From postmaster at palvelin.fi Mon May 8 18:49:29 2023
From: postmaster at palvelin.fi (Palvelin Postmaster)
Date: Mon, 8 May 2023 11:49:29 -0700
Subject: Separate location for files served by php-fpm

Hi all!

I use php-fpm together with nginx.

My PHP app serves files which have hashed filenames and no filename extension from a specific subdirectory URL, e.g. /files/hash/31b4ba4a0dc6536201c25e92fe464f85

I would like to be able to set, for example, a separate 'expires' value for these files with nginx (using a separate location block?). Is that achievable?

    server {
        listen 443 ssl http2;
        server_name my.site.com;
        root /var/www/vhosts/my.site.com/site/;
        set $ngspage /index.php?ngspage=$uri$is_args&$args;

        # PHP file processing configuration
        location ~ [^/]\.php(/|$) {
            set $location_name php;
            fastcgi_pass php74;
            include fastcgi_params;
            fastcgi_index index.php;

            # Regex to split $uri into $fastcgi_script_name and $fastcgi_path_info
            fastcgi_split_path_info ^(.+?\.php)(/.*)$;

            # Bypass the fact that try_files resets $fastcgi_path_info
            # see: http://trac.nginx.org/nginx/ticket/321
            set $path_info $fastcgi_path_info;

            # Check that the PHP script exists before passing it
            try_files $ngspage $fastcgi_script_name =404;
        }
    }

From chris.rocholl at gmail.com Tue May 9 12:51:22 2023
From: chris.rocholl at gmail.com (Christian Rocholl)
Date: Tue, 9 May 2023 14:51:22 +0200
Subject: listen to https redirect to other page not working

Hi guys,

I have a jpro.one-parsed JavaFX web page/app hosted by an nginx server. It is accessible via http://DOMAIN:8080. This is working as intended.

Now I have configured nginx so that it listens on ports 80 and 443, so that
http://DOMAINNAME -> return https://DOMAINNAME and
https://DOMAINNAME -> return http://localhost:8080, which I want to do.

When I enter http://DOMAINNAME:8080, the page works as intended.
When I enter https://DOMAINNAME:8080, I get a warning about a bad certificate, since jpro returns http content, so I suppose it is working as intended. Additional question: is there a way to get rid of the cert warning?

When I enter http://DOMAINNAME I get redirected to the https page, so working as intended.

BUT: when I enter https://DOMAINNAME, it just says the page is not available. I expected to get redirected to http://localhost:8080.

My nginx config, checked with nginx -t, is syntactically correct but fails to redirect me on https access. These are the nginx config files in /etc/nginx/conf.d/ I tried:

- jpro.conf:
```
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 86400;
proxy_http_version 1.1;
```

- DOMAIN.conf:
```
upstream ppcsc {
    server localhost:8080;
}

server {
    listen 80;
    server_name DOMAINNAME;
    return 301 https://$http_host$request_uri;
}

server {
    listen 443 ssl;
    server_name DOMAINNAME;
    tcp_nodelay on;
    ssl_certificate FILE.cer;
    ssl_certificate_key FILE.key;
    ssl_protocols TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    # return 301 http://ppcsc;
    return 301 http://$http_host:8080$request_uri;
    # location / {
    #     proxy_pass http://ppcsc;
    # }
}
```

Thanks for the help and kind regards,
Chris

From osa at freebsd.org.ru Tue May 9 13:59:59 2023
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Tue, 9 May 2023 16:59:59 +0300
Subject: listen to https redirect to other page not working

Hi Christian,

On Tue, May 09, 2023 at 02:51:22PM +0200, Christian Rocholl wrote:
> Hi guys,
> I am having a jpro.one parsed javafx webpage/app hosted by an nginx
> server. It is accessible via http://DOMAIN:8080. This is working as
> intended.
>
> Now I have configured nginx so that it listens on port 80 and 443, so that,
> http://DOMAINNAME -> return https://DOMAINNAME and https://DOMAINNAME ->
> return http://localhost:8080, which I want to do.

This isn't the best design for this case.

[...]

> BUT: When I enter https://DOMAINNAME, it just says the page is not
> available. I expected to get redirected to http://localhost:8080.

[...]

> My nginx config, checked with nginx -t, is syntax correct but fails to
> redirect me on https access. These are my nginx config files in
> /etc/nginx/conf.d/ I tried:
>
> - jpro.conf:
> ```
> proxy_buffering off;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-Proto $scheme;
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> proxy_set_header Host $http_host;
> proxy_set_header Upgrade $http_upgrade;
> proxy_set_header Connection "upgrade";
> proxy_read_timeout 86400;
> proxy_http_version 1.1;
> ```
> and -DOMAIN.conf
> ```
> upstream ppcsc {
>     server localhost:8080;
> }

I'd recommend avoiding an FQDN, so it will look like this:

    upstream ppcsc {
        server 127.0.0.1:8080;
    }

> server {
>     listen 80;
>     server_name DOMAINNAME;
>     return 301 https://$http_host$request_uri;
> }
> server {
>     listen 443 ssl;
>     server_name DOMAINNAME;
>     tcp_nodelay on;
>     ssl_certificate FILE.cer;
>     ssl_certificate_key FILE.key;
>     ssl_protocols TLSv1.3;
>     ssl_ciphers HIGH:!aNULL:!MD5;
>     # return 301 http://ppcsc;
>     return 301 http://$http_host:8080$request_uri;
>     # location / {
>     #     proxy_pass http://ppcsc;
>     # }
> }

The return directive needs to be removed from the configuration file. Also, remove the comment from the beginning of the line with location /, so:

    location / {
        proxy_pass http://ppcsc;
    }

Enable the debugging log, http://nginx.org/en/docs/debugging_log.html, to see what's going on and how nginx processes a request to an application backend.

Hope that helps.

-- 
Sergey A. Osokin

From vercaemereduard at gmail.com Sun May 14 04:43:59 2023
From: vercaemereduard at gmail.com (Eduard Vercaemer)
Date: Sat, 13 May 2023 22:43:59 -0600
Subject: ssl preread for postgres connection

For some context, I recently tried configuring nginx as a TCP proxy that routes connections based on SNI to multiple upstream services.

The server only exposes one TCP port, and receives all connections there; for example a connection to redis.example.com:1234 would be proxy_pass'ed to some port on the machine, a connection to www.example.com:1234 to another, etc.

I used nginx itself to terminate the TLS for all services for convenience.

The problem:
Now here is the issue. 1: Postgres does some weird custom SSL stuff, which means I cannot terminate the SSL from within nginx, and 2: doing a TCP pass-through without the SSL termination, and attempting to use ssl_preread and $ssl_preread_server_name, _does not_ work for Postgres connections (the module fails to extract the server name).

What I attempted:
What I first thought of was to expand on the ssl_preread module to support Postgres connections. I went into the source code and found that the module inserts a handler into the `NGX_STREAM_PREREAD_PHASE`. I tried looking into the buffer in this phase and no useful data showed up. I then tried to insert a second handler into the `NGX_STREAM_CONTENT_PHASE` and first noticed it is never used or initialised to begin with, so I did that, but then it looks like no buffer is ever available in this phase.

Any input, pointers, or suggestions are really welcome.

Thanks
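The failure the post above describes, as an added example (this is not nginx's code and not the poster's): a classifier for the first bytes a client sends on a raw TCP connection, the decision a stream preread handler has to make before it can route on SNI. A TLS client opens with a ClientHello record that carries the server_name extension in the clear; a PostgreSQL client that wants TLS opens instead with the 8-byte SSLRequest message (int32 length 8, int32 code 80877103) and sends nothing more until the server answers a single 'S' or 'N' byte, so an SNI parser looking at those bytes finds no ClientHello and no server name. The record and message layouts are from the public TLS and PostgreSQL protocol documentation; the function names, the enum and the hand-built ClientHello used as input are this example's own assumptions.

```c
/* Added example, not nginx's or the poster's code: classify the first bytes a
 * client sends on a raw TCP connection, as a stream preread handler would.
 * Layouts are from the public TLS and PostgreSQL protocol specs; names and
 * buffer sizes here are this example's own assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum preread_kind {
    PREREAD_NEED_MORE,        /* keep buffering (what returning NGX_AGAIN does) */
    PREREAD_TLS_CLIENTHELLO,  /* SNI, if present, copied out */
    PREREAD_PG_SSLREQUEST,    /* PostgreSQL: no ClientHello until we answer 'S' */
    PREREAD_UNKNOWN
};

/* PostgreSQL SSLRequest: int32 length 8, int32 code 80877103 (0x04d2162f). */
static const uint8_t PG_SSLREQUEST[8] = {0, 0, 0, 8, 0x04, 0xd2, 0x16, 0x2f};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk a ClientHello body (after the 4-byte handshake header) and copy the
 * first host_name of the server_name extension into sni. Returns 1 if found. */
static int extract_sni(const uint8_t *p, size_t len, char *sni, size_t cap)
{
    size_t i = 2 + 32;                                /* client_version + random */
    if (len < i + 1) return 0;
    i += 1 + p[i];                                    /* session_id */
    if (len < i + 2) return 0;
    i += 2 + rd16(p + i);                             /* cipher_suites */
    if (len < i + 1) return 0;
    i += 1 + p[i];                                    /* compression_methods */
    if (len < i + 2) return 0;
    size_t ext_end = i + 2 + rd16(p + i);
    if (ext_end > len) return 0;
    i += 2;
    while (i + 4 <= ext_end) {
        uint16_t type = rd16(p + i), elen = rd16(p + i + 2);
        i += 4;
        if (i + elen > ext_end) return 0;
        if (type == 0 && elen >= 5 && p[i + 2] == 0) {  /* server_name, host_name */
            size_t nlen = rd16(p + i + 3);
            if (5 + nlen > elen || nlen + 1 > cap) return 0;
            memcpy(sni, p + i + 5, nlen);
            sni[nlen] = '\0';
            return 1;
        }
        i += elen;
    }
    return 0;
}

enum preread_kind classify_preread(const uint8_t *buf, size_t len,
                                   char *sni, size_t cap)
{
    sni[0] = '\0';
    if (len < 8) return PREREAD_NEED_MORE;
    if (memcmp(buf, PG_SSLREQUEST, 8) == 0) return PREREAD_PG_SSLREQUEST;
    /* TLS record: type handshake (0x16), major version 3, handshake type 1. */
    if (buf[0] != 0x16 || buf[1] != 0x03 || buf[5] != 0x01) return PREREAD_UNKNOWN;
    size_t rec_len = rd16(buf + 3);
    if (len < 5 + rec_len) return PREREAD_NEED_MORE;
    size_t hs_len = ((size_t)buf[6] << 16) | ((size_t)buf[7] << 8) | buf[8];
    if (hs_len + 4 > rec_len) return PREREAD_UNKNOWN;  /* hello split over records: not handled */
    extract_sni(buf + 9, hs_len, sni, cap);            /* SNI may legitimately be absent */
    return PREREAD_TLS_CLIENTHELLO;
}

/* Constructed test input: a minimal ClientHello with one cipher suite and a
 * server_name extension. Returns bytes written, 0 if out is too small. */
size_t build_client_hello(const char *name, uint8_t *out, size_t cap)
{
    size_t nlen = strlen(name), ext = 4 + 2 + 3 + nlen, body = 43 + ext;
    if (nlen > 255 || cap < 9 + body) return 0;
    uint8_t *p = out;
    *p++ = 0x16; *p++ = 0x03; *p++ = 0x01;             /* record header */
    *p++ = (uint8_t)((body + 4) >> 8); *p++ = (uint8_t)(body + 4);
    *p++ = 0x01; *p++ = 0; *p++ = (uint8_t)(body >> 8); *p++ = (uint8_t)body;
    *p++ = 0x03; *p++ = 0x03;                           /* client_version */
    memset(p, 0x42, 32); p += 32;                       /* random (fixed here) */
    *p++ = 0;                                           /* empty session_id */
    *p++ = 0; *p++ = 2; *p++ = 0x13; *p++ = 0x01;       /* TLS_AES_128_GCM_SHA256 */
    *p++ = 1; *p++ = 0;                                 /* null compression */
    *p++ = (uint8_t)(ext >> 8); *p++ = (uint8_t)ext;    /* extensions length */
    *p++ = 0; *p++ = 0;                                 /* server_name */
    *p++ = (uint8_t)((ext - 4) >> 8); *p++ = (uint8_t)(ext - 4);
    *p++ = (uint8_t)((nlen + 3) >> 8); *p++ = (uint8_t)(nlen + 3);
    *p++ = 0; *p++ = (uint8_t)(nlen >> 8); *p++ = (uint8_t)nlen;
    memcpy(p, name, nlen);
    return 9 + body;
}
```

The PostgreSQL case is the awkward one for a pass-through proxy: after those 8 bytes the client waits, so the proxy either answers 'S' on the backend's behalf and then reads the ClientHello that follows, or it has no SNI to route on. Note too that the server name a ClientHello carries is plaintext, unauthenticated client input; whatever map it feeds needs a safe default for an empty or unexpected value rather than falling through to an arbitrary backend.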
From arut at nginx.com Sun May 14 05:55:54 2023
From: arut at nginx.com (Roman Arutyunyan)
Date: Sun, 14 May 2023 09:55:54 +0400
Subject: ssl preread for postgres connection
Message-ID: <20230514055554.dhclsx2gk6imbk64@N00W24XTQX>

Hi Eduard,

On Sat, May 13, 2023 at 10:43:59PM -0600, Eduard Vercaemer wrote:
> for some context, I recently I tried configuring nginx as a tcp proxy that
> routes connections based on sni to multiple upstream services
>
> the server only exposes one tcp port, and receives all connections there,
> for example a connection to redis.example.com:1234 would be proxy_pass'ed
> to some port in the machine, a connection to www.example.com:1234 to
> another, etc.
>
> i used nginx itself to terminate the tls for all services for convenience
>
> the problem:
> now here is the issue, 1: postgres does some weird custom ssl stuff, which
> means I cannot terminate the ssl from within nginx

In this case there must be an SSL error logged in the nginx error log.
Can you post it?

> 2: doing a tcp pass through without the ssl termination, and attempting
> to use ssl_preread and $ssl_preread_server_name _does not_ work for
> postgres connections (the module fails to extract the server name)
>
> what I attempted:
> what I first thought of was to expand on the ssl_preread module to support
> postgres connections, I went into the source code and found that the module
> inserts a handler into the `NGX_STREAM_PREREAD_PHASE`
> I tried looking into the buffer in this phase and no useful data showed up,

Incoming data is written to c->buffer as long as the handler returns NGX_AGAIN. You just have to wait long enough and have a large enough buffer (see the directive preread_buffer_size).

> I then tried to insert a second handler into the `NGX_STREAM_CONTENT_PHASE`
> and first noticed it is never used or initialised to begin with, so I did
> that, but then it looks like no buffer is ever available in this phase
>
> any input, pointers, or suggestions are really welcomed

If you want to register a content phase handler, assign it to cscf->handler. A good example is ngx_stream_return() in src/stream/ngx_stream_return_module.c.

-- 
Roman Arutyunyan

From mdounin at mdounin.ru Sun May 14 14:33:10 2023
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Sun, 14 May 2023 17:33:10 +0300
Subject: ssl preread for postgres connection
In-Reply-To: <20230514055554.dhclsx2gk6imbk64@N00W24XTQX>
References: <20230514055554.dhclsx2gk6imbk64@N00W24XTQX>

Hello!

On Sun, May 14, 2023 at 09:55:54AM +0400, Roman Arutyunyan wrote:

> Hi Eduard,
>
> On Sat, May 13, 2023 at 10:43:59PM -0600, Eduard Vercaemer wrote:
> > for some context, I recently I tried configuring nginx as a tcp proxy that
> > routes connections based on sni to multiple upstream services
> >
> > the server only exposes one tcp port, and receives all connections there,
> > for example a connection to redis.example.com:1234 would be proxy_pass'ed
> > to some port in the machine, a connection to www.example.com:1234 to
> > another, etc.
> >
> > i used nginx itself to terminate the tls for all services for convenience
> >
> > the problem:
> > now here is the issue, 1: postgres does some weird custom ssl stuff, which
> > means I cannot terminate the ssl from within nginx
>
> In this case there must be an SSL error logged in nginx error log.
> Can you post it?

Postgres uses their own protocol with a STARTTLS-like interface to initiate the SSL handshake, see here:

https://www.postgresql.org/docs/current/protocol-flow.html#id-1.10.6.7.12

That is, it's not going to work with either SSL termination or SSL preread, and needs an implementation of the Postgres protocol.

[...]

-- 
Maxim Dounin
http://mdounin.ru/

From jordanc.carter at outlook.com Sun May 14 18:09:30 2023
From: jordanc.carter at outlook.com (J Carter)
Date: Sun, 14 May 2023 19:09:30 +0100
Subject: ssl preread for postgres connection
References: <20230514055554.dhclsx2gk6imbk64@N00W24XTQX>

Hello,

> On Sun, 14 May 2023 17:33:10 +0300
> Maxim Dounin wrote:
> Hello!
>
> On Sun, May 14, 2023 at 09:55:54AM +0400, Roman Arutyunyan wrote:
>
> > Hi Eduard,
> >
> > On Sat, May 13, 2023 at 10:43:59PM -0600, Eduard Vercaemer wrote:
> > > for some context, I recently I tried configuring nginx as a tcp
> > > proxy that routes connections based on sni to multiple upstream services
> > >
> > > the server only exposes one tcp port, and receives all
> > > connections there, for example a connection to redis.example.com:1234
> > > would be proxy_pass'ed to some port in the machine, a connection to
> > > www.example.com:1234 to another, etc.
> > >
> > > i used nginx itself to terminate the tls for all services for
> > > convenience
> > >
> > > the problem:
> > > now here is the issue, 1: postgres does some weird custom ssl
> > > stuff, which means I cannot terminate the ssl from within nginx
> >
> > In this case there must be an SSL error logged in nginx error log.
> > Can you post it?
>
> Postgres uses their own protocol with STARTTLS-like interface to
> initiate SSL handshake, see here:
>
> https://www.postgresql.org/docs/current/protocol-flow.html#id-1.10.6.7.12
>
> That is, it's not going to work with neither SSL termination, nor
> SSL preread, and needs an implementation of the Postgres protocol.
>
> [...]

Out of curiosity I looked into what 'others' had done for Postgres's application-level negotiation.

https://github.com/envoyproxy/envoy/issues/10942

OP, it might be possible for you to hack this into ssl_preread.c in ngx_stream_ssl_preread_handler in a similar fashion to that workaround.
It seems you just need to listen / wait for the SSLRequest magic message bytes, send the 'fake' response, then do the normal handshake logic.

https://www.postgresql.org/docs/current/protocol-message-formats.html

The other issue is if you want TLS from NGINX -> PostgreSQL upstream you'd need another hack somewhere in ngx_stream_proxy_module.c (or a custom content handler as mentioned above).

From jordanc.carter at outlook.com Sun May 14 18:43:36 2023
From: jordanc.carter at outlook.com (J Carter)
Date: Sun, 14 May 2023 19:43:36 +0100
Subject: ssl preread for postgres connection
In-Reply-To: <20230514190930.000011c4@outlook.com>
References: <20230514055554.dhclsx2gk6imbk64@N00W24XTQX> <20230514190930.000011c4@outlook.com>

On Sun, 14 May 2023 19:09:30 +0100 J Carter wrote:
> Hello,
>
> > On Sun, 14 May 2023 17:33:10 +0300
> > Maxim Dounin wrote:
> >
> > Hello!
> >
> > On Sun, May 14, 2023 at 09:55:54AM +0400, Roman Arutyunyan wrote:
> >
> > > Hi Eduard,
> > >
> > > On Sat, May 13, 2023 at 10:43:59PM -0600, Eduard Vercaemer wrote:
> > > > for some context, I recently I tried configuring nginx as a tcp
> > > > proxy that routes connections based on sni to multiple upstream
> > > > services
> > > >
> > > > the server only exposes one tcp port, and receives all
> > > > connections there, for example a connection to
> > > > redis.example.com:1234 would be proxy_pass'ed to some port in the
> > > > machine, a connection to www.example.com:1234 to another, etc.
> > > >
> > > > i used nginx itself to terminate the tls for all services for
> > > > convenience
> > > >
> > > > the problem:
> > > > now here is the issue, 1: postgres does some weird custom ssl
> > > > stuff, which means I cannot terminate the ssl from within nginx
> > >
> > > In this case there must be an SSL error logged in nginx error log.
> > > Can you post it?
> >
> > Postgres uses their own protocol with STARTTLS-like interface to
> > initiate SSL handshake, see here:
> >
> > https://www.postgresql.org/docs/current/protocol-flow.html#id-1.10.6.7.12
> >
> > That is, it's not going to work with neither SSL termination, nor
> > SSL preread, and needs an implementation of the Postgres protocol.
> >
> > [...]
>
> Out of curiosity I looked into what 'others' had done for Postgres's
> application level negotiation.
>
> https://github.com/envoyproxy/envoy/issues/10942
>
> OP, it might be possible for you to hack this into ssl_preread.c in
> ngx_stream_ssl_preread_handler in a similar fashion to that
> workaround.
>
> It seems you just need to listen / wait for the SSLRequest magic
> message bytes, send the 'fake' response, then do the normal handshake
> logic.
>
> https://www.postgresql.org/docs/current/protocol-message-formats.html
>
> The other issue is if you want TLS from NGINX -> Postgresql Upstream
> you'd need another hack somewhere in ngx_stream_proxy_module.c
> (or a custom content handler as mentioned above).

Or even in ngx_stream_handler.c to do it properly, similar to how proxy protocol is handled (obviously with writes too).

From postmaster at palvelin.fi Mon May 15 22:46:14 2023
From: postmaster at palvelin.fi (Palvelin Postmaster)
Date: Mon, 15 May 2023 12:46:14 -1000
Subject: Separate location for files served by php-fpm
Message-ID: <8C6D95CF-8159-460C-A8BE-BD8FF97E0982@palvelin.fi>

Can anyone help me with this?

> On 8. May 2023, at 8.49, Palvelin Postmaster via nginx wrote:
>
> Hi all!
>
> I use php-fpm together with nginx.
>
> My PHP app serves files which have hashed filenames and no filename extension from a specific subdirectory URL, e.g. /files/hash/31b4ba4a0dc6536201c25e92fe464f85
>
> I would like to be able to set, for example, a separate 'expires' value for these files with nginx (using a separate location block?). Is that achievable?
>
> server {
>     listen 443 ssl http2;
>     server_name my.site.com;
>     root /var/www/vhosts/my.site.com/site/;
>     set $ngspage /index.php?ngspage=$uri$is_args&$args;
>
>     # PHP file processing configuration
>     location ~ [^/]\.php(/|$) {
>         set $location_name php;
>         fastcgi_pass php74;
>         include fastcgi_params;
>         fastcgi_index index.php;
>
>         # Regex to split $uri into $fastcgi_script_name and $fastcgi_path_info
>         fastcgi_split_path_info ^(.+?\.php)(/.*)$;
>
>         # Bypass the fact that try_files resets $fastcgi_path_info
>         # see: http://trac.nginx.org/nginx/ticket/321
>         set $path_info $fastcgi_path_info;
>
>         # Check that the PHP script exists before passing it
>         try_files $ngspage $fastcgi_script_name =404;
>     }
> }

From francis at daoine.org Tue May 16 00:15:42 2023
From: francis at daoine.org (Francis Daly)
Date: Tue, 16 May 2023 01:15:42 +0100
Subject: Separate location for files served by php-fpm
In-Reply-To: <8C6D95CF-8159-460C-A8BE-BD8FF97E0982@palvelin.fi>
References: <8C6D95CF-8159-460C-A8BE-BD8FF97E0982@palvelin.fi>
Message-ID: <20230516001542.GI15845@daoine.org>

On Mon, May 15, 2023 at 12:46:14PM -1000, Palvelin Postmaster via nginx wrote:
> > On 8. May 2023, at 8.49, Palvelin Postmaster via nginx wrote:

Hi there,

> > I use php-fpm together with nginx.
> >
> > My PHP app serves files which have hashed filenames and no filename extension from a specific subdirectory URL, e.g. /files/hash/31b4ba4a0dc6536201c25e92fe464f85
> >
> > I would like to be able to set, for example, a separate 'expires' value for these files with nginx (using a separate location block?). Is that achievable?

In principle, yes. So long as the requests use different URLs (excluding the query string).

In practice: from the words here, it is not entirely clear to me what your overall application is doing.

Maybe you can have a location{} dedicated to these file-requests; or maybe it would be "cleaner" for the PHP side to add the extra Expires header.

Can you show one or two sample requests that are made to nginx that you do want to have this extra Expires header; and one or two that you do not want to have this extra Expires header?

The aim is to come up with a location{} block that matches only the requests that you want, if that is possible.

Thanks,

f
-- 
Francis Daly        francis at daoine.org

From postmaster at palvelin.fi Fri May 19 04:14:42 2023
From: postmaster at palvelin.fi (Palvelin Postmaster)
Date: Thu, 18 May 2023 21:14:42 -0700
Subject: Separate location for files served by php-fpm
In-Reply-To: <20230516001542.GI15845@daoine.org>
References: <8C6D95CF-8159-460C-A8BE-BD8FF97E0982@palvelin.fi> <20230516001542.GI15845@daoine.org>

> On 15. May 2023, at 17.15, Francis Daly wrote:
>
> On Mon, May 15, 2023 at 12:46:14PM -1000, Palvelin Postmaster via nginx wrote:
>>> On 8. May 2023, at 8.49, Palvelin Postmaster via nginx wrote:
>
> Hi there,
>
>>> I use php-fpm together with nginx.
>>>
>>> My PHP app serves files which have hashed filenames and no filename extension from a specific subdirectory URL, e.g. /files/hash/31b4ba4a0dc6536201c25e92fe464f85
>>>
>>> I would like to be able to set, for example, a separate 'expires' value for these files with nginx (using a separate location block?). Is that achievable?
>
> In principle, yes. So long as the requests use different urls (excluding
> query string).
>
> In practice: from the words here, it is not entirely clear to me what
> your overall application is doing.
>
> Maybe you can have a location{} dedicated to these file-requests; or maybe
> it would be "cleaner" for the php side to add the extra Expires header.
>
> Can you show one or two sample requests that are made to nginx that you
> do want to have this extra Expires header; and one or two that you do
> not want to have this extra Expires header?
>
> The aim is to come up with a location{} block that matches only the
> requests that you want, if that is possible.

Francis, thanks for your response!
I wonder if you saw the server block that I had included in my original message? Doesn't it answer your question regarding all the other requests?

My goal is to serve only requests which include the URI /files/hash/* using a separate location block. Everything else should be served by the default location block I included in my previous message.

-- 
Palvelin.fi Hostmaster
postmaster at palvelin.fi

From dmarquess at gmail.com Fri May 19 23:57:04 2023
From: dmarquess at gmail.com (Dustin Marquess)
Date: Fri, 19 May 2023 18:57:04 -0500
Subject: QUIC Stream and Server Push support
In-Reply-To: <02a49a9f-2cdc-4389-8e2b-70934e05e63e@Spark>
References: <02a49a9f-2cdc-4389-8e2b-70934e05e63e@Spark>
Message-ID: <397aecac-adaa-4f07-b862-d875c572ec1f@Spark>

I noticed that QUIC Stream and QUIC Server Push support were removed in

https://hg.nginx.org/nginx-quic/rev/113e2438dbd4

and

https://hg.nginx.org/nginx-quic/rev/f742b1b46901

I'm curious what the reasoning was, given that none was given in the commit messages?

-Dustin

From mdounin at mdounin.ru Sat May 20 01:01:32 2023
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Sat, 20 May 2023 04:01:32 +0300
Subject: QUIC Stream and Server Push support
In-Reply-To: <397aecac-adaa-4f07-b862-d875c572ec1f@Spark>
References: <02a49a9f-2cdc-4389-8e2b-70934e05e63e@Spark> <397aecac-adaa-4f07-b862-d875c572ec1f@Spark>

Hello!

On Fri, May 19, 2023 at 06:57:04PM -0500, Dustin Marquess wrote:

> I noticed that QUIC Stream and QUIC Server Push support were
> removed in
>
> https://hg.nginx.org/nginx-quic/rev/113e2438dbd4
>
> And
>
> https://hg.nginx.org/nginx-quic/rev/f742b1b46901
>
> I'm curious on what the reasoning was, given that none was given
> in the commit messages?

These features weren't considered to be usable enough to be merged into the mainline branch, hence were removed before the merge.

For QUIC in the stream module, see this message, which provides a detailed explanation:

https://mailman.nginx.org/pipermail/nginx/2023-April/CZ5L6KMLLZNDP2R6TGAX5MN4VLQA3U3R.html

For HTTP/3 Server Push, the main reason is that Server Push is not generally usable, and, in particular, not supported by browsers (notably, removed from Chrome, see https://developer.chrome.com/blog/removing-push/). Removing HTTP/2 Server Push support is also planned sometime during the nginx 1.25.x development cycle.

-- 
Maxim Dounin
http://mdounin.ru/

From dmarquess at gmail.com Sat May 20 01:31:14 2023
From: dmarquess at gmail.com (Dustin Marquess)
Date: Fri, 19 May 2023 20:31:14 -0500
Subject: QUIC Stream and Server Push support
References: <02a49a9f-2cdc-4389-8e2b-70934e05e63e@Spark> <397aecac-adaa-4f07-b862-d875c572ec1f@Spark>
Message-ID: <284738b5-d94f-4a8c-9982-0d3da59baeed@Spark>

On May 19, 2023 at 8:01 PM -0500, Maxim Dounin wrote:
> Hello!
>
> On Fri, May 19, 2023 at 06:57:04PM -0500, Dustin Marquess wrote:
>
> > I noticed that QUIC Stream and QUIC Server Push support were
> > removed in
> >
> > https://hg.nginx.org/nginx-quic/rev/113e2438dbd4
> >
> > And
> >
> > https://hg.nginx.org/nginx-quic/rev/f742b1b46901
> >
> > I'm curious on what the reasoning was, given that none was given
> > in the commit messages?
>
> These features weren't considered to be usable enough to be merged
> into the mainline branch, hence were removed before the merge.
>
> For QUIC in the stream module, see this message, which provides
> detailed explanation:
>
> https://mailman.nginx.org/pipermail/nginx/2023-April/CZ5L6KMLLZNDP2R6TGAX5MN4VLQA3U3R.html
>
> For HTTP/3 Server Push, the main reason is that Server Push is not
> generally usable, and, in particular, not supported by browsers
> (notably, removed from Chrome, see
> https://developer.chrome.com/blog/removing-push/). Removing
> HTTP/2 Server Push support is also planned sometime during nginx 1.25.x
> development cycle.

Awesome, thanks!

-Dustin

From osa at freebsd.org.ru Tue May 23 14:28:01 2023
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Tue, 23 May 2023 17:28:01 +0300
Subject: How to create same location to point different proxy server

Hi Abdul,

On Tue, May 23, 2023 at 12:34:31PM +0530, abdul kadhar wrote:
> Hi,

At first, please do not cross-post to several mailing lists; it's a bit far from good practice. Also, please use the nginx-devel list for development purposes only. Thank you.

> I need to know how to configure nginx for below scenario.
>
> I have configured the Load Balancer(Nginx) for ignition. I have created two
> upstream(ignapp & ignProdapp) server. For ignapp upstream it is working
> fine. I need to configure the below code for upstream server(ignProdapp) in
> the same configuration file how to do this. Below is the sample
> configuration for the server ignapp. Can you please help me how to
> configure the below settings for another upstream server. Below is the
> config setting for ignapp same way I need to do it for creating location ~
> /data/, location ~ /system/ , location ~ /res/ , location ~ /idp/, location
> ~ /.well-known/ for ignappPro Upstream server .

It's not so clear to me what the goal of this configuration is. Usually, the load balancer case means balancing load between more than one application server behind a load balancer.

[...]

-- 
Sergey A. Osokin

From johnatan-ftm at protonmail.com Tue May 23 14:51:02 2023
From: johnatan-ftm at protonmail.com (Johnatan Hallman)
Date: Tue, 23 May 2023 14:51:02 +0000
Subject: http2 error: Invalid HTTP header field was received:

Hello List,

I have a setup where I put an ancient host running a perl-cgi app behind an nginx reverse proxy.
The http reverse proxy works fine, however if I try:

    curl -v --anyauth -k https://app.test.lan/cgi-bin/page.pl

I get:

    http2 error: Invalid HTTP header field was received: frame type: 1, stream: 3, name: [defined(%hash) is deprecated at page.pl line 14.], value: []

However if I specify http1.1 it works fine:

    curl -v --http1.1 --anyauth -k https://app.test.lan/cgi-bin/page.pl

I guess all modern browsers default to http2 these days, so that I can specify it for curl is not a big help. I need this to work out of the box.

I have read that nginx with the listen 443 ssl http2; directive will downgrade the connection to http1.1 automatically if it's negotiated... otherwise my previous test wouldn't work at all.

What I have tried is adding this version directive into the location:

    location / {
        proxy_pass http://10.9.0.90/;
        proxy_http_version 1.1;
    }

Makes no difference. Any idea how to fix this without touching the original app or the original webserver?

Thanks

From mdounin at mdounin.ru Tue May 23 16:18:25 2023
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 23 May 2023 19:18:25 +0300
Subject: http2 error: Invalid HTTP header field was received:

Hello!

On Tue, May 23, 2023 at 02:51:02PM +0000, Johnatan Hallman via nginx wrote:

> Hello List,
>
> I have a setup where I put an ancient host running a perl-cgi
> app behind an nginx reverse proxy.
>
> The http reverse proxy works fine however if I try:
>
> curl -v --anyauth -k https://app.test.lan/cgi-bin/page.pl
>
> I get:
>
> http2 error: Invalid HTTP header field was received: frame type:
> 1, stream: 3, name: [defined(%hash) is deprecated at page.pl
> line 14.], value: []
>
> However if I define http1.1 it works fine:
>
> curl -v --http1.1 --anyauth -k
> https://app.test.lan/cgi-bin/page.pl
>
> I guess all modern browsers default to http2 these days so that
> I can specify it for curl is not a big help. I need this to work
> out of the box.
>
> I have read that Nginx with the listen 443 ssl http2;
> directive will downgrade the connection to http1.1 automatically
> if it's negotiated... otherwise my previous test wouldn't work
> at all.
>
> What I have tried is adding this version directive into the
> location:
>
> location / {
>     proxy_pass http://10.9.0.90/;
>     proxy_http_version 1.1;
> }
>
> Makes no difference. Any idea how to fix this without touching
> the original app or the original webserver.

It looks like the original app returns an invalid HTTP header (or, more specifically, returns Perl warnings among the HTTP headers). This used to work, but with stricter header checking requirements in HTTP/2 it is rejected by the clients.

Further, nginx itself will reject such invalid upstream responses starting with nginx 1.21.1, quoting CHANGES:

    *) Change: now nginx always returns an error if spaces or control
       characters are used in a header name.

That is, with a newer nginx version the only option is to actually fix the upstream server.

With older nginx versions, you may try disabling HTTP/2 (that is, on the listen socket) as a temporary workaround; this will likely prevent (at least some) clients from rejecting such invalid responses. Note though that this is, uhm, a workaround, and the proper solution is to fix the upstream server.

-- 
Maxim Dounin
http://mdounin.ru/

From mdounin at mdounin.ru Tue May 23 16:32:40 2023
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 23 May 2023 19:32:40 +0300
Subject: nginx-1.25.0

Changes with nginx 1.25.0                                        23 May 2023

    *) Feature: experimental HTTP/3 support.

-- 
Maxim Dounin
http://nginx.org/

From maxim at nginx.com Tue May 23 16:37:30 2023
From: maxim at nginx.com (Maxim Konovalov)
Date: Tue, 23 May 2023 09:37:30 -0700
Subject: nginx-1.25.0
Message-ID: <8393ca78-18bc-6c9b-dd50-8226aa0ae23f@nginx.com>

On 23.05.2023 09:32, Maxim Dounin wrote:
> Changes with nginx 1.25.0                                        23 May 2023
>
>     *) Feature: experimental HTTP/3 support.
> > Oh, wow. It took almost three years to reach this significant milestone. We went through several severe technical and non-technical challenges but still managed to complete it. I have no doubts that QUIC and HTTP/3 support in nginx will still require significant resources to maintain and extend in the future, but now want to congratulate all of the people involved: Sergey Kandaurov, Roman Arutyunyan, Vladimir Khomutov who are the primary authors of the code, Maxim Dounin, who have been helping with the architecture and code reviews and many other individuals and companies who helped us to make it happen. I am very proud of you. Maxim -- Maxim Konovalov From johnatan-ftm at protonmail.com Tue May 23 17:46:11 2023 From: johnatan-ftm at protonmail.com (Johnatan Hallman) Date: Tue, 23 May 2023 17:46:11 +0000 Subject: http2 error: Invalid HTTP header field was received: In-Reply-To: References: Message-ID: <0ihVkHZy-w0H4s-pDM1zJM4F1eyFsQBlKqdJNxuDr2GhXZC770fZ-VroW2UFQsaEvBN9iCf--STEQrNrkRLOGPnPuX6_uQCmUQuiJJA4MY0=@protonmail.com> Hello, Yes your solution did work with version: nginx version: nginx/1.18.0 built with LibreSSL 3.3.2 I removed http2 from all vhost effectively disabling it on the server and it works fine. I wonder if I even need it for anything :) But as you said this might not even be an option in the future and this is an older nginx install anyway so it would be nice to have some option for these kind of situations in the future. Thanks ------- Original Message ------- On Tuesday, May 23rd, 2023 at 6:18 PM, Maxim Dounin wrote: > Hello! > > On Tue, May 23, 2023 at 02:51:02PM +0000, Johnatan Hallman via nginx wrote: > > > Hello List, > > > > I have a setup where I put an ancient host running a perl-cgi > > app behind an nginx reverse proxy. 
> >
> > The http reverse proxy works fine however if I try:
> >
> >     curl -v --anyauth -k https://app.test.lan/cgi-bin/page.pl
> >
> > I get:
> >
> >     http2 error: Invalid HTTP header field was received: frame type:
> >     1, stream: 3, name: [defined(%hash) is deprecated at page.pl
> >     line 14.], value: []
> >
> > However if I define http1.1 it works fine:
> >
> >     curl -v --http1.1 --anyauth -k https://app.test.lan/cgi-bin/page.pl
> >
> > I guess all modern browsers default to http2 these days so that
> > I can specify it for curl is not a big help. I need this to work
> > out of the box.
> >
> > I have read that Nginx with the listen 443 ssl http2;
> > directive will downgrade the connection to http1.1 automatically
> > if it's negotiated... otherwise my previous test wouldn't work
> > at all.
> >
> > What I have tried is adding this version directive into the
> > location:
> >
> >     location / {
> >         proxy_pass http://10.9.0.90/;
> >         proxy_http_version 1.1;
> >     }
> >
> > Makes no difference. Any idea how to fix this without touching
> > the original app or the original webserver.
>
> It looks like the original app returns an invalid HTTP header (or,
> more specifically, returns Perl warnings among the HTTP headers).
> This used to work, but with stricter header checking requirements
> in HTTP/2 it is rejected by the clients.
>
> Further, nginx itself will reject such invalid upstream responses
> starting with nginx 1.21.1, quoting CHANGES:
>
>     *) Change: now nginx always returns an error if spaces or control
>        characters are used in a header name.
>
> That is, with newer nginx version the only option is to actually
> fix the upstream server.
>
> With older nginx versions, you may try disabling HTTP/2 (that is,
> on the listen socket) as a temporary workaround, this will likely
> prevent (at least some) clients from rejecting such invalid
> responses. Note though that this is, uhm, a workaround, and
> proper solution is to fix the upstream server.
>
> -- 
> Maxim Dounin
> http://mdounin.ru/
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx


From francis at daoine.org Wed May 24 17:25:35 2023
From: francis at daoine.org (Francis Daly)
Date: Wed, 24 May 2023 18:25:35 +0100
Subject: Separate location for files served by php-fpm
In-Reply-To: 
References: <8C6D95CF-8159-460C-A8BE-BD8FF97E0982@palvelin.fi> <20230516001542.GI15845@daoine.org>
Message-ID: <20230524172535.GJ15845@daoine.org>

On Thu, May 18, 2023 at 09:14:42PM -0700, Palvelin Postmaster via nginx wrote:

Hi there,

> My goal is to serve only requests which include URI /files/hash/*
> using a separate location block. Everything else should be served by
> the default location block I included in my previous message.

Untested, but would

    location ^~ /files/hash/ {
        fastcgi_pass php74;
        fastcgi_param SCRIPT_FILENAME /var/your-php-script.php;
        expires 10d;
    }

meet what your goal is?

Adjust the fastcgi_param value to whatever your fastcgi server needs.

The important part is probably the "location" line that matches
all-and-only these requests.

Good luck with it,

f
-- 
Francis Daly        francis at daoine.org


From indiamiten at gmail.com Thu May 25 11:42:26 2023
From: indiamiten at gmail.com (Miten Mehta)
Date: Thu, 25 May 2023 17:12:26 +0530
Subject: Reverse proxy to forward proxy to internet access
Message-ID: 

Hi,

Can you guide me to the configuration to put in a reverse proxy config
file to use a forward internet proxy?

I have a case to use a reverse proxy to access intranet URLs, which is
the usual configuration, but for certain resources (I guess it's called
tunneling or proxying) I need to use an internet proxy.

Ex. https://myreverseproxy.com/internet-mypub/somepath should use the
forward proxy and request https://mypub/somepath.

I hope I was able to explain. I read on the internet that it's not
possible, and then some examples of proxy_pass claiming it's possible.
Regards,

Miten


From amdeich at gmail.com Thu May 25 19:24:35 2023
From: amdeich at gmail.com (Andrey Kulikov)
Date: Thu, 25 May 2023 22:24:35 +0300
Subject: Fwd: Q: http2 and http1 virtual hosts both work via HTTP/2 - bug or feature?
In-Reply-To: 
References: 
Message-ID: 

Hello,

Observed questionable behaviour of nginx version 1.22.1 with two virtual
hosts, one with H2 enabled, the second without http2 support.
Both on the same IP and port, with different domain names/server names.

When browsers make requests to the second domain, h2 is ALPN-negotiated,
and data is transferred via HTTP/2, in spite of http2 not being configured
on that virtual host.

Sample config snippet:

    http {
        ...
        server {
            listen 1985 http2 ssl;
            server_name 'mavr.cp.eu';

            ssl_certificate domain.cer;
            ssl_certificate_key domain.key;

            location / {
                return 302 https://zavr.cp.eu:1985$request_uri;
            }
        }

        server {
            listen 1985 ssl; # NO h2!
            server_name 'zavr.cp.eu';

            ssl_certificate domain.cer;
            ssl_certificate_key domain.key;

            location / {
                # Doesn't really matter what's here, for simplicity I've used ngx_lua_module.
                echo "Server protocol: $server_protocol H2 connection: $http2 .";
            }
        }
        ...
    }

When I type https://mavr.cp.eu:1985 in the browser I see:

1. Browser negotiates h2 ALPN with the server with SNI mavr.cp.eu;
2. Server replies with a 302 redirect to https://zavr.cp.eu:1985 (expected)
3. Browser makes a NEW TCP connection to the server with SNI zavr.cp.eu; (expected)
4. Server replies with h2 ALPN (unexpected)
5. Browser shows "Server protocol: HTTP/2.0 H2 connection: h2 ."
When I browsed the source code, I spotted the following lines:
http://hg.nginx.org/nginx/file/tip/src/http/modules/ngx_http_ssl_module.c#l460

    #if (NGX_HTTP_V2)
        if (hc->addr_conf->http2) {
            srv = (unsigned char *) NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTOS;
            srvlen = sizeof(NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTOS) - 1;
        } else
    #endif

My assumption (could be wrong) is that it means that when http2 is enabled
on the address, related to (possibly) many virtual hosts, we always add
h2 ALPN, regardless of negotiated SNI.
At least I see that ngx_http_find_virtual_server() is being called here:
http://hg.nginx.org/nginx/file/tip/src/http/ngx_http_request.c#l2236
on an already established http(s) connection, not during the TLS handshake.

This behaviour caused some pain in my neck today, so could someone please
be so kind as to enlighten me: is it like it is supposed to be, or is it
possible to change this in such a way that http1 and http2 virtual hosts
could be served on the same IP:port?

Is it a bug, a feature, my misconfiguration or just not needed by anyone?
Quick Googling did not reveal that anyone had complained about it too much.

If one manages to implement a patch correcting this behaviour, will it
even be considered for review?

--
Andrey

P.S. Under "Browser" here I meant Chrome, Chromium, and Firefox on Windows.
But, according to unconfirmed information, "some", yet unidentified,
versions of browsers do NOT make a second TCP connection to another domain
after redirection in the provided example, and put a second request on the
same h2 connection, despite the fact that it was negotiated for a
different SNI. Shame on them.
From francis at daoine.org Thu May 25 23:08:43 2023
From: francis at daoine.org (Francis Daly)
Date: Fri, 26 May 2023 00:08:43 +0100
Subject: Reverse proxy to forward proxy to internet access
In-Reply-To: 
References: 
Message-ID: <20230525230843.GK15845@daoine.org>

On Thu, May 25, 2023 at 05:12:26PM +0530, Miten Mehta wrote:

Hi there,

> Can you guide to configuration to put in reverse proxy config file to use
> forward internet proxy?

nginx does not talk to a proxy server.

If you need to talk to a proxy server, you need something other than
"stock" nginx.

Good luck with it,

f
-- 
Francis Daly        francis at daoine.org


From indiamiten at gmail.com Fri May 26 10:48:59 2023
From: indiamiten at gmail.com (Miten Mehta)
Date: Fri, 26 May 2023 16:18:59 +0530
Subject: Reverse proxy to forward proxy to internet access
In-Reply-To: <20230525230843.GK15845@daoine.org>
References: <20230525230843.GK15845@daoine.org>
Message-ID: 

Hi,

Thanks for the guidance. If I enable direct internet access from the
reverse proxy, then can I just use proxy_pass $request_uri and have the
user format his URL as https://myreverseproxy.com/https://mypub/somepath?

Regards,

Miten

On Fri 26 May, 2023, 4:39 AM Francis Daly, wrote:

> On Thu, May 25, 2023 at 05:12:26PM +0530, Miten Mehta wrote:
>
> Hi there,
>
> > Can you guide to configuration to put in reverse proxy config file to use
> > forward internet proxy?
>
> nginx does not talk to a proxy server.
>
> If you need to talk to a proxy server, you need something other than
> "stock" nginx.
>
> Good luck with it,
>
> f
> -- 
> Francis Daly        francis at daoine.org
From r at roze.lv Fri May 26 11:04:41 2023
From: r at roze.lv (Reinis Rozitis)
Date: Fri, 26 May 2023 14:04:41 +0300
Subject: Q: http2 and http1 virtual hosts both work via HTTP/2 - bug or feature?
In-Reply-To: 
References: 
Message-ID: <000001d98fc1$deee9ca0$9ccbd5e0$@roze.lv>

> Observed nginx's version 1.22.1 questionable behaviour with two virtual
> hosts, one with H2 - enabled, second without http2 support.
> Both on the same IP and port, with different domain names/server names.
>
> Is it a bug, feature, my misconfiguration or just not needed by anyone?

The short answer is - yes, it is supposed to be like that, and you would
need either to use different ports or different IPs for the virtual hosts.

If I'm not wrong, the longer answer is that nginx groups all the
capabilities for an ip:port when listening on it, and since the http2
selection happens at the TLS handshake but the virtual server selection
happens later at SNI, it's problematic to switch it off at that phase.

There have been a couple of similar requests/questions in the past (mainly
for specific cipher configuration per virtual server) but out of interest -
what is the reason/use case for disabling http2 for a particular virtual
host but leaving it for others?

rr


From indiamiten at gmail.com Sat May 27 04:21:10 2023
From: indiamiten at gmail.com (Miten Mehta)
Date: Sat, 27 May 2023 09:51:10 +0530
Subject: Reverse proxy to forward proxy to internet access
In-Reply-To: 
References: <20230525230843.GK15845@daoine.org>
Message-ID: 

I consider from your reply that an nginx reverse proxy cannot provide
internet access through a forward proxy like squid, websense or alike.

I understand you mentioned that nginx cannot be used as a forward proxy.

There are many blogs on the net claiming to use nginx as a forward proxy
and also using an upstream forward proxy; is that false? I don't see this
in the official documentation of nginx.

Regards,

Miten

On Fri 26 May, 2023, 4:18 PM Miten Mehta, wrote:

> Hi,
>
> Thanks for guidance.
> If i enable direct internet access from reverse
> proxy then can i just use proxy_pass $request_uri and have user format his
> url as https://myreverseproxy.com/https://mypub/somepath.
>
> Regards,
>
> Miten
>
> On Fri 26 May, 2023, 4:39 AM Francis Daly, wrote:
>
>> On Thu, May 25, 2023 at 05:12:26PM +0530, Miten Mehta wrote:
>>
>> Hi there,
>>
>> > Can you guide to configuration to put in reverse proxy config file to
>> use
>> > forward internet proxy?
>>
>> nginx does not talk to a proxy server.
>>
>> If you need to talk to a proxy server, you need something other than
>> "stock" nginx.
>>
>> Good luck with it,
>>
>> f
>> -- 
>> Francis Daly        francis at daoine.org


From venefax at gmail.com Sat May 27 04:39:05 2023
From: venefax at gmail.com (Saint Michael)
Date: Sat, 27 May 2023 00:39:05 -0400
Subject: Reverse proxy to forward proxy to internet access
In-Reply-To: 
References: <20230525230843.GK15845@daoine.org>
Message-ID: 

Check https://1eye.us
100% Nginx

On Sat, May 27, 2023 at 12:21 AM Miten Mehta wrote:

> I consider from your reply that niginx reverse proxy cannot provide
> internet access through a forward proxy like squid, websense or alike.
>
> I understand you mentioned that nginx cannot be used as forward proxy.
>
> There are many blogs on net claiming to use nginx as forward proxy and
> also using upstream forward proxy that is false? I don't see this in
> official documentation of nginx.
>
> Regards,
>
> Miten
>
> On Fri 26 May, 2023, 4:18 PM Miten Mehta, wrote:
>
>> Hi,
>>
>> Thanks for guidance. If i enable direct internet access from reverse
>> proxy then can i just use proxy_pass $request_uri and have user format his
>> url as https://myreverseproxy.com/https://mypub/somepath.
>>
>> Regards,
>>
>> Miten


From francis at daoine.org Sat May 27 07:48:12 2023
From: francis at daoine.org (Francis Daly)
Date: Sat, 27 May 2023 08:48:12 +0100
Subject: Reverse proxy to forward proxy to internet access
In-Reply-To: 
References: <20230525230843.GK15845@daoine.org>
Message-ID: <20230527074812.GL15845@daoine.org>

On Fri, May 26, 2023 at 04:18:59PM +0530, Miten Mehta wrote:

Hi there,

> Thanks for guidance. If i enable direct internet access from reverse proxy
> then can i just use proxy_pass $request_uri and have user format his url as
> https://myreverseproxy.com/https://mypub/somepath.

Here, $request_uri would start with /, so it would not Just Work as-is.

I'm not sure how https://myreverseproxy.com/https://mypub/somepath is
different from a "normal" https://myreverseproxy.com/mypub/somepath
with a "normal" nginx config based on

    location ^~ /mypub/ { proxy_pass https://mypub/; }

(plus the supporting configuration). So then you have a "normal" nginx
proxy_pass setup for specific remote web servers.

Which should Just Work like any other proxy_pass configuration.
Good luck with it,

f
-- 
Francis Daly        francis at daoine.org


From francis at daoine.org Sat May 27 08:13:18 2023
From: francis at daoine.org (Francis Daly)
Date: Sat, 27 May 2023 09:13:18 +0100
Subject: Reverse proxy to forward proxy to internet access
In-Reply-To: 
References: <20230525230843.GK15845@daoine.org>
Message-ID: <20230527081318.GM15845@daoine.org>

On Sat, May 27, 2023 at 09:51:10AM +0530, Miten Mehta wrote:

Hi there,

> I consider from your reply that niginx reverse proxy cannot provide
> internet access through a forward proxy like squid, websense or alike.

"http through a proxy" uses a different form of requests from "http".

nginx as a client does not make the "http through a proxy" request when
it is talking to a configured upstream server.

The general "forward proxy" server will expect clients that talk to it,
to make "http through a proxy" requests.

Your specific "forward proxy" server might be configured to
"transparently" intercept "http" requests and make a best-guess effort
at interpreting them as if they had been "http through a proxy"
requests. And that might work in many cases.

If that works well enough in your specific case, great! Only you can
know whether it works well enough in your case, to be worth investigating
further for problems.

> I understand you mentioned that nginx cannot be used as forward proxy.

nginx as a server does not specially interpret any "http through a
proxy" requests that it receives, and it does not try to follow the
"http proxy server" rules for handling requests and responses.

If what it does do, works well enough for you, great!

> There are many blogs on net claiming to use nginx as forward proxy and also
> using upstream forward proxy that is false? I don't see this in official
> documentation of nginx.

Maybe those many blogs refer to cases where the combination of their
client, their upstream proxy server, and their configuration of nginx,
works well enough for them. In which case -- great!
You should be able to build a test nginx configuration based on those
blogs, to see whether it works well enough for you, too.

Good luck with it,

f
-- 
Francis Daly        francis at daoine.org


From francis at daoine.org Sat May 27 08:24:49 2023
From: francis at daoine.org (Francis Daly)
Date: Sat, 27 May 2023 09:24:49 +0100
Subject: Reverse proxy to forward proxy to internet access
In-Reply-To: 
References: <20230525230843.GK15845@daoine.org>
Message-ID: <20230527082449.GN15845@daoine.org>

On Sat, May 27, 2023 at 12:39:05AM -0400, Saint Michael wrote:

Hi there,

> 100% Nginx

That looks like an ad for a donation button; but it doesn't immediately
seem to say "here is how nginx is configured to access a remote web site
through a proxy server".

Or "here is how nginx is configured to be accessed as if it were a
proxy server".

(It does seem to indicate "this server acts as a reverse proxy
for some specific remote web sites"; but that's pretty much what
http://nginx.org/r/proxy_pass does. No doubt there is extra cleverness
to handle the "I don't control the upstream server" issues that usually
arise; but it does not seem to be relevant to this thread. Am I missing
something?)

Thanks,

f
-- 
Francis Daly        francis at daoine.org


From venefax at gmail.com Sat May 27 14:42:01 2023
From: venefax at gmail.com (Saint Michael)
Date: Sat, 27 May 2023 10:42:01 -0400
Subject: Reverse proxy to forward proxy to internet access
In-Reply-To: <20230527082449.GN15845@daoine.org>
References: <20230525230843.GK15845@daoine.org> <20230527082449.GN15845@daoine.org>
Message-ID: 

Please look at the links.
All those links are a live digital tunnel to each website.
For instance, the client clicks on my https://14ymedio.1eye.us/ and I
send it forward to https://14ymedio.com except that he is still inside
my own domain, secure. It's live.
So if the target domain is blocked via DNS, in Cuba, it still works
using my domain.
This is all using Nginx.
The question is: is there a better tool to do this?
I am trying to find out.
Some domains don't work, so I am still looking for a better solution.
Also, Cloudflare blocks me.

Federico

On Sat, May 27, 2023 at 4:24 AM Francis Daly wrote:

> On Sat, May 27, 2023 at 12:39:05AM -0400, Saint Michael wrote:
>
> Hi there,
>
> > 100% Nginx
>
> That looks like an ad for a donation button; but it doesn't immediately
> seem to say "here is how nginx is configured to access a remote web site
> through a proxy server".
>
> Or "here is how nginx is configured to be accessed as if it were a
> proxy server".
>
> (It does seem to indicate "this server acts as a reverse proxy
> for some specific remote web sites"; but that's pretty much what
> http://nginx.org/r/proxy_pass does. No doubt there is extra cleverness
> to handle the "I don't control the upstream server" issues that usually
> arise; but it does not seem to be relevant to this thread. Am I missing
> something?)
>
> Thanks,
>
> f
> -- 
> Francis Daly        francis at daoine.org


From siembabdavid at gmail.com Sun May 28 03:59:43 2023
From: siembabdavid at gmail.com (David Siembab)
Date: Sat, 27 May 2023 23:59:43 -0400
Subject: Reverse proxy to forward proxy to internet access
In-Reply-To: 
References: <20230525230843.GK15845@daoine.org>
Message-ID: 

What does the project do for you, and what would you like it to do for you?
Share ideas.

On Sat, May 27, 2023, 12:21 AM Miten Mehta wrote:

> I consider from your reply that niginx reverse proxy cannot provide
> internet access through a forward proxy like squid, websense or alike.
>
> I understand you mentioned that nginx cannot be used as forward proxy.
>
> There are many blogs on net claiming to use nginx as forward proxy and
> also using upstream forward proxy that is false?
> I don't see this in
> official documentation of nginx.
>
> Regards,
>
> Miten
>
> On Fri 26 May, 2023, 4:18 PM Miten Mehta, wrote:
>
>> Hi,
>>
>> Thanks for guidance. If i enable direct internet access from reverse
>> proxy then can i just use proxy_pass $request_uri and have user format his
>> url as https://myreverseproxy.com/https://mypub/somepath.
>>
>> Regards,
>>
>> Miten


From venefax at gmail.com Sun May 28 04:55:14 2023
From: venefax at gmail.com (Saint Michael)
Date: Sun, 28 May 2023 00:55:14 -0400
Subject: Reverse proxy to forward proxy to internet access
In-Reply-To: 
References: <20230525230843.GK15845@daoine.org>
Message-ID: 

I would like to find a way to do what I do now at https://1eye.us but
better. Many websites fail to work. For example https://bing.com/new

On Sun, May 28, 2023 at 12:00 AM David Siembab wrote:

> What does the project do for you and what would you like it do for you.
> Share ideas
>
> On Sat, May 27, 2023, 12:21 AM Miten Mehta wrote:
>
>> I consider from your reply that niginx reverse proxy cannot provide
>> internet access through a forward proxy like squid, websense or alike.
>>
>> I understand you mentioned that nginx cannot be used as forward proxy.
>>
>> There are many blogs on net claiming to use nginx as forward proxy and
>> also using upstream forward proxy that is false? I don't see this in
>> official documentation of nginx.
>>
>> Regards,
>>
>> Miten
From francis at daoine.org Sun May 28 11:56:24 2023
From: francis at daoine.org (Francis Daly)
Date: Sun, 28 May 2023 12:56:24 +0100
Subject: Reverse proxy to forward proxy to internet access
In-Reply-To: 
References: <20230525230843.GK15845@daoine.org> <20230527082449.GN15845@daoine.org>
Message-ID: <20230528115624.GO15845@daoine.org>

On Sat, May 27, 2023 at 10:42:01AM -0400, Saint Michael wrote:

Hi there,

> Please look at the links.
> All those links are a live digital tunnel to each website.

Yes; it looks like you are making "normal" use of nginx's proxy_pass
directive, to provide indirect access for clients, to some content on
the web that you have access to, that someone on either the
upstream-server or client-network side had attempted to block direct
access to.

That looks like a convenient service for a client who wants to avoid
those attempted blocks.

I'm just not sure how what you wrote relates to what the original
poster asked, or to anything else in the thread.

And your original mail that I responded to, could just as well have
been written in response to pretty much any message on the mailing
list, and it would have had the same looks-like-spam appearance.

For your follow-up questions about your service: I would have imagined
that there would be a bigger readership for a new thread, rather than
hiding things in an unrelated thread; but whatever works for you is good.
Cheers,

f
-- 
Francis Daly        francis at daoine.org


From indiamiten at gmail.com Mon May 29 11:03:46 2023
From: indiamiten at gmail.com (Miten Mehta)
Date: Mon, 29 May 2023 16:33:46 +0530
Subject: Reverse proxy to forward proxy to internet access
In-Reply-To: <20230527074812.GL15845@daoine.org>
References: <20230525230843.GK15845@daoine.org> <20230527074812.GL15845@daoine.org>
Message-ID: 

Hi Francis Daly,

client -> reverse proxy: https://myreverseproxy.com/https://mypub/somepath
reverse proxy to forward proxy: I'm not sure how https://forwardproxy.com/ https://mypub/somepath

I was trying to append the actual URL to the reverse proxy URL, so that in
its config we can easily use $request_uri and pass it along, and maybe
thinking that is what you meant by "http through proxy", and the forward
proxy will be able to interpret it and do the needful. Like you said, some
forward proxies will be able to do it, and if so then the above looks good
to me.

On Sat, May 27, 2023 at 1:18 PM Francis Daly wrote:

> On Fri, May 26, 2023 at 04:18:59PM +0530, Miten Mehta wrote:
>
> Hi there,
>
> > Thanks for guidance. If i enable direct internet access from reverse proxy
> > then can i just use proxy_pass $request_uri and have user format his url as
> > https://myreverseproxy.com/https://mypub/somepath.
>
> Here, $request_uri would start with /, so it would not Just Work as-is.
>
> I'm not sure how https://myreverseproxy.com/https://mypub/somepath is
> different from a "normal" https://myreverseproxy.com/mypub/somepath
> with a "normal" nginx config based on
>
>     location ^~ /mypub/ { proxy_pass https://mypub/; }
>
> (plus the supporting configuration). So then you have a "normal" nginx
> proxy_pass setup for specific remote web servers.
>
> Which should Just Work like any other proxy_pass configuration.
>
> Good luck with it,
>
> f
> -- 
> Francis Daly        francis at daoine.org


From y.abadi at f5.com Tue May 30 06:50:19 2023
From: y.abadi at f5.com (Yuval Abadi)
Date: Tue, 30 May 2023 06:50:19 +0000
Subject: duplicate ports across servers in nginx.conf
In-Reply-To: 
References: <20230525230843.GK15845@daoine.org> <20230527074812.GL15845@daoine.org>
Message-ID: 

Hi

When I have 2 servers in nginx.conf with the same listen port, if the
servers have a name, nginx issues a warning and ignores … but does not
fail to load.
What happens is that only the first server in the conf binds the socket.
And worse, if there are no server names I did not get a warning.
Only if the keyword "default_server" is used does nginx enforce one
server to use the port.

Why????
How come it is a warning and not an error?
It is a misleading option.

Thanks

Yuval Abadi


From francis at daoine.org Tue May 30 16:57:19 2023
From: francis at daoine.org (Francis Daly)
Date: Tue, 30 May 2023 17:57:19 +0100
Subject: duplicate ports across servers in nginx.conf
In-Reply-To: 
References: <20230525230843.GK15845@daoine.org> <20230527074812.GL15845@daoine.org>
Message-ID: <20230530165719.GQ15845@daoine.org>

On Tue, May 30, 2023 at 06:50:19AM +0000, Yuval Abadi via nginx wrote:

Hi there,

> When I have 2 servers in nginx.conf with same listen port if the server have
> name, nginx issue warning ignore … but nit failed to load.
> What happens is only the first server in conf binds the socket.
> And worse, If no server names I did not get a warning.

Does https://nginx.org/en/docs/http/request_processing.html explain
what you are seeing?

If not, can you show one small but complete configuration that shows
the problem that you are reporting?
"name-based virtual servers" are based around listening on the same
port, and having the http server responding differently based on the
Host: in the incoming request. It would be surprising if that feature
became broken.

The documentation for "listen" at https://nginx.org/r/listen does note
that some parameters only make sense when set once (or set the same
each time, if they are set more than once); I don't know if you are
hitting one of those cases?

Cheers,

f
-- 
Francis Daly        francis at daoine.org


From y.abadi at f5.com Wed May 31 06:14:41 2023
From: y.abadi at f5.com (Yuval Abadi)
Date: Wed, 31 May 2023 06:14:41 +0000
Subject: duplicate ports across servers in nginx.conf
In-Reply-To: <20230530165719.GQ15845@daoine.org>
References: <20230525230843.GK15845@daoine.org> <20230527074812.GL15845@daoine.org> <20230530165719.GQ15845@daoine.org>
Message-ID: 

Hi

Thanks for the response.

The link explains the problem. I think we could do better work for users.

If the configuration has 2 servers sharing the same name and the same port,
I get this warning:

    nginx: [warn] conflicting server name "http://www.mut.com/" on 0.0.0.0:80, ignored

Why not block this mistake?
I assume the second server is ignored, but why make it possible?

If the servers do not have a name,
I get these warnings:

    nginx: [warn] conflicting server name "" on 0.0.0.0:9002, ignored
    nginx: [warn] conflicting server name "" on 0.0.0.0:80, ignored

Both warnings:
first, there is no way for NGINX to give a good warning, both servers
look the same.
If a user made such a mistake, better to block.

Why not enforce that at least one server has "listen default_server port"?
Why not enforce server names, and not allow more than one server with the
same name?

Does NGINX set the bit default_server on the first "ngx_http_conf_addr_t",
of the first server that is read from the conf file (if no default_server
was defined)?
Thanks

-----Original Message-----
From: nginx On Behalf Of Francis Daly
Sent: Tuesday, 30 May 2023 19:57
To: Yuval Abadi via nginx
Subject: Re: duplicate ports across servers in nginx.conf

On Tue, May 30, 2023 at 06:50:19AM +0000, Yuval Abadi via nginx wrote:

Hi there,

> When I have 2 servers in nginx.conf with same listen port if the server have
> name, nginx issue warning ignore … but nit failed to load.
> What happens is only the first server in conf binds the socket.
> And worse, If no server names I did not get a warning.

Does https://nginx.org/en/docs/http/request_processing.html explain
what you are seeing?

If not, can you show one small but complete configuration that shows
the problem that you are reporting?

"name-based virtual servers" are based around listening on the same
port, and having the http server responding differently based on the
Host: in the incoming request. It would be surprising if that feature
became broken.

The documentation for "listen" at https://nginx.org/r/listen does note
that some parameters only make sense when set once (or set the same
each time, if they are set more than once); I don't know if you are
hitting one of those cases?

Cheers,

f
-- 
Francis Daly        francis at daoine.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: nginx.conf
Type: application/octet-stream
Size: 4588 bytes
Desc: nginx.conf
URL:

From francis at daoine.org Wed May 31 07:36:49 2023
From: francis at daoine.org (Francis Daly)
Date: Wed, 31 May 2023 08:36:49 +0100
Subject: duplicate ports across servers in nginx.conf
In-Reply-To:
References: <20230525230843.GK15845@daoine.org> <20230527074812.GL15845@daoine.org> <20230530165719.GQ15845@daoine.org>
Message-ID: <20230531073649.GR15845@daoine.org>

On Wed, May 31, 2023 at 06:14:41AM +0000, Yuval Abadi via nginx wrote:

Hi there,

I don't speak for the project, but my guess is:

> If the configuration has 2 servers sharing the same name and the same port
> I got this warning:
> "nginx: [warn] conflicting server name "http://www.mut.com/" on 0.0.0.0:80, ignored"
>
> Why not block this mistake?

If you have 20 server{}s, and 2 share the name and port, should the entire system fail to start (or reload config)?

It seems friendlier to me to use the config as-provided, and alert on things that are not used as the administrator apparently expected.

Some configuration issues are considered more important than some others. This particular one is currently not considered "fatal".

> I assume the second server ignored, but why let it possible?

nginx does not control what the administrator types.

> If the servers do not have name
> I got this warning:
> nginx: [warn] conflicting server name "" on 0.0.0.0:9002, ignored
> nginx: [warn] conflicting server name "" on 0.0.0.0:80, ignored

Yes; it's the same message, showing the listen ip:port and server_name values that are unexpected.

> both warning:
> first no way for NGINX gives good warning, both server looks the same.

I agree that it would be even friendlier if the error message indicated the filename and line number that the unexpected configuration came from; I suspect that a patch to change that would be thoughtfully considered.

Maybe someone will be interested in providing that patch, now that the issue has been mentioned.
(Maybe the only reason the log omits the filename is that no-one thought to add it here, where it is added in other places. Or maybe it is harder than that to implement.)

> if user did such mistake, better to block.

I disagree. It appears that the current code disagrees too; maybe that will change in the future.

> Why not enforce using at list one server have "listen default_server port"?

I think that is enforced already -- if you have more than one "default_server", you get an "emerg" failure. If you have none explicitly, then the implicit config applies -- and I would rather not lose the implicit config.

> Why not enforce server names , and not let more than one server with same name?

I think that is what it is doing already; it considers it a "warning" rather than an "emergency" configuration issue.

> Is NGINX set the bit default_server ,on the first "ngx_http_conf_addr_t", of the first server, that read from conf file? (if no default_server was defined)?
>

I'm not quite sure what you are asking: if it is about the code, it is not hidden and is quite readable; if it is about which server is default_server if none is explicit, then the documentation also describes that -- the "implicit" default_server for a specific ip:port is the first server{} that was read with that (possibly implicit) "listen" config.

Cheers,

f
--
Francis Daly        francis at daoine.org
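The rules Francis lays out in this thread (for a given address:port the first server{} read keeps a server_name and later server{}s claiming the same name are warned about and ignored; the implicit default_server is the first server{} read for that address:port; a second explicit default_server for the same address:port is an [emerg]) can be checked before handing a file to nginx, and with the file line numbers that the "conflicting server name" warning does not print. The Python scanner below is an added example written for this page; it is not nginx project code and was not posted by anyone in the thread. The nginx.conf it reads is constructed to reproduce the two warnings quoted above, and the scanner assumes one directive per line, no include directives, and address:port style listen arguments, so nginx's own matching is more general than this.

```python
"""Pre-check an nginx.conf for server{}s that nginx would warn about as "conflicting
server name ... ignored", with line numbers, and list the default server per listen
address. Added example, not nginx code; assumes one directive per line, no `include`."""
import re
from collections import defaultdict

# Constructed sample reproducing the two warnings quoted in the thread.
SAMPLE_CONF = """\
http {
  server {
    listen 80;
    server_name www.mut.com;
  }
  server {
    listen 80;
    server_name www.mut.com;
  }
  server {
    listen 9002 default_server;
  }
  server {
    listen 9002;
  }
}
"""

SERVER_OPEN_RE = re.compile(r"^\s*server\s*\{")
LISTEN_RE = re.compile(r"^\s*listen\s+([^;]+);")
SERVER_NAME_RE = re.compile(r"^\s*server_name\s+([^;]+);")


def normalize_listen(arg):
    """listen argument -> (address, port, is_default_server). "80" and "*:80" map
    to 0.0.0.0:80, a bare address gets port 80, ssl/http2/... are dropped."""
    addr, *params = arg.split()
    host, sep, port = addr.rpartition(":")          # "[::]:80" -> "[::]", "80"
    if not sep or not port.isdigit():               # "80", "1.2.3.4" or "[::1]"
        host, port = ("", addr) if addr.isdigit() else (addr, "80")
    return ("0.0.0.0" if host in ("", "*") else host), int(port), "default_server" in params


def parse_servers(text):
    """One dict per top-level server{}: first line, listens, server_names. Nested blocks
    are skipped by brace depth; no listen means 0.0.0.0:80, no server_name means ""."""
    servers, current, depth, server_depth = [], None, 0, 0
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]                # strip comments
        if current is None and SERVER_OPEN_RE.match(code):
            current = {"line": lineno, "listens": [], "names": []}
            server_depth = depth + 1
        elif current is not None and depth == server_depth:
            if m := LISTEN_RE.match(code):
                current["listens"].append(normalize_listen(m.group(1)))
            if m := SERVER_NAME_RE.match(code):
                current["names"].extend(m.group(1).split())
        depth += code.count("{") - code.count("}")
        if current is not None and depth < server_depth:   # server{} just closed
            current["listens"] = current["listens"] or [("0.0.0.0", 80, False)]
            current["names"] = current["names"] or [""]
            servers.append(current)
            current = None
    return servers


def find_conflicts(servers):
    """(addr, port, name, winner_line, [ignored_lines]) for each name claimed by more
    than one server{} on one address:port; the first one read wins, as in nginx."""
    claims = defaultdict(list)
    for s in servers:
        for addr, port, _ in s["listens"]:
            for name in s["names"]:
                claims[(addr, port, name)].append(s["line"])
    return [(a, p, n, ls[0], ls[1:]) for (a, p, n), ls in claims.items() if len(ls) > 1]


def default_servers(servers):
    """(addr, port) -> line of the server{} answering a Host that matches no name: the
    explicit default_server, else the first server{} read for that address:port. A second
    explicit default_server for one address:port is what nginx rejects with [emerg]."""
    result, explicit = {}, set()
    for s in servers:
        for addr, port, is_default in s["listens"]:
            if is_default and (addr, port) in explicit:
                raise ValueError(f"duplicate default server for {addr}:{port}, line {s['line']}")
            if is_default:
                explicit.add((addr, port))
            if is_default or (addr, port) not in result:
                result[(addr, port)] = s["line"]
    return result


def report(text):
    """nginx's warning text plus the line numbers nginx itself does not print."""
    servers = parse_servers(text)
    out = [f'line {ln}: conflicting server name "{n}" on {a}:{p}, ignored (first at line {w})'
           for a, p, n, w, ignored in find_conflicts(servers) for ln in ignored]
    out += [f"{a}:{p}: default server is the server{{}} at line {ln}"
            for (a, p), ln in sorted(default_servers(servers).items())]
    return out
```

`report(SAMPLE_CONF)` yields the two warnings from the thread, each pointing at the ignored server{} and the earlier one it lost to, followed by the default server for 0.0.0.0:80 (implicit, the first server{} read) and for 0.0.0.0:9002 (the explicit default_server). To run it against a real file, pass `open("/etc/nginx/nginx.conf").read()` instead; because the scanner does not follow include directives or parse unix: sockets, treat it as a pre-flight check alongside `nginx -t`, not as a replacement for it.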
