From Nitsan.Matsliah at cellebrite.com Tue Mar 1 09:26:23 2022
From: Nitsan.Matsliah at cellebrite.com (Nitsan Matsliah)
Date: Tue, 1 Mar 2022 09:26:23 +0000
Subject: Upstream certificate validation - Servers in a server group
Message-ID:

Assuming I have 2 servers in an upstream server group:

1. Test1.server.local
2. Test2.server.local

Each one of these servers holds its own FQDN in its respective certificate.
Test1.server.local will have test1.server.local as its subject and subject alternative name in the certificate it serves.
Test2.server.local will have test2.server.local as its subject and subject alternative name in the certificate it serves.

Now, let's assume that the name of the upstream group or proxy_ssl_name is Test.server.local: nginx will compare the subject name from each certificate (either test1.server.local or test2.server.local) to the upstream group name, test.server.local, and would complain about a mismatch.
Unless test.server.local is added to each upstream server certificate this issue will persist.

Is there any way around this, using maybe nginx plus or any other alternative?

Thanks

From mdounin at mdounin.ru Tue Mar 1 14:05:17 2022
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 1 Mar 2022 17:05:17 +0300
Subject: Upstream certificate validation - Servers in a server group
In-Reply-To:
References:
Message-ID:

Hello!

On Tue, Mar 01, 2022 at 09:26:23AM +0000, Nitsan Matsliah via nginx wrote:

> Assuming I have 2 servers in an upstream server group:
>
> 1. Test1.server.local
> 2. Test2.server.local
>
> Each one of these servers holds its own FQDN in its respective certificate.
> Test1.server.local will have test1.server.local as its subject and subject alternative name in the certificate it serves.
> Test2.server.local will have test2.server.local as its subject and subject alternative name in the certificate it serves.
>
> Now, let's assume that the name of the upstream group or proxy_ssl_name is Test.server.local: nginx will compare the subject name from each certificate (either test1.server.local or test2.server.local) to the upstream group name, test.server.local, and would complain about a mismatch.
> Unless test.server.local is added to each upstream server certificate this issue will persist.
>
> Is there any way around this, using maybe nginx plus or any other alternative?

That's expected behaviour: an upstream group is essentially a more sophisticated replacement for a domain name which resolves to multiple IP addresses. All servers in the upstream group are expected to be equal: to be able to answer the same requests, respond to the same SNI name (assuming proxy_ssl_server_name is used), and to return SSL certificates matching the same name.

You can use proxy_ssl_name to change the expected name, for example, if the name of the upstream group does not match the name in the certificates used. That is, if you are using "upstream test {...}" in the configuration, but servers use "test.example.com" in the certificates. But this directive cannot be used to provide different names for different servers in the upstream group. Much like you cannot use proxy_set_header to add different headers to requests sent to different servers.

The proper solution for your configuration would be to provide an appropriate (and the same) name in the certificates used by all servers in the upstream group. If for some reason you have to connect to servers which are using different names in the certificates, consider using separate upstream blocks for such servers.

--
Maxim Dounin
http://mdounin.ru/

From gk at leniwiec.biz Tue Mar 1 20:40:48 2022
From: gk at leniwiec.biz (Grzegorz Kulewski)
Date: Tue, 1 Mar 2022 21:40:48 +0100
Subject: Strange problem with expires?
Message-ID: <6ef545d5-1916-2f51-49e4-ac4af8f8dccc@leniwiec.biz>

Hello,

I am using nginx 1.21.0 to serve static files for one domain and when I have:

    location = / {
        expires epoch;
    }

expire headers are not added for / but when I remove '=' they are.

Is this some bug or just me doing something stupid?

Can anybody reproduce it too?

--
Grzegorz Kulewski

From me at davidte.ch Tue Mar 1 20:43:56 2022
From: me at davidte.ch (David Hu)
Date: Tue, 01 Mar 2022 20:43:56 +0000
Subject: Strange problem with expires?
In-Reply-To: <6ef545d5-1916-2f51-49e4-ac4af8f8dccc@leniwiec.biz>
References: <6ef545d5-1916-2f51-49e4-ac4af8f8dccc@leniwiec.biz>
Message-ID:

On 1 March 2022 20:40:48 UTC, Grzegorz Kulewski wrote:
> Hello,
>
> I am using nginx 1.21.0 to serve static files for one domain and when I have:
>
>     location = / {
>         expires epoch;
>     }
>
> expire headers are not added for / but when I remove '=' they are.
>
> Is this some bug or just me doing something stupid?
>
> Can anybody reproduce it too?
>

This is expected behaviour

From lucas at lucasrolff.com Tue Mar 1 20:48:31 2022
From: lucas at lucasrolff.com (Lucas Rolff)
Date: Tue, 1 Mar 2022 20:48:31 +0000
Subject: Strange problem with expires?
In-Reply-To: <6ef545d5-1916-2f51-49e4-ac4af8f8dccc@leniwiec.biz>
References: <6ef545d5-1916-2f51-49e4-ac4af8f8dccc@leniwiec.biz>
Message-ID:

= is for exact matches, so unless your static file is called / - it obviously won't match that exact location.
No modifier (so no =) means it's a prefix.

From gk at leniwiec.biz Tue Mar 1 20:49:44 2022
From: gk at leniwiec.biz (Grzegorz Kulewski)
Date: Tue, 1 Mar 2022 21:49:44 +0100
Subject: Strange problem with expires?
In-Reply-To:
References: <6ef545d5-1916-2f51-49e4-ac4af8f8dccc@leniwiec.biz>
Message-ID: <255cf09b-537c-2277-7d1d-53aa271a92e1@leniwiec.biz>

On 01.03.2022 at 21:43, David Hu wrote:
> On 1 March 2022 20:40:48 UTC, Grzegorz Kulewski wrote:
>> Hello,
>>
>> I am using nginx 1.21.0 to serve static files for one domain and when I have:
>>
>>     location = / {
>>         expires epoch;
>>     }
>>
>> expire headers are not added for / but when I remove '=' they are.
>>
>> Is this some bug or just me doing something stupid?
>>
>> Can anybody reproduce it too?
>>
>
> This is expected behaviour

But... why?

Is it documented somewhere? I don't see it here: http://nginx.org/en/docs/http/ngx_http_headers_module.html#expires and it seems quite normal to me to have different cache settings for the main page than for assets.

--
Grzegorz Kulewski

From gk at leniwiec.biz Tue Mar 1 20:57:25 2022
From: gk at leniwiec.biz (Grzegorz Kulewski)
Date: Tue, 1 Mar 2022 21:57:25 +0100
Subject: Strange problem with expires?
In-Reply-To: <255cf09b-537c-2277-7d1d-53aa271a92e1@leniwiec.biz>
References: <6ef545d5-1916-2f51-49e4-ac4af8f8dccc@leniwiec.biz> <255cf09b-537c-2277-7d1d-53aa271a92e1@leniwiec.biz>
Message-ID: <6d26e61d-d61c-42de-8521-bc624af854a3@leniwiec.biz>

On 01.03.2022 at 21:49, Grzegorz Kulewski wrote:
> On 01.03.2022 at 21:43, David Hu wrote:
>> On 1 March 2022 20:40:48 UTC, Grzegorz Kulewski wrote:
>>> Hello,
>>>
>>> I am using nginx 1.21.0 to serve static files for one domain and when I have:
>>>
>>>     location = / {
>>>         expires epoch;
>>>     }
>>>
>>> expire headers are not added for / but when I remove '=' they are.
>>>
>>> Is this some bug or just me doing something stupid?
>>>
>>> Can anybody reproduce it too?
>>>
>>
>> This is expected behaviour
>
> But... why?
>
> Is it documented somewhere? I don't see it here: http://nginx.org/en/docs/http/ngx_http_headers_module.html#expires and it seems quite normal to me to have different cache settings for the main page than for assets.

Ok, it works when I changed it to location = /index.html. I forgot that the index module is doing an internal rewrite and that the rules are re-checked with /index.html.

Thank you.

Maybe somebody should add a warning about that to the location docs.

--
Grzegorz Kulewski

From morgan at doveria.com Wed Mar 2 15:45:15 2022
From: morgan at doveria.com (Morgan Kisienya)
Date: Wed, 2 Mar 2022 18:45:15 +0300
Subject: Session Persistence
Message-ID:

Hi,

We are running nginx opensource with modsecurity. Nginx is a proxy server.

We are also running an application (which we proxy using nginx) that creates reports and downloads images.

We are facing an issue with nginx session persistence.

During report creation, not all images are downloaded to the report. When the page is refreshed, other images different from the initial ones are displayed.
Nginx access.log shows the following:

    GET /prod/reportImage?rnd=1661411659&image=img_0_0_5 HTTP/1.1" 500 1692

Modsecurity log shows the following:

    !doctype html>HTTP Status 500 \xe2\x80\x93 Internal Server Error
    HTTP Status 500 \xe2\x80\x93 Internal Server Error
    Type Exception Report
    Message No JasperPrint documents found on the HTTP session.
    Description The server encountered an unexpected condition that prevented it from fulfilling the request.
    Exception
    javax.servlet.ServletException: No JasperPrint documents found on the HTTP session.\x0a\x09net.sf.jasperreports.j2ee.servlets.ImageServlet.service(ImageServlet.java:95)\x0a\x09javax.servlet.http.HttpServlet.service(HttpServlet.java:742)\x0a\x09org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)\x0a\x09com.ltc.app.server.ClickjackFilter.doFilter(ClickjackFilter.java:117)\x0a\x09org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)\x0a
    Note The full stack trace of the root cause is available in the server logs.
    Apache Tomcat/8.5.41

Appreciate your help

Morgan Kisienya
Managed Security Services
PO Box 139 Wahroonga NSW 2076
Mobile: +254 733 698 394
Web: www.doveria.com
Email: morgan at doveria.com

From osa at freebsd.org.ru Wed Mar 2 15:59:42 2022
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Wed, 2 Mar 2022 18:59:42 +0300
Subject: Session Persistence
In-Reply-To:
References:
Message-ID:

Hi Morgan,

hope you're doing well.

On Wed, Mar 02, 2022 at 06:45:15PM +0300, Morgan Kisienya wrote:
> Hi,
>
> We are running nginx opensource with modsecurity. Nginx is a proxy server.
>
> We are also running an application (which we proxy using nginx) that
> creates reports and downloads images.
>
> We are facing an issue with nginx session persistence.
>
> During report creation, not all images are downloaded to the report. When
> the page is refreshed, other images different from the initial ones are
> displayed.
>
> Nginx access.log shows the following
>
> GET /prod/reportImage?rnd=1661411659&image=img_0_0_5 HTTP/1.1" 500 1692
>
> Modsecurity log shows the following

[...]

Hash-based [1] session persistence is supported by NGINX OSS; NGINX Plus supports cookie-based session persistence, including sticky cookie [2]:
https://www.nginx.com/products/nginx/load-balancing/#session-persistence

References:
[1] http://nginx.org/en/docs/http/ngx_http_upstream_module.html#hash
[2] http://nginx.org/en/docs/http/ngx_http_upstream_module.html#sticky

--
Sergey A. Osokin

From nginx-forum at forum.nginx.org Thu Mar 3 18:26:51 2022
From: nginx-forum at forum.nginx.org (blason)
Date: Thu, 03 Mar 2022 13:26:51 -0500
Subject: Getting weird issue with Nginx reverse Proxy
Message-ID: <1a90a9855528f119bb46dd823ed2579d.NginxMailingListEnglish@forum.nginx.org>

Hi Team,

My portal name is, let's say, fs.example.com and it is configured on an apache server which is then proxied to the internet using Nginx reverse proxy. However, I tried everything I was aware of and I am consistently getting the below error whenever this URL is accessed. I am running out of ideas about troubleshooting the issue and I need help on it.
Here is the Nginx config file

```
server {
    listen 443 http2 ssl;
    server_name fs.example.com;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_certificate /etc/nginx/ssls/isncert/isnwild.crt;
    ssl_certificate_key /etc/nginx/ssls/isncert/star.key;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_dhparam /etc/ssl/dhparams2048.pem;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    include /config/nginx/authelia.conf;
    access_log /var/log/nginx/fs/access.log;
    error_log /var/log/nginx/fs/error.log;

    location / {
        client_max_body_size 10m;
        #proxy_headers_hash_max_size 512;
        proxy_headers_hash_bucket_size 128;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size 256k;
        proxy_buffers 4 256k;
        proxy_buffer_size 16k;
        proxy_pass http://fs.example.com;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Referrer-Policy "no-referrer-when-downgrade";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        include /config/nginx/auth.conf;
        include /config/nginx/restconfig.conf;
    }
}
```

And here is the error:

    Bad Request
    Your browser sent a request that this server could not understand.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293780,293780#msg-293780

From nginx-forum at forum.nginx.org Thu Mar 3 18:56:33 2022
From: nginx-forum at forum.nginx.org (blason)
Date: Thu, 03 Mar 2022 13:56:33 -0500
Subject: Getting weird issue with Nginx reverse Proxy
In-Reply-To: <1a90a9855528f119bb46dd823ed2579d.NginxMailingListEnglish@forum.nginx.org>
References: <1a90a9855528f119bb46dd823ed2579d.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <523065049fe120f193c58548b4698fcd.NginxMailingListEnglish@forum.nginx.org>

Here are the debug logs, if that would help:
https://pastebin.com/K3521Cnk

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293780,293781#msg-293781

From osa at freebsd.org.ru Thu Mar 3 20:00:45 2022
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Thu, 3 Mar 2022 23:00:45 +0300
Subject: Getting weird issue with Nginx reverse Proxy
In-Reply-To: <1a90a9855528f119bb46dd823ed2579d.NginxMailingListEnglish@forum.nginx.org>
References: <1a90a9855528f119bb46dd823ed2579d.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

Hi there,

hope you're doing well these days.

On Thu, Mar 03, 2022 at 01:26:51PM -0500, blason wrote:
> Hi Team,
>
> My portal name is, let's say, fs.example.com and it is configured on an apache
> server which is then proxied to the internet using Nginx reverse proxy. However,
> I tried everything I was aware of and I am consistently getting the below error
> whenever this URL is accessed. I am running out of ideas about
> troubleshooting the issue and I need help on it.
> Here is the Nginx config file
>
> [...]
>
> And here is the error
>
> Bad Request
> Your browser sent a request that this server could not understand.

I'd recommend to run

    # nginx -T |& tee /tmp/output.log

remove/anonymise all restricted information in the /tmp/output.log file and share the configuration here.

Thank you.

--
Sergey A. Osokin

From rainer at ultra-secure.de Thu Mar 3 21:09:28 2022
From: rainer at ultra-secure.de (Rainer Duffner)
Date: Thu, 3 Mar 2022 22:09:28 +0100
Subject: Getting weird issue with Nginx reverse Proxy
In-Reply-To: <1a90a9855528f119bb46dd823ed2579d.NginxMailingListEnglish@forum.nginx.org>
References: <1a90a9855528f119bb46dd823ed2579d.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <8CDFE961-5724-4B48-973C-62BC3ED4D5FA@ultra-secure.de>

> On 03.03.2022 at 19:26, blason wrote:
>
> Hi Team,
>
> My portal name is, let's say, fs.example.com and it is configured on an apache
> server which is then proxied to the internet using Nginx reverse proxy. However

And what does the apache config look like?

From nginx-forum at forum.nginx.org Thu Mar 3 22:21:35 2022
From: nginx-forum at forum.nginx.org (aishwarya.deshmukh)
Date: Thu, 03 Mar 2022 17:21:35 -0500
Subject: Nginx access log and error log
Message-ID:

Hi

Currently the access log and error log are written with the below permission

    -rw-r-----. 1 nginx adm 268 Mar 4 03:43 error.log

However I want them to be written as -rwxr-xr-x but every time it writes the access or error logs, it writes them in a read format. I can manually change their permission but I want them to originally be written with the correct permissions.

Can you please confirm how to get this done?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293786,293786#msg-293786

From osa at freebsd.org.ru Thu Mar 3 23:37:30 2022
From: osa at freebsd.org.ru (Sergey A.
Osokin)
Date: Fri, 4 Mar 2022 02:37:30 +0300
Subject: Nginx access log and error log
In-Reply-To:
References:
Message-ID:

Hi,

On Thu, Mar 03, 2022 at 05:21:35PM -0500, aishwarya.deshmukh wrote:
> Hi
>
> Currently the access log and error log are written with the below
> permission
>
> -rw-r-----. 1 nginx adm 268 Mar 4 03:43 error.log
>
> However I want them to be written as -rwxr-xr-x but every time it writes the
> access or error logs, it writes them in a read format. I can manually change
> their permission but I want them to originally be written with the correct
> permissions.

Not sure why you want to add an execution bit to a log file, what's the case?

> Can you please confirm how to get this done?

--
Sergey A. Osokin

From nginx-forum at forum.nginx.org Fri Mar 4 03:37:59 2022
From: nginx-forum at forum.nginx.org (blason)
Date: Thu, 03 Mar 2022 22:37:59 -0500
Subject: Getting weird issue with Nginx reverse Proxy
In-Reply-To: <8CDFE961-5724-4B48-973C-62BC3ED4D5FA@ultra-secure.de>
References: <8CDFE961-5724-4B48-973C-62BC3ED4D5FA@ultra-secure.de>
Message-ID:

Here is the Apache config

```
ServerAdmin webmaster at example.com
DocumentRoot /var/www/fs/
ServerName fs.example.com
ServerAlias fs.example.com
ErrorLog /var/log/apache2/fs/error.log
CustomLog /var/log/apache2/fs/access.log combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
#SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
#CustomLog "logs/access_log" combined env=!forwarded
#CustomLog "logs/access_log" proxy env=forwarded

Options Indexes FollowSymLinks Includes ExecCGI
```

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293780,293788#msg-293788

From nginx-forum at forum.nginx.org Fri Mar 4 03:41:59 2022
From: nginx-forum at forum.nginx.org (blason)
Date: Thu, 03 Mar 2022 22:41:59 -0500
Subject: Getting weird issue with Nginx reverse Proxy
In-Reply-To:
References:
Message-ID:

```
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
load_module modules/ngx_http_modsecurity_module.so;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    types_hash_max_size 2048;
    server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    #include /etc/nginx/sites-enabled/*;

    geoip_country /usr/share/GeoIP/GeoLite2-Country.mmdb;
    map $geoip_country_code $allowed_country_isn {
        default yes;
        PK no;
        CN no;
        AF no;
        KP no;
        LY no;
        UA no;
    }
}

# configuration file /etc/nginx/modules-enabled/50-mod-http-auth-pam.conf:
load_module modules/ngx_http_auth_pam_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-dav-ext.conf:
load_module modules/ngx_http_dav_ext_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-echo.conf:
load_module modules/ngx_http_echo_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf:
load_module modules/ngx_http_geoip_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-subs-filter.conf:
load_module modules/ngx_http_subs_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-upstream-fair.conf:
load_module modules/ngx_http_upstream_fair_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-ssl-ct.conf:
load_module modules/ngx_ssl_ct_module.so;
load_module modules/ngx_http_ssl_ct_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;
# configuration file /etc/nginx/modules-enabled/70-mod-stream-geoip.conf:
load_module modules/ngx_stream_geoip_module.so;
# configuration file /etc/nginx/modules-enabled/70-mod-stream-geoip2.conf:
load_module modules/ngx_stream_geoip2_module.so;

# configuration file /etc/nginx/mime.types:
types {
    text/html html htm shtml;
    text/css css;
    text/xml xml;
    image/gif gif;
    image/jpeg jpeg jpg;
    application/javascript js;
    application/atom+xml atom;
    application/rss+xml rss;
    text/mathml mml;
    text/plain txt;
    text/vnd.sun.j2me.app-descriptor jad;
    text/vnd.wap.wml wml;
    text/x-component htc;
    image/png png;
    image/tiff tif tiff;
    image/vnd.wap.wbmp wbmp;
    image/x-icon ico;
    image/x-jng jng;
    image/x-ms-bmp bmp;
    image/svg+xml svg svgz;
    image/webp webp;
    application/font-woff woff;
    application/java-archive jar war ear;
    application/json json;
    application/mac-binhex40 hqx;
    application/msword doc;
    application/pdf pdf;
    application/postscript ps eps ai;
    application/rtf rtf;
    application/vnd.apple.mpegurl m3u8;
    application/vnd.ms-excel xls;
    application/vnd.ms-fontobject eot;
    application/vnd.ms-powerpoint ppt;
    application/vnd.wap.wmlc wmlc;
    application/vnd.google-earth.kml+xml kml;
    application/vnd.google-earth.kmz kmz;
    application/x-7z-compressed 7z;
    application/x-cocoa cco;
    application/x-java-archive-diff jardiff;
    application/x-java-jnlp-file jnlp;
    application/x-makeself run;
    application/x-perl pl pm;
    application/x-pilot prc pdb;
    application/x-rar-compressed rar;
    application/x-redhat-package-manager rpm;
    application/x-sea sea;
    application/x-shockwave-flash swf;
    application/x-stuffit sit;
    application/x-tcl tcl tk;
    application/x-x509-ca-cert der pem crt;
    application/x-xpinstall xpi;
    application/xhtml+xml xhtml;
    application/xspf+xml xspf;
    application/zip zip;
    application/octet-stream bin exe dll;
    application/octet-stream deb;
    application/octet-stream dmg;
    application/octet-stream iso img;
    application/octet-stream msi msp msm;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
    audio/midi mid midi kar;
    audio/mpeg mp3;
    audio/ogg ogg;
    audio/x-m4a m4a;
    audio/x-realaudio ra;
    video/3gpp 3gpp 3gp;
    video/mp2t ts;
    video/mp4 mp4;
    video/mpeg mpeg mpg;
    video/quicktime mov;
    video/webm webm;
    video/x-flv flv;
    video/x-m4v m4v;
    video/x-mng mng;
    video/x-ms-asf asx asf;
    video/x-ms-wmv wmv;
    video/x-msvideo avi;
}

server {
    listen 443 http2 ssl;
    server_name fs.example.com;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_certificate /etc/nginx/ssls/isncert/isnwild.crt;
    ssl_certificate_key /etc/nginx/ssls/isncert/star.key;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_dhparam /etc/ssl/dhparams2048.pem;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    include /config/nginx/authelia.conf;
    access_log /var/log/nginx/fs/access.log;
    error_log /var/log/nginx/fs/error.log ;

    location / {
        client_max_body_size 10m;
        #proxy_headers_hash_max_size 512;
        proxy_headers_hash_bucket_size 128;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size 256k;
        proxy_buffers 4 256k;
        proxy_buffer_size 16k;
        proxy_pass http://fs.example.com;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Referrer-Policy "no-referrer-when-downgrade";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        include /config/nginx/auth.conf;
        include /config/nginx/restconfig.conf;
    }
}
```

auth.conf:

```
# Basic Authelia Config
# Send a subsequent request to Authelia to verify if the user is authenticated
# and has the right permissions to access the resource.
auth_request /authelia;

# Set the `target_url` variable based on the request. It will be used to build the portal
# URL with the correct redirection parameter.
auth_request_set $target_url $scheme://$http_host$request_uri;

# Set the X-Forwarded-User and X-Forwarded-Groups with the headers
# returned by Authelia for the backends which can consume them.
# This is not safe, as the backend must make sure that they come from the
# proxy. In the future, it's gonna be safe to just use OAuth.
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Name $name;
proxy_set_header Remote-Email $email;

# If Authelia returns 401, then nginx redirects the user to the login portal.
# If it returns 200, then the request pass through to the backend.
# For other type of errors, nginx will handle them as usual.
error_page 401 =302 https://mfa.example.com/?rd=$target_url;
```

restconfig.conf:

```
client_body_buffer_size 128k;

#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;

# Basic Proxy Config
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
#proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
#proxy_buffers 64 256k;

# If behind reverse proxy, forwards the correct IP
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 192.168.0.0/16;
set_real_ip_from fc00::/7;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
```

Posted at Nginx Forum:
https://forum.nginx.org/read.php?2,293780,293789#msg-293789 From rainer at ultra-secure.de Fri Mar 4 20:00:11 2022 From: rainer at ultra-secure.de (Rainer Duffner) Date: Fri, 4 Mar 2022 21:00:11 +0100 Subject: Getting weird issue with Nginx reverse Proxy In-Reply-To: References: <8CDFE961-5724-4B48-973C-62BC3ED4D5FA@ultra-secure.de> Message-ID: > Am 04.03.2022 um 04:37 schrieb blason : > > Here is Apache config > > > ServerAdmin webmaster at example.com > DocumentRoot /var/www/fs/ > ServerName fs.example.com > ServerAlias fs.example.com > ErrorLog /var/log/apache2/fs/error.log > CustomLog /var/log/apache2/fs/access.log combined > LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" > \"%{User-Agent}i\"" proxy > #SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded > #CustomLog "logs/access_log" combined env=!forwarded > #CustomLog "logs/access_log" proxy env=forwarded > > > Options Indexes FollowSymLinks Includes ExecCGI > > > > Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293780,293788#msg-293788 > > _______________________________________________ > nginx mailing list -- nginx at nginx.org > To unsubscribe send an email to nginx-leave at nginx.org Have you done a tcpdump on port 80 to see what is actually coming through? I assume curl on port 80 works? The error messages comes from apache or NGINX? From nginx-forum at forum.nginx.org Sun Mar 6 01:45:09 2022 From: nginx-forum at forum.nginx.org (pablop) Date: Sat, 05 Mar 2022 20:45:09 -0500 Subject: =?UTF-8?Q?cache=E2=80=91slice=20with=20a=20lock?= Message-ID: <82a41682ec66bd807777018d7ba4b01e.NginxMailingListEnglish@forum.nginx.org> Hi What happens when multiple clients are accessing the same byte-range using the Cache Slice module at the same time? Will requests wait for the slice to be ready or will they bypass the proxy and get it directly from the origin? Is it possible (and needed) to combine slice with proxy_cache_lock? 
https://www.nginx.com/blog/smart-efficient-byte-range-caching-nginx/ Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293792,293792#msg-293792 From nginx-forum at forum.nginx.org Sun Mar 6 13:42:20 2022 From: nginx-forum at forum.nginx.org (blason) Date: Sun, 06 Mar 2022 08:42:20 -0500 Subject: Getting weird issue with Nginx reverse Proxy In-Reply-To: References: Message-ID: Thanks team for your help but I had to find an alternative and instead I hosted the site on Nginx server itself. Which currently is working fine. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293780,293795#msg-293795 From jongsun89 at naver.com Mon Mar 7 12:26:42 2022 From: jongsun89 at naver.com (=?utf-8?B?67Cx7KKF7ISg?=) Date: Mon, 07 Mar 2022 21:26:42 +0900 Subject: =?utf-8?B?cXVlcnkgYWJvdXQgbmdpbnggcGx1Z2luIG1vZHVsZSBmb3IgcmV2ZXJzZSBwcm94eSA=?= Message-ID: <694adc04e05ab9f6498ed066f67794@cweb018.nm.nfra.io> Hello, nginx team. I'm using nginx as reverse proxy . I'm trying to make nginx plugin module(I'm noob of this) for some purpose . I have back-server opening websocket behind nginx . client <-> nginx(reverse proxy) <-> back-server(websocket) back-server is listening 3 numbers of websocket. - websocket(A) - websocket(B) - websocket(C) I'd like to watch websocket(only A) connection status(connection fail/opened/closed) in nginx plugin module for some purpose. i can catch the request websocket 'A' connection in nginx plugin module by registering NGX_HTTP_ACCESS_PHASE handler(parse header and compare subprotocol(A) of http request). Query : Now, how can i get the websocket connection status(connection fail/opened/closed) event with the same http request context getting from NGX_HTTP_ACCESS_PHASE handler ? scenario : 1. get websocket(A) connection request in nginx plugin module . 2. catch event in nginx plugin moudle when the request failed / opened and closed . 3. when the connection is opened or closed,i do some work . 
More query: Is the context from the NGX_HTTP_ACCESS_PHASE handler valid until the websocket connection is closed? (ngx_http_foo_handler(ngx_http_request_t *r) <- context r) If not, is there another context valid from the HTTP request until the websocket connection is closed?

API & simple sample code will be very helpful. Thank you for your support

From ben at bitbrew.com Mon Mar 7 19:53:04 2022
From: ben at bitbrew.com (Ben Mills)
Date: Mon, 7 Mar 2022 19:53:04 +0000
Subject: Nginx Reverse Proxy - Stale proxy_pass URL
Message-ID:

Greetings nginx,

nginx version: nginx/1.18.0 running an AWS EC2 instance with an Amazon Linux 2 AMI.

Using this nginx.conf for reverse proxy and mutual authentication of some specialized mobile devices.

server {
    listen 443 ssl;
    server_name serviceapi.company.com;
    root /usr/share/nginx/html/....;
    index app.php app_dev.php config.php;

    location / {
        proxy_pass https://upstream;
    }

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /etc/pki/nginx/private/...crt;
    ssl_certificate_key /etc/pki/nginx/private/...key;
    ssl_client_certificate /etc/pki/nginx/private/...pem;
    ssl_verify_client on;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_verify_depth 3;
}

This works well but has one critical issue. The proxy_pass directive URL (upstream) is an endpoint in AWS Route53 defined by an API gateway that is fronted by an ELB. That is, https://upstream resolves to the IPv4 addresses of an ELB in AWS.

The issue is that nginx is only resolving this endpoint when it starts. Let's say:

dig upstream +short
1.2.3.4
1.2.3.5

As long as these two ELB IPs do not change, then device traffic gets proxied to upstream without issue.

However if the ELB resource is recreated in AWS and these IPs change:

dig upstream +short
6.7.8.9
6.7.8.10

this causes:

2022/03/04 20:57:21 [error] 18352#0: *30682 connect() failed (111: Connection refused) while connecting to upstream, client: , server: serviceapi.company.com, request: "GET //pending HTTP/1.1", upstream: "https://1.2.3.4//pending", host: ""

The nginx service has cached 1.2.3.4 at runtime and the fact that the https://upstream now resolves to different IPs has broken the proxy. Restarting the nginx service fixes the issue since it then resolves https://upstream to the new ELB IPs.

Question-1

Is there a directive to add to our nginx.conf server block that will force nginx to re-resolve its proxy_pass URL upon error? If not upon error, then perhaps at some configurable time interval?

I have my eye on proxy_cache_use_stale, but not sure if this is suited to our use case.

Question-2

The devices using this setup are specialized and testing is not easy. Is there a command line option that will allow a user with SSH access to the EC2 instance where nginx is running to verify what nginx currently has in its cache for https://upstream? (i.e. rather than having to wait for a real device to error). The access.log does not display this information, only the error.log does.

Thanks!

From osa at freebsd.org.ru Tue Mar 8 02:47:30 2022
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Tue, 8 Mar 2022 05:47:30 +0300
Subject: Nginx Reverse Proxy - Stale proxy_pass URL
In-Reply-To:
References:
Message-ID:

Hi Ben,

hope you're doing well.

On Mon, Mar 07, 2022 at 07:53:04PM +0000, Ben Mills wrote:
> Greetings nginx,
>
> nginx version: nginx/1.18.0 running an AWS EC2 instance with an Amazon Linux 2 AMI.

I'd highly recommend to update the nginx OSS to the recent stable version, 1.20.2 [1].

[...]

> The nginx service has cached 1.2.3.4 at runtime and the fact that the https://upstream
> now resolves to different IPs has broken the proxy. Restarting the nginx service
> fixes the issue since it then resolves https://upstream to the new ELB IPs.
>
> Question-1
>
> Is there a directive to add to our nginx.conf server block that will force nginx to
> re-resolve its proxy_pass URL upon error? If not upon error, then perhaps at some
> configurable time interval?

It's a bit tricky, but it's possible to use the set directive [2] to set up a variable with a backend name for dynamic resolving, i.e.:

set $backend http://dyn-backend.example.com:8080;
proxy_pass $backend;

Please note that the resolver directive [3] with a proper nameserver's IP address and a valid parameter is a requirement and needs to be defined as well.

> I have my eye on proxy_cache_use_stale, but not sure if this is suited to our use
> case.
>
> Question-2
>
> The devices using this setup are specialized and testing is not easy. Is there a
> command line option that will allow a user with SSH access to the EC2 instance
> where nginx is running to verify what nginx currently has in its cache for
> https://upstream? (i.e. rather than having to wait for a real device to error).
> The access.log does not display this information, only the error.log does.

Sure, it's possible to use the find(1) command line utility to walk through the file hierarchy of the nginx cache path; please follow the corresponding man page to get more details.

References:

[1] http://nginx.org/en/linux_packages.html#Amazon-Linux
[2] https://nginx.org/en/docs/http/ngx_http_rewrite_module.html#set
[3] https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver

--
Sergey A. Osokin

From nginx-forum at forum.nginx.org Tue Mar 8 03:39:53 2022
From: nginx-forum at forum.nginx.org (blason)
Date: Mon, 07 Mar 2022 22:39:53 -0500
Subject: Change customer Server Header without compiling it?
Message-ID:

Hi Team,

I have Ubuntu 20.04 and Nginx 1.20.1 installed from the Official Nginx repository. I already have set server_tokens to off, however I am wondering if a customer header can be added without recompiling it? With any modules or packages on Ubuntu 20.04?

TIA
Blason R

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293801,293801#msg-293801

From osa at freebsd.org.ru Tue Mar 8 03:52:36 2022
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Tue, 8 Mar 2022 06:52:36 +0300
Subject: Change customer Server Header without compiling it?
In-Reply-To:
References:
Message-ID:

Hi Blason,

On Mon, Mar 07, 2022 at 10:39:53PM -0500, blason wrote:
> Hi Team,
>
> I have Ubuntu 20.04 and Nginx 1.20.1 installed from Official Nginx
> repository. I already have made the server_tokens to off however wondering
> if customer header can be added without recompiling it? With any modules or
> packages on ubuntu 20.04?

It's possible to use the server_tokens [1] directive with the following parameters:

- on (enable, default);
- off (disable);
- build (enable build name) [2];
- string (available as a part of the commercial subscription [3]).

References:

[1] https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
[2] https://nginx.org/en/docs/configure.html#build
[3] https://nginx.com/products/

Hope that helps.

--
Sergey A. Osokin

From francis at daoine.org Tue Mar 8 08:12:52 2022
From: francis at daoine.org (Francis Daly)
Date: Tue, 8 Mar 2022 08:12:52 +0000
Subject: Nginx Reverse Proxy - Stale proxy_pass URL
In-Reply-To:
References:
Message-ID: <20220308081252.GN14624@daoine.org>

On Mon, Mar 07, 2022 at 07:53:04PM +0000, Ben Mills wrote:

Hi there,

> Question-1
>
> Is there a directive to add to our nginx.conf server block that will force nginx to re-resolve its proxy_pass URL upon error? If not upon error, then perhaps at some configurable time interval?
>

As the parallel response says: for nginx, you can use resolver (http://nginx.org/r/resolver) plus a hostname string that is not known at startup (http://nginx.org/r/proxy_pass) -- note that using a variable in proxy_pass does have some limitations which do not apply in the config that you showed.

"resolver" will re-resolve based on time -- either configured, or based on the provided TTL value. I don't know that it can be triggered on proxy_pass error.

(For information: nginx-plus does include some more options, outlined in the "upstream" module documentation; they might be interesting if the nginx application does not easily do what you want.)

> I have my eye on proxy_cache_use_stale, but not sure if this is suited to our use case.

I think "not entirely" -- that is for "this response has expired; shall I send it anyway, instead of waiting for the upstream response". It will send a response to the current request; but by itself it will never cause the upstream address to be re-resolved.

> Question-2
>
> The devices using this setup are specialized and testing is not easy. Is there a command line option that will allow a user with SSH access to the EC2 instance where nginx is running to verify what nginx currently has in its cache for https://upstream? (i.e. rather than having to wait for a real device to error). The access.log does not display this information, only the error.log does.
>

I think this is looking for "what IP address(es) does nginx currently associate with that upstream hostname". As far as I know, no, there is not a command line option to learn that.

I think I would make a request to a known "test" url, and either watch the error log, or watch the "tcpdump" output, to see what one IP address attempts to be accessed. (And maybe make more requests to see if other addresses are used as well; that does depend on the "hash" or other load-balancing/persistence configuration.)

But: if you are not using "resolver", then you know that nginx is still using whatever IP addresses it learned at startup. So "old logs" still hold useful information.

Cheers,

f
--
Francis Daly        francis at daoine.org

From nginx-forum at forum.nginx.org Tue Mar 8 14:04:40 2022
From: nginx-forum at forum.nginx.org (felipesmendes)
Date: Tue, 08 Mar 2022 09:04:40 -0500
Subject: 405 Not Allowed
Message-ID:

Hello Nginx Team,

I'm trying to use a WebDav server called sabredav (https://sabre.io/dav/install/), so I installed everything and it seems to work, but when I try to connect to this server with the WinSCP client I'm getting 405 Not allowed; in the access log comes this:

201.48.168.101 - - [08/Mar/2022:14:00:38 +0000] "OPTIONS / HTTP/1.1" 405 182 "-" "WinSCP/5.19.6 neon/0.31.2"

The documentation of sabredav says that if we get a 405 error we should follow these instructions:

Nginx

Older versions of nginx have had issues with so-called "Chunked Transfer Encoding", in particular when the client submits requests in this transfer encoding. Known clients that use this include OS X finder and Transmit. If you plan to support any of these, and you are running into issues with empty (0 byte) files ending up on the server, make sure you are running a recent version of nginx.

Nginx versions 1.3.9 or higher should work.

My version of nginx is 1.10.3 so it's higher than 1.3.9

Does someone have some idea of how to solve this?

Thank you so much for support.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293805,293805#msg-293805

From osa at freebsd.org.ru Tue Mar 8 14:23:56 2022
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Tue, 8 Mar 2022 17:23:56 +0300
Subject: 405 Not Allowed
In-Reply-To:
References:
Message-ID:

Hi,

On Tue, Mar 08, 2022 at 09:04:40AM -0500, felipesmendes wrote:
> Hello Nginx Team,
>
> I'm trying to use a WebDav server called sabredav
> (https://sabre.io/dav/install/) , so I installed everything and it seems to
> work, but when I try to connect to this server with the WinSCP client I'm getting
> 405 Not allowed, in the access log comes this:
>
> 201.48.168.101 - - [08/Mar/2022:14:00:38 +0000] "OPTIONS / HTTP/1.1" 405 182
> "-" "WinSCP/5.19.6 neon/0.31.2"
>
> The documentation of sabredav says that if we get a 405 error we should follow these
> instructions:
>
> Nginx
> Older versions of nginx have had issues with so-called "Chunked Transfer
> Encoding", in particular when the client submits requests in this transfer
> encoding.
>
> Known clients that use this include OS X finder and Transmit. If you plan to
> support any of these, and you are running into issues with empty (0 byte)
> files ending up on the server, make sure you are running a recent version of
> nginx.
>
> Nginx versions 1.3.9 or higher should work.
> My version of nginx is 1.10.3 so it's higher than 1.3.9

I'd recommend to upgrade to the recent version of nginx first: the recent stable version is 1.20.2.

Also, I'd recommend to share the nginx configuration file without any sensitive information.

--
Sergey A. Osokin

From nginx-forum at forum.nginx.org Tue Mar 8 15:18:57 2022
From: nginx-forum at forum.nginx.org (felipesmendes)
Date: Tue, 08 Mar 2022 10:18:57 -0500
Subject: 405 Not Allowed
In-Reply-To:
References:
Message-ID:

Hello Sergey,

I did what you told, updated nginx (1.16.1-0+xenial1). And here is the config of the server:

# The server directive says Nginx that this is a new server configuration
server {
    # This has to be the domain you want to use
    server_name webdav.inoprime.com.br;

    # This is the document root
    root /var/www/html/webdav/;

    # This is the file which gets loaded by default.
    # index.html gets loaded if there is no index.php
    index index.php index.html server.php;

    access_log /var/log/nginx/webdav.access.log;
    error_log /var/log/nginx/webdav.error.log error;

    #proxy_buffering on;
    #proxy_request_buffering on;

    # This configuration prevent the logger to log not found favicon
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    # Same as favicon but for robots.txt
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # This says the Nginx server to rewrite any requests which do not access a valid file to rewrite on to the index.php
    location / {
        try_files $uri $uri/ /server.php?$args;
    }

    # This gets all requests from the location above and sends them to the php-fpm socket which will execute the php
    location ~ \.php$ {
        include fastcgi.conf;
        fastcgi_intercept_errors on;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php5.6-fpm.sock;
        fastcgi_read_timeout 600;
    }

    # This says that all files with the given endings should be cached by the client
    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/webdav.inoprime.com.br/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/webdav.inoprime.com.br/privkey.pem; # managed by Certbot
    # include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = webdav.inoprime.com.br) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name webdav.inoprime.com.br;
    listen 80;
    return 404; # managed by Certbot
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293805,293807#msg-293807

From jstaylor at xmission.com Tue Mar 8 23:55:53 2022
From: jstaylor at xmission.com (Jim Taylor)
Date: Tue, 8 Mar 2022 16:55:53 -0700
Subject: newbie location error give error 403
Message-ID:

This is my server
configuration. I want to display a PDF file. If I put the PDF in /data/images, it displays correctly in my browser (Firefox). If I put the PDF in /data/documents I get error 403.

Obviously, I'm doing something stupid. Is it really impossible to have both a documents and an images directory?

Jim Taylor

server {
        listen 443 ssl;
        server_name www.jstaylor.com;
        ssl_certificate /etc/nginx/ssl/combined.crt;
        ssl_certificate_key /etc/nginx/ssl/jstaylor.key;

        location / {
                try_files $uri $uri/ =404;
                root /data/www;
                index index.html index.htm;
        }
        location /css/ {
                root /data;
        }
        location /images/ {
                root /data;
        }
        location /documents/ {
                root /data;
        }
}

From osa at freebsd.org.ru Wed Mar 9 01:44:07 2022
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Wed, 9 Mar 2022 04:44:07 +0300
Subject: newbie location error give error 403
In-Reply-To:
References:
Message-ID:

Hi Jim,

On Tue, Mar 08, 2022 at 04:55:53PM -0700, Jim Taylor wrote:
> This is my server configuration. I want to display a PDF file. If I
> put the PDF in /data/images, it displays correctly in my browser
> (Firefox). If I put the PDF in /data/documents I get error 403.
> Obviously, I'm doing something stupid. Is it really impossible to have
> both a documents and an images directory?

[...]

>
>         location /images/ {
>             root /data;
>         }
>         location /documents/ {
>             root /data;
>         }

Let's review the permissions on:

- those two directories, i.e. run

% ls -la /data/images
% ls -la /data/documents

- those two PDF files, i.e. run

% ls -la /data/images/thePDFfile.pdf
% ls -la /data/documents/thePDFfile.pdf

--
Sergey A. Osokin

From osa at freebsd.org.ru Wed Mar 9 02:36:16 2022
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Wed, 9 Mar 2022 05:36:16 +0300
Subject: 405 Not Allowed
In-Reply-To:
References:
Message-ID:

Hi,

thanks for the update.

[...]

Have you sent/tested any other request to the sabre/dav through nginx? And if so, could you share the result from the nginx logfile.

Also, let's return back to the request:

201.48.168.101 - - [08/Mar/2022:14:00:38 +0000] "OPTIONS / HTTP/1.1" 405 182 "-" "WinSCP/5.19.6 neon/0.31.2"

At first look that's the problem with the application backend, i.e. sabre/dav, but in any case is there any chance to enable the debugging log as described at https://nginx.org/en/docs/debugging_log.html, send a request once again and share the log file.

--
Sergey A. Osokin

From nginx-forum at forum.nginx.org Wed Mar 9 11:16:50 2022
From: nginx-forum at forum.nginx.org (felipesmendes)
Date: Wed, 09 Mar 2022 06:16:50 -0500
Subject: 405 Not Allowed
In-Reply-To:
References:
Message-ID: <6aed77bd24fa032e9ddd904252ff91b6.NginxMailingListEnglish@forum.nginx.org>

Hi Sergey,

Thank you for support.

I managed to solve this problem.

I added this configuration in the vhost and then it works:

dav_methods PUT DELETE MKCOL COPY MOVE;
dav_ext_methods PROPFIND OPTIONS;
create_full_put_path on;
dav_access user:rw group:rw all:rw;

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293805,293813#msg-293813

From 877509395 at qq.com Wed Mar 9 08:18:37 2022
From: 877509395 at qq.com (=?ISO-8859-1?B?aHVpbWluZw==?=)
Date: Wed, 9 Mar 2022 16:18:37 +0800
Subject: different ssl_cerficate/ssl_cerficate_key pair for different $host in same server directive
In-Reply-To:
References:
Message-ID:

Hi, Hello,

Is the configuration below valid? nginx reports:

"nginx: [emerg] "ssl_certificate" directive is not allowed here in /usr/local/nginx/clientcfg/www.waf.soptest.com.443.conf:16"

I hope for a different ssl_certificate/ssl_certificate_key pair for different $host in the same server; is it possible?

server {
        sever www
        if ( $host = "www.baidu.com" )
        {
            ssl_certificate /usr/local/nginx/cert/sdp.sopteset.com.443/sdp.sopteset.com.pem;
            ssl_certificate_key /usr/local/nginx/cert/sdp.sopteset.com.443/sdp.sopteset.com.key;
        }
        .......
}

thanks

huiming

From rainer at ultra-secure.de Wed Mar 9 18:26:00 2022
From: rainer at ultra-secure.de (Rainer Duffner)
Date: Wed, 9 Mar 2022 19:26:00 +0100
Subject: different ssl_cerficate/ssl_cerficate_key pair for different $host in same server directive
In-Reply-To:
References:
Message-ID:

> On 09.03.2022 at 09:18, huiming via nginx wrote:
>
> Hi, Hello,
>
> Is the configuration below valid? nginx reports:
> "nginx: [emerg] "ssl_certificate" directive is not allowed here in /usr/local/nginx/clientcfg/www.waf.soptest.com.443.conf:16"
>
> I hope for a different ssl_certificate/ssl_certificate_key pair for different $host in the same server; is it possible?
>

No.

Why not create two vhosts?

From osa at freebsd.org.ru Wed Mar 9 21:51:12 2022
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Thu, 10 Mar 2022 00:51:12 +0300
Subject: 405 Not Allowed
In-Reply-To: <6aed77bd24fa032e9ddd904252ff91b6.NginxMailingListEnglish@forum.nginx.org>
References: <6aed77bd24fa032e9ddd904252ff91b6.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

Hi,

thanks for the update.

On Wed, Mar 09, 2022 at 06:16:50AM -0500, felipesmendes wrote:
> Hi Sergey,
>
> Thank you for support.
>
> I managed to solve this problem.

I'm glad you solved the issue.

> I added this configuration in the vhost and then it works:
>
> dav_methods PUT DELETE MKCOL COPY MOVE;
> dav_ext_methods PROPFIND OPTIONS;
> create_full_put_path on;
> dav_access user:rw group:rw all:rw;

So, you've decided to review and change the previous application architecture by moving WebDAV functionality from the sabre/dav to nginx. What was the reason for that?

--
Sergey A.
Osokin From 877509395 at qq.com Thu Mar 10 01:36:37 2022 From: 877509395 at qq.com (=?ISO-8859-1?B?aHVpbWluZw==?=) Date: Thu, 10 Mar 2022 09:36:37 +0800 Subject: different ssl_cerficate/ssl_cerficate_key pair for different $host in same server directive In-Reply-To: References: Message-ID:     I hope a server directive includes all sites of user. The benefit of such configuration is that the limit_rate/limit_conn can take effect for the user's all sites.      Is there any other configuration to implement this requirement? ------------------ Original ------------------ From: "nginx" From nginx-forum at forum.nginx.org Thu Mar 10 11:43:18 2022 From: nginx-forum at forum.nginx.org (felipesmendes) Date: Thu, 10 Mar 2022 06:43:18 -0500 Subject: 405 Not Allowed In-Reply-To: References: Message-ID: <70493070327f6fd8584f661164e68251.NginxMailingListEnglish@forum.nginx.org> Hi Sergey, I didn't realize this because I didn't know Nginx, so now I removed those settings and went back to using saber/dav and I'll follow your advice to try to debug the 405 error. I'll be back soon with updates. 
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293805,293820#msg-293820 From nginx-forum at forum.nginx.org Thu Mar 10 11:49:16 2022 From: nginx-forum at forum.nginx.org (felipesmendes) Date: Thu, 10 Mar 2022 06:49:16 -0500 Subject: 405 Not Allowed In-Reply-To: References: Message-ID: <635e86048aa04d7105337d4a35828dae.NginxMailingListEnglish@forum.nginx.org> Here is the log of debug level on Nginx 2022/03/10 11:47:41 [debug] 28458#28458: *757 accept: 201.48.168.101:60280 fd:14 2022/03/10 11:47:41 [debug] 28458#28458: *757 event timer add: 14: 60000:59237613689 2022/03/10 11:47:41 [debug] 28458#28458: *757 reusable connection: 1 2022/03/10 11:47:41 [debug] 28458#28458: *757 epoll add event: fd:14 op:1 ev:80002001 2022/03/10 11:47:41 [debug] 28458#28458: *757 http check ssl handshake 2022/03/10 11:47:41 [debug] 28458#28458: *757 http recv(): 1 2022/03/10 11:47:41 [debug] 28458#28458: *757 https ssl handshake: 0x16 2022/03/10 11:47:41 [debug] 28458#28458: *757 tcp_nodelay 2022/03/10 11:47:41 [debug] 28458#28458: *757 SSL server name: "webdav.inoprime.com.br" 2022/03/10 11:47:41 [debug] 28458#28458: *757 SSL_do_handshake: -1 2022/03/10 11:47:41 [debug] 28458#28458: *757 SSL_get_error: 2 2022/03/10 11:47:41 [debug] 28458#28458: *757 reusable connection: 0 2022/03/10 11:47:41 [debug] 28458#28458: *757 SSL handshake handler: 0 2022/03/10 11:47:41 [debug] 28458#28458: *757 SSL_do_handshake: 1 2022/03/10 11:47:41 [debug] 28458#28458: *757 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD" 2022/03/10 11:47:41 [debug] 28458#28458: *757 reusable connection: 1 2022/03/10 11:47:41 [debug] 28458#28458: *757 http wait request handler 2022/03/10 11:47:41 [debug] 28458#28458: *757 malloc: 000055D2082CDE80:1024 2022/03/10 11:47:41 [debug] 28458#28458: *757 SSL_read: -1 2022/03/10 11:47:41 [debug] 28458#28458: *757 SSL_get_error: 2 2022/03/10 11:47:41 [debug] 28458#28458: *757 free: 000055D2082CDE80 2022/03/10 11:47:41 
[debug] 28458#28458: *757 http wait request handler 2022/03/10 11:47:41 [debug] 28458#28458: *757 malloc: 000055D2082CDE80:1024 2022/03/10 11:47:41 [debug] 28458#28458: *757 SSL_read: 153 2022/03/10 11:47:41 [debug] 28458#28458: *757 SSL_read: -1 2022/03/10 11:47:41 [debug] 28458#28458: *757 SSL_get_error: 2 2022/03/10 11:47:41 [debug] 28458#28458: *757 reusable connection: 0 2022/03/10 11:47:41 [debug] 28458#28458: *757 posix_memalign: 000055D2082EE030:4096 @16 2022/03/10 11:47:41 [debug] 28458#28458: *757 http process request line 2022/03/10 11:47:41 [debug] 28458#28458: *757 http request line: "OPTIONS /public HTTP/1.1" 2022/03/10 11:47:41 [debug] 28458#28458: *757 http uri: "/public" 2022/03/10 11:47:41 [debug] 28458#28458: *757 http args: "" 2022/03/10 11:47:41 [debug] 28458#28458: *757 http exten: "" 2022/03/10 11:47:41 [debug] 28458#28458: *757 posix_memalign: 000055D2082900D0:4096 @16 2022/03/10 11:47:41 [debug] 28458#28458: *757 http process request header line 2022/03/10 11:47:41 [debug] 28458#28458: *757 http header: "User-Agent: WinSCP/5.19.6 neon/0.31.2" 2022/03/10 11:47:41 [debug] 28458#28458: *757 http header: "Keep-Alive: " 2022/03/10 11:47:41 [debug] 28458#28458: *757 http header: "Connection: TE, Keep-Alive" 2022/03/10 11:47:41 [debug] 28458#28458: *757 http header: "TE: trailers" 2022/03/10 11:47:41 [debug] 28458#28458: *757 http header: "Host: webdav.inoprime.com.br" 2022/03/10 11:47:41 [debug] 28458#28458: *757 http header done 2022/03/10 11:47:41 [debug] 28458#28458: *757 event timer del: 14: 59237613689 2022/03/10 11:47:41 [debug] 28458#28458: *757 generic phase: 0 2022/03/10 11:47:41 [debug] 28458#28458: *757 rewrite phase: 1 2022/03/10 11:47:41 [debug] 28458#28458: *757 test location: "/" 2022/03/10 11:47:41 [debug] 28458#28458: *757 test location: "robots.txt" 2022/03/10 11:47:41 [debug] 28458#28458: *757 test location: "favicon.ico" 2022/03/10 11:47:41 [debug] 28458#28458: *757 test location: ~ "\.php$" 2022/03/10 11:47:41 [debug] 
28458#28458: *757 test location: ~ "\.(js|css|png|jpg|jpeg|gif|ico)$" 2022/03/10 11:47:41 [debug] 28458#28458: *757 using configuration "/" 2022/03/10 11:47:41 [debug] 28458#28458: *757 http cl:-1 max:1048576 2022/03/10 11:47:41 [debug] 28458#28458: *757 rewrite phase: 3 2022/03/10 11:47:41 [debug] 28458#28458: *757 post rewrite phase: 4 2022/03/10 11:47:41 [debug] 28458#28458: *757 generic phase: 5 2022/03/10 11:47:41 [debug] 28458#28458: *757 generic phase: 6 2022/03/10 11:47:41 [debug] 28458#28458: *757 generic phase: 7 2022/03/10 11:47:41 [debug] 28458#28458: *757 access phase: 8 2022/03/10 11:47:41 [debug] 28458#28458: *757 access phase: 9 2022/03/10 11:47:41 [debug] 28458#28458: *757 access phase: 10 2022/03/10 11:47:41 [debug] 28458#28458: *757 access phase: 11 2022/03/10 11:47:41 [debug] 28458#28458: *757 post access phase: 12 2022/03/10 11:47:41 [debug] 28458#28458: *757 generic phase: 13 2022/03/10 11:47:41 [debug] 28458#28458: *757 try files handler 2022/03/10 11:47:41 [debug] 28458#28458: *757 http script var: "/public" 2022/03/10 11:47:41 [debug] 28458#28458: *757 trying to use file: "/public" "/var/www/html/webdav/public" 2022/03/10 11:47:41 [debug] 28458#28458: *757 http script var: "/public" 2022/03/10 11:47:41 [debug] 28458#28458: *757 trying to use dir: "/public" "/var/www/html/webdav/public" 2022/03/10 11:47:41 [debug] 28458#28458: *757 try file uri: "/public" 2022/03/10 11:47:41 [debug] 28458#28458: *757 generic phase: 14 2022/03/10 11:47:41 [debug] 28458#28458: *757 content phase: 15 2022/03/10 11:47:41 [debug] 28458#28458: *757 content phase: 16 2022/03/10 11:47:41 [debug] 28458#28458: *757 content phase: 17 2022/03/10 11:47:41 [debug] 28458#28458: *757 content phase: 18 2022/03/10 11:47:41 [debug] 28458#28458: *757 content phase: 19 2022/03/10 11:47:41 [debug] 28458#28458: *757 content phase: 20 2022/03/10 11:47:41 [debug] 28458#28458: *757 http finalize request: 405, "/public?" 
a:1, c:1 2022/03/10 11:47:41 [debug] 28458#28458: *757 http special response: 405, "/public?" 2022/03/10 11:47:41 [debug] 28458#28458: *757 http set discard body 2022/03/10 11:47:41 [debug] 28458#28458: *757 xslt filter header 2022/03/10 11:47:41 [debug] 28458#28458: *757 HTTP/1.1 405 Not Allowed Server: nginx/1.16.1 Date: Thu, 10 Mar 2022 11:47:41 GMT Content-Type: text/html Content-Length: 157 Connection: keep-alive 2022/03/10 11:47:41 [debug] 28458#28458: *757 write new buf t:1 f:0 000055D2082EEF78, pos 000055D2082EEF78, size: 157 file: 0, size: 0 2022/03/10 11:47:41 [debug] 28458#28458: *757 http write filter: l:0 f:0 s:157 2022/03/10 11:47:41 [debug] 28458#28458: *757 http output filter "/public?" 2022/03/10 11:47:41 [debug] 28458#28458: *757 http copy filter: "/public?" 2022/03/10 11:47:41 [debug] 28458#28458: *757 image filter 2022/03/10 11:47:41 [debug] 28458#28458: *757 xslt filter body 2022/03/10 11:47:41 [debug] 28458#28458: *757 http postpone filter "/public?" 000055D2082905E8 2022/03/10 11:47:41 [debug] 28458#28458: *757 write old buf t:1 f:0 000055D2082EEF78, pos 000055D2082EEF78, size: 157 file: 0, size: 0 2022/03/10 11:47:41 [debug] 28458#28458: *757 write new buf t:0 f:0 0000000000000000, pos 000055D2077F4600, size: 104 file: 0, size: 0 2022/03/10 11:47:41 [debug] 28458#28458: *757 write new buf t:0 f:0 0000000000000000, pos 000055D2077F4DE0, size: 53 file: 0, size: 0 2022/03/10 11:47:41 [debug] 28458#28458: *757 http write filter: l:1 f:0 s:314 2022/03/10 11:47:41 [debug] 28458#28458: *757 http write filter limit 0 2022/03/10 11:47:41 [debug] 28458#28458: *757 posix_memalign: 000055D2082F4720:512 @16 2022/03/10 11:47:41 [debug] 28458#28458: *757 malloc: 000055D20834EC40:16384 2022/03/10 11:47:41 [debug] 28458#28458: *757 SSL buf copy: 157 2022/03/10 11:47:41 [debug] 28458#28458: *757 SSL buf copy: 104 2022/03/10 11:47:41 [debug] 28458#28458: *757 SSL buf copy: 53 2022/03/10 11:47:41 [debug] 28458#28458: *757 SSL to write: 314 2022/03/10 11:47:41 
[debug] 28458#28458: *757 SSL_write: 314 2022/03/10 11:47:41 [debug] 28458#28458: *757 http write filter 0000000000000000 2022/03/10 11:47:41 [debug] 28458#28458: *757 http copy filter: 0 "/public?" 2022/03/10 11:47:41 [debug] 28458#28458: *757 http finalize request: 0, "/public?" a:1, c:1 2022/03/10 11:47:41 [debug] 28458#28458: *757 set http keepalive handler 2022/03/10 11:47:41 [debug] 28458#28458: *757 http close request 2022/03/10 11:47:41 [debug] 28458#28458: *757 http log handler 2022/03/10 11:47:41 [debug] 28458#28458: *757 free: 000055D2082EE030, unused: 10 2022/03/10 11:47:41 [debug] 28458#28458: *757 free: 000055D2082900D0, unused: 2579 2022/03/10 11:47:41 [debug] 28458#28458: *757 free: 000055D2082CDE80 2022/03/10 11:47:41 [debug] 28458#28458: *757 hc free: 0000000000000000 2022/03/10 11:47:41 [debug] 28458#28458: *757 hc busy: 0000000000000000 0 2022/03/10 11:47:41 [debug] 28458#28458: *757 free: 000055D20834EC40 2022/03/10 11:47:41 [debug] 28458#28458: *757 reusable connection: 1 2022/03/10 11:47:41 [debug] 28458#28458: *757 event timer add: 14: 65000:59237619093 Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293805,293821#msg-293821 From jstaylor at xmission.com Fri Mar 11 00:47:40 2022 From: jstaylor at xmission.com (James Taylor) Date: Thu, 10 Mar 2022 17:47:40 -0700 Subject: Newbie location error gives error 404 Message-ID: <7d6c4dd0-5368-122c-97cd-ccd90b7d10a0@xmission.com> Thank you Sergey! I tried every thing I could think of, but I couldn’t think of giving the new directory the correct permissions. Thanks again! From nginx-forum at forum.nginx.org Mon Mar 14 02:52:02 2022 From: nginx-forum at forum.nginx.org (blason) Date: Sun, 13 Mar 2022 22:52:02 -0400 Subject: Change customer Server Header without compiling it? In-Reply-To: References: Message-ID: Right - And that helped a lot. 
Thanks for the quick help

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293801,293829#msg-293829

From nginx-forum at forum.nginx.org Mon Mar 14 17:55:23 2022
From: nginx-forum at forum.nginx.org (borys_85)
Date: Mon, 14 Mar 2022 13:55:23 -0400
Subject: nginx load balance TLS elasticsearch
Message-ID: <60cd7e9acc76c286cabf4694638447da.NginxMailingListEnglish@forum.nginx.org>

Hi

I'm new to nginx configuration. I've tried today to set up a load balancer for my elasticsearch service instances. I don't know what's wrong?

"/docker-entrypoint.sh: Configuration complete; ready for start up
2022/03/14 17:46:54 [emerg] 1#1: "server" directive is not allowed here in /etc/nginx/nginx.conf:42
nginx: [emerg] "server" directive is not allowed here in /etc/nginx/nginx.conf:42
"

Below you can find my configuration:

docker compose:

version: "3.3"
services:
  nginx_load_balancer:
    image: nginx
    volumes:
      - /home/elasticsearch/kickstart_elk_cluster/nginx_1.conf:/etc/nginx/nginx.conf
      - /home/elasticsearch/certificates/es_coordination_3/es_coordination_3.crt:/etc/ssl/certs/coordination_3.crt
      - /home/elasticsearch/certificates/es_coordination_3/es_coordination_3.key:/etc/ssl/certs/coordination_3.key
      - /home/elasticsearch/certificates/es_coordination_2/es_coordination_2.crt:/etc/ssl/certs/coordination_2.crt
      - /home/elasticsearch/certificates/es_coordination_2/es_coordination_2.key:/etc/ssl/certs/coordination_2.key
      - /home/elasticsearch/certificates/es_coordination_1/es_coordination_1.key:/etc/ssl/certs/coordination_1.key
      - /home/elasticsearch/certificates/es_coordination_1/es_coordination_1.key:/etc/ssl/certs/coordination_1.key
      - /home/elasticsearch/certificates/ca/ca.crt:/etc/ssl/certs/ca.crt
    ports:
      - "9200:80"
    networks:
      - kickstartelkcluster_elastic
networks:
  kickstartelkcluster_elastic:
    external: true

=========
and nginx_1.conf

more nginx_1.conf

http {
    #...
    upstream elasticsearch_servers {
        zone elasticsearch_servers 64K;
        server 10.210.12.10:9201;
        server 10.210.12.11:9238;
        server 10.210.12.12:9219;
    }

    server {
        listen 9200;
        server_name 10.210.12.10;
        #...
        location /upstream {
            proxy_pass https://elasticsearch_servers;
            proxy_ssl_certificate /etc/nginx/coordination_1.crt;
            proxy_ssl_certificate_key /etc/nginx/coordination_1.key;
            proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            proxy_ssl_ciphers HIGH:!aNULL:!MD5;
            proxy_ssl_trusted_certificate /etc/nginx/trusted_ca_cert.crt;
            proxy_ssl_verify on;
            proxy_ssl_verify_depth 2;
            proxy_ssl_session_reuse on;
        }
    }

    server {
        listen 9201 ssl;
        server_name 10.210.12.10;
        ssl_certificate /etc/ssl/certs/coordination_1.crt;
        ssl_certificate_key /etc/ssl/certs/coordination_1.key;
        ssl_client_certificate /etc/ssl/certs/ca.crt;
        ssl_verify_client optional;
        location /yourapp {
            proxy_pass http://10.210.12.10;
            #...
        }

    server {
        listen 9238 ssl;
        server_name 10.210.12.11;
        ssl_certificate /etc/ssl/certs/coordination_2.crt;
        ssl_certificate_key /etc/ssl/certs/coordination_2.key;
        ssl_client_certificate /etc/ssl/certs/ca.crt;
        ssl_verify_client optional;
        location /yourapp {
            proxy_pass http://10.210.12.10;
            #...
        }
    }

    server {
        listen 9219 ssl;
        server_name 10.210.12.12;
        ssl_certificate /etc/ssl/certs/coordination_3.crt;
        ssl_certificate_key /etc/ssl/certs/coordination_3.key;
        ssl_client_certificate /etc/ssl/certs/ca.crt;
        ssl_verify_client optional;
        location /yourapp {
            proxy_pass http://10.210.12.10;
            #...
        }
    }
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293831,293831#msg-293831

From nginx-forum at forum.nginx.org Mon Mar 14 17:58:10 2022
From: nginx-forum at forum.nginx.org (borys_85)
Date: Mon, 14 Mar 2022 13:58:10 -0400
Subject: nginx load balance TLS elasticsearch
In-Reply-To: <60cd7e9acc76c286cabf4694638447da.NginxMailingListEnglish@forum.nginx.org>
References: <60cd7e9acc76c286cabf4694638447da.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <75f1a86f7d622af39129874efc803d54.NginxMailingListEnglish@forum.nginx.org>

I was referring to https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293831,293832#msg-293832

From nginx-forum at forum.nginx.org Mon Mar 14 18:32:24 2022
From: nginx-forum at forum.nginx.org (borys_85)
Date: Mon, 14 Mar 2022 14:32:24 -0400
Subject: nginx load balance TLS elasticsearch
In-Reply-To: <75f1a86f7d622af39129874efc803d54.NginxMailingListEnglish@forum.nginx.org>
References: <60cd7e9acc76c286cabf4694638447da.NginxMailingListEnglish@forum.nginx.org> <75f1a86f7d622af39129874efc803d54.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <4f261a77dc672e76cb9470a46d7dcdbe.NginxMailingListEnglish@forum.nginx.org>

ah I found the missed "}" curly brac.....
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293831,293834#msg-293834

From francis at daoine.org Mon Mar 14 18:33:52 2022
From: francis at daoine.org (Francis Daly)
Date: Mon, 14 Mar 2022 18:33:52 +0000
Subject: nginx load balance TLS elasticsearch
In-Reply-To: <60cd7e9acc76c286cabf4694638447da.NginxMailingListEnglish@forum.nginx.org>
References: <60cd7e9acc76c286cabf4694638447da.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20220314183352.GO14624@daoine.org>

On Mon, Mar 14, 2022 at 01:55:23PM -0400, borys_85 wrote:

Hi there,

> I'm new to nginx configuration. I've tried today to set up a load balancer for
> my elasticsearch service instances
> I don't know what's wrong?
> "/docker-entrypoint.sh: Configuration complete; ready for start up
> 2022/03/14 17:46:54 [emerg] 1#1: "server" directive is not allowed here in
> /etc/nginx/nginx.conf:42
> nginx: [emerg] "server" directive is not allowed here in
> /etc/nginx/nginx.conf:42

What is line 42 of /etc/nginx/nginx.conf?

That, and the surrounding context, might indicate why "server" is not allowed there.

Cheers,

f
--
Francis Daly francis at daoine.org

From nginx-forum at forum.nginx.org Mon Mar 14 19:15:43 2022
From: nginx-forum at forum.nginx.org (borys_85)
Date: Mon, 14 Mar 2022 15:15:43 -0400
Subject: nginx load balance TLS elasticsearch
In-Reply-To: <20220314183352.GO14624@daoine.org>
References: <20220314183352.GO14624@daoine.org>
Message-ID:

Thanks, I've already found this missed curly bracket, but I'm forcing in my environment setup on nginx for Elasticsearch:
- what I have a problem with is the correct configuration to connect NGINX over TLS to my nodes

Below you can find my configuration, maybe you can point out what's wrong in this part. I'm also using a crt and key per node, so there I need to break it down into groups/locations.
Do you have some example configs with TLS?
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293831,293836#msg-293836

From nginx-forum at forum.nginx.org Mon Mar 14 19:55:38 2022
From: nginx-forum at forum.nginx.org (borys_85)
Date: Mon, 14 Mar 2022 15:55:38 -0400
Subject: nginx load balance TLS elasticsearch
In-Reply-To:
References: <20220314183352.GO14624@daoine.org>
Message-ID: <708e6cebf38132458ee41b3927884ac7.NginxMailingListEnglish@forum.nginx.org>

Should I use ssl settings for "listen 9290 ssl" in the proxy part?

server {
    listen 9290 ssl;
    server_name 10.210.12.10;
    #...
    location /upstream {
        proxy_pass https://elasticsearch_servers;
        proxy_ssl_certificate /etc/ssl/certs/coordination_1.crt;
        proxy_ssl_certificate_key /etc/ssl/certs/coordination_1.key;
        proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        proxy_ssl_ciphers HIGH:!aNULL:!MD5;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca.crt;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_session_reuse on;
    }
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293831,293837#msg-293837

From francis at daoine.org Tue Mar 15 23:49:13 2022
From: francis at daoine.org (Francis Daly)
Date: Tue, 15 Mar 2022 23:49:13 +0000
Subject: nginx load balance TLS elasticsearch
In-Reply-To:
References: <20220314183352.GO14624@daoine.org>
Message-ID: <20220315234913.GQ14624@daoine.org>

On Mon, Mar 14, 2022 at 03:15:43PM -0400, borys_85 wrote:

Hi there,

> Thanks I've already found this missed curly bracket, but

Good that you found the fix :-)

> I'm forcing in my environment setup on nginx for Elasticsearch:
> -what I have a problem with the correct configuration for connect NGINX over
> TLS to my nodes
>
> below You can find my configuration,maybe You can point me out what's wrong
> in this part, I'm using also crt and key per node so there I need to
> break it down into groups/location
> Do You have some examples config with TLS?

I'm not sure what exactly you want.
If the client should talk to nginx using https, then you need "listen _port_ ssl" in this server{}, along with ssl_certificate and ssl_certificate_key accessible in this server{}. The client will have to trust that certificate. If nginx should talk to upstream using https for some requests, then you need proxy_pass https://_upstream_server_ in the location{} for those requests; if *that* upstream server wants nginx to authenticate using a client certificate, then you need proxy_ssl_certificate and proxy_ssl_certificate_key accessible in this location{}. (And if you want nginx to validate the certificate provided by that upstream server, you want proxy_ssl_trusted_certificate accessible in this location{}.) In the example config included, your "listen 9200" means that nginx is listening for http not https, and the proxy_pass means that nginx is talking https to the upstream servers. Your "listen 9201 ssl" means that nginx is listening for https not http, and the proxy_pass means that nginx is talking http to the upstream servers. And the same for the 9238 and 9210 server{}s. Once you decide how the client should talk to nginx (http or https), and how nginx should talk to upstream (http or https), you can set the "listen" and "proxy_pass" directives appropriately; and then you can make one test request from the client and see what the response is. Good luck with it, f -- Francis Daly francis at daoine.org From jeremy at ardley.org Wed Mar 16 07:36:03 2022 From: jeremy at ardley.org (Jeremy Ardley) Date: Wed, 16 Mar 2022 15:36:03 +0800 Subject: logging in mail {} stanza and STARTTLS error Message-ID: Hi, I'm attempting to implement an IMAP proxy using ngx_mail module. How do I enable logging inside a mail {} stanza, or indeed anywhere other than an http {} stanza which doesn't seem to log any mail {} related traffic. Secondly, the reason I want to log activity is because the mail module returns an error "BAD  invalid command" when my IMAP client issues a STARTTLS. 
Any suggestions?

--
Jeremy

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL:

From osa at freebsd.org.ru Thu Mar 17 02:02:55 2022
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Thu, 17 Mar 2022 05:02:55 +0300
Subject: logging in mail {} stanza and STARTTLS error
In-Reply-To:
References:
Message-ID:

Hi Jeremy,

hope you're doing well these days.

On Wed, Mar 16, 2022 at 03:36:03PM +0800, Jeremy Ardley wrote:
> Hi,
>
> I'm attempting to implement an IMAP proxy using ngx_mail module.
>
> How do I enable logging inside a mail {} stanza, or indeed anywhere
> other than an http {} stanza which doesn't seem to log any mail {}
> related traffic.

Here's the answer [1].

> Secondly, the reason I want to log activity is because the mail module
> returns an error "BAD invalid command" when my IMAP client issues a
> STARTTLS. Any suggestions?

If [1] can't help, you'd probably need to start with a debugging log [2].

References:

[1] https://mailman.nginx.org/pipermail/nginx/2018-January/055490.html
[2] https://nginx.org/en/docs/debugging_log.html

--
Sergey A. Osokin

From jeremy at ardley.org Thu Mar 17 02:39:39 2022
From: jeremy at ardley.org (Jeremy Ardley)
Date: Thu, 17 Mar 2022 10:39:39 +0800
Subject: logging in mail {} stanza and STARTTLS error
In-Reply-To:
References:
Message-ID:

On 17/3/22 10:02 am, Sergey A. Osokin wrote:
> References:
>
> [1] https://mailman.nginx.org/pipermail/nginx/2018-January/055490.html
> [2] https://nginx.org/en/docs/debugging_log.html

Hello Sergey,

Coincidentally I have made some progress on resolving the problems and discovered that at least a part of the problem was that my authentication server uses https.

I changed the authentication server request URL from:

auth_http my.mail.server:808/mail/auth.php;

to

auth_http https://my.mail.server:808/mail/auth.php;

With nginx -t I got an error of "invalid port".

I changed my authentication server to http and this URL worked:

auth_http http://my.mail.server:808/mail/auth.php;

It's still not working, but at least I have traffic to the authorisation server that gets to execute the php script.

At least one new issue is that authorisation using PLAIN needs https, but it seems that is not supported right now by nginx mail?

--
Jeremy

From nginx-forum at forum.nginx.org Fri Mar 18 00:38:03 2022
From: nginx-forum at forum.nginx.org (adhprash)
Date: Thu, 17 Mar 2022 20:38:03 -0400
Subject: Help with ssl_write() failed issue on nginx
Message-ID: <9331538ca041268eea8a134ee0c6ec35.NginxMailingListEnglish@forum.nginx.org>

I am doing mTLS authentication. I am having trouble pinpointing the exact issue because this happens intermittently. I have two clients set up for this and this happens especially on only one client.

Below errors seem to randomly pop up:

[info] 31561#31561: *359835776 SSL_write() failed (104: Connection reset by peer) while sending to client, client
[info] 11969#11969: *402978165 SSL_write() failed (32: Broken pipe) while sending to client

This is my nginx version:

nginx version: nginx/1.20.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.1.1g FIPS 21 Apr 2020
TLS SNI support enabled

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293852,293852#msg-293852

From osa at freebsd.org.ru Fri Mar 18 03:51:41 2022
From: osa at freebsd.org.ru (Sergey A.
Osokin)
Date: Fri, 18 Mar 2022 06:51:41 +0300
Subject: Help with ssl_write() failed issue on nginx
In-Reply-To: <9331538ca041268eea8a134ee0c6ec35.NginxMailingListEnglish@forum.nginx.org>
References: <9331538ca041268eea8a134ee0c6ec35.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

Hi there,

hope you're doing well.

On Thu, Mar 17, 2022 at 08:38:03PM -0400, adhprash wrote:
> I am doing mTLS authentication . I am having trouble pinpointing the exact
> issue because this happens intermittently. I have two clients setup for this
> and this happens especially on only one client.
> Below errors seem to randomly pop up
>
> [info] 31561#31561: *359835776 SSL_write() failed (104: Connection reset by
> peer) while sending to client, client
> [info] 11969#11969: *402978165 SSL_write() failed (32: Broken pipe) while
> sending to client
>
> This is my nginx version
>
> nginx version: nginx/1.20.1
> built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
> built with OpenSSL 1.1.1g FIPS 21 Apr 2020
> TLS SNI support enabled

Could you please provide an output of the `nginx -T' command.

It seems like the OS is RHEL 7.9, please confirm that. The supported version of OpenSSL for that version of the OS is 1.0.2. So, I'm curious how NGINX has been built and deployed in that case.

Thank you.

--
Sergey A.
Osokin

From nginx-forum at forum.nginx.org Fri Mar 18 17:00:50 2022
From: nginx-forum at forum.nginx.org (adhprash)
Date: Fri, 18 Mar 2022 13:00:50 -0400
Subject: Help with ssl_write() failed issue on nginx
In-Reply-To:
References:
Message-ID: <772399927aa664a9e24e11c979b730ce.NginxMailingListEnglish@forum.nginx.org>

Please find below output from nginx -t

nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

# configuration file /etc/nginx/nginx.conf:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log info; # CIS 3.3 Ensure error logging is enabled and set to the info logging level (Scored)
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

worker_rlimit_nofile 8192;

events {
    worker_connections 4096;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    types_hash_max_size 2048;
    server_tokens off; # CIS 2.5.1 Ensure server_tokens directive is set to 'off' (Scored)
    keepalive_timeout 0; # CIS 2.4.3 Ensure keepalive_timeout is 10 seconds or less, but not 0 (Scored)
    send_timeout 60; # CIS 2.4.4 Ensure send_timeout is set to 10 seconds or less, but not 0 (Scored)

    # 3.1 Ensure detailed logging is enabled (Not Scored)
    log_format main 'time_local="$time_local" server="$server_name" host="$host" dest_port="$server_port" http_status="$status" '
                    'src="$remote_addr" ip="$realip_remote_addr" user="$remote_user" '
                    'http_referer="$http_referer" http_user_agent="$http_user_agent" '
                    'http_x_forwarded_for="$http_x_forwarded_for" '
                    'http_x_header="$http_x_header" uri_query="$query_string" uri_path="$uri" '
                    'ssl_protocol/ssl_cipher="$ssl_protocol/$ssl_cipher" client_Issuer_DN="$ssl_client_i_dn" '
                    'client_DN="$ssl_client_s_dn" end_date_client_cert="$ssl_client_v_end" '
                    'client_cert_serial="$ssl_client_serial" thumbrint_sha1="$ssl_client_fingerprint" '
                    'client_verification_status="$ssl_client_verify" '
                    'request=$request http_method="$request_method"';

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ssl_protocols TLSv1.2; # CIS 4.1.4 Ensure only modern TLS protocols are used (Scored)
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/access.log main; # 3.2 Ensure access logging is enabled (Scored)
    error_log /var/log/nginx/error.log info;

    gzip off; # CIS 2.1.3 Ensure modules with gzip functionality are disabled (Scored)

    map $ssl_client_s_dn $partner_id {
        default $ssl_client_s_dn;
        some_condition;
    }

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

# configuration file /etc/nginx/mime.types:
types {
    text/html html htm shtml;
    text/css css;
    text/xml xml;
    image/gif gif;
    image/jpeg jpeg jpg;
    application/javascript js;
    application/atom+xml atom;
    application/rss+xml rss;
    text/mathml mml;
    text/plain txt;
    text/vnd.sun.j2me.app-descriptor jad;
    text/vnd.wap.wml wml;
    text/x-component htc;
    image/png png;
    image/svg+xml svg svgz;
    image/tiff tif tiff;
    image/vnd.wap.wbmp wbmp;
    image/webp webp;
    image/x-icon ico;
    image/x-jng jng;
    image/x-ms-bmp bmp;
    font/woff woff;
    font/woff2 woff2;
    application/java-archive jar war ear;
    application/json json;
    application/mac-binhex40 hqx;
    application/msword doc;
    application/pdf pdf;
    application/postscript ps eps ai;
    application/rtf rtf;
    application/vnd.apple.mpegurl m3u8;
    application/vnd.google-earth.kml+xml kml;
    application/vnd.google-earth.kmz kmz;
    application/vnd.ms-excel xls;
    application/vnd.ms-fontobject eot;
    application/vnd.ms-powerpoint ppt;
    application/vnd.oasis.opendocument.graphics odg;
    application/vnd.oasis.opendocument.presentation odp;
    application/vnd.oasis.opendocument.spreadsheet ods;
    application/vnd.oasis.opendocument.text odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
    application/vnd.wap.wmlc wmlc;
    application/x-7z-compressed 7z;
    application/x-cocoa cco;
    application/x-java-archive-diff jardiff;
    application/x-java-jnlp-file jnlp;
    application/x-makeself run;
    application/x-perl pl pm;
    application/x-pilot prc pdb;
    application/x-rar-compressed rar;
    application/x-redhat-package-manager rpm;
    application/x-sea sea;
    application/x-shockwave-flash swf;
    application/x-stuffit sit;
    application/x-tcl tcl tk;
    application/x-x509-ca-cert der pem crt;
    application/x-xpinstall xpi;
    application/xhtml+xml xhtml;
    application/xspf+xml xspf;
    application/zip zip;
    application/octet-stream bin exe dll;
    application/octet-stream deb;
    application/octet-stream dmg;
    application/octet-stream iso img;
    application/octet-stream msi msp msm;
    audio/midi mid midi kar;
    audio/mpeg mp3;
    audio/ogg ogg;
    audio/x-m4a m4a;
    audio/x-realaudio ra;
    video/3gpp 3gpp 3gp;
    video/mp2t ts;
    video/mp4 mp4;
    video/mpeg mpeg mpg;
    video/quicktime mov;
    video/webm webm;
    video/x-flv flv;
    video/x-m4v m4v;
    video/x-mng mng;
    video/x-ms-asf asx asf;
    video/x-ms-wmv wmv;
    video/x-msvideo avi;
}

# configuration file /etc/nginx/sites-enabled/default:
server {
    listen 443 ssl http2 default_server; # CIS 4.1.14 Ensure HTTP/2.0 is used (Not Scored)
    server_name _;
    client_max_body_size 1000m;
    client_body_timeout 120;
    client_header_timeout 120;
    large_client_header_buffers 4 8k;

    ssl_dhparam /etc/nginx/ssl/dhparam.pem; # CIS 4.1.6 Ensure custom Diffie-Hellman parameters are used (Scored)
    ssl_certificate "/path/to/certificate/";
    ssl_certificate_key "/path/to/key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers ALL:!EXP:!NULL:!ADH:!LOW:!SSLv2:!SSLv3:!MD5:!RC4;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2;
    ssl_client_certificate "/path/to/mtls_cert";
    ssl_verify_client on;
    ssl_verify_depth 10;
    ssl_crl "/path/to/crl";
    ssl_session_tickets off;
    underscores_in_headers on;

    add_header Strict-Transport-Security "max-age=15768000;"; # 4.1.8 Ensure HTTP Strict Transport Security (HSTS) is enabled (Scored)

    location / {
        rewrite "^.*$" break;
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_ignore_client_abort on;
        proxy_ssl_protocols TLSv1.2;
        proxy_ssl_ciphers ALL:!EXP:!NULL:!ADH:!LOW:!SSLv2:!SSLv3:!MD5:!RC4;
        proxy_hide_header X-Powered-By;
        proxy_hide_header Server;
        proxy_set_header Host $host;
        proxy_set_header partner-id $partner_id;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_pass https://alb-name/path;
        proxy_read_timeout 120;
        proxy_pass_request_headers on;
    }
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293852,293854#msg-293854

From nginx-forum at forum.nginx.org Fri Mar 18 17:25:34 2022
From: nginx-forum at forum.nginx.org (adhprash)
Date: Fri, 18 Mar 2022 13:25:34 -0400
Subject: Help with ssl_write() failed issue on nginx
In-Reply-To: <772399927aa664a9e24e11c979b730ce.NginxMailingListEnglish@forum.nginx.org>
References: <772399927aa664a9e24e11c979b730ce.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <28d6b109a5bde8dbb044ad1b1c05f03f.NginxMailingListEnglish@forum.nginx.org>

And you are right, it is RHEL 7.9

NAME="Red Hat Enterprise Linux Server"
VERSION="7.9 (Maipo)"
ID="rhel"
ID_LIKE="fedora"

Below is our openssl version

OpenSSL 1.0.2k-fips 26 Jan 2017

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293852,293855#msg-293855

From nginx-forum at forum.nginx.org Mon Mar 21 07:55:39 2022
From: nginx-forum at forum.nginx.org (bkannadassan)
Date: Mon, 21 Mar 2022 03:55:39 -0400
Subject: Reg: Gradual buildup of nginx memory
Message-ID:

Hi All,

We are seeing a gradual buildup of NGINX memory to the tune of 1-2 MB every 15 mins or so. This memory doesn't come down; please let us know how we can find out the reason for this. Please note this is a free version of NGINX.

rgds
Balaji

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293859,293859#msg-293859

From osa at freebsd.org.ru Mon Mar 21 09:44:48 2022
From: osa at freebsd.org.ru (Sergey A.
Osokin)
Date: Mon, 21 Mar 2022 12:44:48 +0300
Subject: Reg: Gradual buildup of nginx memory
In-Reply-To:
References:
Message-ID:

Hi Balaji,

hope you're doing well.

On Mon, Mar 21, 2022 at 03:55:39AM -0400, bkannadassan wrote:
> We are seeing a gradual buildup of NGINX memory to the tune of 1-2 MB
> every 15 mins or so. This memory doesn't comedown, please let us know how
> can we know what is the reason for the same. Please note this is a free
> version of NGINX.

Are there any third-party modules in use?

Please provide `nginx -T' output.

Thank you.

--
Sergey A. Osokin

From anoopalias01 at gmail.com Mon Mar 21 09:56:52 2022
From: anoopalias01 at gmail.com (Anoop Alias)
Date: Mon, 21 Mar 2022 15:26:52 +0530
Subject: Reg: Gradual buildup of nginx memory
In-Reply-To:
References:
Message-ID:

I have seen similar behavior in the mod_sec2 module

On Mon, Mar 21, 2022 at 1:29 PM bkannadassan wrote:
> Hi All,
>
> We are seeing a gradual buildup of NGINX memory to the tune of 1-2 MB
> every 15 mins or so. This memory doesn't comedown, please let us know how
> can we know what is the reason for the same. Please note this is a free
> version of NGINX.
>
> rgds
> Balaji
>
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?2,293859,293859#msg-293859
>
> _______________________________________________
> nginx mailing list -- nginx at nginx.org
> To unsubscribe send an email to nginx-leave at nginx.org
>

--
*Anoop P Alias*

From osa at freebsd.org.ru Tue Mar 22 03:11:41 2022
From: osa at freebsd.org.ru (Sergey A.
Osokin) Date: Tue, 22 Mar 2022 06:11:41 +0300 Subject: Help with ssl_write() failed issue on nginx In-Reply-To: <28d6b109a5bde8dbb044ad1b1c05f03f.NginxMailingListEnglish@forum.nginx.org> References: <772399927aa664a9e24e11c979b730ce.NginxMailingListEnglish@forum.nginx.org> <28d6b109a5bde8dbb044ad1b1c05f03f.NginxMailingListEnglish@forum.nginx.org> Message-ID: On Fri, Mar 18, 2022 at 01:25:34PM -0400, adhprash wrote: > And you are right, it is RHEL 7.9 > NAME="Red Hat Enterprise Linux Server" > VERSION="7.9 (Maipo)" > ID="rhel" > ID_LIKE="fedora" > > Below is our openssl version > > OpenSSL 1.0.2k-fips 26 Jan 2017 Thanks for the update. Could you run `nginx -V' and share the output. Also, could you provide an output of the `openssl version' command. -- Sergey A. Osokin From nginx-forum at forum.nginx.org Tue Mar 22 16:17:52 2022 From: nginx-forum at forum.nginx.org (adhprash) Date: Tue, 22 Mar 2022 12:17:52 -0400 Subject: Help with ssl_write() failed issue on nginx In-Reply-To: References: Message-ID: Please find the output of nginx -V nginx version: nginx/1.20.1 built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) built with OpenSSL 1.1.1g FIPS 21 Apr 2020 TLS SNI support enabled configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --eg/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/p-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-compat --with-debug --with-file-aio --with-google_perftools_module --with-http_addition_mh_request_module --with-http_dav_module --with-http_degradation_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module -er_module=dynamic --with-http_mp4_module 
--with-http_perl_module=dynamic --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_xslt_module=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-cc-opt='-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'

This is my openssl version:

OpenSSL 1.0.2k-fips  26 Jan 2017

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293852,293864#msg-293864

From nginx-forum at forum.nginx.org Thu Mar 24 13:28:49 2022
From: nginx-forum at forum.nginx.org (allenhe)
Date: Thu, 24 Mar 2022 09:28:49 -0400
Subject: Can stream module proxy grpc traffics transparently?
Message-ID: <8c5d2029fbb7c51931ebe64df6b85e82.NginxMailingListEnglish@forum.nginx.org>

If yes, what are the drawbacks compared with the grpc support in the http module?

thanks,
Allen

From osa at freebsd.org.ru Thu Mar 24 19:58:51 2022
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Thu, 24 Mar 2022 22:58:51 +0300
Subject: Can stream module proxy grpc traffics transparently?
In-Reply-To: <8c5d2029fbb7c51931ebe64df6b85e82.NginxMailingListEnglish@forum.nginx.org>
References: <8c5d2029fbb7c51931ebe64df6b85e82.NginxMailingListEnglish@forum.nginx.org>

Hi Allen,

hope you're doing well.

On Thu, Mar 24, 2022 at 09:28:49AM -0400, allenhe wrote:
> If yes and what are the drawbacks comparing with the grpc support by http
> module?

Is [1] what we're looking for?

Thanks.

References:
[1] http://nginx.org/en/docs/http/ngx_http_grpc_module.html

-- 
Sergey A. Osokin

From nginx-forum at forum.nginx.org Fri Mar 25 01:01:54 2022
From: nginx-forum at forum.nginx.org (allenhe)
Date: Thu, 24 Mar 2022 21:01:54 -0400
Subject: Can stream module proxy grpc traffics transparently?
Message-ID: <2c9a2b315596747143d4ffcc660f5049.NginxMailingListEnglish@forum.nginx.org>

Hi,

Thanks for the quick reply. Yes, I know that ngx_http_grpc_module already supports grpc proxy. The fact is that we have a legacy product running with a pretty old nginx version and hope that it can be used to proxy grpc as well. So, can the stream module proxy the grpc request/response correctly?

Thanks,
Allen

From nginx-forum at forum.nginx.org Sun Mar 27 06:04:10 2022
From: nginx-forum at forum.nginx.org (sukeerthiadiga)
Date: Sun, 27 Mar 2022 02:04:10 -0400
Subject: Nginx with OpenSSL 1.1.1n

The Mainline version of Nginx, i.e. 1.12.6, has the OpenSSL version 1.1.1m and it is vulnerable.
Is there any plan to release another version of Nginx with the latest OpenSSL (i.e. 1.1.1n)?

From lists at lazygranch.com Sun Mar 27 06:33:34 2022
From: lists at lazygranch.com (lists)
Date: Sat, 26 Mar 2022 23:33:34 -0700
Subject: Nginx with OpenSSL 1.1.1n

Isn't Openssl part of your OS?

  Original Message  
From: nginx-forum at forum.nginx.org
Sent: March 26, 2022 11:07 PM
To: nginx at nginx.org
Reply-to: nginx at nginx.org
Subject: Nginx with OpenSSL 1.1.1n

The Mainline version of Nginx i.e 1.12.6 has the OpenSSL version 1.1.1m and it is vulnerable.
Is there any plan to release another version of Nginx with the latest OpenSSL(i.e 1.1.1n)?

_______________________________________________
nginx mailing list -- nginx at nginx.org
To unsubscribe send an email to nginx-leave at nginx.org

From osa at freebsd.org.ru Sun Mar 27 13:58:25 2022
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Sun, 27 Mar 2022 16:58:25 +0300
Subject: Nginx with OpenSSL 1.1.1n

Hi,

On Sun, Mar 27, 2022 at 02:04:10AM -0400, sukeerthiadiga wrote:
> The Mainline version of Nginx i.e 1.12.6 has the OpenSSL version 1.1.1m and
> it is vulnerable.

That's a bit far from true. NGINX, like many other products, depends on other open source software components, like openssl, pcre, zlib. Libraries for those components are supported by the operating system vendor. I'd recommend contacting the vendor of the corresponding OS to get an update of a component.

> Is there any plan to release another version of Nginx with the latest
> OpenSSL(i.e 1.1.1n)?

I don't think that such plans are available.

-- 
Sergey A. Osokin

From ekgermann at semperen.com Sun Mar 27 14:37:11 2022
From: ekgermann at semperen.com (Eric Germann)
Date: Sun, 27 Mar 2022 10:37:11 -0400
Subject: Nginx with OpenSSL 1.1.1n

Compile yourself. I do that and can build it with any OpenSSL version I like.

Why? Centos 6 doesn't update the packages anymore and I'm too lazy to rebuild a reverse proxy.

Eric

> On Mar 27, 2022, at 10:00, Sergey A. Osokin wrote:
>
> That's a bit far from true. NGINX, as many other products, depends on other
> open source software components, like openssl, pcre, zlib. Library of those
> components are supported by an operating system vendor. I'd recommend
> to contact to the vendor of a corresponding OS to get an update of a
> component.
> [...]

From lukas at ltri.eu Sun Mar 27 14:49:09 2022
From: lukas at ltri.eu (Lukas Tribus)
Date: Sun, 27 Mar 2022 16:49:09 +0200
Subject: Nginx with OpenSSL 1.1.1n

On Sun, 27 Mar 2022 at 15:58, Sergey A. Osokin wrote:
> That's a bit far from true. NGINX, as many other products, depends on other
> open source software components, like openssl, pcre, zlib. Library of those
> components are supported by an operating system vendor. I'd recommend
> to contact to the vendor of a corresponding OS to get an update of a
> component.
Actually, nginx.org provides windows binaries with openssl statically compiled in:

http://nginx.org/download/nginx-1.21.6.zip

C:\nginx-1.21.6>nginx -V
nginx version: nginx/1.21.6
built by cl 16.00.40219.01 for 80x86
built with OpenSSL 1.1.1m  14 Dec 2021
TLS SNI support enabled
configure arguments: --with-cc=cl --builddir=objs.msvc8 --with-debug --prefix= --conf-path=conf/nginx.conf --pid-path=logs/nginx.pid --http-log-path=logs/access.log --error-log-path=logs/error.log --sbin-path=nginx.exe --http-client-body-temp-path=temp/client_body_temp --http-proxy-temp-path=temp/proxy_temp --http-fastcgi-temp-path=temp/fastcgi_temp --http-scgi-temp-path=temp/scgi_temp --http-uwsgi-temp-path=temp/uwsgi_temp --with-cc-opt=-DFD_SETSIZE=1024 --with-pcre=objs.msvc8/lib/pcre2-10.39 --with-zlib=objs.msvc8/lib/zlib-1.2.11 --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_stub_status_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_slice_module --with-mail --with-stream --with-openssl=objs.msvc8/lib/openssl-1.1.1m --with-openssl-opt='no-asm no-tests -D_WIN32_WINNT=0x0501' --with-http_ssl_module --with-mail_ssl_module --with-stream_ssl_module

C:\nginx-1.21.6>

Lukas

From nginx-forum at forum.nginx.org Mon Mar 28 05:21:34 2022
From: nginx-forum at forum.nginx.org (sukeerthiadiga)
Date: Mon, 28 Mar 2022 01:21:34 -0400
Subject: Nginx with OpenSSL 1.1.1n
Message-ID: <7d475f0edd908697112fc83204e461ec.NginxMailingListEnglish@forum.nginx.org>

Yes, my question was more closely related to the windows binaries with OpenSSL statically compiled. As of now Nginx version 1.21.6 has OpenSSL 1.1.1m. I was looking for the answer to see whether Nginx is planning to do another release with OpenSSL 1.1.1n statically compiled.
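The thread turns on which OpenSSL actually ends up doing the TLS work. The nginx.org Windows zip compiles the library in statically (the --with-openssl= configure argument, and no "running with" part in the nginx -V output above), so only a new nginx build can change it; a distro build loads the shared system library, and nginx -V then reports both the build-time and the run-time version. The following script is an added example, not code from nginx.org or from any poster: it parses nginx -V output, decides whether OpenSSL is static or shared, picks the version that is effective at run time, and compares it with a minimum. Both sample outputs are constructed (the Windows one is trimmed from the build shown above, the RHEL-style one is an assumption), and the function names are mine.

```python
"""Decide which OpenSSL an nginx binary really uses, from `nginx -V` output.

Added example for this thread, not code from nginx.org. The sample outputs
are constructed: the first mirrors the Windows build shown in the thread,
the second is an assumed distro-style build against the shared library.
"""
import re
import subprocess
from typing import Optional

# Constructed sample: OpenSSL linked in statically (note --with-openssl=
# among the configure arguments and the absence of a "running with" part).
SAMPLE_STATIC = """nginx version: nginx/1.21.6
built by cl 16.00.40219.01 for 80x86
built with OpenSSL 1.1.1m  14 Dec 2021
TLS SNI support enabled
configure arguments: --with-cc=cl --with-openssl=objs.msvc8/lib/openssl-1.1.1m --with-http_ssl_module
"""

# Constructed sample: built against the system headers (1.1.1k) but loading
# the shared library the OS vendor has since updated to 1.1.1n.
SAMPLE_DYNAMIC = """nginx version: nginx/1.20.2
built by gcc 8.5.0 20210514 (Red Hat 8.5.0-4) (GCC)
built with OpenSSL 1.1.1k  FIPS 25 Mar 2021 (running with OpenSSL 1.1.1n  15 Mar 2022)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module
"""

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)")


def openssl_version_key(version: str) -> tuple:
    """Turn '1.1.1m', '1.0.2k-fips' or '3.0.8' into a comparable tuple.

    OpenSSL 1.x used a letter for patch releases ('' < 'a' < ... < 'z');
    3.x uses plain dotted numbers. Both sort correctly with this key.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def parse_nginx_v(text: str) -> dict:
    """Extract the OpenSSL facts from `nginx -V` output."""
    nginx = re.search(r"nginx version: nginx/(\S+)", text)
    built = re.search(r"built with OpenSSL (\S+)", text)
    running = re.search(r"\(running with OpenSSL (\S+)", text)
    args = re.search(r"^configure arguments:(.*)$", text, re.MULTILINE)
    return {
        "nginx": nginx.group(1) if nginx else None,
        "built_with": built.group(1) if built else None,
        "running_with": running.group(1) if running else None,
        # --with-openssl=<path> means the library was compiled into the
        # binary: an OS package update cannot change it, only a rebuild can.
        "static_openssl": bool(args and "--with-openssl=" in args.group(1)),
    }


def effective_openssl(info: dict) -> Optional[str]:
    """The version that handles TLS: the run-time one when nginx reports it."""
    return info["running_with"] or info["built_with"]


def meets_minimum(info: dict, minimum: str) -> bool:
    version = effective_openssl(info)
    return version is not None and openssl_version_key(version) >= openssl_version_key(minimum)


def check_binary(path: str = "nginx", minimum: str = "1.1.1n") -> dict:
    """Run the real binary; `nginx -V` writes its report to stderr."""
    out = subprocess.run([path, "-V"], capture_output=True, text=True, check=True)
    info = parse_nginx_v(out.stderr + out.stdout)
    info["patched"] = meets_minimum(info, minimum)
    return info


if __name__ == "__main__":
    for label, sample in (("static", SAMPLE_STATIC), ("shared", SAMPLE_DYNAMIC)):
        info = parse_nginx_v(sample)
        print(label, effective_openssl(info),
              "compiled in" if info["static_openssl"] else "system library",
              "OK" if meets_minimum(info, "1.1.1n") else "NEEDS UPDATE")
```

Run check_binary("/usr/sbin/nginx", "1.1.1n") on a real host; a "static_openssl": True result with "patched": False is exactly the situation the original poster is in, and the only remedy is a rebuilt binary.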
From nginx-forum at forum.nginx.org Mon Mar 28 05:30:29 2022
From: nginx-forum at forum.nginx.org (sukeerthiadiga)
Date: Mon, 28 Mar 2022 01:30:29 -0400
Subject: Nginx with OpenSSL 1.1.1n
Message-ID: <221306c1d7c365a03ce75a453cf2772a.NginxMailingListEnglish@forum.nginx.org>

gariac Wrote:
-------------------------------------------------------
> Isn't Openssl part of your OS?
> [...]

I am using nginx.exe which nginx.org provides. It has OpenSSL version 1.1.1m statically compiled in.

From fusca14 at gmail.com Mon Mar 28 19:32:05 2022
From: fusca14 at gmail.com (Fabiano Furtado Pessoa Coelho)
Date: Mon, 28 Mar 2022 16:32:05 -0300
Subject: NGINX "--with-zlib=..." linker error

Hi...

I'm using https://nginx.org/packages/rhel/8/SRPMS/nginx-1.20.2-1.el8.ngx.src.rpm to compile NGINX for RHEL 8.5, with the "--with-openssl=/openssl_1_1_1n" parameter in the "%define BASE_CONFIGURE_ARGS" .SPEC file, and it works fine. The NGINX package is compiled without errors.

Now I want to add the "--with-zlib=/zlib_1_2_12" parameter, to compile NGINX with the latest zlib version 1.2.12, and I get these linker errors:

...
objs/ngx_modules.o \
-Wl,-z,relro -Wl,-z,now -pie -ldl -lpthread -lpthread -lcrypt -lpcre /openssl_1_1_1n/.openssl/lib/libssl.a /openssl_1_1_1n/.openssl/lib/libcrypto.a -ldl -lpthread /zlib_1_2_12/libz.a \
-Wl,-E
/usr/bin/ld: /zlib_1_2_12/libz.a(deflate.o): relocation R_X86_64_32S against symbol `_length_code' can not be used when making a PIE object; recompile with -fPIC
/usr/bin/ld: /zlib_1_2_12/libz.a(inflate.o): relocation R_X86_64_32S against symbol `zcfree' can not be used when making a PIE object; recompile with -fPIC
/usr/bin/ld: /zlib_1_2_12/libz.a(inftrees.o): relocation R_X86_64_32S against `.rodata' can not be used when making a PIE object; recompile with -fPIC
/usr/bin/ld: /zlib_1_2_12/libz.a(trees.o): relocation R_X86_64_32S against symbol `_length_code' can not be used when making a PIE object; recompile with -fPIC
/usr/bin/ld: /zlib_1_2_12/libz.a(zutil.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a PIE object; recompile with -fPIC
/usr/bin/ld: /zlib_1_2_12/libz.a(crc32.o): relocation R_X86_64_32S against `.rodata' can not be used when making a PIE object; recompile with -fPIC
/usr/bin/ld: /zlib_1_2_12/libz.a(inffast.o): relocation R_X86_64_32S against `.rodata.str1.1' can not be used when making a PIE object; recompile with -fPIC
/usr/bin/ld: final link failed: Nonrepresentable section on output
collect2: error: ld returned 1 exit status
...

Is there a solution for this linker issue?

Thanks in advance.

From noloader at gmail.com Mon Mar 28 19:42:22 2022
From: noloader at gmail.com (Jeffrey Walton)
Date: Mon, 28 Mar 2022 15:42:22 -0400
Subject: NGINX "--with-zlib=..." linker error

On Mon, Mar 28, 2022 at 3:35 PM Fabiano Furtado Pessoa Coelho wrote:
> Now I want to add the "--with-zlib=/zlib_1_2_12" parameter, to compile
> NGINX with the latest zlib version 1.2.12, and I get these linker
> errors:
> [...]
> /usr/bin/ld: /zlib_1_2_12/libz.a(deflate.o): relocation R_X86_64_32S
> against symbol `_length_code' can not be used when making a PIE
> object; recompile with -fPIC
> [...]
> Is there a solution for this linker issue?

Rebuild zLib. Use -fPIC when building it.

zlib is an old makefile-based library. You usually need to patch it heavily to get it to honor CPPFLAGS, CFLAGS and CXXFLAGS. The easiest thing to do would be open the makefile and just add the flag by hand.

Here's an example of a zlib patch to generalize the makefile so it honors user flags: https://github.com/noloader/Build-Scripts/blob/master/patch/zlib.patch .

Jeff

From fusca14 at gmail.com Mon Mar 28 20:01:59 2022
From: fusca14 at gmail.com (Fabiano Furtado Pessoa Coelho)
Date: Mon, 28 Mar 2022 17:01:59 -0300
Subject: NGINX "--with-zlib=..." linker error

Hi, Jeffrey!

The official documentation at http://nginx.org/en/docs/configure.html says:

    --with-zlib=path
    sets the path to the sources of the zlib library. The library distribution (version 1.1.3 — 1.2.11) needs to be downloaded from the zlib site and extracted. The rest is done by nginx's ./configure and make. The library is required for the ngx_http_gzip_module module.

... and I thought the source files directory needed to be untouchable! :)

I'm gonna try it tomorrow.

Thanks.

On Mon, Mar 28, 2022 at 4:45 PM Jeffrey Walton wrote:
> Rebuild zLib. Use -fPIC when building it.
> [...]

From mdounin at mdounin.ru Mon Mar 28 22:05:10 2022
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 29 Mar 2022 01:05:10 +0300
Subject: NGINX "--with-zlib=..." linker error

Hello!

On Mon, Mar 28, 2022 at 04:32:05PM -0300, Fabiano Furtado Pessoa Coelho wrote:

> Now I want to add the "--with-zlib=/zlib_1_2_12" parameter, to compile
> NGINX with the latest zlib version 1.2.12, and I get these linker
> errors:
> [...]
> Is there a solution for this linker issue?

Try also adding "--with-zlib-opt=-fPIC" configure argument, should help.

-- 
Maxim Dounin
http://mdounin.ru/

From fusca14 at gmail.com Mon Mar 28 23:25:47 2022
From: fusca14 at gmail.com (Fabiano Furtado Pessoa Coelho)
Date: Mon, 28 Mar 2022 20:25:47 -0300
Subject: NGINX "--with-zlib=..." linker error

Thank you, Maxim! It worked!!!! Amazing!!!!

Just one more thing....

I was looking in the source code and found it:

...
auto/cc/gcc:131:if [ ".$ZLIB_OPT" = "." ]; then
auto/cc/gcc:132:    ZLIB_OPT="-O2 -fomit-frame-pointer $PIPE $CPU_OPT"
auto/cc/gcc-133-else
auto/cc/gcc:134:    ZLIB_OPT="$ZLIB_OPT $PIPE"
auto/cc/gcc-135-fi
...

Do I need to specify "--with-zlib-opt=-fPIC -O2 -fomit-frame-pointer" because of these ZLIB_OPT default values?

Thanks in advance.

On Mon, Mar 28, 2022 at 7:07 PM Maxim Dounin wrote:
> Try also adding "--with-zlib-opt=-fPIC" configure argument, should
> help.

From mdounin at mdounin.ru Tue Mar 29 12:02:50 2022
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 29 Mar 2022 15:02:50 +0300
Subject: NGINX "--with-zlib=..." linker error

Hello!

On Mon, Mar 28, 2022 at 08:25:47PM -0300, Fabiano Furtado Pessoa Coelho wrote:

> Just one more thing....
>
> I was looking in the source code and found it:
> ...
> auto/cc/gcc:131:if [ ".$ZLIB_OPT" = "." ]; then
> auto/cc/gcc:132:    ZLIB_OPT="-O2 -fomit-frame-pointer $PIPE $CPU_OPT"
> auto/cc/gcc-133-else
> auto/cc/gcc:134:    ZLIB_OPT="$ZLIB_OPT $PIPE"
> auto/cc/gcc-135-fi
> ...
>
> Do I need to specify "--with-zlib-opt=-fPIC -O2 -fomit-frame-pointer"
> because of these ZLIB_OPT default values?

Yes if you want to match optimizations used by nginx by default when building the zlib library. But that's just optimizations, so it's completely optional.

-- 
Maxim Dounin
http://mdounin.ru/

From fusca14 at gmail.com Tue Mar 29 19:03:19 2022
From: fusca14 at gmail.com (Fabiano Furtado Pessoa Coelho)
Date: Tue, 29 Mar 2022 16:03:19 -0300
Subject: NGINX "--with-zlib=..." linker error

Hi Maxim...

I have a ./configure error with two or more parameters on "--with-zlib-opt=...".

I've tried:
  * --with-zlib-opt=-O2 -fPIC
  * --with-zlib-opt="-O2 -fPIC"
  * --with-zlib-opt='-O2 -fPIC'
  * --with-zlib-opt=-O2-fPIC
  * --with-zlib-opt=\-O2\ \-fPIC
... and none of these syntaxes works.

It works with only one parameter and my solution is to modify the auto/cc/gcc file.

Thinking about a possible RHEL .spec file bug, I also tried in Arch Linux, modifying the PKGBUILD file, and got the same issue.

Thanks again for your help.

On Tue, Mar 29, 2022 at 9:05 AM Maxim Dounin wrote:
> > Do I need to specify "--with-zlib-opt=-fPIC -O2 -fomit-frame-pointer"
> > because of these ZLIB_OPT default values?
>
> Yes if you want to match optimizations used by nginx by default
> when building the zlib library. But that's just optimizations, so
> it's completely optional.

From jimpop at domainmail.org Tue Mar 29 19:25:40 2022
From: jimpop at domainmail.org (Jim Popovitch)
Date: Tue, 29 Mar 2022 15:25:40 -0400
Subject: NGINX "--with-zlib=..." linker error

On Tue, 2022-03-29 at 16:03 -0300, Fabiano Furtado Pessoa Coelho wrote:
> Hi Maxim...
>
> I have a ./configure error with two or more parameters on "--with-zlib-opt=...".
>
> I've tried:
>   * --with-zlib-opt=-O2 -fPIC
>   * --with-zlib-opt="-O2 -fPIC"
>   * --with-zlib-opt='-O2 -fPIC'
>   * --with-zlib-opt=-O2-fPIC
>   * --with-zlib-opt=\-O2\ \-fPIC
> ... and none of these syntax works.
>
> It works with only one parameter and my solution is to modify the
> auto/cc/gcc file.

You should do:

--with-zlib-opt="-O2 -fPIC"

hth,

-Jim P.
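Putting the answers in this thread together: libz.a was compiled without -fPIC, so its absolute R_X86_64_32/32S relocations cannot be linked into the position-independent executable that --with-ld-opt=... -pie asks for; nginx's ./configure hands --with-zlib-opt to zlib's build as its CFLAGS, replacing the default -O2 -fomit-frame-pointer; and the whole option has to reach ./configure as one argument, which is what the double quotes above achieve. The script below is an added example, not from nginx or from any poster. It runs the configure/make with those options and then checks the result the way a packager would: the binary is ET_DYN (a PIE), zlib and OpenSSL are not picked up from the system at run time, and nginx -V reports the intended versions. The source paths, the hardening flags and the helper names are assumptions; elf_type reads the ELF header with od so the check needs no extra tooling.

```sh
#!/bin/sh
# Added example for this thread (not from nginx or the posters): build nginx
# against extracted OpenSSL and zlib source trees, handing -fPIC to zlib so
# libz.a can be linked into the PIE requested by --with-ld-opt, then verify
# the result. The source paths below are assumptions; adjust them.
set -eu

NGINX_SRC=${NGINX_SRC:-/usr/src/nginx-1.20.2}
OPENSSL_SRC=${OPENSSL_SRC:-/openssl_1_1_1n}
ZLIB_SRC=${ZLIB_SRC:-/zlib_1_2_12}

configure_and_build() {
    cd "$NGINX_SRC"
    # Each --with-*-opt value must reach ./configure as ONE word, so all
    # flags go inside the double quotes. --with-zlib-opt replaces nginx's
    # default zlib flags (-O2 -fomit-frame-pointer), so repeat them here.
    ./configure \
        --with-http_ssl_module \
        --with-openssl="$OPENSSL_SRC" \
        --with-zlib="$ZLIB_SRC" \
        --with-zlib-opt="-O2 -fomit-frame-pointer -fPIC" \
        --with-cc-opt="-O2 -g -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2" \
        --with-ld-opt="-Wl,-z,relro -Wl,-z,now -pie"
    make
}

# e_type lives at byte offset 16 of an ELF header, 2 bytes little-endian:
# 2 = ET_EXEC (fixed load address), 3 = ET_DYN (PIE or shared object).
elf_type() {
    od -An -tu1 -j16 -N2 "$1" | awk '{ print $1 + $2 * 256 }'
}

is_pie() {
    [ "$(elf_type "$1")" -eq 3 ]
}

verify_build() {
    bin=$1
    is_pie "$bin" || { echo "FAIL: $bin is not position independent" >&2; return 1; }
    # The compiled-in copies must not be shadowed by the system libraries.
    if ldd "$bin" 2>/dev/null | grep -Eq 'libz\.so|libssl\.so|libcrypto\.so'; then
        echo "FAIL: $bin still loads the system zlib/OpenSSL" >&2
        return 1
    fi
    # Confirm the versions that were actually compiled in.
    "$bin" -V 2>&1 | grep -E 'built with OpenSSL|configure arguments'
}

# Usage: configure_and_build && verify_build "$NGINX_SRC/objs/nginx"
```

When the same options go into an RPM spec or a PKGBUILD, the quoting has to survive one more layer of expansion; checking the final binary with verify_build rather than trusting the configure line catches the cases where it did not.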
From fusca14 at gmail.com Wed Mar 30 13:21:49 2022
From: fusca14 at gmail.com (Fabiano Furtado Pessoa Coelho)
Date: Wed, 30 Mar 2022 10:21:49 -0300
Subject: NGINX "--with-zlib=..." linker error

Hi....

Now I realize what I was doing wrong. It worked!

Sorry to bother you with this e-mail and thanks again for the help. Your experience helped me a lot.

On Tue, Mar 29, 2022 at 4:03 PM Fabiano Furtado Pessoa Coelho wrote:
> I have a ./configure error with two or more parameters on "--with-zlib-opt=...".
> [...]
> It works with only one parameter and my solution is to modify the
> auto/cc/gcc file.

From soeren.reinecke at trufi-association.org Thu Mar 31 18:09:25 2022
From: soeren.reinecke at trufi-association.org (Sören Reinecke)
Date: Thu, 31 Mar 2022 20:09:25 +0200
Subject: "js_import" is not allowed here, "js_content" is unknown
Message-ID: <385fdcf9-5162-0847-6680-e6139528d57c@trufi-association.org>

Hello NGINX community,

nginx gives me the error messages
- "js_import" is not allowed here
and
- "js_content" is unknown

and I don't know what I did wrong.

I have the following NGINX config at '/etc/nginx/nginx.conf':

load_module modules/ngx_stream_js_module.so;

user    nginx;
worker_processes    auto;

error_log    /var/log/nginx/error.log notice;
pid    /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    #js_path inc/js;
    js_import http.js;

    include    /etc/nginx/mime.types;
    default_type    application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

NGINX complains about `js_import`:

[emerg] 1#1: "js_import" directive is not allowed here in /etc/nginx/nginx.conf:15

and about the unknown directive "js_content" in /etc/nginx/conf.d/app.conf:7.

The file '/etc/nginx/conf.d/app.conf' contains the following:

server {
    listen 80;

    location /njs {
        js_content http.hello;
#        root /var/www/html;
    }
}

I am using the docker image of NGINX.

Cheers
Sören Reinecke

From osa at freebsd.org.ru Thu Mar 31 18:51:08 2022
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Thu, 31 Mar 2022 21:51:08 +0300
Subject: "js_import" is not allowed here, "js_content" is unknown
In-Reply-To: <385fdcf9-5162-0847-6680-e6139528d57c@trufi-association.org>
References: <385fdcf9-5162-0847-6680-e6139528d57c@trufi-association.org>

On Thu, Mar 31, 2022 at 08:09:25PM +0200, Sören Reinecke wrote:
> Hello NGINX community,
>
> nginx gives me the error messages
> - "js_import" is not allowed here
> and
> - "js_content" is unknown
>
> and don't know what I did wrong.
>
> I have the following NGINX config at '/etc/nginx/nginx.conf'
>
> load_module modules/ngx_stream_js_module.so;

You'd need to load another NJS module to support http:

load_module modules/ngx_http_js_module.so;

-- 
Sergey A. Osokin

From soeren.reinecke at trufi-association.org Thu Mar 31 19:23:31 2022
From: soeren.reinecke at trufi-association.org (Sören Reinecke)
Date: Thu, 31 Mar 2022 21:23:31 +0200
Subject: "js_import" is not allowed here, "js_content" is unknown
References: <385fdcf9-5162-0847-6680-e6139528d57c@trufi-association.org>

Oh thx. This error comes from too many changes.

On Thu, 31 Mar 2022, 20:53 Sergey A. Osokin, wrote:
> You'd need to load another NJS module to support http:
>
> load_module modules/ngx_http_js_module.so;