The Wikimedia Foundation has been running nginx-1.9.3 patched for
multi-certificate support for all production TLS traffic for a few
weeks now without incident, for all inbound requests to Wikipedia and
other associated projects of the Foundation.
We initially used the older March variant of Filipe's patches (
), and last week we switched to using the April 27 variant (
), which is the last known public variant I'm aware of.
These were in turn based on kyprizel's patch (
), which was based on Rob's patch from nearly two years ago (
). It has a long and colorful history at this point :)
We've forward-ported Filipe's Apr 27 variant onto Debian's 1.9.3-1
package. Most of the porting was trivial (offsets / whitespace /
etc). There were a couple of slightly more substantial issues around
the newer OCSP Stapling valid-timestamp checking, and the porting of
the general multi-cert work to the newer stream modules. The
ported/updated variant of the patches we're running is available here
in our repo:
Our configuration uses a pair of otherwise-identical RSA and ECDSA
keys and an external OCSP ssl_stapling_file (certs are from
GlobalSign, chain/OCSP info is identical in the pair). Our typical
relevant config fragment in the server section looks like this:
Obviously, we'd rather get this work (or something similar) upstreamed
so that we don't have to maintain local patches for this indefinitely,
and so that everyone else can use it easily too. I'm assuming the
reason it wasn't merged in the past is there may be other issues
blocking the merge that just weren't relevant to our particular
configuration, or are just matters of cleanliness or implementation.
I'd be happy to work with whoever on resolving that and getting this
patchset into a merge-able state. Does anyone know what the
outstanding issues were/are? Some of the past list traffic on this is
a bit fragmented.
Some background: nginx 1.9.2, used as a cache, can get into the state
when it stops evicting the objects and eventually stops caching without
being able to recover. This happens when the disk is full. Consider the
following nginx.conf fragment:
proxy_cache_path /cache/nginx levels=1:2
proxy_temp_path /cache/nginx-tmp 1 2;
The disk is filled because the workers have been fetching the data from
the backend faster than the cache manager is able to evict:
$ df -h | grep cache
/dev/sdb1 8.7T 8.7T 16M 100% /cache
tmpfs 2.0G 0 2.0G 0% /cache/nginx-tmp
Since /cache and /cache/nginx-tmp are separate mount points, nginx has to
perform a copy instead of a rename. The copy function fails due to ENOSPC,
but ngx_ext_rename_file() does not clean up the failed target. At this
point, based on ngx_http_file_cache_sh_t::size, the cache manager believes
that the 8.5 TB threshold has not been crossed and nginx fails to recover.
Please find the patch attached.
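The failure mode described above (a cross-mount-point copy fails with ENOSPC and the partial target file is left behind, so the on-disk size accounting drifts from reality) as an added example; this is not the reporter's patch and not nginx's ngx_ext_rename_file(). The write hook, the function names and the /tmp paths are assumptions made so the ENOSPC case can be exercised offline without filling a disk:

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Illustrative code, not nginx's ngx_ext_rename_file(). The write hook is a
 * hypothetical seam that lets a test inject ENOSPC without filling a disk. */
typedef ssize_t (*write_fn)(int fd, const void *buf, size_t len);

static ssize_t real_write(int fd, const void *buf, size_t len)
{
    return write(fd, buf, len);
}

/* Simulates a full filesystem: every write fails with ENOSPC. */
static ssize_t enospc_write(int fd, const void *buf, size_t len)
{
    (void) fd; (void) buf; (void) len;
    errno = ENOSPC;
    return -1;
}

/* Copy src to dst (needed when rename() would cross a mount point). If
 * anything fails after dst has been created, remove dst so no partial
 * object lingers and the caller's on-disk size accounting stays truthful.
 * Returns 0 on success, -1 with errno set on failure. */
int copy_file_cleanup(const char *src, const char *dst, write_fn wr)
{
    char     buf[8192];
    ssize_t  n;
    int      err, in, out;

    if ((in = open(src, O_RDONLY)) < 0) {
        return -1;
    }
    if ((out = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0600)) < 0) {
        err = errno; close(in); errno = err;
        return -1;
    }
    while ((n = read(in, buf, sizeof(buf))) > 0) {
        const char *p = buf;
        while (n > 0) {
            ssize_t w = wr(out, p, (size_t) n);
            if (w < 0 && errno == EINTR) { continue; }
            if (w < 0) { err = errno; goto fail; }
            p += w; n -= w;
        }
    }
    if (n < 0) { err = errno; goto fail; }
    if (close(out) < 0) { err = errno; out = -1; goto fail; }
    close(in);
    return 0;

fail:
    if (out >= 0) { close(out); }
    close(in);
    unlink(dst);        /* the cleanup step the report says is missing */
    errno = err;
    return -1;
}

/* Constructed sample input written to a /tmp path for the demonstration. */
static int write_sample(const char *path)
{
    const char *body = "constructed cached response body\n";
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) { return -1; }
    if (write(fd, body, strlen(body)) != (ssize_t) strlen(body)) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Returns 1 when a normal copy succeeds and source and target sizes match. */
int demo_copy_ok(void)
{
    const char *src = "/tmp/ngx_copy_demo_src", *dst = "/tmp/ngx_copy_demo_dst";
    struct stat a, b;
    int ok;

    unlink(dst);
    if (write_sample(src) < 0 || copy_file_cleanup(src, dst, real_write) != 0) {
        return 0;
    }
    ok = stat(src, &a) == 0 && stat(dst, &b) == 0 && a.st_size == b.st_size;
    unlink(src); unlink(dst);
    return ok;
}

/* Returns 1 when a simulated ENOSPC reports the error and leaves no partial target. */
int demo_copy_enospc(void)
{
    const char *src = "/tmp/ngx_copy_demo_src2", *dst = "/tmp/ngx_copy_demo_dst2";
    int rc, saved, gone;

    unlink(dst);
    if (write_sample(src) < 0) {
        return 0;
    }
    rc = copy_file_cleanup(src, dst, enospc_write);
    saved = errno;
    gone = access(dst, F_OK) != 0;
    unlink(src);
    return rc == -1 && saved == ENOSPC && gone;
}
```

The point of the failure path is that the target is unlinked before the error is propagated: with that step in place the cache manager's view of bytes on disk matches the files that actually exist, so a full disk is reported once and the eviction logic can keep working instead of silently wedging.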
I am using nginx with an OpenSSL engine (Safenet Luna) which is a
wrapper over PKCS#11.
The handles returned by ENGINE_load_private_key cannot be used in child
processes (i.e. workers) due to PKCS#11, thus causing SSL connection
The private key seems to be loaded in ngx_ssl_certificate(); is there
a way to tell nginx to call this function per child process?
I checked the nginx code repository as well as the Internet to see if I could
get a Dockerfile to build nginx. I got a few references (like
https://github.com/dockerfile/nginx) but those are essentially to
_run_ nginx, not _build_ it.
I am looking to build different versions of nginx (say
top-of-the-tree, latest-stable etc.) easily. It would be very
convenient if a Dockerfile is presented with the source code which
will build one of the versions mentioned above. If required, a slight
modification can then build any version of nginx.
I would highly appreciate it if somebody could point me to a source where
I can get a Dockerfile which builds nginx.
user: Valentin Bartenev <vbart(a)nginx.com>
date: Mon Aug 31 23:26:33 2015 +0300
Decreased the NGX_HTTP_MAX_SUBREQUESTS limit.
There is not much sense in such a big value since its semantics
have been changed in 06e850859a26 to limit recursive subrequests.
src/http/ngx_http_request.h | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diffs (12 lines):
diff -r 8c6e71722aff -r 281863981d0b src/http/ngx_http_request.h
--- a/src/http/ngx_http_request.h Mon Aug 31 23:25:16 2015 +0300
+++ b/src/http/ngx_http_request.h Mon Aug 31 23:26:33 2015 +0300
@@ -10,7 +10,7 @@
#define NGX_HTTP_MAX_URI_CHANGES 10
-#define NGX_HTTP_MAX_SUBREQUESTS 200
+#define NGX_HTTP_MAX_SUBREQUESTS 50
/* must be 2^n */
#define NGX_HTTP_LC_HEADER_LEN 32
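Review bot: the lowered limit at `+#define NGX_HTTP_MAX_SUBREQUESTS 50` still has no comment saying what it bounds, while the commit message states that the meaning changed in 06e850859a26 from a total count to a cap on recursive subrequests; add a one-line comment above the define (for example `/* max depth of recursive subrequests */`) so a reader of the header does not assume it still caps the total number of subrequests per request, and since going from 200 to 50 is an observable change for configurations that nest subrequests deeply, the rationale belongs in a comment here rather than only in the changeset description.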
This is my first post so take it easy on me. :)
I'm doing security research about HTTP(S) web servers and I'm trying
to understand a little bit of the nginx source code.
In my research I need to understand how the function ngx_execute_proc
works and in which use cases this function is invoked.
I tried to read the source code to understand it but I'm not familiar
with the nginx source code and there are not many comments in it.
I tried to find specific material about the source code using Google
or the resource pages but I couldn't find any.
Is there any material that I can read to get a better understanding of
how ngx_execute_proc works and in which use cases this function is
Thanks in advance!
We are setting up a new server (from a VM image) and it works absolutely
fine with nginx 1.6. When we upgrade to the latest stable version (1.8.0), nginx
fails to start with the following error:
nginx: [emerg] unknown directive "set_escape_uri" in
nginx: configuration file /etc/nginx/nginx.conf test failed
We upgraded nginx to version 1.9.3 and it starts perfectly fine. So
before moving forward with 1.9.3, we just wanted to check whether it's a known
issue with 1.8.0 or whether we might be missing something. Please let me know
if I can share more information to help.
Have a great day ahead.
Thanks & Regards,
"Quality is never an accident. It is always result of intelligent effort" -