Reply: Re: Reply: Re: Reply: Re: Reply: Re: Reply: Re: Issue about nginx removing the header "Connection" in HTTP response?

tjlp at sina.com tjlp at sina.com
Wed Mar 8 00:58:49 UTC 2017


Hi, Aleks,

This nginx conf is generated by the Kubernetes nginx ingress controller. We use nginx in the Kubernetes cluster, so many modules are there.

The Lua script is supported by the open source OpenResty. You can google it to find how and why to use it. We use it for our special load balancing.

For the log, I am not sure what you need.

Thanks
----- Original Message -----
From: Aleksandar Lazic <al-nginx at none.at>
To: tjlp at sina.com
Cc: nginx <nginx at nginx.org>
Subject: Re: Reply: Re: Reply: Re: Reply: Re: Reply: Re: Issue about nginx removing the header "Connection" in HTTP response?
Date: 2017-03-08 06:26


Hi.
Well, that's a lot of modules and Lua stuff there.
What's in the '*by_lua_file's ?
Can you run the debug log from a specific IP to see what's happening in nginx?
http://nginx.org/en/docs/debugging_log.html
regards
aleks
On 07-03-2017 10:49, tjlp at sina.com wrote:

Hi, Aleks,



The result of nginx -V is as follows:
nginx version: nginx/1.11.1
built by gcc 4.9.2 (Debian 4.9.2-10)
built with OpenSSL 1.0.1t  3 May 2016
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_sub_module --with-http_v2_module --with-http_spdy_module --with-stream --with-stream_ssl_module --with-threads --with-file-aio --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --add-module=/tmp/build/ngx_devel_kit-0.3.0 --add-module=/tmp/build/set-misc-nginx-module-0.30 --add-module=/tmp/build/nginx-module-vts-0.1.9 --add-module=/tmp/build/lua-nginx-module-0.10.5 --add-module=/tmp/build/headers-more-nginx-module-0.30 --add-module=/tmp/build/nginx-goodies-nginx-sticky-module-ng-c78b7dd79d0d --add-module=/tmp/build/nginx-http-auth-digest-f85f5d6fdcc06002ff879f5cbce930999c287011 --add-module=/tmp/build/ngx_http_substitutions_filter_module-bc58cb11844bc42735bbaef7085ea86ace46d05b --add-module=/tmp/build/lua-upstream-nginx-module-0.05



The nginx conf is:



daemon off;

worker_processes 2;

pid /run/nginx.pid;

worker_rlimit_nofile 131072;

pcre_jit on;

events {
    multi_accept        on;
    worker_connections  16384;
    use                 epoll; 
}

http {

    lua_shared_dict server_sessioncnt_dict 20k;
    lua_shared_dict server_dict 20k;
    lua_shared_dict server_acceptnewconn_dict 20k;
    lua_shared_dict sessionid_server_dict 100k;
    
    
    
    real_ip_header      X-Forwarded-For;
    set_real_ip_from    0.0.0.0/0;
    real_ip_recursive   on;

    
    
    
    geoip_country       /etc/nginx/GeoIP.dat;
    geoip_city          /etc/nginx/GeoLiteCity.dat;
    geoip_proxy_recursive on;
    vhost_traffic_status_zone shared:vhost_traffic_status:10m;
    vhost_traffic_status_filter_by_set_key $geoip_country_code country::*;
    # lua section to return proper error codes when custom pages are used
    lua_package_path '.?.lua;./etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/lua-resty-http/lib/?.lua;/etc/nginx/lua/vendor/lua-resty-lrucache/lib/?.lua;/etc/nginx/lua/vendor/lua-resty-core/lib/?.lua;/etc/nginx/lua/vendor/lua-resty-balancer/lib/?.lua;';

    init_by_lua_file /etc/nginx/lua/init_by_lua.lua;

    sendfile            on;
    aio                 threads;
    tcp_nopush          on;
    tcp_nodelay         on;
    
    log_subrequest      on;

    reset_timedout_connection on;

    keepalive_timeout 75s;

    types_hash_max_size 2048;
    server_names_hash_max_size 512;
    server_names_hash_bucket_size 64;

    include /etc/nginx/mime.types;
    default_type text/html;
    gzip on;
    gzip_comp_level 5;
    gzip_http_version 1.1;
    gzip_min_length 256;
    gzip_types application/atom+xml application/javascript aplication/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component;    
    gzip_proxied any;

    client_max_body_size "64m";

    log_format upstreaminfo '$remote_addr - '
        '[$proxy_add_x_forwarded_for] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" '
        '$request_length $request_time $upstream_addr $upstream_response_length $upstream_response_time $upstream_status';

    
    
    map $request $loggable {
        default 1;
    }

    access_log /var/log/nginx/access.log upstreaminfo if=$loggable;
    error_log  /var/log/nginx/error.log notice;

    

    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # trust http_x_forwarded_proto headers correctly indicate ssl offloading
    map $http_x_forwarded_proto $pass_access_scheme {
      default $http_x_forwarded_proto;
      ''      $scheme;
    }

    # Map a response error watching the header Content-Type
    map $http_accept $httpAccept {
        default          html;
        application/json json;
        application/xml  xml;
        text/plain       text;
    }

    map $httpAccept $httpReturnType {
        default          text/html;
        json             application/json;
        xml              application/xml;
        text             text/plain;
    }

    server_name_in_redirect off;
    port_in_redirect off;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # turn on session caching to drastically improve performance
    
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_session_timeout 10m;
    

    # allow configuring ssl session tickets
    ssl_session_tickets on;

    # slightly reduce the time-to-first-byte
    ssl_buffer_size 4k;

    
    # allow configuring custom ssl ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    

    

    # In case of errors try the next upstream server before returning an error
    proxy_next_upstream                     error timeout invalid_header http_502 http_503 http_504;

    upstream liupeng-sm-rte-svc-13080 {
        server 172.77.69.10:13080;
        server 172.77.87.9:13080;

        balancer_by_lua_file /etc/nginx/lua/balancer_by_lua.lua;
    }

    server {
        server_name _;
        listen 80;
        listen 443  ssl spdy http2;
        
        # PEM sha: aad58c371e57f3c243a7c8143c17762c67a0f18a        
        ssl_certificate /etc/nginx-ssl/system-snake-oil-certificate.pem;
        ssl_certificate_key /etc/nginx-ssl/system-snake-oil-certificate.pem;

        more_set_headers                            "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload";

        vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name;
        
        
        
        
        
        
        
        
        
        location /SM/ui {
            
            
            

            

            proxy_set_header Host                   $host;

            # Pass Real IP
            proxy_set_header X-Real-IP              $remote_addr;

            # Allow websocket connections
            proxy_set_header                        Upgrade           $http_upgrade;
            
            proxy_set_header                        Connection        "";
            

            proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host       $host;
            proxy_set_header X-Forwarded-Port       $server_port;
            proxy_set_header X-Forwarded-Proto      $pass_access_scheme;

            # mitigate HTTPoxy Vulnerability
            # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
            proxy_set_header Proxy                  "";

            proxy_connect_timeout                   5s;
            proxy_send_timeout                      60s;
            proxy_read_timeout                      60s;

            proxy_redirect                          off;
            
            proxy_buffering                         off;

            proxy_http_version                      1.1;

            
            proxy_pass http://liupeng-sm-rte-svc-13080;
            
            
            rewrite_by_lua_file /etc/nginx/lua/rewrite_by_lua.lua;

            header_filter_by_lua_file /etc/nginx/lua/header_filter_by_lua.lua;

            
        }
        

    }
}









----- Original Message -----
From: Aleksandar Lazic <al-nginx at none.at>
To: tjlp at sina.com
Cc: nginx <nginx at nginx.org>
Subject: Re: Reply: Re: Reply: Re: Reply: Re: Issue about nginx removing the header "Connection" in HTTP response?
Date: 2017-03-07 15:39


Hi Liu Peng.
We still don't know your nginx version nor your config!
Cite from below:
> So now the standard Questions from me:
> What's the output of nginx -V ?
> What's your config?
regards
aleks
On 07-03-2017 02:37, tjlp at sina.com wrote:
> Hi, Aleks,
> 
> I tried your proposal and it doesn't work. Actually my issue is the same 
> as this one 
> http://stackoverflow.com/questions/5100971/nginx-and-proxy-pass-send-connection-close-headers.
> 
> 1. I added "keeplive_request 0". The result is that the "Connection: 
> close" header is sent to the client for every response. That does not match 
> my requirement. Our application decides whether to finish the 
> application session using this header.
> 
> 2. I added "proxy_pass_header Connection". Nginx keeps sending the 
> "Connection: keep-alive" header to the client even though the header is 
> "Connection: close" from the upstream server.
> 
> It seems Nginx has some special handling for the Connection header in 
> the response. The openresty author suggests that the only way to change 
> the response header is to change the nginx C code for this issue. See this issue: 
> https://github.com/openresty/headers-more-nginx-module/issues/22#issuecomment-31585052.
> 
> Thanks
> Liu Peng
> 
> ----- Original Message -----
> From: Aleksandar Lazic <al-nginx at none.at>
> To: tjlp at sina.com
> Cc: nginx <nginx at nginx.org>
> Subject: Re: Reply: Re: Reply: Re: Issue about nginx removing the header "Connection" in HTTP response?
> Date: 2017-03-04 17:22
> 
> Hi Liu Peng.
> On 04-03-2017 09:12, tjlp at sina.com wrote:
>> 
>> Hi, Aleks,
>> 
>> I don't want to hide the header.
>> My problem is that Nginx changes the "Connection: close" header in the
>> response from the upstream server to "Connection: keep-alive" and sends it to
>> the client. I want to keep the original "Connection: close" header.
> Ah that's a clear question.
> It took us only 3 rounds to get to this clear question ;-)
> So now the standard Questions from me:
> What's the output of nginx -V ?
> What's your config?
> Maybe you have set 'keepalive' in the upstream config
> http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
> or
> 'proxy_http_version 1.1;'
> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version
> as a last resort you can just pass the header with
> 'proxy_pass_header Connection;'.
> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_header
> Choose the solution which fits your demand.
> I can only guess due to the fact that we don't know your config.
> May I ask you to take a look into this document, which exists in several
> languages, thank you very much.
> http://www.catb.org/~esr/faqs/smart-questions.html
> Best regards
> Aleks
>> Thanks
>> Liu Peng
>> 
>> ----- Original Message -----
>> From: Aleksandar Lazic <al-nginx at none.at>
>> To: tjlp at sina.com
>> Cc: nginx <nginx at nginx.org>
>> Subject: Re: Reply: Re: Issue about nginx removing the header "Connection" in HTTP response?
>> Date: 2017-03-03 16:19
>> Hi.
>> 
>> then one directive upward.
>> 
>> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header
>> 
>> Cheers
>> 
>> aleks
>> 
>> On 03-03-2017 06:00, tjlp at sina.com wrote:
>> 
>>> Hi,
>>> 
>>> What I mention is the header in response from backend server. Your
>>> answer about proxy_set_header is the "Connection" header in request.
>>> 
>>> Thanks
>>> Liu Peng
>>> 
>>> ----- Original Message -----
>>> From: Aleksandar Lazic <al-nginx at none.at>
>>> To: nginx at nginx.org
>>> Cc: tjlp at sina.com
>>> Subject: Re: Issue about nginx removing the header "Connection" in HTTP response?
>>> Date: 2017-03-03 06:25
>>> 
>>> Hi.
>>> On 01-03-2017 08:29, tjlp at sina.com wrote:
>>>> Hi, nginx guy,
>>>> 
>>>> In our system, for some special requests, the upstream server will
>>>> return a response whose header includes "Connection: Close".
>>>> According to the HTTP protocol, "Connection" is a one-hop header.
>>>> So, nginx will remove this header and the client can't do the
>>>> business logic correctly.
>>>> 
>>>> How to handle this scenario?
>>> you mean something like this?
>>> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header
>>> If the value of a header field is an empty string then this field will
>>> not be passed to a proxied server:
>>> proxy_set_header Connection "";
>>>> Thanks
>>>> Liu Peng
>>>> _______________________________________________
>>>> nginx mailing list
>>>> nginx at nginx.org
>>>> http://mailman.nginx.org/mailman/listinfo/nginx
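
The behaviour discussed in this thread, as an added Python sketch that is not part of the original messages and is not nginx code: a proxy drops the upstream's hop-by-hop `Connection` header and writes its own for the client-side connection. The sample response and the `X-App-Session` header are constructed for illustration.

```python
# Added illustration: a simplified model of proxy response-header handling,
# not nginx source code.

# Hop-by-hop headers are meaningful for one connection only and are not forwarded.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}

# Constructed sample: X-App-Session is a hypothetical end-to-end header.
SAMPLE_UPSTREAM = [
    ("Content-Type", "text/html"),
    ("Connection", "close"),
    ("X-App-Session", "end"),
]


def forward_response_headers(upstream_headers, client_keepalive):
    """Return the (name, value) list the proxy sends to the client.

    client_keepalive is the proxy's own decision about the client-side
    connection; the upstream's Connection value plays no part in it.
    """
    # Any header named inside the upstream Connection field is hop-by-hop too.
    nominated = set()
    for name, value in upstream_headers:
        if name.lower() == "connection":
            nominated.update(t.strip().lower() for t in value.split(",") if t.strip())

    drop = HOP_BY_HOP | nominated
    out = [(n, v) for n, v in upstream_headers if n.lower() not in drop]
    # The proxy writes a fresh Connection header for its own hop.
    out.append(("Connection", "keep-alive" if client_keepalive else "close"))
    return out


if __name__ == "__main__":
    for keepalive in (True, False):
        print(keepalive, forward_response_headers(SAMPLE_UPSTREAM, keepalive))
```

With client keep-alive enabled the client sees `Connection: keep-alive` although the upstream sent `close`; with it disabled every response carries `Connection: close`, matching the two observations reported in the thread. The end-to-end header passes through unchanged in both cases.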


