-F517-4696-9764-8FB08573E078@gmail.com>
Message-ID: <5FC45200-2C0F-4792-A35D-90F4FF156F55@ultra-secure.de>

> On 01.08.2017 at 23:51, shahzaib mushtaq wrote:
>
> What do you think should i change it to ?

What does SSL-Labs say to it?
Or htbridge?

Rainer

From nginx-forum at forum.nginx.org Wed Aug 2 01:29:25 2017
From: nginx-forum at forum.nginx.org (Phani Sreenivasa Prasad)
Date: Tue, 01 Aug 2017 21:29:25 -0400
Subject: nginx limit_req and limit_conn not working to prevent DoS attack
Message-ID: <2a696033fbd95b6506777ac696ee769e.NginxMailingListEnglish@forum.nginx.org>

Hi All,

I am using nginx in our products. When I run the goldeneye DoS attack script against nginx, it is not able to defend against the attack and normal users are getting impacted.

python goldeneye.py http:// -w 5 -s 10000 -m random -d

We are using the below nginx limit_req options but they didn't help. The nginx documentation says that these options are used to limit the request rate per key. Below is some sample configuration that we tried.

The problem is, when we use these nginx options, it still keeps nginx busy responding with 503 or some other error code for all those requests beyond the rate limit. Hence any genuine user trying to access the webserver during the attack time is not getting a chance to access our server, and is timing out or getting a 500 error.

http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=5r/s;
    ...
    server {
        limit_req zone=one ;
        ...
        location /sampleurl/ {
        }

(Note: also tried limit_conn options and behavior is same).

Why should nginx respond back with any error code rather it should drop connections !! otherwise it can't protect itself against any DoS attack.

Please share your thoughts.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275796,275796#msg-275796

From zchao1995 at gmail.com Wed Aug 2 01:46:36 2017
From: zchao1995 at gmail.com (Zhang Chao)
Date: Tue, 1 Aug 2017 21:46:36 -0400
Subject: nginx limit_req and limit_conn not working to prevent DoS attack
In-Reply-To: <2a696033fbd95b6506777ac696ee769e.NginxMailingListEnglish@forum.nginx.org>
References: <2a696033fbd95b6506777ac696ee769e.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

Hi!

I don't think just dropping the connection is a good idea, the client will never know what happens on the server end. However, the code 444 may help you, nginx just closes the connection in this case.
From nginx-forum at forum.nginx.org Wed Aug 2 02:13:21 2017
From: nginx-forum at forum.nginx.org (Phani Sreenivasa Prasad)
Date: Tue, 01 Aug 2017 22:13:21 -0400
Subject: nginx limit_req and limit_conn not working to prevent DoS attack
In-Reply-To:
References:
Message-ID: <2c24052d1a30608bca164d386f17d540.NginxMailingListEnglish@forum.nginx.org>

I assume it would help dropping connections . since we are setting rate limit per ip and any client IP which is suspicious by sending requests in bulk(lets say 10000 connections/requests), it makes sense to not to accept connections/requests from that IP.

Thoughts ??

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275796,275798#msg-275798

From anoopalias01 at gmail.com Wed Aug 2 03:26:39 2017
From: anoopalias01 at gmail.com (Anoop Alias)
Date: Wed, 2 Aug 2017 08:56:39 +0530
Subject: nginx limit_req and limit_conn not working to prevent DoS attack
In-Reply-To: <2c24052d1a30608bca164d386f17d540.NginxMailingListEnglish@forum.nginx.org>
References: <2c24052d1a30608bca164d386f17d540.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

You can use an external tool to parse Nginx error log and block the IP in iptables/netfilter

On Wed, Aug 2, 2017 at 7:43 AM, Phani Sreenivasa Prasad <nginx-forum at forum.nginx.org> wrote:

> I assume it would help dropping connections . since we are setting rate
> limit per ip and any client IP which is suspicious by sending requests in
> bulk(lets say 10000 connections/requests), it makes sense to not to accept
> connections/requests from that IP.
>
> Thoughts ??
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275796,275798#msg-275798

--
*Anoop P Alias*
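The approach suggested in the reply above (parse the nginx error log, block the address in the firewall), as an added example that is not part of the original messages. It assumes the error-log lines nginx writes for `limit_req`/`limit_conn` rejections; the nftables sets `blocklist4`/`blocklist6`, the thresholds and the allowlisted network are hypothetical, and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Error-log line nginx writes when limit_req / limit_conn rejects a request.
# Anchored on the "pid#tid: *conn" prefix so that text inside the logged
# request line (attacker-controlled) is never mistaken for nginx's own message.
LIMIT_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[\w+\] \d+#\d+: \*\d+ '
    r'limiting (?:requests, excess: [\d.]+|connections) '
    r'by zone "(?P<zone>[^"]+)", client: (?P<client>[0-9A-Fa-f:.]+),'
)


def find_offenders(lines, threshold=20, window=timedelta(seconds=10), allow=()):
    """Return {ip: time the threshold was crossed} for clients with at least
    `threshold` rejections inside a sliding `window`. Networks in `allow`
    (for example a campus or corporate NAT) are never flagged."""
    allow_nets = [ipaddress.ip_network(n) for n in allow]
    recent = defaultdict(deque)   # ip -> timestamps of recent rejections
    offenders = {}
    for line in lines:
        m = LIMIT_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group('client'))
        except ValueError:
            continue              # not a valid address, ignore the line
        if any(ip in net for net in allow_nets):
            continue
        ts = datetime.strptime(m.group('ts'), '%Y/%m/%d %H:%M:%S')
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop rejections older than the window
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders


def nft_commands(offenders, table='inet filter', timeout='10m'):
    """Render (not execute) nft commands that add each offender to a timed set.
    Set names blocklist4/blocklist6 are assumptions and must already exist
    with 'flags timeout' and be referenced by a drop rule."""
    cmds = []
    for ip in sorted(offenders, key=lambda a: (a.version, int(a))):
        name = 'blocklist4' if ip.version == 4 else 'blocklist6'
        cmds.append(f'nft add element {table} {name} {{ {ip} timeout {timeout} }}')
    return cmds


def constructed_sample():
    """Constructed error-log lines covering four cases."""
    base = datetime(2017, 8, 2, 1, 29, 25)

    def stamp(offset):
        return (base + timedelta(seconds=offset)).strftime('%Y/%m/%d %H:%M:%S')

    def hit(ip, offset, conn):
        return (f'{stamp(offset)} [error] 1234#0: *{conn} limiting requests, '
                f'excess: 5.240 by zone "one", client: {ip}, server: example.test, '
                f'request: "GET /sampleurl/ HTTP/1.1", host: "example.test"')

    lines = [hit('203.0.113.7', i // 5, 100 + i) for i in range(25)]     # burst
    lines += [hit('192.0.2.50', 0, 200 + i) for i in range(30)]          # shared NAT
    lines += [hit('198.51.100.77', 30 * i, 300 + i) for i in range(25)]  # slow client
    # Unrelated errors whose request line imitates a rejection for another IP.
    lines += [(f'{stamp(0)} [error] 1234#0: *{400 + i} open() "/var/www/x" failed '
               f'(2: No such file or directory), client: 198.51.100.9, '
               f'server: example.test, request: "GET /limiting requests, '
               f'excess: 9.000 by zone "one", client: 198.51.100.200, HTTP/1.1"')
              for i in range(25)]
    return lines


if __name__ == '__main__':
    found = find_offenders(constructed_sample(), allow=('192.0.2.0/24',))
    for cmd in nft_commands(found):
        print(cmd)
```

The allowlist matters for the case raised later in the thread, where many legitimate users share one address.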
From lists at lazygranch.com Wed Aug 2 03:59:07 2017
From: lists at lazygranch.com (Gary Sellani)
Date: Tue, 01 Aug 2017 20:59:07 -0700
Subject: nginx limit_req and limit_conn not working to prevent DoS attack
In-Reply-To:
Message-ID:

An HTML attachment was scrubbed...

From nginx-forum at forum.nginx.org Wed Aug 2 04:08:02 2017
From: nginx-forum at forum.nginx.org (Phani Sreenivasa Prasad)
Date: Wed, 02 Aug 2017 00:08:02 -0400
Subject: nginx limit_req and limit_conn not working to prevent DoS attack
In-Reply-To:
References:
Message-ID:

Yes. Firewall would be another option. But before that, I would like to try out all options at nginx level if one or other would resolve the issue at nginx layer itself.

Can't we put accept() filters? Or how the deny option works? Can we use deny option to not to accept any new connections if number of connections already exceeds max limit from a client IP?
Are there any third party modules available for nginx to embed firewall functionality? Something reliable !!

My objective is, using limit_conn directive, when number of connections exceeding limit, instead of sending 503, or 444, just do not accept any new connections from that specific IP only (if a client is opening 10000 connections at a time, it should be fine to not accept connections from that IP citing the reason that it could be malicious).

Thoughts !!

Thanks.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275796,275801#msg-275801

From lists at lazygranch.com Wed Aug 2 04:27:08 2017
From: lists at lazygranch.com (Gary Sellani)
Date: Tue, 01 Aug 2017 21:27:08 -0700
Subject: nginx limit_req and limit_conn not working to prevent DoS attack
In-Reply-To:
Message-ID:

The trouble is nginx does a fair amount of work before blocking the IP address, unless things have changed. My recollection is it parses the whole request. Obviously it doesn't send any data. So you are better off blocking with the firewall.

You do need to know your audience.
Something related to a university could generate a number of simultaneous users behind one IP. In my case Boeing triggered the limit.

  Original Message
From: nginx-forum at forum.nginx.org
Sent: August 1, 2017 9:08 PM
To: nginx at nginx.org
Reply-to: nginx at nginx.org
Subject: Re: nginx limit_req and limit_conn not working to prevent DoS attack

Yes. Firewall would be another option. But before that, I would like to try out all options at nginx level if one or other would resolve the issue at nginx layer itself.

Can't we put accept() filters? Or how the deny option works? Can we use deny option to not to accept any new connections if number of connections already exceeds max limit from a client IP?
Are there any third party modules available for nginx to embed firewall functionality? Something reliable !!

My objective is, using limit_conn directive, when number of connections exceeding limit, instead of sending 503, or 444, just do not accept any new connections from that specific IP only (if a client is opening 10000 connections at a time, it should be fine to not accept connections from that IP citing the reason that it could be malicious).

Thoughts !!

Thanks.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275796,275801#msg-275801

From leeon2013 at gmail.com Wed Aug 2 04:27:08 2017
From: leeon2013 at gmail.com (David Woodstuck)
Date: Wed, 2 Aug 2017 00:27:08 -0400
Subject: Nginx installation from source for Windows
Message-ID:

I have two questions:

1. How do I install Nginx from source for Windows?
2. If I can install Nginx from source for one Window OS, can I copy Nginx into another Windows?

Thanks,
David
From leeon2013 at gmail.com Wed Aug 2 04:35:45 2017
From: leeon2013 at gmail.com (David Woodstuck)
Date: Wed, 2 Aug 2017 00:35:45 -0400
Subject: Building Nginx from source for Windows
Message-ID:

I have two questions:

1. How do I build Nginx from source for Windows?
2. If I can build Nginx from source for one Window OS, can I copy Nginx into another Windows?
3. I have already build Nginx from for Linux because I need this module - https://github.com/yaoweibin/ngx_http_substitutions_filter_module. The build process is the same for Linux and Windows (http://nginx.org/en/docs/configure.html).

Thanks,
David

From i at zby.io Wed Aug 2 05:05:24 2017
From: i at zby.io (=?gb2312?B?y8TP0g==?=)
Date: Wed, 2 Aug 2017 05:05:24 +0000
Subject: Re: Building Nginx from source for Windows
In-Reply-To:
References:
Message-ID: <94b7e500289340cb8144749629e1f8f1HKNPR04MB17466C25AD0B0E27E894FCAFDAB00@HKNPR04MB1746.apcprd04.prod.outlook.com>

Hello,

The binary program built for Linux can't run directly on Windows. And the source of nginx is called a 'tarball', whose file structure is fit for Linux. To build it, you need Linux build tool chains.

The best solution is Cygwin, which is a program that allow you to use POSIX programs on Windows. Or if you use Windows 10 (Build 14393 and higher), you can consider to use Linux Subsystem On Windows.

________________________________
From: nginx on behalf of David Woodstuck
Sent: 2 August 2017 12:35:45
To: nginx at nginx.org
Subject: Building Nginx from source for Windows

I have two questions:

1. How do I build Nginx from source for Windows?
2. If I can build Nginx from source for one Window OS, can I copy Nginx into another Windows?
3. I have already build Nginx from for Linux because I need this module - https://github.com/yaoweibin/ngx_http_substitutions_filter_module.
The build process is the same for Linux and Windows (http://nginx.org/en/docs/configure.html).

Thanks,
David

From idefix at fechner.net Wed Aug 2 06:07:27 2017
From: idefix at fechner.net (Matthias Fechner)
Date: Wed, 2 Aug 2017 08:07:27 +0200
Subject: ERR_SPDY_PROTOCOL_ERROR Nginx !!
In-Reply-To:
References: <20170801123923.GZ365@daoine.org> <89A919D3-F517-4696-9764-8FB08573E078@gmail.com>
Message-ID: <76231ef3-62d1-9db6-4c21-3fd0f3b1a7fc@fechner.net>

On 01.08.2017 at 23:51, shahzaib mushtaq wrote:
> Following ciphers i am using :
>
> server {
> listen 443 http2;
> ssl on;
> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
> ssl_ciphers
> 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
> ssl_prefer_server_ciphers on;
>
> ===========
>
> What do you think should i change it to ?

Have you tried using this generator: https://mozilla.github.io/server-side-tls/ssl-config-generator/

A very helpful tool.

Regards,
Matthias -- "Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to produce bigger and better idiots. So far, the universe is winning." -- Rich Cook From francis at daoine.org Wed Aug 2 07:13:05 2017 From: francis at daoine.org (Francis Daly) Date: Wed, 2 Aug 2017 08:13:05 +0100 Subject: ERR_SPDY_PROTOCOL_ERROR Nginx !! In-Reply-To: References: <20170801123923.GZ365@daoine.org> Message-ID: <20170802071305.GA365@daoine.org> On Tue, Aug 01, 2017 at 06:50:39PM +0500, shahzaib mushtaq wrote: Hi there, > Thanks for the answer, the browser is google chrome. Googling not helping > much we've tried various solutions but all in vain. :-( That's not much to go on. There is more than one version of google chrome. Some web reports suggest that SPDY support was going to be removed in version 51. Some web reports suggest client-side changes that can avoid that error message, including one particular malware-protection system leading to it appearing. You don't say which "various solutions" you have tried, so there's no point me linking to the same web pages that you can find -- perhaps you've already seen them and done what they suggest. What you seem to be reporting is that things were working fine with your nginx and some clients; and then without changing nginx, some clients started failing. On that basis, if you are looking for how to diagnose the problem, I'd start by looking at the clients and seeing what changed on their side. There may well be a problem with your nginx setup; or there may well be something that you can change on your nginx side to unbreak whatever client changes happened; but from what you have written so far, I see no evidence of that. 
Good luck with it,

f
--
Francis Daly francis at daoine.org

From nginx-forum at forum.nginx.org Wed Aug 2 07:36:17 2017
From: nginx-forum at forum.nginx.org (itpp2012)
Date: Wed, 02 Aug 2017 03:36:17 -0400
Subject: Building Nginx from source for Windows
In-Reply-To:
References:
Message-ID:

Use this one, portable, tried, tested, production ready http://nginx-win.ecsds.eu/

2: yes
3: yes already included.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275804,275808#msg-275808

From reallfqq-nginx at yahoo.fr Wed Aug 2 08:15:44 2017
From: reallfqq-nginx at yahoo.fr (B.R.)
Date: Wed, 2 Aug 2017 10:15:44 +0200
Subject: nginx limit_req and limit_conn not working to prevent DoS attack
In-Reply-To: <20170802042714.08C152C56BB6@mail.nginx.com>
References: <20170802042714.08C152C56BB6@mail.nginx.com>
Message-ID:

The original confusion came from the fact you slid away from the basic mantra of the Unix philosophy stating 'Make each program do one thing well'.

nginx is a Web server, which generalized itself into a stream server. It serves content and manages access (protects it).
What you are trying to achieve is turning nginx into a firewall, which it is not.
A content server does not simply cut connections. It behaves and responds to requests. That is standard.
All you can do at the connection level is limiting their number (cf. limit_conn).

It has been suggested you used iptables, as it is a firewall. At the software level, I would rather recommend nftables.
Some log analyzers could help you make the interface between a content server and a software firewall, such as fail2ban.

You could also go for hardware (D)DoS protection, depending on the scale of your needs.

There is nothing to be surprised of, the product you are using merely doing the job. it has been made for
---
*B. R.*

On Wed, Aug 2, 2017 at 6:27 AM, Gary Sellani wrote:

> The trouble is nginx does a fair amount of work before blocking the IP
> address, unless things have changed.
My recollection is it parses the whole > request. Obviously it doesn't send any data. So you are better off blocking > with the firewall. > > You do need to know your audience. Something related to a university could > generate a number of simultaneous users behind one IP. In my case Boeing > triggered the limit. > > > Original Message > From: nginx-forum at forum.nginx.org > Sent: August 1, 2017 9:08 PM > To: nginx at nginx.org > Reply-to: nginx at nginx.org > Subject: Re: nginx limit_req and limit_conn not working to prevent DoS > attack > > Yes. Firewall would be another option. But before to that, i would like to > try out all options at nginx level if one or other would resolve the issue > at nginx layer itself. > > cant we put accept() filters? or > how the deny option works? can we use deny option to not to accept any new > connections if number of connections already exceeds max limit from a > client > IP.? > are there any third party modules available for nginx to embed firewall > functionality? something reliable !! > > My objective is, using limit_conn directive, when number of connections > exceeding limit, instead of sending 503, or 444, just do not accept any new > connections from that specific IP only(if a client is opening 10000 > connections at a time, it should be fine to not accept connections from > that > IP citing the reason that it could be malicious). > > Thoughts !! > > Thanks. > > Posted at Nginx Forum: https://forum.nginx.org/read. > php?2,275796,275801#msg-275801 > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From shahzaib.cb at gmail.com Wed Aug 2 08:17:06 2017 From: shahzaib.cb at gmail.com (shahzaib mushtaq) Date: Wed, 2 Aug 2017 13:17:06 +0500 Subject: ERR_SPDY_PROTOCOL_ERROR Nginx !! In-Reply-To: <20170802071305.GA365@daoine.org> References: <20170801123923.GZ365@daoine.org> <20170802071305.GA365@daoine.org> Message-ID: Hi Franic, Thanks for response well i've tried lot more things, updated FreeBsd, updated openssl but issue is still there. Do you think is there any possibility it is linked with Nginx ? Here is my Nginx SSL config : https://pastebin.com/gaVWfWJv >>There is more than one version of google chrome. Some web reports suggest that SPDY support was going to be removed in version 51. Chrome version is 64 latest which has removed spdy and supports HTTP2 i guess. >>On that basis, if you are looking for how to diagnose the problem, I'd start by looking at the clients and seeing what changed on their side. We are also getting spdy error, we create an html page and put 6 direct video links on the page like following : https://pastebin.com/dzpwg26C After that we open this link in Incognito chrome and in Inspect element under Console those SPDY protocol errors start to occur. Here see the screenshot : http://prntscr.com/g3bqcg Regards. Shahzaib On Wed, Aug 2, 2017 at 12:13 PM, Francis Daly wrote: > On Tue, Aug 01, 2017 at 06:50:39PM +0500, shahzaib mushtaq wrote: > > Hi there, > > > Thanks for the answer, the browser is google chrome. Googling not helping > > much we've tried various solutions but all in vain. :-( > > That's not much to go on. > > There is more than one version of google chrome. Some web reports suggest > that SPDY support was going to be removed in version 51. > > Some web reports suggest client-side changes that can avoid that error > message, including one particular malware-protection system leading to > it appearing. 
> > You don't say which "various solutions" you have tried, so there's no > point me linking to the same web pages that you can find -- perhaps > you've already seen them and done what they suggest. > > > What you seem to be reporting is that things were working fine with your > nginx and some clients; and then without changing nginx, some clients > started failing. > > On that basis, if you are looking for how to diagnose the problem, > I'd start by looking at the clients and seeing what changed on their side. > > There may well be a problem with your nginx setup; or there may well > be something that you can change on your nginx side to unbreak whatever > client changes happened; but from what you have written so far, I see > no evidence of that. > > Good luck with it, > > f > -- > Francis Daly francis at daoine.org > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From shahzaib.cb at gmail.com Wed Aug 2 09:52:31 2017 From: shahzaib.cb at gmail.com (shahzaib mushtaq) Date: Wed, 2 Aug 2017 14:52:31 +0500 Subject: ERR_SPDY_PROTOCOL_ERROR Nginx !! In-Reply-To: References: <20170801123923.GZ365@daoine.org> <20170802071305.GA365@daoine.org> Message-ID: Hi, The latest update: We tested videos on Debian and everything worked smooth, the issue looks to be on FreeBSD. No idea what is it related to though. Any guidance will be very much appreciated. :( Shahzaib On Wed, Aug 2, 2017 at 1:17 PM, shahzaib mushtaq wrote: > Hi Franic, > > Thanks for response well i've tried lot more things, updated FreeBsd, > updated openssl but issue is still there. Do you think is there any > possibility it is linked with Nginx ? Here is my Nginx SSL config : > > https://pastebin.com/gaVWfWJv > > >>There is more than one version of google chrome. 
Some web reports > suggest > that SPDY support was going to be removed in version 51. > > Chrome version is 64 latest which has removed spdy and supports HTTP2 i > guess. > > >>On that basis, if you are looking for how to diagnose the problem, > I'd start by looking at the clients and seeing what changed on their side. > > We are also getting spdy error, we create an html page and put 6 direct > video links on the page like following : > > https://pastebin.com/dzpwg26C > > After that we open this link in Incognito chrome and in Inspect element > under Console those SPDY protocol errors start to occur. Here see the > screenshot : http://prntscr.com/g3bqcg > > Regards. > Shahzaib > > > On Wed, Aug 2, 2017 at 12:13 PM, Francis Daly wrote: > >> On Tue, Aug 01, 2017 at 06:50:39PM +0500, shahzaib mushtaq wrote: >> >> Hi there, >> >> > Thanks for the answer, the browser is google chrome. Googling not >> helping >> > much we've tried various solutions but all in vain. :-( >> >> That's not much to go on. >> >> There is more than one version of google chrome. Some web reports suggest >> that SPDY support was going to be removed in version 51. >> >> Some web reports suggest client-side changes that can avoid that error >> message, including one particular malware-protection system leading to >> it appearing. >> >> You don't say which "various solutions" you have tried, so there's no >> point me linking to the same web pages that you can find -- perhaps >> you've already seen them and done what they suggest. >> >> >> What you seem to be reporting is that things were working fine with your >> nginx and some clients; and then without changing nginx, some clients >> started failing. >> >> On that basis, if you are looking for how to diagnose the problem, >> I'd start by looking at the clients and seeing what changed on their side. 
>> >> There may well be a problem with your nginx setup; or there may well >> be something that you can change on your nginx side to unbreak whatever >> client changes happened; but from what you have written so far, I see >> no evidence of that. >> >> Good luck with it, >> >> f >> -- >> Francis Daly francis at daoine.org >> _______________________________________________ >> nginx mailing list >> nginx at nginx.org >> http://mailman.nginx.org/mailman/listinfo/nginx >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From valery+nginxen at grid.net.ru Wed Aug 2 12:31:25 2017 From: valery+nginxen at grid.net.ru (Valery Kholodkov) Date: Wed, 2 Aug 2017 14:31:25 +0200 Subject: nginx limit_req and limit_conn not working to prevent DoS attack In-Reply-To: References: <20170802042714.08C152C56BB6@mail.nginx.com> Message-ID: I think the confusion is still there and it is in the term 'firewall'. While nginx is no good for level 3 firewall, also known as netfilter, it's perfect for application level firewall and you already mentioned it by saying that 'it manages access (protects it)'. People turn nginx into application level firewall, no problem. The question is rather if you want to pay the price of scrubbing the request in the userland and not philosophical considerations. Yet at certain scale and confidence level, indeed a vertically-integrated solution might be more adequate. On 02-08-17 10:15, B.R. via nginx wrote: > The original confusion came from the fact you slided away from the basic > mantra of the Unix philosophy stating 'Make each program do one thing well'. > > nginx is a Web server, which generalized itself into a stream server. It > serves content and manages access (protects it). > What you are trying to achieve is turning nginx into a firewall, which > it is not. > A content server does not simply cut connections. It behaves and > responds to requests. That is standard. 
> All you can do at the connection level is limiting their number (cf. > limit_conn). > > It has been suggested you used iptables, as it is a firewall. At the > software level, I would rather recommend nftables. > Some log analyzers could help you make the interface between a content > server and a software firewall, such as fail2ban. > > You could also go for hardware (D)DoS protection, depending on the scale > of your needs. > > ?There is nothing to be surprised of, the product you are using merely > doing the job. it has been made for? > --- > *B. R.* > > On Wed, Aug 2, 2017 at 6:27 AM, Gary Sellani > wrote: > > The trouble is nginx does a fair amount of work before blocking the > IP address, unless things have changed. My recollection is it parses > the whole request. Obviously it doesn't send any data. So you are > better off blocking with the firewall. > > You do need to know your audience. Something related to a university > could generate a number of simultaneous users behind one IP. In my > case Boeing triggered the limit. > > > Original Message > From: nginx-forum at forum.nginx.org > Sent: August 1, 2017 9:08 PM > To: nginx at nginx.org > Reply-to: nginx at nginx.org > Subject: Re: nginx limit_req and limit_conn not working to prevent > DoS attack > > Yes. Firewall would be another option. But before to that, i would > like to > try out all options at nginx level if one or other would resolve the > issue > at nginx layer itself. > > cant we put accept() filters? or > how the deny option works? can we use deny option to not to accept > any new > connections if number of connections already exceeds max limit from > a client > IP.? > are there any third party modules available for nginx to embed firewall > functionality? something reliable !! 
> > My objective is, using limit_conn directive, when number of connections > exceeding limit, instead of sending 503, or 444, just do not accept > any new > connections from that specific IP only(if a client is opening 10000 > connections at a time, it should be fine to not accept connections > from that > IP citing the reason that it could be malicious). > > Thoughts !! > > Thanks. > > Posted at Nginx Forum: > https://forum.nginx.org/read.php?2,275796,275801#msg-275801 > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > > > > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > From nginx-forum at forum.nginx.org Wed Aug 2 13:53:20 2017 From: nginx-forum at forum.nginx.org (Alt) Date: Wed, 02 Aug 2017 09:53:20 -0400 Subject: ERR_SPDY_PROTOCOL_ERROR Nginx !! In-Reply-To: References: Message-ID: <6f61caffdf760fc7bd98a4db07d086e0.NginxMailingListEnglish@forum.nginx.org> Hello! This issue often happens when a cipher is missing in your cipher list and Chrome tries to use another cipher forbidden in the HTTP/2 spec. Using SSL Labs would normally display such error (in the "Handshake Simulation" part of thei results). And yes, Chrome sucks for displaying an error related to SPDY, even when you don't have any SPDY and are using HTTP/2. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275776,275816#msg-275816 From shahzaib.cb at gmail.com Wed Aug 2 15:05:26 2017 From: shahzaib.cb at gmail.com (shahzaib mushtaq) Date: Wed, 2 Aug 2017 20:05:26 +0500 Subject: ERR_SPDY_PROTOCOL_ERROR Nginx !! 
In-Reply-To: <6f61caffdf760fc7bd98a4db07d086e0.NginxMailingListEnglish@forum.nginx.org> References: <6f61caffdf760fc7bd98a4db07d086e0.NginxMailingListEnglish@forum.nginx.org> Message-ID: Hi, What could be the exact cipher missing in this case ? Here is the cipher list i am using , also there's nothing i found of error in ssl labs instead for two ciphers which it said as WEAK while ssllabs gave A grade. ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4'; On Wed, Aug 2, 2017 at 6:53 PM, Alt wrote: > Hello! > > This issue often happens when a cipher is missing in your cipher list and > Chrome tries to use another cipher forbidden in the HTTP/2 spec. Using SSL > Labs would normally display such error (in the "Handshake Simulation" part > of thei results). > > And yes, Chrome sucks for displaying an error related to SPDY, even when > you > don't have any SPDY and are using HTTP/2. > > Posted at Nginx Forum: https://forum.nginx.org/read. > php?2,275776,275816#msg-275816 > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From luky-37 at hotmail.com Wed Aug 2 15:11:31 2017 From: luky-37 at hotmail.com (Lukas Tribus) Date: Wed, 2 Aug 2017 15:11:31 +0000 Subject: AW: ERR_SPDY_PROTOCOL_ERROR Nginx !! 
In-Reply-To: <6f61caffdf760fc7bd98a4db07d086e0.NginxMailingListEnglish@forum.nginx.org>
References: , <6f61caffdf760fc7bd98a4db07d086e0.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

Hello!

> This issue often happens when a cipher is missing in your cipher list and
> Chrome tries to use another cipher forbidden in the HTTP/2 spec.

Wrong. In that case, Chrome would return:
ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY

which is different than ERR_SPDY_PROTOCOL_ERROR.

Also note that all those error codes are valid for HTTP2 as well, it's just that their name hasn't been updated in Chrome yet.

I'd suggest to upgrade to a supported nginx release without any third-party modules first of all, also try without mp4 streaming code paths.

Try to reproduce it in an isolated environment, then you can debug on the client site and on the nginx side.

Lukas

From nginx-forum at forum.nginx.org Wed Aug 2 16:21:43 2017
From: nginx-forum at forum.nginx.org (mattw)
Date: Wed, 02 Aug 2017 12:21:43 -0400
Subject: nginscript subrequests or way to save vars between requests
Message-ID: <562a4a31a94c1dbf5d54a8630fa8cbb3.NginxMailingListEnglish@forum.nginx.org>

In most of the docs for nginscript it talks about how it will not block on subrequests. But I haven't seen any examples on how to perform these subrequests. Is there a way to do this? Or any way to save a variable somewhere (over the net, in a file, in memory) between requests? Or are my scripts limited to using what I can generate in process and info from the current request?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275820,275820#msg-275820

From shahzaib.cb at gmail.com Wed Aug 2 16:43:19 2017
From: shahzaib.cb at gmail.com (shahzaib mushtaq)
Date: Wed, 2 Aug 2017 21:43:19 +0500
Subject: ERR_SPDY_PROTOCOL_ERROR Nginx !!
In-Reply-To:
References: <6f61caffdf760fc7bd98a4db07d086e0.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

The only fix that worked is disabling the HTTP2 on Nginx for chrome.
No idea what the actual problem is. On Wed, Aug 2, 2017 at 8:11 PM, Lukas Tribus wrote: > Hello! > > > > This issue often happens when a cipher is missing in your cipher list and > > Chrome tries to use another cipher forbidden in the HTTP/2 spec. > > Wrong. In that case, Chrome would return: > ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY > > which is different than ERR_SPDY_PROTOCOL_ERROR. > > > Also note that all those error codes are valid for HTTP2 as well, its just > that their name hasn't been updated in Chrome yet. > > > I'd suggest to upgrade to a supported nginx release without any > third-party modules first of all, also try without mp4 streaming > code paths. > > Try to reproduce it in an isolated environment, then you can > debug on the client site and on the nginx side. > > > > Lukas > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From vbart at nginx.com Wed Aug 2 18:03:05 2017 From: vbart at nginx.com (Valentin V. Bartenev) Date: Wed, 02 Aug 2017 21:03:05 +0300 Subject: ERR_SPDY_PROTOCOL_ERROR Nginx !! In-Reply-To: References: Message-ID: <6737451.2x2hNCX4Vr@vbart-workstation> On Wednesday 02 August 2017 21:43:19 shahzaib mushtaq wrote: > The only fix that worked is disabling the HTTP2 on Nginx for chrome. No > idea what the actual problem is. > [..] There are a lot of problems has been fixed since 1.10. As already suggested, you should update nginx to a supported version. wbr, Valentin V. Bartenev From shahzaib.cb at gmail.com Wed Aug 2 18:04:22 2017 From: shahzaib.cb at gmail.com (shahzaib mushtaq) Date: Wed, 2 Aug 2017 23:04:22 +0500 Subject: ERR_SPDY_PROTOCOL_ERROR Nginx !! 
In-Reply-To: <6737451.2x2hNCX4Vr@vbart-workstation> References: <6737451.2x2hNCX4Vr@vbart-workstation> Message-ID: I've already update Nginx to 12.X but issue is the same : nginx version: nginx/1.12.1 built with OpenSSL 1.0.2l 25 May 2017 TLS SNI support enabled configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --with-ld-opt='-L /usr/local/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=www --group=www --modules-path=/usr/local/libexec/nginx --with-file-aio --with-cc-opt='-DNGX_HAVE_INET6=0 -I /usr/local/include' --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx/access.log --with-http_addition_module --without-http-cache --with-http_flv_module --with-http_geoip_module=dynamic --with-http_gzip_static_module --with-http_mp4_module --with-http_realip_module --with-http_secure_link_module --with-pcre --with-http_v2_module --with-threads --with-http_ssl_module Virus-free. www.avast.com <#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2> On Wed, Aug 2, 2017 at 11:03 PM, Valentin V. Bartenev wrote: > On Wednesday 02 August 2017 21:43:19 shahzaib mushtaq wrote: > > The only fix that worked is disabling the HTTP2 on Nginx for chrome. No > > idea what the actual problem is. > > > [..] > > There are a lot of problems has been fixed since 1.10. > As already suggested, you should update nginx to a supported version. > > wbr, Valentin V. Bartenev > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... 
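Added example (not code from the thread or from the nginx project): the `nginx -V` output posted above is what shows whether a binary still contains the mp4 code paths Lukas suggests testing without. The Python below parses that output and diffs it against a second build; `BUILD_TEST` is a constructed comparison build, and `parse_nginx_v` and `diff_builds` are hypothetical helper names.

```python
import shlex

# Configure arguments exactly as posted in the message above.
POSTED_TOKENS = [
    "--prefix=/usr/local/etc/nginx",
    "--with-cc-opt='-I /usr/local/include'",
    "--with-ld-opt='-L /usr/local/lib'",
    "--conf-path=/usr/local/etc/nginx/nginx.conf",
    "--sbin-path=/usr/local/sbin/nginx",
    "--pid-path=/var/run/nginx.pid",
    "--error-log-path=/var/log/nginx/error.log",
    "--user=www", "--group=www",
    "--modules-path=/usr/local/libexec/nginx",
    "--with-file-aio",
    "--with-cc-opt='-DNGX_HAVE_INET6=0 -I /usr/local/include'",
    "--http-client-body-temp-path=/var/tmp/nginx/client_body_temp",
    "--http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp",
    "--http-proxy-temp-path=/var/tmp/nginx/proxy_temp",
    "--http-scgi-temp-path=/var/tmp/nginx/scgi_temp",
    "--http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp",
    "--http-log-path=/var/log/nginx/access.log",
    "--with-http_addition_module", "--without-http-cache",
    "--with-http_flv_module", "--with-http_geoip_module=dynamic",
    "--with-http_gzip_static_module", "--with-http_mp4_module",
    "--with-http_realip_module", "--with-http_secure_link_module",
    "--with-pcre", "--with-http_v2_module", "--with-threads",
    "--with-http_ssl_module",
]

HEADER = (
    "nginx version: nginx/1.12.1\n"
    "built with OpenSSL 1.0.2l 25 May 2017\n"
    "TLS SNI support enabled\n"
)

# The posted build, with the line breaks `nginx -V` normally prints.
BUILD_POSTED = HEADER + "configure arguments: " + " ".join(POSTED_TOKENS) + "\n"

# Constructed comparison build (an assumption, not from the thread):
# same options without the mp4 module and without the repeated cc-opt.
DROPPED = {
    "--with-http_mp4_module",
    "--with-cc-opt='-DNGX_HAVE_INET6=0 -I /usr/local/include'",
}
BUILD_TEST = HEADER + "configure arguments: " + " ".join(
    t for t in POSTED_TOKENS if t not in DROPPED
) + "\n"


def parse_nginx_v(text):
    """Turn `nginx -V` text into version info plus a flag -> value mapping."""
    info = {"version": None, "openssl": None, "sni": False,
            "args": {}, "repeated": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("nginx version:"):
            info["version"] = line.partition("nginx/")[2].strip() or None
        elif line.startswith("built with OpenSSL"):
            info["openssl"] = line.split()[3]
        elif line.startswith("TLS SNI support enabled"):
            info["sni"] = True
        elif line.startswith("configure arguments:"):
            # shlex keeps quoted values such as '-I /usr/local/include' whole.
            for token in shlex.split(line.split(":", 1)[1]):
                flag, sep, value = token.partition("=")
                if flag in info["args"] and flag not in info["repeated"]:
                    info["repeated"].append(flag)
                # This parser keeps the last value seen for a repeated flag.
                info["args"][flag] = value if sep else None
    return info


def diff_builds(a, b):
    """Report flags present in only one build and flags whose value differs."""
    fa, fb = a["args"], b["args"]
    return {
        "only_a": sorted(set(fa) - set(fb)),
        "only_b": sorted(set(fb) - set(fa)),
        "changed": {k: (fa[k], fb[k])
                    for k in sorted(set(fa) & set(fb)) if fa[k] != fb[k]},
    }


if __name__ == "__main__":
    posted, test = parse_nginx_v(BUILD_POSTED), parse_nginx_v(BUILD_TEST)
    print("repeated flags in posted build:", posted["repeated"])
    print(diff_builds(posted, test))
```

Run it against real output with `nginx -V 2>&1`, since nginx writes the build information to stderr.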

From nginx-forum at forum.nginx.org Wed Aug 2 20:07:09 2017
From: nginx-forum at forum.nginx.org (Nogs)
Date: Wed, 02 Aug 2017 16:07:09 -0400
Subject: ssl_error crl
Message-ID:

Hello everybody,

I am a new in nginx and I need a help for crl config in my nginx.conf.
About your information my ssl certificate is a trusted certificate by
commodore. And the certificate that users use for authentication is provided
by my own Microsoft CA. In my configuration, if I activate ssl_crl the
authentication doesn't work but if the line ssl_crl is commented it works.
At the line ssl_client certificate I put the ca certificate who delivered
users certificate and my crl is a pem format in bellow my conf

server_name yella.com;
ssl_certificate /usr/local/etc/nginx/certs/fyella.crt;
ssl_certificate_key /usr/local/etc/nginx/certs/yella.key;
ssl_client_certificate /usr/local/etc/nginx/certs/root.pem;
ssl_verify_client on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_crl /usr/local/etc/nginx/certs/crl.pem;

Best Regards

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275827,275827#msg-275827

From nginx-forum at forum.nginx.org Wed Aug 2 23:18:34 2017
From: nginx-forum at forum.nginx.org (Alt)
Date: Wed, 02 Aug 2017 19:18:34 -0400
Subject: AW: ERR_SPDY_PROTOCOL_ERROR Nginx !!
In-Reply-To:
References:
Message-ID: <6927540a5d1162fd1ad835c4ccd8cfab.NginxMailingListEnglish@forum.nginx.org>

Lukas, you're of course right! My mistake, I see so many times the
"ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY" error that I forgot there was
another one which is completely different.

Shahzaib, I'm very sorry, I can't help you :-(
As said by Lukas, have you tried others files than the mp4 we see in your
capture? Like images or just plain text. And also have you tried compiling
nginx without "--with-http_mp4_module"?

Best Regards

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275776,275828#msg-275828

From leeon2013 at gmail.com Thu Aug 3 01:15:31 2017
From: leeon2013 at gmail.com (David Woodstuck)
Date: Wed, 2 Aug 2017 21:15:31 -0400
Subject: =?UTF-8?Q?Re=3A_=E7=AD=94=E5=A4=8D=3A_Building_Nginx_from_source_for_Windo?= =?UTF-8?Q?ws?=
In-Reply-To: <94b7e500289340cb8144749629e1f8f1HKNPR04MB17466C25AD0B0E27E894FCAFDAB00@HKNPR04MB1746.apcprd04.prod.outlook.com>
References: <94b7e500289340cb8144749629e1f8f1HKNPR04MB17466C25AD0B0E27E894FCAFDAB00@HKNPR04MB1746.apcprd04.prod.outlook.com>
Message-ID:

If I build Nginx by following instructions on
http://nginx.org/en/docs/howto_build_on_win32.html on one Window machine,
Can I copy it on this machine and paste it on another Window machine and use
it?

Thanks,

David

On Wed, Aug 2, 2017 at 1:05 AM, ?? wrote:

> Hello,
>
> The binary program built for Linux can't run directly on Windows.And the
> source of nginx is called a 'tarball',whose file structure is fit for
> Linux.To build it,you need Linux build tool chains.
>
> The best solution is Cygwin,which is a program that allow you to use POSIX
> programs on Windows.Or if you use Windows10(Build 14393 and higher),you can
> consider to use Linux Subsystem On Windows.
>
> ------------------------------
> From: nginx on behalf of David Woodstuck <leeon2013 at gmail.com>
> Sent: 2 August 2017 12:35:45
> To: nginx at nginx.org
> Subject: Building Nginx from source for Windows
>
> I have two questions:
>
> 1. How do I build Nginx from source for Windows?
>
> 2. If I can build Nginx from source for one Window OS, can I copy Nginx
> into another Windows?
>
> 3. I have already build Nginx from for Linux because I need this module -
> https://github.com/yaoweibin/ngx_http_substitutions_filter_module. The
> build processs is the same for Linux and Windows(http://nginx.org/en/docs/configure.html).
>
> Thanks,
>
> David

From i at zby.io Thu Aug 3 04:41:26 2017
From: i at zby.io (=?gb2312?B?y8TP0g==?=)
Date: Thu, 3 Aug 2017 04:41:26 +0000
Subject: =?UTF-8?B?562U5aSNOiDnrZTlpI06IEJ1aWxkaW5nIE5naW54IGZyb20gc291cmNlIGZvciBX?= =?UTF-8?B?aW5kb3dz?=
In-Reply-To:
References: <94b7e500289340cb8144749629e1f8f1HKNPR04MB17466C25AD0B0E27E894FCAFDAB00@HKNPR04MB1746.apcprd04.prod.outlook.com>,
Message-ID:

Hello,

It's no problem,like any other program built on Windows.

From francis at daoine.org Thu Aug 3 07:27:20 2017
From: francis at daoine.org (Francis Daly)
Date: Thu, 3 Aug 2017 08:27:20 +0100
Subject: ERR_SPDY_PROTOCOL_ERROR Nginx !!
In-Reply-To:
References: <20170801123923.GZ365@daoine.org> <20170802071305.GA365@daoine.org>
Message-ID: <20170803072720.GB365@daoine.org>

On Wed, Aug 02, 2017 at 01:17:06PM +0500, shahzaib mushtaq wrote:

Hi there,

> Thanks for response well i've tried lot more things, updated FreeBsd,
> updated openssl but issue is still there. Do you think is there any
> possibility it is linked with Nginx ?

You have one client that reports an error message.

What are the specific circumstances under which that version of that
client can report that error message? That information may give a hint
as to where the problem is.

Is the problem repeatable?
As in: if you do a fresh install with no
historical information of the client browser (a new "profile" or under
a new user account), do you see the same behaviour?

In a later mail, you suggest that you have two test nginx instances,
and one client reports the error against one instance and not against
the other.

"nginx -V" on each could be used to identify any differences in the
compile-time settings. "nginx -T" on each could be used to identify any
difference in the run-time configuration.

> https://pastebin.com/gaVWfWJv
>
> >>There is more than one version of google chrome. Some web reports suggest
> that SPDY support was going to be removed in version 51.
>
> Chrome version is 64 latest which has removed spdy and supports HTTP2 i
> guess.

As far as I know, there are about half a dozen "latest" versions of
Google Chrome, and none of them are version 64 currently.

If you ask for help in a Google Chrome mailing list, you may want to
provide the specific version number there to allow them to identify what
exactly you are running.

Good luck with it,

f
--
Francis Daly francis at daoine.org

From shahzaib.cb at gmail.com Thu Aug 3 16:13:42 2017
From: shahzaib.cb at gmail.com (shahzaib mushtaq)
Date: Thu, 3 Aug 2017 21:13:42 +0500
Subject: ERR_SPDY_PROTOCOL_ERROR Nginx !!
In-Reply-To: <20170803072720.GB365@daoine.org>
References: <20170801123923.GZ365@daoine.org> <20170802071305.GA365@daoine.org> <20170803072720.GB365@daoine.org>
Message-ID:

Hi,

>>As far as I know, there are about half a dozen "latest" versions of
Google Chrome, and none of them are version 64 currently.

Your're right sorry, the version latest is 60.

>>You have one client that reports an error message.What are the specific
circumstances under which that version of that
client can report that error message? That information may give a hint
as to where the problem is.

Well, i can generate this issue without a problem all i've to do is create
a test.html page, put 5 x static video links (our server http2 mp4 video
links) and play them simultaneously. For the first request they'll start
playing with *200* status in inspect element under *Network *tab but for
further chunk requests from chrome, it'll stuck in *pending *and under *Console
*tab spdy error will start to occur. Once i've disabled HTTP2 that issue
is gone but 'pending' status issue still was there which i think is linked
with my below issue :

----------------------------------------------------------------------------

Now we think there's issue with one SSL certificate which we renewed
recently. Our server has actually two different domain SSL certificates
configured on same ip;

*.mydomain.com
*.yourdomain.com (*Renewed*)

We've configured both these certificates vhosts in
/usr/local/etc/nginx/vhosts/ directory. After installing certificate we
tested it with sslshopper and both were installed properly (CN,
Intermediate Chain etc were properly listed for each).

Now here is the twist comes. Recently we've renewed the SSL certificate
for **.yourdomain.com * from *Godaddy *and after
that sslshopper shows correct CN and intermediate chain for new certificate
(*.yourdomain.com) but openssl is showing the CN of *.yourdomain.com as
of *.mydomain.com.

I repeat SSLshopper and SSLLabs shows proper CN (common name) but if i use
openssl command to verify it :

[root at cw012 /usr/ports/security/ca_root_nss]# openssl s_client -connect s4.yourdomain.com:443 |head -30
depth=2 C = US, O = GeoTrust Inc., OU = (c) 2008 GeoTrust Inc. - For authorized use only, CN = GeoTrust Primary Certification Authority - G3
verify return:1
s_cli
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G2
verify return:1
head
depth=0 CN = **.mydomain.com *

Here you can see that CN is *.mydomain.com instead of *.yourdomain.com.

==============================================

Now for testing i had disabled vhost for yourdomain.com and used only
single mydomain.com after which requests for serving files improved
drastically before that, if we would had hit a page, it'll first go to
'pending' status in chrome inspect element and after few time it'll show
200 status but now it goes directly to 200 status.

I'm really confused on what's happening right now but if someone has faced
this experience before please let me know, on first i thought there could
be nginx config issue but the problem is SSLshopper and ssllabs are showing
proper CName so now i think maybe its related to chrome

Thanks for your help.
Shahzaib

From shahzaib.cb at gmail.com Thu Aug 3 21:01:28 2017
From: shahzaib.cb at gmail.com (shahzaib mushtaq)
Date: Fri, 4 Aug 2017 02:01:28 +0500
Subject: ERR_SPDY_PROTOCOL_ERROR Nginx !!
In-Reply-To:
References: <20170801123923.GZ365@daoine.org> <20170802071305.GA365@daoine.org> <20170803072720.GB365@daoine.org>
Message-ID:

Update:

Now i removed vhost for mydomain.com and yourdomain.com is now showing
correct Common name. So there's some kind of overlapping in vhosts.

From shahzaib.cb at gmail.com Thu Aug 3 21:12:14 2017
From: shahzaib.cb at gmail.com (shahzaib mushtaq)
Date: Fri, 4 Aug 2017 02:12:14 +0500
Subject: ERR_SPDY_PROTOCOL_ERROR Nginx !!
In-Reply-To:
References: <20170801123923.GZ365@daoine.org> <20170802071305.GA365@daoine.org> <20170803072720.GB365@daoine.org>
Message-ID:

I've noticed that its related to the orders of virtual host files. For
example if vhost of mydomain.com comes first than yourdomain.com then SSL
CN (common name) for both domains will be *.mydomain.com.

And if vhost of yourdomain.com comes before than mydomain.com then common
name for both domains is yourdomain.com .

From gfrankliu at gmail.com Fri Aug 4 05:28:41 2017
From: gfrankliu at gmail.com (Frank Liu)
Date: Thu, 3 Aug 2017 22:28:41 -0700
Subject: HTTP/405
Message-ID:

https://tools.ietf.org/html/rfc7231#page-59 says:

... The origin server MUST generate an
Allow header field in a 405 response containing a list of the target
resource's currently supported methods.

nginx doesn't seem to have Allow header field. Is that against RFC?

curl -v -X TRACE http://nginx.org
* Rebuilt URL to: http://nginx.org/
* Trying 95.211.80.227...
* TCP_NODELAY set
* Connected to nginx.org (95.211.80.227) port 80 (#0)
> TRACE / HTTP/1.1
> Host: nginx.org
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 405 Not Allowed
< Server: nginx/1.13.3
< Date: Fri, 04 Aug 2017 05:25:26 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 173
< Connection: close
<
405 Not Allowed
405 Not Allowed
nginx/1.13.3
* Closing connection 0

From reallfqq-nginx at yahoo.fr Fri Aug 4 10:46:07 2017
From: reallfqq-nginx at yahoo.fr (B.R.)
Date: Fri, 4 Aug 2017 12:46:07 +0200
Subject: HTTP/405
In-Reply-To:
References:
Message-ID:

How was that 405 generated? Show used configuration please.
---
*B. R.*

From vbart at nginx.com Fri Aug 4 11:05:56 2017
From: vbart at nginx.com (Valentin V. Bartenev)
Date: Fri, 04 Aug 2017 14:05:56 +0300
Subject: HTTP/405
In-Reply-To:
References:
Message-ID: <3810185.yKh45WF1ox@vbart-laptop>

On Thursday 03 August 2017 22:28:41 Frank Liu wrote:
> https://tools.ietf.org/html/rfc7231#page-59 says:
>
> ... The origin server MUST generate an
> Allow header field in a 405 response containing a list of the target
> resource's currently supported methods.
>
> nginx doesn't seem to have Allow header field. Is that against RFC?
>

Please, look at the explanations in https://trac.nginx.org/nginx/ticket/1161

wbr, Valentin V. Bartenev

From leeon2013 at gmail.com Fri Aug 4 11:10:00 2017
From: leeon2013 at gmail.com (David Woodstuck)
Date: Fri, 4 Aug 2017 07:10:00 -0400
Subject: =?UTF-8?B?UmU6IOetlOWkjTog562U5aSNOiBCdWlsZGluZyBOZ2lueCBmcm9tIHNvdXJjZSBm?= =?UTF-8?B?b3IgV2luZG93cw==?=
In-Reply-To:
References: <94b7e500289340cb8144749629e1f8f1HKNPR04MB17466C25AD0B0E27E894FCAFDAB00@HKNPR04MB1746.apcprd04.prod.outlook.com>
Message-ID:

I followed instruction on http://nginx.org/en/docs/howto_build_on_win32.html.
Once I run "nmake -f objs/Makefile", I got the following error:

$ nmake -f objs/Makefile

Microsoft (R) Program Maintenance Utility Version 14.00.24210.0
Copyright (C) Microsoft Corporation. All rights reserved.

"c:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\bin\nmake.exe" - f auto/lib/pcre/makefile.msvc PCRE="objs/lib/pcre-8.40" pcre.h

Microsoft (R) Program Maintenance Utility Version 14.00.24210.0
Copyright (C) Microsoft Corporation. All rights reserved.

cd objs/lib/pcre-8.40
NMAKE : fatal error U1077: 'cd' : return code '0x1'
Stop.
NMAKE : fatal error U1077: '"c:\Program Files (x86)\Microsoft Visual Studio 14.0 \VC\bin\nmake.exe"' : return code '0x2' Stop. Please help me out. David On Thu, Aug 3, 2017 at 12:41 AM, ?? wrote: > Hello, > > It's no problem,like any other program built on Windows. > ------------------------------ > *???:* nginx ?? David Woodstuck < > leeon2013 at gmail.com> > *????:* 2017?8?3? 9:15:31 > *???:* nginx at nginx.org > *??:* Re: ??: Building Nginx from source for Windows > > If I build Nginx by following instructions on http://nginx.org/en/docs/ > howto_build_on_win32.html on one Window machine, Can I copy it on this > machine and paste it on another Window machine and use it? > > Thanks, > > David > > On Wed, Aug 2, 2017 at 1:05 AM, ?? wrote: > >> Hello, >> >> The binary program built for Linux can't run directly on Windows.And the >> source of nginx is called a 'tarball',whose file structure is fit for >> Linux.To build it,you need Linux build tool chains. >> >> The best solution is Cygwin,which is a program that allow you to use >> POSIX programs on Windows.Or if you use Windows10(Build 14393 and >> higher),you can consider to use Linux Subsystem On Windows. >> >> >> ------------------------------ >> *???:* nginx ?? David Woodstuck < >> leeon2013 at gmail.com> >> *????:* 2017?8?2? 12:35:45 >> *???:* nginx at nginx.org >> *??:* Building Nginx from source for Windows >> >> I have two questions: >> >> 1. How do I build Nginx from source for Windows? >> >> 2. If I can build Nginx from source for one Window OS, can I copy Nginx >> into another Windows? >> >> 3. I have already build Nginx from for Linux because I need this module - >> https://github.com/yaoweibin/ngx_http_substitutions_filter_module. The >> build processs is the same for Linux and Windows(http://nginx.org/en/do >> cs/configure.html). >> Building nginx from Sources >> nginx.org >> Building nginx from Sources. The build is configured using the configure >> command. 
It defines various aspects of the system, including the methods >> nginx is allowed to ... >> >> >> GitHub - yaoweibin/ngx_http_substitutions_filter_module: a ... >> >> github.com >> ngx_http_substitutions_filter_module - a filter module which can do both >> regular expression and fixed string substitutions for nginx >> >> >> >> Thanks, >> >> David >> >> _______________________________________________ >> nginx mailing list >> nginx at nginx.org >> http://mailman.nginx.org/mailman/listinfo/nginx >> > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From shahzaib.cb at gmail.com Fri Aug 4 11:13:26 2017 From: shahzaib.cb at gmail.com (shahzaib mushtaq) Date: Fri, 4 Aug 2017 16:13:26 +0500 Subject: ERR_SPDY_PROTOCOL_ERROR Nginx !! In-Reply-To: References: <20170801123923.GZ365@daoine.org> <20170802071305.GA365@daoine.org> <20170803072720.GB365@daoine.org> Message-ID: Hi, Guys is there anything i am missing with SSL for multiple vhosts due to which the vhost Order is overlapping the other one ? Shahzaib On Fri, Aug 4, 2017 at 2:12 AM, shahzaib mushtaq wrote: > I've noticed that its related to the orders of virtual host files. For > example if vhost of mydomain.com comes first than yourdomain.com then SSL > CN (common name) for both domains will be *.mydomain.com. > > And if vhost of yourdomain.com comes before than mydomain.com then common > name for both domains is yourdomain.com . > > > > On Fri, Aug 4, 2017 at 2:01 AM, shahzaib mushtaq > wrote: > >> Update: >> >> Now i removed vhost for mydomain.com and yourdomain.com is now showing >> correct Common name. So there's some kind of overlapping in vhosts. >> >> >> >> Virus-free. 
>> www.avast.com >> >> <#m_6887420271712490320_m_-2776267015937845177_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2> >> >> On Thu, Aug 3, 2017 at 9:13 PM, shahzaib mushtaq >> wrote: >> >>> Hi, >>> >>> >>As far as I know, there are about half a dozen "latest" versions of >>> Google Chrome, and none of them are version 64 currently. >>> >>> Your're right sorry, the version latest is 60. >>> >>> >>> >>You have one client that reports an error message.What are the >>> specific circumstances under which that version of that >>> client can report that error message? That information may give a hint >>> as to where the problem is. >>> >>> Well, i can generate this issue without a problem all i've to do is >>> create a test.html page, put 5 x static video links (our server http2 mp4 >>> video links) and play them simultaneously. For the first request they'll >>> start playing with *200* status in inspect element under *Network *tab >>> but for further chunk requests from chrome, it'll stuck in *pending *and >>> under *Console *tab spdy error will start to occur. Once i've disabled >>> HTTP2 that issue is gone but 'pending' status issue still was there which i >>> think is linked with my below issue : >>> >>> ------------------------------------------------------------ >>> ---------------- >>> >>> Now we think there's issue with one SSL certificate which we renewed >>> recently. Our server has actually two different domain SSL certificates >>> configured on same ip; >>> >>> *.mydomain.com >>> *.yourdomain.com (*Renewed*) >>> >>> We've configured both these certificates vhosts in >>> /usr/local/etc/nginx/vhosts/ directory. After installing certificate we >>> tested it with sslshopper and both were installed properly (CN, >>> Intermediate Chain etc were properly listed for each). >>> >>> Now here is the twist comes. 
Recently we've renewed the SSL certificate >>> for **.yourdomain.com * from *Godaddy *and after >>> that sslshopper shows correct CN and intermediate chain for new certificate >>> (*.yourdomain.com) but openssl is showing the CN of *.yourdomain.com as >>> of *.mydomain.com. >>> >>> I repeat SSLshopper and SSLLabs shows proper CN (common name) but if i >>> use openssl command to verify it : >>> >>> [root at cw012 /usr/ports/security/ca_root_nss]# openssl s_client >>> -connect s4.yourdomain.com:443 |head -30depth=2 C = US, O = GeoTrust >>> Inc., OU = (c) 2008 GeoTrust Inc. - For authorized use only, CN = GeoTrust >>> Primary Certification Authority - G3verify return:1s_clidepth=1 C = US, O = >>> GeoTrust Inc., CN = RapidSSL SHA256 CA - G2verify return:1head depth=0 CN = **.mydomain.com >>> * >>> >>> Here you can see that CN is *.mydomain.com instead of *.yourdomain.com. >>> >>> ============================================== >>> >>> Now for testing i had disabled vhost for yourdomain.com and used only >>> single mydomain.com after which requests for serving files improved >>> drastically before that, if we would had hit a page, it'll first go to >>> 'pending' status in chrome inspect element and after few time it'll show >>> 200 status but now it goes directly to 200 status. >>> >>> I'm really confused on what's happening right now but if someone has >>> faced this experience before please let me know, on first i thought there >>> could be nginx config issue but the problem is SSLshopper and ssllabs are >>> showing proper CName so now i think maybe its related to chrome >>> >>> >>> Thanks for your help. >>> Shahzaib >>> >>> >>> Virus-free. 
>>> www.avast.com >>> >>> <#m_6887420271712490320_m_-2776267015937845177_m_1565204697939808308_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2> >>> >>> On Thu, Aug 3, 2017 at 12:27 PM, Francis Daly >>> wrote: >>> >>>> On Wed, Aug 02, 2017 at 01:17:06PM +0500, shahzaib mushtaq wrote: >>>> >>>> Hi there, >>>> >>>> > Thanks for response well i've tried lot more things, updated FreeBsd, >>>> > updated openssl but issue is still there. Do you think is there any >>>> > possibility it is linked with Nginx ? >>>> >>>> You have one client that reports an error message. >>>> >>>> What are the specific circumstances under which that version of that >>>> client can report that error message? That information may give a hint >>>> as to where the problem is. >>>> >>>> Is the problem repeatable? As in: if you do a fresh install with no >>>> historical information of the client browser (a new "profile" or under >>>> a new user account), do you see the same behaviour? >>>> >>>> In a later mail, you suggest that you have two test nginx instances, >>>> and one client reports the error against one instance and not against >>>> the other. >>>> >>>> "nginx -V" on each could be used to identify any differences in the >>>> compile-time settings. "nginx -T" on each could be used to identify any >>>> difference in the run-time configuration. >>>> >>>> > https://pastebin.com/gaVWfWJv >>>> > >>>> > >>There is more than one version of google chrome. Some web reports >>>> suggest >>>> > that SPDY support was going to be removed in version 51. >>>> > >>>> > Chrome version is 64 latest which has removed spdy and supports HTTP2 >>>> i >>>> > guess. >>>> >>>> As far as I know, there are about half a dozen "latest" versions of >>>> Google Chrome, and none of them are version 64 currently. >>>> >>>> If you ask for help in a Google Chrome mailing list, you may want to >>>> provide the specific version number there to allow them to identify what >>>> exactly you are running. 
>>>>
>>>> Good luck with it,
>>>>
>>>> f
>>>> --
>>>> Francis Daly francis at daoine.org

From nginx-forum at forum.nginx.org Fri Aug 4 12:39:55 2017
From: nginx-forum at forum.nginx.org (Olaf van der Spek)
Date: Fri, 04 Aug 2017 08:39:55 -0400
Subject: Multiple certificates in one server block?
Message-ID: <8afd70a512f7b220f48caaaa91d29c1d.NginxMailingListEnglish@forum.nginx.org>

How do I set multiple certificates (for different names) in a single server block?
I can easily set multiple server_names but there seems no way to set multiple certificates..
Is the only way to have all names in a single certificate? If so, is this an nginx, an openssl or a TLS limitation?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275855,275855#msg-275855

From jeff.dyke at gmail.com Fri Aug 4 13:33:20 2017
From: jeff.dyke at gmail.com (Jeff Dyke)
Date: Fri, 4 Aug 2017 09:33:20 -0400
Subject: Multiple certificates in one server block?
In-Reply-To: <8afd70a512f7b220f48caaaa91d29c1d.NginxMailingListEnglish@forum.nginx.org>
References: <8afd70a512f7b220f48caaaa91d29c1d.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

I assume you have some sort of UCC certificate, if so you should be able to use it with multiple server_names, but having multiple ssl_certificates in a single server block is a limitation of nginx from what I understand. Most relevant information is here: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate, as there are too many questions regarding your certs, if you use SNI etc.

HTH

On Fri, Aug 4, 2017 at 8:39 AM, Olaf van der Spek <nginx-forum at forum.nginx.org> wrote:

> How do I set multiple certificates (for different names) in a single server
> block?
> I can easily set multiple server_names but there seems no way to set
> multiple certificates..
> Is the only way to have all names in a single certificate? If so, is this
> an
> nginx, an openssl or a TLS limitation?
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275855,275855#msg-275855

From nginx-forum at forum.nginx.org Fri Aug 4 13:36:32 2017
From: nginx-forum at forum.nginx.org (Olaf van der Spek)
Date: Fri, 04 Aug 2017 09:36:32 -0400
Subject: Multiple certificates in one server block?
In-Reply-To:
References:
Message-ID: <881064426ab1a93c76e0b704e700f343.NginxMailingListEnglish@forum.nginx.org>

I'm using letsencrypt and have multiple certs with a single name in them..
If I had one cert with multiple names we'd not be having this problem.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275855,275858#msg-275858

From jim at mailman-hosting.com Fri Aug 4 13:40:45 2017
From: jim at mailman-hosting.com (Jim Ohlstein)
Date: Fri, 4 Aug 2017 09:40:45 -0400
Subject: Multiple certificates in one server block?
In-Reply-To: <881064426ab1a93c76e0b704e700f343.NginxMailingListEnglish@forum.nginx.org>
References: <881064426ab1a93c76e0b704e700f343.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <0c9d6c1b-40df-f072-f192-f883dc296b6f@mailman-hosting.com>

Hello,

On 08/04/2017 09:36 AM, Olaf van der Spek wrote:
> I'm using letsencrypt and have multiple certs with a single name in them..
> If I had one cert with multiple names we'd not be having this problem.
>

Letsencrypt allows multiple domain names in the same certificate.

As for nginx, it allows multiple certificate definitions if say you have both an ECDSA certificate and a RSA certificate. The only time I've done that is when the domain names matched in the two.

--
Jim Ohlstein
Professional Mailman Hosting
https://mailman-hosting.com

From jeff.dyke at gmail.com Fri Aug 4 13:45:39 2017
From: jeff.dyke at gmail.com (Jeff Dyke)
Date: Fri, 4 Aug 2017 09:45:39 -0400
Subject: Multiple certificates in one server block?
In-Reply-To: <0c9d6c1b-40df-f072-f192-f883dc296b6f@mailman-hosting.com>
References: <881064426ab1a93c76e0b704e700f343.NginxMailingListEnglish@forum.nginx.org> <0c9d6c1b-40df-f072-f192-f883dc296b6f@mailman-hosting.com>
Message-ID:

Jim is correct, letsencrypt supports that ....wow, sorry for trying to help, that was a bit caustic, that information would be helpful in the original question.

Enjoy the weekend.

On Fri, Aug 4, 2017 at 9:40 AM, Jim Ohlstein wrote:

> Hello,
>
> On 08/04/2017 09:36 AM, Olaf van der Spek wrote:
> > I'm using letsencrypt and have multiple certs with a single name in
> them..
> > If I had one cert with multiple names we'd not be having this problem.
> >
>
> Letsencrypt allows multiple domain names in the same certificate.
>
> As for nginx, it allows multiple certificate definitions if say you have
> both an ECDSA certificate and a RSA certificate. The only time I've done
> that is when the domain names matched in the two.
>
> --
> Jim Ohlstein
> Professional Mailman Hosting
> https://mailman-hosting.com

From nginx-forum at forum.nginx.org Fri Aug 4 13:47:16 2017
From: nginx-forum at forum.nginx.org (Olaf van der Spek)
Date: Fri, 04 Aug 2017 09:47:16 -0400
Subject: Multiple certificates in one server block?
In-Reply-To: <0c9d6c1b-40df-f072-f192-f883dc296b6f@mailman-hosting.com>
References: <0c9d6c1b-40df-f072-f192-f883dc296b6f@mailman-hosting.com>
Message-ID: <9975519b1b08c0e59ebc6fde65a8c4c5.NginxMailingListEnglish@forum.nginx.org>

Jim Ohlstein Wrote:
> Letsencrypt allows multiple domain names in the same certificate.

I know, just wondering if nginx supported multiple certs per server.

My problem: I've got multiple servers and I'd like the servers to be accessible via the common name (ex.com) and via their dedicated name (a.ex.com, b.ex.com, etc).
How do I do this with letsencrypt? If I use certbot the verification request might / will be served by another host and will thus fail.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275855,275860#msg-275860

From shahzaib.cb at gmail.com Fri Aug 4 13:55:19 2017
From: shahzaib.cb at gmail.com (shahzaib mushtaq)
Date: Fri, 4 Aug 2017 18:55:19 +0500
Subject: SSL Multiple Vhost Overlapping common name [CN]
Message-ID:

Hi,

Our Nginx server is configured with two different domain SSL certificates configured on the same IP:

*.mydomain.com
*.yourdomain.com (Renewed)

We've configured both these certificates' vhosts in the /usr/local/etc/nginx/vhosts/ directory. After installing the certificates we tested with sslshopper and both were installed properly (CN, Intermediate Chain etc. were properly listed for each).

Now here comes the confusing part. Recently we've renewed the SSL certificate for *.yourdomain.com from Godaddy and after installing it sslshopper shows the correct CN and intermediate chain for the new certificate (*.yourdomain.com) but openssl shows its CN as *.mydomain.com instead of *.yourdomain.com.

I repeat, SSLshopper and SSLLabs show the proper CN (common name) but if I use the openssl command to verify it:

[root at cw012 /usr/ports/security/ca_root_nss]# openssl s_client -connect s4.yourdomain.com:443 |head -30
depth=2 C = US, O = GeoTrust Inc., OU = (c) 2008 GeoTrust Inc. - For authorized use only, CN = GeoTrust Primary Certification Authority - G3
verify return:1
s_clidepth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G2
verify return:1
head depth=0 CN = *.mydomain.com

Here you can see that the CN is *.mydomain.com instead of *.yourdomain.com.

We were also seeing so much delay in serving the requests but once we disabled one of the vhosts, the CN started to show correct domains and performance was improved drastically.

To test it further with nginx we had reversed the order of virtual hosts and moved the virtualhost of yourdomain.com above mydomain.com and now the CN for both (mydomain.com and yourdomain.com) is showing *.yourdomain.com.

So we concluded that it's due to the order of the virtual hosts: the vhost which comes before will overlap the CN for all other domains coming beneath it. Is there any way to get this fixed?

Here is the configuration of vhosts:

server {
    listen 443 ;
    ssl on;
    server_name s4.mydomain.com;
    ssl_certificate /etc/ssl/certs/mydomain/mydomain-combined.crt;
    ssl_certificate_key /etc/ssl/certs/mydomain/mydomain.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
    ssl_prefer_server_ciphers on;

    location / {
        root /yourdomain;
        index index.html index.htm index.php;
    }
}

server {
    listen 443 ;
    ssl on;
    server_name s4.yourdomain.com;
    ssl_certificate /etc/ssl/certs/yourdomain/yourdomain-combined.crt;
    ssl_certificate_key /etc/ssl/certs/yourdomain/yourdomain.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
    ssl_prefer_server_ciphers on;

    location / {
        root /yourdomain;
        index index.html index.htm index.php;
    }
}

Any advice will be very much appreciated.

Thanks.
Shahzaib

From cooley.josh at gmail.com Fri Aug 4 14:03:22 2017
From: cooley.josh at gmail.com (Joshua Cooley)
Date: Fri, 4 Aug 2017 09:03:22 -0500
Subject: SSL Multiple Vhost Overlapping common name [CN]
In-Reply-To:
References:
Message-ID:

You'll need to pass the servername parameter for openssl s_client to pass the SNI, e.g.

openssl s_client -servername s4.yourdomain.com -connect s4.yourdomain.com:443

-------------- next part --------------
An HTML attachment was scrubbed...
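The behaviour discussed in this thread, as an added example that is not part of any post and is not nginx code: a Go TLS listener holds two certificates on one port, and servedCN reports which CN a client receives with and without SNI. The first-entry fallback in pick models nginx's default server for a listen socket when no server is marked default_server; the hostnames come from the thread, the names vhost, selfSigned, pick and servedCN are hypothetical, and the certificates are throwaway self-signed ones.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// vhost pairs a server_name with the certificate configured beside it.
type vhost struct {
	serverName string
	cert       tls.Certificate
}

// selfSigned builds a throwaway certificate (constructed test data) for cn.
func selfSigned(cn string, serial int64) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// pick returns the certificate of the vhost whose server_name equals the SNI
// name; with no SNI or no match it falls back to the first vhost in the list.
func pick(vhosts []vhost, sni string) *tls.Certificate {
	for i := range vhosts {
		if sni != "" && sni == vhosts[i].serverName {
			return &vhosts[i].cert
		}
	}
	return &vhosts[0].cert
}

// servedCN sets up one vhost s4.<domain> with a *.<domain> certificate per
// entry of domains (config order), connects once over loopback with the given
// SNI name ("" sends none) and returns the CN of the certificate served.
func servedCN(domains []string, sni string) (string, error) {
	if len(domains) == 0 {
		return "", fmt.Errorf("no vhosts configured")
	}
	var vhosts []vhost
	for i, d := range domains {
		cert, err := selfSigned("*."+d, int64(i+1))
		if err != nil {
			return "", err
		}
		vhosts = append(vhosts, vhost{"s4." + d, cert})
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			return pick(vhosts, h.ServerName), nil
		},
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // serve exactly one handshake, then hang up
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return "", err
	}
	defer raw.Close()
	// Verification is off only to inspect self-signed fixtures, as s_client does.
	c := tls.Client(raw, &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	if err := c.Handshake(); err != nil {
		return "", err
	}
	return c.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	for _, sni := range []string{"", "s4.yourdomain.com"} {
		cn, err := servedCN([]string{"mydomain.com", "yourdomain.com"}, sni)
		fmt.Printf("SNI=%q -> CN=%q err=%v\n", sni, cn, err)
	}
}
```

A client that sends no SNI always sees the certificate of whichever vhost is first, so a certificate check against a name-based TLS host has to send the server name to test the right certificate.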
From gfrankliu at gmail.com Fri Aug 4 16:38:50 2017
From: gfrankliu at gmail.com (Frank Liu)
Date: Fri, 4 Aug 2017 09:38:50 -0700
Subject: HTTP/405
In-Reply-To:
References:
Message-ID:

B.R.

If you read my original post carefully, you will see the test was against http://nginx.org and I certainly don't have their configuration, but you can run the same curl test against your own nginx server and get the same result.

On Fri, Aug 4, 2017 at 3:46 AM, B.R. via nginx wrote:

> How was that 405 generated?
> Show used configuration please.
> ---
> *B. R.*
>
> On Fri, Aug 4, 2017 at 7:28 AM, Frank Liu wrote:
>
>> https://tools.ietf.org/html/rfc7231#page-59 says:
>>
>> ... The origin server MUST generate an
>> Allow header field in a 405 response containing a list of the target
>> resource's currently supported methods.
>>
>> nginx doesn't seem to have Allow header field. Is that against RFC?
>>
>> curl -v -X TRACE http://nginx.org
>> * Rebuilt URL to: http://nginx.org/
>> * Trying 95.211.80.227...
>> * TCP_NODELAY set
>> * Connected to nginx.org (95.211.80.227) port 80 (#0)
>> > TRACE / HTTP/1.1
>> > Host: nginx.org
>> > User-Agent: curl/7.54.0
>> > Accept: */*
>> >
>> < HTTP/1.1 405 Not Allowed
>> < Server: nginx/1.13.3
>> < Date: Fri, 04 Aug 2017 05:25:26 GMT
>> < Content-Type: text/html; charset=utf-8
>> < Content-Length: 173
>> < Connection: close
>> <
>>
>> 405 Not Allowed
>>
>>

405 Not Allowed

>>
nginx/1.13.3
>> >> >> * Closing connection 0 >> >> _______________________________________________ >> nginx mailing list >> nginx at nginx.org >> http://mailman.nginx.org/mailman/listinfo/nginx >> > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From gfrankliu at gmail.com Fri Aug 4 16:42:42 2017 From: gfrankliu at gmail.com (Frank Liu) Date: Fri, 4 Aug 2017 09:42:42 -0700 Subject: HTTP/405 In-Reply-To: <3810185.yKh45WF1ox@vbart-laptop> References: <3810185.yKh45WF1ox@vbart-laptop> Message-ID: Valentin, I checked the trac and basically it says very complicated to properly implement. When I try the same curl against apache.org, they just return a blank Allow header to compliant RFC. Maybe nginx can do the same? curl -v -X TRACE http://apache.org * Rebuilt URL to: http://apache.org/ * Trying 140.211.11.105... * TCP_NODELAY set * Connected to apache.org (140.211.11.105) port 80 (#0) > TRACE / HTTP/1.1 > Host: apache.org > User-Agent: curl/7.54.0 > Accept: */* > < HTTP/1.1 405 Method Not Allowed < Date: Fri, 04 Aug 2017 16:38:42 GMT < Server: Apache/2.4.7 (Ubuntu) < Allow: < Content-Length: 223 < Content-Type: text/html; charset=iso-8859-1 < 405 Method Not Allowed

Method Not Allowed

The requested method TRACE is not allowed for the URL /.

* Connection #0 to host apache.org left intact

On Fri, Aug 4, 2017 at 4:05 AM, Valentin V. Bartenev wrote:

> On Thursday 03 August 2017 22:28:41 Frank Liu wrote:
> > https://tools.ietf.org/html/rfc7231#page-59 says:
> >
> > ... The origin server MUST generate an
> > Allow header field in a 405 response containing a list of the target
> > resource's currently supported methods.
> >
> > nginx doesn't seem to have Allow header field. Is that against RFC?
> >
>
> Please, look at the explanations in https://trac.nginx.org/nginx/ticket/1161
>
> wbr, Valentin V. Bartenev

From vbart at nginx.com Fri Aug 4 17:36:01 2017
From: vbart at nginx.com (Valentin V. Bartenev)
Date: Fri, 04 Aug 2017 20:36:01 +0300
Subject: HTTP/405
In-Reply-To:
References: <3810185.yKh45WF1ox@vbart-laptop>
Message-ID: <3074764.ORdvKzBldl@vbart-workstation>

On Friday 04 August 2017 09:42:42 Frank Liu wrote:
> Valentin,
>
> I checked the trac and basically it says very complicated to properly
> implement. When I try the same curl against apache.org, they just return a
> blank Allow header to compliant RFC. Maybe nginx can do the same?
>
[..]

Why should nginx do the same? Is there any real problem with that?

According to RFC:

| An empty Allow field value indicates that the resource allows no methods,
| which might occur in a 405 response if the resource has been temporarily
| disabled by configuration.

that, as you know, isn't the case for apache.org. So, such behavior can only mislead a client.

Unfortunately, the real world is sometimes a bit different from the theory of RFC authors. Strictly and blindly following the RFC is fine for academic purposes, but doesn't always work for real world applications. It's definitely not a goal you should achieve at any price.

wbr, Valentin V. Bartenev

From tkadm30 at yandex.com Sat Aug 5 15:47:24 2017
From: tkadm30 at yandex.com (Etienne Robillard)
Date: Sat, 5 Aug 2017 11:47:24 -0400
Subject: Problem with uWSGI and PATH_INFO
In-Reply-To:
References: <3f77e732-0400-9859-5048-8651147da727@yandex.com> <20170727152516.GQ365@daoine.org> <20170728071704.GR365@daoine.org>
Message-ID: <145563a0-795b-1a11-6542-03a72af47f2a@yandex.com>

Hi,

The workaround suggested below is not working. The only case where Django correctly handles uWSGI transport is when PATH_INFO is set to DOCUMENT_URI in uwsgi_params. So can someone please explain how to set uWSGI to run a WSGI app in FastCGI (backward-compatible) mode?

Etienne

On 2017-07-29 at 06:09, Etienne Robillard wrote:
> Hi Francis,
>
>
> On 2017-07-28 at 03:17, Francis Daly wrote:
>>
>> What I meant there was that you could possibly use
>> fastcgi_split_path_info
>> to define how you want your $request_uri to be split into parts for your
>> SCRIPT_NAME and PATH_INFO as uwsgi_param values.
>>
>> So your eventual config could include
>>
>> uwsgi_param SCRIPT_NAME $fastcgi_script_name;
>> uwsgi_param PATH_INFO $fastcgi_path_info;
>>
>> after you have defined the first directive appropriately.
>>
>> It all comes down to: for one specific http request, what values do
>> you want SCRIPT_NAME and PATH_INFO to have when they are sent to the
>> uwsgi upstream?
>>
>>
> I'll try your workaround. I want nginx to manage SCRIPT_NAME and
> PATH_INFO in FastCGI mode, and uWSGI to act as a FastCGI handler.
>
> Etienne
>

--
Etienne Robillard
tkadm30 at yandex.com
http://www.isotopesoftware.ca/

From tkadm30 at yandex.com Sat Aug 5 18:42:11 2017
From: tkadm30 at yandex.com (Etienne Robillard)
Date: Sat, 5 Aug 2017 14:42:11 -0400
Subject: How to disable fastcgi caching for the logged user?
Message-ID:

Hi,

I'm testing an OAuth2 middleware on my python web app and would like to disable fastcgi caching when the fastcgi variable REMOTE_USER is set.

Is there any way of doing this from nginx?

Thanks in advance,

Etienne

--
Etienne Robillard
tkadm30 at yandex.com
http://www.isotopesoftware.ca/

From tkadm30 at yandex.com Sat Aug 5 19:24:28 2017
From: tkadm30 at yandex.com (Etienne Robillard)
Date: Sat, 5 Aug 2017 15:24:28 -0400
Subject: How to disable fastcgi caching for the logged user?
In-Reply-To:
References:
Message-ID: <40bbd9b5-fd2f-f1e2-fbde-e6f27482efb8@yandex.com>

The $http_pragma is not properly defined in http://nginx.org/en/docs/varindex.html

Is that a custom variable or is it defined in nginx?

I was hoping to do something like:

fastcgi_no_cache $http_pragma $remote_user;

What do you think?

E

On 2017-08-05 at 14:42, Etienne Robillard wrote:
> Hi,
>
> I'm testing a OAuth2 middleware on my python web app and would like to
> disable fastcgi caching when the fastcgi variable REMOTE_USER is set.
>
> Is there any ways of doing this from nginx?
>
> Thanks in advance,
>
> Etienne
>
>

--
Etienne Robillard
tkadm30 at yandex.com
http://www.isotopesoftware.ca/

From nginx-forum at forum.nginx.org Sun Aug 6 07:04:35 2017
From: nginx-forum at forum.nginx.org (Michael_Fillios)
Date: Sun, 06 Aug 2017 03:04:35 -0400
Subject: add variable support to proxy_cache_valid directive
Message-ID:

Hello everyone,

I want to use variables in the proxy_cache_valid directive like the syntax below:

set $var10 "10m";
proxy_cache_valid 200 $var10;

but I get the error:

invalid time value

so I tried to tweak a little in the ngx_http_file_cache.c file and I added the following lines:

    ngx_http_complex_value_t          cv;
    ngx_http_compile_complex_value_t  ccv;

    ngx_memzero(&ccv, sizeof(ngx_http_compile_complex_value_t));

    ccv.cf = cf;
    ccv.value = &value[n];
    ccv.complex_value = &cv;

    if (ngx_http_compile_complex_value(&ccv) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

the block after my code is:

    valid = ngx_parse_time(&value[n], 1);
    if (valid == (time_t) NGX_ERROR) {
        ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                           "invalid time value \"%V\"", &value[n]);
        return NGX_CONF_ERROR;
    }

also the output of Nginx -V is:

--with-cc-opt=-O2
--add-module=../ngx_devel_kit-0.3.0
--add-module=../echo-nginx-module-0.60
--add-module=../xss-nginx-module-0.05
--add-module=../ngx_coolkit-0.2rc3
--add-module=../set-misc-nginx-module-0.31
--add-module=../form-input-nginx-module-0.12
--add-module=../encrypted-session-nginx-module-0.06
--add-module=../srcache-nginx-module-0.31
--add-module=../ngx_lua-0.10.8
--add-module=../ngx_lua_upstream-0.06
--add-module=../headers-more-nginx-module-0.32
--add-module=../array-var-nginx-module-0.05
--add-module=../memc-nginx-module-0.18
--add-module=../redis2-nginx-module-0.14
--add-module=../rds-json-nginx-module-0.14
--add-module=../rds-csv-nginx-module-0.07
--with-ld-opt=-Wl,-rpath,/usr/local/openresty/luajit/lib
--sbin-path=/usr/sbin/nginx
--conf-path=etc/nginx.conf
--pid-path=file/nginx.pid
--error-log-path=log/error.log
--http-log-path=log/access.log
--with-http_gunzip_module
--with-http_gzip_static_module
--with-http_ssl_module
--with-http_geoip_module
--with-http_stub_status_module
--with-file-aio
--with-threads
--with-http_v2_module
--with-http_slice_module
--with-http_secure_link_module
--with-pcre-jit
--with-openssl=/root/temp/proxy/source/openssl-1.0.2j
--with-pcre=/root/temp/proxy/source/pcre-8.39
--add-module=/root/temp/proxy/source/ngx_pagespeed-1.11.33.4-stable
--add-module=/root/temp/proxy/source/ngx_cache_purge-2.4.1
--add-module=/root/temp/proxy/source/testcookie-nginx-module
--add-module=/root/temp/proxy/source/nginx-rtmp-module

I'm a newbie in modifying and developing Nginx, so I was wondering if anybody could help me.

With respect.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275874,275874#msg-275874

From francis at daoine.org Sun Aug 6 09:48:57 2017
From: francis at daoine.org (Francis Daly)
Date: Sun, 6 Aug 2017 10:48:57 +0100
Subject: How to disable fastcgi caching for the logged user?
In-Reply-To: <40bbd9b5-fd2f-f1e2-fbde-e6f27482efb8@yandex.com>
References: <40bbd9b5-fd2f-f1e2-fbde-e6f27482efb8@yandex.com>
Message-ID: <20170806094857.GC365@daoine.org>

On Sat, Aug 05, 2017 at 03:24:28PM -0400, Etienne Robillard wrote:

Hi there,

> The $http_pragma is not properly defined in
> http://nginx.org/en/docs/varindex.html

It's the one after "$http2" and before "$https".

> Is that a custom variable or is defined in nginx?

$http_anything is defined in nginx if the incoming request has a header that maps to "anything".

> I was hoping of doing something like:
>
> fastcgi_no_cache $http_pragma $remote_user;
>
> What do you think?

The documentation at http://nginx.org/r/fastcgi_no_cache describes what that directive should do.

You want to disable fastcgi caching when the fastcgi variable REMOTE_USER is set.

Your config presumably includes something like "fastcgi_param REMOTE_USER $something".

In that case, you want "fastcgi_no_cache $something".

Good luck with it,

f
--
Francis Daly francis at daoine.org

From francis at daoine.org Sun Aug 6 09:59:33 2017
From: francis at daoine.org (Francis Daly)
Date: Sun, 6 Aug 2017 10:59:33 +0100
Subject: Problem with uWSGI and PATH_INFO
In-Reply-To: <145563a0-795b-1a11-6542-03a72af47f2a@yandex.com>
References: <3f77e732-0400-9859-5048-8651147da727@yandex.com> <20170727152516.GQ365@daoine.org> <20170728071704.GR365@daoine.org> <145563a0-795b-1a11-6542-03a72af47f2a@yandex.com>
Message-ID: <20170806095933.GD365@daoine.org>

On Sat, Aug 05, 2017 at 11:47:24AM -0400, Etienne Robillard wrote:

Hi there,

> The workaround suggested below is not working.

From the words here, it is not clear to me what specific configuration
you are using.

> The only case where
> Django correctly handle uWSGI transport is when PATH_INFO is set to
> DOCUMENT_URI in uwsgi_params. So can someone please explain how to
> set uWSGI to run a WSGI app in FastCGI (backward-compatible) mode?

I don't know enough about Django to understand that question.

I do know enough about nginx to believe that nginx does not care what
Django does.

The only thing that seems to be missing, from an nginx perspective, is:
what does the uwsgi-server want to receive for this request?

That is:

> >>It all comes down to: for one specific http request, what values do
> >>you want SCRIPT_NAME and PATH_INFO to have when they are sent to the
> >>uwsgi upstream?

If someone will provide one explicit example of what behaviour is wanted,
then it may be clear what the appropriate nginx config for this case is.

Cheers,

	f
--
Francis Daly        francis at daoine.org

From roberto at unbit.it Sun Aug 6 10:28:11 2017
From: roberto at unbit.it (Roberto De Ioris)
Date: Sun, 6 Aug 2017 12:28:11 +0200
Subject: Problem with uWSGI and PATH_INFO
In-Reply-To: <20170806095933.GD365@daoine.org>
References: <3f77e732-0400-9859-5048-8651147da727@yandex.com> <20170727152516.GQ365@daoine.org> <20170728071704.GR365@daoine.org> <145563a0-795b-1a11-6542-03a72af47f2a@yandex.com> <20170806095933.GD365@daoine.org>
Message-ID: <4ca10e3d035ac2d1f33504f095634d5a.squirrel@squirrelmail.unbit.it>

> On Sat, Aug 05, 2017 at 11:47:24AM -0400, Etienne Robillard wrote:
>
> Hi there,
>
>> The workaround suggested below is not working.
>
> From the words here, it is not clear to me what specific configuration
> you are using.
>
>> The only case where
>> Django correctly handle uWSGI transport is when PATH_INFO is set to
>> DOCUMENT_URI in uwsgi_params. So can someone please explain how to
>> set uWSGI to run a WSGI app in FastCGI (backward-compatible) mode?
>
> I don't know enough about Django to understand that question.
>
> I do know enough about nginx to believe that nginx does not care what
> Django does.
>
> The only thing that seems to be missing, from an nginx perspective, is:
> what does the uwsgi-server want to receive for this request?
>
> That is:
>
>> >>It all comes down to: for one specific http request, what values do
>> >>you want SCRIPT_NAME and PATH_INFO to have when they are sent to the
>> >>uwsgi upstream?
>
> If someone will provide one explicit example of what behaviour is wanted,
> then it may be clear what the appropriate nginx config for this case is.
>
>

This is what any compliant WSGI server (including uWSGI) expects:

https://www.python.org/dev/peps/pep-0333/#environ-variables

nginx is not able to correctly split PATH_INFO according to SCRIPT_NAME
(and technically it should not do it as uwsgi is a transport only protocol
and the server could make any kind of assumptions about variables).

For this reason you need to instruct uWSGI to rewrite PATH_INFO
accordingly (like shown in the previous posts). There can be no magic in
uWSGI to rewrite it as it would mean inferring what the user wants to do.

The solution is using uWSGI to rewrite it (it has at least 3 ways)

Unfortunately I am not able to help better :)

--
Roberto De Ioris
http://unbit.com

From tkadm30 at yandex.com Sun Aug 6 10:52:11 2017
From: tkadm30 at yandex.com (Etienne Robillard)
Date: Sun, 6 Aug 2017 06:52:11 -0400
Subject: Problem with uWSGI and PATH_INFO
In-Reply-To: <4ca10e3d035ac2d1f33504f095634d5a.squirrel@squirrelmail.unbit.it>
References: <3f77e732-0400-9859-5048-8651147da727@yandex.com> <20170727152516.GQ365@daoine.org> <20170728071704.GR365@daoine.org> <145563a0-795b-1a11-6542-03a72af47f2a@yandex.com> <20170806095933.GD365@daoine.org> <4ca10e3d035ac2d1f33504f095634d5a.squirrel@squirrelmail.unbit.it>
Message-ID: <5c8f0710-8d4a-9361-4059-cc13609b7217@yandex.com>

So either Django is not a compliant WSGI app or uWSGI is unable to mount
a standard WSGI application to the root location in nginx without using
magic rewrites?

Etienne

On 2017-08-06 at 06:28, Roberto De Ioris wrote:
>
> This is what any compliant WSGI server (including uWSGI) expects:
>
> https://www.python.org/dev/peps/pep-0333/#environ-variables
>
> nginx is not able to correctly split PATH_INFO according to SCRIPT_NAME
> (and technically it should not do it as uwsgi is a transport only protocol
> and the server could make any kind of assumptions about variables).
>
> For this reason you need to instruct uWSGI to rewrite PATH_INFO
> accordingly (like shown in the previous posts). There can be no magic in
> uWSGI to rewrite it as it would mean inferring what the user wants to do.
>
> The solution is using uWSGI to rewrite it (it has at least 3 ways)
>

--
Etienne Robillard
tkadm30 at yandex.com
http://www.isotopesoftware.ca/

From roberto at unbit.it Sun Aug 6 14:09:51 2017
From: roberto at unbit.it (Roberto De Ioris)
Date: Sun, 6 Aug 2017 16:09:51 +0200
Subject: Problem with uWSGI and PATH_INFO
In-Reply-To: <5c8f0710-8d4a-9361-4059-cc13609b7217@yandex.com>
References: <3f77e732-0400-9859-5048-8651147da727@yandex.com> <20170727152516.GQ365@daoine.org> <20170728071704.GR365@daoine.org> <145563a0-795b-1a11-6542-03a72af47f2a@yandex.com> <20170806095933.GD365@daoine.org> <4ca10e3d035ac2d1f33504f095634d5a.squirrel@squirrelmail.unbit.it> <5c8f0710-8d4a-9361-4059-cc13609b7217@yandex.com>
Message-ID: <05bd3f2b53f7e7fad94b8ebf0cde9352.squirrel@squirrelmail.unbit.it>

> So either Django is not a compliant WSGI app or uWSGI is unable to mount
> a standard WSGI application to the root location in nginx without using
> magic rewrites?
>
> Etienne
>

Neither of the two, you were asking about mounting in a sub-uri in the
previous posts, that requires some kind of ruling. For mounting under /
(or empty SCRIPT_NAME to be more compliant with WSGI) you do not need
additional configurations.

--
Roberto De Ioris
http://unbit.com

From tkadm30 at yandex.com Mon Aug 7 08:47:30 2017
From: tkadm30 at yandex.com (Etienne Robillard)
Date: Mon, 7 Aug 2017 04:47:30 -0400
Subject: How to disable fastcgi caching for the logged user?
In-Reply-To: <20170806094857.GC365@daoine.org>
References: <40bbd9b5-fd2f-f1e2-fbde-e6f27482efb8@yandex.com> <20170806094857.GC365@daoine.org>
Message-ID: <2560f451-f7c3-60c6-5dbe-affb691fdc75@yandex.com>

Hi Francis,

Thank you for your reply. What is the difference between:

fastcgi_no_cache $http_pragma $http_authorization

and

fastcgi_no_cache $remote_user

?

In addition, how can I verify the configuration is working as expected?

Thanks,

E

On 2017-08-06 at 05:48, Francis Daly wrote:
>
> The documentation at http://nginx.org/r/fastcgi_no_cache describes what
> that directive should do.
>
> You want to disable fastcgi caching when the fastcgi variable REMOTE_USER
> is set.
>
> Your config presumably includes something like "fastcgi_param REMOTE_USER
> $something".
>
> In that case, you want "fastcgi_no_cache $something".
> Good luck with it,
>
> f

--
Etienne Robillard
tkadm30 at yandex.com
http://www.isotopesoftware.ca/

From tkadm30 at yandex.com Mon Aug 7 09:06:37 2017
From: tkadm30 at yandex.com (Etienne Robillard)
Date: Mon, 7 Aug 2017 05:06:37 -0400
Subject: Problem with uWSGI and PATH_INFO
In-Reply-To: <05bd3f2b53f7e7fad94b8ebf0cde9352.squirrel@squirrelmail.unbit.it>
References: <3f77e732-0400-9859-5048-8651147da727@yandex.com> <20170727152516.GQ365@daoine.org> <20170728071704.GR365@daoine.org> <145563a0-795b-1a11-6542-03a72af47f2a@yandex.com> <20170806095933.GD365@daoine.org> <4ca10e3d035ac2d1f33504f095634d5a.squirrel@squirrelmail.unbit.it> <5c8f0710-8d4a-9361-4059-cc13609b7217@yandex.com> <05bd3f2b53f7e7fad94b8ebf0cde9352.squirrel@squirrelmail.unbit.it>
Message-ID: <27e8556a-a54b-429f-8123-0fee3fd2c589@yandex.com>

Hi Roberto,

On 2017-08-06 at 10:09, Roberto De Ioris wrote:
> Neither of the two, you were asking about mounting in a sub-uri in the
> previous posts, that requires some kind of ruling. For mounting under /
> (or empty SCRIPT_NAME to be more compliant with WSGI) you do not need
> additional configurations.

To be fair, I haven't found anything in the uWSGI docs covering the
subject of mounting a WSGI app in nginx without suggesting to define
mountpoints in my uwsgi config.

Mountpoints are not defined in the WSGI specification.

Rewriting PATH_INFO and SCRIPT_NAME variables is ok, but I still need
FastCGI-like compatibility.

I would like an option to disable mountpoints at runtime... ;)

E

--
Etienne Robillard
tkadm30 at yandex.com
http://www.isotopesoftware.ca/

From reallfqq-nginx at yahoo.fr Mon Aug 7 17:21:52 2017
From: reallfqq-nginx at yahoo.fr (B.R.)
Date: Mon, 7 Aug 2017 19:21:52 +0200
Subject: HTTP/405
In-Reply-To: <3074764.ORdvKzBldl@vbart-workstation>
References: <3810185.yKh45WF1ox@vbart-laptop> <3074764.ORdvKzBldl@vbart-workstation>
Message-ID:

It would be interesting to amend the flawed RFC to adapt to the real world
then, wouldn't it?

Much like in any languages, specifications/reference and real world often
differ, but that should me a pretext to ignore the specs are here for a
reason: make everyone try to speak the same language and be accessible to
everyone else.

From what I understand, the fix would be the following: the RFC should
accept an empty Allow and consider it equivalent to its presence with an
empty value.
It is indeed logic and useful as the answer length gets reduced.

However, one might wonder about backwards-compatibility, as current-day
non-compliant Web servers which do not specify the Allow header might be
interpreted by future clients as having no available method to gather the
requested URI, even if that was not the initial goal.
---
*B. R.*

On Fri, Aug 4, 2017 at 7:36 PM, Valentin V. Bartenev wrote:

> On Friday 04 August 2017 09:42:42 Frank Liu wrote:
> > Valentin,
> >
> > I checked the trac and basically it says very complicated to properly
> > implement. When I try the same curl against apache.org, they just return a
> > blank Allow header to compliant RFC. Maybe nginx can do the same?
> >
> [..]
>
> Why should nginx do the same? Is there any real problem with that?
>
> According to RFC:
>
> | An empty Allow field value indicates that the resource allows no methods,
> | which might occur in a 405 response if the resource has been temporarily
> | disabled by configuration.
>
> that, as you know, isn't the case for apache.org. So, such behavior can
> only mislead a client.
>
> Unfortunately, the real world sometimes a bit different than theory of
> RFC authors. Strict and blind following to RFC is fine for academic
> purposes, but doesn't always work for real world applications. It's
> definitely not the goal you should achieve by any price.
>
> wbr, Valentin V. Bartenev
>

From reallfqq-nginx at yahoo.fr Mon Aug 7 17:34:12 2017
From: reallfqq-nginx at yahoo.fr (B.R.)
Date: Mon, 7 Aug 2017 19:34:12 +0200
Subject: Multiple certificates in one server block?
In-Reply-To: <9975519b1b08c0e59ebc6fde65a8c4c5.NginxMailingListEnglish@forum.nginx.org>
References: <0c9d6c1b-40df-f072-f192-f883dc296b6f@mailman-hosting.com> <9975519b1b08c0e59ebc6fde65a8c4c5.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

Jim already replied with his ECDSA+RSA example in a single server block.

You can also serve several names from a single server block.

However, I never tested serving a certificate for several domains all
served by the same virtual server block. I *suppose* nginx might be clever
enough to select the right certificate(s) to serve. Anyone to test that?
Anyway, for that to work, you will need to ensure both ends support SNI
with their TLS library.

First impressions, though: it does not look as an ideal setup to me, as it
most probably will end up in a spaghetti configuration nightmare. It
depends, as always.
A long (potentially repetitive), clear (as in 'server block-complete'),
nginx configuration properly managed through configuration management
tools will always appeal the most to me for debugging purposes.
---
*B. R.*

On Fri, Aug 4, 2017 at 3:47 PM, Olaf van der Spek <
nginx-forum at forum.nginx.org> wrote:

> Jim Ohlstein Wrote:
> > Letsencrypt allows multiple domain names in the same certificate.
>
> I know, just wondering if nginx supported multiple certs per server.
>
> My problem:
> I've got multiple servers and I'd like the servers to be accessible via the
> common name (ex.com) and via their dedicated name (a.ex.com, b.ex.com,
> etc).
> How do I do this with letsencrypt?
> If I use certbot the verification request might / will be server by another
> host and will thus fail.
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275855,275860#msg-275860
>

From vbart at nginx.com Mon Aug 7 17:42:33 2017
From: vbart at nginx.com (Valentin V. Bartenev)
Date: Mon, 07 Aug 2017 20:42:33 +0300
Subject: HTTP/405
In-Reply-To:
References: <3074764.ORdvKzBldl@vbart-workstation>
Message-ID: <2652677.jESjjs5PeV@vbart-workstation>

On Monday 07 August 2017 19:21:52 B.R. via nginx wrote:
> It would be interesting to amend the flawed RFC to adapt to the real world
> then, wouldn't it?
>
> Much like in any languages, specifications/reference and real world often
> differ, but that should me a pretext to ignore the specs are here for a
> reason: make everyone try to speak the same language and be accessible to
> everyone else.
>
> From what I understand, the fix would be the following: the RFC should
> accept an empty Allow and consider it equivalent to its presence with an
> empty value.
[..]

The fix for RFC would be to allow 405 without "Allow" header.

wbr, Valentin V. Bartenev

From nginx-forum at forum.nginx.org Tue Aug 8 09:42:55 2017
From: nginx-forum at forum.nginx.org (chilly_bang)
Date: Tue, 08 Aug 2017 05:42:55 -0400
Subject: Get rid of args from $request_uri
Message-ID: <0b322fae3b7b07ee8431fcc4e3ddd13c.NginxMailingListEnglish@forum.nginx.org>

Hi

I want to build a construction like

    location ~* {
        if ($args ~ *) {
            add_header Link "<$scheme://$http_host$request_uri>; rel=\"canonical\"";
        }
    }

but need to get rid of arguments from $request_uri. The goal is from any url
with parameters to point with canonical to non-parameter url counterpart.

I've realized a method to get rid of arguments from $request_uri, like this:

    map $request_uri $request_uri_path {
        "~^(?P<path>[^?]*)(\?.*)?$" $path;
    }

I need advice: how are both snippets to be put together?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275930,275930#msg-275930

From nginx-forum at forum.nginx.org Tue Aug 8 12:45:54 2017
From: nginx-forum at forum.nginx.org (c0nw0nk)
Date: Tue, 08 Aug 2017 08:45:54 -0400
Subject: Get rid of args from $request_uri
In-Reply-To: <0b322fae3b7b07ee8431fcc4e3ddd13c.NginxMailingListEnglish@forum.nginx.org>
References: <0b322fae3b7b07ee8431fcc4e3ddd13c.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

why don't you use

    $uri $is_args $args

This will build the URL like.

    index.php ? arguement=value&moreargs=morevalue

$request_uri will always output the full URL. Not individual segments of it.

If you want the first part of the url only just use $uri on its own.

http://nginx.org/en/docs/http/ngx_http_core_module.html#var_uri

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275930,275936#msg-275936

From nginx-forum at forum.nginx.org Tue Aug 8 14:02:19 2017
From: nginx-forum at forum.nginx.org (chilly_bang)
Date: Tue, 08 Aug 2017 10:02:19 -0400
Subject: Get rid of args from $request_uri
In-Reply-To:
References: <0b322fae3b7b07ee8431fcc4e3ddd13c.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

c0nw0nk Wrote:
-------------------------------------------------------
> why don't you use
>
> $uri

Is it not so, that $uri will output an encoded url?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275930,275937#msg-275937

From zchao1995 at gmail.com Tue Aug 8 14:06:55 2017
From: zchao1995 at gmail.com (Zhang Chao)
Date: Tue, 8 Aug 2017 10:06:55 -0400
Subject: Get rid of args from $request_uri
In-Reply-To:
References: <0b322fae3b7b07ee8431fcc4e3ddd13c.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

On 8 August 2017 at 22:02:32, chilly_bang (nginx-forum at forum.nginx.org) wrote:

c0nw0nk Wrote:
-------------------------------------------------------
> why don't you use
>
> $uri

Is it not so, that $uri will output an encoded url?

$uri is always the one decoded once, with the slashes merged (if you enable it).

From mdounin at mdounin.ru Tue Aug 8 15:13:43 2017
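
One way to put the two snippets from this thread together, as an added example that is not from any poster in the thread. It replaces the "if" block with a second map keyed on $is_args; the names $canonical_link and example.com are assumptions, and the canonical host is written out as a fixed name instead of $http_host so that a client-supplied Host header is not reflected into the Link header.

```nginx
# Added example: goes in the http{} context. example.com is a placeholder.

# Path part of the original request line, still percent-encoded:
# $request_uri with everything from "?" onwards cut off.
map $request_uri $request_uri_path {
    "~^(?P<path>[^?]*)(\?.*)?$"  $path;
}

# $is_args is "?" only when the request line carries a query string.
# For requests without arguments the value stays empty, and add_header
# does not emit a header whose value is empty.
map $is_args $canonical_link {
    "?"      '<$scheme://example.com$request_uri_path>; rel="canonical"';
    default  "";
}

server {
    listen       80;
    server_name  example.com;

    location / {
        # Sent only on URLs that have parameters; points at the same
        # path without them.
        add_header Link $canonical_link;
    }
}
```

Because the map works on $request_uri, the path in the header keeps the encoding the client sent, which is the difference from $uri raised in the replies above.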
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 8 Aug 2017 18:13:43 +0300
Subject: nginx-1.13.4
Message-ID: <20170808151343.GO93611@mdounin.ru>

Changes with nginx 1.13.4                                        08 Aug 2017

    *) Feature: the ngx_http_mirror_module.

    *) Bugfix: client connections might be dropped during configuration
       testing when using the "reuseport" parameter of the "listen"
       directive on Linux.

    *) Bugfix: request body might not be available in subrequests if it was
       saved to a file and proxying was used.

    *) Bugfix: cleaning cache based on the "max_size" parameter did not work
       on Windows.

    *) Bugfix: any shared memory allocation required 4096 bytes on Windows.

    *) Bugfix: nginx worker might be terminated abnormally when using the
       "zone" directive inside the "upstream" block on Windows.

--
Maxim Dounin
http://nginx.org/

From lucas at lucasrolff.com Tue Aug 8 15:55:55 2017
From: lucas at lucasrolff.com (Lucas Rolff)
Date: Tue, 8 Aug 2017 15:55:55 +0000
Subject: Get rid of args from $request_uri
In-Reply-To:
References: <0b322fae3b7b07ee8431fcc4e3ddd13c.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <1E33A210-DF40-41AB-A62F-8241788F3918@lucasrolff.com>

I use the set_misc module from openresty and do something like:

    if ($request_uri ~ "([^/?]*)(?:\?|$)") {
        set $double_encoded_uri $1;
    }

    set_unescape_uri $encoded_uri $double_encoded_uri;

Can probably be improved, but I can use $encoded_uri and get the result
you're looking for c0nw0nk.

From: nginx on behalf of Zhang Chao
Reply-To: "nginx at nginx.org"
Date: Tuesday, 8 August 2017 at 16.07
To: "nginx at nginx.org"
Subject: Re: Get rid of args from $request_uri

On 8 August 2017 at 22:02:32, chilly_bang (nginx-forum at forum.nginx.org) wrote:

c0nw0nk Wrote:
-------------------------------------------------------
> why don't you use
>
> $uri

Is it not so, that $uri will output an encoded url?

$uri is always the one decoded once, with the slashes merged (if you enable it).

From capile at tecnodz.com Tue Aug 8 16:12:34 2017
From: capile at tecnodz.com (Guilherme Capilé)
Date: Tue, 8 Aug 2017 13:12:34 -0300
Subject: Building and packaging dynamic modules
Message-ID:

Hello,

I'm not sure if I should address this list or the nginx-devel, but I'd
like to automate the installation/packaging of dynamic modules for
nginx (right now focused on centos7).

As far as I understood, dynamic modules can be compiled apart of the
nginx installation, so if I got the source for nginx stable on centos
I might be able to compile a dynamic module (let's say naxsi) for the
binary package distributed by nginx.org, correct? I don't need to
rebuild nginx from source for that, or should I?

If building the dynamic module this way is possible, what would be the
best way to get the source for an automated installation?
https://nginx.org/packages/centos/7/SRPMS/ ?

Cheers,

Guilherme Capilé

--
Tecnodesign [55 21] 3042 4468
https://tecnodz.com capile at tecnodz.com

From kworthington at gmail.com Tue Aug 8 17:39:22 2017
From: kworthington at gmail.com (Kevin Worthington)
Date: Tue, 8 Aug 2017 13:39:22 -0400
Subject: [nginx-announce] nginx-1.13.4
In-Reply-To: <20170808151347.GP93611@mdounin.ru>
References: <20170808151347.GP93611@mdounin.ru>
Message-ID:

Hello Nginx users,

Now available: Nginx 1.13.4 for Windows
https://kevinworthington.com/nginxwin1134 (32-bit and 64-bit versions)

These versions are to support legacy users who are already using Cygwin
based builds of Nginx. Officially supported native Windows binaries are at
nginx.org.

Announcements are also available here:
Twitter http://twitter.com/kworthington
Google+ https://plus.google.com/+KevinWorthington/

Thank you,
Kevin
--
Kevin Worthington
kworthington *@* (gmail] [dot} {com)
https://kevinworthington.com/
https://twitter.com/kworthington
https://plus.google.com/+KevinWorthington/

On Tue, Aug 8, 2017 at 11:13 AM, Maxim Dounin wrote:

> Changes with nginx 1.13.4                                        08 Aug 2017
>
>     *) Feature: the ngx_http_mirror_module.
>
>     *) Bugfix: client connections might be dropped during configuration
>        testing when using the "reuseport" parameter of the "listen"
>        directive on Linux.
>
>     *) Bugfix: request body might not be available in subrequests if it was
>        saved to a file and proxying was used.
>
>     *) Bugfix: cleaning cache based on the "max_size" parameter did not work
>        on Windows.
>
>     *) Bugfix: any shared memory allocation required 4096 bytes on Windows.
>
>     *) Bugfix: nginx worker might be terminated abnormally when using the
>        "zone" directive inside the "upstream" block on Windows.
>
>
> --
> Maxim Dounin
> http://nginx.org/
>

From francis at daoine.org Tue Aug 8 18:11:41 2017
From: francis at daoine.org (Francis Daly)
Date: Tue, 8 Aug 2017 19:11:41 +0100
Subject: Problem with uWSGI and PATH_INFO
In-Reply-To: <4ca10e3d035ac2d1f33504f095634d5a.squirrel@squirrelmail.unbit.it>
References: <3f77e732-0400-9859-5048-8651147da727@yandex.com> <20170727152516.GQ365@daoine.org> <20170728071704.GR365@daoine.org> <145563a0-795b-1a11-6542-03a72af47f2a@yandex.com> <20170806095933.GD365@daoine.org> <4ca10e3d035ac2d1f33504f095634d5a.squirrel@squirrelmail.unbit.it>
Message-ID: <20170808181141.GE365@daoine.org>

On Sun, Aug 06, 2017 at 12:28:11PM +0200, Roberto De Ioris wrote:
> > On Sat, Aug 05, 2017 at 11:47:24AM -0400, Etienne Robillard wrote:

Hi there,

> nginx is not able to correctly split PATH_INFO accordingly to SCRIPT_NAME

That is correct.

It is similarly correct that nginx is not able to know where your uwsgi
server is listening.

> (and technically it should not do it as uwsgi is a transport only protocol
> and the server could make any kind of assumptions about variables).

The administrator should know what variable values the uwsgi server will
make use of, and where the uwsgi server is listening.

The administrator can configure nginx to match whatever those
site-specific requirements are.

(And one possible way to do that, is for nginx to always set PATH_INFO =
the original request, and let the uwsgi server use that in any way it
likes.)

	f
--
Francis Daly        francis at daoine.org

From francis at daoine.org Tue Aug 8 18:29:35 2017
From: francis at daoine.org (Francis Daly)
Date: Tue, 8 Aug 2017 19:29:35 +0100
Subject: How to disable fastcgi caching for the logged user?
In-Reply-To: <2560f451-f7c3-60c6-5dbe-affb691fdc75@yandex.com>
References: <40bbd9b5-fd2f-f1e2-fbde-e6f27482efb8@yandex.com> <20170806094857.GC365@daoine.org> <2560f451-f7c3-60c6-5dbe-affb691fdc75@yandex.com>
Message-ID: <20170808182935.GF365@daoine.org>

On Mon, Aug 07, 2017 at 04:47:30AM -0400, Etienne Robillard wrote:

Hi there,

> Thank you for your reply. What is the difference between:
>
> fastcgi_no_cache $http_pragma $http_authorization
>
> and
>
> fastcgi_no_cache $remote_user

http://nginx.org/r/fastcgi_no_cache
http://nginx.org/r/$http_
http://nginx.org/r/$remote_user

In each case, if the request is handled by a fastcgi_pass, then the
response will[*] be cached unless certain conditions apply.

In the first case, the conditions are that either there is a Pragma:
header (other than "Pragma: 0") or an Authorization: header (other than
"Authorization: 0") in the initial request.

In the second case, the condition is if "user name supplied with the
Basic authentication" is not empty (and, I guess, not 0).

Basic authentication uses the Authorization: header; it is not the only
thing that uses that header, and I guess that there may be a separate
way to populate that variable (but I have not investigated).

[*] strictly, it is more like "will not, not be cached". There are other
reasons why the response might not be cached.

> In addition, how can I verify the configuration is working as expected?

Watch the logs. Watch the network traffic. Watch the files on the
filesystem.

Make a http request. Did it go to the fastcgi server? Was the response
cached? (Was a file in the cache recently modified?)

Repeat the http request? Did this one go to the fastcgi server, or was
it served from cache?

Did each of them do what you wanted them to do?

	f
--
Francis Daly        francis at daoine.org

From mdounin at mdounin.ru Wed Aug 9 15:12:50 2017
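
A configuration sketch for the fastcgi caching thread above, added here as an example and not taken from any poster. It assumes REMOTE_USER is fed from $remote_user; the zone name, cache path, backend address, server name and the X-Cache-Status header name are placeholders. It pairs fastcgi_no_cache with fastcgi_cache_bypass and exposes $upstream_cache_status so the behaviour can be checked per request.

```nginx
# Added example: http{} context. Paths, names and addresses are placeholders.
fastcgi_cache_path /var/cache/nginx/fcgi levels=1:2 keys_zone=app:10m inactive=60m;

server {
    listen       80;
    server_name  example.com;

    location / {
        include        fastcgi_params;
        # Assumption: the application reads REMOTE_USER from this variable.
        fastcgi_param  REMOTE_USER $remote_user;
        fastcgi_pass   127.0.0.1:9000;

        fastcgi_cache        app;
        fastcgi_cache_key    "$scheme$request_method$host$request_uri";
        fastcgi_cache_valid  200 5m;

        # Never store a response generated for a request that carried
        # credentials. $remote_user is filled only by Basic authentication;
        # $http_authorization also covers other schemes that use the
        # Authorization header, such as bearer tokens.
        fastcgi_no_cache      $remote_user $http_authorization;

        # Never answer such a request from the cache either.
        fastcgi_cache_bypass  $remote_user $http_authorization;

        # Verification aid: MISS, HIT, BYPASS, EXPIRED, ...
        add_header X-Cache-Status $upstream_cache_status always;
    }
}
```

With this in place, two identical anonymous requests should show MISS and then HIT in X-Cache-Status, while any request that sends an Authorization header should show BYPASS every time and leave no new file under the cache path.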
From: mdounin at mdounin.ru (Maxim Dounin) Date: Wed, 9 Aug 2017 18:12:50 +0300 Subject: nginx security advisory (CVE-2017-7529) In-Reply-To: <55405e97-8238-de6e-1d0f-571f3e7bb37a@gmail.com> References: <20170711154745.GF55433@mdounin.ru> <55405e97-8238-de6e-1d0f-571f3e7bb37a@gmail.com> Message-ID: <20170809151250.GH93611@mdounin.ru> Hello! On Thu, Jul 20, 2017 at 10:32:15PM -0700, Shuxin Yang wrote: > I try to exploit this bug in an attempt to do something nasty :-). > However, the more I dig into it, the more I get confused. No comments on this, sorry. We generally avoid providing exploitation details to minimize impact on not-yet-updated systems. [...] > d) the patch guarantees the total size of ranges is smaller than 4G > (again, assume 32bit system). But what if it ends up very close to 4G, > making the "len" variable in function variable > ngx_http_range_multipart_header() overflow. The "len" is to calculate > the content-length the resulting response, it is the total size of > multi-part overhead plus ranges. This looks like a separate bug, which can result in incorrect Content-Length being returned if a file larger than 4G is requested using multiple ranges on a 32-bit system. Thanks for reporting this. The following patch should fix this: # HG changeset patch # User Maxim Dounin # Date 1502291117 -10800 # Wed Aug 09 18:05:17 2017 +0300 # Node ID fc89eec543ee3e41b74347ffa0c59554188dc3f5 # Parent 2f48ab272052d9b2ca00f8192c589b872ee3bc86 Range filter: changed type for total length to off_t. Total length of a response with multiple ranges can be larger than a size_t variable can hold, so type changed to off_t. Previously, an incorrect Content-Length was returned when requesting more than 4G of ranges from a large enough file on a 32-bit system. Reported by Shuxin Yang, http://mailman.nginx.org/pipermail/nginx/2017-July/054384.html. diff --git a/src/http/modules/ngx_http_range_filter_module.c b/src/http/modules/ngx_http_range_filter_module.c 
--- a/src/http/modules/ngx_http_range_filter_module.c +++ b/src/http/modules/ngx_http_range_filter_module.c @@ -463,7 +463,7 @@ static ngx_int_t ngx_http_range_multipart_header(ngx_http_request_t *r, ngx_http_range_filter_ctx_t *ctx) { - size_t len; + off_t len; ngx_uint_t i; ngx_http_range_t *range; ngx_atomic_uint_t boundary; @@ -569,7 +569,7 @@ ngx_http_range_multipart_header(ngx_http - range[i].content_range.data; len += ctx->boundary_header.len + range[i].content_range.len - + (size_t) (range[i].end - range[i].start); + + (range[i].end - range[i].start); } r->headers_out.content_length_n = len; -- Maxim Dounin http://nginx.org/ From jsharan15 at gmail.com Wed Aug 9 15:16:41 2017 From: jsharan15 at gmail.com (Sharan J) Date: Wed, 9 Aug 2017 20:46:41 +0530 Subject: HTTP/2 custom status codes Message-ID: Hello, I am using Nginx as a reverse proxy and have enabled HTTP/2. For a particular request, my back-end server sends a custom 4 digit status code (say 9999). When connecting via HTTP/1.1, the exact status code is returned to the client but, when connection via HTTP/2, the response headers along with the status(9999) sent by my back-end server is sent in the body and the header has the status code 000. The same works fine if the custom status code is 3-digit (say 999). I know the standard is to use 3 digit status code but, why does Nginx sends the back-end server's response headers in the body? Please help me understand what exactly is happening. Thanks, Shanthu -------------- next part -------------- An HTML attachment was scrubbed... URL: From mdounin at mdounin.ru Wed Aug 9 15:37:10 2017 
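
Review bot: in the second hunk of the range filter patch above (the "len +=" statement in ngx_http_range_multipart_header), the sum still adds the size_t values ctx->boundary_header.len and range[i].content_range.len to the now uncast difference range[i].end - range[i].start, so whether the right-hand side is evaluated as a signed or an unsigned quantity depends on the relative widths of size_t and off_t on the build target. Casting the two .len operands to off_t would keep the whole expression in the type of len on every platform and make the intent of dropping the (size_t) cast explicit. It is also worth confirming that the first assignment to len, which lies outside the visible context of both hunks, does not go through a size_t intermediate.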
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 9 Aug 2017 18:37:10 +0300
Subject: HTTP/2 custom status codes
In-Reply-To:
References:
Message-ID: <20170809153710.GI93611@mdounin.ru>

Hello!

On Wed, Aug 09, 2017 at 08:46:41PM +0530, Sharan J wrote:

> Hello,
>
> I am using Nginx as a reverse proxy and have enabled HTTP/2. For a
> particular request, my back-end server sends a custom 4 digit status code
> (say 9999).
>
> When connecting via HTTP/1.1, the exact status code is returned to the
> client but, when connection via HTTP/2, the response headers along with the
> status(9999) sent by my back-end server is sent in the body and the header
> has the status code 000.
>
> The same works fine if the custom status code is 3-digit (say 999). I know
> the standard is to use 3 digit status code but, why does Nginx sends the
> back-end server's response headers in the body? Please help me understand
> what exactly is happening.

When you return a 4-digit status code from your backend, nginx
will fail to parse the HTTP response of the backend, and will
assume that backend is using HTTP/0.9. Something like this will
be logged to the error log:

... [error] ... upstream sent no valid HTTP/1.0 header while reading response header from upstream ...

Since there are no headers in HTTP/0.9, everything returned by
the backend will be considered to be a response body.

--
Maxim Dounin
http://nginx.org/

From jsharan15 at gmail.com Wed Aug 9 16:26:26 2017
From: jsharan15 at gmail.com (Sharan J) Date: Wed, 9 Aug 2017 21:56:26 +0530 Subject: HTTP/2 custom status codes In-Reply-To: <20170809153710.GI93611@mdounin.ru> References: <20170809153710.GI93611@mdounin.ru> Message-ID: Hi, Thanks for the response. > ... [error] ... upstream sent no valid HTTP/1.0 header while reading response header from upstream ... This is logged in the error log for both HTTP/1.1 and HTTP/2. May I know why everything returned by the backend is considered as the response body in HTTP/2 alone? and not in HTTP/1.1? Thanks, Shanthu On Wed, Aug 9, 2017 at 9:07 PM, Maxim Dounin wrote: > Hello! > > On Wed, Aug 09, 2017 at 08:46:41PM +0530, Sharan J wrote: > > > Hello, > > > > I am using Nginx as a reverse proxy and have enabled HTTP/2. For a > > particular request, my back-end server sends a custom 4 digit status code > > (say 9999). > > > > When connecting via HTTP/1.1, the exact status code is returned to the > > client but, when connection via HTTP/2, the response headers along with > the > > status(9999) sent by my back-end server is sent in the body and the > header > > has the status code 000. > > > > The same works fine if the custom status code is 3-digit (say 999). I > know > > the standard is to use 3 digit status code but, why does Nginx sends the > > back-end server's response headers in the body? Please help me understand > > what exactly is happening. > > When you return a 4-digit status code from your backend, nginx > will fail to parse the HTTP response of the backend, and will > assume that backend is using HTTP/0.9. Something like this will > be logged to the error log: > > ... [error] ... upstream sent no valid HTTP/1.0 header while reading > response header from upstream ... > > Since there are no headers in HTTP/0.9, everything returned by > the backend will be considered to be a response body. 
> > -- > Maxim Dounin > http://nginx.org/ > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From michael.payne at aquicore.com Wed Aug 9 17:21:31 2017 From: michael.payne at aquicore.com (Michael Payne) Date: Wed, 9 Aug 2017 13:21:31 -0400 Subject: post_action, rewrites, and proxy_pass Message-ID: v1.4.6 I'm attempting to proxy pass requests to AWS API Gateway, but they are not reaching the endpoint. Example of my configuration below. Requests come through as something like some.domain.com/some_resource The final post_action hop at the bottom is attempting to pass the request and its params as http://dev-data.app.com/api/v3/some_resource I've confirmed my rewrite logic, though no domain shows up in the log. Same with the additional access_log. I'd love more debug information as to what the final transformation is and the response it gets back. There are NO error or info logs on my http://dev-data.app.com/api/v3/some_resource API. But mainly interested in my use of the syntax and the expectation. Any tips as to what I am doing wrong? server { listen 80 default_server; server_name some.domain.com; #... location / { proxy_ignore_client_abort on; proxy_pass http://app-prod.herokuapp.com; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header Host aq-prod.herokuapp.com; post_action @stage; } location @stage { proxy_pass http://stage.myapp.com; post_action @app_log; } location @app_log { proxy_pass http://app-log.herokuapp.com; post_action @dev; } location @dev { #rewrite_log on; rewrite ^ /api/v3$request_uri$1 break; proxy_pass http://dev-data.app.com; #access_log /var/log/nginx/proxy-access.log; } } -------------- next part -------------- An HTML attachment was scrubbed... URL: From mdounin at mdounin.ru Wed Aug 9 17:22:57 2017 
From: mdounin at mdounin.ru (Maxim Dounin) Date: Wed, 9 Aug 2017 20:22:57 +0300 Subject: HTTP/2 custom status codes In-Reply-To: References: <20170809153710.GI93611@mdounin.ru> Message-ID: <20170809172257.GL93611@mdounin.ru> Hello! On Wed, Aug 09, 2017 at 09:56:26PM +0530, Sharan J wrote: > Thanks for the response. > > > ... [error] ... upstream sent no valid HTTP/1.0 header while reading > response header from upstream ... > > This is logged in the error log for both HTTP/1.1 and HTTP/2. May I know > why everything returned by the backend is considered as the response body > in HTTP/2 alone? and not in HTTP/1.1? It is considered to be the response body in both cases. Though in case of HTTP/1.x nginx downgrades client's connection to HTTP/0.9 as well, and returns the HTTP/0.9 response as it was got from the backend. -- Maxim Dounin http://nginx.org/ From nginx-forum at forum.nginx.org Thu Aug 10 01:33:59 2017 From: nginx-forum at forum.nginx.org (ptcell) Date: Wed, 09 Aug 2017 21:33:59 -0400 Subject: Is there a wait to get at a module's main conf inside the loc conf's init? Message-ID: <1b30434343b09afc1f35232db22629b2.NginxMailingListEnglish@forum.nginx.org> From the debugger I can see that it's probably some offset into cf->ctx[index].main_conf, but I don't see anyway of knowing what that index is inside the loc create callback. Is there any other way of getting this? Getting it at loc merge time would be acceptable too. void *ngx_http_my_module_create_conf(ngx_conf_t *cf) { } Thank you. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275998,275998#msg-275998 From mdounin at mdounin.ru Thu Aug 10 10:43:49 2017 
From: mdounin at mdounin.ru (Maxim Dounin) Date: Thu, 10 Aug 2017 13:43:49 +0300 Subject: Is there a wait to get at a module's main conf inside the loc conf's init? In-Reply-To: <1b30434343b09afc1f35232db22629b2.NginxMailingListEnglish@forum.nginx.org> References: <1b30434343b09afc1f35232db22629b2.NginxMailingListEnglish@forum.nginx.org> Message-ID: <20170810104349.GN93611@mdounin.ru> Hello! On Wed, Aug 09, 2017 at 09:33:59PM -0400, ptcell wrote: > From the debugger I can see that it's probably some offset into > cf->ctx[index].main_conf, but I don't see anyway of knowing what that index > is inside the loc create callback. > > Is there any other way of getting this? Getting it at loc merge time > would be acceptable too. Try ngx_http_conf_get_module_main_conf(). (Doing so in the create_loc_conf callback is probably pointless though, as main conf contents can be changed later.) -- Maxim Dounin http://nginx.org/ From smntov at gmail.com Thu Aug 10 13:29:14 2017 From: smntov at gmail.com (ST) Date: Thu, 10 Aug 2017 16:29:14 +0300 Subject: Whitelisting files with certain extensions Message-ID: <1502371754.1654.28.camel@gmail.com> Hello, we had following problem: one of the developers has saved a .php file as .php.old. This file, if requested directly, was offered by nginx for download and thus exposed. What is the right way to solve this? 1. initial idea was to whitelist all the legitimate file extensions that we use and block the rest. Is this the right approach? If yes - what is the best way to do this? 1.1 we have one directory that has legitimate files without any extension that we also want to serve... how to make an exception for this directory? Thank you! From nginx-forum at forum.nginx.org Thu Aug 10 13:52:50 2017 
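The allowlist idea from the question above, written as a document-root audit; this is an added example, not part of the thread. It applies the same policy a server-side allowlist would (known extensions only, one directory exempted for extensionless files) and reports what falls outside it. The extension set, the `downloads` directory name and the sample tree are assumptions made up for the example.

```python
import os
import tempfile
from pathlib import Path, PurePosixPath

# Assumed policy values; replace with the extensions the site really serves.
ALLOWED_EXTENSIONS = {".php", ".html", ".css", ".js", ".png", ".jpg"}
# Hypothetical top-level directory whose extensionless files may be served.
EXTENSIONLESS_DIRS = {"downloads"}

# Constructed sample tree, created in a temporary directory by demo().
SAMPLE_TREE = [
    "index.php",
    "config.php.old",      # the case from the post: renamed script
    "css/site.css",
    "downloads/report",    # extensionless, inside the exempted directory
    "notes",               # extensionless, outside it
    "backup/db.sql",
]


def is_servable(rel_path):
    """Return True if a path relative to the docroot passes the allowlist."""
    p = PurePosixPath(rel_path)
    if p.name.startswith("."):
        return False                       # dotfiles are never served
    # Only the final suffix counts: "config.php.old" is judged as ".old".
    suffix = p.suffix.lower()
    if suffix:
        return suffix in ALLOWED_EXTENSIONS
    # No extension: allowed only below an exempted top-level directory.
    return len(p.parts) > 1 and p.parts[0] in EXTENSIONLESS_DIRS


def audit_docroot(docroot):
    """List files under docroot that the allowlist would refuse, sorted."""
    root = Path(docroot)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = (Path(dirpath) / name).relative_to(root).as_posix()
            if not is_servable(rel):
                findings.append(rel)
    return sorted(findings)


def demo():
    """Build the constructed tree and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in SAMPLE_TREE:
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text("constructed sample\n")
        return audit_docroot(tmp)


if __name__ == "__main__":
    for rel in demo():
        print("outside allowlist:", rel)
```

Run against the real document root, the same function shows which existing files a deny-by-default rule would stop serving before that rule is switched on.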
From: nginx-forum at forum.nginx.org (blason) Date: Thu, 10 Aug 2017 09:52:50 -0400 Subject: Modsecurity dynamic module with Nginx-plus Message-ID: Hi All, I just purchased nginx-plus and since it is delivered in binaries, since this is a case I am unable to install Modsecurity with nginx-plus. I followed various guides and able to compile dynamic_module However when I am enabling the modesecurity in conf file the nginx worker process is getting crashed with below error. Can someone please help!!! 2017/08/10 22:44:57 [notice] 1980#1980: signal 17 (SIGCHLD) received 2017/08/10 22:44:57 [alert] 1980#1980: worker process 1983 exited on signal 11 2017/08/10 22:44:57 [notice] 1980#1980: start worker process 1987 2017/08/10 22:44:57 [notice] 1980#1980: signal 29 (SIGIO) received 2017/08/10 22:44:57 [notice] 1980#1980: signal 17 (SIGCHLD) received 2017/08/10 22:44:57 [alert] 1980#1980: worker process 1984 exited on signal 11 2017/08/10 22:44:57 [notice] 1980#1980: start worker process 1988 2017/08/10 22:44:57 [notice] 1980#1980: signal 29 (SIGIO) received 2017/08/10 22:44:57 [notice] 1980#1980: signal 17 (SIGCHLD) received 2017/08/10 22:44:57 [alert] 1980#1980: worker process 1987 exited on signal 11 2017/08/10 22:44:57 [notice] 1980#1980: start worker process 1989 2017/08/10 22:44:57 [notice] 1980#1980: signal 29 (SIGIO) received 2017/08/10 22:44:57 [notice] 1980#1980: signal 17 (SIGCHLD) received 2017/08/10 22:44:57 [alert] 1980#1980: worker process 1988 exited on signal 11 Posted at Nginx Forum: https://forum.nginx.org/read.php?2,276008,276008#msg-276008 From maxim at nginx.com Thu Aug 10 14:36:08 2017 
From: maxim at nginx.com (Maxim Konovalov) Date: Thu, 10 Aug 2017 17:36:08 +0300 Subject: Modsecurity dynamic module with Nginx-plus In-Reply-To: References: Message-ID: <99bf6b30-c43d-8bc8-41de-7651e7a7ccf0@nginx.com> On 10/08/2017 16:52, blason wrote: > Hi All, > > I just purchased nginx-plus and since it is delivered in binaries, since > this is a case I am unable to install Modsecurity with nginx-plus. I > followed various guides and able to compile dynamic_module However when I am > enabling the modesecurity in conf file the nginx worker process is getting > crashed with below error. > [...] Just a sidenote: we ship a precompiled modsecurity package for nginx-plus. Please consider to contact sales or support for the module activation. Links you may find useful: https://www.nginx.com/resources/admin-guide/nginx-plus-modsecurity-waf-installation-logging/ https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/ -- Maxim Konovalov From nginx-forum at forum.nginx.org Thu Aug 10 14:37:51 2017 From: nginx-forum at forum.nginx.org (blason) Date: Thu, 10 Aug 2017 10:37:51 -0400 Subject: Modsecurity dynamic module with Nginx-plus In-Reply-To: <99bf6b30-c43d-8bc8-41de-7651e7a7ccf0@nginx.com> References: <99bf6b30-c43d-8bc8-41de-7651e7a7ccf0@nginx.com> Message-ID: <7d88db4abda52f8fcbb40f72f16b4212.NginxMailingListEnglish@forum.nginx.org> Unfortunately we do not have budget at this moment and we were unsure at the time of purchasing that paid nginx option does not give source codes to compile hence we are now struggling. Can someone please help us here? Posted at Nginx Forum: https://forum.nginx.org/read.php?2,276008,276011#msg-276011 From maxim at nginx.com Thu Aug 10 14:46:17 2017 
From: maxim at nginx.com (Maxim Konovalov) Date: Thu, 10 Aug 2017 17:46:17 +0300 Subject: Modsecurity dynamic module with Nginx-plus In-Reply-To: <7d88db4abda52f8fcbb40f72f16b4212.NginxMailingListEnglish@forum.nginx.org> References: <99bf6b30-c43d-8bc8-41de-7651e7a7ccf0@nginx.com> <7d88db4abda52f8fcbb40f72f16b4212.NginxMailingListEnglish@forum.nginx.org> Message-ID: On 10/08/2017 17:37, blason wrote: > Unfortunately we do not have budget at this moment and we were unsure at the > time of purchasing that paid nginx option does not give source codes to > compile hence we are now struggling. Can someone please help us here? > You can use nginx-oss source to compile dynamic modules for nginx-plus. https://www.nginx.com/blog/compiling-dynamic-modules-nginx-plus/ -- Maxim Konovalov From at.rakotoarimalala at lemurien.net Thu Aug 10 17:54:08 2017 From: at.rakotoarimalala at lemurien.net (Andry Thierry RAKOTOARIMALALA) Date: Thu, 10 Aug 2017 19:54:08 +0200 Subject: No subject Message-ID: Hi, Can an nginx instance use a web server and a stream to do a proxy (pass-thru) with ng_stream_core_module? When I verified the compilation option , I see --with-stream=dynamic. Is that mean the module is load or not? Thanks -- RAKOTO -------------- next part -------------- An HTML attachment was scrubbed... URL: From nginx-forum at forum.nginx.org Thu Aug 10 18:46:17 2017 
From: nginx-forum at forum.nginx.org (ptcell) Date: Thu, 10 Aug 2017 14:46:17 -0400 Subject: Is there a wait to get at a module's main conf inside the loc conf's init? In-Reply-To: <20170810104349.GN93611@mdounin.ru> References: <20170810104349.GN93611@mdounin.ru> Message-ID: <7f63bfd688e69d3ea8d9dab1e137653e.NginxMailingListEnglish@forum.nginx.org> Maxim Dounin Wrote: ------------------------------------------------------- > Hello! > > On Wed, Aug 09, 2017 at 09:33:59PM -0400, ptcell wrote: > > > From the debugger I can see that it's probably some offset into > > cf->ctx[index].main_conf, but I don't see anyway of knowing what > that index > > is inside the loc create callback. > > > > Is there any other way of getting this? Getting it at loc merge > time > > would be acceptable too. > > Try ngx_http_conf_get_module_main_conf(). > > (Doing so in the create_loc_conf callback is probably pointless > though, as main conf contents can be changed later.) > > -- > Maxim Dounin > http://nginx.org/ > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx Thank you. I saw that similar macro for requests, but missed it for configs. I see now the module entity has a static index on it. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275998,276014#msg-276014 From nginx-forum at forum.nginx.org Thu Aug 10 19:53:12 2017 
From: nginx-forum at forum.nginx.org (George) Date: Thu, 10 Aug 2017 15:53:12 -0400 Subject: Modsecurity dynamic module with Nginx-plus In-Reply-To: <7d88db4abda52f8fcbb40f72f16b4212.NginxMailingListEnglish@forum.nginx.org> References: <99bf6b30-c43d-8bc8-41de-7651e7a7ccf0@nginx.com> <7d88db4abda52f8fcbb40f72f16b4212.NginxMailingListEnglish@forum.nginx.org> Message-ID: yeah just use nginx open source free version if you need compile support - updated guide at https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/ Posted at Nginx Forum: https://forum.nginx.org/read.php?2,276008,276018#msg-276018 From mikydevel at yahoo.fr Thu Aug 10 21:17:14 2017 
From: mikydevel at yahoo.fr (Mik J) Date: Thu, 10 Aug 2017 21:17:14 +0000 (UTC) Subject: Reverse proxy for multiple domains References: <1000849938.2050287.1502399834765.ref@mail.yahoo.com> Message-ID: <1000849938.2050287.1502399834765@mail.yahoo.com> Nginx: 1.10.2 Hello, I'm trying to get reverse proxy working with multiple domains I have application1.org and application2.org. The client requesting these URLs, arrives on the reverse proxy. On this reverse proxy I have a virtual host which looks like that server { listen 80; server_name application1.org; access_log /var/log/nginx/application1.org.access.log; error_log /var/log/nginx/application1.org.error.log; ... location ^~ / { proxy_pass http://10.1.1.10:80/app/application1/; proxy_redirect off; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } And another virtual host for application2 which is similar with proxy_pass http://10.1.1.10:80/app/application2/; The server behind the reverse proxy is the same right now On the web server behind the proxy I just have one virtual host which is the default one server { listen 80 default_server; server_name _; index index.html index.htm index.php; root /var/www/htdocs; location ^~ /app/application1 { root /var/www; index index.php; location ~ \.php$ { root /var/www; try_files $uri =404; fastcgi_pass unix:/run/php-fpm.application1.sock; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } location ^~ /app/application2 { root /var/www; index index.php; location ~ \.php$ { root /var/www; try_files $uri =404; fastcgi_pass unix:/run/php-fpm.application2.sock; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } } Questions: 1) Is it the 
right way to do this ? 2) When I access the application from Internet using application1.org, I am redirected to application1.org/app/application1 I don't know why. And I have to add one more section on the reverse proxy location ^~ /app/application1 { proxy_pass http://10.1.1.10:80/app/application1/; proxy_redirect off; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } Is there a better way to do it ? Thank you From nginx-forum at forum.nginx.org Fri Aug 11 06:47:34 2017 From: nginx-forum at forum.nginx.org (blason) Date: Fri, 11 Aug 2017 02:47:34 -0400 Subject: Content Spoofing vulnerability Message-ID: <2516b89992fc2a570de6fb3f861a85bd.NginxMailingListEnglish@forum.nginx.org> Hi Guys, We have multiple webservers behind Nginx Reverse Proxy and at one of the server we have discovered Content spoofing, the vulnerability is patched on Apache but also needs to be patched on Nginx server. I googled a lot but unable to find a relevant information. Can someone please suggest the way to mitigate the same on Nginx? here is the Apache remediation RewriteEngine on RewriteCond %{HTTP_HOST} !^abc\.biz RewriteCond %{HTTP_HOST} !^www\.abc\.biz RewriteRule ^(.*)$ - [L,R=404] ErrorDocument 404 "Page Not Found" RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ [a-zA-Z0-9\.\+_/\-\?\=\&\%&\,]+\ HTTP/ #RewriteRule .* - [F,NS,L] RewriteRule ^(.*)$ - [L,R=404] ErrorDocument 404 "Page Not Found" Posted at Nginx Forum: https://forum.nginx.org/read.php?2,276023,276023#msg-276023 From mayak at australsat.com Fri Aug 11 06:53:36 2017 From: mayak at australsat.com (mayak) Date: Fri, 11 Aug 2017 08:53:36 +0200 Subject: rakoto In-Reply-To: References: Message-ID: An HTML attachment was scrubbed... URL: From nginx-forum at forum.nginx.org Fri Aug 11 14:11:10 2017 
From: nginx-forum at forum.nginx.org (c0nw0nk) Date: Fri, 11 Aug 2017 10:11:10 -0400 Subject: Content Spoofing vulnerability In-Reply-To: <2516b89992fc2a570de6fb3f861a85bd.NginxMailingListEnglish@forum.nginx.org> References: <2516b89992fc2a570de6fb3f861a85bd.NginxMailingListEnglish@forum.nginx.org> Message-ID: <524739333891116b510861f839ba539c.NginxMailingListEnglish@forum.nginx.org> blason Wrote: ------------------------------------------------------- > Hi Guys, > > We have multiple webservers behind Nginx Reverse Proxy and at one of > the server we have discovered Content spoofing, the vulnerability is > patched on Apache but also needs to be patched on Nginx server. > > I googled a lot but unable to find a relevant information. Can someone > please suggest the way to mitigate the same on Nginx? > > here is the Apache remediation > > RewriteEngine on > RewriteCond %{HTTP_HOST} !^abc\.biz > RewriteCond %{HTTP_HOST} !^www\.abc\.biz > RewriteRule ^(.*)$ - [L,R=404] > ErrorDocument 404 "Page Not Found" > > RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ > [a-zA-Z0-9\.\+_/\-\?\=\&\%&\,]+\ HTTP/ > #RewriteRule .* - [F,NS,L] > RewriteRule ^(.*)$ - [L,R=404] > ErrorDocument 404 "Page Not Found" If your application is vulnerable to those kinds of attacks you should patch it or get a WAF like Naxsi to prevent them. https://www.owasp.org/index.php/Content_Spoofing As the page shows.

Welcome to the Internet!


Hello, !

We are so glad you are here!

The page functionality can be tested by making the following GET request to the page: http://127.0.0.1/vulnerable.php?name=test-exploit-phishing-scam-etc Posted at Nginx Forum: https://forum.nginx.org/read.php?2,276023,276029#msg-276029 From nginx-forum at forum.nginx.org Sat Aug 12 07:21:14 2017 From: nginx-forum at forum.nginx.org (Jamesadamar) Date: Sat, 12 Aug 2017 03:21:14 -0400 Subject: Two domains and multiple server blocks Message-ID: <6a98cf59c0eac9df80301687aeb907e4.NginxMailingListEnglish@forum.nginx.org> Dear community, I am a beginner in the land of nginx and server administration. From what I've read so far, setting up nginx to listen to two domains is fairly easy. All it needs are two distinct server blocks listen to port 80 and with server_name identical to the domains in question. But it will not work. I have to domains: www.3jgkp.de and www.armapedia.de. Both a registered by www.inwx.de and both have A DNS entries to the same server IP 88.99.227.139, which is my server. For 3.jgkp I use one additional subdomain wiki.3jgkp.de, which also redirects to this IP. Now it should suffice to have server { listen 80; listen [::]:80; server_name .3jgkp.de; index index.html index.htm index.php; .... } server { listen *:80; listen [::]:80; server_name wiki.3jgkp.de; return 301 https://wiki.3jgkp.de$request_uri; .... } server { listen *:443 ssl; server_name wiki.3jgkp.de; index index.php; root /var/www/wiki/drupal-8.2.6; ## <-- Your only path reference. client_max_body_size 10m; ssl_certificate /etc/letsencrypt/live/wiki.3jgkp.de-0001/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/wiki.3jgkp.de-0001/privkey.pem; # managed by Certbot .... } for www.3jgkp.de -> that works, both directories are delivered. 
However, www.armapedia.de does NOT work: server { listen 80; listen [::]:80; server_name .armapedia.de; return 301 https://www.armapedia.de$request_uri; } server { listen 443 ssl; server_name www.armapedia.de; root /var/www/armapedia/; ## <-- Your only path reference. access_log /var/log/nginx/armapedia.de.access.log; error_log /var/log/nginx/armapedia.de.error.log; ssl_certificate /etc/letsencrypt/live/www.armapedia.de/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/www.armapedia.de/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot } Here, whenever I enter www.armapedia.de in my browser, I am redirected to armapedia.3jgkp.de. I dont understand this behavior at all. All examples about nginx and multiple vhosts with different domains just use the appropriate server_name entries, so I'm really stuck here. Thank you for your help Posted at Nginx Forum: https://forum.nginx.org/read.php?2,276031,276031#msg-276031 From mailinglist at unix-solution.de Sat Aug 12 08:16:25 2017 From: mailinglist at unix-solution.de (basti) Date: Sat, 12 Aug 2017 10:16:25 +0200 Subject: Two domains and multiple server blocks In-Reply-To: <6a98cf59c0eac9df80301687aeb907e4.NginxMailingListEnglish@forum.nginx.org> References: <6a98cf59c0eac9df80301687aeb907e4.NginxMailingListEnglish@forum.nginx.org> Message-ID: <10ba6e7b-3cc3-d232-e5db-5f24b2e8156f@unix-solution.de> Hello, your server_name .3jgkp.de; and server_name .armapedia.de; are wrong. Use www.armapedia.de, wildcard, regex or whatever. See http://nginx.org/en/docs/http/server_names.html Best Regards, Basti On 12.08.2017 09:21, Jamesadamar wrote: > Dear community, > > I am a beginner in the land of nginx and server administration. From what > I've read so far, setting up nginx to listen to two domains is fairly easy. > All it needs are two distinct server blocks listen to port 80 and with > server_name identical to the domains in question. 
But it will not work. > > I have to domains: www.3jgkp.de and www.armapedia.de. Both a registered by > www.inwx.de and both have A DNS entries to the same server IP 88.99.227.139, > which is my server. For 3.jgkp I use one additional subdomain wiki.3jgkp.de, > which also redirects to this IP. > > Now it should suffice to have > > server { > listen 80; > listen [::]:80; > > server_name .3jgkp.de; > > index index.html index.htm index.php; > > .... > } > > server { > listen *:80; > listen [::]:80; > > server_name wiki.3jgkp.de; > return 301 https://wiki.3jgkp.de$request_uri; > > .... > > } > > server { > listen *:443 ssl; > server_name wiki.3jgkp.de; > > index index.php; > root /var/www/wiki/drupal-8.2.6; ## <-- Your only path reference. > client_max_body_size 10m; > ssl_certificate /etc/letsencrypt/live/wiki.3jgkp.de-0001/fullchain.pem; > # managed by Certbot > ssl_certificate_key > /etc/letsencrypt/live/wiki.3jgkp.de-0001/privkey.pem; # managed by Certbot > > .... > } > > for www.3jgkp.de -> that works, both directories are delivered. However, > www.armapedia.de does NOT work: > > server { > listen 80; > listen [::]:80; > server_name .armapedia.de; > return 301 https://www.armapedia.de$request_uri; > > } > > server { > listen 443 ssl; > server_name www.armapedia.de; > > root /var/www/armapedia/; ## <-- Your only path reference. > access_log /var/log/nginx/armapedia.de.access.log; > error_log /var/log/nginx/armapedia.de.error.log; > > ssl_certificate /etc/letsencrypt/live/www.armapedia.de/fullchain.pem; # > managed by Certbot > ssl_certificate_key /etc/letsencrypt/live/www.armapedia.de/privkey.pem; > # managed by Certbot > include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot > } > > Here, whenever I enter www.armapedia.de in my browser, I am redirected to > armapedia.3jgkp.de. I dont understand this behavior at all. 
All examples > about nginx and multiple vhosts with different domains just use the > appropriate server_name entries, so I'm really stuck here. > > Thank you for your help > > Posted at Nginx Forum: https://forum.nginx.org/read.php?2,276031,276031#msg-276031 > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx From nginx-forum at forum.nginx.org Sat Aug 12 09:08:23 2017 From: nginx-forum at forum.nginx.org (Jamesadamar) Date: Sat, 12 Aug 2017 05:08:23 -0400 Subject: Two domains and multiple server blocks In-Reply-To: <10ba6e7b-3cc3-d232-e5db-5f24b2e8156f@unix-solution.de> References: <10ba6e7b-3cc3-d232-e5db-5f24b2e8156f@unix-solution.de> Message-ID: <2882476c99b98e88cd9e3d135accf86f.NginxMailingListEnglish@forum.nginx.org> They are not wrong, look here: http://nginx.org/en/docs/http/server_names.html A special wildcard name in the form ".example.org" can be used to match both the exact name "example.org" and the wildcard name "*.example.org". You should know your own documentation. If it would be wrong, 3.jgkp.de wouldn't work as it did. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,276031,276033#msg-276033 From r at roze.lv Sat Aug 12 12:58:20 2017 From: r at roze.lv (Reinis Rozitis) Date: Sat, 12 Aug 2017 15:58:20 +0300 Subject: Two domains and multiple server blocks In-Reply-To: <6a98cf59c0eac9df80301687aeb907e4.NginxMailingListEnglish@forum.nginx.org> References: <6a98cf59c0eac9df80301687aeb907e4.NginxMailingListEnglish@forum.nginx.org> Message-ID: <000001d3136a$accc07f0$066417d0$@roze.lv> > Here, whenever I enter www.armapedia.de in my browser, I am redirected to > armapedia.3jgkp.de. I dont understand this behavior at all. All examples about > nginx and multiple vhosts with different domains just use the appropriate > server_name entries, so I'm really stuck here. First - I would try to upgrade nginx / you are using quite an old (~3 years) version 1.6.2. 
I don't particularly remember at what point but there have been some issues/changes on how nginx handles virtual server priority. At least I've seen a similar issue in serving wrong SSL certificates (as in chosing the wrong virtual server block / SNI not working as expected) which went away after upgrade to a most recent version. While it may not be the case here it's a good point to start for a better support. Looking at the response headers for armapedia.de: Connecting to www.armapedia.de (www.armapedia.de)|88.99.227.139|:80... connected. HTTP request sent, awaiting response... HTTP/1.1 301 Moved Permanently Server: nginx/1.6.2 Date: Sat, 12 Aug 2017 12:48:45 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive Set-Cookie: wsc30_cookieHash=3fffeb677df909960a434c5f05d66f2007cde491; path=/; domain=armapedia.3jgkp.de; HttpOnly Location: http://armapedia.3jgkp.de/ There is a cookie for armapedia.3jgkp.de .. which means that the request is actually passed to php (also the redirect could come from php not nginx) which shouldn't happen with: return 301 https://www.armapedia.de$request_uri; what again indicates that the request is handled by the first server {} block rather than the one you expect. rr From medvedev.yp at gmail.com Sat Aug 12 13:02:40 2017 From: medvedev.yp at gmail.com (Iurii Medvedev) Date: Sat, 12 Aug 2017 16:02:40 +0300 Subject: Two domains and multiple server blocks In-Reply-To: <000001d3136a$accc07f0$066417d0$@roze.lv> References: <6a98cf59c0eac9df80301687aeb907e4.NginxMailingListEnglish@forum.nginx.org> <000001d3136a$accc07f0$066417d0$@roze.lv> Message-ID: Please don't use server name like .armapedia.de you should USe fqdn On 12 Aug 2017 at 15:58, "Reinis Rozitis" wrote: > > Here, whenever I enter www.armapedia.de in my browser, I am redirected > to > > armapedia.3jgkp.de. I dont understand this behavior at all. 
All > examples about > > nginx and multiple vhosts with different domains just use the appropriate > > server_name entries, so I'm really stuck here. > > First - I would try to upgrade nginx / you are using quite an old (~3 > years) version 1.6.2. > > I don't particularly remember at what point but there have been some > issues/changes on how nginx handles virtual server priority. At least I've > seen a similar issue in serving wrong SSL certificates (as in chosing the > wrong virtual server block / SNI not working as expected) which went away > after upgrade to a most recent version. > > While it may not be the case here it's a good point to start for a better > support. > > > > Looking at the response headers for armapedia.de: > > Connecting to www.armapedia.de (www.armapedia.de)|88.99.227.139|:80... > connected. > HTTP request sent, awaiting response... > HTTP/1.1 301 Moved Permanently > Server: nginx/1.6.2 > Date: Sat, 12 Aug 2017 12:48:45 GMT > Content-Type: text/html; charset=UTF-8 > Connection: keep-alive > Set-Cookie: wsc30_cookieHash=3fffeb677df909960a434c5f05d66f2007cde491; > path=/; domain=armapedia.3jgkp.de; HttpOnly > Location: http://armapedia.3jgkp.de/ > > > There is a cookie for armapedia.3jgkp.de .. which means that the request > is actually passed to php (also the redirect could come from php not nginx) > which shouldn't happen with: > return 301 https://www.armapedia.de$request_uri; > > what again indicates that the request is handled by the first server {} > block rather than the one you expect. > > rr > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From r at roze.lv Sat Aug 12 13:11:12 2017 From: r at roze.lv (Reinis Rozitis) Date: Sat, 12 Aug 2017 16:11:12 +0300 Subject: Two domains and multiple server blocks In-Reply-To: References: <6a98cf59c0eac9df80301687aeb907e4.NginxMailingListEnglish@forum.nginx.org> <000001d3136a$accc07f0$066417d0$@roze.lv> Message-ID: <000b01d3136c$78a28970$69e79c50$@roze.lv> > Please don't use server name like .armapedia.de you should USe fqdn Unless you care about micro performance gains (as in a bit slower wildcard lookups) from configuration point of view it's fine and nothing wrong to use .domain. rr From medvedev.yp at gmail.com Sat Aug 12 13:16:50 2017 From: medvedev.yp at gmail.com (Iurii Medvedev) Date: Sat, 12 Aug 2017 16:16:50 +0300 Subject: Two domains and multiple server blocks In-Reply-To: <000b01d3136c$78a28970$69e79c50$@roze.lv> References: <6a98cf59c0eac9df80301687aeb907e4.NginxMailingListEnglish@forum.nginx.org> <000001d3136a$accc07f0$066417d0$@roze.lv> <000b01d3136c$78a28970$69e79c50$@roze.lv> Message-ID: https://nginx.ru/en/docs/http/ngx_http_core_module.html#server_name 2017-08-12 16:11 GMT+03:00 Reinis Rozitis : > > Please don't use server name like .armapedia.de you should USe fqdn > > Unless you care about micro performance gains (as in a bit slower wildcard > lookups) from configuration point of view it's fine and nothing wrong to > use .domain. > > rr > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -- With best regards Iurii Medvedev -------------- next part -------------- An HTML attachment was scrubbed... 

From r at roze.lv Sat Aug 12 13:26:37 2017
From: r at roze.lv (Reinis Rozitis)
Date: Sat, 12 Aug 2017 16:26:37 +0300
Subject: Two domains and multiple server blocks
In-Reply-To:
References: <6a98cf59c0eac9df80301687aeb907e4.NginxMailingListEnglish@forum.nginx.org> <000001d3136a$accc07f0$066417d0$@roze.lv> <000b01d3136c$78a28970$69e79c50$@roze.lv>
Message-ID: <001101d3136e$9fed5da0$dfc818e0$@roze.lv>

> From: nginx [mailto:nginx-bounces at nginx.org] On Behalf Of Iurii Medvedev
>
> https://nginx.ru/en/docs/http/ngx_http_core_module.html#server_name

And?

There is clearly written:

"
The first two of the names mentioned above can be combined in one:

    server {
        server_name .example.com;
    }
"

Which expands to example.com and *.example.com.

The only concern could be performance (similar as with regular expression location blocks).

rr

From nginx-forum at forum.nginx.org Sat Aug 12 15:07:09 2017
From: nginx-forum at forum.nginx.org (Jamesadamar)
Date: Sat, 12 Aug 2017 11:07:09 -0400
Subject: Two domains and multiple server blocks
In-Reply-To: <000001d3136a$accc07f0$066417d0$@roze.lv>
References: <000001d3136a$accc07f0$066417d0$@roze.lv>
Message-ID:

Thank you Reinis for the tip with the outdated version of Nginx, now I am using 1.12 ;) But the problem still remains and it is getting weirder with every minute. Even if I disable the 3jgkp.conf completely so only one server block remains, armapedia.de will be redirected to armapedia.3jgkp.de. Maybe that is because of the cookie you mentioned earlier, but I have no clue how to delete this information or where this magic redirection is coming from.

Can this be a problem of my DNS configuration? Otherwise, I ran out of any option left to try or to look into...

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,276031,276039#msg-276039

From r at roze.lv Sat Aug 12 20:00:23 2017
From: r at roze.lv (Reinis Rozitis)
Date: Sat, 12 Aug 2017 23:00:23 +0300
Subject: Two domains and multiple server blocks
In-Reply-To:
References: <000001d3136a$accc07f0$066417d0$@roze.lv>
Message-ID: <000001d313a5$a284cc60$e78e6520$@roze.lv>

> But the problem still remains and it is getting weirder with every minute.

I'm not familiar with WoltLab Suite but it feels that it does the same as Wordpress as in it forces redirects to the domain the application is configured.

Could it be that you configured it initially on the 3jgkp.de domain?

For example you can open http://armapedia.de/images/lato/armapedia.png just fine without redirect.

Also if you request http://armapedia.de/somepath it gets redirected to http://armapedia.3jgkp.de/?somepath (which is clearly something based on your provided nginx configuration is not supposed to do)

p.s. one thing to note is that at least the IP you provided (and the domain resolves to) actually doesn't listen on 443 (https) port (unless it's not specifically disabled in firewall it's not public).

rr

From nginx-forum at forum.nginx.org Sat Aug 12 20:09:55 2017
From: nginx-forum at forum.nginx.org (Jamesadamar)
Date: Sat, 12 Aug 2017 16:09:55 -0400
Subject: Two domains and multiple server blocks
In-Reply-To: <000001d313a5$a284cc60$e78e6520$@roze.lv>
References: <000001d313a5$a284cc60$e78e6520$@roze.lv>
Message-ID: <971d9cfb04cf44e8ddf71dcb431cf143.NginxMailingListEnglish@forum.nginx.org>

You are absolutely right....I'm feeling like an idiot, really! For weeks I've tried to change every single character in nginx configuration and your first tip to look at the request header was worth the number of characters in gold ;) wsc is indeed the default prefix for Woltlab Suite and indeed, the first configuration was with the sub domain and not the standalone domain.
I am sorry to have wrongly suspected Nginx to be the source of this problem and appreciate your help very much, it really killed a lot of sleep time.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,276031,276041#msg-276041

From jazzman at misalpina.net Mon Aug 14 13:15:00 2017
From: jazzman at misalpina.net (Claudiu Rad)
Date: Mon, 14 Aug 2017 16:15:00 +0300
Subject: Nginx1.13.4 static on Debian 9 (Stretch)
Message-ID:

Hello,

I'm trying a static build of nginx. Sorry if this may have been answered before but I couldn't find anything closer than https://trac.nginx.org/nginx/ticket/903.
Downloaded http://nginx.org/download/nginx-1.13.4.tar.gz. In the sources folder:

    ./configure --prefix=/opt/nginx --with-cc-opt="-static -static-libgcc" --with-ld-opt="-Bstatic -static -static-libgcc -static-libstdc++"

Build fails with the following result

...
objs/ngx_modules.o \
-Bstatic -static -static-libgcc -static-libstdc++ -ldl -lpthread -lcrypt -lpcre -lz
objs/src/core/nginx.o: In function `ngx_load_module':
/tmp/nginx-static/nginx-1.13.4/src/core/nginx.c:1522: warning: Using 'dlopen' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
objs/src/os/unix/ngx_process_cycle.o: In function `ngx_worker_process_init':
/tmp/nginx-static/nginx-1.13.4/src/os/unix/ngx_process_cycle.c:835: warning: Using 'initgroups' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
objs/src/core/nginx.o: In function `ngx_set_user':
/tmp/nginx-static/nginx-1.13.4/src/core/nginx.c:1228: warning: Using 'getgrnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/tmp/nginx-static/nginx-1.13.4/src/core/nginx.c:1216: warning: Using 'getpwnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
objs/src/core/ngx_inet.o: In function `ngx_inet_resolve_host':
/tmp/nginx-static/nginx-1.13.4/src/core/ngx_inet.c:1127: warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libpcre.a(libpcre_la-pcre_jit_compile.o): In function `sljit_generate_code':
(.text+0x816): undefined reference to `pthread_mutex_lock'
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libpcre.a(libpcre_la-pcre_jit_compile.o): In function `sljit_generate_code':
(.text+0x91b): undefined reference to `pthread_mutex_unlock'
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libpcre.a(libpcre_la-pcre_jit_compile.o): In function `sljit_generate_code':
(.text+0xcc5): undefined reference to `pthread_mutex_unlock'
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libpcre.a(libpcre_la-pcre_jit_compile.o): In function `sljit_generate_code':
(.text+0xd28): undefined reference to `pthread_mutex_unlock'
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libpcre.a(libpcre_la-pcre_jit_compile.o): In function `sljit_free_exec':
(.text+0xd6c): undefined reference to `pthread_mutex_lock'
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libpcre.a(libpcre_la-pcre_jit_compile.o): In function `pcre_jit_free_unused_memory':
(.text+0x290d9): undefined reference to `pthread_mutex_lock'
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libpcre.a(libpcre_la-pcre_jit_compile.o): In function `sljit_free_exec':
(.text+0xddb): undefined reference to `pthread_mutex_unlock'
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libpcre.a(libpcre_la-pcre_jit_compile.o): In function `pcre_jit_free_unused_memory':
(.text+0x29149): undefined reference to `pthread_mutex_unlock'
/usr/lib/gcc/x86_64-linux-gnu/6/libgcc_eh.a(unwind-dw2-fde-dip.o): In function `__register_frame_info.part.4':
(.text+0x1692): undefined reference to `pthread_mutex_lock'
/usr/lib/gcc/x86_64-linux-gnu/6/libgcc_eh.a(unwind-dw2-fde-dip.o): In function `__register_frame_info_bases':
(.text+0x1717): undefined reference to `pthread_mutex_lock'
/usr/lib/gcc/x86_64-linux-gnu/6/libgcc_eh.a(unwind-dw2-fde-dip.o): In function `__register_frame_info_table_bases':
(.text+0x17eb): undefined reference to `pthread_mutex_lock'
/usr/lib/gcc/x86_64-linux-gnu/6/libgcc_eh.a(unwind-dw2-fde-dip.o): In function `__deregister_frame_info_bases':
(.text+0x188e): undefined reference to `pthread_mutex_lock'
/usr/lib/gcc/x86_64-linux-gnu/6/libgcc_eh.a(unwind-dw2-fde-dip.o): In function `__deregister_frame_info_bases':
(.text+0x1916): undefined reference to `pthread_mutex_unlock'
/usr/lib/gcc/x86_64-linux-gnu/6/libgcc_eh.a(unwind-dw2-fde-dip.o): In function `_Unwind_Find_FDE':
(.text+0x19e8): undefined reference to `pthread_mutex_lock'
/usr/lib/gcc/x86_64-linux-gnu/6/libgcc_eh.a(unwind-dw2-fde-dip.o): In function `_Unwind_Find_FDE':
(.text+0x1a32): undefined reference to `pthread_mutex_unlock'
/usr/lib/gcc/x86_64-linux-gnu/6/libgcc_eh.a(unwind-dw2-fde-dip.o): In function `_Unwind_Find_FDE':
(.text+0x1b2b): undefined reference to `pthread_mutex_unlock'
/usr/lib/gcc/x86_64-linux-gnu/6/libgcc_eh.a(unwind-dw2-fde-dip.o): In function `__register_frame_info.part.4':
(.text+0x16b1): undefined reference to `pthread_mutex_unlock'
/usr/lib/gcc/x86_64-linux-gnu/6/libgcc_eh.a(unwind-dw2-fde-dip.o): In function `__register_frame_info_bases':
(.text+0x1736): undefined reference to `pthread_mutex_unlock'
/usr/lib/gcc/x86_64-linux-gnu/6/libgcc_eh.a(unwind-dw2-fde-dip.o): In function `__register_frame_info_table_bases':
(.text+0x180a): undefined reference to `pthread_mutex_unlock'
collect2: error: ld returned 1 exit status
objs/Makefile:226: recipe for target 'objs/nginx' failed
make[1]: *** [objs/nginx] Error 1
make[1]: Leaving directory '/tmp/nginx-static/nginx-1.13.4'
Makefile:8: recipe for target 'build' failed
make: *** [build] Error 2

Am I missing anything?
I tried passing various static instructions to CC/LD as seen for example here: https://trac.nginx.org/nginx/ticket/903.

What's the right way to do this?
Thank you for your help.

--
Claudiu

From mdounin at mdounin.ru Mon Aug 14 13:44:58 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Mon, 14 Aug 2017 16:44:58 +0300
Subject: Nginx1.13.4 static on Debian 9 (Stretch)
In-Reply-To:
References:
Message-ID: <20170814134458.GT93611@mdounin.ru>

Hello!

On Mon, Aug 14, 2017 at 04:15:00PM +0300, Claudiu Rad wrote:

> Hello,
>
> I'm trying a static build of nginx. Sorry if this may have been answered
> before but I couldn't find anything closer than
> https://trac.nginx.org/nginx/ticket/903.
> Downloaded http://nginx.org/download/nginx-1.13.4.tar.gz. In the sources
> folder:
>
> ./configure --prefix=/opt/nginx --with-cc-opt="-static -static-libgcc" --with-ld-opt="-Bstatic -static -static-libgcc -static-libstdc++"
>
> Build fails with the following result
>
> ...
> objs/ngx_modules.o \
> -Bstatic -static -static-libgcc -static-libstdc++ -ldl -lpthread -lcrypt -lpcre -lz
> objs/src/core/nginx.o: In function `ngx_load_module':
> /tmp/nginx-static/nginx-1.13.4/src/core/nginx.c:1522: warning: Using 'dlopen' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
> objs/src/os/unix/ngx_process_cycle.o: In function `ngx_worker_process_init':
> /tmp/nginx-static/nginx-1.13.4/src/os/unix/ngx_process_cycle.c:835: warning: Using 'initgroups' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
> objs/src/core/nginx.o: In function `ngx_set_user':
> /tmp/nginx-static/nginx-1.13.4/src/core/nginx.c:1228: warning: Using 'getgrnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
> /tmp/nginx-static/nginx-1.13.4/src/core/nginx.c:1216: warning: Using 'getpwnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
> objs/src/core/ngx_inet.o: In function `ngx_inet_resolve_host':
> /tmp/nginx-static/nginx-1.13.4/src/core/ngx_inet.c:1127: warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
> /usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libpcre.a(libpcre_la-pcre_jit_compile.o): In function `sljit_generate_code':
> (.text+0x816): undefined reference to `pthread_mutex_lock'
> /usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libpcre.a(libpcre_la-pcre_jit_compile.o): In function `sljit_generate_code':
> (.text+0x91b): undefined reference to `pthread_mutex_unlock'

[...]

> Am I missing anything? I tried passing various static instructions to
> CC/LD as seen for example here: https://trac.nginx.org/nginx/ticket/903.
>
> What's the right way to do this?

Build fails because PCRE requires `-lpthread` on your system.
Try something like

    ./configure --with-ld-opt="-static -lpcre -lpthread" ...

See https://trac.nginx.org/nginx/ticket/859 for additional details.

--
Maxim Dounin
http://nginx.org/

From jazzman at misalpina.net Mon Aug 14 17:59:16 2017
From: jazzman at misalpina.net (Claudiu Rad)
Date: Mon, 14 Aug 2017 20:59:16 +0300
Subject: Nginx1.13.4 static on Debian 9 (Stretch)
In-Reply-To: <20170814134458.GT93611@mdounin.ru>
References: <20170814134458.GT93611@mdounin.ru>
Message-ID:

On 8/14/2017 4:44 PM, Maxim Dounin wrote:
> Hello!
>
> On Mon, Aug 14, 2017 at 04:15:00PM +0300, Claudiu Rad wrote:
>
>> Hello,
>>
>> I'm trying a static build of nginx. Sorry if this may have been answered
>> before but I couldn't find anything closer than
>> https://trac.nginx.org/nginx/ticket/903.
>> Downloaded http://nginx.org/download/nginx-1.13.4.tar.gz. In the sources
>> folder:
>>
>> ./configure --prefix=/opt/nginx --with-cc-opt="-static -static-libgcc" --with-ld-opt="-Bstatic -static -static-libgcc -static-libstdc++"
>>
>> Build fails with the following result
>>
>> ...
>> objs/ngx_modules.o \
>> -Bstatic -static -static-libgcc -static-libstdc++ -ldl -lpthread -lcrypt -lpcre -lz
>> objs/src/core/nginx.o: In function `ngx_load_module':
>> /tmp/nginx-static/nginx-1.13.4/src/core/nginx.c:1522: warning: Using 'dlopen' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
>> objs/src/os/unix/ngx_process_cycle.o: In function `ngx_worker_process_init':
>> /tmp/nginx-static/nginx-1.13.4/src/os/unix/ngx_process_cycle.c:835: warning: Using 'initgroups' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
>> objs/src/core/nginx.o: In function `ngx_set_user':
>> /tmp/nginx-static/nginx-1.13.4/src/core/nginx.c:1228: warning: Using 'getgrnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
>> /tmp/nginx-static/nginx-1.13.4/src/core/nginx.c:1216: warning: Using 'getpwnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
>> objs/src/core/ngx_inet.o: In function `ngx_inet_resolve_host':
>> /tmp/nginx-static/nginx-1.13.4/src/core/ngx_inet.c:1127: warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
>> /usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libpcre.a(libpcre_la-pcre_jit_compile.o): In function `sljit_generate_code':
>> (.text+0x816): undefined reference to `pthread_mutex_lock'
>> /usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libpcre.a(libpcre_la-pcre_jit_compile.o): In function `sljit_generate_code':
>> (.text+0x91b): undefined reference to `pthread_mutex_unlock'
> [...]
>
>> Am I missing anything? I tried passing various static instructions to
>> CC/LD as seen for example here: https://trac.nginx.org/nginx/ticket/903.
>>
>> What's the right way to do this?
> Build fails because PCRE requires `-lpthread` on your system.
> Try something like
>
> ./configure --with-ld-opt="-static -lpcre -lpthread" ...

Thank you!
Indeed, using

    ./configure --prefix=/opt/nginx --with-ld-opt="-static -lpcre -lpthread"

I only get the following warnings for now:

objs/ngx_modules.o \
-static -lpcre -lpthread -ldl -lcrypt -lpcre -lz
objs/src/core/nginx.o: In function `ngx_load_module':
/tmp/nginx-static/nginx-1.13.4/src/core/nginx.c:1522: warning: Using 'dlopen' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
objs/src/os/unix/ngx_process_cycle.o: In function `ngx_worker_process_init':
/tmp/nginx-static/nginx-1.13.4/src/os/unix/ngx_process_cycle.c:835: warning: Using 'initgroups' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
objs/src/core/nginx.o: In function `ngx_set_user':
/tmp/nginx-static/nginx-1.13.4/src/core/nginx.c:1228: warning: Using 'getgrnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/tmp/nginx-static/nginx-1.13.4/src/core/nginx.c:1216: warning: Using 'getpwnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
objs/src/core/ngx_inet.o: In function `ngx_inet_resolve_host':
/tmp/nginx-static/nginx-1.13.4/src/core/ngx_inet.c:1127: warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking

So, first question, maybe a beginner's one, sorry, don't have much experience with this: How should I treat these warnings?
I want to deploy the static build on multiple machines, most of them running Debian 8, thus, an older version. Are there things that would not work because I don't have exactly the same library versions?

Second thing is that I want to add SSL support of course. Simply adding --with-http_ssl_module would not work until I replaced -lpthread with -pthread option to LD. Downloaded the latest release: https://www.openssl.org/source/openssl-1.1.0f.tar.gz and tried:

    ./configure --prefix=/opt/nginx --with-http_ssl_module --with-ld-opt="-static -lpcre -pthread" --with-openssl=../openssl-1.1.0f

This works, but when actually trying to run it, I get:

    /opt/nginx/sbin/nginx
    Illegal instruction

And it doesn't start of course. I also tried using the OpenSSL system library, thus omitting --with-openssl= but it's the same.
Any suggestions?

--
Claudiu

From nginx-forum at forum.nginx.org Tue Aug 15 01:36:23 2017
From: nginx-forum at forum.nginx.org (BronyGuo)
Date: Mon, 14 Aug 2017 21:36:23 -0400
Subject: SSL pass through
In-Reply-To:
References:
Message-ID: <274c02f42c0f8a6db5501bb3471e791f.NginxMailingListEnglish@forum.nginx.org>

https://accounts.google.com/o/oauth2/approval/v2/approvalnativeapp?auto=false&response=code%3D4%2FyABgYKIKME6bWlve2h5aP-MhuCA3XpUVMACv2D4ArnM&approvalCode=4%2FyABgYKIKME6bWlve2h5aP-MhuCA3XpUVMACv2D4ArnM

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,234641,276064#msg-276064

From nginx-forum at forum.nginx.org Tue Aug 15 09:47:23 2017
From: nginx-forum at forum.nginx.org (foxgab)
Date: Tue, 15 Aug 2017 05:47:23 -0400
Subject: is proxy_read_timeout effects for a slow response?
Message-ID: <6ab453f605bff502cdce81fc68ef0577.NginxMailingListEnglish@forum.nginx.org>

if nginx connect to a proxied server successfully, but the server takes a long time before starting to send the response, will proxy_read_timeout directive effect? if not, is there any other directive do that timeout kind work?
when proxy_next_upstream is set to "off", which status code will be respond if timeout?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,276066,276066#msg-276066

From jazzman at misalpina.net Wed Aug 16 12:38:28 2017
From: jazzman at misalpina.net (Claudiu Rad)
Date: Wed, 16 Aug 2017 15:38:28 +0300
Subject: Nginx1.13.4 static on Debian 9 (Stretch)
In-Reply-To:
References: <20170814134458.GT93611@mdounin.ru>
Message-ID: <487a5376-f50e-3874-b6df-cda0aec4a1be@misalpina.net>

On 8/14/2017 8:59 PM, Claudiu Rad wrote:
>
>
> On 8/14/2017 4:44 PM, Maxim Dounin wrote:
>> Hello!
>>
>> On Mon, Aug 14, 2017 at 04:15:00PM +0300, Claudiu Rad wrote:
>>
>>> Hello,
>>>
>>> I'm trying a static build of nginx. Sorry if this may have been
>>> answered
>>> before but I couldn't find anything closer than
>>> https://trac.nginx.org/nginx/ticket/903.
>>> Downloaded http://nginx.org/download/nginx-1.13.4.tar.gz. In the
>>> sources
>>> folder:
>>>
>>> ./configure --prefix=/opt/nginx --with-cc-opt="-static
>>> -static-libgcc" --with-ld-opt="-Bstatic -static -static-libgcc
>>> -static-libstdc++"
>>>
>>> Build fails with the following result
>>>
>>> ...
>>> objs/ngx_modules.o \
>>> -Bstatic -static -static-libgcc -static-libstdc++ -ldl -lpthread
>>> -lcrypt -lpcre -lz
>>> objs/src/core/nginx.o: In function `ngx_load_module':
>>> /tmp/nginx-static/nginx-1.13.4/src/core/nginx.c:1522: warning: Using
>>> 'dlopen' in statically linked applications requires at runtime the
>>> shared libraries from the glibc version used for linking
>>> objs/src/os/unix/ngx_process_cycle.o: In function
>>> `ngx_worker_process_init':
>>> /tmp/nginx-static/nginx-1.13.4/src/os/unix/ngx_process_cycle.c:835:
>>> warning: Using 'initgroups' in statically linked applications
>>> requires at runtime the shared libraries from the glibc version used
>>> for linking
>>> objs/src/core/nginx.o: In function `ngx_set_user':
>>> /tmp/nginx-static/nginx-1.13.4/src/core/nginx.c:1228: warning: Using
>>> 'getgrnam' in statically linked applications requires at runtime the
>>> shared libraries from the glibc version used for linking
>>> /tmp/nginx-static/nginx-1.13.4/src/core/nginx.c:1216: warning: Using
>>> 'getpwnam' in statically linked applications requires at runtime the
>>> shared libraries from the glibc version used for linking
>>> objs/src/core/ngx_inet.o: In function `ngx_inet_resolve_host':
>>> /tmp/nginx-static/nginx-1.13.4/src/core/ngx_inet.c:1127: warning:
>>> Using 'getaddrinfo' in statically linked applications requires at
>>> runtime the shared libraries from the glibc version used for linking
>>> /usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libpcre.a(libpcre_la-pcre_jit_compile.o):
>>> In function `sljit_generate_code':
>>> (.text+0x816): undefined reference to `pthread_mutex_lock'
>>> /usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libpcre.a(libpcre_la-pcre_jit_compile.o):
>>> In function `sljit_generate_code':
>>> (.text+0x91b): undefined reference to `pthread_mutex_unlock'
>> [...]
>>
>>> Am I missing anything? I tried passing various static instructions to
>>> CC/LD as seen for example here:
>>> https://trac.nginx.org/nginx/ticket/903.
>>>
>>> What's the right way to do this?
>> Build fails because PCRE requires `-lpthread` on your system.
>> Try something like
>>
>> ./configure --with-ld-opt="-static -lpcre -lpthread" ...
>
> Thank you!
> Indeed, using
>
> ./configure --prefix=/opt/nginx --with-ld-opt="-static -lpcre -lpthread"
>
> I only get the following warnings for now:
>
> objs/ngx_modules.o \
> -static -lpcre -lpthread -ldl -lcrypt -lpcre -lz
> objs/src/core/nginx.o: In function `ngx_load_module':
> /tmp/nginx-static/nginx-1.13.4/src/core/nginx.c:1522: warning: Using
> 'dlopen' in statically linked applications requires at runtime the
> shared libraries from the glibc version used for linking
> objs/src/os/unix/ngx_process_cycle.o: In function
> `ngx_worker_process_init':
> /tmp/nginx-static/nginx-1.13.4/src/os/unix/ngx_process_cycle.c:835:
> warning: Using 'initgroups' in statically linked applications requires
> at runtime the shared libraries from the glibc version used for linking
> objs/src/core/nginx.o: In function `ngx_set_user':
> /tmp/nginx-static/nginx-1.13.4/src/core/nginx.c:1228: warning: Using
> 'getgrnam' in statically linked applications requires at runtime the
> shared libraries from the glibc version used for linking
> /tmp/nginx-static/nginx-1.13.4/src/core/nginx.c:1216: warning: Using
> 'getpwnam' in statically linked applications requires at runtime the
> shared libraries from the glibc version used for linking
> objs/src/core/ngx_inet.o: In function `ngx_inet_resolve_host':
> /tmp/nginx-static/nginx-1.13.4/src/core/ngx_inet.c:1127: warning:
> Using 'getaddrinfo' in statically linked applications requires at
> runtime the shared libraries from the glibc version used for linking
>
> So, first question, maybe a beginner's one, sorry, don't have much
> experience with this: How should I treat these warnings? I want to
> deploy the static build on multiple machines, most of them running
> Debian 8, thus, an older version. Are there things that would not work
> because I don't have exactly the same library versions?
>
> Second thing is that I want to add SSL support of course. Simply
> adding --with-http_ssl_module would not work until I replaced
> -lpthread with -pthread option to LD. Downloaded the latest release:
> https://www.openssl.org/source/openssl-1.1.0f.tar.gz and tried:
>
> ./configure --prefix=/opt/nginx --with-http_ssl_module
> --with-ld-opt="-static -lpcre -pthread" --with-openssl=../openssl-1.1.0f
>
> This works, but when actually trying to run it, I get:
>
> /opt/nginx/sbin/nginx
> Illegal instruction
>
> And it doesn't start of course. I also tried using the OpenSSL system
> library, thus omitting --with-openssl= but its the same.
> Any suggestions?

It seems that using older 1.0.2 series works in this scenario:

    ./configure --prefix=/opt/nginx --with-http_ssl_module --with-ld-opt="-static -lpcre -pthread" --with-openssl=../openssl-1.0.2l

So the combination of Debian 9 + OpenSSL 1.1.0 series no longer allows building a valid static binary. At least not with the previous arguments.
Is there something I am missing?

Where should I file a bug report if this is a bug of some sort?

--
Claudiu

From mdounin at mdounin.ru Wed Aug 16 14:03:50 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 16 Aug 2017 17:03:50 +0300
Subject: Nginx1.13.4 static on Debian 9 (Stretch)
In-Reply-To: <487a5376-f50e-3874-b6df-cda0aec4a1be@misalpina.net>
References: <20170814134458.GT93611@mdounin.ru> <487a5376-f50e-3874-b6df-cda0aec4a1be@misalpina.net>
Message-ID: <20170816140350.GP93611@mdounin.ru>

Hello!

On Wed, Aug 16, 2017 at 03:38:28PM +0300, Claudiu Rad wrote:

[...]

> > I only get the following warnings for now:
> >
> > objs/ngx_modules.o \
> > -static -lpcre -lpthread -ldl -lcrypt -lpcre -lz
> > objs/src/core/nginx.o: In function `ngx_load_module':
> > /tmp/nginx-static/nginx-1.13.4/src/core/nginx.c:1522: warning: Using
> > 'dlopen' in statically linked applications requires at runtime the
> > shared libraries from the glibc version used for linking
> > objs/src/os/unix/ngx_process_cycle.o: In function
> > `ngx_worker_process_init':
> > /tmp/nginx-static/nginx-1.13.4/src/os/unix/ngx_process_cycle.c:835:
> > warning: Using 'initgroups' in statically linked applications requires
> > at runtime the shared libraries from the glibc version used for linking
> > objs/src/core/nginx.o: In function `ngx_set_user':
> > /tmp/nginx-static/nginx-1.13.4/src/core/nginx.c:1228: warning: Using
> > 'getgrnam' in statically linked applications requires at runtime the
> > shared libraries from the glibc version used for linking
> > /tmp/nginx-static/nginx-1.13.4/src/core/nginx.c:1216: warning: Using
> > 'getpwnam' in statically linked applications requires at runtime the
> > shared libraries from the glibc version used for linking
> > objs/src/core/ngx_inet.o: In function `ngx_inet_resolve_host':
> > /tmp/nginx-static/nginx-1.13.4/src/core/ngx_inet.c:1127: warning:
> > Using 'getaddrinfo' in statically linked applications requires at
> > runtime the shared libraries from the glibc version used for linking
> >
> > So, first question, maybe a beginner's one, sorry, don't have much
> > experience with this: How should I treat these warnings? I want to
> > deploy the static build on multiple machines, most of them running
> > Debian 8, thus, an older version. Are there things that would not work
> > because I don't have exactly the same library versions?

I wouldn't recommend running such a binary on machines not exactly matching the one it was built on. Moreover, make sure to rebuild the binary on any upgrades which affect the libraries in question.
Note well that mismatch of libraries might not be directly visible, that is, compiled binary will run mostly fine, but will experience obscure and seemingly random bugs / crashes.

> > Second thing is that I want to add SSL support of course. Simply
> > adding --with-http_ssl_module would not work until I replaced
> > -lpthread with -pthread option to LD. Downloaded the latest release:
> > https://www.openssl.org/source/openssl-1.1.0f.tar.gz and tried:
> >
> > ./configure --prefix=/opt/nginx --with-http_ssl_module
> > --with-ld-opt="-static -lpcre -pthread" --with-openssl=../openssl-1.1.0f
> >
> > This works, but when actually trying to run it, I get:
> >
> > /opt/nginx/sbin/nginx
> > Illegal instruction
> >
> > And it doesn't start of course. I also tried using the OpenSSL system
> > library, thus omitting --with-openssl= but its the same.
> > Any suggestions?
>
> It seems that using older 1.0.2 series works in this scenario:
>
> ./configure --prefix=/opt/nginx --with-http_ssl_module
> --with-ld-opt="-static -lpcre -pthread" --with-openssl=../openssl-1.0.2l
>
> So the combination of Debian 9 + OpenSSL 1.1.0 series no longer allows
> building a valid static binary. At least not with the previous arguments.
> Is there something I am missing?
>
> Where should I file a bug report if this is a bug of some sort?

You may want to try to look into backtrace to find out what exactly happens. I would suggest that there is something in OpenSSL 1.1.0, though I may be wrong.

--
Maxim Dounin
http://nginx.org/

From nginx-forum at forum.nginx.org Thu Aug 17 06:34:20 2017
From: nginx-forum at forum.nginx.org (ptcell)
Date: Thu, 17 Aug 2017 02:34:20 -0400
Subject: Is there a wait to get at a module's main conf inside the loc conf's init?
In-Reply-To: <20170810104349.GN93611@mdounin.ru>
References: <20170810104349.GN93611@mdounin.ru>
Message-ID: <6cfd66c463df98a2ebaff75677edf55f.NginxMailingListEnglish@forum.nginx.org>

Maxim Dounin Wrote:
-------------------------------------------------------
>
> Try ngx_http_conf_get_module_main_conf().
>
> (Doing so in the create_loc_conf callback is probably pointless
> though, as main conf contents can be changed later.)
>
> --
> Maxim Dounin
> http://nginx.org/

On a related note, is there a way to get the my module's main/srv/loc conf_t instances from the cycle instance passed to the worker process init callback in my module? I see my conf objects created and put into the ctx object before the worker process init is called, so I think they're there.

From reading the code, I tried something like:

    #define ngx_http_cycle_get_module_main_conf(cf, module) \
        ((ngx_http_conf_ctx_t *) (cycle)->conf_ctx)->main_conf[(module).ctx_index]

    /* declared as init process in ngx_module_t */
    static ngx_int_t ngx_my_init_worker_process(ngx_cycle_t *cycle) {
        ngx_http_my_module_conf_t *main_conf;
        main_conf = ngx_http_cycle_get_module_main_conf(cycle, ngx_http_my_module);
    }

but that either just returned Nulls or crashed. I suspect there's a simpler way.

Thank you very much!

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275998,276080#msg-276080

From mdounin at mdounin.ru Thu Aug 17 12:39:30 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Thu, 17 Aug 2017 15:39:30 +0300
Subject: Is there a wait to get at a module's main conf inside the loc conf's init?
In-Reply-To: <6cfd66c463df98a2ebaff75677edf55f.NginxMailingListEnglish@forum.nginx.org>
References: <20170810104349.GN93611@mdounin.ru> <6cfd66c463df98a2ebaff75677edf55f.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170817123930.GT93611@mdounin.ru>

Hello!

On Thu, Aug 17, 2017 at 02:34:20AM -0400, ptcell wrote:

> Maxim Dounin Wrote:
> -------------------------------------------------------
> >
> > Try ngx_http_conf_get_module_main_conf().
> >
> > (Doing so in the create_loc_conf callback is probably pointless
> > though, as main conf contents can be changed later.)
>
> On a related note, is there a way to get the my module's main/srv/loc conf_t
> instances from the cycle instance passed to the worker process init callback
> in my module? I see my conf objects created and put into the ctx object
> before the worker process init is called, so I think there there.

This is something generally better to avoid (because getting a module configuration from a cycle implies that there can be only one http{} block), but it is certainly possible to obtain main configuration via ngx_http_cycle_get_module_main_conf(). For an example, see ngx_http_perl_init_worker() in the perl module:

http://hg.nginx.org/nginx/file/tip/src/http/modules/perl/ngx_http_perl_module.c#l1041

> From reading the code, I tried something like:
>
> #define ngx_http_cycle_get_module_main_conf(cf, module)
> \
> ((ngx_http_conf_ctx_t *)
> (cycle)->conf_ctx)->main_conf[(module).ctx_index]

It is not clear where you get this macro. Defined it yourself? You certainly did it wrong. Correct macro is defined in src/http/ngx_http_config.h as follows:

    #define ngx_http_cycle_get_module_main_conf(cycle, module)                    \
        (cycle->conf_ctx[ngx_http_module.index] ?                                 \
            ((ngx_http_conf_ctx_t *) cycle->conf_ctx[ngx_http_module.index])      \
                ->main_conf[module.ctx_index]:                                    \
            NULL)

You don't need to redefine it, just use it as is.

-- 
Maxim Dounin
http://nginx.org/

From francis at daoine.org Thu Aug 17 19:35:48 2017
From: francis at daoine.org (Francis Daly)
Date: Thu, 17 Aug 2017 20:35:48 +0100
Subject: Reverse proxy for multiple domains
In-Reply-To: <1000849938.2050287.1502399834765@mail.yahoo.com>
References: <1000849938.2050287.1502399834765.ref@mail.yahoo.com> <1000849938.2050287.1502399834765@mail.yahoo.com>
Message-ID: <20170817193548.GJ365@daoine.org>

On Thu, Aug 10, 2017 at 09:17:14PM +0000, Mik J via nginx wrote:

Hi there,

> I have application1.org and application2.org.
>
> The client requesting these URLs, arrives on the reverse proxy.
>
> On this reverse proxy I have a virtual host which looks like that
>
> server {
>     server_name application1.org;
>     location ^~ / {
>         proxy_pass http://10.1.1.10:80/app/application1/;
>     }
>
> And another virtual host for application2 which is similar with
>
> proxy_pass http://10.1.1.10:80/app/application2/;
>
>
> The server behind the reverse proxy is the same right now
> 1) Is it the right way to do this ?

I think that trying to reverse-proxy an application at a different part of the url tree to where the app thinks it is installed, is difficult.

So if application1 believes that it is installed at /app/application1, I would suggest to expose that to the world. (Or: if you want the world to see it at /, then configure the internal server so that it is at / there too.)

Then your external config is mostly just "proxy_pass http://10.1.1.10:80;", possibly with "location = / { return 301 /application/app1/; }"

The *internal* config could probably have one server{} for each application as well.

> 2) When I access the application from Internet using application1.org, I am redirected to application1.org/app/application1 I don't know why. And I have to add one more section on the reverse proxy
> Is there a better way to do it ?

I'm not sure why that extra section is necessary, unless the "..." part of your config is important.

	f
-- 
Francis Daly        francis at daoine.org

From francis at daoine.org Thu Aug 17 19:54:10 2017
From: francis at daoine.org (Francis Daly)
Date: Thu, 17 Aug 2017 20:54:10 +0100
Subject: is proxy_read_timeout effects for a slow response?
In-Reply-To: <6ab453f605bff502cdce81fc68ef0577.NginxMailingListEnglish@forum.nginx.org>
References: <6ab453f605bff502cdce81fc68ef0577.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170817195410.GK365@daoine.org>

On Tue, Aug 15, 2017 at 05:47:23AM -0400, foxgab wrote:

Hi there,

> if nginx connect to a proxied server successfully, but the server takes a
> long time before starting to send the response, will proxy_read_timeout
> directive effect? if not, is there any other directive do that timeout kind
> work?

The documentation at http://nginx.org/r/proxy_read_timeout suggests "yes".

A quick test indicates that it does:

In one shell, a listener that will be slow to respond:

    nc -l 127.0.0.1:10880

nginx.conf:

    server {
        location / {
            proxy_read_timeout 6;
            proxy_pass http://127.0.0.1:10880;
        }
    }

Test command:

    date; curl -v http://127.0.0.1/test; date

I get a http response after 6 seconds.

> when proxy_next_upstream is set to "off", which status code will be respond
> if timeout?

"Gateway Timeout" is 504.

	f
-- 
Francis Daly        francis at daoine.org

From mikydevel at yahoo.fr Fri Aug 18 07:01:26 2017
From: mikydevel at yahoo.fr (Mik J)
Date: Fri, 18 Aug 2017 07:01:26 +0000 (UTC)
Subject: Reverse proxy for multiple domains
In-Reply-To: <20170817193548.GJ365@daoine.org>
References: <1000849938.2050287.1502399834765.ref@mail.yahoo.com> <1000849938.2050287.1502399834765@mail.yahoo.com> <20170817193548.GJ365@daoine.org>
Message-ID: <247167420.97630.1503039686513@mail.yahoo.com>

Thank you Francis for your answer

Actually it does this with a simple index.html page
# cat index.html
TEST

What would you do if you had ?
CLIENT <-> INTERNET <->Reverse_Proxy<->Web_Server
On the web server I just use one default virtual host with multiple sections.
That's because the pages are called by the reverse proxy server like http://10.1.1.10:80/app/application1/; and it can't use a FQDN because it's in a private addressing
Is there a way that the reverse proxy connects to 10.1.1.10 but pretend the GET/POST queries use application1.org ?
I'd prefer my application would be accessible by www.application1.org than www.application1.org/app/application1 like right now

On Thursday 17 August 2017 at 21:35, Francis Daly wrote:

On Thu, Aug 10, 2017 at 09:17:14PM +0000, Mik J via nginx wrote:

Hi there,

> I have application1.org and application2.org.
>
> The client requesting these URLs, arrives on the reverse proxy.
>
> On this reverse proxy I have a virtual host which looks like that
>
> server {
>     server_name application1.org;
>     location ^~ / {
>         proxy_pass http://10.1.1.10:80/app/application1/;
>     }
>
> And another virtual host for application2 which is similar with
>
> proxy_pass http://10.1.1.10:80/app/application2/;
>
>
> The server behind the reverse proxy is the same right now
> 1) Is it the right way to do this ?

I think that trying to reverse-proxy an application at a different part of the url tree to where the app thinks it is installed, is difficult.

So if application1 believes that it is installed at /app/application1, I would suggest to expose that to the world. (Or: if you want the world to see it at /, then configure the internal server so that it is at / there too.)

Then your external config is mostly just "proxy_pass http://10.1.1.10:80;", possibly with "location = / { return 301 /application/app1/; }"

The *internal* config could probably have one server{} for each application as well.

> 2) When I access the application from Internet using application1.org, I am redirected to application1.org/app/application1 I don't know why. And I have to add one more section on the reverse proxy
> Is there a better way to do it ?

I'm not sure why that extra section is necessary, unless the "..."
part of your config is important.

	f
-- 
Francis Daly        francis at daoine.org

From agentzh at gmail.com Fri Aug 18 23:27:12 2017
From: agentzh at gmail.com (Yichun Zhang (agentzh))
Date: Fri, 18 Aug 2017 16:27:12 -0700
Subject: [ANN] OpenResty 1.11.2.5 released
Message-ID:

Hi folks,

I am excited to announce the new formal release, 1.11.2.5, of the OpenResty web platform based on NGINX and LuaJIT:

https://openresty.org/en/download.html

Both the (portable) source code distribution, the Win32 binary distribution, and the pre-built binary Linux packages for all those common Linux distributions are provided on this Download page.

Special thanks go to all our developers and contributors! And thanks OpenResty Inc. for sponsoring most of the OpenResty core development work.

We did not have enough time to upgrade the bundled NGINX core in this release as originally planned. Sorry about that. We'll definitely try upgrading the NGINX core to the mainstream 1.13.4+ versions in the next OpenResty release.

We have the following highlights in this release:

1. New real-time in-memory nginx error log capturing API. Now it's easy to inspect nginx error logs on the Lua land without accessing any files.
2. Ability to launch a privileged agent process under the master, which runs under the same system account as master. This process does not handle any incoming traffic, but can do system operations work and nginx master management via signals. The user can run Lua code in this special process via init_worker_by_lua*. This does not work on Win32 though.
3. Now the Lua light threads can voluntarily yield the execution control to the nginx event loop without introducing any extra delays (previously it requires an extra delay of at least 1 millisecond). This is achieved by the ngx.sleep(0) call on the Lua land.
4. New ngx.timer.every() Lua API for easily creating recurring timers on the Lua land.
5. New Lua API function for tuning the JIT stack size of PCRE.
6. New Lua API for fetching the current nginx error_log filtering level in effect.
7. Now we search for LuaJIT bytecode files *.ljbc in the default Lua module search paths before searching *.lua files.
8. Enforces nginx to do graceful shutdown even in single process mode (i.e., master_process is off). This does not work on Win32 though.

The complete change log since the last (formal) release, 1.11.2.4:

* feature: applied a patch to the nginx core to make the nginx variable $proxy_add_x_forwarded_for accessible on Lua land. thanks spacewander for the patch.
* feature: added the balancer-status-code patch to the nginx core to allow returning arbitrary HTTP status codes inside upstream balancers. thanks Datong Sun for the patch.
* feature: we now search LuaJIT bytecode files "*.ljbc" before Lua source files "*.lua" in the default Lua module search paths.
* feature: applied the intercept-error-log patch to the nginx core to provide 3rd-party modules a hook to intercept nginx error log data without touching files. 3rd-party modules can register a custom interception hook to "ngx_http_core_main_conf_t.intercept_log_handler". thanks Yuansheng Wang for the patch.
* feature: "./configure": the user flags specified by the "--with-luajit-xcflags=FLAGS" option are not appended to the default flags instead of being prepended. thanks spacewander for the report.
* feature: applied a small patch to the nginx core to add support for the "privileged agent" process which is run by the same system account as the master. thanks Yuansheng Wang for the patch.
* change: applied a patch to the nginx core to turn nginx to openresty in the builtin special response pages' footer. thanks Datong Sun for the patch.
* bugfix: the feature test for SSE 4.2 support did not really check if the local CPU indeed has it. thanks Jukka Raimovaara for the patch.
* bugfix: applied the single-process-graceful-exit patch to the nginx core to fix the issue that nginx fails to perform graceful exit when "master_process" is turned off.
* bugfix: "./configure": the "--without-http_lua_upstream" option alone incorrectly disabled all the Lua stuff.
* feature: applied the delayed-posted-events patch to the nginx core for adding "delayed posted events" which run in the next event cycle with 0 delay. this nginx core feature is needed by the "ngx.sleep(0)" feature in ngx_lua, for example. thanks Datong Sun for the patch.
* change: switched to OpenResty's own fork of "ngx_postgres": https://github.com/openresty/ngx_postgres
* doc: updated the LuaJIT restydoc indexes to the latest version.
* upgraded resty-cli to 0.19.
    * feature: resty: added new command-line option "--errlog-level LEVEL". thanks Michal Cichra for the patch.
    * feature: resty: added new command-line option "--rr" to use "rr record" to run the underlying C process. this is for Mozilla rr recording.
    * feature: resty: added new command-line option "--gdb" to use gdb to run the underlying C process.
    * feature: resty: implemented the "--http-conf CONF" command-line option.
    * feature: added the "--ns IP" command line options to override system (or google) nameservers. thanks Aapo Talvensaari for the patch.
    * bugfix: we did not quote the Lua code chunk names properly.
    * bugfix: bad Lua file names given on the command line might give rise to strange errors and even hanging.
    * bugfix: resty: user created timers and unwaited light threads were not handled gracefully upon exit.
    * bugfix: md2pod.pl: we did not unescape "*".
    * optimize: resty: now we increase the value of lua_regex_cache_max_entries to 40K.
    * doc: made it clear that one should install "openresty-resty" and/or "openresty-doc" if they use the official OpenResty pre-built Linux package repositories.
* upgraded ngx_lua to 0.10.10.
    * feature: added pure C API for tuning the "jit_stack_size" option in PCRE. this is used by the ngx.re library of lua-resty-core. thanks Andreas Lubbe for the patch.
    * feature: added pure C functions "ngx_http_lua_ffi_worker_type()" & "ngx_http_lua_ffi_worker_privileged()" for the ngx.process module in lua-resty-core. thanks Yuansheng Wang for the patch.
    * feature: added new config directive lua_intercept_error_log for capturing nginx error logs on Lua land. the corresponding Lua API is provided by the ngx.errlog module in lua-resty-core. thanks Yuansheng Wang for the patch and Jan Prachař for a bug fix.
    * feature: implemented the ngx.timer.every() API function for creating recurring timers. thanks Dejiang Zhu for the patch.
    * feature: balancer_by_lua*: now the user Lua code can terminate the current request with arbitrary HTTP response status codes via ngx.exit(). thanks Datong Sun for the patch.
    * feature: added pure C API function "ngx_http_lua_ffi_errlog_get_sys_filter_level" for the "ngx.errlog" module's "get_sys_filter_level()" function in the lua-resty-core library. thanks spacewander for the patch.
    * feature: "ngx.sleep(0)" now always yields the control to the nginx event loop. this can be used to do voluntary CPU time slicing when running CPU intensive computations on the Lua land and to avoid such computations from blocking the nginx event loop for too long. this feature requires OpenResty's delayed-posted-event patch for the nginx core. thanks Datong Sun for the patch.
    * feature: added new pure C API "ngx_http_lua_ffi_process_signal_graceful_exit()" for the signal_graceful_exit() function of the ngx.process module in lua-resty-core.
    * feature: nginx 1.11.11+ can now build with this module. note: nginx 1.11.11+ are still not an officially supported target yet. thanks Andrei Belov for the patch.
    * bugfix: the running timer counter might go out of sync when non-timer handlers using fake requests are involved (like ssl_certificate_by_lua* and ssl_session_fetch_by_lua*). thanks guanglinlv for the patch.
    * bugfix: ngx.encode_args() did not escape "|", ",", "$", "@", and "`". it is now consistent with what Google Chrome's JavaScript API function "encodeURIComponent()" does. thanks goecho for the patch.
    * bugfix: ngx.escape_uri() did not escape "|", ",", "$", "@", and "`".
    * bugfix: segmentation fault would occur when several server {} blocks listen on the same port or unix domain socket file path *and* some of them are using ssl_certificate_by_lua* configurations while some are not. thanks petrovich-ua for the report and original patch.
    * bugfix: the fake requests/connections might leak when memory allocations fail. thanks skyever for the patch.
    * bugfix: segmentation fault might happen when a stale read event happens after the downstream cosocket object is closed. thanks Dejiang Zhu for the report.
    * bugfix: ngx.semaphore: when nginx workers exit, the harmless error message "semaphore gc wait queue is not empty" might be logged. thanks Yuansheng Wang for the patch.
    * bugfix: fixed typos in error messages. thanks spacewander for the patch.
    * refactor: ocsp: removed a useless line of code, which unbreaks the libressl build. thanks Kyra Zimmer for the original patch.
    * doc: fixed a typo in a code example for "ngx.re.match". thanks Ming Wen for the patch.
* upgraded lua-resty-core to 0.1.12.
    * feature: added opt() function to the ngx.re Lua module that accepts the "jit_stack_size" option to tune the JIT stack size of PCRE. thanks Andreas Lubbe for the patch.
    * feature: added new Lua module ngx.process which has functions type() and enable_privileged_agent(). thanks Yuansheng Wang for the patch.
    * feature: added new Lua module ngx.errlog which provides Lua API to capture nginx error log data on Lua land. thanks Yuansheng Wang for the patch.
    * feature: added the new signal_graceful_exit() function to the ngx.process Lua module.
    * feature: ngx.errlog: added the get_sys_filter_level() API function to get the "system" error log filtering level defined in nginx.conf's error_log directive. thanks spacewander for the patch.
    * bugfix: ngx.re: split() might enter infinite loops when the regex yields matches with empty captures. thanks Thibault Charbonnier for the patch.
    * optimize: simplified the "BOOL and true or false" expressions. thanks Evgeny S for the patch.
    * doc: ngx.ssl: added performance notes for set_priv_key() and set_cert(). thanks Filip Slavik for the patch.
    * doc: ngx.balancer: fixed some typos. thanks detailyang for the patch.
    * doc: code example: private keys are usually stored in PEM, so we use the func priv_key_pem_to_der in the example to do the conversion. thanks soul11201 for the patch.
    * doc: ngx.ssl.session: fixed the missing arguments in the code example. thanks soul11201 for the patch.
    * doc: fixed the code examples since directives "ssl_session_*_by_lua*" are no longer allowed in "server {}". thanks Yuansheng Wang for the patch.
* upgraded lua-resty-dns to 0.19.
    * feature: added support for SOA typed queries. thanks Ming Wen for the patch.
* upgraded lua-resty-mysql to 0.20.
    * feature: connect(): added the charset option to specify the connection charset. thanks Wilhelm Liao for the patch.
    * feature: added support for "FIELD_TYPE_DECIMAL" for MySQL servers prior to 5.0 and 5.0. thanks panyingxue for the patch.
    * bugfix: newer versions of MySQL use length-encoded strings for the human readable "info" message in MySQL's "OK packet". thanks zhuanyenan for the report.
* upgraded lua-resty-lock to 0.07.
    * feature: added new method expire() that can change the TTL of the lock being held. thanks Datong Sun for the patch.
* upgraded lua-resty-string to 0.10.
    * bugfix: resty.aes: fixed memory overrun bug when user provided a salt of less than 8 characters but "EVP_BytesToKey()" expects more. disallows salt strings longer than 8 characters to avoid false sense of security. thanks Datong Sun for the patch.
    * refactor: commented out unneeded locals, and removed unused variable declarations. thanks Aapo Talvensaari for the patch.
    * doc: typo fixes from Juarez Bochi.
* upgraded lua-resty-upstream-healthcheck to 0.05.
    * optimize: removed useless code. thanks Yuansheng Wang for the patch.
    * doc: typo fixes from Mike Rostermund.
* upgraded lua-resty-limit-traffic to 0.04.
    * bugfix: reduce race condition between get/incr(key). by using "incr" first, we could avoid overcommits between "get(key)" and "incr(key)". thanks spacewander for the patch.
* upgraded lua-resty-lrucache to 0.07.
    * bugfix: fixed a type mismatch issue found by ?????. the old form still works due to LuaJIT FFI's magic.
* upgraded ngx_lua_upstream to 0.07.
    * bugfix: turning a peer up via set_peer_down() did not reset the peer's "fails" counter, which might get the peer to be marked down again prematurely. thanks letian for the patch.
    * doc: documented the "down" key in the get_primary_peers() result. thanks Kipras Mancevičius for the patch.
* upgraded ngx_echo to 0.61.
    * feature: nginx 1.11.11+ can now build with this module. note: nginx 1.11.11+ are still not an officially supported target yet. thanks Andrei Belov for the patch.
    * doc: minor typo fixes from mrefish and Mathieu Aubin.
    * doc: added a note about the empty values of $echo_client_request_headers in HTTP/2 requests.
* upgraded ngx_postgres to 1.0.
    * feature: fixed compilation errors with nginx 1.9.1+. thanks Vadim A. Misbakh-Soloviov for the original patch.
    * feature: fixed the compilation errors with nginx 1.11.6+.
* upgraded LuaJIT to v2.1-20170808: https://github.com/openresty/luajit2/tags
    * bugfix: FFI C parsers could not parse some C constructs like "__attribute((aligned(N)))" and "#pragma". decoupled hash functions used in comparison (hardcoded) and string table. thanks Shuxin Yang for the patch. this bug had first appeared in v2.1-20170405 (or OpenResty 1.11.2.3).
    * bugfix: fixed a clang warning in "lj_str.c" regarding unused "str_fastcmp()" when macro "LUAJIT_USE_VALGRIND" is defined.
    * imported Mike Pall's latest changes:
        * bugfix: added missing "LJ_MAX_JSLOTS" check, which might lead to JIT stack overflow when exceeding this limit. tracked down the Mozilla rr tool. already merged in upstream LuaJIT.
        * FreeBSD/x64: Avoid changing resource limits, if not needed.
        * PPC: Add soft-float support to interpreter.
        * x64/"LJ_GC64": Fix "emit_rma()".
        * MIPS64: Add soft-float support to JIT compiler backend.
        * MIPS: Fix handling of spare long-range jump slots.
        * MIPS: Use precise search for exit jump patching.
        * Add FOLD rules for mixed BAND/BOR with constants.
        * FFI: Compile bitfield loads/stores.
        * Add workaround for MSVC 2015 stdio changes.
        * MIPS64: Fix stores of MULTRES.
        * MIPS64: Fix write barrier in "BC_USETV".
        * ARM64: Fix stores to vmstate.
        * From Lua 5.2: Add "lua_tonumberx()" and "lua_tointegerx()".
        * From Lua 5.2: Add "luaL_setmetatable()".
        * From Lua 5.2: Add "luaL_testudata()".
        * From Lua 5.3: Add "lua_isyieldable()".
        * From Lua 5.2: Add "lua_copy()".
        * From Lua 5.2: Add "lua_version()".
        * OSX: Fix build with recent XCode.
        * Allow building on Haiku OS. Note: this is not an officially supported target.

The HTML version of the change log with lots of helpful hyper-links can be browsed here:

https://openresty.org/en/changelog-1011002.html

OpenResty is a full-fledged web platform by bundling the standard Nginx core, Lua/LuaJIT, lots of 3rd-party Nginx modules and Lua libraries, as well as most of their external dependencies. See OpenResty's homepage for details:

https://openresty.org/

We have run extensive testing on our Amazon EC2 test cluster and ensured that all the components (including the Nginx core) play well together.
The latest test report can always be found here:

https://qa.openresty.org/

We also always run the latest OpenResty version in our own global CDN network (dubbed "mini CDN") powering our openresty.org and other sites.

Enjoy!

Best regards,
-agentzh

From larry.martell at gmail.com Sat Aug 19 19:59:06 2017
From: larry.martell at gmail.com (Larry Martell)
Date: Sat, 19 Aug 2017 15:59:06 -0400
Subject: nginx and uwsgi in docker in vagrant in vmware - Permission denied on socket
Message-ID:

Don't ask why, but on my mac I am running Windows Server 2016 in VMware. In there I am running Ubuntu in vagrant/Virtual Box. In there I am trying to run a django app in a docker container with nginx/uwsgi.

The socket is being created, but then when I try and connect to the site it fails with this nginx error:

2017/08/19 16:56:29 [crit] 1251#1251: *1 connect() to unix:///opt/django/CAPgraph/app.sock failed (13: Permission denied) while connecting to upstream, client: 10.0.2.2, server: , request: "GET / HTTP/1.1", upstream: "uwsgi://unix:///opt/django/CAPgraph/app.sock:", host: "localhost:9003"

I have verified that the app.sock file and all dirs along the path are 777. The /opt/django/CAPgraph dir is a docker volume mounted from a local dir in the vagrant/Virtual Box VM

How can I debug this further?

From tkadm30 at yandex.com Sat Aug 19 21:20:52 2017
From: tkadm30 at yandex.com (Etienne Robillard)
Date: Sat, 19 Aug 2017 17:20:52 -0400
Subject: nginx and uwsgi in docker in vagrant in vmware - Permission denied on socket
In-Reply-To:
References:
Message-ID:

Have you tried to run uwsgi as root ?

E

On 2017-08-19 at 15:59, Larry Martell wrote:
> Don't ask why, but on my mac I am running Windows Server 2016 in
> VMware. In there I am running Ubuntu in vagrant/Virtual Box. In there
> I am trying to run a django app in a docker container with
> nginx/uwsgi.
>
> The socket is being created, but then when I try and connect to the
> site it fails with this nginx error:
>
> 2017/08/19 16:56:29 [crit] 1251#1251: *1 connect() to
> unix:///opt/django/CAPgraph/app.sock failed (13: Permission denied)
> while connecting to upstream, client: 10.0.2.2, server: , request:
> "GET / HTTP/1.1", upstream:
> "uwsgi://unix:///opt/django/CAPgraph/app.sock:", host:
> "localhost:9003"
>
>
> I have verified that the app.sock file and all dirs along the path are
> 777. The /opt/django/CAPgraph dir is a docker volume mounted from a
> local dir in the vagrant/Virtual Box VM
>
> How can I debug this further?
>

-- 
Etienne Robillard
tkadm30 at yandex.com
http://www.isotopesoftware.ca/

From capile at tecnodz.com Sat Aug 19 22:14:36 2017
From: capile at tecnodz.com (Guilherme Capilé)
Date: Sat, 19 Aug 2017 19:14:36 -0300
Subject: nginx and uwsgi in docker in vagrant in vmware - Permission denied on socket
In-Reply-To:
References:
Message-ID:

Hello,

are you trying to create a linux socket on a directory mounted from a windows disk? afaik, it won't work, it's not only about file permissions, but a socket is a different type of file.

Place the socket somewhere else (like /var/run/aoo.sock).

Cheers,

Guilherme Capilé

On Sat, Aug 19, 2017 at 4:59 PM, Larry Martell wrote:
> Don't ask why, but on my mac I am running Windows Server 2016 in
> VMware. In there I am running Ubuntu in vagrant/Virtual Box. In there
> I am trying to run a django app in a docker container with
> nginx/uwsgi.
>
> The socket is being created, but then when I try and connect to the
> site it fails with this nginx error:
>
> 2017/08/19 16:56:29 [crit] 1251#1251: *1 connect() to
> unix:///opt/django/CAPgraph/app.sock failed (13: Permission denied)
> while connecting to upstream, client: 10.0.2.2, server: , request:
> "GET / HTTP/1.1", upstream:
> "uwsgi://unix:///opt/django/CAPgraph/app.sock:", host:
> "localhost:9003"
>
>
> I have verified that the app.sock file and all dirs along the path are
> 777. The /opt/django/CAPgraph dir is a docker volume mounted from a
> local dir in the vagrant/Virtual Box VM
>
> How can I debug this further?

-- 
Tecnodesign                   [55 21] 3042 4468
https://tecnodz.com           capile at tecnodz.com

From larry.martell at gmail.com Sat Aug 19 23:33:37 2017
From: larry.martell at gmail.com (Larry Martell)
Date: Sat, 19 Aug 2017 19:33:37 -0400
Subject: nginx and uwsgi in docker in vagrant in vmware - Permission denied on socket
In-Reply-To:
References:
Message-ID:

Inside the docker container the dir is /opt/django/CAPgraph/.

That is mounted as a volume in docker from a dir in the vagrant/virtual box VM from /home/vagrant/CAPgraph.

That dir is virtual box disk is created as C:\Users\Administrator\VirtualBox VMs\CAPgraph_default_1503066942637_58036\box-disk1.vmdk in the VMware VM.

That is created on the Mac as /Users/LarryMartell/Documents/Virtual Machines.localized/Windows Server 2016.vmwarevm.

Inside the docker container the file looks like a socket:

# ls -l app.sock
srw-rw-rw- 1 root root 0 Aug 19 16:56 app.sock

uwsgi creates it and binds to it without an error.

On Sat, Aug 19, 2017 at 6:14 PM, Guilherme Capilé via nginx wrote:
> Hello,
>
> are you trying to create a linux socket on a directory mounted from a
> windows disk? afaik, it won't work, it's not only about file
> permissions, but a socket is a different type of file.
>
> Place the socket somewhere else (like /var/run/aoo.sock).
>
> Cheers,
>
> Guilherme Capilé
>
> On Sat, Aug 19, 2017 at 4:59 PM, Larry Martell wrote:
>> Don't ask why, but on my mac I am running Windows Server 2016 in
>> VMware. In there I am running Ubuntu in vagrant/Virtual Box. In there
>> I am trying to run a django app in a docker container with
>> nginx/uwsgi.
>>
>> The socket is being created, but then when I try and connect to the
>> site it fails with this nginx error:
>>
>> 2017/08/19 16:56:29 [crit] 1251#1251: *1 connect() to
>> unix:///opt/django/CAPgraph/app.sock failed (13: Permission denied)
>> while connecting to upstream, client: 10.0.2.2, server: , request:
>> "GET / HTTP/1.1", upstream:
>> "uwsgi://unix:///opt/django/CAPgraph/app.sock:", host:
>> "localhost:9003"
>>
>>
>> I have verified that the app.sock file and all dirs along the path are
>> 777. The /opt/django/CAPgraph dir is a docker volume mounted from a
>> local dir in the vagrant/Virtual Box VM
>>
>> How can I debug this further?

From larry.martell at gmail.com Sun Aug 20 13:52:49 2017
From: larry.martell at gmail.com (Larry Martell)
Date: Sun, 20 Aug 2017 09:52:49 -0400
Subject: nginx and uwsgi in docker in vagrant in vmware - Permission denied on socket
In-Reply-To:
References:
Message-ID:

I changed the socket to be in /var/run and that fixed the issue. But now I am getting a 403 on all the static files, e.g:

2017/08/20 13:42:37 [error] 1140#1140: *8 open() "/opt/django/CAPgraph/static/scripts/bootstrap.min.js" failed (13: Permission denied), client: 10.0.2.2, server: , request: "GET /static/scripts/bootstrap.min.js HTTP/1.1", host: "localhost:9003", referrer: "http://localhost:9003/"

Any ideas on that?

On Sat, Aug 19, 2017 at 7:33 PM, Larry Martell wrote:
> Inside the docker container the dir is /opt/django/CAPgraph/.
>
> That is mounted as a volume in docker from a dir in the
> vagrant/virtual box VM from /home/vagrant/CAPgraph.
>
> That dir is virtual box disk is created as
> C:\Users\Administrator\VirtualBox
> VMs\CAPgraph_default_1503066942637_58036\box-disk1.vmdk in the VMware
> VM.
>
> That is created on the Mac as /Users/LarryMartell/Documents/Virtual
> Machines.localized/Windows Server 2016.vmwarevm.
>
> Inside the docker container the file looks like a socket:
>
> # ls -l app.sock
> srw-rw-rw- 1 root root 0 Aug 19 16:56 app.sock
>
> uwsgi creates it and binds to it without an error.
>
>
>
> On Sat, Aug 19, 2017 at 6:14 PM, Guilherme Capilé via nginx
> wrote:
>> Hello,
>>
>> are you trying to create a linux socket on a directory mounted from a
>> windows disk? afaik, it won't work, it's not only about file
>> permissions, but a socket is a different type of file.
>>
>> Place the socket somewhere else (like /var/run/aoo.sock).
>>
>> Cheers,
>>
>> Guilherme Capilé
>>
>> On Sat, Aug 19, 2017 at 4:59 PM, Larry Martell wrote:
>>> Don't ask why, but on my mac I am running Windows Server 2016 in
>>> VMware. In there I am running Ubuntu in vagrant/Virtual Box. In there
>>> I am trying to run a django app in a docker container with
>>> nginx/uwsgi.
>>>
>>> The socket is being created, but then when I try and connect to the
>>> site it fails with this nginx error:
>>>
>>> 2017/08/19 16:56:29 [crit] 1251#1251: *1 connect() to
>>> unix:///opt/django/CAPgraph/app.sock failed (13: Permission denied)
>>> while connecting to upstream, client: 10.0.2.2, server: , request:
>>> "GET / HTTP/1.1", upstream:
>>> "uwsgi://unix:///opt/django/CAPgraph/app.sock:", host:
>>> "localhost:9003"
>>>
>>>
>>> I have verified that the app.sock file and all dirs along the path are
>>> 777. The /opt/django/CAPgraph dir is a docker volume mounted from a
>>> local dir in the vagrant/Virtual Box VM
>>>
>>> How can I debug this further?

From larry.martell at gmail.com Sun Aug 20 14:11:54 2017
From: larry.martell at gmail.com (Larry Martell)
Date: Sun, 20 Aug 2017 10:11:54 -0400
Subject: nginx and uwsgi in docker in vagrant in vmware - Permission denied on socket
In-Reply-To:
References:
Message-ID:

I found that copying the static files to /var/run (and changing the nginx config) fixed this.

On Sun, Aug 20, 2017 at 9:52 AM, Larry Martell wrote:
> I changed the socket to be in /var/run and that fixed the issue. But
> now I am getting a 403 on all the static files, e.g:
>
> 2017/08/20 13:42:37 [error] 1140#1140: *8 open()
> "/opt/django/CAPgraph/static/scripts/bootstrap.min.js" failed (13:
> Permission denied), client: 10.0.2.2, server: , request: "GET
> /static/scripts/bootstrap.min.js HTTP/1.1", host: "localhost:9003",
> referrer: "http://localhost:9003/"
>
> Any ideas on that?
>
> On Sat, Aug 19, 2017 at 7:33 PM, Larry Martell wrote:
>> Inside the docker container the dir is /opt/django/CAPgraph/.
>>
>> That is mounted as a volume in docker from a dir in the
>> vagrant/virtual box VM from /home/vagrant/CAPgraph.
>>
>> That dir is virtual box disk is created as
>> C:\Users\Administrator\VirtualBox
>> VMs\CAPgraph_default_1503066942637_58036\box-disk1.vmdk in the VMware
>> VM.
>>
>> That is created on the Mac as /Users/LarryMartell/Documents/Virtual
>> Machines.localized/Windows Server 2016.vmwarevm.
>>
>> Inside the docker container the file looks like a socket:
>>
>> # ls -l app.sock
>> srw-rw-rw- 1 root root 0 Aug 19 16:56 app.sock
>>
>> uwsgi creates it and binds to it without an error.
>>
>>
>>
>> On Sat, Aug 19, 2017 at 6:14 PM, Guilherme Capilé via nginx
>> wrote:
>>> Hello,
>>>
>>> are you trying to create a linux socket on a directory mounted from a
>>> windows disk? afaik, it won't work, it's not only about file
>>> permissions, but a socket is a different type of file.
>>>
>>> Place the socket somewhere else (like /var/run/aoo.sock).
>>>
>>> Cheers,
>>>
>>> Guilherme Capilé
>>>
>>> On Sat, Aug 19, 2017 at 4:59 PM, Larry Martell wrote:
>>>> Don't ask why, but on my mac I am running Windows Server 2016 in
>>>> VMware. In there I am running Ubuntu in vagrant/Virtual Box. In there
>>>> I am trying to run a django app in a docker container with
>>>> nginx/uwsgi.
>>>>
>>>> The socket is being created, but then when I try and connect to the
>>>> site it fails with this nginx error:
>>>>
>>>> 2017/08/19 16:56:29 [crit] 1251#1251: *1 connect() to
>>>> unix:///opt/django/CAPgraph/app.sock failed (13: Permission denied)
>>>> while connecting to upstream, client: 10.0.2.2, server: , request:
>>>> "GET / HTTP/1.1", upstream:
>>>> "uwsgi://unix:///opt/django/CAPgraph/app.sock:", host:
>>>> "localhost:9003"
>>>>
>>>>
>>>> I have verified that the app.sock file and all dirs along the path are
>>>> 777. The /opt/django/CAPgraph dir is a docker volume mounted from a
>>>> local dir in the vagrant/Virtual Box VM
>>>>
>>>> How can I debug this further?

From francis at daoine.org Sun Aug 20 20:08:37 2017
From: francis at daoine.org (Francis Daly)
Date: Sun, 20 Aug 2017 21:08:37 +0100
Subject: Reverse proxy for multiple domains
In-Reply-To: <247167420.97630.1503039686513@mail.yahoo.com>
References: <1000849938.2050287.1502399834765.ref@mail.yahoo.com> <1000849938.2050287.1502399834765@mail.yahoo.com> <20170817193548.GJ365@daoine.org> <247167420.97630.1503039686513@mail.yahoo.com>
Message-ID: <20170820200837.GA10526@daoine.org>

On Fri, Aug 18, 2017 at 07:01:26AM +0000, Mik J via nginx wrote:

Hi there,

> What would you do if you had ?
> CLIENT <-> INTERNET <->Reverse_Proxy<->Web_Server

That is the normal case, is it not?

So just "use nginx as normal".

> On the web server I just use one default virtual host with multiple
> sections.

I think that if you configure your "back-end" server that way, you are
more likely to have problems reverse proxying than if you configure
"one virtual host = one application".
If you want to reverse-proxy an application installed at one part of its
local url hierarchy, so that it looks like it is installed at another
part of the url hierarchy, then it is your job to make sure that any part
of the content returned that the client browser might interpret as a url
on this server, is correctly relative to the "another part". (It
presumably is by default relative to the "one part".)

Unless the application was written with a config option to make that job
trivial, I think it is easier to have the "public" url and "private" url
be the same.

On your system, you can configure it however you want to.

> That's because the pages are called by the reverse proxy server
> like http://10.1.1.10:80/app/application1/; and it can't use a FQDN
> because it's in a private addressing

I don't follow that last part.

It can use a hostname if you want it to use a hostname.

I expect that it will be easier for you if you use a hostname, or if
you use two services listening on different ports.

> Is there a way that the reverse proxy connects to 10.1.1.10 but pretend
> the GET/POST queries use application1.org ?

If you can describe the http request that you want the client to make to
nginx; and describe the matching http request that you want nginx to make
to the back-end, it may be clearer what you mean.

> I'd prefer my application would be accessible by www.application1.org than
> www.application1.org/app/application1 like right now

From the config you have shown, nginx makes the application available
at www.application1.org. It looks to me like it is the back-end which
causes it to appear at www.application1.org/app/application1.

Possibly you should remove "proxy_redirect off;", and remove the
"proxy_set_header Host $http_host;" line.
Good luck with it,

    f
-- 
Francis Daly        francis at daoine.org

From francis at daoine.org Sun Aug 20 20:16:00 2017
From: francis at daoine.org (Francis Daly)
Date: Sun, 20 Aug 2017 21:16:00 +0100
Subject: nginx and uwsgi in docker in vagrant in vmware - Permission denied on socket
In-Reply-To:
References:
Message-ID: <20170820201600.GB10526@daoine.org>

> On Sun, Aug 20, 2017 at 10:11:54AM -0400, Larry Martell wrote:
> > On Sun, Aug 20, 2017 at 9:52 AM, Larry Martell wrote:

Hi there,

> > I changed the socket to be in /var/run and that fixed the issue. But
> > now I am getting a 403 on all the static files, e.g:

> I found that copying the static files to /var/run (and changing the
> nginx config) fixed this.

That sounds like you have a permissions issue on the /opt/django/CAPgraph/
part of your filesystem.

Are you running an extra "permissions" system, such as selinux, that might
be blocking the access before the normal filesystem permissions take
effect?

If so, check the logs for that, and configure it to do what you want.

(Or: if what you have right now works well enough for you, leave it
as-is.)

    f
-- 
Francis Daly        francis at daoine.org

From zoltan at circle-interactive.co.uk Wed Aug 23 12:10:35 2017
From: zoltan at circle-interactive.co.uk (Zoltan Borsos)
Date: Wed, 23 Aug 2017 13:10:35 +0100
Subject: mail module hides client's IP
Message-ID: <0346384c-e8ab-4e3b-5535-54f65516b25f@circle-interactive.co.uk>

Hello Everyone,

thanks for accepting my subscription request.

Does anyone have experience how the client's IP address can be passed to
the imap server when nginx works as imap proxy?
Dovecot and Nginx work on the same server and imap-login entries in
mail.log show 12.0.0.1

Thanks,
Zoltan

From mdounin at mdounin.ru Wed Aug 23 15:26:48 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 23 Aug 2017 18:26:48 +0300
Subject: mail module hides client's IP
In-Reply-To: <0346384c-e8ab-4e3b-5535-54f65516b25f@circle-interactive.co.uk>
References: <0346384c-e8ab-4e3b-5535-54f65516b25f@circle-interactive.co.uk>
Message-ID: <20170823152648.GL93611@mdounin.ru>

Hello!

On Wed, Aug 23, 2017 at 01:10:35PM +0100, Zoltan Borsos wrote:

> Does anyone have experience how the client's IP address can be
> passed to the imap server when nginx works as imap proxy?
>
> Dovecot and Nginx work on the same server and imap-login entries
> in mail.log show 12.0.0.1

Currently there is no way, sending additional information is only
supported for SMTP (http://nginx.org/r/xclient).

-- 
Maxim Dounin
http://nginx.org/

From earlybirds.gm at gmail.com Wed Aug 23 21:09:08 2017
From: earlybirds.gm at gmail.com (Early Bird)
Date: Thu, 24 Aug 2017 00:09:08 +0300
Subject: TTFB much higher when accessing a file, using HTTPS (LE)
Message-ID:

Hi and thanks in advance to all

Not sure how to investigate this problem:
1. Nginx 1.10.3 server on Debian 8.6, running on a 1C/2GB Linode VPS
2. Works well as far as I understand
3. However, when activating HTTPS for my sites (Let's Encrypt), I see some
strange behavior - the TTFB (first byte delay time) is increasing
dramatically with each request.
4. Testing method: running multiple Chrome tabs (3-4) accessing a specific
image file (or a big text file), repeating every 2 seconds. Browser cache
disabled
Example image file on test site - link

5. Result: TTFB for the image file rising from around 200-250ms to
1.2-1.5s after few tabs doing it

6. More info: Doesn't happen without HTTPS, at least not for a reasonable
count of tabs (like 20)

Any advice?
*conf file:*

worker_processes auto;
worker_rlimit_nofile 100000;
pid /run/nginx.pid;

events {
    worker_connections 4096;
    multi_accept on;
}

http {

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 30;
    types_hash_max_size 2048;

    server_tokens off;
    reset_timedout_connection on;
    add_header X-Powered-By "EasyEngine 3.7.4";
    add_header rt-Fastcgi-Cache $upstream_cache_status;

    # Limit Request
    limit_req_status 403;
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

    # Proxy Settings
    # set_real_ip_from proxy-server-ip;
    # real_ip_header X-Forwarded-For;

    fastcgi_read_timeout 300;
    client_max_body_size 100m;

    ##
    # SSL Settings
    ##

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
    ssl_protocols TLSv1.1 TLSv1.2;
    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security "max-age=15768000" always;
    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    ##
    # Basic Settings
    ##
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # Log format Settings
    log_format rt_cache '$remote_addr $upstream_response_time $upstream_cache_status [$time_local] '
    '$http_host "$request" $status $body_bytes_sent '
    '"$http_referer" "$http_user_agent"';

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types
        application/atom+xml
        application/javascript
        application/json
        application/rss+xml
        application/vnd.ms-fontobject
        application/x-font-ttf
        application/x-web-app-manifest+json
        application/xhtml+xml
        application/xml
        font/opentype
        image/svg+xml
        image/x-icon
        text/css
        text/plain
        text/x-component
        text/xml
        text/javascript;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

*and *

additional static files rule
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf)$ {
    add_header "Access-Control-Allow-Origin" "*";
    access_log off;
    log_not_found off;
    expires max;
}

From lists at lazygranch.com Wed Aug 23 21:44:29 2017
From: lists at lazygranch.com (Gary)
Date: Wed, 23 Aug 2017 14:44:29 -0700
Subject: TTFB much higher when accessing a file, using HTTPS (LE)
In-Reply-To:
Message-ID:

An HTML attachment was scrubbed...

From earlybirds.gm at gmail.com Thu Aug 24 09:48:24 2017
From: earlybirds.gm at gmail.com (Early Bird)
Date: Thu, 24 Aug 2017 12:48:24 +0300
Subject: TTFB much higher when accessing a file, using HTTPS (LE)
In-Reply-To: <20170823214446.A93C82C50D3B@mail.nginx.com>
References: <20170823214446.A93C82C50D3B@mail.nginx.com>
Message-ID:

Thanks Gary

1. Disabling browser cache on your end. I do it via the Chrome developer
panel
2. The image loads fine. The problem is with TTFB (Time To First Byte)
which increases dramatically with each access to this image, when HTTPS is
on

On Thu, Aug 24, 2017 at 12:44 AM, Gary wrote:

> Is the browser cache something I'm supposed to disable on my end, or are
> you referring to a cache on your end?
>
> I'm loading that image on my phone with Chrome and it seems fine.
>
>
> *From:* earlybirds.gm at gmail.com
> *Sent:* August 23, 2017 2:09 PM
> *To:* nginx at nginx.org
> *Reply-to:* nginx at nginx.org
> *Subject:* TTFB much higher when accessing a file, using HTTPS (LE)
>
> Hi and thanks in advance to all
>
> Not sure how to investigate this problem:
> 1. Nginx 1.10.3 server on Debian 8.6, running on a 1C/2GB Linode VPS
> 2. Works well as far as I understand
> 3. However, when activating HTTPS for my sites (Let's Encrypt), I see some
> strange behavior - the TTFB (first byte delay time) is increasing
> dramatically with each request.
> 4. Testing method: running multiple Chrome tabs (3-4) accessing a specific
> image file (or a big text file), repeating every 2 seconds. Browser cache
> disabled
> Example image file on test site - link
>
> 5. Result: TTFB for the image file rising from around 200-250ms to
> 1.2-1.5s after few tabs doing it
>
> 6. More info: Doesn't happen without HTTPS, at least not for a reasonable
> count of tabs (like 20)
>
> Any advice?
>
> *conf file:*
>
> worker_processes auto;
> worker_rlimit_nofile 100000;
> pid /run/nginx.pid;
>
> events {
> worker_connections 4096;
> multi_accept on;
> }
>
> http {
>
> sendfile on;
> tcp_nopush on;
> tcp_nodelay on;
> keepalive_timeout 30;
> types_hash_max_size 2048;
>
> server_tokens off;
> reset_timedout_connection on;
> add_header X-Powered-By "EasyEngine 3.7.4";
> add_header rt-Fastcgi-Cache $upstream_cache_status;
>
> # Limit Request
> limit_req_status 403;
> limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
>
> # Proxy Settings
> # set_real_ip_from proxy-server-ip;
> # real_ip_header X-Forwarded-For;
>
> fastcgi_read_timeout 300;
> client_max_body_size 100m;
>
> ##
> # SSL Settings
> ##
>
> ssl_session_timeout 1d;
> ssl_session_cache shared:SSL:50m;
> ssl_session_tickets off;
> ssl_prefer_server_ciphers on;
> ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-
> SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-
> POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-
> GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-
> SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
> ssl_protocols TLSv1.1 TLSv1.2;
> # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
> add_header Strict-Transport-Security "max-age=15768000" always;
> # OCSP Stapling ---
> # fetch OCSP records from URL in ssl_certificate and cache them
> ssl_stapling on;
> ssl_stapling_verify on;
> ##
> # Basic Settings
> ##
> # server_names_hash_bucket_size 64;
> # server_name_in_redirect off;
>
> include /etc/nginx/mime.types;
> default_type application/octet-stream;
>
> access_log /var/log/nginx/access.log;
> error_log /var/log/nginx/error.log;
>
> # Log format Settings
> log_format rt_cache '$remote_addr $upstream_response_time
> $upstream_cache_status [$time_local] '
> '$http_host "$request" $status $body_bytes_sent '
> '"$http_referer" "$http_user_agent"';
>
> ##
> # Gzip Settings
> ##
>
> gzip on;
> gzip_disable "msie6";
>
> gzip_vary on;
> gzip_proxied any;
> gzip_comp_level 6;
> gzip_buffers 16 8k;
> gzip_http_version 1.1;
> gzip_types
> application/atom+xml
> application/javascript
> application/json
> application/rss+xml
> application/vnd.ms-fontobject
> application/x-font-ttf
> application/x-web-app-manifest+json
> application/xhtml+xml
> application/xml
> font/opentype
> image/svg+xml
> image/x-icon
> text/css
> text/plain
> text/x-component
> text/xml
> text/javascript;
>
> ##
> # Virtual Host Configs
> ##
>
> include /etc/nginx/conf.d/*.conf;
> include /etc/nginx/sites-enabled/*;
> }
>
> *and *
>
> additional static files rule
> location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|
> jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf)$
> {
> add_header "Access-Control-Allow-Origin" "*";
> access_log off;
> log_not_found off;
> expires max;
> }

From nginx-forum at forum.nginx.org Fri Aug 25 10:33:11 2017
From: nginx-forum at forum.nginx.org (ivy)
Date: Fri, 25 Aug 2017 06:33:11 -0400
Subject: Separated reverse proxy for different users
Message-ID: <25b81c00e3cc9f13fda97caa8885f6de.NginxMailingListEnglish@forum.nginx.org>

Hi,

I'm relatively new to HTTP servers and absolutely new to nginx.
I have HTTP server which should ask user credentials and redirect every
user to its own reverse proxy.
The initial setting is:

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    set $auth_status 100;
    server_name localhost;
    root /usr/share/nginx/html;
    include /etc/nginx/default.d/*.conf;
    location / {
        try_files $uri $uri/ =404;
        auth_basic "restricted content";
        auth_basic_user_file "/home/secure/.passwords";
        auth_request_set $auth_status $upstream_status;
        if ($remote_user = "ivy") {
            proxy_pass http://localhost:10080;
            break;
        }
        if ($remote_user = "john") {
            proxy_pass http://localhost:10081;
            break;
        }
    }

It works OK. However, I think it's pretty ugly to have separated "if" per
user. Therefore, I want to add a map:

map $remote_user $rp_port {
    include /home/secure/reverse_proxy.map;
}

The map contains:
ivy 10080;
john 10081;

From documentation I understood this should come before server definition.
Then I tried to replace all "ifs" in server body with:
proxy_pass http://localhost:$rp_port

This configuration gives following errors:
2017/08/25 06:29:38 [error] 26582#26582: *631 invalid port in upstream "localhost:", client: ..., server: localhost, request: "GET / HTTP/1.1", host: "..."
2017/08/25 06:29:48 [error] 26582#26582: *632 no resolver defined to resolve localhost, client: ..., server: localhost, request: "GET / HTTP/1.1", host: "..."

It's clear that I miss something in the documentation. Please, help to
build a map for reverse proxy by user authentication properly.

Thank you.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,276150,276150#msg-276150

From nginx-forum at forum.nginx.org Fri Aug 25 12:17:15 2017
From: nginx-forum at forum.nginx.org (cozmo)
Date: Fri, 25 Aug 2017 08:17:15 -0400
Subject: Unable to compile Nginx 1.12.1 with ModSecurity
Message-ID: <28ce07720b3afef24eaa745a62093567.NginxMailingListEnglish@forum.nginx.org>

Hello,

We have been using Nginx with ModSecurity for some time. We are moving from
Nginx 1.10 to 1.12.
Following the same recipe as always, compiling Nginx 1.12.1 with
ModSecurity 2.9.2 now gives error:

cc: error: /home/rpmbuild/modsecurity-2.9.2/nginx/modsecurity/../../standalone/.libs/standalone.a: No such file or directory
make[1]: *** [objs/nginx] Error 1
make[1]: Leaving directory `/home/rpmbuild/rpmbuild/BUILD/nginx-1.12.1'
make: *** [build] Error 2
error: Bad exit status from /var/tmp/rpm-tmp.TezlYj (%build)

Compiling Nginx 1.10.1 with ModSecurity 2.9.2 the same way works perfectly
fine.

What am I missing? Is there something that should be done differently when
compiling 1.12.1?

Regards,
Peter

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,276154,276154#msg-276154

From nginx-forum at forum.nginx.org Fri Aug 25 14:21:55 2017
From: nginx-forum at forum.nginx.org (garyc)
Date: Fri, 25 Aug 2017 10:21:55 -0400
Subject: disable request body buffering for file upload
In-Reply-To: <20170720141011.GA93611@mdounin.ru>
References: <20170720141011.GA93611@mdounin.ru>
Message-ID:

Hello,

Thanks for the hint. I have managed to use the auth request module to check
available disk space before accepting the request, so I only attempt the
upload if there is disk space available.

I am now having another problem. Our debian environment uses a rootfs
ramdisk which has just under 1GB of memory. When I accept the upload
request I can see the rootfs disk fill steadily until it is full, at which
point the upload POST request is returned with error 500 and the message
'System error - unable to complete file upload'.

Are there any configuration settings that would instruct nginx to use
another disk when accepting the client request body?

I have experimented with client_body_in_file_only and client_body_temp_path
and can observe that temporary files are created if they are small enough
for the rootfs to handle. Files that are rejected when the rootfs fills up
have no temporary file created, so presumably this happens after the
initial read to the rootfs.
Many thanks
Gary

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275567,276155#msg-276155

From mikydevel at yahoo.fr Sun Aug 27 11:27:05 2017
From: mikydevel at yahoo.fr (Mik J)
Date: Sun, 27 Aug 2017 11:27:05 +0000 (UTC)
Subject: Reverse proxy for multiple domains
References: <263631856.3895413.1503833225646.ref@mail.yahoo.com>
Message-ID: <263631856.3895413.1503833225646@mail.yahoo.com>

Hello Francis,

Thank you for your answer. I've done many tests since then and yes indeed
the problem came from the application => wordpress
It's necessary to define these two variables WP_HOME and WP_SITEURL or
$_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'] in wp-config.php

From that question
> That's because the pages are called by the reverse proxy server
> like http://10.1.1.10:80/app/application1/; and it can't use a FQDN
> because it's in a private addressing
Francis: I don't follow that last part.
=> I mean that the reverse proxy uses an IP to connect to the backend web
server. If it used a fqdn, it has to resolve it, through a dns request

I still have problems, the site doesn't display properly because it can't
load a javascript

On the reverse proxy
server {
    listen 80;
    listen 443 ssl;
    server_name application1.org;
...
    location / {
        location ~ /\.ht { deny  all; }
        proxy_pass        http://10.1.1.10/app1/;
        proxy_http_version 1.1;
        proxy_set_header  X-Real-IP        $remote_addr;
        proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_pass_header Set-Cookie;
    }

On the backend server
server {
        listen 80 default_server;
        server_name _;
        index index.php;
        root /var/www/htdocs;
...
        location /app1 {
          root /var/www/htdocs/;
          access_log /var/log/nginx/app1.access.log xforwardedLog;
          error_log /var/log/nginx/app1.error.log;
          index index.php;
          try_files $uri $uri/ /app1/index.php$is_args$args;
          location ~ /\.
          { deny  all; }
          gzip off;
          location ~ \.php$ {
              root           /var/www/htdocs;
              try_files $uri =404;
              fastcgi_pass   unix:/run/php-fpm.app1.sock;
              fastcgi_split_path_info ^(.+\.php)(/.+)$;
              fastcgi_index  index.php;
              fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
              include        fastcgi_params;
          }

The request for the javascript looks like that
http://application1.org/?wooslider-javascript=load&t=1503832510&ver=1.0.0 HTTP/1.1
It arrives on the backend server. I see it in the logs (file specified in
the stanza location)
10.1.1.10 forwarded for IP_CLIENT - - [27/Aug/2017:13:15:12 +0200] "GET /app1/?wooslider-javascript=load&t=1503832510&ver=1.0.0 HTTP/1.1" 404 5 "http://application1.org/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"

If I access a file from the internet, it works fine
http://application1.org/wp-content/themes/Avada/images/divider-02.gif
So there's just a problem with the previous URL

Another question, if I want to set expires header, would it be better to
do it on the reverse proxy or on the backend server ?

Regards

On Sunday, 20 August 2017 at 22:08, Francis Daly wrote:

On Fri, Aug 18, 2017 at 07:01:26AM +0000, Mik J via nginx wrote:

Hi there,

> What would you do if you had ?
> CLIENT <-> INTERNET <->Reverse_Proxy<->Web_Server

That is the normal case, is it not?

So just "use nginx as normal".

> On the web server I just use one default virtual host with multiple
> sections.

I think that if you configure your "back-end" server that way, you are
more likely to have problems reverse proxying than if you configure
"one virtual host = one application".
If you want to reverse-proxy an application installed at one part of its
local url hierarchy, so that it looks like it is installed at another
part of the url hierarchy, then it is your job to make sure that any part
of the content returned that the client browser might interpret as a url
on this server, is correctly relative to the "another part". (It
presumably is by default relative to the "one part".)

Unless the application was written with a config option to make that job
trivial, I think it is easier to have the "public" url and "private" url
be the same.

On your system, you can configure it however you want to.

> That's because the pages are called by the reverse proxy server
> like http://10.1.1.10:80/app/application1/; and it can't use a FQDN
> because it's in a private addressing

I don't follow that last part.

It can use a hostname if you want it to use a hostname.

I expect that it will be easier for you if you use a hostname, or if
you use two services listening on different ports.

> Is there a way that the reverse proxy connects to 10.1.1.10 but pretend
> the GET/POST queries use application1.org ?

If you can describe the http request that you want the client to make to
nginx; and describe the matching http request that you want nginx to make
to the back-end, it may be clearer what you mean.

> I'd prefer my application would be accessible by www.application1.org than
> www.application1.org/app/application1 like right now

From the config you have shown, nginx makes the application available
at www.application1.org. It looks to me like it is the back-end which
causes it to appear at www.application1.org/app/application1.

Possibly you should remove "proxy_redirect off;", and remove the
"proxy_set_header Host $http_host;" line.

Good luck with it,

    f
-- 
Francis Daly
francis at daoine.org

From nginx-forum at forum.nginx.org Sun Aug 27 17:19:26 2017
From: nginx-forum at forum.nginx.org (aledbf)
Date: Sun, 27 Aug 2017 13:19:26 -0400
Subject: ssl_preread question
Message-ID: <7b82d910fae6fb266ca72b99158ffbb9.NginxMailingListEnglish@forum.nginx.org>

Hi, it is possible to preserve the source IP address when ssl_preread is
being used?
Right now I always get 127.0.0.1 as the source

Thanks in advance

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,276159,276159#msg-276159

From arut at nginx.com Sun Aug 27 20:41:31 2017
From: arut at nginx.com (Roman Arutyunyan)
Date: Sun, 27 Aug 2017 23:41:31 +0300
Subject: ssl_preread question
In-Reply-To: <7b82d910fae6fb266ca72b99158ffbb9.NginxMailingListEnglish@forum.nginx.org>
References: <7b82d910fae6fb266ca72b99158ffbb9.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170827204131.GB786@Romans-MacBook-Air.local>

Hi,

On Sun, Aug 27, 2017 at 01:19:26PM -0400, aledbf wrote:
> Hi, it is possible to preserve the source IP address when ssl_preread is
> being used?

ssl_preread has nothing to do with the IP address.

> Right now I always get 127.0.0.1 as the source

Where exactly do you get it?

If you want to keep the address while proxying a TCP connection, you can
use the PROXY protocol.
http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_protocol

-- 
Roman Arutyunyan

From nginx-forum at forum.nginx.org Mon Aug 28 08:59:45 2017
From: nginx-forum at forum.nginx.org (garyc)
Date: Mon, 28 Aug 2017 04:59:45 -0400
Subject: disable request body buffering for file upload
In-Reply-To:
References: <20170720141011.GA93611@mdounin.ru>
Message-ID: <622562390cdee988150f041201132719.NginxMailingListEnglish@forum.nginx.org>

Please ignore the last message, having learned a bit more about probing the
file system we can now see that it is PHP that is caching the file to the
system default location (hence rootfs) a small change to the PHP
configuration has sorted this.

Thanks to everyone for your help

Gary

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275567,276162#msg-276162

From nginx-forum at forum.nginx.org Mon Aug 28 16:40:21 2017
From: nginx-forum at forum.nginx.org (231done)
Date: Mon, 28 Aug 2017 12:40:21 -0400
Subject: Poor UDP transparent proxy performance
Message-ID:

Hi,
I'm running nginx-1.13.4 and I observe that UDP transparent proxying for
bulk traffic is very slow when compared to TCP transparent proxying.
I get about 4.00 Gbits/sec when using TCP and about 1.05 Mbits/sec when
using UDP. I used iperf to run traffic tests. Is this a known issue? If it
is, are there any plans to fix UDP performance issues?
Thanks,
Joe

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,276167,276167#msg-276167

From nginx-forum at forum.nginx.org Mon Aug 28 17:29:25 2017
From: nginx-forum at forum.nginx.org (c0nw0nk)
Date: Mon, 28 Aug 2017 13:29:25 -0400
Subject: disable request body buffering for file upload
In-Reply-To: <622562390cdee988150f041201132719.NginxMailingListEnglish@forum.nginx.org>
References: <20170720141011.GA93611@mdounin.ru> <622562390cdee988150f041201132719.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <5eb5064c009e7c6ea7fe71404cfd133e.NginxMailingListEnglish@forum.nginx.org>

garyc Wrote:
-------------------------------------------------------
> Please ignore the last message, having learned a bit more about
> probing the file system we can now see that it is PHP that is caching
> the file to the system default location (hence rootfs) a small change
> to the PHP configuration has sorted this.
>
> Thanks to everyone for your help
>
> Gary

Do you mind sharing your "PHP.ini" solution so that others know what changes
to make to their "PHP.ini" to solve the same dilemma ?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275567,276169#msg-276169

From r at roze.lv Mon Aug 28 17:38:48 2017
From: r at roze.lv (Reinis Rozitis)
Date: Mon, 28 Aug 2017 20:38:48 +0300
Subject: disable request body buffering for file upload
In-Reply-To: <5eb5064c009e7c6ea7fe71404cfd133e.NginxMailingListEnglish@forum.nginx.org>
References: <20170720141011.GA93611@mdounin.ru> <622562390cdee988150f041201132719.NginxMailingListEnglish@forum.nginx.org> <5eb5064c009e7c6ea7fe71404cfd133e.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

> Do you mind sharing your "PHP.ini" solution so that others know what
> changes
> to make to their "PHP.ini" to solve the same dilemma ?
http://php.net/manual/en/ini.core.php#ini.upload-tmp-dir

It's usually not set so by default on most linux distros ends up being /tmp

rr

From r1ch+nginx at teamliquid.net Mon Aug 28 18:07:39 2017
From: r1ch+nginx at teamliquid.net (Richard Stanway)
Date: Mon, 28 Aug 2017 20:07:39 +0200
Subject: Poor UDP transparent proxy performance
In-Reply-To:
References:
Message-ID:

UDP packets are proxied individually - one socket per packet. This
implementation is not suitable for bulk traffic.

On Mon, Aug 28, 2017 at 6:40 PM, 231done wrote:

> Hi,
> I'm running nginx-1.13.4 and I observe that UDP transparent proxying
> for
> bulk traffic is very slow when compared to TCP transparent proxying.
> I get about 4.00 Gbits/sec when using TCP and about 1.05 Mbits/sec when
> using UDP. I used iperf to run traffic tests. Is this a known issue? If it
> is, are there any plans to fix UDP performance issues?
>
> Thanks,
> Joe
>
> Posted at Nginx Forum: https://forum.nginx.org/read.
> php?2,276167,276167#msg-276167

From zxcvbn4038 at gmail.com Mon Aug 28 18:25:06 2017
From: zxcvbn4038 at gmail.com (CJ Ess)
Date: Mon, 28 Aug 2017 14:25:06 -0400
Subject: x-real-ip issue
Message-ID:

I've been struggling all day with this, I'm missing something, hoping
someone can point out what I'm doing wrong w/ the realip module:

nginx.conf:
...
log_format xyz '$remote_addr - $remote_user [$time_iso8601] '
               '"$request" $status $body_bytes_sent '
               '"$http_referer" "$http_user_agent" "$http_x_forwarded_for" $http_x_real_ip';

access_log /var/log/nginx/access.log xyz;
...
real_ip_header X-Forwarded-For;
real_ip_recursive on;
set_real_ip_from 172.0.0.0/8;
...
Test command I'm running:
curl -v -v -v -H "Host: www.test.com" -H "X-Forwarded-For: 9.1.2.3, 172.16.9.92" http://127.0.0.1/cheese

What I see in the error log:
127.0.0.1 - - [2017-08-28T14:20:38-04:00] "GET /cheese HTTP/1.1" 502 166 "-" "curl/7.29.0" "9.1.2.3, 172.16.9.92" -

I'm expecting that either $remote_addr or $http_x_real_ip be 9.1.2.3, but
the former is 127.0.0.1 and the latter is null.

I've tried two versions of Nginx including the latest, so pretty sure it's
an issue with my config. The config test is successful, no errors in the
error log (level debug), the 502 status code is expected and shouldn't
impact the realip module.

From r1ch+nginx at teamliquid.net Mon Aug 28 20:27:28 2017
From: r1ch+nginx at teamliquid.net (Richard Stanway)
Date: Mon, 28 Aug 2017 22:27:28 +0200
Subject: x-real-ip issue
In-Reply-To:
References:
Message-ID:

You're connecting to localhost (127.0.0.1) and your set_real_ip_from only
accepts X-Forwarded-For from 172.0.0.0/8.

On Mon, Aug 28, 2017 at 8:25 PM, CJ Ess wrote:

> I've been struggling all day with this, I'm missing something, hoping
> someone can point out what I'm doing wrong w/ the realip module:
>
> nginx.conf:
> ...
> log_format xyz '$remote_addr - $remote_user [$time_iso8601] '
> '"$request" $status $body_bytes_sent '
> '"$http_referer" "$http_user_agent"
> "$http_x_forwarded_for" $http_x_real_ip';
>
> access_log /var/log/nginx/access.log xyz;
> ...
> real_ip_header X-Forwarded-For;
> real_ip_recursive on;
> set_real_ip_from 172.0.0.0/8;
> ...
>
>
> Test command I'm running:
> curl -v -v -v -H "Host: www.test.com" -H "X-Forwarded-For: 9.1.2.3, 172.16.9.92" http://127.0.0.1/cheese
>
>
> What I see in the error log:
> 127.0.0.1 - - [2017-08-28T14:20:38-04:00] "GET /cheese HTTP/1.1" 502 166 "-" "curl/7.29.0" "9.1.2.3, 172.16.9.92" -
>
>
> I'm expecting that either $remote_addr or $http_x_real_ip be 9.1.2.3, but
> the former is 127.0.0.1 and the latter is null.
>
> I've tried two versions of Nginx including the latest, so pretty sure it's
> an issue with my config. The config test is successful, no errors in the
> error log (level debug), the 502 status code is expected and shouldn't
> impact the realip module.

From zxcvbn4038 at gmail.com Mon Aug 28 21:14:52 2017
From: zxcvbn4038 at gmail.com (CJ Ess)
Date: Mon, 28 Aug 2017 17:14:52 -0400
Subject: x-real-ip issue
In-Reply-To:
References:
Message-ID:

That was it! I added "set_real_ip_from 127.0.0.1/32;" and now I'm getting
the results I expected. Thank you!

On Mon, Aug 28, 2017 at 4:27 PM, Richard Stanway wrote:

> You're connecting to localhost (127.0.0.1) and your set_real_ip_from only
> accepts X-Forwarded-For from 172.0.0.0/8.
>
> On Mon, Aug 28, 2017 at 8:25 PM, CJ Ess wrote:
>
>> I've been struggling all day with this, I'm missing something, hoping
>> someone can point out what I'm doing wrong w/ the realip module:
>>
>> nginx.conf:
>> ...
>> log_format xyz '$remote_addr - $remote_user [$time_iso8601] '
>>                '"$request" $status $body_bytes_sent '
>>                '"$http_referer" "$http_user_agent" "$http_x_forwarded_for" $http_x_real_ip';
>>
>> access_log /var/log/nginx/access.log xyz;
>> ...
>> real_ip_header X-Forwarded-For;
>> real_ip_recursive on;
>> set_real_ip_from 172.0.0.0/8;
>> ...
>>
>>
>> Test command I'm running:
>> curl -v -v -v -H "Host: www.test.com" -H "X-Forwarded-For: 9.1.2.3, 172.16.9.92" http://127.0.0.1/cheese
>>
>>
>> What I see in the error log:
>> 127.0.0.1 - - [2017-08-28T14:20:38-04:00] "GET /cheese HTTP/1.1" 502 166 "-" "curl/7.29.0" "9.1.2.3, 172.16.9.92" -
>>
>>
>> I'm expecting that either $remote_addr or $http_x_real_ip be 9.1.2.3, but
>> the former is 127.0.0.1 and the latter is null.
>>
>> I've tried two versions of Nginx including the latest, so pretty sure it's
>> an issue with my config. The config test is successful, no errors in the
>> error log (level debug), the 502 status code is expected and shouldn't
>> impact the realip module.

From nginx-forum at forum.nginx.org Tue Aug 29 09:09:58 2017
From: nginx-forum at forum.nginx.org (garyc)
Date: Tue, 29 Aug 2017 05:09:58 -0400
Subject: disable request body buffering for file upload
In-Reply-To: <5eb5064c009e7c6ea7fe71404cfd133e.NginxMailingListEnglish@forum.nginx.org>
References: <20170720141011.GA93611@mdounin.ru> <622562390cdee988150f041201132719.NginxMailingListEnglish@forum.nginx.org> <5eb5064c009e7c6ea7fe71404cfd133e.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <71680e79c8dac9d479b6c38fda894ba9.NginxMailingListEnglish@forum.nginx.org>

Hi,

Reinis has probably covered this but the default php.ini file has a 'File
Upload section' with...

; Temporary directory for HTTP uploaded files (will use system default if not
; specified).
; upload_tmp_dir =

I just uncommented the attribute and set it to a location on our main disk
e.g.

upload_tmp_dir = /opt/tmp

--

The complete solution involved using the http_auth_request_module. So in our
nginx configuration file for big file upload url...

# PHP - file upload - bigf
location /api/bigf/analysis/upload {

    auth_request /bigf/auth;
    error_page 403 =413 /bigfLowDiskSpace.html;
    error_page 413 /bigfTooBigError.html;

    fastcgi_request_buffering off; # pass the request straight to php without buffering
    fastcgi_read_timeout 1h;
    fastcgi_pass unix:/opt/tmp/php-fpm.sock;
    include fastcgi_params;

    # Command specific parameters
    fastcgi_param PERMITTED_FILETYPE "bigf";
    fastcgi_param HOME_FOLDER "/home/instrument";
    fastcgi_param DEST_FOLDER "Analysis/Filters";
    fastcgi_param SCRIPT_FILENAME $document_root/PHP/uploadFile.php;
}

# from the auth_request directive in the above block
location /bigf/auth {
    internal;
    fastcgi_pass_request_body off;
    fastcgi_pass unix:/opt/tmp/php-fpm.sock;
    fastcgi_intercept_errors on;
    include fastcgi_params;

    fastcgi_param BIGF_UPLOAD_SIZE $content_length;
    fastcgi_param BIGF_UPLOAD_MARGIN_BYTES 10737418240; # reject if < 10GB free after upload
    fastcgi_param HOME_FOLDER "/home/instrument";
    fastcgi_param DEST_FOLDER "Analysis/Filters";
    fastcgi_param CONTENT_LENGTH "";
    fastcgi_param SCRIPT_FILENAME $document_root/PHP/bigfAuthUpload.php;
}

# Custom error pages for the error_page directives specified above
location /bigfLowDiskSpace.html {
    root /opt/lib/webapp/errorPages;
    allow all;
}

location /bigfTooBigError.html {
    root /opt/lib/webapp/errorPages;
    allow all;
}

---

The bigfAuthUpload.php script just checks the space available on the
destination drive and if the space available minus the approximate incoming
file size (as it includes some bytes from the request header) breaks the
allowed margin (10G in this case) we reject the upload by calling
http_response_code(403). If there is enough space http_response_code(200) is
set which 'authorizes' the upload and allows the uploadFile.php script to be
called.

The error_page 403 =413 redirect allows us to return an error page specific
to the rejected bigfAuthUpload.php call.

The error_page 413 redirect allows us to intercept the nginx file size
restriction (we set the directive 'client_max_body_size' to 5G in the server
configuration block of our nginx configuration file), I believe the use of
'fastcgi_intercept_errors on;' in our auth block facilitates this.

By using the fastcgi_pass_request_body off; directive in the 'bigf/auth'
location block the bigfAuthUpload.php script is passed the request header
without the body so we can reject the upload before the request body is
written to /opt/tmp.

The uploadFile.php script effectively copies the file from /opt/tmp to the
destination location. It allows us to handle different $_FILES content
(dependent on the client used to call our upload service we need to cope with
$_FILES['upload'], $_FILES['Data'] and $_FILES['file'] variants to extract
the file name) and to rename the file to cope with duplicates.

The fastcgi_params file we include in the above location blocks include the
lines

Hope this helps someone else out, thanks to everyone who contributed!

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275567,276176#msg-276176

From nginx-forum at forum.nginx.org Tue Aug 29 09:13:36 2017
From: nginx-forum at forum.nginx.org (stuartweir)
Date: Tue, 29 Aug 2017 05:13:36 -0400
Subject: Downloading large ( + 5GB ) files in a multipart fashion from S3
Message-ID:

Original Problem domain:
Rails/Rack send_data method attempts downloading whole file onto the server
in memory, to then send to the client. This would fail with large files
because the server ran out of memory.

Original Solution:
Use Passenger NGINX to create a proxy_pass between the client and the S3
bucket in a secure way (the client never sees the actual S3 bucket URL -
opted for this over timed URLs, because the clients might need the URL
indefinitely).

New Problem domain:
NGINX handles the download properly, but then once the download gets to
about 5 GB, the download "fails" in Chrome and needs to be "retried" in
order to continue downloading the file. This is due to a restriction S3 has
with downloading files larger than 5 GB.

What I'm hoping to have answered:
Is there a way to initiate a multipart-like download using only NGINX? I
know that there is such a thing as a multipart upload, but I would like a
multipart download, of some sort. Because Rails makes a single response to a
request (without doing some very clunky magic to make it do otherwise) I'd
like to use something like the Range header with NGINX, except I don't want
to specify the exact range, because that means I have to make several
responses (which is the case with the header, it looks like, and forces me
into the clunky rails issue).

Thanks for any and all help!

-Stu

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,276177,276177#msg-276177

From nginx-forum at forum.nginx.org Tue Aug 29 09:15:44 2017
From: nginx-forum at forum.nginx.org (garyc)
Date: Tue, 29 Aug 2017 05:15:44 -0400
Subject: disable request body buffering for file upload
In-Reply-To: <71680e79c8dac9d479b6c38fda894ba9.NginxMailingListEnglish@forum.nginx.org>
References: <20170720141011.GA93611@mdounin.ru> <622562390cdee988150f041201132719.NginxMailingListEnglish@forum.nginx.org> <5eb5064c009e7c6ea7fe71404cfd133e.NginxMailingListEnglish@forum.nginx.org> <71680e79c8dac9d479b6c38fda894ba9.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <527418a26555ddba99362dc80e69f96b.NginxMailingListEnglish@forum.nginx.org>

Apologies, please ignore the line

> The fastcgi_params file we include in the above location blocks include the lines

What followed wasn't really relevant (just about overriding php.ini values
with the PHP_VALUE command) so I removed it.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275567,276178#msg-276178

From francis at daoine.org Wed Aug 30 17:57:19 2017
From: francis at daoine.org (Francis Daly)
Date: Wed, 30 Aug 2017 18:57:19 +0100
Subject: Reverse proxy for multiple domains
In-Reply-To: <263631856.3895413.1503833225646@mail.yahoo.com>
References: <263631856.3895413.1503833225646.ref@mail.yahoo.com> <263631856.3895413.1503833225646@mail.yahoo.com>
Message-ID: <20170830175719.GB20907@daoine.org>

On Sun, Aug 27, 2017 at 11:27:05AM +0000, Mik J via nginx wrote:

Hi there,

> > That's because the pages are called by the reverse proxy server
> > like http://10.1.1.10:80/app/application1/; and it can't use a FQDN
> > because it's in a private addressing
> Francis: I don't follow that last part.
> => I mean that the reverse proxy uses an IP to connect to the backend web server. If it used a fqdn, it has to resolve it, through a dns request

The backend web server can care about the IP:port you connect to, and the
Host: header you send.

You can connect to 10.1.1.10:80 and send a Host: header of "app1" if you
want to. No dns resolution involved.

Anyway, it sounds like you have this part working now; so that's good.

> I still have problems, the site doesn't display properly because it can't load a javascript
> The request for the javascript looks like that
> http://application1.org/?wooslider-javascript=load&t=1503832510&ver=1.0.0 HTTP/1.1
> It arrives on the backend server I see it in the logs (file specified in the stanza location)
> 10.1.1.10 forwarded for IP_CLIENT - - [27/Aug/2017:13:15:12 +0200] "GET /app1/?wooslider-javascript=load&t=1503832510&ver=1.0.0 HTTP/1.1" 404 5 "http://application1.org/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"

A request for /?some-thing came to nginx; nginx reverse-proxied the request
as /app1/?same-thing. That is all you want nginx to do, so it is working.

If your back-end wordpress handles that request incorrectly, that is a
question for your back-end wordpress configuration.

People on this list who know about wordpress configuration are more likely
to see the question if it is in a new thread with words like "wordpress"
in the Subject: line.

(If the actual question is "why does my browser request /?some-thing
instead of /thing.js ?", that might also be related to the back-end
config.)

> Another question, if I want to set expires header, would it be better to do it on the reverse proxy or on the backend server ?

Again, I'd suggest that people who know about "wordpress" and "expires"
are much more likely to see that question if it is in a thread with an
obvious Subject: line.

Good luck with it!

f
--
Francis Daly        francis at daoine.org

From francis at daoine.org Wed Aug 30 18:09:37 2017
From: francis at daoine.org (Francis Daly)
Date: Wed, 30 Aug 2017 19:09:37 +0100
Subject: Separated reverse proxy for different users
In-Reply-To: <25b81c00e3cc9f13fda97caa8885f6de.NginxMailingListEnglish@forum.nginx.org>
References: <25b81c00e3cc9f13fda97caa8885f6de.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170830180937.GC20907@daoine.org>

On Fri, Aug 25, 2017 at 06:33:11AM -0400, ivy wrote:

Hi there,

> Therefore, I want to add a map:
> map $remote_user $rp_port {
>     include /home/secure/reverse_proxy.map;
> }
>
> The map contains:
> ivy 10080;
> john 10081;
>
> From documentation I understood this should come before server definition.
> Then I tried to replace all "ifs" in server body with:
> proxy_pass http://localhost:$rp_port
>
> This configuration gives following errors:
> 2017/08/25 06:29:38 [error] 26582#26582: *631 invalid port in upstream
> "localhost:", client: ..., server: localhost, request: "GET / HTTP/1.1",
> host: "..."

That is because your map does not have a "default" value, so when
$remote_user is empty or does not match one of your listed names, $rp_port
is empty and your configuration is effectively

    proxy_pass http://localhost:;

which is invalid.

Simplest fix is to always have a value for $rp_port.

> 2017/08/25 06:29:48 [error] 26582#26582: *632 no resolver defined to resolve
> localhost, client: ..., server: localhost, request: "GET / HTTP/1.1", host:
> "..."

That is because you use a proxy_pass with variables, and this version of
nginx does not try to resolve the hostname at startup, instead resolving
it at processing time -- and you have not defined a resolver.

Simplest fix is to use 127.0.0.1 instead of localhost here.

f
--
Francis Daly        francis at daoine.org

From nginx-forum at forum.nginx.org Thu Aug 31 01:04:30 2017
From: nginx-forum at forum.nginx.org (mangysushi)
Date: Wed, 30 Aug 2017 21:04:30 -0400
Subject: DNS Load Balancing keeps getting upstream errors
Message-ID: <4b5359ed70e5d0847504057e4a663c8d.NginxMailingListEnglish@forum.nginx.org>

Hello!

I was excited to learn that nginx is one of the few load balancing software
supporting DNS.

In my EC2 setup, I have nginx running on an m4.large instance, my DNS test
load comes from a t2.micro one. I have two nameservers to be load balanced,
each running on t2.medium.

Here is my config:

$ cat /etc/nginx/nginx.conf
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
worker_rlimit_nofile 65536;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 4096;
}

http {
    server {
        listen 80 default_server;
        location / {
            stub_status on;
            access_log off;
        }
    }
}

stream {
    upstream dns_servers {
        server 10.67.32.10:53 max_fails=2000 fail_timeout=30;
        server 10.67.16.10:53 max_fails=2000 fail_timeout=30;
    }

    server {
        listen 53 udp;
        proxy_pass dns_servers;
        error_log /var/log/nginx/dns.log warn;
        proxy_responses 1;
        proxy_timeout 1s;
    }
}

For the test load, I use dnsperf as follows (on the other instance):

dnsperf -s -d query.txt -l 60 -c 100 -Q 10000

(that is simulating 100 clients collectively making 10k requests/second to
the nginx load balancer, for 60 seconds)

query.txt contains just a single CNAME managed in Route53. So the test
basically repeatedly asks to resolve this CNAME.

During the tests, nginx would start to throttle the upstream servers,
printing out messages such as these:

2017/08/31 00:45:46 [warn] 31728#0: *605752 upstream server temporarily disabled while proxying connection, udp client: 10.67.15.238, server: 0.0.0.0:53, upstream: "10.67.16.10:53", bytes from/to client:43/0, bytes from/to upstream:0/43
2017/08/31 00:45:46 [warn] 31728#0: *605774 upstream server temporarily disabled while proxying connection, udp client: 10.67.15.238, server: 0.0.0.0:53, upstream: "10.67.16.10:53", bytes from/to client:43/0, bytes from/to upstream:0/43
2017/08/31 00:45:46 [warn] 31728#0: *605786 upstream server temporarily disabled while proxying connection, udp client: 10.67.15.238, server: 0.0.0.0:53, upstream: "10.67.16.10:53", bytes from/to client:43/0, bytes from/to upstream:0/43
2017/08/31 00:45:46 [error] 31728#0: *605805 no live upstreams while connecting to upstream, udp client: 10.67.15.238, server: 0.0.0.0:53, upstream: "dns_servers", bytes from/to client:43/0, bytes from/to upstream:0/0

dnsperf would print lots of requests timing out (limit is 5 seconds), and
the overall performance is bad:

  Queries sent:         94790
  Queries completed:    94450 (99.64%)
  Queries lost:         340 (0.36%)
  Response codes:       NOERROR 94450 (100.00%)
  Average packet size:  request 43, response 106
  Run time (s):         60.997054
  Queries per second:   1548.435438
  Average Latency (s):  0.043772 (min 0.000493, max 1.011284)
  Latency StdDev (s):   0.202529

As you can see, the queries/s is a mere 1.5k requests/second, instead of
10k/sec as desired.

I've verified that each nameserver itself can handle the traffic just fine
(running the test against the nameserver directly from the same test
instance):

dnsperf -s 10.67.16.10 -d query.txt -l 60 -c 100 -Q 10000
[...]
  Queries sent:         599999
  Queries completed:    599581 (99.93%)
  Queries lost:         418 (0.07%)
  Response codes:       NOERROR 599581 (100.00%)
  Average packet size:  request 43, response 106
  Run time (s):         60.000539
  Queries per second:   9992.926897
  Average Latency (s):  0.000794 (min 0.000645, max 0.026699)
  Latency StdDev (s):   0.000750

From what I can tell, it seems nginx is throttling the nameservers because of
perceived failures in getting responses from them. How can I troubleshoot
this further?

Also, has anyone tried using nginx for DNS load balancing in production? I'd
appreciate learning about your setup as well. Anything special to do to
handle the possible TCP traffic when the response is large?

Thanks for reading! I greatly appreciate any reply. :")

Regards,
mangysushi

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,276196,276196#msg-276196

From luky-37 at hotmail.com Thu Aug 31 07:41:04 2017
From: luky-37 at hotmail.com (Lukas Tribus)
Date: Thu, 31 Aug 2017 07:41:04 +0000
Subject: AW: DNS Load Balancing keeps getting upstream errors
In-Reply-To: <4b5359ed70e5d0847504057e4a663c8d.NginxMailingListEnglish@forum.nginx.org>
References: <4b5359ed70e5d0847504057e4a663c8d.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

Hello,

> Also, has anyone tried using nginx for DNS load balancing in production?

I would not recommend using nginx to load-balance DNS traffic at all.

nginx is just a dumb UDP proxy and I doubt it performs well enough in a DNS
setup.

dnsdist [1] is written with this purpose in mind and used in huge DNS
deployments. I suggest you consider that one over nginx for your DNS needs.

cheers,
l

[1] https://dnsdist.org/

From lonerr at nginx.com Thu Aug 31 10:58:33 2017
From: lonerr at nginx.com (Oleg A. Mamontov)
Date: Thu, 31 Aug 2017 13:58:33 +0300
Subject: NGINX is hiring
Message-ID: <20170831105833.6ko7n4av66nnxkon@xenon.mamontov.net>

Hello,

NGINX is seeking a Russian-speaking technical support engineer:
https://www.nginx.com/jobs/enterprise-support-engineer-russian-speaking/

Please feel free to send your questions and CV directly to me:
lonerr at nginx.com.

Thank you.

--
Cheers,
Oleg A. Mamontov
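
Added example for the "x-real-ip issue" thread of 28 Aug 2017 earlier in this archive (not part of any post, and not nginx source): a small Python model of how the realip module picks $remote_addr from X-Forwarded-For under set_real_ip_from and real_ip_recursive, run on the values from the thread. The function and constant names are hypothetical, the 203.0.113.7 case is constructed, and header entries that carry a port are not handled.

```python
"""Simplified model of nginx realip address selection (illustration only)."""
from ipaddress import ip_address, ip_network


def resolve_client_addr(peer, xff, trusted_cidrs, recursive=True):
    """Return the address that would end up in $remote_addr.

    peer          -- address of the TCP peer that connected to nginx
    xff           -- raw X-Forwarded-For header value ("" if absent)
    trusted_cidrs -- networks listed in set_real_ip_from
    recursive     -- value of real_ip_recursive
    """
    trusted = [ip_network(c) for c in trusted_cidrs]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    addr = ip_address(peer)
    # The header is ignored entirely unless the peer itself is trusted.
    if not is_trusted(addr):
        return str(addr)

    entries = [e.strip() for e in xff.split(",") if e.strip()]
    # Walk right to left: the rightmost entry was appended by the nearest
    # proxy, the leftmost is whatever the original client claimed.
    for entry in reversed(entries):
        try:
            candidate = ip_address(entry)
        except ValueError:
            break  # unparseable entry: keep the last good address
        addr = candidate
        # Non-recursive mode stops at the rightmost entry. Recursive mode
        # continues only while the entry is itself a trusted proxy.
        if not recursive or not is_trusted(addr):
            break
    return str(addr)


# Values from the thread: the request was sent with curl to 127.0.0.1.
XFF = "9.1.2.3, 172.16.9.92"
ORIGINAL = ["172.0.0.0/8"]
FIXED = ["172.0.0.0/8", "127.0.0.1/32"]

# Constructed case (not from the thread): a client at 203.0.113.7 sends its
# own X-Forwarded-For header claiming to be 10.0.0.1.
SPOOF_PEER, SPOOF_XFF = "203.0.113.7", "10.0.0.1"

if __name__ == "__main__":
    print("original config :", resolve_client_addr("127.0.0.1", XFF, ORIGINAL))
    print("with 127.0.0.1  :", resolve_client_addr("127.0.0.1", XFF, FIXED))
    print("non-recursive   :", resolve_client_addr("127.0.0.1", XFF, FIXED, False))
    # A peer outside set_real_ip_from cannot change the logged address ...
    print("untrusted peer  :", resolve_client_addr(SPOOF_PEER, SPOOF_XFF, FIXED))
    # ... but trusting every source lets the header value replace it.
    print("trust 0.0.0.0/0 :",
          resolve_client_addr(SPOOF_PEER, SPOOF_XFF, ["0.0.0.0/0"]))
```

The last two cases show why set_real_ip_from should list only the proxies that actually sit in front of nginx: access logs, allow/deny rules and rate limits keyed on $remote_addr inherit whatever this selection returns.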