302 Found

From minoru.nishikubo at lyz.jp Wed Mar 1 00:56:38 2017 From: minoru.nishikubo at lyz.jp (Nishikubo Minoru) Date: Wed, 1 Mar 2017 09:56:38 +0900 Subject: set_real_ip_from, real_ip_header directive in ngx_http_realip_module In-Reply-To: <20170228134015.GL34777@mdounin.ru> References: <20170228134015.GL34777@mdounin.ru> Message-ID: Hello, Maxim I understand your explanation and thanks for reply. I tried to replace $binary_remote_addr (not $remote_addr for performance reason) with True-Client-IP header which is Akamai CDN Server will send, via ngx_http_limit_req_module and use as a shared memory zone key. On Tue, Feb 28, 2017 at 10:40 PM, Maxim Dounin wrote: > Hello! > > On Tue, Feb 28, 2017 at 09:58:05AM +0900, Nishikubo Minoru wrote: > > > Hello, > > I tried to limit an IPv4 Address with ngx_http_limit_req module and > > ngx_realip_module via Akamai would send True-Client-IP headers. > > > > According to the document ngx_http_readip_module( > > http://nginx.org/en/docs/http/ngx_http_realip_module.html), > > we can write set_real_ip_from and real-_ip_header directive in http, > > server, location context. > > > > But, in the above case(ngx_http_limit_req module is defined the key in > http > > context), directives on ngx_http_realip_module must be defined before the > > keys(a.k.a replaced IPv4 adress by ngx_http_realip_module) and followed > > limit_req_zone directive in http context. > > Not really. There is no such requirement, that is, there is need > to place limit_req_zone and set_real_ip_from on the same level or > even in a particular order. > > For example, the following configuration will work perfectly: > > limit_req_zone $remote_addr zone=limit:1m rate=1r/m; > limit_req zone=limit; > > server { > listen 80; > > location / { > set_real_ip_from 127.0.0.1; > real_ip_header X-Real-IP; > } > } > > A problem may happen though if you configured the realip module in > a location context, but use the address in different contexts. > For example, the following will limit requests based on the > connection's address, not the one set with realip: > > limit_req_zone $remote_addr zone=limit:1m rate=1r/m; > limit_req zone=limit; > > server { > listen 80; > > location / { > try_files $uri @fallback; > } > > location @fallback { > set_real_ip_from 127.0.0.1; > real_ip_header X-Real-IP; > proxy_pass ... > } > } > > In the above configuration, limit_req will work at the "location /" > context, and the realip module in "location @fallback" won't be > effective. For more confusion, the $remote_addr variable will be > cached once used by limit_req, and attempts to use it even in the > location @fallback will return the original value, not changed by > the realip module. > > Summing up the above, it is certainly possible to use the realip > module with limit_req regardless of levels. They may interact > unexpectedly in complex configurations though, and hence it is > a good idea to avoid using set_real_ip_from / real_ip_header in > location context unless you understand what you are doing. > > -- > Maxim Dounin > http://nginx.org/ > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From aldernetwork at gmail.com Wed Mar 1 01:18:59 2017 From: aldernetwork at gmail.com (Alder Netw) Date: Tue, 28 Feb 2017 17:18:59 -0800 Subject: Nginx with a ICAP-like front-end In-Reply-To: References:

Message-ID: Rajeev, you meant asking the validator or client to set X-Accel-Redirect? Could you elaborate here? Thanks, On Mon, Feb 27, 2017 at 9:14 AM, Rajeev J Sebastian < rajeev.sebastian at gmail.com> wrote: > Adler, maybe you should try X-Accel-Redirect to avoid this conversion of > POST to GET? > > On Mon, Feb 27, 2017 at 10:41 PM, Rajeev J Sebastian < > rajeev.sebastian at gmail.com> wrote: > >> From the docs it seems that this will work for all requests EXCEPT that, >> the @success fallback request will always be GET. >> >> On Mon, Feb 27, 2017 at 10:30 PM, Alder Netw >> wrote: >> >>> Thanks Rajeev for the recipe, I was looking into using subrequest but >>> found subrequest >>> only works for filter module. This looks much simpler! The only concern >>> is error_page >>> is only for GET/HEAD not for POST? >>> >>> >>> >>> On Sun, Feb 26, 2017 at 11:48 PM, Rajeev J Sebastian < >>> rajeev.sebastian at gmail.com> wrote: >>> >>>> Not sure if this is foolproof ... but maybe you can use the error_page >>>> fallback by responding with a special status_code. >>>> >>>> http://nginx.org/en/docs/http/ngx_http_core_module.html#error_page >>>> >>>> location / { >>>> >>>> proxy_pass http://validator; >>>> error_page 510 = @success; >>>> } >>>> >>>> location @success { >>>> proxy_pass http://realbackend; >>>> } >>>> >>>> >>>> On Mon, Feb 27, 2017 at 3:41 AM, Alder Netw >>>> wrote: >>>> >>>>> Or is there any existing module that can be adapted to achieve this? >>>>> Appreciate if someone can shed some light. Thx, >>>>> - Alder >>>>> >>>>> On Sat, Feb 25, 2017 at 9:24 PM, Alder Netw >>>>> wrote: >>>>> >>>>>> Hi I want to add an ICAP-like front-end validation server V with >>>>>> nginx. >>>>>> The user scenario is like this: >>>>>> >>>>>> The client will usually access the real app server R via nginx, but >>>>>> with >>>>>> a validation server V, the client request will first pass to V, V >>>>>> will dp certain >>>>>> validation and upon sucess the request will be forwarded to R and R >>>>>> will >>>>>> return directly to clients; Upon failure, the request will be denied. >>>>>> >>>>>> Is there any easy nginx config which can achieve this? Thanks, >>>>>> >>>>>> - Alder >>>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> nginx mailing list >>>>> nginx at nginx.org >>>>> http://mailman.nginx.org/mailman/listinfo/nginx >>>>> >>>> >>>> >>>> _______________________________________________ >>>> nginx mailing list >>>> nginx at nginx.org >>>> http://mailman.nginx.org/mailman/listinfo/nginx >>>> >>> >>> >>> _______________________________________________ >>> nginx mailing list >>> nginx at nginx.org >>> http://mailman.nginx.org/mailman/listinfo/nginx >>> >> >> > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From tjlp at sina.com Wed Mar 1 07:29:32 2017 From: tjlp at sina.com (tjlp at sina.com) Date: Wed, 01 Mar 2017 15:29:32 +0800 Subject: Issue about nginx removing the header "Connection" in HTTP response? Message-ID: <20170301072932.CFCB94C09D6@webmail.sinamail.sina.com.cn> Hi, nginx guy, In our system, for some special requests, the upstream server will return a response which the header includes "Connection: Close". According to HTTP protocol, "Connection" is one-hop header. So, nginx will remove this header and the client can't do the business logic correctly. How to handle this scenario? Thanks Liu Peng -------------- next part -------------- An HTML attachment was scrubbed... URL: From nginx-forum at forum.nginx.org Wed Mar 1 08:57:22 2017 From: nginx-forum at forum.nginx.org (zaidahmd) Date: Wed, 01 Mar 2017 03:57:22 -0500 Subject: NGINX - Reverse Proxy With Authentication at 2 Layers Message-ID: ** Problem Background ** I have an application, say app-A, which is running on a private network unreachable by public network. Now a new requirement needs to deliver the webpages of app-A to external users over public network. As a solution to expose app-A, I want to use NGINX as reverse proxy and will use two layers of authentication as explained below. Kindly advise if i am moving in the right direction in implementing the secure entry using NGINX. Reference Images attached at the end of email. ** Authentication Level 1 ** NGINX Auth Service As a solution to expose app-A, I want to use NGINX as reverse proxy and API gateway for External users to access the application in internal network. Once NGINX authenticates the request it will forward to app-A. ** Authentication Level 2 ** App-A performs Authentication After receiving request from nginx, app-A will perform its own authentication, ignoring that the request came pre-authenticated from NGINX. app-A will perform the authentication as app-A is to be kept unaware of the new NGINX reverse proxy and app-A will continue to work as is. ** Problem Situation ** NGINX Authentication service authenticates the request and sets a session-id in response so that it can identify the next request coming from the same client. As app-A also authenticates the request and puts the session-id in response. The problem here is that one session-id will get overriden by the other. Questions/Options in consideration : 1. (Image-ref-1) Is there anyway that I can configure NGINX to keep both the session-ids seperate in the request so that Auth service and app-A can recognise there own session informations for authenticated client. 2. (image-Ref-2) If both the session info cannot be saved, then can we configure NGINX to store session-id response of app-A and auth service both in its memory and only send the session-id of auth service back to client. And when the request comes back with Auth Service's session-id, NGINX should correlate the session of App-A and forward App-A's session to app-A. This way the request would get authenticated at both layers. 3. Which solution can be performed from the above 2 ? 4. Is it good approach to have 2 layers of authentication when NGINX's API gateway is used? If not then what configuration is required in app-A to not perform authentication for the requests coming from NGINX? Application environment java spring.? ** Links to Images ** Image-Ref-1 : http://i64.tinypic.com/27zbthj.gif Image-Ref-2 : http://i63.tinypic.com/35a2lbp.png Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272674,272674#msg-272674 From nginx-forum at forum.nginx.org Wed Mar 1 10:54:35 2017 From: nginx-forum at forum.nginx.org (user384829) Date: Wed, 01 Mar 2017 05:54:35 -0500 Subject: IPv6 upstream problem In-Reply-To: <44b29027-0666-bc2d-7442-5184caca747f@xtremenitro.org> References: <44b29027-0666-bc2d-7442-5184caca747f@xtremenitro.org> Message-ID: Did anyone have a solution for this? I also have many of these errors logged because I am using Google Container Engine that does not support IPv6. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272660,272675#msg-272675 From nginx-forum at forum.nginx.org Wed Mar 1 12:32:03 2017 From: nginx-forum at forum.nginx.org (user384829) Date: Wed, 01 Mar 2017 07:32:03 -0500 Subject: Large latency increase when using a resolver for proxy_pass Message-ID: Hi, I am wanting to resolve upstream hostnames used for proxy_pass inline with the TTL of the DNS record but when I add this configuration the response from nginx is MUCH slower. I've run tcpdump and the upstream DNS record is be resolved and reresolved as TTL would dictate. But requests are slower even when the TTL has not expired and nginx is not attempting to resolve the record. The difference is quite large: 0.3s vs 1s. Measured like this: curl -w "%{response_code} %{time_total}\n" -s -o /dev/null 'http://my_nginx_host/api/something_something == Slow Configuration === resolver 8.8.8.8 8.8.4.4 ipv6=off; server { listen 80; set $upstream_host https://my.upstream-host.com; location ~ /api/ { rewrite /api/(.*) /$1 break; proxy_pass $upstream_host; } } And tcpdump: 12:56:16.697158 IP 10.180.32.6.19343 > 10.76.8.92.80: Flags [P.], seq 2024041718:2024042038, ack 2611558079, win 4136, options [nop,nop,TS val 829926189 ecr 2513956729], length 320: HTTP: GET /api/something_something HTTP/1.1 12:56:16.697175 IP 10.76.8.92.80 > 10.180.32.6.19343: Flags [.], ack 320, win 229, options [nop,nop,TS val 2513956752 ecr 829926189], length 0 12:56:16.697287 IP 10.76.8.92.48696 > 23.210.228.34.443: Flags [S], seq 239123061, win 28400, options [mss 1420,sackOK,TS val 2513956752 ecr 0,nop,wscale 7], length 0 12:56:16.841393 IP 23.210.228.34.443 > 10.76.8.92.48696: Flags [S.], seq 2824997386, ack 239123062, win 28960, options [mss 1460,sackOK,TS val 1717524764 ecr 2513956752,nop,wscale 5], length 0 12:56:16.841423 IP 10.76.8.92.48696 > 23.210.228.34.443: Flags [.], ack 1, win 222, options [nop,nop,TS val 2513956896 ecr 1717524764], length 0 12:56:16.841585 IP 10.76.8.92.48696 > 23.210.228.34.443: Flags [P.], seq 1:290, ack 1, win 222, options [nop,nop,TS val 2513956896 ecr 1717524764], length 289 12:56:16.985287 IP 23.210.228.34.443 > 10.76.8.92.48696: Flags [.], ack 290, win 939, options [nop,nop,TS val 1717524908 ecr 2513956896], length 0 12:56:16.985428 IP 23.210.228.34.443 > 10.76.8.92.48696: Flags [P.], seq 1:4097, ack 290, win 939, options [nop,nop,TS val 1717524908 ecr 2513956896], length 4096 12:56:16.985442 IP 10.76.8.92.48696 > 23.210.228.34.443: Flags [.], ack 4097, win 286, options [nop,nop,TS val 2513957040 ecr 1717524908], length 0 12:56:16.986672 IP 23.210.228.34.443 > 10.76.8.92.48696: Flags [P.], seq 4097:4736, ack 290, win 939, options [nop,nop,TS val 1717524909 ecr 2513956896], length 639 12:56:16.986679 IP 10.76.8.92.48696 > 23.210.228.34.443: Flags [.], ack 4736, win 308, options [nop,nop,TS val 2513957041 ecr 1717524909], length 0 12:56:16.987530 IP 10.76.8.92.48696 > 23.210.228.34.443: Flags [P.], seq 290:416, ack 4736, win 308, options [nop,nop,TS val 2513957042 ecr 1717524909], length 126 12:56:17.131482 IP 23.210.228.34.443 > 10.76.8.92.48696: Flags [P.], seq 4736:4962, ack 416, win 939, options [nop,nop,TS val 1717525054 ecr 2513957042], length 226 12:56:17.131714 IP 10.76.8.92.48696 > 23.210.228.34.443: Flags [P.], seq 416:779, ack 4962, win 330, options [nop,nop,TS val 2513957186 ecr 1717525054], length 363 12:56:17.315103 IP 23.210.228.34.443 > 10.76.8.92.48696: Flags [.], ack 779, win 972, options [nop,nop,TS val 1717525238 ecr 2513957186], length 0 12:56:17.649290 IP 23.210.228.34.443 > 10.76.8.92.48696: Flags [P.], seq 4962:5766, ack 779, win 972, options [nop,nop,TS val 1717525572 ecr 2513957186], length 804 12:56:17.649310 IP 23.210.228.34.443 > 10.76.8.92.48696: Flags [P.], seq 5766:5797, ack 779, win 972, options [nop,nop,TS val 1717525572 ecr 2513957186], length 31 12:56:17.649366 IP 23.210.228.34.443 > 10.76.8.92.48696: Flags [F.], seq 5797, ack 779, win 972, options [nop,nop,TS val 1717525572 ecr 2513957186], length 0 12:56:17.649377 IP 10.76.8.92.48696 > 23.210.228.34.443: Flags [.], ack 5797, win 352, options [nop,nop,TS val 2513957704 ecr 1717525572], length 0 12:56:17.649566 IP 10.76.8.92.48696 > 23.210.228.34.443: Flags [F.], seq 779, ack 5798, win 352, options [nop,nop,TS val 2513957704 ecr 1717525572], length 0 12:56:17.649599 IP 10.76.8.92.80 > 10.180.32.6.19343: Flags [P.], seq 1:789, ack 320, win 229, options [nop,nop,TS val 2513957704 ecr 829926189], length 788: HTTP: HTTP/1.1 200 OK == Fast Configuration === server { listen 80; location ~ /api/ { rewrite /api/(.*) /$1 break; proxy_pass https://my.upstream-host.com; } } And tcpdump: 12:49:13.058495 IP 10.180.32.5.15708 > 10.76.5.82.80: Flags [P.], seq 4214721185:4214721506, ack 57908483, win 4136, options [nop,nop,TS val 829505219 ecr 2514027940], length 321: HTTP: GET /api/something_something HTTP/1.1 12:49:13.058510 IP 10.76.5.82.80 > 10.180.32.5.15708: Flags [.], ack 321, win 229, options [nop,nop,TS val 2514027965 ecr 829505219], length 0 12:49:13.058696 IP 10.76.5.82.32816 > 23.66.26.5.443: Flags [S], seq 722986122, win 28400, options [mss 1420,sackOK,TS val 2514027965 ecr 0,nop,wscale 7], length 0 12:49:13.064657 IP 23.66.26.5.443 > 10.76.5.82.32816: Flags [S.], seq 3299173152, ack 722986123, win 28960, options [mss 1460,sackOK,TS val 1717551633 ecr 2514027965,nop,wscale 5], length 0 12:49:13.064677 IP 10.76.5.82.32816 > 23.66.26.5.443: Flags [.], ack 1, win 222, options [nop,nop,TS val 2514027971 ecr 1717551633], length 0 12:49:13.064808 IP 10.76.5.82.32816 > 23.66.26.5.443: Flags [P.], seq 1:482, ack 1, win 222, options [nop,nop,TS val 2514027971 ecr 1717551633], length 481 12:49:13.070245 IP 23.66.26.5.443 > 10.76.5.82.32816: Flags [.], ack 482, win 939, options [nop,nop,TS val 1717551639 ecr 2514027971], length 0 12:49:13.070423 IP 23.66.26.5.443 > 10.76.5.82.32816: Flags [P.], seq 1:138, ack 482, win 939, options [nop,nop,TS val 1717551639 ecr 2514027971], length 137 12:49:13.070432 IP 10.76.5.82.32816 > 23.66.26.5.443: Flags [.], ack 138, win 231, options [nop,nop,TS val 2514027977 ecr 1717551639], length 0 12:49:13.070619 IP 10.76.5.82.32816 > 23.66.26.5.443: Flags [P.], seq 482:533, ack 138, win 231, options [nop,nop,TS val 2514027977 ecr 1717551639], length 51 12:49:13.070663 IP 10.76.5.82.32816 > 23.66.26.5.443: Flags [P.], seq 533:896, ack 138, win 231, options [nop,nop,TS val 2514027977 ecr 1717551639], length 363 12:49:13.076080 IP 23.66.26.5.443 > 10.76.5.82.32816: Flags [.], ack 896, win 972, options [nop,nop,TS val 1717551644 ecr 2514027977], length 0 12:49:13.287759 IP 23.66.26.5.443 > 10.76.5.82.32816: Flags [P.], seq 138:942, ack 896, win 972, options [nop,nop,TS val 1717551856 ecr 2514027977], length 804 12:49:13.287832 IP 23.66.26.5.443 > 10.76.5.82.32816: Flags [P.], seq 942:973, ack 896, win 972, options [nop,nop,TS val 1717551856 ecr 2514027977], length 31 12:49:13.287843 IP 10.76.5.82.32816 > 23.66.26.5.443: Flags [.], ack 973, win 243, options [nop,nop,TS val 2514028194 ecr 1717551856], length 0 12:49:13.287845 IP 23.66.26.5.443 > 10.76.5.82.32816: Flags [F.], seq 973, ack 896, win 972, options [nop,nop,TS val 1717551856 ecr 2514027977], length 0 12:49:13.287972 IP 10.76.5.82.32816 > 23.66.26.5.443: Flags [F.], seq 896, ack 974, win 243, options [nop,nop,TS val 2514028194 ecr 1717551856], length 0 12:49:13.288004 IP 10.76.5.82.80 > 10.180.32.5.15708: Flags [P.], seq 1:789, ack 321, win 229, options [nop,nop,TS val 2514028194 ecr 829505219], length 788: HTTP: HTTP/1.1 200 OK I know the upstreams in the two tcpdump examples here have different IP addresses but the upstream is Akamai with a TTL on 19s so they are constantly changing. But the the response time is absolutely consistent at 0.3s vs 1s. What am I missing here? Is it because the upstream host is using HTTPS? I am using version 1.11.10. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272679,272679#msg-272679 From mdounin at mdounin.ru Wed Mar 1 12:44:19 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Wed, 1 Mar 2017 15:44:19 +0300 Subject: Large latency increase when using a resolver for proxy_pass In-Reply-To: References: Message-ID: <20170301124419.GQ34777@mdounin.ru> Hello! On Wed, Mar 01, 2017 at 07:32:03AM -0500, user384829 wrote: > Hi, > I am wanting to resolve upstream hostnames used for proxy_pass inline with > the TTL of the DNS record but when I add this configuration the response > from nginx is MUCH slower. > I've run tcpdump and the upstream DNS record is be resolved and reresolved > as TTL would dictate. > But requests are slower even when the TTL has not expired and nginx is not > attempting to resolve the record. > > The difference is quite large: 0.3s vs 1s. > > Measured like this: > curl -w "%{response_code} %{time_total}\n" -s -o /dev/null > 'http://my_nginx_host/api/something_something > > > == Slow Configuration === > > resolver 8.8.8.8 8.8.4.4 ipv6=off; > server { > listen 80; > set $upstream_host https://my.upstream-host.com; > location ~ /api/ { > rewrite /api/(.*) /$1 break; > proxy_pass $upstream_host; > } > } [...] > What am I missing here? Is it because the upstream host is using HTTPS? I am > using version 1.11.10. Yes. You are using https and you are using dynamic address resolution, so SSL session caching doesn't work. See detailed explaination in the response as send on this mailing list yesterday, http://mailman.nginx.org/pipermail/nginx/2017-February/053042.html. -- Maxim Dounin http://nginx.org/ From luky-37 at hotmail.com Wed Mar 1 14:04:27 2017 From: luky-37 at hotmail.com (Lukas Tribus) Date: Wed, 1 Mar 2017 14:04:27 +0000 Subject: AW: IPv6 upstream problem In-Reply-To: References: <44b29027-0666-bc2d-7442-5184caca747f@xtremenitro.org>, Message-ID: > Did anyone have a solution for this? I also have many of these errors logged > because I am using Google Container Engine that does not support IPv6. Try ?man gai.conf? to configure getaddrinfo behavior [1]. You could also try forcing a ipv6=no nginx resolver by using a variable: set $blablaserver "dual-stack-ipv4-ipv6.xtremenitro.org"; server $blablaserver; Not sure if that works with upstream servers, it does work with proxy_pass. cheers, lukas [1] http://man7.org/linux/man-pages/man5/gai.conf.5.html From nginx-forum at forum.nginx.org Wed Mar 1 14:05:32 2017 From: nginx-forum at forum.nginx.org (user384829) Date: Wed, 01 Mar 2017 09:05:32 -0500 Subject: Large latency increase when using a resolver for proxy_pass In-Reply-To: <20170301124419.GQ34777@mdounin.ru> References: <20170301124419.GQ34777@mdounin.ru> Message-ID: Hi Maxim, OK thanks for the reply but how do I resolve this? Am I supposed to use upstream blocks with hostnames in them? My impression is that these won't be resolved inline with the TTL. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272679,272684#msg-272684 From mdounin at mdounin.ru Wed Mar 1 15:07:43 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Wed, 1 Mar 2017 18:07:43 +0300 Subject: Large latency increase when using a resolver for proxy_pass In-Reply-To: References: <20170301124419.GQ34777@mdounin.ru> Message-ID: <20170301150743.GS34777@mdounin.ru> Hello! On Wed, Mar 01, 2017 at 09:05:32AM -0500, user384829 wrote: > OK thanks for the reply but how do I resolve this? Am I supposed to use > upstream blocks with hostnames in them? My impression is that these won't be > resolved inline with the TTL. If you control your backends, consider using normal nginx procedure with configuration reload to re-resolve names instead. Alternatively, consider using plain http to communicate with backends, or tuning SSL for faster handshakes (using ECDSA certs on backends will help a lot). A perfect solution for your specific case would probably be an upstream block with "server ... resolve", but this functionality is only available in nginx-plus (http://nginx.org/en/docs/http/ngx_http_upstream_module.html#resolve). -- Maxim Dounin http://nginx.org/ From anonymouscross at gmail.com Wed Mar 1 16:20:33 2017 From: anonymouscross at gmail.com (Anonymous cross) Date: Wed, 1 Mar 2017 10:20:33 -0600 Subject: Nginx support - transparent Forward proxy for internet traffic and reverse proxy for local Web server traffic Message-ID: Hi All, We are planning to integrate Nginx in our router. Basically, we wanted to confirm whether Nginx supports the below functionalities 1) As a reverse proxy + Forward transparent proxy - To route the traffic from specific domains to a local web server and all other traffic to public internet 2) Websocket support over reverse proxy - To support WebSocket communication between client and local web server in Nginx reverse proxy mode -- Regards, John -------------- next part -------------- An HTML attachment was scrubbed... URL: From santosh.kumar.mahapatra at gmail.com Thu Mar 2 01:30:49 2017 From: santosh.kumar.mahapatra at gmail.com (Santosh Mahapatra) Date: Wed, 1 Mar 2017 17:30:49 -0800 Subject: Support for TLS extended master secret extension Message-ID: Hello, Does nginx support TLS extended master secret extension(RFC 7627: https://tools.ietf.org/html/rfc7627 )? If so what directive is available to enable or disable it? Thanks, Santosh -------------- next part -------------- An HTML attachment was scrubbed... URL: From mdounin at mdounin.ru Thu Mar 2 01:49:49 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Thu, 2 Mar 2017 04:49:49 +0300 Subject: Support for TLS extended master secret extension In-Reply-To: References: Message-ID: <20170302014949.GA34777@mdounin.ru> Hello! On Wed, Mar 01, 2017 at 05:30:49PM -0800, Santosh Mahapatra wrote: > Does nginx support TLS extended master secret extension(RFC 7627: > https://tools.ietf.org/html/rfc7627 )? > > If so what directive is available to enable or disable it? OpenSSL supports Extended Master Secret extension starting with OpenSSL 1.1.0, and there is no way to disable it. So in nginx you'll see Extended Master Secret extension supported once you are running nginx with OpenSSL 1.1.0 or later. -- Maxim Dounin http://nginx.org/ From nginx-forum at forum.nginx.org Thu Mar 2 10:17:22 2017 From: nginx-forum at forum.nginx.org (p0lak) Date: Thu, 02 Mar 2017 05:17:22 -0500 Subject: One NGINX server to 2 backend servers In-Reply-To: References: Message-ID: <93bf2e043569cbbc5ba30128cadacbbe.NginxMailingListEnglish@forum.nginx.org> Yes, you're right ! I forgot proxy_pass statement but do not know why I cannot set proxy_pass with the full path name as http://mysite/forum/index.html Proxy_pass statement redirect me to root of my virtualhost so http://mysite/ Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272606,272708#msg-272708 From nginx-forum at forum.nginx.org Thu Mar 2 14:40:28 2017 From: nginx-forum at forum.nginx.org (polder_trash) Date: Thu, 02 Mar 2017 09:40:28 -0500 Subject: Balancing NGINX reverse proxy Message-ID: <3a79824d76eaffe5907a5d8d7a0d450c.NginxMailingListEnglish@forum.nginx.org> Hi, I have been reading the documentation and also searching this forum for a while, but could not find an answer to my question. Currently, I have a 2 NGINX nodes acting as a reverse proxy (in a failover setup using keepalived). The revproxy injects an authentication header, for an online website (transport is https). As the number of users grows, the load on the current machine starts to get uncomfortably high and I would like to be able to spread the load over both nodes. What would be the best way to set this up? I already tried adding both IP addresses to the DNS. But this, rather predictably, only sent a handful of users to the secondary node. I now plan about setting up an NGINX node in front of these revproxy nodes, acting as a round-robin load balancer. Will this work? Given the fact that traffic is over HTTPS, terminating the request will probably put all the load on the load balancer and therefore does not solve my issue. Your advice and help is greatly appreciated. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272713,272713#msg-272713 From dewanggaba at xtremenitro.org Thu Mar 2 16:34:55 2017 From: dewanggaba at xtremenitro.org (Dewangga Bachrul Alam) Date: Thu, 2 Mar 2017 23:34:55 +0700 Subject: AW: IPv6 upstream problem In-Reply-To: References: <44b29027-0666-bc2d-7442-5184caca747f@xtremenitro.org> Message-ID: <129c79b3-799e-e2b2-bae6-cde4e503b099@xtremenitro.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hello! Yes I've force my system to read IPv4 first. But, just curios, why IPv6 upstream can't serve the traffic? If I access the IP Address using browser, it's normal. I am using Cent OS 7. On 03/01/2017 09:04 PM, Lukas Tribus wrote: >> Did anyone have a solution for this? I also have many of these >> errors logged because I am using Google Container Engine that >> does not support IPv6. > > Try ?man gai.conf? to configure getaddrinfo behavior [1]. > > > You could also try forcing a ipv6=no nginx resolver by using a > variable: > > set $blablaserver "dual-stack-ipv4-ipv6.xtremenitro.org"; server > $blablaserver; > > Not sure if that works with upstream servers, it does work with > proxy_pass. > > > cheers, lukas > > [1] http://man7.org/linux/man-pages/man5/gai.conf.5.html > _______________________________________________ nginx mailing list > nginx at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx > -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQI4BAEBCAAiBQJYuEmoGxxkZXdhbmdnYWJhQHh0cmVtZW5pdHJvLm9yZwAKCRDl f9IgoCjNcK0SEACqb3fBlvvN7K5rf+3xQ7Cr7CssL0XnKwAoF/UbtvLZITsHcxyy /FO2xqKQ9QG5eTqtMCPMkG+VoyZmpOBbzErYyF4+8AKPFlADyuk3zC3W0Wfpy2TE FXUOBL/fQvJa3F4HW1q7YTLxt2TUyPXxdjZkVaZTAaExpJRDZWuzq00l2ycmvLPL RmvVy14p+1XFZSEzHcn0pC49OCrhPHv8Moo7e+HbLS3+f/LYAyKT7tzVtdn9UXYO sBf4k46ZoVW2kYBz7NgQ6RMSMbaAySStSbTPUifmQFR3h87a6mHpDzJ7DK9VDh1v W37ROP0SWBs2BpA3iPwe9z+dGp+a2jmx3FbZCjnD5A++eGapY6+mqSFFdDM6fZmf y2e9mM5nFQi0aRw+M53a2UI6HcE0pxQLBG1cpPLGtK6PMcB1dOTVvrZHN2R+HIAp zDsh90r08u/Ntxj8M6eapLrhGQz4xKP3MoJJhtUON3fxiP5j6Edyf5+Z+XOpIyf/ 2ipoEJIt+0zc5fJcHVbmqrXkDE0GPeYlxpIqCb4LIRpxLZ4DsHLNZGlAtPCTudgS XCUiYduGSgir+Ga02Knprbk01OS5Jczg/ZtWtcIO4CH0A8aYKMB3gnuQhAMYHI6P uaxMFIiq04KL9g+k763U0pR0y+URXRU+7Y2ZAVeVaIDDk4Y+MCr85Y7WyQ== =PHsr -----END PGP SIGNATURE----- From paulr at rcom-software.com Thu Mar 2 18:35:22 2017 From: paulr at rcom-software.com (Paul Romero) Date: Thu, 2 Mar 2017 10:35:22 -0800 Subject: MySQL Access w/ Nginx Message-ID: <58B865EA.4050509@rcom-software.com> Dear Nginx Community: Do you think NGinx is a viable and advisable solution for providing MySQL server access to my application ? The basic requirements and goals of the application are described below. Although, NGinx is classified as a Web Server which can act as a Reverse Proxy or Load Balancer, my application does not need exactly that kind of functionality in the short term. The short term need is to allow mobile platforms to access a single MySQL server. Eventually, there will be multiple MySQL servers and load balancing and failure fallback will be issues, and perahs caching. That means the basic architecture is as follows. | Mobile | <--> Internet <--> | NGinx | <--> | MySQL | <--> | MySQL | | System | (TCP/IP) | Backend | | Server| Initially NGinx, the MySQL Backend, and MySQL Server will all be on the same Linux host. My main concern is how the MySQL Backend fits and operates within that architecture. (i.e. I am not sure about the correct terminology for the MySQL Backend.) I assume, but am not sure, it can interact with the NGinx without additional components, such as Drupal. The basic requirement is the ability to perform remote MySQL queries and operations with syntax and semantics which are virtually the same as the corresponding manual operations. However, the remote system does not need to use the same syntax and semantics as the module that performs MySQL operations. Also, smooth interaction with LAMP PHP and MySQL components is a requirement. (i.e. I think Apache is not an issue.) Note that application clients will put a large volume of data into the MySQL database and interaction with a Web Server is not an issue at this point. The priority is to allow a mobile system such as an Android, and eventually an Apple, to access an MySQL server on a Unix/Linux system securely. However, the priority for the same functionality in a conventional Internet host is almost as high. The essential connection and authentication requirements are as follows. * SSL encryption/authentication * MySQL authentication * No passwords etc. are transmitted in the open. * Support for multiple concurrent connections from the same or multiple systems. * Each remote MySQL user must perform SSL authentication separately and there is 1-1 relationship between the SSL and MySQL authentication data. Best Regards, Paul R. -- Paul Romero ----------- RCOM Communications Software EMAIL: paulr at rcom-software.com PHONE: (510)482-2769 From nginx-forum at forum.nginx.org Thu Mar 2 20:40:55 2017 From: nginx-forum at forum.nginx.org (itpp2012) Date: Thu, 02 Mar 2017 15:40:55 -0500 Subject: MySQL Access w/ Nginx In-Reply-To: <58B865EA.4050509@rcom-software.com> References: <58B865EA.4050509@rcom-software.com> Message-ID: <87093893ed896614fb50dd8aa84ffb5e.NginxMailingListEnglish@forum.nginx.org> With Lua you will find many examples how to interact (non-blocking) with mysql, Lua also contains a load balancer which can be adapted to loadbalance sql instances. See also https://www.google.nl/#q=nginx+lua+mysql Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272718,272719#msg-272719 From alex at samad.com.au Thu Mar 2 22:06:04 2017 From: alex at samad.com.au (Alex Samad) Date: Fri, 3 Mar 2017 09:06:04 +1100 Subject: Balancing NGINX reverse proxy In-Reply-To: <3a79824d76eaffe5907a5d8d7a0d450c.NginxMailingListEnglish@forum.nginx.org> References: <3a79824d76eaffe5907a5d8d7a0d450c.NginxMailingListEnglish@forum.nginx.org> Message-ID: Hi if I am reading this right, you currently have too much load on 1 nginx server and you wish to releave this by adding another nginx server in front of it ? What I have is 2 nodes, but I use pacemaker instead of keepalive - i like it as a better solution - but thats for another thread. what you can do with pacemaker is have 1 ip address distributed between multiple machines - up to 16 nodes I think from memory. It uses linux iptables module for doing this. It is dependant on the source ip's being distributed, if there are clamp together the hashing algo will not make it any better. How many requests are you getting to overload nginx - i thought it was able to handle very large amounts ? are your nodes big enough do you need more CPU's or memory or ?? Alex On 3 March 2017 at 01:40, polder_trash wrote: > Hi, > > I have been reading the documentation and also searching this forum for a > while, but could not find an answer to my question. > Currently, I have a 2 NGINX nodes acting as a reverse proxy (in a failover > setup using keepalived). The revproxy injects an authentication header, for > an online website (transport is https). > > As the number of users grows, the load on the current machine starts to get > uncomfortably high and I would like to be able to spread the load over both > nodes. > > What would be the best way to set this up? > > I already tried adding both IP addresses to the DNS. But this, rather > predictably, only sent a handful of users to the secondary node. > I now plan about setting up an NGINX node in front of these revproxy nodes, > acting as a round-robin load balancer. Will this work? Given the fact that > traffic is over HTTPS, terminating the request will probably put all the > load on the load balancer and therefore does not solve my issue. > > Your advice and help is greatly appreciated. > > Posted at Nginx Forum: https://forum.nginx.org/read. > php?2,272713,272713#msg-272713 > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From al-nginx at none.at Thu Mar 2 22:25:11 2017 From: al-nginx at none.at (Aleksandar Lazic) Date: Thu, 02 Mar 2017 23:25:11 +0100 Subject: Issue about nginx removing the header "Connection" in HTTP response? In-Reply-To: <20170301072932.CFCB94C09D6@webmail.sinamail.sina.com.cn> References: <20170301072932.CFCB94C09D6@webmail.sinamail.sina.com.cn> Message-ID: Hi. Am 01-03-2017 08:29, schrieb tjlp at sina.com: > Hi, nginx guy, > > In our system, for some special requests, the upstream server will > return a response which the header includes "Connection: Close". > According to HTTP protocol, "Connection" is one-hop header. > So, nginx will remove this header and the client can't do the business > logic correctly. > > How to handle this scenario? you mean something like this? http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header If the value of a header field is an empty string then this field will not be passed to a proxied server: proxy_set_header Connection ""; > Thanks > Liu Peng > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx From al-nginx at none.at Thu Mar 2 22:37:24 2017 From: al-nginx at none.at (Aleksandar Lazic) Date: Thu, 02 Mar 2017 23:37:24 +0100 Subject: NGINX - Reverse Proxy With Authentication at 2 Layers In-Reply-To: References: Message-ID: Hi. Am 01-03-2017 09:57, schrieb zaidahmd: > ** Problem Background ** > I have an application, say app-A, which is running on a private network > unreachable by public network. Now a new requirement needs to deliver > the > webpages of app-A to external users over public network. > > As a solution to expose app-A, I want to use NGINX as reverse proxy and > will > use two layers of authentication as explained below. Kindly advise if i > am > moving in the right direction in implementing the secure entry using > NGINX. > > Reference Images attached at the end of email. > > ** Authentication Level 1 ** NGINX Auth Service As a solution to > expose > app-A, I want to use NGINX as reverse proxy and API gateway for > External > users to access the application in internal network. Once NGINX > authenticates the request it will forward to app-A. For this you can use http://nginx.org/en/docs/http/ngx_http_auth_request_module.html > ** Authentication Level 2 ** App-A performs Authentication After > receiving request from nginx, app-A will perform its own > authentication, > ignoring that the request came pre-authenticated from NGINX. app-A will > perform the authentication as app-A is to be kept unaware of the new > NGINX > reverse proxy and app-A will continue to work as is. For this you will use http://nginx.org/en/docs/http/ngx_http_upstream_module.html > ** Problem Situation ** > NGINX Authentication service authenticates the request and sets a > session-id > in response so that it can identify the next request coming from the > same > client. As app-A also authenticates the request and puts the session-id > in > response. The problem here is that one session-id will get overriden by > the > other. > > Questions/Options in consideration : > > 1. (Image-ref-1) Is there anyway that I can configure NGINX to keep > both > the session-ids seperate in the request so that Auth service and app-A > can > recognise there own session informations for authenticated client. you an set the session id to another variable with. http://nginx.org/en/docs/http/ngx_http_auth_request_module.html#auth_request_set > 2. (image-Ref-2) If both the session info cannot be saved, then can > we > configure NGINX to store session-id response of app-A and auth service > both > in its memory and only send the session-id of auth service back to > client. > And when the request comes back with Auth Service's session-id, NGINX > should > correlate the session of App-A and forward App-A's session to app-A. > This > way the request would get authenticated at both layers. I assume you can safe the session-id in memcache with. http://nginx.org/en/docs/http/ngx_http_memcached_module.html > 3. Which solution can be performed from the above 2 ? I think both. I would prefer the second one because this could save some request on the auth service. > 4. Is it good approach to have 2 layers of authentication when > NGINX's > API gateway is used? If not then what configuration is required in > app-A to > not perform authentication for the requests coming from NGINX? > Application > environment java spring.? Due to the fact that you haven't told us which auth method the auth service can offer I suggest to use openid connect to perform a kind of SSO. There is a http://nginx.org/en/docs/http/ngx_http_auth_jwt_module.html which is part of the n+. If you don't want to buy n+ you can use the modules which I have mentioned above. The best way would be to adopt the app-A to be able to handle both situations. A available session-id, in your case the one from nginx, and no session-id. > ** Links to Images ** > Image-Ref-1 : http://i64.tinypic.com/27zbthj.gif > Image-Ref-2 : http://i63.tinypic.com/35a2lbp.png > > Posted at Nginx Forum: > https://forum.nginx.org/read.php?2,272674,272674#msg-272674 > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx From zxcvbn4038 at gmail.com Fri Mar 3 00:38:39 2017 From: zxcvbn4038 at gmail.com (CJ Ess) Date: Thu, 2 Mar 2017 19:38:39 -0500 Subject: Hiding PHP's WSOD with Nginx Message-ID: My employer uses Nginx in front of PHP-FPM to generate their web content. They have PHP's error reporting shut off in production so when something does go wrong in their PHP scripts they end up with a "White Screen Of Death". From a protocol level the white screen of death is a 200 response with no content. They were wondering if there was a way to detect the WSOD within Nginx and substitute their 500 error page. PHP-FPM typically uses chunked encoding so I don't think the content-length header is going to help me. Does anyone have any suggestions how I might best accomplish this? I looked around with Google but all of the hits were people wanting to turn on error reporting, or looking help getting php-fpm working with Nginx to begin with. -------------- next part -------------- An HTML attachment was scrubbed... URL: From nginx-forum at forum.nginx.org Fri Mar 3 03:54:55 2017 From: nginx-forum at forum.nginx.org (c0nw0nk) Date: Thu, 02 Mar 2017 22:54:55 -0500 Subject: Hiding PHP's WSOD with Nginx In-Reply-To: References: Message-ID: <1dcc1d01d08096a33304ffcf0efd6f0e.NginxMailingListEnglish@forum.nginx.org> You should view http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_catch_stderr Might be what you seek for a empty blank page output or specific text that would be a Fatal error etc. CJ Ess Wrote: ------------------------------------------------------- > My employer uses Nginx in front of PHP-FPM to generate their web > content. > They have PHP's error reporting shut off in production so when > something > does go wrong in their PHP scripts they end up with a "White Screen Of > Death". From a protocol level the white screen of death is a 200 > response > with no content. They were wondering if there was a way to detect the > WSOD > within Nginx and substitute their 500 error page. > > PHP-FPM typically uses chunked encoding so I don't think the > content-length > header is going to help me. > > Does anyone have any suggestions how I might best accomplish this? > > I looked around with Google but all of the hits were people wanting to > turn > on error reporting, or looking help getting php-fpm working with Nginx > to > begin with. > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272724,272726#msg-272726 From tjlp at sina.com Fri Mar 3 05:00:36 2017 From: tjlp at sina.com (tjlp at sina.com) Date: Fri, 03 Mar 2017 13:00:36 +0800 Subject: =?UTF-8?Q?=E5=9B=9E=E5=A4=8D=EF=BC=9ARe=3A_Issue_about_nginx_removing_the_?= =?UTF-8?Q?header_=22Connection=22_in_HTTP_response=3F?= Message-ID: <20170303050036.10E294C0955@webmail.sinamail.sina.com.cn> Hi, What I mention is the header in response from backend server. Your answer about proxy_set_header is the "Connection" header in request. Thanks Liu Peng ----- ???? ----- ????Aleksandar Lazic ????nginx at nginx.org ????tjlp at sina.com ???Re: Issue about nginx removing the header "Connection" in HTTP response? ???2017?03?03? 06?25? Hi. Am 01-03-2017 08:29, schrieb tjlp at sina.com: > Hi, nginx guy, > > In our system, for some special requests, the upstream server will > return a response which the header includes "Connection: Close". > According to HTTP protocol, "Connection" is one-hop header. > So, nginx will remove this header and the client can't do the business > logic correctly. > > How to handle this scenario? you mean something like this? http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header If the value of a header field is an empty string then this field will not be passed to a proxied server: proxy_set_header Connection ""; > Thanks > Liu Peng > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx -------------- next part -------------- An HTML attachment was scrubbed... URL: From al-nginx at none.at Fri Mar 3 08:19:44 2017 From: al-nginx at none.at (Aleksandar Lazic) Date: Fri, 03 Mar 2017 09:19:44 +0100 Subject: =?UTF-8?Q?Re=3A_=E5=9B=9E=E5=A4=8D=EF=BC=9ARe=3A_Issue_about_nginx_removin?= =?UTF-8?Q?g_the_header_=22Connection=22_in_HTTP_response=3F?= In-Reply-To: <20170303050036.10E294C0955@webmail.sinamail.sina.com.cn> References: <20170303050036.10E294C0955@webmail.sinamail.sina.com.cn> Message-ID: Hi. then one directive upward. http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header Cheers aleks Am 03-03-2017 06:00, schrieb tjlp at sina.com: > Hi, > > What I mention is the header in response from backend server. Your answer about proxy_set_header is the "Connection" header in request. > > Thanks > Liu Peng > > ----- ???? ----- > ????Aleksandar Lazic > ????nginx at nginx.org > ????tjlp at sina.com > ???Re: Issue about nginx removing the header "Connection" in HTTP response? > ???2017?03?03? 06?25? > > Hi. > Am 01-03-2017 08:29, schrieb tjlp at sina.com: >> Hi, nginx guy, >> >> In our system, for some special requests, the upstream server will >> return a response which the header includes "Connection: Close". >> According to HTTP protocol, "Connection" is one-hop header. >> So, nginx will remove this header and the client can't do the business >> logic correctly. >> >> How to handle this scenario? > you mean something like this? > http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header > If the value of a header field is an empty string then this field will > not be passed to a proxied server: > proxy_set_header Connection ""; >> Thanks >> Liu Peng >> _______________________________________________ >> nginx mailing list >> nginx at nginx.org >> http://mailman.nginx.org/mailman/listinfo/nginx -------------- next part -------------- An HTML attachment was scrubbed... URL: From nginx-forum at forum.nginx.org Fri Mar 3 08:33:18 2017 From: nginx-forum at forum.nginx.org (polder_trash) Date: Fri, 03 Mar 2017 03:33:18 -0500 Subject: Balancing NGINX reverse proxy In-Reply-To: References: Message-ID: <25490575d14ffef383dbad6adc909775.NginxMailingListEnglish@forum.nginx.org> Alexsamad, I might not have been clear, allow me to try again: * currently 2 NGINX revproxy nodes, 1 active the other on standby in case node 1 fails. * Since I am injecting an authentication header into the request, the HTTPS request has to be offloaded at the node and introduces additional load compared to injecting into non-encrypted requests. * Current peak load ~60 concurrent requests, ~100% load on CPU. Concurrent requests expected to more than double, so revproxy will be bottleneck. The NGINX revproxies run as a VM and I can ramp up the machine specs a little bit, but I do not expect this to completely solve the issue here. Therefore I am looking for some method of spreading the requests over multiple backend revproxies, without the load balancer frontend having to deal with SSL offloading. >From the KEMP LoadMaster documentation I found that this technique is called SSL Passthrough. I am currently looking if that is also supported by NGINX. What do you think? Will this solve my issue? Am I on the wrong track? Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272713,272729#msg-272729 From luky-37 at hotmail.com Fri Mar 3 09:02:48 2017 From: luky-37 at hotmail.com (Lukas Tribus) Date: Fri, 3 Mar 2017 09:02:48 +0000 Subject: AW: AW: IPv6 upstream problem In-Reply-To: <129c79b3-799e-e2b2-bae6-cde4e503b099@xtremenitro.org> References: <44b29027-0666-bc2d-7442-5184caca747f@xtremenitro.org> , <129c79b3-799e-e2b2-bae6-cde4e503b099@xtremenitro.org> Message-ID: > But, just curios, why IPv6 upstream can't serve the traffic? Because if you configure IPv6 on your system but don't have IPv6 connectivity, it will try and fail. > If I access the IP Address using browser, it's normal. Because the browser probably recognizes the broken configuration and works around it. Use curl to check, not a browser. From nginx-forum at forum.nginx.org Fri Mar 3 09:15:02 2017 From: nginx-forum at forum.nginx.org (abhipower.abhi) Date: Fri, 03 Mar 2017 04:15:02 -0500 Subject: Nginx configuration Issue Message-ID: <151f67fd79e076520392a0de438c2992.NginxMailingListEnglish@forum.nginx.org> I am using nginx-1.10.3 as a load balancer. In my architecture, I have two servers- Hostname - sal15062hkb152, IP Address - 172.15.54.116 Hostname - sal15062hkb184, IP Address - 172.15.54.105 I want both should work in active-passive mode with nginx. My application is running on both servers and client can access my application using URL - https://sal15062hkb152/views or https://sal15062hkb184/views My nginx.conf is - #user nobody; worker_processes 1; #error_log logs/error.log; #error_log logs/error.log notice; #error_log logs/error.log info; #pid logs/nginx.pid; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; #access_log logs/access.log main; sendfile on; #tcp_nopush on; #keepalive_timeout 0; keepalive_timeout 65; #gzip on; server { listen 80; server_name sal15062hkb152; #http://sal15062hkb152/oneview/; #charset koi8-r; #access_log logs/host.access.log main; location / { root html; index index.html index.htm; } #error_page 404 /404.html; # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } # proxy the PHP scripts to Apache listening on 127.0.0.1:80 # #location ~ \.php$ { # proxy_pass http://127.0.0.1; #} # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 # #location ~ \.php$ { # root html; # fastcgi_pass 127.0.0.1:9000; # fastcgi_index index.php; # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; # include fastcgi_params; #} # deny access to .htaccess files, if Apache's document root # concurs with nginx's one # #location ~ /\.ht { # deny all; #} } # another virtual host using mix of IP-, name-, and port-based configuration # #server { # listen 8000; # listen somename:8080; # server_name somename alias another.alias; # location / { # root html; # index index.html index.htm; # } #} # HTTPS server # server { listen 443 ssl; server_name sal15062hkb152; #ssl_certificate cert.pem; #ssl_certificate_key cert.key; ssl_certificate iperspective.crt; ssl_certificate_key iperspective.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; location / { root http://oneview; index index.html index.htm; } } } I am trying to access https://sal15062hkb152/views but I am getting "404 Not Found" in browser. I believe, my nginx.conf file configuration is not correct. Please let me know proper configuration for my nginx.conf file. Thanks Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272731,272731#msg-272731 From nginx-forum at forum.nginx.org Fri Mar 3 09:53:56 2017 From: nginx-forum at forum.nginx.org (user384829) Date: Fri, 03 Mar 2017 04:53:56 -0500 Subject: Large latency increase when using a resolver for proxy_pass In-Reply-To: <20170301150743.GS34777@mdounin.ru> References: <20170301150743.GS34777@mdounin.ru> Message-ID: <7a1fe9523d74469a4ccc9a66dd6c268f.NginxMailingListEnglish@forum.nginx.org> Hi Maxim, Thanks for the reply. What about if we used a stream/tcp proxy_pass with resolver? Something like this: resolver 8.8.8.8 8.8.4.4 ipv6=off; stream { server { listen localhost:81; set $upstream_host my.upstream-host.com; proxy_pass $upstream_host:443; } } server { listen 80; location ~ /api/ { rewrite /api/(.*) /$1 break; proxy_ssl_verify off; proxy_pass https://localhost:81; } } Would this work? Thanks, Max Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272679,272732#msg-272732 From dewanggaba at xtremenitro.org Fri Mar 3 09:59:03 2017 From: dewanggaba at xtremenitro.org (Dewangga Bachrul Alam) Date: Fri, 3 Mar 2017 16:59:03 +0700 Subject: Nginx configuration Issue In-Reply-To: <151f67fd79e076520392a0de438c2992.NginxMailingListEnglish@forum.nginx.org> References: <151f67fd79e076520392a0de438c2992.NginxMailingListEnglish@forum.nginx.org> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hello! On 03/03/2017 04:15 PM, abhipower.abhi wrote: > I am using nginx-1.10.3 as a load balancer. In my architecture, I > have two servers- > > Hostname - sal15062hkb152, IP Address - 172.15.54.116 Hostname - > sal15062hkb184, IP Address - 172.15.54.105 I want both should work > in active-passive mode with nginx. My application is running on > both servers and client can access my application using URL - > > https://sal15062hkb152/views or https://sal15062hkb184/views > > My nginx.conf is - > > #user nobody; worker_processes 1; > > #error_log logs/error.log; #error_log logs/error.log notice; > #error_log logs/error.log info; > > #pid logs/nginx.pid; > > > events { worker_connections 1024; } > > > http { include mime.types; default_type > application/octet-stream; > > #log_format main '$remote_addr - $remote_user [$time_local] > "$request" ' # '$status $body_bytes_sent > "$http_referer" ' # '"$http_user_agent" > "$http_x_forwarded_for"'; > > #access_log logs/access.log main; > > sendfile on; #tcp_nopush on; > > #keepalive_timeout 0; keepalive_timeout 65; > > #gzip on; > > server { listen 80; server_name sal15062hkb152; > > #http://sal15062hkb152/oneview/; > > #charset koi8-r; > > #access_log logs/host.access.log main; > > location / { root html; index index.html index.htm; } > > #error_page 404 /404.html; > > # redirect server error pages to the static page /50x.html # > error_page 500 502 503 504 /50x.html; location = /50x.html { > root html; } > > # proxy the PHP scripts to Apache listening on 127.0.0.1:80 # > #location ~ \.php$ { # proxy_pass http://127.0.0.1; #} > > # pass the PHP scripts to FastCGI server listening on > 127.0.0.1:9000 # #location ~ \.php$ { # root html; # > fastcgi_pass 127.0.0.1:9000; # fastcgi_index index.php; # > fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; # > include fastcgi_params; #} > > # deny access to .htaccess files, if Apache's document root # > concurs with nginx's one # #location ~ /\.ht { # deny all; #} > } > > > # another virtual host using mix of IP-, name-, and port-based > configuration # #server { # listen 8000; # listen > somename:8080; # server_name somename alias another.alias; > > # location / { # root html; # index index.html > index.htm; # } #} > > > # HTTPS server # server { > > listen 443 ssl; server_name sal15062hkb152; > > #ssl_certificate cert.pem; #ssl_certificate_key cert.key; > > ssl_certificate iperspective.crt; ssl_certificate_key > iperspective.key; > > ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; > > ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; > [..] > location / { root http://oneview; index index.html index.htm; } What do you expect for this directive? root[1] directive should be on local path, if you want proxying response to another backend. try using proxy_pass[2]. [1] http://nginx.org/en/docs/http/ngx_http_core_module.html#root [2] http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass > } > > } > > I am trying to access https://sal15062hkb152/views but I am getting > "404 Not Found" in browser. I believe, my nginx.conf file > configuration is not correct. Please let me know proper > configuration for my nginx.conf file. Thanks > > Posted at Nginx Forum: > https://forum.nginx.org/read.php?2,272731,272731#msg-272731 > > _______________________________________________ nginx mailing list > nginx at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx > -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQI4BAEBCAAiBQJYuT5kGxxkZXdhbmdnYWJhQHh0cmVtZW5pdHJvLm9yZwAKCRDl f9IgoCjNcFnxD/oCSqZG6BLx2+i7qRDlPFtjs65yCc25UYTigT0GEKgzi9Sa9TsJ wcxnbreOtaZxjG6lM7L890mkZ7xaRCd5hZea4TfaBUKfUESzbCUi9mFQUh4yWhei RksO+CmYmbGZ1t8EFI+bzw7jJyNYyvsdHpEAjnLBs7NtWogsKMSV9e0G58E/XIts mfQUc5L0O4XeUL/DSD/+ie3Mx54Wdjw4SHr5XnogNpowvKRYqL76aOvjT0zxBFNX u1lHnRHR6m2t2dZZGnZ3jNswiZx1JI3P1gDFKHHV9PAZgV3poc6jU4WqvJuZLIDr 2IghYg8c7xwmPnvncNKOr0XNpBpiwyR9KWR3A+cWzGHzNxQJXaLIt55VLJxIP9uF v99xY6S6ONkRPyVywSWUa6eOr9cc0f0Un8sdqIWLyUcihR0JrTBTtl2Ycu8bR5g9 g8+kQQW6ryP9X79LB9hICoIeXwij4gWC8g7EfVnYmElKkRwp2msuVgc1FGvfW/9o HT6oBRw0V7JmcCTCVZ7ycmDsl1PdUvWm5/6LvUwlCYzFTyPFl7ZcDuGxF4bknVQM 8eEbwb/HgwLIq1jYc2GStv2WjNdLds9KsPIjggmKxqZPpk3IKMKLhA9BjcCitqsP 93KkxLCHC0SyVREEoX7aG3DOvYyHUrDPNi7t2L6nW9hnwJfHWaLtzS8kAA== =Ac+6 -----END PGP SIGNATURE----- From mdounin at mdounin.ru Fri Mar 3 12:41:41 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Fri, 3 Mar 2017 15:41:41 +0300 Subject: Large latency increase when using a resolver for proxy_pass In-Reply-To: <7a1fe9523d74469a4ccc9a66dd6c268f.NginxMailingListEnglish@forum.nginx.org> References: <20170301150743.GS34777@mdounin.ru> <7a1fe9523d74469a4ccc9a66dd6c268f.NginxMailingListEnglish@forum.nginx.org> Message-ID: <20170303124141.GG34777@mdounin.ru> Hello! On Fri, Mar 03, 2017 at 04:53:56AM -0500, user384829 wrote: > What about if we used a stream/tcp proxy_pass with resolver? Something like > this: > > resolver 8.8.8.8 8.8.4.4 ipv6=off; > > stream { > server { > listen localhost:81; > set $upstream_host my.upstream-host.com; > proxy_pass $upstream_host:443; > } > } > > server { > listen 80; > location ~ /api/ { > rewrite /api/(.*) /$1 break; > proxy_ssl_verify off; > proxy_pass https://localhost:81; > } > } > > Would this work? The result will be exactly the same: it will work, but SSL sessions won't be cached. -- Maxim Dounin http://nginx.org/ From al-nginx at none.at Fri Mar 3 15:35:53 2017 From: al-nginx at none.at (Aleksandar Lazic) Date: Fri, 03 Mar 2017 16:35:53 +0100 Subject: [no subject] In-Reply-To: References: Message-ID: <21698758d05bb06b3d89346a4c60b33a@none.at> Hi Anto. Am 26-02-2017 23:32, schrieb Anto: > Hi Aleksandar, > > Thank you , my requirement is i need LB to redirect to same OHS server > where i have multiple httpd server's running. So you need a stickyness, right?! There is a rather long post with a stickiness description https://www.nginx.com/resources/deployment-guides/load-balance-apache-tomcat/#session-persistence-basic. Btw.: what's a OHS Server? BR Aleks > Regards > > "" Anto Telvin Mathew "" > > On Sat, Feb 25, 2017 at 4:29 AM, Aleksandar Lazic > wrote: > Hi Anto. > > Am 24-02-2017 19:03, schrieb Anto: > > Hi Team , > > Would like to know how i can configure Ngnix LB with SSL termination ? > In addition to the above would like to configure LB with multiple > httpd's with single IP. > Can you guide me how i can do the same with proxy pass ? > > Note : I have a single OHS server with 2 different httpd.conf files > listening to two different ports. > Need to configure LB with SSL termination to redirect to same servers . > > Need a step by step guideline help - thanks How about to start with > this blog post. > > https://www.nginx.com/resources/admin-guide/nginx-https-upstreams/ > > Best regards > Aleks From nginx-forum at forum.nginx.org Fri Mar 3 15:47:26 2017 From: nginx-forum at forum.nginx.org (c0nw0nk) Date: Fri, 03 Mar 2017 10:47:26 -0500 Subject: Nginx Map how to check value if empty Message-ID: <6ac5c02bbc781fee8e58adb6a4b04b44.NginxMailingListEnglish@forum.nginx.org> So I have the following Map map $http_cf_connecting_ip $client_ip_from_cf { default $http_cf_connecting_ip; } How can I make it so if the client did not send that $http_ header it makes $client_ip_from_cf variable value = $binary_remote_addr Not sure how to check in a map if that http header is present. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272744,272744#msg-272744 From tjlp at sina.com Sat Mar 4 08:12:42 2017 From: tjlp at sina.com (tjlp at sina.com) Date: Sat, 04 Mar 2017 16:12:42 +0800 Subject: =?UTF-8?B?5Zue5aSN77yaUmU6X+WbnuWkje+8mlJlOl9Jc3N1ZV9hYm91dF9uZ2lueF9yZW1v?= =?UTF-8?B?dmluZ190aGVfaGVhZGVyXyJDb25uZWN0aW9uIl9pbl9IVFRQX3Jlc3BvbnNl?= =?UTF-8?B?Pw==?= Message-ID: <20170304081242.16C9610200E3@webmail.sinamail.sina.com.cn> Hi, Alexks, I don't want to hide the header. My problem is that Nginx change the "Connection: close" header in the reponse from upstream server to "Connction: keep-alive" and send to client. I want to keep the original "Connection: close" header. Thanks Liu Peng ----- ???? ----- ????Aleksandar Lazic ????tjlp at sina.com ????nginx ???Re:_???Re:_Issue_about_nginx_removing_the_header_"Connection"_in_HTTP_response? ???2017?03?03? 16?19? Hi. then one directive upward. http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header Cheers aleks Am 03-03-2017 06:00, schrieb tjlp at sina.com: Hi, What I mention is the header in response from backend server. Your answer about proxy_set_header is the "Connection" header in request. Thanks Liu Peng ----- ???? ----- ????Aleksandar Lazic ????nginx at nginx.org ????tjlp at sina.com ???Re: Issue about nginx removing the header "Connection" in HTTP response? ???2017?03?03? 06?25? Hi. Am 01-03-2017 08:29, schrieb tjlp at sina.com: > Hi, nginx guy, > > In our system, for some special requests, the upstream server will > return a response which the header includes "Connection: Close". > According to HTTP protocol, "Connection" is one-hop header. > So, nginx will remove this header and the client can't do the business > logic correctly. > > How to handle this scenario? you mean something like this? http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header If the value of a header field is an empty string then this field will not be passed to a proxied server: proxy_set_header Connection ""; > Thanks > Liu Peng > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx -------------- next part -------------- An HTML attachment was scrubbed... URL: From francis at daoine.org Sat Mar 4 08:14:33 2017 From: francis at daoine.org (Francis Daly) Date: Sat, 4 Mar 2017 08:14:33 +0000 Subject: Nginx Map how to check value if empty In-Reply-To: <6ac5c02bbc781fee8e58adb6a4b04b44.NginxMailingListEnglish@forum.nginx.org> References: <6ac5c02bbc781fee8e58adb6a4b04b44.NginxMailingListEnglish@forum.nginx.org> Message-ID: <20170304081433.GA15209@daoine.org> On Fri, Mar 03, 2017 at 10:47:26AM -0500, c0nw0nk wrote: Hi there, > map $http_cf_connecting_ip $client_ip_from_cf { > default $http_cf_connecting_ip; > } > > How can I make it so if the client did not send that $http_ header it makes > $client_ip_from_cf variable value = $binary_remote_addr > > Not sure how to check in a map if that http header is present. If the http header is absent, the matching variable is empty. So it will have the value "". Use that as the first half of your "map" pair. f -- Francis Daly francis at daoine.org From francis at daoine.org Sat Mar 4 08:26:15 2017 From: francis at daoine.org (Francis Daly) Date: Sat, 4 Mar 2017 08:26:15 +0000 Subject: Websocket, set Sec-Websocket-Protocol In-Reply-To: References: Message-ID: <20170304082615.GB15209@daoine.org> On Fri, Feb 24, 2017 at 01:24:11AM -0500, ashoba wrote: Hi there, > How I can set Sec-WebSocket-Protocol in config? > I've tried proxy_set_header Sec-WebSocket-Protocol "v10.stomp, v11.stomp"; > and add_header Sec-WebSocket-Protocol "v10.stomp, v11.stomp". > In response, I'm not getting 'Sec-WebSocket-Protocol' header. If you want to add a header to the response that nginx sends to a client using stock nginx, "add_header" (http://nginx.org/r/add_header) is the directive to use. That directive needs to apply within the location{} that nginx uses to handle the request that you make. And it only applies to certain http response codes, per the documentation. What is the config that you use that gives a response that you do not want? (There is also a non-stock "headers more" module that can set headers. Depending on your requirements, that may be interesting to you.) f -- Francis Daly francis at daoine.org From francis at daoine.org Sat Mar 4 08:43:59 2017 From: francis at daoine.org (Francis Daly) Date: Sat, 4 Mar 2017 08:43:59 +0000 Subject: One NGINX server to 2 backend servers In-Reply-To: References: Message-ID: <20170304084359.GC15209@daoine.org> On Fri, Feb 24, 2017 at 06:17:51AM -0500, p0lak wrote: Hi there, > I want to define this behavior > > NGINX Server (Public IP) >>> listening on port 80 >>> redirect to a LAN > Server on port 80 (http://mylocalserver/virtualhost1) > NGINX Server (Public IP) >>> listening on port 81 >>> redirect to a LAN > Server on port 80 (http://mylocalserver/virtualhost2) Some of the terms you use here do have specific meanings in a http context, and it may or may not be the case that you mean the same thing. For clarification: if you access your two internal web areas directly, do you access things like http://servername/directory1/ and http://servername/directory2/ or http://servername1/ and http://servername2/ ? (You do say the first; but the term "virtual host" would usually refer to the second. And the nginx config will differ depending on which it is.) If it is the first, then it is probably easier for you just to have nginx listening on public port 80, and accept requests for /directory1/ and /directory2/ and proxy_pass them as-is to the internal server. If instead you want one nginx listener on port 80 and another on port 81, then you will possibly have to make sure that the internal web areas are happy with being proxy_pass'ed like that -- they may need extra configuration to know the public url that refers to them if they create absolute urls within the html they return, for example. Cheers, f -- Francis Daly francis at daoine.org From al-nginx at none.at Sat Mar 4 09:21:51 2017 From: al-nginx at none.at (Aleksandar Lazic) Date: Sat, 04 Mar 2017 10:21:51 +0100 Subject: =?UTF-8?B?UmU6IOWbnuWkje+8mlJlOl/lm57lpI3vvJpSZTpfSXNzdWVfYWJvdXRfbmdpbnhf?= =?UTF-8?B?cmVtb3ZpbmdfdGhlX2hlYWRlcl8iQ29ubmVjdGlvbiJfaW5fSFRUUF9yZXNw?= =?UTF-8?B?b25zZT8=?= In-Reply-To: <20170304081242.16C9610200E3@webmail.sinamail.sina.com.cn> References: <20170304081242.16C9610200E3@webmail.sinamail.sina.com.cn> Message-ID: <1edf47702a52c8afe938e5e6a632dbdc@none.at> Hi Liu Peng. Am 04-03-2017 09:12, schrieb tjlp at sina.com: > > Hi, Alexks, > > I don't want to hide the header. > My problem is that Nginx change the "Connection: close" header in the > reponse from upstream server to "Connction: keep-alive" and send to > client. I want to keep the original "Connection: close" header. Ah that's a clear question. It took us only 3 rounds to get to this clear question ;-) So now the standard Questions from me: What's the output of nginx -V ? What's your config? Maybe you have set 'keepalive' in the upstream config http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive or 'proxy_http_version 1.1;' http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version as a last resort you can just pass the header with 'proxy_pass_header Connection;'. http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_header Choose the solution which fit's to your demand. I can only guess due to the fact that we don't know your config. May I ask you to take a look into this document, which exists in several languages, thank you very much. http://www.catb.org/~esr/faqs/smart-questions.html Best regards Aleks > Thanks > Liu Peng > > ----- ???? ----- > ????Aleksandar Lazic > ????tjlp at sina.com > ????nginx > ???Re:_???Re:_Issue_about_nginx_removing_the_header_"Connection"_in_HTTP_response? > ???2017?03?03? 16?19? > Hi. > > then one directive upward. > > http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header > > Cheers > > aleks > > Am 03-03-2017 06:00, schrieb tjlp at sina.com: > >> Hi, >> >> What I mention is the header in response from backend server. Your >> answer about proxy_set_header is the "Connection" header in request. >> >> Thanks >> Liu Peng >> >> ----- ???? ----- >> ????Aleksandar Lazic >> ????nginx at nginx.org >> ????tjlp at sina.com >> ???Re: Issue about nginx removing the header "Connection" in HTTP >> response? >> ???2017?03?03? 06?25? >> >> Hi. >> Am 01-03-2017 08:29, schrieb tjlp at sina.com: >>> Hi, nginx guy, >>> >>> In our system, for some special requests, the upstream server will >>> return a response which the header includes "Connection: Close". >>> According to HTTP protocol, "Connection" is one-hop header. >>> So, nginx will remove this header and the client can't do the >>> business >>> logic correctly. >>> >>> How to handle this scenario? >> you mean something like this? >> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header >> If the value of a header field is an empty string then this field will >> not be passed to a proxied server: >> proxy_set_header Connection ""; >>> Thanks >>> Liu Peng >>> _______________________________________________ >>> nginx mailing list >>> nginx at nginx.org >>> http://mailman.nginx.org/mailman/listinfo/nginx From francis at daoine.org Sat Mar 4 12:03:09 2017 From: francis at daoine.org (Francis Daly) Date: Sat, 4 Mar 2017 12:03:09 +0000 Subject: How to cache image urls with query strings? In-Reply-To: <547156602b6ad415d4e04574b73d59f4.NginxMailingListEnglish@forum.nginx.org> References: <547156602b6ad415d4e04574b73d59f4.NginxMailingListEnglish@forum.nginx.org> Message-ID: <20170304120309.GD15209@daoine.org> On Fri, Feb 24, 2017 at 07:33:19AM -0500, 0liver wrote: Hi there, > Can anybody point to me to the necessary pieces of information to get > caching for resources with query strings to work? There should be nothing special needed on the nginx side for this to work -- it caches what it is told to cache by configuration and response from upstream. Since the only change you made to the requests is the query string, the most likely thing is that the upstream server sends different response headers for requests with and without query-strings. Possibly the response from upstream now has a "do not cache this" indication. Can you compare the http responses from the upstream server for the old and new cases? If it does say "do not cache", then you can either configure it not to say that; or configure nginx not to agree to that part of the response, as was shown in an earlier reply. If it does not, then more investigation is needed. Good luck with it, f -- Francis Daly francis at daoine.org From tjlp at sina.com Sat Mar 4 15:57:51 2017 From: tjlp at sina.com (tjlp at sina.com) Date: Sat, 04 Mar 2017 23:57:51 +0800 Subject: =?UTF-8?B?5Zue5aSN77yaUmU6X+WbnuWkje+8mlJlOl/lm57lpI3vvJpSZTpfSXNzdWVfYWJv?= =?UTF-8?B?dXRfbmdpbnhfcmVtb3ZpbmdfdGhlX2hlYWRlcl8iQ29ubmVjdGlvbiJfaW5f?= =?UTF-8?B?SFRUUF9yZXNwb25zZT8=?= Message-ID: <20170304155751.5A43B102056C@webmail.sinamail.sina.com.cn> Hi, Aleks, Actually I read what you mention. The document about "proxy_pass_header" just pass the headers listed in "proxy_hide_header" which do not include "Connection", so I think it might doesn't work. I will try this. BTW, this module ngx_http_upstream_module should be built by default right, because the directive proxy_pass is supported by this module. My output of "nginx -V" doesn't not include this module. Thanks Liu Peng ----- ???? ----- ????Aleksandar Lazic ????tjlp at sina.com ????nginx ???Re:_???Re:_???Re:_Issue_about_nginx_removing_the_header_"Connection"_in_HTTP_response? ???2017?03?04? 17?22? Hi Liu Peng. Am 04-03-2017 09:12, schrieb tjlp at sina.com: > > Hi, Alexks, > > I don't want to hide the header. > My problem is that Nginx change the "Connection: close" header in the > reponse from upstream server to "Connction: keep-alive" and send to > client. I want to keep the original "Connection: close" header. Ah that's a clear question. It took us only 3 rounds to get to this clear question ;-) So now the standard Questions from me: What's the output of nginx -V ? What's your config? Maybe you have set 'keepalive' in the upstream config http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive or 'proxy_http_version 1.1;' http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version as a last resort you can just pass the header with 'proxy_pass_header Connection;'. http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_header Choose the solution which fit's to your demand. I can only guess due to the fact that we don't know your config. May I ask you to take a look into this document, which exists in several languages, thank you very much. http://www.catb.org/~esr/faqs/smart-questions.html Best regards Aleks > Thanks > Liu Peng > > ----- ???? ----- > ????Aleksandar Lazic > ????tjlp at sina.com > ????nginx > ???Re:_???Re:_Issue_about_nginx_removing_the_header_"Connection"_in_HTTP_response? > ???2017?03?03? 16?19? > Hi. > > then one directive upward. > > http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header > > Cheers > > aleks > > Am 03-03-2017 06:00, schrieb tjlp at sina.com: > >> Hi, >> >> What I mention is the header in response from backend server. Your >> answer about proxy_set_header is the "Connection" header in request. >> >> Thanks >> Liu Peng >> >> ----- ???? ----- >> ????Aleksandar Lazic >> ????nginx at nginx.org >> ????tjlp at sina.com >> ???Re: Issue about nginx removing the header "Connection" in HTTP >> response? >> ???2017?03?03? 06?25? >> >> Hi. >> Am 01-03-2017 08:29, schrieb tjlp at sina.com: >>> Hi, nginx guy, >>> >>> In our system, for some special requests, the upstream server will >>> return a response which the header includes "Connection: Close". >>> According to HTTP protocol, "Connection" is one-hop header. >>> So, nginx will remove this header and the client can't do the >>> business >>> logic correctly. >>> >>> How to handle this scenario? >> you mean something like this? >> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header >> If the value of a header field is an empty string then this field will >> not be passed to a proxied server: >> proxy_set_header Connection ""; >>> Thanks >>> Liu Peng >>> _______________________________________________ >>> nginx mailing list >>> nginx at nginx.org >>> http://mailman.nginx.org/mailman/listinfo/nginx -------------- next part -------------- An HTML attachment was scrubbed... URL: From nginx-forum at forum.nginx.org Sat Mar 4 21:52:36 2017 From: nginx-forum at forum.nginx.org (173279834462) Date: Sat, 04 Mar 2017 16:52:36 -0500 Subject: conditional expression Message-ID: <79e009fd1882239dd89951e73209d5a4.NginxMailingListEnglish@forum.nginx.org> Hello, Our local policy demands the rejection of any query; we do this as follows: if ($is_args) { return 301 /; } The introduction of Thunderbird autoconfiguration demands an exception to the above policy, because of "GET /.well-known/autoconfig/mail/config-v1.1.xml?emailaddre=uname%40example.com". The resulting rule would be if (($is_args) && ($args !~ emailaddress=.+%40[a-zA-Z0-9\.\-]+)) { return 301 /; } The rule does not work, because nginx does not parse the AND condition. Of course, you cannot just remove $is_args, because $args is usually empty. The alternative would be if ($args ~ emailaddress=.+%40[a-zA-Z0-9\.\-]+)) { allow all; } else { return 301 /; }, but nginx does not parse if-then-else statements. Are we stuck in the cage? Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272758,272758#msg-272758 From nginx-forum at forum.nginx.org Sat Mar 4 22:35:21 2017 From: nginx-forum at forum.nginx.org (c0nw0nk) Date: Sat, 04 Mar 2017 17:35:21 -0500 Subject: Nginx Map how to check value if empty In-Reply-To: <20170304081433.GA15209@daoine.org> References: <20170304081433.GA15209@daoine.org> Message-ID: Thank's Francis much appreciated it seems to be working good :) Francis Daly Wrote: ------------------------------------------------------- > On Fri, Mar 03, 2017 at 10:47:26AM -0500, c0nw0nk wrote: > > Hi there, > > > map $http_cf_connecting_ip $client_ip_from_cf { > > default $http_cf_connecting_ip; > > } > > > > How can I make it so if the client did not send that $http_ header > it makes > > $client_ip_from_cf variable value = $binary_remote_addr > > > > Not sure how to check in a map if that http header is present. > > If the http header is absent, the matching variable is empty. So it > will > have the value "". > > Use that as the first half of your "map" pair. > > f > -- > Francis Daly francis at daoine.org > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272744,272759#msg-272759 From kevin at nginx.com Sun Mar 5 03:06:03 2017 From: kevin at nginx.com (Kevin Jones) Date: Sat, 4 Mar 2017 19:06:03 -0800 Subject: conditional expression In-Reply-To: <79e009fd1882239dd89951e73209d5a4.NginxMailingListEnglish@forum.nginx.org> References: <79e009fd1882239dd89951e73209d5a4.NginxMailingListEnglish@forum.nginx.org> Message-ID: Hi, You would be better to accomplish this with map. Would this work? map $args $redirect { ~emailaddress=.+%40[a-zA-Z0-9\.\-] ''; default "1"; } server { ... location / { ... } location /foo { if ($redirect) { return 301 /; } ... } } On Sat, Mar 4, 2017 at 1:52 PM, 173279834462 wrote: > Hello, > > Our local policy demands the rejection of any query; we do this as follows: > if ($is_args) { return 301 /; } > > The introduction of Thunderbird autoconfiguration demands an exception to > the above policy, because of > "GET > /.well-known/autoconfig/mail/config-v1.1.xml?emailaddre=uname% > 40example.com". > > The resulting rule would be > > if (($is_args) && ($args !~ emailaddress=.+%40[a-zA-Z0-9\.\-]+)) { return > 301 /; } > > The rule does not work, because nginx does not parse the AND condition. > > Of course, you cannot just remove $is_args, because $args is usually empty. > > > The alternative would be if ($args ~ emailaddress=.+%40[a-zA-Z0-9\.\-]+)) > { > allow all; } else { return 301 /; }, > but nginx does not parse if-then-else statements. > > Are we stuck in the cage? > > Posted at Nginx Forum: https://forum.nginx.org/read.p > hp?2,272758,272758#msg-272758 > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From kevin at nginx.com Sun Mar 5 03:20:11 2017 From: kevin at nginx.com (Kevin Jones) Date: Sat, 4 Mar 2017 19:20:11 -0800 Subject: conditional expression In-Reply-To: References: <79e009fd1882239dd89951e73209d5a4.NginxMailingListEnglish@forum.nginx.org> Message-ID: Also, It might be better to check the $arg_*argument *variable instead and also set a check for $is_args. NGINX will process them in order within the configuration. map $is_args $redirect { "?" "1"; default ""; } map $arg_emailaddress $redirect { ~.+%40[a-zA-Z0-9\.\-] ''; default "1"; } On Sat, Mar 4, 2017 at 7:06 PM, Kevin Jones wrote: > Hi, > > You would be better to accomplish this with map. Would this work? > > map $args $redirect { > ~emailaddress=.+%40[a-zA-Z0-9\.\-] ''; > default "1"; > } > > server { > ... > location / { > ... > } > > location /foo { > if ($redirect) { return 301 /; } > ... > } > > } > > On Sat, Mar 4, 2017 at 1:52 PM, 173279834462 > wrote: > >> Hello, >> >> Our local policy demands the rejection of any query; we do this as >> follows: >> if ($is_args) { return 301 /; } >> >> The introduction of Thunderbird autoconfiguration demands an exception to >> the above policy, because of >> "GET >> /.well-known/autoconfig/mail/config-v1.1.xml?emailaddre=uname% >> 40example.com". >> >> The resulting rule would be >> >> if (($is_args) && ($args !~ emailaddress=.+%40[a-zA-Z0-9\.\-]+)) { return >> 301 /; } >> >> The rule does not work, because nginx does not parse the AND condition. >> >> Of course, you cannot just remove $is_args, because $args is usually >> empty. >> >> >> The alternative would be if ($args ~ emailaddress=.+%40[a-zA-Z0-9\.\-]+)) >> { >> allow all; } else { return 301 /; }, >> but nginx does not parse if-then-else statements. >> >> Are we stuck in the cage? >> >> Posted at Nginx Forum: https://forum.nginx.org/read.p >> hp?2,272758,272758#msg-272758 >> >> _______________________________________________ >> nginx mailing list >> nginx at nginx.org >> http://mailman.nginx.org/mailman/listinfo/nginx >> > > -- Kevin Jones Technical Solutions Architect | NGINX, Inc. kevin at nginx.com Skype/Twitter @webopsx -------------- next part -------------- An HTML attachment was scrubbed... URL: From aldernetwork at gmail.com Sun Mar 5 05:58:57 2017 From: aldernetwork at gmail.com (Alder Netw) Date: Sat, 4 Mar 2017 21:58:57 -0800 Subject: questions on module developer Message-ID: Anybody here can tell me when these twe function init_process(), and exit_process() in a module (ngx_module_t) be called? init_process being called once when nginx starts or when a query matched with a location defined in nginx.conf is received? When would the exit_process() gets called? At process exits or never gets called as long as nginx is alive? Thanks, -------------- next part -------------- An HTML attachment was scrubbed... URL: From dewanggaba at xtremenitro.org Sun Mar 5 11:29:57 2017 From: dewanggaba at xtremenitro.org (Dewangga Bachrul Alam) Date: Sun, 5 Mar 2017 18:29:57 +0700 Subject: stale-while-revalidate and stale-if-error implementation Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hello! I tried to use "stale-if-error=864000" and "stale-while-revalidate=864000" co-exist with "expires max;" directive. Is it possible? My configurations looks like : ... snip ... expires max; add_header Cache-Control "stale-while-revalidate=864000, stale-if-error=864000"; ... snip ... And header response return : cache-control:max-age=315360000 cache-control:stale-while-revalidate=864000, stale-if-error=864000 Is it ok and acceptable in major modern browser? Or, should I changes the header to : add_header Cache-Control "max-age=315360000, stale-while-revalidate=864000, stale-if-error=864000"; Any feedbacks and helps would be appreciated. Thanks in advance. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQI4BAEBCAAiBQJYu/avGxxkZXdhbmdnYWJhQHh0cmVtZW5pdHJvLm9yZwAKCRDl f9IgoCjNcDy+D/0Vt2QvGF9RES6ZbWsyMdKiaQOWo11uU73ZDjqJNCTFbrlA6DgF XYBdqugrcrLn6zlMP95KRmRgyNHHDsrbnVya5Sj0PhNno61k7i56nZZpt2AQ7fii HaZ12PFIWB7RCa+Wbx4efj8PN5orhXVhg6R/bnOu5aN1ht0MLlcO0Y2mywQnSTZ1 kUsRWQZQRvH5gel/DewVYitvZ+a+FePLN2O/BgO6FoW0HNRmtySfTgKtHGARn+Zn itPXSsM6gNYteNWFeWWC+2NrCTMBcPtlP9IzSS43Htmnmlkih7nEpSwSPNGAiTsf 3d3h6yl27URmbP1P33P7ef8ohKdoa3CXBlvETLCMEct+LApuAlY8bqhpGoeI4tHX HfPo5g+cdI7l60bUQeQNQKTCe4NnfVXfKzp29Lj2WsHYlLfaaG46mbccUma4g665 dNk4ETWnk9ea3XPuFEx6x66j8JNW/+PBOJPvONZoiIWGp0fNmOiBhjMqIEEYGkI+ mFmqTQwmm2U7iRCM0umWvhnnqaSidjCviRYq/oeEH4sVULinM3SbUL5JSosa9+T2 xaAtqibqzCI9wnHQM7QFRdxY+E+h8EI3d8NFZrrfB9c0Y5CQMLX4GCCLQe6fHYCn AAqWshuqWo1FckQO83cbQwRDOolPF8TOi6WYzrNzJjKIKGz5mbbhivTnkw== =9/H5 -----END PGP SIGNATURE----- From nginx-forum at forum.nginx.org Sun Mar 5 16:31:32 2017 From: nginx-forum at forum.nginx.org (173279834462) Date: Sun, 05 Mar 2017 11:31:32 -0500 Subject: conditional expression In-Reply-To: References: Message-ID: <32bef57dcdf9f142ee4d84dbd03494ee.NginxMailingListEnglish@forum.nginx.org> Works for me (so far): map $query_string $bad_query { "~[^&;]+([&;][^&;]*){1,}" 1; # deny two or more parameters "~emailaddress=[^@]+%40[^@]+" 0; # allow Thunderbird autoconf "~.+=.+" 1; # deny any other query default 0; # allow (no parameters) } if ($bad_query = 1) { return 444; break; } Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272758,272764#msg-272764 From nginx-forum at forum.nginx.org Sun Mar 5 21:00:35 2017 From: nginx-forum at forum.nginx.org (c0nw0nk) Date: Sun, 05 Mar 2017 16:00:35 -0500 Subject: Nginx Map how to check value if empty In-Reply-To: <20170304081433.GA15209@daoine.org> References: <20170304081433.GA15209@daoine.org> Message-ID: <26f36df2afe4d8d0ca2bc04b5c582d51.NginxMailingListEnglish@forum.nginx.org> Francis Daly Wrote: ------------------------------------------------------- > On Fri, Mar 03, 2017 at 10:47:26AM -0500, c0nw0nk wrote: > > Hi there, > > > map $http_cf_connecting_ip $client_ip_from_cf { > > default $http_cf_connecting_ip; > > } > > > > How can I make it so if the client did not send that $http_ header > it makes > > $client_ip_from_cf variable value = $binary_remote_addr > > > > Not sure how to check in a map if that http header is present. > > If the http header is absent, the matching variable is empty. So it > will > have the value "". > > Use that as the first half of your "map" pair. > > f > -- > Francis Daly francis at daoine.org > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx Hey Francis, HTTP BLOCK log_format cf_custom 'CFIP:$http_cf_connecting_ip - $remote_addr - $remote_user [$time_local] ' '"$request" Status:$status $body_bytes_sent ' '"$http_referer" "$http_user_agent"' '$http_cf_ray'; map $status $loggable { ~^[23] 0; default 1; } access_log logs/access.log cf_custom if=$loggable; map $remote_addr $client_ip_from_cf { default $remote_addr; } Access.log output CFIP:- - 10.108.22.40 - - [05/Mar/2017:21:27:50 +0100] "GET Any idea why the remote_addr is empty surely it should display to me the clients IP address i am not proxying traffic or anything like that. I expected to see an IP there instead it seems the value is empty. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272744,272766#msg-272766 From reallfqq-nginx at yahoo.fr Sun Mar 5 21:37:50 2017 From: reallfqq-nginx at yahoo.fr (B.R.) Date: Sun, 5 Mar 2017 22:37:50 +0100 Subject: Nginx Map how to check value if empty In-Reply-To: <26f36df2afe4d8d0ca2bc04b5c582d51.NginxMailingListEnglish@forum.nginx.org> References: <20170304081433.GA15209@daoine.org> <26f36df2afe4d8d0ca2bc04b5c582d51.NginxMailingListEnglish@forum.nginx.org> Message-ID: That is because it is not: your eyes deceived you having a too quick look at the log line. Your 'empty' variables are actually showing the value '-' in this log line. It probably does not help debugging to have static '-' mixed in the format of your log lines where you put them. --- *B. R.* On Sun, Mar 5, 2017 at 10:00 PM, c0nw0nk wrote: > Francis Daly Wrote: > ------------------------------------------------------- > > On Fri, Mar 03, 2017 at 10:47:26AM -0500, c0nw0nk wrote: > > > > Hi there, > > > > > map $http_cf_connecting_ip $client_ip_from_cf { > > > default $http_cf_connecting_ip; > > > } > > > > > > How can I make it so if the client did not send that $http_ header > > it makes > > > $client_ip_from_cf variable value = $binary_remote_addr > > > > > > Not sure how to check in a map if that http header is present. > > > > If the http header is absent, the matching variable is empty. So it > > will > > have the value "". > > > > Use that as the first half of your "map" pair. > > > > f > > -- > > Francis Daly francis at daoine.org > > _______________________________________________ > > nginx mailing list > > nginx at nginx.org > > http://mailman.nginx.org/mailman/listinfo/nginx > > > Hey Francis, > > > HTTP BLOCK > log_format cf_custom 'CFIP:$http_cf_connecting_ip - $remote_addr - > $remote_user [$time_local] ' > '"$request" Status:$status $body_bytes_sent ' > '"$http_referer" "$http_user_agent"' > '$http_cf_ray'; > map $status $loggable { > ~^[23] 0; > default 1; > } > access_log logs/access.log cf_custom if=$loggable; > > map $remote_addr $client_ip_from_cf { > default $remote_addr; > } > > > Access.log output > CFIP:- - 10.108.22.40 - - [05/Mar/2017:21:27:50 +0100] "GET > > > Any idea why the remote_addr is empty surely it should display to me the > clients IP address i am not proxying traffic or anything like that. I > expected to see an IP there instead it seems the value is empty. > > Posted at Nginx Forum: https://forum.nginx.org/read.p > hp?2,272744,272766#msg-272766 > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From nginx-forum at forum.nginx.org Sun Mar 5 21:50:53 2017 From: nginx-forum at forum.nginx.org (c0nw0nk) Date: Sun, 05 Mar 2017 16:50:53 -0500 Subject: Nginx Map how to check value if empty In-Reply-To: References: Message-ID: <377e02fab51fe3a329b75a8079f30323.NginxMailingListEnglish@forum.nginx.org> Thank's for the info :) But why is $remote_addr outputting a hyphen instead of the users IP... I still expect to see the client's IP address. B.R. via nginx Wrote: ------------------------------------------------------- > That is because it is not: your eyes deceived you having a too quick > look > at the log line. > > Your 'empty' variables are actually showing the value '-' in this log > line. > It probably does not help debugging to have static '-' mixed in the > format > of your log lines where you put them. > --- > *B. R.* > > On Sun, Mar 5, 2017 at 10:00 PM, c0nw0nk > wrote: > > > Francis Daly Wrote: > > ------------------------------------------------------- > > > On Fri, Mar 03, 2017 at 10:47:26AM -0500, c0nw0nk wrote: > > > > > > Hi there, > > > > > > > map $http_cf_connecting_ip $client_ip_from_cf { > > > > default $http_cf_connecting_ip; > > > > } > > > > > > > > How can I make it so if the client did not send that $http_ > header > > > it makes > > > > $client_ip_from_cf variable value = $binary_remote_addr > > > > > > > > Not sure how to check in a map if that http header is present. > > > > > > If the http header is absent, the matching variable is empty. So > it > > > will > > > have the value "". > > > > > > Use that as the first half of your "map" pair. > > > > > > f > > > -- > > > Francis Daly francis at daoine.org > > > _______________________________________________ > > > nginx mailing list > > > nginx at nginx.org > > > http://mailman.nginx.org/mailman/listinfo/nginx > > > > > > Hey Francis, > > > > > > HTTP BLOCK > > log_format cf_custom 'CFIP:$http_cf_connecting_ip - $remote_addr - > > $remote_user [$time_local] ' > > '"$request" Status:$status $body_bytes_sent ' > > '"$http_referer" "$http_user_agent"' > > '$http_cf_ray'; > > map $status $loggable { > > ~^[23] 0; > > default 1; > > } > > access_log logs/access.log cf_custom if=$loggable; > > > > map $remote_addr $client_ip_from_cf { > > default $remote_addr; > > } > > > > > > Access.log output > > CFIP:- - 10.108.22.40 - - [05/Mar/2017:21:27:50 +0100] "GET > > > > > > Any idea why the remote_addr is empty surely it should display to me > the > > clients IP address i am not proxying traffic or anything like that. > I > > expected to see an IP there instead it seems the value is empty. > > > > Posted at Nginx Forum: https://forum.nginx.org/read.p > > hp?2,272744,272766#msg-272766 > > > > _______________________________________________ > > nginx mailing list > > nginx at nginx.org > > http://mailman.nginx.org/mailman/listinfo/nginx > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272744,272768#msg-272768 From alex at samad.com.au Sun Mar 5 23:00:17 2017 From: alex at samad.com.au (Alex Samad) Date: Mon, 6 Mar 2017 10:00:17 +1100 Subject: Balancing NGINX reverse proxy In-Reply-To: <25490575d14ffef383dbad6adc909775.NginxMailingListEnglish@forum.nginx.org> References: <25490575d14ffef383dbad6adc909775.NginxMailingListEnglish@forum.nginx.org> Message-ID: Hi Firstly, I am fairly new to nginx. >From what I understand you have a standard sort of setup. 2 nodes (vm's) with haproxy, allowing nginx to be active / passive. You have SSL requests which once nginx terminates the SSL, it injects a security header / token and then I presume it passes this on to a back end, i presume that the nginx to application server is non SSL. You are having performance issue with the SSL + header inject part, which seems to be limiting you to approx 60req per sec before you hit 100% cpu.. This seems very very low to me looking at my prod setup - similar to yours I am seeing 600 connections and req/s ranging from 8-400 / sec. all whilst the cpu stay very very low. We try and use long lived TCP / SSL sessions, but we also use a thick client as well so have more control. Not sure about KEMP loadmaster. What I describe to you was our potential plans for when the load gets too much on the active/passive setup. It would allow you to take your 60 session ? and distributed it between 2 or upto 16 (I believe this is the max for pacemaker). an active / active setup The 2 node setup would be the same as yours router -> vlan with the 2 nodes > Node A would only process node a data and node B would only process node b data. This in theory would have the potential to double your req / sec. Alex On 3 March 2017 at 19:33, polder_trash wrote: > Alexsamad, > I might not have been clear, allow me to try again: > > * currently 2 NGINX revproxy nodes, 1 active the other on standby in case > node 1 fails. > * Since I am injecting an authentication header into the request, the HTTPS > request has to be offloaded at the node and introduces additional load > compared to injecting into non-encrypted requests. > * Current peak load ~60 concurrent requests, ~100% load on CPU. Concurrent > requests expected to more than double, so revproxy will be bottleneck. > > The NGINX revproxies run as a VM and I can ramp up the machine specs a > little bit, but I do not expect this to completely solve the issue here. > Therefore I am looking for some method of spreading the requests over > multiple backend revproxies, without the load balancer frontend having to > deal with SSL offloading. > > From the KEMP LoadMaster documentation I found that this technique is > called > SSL Passthrough. I am currently looking if that is also supported by NGINX. > > What do you think? Will this solve my issue? Am I on the wrong track? > > Posted at Nginx Forum: https://forum.nginx.org/read. > php?2,272713,272729#msg-272729 > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From peter_booth at me.com Mon Mar 6 01:13:56 2017 From: peter_booth at me.com (Peter Booth) Date: Sun, 05 Mar 2017 20:13:56 -0500 Subject: Balancing NGINX reverse proxy In-Reply-To: References: <25490575d14ffef383dbad6adc909775.NginxMailingListEnglish@forum.nginx.org> Message-ID: <54C325EE-5FBF-41AE-BA9A-D0D01AD03281@me.com> So I have a few different thoughts: 1. Yes nginx does support SSL pass through . You can configure nginx to stream your request to your SSL backend. I do this when I don't have control of the backend and it has to be SSL. I don't think that's your situation. 2. I suspect that there's something wrong with your SSL configuration and/or your nginx VMs are underpowered. Can you test the throughput that you are requesting http static resources ? Check with webpagetest.org that the expense is only being paid on the first request. 3. It's generally better to terminate SSL as early as possible and have the bulk of your communication be unencrypted. What spec are your VMs? Sent from my iPhone > On Mar 5, 2017, at 6:00 PM, Alex Samad wrote: > > Hi > > Firstly, I am fairly new to nginx. > > > From what I understand you have a standard sort of setup. > > > 2 nodes (vm's) with haproxy, allowing nginx to be active / passive. > > You have SSL requests which once nginx terminates the SSL, it injects a security header / token and then I presume it passes this on to a back end, i presume that the nginx to application server is non SSL. > > You are having performance issue with the SSL + header inject part, which seems to be limiting you to approx 60req per sec before you hit 100% cpu.. This seems very very low to me looking at my prod setup - similar to yours I am seeing 600 connections and req/s ranging from 8-400 / sec. all whilst the cpu stay very very low. > > We try and use long lived TCP / SSL sessions, but we also use a thick client as well so have more control. > > Not sure about KEMP loadmaster. > > What I describe to you was our potential plans for when the load gets too much on the active/passive setup. > > It would allow you to take your 60 session ? and distributed it between 2 or upto 16 (I believe this is the max for pacemaker). an active / active setup > > The 2 node setup would be the same as yours > > > router -> vlan with the 2 nodes > Node A would only process node a data and node B would only process node b data. This in theory would have the potential to double your req / sec. > > > > Alex > > >> On 3 March 2017 at 19:33, polder_trash wrote: >> Alexsamad, >> I might not have been clear, allow me to try again: >> >> * currently 2 NGINX revproxy nodes, 1 active the other on standby in case >> node 1 fails. >> * Since I am injecting an authentication header into the request, the HTTPS >> request has to be offloaded at the node and introduces additional load >> compared to injecting into non-encrypted requests. >> * Current peak load ~60 concurrent requests, ~100% load on CPU. Concurrent >> requests expected to more than double, so revproxy will be bottleneck. >> >> The NGINX revproxies run as a VM and I can ramp up the machine specs a >> little bit, but I do not expect this to completely solve the issue here. >> Therefore I am looking for some method of spreading the requests over >> multiple backend revproxies, without the load balancer frontend having to >> deal with SSL offloading. >> >> From the KEMP LoadMaster documentation I found that this technique is called >> SSL Passthrough. I am currently looking if that is also supported by NGINX. >> >> What do you think? Will this solve my issue? Am I on the wrong track? >> >> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272713,272729#msg-272729 >> >> _______________________________________________ >> nginx mailing list >> nginx at nginx.org >> http://mailman.nginx.org/mailman/listinfo/nginx > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx -------------- next part -------------- An HTML attachment was scrubbed... URL: From nginx-forum at forum.nginx.org Mon Mar 6 02:58:47 2017 From: nginx-forum at forum.nginx.org (Nomad Worker) Date: Sun, 05 Mar 2017 21:58:47 -0500 Subject: ssl_session_timeout issues Message-ID: <97b02fc5f51caf3b9a323ee096f7b1c6.NginxMailingListEnglish@forum.nginx.org> I read the code of ssl module, the directive ssl_session_timeout seems only used for ssl session cache, not for ssl session ticket. the document describes the directive as 'Specifies a time during which a client may reuse the session parameters.' Is it not exactly? Is there any timeout for ssl session ticket ? Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272772,272772#msg-272772 From steve at greengecko.co.nz Mon Mar 6 03:11:01 2017 From: steve at greengecko.co.nz (steve) Date: Mon, 6 Mar 2017 16:11:01 +1300 Subject: Balancing NGINX reverse proxy In-Reply-To: <3a79824d76eaffe5907a5d8d7a0d450c.NginxMailingListEnglish@forum.nginx.org> References: <3a79824d76eaffe5907a5d8d7a0d450c.NginxMailingListEnglish@forum.nginx.org> Message-ID: <1cc3f5a0-a427-6649-6240-35dfe9312801@greengecko.co.nz> Hi, On 03/03/17 03:40, polder_trash wrote: > Hi, > > > I already tried adding both IP addresses to the DNS. But this, rather > predictably, only sent a handful of users to the secondary node. > This should not be the case ( well, for bind anyway ), as it should be delivering them in a round robin fashion. Alternatively ( bind again ) you can set up a split horizon DNS to deliver as a function of source ip address. Maybe the TTL hadn't expired on existing lookups, or the client is doing something strange? Steve -- Steve Holdoway BSc(Hons) MIITP https://www.greengecko.co.nz/ Linkedin: https://www.linkedin.com/in/steveholdoway Skype: sholdowa From sca at andreasschulze.de Mon Mar 6 11:39:56 2017 From: sca at andreasschulze.de (A. Schulze) Date: Mon, 06 Mar 2017 12:39:56 +0100 Subject: ssl_session_timeout issues In-Reply-To: <97b02fc5f51caf3b9a323ee096f7b1c6.NginxMailingListEnglish@forum.nginx.org> Message-ID: <20170306123956.Horde.0PKdRhqnlp52QtyfWtYV0K_@andreasschulze.de> Nomad Worker: > I read the code of ssl module, the directive ssl_session_timeout seems only > used for ssl session cache, not for ssl session ticket. > the document describes the directive as 'Specifies a time during which a > client may reuse the session parameters.' Is it not exactly? > Is there any timeout for ssl session ticket ? or more general: is the usage of ssl session tickets suggested at all? these two links motivated me to set "ssl_session_tickets off" - https://www.farsightsecurity.com/Blog/20151202-thall-hardening-dh-and-ecc/ - https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/ What are others opinions? Andreas From reallfqq-nginx at yahoo.fr Mon Mar 6 12:02:47 2017 From: reallfqq-nginx at yahoo.fr (B.R.) Date: Mon, 6 Mar 2017 13:02:47 +0100 Subject: Nginx Map how to check value if empty In-Reply-To: <377e02fab51fe3a329b75a8079f30323.NginxMailingListEnglish@forum.nginx.org> References: <377e02fab51fe3a329b75a8079f30323.NginxMailingListEnglish@forum.nginx.org> Message-ID: Again, it is not empty, nor containing an hyphen... Look slowly to the log line and compare it to the log format. You use hyphens as separators, which, again, might not be a good idea at this precise location. ?The IP address you get is a private one though, so not 'client' but rather 'downstream'.? ?It seems you are hiding behind CloudFlare, you should read their doc to see how to get the real client IP address. The HTTP header you tried to use seems to be empty (ie 'dash'. As for using hyphens rather than real emptiness, I guess that helps validating there is no real value, ?differentating this case from a bogus 'empty' which would be a sign of a bug. --- *B. R.* On Sun, Mar 5, 2017 at 10:50 PM, c0nw0nk wrote: > Thank's for the info :) > > But why is $remote_addr outputting a hyphen instead of the users IP... > > I still expect to see the client's IP address. > > B.R. via nginx Wrote: > ------------------------------------------------------- > > That is because it is not: your eyes deceived you having a too quick > > look > > at the log line. > > > > Your 'empty' variables are actually showing the value '-' in this log > > line. > > It probably does not help debugging to have static '-' mixed in the > > format > > of your log lines where you put them. > > --- > > *B. R.* > > > > On Sun, Mar 5, 2017 at 10:00 PM, c0nw0nk > > wrote: > > > > > Francis Daly Wrote: > > > ------------------------------------------------------- > > > > On Fri, Mar 03, 2017 at 10:47:26AM -0500, c0nw0nk wrote: > > > > > > > > Hi there, > > > > > > > > > map $http_cf_connecting_ip $client_ip_from_cf { > > > > > default $http_cf_connecting_ip; > > > > > } > > > > > > > > > > How can I make it so if the client did not send that $http_ > > header > > > > it makes > > > > > $client_ip_from_cf variable value = $binary_remote_addr > > > > > > > > > > Not sure how to check in a map if that http header is present. > > > > > > > > If the http header is absent, the matching variable is empty. So > > it > > > > will > > > > have the value "". > > > > > > > > Use that as the first half of your "map" pair. > > > > > > > > f > > > > -- > > > > Francis Daly francis at daoine.org > > > > _______________________________________________ > > > > nginx mailing list > > > > nginx at nginx.org > > > > http://mailman.nginx.org/mailman/listinfo/nginx > > > > > > > > > Hey Francis, > > > > > > > > > HTTP BLOCK > > > log_format cf_custom 'CFIP:$http_cf_connecting_ip - $remote_addr - > > > $remote_user [$time_local] ' > > > '"$request" Status:$status $body_bytes_sent ' > > > '"$http_referer" "$http_user_agent"' > > > '$http_cf_ray'; > > > map $status $loggable { > > > ~^[23] 0; > > > default 1; > > > } > > > access_log logs/access.log cf_custom if=$loggable; > > > > > > map $remote_addr $client_ip_from_cf { > > > default $remote_addr; > > > } > > > > > > > > > Access.log output > > > CFIP:- - 10.108.22.40 - - [05/Mar/2017:21:27:50 +0100] "GET > > > > > > > > > Any idea why the remote_addr is empty surely it should display to me > > the > > > clients IP address i am not proxying traffic or anything like that. > > I > > > expected to see an IP there instead it seems the value is empty. > > > > > > Posted at Nginx Forum: https://forum.nginx.org/read.p > > > hp?2,272744,272766#msg-272766 > > > > > > _______________________________________________ > > > nginx mailing list > > > nginx at nginx.org > > > http://mailman.nginx.org/mailman/listinfo/nginx > > > > > _______________________________________________ > > nginx mailing list > > nginx at nginx.org > > http://mailman.nginx.org/mailman/listinfo/nginx > > Posted at Nginx Forum: https://forum.nginx.org/read. > php?2,272744,272768#msg-272768 > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mdounin at mdounin.ru Mon Mar 6 14:02:33 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 6 Mar 2017 17:02:33 +0300 Subject: ssl_session_timeout issues In-Reply-To: <97b02fc5f51caf3b9a323ee096f7b1c6.NginxMailingListEnglish@forum.nginx.org> References: <97b02fc5f51caf3b9a323ee096f7b1c6.NginxMailingListEnglish@forum.nginx.org> Message-ID: <20170306140232.GC23126@mdounin.ru> Hello! On Sun, Mar 05, 2017 at 09:58:47PM -0500, Nomad Worker wrote: > I read the code of ssl module, the directive ssl_session_timeout seems only > used for ssl session cache, not for ssl session ticket. > the document describes the directive as 'Specifies a time during which a > client may reuse the session parameters.' Is it not exactly? > Is there any timeout for ssl session ticket ? The documentation is correct here, and your reading of the code is wrong or you are reading a very outdated version of the code. SSL_CTX_set_timeout() is always called, so ssl_session_timeout applies to all forms of session resumption, that is, both session cache and session tickets. See this commit for details: http://hg.nginx.org/nginx/rev/767aa37f12de -- Maxim Dounin http://nginx.org/ From nginx-forum at forum.nginx.org Mon Mar 6 19:12:40 2017 From: nginx-forum at forum.nginx.org (c0nw0nk) Date: Mon, 06 Mar 2017 14:12:40 -0500 Subject: Nginx Map how to check value if empty In-Reply-To: References: Message-ID: So I figured out the problem is a bit of a dynamic one. My Nginx accepts some connections via cloudflare's proxy and other's via their DNS only and other connections go through a load balancing ip that sets a x-forwarded-for header containing the real IP, While others can avoid all of that and connect to a specific origin servers IP (remote_addr is the real IP for these connections). So to explain how to get the origin IP for each method someone could be using here is the list : Cloudflares proxied traffic : sets the header $http_cf_connecting_ip so use this header to get the Client's real IP Traffic from cloudflare via the DNS only connections : These would not have the $http_cf_connecting_ip header present. But those connections hit a load balancing ip what sets the header $http_x_forwarded_for header so that is the way to get the Clients real ip via those connections. And then some connections don't hit my load balancing IP and go directly to a specific origin server these connections can use $remote_addr. My Solution / conclusion : How to come up with a fix that allows me to obtain the real IP in a dynamic situation like this ? I have solved my issue with the following. map $http_x_forwarded_for $client_ip_x_forwarded_for { "" $remote_addr; #if this header missing set remote_addr as real ip default $http_x_forwarded_for; } map $http_cf_connecting_ip $client_ip_from_cf { "" $client_ip_x_forwarded_for; #if this header missing set x-forwarded-for as real ip default $http_cf_connecting_ip; } So if the cf_connecting_ip header from cloudflares proxied traffic is missing we fall back to the x_forwarded_for header to get the clients real ip. And if that x_forwarded_for header was also missing then we fall back to setting their IP as $remote_addr. Thank's for explaining my log output to me helped me realise what the root of the issue was :) and thanks to Francis for telling me that my map just needed "" as a if empty check. B.R. via nginx Wrote: ------------------------------------------------------- > Again, it is not empty, nor containing an hyphen... > Look slowly to the log line and compare it to the log format. You use > hyphens as separators, which, again, might not be a good idea at this > precise location. > > ?The IP address you get is a private one though, so not 'client' but > rather > 'downstream'.? > ?It seems you are hiding behind CloudFlare, you should read their doc > to > see how to get the real client IP address. The HTTP header you tried > to use > seems to be empty (ie 'dash'. > > As for using hyphens rather than real emptiness, I guess that helps > validating there is no real value, ?differentating this case from a > bogus > 'empty' which would be a sign of a bug. > --- > *B. R.* > > On Sun, Mar 5, 2017 at 10:50 PM, c0nw0nk > wrote: > > > Thank's for the info :) > > > > But why is $remote_addr outputting a hyphen instead of the users > IP... > > > > I still expect to see the client's IP address. > > > > B.R. via nginx Wrote: > > ------------------------------------------------------- > > > That is because it is not: your eyes deceived you having a too > quick > > > look > > > at the log line. > > > > > > Your 'empty' variables are actually showing the value '-' in this > log > > > line. > > > It probably does not help debugging to have static '-' mixed in > the > > > format > > > of your log lines where you put them. > > > --- > > > *B. R.* > > > > > > On Sun, Mar 5, 2017 at 10:00 PM, c0nw0nk > > > > wrote: > > > > > > > Francis Daly Wrote: > > > > ------------------------------------------------------- > > > > > On Fri, Mar 03, 2017 at 10:47:26AM -0500, c0nw0nk wrote: > > > > > > > > > > Hi there, > > > > > > > > > > > map $http_cf_connecting_ip $client_ip_from_cf { > > > > > > default $http_cf_connecting_ip; > > > > > > } > > > > > > > > > > > > How can I make it so if the client did not send that $http_ > > > header > > > > > it makes > > > > > > $client_ip_from_cf variable value = $binary_remote_addr > > > > > > > > > > > > Not sure how to check in a map if that http header is > present. > > > > > > > > > > If the http header is absent, the matching variable is empty. > So > > > it > > > > > will > > > > > have the value "". > > > > > > > > > > Use that as the first half of your "map" pair. > > > > > > > > > > f > > > > > -- > > > > > Francis Daly francis at daoine.org > > > > > _______________________________________________ > > > > > nginx mailing list > > > > > nginx at nginx.org > > > > > http://mailman.nginx.org/mailman/listinfo/nginx > > > > > > > > > > > > Hey Francis, > > > > > > > > > > > > HTTP BLOCK > > > > log_format cf_custom 'CFIP:$http_cf_connecting_ip - $remote_addr > - > > > > $remote_user [$time_local] ' > > > > '"$request" Status:$status $body_bytes_sent ' > > > > '"$http_referer" "$http_user_agent"' > > > > '$http_cf_ray'; > > > > map $status $loggable { > > > > ~^[23] 0; > > > > default 1; > > > > } > > > > access_log logs/access.log cf_custom if=$loggable; > > > > > > > > map $remote_addr $client_ip_from_cf { > > > > default $remote_addr; > > > > } > > > > > > > > > > > > Access.log output > > > > CFIP:- - 10.108.22.40 - - [05/Mar/2017:21:27:50 +0100] "GET > > > > > > > > > > > > Any idea why the remote_addr is empty surely it should display > to me > > > the > > > > clients IP address i am not proxying traffic or anything like > that. > > > I > > > > expected to see an IP there instead it seems the value is empty. > > > > > > > > Posted at Nginx Forum: https://forum.nginx.org/read.p > > > > hp?2,272744,272766#msg-272766 > > > > > > > > _______________________________________________ > > > > nginx mailing list > > > > nginx at nginx.org > > > > http://mailman.nginx.org/mailman/listinfo/nginx > > > > > > > _______________________________________________ > > > nginx mailing list > > > nginx at nginx.org > > > http://mailman.nginx.org/mailman/listinfo/nginx > > > > Posted at Nginx Forum: https://forum.nginx.org/read. > > php?2,272744,272768#msg-272768 > > > > _______________________________________________ > > nginx mailing list > > nginx at nginx.org > > http://mailman.nginx.org/mailman/listinfo/nginx > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272744,272779#msg-272779 From mikydevel at yahoo.fr Mon Mar 6 21:35:03 2017 From: mikydevel at yahoo.fr (Mik J) Date: Mon, 6 Mar 2017 21:35:03 +0000 (UTC) Subject: Reverse proxy problem with an application References: <1797319055.5405349.1488836103023.ref@mail.yahoo.com> Message-ID: <1797319055.5405349.1488836103023@mail.yahoo.com> Hello, I have run an application behind a nginx reverse proxy and I can't make it to work a) if I access this application using https://1.1.1.1:443 it works (certificate warning)b) if I access this application using https://myapp.mydomain.org, I get access to the login page??? location ^~ / { ??????? proxy_pass??????? https://1.1.1.1:443; ??????? proxy_redirect??? off; ??????? proxy_set_header? Host???????????? $http_host; ??????? proxy_set_header? X-Real-IP??????? $remote_addr; ??????? proxy_set_header? X-Forwarded-For? $proxy_add_x_forwarded_for; ??????? proxy_hide_header X-Frame-Options;??????? proxy_hide_header X-Content-Security-Policy; ??????? proxy_hide_header X-Content-Type-Options; ??????? proxy_hide_header X-WebKit-CSP; ??????? proxy_hide_header content-security-policy; ??????? proxy_hide_header x-xss-protection; ??????? proxy_set_header? X-NginX-Proxy true; ??????? proxy_ssl_session_reuse off; ??? } c) I log in in the page and after some time (2/3 seconds) the application logs me out When I log in directly case a) I notice that I have (firebug) CookieSaveStateCookie=root; APPSESSIONID=070ABC6AE433D2CAEDCFFB1E43074416; testcookieenabled Whereas when I log in in case c) I haveAPPSESSIONID=070ABC6AE433D2CAEDCFFB1E43074416; testcookieenabled So I feel there's a problem with the session or something like that.PS: There is only one backend server and I can't run plain http (disable https) Does anyone has an idea ? -------------- next part -------------- An HTML attachment was scrubbed... URL: From tjlp at sina.com Tue Mar 7 01:37:54 2017 From: tjlp at sina.com (tjlp at sina.com) Date: Tue, 07 Mar 2017 09:37:54 +0800 Subject: =?UTF-8?B?5Zue5aSN77yaUmU6X+WbnuWkje+8mlJlOl/lm57lpI3vvJpSZTpfSXNzdWVfYWJv?= =?UTF-8?B?dXRfbmdpbnhfcmVtb3ZpbmdfdGhlX2hlYWRlcl8iQ29ubmVjdGlvbiJfaW5f?= =?UTF-8?B?SFRUUF9yZXNwb25zZT8=?= Message-ID: <20170307013754.66B16B000D0@webmail.sinamail.sina.com.cn> Hi, Alexks, I try your proposal and it doesn't work. Actually my issue is the same as this one http://stackoverflow.com/questions/5100971/nginx-and-proxy-pass-send-connection-close-headers. 1. I add "keeplive_request 0". The result is that the "Connection: close" header is sent to client for every response. That does not match my requirement. Our application decides whether to finish the application session using this header. 2. I add "proxy_pass_header Connection". Nginx keeps sending "Connection: keep-alive" header to client even the header is "Connection: close" from upstream server. Seems Nginx has some special handling for the Connection header in response. The openresty author suggests that the only way for changing response header change the nginx C code for this issue. See this issue: https://github.com/openresty/headers-more-nginx-module/issues/22#issuecomment-31585052. Thanks Liu Peng ----- ???? ----- ????Aleksandar Lazic ????tjlp at sina.com ????nginx ???Re:_???Re:_???Re:_Issue_about_nginx_removing_the_header_"Connection"_in_HTTP_response? ???2017?03?04? 17?22? Hi Liu Peng. Am 04-03-2017 09:12, schrieb tjlp at sina.com: > > Hi, Alexks, > > I don't want to hide the header. > My problem is that Nginx change the "Connection: close" header in the > reponse from upstream server to "Connction: keep-alive" and send to > client. I want to keep the original "Connection: close" header. Ah that's a clear question. It took us only 3 rounds to get to this clear question ;-) So now the standard Questions from me: What's the output of nginx -V ? What's your config? Maybe you have set 'keepalive' in the upstream config http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive or 'proxy_http_version 1.1;' http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version as a last resort you can just pass the header with 'proxy_pass_header Connection;'. http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_header Choose the solution which fit's to your demand. I can only guess due to the fact that we don't know your config. May I ask you to take a look into this document, which exists in several languages, thank you very much. http://www.catb.org/~esr/faqs/smart-questions.html Best regards Aleks > Thanks > Liu Peng > > ----- ???? ----- > ????Aleksandar Lazic > ????tjlp at sina.com > ????nginx > ???Re:_???Re:_Issue_about_nginx_removing_the_header_"Connection"_in_HTTP_response? > ???2017?03?03? 16?19? > Hi. > > then one directive upward. > > http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header > > Cheers > > aleks > > Am 03-03-2017 06:00, schrieb tjlp at sina.com: > >> Hi, >> >> What I mention is the header in response from backend server. Your >> answer about proxy_set_header is the "Connection" header in request. >> >> Thanks >> Liu Peng >> >> ----- ???? ----- >> ????Aleksandar Lazic >> ????nginx at nginx.org >> ????tjlp at sina.com >> ???Re: Issue about nginx removing the header "Connection" in HTTP >> response? >> ???2017?03?03? 06?25? >> >> Hi. >> Am 01-03-2017 08:29, schrieb tjlp at sina.com: >>> Hi, nginx guy, >>> >>> In our system, for some special requests, the upstream server will >>> return a response which the header includes "Connection: Close". >>> According to HTTP protocol, "Connection" is one-hop header. >>> So, nginx will remove this header and the client can't do the >>> business >>> logic correctly. >>> >>> How to handle this scenario? >> you mean something like this? >> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header >> If the value of a header field is an empty string then this field will >> not be passed to a proxied server: >> proxy_set_header Connection ""; >>> Thanks >>> Liu Peng >>> _______________________________________________ >>> nginx mailing list >>> nginx at nginx.org >>> http://mailman.nginx.org/mailman/listinfo/nginx -------------- next part -------------- An HTML attachment was scrubbed... URL: From nginx-forum at forum.nginx.org Tue Mar 7 05:49:51 2017 From: nginx-forum at forum.nginx.org (Nomad Worker) Date: Tue, 07 Mar 2017 00:49:51 -0500 Subject: ssl_session_timeout issues In-Reply-To: <20170306140232.GC23126@mdounin.ru> References: <20170306140232.GC23126@mdounin.ru> Message-ID: <3bb27db6be5b5857d19739d79297d9bd.NginxMailingListEnglish@forum.nginx.org> Thank you Maxim, my reading is wrong, this line of code is in function ngx_ssl_session_cache, and I ignored it. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272772,272783#msg-272783 From al-nginx at none.at Tue Mar 7 07:39:41 2017 From: al-nginx at none.at (Aleksandar Lazic) Date: Tue, 07 Mar 2017 08:39:41 +0100 Subject: =?UTF-8?B?UmU6IOWbnuWkje+8mlJlOl/lm57lpI3vvJpSZTpf5Zue5aSN77yaUmU6X0lzc3Vl?= =?UTF-8?B?X2Fib3V0X25naW54X3JlbW92aW5nX3RoZV9oZWFkZXJfIkNvbm5lY3Rpb24i?= =?UTF-8?B?X2luX0hUVFBfcmVzcG9uc2U/?= In-Reply-To: <20170307013754.66B16B000D0@webmail.sinamail.sina.com.cn> References: <20170307013754.66B16B000D0@webmail.sinamail.sina.com.cn> Message-ID: <6f6180c753696973e64fc30b97fba968@none.at> Hi Liu Peng. We still don't know your nginx version nor your config! Cite from below: > So now the standard Questions from me: > What's the output of nginx -V ? > What's your config? regards aleks Am 07-03-2017 02:37, schrieb tjlp at sina.com: > Hi, Alexks, > > I try your proposal and it doesn't work. Actually my issue is the same > as this one > http://stackoverflow.com/questions/5100971/nginx-and-proxy-pass-send-connection-close-headers. > > 1. I add "keeplive_request 0". The result is that the "Connection: > close" header is sent to client for every response. That does not match > my requirement. Our application decides whether to finish the > application session using this header. > > 2. I add "proxy_pass_header Connection". Nginx keeps sending > "Connection: keep-alive" header to client even the header is > "Connection: close" from upstream server. > > Seems Nginx has some special handling for the Connection header in > response. The openresty author suggests that the only way for changing > response header change the nginx C code for this issue. See this issue: > https://github.com/openresty/headers-more-nginx-module/issues/22#issuecomment-31585052. > > Thanks > Liu Peng > > ----- ???? ----- > ????Aleksandar Lazic > ????tjlp at sina.com > ????nginx > ???Re:_???Re:_???Re:_Issue_about_nginx_removing_the_header_"Connection"_in_HTTP_response? > ???2017?03?04? 17?22? > > Hi Liu Peng. > Am 04-03-2017 09:12, schrieb tjlp at sina.com: >> >> Hi, Alexks, >> >> I don't want to hide the header. >> My problem is that Nginx change the "Connection: close" header in the >> reponse from upstream server to "Connction: keep-alive" and send to >> client. I want to keep the original "Connection: close" header. > Ah that's a clear question. > It took us only 3 rounds to get to this clear question ;-) > So now the standard Questions from me: > What's the output of nginx -V ? > What's your config? > Maybe you have set 'keepalive' in the upstream config > http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive > or > 'proxy_http_version 1.1;' > http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version > as a last resort you can just pass the header with > 'proxy_pass_header Connection;'. > http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_header > Choose the solution which fit's to your demand. > I can only guess due to the fact that we don't know your config. > May I ask you to take a look into this document, which exists in > several > languages, thank you very much. > http://www.catb.org/~esr/faqs/smart-questions.html > Best regards > Aleks >> Thanks >> Liu Peng >> >> ----- ???? ----- >> ????Aleksandar Lazic >> ????tjlp at sina.com >> ????nginx >> ???Re:_???Re:_Issue_about_nginx_removing_the_header_"Connection"_in_HTTP_response? >> ???2017?03?03? 16?19? >> Hi. >> >> then one directive upward. >> >> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header >> >> Cheers >> >> aleks >> >> Am 03-03-2017 06:00, schrieb tjlp at sina.com: >> >>> Hi, >>> >>> What I mention is the header in response from backend server. Your >>> answer about proxy_set_header is the "Connection" header in request. >>> >>> Thanks >>> Liu Peng >>> >>> ----- ???? ----- >>> ????Aleksandar Lazic >>> ????nginx at nginx.org >>> ????tjlp at sina.com >>> ???Re: Issue about nginx removing the header "Connection" in HTTP >>> response? >>> ???2017?03?03? 06?25? >>> >>> Hi. >>> Am 01-03-2017 08:29, schrieb tjlp at sina.com: >>>> Hi, nginx guy, >>>> >>>> In our system, for some special requests, the upstream server will >>>> return a response which the header includes "Connection: Close". >>>> According to HTTP protocol, "Connection" is one-hop header. >>>> So, nginx will remove this header and the client can't do the >>>> business >>>> logic correctly. >>>> >>>> How to handle this scenario? >>> you mean something like this? >>> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header >>> If the value of a header field is an empty string then this field >>> will >>> not be passed to a proxied server: >>> proxy_set_header Connection ""; >>>> Thanks >>>> Liu Peng >>>> _______________________________________________ >>>> nginx mailing list >>>> nginx at nginx.org >>>> http://mailman.nginx.org/mailman/listinfo/nginx From tjlp at sina.com Tue Mar 7 09:49:10 2017 From: tjlp at sina.com (tjlp at sina.com) Date: Tue, 07 Mar 2017 17:49:10 +0800 Subject: =?UTF-8?B?5Zue5aSN77yaUmU6X+WbnuWkje+8mlJlOl/lm57lpI3vvJpSZTpf5Zue5aSN77ya?= =?UTF-8?B?UmU6X0lzc3VlX2Fib3V0X25naW54X3JlbW92aW5nX3RoZV9oZWFkZXJfIkNv?= =?UTF-8?B?bm5lY3Rpb24iX2luX0hUVFBfcmVzcG9uc2U/?= Message-ID: <20170307094910.43F30B000D0@webmail.sinamail.sina.com.cn> Hi, Aleks, The result of nginx -V is as follow: nginx version: nginx/1.11.1 built by gcc 4.9.2 (Debian 4.9.2-10) built with OpenSSL 1.0.1t 3 May 2016 TLS SNI support enabled configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_sub_module --with-http_v2_module --with-http_spdy_module --with-stream --with-stream_ssl_module --with-threads --with-file-aio --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --add-module=/tmp/build/ngx_devel_kit-0.3.0 --add-module=/tmp/build/set-misc-nginx-module-0.30 --add-module=/tmp/build/nginx-module-vts-0.1.9 --add-module=/tmp/build/lua-nginx-module-0.10.5 --add-module=/tmp/build/headers-more-nginx-module-0.30 --add-module=/tmp/build/nginx-goodies-nginx-sticky-module-ng-c78b7dd79d0d --add-module=/tmp/build/nginx-http-auth-digest-f85f5d6fdcc06002ff879f5cbce930999c287011 --add-module=/tmp/build/ngx_http_substitutions_filter_module-bc58cb11844bc42735bbaef7085ea86ace46d05b --add-module=/tmp/build/lua-upstream-nginx-module-0.05 The nginx conf is: daemon off; worker_processes 2; pid /run/nginx.pid; worker_rlimit_nofile 131072; pcre_jit on; events { multi_accept on; worker_connections 16384; use epoll; } http { lua_shared_dict server_sessioncnt_dict 20k; lua_shared_dict server_dict 20k; lua_shared_dict server_acceptnewconn_dict 20k; lua_shared_dict sessionid_server_dict 100k; real_ip_header X-Forwarded-For; set_real_ip_from 0.0.0.0/0; real_ip_recursive on; geoip_country /etc/nginx/GeoIP.dat; geoip_city /etc/nginx/GeoLiteCity.dat; geoip_proxy_recursive on; vhost_traffic_status_zone shared:vhost_traffic_status:10m; vhost_traffic_status_filter_by_set_key $geoip_country_code country::*; # lua section to return proper error codes when custom pages are used lua_package_path '.?.lua;./etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/lua-resty-http/lib/?.lua;/etc/nginx/lua/vendor/lua-resty-lrucache/lib/?.lua;/etc/nginx/lua/vendor/lua-resty-core/lib/?.lua;/etc/nginx/lua/vendor/lua-resty-balancer/lib/?.lua;'; init_by_lua_file /etc/nginx/lua/init_by_lua.lua; sendfile on; aio threads; tcp_nopush on; tcp_nodelay on; log_subrequest on; reset_timedout_connection on; keepalive_timeout 75s; types_hash_max_size 2048; server_names_hash_max_size 512; server_names_hash_bucket_size 64; include /etc/nginx/mime.types; default_type text/html; gzip on; gzip_comp_level 5; gzip_http_version 1.1; gzip_min_length 256; gzip_types application/atom+xml application/javascript aplication/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component; gzip_proxied any; client_max_body_size "64m"; log_format upstreaminfo '$remote_addr - ' '[$proxy_add_x_forwarded_for] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" ' '$request_length $request_time $upstream_addr $upstream_response_length $upstream_response_time $upstream_status'; map $request $loggable { default 1; } access_log /var/log/nginx/access.log upstreaminfo if=$loggable; error_log /var/log/nginx/error.log notice; map $http_upgrade $connection_upgrade { default upgrade; '' close; } # trust http_x_forwarded_proto headers correctly indicate ssl offloading map $http_x_forwarded_proto $pass_access_scheme { default $http_x_forwarded_proto; '' $scheme; } # Map a response error watching the header Content-Type map $http_accept $httpAccept { default html; application/json json; application/xml xml; text/plain text; } map $httpAccept $httpReturnType { default text/html; json application/json; xml application/xml; text text/plain; } server_name_in_redirect off; port_in_redirect off; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # turn on session caching to drastically improve performance ssl_session_cache builtin:1000 shared:SSL:10m; ssl_session_timeout 10m; # allow configuring ssl session tickets ssl_session_tickets on; # slightly reduce the time-to-first-byte ssl_buffer_size 4k; # allow configuring custom ssl ciphers ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; ssl_prefer_server_ciphers on; # In case of errors try the next upstream server before returning an error proxy_next_upstream error timeout invalid_header http_502 http_503 http_504; upstream liupeng-sm-rte-svc-13080 { server 172.77.69.10:13080; server 172.77.87.9:13080; balancer_by_lua_file /etc/nginx/lua/balancer_by_lua.lua; } server { server_name _; listen 80; listen 443 ssl spdy http2; # PEM sha: aad58c371e57f3c243a7c8143c17762c67a0f18a ssl_certificate /etc/nginx-ssl/system-snake-oil-certificate.pem; ssl_certificate_key /etc/nginx-ssl/system-snake-oil-certificate.pem; more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; location /SM/ui { proxy_set_header Host $host; # Pass Real IP proxy_set_header X-Real-IP $remote_addr; # Allow websocket connections proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection ""; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Proto $pass_access_scheme; # mitigate HTTPoxy Vulnerability # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ proxy_set_header Proxy ""; proxy_connect_timeout 5s; proxy_send_timeout 60s; proxy_read_timeout 60s; proxy_redirect off; proxy_buffering off; proxy_http_version 1.1; proxy_pass http://liupeng-sm-rte-svc-13080; rewrite_by_lua_file /etc/nginx/lua/rewrite_by_lua.lua; header_filter_by_lua_file /etc/nginx/lua/header_filter_by_lua.lua; } } } ----- ???? ----- ????Aleksandar Lazic ????tjlp at sina.com ????nginx ???Re:_???Re:_???Re:_???Re:_Issue_about_nginx_removing_the_header_"Connection"_in_HTTP_response? ???2017?03?07? 15?39? Hi Liu Peng. We still don't know your nginx version nor your config! Cite from below: > So now the standard Questions from me: > What's the output of nginx -V ? > What's your config? regards aleks Am 07-03-2017 02:37, schrieb tjlp at sina.com: > Hi, Alexks, > > I try your proposal and it doesn't work. Actually my issue is the same > as this one > http://stackoverflow.com/questions/5100971/nginx-and-proxy-pass-send-connection-close-headers. > > 1. I add "keeplive_request 0". The result is that the "Connection: > close" header is sent to client for every response. That does not match > my requirement. Our application decides whether to finish the > application session using this header. > > 2. I add "proxy_pass_header Connection". Nginx keeps sending > "Connection: keep-alive" header to client even the header is > "Connection: close" from upstream server. > > Seems Nginx has some special handling for the Connection header in > response. The openresty author suggests that the only way for changing > response header change the nginx C code for this issue. See this issue: > https://github.com/openresty/headers-more-nginx-module/issues/22#issuecomment-31585052. > > Thanks > Liu Peng > > ----- ???? ----- > ????Aleksandar Lazic > ????tjlp at sina.com > ????nginx > ???Re:_???Re:_???Re:_Issue_about_nginx_removing_the_header_"Connection"_in_HTTP_response? > ???2017?03?04? 17?22? > > Hi Liu Peng. > Am 04-03-2017 09:12, schrieb tjlp at sina.com: >> >> Hi, Alexks, >> >> I don't want to hide the header. >> My problem is that Nginx change the "Connection: close" header in the >> reponse from upstream server to "Connction: keep-alive" and send to >> client. I want to keep the original "Connection: close" header. > Ah that's a clear question. > It took us only 3 rounds to get to this clear question ;-) > So now the standard Questions from me: > What's the output of nginx -V ? > What's your config? > Maybe you have set 'keepalive' in the upstream config > http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive > or > 'proxy_http_version 1.1;' > http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version > as a last resort you can just pass the header with > 'proxy_pass_header Connection;'. > http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_header > Choose the solution which fit's to your demand. > I can only guess due to the fact that we don't know your config. > May I ask you to take a look into this document, which exists in > several > languages, thank you very much. > http://www.catb.org/~esr/faqs/smart-questions.html > Best regards > Aleks >> Thanks >> Liu Peng >> >> ----- ???? ----- >> ????Aleksandar Lazic >> ????tjlp at sina.com >> ????nginx >> ???Re:_???Re:_Issue_about_nginx_removing_the_header_"Connection"_in_HTTP_response? >> ???2017?03?03? 16?19? >> Hi. >> >> then one directive upward. >> >> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header >> >> Cheers >> >> aleks >> >> Am 03-03-2017 06:00, schrieb tjlp at sina.com: >> >>> Hi, >>> >>> What I mention is the header in response from backend server. Your >>> answer about proxy_set_header is the "Connection" header in request. >>> >>> Thanks >>> Liu Peng >>> >>> ----- ???? ----- >>> ????Aleksandar Lazic >>> ????nginx at nginx.org >>> ????tjlp at sina.com >>> ???Re: Issue about nginx removing the header "Connection" in HTTP >>> response? >>> ???2017?03?03? 06?25? >>> >>> Hi. >>> Am 01-03-2017 08:29, schrieb tjlp at sina.com: >>>> Hi, nginx guy, >>>> >>>> In our system, for some special requests, the upstream server will >>>> return a response which the header includes "Connection: Close". >>>> According to HTTP protocol, "Connection" is one-hop header. >>>> So, nginx will remove this header and the client can't do the >>>> business >>>> logic correctly. >>>> >>>> How to handle this scenario? >>> you mean something like this? >>> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header >>> If the value of a header field is an empty string then this field >>> will >>> not be passed to a proxied server: >>> proxy_set_header Connection ""; >>>> Thanks >>>> Liu Peng >>>> _______________________________________________ >>>> nginx mailing list >>>> nginx at nginx.org >>>> http://mailman.nginx.org/mailman/listinfo/nginx -------------- next part -------------- An HTML attachment was scrubbed... URL: From nginx-forum at forum.nginx.org Tue Mar 7 12:33:58 2017 From: nginx-forum at forum.nginx.org (zaidahmd) Date: Tue, 07 Mar 2017 07:33:58 -0500 Subject: Can NGINX Forward the 401 Response to Upstream server to Destroy Temp User data Message-ID: <8234620e528b80f80c85ec93453e1761.NginxMailingListEnglish@forum.nginx.org> I have and NGINX reverse proxy and upstream server. NGINX authenticates the incoming request and forwards the request to upstream server, which also authenticates the request first and then creates a session for the user. I want to know if the user session gets expired in NGINX, will NGINX forward the request to upstream server to also destroy the user session OR NGINX will just destroy the session in its authentication service and will not inform the upstream server to destroy the session ? Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272796,272796#msg-272796 From nginx-forum at forum.nginx.org Tue Mar 7 13:18:02 2017 From: nginx-forum at forum.nginx.org (alweiss) Date: Tue, 07 Mar 2017 08:18:02 -0500 Subject: Efficient CRL checking at Nginx In-Reply-To: <23ac810b9b4d0f3f03fc8ffa9743aca3.NginxMailingListEnglish@forum.nginx.org> References: <20141217154720.GQ45960@mdounin.ru> <23ac810b9b4d0f3f03fc8ffa9743aca3.NginxMailingListEnglish@forum.nginx.org> Message-ID: <8948412cdda62d1392ba30ee36c4aae7.NginxMailingListEnglish@forum.nginx.org> Hi Maxim For specific needs, if i don't add the ssl_crl directive to my ssl configuration, would nginx just don't check anything or would it issue a live query on the url indicated as a crl distribution point in the client certificate, introducing high latency ...? In other words, how to completely disable.crl checking on client authentication ? Thanks ! Posted at Nginx Forum: https://forum.nginx.org/read.php?2,255509,272798#msg-272798 From mdounin at mdounin.ru Tue Mar 7 13:36:18 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 7 Mar 2017 16:36:18 +0300 Subject: Efficient CRL checking at Nginx In-Reply-To: <8948412cdda62d1392ba30ee36c4aae7.NginxMailingListEnglish@forum.nginx.org> References: <20141217154720.GQ45960@mdounin.ru> <23ac810b9b4d0f3f03fc8ffa9743aca3.NginxMailingListEnglish@forum.nginx.org> <8948412cdda62d1392ba30ee36c4aae7.NginxMailingListEnglish@forum.nginx.org> Message-ID: <20170307133617.GI23126@mdounin.ru> Hello! On Tue, Mar 07, 2017 at 08:18:02AM -0500, alweiss wrote: > Hi Maxim > For specific needs, if i don't add the ssl_crl directive to my ssl > configuration, would nginx just don't check anything or would it issue a > live query on the url indicated as a crl distribution point in the client > certificate, introducing high latency ...? > > In other words, how to completely disable.crl checking on client > authentication ? CRL checking is only enabled when you explicitly load a CRL using the ssl_crl directive. That is, CRL checking is disabled by default, you don't need to do anything to disable it. -- Maxim Dounin http://nginx.org/ From nginx-forum at forum.nginx.org Tue Mar 7 14:01:46 2017 From: nginx-forum at forum.nginx.org (alweiss) Date: Tue, 07 Mar 2017 09:01:46 -0500 Subject: Efficient CRL checking at Nginx In-Reply-To: <20170307133617.GI23126@mdounin.ru> References: <20170307133617.GI23126@mdounin.ru> Message-ID: Understood. Thanks much for your quick reply ! Alex Posted at Nginx Forum: https://forum.nginx.org/read.php?2,255509,272800#msg-272800 From nginx-forum at forum.nginx.org Tue Mar 7 19:50:57 2017 From: nginx-forum at forum.nginx.org (larsg) Date: Tue, 07 Mar 2017 14:50:57 -0500 Subject: Reverse Proxy with 500k connections Message-ID: Hi, we are operating native nginx 1.8.1 on RHEL as a reverse proxy. The nginx routes requests to a backend server that can be reached from the proxy via a single internal IP address. We have to support a large number of concurrent websocket connections - say 100k to 500k. As we don't want to increase the number of proxy instances (with different IPs) and we cannot use the "proxy_bind transarent" option (was introduced in a later nginx release, upgrade is not possible) we wanted to configure the nginx to use different source IPs then routing to the backend. Thus, we want nginx to select an available source ip + source port when a connection is established with the backend. For that we assigned ten internal IPs to the proxy server and used the proxy_bind directive bound to 0.0.0.0. But this approach seems not to work. The nginx instance seems always use the first IP as source IP. Using multiple proxy_bind's is not possible. So my question is: How can I configure nginx to select from a pool of source IPs? Or generally: to overcome the 64k problem? Best Regards Lars ------- extract from config upstream backend { server 192.168.1.21:443; } server { listen 443 ssl; proxy_bind 0.0.0.0; location /service { proxy_pass https://backend; ... } } Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272808,272808#msg-272808 From nelsonmarcos at gmail.com Tue Mar 7 21:12:24 2017 From: nelsonmarcos at gmail.com (Nelson Marcos) Date: Tue, 7 Mar 2017 18:12:24 -0300 Subject: Reverse Proxy with 500k connections In-Reply-To: References: Message-ID: Do you really need to use different source ips or it's a solution that you picked? Also, is it a option to set the keepalive option in your upstream configure section? http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive Um abra?o, NM 2017-03-07 16:50 GMT-03:00 larsg : > Hi, > > we are operating native nginx 1.8.1 on RHEL as a reverse proxy. > The nginx routes requests to a backend server that can be reached from the > proxy via a single internal IP address. > We have to support a large number of concurrent websocket connections - say > 100k to 500k. > > As we don't want to increase the number of proxy instances (with different > IPs) and we cannot use the "proxy_bind transarent" option (was introduced > in > a later nginx release, upgrade is not possible) we wanted to configure the > nginx to use different source IPs then routing to the backend. Thus, we > want > nginx to select an available source ip + source port when a connection is > established with the backend. > > For that we assigned ten internal IPs to the proxy server and used the > proxy_bind directive bound to 0.0.0.0. > But this approach seems not to work. The nginx instance seems always use > the > first IP as source IP. > Using multiple proxy_bind's is not possible. > > So my question is: How can I configure nginx to select from a pool of > source > IPs? Or generally: to overcome the 64k problem? > > Best Regards > Lars > > ------- extract from config > > upstream backend { > server 192.168.1.21:443; > } > > server { > listen 443 ssl; > proxy_bind 0.0.0.0; > > location /service { > proxy_pass https://backend; > ... > } > } > > Posted at Nginx Forum: https://forum.nginx.org/read. > php?2,272808,272808#msg-272808 > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From efeldhusen.lists at gmail.com Tue Mar 7 21:21:56 2017 From: efeldhusen.lists at gmail.com (Eric Feldhusen) Date: Tue, 7 Mar 2017 16:21:56 -0500 Subject: Nginx reverse proxy for TFTP UDP port 69 traffic Message-ID: <04D23F0F-B586-42A5-8C9E-AFA77F5ECEBB@gmail.com> I?m trying to use Nginx to reverse proxy TFTP UDP port 69 traffic and I?m having a problem with getting files through the nginx reverse proxy. My configuration is simple, I?m running TFTP on one Centos 6.x server and the Nginx reserve proxy on another Centos 6.x server with the latest Nginx mainline 1.11.10 from the nginx.org repository. TFTP connections to the TFTP server directly work. Using the same commands through the Nginx reverse proxy, connects, but will not download or upload a file through it. If you have any suggestions, I?d appreciate a nudge in the right direction. I?m assuming it?s something I?m missing. Eric Feldhusen My configuration is below. The TFTP server is at 192.168.1.11 and the Nginx reverse proxy is at 192.168.1.145. No firewalls on either server. stream { upstream staging_tftp_servers { server 192.168.1.70:69; } server { listen 69 udp; #udp proxy_pass staging_tftp_servers; error_log /var/log/nginx/tftp.log info; } } I?m seeing these in the tftp.log 2017/03/06 14:34:44 [info] 32676#32676: *554 udp upstream disconnected, bytes from/to client:36/0, bytes from/to upstream:0/36 2017/03/06 14:34:46 [info] 32676#32676: *556 udp upstream disconnected, bytes from/to client:36/0, bytes from/to upstream:0/36 2017/03/06 14:34:47 [info] 32676#32676: *1439 udp client 10.1.0.14:2277 connected to 0.0.0.0:69 2017/03/06 14:34:47 [info] 32676#32676: *1439 udp proxy 192.168.1.145:37961 connected to 192.168.1.11:69 2017/03/06 14:34:48 [info] 32676#32676: *558 udp upstream disconnected, bytes from/to client:23/0, bytes from/to upstream:0/23 2017/03/06 14:34:48 [info] 32676#32676: *560 udp upstream disconnected, bytes from/to client:36/0, bytes from/to upstream:0/36 2017/03/06 14:34:49 [info] 32676#32676: *1441 udp client 10.1.0.15:1090 connected to 0.0.0.0:69 2017/03/06 14:34:49 [info] 32676#32676: *1441 udp proxy 192.168.1.145:38526 connected to 192.168.1.11:69 2017/03/06 14:34:50 [info] 32676#32676: *562 udp upstream disconnected, bytes from/to client:36/0, bytes from/to upstream:0/36 2017/03/06 14:34:53 [info] 32676#32676: *1443 udp client 10.1.0.14:2277 connected to 0.0.0.0:69 2017/03/06 14:34:53 [info] 32676#32676: *1443 udp proxy 192.168.1.145:38689 connected to 192.168.1.11:69 2017/03/06 14:34:56 [info] 32676#32676: *564 udp upstream disconnected, bytes from/to client:23/0, bytes from/to upstream:0/23 2017/03/06 14:34:56 [info] 32676#32676: *566 udp upstream disconnected, bytes from/to client:36/0, bytes from/to upstream:0/36 -------------- next part -------------- An HTML attachment was scrubbed... URL: From rainer at ultra-secure.de Tue Mar 7 21:21:48 2017 From: rainer at ultra-secure.de (Rainer Duffner) Date: Tue, 7 Mar 2017 22:21:48 +0100 Subject: Reverse Proxy with 500k connections In-Reply-To: References: Message-ID: <14E44683-8D28-47A2-B371-7167A5F72A12@ultra-secure.de> > Am 07.03.2017 um 22:12 schrieb Nelson Marcos : > > Do you really need to use different source ips or it's a solution that you picked? > > Also, is it a option to set the keepalive option in your upstream configure section? > http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive I?m not sure if you can proxy web socket connections like http-connections. After all, they are persistent (hence the large number of connections). Why can?t you (OP) do the upgrade to 1.10? I thought it?s the only ?supported" version anyway? -------------- next part -------------- An HTML attachment was scrubbed... URL: From francis at daoine.org Tue Mar 7 21:23:59 2017 From: francis at daoine.org (Francis Daly) Date: Tue, 7 Mar 2017 21:23:59 +0000 Subject: Nginx Map how to check value if empty In-Reply-To: References: Message-ID: <20170307212359.GE15209@daoine.org> On Mon, Mar 06, 2017 at 02:12:40PM -0500, c0nw0nk wrote: Hi there, good that you've found some more answers. There's still some to be worked on, though, I suspect. > So to explain how to get the origin IP for each method someone could be > using here is the list : > > Cloudflares proxied traffic : > sets the header $http_cf_connecting_ip so use this header to get the > Client's real IP Stock nginx has the realip module which will allow you to use a value from one specific http header, as if it were the connecting address. And stock nginx knows that the client can set any header to any value, so it can be configured to only believe the value if it was set by a trusted source. (More or less). It looks like this $http_cf_connecting_ip contains a single IP address, which is the address of the thing that connected to Cloudflare -- either the client, or a proxy that it uses. And it can be trusted, if the incoming request went through the Cloudflare reverse proxy. (And, presumably, it is spoofed if the incoming request did not go through the Cloudflare reverse proxy.) > Traffic from cloudflare via the DNS only connections : > These would not have the $http_cf_connecting_ip header present. > But those connections hit a load balancing ip what sets the header > $http_x_forwarded_for header so that is the way to get the Clients real ip > via those connections. $http_x_forwarded_for is common enough; it can hold a list of IP addresses. The realip module knows how to deal with it. Whatever method you use to read it, you should be aware that the header is not necessarily exactly one IP address. And the client can set the header to any initial value; the "load balancing ip" (unless documented otherwise) probably creates-or-adds-to the header, rather than creates-or-replaces. > And then some connections don't hit my load balancing IP and go directly to > a specific origin server these connections can use $remote_addr. They can. But those connections might also have $http_x_forwarded_for. And $http_cf_connecting_ip. So you will need a reliable way of distinguishing between case#1 and case#2 and case#3, if you care about that. (Probably, the majority of "innocent" requests will not have spoofed headers. If that is good enough for what you are trying to achieve, then you're ok.) > My Solution / conclusion : > > How to come up with a fix that allows me to obtain the real IP in a dynamic > situation like this ? I would suggest one of: * go to extra measures to cause there to exist a new feature in nginx, such that the realip module will look at more than one header to determine the address to use or * recognise that if Cloudflare put in a CF-Connecting-IP header, they probably also put in a X-Forwarded-For header; ignore CF-Connecting-IP and just use the realip module with X-Forwarded-For. http://nginx.org/r/real_ip_header and the rest of that page. > I have solved my issue with the following. This will work, with the above caveats. If you have time to experiment, you may find that the realip module does something similar in a less fragile way. Cheers, f -- Francis Daly francis at daoine.org From simowitz at google.com Tue Mar 7 21:38:04 2017 From: simowitz at google.com (Jonathan Simowitz) Date: Tue, 7 Mar 2017 16:38:04 -0500 Subject: Passing $upstream_response_time in a header Message-ID: Hello, I have an nginx server that runs as reverse proxy and I would like to pass the $upstream_response_time value in a header. I find that when I do the value is actually a linux timestamp with millisecond resolution instead of a value of seconds with millisecond resolution. Apparently this is automatically converted when written to the logs. Is there a way to trigger the conversion for passing in a header? Thank you, ~Jonathan -- Jonathan Simowitz | Jigsaw | Software Engineer | simowitz at google.com | 631-223-8608 -------------- next part -------------- An HTML attachment was scrubbed... URL: From vl at nginx.com Tue Mar 7 21:58:06 2017 From: vl at nginx.com (Vladimir Homutov) Date: Wed, 8 Mar 2017 00:58:06 +0300 Subject: Nginx reverse proxy for TFTP UDP port 69 traffic In-Reply-To: <04D23F0F-B586-42A5-8C9E-AFA77F5ECEBB@gmail.com> References: <04D23F0F-B586-42A5-8C9E-AFA77F5ECEBB@gmail.com> Message-ID: <2fd0e5d5-bd51-cff5-64e9-fdb254f519ed@nginx.com> On 08.03.2017 00:21, Eric Feldhusen wrote: > I?m trying to use Nginx to reverse proxy TFTP UDP port 69 traffic and > I?m having a problem with getting files through the nginx reverse proxy. > > My configuration is simple, I?m running TFTP on one Centos 6.x server > and the Nginx reserve proxy on another Centos 6.x server with the latest > Nginx mainline 1.11.10 from the nginx.org repository. > > TFTP connections to the TFTP server directly work. Using the same > commands through the Nginx reverse proxy, connects, but will not > download or upload a file through it. > > If you have any suggestions, I?d appreciate a nudge in the right > direction. I?m assuming it?s something I?m missing. > > Eric Feldhusen Unfortunately, TFTP will not work, because it requires that after initial server's reply client will send packets to the port, chosen by server (i.e. not 69. but some auto-assigned). also, TFTP server recognizes clients by its source port and it changes when a packet passes proxy - each packet is originating from a new source port on proxy. From tolga.ceylan at gmail.com Tue Mar 7 22:10:24 2017 From: tolga.ceylan at gmail.com (Tolga Ceylan) Date: Tue, 7 Mar 2017 14:10:24 -0800 Subject: Reverse Proxy with 500k connections In-Reply-To: <14E44683-8D28-47A2-B371-7167A5F72A12@ultra-secure.de> References: <14E44683-8D28-47A2-B371-7167A5F72A12@ultra-secure.de> Message-ID: How about using split_clients "${remote_addr}AAA" $proxy_ip { 10% 192.168.1.10; 10% 192.168.1.11; ... * 192.168.1.19; } proxy_bind $proxy_ip; where $proxy_ip is populated via split clients module to spread the traffic to 10 internal IPs. or add 10 new listener ports (or ips) to your backend server instead, (and perhaps use least connected load balancing) in upstream {} set of 10 backends. eg: upstream backend { least_conn; server 192.168.1.21:443; server 192.168.1.21:444; server 192.168.1.21:445; server 192.168.1.21:446; server 192.168.1.21:447; server 192.168.1.21:448; server 192.168.1.21:449; server 192.168.1.21:450; server 192.168.1.21:451; server 192.168.1.21:452; } On Tue, Mar 7, 2017 at 1:21 PM, Rainer Duffner wrote: > > Am 07.03.2017 um 22:12 schrieb Nelson Marcos : > > Do you really need to use different source ips or it's a solution that you > picked? > > Also, is it a option to set the keepalive option in your upstream configure > section? > http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive > > > > > I?m not sure if you can proxy web socket connections like http-connections. > > After all, they are persistent (hence the large number of connections). > > Why can?t you (OP) do the upgrade to 1.10? I thought it?s the only > ?supported" version anyway? > > > > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx From al-nginx at none.at Tue Mar 7 22:25:52 2017 From: al-nginx at none.at (Aleksandar Lazic) Date: Tue, 07 Mar 2017 23:25:52 +0100 Subject: =?UTF-8?B?UmU6IOWbnuWkje+8mlJlOl/lm57lpI3vvJpSZTpf5Zue5aSN77yaUmU6X+Wbng==?= =?UTF-8?B?5aSN77yaUmU6X0lzc3VlX2Fib3V0X25naW54X3JlbW92aW5nX3RoZV9oZWFk?= =?UTF-8?B?ZXJfIkNvbm5lY3Rpb24iX2luX0hUVFBfcmVzcG9uc2U/?= In-Reply-To: <20170307094910.43F30B000D0@webmail.sinamail.sina.com.cn> References: <20170307094910.43F30B000D0@webmail.sinamail.sina.com.cn> Message-ID: <902b60ba58740ab75c31f22379306670@none.at> Hi. Well that's a lot modules and lua stuff there. What's in the '*by_lua_file's ? Can you run from a specific IP the debug log to see what's happen in nginx? http://nginx.org/en/docs/debugging_log.html regards aleks Am 07-03-2017 10:49, schrieb tjlp at sina.com: > Hi, Aleks, > > The result of nginx -V is as follow: > nginx version: nginx/1.11.1 > built by gcc 4.9.2 (Debian 4.9.2-10) > built with OpenSSL 1.0.1t 3 May 2016 > TLS SNI support enabled > configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_sub_module --with-http_v2_module --with-http_spdy_module --with-stream --with-stream_ssl_module --with-threads --with-file-aio --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --add-module=/tmp/build/ngx_devel_kit-0.3.0 --add-module=/tmp/build/set-misc-nginx-module-0.30 --add-module=/tmp/build/nginx-module-vts-0.1.9 --add-module=/tmp/build/lua-nginx-module-0.10.5 --add-module=/tmp/build/headers-more-nginx-module-0.30 --add-module=/tmp/build/nginx-goodies-nginx-sticky-module-ng-c78b7dd79d0d --add-module=/tmp/build/nginx-http-auth-digest-f85f5d6fdcc06002ff879f5cbce930999c287011 --add-module=/tmp/build/ngx_http_substitutions_filter_module-bc58cb11844bc42735bbaef7085ea86ace46d05b --add-module=/tmp/build/lua-upstream-nginx-module-0.05 > > The nginx conf is: > > daemon off; > > worker_processes 2; > > pid /run/nginx.pid; > > worker_rlimit_nofile 131072; > > pcre_jit on; > > events { > multi_accept on; > worker_connections 16384; > use epoll; > } > > http { > > lua_shared_dict server_sessioncnt_dict 20k; > lua_shared_dict server_dict 20k; > lua_shared_dict server_acceptnewconn_dict 20k; > lua_shared_dict sessionid_server_dict 100k; > > real_ip_header X-Forwarded-For; > set_real_ip_from 0.0.0.0/0; > real_ip_recursive on; > > geoip_country /etc/nginx/GeoIP.dat; > geoip_city /etc/nginx/GeoLiteCity.dat; > geoip_proxy_recursive on; > vhost_traffic_status_zone shared:vhost_traffic_status:10m; > vhost_traffic_status_filter_by_set_key $geoip_country_code country::*; > # lua section to return proper error codes when custom pages are used > lua_package_path '.?.lua;./etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/lua-resty-http/lib/?.lua;/etc/nginx/lua/vendor/lua-resty-lrucache/lib/?.lua;/etc/nginx/lua/vendor/lua-resty-core/lib/?.lua;/etc/nginx/lua/vendor/lua-resty-balancer/lib/?.lua;'; > > init_by_lua_file /etc/nginx/lua/init_by_lua.lua; > > sendfile on; > aio threads; > tcp_nopush on; > tcp_nodelay on; > > log_subrequest on; > > reset_timedout_connection on; > > keepalive_timeout 75s; > > types_hash_max_size 2048; > server_names_hash_max_size 512; > server_names_hash_bucket_size 64; > > include /etc/nginx/mime.types; > default_type text/html; > gzip on; > gzip_comp_level 5; > gzip_http_version 1.1; > gzip_min_length 256; > gzip_types application/atom+xml application/javascript aplication/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component; > gzip_proxied any; > > client_max_body_size "64m"; > > log_format upstreaminfo '$remote_addr - ' > '[$proxy_add_x_forwarded_for] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" ' > '$request_length $request_time $upstream_addr $upstream_response_length $upstream_response_time $upstream_status'; > > map $request $loggable { > default 1; > } > > access_log /var/log/nginx/access.log upstreaminfo if=$loggable; > error_log /var/log/nginx/error.log notice; > > map $http_upgrade $connection_upgrade { > default upgrade; > '' close; > } > > # trust http_x_forwarded_proto headers correctly indicate ssl offloading > map $http_x_forwarded_proto $pass_access_scheme { > default $http_x_forwarded_proto; > '' $scheme; > } > > # Map a response error watching the header Content-Type > map $http_accept $httpAccept { > default html; > application/json json; > application/xml xml; > text/plain text; > } > > map $httpAccept $httpReturnType { > default text/html; > json application/json; > xml application/xml; > text text/plain; > } > > server_name_in_redirect off; > port_in_redirect off; > > ssl_protocols TLSv1 TLSv1.1 TLSv1.2; > > # turn on session caching to drastically improve performance > > ssl_session_cache builtin:1000 shared:SSL:10m; > ssl_session_timeout 10m; > > # allow configuring ssl session tickets > ssl_session_tickets on; > > # slightly reduce the time-to-first-byte > ssl_buffer_size 4k; > > # allow configuring custom ssl ciphers > ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; > ssl_prefer_server_ciphers on; > > # In case of errors try the next upstream server before returning an error > proxy_next_upstream error timeout invalid_header http_502 http_503 http_504; > > upstream liupeng-sm-rte-svc-13080 { > server 172.77.69.10:13080; > server 172.77.87.9:13080; > > balancer_by_lua_file /etc/nginx/lua/balancer_by_lua.lua; > > } > > server { > server_name _; > listen 80; > listen 443 ssl spdy http2; > > # PEM sha: aad58c371e57f3c243a7c8143c17762c67a0f18a > ssl_certificate /etc/nginx-ssl/system-snake-oil-certificate.pem; > ssl_certificate_key /etc/nginx-ssl/system-snake-oil-certificate.pem; > > more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; > > vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; > > location /SM/ui { > > proxy_set_header Host $host; > > # Pass Real IP > proxy_set_header X-Real-IP $remote_addr; > > # Allow websocket connections > proxy_set_header Upgrade $http_upgrade; > > proxy_set_header Connection ""; > > proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; > proxy_set_header X-Forwarded-Host $host; > proxy_set_header X-Forwarded-Port $server_port; > proxy_set_header X-Forwarded-Proto $pass_access_scheme; > > # mitigate HTTPoxy Vulnerability > # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ > proxy_set_header Proxy ""; > > proxy_connect_timeout 5s; > proxy_send_timeout 60s; > proxy_read_timeout 60s; > > proxy_redirect off; > > proxy_buffering off; > > proxy_http_version 1.1; > > proxy_pass http://liupeng-sm-rte-svc-13080; > > rewrite_by_lua_file /etc/nginx/lua/rewrite_by_lua.lua; > > header_filter_by_lua_file /etc/nginx/lua/header_filter_by_lua.lua; > > } > > } > } > > ----- ???? ----- > ????Aleksandar Lazic > ????tjlp at sina.com > ????nginx > ???Re:_???Re:_???Re:_???Re:_Issue_about_nginx_removing_the_header_"Connection"_in_HTTP_response? > ???2017?03?07? 15?39? > > Hi Liu Peng. > We still don't know your nginx version nor your config! > Cite from below: >> So now the standard Questions from me: >> What's the output of nginx -V ? >> What's your config? > regards > aleks > Am 07-03-2017 02:37, schrieb tjlp at sina.com: >> Hi, Alexks, >> >> I try your proposal and it doesn't work. Actually my issue is the same >> as this one >> http://stackoverflow.com/questions/5100971/nginx-and-proxy-pass-send-connection-close-headers. >> >> 1. I add "keeplive_request 0". The result is that the "Connection: >> close" header is sent to client for every response. That does not match >> my requirement. Our application decides whether to finish the >> application session using this header. >> >> 2. I add "proxy_pass_header Connection". Nginx keeps sending >> "Connection: keep-alive" header to client even the header is >> "Connection: close" from upstream server. >> >> Seems Nginx has some special handling for the Connection header in >> response. The openresty author suggests that the only way for changing >> response header change the nginx C code for this issue. See this issue: >> https://github.com/openresty/headers-more-nginx-module/issues/22#issuecomment-31585052. >> >> Thanks >> Liu Peng >> >> ----- ???? ----- >> ????Aleksandar Lazic >> ????tjlp at sina.com >> ????nginx >> ???Re:_???Re:_???Re:_Issue_about_nginx_removing_the_header_"Connection"_in_HTTP_response? >> ???2017?03?04? 17?22? >> >> Hi Liu Peng. >> Am 04-03-2017 09:12, schrieb tjlp at sina.com: >>> >>> Hi, Alexks, >>> >>> I don't want to hide the header. >>> My problem is that Nginx change the "Connection: close" header in the >>> reponse from upstream server to "Connction: keep-alive" and send to >>> client. I want to keep the original "Connection: close" header. >> Ah that's a clear question. >> It took us only 3 rounds to get to this clear question ;-) >> So now the standard Questions from me: >> What's the output of nginx -V ? >> What's your config? >> Maybe you have set 'keepalive' in the upstream config >> http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive >> or >> 'proxy_http_version 1.1;' >> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version >> as a last resort you can just pass the header with >> 'proxy_pass_header Connection;'. >> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_header >> Choose the solution which fit's to your demand. >> I can only guess due to the fact that we don't know your config. >> May I ask you to take a look into this document, which exists in >> several >> languages, thank you very much. >> http://www.catb.org/~esr/faqs/smart-questions.html >> Best regards >> Aleks >>> Thanks >>> Liu Peng >>> >>> ----- ???? ----- >>> ????Aleksandar Lazic >>> ????tjlp at sina.com >>> ????nginx >>> ???Re:_???Re:_Issue_about_nginx_removing_the_header_"Connection"_in_HTTP_response? >>> ???2017?03?03? 16?19? >>> Hi. >>> >>> then one directive upward. >>> >>> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header >>> >>> Cheers >>> >>> aleks >>> >>> Am 03-03-2017 06:00, schrieb tjlp at sina.com: >>> >>>> Hi, >>>> >>>> What I mention is the header in response from backend server. Your >>>> answer about proxy_set_header is the "Connection" header in request. >>>> >>>> Thanks >>>> Liu Peng >>>> >>>> ----- ???? ----- >>>> ????Aleksandar Lazic >>>> ????nginx at nginx.org >>>> ????tjlp at sina.com >>>> ???Re: Issue about nginx removing the header "Connection" in HTTP >>>> response? >>>> ???2017?03?03? 06?25? >>>> >>>> Hi. >>>> Am 01-03-2017 08:29, schrieb tjlp at sina.com: >>>>> Hi, nginx guy, >>>>> >>>>> In our system, for some special requests, the upstream server will >>>>> return a response which the header includes "Connection: Close". >>>>> According to HTTP protocol, "Connection" is one-hop header. >>>>> So, nginx will remove this header and the client can't do the >>>>> business >>>>> logic correctly. >>>>> >>>>> How to handle this scenario? >>>> you mean something like this? >>>> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header >>>> If the value of a header field is an empty string then this field >>>> will >>>> not be passed to a proxied server: >>>> proxy_set_header Connection ""; >>>>> Thanks >>>>> Liu Peng >>>>> _______________________________________________ >>>>> nginx mailing list >>>>> nginx at nginx.org >>>>> http://mailman.nginx.org/mailman/listinfo/nginx -------------- next part -------------- An HTML attachment was scrubbed... URL: From francis at daoine.org Tue Mar 7 22:45:30 2017 From: francis at daoine.org (Francis Daly) Date: Tue, 7 Mar 2017 22:45:30 +0000 Subject: Passing $upstream_response_time in a header In-Reply-To: References: Message-ID: <20170307224530.GF15209@daoine.org> On Tue, Mar 07, 2017 at 04:38:04PM -0500, Jonathan Simowitz via nginx wrote: Hi there, > I have an nginx server that runs as reverse proxy and I would like to pass > the $upstream_response_time value in a header. I find that when I do the > value is actually a linux timestamp with millisecond resolution instead of > a value of seconds with millisecond resolution. My reading of http://nginx.org/r/$upstream_response_time says that what you report should not be happening. Do you have a sample config / request / response which shows the problem? Cheers, f -- Francis Daly francis at daoine.org From efeldhusen.lists at gmail.com Tue Mar 7 22:54:49 2017 From: efeldhusen.lists at gmail.com (Eric Feldhusen) Date: Tue, 7 Mar 2017 17:54:49 -0500 Subject: Nginx reverse proxy for TFTP UDP port 69 traffic In-Reply-To: <2fd0e5d5-bd51-cff5-64e9-fdb254f519ed@nginx.com> References: <04D23F0F-B586-42A5-8C9E-AFA77F5ECEBB@gmail.com> <2fd0e5d5-bd51-cff5-64e9-fdb254f519ed@nginx.com> Message-ID: > On Mar 7, 2017, at 4:58 PM, Vladimir Homutov wrote: > > On 08.03.2017 00:21, Eric Feldhusen wrote: >> I?m trying to use Nginx to reverse proxy TFTP UDP port 69 traffic and >> I?m having a problem with getting files through the nginx reverse proxy. >> >> My configuration is simple, I?m running TFTP on one Centos 6.x server >> and the Nginx reserve proxy on another Centos 6.x server with the latest >> Nginx mainline 1.11.10 from the nginx.org repository. >> >> TFTP connections to the TFTP server directly work. Using the same >> commands through the Nginx reverse proxy, connects, but will not >> download or upload a file through it. >> >> If you have any suggestions, I?d appreciate a nudge in the right >> direction. I?m assuming it?s something I?m missing. >> >> Eric Feldhusen > > Unfortunately, TFTP will not work, because it requires > that after initial server's reply client will send packets > to the port, chosen by server (i.e. not 69. but some auto-assigned). > also, TFTP server recognizes clients by its source port and > it changes when a packet passes proxy - each packet is originating > from a new source port on proxy. Ah, I had just started to look up specifically how TFTP connections work, so I hadn?t seen this yet, but that makes sense with what I was seeing. Thank you for the quick reply, I appreciate it. Eric Feldhusen From defan at nginx.com Tue Mar 7 23:39:27 2017 From: defan at nginx.com (Andrei Belov) Date: Wed, 8 Mar 2017 02:39:27 +0300 Subject: Reverse Proxy with 500k connections In-Reply-To: References: <14E44683-8D28-47A2-B371-7167A5F72A12@ultra-secure.de> Message-ID: Yes, split_clients solution fits perfectly in the described use case. Also, nginx >= 1.11.4 has support for IP_BIND_ADDRESS_NO_PORT socket option ([1], [2]) on supported systems (Linux kernel >= 4.2, glibc >= 2.23) which may be helpful as well. Quote from [1]: [..] Add IP_BIND_ADDRESS_NO_PORT to overcome bind(0) limitations: When an application needs to force a source IP on an active TCP socket it has to use bind(IP, port=x). As most applications do not want to deal with already used ports, x is often set to 0, meaning the kernel is in charge to find an available port. But kernel does not know yet if this socket is going to be a listener or be connected. This patch adds a new SOL_IP socket option, asking kernel to ignore the 0 port provided by application in bind(IP, port=0) and only remember the given IP address. The port will be automatically chosen at connect() time, in a way that allows sharing a source port as long as the 4-tuples are unique. [..] [1] https://kernelnewbies.org/Linux_4.2#head-8ccffc90738ffcb0c20caa96bae6799694b8ba3a [2] https://git.kernel.org/torvalds/c/90c337da1524863838658078ec34241f45d8394d > On 08 Mar 2017, at 01:10, Tolga Ceylan wrote: > > How about using > > split_clients "${remote_addr}AAA" $proxy_ip { > 10% 192.168.1.10; > 10% 192.168.1.11; > ... > * 192.168.1.19; > } > > proxy_bind $proxy_ip; > > where $proxy_ip is populated via split clients module to spread the > traffic to 10 internal IPs. > > or add 10 new listener ports (or ips) to your backend server instead, > (and perhaps use least connected load balancing) in upstream {} set of > 10 backends. eg: > > upstream backend { > least_conn; > server 192.168.1.21:443; > server 192.168.1.21:444; > server 192.168.1.21:445; > server 192.168.1.21:446; > server 192.168.1.21:447; > server 192.168.1.21:448; > server 192.168.1.21:449; > server 192.168.1.21:450; > server 192.168.1.21:451; > server 192.168.1.21:452; > } > > > > > On Tue, Mar 7, 2017 at 1:21 PM, Rainer Duffner wrote: >> >> Am 07.03.2017 um 22:12 schrieb Nelson Marcos : >> >> Do you really need to use different source ips or it's a solution that you >> picked? >> >> Also, is it a option to set the keepalive option in your upstream configure >> section? >> http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive >> >> >> >> >> I?m not sure if you can proxy web socket connections like http-connections. >> >> After all, they are persistent (hence the large number of connections). >> >> Why can?t you (OP) do the upgrade to 1.10? I thought it?s the only >> ?supported" version anyway? >> >> >> >> >> >> _______________________________________________ >> nginx mailing list >> nginx at nginx.org >> http://mailman.nginx.org/mailman/listinfo/nginx > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx From nginx-forum at forum.nginx.org Tue Mar 7 23:44:05 2017 From: nginx-forum at forum.nginx.org (c0nw0nk) Date: Tue, 07 Mar 2017 18:44:05 -0500 Subject: Nginx Map how to check value if empty In-Reply-To: <20170307212359.GE15209@daoine.org> References: <20170307212359.GE15209@daoine.org> Message-ID: <6bca319b739893fcbc4734247e82370f.NginxMailingListEnglish@forum.nginx.org> Hey, I was just looking at the realip module but that module does not seem to support fallback methods like I demonstrated I was in need of. (If it does support multiple headers and fallback conditions can someone provide a demonstration) If real_ip_header CF-Connecting-IP; is missing then fallback to real_ip_header X-Forwarded-For; and if that header is missing use $binary_remote_addr; I guess to prevent spoofing what if we merge the map's with a IP header check map so we can keep our dynamic capabilities but check that only the matching whitelisted IP's / IP ranges may send one of those headers. If a non whitelisted IP sends one of those headers we fall back to $binary_remote_addr; making their spoofing pointless. That is the solution I can think of to prevent spoofing is to add to the map's unless anyone has better or known way's that could be simple or more easy. Francis Daly Wrote: ------------------------------------------------------- > On Mon, Mar 06, 2017 at 02:12:40PM -0500, c0nw0nk wrote: > > Hi there, > > good that you've found some more answers. > > There's still some to be worked on, though, I suspect. > > > So to explain how to get the origin IP for each method someone could > be > > using here is the list : > > > > Cloudflares proxied traffic : > > sets the header $http_cf_connecting_ip so use this header to get the > > Client's real IP > > Stock nginx has the realip module which will allow you to use a value > from one specific http header, as if it were the connecting address. > > And stock nginx knows that the client can set any header to any value, > so it can be configured to only believe the value if it was set by a > trusted source. (More or less). > > It looks like this $http_cf_connecting_ip contains a single IP > address, > which is the address of the thing that connected to Cloudflare -- > either > the client, or a proxy that it uses. And it can be trusted, if the > incoming request went through the Cloudflare reverse proxy. (And, > presumably, it is spoofed if the incoming request did not go through > the Cloudflare reverse proxy.) > > > Traffic from cloudflare via the DNS only connections : > > These would not have the $http_cf_connecting_ip header present. > > But those connections hit a load balancing ip what sets the header > > $http_x_forwarded_for header so that is the way to get the Clients > real ip > > via those connections. > > $http_x_forwarded_for is common enough; it can hold a list of IP > addresses. The realip module knows how to deal with it. > > Whatever method you use to read it, you should be aware that the > header is not necessarily exactly one IP address. And the client can > set the header to any initial value; the "load balancing ip" (unless > documented otherwise) probably creates-or-adds-to the header, rather > than creates-or-replaces. > > > And then some connections don't hit my load balancing IP and go > directly to > > a specific origin server these connections can use $remote_addr. > > They can. But those connections might also have $http_x_forwarded_for. > And > $http_cf_connecting_ip. So you will need a reliable way of > distinguishing > between case#1 and case#2 and case#3, if you care about that. > > (Probably, the majority of "innocent" requests will not have spoofed > headers. If that is good enough for what you are trying to achieve, > then you're ok.) > > > My Solution / conclusion : > > > > How to come up with a fix that allows me to obtain the real IP in a > dynamic > > situation like this ? > > I would suggest one of: > > * go to extra measures to cause there to exist a new feature in nginx, > such that the realip module will look at more than one header to > determine > the address to use > > or > > * recognise that if Cloudflare put in a CF-Connecting-IP header, they > probably also put in a X-Forwarded-For header; ignore CF-Connecting-IP > and just use the realip module with X-Forwarded-For. > > http://nginx.org/r/real_ip_header and the rest of that page. > > > I have solved my issue with the following. > > This will work, with the above caveats. > > If you have time to experiment, you may find that the realip module > does > something similar in a less fragile way. > > Cheers, > > f > -- > Francis Daly francis at daoine.org > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272744,272820#msg-272820 From tolga.ceylan at gmail.com Wed Mar 8 00:57:49 2017 From: tolga.ceylan at gmail.com (Tolga Ceylan) Date: Tue, 7 Mar 2017 16:57:49 -0800 Subject: Reverse Proxy with 500k connections In-Reply-To: References: <14E44683-8D28-47A2-B371-7167A5F72A12@ultra-secure.de>

Message-ID: Of course, with split_clients, you are at the mercy of the hashing and hope that this distribution will spread work evenly based on incoming client address space and the duration of these connections, so you might run into the limits despite having enough port capacity. More importantly, in case of failures, your clients will see errors, since nginx will not retry (and even if it did, the hashing will land on the same exhausted port/ip set.) Upstream {} with multiple backends approach is a bit more robust as if the ports are ever exhausted, nginx can try the next upstream. And you can try to control this further by using least_conn backend selection. On Tue, Mar 7, 2017 at 3:39 PM, Andrei Belov wrote: > Yes, split_clients solution fits perfectly in the described use case. > > Also, nginx >= 1.11.4 has support for IP_BIND_ADDRESS_NO_PORT socket > option ([1], [2]) on supported systems (Linux kernel >= 4.2, glibc >= 2.23) which > may be helpful as well. > > Quote from [1]: > > [..] > Add IP_BIND_ADDRESS_NO_PORT to overcome bind(0) limitations: When an > application needs to force a source IP on an active TCP socket it has to use > bind(IP, port=x). As most applications do not want to deal with already used > ports, x is often set to 0, meaning the kernel is in charge to find an > available port. But kernel does not know yet if this socket is going to be a > listener or be connected. This patch adds a new SOL_IP socket option, asking > kernel to ignore the 0 port provided by application in bind(IP, port=0) and > only remember the given IP address. The port will be automatically chosen at > connect() time, in a way that allows sharing a source port as long as the > 4-tuples are unique. > [..] > > > [1] https://kernelnewbies.org/Linux_4.2#head-8ccffc90738ffcb0c20caa96bae6799694b8ba3a > [2] https://git.kernel.org/torvalds/c/90c337da1524863838658078ec34241f45d8394d > > >> On 08 Mar 2017, at 01:10, Tolga Ceylan wrote: >> >> How about using >> >> split_clients "${remote_addr}AAA" $proxy_ip { >> 10% 192.168.1.10; >> 10% 192.168.1.11; >> ... >> * 192.168.1.19; >> } >> >> proxy_bind $proxy_ip; >> >> where $proxy_ip is populated via split clients module to spread the >> traffic to 10 internal IPs. >> >> or add 10 new listener ports (or ips) to your backend server instead, >> (and perhaps use least connected load balancing) in upstream {} set of >> 10 backends. eg: >> >> upstream backend { >> least_conn; >> server 192.168.1.21:443; >> server 192.168.1.21:444; >> server 192.168.1.21:445; >> server 192.168.1.21:446; >> server 192.168.1.21:447; >> server 192.168.1.21:448; >> server 192.168.1.21:449; >> server 192.168.1.21:450; >> server 192.168.1.21:451; >> server 192.168.1.21:452; >> } >> >> >> >> >> On Tue, Mar 7, 2017 at 1:21 PM, Rainer Duffner wrote: >>> >>> Am 07.03.2017 um 22:12 schrieb Nelson Marcos : >>> >>> Do you really need to use different source ips or it's a solution that you >>> picked? >>> >>> Also, is it a option to set the keepalive option in your upstream configure >>> section? >>> http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive >>> >>> >>> >>> >>> I?m not sure if you can proxy web socket connections like http-connections. >>> >>> After all, they are persistent (hence the large number of connections). >>> >>> Why can?t you (OP) do the upgrade to 1.10? I thought it?s the only >>> ?supported" version anyway? >>> >>> >>> >>> >>> >>> _______________________________________________ >>> nginx mailing list >>> nginx at nginx.org >>> http://mailman.nginx.org/mailman/listinfo/nginx >> _______________________________________________ >> nginx mailing list >> nginx at nginx.org >> http://mailman.nginx.org/mailman/listinfo/nginx > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx From tjlp at sina.com Wed Mar 8 00:58:49 2017 From: tjlp at sina.com (tjlp at sina.com) Date: Wed, 08 Mar 2017 08:58:49 +0800 Subject: =?UTF-8?B?5Zue5aSN77yaUmU6X+WbnuWkje+8mlJlOl/lm57lpI3vvJpSZTpf5Zue5aSN77ya?= =?UTF-8?B?UmU6X+WbnuWkje+8mlJlOl9Jc3N1ZV9hYm91dF9uZ2lueF9yZW1vdmluZ190?= =?UTF-8?B?aGVfaGVhZGVyXyJDb25uZWN0aW9uIl9pbl9IVFRQX3Jlc3BvbnNlPw==?= Message-ID: <20170308005849.67DE1B000D0@webmail.sinamail.sina.com.cn> Hi, Aleks, This nginx conf is generated by Kubernetes nginx ingress controller. We use the Nginx in the kubernetes cluster. So many modules are there. The lua script is supported by the open sourced OpenResty. You can google it to find how and why use it. We use it for our special load balancing. For the log, I am not sure what you need. Thanks ----- ???? ----- ????Aleksandar Lazic ????tjlp at sina.com ????nginx ???Re:_???Re:_???Re:_???Re:_???Re:_Issue_about_nginx_removing_the_header_"Connection"_in_HTTP_response? ???2017?03?08? 06?26? Hi. Well that's a lot modules and lua stuff there. What's in the '*by_lua_file's ? Can you run from a specific IP the debug log to see what's happen in nginx? http://nginx.org/en/docs/debugging_log.html regards aleks Am 07-03-2017 10:49, schrieb tjlp at sina.com: Hi, Aleks, The result of nginx -V is as follow: nginx version: nginx/1.11.1 built by gcc 4.9.2 (Debian 4.9.2-10) built with OpenSSL 1.0.1t 3 May 2016 TLS SNI support enabled configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_sub_module --with-http_v2_module --with-http_spdy_module --with-stream --with-stream_ssl_module --with-threads --with-file-aio --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --add-module=/tmp/build/ngx_devel_kit-0.3.0 --add-module=/tmp/build/set-misc-nginx-module-0.30 --add-module=/tmp/build/nginx-module-vts-0.1.9 --add-module=/tmp/build/lua-nginx-module-0.10.5 --add-module=/tmp/build/headers-more-nginx-module-0.30 --add-module=/tmp/build/nginx-goodies-nginx-sticky-module-ng-c78b7dd79d0d --add-module=/tmp/build/nginx-http-auth-digest-f85f5d6fdcc06002ff879f5cbce930999c287011 --add-module=/tmp/build/ngx_http_substitutions_filter_module-bc58cb11844bc42735bbaef7085ea86ace46d05b --add-module=/tmp/build/lua-upstream-nginx-module-0.05 The nginx conf is: daemon off; worker_processes 2; pid /run/nginx.pid; worker_rlimit_nofile 131072; pcre_jit on; events { multi_accept on; worker_connections 16384; use epoll; } http { lua_shared_dict server_sessioncnt_dict 20k; lua_shared_dict server_dict 20k; lua_shared_dict server_acceptnewconn_dict 20k; lua_shared_dict sessionid_server_dict 100k; real_ip_header X-Forwarded-For; set_real_ip_from 0.0.0.0/0; real_ip_recursive on; geoip_country /etc/nginx/GeoIP.dat; geoip_city /etc/nginx/GeoLiteCity.dat; geoip_proxy_recursive on; vhost_traffic_status_zone shared:vhost_traffic_status:10m; vhost_traffic_status_filter_by_set_key $geoip_country_code country::*; # lua section to return proper error codes when custom pages are used lua_package_path '.?.lua;./etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/lua-resty-http/lib/?.lua;/etc/nginx/lua/vendor/lua-resty-lrucache/lib/?.lua;/etc/nginx/lua/vendor/lua-resty-core/lib/?.lua;/etc/nginx/lua/vendor/lua-resty-balancer/lib/?.lua;'; init_by_lua_file /etc/nginx/lua/init_by_lua.lua; sendfile on; aio threads; tcp_nopush on; tcp_nodelay on; log_subrequest on; reset_timedout_connection on; keepalive_timeout 75s; types_hash_max_size 2048; server_names_hash_max_size 512; server_names_hash_bucket_size 64; include /etc/nginx/mime.types; default_type text/html; gzip on; gzip_comp_level 5; gzip_http_version 1.1; gzip_min_length 256; gzip_types application/atom+xml application/javascript aplication/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component; gzip_proxied any; client_max_body_size "64m"; log_format upstreaminfo '$remote_addr - ' '[$proxy_add_x_forwarded_for] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" ' '$request_length $request_time $upstream_addr $upstream_response_length $upstream_response_time $upstream_status'; map $request $loggable { default 1; } access_log /var/log/nginx/access.log upstreaminfo if=$loggable; error_log /var/log/nginx/error.log notice; map $http_upgrade $connection_upgrade { default upgrade; '' close; } # trust http_x_forwarded_proto headers correctly indicate ssl offloading map $http_x_forwarded_proto $pass_access_scheme { default $http_x_forwarded_proto; '' $scheme; } # Map a response error watching the header Content-Type map $http_accept $httpAccept { default html; application/json json; application/xml xml; text/plain text; } map $httpAccept $httpReturnType { default text/html; json application/json; xml application/xml; text text/plain; } server_name_in_redirect off; port_in_redirect off; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # turn on session caching to drastically improve performance ssl_session_cache builtin:1000 shared:SSL:10m; ssl_session_timeout 10m; # allow configuring ssl session tickets ssl_session_tickets on; # slightly reduce the time-to-first-byte ssl_buffer_size 4k; # allow configuring custom ssl ciphers ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; ssl_prefer_server_ciphers on; # In case of errors try the next upstream server before returning an error proxy_next_upstream error timeout invalid_header http_502 http_503 http_504; upstream liupeng-sm-rte-svc-13080 { server 172.77.69.10:13080; server 172.77.87.9:13080; balancer_by_lua_file /etc/nginx/lua/balancer_by_lua.lua; } server { server_name _; listen 80; listen 443 ssl spdy http2; # PEM sha: aad58c371e57f3c243a7c8143c17762c67a0f18a ssl_certificate /etc/nginx-ssl/system-snake-oil-certificate.pem; ssl_certificate_key /etc/nginx-ssl/system-snake-oil-certificate.pem; more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; location /SM/ui { proxy_set_header Host $host; # Pass Real IP proxy_set_header X-Real-IP $remote_addr; # Allow websocket connections proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection ""; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Proto $pass_access_scheme; # mitigate HTTPoxy Vulnerability # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ proxy_set_header Proxy ""; proxy_connect_timeout 5s; proxy_send_timeout 60s; proxy_read_timeout 60s; proxy_redirect off; proxy_buffering off; proxy_http_version 1.1; proxy_pass http://liupeng-sm-rte-svc-13080; rewrite_by_lua_file /etc/nginx/lua/rewrite_by_lua.lua; header_filter_by_lua_file /etc/nginx/lua/header_filter_by_lua.lua; } } } ----- ???? ----- ????Aleksandar Lazic ????tjlp at sina.com ????nginx ???Re:_???Re:_???Re:_???Re:_Issue_about_nginx_removing_the_header_"Connection"_in_HTTP_response? ???2017?03?07? 15?39? Hi Liu Peng. We still don't know your nginx version nor your config! Cite from below: > So now the standard Questions from me: > What's the output of nginx -V ? > What's your config? regards aleks Am 07-03-2017 02:37, schrieb tjlp at sina.com: > Hi, Alexks, > > I try your proposal and it doesn't work. Actually my issue is the same > as this one > http://stackoverflow.com/questions/5100971/nginx-and-proxy-pass-send-connection-close-headers. > > 1. I add "keeplive_request 0". The result is that the "Connection: > close" header is sent to client for every response. That does not match > my requirement. Our application decides whether to finish the > application session using this header. > > 2. I add "proxy_pass_header Connection". Nginx keeps sending > "Connection: keep-alive" header to client even the header is > "Connection: close" from upstream server. > > Seems Nginx has some special handling for the Connection header in > response. The openresty author suggests that the only way for changing > response header change the nginx C code for this issue. See this issue: > https://github.com/openresty/headers-more-nginx-module/issues/22#issuecomment-31585052. > > Thanks > Liu Peng > > ----- ???? ----- > ????Aleksandar Lazic > ????tjlp at sina.com > ????nginx > ???Re:_???Re:_???Re:_Issue_about_nginx_removing_the_header_"Connection"_in_HTTP_response? > ???2017?03?04? 17?22? > > Hi Liu Peng. > Am 04-03-2017 09:12, schrieb tjlp at sina.com: >> >> Hi, Alexks, >> >> I don't want to hide the header. >> My problem is that Nginx change the "Connection: close" header in the >> reponse from upstream server to "Connction: keep-alive" and send to >> client. I want to keep the original "Connection: close" header. > Ah that's a clear question. > It took us only 3 rounds to get to this clear question ;-) > So now the standard Questions from me: > What's the output of nginx -V ? > What's your config? > Maybe you have set 'keepalive' in the upstream config > http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive > or > 'proxy_http_version 1.1;' > http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version > as a last resort you can just pass the header with > 'proxy_pass_header Connection;'. > http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_header > Choose the solution which fit's to your demand. > I can only guess due to the fact that we don't know your config. > May I ask you to take a look into this document, which exists in > several > languages, thank you very much. > http://www.catb.org/~esr/faqs/smart-questions.html > Best regards > Aleks >> Thanks >> Liu Peng >> >> ----- ???? ----- >> ????Aleksandar Lazic >> ????tjlp at sina.com >> ????nginx >> ???Re:_???Re:_Issue_about_nginx_removing_the_header_"Connection"_in_HTTP_response? >> ???2017?03?03? 16?19? >> Hi. >> >> then one directive upward. >> >> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header >> >> Cheers >> >> aleks >> >> Am 03-03-2017 06:00, schrieb tjlp at sina.com: >> >>> Hi, >>> >>> What I mention is the header in response from backend server. Your >>> answer about proxy_set_header is the "Connection" header in request. >>> >>> Thanks >>> Liu Peng >>> >>> ----- ???? ----- >>> ????Aleksandar Lazic >>> ????nginx at nginx.org >>> ????tjlp at sina.com >>> ???Re: Issue about nginx removing the header "Connection" in HTTP >>> response? >>> ???2017?03?03? 06?25? >>> >>> Hi. >>> Am 01-03-2017 08:29, schrieb tjlp at sina.com: >>>> Hi, nginx guy, >>>> >>>> In our system, for some special requests, the upstream server will >>>> return a response which the header includes "Connection: Close". >>>> According to HTTP protocol, "Connection" is one-hop header. >>>> So, nginx will remove this header and the client can't do the >>>> business >>>> logic correctly. >>>> >>>> How to handle this scenario? >>> you mean something like this? >>> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header >>> If the value of a header field is an empty string then this field >>> will >>> not be passed to a proxied server: >>> proxy_set_header Connection ""; >>>> Thanks >>>> Liu Peng >>>> _______________________________________________ >>>> nginx mailing list >>>> nginx at nginx.org >>>> http://mailman.nginx.org/mailman/listinfo/nginx -------------- next part -------------- An HTML attachment was scrubbed... URL: From tolga.ceylan at gmail.com Wed Mar 8 01:21:34 2017 From: tolga.ceylan at gmail.com (Tolga Ceylan) Date: Tue, 7 Mar 2017 17:21:34 -0800 Subject: keepalive_requests default 100 Message-ID: Does anybody have any history/rationale on why keepalive_requests use default of 100 requests in nginx? This same default is also used in Apache. But the default seems very small in today's standards. http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_requests Regards, Tolga From nginx-forum at forum.nginx.org Wed Mar 8 06:56:04 2017 From: nginx-forum at forum.nginx.org (c0nw0nk) Date: Wed, 08 Mar 2017 01:56:04 -0500 Subject: Nginx Map how to check value if empty In-Reply-To: <6bca319b739893fcbc4734247e82370f.NginxMailingListEnglish@forum.nginx.org> References: <20170307212359.GE15209@daoine.org> <6bca319b739893fcbc4734247e82370f.NginxMailingListEnglish@forum.nginx.org> Message-ID: Hey again, So I modified my config to this as to prevent client's IP spoofing. map $http_x_forwarded_for $client_ip_x_forwarded_for { "" $remote_addr; #if this header missing set remote_addr as real ip default $http_x_forwarded_for; } map $http_cf_connecting_ip $client_ip_from_cf { "" $client_ip_x_forwarded_for; #if this header missing set x-forwarded-for as real ip default $http_cf_connecting_ip; } map $remote_addr $client_ip_output { 192.168.0.12 $client_ip_from_cf; #if ip match then it is a trusted ip (whitelist) 192.168.0.13 $client_ip_from_cf; #if ip match then it is a trusted ip (whitelist) 192.168.0.14 $client_ip_from_cf; #if ip match then it is a trusted ip (whitelist) 192.168.0.15 $client_ip_from_cf; #if ip match then it is a trusted ip (whitelist) default $remote_addr; #if none of ip matched then default to remote_addr } Don't know if i can do ranges in my map example above so I made a geo map too doing the exact same thing in case it may be better suited. geo $remote_addr $client_ip_output { #most likely should use geo for the range capability and other benefits 127.0.0.1 $client_ip_from_cf; #if ip match then it is a trusted ip (whitelist) 192.168.1.0/24 $client_ip_from_cf; #if ip match then it is a trusted ip (whitelist) 10.1.0.0/16 $client_ip_from_cf; #if ip match then it is a trusted ip (whitelist) ::1 $client_ip_from_cf; #if ip match then it is a trusted ip (whitelist) 2001:0db8::/32 $client_ip_from_cf; #if ip match then it is a trusted ip (whitelist) default $remote_addr; #if none of ip matched then default to remote_addr } The usage of the final output is as easy as this. "$client_ip_output;" limit_req_zone $client_ip_output zone=one:10m rate=1r/s; #usage example for the resulting output after all fallback checks and ip whitelist checks etc. Based of what I showed here can anyone point out any problems they see with it etc from what I want to achieve I think it should work fine. IP whitelist basis, Fallback header's in case one is missing it goes to the next header for the realip, If the next header is missing it goes to the next until no more potential realip headers exist so we set their IP as their connection $remote_addr. Be nice if the realip module did this but lucky we don't need the realip module this shows and can do so with map's and geo maps. c0nw0nk Wrote: ------------------------------------------------------- > Hey, > > I was just looking at the realip module but that module does not seem > to support fallback methods like I demonstrated I was in need of. (If > it does support multiple headers and fallback conditions can someone > provide a demonstration) > > If real_ip_header CF-Connecting-IP; is missing then fallback to > real_ip_header X-Forwarded-For; and if that header is missing use > $binary_remote_addr; > > I guess to prevent spoofing what if we merge the map's with a IP > header check map so we can keep our dynamic capabilities but check > that only the matching whitelisted IP's / IP ranges may send one of > those headers. > If a non whitelisted IP sends one of those headers we fall back to > $binary_remote_addr; making their spoofing pointless. > > That is the solution I can think of to prevent spoofing is to add to > the map's unless anyone has better or known way's that could be simple > or more easy. > > Francis Daly Wrote: > ------------------------------------------------------- > > On Mon, Mar 06, 2017 at 02:12:40PM -0500, c0nw0nk wrote: > > > > Hi there, > > > > good that you've found some more answers. > > > > There's still some to be worked on, though, I suspect. > > > > > So to explain how to get the origin IP for each method someone > could > > be > > > using here is the list : > > > > > > Cloudflares proxied traffic : > > > sets the header $http_cf_connecting_ip so use this header to get > the > > > Client's real IP > > > > Stock nginx has the realip module which will allow you to use a > value > > from one specific http header, as if it were the connecting > address. > > > > And stock nginx knows that the client can set any header to any > value, > > so it can be configured to only believe the value if it was set by > a > > trusted source. (More or less). > > > > It looks like this $http_cf_connecting_ip contains a single IP > > address, > > which is the address of the thing that connected to Cloudflare -- > > either > > the client, or a proxy that it uses. And it can be trusted, if the > > incoming request went through the Cloudflare reverse proxy. (And, > > presumably, it is spoofed if the incoming request did not go > through > > the Cloudflare reverse proxy.) > > > > > Traffic from cloudflare via the DNS only connections : > > > These would not have the $http_cf_connecting_ip header present. > > > But those connections hit a load balancing ip what sets the > header > > > $http_x_forwarded_for header so that is the way to get the > Clients > > real ip > > > via those connections. > > > > $http_x_forwarded_for is common enough; it can hold a list of IP > > addresses. The realip module knows how to deal with it. > > > > Whatever method you use to read it, you should be aware that the > > header is not necessarily exactly one IP address. And the client > can > > set the header to any initial value; the "load balancing ip" > (unless > > documented otherwise) probably creates-or-adds-to the header, > rather > > than creates-or-replaces. > > > > > And then some connections don't hit my load balancing IP and go > > directly to > > > a specific origin server these connections can use $remote_addr. > > > > They can. But those connections might also have > $http_x_forwarded_for. > > And > > $http_cf_connecting_ip. So you will need a reliable way of > > distinguishing > > between case#1 and case#2 and case#3, if you care about that. > > > > (Probably, the majority of "innocent" requests will not have > spoofed > > headers. If that is good enough for what you are trying to achieve, > > then you're ok.) > > > > > My Solution / conclusion : > > > > > > How to come up with a fix that allows me to obtain the real IP in > a > > dynamic > > > situation like this ? > > > > I would suggest one of: > > > > * go to extra measures to cause there to exist a new feature in > nginx, > > such that the realip module will look at more than one header to > > determine > > the address to use > > > > or > > > > * recognise that if Cloudflare put in a CF-Connecting-IP header, > they > > probably also put in a X-Forwarded-For header; ignore > CF-Connecting-IP > > and just use the realip module with X-Forwarded-For. > > > > http://nginx.org/r/real_ip_header and the rest of that page. > > > > > I have solved my issue with the following. > > > > This will work, with the above caveats. > > > > If you have time to experiment, you may find that the realip module > > does > > something similar in a less fragile way. > > > > Cheers, > > > > f > > -- > > Francis Daly francis at daoine.org > > _______________________________________________ > > nginx mailing list > > nginx at nginx.org > > http://mailman.nginx.org/mailman/listinfo/nginx Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272744,272824#msg-272824 From reallfqq-nginx at yahoo.fr Wed Mar 8 09:39:40 2017 From: reallfqq-nginx at yahoo.fr (B.R.) Date: Wed, 8 Mar 2017 10:39:40 +0100 Subject: Nginx Map how to check value if empty In-Reply-To: References: <20170307212359.GE15209@daoine.org> <6bca319b739893fcbc4734247e82370f.NginxMailingListEnglish@forum.nginx.org> Message-ID: This kind of logic, as you found out, can be handled in nginx with the help of the proper tools, namely the map module. You are one step away: you can actually program what you require to be feeding the realip module with the HTTP header name you ended up with. Rather than having contiguous maps, head towards some cascading ones. Have a look at the following example, specifically the precedence it enforces and the fallback value (as needed) it provides. map $http_x_foo $fooHeader { default X-Foo; "" "Nothing"; } map $http_x_bar $myValue { default X-Bar; "" $fooHeader; } ?This is scalable, configuration-wise.? However, even if nginx is efficient at processing, it is always best to keep in mind those maps will be evaluated for each request. --- *B. R.* On Wed, Mar 8, 2017 at 7:56 AM, c0nw0nk wrote: > Hey again, > > So I modified my config to this as to prevent client's IP spoofing. > > > map $http_x_forwarded_for $client_ip_x_forwarded_for { > "" $remote_addr; #if this header missing set remote_addr as real ip > default $http_x_forwarded_for; > } > map $http_cf_connecting_ip $client_ip_from_cf { > "" $client_ip_x_forwarded_for; #if this header missing set x-forwarded-for > as real ip > default $http_cf_connecting_ip; > } > map $remote_addr $client_ip_output { > 192.168.0.12 $client_ip_from_cf; #if ip match then it is a trusted ip > (whitelist) > 192.168.0.13 $client_ip_from_cf; #if ip match then it is a trusted ip > (whitelist) > 192.168.0.14 $client_ip_from_cf; #if ip match then it is a trusted ip > (whitelist) > 192.168.0.15 $client_ip_from_cf; #if ip match then it is a trusted ip > (whitelist) > > default $remote_addr; #if none of ip matched then default to remote_addr > } > > > > > Don't know if i can do ranges in my map example above so I made a geo map > too doing the exact same thing in case it may be better suited. > > geo $remote_addr $client_ip_output { #most likely should use geo for the > range capability and other benefits > 127.0.0.1 $client_ip_from_cf; #if ip match then it is a trusted ip > (whitelist) > 192.168.1.0/24 $client_ip_from_cf; #if ip match then it is a trusted ip > (whitelist) > 10.1.0.0/16 $client_ip_from_cf; #if ip match then it is a trusted ip > (whitelist) > ::1 $client_ip_from_cf; #if ip match then it is a trusted ip > (whitelist) > 2001:0db8::/32 $client_ip_from_cf; #if ip match then it is a trusted ip > (whitelist) > > default $remote_addr; #if none of ip matched then default to remote_addr > } > > > The usage of the final output is as easy as this. "$client_ip_output;" > limit_req_zone $client_ip_output zone=one:10m rate=1r/s; #usage example for > the resulting output after all fallback checks and ip whitelist checks etc. > > > Based of what I showed here can anyone point out any problems they see with > it etc from what I want to achieve I think it should work fine. > > IP whitelist basis, Fallback header's in case one is missing it goes to the > next header for the realip, If the next header is missing it goes to the > next until no more potential realip headers exist so we set their IP as > their connection $remote_addr. > > Be nice if the realip module did this but lucky we don't need the realip > module this shows and can do so with map's and geo maps. > > > c0nw0nk Wrote: > ------------------------------------------------------- > > Hey, > > > > I was just looking at the realip module but that module does not seem > > to support fallback methods like I demonstrated I was in need of. (If > > it does support multiple headers and fallback conditions can someone > > provide a demonstration) > > > > If real_ip_header CF-Connecting-IP; is missing then fallback to > > real_ip_header X-Forwarded-For; and if that header is missing use > > $binary_remote_addr; > > > > I guess to prevent spoofing what if we merge the map's with a IP > > header check map so we can keep our dynamic capabilities but check > > that only the matching whitelisted IP's / IP ranges may send one of > > those headers. > > If a non whitelisted IP sends one of those headers we fall back to > > $binary_remote_addr; making their spoofing pointless. > > > > That is the solution I can think of to prevent spoofing is to add to > > the map's unless anyone has better or known way's that could be simple > > or more easy. > > > > Francis Daly Wrote: > > ------------------------------------------------------- > > > On Mon, Mar 06, 2017 at 02:12:40PM -0500, c0nw0nk wrote: > > > > > > Hi there, > > > > > > good that you've found some more answers. > > > > > > There's still some to be worked on, though, I suspect. > > > > > > > So to explain how to get the origin IP for each method someone > > could > > > be > > > > using here is the list : > > > > > > > > Cloudflares proxied traffic : > > > > sets the header $http_cf_connecting_ip so use this header to get > > the > > > > Client's real IP > > > > > > Stock nginx has the realip module which will allow you to use a > > value > > > from one specific http header, as if it were the connecting > > address. > > > > > > And stock nginx knows that the client can set any header to any > > value, > > > so it can be configured to only believe the value if it was set by > > a > > > trusted source. (More or less). > > > > > > It looks like this $http_cf_connecting_ip contains a single IP > > > address, > > > which is the address of the thing that connected to Cloudflare -- > > > either > > > the client, or a proxy that it uses. And it can be trusted, if the > > > incoming request went through the Cloudflare reverse proxy. (And, > > > presumably, it is spoofed if the incoming request did not go > > through > > > the Cloudflare reverse proxy.) > > > > > > > Traffic from cloudflare via the DNS only connections : > > > > These would not have the $http_cf_connecting_ip header present. > > > > But those connections hit a load balancing ip what sets the > > header > > > > $http_x_forwarded_for header so that is the way to get the > > Clients > > > real ip > > > > via those connections. > > > > > > $http_x_forwarded_for is common enough; it can hold a list of IP > > > addresses. The realip module knows how to deal with it. > > > > > > Whatever method you use to read it, you should be aware that the > > > header is not necessarily exactly one IP address. And the client > > can > > > set the header to any initial value; the "load balancing ip" > > (unless > > > documented otherwise) probably creates-or-adds-to the header, > > rather > > > than creates-or-replaces. > > > > > > > And then some connections don't hit my load balancing IP and go > > > directly to > > > > a specific origin server these connections can use $remote_addr. > > > > > > They can. But those connections might also have > > $http_x_forwarded_for. > > > And > > > $http_cf_connecting_ip. So you will need a reliable way of > > > distinguishing > > > between case#1 and case#2 and case#3, if you care about that. > > > > > > (Probably, the majority of "innocent" requests will not have > > spoofed > > > headers. If that is good enough for what you are trying to achieve, > > > then you're ok.) > > > > > > > My Solution / conclusion : > > > > > > > > How to come up with a fix that allows me to obtain the real IP in > > a > > > dynamic > > > > situation like this ? > > > > > > I would suggest one of: > > > > > > * go to extra measures to cause there to exist a new feature in > > nginx, > > > such that the realip module will look at more than one header to > > > determine > > > the address to use > > > > > > or > > > > > > * recognise that if Cloudflare put in a CF-Connecting-IP header, > > they > > > probably also put in a X-Forwarded-For header; ignore > > CF-Connecting-IP > > > and just use the realip module with X-Forwarded-For. > > > > > > http://nginx.org/r/real_ip_header and the rest of that page. > > > > > > > I have solved my issue with the following. > > > > > > This will work, with the above caveats. > > > > > > If you have time to experiment, you may find that the realip module > > > does > > > something similar in a less fragile way. > > > > > > Cheers, > > > > > > f > > > -- > > > Francis Daly francis at daoine.org > > > _______________________________________________ > > > nginx mailing list > > > nginx at nginx.org > > > http://mailman.nginx.org/mailman/listinfo/nginx > > Posted at Nginx Forum: https://forum.nginx.org/read. > php?2,272744,272824#msg-272824 > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From reallfqq-nginx at yahoo.fr Wed Mar 8 10:36:22 2017 From: reallfqq-nginx at yahoo.fr (B.R.) Date: Wed, 8 Mar 2017 11:36:22 +0100 Subject: keepalive_requests default 100 In-Reply-To: References: Message-ID: I suspect nginx' team chose this value for the very reason it was adapted to the use of Apache (remember that nginx is, since its beginning, largely used as a reverse Web proxy in front of Apache farms). I guess the intent here is to probably mimic Apache behavior by default so adoption of that technology is eased. In the Apache world, long-lasting connections may result in resource starvation, since 1 connection = expensive resources allocated. Thus, you can quickly end-up with a few (relatively and even infrequently) active clients saturating a Web server machine, leaving no spots free for newcomers, especially nowadays with multithreaded/processed browsers. Recycling connections often is an attempt at fighting that. Unless I am overlooking something, there seems not to have any technical ground for such a limit to be pertinent with nginx. As debated in the past on this ML (and at the 1st nginx conference), some other default values might not be right anymore, but changing default value might silently break backwards-compatibility with setups which do not comply with the new defaults. History repeatedly shows that changing old defaults and even deprecating the use of rotten algorithms is faced with huge resistance. IE6? SSLv3? RC4?, HTTP/1.0? Amongst many others... Thus the nginx team position has (so far?) been to never touch the built-in defaults (and neither maybe the default nginx.conf? I have not checked that) and let people override them through configuration. --- *B. R.* On Wed, Mar 8, 2017 at 2:21 AM, Tolga Ceylan wrote: > Does anybody have any history/rationale on why keepalive_requests > use default of 100 requests in nginx? This same default is also used in > Apache. But the default seems very small in today's standards. > > http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_requests > > Regards, > Tolga > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From maxim at nginx.com Wed Mar 8 11:18:46 2017 From: maxim at nginx.com (Maxim Konovalov) Date: Wed, 8 Mar 2017 14:18:46 +0300 Subject: Reverse Proxy with 500k connections In-Reply-To: References: <14E44683-8D28-47A2-B371-7167A5F72A12@ultra-secure.de>

Message-ID: <76657f90-c47a-6fc5-901c-9d1602426ec8@nginx.com> On 3/8/17 3:57 AM, Tolga Ceylan wrote: > Of course, with split_clients, you are at the mercy of the hashing and > hope that this distribution will spread work > evenly based on incoming client address space and the duration of > these connections, so you might run into > the limits despite having enough port capacity. More importantly, in > case of failures, your clients will see > errors, since nginx will not retry (and even if it did, the hashing > will land on the same exhausted port/ip set.) > IP_BIND_ADDRESS_NO_PORT in fresh linux kernels made the trick for nginx. This is basically why we added it not that recently. You can find patches that work around without this feature though. > Upstream {} with multiple backends approach is a bit more robust as if > the ports are ever exhausted, nginx > can try the next upstream. And you can try to control this further by > using least_conn backend selection. > > > On Tue, Mar 7, 2017 at 3:39 PM, Andrei Belov wrote: >> Yes, split_clients solution fits perfectly in the described use case. >> >> Also, nginx >= 1.11.4 has support for IP_BIND_ADDRESS_NO_PORT socket >> option ([1], [2]) on supported systems (Linux kernel >= 4.2, glibc >= 2.23) which >> may be helpful as well. >> >> Quote from [1]: >> >> [..] >> Add IP_BIND_ADDRESS_NO_PORT to overcome bind(0) limitations: When an >> application needs to force a source IP on an active TCP socket it has to use >> bind(IP, port=x). As most applications do not want to deal with already used >> ports, x is often set to 0, meaning the kernel is in charge to find an >> available port. But kernel does not know yet if this socket is going to be a >> listener or be connected. This patch adds a new SOL_IP socket option, asking >> kernel to ignore the 0 port provided by application in bind(IP, port=0) and >> only remember the given IP address. The port will be automatically chosen at >> connect() time, in a way that allows sharing a source port as long as the >> 4-tuples are unique. >> [..] >> >> >> [1] https://kernelnewbies.org/Linux_4.2#head-8ccffc90738ffcb0c20caa96bae6799694b8ba3a >> [2] https://git.kernel.org/torvalds/c/90c337da1524863838658078ec34241f45d8394d >> >> >>> On 08 Mar 2017, at 01:10, Tolga Ceylan wrote: >>> >>> How about using >>> >>> split_clients "${remote_addr}AAA" $proxy_ip { >>> 10% 192.168.1.10; >>> 10% 192.168.1.11; >>> ... >>> * 192.168.1.19; >>> } >>> >>> proxy_bind $proxy_ip; >>> >>> where $proxy_ip is populated via split clients module to spread the >>> traffic to 10 internal IPs. >>> >>> or add 10 new listener ports (or ips) to your backend server instead, >>> (and perhaps use least connected load balancing) in upstream {} set of >>> 10 backends. eg: >>> >>> upstream backend { >>> least_conn; >>> server 192.168.1.21:443; >>> server 192.168.1.21:444; >>> server 192.168.1.21:445; >>> server 192.168.1.21:446; >>> server 192.168.1.21:447; >>> server 192.168.1.21:448; >>> server 192.168.1.21:449; >>> server 192.168.1.21:450; >>> server 192.168.1.21:451; >>> server 192.168.1.21:452; >>> } >>> >>> >>> >>> >>> On Tue, Mar 7, 2017 at 1:21 PM, Rainer Duffner wrote: >>>> >>>> Am 07.03.2017 um 22:12 schrieb Nelson Marcos : >>>> >>>> Do you really need to use different source ips or it's a solution that you >>>> picked? >>>> >>>> Also, is it a option to set the keepalive option in your upstream configure >>>> section? >>>> http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive >>>> >>>> >>>> >>>> >>>> I?m not sure if you can proxy web socket connections like http-connections. >>>> >>>> After all, they are persistent (hence the large number of connections). >>>> >>>> Why can?t you (OP) do the upgrade to 1.10? I thought it?s the only >>>> ?supported" version anyway? >>>> >>>> >>>> >>>> >>>> >>>> _______________________________________________ >>>> nginx mailing list >>>> nginx at nginx.org >>>> http://mailman.nginx.org/mailman/listinfo/nginx >>> _______________________________________________ >>> nginx mailing list >>> nginx at nginx.org >>> http://mailman.nginx.org/mailman/listinfo/nginx >> >> _______________________________________________ >> nginx mailing list >> nginx at nginx.org >> http://mailman.nginx.org/mailman/listinfo/nginx > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -- Maxim Konovalov From maxim at nginx.com Wed Mar 8 11:20:58 2017 From: maxim at nginx.com (Maxim Konovalov) Date: Wed, 8 Mar 2017 14:20:58 +0300 Subject: Reverse Proxy with 500k connections In-Reply-To: References: Message-ID: On 3/7/17 10:50 PM, larsg wrote: > Hi, > > we are operating native nginx 1.8.1 on RHEL as a reverse proxy. > The nginx routes requests to a backend server that can be reached from the > proxy via a single internal IP address. > We have to support a large number of concurrent websocket connections - say > 100k to 500k. > > As we don't want to increase the number of proxy instances (with different > IPs) and we cannot use the "proxy_bind transarent" option (was introduced in > a later nginx release, upgrade is not possible) we wanted to configure the > nginx to use different source IPs then routing to the backend. Thus, we want > nginx to select an available source ip + source port when a connection is > established with the backend. > > For that we assigned ten internal IPs to the proxy server and used the > proxy_bind directive bound to 0.0.0.0. > But this approach seems not to work. The nginx instance seems always use the > first IP as source IP. > Using multiple proxy_bind's is not possible. > > So my question is: How can I configure nginx to select from a pool of source > IPs? Or generally: to overcome the 64k problem? > We ever wrote a blog post for you! https://www.nginx.com/blog/overcoming-ephemeral-port-exhaustion-nginx-plus/ As a side note: I'd really encourage all of you to add our blog rss to your feeds. While there is some marketing "noise" we are still trying to make it useful for tech people too. -- Maxim Konovalov From reallfqq-nginx at yahoo.fr Wed Mar 8 13:02:53 2017 From: reallfqq-nginx at yahoo.fr (B.R.) Date: Wed, 8 Mar 2017 14:02:53 +0100 Subject: Reverse proxy problem with an application In-Reply-To: <1797319055.5405349.1488836103023@mail.yahoo.com> References: <1797319055.5405349.1488836103023.ref@mail.yahoo.com> <1797319055.5405349.1488836103023@mail.yahoo.com> Message-ID: This clearly looks like an application problem and not a nginx-related one. nginx does not remove cookies nor, as the configuration snippet you shared suggest, handles authentication. If you use DNS, make sure all requests are served by the instance of nginx you quote, including redirects which might happen on login (have a look at access logs). You can also investigate the content of cookies received either from downstream or upstream if you think it is related to your problem. If you got a question on the nginx configuration this ML is here to help. Otherwise, you'll need to rereoute your question where appropriate. --- *B. R.* On Mon, Mar 6, 2017 at 10:35 PM, Mik J via nginx wrote: > Hello, > > I have run an application behind a nginx reverse proxy and I can't make it > to work > > a) if I access this application using https://1.1.1.1:443 > it works (certificate warning) > b) if I access this application using https://myapp.mydomain.org, I get > access to the login page > location ^~ / { > proxy_pass https://1.1.1.1:443; > proxy_redirect off; > proxy_set_header Host $http_host; > proxy_set_header X-Real-IP $remote_addr; > proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; > proxy_hide_header X-Frame-Options; > proxy_hide_header X-Content-Security-Policy; > proxy_hide_header X-Content-Type-Options; > proxy_hide_header X-WebKit-CSP; > proxy_hide_header content-security-policy; > proxy_hide_header x-xss-protection; > proxy_set_header X-NginX-Proxy true; > proxy_ssl_session_reuse off; > } > c) I log in in the page and after some time (2/3 seconds) the application > logs me out > > When I log in directly case a) I notice that I have (firebug) > CookieSaveStateCookie=root; APPSESSIONID=070ABC6AE433D2CAEDCFFB1E43074416; > testcookieenabled > > Whereas when I log in in case c) I have > APPSESSIONID=070ABC6AE433D2CAEDCFFB1E43074416; testcookieenabled > > > So I feel there's a problem with the session or something like that. > PS: There is only one backend server and I can't run plain http (disable > https) > > Does anyone has an idea ? > > > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From nginx-forum at forum.nginx.org Wed Mar 8 13:09:00 2017 From: nginx-forum at forum.nginx.org (bongtv) Date: Wed, 08 Mar 2017 08:09:00 -0500 Subject: MP4 progressive download needs hint tracks in MP4 file? Message-ID: <3e1d4c21cc9cfc21c48cf73af476e8d8.NginxMailingListEnglish@forum.nginx.org> I'm wondering if RTP hint tracks in MP4 files are necessary to provide progressive download functionality over my NGINX server configuration. I can't remember where but I read somewhere that these additional tracks support the server by seeking operations (byte-range). Thanks for your feedback, Hannes Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272831,272831#msg-272831 From mikydevel at yahoo.fr Wed Mar 8 14:06:17 2017 From: mikydevel at yahoo.fr (Mik J) Date: Wed, 8 Mar 2017 14:06:17 +0000 (UTC) Subject: Reverse proxy problem with an application In-Reply-To: References: <1797319055.5405349.1488836103023.ref@mail.yahoo.com> <1797319055.5405349.1488836103023@mail.yahoo.com> Message-ID: <1343931890.726349.1488981977764@mail.yahoo.com> Hello BR,Thank you for your answer and for the hints. I'll investigate further in that direction.Have a nice week Le Mercredi 8 mars 2017 14h03, B.R. via nginx a ?crit : This clearly looks like an application problem and not a nginx-related one. nginx does not remove cookies nor, as the configuration snippet you shared suggest, handles authentication. If you use DNS, make sure all requests are served by the instance of nginx you quote, including redirects which might happen on login (have a look at access logs). You can also investigate the content of cookies received either from downstream or upstream if you think it is related to your problem. If you got a question on the nginx configuration this ML is here to help. Otherwise, you'll need to rereoute your question where appropriate. --- B. R. On Mon, Mar 6, 2017 at 10:35 PM, Mik J via nginx wrote: Hello, I have run an application behind a nginx reverse proxy and I can't make it to work a) if I access this application using https://1.1.1.1:443 it works (certificate warning)b) if I access this application using https://myapp.mydomain.org, I get access to the login page??? location ^~ / { ??????? proxy_pass??????? https://1.1.1.1:443; ??????? proxy_redirect??? off; ??????? proxy_set_header? Host???????????? $http_host; ??????? proxy_set_header? X-Real-IP??????? $remote_addr; ??????? proxy_set_header? X-Forwarded-For? $proxy_add_x_forwarded_for; ??????? proxy_hide_header X-Frame-Options;??????? proxy_hide_header X-Content-Security-Policy; ??????? proxy_hide_header X-Content-Type-Options; ??????? proxy_hide_header X-WebKit-CSP; ??????? proxy_hide_header content-security-policy; ??????? proxy_hide_header x-xss-protection; ??????? proxy_set_header? X-NginX-Proxy true; ??????? proxy_ssl_session_reuse off; ??? } c) I log in in the page and after some time (2/3 seconds) the application logs me out When I log in directly case a) I notice that I have (firebug) CookieSaveStateCookie=root; APPSESSIONID= 070ABC6AE433D2CAEDCFFB1E430744 16; testcookieenabled Whereas when I log in in case c) I haveAPPSESSIONID= 070ABC6AE433D2CAEDCFFB1E430744 16; testcookieenabled So I feel there's a problem with the session or something like that.PS: There is only one backend server and I can't run plain http (disable https) Does anyone has an idea ? ______________________________ _________________ nginx mailing list nginx at nginx.org http://mailman.nginx.org/ mailman/listinfo/nginx _______________________________________________ nginx mailing list nginx at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx -------------- next part -------------- An HTML attachment was scrubbed... URL: From nginx-forum at forum.nginx.org Wed Mar 8 14:40:05 2017 From: nginx-forum at forum.nginx.org (shashik) Date: Wed, 08 Mar 2017 09:40:05 -0500 Subject: mp4 recording using nginx rtmp module Message-ID: <0b70f0e08dae9249273edf252e6fae09.NginxMailingListEnglish@forum.nginx.org> We are using wowza streaming engine to record Live TV shows which gives recorded output in the mp4 format. We are evaluating Nginx RTMP module to do same mp4 recording. However it is observed that this module does recording only in the flv format. Is there any way to do direct recording of live stream in the mp4 format? Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272833,272833#msg-272833 From tolga.ceylan at gmail.com Wed Mar 8 18:45:54 2017 From: tolga.ceylan at gmail.com (Tolga Ceylan) Date: Wed, 8 Mar 2017 10:45:54 -0800 Subject: Reverse Proxy with 500k connections In-Reply-To: References:

Message-ID: is IP_BIND_ADDRESS_NO_PORT the best solution for OP's case? Unlike the blog post with two backends, OP's case has one backend server. If any of the hash slots exceed the 65K port limit, there's no chance to recover. Despite having enough port capacity, the client will receive an error if the client ip/port hashed to a full slot. IMHO picking bind IP based on a client ip/port hash is not very robust in this case since you can't really make sure you really are directing %10 of the traffic. This solution does not consider long connections (web sockets) and the hash slot could get out of balance over time. On Wed, Mar 8, 2017 at 3:20 AM, Maxim Konovalov wrote: > On 3/7/17 10:50 PM, larsg wrote: >> Hi, >> >> we are operating native nginx 1.8.1 on RHEL as a reverse proxy. >> The nginx routes requests to a backend server that can be reached from the >> proxy via a single internal IP address. >> We have to support a large number of concurrent websocket connections - say >> 100k to 500k. >> >> As we don't want to increase the number of proxy instances (with different >> IPs) and we cannot use the "proxy_bind transarent" option (was introduced in >> a later nginx release, upgrade is not possible) we wanted to configure the >> nginx to use different source IPs then routing to the backend. Thus, we want >> nginx to select an available source ip + source port when a connection is >> established with the backend. >> >> For that we assigned ten internal IPs to the proxy server and used the >> proxy_bind directive bound to 0.0.0.0. >> But this approach seems not to work. The nginx instance seems always use the >> first IP as source IP. >> Using multiple proxy_bind's is not possible. >> >> So my question is: How can I configure nginx to select from a pool of source >> IPs? Or generally: to overcome the 64k problem? >> > We ever wrote a blog post for you! > > https://www.nginx.com/blog/overcoming-ephemeral-port-exhaustion-nginx-plus/ > > As a side note: I'd really encourage all of you to add our blog rss > to your feeds. While there is some marketing "noise" we are still > trying to make it useful for tech people too. > > -- > Maxim Konovalov > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx From francis at daoine.org Wed Mar 8 20:03:06 2017 From: francis at daoine.org (Francis Daly) Date: Wed, 8 Mar 2017 20:03:06 +0000 Subject: Nginx Map how to check value if empty In-Reply-To: <6bca319b739893fcbc4734247e82370f.NginxMailingListEnglish@forum.nginx.org> References: <20170307212359.GE15209@daoine.org> <6bca319b739893fcbc4734247e82370f.NginxMailingListEnglish@forum.nginx.org> Message-ID: <20170308200306.GG15209@daoine.org> On Tue, Mar 07, 2017 at 06:44:05PM -0500, c0nw0nk wrote: Hi there, > I was just looking at the realip module but that module does not seem to > support fallback methods like I demonstrated I was in need of. I'm not convinced that you need anything other than what the realip module provides; but it's your system and you can configure it however you want. If you can (temporarily) add a second access log file which uses a format like: remote_addr is $remote_addr and http_x_forwarded_for is $http_x_forwarded_for and http_cf_connecting_ip is $http_cf_connecting_ip then you should be able to show one line which has $remote_addr being a trusted address and the "end" bit of $http_x_forwarded_for not being exactly what you want to use. > (If it does > support multiple headers and fallback conditions can someone provide a > demonstration) It doesn't; so if you need that, then you must build your own work-alike (like you've done); or write or encourage some to write the code to improve the realip module for this use case. f -- Francis Daly francis at daoine.org From francis at daoine.org Wed Mar 8 20:17:13 2017 From: francis at daoine.org (Francis Daly) Date: Wed, 8 Mar 2017 20:17:13 +0000 Subject: Nginx Map how to check value if empty In-Reply-To: References: <20170307212359.GE15209@daoine.org> <6bca319b739893fcbc4734247e82370f.NginxMailingListEnglish@forum.nginx.org> Message-ID: <20170308201713.GH15209@daoine.org> On Wed, Mar 08, 2017 at 01:56:04AM -0500, c0nw0nk wrote: Hi there, > The usage of the final output is as easy as this. "$client_ip_output;" > limit_req_zone $client_ip_output zone=one:10m rate=1r/s; #usage example for > the resulting output after all fallback checks and ip whitelist checks etc. > > Based of what I showed here can anyone point out any problems they see with > it etc from what I want to achieve I think it should work fine. How many requests should I make with a really long (but different every time) X-Forwarded-For header before your zone fills? Cheers, f -- Francis Daly francis at daoine.org From tecnologiaterabyte at gmail.com Wed Mar 8 20:57:18 2017 From: tecnologiaterabyte at gmail.com (Wilmer Arambula) Date: Wed, 8 Mar 2017 16:57:18 -0400 Subject: virtual host conf. Message-ID: I'm new using nginx, I see the difference in performance, my question is the following I have the following virtual host: example.conf [example.conf] # create new server { listen 80; server_name www.example.com; location / { root /home/example/public_html; fastcgi_pass 127.0.0.1:7000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $request_filename; include /etc/nginx/fastcgi_params; fastcgi_param PATH_INFO $fastcgi_script_name; fastcgi_buffer_size 128k; fastcgi_buffers 256 4k; fastcgi_busy_buffers_size 256k; fastcgi_temp_file_write_size 256k; fastcgi_intercept_errors on; index index.php index.html index.htm; } location /phpMyAdmin { root /usr/share/; index index.php index.html index.htm; location ~ ^/phpMyAdmin/(.+\.php)$ { try_files $uri =404; root /usr/share/; fastcgi_pass 127.0.0.1:7000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $request_filename; include /etc/nginx/fastcgi_params; fastcgi_param PATH_INFO $fastcgi_script_name; fastcgi_buffer_size 128k; fastcgi_buffers 256 4k; fastcgi_busy_buffers_size 256k; fastcgi_temp_file_write_size 256k; fastcgi_intercept_errors on; } location ~* ^/phpMyAdmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ { root /usr/share/; } } } As I can add the alias to phpMyAdmin, what would be the best way to do that, another option would be convenient to add, I have installed nginx + php-fpm + spawn-fcgi, Thks, -- *Wilmer Arambula.* -------------- next part -------------- An HTML attachment was scrubbed... URL: From he.hailong5 at zte.com.cn Thu Mar 9 03:37:50 2017 From: he.hailong5 at zte.com.cn (he.hailong5 at zte.com.cn) Date: Thu, 9 Mar 2017 11:37:50 +0800 (CST) Subject: unbearable reload downtime when introducing a new server block Message-ID: <201703091137506771142@zte.com.cn> SGksDQoNCg0KDQoNCg0KSW4gbXkgY2FzZSwgSSBuZWVkIHRvIGFkZCBuZXcgc2VydmVyIGJsb2Nr IGZyb20gdGltZSB0byB0aW1lIGluIG5naW54LiBhZnRlciByZWxvYWRpbmcsIGl0IGlzIG9ic2Vy dmVkIHRoYXQgdGhlIG5ld2x5IGFkZGVkIHNlcnZlciBpcyBub3QgYXZhaWxhYmxlIGZvciBzZWNv bmRzLiBpcyB0aGlzIGFzIGV4cGVjdGVkPyBob3cgdG8gaW1wcm92ZSBpdD8NCg0KDQoNCg0KQlIs DQoNCkpvZQ== -------------- next part -------------- An HTML attachment was scrubbed... URL: From anoopalias01 at gmail.com Thu Mar 9 05:31:38 2017 From: anoopalias01 at gmail.com (Anoop Alias) Date: Thu, 9 Mar 2017 11:01:38 +0530 Subject: map directive doubt Message-ID: Hi, Just have a doubt in map directive map $http_user_agent $upstreamname { default desktop; ~(iPhone|Android) mobile; } is correct ? ######################## or does the regex need to fully match the variable? map $http_user_agent $upstreamname { default desktop; ~*.*Android.* mobile; ~*.*iPhone.* mobile; } -- *Anoop P Alias* -------------- next part -------------- An HTML attachment was scrubbed... URL: From he.hailong5 at zte.com.cn Thu Mar 9 05:50:16 2017 From: he.hailong5 at zte.com.cn (he.hailong5 at zte.com.cn) Date: Thu, 9 Mar 2017 13:50:16 +0800 (CST) Subject: unbearable reload downtime when introducing a new server block References: 201703091132355270899@zte.com.cn Message-ID: <201703091350162254282@zte.com.cn> SGksDQoNCg0KDQoNCg0KSW4gbXkgY2FzZSwgSSBuZWVkIHRvIGFkZCBuZXcgc2VydmVyIGJsb2Nr IGZyb20gdGltZSB0byB0aW1lIGluIG5naW54LiBhZnRlciByZWxvYWRpbmcsIGl0IGlzIG9ic2Vy dmVkIHRoYXQgdGhlIG5ld2x5IGFkZGVkIHNlcnZlciBpcyBub3QgYXZhaWxhYmxlIGZvciBzZWNv bmRzLiBpcyB0aGlzIGFzIGV4cGVjdGVkPyBob3cgdG8gaW1wcm92ZSBpdD8NCg0KDQoNCg0KQlIs DQoNCkpvZQ== -------------- next part -------------- An HTML attachment was scrubbed... URL: From anoopalias01 at gmail.com Thu Mar 9 07:01:55 2017 From: anoopalias01 at gmail.com (Anoop Alias) Date: Thu, 9 Mar 2017 12:31:55 +0530 Subject: combining map Message-ID: Hi, I have 3 maps defined ############################ map $request_method $requestnocache { default 0; POST 1; } map $query_string $querystringnc { default 1; "" 0; } map $http_cookie $mccookienocache { default 0; _mcnc 1; } ############################### I need to create a single variable that is 1 if either of the 3 above is 1 and 0 if all are 0. Will the following be enough map "$requestnocache$querystringnc$mccookienocache" { default 0; ~1 1; } Thanks, -- *Anoop P Alias* -------------- next part -------------- An HTML attachment was scrubbed... URL: From iippolitov at nginx.com Thu Mar 9 08:09:17 2017 From: iippolitov at nginx.com (Igor A. Ippolitov) Date: Thu, 9 Mar 2017 11:09:17 +0300 Subject: combining map In-Reply-To: References: Message-ID: <99bb8a6c-9626-b188-b6d7-b7a19390f965@nginx.com> If you are going to use it inside proxy_no_cache directive, you can combine proxy_cache_method (POST is not included by default) and 'proxy_no_cache $query_string$cookie__mcnc' The latter will not cache the request until there is query string or a cookie with a value set. So basically, it looks like you can avoid using maps in this case. On 09.03.2017 10:01, Anoop Alias wrote: > Hi, > > I have 3 maps defined > ############################ > map $request_method $requestnocache { > default 0; > POST 1; > } > > map $query_string $querystringnc { > default 1; > "" 0; > } > > map $http_cookie $mccookienocache { > default 0; > _mcnc 1; > } > ############################### > > I need to create a single variable that is 1 if either of the 3 above > is 1 and 0 if all are 0. Will the following be enough > > map "$requestnocache$querystringnc$mccookienocache" { > default 0; > ~1 1; > } > > > > Thanks, > -- > *Anoop P Alias* > > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx -------------- next part -------------- An HTML attachment was scrubbed... URL: From anoopalias01 at gmail.com Thu Mar 9 08:35:20 2017 From: anoopalias01 at gmail.com (Anoop Alias) Date: Thu, 9 Mar 2017 14:05:20 +0530 Subject: combining map In-Reply-To: <99bb8a6c-9626-b188-b6d7-b7a19390f965@nginx.com> References: <99bb8a6c-9626-b188-b6d7-b7a19390f965@nginx.com> Message-ID: Hi Igor, I need to use this with ################## srcache_fetch_skip $skip_cache; srcache_store_skip $skip_cache; ################## As per srcache docs the value must be 0 for not skipping and anything other than 0 will be considered for skipping Will combining the variables work here too? Thanks, On Thu, Mar 9, 2017 at 1:39 PM, Igor A. Ippolitov wrote: > If you are going to use it inside proxy_no_cache directive, you can > combine proxy_cache_method (POST is not included by default) and > 'proxy_no_cache $query_string$cookie__mcnc' > The latter will not cache the request until there is query string or a > cookie with a value set. > So basically, it looks like you can avoid using maps in this case. > > > On 09.03.2017 10:01, Anoop Alias wrote: > > Hi, > > I have 3 maps defined > ############################ > map $request_method $requestnocache { > default 0; > POST 1; > } > > map $query_string $querystringnc { > default 1; > "" 0; > } > > map $http_cookie $mccookienocache { > default 0; > _mcnc 1; > } > ############################### > > I need to create a single variable that is 1 if either of the 3 above is 1 > and 0 if all are 0. Will the following be enough > > map "$requestnocache$querystringnc$mccookienocache" { > default 0; > ~1 1; > } > > > > Thanks, > -- > *Anoop P Alias* > > > > _______________________________________________ > nginx mailing listnginx at nginx.orghttp://mailman.nginx.org/mailman/listinfo/nginx > > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -- *Anoop P Alias* -------------- next part -------------- An HTML attachment was scrubbed... URL: From iippolitov at nginx.com Thu Mar 9 08:53:29 2017 From: iippolitov at nginx.com (Igor A. Ippolitov) Date: Thu, 9 Mar 2017 11:53:29 +0300 Subject: combining map In-Reply-To: References: <99bb8a6c-9626-b188-b6d7-b7a19390f965@nginx.com> Message-ID: <035b8498-9e3c-8f26-7731-0cdafef17094@nginx.com> No, it won't. You can try something like map $request_method $requestnocache { default ""; POST whatever; } map $requestnocache$query_string$cookie__mcnc $skip_cache { default 0; ~. 1; } So basically, "don't skip by default, but skip, if there are any letters" You can test this by extending your log format with variables used/produced by the map and comparing results to what you expect there to be. On 09.03.2017 11:35, Anoop Alias wrote: > Hi Igor, > > I need to use this with > > ################## > srcache_fetch_skip $skip_cache; > srcache_store_skip $skip_cache; > ################## > > As per srcache docs the value must be 0 for not skipping and anything > other than 0 will be considered for skipping > > Will combining the variables work here too? > > Thanks, > > On Thu, Mar 9, 2017 at 1:39 PM, Igor A. Ippolitov > > wrote: > > If you are going to use it inside proxy_no_cache directive, you > can combine proxy_cache_method (POST is not included by default) > and 'proxy_no_cache $query_string$cookie__mcnc' > The latter will not cache the request until there is query string > or a cookie with a value set. > So basically, it looks like you can avoid using maps in this case. > > > On 09.03.2017 10:01, Anoop Alias wrote: >> Hi, >> >> I have 3 maps defined >> ############################ >> map $request_method $requestnocache { >> default 0; >> POST 1; >> } >> >> map $query_string $querystringnc { >> default 1; >> "" 0; >> } >> >> map $http_cookie $mccookienocache { >> default 0; >> _mcnc 1; >> } >> ############################### >> >> I need to create a single variable that is 1 if either of the 3 >> above is 1 and 0 if all are 0. Will the following be enough >> >> map "$requestnocache$querystringnc$mccookienocache" { >> default 0; >> ~1 1; >> } >> >> >> >> Thanks, >> -- >> *Anoop P Alias* >> >> >> >> _______________________________________________ >> nginx mailing list >> nginx at nginx.org >> http://mailman.nginx.org/mailman/listinfo/nginx >> > > _______________________________________________ nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > > > -- > *Anoop P Alias* > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx -------------- next part -------------- An HTML attachment was scrubbed... URL: From maxim at nginx.com Thu Mar 9 09:35:18 2017 From: maxim at nginx.com (Maxim Konovalov) Date: Thu, 9 Mar 2017 12:35:18 +0300 Subject: Reverse Proxy with 500k connections In-Reply-To: References:

Message-ID: This is just a matter of number of ip addresses you have in a proxy_bind pool and suitable hash function for the split_clients map. Adding additional logic to proxy_bind ip address selection you still can face the same problem. On 3/8/17 9:45 PM, Tolga Ceylan wrote: > is IP_BIND_ADDRESS_NO_PORT the best solution for OP's case? Unlike the > blog post with two backends, OP's case has one backend server. If any > of the hash slots exceed the 65K port limit, there's no chance to > recover. Despite having enough port capacity, the client will receive > an error if the client ip/port hashed to a full slot. > > IMHO picking bind IP based on a client ip/port hash is not very robust > in this case since > you can't really make sure you really are directing %10 of the > traffic. This solution does > not consider long connections (web sockets) and the hash slot could > get out of balance > over time. > > > On Wed, Mar 8, 2017 at 3:20 AM, Maxim Konovalov wrote: >> On 3/7/17 10:50 PM, larsg wrote: >>> Hi, >>> >>> we are operating native nginx 1.8.1 on RHEL as a reverse proxy. >>> The nginx routes requests to a backend server that can be reached from the >>> proxy via a single internal IP address. >>> We have to support a large number of concurrent websocket connections - say >>> 100k to 500k. >>> >>> As we don't want to increase the number of proxy instances (with different >>> IPs) and we cannot use the "proxy_bind transarent" option (was introduced in >>> a later nginx release, upgrade is not possible) we wanted to configure the >>> nginx to use different source IPs then routing to the backend. Thus, we want >>> nginx to select an available source ip + source port when a connection is >>> established with the backend. >>> >>> For that we assigned ten internal IPs to the proxy server and used the >>> proxy_bind directive bound to 0.0.0.0. >>> But this approach seems not to work. The nginx instance seems always use the >>> first IP as source IP. >>> Using multiple proxy_bind's is not possible. >>> >>> So my question is: How can I configure nginx to select from a pool of source >>> IPs? Or generally: to overcome the 64k problem? >>> >> We ever wrote a blog post for you! >> >> https://www.nginx.com/blog/overcoming-ephemeral-port-exhaustion-nginx-plus/ >> >> As a side note: I'd really encourage all of you to add our blog rss >> to your feeds. While there is some marketing "noise" we are still >> trying to make it useful for tech people too. >> >> -- >> Maxim Konovalov >> _______________________________________________ >> nginx mailing list >> nginx at nginx.org >> http://mailman.nginx.org/mailman/listinfo/nginx > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -- Maxim Konovalov From ru at nginx.com Thu Mar 9 09:53:50 2017 From: ru at nginx.com (Ruslan Ermilov) Date: Thu, 9 Mar 2017 12:53:50 +0300 Subject: combining map In-Reply-To: References: <99bb8a6c-9626-b188-b6d7-b7a19390f965@nginx.com> Message-ID: <20170309095350.GA50187@lo0.su> On Thu, Mar 09, 2017 at 02:05:20PM +0530, Anoop Alias wrote: > Hi Igor, > > I need to use this with > > ################## > srcache_fetch_skip $skip_cache; > srcache_store_skip $skip_cache; > ################## > > As per srcache docs the value must be 0 for not skipping and anything other > than 0 will be considered for skipping The value can also be an empty string for not skipping. > Will combining the variables work here too? You can have three maps as you initially suggested but with an empty string as a default value (which is the default for "map"). You can then combine three of them in the srcache_*_skip directive. > Thanks, > > On Thu, Mar 9, 2017 at 1:39 PM, Igor A. Ippolitov > wrote: > > > If you are going to use it inside proxy_no_cache directive, you can > > combine proxy_cache_method (POST is not included by default) and > > 'proxy_no_cache $query_string$cookie__mcnc' > > The latter will not cache the request until there is query string or a > > cookie with a value set. > > So basically, it looks like you can avoid using maps in this case. > > > > > > On 09.03.2017 10:01, Anoop Alias wrote: > > > > Hi, > > > > I have 3 maps defined > > ############################ > > map $request_method $requestnocache { > > default 0; > > POST 1; > > } > > > > map $query_string $querystringnc { > > default 1; > > "" 0; > > } > > > > map $http_cookie $mccookienocache { > > default 0; > > _mcnc 1; > > } > > ############################### > > > > I need to create a single variable that is 1 if either of the 3 above is 1 > > and 0 if all are 0. Will the following be enough > > > > map "$requestnocache$querystringnc$mccookienocache" { > > default 0; > > ~1 1; > > } > > > > > > > > Thanks, > > -- > > *Anoop P Alias* > > > > > > > > _______________________________________________ > > nginx mailing listnginx at nginx.orghttp://mailman.nginx.org/mailman/listinfo/nginx > > > > > > > > _______________________________________________ > > nginx mailing list > > nginx at nginx.org > > http://mailman.nginx.org/mailman/listinfo/nginx > > > > > > -- > *Anoop P Alias* > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx -- Ruslan Ermilov Assume stupidity not malice From yongtao_you at yahoo.com Thu Mar 9 12:58:23 2017 From: yongtao_you at yahoo.com (Yongtao You) Date: Thu, 9 Mar 2017 12:58:23 +0000 (UTC) Subject: Conflict between form-input-nginx-module and nginx-auth-request-module? References: <1719659735.1981960.1489064303554.ref@mail.yahoo.com> Message-ID: <1719659735.1981960.1489064303554@mail.yahoo.com> Hi, I was able to get both form-input-nginx-module and nginx-auth-request-module work fine, individually, with nginx-1.9.9. Putting them together, and the HTTP POST request just timeout (I never got any response back). Any one had any experience using both of them in the same location block? Thanks.Yongtao -------------- next part -------------- An HTML attachment was scrubbed... URL: From efeldhusen.lists at gmail.com Thu Mar 9 13:08:22 2017 From: efeldhusen.lists at gmail.com (Eric Feldhusen) Date: Thu, 9 Mar 2017 08:08:22 -0500 Subject: Nginx reverse proxy for TFTP UDP port 69 traffic In-Reply-To: <2fd0e5d5-bd51-cff5-64e9-fdb254f519ed@nginx.com> References: <04D23F0F-B586-42A5-8C9E-AFA77F5ECEBB@gmail.com> <2fd0e5d5-bd51-cff5-64e9-fdb254f519ed@nginx.com> Message-ID: On Mar 7, 2017, at 4:58 PM, Vladimir Homutov wrote: On 08.03.2017 00:21, Eric Feldhusen wrote: I?m trying to use Nginx to reverse proxy TFTP UDP port 69 traffic and I?m having a problem with getting files through the nginx reverse proxy. My configuration is simple, I?m running TFTP on one Centos 6.x server and the Nginx reserve proxy on another Centos 6.x server with the latest Nginx mainline 1.11.10 from the nginx.org repository. TFTP connections to the TFTP server directly work. Using the same commands through the Nginx reverse proxy, connects, but will not download or upload a file through it. If you have any suggestions, I?d appreciate a nudge in the right direction. I?m assuming it?s something I?m missing. Eric Feldhusen Unfortunately, TFTP will not work, because it requires that after initial server's reply client will send packets to the port, chosen by server (i.e. not 69. but some auto-assigned). also, TFTP server recognizes clients by its source port and it changes when a packet passes proxy - each packet is originating from a new source port on proxy. Ah, I had just started to look up specifically how TFTP connections work, so I hadn?t seen this yet. But that makes sense with what I was seeing. Thank you for the quick reply, I appreciate it. Eric Feldhusen -------------- next part -------------- An HTML attachment was scrubbed... URL: From mdounin at mdounin.ru Thu Mar 9 14:03:49 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Thu, 9 Mar 2017 17:03:49 +0300 Subject: Passing $upstream_response_time in a header In-Reply-To: References: Message-ID: <20170309140349.GO23126@mdounin.ru> Hello! On Tue, Mar 07, 2017 at 04:38:04PM -0500, Jonathan Simowitz via nginx wrote: > Hello, > > I have an nginx server that runs as reverse proxy and I would like to pass > the $upstream_response_time value in a header. I find that when I do the > value is actually a linux timestamp with millisecond resolution instead of > a value of seconds with millisecond resolution. Apparently this is > automatically converted when written to the logs. Is there a way to trigger > the conversion for passing in a header? The $upstream_response_time variable is the full time of receiving the response from the upstream server. When sending a response header full time is not yet known, and the variable will contain garbage. If you want to return something known when sending a response header, use $upstream_header_time instead. -- Maxim Dounin http://nginx.org/ From nginx-forum at forum.nginx.org Thu Mar 9 14:05:31 2017 From: nginx-forum at forum.nginx.org (maznislav) Date: Thu, 09 Mar 2017 09:05:31 -0500 Subject: Fastcgi_cache permissions Message-ID: Hello, I was searching for an answer for this question quite a bit, but unfortunately I was not able to find such, so any help is much appreciated. The issue is the following - I have enabled Fastcgi_cache for my server and I have noticed that the cache has very restricted permissions 700 to be precise. I need to be able to change those permissions, but unfortunately I am not able to do so. I do not see any configuration variable that is responsible for this, neither the nginx process uses the umask value set for generating the permissions for those files. If someone has an idea how can I make nginx to use custom permissions for the cache that would great. Thanks a lot. Regards. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272853,272853#msg-272853 From nginx-forum at forum.nginx.org Thu Mar 9 14:52:13 2017 From: nginx-forum at forum.nginx.org (larsg) Date: Thu, 09 Mar 2017 09:52:13 -0500 Subject: Reverse Proxy with 500k connections In-Reply-To: References: Message-ID: <2cb35a797b5eeef506c4511fd751b78e.NginxMailingListEnglish@forum.nginx.org> Thanks for the advice. I implemented this approach. Unfortunately not with 100% success. When enabling sysctl option "net.ipv4.ip_nonlocal_bind = 1" it is possible to use local IP addresses (192.168.1.130-139) as proxy_bind address. But than using such an address (other than 0.0.0.0), nginx will produce an error message. Interesting aspect is: attribute "server" in the log entry is empty. When using 0.0.0.0 as proxy_bind, everything is fine. Do you have any ideas? 2017/03/09 14:27:09 [crit] 69765#0: *478633 connect() to 192.168.1.21:443 failed (22: Invalid argument) while connecting to upstream, client: x.x.x.x, server: , request: "GET /myservice HTTP/1.1", upstream: "https://192.168.1.21:443/myservice", host: "xxxxxxx:44301" split_clients "${remote_addr}AAAA" $proxy_ip { # does not work 100% 192.168.1.130; # works 100% 0.0.0.0; } server { listen 44301 ssl backlog=163840; #works #proxy_bind 0.0.0.0; #does not work #proxy_bind 192.168.1.130; proxy_bind $proxy_ip; Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272808,272854#msg-272854 From maxozerov at i-free.com Thu Mar 9 14:58:38 2017 From: maxozerov at i-free.com (Maxim Ozerov) Date: Thu, 9 Mar 2017 14:58:38 +0000 Subject: Fastcgi_cache permissions In-Reply-To: References: Message-ID: And what is the purpose of changing permissions? In other words - nginx.conf - user www-data; So for example, Directories Access: (0700/drwx) with Uid: (33/www-data) And no one forbids you to access the cache from this user for manipulating files (allow other process (for example php-fpm runs as www-data) to delete Nginx cache files). -----Original Message----- From: nginx [mailto:nginx-bounces at nginx.org] On Behalf Of maznislav Sent: Thursday, March 9, 2017 5:06 PM To: nginx at nginx.org Subject: Fastcgi_cache permissions Hello, I was searching for an answer for this question quite a bit, but unfortunately I was not able to find such, so any help is much appreciated. The issue is the following - I have enabled Fastcgi_cache for my server and I have noticed that the cache has very restricted permissions 700 to be precise. I need to be able to change those permissions, but unfortunately I am not able to do so. I do not see any configuration variable that is responsible for this, neither the nginx process uses the umask value set for generating the permissions for those files. If someone has an idea how can I make nginx to use custom permissions for the cache that would great. Thanks a lot. Regards. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272853,272853#msg-272853 _______________________________________________ nginx mailing list nginx at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx From nginx-forum at forum.nginx.org Thu Mar 9 15:57:10 2017 From: nginx-forum at forum.nginx.org (maznislav) Date: Thu, 09 Mar 2017 10:57:10 -0500 Subject: Fastcgi_cache permissions In-Reply-To: References: Message-ID: <874cc1ef738cfd3df9cb504c054d7f15.NginxMailingListEnglish@forum.nginx.org> Hi Maxim, thanks for the reply. The use case that I have is when php-fpm is running as a user different than the nginx one. In this case the permissions being set as 0700 basically deny any manipulation of the cached files from php scripts. Everytime you try something like this you get permission denied. A similar scenario and possible solution which unfortunately doesn't work is described in this thread. https://github.com/rtCamp/nginx-helper/issues/63 Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272853,272856#msg-272856 From r at roze.lv Thu Mar 9 17:08:52 2017 From: r at roze.lv (Reinis Rozitis) Date: Thu, 9 Mar 2017 19:08:52 +0200 Subject: Reverse Proxy with 500k connections In-Reply-To: <2cb35a797b5eeef506c4511fd751b78e.NginxMailingListEnglish@forum.nginx.org> References: <2cb35a797b5eeef506c4511fd751b78e.NginxMailingListEnglish@forum.nginx.org> Message-ID: <000001d298f7$d3c87700$7b596500$@roze.lv> > When enabling sysctl option "net.ipv4.ip_nonlocal_bind = 1" it is possible > to use local IP addresses (192.168.1.130-139) as proxy_bind address. > But than using such an address (other than 0.0.0.0), nginx will produce an > error message. Do the 192.168.1.130-139 IPs actually exist and are configured on the server? While you can bind to the IP it doesn't mean you can make an actual tcp connection to the upstream. net.ipv4.ip_nonlocal_bind is usually used when there is a need for a service to listen to a specific interface which doesn't exist yet on the server like in case of VRRP / Keepalived balancing etc. rr From nginx-forum at forum.nginx.org Thu Mar 9 17:20:22 2017 From: nginx-forum at forum.nginx.org (larsg) Date: Thu, 09 Mar 2017 12:20:22 -0500 Subject: Reverse Proxy with 500k connections In-Reply-To: <2cb35a797b5eeef506c4511fd751b78e.NginxMailingListEnglish@forum.nginx.org> References: <2cb35a797b5eeef506c4511fd751b78e.NginxMailingListEnglish@forum.nginx.org> Message-ID: Hi everybody, ok, I recognized another linux network problem that I solved now. Situation now is like following: When I call my upstream address via curl (on the nginx host) by selecting the corresponding local interface (eth0-9 = 192.168.1.130-139) everything is fine. curl https://192.168.1.21:443/remote/events --insecure --interface eth0 But when I specify the same IP address that refers to eth0 (eth1-9 etc.) I get an "110: Connection timed out". Does anybody know this situation? Checked by sysctl config but it looks fine... split_clients "${remote_addr}${remote_port}AAAA" $proxy_ip { 100% 192.168.1.130; } server { listen 44301 ssl backlog=163840; proxy_bind $proxy_ip; #proxy_bind 192.168.1.130; .. 2017/03/09 16:54:33 [error] 30081#0: *11 upstream timed out (110: Connection timed out) while connecting to upstream, client: x.x.x.x, server: , request: "GET /remote/events HTTP/1.1", upstream: "https://192.168.1.21:443/remote/events", host: "xxxxx:44301" Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272808,272858#msg-272858 From r at roze.lv Thu Mar 9 17:24:21 2017 From: r at roze.lv (Reinis Rozitis) Date: Thu, 9 Mar 2017 19:24:21 +0200 Subject: Fastcgi_cache permissions In-Reply-To: <874cc1ef738cfd3df9cb504c054d7f15.NginxMailingListEnglish@forum.nginx.org> References: <874cc1ef738cfd3df9cb504c054d7f15.NginxMailingListEnglish@forum.nginx.org> Message-ID: <000501d298f9$fda4cb80$f8ee6280$@roze.lv> > thanks for the reply. The use case that I have is when php-fpm is running as a > user different than the nginx one. In this case the permissions being set as 0700 > basically deny any manipulation of the cached files from php scripts. Everytime > you try something like this you get permission denied. Why would you manipulate nginx cache files from php directly (or even if you do so why not run the nginx and phpfpm under same user then)? If you want to purge the request (only valid reason which comes to my mind) you should configure fastcgi_cache_purge ( http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_cache_purge ). The drawback is that's only for the commercial version. As an alternative you could use a third party module http://labs.frickle.com/nginx_ngx_cache_purge/ I'm not 100% sure about the compability with the newest nginx releases but you can contact the author about that (he is also in this list). rr From maxozerov at i-free.com Thu Mar 9 17:33:30 2017 From: maxozerov at i-free.com (Maxim Ozerov) Date: Thu, 9 Mar 2017 17:33:30 +0000 Subject: Fastcgi_cache permissions In-Reply-To: <000501d298f9$fda4cb80$f8ee6280$@roze.lv> References: <874cc1ef738cfd3df9cb504c054d7f15.NginxMailingListEnglish@forum.nginx.org> <000501d298f9$fda4cb80$f8ee6280$@roze.lv> Message-ID: <2f3d26a792844995bae4ac758135086b@srv-exch-mb02.i-free.local> > Why would you manipulate nginx cache files from php directly (or even if you do so why not run the nginx and phpfpm under same user then)? Yeah... For example: with php-fpm you can run each site with its own uid/gid (pool configuration), and with address on which to accept FastCGI requests So, create a new pool file with the right user:group ... and send the specific purge request. -----Original Message----- From: nginx [mailto:nginx-bounces at nginx.org] On Behalf Of Reinis Rozitis Sent: Thursday, March 9, 2017 8:24 PM To: nginx at nginx.org Subject: RE: RE: Fastcgi_cache permissions > thanks for the reply. The use case that I have is when php-fpm is > running as a user different than the nginx one. In this case the > permissions being set as 0700 basically deny any manipulation of the > cached files from php scripts. Everytime you try something like this you get permission denied. Why would you manipulate nginx cache files from php directly (or even if you do so why not run the nginx and phpfpm under same user then)? If you want to purge the request (only valid reason which comes to my mind) you should configure fastcgi_cache_purge ( http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_cache_purge ). The drawback is that's only for the commercial version. As an alternative you could use a third party module http://labs.frickle.com/nginx_ngx_cache_purge/ I'm not 100% sure about the compability with the newest nginx releases but you can contact the author about that (he is also in this list). rr _______________________________________________ nginx mailing list nginx at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx From nginx-forum at forum.nginx.org Thu Mar 9 18:10:33 2017 From: nginx-forum at forum.nginx.org (larsg) Date: Thu, 09 Mar 2017 13:10:33 -0500 Subject: Reverse Proxy with 500k connections In-Reply-To: <000001d298f7$d3c87700$7b596500$@roze.lv> References: <000001d298f7$d3c87700$7b596500$@roze.lv> Message-ID: Hi Reinis, yes, IPs exist: ifconfig eth0: flags=4163 mtu 1500 inet 192.168.1.130 netmask 255.255.255.0 broadcast 192.168.1.255 ether fa:16:3e:1e:ad:da txqueuelen 1000 (Ethernet) ... eth1: flags=4163 mtu 1500 inet 192.168.1.131 netmask 255.255.255.0 broadcast 192.168.1.255 okay, I enabled net.ipv4.ip_nonlocal_bind=1 because nginx complained with an error message "cannot bind/assign address". net.ipv4.ip_nonlocal_bind solved that problem. But now with our other kernel adjustments (Reverse Path Forwarding mode 2 ? Loose mode as defined in RFC 3704) this option does not have any effect. So I disabled net.ipv4.ip_nonlocal_bind again. But same result....upstream timed out... Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272808,272862#msg-272862 From thresh at nginx.com Thu Mar 9 19:25:29 2017 From: thresh at nginx.com (Konstantin Pavlov) Date: Thu, 9 Mar 2017 22:25:29 +0300 Subject: Reverse Proxy with 500k connections In-Reply-To: References: <000001d298f7$d3c87700$7b596500$@roze.lv> Message-ID: On 09/03/2017 21:10, larsg wrote: > Hi Reinis, > > yes, IPs exist: > > ifconfig > eth0: flags=4163 mtu 1500 > inet 192.168.1.130 netmask 255.255.255.0 broadcast 192.168.1.255 > ether fa:16:3e:1e:ad:da txqueuelen 1000 (Ethernet) > ... > eth1: flags=4163 mtu 1500 > inet 192.168.1.131 netmask 255.255.255.0 broadcast 192.168.1.255 Are those addresses reachable outside this particular VM in your Openstack environment? -- Konstantin Pavlov From nginx-forum at forum.nginx.org Thu Mar 9 20:10:13 2017 From: nginx-forum at forum.nginx.org (Vanhels) Date: Thu, 09 Mar 2017 15:10:13 -0500 Subject: configuration nginx server block [virtual host] with Ipv6. Message-ID: Hi, I have installed nginx + php-fpm (php5.4 / php5.6), i'm trying to set everything up for ipv6 in Centos 7.3, install from official nginx repo: [/etc/nginx/nginx.conf]: user nginx; worker_processes 1; error_log /var/log/nginx/error.log warn; pid /var/run/nginx.pid; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; #tcp_nopush on; keepalive_timeout 65; #gzip on; include /etc/nginx/conf.d/*.conf; } [/etc/nginx/conf.d/default.conf]: server { listen [::]:80; server_name localhost; location ~ \.php$ { root html; fastcgi_split_path_info ^(.+\.php)(/.+)$; try_files $uri =404; fastcgi_pass [::]:9056; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; include fastcgi_params; } location / { root /usr/share/nginx/html; index index.php index.html index.htm; } error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } } [domain1.conf]: # create new server { listen [::]:80; root /home/domain1/public_html; index index.php index.html index.htm; server_name domain1 www.domain1; location / { try_files $uri $uri/ =404; } location ~ \.php$ { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass [::]:9056; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include /etc/nginx/fastcgi_params; fastcgi_param PATH_INFO $fastcgi_script_name; fastcgi_buffer_size 128k; fastcgi_buffers 256 4k; fastcgi_busy_buffers_size 256k; fastcgi_temp_file_write_size 256k; fastcgi_intercept_errors on; } } [subdomain.domain1.conf]: # create new server { listen [::]:80; root /home/domain1/public_html/subdomain; index index.php index.html index.htm; server_name subdomain.domain1 www.subdomain.domain1; location / { try_files $uri $uri/ =404; } location ~ \.php$ { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass [::]:9056; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include /etc/nginx/fastcgi_params; fastcgi_param PATH_INFO $fastcgi_script_name; fastcgi_buffer_size 128k; fastcgi_buffers 256 4k; fastcgi_busy_buffers_size 256k; fastcgi_temp_file_write_size 256k; fastcgi_intercept_errors on; } } If in [domain.conf] change to: Listen 80; fastcgi_pass 127.0.0.1:9056; It works perfect, because this behavior I'm doing wrong, thank you in advance for your answers, Wilmer. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272864,272864#msg-272864 From francis at daoine.org Thu Mar 9 22:35:53 2017 From: francis at daoine.org (Francis Daly) Date: Thu, 9 Mar 2017 22:35:53 +0000 Subject: configuration nginx server block [virtual host] with Ipv6. In-Reply-To: References: Message-ID: <20170309223553.GI15209@daoine.org> On Thu, Mar 09, 2017 at 03:10:13PM -0500, Vanhels wrote: Hi there, > Hi, I have installed nginx + php-fpm (php5.4 / php5.6), i'm trying to set > everything up for ipv6 in Centos 7.3, install from official nginx repo: What part fails for you? Does nginx listen on the IPv6 port? Does the client connect to nginx? Does the fastcgi server listen on the IPv6 port? Does nginx connect to the fastcgi server? You suggest that something is bad with > listen [::]:80; > fastcgi_pass [::]:9056; but is good with > Listen 80; > fastcgi_pass 127.0.0.1:9056; One difference there is that your fastcgi_pass in IPv4 connects to an address:port, while in IPv6 it does not. I would guess that using [::1]:9056 might have a chance of helping. But only if you can already fetch a file from nginx on IPv6 when fastcgi is not involved. Good luck with it, f -- Francis Daly francis at daoine.org From francis at daoine.org Thu Mar 9 22:50:25 2017 From: francis at daoine.org (Francis Daly) Date: Thu, 9 Mar 2017 22:50:25 +0000 Subject: map directive doubt In-Reply-To: References: Message-ID: <20170309225025.GJ15209@daoine.org> On Thu, Mar 09, 2017 at 11:01:38AM +0530, Anoop Alias wrote: Hi there, > Just have a doubt in map directive > > map $http_user_agent $upstreamname { > default desktop; > ~(iPhone|Android) mobile; > } > > is correct ? That doesn't look too hard to test. == server { listen 8880; return 200 "user agent = $http_user_agent; map = $upstreamname\n"; } == $ curl -H User-Agent:xxAndroidxx http://localhost:8880/x f -- Francis Daly francis at daoine.org From nginx-forum at forum.nginx.org Thu Mar 9 23:06:05 2017 From: nginx-forum at forum.nginx.org (Vanhels) Date: Thu, 09 Mar 2017 18:06:05 -0500 Subject: configuration nginx server block [virtual host] with Ipv6. In-Reply-To: References: Message-ID: Thanks for your answer, I'll specify it better: Config Work Fine: [domain1.conf]: server { listen [::]:80; root /home/domain1/public_html; index index.php index.html index.htm; server_name domain1 www.domain1; location ~ \.php$ { fastcgi_pass [::]:9056; } } [subdomain.domain1.conf]: server { listen 80; root /home/domain1/public_html/subdomain; index index.php index.html index.htm; server_name subdomain.domain1 www.subdomain.domain1; location ~ \.php$ { fastcgi_pass 127.0.0.1:9056; } } Config No Work : [domain1.conf]: server { listen [::]:80; root /home/domain1/public_html; index index.php index.html index.htm; server_name domain1 www.domain1; location ~ \.php$ { fastcgi_pass [::]:9056; } } [subdomain.domain1.conf]: server { listen [::]:80; root /home/domain1/public_html/subdomain; index index.php index.html index.htm; server_name subdomain.domain1 www.subdomain.domain1; location ~ \.php$ { fastcgi_pass [::]:9056; } } The error happens when Listen and fastcgi_pass have the same port address in both domains, Thks, Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272864,272867#msg-272867 From nginx-forum at forum.nginx.org Fri Mar 10 09:04:32 2017 From: nginx-forum at forum.nginx.org (javiii) Date: Fri, 10 Mar 2017 04:04:32 -0500 Subject: proxy_cache_use_stale based on IP address Message-ID: <413343029e3987ed294aae426a4cbf2a.NginxMailingListEnglish@forum.nginx.org> Hi! Is it possible to send a stale version of the website based on the IP address of the client? Thank you in advance Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272868,272868#msg-272868 From ranshalit at gmail.com Fri Mar 10 17:01:03 2017 From: ranshalit at gmail.com (Ran Shalit) Date: Fri, 10 Mar 2017 19:01:03 +0200 Subject: upload xml file Message-ID: Hello, I am new with web servers and nginx. I would like to ask if nginx support xml , and what does it mean to upload xml to web server ? Does it just keep the xml as file in some directory , or does it do parse the xml file and do some actions ? Thank you, Ran From jeff.dyke at gmail.com Fri Mar 10 22:19:19 2017 From: jeff.dyke at gmail.com (Jeff Dyke) Date: Fri, 10 Mar 2017 17:19:19 -0500 Subject: upload xml file In-Reply-To: References: Message-ID: what do you want it to do? if you're talking nginx without any application backend you could do a lot with some lua locations, or you're going to pass that request to another process, or serve a static (xml) file from the file system. Nginx does support XML just fine, its all a matter of what you want your application to do. On Fri, Mar 10, 2017 at 12:01 PM, Ran Shalit wrote: > Hello, > > I am new with web servers and nginx. > I would like to ask if nginx support xml , and what does it mean to > upload xml to web server ? > Does it just keep the xml as file in some directory , or does it do > parse the xml file and do some actions ? > > Thank you, > Ran > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From francis at daoine.org Sat Mar 11 01:00:11 2017 From: francis at daoine.org (Francis Daly) Date: Sat, 11 Mar 2017 01:00:11 +0000 Subject: configuration nginx server block [virtual host] with Ipv6. In-Reply-To: References: Message-ID: <20170311010011.GK15209@daoine.org> On Thu, Mar 09, 2017 at 06:06:05PM -0500, Vanhels wrote: Hi there, > The error happens when Listen and fastcgi_pass have the same port address in > both domains, What's the error? What do you do / what do you see / what do you want to see instead? f -- Francis Daly francis at daoine.org From tecnologiaterabyte at gmail.com Sat Mar 11 01:06:03 2017 From: tecnologiaterabyte at gmail.com (Wilmer Arambula) Date: Fri, 10 Mar 2017 21:06:03 -0400 Subject: configuration nginx server block [virtual host] with Ipv6. In-Reply-To: <20170311010011.GK15209@daoine.org> References: <20170311010011.GK15209@daoine.org> Message-ID: The websites pages do not load, not open, and write anything in te log, Thks, Wilmer. El 10/3/2017 21:00, "Francis Daly" escribi?: On Thu, Mar 09, 2017 at 06:06:05PM -0500, Vanhels wrote: Hi there, > The error happens when Listen and fastcgi_pass have the same port address in > both domains, What's the error? What do you do / what do you see / what do you want to see instead? f -- Francis Daly francis at daoine.org _______________________________________________ nginx mailing list nginx at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx -------------- next part -------------- An HTML attachment was scrubbed... URL: From francis at daoine.org Sat Mar 11 01:36:57 2017 From: francis at daoine.org (Francis Daly) Date: Sat, 11 Mar 2017 01:36:57 +0000 Subject: configuration nginx server block [virtual host] with Ipv6. In-Reply-To: References: <20170311010011.GK15209@daoine.org> Message-ID: <20170311013657.GL15209@daoine.org> On Fri, Mar 10, 2017 at 09:06:03PM -0400, Wilmer Arambula wrote: Hi there, > The websites pages do not load, not open, and write anything in te log, What response do you get when you do something like curl -v -g -H Host:domain1.com 'http://[::1]:80/' on the server itself? "Nothing in the log" usually means that the request is not getting to nginx at all. f -- Francis Daly francis at daoine.org From nginx-forum at forum.nginx.org Sat Mar 11 03:41:47 2017 From: nginx-forum at forum.nginx.org (patweb99) Date: Fri, 10 Mar 2017 22:41:47 -0500 Subject: Random rewrite/proxy_pass timeouts Message-ID: I'm seeing some strange behavior with nginx. I using it to proxy requests from one domain to another. What I'm seeing is at times requests to help.example.com start hanging. In order to fix it I need to either reload or restart the nginx service, which makes me think it's a resource issue but thought I'd check here first. Has anyone experienced anything like this before? Here are a few technical details: - nginx version: nginx/1.10.1 - t2.small in AWS - Fronted by a classic ELB I've also attached my nginx.conf and site.conf for reference. I have a few other sites in use that also use proxy_pass and it works just fine. So I'm thinking it may have something to do with the rewrite, but not 100% sure. ngnix.conf include /usr/share/nginx/modules/*; # nginx Configuration File # http://wiki.nginx.org/Configuration # Run as a less privileged user for security reasons. user www-data; # How many worker threads to run; # "auto" sets it to the number of CPU cores available in the system, and # offers the best performance. Don't set it higher than the number of CPU # cores if changing this parameter. # The maximum number of connections for Nginx is calculated by: # max_clients = worker_processes * worker_connections worker_processes 1; # Maximum open file descriptors per process; # should be > worker_connections. worker_rlimit_nofile 8192; events { # When you need > 8000 * cpu_cores connections, you start optimizing your OS, # and this is probably the point at which you hire people who are smarter than # you, as this is *a lot* of requests. worker_connections 8000; } # Default error log file # (this is only used when you don't override error_log on a server{} level) # options are also notice and info error_log /var/log/nginx/error.log; pid /var/run/nginx.pid; http { # Hide nginx version information. server_tokens off; # Define the MIME types for files. include /etc/nginx/mime.types; default_type application/octet-stream; # Update charset_types due to updated mime.types charset_types text/xml text/plain text/vnd.wap.wml application/x-javascript application/rss+xml text/css application/javascript application/json; # Format to use in log files log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; # Default log file # (this is only used when you don't override access_log on a server{} level) access_log /var/log/nginx/access.log main; # How long to allow each connection to stay idle; longer values are better # for each individual client, particularly for SSL, but means that worker # connections are tied up longer. (Default: 65) keepalive_timeout 35; # Speed up file transfers by using sendfile() to copy directly # between descriptors rather than using read()/write(). sendfile on; # Tell Nginx not to send out partial frames; this increases throughput # since TCP frames are filled up before being sent out. (adds TCP_CORK) tcp_nopush on; # Compression # Enable Gzip compressed. gzip on; # Compression level (1-9). # 5 is a perfect compromise between size and cpu usage, offering about # 75% reduction for most ascii files (almost identical to level 9). gzip_comp_level 5; # Don't compress anything that's already small and unlikely to shrink much # if at all (the default is 20 bytes, which is bad as that usually leads to # larger files after gzipping). gzip_min_length 256; # Compress data even for clients that are connecting to us via proxies, # identified by the "Via" header (required for CloudFront). gzip_proxied any; # Tell proxies to cache both the gzipped and regular version of a resource # whenever the client's Accept-Encoding capabilities header varies; # Avoids the issue where a non-gzip capable client (which is extremely rare # today) would display gibberish if their proxy gave them the gzipped version. gzip_vary on; # Compress all output labeled with one of the following MIME-types. gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rdf+xml application/rss+xml application/schema+json application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-javascript application/x-web-app-manifest+json application/xhtml+xml application/xml font/eot font/opentype image/bmp image/svg+xml image/vnd.microsoft.icon image/x-icon text/cache-manifest text/css text/javascript text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy text/xml; # text/html is always compressed by HttpGzipModule # This should be turned on if you are going to have pre-compressed copies (.gz) of # static files available. If not it should be left off as it will cause extra I/O # for the check. It is best if you enable this in a location{} block for # a specific directory, or on an individual server{} level. # gzip_static on; # For behind a load balancer real_ip_header X-Forwarded-For; set_real_ip_from 0.0.0.0/0; client_max_body_size 100m; # default blank catch-all server { listen 80 default_server; root /var/www/html/default; index index.html; } # Include files in the sites-enabled folder. server{} configuration files should be # placed in the sites-available folder, and then the configuration should be enabled # by creating a symlink to it in the sites-available folder. # See doc/sites-enabled.md for more info. include /etc/nginx/sites-enabled/*; } site.conf server { listen 80; server_name help.example.com; access_log /var/log/nginx/access.log access; error_log /var/log/nginx/error.log error; location /assets/ { proxy_pass https://site.help/assets/; proxy_set_header Host site.help; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Scheme https; } location /_api/ { proxy_pass https://site.help/_api/; proxy_set_header Host site.help; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Scheme https; } location / { rewrite ^/(.*)/$ /example/$1/ permanent; proxy_pass https://site.help; proxy_set_header Host help.site.com; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto https; } # Deny config files location ~* \.(sh|lock|json)$ { deny all; } # Deny any hidden and old version of files location ~ /\. { access_log off; log_not_found off; deny all; } location ~ ~$ { access_log off; log_not_found off; deny all; } } Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272887,272887#msg-272887 From yongtao_you at yahoo.com Sat Mar 11 05:13:38 2017 From: yongtao_you at yahoo.com (Yongtao You) Date: Sat, 11 Mar 2017 05:13:38 +0000 (UTC) Subject: Conflict between form-input-nginx-module and nginx-auth-request-module? In-Reply-To: <1719659735.1981960.1489064303554@mail.yahoo.com> References: <1719659735.1981960.1489064303554.ref@mail.yahoo.com> <1719659735.1981960.1489064303554@mail.yahoo.com> Message-ID: <1583805220.3341540.1489209218867@mail.yahoo.com> To answer my own question, even though I still don't see why it has anything to do with the auth-request module, but the reason requests are timing out is because form-input module called ngx_http_read_client_request_body(), which then set write_event_handler to ngx_http_request_empty_handler to block write events. This seems to block the event from being forwarded to the backend (via proxy_pass). I modified the ngx_http_read_client_request_body() implementation to not override the request's write_event_handler, and everything started working. No more timeouts. I don't know enough to understand the ramification of my change, even though it seems to fixed my immediate problem. Any insights will be greatly appreciated. Thanks.Yongtao On Thursday, March 9, 2017 8:58 PM, Yongtao You via nginx wrote: Hi, I was able to get both form-input-nginx-module and nginx-auth-request-module work fine, individually, with nginx-1.9.9. Putting them together, and the HTTP POST request just timeout (I never got any response back). Any one had any experience using both of them in the same location block? Thanks.Yongtao _______________________________________________ nginx mailing list nginx at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx -------------- next part -------------- An HTML attachment was scrubbed... URL: From ranshalit at gmail.com Sat Mar 11 07:07:06 2017 From: ranshalit at gmail.com (Ran Shalit) Date: Sat, 11 Mar 2017 09:07:06 +0200 Subject: upload xml file Message-ID: On Sat, Mar 11, 2017 at 12:19 AM, Jeff Dyke wrote: > what do you want it to do? if you're talking nginx without any application > backend you could do a lot with some lua locations, or you're going to pass > that request to another process, or serve a static (xml) file from the file > system. Hi Jeff, Thank you very much. I have requirement that application should "support webserver which includes xml and save xml file to filesystem" Does it mean that it actually should " serve a static (xml) file from the file" (the second option you mentioned). If yes - can you give some hints about it or where to read further about it ? Does it mean it just save and retrieve file parsing it to other commands ? (I have read somewhere that uploading a file parse the file, so I am a bit confused here) I am new with nginx, still learning it. Many thanks, Ran Nginx does support XML just fine, its all a matter of what you want > your application to do. > > On Fri, Mar 10, 2017 at 12:01 PM, Ran Shalit wrote: >> >> Hello, >> >> I am new with web servers and nginx. >> I would like to ask if nginx support xml , and what does it mean to >> upload xml to web server ? >> Does it just keep the xml as file in some directory , or does it do >> parse the xml file and do some actions ? >> >> Thank you, >> Ran >> _______________________________________________ >> nginx mailing list >> nginx at nginx.org >> http://mailman.nginx.org/mailman/listinfo/nginx > > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx From trashcan at ellael.org Sat Mar 11 08:07:54 2017 From: trashcan at ellael.org (Michael Grimm) Date: Sat, 11 Mar 2017 09:07:54 +0100 Subject: proxy_pass and weird behaviour Message-ID: <80B90152-6508-4AF2-B8AE-B5E0FF18BF22@ellael.org> Hi ? (This is nginx 1.11.10 and up to date FreeBSD STABLE-11) I recently implemented LE certificates for my virtual domains, which will be served at two hosts, accessed by round-robin DNS, aka two IP addresses. In order to get the acme challenges running, I did implement the following configuration: Host A and Host B: # port 80 server { include include/IPs-80; server_name example.com; location / { # redirect letsencrypt ACME challenge requests to local-at-host-A.lan location /.well-known/acme-challenge/ { proxy_pass http://local-at-host-A.lan; } # all other requests are redirect to https, permanently return 301 https://$server_name$request_uri; } } # port 443 [snip] Server local-at-host-A.lan (LE acme) finally serves the acme challenge directory: server { include include/IPs-80; server_name local-at-host-A.lan; # redirect all letsencrypt ACME challenges to one global directory location /.well-known/acme-challenge/ { root /var/www/acme/; } } Well, that is working, somehow, except: If the LE server addresses Host A, the challenge file is going to be retrieved instantaneously. If the LE server addresses Host B, only every *other* request is being served instantaneously: 1. access: immediately download 2. access: 60 s wait, then download 3. access: immediately download 4. access: 60 s wait, then download etc. Hmm, default proxy_connect_timeout is 60s, I know. But why every other connect? Every feedback on how to solve/debug that issue is highly welcome. Thanks and regards, Michael From igal at lucee.org Sat Mar 11 19:04:27 2017 From: igal at lucee.org (Igal @ Lucee.org) Date: Sat, 11 Mar 2017 11:04:27 -0800 Subject: upload xml file In-Reply-To: References: Message-ID: Ran, You would probably want to use an Application Server behind the Web Server (nginx). Then you would use the nginx to proxy the request to the application server, where you can write code in the language that the application server supports (for example, I use Lucee as an application server, but many people use PHP or JSP or a bunch of other technologies). In the application server you can do whatever you want with the request, e.g. read request parameters and build an XML document on the fly, and send it back to nginx which will send it back to the client. nginx is a web server, similar in function to apache httpd or IIS, but much better in my opinion (and in the opinion of most users on this list, I would think), but if you want to serve dynamic content then you should have an application server behind it. HTH, Igal Sapir Lucee Core Developer Lucee.org On 3/10/2017 11:07 PM, Ran Shalit wrote: > On Sat, Mar 11, 2017 at 12:19 AM, Jeff Dyke wrote: >> what do you want it to do? if you're talking nginx without any application >> backend you could do a lot with some lua locations, or you're going to pass >> that request to another process, or serve a static (xml) file from the file >> system. > Hi Jeff, > > Thank you very much. > I have requirement that application should "support webserver which > includes xml and save xml file to filesystem" > Does it mean that it actually should " serve a static (xml) file from > the file" (the second option you mentioned). > If yes - can you give some hints about it or where to read further about it ? > > Does it mean it just save and retrieve file parsing it to other > commands ? (I have read somewhere that uploading a file parse the > file, so I am a bit confused here) > > I am new with nginx, still learning it. > > Many thanks, > Ran > > Nginx does support XML just fine, its all a matter of what you want >> your application to do. >> >> On Fri, Mar 10, 2017 at 12:01 PM, Ran Shalit wrote: >>> Hello, >>> >>> I am new with web servers and nginx. >>> I would like to ask if nginx support xml , and what does it mean to >>> upload xml to web server ? >>> Does it just keep the xml as file in some directory , or does it do >>> parse the xml file and do some actions ? >>> >>> Thank you, >>> Ran >>> _______________________________________________ >>> nginx mailing list >>> nginx at nginx.org >>> http://mailman.nginx.org/mailman/listinfo/nginx >> >> >> _______________________________________________ >> nginx mailing list >> nginx at nginx.org >> http://mailman.nginx.org/mailman/listinfo/nginx > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx -------------- next part -------------- An HTML attachment was scrubbed... URL: From ranshalit at gmail.com Sun Mar 12 05:08:50 2017 From: ranshalit at gmail.com (Ran Shalit) Date: Sun, 12 Mar 2017 07:08:50 +0200 Subject: upload xml file In-Reply-To: References:

Message-ID: On Mar 11, 2017 9:04 PM, "Igal @ Lucee.org" wrote: > > Ran, > > You would probably want to use an Application Server behind the Web Server (nginx). Then you would use the nginx to proxy the request to the application server, where you can write code in the language that the application server supports (for example, I use Lucee as an application server, but many people use PHP or JSP or a bunch of other technologies). > > In the application server you can do whatever you want with the request, e.g. read request parameters and build an XML document on the fly, and send it back to nginx which will send it back to the client. Hi, In case we just want to save xml file(like a binary file) and later read it, Is there any need for application in server or is it only nginx server required for such reuirement? Thank you, Ran > > nginx is a web server, similar in function to apache httpd or IIS, but much better in my opinion (and in the opinion of most users on this list, I would think), but if you want to serve dynamic content then you should have an application server behind it. > > HTH, > > Igal Sapir > Lucee Core Developer > Lucee.org > > On 3/10/2017 11:07 PM, Ran Shalit wrote: >> >> On Sat, Mar 11, 2017 at 12:19 AM, Jeff Dyke wrote: >>> >>> what do you want it to do? if you're talking nginx without any application >>> backend you could do a lot with some lua locations, or you're going to pass >>> that request to another process, or serve a static (xml) file from the file >>> system. >> >> Hi Jeff, >> >> Thank you very much. >> I have requirement that application should "support webserver which >> includes xml and save xml file to filesystem" >> Does it mean that it actually should " serve a static (xml) file from >> the file" (the second option you mentioned). >> If yes - can you give some hints about it or where to read further about it ? >> >> Does it mean it just save and retrieve file parsing it to other >> commands ? (I have read somewhere that uploading a file parse the >> file, so I am a bit confused here) >> >> I am new with nginx, still learning it. >> >> Many thanks, >> Ran >> >> Nginx does support XML just fine, its all a matter of what you want >>> >>> your application to do. >>> >>> On Fri, Mar 10, 2017 at 12:01 PM, Ran Shalit wrote: >>>> >>>> Hello, >>>> >>>> I am new with web servers and nginx. >>>> I would like to ask if nginx support xml , and what does it mean to >>>> upload xml to web server ? >>>> Does it just keep the xml as file in some directory , or does it do >>>> parse the xml file and do some actions ? >>>> >>>> Thank you, >>>> Ran >>>> _______________________________________________ >>>> nginx mailing list >>>> nginx at nginx.org >>>> http://mailman.nginx.org/mailman/listinfo/nginx >>> >>> >>> >>> _______________________________________________ >>> nginx mailing list >>> nginx at nginx.org >>> http://mailman.nginx.org/mailman/listinfo/nginx >> >> _______________________________________________ >> nginx mailing list >> nginx at nginx.org >> http://mailman.nginx.org/mailman/listinfo/nginx > > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx -------------- next part -------------- An HTML attachment was scrubbed... URL: From igal at lucee.org Sun Mar 12 05:26:22 2017 From: igal at lucee.org (Igal @ Lucee.org) Date: Sat, 11 Mar 2017 21:26:22 -0800 Subject: upload xml file In-Reply-To: References:

Message-ID: If this is a static file, i.e. a file that you upload to the server and is served as-is, then you do not need anything beyond nginx. nginx does a great job at serving static content. Igal Sapir Lucee Core Developer Lucee.org On 3/11/2017 9:08 PM, Ran Shalit wrote: > > > On Mar 11, 2017 9:04 PM, "Igal @ Lucee.org" > wrote: > > > > Ran, > > > > You would probably want to use an Application Server behind the Web > Server (nginx). Then you would use the nginx to proxy the request to > the application server, where you can write code in the language that > the application server supports (for example, I use Lucee as an > application server, but many people use PHP or JSP or a bunch of other > technologies). > > > > In the application server you can do whatever you want with the > request, e.g. read request parameters and build an XML document on the > fly, and send it back to nginx which will send it back to the client. > > Hi, > In case we just want to save xml file(like a binary file) and later > read it, Is there any need for application in server or is it only > nginx server required for such reuirement? > Thank you, > Ran > > > > > nginx is a web server, similar in function to apache httpd or IIS, > but much better in my opinion (and in the opinion of most users on > this list, I would think), but if you want to serve dynamic content > then you should have an application server behind it. > > > > HTH, > > > > Igal Sapir > > Lucee Core Developer > > Lucee.org > > > > On 3/10/2017 11:07 PM, Ran Shalit wrote: > >> > >> On Sat, Mar 11, 2017 at 12:19 AM, Jeff Dyke > wrote: > >>> > >>> what do you want it to do? if you're talking nginx without any > application > >>> backend you could do a lot with some lua locations, or you're > going to pass > >>> that request to another process, or serve a static (xml) file from > the file > >>> system. > >> > >> Hi Jeff, > >> > >> Thank you very much. > >> I have requirement that application should "support webserver which > >> includes xml and save xml file to filesystem" > >> Does it mean that it actually should " serve a static (xml) file from > >> the file" (the second option you mentioned). > >> If yes - can you give some hints about it or where to read further > about it ? > >> > >> Does it mean it just save and retrieve file parsing it to other > >> commands ? (I have read somewhere that uploading a file parse the > >> file, so I am a bit confused here) > >> > >> I am new with nginx, still learning it. > >> > >> Many thanks, > >> Ran > >> > >> Nginx does support XML just fine, its all a matter of what you want > >>> > >>> your application to do. > >>> > >>> On Fri, Mar 10, 2017 at 12:01 PM, Ran Shalit > wrote: > >>>> > >>>> Hello, > >>>> > >>>> I am new with web servers and nginx. > >>>> I would like to ask if nginx support xml , and what does it mean to > >>>> upload xml to web server ? > >>>> Does it just keep the xml as file in some directory , or does it do > >>>> parse the xml file and do some actions ? > >>>> > >>>> Thank you, > >>>> Ran > >>>> _______________________________________________ > >>>> nginx mailing list > >>>> nginx at nginx.org > >>>> http://mailman.nginx.org/mailman/listinfo/nginx > >>> > >>> > >>> > >>> _______________________________________________ > >>> nginx mailing list > >>> nginx at nginx.org > >>> http://mailman.nginx.org/mailman/listinfo/nginx > >> > >> _______________________________________________ > >> nginx mailing list > >> nginx at nginx.org > >> http://mailman.nginx.org/mailman/listinfo/nginx > > > > > > > > _______________________________________________ > > nginx mailing list > > nginx at nginx.org > > http://mailman.nginx.org/mailman/listinfo/nginx > > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx -------------- next part -------------- An HTML attachment was scrubbed... URL: From fsantiago at garbage-juice.com Sun Mar 12 15:54:15 2017 From: fsantiago at garbage-juice.com (Fabian A. Santiago) Date: Sun, 12 Mar 2017 15:54:15 +0000 Subject: Nginx serving extra ssl certs Message-ID: Hello nginx world, I hope you can help me track down my issue. First, I'm running: Centos 7.3.1611 Nginx 1.11.10 Openssl 1.0.1e-fips My issue is I run 11 virtual sites, all listening on both ipv4 & 6, same two addresses, so obviously I rely on SNI. One site also listens on tor. When I check the ssl responses using either ssllabs server test or openssl s_client, my sites work fine but also serve an extra 2nd cert meant for the wrong hostname. I'm confused as I see no issue with my config files. I've attached a sample of my config files for one site for your perusal. You can also check this domain for yourself: server1.garbage-juice.com Thanks for your help. -- Thanks. Fabian S. -------------- next part -------------- A non-text attachment was scrubbed... Name: Documents.7z Type: application/octet-stream Size: 1304 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 870 bytes Desc: not available URL: From r1ch+nginx at teamliquid.net Sun Mar 12 19:58:41 2017 From: r1ch+nginx at teamliquid.net (Richard Stanway) Date: Sun, 12 Mar 2017 20:58:41 +0100 Subject: Nginx serving extra ssl certs In-Reply-To: References: Message-ID: Your configs look fine, what you are seeing is the certificate that is sent if a client does not support SNI. You can control which certificate is chosen using the default_server parameter on your listen directive. On Sun, Mar 12, 2017 at 4:54 PM, Fabian A. Santiago < fsantiago at garbage-juice.com> wrote: > Hello nginx world, > > I hope you can help me track down my issue. > > First, I'm running: > > Centos 7.3.1611 > Nginx 1.11.10 > Openssl 1.0.1e-fips > > My issue is I run 11 virtual sites, all listening on both ipv4 & 6, same > two addresses, so obviously I rely on SNI. One site also listens on tor. > > When I check the ssl responses using either ssllabs server test or openssl > s_client, my sites work fine but also serve an extra 2nd cert meant for the > wrong hostname. I'm confused as I see no issue with my config files. > > I've attached a sample of my config files for one site for your perusal. > > You can also check this domain for yourself: > > server1.garbage-juice.com > > Thanks for your help. > > > -- > Thanks. > Fabian S. > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From fsantiago at garbage-juice.com Sun Mar 12 20:27:58 2017 From: fsantiago at garbage-juice.com (Fabian A. Santiago) Date: Sun, 12 Mar 2017 20:27:58 +0000 Subject: Nginx serving extra ssl certs In-Reply-To: References:

Message-ID: <87045FD9-A69E-433A-AF0B-6BB7E794AE6A@garbage-juice.com> On March 12, 2017 3:58:41 PM EDT, Richard Stanway wrote: >Your configs look fine, what you are seeing is the certificate that is >sent >if a client does not support SNI. You can control which certificate is >chosen using the default_server parameter on your listen directive. > >On Sun, Mar 12, 2017 at 4:54 PM, Fabian A. Santiago < >fsantiago at garbage-juice.com> wrote: > >> Hello nginx world, >> >> I hope you can help me track down my issue. >> >> First, I'm running: >> >> Centos 7.3.1611 >> Nginx 1.11.10 >> Openssl 1.0.1e-fips >> >> My issue is I run 11 virtual sites, all listening on both ipv4 & 6, >same >> two addresses, so obviously I rely on SNI. One site also listens on >tor. >> >> When I check the ssl responses using either ssllabs server test or >openssl >> s_client, my sites work fine but also serve an extra 2nd cert meant >for the >> wrong hostname. I'm confused as I see no issue with my config files. >> >> I've attached a sample of my config files for one site for your >perusal. >> >> You can also check this domain for yourself: >> >> server1.garbage-juice.com >> >> Thanks for your help. >> >> >> -- >> Thanks. >> Fabian S. >> _______________________________________________ >> nginx mailing list >> nginx at nginx.org >> http://mailman.nginx.org/mailman/listinfo/nginx >> Oh, that makes sense. Ok, I guess I just never noticed that before. And also thought that default site wouldn't be sent unless it knew of no SNI already. Thanks. That was easy. -- Thanks. Fabian S. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 870 bytes Desc: not available URL: From nginx-forum at forum.nginx.org Mon Mar 13 06:13:10 2017 From: nginx-forum at forum.nginx.org (nginxsantos) Date: Mon, 13 Mar 2017 02:13:10 -0400 Subject: OAuth Access token validation Message-ID: <840acdde6121f8301091ce84736220f3.NginxMailingListEnglish@forum.nginx.org> Hi, Does Nginx provide the support for verifying the access token in the incoming request from an Identity Server? Regards, Santos Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272899,272899#msg-272899 From reallfqq-nginx at yahoo.fr Mon Mar 13 11:01:46 2017 From: reallfqq-nginx at yahoo.fr (B.R.) Date: Mon, 13 Mar 2017 12:01:46 +0100 Subject: OAuth Access token validation In-Reply-To: <840acdde6121f8301091ce84736220f3.NginxMailingListEnglish@forum.nginx.org> References: <840acdde6121f8301091ce84736220f3.NginxMailingListEnglish@forum.nginx.org> Message-ID: nginx can authenticate users based on subrequests to an identity server, yes, RTFM: https://nginx.org/en/docs/http/ngx_http_auth_request_module.html If you want to use JSON Web Tokens, only the non-FOSS version will be able to help you: https://nginx.org/en/docs/http/ngx_http_auth_jwt_module.html --- *B. R.* On Mon, Mar 13, 2017 at 7:13 AM, nginxsantos wrote: > Hi, > > Does Nginx provide the support for verifying the access token in the > incoming request from an Identity Server? > > > Regards, Santos > > Posted at Nginx Forum: https://forum.nginx.org/read. > php?2,272899,272899#msg-272899 > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mdounin at mdounin.ru Mon Mar 13 12:44:31 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 13 Mar 2017 15:44:31 +0300 Subject: proxy_pass and weird behaviour In-Reply-To: <80B90152-6508-4AF2-B8AE-B5E0FF18BF22@ellael.org> References: <80B90152-6508-4AF2-B8AE-B5E0FF18BF22@ellael.org> Message-ID: <20170313124431.GB13617@mdounin.ru> Hello! On Sat, Mar 11, 2017 at 09:07:54AM +0100, Michael Grimm wrote: [...] > Well, that is working, somehow, except: If the LE server > addresses Host A, the challenge file is going to be retrieved > instantaneously. If the LE server addresses Host B, only every > *other* request is being served instantaneously: > > 1. access: immediately download > 2. access: 60 s wait, then download > 3. access: immediately download > 4. access: 60 s wait, then download > etc. > > > Hmm, default proxy_connect_timeout is 60s, I know. But why every > other connect? You are using "proxy_pass http://local-at-host-A.lan;" in your configuration. What are the IP addresses it resolves to? The behaviour observed suggests that the name resolves to 2 different addresses, so nginx uses round-robin to balance between these addresses, and only one of these addresses is reacheable. The exact pattern also requires more than 10 seconds between (2) and (4), else (4) will be directed to a properly working address, see http://nginx.org/en/docs/http/ngx_http_upstream_module.html#fail_timeout. Though it is something likely to happen when testing manually. -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Mon Mar 13 13:38:03 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 13 Mar 2017 16:38:03 +0300 Subject: Conflict between form-input-nginx-module and nginx-auth-request-module? In-Reply-To: <1583805220.3341540.1489209218867@mail.yahoo.com> References: <1719659735.1981960.1489064303554.ref@mail.yahoo.com> <1719659735.1981960.1489064303554@mail.yahoo.com> <1583805220.3341540.1489209218867@mail.yahoo.com> Message-ID: <20170313133803.GD13617@mdounin.ru> Hello! On Sat, Mar 11, 2017 at 05:13:38AM +0000, Yongtao You via nginx wrote: > To answer my own question, even though I still don't see why it has anything to do with the auth-request module, but the reason requests are timing out is because form-input module called ngx_http_read_client_request_body(), which then set write_event_handler to ngx_http_request_empty_handler to block write events. This seems to block the event from being forwarded to the backend (via proxy_pass). I modified the ngx_http_read_client_request_body() implementation to not override the request's write_event_handler, and everything started working. No more timeouts. > I don't know enough to understand the ramification of my change, even though it seems to fixed my immediate problem. Any insights will be greatly appreciated. The ngx_http_read_client_request_body() function must overwrite request handlers, including r->write_event_handler, or an write event while reading a request body will result in unexpected additional processing. Proper solution would be to fix the form-input module to restore r->write_event_handler to ngx_http_core_run_phases() after the request body has been read (and before the module calls ngx_http_core_run_phases() again). -- Maxim Dounin http://nginx.org/ From nginx-forum at forum.nginx.org Mon Mar 13 14:22:09 2017 From: nginx-forum at forum.nginx.org (larsg) Date: Mon, 13 Mar 2017 10:22:09 -0400 Subject: Reverse Proxy with 500k connections In-Reply-To: References: Message-ID: <526e090e93b14086f8f48677f21a3006.NginxMailingListEnglish@forum.nginx.org> Hi Guys, we solved the problem and I wanted to give you feedback about the solution. Finally it was an problem with our linux ip routes. After implementing source based policy routing this nginx configuration worked. Thank you for your support! Kind Regards Lars Summary of Solution: split_clients "${remote_addr}${remote_port}AAAA" $source_ip { 10% 192.168.1.130; 10% 192.168.1.131; ... * 192.168.1.139; } server { listen 443 ssl backlog=163840; proxy_bind $source_ip; ... ip rule ls 0: from all lookup local 32754: from 192.168.1.139 lookup es-source-eth9 ... 32756: from 192.168.1.130 lookup es-source-eth0 32766: from all lookup main 32767: from all lookup default ip route list table es-source-eth9 192.168.1.0/24 dev eth9 scope link Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272808,272915#msg-272915 From nginx-forum at forum.nginx.org Mon Mar 13 14:38:12 2017 From: nginx-forum at forum.nginx.org (larsg) Date: Mon, 13 Mar 2017 10:38:12 -0400 Subject: proxy_bind with hostname from /etc/hosts possible? Message-ID: Hi! is it possible to use an hostname from local /etc/hosts as proxy_bind value? In our current Background: We use nginx 1.8.1 as reverse proxy. In order to overcome the "Overcoming Ephemeral Port Exhaustion" problem (64k+ connections), we use proxy_bind to iterate over all loccally available IP addresses and assign them as source IP (see https://www.nginx.com/blog/overcoming-ephemeral-port-exhaustion-nginx-plus/) In order to have an generic nginx configuration for all of our nginx instances, we don't want to hard code server specific IPs in the nginx.conf but use hostnames that are defined in the local /etc/hosts. You can see our current configuration above. Unfortunately nginx cannot resolve the hostname (localip0 etc.). There is an error log "invalid local address "localip0"...). We also tested the usage of upstream directive. Same result. I'm worry that I only can use explicit IP addresses in this situation. Or do you have an alternative solution? /etc/host: 192.168.1.130 localip0 192.168.1.132 localip1 ... nginx.conf: split_clients "${remote_addr}${remote_port}AAAA" $source_ip { 10% localip0; 10% localip1; ... } server { listen 443; proxy_bind $source_ip; ... Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272918,272918#msg-272918 From simpot at simpot.com Tue Mar 14 07:20:35 2017 From: simpot at simpot.com (Dmitry Saratsky) Date: Tue, 14 Mar 2017 07:20:35 +0000 Subject: adding LUA module into yum repo? In-Reply-To: References: Message-ID: Hello, Is there any plans to add LUA module into official nginx Yum repository? Thanks a lot! -------------- next part -------------- An HTML attachment was scrubbed... URL:

302 Found

301 Moved Permanently

Index of /data/foo/