<div>Hi, Aleks,<br><div><div><br><div>This nginx conf is generated by the Kubernetes nginx ingress controller. We use Nginx in the Kubernetes cluster, so many modules are there.<br><br></div></div><div>The lua script is supported by the open-source OpenResty. You can google it to find how and why to use it. We use it for our special load balancing. <br><div><br><div>For the log, I am not sure what you need.<br><div><br>Thanks<br></div> </div></div></div></div></div><div id="origbody"><div style="background: #f2f2f2;">----- Original message -----<br>From: Aleksandar Lazic &lt;al-nginx@none.at&gt;<br>To: tjlp@sina.com<br>Cc: nginx &lt;nginx@nginx.org&gt;<br>Subject: Re:_Reply:Re:_Reply:Re:_Reply:Re:_Reply:Re:_Issue_about_nginx_removing_the_header_"Connection"_in_HTTP_response?<br>Date: 2017-03-08 06:26<br></div><br>
<p>Hi.</p>
<p>Well that's a lot of modules and lua stuff there.</p>
<p>What's in the '*by_lua_file's ?</p>
<p>Can you run from a specific IP the debug log to see what's happening in nginx?</p>
<p><a target="_blank" href="http://nginx.org/en/docs/debugging_log.html">http://nginx.org/en/docs/debugging_log.html</a></p>
<p>regards</p>
<p>aleks</p>
<p>On 07-03-2017 10:49, tjlp@sina.com wrote:</p>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">
<div>Hi, Aleks,<br>
<div><br>
<div>The result of nginx -V is as follows:<br>nginx version: nginx/1.11.1<br>built by gcc 4.9.2 (Debian 4.9.2-10)<br>built with OpenSSL 1.0.1t 3 May 2016<br>TLS SNI support enabled<br>configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_sub_module --with-http_v2_module --with-http_spdy_module --with-stream --with-stream_ssl_module --with-threads --with-file-aio --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --add-module=/tmp/build/ngx_devel_kit-0.3.0 --add-module=/tmp/build/set-misc-nginx-module-0.30 --add-module=/tmp/build/nginx-module-vts-0.1.9 --add-module=/tmp/build/lua-nginx-module-0.10.5 --add-module=/tmp/build/headers-more-nginx-module-0.30 --add-module=/tmp/build/nginx-goodies-nginx-sticky-module-ng-c78b7dd79d0d --add-module=/tmp/build/nginx-http-auth-digest-f85f5d6fdcc06002ff879f5cbce930999c287011 --add-module=/tmp/build/ngx_http_substitutions_filter_module-bc58cb11844bc42735bbaef7085ea86ace46d05b --add-module=/tmp/build/lua-upstream-nginx-module-0.05<br>
<div><br>
<div>The nginx conf is:<br>
<div><br><br>daemon off;<br><br>worker_processes 2;<br><br>pid /run/nginx.pid;<br><br>worker_rlimit_nofile 131072;<br><br>pcre_jit on;<br><br>events {<br> multi_accept on;<br> worker_connections 16384;<br> use epoll; <br>}<br><br>http {<br><br> lua_shared_dict server_sessioncnt_dict 20k;<br> lua_shared_dict server_dict 20k;<br> lua_shared_dict server_acceptnewconn_dict 20k;<br> lua_shared_dict sessionid_server_dict 100k;<br> <br> <br> <br> real_ip_header X-Forwarded-For;<br> set_real_ip_from 0.0.0.0/0;<br> real_ip_recursive on;<br><br> <br> <br> <br> geoip_country /etc/nginx/GeoIP.dat;<br> geoip_city /etc/nginx/GeoLiteCity.dat;<br> geoip_proxy_recursive on;<br> vhost_traffic_status_zone shared:vhost_traffic_status:10m;<br> vhost_traffic_status_filter_by_set_key $geoip_country_code country::*;<br> # lua section to return proper error codes when custom pages are used<br> lua_package_path '.?.lua;./etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/lua-resty-http/lib/?.lua;/etc/nginx/lua/vendor/lua-resty-lrucache/lib/?.lua;/etc/nginx/lua/vendor/lua-resty-core/lib/?.lua;/etc/nginx/lua/vendor/lua-resty-balancer/lib/?.lua;';<br><br> init_by_lua_file /etc/nginx/lua/init_by_lua.lua;<br><br> sendfile on;<br> aio threads;<br> tcp_nopush on;<br> tcp_nodelay on;<br> <br> log_subrequest on;<br><br> reset_timedout_connection on;<br><br> keepalive_timeout 75s;<br><br> types_hash_max_size 2048;<br> server_names_hash_max_size 512;<br> server_names_hash_bucket_size 64;<br><br> include /etc/nginx/mime.types;<br> default_type text/html;<br> gzip on;<br> gzip_comp_level 5;<br> gzip_http_version 1.1;<br> gzip_min_length 256;<br> gzip_types application/atom+xml application/javascript aplication/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component; <br> gzip_proxied any;<br><br> client_max_body_size 
"64m";<br><br> log_format upstreaminfo '$remote_addr - '<br> '[$proxy_add_x_forwarded_for] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" '<br> '$request_length $request_time $upstream_addr $upstream_response_length $upstream_response_time $upstream_status';<br><br> <br> <br> map $request $loggable {<br> default 1;<br> }<br><br> access_log /var/log/nginx/access.log upstreaminfo if=$loggable;<br> error_log /var/log/nginx/error.log notice;<br><br> <br><br> map $http_upgrade $connection_upgrade {<br> default upgrade;<br> '' close;<br> }<br><br> # trust http_x_forwarded_proto headers correctly indicate ssl offloading<br> map $http_x_forwarded_proto $pass_access_scheme {<br> default $http_x_forwarded_proto;<br> '' $scheme;<br> }<br><br> # Map a response error watching the header Content-Type<br> map $http_accept $httpAccept {<br> default html;<br> application/json json;<br> application/xml xml;<br> text/plain text;<br> }<br><br> map $httpAccept $httpReturnType {<br> default text/html;<br> json application/json;<br> xml application/xml;<br> text text/plain;<br> }<br><br> server_name_in_redirect off;<br> port_in_redirect off;<br><br> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;<br><br> # turn on session caching to drastically improve performance<br> <br> ssl_session_cache builtin:1000 shared:SSL:10m;<br> ssl_session_timeout 10m;<br> <br><br> # allow configuring ssl session tickets<br> ssl_session_tickets on;<br><br> # slightly reduce the time-to-first-byte<br> ssl_buffer_size 4k;<br><br> <br> # allow configuring custom ssl ciphers<br> ssl_ciphers 
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';<br> ssl_prefer_server_ciphers on;<br> <br><br> <br><br> # In case of errors try the next upstream server before returning an error<br> proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;<br><br> upstream liupeng-sm-rte-svc-13080 {<br> server 172.77.69.10:13080;<br> server 172.77.87.9:13080;<br> <br> <br> <br> <br> balancer_by_lua_file /etc/nginx/lua/balancer_by_lua.lua;<br> <br> }<br><br> server {<br> server_name _;<br> listen 80;<br> listen 443 ssl spdy http2;<br> <br> # PEM sha: aad58c371e57f3c243a7c8143c17762c67a0f18a <br> ssl_certificate /etc/nginx-ssl/system-snake-oil-certificate.pem;<br> ssl_certificate_key /etc/nginx-ssl/system-snake-oil-certificate.pem;<br><br> more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload";<br><br> vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name;<br> <br> <br> <br> <br> <br> <br> <br> <br> <br> location /SM/ui {<br> <br> <br> <br><br> <br><br> proxy_set_header Host $host;<br><br> # Pass Real IP<br> proxy_set_header X-Real-IP $remote_addr;<br><br> # Allow websocket connections<br> proxy_set_header Upgrade $http_upgrade;<br> <br> proxy_set_header Connection "";<br> <br><br> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br> 
proxy_set_header X-Forwarded-Host $host;<br> proxy_set_header X-Forwarded-Port $server_port;<br> proxy_set_header X-Forwarded-Proto $pass_access_scheme;<br><br> # mitigate HTTPoxy Vulnerability<br> # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/<br> proxy_set_header Proxy "";<br><br> proxy_connect_timeout 5s;<br> proxy_send_timeout 60s;<br> proxy_read_timeout 60s;<br><br> proxy_redirect off;<br> <br> proxy_buffering off;<br><br> proxy_http_version 1.1;<br><br> <br> proxy_pass http://liupeng-sm-rte-svc-13080;<br> <br> <br> rewrite_by_lua_file /etc/nginx/lua/rewrite_by_lua.lua;<br><br> header_filter_by_lua_file /etc/nginx/lua/header_filter_by_lua.lua;<br><br> <br> }<br> <br><br> }<br>}<br><br><br></div>
</div>
</div>
</div>
</div>
</div>
<div id="origbody">
<div style="background: #f2f2f2;">----- Original message -----<br>From: Aleksandar Lazic &lt;al-nginx@none.at&gt;<br>To: tjlp@sina.com<br>Cc: nginx &lt;nginx@nginx.org&gt;<br>Subject: Re:_Reply:Re:_Reply:Re:_Reply:Re:_Issue_about_nginx_removing_the_header_"Connection"_in_HTTP_response?<br>Date: 2017-03-07 15:39</div>
<br><br>Hi Liu Peng.<br>We still don't know your nginx version nor your config!<br>Cite from below:<br>> So now the standard Questions from me:<br>> What's the output of nginx -V ?<br>> What's your config?<br>regards<br>aleks<br>On 07-03-2017 02:37, tjlp@sina.com wrote:<br>> Hi, Aleks,<br>> <br>> I try your proposal and it doesn't work. Actually my issue is the same <br>> as this one <br>> http://stackoverflow.com/questions/5100971/nginx-and-proxy-pass-send-connection-close-headers.<br>> <br>> 1. I add "keeplive_request 0". The result is that the "Connection: <br>> close" header is sent to client for every response. That does not match <br>> my requirement. Our application decides whether to finish the <br>> application session using this header.<br>> <br>> 2. I add "proxy_pass_header Connection". Nginx keeps sending <br>> "Connection: keep-alive" header to client even if the header is <br>> "Connection: close" from upstream server.<br>> <br>> Seems Nginx has some special handling for the Connection header in <br>> response. The openresty author suggests that the only way of changing <br>> the response header is to change the nginx C code for this issue. See this issue: <br>> https://github.com/openresty/headers-more-nginx-module/issues/22#issuecomment-31585052.<br>> <br>> Thanks<br>> Liu Peng<br>> <br>> ----- Original message -----<br>> From: Aleksandar Lazic &lt;al-nginx@none.at&gt;<br>> To: tjlp@sina.com<br>> Cc: nginx &lt;nginx@nginx.org&gt;<br>> Subject: Re:_Reply:Re:_Reply:Re:_Issue_about_nginx_removing_the_header_"Connection"_in_HTTP_response?<br>> Date: 2017-03-04 17:22<br>> <br>> Hi Liu Peng.<br>> On 04-03-2017 09:12, tjlp@sina.com wrote:<br>>> <br>>> Hi, Aleks,<br>>> <br>>> I don't want to hide the header.<br>>> My problem is that Nginx changes the "Connection: close" header in the<br>>> response from upstream server to "Connection: keep-alive" and sends it to<br>>> client. 
I want to keep the original "Connection: close" header.<br>> Ah that's a clear question.<br>> It took us only 3 rounds to get to this clear question ;-)<br>> So now the standard Questions from me:<br>> What's the output of nginx -V ?<br>> What's your config?<br>> Maybe you have set 'keepalive' in the upstream config<br>> http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive<br>> or<br>> 'proxy_http_version 1.1;'<br>> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version<br>> as a last resort you can just pass the header with<br>> 'proxy_pass_header Connection;'.<br>> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_header<br>> Choose the solution which fits your demand.<br>> I can only guess due to the fact that we don't know your config.<br>> May I ask you to take a look into this document, which exists in <br>> several<br>> languages, thank you very much.<br>> http://www.catb.org/~esr/faqs/smart-questions.html<br>> Best regards<br>> Aleks<br>>> Thanks<br>>> Liu Peng<br>>> <br>>> ----- Original message -----<br>>> From: Aleksandar Lazic &lt;al-nginx@none.at&gt;<br>>> To: tjlp@sina.com<br>>> Cc: nginx &lt;nginx@nginx.org&gt;<br>>> Subject: Re:_Reply:Re:_Issue_about_nginx_removing_the_header_"Connection"_in_HTTP_response?<br>>> Date: 2017-03-03 16:19<br>>> Hi.<br>>> <br>>> then one directive upward.<br>>> <br>>> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header<br>>> <br>>> Cheers<br>>> <br>>> aleks<br>>> <br>>> On 03-03-2017 06:00, tjlp@sina.com wrote:<br>>> <br>>>> Hi,<br>>>> <br>>>> What I mention is the header in response from backend server. 
Your<br>>>> answer about proxy_set_header is the "Connection" header in request.<br>>>> <br>>>> Thanks<br>>>> Liu Peng<br>>>> <br>>>> ----- Original message -----<br>>>> From: Aleksandar Lazic &lt;al-nginx@none.at&gt;<br>>>> To: nginx@nginx.org<br>>>> Cc: tjlp@sina.com<br>>>> Subject: Re: Issue about nginx removing the header "Connection" in HTTP<br>>>> response?<br>>>> Date: 2017-03-03 06:25<br>>>> <br>>>> Hi.<br>>>> On 01-03-2017 08:29, tjlp@sina.com wrote:<br>>>>> Hi, nginx guy,<br>>>>> <br>>>>> In our system, for some special requests, the upstream server will<br>>>>> return a response in which the header includes "Connection: Close".<br>>>>> According to HTTP protocol, "Connection" is a one-hop header.<br>>>>> So, nginx will remove this header and the client can't do the<br>>>>> business<br>>>>> logic correctly.<br>>>>> <br>>>>> How to handle this scenario?<br>>>> you mean something like this?<br>>>> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header<br>>>> If the value of a header field is an empty string then this field <br>>>> will<br>>>> not be passed to a proxied server:<br>>>> proxy_set_header Connection "";<br>>>>> Thanks<br>>>>> Liu Peng<br>>>>> _______________________________________________<br>>>>> nginx mailing list<br>>>>> nginx@nginx.org<br>>>>> http://mailman.nginx.org/mailman/listinfo/nginx</div>
</blockquote>
</div>
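<p>Added example (not part of the original thread, and not nginx or OpenResty code): a small Python model of how a proxy treats hop-by-hop response headers under RFC 7230 section 6.1, which is why the upstream's "Connection: close" does not reach the client. The sample response and the header name X-App-Session are constructed and hypothetical.</p>

```python
# Added illustration: a model of RFC 7230 section 6.1 handling, not nginx source.

# Hop-by-hop fields listed in RFC 2616 section 13.5.1. They describe a single
# connection and are not forwarded by a proxy.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailers", "transfer-encoding", "upgrade",
}


def forward_response_headers(upstream_headers, client_keepalive):
    """Return the header list a proxy sends to the client.

    upstream_headers: list of (name, value) pairs from the upstream response.
    client_keepalive: the proxy's own decision for the client-side connection.
    """
    # Fields named inside the upstream's Connection header are hop-by-hop too.
    nominated = set()
    for name, value in upstream_headers:
        if name.lower() == "connection":
            nominated.update(
                tok.strip().lower() for tok in value.split(",") if tok.strip()
            )

    drop = HOP_BY_HOP | nominated
    forwarded = [(n, v) for n, v in upstream_headers if n.lower() not in drop]

    # The proxy then describes its own connection to the client, independent
    # of what the upstream said about the upstream-side connection.
    forwarded.append(("Connection", "keep-alive" if client_keepalive else "close"))
    return forwarded


# Constructed upstream response: the application signals "session finished"
# with Connection: close, plus a hypothetical end-to-end header X-App-Session.
UPSTREAM = [
    ("Content-Type", "text/html"),
    ("Connection", "close"),
    ("X-App-Session", "end"),
]

if __name__ == "__main__":
    for name, value in forward_response_headers(UPSTREAM, client_keepalive=True):
        print(f"{name}: {value}")
```

<p>In this model an end-to-end header such as the hypothetical X-App-Session passes through unchanged, while Connection is always regenerated per hop.</p>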