<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 10pt; font-family: Verdana,Geneva,sans-serif'>
<p>Hi.</p>
<p>Well that's a lot of modules and lua stuff there.</p>
<p>What's in the '*by_lua_file's ?</p>
<p>Can you run the debug log from a specific IP to see what's happening in nginx?</p>
<p><a href="http://nginx.org/en/docs/debugging_log.html">http://nginx.org/en/docs/debugging_log.html</a></p>
<p>regards</p>
<p>aleks</p>
<p>On 07-03-2017 10:49, tjlp@sina.com wrote:</p>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">
<div>Hi, Aleks,<br />
<div><br />
<div>The result of nginx -V is as follow:<br />nginx version: nginx/1.11.1<br />built by gcc 4.9.2 (Debian 4.9.2-10)<br />built with OpenSSL 1.0.1t 3 May 2016<br />TLS SNI support enabled<br />configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_sub_module --with-http_v2_module --with-http_spdy_module --with-stream --with-stream_ssl_module --with-threads --with-file-aio --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --add-module=/tmp/build/ngx_devel_kit-0.3.0 --add-module=/tmp/build/set-misc-nginx-module-0.30 --add-module=/tmp/build/nginx-module-vts-0.1.9 --add-module=/tmp/build/lua-nginx-module-0.10.5 --add-module=/tmp/build/headers-more-nginx-module-0.30 --add-module=/tmp/build/nginx-goodies-nginx-sticky-module-ng-c78b7dd79d0d --add-module=/tmp/build/nginx-http-auth-digest-f85f5d6fdcc06002ff879f5cbce930999c287011 --add-module=/tmp/build/ngx_http_substitutions_filter_module-bc58cb11844bc42735bbaef7085ea86ace46d05b --add-module=/tmp/build/lua-upstream-nginx-module-0.05<br />
<div><br />
<div>The nginx conf is:<br />
<div><br /><br />daemon off;<br /><br />worker_processes 2;<br /><br />pid /run/nginx.pid;<br /><br />worker_rlimit_nofile 131072;<br /><br />pcre_jit on;<br /><br />events {<br /> multi_accept on;<br /> worker_connections 16384;<br /> use epoll; <br />}<br /><br />http {<br /><br /> lua_shared_dict server_sessioncnt_dict 20k;<br /> lua_shared_dict server_dict 20k;<br /> lua_shared_dict server_acceptnewconn_dict 20k;<br /> lua_shared_dict sessionid_server_dict 100k;<br /> <br /> <br /> <br /> real_ip_header X-Forwarded-For;<br /> set_real_ip_from 0.0.0.0/0;<br /> real_ip_recursive on;<br /><br /> <br /> <br /> <br /> geoip_country /etc/nginx/GeoIP.dat;<br /> geoip_city /etc/nginx/GeoLiteCity.dat;<br /> geoip_proxy_recursive on;<br /> vhost_traffic_status_zone shared:vhost_traffic_status:10m;<br /> vhost_traffic_status_filter_by_set_key $geoip_country_code country::*;<br /> # lua section to return proper error codes when custom pages are used<br /> lua_package_path '.?.lua;./etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/lua-resty-http/lib/?.lua;/etc/nginx/lua/vendor/lua-resty-lrucache/lib/?.lua;/etc/nginx/lua/vendor/lua-resty-core/lib/?.lua;/etc/nginx/lua/vendor/lua-resty-balancer/lib/?.lua;';<br /><br /> init_by_lua_file /etc/nginx/lua/init_by_lua.lua;<br /><br /> sendfile on;<br /> aio threads;<br /> tcp_nopush on;<br /> tcp_nodelay on;<br /> <br /> log_subrequest on;<br /><br /> reset_timedout_connection on;<br /><br /> keepalive_timeout 75s;<br /><br /> types_hash_max_size 2048;<br /> server_names_hash_max_size 512;<br /> server_names_hash_bucket_size 64;<br /><br /> include /etc/nginx/mime.types;<br /> default_type text/html;<br /> gzip on;<br /> gzip_comp_level 5;<br /> gzip_http_version 1.1;<br /> gzip_min_length 256;<br /> gzip_types application/atom+xml application/javascript aplication/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml 
font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component; <br /> gzip_proxied any;<br /><br /> client_max_body_size "64m";<br /><br /> log_format upstreaminfo '$remote_addr - '<br /> '[$proxy_add_x_forwarded_for] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" '<br /> '$request_length $request_time $upstream_addr $upstream_response_length $upstream_response_time $upstream_status';<br /><br /> <br /> <br /> map $request $loggable {<br /> default 1;<br /> }<br /><br /> access_log /var/log/nginx/access.log upstreaminfo if=$loggable;<br /> error_log /var/log/nginx/error.log notice;<br /><br /> <br /><br /> map $http_upgrade $connection_upgrade {<br /> default upgrade;<br /> '' close;<br /> }<br /><br /> # trust http_x_forwarded_proto headers correctly indicate ssl offloading<br /> map $http_x_forwarded_proto $pass_access_scheme {<br /> default $http_x_forwarded_proto;<br /> '' $scheme;<br /> }<br /><br /> # Map a response error watching the header Content-Type<br /> map $http_accept $httpAccept {<br /> default html;<br /> application/json json;<br /> application/xml xml;<br /> text/plain text;<br /> }<br /><br /> map $httpAccept $httpReturnType {<br /> default text/html;<br /> json application/json;<br /> xml application/xml;<br /> text text/plain;<br /> }<br /><br /> server_name_in_redirect off;<br /> port_in_redirect off;<br /><br /> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;<br /><br /> # turn on session caching to drastically improve performance<br /> <br /> ssl_session_cache builtin:1000 shared:SSL:10m;<br /> ssl_session_timeout 10m;<br /> <br /><br /> # allow configuring ssl session tickets<br /> ssl_session_tickets on;<br /><br /> # slightly reduce the time-to-first-byte<br /> ssl_buffer_size 4k;<br /><br /> <br /> # allow configuring custom ssl ciphers<br /> ssl_ciphers 
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';<br /> ssl_prefer_server_ciphers on;<br /> <br /><br /> <br /><br /> # In case of errors try the next upstream server before returning an error<br /> proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;<br /><br /> upstream liupeng-sm-rte-svc-13080 {<br /> server 172.77.69.10:13080;<br /> server 172.77.87.9:13080;<br /> <br /> <br /> <br /> <br /> balancer_by_lua_file /etc/nginx/lua/balancer_by_lua.lua;<br /> <br /> }<br /><br /> server {<br /> server_name _;<br /> listen 80;<br /> listen 443 ssl spdy http2;<br /> <br /> # PEM sha: aad58c371e57f3c243a7c8143c17762c67a0f18a <br /> ssl_certificate /etc/nginx-ssl/system-snake-oil-certificate.pem;<br /> ssl_certificate_key /etc/nginx-ssl/system-snake-oil-certificate.pem;<br /><br /> more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload";<br /><br /> vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name;<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> location /SM/ui {<br /> <br /> <br /> <br /><br /> <br /><br /> proxy_set_header Host $host;<br /><br /> # Pass Real IP<br /> proxy_set_header X-Real-IP $remote_addr;<br /><br /> # Allow websocket connections<br /> proxy_set_header Upgrade $http_upgrade;<br /> <br 
/> proxy_set_header Connection "";<br /> <br /><br /> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br /> proxy_set_header X-Forwarded-Host $host;<br /> proxy_set_header X-Forwarded-Port $server_port;<br /> proxy_set_header X-Forwarded-Proto $pass_access_scheme;<br /><br /> # mitigate HTTPoxy Vulnerability<br /> # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/<br /> proxy_set_header Proxy "";<br /><br /> proxy_connect_timeout 5s;<br /> proxy_send_timeout 60s;<br /> proxy_read_timeout 60s;<br /><br /> proxy_redirect off;<br /> <br /> proxy_buffering off;<br /><br /> proxy_http_version 1.1;<br /><br /> <br /> proxy_pass http://liupeng-sm-rte-svc-13080;<br /> <br /> <br /> rewrite_by_lua_file /etc/nginx/lua/rewrite_by_lua.lua;<br /><br /> header_filter_by_lua_file /etc/nginx/lua/header_filter_by_lua.lua;<br /><br /> <br /> }<br /> <br /><br /> }<br />}<br /><br /><br /></div>
</div>
</div>
</div>
</div>
</div>
<div id="origbody">
<div style="background: #f2f2f2;">----- Original Message -----<br />From: Aleksandar Lazic &lt;al-nginx@none.at&gt;<br />To: tjlp@sina.com<br />Cc: nginx &lt;nginx@nginx.org&gt;<br />Subject: Re:_Reply:Re:_Reply:Re:_Reply:Re:_Issue_about_nginx_removing_the_header_"Connection"_in_HTTP_response?<br />Date: 2017-03-07 15:39</div>
<br /><br />Hi Liu Peng.<br />We still don't know your nginx version nor your config!<br />Cite from below:<br />> So now the standard Questions from me:<br />> What's the output of nginx -V ?<br />> What's your config?<br />regards<br />aleks<br />On 07-03-2017 02:37, tjlp@sina.com wrote:<br />> Hi, Aleks,<br />> <br />> I tried your proposal and it doesn't work. Actually my issue is the same <br />> as this one <br />> http://stackoverflow.com/questions/5100971/nginx-and-proxy-pass-send-connection-close-headers.<br />> <br />> 1. I add "keeplive_request 0". The result is that the "Connection: <br />> close" header is sent to client for every response. That does not match <br />> my requirement. Our application decides whether to finish the <br />> application session using this header.<br />> <br />> 2. I add "proxy_pass_header Connection". Nginx keeps sending <br />> "Connection: keep-alive" header to client even if the header is <br />> "Connection: close" from upstream server.<br />> <br />> Seems Nginx has some special handling for the Connection header in <br />> response. The openresty author suggests that the only way to change the <br />> response header is to change the nginx C code for this issue. See this issue: <br />> https://github.com/openresty/headers-more-nginx-module/issues/22#issuecomment-31585052.<br />> <br />> Thanks<br />> Liu Peng<br />> <br />> ----- Original Message -----<br />> From: Aleksandar Lazic &lt;al-nginx@none.at&gt;<br />> To: tjlp@sina.com<br />> Cc: nginx &lt;nginx@nginx.org&gt;<br />> Subject: Re:_Reply:Re:_Reply:Re:_Issue_about_nginx_removing_the_header_"Connection"_in_HTTP_response?<br />> Date: 2017-03-04 17:22<br />> <br />> Hi Liu Peng.<br />> On 04-03-2017 09:12, tjlp@sina.com wrote:<br />>> <br />>> Hi, Aleks,<br />>> <br />>> I don't want to hide the header.<br />>> My problem is that Nginx changes the "Connection: close" header in the<br />>> response from upstream server to "Connection: keep-alive" and sends it to<br />>> client. 
I want to keep the original "Connection: close" header.<br />> Ah that's a clear question.<br />> It took us only 3 rounds to get to this clear question ;-)<br />> So now the standard Questions from me:<br />> What's the output of nginx -V ?<br />> What's your config?<br />> Maybe you have set 'keepalive' in the upstream config<br />> http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive<br />> or<br />> 'proxy_http_version 1.1;'<br />> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version<br />> as a last resort you can just pass the header with<br />> 'proxy_pass_header Connection;'.<br />> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_header<br />> Choose the solution which fits your demand.<br />> I can only guess due to the fact that we don't know your config.<br />> May I ask you to take a look into this document, which exists in <br />> several<br />> languages, thank you very much.<br />> http://www.catb.org/~esr/faqs/smart-questions.html<br />> Best regards<br />> Aleks<br />>> Thanks<br />>> Liu Peng<br />>> <br />>> ----- Original Message -----<br />>> From: Aleksandar Lazic &lt;al-nginx@none.at&gt;<br />>> To: tjlp@sina.com<br />>> Cc: nginx &lt;nginx@nginx.org&gt;<br />>> Subject: Re:_Reply:Re:_Issue_about_nginx_removing_the_header_"Connection"_in_HTTP_response?<br />>> Date: 2017-03-03 16:19<br />>> Hi.<br />>> <br />>> then one directive upward.<br />>> <br />>> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header<br />>> <br />>> Cheers<br />>> <br />>> aleks<br />>> <br />>> On 03-03-2017 06:00, tjlp@sina.com wrote:<br />>> <br />>>> Hi,<br />>>> <br />>>> What I mention is the header in response from backend server. 
Your<br />>>> answer about proxy_set_header is the "Connection" header in request.<br />>>> <br />>>> Thanks<br />>>> Liu Peng<br />>>> <br />>>> ----- Original Message -----<br />>>> From: Aleksandar Lazic &lt;al-nginx@none.at&gt;<br />>>> To: nginx@nginx.org<br />>>> Cc: tjlp@sina.com<br />>>> Subject: Re: Issue about nginx removing the header "Connection" in HTTP<br />>>> response?<br />>>> Date: 2017-03-03 06:25<br />>>> <br />>>> Hi.<br />>>> On 01-03-2017 08:29, tjlp@sina.com wrote:<br />>>>> Hi, nginx guy,<br />>>>> <br />>>>> In our system, for some special requests, the upstream server will<br />>>>> return a response whose header includes "Connection: Close".<br />>>>> According to HTTP protocol, "Connection" is a one-hop header.<br />>>>> So, nginx will remove this header and the client can't do the<br />>>>> business<br />>>>> logic correctly.<br />>>>> <br />>>>> How to handle this scenario?<br />>>> you mean something like this?<br />>>> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header<br />>>> If the value of a header field is an empty string then this field <br />>>> will<br />>>> not be passed to a proxied server:<br />>>> proxy_set_header Connection "";<br />>>>> Thanks<br />>>>> Liu Peng<br />>>>> _______________________________________________<br />>>>> nginx mailing list<br />>>>> nginx@nginx.org<br />>>>> http://mailman.nginx.org/mailman/listinfo/nginx</div>
</blockquote>
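<p>Added example, not part of the thread and not nginx source code: a sketch of how an HTTP intermediary treats hop-by-hop response headers under RFC 7230 section 6.1, which is why the client in this thread sees "Connection: keep-alive" although the upstream sent "Connection: close". The function names, the sample headers and the X-App-Session header are assumptions made for illustration.</p>
<pre>
```python
# Added illustration (not nginx source): RFC 7230 section 6.1 handling of
# hop-by-hop headers by an HTTP intermediary.

# Headers that describe a single connection and are never forwarded as-is.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}


def connection_tokens(headers):
    """Return the lower-cased tokens listed in every Connection header."""
    tokens = set()
    for name, value in headers:
        if name.lower() == "connection":
            tokens.update(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens


def forward_response(upstream_headers, client_keepalive):
    """Build the header list a proxy sends to the client.

    Returns (headers_for_client, upstream_wants_close).
    """
    tokens = connection_tokens(upstream_headers)
    drop = HOP_BY_HOP | tokens          # tokens may name extra per-hop headers
    kept = [(n, v) for n, v in upstream_headers if n.lower() not in drop]
    # The client-side Connection value reflects the client connection only.
    kept.append(("Connection", "keep-alive" if client_keepalive else "close"))
    return kept, "close" in tokens


# Constructed sample: upstream response headers like those in the thread.
# X-App-Session is a hypothetical end-to-end header, not from the thread.
SAMPLE_UPSTREAM = [
    ("Content-Type", "application/json"),
    ("Connection", "close"),
    ("X-App-Session", "end"),
]

if __name__ == "__main__":
    out, upstream_close = forward_response(SAMPLE_UPSTREAM, client_keepalive=True)
    print("upstream asked to close its hop:", upstream_close)
    for name, value in out:
        print(f"{name}: {value}")
```
</pre>
<p>The upstream's "close" only ends the proxy-to-upstream hop; a signal that must reach the client has to travel in an end-to-end header, which the sketch forwards unchanged.</p>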
</body></html>