From nginx-forum at forum.nginx.org Mon Aug 1 22:29:53 2022
From: nginx-forum at forum.nginx.org (justin_achievable)
Date: Mon, 01 Aug 2022 18:29:53 -0400
Subject: Best way to handle large number of frequently updated redirects
Message-ID:

Hi, I'm looking for advice on the best way to handle a fairly large and frequently updated list of redirects.

Basically, I have a CSV file with source, target, and redirect type. There are several hundred entries, with updates made about weekly. We expect this list to grow quickly into the thousands once we have a process in place.

From my research, it feels like a redirect map using (http://nginx.org/en/docs/http/ngx_http_map_module.html) might be the best option. So would the preferred approach be to write a script to process the CSV file into an include that works with map, sync the map file to the server and reload periodically to pick up on the updated config?

Any advice would be appreciated.

Thank you,
Justin Pincar
https://achievable.me

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,294889,294889#msg-294889

From al-nginx at none.at Tue Aug 2 10:43:59 2022
From: al-nginx at none.at (Aleksandar Lazic)
Date: Tue, 2 Aug 2022 12:43:59 +0200
Subject: Best way to handle large number of frequently updated redirects
In-Reply-To:
References:
Message-ID: <6e400632-1b24-8974-c263-11e1bf8cf0e2@none.at>

Hi Justin.

On 02.08.22 00:29, justin_achievable wrote:
> Hi, I'm looking for advice on the best way to handle a fairly large and
> frequently updated list of redirects.
>
> Basically, I have a CSV file with source, target, and redirect type. There
> are several hundred entries, with updates made about weekly. We expect this
> list to grow quickly into the thousands once we have a process in place.
>
> From my research, it feels like a redirect map using
> (http://nginx.org/en/docs/http/ngx_http_map_module.html) might be the best
> option. So would the preferred approach be to write a script to process the
> CSV file into an include that works with map, sync the map file to the
> server and reload periodically to pick up on the updated config?
>
> Any advice would be appreciated.

Well, we have done exactly that. What we have recognized is that a too-frequent reload does not give nginx the time to kill old children. Our solution was to look up the old processes via ps and only run the next reload when the old processes are gone.

> Thank you,
>
> Justin Pincar
> https://achievable.me
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,294889,294889#msg-294889
>
> _______________________________________________
> nginx mailing list -- nginx at nginx.org
> To unsubscribe send an email to nginx-leave at nginx.org

From nginx-forum at forum.nginx.org Tue Aug 2 15:01:32 2022
From: nginx-forum at forum.nginx.org (libresco_27)
Date: Tue, 02 Aug 2022 11:01:32 -0400
Subject: Proxy buffering query
Message-ID: <1eb8feaada3874cb9ee1121fb2ab5bac.NginxMailingListEnglish@forum.nginx.org>

Hi,

What is the relationship between these three directives - proxy_busy_buffers_size, proxy_buffers and proxy_buffer_size?

Currently, I'm only using proxy_buffer_size in my location block, but whenever I set it to some higher number, for ex: 32k, it throws the following error -

nginx: [emerg] "proxy_busy_buffers_size" must be less than the size of all "proxy_buffers" minus one buffer

Thanks in advance!
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,294892,294892#msg-294892

From francis at daoine.org Tue Aug 2 22:34:11 2022
From: francis at daoine.org (Francis Daly)
Date: Tue, 2 Aug 2022 23:34:11 +0100
Subject: Questions about real ip module
In-Reply-To: <9551b76b-187c-4424-a3ca-ae42b8aade7d@www.fastmail.com>
References: <9551b76b-187c-4424-a3ca-ae42b8aade7d@www.fastmail.com>
Message-ID: <20220802223411.GQ14648@daoine.org>

On Sat, Jul 30, 2022 at 05:13:52AM +0900, nanaya wrote:

Hi there,

> I have a few questions about the real ip module (tried on nginx/1.22.0):

I can see similar curious behaviour to what you report. I'm not sure if it is "intended behaviour", or "that kind of variation was never considered" -- either way, you'll likely need a code change to achieve what you want, unless you can adapt your config to what the current code provides.

> 1. is there no way to reset the list of `set_real_ip_from` for a specific subsection? For example to have a completely different set of trusted addresses for a specific server
>

That one seems to work for me.

set_real_ip_from at http level, with another value at server level. A server without the second value uses the http-level one; a server with the second value uses that value only.

Can you show a sample config that does not work?

> 2. does setting `real_ip_header '';` in a section effectively disable the module for the section?

I don't see that it does; and I don't see that the documentation says that it would. So I'd say "no, it does not".

> 3. documentation says `real_ip_header` is allowed in location block but it doesn't seem to do anything?
>

This one is a bit subtle.

As far as I can see, if there is no value at http or server level, then the value at location level is effectively used. But if there is something at http or server level, then the value at location level is effectively ignored.

That's not the usual way that nginx directive inheritance works; my guess in this case is that the replacement-ip-address-variable is set at the outermost level, and then in the inner level, the variable is seen to have a value and that value is re-used rather than re-calculated.

> This still uses address from X-Real-Ip instead of X-Other for allow check and log:
>

From playing with 1.22, if you want different real_ip_header header values to apply in different locations, you probably need to only set the directive at location level -- and set it in every location where you want it.

Basically -- ensure that there is nothing to be inherited into a section that wants to have a specific value set, so that the curious effective inheritance behaviour of this directive does not take effect.

That might let you get the end result that you want today; if you want a future version to work in "the expected" fashion, then you'll want to convince someone that the cost of maintaining the new code to do that is less than the benefit of being able to do that.

Cheers,

f
--
Francis Daly        francis at daoine.org

From francis at daoine.org Tue Aug 2 22:43:43 2022
From: francis at daoine.org (Francis Daly)
Date: Tue, 2 Aug 2022 23:43:43 +0100
Subject: Proxy buffering query
In-Reply-To: <1eb8feaada3874cb9ee1121fb2ab5bac.NginxMailingListEnglish@forum.nginx.org>
References: <1eb8feaada3874cb9ee1121fb2ab5bac.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20220802224343.GR14648@daoine.org>

On Tue, Aug 02, 2022 at 11:01:32AM -0400, libresco_27 wrote:

Hi there,

> What is the relationship between these three directives -
> proxy_busy_buffers_size, proxy_buffers and proxy_buffer_size?

http://nginx.org/r/proxy_buffer_size, plus some of the following sections.
> Currently, I'm only using proxy_buffer_size in my location block but
> whenever I set it to some higher number, for ex: 32k, it throws the
> following error -
> nginx: [emerg] "proxy_busy_buffers_size" must be less than the size of all
> "proxy_buffers" minus one buffer

If you have told nginx to use 20 kB of buffers; then also telling nginx that it can have up to 40 kB of those buffers busy sending, is unlikely to be a correct config.

I suspect that the error message is to ensure that you do not think that you have configured more buffers than you actually have.

Cheers,

f
--
Francis Daly        francis at daoine.org

From me at nanaya.pro Wed Aug 3 05:58:59 2022
From: me at nanaya.pro (nanaya)
Date: Wed, 03 Aug 2022 14:58:59 +0900
Subject: Questions about real ip module
In-Reply-To: <20220802223411.GQ14648@daoine.org>
References: <9551b76b-187c-4424-a3ca-ae42b8aade7d@www.fastmail.com> <20220802223411.GQ14648@daoine.org>
Message-ID:

Hi

On Wed, Aug 3, 2022, at 07:34, Francis Daly wrote:
> On Sat, Jul 30, 2022 at 05:13:52AM +0900, nanaya wrote:
>
>> 1. is there no way to reset the list of `set_real_ip_from` for a specific subsection? For example to have a completely different set of trusted addresses for a specific server
>>
>
> That one seems to work for me.
>
> set_real_ip_from at http level, with another value at server level. A
> server without the second value uses the http-level one; a server with
> the second value uses that value only.
>
> Can you show a sample config that does not work?
>

It looks like I tested it on location level. I guess it's similar behavior to the real_ip_header inheritance you mentioned below?

http {
    set_real_ip_from 10.0.0.1;
    server {
        location /a/ {
            set_real_ip_from 10.0.0.2;
            access_log /var/log/nginx/test.log; # <- accessing from both 10.0.0.1 and 10.0.0.2 with X-Real-Ip logs the specified header's ip address
        }
    }
}

>> 2. does setting `real_ip_header '';` in a section effectively disable the module for the section?
>
> I don't see that it does; and I don't see that the documentation says
> that it would. So I'd say "no, it does not".
>

It seems to achieve the same effect though, considering it's not really possible to send an empty header (or is it?).

>> 3. documentation says `real_ip_header` is allowed in location block but it doesn't seem to do anything?
>>
>
> This one is a bit subtle.
>
> As far as I can see, if there is no value at http or server level,
> then the value at location level is effectively used. But if there is
> something at http or server level, then the value at location level is
> effectively ignored.
>
> That's not the usual way that nginx directive inheritance works; my guess
> in this case is that the replacement-ip-address-variable is set at the
> outermost level, and then in the inner level, the variable is seen to
> have a value and that value is re-used rather than re-calculated.
>
>> This still uses address from X-Real-Ip instead of X-Other for allow check and log:
>>
>
> From playing with 1.22, if you want different real_ip_header header
> values to apply in different locations, you probably need to only set
> the directive at location level -- and set it in every location where
> you want it.
>
> Basically -- ensure that there is nothing to be inherited into a section
> that wants to have a specific value set, so that the curious effective
> inheritance behaviour of this directive does not take effect.
>
> That might let you get the end result that you want today; if you want
> a future version to work in "the expected" fashion, then you'll want to
> convince someone that the cost of maintaining the new code to do that
> is less than the benefit of being able to do that.
>

Thanks. I've reworked the config so it's not needed anymore.

From peljasz at yahoo.co.uk Wed Aug 3 08:50:10 2022
From: peljasz at yahoo.co.uk (lejeczek)
Date: Wed, 3 Aug 2022 09:50:10 +0100
Subject: listen on IPs but do not fail if one is absent - ?
In-Reply-To: <20220213112450.GH14624@daoine.org>
References: <9860ac91-895c-3936-88dd-db97697cd9a2.ref@yahoo.co.uk> <9860ac91-895c-3936-88dd-db97697cd9a2@yahoo.co.uk> <20220212132617.GG14624@daoine.org> <70c93eed-fe0a-d224-ff00-0c392bd2f716@yahoo.co.uk> <20220213112450.GH14624@daoine.org>
Message-ID:

On 13/02/2022 11:24, Francis Daly wrote:
> On Sun, Feb 13, 2022 at 07:56:16AM +0000, lejeczek via nginx wrote:
>> On 12/02/2022 13:26, Francis Daly wrote:
>>> On Sat, Feb 12, 2022 at 10:11:25AM +0000, lejeczek via nginx wrote:
> Hi there,
>
>>>> having multiple 'listen' with IPs or, just one 'listen' with a hostname
>>>> which resolves to more than one IP - is it possible to tell Nginx not to fail
>>>> when one of the IPs is absent, does not exist?
>>> I think that stock nginx does not support that.
>>>
>>> There are possibly ways to avoid the failure; but they all fundamentally
>>> are different ways to do "only bind to locally-existing addresses".
>> I can confess I return to Nginx after many long years of a divorce and this
>> curious fact - if Nginx cannot do that - will be a surprise to me.
> Use cases tend to be addressed when a developer has the incentive to
> write the code.
>
> If the feature that you are hoping for, has not been implemented in a
> way that you are hoping for, then probably no-one cared enough to ensure
> that it was done in that way.
>

Which amazes me a bit - I'd think that in this age of clouds/virtualization/containers etc. removing an iface or IP or both (even hot-plugging hardware) is something that must happen often, if not daily - why would people not need that 'feature' and not think it's silly of Nginx to fail for that reason? - amazes me.

Certainly this use case where the IP does not exist - perhaps a different case would be where the IP does exist but cannot be bound to - should be allowed, & it should be easy to give end users an option to "bind" to such a non-existent IP with 'continue/remain/insist' or however the devs want to call it.

I read people's replies and think they thought it was about 'port' in my case, but I tried to make it clear it's the IP/iface - so "*" does not address the issue I described.

many thanks, L.

>> I thought such a "feature" would be in Nginx by now, if not devised by
>> developers then included by popular demand - looking at the options/params
>> to 'listen', something like 'remain' or 'insist' which would instruct Nginx
>> to start & continue to work and hook onto the IP when/after it appeared (but
>> also continue to work after the IP disappeared)
> As Maxim indicates in the parallel reply: nginx will not fail if it does
> not try to bind() to a non-existing address:port.
>
> And you can arrange that, by making sure that your "listen ip:port"
> directive does not include any of the parameters that require a bind();
> and by making sure that, for each port that you listen on, there is also a
> "listen *:port"-equivalent directive somewhere in the config.
>
> So possibly the feature that you want already exists with restrictions
> that you are happy to work within?
>
> Cheers,
>
> f

From iippolitov at nginx.com Wed Aug 3 09:54:49 2022
From: iippolitov at nginx.com (Igor Ippolitov)
Date: Wed, 3 Aug 2022 10:54:49 +0100
Subject: listen on IPs but do not fail if one is absent - ?
In-Reply-To: <9860ac91-895c-3936-88dd-db97697cd9a2@yahoo.co.uk>
References: <9860ac91-895c-3936-88dd-db97697cd9a2.ref@yahoo.co.uk> <9860ac91-895c-3936-88dd-db97697cd9a2@yahoo.co.uk>
Message-ID: <4973fd72-baf5-b8c5-53c3-b60b41cfadf3@nginx.com>

Hello,

I would give the 'net.ipv4.ip_nonlocal_bind' sysctl knob a try. Set it to true and bind() won't fail.

Regards,
Igor.

On 12/02/2022 10:11, lejeczek via nginx wrote:
> Hi guys
>
> a novice here so go easy on me with this question:
>
> having multiple 'listen' with IPs or, just one 'listen' with a
> hostname which resolves to more than one IP - is it possible to tell
> Nginx not to fail when one of the IPs is absent, does not exist?
>
> many thanks, L.
From peljasz at yahoo.co.uk Wed Aug 3 11:05:17 2022
From: peljasz at yahoo.co.uk (lejeczek)
Date: Wed, 3 Aug 2022 12:05:17 +0100
Subject: listen on IPs but do not fail if one is absent - ?
In-Reply-To: <4973fd72-baf5-b8c5-53c3-b60b41cfadf3@nginx.com>
References: <9860ac91-895c-3936-88dd-db97697cd9a2.ref@yahoo.co.uk> <9860ac91-895c-3936-88dd-db97697cd9a2@yahoo.co.uk> <4973fd72-baf5-b8c5-53c3-b60b41cfadf3@nginx.com>
Message-ID: <7b3472b2-13b7-a4fb-cca7-3605cfc6eff6@yahoo.co.uk>

On 03/08/2022 10:54, Igor Ippolitov wrote:
> Hello,
>
> I would give the 'net.ipv4.ip_nonlocal_bind' sysctl
> knob a try. Set it to true and bind() won't fail.
>
> Regards,
> Igor.
>

Does the trick for Nginx too!

Many thanks! L.

From nginx-forum at forum.nginx.org Wed Aug 3 12:49:20 2022
From: nginx-forum at forum.nginx.org (libresco_27)
Date: Wed, 03 Aug 2022 08:49:20 -0400
Subject: Proxy buffering query
In-Reply-To: <20220802224343.GR14648@daoine.org>
References: <20220802224343.GR14648@daoine.org>
Message-ID: <3e1485d8dc51bf33ef26f1cfcbe81637.NginxMailingListEnglish@forum.nginx.org>

But I'm not explicitly defining the value for proxy_busy_buffers_size to something. Right now it is set with the default value.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,294892,294904#msg-294904

From francis at daoine.org Wed Aug 3 22:53:15 2022
From: francis at daoine.org (Francis Daly)
Date: Wed, 3 Aug 2022 23:53:15 +0100
Subject: Questions about real ip module
In-Reply-To:
References: <9551b76b-187c-4424-a3ca-ae42b8aade7d@www.fastmail.com> <20220802223411.GQ14648@daoine.org>
Message-ID: <20220803225315.GS14648@daoine.org>

On Wed, Aug 03, 2022 at 02:58:59PM +0900, nanaya wrote:
> On Wed, Aug 3, 2022, at 07:34, Francis Daly wrote:
> > On Sat, Jul 30, 2022 at 05:13:52AM +0900, nanaya wrote:

Hi there,

> It looks like I tested it on location level. I guess it's similar behavior to the real_ip_header inheritance you mentioned below?

Ah, I hadn't tested at location{} level. I had thought it would basically be: wherever the real_ip_header that is used is set, use the matching set_real_ip_from. But I see somewhat confusing test results there now too.

So it's probably simplest to say that the current code works most clearly when there is exactly one set of directives in the configuration. If someone finds a use-case that they can't configure with the current code, maybe that will inspire someone to change something.

> >> 2. does setting `real_ip_header '';` in a section effectively disable the module for the section?
> >
> > I don't see that it does; and I don't see that the documentation says
> > that it would. So I'd say "no, it does not".
>
> It seems to achieve the same effect though, considering it's not really possible to send an empty header (or is it?).

With the odd effective inheritance that I see, any "inner" directive seems to be effectively ignored. So having an "inner" one with the empty value should not make a difference. But I do not understand fully what it is doing.

> Thanks. I've reworked the config so it's not needed anymore.

Good that you have a config that now works for you.
Cheers,

f
--
Francis Daly        francis at daoine.org

From francis at daoine.org Wed Aug 3 23:55:34 2022
From: francis at daoine.org (Francis Daly)
Date: Thu, 4 Aug 2022 00:55:34 +0100
Subject: Proxy buffering query
In-Reply-To: <3e1485d8dc51bf33ef26f1cfcbe81637.NginxMailingListEnglish@forum.nginx.org>
References: <20220802224343.GR14648@daoine.org> <3e1485d8dc51bf33ef26f1cfcbe81637.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20220803235534.GT14648@daoine.org>

On Wed, Aug 03, 2022 at 08:49:20AM -0400, libresco_27 wrote:

Hi there,

> But I'm not explicitly defining the value for proxy_busy_buffers_size to
> something. Right now it is set with the default value

Oh, sorry. I had misunderstood what you were reporting.

I now think that the confusion comes from what "the default value" for proxy_busy_buffers_size is. The documentation has one set of words, which is correct once you know how it is intended to be interpreted. If we can find a set of words that is both correct and clear, we can probably get the documentation changed to help the next person.

I think that the key is: if not explicitly defined, the value for proxy_busy_buffers_size is "the bigger of: twice proxy_buffer_size; and the size of two proxy_buffers". By default-default, that is the 8k or 16k that the documentation summary shows. But when you set a big proxy_buffer_size value, you are implicitly increasing proxy_busy_buffers_size as well. And then the other requirement kicks in -- proxy_busy_buffers_size must be not bigger than "proxy_buffers number-minus-one times size".

Also, if you want to explicitly set proxy_busy_buffers_size, you cannot make it be smaller than a single proxy_buffers, or than proxy_buffer_size.

So with all default values on a 4k page system, proxy_buffers is "8 4k" (32k total, and 28k is the maximum for proxy_busy_buffers_size); proxy_buffer_size is 4k; and proxy_busy_buffers_size is 8k.

If you want to set proxy_buffer_size to more than 14k, you must either also increase proxy_buffers (in number or size); or explicitly set proxy_busy_buffers_size to 28k or lower (while not being smaller than proxy_buffer_size).

Hopefully this does not make things more confusing...

Cheers,

f
--
Francis Daly        francis at daoine.org

From jeh253 at gmail.com Thu Aug 4 00:39:32 2022
From: jeh253 at gmail.com (Jay Haines)
Date: Wed, 3 Aug 2022 20:39:32 -0400
Subject: location regex?
Message-ID: <1c662dd9-e469-ca9a-91a2-2eb609123155@gmail.com>

I am trying to weed out requests for any uri that contains the string, "announce" (no quotes). That would include

* /announce
* /announce/
* /announce.php

each with or without query strings. I have the following location blocks in my server context:

        location ~* announce {
                return 444;
        }

        location ~* /announce.php {
                return 444;
        }

and my log looks good:

"122.100.172.162"       "03/Aug/2022:20:19:00 -0400"    "GET /announce.php?info_hash=%DF%AEF%40%7F%1DA%C9%91S%9F%D4%0D%D6J%E6%992%A3~&peer_id=-BC0171-_sSI%D1n%AA%A9%C3%A5%25%1E&port=15302&natmapped=1&localip=172.18.80.247&port_type=lan&uploaded=46317568&downloaded=11285925264&left=178446055&numwant=50&compact=1&no_peer_id=1&key=38892 HTTP/1.1"        "444"   "0"     "0.000"  "-"     "BitComet/1.71.9.7"

until it doesn't:

"81.110.165.170"        "03/Aug/2022:20:24:03 -0400"    "GET /announce.php?info_hash=%5B%EA0r%8A*8%C4%DAA%81%02%B4%BF%97%CC%1E%A9y%C8&am_peer_id=-TR300%5A-LDXTt3fAIyq%00&port=43342&uploaded=0&downloaded=0&left=5593535899&event=started&key=0&compact=1&numwant=200 HTTP/1.1" "400"   "150"   "0.000" "-"     "-"

I have tried various location prefixes and regexes (and combinations thereof) but can't seem to find the one that works correctly.

Thanks for any help
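As an added example (not part of the thread, not nginx code), the following Python model walks through nginx's documented location selection order over Jay's two regex locations, showing why the query string plays no part and why the second block is never reached. `normalize_uri` and `select_location` are constructed names, and the URI normalization is deliberately simplified to stripping the query string and percent-decoding.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# A location as written in nginx.conf: (modifier, pattern) with modifier one of
# "" (prefix), "=" (exact), "^~" (prefix that suppresses regex checks),
# "~" (regex) or "~*" (case-insensitive regex).
Location = Tuple[str, str]

# Jay's two regex locations, in the order they appear in his server block.
JAY_LOCATIONS: List[Location] = [("~*", "announce"), ("~*", "/announce.php")]


def normalize_uri(request_target: str) -> str:
    """Reduce a request-line target to the URI nginx matches locations against.

    Locations are matched against the decoded URI *without* the query string,
    which is why "/announce.php?info_hash=..." selects the same location as a
    bare "/announce.php". This simplified model (an assumption of this example)
    does only those two steps; real nginx also merges slashes and resolves
    dot segments.
    """
    path = request_target.split("?", 1)[0]
    return unquote(path)


def select_location(locations: List[Location], request_target: str) -> Optional[Location]:
    """Return the location nginx would hand the request to, or None.

    Selection order, as documented for the location directive:
      1. an "=" location equal to the URI wins immediately;
      2. otherwise remember the longest matching prefix ("" or "^~");
      3. if that longest prefix is "^~", use it and skip all regexes;
      4. otherwise try "~" / "~*" locations in configuration order, first match wins;
      5. otherwise fall back to the longest prefix (or None if nothing matched).
    """
    uri = normalize_uri(request_target)
    longest_prefix: Optional[Location] = None

    for modifier, pattern in locations:
        if modifier == "=" and uri == pattern:
            return (modifier, pattern)
        if modifier in ("", "^~") and uri.startswith(pattern):
            if longest_prefix is None or len(pattern) > len(longest_prefix[1]):
                longest_prefix = (modifier, pattern)

    if longest_prefix is not None and longest_prefix[0] == "^~":
        return longest_prefix

    for modifier, pattern in locations:
        if modifier in ("~", "~*"):
            flags = re.IGNORECASE if modifier == "~*" else 0
            if re.search(pattern, uri, flags):  # nginx regexes are unanchored searches
                return (modifier, pattern)

    return longest_prefix


def main() -> None:
    # Constructed request targets in the shape of Jay's log lines (not real traffic).
    targets = [
        "/announce.php?info_hash=%5B%EA0r&peer_id=-TR300-&port=43342",
        "/Announce/",
        "/announce",
        "/index.html",
    ]
    print("Jay's config: both regex locations, in order")
    for target in targets:
        print(f"  {target[:44]:<44} -> {select_location(JAY_LOCATIONS, target)}")

    # A ^~ prefix that is the longest match stops regex evaluation entirely,
    # so a tracker-style URL under it would never reach the announce regex.
    with_static = [("^~", "/static/")] + JAY_LOCATIONS
    print("with a '^~ /static/' prefix:", select_location(with_static, "/static/announce.txt"))


if __name__ == "__main__":
    main()
```

The model says nothing about requests nginx rejects before location matching, such as the 400 in Jay's second log line; those never reach this stage.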
From francis at daoine.org Thu Aug 4 07:31:37 2022
From: francis at daoine.org (Francis Daly)
Date: Thu, 4 Aug 2022 08:31:37 +0100
Subject: location regex?
In-Reply-To: <1c662dd9-e469-ca9a-91a2-2eb609123155@gmail.com>
References: <1c662dd9-e469-ca9a-91a2-2eb609123155@gmail.com>
Message-ID: <20220804073137.GU14648@daoine.org>

On Wed, Aug 03, 2022 at 08:39:32PM -0400, Jay Haines wrote:

Hi there,

> I am trying to weed out requests for any uri that contains the string,
> "announce" (no quotes). That would include
>
> * /announce
> * /announce/
> * /announce.php

Normal config there would be of the form

        location ~ announce {}

but only in a place where that location will actually have a chance to be matched -- so before any other ~regex location that might match the same request; and any =exact location, or ^~prefix location that is the longest-prefix match, will mean that regex matches are not tried.

> each with or without query strings. I have the following location blocks in
> my server context:
>
>        location ~* announce {
>                return 444;
>        }
>
>        location ~* /announce.php {
>                return 444;
>        }

In that sequence, that second one will never be used. But that's ok; it has the same handling as the first one.

> and my log looks good:
>
> "122.100.172.162"       "03/Aug/2022:20:19:00 -0400"    "GET /announce.php?info_hash=%DF%AEF%40%7F%1DA%C9%91S%9F%D4%0D%D6J%E6%992%A3~&peer_id=-BC0171-_sSI%D1n%AA%A9%C3%A5%25%1E&port=15302&natmapped=1&localip=172.18.80.247&port_type=lan&uploaded=46317568&downloaded=11285925264&left=178446055&numwant=50&compact=1&no_peer_id=1&key=38892
> HTTP/1.1"        "444"   "0"     "0.000"  "-"     "BitComet/1.71.9.7"
>
> until it doesn't:
>
> "81.110.165.170"        "03/Aug/2022:20:24:03 -0400"    "GET /announce.php?info_hash=%5B%EA0r%8A*8%C4%DAA%81%02%B4%BF%97%CC%1E%A9y%C8&am_peer_id=-TR300%5A-LDXTt3fAIyq%00&port=43342&uploaded=0&downloaded=0&left=5593535899&event=started&key=0&compact=1&numwant=200
> HTTP/1.1" "400"   "150"   "0.000" "-"     "-"

If those two requests went to the same server{}, and there was no other config that will have handled them differently, they would both be handled in the same location{} (because each request was "/announce.php", as far as location matching is concerned).

The second response is 400, which is "Bad Request", which can come from nginx before any location{} matching is attempted. For example -- something claiming to be a HTTP/1.1 request but not having a Host: header can lead to a log line like that.

> I have tried various location prefixes and regexes (and combinations
> thereof) but can't seem to find the one that works correctly.

The first location{} that you have looks correct to me, in normal nginx terms.

If you can investigate the 400-request, maybe you can see whether the response came from nginx directly, or came from something later that involved the announce.php code. (With the config shown, I expect it will have been a "real" bad request, so was rejected before the location-matching (and probably also the server-matching) happened.)
Cheers,

f
--
Francis Daly        francis at daoine.org

From bmvishwas at gmail.com Fri Aug 5 14:10:35 2022
From: bmvishwas at gmail.com (Vishwas Bm)
Date: Fri, 5 Aug 2022 19:40:35 +0530
Subject: Nginx upstream zone
Message-ID:

Hi,

What is the use of zone in stream upstream
http://nginx.org/en/docs/stream/ngx_stream_upstream_module.html#zone

Does it have any impact on how load balancing happens when there are multiple worker processes?

Also, how does the size need to be calculated? Is 5m size sufficient for 10 worker processes?

Regards,
Vishwas

From mdounin at mdounin.ru Sat Aug 6 14:48:04 2022
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Sat, 6 Aug 2022 17:48:04 +0300
Subject: listen on IPs but do not fail if one is absent - ?
In-Reply-To:
References: <9860ac91-895c-3936-88dd-db97697cd9a2.ref@yahoo.co.uk> <9860ac91-895c-3936-88dd-db97697cd9a2@yahoo.co.uk> <20220212132617.GG14624@daoine.org> <70c93eed-fe0a-d224-ff00-0c392bd2f716@yahoo.co.uk> <20220213112450.GH14624@daoine.org>
Message-ID:

Hello!

On Wed, Aug 03, 2022 at 09:50:10AM +0100, lejeczek via nginx wrote:

> On 13/02/2022 11:24, Francis Daly wrote:
> > On Sun, Feb 13, 2022 at 07:56:16AM +0000, lejeczek via nginx wrote:
> >> On 12/02/2022 13:26, Francis Daly wrote:
> >>> On Sat, Feb 12, 2022 at 10:11:25AM +0000, lejeczek via nginx wrote:
> > Hi there,
> >
> >>>> having multiple 'listen' with IPs or, just one 'listen' with a hostname
> >>>> which resolves to more than one IP - is it possible to tell Nginx not to fail
> >>>> when one of the IPs is absent, does not exist?
> >>> I think that stock nginx does not support that.
> >>>
> >>> There are possibly ways to avoid the failure; but they all fundamentally
> >>> are different ways to do "only bind to locally-existing addresses".
> >> I can confess I return to Nginx after many long years of a divorce and this
> >> curious fact - if Nginx cannot do that - will be a surprise to me.
> > Use cases tend to be addressed when a developer has the incentive to
> > write the code.
> >
> > If the feature that you are hoping for, has not been implemented in a
> > way that you are hoping for, then probably no-one cared enough to ensure
> > that it was done in that way.
> >
> Which amazes me a bit - I'd think that in this age of
> clouds/virtualization/containers etc. removing an iface or IP
> or both (even hot-plugging hardware) is something that must
> happen often, if not daily - why would people not need that
> 'feature' and not think it's silly of Nginx to fail for that
> reason? - amazes me.
>
> Certainly this use case where the IP does not exist - perhaps a
> different case would be where the IP does exist but cannot be
> bound to - should be allowed, & it should be easy to give end users an
> option to "bind" to such a non-existent IP with
> 'continue/remain/insist' or however the devs want to call it.
>
> I read people's replies and think they thought it was about
> 'port' in my case, but I tried to make it clear it's the
> IP/iface - so "*" does not address the issue I described.

It is not clear why "*" does not address the issue you've described. You may want to be more specific.

In particular, please explain why

    listen *:80;
    listen 99.99.99.99:80;

does not work for you.

The only case I can imagine is when you are not allowed to listen on *:80 for some reason, and have to listen only on specific IP addresses instead. This looks quite uncommon though, and usually instead suggests that IP addresses are perfectly fixed.

(See description of the "bind" parameter of the "listen" directive at http://nginx.org/r/listen for additional details.)

--
Maxim Dounin
http://mdounin.ru/

From bmvishwas at gmail.com Mon Aug 8 02:30:52 2022
From: bmvishwas at gmail.com (Vishwas Bm)
Date: Mon, 8 Aug 2022 08:00:52 +0530
Subject: Nginx upstream zone
In-Reply-To:
References:
Message-ID:

Any inputs on this?
On Fri, 5 Aug, 2022, 19:40 Vishwas Bm, wrote: > Hi, > > What is the use of zone in stream upstream > http://nginx.org/en/docs/stream/ngx_stream_upstream_module.html#zone > > Does it have any impact on how loadbalancing happens when there are > multiple worker process? > > Also how is the size needs to be calculated ? > Is 5m size sufficient for 10 worker process? > > Regards, > Vishwas > -------------- next part -------------- An HTML attachment was scrubbed... URL: From osa at freebsd.org.ru Mon Aug 8 02:49:26 2022 From: osa at freebsd.org.ru (Sergey A. Osokin) Date: Mon, 8 Aug 2022 05:49:26 +0300 Subject: Nginx upstream zone In-Reply-To: References: Message-ID: Hi, On Fri, Aug 05, 2022 at 07:40:35PM +0530, Vishwas Bm wrote: > > What is the use of zone in stream upstream > http://nginx.org/en/docs/stream/ngx_stream_upstream_module.html#zone Since this is the part of the commercial subscription, I'd recommend to contact NGINX Plus premium support team, please visit the following page to get details, https://www.nginx.com/support/ > Does it have any impact on how loadbalancing happens when there are > multiple worker process? No impact. > Also how is the size needs to be calculated ? > Is 5m size sufficient for 10 worker process? That depends on the actual NGINX Plus configuration and other factors, usually 64k is enough, but that number can be revisited with an extensive testing in a lower environments. Thank you. -- Sergey A. Osokin From bmvishwas at gmail.com Mon Aug 8 07:19:35 2022 From: bmvishwas at gmail.com (Vishwas Bm) Date: Mon, 8 Aug 2022 12:49:35 +0530 Subject: Nginx upstream zone In-Reply-To: References: Message-ID: Thanks for the response. 
I have the below configuration in nginx.conf:

worker_processes 8;
pid /var/run/nginx.pid;
worker_rlimit_nofile 196886;
worker_shutdown_timeout 10s;
include /etc/nginx/conf.d/main/*.conf;

events {
    multi_accept on;
    worker_connections 16384;
    use epoll;
}

stream {
    upstream tcp-9005-simple_tcp_echo_go {
        #zone myzone 5m;
        server 127.0.0.1:9001;
        server 127.0.0.1:9002;
        server 127.0.0.1:9000;
        server 127.0.0.1:9003;
    }

    server {
        #listen 9005;
        listen 9005 reuseport;
        proxy_pass tcp-9005-simple_tcp_echo_go;
        proxy_timeout 600s;
        proxy_next_upstream on;
        proxy_next_upstream_timeout 600s;
        proxy_next_upstream_tries 3;
    }
}

Each of the servers in the upstream is the same process, which responds after some delay.
I am sending 10000 requests almost in parallel, using something like the below in a loop:

curl 127.0.0.1:9005 &

My expectation is that the 4 upstream servers should get requests in round-robin fashion, like:

req1 - upstream srv 1
req2 - upstream srv 2
req3 - upstream srv 3
req4 - upstream srv 4
...

But I do not see that behaviour; I see something like the below, where the requests are not being sent in round-robin fashion. I have tried with the below config and round robin does not happen as mentioned above.

reuse-port on/off
multi-accept on/off

Try 1 (with reuse-port and multi-accept on):
127.0.0.1:9001 -- 2503
127.0.0.1:9002 -- 2501
127.0.0.1:9000 -- 2499
127.0.0.1:9003 -- 2497

Try 2 (without reuse-port and multi-accept on):
127.0.0.1:9001 -- 2502
127.0.0.1:9002 -- 2501
127.0.0.1:9000 -- 2500
127.0.0.1:9003 -- 2497

Try 3 (with reuse-port and multi-accept off):
127.0.0.1:9001 -- 2502
127.0.0.1:9002 -- 2502
127.0.0.1:9000 -- 2499
127.0.0.1:9003 -- 2497

Try 4 (without reuse-port and multi-accept off):
127.0.0.1:9001 -- 2505
127.0.0.1:9002 -- 2499
127.0.0.1:9000 -- 2498
127.0.0.1:9003 -- 2498

Looks like round robin is happening with respect to a worker process. When I add the zone configuration, or when I set worker-process to 1, it works and gives the expected result.

I am using open source nginx 1.22.0 (http://nginx.org/download/nginx-1.22.0.tar.gz) and have built the source code.

Is my understanding of round-robin correct? I feel something related to the zone is making it work properly.

I also see this description in the max_conns section: http://nginx.org/en/docs/stream/ngx_stream_upstream_module.html#server

    max_conns=number
    limits the maximum number of simultaneous connections to the proxied server (1.11.5). Default value is zero, meaning there is no limit. If the server group does not reside in the shared memory, the limitation works per each worker process.

Thanks & Regards,
Vishwas

On Mon, Aug 8, 2022 at 8:19 AM Sergey A. Osokin wrote:

> Hi,
>
> On Fri, Aug 05, 2022 at 07:40:35PM +0530, Vishwas Bm wrote:
> >
> > What is the use of zone in stream upstream
> > http://nginx.org/en/docs/stream/ngx_stream_upstream_module.html#zone
>
> Since this is part of the commercial subscription, I'd recommend
> contacting the NGINX Plus premium support team; please visit the following
> page to get details: https://www.nginx.com/support/
>
> > Does it have any impact on how loadbalancing happens when there are
> > multiple worker processes?
>
> No impact.
>
> > Also how does the size need to be calculated?
> > Is 5m size sufficient for 10 worker processes?
>
> That depends on the actual NGINX Plus configuration and other factors;
> usually 64k is enough, but that number can be revisited with extensive
> testing in lower environments.
>
> Thank you.
>
> --
> Sergey A. Osokin
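The per-worker behaviour Vishwas infers above (near-equal totals, but no strict req1 -> srv1, req2 -> srv2 order until a zone is configured or worker_processes is 1) can be reproduced in a short simulation. This is an added example, not code from the thread or from nginx: it models each worker's round-robin position as an independent cursor and a zone as one cursor shared by all workers, and assumes the accepting worker is chosen at random for each connection.

```python
# Added example (not from the thread): nginx round-robin peer selection
# with and without an upstream "zone". Without a zone every worker process
# keeps its own round-robin position; with a zone that position lives in
# shared memory and is common to all workers.
import random
from collections import Counter

# Peers from Vishwas's upstream block, in the order nginx sees them.
UPSTREAMS = ["127.0.0.1:9001", "127.0.0.1:9002", "127.0.0.1:9000", "127.0.0.1:9003"]


def simulate(n_requests, n_workers, shared_zone, seed=0):
    """Return the peer chosen for each of n_requests connections.

    Assumption: the kernel hands each new connection to a worker chosen
    at random (the reuseport / multi_accept settings tried in the thread
    did not change the observed outcome, so they are not modelled).
    """
    rng = random.Random(seed)
    # One round-robin cursor per worker, or a single shared cursor.
    cursors = [0] if shared_zone else [0] * n_workers
    chosen = []
    for _ in range(n_requests):
        slot = 0 if shared_zone else rng.randrange(n_workers)
        chosen.append(UPSTREAMS[cursors[slot] % len(UPSTREAMS)])
        cursors[slot] += 1
    return chosen


def is_strict_round_robin(chosen):
    """True if request i went to peer i mod 4: req1 -> srv1, req2 -> srv2, ..."""
    return all(p == UPSTREAMS[i % len(UPSTREAMS)] for i, p in enumerate(chosen))


def spread(chosen):
    """Busiest peer minus least busy peer. Each worker balances its own
    share to within one connection per peer, so without a zone the spread
    is bounded by the number of workers (8 in the thread, whose tries show
    spreads of 5 to 8), not by the number of requests."""
    counts = Counter(chosen)
    return max(counts.values()) - min(counts.values())


if __name__ == "__main__":
    for zone in (False, True):
        picks = simulate(10000, 8, shared_zone=zone)
        print(f"zone={zone}: strict RR={is_strict_round_robin(picks)}, "
              f"spread={spread(picks)}, totals={dict(Counter(picks))}")
```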
From pluknet at nginx.com Mon Aug 8 11:34:30 2022
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Mon, 8 Aug 2022 15:34:30 +0400
Subject: Nginx upstream zone
Message-ID: <7DD30605-C813-4115-BD52-3A65CC0C1F8C@nginx.com>

> On 8 Aug 2022, at 06:49, Sergey A. Osokin wrote:
>
> Hi,
>
> On Fri, Aug 05, 2022 at 07:40:35PM +0530, Vishwas Bm wrote:
>>
>> What is the use of zone in stream upstream
>> http://nginx.org/en/docs/stream/ngx_stream_upstream_module.html#zone
>
> Since this is part of the commercial subscription, I'd recommend
> contacting the NGINX Plus premium support team; please visit the following
> page to get details: https://www.nginx.com/support/

And also included in opensource nginx.

>
>> Does it have any impact on how loadbalancing happens when there are
>> multiple worker processes?
>
> No impact.

Actually, enabling upstream zone moves internal peer state storage
to shared memory, such that loadbalancing becomes consistent among
worker processes. This includes reusing SSL sessions to backends.

>
>> Also how does the size need to be calculated?
>> Is 5m size sufficient for 10 worker processes?
>
> That depends on the actual NGINX Plus configuration and other factors;
> usually 64k is enough, but that number can be revisited with extensive
> testing in lower environments.
>
> Thank you.
>

It's roughly 500 bytes per upstream server in a simple case.
The exact numbers depend on nginx version and configuration.
Also, currently upstream zone cannot be configured to be less
than 8 page sizes.

--
Sergey Kandaurov

From bmvishwas at gmail.com Tue Aug 9 10:22:06 2022
From: bmvishwas at gmail.com (Vishwas Bm)
Date: Tue, 9 Aug 2022 15:52:06 +0530
Subject: Nginx upstream zone
In-Reply-To: <7DD30605-C813-4115-BD52-3A65CC0C1F8C@nginx.com>
References: <7DD30605-C813-4115-BD52-3A65CC0C1F8C@nginx.com>

Thanks for answering the query.

On Mon, 8 Aug, 2022, 17:04 Sergey Kandaurov, wrote:

>
> > On 8 Aug 2022, at 06:49, Sergey A. Osokin wrote:
> >
> > Hi,
> >
> > On Fri, Aug 05, 2022 at 07:40:35PM +0530, Vishwas Bm wrote:
> >>
> >> What is the use of zone in stream upstream
> >> http://nginx.org/en/docs/stream/ngx_stream_upstream_module.html#zone
> >
> > Since this is part of the commercial subscription, I'd recommend
> > contacting the NGINX Plus premium support team; please visit the following
> > page to get details: https://www.nginx.com/support/
>
> And also included in opensource nginx.
>
> >
> >> Does it have any impact on how loadbalancing happens when there are
> >> multiple worker processes?
> >
> > No impact.
>
> Actually, enabling upstream zone moves internal peer state storage
> to shared memory, such that loadbalancing becomes consistent among
> worker processes. This includes reusing SSL sessions to backends.
>
> >
> >> Also how does the size need to be calculated?
> >> Is 5m size sufficient for 10 worker processes?
> >
> > That depends on the actual NGINX Plus configuration and other factors;
> > usually 64k is enough, but that number can be revisited with extensive
> > testing in lower environments.
> >
> > Thank you.
> >
>
> It's roughly 500 bytes per upstream server in a simple case.
> The exact numbers depend on nginx version and configuration.
> Also, currently upstream zone cannot be configured to be less
> than 8 page sizes.
>
> --
> Sergey Kandaurov

From nginx-forum at forum.nginx.org Tue Aug 9 18:41:37 2022
From: nginx-forum at forum.nginx.org (nikhilagrawal577)
Date: Tue, 09 Aug 2022 14:41:37 -0400
Subject: Application performance of Nginx
Message-ID: <844120c9aa7e53269cc3909602cde40d.NginxMailingListEnglish@forum.nginx.org>

We are using the Nginx open source flavour. We are running a few lua scripts in the nginx layer.
Nginx is very slow in processing those programs. We are required to increase the number of instances to support the load.

We want to check why nginx is slow.
How do we check the performance of the Nginx application? Not talking about the stub module.
Metrics like:
1. CPU breakdown of Nginx app
2. Response time
3. Memory breakdown of nginx app

Regards,
Nikhil

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,294926,294926#msg-294926

From osa at freebsd.org.ru Tue Aug 9 20:05:32 2022
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Tue, 9 Aug 2022 23:05:32 +0300
Subject: Application performance of Nginx
In-Reply-To: <844120c9aa7e53269cc3909602cde40d.NginxMailingListEnglish@forum.nginx.org>
References: <844120c9aa7e53269cc3909602cde40d.NginxMailingListEnglish@forum.nginx.org>

Hi Nikhil,

hope you're doing well.

On Tue, Aug 09, 2022 at 02:41:37PM -0400, nikhilagrawal577 wrote:
> We are using the Nginx open source flavour. We are running a few lua scripts in
> the nginx layer.
> Nginx is very slow in processing those programs. We are required to increase
> the number of instances to support the load.
>
> We want to check why nginx is slow.
> How do we check the performance of the Nginx application? Not talking about
> the stub module.
> Metrics like:
> 1. CPU breakdown of Nginx app
> 2. Response time
> 3. Memory breakdown of nginx app

It's possible to use DTrace for nginx debugging [1]. And it's possible
to use a debugging log [2] to see how nginx processes a request.

Please note, the nginx lua module is a third-party product, so I'd
recommend asking the module's vendor how to debug the execution of a lua script.

Also, nginx functionality can be extended with the NGINX JavaScript module [3].

Thank you.

References

1. https://nginx.org/en/docs/nginx_dtrace_pid_provider.html
2. https://nginx.org/en/docs/debugging_log.html
3. https://nginx.org/en/docs/njs/

--
Sergey A. Osokin

From nginx-forum at forum.nginx.org Tue Aug 9 22:45:21 2022
From: nginx-forum at forum.nginx.org (acidiclight)
Date: Tue, 09 Aug 2022 18:45:21 -0400
Subject: If statement with $limit_req_status under location block with proxy_pass not working

This worked great. Thank you for your help!

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,294407,294929#msg-294929

From nginx-forum at forum.nginx.org Sat Aug 13 08:01:19 2022
From: nginx-forum at forum.nginx.org (petecooper)
Date: Sat, 13 Aug 2022 04:01:19 -0400
Subject: Nginx segfault - `is_closing_session(): no DBUS_SESSION_BUS_ADDRESS in environment`

Hello.
I have a single-digit fleet of Ubuntu servers, all running a similar configuration:

* Ubuntu 20.04LTS, current kernel via `apt`
* Nginx 1.23.1 from source, with 3rd party modules
* PHP 8.0 or 8.1 from source

One of the servers has recently had issues with what appears to be an Nginx segfault, which manifests as high CPU load, repeated `apport` processes spawning, and errors written to `apport.log`. The other servers have a similar config, but are not affected by this issue.

The process that spawns is:

/usr/bin/python3 /usr/share/apport/apport -p58000 -s11 -c0 -d1 -P58000 -u33 -g33 -- !usr!sbin!nginx

…where the `p` and `P` values correspond to the PID.
An excerpt from `apport.log` follows:

ERROR: apport (pid 58552) Sat Aug 13 07:23:24 2022: called for pid 58551, signal 11, core limit 0, dump mode 1
ERROR: apport (pid 58552) Sat Aug 13 07:23:24 2022: executable: /usr/sbin/nginx (command line "nginx:\ master\ process\ /usr/sbin/nginx\ -g\ daemon\ on;\ master_process\ on;")
ERROR: apport (pid 58552) Sat Aug 13 07:23:24 2022: is_closing_session(): no DBUS_SESSION_BUS_ADDRESS in environment
ERROR: apport (pid 58552) Sat Aug 13 07:23:24 2022: apport: report /var/crash/_usr_sbin_nginx.33.crash already exists and unseen, skipping to avoid disk usage DoS
ERROR: apport (pid 58554) Sat Aug 13 07:23:24 2022: called for pid 58553, signal 11, core limit 0, dump mode 1
ERROR: apport (pid 58554) Sat Aug 13 07:23:24 2022: executable: /usr/sbin/nginx (command line "nginx:\ master\ process\ /usr/sbin/nginx\ -g\ daemon\ on;\ master_process\ on;")
ERROR: apport (pid 58554) Sat Aug 13 07:23:24 2022: is_closing_session(): no DBUS_SESSION_BUS_ADDRESS in environment
ERROR: apport (pid 58554) Sat Aug 13 07:23:24 2022: apport: report /var/crash/_usr_sbin_nginx.33.crash already exists and unseen, skipping to avoid disk usage DoS
ERROR: apport (pid 58556) Sat Aug 13 07:23:24 2022: called for pid 58555, signal 11, core limit 0, dump mode 1
ERROR: apport (pid 58556) Sat Aug 13 07:23:24 2022: executable: /usr/sbin/nginx (command line "nginx:\ master\ process\ /usr/sbin/nginx\ -g\ daemon\ on;\ master_process\ on;")
ERROR: apport (pid 58556) Sat Aug 13 07:23:24 2022: is_closing_session(): no DBUS_SESSION_BUS_ADDRESS in environment
ERROR: apport (pid 58556) Sat Aug 13 07:23:24 2022: apport: report /var/crash/_usr_sbin_nginx.33.crash already exists and unseen, skipping to avoid disk usage DoS
ERROR: apport (pid 58560) Sat Aug 13 07:23:25 2022: called for pid 58559, signal 11, core limit 0, dump mode 1
ERROR: apport (pid 58560) Sat Aug 13 07:23:25 2022: executable: /usr/sbin/nginx (command line "nginx:\ master\ process\ /usr/sbin/nginx\ -g\ daemon\ on;\ master_process\ on;")
ERROR: apport (pid 58560) Sat Aug 13 07:23:25 2022: is_closing_session(): no DBUS_SESSION_BUS_ADDRESS in environment
ERROR: apport (pid 58560) Sat Aug 13 07:23:25 2022: apport: report /var/crash/_usr_sbin_nginx.33.crash already exists and unseen, skipping to avoid disk usage DoS
ERROR: apport (pid 58562) Sat Aug 13 07:23:25 2022: called for pid 58561, signal 11, core limit 0, dump mode 1
ERROR: apport (pid 58562) Sat Aug 13 07:23:25 2022: executable: /usr/sbin/nginx (command line "nginx:\ master\ process\ /usr/sbin/nginx\ -g\ daemon\ on;\ master_process\ on;")
ERROR: apport (pid 58562) Sat Aug 13 07:23:25 2022: is_closing_session(): no DBUS_SESSION_BUS_ADDRESS in environment
ERROR: apport (pid 58562) Sat Aug 13 07:23:25 2022: apport: report /var/crash/_usr_sbin_nginx.33.crash already exists and unseen, skipping to avoid disk usage DoS
ERROR: apport (pid 58564) Sat Aug 13 07:23:25 2022: called for pid 58563, signal 11, core limit 0, dump mode 1
ERROR: apport (pid 58564) Sat Aug 13 07:23:25 2022: executable: /usr/sbin/nginx (command line "nginx:\ master\ process\ /usr/sbin/nginx\ -g\ daemon\ on;\ master_process\ on;")
ERROR: apport (pid 58564) Sat Aug 13 07:23:25 2022: is_closing_session(): no DBUS_SESSION_BUS_ADDRESS in environment
ERROR: apport (pid 58564) Sat Aug 13 07:23:25 2022: apport: report /var/crash/_usr_sbin_nginx.33.crash already exists and unseen, skipping to avoid disk usage DoS

The processes are spawning in quick succession and are enough to take it offline as far as Nginx is concerned, though `sshd` is responsive enough for me to log in.

My gut feeling indicates a server-specific issue, perhaps hardware-related, but since this is new territory for me and my research hasn't located much apart from "this might be hardware", I wanted to check in here before I migrate the sites to a new server.

I am grateful for any guidance or advice on what might be worth looking at on the server as-is.

Thank you, and best wishes to you.
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,294944,294944#msg-294944

From osa at freebsd.org.ru Sat Aug 13 13:22:18 2022
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Sat, 13 Aug 2022 16:22:18 +0300
Subject: Nginx segfault - `is_closing_session(): no DBUS_SESSION_BUS_ADDRESS in environment`

Hi,

thanks for the report.

On Sat, Aug 13, 2022 at 04:01:19AM -0400, petecooper wrote:
> Hello.
> I have a single-digit fleet of Ubuntu servers, all running a similar
> configuration:
>
> * Ubuntu 20.04LTS, current kernel via `apt`
> * Nginx 1.23.1 from source, with 3rd party modules
> * PHP 8.0 or 8.1 from source

Could you please provide the output of the following command:

% nginx -T

Also, is there any specific reason to build nginx and php from source?
Is there a chance to reproduce the issue without any third-party modules?

Thank you.

--
Sergey A. Osokin

From nginx-forum at forum.nginx.org Sun Aug 14 08:46:31 2022
From: nginx-forum at forum.nginx.org (petecooper)
Date: Sun, 14 Aug 2022 04:46:31 -0400
Subject: Nginx segfault - `is_closing_session(): no DBUS_SESSION_BUS_ADDRESS in environment`
Message-ID: <4ce995e9c1705e2c6f2337748eb6d029.NginxMailingListEnglish@forum.nginx.org>

Sergey A. Osokin Wrote:
-------------------------------------------------------

Hello Sergey. Thank you for your reply.

> On Sat, Aug 13, 2022 at 04:01:19AM -0400, petecooper wrote:
> > Hello.
> > I have a single-digit fleet of Ubuntu servers, all running a similar
> > configuration:
> >
> > * Ubuntu 20.04LTS, current kernel via `apt`
> > * Nginx 1.23.1 from source, with 3rd party modules
> > * PHP 8.0 or 8.1 from source
>
> Could you please provide the output of the following command:
>
> % nginx -T

I have included it partially inline at the end of this email, but the body is too large to send.

The nginx.conf is available here:
https://github.com/textpattern/server-config/blob/main/live/servers/files/tarzan.textpattern.net/etc/nginx/nginx.conf

…and the `servers-available` blocks are here (they are not inline due to size):
https://github.com/textpattern/server-config/tree/main/live/servers/files/tarzan.textpattern.net/etc/nginx/servers-available

> Also, is there any specific reason to build nginx and php from
> source? Is there a chance to reproduce the issue without any third-party
> modules?

The Nginx source compile is to be able to use the 3rd party modules, and the PHP source compile is to ensure compatibility of our open source project with current PHP.

There are currently 6 other servers with an identical Nginx & PHP build, and they are not affected. This server has been running as expected for some months, and I am the sole administrator.

Thank you for your time and attention, I appreciate it greatly. Best wishes to you.

$ sudo nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

# configuration file /etc/nginx/nginx.conf:
#begin `nginx.conf` at `/etc/nginx/nginx.conf`
load_module /usr/lib/nginx/modules/ndk_http_module.so;
load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so;
load_module /usr/lib/nginx/modules/ngx_http_cache_purge_module.so;
load_module /usr/lib/nginx/modules/ngx_http_echo_module.so;
load_module /usr/lib/nginx/modules/ngx_http_geoip_module.so;
load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_image_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_length_hiding_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_memc_module.so;
#load_module /usr/lib/nginx/modules/ngx_http_naxsi_module.so;
load_module /usr/lib/nginx/modules/ngx_http_redis2_module.so;
load_module /usr/lib/nginx/modules/ngx_http_set_misc_module.so;
#load_module /usr/lib/nginx/modules/ngx_http_srcache_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_vhost_traffic_status_module.so;
load_module /usr/lib/nginx/modules/ngx_http_xslt_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_ipscrub_module.so;
load_module /usr/lib/nginx/modules/ngx_nchan_module.so;
#load_module /usr/lib/nginx/modules/ngx_pagespeed.so;
load_module /usr/lib/nginx/modules/ngx_stream_module.so;

pcre_jit on;
pid /var/run/nginx.pid;
user www-data www-data;
worker_processes auto;
worker_rlimit_nofile 65535;

events {
    accept_mutex on;
    multi_accept on;
    worker_connections 65535;
    use epoll;
}

http {
    #default `log_format` must be declared before `access_log`
    log_format ipscrubbed '$time_iso8601 ' '$msec ' 'ips="$remote_addr_ipscrub" '
        'rm="$request_method" ' 'r="$request" ' 'ru="$request_uri" ' 'q="$query_string" '
        'u="$uri" ' 'url="$scheme://$host$request_uri" ' 's="$status" ' 'rl="$request_length" '
        'rt="$request_time" ' 'sn="$connection" ' 'cr="$connection_requests" '
        'ct="$connection_time" ' 'bbs="$body_bytes_sent" ' 'gzr="$gzip_ratio" '
        'ups="$upstream_status" ' 'upct="$upstream_connect_time" ' 'uprt="$upstream_response_time" '
        'uprl="$upstream_response_length" ' 'upht="$upstream_header_time" '
        'upbr="$upstream_bytes_received" ' 'upbs="$upstream_bytes_sent" ' 'upcs="$upstream_cache_status" '
        'sa="$server_addr" ' 'srvp="$server_protocol" ' 'tlsp="$ssl_protocol" ' 'tlsc="$ssl_cipher" '
        'tlscs="$ssl_ciphers" ' 'tlsr="$ssl_curves" ' 'tlsed="$ssl_early_data" '
        'tlssr="$ssl_session_reused" ' 'ref="$http_referer" ' 'hua="$http_user_agent" '
        'hxf="$http_x_forwarded_for"' ;
    access_log /mnt/tarzan_logs_01/log/nginx/live/nginx/nginx.access.log ipscrubbed;
    autoindex off;
    charset UTF-8;
    charset_types text/css text/plain text/vnd.wap.wml text/javascript text/markdown text/calendar
        text/x-component text/vcard text/cache-manifest text/vtt application/json application/manifest+json ;
    client_body_buffer_size 2M;
    client_body_timeout 30s;
    client_header_buffer_size 4k;
    client_max_body_size 128M;
    default_type application/octet-stream;
    error_log /mnt/tarzan_logs_01/log/nginx/live/nginx/nginx.error.log warn;
    fastcgi_cache_path /var/cache/nginx/fastcgi levels=1:1 keys_zone=fastcgi-cache:16m max_size=256m inactive=1d;
    gzip on;
    gzip_buffers 16 8k;
    gzip_comp_level 5;
    gzip_http_version 1.0;
    gzip_min_length 1024;
    gzip_proxied any;
    gzip_types application/atom+xml application/geo+json application/javascript application/json
        application/ld+json application/manifest+json application/rdf+xml application/rss+xml
        application/vnd.ms-fontobject application/wasm application/x-javascript
        application/x-web-app-manifest+json application/xhtml+xml application/xml
        font/eot font/otf font/ttf image/svg+xml text/cache-manifest text/calendar text/css
        text/javascript text/markdown text/plain text/vcard text/vnd.rim.location.xloc text/vtt
        text/x-component text/x-cross-domain-policy text/xml ;
    gzip_vary on;
    include /etc/nginx/mime.types;
    keepalive_timeout 30s;
    large_client_header_buffers 8 16k;
    length_hiding on;
    length_hiding_max 1024;
    limit_conn_zone $binary_remote_addr zone=conPerIp:5m;
    limit_req_zone $binary_remote_addr zone=reqPerMin1:60m rate=1r/m;
    limit_req_zone $binary_remote_addr zone=reqPerMin5:60m rate=5r/m;
    limit_req_zone $binary_remote_addr zone=reqPerMin10:60m rate=10r/m;
    limit_req_zone $binary_remote_addr zone=reqPerMin20:60m rate=20r/m;
    limit_req_zone $binary_remote_addr zone=reqPerSec1:5m rate=1r/s;
    limit_req_zone $binary_remote_addr zone=reqPerSec5:5m rate=5r/s;
    limit_req_zone $binary_remote_addr zone=reqPerSec10:5m rate=10r/s;
    limit_req_zone $binary_remote_addr zone=reqPerSec20:5m rate=20r/s;
    log_format content-security-policy '';
    log_format iplogged '$time_iso8601 ' '$msec ' 'ip="$remote_addr" '
        'rm="$request_method" ' 'r="$request" ' 'ru="$request_uri" ' 'q="$query_string" '
        'u="$uri" ' 'url="$scheme://$host$request_uri" ' 's="$status" ' 'rl="$request_length" '
        'rt="$request_time" ' 'sn="$connection" ' 'cr="$connection_requests" '
        'ct="$connection_time" ' 'bbs="$body_bytes_sent" ' 'gzr="$gzip_ratio" '
        'ups="$upstream_status" ' 'upct="$upstream_connect_time" ' 'uprt="$upstream_response_time" '
        'uprl="$upstream_response_length" ' 'upht="$upstream_header_time" '
        'upbr="$upstream_bytes_received" ' 'upbs="$upstream_bytes_sent" ' 'upcs="$upstream_cache_status" '
        'sa="$server_addr" ' 'srvp="$server_protocol" ' 'tlsp="$ssl_protocol" ' 'tlsc="$ssl_cipher" '
        'tlscs="$ssl_ciphers" ' 'tlsr="$ssl_curves" ' 'tlsed="$ssl_early_data" '
        'tlssr="$ssl_session_reused" ' 'ref="$http_referer" ' 'hua="$http_user_agent" '
        'hxf="$http_x_forwarded_for"' ;
    log_format netdata-web_log '';
    log_format network-error '';
    log_format permissions-policy '';
    log_not_found off;
    map_hash_bucket_size 128;
    max_ranges 8;
    more_clear_headers Server;
    msie_padding off;
    proxy_ssl_protocols TLSv1.3 TLSv1.2;
    request_pool_size 8k;
    reset_timedout_connection on;
    resolver 1.1.1.1 9.9.9.9 [2606:4700:4700::1111] [2620:fe::fe] valid=30s;
    resolver_timeout 5s;
    sendfile on;
    send_timeout 15s;
    #server_names_hash_bucket_size 128;
    #server_names_hash_max_size 1024;
    server_tokens off;
    ssl_buffer_size 4k;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_dhparam /etc/nginx/certs/dhparam4096-openssl.pem;
    ssl_ecdh_curve 'prime256v1:secp384r1:secp521r1';
    #ssl_ocsp on;
    #ssl_ocsp_cache shared:OCSP:10m;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_session_timeout 6h;
    ssl_stapling on;
    ssl_stapling_verify on;
    #ssl_trusted_certificate /opt/certs/mozilla-cacert.pem;
    #ssl_verify_client on;
    #ssl_verify_depth 2;
    tcp_nodelay on;
    tcp_nopush on;
    types_hash_max_size 2048;
    variables_hash_max_size 2048;
    variables_hash_bucket_size 512;
    vhost_traffic_status_zone;
    #last but not least
    include /etc/nginx/includes/deny/10-global-deny.conf;
    include /etc/nginx/includes/deny/20-undefined-server-deny.conf;
    include /etc/nginx/includes/monitoring/*.conf;
    include /etc/nginx/servers-enabled/*.conf;
    include /etc/nginx/streams-enabled/*.conf;
}
#end `nginx.conf`

# configuration file /etc/nginx/mime.types:
types {
    text/html html htm shtml;
    text/css css;
    text/xml xml;
    image/gif gif;
    image/jpeg jpeg jpg;
    application/javascript js;
    application/atom+xml atom;
    application/rss+xml rss;
    text/mathml mml;
    text/plain txt;
    text/vnd.sun.j2me.app-descriptor jad;
    text/vnd.wap.wml wml;
    text/x-component htc;
    image/avif avif;
    image/png png;
    image/svg+xml svg svgz;
    image/tiff tif tiff;
    image/vnd.wap.wbmp wbmp;
    image/webp webp;
    image/x-icon ico;
    image/x-jng jng;
    image/x-ms-bmp bmp;
    font/woff woff;
    font/woff2 woff2;
    application/java-archive jar war ear;
    application/json json;
    application/mac-binhex40 hqx;
    application/msword doc;
    application/pdf pdf;
    application/postscript ps eps ai;
    application/rtf rtf;
    application/vnd.apple.mpegurl m3u8;
    application/vnd.google-earth.kml+xml kml;
    application/vnd.google-earth.kmz kmz;
    application/vnd.ms-excel xls;
    application/vnd.ms-fontobject eot;
    application/vnd.ms-powerpoint ppt;
    application/vnd.oasis.opendocument.graphics odg;
    application/vnd.oasis.opendocument.presentation odp;
    application/vnd.oasis.opendocument.spreadsheet ods;
    application/vnd.oasis.opendocument.text odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
    application/vnd.wap.wmlc wmlc;
    application/wasm wasm;
    application/x-7z-compressed 7z;
    application/x-cocoa cco;
    application/x-java-archive-diff jardiff;
    application/x-java-jnlp-file jnlp;
    application/x-makeself run;
    application/x-perl pl pm;
    application/x-pilot prc pdb;
    application/x-rar-compressed rar;
    application/x-redhat-package-manager rpm;
    application/x-sea sea;
    application/x-shockwave-flash swf;
    application/x-stuffit sit;
    application/x-tcl tcl tk;
    application/x-x509-ca-cert der pem crt;
    application/x-xpinstall xpi;
    application/xhtml+xml xhtml;
    application/xspf+xml xspf;
    application/zip zip;
    application/octet-stream bin exe dll;
    application/octet-stream deb;
    application/octet-stream dmg;
    application/octet-stream iso img;
    application/octet-stream msi msp msm;
    audio/midi mid midi kar;
    audio/mpeg mp3;
    audio/ogg ogg;
    audio/x-m4a m4a;
    audio/x-realaudio ra;
    video/3gpp 3gpp 3gp;
    video/mp2t ts;
    video/mp4 mp4;
    video/mpeg mpeg mpg;
    video/quicktime mov;
    video/webm webm;
    video/x-flv flv;
    video/x-m4v m4v;
    video/x-mng mng;
    video/x-ms-asf asx asf;
    video/x-ms-wmv wmv;
    video/x-msvideo avi;
}

# configuration file /etc/nginx/includes/deny/10-global-deny.conf:
#begin `10-global-deny.conf` server block at `/etc/nginx/includes/deny/10-global-deny.conf`
#deny all; #here be dragons
#deny 192.0.2.1; #example for a single IPv4 address
#deny 192.0.2.0/24; #example for an IPv4 CIDR block
#deny 2001:db8::1; #example for a single IPv6 address
#deny 2001:db8::/32; #example for an IPv6 CIDR block
#end `10-global-deny.conf` server block

# configuration file /etc/nginx/includes/deny/20-undefined-server-deny.conf:
#begin `20-undefined-server-deny.conf` server block at `/etc/nginx/includes/deny/20-undefined-server-deny.conf`
server {
    access_log /mnt/tarzan_logs_01/log/nginx/live/undefined-server-deny/undefined-server-deny.access.log iplogged;
    error_log /mnt/tarzan_logs_01/log/nginx/live/undefined-server-deny/undefined-server-deny.error.log warn;
    limit_req zone=reqPerMin5;
    listen [::]:80 default_server;
    listen 80 default_server;
    return 444;
    server_name _;
}
#end `20-undefined-server-deny.conf` server block

# configuration file /etc/nginx/includes/monitoring/heartbeat.conf:
#begin `heartbeat.conf` server block at `/etc/nginx/includes/monitoring/heartbeat.conf`
server {#hostname, http -> https redirect
    access_log /mnt/tarzan_logs_01/log/nginx/live/heartbeat/tarzan.textpattern.net.access.log ipscrubbed;
    add_header Content-Security-Policy 'default-src \'none\'' always;
    add_header Permissions-Policy default-src=()' always;
    add_header Referrer-Policy "strict-origin" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    error_log /mnt/tarzan_logs_01/log/nginx/live/heartbeat/tarzan.textpattern.net.error.log warn;
    index index.html;
    limit_req zone=reqPerSec5;
    listen [::]:80;
    listen 80;
    return 301 https://$host$request_uri;
    root /var/www/heartbeat/live/;
    server_name tarzan.textpattern.net;
    location ^~ /.well-known/ {
        allow all;
        default_type "text/plain";
        root /var/www/heartbeat/_well-known/;
        try_files $uri/ $uri =404;
    }
    location ~ /\. {
        deny all;
        limit_req zone=reqPerSec1;
    }
    location /favicon.ico {
        access_log off;
        log_not_found off;
    }
    location /robots.txt {
        access_log off;
        limit_req zone=reqPerSec1;
        log_not_found off;
    }
    location / {
        index index.html;
        limit_except GET HEAD POST {
            deny all;
        }
        try_files $uri $uri/ =404;
    }
    location ~ ^.+\.php(?:/.*)?$ {
        return 502;
    }
}

server {#hostname, https
    access_log /mnt/tarzan_logs_01/log/nginx/live/heartbeat/tarzan.textpattern.net.access.log ipscrubbed;
    set $consecpol_heartbeat '';
    set $consecpol_heartbeat '${consecpol_heartbeat}base-uri \'self\';';
    set $consecpol_heartbeat '${consecpol_heartbeat}connect-src \'self\';';
    set $consecpol_heartbeat '${consecpol_heartbeat}default-src \'none\';';
    set $consecpol_heartbeat '${consecpol_heartbeat}font-src \'self\';';
    set $consecpol_heartbeat '${consecpol_heartbeat}frame-ancestors \'none\';';
    set $consecpol_heartbeat '${consecpol_heartbeat}frame-src \'none\';';
    set $consecpol_heartbeat '${consecpol_heartbeat}img-src \'self\';';
    set $consecpol_heartbeat '${consecpol_heartbeat}manifest-src \'self\';';
    set $consecpol_heartbeat '${consecpol_heartbeat}media-src \'self\';';
    set $consecpol_heartbeat '${consecpol_heartbeat}object-src \'none\';';
    set $consecpol_heartbeat '${consecpol_heartbeat}script-src \'self\';';
    set $consecpol_heartbeat '${consecpol_heartbeat}style-src \'self\';';
    add_header Content-Security-Policy $consecpol_heartbeat always;
    set $perpol_heartbeat '';
    set $perpol_heartbeat '${perpol_heartbeat}camera=(),';
    set $perpol_heartbeat '${perpol_heartbeat}fullscreen=(self),';
    set $perpol_heartbeat '${perpol_heartbeat}geolocation=(),';
    set $perpol_heartbeat '${perpol_heartbeat}gyroscope=(),';
    set $perpol_heartbeat '${perpol_heartbeat}magnetometer=(),';
    set $perpol_heartbeat '${perpol_heartbeat}microphone=(),';
    set $perpol_heartbeat '${perpol_heartbeat}midi=(),';
    set $perpol_heartbeat '${perpol_heartbeat}notifications=(self),';
    set $perpol_heartbeat '${perpol_heartbeat}payment=(),';
    set $perpol_heartbeat '${perpol_heartbeat}push=(self),';
    set $perpol_heartbeat '${perpol_heartbeat}speaker=(),';
    set $perpol_heartbeat '${perpol_heartbeat}sync-xhr=(self),';
    set $perpol_heartbeat '${perpol_heartbeat}usb=(),';
    set $perpol_heartbeat '${perpol_heartbeat}vibrate=()'; #no trailing comma
    add_header Permissions-Policy $perpol_heartbeat always;
    add_header Referrer-Policy "strict-origin" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    error_log /mnt/tarzan_logs_01/log/nginx/live/heartbeat/tarzan.textpattern.net.error.log warn;
    index index.html;
    listen [::]:443 http2 ssl;
    listen 443 http2 ssl;
    root /var/www/heartbeat/live/;
    server_name tarzan.textpattern.net;
    ssl_certificate /etc/certbot/live/tarzan.textpattern.net/fullchain.pem;
    ssl_certificate_key /etc/certbot/live/tarzan.textpattern.net/privkey.pem;
    ssl_trusted_certificate /etc/certbot/live/tarzan.textpattern.net/fullchain.pem;
    location ^~ /.well-known/ {
        allow all;
        default_type "text/plain";
        root /var/www/heartbeat/_well-known/;
        try_files $uri/ $uri =404;
    }
    location /favicon.ico {
        access_log off;
        log_not_found off;
    }
    location /robots.txt {
        access_log off;
        log_not_found off;
    }
    location ~ /\. {
        deny all;
    }
    location / {
        index index.html;
        limit_except GET HEAD POST {
            deny all;
        }
        try_files $uri $uri/ =404;
    }
    location ~ ^.+\.php(?:/.*)?$ {
        return 502;
    }
}
#end `heartbeat.conf` server block

# configuration file /etc/nginx/includes/monitoring/netdata.conf:
#begin `netdata` server block at `/etc/nginx/includes/monitoring/netdata.conf`
upstream netdata-socket {
    keepalive 60;
    server unix:/run/netdata/netdata.sock;
}

server {#netdata hostname, https
    access_log off;
    set $consecpol_netdata '';
    set $consecpol_netdata '${consecpol_netdata}connect-src https://api.github.com https://registry.my-netdata.io \'self\';';
    set $consecpol_netdata '${consecpol_netdata}default-src \'none\';';
    set $consecpol_netdata '${consecpol_netdata}font-src \'self\';';
    set $consecpol_netdata '${consecpol_netdata}frame-ancestors \'self\';';
    set $consecpol_netdata '${consecpol_netdata}frame-src \'none\';';
    set $consecpol_netdata '${consecpol_netdata}img-src data: \'self\';';
    set $consecpol_netdata '${consecpol_netdata}manifest-src \'self\';';
    set $consecpol_netdata '${consecpol_netdata}media-src \'self\';';
    set $consecpol_netdata '${consecpol_netdata}object-src \'self\';';
    set $consecpol_netdata '${consecpol_netdata}script-src \'self\' \'unsafe-inline\';';
    set $consecpol_netdata '${consecpol_netdata}style-src \'self\' \'unsafe-inline\';';
    add_header Content-Security-Policy $consecpol_netdata;
    set $perpol_netdata '';
    set $perpol_netdata '${perpol_netdata}camera=(),';
    set $perpol_netdata '${perpol_netdata}fullscreen=(self),';
    set $perpol_netdata '${perpol_netdata}geolocation=(),';
    set $perpol_netdata '${perpol_netdata}gyroscope=(),';
    set $perpol_netdata '${perpol_netdata}magnetometer=(),';
    set $perpol_netdata '${perpol_netdata}microphone=(),';
    set $perpol_netdata '${perpol_netdata}midi=(),';
    set $perpol_netdata '${perpol_netdata}notifications=(self),';
    set $perpol_netdata '${perpol_netdata}payment=(),';
    set $perpol_netdata '${perpol_netdata}push=(self),';
    set $perpol_netdata '${perpol_netdata}speaker=(),';
    set $perpol_netdata '${perpol_netdata}sync-xhr=(self),';
    set $perpol_netdata '${perpol_netdata}vibrate=()'; #no trailing comma
    add_header Permissions-Policy $perpol_netdata;
    add_header Referrer-Policy strict-origin;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options SAMEORIGIN;
    error_log /mnt/tarzan_logs_01/log/nginx/live/netdata/netdata at tarzan.textpattern.net.error.log warn;
    listen [::]:909 http2 ssl;
    listen 909 http2 ssl;
    server_name tarzan.textpattern.net;
    ssl_certificate /etc/certbot/live/tarzan.textpattern.net/fullchain.pem;
    ssl_certificate_key /etc/certbot/live/tarzan.textpattern.net/privkey.pem;
    ssl_trusted_certificate /etc/certbot/live/tarzan.textpattern.net/fullchain.pem;
    location / {
        limit_except GET HEAD POST {
            deny all;
        }
        auth_basic "Authentication";
        auth_basic_user_file /etc/nginx/auth/passwd-netdata;
        proxy_http_version 1.1;
        proxy_pass http://netdata-socket;
        proxy_pass_request_headers on;
        proxy_set_header Connection "keep-alive";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_store off;
    }
    location = /favicon.ico {
        log_not_found off;
    }
}
#end `netdata` server block

# configuration file /etc/nginx/includes/monitoring/nginx-stubstatus.conf:
#begin `nginx-stubstatus.conf` server block at `/etc/nginx/includes/monitoring/nginx-stubstatus.conf`
server {#Nginx `stub_status`, IPv4 and IPv6 localhost, http
    allow 127.0.0.1;
    allow ::1;
    deny all;
    listen 127.0.0.1:81;
    listen [::1]:81;
    location /stub_status {
        access_log off;
        stub_status on;
    }
}
#end `nginx-stubstatus.conf` server block

# configuration file /etc/nginx/includes/monitoring/php-fpm80-socket.conf:
#begin `php-fpm80-socket.conf` at `/etc/nginx/includes/monitoring/php-fpm80-socket.conf`
server {#localhost, PHP FastCGI
    access_log off;
    allow 127.0.0.1;
    allow ::1;
    deny all;
    index index.html;
    length_hiding off;
    listen [::]:880;
    listen 880;
    root /var/www/php-fpm/live/;
    location / {
        index index.html;
    }
    location ~ ^.+\.php(?:/.*)?$ {
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php/php-fpm80.sock;
        include fastcgi_params;
    }
}
#end `php-fpm80-socket.conf`

# configuration file /etc/nginx/fastcgi_params:
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;

# configuration file /etc/nginx/includes/monitoring/php-fpm80-status.conf:
#begin `php-fpm80-status.conf` at `/etc/nginx/includes/monitoring/php-fpm80-status.conf`
server {#PHP-FPM 8.0 status, IPv4 and IPv6 localhost, http
    allow 127.0.0.1;
    allow ::1;
    deny all;
    listen 127.0.0.1:980;
    listen [::1]:980;
    server_name _;
    location /php-fpm80-status {
        access_log off;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php/php-fpm80.sock;
        include fastcgi_params;
    }
}
#end `php-fpm80-status.conf`

Posted at Nginx Forum:
https://forum.nginx.org/read.php?2,294944,294946#msg-294946 From nginx-forum at forum.nginx.org Sun Aug 14 10:37:57 2022 From: nginx-forum at forum.nginx.org (petecooper) Date: Sun, 14 Aug 2022 06:37:57 -0400 Subject: Nginx segfault - `is_closing_session(): no DBUS_SESSION_BUS_ADDRESS in environment` In-Reply-To: References: Message-ID: petecooper Wrote: ------------------------------------------------------- > Hello. > I have a single-digit fleet of Ubuntu servers, all running a similar > configuration: > > * Ubuntu 20.04LTS, current kernel via `apt` > * Nginx 1.23.1 from source, with 3rd party modules > * PHP 8.0 or 8.1 from source > > One of the servers has recently had issues with what appears to be an > Nginx segfault, which manifests as high CPU load, repeated `apport` > processes spawning, and errors written to `apport.log`. The other > servers have a similar config, but are not affected by this issue. I am providing some follow up for awareness / completeness. According to my logs, the server was upgraded from Nginx 1.23.0 on 2022-07-18, and then upgraded to Nginx 1.23.1 on 2022-08-10: 2022-03-16T16:15:33+00:00 Nginx 1.21.6 compiled 2022-07-18T10:45:47+00:00 Nginx 1.23.0 compiled 2022-08-10T07:04:58+00:00 Nginx 1.23.1 compiled 2022-08-13T08:48:32+00:00 Nginx 1.23.1 compiled This issue first appeared on 2022-08-11 (a reboot resolved it), then 2022-08-12 at the same time of day, and again for 2022-08-13 & 2022-08-14. My provider graphs show the issue occurs at around 07:00 each day, which - perhaps coincidentally - is the same time that the Nginx 1.23.1 build completed. I am rolling back to Nginx 1.23.0 to see if that addresses or affects the issue, I will report back with findings after 07:00 tomorrow. Thank you for your continued attention and expertise, it is greatly appreciated. 
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,294944,294947#msg-294947

From nginx-forum at forum.nginx.org Mon Aug 15 20:35:56 2022
From: nginx-forum at forum.nginx.org (atrocitus)
Date: Mon, 15 Aug 2022 16:35:56 -0400
Subject: ngx_http_read_client_request_body not always being called?
Message-ID: <923b332936f600aa2d65a44db8241239.NginxMailingListEnglish@forum.nginx.org>

(I wanted to post this to the Nginx Development group but it's read only)

I'm developing a module which will receive post data then print out "Done". "Done" will be printed out regardless of whether it's a "POST" or a "GET". The issue I'm having is that ngx_http_read_client_request_body is not always calling my callback; I have to wait a few seconds / resubmit the form before it works. Is there a caching issue I'm not aware of? I'm doing this from the bash command line, a simple CURL command.

Here is what I have in my "cmd_handler":

    {
        if (r->method == NGX_HTTP_POST)
            ngx_http_read_client_request_body(r, ngx_http_form_read)

        ngx_str_set(&r->headers_out.content_type, "text/html")
        ///....more out data definitions
        ngx_http_output_filter(r, out);
        ngx_http_finalize(request, r, NGX_DONE)
        return NGX_DONE
    }

In my ngx_http_form_read, I have the following:

    {
    #if defined(ngx_version) && nginx_version >= 8011
        r->main->count--;
    #endif

        //form parsing data
        // no return, this is a void?

    }

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,294951,294951#msg-294951

From nginx-forum at forum.nginx.org Tue Aug 16 09:49:59 2022
From: nginx-forum at forum.nginx.org (petecooper)
Date: Tue, 16 Aug 2022 05:49:59 -0400
Subject: Nginx segfault - `is_closing_session(): no DBUS_SESSION_BUS_ADDRESS in environment`
In-Reply-To:
References:
Message-ID:

petecooper Wrote:
-------------------------------------------------------
> Hello.
> I have a single-digit fleet of Ubuntu servers, all running a similar
> configuration:
>
> * Ubuntu 20.04LTS, current kernel via `apt`
> * Nginx 1.23.1 from source, with 3rd party modules
> * PHP 8.0 or 8.1 from source
>
> One of the servers has recently had issues with what appears to be an
> Nginx segfault, which manifests as high CPU load, repeated `apport`
> processes spawning, and errors written to `apport.log`. The other
> servers have a similar config, but are not affected by this issue.

[…]

The issue is resolved with the removal of third party module `nchan` [1]. A recent release resolved a reported issue with Nginx 1.23, but given the number of modules I am using it's possible there may be a conflict with another module.

Thank you Sergey A Osokin for your assistance and expertise.

[1] https://github.com/slact/nchan

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,294944,294952#msg-294952

From pluknet at nginx.com Tue Aug 16 14:41:57 2022
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Tue, 16 Aug 2022 18:41:57 +0400
Subject: ngx_http_read_client_request_body not always being called?
In-Reply-To: <923b332936f600aa2d65a44db8241239.NginxMailingListEnglish@forum.nginx.org>
References: <923b332936f600aa2d65a44db8241239.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

> On 16 Aug 2022, at 00:35, atrocitus wrote:
>
> (I wanted to post this to the Nginx Development group but it's read only)

You can subscribe to the nginx development mailing list:
https://mailman.nginx.org/mailman3/lists/nginx-devel.nginx.org/

>
> I'm developing a module which will receive post data then print out "Done".
> "Done" will be printed out regardless of whether it's a "POST" or a "GET". The issue I'm
> having is that ngx_http_read_client_request_body is not always calling my
> callback; I have to wait a few seconds / resubmit the form before it works. Is there
> a caching issue I'm not aware of? I'm doing this from the bash command line, a
> simple CURL command.
>
> Here is what I have in my "cmd_handler":
> {
> if (r->method == NGX_HTTP_POST)
> ngx_http_read_client_request_body(r, ngx_http_form_read)
>
> ngx_str_set(&r->headers_out.content_type, "text/html")
> ///....more out data definitions
> ngx_http_output_filter(r, out);
> ngx_http_finalize(request, r, NGX_DONE)
> return NGX_DONE
> }
>
> In my ngx_http_form_read, I have the following:
> {
> #if defined(ngx_version) && nginx_version >= 8011
> r->main->count--;
> #endif
>
> //form parsing data
> // no return, this is a void?
>
> }
>

I see numerous issues in your code, including direct manipulation of the request count and missing error handling.

See the complete example of handling the request body:
http://nginx.org/en/docs/dev/development_guide.html#http_request_body

--
Sergey Kandaurov

From osa at freebsd.org.ru Tue Aug 16 15:10:49 2022
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Tue, 16 Aug 2022 18:10:49 +0300
Subject: Nginx segfault - `is_closing_session(): no DBUS_SESSION_BUS_ADDRESS in environment`
In-Reply-To:
References:
Message-ID:

Hi,

thanks for the update.

On Tue, Aug 16, 2022 at 05:49:59AM -0400, petecooper wrote:
>
> […]
>
> The issue is resolved with the removal of third party module `nchan` [1]. A
> recent release resolved a reported issue with Nginx 1.23, but given the
> number of modules I am using it's possible there may be a conflict with
> another module.
>
> Thank you Sergey A Osokin for your assistance and expertise.
>
> [1] https://github.com/slact/nchan

We'd probably need to raise an issue on the vendor side.

Thank you.

--
Sergey A. Osokin

From nginx-forum at forum.nginx.org Thu Aug 18 01:58:58 2022
From: nginx-forum at forum.nginx.org (panamagod25)
Date: Wed, 17 Aug 2022 21:58:58 -0400
Subject: Getting List of Output Chains Before the Output Filter
Message-ID: <40bf3743b35e0aa7b4508dcc9164a71d.NginxMailingListEnglish@forum.nginx.org>

Good evening,

I'm following the instructions on the developer guide:

http://nginx.org/en/docs/dev/development_guide.html#http_response_body_filters

and also this github project:

https://github.com/ngchianglin/NginxHtmlHeadFilter/blob/master/ngx_http_html_head_filter_module.c

What I'm trying to do is to collect all of the tags on an HTML page, then perform an operation on a certain tag group based on tag count. For example: I want to add a class to all tags if there are more tags than tags.

So, (kind of) like the html_head_filter module from above, I want the parser to run on all of the HTML, then do some logic, THEN when it hits the output filter, create a C engine which will modify the requisite tag.

Any help you can provide would be very appreciated.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,294964,294964#msg-294964

From rob at dogsbody.com Thu Aug 18 12:19:05 2022
From: rob at dogsbody.com (Rob Hooper)
Date: Thu, 18 Aug 2022 13:19:05 +0100
Subject: Ubuntu 18 Support
Message-ID:

Hello!

I am using the NGINX stable release from the nginx.org repo on a number of Ubuntu 18 servers and I am making a plan for when these servers reach end of life next year.

For the server OS, I will be installing Ubuntu Advantage to extend the EOL to 2028; however, I realise third party repos like yourself may have different plans.

How long will nginx.org continue to release security updates for Ubuntu 18?

From pluknet at nginx.com Fri Aug 19 14:09:24 2022
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Fri, 19 Aug 2022 18:09:24 +0400
Subject: Ubuntu 18 Support
In-Reply-To:
References:
Message-ID: <7A81AA2E-0988-49FF-BE29-19C3F170D117@nginx.com>

> On 18 Aug 2022, at 16:19, Rob Hooper via nginx wrote:
>
> Hello!
>
> I am using the NGINX stable release from the nginx.org repo on a number of Ubuntu 18 servers and I am making a plan for when these servers reach end of life next year.
>
> For the server OS, I will be installing Ubuntu Advantage to extend the EOL to 2028; however, I realise third party repos like yourself may have different plans.
>
> How long will nginx.org continue to release security updates for Ubuntu 18?

Linux packages are generally updated until the end of standard support of the relevant Linux distribution.
For details on Ubuntu, you can check https://wiki.ubuntu.com/Releases

--
Sergey Kandaurov

From mdounin at mdounin.ru Fri Aug 19 17:23:51 2022
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Fri, 19 Aug 2022 20:23:51 +0300
Subject: Getting List of Output Chains Before the Output Filter
In-Reply-To: <40bf3743b35e0aa7b4508dcc9164a71d.NginxMailingListEnglish@forum.nginx.org>
References: <40bf3743b35e0aa7b4508dcc9164a71d.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

Hello!

On Wed, Aug 17, 2022 at 09:58:58PM -0400, panamagod25 wrote:

> Good evening,
>
> I'm following the instructions on the developer guide:
>
> http://nginx.org/en/docs/dev/development_guide.html#http_response_body_filters
>
> and also this github project:
>
> https://github.com/ngchianglin/NginxHtmlHeadFilter/blob/master/ngx_http_html_head_filter_module.c
>
> What I'm trying to do is to collect all of the tags on an HTML page, then
> perform an operation on a certain tag group based on tag count. For example:
> I want to add a class to all tags if there are more tags than tags.
>
> So, (kind of) like the html_head_filter module from above, I want the parser
> to run on all of the HTML, then do some logic, THEN when it hits the output
> filter, create a C engine which will modify the requisite tag.
>
> Any help you can provide would be very appreciated.

Normally, the full response body is not available in nginx, since response bodies can be arbitrarily big. Instead, nginx processes the response body as a stream, handling individual buffers with data.

If in your particular use case response bodies are guaranteed to be of limited size, and you have to do some processing which needs the whole response body, you'll have to buffer it in your response body filter. Examples of such buffering can be found in the image filter (src/http/modules/ngx_http_image_filter_module.c) and the xslt filter (src/http/modules/ngx_http_xslt_filter_module.c).

Hope this helps.

--
Maxim Dounin
http://mdounin.ru/

From ramakanth.varala at gmail.com Sun Aug 21 11:29:57 2022
From: ramakanth.varala at gmail.com (ramakanth varala)
Date: Sun, 21 Aug 2022 16:59:57 +0530
Subject: nginx: lua modules
Message-ID:

Hi All,

I want to use Lua pages with nginx. Can you please suggest what the correct modules are? Also, where can I find them?

Thanks
vlrk

From pgnet.dev at gmail.com Sun Aug 21 17:08:00 2022
From: pgnet.dev at gmail.com (PGNet Dev)
Date: Sun, 21 Aug 2022 13:08:00 -0400
Subject: nginx: lua modules
In-Reply-To:
References:
Message-ID: <3514468a-d90a-9df5-0674-06773a1a54a7@gmail.com>

> I want to use Lua pages with nginx.
>
> Can you please suggest what the correct modules are?
> Also, where can I find them?

LUA support with nginx is third-party -- via OpenResty

https://www.nginx.com/resources/wiki/modules/lua/
https://openresty.org/en/

OpenResty is packaged as a standalone web platform, bundling a modified version of Nginx's opensource core. It's possible, though not trivial, to extract the Lua bits from the OpenResty source and build them for official Nginx.

In 2019, Nginx chose to develop its own native scripting tools -- njs,

https://github.com/nginx/njs/issues/179
https://nginx.org/en/docs/njs/

A useful example read re: Lua 'vs' njs script support/usage in Nginx,

https://www.rkatz.xyz/post/2021-09-13-nginx-njs-experiments/

From nginx-forum at forum.nginx.org Tue Aug 23 07:11:48 2022
From: nginx-forum at forum.nginx.org (arunr039)
Date: Tue, 23 Aug 2022 03:11:48 -0400
Subject: proxy_hide header not working
In-Reply-To: <2c2c4a2ca9d3f81c53f11b09d13902ba.NginxMailingListEnglish@forum.nginx.org>
References: <2c2c4a2ca9d3f81c53f11b09d13902ba.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <7bc116602b6ee0f99c3f2bf86d47f6fb.NginxMailingListEnglish@forum.nginx.org>

Hi team,

I have a problem on my nginx proxy: I need to hide the HTTP OPTION method in my nginx configuration. I tried the format below to hide it, but there were no changes. Kindly help me to solve the problem, thanks in advance.

proxy_hide_header 'Access-Control-Allow-Method' 'OPTION'

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293336,294978#msg-294978

From fusca14 at gmail.com Wed Aug 24 20:22:10 2022
From: fusca14 at gmail.com (Fabiano Furtado Pessoa Coelho)
Date: Wed, 24 Aug 2022 17:22:10 -0300
Subject: Client can't negotiate with TLS 1.0 and 1.1
Message-ID:

Hi...
I'm using NGINX 1.22.0 with OpenSSL 3.0.5 in a Linux x86_64 server with one NIC and 2 IPs, with the following config:

* config based on https://ssl-config.mozilla.org/#server=nginx&version=1.22.0&config=intermediate&openssl=3.0.5&guideline=5.6

1st) IP 10.0.0.1 with intermediate config (only TLS 1.2 and 1.3 enabled):

server {
    listen 10.0.0.1:443 ssl http2;
    server_name secure.example.com;

    ssl_session_cache shared:SSL_intermediate:10m;

    ssl_dhparam /etc/nginx/dhparams.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ...
}

2nd) IP 10.0.0.2 with old config (TLS 1.0 through 1.3 enabled):

server {
    listen 10.0.0.2:443 ssl http2;
    server_name insecure.example.com;

    ssl_session_cache shared:SSL_old:10m;

    ssl_dhparam /etc/nginx/dhparams.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
    ssl_prefer_server_ciphers on;
    ...
}

$ netstat -nlpt | grep nginx | sort
tcp        0      0 10.0.0.1:443    0.0.0.0:*    LISTEN    1337/nginx: master p
tcp        0      0 10.0.0.2:443    0.0.0.0:*    LISTEN    1337/nginx: master p

Trying TLS 1.0:

$ openssl s_client -connect insecure.example.com:443 -tls1
CONNECTED(00000003)
00FCC7F5507F0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1584:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 135 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1661371345
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

Trying TLS 1.1:

$ openssl s_client -connect insecure.example.com:443 -tls1_1
CONNECTED(00000003)
00FC0A99AB7F0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1584:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 135 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1661371360
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

Why can't I connect with TLS 1.0 or 1.1 on insecure.example.com?

Is this an OpenSSL 3 issue? Does it work with OpenSSL 1.1.1?

I have separated the "ssl_protocols" by IP and there are no other "ssl_protocols" directives configured outside of the server{} block.

Thanks.
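Both openssl runs above end with "SSL alert number 70" after the handshake "has read 7 bytes", which is exactly one unencrypted TLS alert record: a 5-byte record header plus a 2-byte alert body. The decoder below is an added example, not part of the original post or of nginx; it parses such a record, names the alert, and also translates the combined number curl prints for alerts (level << 8 | description). The sample bytes are constructed to match that 7-byte reply rather than captured from the poster's server.

```python
"""Decode TLS alert records of the kind seen in failed s_client / curl runs."""
import struct

CONTENT_TYPE_ALERT = 21            # TLS record content type "alert"
ALERT_LEVELS = {1: "warning", 2: "fatal"}

# AlertDescription values from RFC 5246 / RFC 8446 (the subset that matters
# when diagnosing protocol-version and handshake problems).
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    47: "illegal_parameter",
    48: "unknown_ca",
    70: "protocol_version",
    71: "insufficient_security",
    80: "internal_error",
    109: "missing_extension",
    112: "unrecognized_name",
    120: "no_application_protocol",
}

# Record-layer version bytes; an alert answering an old ClientHello
# normally carries the legacy version the client offered.
RECORD_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def parse_alert_record(data: bytes) -> dict:
    """Parse one plaintext TLS record and return the alert it carries.

    Raises ValueError for anything that is not a well-formed alert record,
    so a caller can distinguish "the server sent an alert" from garbage
    or from a handshake message.
    """
    if len(data) < 5:
        raise ValueError("record header truncated")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype != CONTENT_TYPE_ALERT:
        raise ValueError(f"not an alert record (content type {ctype})")
    if length != 2 or len(data) != 5 + length:
        # An unencrypted alert body is always exactly two bytes.
        raise ValueError(f"unexpected alert length {length}")
    level, desc = data[5], data[6]
    return {
        "record_version": RECORD_VERSIONS.get((major, minor), f"{major}.{minor}"),
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
        "code": desc,
    }


def decode_curl_alert_code(code: int) -> tuple:
    """Translate the number in curl's "TLS alert, <name> (N)" trace line.

    curl builds N as (level << 8) | description, so 592 is 2 << 8 | 80,
    i.e. a fatal internal_error, while openssl s_client prints only the
    description value ("SSL alert number 70").
    """
    level, desc = code >> 8, code & 0xFF
    return (ALERT_LEVELS.get(level, f"unknown({level})"),
            ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"))


# Constructed sample: the 7-byte fatal protocol_version (70 = 0x46) alert
# that matches the openssl transcript above.
SAMPLE_PROTOCOL_VERSION_ALERT = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x46])


def explain(data: bytes) -> str:
    """One-line diagnosis of an alert record, suitable for a check script."""
    alert = parse_alert_record(data)
    hints = {
        "protocol_version": "server refused the offered TLS version",
        "internal_error": "server failed during the handshake; "
                          "look at the server-side error log, not just the client",
    }
    hint = hints.get(alert["description"], "see the server-side log")
    return (f"{alert['level']} alert {alert['code']} "
            f"({alert['description']}): {hint}")


if __name__ == "__main__":
    print(explain(SAMPLE_PROTOCOL_VERSION_ALERT))
    print(decode_curl_alert_code(592))
```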
From mdounin at mdounin.ru Wed Aug 24 20:44:39 2022
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 24 Aug 2022 23:44:39 +0300
Subject: Client can't negotiate with TLS 1.0 and 1.1
In-Reply-To:
References:
Message-ID:

Hello!

On Wed, Aug 24, 2022 at 05:22:10PM -0300, Fabiano Furtado Pessoa Coelho wrote:

> I'm using NGINX 1.22.0 with OpenSSL 3.0.5 in a Linux x86_64 server
> with one NIC and 2 IPs, with the following config:
>
> * config based on
> https://ssl-config.mozilla.org/#server=nginx&version=1.22.0&config=intermediate&openssl=3.0.5&guideline=5.6
>
> 1st) IP 10.0.0.1 with intermediate config (only TLS 1.2 and 1.3 enabled):
>
> server {
>     listen 10.0.0.1:443 ssl http2;
>     server_name secure.example.com;

[...]

> 2nd) IP 10.0.0.2 with old config (TLS 1.0 through 1.3 enabled):
>
> server {
>     listen 10.0.0.2:443 ssl http2;
>     server_name insecure.example.com;

[...]

> $ netstat -nlpt | grep nginx | sort
> tcp        0      0 10.0.0.1:443    0.0.0.0:*    LISTEN    1337/nginx: master p
> tcp        0      0 10.0.0.2:443    0.0.0.0:*    LISTEN    1337/nginx: master p
>
>
> Trying TLS 1.0:
>
> $ openssl s_client -connect insecure.example.com:443 -tls1
> CONNECTED(00000003)
> 00FCC7F5507F0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1
> alert protocol version:ssl/record/rec_layer_s3.c:1584:SSL alert number
> 70

[...]

What's the IP address of "insecure.example.com" in your tests? What happens when you test with the IP addresses you've configured, 10.0.0.1 and 10.0.0.2, rather than names?

--
Maxim Dounin
http://mdounin.ru/

From iippolitov at nginx.com Wed Aug 24 20:46:57 2022
From: iippolitov at nginx.com (Igor Ippolitov)
Date: Wed, 24 Aug 2022 21:46:57 +0100
Subject: Client can't negotiate with TLS 1.0 and 1.1
In-Reply-To:
References:
Message-ID: <7a6099bc-5d2b-4080-f27f-f6cd3f956bf1@nginx.com>

Fabiano,

Is it possible that you have nginx.org/r/ssl_reject_handshake configured in another server block listening on 10.0.0.2:443? Is there anything useful in the nginx error log?

My guess is that using the -servername option will resolve the issue for you.

Regards,
Igor.

On 24/08/2022 21:22, Fabiano Furtado Pessoa Coelho wrote:
> Hi...
>
> I'm using NGINX 1.22.0 with OpenSSL 3.0.5 in a Linux x86_64 server
> with one NIC and 2 IPs, with the following config:
>
> [...]
>
> Why can't I connect with TLS 1.0 or 1.1 on insecure.example.com?
>
> Is this an OpenSSL 3 issue? Does it work with OpenSSL 1.1.1?
>
> I have separated the "ssl_protocols" by IP and there are no other
> "ssl_protocols" directives configured outside of the server{} block.
>
> Thanks.

From noloader at gmail.com Wed Aug 24 21:09:06 2022
From: noloader at gmail.com (Jeffrey Walton)
Date: Wed, 24 Aug 2022 17:09:06 -0400
Subject: Client can't negotiate with TLS 1.0 and 1.1
In-Reply-To:
References:
Message-ID:

On Wed, Aug 24, 2022 at 4:25 PM Fabiano Furtado Pessoa Coelho wrote:
>
> Hi...
>
> I'm using NGINX 1.22.0 with OpenSSL 3.0.5 in a Linux x86_64 server
> with one NIC and 2 IPs, with the following config:
>
> [...]
>
> 2nd) IP 10.0.0.2 with old config (TLS 1.0 through 1.3 enabled):
>
> server {
>     listen 10.0.0.2:443 ssl http2;
>     server_name insecure.example.com;
>
> [...]
>
> Why can't I connect with TLS 1.0 or 1.1 on insecure.example.com?
>
> Is this an OpenSSL 3 issue? Does it work with OpenSSL 1.1.1?
>
> I have separated the "ssl_protocols" by IP and there are no other
> "ssl_protocols" directives configured outside of the server{} block.
>
> Thanks.

The HTTP/2 spec says TLS 1.2 when using secure sockets. See https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-http2-17#section-9.2 .

Jeff

From fusca14 at gmail.com Thu Aug 25 00:16:51 2022
From: fusca14 at gmail.com (Fabiano Furtado Pessoa Coelho)
Date: Wed, 24 Aug 2022 21:16:51 -0300
Subject: Client can't negotiate with TLS 1.0 and 1.1
In-Reply-To:
References:
Message-ID:

Hi...

same behavior! :(

secure.example.com = 10.0.0.1
insecure.example.com = 10.0.0.2

Using curl with "host" header:

$ curl -kv --tlsv1.0 --tls-max 1.1 -H 'host: insecure.example.com' https://10.0.0.2/
*   Trying 10.0.0.2:443...
* Connected to 10.0.0.2 (10.0.0.2) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * CAfile: /etc/pki/tls/certs/ca-bundle.crt * TLSv1.0 (OUT), TLS header, Certificate Status (22): * TLSv1.1 (OUT), TLS handshake, Client hello (1): * TLSv1.1 (IN), TLS header, Unknown (21): * TLSv1.1 (IN), TLS alert, internal error (592): * error:0A000438:SSL routines::tlsv1 alert internal error * Closing connection 0 curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error Using curl without "host" header: $ curl -kv --tlsv1.0 --tls-max 1.1 https://10.0.0.2/ * Trying 10.0.0.2:443... * Connected to 10.0.0.2 (10.0.0.2) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * CAfile: /etc/pki/tls/certs/ca-bundle.crt * TLSv1.0 (OUT), TLS header, Certificate Status (22): * TLSv1.1 (OUT), TLS handshake, Client hello (1): * TLSv1.1 (IN), TLS header, Unknown (21): * TLSv1.1 (IN), TLS alert, internal error (592): * error:0A000438:SSL routines::tlsv1 alert internal error * Closing connection 0 curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error On Wed, Aug 24, 2022 at 5:45 PM Maxim Dounin wrote: > > Hello! > > On Wed, Aug 24, 2022 at 05:22:10PM -0300, Fabiano Furtado Pessoa Coelho wrote: > > > I'm using NGINX 1.22.0 with OpenSSL 3.0.5 in a Linux x86_64 server > > with one NIC and 2 IPs, with the following config: [...] > What's the IP address of "insecure.example.com" in your tests? > What happens when you test with IP addresses you've configured, > 10.0.0.1 and 10.0.0.2, rather than names? > > -- > Maxim Dounin > http://mdounin.ru/ > _______________________________________________ > nginx mailing list -- nginx at nginx.org > To unsubscribe send an email to nginx-leave at nginx.org From fusca14 at gmail.com Thu Aug 25 00:34:26 2022 From: fusca14 at gmail.com (Fabiano Furtado Pessoa Coelho) Date: Wed, 24 Aug 2022 21:34:26 -0300 Subject: Client can't negotiate with TLS 1.0 and 1.1 In-Reply-To: References: Message-ID: Unfortunately, no! 
:( I've deleted all http2 references from the listen directive with 10.0.0.2 IP. On Wed, Aug 24, 2022 at 6:10 PM Jeffrey Walton wrote: > > On Wed, Aug 24, 2022 at 4:25 PM Fabiano Furtado Pessoa Coelho > wrote: [...] > > The HTTP/2 spec says TLS 1.2 when using secure sockets. See > https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-http2-17#section-9.2 > . > > Jeff > _______________________________________________ > nginx mailing list -- nginx at nginx.org > To unsubscribe send an email to nginx-leave at nginx.org From pluknet at nginx.com Thu Aug 25 15:57:57 2022 From: pluknet at nginx.com (Sergey Kandaurov) Date: Thu, 25 Aug 2022 19:57:57 +0400 Subject: Client can't negotiate with TLS 1.0 and 1.1 In-Reply-To: References: Message-ID: <64CADA22-C7CE-41A8-9E29-CC12D76BC178@nginx.com> > On 25 Aug 2022, at 00:22, Fabiano Furtado Pessoa Coelho wrote: > > Hi... > > I'm using NGINX 1.22.0 with OpenSSL 3.0.5 in a Linux x86_64 server > with one NIC and 2 IPs, with the following config: > > [...] > Why I can't connect with TLS 1.0 or 1.1 on insecure.example.com? > > Is this an OpenSSL 3 issue? Does it work with OpenSSL 1.1.1? > TLS 1.0 and 1.1 are de-facto disabled by default in OpenSSL 3.0+. See for more details: https://trac.nginx.org/nginx/ticket/2250 -- Sergey Kandaurov From fusca14 at gmail.com Thu Aug 25 16:59:39 2022 From: fusca14 at gmail.com (Fabiano Furtado Pessoa Coelho) Date: Thu, 25 Aug 2022 13:59:39 -0300 Subject: Client can't negotiate with TLS 1.0 and 1.1 In-Reply-To: <64CADA22-C7CE-41A8-9E29-CC12D76BC178@nginx.com> References: <64CADA22-C7CE-41A8-9E29-CC12D76BC178@nginx.com> Message-ID: Hi... On Thu, Aug 25, 2022 at 12:59 PM Sergey Kandaurov wrote: > > > > On 25 Aug 2022, at 00:22, Fabiano Furtado Pessoa Coelho wrote: > > > > Hi... > > > > I'm using NGINX 1.22.0 with OpenSSL 3.0.5 in a Linux x86_64 server > > with one NIC and 2 IPs, with the following config: > > > > [...] > > Why I can't connect with TLS 1.0 or 1.1 on insecure.example.com? 
> >
> > Is this an OpenSSL 3 issue? Does it work with OpenSSL 1.1.1?
> >
>
> TLS 1.0 and 1.1 are de-facto disabled by default in OpenSSL 3.0+.
> See for more details: https://trac.nginx.org/nginx/ticket/2250

Hi Sergey...

Thanks for the help, but I have tried...

"ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:@SECLEVEL=0;"

and

"ssl_ciphers DEFAULT:@SECLEVEL=0;"

but, unfortunately, I still can't connect with TLS 1.0 and 1.1. :(

Is there another "ssl_ciphers" setting I could try?

Thanks again.

Fabiano Furtado

From lukas at ltri.eu Thu Aug 25 19:30:21 2022
From: lukas at ltri.eu (Lukas Tribus)
Date: Thu, 25 Aug 2022 21:30:21 +0200
Subject: Client can't negotiate with TLS 1.0 and 1.1
In-Reply-To:
References: <64CADA22-C7CE-41A8-9E29-CC12D76BC178@nginx.com>
Message-ID:

Hello,

the *client* you are using to test this is just as important. Adjust
CipherString in /etc/ssl/openssl.cnf or the client parameters (-cipher
"DEFAULT:@SECLEVEL=0") too.
~# grep SEC /etc/ssl/openssl.cnf
CipherString = DEFAULT:@SECLEVEL=2
~#
~# openssl s_client -connect www.google.com:443 -tls1
CONNECTED(00000003)
804BDAE0FF7E0000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:../ssl/statem/statem_lib.c:104:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
~# openssl s_client -connect www.google.com:443 -tls1 -cipher "DEFAULT:@SECLEVEL=0"
CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = www.google.com
verify return:1
[...]

cheers,
lukas

From fusca14 at gmail.com Thu Aug 25 20:03:23 2022
From: fusca14 at gmail.com (Fabiano Furtado Pessoa Coelho)
Date: Thu, 25 Aug 2022 17:03:23 -0300
Subject: Client can't negotiate with TLS 1.0 and 1.1
In-Reply-To:
References: <64CADA22-C7CE-41A8-9E29-CC12D76BC178@nginx.com>
Message-ID:

WOW! It worked!!! THANKS!!!

I configured my NGINX with "ssl_ciphers ...:@SECLEVEL=0;".

Thank you!!!! Thank you!!!

On Thu, Aug 25, 2022 at 4:31 PM Lukas Tribus wrote:
>
> Hello,
>
>
> the *client* you are using to test this is just as important. Adjust
> CipherString in /etc/ssl/openssl.cnf or the client parameters (-cipher
> "DEFAULT:@SECLEVEL=0") too.
>
> ~# grep SEC /etc/ssl/openssl.cnf
> CipherString = DEFAULT:@SECLEVEL=2
> ~#
> ~# openssl s_client -connect www.google.com:443 -tls1
> CONNECTED(00000003)
> 804BDAE0FF7E0000:error:0A0000BF:SSL routines:tls_setup_handshake:no
> protocols available:../ssl/statem/statem_lib.c:104:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 7 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 0 (ok)
> ---
> ~# openssl s_client -connect www.google.com:443 -tls1 -cipher
> "DEFAULT:@SECLEVEL=0"
> CONNECTED(00000003)
> depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
> verify return:1
> depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
> verify return:1
> depth=0 CN = www.google.com
> verify return:1
> [...]
>
>
>
> cheers,
> lukas

From maxim at nginx.com Tue Aug 30 17:24:13 2022
From: maxim at nginx.com (Maxim Konovalov)
Date: Tue, 30 Aug 2022 10:24:13 -0700
Subject: nginx 2022 survey (Was: nginx brand survey, we are looking for your feedback)
In-Reply-To:
References:
Message-ID: <8a8ff342-b386-df11-2adb-61e4ddd0553f@nginx.com>

Hi,

We've just launched our annual nginx survey and welcome you to share
your feedback:

https://survey.developernation.net/name/nis1

Thanks,

Maxim

On 10.09.2021 02:42, Maxim Konovalov wrote:
> Hi everyone,
>
> This is just a reminder that our marketing team is looking for your
> participation in the nginx community survey:
>
> https://survey.f5.com/v1/sites/nginx/SurveyResponse?at=1I0025DXE6KKG8JCV1KHEZ8U6WNP8QI5ONSB
>
> We'll be grateful for your participation.
>
> Thanks,
>
> Maxim
>
> On 24.08.2021 14:43, Maxim Konovalov wrote:
>> Hi,
>>
>> On behalf of our marketing team I'd like to invite you, NGINX community
>> members, users and developers, to participate in the NGINX Annual
>> Community Survey.
>>
>> There are 20 questions there. It will take around 10 minutes of your
>> valuable time to fill it:
>>
>> The NGINX Annual Community Survey is open, and we would like to hear
>> from you. Over the past seven years, you've helped us improve our
>> solutions and evolve our product roadmap.
>>
>> Please continue to share your experiences and ideas with us — we value
>> your feedback.
>>
>> The anonymous survey is here:
>>
>> https://survey.f5.com/v1/sites/nginx/SurveyResponse?at=1I0025DXE6KKG8JCV1KHEZ8U6WNP8QI5ONSB
>>
>>
>> Upon completion, you will receive an exclusive 90% discount code for the
>> NGINX swag store.
>>
>> Thank you for helping shape the future of NGINX.
>>
>> Regards,
>> NGINX team
>>
>

--
Maxim Konovalov

From droidbittin at gmail.com Tue Aug 30 17:34:19 2022
From: droidbittin at gmail.com (Luna Jernberg)
Date: Tue, 30 Aug 2022 19:34:19 +0200
Subject: nginx 2022 survey (Was: nginx brand survey, we are looking for your feedback)
In-Reply-To: <8a8ff342-b386-df11-2adb-61e4ddd0553f@nginx.com>
References: <8a8ff342-b386-df11-2adb-61e4ddd0553f@nginx.com>
Message-ID:

Answered it during the Nginx Sprint :)

On 8/30/22, Maxim Konovalov wrote:
> Hi,
>
> We've just launched our annual nginx survey and welcome you to share
> your feedback:
>
> https://survey.developernation.net/name/nis1
>
> Thanks,
>
> Maxim
>
>
> On 10.09.2021 02:42, Maxim Konovalov wrote:
>> Hi everyone,
>>
>> This is just a reminder that our marketing team is looking for your
>> participation in the nginx community survey:
>>
>> https://survey.f5.com/v1/sites/nginx/SurveyResponse?at=1I0025DXE6KKG8JCV1KHEZ8U6WNP8QI5ONSB
>>
>> We'll be grateful for your participation.
>>
>> Thanks,
>>
>> Maxim
>>
>> On 24.08.2021 14:43, Maxim Konovalov wrote:
>>> Hi,
>>>
>>> On behalf of our marketing team I'd like to invite you, NGINX community
>>> members, users and developers, to participate in the NGINX Annual
>>> Community Survey.
>>>
>>> There are 20 questions there. It will take around 10 minutes of your
>>> valuable time to fill it:
>>>
>>> The NGINX Annual Community Survey is open, and we would like to hear
>>> from you. Over the past seven years, you've helped us improve our
>>> solutions and evolve our product roadmap.
>>>
>>> Please continue to share your experiences and ideas with us — we value
>>> your feedback.
>>>
>>> The anonymous survey is here:
>>>
>>> https://survey.f5.com/v1/sites/nginx/SurveyResponse?at=1I0025DXE6KKG8JCV1KHEZ8U6WNP8QI5ONSB
>>>
>>>
>>> Upon completion, you will receive an exclusive 90% discount code for the
>>> NGINX swag store.
>>>
>>> Thank you for helping shape the future of NGINX.
>>>
>>> Regards,
>>> NGINX team
>>>
>>
>>
>
>
> --
> Maxim Konovalov

From xeioex at nginx.com Tue Aug 30 23:00:50 2022
From: xeioex at nginx.com (Dmitry Volyntsev)
Date: Tue, 30 Aug 2022 16:00:50 -0700
Subject: njs-0.7.7
Message-ID:

Hello,

I'm glad to announce a new release of NGINX JavaScript module (njs).

Notable new features:

- advanced fs API: the new API allows opening a file and reading from
  and writing to it at a specified location without reading the whole
  file.
import fs from 'fs';

async function modifying_large_file() {
    // 'r+' opens the file read-write; the default 'r' would make the write below fail
    let fh = await fs.promises.open('/my/path', 'r+');
    let buf = Buffer.alloc(4);

    // read 4 bytes at offset 64 without reading the rest of the file
    await fh.read(buf, 0, 4, 64);
    console.log(`read ${buf.toString('hex')}`);

    // modify part
    buf[0] = buf[0] ^ buf[3];

    // write the 4 modified bytes back at the same offset
    await fh.write(buf, 0, 4, 64);
    console.log(`written ${buf.toString('hex')}`);

    await fh.close();
}

Learn more about njs:

- Overview and introduction: https://nginx.org/en/docs/njs/
- NGINX JavaScript in Your Web Server Configuration: https://youtu.be/Jc_L6UffFOs
- Extending NGINX with Custom Code: https://youtu.be/0CVhq4AUU7M
- Using node modules with njs: https://nginx.org/en/docs/njs/node_modules.html
- Writing njs code using TypeScript definition files: https://nginx.org/en/docs/njs/typescript.html

Feel free to try it and give us feedback on:

- Github: https://github.com/nginx/njs/issues
- Mailing list: https://mailman.nginx.org/mailman/listinfo/nginx-devel

Additional examples and howtos can be found here:

- Github: https://github.com/nginx/njs-examples

Changes with njs 0.7.7                                       30 Aug 2022

    nginx modules:

    *) Feature: the number of nginx configuration contexts where js
       directives can be specified is extended.
       HTTP: js_import, js_path, js_set and js_var are allowed in server
       and location contexts.
       js_content, js_body_filter and js_header_filter are allowed in
       'if' context.
       Stream: js_import, js_path, js_set and js_var are allowed in
       server context.

    *) Feature: added r.internal property.

    *) Bugfix: fixed reading response body in fetch API.

    *) Bugfix: fixed "js_fetch_timeout" in stream module.

    *) Bugfix: fixed socket leak with 0 fetch timeout.

    Core:

    *) Feature: extended "fs" module. Added fs.openSync(),
       fs.promises.open(), fs.fstatSync(), fs.readSync(),
       fs.writeSync(). The following properties of FileHandle are
       implemented: fd, read(), stat(), write(), close().

    *) Bugfix: fixed parseInt(), parseFloat(), Symbol.for() with no
       arguments.
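Returning to the "Client can't negotiate with TLS 1.0 and 1.1" thread above: its transcripts carry three failure signatures that are easy to confuse, and telling them apart is also the check you want when verifying that legacy TLS has really been switched off. As an added example (not code from any of the posters), here is a Python helper that triages captured openssl s_client or curl output into "the server rejected that version", "my own client refused to offer it" and "the server accepted the hello but failed", and lists which legacy versions a server still completes; the sample transcripts are constructed from the outputs quoted in the thread.

```python
"""Triage of openssl s_client / curl transcripts from a legacy-TLS check.

Added example for the "Client can't negotiate with TLS 1.0 and 1.1" thread;
not code from any poster.  The three failure strings come from the outputs
quoted in that thread; the sample transcripts below are constructed.
"""
import re
from typing import Iterable, List, NamedTuple


class Verdict(NamedTuple):
    status: str   # "ok", "server_rejected_version", "client_refused", "server_internal_error", "unknown"
    version: str  # TLS version the client asked for, or "unknown"
    where: str    # "client" or "server": the side that refused; "-" when the handshake completed


# Failure signatures, checked in order; each names the side that refused.
_SIGNATURES = (
    # protocol_version alert (SSL alert number 70): the server does not offer that version
    ("tlsv1 alert protocol version", "server_rejected_version", "server"),
    # the client's own OpenSSL would not even offer it (its CipherString SECLEVEL is too high)
    ("no protocols available", "client_refused", "client"),
    # the server took the ClientHello but failed on its side; on this page that was
    # OpenSSL 3's default security level on the nginx host
    ("tlsv1 alert internal error", "server_internal_error", "server"),
)

# Version requested on the command line, for s_client and curl flags.
_FLAG_TO_VERSION = {
    "-tls1": "TLSv1", "-tls1_1": "TLSv1.1", "-tls1_2": "TLSv1.2", "-tls1_3": "TLSv1.3",
    "--tlsv1.0": "TLSv1", "--tlsv1.1": "TLSv1.1", "--tlsv1.2": "TLSv1.2", "--tlsv1.3": "TLSv1.3",
}
_SESSION_PROTO_RE = re.compile(r"Protocol\s*:\s*(TLSv1(?:\.[123])?)")
# A negotiated cipher, curl's "SSL connection using", or a verified chain all mean the handshake went through.
_SUCCESS_RE = re.compile(r"Cipher is (?!\(NONE\))\S+|SSL connection using|^verify return:1", re.M)


def tried_version(transcript: str) -> str:
    """Recover the version the client asked for, from its flags or the SSL-Session block."""
    for token in transcript.split():
        if token in _FLAG_TO_VERSION:
            return _FLAG_TO_VERSION[token]
    m = _SESSION_PROTO_RE.search(transcript)
    return m.group(1) if m else "unknown"


def classify(transcript: str) -> Verdict:
    """Classify one captured probe; failure signatures take precedence over success markers."""
    version = tried_version(transcript)
    for needle, status, where in _SIGNATURES:
        if needle in transcript:
            return Verdict(status, version, where)
    if _SUCCESS_RE.search(transcript):
        return Verdict("ok", version, "-")
    return Verdict("unknown", version, "-")


def legacy_versions_accepted(transcripts: Iterable[str]) -> List[str]:
    """Legacy versions (TLSv1, TLSv1.1) for which some probe completed a handshake.
    An empty list is what you want to see after decommissioning them."""
    return sorted({v.version for v in map(classify, transcripts)
                   if v.status == "ok" and v.version in ("TLSv1", "TLSv1.1")})


# Constructed sample transcripts, trimmed from the outputs quoted in the thread.
S_CLIENT_TLS10_REJECTED = """$ openssl s_client -connect insecure.example.com:443 -tls1
CONNECTED(00000003)
00FCC7F5507F0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1584:SSL alert number 70
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
"""
CURL_TLS1X_INTERNAL_ERROR = """$ curl -kv --tlsv1.0 --tls-max 1.1 https://10.0.0.2/
* TLSv1.1 (OUT), TLS handshake, Client hello (1):
* TLSv1.1 (IN), TLS alert, internal error (592):
* error:0A000438:SSL routines::tlsv1 alert internal error
curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error
"""
S_CLIENT_CLIENT_REFUSED = """~# openssl s_client -connect www.google.com:443 -tls1
CONNECTED(00000003)
804BDAE0FF7E0000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:../ssl/statem/statem_lib.c:104:
New, (NONE), Cipher is (NONE)
"""
S_CLIENT_OK = """~# openssl s_client -connect www.google.com:443 -tls1 -cipher "DEFAULT:@SECLEVEL=0"
CONNECTED(00000003)
depth=0 CN = www.google.com
verify return:1
"""

if __name__ == "__main__":
    for sample in (S_CLIENT_TLS10_REJECTED, CURL_TLS1X_INTERNAL_ERROR, S_CLIENT_CLIENT_REFUSED, S_CLIENT_OK):
        print(classify(sample))
    print("legacy versions still accepted:", legacy_versions_accepted([S_CLIENT_TLS10_REJECTED, S_CLIENT_OK]))
```

Feed it one transcript per probed version (for s_client, add -cipher "DEFAULT:@SECLEVEL=0" as Lukas shows, or a "client_refused" verdict tells you only about your own client).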
From nginx-forum at forum.nginx.org Wed Aug 31 15:16:23 2022
From: nginx-forum at forum.nginx.org (LewisMM)
Date: Wed, 31 Aug 2022 11:16:23 -0400
Subject: Securing URLs with Secure Link + HLS
Message-ID:

Hi,

I've been following this resource:
https://www.nginx.com/blog/securing-urls-secure-link-module-nginx-plus/

On that page, the final section "Securing Segment Files with an Expiration
Date". It does not work.

map $uri $file_name {
    default none;
    "~*/s/(?<name>.*).m3u8" $name;
    "~*/s/(?<name>.*).ts" $name;
}

server {
    listen 80;
    server_name secure-link-demo;

    location /s {
        root /opt;
        secure_link $arg_md5,$arg_expires;
        secure_link_md5 "$secure_link_expires$file_name$http_user_agent enigma";

        if ($secure_link = "") {
            return 403;
        }

        if ($secure_link = "0") {
            return 410;
        }
    }
}

This works with the .M3U8 playlist file. It successfully secures it.
However, when the playlist tries to load the segment (.ts) files, I get a
403 error. Nginx is not passing the MD5 hash to the segment files.

Does anyone know how to fix this?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,295058,295058#msg-295058

From francis at daoine.org Wed Aug 31 21:23:31 2022
From: francis at daoine.org (Francis Daly)
Date: Wed, 31 Aug 2022 22:23:31 +0100
Subject: Securing URLs with Secure Link + HLS
In-Reply-To:
References:
Message-ID: <20220831212331.GW14648@daoine.org>

On Wed, Aug 31, 2022 at 11:16:23AM -0400, LewisMM wrote:

Hi there,

> I've been following this resource:
> https://www.nginx.com/blog/securing-urls-secure-link-module-nginx-plus/

> This works with the .M3U8 playlist file. It successfully secures it.
> However, when the playlist tries to load the segment (.ts) files, I get a
> 403 error. Nginx is not passing the MD5 hash to the segment files.

What request do you make to nginx? (That might be in the nginx access log,
or error log.)

What file on the filesystem do you want nginx to send you, instead of the
403 response?
Cheers,

f
--
Francis Daly        francis at daoine.org

From nginx-forum at forum.nginx.org Wed Aug 31 21:42:27 2022
From: nginx-forum at forum.nginx.org (LewisMM)
Date: Wed, 31 Aug 2022 17:42:27 -0400
Subject: Securing URLs with Secure Link + HLS
In-Reply-To: <20220831212331.GW14648@daoine.org>
References: <20220831212331.GW14648@daoine.org>
Message-ID: <99d30ea2c0a6fc45582921206f165ab4.NginxMailingListEnglish@forum.nginx.org>

Hi,

I make a request with the .m3u8 file with the MD5 hash and expiration. It
receives a 200 code. Then the m3u8 playlist file tries to load the first
segment in the playlist; however, I receive a 403 "Not Authorised" error.
Nginx isn't passing the MD5 hash and expiration to the segment file.

Like so:

http://0.0.0.0:80/video/hls/bunny.m3u8?md5=cAsEEb6J96haWy3CMOSgDg&expires=1672531140

200. Then it tries to load the segment (which is correct):

http://0.0.0.0/video/hls/bunny.ts

403, forbidden.

It's not passing the hash. It should be 200.

I hope you understand my problem.

Thanks.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,295058,295065#msg-295065

From paulo at cole.tec.br Wed Aug 31 21:48:57 2022
From: paulo at cole.tec.br (Paulo Paracatu)
Date: Wed, 31 Aug 2022 18:48:57 -0300
Subject: Securing URLs with Secure Link + HLS
In-Reply-To: <99d30ea2c0a6fc45582921206f165ab4.NginxMailingListEnglish@forum.nginx.org>
References: <20220831212331.GW14648@daoine.org> <99d30ea2c0a6fc45582921206f165ab4.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

Hi there,

As far as I know, you need to modify your m3u8 files to include the *hash*
and *expire* on every .ts segment. I used to stream HLS using the secure
link module and I remember needing to rewrite the files on-the-fly to make
them include those.

Nginx will not automatically generate an m3u8 file with all the hashes for
you. Unless things changed in the last few years and I'm outdated now, haha.
On Wed, Aug 31, 2022 at 6:43 PM LewisMM wrote:

> Hi,
>
> I make a request with the .m3u8 file with the MD5 hash and expiration. It
> receives a 200 code. Then the m3u8 playlist file tries to load the first
> segment in the playlist; however, I receive a 403 "Not Authorised" error.
> Nginx isn't passing the MD5 hash and expiration to the segment file.
>
> Like so:
>
> http://0.0.0.0:80/video/hls/bunny.m3u8?md5=cAsEEb6J96haWy3CMOSgDg&expires=1672531140
>
> 200. Then it tries to load the segment (which is correct):
>
> http://0.0.0.0/video/hls/bunny.ts
>
> 403, forbidden.
>
> It's not passing the hash. It should be 200.
>
> I hope you understand my problem.
>
> Thanks.
>
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?2,295058,295065#msg-295065

From nginx-forum at forum.nginx.org Wed Aug 31 22:06:09 2022
From: nginx-forum at forum.nginx.org (biscotty)
Date: Wed, 31 Aug 2022 18:06:09 -0400
Subject: nginx not listening on port 443
Message-ID: <38be34323579a3f91abf8413aa28a6b9.NginxMailingListEnglish@forum.nginx.org>

On Fedora 36 nginx runs fine and I can access it on localhost and the LAN.
However, I'm having trouble enabling ssl. When I try with https I get
ERR_CONNECTION_REFUSED. The nginx error log reports no error. I'd really
appreciate some help because I've been working at this all day.
This is my nginx.conf:

```
user nginx;
worker_processes 1;

error_log logs/error.log;
error_log logs/error.log notice;
error_log logs/error.log info;

pid logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log logs/access.log main;

    sendfile on;
    keepalive_timeout 65;

    server {
        listen 80;
        server_name localhost;

        access_log logs/host.access.log main;

        location / {
            root html;
            index index.html index.htm;
        }

        error_page 404 /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
```

and this is my conf.d/ssl.conf

```
NGINX_SSL=true

server {
    listen: 80;
    listen [::]:80;
    server_name biscotty.dev;
    return 301 https://$host$request_uri;
}

server {
    listen 443 http2 ssl default_server;
    listen [::]:443 http2 ssl default_server;
    server_name biscotty.dev;

    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    root /usr/share/nginx/html;

    location / {
    }

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
```

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,295067,295067#msg-295067

From nginx-forum at forum.nginx.org Wed Aug 31 22:13:41 2022
From: nginx-forum at forum.nginx.org (LewisMM)
Date: Wed, 31 Aug 2022 18:13:41 -0400
Subject: Securing URLs with Secure Link + HLS
In-Reply-To:
References:
Message-ID:

Hi Paulo,

Very confused by the wording in the link I posted (my first post in this
thread):

"Here's another example of a secured URL with expiration date, used to
protect both the playlist for a media asset and the segment files."
Which implies it is in fact possible, but alas the code does not work. I've
been pulling my hair out trying to solve this issue but no one seems to know
the answer. I think I might have to use my backend to serve the videos
instead of Nginx - I just figured Nginx would have much better performance.

Thanks for your response.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,295058,295068#msg-295068

From francis at daoine.org Wed Aug 31 22:18:47 2022
From: francis at daoine.org (Francis Daly)
Date: Wed, 31 Aug 2022 23:18:47 +0100
Subject: Securing URLs with Secure Link + HLS
In-Reply-To: <99d30ea2c0a6fc45582921206f165ab4.NginxMailingListEnglish@forum.nginx.org>
References: <20220831212331.GW14648@daoine.org> <99d30ea2c0a6fc45582921206f165ab4.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20220831221847.GX14648@daoine.org>

On Wed, Aug 31, 2022 at 05:42:27PM -0400, LewisMM wrote:

Hi there,

> I make a request with the .m3u8 file with the MD5 hash and expiration. It
> receives a 200 code. Then the m3u8 playlist file tries to load the first
> segment in the playlist; however, I receive a 403 "Not Authorised" error.
> Nginx isn't passing the MD5 hash and expiration to the segment file.

The client is not including the MD5 hash and expiration in its second
request, because nothing told the client to include it. And nginx is
configured not to allow requests without MD5 hash and expiration.

So the system is acting as it is configured to do. Just not as you would
like it to.

> I hope you understand my problem.

I think that you may have the same misunderstanding of how secure_link and
m3u8/ts files should work together, as was displayed initially in the
(long-ish) thread at https://forum.nginx.org/read.php?2,284473,284473

If you read through that entire thread, maybe the various design
possibilities will become clear. (Don't worry about the S3 part; it is only
the secure_link that is relevant here.)
Basically, you have to decide why you are using secure_link, and whether you
want that to happen just for the m3u8 file, or also for the ts files.

And if you decide "yes" for the ts files, then you need to ensure that the
client knows to include the information in the request that it sends to
nginx -- either by you changing the m3u8 file so that each link has the
information needed; or by you changing your url layout so that the simple
m3u8 file "just works".

Cheers,

f
--
Francis Daly        francis at daoine.org

From francis at daoine.org Wed Aug 31 22:35:51 2022
From: francis at daoine.org (Francis Daly)
Date: Wed, 31 Aug 2022 23:35:51 +0100
Subject: nginx not listening on port 443
In-Reply-To: <38be34323579a3f91abf8413aa28a6b9.NginxMailingListEnglish@forum.nginx.org>
References: <38be34323579a3f91abf8413aa28a6b9.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20220831223551.GY14648@daoine.org>

On Wed, Aug 31, 2022 at 06:06:09PM -0400, biscotty wrote:

Hi there,

> http {
>     include mime.types;
...
>     server {
>         listen 80;
...
>     }
> }

That file does not "include" any files other than mime.types.

It looks like you want it to "include conf.d/*.conf" somewhere, or something
like that?

$ sudo /usr/sbin/nginx -T | grep '^# conf'

should show you which configuration files are actually read; if the ones
that you want / expect are not listed there, you'll want to change the
config to include them.

Cheers,

f
--
Francis Daly        francis at daoine.org
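For the "Securing URLs with Secure Link + HLS" thread above, which Francis Daly closes by saying the m3u8 must carry the information for each segment, here is an added example, not code from the posters or from the nginx blog post they cite: a Python signer and checker that mirrors the posted secure_link_md5 expression and rewrites a constructed playlist so each segment URI carries its own md5 and expires pair. The secret "enigma", the map's capture and the User-Agent being part of the hash come from the posted config; the player User-Agent is an assumed value.

```python
"""Secure-link signing for HLS, as the thread above concludes it has to be done.

Added example for the "Securing URLs with Secure Link + HLS" thread; not code
from the posters or from the nginx blog post they cite.  It mirrors what the
posted config makes nginx evaluate:

    secure_link     $arg_md5,$arg_expires;
    secure_link_md5 "$secure_link_expires$file_name$http_user_agent enigma";

and rewrites a playlist so every segment carries its own md5/expires pair,
because the player never copies the playlist's query string onto segments.
"""
import base64
import hashlib
import hmac
import re
import time
from typing import List, Optional

SECRET = "enigma"  # the literal at the end of secure_link_md5 in the posted config

# Same capture as the posted map block (anchored and dot-escaped here): name without extension.
_FILE_NAME_RE = re.compile(r"/s/(?P<name>.*)\.(?:m3u8|ts)$", re.IGNORECASE)


def file_name_for(uri: str) -> str:
    """Mirror of the posted map: $file_name is the capture under /s/, else "none"."""
    m = _FILE_NAME_RE.search(uri)
    return m.group("name") if m else "none"


def secure_link_md5(expires: int, uri: str, user_agent: str, secret: str = SECRET) -> str:
    """What nginx compares $arg_md5 against: MD5 of the expression, base64url, padding stripped."""
    expr = f"{expires}{file_name_for(uri)}{user_agent} {secret}"
    digest = hashlib.md5(expr.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign(uri: str, user_agent: str, ttl: int, now: Optional[int] = None) -> str:
    """Return uri?md5=...&expires=... valid for ttl seconds from now."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    return f"{uri}?md5={secure_link_md5(expires, uri, user_agent)}&expires={expires}"


def check(uri: str, md5: str, expires: str, user_agent: str, now: Optional[int] = None) -> int:
    """HTTP status the posted location /s would answer: 200, 403 (bad or missing hash) or 410 (expired)."""
    now = int(time.time()) if now is None else now
    try:
        exp = int(expires)
    except (TypeError, ValueError):
        return 403  # unusable expires: $secure_link is ""
    expected = secure_link_md5(exp, uri, user_agent)
    if not hmac.compare_digest(md5.encode(), expected.encode()):
        return 403  # hash mismatch: $secure_link is ""
    if exp < now:
        return 410  # expired: $secure_link is "0"
    return 200


def sign_playlist(playlist: str, playlist_uri: str, user_agent: str, ttl: int,
                  now: Optional[int] = None) -> str:
    """Rewrite segment lines (anything not starting with '#') into signed absolute URIs."""
    base = playlist_uri.rsplit("/", 1)[0]
    out = []
    for line in playlist.splitlines():
        if line and not line.startswith("#"):
            uri = line if line.startswith("/") else f"{base}/{line}"
            line = sign(uri, user_agent, ttl, now)
        out.append(line)
    return "\n".join(out) + "\n"


def verify_playlist(signed_playlist: str, user_agent: str, now: Optional[int] = None) -> List[int]:
    """Re-check every signed segment the way nginx would; one status per segment."""
    statuses = []
    for line in signed_playlist.splitlines():
        if line and not line.startswith("#"):
            uri, _, query = line.partition("?")
            params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
            statuses.append(check(uri, params.get("md5", ""), params.get("expires", ""), user_agent, now))
    return statuses


# Constructed sample playlist, as served at /s/bunny.m3u8 by the posted config.
PLAYLIST = """#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:10
#EXTINF:10.0,
bunny0.ts
#EXTINF:10.0,
bunny1.ts
#EXT-X-ENDLIST
"""

if __name__ == "__main__":
    ua = "ExamplePlayer/1.0"  # assumed; must be the exact User-Agent the player sends
    signed = sign_playlist(PLAYLIST, "/s/bunny.m3u8", ua, ttl=3600)
    print(signed)
    print(verify_playlist(signed, ua))
```

Because $http_user_agent is part of the hashed expression, the signer must see the same User-Agent the player will send; a different one yields 403 on every segment.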