Re: Reply: Re: Reply: Re: Reply: Re: Reply: Re: Issue about nginx removing the header "Connection" in HTTP response?

Aleksandar Lazic al-nginx at none.at
Tue Mar 7 22:25:52 UTC 2017


Hi. 

Well, that's a lot of modules and lua stuff there.

What's in the '*by_lua_file's ? 

Can you run from a specific IP the debug log to see what's happening in
nginx?

http://nginx.org/en/docs/debugging_log.html 

regards 

aleks 

On 07-03-2017 10:49, tjlp at sina.com wrote:

> Hi, Aleks,
> 
> The result of nginx -V is as follows:
> nginx version: nginx/1.11.1
> built by gcc 4.9.2 (Debian 4.9.2-10)
> built with OpenSSL 1.0.1t  3 May 2016
> TLS SNI support enabled
> configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_sub_module --with-http_v2_module --with-http_spdy_module --with-stream --with-stream_ssl_module --with-threads --with-file-aio --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module
> --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --add-module=/tmp/build/ngx_devel_kit-0.3.0 --add-module=/tmp/build/set-misc-nginx-module-0.30 --add-module=/tmp/build/nginx-module-vts-0.1.9 --add-module=/tmp/build/lua-nginx-module-0.10.5 --add-module=/tmp/build/headers-more-nginx-module-0.30 --add-module=/tmp/build/nginx-goodies-nginx-sticky-module-ng-c78b7dd79d0d --add-module=/tmp/build/nginx-http-auth-digest-f85f5d6fdcc06002ff879f5cbce930999c287011 --add-module=/tmp/build/ngx_http_substitutions_filter_module-bc58cb11844bc42735bbaef7085ea86ace46d05b --add-module=/tmp/build/lua-upstream-nginx-module-0.05
> 
> The nginx conf is:
> 
> daemon off;
> 
> worker_processes 2;
> 
> pid /run/nginx.pid;
> 
> worker_rlimit_nofile 131072;
> 
> pcre_jit on;
> 
> events {
> multi_accept        on;
> worker_connections  16384;
> use                 epoll; 
> }
> 
> http {
> 
> lua_shared_dict server_sessioncnt_dict 20k;
> lua_shared_dict server_dict 20k;
> lua_shared_dict server_acceptnewconn_dict 20k;
> lua_shared_dict sessionid_server_dict 100k;
> 
> real_ip_header      X-Forwarded-For;
> set_real_ip_from    0.0.0.0/0;
> real_ip_recursive   on;
> 
> geoip_country       /etc/nginx/GeoIP.dat;
> geoip_city          /etc/nginx/GeoLiteCity.dat;
> geoip_proxy_recursive on;
> vhost_traffic_status_zone shared:vhost_traffic_status:10m;
> vhost_traffic_status_filter_by_set_key $geoip_country_code country::*;
> # lua section to return proper error codes when custom pages are used
> lua_package_path '.?.lua;./etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/lua-resty-http/lib/?.lua;/etc/nginx/lua/vendor/lua-resty-lrucache/lib/?.lua;/etc/nginx/lua/vendor/lua-resty-core/lib/?.lua;/etc/nginx/lua/vendor/lua-resty-balancer/lib/?.lua;';
> 
> init_by_lua_file /etc/nginx/lua/init_by_lua.lua;
> 
> sendfile            on;
> aio                 threads;
> tcp_nopush          on;
> tcp_nodelay         on;
> 
> log_subrequest      on;
> 
> reset_timedout_connection on;
> 
> keepalive_timeout 75s;
> 
> types_hash_max_size 2048;
> server_names_hash_max_size 512;
> server_names_hash_bucket_size 64;
> 
> include /etc/nginx/mime.types;
> default_type text/html;
> gzip on;
> gzip_comp_level 5;
> gzip_http_version 1.1;
> gzip_min_length 256;
> gzip_types application/atom+xml application/javascript aplication/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component;    
> gzip_proxied any;
> 
> client_max_body_size "64m";
> 
> log_format upstreaminfo '$remote_addr - '
> '[$proxy_add_x_forwarded_for] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" '
> '$request_length $request_time $upstream_addr $upstream_response_length $upstream_response_time $upstream_status';
> 
> map $request $loggable {
> default 1;
> }
> 
> access_log /var/log/nginx/access.log upstreaminfo if=$loggable;
> error_log  /var/log/nginx/error.log notice;
> 
> map $http_upgrade $connection_upgrade {
> default upgrade;
> ''      close;
> }
> 
> # trust http_x_forwarded_proto headers correctly indicate ssl offloading
> map $http_x_forwarded_proto $pass_access_scheme {
> default $http_x_forwarded_proto;
> ''      $scheme;
> }
> 
> # Map a response error watching the header Content-Type
> map $http_accept $httpAccept {
> default          html;
> application/json json;
> application/xml  xml;
> text/plain       text;
> }
> 
> map $httpAccept $httpReturnType {
> default          text/html;
> json             application/json;
> xml              application/xml;
> text             text/plain;
> }
> 
> server_name_in_redirect off;
> port_in_redirect off;
> 
> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
> 
> # turn on session caching to drastically improve performance
> 
> ssl_session_cache builtin:1000 shared:SSL:10m;
> ssl_session_timeout 10m;
> 
> # allow configuring ssl session tickets
> ssl_session_tickets on;
> 
> # slightly reduce the time-to-first-byte
> ssl_buffer_size 4k;
> 
> # allow configuring custom ssl ciphers
> ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
> ssl_prefer_server_ciphers on;
> 
> # In case of errors try the next upstream server before returning an error
> proxy_next_upstream                     error timeout invalid_header http_502 http_503 http_504;
> 
> upstream liupeng-sm-rte-svc-13080 {
> server 172.77.69.10:13080;
> server 172.77.87.9:13080;
> 
> balancer_by_lua_file /etc/nginx/lua/balancer_by_lua.lua;
> 
> }
> 
> server {
> server_name _;
> listen 80;
> listen 443  ssl spdy http2;
> 
> # PEM sha: aad58c371e57f3c243a7c8143c17762c67a0f18a        
> ssl_certificate /etc/nginx-ssl/system-snake-oil-certificate.pem;
> ssl_certificate_key /etc/nginx-ssl/system-snake-oil-certificate.pem;
> 
> more_set_headers                            "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload";
> 
> vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name;
> 
> location /SM/ui {
> 
> proxy_set_header Host                   $host;
> 
> # Pass Real IP
> proxy_set_header X-Real-IP              $remote_addr;
> 
> # Allow websocket connections
> proxy_set_header                        Upgrade           $http_upgrade;
> 
> proxy_set_header                        Connection        "";
> 
> proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
> proxy_set_header X-Forwarded-Host       $host;
> proxy_set_header X-Forwarded-Port       $server_port;
> proxy_set_header X-Forwarded-Proto      $pass_access_scheme;
> 
> # mitigate HTTPoxy Vulnerability
> # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
> proxy_set_header Proxy                  "";
> 
> proxy_connect_timeout                   5s;
> proxy_send_timeout                      60s;
> proxy_read_timeout                      60s;
> 
> proxy_redirect                          off;
> 
> proxy_buffering                         off;
> 
> proxy_http_version                      1.1;
> 
> proxy_pass http://liupeng-sm-rte-svc-13080;
> 
> rewrite_by_lua_file /etc/nginx/lua/rewrite_by_lua.lua;
> 
> header_filter_by_lua_file /etc/nginx/lua/header_filter_by_lua.lua;
> 
> }
> 
> }
> }
> 
> ----- Original Message -----
> From: Aleksandar Lazic <al-nginx at none.at>
> To: tjlp at sina.com
> Cc: nginx <nginx at nginx.org>
> Subject: Re: Reply: Re: Reply: Re: Reply: Re: Issue about nginx removing the header "Connection" in HTTP response?
> Date: 2017-03-07 15:39
> 
> Hi Liu Peng.
> We still don't know your nginx version nor your config!
> Cite from below:
>> So now the standard Questions from me:
>> What's the output of nginx -V ?
>> What's your config?
> regards
> aleks
> On 07-03-2017 02:37, tjlp at sina.com wrote:
>> Hi, Aleks,
>> 
>> I tried your proposal and it doesn't work. Actually my issue is the same 
>> as this one 
>> http://stackoverflow.com/questions/5100971/nginx-and-proxy-pass-send-connection-close-headers.
>> 
>> 1. I add "keeplive_request 0". The result is that the "Connection: 
>> close" header is sent to client for every response. That does not match 
>> my requirement. Our application decides whether to finish the 
>> application session using this header.
>> 
>> 2. I add "proxy_pass_header Connection". Nginx keeps sending 
>> "Connection: keep-alive" header to client even when the header is 
>> "Connection: close" from upstream server.
>> 
>> Seems Nginx has some special handling for the Connection header in 
>> response. The openresty author suggests that the only way to change the 
>> response header is to change the nginx C code for this issue. See this issue: 
>> https://github.com/openresty/headers-more-nginx-module/issues/22#issuecomment-31585052.
>> 
>> Thanks
>> Liu Peng
>> 
>> ----- Original Message -----
>> From: Aleksandar Lazic <al-nginx at none.at>
>> To: tjlp at sina.com
>> Cc: nginx <nginx at nginx.org>
>> Subject: Re: Reply: Re: Reply: Re: Issue about nginx removing the header "Connection" in HTTP response?
>> Date: 2017-03-04 17:22
>> 
>> Hi Liu Peng.
>> On 04-03-2017 09:12, tjlp at sina.com wrote:
>>> 
>>> Hi, Aleks,
>>> 
>>> I don't want to hide the header.
>>> My problem is that Nginx changes the "Connection: close" header in the
>>> response from upstream server to "Connection: keep-alive" and sends it to
>>> client. I want to keep the original "Connection: close" header.
>> Ah that's a clear question.
>> It took us only 3 rounds to get to this clear question ;-)
>> So now the standard Questions from me:
>> What's the output of nginx -V ?
>> What's your config?
>> Maybe you have set 'keepalive' in the upstream config
>> http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
>> or
>> 'proxy_http_version 1.1;'
>> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version
>> as a last resort you can just pass the header with
>> 'proxy_pass_header Connection;'.
>> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_header
>> Choose the solution which fits your demand.
>> I can only guess due to the fact that we don't know your config.
>> May I ask you to take a look into this document, which exists in several
>> languages, thank you very much.
>> http://www.catb.org/~esr/faqs/smart-questions.html
>> Best regards
>> Aleks
>>> Thanks
>>> Liu Peng
>>> 
>>> ----- Original Message -----
>>> From: Aleksandar Lazic <al-nginx at none.at>
>>> To: tjlp at sina.com
>>> Cc: nginx <nginx at nginx.org>
>>> Subject: Re: Reply: Re: Issue about nginx removing the header "Connection" in HTTP response?
>>> Date: 2017-03-03 16:19
>>> Hi.
>>> 
>>> then one directive upward.
>>> 
>>> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header
>>> 
>>> Cheers
>>> 
>>> aleks
>>> 
>>> On 03-03-2017 06:00, tjlp at sina.com wrote:
>>> 
>>>> Hi,
>>>> 
>>>> What I mention is the header in response from backend server. Your
>>>> answer about proxy_set_header is the "Connection" header in request.
>>>> 
>>>> Thanks
>>>> Liu Peng
>>>> 
>>>> ----- Original Message -----
>>>> From: Aleksandar Lazic <al-nginx at none.at>
>>>> To: nginx at nginx.org
>>>> Cc: tjlp at sina.com
>>>> Subject: Re: Issue about nginx removing the header "Connection" in HTTP response?
>>>> Date: 2017-03-03 06:25
>>>> 
>>>> Hi.
>>>> On 01-03-2017 08:29, tjlp at sina.com wrote:
>>>>> Hi, nginx guy,
>>>>> 
>>>>> In our system, for some special requests, the upstream server will
>>>>> return a response whose header includes "Connection: Close".
>>>>> According to the HTTP protocol, "Connection" is a one-hop header.
>>>>> So, nginx will remove this header and the client can't do the business
>>>>> logic correctly.
>>>>> 
>>>>> How to handle this scenario?
>>>> you mean something like this?
>>>> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header
>>>> If the value of a header field is an empty string then this field will
>>>> not be passed to a proxied server:
>>>> proxy_set_header Connection "";
>>>>> Thanks
>>>>> Liu Peng
>>>>> _______________________________________________
>>>>> nginx mailing list
>>>>> nginx at nginx.org
>>>>> http://mailman.nginx.org/mailman/listinfo/nginx
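
One way to read the debug log that the top reply asks for, as an added example that is not part of the thread: the script pairs, per connection, the `Connection` value nginx received from the upstream with the one it sent to the client. The log excerpt is constructed in the shape of nginx's debug log (debug logging for a single client address is enabled with `debug_connection` in the `events` block, as the linked page describes), and the function names are assumptions of this example.

```python
import re

# Constructed excerpt in the shape of an nginx debug log (not taken from the thread).
SAMPLE_LOG = """\
2017/03/07 10:00:01 [debug] 31#31: *7 http proxy header: "Content-Type: text/html"
2017/03/07 10:00:01 [debug] 31#31: *7 http proxy header: "Connection: close"
2017/03/07 10:00:01 [debug] 31#31: *7 http proxy header done
2017/03/07 10:00:01 [debug] 31#31: *7 HTTP/1.1 200 OK
Server: nginx/1.11.1
Content-Type: text/html
Connection: keep-alive
2017/03/07 10:00:01 [debug] 31#31: *7 write new buf
2017/03/07 10:00:02 [debug] 31#31: *8 http proxy header: "Connection: keep-alive"
2017/03/07 10:00:02 [debug] 31#31: *8 HTTP/1.1 200 OK
Server: nginx/1.11.1
Connection: keep-alive
"""

# Prefixed log line: timestamp, level, pid#tid, "*<connection id>", message.
PREFIX = re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d \[debug\] \d+#\d+: \*(\d+) (.*)$")
UPSTREAM = re.compile(r'^http proxy header: "Connection: (.*)"$', re.I)
STATUS = re.compile(r"^HTTP/\d\.\d \d{3}")
CLIENT = re.compile(r"^Connection: (.*)$", re.I)

def connection_headers(log_text):
    """Return {connection_id: {"upstream": value, "client": value}}.
    On a keep-alive connection the last request seen wins."""
    seen = {}
    in_response = None  # connection whose outgoing header block is being read
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if m:
            conn, msg = int(m.group(1)), m.group(2)
            entry = seen.setdefault(conn, {"upstream": None, "client": None})
            up = UPSTREAM.match(msg)
            if up:
                entry["upstream"] = up.group(1).strip().lower()
            # The response header block starts on a prefixed status line;
            # the header lines that follow it carry no prefix.
            in_response = conn if STATUS.match(msg) else None
        elif in_response is not None:
            c = CLIENT.match(line)
            if c:
                seen[in_response]["client"] = c.group(1).strip().lower()
    return seen

def rewritten(log_text):
    """Connection ids where the client saw a different value than the upstream sent."""
    return sorted(c for c, h in connection_headers(log_text).items()
                  if h["upstream"] and h["client"] and h["upstream"] != h["client"])
```
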