<div dir="ltr">Hi All,<div><br></div><div>Any update for my issue guys ? <br><br> 2. Help: Using Nginx Reverse Proxy bypass traffic in to a<br></div> application running in a container (Amila Gunathilaka)<br><br>Thanks</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, May 18, 2021 at 4:44 PM <<a href="mailto:nginx-request@nginx.org">nginx-request@nginx.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Send nginx mailing list submissions to<br>
<a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:nginx-request@nginx.org" target="_blank">nginx-request@nginx.org</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:nginx-owner@nginx.org" target="_blank">nginx-owner@nginx.org</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of nginx digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. Re: Memory usage in nginx proxy setup and use of min_uses<br>
(Maxim Dounin)<br>
2. Help: Using Nginx Reverse Proxy bypass traffic in to a<br>
application running in a container (Amila Gunathilaka)<br>
3. How to spawn fastcgi c++ app on windows? (hkaroly)<br>
4. net::ERR_HTTP2_SERVER_REFUSED_STREAM (Anoop Alias)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Tue, 18 May 2021 04:27:02 +0300<br>
From: Maxim Dounin <<a href="mailto:mdounin@mdounin.ru" target="_blank">mdounin@mdounin.ru</a>><br>
To: <a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>
Subject: Re: Memory usage in nginx proxy setup and use of min_uses<br>
Message-ID: <<a href="mailto:YKMX5jSb%2BQr1oA70@mdounin.ru" target="_blank">YKMX5jSb+Qr1oA70@mdounin.ru</a>><br>
Content-Type: text/plain; charset=us-ascii<br>
<br>
Hello!<br>
<br>
On Mon, May 17, 2021 at 07:33:43PM +0000, Lucas Rolff wrote:<br>
<br>
> Hi Maxim!<br>
> <br>
> > - The attack you are considering is not about "poisoning". At <br>
> > most, it can be used to make the cache less efficient.<br>
> <br>
> Poisoning is probably the wrong word indeed, and since nginx <br>
> doesn't really handle reaching the limit of keys_zone, it simply <br>
> starts to return a 500 internal server error. So I don't think <br>
> it's making the cache less efficient (Other than you won't be <br>
> able to cache that much), you're ending up breaking nginx <br>
> because when the keys_zone limit has been reached, nginx simply <br>
> starts returning 500 internal server error for items that are <br>
> not already in proxy_cache - if it would do an LRU/LFU on the <br>
> keys - then yes, you could probably end up with a cache less <br>
> efficient.<br>
<br>
While 500 is possible in some cases, especially in configurations <br>
with many worker processes and high request concurrency, even in <br>
the worst case it's expected to happen at most for half of the <br>
requests, usually much less than that. Further, cache manager <br>
monitors the number of cache items in the keys_zone, cleaning <br>
things in advance, making 500 almost impossible in practice.<br>
<br>
If you nevertheless observe 500 being returned in practice, this <br>
might be the actual thing to focus on.<br>
<br>
[...]<br>
<br>
> Unless nginx very recently implemented that reaching keys_zone <br>
> limit, will start purging old cache - then no, it would still <br>
> break the nginx for non-cached requests (returning 500 internal <br>
> server error). If nginx has started to purge old things if the <br>
> limit is reached, then sure the attacker would still be able to <br>
> wipe out the cache.<br>
<br>
Clearing old cache items when it is not possible to allocate a <br>
cache node dates back to initial cache support in nginx 0.7.44[1]. <br>
And cache manager monitoring of the keys_zone and clearing it in <br>
advance dates back to nginx 1.9.13 released about five years <br>
ago[2]. Not sure any of these counts as "very recently".<br>
<br>
> But let's say we have an "inactive" set to 24+ hours (Which is <br>
> often used for static files) - an attack where someone would <br>
> append random query strings - those keys would first be removed <br>
> after 24 hours (or higher, depending on the limit) - with a <br>
> separate flag, one could set this counter to something like 60 <br>
> seconds (So delete the key from memory if the key haven't <br>
> reached it's min_uses within 60 seconds) - this way, you're <br>
> still rotating those keys out *a lot* faster.<br>
<br>
While this may be preferable for some use cases (and sounds close <br>
to the "Segmented LRU" cache policy[3]), this certainly don't <br>
protect from the attack you've initially described. As previously <br>
suggested, an attacker can easily request the same resource <br>
several times, moving it to the "normal" category, so it will stay <br>
in the cache for 24+ hours you've configured. So instead this <br>
distinction might make things worse, making it harder for actually <br>
requested resources to get into cache.<br>
<br>
> > In particular, this can be done with limit_req<br>
> <br>
> If we'd limit this to 20 req/s, this would allow a single IP to <br>
> use up 1.78 million keys in the keys_zone if "inactive" is 24 <br>
> hours - do this with 10 IPs, we're at 17.8 million.<br>
<br>
The basic idea of burst-based limiting the limit_req module <br>
implements is that you don't need to set high rates for IP <br>
addresses. Rather, you have to configure something you expect to <br>
be seen on average per hour (or even day), and allow large enough <br>
bursts. So instead of limiting to 20 r/s you can limit to 1 r/m <br>
with burst set to, say, 1000.<br>
<br>
[...]<br>
<br>
[1] <a href="http://hg.nginx.org/nginx/rev/3a8a53c0c42f#l19.478" rel="noreferrer" target="_blank">http://hg.nginx.org/nginx/rev/3a8a53c0c42f#l19.478</a><br>
[2] <a href="http://hg.nginx.org/nginx/rev/c9d680b00744" rel="noreferrer" target="_blank">http://hg.nginx.org/nginx/rev/c9d680b00744</a><br>
[3] <a href="https://en.wikipedia.org/wiki/Cache_replacement_policies#Segmented_LRU_(SLRU)" rel="noreferrer" target="_blank">https://en.wikipedia.org/wiki/Cache_replacement_policies#Segmented_LRU_(SLRU)</a><br>
<br>
-- <br>
Maxim Dounin<br>
<a href="http://mdounin.ru/" rel="noreferrer" target="_blank">http://mdounin.ru/</a><br>
<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Tue, 18 May 2021 07:29:20 +0530<br>
From: Amila Gunathilaka <<a href="mailto:amila.kdam@gmail.com" target="_blank">amila.kdam@gmail.com</a>><br>
To: <a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a>, <a href="mailto:nginx-request@nginx.org" target="_blank">nginx-request@nginx.org</a><br>
Subject: Help: Using Nginx Reverse Proxy bypass traffic in to a<br>
application running in a container<br>
Message-ID:<br>
<CALqQtdzar46fDhYTGOkbjAn0vhUeG3HWpYAxK9m=<a href="mailto:0NegXm2WXg@mail.gmail.com" target="_blank">0NegXm2WXg@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
><br>
> Hello All !<br>
<br>
<br>
I have nginx installed on my linux host and* listen on http port 80* and I<br>
want to bypass external traffic coming from external load balancer<br>
(up-stream server) into my *nginx reverse proxy server (80 port) *and want<br>
to bypass that http traffic into y application running in a docker<br>
container (application host port 9091),<br>
<br>
But my nginx configuration file didn't work as it always says *405 method<br>
not allowed* error when request passing from nginx into the external load<br>
balancer (up-stream server).<br>
<br>
Is anyone familiar with this kind of problem? my nginx configuration file<br>
is below.<br>
<br>
http {<br>
server {<br>
listen 80 proxy_protocol;<br>
#listen [::]:80 proxy_protocol;<br>
server_name 172.25.234.105;<br>
set_real_ip_from 172.25.234.2;<br>
real_ip_header proxy_protocol;<br>
<br>
location / {<br>
proxy_pass <a href="http://127.0.0.1:9091" rel="noreferrer" target="_blank">http://127.0.0.1:9091</a>;<br>
#proxy_http_version 1.1;<br>
proxy_set_header Upgrade $http_upgrade;<br>
proxy_set_header Connection 'upgrade';<br>
proxy_set_header Host $host;<br>
proxy_set_header X-Real-IP $proxy_protocol_addr;<br>
proxy_set_header X-Forwarded-For $proxy_protocol_addr;<br>
proxy_cache_bypass $http_upgrade;<br>
auth_basic "PROMETHEUS PUSHGATEWAY Login Area";<br>
auth_basic_user_file /etc/nginx/.htpasswd;<br>
}<br>
}<br>
}<br>
<br>
--<br>
Amila<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://mailman.nginx.org/pipermail/nginx/attachments/20210518/f4d248f5/attachment-0001.htm" rel="noreferrer" target="_blank">http://mailman.nginx.org/pipermail/nginx/attachments/20210518/f4d248f5/attachment-0001.htm</a>><br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Tue, 18 May 2021 07:02:08 -0400<br>
From: "hkaroly" <<a href="mailto:nginx-forum@forum.nginx.org" target="_blank">nginx-forum@forum.nginx.org</a>><br>
To: <a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>
Subject: How to spawn fastcgi c++ app on windows?<br>
Message-ID:<br>
<<a href="mailto:88445089077dd6ece3a75d7d5ba882fc.NginxMailingListEnglish@forum.nginx.org" target="_blank">88445089077dd6ece3a75d7d5ba882fc.NginxMailingListEnglish@forum.nginx.org</a>><br>
<br>
Content-Type: text/plain; charset=UTF-8<br>
<br>
I followed<br>
<a href="http://chriswu.me/blog/writing-hello-world-in-fcgi-with-c-plus-plus/" rel="noreferrer" target="_blank">http://chriswu.me/blog/writing-hello-world-in-fcgi-with-c-plus-plus/</a> to<br>
create a C++ fastcgi server app together with nginx. On linux is working<br>
fine. <br>
<br>
On Windows 10 however the server process is started by spawn-fcgi but later<br>
the FCGI_Accept_r() will return with an "Unkown listenType" internal error.<br>
I have the suspicion that spawn-fcgi is broken on Windows since the very<br>
same c++ build is working fine with apache. In case of apache there is no<br>
need to use spawn-fcgi , it can spawn the fastcgi process by it's own. I<br>
think spawn-fcgi is not forwarding the standard input/output and the<br>
standard error. <br>
<br>
I used Cygwin to build spawn-fcgi on windows.<br>
<br>
Is there an alternative to spawn-fcgi on windows ?<br>
<br>
Posted at Nginx Forum: <a href="https://forum.nginx.org/read.php?2,291545,291545#msg-291545" rel="noreferrer" target="_blank">https://forum.nginx.org/read.php?2,291545,291545#msg-291545</a><br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 4<br>
Date: Tue, 18 May 2021 16:44:26 +0530<br>
From: Anoop Alias <<a href="mailto:anoopalias01@gmail.com" target="_blank">anoopalias01@gmail.com</a>><br>
To: Nginx <<a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a>><br>
Subject: net::ERR_HTTP2_SERVER_REFUSED_STREAM<br>
Message-ID:<br>
<CAO6TEX3pfPNak23mbLu9fLKsz2uE4XU-70J1O=<a href="mailto:OnJwvexiFiUg@mail.gmail.com" target="_blank">OnJwvexiFiUg@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Hi,<br>
<br>
Browser consoles are showing error net::ERR_HTTP2_SERVER_REFUSED_STREAM and<br>
resources are not loading when enabling http2 ( see attached screenshot)<br>
<br>
The error go away when http2 is disabled<br>
<br>
#################################################<br>
[root@vps ~]# nginx -V<br>
nginx version: nginx/1.19.10<br>
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)<br>
built with OpenSSL 1.1.1k 25 Mar 2021<br>
TLS SNI support enabled<br>
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx<br>
--modules-path=/etc/nginx/modules --with-pcre=./pcre-8.44 --with-pcre-jit<br>
--with-zlib=./zlib-1.2.11 --with-openssl=./openssl-1.1.1k<br>
--with-openssl-opt=enable-tls1_3 --conf-path=/etc/nginx/nginx.conf<br>
--error-log-path=/var/log/nginx/error_log<br>
--http-log-path=/var/log/nginx/access_log --pid-path=/var/run/nginx.pid<br>
--lock-path=/var/run/nginx.lock<br>
--http-client-body-temp-path=/dev/shm/client_temp<br>
--http-proxy-temp-path=/dev/shm/proxy_temp<br>
--http-fastcgi-temp-path=/dev/shm/fastcgi_temp<br>
--http-uwsgi-temp-path=/dev/shm/uwsgi_temp<br>
--http-scgi-temp-path=/dev/shm/scgi_temp --user=nobody --group=nobody<br>
--with-http_ssl_module --with-http_realip_module<br>
--with-http_addition_module --with-http_sub_module --with-http_dav_module<br>
--with-http_flv_module --with-http_mp4_module --with-http_gunzip_module<br>
--with-http_gzip_static_module --with-http_random_index_module<br>
--with-http_secure_link_module --with-http_stub_status_module<br>
--with-http_auth_request_module --with-file-aio --with-threads<br>
--with-stream --with-stream_ssl_module --with-http_slice_module<br>
--with-compat --with-http_v2_module<br>
--add-dynamic-module=/usr/local/rvm/gems/ruby-2.6.6/gems/passenger-6.0.7/src/nginx_module<br>
--add-dynamic-module=echo-nginx-module-0.61<br>
--add-dynamic-module=headers-more-nginx-module-0.32<br>
--add-dynamic-module=ngx_http_redis-0.3.8<br>
--add-dynamic-module=redis2-nginx-module<br>
--add-dynamic-module=srcache-nginx-module-0.31<br>
--add-dynamic-module=ngx_devel_kit-0.3.0<br>
--add-dynamic-module=set-misc-nginx-module-0.31<br>
--add-dynamic-module=ngx_http_geoip2_module<br>
--add-dynamic-module=testcookie-nginx-module --with-cc-opt='-O2 -g -pipe<br>
-Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong<br>
--param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic'<br>
--with-ld-opt=-Wl,-E<br>
######################################################<br>
<br>
I had enabled debug logging, but it is hard to decipher for me the exact<br>
cause<br>
from the debug log<br>
<br>
I am using the latest nginx so <a href="https://trac.nginx.org/nginx/ticket/2155" rel="noreferrer" target="_blank">https://trac.nginx.org/nginx/ticket/2155</a> is<br>
ruled out as well<br>
<br>
Debug log -- <a href="https://autom8n.com/nginx_debug.txt" rel="noreferrer" target="_blank">https://autom8n.com/nginx_debug.txt</a><br>
<br>
Any help is much appreciated<br>
<br>
-- <br>
*Anoop P Alias*<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://mailman.nginx.org/pipermail/nginx/attachments/20210518/20362cc2/attachment.htm" rel="noreferrer" target="_blank">http://mailman.nginx.org/pipermail/nginx/attachments/20210518/20362cc2/attachment.htm</a>><br>
-------------- next part --------------<br>
A non-text attachment was scrubbed...<br>
Name: x2.png<br>
Type: image/png<br>
Size: 146746 bytes<br>
Desc: not available<br>
URL: <<a href="http://mailman.nginx.org/pipermail/nginx/attachments/20210518/20362cc2/attachment.png" rel="noreferrer" target="_blank">http://mailman.nginx.org/pipermail/nginx/attachments/20210518/20362cc2/attachment.png</a>><br>
<br>
------------------------------<br>
<br>
Subject: Digest Footer<br>
<br>
_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br>
<br>
------------------------------<br>
<br>
End of nginx Digest, Vol 139, Issue 19<br>
**************************************<br>
</blockquote></div>