From francis at daoine.org  Sat Apr  1 07:32:58 2017
From: francis at daoine.org (Francis Daly)
Date: Sat, 1 Apr 2017 08:32:58 +0100
Subject: curl 301 moved permanently if I don't use slash at the end of the
 url
In-Reply-To: <a8ceb4623e3f203b5b8701506d7d3d78.NginxMailingListEnglish@forum.nginx.org>
References: <a8ceb4623e3f203b5b8701506d7d3d78.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170401073258.GA3428@daoine.org>

On Tue, Mar 28, 2017 at 12:56:13PM -0400, c4rl wrote:

Hi there,

> I need to list the content of some directories with curl without to use a
> '/' at the end of the url.

There's a relative-url reason why that is usually not a good idea,
which is probably why the defaults for many web servers' "auto-index"
feature do not do it, and instead issue the http 301.

It is reasonable and possible to do the directory listing the way you
want, but it is likely to include some extra coding (rather than just
configuration) on your part.

> If I do not use the slash then I receive the message below, otherwise the
> content is showed. I tried many rewrite rules without success.
> 
> [user at localhost ~]$ curl http://mydomain.example.com/data/foo

The important part of that response is in the http headers, that you
can see by (for example) adding "-i" after "curl". It will show the 301
response code, and the Location: header that includes the trailing /.

> [user at localhost ~]$ curl http://mydomain.example.com/data/foo/
> 
> <html>
> <head><title>Index of /data/foo/</title></head>
> <body bgcolor="white">
> <h1>Index of /data/foo/</h1><hr><pre><a href="../">../</a>
> <a href="57581/">57581/</a>                                            
> 12-Jul-2016 01:56                   -
> <a href="57582/">57582/</a>                                            
> 13-Jul-2016 01:55                   -
> <a href="57583/">57583/</a>                                            
> 14-Jul-2016 00:34                   -
> </pre><hr></body>
> </html>

You will have to write something that happens before nginx's in-built
default for a request with no trailing / that corresponds to a directory
name on the filesystem.

If you want the response to be html usable by a client, then the output
will not be identical to the above; instead the entries will have to be
of the form

 <a href="foo/57583/">57583/</a>
 14-Jul-2016 00:34                   -

(and you may or may not want one or both of the trailing / characters
there.)

> This is my vhost configuration:

>      location /data/foo {
>              alias /data/foo;
>              autoindex on;
>      }

I suspect that you would need something like

  location = /data/foo {
    my_special_autoindex on;
  }

where you must write the code behind "my_special_autoindex" yourself.

Or, more likely, use something like "try_files" (possibly in a chain)
to handle a generic url; if it does not end in / and does correspond
to a directory, then invoke your extra code -- which might be handled
by a fastcgi script you write, or by something you write in one of the
embedded languages in nginx.

It is possible that someone has already wanted the same thing as you,
and written a module to do it.

I'm not aware of that module.

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org

From francis at daoine.org  Sat Apr  1 08:04:09 2017
From: francis at daoine.org (Francis Daly)
Date: Sat, 1 Apr 2017 09:04:09 +0100
Subject: HTTP To TCP Conversion
In-Reply-To: <53963b88395836b0e4e13cd79bdd6f94.NginxMailingListEnglish@forum.nginx.org>
References: <250638451f747492a2e999de027298bb.NginxMailingListEnglish@forum.nginx.org>
 <53963b88395836b0e4e13cd79bdd6f94.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170401080409.GB3428@daoine.org>

On Wed, Mar 29, 2017 at 12:44:09PM -0400, nginxsantos wrote:

Hi there,

> Can someone please guide me on how this can be done. I am quite familiar
> with nginx code. If someone can guide me how this can be achieved (passing
> the incoming traffic over tcp connection to tcp clients), I can pick up...

Is there some part of the previously-mentioned nchan module design or
source that is unclear or inappropriate here?

I suspect that you may have a better chance of getting a specific answer,
if you ask a specific question.

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org

From 451174619 at qq.com  Sat Apr  1 10:52:29 2017
From: 451174619 at qq.com (=?gb18030?B?xq7Grs/j?=)
Date: Sat, 1 Apr 2017 18:52:29 +0800
Subject: No subject
Message-ID: <tencent_7B9BF78D69E935633BBFB9A4@qq.com>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170401/ac3db5e7/attachment.html>

From francis at daoine.org  Sat Apr  1 11:36:41 2017
From: francis at daoine.org (Francis Daly)
Date: Sat, 1 Apr 2017 12:36:41 +0100
Subject: how to proxy a proxy (subrequest with corporate proxy)
In-Reply-To: <e8fc10006ac031f08f4d39a4abc69288.NginxMailingListEnglish@forum.nginx.org>
References: <e8fc10006ac031f08f4d39a4abc69288.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170401113641.GC3428@daoine.org>

On Thu, Mar 30, 2017 at 06:13:59PM -0400, CeeGeeDev wrote:

Hi there,

> It's not clear to us how to configure a "web proxy" for a subrequest, since
> the subrequest itself is already basically a "proxy" call.

Stock nginx does not speak proxied-http to a http proxy.

I suspect that the facility will only become available when someone
wants it enough to write the code, or to cause the code to be written.


If you have a config that works well-enough on your system (as in: your
proxy server is configured in a transparent-like manner, and accepts http
requests to itself and then reverse-proxies the world), then continuing
to use that config is probably appropriate.

That is: if

>     location /custom/main/request/url {
>           proxy_buffering off;
>           proxy_pass_header on;
>           proxy_set_header Host "www.origin-server.com";
>           proxy_pass http://corporate_proxy;
>     }

does everything that you want normally, then something like

> location /subrequest {
>     proxy_buffering off;
>     proxy_pass_header on;
>     proxy_set_header Host "rest_server";
>     proxy_pass http://corporate_proxy;
> }

may work for your subrequests.

	f
-- 
Francis Daly        francis at daoine.org

From francis at daoine.org  Sat Apr  1 11:57:28 2017
From: francis at daoine.org (Francis Daly)
Date: Sat, 1 Apr 2017 12:57:28 +0100
Subject: Nginx cookie map regex remove + character
In-Reply-To: <1f42674cd2c11aa7d9eed7cc33fb3887.NginxMailingListEnglish@forum.nginx.org>
References: <1f42674cd2c11aa7d9eed7cc33fb3887.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170401115728.GD3428@daoine.org>

On Fri, Mar 24, 2017 at 05:18:23PM -0400, c0nw0nk wrote:

Hi there,

> The cookie name = a MD5 sum the full / complete value of the cookie seems to
> cut of at a plus + symbol

Your regex piece is

(?<session_value>[\w]{1,}+)

which says to match one or more \w characters ({1,}), one or more times (+)

\w is "word character", which is alnum-or-underscore.

> What would the correct regex to be to ignore / remove + symbols from
> "session_value"

If you want to match "word character or plus", use something like [\w+].

And then also probably remove one of "{1,}" and "+", since they mean
the same thing and having both is redundant.

	f
-- 
Francis Daly        francis at daoine.org

From nginx-forum at forum.nginx.org  Sat Apr  1 12:06:53 2017
From: nginx-forum at forum.nginx.org (JohnCarne)
Date: Sat, 01 Apr 2017 08:06:53 -0400
Subject: Memory issue
In-Reply-To: <f9b894c82cbf4d618eec8dc6afdcd9e4.NginxMailingListEnglish@forum.nginx.org>
References: <f9b894c82cbf4d618eec8dc6afdcd9e4.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <b353adfaa74389fe2a8b3a472bf1f983.NginxMailingListEnglish@forum.nginx.org>

We made a lot of tests, removing brotli, geoip, we can't solve the issue

i suspect : 	
nginx: cache manager process
simple bug !

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273274,273303#msg-273303


From dynasticspace at gmail.com  Sun Apr  2 06:42:00 2017
From: dynasticspace at gmail.com (Dynastic Space)
Date: Sun, 2 Apr 2017 09:42:00 +0300
Subject: Configuring a subnet in an upstream server
Message-ID: <CAEU5HDagpe=p2+TUpCo7Z1avpN2F7eF5iX1pTArufYinuR2=Uw@mail.gmail.com>

Is it possible to configure a collection of servers using subnet notation
in the upstream server knob? e.g. server 192.168.0.0/16.

Thanks,

Dynastic
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170402/0faa2c8a/attachment.html>

From alexshe at wix.com  Sun Apr  2 11:33:07 2017
From: alexshe at wix.com (Alex Shemshurenko)
Date: Sun, 2 Apr 2017 14:33:07 +0300
Subject: Cashing packages for npm registry with NGINX
Message-ID: <CACbOrbYo_4CaaOPureL-OG4dO3NP2-MJ9EsbPiZgThf5s7SQ-w@mail.gmail.com>

My project is javascript app. I have lots of dependencies. I/O for npm
registry takes major portion of CI execution. So my idea is to setup NGINX
in front of npm registry and cache tgz files downloads. Im running Ubuntu
14.04. NGINX version is 1.4.6

This is my nginx configuration script

user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##

    # access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    include /etc/nginx/conf.d/*.conf;
    #   include /etc/nginx/sites-enabled/*;
    # HTTP 1.1 support
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_set_header Host $http_host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $proxy_connection;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
    proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
    proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;

    # If we receive X-Forwarded-Proto, pass it through; otherwise,
pass along the
    # scheme used to connect to this server
    map $http_x_forwarded_proto $proxy_x_forwarded_proto {
        default $http_x_forwarded_proto;
        ''      $scheme;
    }

    # If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
    # server port the client connected to
    map $http_x_forwarded_port $proxy_x_forwarded_port {
        default $http_x_forwarded_port;
        ''      $server_port;
    }

    # If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
    # Connection header that may have been passed to this server
    map $http_upgrade $proxy_connection {
        default upgrade;
        '' close;
    }

    # Set appropriate X-Forwarded-Ssl header
    map $scheme $proxy_x_forwarded_ssl {
        default off;
        https on;
    }

    server {
        listen 80 default_server;

       location / {
            access_log /var/log/nginx/root.log;
            root       /var/tmp/nginx/npm;
            try_files  $request_uri @fetch;
        }

        location @fetch {
                internal;
                proxy_pass              http://nmregistry:4873$request_uri;
                proxy_store             /var/tmp/nginx/npm$request_uri;
                proxy_set_header   Host             $host;
                proxy_set_header   X-Real-IP        $remote_addr;
                proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
                proxy_store_access      user:rw group:rw all:r;
        }
    }
}

It works, i can install packages but they are not cached on NGINX machine.
Cant see any tgz files in /var/tmp/nginx/npm

What am i doing wrong here?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170402/945f0662/attachment-0001.html>

From nginx-forum at forum.nginx.org  Sun Apr  2 16:35:36 2017
From: nginx-forum at forum.nginx.org (JohnCarne)
Date: Sun, 02 Apr 2017 12:35:36 -0400
Subject: Memory issue
In-Reply-To: <f9b894c82cbf4d618eec8dc6afdcd9e4.NginxMailingListEnglish@forum.nginx.org>
References: <f9b894c82cbf4d618eec8dc6afdcd9e4.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <8ba2a49360d927558c886494f23834a7.NginxMailingListEnglish@forum.nginx.org>

After upgrade and recompilation, issue is much less important, it increase
only by 0.17% for an antire stats processing cycle, but issue remain
unsolved....



[root at web1 ~]# nginx -V
nginx version: nginx/1.11.12
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)
built with LibreSSL 2.5.1
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx
--modules-path=/etc/nginx/modules --with-pcre=./pcre-8.40 --with-pcre-jit
--with-zlib=./zlib-1.2.11 --with-openssl=./libressl-2.5.1
--conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error_log
--http-log-path=/var/log/nginx/access_log --pid-path=/var/run/nginx.pid
--lock-path=/var/run/nginx.lock
--http-client-body-temp-path=/var/cache/nginx/client_temp
--http-proxy-temp-path=/var/cache/nginx/proxy_temp
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
--http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nobody
--group=nobody --with-http_ssl_module --with-http_realip_module
--with-http_addition_module --with-http_sub_module --with-http_dav_module
--with-http_flv_module --with-http_mp4_module --with-http_gunzip_module
--with-http_gzip_static_module --with-http_random_index_module
--with-http_secure_link_module --with-http_stub_status_module
--with-http_auth_request_module --add-dynamic-module=naxsi-http2/naxsi_src
--with-file-aio --with-threads --with-stream --with-stream_ssl_module
--with-http_slice_module --with-compat --with-http_v2_module
--with-http_geoip_module=dynamic
--add-dynamic-module=ngx_pagespeed-release-1.11.33.4-beta
--add-dynamic-module=/usr/local/rvm/gems/ruby-2.3.1/gems/passenger-5.1.2/src/nginx_module
--add-dynamic-module=ngx_brotli --add-dynamic-module=echo-nginx-module-0.60
--add-dynamic-module=headers-more-nginx-module-0.32
--add-dynamic-module=ngx_http_redis-0.3.8
--add-dynamic-module=redis2-nginx-module
--add-dynamic-module=srcache-nginx-module-0.31
--add-dynamic-module=ngx_devel_kit-0.3.0
--add-dynamic-module=set-misc-nginx-module-0.31
--add-dynamic-module=ModSecurity-nginx --with-cc-opt='-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
--param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic'
--with-ld-opt=-Wl,-E


#Core Functionality

user  nobody;
worker_processes  8;
pid        /var/run/nginx.pid;
pcre_jit on;
error_log /var/log/nginx/error_log;
#error_log /home/abackup/debug.log debug;
worker_rlimit_nofile 300000;

#Load Dynamic Modules
include /etc/nginx/modules.d/*.load;

events {
worker_connections 8192;
use epoll;
multi_accept on;
accept_mutex off;
}

#Settings For other core modules like for example the stream module
include /etc/nginx/conf.d/main_custom_include.conf;

#Settings for the http core module
include /etc/nginx/conf.d/http_settings_custom.conf;

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273274,273304#msg-273304


From nginx-forum at forum.nginx.org  Mon Apr  3 05:09:14 2017
From: nginx-forum at forum.nginx.org (t.nishiyori)
Date: Mon, 03 Apr 2017 01:09:14 -0400
Subject: slice module got error when contents of upstream was updated
Message-ID: <4ef1fc0f6fa76c990ec96744742637fb.NginxMailingListEnglish@forum.nginx.org>

Helle, 

I'm using nginx with slice module as a proxy.

One day, I got an error log such like a "etag mismatch in slice response
while reading response header from upstream".

The cause of this error was occurred when that some parts of response was
cached before updating the upstream contents but others was not cached.
So it's not be solved until the cache period is expired.

Do you have any solutions for this error?
I hope the slice module change the status of related caches to disable, when
the slice module got this error.

Thank you.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273307,273307#msg-273307


From nginx-forum at forum.nginx.org  Mon Apr  3 06:15:01 2017
From: nginx-forum at forum.nginx.org (sv_91)
Date: Mon, 03 Apr 2017 02:15:01 -0400
Subject: slow keep-alive with generic kernel
In-Reply-To: <b504ac08451930f8235330d09f7ac014.NginxMailingListEnglish@forum.nginx.org>
References: <b504ac08451930f8235330d09f7ac014.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <71d26618dda870c8d76560644ca44f98.NginxMailingListEnglish@forum.nginx.org>

Here is a demo example
https://gist.github.com/magisterRab/6b7132e0b9e88baa4b7e0e69a2ff0aab
if in line 120 remove writeRequest(fd), then the speed of the test will fall
2 times

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273276,273308#msg-273308


From reallfqq-nginx at yahoo.fr  Mon Apr  3 08:04:46 2017
From: reallfqq-nginx at yahoo.fr (B.R.)
Date: Mon, 3 Apr 2017 10:04:46 +0200
Subject: Configuring a subnet in an upstream server
In-Reply-To: <CAEU5HDagpe=p2+TUpCo7Z1avpN2F7eF5iX1pTArufYinuR2=Uw@mail.gmail.com>
References: <CAEU5HDagpe=p2+TUpCo7Z1avpN2F7eF5iX1pTArufYinuR2=Uw@mail.gmail.com>
Message-ID: <CALqce=1zf5553tBju7ph9WxbP7o2d0NHyeoJu15ud8BGpKRA5g@mail.gmail.com>

What would be the meaning of that?

How do you route traffic to 192.168.0.0? Do you really want to send
requests to 192.168.255.255?
How would you handle requests sent to some servers (but not all) if some
are not responsive?

I suspect what you want to use is dynamic IP addresses for your backends.
Good news: you can use domain names.?
---
*B. R.*

On Sun, Apr 2, 2017 at 8:42 AM, Dynastic Space <dynasticspace at gmail.com>
wrote:

> Is it possible to configure a collection of servers using subnet notation
> in the upstream server knob? e.g. server 192.168.0.0/16.
>
> Thanks,
>
> Dynastic
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170403/02ab720d/attachment.html>

From reallfqq-nginx at yahoo.fr  Mon Apr  3 08:12:04 2017
From: reallfqq-nginx at yahoo.fr (B.R.)
Date: Mon, 3 Apr 2017 10:12:04 +0200
Subject: Nginx cookie map regex remove + character
In-Reply-To: <20170401115728.GD3428@daoine.org>
References: <1f42674cd2c11aa7d9eed7cc33fb3887.NginxMailingListEnglish@forum.nginx.org>
 <20170401115728.GD3428@daoine.org>
Message-ID: <CALqce=128ijQo7GiCXno-orafmWxEdz0y8krcq4pYUFXeeECbQ@mail.gmail.com>

On Sat, Apr 1, 2017 at 1:57 PM, Francis Daly <francis at daoine.org> wrote:

> If you want to match "word character or plus", use something like [\w+].
>

?Defining a pattern over a simple assertion is kinda strange?. '[' & ']'
are useless here, since you are not matching several symbols.
Use (?<session_value>\w+) and you should be all set.

Btw, if you were to use '+', [\w+] and [\w]+ have different meaning: first
quantifier applies to '\w' only while latter applies to all the symbols in
the pattern.
?---
*B. R.*?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170403/edd5976c/attachment.html>

From ignatenko at estaxi.ru  Mon Apr  3 08:17:19 2017
From: ignatenko at estaxi.ru (=?UTF-8?B?0JjQs9C90LDRgtC10L3QutC+INCc0LDQutGB0LjQvA==?=)
Date: Mon, 3 Apr 2017 14:17:19 +0600
Subject: Nginx redirect preserving source hostname
Message-ID: <73da404a-13ac-8123-f35d-3d52ad1d414b@estaxi.ru>

I have an NGINX as reverse proxy with PHP-fpm. Nginx is set up for 
serving www.somehost.com. I added another host www.anotherhost.com. Now 
I need to setup redirect in this way: If user type www.anotherhost.com 
then it redirects to www.somehost.com/someurl, but url in browser bar 
shouldn't change. If I set up rewrite it works, but it rewrites url in 
browser too.

|if ($host = "www.anotherhost.com") { rewrite ^ 
http://www.somehost.com/someurl; }|


Is it possible to redirect preserving url ?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170403/f203c1a1/attachment-0001.html>

From arut at nginx.com  Mon Apr  3 10:36:52 2017
From: arut at nginx.com (Roman Arutyunyan)
Date: Mon, 3 Apr 2017 13:36:52 +0300
Subject: slice module got error when contents of upstream was updated
In-Reply-To: <4ef1fc0f6fa76c990ec96744742637fb.NginxMailingListEnglish@forum.nginx.org>
References: <4ef1fc0f6fa76c990ec96744742637fb.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170403103652.GA97890@Romans-MacBook-Air.local>

Hi,

On Mon, Apr 03, 2017 at 01:09:14AM -0400, t.nishiyori wrote:
> Helle, 
> 
> I'm using nginx with slice module as a proxy.
> 
> One day, I got an error log such like a "etag mismatch in slice response
> while reading response header from upstream".
> 
> The cause of this error was occurred when that some parts of response was
> cached before updating the upstream contents but others was not cached.
> So it's not be solved until the cache period is expired.
> 
> Do you have any solutions for this error?
> I hope the slice module change the status of related caches to disable, when
> the slice module got this error.

It's supposed that the proxied response never changes.  If it does, the module
aborts sending the response and produces the error you have mentioned.
There's no simple way of making the output consistent for changeable responses
without introducing a significant overhead.

-- 
Roman Arutyunyan

From nginx-forum at forum.nginx.org  Mon Apr  3 13:21:10 2017
From: nginx-forum at forum.nginx.org (sachin.shetty@gmail.com)
Date: Mon, 03 Apr 2017 09:21:10 -0400
Subject: How to encrypt proxy cache
Message-ID: <828054c9fa2636011d2975d783306112.NginxMailingListEnglish@forum.nginx.org>

Hi,

We are testing using nginx as a file cache  in front of our app, but the
contents of the proxy cache directory are readable to any body who has
access to the machine. Is there a way to encrypt the files stored in the
proxy cache folder so that it' not exposed to the naked eye but nginx
decrypts it on the fly before serving it to the user. 

Thanks
Sachin

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273311,273311#msg-273311


From rainer at ultra-secure.de  Mon Apr  3 13:42:28 2017
From: rainer at ultra-secure.de (rainer at ultra-secure.de)
Date: Mon, 03 Apr 2017 15:42:28 +0200
Subject: How to encrypt proxy cache
In-Reply-To: <828054c9fa2636011d2975d783306112.NginxMailingListEnglish@forum.nginx.org>
References: <828054c9fa2636011d2975d783306112.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <02a961b2830ed7a5da4ef399fcf325d5@ultra-secure.de>

Am 2017-04-03 15:21, schrieb sachin.shetty at gmail.com:
> Hi,
> 
> We are testing using nginx as a file cache  in front of our app, but 
> the
> contents of the proxy cache directory are readable to any body who has
> access to the machine. Is there a way to encrypt the files stored in 
> the
> proxy cache folder so that it' not exposed to the naked eye but nginx
> decrypts it on the fly before serving it to the user.



Run it on a machine that only authorized users have access to.

Servers from HP let you encrypt the harddrives through the 
RAID-controller.




From mdounin at mdounin.ru  Mon Apr  3 14:04:21 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Mon, 3 Apr 2017 17:04:21 +0300
Subject: How to encrypt proxy cache
In-Reply-To: <828054c9fa2636011d2975d783306112.NginxMailingListEnglish@forum.nginx.org>
References: <828054c9fa2636011d2975d783306112.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170403140420.GX13617@mdounin.ru>

Hello!

On Mon, Apr 03, 2017 at 09:21:10AM -0400, sachin.shetty at gmail.com wrote:

> We are testing using nginx as a file cache  in front of our app, but the
> contents of the proxy cache directory are readable to any body who has
> access to the machine. Is there a way to encrypt the files stored in the
> proxy cache folder so that it' not exposed to the naked eye but nginx
> decrypts it on the fly before serving it to the user. 

Files in the proxy cache folder are protected using normal access 
control, nginx uses 0600 access mask for all cache files and 
directories.  They aren't expected to be readable by anyone except 
nginx itself.  This is believed to be enough to prevent any 
unauthorized access on software level.

If you also want to protect data from attackers with physical 
access to the server, consider using disk encryption and/or 
filesystem-level encryption.  It is not likely to solve the 
problem completely, but may help in some simple cases.

-- 
Maxim Dounin
http://nginx.org/

From nginx-forum at forum.nginx.org  Mon Apr  3 15:50:22 2017
From: nginx-forum at forum.nginx.org (sachin.shetty@gmail.com)
Date: Mon, 03 Apr 2017 11:50:22 -0400
Subject: How to encrypt proxy cache
In-Reply-To: <20170403140420.GX13617@mdounin.ru>
References: <20170403140420.GX13617@mdounin.ru>
Message-ID: <fe9a19167bd9cc2d165f02f476d54d83.NginxMailingListEnglish@forum.nginx.org>

Thanks Maxim for the reply. We have evaluated disk based encryption etc, but
that does not prevent sysadmins from viewing user data which is a problem
for us. 

Do you think we could build something using lua and intercept read and
wriite call from cache?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273311,273354#msg-273354


From rainer at ultra-secure.de  Mon Apr  3 15:57:23 2017
From: rainer at ultra-secure.de (rainer at ultra-secure.de)
Date: Mon, 03 Apr 2017 17:57:23 +0200
Subject: How to encrypt proxy cache
In-Reply-To: <fe9a19167bd9cc2d165f02f476d54d83.NginxMailingListEnglish@forum.nginx.org>
References: <20170403140420.GX13617@mdounin.ru>
 <fe9a19167bd9cc2d165f02f476d54d83.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <3bcdb813a81e34c5aaf7a432b5ae4d4c@ultra-secure.de>

Am 2017-04-03 17:50, schrieb sachin.shetty at gmail.com:
> Thanks Maxim for the reply. We have evaluated disk based encryption 
> etc, but
> that does not prevent sysadmins from viewing user data which is a 
> problem
> for us.

Then you should put your servers someplace where you trust your the 
sysadmins.

Because ultimately, you will have to.

They could just replace the lua-script with something that makes an 
unencrypted copy to some other place, couldn't they?

From dynasticspace at gmail.com  Mon Apr  3 16:09:12 2017
From: dynasticspace at gmail.com (Dynastic Space)
Date: Mon, 3 Apr 2017 19:09:12 +0300
Subject: Configuring a subnet in an upstream server
In-Reply-To: <CALqce=1zf5553tBju7ph9WxbP7o2d0NHyeoJu15ud8BGpKRA5g@mail.gmail.com>
References: <CAEU5HDagpe=p2+TUpCo7Z1avpN2F7eF5iX1pTArufYinuR2=Uw@mail.gmail.com>
 <CALqce=1zf5553tBju7ph9WxbP7o2d0NHyeoJu15ud8BGpKRA5g@mail.gmail.com>
Message-ID: <CAEU5HDYbW150N+bu2EG8_QrdjRQVV40fsQmDQp_3b-P7hnZXvg@mail.gmail.com>

I used a poor example.
The functionality I was interested in was adding a range of application
servers, all part of the same domain.

D

On Mon, Apr 3, 2017 at 11:04 AM, B.R. via nginx <nginx at nginx.org> wrote:

> What would be the meaning of that?
>
> How do you route traffic to 192.168.0.0? Do you really want to send
> requests to 192.168.255.255?
> How would you handle requests sent to some servers (but not all) if some
> are not responsive?
>
> I suspect what you want to use is dynamic IP addresses for your backends.
> Good news: you can use domain names.?
> ---
> *B. R.*
>
> On Sun, Apr 2, 2017 at 8:42 AM, Dynastic Space <dynasticspace at gmail.com>
> wrote:
>
>> Is it possible to configure a collection of servers using subnet notation
>> in the upstream server knob? e.g. server 192.168.0.0/16.
>>
>> Thanks,
>>
>> Dynastic
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170403/e910a698/attachment.html>

From lists-nginx at swsystem.co.uk  Mon Apr  3 16:14:59 2017
From: lists-nginx at swsystem.co.uk (Steve Wilson)
Date: Mon, 03 Apr 2017 17:14:59 +0100
Subject: How to encrypt proxy cache
In-Reply-To: <fe9a19167bd9cc2d165f02f476d54d83.NginxMailingListEnglish@forum.nginx.org>
References: <20170403140420.GX13617@mdounin.ru>
 <fe9a19167bd9cc2d165f02f476d54d83.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <70400adc98e893e43ced9f283b8bd044@swsystem.co.uk>

On 03/04/2017 16:50, sachin.shetty at gmail.com wrote:
> Thanks Maxim for the reply. We have evaluated disk based encryption 
> etc, but
> that does not prevent sysadmins from viewing user data which is a 
> problem
> for us.
> 
> Do you think we could build something using lua and intercept read and
> wriite call from cache?
> 
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?2,273311,273354#msg-273354
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

With root level access I doubt you'll be able to meet your requirements. 
There's tools like ssldump which can be used to decrypt the network 
traffic, even implementing something via a module/lua would require the 
encryption key to be read and available for the sysadmins to use.

Personally I'd look at avoiding caching if it's got sensitive data by 
identifying common request data (paths/cookies etc) and excluding from 
the cache.

Alternatively, as Maxim has said, review and restrict access to the 
server.

Steve.

From dewanggaba at xtremenitro.org  Mon Apr  3 16:42:45 2017
From: dewanggaba at xtremenitro.org (Dewangga Bachrul Alam)
Date: Mon, 3 Apr 2017 23:42:45 +0700
Subject: How to encrypt proxy cache
In-Reply-To: <828054c9fa2636011d2975d783306112.NginxMailingListEnglish@forum.nginx.org>
References: <828054c9fa2636011d2975d783306112.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <5ea92758-9d76-7fb8-dc2e-3fa8af5ab302@xtremenitro.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello!

On 04/03/2017 08:21 PM, sachin.shetty at gmail.com wrote:
> Hi,
> 
> We are testing using nginx as a file cache  in front of our app,
> but the contents of the proxy cache directory are readable to any
> body who has access to the machine.

[..]

> Is there a way to encrypt the files stored in the proxy cache
> folder so that it' not exposed to the naked eye but nginx decrypts
> it on the fly before serving it to the user.

I didn't get your expectations and why you doing this. Then if the
content can publicly visible over nginx, why the sysadmin or other
trying to break the proxy cache directly?

I think they (your engineer) will call the URL directly over the
browser. (eg. http://localhost/this/should/be/secret) isn't it?

If your expectations is encrypt/encode the url and should be visible
to authorized user only, it's more possible.

> 
> Thanks Sachin
> 
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?2,273311,273311#msg-273311
> 
> _______________________________________________ nginx mailing list 
> nginx at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQI4BAEBCAAiBQJY4nuBGxxkZXdhbmdnYWJhQHh0cmVtZW5pdHJvLm9yZwAKCRDl
f9IgoCjNcAxNEACatmZrvqDVQ2NGCfZ/T73qcPnTe4daLSkXo8/3VPdhTPDdilzx
Q6HWTWxarkbt2WX9/3F/Xpmp244UGUIySdGS2jMrC7dcx7mJD/Ts0G13XZk/X9aS
S1bbOUpuCMCkypaENkQAe7nubYiFZfeB3uANfhiOrJOa7DUN7QQJCDZzubBd/FV/
eRz5tfV7z0wI5PkwSn670lq/lTiaMamkjEEvOMFz2O7gA0+jl+OxC2wM9NJRTmkl
Z1NamP5CgYUmcXdx7AS0hBh7UFdAV+Nk/qfs1PtyXqssmbm9dZ869Ppixh84k+3i
foG1zMdMUHZIFdnLjEtcEruzv4fLuQCgqEmWRA5FGylQ0v3zBjfst6aj06s1R5Dk
dwdIsNTB2F4tYsL4fusmdbrFY+/4igsuDtEZpF0KTyKGPquDUxN7MZRN4D5OoBhn
U6i6d2qr5iE4Xs/2E1rOtEIEiZYZTHdCXj9xE5+hJjVuYb6V2G6XTLMF8ToYLNlF
VBpewPJ3IkLyRbiRw9ssqank/al//BICXa/dklDcUM2N4F57gXdvuFn10u22DYhr
8Dz2NKFM0YftVcNmqJ8yNit5WUQEr1fhX4GWrHhle0GTlz19lrsuc/QsQEqrHVUU
oDBahO35+B7ifXlrwY7Rpy3EjmvyYws/422pH3y2fsZBbHB6oJJEGsrpuw==
=hU4o
-----END PGP SIGNATURE-----

From nginx-forum at forum.nginx.org  Mon Apr  3 17:56:24 2017
From: nginx-forum at forum.nginx.org (shivramg94)
Date: Mon, 03 Apr 2017 13:56:24 -0400
Subject: Nginx upstream server certificate verification
In-Reply-To: <C7DF9D5A-C046-40EF-A8DE-C620C596ECA1@nginx.com>
References: <C7DF9D5A-C046-40EF-A8DE-C620C596ECA1@nginx.com>
Message-ID: <dd5fe98d54b1ab3c90db8990afde12eb.NginxMailingListEnglish@forum.nginx.org>

Thank Sergey, for you response.

I have one more question. If I have multiple upstream server host names in
the upstream server block, then how can I specify the specific upstream
server host name to which the request is being proxied, in the
proxy_ssl_name directive?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273295,273355#msg-273355


From vukomir at ianculov.ro  Mon Apr  3 19:57:55 2017
From: vukomir at ianculov.ro (Vucomir Ianculov)
Date: Mon, 3 Apr 2017 21:57:55 +0200 (CEST)
Subject: fastcgi_pass and http upstream
In-Reply-To: <472601813.102.1490887692149.JavaMail.vukomir@DESKTOP-9I7P6HN>
References: <1839306171.950.1490211424022.JavaMail.vukomir@DESKTOP-9I7P6HN>
 <946720374.959.1490212018452.JavaMail.vukomir@DESKTOP-9I7P6HN>
 <CABDaVUPkW1C5btbfLq_Gc_kKy4my+05BOVEA9rdfu3LUzJjjDQ@mail.gmail.com>
 <472601813.102.1490887692149.JavaMail.vukomir@DESKTOP-9I7P6HN>
Message-ID: <540425890.43.1491249475361.JavaMail.vukomir@DESKTOP-9I7P6HN>

cab someone please help me with an example? 



----- Original Message -----

From: "Vucomir Ianculov via nginx" <nginx at nginx.org> 
To: "Yuriy Medvedev" <medvedev.yp at gmail.com> 
Cc: "Vucomir Ianculov" <vukomir at ianculov.ro>, nginx at nginx.org 
Sent: Thursday, March 30, 2017 6:28:16 PM 
Subject: Re: fastcgi_pass and http upstream 


Hi 

i have search on the documentation but i was not able to find it, can you please give me an example on who it's done? 


Thanks. 

----- Original Message -----

From: "Yuriy Medvedev" <medvedev.yp at gmail.com> 
To: nginx at nginx.org 
Cc: "Vucomir Ianculov" <vukomir at ianculov.ro> 
Sent: Wednesday, March 22, 2017 9:57:40 PM 
Subject: Re: fastcgi_pass and http upstream 


Yes, it is possible. Please read the documentation. 


22 ????? 2017 ?. 22:47 ???????????? "Vucomir Ianculov via nginx" < nginx at nginx.org > ???????: 




corrected question 

i have a situation where i have 2 Apache backed server and 2 php-fpm backed server. i would like to setup up a upstream to include all 4 back-ends or somehow to balance the requestion on all 4 back-ends back-ends. 
is it possible? 

Thanks. 


Br, 
Vuko 



From: "Vucomir Ianculov via nginx" < nginx at nginx.org > 
To: "nginx" < nginx at nginx.org > 
Cc: "Vucomir Ianculov" < vukomir at ianculov.ro > 
Sent: Wednesday, March 22, 2017 9:37:04 PM 
Subject: fastcgi_pass and http upstream 


Hi, 

is is possible to have a upstream that contains point to http and phpfpm? 



_______________________________________________ 
nginx mailing list 
nginx at nginx.org 
http://mailman.nginx.org/mailman/listinfo/nginx 

_______________________________________________ 
nginx mailing list 
nginx at nginx.org 
http://mailman.nginx.org/mailman/listinfo/nginx 




_______________________________________________ 
nginx mailing list 
nginx at nginx.org 
http://mailman.nginx.org/mailman/listinfo/nginx 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170403/9de2a6fd/attachment.html>

From francis at daoine.org  Mon Apr  3 22:32:39 2017
From: francis at daoine.org (Francis Daly)
Date: Mon, 3 Apr 2017 23:32:39 +0100
Subject: fastcgi_pass and http upstream
In-Reply-To: <946720374.959.1490212018452.JavaMail.vukomir@DESKTOP-9I7P6HN>
References: <1839306171.950.1490211424022.JavaMail.vukomir@DESKTOP-9I7P6HN>
 <946720374.959.1490212018452.JavaMail.vukomir@DESKTOP-9I7P6HN>
Message-ID: <20170403223239.GE3428@daoine.org>

On Wed, Mar 22, 2017 at 08:47:00PM +0100, Vucomir Ianculov via nginx wrote:

Hi there,

> i have a situation where i have 2 Apache backed server and 2 php-fpm backed server. i would like to setup up a upstream to include all 4 back-ends or somehow to balance the requestion on all 4 back-ends back-ends. 
> is it possible? 

You have two http servers, and two fastcgi servers; and you want nginx
to handle a single request by using the appropriate one of proxy_pass
and fastcgi_pass, with telling nginx which one to use?

I do not think that it can be done.

You can share certain requests among the http servers; and you can share
certain other requests among the fastcgi servers; but I believe you
can't have a single incoming request balanced across different protocols
in stock nginx.

	f
-- 
Francis Daly        francis at daoine.org

From francis at daoine.org  Mon Apr  3 22:37:20 2017
From: francis at daoine.org (Francis Daly)
Date: Mon, 3 Apr 2017 23:37:20 +0100
Subject: Nginx cookie map regex remove + character
In-Reply-To: <CALqce=128ijQo7GiCXno-orafmWxEdz0y8krcq4pYUFXeeECbQ@mail.gmail.com>
References: <1f42674cd2c11aa7d9eed7cc33fb3887.NginxMailingListEnglish@forum.nginx.org>
 <20170401115728.GD3428@daoine.org>
 <CALqce=128ijQo7GiCXno-orafmWxEdz0y8krcq4pYUFXeeECbQ@mail.gmail.com>
Message-ID: <20170403223720.GF3428@daoine.org>

On Mon, Apr 03, 2017 at 10:12:04AM +0200, B.R. via nginx wrote:
> On Sat, Apr 1, 2017 at 1:57 PM, Francis Daly <francis at daoine.org> wrote:
> 
> > If you want to match "word character or plus", use something like [\w+].
> >
> 
> ?Defining a pattern over a simple assertion is kinda strange?. '[' & ']'
> are useless here, since you are not matching several symbols.

I think we may be reading the original question differently.

I read it that the current regex matches one or more letter-or-number, and
what is wanted is something to match one or more letter-or-number-or-plus.

> Use (?<session_value>\w+) and you should be all set.
> 
> Btw, if you were to use '+', [\w+] and [\w]+ have different meaning: first
> quantifier applies to '\w' only while latter applies to all the symbols in
> the pattern.

The first + is not a quantifier. At least, in the regex engine I use.

	f
-- 
Francis Daly        francis at daoine.org

From marc at soda.fm  Tue Apr  4 02:04:27 2017
From: marc at soda.fm (Marc Soda)
Date: Mon, 3 Apr 2017 22:04:27 -0400
Subject: Binary upgrade with systemd
Message-ID: <13581B52-CB54-41F0-B01A-0B160C024E00@soda.fm>

Hello,

I?m using nginx 1.10.3 custom built on Ubuntu 16.04.  I?m also using the recommended systemd service file:

[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target

I?m try to do a no downtime upgrade with the USR2 and WINCH signals.  Here is my process list before:

root     32277  0.0  0.4 1056672 71148 ?       Ss   21:51   0:00 nginx: master process /usr/local/nginx/sbin/nginx
www      32278  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32279  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32280  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32281  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32282  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32283  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32288  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32289  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32290  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32291  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32292  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32293  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32294  0.0  0.4 1056672 72212 ?       S    21:51   0:00  \_ nginx: cache manager process

and here it is after sending USR2:

root     32277  0.0  0.4 1056672 71868 ?       Ss   21:51   0:00 nginx: master process /usr/local/nginx/sbin/nginx
www      32278  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32279  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32280  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32281  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32282  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32283  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32288  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32289  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32290  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32291  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32292  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32293  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32294  0.0  0.4 1056672 72212 ?       S    21:51   0:00  \_ nginx: cache manager process
root     32461  5.5  0.5 1056676 82316 ?       S    22:01   0:00  \_ nginx: master process /usr/local/nginx/sbin/nginx
www      32465  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32466  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32467  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32468  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32469  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32470  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32471  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32472  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32473  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32474  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32475  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32476  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32477  0.0  0.4 1056676 72176 ?       S    22:01   0:00      \_ nginx: cache manager process
www      32478  0.0  0.4 1056676 72176 ?       S    22:01   0:00      \_ nginx: cache loader process

Notice how the new master is a child of the old master.  If I send a WINCH I get:

root     32277  0.0  0.4 1056672 71868 ?       Ss   21:51   0:00 nginx: master process /usr/local/nginx/sbin/nginx
root     32461  0.2  0.5 1056676 82316 ?       S    22:01   0:00  \_ nginx: master process /usr/local/nginx/sbin/nginx
www      32465  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32466  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32467  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32468  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32469  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32470  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32471  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32472  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32473  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32474  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32475  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32476  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32477  0.0  0.4 1056676 72176 ?       S    22:01   0:00      \_ nginx: cache manager process
www      32478  0.0  0.4 1056676 72176 ?       S    22:01   0:00      \_ nginx: cache loader process

which is not what I?m looking for.  Is this a limitation when running with systemd?

Thanks,
Marc
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170403/77f2bdbf/attachment-0001.html>

From nginx-forum at forum.nginx.org  Tue Apr  4 02:42:38 2017
From: nginx-forum at forum.nginx.org (sachin.shetty@gmail.com)
Date: Mon, 03 Apr 2017 22:42:38 -0400
Subject: How to encrypt proxy cache
In-Reply-To: <5ea92758-9d76-7fb8-dc2e-3fa8af5ab302@xtremenitro.org>
References: <5ea92758-9d76-7fb8-dc2e-3fa8af5ab302@xtremenitro.org>
Message-ID: <bddaaa6a2c6686949a8c605ed4544ddc.NginxMailingListEnglish@forum.nginx.org>

Hi,

The information is not publicly available, it is protected by
authentication, we have an auth plugin which makes sure auth happens before
the request is routed to this cache.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273311,273363#msg-273363


From dritto77 at gmail.com  Tue Apr  4 07:31:19 2017
From: dritto77 at gmail.com (Jagannath Naidu)
Date: Tue, 4 Apr 2017 13:01:19 +0530
Subject: Nginx map module regex in file
Message-ID: <CAHD7qx3jLzJZ97AdmW0Wd=HKXObkYhGOV_bPahkuZv6NSL4E-g@mail.gmail.com>

Hi,

I am trying to redirect some urls to a different document path. My
configuration file is as follows


############ /etc/nginx/conf.d/site.conf ############################
*map_hash_max_size 2048;*
*map_hash_bucket_size 128;*
*map $uri $new {*
*        include list_4;*
*}*
resolver  127.0.0.1;
server {
        listen         81;
        server_name abcexample.com;
        access_log /var/log/nginx/abcexample-access.log main;
        error_log  /var/log/nginx/abcexample-error.log;
        location / {
*                if ($new) {*
*                  rewrite ^ $new redirect;*
*                }*
              proxy_pass http://127.0.0.1:8000;
        }

################# /etc/nginx/list_4 ##############################
/abc/1.html /abc/hello;
/max/1.html /max/;
~^/xyz/(?<abc>.*)$ /xyz/123;
*~^/kkkk/abcdef(?<abc>.*)$ /tttt/bbbbb/jjjj$abc;*

*~^/kaka/(?<abc>.*)$ /tata/$abc;*


Note:
line 1,2 and 3 redirects are working fine.
But line 4 and 5 are not working.


*root at Hell1:~# curl -I abcexample.com/kkkk/abcef111.html
<http://abcexample.com/kkkk/abcef111.html> *
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Tue, 04 Apr 2017 07:08:47 GMT
Content-Type: text/html
Content-Length: 154
*Location: http://abcdexample.com/tttt/bbbbb/jjjj$abc
<http://abcdexample.com/tttt/bbbbb/jjjj$abc>*
Connection: keep-alive

My Question is:
What changes do I have to do in list_4 file to get results as follows
*Location: http://abcdexample.com/news/bbbbb/jjjj111.html
<http://abcdexample.com/news/bbbbb/jjjj111.html> *


Thanks in advance
- Jagan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170404/953e2db0/attachment.html>

From mailinglist at unix-solution.de  Tue Apr  4 08:33:13 2017
From: mailinglist at unix-solution.de (basti)
Date: Tue, 4 Apr 2017 10:33:13 +0200
Subject: Allow /.well-known/acme-challenge but deny dot files
Message-ID: <afd8d801-9bf6-9ed0-caab-b4e6b119b815@unix-solution.de>

Hello,

at the Moment I use this config

# Deny access to all .invisible files.
location ~ /\. { deny  all; access_log off; log_not_found off; }


Now I need access to Let's Encrypt acme-challenge and add this to my
config before deny all .invisible files, now it looks like

...
# Allow Let's Encrypt acme-challenge
location /.well-known/acme-challenge { allow all; access_log on; }

# Deny access to all .invisible files.
location ~ /\. { deny  all; access_log off; log_not_found off; }
...

I have reload nginx but I have no access to
http://example.com/.well-known/acme-challenge

Log say "access forbidden by rule."
Is there a way to allow /.well-known/ and deny all other?

Best Regards,
basti

From martin at martin-wolfert.de  Tue Apr  4 08:36:05 2017
From: martin at martin-wolfert.de (Martin Wolfert)
Date: Tue, 4 Apr 2017 10:36:05 +0200
Subject: Allow /.well-known/acme-challenge but deny dot files
In-Reply-To: <afd8d801-9bf6-9ed0-caab-b4e6b119b815@unix-solution.de>
References: <afd8d801-9bf6-9ed0-caab-b4e6b119b815@unix-solution.de>
Message-ID: <209e8cba-b001-6588-7994-163b17a07be1@martin-wolfert.de>

Hi,

try this:

# Allow access to the letsencrypt ACME Challenge
location ~ /\.well-known\/acme-challenge {
     allow all;
}

Best,
Martin


Am 04.04.2017 um 10:33 schrieb basti:
> Hello,
>
> at the Moment I use this config
>
> # Deny access to all .invisible files.
> location ~ /\. { deny  all; access_log off; log_not_found off; }
>
>
> Now I need access to Let's Encrypt acme-challenge and add this to my
> config before deny all .invisible files, now it looks like
>
> ...
> # Allow Let's Encrypt acme-challenge
> location /.well-known/acme-challenge { allow all; access_log on; }
>
> # Deny access to all .invisible files.
> location ~ /\. { deny  all; access_log off; log_not_found off; }
> ...
>
> I have reload nginx but I have no access to
> http://example.com/.well-known/acme-challenge
>
> Log say "access forbidden by rule."
> Is there a way to allow /.well-known/ and deny all other?
>
> Best Regards,
> basti
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx


From lucas at lucasrolff.com  Tue Apr  4 08:43:48 2017
From: lucas at lucasrolff.com (Lucas Rolff)
Date: Tue, 4 Apr 2017 08:43:48 +0000
Subject: Binary upgrade with systemd
In-Reply-To: <13581B52-CB54-41F0-B01A-0B160C024E00@soda.fm>
References: <13581B52-CB54-41F0-B01A-0B160C024E00@soda.fm>
Message-ID: <0C53A9B0-9050-4128-9B0E-094920A12D75@lucasrolff.com>

Hello Marc,

For which PID do you send the WINCH signal?


From: nginx <nginx-bounces at nginx.org<mailto:nginx-bounces at nginx.org>> on behalf of Marc Soda <marc at soda.fm<mailto:marc at soda.fm>>
Reply-To: "nginx at nginx.org<mailto:nginx at nginx.org>" <nginx at nginx.org<mailto:nginx at nginx.org>>
Date: Tuesday, 4 April 2017 at 04.04
To: "nginx at nginx.org<mailto:nginx at nginx.org>" <nginx at nginx.org<mailto:nginx at nginx.org>>
Subject: Binary upgrade with systemd

Hello,

I?m using nginx 1.10.3 custom built on Ubuntu 16.04.  I?m also using the recommended systemd service file:

[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target

I?m try to do a no downtime upgrade with the USR2 and WINCH signals.  Here is my process list before:

root     32277  0.0  0.4 1056672 71148 ?       Ss   21:51   0:00 nginx: master process /usr/local/nginx/sbin/nginx
www      32278  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32279  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32280  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32281  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32282  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32283  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32288  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32289  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32290  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32291  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32292  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32293  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32294  0.0  0.4 1056672 72212 ?       S    21:51   0:00  \_ nginx: cache manager process

and here it is after sending USR2:

root     32277  0.0  0.4 1056672 71868 ?       Ss   21:51   0:00 nginx: master process /usr/local/nginx/sbin/nginx
www      32278  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32279  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32280  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32281  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32282  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32283  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32288  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32289  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32290  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32291  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32292  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32293  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
www      32294  0.0  0.4 1056672 72212 ?       S    21:51   0:00  \_ nginx: cache manager process
root     32461  5.5  0.5 1056676 82316 ?       S    22:01   0:00  \_ nginx: master process /usr/local/nginx/sbin/nginx
www      32465  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32466  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32467  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32468  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32469  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32470  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32471  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32472  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32473  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32474  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32475  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32476  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32477  0.0  0.4 1056676 72176 ?       S    22:01   0:00      \_ nginx: cache manager process
www      32478  0.0  0.4 1056676 72176 ?       S    22:01   0:00      \_ nginx: cache loader process

Notice how the new master is a child of the old master.  If I send a WINCH I get:

root     32277  0.0  0.4 1056672 71868 ?       Ss   21:51   0:00 nginx: master process /usr/local/nginx/sbin/nginx
root     32461  0.2  0.5 1056676 82316 ?       S    22:01   0:00  \_ nginx: master process /usr/local/nginx/sbin/nginx
www      32465  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32466  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32467  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32468  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32469  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32470  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32471  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32472  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32473  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32474  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32475  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32476  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
www      32477  0.0  0.4 1056676 72176 ?       S    22:01   0:00      \_ nginx: cache manager process
www      32478  0.0  0.4 1056676 72176 ?       S    22:01   0:00      \_ nginx: cache loader process

which is not what I?m looking for.  Is this a limitation when running with systemd?

Thanks,
Marc
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170404/9ed0ec2c/attachment-0001.html>

From anoopalias01 at gmail.com  Tue Apr  4 08:45:28 2017
From: anoopalias01 at gmail.com (Anoop Alias)
Date: Tue, 4 Apr 2017 14:15:28 +0530
Subject: Allow /.well-known/acme-challenge but deny dot files
In-Reply-To: <209e8cba-b001-6588-7994-163b17a07be1@martin-wolfert.de>
References: <afd8d801-9bf6-9ed0-caab-b4e6b119b815@unix-solution.de>
 <209e8cba-b001-6588-7994-163b17a07be1@martin-wolfert.de>
Message-ID: <CAO6TEX1aSC6jaon3XCkveRoLD8j5Obedtj0wSAuKkD3RgRShsg@mail.gmail.com>

You can put it above the other deny location
# Allow "Well-Known URIs" as per RFC 5785
location ~* ^/.well-known/ {
allow all;
}



On Tue, Apr 4, 2017 at 2:06 PM, Martin Wolfert <martin at martin-wolfert.de>
wrote:

> Hi,
>
> try this:
>
> # Allow access to the letsencrypt ACME Challenge
> location ~ /\.well-known\/acme-challenge {
>     allow all;
> }
>
> Best,
> Martin
>
>
>
> Am 04.04.2017 um 10:33 schrieb basti:
>
>> Hello,
>>
>> at the Moment I use this config
>>
>> # Deny access to all .invisible files.
>> location ~ /\. { deny  all; access_log off; log_not_found off; }
>>
>>
>> Now I need access to Let's Encrypt acme-challenge and add this to my
>> config before deny all .invisible files, now it looks like
>>
>> ...
>> # Allow Let's Encrypt acme-challenge
>> location /.well-known/acme-challenge { allow all; access_log on; }
>>
>> # Deny access to all .invisible files.
>> location ~ /\. { deny  all; access_log off; log_not_found off; }
>> ...
>>
>> I have reload nginx but I have no access to
>> http://example.com/.well-known/acme-challenge
>>
>> Log say "access forbidden by rule."
>> Is there a way to allow /.well-known/ and deny all other?
>>
>> Best Regards,
>> basti
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>



-- 
*Anoop P Alias*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170404/9bee2894/attachment.html>

From me at myconan.net  Tue Apr  4 08:53:17 2017
From: me at myconan.net (nanaya)
Date: Tue, 04 Apr 2017 17:53:17 +0900
Subject: Allow /.well-known/acme-challenge but deny dot files
Message-ID: <1491295997.255390.933478024.36571118@webmail.messagingengine.com>

Hi,

On Tue, Apr 4, 2017, at 17:45, Anoop Alias wrote:
> You can put it above the other deny location
> # Allow "Well-Known URIs" as per RFC 5785
> location ~* ^/.well-known/ {
> allow all;
> }
> 

Or use "^~" because it's of higher precedence compared to "~".

> If the longest matching prefix location has the ?^~? modifier then regular expressions are not checked. 

http://nginx.org/r/location

location ^~ /.well-known/ { }

From shahzaib.cb at gmail.com  Tue Apr  4 11:24:48 2017
From: shahzaib.cb at gmail.com (shahzaib mushtaq)
Date: Tue, 4 Apr 2017 16:24:48 +0500
Subject: No referrer header on leacher's site !!
Message-ID: <CAD3xhrNF-EWWv_kXF9POfr+EgTfdJ1FWeAH=sNgQvaxX3NwvgQ@mail.gmail.com>

Hi,

We came across a website who is playing our video links remotely. Since
we've hotlinking protection enabled based on referrer headers so i checked
the request header by playing that video & found out that *referrer header
was missing* in the browser's requests header tab.

Then to generate same issue on our end, i statically added the video link
in player on different domain & tried to play that video remotely which was
successfully forbidden & browser *had referrer header *as well.

Please have a note that he didn't embedded the video from our website, he's
putting direct mp4 links & they are being played without any referrer
header in the requests.

Thanks for your help in advance !!

Regards.
Shahzaib
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170404/b27b1f7e/attachment.html>

From me at myconan.net  Tue Apr  4 11:32:06 2017
From: me at myconan.net (nanaya)
Date: Tue, 04 Apr 2017 20:32:06 +0900
Subject: No referrer header on leacher's site !!
In-Reply-To: <CAD3xhrNF-EWWv_kXF9POfr+EgTfdJ1FWeAH=sNgQvaxX3NwvgQ@mail.gmail.com>
References: <CAD3xhrNF-EWWv_kXF9POfr+EgTfdJ1FWeAH=sNgQvaxX3NwvgQ@mail.gmail.com>
Message-ID: <1491305526.712318.933610512.31DF5DC8@webmail.messagingengine.com>

Hi,

On Tue, Apr 4, 2017, at 20:24, shahzaib mushtaq wrote:
> Hi,
> 
> We came across a website who is playing our video links remotely. Since
> we've hotlinking protection enabled based on referrer headers so i
> checked
> the request header by playing that video & found out that *referrer
> header
> was missing* in the browser's requests header tab.
> 

If your site isn't https but his site is, some browsers by default don't
send referrer header. There are also various other referrer policies
with varying level of support:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

http://caniuse.com/#search=referrer%20policy

From shahzaib.cb at gmail.com  Tue Apr  4 11:39:23 2017
From: shahzaib.cb at gmail.com (shahzaib mushtaq)
Date: Tue, 4 Apr 2017 16:39:23 +0500
Subject: No referrer header on leacher's site !!
In-Reply-To: <1491305526.712318.933610512.31DF5DC8@webmail.messagingengine.com>
References: <CAD3xhrNF-EWWv_kXF9POfr+EgTfdJ1FWeAH=sNgQvaxX3NwvgQ@mail.gmail.com>
 <1491305526.712318.933610512.31DF5DC8@webmail.messagingengine.com>
Message-ID: <CAD3xhrMoACZ0p5DGt35MAydLDdLm1Z6=iv4+kh223yRtmgQ8wg@mail.gmail.com>

Hi,

Thanks for quick response. Well its reverse, he's putting our HTTPS video
link on his HTTP website. Could that create issue as well? If yes, what's
the fix of it.

Again thanks for your help.

On Tue, Apr 4, 2017 at 4:32 PM, nanaya <me at myconan.net> wrote:

> Hi,
>
> On Tue, Apr 4, 2017, at 20:24, shahzaib mushtaq wrote:
> > Hi,
> >
> > We came across a website who is playing our video links remotely. Since
> > we've hotlinking protection enabled based on referrer headers so i
> > checked
> > the request header by playing that video & found out that *referrer
> > header
> > was missing* in the browser's requests header tab.
> >
>
> If your site isn't https but his site is, some browsers by default don't
> send referrer header. There are also various other referrer policies
> with varying level of support:
>
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
>
> http://caniuse.com/#search=referrer%20policy
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170404/34cc73d5/attachment.html>

From marc at soda.fm  Tue Apr  4 11:41:00 2017
From: marc at soda.fm (Marc Soda)
Date: Tue, 4 Apr 2017 07:41:00 -0400
Subject: Binary upgrade with systemd
In-Reply-To: <0C53A9B0-9050-4128-9B0E-094920A12D75@lucasrolff.com>
References: <13581B52-CB54-41F0-B01A-0B160C024E00@soda.fm>
 <0C53A9B0-9050-4128-9B0E-094920A12D75@lucasrolff.com>
Message-ID: <878FBB66-318B-458B-9792-90C2767518C6@soda.fm>

I sent WINCH to the old master.  In this case 32277.

After sending WINCH, I can send QUIT to the old master and it exits.  Everything looks fine at that point.  But it seems a little odd to have to do this.

> On Apr 4, 2017, at 4:43 AM, Lucas Rolff <lucas at lucasrolff.com> wrote:
> 
> Hello Marc,
> 
> For which PID do you send the WINCH signal?
> 
> 
> From: nginx <nginx-bounces at nginx.org <mailto:nginx-bounces at nginx.org>> on behalf of Marc Soda <marc at soda.fm <mailto:marc at soda.fm>>
> Reply-To: "nginx at nginx.org <mailto:nginx at nginx.org>" <nginx at nginx.org <mailto:nginx at nginx.org>>
> Date: Tuesday, 4 April 2017 at 04.04
> To: "nginx at nginx.org <mailto:nginx at nginx.org>" <nginx at nginx.org <mailto:nginx at nginx.org>>
> Subject: Binary upgrade with systemd
> 
> Hello,
> 
> I?m using nginx 1.10.3 custom built on Ubuntu 16.04.  I?m also using the recommended systemd service file:
> 
> [Unit]
> Description=The NGINX HTTP and reverse proxy server
> After=syslog.target network.target remote-fs.target nss-lookup.target
> 
> [Service]
> Type=forking
> PIDFile=/run/nginx.pid
> ExecStartPre=/usr/sbin/nginx -t
> ExecStart=/usr/sbin/nginx
> ExecReload=/bin/kill -s HUP $MAINPID
> ExecStop=/bin/kill -s QUIT $MAINPID
> PrivateTmp=true
> 
> [Install]
> WantedBy=multi-user.target
> 
> I?m try to do a no downtime upgrade with the USR2 and WINCH signals.  Here is my process list before:
> 
> root     32277  0.0  0.4 1056672 71148 ?       Ss   21:51   0:00 nginx: master process /usr/local/nginx/sbin/nginx
> www      32278  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
> www      32279  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
> www      32280  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
> www      32281  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
> www      32282  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
> www      32283  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
> www      32288  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
> www      32289  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
> www      32290  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
> www      32291  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
> www      32292  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
> www      32293  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
> www      32294  0.0  0.4 1056672 72212 ?       S    21:51   0:00  \_ nginx: cache manager process
> 
> and here it is after sending USR2:
> 
> root     32277  0.0  0.4 1056672 71868 ?       Ss   21:51   0:00 nginx: master process /usr/local/nginx/sbin/nginx
> www      32278  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
> www      32279  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
> www      32280  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
> www      32281  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
> www      32282  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
> www      32283  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
> www      32288  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
> www      32289  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
> www      32290  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
> www      32291  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
> www      32292  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
> www      32293  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
> www      32294  0.0  0.4 1056672 72212 ?       S    21:51   0:00  \_ nginx: cache manager process
> root     32461  5.5  0.5 1056676 82316 ?       S    22:01   0:00  \_ nginx: master process /usr/local/nginx/sbin/nginx
> www      32465  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
> www      32466  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
> www      32467  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
> www      32468  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
> www      32469  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
> www      32470  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
> www      32471  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
> www      32472  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
> www      32473  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
> www      32474  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
> www      32475  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
> www      32476  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
> www      32477  0.0  0.4 1056676 72176 ?       S    22:01   0:00      \_ nginx: cache manager process
> www      32478  0.0  0.4 1056676 72176 ?       S    22:01   0:00      \_ nginx: cache loader process
> 
> Notice how the new master is a child of the old master.  If I send a WINCH I get:
> 
> root     32277  0.0  0.4 1056672 71868 ?       Ss   21:51   0:00 nginx: master process /usr/local/nginx/sbin/nginx
> root     32461  0.2  0.5 1056676 82316 ?       S    22:01   0:00  \_ nginx: master process /usr/local/nginx/sbin/nginx
> www      32465  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
> www      32466  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
> www      32467  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
> www      32468  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
> www      32469  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
> www      32470  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
> www      32471  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
> www      32472  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
> www      32473  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
> www      32474  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
> www      32475  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
> www      32476  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
> www      32477  0.0  0.4 1056676 72176 ?       S    22:01   0:00      \_ nginx: cache manager process
> www      32478  0.0  0.4 1056676 72176 ?       S    22:01   0:00      \_ nginx: cache loader process
> 
> which is not what I?m looking for.  Is this a limitation when running with systemd?
> 
> Thanks,
> Marc
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170404/bc83374f/attachment-0001.html>

From lucas at slcoding.com  Tue Apr  4 11:45:46 2017
From: lucas at slcoding.com (Lucas Rolff)
Date: Tue, 04 Apr 2017 13:45:46 +0200
Subject: Binary upgrade with systemd
In-Reply-To: <878FBB66-318B-458B-9792-90C2767518C6@soda.fm>
References: <13581B52-CB54-41F0-B01A-0B160C024E00@soda.fm>
 <0C53A9B0-9050-4128-9B0E-094920A12D75@lucasrolff.com>
 <878FBB66-318B-458B-9792-90C2767518C6@soda.fm>
Message-ID: <58E3876A.5030801@slcoding.com>

According to the documentation: 
http://nginx.org/en/docs/control.html#upgrade

You'd have to send the QUIT signal to finish off upgrading (replacing) 
the binary during runtime.

Marc Soda wrote:
> I sent WINCH to the old master.  In this case 32277.
>
> After sending WINCH, I can send QUIT to the old master and it exits. 
>  Everything looks fine at that point.  But it seems a little odd to 
> have to do this.
>
>> On Apr 4, 2017, at 4:43 AM, Lucas Rolff <lucas at lucasrolff.com 
>> <mailto:lucas at lucasrolff.com>> wrote:
>>
>> Hello Marc,
>>
>> For which PID do you send the WINCH signal?
>>
>>
>> From: nginx <nginx-bounces at nginx.org 
>> <mailto:nginx-bounces at nginx.org>> on behalf of Marc Soda 
>> <marc at soda.fm <mailto:marc at soda.fm>>
>> Reply-To: "nginx at nginx.org <mailto:nginx at nginx.org>" <nginx at nginx.org 
>> <mailto:nginx at nginx.org>>
>> Date: Tuesday, 4 April 2017 at 04.04
>> To: "nginx at nginx.org <mailto:nginx at nginx.org>" <nginx at nginx.org 
>> <mailto:nginx at nginx.org>>
>> Subject: Binary upgrade with systemd
>>
>>     Hello,
>>
>>     I?m using nginx 1.10.3 custom built on Ubuntu 16.04.  I?m also
>>     using the recommended systemd service file:
>>
>>     [Unit]
>>     Description=The NGINX HTTP and reverse proxy server
>>     After=syslog.target network.target remote-fs.target nss-lookup.target
>>
>>     [Service]
>>     Type=forking
>>     PIDFile=/run/nginx.pid
>>     ExecStartPre=/usr/sbin/nginx -t
>>     ExecStart=/usr/sbin/nginx
>>     ExecReload=/bin/kill -s HUP $MAINPID
>>     ExecStop=/bin/kill -s QUIT $MAINPID
>>     PrivateTmp=true
>>
>>     [Install]
>>     WantedBy=multi-user.target
>>
>>     I?m try to do a no downtime upgrade with the USR2 and WINCH
>>     signals.  Here is my process list before:
>>
>>     root     32277  0.0  0.4 1056672 71148 ?       Ss   21:51   0:00
>>     nginx: master process /usr/local/nginx/sbin/nginx
>>     www      32278  0.0  0.4 1057924 73152 ?       S<   21:51   0:00
>>      \_ nginx: worker process
>>     www      32279  0.0  0.4 1057924 73152 ?       S<   21:51   0:00
>>      \_ nginx: worker process
>>     www      32280  0.0  0.4 1057924 73152 ?       S<   21:51   0:00
>>      \_ nginx: worker process
>>     www      32281  0.0  0.4 1057924 73152 ?       S<   21:51   0:00
>>      \_ nginx: worker process
>>     www      32282  0.0  0.4 1057924 73152 ?       S<   21:51   0:00
>>      \_ nginx: worker process
>>     www      32283  0.0  0.4 1057924 73152 ?       S<   21:51   0:00
>>      \_ nginx: worker process
>>     www      32288  0.0  0.4 1057924 73152 ?       S<   21:51   0:00
>>      \_ nginx: worker process
>>     www      32289  0.0  0.4 1057924 73152 ?       S<   21:51   0:00
>>      \_ nginx: worker process
>>     www      32290  0.0  0.4 1057924 73152 ?       S<   21:51   0:00
>>      \_ nginx: worker process
>>     www      32291  0.0  0.4 1057924 73152 ?       S<   21:51   0:00
>>      \_ nginx: worker process
>>     www      32292  0.0  0.4 1057924 73152 ?       S<   21:51   0:00
>>      \_ nginx: worker process
>>     www      32293  0.0  0.4 1057924 73152 ?       S<   21:51   0:00
>>      \_ nginx: worker process
>>     www      32294  0.0  0.4 1056672 72212 ?       S    21:51   0:00
>>      \_ nginx: cache manager process
>>
>>     and here it is after sending USR2:
>>
>>     root     32277  0.0  0.4 1056672 71868 ?       Ss   21:51   0:00
>>     nginx: master process /usr/local/nginx/sbin/nginx
>>     www      32278  0.0  0.4 1057924 73152 ?       S<   21:51   0:00
>>      \_ nginx: worker process
>>     www      32279  0.0  0.4 1057924 73152 ?       S<   21:51   0:00
>>      \_ nginx: worker process
>>     www      32280  0.0  0.4 1057924 73152 ?       S<   21:51   0:00
>>      \_ nginx: worker process
>>     www      32281  0.0  0.4 1057924 73152 ?       S<   21:51   0:00
>>      \_ nginx: worker process
>>     www      32282  0.0  0.4 1057924 73152 ?       S<   21:51   0:00
>>      \_ nginx: worker process
>>     www      32283  0.0  0.4 1057924 73152 ?       S<   21:51   0:00
>>      \_ nginx: worker process
>>     www      32288  0.0  0.4 1057924 73152 ?       S<   21:51   0:00
>>      \_ nginx: worker process
>>     www      32289  0.0  0.4 1057924 73152 ?       S<   21:51   0:00
>>      \_ nginx: worker process
>>     www      32290  0.0  0.4 1057924 73152 ?       S<   21:51   0:00
>>      \_ nginx: worker process
>>     www      32291  0.0  0.4 1057924 73152 ?       S<   21:51   0:00
>>      \_ nginx: worker process
>>     www      32292  0.0  0.4 1057924 73152 ?       S<   21:51   0:00
>>      \_ nginx: worker process
>>     www      32293  0.0  0.4 1057924 73152 ?       S<   21:51   0:00
>>      \_ nginx: worker process
>>     www      32294  0.0  0.4 1056672 72212 ?       S    21:51   0:00
>>      \_ nginx: cache manager process
>>     root     32461  5.5  0.5 1056676 82316 ?       S    22:01   0:00
>>      \_ nginx: master process /usr/local/nginx/sbin/nginx
>>     www      32465  0.0  0.4 1057928 73052 ?       S<   22:01   0:00
>>          \_ nginx: worker process
>>     www      32466  0.0  0.4 1057928 73052 ?       S<   22:01   0:00
>>          \_ nginx: worker process
>>     www      32467  0.0  0.4 1057928 73052 ?       S<   22:01   0:00
>>          \_ nginx: worker process
>>     www      32468  0.0  0.4 1057928 73052 ?       S<   22:01   0:00
>>          \_ nginx: worker process
>>     www      32469  0.0  0.4 1057928 73052 ?       S<   22:01   0:00
>>          \_ nginx: worker process
>>     www      32470  0.0  0.4 1057928 73052 ?       S<   22:01   0:00
>>          \_ nginx: worker process
>>     www      32471  0.0  0.4 1057928 73052 ?       S<   22:01   0:00
>>          \_ nginx: worker process
>>     www      32472  0.0  0.4 1057928 73052 ?       S<   22:01   0:00
>>          \_ nginx: worker process
>>     www      32473  0.0  0.4 1057928 73052 ?       S<   22:01   0:00
>>          \_ nginx: worker process
>>     www      32474  0.0  0.4 1057928 73052 ?       S<   22:01   0:00
>>          \_ nginx: worker process
>>     www      32475  0.0  0.4 1057928 73052 ?       S<   22:01   0:00
>>          \_ nginx: worker process
>>     www      32476  0.0  0.4 1057928 73052 ?       S<   22:01   0:00
>>          \_ nginx: worker process
>>     www      32477  0.0  0.4 1056676 72176 ?       S    22:01   0:00
>>          \_ nginx: cache manager process
>>     www      32478  0.0  0.4 1056676 72176 ?       S    22:01   0:00
>>          \_ nginx: cache loader process
>>
>>     Notice how the new master is a child of the old master.  If I
>>     send a WINCH I get:
>>
>>     root     32277  0.0  0.4 1056672 71868 ?       Ss   21:51   0:00
>>     nginx: master process /usr/local/nginx/sbin/nginx
>>     root     32461  0.2  0.5 1056676 82316 ?       S    22:01   0:00
>>      \_ nginx: master process /usr/local/nginx/sbin/nginx
>>     www      32465  0.0  0.4 1057928 73052 ?       S<   22:01   0:00
>>          \_ nginx: worker process
>>     www      32466  0.0  0.4 1057928 73052 ?       S<   22:01   0:00
>>          \_ nginx: worker process
>>     www      32467  0.0  0.4 1057928 73052 ?       S<   22:01   0:00
>>          \_ nginx: worker process
>>     www      32468  0.0  0.4 1057928 73052 ?       S<   22:01   0:00
>>          \_ nginx: worker process
>>     www      32469  0.0  0.4 1057928 73052 ?       S<   22:01   0:00
>>          \_ nginx: worker process
>>     www      32470  0.0  0.4 1057928 73052 ?       S<   22:01   0:00
>>          \_ nginx: worker process
>>     www      32471  0.0  0.4 1057928 73052 ?       S<   22:01   0:00
>>          \_ nginx: worker process
>>     www      32472  0.0  0.4 1057928 73052 ?       S<   22:01   0:00
>>          \_ nginx: worker process
>>     www      32473  0.0  0.4 1057928 73052 ?       S<   22:01   0:00
>>          \_ nginx: worker process
>>     www      32474  0.0  0.4 1057928 73052 ?       S<   22:01   0:00
>>          \_ nginx: worker process
>>     www      32475  0.0  0.4 1057928 73052 ?       S<   22:01   0:00
>>          \_ nginx: worker process
>>     www      32476  0.0  0.4 1057928 73052 ?       S<   22:01   0:00
>>          \_ nginx: worker process
>>     www      32477  0.0  0.4 1056676 72176 ?       S    22:01   0:00
>>          \_ nginx: cache manager process
>>     www      32478  0.0  0.4 1056676 72176 ?       S    22:01   0:00
>>          \_ nginx: cache loader process
>>
>>     which is not what I?m looking for.  Is this a limitation when
>>     running with systemd?
>>
>>     Thanks,
>>     Marc
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org <mailto:nginx at nginx.org>
>> http://mailman.nginx.org/mailman/listinfo/nginx
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170404/bb89fd23/attachment.html>

From marc at soda.fm  Tue Apr  4 11:46:36 2017
From: marc at soda.fm (Marc Soda)
Date: Tue, 4 Apr 2017 07:46:36 -0400
Subject: Binary upgrade with systemd
In-Reply-To: <878FBB66-318B-458B-9792-90C2767518C6@soda.fm>
References: <13581B52-CB54-41F0-B01A-0B160C024E00@soda.fm>
 <0C53A9B0-9050-4128-9B0E-094920A12D75@lucasrolff.com>
 <878FBB66-318B-458B-9792-90C2767518C6@soda.fm>
Message-ID: <F336336B-4D8D-49D1-89D5-8839F89F1B70@soda.fm>

It seems that it?s working as designed.  I thought the old master would exit automatically.  But it sticks around in case you want to fail back.

Thanks and sorry for the noise.


> On Apr 4, 2017, at 7:41 AM, Marc Soda <marc at soda.fm> wrote:
> 
> I sent WINCH to the old master.  In this case 32277.
> 
> After sending WINCH, I can send QUIT to the old master and it exits.  Everything looks fine at that point.  But it seems a little odd to have to do this.
> 
>> On Apr 4, 2017, at 4:43 AM, Lucas Rolff <lucas at lucasrolff.com <mailto:lucas at lucasrolff.com>> wrote:
>> 
>> Hello Marc,
>> 
>> For which PID do you send the WINCH signal?
>> 
>> 
>> From: nginx <nginx-bounces at nginx.org <mailto:nginx-bounces at nginx.org>> on behalf of Marc Soda <marc at soda.fm <mailto:marc at soda.fm>>
>> Reply-To: "nginx at nginx.org <mailto:nginx at nginx.org>" <nginx at nginx.org <mailto:nginx at nginx.org>>
>> Date: Tuesday, 4 April 2017 at 04.04
>> To: "nginx at nginx.org <mailto:nginx at nginx.org>" <nginx at nginx.org <mailto:nginx at nginx.org>>
>> Subject: Binary upgrade with systemd
>> 
>> Hello,
>> 
>> I?m using nginx 1.10.3 custom built on Ubuntu 16.04.  I?m also using the recommended systemd service file:
>> 
>> [Unit]
>> Description=The NGINX HTTP and reverse proxy server
>> After=syslog.target network.target remote-fs.target nss-lookup.target
>> 
>> [Service]
>> Type=forking
>> PIDFile=/run/nginx.pid
>> ExecStartPre=/usr/sbin/nginx -t
>> ExecStart=/usr/sbin/nginx
>> ExecReload=/bin/kill -s HUP $MAINPID
>> ExecStop=/bin/kill -s QUIT $MAINPID
>> PrivateTmp=true
>> 
>> [Install]
>> WantedBy=multi-user.target
>> 
>> I?m try to do a no downtime upgrade with the USR2 and WINCH signals.  Here is my process list before:
>> 
>> root     32277  0.0  0.4 1056672 71148 ?       Ss   21:51   0:00 nginx: master process /usr/local/nginx/sbin/nginx
>> www      32278  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
>> www      32279  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
>> www      32280  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
>> www      32281  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
>> www      32282  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
>> www      32283  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
>> www      32288  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
>> www      32289  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
>> www      32290  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
>> www      32291  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
>> www      32292  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
>> www      32293  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
>> www      32294  0.0  0.4 1056672 72212 ?       S    21:51   0:00  \_ nginx: cache manager process
>> 
>> and here it is after sending USR2:
>> 
>> root     32277  0.0  0.4 1056672 71868 ?       Ss   21:51   0:00 nginx: master process /usr/local/nginx/sbin/nginx
>> www      32278  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
>> www      32279  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
>> www      32280  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
>> www      32281  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
>> www      32282  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
>> www      32283  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
>> www      32288  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
>> www      32289  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
>> www      32290  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
>> www      32291  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
>> www      32292  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
>> www      32293  0.0  0.4 1057924 73152 ?       S<   21:51   0:00  \_ nginx: worker process
>> www      32294  0.0  0.4 1056672 72212 ?       S    21:51   0:00  \_ nginx: cache manager process
>> root     32461  5.5  0.5 1056676 82316 ?       S    22:01   0:00  \_ nginx: master process /usr/local/nginx/sbin/nginx
>> www      32465  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
>> www      32466  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
>> www      32467  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
>> www      32468  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
>> www      32469  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
>> www      32470  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
>> www      32471  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
>> www      32472  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
>> www      32473  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
>> www      32474  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
>> www      32475  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
>> www      32476  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
>> www      32477  0.0  0.4 1056676 72176 ?       S    22:01   0:00      \_ nginx: cache manager process
>> www      32478  0.0  0.4 1056676 72176 ?       S    22:01   0:00      \_ nginx: cache loader process
>> 
>> Notice how the new master is a child of the old master.  If I send a WINCH I get:
>> 
>> root     32277  0.0  0.4 1056672 71868 ?       Ss   21:51   0:00 nginx: master process /usr/local/nginx/sbin/nginx
>> root     32461  0.2  0.5 1056676 82316 ?       S    22:01   0:00  \_ nginx: master process /usr/local/nginx/sbin/nginx
>> www      32465  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
>> www      32466  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
>> www      32467  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
>> www      32468  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
>> www      32469  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
>> www      32470  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
>> www      32471  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
>> www      32472  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
>> www      32473  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
>> www      32474  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
>> www      32475  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
>> www      32476  0.0  0.4 1057928 73052 ?       S<   22:01   0:00      \_ nginx: worker process
>> www      32477  0.0  0.4 1056676 72176 ?       S    22:01   0:00      \_ nginx: cache manager process
>> www      32478  0.0  0.4 1056676 72176 ?       S    22:01   0:00      \_ nginx: cache loader process
>> 
>> which is not what I?m looking for.  Is this a limitation when running with systemd?
>> 
>> Thanks,
>> Marc
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org <mailto:nginx at nginx.org>
>> http://mailman.nginx.org/mailman/listinfo/nginx
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170404/63f3b97c/attachment-0001.html>

From mdounin at mdounin.ru  Tue Apr  4 13:23:50 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 4 Apr 2017 16:23:50 +0300
Subject: Nginx map module regex in file
In-Reply-To: <CAHD7qx3jLzJZ97AdmW0Wd=HKXObkYhGOV_bPahkuZv6NSL4E-g@mail.gmail.com>
References: <CAHD7qx3jLzJZ97AdmW0Wd=HKXObkYhGOV_bPahkuZv6NSL4E-g@mail.gmail.com>
Message-ID: <20170404132349.GB13617@mdounin.ru>

Hello!

On Tue, Apr 04, 2017 at 01:01:19PM +0530, Jagannath Naidu wrote:

> I am trying to redirect some urls to a different document path. My
> configuration file is as follows
> 
> 
> ############ /etc/nginx/conf.d/site.conf ############################
> *map_hash_max_size 2048;*
> *map_hash_bucket_size 128;*
> *map $uri $new {*
> *        include list_4;*
> *}*
> resolver  127.0.0.1;
> server {
>         listen         81;
>         server_name abcexample.com;
>         access_log /var/log/nginx/abcexample-access.log main;
>         error_log  /var/log/nginx/abcexample-error.log;
>         location / {
> *                if ($new) {*
> *                  rewrite ^ $new redirect;*
> *                }*
>               proxy_pass http://127.0.0.1:8000;
>         }
> 
> ################# /etc/nginx/list_4 ##############################
> /abc/1.html /abc/hello;
> /max/1.html /max/;
> ~^/xyz/(?<abc>.*)$ /xyz/123;
> *~^/kkkk/abcdef(?<abc>.*)$ /tttt/bbbbb/jjjj$abc;*
> 
> *~^/kaka/(?<abc>.*)$ /tata/$abc;*
> 
> 
> Note:
> line 1,2 and 3 redirects are working fine.
> But line 4 and 5 are not working.
> 
> 
> *root at Hell1:~# curl -I abcexample.com/kkkk/abcef111.html
> <http://abcexample.com/kkkk/abcef111.html> *
> HTTP/1.1 302 Moved Temporarily
> Server: nginx
> Date: Tue, 04 Apr 2017 07:08:47 GMT
> Content-Type: text/html
> Content-Length: 154
> *Location: http://abcdexample.com/tttt/bbbbb/jjjj$abc
> <http://abcdexample.com/tttt/bbbbb/jjjj$abc>*
> Connection: keep-alive
> 
> My Question is:
> What changes do I have to do in list_4 file to get results as follows
> *Location: http://abcdexample.com/news/bbbbb/jjjj111.html
> <http://abcdexample.com/news/bbbbb/jjjj111.html> *

Check your nginx version.

You are trying to use a combination of text and variables as a 
resulting value of the map.  This is supported only in nginx 
1.11.0+, see http://nginx.org/r/map.

-- 
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru  Tue Apr  4 15:15:29 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 4 Apr 2017 18:15:29 +0300
Subject: nginx-1.11.13
Message-ID: <20170404151529.GH13617@mdounin.ru>

Changes with nginx 1.11.13                                       04 Apr 2017

    *) Feature: the "http_429" parameter of the "proxy_next_upstream",
       "fastcgi_next_upstream", "scgi_next_upstream", and
       "uwsgi_next_upstream" directives.
       Thanks to Piotr Sikora.

    *) Bugfix: in memory allocation error handling.

    *) Bugfix: requests might hang when using the "sendfile" and
       "timer_resolution" directives on Linux.

    *) Bugfix: requests might hang when using the "sendfile" and "aio_write"
       directives with subrequests.

    *) Bugfix: in the ngx_http_v2_module.
       Thanks to Piotr Sikora.

    *) Bugfix: a segmentation fault might occur in a worker process when
       using HTTP/2.

    *) Bugfix: requests might hang when using the "limit_rate",
       "sendfile_max_chunk", "limit_req" directives, or the $r->sleep()
       embedded perl method with subrequests.

    *) Bugfix: in the ngx_http_slice_module.


-- 
Maxim Dounin
http://nginx.org/

From kworthington at gmail.com  Tue Apr  4 15:47:18 2017
From: kworthington at gmail.com (Kevin Worthington)
Date: Tue, 4 Apr 2017 11:47:18 -0400
Subject: [nginx-announce] nginx-1.11.13
In-Reply-To: <20170404151537.GI13617@mdounin.ru>
References: <20170404151537.GI13617@mdounin.ru>
Message-ID: <CAGo79UU+6pTo+-F3n60y=CCS1soR_rvyXJz=UsuoCO4Jix49HA@mail.gmail.com>

Hello Nginx users,

Now available: Nginx 1.11.13 for Windows
https://kevinworthington.com/nginxwin11113
(32-bit and 64-bit versions)

These versions are to support legacy users who are already using Cygwin
based builds of Nginx. Officially supported native Windows binaries are at
nginx.org.

Announcements are also available here:
Twitter http://twitter.com/kworthington
Google+ https://plus.google.com/+KevinWorthington/

Thank you,
Kevin
--
Kevin Worthington
kworthington *@* (gmail]  [dot} {com)
http://kevinworthington.com/
http://twitter.com/kworthington
https://plus.google.com/+KevinWorthington/

On Tue, Apr 4, 2017 at 11:15 AM, Maxim Dounin <mdounin at mdounin.ru> wrote:

> Changes with nginx 1.11.13                                       04 Apr
> 2017
>
>     *) Feature: the "http_429" parameter of the "proxy_next_upstream",
>        "fastcgi_next_upstream", "scgi_next_upstream", and
>        "uwsgi_next_upstream" directives.
>        Thanks to Piotr Sikora.
>
>     *) Bugfix: in memory allocation error handling.
>
>     *) Bugfix: requests might hang when using the "sendfile" and
>        "timer_resolution" directives on Linux.
>
>     *) Bugfix: requests might hang when using the "sendfile" and
> "aio_write"
>        directives with subrequests.
>
>     *) Bugfix: in the ngx_http_v2_module.
>        Thanks to Piotr Sikora.
>
>     *) Bugfix: a segmentation fault might occur in a worker process when
>        using HTTP/2.
>
>     *) Bugfix: requests might hang when using the "limit_rate",
>        "sendfile_max_chunk", "limit_req" directives, or the $r->sleep()
>        embedded perl method with subrequests.
>
>     *) Bugfix: in the ngx_http_slice_module.
>
>
> --
> Maxim Dounin
> http://nginx.org/
> _______________________________________________
> nginx-announce mailing list
> nginx-announce at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-announce
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170404/5794f58e/attachment.html>

From kgorlo at gmail.com  Tue Apr  4 17:22:58 2017
From: kgorlo at gmail.com (Kamil Gorlo)
Date: Tue, 04 Apr 2017 17:22:58 +0000
Subject: Limit number of connections to server
Message-ID: <CAHzX=KBd2URJzXHOpwYCgNtWetSYORAZtKTkYLA=rskJx+pvKQ@mail.gmail.com>

Hi,

is there a way to limit total number of open connections per listening port
in Nginx? I know that there is limit_conn module but as far as I understand
it only works on "request" layer, which means connections are counted only
when request headers have been already read.

I have problem when number of SSL connections to my server is very high
(CPU is 100% and server becomes unresponsive), and I would like to "cut"
new connections after some defined threshold is exceeded. It would possibly
save some CPU cycles needed to handle SSL handshake, etc.

Is it possible?

Regards,
Kamil
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170404/347f30d3/attachment.html>

From r1ch+nginx at teamliquid.net  Tue Apr  4 19:15:00 2017
From: r1ch+nginx at teamliquid.net (Richard Stanway)
Date: Tue, 4 Apr 2017 21:15:00 +0200
Subject: No referrer header on leacher's site !!
In-Reply-To: <CAD3xhrMoACZ0p5DGt35MAydLDdLm1Z6=iv4+kh223yRtmgQ8wg@mail.gmail.com>
References: <CAD3xhrNF-EWWv_kXF9POfr+EgTfdJ1FWeAH=sNgQvaxX3NwvgQ@mail.gmail.com>
 <1491305526.712318.933610512.31DF5DC8@webmail.messagingengine.com>
 <CAD3xhrMoACZ0p5DGt35MAydLDdLm1Z6=iv4+kh223yRtmgQ8wg@mail.gmail.com>
Message-ID: <CAKWQeyjRTvZMs6=vLeW3-LHYvJUDnwFOqPMdCm12qD3hAt4a2Q@mail.gmail.com>

With the controls sites have over the referrer header, it's not very
effective as an access control mechanism. You can use something like
http://nginx.org/en/docs/http/ngx_http_secure_link_module.html
instead.

On Tue, Apr 4, 2017 at 1:39 PM, shahzaib mushtaq <shahzaib.cb at gmail.com> wrote:
> Hi,
>
> Thanks for quick response. Well its reverse, he's putting our HTTPS video
> link on his HTTP website. Could that create issue as well? If yes, what's
> the fix of it.
>
> Again thanks for your help.
>
> On Tue, Apr 4, 2017 at 4:32 PM, nanaya <me at myconan.net> wrote:
>>
>> Hi,
>>
>> On Tue, Apr 4, 2017, at 20:24, shahzaib mushtaq wrote:
>> > Hi,
>> >
>> > We came across a website who is playing our video links remotely. Since
>> > we've hotlinking protection enabled based on referrer headers so i
>> > checked
>> > the request header by playing that video & found out that *referrer
>> > header
>> > was missing* in the browser's requests header tab.
>> >
>>
>> If your site isn't https but his site is, some browsers by default don't
>> send referrer header. There are also various other referrer policies
>> with varying level of support:
>>
>> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
>>
>> http://caniuse.com/#search=referrer%20policy
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

From francis at daoine.org  Tue Apr  4 20:54:08 2017
From: francis at daoine.org (Francis Daly)
Date: Tue, 4 Apr 2017 21:54:08 +0100
Subject: No referrer header on leacher's site !!
In-Reply-To: <CAD3xhrMoACZ0p5DGt35MAydLDdLm1Z6=iv4+kh223yRtmgQ8wg@mail.gmail.com>
References: <CAD3xhrNF-EWWv_kXF9POfr+EgTfdJ1FWeAH=sNgQvaxX3NwvgQ@mail.gmail.com>
 <1491305526.712318.933610512.31DF5DC8@webmail.messagingengine.com>
 <CAD3xhrMoACZ0p5DGt35MAydLDdLm1Z6=iv4+kh223yRtmgQ8wg@mail.gmail.com>
Message-ID: <20170404205408.GG3428@daoine.org>

On Tue, Apr 04, 2017 at 04:39:23PM +0500, shahzaib mushtaq wrote:

Hi there,

> Thanks for quick response. Well its reverse, he's putting our HTTPS video
> link on his HTTP website. Could that create issue as well? If yes, what's
> the fix of it.

nginx does not know (or care) what the linking site does. All it can
see is the request made to it.

The browser entirely controls what request headers the browser sends.

If you want to deny all requests that have no Referer header, you can
do that.

If you want to deny only some requests that have no Referer header,
you will need to tell nginx which requests to deny and which requests to
allow. But before you can do that, you will have to know how to identify
the requests in one of the sets.

	f
-- 
Francis Daly        francis at daoine.org

From vbart at nginx.com  Tue Apr  4 20:58:16 2017
From: vbart at nginx.com (Valentin V. Bartenev)
Date: Tue, 04 Apr 2017 23:58:16 +0300
Subject: Limit number of connections to server
In-Reply-To: <CAHzX=KBd2URJzXHOpwYCgNtWetSYORAZtKTkYLA=rskJx+pvKQ@mail.gmail.com>
References: <CAHzX=KBd2URJzXHOpwYCgNtWetSYORAZtKTkYLA=rskJx+pvKQ@mail.gmail.com>
Message-ID: <3867014.Xybq91EcAu@vbart-workstation>

On Tuesday 04 April 2017 17:22:58 Kamil Gorlo wrote:
> Hi,
> 
> is there a way to limit total number of open connections per listening port
> in Nginx? I know that there is limit_conn module but as far as I understand
> it only works on "request" layer, which means connections are counted only
> when request headers have been already read.
> 
> I have problem when number of SSL connections to my server is very high
> (CPU is 100% and server becomes unresponsive), and I would like to "cut"
> new connections after some defined threshold is exceeded. It would possibly
> save some CPU cycles needed to handle SSL handshake, etc.
> 
> Is it possible?
> 

You should use system firewall.  Most of *nix systems have one out of the box.

  wbr, Valentin V. Bartenev


From francis at daoine.org  Tue Apr  4 21:10:11 2017
From: francis at daoine.org (Francis Daly)
Date: Tue, 4 Apr 2017 22:10:11 +0100
Subject: Nginx redirect preserving source hostname
In-Reply-To: <73da404a-13ac-8123-f35d-3d52ad1d414b@estaxi.ru>
References: <73da404a-13ac-8123-f35d-3d52ad1d414b@estaxi.ru>
Message-ID: <20170404211011.GH3428@daoine.org>

On Mon, Apr 03, 2017 at 02:17:19PM +0600, ????????? ?????? wrote:

Hi there,

> I have an NGINX as reverse proxy with PHP-fpm. Nginx is set up for
> serving www.somehost.com. I added another host www.anotherhost.com.
> Now I need to setup redirect in this way: If user type
> www.anotherhost.com then it redirects to www.somehost.com/someurl,
> but url in browser bar shouldn't change.

> Is it possible to redirect preserving url ?

A "redirect" is an "external rewrite", which asks the browser to make
a new request, and therefore change the url the browser shows.

If you want the browser not to make a new request, you need to handle
the request internally, within nginx, possibly by means of a proxy_pass
(if the desired resource is only available in another server{}).

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org

From lists at lazygranch.com  Tue Apr  4 22:12:57 2017
From: lists at lazygranch.com (lists at lazygranch.com)
Date: Tue, 04 Apr 2017 15:12:57 -0700
Subject: Limit number of connections to server
In-Reply-To: <3867014.Xybq91EcAu@vbart-workstation>
References: <CAHzX=KBd2URJzXHOpwYCgNtWetSYORAZtKTkYLA=rskJx+pvKQ@mail.gmail.com>
 <3867014.Xybq91EcAu@vbart-workstation>
Message-ID: <20170404221257.5709911.91575.25470@lazygranch.com>

You would probably want to also limit the number of connections per IP address, else one IP could lock up the entire site.


? Original Message ?
From: Valentin V. Bartenev
Sent: Tuesday, April 4, 2017 1:58 PM
To: nginx at nginx.org
Reply To: nginx at nginx.org
Subject: Re: Limit number of connections to server

On Tuesday 04 April 2017 17:22:58 Kamil Gorlo wrote:
> Hi,
> 
> is there a way to limit total number of open connections per listening port
> in Nginx? I know that there is limit_conn module but as far as I understand
> it only works on "request" layer, which means connections are counted only
> when request headers have been already read.
> 
> I have problem when number of SSL connections to my server is very high
> (CPU is 100% and server becomes unresponsive), and I would like to "cut"
> new connections after some defined threshold is exceeded. It would possibly
> save some CPU cycles needed to handle SSL handshake, etc.
> 
> Is it possible?
> 

You should use system firewall. Most of *nix systems have one out of the box.

wbr, Valentin V. Bartenev

_______________________________________________
nginx mailing list
nginx at nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

From pchychi at gmail.com  Wed Apr  5 01:55:19 2017
From: pchychi at gmail.com (Payam Chychi)
Date: Wed, 05 Apr 2017 01:55:19 +0000
Subject: Limit number of connections to server
In-Reply-To: <20170404221257.5709911.91575.25470@lazygranch.com>
References: <CAHzX=KBd2URJzXHOpwYCgNtWetSYORAZtKTkYLA=rskJx+pvKQ@mail.gmail.com>
 <3867014.Xybq91EcAu@vbart-workstation>
 <20170404221257.5709911.91575.25470@lazygranch.com>
Message-ID: <CAJMkcM2MQ0Aa4cjFNX6OSvwsSEk9Zv0TGPWJUZx3RAnND-MEhg@mail.gmail.com>

You can also use ulimit but simple iptable/ipfw/pf will do the job


On Tue, Apr 4, 2017 at 3:13 PM <lists at lazygranch.com> wrote:

> You would probably want to also limit the number of connections per IP
> address, else one IP could lock up the entire site.
>
>
>   Original Message
> From: Valentin V. Bartenev
> Sent: Tuesday, April 4, 2017 1:58 PM
> To: nginx at nginx.org
> Reply To: nginx at nginx.org
> Subject: Re: Limit number of connections to server
>
> On Tuesday 04 April 2017 17:22:58 Kamil Gorlo wrote:
> > Hi,
> >
> > is there a way to limit total number of open connections per listening
> port
> > in Nginx? I know that there is limit_conn module but as far as I
> understand
> > it only works on "request" layer, which means connections are counted
> only
> > when request headers have been already read.
> >
> > I have problem when number of SSL connections to my server is very high
> > (CPU is 100% and server becomes unresponsive), and I would like to "cut"
> > new connections after some defined threshold is exceeded. It would
> possibly
> > save some CPU cycles needed to handle SSL handshake, etc.
> >
> > Is it possible?
> >
>
> You should use system firewall. Most of *nix systems have one out of the
> box.
>
> wbr, Valentin V. Bartenev
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-- 
Payam Tarverdyan Chychi
Network Security Specialist / Network Engineer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170405/0371e841/attachment.html>

From nginx-forum at forum.nginx.org  Wed Apr  5 05:02:15 2017
From: nginx-forum at forum.nginx.org (JohnCarne)
Date: Wed, 05 Apr 2017 01:02:15 -0400
Subject: Memory issue
In-Reply-To: <f9b894c82cbf4d618eec8dc6afdcd9e4.NginxMailingListEnglish@forum.nginx.org>
References: <f9b894c82cbf4d618eec8dc6afdcd9e4.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <89360c715d40fb102ea16b8cd6b18340.NginxMailingListEnglish@forum.nginx.org>

Uprgraded to last nginx version :
memory still increase it seems

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273274,273411#msg-273411


From nginx-forum at forum.nginx.org  Wed Apr  5 06:27:04 2017
From: nginx-forum at forum.nginx.org (t.nishiyori)
Date: Wed, 05 Apr 2017 02:27:04 -0400
Subject: slice module got error when contents of upstream was updated
In-Reply-To: <20170403103652.GA97890@Romans-MacBook-Air.local>
References: <20170403103652.GA97890@Romans-MacBook-Air.local>
Message-ID: <214bd44475ec89f9d421bd37b1e74518.NginxMailingListEnglish@forum.nginx.org>

Hi Roman,

The slice module is awesome for caching my large content effectively.
But my contents are updated in any times.
I decide to implement some external tools for this error to hear your
answer.
Such like a monitoring error logs and purge unnecessary cache.

Thank you.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273307,273412#msg-273412


From sca at andreasschulze.de  Wed Apr  5 09:16:27 2017
From: sca at andreasschulze.de (A. Schulze)
Date: Wed, 05 Apr 2017 11:16:27 +0200
Subject: minor manpage fix
Message-ID: <20170405111627.Horde.tDdUpZNOQyul9urGq94w0dw@andreasschulze.de>


hello

by buildsystem warn about a minor glitch in nginx.8
patch attached

Andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hyphen-used-as-minus-sign.patch
Type: text/x-diff
Size: 662 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170405/4029504c/attachment.bin>

From shahzaib.cb at gmail.com  Wed Apr  5 11:13:58 2017
From: shahzaib.cb at gmail.com (shahzaib mushtaq)
Date: Wed, 5 Apr 2017 16:13:58 +0500
Subject: Content mismatch random error !!
Message-ID: <CAD3xhrPR3U8ZHmSrXHWOkeYJNRiibiQH53GNs6B9XTHwDj+6WA@mail.gmail.com>

Hi,

Sometimes we encounter Content mismatch error in browser on website &
refreshing the page fix this issue. The full error is :
http://prntscr.com/esp3jr

Here is nginx.conf file : https://pastebin.com/VF5L1xXy

Some people on different forums saying its due to proxy cache but we're not
using any kind of cache except for File-Descriptors cache config in nginx.
The setup is built on pure NGINX+Php-fpm.

Thanks for the help in advance !!

Shahzaib
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170405/1a33e8f0/attachment-0001.html>

From nginx-forum at forum.nginx.org  Wed Apr  5 11:32:01 2017
From: nginx-forum at forum.nginx.org (IgorR)
Date: Wed, 05 Apr 2017 07:32:01 -0400
Subject: proxy_cache_background_update after cache expiry
Message-ID: <f09410717d0959c665f00f892f664065.NginxMailingListEnglish@forum.nginx.org>

Hello,

I'm trying to configure nginx to use proxy_cache_background_update but it
seems like after expiry it still waits for the full roundtrip to the
backend, returning a MISS in X-Cache-Status. What am I MISSing?

I'm using nginx 1.11.12 under ubuntu 14.04 running inside docker, but
hopefully this is too much detail.

location ~ ^/?(\d+/[^/]+)?/?$
{
   expires 20s;

   proxy_cache app_cache;
   proxy_cache_lock on;

   proxy_cache_bypass $http_upgrade;

   proxy_pass http://172.17.0.2:5000;
   proxy_http_version 1.1;
   error_log    /nginxerror.log debug;

   add_header X-Cache-Status $upstream_cache_status;

   proxy_cache_use_stale error timeout updating http_500 http_502 http_503
http_504;
   proxy_cache_background_update on;

   break;
}

NB: This is a duplicate of my so question, I was kindly advised on the nginx
IRC to repost here for better chances, the original question is here:
http://stackoverflow.com/questions/43223993/nginx-proxy-cache-background-update-after-cache-expiry

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273417,273417#msg-273417


From ru at nginx.com  Wed Apr  5 12:14:12 2017
From: ru at nginx.com (Ruslan Ermilov)
Date: Wed, 5 Apr 2017 15:14:12 +0300
Subject: minor manpage fix
In-Reply-To: <20170405111627.Horde.tDdUpZNOQyul9urGq94w0dw@andreasschulze.de>
References: <20170405111627.Horde.tDdUpZNOQyul9urGq94w0dw@andreasschulze.de>
Message-ID: <20170405121412.GA15734@lo0.su>

On Wed, Apr 05, 2017 at 11:16:27AM +0200, A. Schulze wrote:
> hello
> 
> by buildsystem warn about a minor glitch in nginx.8
> patch attached

"\-" is a "minus sign in the current font", while "-" is
a dash character, which is the correct character for the
utility arguments.

Applying this patch and generating a PostScript output
would generate an example output than cannot be pasted
back to the shell.

> Description: fix minor manpage errors
> Author: A. Schulze
> ---
> This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
> Index: nginx-1.11.13/man/nginx.8
> ===================================================================
> --- nginx-1.11.13.orig/man/nginx.8
> +++ nginx-1.11.13/man/nginx.8
> @@ -180,8 +180,8 @@ Test configuration file
>  .Pa ~/mynginx.conf
>  with global directives for PID and quantity of worker processes:
>  .Bd -literal -offset indent
> -nginx -t -c ~/mynginx.conf \e
> -	-g "pid /var/run/mynginx.pid; worker_processes 2;"
> +nginx \-t \-c ~/mynginx.conf \e
> +	\-g "pid /var/run/mynginx.pid; worker_processes 2;"
>  .Ed
>  .Sh SEE ALSO
>  .\"Xr nginx.conf 5

From hemelaar at desikkel.nl  Wed Apr  5 14:05:42 2017
From: hemelaar at desikkel.nl (Jean-Paul Hemelaar)
Date: Wed, 5 Apr 2017 16:05:42 +0200
Subject: proxy_cache_background_update after cache expiry
In-Reply-To: <f09410717d0959c665f00f892f664065.NginxMailingListEnglish@forum.nginx.org>
References: <f09410717d0959c665f00f892f664065.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <CA+DSZZ643evpWwtm1kxvsjuNCUJeyAr2g1CQBgSjhyPas7O03A@mail.gmail.com>

Hi,

I have a similar issue:
http://mailman.nginx.org/pipermail/nginx/2017-March/053198.html

I noticed (using tcpdump) that all data except the last package is send
immediately.
Can you verify it that's happening in your case as well?

JP

On Wed, Apr 5, 2017 at 1:32 PM, IgorR <nginx-forum at forum.nginx.org> wrote:

> Hello,
>
> I'm trying to configure nginx to use proxy_cache_background_update but it
> seems like after expiry it still waits for the full roundtrip to the
> backend, returning a MISS in X-Cache-Status. What am I MISSing?
>
> I'm using nginx 1.11.12 under ubuntu 14.04 running inside docker, but
> hopefully this is too much detail.
>
> location ~ ^/?(\d+/[^/]+)?/?$
> {
>    expires 20s;
>
>    proxy_cache app_cache;
>    proxy_cache_lock on;
>
>    proxy_cache_bypass $http_upgrade;
>
>    proxy_pass http://172.17.0.2:5000;
>    proxy_http_version 1.1;
>    error_log    /nginxerror.log debug;
>
>    add_header X-Cache-Status $upstream_cache_status;
>
>    proxy_cache_use_stale error timeout updating http_500 http_502 http_503
> http_504;
>    proxy_cache_background_update on;
>
>    break;
> }
>
> NB: This is a duplicate of my so question, I was kindly advised on the
> nginx
> IRC to repost here for better chances, the original question is here:
> http://stackoverflow.com/questions/43223993/nginx-
> proxy-cache-background-update-after-cache-expiry
>
> Posted at Nginx Forum: https://forum.nginx.org/read.
> php?2,273417,273417#msg-273417
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170405/05cbd2d7/attachment.html>

From mdounin at mdounin.ru  Wed Apr  5 14:30:03 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 5 Apr 2017 17:30:03 +0300
Subject: Memory issue
In-Reply-To: <89360c715d40fb102ea16b8cd6b18340.NginxMailingListEnglish@forum.nginx.org>
References: <f9b894c82cbf4d618eec8dc6afdcd9e4.NginxMailingListEnglish@forum.nginx.org>
 <89360c715d40fb102ea16b8cd6b18340.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170405143003.GO13617@mdounin.ru>

Hello!

On Wed, Apr 05, 2017 at 01:02:15AM -0400, JohnCarne wrote:

> Uprgraded to last nginx version :
> memory still increase it seems

You may have better luck describing your issue: what you do, what 
you see as a result, and why you think this is an issue.  Posting 
messages saying "I still have an issue" is unlikely to help.

-- 
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru  Wed Apr  5 14:52:29 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 5 Apr 2017 17:52:29 +0300
Subject: proxy_cache_background_update after cache expiry
In-Reply-To: <f09410717d0959c665f00f892f664065.NginxMailingListEnglish@forum.nginx.org>
References: <f09410717d0959c665f00f892f664065.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170405145228.GP13617@mdounin.ru>

Hello!

On Wed, Apr 05, 2017 at 07:32:01AM -0400, IgorR wrote:

> Hello,
> 
> I'm trying to configure nginx to use proxy_cache_background_update but it
> seems like after expiry it still waits for the full roundtrip to the
> backend, returning a MISS in X-Cache-Status. What am I MISSing?
> 
> I'm using nginx 1.11.12 under ubuntu 14.04 running inside docker, but
> hopefully this is too much detail.
> 
> location ~ ^/?(\d+/[^/]+)?/?$
> {
>    expires 20s;
> 
>    proxy_cache app_cache;
>    proxy_cache_lock on;
> 
>    proxy_cache_bypass $http_upgrade;
> 
>    proxy_pass http://172.17.0.2:5000;
>    proxy_http_version 1.1;
>    error_log    /nginxerror.log debug;
> 
>    add_header X-Cache-Status $upstream_cache_status;
> 
>    proxy_cache_use_stale error timeout updating http_500 http_502 http_503
> http_504;
>    proxy_cache_background_update on;
> 
>    break;
> }

"MISS" in $upstream_cache_status indicate that the relevant 
resource is not present in the cache, and therefore there is 
no stale response to return.

Most likely the problem is the resource was never saved to the 
cache, because of the cacheability flags in the response.  
Consider testing if the resource is at all saved to cache, 
the proxy_cache_background_update is certainly irrelevant.

Note that cacheability of a resource is determinded by nginx based 
on multiple factors.  Cache-Control, Expires, X-Accel-Expires, 
Set-Cookie, and Vary response headers affect caching.  If there 
are no response headers which explicitly allow caching and set 
expiration time, only responses with appropriate proxy_cache_valid 
are cached.

For more information see http://nginx.org/r/proxy_cache_valid.

-- 
Maxim Dounin
http://nginx.org/

From nginx-forum at forum.nginx.org  Wed Apr  5 22:14:21 2017
From: nginx-forum at forum.nginx.org (phwaap)
Date: Wed, 05 Apr 2017 18:14:21 -0400
Subject: Conditional expires in location
Message-ID: <b27f73ca0020cf91a22d3992911c9fbf.NginxMailingListEnglish@forum.nginx.org>

Hi everyone,

I have a generic location that servers many others via rewrite/proxy_pass. 
The generic location calls expires by including a file which disables
caching.  I have new location with its own expiration logic that needs to
bypass this.  What is the best way to do this?

# Generic service.
location = /generic.js {
            fastcgi_pass 'unix:/tmp/generic.socket';
            include fastcgi.conf;
            # only does: expires -1s;
            include expires.conf;   
}

location = /new.js {
        set $new_upstream https://new.lskjdflsj.com/;
        rewrite ^/new.js /generic.js?type=new;
        proxy_pass $new_upstream;
}


I've read that if statements are undesirable in location although that seems
to work.  I've also tried setting an expires variable via a map which also
works. But doesn't this execute for every request?

Zach

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273434,273434#msg-273434


From nginx-forum at forum.nginx.org  Thu Apr  6 01:32:41 2017
From: nginx-forum at forum.nginx.org (JohnCarne)
Date: Wed, 05 Apr 2017 21:32:41 -0400
Subject: Memory issue
In-Reply-To: <20170405143003.GO13617@mdounin.ru>
References: <20170405143003.GO13617@mdounin.ru>
Message-ID: <bba52964748597ef70c924e7ff88e133.NginxMailingListEnglish@forum.nginx.org>

We described it properly when opening ticket, I reformulate :

Usually, 1 nginx worker process consumes 1.16-2% of RAM maximum on this
server, and it remain stable.
For some days after nginx upgrades, every overnight, during daily stat
generation process of cpanel which happens on overnight like set, there is
many nginx reloads due to stat generation (= normal), but this is now
causing an ever increasing memory use of RAM by nginx worker process,
usually it stays around 1-2% RAM, we now see it cumulating after stat
generation process increasing itself at begin with 1-2% RAM each time, which
will lead after some weaks to a saturated server in term of RAM if nginx is
not started. When we saw the issue first time, Nginx was consuming 12% of
server RAM considering we have 128 GB RAM on this shared hosting server.

After recent nginx upgrade :
The increase is around 0.20% daily, instead of 1-2% RAM

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273274,273436#msg-273436


From nginx-forum at forum.nginx.org  Thu Apr  6 05:14:54 2017
From: nginx-forum at forum.nginx.org (JohnCarne)
Date: Thu, 06 Apr 2017 01:14:54 -0400
Subject: Memory issue
In-Reply-To: <f9b894c82cbf4d618eec8dc6afdcd9e4.NginxMailingListEnglish@forum.nginx.org>
References: <f9b894c82cbf4d618eec8dc6afdcd9e4.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <0788a57b9fe5437be0165502235d25d6.NginxMailingListEnglish@forum.nginx.org>

It looks like i don't speak english properly to be understood, others will
open a thread on this issue, and may be explain better

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273274,273437#msg-273437


From schwaderer at daz-services.de  Thu Apr  6 05:59:07 2017
From: schwaderer at daz-services.de (Christian Schwaderer)
Date: Thu, 6 Apr 2017 07:59:07 +0200
Subject: Websocket security
Message-ID: <b3d8209e-459b-2584-71af-79b8cb53e55d@daz-services.de>

Dear all,

I ran NodeJS as a kind of Webapplication Server serving an AngularJS 
frontend. They communicate solely over WebSockets, using the SailsJS 
implementation of Socket.IO. Between frontend (client) and the NodeJS 
backend, sits nginx as a proxy, configured like so:

|server { listen 1337 ssl; location /socket.io/ { proxy_pass 
https://localhost:1338; proxy_set_header Upgrade $http_upgrade; 
proxy_set_header Connection "upgrade"; proxy_http_version 1.1; 
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } |

So far, so good. I now want to monitor and secure the Websocket 
connection. In particular, I want to prevent XSS attacks and exclude IPs 
trying to brute force the login to my application. I'm pretty new to 
that stuff, but I've found out that there are tools working together 
with nginx which can fulfill my needs here. (In particular, fail2ban and 
nginx-naxsi)

However, I did not find out till now, whether and how these tools would 
work with my design (proxied websocket).

fail2ban works on log files. Right now, nginx does *not* log the 
websocket traffic. Is it possible to configure nginx so that it logs the 
proxied websocket traffic? I mean, the actual traffic, not the 
establishing of the socket connection, but what is actually being 
exchanged between client (browser) and server (NodeJS). That should 
appear in some nginx log file in order to make fail2ban work.

Same goes for nginx-naxsi, I guess.
Does nginx, in my configuration, even care about what browser and NodeJS 
are exchanging via websocket? How can I make nginx inspect the content 
of the websocket connection so that I can filter out malicious requests 
based on nginx-naxsi rules?

Thanks in advance for any hints!
Best,
Christian

(PS: Already had asked a similar question on serverfault, but not no avail.)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170406/4b4ebe8a/attachment-0001.html>

From nginx-forum at forum.nginx.org  Thu Apr  6 07:25:37 2017
From: nginx-forum at forum.nginx.org (IgorR)
Date: Thu, 06 Apr 2017 03:25:37 -0400
Subject: proxy_cache_background_update after cache expiry
In-Reply-To: <f09410717d0959c665f00f892f664065.NginxMailingListEnglish@forum.nginx.org>
References: <f09410717d0959c665f00f892f664065.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <c448f540e1f81cd4871663c66db7de9c.NginxMailingListEnglish@forum.nginx.org>

thank you Maxim, 

the resourse was saved to cache but was quickly expiring in the browser
causing a Cache-Control: no-cache header to be sent.

Sending something like 

Cache-Control:
public,max-age=15,s-maxage=240;must-revalidate,stale-while-revalidate=240

together with Last-Modified/ETag from the upstream server seem to be getting
me where I want.

Thanks for pointing me in the right direction.


@jeanpaul: I didn't have the chance to check your idea since taking a closer
look at the headers really helped moving forward.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273417,273439#msg-273439


From nginx-forum at forum.nginx.org  Thu Apr  6 07:40:56 2017
From: nginx-forum at forum.nginx.org (mex)
Date: Thu, 06 Apr 2017 03:40:56 -0400
Subject: Websocket security
In-Reply-To: <b3d8209e-459b-2584-71af-79b8cb53e55d@daz-services.de>
References: <b3d8209e-459b-2584-71af-79b8cb53e55d@daz-services.de>
Message-ID: <135f4402b4636408fd580adc36f41df4.NginxMailingListEnglish@forum.nginx.org>

Hello christian,


naxsi-contributor first

bad news first:

naxsi wouldnt work on websockets.

Any other security for websockets you have to implement yourself.


list of usefull reads:
- https://devcenter.heroku.com/articles/websocket-security
-
https://security.stackexchange.com/questions/48378/anti-dos-websockets-best-practices/
- https://gist.github.com/subudeepak/9897212
- https://kaazing.com/2012/02/28/html5-websocket-security-is-strong/



regards, 


mex

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273438,273440#msg-273440


From shahzaib.cb at gmail.com  Thu Apr  6 07:41:33 2017
From: shahzaib.cb at gmail.com (shahzaib mushtaq)
Date: Thu, 6 Apr 2017 12:41:33 +0500
Subject: Content mismatch random error !!
In-Reply-To: <CAD3xhrPR3U8ZHmSrXHWOkeYJNRiibiQH53GNs6B9XTHwDj+6WA@mail.gmail.com>
References: <CAD3xhrPR3U8ZHmSrXHWOkeYJNRiibiQH53GNs6B9XTHwDj+6WA@mail.gmail.com>
Message-ID: <CAD3xhrOyV6FpororKT093RQNtqDEum8yC02y7Oq_ENsF+gdh7Q@mail.gmail.com>

Hi,

Anyone ?

Regards.

On Wed, Apr 5, 2017 at 4:13 PM, shahzaib mushtaq <shahzaib.cb at gmail.com>
wrote:

> Hi,
>
> Sometimes we encounter Content mismatch error in browser on website &
> refreshing the page fix this issue. The full error is :
> http://prntscr.com/esp3jr
>
> Here is nginx.conf file : https://pastebin.com/VF5L1xXy
>
> Some people on different forums saying its due to proxy cache but we're
> not using any kind of cache except for File-Descriptors cache config in
> nginx. The setup is built on pure NGINX+Php-fpm.
>
> Thanks for the help in advance !!
>
> Shahzaib
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170406/9c1d1acf/attachment.html>

From shahzaib.cb at gmail.com  Thu Apr  6 07:50:01 2017
From: shahzaib.cb at gmail.com (shahzaib mushtaq)
Date: Thu, 6 Apr 2017 12:50:01 +0500
Subject: No referrer header on leacher's site !!
In-Reply-To: <20170404205408.GG3428@daoine.org>
References: <CAD3xhrNF-EWWv_kXF9POfr+EgTfdJ1FWeAH=sNgQvaxX3NwvgQ@mail.gmail.com>
 <1491305526.712318.933610512.31DF5DC8@webmail.messagingengine.com>
 <CAD3xhrMoACZ0p5DGt35MAydLDdLm1Z6=iv4+kh223yRtmgQ8wg@mail.gmail.com>
 <20170404205408.GG3428@daoine.org>
Message-ID: <CAD3xhrNrZeC5BvGQKndQ84QCEMJOnK8axsZBvVhFeDf4SasYtw@mail.gmail.com>

>>With the controls sites have over the referrer header, it's not very
effective as an access control mechanism. You can use something like
http://nginx.org/en/docs/http/ngx_http_secure_link_module.html
instead.

We're also using Nginx secure link module based on HASH + expiry but
somehow this secure link is exploited by that website. The video link hash
on his website is exactly matching with ours means no matter if hash get
expire & new takes it place that leacher is also getting the new hash &
we're unable to find how he exploited us. Though on digging more into this
we found that he's using following script to fetch video links from our
website :

https://github.com/XvBMC/repository.xvbmc/blob/master/plugin.video.saltsrd.lite/scrapers/dizibox_scraper.py

His website name is also dizibox1.


On Wed, Apr 5, 2017 at 1:54 AM, Francis Daly <francis at daoine.org> wrote:

> On Tue, Apr 04, 2017 at 04:39:23PM +0500, shahzaib mushtaq wrote:
>
> Hi there,
>
> > Thanks for quick response. Well its reverse, he's putting our HTTPS video
> > link on his HTTP website. Could that create issue as well? If yes, what's
> > the fix of it.
>
> nginx does not know (or care) what the linking site does. All it can
> see is the request made to it.
>
> The browser entirely controls what request headers the browser sends.
>
> If you want to deny all requests that have no Referer header, you can
> do that.
>
> If you want to deny only some requests that have no Referer header,
> you will need to tell nginx which requests to deny and which requests to
> allow. But before you can do that, you will have to know how to identify
> the requests in one of the sets.
>
>         f
> --
> Francis Daly        francis at daoine.org
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170406/39677fe6/attachment.html>

From al-nginx at none.at  Thu Apr  6 09:59:18 2017
From: al-nginx at none.at (Aleksandar Lazic)
Date: Thu, 06 Apr 2017 11:59:18 +0200
Subject: Memory issue
In-Reply-To: <0788a57b9fe5437be0165502235d25d6.NginxMailingListEnglish@forum.nginx.org>
References: <f9b894c82cbf4d618eec8dc6afdcd9e4.NginxMailingListEnglish@forum.nginx.org>
 <0788a57b9fe5437be0165502235d25d6.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <56f50c96672c622ef464f6ffb3970cd0@none.at>



Am 06-04-2017 07:14, schrieb JohnCarne:
> It looks like i don't speak english properly to be understood, others 
> will
> open a thread on this issue, and may be explain better

Well how about to remove the additionally modules and watch if the 
memory issue still exists.

###
--add-dynamic-module=ngx_pagespeed-release-1.11.33.4-beta
--add-dynamic-module=/usr/local/rvm/gems/ruby-2.3.1/gems/passenger-5.1.2/src/nginx_module
--add-dynamic-module=ngx_brotli 
--add-dynamic-module=echo-nginx-module-0.60
--add-dynamic-module=headers-more-nginx-module-0.32
--add-dynamic-module=ngx_http_redis-0.3.8
--add-dynamic-module=redis2-nginx-module
--add-dynamic-module=srcache-nginx-module-0.31
--add-dynamic-module=ngx_devel_kit-0.3.0
--add-dynamic-module=set-misc-nginx-module-0.31
--add-dynamic-module=ModSecurity-nginx
###

Maybe some of this modules are the reasons for the memory issue.

Regards
Aleks

From nginx-forum at forum.nginx.org  Thu Apr  6 10:01:43 2017
From: nginx-forum at forum.nginx.org (JohnCarne)
Date: Thu, 06 Apr 2017 06:01:43 -0400
Subject: Memory issue
In-Reply-To: <56f50c96672c622ef464f6ffb3970cd0@none.at>
References: <56f50c96672c622ef464f6ffb3970cd0@none.at>
Message-ID: <d48fcc08905d984066db7dcf4077b059.NginxMailingListEnglish@forum.nginx.org>

I let dev Anoop answer to you... he has a clue about the issue :

https://github.com/SpiderLabs/ModSecurity-nginx/issues/45

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273274,273444#msg-273444


From anoopalias01 at gmail.com  Thu Apr  6 10:12:42 2017
From: anoopalias01 at gmail.com (Anoop Alias)
Date: Thu, 6 Apr 2017 15:42:42 +0530
Subject: Memory issue
In-Reply-To: <d48fcc08905d984066db7dcf4077b059.NginxMailingListEnglish@forum.nginx.org>
References: <56f50c96672c622ef464f6ffb3970cd0@none.at>
 <d48fcc08905d984066db7dcf4077b059.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <CAO6TEX33-KzPGBVfk0XgqHVcQegSdpsuWdyXT4i9tT76ie5ORQ@mail.gmail.com>

If a module is dynamic loadable has issue and if we do not load the module
, will it still cause the error ?

In the case above , ModSecurity-nginx was compiled as a dynamic module and
not loaded .


On Thu, Apr 6, 2017 at 3:31 PM, JohnCarne <nginx-forum at forum.nginx.org>
wrote:

> I let dev Anoop answer to you... he has a clue about the issue :
>
> https://github.com/SpiderLabs/ModSecurity-nginx/issues/45
>
> Posted at Nginx Forum: https://forum.nginx.org/read.
> php?2,273274,273444#msg-273444
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>



-- 
*Anoop P Alias*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170406/1a6bd0ef/attachment-0001.html>

From nginx-forum at forum.nginx.org  Thu Apr  6 10:45:23 2017
From: nginx-forum at forum.nginx.org (sachin.shetty@gmail.com)
Date: Thu, 06 Apr 2017 06:45:23 -0400
Subject: Checking multiple caches before forwarding request to upstream
Message-ID: <71665a76fa9ffeb54de53e99e5d51032.NginxMailingListEnglish@forum.nginx.org>

Hi,

We want to define multiple caches based on certain request headers (time
stamp) so that we can put files modified in last 10 days on SSDs, last 30
days on HDDs and so on. I understand that we could use map feature to pick a
cache dynamically which is good and works for us. 

But when serving a file, we want to check in all the caches because file
modified in last 11 days could still be on SSDs, so we don't wan't to
unnecessarily pull it out from backend and put it on HDDs.

so net, net we want to check multiple caches before pulling from the
backend. Is there a way to do that? We can only define one proxy_cache in a
location block, so I figured if we some how use try files or error page
attribute to failover multiple blocks and check one cache in each block, we
could check multiple caches. 

following is my simplified config:

server {
        listen       7800 ;
        server_name  localhost;
        resolver 8.8.8.8 ipv6=off;

        location / {

            set $served_by "cache";
            set $cache_key $request_uri;
            proxy_cache cache_recent;
            proxy_cache_key $cache_key;

            error_page 418 = @go-to-cloud-storage; return 418;
            #try_files /does-not-exist @go-to-cloud-storage;

        }

        location @go-to-cloud-storage  {
            set $served_by "cloud";

            proxy_cache cache_recent;
            proxy_cache_key $cache_key;

            proxy_set_header Host $host;
            proxy_pass https://$http_host$request_uri;
        }

    }

But in the above config,   @go-to-cloud-storage storage is always executed
even when object is in cache for the / block. 

Thanks
Sachin

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273446,273446#msg-273446


From nginx-forum at forum.nginx.org  Thu Apr  6 11:33:03 2017
From: nginx-forum at forum.nginx.org (c0nw0nk)
Date: Thu, 06 Apr 2017 07:33:03 -0400
Subject: No referrer header on leacher's site !!
In-Reply-To: <CAD3xhrNrZeC5BvGQKndQ84QCEMJOnK8axsZBvVhFeDf4SasYtw@mail.gmail.com>
References: <CAD3xhrNrZeC5BvGQKndQ84QCEMJOnK8axsZBvVhFeDf4SasYtw@mail.gmail.com>
Message-ID: <908cc7ff647d594dba016bdc8c491f26.NginxMailingListEnglish@forum.nginx.org>

Hello There,

I had this same issue and fixed it by the following method.

For example in HTML :
<source src="file.mp4?md5=jobIVRUfgH6USADuWsqJHr818vw&expires=1478192353"
type="video/mp4" />

That is what your media stream link would look like.

But if you use JavaScript like the following example :

<script type="text/javascript">
window.onload = MediaReplacement()
function MediaReplacement() {
var _video =
"/file.mp4?md5=jobIVRUfgH6USADuWsqJHr818vw&expires=1478192353";

var videoTags = document.getElementsByTagName("source");
videoTags[0].src = _video;
}
</script>
<video width="320" height="240" controls="controls">
<!-- MP4 for Safari, IE9, iPhone, iPad, Android, and Windows Phone 7 -->
<source src="" type="video/mp4" /> <!-- NOTICE HOW I MADE THIS EMPTY BECAUSE
JAVASCRIPT WILL INSERT THIS NOW -->
</video> 

And you insert your stream link into the page using JavaScript it unlocks
the ability to make it hard for their python script to
scrape/hotlink/content leech of your web pages.

You can obfuscate JavaScript you can change the var names you can make it
incredibly dynamic and difficult breaking their apps completely the more
dynamic it is the harder and harder it is for them to obtain your stream
links.


Also you should blocked the following two user agents that those apps use.

Kodi
XBMC

(I would suggest making them non case sensitive matches too)

Where I posted in regards to this.
https://forum.nginx.org/read.php?2,270705,270739#msg-270739
https://github.com/C0nw0nk/Nginx-Lua-Secure-Link-Anti-Hotlinking

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273405,273447#msg-273447


From amnesia.victim at gmail.com  Thu Apr  6 11:50:18 2017
From: amnesia.victim at gmail.com (Dmitry S. Polyakov)
Date: Thu, 06 Apr 2017 11:50:18 +0000
Subject: No referrer header on leacher's site !!
In-Reply-To: <CAD3xhrNrZeC5BvGQKndQ84QCEMJOnK8axsZBvVhFeDf4SasYtw@mail.gmail.com>
References: <CAD3xhrNF-EWWv_kXF9POfr+EgTfdJ1FWeAH=sNgQvaxX3NwvgQ@mail.gmail.com>
 <1491305526.712318.933610512.31DF5DC8@webmail.messagingengine.com>
 <CAD3xhrMoACZ0p5DGt35MAydLDdLm1Z6=iv4+kh223yRtmgQ8wg@mail.gmail.com>
 <20170404205408.GG3428@daoine.org>
 <CAD3xhrNrZeC5BvGQKndQ84QCEMJOnK8axsZBvVhFeDf4SasYtw@mail.gmail.com>
Message-ID: <CAAhr1CfNJtbdLz+i4kCV2CFZD1LuoD2ZNdx=6aKT1cTa6Zj=BQ@mail.gmail.com>

On Thu, Apr 6, 2017, 10:50 shahzaib mushtaq <shahzaib.cb at gmail.com> wrote:

> >>With the controls sites have over the referrer header, it's not very
> effective as an access control mechanism. You can use something like
> http://nginx.org/en/docs/http/ngx_http_secure_link_module.html
> instead.
>
> We're also using Nginx secure link module based on HASH + expiry but
> somehow this secure link is exploited by that website. The video link hash
> on his website is exactly matching with ours means no matter if hash get
> expire & new takes it place that leacher is also getting the new hash &
> we're unable to find how he exploited us. Though on digging more into this
> we found that he's using following script to fetch video links from our
> website :
>
>
> https://github.com/XvBMC/repository.xvbmc/blob/master/plugin.video.saltsrd.lite/scrapers/dizibox_scraper.py
>
> His website name is also dizibox1.
>
IT happens because your secure  links hash doesn't have any end user unique
attributes like ip address
If you'll include enduser ip to the secure link hash, secure link become
unique for the end user. Any direct video link grabbed and shared by the
enduser or some script become useless.


>
> On Wed, Apr 5, 2017 at 1:54 AM, Francis Daly <francis at daoine.org> wrote:
>
> On Tue, Apr 04, 2017 at 04:39:23PM +0500, shahzaib mushtaq wrote:
>
> Hi there,
>
> > Thanks for quick response. Well its reverse, he's putting our HTTPS video
> > link on his HTTP website. Could that create issue as well? If yes, what's
> > the fix of it.
>
> nginx does not know (or care) what the linking site does. All it can
> see is the request made to it.
>
> The browser entirely controls what request headers the browser sends.
>
> If you want to deny all requests that have no Referer header, you can
> do that.
>
> If you want to deny only some requests that have no Referer header,
> you will need to tell nginx which requests to deny and which requests to
> allow. But before you can do that, you will have to know how to identify
> the requests in one of the sets.
>
>         f
> --
> Francis Daly        francis at daoine.org
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170406/9778f949/attachment.html>

From nginx-forum at forum.nginx.org  Thu Apr  6 12:03:19 2017
From: nginx-forum at forum.nginx.org (c0nw0nk)
Date: Thu, 06 Apr 2017 08:03:19 -0400
Subject: No referrer header on leacher's site !!
In-Reply-To: <CAAhr1CfNJtbdLz+i4kCV2CFZD1LuoD2ZNdx=6aKT1cTa6Zj=BQ@mail.gmail.com>
References: <CAAhr1CfNJtbdLz+i4kCV2CFZD1LuoD2ZNdx=6aKT1cTa6Zj=BQ@mail.gmail.com>
Message-ID: <68d306e00b322c80fda3a225fbf35fc7.NginxMailingListEnglish@forum.nginx.org>

Dmitry S. Polyakov Wrote:
-------------------------------------------------------
> On Thu, Apr 6, 2017, 10:50 shahzaib mushtaq <shahzaib.cb at gmail.com>
> wrote:
> 
> > >>With the controls sites have over the referrer header, it's not
> very
> > effective as an access control mechanism. You can use something like
> > http://nginx.org/en/docs/http/ngx_http_secure_link_module.html
> > instead.
> >
> > We're also using Nginx secure link module based on HASH + expiry but
> > somehow this secure link is exploited by that website. The video
> link hash
> > on his website is exactly matching with ours means no matter if hash
> get
> > expire & new takes it place that leacher is also getting the new
> hash &
> > we're unable to find how he exploited us. Though on digging more
> into this
> > we found that he's using following script to fetch video links from
> our
> > website :
> >
> >
> >
> https://github.com/XvBMC/repository.xvbmc/blob/master/plugin.video.sal
> tsrd.lite/scrapers/dizibox_scraper.py
> >
> > His website name is also dizibox1.
> >
> IT happens because your secure  links hash doesn't have any end user
> unique
> attributes like ip address
> If you'll include enduser ip to the secure link hash, secure link
> become
> unique for the end user. Any direct video link grabbed and shared by
> the
> enduser or some script become useless.


You would think that but with Kodi/XBMC that is not the case their App grabs
and sends a HTML request on a per user basis.

So each and every request comes from a users Kodi box or app on their phone
etc what when the page generates the HTML response to that user it also
generated the response for their IP address.

It is like real web traffic.

I prevented them as I explained here
https://forum.nginx.org/read.php?2,273405,273447#msg-273447

Also if you browse and view pornhub, pornsocket, youtube what ever streaming
sites etc you will see they now hide and obfuscate their stream links in
JavaScript to break these kodi box users as I explained in the link above.

Here is proof :
<script type="text/javascript">
	/*This entire area would be their broken up url link obfuscated to be put
back together again by JavaScript making it unreadable for these kodi/xbmc
users */ = quality_720p;
	
	loadScriptUniqueId.push('111418492');
	loadScriptVar.push(flashvars_111418492);

	playerObjList.playerDiv_111418492 = {
		'flashvars'	: {"embedId":111418492},
		'embedSWF'	:
{"url":"https:\/\/bi.phncdn.com\/www-static\/flash\/","element":"playerDiv_111418492","width":"100%","height":"100%","version":"9.0.0"}	};
</script>
	<div id="playerDiv_111418492" class="playerFlvContainer" data-enlarge="1"
data-showautoplayoption="1" data-share="1">
		<noscript>
			<video style="width:100%; height:100%;" controls="controls"
autobuffer="autobuffer" class="player-html5" preload="metadata">
				<source src="" type="video/mp4">
			</video>
		</noscript>

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273405,273449#msg-273449


From mdounin at mdounin.ru  Thu Apr  6 14:53:57 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Thu, 6 Apr 2017 17:53:57 +0300
Subject: Checking multiple caches before forwarding request to upstream
In-Reply-To: <71665a76fa9ffeb54de53e99e5d51032.NginxMailingListEnglish@forum.nginx.org>
References: <71665a76fa9ffeb54de53e99e5d51032.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170406145357.GT13617@mdounin.ru>

Hello!

On Thu, Apr 06, 2017 at 06:45:23AM -0400, sachin.shetty at gmail.com wrote:

> Hi,
> 
> We want to define multiple caches based on certain request headers (time
> stamp) so that we can put files modified in last 10 days on SSDs, last 30
> days on HDDs and so on. I understand that we could use map feature to pick a
> cache dynamically which is good and works for us. 
> 
> But when serving a file, we want to check in all the caches because file
> modified in last 11 days could still be on SSDs, so we don't wan't to
> unnecessarily pull it out from backend and put it on HDDs.
> 
> so net, net we want to check multiple caches before pulling from the
> backend. Is there a way to do that? We can only define one proxy_cache in a
> location block, so I figured if we some how use try files or error page
> attribute to failover multiple blocks and check one cache in each block, we
> could check multiple caches. 
> 
> following is my simplified config:
> 
> server {
>         listen       7800 ;
>         server_name  localhost;
>         resolver 8.8.8.8 ipv6=off;
> 
>         location / {
> 
>             set $served_by "cache";
>             set $cache_key $request_uri;
>             proxy_cache cache_recent;
>             proxy_cache_key $cache_key;
> 
>             error_page 418 = @go-to-cloud-storage; return 418;
>             #try_files /does-not-exist @go-to-cloud-storage;
> 
>         }
> 
>         location @go-to-cloud-storage  {
>             set $served_by "cloud";
> 
>             proxy_cache cache_recent;
>             proxy_cache_key $cache_key;
> 
>             proxy_set_header Host $host;
>             proxy_pass https://$http_host$request_uri;
>         }
> 
>     }
> 
> But in the above config,   @go-to-cloud-storage storage is always executed
> even when object is in cache for the / block. 

That's because you unconditionally return 418 before any other 
processing.  Rewrite directives, including "return", are executed 
when nginx searches for a configuration to use, see details here:

http://nginx.org/en/docs/http/ngx_http_rewrite_module.html

Moreover, proxy_cache only works when you proxy somewhere, and 
there is no proxy_pass in your "location /".

To check multiple caches consider actual proxying instead, this 
will allow you to naturally use multiple caching layers.

-- 
Maxim Dounin
http://nginx.org/

From nginx-forum at forum.nginx.org  Thu Apr  6 15:04:30 2017
From: nginx-forum at forum.nginx.org (sachin.shetty@gmail.com)
Date: Thu, 06 Apr 2017 11:04:30 -0400
Subject: Checking multiple caches before forwarding request to upstream
In-Reply-To: <20170406145357.GT13617@mdounin.ru>
References: <20170406145357.GT13617@mdounin.ru>
Message-ID: <8ffb3bfb1376ff8ed6c38d84244921e8.NginxMailingListEnglish@forum.nginx.org>

Thanks, I guess actual proxying is the only way out. I will try it out.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273446,273454#msg-273454


From mdounin at mdounin.ru  Thu Apr  6 15:23:20 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Thu, 6 Apr 2017 18:23:20 +0300
Subject: Memory issue
In-Reply-To: <bba52964748597ef70c924e7ff88e133.NginxMailingListEnglish@forum.nginx.org>
References: <20170405143003.GO13617@mdounin.ru>
 <bba52964748597ef70c924e7ff88e133.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170406152320.GU13617@mdounin.ru>

Hello!

On Wed, Apr 05, 2017 at 09:32:41PM -0400, JohnCarne wrote:

> We described it properly when opening ticket, I reformulate :
> 
> Usually, 1 nginx worker process consumes 1.16-2% of RAM maximum on this
> server, and it remain stable.
> For some days after nginx upgrades, every overnight, during daily stat
> generation process of cpanel which happens on overnight like set, there is
> many nginx reloads due to stat generation (= normal), but this is now
> causing an ever increasing memory use of RAM by nginx worker process,
> usually it stays around 1-2% RAM, we now see it cumulating after stat
> generation process increasing itself at begin with 1-2% RAM each time, which
> will lead after some weaks to a saturated server in term of RAM if nginx is
> not started. When we saw the issue first time, Nginx was consuming 12% of
> server RAM considering we have 128 GB RAM on this shared hosting server.
> 
> After recent nginx upgrade :
> The increase is around 0.20% daily, instead of 1-2% RAM

So, you observe one nginx worker process consuming about 12% of 
your server RAM, that is, more than 10GB of memory, correct?  You 
may want to provide something like "ps alx | grep nginx" output 
to illustrate the problem.

You may start with the following basic steps:

- Check your "nginx -V" output and nginx configuration; disable 
  3rd party modules if there are any, and check if the problem 
  persists.  In many cases various obscure problems are introduced 
  by bugs in 3rd party modules.

- Make sure you are talking about a single worker process memory 
  consumption, and not overral memory consumption of all nginx 
  worker processes.  Multiple configuration reloads can leave 
  multiple nginx worker processes in the "shutting down..." state 
  for a long time which depends on the particular workload, and it 
  is not a surprise you need memory if you do lots of configuration 
  reloads.

- Check your nginx configuration to see if there natural reasons 
  to consume memory - multiple connections and large buffers 
  configured, thousands of complex location configurtions, large 
  shared memory zones, and so on.

- Try to find out what exactly causes increased memory 
  consumption.  The "stats generation process" you write about is 
  not something nginx does by itself, and it is completely unknown 
  what it means for anyone except you.

If the above won't be enough for you to identify the problem, 
consider providing additional information about the observed 
proble, including "ps alx" output which demonstrates the problem, 
"nginx -V" output, and full nginx configuration (shown with 
"nginx -T").

-- 
Maxim Dounin
http://nginx.org/

From nginx-forum at forum.nginx.org  Thu Apr  6 15:32:45 2017
From: nginx-forum at forum.nginx.org (JohnCarne)
Date: Thu, 06 Apr 2017 11:32:45 -0400
Subject: Memory issue
In-Reply-To: <20170406152320.GU13617@mdounin.ru>
References: <20170406152320.GU13617@mdounin.ru>
Message-ID: <a03520131efbf590009e633d864a37f6.NginxMailingListEnglish@forum.nginx.org>

cpanel stat generation cause thet nginx makes a lot of reload to grab new
file descriptor... no issue on that

Issue is nginx, I show you situation now with 2.58% used for 1 work, which
is same value for others, but gloably, nginx uses now 2.58%, this number is
increasing slowly at the rythm of nginx reloads asked...


[root at web1 ~]# ps alx | grep nginx
5    99  711213  913692  20   0 3917936 3397132 ep_pol S ?          0:22
nginx: worker process
5    99  711224  913692  20   0 3918128 3397300 ep_pol S ?          0:24
nginx: worker process
5    99  711229  913692  20   0 3918392 3397456 ep_pol S ?          0:26
nginx: worker process
5    99  711238  913692  20   0 3918128 3397228 ep_pol S ?          0:20
nginx: worker process
5    99  711245  913692  20   0 3917936 3397144 ep_pol S ?          0:23
nginx: worker process
5    99  711248  913692  20   0 3918096 3397296 ep_pol S ?          0:18
nginx: worker process
5    99  711252  913692  20   0 3918392 3397392 ep_pol S ?          0:21
nginx: worker process
5    99  711255  913692  20   0 3918128 3397132 -   R    ?          0:19
nginx: worker process
5    99  711257  913692  20   0 3917580 3394632 ep_pol S ?          0:00
nginx: cache manager process
0     0  767011  766950  20   0 112652   956 pipe_w S+   pts/2      0:00
grep --color=auto nginx
5     0  913692       1  20   0 3917576 3396176 sigsus Ss ?        74:26
nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf


Output of nginx -T is taking 100's of pages, i can't pu it here...

[root at web1 ~]# nginx -V
nginx version: nginx/1.11.13
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)
built with LibreSSL 2.5.2
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx
--modules-path=/etc/nginx/modules --with-pcre=./pcre-8.40 --with-pcre-jit
--with-zlib=./zlib-1.2.11 --with-openssl=./libressl-2.5.2
--conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error_log
--http-log-path=/var/log/nginx/access_log --pid-path=/var/run/nginx.pid
--lock-path=/var/run/nginx.lock
--http-client-body-temp-path=/var/cache/nginx/client_temp
--http-proxy-temp-path=/var/cache/nginx/proxy_temp
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
--http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nobody
--group=nobody --with-http_ssl_module --with-http_realip_module
--with-http_addition_module --with-http_sub_module --with-http_dav_module
--with-http_flv_module --with-http_mp4_module --with-http_gunzip_module
--with-http_gzip_static_module --with-http_random_index_module
--with-http_secure_link_module --with-http_stub_status_module
--with-http_auth_request_module --add-dynamic-module=naxsi-http2/naxsi_src
--with-file-aio --with-threads --with-stream --with-stream_ssl_module
--with-http_slice_module --with-compat --with-http_v2_module
--with-http_geoip_module=dynamic
--add-dynamic-module=ngx_pagespeed-release-1.11.33.4-beta
--add-dynamic-module=/usr/local/rvm/gems/ruby-2.3.1/gems/passenger-5.1.2/src/nginx_module
--add-dynamic-module=ngx_brotli --add-dynamic-module=echo-nginx-module-0.60
--add-dynamic-module=headers-more-nginx-module-0.32
--add-dynamic-module=ngx_http_redis-0.3.8
--add-dynamic-module=redis2-nginx-module
--add-dynamic-module=srcache-nginx-module-0.31
--add-dynamic-module=ngx_devel_kit-0.3.0
--add-dynamic-module=set-misc-nginx-module-0.31
--add-dynamic-module=ModSecurity-nginx --with-cc-opt='-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
--param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic'
--with-ld-opt=-Wl,-E
[root at web1 ~]#


Anoop is dev of Xtendweb stack using nginx core, he is investigating, and it
seems his solution if to use a pre-approved nginx core :
https://openresty.org/en/
and that it could solve many issues with 3rd party modules which we need to
use absolutely...

Indeed, we are all tired to do 3 upgrades /month

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273274,273456#msg-273456


From vbart at nginx.com  Thu Apr  6 15:37:40 2017
From: vbart at nginx.com (Valentin V. Bartenev)
Date: Thu, 06 Apr 2017 18:37:40 +0300
Subject: Memory issue
In-Reply-To: <a03520131efbf590009e633d864a37f6.NginxMailingListEnglish@forum.nginx.org>
References: <20170406152320.GU13617@mdounin.ru>
 <a03520131efbf590009e633d864a37f6.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <15539872.b5U4JGvMUM@vbart-workstation>

On Thursday 06 April 2017 11:32:45 JohnCarne wrote:
> cpanel stat generation cause thet nginx makes a lot of reload to grab new
> file descriptor... no issue on that
> 
[..]

JFYI, reloading nginx isn't required to reopen log files.
See for details: http://nginx.org/en/docs/control.html#logs

  wbr, Valentin V. Bartenev


From nginx-forum at forum.nginx.org  Thu Apr  6 15:39:23 2017
From: nginx-forum at forum.nginx.org (JohnCarne)
Date: Thu, 06 Apr 2017 11:39:23 -0400
Subject: Memory issue
In-Reply-To: <15539872.b5U4JGvMUM@vbart-workstation>
References: <15539872.b5U4JGvMUM@vbart-workstation>
Message-ID: <fe6dde646b1e9bacfffc7061d4f08f8f.NginxMailingListEnglish@forum.nginx.org>

Thanks for info, Anoop will read this, he is subscribed

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273274,273458#msg-273458


From lucas at lucasrolff.com  Thu Apr  6 16:36:05 2017
From: lucas at lucasrolff.com (Lucas Rolff)
Date: Thu, 6 Apr 2017 16:36:05 +0000
Subject: Memory issue
In-Reply-To: <a03520131efbf590009e633d864a37f6.NginxMailingListEnglish@forum.nginx.org>
References: <20170406152320.GU13617@mdounin.ru>
 <a03520131efbf590009e633d864a37f6.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <0D7F678E-2678-4ADE-A592-446962269F48@lucasrolff.com>

> cpanel stat generation cause thet nginx makes a lot of reload to grab new file descriptor... no issue on that

Even though this is off-topic - if you issue a lot of reloads during cPanel stat generation, your hooks are configured wrong, since Apache in cPanel only reloads *once* during the whole process.

> Issue is nginx, I show you situation now with 2.58% used for 1 work, which is same value for others, but gloably, nginx uses now 2.58%, this number is increasing slowly at the rythm of nginx reloads asked..

I happen to use nginx (mainline version) myself on a cPanel server - no custom modules, there's no memory leak in the latest versions of nginx - I stay happily at 0.2% in memory (32 gigabyte server)

> Anoop is dev of Xtendweb stack using nginx core, he is investigating, and it seems his solution if to use a pre-approved nginx core : https://openresty.org/en/

Using OpenResty wouldn't solve your issues - you can use the exact same modules as OpenResty does, in a normal nginx build (be aware that some modules such as the lua module, and the echo-nginx module isn't yet building correctly against nginx 1.11.11+)

In the end, include only the extra modules you require - because as far as I can tell, in the mainline version of nginx, nothing (at least for me) has caused memory issues with workers, even when reloading a bunch of times.

It might very well be that one of the 3rd-party modules have not been fully tested to work with 1.11.13







On 06/04/2017, 17.32, "nginx on behalf of JohnCarne" <nginx-bounces at nginx.org on behalf of nginx-forum at forum.nginx.org> wrote:

>cpanel stat generation cause thet nginx makes a lot of reload to grab new
>file descriptor... no issue on that
>
>Issue is nginx, I show you situation now with 2.58% used for 1 work, which
>is same value for others, but gloably, nginx uses now 2.58%, this number is
>increasing slowly at the rythm of nginx reloads asked...
>
>
>[root at web1 ~]# ps alx | grep nginx
>5    99  711213  913692  20   0 3917936 3397132 ep_pol S ?          0:22
>nginx: worker process
>5    99  711224  913692  20   0 3918128 3397300 ep_pol S ?          0:24
>nginx: worker process
>5    99  711229  913692  20   0 3918392 3397456 ep_pol S ?          0:26
>nginx: worker process
>5    99  711238  913692  20   0 3918128 3397228 ep_pol S ?          0:20
>nginx: worker process
>5    99  711245  913692  20   0 3917936 3397144 ep_pol S ?          0:23
>nginx: worker process
>5    99  711248  913692  20   0 3918096 3397296 ep_pol S ?          0:18
>nginx: worker process
>5    99  711252  913692  20   0 3918392 3397392 ep_pol S ?          0:21
>nginx: worker process
>5    99  711255  913692  20   0 3918128 3397132 -   R    ?          0:19
>nginx: worker process
>5    99  711257  913692  20   0 3917580 3394632 ep_pol S ?          0:00
>nginx: cache manager process
>0     0  767011  766950  20   0 112652   956 pipe_w S+   pts/2      0:00
>grep --color=auto nginx
>5     0  913692       1  20   0 3917576 3396176 sigsus Ss ?        74:26
>nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
>
>
>Output of nginx -T is taking 100's of pages, i can't pu it here...
>
>[root at web1 ~]# nginx -V
>nginx version: nginx/1.11.13
>built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)
>built with LibreSSL 2.5.2
>TLS SNI support enabled
>configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx
>--modules-path=/etc/nginx/modules --with-pcre=./pcre-8.40 --with-pcre-jit
>--with-zlib=./zlib-1.2.11 --with-openssl=./libressl-2.5.2
>--conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error_log
>--http-log-path=/var/log/nginx/access_log --pid-path=/var/run/nginx.pid
>--lock-path=/var/run/nginx.lock
>--http-client-body-temp-path=/var/cache/nginx/client_temp
>--http-proxy-temp-path=/var/cache/nginx/proxy_temp
>--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
>--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
>--http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nobody
>--group=nobody --with-http_ssl_module --with-http_realip_module
>--with-http_addition_module --with-http_sub_module --with-http_dav_module
>--with-http_flv_module --with-http_mp4_module --with-http_gunzip_module
>--with-http_gzip_static_module --with-http_random_index_module
>--with-http_secure_link_module --with-http_stub_status_module
>--with-http_auth_request_module --add-dynamic-module=naxsi-http2/naxsi_src
>--with-file-aio --with-threads --with-stream --with-stream_ssl_module
>--with-http_slice_module --with-compat --with-http_v2_module
>--with-http_geoip_module=dynamic
>--add-dynamic-module=ngx_pagespeed-release-1.11.33.4-beta
>--add-dynamic-module=/usr/local/rvm/gems/ruby-2.3.1/gems/passenger-5.1.2/src/nginx_module
>--add-dynamic-module=ngx_brotli --add-dynamic-module=echo-nginx-module-0.60
>--add-dynamic-module=headers-more-nginx-module-0.32
>--add-dynamic-module=ngx_http_redis-0.3.8
>--add-dynamic-module=redis2-nginx-module
>--add-dynamic-module=srcache-nginx-module-0.31
>--add-dynamic-module=ngx_devel_kit-0.3.0
>--add-dynamic-module=set-misc-nginx-module-0.31
>--add-dynamic-module=ModSecurity-nginx --with-cc-opt='-O2 -g -pipe -Wall
>-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
>--param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic'
>--with-ld-opt=-Wl,-E
>[root at web1 ~]#
>
>
>Anoop is dev of Xtendweb stack using nginx core, he is investigating, and it
>seems his solution if to use a pre-approved nginx core :
>https://openresty.org/en/
>and that it could solve many issues with 3rd party modules which we need to
>use absolutely...
>
>Indeed, we are all tired to do 3 upgrades /month
>
>Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273274,273456#msg-273456
>
>_______________________________________________
>nginx mailing list
>nginx at nginx.org
>http://mailman.nginx.org/mailman/listinfo/nginx

From mdounin at mdounin.ru  Thu Apr  6 17:05:31 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Thu, 6 Apr 2017 20:05:31 +0300
Subject: Memory issue
In-Reply-To: <a03520131efbf590009e633d864a37f6.NginxMailingListEnglish@forum.nginx.org>
References: <20170406152320.GU13617@mdounin.ru>
 <a03520131efbf590009e633d864a37f6.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170406170531.GA13617@mdounin.ru>

Hello!

On Thu, Apr 06, 2017 at 11:32:45AM -0400, JohnCarne wrote:

> cpanel stat generation cause thet nginx makes a lot of reload to grab new
> file descriptor... no issue on that
> 
> Issue is nginx, I show you situation now with 2.58% used for 1 work, which
> is same value for others, but gloably, nginx uses now 2.58%, this number is
> increasing slowly at the rythm of nginx reloads asked...
> 
> 
> [root at web1 ~]# ps alx | grep nginx
> 5    99  711213  913692  20   0 3917936 3397132 ep_pol S ?          0:22
> nginx: worker process
> 5    99  711224  913692  20   0 3918128 3397300 ep_pol S ?          0:24
> nginx: worker process
> 5    99  711229  913692  20   0 3918392 3397456 ep_pol S ?          0:26
> nginx: worker process
> 5    99  711238  913692  20   0 3918128 3397228 ep_pol S ?          0:20
> nginx: worker process
> 5    99  711245  913692  20   0 3917936 3397144 ep_pol S ?          0:23
> nginx: worker process
> 5    99  711248  913692  20   0 3918096 3397296 ep_pol S ?          0:18
> nginx: worker process
> 5    99  711252  913692  20   0 3918392 3397392 ep_pol S ?          0:21
> nginx: worker process
> 5    99  711255  913692  20   0 3918128 3397132 -   R    ?          0:19
> nginx: worker process
> 5    99  711257  913692  20   0 3917580 3394632 ep_pol S ?          0:00
> nginx: cache manager process
> 0     0  767011  766950  20   0 112652   956 pipe_w S+   pts/2      0:00
> grep --color=auto nginx
> 5     0  913692       1  20   0 3917576 3396176 sigsus Ss ?        74:26
> nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf

Ok, so nginx master process grown to 3+ GB, and all workers are 
mostly identical.  So the memory is certainly consumed by the 
master process.  This may or may not be normal, depending on the 
configuration used.

If you think that memory is consumed on configuration reloads, you 
may want to provide "ps alx | grep nginx" after restarting nginx 
(it is expected to be small), after one configuration reload (it 
is expected to be larger due to another copy of the configuration 
allocated) and after multiple configuration reloads (this will 
demonstrate increased memory consumption, if any).

Note well: leaking memory on configuration reloads is a more or 
less typical problem with various 3rd party modules.  IIRC, 
various versions of modsecurity were previously reported doing 
this.  As previously suggested, try without 3rd party modules to 
see if it helps.

> Output of nginx -T is taking 100's of pages, i can't pu it here...

Well, not a problem.  It simply limits possibility of others to help 
you.  Anyway, I suspect your problem is 3rd party modules, and I 
don't think there is a room to investigate further before testing 
if the problem persists without 3rd party modules.

[...]

> Indeed, we are all tired to do 3 upgrades /month

Note that the way you are asking others to help you is not likely 
to attract many volunteers.

-- 
Maxim Dounin
http://nginx.org/

From nginx-forum at forum.nginx.org  Thu Apr  6 17:20:20 2017
From: nginx-forum at forum.nginx.org (JohnCarne)
Date: Thu, 06 Apr 2017 13:20:20 -0400
Subject: Memory issue
In-Reply-To: <20170406170531.GA13617@mdounin.ru>
References: <20170406170531.GA13617@mdounin.ru>
Message-ID: <9d21bf97a209072d5842d385fe63d3d8.NginxMailingListEnglish@forum.nginx.org>

Thanks for your feebacks. I do my best seriously to communicate what I can
!

We note this issue on very busy server only, it will be hard to remove all
modules on such busy server, and reconfig all, but not impossible. Anoop is
on the case on smallest servers, and succeed to see the issue at small
scale, he will troubleshoot with sometimes...

Yes, 1 of the 3rd party module is leaking memory for sure, no doubt about
this for me.

ps alx | grep nginx" after restarting nginx 
This gives 1.16% as usual
+ 1 more reload, we get around 2.24%
+ more 100's more reloads, we gradually get to 2.58%

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273274,273461#msg-273461


From nginx-forum at forum.nginx.org  Thu Apr  6 18:46:40 2017
From: nginx-forum at forum.nginx.org (shivramg94)
Date: Thu, 06 Apr 2017 14:46:40 -0400
Subject: Nginx upstream server certificate verification
In-Reply-To: <C7DF9D5A-C046-40EF-A8DE-C620C596ECA1@nginx.com>
References: <C7DF9D5A-C046-40EF-A8DE-C620C596ECA1@nginx.com>
Message-ID: <b06b5f9db3825d0f84f64ff90e6683e4.NginxMailingListEnglish@forum.nginx.org>

Thank Sergey, for you response. 

I have one more question. If I have multiple upstream server host names in
the upstream server block, then how can I specify the specific upstream
server host name to which the request is being proxied, in the
proxy_ssl_name directive?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273295,273462#msg-273462


From reallfqq-nginx at yahoo.fr  Thu Apr  6 19:49:03 2017
From: reallfqq-nginx at yahoo.fr (B.R.)
Date: Thu, 6 Apr 2017 21:49:03 +0200
Subject: Memory issue
In-Reply-To: <9d21bf97a209072d5842d385fe63d3d8.NginxMailingListEnglish@forum.nginx.org>
References: <20170406170531.GA13617@mdounin.ru>
 <9d21bf97a209072d5842d385fe63d3d8.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <CALqce=2RycZQXRCAzGzjwrrq=qj+3CV26nKYnFt22h78RvYd+w@mail.gmail.com>

Idea coming right out of the blue: have you given a thought on compiling
nginx (+ gradually modules) with valgrind? ?You should know pretty quickly
if something is wrong.?
?Note the slowdown, though. Might not be a good idea on production, or if
you do not secure some offload to somewhere else if it becomes messy.?
---
*B. R.*

On Thu, Apr 6, 2017 at 7:20 PM, JohnCarne <nginx-forum at forum.nginx.org>
wrote:

> Thanks for your feebacks. I do my best seriously to communicate what I can
> !
>
> We note this issue on very busy server only, it will be hard to remove all
> modules on such busy server, and reconfig all, but not impossible. Anoop is
> on the case on smallest servers, and succeed to see the issue at small
> scale, he will troubleshoot with sometimes...
>
> Yes, 1 of the 3rd party module is leaking memory for sure, no doubt about
> this for me.
>
> ps alx | grep nginx" after restarting nginx
> This gives 1.16% as usual
> + 1 more reload, we get around 2.24%
> + more 100's more reloads, we gradually get to 2.58%
>
> Posted at Nginx Forum: https://forum.nginx.org/read.
> php?2,273274,273461#msg-273461
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170406/80021631/attachment.html>

From ceecko at gmail.com  Thu Apr  6 21:18:02 2017
From: ceecko at gmail.com (Michal Kralik)
Date: Thu, 6 Apr 2017 23:18:02 +0200
Subject: 99.999% my config works - then default_server is used
Message-ID: <CAGVfq3FOu1xaGRwD7E9zO0+sYiC7T5D5TBx5c6eSn9Ch7fDzkw@mail.gmail.com>

Hi,

We're facing super strange issues with nginx 1.10.3 (CentOS 7,
3.10.0-327.36.3.el7.x86_64). Our config works ok, we get a lot of traffic,
but every day a couple of requests (5-10) don't get processes correctly by
a server directive with the defined server_name, but rather by a server
directive with listen's "default_server". Here's the config
https://paste.ngx.cc/29345124359e0447

Most of the time a request to 01.app.example.com gets processed correctly,
but every day a couple of requests get processed by the server directive
from file conf.d/01-default.conf. There's nothing in the nginx system logs
around the time when this issue happens.

The access.log from the default_server shows this
(/data/logs/nginx/access.log):
1.1.1.1 - - [06/Apr/2017:12:20:57 +0000] "01.app.example.com" "GET
/robots.txt HTTP/1.1" 302 161 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +
http://www.google.com/bot.html)" "-"

It's clearly a redirect processed by the default_server, but the request
should be rather processed by server directive in conf.d/02-apps.conf
because the host header clearly states "01.app.example.com".

Any ideas what's going on?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170406/497fae47/attachment.html>

From ru at nginx.com  Thu Apr  6 21:50:56 2017
From: ru at nginx.com (Ruslan Ermilov)
Date: Fri, 7 Apr 2017 00:50:56 +0300
Subject: 99.999% my config works - then default_server is used
In-Reply-To: <CAGVfq3FOu1xaGRwD7E9zO0+sYiC7T5D5TBx5c6eSn9Ch7fDzkw@mail.gmail.com>
References: <CAGVfq3FOu1xaGRwD7E9zO0+sYiC7T5D5TBx5c6eSn9Ch7fDzkw@mail.gmail.com>
Message-ID: <20170406215056.GH79252@lo0.su>

On Thu, Apr 06, 2017 at 11:18:02PM +0200, Michal Kralik wrote:
> Hi,
> 
> We're facing super strange issues with nginx 1.10.3 (CentOS 7,
> 3.10.0-327.36.3.el7.x86_64). Our config works ok, we get a lot of traffic,
> but every day a couple of requests (5-10) don't get processes correctly by
> a server directive with the defined server_name, but rather by a server
> directive with listen's "default_server". Here's the config
> https://paste.ngx.cc/29345124359e0447
> 
> Most of the time a request to 01.app.example.com gets processed correctly,
> but every day a couple of requests get processed by the server directive
> from file conf.d/01-default.conf. There's nothing in the nginx system logs
> around the time when this issue happens.
> 
> The access.log from the default_server shows this
> (/data/logs/nginx/access.log):
> 1.1.1.1 - - [06/Apr/2017:12:20:57 +0000] "01.app.example.com" "GET
> /robots.txt HTTP/1.1" 302 161 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +
> http://www.google.com/bot.html)" "-"
> 
> It's clearly a redirect processed by the default_server, but the request
> should be rather processed by server directive in conf.d/02-apps.conf
> because the host header clearly states "01.app.example.com".
> 
> Any ideas what's going on?

Given the provided configuration snippet, this should happen
with all HTTPS requests to 01.app.example.com.

From al-nginx at none.at  Thu Apr  6 22:51:15 2017
From: al-nginx at none.at (Aleksandar Lazic)
Date: Fri, 07 Apr 2017 00:51:15 +0200
Subject: Memory issue
In-Reply-To: <20170406170531.GA13617@mdounin.ru>
References: <20170406152320.GU13617@mdounin.ru>
 <a03520131efbf590009e633d864a37f6.NginxMailingListEnglish@forum.nginx.org>
 <20170406170531.GA13617@mdounin.ru>
Message-ID: <6789749d680998a41f82d644c1935d9c@none.at>



Am 06-04-2017 19:05, schrieb Maxim Dounin:
> Hello!
> 
> On Thu, Apr 06, 2017 at 11:32:45AM -0400, JohnCarne wrote:
> 

[...]

> [...]
> 
>> Indeed, we are all tired to do 3 upgrades /month
> 
> Note that the way you are asking others to help you is not likely
> to attract many volunteers.

+1

From nginx-forum at forum.nginx.org  Fri Apr  7 03:03:48 2017
From: nginx-forum at forum.nginx.org (JohnCarne)
Date: Thu, 06 Apr 2017 23:03:48 -0400
Subject: Memory issue
In-Reply-To: <CALqce=2RycZQXRCAzGzjwrrq=qj+3CV26nKYnFt22h78RvYd+w@mail.gmail.com>
References: <CALqce=2RycZQXRCAzGzjwrrq=qj+3CV26nKYnFt22h78RvYd+w@mail.gmail.com>
Message-ID: <8b79275036348545e9f14362f561d8d0.NginxMailingListEnglish@forum.nginx.org>

@] BR via Nginx :
Idea coming right out of the blue: have you given a thought on compiling
nginx (+ gradually modules) with valgrind? ?You should know pretty quickly
if something is wrong.?

Thanks for this idea which can really improve the eng process...

Brotli seems the main suspected issue

Anoop just told me :
**the reload is changed to USR1 for stats////

I will upgrade soon, this should dramatically reduce the issue to 0
nearly...

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273274,273467#msg-273467


From nginx-forum at forum.nginx.org  Fri Apr  7 03:34:05 2017
From: nginx-forum at forum.nginx.org (JohnCarne)
Date: Thu, 06 Apr 2017 23:34:05 -0400
Subject: Memory issue
In-Reply-To: <20170406170531.GA13617@mdounin.ru>
References: <20170406170531.GA13617@mdounin.ru>
Message-ID: <3fd2571a3c37398b2faed20bdc5d1062.NginxMailingListEnglish@forum.nginx.org>

I could not paste output of nginx -T, even truncating to 2500 lines instead
of 158000

I get :
Please shorten your messages, the body is too large.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273274,273468#msg-273468


From nginx-forum at forum.nginx.org  Fri Apr  7 03:57:38 2017
From: nginx-forum at forum.nginx.org (JohnCarne)
Date: Thu, 06 Apr 2017 23:57:38 -0400
Subject: Memory issue
In-Reply-To: <3fd2571a3c37398b2faed20bdc5d1062.NginxMailingListEnglish@forum.nginx.org>
References: <20170406170531.GA13617@mdounin.ru>
 <3fd2571a3c37398b2faed20bdc5d1062.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <c0d0c03a0930e0f810afcbc9aa658871.NginxMailingListEnglish@forum.nginx.org>

another attempt :

# configuration file /etc/nginx/nginx.conf:
#Core Functionality

user  nobody;
worker_processes  8;
pid        /var/run/nginx.pid;
pcre_jit on;
error_log /var/log/nginx/error_log;
#error_log /home/abackup/debug.log debug;
worker_rlimit_nofile 300000;

#Load Dynamic Modules
include /etc/nginx/modules.d/*.load;

events {
worker_connections 8192;
use epoll;
multi_accept on;
accept_mutex off;
}

#Settings For other core modules like for example the stream module
include /etc/nginx/conf.d/main_custom_include.conf;

#Settings for the http core module
include /etc/nginx/conf.d/http_settings_custom.conf;


# configuration file /etc/nginx/modules.d/brotli.load:
load_module "/etc/nginx/modules/ngx_http_brotli_filter_module.so";
load_module "/etc/nginx/modules/ngx_http_brotli_static_module.so";

# configuration file /etc/nginx/modules.d/geoip.load:
load_module "/etc/nginx/modules/ngx_http_geoip_module.so";

# configuration file /etc/nginx/modules.d/headers_more_filter.load:
load_module "/etc/nginx/modules/ngx_http_headers_more_filter_module.so";

# configuration file /etc/nginx/modules.d/ndk.load:
load_module "/etc/nginx/modules/ndk_http_module.so";

# configuration file /etc/nginx/conf.d/main_custom_include.conf:

# configuration file /etc/nginx/conf.d/http_settings_custom.conf:
http {

#Set server identifier to XtendWeb-nginx
more_set_headers 'Server: YOORshop';

sendfile             off;
sendfile_max_chunk   1M;
tcp_nodelay          on;
#tcp_nopush           on;

# Slowloris mitigation
client_body_timeout             10s;
client_header_timeout           10s;
keepalive_timeout               30s;
send_timeout                    20s;
reset_timedout_connection       on;

keepalive_requests              512;
keepalive_disable               msie6 safari;
types_hash_max_size             2048;
server_names_hash_max_size      256000;
server_names_hash_bucket_size   4096;

server_tokens                   off;
client_max_body_size        	32m;
client_body_buffer_size      	256k;	
map_hash_bucket_size         	256;
map_hash_max_size            	4096;

connection_pool_size 		 	512;
client_header_buffer_size    	32k;
large_client_header_buffers  	4 256k;
request_pool_size            	32k;
output_buffers               	4 256k;
postpone_output  			 	1460;

#FastCGI
fastcgi_buffers				 16 16k;
fastcgi_buffer_size			 32k;
# the below options depend on theoretical maximum of your PHP script
run-time
fastcgi_read_timeout         300;
fastcgi_send_timeout         300;

include /etc/nginx/mime.types;
default_type application/octet-stream;

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

# Open File Cache
open_file_cache          max=10000 inactive=5m;
open_file_cache_valid    2m;
open_file_cache_min_uses 2;
open_file_cache_errors   on;

# Logging Settings
open_log_file_cache max=1000 inactive=20s valid=1m min_uses=2;
log_format bytes_log "$sec $bytes_sent .";
log_not_found off;
access_log off;

#Default maps
include /etc/nginx/conf.d/maps.conf;
include /etc/nginx/conf.d/maps-custom.conf;

#Limit Request Zone conf
include /etc/nginx/conf.d/limit_request_custom.conf;

#Include File where you can add any custom settings
include /etc/nginx/conf.d/custom_include.conf;

#RealIP conf for CDN like CloudFlare,Incapsula etc
include /etc/nginx/conf.d/cdn_realip.conf;
real_ip_header     X-Forwarded-For;

# FastCGI and PROXY cache config
include /etc/nginx/conf.d/nginx_cache_custom.conf;

# Uncomment following to enable DOS mitigation server wide
# include /etc/nginx/conf.d/dos_mitigate.conf;

# Include All config files in /etc/nginx/conf.auto/
include /etc/nginx/conf.auto/*.conf;

# Virtual Host Configs
#include /etc/nginx/conf.d/default_server.conf; # Auto Generated at nDeploy
install time
#include /etc/nginx/sites-enabled/*.conf; # Auto Generated by nDeploy

}

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document 
  docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet       
  xlsx;
   
application/vnd.openxmlformats-officedocument.presentationml.presentation 
pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/conf.d/maps.conf:
#Mapping upstream httpd ports
 map $scheme $cpport {
      http  9999;
      https 4430;
  }


#Mapping $msec to $sec so that we dont break cPanel bandwidth calculator
map $msec $sec {
        ~^(?P<secres>.+)\. $secres;
    }


#Maps to be used with various cache templates
####################################################################
map $request_method $requestnocache {
    default "";
    POST    1;
}


map $http_cookie $wpcookienocache {
        default                     "";
        SESS                        1;
        PHPSESSID                   1;
        ~*wordpress_[a-f0-9]+       1;
        comment_author              1;
        wp-postpass                 1;
        wordpress_no_cache          1;
        woocommerce_items_in_cart   1;
        resetpass                   1;
        wordpress_logged_in         1;
    }


map $http_cookie $drupalcookienocache {
        default                     "";
        ~*SESS                        1;
    }


map $request_uri $wpurinocache {
        default                                      "";
        ~*^\/wp-admin\/.*                            1;
        ~*^\/wp-[a-zA-Z0-9-]+\.php$                  1;
        ~*^\/feed\/.*                                1;
        ~*^\/administrator\/.*                       1;
        ~*^\/xmlrpc.php$                             1;
        ~*^\/index.php$                              1;
        ~*^\/wp-links-opml.php$                      1;
        ~*^\/wp-locations.php$                       1;
        ~*^\/sitemap(_index)?.xml                    1;
        ~*^\/[a-z0-9_-]+-sitemap([0-9]+)?.xml        1;
        ~*^\/cart\/.*                                1;
        ~*^\/my-account\/.*                          1;
        ~*^\/wp-api\/.*                              1;
        ~*^\/resetpass\/.*                           1;
}


map $request_uri $drupalurinocache {
        default                 "";
        ~*\/status\.php$         1;
        ~*\/update\.php$         1;
        ~*\/admin$              1;
        ~*\/admin\/.*$          1;
        ~*\/user$               1;
        ~*\/user\/.*            1;
        ~*\/flag\/.*            1;
        ~*.*\/ajax\/.*          1;
        ~*.*\/ahah\/.*          1;
        ~*\/admin\/content\/backup_migrate\/export  1;
  }


#Map for mobile user agent
map $http_user_agent $ua_device {
	default 'desktop';
	~*(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge\
|maemo|midp|mmp|mobile.+firefox|netfront|opera\ m(ob|in)i|palm(\
os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows\
ce|xda|xiino/i 'mobile';
	~*android|ipad|playbook|silk/i 'tablet';
}
####################################################################

# configuration file /etc/nginx/conf.d/maps-custom.conf:
map $request_method $not_allowed_method {
    default 1;
    GET 0;
    HEAD 0;
    POST 0;
    }
	
# GeoIP
geoip_country         /usr/share/GeoIP/GeoLiteCountry.dat;
geoip_city            /usr/share/GeoIP/GeoLiteCity.dat;

map $geoip_country_code $allowed_country {
        default yes;
		RU no;
		CN no;
		UA no;
    }

# configuration file /etc/nginx/conf.d/limit_request_custom.conf:
limit_req_zone $binary_remote_addr zone=FLOODPROTECT:10m rate=10r/s;
limit_req_zone $server_name zone=FLOODVHOST:20m rate=10r/s;
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/m;
limit_req_zone $binary_remote_addr zone=two:10m rate=2r/s;
limit_req_zone $binary_remote_addr zone=three:10m rate=3r/s;
limit_conn_zone $binary_remote_addr zone=PERIP:10m;
limit_conn_zone $server_name zone=PERSERVER:10m;
limit_conn_zone $server_name zone=PERSERVERLOGIN:10m;
limit_conn_zone $server_name zone=PERSERVERSEARCH:10m;
# configuration file /etc/nginx/conf.d/custom_include.conf:
#Referrer Spam Map
include /etc/nginx/conf.d/spam_protection.conf;
##
#IP blocks
include /etc/nginx/conf.d/ip_blocks.conf;
##
#IP blocks
include /etc/nginx/conf.d/ip_blocks_layer7.conf;
# Include netdata
include /etc/nginx/conf.d/netdata.conf;

# configuration file /etc/nginx/conf.d/spam_protection.conf:
map $http_user_agent $bad_bot {
    default 0;
    ~*^Lynx 0; # Let Lynx go through
	~*UptimeRobot/2.0 0; # Let UptimeRobot
	~*bingbot/2.0 0; # Let bingbot
	~*checkgzipcompression.com 0; # Let check gzip
	~*ocsp.comodoca.com 0; # SSL comodo
     libwww-perl 1;   
~*(?i)(\$x0E|\%0A|\%0D|\%27|\%3C|\%00|\@\$x|\!susie|\_irc|\_works|3gse|^4all|^4anything|^Buzzbot|a\_browser|^Yooplaabot|^ltx71|^python-requests|NerdyBot|^Vegi|^VegeBot)
1;
}

map $http_user_agent $scanners {
        default 0;
		"~*LinkedInBot" 0;
		"~*Discovery" 0;		
		"~*Bloglovin" 1;
		"~*Jakarta" 1;
        "~*toCrawl/UrlDispatcher" 1; 			
}

map $http_referer $bad_referer {
   default 0;
   "~*pastebin.com" 1;   
   "~*torrent" 1;
   "~*webxtrakt" 1;
}

map $remote_addr $denied {
default 0;
poneytelecom.eu 1;
185.62.189.113 1;
155.94.172.27 1;
1.54.43.166 1;
104.144.28.20 1;
} 
# configuration file /etc/nginx/conf.d/ip_blocks.conf:
deny 123.125.71.56/29;
deny 1.233.43.75;
deny 104.194.26.1;
deny 104.194.26.128/26;

# configuration file /etc/nginx/conf.d/ip_blocks_layer7.conf:
deny 103.194.193.1/32;
deny 103.194.193.2/31;
deny 103.194.193.4/30;

# configuration file /etc/nginx/conf.d/cdn_realip.conf:

#CloudFlare
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 199.27.128.0/21;

set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;

#Incapsula
set_real_ip_from 199.83.128.0/21;
set_real_ip_from 198.143.32.0/19;
set_real_ip_from 149.126.72.0/21;
set_real_ip_from 103.28.248.0/22;
set_real_ip_from 45.64.64.0/22;
set_real_ip_from 185.11.124.0/22;
set_real_ip_from 192.230.64.0/18;
set_real_ip_from 107.154.126.0/24;

set_real_ip_from 2a02:e980::/29;

# configuration file /etc/nginx/conf.d/nginx_cache_custom.conf:
# PROXY Micro-caching
proxy_cache_path /tmpcachenginx levels=1:2 keys_zone=micro:300m
inactive=240m max_size=5000m;
#PROXY CACHE
proxy_cache_path /var/cache/nginx/proxycache levels=1:2
keys_zone=PROXYCACHE:32m inactive=360m max_size=1000m;

proxy_cache_key "$scheme$request_method$host$request_uri";

#################################
#FASTCGICACHE
fastcgi_cache_path /var/cache/nginx/fastcgicache levels=1:2
keys_zone=FASTCGICACHE:32m inactive=60m max_size=512m;
fastcgi_cache_key "$scheme$request_method$host$request_uri";

# configuration file /etc/nginx/conf.auto/geoip.conf:
# GeoIP
# Add Following to /etc/nginx/conf.d/custom_include.conf to preserve in rpm
upgrade.

#geoip_country         /usr/share/GeoIP/GeoLiteCountry.dat;
#geoip_city            /usr/share/GeoIP/GeoLiteCity.dat;


1 vhost as example

# Redirects if any







# The server blocks

server {
listen    11.0.5.21:80 ;

server_name  22b-pit.com mail.22b-pit.com www.22b-pit.com;

access_log /usr/local/apache/domlogs/22b-pit.com-bytes_log bytes_log
buffer=32k flush=5m;






add_header X-Frame-Options SAMEORIGIN;



add_header X-XSS-Protection "1; mode=block";


include /etc/nginx/conf.d/gzip.conf;





# Allow "Well-Known URIs" as per RFC 5785
location ~* ^/.well-known/ {
allow all;
}
# Allow "Well-Known URIs" as per RFC 5785
# Include NAXSI settings
location ^~ /NaxsiRequestDenied {
return 418;
}
# End Include NAXSI settings
# Include any applications in subdirectory

# End Include any applications in subdirectory
include /etc/nginx/sites-enabled/22b-pit.com.manualconfig*;
include /etc/nginx/sites-enabled/22b-pit.com.include;


}


server {
listen    11.0.5.21:443 ssl http2 ;

ssl_certificate /etc/nginx/ssl/22b-pit.com.crt;
ssl_certificate_key
/var/cpanel/ssl/installed/keys/cbb12_c8e7d_dd90f364f8f3c643df9fc97d3413d866.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_session_timeout  5m;

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate
/var/cpanel/ssl/installed/cabundles/cPanel_Inc__681917bfb43af6b642178607e0b36ccc_1747526399.cabundle;
resolver 213.186.33.99 80.20.9.50 8.8.4.4 valid=300s;
resolver_timeout 5s;

server_name  22b-pit.com mail.22b-pit.com www.22b-pit.com;

access_log /usr/local/apache/domlogs/22b-pit.com-bytes_log bytes_log
buffer=32k flush=5m;






add_header X-Frame-Options SAMEORIGIN;



add_header X-XSS-Protection "1; mode=block";


include /etc/nginx/conf.d/brotli.conf;





# Allow "Well-Known URIs" as per RFC 5785
location ~* ^/.well-known/ {
allow all;
}
# Allow "Well-Known URIs" as per RFC 5785
# Include NAXSI settings
location ^~ /NaxsiRequestDenied {
return 418;
}
# End Include NAXSI settings
# Include any applications in subdirectory

# End Include any applications in subdirectory
include /etc/nginx/sites-enabled/22b-pit.com.manualconfig*;
include /etc/nginx/sites-enabled/22b-pit.com.include;

}


#Proxy to cPanel Apache httpd service
root /home/fit3b/public_html;
access_log off;

location / {
	if ($bad_referer = 1) {
    rewrite ^(.*) https://www.filters.com/banspam/spam_traffic.html
permanent;
    }
	if ($bad_bot = 1) {
	rewrite ^(.*) https://www.filters.com/banspam/badbot.html permanent;
	}
	if ($denied) {
    rewrite ^(.*) https://www.filters.com/banspam/denied.html permanent;
    }
	if ($scanners = 1) {
    rewrite ^(.*) https://www.filters.com/banspam/scanners.html permanent;
    }
	if ($allowed_country = no) {
    rewrite ^(.*) https://www.filters.com/banspam/country.html permanent;
    }
	if ($not_allowed_method) {
    rewrite ^(.*) https://www.filters.com/banspam/not_allowed.html
permanent;
    }
	limit_conn PERIP 250;
	limit_conn PERSERVER 1000;
	
	proxy_send_timeout         900;
   	proxy_read_timeout 		   900;
	proxy_buffer_size          128k;
	proxy_buffers              4 256k;
	proxy_busy_buffers_size    256k;
	proxy_temp_file_write_size 256k;
   	proxy_connect_timeout      300s;

    
	proxy_pass   $scheme://11.0.5.21:$cpport;
	proxy_ssl_session_reuse on;
	proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	proxy_ssl_ciphers   HIGH:!aNULL:!MD5;
	
	proxy_http_version 1.1;
	proxy_set_header Connection "";
	proxy_set_header   Host   $host;
	proxy_set_header   X-Real-IP  $remote_addr;
	proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header   X-Forwarded-Proto $scheme;
	proxy_set_header   X-Scheme $scheme;
	proxy_set_header   Proxy "";
	proxy_redirect     off;
	}    

location ~
^/(\.?!well-known|error_log|up\.php|CONTRIBUTING\.md|README\.md|LICENSES|readme\.html|readme\.txt|license\.txt|license\.html|wp-config\.php|xmlrpc\.php|config\.php|configure\.php|configuration\.php|testproxy\.php|sql|mySqlDumper|msd|jmx-console|jenkins|sys_cpanel|phpMyAdmin|sqlite|mysql|SQlite|sqlitemanager|SQLiteManager)
{
    deny all;
    return 444;	
    }

location = /wp-login.php {
	if ($denied) {
    return 444;
    }
	if ($bad_referer = 1) {
    return 410;
    }
	if ($bad_bot = 1) {
	return 444;
	}
	if ($scanners = 1) {
    return 444;
    }
	if ($allowed_country = no) {
    return 444;
    }
	if ($http_user_agent = "") {
	rewrite ^(.*) https://www.filters.com/banspam/badbot.html permanent;
	}
	if ($not_allowed_method) {
    return 405;
    }
    limit_req   zone=one  burst=1 nodelay;
	limit_req_status 429;	
	limit_conn PERIP 3;
	limit_conn PERSERVER 5;
	limit_conn_status 444;
	
	proxy_send_timeout         900;
   	proxy_read_timeout 		   900;
	proxy_buffer_size          128k;
	proxy_buffers              4 256k;
	proxy_busy_buffers_size    256k;
	proxy_temp_file_write_size 256k;
   	proxy_connect_timeout      300s;

    
	proxy_pass   $scheme://11.0.5.21:$cpport;
	proxy_ssl_session_reuse on;
	proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	proxy_ssl_ciphers   HIGH:!aNULL:!MD5;
	
	proxy_http_version 1.1;
	proxy_set_header Connection "";
	proxy_set_header   Host   $host;
	proxy_set_header   X-Real-IP  $remote_addr;
	proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header   X-Forwarded-Proto $scheme;
	proxy_set_header   X-Scheme $scheme;
	proxy_set_header   Proxy "";
	proxy_redirect     off;
	} 
	
location ~ ^/(robots\.txt|sitemap\.xml) {
	if ($denied) {
    return 444;
    }
	if ($bad_referer = 1) {
    return 410;
    }
	if ($bad_bot = 1) {
	return 444;
	}
	if ($scanners = 1) {
    return 444;
    }
	if ($allowed_country = no) {
    return 444;
    }
	if ($not_allowed_method) {
    return 405;
    }
    limit_req   zone=two  burst=2;
	limit_conn PERIP 4;
	limit_conn PERSERVER 100;
	
	proxy_send_timeout         900;
   	proxy_read_timeout 		   900;
	proxy_buffer_size          128k;
	proxy_buffers              4 256k;
	proxy_busy_buffers_size    256k;
	proxy_temp_file_write_size 256k;
   	proxy_connect_timeout      300s;

    
	proxy_pass   $scheme://11.0.5.21:$cpport;
	proxy_ssl_session_reuse on;
	proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	proxy_ssl_ciphers   HIGH:!aNULL:!MD5;
	
	proxy_http_version 1.1;
	proxy_set_header Connection "";
	proxy_set_header   Host   $host;
	proxy_set_header   X-Real-IP  $remote_addr;
	proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header   X-Forwarded-Proto $scheme;
	proxy_set_header   X-Scheme $scheme;
	proxy_redirect     off;
	proxy_cache micro;
    proxy_cache_lock on;
	proxy_cache_min_uses 2;
   	proxy_cache_valid 200 5m;
   	proxy_cache_use_stale updating;
	proxy_set_header   Proxy "";
	proxy_set_header Accept-Encoding "";
	} 
  
location /modules/sendtoafriend/ {
    deny all;   
    return 444;	
    }
	
location ~ ^/(search) {
	if ($denied) {
    return 444;
    }
	if ($bad_referer = 1) {
    return 410;
    }
	if ($bad_bot = 1) {
	return 444;
	}
	if ($scanners = 1) {
    return 444;
    }
	if ($allowed_country = no) {
    return 444;
    }
	if ($http_user_agent = "") {
	rewrite ^(.*) https://www.filters.com/banspam/badbot.html permanent;
	}
	if ($not_allowed_method) {
    return 405;
    }
	limit_conn PERIP 35;
	limit_conn PERSERVER 100;
	
	proxy_send_timeout         900;
   	proxy_read_timeout 		   900;
	proxy_buffer_size          128k;
	proxy_buffers              4 256k;
	proxy_busy_buffers_size    256k;
	proxy_temp_file_write_size 256k;
   	proxy_connect_timeout      300s;

    
	proxy_pass   $scheme://11.0.5.21:$cpport;
	proxy_ssl_session_reuse on;
	proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	proxy_ssl_ciphers   HIGH:!aNULL:!MD5;
	
	proxy_http_version 1.1;
	proxy_set_header Connection "";
	proxy_set_header   Host   $host;
	proxy_set_header   X-Real-IP  $remote_addr;
	proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header   X-Forwarded-Proto $scheme;
	proxy_set_header   X-Scheme $scheme;
	proxy_set_header   Proxy "";
	proxy_redirect     off;
	} 
	
location ~ ^/(login|order) {	
	if ($denied) {
    return 444;
    }
	if ($bad_referer = 1) {
    return 410;
    }
	if ($bad_bot = 1) {
	return 444;
	}
	if ($scanners = 1) {
    return 444;
    }
	if ($allowed_country = no) {
    return 444;
    }
	if ($http_user_agent = "") {
	rewrite ^(.*) https://www.filters.com/banspam/badbot.html permanent;
	}
	if ($not_allowed_method) {
    return 405;
    }
	limit_req zone=two burst=5;
	limit_conn PERIP 12;
	limit_conn PERSERVERLOGIN 25;
	
	proxy_send_timeout         900;
   	proxy_read_timeout 		   900;
	proxy_buffer_size          128k;
	proxy_buffers              4 256k;
	proxy_busy_buffers_size    256k;
	proxy_temp_file_write_size 256k;
   	proxy_connect_timeout      300s;

    
	proxy_pass   $scheme://11.0.5.21:$cpport;
	proxy_ssl_session_reuse on;
	proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	proxy_ssl_ciphers   HIGH:!aNULL:!MD5;
	
	proxy_http_version 1.1;
	proxy_set_header Connection "";
	proxy_set_header   Host   $host;
	proxy_set_header   X-Real-IP  $remote_addr;
	proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header   X-Forwarded-Proto $scheme;
	proxy_set_header   X-Scheme $scheme;
	proxy_set_header   Proxy "";
	proxy_redirect     off;
	} 
	
## Block SQL injections
    set $block_sql_injections 0;
    if ($query_string ~ "union.*select.*\(") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "union.*all.*select.*") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "concat.*\(") {
        set $block_sql_injections 1;
    }
    if ($block_sql_injections = 1) {
        return 520;
    }

    ## Block file injections
    set $block_file_injections 0;
    if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
        set $block_file_injections 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
        set $block_file_injections 1;
    }
    if ($block_file_injections = 1) {
        return 520;
    }

    ## Block common exploits
    set $block_common_exploits 0;
    if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "base64_(en|de)code\(.*\)") {
        set $block_common_exploits 1;
    }
    if ($block_common_exploits = 1) {
        return 520;   
	}	
###############################################

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273274,273469#msg-273469


From ajaygargnsit at gmail.com  Fri Apr  7 13:45:51 2017
From: ajaygargnsit at gmail.com (Ajay Garg)
Date: Fri, 7 Apr 2017 19:15:51 +0530
Subject: Login-Credentials based redirection?
Message-ID: <CAHP4M8VPoCHHknKWbQqSshZZY_EOS6L64kHrLaCSOX7u49GN6Q@mail.gmail.com>

Hi All.

We have setup multiple ssh-reverse tunnels, and our server will be
listening to ports from 9000 to 10000.
The server will have a public-IP, and we DO NOT want just anyone to look
into any of the ports by trying ::

http://1.2.3.4:9000
http://1.2.3.4:9001 and so on ...


So, we are wondering if we can do something like this ::


1. User types in a URL, let's say https://1.2.3.4/index.html
2. The user gets presented with a login/password page.
3. Depending upon the credentials passed, the user gets "proxied" to the
appropriate end-url.

So, a user with credentials for port 9000 will ONLY be able to see
http://1.2.3.4:9000
A user with credentials for port 9001 will ONLY be able to see
http://1.2.3.4:9001, and so on ..

An important point to note that the URLs http://1.2.3.4:9000,
http://1.2.3.4:9001 must be not be directly accessible, else it defeats the
purpose of authentication at first place.

Is the above approach feasible logically and technically-via-nginx?


Will be grateful for pointers.


Thanks and Regards,
Ajay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170407/44155217/attachment.html>

From ceecko at gmail.com  Fri Apr  7 15:07:58 2017
From: ceecko at gmail.com (Michal Kralik)
Date: Fri, 7 Apr 2017 17:07:58 +0200
Subject: 99.999% my config works - then default_server is used
In-Reply-To: <20170406215056.GH79252@lo0.su>
References: <CAGVfq3FOu1xaGRwD7E9zO0+sYiC7T5D5TBx5c6eSn9Ch7fDzkw@mail.gmail.com>
 <20170406215056.GH79252@lo0.su>
Message-ID: <CAGVfq3HgpHUcY24usXD2zLB=9pbgcniVOT1MBScvPag0xRMn5g@mail.gmail.com>

Hi Ruslan,

Thank you for your answer. This makes complete sense and is the reason why
this was happening.
It didn't occur to me before asking the question - thank you for your help!

On Thu, Apr 6, 2017 at 11:50 PM, Ruslan Ermilov <ru at nginx.com> wrote:

> On Thu, Apr 06, 2017 at 11:18:02PM +0200, Michal Kralik wrote:
> > Hi,
> >
> > We're facing super strange issues with nginx 1.10.3 (CentOS 7,
> > 3.10.0-327.36.3.el7.x86_64). Our config works ok, we get a lot of
> traffic,
> > but every day a couple of requests (5-10) don't get processes correctly
> by
> > a server directive with the defined server_name, but rather by a server
> > directive with listen's "default_server". Here's the config
> > https://paste.ngx.cc/29345124359e0447
> >
> > Most of the time a request to 01.app.example.com gets processed
> correctly,
> > but every day a couple of requests get processed by the server directive
> > from file conf.d/01-default.conf. There's nothing in the nginx system
> logs
> > around the time when this issue happens.
> >
> > The access.log from the default_server shows this
> > (/data/logs/nginx/access.log):
> > 1.1.1.1 - - [06/Apr/2017:12:20:57 +0000] "01.app.example.com" "GET
> > /robots.txt HTTP/1.1" 302 161 "-" "Mozilla/5.0 (compatible;
> Googlebot/2.1; +
> > http://www.google.com/bot.html)" "-"
> >
> > It's clearly a redirect processed by the default_server, but the request
> > should be rather processed by server directive in conf.d/02-apps.conf
> > because the host header clearly states "01.app.example.com".
> >
> > Any ideas what's going on?
>
> Given the provided configuration snippet, this should happen
> with all HTTPS requests to 01.app.example.com.
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170407/3a38b0b3/attachment.html>

From ajaygargnsit at gmail.com  Fri Apr  7 15:41:56 2017
From: ajaygargnsit at gmail.com (Ajay Garg)
Date: Fri, 7 Apr 2017 21:11:56 +0530
Subject: Login-Credentials based redirection?
In-Reply-To: <CAHP4M8VPoCHHknKWbQqSshZZY_EOS6L64kHrLaCSOX7u49GN6Q@mail.gmail.com>
References: <CAHP4M8VPoCHHknKWbQqSshZZY_EOS6L64kHrLaCSOX7u49GN6Q@mail.gmail.com>
Message-ID: <CAHP4M8WDYUizHk0KibijCNG4pbqcNFgS8Cbw-E9S80u+g34mYw@mail.gmail.com>

I have been searching if it is possible to do a one-to-one mapping,
something like ::

location /9000
{
    auth_basic
    auth_value username9000:password9000
    proxy_pass http://localhost:9000
}

location /9001
{
    auth_basic
    auth_value username9002:password9002
    proxy_pass http://localhost:9001
}

Also, ports 9000, 9001 will be firewalled from the public.


Above will ensure that someone wanting to get access to say port 9000, will
have to come via http://1.2.3.4/9000. and must know the credentials
username9000:password9000

Do I make sense?
If yes, can someone please point me out as to how to specify
username:password on the URL basis.


Thanks and Regards,
Ajay

On Fri, Apr 7, 2017 at 7:15 PM, Ajay Garg <ajaygargnsit at gmail.com> wrote:

> Hi All.
>
> We have setup multiple ssh-reverse tunnels, and our server will be
> listening to ports from 9000 to 10000.
> The server will have a public-IP, and we DO NOT want just anyone to look
> into any of the ports by trying ::
>
> http://1.2.3.4:9000
> http://1.2.3.4:9001 and so on ...
>
>
> So, we are wondering if we can do something like this ::
>
>
> 1. User types in a URL, let's say https://1.2.3.4/index.html
> 2. The user gets presented with a login/password page.
> 3. Depending upon the credentials passed, the user gets "proxied" to the
> appropriate end-url.
>
> So, a user with credentials for port 9000 will ONLY be able to see
> http://1.2.3.4:9000
> A user with credentials for port 9001 will ONLY be able to see
> http://1.2.3.4:9001, and so on ..
>
> An important point to note that the URLs http://1.2.3.4:9000,
> http://1.2.3.4:9001 must be not be directly accessible, else it defeats
> the purpose of authentication at first place.
>
> Is the above approach feasible logically and technically-via-nginx?
>
>
> Will be grateful for pointers.
>
>
> Thanks and Regards,
> Ajay
>



-- 
Regards,
Ajay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170407/705a8054/attachment.html>

From nginx-forum at forum.nginx.org  Fri Apr  7 15:53:39 2017
From: nginx-forum at forum.nginx.org (sachin.shetty@gmail.com)
Date: Fri, 07 Apr 2017 11:53:39 -0400
Subject: Checking multiple caches before forwarding request to upstream
In-Reply-To: <20170406145357.GT13617@mdounin.ru>
References: <20170406145357.GT13617@mdounin.ru>
Message-ID: <3be4e7d923b1ca773a68e14739df31a3.NginxMailingListEnglish@forum.nginx.org>

Hi Maxim,

I found one way to make this work using lua to set the cache name. It seems
to be working ok, all my tests passed. 

""" Lua Script 
local resty_md5 = require "resty.md5"
local str = require "resty.string"
local md5 = resty_md5:new();
local posix = require("posix")
local days_30 = 1000 * 60 * 60 * 24 * 30
local days_90 = days_30 * 3

file_exists = function(path)
	file_stat = posix.stat(path);
	if file_stat == nil or file_stat.type ~= 'regular' then
		ngx.log(ngx.ERR, "file does not exists: ", path)
		return false
	end
	ngx.log(ngx.ERR, "file exists: ", path)
	return true;
end

pick_cache = function(last_modified)
	local now = ngx.now()
	if now - last_modified < days_30 then
		return "cache_recent"
	elseif now - last_modified < days_90 then
		return "cache_midterm"
	else
		return "cache_longterm"
	end
end



md5:update(ngx.var.request_uri)
local digest = md5:final()
local md5_str = str.to_hex(digest)
ngx.log(ngx.ERR, "md5: ", md5_str)

local cache_dirs = {
	"../cache_recent",
	"../cache_midterm",
	"../cache_longterm",
}

local file_name = string.sub(md5_str, -1) .. "/" .. string.sub(md5_str, -3,
-2)   .. "/" .. md5_str

for cache_count = 1, #cache_dirs do
	if file_exists(cache_dirs[cache_count] .. '/' .. file_name) then
		cache_name = string.gsub(cache_dirs[cache_count], ".*/", "")
		return cache_name
	end
end

--return pick_cache(ngx.now() - 10) -- from request header
--return pick_cache(ngx.now() - days_30) --  from request header
return pick_cache(ngx.now() - days_90) --  from request header
"""

Nginx conf:
set_by_lua_file $cache_name conf/cache_picker.lua;
proxy_cache $cache_name;

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273446,273473#msg-273473


From reallfqq-nginx at yahoo.fr  Fri Apr  7 17:33:37 2017
From: reallfqq-nginx at yahoo.fr (B.R.)
Date: Fri, 7 Apr 2017 19:33:37 +0200
Subject: Login-Credentials based redirection?
In-Reply-To: <CAHP4M8WDYUizHk0KibijCNG4pbqcNFgS8Cbw-E9S80u+g34mYw@mail.gmail.com>
References: <CAHP4M8VPoCHHknKWbQqSshZZY_EOS6L64kHrLaCSOX7u49GN6Q@mail.gmail.com>
 <CAHP4M8WDYUizHk0KibijCNG4pbqcNFgS8Cbw-E9S80u+g34mYw@mail.gmail.com>
Message-ID: <CALqce=2i+Gz4SxT9NO5NtM61nA2Sz5hEKLkhOfLrktnMO9FYpg@mail.gmail.com>

You could use a map to match proxy_pass URI to user names, and then use a
single password file for the auth_basic module.
?This removes the need of having specific location URI for each user,
although you could still keep doing it if they are part of your
requirements.
---
*B. R.*

On Fri, Apr 7, 2017 at 5:41 PM, Ajay Garg <ajaygargnsit at gmail.com> wrote:

> I have been searching if it is possible to do a one-to-one mapping,
> something like ::
>
> location /9000
> {
>     auth_basic
>     auth_value username9000:password9000
>     proxy_pass http://localhost:9000
> }
>
> location /9001
> {
>     auth_basic
>     auth_value username9002:password9002
>     proxy_pass http://localhost:9001
> }
>
> Also, ports 9000, 9001 will be firewalled from the public.
>
>
> Above will ensure that someone wanting to get access to say port 9000,
> will have to come via http://1.2.3.4/9000. and must know the credentials
> username9000:password9000
>
> Do I make sense?
> If yes, can someone please point me out as to how to specify
> username:password on the URL basis.
>
>
> Thanks and Regards,
> Ajay
>
> On Fri, Apr 7, 2017 at 7:15 PM, Ajay Garg <ajaygargnsit at gmail.com> wrote:
>
>> Hi All.
>>
>> We have setup multiple ssh-reverse tunnels, and our server will be
>> listening to ports from 9000 to 10000.
>> The server will have a public-IP, and we DO NOT want just anyone to look
>> into any of the ports by trying ::
>>
>> http://1.2.3.4:9000
>> http://1.2.3.4:9001 and so on ...
>>
>>
>> So, we are wondering if we can do something like this ::
>>
>>
>> 1. User types in a URL, let's say https://1.2.3.4/index.html
>> 2. The user gets presented with a login/password page.
>> 3. Depending upon the credentials passed, the user gets "proxied" to the
>> appropriate end-url.
>>
>> So, a user with credentials for port 9000 will ONLY be able to see
>> http://1.2.3.4:9000
>> A user with credentials for port 9001 will ONLY be able to see
>> http://1.2.3.4:9001, and so on ..
>>
>> An important point to note that the URLs http://1.2.3.4:9000,
>> http://1.2.3.4:9001 must be not be directly accessible, else it defeats
>> the purpose of authentication at first place.
>>
>> Is the above approach feasible logically and technically-via-nginx?
>>
>>
>> Will be grateful for pointers.
>>
>>
>> Thanks and Regards,
>> Ajay
>>
>
>
>
> --
> Regards,
> Ajay
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170407/21a816e5/attachment-0001.html>

From larry.martell at gmail.com  Fri Apr  7 18:53:13 2017
From: larry.martell at gmail.com (Larry Martell)
Date: Fri, 7 Apr 2017 14:53:13 -0400
Subject: threads don't run after request returns?
Message-ID: <CACwCsY6rcyAG=WHyA4W1Z4KgrD7QypOQO6wsd9WfzC3T5Kz5sQ@mail.gmail.com>

I have a django app that I serve with nginx. Some requests that the
app receives start python threads that are not complete when the
request returns a response to the client. When I run with the django
devel server the threads continue to run to completion. But when I run
with nginx it seems that the threads terminate when the response is
sent. Would that be expected or is there something else going on? If
that is expected, is there a way I can get around this?

From larry.martell at gmail.com  Fri Apr  7 19:17:08 2017
From: larry.martell at gmail.com (Larry Martell)
Date: Fri, 7 Apr 2017 15:17:08 -0400
Subject: threads don't run after request returns?
In-Reply-To: <CACwCsY6rcyAG=WHyA4W1Z4KgrD7QypOQO6wsd9WfzC3T5Kz5sQ@mail.gmail.com>
References: <CACwCsY6rcyAG=WHyA4W1Z4KgrD7QypOQO6wsd9WfzC3T5Kz5sQ@mail.gmail.com>
Message-ID: <CACwCsY7HvwhsTOF53r3sduaPfZ_4mX5gfYLuNnKz_1CXyvMtnw@mail.gmail.com>

On Fri, Apr 7, 2017 at 2:53 PM, Larry Martell <larry.martell at gmail.com> wrote:
> I have a django app that I serve with nginx. Some requests that the
> app receives start python threads that are not complete when the
> request returns a response to the client. When I run with the django
> devel server the threads continue to run to completion. But when I run
> with nginx it seems that the threads terminate when the response is
> sent. Would that be expected or is there something else going on? If
> that is expected, is there a way I can get around this?

I have a bit more info on this ... the server was in the state where
it seemed the threads were no longer running and then I restarted
uwsgi and then the threads ran to completion! So now I am very
confused - they clearly were still around, but seeming in some blocked
state and they were able to resume when uwsgi restarted. Can anyone
shed any light on what is going on? Or should I post on the uwsgi
list?

From al-nginx at none.at  Fri Apr  7 23:42:05 2017
From: al-nginx at none.at (Aleksandar Lazic)
Date: Sat, 08 Apr 2017 01:42:05 +0200
Subject: Configuring a subnet in an upstream server
In-Reply-To: <CAEU5HDYbW150N+bu2EG8_QrdjRQVV40fsQmDQp_3b-P7hnZXvg@mail.gmail.com>
References: <CAEU5HDagpe=p2+TUpCo7Z1avpN2F7eF5iX1pTArufYinuR2=Uw@mail.gmail.com>
 <CALqce=1zf5553tBju7ph9WxbP7o2d0NHyeoJu15ud8BGpKRA5g@mail.gmail.com>
 <CAEU5HDYbW150N+bu2EG8_QrdjRQVV40fsQmDQp_3b-P7hnZXvg@mail.gmail.com>
Message-ID: <b42bf7df3c1229a1f3a902220792e6d6@none.at>

Am 03-04-2017 18:09, schrieb Dynastic Space:

> I used a poor example.
> The functionality I was interested in was adding a range of application 
> servers, all part of the same domain.

I think you have the following options.

.) or list every app server in the upstream block 
http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream
.) DNS rr with resolver 
http://nginx.org/en/docs/http/ngx_http_core_module.html#resolver
.) in the commercial version is also a service=name and resolve possible 
http://nginx.org/en/docs/http/ngx_http_upstream_module.html#server

You can also use a script which creates from 192.168.0.0/16 a server 
line for the upstream and include it into the nginx.conf

You can add in the log format the upstream address to see to which app 
server the request was forwarded.
http://nginx.org/en/docs/http/ngx_http_upstream_module.html#variables

Regards
Aleks

> D
> 
> On Mon, Apr 3, 2017 at 11:04 AM, B.R. via nginx <nginx at nginx.org> 
> wrote:
> 
> What would be the meaning of that?
> 
> How do you route traffic to 192.168.0.0? Do you really want to send 
> requests to 192.168.255.255?
> How would you handle requests sent to some servers (but not all) if 
> some are not responsive?
> 
> I suspect what you want to use is dynamic IP addresses for your 
> backends. Good news: you can use domain names.
> 
> ---
> B. R.
> 
> On Sun, Apr 2, 2017 at 8:42 AM, Dynastic Space 
> <dynasticspace at gmail.com> wrote:
> 
> Is it possible to configure a collection of servers using subnet 
> notation in the upstream server knob? e.g. server 192.168.0.0/16.
> 
> Thanks,
> 
> Dynastic _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

_______________________________________________
nginx mailing list
nginx at nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

From fam6837 at gmail.com  Sat Apr  8 07:46:57 2017
From: fam6837 at gmail.com (Musta Fa)
Date: Sat, 8 Apr 2017 08:46:57 +0100
Subject: custom ip address on port 80 not listening
Message-ID: <CAAL+Fe-kT-90M1OWsMXFDsc1z_BKNhyW5gihbqcdc0KasJU1mQ@mail.gmail.com>

nginx/1.11.13


i have 4 server IPs, all registered in network interface
and many domains and apps, also on different ports.

all other ports are ok:
custom_ip1:443, custom_ip1:5000, custom_ip1:81
custom_ip2:443, custom_ip2:5000, custom_ip2:81
custom_ip3:443, custom_ip3:5000, custom_ip3:81

but i can not make it listen on custom_ip:80
port 80 is always 0.0.0.0:80

cd /etc/nginx
grep listen -r *
only "listen custom_ip:80;"

why is that??
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170408/a29edb8e/attachment.html>

From francis at daoine.org  Sat Apr  8 08:37:24 2017
From: francis at daoine.org (Francis Daly)
Date: Sat, 8 Apr 2017 09:37:24 +0100
Subject: custom ip address on port 80 not listening
In-Reply-To: <CAAL+Fe-kT-90M1OWsMXFDsc1z_BKNhyW5gihbqcdc0KasJU1mQ@mail.gmail.com>
References: <CAAL+Fe-kT-90M1OWsMXFDsc1z_BKNhyW5gihbqcdc0KasJU1mQ@mail.gmail.com>
Message-ID: <20170408083724.GI3428@daoine.org>

On Sat, Apr 08, 2017 at 08:46:57AM +0100, Musta Fa wrote:

Hi there,

> but i can not make it listen on custom_ip:80
> port 80 is always 0.0.0.0:80
> 
> cd /etc/nginx
> grep listen -r *
> only "listen custom_ip:80;"
> 
> why is that??

Any server{} without an explicit "listen" has an implicit "listen *:80"
when you run as root.

Does

  nginx -T | grep -n 'server\|listen'

show any obvious candidates?

	f
-- 
Francis Daly        francis at daoine.org

From ajaygargnsit at gmail.com  Sat Apr  8 13:09:59 2017
From: ajaygargnsit at gmail.com (Ajay Garg)
Date: Sat, 8 Apr 2017 18:39:59 +0530
Subject: URL-Rewriting not working
Message-ID: <CAHP4M8U8-wgTTRYsG2BVydjK6no37Sn+wP+yU1tSeKQoiS7M=g@mail.gmail.com>

Hi All.

When I setup the following, the authentication+proxying works perfect, with
the url changing from http://1.2.3.4:2001 to
http://1.2.3.4:2001/cgi-bin/webproc, and the proxied0server opening up
perfectly.

############################################################################
server {
        listen 2001;
        location / {

                        auth_basic 'Restricted';
                        auth_basic_user_file
/home/2819163155b64c4c81f8608aa23c9faa/.htpasswd;
                        proxy_pass http://127.0.0.1:2000;
                }
        }
#############################################################################



However, I am not able to do the proxying if I perform url-rewriting.
Nothing of the following works ::

a)
############################################################################
server {
        listen 2001;
        location /78 {

                        auth_basic 'Restricted';
                        auth_basic_user_file
/home/2819163155b64c4c81f8608aa23c9faa/.htpasswd;
                        proxy_pass http://127.0.0.1:2000;
                }
        }
############################################################################

No URL change happens, and 404 (illegal-file-access) is obtained.


b)
############################################################################
server {
        listen 2001;
        location /78 {

                        auth_basic 'Restricted';
                        auth_basic_user_file
/home/2819163155b64c4c81f8608aa23c9faa/.htpasswd;
                        proxy_pass http://127.0.0.1:2000/;
                }
        }
############################################################################

No URL change happens, and 404 (illegal-file-access) is obtained.


c)
############################################################################
server {
        listen 2001;
        location /78/ {

                        auth_basic 'Restricted';
                        auth_basic_user_file
/home/2819163155b64c4c81f8608aa23c9faa/.htpasswd;
                        proxy_pass http://127.0.0.1:2000/;
                }
        }
############################################################################

The URL does changes from http://1.2.3.4:2001/78 to
http://1.2.3.4:2001/cgi-bin/webproc, but a 404 is obtained.


d)
############################################################################
server {
        listen 2001;
        location /78/ {

                        auth_basic 'Restricted';
                        auth_basic_user_file
/home/2819163155b64c4c81f8608aa23c9faa/.htpasswd;
                        proxy_pass http://127.0.0.1:2000;
                }
        }
############################################################################

No URL change happens, and 404 (illegal-file-access) is obtained.


So, I guess c) is the closest to doing a url-rewrite, but I wonder why am I
getting a 404, even though the URL-change is perfect.


Any ideas please?


Thanks and Regards,
Ajay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170408/25addbc5/attachment.html>

From anoopalias01 at gmail.com  Sat Apr  8 13:19:41 2017
From: anoopalias01 at gmail.com (Anoop Alias)
Date: Sat, 8 Apr 2017 18:49:41 +0530
Subject: URL-Rewriting not working
In-Reply-To: <CAHP4M8U8-wgTTRYsG2BVydjK6no37Sn+wP+yU1tSeKQoiS7M=g@mail.gmail.com>
References: <CAHP4M8U8-wgTTRYsG2BVydjK6no37Sn+wP+yU1tSeKQoiS7M=g@mail.gmail.com>
Message-ID: <CAO6TEX2hpqT_QESVjN5Op=JNyN27AmZ=z+wWZDYt3EwToDg+sg@mail.gmail.com>

I think you are confusing between url-rewrite and location

On Sat, Apr 8, 2017 at 6:39 PM, Ajay Garg <ajaygargnsit at gmail.com> wrote:

> Hi All.
>
> When I setup the following, the authentication+proxying works perfect,
> with the url changing from http://1.2.3.4:2001 to
> http://1.2.3.4:2001/cgi-bin/webproc, and the proxied0server opening up
> perfectly.
>
> ############################################################
> ################
> server {
>         listen 2001;
>         location / {
>
>                         auth_basic 'Restricted';
>                         auth_basic_user_file /home/
> 2819163155b64c4c81f8608aa23c9faa/.htpasswd;
>                         proxy_pass http://127.0.0.1:2000;
>                 }
>         }
> ############################################################
> #################
>
>
>
> However, I am not able to do the proxying if I perform url-rewriting.
> Nothing of the following works ::
>
> a)
> ############################################################
> ################
> server {
>         listen 2001;
>         location /78 {
>
>                         auth_basic 'Restricted';
>                         auth_basic_user_file /home/
> 2819163155b64c4c81f8608aa23c9faa/.htpasswd;
>                         proxy_pass http://127.0.0.1:2000;
>                 }
>         }
> ############################################################
> ################
>
> No URL change happens, and 404 (illegal-file-access) is obtained.
>
>
> b)
> ############################################################
> ################
> server {
>         listen 2001;
>         location /78 {
>
>                         auth_basic 'Restricted';
>                         auth_basic_user_file /home/
> 2819163155b64c4c81f8608aa23c9faa/.htpasswd;
>                         proxy_pass http://127.0.0.1:2000/;
>                 }
>         }
> ############################################################
> ################
>
> No URL change happens, and 404 (illegal-file-access) is obtained.
>
>
> c)
> ############################################################
> ################
> server {
>         listen 2001;
>         location /78/ {
>
>                         auth_basic 'Restricted';
>                         auth_basic_user_file /home/
> 2819163155b64c4c81f8608aa23c9faa/.htpasswd;
>                         proxy_pass http://127.0.0.1:2000/;
>                 }
>         }
> ############################################################
> ################
>
> The URL does changes from http://1.2.3.4:2001/78 to
> http://1.2.3.4:2001/cgi-bin/webproc, but a 404 is obtained.
>
>
> d)
> ############################################################
> ################
> server {
>         listen 2001;
>         location /78/ {
>
>                         auth_basic 'Restricted';
>                         auth_basic_user_file /home/
> 2819163155b64c4c81f8608aa23c9faa/.htpasswd;
>                         proxy_pass http://127.0.0.1:2000;
>                 }
>         }
> ############################################################
> ################
>
> No URL change happens, and 404 (illegal-file-access) is obtained.
>
>
> So, I guess c) is the closest to doing a url-rewrite, but I wonder why am
> I getting a 404, even though the URL-change is perfect.
>
>
> Any ideas please?
>
>
> Thanks and Regards,
> Ajay
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>



-- 
*Anoop P Alias*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170408/d3cdf461/attachment.html>

From ajaygargnsit at gmail.com  Sat Apr  8 13:24:16 2017
From: ajaygargnsit at gmail.com (Ajay Garg)
Date: Sat, 8 Apr 2017 18:54:16 +0530
Subject: URL-Rewriting not working
In-Reply-To: <CAO6TEX2hpqT_QESVjN5Op=JNyN27AmZ=z+wWZDYt3EwToDg+sg@mail.gmail.com>
References: <CAHP4M8U8-wgTTRYsG2BVydjK6no37Sn+wP+yU1tSeKQoiS7M=g@mail.gmail.com>
 <CAO6TEX2hpqT_QESVjN5Op=JNyN27AmZ=z+wWZDYt3EwToDg+sg@mail.gmail.com>
Message-ID: <CAHP4M8U9nRm_3=HXZUP=o8J+d8=OhOWuULD0bwLD3QYcwypNxA@mail.gmail.com>

Hi Anoop.

As per
http://serverfault.com/questions/379675/nginx-reverse-proxy-url-rewrite,
the rewrite should be automatic.
But it does not work for me :(

On Sat, Apr 8, 2017 at 6:49 PM, Anoop Alias <anoopalias01 at gmail.com> wrote:

> I think you are confusing between url-rewrite and location
>
> On Sat, Apr 8, 2017 at 6:39 PM, Ajay Garg <ajaygargnsit at gmail.com> wrote:
>
>> Hi All.
>>
>> When I setup the following, the authentication+proxying works perfect,
>> with the url changing from http://1.2.3.4:2001 to
>> http://1.2.3.4:2001/cgi-bin/webproc, and the proxied0server opening up
>> perfectly.
>>
>> ############################################################
>> ################
>> server {
>>         listen 2001;
>>         location / {
>>
>>                         auth_basic 'Restricted';
>>                         auth_basic_user_file
>> /home/2819163155b64c4c81f8608aa23c9faa/.htpasswd;
>>                         proxy_pass http://127.0.0.1:2000;
>>                 }
>>         }
>> ############################################################
>> #################
>>
>>
>>
>> However, I am not able to do the proxying if I perform url-rewriting.
>> Nothing of the following works ::
>>
>> a)
>> ############################################################
>> ################
>> server {
>>         listen 2001;
>>         location /78 {
>>
>>                         auth_basic 'Restricted';
>>                         auth_basic_user_file
>> /home/2819163155b64c4c81f8608aa23c9faa/.htpasswd;
>>                         proxy_pass http://127.0.0.1:2000;
>>                 }
>>         }
>> ############################################################
>> ################
>>
>> No URL change happens, and 404 (illegal-file-access) is obtained.
>>
>>
>> b)
>> ############################################################
>> ################
>> server {
>>         listen 2001;
>>         location /78 {
>>
>>                         auth_basic 'Restricted';
>>                         auth_basic_user_file
>> /home/2819163155b64c4c81f8608aa23c9faa/.htpasswd;
>>                         proxy_pass http://127.0.0.1:2000/;
>>                 }
>>         }
>> ############################################################
>> ################
>>
>> No URL change happens, and 404 (illegal-file-access) is obtained.
>>
>>
>> c)
>> ############################################################
>> ################
>> server {
>>         listen 2001;
>>         location /78/ {
>>
>>                         auth_basic 'Restricted';
>>                         auth_basic_user_file
>> /home/2819163155b64c4c81f8608aa23c9faa/.htpasswd;
>>                         proxy_pass http://127.0.0.1:2000/;
>>                 }
>>         }
>> ############################################################
>> ################
>>
>> The URL does changes from http://1.2.3.4:2001/78 to
>> http://1.2.3.4:2001/cgi-bin/webproc, but a 404 is obtained.
>>
>>
>> d)
>> ############################################################
>> ################
>> server {
>>         listen 2001;
>>         location /78/ {
>>
>>                         auth_basic 'Restricted';
>>                         auth_basic_user_file
>> /home/2819163155b64c4c81f8608aa23c9faa/.htpasswd;
>>                         proxy_pass http://127.0.0.1:2000;
>>                 }
>>         }
>> ############################################################
>> ################
>>
>> No URL change happens, and 404 (illegal-file-access) is obtained.
>>
>>
>> So, I guess c) is the closest to doing a url-rewrite, but I wonder why am
>> I getting a 404, even though the URL-change is perfect.
>>
>>
>> Any ideas please?
>>
>>
>> Thanks and Regards,
>> Ajay
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
>
> --
> *Anoop P Alias*
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>



-- 
Regards,
Ajay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170408/ef646358/attachment-0001.html>

From anoopalias01 at gmail.com  Sat Apr  8 13:40:33 2017
From: anoopalias01 at gmail.com (Anoop Alias)
Date: Sat, 8 Apr 2017 19:10:33 +0530
Subject: URL-Rewriting not working
In-Reply-To: <CAHP4M8U9nRm_3=HXZUP=o8J+d8=OhOWuULD0bwLD3QYcwypNxA@mail.gmail.com>
References: <CAHP4M8U8-wgTTRYsG2BVydjK6no37Sn+wP+yU1tSeKQoiS7M=g@mail.gmail.com>
 <CAO6TEX2hpqT_QESVjN5Op=JNyN27AmZ=z+wWZDYt3EwToDg+sg@mail.gmail.com>
 <CAHP4M8U9nRm_3=HXZUP=o8J+d8=OhOWuULD0bwLD3QYcwypNxA@mail.gmail.com>
Message-ID: <CAO6TEX3qaAR3orD8PZfBrkqkuC_mcCf7EM1SDFGcmyf+wVjP3g@mail.gmail.com>

The 404 is thrown by whatever is working on port 2000 ;so you can check its
access log and see


On Sat, Apr 8, 2017 at 6:54 PM, Ajay Garg <ajaygargnsit at gmail.com> wrote:

> Hi Anoop.
>
> As per http://serverfault.com/questions/379675/nginx-
> reverse-proxy-url-rewrite, the rewrite should be automatic.
> But it does not work for me :(
>
> On Sat, Apr 8, 2017 at 6:49 PM, Anoop Alias <anoopalias01 at gmail.com>
> wrote:
>
>> I think you are confusing between url-rewrite and location
>>
>> On Sat, Apr 8, 2017 at 6:39 PM, Ajay Garg <ajaygargnsit at gmail.com> wrote:
>>
>>> Hi All.
>>>
>>> When I setup the following, the authentication+proxying works perfect,
>>> with the url changing from http://1.2.3.4:2001 to
>>> http://1.2.3.4:2001/cgi-bin/webproc, and the proxied0server opening up
>>> perfectly.
>>>
>>> ############################################################
>>> ################
>>> server {
>>>         listen 2001;
>>>         location / {
>>>
>>>                         auth_basic 'Restricted';
>>>                         auth_basic_user_file
>>> /home/2819163155b64c4c81f8608aa23c9faa/.htpasswd;
>>>                         proxy_pass http://127.0.0.1:2000;
>>>                 }
>>>         }
>>> ############################################################
>>> #################
>>>
>>>
>>>
>>> However, I am not able to do the proxying if I perform url-rewriting.
>>> Nothing of the following works ::
>>>
>>> a)
>>> ############################################################
>>> ################
>>> server {
>>>         listen 2001;
>>>         location /78 {
>>>
>>>                         auth_basic 'Restricted';
>>>                         auth_basic_user_file
>>> /home/2819163155b64c4c81f8608aa23c9faa/.htpasswd;
>>>                         proxy_pass http://127.0.0.1:2000;
>>>                 }
>>>         }
>>> ############################################################
>>> ################
>>>
>>> No URL change happens, and 404 (illegal-file-access) is obtained.
>>>
>>>
>>> b)
>>> ############################################################
>>> ################
>>> server {
>>>         listen 2001;
>>>         location /78 {
>>>
>>>                         auth_basic 'Restricted';
>>>                         auth_basic_user_file
>>> /home/2819163155b64c4c81f8608aa23c9faa/.htpasswd;
>>>                         proxy_pass http://127.0.0.1:2000/;
>>>                 }
>>>         }
>>> ############################################################
>>> ################
>>>
>>> No URL change happens, and 404 (illegal-file-access) is obtained.
>>>
>>>
>>> c)
>>> ############################################################
>>> ################
>>> server {
>>>         listen 2001;
>>>         location /78/ {
>>>
>>>                         auth_basic 'Restricted';
>>>                         auth_basic_user_file
>>> /home/2819163155b64c4c81f8608aa23c9faa/.htpasswd;
>>>                         proxy_pass http://127.0.0.1:2000/;
>>>                 }
>>>         }
>>> ############################################################
>>> ################
>>>
>>> The URL does changes from http://1.2.3.4:2001/78 to
>>> http://1.2.3.4:2001/cgi-bin/webproc, but a 404 is obtained.
>>>
>>>
>>> d)
>>> ############################################################
>>> ################
>>> server {
>>>         listen 2001;
>>>         location /78/ {
>>>
>>>                         auth_basic 'Restricted';
>>>                         auth_basic_user_file
>>> /home/2819163155b64c4c81f8608aa23c9faa/.htpasswd;
>>>                         proxy_pass http://127.0.0.1:2000;
>>>                 }
>>>         }
>>> ############################################################
>>> ################
>>>
>>> No URL change happens, and 404 (illegal-file-access) is obtained.
>>>
>>>
>>> So, I guess c) is the closest to doing a url-rewrite, but I wonder why
>>> am I getting a 404, even though the URL-change is perfect.
>>>
>>>
>>> Any ideas please?
>>>
>>>
>>> Thanks and Regards,
>>> Ajay
>>>
>>> _______________________________________________
>>> nginx mailing list
>>> nginx at nginx.org
>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>
>>
>>
>>
>> --
>> *Anoop P Alias*
>>
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
>
> --
> Regards,
> Ajay
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>



-- 
*Anoop P Alias*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170408/96c692c9/attachment.html>

From ajaygargnsit at gmail.com  Sat Apr  8 13:44:33 2017
From: ajaygargnsit at gmail.com (Ajay Garg)
Date: Sat, 8 Apr 2017 19:14:33 +0530
Subject: URL-Rewriting not working
In-Reply-To: <CAO6TEX3qaAR3orD8PZfBrkqkuC_mcCf7EM1SDFGcmyf+wVjP3g@mail.gmail.com>
References: <CAHP4M8U8-wgTTRYsG2BVydjK6no37Sn+wP+yU1tSeKQoiS7M=g@mail.gmail.com>
 <CAO6TEX2hpqT_QESVjN5Op=JNyN27AmZ=z+wWZDYt3EwToDg+sg@mail.gmail.com>
 <CAHP4M8U9nRm_3=HXZUP=o8J+d8=OhOWuULD0bwLD3QYcwypNxA@mail.gmail.com>
 <CAO6TEX3qaAR3orD8PZfBrkqkuC_mcCf7EM1SDFGcmyf+wVjP3g@mail.gmail.com>
Message-ID: <CAHP4M8XfoVMNtcsOREtQXhU=2TCLggo9Xc1ZWB=WbwPNVLgpRQ@mail.gmail.com>

The same thing works if I put "/" in the location.
The URL-change is the same, and things work seamlessly.

It is definitely something that I am missing while specifying a location
other than "/", that is causing incomplete proxying under the hood.

On Sat, Apr 8, 2017 at 7:10 PM, Anoop Alias <anoopalias01 at gmail.com> wrote:

> The 404 is thrown by whatever is working on port 2000 ;so you can check
> its access log and see
>
>
> On Sat, Apr 8, 2017 at 6:54 PM, Ajay Garg <ajaygargnsit at gmail.com> wrote:
>
>> Hi Anoop.
>>
>> As per http://serverfault.com/questions/379675/nginx-reverse-proxy-
>> url-rewrite, the rewrite should be automatic.
>> But it does not work for me :(
>>
>> On Sat, Apr 8, 2017 at 6:49 PM, Anoop Alias <anoopalias01 at gmail.com>
>> wrote:
>>
>>> I think you are confusing between url-rewrite and location
>>>
>>> On Sat, Apr 8, 2017 at 6:39 PM, Ajay Garg <ajaygargnsit at gmail.com>
>>> wrote:
>>>
>>>> Hi All.
>>>>
>>>> When I setup the following, the authentication+proxying works perfect,
>>>> with the url changing from http://1.2.3.4:2001 to
>>>> http://1.2.3.4:2001/cgi-bin/webproc, and the proxied0server opening up
>>>> perfectly.
>>>>
>>>> ############################################################
>>>> ################
>>>> server {
>>>>         listen 2001;
>>>>         location / {
>>>>
>>>>                         auth_basic 'Restricted';
>>>>                         auth_basic_user_file
>>>> /home/2819163155b64c4c81f8608aa23c9faa/.htpasswd;
>>>>                         proxy_pass http://127.0.0.1:2000;
>>>>                 }
>>>>         }
>>>> ############################################################
>>>> #################
>>>>
>>>>
>>>>
>>>> However, I am not able to do the proxying if I perform url-rewriting.
>>>> Nothing of the following works ::
>>>>
>>>> a)
>>>> ############################################################
>>>> ################
>>>> server {
>>>>         listen 2001;
>>>>         location /78 {
>>>>
>>>>                         auth_basic 'Restricted';
>>>>                         auth_basic_user_file
>>>> /home/2819163155b64c4c81f8608aa23c9faa/.htpasswd;
>>>>                         proxy_pass http://127.0.0.1:2000;
>>>>                 }
>>>>         }
>>>> ############################################################
>>>> ################
>>>>
>>>> No URL change happens, and 404 (illegal-file-access) is obtained.
>>>>
>>>>
>>>> b)
>>>> ############################################################
>>>> ################
>>>> server {
>>>>         listen 2001;
>>>>         location /78 {
>>>>
>>>>                         auth_basic 'Restricted';
>>>>                         auth_basic_user_file
>>>> /home/2819163155b64c4c81f8608aa23c9faa/.htpasswd;
>>>>                         proxy_pass http://127.0.0.1:2000/;
>>>>                 }
>>>>         }
>>>> ############################################################
>>>> ################
>>>>
>>>> No URL change happens, and 404 (illegal-file-access) is obtained.
>>>>
>>>>
>>>> c)
>>>> ############################################################
>>>> ################
>>>> server {
>>>>         listen 2001;
>>>>         location /78/ {
>>>>
>>>>                         auth_basic 'Restricted';
>>>>                         auth_basic_user_file
>>>> /home/2819163155b64c4c81f8608aa23c9faa/.htpasswd;
>>>>                         proxy_pass http://127.0.0.1:2000/;
>>>>                 }
>>>>         }
>>>> ############################################################
>>>> ################
>>>>
>>>> The URL does changes from http://1.2.3.4:2001/78 to
>>>> http://1.2.3.4:2001/cgi-bin/webproc, but a 404 is obtained.
>>>>
>>>>
>>>> d)
>>>> ############################################################
>>>> ################
>>>> server {
>>>>         listen 2001;
>>>>         location /78/ {
>>>>
>>>>                         auth_basic 'Restricted';
>>>>                         auth_basic_user_file
>>>> /home/2819163155b64c4c81f8608aa23c9faa/.htpasswd;
>>>>                         proxy_pass http://127.0.0.1:2000;
>>>>                 }
>>>>         }
>>>> ############################################################
>>>> ################
>>>>
>>>> No URL change happens, and 404 (illegal-file-access) is obtained.
>>>>
>>>>
>>>> So, I guess c) is the closest to doing a url-rewrite, but I wonder why
>>>> am I getting a 404, even though the URL-change is perfect.
>>>>
>>>>
>>>> Any ideas please?
>>>>
>>>>
>>>> Thanks and Regards,
>>>> Ajay
>>>>
>>>> _______________________________________________
>>>> nginx mailing list
>>>> nginx at nginx.org
>>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>>
>>>
>>>
>>>
>>> --
>>> *Anoop P Alias*
>>>
>>>
>>> _______________________________________________
>>> nginx mailing list
>>> nginx at nginx.org
>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>
>>
>>
>>
>> --
>> Regards,
>> Ajay
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
>
> --
> *Anoop P Alias*
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>



-- 
Regards,
Ajay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170408/0f3039d2/attachment-0001.html>

From ajaygargnsit at gmail.com  Sat Apr  8 13:48:37 2017
From: ajaygargnsit at gmail.com (Ajay Garg)
Date: Sat, 8 Apr 2017 19:18:37 +0530
Subject: Any harms in opening up multiple ports in listening-state in the
 context of Nginx?
Message-ID: <CAHP4M8X6p27vy2W+MPTB27v1Kbu1nEBHpBgv_=Mq0tNe=DYBOQ@mail.gmail.com>

Hi All.

I have been trying to do url-based redirections, but as per
http://mailman.nginx.org/pipermail/nginx/2017-April/053443.html, there are
issues cropping up.
If the issues exist, then I will have to follow the

    one port for each proxy-url (constant "/" location)

approach, instead of

   one port for all proxy-urls, using multiple locations to do the mapping

approach.


So, if I indeed need to open multiple ports to public in listening-state,
is there any harm?


Thanks and Regards,
Ajay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170408/e1f89f7c/attachment.html>

From luky-37 at hotmail.com  Sat Apr  8 19:26:01 2017
From: luky-37 at hotmail.com (Lukas Tribus)
Date: Sat, 8 Apr 2017 19:26:01 +0000
Subject: Ticket #196 followup: disallow spaces in uri by default
Message-ID: <VI1PR08MB120000E505BD597B7321CB14ED0F0@VI1PR08MB1200.eurprd08.prod.outlook.com>

Hello list,


in Ticket #196 [1], Maxim Dounin suggested that spaces in URI's could be disallowed by default.

As far as I can tell, current code still does not "disallow" those requests (not by default and not via specific configuration either), is that correct? Could this be improved, as per the suggestion in the ticket?

Nginx' behavior looks weird and inconsistent in case the HTTP request contains a unescaped "space followed by a uppercase H" and troubleshooting is more complicated because of it, take a look at this for example:

https://github.com/peeringdb/peeringdb/issues/132



cheers,
lukas

[1] https://trac.nginx.org/nginx/ticket/196

From francis at daoine.org  Sun Apr  9 10:49:31 2017
From: francis at daoine.org (Francis Daly)
Date: Sun, 9 Apr 2017 11:49:31 +0100
Subject: URL-Rewriting not working
In-Reply-To: <CAHP4M8U8-wgTTRYsG2BVydjK6no37Sn+wP+yU1tSeKQoiS7M=g@mail.gmail.com>
References: <CAHP4M8U8-wgTTRYsG2BVydjK6no37Sn+wP+yU1tSeKQoiS7M=g@mail.gmail.com>
Message-ID: <20170409104931.GJ3428@daoine.org>

On Sat, Apr 08, 2017 at 06:39:59PM +0530, Ajay Garg wrote:

Hi there,

> However, I am not able to do the proxying if I perform url-rewriting.
> Nothing of the following works ::

Note that if you want to reverse-proxy a back-end web service at a
different part of the url hierarchy to where it believes it is installed,
in general you need the web service to help.

That is, if you want the back-end / to correspond to the front-end /x/,
then if the back-end ever links to something like /a, you will need that
to become translated to /x/a before it leaves the front-end. In general,
the front-end cannot do that translation.

So you may find it easier to configure the back-end to be (or to act as
if it is) installed below /x/ directly.

Otherwise things can go wrong.

What that means is...

> a)
> server {
>         listen 2001;
>         location /78 {
> 
>                         auth_basic 'Restricted';
>                         auth_basic_user_file
> /home/2819163155b64c4c81f8608aa23c9faa/.htpasswd;
>                         proxy_pass http://127.0.0.1:2000;
>                 }
>         }
> ############################################################################
> 
> No URL change happens, and 404 (illegal-file-access) is obtained.

If you request http://1.2.3.4:2001/78, nginx should request
http://127.0.0.1:2000/78, and I guess that the back-end said 404.

What do the back-end logs say?

Can you show a specific "curl" command, with "-v" or "-i", that you can
use to show this error case?

> b)
> ############################################################################
> server {
>         listen 2001;
>         location /78 {
> 
>                         auth_basic 'Restricted';
>                         auth_basic_user_file
> /home/2819163155b64c4c81f8608aa23c9faa/.htpasswd;
>                         proxy_pass http://127.0.0.1:2000/;
>                 }
>         }
> ############################################################################
> 
> No URL change happens, and 404 (illegal-file-access) is obtained.

If you request http://1.2.3.4:2001/78, nginx should request
http://127.0.0.1:2000/. Does the 404 come from nginx or the back-end?

What do the back-end logs say?

(Did you request http://1.2.3.4:2001/78, or http://1.2.3.4:2001/78/ --
because the two urls arl different.)

> c)
> ############################################################################
> server {
>         listen 2001;
>         location /78/ {
> 
>                         auth_basic 'Restricted';
>                         auth_basic_user_file
> /home/2819163155b64c4c81f8608aa23c9faa/.htpasswd;
>                         proxy_pass http://127.0.0.1:2000/;
>                 }
>         }
> ############################################################################
> 
> The URL does changes from http://1.2.3.4:2001/78 to
> http://1.2.3.4:2001/cgi-bin/webproc, but a 404 is obtained.

If you request http://1.2.3.4:2001/78, nginx should return 301
redirecting you to http://1.2.3.4:2001/78/. If you then request
http://1.2.3.4:2001/78/, nginx should request http://127.0.0.1:2000/. I
guess that the back-end then returns 301 redirecting you to
/cgi-bin/webproc. If you request http://1.2.3.4:2001/cgi-bin/webproc,
then nginx should return 404 (because /cgi-bin/webproc does not start
with /78/).

Can you see all of those requests and responses, especially the ones
involving the back-end?

> d)
> ############################################################################
> server {
>         listen 2001;
>         location /78/ {
> 
>                         auth_basic 'Restricted';
>                         auth_basic_user_file
> /home/2819163155b64c4c81f8608aa23c9faa/.htpasswd;
>                         proxy_pass http://127.0.0.1:2000;
>                 }
>         }
> ############################################################################
> 
> No URL change happens, and 404 (illegal-file-access) is obtained.

Similar to a)

> So, I guess c) is the closest to doing a url-rewrite, but I wonder why am I
> getting a 404, even though the URL-change is perfect.

You have multiple possible configurations there. And you have not shown
the details of the requests and responses.

Can you show some requests that you want the client to make of nginx,
and then show the matching requests that you want nginx to make of
the back-end?

You can use "curl" on the nginx machine to make similar requests of the
back-end yourself, to see that actual response details. That might give
a hint as to what, if any, proxy_redirect directives are needed.

> Any ideas please?

Can you configure the web service on port 2000 to believe that all of
its useful urls are below /78/ ? If so, use configuration d).

	f
-- 
Francis Daly        francis at daoine.org

From ajaygargnsit at gmail.com  Sun Apr  9 11:57:31 2017
From: ajaygargnsit at gmail.com (Ajay Garg)
Date: Sun, 9 Apr 2017 17:27:31 +0530
Subject: URL-Rewriting not working
In-Reply-To: <20170409104931.GJ3428@daoine.org>
References: <CAHP4M8U8-wgTTRYsG2BVydjK6no37Sn+wP+yU1tSeKQoiS7M=g@mail.gmail.com>
 <20170409104931.GJ3428@daoine.org>
Message-ID: <CAHP4M8U23UahZ51O36a3UQ04mYvB-R6Ufcxh01oLgOmmX3NwNA@mail.gmail.com>

Hi Francis.

Thanks for your detailed analysis.

Unfortunately, our backen-service(s) (on port 2000 in the example) is
ssh-reverse-tunnel, having two layers of machines behind them. The
terminating-node for sure cannot be changed.

Looking at your explanations, I guess then we will have to open a port for
every service.
So, for example, port 2001 for proxying to service running on ssh-tunnel at
2000,
                         port 2003 for proxying to service running on
ssh-tunnel at 2002, and so on.


That brings me to my last question as per
http://mailman.nginx.org/pipermail/nginx/2017-April/053448.html. If there
isn't an issue with opening multiple nginx-listening-ports to the public,
then I guess we are done.


Would love to hear back your thoughts.



Thanks and Regards,
Ajay

On Sun, Apr 9, 2017 at 4:19 PM, Francis Daly <francis at daoine.org> wrote:

> On Sat, Apr 08, 2017 at 06:39:59PM +0530, Ajay Garg wrote:
>
> Hi there,
>
> > However, I am not able to do the proxying if I perform url-rewriting.
> > Nothing of the following works ::
>
> Note that if you want to reverse-proxy a back-end web service at a
> different part of the url hierarchy to where it believes it is installed,
> in general you need the web service to help.
>
> That is, if you want the back-end / to correspond to the front-end /x/,
> then if the back-end ever links to something like /a, you will need that
> to become translated to /x/a before it leaves the front-end. In general,
> the front-end cannot do that translation.
>
> So you may find it easier to configure the back-end to be (or to act as
> if it is) installed below /x/ directly.
>
> Otherwise things can go wrong.
>
> What that means is...
>
> > a)
> > server {
> >         listen 2001;
> >         location /78 {
> >
> >                         auth_basic 'Restricted';
> >                         auth_basic_user_file
> > /home/2819163155b64c4c81f8608aa23c9faa/.htpasswd;
> >                         proxy_pass http://127.0.0.1:2000;
> >                 }
> >         }
> > ############################################################
> ################
> >
> > No URL change happens, and 404 (illegal-file-access) is obtained.
>
> If you request http://1.2.3.4:2001/78, nginx should request
> http://127.0.0.1:2000/78, and I guess that the back-end said 404.
>
> What do the back-end logs say?
>
> Can you show a specific "curl" command, with "-v" or "-i", that you can
> use to show this error case?
>
> > b)
> > ############################################################
> ################
> > server {
> >         listen 2001;
> >         location /78 {
> >
> >                         auth_basic 'Restricted';
> >                         auth_basic_user_file
> > /home/2819163155b64c4c81f8608aa23c9faa/.htpasswd;
> >                         proxy_pass http://127.0.0.1:2000/;
> >                 }
> >         }
> > ############################################################
> ################
> >
> > No URL change happens, and 404 (illegal-file-access) is obtained.
>
> If you request http://1.2.3.4:2001/78, nginx should request
> http://127.0.0.1:2000/. Does the 404 come from nginx or the back-end?
>
> What do the back-end logs say?
>
> (Did you request http://1.2.3.4:2001/78, or http://1.2.3.4:2001/78/ --
> because the two urls arl different.)
>
> > c)
> > ############################################################
> ################
> > server {
> >         listen 2001;
> >         location /78/ {
> >
> >                         auth_basic 'Restricted';
> >                         auth_basic_user_file
> > /home/2819163155b64c4c81f8608aa23c9faa/.htpasswd;
> >                         proxy_pass http://127.0.0.1:2000/;
> >                 }
> >         }
> > ############################################################
> ################
> >
> > The URL does changes from http://1.2.3.4:2001/78 to
> > http://1.2.3.4:2001/cgi-bin/webproc, but a 404 is obtained.
>
> If you request http://1.2.3.4:2001/78, nginx should return 301
> redirecting you to http://1.2.3.4:2001/78/. If you then request
> http://1.2.3.4:2001/78/, nginx should request http://127.0.0.1:2000/. I
> guess that the back-end then returns 301 redirecting you to
> /cgi-bin/webproc. If you request http://1.2.3.4:2001/cgi-bin/webproc,
> then nginx should return 404 (because /cgi-bin/webproc does not start
> with /78/).
>
> Can you see all of those requests and responses, especially the ones
> involving the back-end?
>
> > d)
> > ############################################################
> ################
> > server {
> >         listen 2001;
> >         location /78/ {
> >
> >                         auth_basic 'Restricted';
> >                         auth_basic_user_file
> > /home/2819163155b64c4c81f8608aa23c9faa/.htpasswd;
> >                         proxy_pass http://127.0.0.1:2000;
> >                 }
> >         }
> > ############################################################
> ################
> >
> > No URL change happens, and 404 (illegal-file-access) is obtained.
>
> Similar to a)
>
> > So, I guess c) is the closest to doing a url-rewrite, but I wonder why
> am I
> > getting a 404, even though the URL-change is perfect.
>
> You have multiple possible configurations there. And you have not shown
> the details of the requests and responses.
>
> Can you show some requests that you want the client to make of nginx,
> and then show the matching requests that you want nginx to make of
> the back-end?
>
> You can use "curl" on the nginx machine to make similar requests of the
> back-end yourself, to see that actual response details. That might give
> a hint as to what, if any, proxy_redirect directives are needed.
>
> > Any ideas please?
>
> Can you configure the web service on port 2000 to believe that all of
> its useful urls are below /78/ ? If so, use configuration d).
>
>         f
> --
> Francis Daly        francis at daoine.org
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>



-- 
Regards,
Ajay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170409/a714467b/attachment-0001.html>

From francis at daoine.org  Sun Apr  9 12:28:54 2017
From: francis at daoine.org (Francis Daly)
Date: Sun, 9 Apr 2017 13:28:54 +0100
Subject: URL-Rewriting not working
In-Reply-To: <CAHP4M8U23UahZ51O36a3UQ04mYvB-R6Ufcxh01oLgOmmX3NwNA@mail.gmail.com>
References: <CAHP4M8U8-wgTTRYsG2BVydjK6no37Sn+wP+yU1tSeKQoiS7M=g@mail.gmail.com>
 <20170409104931.GJ3428@daoine.org>
 <CAHP4M8U23UahZ51O36a3UQ04mYvB-R6Ufcxh01oLgOmmX3NwNA@mail.gmail.com>
Message-ID: <20170409122854.GK3428@daoine.org>

On Sun, Apr 09, 2017 at 05:27:31PM +0530, Ajay Garg wrote:

Hi there,

> Unfortunately, our backen-service(s) (on port 2000 in the example) is
> ssh-reverse-tunnel, having two layers of machines behind them. The
> terminating-node for sure cannot be changed.

"In general", reverse-proxying to a different part of the url hierarchy
needs back-end support. In the specific case of your system, maybe it
does not need anything special. Only you can tell.

> Looking at your explanations, I guess then we will have to open a port for
> every service.
> So, for example, port 2001 for proxying to service running on ssh-tunnel at
> 2000,

You could.

Or, you could have nginx listening on public:2000 and proxy_pass'ing
to local:2000, so you don't have to remember the public/private port
mappings.

Or you could have nginx listening on one port, and have multiple server{}
blocks, so that userA connects to A.example.com which proxy_pass'es
to local:2000; and userB connects to B.example.com which proxy_pass'es
to local:2002.

Or, you could (potentially) have nginx listening on one port, with one
server{} block, where anyone who authenticates as userA is proxy_pass'ed
to local:2000 and anyone who authenticates as userB is proxy_pass'ed
to local:2002.

In each of those cases, the reverse-proxying is not to a different part
of the url hierarchy, so the original concern does not apply.

Each case has its own costs and benefits, regarding future maintenance
within nginx and external to nginx. All can work. Only you can decide
which suits you best.

> That brings me to my last question as per
> http://mailman.nginx.org/pipermail/nginx/2017-April/053448.html. If there
> isn't an issue with opening multiple nginx-listening-ports to the public,
> then I guess we are done.

Until you exhaust resources on your system, nginx does not care how many
listening ports it opens.

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org

From ajaygargnsit at gmail.com  Sun Apr  9 12:46:37 2017
From: ajaygargnsit at gmail.com (Ajay Garg)
Date: Sun, 9 Apr 2017 18:16:37 +0530
Subject: URL-Rewriting not working
In-Reply-To: <20170409122854.GK3428@daoine.org>
References: <CAHP4M8U8-wgTTRYsG2BVydjK6no37Sn+wP+yU1tSeKQoiS7M=g@mail.gmail.com>
 <20170409104931.GJ3428@daoine.org>
 <CAHP4M8U23UahZ51O36a3UQ04mYvB-R6Ufcxh01oLgOmmX3NwNA@mail.gmail.com>
 <20170409122854.GK3428@daoine.org>
Message-ID: <CAHP4M8XyNGV6U8C8Uty+HED0tuqu9+Diu=2CND9wiePpUCwbHQ@mail.gmail.com>

Hi Francis.

Thanks a ton for your suggestions.

On Sun, Apr 9, 2017 at 5:58 PM, Francis Daly <francis at daoine.org> wrote:

> On Sun, Apr 09, 2017 at 05:27:31PM +0530, Ajay Garg wrote:
>
> Hi there,
>
> > Unfortunately, our backen-service(s) (on port 2000 in the example) is
> > ssh-reverse-tunnel, having two layers of machines behind them. The
> > terminating-node for sure cannot be changed.
>
> "In general", reverse-proxying to a different part of the url hierarchy
> needs back-end support. In the specific case of your system, maybe it
> does not need anything special. Only you can tell.
>
> > Looking at your explanations, I guess then we will have to open a port
> for
> > every service.
> > So, for example, port 2001 for proxying to service running on ssh-tunnel
> at
> > 2000,
>
> You could.
>
> Or, you could have nginx listening on public:2000 and proxy_pass'ing
> to local:2000, so you don't have to remember the public/private port
> mappings.
>
> Or you could have nginx listening on one port, and have multiple server{}
> blocks, so that userA connects to A.example.com which proxy_pass'es
> to local:2000; and userB connects to B.example.com which proxy_pass'es
> to local:2002.
>

I doubt I would be allowed to do this, since we would be using a fixed IP
(instead of the costly multiple DNS-addresses).



>
> Or, you could (potentially) have nginx listening on one port, with one
> server{} block, where anyone who authenticates as userA is proxy_pass'ed
> to local:2000 and anyone who authenticates as userB is proxy_pass'ed
> to local:2002.
>

I would be very much interested if this case is possible.
Kindly let know how to do the proxy-routing based upon credentials.

This will really solve our last core issue (opening multiple ports), while
preserving all the feature-sets.

So, will be grateful to hear back from you on how to implement this :)


Once again, thanks a ton for the speedy, detailed responses !!


Thanks and Regards,
Ajay


>
> In each of those cases, the reverse-proxying is not to a different part
> of the url hierarchy, so the original concern does not apply.
>
> Each case has its own costs and benefits, regarding future maintenance
> within nginx and external to nginx. All can work. Only you can decide
> which suits you best.
>
> > That brings me to my last question as per
> > http://mailman.nginx.org/pipermail/nginx/2017-April/053448.html. If
> there
> > isn't an issue with opening multiple nginx-listening-ports to the public,
> > then I guess we are done.
>
> Until you exhaust resources on your system, nginx does not care how many
> listening ports it opens.
>
> Good luck with it,
>
>         f
> --
> Francis Daly        francis at daoine.org
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>



-- 
Regards,
Ajay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170409/58a12d95/attachment.html>

From ajaygargnsit at gmail.com  Sun Apr  9 13:06:51 2017
From: ajaygargnsit at gmail.com (Ajay Garg)
Date: Sun, 9 Apr 2017 18:36:51 +0530
Subject: URL-Rewriting not working
In-Reply-To: <CAHP4M8XyNGV6U8C8Uty+HED0tuqu9+Diu=2CND9wiePpUCwbHQ@mail.gmail.com>
References: <CAHP4M8U8-wgTTRYsG2BVydjK6no37Sn+wP+yU1tSeKQoiS7M=g@mail.gmail.com>
 <20170409104931.GJ3428@daoine.org>
 <CAHP4M8U23UahZ51O36a3UQ04mYvB-R6Ufcxh01oLgOmmX3NwNA@mail.gmail.com>
 <20170409122854.GK3428@daoine.org>
 <CAHP4M8XyNGV6U8C8Uty+HED0tuqu9+Diu=2CND9wiePpUCwbHQ@mail.gmail.com>
Message-ID: <CAHP4M8Vzc9g5AzUrWZyaLinst_MXb0AZQW2keLnYntUFi4YjMQ@mail.gmail.com>

Got it Francis !!

server {
                listen 2001 ssl;

                ssl_certificate /etc/nginx/ssl/nginx.crt;
                ssl_certificate_key /etc/nginx/ssl/nginx.key;

                location / {
                                        auth_basic 'Restricted';
                                        auth_basic_user_file
/home/20da689b45c84f2b80bc84d651ed573f/.htpasswd;

                                        if ($remote_user =
"20da689b45c84f2b80bc84d651ed573f") {
                                                proxy_pass
https://127.0.0.1:2000;
                                        }

                }
        }



Love you !!! :P :P


Thanks and Regards,
Ajay

On Sun, Apr 9, 2017 at 6:16 PM, Ajay Garg <ajaygargnsit at gmail.com> wrote:

> Hi Francis.
>
> Thanks a ton for your suggestions.
>
> On Sun, Apr 9, 2017 at 5:58 PM, Francis Daly <francis at daoine.org> wrote:
>
>> On Sun, Apr 09, 2017 at 05:27:31PM +0530, Ajay Garg wrote:
>>
>> Hi there,
>>
>> > Unfortunately, our backen-service(s) (on port 2000 in the example) is
>> > ssh-reverse-tunnel, having two layers of machines behind them. The
>> > terminating-node for sure cannot be changed.
>>
>> "In general", reverse-proxying to a different part of the url hierarchy
>> needs back-end support. In the specific case of your system, maybe it
>> does not need anything special. Only you can tell.
>>
>> > Looking at your explanations, I guess then we will have to open a port
>> for
>> > every service.
>> > So, for example, port 2001 for proxying to service running on
>> ssh-tunnel at
>> > 2000,
>>
>> You could.
>>
>> Or, you could have nginx listening on public:2000 and proxy_pass'ing
>> to local:2000, so you don't have to remember the public/private port
>> mappings.
>>
>> Or you could have nginx listening on one port, and have multiple server{}
>> blocks, so that userA connects to A.example.com which proxy_pass'es
>> to local:2000; and userB connects to B.example.com which proxy_pass'es
>> to local:2002.
>>
>
> I doubt I would be allowed to do this, since we would be using a fixed IP
> (instead of the costly multiple DNS-addresses).
>
>
>
>>
>> Or, you could (potentially) have nginx listening on one port, with one
>> server{} block, where anyone who authenticates as userA is proxy_pass'ed
>> to local:2000 and anyone who authenticates as userB is proxy_pass'ed
>> to local:2002.
>>
>
> I would be very much interested if this case is possible.
> Kindly let know how to do the proxy-routing based upon credentials.
>
> This will really solve our last core issue (opening multiple ports), while
> preserving all the feature-sets.
>
> So, will be grateful to hear back from you on how to implement this :)
>
>
> Once again, thanks a ton for the speedy, detailed responses !!
>
>
> Thanks and Regards,
> Ajay
>
>
>>
>> In each of those cases, the reverse-proxying is not to a different part
>> of the url hierarchy, so the original concern does not apply.
>>
>> Each case has its own costs and benefits, regarding future maintenance
>> within nginx and external to nginx. All can work. Only you can decide
>> which suits you best.
>>
>> > That brings me to my last question as per
>> > http://mailman.nginx.org/pipermail/nginx/2017-April/053448.html. If
>> there
>> > isn't an issue with opening multiple nginx-listening-ports to the
>> public,
>> > then I guess we are done.
>>
>> Until you exhaust resources on your system, nginx does not care how many
>> listening ports it opens.
>>
>> Good luck with it,
>>
>>         f
>> --
>> Francis Daly        francis at daoine.org
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
>
> --
> Regards,
> Ajay
>



-- 
Regards,
Ajay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170409/1c9604a7/attachment-0001.html>

From ajaygargnsit at gmail.com  Sun Apr  9 13:55:56 2017
From: ajaygargnsit at gmail.com (Ajay Garg)
Date: Sun, 9 Apr 2017 19:25:56 +0530
Subject: Mechanism to avoid restarting nginx upon every change
Message-ID: <CAHP4M8U8d6m_xog6pQ2apTs3+NQkhyH7uVSQp5CM2eVMGKX1rQ@mail.gmail.com>

Hi All.

We are wanting to implement a solution, wherein the user gets proxied to
the appropriate local-url, depending upon the credentials.
Following architecture works like a charm (thanks a ton to
francis at daoine.org, without whom I would not have been able to reach here)
::

####################################################
server {
                listen 2000 ssl;

                ssl_certificate /etc/nginx/ssl/nginx.crt;
                ssl_certificate_key /etc/nginx/ssl/nginx.key;

                location / {
                                        auth_basic 'Restricted';
                                        auth_basic_user_file
/etc/nginx/ssl/.htpasswd;

                                        if ($remote_user =  "user1") {
                                                proxy_pass
https://127.0.0.1:2001 <https://127.0.0.1:2000>;
                                        }

                                        if ($remote_user =  "user2") {
                                                proxy_pass
https://127.0.0.1:2002 <https://127.0.0.1:2000>;
                                        }

                                       # and so on ....

                }
         }
####################################################


Things are good, except that adding any new user information requires
reloading/restarting the nginx server, causing (however small) downtime.

Can this be avoided?
Can the above be implemented using some sort of database, so that the nginx
itself does not have to be down, and the "remote_user <=> proxy_pass"
mapping can be retrieved from a database instead?

Will be grateful for pointers.


Thanks and Regards,
Ajay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170409/f5b9ec12/attachment.html>

From lucas at lucasrolff.com  Sun Apr  9 13:59:05 2017
From: lucas at lucasrolff.com (Lucas Rolff)
Date: Sun, 9 Apr 2017 13:59:05 +0000
Subject: Mechanism to avoid restarting nginx upon every change
In-Reply-To: <CAHP4M8U8d6m_xog6pQ2apTs3+NQkhyH7uVSQp5CM2eVMGKX1rQ@mail.gmail.com>
References: <CAHP4M8U8d6m_xog6pQ2apTs3+NQkhyH7uVSQp5CM2eVMGKX1rQ@mail.gmail.com>
Message-ID: <3E44F131-8C69-410F-AE08-BFF9E778693C@lucasrolff.com>

Hi Ajay,

If you generate the configuration, and issue a nginx reload ? it won't cause any downtime. The master process will reread the configuration, start new workers, and gracefully shut down the old ones.
There's absolutely no downtime involved in this process.


From: nginx <nginx-bounces at nginx.org<mailto:nginx-bounces at nginx.org>> on behalf of Ajay Garg <ajaygargnsit at gmail.com<mailto:ajaygargnsit at gmail.com>>
Reply-To: "nginx at nginx.org<mailto:nginx at nginx.org>" <nginx at nginx.org<mailto:nginx at nginx.org>>
Date: Sunday, 9 April 2017 at 15.55
To: "nginx at nginx.org<mailto:nginx at nginx.org>" <nginx at nginx.org<mailto:nginx at nginx.org>>
Subject: Mechanism to avoid restarting nginx upon every change

Hi All.

We are wanting to implement a solution, wherein the user gets proxied to the appropriate local-url, depending upon the credentials.
Following architecture works like a charm (thanks a ton tofrancis at daoine.org<mailto:francis at daoine.org>, without whom I would not have been able to reach here) ::

####################################################
server {
                listen 2000 ssl;

                ssl_certificate /etc/nginx/ssl/nginx.crt;
                ssl_certificate_key /etc/nginx/ssl/nginx.key;

                location / {
                                        auth_basic 'Restricted';
                                        auth_basic_user_file /etc/nginx/ssl/.htpasswd;

                                        if ($remote_user =  "user1") {
                                                proxy_pass https://127.0.0.1:2001<https://127.0.0.1:2000>;
                                        }

                                        if ($remote_user =  "user2") {
                                                proxy_pass https://127.0.0.1:2002<https://127.0.0.1:2000>;
                                        }

                                       # and so on ....

                }
         }
####################################################


Things are good, except that adding any new user information requires reloading/restarting the nginx server, causing (however small) downtime.

Can this be avoided?
Can the above be implemented using some sort of database, so that the nginx itself does not have to be down, and the "remote_user <=> proxy_pass" mapping can be retrieved from a database instead?

Will be grateful for pointers.


Thanks and Regards,
Ajay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170409/df04234a/attachment.html>

From ajaygargnsit at gmail.com  Sun Apr  9 14:25:38 2017
From: ajaygargnsit at gmail.com (Ajay Garg)
Date: Sun, 9 Apr 2017 19:55:38 +0530
Subject: Mechanism to avoid restarting nginx upon every change
In-Reply-To: <3E44F131-8C69-410F-AE08-BFF9E778693C@lucasrolff.com>
References: <CAHP4M8U8d6m_xog6pQ2apTs3+NQkhyH7uVSQp5CM2eVMGKX1rQ@mail.gmail.com>
 <3E44F131-8C69-410F-AE08-BFF9E778693C@lucasrolff.com>
Message-ID: <CAHP4M8UpMhOrrybtEiG65=JCDKY54H2tZsDZvjq46fLbrrp0xA@mail.gmail.com>

Thanks a ton Lucas.

Just checked reloading, and the previous proxy-session was intact !!
Thanks a ton again.

And sorry I missed your name in the credits, you too had helped a greate
deal yesterday, and today too !!
Thanks a ton again !!!


Thanks and Regards,
Ajay

On Sun, Apr 9, 2017 at 7:29 PM, Lucas Rolff <lucas at lucasrolff.com> wrote:

> Hi Ajay,
>
> If you generate the configuration, and issue a nginx reload ? it won't
> cause any downtime. The master process will reread the configuration, start
> new workers, and gracefully shut down the old ones.
> There's absolutely no downtime involved in this process.
>
>
> From: nginx <nginx-bounces at nginx.org> on behalf of Ajay Garg <
> ajaygargnsit at gmail.com>
> Reply-To: "nginx at nginx.org" <nginx at nginx.org>
> Date: Sunday, 9 April 2017 at 15.55
> To: "nginx at nginx.org" <nginx at nginx.org>
> Subject: Mechanism to avoid restarting nginx upon every change
>
> Hi All.
>
> We are wanting to implement a solution, wherein the user gets proxied to
> the appropriate local-url, depending upon the credentials.
> Following architecture works like a charm (thanks a ton to
> francis at daoine.org, without whom I would not have been able to reach
> here) ::
>
> ####################################################
> server {
>                 listen 2000 ssl;
>
>                 ssl_certificate /etc/nginx/ssl/nginx.crt;
>                 ssl_certificate_key /etc/nginx/ssl/nginx.key;
>
>                 location / {
>                                         auth_basic 'Restricted';
>                                         auth_basic_user_file
> /etc/nginx/ssl/.htpasswd;
>
>                                         if ($remote_user =  "user1") {
>                                                 proxy_pass
> https://127.0.0.1:2001 <https://127.0.0.1:2000>;
>                                         }
>
>                                         if ($remote_user =  "user2") {
>                                                 proxy_pass
> https://127.0.0.1:2002 <https://127.0.0.1:2000>;
>                                         }
>
>                                        # and so on ....
>
>                 }
>          }
> ####################################################
>
>
> Things are good, except that adding any new user information requires
> reloading/restarting the nginx server, causing (however small) downtime.
>
> Can this be avoided?
> Can the above be implemented using some sort of database, so that the
> nginx itself does not have to be down, and the "remote_user <=> proxy_pass"
> mapping can be retrieved from a database instead?
>
> Will be grateful for pointers.
>
>
> Thanks and Regards,
> Ajay
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>



-- 
Regards,
Ajay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170409/34567c5d/attachment-0001.html>

From francis at daoine.org  Sun Apr  9 15:17:21 2017
From: francis at daoine.org (Francis Daly)
Date: Sun, 9 Apr 2017 16:17:21 +0100
Subject: URL-Rewriting not working
In-Reply-To: <CAHP4M8Vzc9g5AzUrWZyaLinst_MXb0AZQW2keLnYntUFi4YjMQ@mail.gmail.com>
References: <CAHP4M8U8-wgTTRYsG2BVydjK6no37Sn+wP+yU1tSeKQoiS7M=g@mail.gmail.com>
 <20170409104931.GJ3428@daoine.org>
 <CAHP4M8U23UahZ51O36a3UQ04mYvB-R6Ufcxh01oLgOmmX3NwNA@mail.gmail.com>
 <20170409122854.GK3428@daoine.org>
 <CAHP4M8XyNGV6U8C8Uty+HED0tuqu9+Diu=2CND9wiePpUCwbHQ@mail.gmail.com>
 <CAHP4M8Vzc9g5AzUrWZyaLinst_MXb0AZQW2keLnYntUFi4YjMQ@mail.gmail.com>
Message-ID: <20170409151721.GL3428@daoine.org>

On Sun, Apr 09, 2017 at 06:36:51PM +0530, Ajay Garg wrote:

Hi there,

> Got it Francis !!

Good news.

>                 location / {
>                                         auth_basic 'Restricted';
>                                         auth_basic_user_file
> /home/20da689b45c84f2b80bc84d651ed573f/.htpasswd;
> 
>                                         if ($remote_user =
> "20da689b45c84f2b80bc84d651ed573f") {
>                                                 proxy_pass
> https://127.0.0.1:2000;
>                                         }
> 
>                 }

When you come to add the second user, you will see that you want one
file with all the user/pass details.

You will probably also see that it will be good to use a map
(http://nginx.org/r/map) to set a variable for the port to connect to,
based on $remote_user. Then your main config becomes just "proxy_pass
http://127.0.0.1:$per_user_port;".

Note that I have not tested that, and expect that there may be some more
subtleties involved, such as perhaps requiring an explicit proxy_redirect
directive.

Note also that you will probably want to set a default value for
$per_user_port, and make sure that something sensible happens when that
value is used -- probably a response along the lines of "something isn't
fully set up on the server yet; please wait or let us know", so the user
is not confused.

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org

From ajaygargnsit at gmail.com  Sun Apr  9 15:37:02 2017
From: ajaygargnsit at gmail.com (Ajay Garg)
Date: Sun, 9 Apr 2017 21:07:02 +0530
Subject: URL-Rewriting not working
In-Reply-To: <20170409151721.GL3428@daoine.org>
References: <CAHP4M8U8-wgTTRYsG2BVydjK6no37Sn+wP+yU1tSeKQoiS7M=g@mail.gmail.com>
 <20170409104931.GJ3428@daoine.org>
 <CAHP4M8U23UahZ51O36a3UQ04mYvB-R6Ufcxh01oLgOmmX3NwNA@mail.gmail.com>
 <20170409122854.GK3428@daoine.org>
 <CAHP4M8XyNGV6U8C8Uty+HED0tuqu9+Diu=2CND9wiePpUCwbHQ@mail.gmail.com>
 <CAHP4M8Vzc9g5AzUrWZyaLinst_MXb0AZQW2keLnYntUFi4YjMQ@mail.gmail.com>
 <20170409151721.GL3428@daoine.org>
Message-ID: <CAHP4M8WLQqOpk0DMg+0W8nF1_zFf7Kn+tW-StUxpdeqF5U+NOg@mail.gmail.com>

Hi Francis.

On Sun, Apr 9, 2017 at 8:47 PM, Francis Daly <francis at daoine.org> wrote:

> On Sun, Apr 09, 2017 at 06:36:51PM +0530, Ajay Garg wrote:
>
> Hi there,
>
> > Got it Francis !!
>
> Good news.
>
> >                 location / {
> >                                         auth_basic 'Restricted';
> >                                         auth_basic_user_file
> > /home/20da689b45c84f2b80bc84d651ed573f/.htpasswd;
> >
> >                                         if ($remote_user =
> > "20da689b45c84f2b80bc84d651ed573f") {
> >                                                 proxy_pass
> > https://127.0.0.1:2000;
> >                                         }
> >
> >                 }
>
> When you come to add the second user, you will see that you want one
> file with all the user/pass details.
>


Yes, I have already changed it to use just one file.
Upon that, would not just multiple sections of "if" checks for $remote_user
suffice, something like ::

#########################################################################
server {
                listen 2000 ssl;

                ssl_certificate /etc/nginx/ssl/nginx.crt;
                ssl_certificate_key /etc/nginx/ssl/nginx.key;

                location / {
                                        auth_basic 'Restricted';
                                        auth_basic_user_file
/etc/nginx/ssl/.htpasswd;

                                        if ($remote_user =  "user1") {
                                                proxy_pass
https://127.0.0.1:2001 <https://127.0.0.1:2000>;
                                        }

                                        if ($remote_user =  "user2") {
                                                proxy_pass
https://127.0.0.1:2002 <https://127.0.0.1:2000>;
                                        }

                                       # and so on ....

                }
         }
#########################################################################

Looking forward to hearing back from you.


Thanks and Regards,
Ajay




>
> You will probably also see that it will be good to use a map
> (http://nginx.org/r/map) to set a variable for the port to connect to,
> based on $remote_user. Then your main config becomes just "proxy_pass
> http://127.0.0.1:$per_user_port;".
>
> Note that I have not tested that, and expect that there may be some more
> subtleties involved, such as perhaps requiring an explicit proxy_redirect
> directive.
>
> Note also that you will probably want to set a default value for
> $per_user_port, and make sure that something sensible happens when that
> value is used -- probably a response along the lines of "something isn't
> fully set up on the server yet; please wait or let us know", so the user
> is not confused.
>
> Good luck with it,
>
>         f
> --
> Francis Daly        francis at daoine.org
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>



-- 
Regards,
Ajay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170409/09c1a18b/attachment.html>

From lucas at lucasrolff.com  Sun Apr  9 15:47:07 2017
From: lucas at lucasrolff.com (Lucas Rolff)
Date: Sun, 9 Apr 2017 15:47:07 +0000
Subject: URL-Rewriting not working
In-Reply-To: <CAHP4M8WLQqOpk0DMg+0W8nF1_zFf7Kn+tW-StUxpdeqF5U+NOg@mail.gmail.com>
References: <CAHP4M8U8-wgTTRYsG2BVydjK6no37Sn+wP+yU1tSeKQoiS7M=g@mail.gmail.com>
 <20170409104931.GJ3428@daoine.org>
 <CAHP4M8U23UahZ51O36a3UQ04mYvB-R6Ufcxh01oLgOmmX3NwNA@mail.gmail.com>
 <20170409122854.GK3428@daoine.org>
 <CAHP4M8XyNGV6U8C8Uty+HED0tuqu9+Diu=2CND9wiePpUCwbHQ@mail.gmail.com>
 <CAHP4M8Vzc9g5AzUrWZyaLinst_MXb0AZQW2keLnYntUFi4YjMQ@mail.gmail.com>
 <20170409151721.GL3428@daoine.org>
 <CAHP4M8WLQqOpk0DMg+0W8nF1_zFf7Kn+tW-StUxpdeqF5U+NOg@mail.gmail.com>
Message-ID: <314BBB68-62C9-4593-BAC5-DD7587CFE8B1@lucasrolff.com>

In general try to avoid using the if directive too much.
https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/

For what you're trying to do, using a map would be the cleanest (and nicest) way I believe ? someone can correct me if they want :-D

From: nginx <nginx-bounces at nginx.org<mailto:nginx-bounces at nginx.org>> on behalf of Ajay Garg <ajaygargnsit at gmail.com<mailto:ajaygargnsit at gmail.com>>
Reply-To: "nginx at nginx.org<mailto:nginx at nginx.org>" <nginx at nginx.org<mailto:nginx at nginx.org>>
Date: Sunday, 9 April 2017 at 17.37
To: "nginx at nginx.org<mailto:nginx at nginx.org>" <nginx at nginx.org<mailto:nginx at nginx.org>>
Subject: Re: URL-Rewriting not working

Hi Francis.

On Sun, Apr 9, 2017 at 8:47 PM, Francis Daly <francis at daoine.org<mailto:francis at daoine.org>> wrote:
On Sun, Apr 09, 2017 at 06:36:51PM +0530, Ajay Garg wrote:

Hi there,

> Got it Francis !!

Good news.

>                 location / {
>                                         auth_basic 'Restricted';
>                                         auth_basic_user_file
> /home/20da689b45c84f2b80bc84d651ed573f/.htpasswd;
>
>                                         if ($remote_user =
> "20da689b45c84f2b80bc84d651ed573f") {
>                                                 proxy_pass
> https://127.0.0.1:2000;
>                                         }
>
>                 }

When you come to add the second user, you will see that you want one
file with all the user/pass details.


Yes, I have already changed it to use just one file.
Upon that, would not just multiple sections of "if" checks for $remote_user suffice, something like ::

#########################################################################
server {
                listen 2000 ssl;

                ssl_certificate /etc/nginx/ssl/nginx.crt;
                ssl_certificate_key /etc/nginx/ssl/nginx.key;

                location / {
                                        auth_basic 'Restricted';
                                        auth_basic_user_file /etc/nginx/ssl/.htpasswd;

                                        if ($remote_user =  "user1") {
                                                proxy_pass https://127.0.0.1:2001<https://127.0.0.1:2000>;
                                        }

                                        if ($remote_user =  "user2") {
                                                proxy_pass https://127.0.0.1:2002<https://127.0.0.1:2000>;
                                        }

                                       # and so on ....

                }
         }
#########################################################################

Looking forward to hearing back from you.


Thanks and Regards,
Ajay




You will probably also see that it will be good to use a map
(http://nginx.org/r/map) to set a variable for the port to connect to,
based on $remote_user. Then your main config becomes just "proxy_pass
http://127.0.0.1:$per_user_port;".

Note that I have not tested that, and expect that there may be some more
subtleties involved, such as perhaps requiring an explicit proxy_redirect
directive.

Note also that you will probably want to set a default value for
$per_user_port, and make sure that something sensible happens when that
value is used -- probably a response along the lines of "something isn't
fully set up on the server yet; please wait or let us know", so the user
is not confused.

Good luck with it,

        f
--
Francis Daly        francis at daoine.org<mailto:francis at daoine.org>
_______________________________________________
nginx mailing list
nginx at nginx.org<mailto:nginx at nginx.org>
http://mailman.nginx.org/mailman/listinfo/nginx



--
Regards,
Ajay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170409/e89c4be8/attachment-0001.html>

From unsay.mono at yahoo.com  Sun Apr  9 22:42:23 2017
From: unsay.mono at yahoo.com (Unsay Mono)
Date: Sun, 9 Apr 2017 22:42:23 +0000 (UTC)
Subject: nginScript and accessing cookies
References: <1273096375.2849034.1491777743020.ref@mail.yahoo.com>
Message-ID: <1273096375.2849034.1491777743020@mail.yahoo.com>

Hey everyone
In this nginx news article the author states:
> With nginScript you can route traffic based on any data in the request, including cookies, headers, arguments, or any keywords in the request body.
So far I've been unable to find any documentation on how to read and write to cookies from nginScript.
Has anyone got an example they could share?
Kind regards
Andreas
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170409/590a748f/attachment.html>

From unsay.mono at yahoo.com  Sun Apr  9 22:45:05 2017
From: unsay.mono at yahoo.com (Unsay Mono)
Date: Sun, 9 Apr 2017 22:45:05 +0000 (UTC)
Subject: nginx ngx_http_js_module debug
References: <2104030780.2833377.1491777905222.ref@mail.yahoo.com>
Message-ID: <2104030780.2833377.1491777905222@mail.yahoo.com>

I've noticed there is a second ngx_http_js_module which, based on the name, is used for debugging.
Can someone shine some light on what exactly the debug version of the module does differently and how it's used?
Kind regards
Andreas
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170409/e32248e6/attachment.html>

From jeff.dyke at gmail.com  Mon Apr 10 02:00:33 2017
From: jeff.dyke at gmail.com (Jeff Dyke)
Date: Sun, 9 Apr 2017 22:00:33 -0400
Subject: nginScript and accessing cookies
In-Reply-To: <1273096375.2849034.1491777743020@mail.yahoo.com>
References: <1273096375.2849034.1491777743020.ref@mail.yahoo.com>
 <1273096375.2849034.1491777743020@mail.yahoo.com>
Message-ID: <CAHmnZdagZSH2kYBpJuD6FaKWZ3oPQ4-q6wvLdv8FZb_v9QHtjA@mail.gmail.com>

at first glance i thought this may be dead, but perhaps you'd should look
here: https://www.nginx.com/blog/introduction-nginscript/, which supports
both Plus and OSS versions.  I've been working with the lua module via
nginx-extras on ubuntu, they suit my needs, but that page may help you.

Jeff

On Sun, Apr 9, 2017 at 6:42 PM, Unsay Mono via nginx <nginx at nginx.org>
wrote:

> Hey everyone
>
> In this
> <https://www.nginx.com/blog/launching-nginscript-and-looking-ahead/>nginx
> news article the author states:
>
> > With nginScript you can route traffic based on any data in the request,
> including *cookies*, headers, arguments, or any keywords in the request
> body.
>
> So far I've been unable to find any documentation on how to *read *and *write
> *to cookies from nginScript.
>
> Has anyone got an example they could share?
>
> Kind regards
>
> Andreas
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170409/277a753c/attachment.html>

From ajaygargnsit at gmail.com  Mon Apr 10 04:53:42 2017
From: ajaygargnsit at gmail.com (Ajay Garg)
Date: Mon, 10 Apr 2017 10:23:42 +0530
Subject: URL-Rewriting not working
In-Reply-To: <314BBB68-62C9-4593-BAC5-DD7587CFE8B1@lucasrolff.com>
References: <CAHP4M8U8-wgTTRYsG2BVydjK6no37Sn+wP+yU1tSeKQoiS7M=g@mail.gmail.com>
 <20170409104931.GJ3428@daoine.org>
 <CAHP4M8U23UahZ51O36a3UQ04mYvB-R6Ufcxh01oLgOmmX3NwNA@mail.gmail.com>
 <20170409122854.GK3428@daoine.org>
 <CAHP4M8XyNGV6U8C8Uty+HED0tuqu9+Diu=2CND9wiePpUCwbHQ@mail.gmail.com>
 <CAHP4M8Vzc9g5AzUrWZyaLinst_MXb0AZQW2keLnYntUFi4YjMQ@mail.gmail.com>
 <20170409151721.GL3428@daoine.org>
 <CAHP4M8WLQqOpk0DMg+0W8nF1_zFf7Kn+tW-StUxpdeqF5U+NOg@mail.gmail.com>
 <314BBB68-62C9-4593-BAC5-DD7587CFE8B1@lucasrolff.com>
Message-ID: <CAHP4M8WfrvQmhMr2sGOeXkEyEttS5Tvwcm7v+3XaZECAJhDs-A@mail.gmail.com>

Thanks a ton Lucas .. moved to map :)

Thanks a ton again !!!



Thanks and Regards,
Ajay

On Sun, Apr 9, 2017 at 9:17 PM, Lucas Rolff <lucas at lucasrolff.com> wrote:

> In general try to avoid using the if directive too much.
> https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
>
> For what you're trying to do, using a map would be the cleanest (and
> nicest) way I believe ? someone can correct me if they want :-D
>
> From: nginx <nginx-bounces at nginx.org> on behalf of Ajay Garg <
> ajaygargnsit at gmail.com>
> Reply-To: "nginx at nginx.org" <nginx at nginx.org>
> Date: Sunday, 9 April 2017 at 17.37
> To: "nginx at nginx.org" <nginx at nginx.org>
> Subject: Re: URL-Rewriting not working
>
> Hi Francis.
>
> On Sun, Apr 9, 2017 at 8:47 PM, Francis Daly <francis at daoine.org> wrote:
>
>> On Sun, Apr 09, 2017 at 06:36:51PM +0530, Ajay Garg wrote:
>>
>> Hi there,
>>
>> > Got it Francis !!
>>
>> Good news.
>>
>> >                 location / {
>> >                                         auth_basic 'Restricted';
>> >                                         auth_basic_user_file
>> > /home/20da689b45c84f2b80bc84d651ed573f/.htpasswd;
>> >
>> >                                         if ($remote_user =
>> > "20da689b45c84f2b80bc84d651ed573f") {
>> >                                                 proxy_pass
>> > https://127.0.0.1:2000;
>> >                                         }
>> >
>> >                 }
>>
>> When you come to add the second user, you will see that you want one
>> file with all the user/pass details.
>>
>
>
> Yes, I have already changed it to use just one file.
> Upon that, would not just multiple sections of "if" checks for
> $remote_user suffice, something like ::
>
> #########################################################################
> server {
>                 listen 2000 ssl;
>
>                 ssl_certificate /etc/nginx/ssl/nginx.crt;
>                 ssl_certificate_key /etc/nginx/ssl/nginx.key;
>
>                 location / {
>                                         auth_basic 'Restricted';
>                                         auth_basic_user_file
> /etc/nginx/ssl/.htpasswd;
>
>                                         if ($remote_user =  "user1") {
>                                                 proxy_pass
> https://127.0.0.1:2001 <https://127.0.0.1:2000>;
>                                         }
>
>                                         if ($remote_user =  "user2") {
>                                                 proxy_pass
> https://127.0.0.1:2002 <https://127.0.0.1:2000>;
>                                         }
>
>                                        # and so on ....
>
>                 }
>          }
> #########################################################################
>
> Looking forward to hearing back from you.
>
>
> Thanks and Regards,
> Ajay
>
>
>
>
>>
>> You will probably also see that it will be good to use a map
>> (http://nginx.org/r/map) to set a variable for the port to connect to,
>> based on $remote_user. Then your main config becomes just "proxy_pass
>> http://127.0.0.1:$per_user_port;".
>>
>> Note that I have not tested that, and expect that there may be some more
>> subtleties involved, such as perhaps requiring an explicit proxy_redirect
>> directive.
>>
>> Note also that you will probably want to set a default value for
>> $per_user_port, and make sure that something sensible happens when that
>> value is used -- probably a response along the lines of "something isn't
>> fully set up on the server yet; please wait or let us know", so the user
>> is not confused.
>>
>> Good luck with it,
>>
>>         f
>> --
>> Francis Daly        francis at daoine.org
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
>
> --
> Regards,
> Ajay
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>



-- 
Regards,
Ajay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170410/3616061d/attachment-0001.html>

From reallfqq-nginx at yahoo.fr  Mon Apr 10 07:34:13 2017
From: reallfqq-nginx at yahoo.fr (B.R.)
Date: Mon, 10 Apr 2017 09:34:13 +0200
Subject: Mechanism to avoid restarting nginx upon every change
In-Reply-To: <CAHP4M8UpMhOrrybtEiG65=JCDKY54H2tZsDZvjq46fLbrrp0xA@mail.gmail.com>
References: <CAHP4M8U8d6m_xog6pQ2apTs3+NQkhyH7uVSQp5CM2eVMGKX1rQ@mail.gmail.com>
 <3E44F131-8C69-410F-AE08-BFF9E778693C@lucasrolff.com>
 <CAHP4M8UpMhOrrybtEiG65=JCDKY54H2tZsDZvjq46fLbrrp0xA@mail.gmail.com>
Message-ID: <CALqce=0w9XT5+Oyd++9PM7oxXcRc=PgJvctX_dWrP-CLvjQ+ng@mail.gmail.com>

You could have got your answer yourself by Reading The... Fine? Manual:
https://nginx.org/en/docs/control.html

There are tons of interesting pieces of informations there, by the nature
of said docs...
?I suggest you take a look at everything: https://nginx.org/en/docs/?
---
*B. R.*

On Sun, Apr 9, 2017 at 4:25 PM, Ajay Garg <ajaygargnsit at gmail.com> wrote:

> Thanks a ton Lucas.
>
> Just checked reloading, and the previous proxy-session was intact !!
> Thanks a ton again.
>
> And sorry I missed your name in the credits, you too had helped a greate
> deal yesterday, and today too !!
> Thanks a ton again !!!
>
>
> Thanks and Regards,
> Ajay
>
> On Sun, Apr 9, 2017 at 7:29 PM, Lucas Rolff <lucas at lucasrolff.com> wrote:
>
>> Hi Ajay,
>>
>> If you generate the configuration, and issue a nginx reload ? it won't
>> cause any downtime. The master process will reread the configuration, start
>> new workers, and gracefully shut down the old ones.
>> There's absolutely no downtime involved in this process.
>>
>>
>> From: nginx <nginx-bounces at nginx.org> on behalf of Ajay Garg <
>> ajaygargnsit at gmail.com>
>> Reply-To: "nginx at nginx.org" <nginx at nginx.org>
>> Date: Sunday, 9 April 2017 at 15.55
>> To: "nginx at nginx.org" <nginx at nginx.org>
>> Subject: Mechanism to avoid restarting nginx upon every change
>>
>> Hi All.
>>
>> We are wanting to implement a solution, wherein the user gets proxied to
>> the appropriate local-url, depending upon the credentials.
>> Following architecture works like a charm (thanks a ton to
>> francis at daoine.org, without whom I would not have been able to reach
>> here) ::
>>
>> ####################################################
>> server {
>>                 listen 2000 ssl;
>>
>>                 ssl_certificate /etc/nginx/ssl/nginx.crt;
>>                 ssl_certificate_key /etc/nginx/ssl/nginx.key;
>>
>>                 location / {
>>                                         auth_basic 'Restricted';
>>                                         auth_basic_user_file
>> /etc/nginx/ssl/.htpasswd;
>>
>>                                         if ($remote_user =  "user1") {
>>                                                 proxy_pass
>> https://127.0.0.1:2001 <https://127.0.0.1:2000>;
>>                                         }
>>
>>                                         if ($remote_user =  "user2") {
>>                                                 proxy_pass
>> https://127.0.0.1:2002 <https://127.0.0.1:2000>;
>>                                         }
>>
>>                                        # and so on ....
>>
>>                 }
>>          }
>> ####################################################
>>
>>
>> Things are good, except that adding any new user information requires
>> reloading/restarting the nginx server, causing (however small) downtime.
>>
>> Can this be avoided?
>> Can the above be implemented using some sort of database, so that the
>> nginx itself does not have to be down, and the "remote_user <=> proxy_pass"
>> mapping can be retrieved from a database instead?
>>
>> Will be grateful for pointers.
>>
>>
>> Thanks and Regards,
>> Ajay
>>
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
>
> --
> Regards,
> Ajay
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170410/d5d36ba9/attachment.html>

From nginx-forum at forum.nginx.org  Mon Apr 10 08:42:25 2017
From: nginx-forum at forum.nginx.org (zaidahmd)
Date: Mon, 10 Apr 2017 04:42:25 -0400
Subject: Nginx - API Gateway is not forwarding the request to Auth Service
Message-ID: <0a3932e2b3be214dd172c5ffec78b969.NginxMailingListEnglish@forum.nginx.org>

Hi, 

I am trying to implement the NGINX API gateway in nginx 1.10.3 community
version. I am facing the issue that NGINX is not forwarding the request to
authentication service. nginx configuration is pasted at the end of this
thread.

I have written authentication service which is listening for login requests
on /login.
My protected application has no login page and responds with 401 status if
its tried to be accessed without login in authentication service.

Now according to the nginx auth_request module, if the protected applicaiton
throws 401 status then NGINX forwards the request to authentication service
for login and after successful login the request is forwarded back to the
backend server.
BUT, this is not happening for my configuration. When I try to access my
nginx application it is not forwarding the request to auth service. I have
verified this by looking at the response headers which has the custom
sessionid name of protected application only. 

I have checked my installation and it shows that
--with-http_auth_request_module is compiled in my installation 

NGINX Configuraiton :


http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

#	proxy_intercept_errors on;
	
    server {
        listen       8180;

		location /{
			auth_request /login;			
			proxy_pass http://adi-backend;
		}

		location /api {
			auth_request /login;
			proxy_pass http://adi-backend;
		}

		location = /login {
		   proxy_pass http://localhost:8080/login;
		   proxy_pass_request_body off;
		   proxy_set_header Content-Length "";
		   proxy_set_header X-Original-URI $request_uri;
		}
			
		error_page   500 502 503 504  /50x.html;
			location = /50x.html {
			root   html;
		}
	}

	upstream adi-backend {
		server localhost:8280;
   	}
		
	upstream authserv {
		 server localhost:8380;
   	}

}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273515,273515#msg-273515


From mdounin at mdounin.ru  Mon Apr 10 12:12:37 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Mon, 10 Apr 2017 15:12:37 +0300
Subject: Nginx - API Gateway is not forwarding the request to Auth Service
In-Reply-To: <0a3932e2b3be214dd172c5ffec78b969.NginxMailingListEnglish@forum.nginx.org>
References: <0a3932e2b3be214dd172c5ffec78b969.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170410121237.GE13617@mdounin.ru>

Hello!

On Mon, Apr 10, 2017 at 04:42:25AM -0400, zaidahmd wrote:

> I am trying to implement the NGINX API gateway in nginx 1.10.3 community
> version. I am facing the issue that NGINX is not forwarding the request to
> authentication service. nginx configuration is pasted at the end of this
> thread.
> 
> I have written authentication service which is listening for login requests
> on /login.
> My protected application has no login page and responds with 401 status if
> its tried to be accessed without login in authentication service.
> 
> Now according to the nginx auth_request module, if the protected applicaiton
> throws 401 status then NGINX forwards the request to authentication service
> for login and after successful login the request is forwarded back to the
> backend server.

You misunderstood what auth_request does.  Instead, it issues a 
subrequest for every incoming request, and allows further 
processing of the request if and only if the subrequest returns 
200.  No attempts are made to look into the response returned for 
the original request, that is, "protected application".

Quoting the documentation, 
http://nginx.org/en/docs/http/ngx_http_auth_request_module.html:

: The ngx_http_auth_request_module module (1.5.4+) implements 
: client authorization based on the result of a subrequest.
: If the subrequest returns a 2xx response code, the access is 
: allowed. If it returns 401 or 403, the access is denied with the 
: corresponding error code. Any other response code returned by the 
: subrequest is considered an error.

That is, the only thing which is expected to happen in your 
configuration is a subrequest to "/login" for every request.  If 
this subrequest returns 200, access will be allowed for the 
original request.  If it returns anything else, access will be 
denied.

-- 
Maxim Dounin
http://nginx.org/

From pluknet at nginx.com  Mon Apr 10 17:16:54 2017
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Mon, 10 Apr 2017 20:16:54 +0300
Subject: Nginx upstream server certificate verification
In-Reply-To: <b06b5f9db3825d0f84f64ff90e6683e4.NginxMailingListEnglish@forum.nginx.org>
References: <C7DF9D5A-C046-40EF-A8DE-C620C596ECA1@nginx.com>
 <b06b5f9db3825d0f84f64ff90e6683e4.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <ADCF078B-3086-44A8-94ED-C34B33896F84@nginx.com>


> On 6 Apr 2017, at 21:46, shivramg94 <nginx-forum at forum.nginx.org> wrote:
> 
> Thank Sergey, for you response. 
> 
> I have one more question. If I have multiple upstream server host names in
> the upstream server block, then how can I specify the specific upstream
> server host name to which the request is being proxied, in the
> proxy_ssl_name directive?
> 
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273295,273462#msg-273462

You could try to construct proxy_ssl_name based on upstream address, e.g.:

    map $upstream_addr $name {
        ~\Q192.0.2.1:8000\E$ first;
        ~\Q192.0.2.2:8000\E$ second;
    }

    proxy_ssl_name $name;

Note well that $upstream_addr may contain multiple addresses, use it
with a special care.  See for details: http://nginx.org/r/$upstream_addr

-- 
Sergey Kandaurov


From alex at samad.com.au  Mon Apr 10 21:31:05 2017
From: alex at samad.com.au (Alex Samad)
Date: Mon, 10 Apr 2017 21:31:05 +0000
Subject: Mechanism to avoid restarting nginx upon every change
In-Reply-To: <CALqce=0w9XT5+Oyd++9PM7oxXcRc=PgJvctX_dWrP-CLvjQ+ng@mail.gmail.com>
References: <CAHP4M8U8d6m_xog6pQ2apTs3+NQkhyH7uVSQp5CM2eVMGKX1rQ@mail.gmail.com>
 <3E44F131-8C69-410F-AE08-BFF9E778693C@lucasrolff.com>
 <CAHP4M8UpMhOrrybtEiG65=JCDKY54H2tZsDZvjq46fLbrrp0xA@mail.gmail.com>
 <CALqce=0w9XT5+Oyd++9PM7oxXcRc=PgJvctX_dWrP-CLvjQ+ng@mail.gmail.com>
Message-ID: <CAJ+Q1PULKdEzJALkB5gf94Oh4yrL+vtF7Szgwm+EAXK2DpA5QA@mail.gmail.com>

But long live sessions are closed and I've had lua session information
persist with a reload. Needed a restart

A
On Sun, 9 Apr 2017 at 21:35, B.R. via nginx <nginx at nginx.org> wrote:

> You could have got your answer yourself by Reading The... Fine? Manual:
> https://nginx.org/en/docs/control.html
>
> There are tons of interesting pieces of informations there, by the nature
> of said docs...
> ?I suggest you take a look at everything: https://nginx.org/en/docs/?
> ---
> *B. R.*
>
> On Sun, Apr 9, 2017 at 4:25 PM, Ajay Garg <ajaygargnsit at gmail.com> wrote:
>
> Thanks a ton Lucas.
>
> Just checked reloading, and the previous proxy-session was intact !!
> Thanks a ton again.
>
> And sorry I missed your name in the credits, you too had helped a greate
> deal yesterday, and today too !!
> Thanks a ton again !!!
>
>
> Thanks and Regards,
> Ajay
>
> On Sun, Apr 9, 2017 at 7:29 PM, Lucas Rolff <lucas at lucasrolff.com> wrote:
>
> Hi Ajay,
>
> If you generate the configuration, and issue a nginx reload ? it won't
> cause any downtime. The master process will reread the configuration, start
> new workers, and gracefully shut down the old ones.
> There's absolutely no downtime involved in this process.
>
>
> From: nginx <nginx-bounces at nginx.org> on behalf of Ajay Garg <
> ajaygargnsit at gmail.com>
> Reply-To: "nginx at nginx.org" <nginx at nginx.org>
> Date: Sunday, 9 April 2017 at 15.55
> To: "nginx at nginx.org" <nginx at nginx.org>
> Subject: Mechanism to avoid restarting nginx upon every change
>
> Hi All.
>
> We are wanting to implement a solution, wherein the user gets proxied to
> the appropriate local-url, depending upon the credentials.
> Following architecture works like a charm (thanks a ton to
> francis at daoine.org, without whom I would not have been able to reach
> here) ::
>
> ####################################################
> server {
>                 listen 2000 ssl;
>
>                 ssl_certificate /etc/nginx/ssl/nginx.crt;
>                 ssl_certificate_key /etc/nginx/ssl/nginx.key;
>
>                 location / {
>                                         auth_basic 'Restricted';
>                                         auth_basic_user_file
> /etc/nginx/ssl/.htpasswd;
>
>                                         if ($remote_user =  "user1") {
>                                                 proxy_pass
> https://127.0.0.1:2001 <https://127.0.0.1:2000>;
>                                         }
>
>                                         if ($remote_user =  "user2") {
>                                                 proxy_pass
> https://127.0.0.1:2002 <https://127.0.0.1:2000>;
>                                         }
>
>                                        # and so on ....
>
>                 }
>          }
> ####################################################
>
>
> Things are good, except that adding any new user information requires
> reloading/restarting the nginx server, causing (however small) downtime.
>
> Can this be avoided?
> Can the above be implemented using some sort of database, so that the
> nginx itself does not have to be down, and the "remote_user <=> proxy_pass"
> mapping can be retrieved from a database instead?
>
> Will be grateful for pointers.
>
>
> Thanks and Regards,
> Ajay
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
>
>
>
> --
> Regards,
> Ajay
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170410/70ece915/attachment.html>

From nginx-forum at forum.nginx.org  Tue Apr 11 06:04:32 2017
From: nginx-forum at forum.nginx.org (zaidahmd)
Date: Tue, 11 Apr 2017 02:04:32 -0400
Subject: Nginx - API Gateway is not forwarding the request to Auth Service
In-Reply-To: <20170410121237.GE13617@mdounin.ru>
References: <20170410121237.GE13617@mdounin.ru>
Message-ID: <8813de41ce25c3c7744f12067e51f9c8.NginxMailingListEnglish@forum.nginx.org>

Hi Maxim,

Thanks for the response.

As you said below,

> Instead, it issues a 
> subrequest for every incoming request, and allows further 
> processing of the request if and only if the subrequest returns 
> 200.

This means my authentication service will be getting a subrequest to /login
everytime a request reaches nginx. And if the subrequest returns 401 then it
means the user needs to login. So kindly help me that how can I show a login
page if a subrequest throws 401 ? My authentication service is sending a
redirect in response alongwith the 401 status? 

When I access my authentication service directly from browser without a
logged-in session id, my browser is getting a 401 with redirect to /login
which is login page. I want this same behaviour in my NGINX API gateway i.e.
NGINX sends each request to API gateway if the request needs to be logged in
a login page should be shown otherwise let the request access the resource.
And I followed the nginx auth_request user guide to configure this as I
showed my config in first thread.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273515,273523#msg-273523


From nginx-forum at forum.nginx.org  Tue Apr 11 07:51:37 2017
From: nginx-forum at forum.nginx.org (zaidahmd)
Date: Tue, 11 Apr 2017 03:51:37 -0400
Subject: Nginx - API Gateway is not forwarding the request to Auth Service
In-Reply-To: <8813de41ce25c3c7744f12067e51f9c8.NginxMailingListEnglish@forum.nginx.org>
References: <20170410121237.GE13617@mdounin.ru>
 <8813de41ce25c3c7744f12067e51f9c8.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <b6b9694c8ad3c5157f44997e748213b0.NginxMailingListEnglish@forum.nginx.org>

Hi maxim,

After implementing your valuable inputs I came across the following error in
my application.
Error: "Request 'GET /login' doesn't match 'POST /login"

  this means that nginx is sending GET requests to authentication service.

So the flow is as follows and is according to your valuable feedback.

1. I typed the nginx URL in browser "http://localhost:8180/api"
2. NGINX forwarded the request to "http://localhost:8080/login"
3. I get the above error in my auth service i.e "Request 'GET /login'
doesn't match 'POST /login"

This forwarded request to auth service should be a POST login

Alternatively, 
if I type "http://localhost:8180/login", which is also a NGINX location, I
am able to see login page of my auth service.

I want the same for other nginx locaitons i.e. if the request is not
authenticated show login page of auth service. get the user authenticated
and then forward the requests to upstream server.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273515,273524#msg-273524


From nginx-forum at forum.nginx.org  Tue Apr 11 08:28:54 2017
From: nginx-forum at forum.nginx.org (comput3rz)
Date: Tue, 11 Apr 2017 04:28:54 -0400
Subject: [ Module development - Socket ]
Message-ID: <f9f43fe64b42a809f5708e70886f46b2.NginxMailingListEnglish@forum.nginx.org>

Hi,

I need to develop a module which make a connexion with an external server. I
tried to use simple TCP sockets available  

in the "sys/socket.h" (Linux) library but it appears that it wasn't a good
idea as nothing was working correctly. 

Then, I searched in the source code keywords like "connection, socket" and I
found the "ngx_connection.h" file which I 

suppose, is the API to be used if I want to do an external connection.
Looking on the web for tutorials/resources using

this API I found nothing more than unanswered stackoverflow threads...

I'm pretty sure that including "sys/socket.h" into nginx is not the good
solution as it makes ugly code and broke the pipes 

system which makes nginx so fast, could you please help me to find a
solution ? 

Regards, 

XXX

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273525,273525#msg-273525


From reallfqq-nginx at yahoo.fr  Tue Apr 11 11:15:20 2017
From: reallfqq-nginx at yahoo.fr (B.R.)
Date: Tue, 11 Apr 2017 13:15:20 +0200
Subject: Mechanism to avoid restarting nginx upon every change
In-Reply-To: <CAJ+Q1PULKdEzJALkB5gf94Oh4yrL+vtF7Szgwm+EAXK2DpA5QA@mail.gmail.com>
References: <CAHP4M8U8d6m_xog6pQ2apTs3+NQkhyH7uVSQp5CM2eVMGKX1rQ@mail.gmail.com>
 <3E44F131-8C69-410F-AE08-BFF9E778693C@lucasrolff.com>
 <CAHP4M8UpMhOrrybtEiG65=JCDKY54H2tZsDZvjq46fLbrrp0xA@mail.gmail.com>
 <CALqce=0w9XT5+Oyd++9PM7oxXcRc=PgJvctX_dWrP-CLvjQ+ng@mail.gmail.com>
 <CAJ+Q1PULKdEzJALkB5gf94Oh4yrL+vtF7Szgwm+EAXK2DpA5QA@mail.gmail.com>
Message-ID: <CALqce=2oZ2ZM1yxzUjh54tQgZmx=dGPMzsEdnPeZCBXca2mDHQ@mail.gmail.com>

I do not know anything about third-party modules. I'll let experts on the
lua one answering that one.
The baseline is: you should not need to.
---
*B. R.*

On Mon, Apr 10, 2017 at 11:31 PM, Alex Samad <alex at samad.com.au> wrote:

> But long live sessions are closed and I've had lua session information
> persist with a reload. Needed a restart
>
> A
> On Sun, 9 Apr 2017 at 21:35, B.R. via nginx <nginx at nginx.org> wrote:
>
>> You could have got your answer yourself by Reading The... Fine? Manual:
>> https://nginx.org/en/docs/control.html
>>
>> There are tons of interesting pieces of informations there, by the nature
>> of said docs...
>> ?I suggest you take a look at everything: https://nginx.org/en/docs/?
>> ---
>> *B. R.*
>>
>> On Sun, Apr 9, 2017 at 4:25 PM, Ajay Garg <ajaygargnsit at gmail.com> wrote:
>>
>> Thanks a ton Lucas.
>>
>> Just checked reloading, and the previous proxy-session was intact !!
>> Thanks a ton again.
>>
>> And sorry I missed your name in the credits, you too had helped a greate
>> deal yesterday, and today too !!
>> Thanks a ton again !!!
>>
>>
>> Thanks and Regards,
>> Ajay
>>
>> On Sun, Apr 9, 2017 at 7:29 PM, Lucas Rolff <lucas at lucasrolff.com> wrote:
>>
>> Hi Ajay,
>>
>> If you generate the configuration, and issue a nginx reload ? it won't
>> cause any downtime. The master process will reread the configuration, start
>> new workers, and gracefully shut down the old ones.
>> There's absolutely no downtime involved in this process.
>>
>>
>> From: nginx <nginx-bounces at nginx.org> on behalf of Ajay Garg <
>> ajaygargnsit at gmail.com>
>> Reply-To: "nginx at nginx.org" <nginx at nginx.org>
>> Date: Sunday, 9 April 2017 at 15.55
>> To: "nginx at nginx.org" <nginx at nginx.org>
>> Subject: Mechanism to avoid restarting nginx upon every change
>>
>> Hi All.
>>
>> We are wanting to implement a solution, wherein the user gets proxied to
>> the appropriate local-url, depending upon the credentials.
>> Following architecture works like a charm (thanks a ton to
>> francis at daoine.org, without whom I would not have been able to reach
>> here) ::
>>
>> ####################################################
>> server {
>>                 listen 2000 ssl;
>>
>>                 ssl_certificate /etc/nginx/ssl/nginx.crt;
>>                 ssl_certificate_key /etc/nginx/ssl/nginx.key;
>>
>>                 location / {
>>                                         auth_basic 'Restricted';
>>                                         auth_basic_user_file
>> /etc/nginx/ssl/.htpasswd;
>>
>>                                         if ($remote_user =  "user1") {
>>                                                 proxy_pass
>> https://127.0.0.1:2001 <https://127.0.0.1:2000>;
>>                                         }
>>
>>                                         if ($remote_user =  "user2") {
>>                                                 proxy_pass
>> https://127.0.0.1:2002 <https://127.0.0.1:2000>;
>>                                         }
>>
>>                                        # and so on ....
>>
>>                 }
>>          }
>> ####################################################
>>
>>
>> Things are good, except that adding any new user information requires
>> reloading/restarting the nginx server, causing (however small) downtime.
>>
>> Can this be avoided?
>> Can the above be implemented using some sort of database, so that the
>> nginx itself does not have to be down, and the "remote_user <=> proxy_pass"
>> mapping can be retrieved from a database instead?
>>
>> Will be grateful for pointers.
>>
>>
>> Thanks and Regards,
>> Ajay
>>
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>>
>>
>>
>> --
>> Regards,
>> Ajay
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170411/167f8b3a/attachment-0001.html>

From francis at daoine.org  Tue Apr 11 11:48:26 2017
From: francis at daoine.org (Francis Daly)
Date: Tue, 11 Apr 2017 12:48:26 +0100
Subject: Nginx - API Gateway is not forwarding the request to Auth Service
In-Reply-To: <8813de41ce25c3c7744f12067e51f9c8.NginxMailingListEnglish@forum.nginx.org>
References: <20170410121237.GE13617@mdounin.ru>
 <8813de41ce25c3c7744f12067e51f9c8.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170411114826.GN3428@daoine.org>

On Tue, Apr 11, 2017 at 02:04:32AM -0400, zaidahmd wrote:

Hi there,

> This means my authentication service will be getting a subrequest to /login
> everytime a request reaches nginx. And if the subrequest returns 401 then it
> means the user needs to login.

I'm not sure what your system design is, but it sounds like it may not
match the nginx auth_request design.

If your application does its own authentication, then you possibly do
not need nginx auth_request at all.

Do things work for you if the nginx side is just "proxy_pass"?

And, out of interest, which nginx auth_request user guide did you use
for inspiration? It may be that that document can be improved for the
next person.

Cheers,

	f
-- 
Francis Daly        francis at daoine.org

From mdounin at mdounin.ru  Tue Apr 11 14:10:16 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 11 Apr 2017 17:10:16 +0300
Subject: [ Module development - Socket ]
In-Reply-To: <f9f43fe64b42a809f5708e70886f46b2.NginxMailingListEnglish@forum.nginx.org>
References: <f9f43fe64b42a809f5708e70886f46b2.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170411141016.GK13617@mdounin.ru>

Hello!

On Tue, Apr 11, 2017 at 04:28:54AM -0400, comput3rz wrote:

> Hi,
> 
> I need to develop a module which make a connexion with an external server. I
> tried to use simple TCP sockets available  
> 
> in the "sys/socket.h" (Linux) library but it appears that it wasn't a good
> idea as nothing was working correctly. 
> 
> Then, I searched in the source code keywords like "connection, socket" and I
> found the "ngx_connection.h" file which I 
> 
> suppose, is the API to be used if I want to do an external connection.
> Looking on the web for tutorials/resources using
> 
> this API I found nothing more than unanswered stackoverflow threads...
> 
> I'm pretty sure that including "sys/socket.h" into nginx is not the good
> solution as it makes ugly code and broke the pipes 
> 
> system which makes nginx so fast, could you please help me to find a
> solution ? 

Try looking into src/http/ngx_http_upstream.c for the upstream 
module implementation, the base module used by proxy and other 
modules which talk to backend servers.  Basically, you are 
expected to use the ngx_event_connect_peer() function to connect 
to an external server, and then use appropriate event handling.

Additional and probably simplier examples can be found in the 
mail module (src/mail/ngx_mail_auth_http_module.c, 
src/mail/ngx_mail_proxy_module.c), the stream module 
(src/stream/ngx_stream_proxy_module.c), as well as in OCSP 
stapling code (src/event/ngx_event_openssl_stapling.c).

-- 
Maxim Dounin
http://nginx.org/

From nginx-forum at forum.nginx.org  Tue Apr 11 14:19:34 2017
From: nginx-forum at forum.nginx.org (comput3rz)
Date: Tue, 11 Apr 2017 10:19:34 -0400
Subject: [ Module development - Socket ]
In-Reply-To: <20170411141016.GK13617@mdounin.ru>
References: <20170411141016.GK13617@mdounin.ru>
Message-ID: <5dcba18270215da85cbf10f641ade268.NginxMailingListEnglish@forum.nginx.org>

Thanks Maxim ! =)

I found what I was looking for.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273525,273532#msg-273532


From mdounin at mdounin.ru  Tue Apr 11 15:31:10 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 11 Apr 2017 18:31:10 +0300
Subject: Ticket #196 followup: disallow spaces in uri by default
In-Reply-To: <VI1PR08MB120000E505BD597B7321CB14ED0F0@VI1PR08MB1200.eurprd08.prod.outlook.com>
References: <VI1PR08MB120000E505BD597B7321CB14ED0F0@VI1PR08MB1200.eurprd08.prod.outlook.com>
Message-ID: <20170411153110.GL13617@mdounin.ru>

Hello!

On Sat, Apr 08, 2017 at 07:26:01PM +0000, Lukas Tribus wrote:

> in Ticket #196 [1], Maxim Dounin suggested that spaces in URI's 
> could be disallowed by default.
> 
> As far as I can tell, current code still does not "disallow" 
> those requests (not by default and not via specific 
> configuration either), is that correct?

Yes.  There were no changes in this area.

> Could this be improved, as per the suggestion in the ticket?

I think it is something to be considered in 1.13.x timeframe, as 
we have some plans to look into HTTP parser anyway.

I think the main question here: is it ok to just drop support for 
spaces, or we have to introduce some option to preserve the old 
behaviour.

-- 
Maxim Dounin
http://nginx.org/

From luky-37 at hotmail.com  Tue Apr 11 16:22:29 2017
From: luky-37 at hotmail.com (Lukas Tribus)
Date: Tue, 11 Apr 2017 16:22:29 +0000
Subject: AW: Ticket #196 followup: disallow spaces in uri by default
In-Reply-To: <20170411153110.GL13617@mdounin.ru>
References: <VI1PR08MB120000E505BD597B7321CB14ED0F0@VI1PR08MB1200.eurprd08.prod.outlook.com>,
 <20170411153110.GL13617@mdounin.ru>
Message-ID: <VI1PR08MB12003631B67FD40886B045BCED000@VI1PR08MB1200.eurprd08.prod.outlook.com>

> I think the main question here: is it ok to just drop support for 
> spaces, or we have to introduce some option to preserve the old 
> behaviour.

My opinion: I think we will need the configuration knob, so there is time
to fix the problem, as a client bug is not always immediatly fixable.

Either that or we do it like Apache (returning file abc when the request
is GET /abc xyz HTTP/1.1), but that is still inconsistent and I don't like
it personally.


Thanks,
Lukas

From shirley at nginx.com  Tue Apr 11 16:26:19 2017
From: shirley at nginx.com (Shirley Bailes)
Date: Tue, 11 Apr 2017 09:26:19 -0700
Subject: =?UTF-8?Q?nginx=2Econf_2017=3A_Call_For_Papers_Now_Open_=E2=80=93_Submit_a?=
 =?UTF-8?Q?_Talk!?=
Message-ID: <CAOLajL7NPO6VptCS5cyLDmiNPo1c_rStOEP6QfBxL+ZoNYqvDw@mail.gmail.com>

Hello NGINX community ?

We?re excited to announce that the call for proposals for the fourth
NGINX conference, nginx.conf 2017 <https://www.nginx.com/nginxconf/>
is open. Please submit a talk, and share the CFP
<https://nginxconf17.busyconf.com/proposals/new> with those you know
who have good NGINX stories to share.

*Deadline to submit: 11:59PM PT, May 8, 2017.*

Our goal each year is to help attendees learn about NGINX use cases,
insights, and best practices from real-world experts like you. This
year, our theme is 'Architect the Future'. Tell us how you envision
using NGINX with tomorrow's applications, or check out the suggested
topics below for inspiration on the types of talks we?re looking for:


   - Architecture & Development
   - High-Performance Web
   - Operations & Deployment
   - Case Studies

*Conference details: *

   - nginx.conf 2017 <https://www.nginx.com/nginxconf/> will be held
in Portland, OR
   - Venue: The Nines Hotel
   - Dates: September 6-8
   - Twitter: #nginxconf

Let us know if you have any questions. Otherwise, we look forward to
reading the stories you have to share.

*s


Shirley Bailes
Director, Event Marketing
Mobile: 707.569.4888 <//707.569.4888>
<https://nginx.com/>
<https://www.linkedin.com/in/shirleybailes>
<https://twitter.com/shirleybailes>  <https://www.facebook.com/nginxinc>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170411/044dd66a/attachment.html>

From ajaygargnsit at gmail.com  Wed Apr 12 04:08:01 2017
From: ajaygargnsit at gmail.com (Ajay Garg)
Date: Wed, 12 Apr 2017 09:38:01 +0530
Subject: Mechanism to avoid restarting nginx upon every change
In-Reply-To: <CALqce=0w9XT5+Oyd++9PM7oxXcRc=PgJvctX_dWrP-CLvjQ+ng@mail.gmail.com>
References: <CAHP4M8U8d6m_xog6pQ2apTs3+NQkhyH7uVSQp5CM2eVMGKX1rQ@mail.gmail.com>
 <3E44F131-8C69-410F-AE08-BFF9E778693C@lucasrolff.com>
 <CAHP4M8UpMhOrrybtEiG65=JCDKY54H2tZsDZvjq46fLbrrp0xA@mail.gmail.com>
 <CALqce=0w9XT5+Oyd++9PM7oxXcRc=PgJvctX_dWrP-CLvjQ+ng@mail.gmail.com>
Message-ID: <CAHP4M8VfvKGE6++gPgkLvXCDA90MW6aU3_8Q1c7CZgG_8L5JSQ@mail.gmail.com>

On Mon, Apr 10, 2017 at 1:04 PM, B.R. via nginx <nginx at nginx.org> wrote:

> You could have got your answer yourself by Reading The... Fine? Manual:
> https://nginx.org/en/docs/control.html
>
> There are tons of interesting pieces of informations there, by the nature
> of said docs...
> ?I suggest you take a look at everything: https://nginx.org/en/docs/?
>

Thanks B.R., I surely will !!


> ---
> *B. R.*
>
> On Sun, Apr 9, 2017 at 4:25 PM, Ajay Garg <ajaygargnsit at gmail.com> wrote:
>
>> Thanks a ton Lucas.
>>
>> Just checked reloading, and the previous proxy-session was intact !!
>> Thanks a ton again.
>>
>> And sorry I missed your name in the credits, you too had helped a greate
>> deal yesterday, and today too !!
>> Thanks a ton again !!!
>>
>>
>> Thanks and Regards,
>> Ajay
>>
>> On Sun, Apr 9, 2017 at 7:29 PM, Lucas Rolff <lucas at lucasrolff.com> wrote:
>>
>>> Hi Ajay,
>>>
>>> If you generate the configuration, and issue a nginx reload ? it won't
>>> cause any downtime. The master process will reread the configuration, start
>>> new workers, and gracefully shut down the old ones.
>>> There's absolutely no downtime involved in this process.
>>>
>>>
>>> From: nginx <nginx-bounces at nginx.org> on behalf of Ajay Garg <
>>> ajaygargnsit at gmail.com>
>>> Reply-To: "nginx at nginx.org" <nginx at nginx.org>
>>> Date: Sunday, 9 April 2017 at 15.55
>>> To: "nginx at nginx.org" <nginx at nginx.org>
>>> Subject: Mechanism to avoid restarting nginx upon every change
>>>
>>> Hi All.
>>>
>>> We are wanting to implement a solution, wherein the user gets proxied to
>>> the appropriate local-url, depending upon the credentials.
>>> Following architecture works like a charm (thanks a ton to
>>> francis at daoine.org, without whom I would not have been able to reach
>>> here) ::
>>>
>>> ####################################################
>>> server {
>>>                 listen 2000 ssl;
>>>
>>>                 ssl_certificate /etc/nginx/ssl/nginx.crt;
>>>                 ssl_certificate_key /etc/nginx/ssl/nginx.key;
>>>
>>>                 location / {
>>>                                         auth_basic 'Restricted';
>>>                                         auth_basic_user_file
>>> /etc/nginx/ssl/.htpasswd;
>>>
>>>                                         if ($remote_user =  "user1") {
>>>                                                 proxy_pass
>>> https://127.0.0.1:2001 <https://127.0.0.1:2000>;
>>>                                         }
>>>
>>>                                         if ($remote_user =  "user2") {
>>>                                                 proxy_pass
>>> https://127.0.0.1:2002 <https://127.0.0.1:2000>;
>>>                                         }
>>>
>>>                                        # and so on ....
>>>
>>>                 }
>>>          }
>>> ####################################################
>>>
>>>
>>> Things are good, except that adding any new user information requires
>>> reloading/restarting the nginx server, causing (however small) downtime.
>>>
>>> Can this be avoided?
>>> Can the above be implemented using some sort of database, so that the
>>> nginx itself does not have to be down, and the "remote_user <=> proxy_pass"
>>> mapping can be retrieved from a database instead?
>>>
>>> Will be grateful for pointers.
>>>
>>>
>>> Thanks and Regards,
>>> Ajay
>>>
>>>
>>> _______________________________________________
>>> nginx mailing list
>>> nginx at nginx.org
>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>
>>
>>
>>
>> --
>> Regards,
>> Ajay
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>



-- 
Regards,
Ajay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170412/f522e2f6/attachment-0001.html>

From igal at lucee.org  Wed Apr 12 04:37:46 2017
From: igal at lucee.org (Igal @ Lucee.org)
Date: Tue, 11 Apr 2017 21:37:46 -0700
Subject: Windows 1024 Connections Limit
Message-ID: <4a2fed45-af88-e2b8-1e7a-ebac7d3864ad@lucee.org>

Is there a technical reason for the 1,024 Connections Limit on Windows?

http://nginx.org/en/docs/windows.html#known_issues

Surely the OS can handle many more connections than that.

This is not much of an issue with regular requests, but when you use 
WebSockets you can run out of connections very fast.

Thanks,


Igal Sapir
Lucee Core Developer
Lucee.org <http://lucee.org/>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170411/26bd10a9/attachment.html>

From ajaygargnsit at gmail.com  Wed Apr 12 07:08:19 2017
From: ajaygargnsit at gmail.com (Ajay Garg)
Date: Wed, 12 Apr 2017 12:38:19 +0530
Subject: Multiple "channels" on forwarded port (with a ssh-reverse-tunnel
 behind)
Message-ID: <CAHP4M8UBGds3R_DM_NTS5QJ+V6BV4p8Qk7KZdNn3qosj7gaQ0Q@mail.gmail.com>

Hi All.

Let's say, we have a server-block like

########################################################################
server {
                listen 2001 ssl;

                ssl_certificate /etc/nginx/ssl/nginx.crt;
                ssl_certificate_key /etc/nginx/ssl/nginx.key;

                location / {
                                        auth_basic 'Restricted';
                                        auth_basic_user_file /home/
20da689b45c84f2b80bc84d651ed573f/.htpasswd;

                                        if ($remote_user =  "
20da689b45c84f2b80bc84d651ed573f") {
                                                proxy_pass
https://127.0.0.1:2000;
                                        }

                }
        }
########################################################################


and when a user opens the browser window. she authenticates, and is
appropriately forwarded to port 2000 on the server.
This port (2000) is in a LISTENING state on the server, created via a
ssh-reverse-tunnel, through the command

            sshpass -p password ssh -N -R 0.0.0.0:2000:192.168.1.1:443
user at 1.2.3.4

from the remote-machine.

Things work fine if only one user is forwarded to port 2000.
However, I observe that if a second user logs into the server and provides
the same auth-credentials, a 502-Bad-Gateway error is observed 99% of the
times.

Is this expected?
Does the forwarding over a ssh-reverse-tunnelled-port work reliably only if
one user is forwarded to the port?

I am sorry if I am posting to the wrong list, not sure if this is a
question related to nginx or ssh-reverse-tunnelling in general.
Will be great to hear thoughts/experiences from the experts.


Thanks and Regards,
Ajay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170412/69f37daa/attachment.html>

From nginx-forum at forum.nginx.org  Wed Apr 12 09:50:56 2017
From: nginx-forum at forum.nginx.org (zaidahmd)
Date: Wed, 12 Apr 2017 05:50:56 -0400
Subject: Nginx - API Gateway is not forwarding the request to Auth Service
In-Reply-To: <20170411114826.GN3428@daoine.org>
References: <20170411114826.GN3428@daoine.org>
Message-ID: <d3a7761824ce7079184357f1c5a14bef.NginxMailingListEnglish@forum.nginx.org>

Hi Francis,

Thanks for your interest. I would certainly like to contribute for the
future implementers of NGINX reverse proxy with API gateway functionality.
Below I will explain my application with NGINX configuration I have
performed and the code snippets/references for future users. If you like I
can share my working sample application also as starter guide for custom
java authentication gateway.

Secondly, I am able to complete my configuraiton successfully and got it
working and now in testing and expanding the functionality.

1. I have two Java applications written in Spring MVC framework. Both
applications are as follows
           a. Secure Gateway
           b. Protected Application(s)
2. Client sends a request to nginx to access protected resource.
http://nginx-server/employee

3. Nginx intercepts the request and first, sends the request to "Secure
Gateway" for authentication. http://secure-gw/authenticate
**************************************************************************
		location /api {
			auth_request /authenticate;
			proxy_pass http://protected;
		}

		location = /authenticate {
			proxy_pass http://secure-gw;
		}
***************************************************************************

4. If the user is NOT a logged in user "Secure Gateway" throws a 401
exception. Otherwise 200 ok is sent as a response and NGINX forwards the
request to "Protected Application" which returns the "employee"
resource/page.

5. NGINX is configured to capture the error "401" and redirect the request
to login page of SecureGateway using a location configured to cater 401
responses.
***************************************************************************
		location =/authfull {
			proxy_pass http://secure-gw/authenticate;
			proxy_pass_request_body off;
			proxy_set_header Content-Length "";
			proxy_set_header X-Original-URI $request_uri;
		}

		error_page   401 authfull;
***************************************************************************

6. User inputs the credential into login page and submits the request to
NGINX's location "/authenticate" using URL
"http://nginx-server/authenticate". 

7. "/authenticate" location is configured to forward the requests to "Secure
Gateway" application without removing the request body i.e. carries the
username and password from the form login page.

8(a)**. After successful login a token or session-id is generated and is
stored in a common session store which is also accessible to the "Protected
Application".
8(b)**. After successful login in "Secure Gateway" the secure gateway
application sends an internal login request to "Protected Application" and
gets the cookie response. Secure Gateway places two sessionIds(with
different name) in response cookies and sends the response back to NGINX
with HTTP 200 OK status.

9. NGINX forwards the authenticated/authorized requests to the "Protected
Application"

10. "Protected Application" checks the presence of session id in cookie,
validates the cookie and if valid, serves the request.

11. After the first request, whenever the user sends a new request to NGINX
for a protected application resource, NGINX sends a subrequest to
"/authenticate" location, "Secure Gateway" verifies its session id in cookie
and if valid, nginx forwards the request to "Protected applicaiton" which
also verifies the login session-id or token and serves the request if valid
session. After frst request Secure Gateway only checks for the validity of
its own session information. This time Secure Gateway will NOT send internal
requests to Protected application.

***********************************************Image Reference of
Design:*********************************
URL : http://tinypic.com/r/35a2lbp/9

This image is missing one thing that its not showing the internal login
request from secure gateway to protected application. For info, this request
is made only once when the user is not a logged in user to secure gateway
application. All subsequent requests does not involve this internal request
flow.

**********************************************NGINX
Configuration***********************************************
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

	proxy_intercept_errors on;
	
    server {
        listen       8180;

		location /{
			auth_request /authenticate;
			proxy_pass http://protected;			
		}

		location = /authenticate {
			proxy_pass http://secure-gw;
		}
		location =/authfull {
			proxy_pass http://secure-gw/authenticate;
			proxy_pass_request_body off;
			proxy_set_header Content-Length "";
			proxy_set_header X-Original-URI $request_uri;
		}
		error_page   401 authfull;
	}

	upstream protected {
		server localhost:8280;
   	}
		
	upstream secure-gw {
		 server localhost:8080;
   	}

}
**********************************************************************Secure
Gateway - SPRING MVC Security
Configs********************************************
	@Override
	protected void configure(HttpSecurity http) throws Exception {
		
        http
        .authorizeRequests()
            .antMatchers("/authenticate").permitAll()
            .anyRequest().authenticated()
            .and()
        .formLogin()
        	.successHandler(successHandler)
            .loginPage("/authenticate")
            .failureHandler(failureHandler)
            .permitAll()
                     .and().csrf().disable();;
	}

************************************************************UI Login
Form********************************

        <form th:action="@{/authenticate}" method="post">
            <div><label> User Name : <input type="text" name="username"/>
</label></div>
            <div><label> Password: <input type="password" name="password"/>
</label></div>
            <div><input type="submit" value="Sign In"/></div>
        </form>

********************************************************************Protected
Resource - Security Configs ***********************************************
	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http.authorizeRequests().anyRequest().authenticated().and().formLogin()
				.successHandler(authenticationSuccessHandler).failureHandler(authenticationFailureHandler).and()
				.logout().permitAll().and().exceptionHandling().accessDeniedHandler(accessDeniedHandler())
				.authenticationEntryPoint(authenticationEntryPoint).and().csrf().disable();
	}
****************************************************************************************************************************************************************


Hope, I am able to clarify what I am doing. I can share the sample code if
you think its requried.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273515,273544#msg-273544


From nginx-forum at forum.nginx.org  Wed Apr 12 11:40:25 2017
From: nginx-forum at forum.nginx.org (zaidahmd)
Date: Wed, 12 Apr 2017 07:40:25 -0400
Subject: How to Edit/Delete own posted reply or topic
Message-ID: <c9b20833d79c60a08901067b72ad2ea6.NginxMailingListEnglish@forum.nginx.org>

Hi,

I need to edit one reply to a topic in this list and need to know how to
perform it. I cannot see any edit or delete button.

I have been using stackoverflow where edits and delete is allowed to the
users.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273547,273547#msg-273547


From ajaygargnsit at gmail.com  Wed Apr 12 12:43:19 2017
From: ajaygargnsit at gmail.com (Ajay Garg)
Date: Wed, 12 Apr 2017 18:13:19 +0530
Subject: Unable to resolve the "Access-Control-Allow-Origin" issue
Message-ID: <CAHP4M8Xk397qNFP_sJSi0u9ETo0MKmShzkXWuLDEOcA5LxHMMQ@mail.gmail.com>

Hi All.

We are facing the following issue :

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the
remote resource at https://1.2.3.4/. (Reason: CORS header 'Access-Control-
Allow-Origin' missing).

Have tried everything I could find on the google, but nothing works
(whatever I do in /etc/nginx/sites-available/default)


So, first question first, is it even possible to solve this issue on the
version, as per the information below ::

########################################################
nginx -V
nginx version: nginx/1.4.6 (Ubuntu)
built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.3)
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Werror=format-security
-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro'
--prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf
--http-log-path=/var/log/nginx/access.log
--error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock
--pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi
--http-proxy-temp-path=/var/lib/nginx/proxy
--http-scgi-temp-path=/var/lib/nginx/scgi
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit
--with-ipv6 --with-http_ssl_module --with-http_stub_status_module
--with-http_realip_module --with-http_addition_module
--with-http_dav_module --with-http_flv_module --with-http_geoip_module
--with-http_gzip_static_module --with-http_image_filter_module
--with-http_mp4_module --with-http_perl_module
--with-http_random_index_module --with-http_secure_link_module
--with-http_spdy_module --with-http_sub_module --with-http_xslt_module
--with-mail --with-mail_ssl_module
--add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/headers-more-nginx-module
--add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-auth-pam
--add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-cache-purge
--add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-dav-ext-module
--add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-development-kit
--add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-echo
--add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/ngx-fancyindex
--add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-http-push
--add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-lua
--add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-upload-progress
--add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-upstream-fair
--add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/ngx_http_substitutions_filter_module
##########################################################



Thanks and Regards,
Ajay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170412/c15e43e7/attachment.html>

From ajaygargnsit at gmail.com  Wed Apr 12 12:51:56 2017
From: ajaygargnsit at gmail.com (Ajay Garg)
Date: Wed, 12 Apr 2017 18:21:56 +0530
Subject: Multiple "channels" on forwarded port (with a ssh-reverse-tunnel
 behind)
In-Reply-To: <CAHP4M8UBGds3R_DM_NTS5QJ+V6BV4p8Qk7KZdNn3qosj7gaQ0Q@mail.gmail.com>
References: <CAHP4M8UBGds3R_DM_NTS5QJ+V6BV4p8Qk7KZdNn3qosj7gaQ0Q@mail.gmail.com>
Message-ID: <CAHP4M8UVcOpHGgCJAMyPFTH4sAoSqNb3iDWf9mVSnkBmi2dusg@mail.gmail.com>

Sorry for the idiotic question.

Just checked, multiple sockets are created on each side of the ssh-reverse
tunnel.
So, seems the 502-Bad-Gateway error is due to other (network-slowness)
issues.

Sorry again.


Thanks and Regards,
Ajay

On Wed, Apr 12, 2017 at 12:38 PM, Ajay Garg <ajaygargnsit at gmail.com> wrote:

> Hi All.
>
> Let's say, we have a server-block like
>
> ########################################################################
> server {
>                 listen 2001 ssl;
>
>                 ssl_certificate /etc/nginx/ssl/nginx.crt;
>                 ssl_certificate_key /etc/nginx/ssl/nginx.key;
>
>                 location / {
>                                         auth_basic 'Restricted';
>                                         auth_basic_user_file
> /home/20da689b45c84f2b80bc84d651ed573f/.htpasswd;
>
>                                         if ($remote_user =
> "20da689b45c84f2b80bc84d651ed573f") {
>                                                 proxy_pass
> https://127.0.0.1:2000;
>                                         }
>
>                 }
>         }
> ########################################################################
>
>
> and when a user opens the browser window. she authenticates, and is
> appropriately forwarded to port 2000 on the server.
> This port (2000) is in a LISTENING state on the server, created via a
> ssh-reverse-tunnel, through the command
>
>             sshpass -p password ssh -N -R 0.0.0.0:2000:192.168.1.1:443
> user at 1.2.3.4
>
> from the remote-machine.
>
> Things work fine if only one user is forwarded to port 2000.
> However, I observe that if a second user logs into the server and provides
> the same auth-credentials, a 502-Bad-Gateway error is observed 99% of the
> times.
>
> Is this expected?
> Does the forwarding over a ssh-reverse-tunnelled-port work reliably only
> if one user is forwarded to the port?
>
> I am sorry if I am posting to the wrong list, not sure if this is a
> question related to nginx or ssh-reverse-tunnelling in general.
> Will be great to hear thoughts/experiences from the experts.
>
>
> Thanks and Regards,
> Ajay
>
>


-- 
Regards,
Ajay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170412/b610c8e3/attachment.html>

From mdounin at mdounin.ru  Wed Apr 12 12:57:16 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 12 Apr 2017 15:57:16 +0300
Subject: Windows 1024 Connections Limit
In-Reply-To: <4a2fed45-af88-e2b8-1e7a-ebac7d3864ad@lucee.org>
References: <4a2fed45-af88-e2b8-1e7a-ebac7d3864ad@lucee.org>
Message-ID: <20170412125716.GP13617@mdounin.ru>

Hello!

On Tue, Apr 11, 2017 at 09:37:46PM -0700, Igal @ Lucee.org wrote:

> Is there a technical reason for the 1,024 Connections Limit on Windows?
> 
> http://nginx.org/en/docs/windows.html#known_issues
> 
> Surely the OS can handle many more connections than that.

On Windows, nginx uses select() system call to handle connection 
events.  This syscall implies fixed-size bitmasks to pass file 
descriptors from userland to kernel and back.  Size of these 
bitmasks can be only specified during compilation, and 1024 is the 
value nginx uses for official binaries to balance between maximum 
number of connections and unneeded overhead implied by large 
bitmasks.

> This is not much of an issue with regular requests, but when you use 
> WebSockets you can run out of connections very fast.

It is possible to recompile nginx with different value if you need 
to, see http://nginx.org/en/docs/howto_build_on_win32.html.

On ther other hand, if you are using nginx in production I would 
recommend to consider using Unix variants instead.

-- 
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru  Wed Apr 12 13:17:16 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 12 Apr 2017 16:17:16 +0300
Subject: How to Edit/Delete own posted reply or topic
In-Reply-To: <c9b20833d79c60a08901067b72ad2ea6.NginxMailingListEnglish@forum.nginx.org>
References: <c9b20833d79c60a08901067b72ad2ea6.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170412131716.GR13617@mdounin.ru>

Hello!

On Wed, Apr 12, 2017 at 07:40:25AM -0400, zaidahmd wrote:

> I need to edit one reply to a topic in this list and need to know how to
> perform it. I cannot see any edit or delete button.
> 
> I have been using stackoverflow where edits and delete is allowed to the
> users.

This is a mailing list, you can't edit or delete anything.

-- 
Maxim Dounin
http://nginx.org/

From nginx-forum at forum.nginx.org  Wed Apr 12 13:45:52 2017
From: nginx-forum at forum.nginx.org (itpp2012)
Date: Wed, 12 Apr 2017 09:45:52 -0400
Subject: How to Edit/Delete own posted reply or topic
In-Reply-To: <20170412131716.GR13617@mdounin.ru>
References: <20170412131716.GR13617@mdounin.ru>
Message-ID: <859985469baedf1d5a815971939c1d7f.NginxMailingListEnglish@forum.nginx.org>

You can if you use the web portal at https://forum.nginx.org/

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273547,273556#msg-273556


From ajaygargnsit at gmail.com  Wed Apr 12 14:48:45 2017
From: ajaygargnsit at gmail.com (Ajay Garg)
Date: Wed, 12 Apr 2017 20:18:45 +0530
Subject: Unable to resolve the "Access-Control-Allow-Origin" issue
In-Reply-To: <CAHP4M8Xk397qNFP_sJSi0u9ETo0MKmShzkXWuLDEOcA5LxHMMQ@mail.gmail.com>
References: <CAHP4M8Xk397qNFP_sJSi0u9ETo0MKmShzkXWuLDEOcA5LxHMMQ@mail.gmail.com>
Message-ID: <CAHP4M8WWnnZzkZmBP6gsNX8QcLgR-OpsfzUTn4inXkO9Gj9LKA@mail.gmail.com>

For the record, here is the server-block ::


#########################################################
server {

                listen 443 ssl;

                ssl_certificate /etc/nginx/ssl/nginx.crt;
                ssl_certificate_key /etc/nginx/ssl/nginx.key;

                add_header 'Access-Control-Max-Age' 1728000;
                add_header 'Access-Control-Allow-Origin' $http_origin;
                add_header 'Access-Control-Allow-Credentials' 'true';
                add_header 'Access-Control-Allow-Methods' 'GET, POST,
OPTIONS';
                add_header 'Access-Control-Allow-Headers'
'DNT,Access-Control-Allow-Origin,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

                location / {

                        add_header 'Access-Control-Max-Age' 1728000;
                        add_header 'Access-Control-Allow-Origin' '*';
                        add_header 'Access-Control-Allow-Credentials'
'true';
                        add_header 'Access-Control-Allow-Methods' 'GET,
POST, OPTIONS';
                        add_header 'Access-Control-Allow-Headers'
'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

                        auth_basic 'Restricted';
                        auth_basic_user_file /etc/nginx/ssl/.htpasswd;

                        proxy_set_header 'Access-Control-Max-Age' 1728000;
                        proxy_set_header 'Access-Control-Allow-Origin' '*';
                        proxy_set_header 'Access-Control-Allow-Credentials'
'true';
                        proxy_set_header 'Access-Control-Allow-Methods'
'GET, POST, OPTIONS';
                        proxy_set_header 'Access-Control-Allow-Headers'
'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

                        proxy_pass $forwarded_protocol://127.0.0.1:
$forwarded_port;

                }
        }
#########################################################

On Wed, Apr 12, 2017 at 6:13 PM, Ajay Garg <ajaygargnsit at gmail.com> wrote:

> Hi All.
>
> We are facing the following issue :
>
> Cross-Origin Request Blocked: The Same Origin Policy disallows reading the
> remote resource at https://1.2.3.4/. (Reason: CORS header 'Access-Control-
> Allow-Origin' missing).
>
> Have tried everything I could find on the google, but nothing works
> (whatever I do in /etc/nginx/sites-available/default)
>
>
> So, first question first, is it even possible to solve this issue on the
> version, as per the information below ::
>
> ########################################################
> nginx -V
> nginx version: nginx/1.4.6 (Ubuntu)
> built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.3)
> TLS SNI support enabled
> configure arguments: --with-cc-opt='-g -O2 -fstack-protector
> --param=ssp-buffer-size=4 -Wformat -Werror=format-security
> -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions
> -Wl,-z,relro' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf
> --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log
> --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid
> --http-client-body-temp-path=/var/lib/nginx/body
> --http-fastcgi-temp-path=/var/lib/nginx/fastcgi
> --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi
> --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit
> --with-ipv6 --with-http_ssl_module --with-http_stub_status_module
> --with-http_realip_module --with-http_addition_module
> --with-http_dav_module --with-http_flv_module --with-http_geoip_module
> --with-http_gzip_static_module --with-http_image_filter_module
> --with-http_mp4_module --with-http_perl_module --with-http_random_index_module
> --with-http_secure_link_module --with-http_spdy_module
> --with-http_sub_module --with-http_xslt_module --with-mail
> --with-mail_ssl_module --add-module=/build/nginx-9sG_
> hy/nginx-1.4.6/debian/modules/headers-more-nginx-module
> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-auth-pam
> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-cache-purge
> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-dav-ext-module
> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-development-kit
> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-echo
> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/ngx-fancyindex
> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-http-push
> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-lua
> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-upload-progress
> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-upstream-fair
> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/
> ngx_http_substitutions_filter_module
> ##########################################################
>
>
>
> Thanks and Regards,
> Ajay
>



-- 
Regards,
Ajay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170412/9fb6dcb3/attachment-0001.html>

From r1ch+nginx at teamliquid.net  Wed Apr 12 15:00:15 2017
From: r1ch+nginx at teamliquid.net (Richard Stanway)
Date: Wed, 12 Apr 2017 17:00:15 +0200
Subject: Unable to resolve the "Access-Control-Allow-Origin" issue
In-Reply-To: <CAHP4M8WWnnZzkZmBP6gsNX8QcLgR-OpsfzUTn4inXkO9Gj9LKA@mail.gmail.com>
References: <CAHP4M8Xk397qNFP_sJSi0u9ETo0MKmShzkXWuLDEOcA5LxHMMQ@mail.gmail.com>
 <CAHP4M8WWnnZzkZmBP6gsNX8QcLgR-OpsfzUTn4inXkO9Gj9LKA@mail.gmail.com>
Message-ID: <CAKWQeyjpDOYQThDv=vMhQM1nerEm8OZzepcW2-1TMsbE731j7Q@mail.gmail.com>

Your are using auth_basic, so the 401 response code is not in the range
that add_header works with ("Adds the specified field to a response header
provided that the response code equals 200, 201, 204, 206, 301, 302, 303,
304, or 307."). You need to use "always" if you want to include the header
in all responses. See the documentation for more details.

http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header

On Wed, Apr 12, 2017 at 4:48 PM, Ajay Garg <ajaygargnsit at gmail.com> wrote:

> For the record, here is the server-block ::
>
>
> #########################################################
> server {
>
>                 listen 443 ssl;
>
>                 ssl_certificate /etc/nginx/ssl/nginx.crt;
>                 ssl_certificate_key /etc/nginx/ssl/nginx.key;
>
>                 add_header 'Access-Control-Max-Age' 1728000;
>                 add_header 'Access-Control-Allow-Origin' $http_origin;
>                 add_header 'Access-Control-Allow-Credentials' 'true';
>                 add_header 'Access-Control-Allow-Methods' 'GET, POST,
> OPTIONS';
>                 add_header 'Access-Control-Allow-Headers'
> 'DNT,Access-Control-Allow-Origin,X-CustomHeader,Keep-
> Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-
> Control,Content-Type';
>
>                 location / {
>
>                         add_header 'Access-Control-Max-Age' 1728000;
>                         add_header 'Access-Control-Allow-Origin' '*';
>                         add_header 'Access-Control-Allow-Credentials'
> 'true';
>                         add_header 'Access-Control-Allow-Methods' 'GET,
> POST, OPTIONS';
>                         add_header 'Access-Control-Allow-Headers'
> 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-
> With,If-Modified-Since,Cache-Control,Content-Type';
>
>                         auth_basic 'Restricted';
>                         auth_basic_user_file /etc/nginx/ssl/.htpasswd;
>
>                         proxy_set_header 'Access-Control-Max-Age' 1728000;
>                         proxy_set_header 'Access-Control-Allow-Origin' '*';
>                         proxy_set_header 'Access-Control-Allow-Credentials'
> 'true';
>                         proxy_set_header 'Access-Control-Allow-Methods'
> 'GET, POST, OPTIONS';
>                         proxy_set_header 'Access-Control-Allow-Headers'
> 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-
> With,If-Modified-Since,Cache-Control,Content-Type';
>
>                         proxy_pass $forwarded_protocol://127.0.0.
> 1:$forwarded_port;
>
>                 }
>         }
> #########################################################
>
> On Wed, Apr 12, 2017 at 6:13 PM, Ajay Garg <ajaygargnsit at gmail.com> wrote:
>
>> Hi All.
>>
>> We are facing the following issue :
>>
>> Cross-Origin Request Blocked: The Same Origin Policy disallows reading
>> the remote resource at https://1.2.3.4/. (Reason: CORS header
>> 'Access-Control-
>> Allow-Origin' missing).
>>
>> Have tried everything I could find on the google, but nothing works
>> (whatever I do in /etc/nginx/sites-available/default)
>>
>>
>> So, first question first, is it even possible to solve this issue on the
>> version, as per the information below ::
>>
>> ########################################################
>> nginx -V
>> nginx version: nginx/1.4.6 (Ubuntu)
>> built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.3)
>> TLS SNI support enabled
>> configure arguments: --with-cc-opt='-g -O2 -fstack-protector
>> --param=ssp-buffer-size=4 -Wformat -Werror=format-security
>> -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions
>> -Wl,-z,relro' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf
>> --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log
>> --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid
>> --http-client-body-temp-path=/var/lib/nginx/body
>> --http-fastcgi-temp-path=/var/lib/nginx/fastcgi
>> --http-proxy-temp-path=/var/lib/nginx/proxy
>> --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi
>> --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module
>> --with-http_stub_status_module --with-http_realip_module
>> --with-http_addition_module --with-http_dav_module --with-http_flv_module
>> --with-http_geoip_module --with-http_gzip_static_module
>> --with-http_image_filter_module --with-http_mp4_module
>> --with-http_perl_module --with-http_random_index_module
>> --with-http_secure_link_module --with-http_spdy_module
>> --with-http_sub_module --with-http_xslt_module --with-mail
>> --with-mail_ssl_module --add-module=/build/nginx-9sG_
>> hy/nginx-1.4.6/debian/modules/headers-more-nginx-module
>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-auth-pam
>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-cache-purge
>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-dav-ext-module
>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-development-kit
>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-echo
>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/ngx-fancyindex
>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-http-push
>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-lua
>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-upload-progress
>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-upstream-fair
>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/
>> ngx_http_substitutions_filter_module
>> ##########################################################
>>
>>
>>
>> Thanks and Regards,
>> Ajay
>>
>
>
>
> --
> Regards,
> Ajay
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170412/460b5075/attachment.html>

From mdounin at mdounin.ru  Wed Apr 12 15:19:28 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 12 Apr 2017 18:19:28 +0300
Subject: nginx-1.12.0
Message-ID: <20170412151927.GV13617@mdounin.ru>

Changes with nginx 1.12.0                                        12 Apr 2017

    *) 1.12.x stable branch.


-- 
Maxim Dounin
http://nginx.org/

From kworthington at gmail.com  Wed Apr 12 15:52:33 2017
From: kworthington at gmail.com (Kevin Worthington)
Date: Wed, 12 Apr 2017 11:52:33 -0400
Subject: [nginx-announce] nginx-1.12.0
In-Reply-To: <20170412151933.GW13617@mdounin.ru>
References: <20170412151933.GW13617@mdounin.ru>
Message-ID: <CAGo79UUHDjmtA9R3anFjh7j=EO9WzwjYFCgnybZz=5yKUvBakg@mail.gmail.com>

Hello Nginx users,

Now available: Nginx 1.12.0 for Windows
https://kevinworthington.com/nginxwin1120
(32-bit and 64-bit versions)

These versions are to support legacy users who are already using Cygwin
based builds of Nginx. Officially supported native Windows binaries are at
nginx.org.

Announcements are also available here:
Twitter http://twitter.com/kworthington
Google+ https://plus.google.com/+KevinWorthington/

Thank you,
Kevin
--
Kevin Worthington
kworthington *@* (gmail]  [dot} {com)
http://kevinworthington.com/
http://twitter.com/kworthington
https://plus.google.com/+KevinWorthington/
On Wed, Apr 12, 2017 at 11:19 AM, Maxim Dounin <mdounin at mdounin.ru> wrote:

> Changes with nginx 1.12.0                                        12 Apr
> 2017
>
>     *) 1.12.x stable branch.
>
>
> --
> Maxim Dounin
> http://nginx.org/
> _______________________________________________
> nginx-announce mailing list
> nginx-announce at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-announce
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170412/368c88b9/attachment-0001.html>

From ajaygargnsit at gmail.com  Wed Apr 12 17:24:42 2017
From: ajaygargnsit at gmail.com (Ajay Garg)
Date: Wed, 12 Apr 2017 22:54:42 +0530
Subject: Unable to resolve the "Access-Control-Allow-Origin" issue
In-Reply-To: <CAKWQeyjpDOYQThDv=vMhQM1nerEm8OZzepcW2-1TMsbE731j7Q@mail.gmail.com>
References: <CAHP4M8Xk397qNFP_sJSi0u9ETo0MKmShzkXWuLDEOcA5LxHMMQ@mail.gmail.com>
 <CAHP4M8WWnnZzkZmBP6gsNX8QcLgR-OpsfzUTn4inXkO9Gj9LKA@mail.gmail.com>
 <CAKWQeyjpDOYQThDv=vMhQM1nerEm8OZzepcW2-1TMsbE731j7Q@mail.gmail.com>
Message-ID: <CAHP4M8VZ7aFRSMK4iTRVc4009z7eJ2JeTMQnYDf3Sd23pk_zYg@mail.gmail.com>

Hi Richard.

Thanks for the help.

I added 'always' as the last argument in all the "add_header" and
"proxy_set_header" directives.
Unfortunately, I receive the following on the very first "add_header"
directive ::

#####################################################
2017/04/12 17:18:22 [emerg] 28540#0: invalid number of arguments in
"add_header" directive in /etc/nginx/sites-enabled/default:22
#####################################################


I guess the 'always' argument requires nginx >= 1.7.5.


Is there a pre-built package available for nginx?
Our linux-machine is ::

#####################################################
uname -a
Linux proxy 3.13.0-108-generic #155-Ubuntu SMP Wed Jan 11 16:58:52 UTC 2017
x86_64 x86_64 x86_64 GNU/Linux
#####################################################

If not, I guess the link to use is http://nginx.org/en/docs/configure.html,
but I am very afraid that I might miss something, so a pre-built package >=
1.7.5 (provided one exists) for our linux-machine would be great :)


Thanks for the help so far !!!


Thanks and Regards,
Ajay

On Wed, Apr 12, 2017 at 8:30 PM, Richard Stanway <r1ch+nginx at teamliquid.net>
wrote:

> Your are using auth_basic, so the 401 response code is not in the range
> that add_header works with ("Adds the specified field to a response header
> provided that the response code equals 200, 201, 204, 206, 301, 302, 303,
> 304, or 307."). You need to use "always" if you want to include the header
> in all responses. See the documentation for more details.
>
> http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
>
> On Wed, Apr 12, 2017 at 4:48 PM, Ajay Garg <ajaygargnsit at gmail.com> wrote:
>
>> For the record, here is the server-block ::
>>
>>
>> #########################################################
>> server {
>>
>>                 listen 443 ssl;
>>
>>                 ssl_certificate /etc/nginx/ssl/nginx.crt;
>>                 ssl_certificate_key /etc/nginx/ssl/nginx.key;
>>
>>                 add_header 'Access-Control-Max-Age' 1728000;
>>                 add_header 'Access-Control-Allow-Origin' $http_origin;
>>                 add_header 'Access-Control-Allow-Credentials' 'true';
>>                 add_header 'Access-Control-Allow-Methods' 'GET, POST,
>> OPTIONS';
>>                 add_header 'Access-Control-Allow-Headers'
>> 'DNT,Access-Control-Allow-Origin,X-CustomHeader,Keep-Alive,
>> User-Agent,X-Requested-With,If-Modified-Since,Cache-Contro
>> l,Content-Type';
>>
>>                 location / {
>>
>>                         add_header 'Access-Control-Max-Age' 1728000;
>>                         add_header 'Access-Control-Allow-Origin' '*';
>>                         add_header 'Access-Control-Allow-Credentials'
>> 'true';
>>                         add_header 'Access-Control-Allow-Methods' 'GET,
>> POST, OPTIONS';
>>                         add_header 'Access-Control-Allow-Headers'
>> 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,
>> If-Modified-Since,Cache-Control,Content-Type';
>>
>>                         auth_basic 'Restricted';
>>                         auth_basic_user_file /etc/nginx/ssl/.htpasswd;
>>
>>                         proxy_set_header 'Access-Control-Max-Age' 1728000;
>>                         proxy_set_header 'Access-Control-Allow-Origin'
>> '*';
>>                         proxy_set_header 'Access-Control-Allow-Credentials'
>> 'true';
>>                         proxy_set_header 'Access-Control-Allow-Methods'
>> 'GET, POST, OPTIONS';
>>                         proxy_set_header 'Access-Control-Allow-Headers'
>> 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,
>> If-Modified-Since,Cache-Control,Content-Type';
>>
>>                         proxy_pass $forwarded_protocol://127.0.0.
>> 1:$forwarded_port;
>>
>>                 }
>>         }
>> #########################################################
>>
>> On Wed, Apr 12, 2017 at 6:13 PM, Ajay Garg <ajaygargnsit at gmail.com>
>> wrote:
>>
>>> Hi All.
>>>
>>> We are facing the following issue :
>>>
>>> Cross-Origin Request Blocked: The Same Origin Policy disallows reading
>>> the remote resource at https://1.2.3.4/. (Reason: CORS header
>>> 'Access-Control-
>>> Allow-Origin' missing).
>>>
>>> Have tried everything I could find on the google, but nothing works
>>> (whatever I do in /etc/nginx/sites-available/default)
>>>
>>>
>>> So, first question first, is it even possible to solve this issue on the
>>> version, as per the information below ::
>>>
>>> ########################################################
>>> nginx -V
>>> nginx version: nginx/1.4.6 (Ubuntu)
>>> built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.3)
>>> TLS SNI support enabled
>>> configure arguments: --with-cc-opt='-g -O2 -fstack-protector
>>> --param=ssp-buffer-size=4 -Wformat -Werror=format-security
>>> -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions
>>> -Wl,-z,relro' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf
>>> --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log
>>> --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid
>>> --http-client-body-temp-path=/var/lib/nginx/body
>>> --http-fastcgi-temp-path=/var/lib/nginx/fastcgi
>>> --http-proxy-temp-path=/var/lib/nginx/proxy
>>> --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi
>>> --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module
>>> --with-http_stub_status_module --with-http_realip_module
>>> --with-http_addition_module --with-http_dav_module --with-http_flv_module
>>> --with-http_geoip_module --with-http_gzip_static_module
>>> --with-http_image_filter_module --with-http_mp4_module
>>> --with-http_perl_module --with-http_random_index_module
>>> --with-http_secure_link_module --with-http_spdy_module
>>> --with-http_sub_module --with-http_xslt_module --with-mail
>>> --with-mail_ssl_module --add-module=/build/nginx-9sG_
>>> hy/nginx-1.4.6/debian/modules/headers-more-nginx-module
>>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-auth-pam
>>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-cache-purge
>>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-dav-ext-module
>>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-development-kit
>>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-echo
>>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/ngx-fancyindex
>>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-http-push
>>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-lua
>>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-upload-progress
>>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-upstream-fair
>>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/
>>> ngx_http_substitutions_filter_module
>>> ##########################################################
>>>
>>>
>>>
>>> Thanks and Regards,
>>> Ajay
>>>
>>
>>
>>
>> --
>> Regards,
>> Ajay
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>



-- 
Regards,
Ajay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170412/b10c04e1/attachment.html>

From igal at lucee.org  Wed Apr 12 17:42:02 2017
From: igal at lucee.org (Igal @ Lucee.org)
Date: Wed, 12 Apr 2017 10:42:02 -0700
Subject: Windows 1024 Connections Limit
In-Reply-To: <20170412125716.GP13617@mdounin.ru>
References: <4a2fed45-af88-e2b8-1e7a-ebac7d3864ad@lucee.org>
 <20170412125716.GP13617@mdounin.ru>
Message-ID: <06a74863-9588-ec68-8492-0e1a8ff2afe3@lucee.org>

Maxim,

On 4/12/2017 5:57 AM, Maxim Dounin wrote:
>
> On Windows, nginx uses select() system call to handle connection
> events.  This syscall implies fixed-size bitmasks to pass file
> descriptors from userland to kernel and back.  Size of these
> bitmasks can be only specified during compilation, and 1024 is the
> value nginx uses for official binaries to balance between maximum
> number of connections and unneeded overhead implied by large
> bitmasks.
>
> It is possible to recompile nginx with different value if you need
> to, see http://nginx.org/en/docs/howto_build_on_win32.html.
>
> On ther other hand, if you are using nginx in production I would
> recommend to consider using Unix variants instead.

Thank you very much for the explanation and recommendation,


Igal

From nginx-forum at forum.nginx.org  Wed Apr 12 17:53:41 2017
From: nginx-forum at forum.nginx.org (SebK)
Date: Wed, 12 Apr 2017 13:53:41 -0400
Subject: UDP TLS Termination
In-Reply-To: <20170328092827.GA32543@vlpc.nginx.com>
References: <20170328092827.GA32543@vlpc.nginx.com>
Message-ID: <0ef6a49c56d895e1c7dbe3f802817eec.NginxMailingListEnglish@forum.nginx.org>

Vladimir Homutov Wrote:
-------------------------------------------------------
> On Tue, Mar 28, 2017 at 12:25:35PM +0300, Vladimir Homutov wrote:
> > instead of normal DTLS.
> 
> i meant SSL (TLS)  of course.
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

Hi,

I stumbled across this thread in search of answers to my own question
regarding the combination of nginx + DTLS. Since you didn't receive an
answer to your question, Vladimir, here's a use case I am currently working
on: I have an IoT use case using CoAP for client-server-communication. CoAP
in turn uses DTLS for securing its data. All server applications are working
behind an nginx web server. Right now for the DTLS communication nginx is
justed proxiing the udp packets from the client to the server. When using a
PKI instead of a, let's say PSK ciphersuite, I too would think that it would
be be helpful to centralize all TLS specifics e.g. certificate management
within the nginx web server. You should then be able to pass the unencrypted
datagrams to the CoAP server.

Regards,
Sebastian

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273251,273571#msg-273571


From igal at lucee.org  Wed Apr 12 18:40:16 2017
From: igal at lucee.org (Igal @ Lucee.org)
Date: Wed, 12 Apr 2017 11:40:16 -0700
Subject: HTTP/2 on the Upstream
Message-ID: <cc9456a8-48f7-3518-efc7-59fbef2270ea@lucee.org>

According to https://www.nginx.com/blog/http2-module-nginx/#QandA nginx 
only supports HTTP/2 on the client side, but it is possible to configure 
proxy_pass to use HTTP/2.

There is a huge benefit in supporting HTTP/2 on the Upstream, as that 
will allow the Upstream servers to perform HTTP/2 Push 
(https://en.wikipedia.org/wiki/HTTP/2_Server_Push).

While nginx can not know which resources should be pushed on a dynamic 
page, as dynamic pages can not be simply cached across different users, 
the Upstream servers can know which resources should be pushed.

I really think that nginx should reconsider its position on this matter.

In the meantime, where can I find documentation on how to configure 
proxy_pass to use HTTP/2?

Thank you,

Igal Sapir
Lucee Core Developer
Lucee.org <http://lucee.org/>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170412/9227ea8e/attachment.html>

From nginx-forum at forum.nginx.org  Wed Apr 12 19:53:43 2017
From: nginx-forum at forum.nginx.org (SebK)
Date: Wed, 12 Apr 2017 15:53:43 -0400
Subject: Proxying UDP: Preserve proxy port during DTLS handshake
Message-ID: <d4ca110fe05b5a1dea7022085b695d52.NginxMailingListEnglish@forum.nginx.org>

Hello everyone,

TL;DR: When proxying UDP packets through nginx, is there a way for nginx to
preserve its initial source port for subsequent packets? This is to be used
during a DTLS handshake.

Outlined version: This issue arose when proxying UDP packets, more
specifically establishing an DTLS connection for CoAP message exchange. I
came across two different threads with similar subjects
(https://forum.nginx.org/read.php?2,273251,273251#msg-273251 and
https://forum.nginx.org/read.php?2,271957,271957#msg-271957) from which I
can guess that it is not (yet) supported out of the box.

Hence, I am only using nginx to proxy the CoAP's UDP packets between client
and server. This works for unencrypted CoAP, but not for CoAP over DTLS
because the handshake fails. This is because nginx uses (or may use?)
different source ports for every udp packet it forwards. An easy way to
examine this issue is to proxy a UDP netcat connection with nginx. First
message from client to server is received but subsequent messages can only
be sent from server to client because netcat "locks in" on the client port
from which it received the first message. The port is constant on the client
side, but nginx may use different ports when proxying the packets. 

I managed to get the DTLS connection to work by using the proxy_bind
directive of the proxy stream module with the values
"127.0.0.1:$remote_port" respectively "127.0.0.1:$server_port". It works,
but I am not happy with either of it. Reason against
"127.0.0.1:$server_port": Two client requests may overlap and there would be
no way for the server to tell them apart. Reason against
"127.0.0.1:$remote_port": Even tough unlikely, it may happen that two
clients decide to use the same port from their dynamic port range. Also in
this case there would be no way of telling them both apart. 

I know about the "proxy_bind address [transparent]" option of the proxy
module, but I would consider using this the "nuclear option" since,
according to the documentation, it requires the worker processes to run with
superuser rights and reconfigure the kernel routing table.

So my conclusive question is: Does nginx provide a way to preserve its
chosen dynamic port when forwarding udp packets?

Regards,
Sebastian

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273576,273576#msg-273576


From vbart at nginx.com  Wed Apr 12 19:57:16 2017
From: vbart at nginx.com (Valentin V. Bartenev)
Date: Wed, 12 Apr 2017 22:57:16 +0300
Subject: HTTP/2 on the Upstream
In-Reply-To: <cc9456a8-48f7-3518-efc7-59fbef2270ea@lucee.org>
References: <cc9456a8-48f7-3518-efc7-59fbef2270ea@lucee.org>
Message-ID: <1507484.hQDnxRCjQ1@vbart-workstation>

On Wednesday 12 April 2017 11:40:16 Igal @ Lucee.org wrote:
> According to https://www.nginx.com/blog/http2-module-nginx/#QandA nginx 
> only supports HTTP/2 on the client side, but it is possible to configure 
> proxy_pass to use HTTP/2.
> 
> There is a huge benefit in supporting HTTP/2 on the Upstream, as that 
> will allow the Upstream servers to perform HTTP/2 Push 
> (https://en.wikipedia.org/wiki/HTTP/2_Server_Push).
[..]

That's not related.

Server Push doesn't require HTTP/2 from the Upstream side.  Moreover,
upstream usually don't have access to the static resources that are
served directly from nginx.

> 
> While nginx can not know which resources should be pushed on a dynamic 
> page, as dynamic pages can not be simply cached across different users, 
> the Upstream servers can know which resources should be pushed.
> 
> I really think that nginx should reconsider its position on this matter.
> 
> In the meantime, where can I find documentation on how to configure 
> proxy_pass to use HTTP/2?
> 

There's no such documentation since HTTP/2 isn't supported by the proxy
module.

  wbr, Valentin V. Bartenev


From mdounin at mdounin.ru  Wed Apr 12 19:59:47 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 12 Apr 2017 22:59:47 +0300
Subject: HTTP/2 on the Upstream
In-Reply-To: <cc9456a8-48f7-3518-efc7-59fbef2270ea@lucee.org>
References: <cc9456a8-48f7-3518-efc7-59fbef2270ea@lucee.org>
Message-ID: <20170412195947.GF13617@mdounin.ru>

Hello!

On Wed, Apr 12, 2017 at 11:40:16AM -0700, Igal @ Lucee.org wrote:

> According to https://www.nginx.com/blog/http2-module-nginx/#QandA nginx 
> only supports HTTP/2 on the client side, but it is possible to configure 
> proxy_pass to use HTTP/2.
> 
> There is a huge benefit in supporting HTTP/2 on the Upstream, as that 
> will allow the Upstream servers to perform HTTP/2 Push 
> (https://en.wikipedia.org/wiki/HTTP/2_Server_Push).
> 
> While nginx can not know which resources should be pushed on a dynamic 
> page, as dynamic pages can not be simply cached across different users, 
> the Upstream servers can know which resources should be pushed.
> 
> I really think that nginx should reconsider its position on this matter.

There is nothing to stop a backend from performing a push based on 
the knowledge.  It's just a matter of providing upstream servers 
with a way to push resources, e.g., via something like the 
X-Accel-Push header or something like this.  This doesn't need 
HTTP/2 between nginx and upstream servers.

Moreover, using HTTP/2 with ability to push things will likely be 
a problem here, as in most cases dynamic pages are generated 
separately from static assets.  Using nginx to do the actual 
push is likely to be much more optimal here.

> In the meantime, where can I find documentation on how to configure 
> proxy_pass to use HTTP/2?

You can't, nginx only supports HTTP/2 on the client side.  The 
actual answer was "Now you can't configure HTTP/2 with 
proxy_pass...", see here:

https://youtu.be/4OiyssTW4BA?t=14m34s

The transcript needs to be fixed, thanks.

-- 
Maxim Dounin
http://nginx.org/

From igal at lucee.org  Wed Apr 12 21:13:45 2017
From: igal at lucee.org (Igal @ Lucee.org)
Date: Wed, 12 Apr 2017 14:13:45 -0700
Subject: HTTP/2 on the Upstream
In-Reply-To: <20170412195947.GF13617@mdounin.ru>
References: <cc9456a8-48f7-3518-efc7-59fbef2270ea@lucee.org>
 <20170412195947.GF13617@mdounin.ru>
Message-ID: <7c70d560-3b3f-5e6a-1475-852de3ea25f8@lucee.org>

Thank you, Maxim and Valentin, for your prompt replies.  I will reply 
here to both so that we can maintain a single thread for this issue:

On 4/12/2017 12:57 PM, Valentin V. Bartenev wrote:

> Server Push doesn't require HTTP/2 from the Upstream side.  Moreover,
> upstream usually don't have access to the static resources that are
> served directly from nginx.

On 4/12/2017 12:59 PM, Maxim Dounin wrote:
> There is nothing to stop a backend from performing a push based on
> the knowledge.  It's just a matter of providing upstream servers
> with a way to push resources, e.g., via something like the
> X-Accel-Push header or something like this.  This doesn't need
> HTTP/2 between nginx and upstream servers.
>
> Moreover, using HTTP/2 with ability to push things will likely be
> a problem here, as in most cases dynamic pages are generated
> separately from static assets.  Using nginx to do the actual
> push is likely to be much more optimal here.

These are both good points, but it is my understanding that the server 
that Pushes the resources needs to know which resources need to be 
pushed, is that not the case?

If my Upstream (Tomcat, for example) generates a dynamic page for the 
client, then it can keep track of all of the images on that page and 
then push them.  How can the Upstream "tell" nginx what to Push?

Please watch the clip at https://youtu.be/QpLtBftqM04?t=34m51s until 
about 36m12s where Simone Bordet, a Jetty developer, claims that HA 
Proxy is a better proxy solution than nginx because it talks HTTP/2 to 
the Upstream.

Also please note that the Servlet 4.0 specification plans to add a 
Push() API to push resources to the clients.  If nginx doesn't use 
HTTP/2 to talk to my Servlet engine (Tomcat, Jetty, etc.), this 
functionality will not be available as the Servlet engine will treat the 
request as an HTTP/1.

On 4/12/2017 12:59 PM, Maxim Dounin wrote:
> The actual answer was "Now you can't configure HTTP/2 with
> proxy_pass...", see here:
>
> https://youtu.be/4OiyssTW4BA?t=14m34s
>
> The transcript needs to be fixed, thanks.

Well noted, thanks for clarifying.


Igal Sapir
Lucee Core Developer
Lucee.org <http://lucee.org/>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170412/949f1fe3/attachment.html>

From francis at daoine.org  Wed Apr 12 21:44:50 2017
From: francis at daoine.org (Francis Daly)
Date: Wed, 12 Apr 2017 22:44:50 +0100
Subject: Nginx - API Gateway is not forwarding the request to Auth Service
In-Reply-To: <d3a7761824ce7079184357f1c5a14bef.NginxMailingListEnglish@forum.nginx.org>
References: <20170411114826.GN3428@daoine.org>
 <d3a7761824ce7079184357f1c5a14bef.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170412214450.GQ3428@daoine.org>

On Wed, Apr 12, 2017 at 05:50:56AM -0400, zaidahmd wrote:

Hi there,

> Below I will explain my application with NGINX configuration I have
> performed and the code snippets/references for future users.
 
I've read your description, and I confess I'm not sure what benefit
auth_request within nginx gives you. It looks like your application is
doing its own auth check on every request anyway, so having nginx do
the same thing seems redundant. I'm probably missing something.

That's ok; I don't need to understand it.

> Secondly, I am able to complete my configuraiton successfully and got it
> working and now in testing and expanding the functionality.

You now have a working system; that's good.

The bonus piece would be if you found that some words in some
documentation were unclear; and if you now know what words would have
made it clear to you the first time you read it; then sharing those new
words might let that piece of documentation become updated so that it
will be clear for the next person reading it for the first time.

Doing the work to prepare those words will be of no benefit to you,
of course, so it's not a problem if it does not suit you to do it.


It's good that you have solved the problem you had.

Cheers,

	f
-- 
Francis Daly        francis at daoine.org

From gfrankliu at gmail.com  Wed Apr 12 21:50:08 2017
From: gfrankliu at gmail.com (Frank Liu)
Date: Wed, 12 Apr 2017 14:50:08 -0700
Subject: weight and balancing in upstream proxy
Message-ID: <CAOXPdC-2vq7nBnpg0AvM_842KcBq+2pMNwdERiH0HDEs1OwtuQ@mail.gmail.com>

Hi,

How does nginx balances traffic to upstream with different weight? If I
have 3 servers in upstream, with weight 1, 2, 4, assuming all are healthy,
will nginx send traffic to server 1, 2, 3, 2, 3, 3, 3 or 1, 2, 2, 3, 3, 3,
3? If I have two servers with both weight 50, will nginx will 50 requests
to server 1, and then 50 to server 2, or will it calculate the ration to be
1:1 and send one after another?

Thanks!
Frank
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170412/0033ec1f/attachment-0001.html>

From francis at daoine.org  Wed Apr 12 21:52:49 2017
From: francis at daoine.org (Francis Daly)
Date: Wed, 12 Apr 2017 22:52:49 +0100
Subject: Unable to resolve the "Access-Control-Allow-Origin" issue
In-Reply-To: <CAHP4M8Xk397qNFP_sJSi0u9ETo0MKmShzkXWuLDEOcA5LxHMMQ@mail.gmail.com>
References: <CAHP4M8Xk397qNFP_sJSi0u9ETo0MKmShzkXWuLDEOcA5LxHMMQ@mail.gmail.com>
Message-ID: <20170412215249.GR3428@daoine.org>

On Wed, Apr 12, 2017 at 06:13:19PM +0530, Ajay Garg wrote:

Hi there,

> We are facing the following issue :
> 
> Cross-Origin Request Blocked: The Same Origin Policy disallows reading the
> remote resource at https://1.2.3.4/. (Reason: CORS header 'Access-Control-
> Allow-Origin' missing).

What's the issue, specifically?

It looks like your browser thinks it is talking to two web servers. Do
you think your browser is talking to two web servers? If not, that's
the problem to fix. Otherwise, you'll want to set suitable headers in
the response from the first web server.

If your browser should only be talking to https://1.2.3.4/, and everything
else should be reverse-proxied behind that, then the problem is that
some part of a back-end is leaking through, and the network allows the
browser to talk directly to something that it should not be talking to.

A later mail shows some nginx config, but it is not clear to me if that
is on the 1.2.3.4 server or on a different server; and it is not clear
to me why many of the add_header and proxy_set_header lines are there.

I suspect that if you can get a clear understanding of the issue, and of
what should be happening, then the path to configuring things to allow
to all to happen will become clearer.

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org

From luky-37 at hotmail.com  Wed Apr 12 23:11:23 2017
From: luky-37 at hotmail.com (Lukas Tribus)
Date: Wed, 12 Apr 2017 23:11:23 +0000
Subject: AW: HTTP/2 on the Upstream
In-Reply-To: <7c70d560-3b3f-5e6a-1475-852de3ea25f8@lucee.org>
References: <cc9456a8-48f7-3518-efc7-59fbef2270ea@lucee.org>
 <20170412195947.GF13617@mdounin.ru>,
 <7c70d560-3b3f-5e6a-1475-852de3ea25f8@lucee.org>
Message-ID: <VI1PR08MB12004D84915B450466F516FDED030@VI1PR08MB1200.eurprd08.prod.outlook.com>

> Please watch the clip at https://youtu.be/QpLtBftqM04?t=34m51s until
> about 36m12s where Simone Bordet, a Jetty developer, claims that
> HA Proxy is a better proxy solution than nginx because it talks
> HTTP/2 to the Upstream.

This statement is misleading.

As of now, haproxy does not support HTTP/2.

What you can do with haproxy is forward arbitrary TCP protocols, TLS
offload and NPN/ALPN negotiate whatever you like with the client. This
makes it possible to ALPN-negotiate H2 and forward whatever cleartext
TCP protocol you like. This includes HTTP/2.

Saying "Haproxy can talk HTTP/2 to the backend" is certainly wrong in
the context you are interpreting it.


The only thing missing to achieve the same thing in nginx, is afaik arbitrary
ALPN protocol negotiation with the client int the ngx_stream_ssl_module.

But that also does not make nginx HTTP/2 capable on the backend side.



Lukas

From igal at lucee.org  Thu Apr 13 00:08:53 2017
From: igal at lucee.org (Igal @ Lucee.org)
Date: Wed, 12 Apr 2017 17:08:53 -0700
Subject: HTTP/2 on the Upstream
In-Reply-To: <7c70d560-3b3f-5e6a-1475-852de3ea25f8@lucee.org>
References: <cc9456a8-48f7-3518-efc7-59fbef2270ea@lucee.org>
 <20170412195947.GF13617@mdounin.ru>
 <7c70d560-3b3f-5e6a-1475-852de3ea25f8@lucee.org>
Message-ID: <e2f54ceb-6c2d-8fb8-1465-34464a112bb9@lucee.org>

Hello,

On 4/12/2017 12:59 PM, Maxim Dounin wrote:
> It's just a matter of providing upstream servers
> with a way to push resources, e.g., via something like the
> X-Accel-Push header or something like this.  This doesn't need
> HTTP/2 between nginx and upstream servers.

On 4/12/2017 2:13 PM, Igal @ Lucee.org wrote:
>
> If my Upstream (Tomcat, for example) generates a dynamic page for the 
> client, then it can keep track of all of the images on that page and 
> then push them.  How can the Upstream "tell" nginx what to Push?
>

Upon studying HTTP/2 Push further I have learned that the way to do so 
is with the "Link" header, e.g.

Link: </res/css/style.css>; rel=preload; as=style, </res/min/script.js>; 
rel=preload; as=script

Chrome developer tools confirms that these assets are being pushed, so 
it's all good.

You can ignore my previous email if you read this one in time.

Thank you,

Igal Sapir
Lucee Core Developer
Lucee.org <http://lucee.org/>



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170412/3c53d28a/attachment.html>

From ajaygargnsit at gmail.com  Thu Apr 13 01:39:29 2017
From: ajaygargnsit at gmail.com (Ajay Garg)
Date: Thu, 13 Apr 2017 07:09:29 +0530
Subject: Unable to resolve the "Access-Control-Allow-Origin" issue
In-Reply-To: <CAHP4M8VZ7aFRSMK4iTRVc4009z7eJ2JeTMQnYDf3Sd23pk_zYg@mail.gmail.com>
References: <CAHP4M8Xk397qNFP_sJSi0u9ETo0MKmShzkXWuLDEOcA5LxHMMQ@mail.gmail.com>
 <CAHP4M8WWnnZzkZmBP6gsNX8QcLgR-OpsfzUTn4inXkO9Gj9LKA@mail.gmail.com>
 <CAKWQeyjpDOYQThDv=vMhQM1nerEm8OZzepcW2-1TMsbE731j7Q@mail.gmail.com>
 <CAHP4M8VZ7aFRSMK4iTRVc4009z7eJ2JeTMQnYDf3Sd23pk_zYg@mail.gmail.com>
Message-ID: <CAHP4M8VmPuMxMPo2bnU8o4K+MXi7TjXZpxqYEq-hMn4zpezYGw@mail.gmail.com>

Upgraded to 1.11

Now, things get worse, I am not being prompted for any credentials (even
with all browser cache cleared), even with the following
/etc/nginx/conf.d/default.conf


##########################################################
server {

                listen 443 ssl;
                ssl_certificate /etc/nginx/ssl/nginx.crt;
                ssl_certificate_key /etc/nginx/ssl/nginx.key;

#               add_header 'Access-Control-Max-Age' 1728000 'always';
#               add_header 'Access-Control-Allow-Origin' $http_origin
'always';
#               add_header 'Access-Control-Allow-Credentials' 'true'
'always';
#               add_header 'Access-Control-Allow-Methods' 'GET, POST,
OPTIONS' 'always';
#               add_header 'Access-Control-Allow-Headers'
'DNT,Access-Control-Allow-Origin,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'
'always';

                location / {

#                       add_header 'Access-Control-Max-Age' 1728000
'always';
#                       add_header 'Access-Control-Allow-Origin' '*'
'always';
#                       add_header 'Access-Control-Allow-Credentials'
'true' 'always';
#                       add_header 'Access-Control-Allow-Methods' 'GET,
POST, OPTIONS' 'always';
#                       add_header 'Access-Control-Allow-Headers'
'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'
'always';

                        auth_basic 'Restricted';
                        auth_basic_user_file /etc/nginx/ssl/.htpasswd;

#                       proxy_set_header 'Access-Control-Max-Age' 1728000;
#                       proxy_set_header 'Access-Control-Allow-Origin' '*';
#                       proxy_set_header 'Access-Control-Allow-Credentials'
'true';
#                       proxy_set_header 'Access-Control-Allow-Methods'
'GET, POST, OPTIONS';
#                       proxy_set_header 'Access-Control-Allow-Headers'
'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

                        proxy_pass $forwarded_protocol://127.0.0.1:
$forwarded_port;

                }
        }

##########################################################


Any ideas why this regression?

On Wed, Apr 12, 2017 at 10:54 PM, Ajay Garg <ajaygargnsit at gmail.com> wrote:

> Hi Richard.
>
> Thanks for the help.
>
> I added 'always' as the last argument in all the "add_header" and
> "proxy_set_header" directives.
> Unfortunately, I receive the following on the very first "add_header"
> directive ::
>
> #####################################################
> 2017/04/12 17:18:22 [emerg] 28540#0: invalid number of arguments in
> "add_header" directive in /etc/nginx/sites-enabled/default:22
> #####################################################
>
>
> I guess the 'always' argument requires nginx >= 1.7.5.
>
>
> Is there a pre-built package available for nginx?
> Our linux-machine is ::
>
> #####################################################
> uname -a
> Linux proxy 3.13.0-108-generic #155-Ubuntu SMP Wed Jan 11 16:58:52 UTC
> 2017 x86_64 x86_64 x86_64 GNU/Linux
> #####################################################
>
> If not, I guess the link to use is http://nginx.org/en/docs/configure.html,
> but I am very afraid that I might miss something, so a pre-built package >=
> 1.7.5 (provided one exists) for our linux-machine would be great :)
>
>
> Thanks for the help so far !!!
>
>
> Thanks and Regards,
> Ajay
>
> On Wed, Apr 12, 2017 at 8:30 PM, Richard Stanway <
> r1ch+nginx at teamliquid.net> wrote:
>
>> Your are using auth_basic, so the 401 response code is not in the range
>> that add_header works with ("Adds the specified field to a response header
>> provided that the response code equals 200, 201, 204, 206, 301, 302, 303,
>> 304, or 307."). You need to use "always" if you want to include the header
>> in all responses. See the documentation for more details.
>>
>> http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
>>
>> On Wed, Apr 12, 2017 at 4:48 PM, Ajay Garg <ajaygargnsit at gmail.com>
>> wrote:
>>
>>> For the record, here is the server-block ::
>>>
>>>
>>> #########################################################
>>> server {
>>>
>>>                 listen 443 ssl;
>>>
>>>                 ssl_certificate /etc/nginx/ssl/nginx.crt;
>>>                 ssl_certificate_key /etc/nginx/ssl/nginx.key;
>>>
>>>                 add_header 'Access-Control-Max-Age' 1728000;
>>>                 add_header 'Access-Control-Allow-Origin' $http_origin;
>>>                 add_header 'Access-Control-Allow-Credentials' 'true';
>>>                 add_header 'Access-Control-Allow-Methods' 'GET, POST,
>>> OPTIONS';
>>>                 add_header 'Access-Control-Allow-Headers'
>>> 'DNT,Access-Control-Allow-Origin,X-CustomHeader,Keep-Alive,U
>>> ser-Agent,X-Requested-With,If-Modified-Since,Cache-Control,
>>> Content-Type';
>>>
>>>                 location / {
>>>
>>>                         add_header 'Access-Control-Max-Age' 1728000;
>>>                         add_header 'Access-Control-Allow-Origin' '*';
>>>                         add_header 'Access-Control-Allow-Credentials'
>>> 'true';
>>>                         add_header 'Access-Control-Allow-Methods' 'GET,
>>> POST, OPTIONS';
>>>                         add_header 'Access-Control-Allow-Headers'
>>> 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,I
>>> f-Modified-Since,Cache-Control,Content-Type';
>>>
>>>                         auth_basic 'Restricted';
>>>                         auth_basic_user_file /etc/nginx/ssl/.htpasswd;
>>>
>>>                         proxy_set_header 'Access-Control-Max-Age'
>>> 1728000;
>>>                         proxy_set_header 'Access-Control-Allow-Origin'
>>> '*';
>>>                         proxy_set_header 'Access-Control-Allow-Credentials'
>>> 'true';
>>>                         proxy_set_header 'Access-Control-Allow-Methods'
>>> 'GET, POST, OPTIONS';
>>>                         proxy_set_header 'Access-Control-Allow-Headers'
>>> 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,I
>>> f-Modified-Since,Cache-Control,Content-Type';
>>>
>>>                         proxy_pass $forwarded_protocol://127.0.0.
>>> 1:$forwarded_port;
>>>
>>>                 }
>>>         }
>>> #########################################################
>>>
>>> On Wed, Apr 12, 2017 at 6:13 PM, Ajay Garg <ajaygargnsit at gmail.com>
>>> wrote:
>>>
>>>> Hi All.
>>>>
>>>> We are facing the following issue :
>>>>
>>>> Cross-Origin Request Blocked: The Same Origin Policy disallows reading
>>>> the remote resource at https://1.2.3.4/. (Reason: CORS header
>>>> 'Access-Control-
>>>> Allow-Origin' missing).
>>>>
>>>> Have tried everything I could find on the google, but nothing works
>>>> (whatever I do in /etc/nginx/sites-available/default)
>>>>
>>>>
>>>> So, first question first, is it even possible to solve this issue on
>>>> the version, as per the information below ::
>>>>
>>>> ########################################################
>>>> nginx -V
>>>> nginx version: nginx/1.4.6 (Ubuntu)
>>>> built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.3)
>>>> TLS SNI support enabled
>>>> configure arguments: --with-cc-opt='-g -O2 -fstack-protector
>>>> --param=ssp-buffer-size=4 -Wformat -Werror=format-security
>>>> -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions
>>>> -Wl,-z,relro' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf
>>>> --http-log-path=/var/log/nginx/access.log
>>>> --error-log-path=/var/log/nginx/error.log
>>>> --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid
>>>> --http-client-body-temp-path=/var/lib/nginx/body
>>>> --http-fastcgi-temp-path=/var/lib/nginx/fastcgi
>>>> --http-proxy-temp-path=/var/lib/nginx/proxy
>>>> --http-scgi-temp-path=/var/lib/nginx/scgi
>>>> --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug
>>>> --with-pcre-jit --with-ipv6 --with-http_ssl_module
>>>> --with-http_stub_status_module --with-http_realip_module
>>>> --with-http_addition_module --with-http_dav_module --with-http_flv_module
>>>> --with-http_geoip_module --with-http_gzip_static_module
>>>> --with-http_image_filter_module --with-http_mp4_module
>>>> --with-http_perl_module --with-http_random_index_module
>>>> --with-http_secure_link_module --with-http_spdy_module
>>>> --with-http_sub_module --with-http_xslt_module --with-mail
>>>> --with-mail_ssl_module --add-module=/build/nginx-9sG_
>>>> hy/nginx-1.4.6/debian/modules/headers-more-nginx-module
>>>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-auth-pam
>>>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-cache-purge
>>>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-dav-ext-module
>>>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-development-kit
>>>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-echo
>>>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/ngx-fancyindex
>>>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-http-push
>>>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-lua
>>>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-upload-progress
>>>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-upstream-fair
>>>> --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/
>>>> ngx_http_substitutions_filter_module
>>>> ##########################################################
>>>>
>>>>
>>>>
>>>> Thanks and Regards,
>>>> Ajay
>>>>
>>>
>>>
>>>
>>> --
>>> Regards,
>>> Ajay
>>>
>>> _______________________________________________
>>> nginx mailing list
>>> nginx at nginx.org
>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>
>>
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
>
> --
> Regards,
> Ajay
>



-- 
Regards,
Ajay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170413/5c249114/attachment-0001.html>

From nginx-forum at forum.nginx.org  Thu Apr 13 05:00:20 2017
From: nginx-forum at forum.nginx.org (zaidahmd)
Date: Thu, 13 Apr 2017 01:00:20 -0400
Subject: Nginx - API Gateway is not forwarding the request to Auth Service
In-Reply-To: <20170412214450.GQ3428@daoine.org>
References: <20170412214450.GQ3428@daoine.org>
Message-ID: <5d1cebcbf1c93c193ff939a7bb80d8f7.NginxMailingListEnglish@forum.nginx.org>

Hi Francis,

> I've read your description, and I confess I'm not sure what benefit
> auth_request within nginx gives you. It looks like your application is
> doing its own auth check on every request anyway, so having nginx do
> the same thing seems redundant. I'm probably missing something.

can u please tell me the concept and usage of auth_request module. What I
understood from the documentation is stated
below."http://nginx.org/en/docs/http/ngx_http_auth_request_module.html"

Auth_Request Understanding: 
      If the auth requirement of an application is to use something other
than BASIC or jwt THEN use auth_request. auth_request can be used to send
each request to a custom authentication application and get the requests
authenticated from that application. NGINX will send a subrequest to
auth_request application for each incoming client request. (This is the same
logic which MAXIM told me in the previous replies.
"https://forum.nginx.org/read.php?2,273515,273516#msg-273516")


************************** MAXIM's Reply Below
****************************************
> You misunderstood what auth_request does. Instead, it issues a 
> subrequest for every incoming request, and allows further 
> processing of the request if and only if the subrequest returns 
> 200. No attempts are made to look into the response returned for 
> the original request, that is, "protected application"
************************** END MAXIM's
Reply****************************************

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273515,273586#msg-273586


From reallfqq-nginx at yahoo.fr  Thu Apr 13 07:54:34 2017
From: reallfqq-nginx at yahoo.fr (B.R.)
Date: Thu, 13 Apr 2017 09:54:34 +0200
Subject: Windows 1024 Connections Limit
In-Reply-To: <06a74863-9588-ec68-8492-0e1a8ff2afe3@lucee.org>
References: <4a2fed45-af88-e2b8-1e7a-ebac7d3864ad@lucee.org>
 <20170412125716.GP13617@mdounin.ru>
 <06a74863-9588-ec68-8492-0e1a8ff2afe3@lucee.org>
Message-ID: <CALqce=3wUgbRTYwHox8p0m5ShSF33GgZ-1fszEeRFBZ57XeT3w@mail.gmail.com>

Even though using nginx on Windows goes way over my head (even for
development) and/or seing WIndows as any kind of server, I read that
Windows Vista+ support the poll (well, actually WSAPoll
<https://msdn.microsoft.com/en-us/library/windows/desktop/ms741669.aspx>)
system call.
Since XP may now reasonably be called something of the past, would not it
be nice to go for it? No epoll, though.
---
*B. R.*

On Wed, Apr 12, 2017 at 7:42 PM, Igal @ Lucee.org <igal at lucee.org> wrote:

> Maxim,
>
> On 4/12/2017 5:57 AM, Maxim Dounin wrote:
>
>>
>> On Windows, nginx uses select() system call to handle connection
>> events.  This syscall implies fixed-size bitmasks to pass file
>> descriptors from userland to kernel and back.  Size of these
>> bitmasks can be only specified during compilation, and 1024 is the
>> value nginx uses for official binaries to balance between maximum
>> number of connections and unneeded overhead implied by large
>> bitmasks.
>>
>> It is possible to recompile nginx with different value if you need
>> to, see http://nginx.org/en/docs/howto_build_on_win32.html.
>>
>> On ther other hand, if you are using nginx in production I would
>> recommend to consider using Unix variants instead.
>>
>
> Thank you very much for the explanation and recommendation,
>
>
> Igal
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170413/b19e0e60/attachment.html>

From oscaretu at gmail.com  Thu Apr 13 08:09:04 2017
From: oscaretu at gmail.com (oscaretu .)
Date: Thu, 13 Apr 2017 08:09:04 +0000
Subject: Windows 1024 Connections Limit
In-Reply-To: <CALqce=3wUgbRTYwHox8p0m5ShSF33GgZ-1fszEeRFBZ57XeT3w@mail.gmail.com>
References: <4a2fed45-af88-e2b8-1e7a-ebac7d3864ad@lucee.org>
 <20170412125716.GP13617@mdounin.ru>
 <06a74863-9588-ec68-8492-0e1a8ff2afe3@lucee.org>
 <CALqce=3wUgbRTYwHox8p0m5ShSF33GgZ-1fszEeRFBZ57XeT3w@mail.gmail.com>
Message-ID: <CAFztJwSx13XrxBbJiT5324jAUta+F09aw_+KW_BSei4Cr9FHkQ@mail.gmail.com>

Since two days ago Windows Vista is part of the past:

http://www.theverge.com/2017/4/11/15241580/microsoft-windows-vista-end-of-support

Kind regards,
Oscar

El El jue, 13 abr 2017 a las 9:55, B.R. via nginx <nginx at nginx.org>
escribi?:

> Even though using nginx on Windows goes way over my head (even for
> development) and/or seing WIndows as any kind of server, I read that
> Windows Vista+ support the poll (well, actually WSAPoll
> <https://msdn.microsoft.com/en-us/library/windows/desktop/ms741669.aspx>)
> system call.
> Since XP may now reasonably be called something of the past, would not it
> be nice to go for it? No epoll, though.
> ---
> *B. R.*
>
> On Wed, Apr 12, 2017 at 7:42 PM, Igal @ Lucee.org <igal at lucee.org> wrote:
>
>> Maxim,
>>
>> On 4/12/2017 5:57 AM, Maxim Dounin wrote:
>>
>>>
>>> On Windows, nginx uses select() system call to handle connection
>>> events.  This syscall implies fixed-size bitmasks to pass file
>>> descriptors from userland to kernel and back.  Size of these
>>> bitmasks can be only specified during compilation, and 1024 is the
>>> value nginx uses for official binaries to balance between maximum
>>> number of connections and unneeded overhead implied by large
>>> bitmasks.
>>>
>>> It is possible to recompile nginx with different value if you need
>>> to, see http://nginx.org/en/docs/howto_build_on_win32.html.
>>>
>>> On ther other hand, if you are using nginx in production I would
>>> recommend to consider using Unix variants instead.
>>>
>>
>> Thank you very much for the explanation and recommendation,
>>
>>
>> Igal
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

-- 
Oscar Fernandez Sierra
oscaretu at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170413/c96b093c/attachment.html>

From reallfqq-nginx at yahoo.fr  Thu Apr 13 08:09:16 2017
From: reallfqq-nginx at yahoo.fr (B.R.)
Date: Thu, 13 Apr 2017 10:09:16 +0200
Subject: weight and balancing in upstream proxy
In-Reply-To: <CAOXPdC-2vq7nBnpg0AvM_842KcBq+2pMNwdERiH0HDEs1OwtuQ@mail.gmail.com>
References: <CAOXPdC-2vq7nBnpg0AvM_842KcBq+2pMNwdERiH0HDEs1OwtuQ@mail.gmail.com>
Message-ID: <CALqce=1XuLpnh-3bPUCDvNmEDda8qz9Ejef14yDVZjQzfi3KCA@mail.gmail.com>

That is an interesting questions as intuitively, people could think the
former behavior applies.

If I got the source code
<https://trac.nginx.org/nginx/browser/nginx/src/http/ngx_http_upstream_round_robin.c#L507>
right, and as the docs
<https://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream>
state, nginx is following a weighted round-robin
<https://en.wikipedia.org/wiki/Weighted_round_robin> algorithm.
It thus means it will go over the same list of servers everytime a peer
needs to be chosen (ie for every request), and pick the first not having
depleted its weight allocation.

To me, it would use the latter of your proposals.
?Please correct me if I am wrong, so incorrect information does not
propagate too much. :o)?
---
*B. R.*

On Wed, Apr 12, 2017 at 11:50 PM, Frank Liu <gfrankliu at gmail.com> wrote:

> Hi,
>
> How does nginx balances traffic to upstream with different weight? If I
> have 3 servers in upstream, with weight 1, 2, 4, assuming all are healthy,
> will nginx send traffic to server 1, 2, 3, 2, 3, 3, 3 or 1, 2, 2, 3, 3, 3,
> 3? If I have two servers with both weight 50, will nginx will 50 requests
> to server 1, and then 50 to server 2, or will it calculate the ration to be
> 1:1 and send one after another?
>
> Thanks!
> Frank
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170413/fe4c2ade/attachment-0001.html>

From vl at nginx.com  Thu Apr 13 09:28:58 2017
From: vl at nginx.com (Vladimir Homutov)
Date: Thu, 13 Apr 2017 12:28:58 +0300
Subject: Proxying UDP: Preserve proxy port during DTLS handshake
In-Reply-To: <d4ca110fe05b5a1dea7022085b695d52.NginxMailingListEnglish@forum.nginx.org>
References: <d4ca110fe05b5a1dea7022085b695d52.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170413092857.GA16930@vlpc.nginx.com>

On Wed, Apr 12, 2017 at 03:53:43PM -0400, SebK wrote:
> Hello everyone,

Hi Sebastian,

[...]
>
> So my conclusive question is: Does nginx provide a way to preserve its
> chosen dynamic port when forwarding udp packets?
>

No, currently it is not supported.
See also http://mailman.nginx.org/pipermail/nginx/2016-September/051688.html

We have some experimental patches for DTLS support that overcome this
issue, and if you are interested in testing, please write me a email
(vl at nginx.com)



From nginx-forum at forum.nginx.org  Thu Apr 13 09:40:46 2017
From: nginx-forum at forum.nginx.org (comput3rz)
Date: Thu, 13 Apr 2017 05:40:46 -0400
Subject: [ Module development - Socket ]
In-Reply-To: <20170411141016.GK13617@mdounin.ru>
References: <20170411141016.GK13617@mdounin.ru>
Message-ID: <40884f11b71ff0235a02d1103bd0dd4d.NginxMailingListEnglish@forum.nginx.org>

After reading the source code available  in "ngx_mail_auth_http_module.c"

 trying to figure out how to make a "basic TCP connection" to 

a backend server, nothing seems clear. I didn't find any simple pattern 

to read/write on a TCP socket, even if there are simple call like

ngx_event_connect_peer() or ngx_close_connection() for connection phase

 and ngx_send|recv / ngx_unix_send|recv / send|recv for reading and writing
on a socket. 

How can I setup a basic TCP socket into my handler which will connect / send
/ recv and then

close the connection ?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273525,273598#msg-273598


From nginx-forum at forum.nginx.org  Thu Apr 13 11:16:34 2017
From: nginx-forum at forum.nginx.org (SebK)
Date: Thu, 13 Apr 2017 07:16:34 -0400
Subject: Proxying UDP: Preserve proxy port during DTLS handshake
In-Reply-To: <20170413092857.GA16930@vlpc.nginx.com>
References: <20170413092857.GA16930@vlpc.nginx.com>
Message-ID: <5eacd2daaf4799c03ded15c0d1a71bab.NginxMailingListEnglish@forum.nginx.org>

Vladimir Homutov Wrote:
-------------------------------------------------------
> On Wed, Apr 12, 2017 at 03:53:43PM -0400, SebK wrote:
> > Hello everyone,
> 
> Hi Sebastian,
> 
> [...]
> >
> > So my conclusive question is: Does nginx provide a way to preserve
> its
> > chosen dynamic port when forwarding udp packets?
> >
> 
> No, currently it is not supported.
> See also
> http://mailman.nginx.org/pipermail/nginx/2016-September/051688.html
> 
> We have some experimental patches for DTLS support that overcome this
> issue, and if you are interested in testing, please write me a email
> (vl at nginx.com)
> 
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

Hi Vladimir,
much appreciated. I'll contact you via email.
Regards,
Sebastian

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273576,273600#msg-273600


From igal at lucee.org  Thu Apr 13 14:00:04 2017
From: igal at lucee.org (Igal @ Lucee.org)
Date: Thu, 13 Apr 2017 07:00:04 -0700
Subject: Windows 1024 Connections Limit
In-Reply-To: <CALqce=3wUgbRTYwHox8p0m5ShSF33GgZ-1fszEeRFBZ57XeT3w@mail.gmail.com>
References: <4a2fed45-af88-e2b8-1e7a-ebac7d3864ad@lucee.org>
 <20170412125716.GP13617@mdounin.ru>
 <06a74863-9588-ec68-8492-0e1a8ff2afe3@lucee.org>
 <CALqce=3wUgbRTYwHox8p0m5ShSF33GgZ-1fszEeRFBZ57XeT3w@mail.gmail.com>
Message-ID: <6dd2840b-6ef2-ee9a-4328-ee91913db512@lucee.org>

Hi,

On 4/13/2017 12:54 AM, B.R. via nginx wrote:
> Even though using nginx on Windows goes way over my head (even for 
> development) and/or seing WIndows as any kind of server,
It's very simple - this system was set up many years ago and I was 
uncomfortable at the time with running Linux -- not with the stability 
of Linux at the time and not with my skills administering it.  The next 
server that I will set up for production will be a Linux machine, but 
until then I'm stuck with Windows.

I was using IIS as a web server for many years, until about five years 
ago I "saw the light" and upgraded to nginx.  Having nginx available for 
Windows is a great thing because it serves as a stepping stone and 
allows Windows users to make smaller changes to their systems rather 
than one big change.

> I read that Windows Vista+ support the poll (well, actually WSAPoll 
> <https://msdn.microsoft.com/en-us/library/windows/desktop/ms741669.aspx>) 
> system call.
> Since XP may now reasonably be called something of the past, would not 
> it be nice to go for it? No epoll, though.
I agree that XP is out of the picture now, and the servers that I need 
to support are 2008R2 which are built on the Vista code base so this 
system call is supported.

Can you explain briefly how WSAPoll would help here?

Thanks,


Igal

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170413/ac209cf2/attachment.html>

From mdounin at mdounin.ru  Thu Apr 13 14:26:47 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Thu, 13 Apr 2017 17:26:47 +0300
Subject: Windows 1024 Connections Limit
In-Reply-To: <CALqce=3wUgbRTYwHox8p0m5ShSF33GgZ-1fszEeRFBZ57XeT3w@mail.gmail.com>
References: <4a2fed45-af88-e2b8-1e7a-ebac7d3864ad@lucee.org>
 <20170412125716.GP13617@mdounin.ru>
 <06a74863-9588-ec68-8492-0e1a8ff2afe3@lucee.org>
 <CALqce=3wUgbRTYwHox8p0m5ShSF33GgZ-1fszEeRFBZ57XeT3w@mail.gmail.com>
Message-ID: <20170413142647.GG13617@mdounin.ru>

Hello!

On Thu, Apr 13, 2017 at 09:54:34AM +0200, B.R. via nginx wrote:

> Even though using nginx on Windows goes way over my head (even for
> development) and/or seing WIndows as any kind of server, I read that
> Windows Vista+ support the poll (well, actually WSAPoll
> <https://msdn.microsoft.com/en-us/library/windows/desktop/ms741669.aspx>)
> system call.
> Since XP may now reasonably be called something of the past, would not it
> be nice to go for it? No epoll, though.

I've looked into WSAPoll() support a while ago.  Unfortunately, XP 
is still widely used in real life, over 5% worldwide:

http://gs.statcounter.com/os-version-market-share/windows/desktop/worldwide

This is likely to become an option in the not-so-distant future though.

-- 
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru  Thu Apr 13 14:34:54 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Thu, 13 Apr 2017 17:34:54 +0300
Subject: weight and balancing in upstream proxy
In-Reply-To: <CALqce=1XuLpnh-3bPUCDvNmEDda8qz9Ejef14yDVZjQzfi3KCA@mail.gmail.com>
References: <CAOXPdC-2vq7nBnpg0AvM_842KcBq+2pMNwdERiH0HDEs1OwtuQ@mail.gmail.com>
 <CALqce=1XuLpnh-3bPUCDvNmEDda8qz9Ejef14yDVZjQzfi3KCA@mail.gmail.com>
Message-ID: <20170413143454.GH13617@mdounin.ru>

Hello!

On Thu, Apr 13, 2017 at 10:09:16AM +0200, B.R. via nginx wrote:

> That is an interesting questions as intuitively, people could think the
> former behavior applies.
> 
> If I got the source code
> <https://trac.nginx.org/nginx/browser/nginx/src/http/ngx_http_upstream_round_robin.c#L507>
> right, and as the docs
> <https://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream>
> state, nginx is following a weighted round-robin
> <https://en.wikipedia.org/wiki/Weighted_round_robin> algorithm.
> It thus means it will go over the same list of servers everytime a peer
> needs to be chosen (ie for every request), and pick the first not having
> depleted its weight allocation.
> 
> To me, it would use the latter of your proposals.
> ?Please correct me if I am wrong, so incorrect information does not
> propagate too much. :o)?

The Wikipedia link in question doesn't seem to be related to what 
nginx does.

-- 
Maxim Dounin
http://nginx.org/

From ajaygargnsit at gmail.com  Thu Apr 13 14:50:15 2017
From: ajaygargnsit at gmail.com (Ajay Garg)
Date: Thu, 13 Apr 2017 20:20:15 +0530
Subject: Unable to resolve the "Access-Control-Allow-Origin" issue
In-Reply-To: <CAHP4M8VmPuMxMPo2bnU8o4K+MXi7TjXZpxqYEq-hMn4zpezYGw@mail.gmail.com>
References: <CAHP4M8Xk397qNFP_sJSi0u9ETo0MKmShzkXWuLDEOcA5LxHMMQ@mail.gmail.com>
 <CAHP4M8WWnnZzkZmBP6gsNX8QcLgR-OpsfzUTn4inXkO9Gj9LKA@mail.gmail.com>
 <CAKWQeyjpDOYQThDv=vMhQM1nerEm8OZzepcW2-1TMsbE731j7Q@mail.gmail.com>
 <CAHP4M8VZ7aFRSMK4iTRVc4009z7eJ2JeTMQnYDf3Sd23pk_zYg@mail.gmail.com>
 <CAHP4M8VmPuMxMPo2bnU8o4K+MXi7TjXZpxqYEq-hMn4zpezYGw@mail.gmail.com>
Message-ID: <CAHP4M8XgX5dW1gRc5kOsp_UUTD52PPa4zAypP50f0MsvyzRnhw@mail.gmail.com>

Strange, but rebooting the machine caused the credentials-popup to be
seen again :-|
Sorry for the noise here.

There has been some progress, but still get a "CORS preflight did not
succeed error".
Following is what I am doing.


a)
Following is the server-block in /etc/nginx/conf.d/default.conf ::

##########################################################################
server {

                listen 443 ssl;

                ssl_certificate /etc/nginx/ssl/nginx.crt;
                ssl_certificate_key /etc/nginx/ssl/nginx.key;

                add_header 'Access-Control-Max-Age' 1728000 'always';
                add_header 'Access-Control-Allow-Origin' $http_origin 'always';
                add_header 'Access-Control-Allow-Credentials' 'true' 'always';
                add_header 'Access-Control-Allow-Methods' 'GET, POST,
OPTIONS' 'always';
                add_header 'Access-Control-Allow-Headers'
'DNT,Access-Control-Allow-Origin,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'
'always';

                location / {

                        auth_basic 'Restricted';
                        auth_basic_user_file /etc/nginx/ssl/.htpasswd;

                        proxy_set_header 'Access-Control-Max-Age' 1728000;
                        proxy_set_header 'Access-Control-Allow-Origin' '*';
                        proxy_set_header
'Access-Control-Allow-Credentials' 'true';
                        proxy_set_header
'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
                        proxy_set_header
'Access-Control-Allow-Headers'
'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

                        proxy_pass
$forwarded_protocol://127.0.0.1:$forwarded_port;

                }
        }
##########################################################################




b)
Firing the following html from firefox (sensitive information changed) ::

##########################################################################
<html>
<body>
<script type="text/javascript">
var data = null;

var xhr = new XMLHttpRequest();
xhr.withCredentials = true;

xhr.addEventListener("readystatechange", function () {
      if (this.readyState === 4) {
              console.log(this.responseText);
                }
});

xhr.open("GET", "https://1.2.3.4/");
xhr.setRequestHeader("authorization", "Basic abcdefg");
xhr.setRequestHeader("cache-control", "no-cache");

xhr.send(data);
</script>
</body>
</html>
##########################################################################



Following is received in the firebug-console (sensitive information changed) ::

##########################################################################
GET https://23.253.207.208/
uff.html (line 19)
Headers

Accept
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding   gzip, deflate, br
Accept-Language   en-US,en;q=0.5
Authorization         Basic abcdefg
Cache-Control       no-cache
Host                     1.2.3.4
Origin                    null
User-Agent            Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:47.0)
Gecko/20100101 Firefox/47.0


Cross-Origin Request Blocked: The Same Origin Policy disallows reading
the remote resource at https://1.2.3.4/. (Reason: CORS preflight
channel did not succeed).
##########################################################################


I am beginning to believe that I am close to solving the issue (of
course all credit to tremendous help from this list).
I will be grateful for the last bit of help being received by the
really helpful experts here..

Sorry again for the noise in my previous email.


Thanks and Regards,
Ajay

From mdounin at mdounin.ru  Thu Apr 13 15:07:37 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Thu, 13 Apr 2017 18:07:37 +0300
Subject: HTTP/2 on the Upstream
In-Reply-To: <e2f54ceb-6c2d-8fb8-1465-34464a112bb9@lucee.org>
References: <cc9456a8-48f7-3518-efc7-59fbef2270ea@lucee.org>
 <20170412195947.GF13617@mdounin.ru>
 <7c70d560-3b3f-5e6a-1475-852de3ea25f8@lucee.org>
 <e2f54ceb-6c2d-8fb8-1465-34464a112bb9@lucee.org>
Message-ID: <20170413150737.GJ13617@mdounin.ru>

Hello!

On Wed, Apr 12, 2017 at 05:08:53PM -0700, Igal @ Lucee.org wrote:

> On 4/12/2017 12:59 PM, Maxim Dounin wrote:
> > It's just a matter of providing upstream servers
> > with a way to push resources, e.g., via something like the
> > X-Accel-Push header or something like this.  This doesn't need
> > HTTP/2 between nginx and upstream servers.
> 
> On 4/12/2017 2:13 PM, Igal @ Lucee.org wrote:
> >
> > If my Upstream (Tomcat, for example) generates a dynamic page for the 
> > client, then it can keep track of all of the images on that page and 
> > then push them.  How can the Upstream "tell" nginx what to Push?
> >
> 
> Upon studying HTTP/2 Push further I have learned that the way to do so 
> is with the "Link" header, e.g.
> 
> Link: </res/css/style.css>; rel=preload; as=style, </res/min/script.js>; 
> rel=preload; as=script
> 
> Chrome developer tools confirms that these assets are being pushed, so 
> it's all good.

Note: there is no HTTP/2 push support in nginx as of now.  If you 
indeed see the resources being pushed with the "Link" header, 
likely you are using cloudflare and this is something Cloudflare 
does for you.

Note well that pushing all of the resources used on the page 
is very likely to do more harm than good, since in many cases 
browsers already have static resources cached.

-- 
Maxim Dounin
http://nginx.org/

From igal at lucee.org  Thu Apr 13 15:16:22 2017
From: igal at lucee.org (Igal @ Lucee.org)
Date: Thu, 13 Apr 2017 08:16:22 -0700
Subject: HTTP/2 on the Upstream
In-Reply-To: <20170413150737.GJ13617@mdounin.ru>
References: <cc9456a8-48f7-3518-efc7-59fbef2270ea@lucee.org>
 <20170412195947.GF13617@mdounin.ru>
 <7c70d560-3b3f-5e6a-1475-852de3ea25f8@lucee.org>
 <e2f54ceb-6c2d-8fb8-1465-34464a112bb9@lucee.org>
 <20170413150737.GJ13617@mdounin.ru>
Message-ID: <7c37ad41-3495-e189-bf29-ce89ad8bf585@lucee.org>

Maxim,

On 4/13/2017 8:07 AM, Maxim Dounin wrote:
> Note: there is no HTTP/2 push support in nginx as of now.  If you
> indeed see the resources being pushed with the "Link" header,
> likely you are using cloudflare and this is something Cloudflare
> does for you.
Thank you for clarifying.  That did puzzle me a bit and I thought that I 
simply misunderstood the Push process.

What I see in Developer Tools is that the resources that I reference in 
the "Link" header are downloaded first, and are downloaded faster.  The 
"Initiator" of those resources shows as "Other", as opposed to most 
other resources who show something like a URI.

> Note well that pushing all of the resources used on the page
> is very likely to do more harm than good, since in many cases
> browsers already have static resources cached.
Understood.  I am only "pushing" (I guess not a real push, but a 
suggestion to the browser via the "Link" header) links to a few 
resources that are required for loading and rendering the page, like the 
stylesheet, javascript, and image sprite.

Thanks,

Igal Sapir
Lucee Core Developer
Lucee.org <http://lucee.org/>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170413/7b3f3a89/attachment.html>

From r1ch+nginx at teamliquid.net  Thu Apr 13 17:37:01 2017
From: r1ch+nginx at teamliquid.net (Richard Stanway)
Date: Thu, 13 Apr 2017 19:37:01 +0200
Subject: Unable to resolve the "Access-Control-Allow-Origin" issue
In-Reply-To: <CAHP4M8XgX5dW1gRc5kOsp_UUTD52PPa4zAypP50f0MsvyzRnhw@mail.gmail.com>
References: <CAHP4M8Xk397qNFP_sJSi0u9ETo0MKmShzkXWuLDEOcA5LxHMMQ@mail.gmail.com>
 <CAHP4M8WWnnZzkZmBP6gsNX8QcLgR-OpsfzUTn4inXkO9Gj9LKA@mail.gmail.com>
 <CAKWQeyjpDOYQThDv=vMhQM1nerEm8OZzepcW2-1TMsbE731j7Q@mail.gmail.com>
 <CAHP4M8VZ7aFRSMK4iTRVc4009z7eJ2JeTMQnYDf3Sd23pk_zYg@mail.gmail.com>
 <CAHP4M8VmPuMxMPo2bnU8o4K+MXi7TjXZpxqYEq-hMn4zpezYGw@mail.gmail.com>
 <CAHP4M8XgX5dW1gRc5kOsp_UUTD52PPa4zAypP50f0MsvyzRnhw@mail.gmail.com>
Message-ID: <CAKWQeyinEkMfOWb_ZTBXzeAt1u0kXtyUZWr_SOGA=ckEAX5G7A@mail.gmail.com>

You're missing the "Authorization" header in
your Access-Control-Allow-Headers directive.

You can alternatively pass the basic auth in your URI, eg xhr.open("GET", "
https://username:password at 1.2.3.4/") rather than crafting it manually.

On Thu, Apr 13, 2017 at 4:50 PM, Ajay Garg <ajaygargnsit at gmail.com> wrote:

> Strange, but rebooting the machine caused the credentials-popup to be
> seen again :-|
> Sorry for the noise here.
>
> There has been some progress, but still get a "CORS preflight did not
> succeed error".
> Following is what I am doing.
>
>
> a)
> Following is the server-block in /etc/nginx/conf.d/default.conf ::
>
> ##########################################################################
> server {
>
>                 listen 443 ssl;
>
>                 ssl_certificate /etc/nginx/ssl/nginx.crt;
>                 ssl_certificate_key /etc/nginx/ssl/nginx.key;
>
>                 add_header 'Access-Control-Max-Age' 1728000 'always';
>                 add_header 'Access-Control-Allow-Origin' $http_origin
> 'always';
>                 add_header 'Access-Control-Allow-Credentials' 'true'
> 'always';
>                 add_header 'Access-Control-Allow-Methods' 'GET, POST,
> OPTIONS' 'always';
>                 add_header 'Access-Control-Allow-Headers'
> 'DNT,Access-Control-Allow-Origin,X-CustomHeader,Keep-
> Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-
> Control,Content-Type'
> 'always';
>
>                 location / {
>
>                         auth_basic 'Restricted';
>                         auth_basic_user_file /etc/nginx/ssl/.htpasswd;
>
>                         proxy_set_header 'Access-Control-Max-Age' 1728000;
>                         proxy_set_header 'Access-Control-Allow-Origin' '*';
>                         proxy_set_header
> 'Access-Control-Allow-Credentials' 'true';
>                         proxy_set_header
> 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
>                         proxy_set_header
> 'Access-Control-Allow-Headers'
> 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-
> With,If-Modified-Since,Cache-Control,Content-Type';
>
>                         proxy_pass
> $forwarded_protocol://127.0.0.1:$forwarded_port;
>
>                 }
>         }
> ##########################################################################
>
>
>
>
> b)
> Firing the following html from firefox (sensitive information changed) ::
>
> ##########################################################################
> <html>
> <body>
> <script type="text/javascript">
> var data = null;
>
> var xhr = new XMLHttpRequest();
> xhr.withCredentials = true;
>
> xhr.addEventListener("readystatechange", function () {
>       if (this.readyState === 4) {
>               console.log(this.responseText);
>                 }
> });
>
> xhr.open("GET", "https://1.2.3.4/");
> xhr.setRequestHeader("authorization", "Basic abcdefg");
> xhr.setRequestHeader("cache-control", "no-cache");
>
> xhr.send(data);
> </script>
> </body>
> </html>
> ##########################################################################
>
>
>
> Following is received in the firebug-console (sensitive information
> changed) ::
>
> ##########################################################################
> GET https://23.253.207.208/
> uff.html (line 19)
> Headers
>
> Accept
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Encoding   gzip, deflate, br
> Accept-Language   en-US,en;q=0.5
> Authorization         Basic abcdefg
> Cache-Control       no-cache
> Host                     1.2.3.4
> Origin                    null
> User-Agent            Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:47.0)
> Gecko/20100101 Firefox/47.0
>
>
> Cross-Origin Request Blocked: The Same Origin Policy disallows reading
> the remote resource at https://1.2.3.4/. (Reason: CORS preflight
> channel did not succeed).
> ##########################################################################
>
>
> I am beginning to believe that I am close to solving the issue (of
> course all credit to tremendous help from this list).
> I will be grateful for the last bit of help being received by the
> really helpful experts here..
>
> Sorry again for the noise in my previous email.
>
>
> Thanks and Regards,
> Ajay
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170413/30df2e7b/attachment-0001.html>

From nginx-forum at forum.nginx.org  Thu Apr 13 19:54:53 2017
From: nginx-forum at forum.nginx.org (Unsay)
Date: Thu, 13 Apr 2017 15:54:53 -0400
Subject: nginScript and accessing cookies
In-Reply-To: <CAHmnZdagZSH2kYBpJuD6FaKWZ3oPQ4-q6wvLdv8FZb_v9QHtjA@mail.gmail.com>
References: <CAHmnZdagZSH2kYBpJuD6FaKWZ3oPQ4-q6wvLdv8FZb_v9QHtjA@mail.gmail.com>
Message-ID: <de32673125ddc29e1f00d476ec074aa8.NginxMailingListEnglish@forum.nginx.org>

Okay, I've found the answer to my question.

nginScript supports access to all of NGINX's variables. This also provides
access to the cookie like so:

myfunction(req, res) {
  var cookie = req.variables.http_cookie;
}

Kind regards

Andreas

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273509,273626#msg-273626


From nginx-forum at forum.nginx.org  Thu Apr 13 20:16:41 2017
From: nginx-forum at forum.nginx.org (Unsay)
Date: Thu, 13 Apr 2017 16:16:41 -0400
Subject: nginScript filesystem access
Message-ID: <8ee5b048352077554746b3ecd2915799.NginxMailingListEnglish@forum.nginx.org>

Hello

We'd like to move a rather complicated multilingual website over to nginx. I
must determine if we can handle the somewhat involved language based
redirects in nginScript middleware (javascript).

At one point I must redirect based on whether or not a file exists. In the
configuration file I could do this like so:

if (-f $realpath_root$url) {
...
}

However, that doesn't help me since all the redirection logic is in a
javascript function.

How can I do that same test from within the javascript function rather than
in the config file?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273628,273628#msg-273628


From nginx-forum at forum.nginx.org  Thu Apr 13 21:26:35 2017
From: nginx-forum at forum.nginx.org (daveyfx)
Date: Thu, 13 Apr 2017 17:26:35 -0400
Subject: auth_basic and satisfy allowing all traffic
Message-ID: <60dae17a8cf35ed9361be4a76b93bd67.NginxMailingListEnglish@forum.nginx.org>

Hi all -

I'm having an issue trying to get auth_basic and satisfy directives working
in tandem.  If I use auth_basic/auth_basic_user_file on its own, I am
prompted for credentials as expected.  However, if I added the
satisfy/allow/deny directives above, it seems that ALL traffic is allowed in
without prompting for auth.

Here's how I have it.

    satisfy any;
    allow 38.103.XX.XXX/32;     # HQIP
    allow 38.118.XX.XXX/32;     # User VPN IP
    deny all;

    auth_basic "Site Restricted";
    auth_basic_user_file includes/htpasswd.site.dev.conf;

When I look though my access logs, I see the correct client IP as well.

nginx version is 1.10.1

Thank you for your help.

Dave

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273629,273629#msg-273629


From gfrankliu at gmail.com  Thu Apr 13 23:08:23 2017
From: gfrankliu at gmail.com (Frank Liu)
Date: Thu, 13 Apr 2017 16:08:23 -0700
Subject: weight and balancing in upstream proxy
In-Reply-To: <20170413143454.GH13617@mdounin.ru>
References: <CAOXPdC-2vq7nBnpg0AvM_842KcBq+2pMNwdERiH0HDEs1OwtuQ@mail.gmail.com>
 <CALqce=1XuLpnh-3bPUCDvNmEDda8qz9Ejef14yDVZjQzfi3KCA@mail.gmail.com>
 <20170413143454.GH13617@mdounin.ru>
Message-ID: <646E45D3-15EE-4917-81AD-C182FA32D548@gmail.com>

Hi Maxim,
Thanks for pointing out the link is not related. Do you have the answer to the original question or a related link?
Thanks
Frank

> On Apr 13, 2017, at 7:34 AM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> 
> Hello!
> 
>> On Thu, Apr 13, 2017 at 10:09:16AM +0200, B.R. via nginx wrote:
>> 
>> That is an interesting questions as intuitively, people could think the
>> former behavior applies.
>> 
>> If I got the source code
>> <https://trac.nginx.org/nginx/browser/nginx/src/http/ngx_http_upstream_round_robin.c#L507>
>> right, and as the docs
>> <https://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream>
>> state, nginx is following a weighted round-robin
>> <https://en.wikipedia.org/wiki/Weighted_round_robin> algorithm.
>> It thus means it will go over the same list of servers everytime a peer
>> needs to be chosen (ie for every request), and pick the first not having
>> depleted its weight allocation.
>> 
>> To me, it would use the latter of your proposals.
>> Please correct me if I am wrong, so incorrect information does not
>> propagate too much. :o)
> 
> The Wikipedia link in question doesn't seem to be related to what 
> nginx does.
> 
> -- 
> Maxim Dounin
> http://nginx.org/
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

From francis at daoine.org  Thu Apr 13 23:35:58 2017
From: francis at daoine.org (Francis Daly)
Date: Fri, 14 Apr 2017 00:35:58 +0100
Subject: Nginx - API Gateway is not forwarding the request to Auth Service
In-Reply-To: <5d1cebcbf1c93c193ff939a7bb80d8f7.NginxMailingListEnglish@forum.nginx.org>
References: <20170412214450.GQ3428@daoine.org>
 <5d1cebcbf1c93c193ff939a7bb80d8f7.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170413233558.GA10157@daoine.org>

On Thu, Apr 13, 2017 at 01:00:20AM -0400, zaidahmd wrote:

Hi there,

> > I've read your description, and I confess I'm not sure what benefit
> > auth_request within nginx gives you. It looks like your application is
> > doing its own auth check on every request anyway, so having nginx do
> > the same thing seems redundant. I'm probably missing something.
> 
> can u please tell me the concept and usage of auth_request module. What I

My understanding is that the auth_request module is especially useful
if you want some degree of authorization, but the application you want
to protect does not implement it.

> understood from the documentation is stated
> below."http://nginx.org/en/docs/http/ngx_http_auth_request_module.html"

For what it's worth, when I read the above url, the understanding I come
to does not exactly match the paragraph you write.

But that does not really matter: you have a configuration that does what
you want it to do. So what you have is good.

If you particularly want to test whether auth_request does anything
useful in your case, use a test system with the same configuration,
and remove the auth_request lines. If the effective behaviour changes,
then the lines were doing something that matters.

	f
-- 
Francis Daly        francis at daoine.org

From francis at daoine.org  Thu Apr 13 23:49:07 2017
From: francis at daoine.org (Francis Daly)
Date: Fri, 14 Apr 2017 00:49:07 +0100
Subject: weight and balancing in upstream proxy
In-Reply-To: <CAOXPdC-2vq7nBnpg0AvM_842KcBq+2pMNwdERiH0HDEs1OwtuQ@mail.gmail.com>
References: <CAOXPdC-2vq7nBnpg0AvM_842KcBq+2pMNwdERiH0HDEs1OwtuQ@mail.gmail.com>
Message-ID: <20170413234907.GB10157@daoine.org>

On Wed, Apr 12, 2017 at 02:50:08PM -0700, Frank Liu wrote:

Hi there,

> How does nginx balances traffic to upstream with different weight? If I
> have 3 servers in upstream, with weight 1, 2, 4, assuming all are healthy,
> will nginx send traffic to server 1, 2, 3, 2, 3, 3, 3 or 1, 2, 2, 3, 3, 3,
> 3?

If you want to know what your current nginx version does, it should not
be too difficult to test:

One nginx.conf. One http section. One upstream{} listing multiple
ip:ports. One server{} which proxy_pass:es to that upstream. Multiple
server{}s, each of which listens on one ip:port, writes to a different
access_log, and does something like "return 200 ok;".

Then for increasing numbers X, "GET /X" on the main server. Look at
the individual access log files to see which server handled /1, which
handled /2, etc. By the time you get to 700, you'll either see that
there is a reliably repeating pattern, or you'll see that it is probably
randomish.


If you actually care about what pattern is used; or if you want to
guarantee that the same pattern will be used in future nginx versions;
then get your preferred code written and use that instead of whatever
nginx uses.


If you want to know what guarantee there is that the behaviour will not
change in the future: I'd say "none", except that there is a good chance
that what is written in the documentation will be honoured. Paraphrasing
that, for the above case: for 7 requests, 1 will go to the first server;
2 to the second; and 4 to the third.

> If I have two servers with both weight 50, will nginx will 50 requests
> to server 1, and then 50 to server 2, or will it calculate the ration to be
> 1:1 and send one after another?

Same answer: it does not seem to difficult to test, if you don't want
to read the available source.

Good luck with it!

	f
-- 
Francis Daly        francis at daoine.org

From francis at daoine.org  Fri Apr 14 00:17:53 2017
From: francis at daoine.org (Francis Daly)
Date: Fri, 14 Apr 2017 01:17:53 +0100
Subject: auth_basic and satisfy allowing all traffic
In-Reply-To: <60dae17a8cf35ed9361be4a76b93bd67.NginxMailingListEnglish@forum.nginx.org>
References: <60dae17a8cf35ed9361be4a76b93bd67.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170414001753.GC10157@daoine.org>

On Thu, Apr 13, 2017 at 05:26:35PM -0400, daveyfx wrote:

Hi there,

> However, if I added the
> satisfy/allow/deny directives above, it seems that ALL traffic is allowed in
> without prompting for auth.

It works for me.

Can you provide a complete config that shows the problem you report?

What I have is:

==
  server {
    listen 8080;
    satisfy any;
    allow 127.0.0.1/32;
    allow 127.0.0.2/32;
    deny all;
    auth_basic "Site Restricted";
    auth_basic_user_file includes/htpasswd.site.dev.conf;
  }
==

Then "curl -i http://127.0.0.2:8080/x" returns 200 with the content
of /usr/local/nginx/html/x, while "curl -i http://127.0.0.3:8080/x"
returns 401 with

WWW-Authenticate: Basic realm="Site Restricted"


What do you see when you do that exact test?

How does it differ from the problem case you reported?

Cheers,

	f
-- 
Francis Daly        francis at daoine.org

From francis at daoine.org  Fri Apr 14 00:47:55 2017
From: francis at daoine.org (Francis Daly)
Date: Fri, 14 Apr 2017 01:47:55 +0100
Subject: Unable to resolve the "Access-Control-Allow-Origin" issue
In-Reply-To: <CAHP4M8XgX5dW1gRc5kOsp_UUTD52PPa4zAypP50f0MsvyzRnhw@mail.gmail.com>
References: <CAHP4M8Xk397qNFP_sJSi0u9ETo0MKmShzkXWuLDEOcA5LxHMMQ@mail.gmail.com>
 <CAHP4M8WWnnZzkZmBP6gsNX8QcLgR-OpsfzUTn4inXkO9Gj9LKA@mail.gmail.com>
 <CAKWQeyjpDOYQThDv=vMhQM1nerEm8OZzepcW2-1TMsbE731j7Q@mail.gmail.com>
 <CAHP4M8VZ7aFRSMK4iTRVc4009z7eJ2JeTMQnYDf3Sd23pk_zYg@mail.gmail.com>
 <CAHP4M8VmPuMxMPo2bnU8o4K+MXi7TjXZpxqYEq-hMn4zpezYGw@mail.gmail.com>
 <CAHP4M8XgX5dW1gRc5kOsp_UUTD52PPa4zAypP50f0MsvyzRnhw@mail.gmail.com>
Message-ID: <20170414004755.GD10157@daoine.org>

On Thu, Apr 13, 2017 at 08:20:15PM +0530, Ajay Garg wrote:

Hi there,

> There has been some progress, but still get a "CORS preflight did not
> succeed error".

What do the nginx logs say happened?

What should the nginx logs say, if everything worked the way you want
it to?

> Following is received in the firebug-console (sensitive information changed) ::

> Host                     1.2.3.4
> Origin                    null

Does anything different happen if you serve this html file from your
1.2.3.4 server, instead of (I presume) by reading a local file?

Will your final use case involve a local file, a resource from the 1.2.3.4
server, or something else?

	f
-- 
Francis Daly        francis at daoine.org

From nginx-forum at forum.nginx.org  Fri Apr 14 03:49:50 2017
From: nginx-forum at forum.nginx.org (daveyfx)
Date: Thu, 13 Apr 2017 23:49:50 -0400
Subject: auth_basic and satisfy allowing all traffic
In-Reply-To: <20170414001753.GC10157@daoine.org>
References: <20170414001753.GC10157@daoine.org>
Message-ID: <593b50077c0b6f4db932cbd90e74e564.NginxMailingListEnglish@forum.nginx.org>

Hi Francis -

In both cases, I get a 404 response, which is to be expected as the default
doc root for nginx isn't served on my host.  I should expect a 401 on the
second curl test, but I get a 404.

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 14 Apr 2017 03:44:19 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Vary: Accept-Encoding

<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273629,273636#msg-273636


From ajaygargnsit at gmail.com  Fri Apr 14 04:47:15 2017
From: ajaygargnsit at gmail.com (Ajay Garg)
Date: Fri, 14 Apr 2017 10:17:15 +0530
Subject: Unable to resolve the "Access-Control-Allow-Origin" issue
In-Reply-To: <CAKWQeyinEkMfOWb_ZTBXzeAt1u0kXtyUZWr_SOGA=ckEAX5G7A@mail.gmail.com>
References: <CAHP4M8Xk397qNFP_sJSi0u9ETo0MKmShzkXWuLDEOcA5LxHMMQ@mail.gmail.com>
 <CAHP4M8WWnnZzkZmBP6gsNX8QcLgR-OpsfzUTn4inXkO9Gj9LKA@mail.gmail.com>
 <CAKWQeyjpDOYQThDv=vMhQM1nerEm8OZzepcW2-1TMsbE731j7Q@mail.gmail.com>
 <CAHP4M8VZ7aFRSMK4iTRVc4009z7eJ2JeTMQnYDf3Sd23pk_zYg@mail.gmail.com>
 <CAHP4M8VmPuMxMPo2bnU8o4K+MXi7TjXZpxqYEq-hMn4zpezYGw@mail.gmail.com>
 <CAHP4M8XgX5dW1gRc5kOsp_UUTD52PPa4zAypP50f0MsvyzRnhw@mail.gmail.com>
 <CAKWQeyinEkMfOWb_ZTBXzeAt1u0kXtyUZWr_SOGA=ckEAX5G7A@mail.gmail.com>
Message-ID: <CAHP4M8XeXOKqkTfZPhwR-i3L045o8TYdjr12QLxrViuO6AByKA@mail.gmail.com>

Hi Richard.

You have got me thinking ...
https://username:password at 1.2.3.4/ works, even without ANY of the
"add_header" and "proxy_set_header" directives.

So, now the only thing that worries me is security.

http://stackoverflow.com/questions/4143196/is-get-data-also-encrypted-in-https
indicates that the URL is safe, in the sense that "username" and "password"
would not be sniffable through a man-in-the-middle attack, right?

Also, since 1.2.3.4 is our own server, so we are not really bothered about
GET-requests getting logged on the server, so we should be good.

Do I make sense?

Kindly let know your thoughts.


Thanks and Regards,
Ajay

On Thu, Apr 13, 2017 at 11:07 PM, Richard Stanway <r1ch+nginx at teamliquid.net
> wrote:

> You're missing the "Authorization" header in your Access-Control-Allow-Headers
> directive.
>
> You can alternatively pass the basic auth in your URI, eg xhr.open("GET", "
> https://username:password at 1.2.3.4/") rather than crafting it manually.
>
> On Thu, Apr 13, 2017 at 4:50 PM, Ajay Garg <ajaygargnsit at gmail.com> wrote:
>
>> Strange, but rebooting the machine caused the credentials-popup to be
>> seen again :-|
>> Sorry for the noise here.
>>
>> There has been some progress, but still get a "CORS preflight did not
>> succeed error".
>> Following is what I am doing.
>>
>>
>> a)
>> Following is the server-block in /etc/nginx/conf.d/default.conf ::
>>
>> ############################################################
>> ##############
>> server {
>>
>>                 listen 443 ssl;
>>
>>                 ssl_certificate /etc/nginx/ssl/nginx.crt;
>>                 ssl_certificate_key /etc/nginx/ssl/nginx.key;
>>
>>                 add_header 'Access-Control-Max-Age' 1728000 'always';
>>                 add_header 'Access-Control-Allow-Origin' $http_origin
>> 'always';
>>                 add_header 'Access-Control-Allow-Credentials' 'true'
>> 'always';
>>                 add_header 'Access-Control-Allow-Methods' 'GET, POST,
>> OPTIONS' 'always';
>>                 add_header 'Access-Control-Allow-Headers'
>> 'DNT,Access-Control-Allow-Origin,X-CustomHeader,Keep-Alive,
>> User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'
>> 'always';
>>
>>                 location / {
>>
>>                         auth_basic 'Restricted';
>>                         auth_basic_user_file /etc/nginx/ssl/.htpasswd;
>>
>>                         proxy_set_header 'Access-Control-Max-Age' 1728000;
>>                         proxy_set_header 'Access-Control-Allow-Origin'
>> '*';
>>                         proxy_set_header
>> 'Access-Control-Allow-Credentials' 'true';
>>                         proxy_set_header
>> 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
>>                         proxy_set_header
>> 'Access-Control-Allow-Headers'
>> 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,
>> If-Modified-Since,Cache-Control,Content-Type';
>>
>>                         proxy_pass
>> $forwarded_protocol://127.0.0.1:$forwarded_port;
>>
>>                 }
>>         }
>> ############################################################
>> ##############
>>
>>
>>
>>
>> b)
>> Firing the following html from firefox (sensitive information changed) ::
>>
>> ############################################################
>> ##############
>> <html>
>> <body>
>> <script type="text/javascript">
>> var data = null;
>>
>> var xhr = new XMLHttpRequest();
>> xhr.withCredentials = true;
>>
>> xhr.addEventListener("readystatechange", function () {
>>       if (this.readyState === 4) {
>>               console.log(this.responseText);
>>                 }
>> });
>>
>> xhr.open("GET", "https://1.2.3.4/");
>> xhr.setRequestHeader("authorization", "Basic abcdefg");
>> xhr.setRequestHeader("cache-control", "no-cache");
>>
>> xhr.send(data);
>> </script>
>> </body>
>> </html>
>> ############################################################
>> ##############
>>
>>
>>
>> Following is received in the firebug-console (sensitive information
>> changed) ::
>>
>> ############################################################
>> ##############
>> GET https://23.253.207.208/
>> uff.html (line 19)
>> Headers
>>
>> Accept
>> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> Accept-Encoding   gzip, deflate, br
>> Accept-Language   en-US,en;q=0.5
>> Authorization         Basic abcdefg
>> Cache-Control       no-cache
>> Host                     1.2.3.4
>> Origin                    null
>> User-Agent            Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:47.0)
>> Gecko/20100101 Firefox/47.0
>>
>>
>> Cross-Origin Request Blocked: The Same Origin Policy disallows reading
>> the remote resource at https://1.2.3.4/. (Reason: CORS preflight
>> channel did not succeed).
>> ############################################################
>> ##############
>>
>>
>> I am beginning to believe that I am close to solving the issue (of
>> course all credit to tremendous help from this list).
>> I will be grateful for the last bit of help being received by the
>> really helpful experts here..
>>
>> Sorry again for the noise in my previous email.
>>
>>
>> Thanks and Regards,
>> Ajay
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>



-- 
Regards,
Ajay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170414/a1d38089/attachment.html>

From gfrankliu at gmail.com  Fri Apr 14 05:08:21 2017
From: gfrankliu at gmail.com (Frank Liu)
Date: Thu, 13 Apr 2017 22:08:21 -0700
Subject: weight and balancing in upstream proxy
In-Reply-To: <20170413234907.GB10157@daoine.org>
References: <CAOXPdC-2vq7nBnpg0AvM_842KcBq+2pMNwdERiH0HDEs1OwtuQ@mail.gmail.com>
 <20170413234907.GB10157@daoine.org>
Message-ID: <CAOXPdC9u4AFvSX--edckjMzv3zZfk0h_qPOUZf8rE7EfANxhFQ@mail.gmail.com>

Hi Francis,

Thanks for confirming that there is no document, and any results observed
through testing or reviewing code will not be guaranteed. I guess it is
purposely undocumented so that people won't rely on one behavior and we are
free to change.

Regards,
Frank


On Thu, Apr 13, 2017 at 4:49 PM, Francis Daly <francis at daoine.org> wrote:

> On Wed, Apr 12, 2017 at 02:50:08PM -0700, Frank Liu wrote:
>
> Hi there,
>
> > How does nginx balances traffic to upstream with different weight? If I
> > have 3 servers in upstream, with weight 1, 2, 4, assuming all are
> healthy,
> > will nginx send traffic to server 1, 2, 3, 2, 3, 3, 3 or 1, 2, 2, 3, 3,
> 3,
> > 3?
>
> If you want to know what your current nginx version does, it should not
> be too difficult to test:
>
> One nginx.conf. One http section. One upstream{} listing multiple
> ip:ports. One server{} which proxy_pass:es to that upstream. Multiple
> server{}s, each of which listens on one ip:port, writes to a different
> access_log, and does something like "return 200 ok;".
>
> Then for increasing numbers X, "GET /X" on the main server. Look at
> the individual access log files to see which server handled /1, which
> handled /2, etc. By the time you get to 700, you'll either see that
> there is a reliably repeating pattern, or you'll see that it is probably
> randomish.
>
>
> If you actually care about what pattern is used; or if you want to
> guarantee that the same pattern will be used in future nginx versions;
> then get your preferred code written and use that instead of whatever
> nginx uses.
>
>
> If you want to know what guarantee there is that the behaviour will not
> change in the future: I'd say "none", except that there is a good chance
> that what is written in the documentation will be honoured. Paraphrasing
> that, for the above case: for 7 requests, 1 will go to the first server;
> 2 to the second; and 4 to the third.
>
> > If I have two servers with both weight 50, will nginx will 50 requests
> > to server 1, and then 50 to server 2, or will it calculate the ration to
> be
> > 1:1 and send one after another?
>
> Same answer: it does not seem to difficult to test, if you don't want
> to read the available source.
>
> Good luck with it!
>
>         f
> --
> Francis Daly        francis at daoine.org
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170413/62920bd9/attachment.html>

From reallfqq-nginx at yahoo.fr  Fri Apr 14 07:13:47 2017
From: reallfqq-nginx at yahoo.fr (B.R.)
Date: Fri, 14 Apr 2017 09:13:47 +0200
Subject: weight and balancing in upstream proxy
In-Reply-To: <20170413143454.GH13617@mdounin.ru>
References: <CAOXPdC-2vq7nBnpg0AvM_842KcBq+2pMNwdERiH0HDEs1OwtuQ@mail.gmail.com>
 <CALqce=1XuLpnh-3bPUCDvNmEDda8qz9Ejef14yDVZjQzfi3KCA@mail.gmail.com>
 <20170413143454.GH13617@mdounin.ru>
Message-ID: <CALqce=1wumNRmd9WzjKVxdDw2KB+3t0602k2UHT-qnf30KcPBw@mail.gmail.com>

Please, enlighten us then.
---
*B. R.*

On Thu, Apr 13, 2017 at 4:34 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:

> Hello!
>
> On Thu, Apr 13, 2017 at 10:09:16AM +0200, B.R. via nginx wrote:
>
> > That is an interesting questions as intuitively, people could think the
> > former behavior applies.
> >
> > If I got the source code
> > <https://trac.nginx.org/nginx/browser/nginx/src/http/ngx_
> http_upstream_round_robin.c#L507>
> > right, and as the docs
> > <https://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream>
> > state, nginx is following a weighted round-robin
> > <https://en.wikipedia.org/wiki/Weighted_round_robin> algorithm.
> > It thus means it will go over the same list of servers everytime a peer
> > needs to be chosen (ie for every request), and pick the first not having
> > depleted its weight allocation.
> >
> > To me, it would use the latter of your proposals.
> > ?Please correct me if I am wrong, so incorrect information does not
> > propagate too much. :o)?
>
> The Wikipedia link in question doesn't seem to be related to what
> nginx does.
>
> --
> Maxim Dounin
> http://nginx.org/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170414/5b6e7ef7/attachment-0001.html>

From francis at daoine.org  Fri Apr 14 07:35:43 2017
From: francis at daoine.org (Francis Daly)
Date: Fri, 14 Apr 2017 08:35:43 +0100
Subject: weight and balancing in upstream proxy
In-Reply-To: <CAOXPdC9u4AFvSX--edckjMzv3zZfk0h_qPOUZf8rE7EfANxhFQ@mail.gmail.com>
References: <CAOXPdC-2vq7nBnpg0AvM_842KcBq+2pMNwdERiH0HDEs1OwtuQ@mail.gmail.com>
 <20170413234907.GB10157@daoine.org>
 <CAOXPdC9u4AFvSX--edckjMzv3zZfk0h_qPOUZf8rE7EfANxhFQ@mail.gmail.com>
Message-ID: <20170414073543.GE10157@daoine.org>

On Thu, Apr 13, 2017 at 10:08:21PM -0700, Frank Liu wrote:

Hi there,

> Thanks for confirming that there is no document, and any results observed
> through testing or reviewing code will not be guaranteed. I guess it is
> purposely undocumented so that people won't rely on one behavior and we are
> free to change.

The guarantee is written in the licence, available at
http://nginx.org/LICENSE.

Something similar is true for every aspect of every piece of behaviour
of every piece of software.

If there is specific behaviour you want, you always have the option
of finding someone who will commit to providing and preserving that
behaviour in future versions of the nginx that you use.

Or, if you know through testing and code review that the behaviour of
1.10.0 is exactly what you want, you always have the option of continuing
to use that version. (Compiled with your version of a compiler and
support libraries, and running with your version of an operating system
and runtime libraries.)


I suspect that the upstream round-robin implementation will not change in
the future without good reason, just like I expect that HTTP/1.0 support
will not change without good reason. But if things do change, and if
my comfort depends on the old behaviour persisting, I have the freedom
to ensure that the old behaviour does persist on my systems.

So I'd say that if it matters, you can see what the current code does,
and base your system on that.

Note that if your system relies on all upstreams remaining always
available, your system is probably fragile -- if you need a specific
pattern of access, and one of your upstreams is unavailable when nginx
wants it, the current nginx "recovery" behaviour may or may not be what
you want. And *that* behaviour (I think) depends on timings of incoming
requests, so may not be fully under your control anyway.

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org

From reallfqq-nginx at yahoo.fr  Fri Apr 14 07:41:36 2017
From: reallfqq-nginx at yahoo.fr (B.R.)
Date: Fri, 14 Apr 2017 09:41:36 +0200
Subject: upstream - behavior on pool exhaustion
Message-ID: <CALqce=38t_cq8vZTpDE5M_WYq7Kn8iv_i_xUrh-NWgoiMpZ9Bg@mail.gmail.com>

Hello,

Reading from upstream
<https://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream>
docs, on upstream pool exhaustion, every backend should be tried once, and
then if all fail the response should be crafted based on the one from the
last server attempt.
So far so good.

I recently faced a server farm which implements a dull nightly restart of
every node, not sequencing it, resulting in the possibility of having all
nodes offline at the same time.

However, I collected log entries which did not match what I was expected.
For 6 backend nodes, I got:
- log format: $status $body_bytes_sent $request_time $upstream_addr
$upstream_response_time
- log entry: 502 568 0.001 <IP address 1>:<port>, <IP address 2>:<port>,
<IP address 3>:<port>, <IP address 4>:<port>, <IP address 5>:<port>, <IP
address 6>:<port>, php-fpm 0.000, 0.000, 0.000, 0.000, 0.001, 0.000, 0.000
I got 7 entries for $upstream_addr & $upstream_response_time, instead of
the expected 6.

?Here are the interesting parts of the configuration:
upstream php-fpm {
    server <machine 1>:<port> down;
    server <machine 2>:<port> down;
    [...]
    server <machine N-5>:<port>;
    server <machine N-4>:<port>;
    server <machine N-3>:<port>;
    server <machine N-2>:<port>;
    server <machine N-1>:<port>;
    server <machine N>:<port>;
    keepalive 128;
}

?server {
    set $fpm_pool "php-fpm$fpm_pool_ID";
    [...]
        location ~ \.php$ {
            [...]
            fastcgi_read_timeout 600;
            fastcgi_keep_conn on;
            fastcgi_index index.php;

            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME
$document_root$fastcgi_script_name;
            [...]
            fastcgi_pass $fpm_pool;
        }
}

?The question is:
php-fpm being an upstream group name, how come has it been tried as a
domain name in the end?
Stated otherwise, is this because the upstream group is considered 'down',
thus somehow removed from the possibilities, and nginx trying one last time
the name as a domain name to see if something answers?
This 7th request is definitely strange to my point of view. Is it a bug or
a feature?
---
*B. R.*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170414/e8fd542e/attachment.html>

From francis at daoine.org  Fri Apr 14 07:48:37 2017
From: francis at daoine.org (Francis Daly)
Date: Fri, 14 Apr 2017 08:48:37 +0100
Subject: auth_basic and satisfy allowing all traffic
In-Reply-To: <593b50077c0b6f4db932cbd90e74e564.NginxMailingListEnglish@forum.nginx.org>
References: <20170414001753.GC10157@daoine.org>
 <593b50077c0b6f4db932cbd90e74e564.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170414074837.GF10157@daoine.org>

On Thu, Apr 13, 2017 at 11:49:50PM -0400, daveyfx wrote:

Hi there,

> In both cases, I get a 404 response, which is to be expected as the default
> doc root for nginx isn't served on my host.  I should expect a 401 on the
> second curl test, but I get a 404.

If your test nginx.conf contains the one server{} block that handles
requests on this ip:port, and that server{} block is exactly the 9 lines
from the previous mail, then I think you've found a significant bug in
the implementation, that does not show itself on my system.


I suspect that it is more likely that the server{} that nginx is using is
not the server{} that you think nginx is using to process these requests.

Or that some of the configuration that you have not shown is involved.

If you can show a minimal config that works, and a minimal config that
fails, then identifying the differences between the two will probably
reveal the fix.

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org

From ru at nginx.com  Fri Apr 14 08:21:47 2017
From: ru at nginx.com (Ruslan Ermilov)
Date: Fri, 14 Apr 2017 11:21:47 +0300
Subject: upstream - behavior on pool exhaustion
In-Reply-To: <CALqce=38t_cq8vZTpDE5M_WYq7Kn8iv_i_xUrh-NWgoiMpZ9Bg@mail.gmail.com>
References: <CALqce=38t_cq8vZTpDE5M_WYq7Kn8iv_i_xUrh-NWgoiMpZ9Bg@mail.gmail.com>
Message-ID: <20170414082147.GB95482@lo0.su>

On Fri, Apr 14, 2017 at 09:41:36AM +0200, B.R. via nginx wrote:
> Hello,
> 
> Reading from upstream
> <https://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream>
> docs, on upstream pool exhaustion, every backend should be tried once, and
> then if all fail the response should be crafted based on the one from the
> last server attempt.
> So far so good.
> 
> I recently faced a server farm which implements a dull nightly restart of
> every node, not sequencing it, resulting in the possibility of having all
> nodes offline at the same time.
> 
> However, I collected log entries which did not match what I was expected.
> For 6 backend nodes, I got:
> - log format: $status $body_bytes_sent $request_time $upstream_addr
> $upstream_response_time
> - log entry: 502 568 0.001 <IP address 1>:<port>, <IP address 2>:<port>,
> <IP address 3>:<port>, <IP address 4>:<port>, <IP address 5>:<port>, <IP
> address 6>:<port>, php-fpm 0.000, 0.000, 0.000, 0.000, 0.001, 0.000, 0.000
> I got 7 entries for $upstream_addr & $upstream_response_time, instead of
> the expected 6.
> 
> ?Here are the interesting parts of the configuration:
> upstream php-fpm {
>     server <machine 1>:<port> down;
>     server <machine 2>:<port> down;
>     [...]
>     server <machine N-5>:<port>;
>     server <machine N-4>:<port>;
>     server <machine N-3>:<port>;
>     server <machine N-2>:<port>;
>     server <machine N-1>:<port>;
>     server <machine N>:<port>;
>     keepalive 128;
> }
> 
> ?server {
>     set $fpm_pool "php-fpm$fpm_pool_ID";
>     [...]
>         location ~ \.php$ {
>             [...]
>             fastcgi_read_timeout 600;
>             fastcgi_keep_conn on;
>             fastcgi_index index.php;
> 
>             include fastcgi_params;
>             fastcgi_param SCRIPT_FILENAME
> $document_root$fastcgi_script_name;
>             [...]
>             fastcgi_pass $fpm_pool;
>         }
> }
> 
> ?The question is:
> php-fpm being an upstream group name, how come has it been tried as a
> domain name in the end?
> Stated otherwise, is this because the upstream group is considered 'down',
> thus somehow removed from the possibilities, and nginx trying one last time
> the name as a domain name to see if something answers?
> This 7th request is definitely strange to my point of view. Is it a bug or
> a feature?

A feature.

Most $upstream_* variables are vectored ones, and the number of entries
in their values corresponds to the number of tries made to select a peer.
When a peer cannot be selected at all (as in your case), the status is
502 and the name equals the upstream group name.

There could be several reasons why none of the peers can be selected.
For example, some peers are marked "down", and other peers were failing
and are now in the "unavailable" state.

The number of tries is limited by the number of servers in the group,
unless futher restricted by proxy_next_upstream_tries.  In your case,
since there are two "down" servers, and other servers are unavailable,
you reach the situation when a peer cannot be selected.  If you comment
out the two "down" servers, and try a few requests in a row when all
servers are physically unavailable, the first log entry will list all
of the attempted servers, and then for the next 10 seconds (in the
default config) you'll see only the upstream group name and 502 in
$upstream_status, until the servers become available again (see
max_fails/fail_timeout).

Hope this makes things a little bit clearer.

From al-nginx at none.at  Fri Apr 14 08:47:27 2017
From: al-nginx at none.at (Aleksandar Lazic)
Date: Fri, 14 Apr 2017 10:47:27 +0200
Subject: weight and balancing in upstream proxy
In-Reply-To: <CAOXPdC-2vq7nBnpg0AvM_842KcBq+2pMNwdERiH0HDEs1OwtuQ@mail.gmail.com>
References: <CAOXPdC-2vq7nBnpg0AvM_842KcBq+2pMNwdERiH0HDEs1OwtuQ@mail.gmail.com>
Message-ID: <54e15d5d01c6e23113a88c69413f98bb@none.at>

Hi.

Am 12-04-2017 23:50, schrieb Frank Liu:

> Hi,
> 
> How does nginx balances traffic to upstream with different weight?
> If I have 3 servers in upstream, with weight 1, 2, 4, assuming all are 
> healthy, will nginx send traffic to server 1, 2, 3, 2, 3, 3, 3 or 1, 2, 
> 2, 3, 3, 3, 3?
> If I have two servers with both weight 50, will nginx will 50 requests 
> to server 1, and then 50 to server 2, or will it calculate the ration 
> to be 1:1 and send one after another?

You can find a explanation of the algorithm in the commit messages.

http://hg.nginx.org/nginx/rev/c90801720a0c
http://hg.nginx.org/nginx/rev/d05ab8793a69
http://hg.nginx.org/nginx/rev/0811376954e4

I have found this with this query.

http://hg.nginx.org/nginx/log?rev=weight

Have you seen this doc?
http://nginx.org/en/docs/http/load_balancing.html

Best Regards
Aleks

From r1ch+nginx at teamliquid.net  Fri Apr 14 11:31:26 2017
From: r1ch+nginx at teamliquid.net (Richard Stanway)
Date: Fri, 14 Apr 2017 13:31:26 +0200
Subject: Unable to resolve the "Access-Control-Allow-Origin" issue
In-Reply-To: <CAHP4M8XeXOKqkTfZPhwR-i3L045o8TYdjr12QLxrViuO6AByKA@mail.gmail.com>
References: <CAHP4M8Xk397qNFP_sJSi0u9ETo0MKmShzkXWuLDEOcA5LxHMMQ@mail.gmail.com>
 <CAHP4M8WWnnZzkZmBP6gsNX8QcLgR-OpsfzUTn4inXkO9Gj9LKA@mail.gmail.com>
 <CAKWQeyjpDOYQThDv=vMhQM1nerEm8OZzepcW2-1TMsbE731j7Q@mail.gmail.com>
 <CAHP4M8VZ7aFRSMK4iTRVc4009z7eJ2JeTMQnYDf3Sd23pk_zYg@mail.gmail.com>
 <CAHP4M8VmPuMxMPo2bnU8o4K+MXi7TjXZpxqYEq-hMn4zpezYGw@mail.gmail.com>
 <CAHP4M8XgX5dW1gRc5kOsp_UUTD52PPa4zAypP50f0MsvyzRnhw@mail.gmail.com>
 <CAKWQeyinEkMfOWb_ZTBXzeAt1u0kXtyUZWr_SOGA=ckEAX5G7A@mail.gmail.com>
 <CAHP4M8XeXOKqkTfZPhwR-i3L045o8TYdjr12QLxrViuO6AByKA@mail.gmail.com>
Message-ID: <CAKWQeyisciZXuF+NN6=W=+uJ3dFXgFCSyYjH=Katxf+LtUU_cQ@mail.gmail.com>

You're correct - placing the username and password in the URI is just as
safe as any other method as long as it's going over HTTPS, and the
credentials should never appear in any access logs (unless you specifically
choose to log the Authorization header).

On Fri, Apr 14, 2017 at 6:47 AM, Ajay Garg <ajaygargnsit at gmail.com> wrote:

> Hi Richard.
>
> You have got me thinking ...
> https://username:password at 1.2.3.4/ works, even without ANY of the
> "add_header" and "proxy_set_header" directives.
>
> So, now the only thing that worries me is security.
>
> http://stackoverflow.com/questions/4143196/is-get-data-
> also-encrypted-in-https indicates that the URL is safe, in the sense that
> "username" and "password" would not be sniffable through a
> man-in-the-middle attack, right?
>
> Also, since 1.2.3.4 is our own server, so we are not really bothered about
> GET-requests getting logged on the server, so we should be good.
>
> Do I make sense?
>
> Kindly let know your thoughts.
>
>
> Thanks and Regards,
> Ajay
>
> On Thu, Apr 13, 2017 at 11:07 PM, Richard Stanway <
> r1ch+nginx at teamliquid.net> wrote:
>
>> You're missing the "Authorization" header in
>> your Access-Control-Allow-Headers directive.
>>
>> You can alternatively pass the basic auth in your URI, eg xhr.open("GET",
>> "https://username:password at 1.2.3.4/") rather than crafting it manually.
>>
>> On Thu, Apr 13, 2017 at 4:50 PM, Ajay Garg <ajaygargnsit at gmail.com>
>> wrote:
>>
>>> Strange, but rebooting the machine caused the credentials-popup to be
>>> seen again :-|
>>> Sorry for the noise here.
>>>
>>> There has been some progress, but still get a "CORS preflight did not
>>> succeed error".
>>> Following is what I am doing.
>>>
>>>
>>> a)
>>> Following is the server-block in /etc/nginx/conf.d/default.conf ::
>>>
>>> ############################################################
>>> ##############
>>> server {
>>>
>>>                 listen 443 ssl;
>>>
>>>                 ssl_certificate /etc/nginx/ssl/nginx.crt;
>>>                 ssl_certificate_key /etc/nginx/ssl/nginx.key;
>>>
>>>                 add_header 'Access-Control-Max-Age' 1728000 'always';
>>>                 add_header 'Access-Control-Allow-Origin' $http_origin
>>> 'always';
>>>                 add_header 'Access-Control-Allow-Credentials' 'true'
>>> 'always';
>>>                 add_header 'Access-Control-Allow-Methods' 'GET, POST,
>>> OPTIONS' 'always';
>>>                 add_header 'Access-Control-Allow-Headers'
>>> 'DNT,Access-Control-Allow-Origin,X-CustomHeader,Keep-Alive,U
>>> ser-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'
>>> 'always';
>>>
>>>                 location / {
>>>
>>>                         auth_basic 'Restricted';
>>>                         auth_basic_user_file /etc/nginx/ssl/.htpasswd;
>>>
>>>                         proxy_set_header 'Access-Control-Max-Age'
>>> 1728000;
>>>                         proxy_set_header 'Access-Control-Allow-Origin'
>>> '*';
>>>                         proxy_set_header
>>> 'Access-Control-Allow-Credentials' 'true';
>>>                         proxy_set_header
>>> 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
>>>                         proxy_set_header
>>> 'Access-Control-Allow-Headers'
>>> 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,I
>>> f-Modified-Since,Cache-Control,Content-Type';
>>>
>>>                         proxy_pass
>>> $forwarded_protocol://127.0.0.1:$forwarded_port;
>>>
>>>                 }
>>>         }
>>> ############################################################
>>> ##############
>>>
>>>
>>>
>>>
>>> b)
>>> Firing the following html from firefox (sensitive information changed) ::
>>>
>>> ############################################################
>>> ##############
>>> <html>
>>> <body>
>>> <script type="text/javascript">
>>> var data = null;
>>>
>>> var xhr = new XMLHttpRequest();
>>> xhr.withCredentials = true;
>>>
>>> xhr.addEventListener("readystatechange", function () {
>>>       if (this.readyState === 4) {
>>>               console.log(this.responseText);
>>>                 }
>>> });
>>>
>>> xhr.open("GET", "https://1.2.3.4/");
>>> xhr.setRequestHeader("authorization", "Basic abcdefg");
>>> xhr.setRequestHeader("cache-control", "no-cache");
>>>
>>> xhr.send(data);
>>> </script>
>>> </body>
>>> </html>
>>> ############################################################
>>> ##############
>>>
>>>
>>>
>>> Following is received in the firebug-console (sensitive information
>>> changed) ::
>>>
>>> ############################################################
>>> ##############
>>> GET https://23.253.207.208/
>>> uff.html (line 19)
>>> Headers
>>>
>>> Accept
>>> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>>> Accept-Encoding   gzip, deflate, br
>>> Accept-Language   en-US,en;q=0.5
>>> Authorization         Basic abcdefg
>>> Cache-Control       no-cache
>>> Host                     1.2.3.4
>>> Origin                    null
>>> User-Agent            Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:47.0)
>>> Gecko/20100101 Firefox/47.0
>>>
>>>
>>> Cross-Origin Request Blocked: The Same Origin Policy disallows reading
>>> the remote resource at https://1.2.3.4/. (Reason: CORS preflight
>>> channel did not succeed).
>>> ############################################################
>>> ##############
>>>
>>>
>>> I am beginning to believe that I am close to solving the issue (of
>>> course all credit to tremendous help from this list).
>>> I will be grateful for the last bit of help being received by the
>>> really helpful experts here..
>>>
>>> Sorry again for the noise in my previous email.
>>>
>>>
>>> Thanks and Regards,
>>> Ajay
>>> _______________________________________________
>>> nginx mailing list
>>> nginx at nginx.org
>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>
>>
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
>
> --
> Regards,
> Ajay
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170414/76486d2d/attachment-0001.html>

From ajaygargnsit at gmail.com  Fri Apr 14 13:12:22 2017
From: ajaygargnsit at gmail.com (Ajay Garg)
Date: Fri, 14 Apr 2017 18:42:22 +0530
Subject: Unable to use a GET url-param
Message-ID: <CAHP4M8WvzA5Uca4GeaxDGKPkCahqq0_VCUjYv-5SCvi1AGx-QQ@mail.gmail.com>

Hi All.

When I do the following call ::


https://username:password at 1.2.3.4?upstream_protocol=http

I get a 500 error (on the browser-client), with the following seen in
/var/log/nginx/error.log (on nginx-server)

######################################################
2017/04/14 13:03:51 [error] 16039#16039: *1 invalid URL prefix in "://
127.0.0.1:5000", client: 182.69.5.226, server: , request: "GET
/cgi-bin/webproc HTTP/1.1", host: "1.2.3.4", referrer: "
https://1.2.3.4/?upstream_protocol=http"
######################################################


Following is the server-block section in /etc/nginx/conf.d/default.conf

######################################################
server {

                listen 443 ssl;

                ssl_certificate /etc/nginx/ssl/nginx.crt;
                ssl_certificate_key /etc/nginx/ssl/nginx.key;

                location / {

                        auth_basic 'Restricted';
                        auth_basic_user_file /etc/nginx/ssl/.htpasswd;

                        proxy_pass $arg_upstream_protocol://127.0.0.1:
$forwarded_port;
                }
        }
######################################################

It definitely looks that "upstream_protocol" parameter is not being picked
up by $arg_upstream_protocol.

What am I missing?
Will be grateful for pointers.


Thanks and Regards,
Ajay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170414/7dca5a2b/attachment.html>

From ajaygargnsit at gmail.com  Fri Apr 14 13:13:26 2017
From: ajaygargnsit at gmail.com (Ajay Garg)
Date: Fri, 14 Apr 2017 18:43:26 +0530
Subject: Unable to resolve the "Access-Control-Allow-Origin" issue
In-Reply-To: <CAKWQeyisciZXuF+NN6=W=+uJ3dFXgFCSyYjH=Katxf+LtUU_cQ@mail.gmail.com>
References: <CAHP4M8Xk397qNFP_sJSi0u9ETo0MKmShzkXWuLDEOcA5LxHMMQ@mail.gmail.com>
 <CAHP4M8WWnnZzkZmBP6gsNX8QcLgR-OpsfzUTn4inXkO9Gj9LKA@mail.gmail.com>
 <CAKWQeyjpDOYQThDv=vMhQM1nerEm8OZzepcW2-1TMsbE731j7Q@mail.gmail.com>
 <CAHP4M8VZ7aFRSMK4iTRVc4009z7eJ2JeTMQnYDf3Sd23pk_zYg@mail.gmail.com>
 <CAHP4M8VmPuMxMPo2bnU8o4K+MXi7TjXZpxqYEq-hMn4zpezYGw@mail.gmail.com>
 <CAHP4M8XgX5dW1gRc5kOsp_UUTD52PPa4zAypP50f0MsvyzRnhw@mail.gmail.com>
 <CAKWQeyinEkMfOWb_ZTBXzeAt1u0kXtyUZWr_SOGA=ckEAX5G7A@mail.gmail.com>
 <CAHP4M8XeXOKqkTfZPhwR-i3L045o8TYdjr12QLxrViuO6AByKA@mail.gmail.com>
 <CAKWQeyisciZXuF+NN6=W=+uJ3dFXgFCSyYjH=Katxf+LtUU_cQ@mail.gmail.com>
Message-ID: <CAHP4M8UNwb17V6UGb3-ep_t4nq7uwJNngnyfdiNnjm4FrVxsRQ@mail.gmail.com>

Thanks a ton Richard !!

I will ask my colleague if this works in angularjs on Monday; my gut feel
is it will :)
Thanks a ton guys !!!


Thanks and Regards,
Ajay

On Fri, Apr 14, 2017 at 5:01 PM, Richard Stanway <r1ch+nginx at teamliquid.net>
wrote:

> You're correct - placing the username and password in the URI is just as
> safe as any other method as long as it's going over HTTPS, and the
> credentials should never appear in any access logs (unless you specifically
> choose to log the Authorization header).
>
> On Fri, Apr 14, 2017 at 6:47 AM, Ajay Garg <ajaygargnsit at gmail.com> wrote:
>
>> Hi Richard.
>>
>> You have got me thinking ...
>> https://username:password at 1.2.3.4/ works, even without ANY of the
>> "add_header" and "proxy_set_header" directives.
>>
>> So, now the only thing that worries me is security.
>>
>> http://stackoverflow.com/questions/4143196/is-get-data-also-
>> encrypted-in-https indicates that the URL is safe, in the sense that
>> "username" and "password" would not be sniffable through a
>> man-in-the-middle attack, right?
>>
>> Also, since 1.2.3.4 is our own server, so we are not really bothered
>> about GET-requests getting logged on the server, so we should be good.
>>
>> Do I make sense?
>>
>> Kindly let know your thoughts.
>>
>>
>> Thanks and Regards,
>> Ajay
>>
>> On Thu, Apr 13, 2017 at 11:07 PM, Richard Stanway <
>> r1ch+nginx at teamliquid.net> wrote:
>>
>>> You're missing the "Authorization" header in
>>> your Access-Control-Allow-Headers directive.
>>>
>>> You can alternatively pass the basic auth in your URI, eg
>>> xhr.open("GET", "https://username:password at 1.2.3.4/") rather than
>>> crafting it manually.
>>>
>>> On Thu, Apr 13, 2017 at 4:50 PM, Ajay Garg <ajaygargnsit at gmail.com>
>>> wrote:
>>>
>>>> Strange, but rebooting the machine caused the credentials-popup to be
>>>> seen again :-|
>>>> Sorry for the noise here.
>>>>
>>>> There has been some progress, but still get a "CORS preflight did not
>>>> succeed error".
>>>> Following is what I am doing.
>>>>
>>>>
>>>> a)
>>>> Following is the server-block in /etc/nginx/conf.d/default.conf ::
>>>>
>>>> ############################################################
>>>> ##############
>>>> server {
>>>>
>>>>                 listen 443 ssl;
>>>>
>>>>                 ssl_certificate /etc/nginx/ssl/nginx.crt;
>>>>                 ssl_certificate_key /etc/nginx/ssl/nginx.key;
>>>>
>>>>                 add_header 'Access-Control-Max-Age' 1728000 'always';
>>>>                 add_header 'Access-Control-Allow-Origin' $http_origin
>>>> 'always';
>>>>                 add_header 'Access-Control-Allow-Credentials' 'true'
>>>> 'always';
>>>>                 add_header 'Access-Control-Allow-Methods' 'GET, POST,
>>>> OPTIONS' 'always';
>>>>                 add_header 'Access-Control-Allow-Headers'
>>>> 'DNT,Access-Control-Allow-Origin,X-CustomHeader,Keep-Alive,U
>>>> ser-Agent,X-Requested-With,If-Modified-Since,Cache-Control,C
>>>> ontent-Type'
>>>> 'always';
>>>>
>>>>                 location / {
>>>>
>>>>                         auth_basic 'Restricted';
>>>>                         auth_basic_user_file /etc/nginx/ssl/.htpasswd;
>>>>
>>>>                         proxy_set_header 'Access-Control-Max-Age'
>>>> 1728000;
>>>>                         proxy_set_header 'Access-Control-Allow-Origin'
>>>> '*';
>>>>                         proxy_set_header
>>>> 'Access-Control-Allow-Credentials' 'true';
>>>>                         proxy_set_header
>>>> 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
>>>>                         proxy_set_header
>>>> 'Access-Control-Allow-Headers'
>>>> 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,I
>>>> f-Modified-Since,Cache-Control,Content-Type';
>>>>
>>>>                         proxy_pass
>>>> $forwarded_protocol://127.0.0.1:$forwarded_port;
>>>>
>>>>                 }
>>>>         }
>>>> ############################################################
>>>> ##############
>>>>
>>>>
>>>>
>>>>
>>>> b)
>>>> Firing the following html from firefox (sensitive information changed)
>>>> ::
>>>>
>>>> ############################################################
>>>> ##############
>>>> <html>
>>>> <body>
>>>> <script type="text/javascript">
>>>> var data = null;
>>>>
>>>> var xhr = new XMLHttpRequest();
>>>> xhr.withCredentials = true;
>>>>
>>>> xhr.addEventListener("readystatechange", function () {
>>>>       if (this.readyState === 4) {
>>>>               console.log(this.responseText);
>>>>                 }
>>>> });
>>>>
>>>> xhr.open("GET", "https://1.2.3.4/");
>>>> xhr.setRequestHeader("authorization", "Basic abcdefg");
>>>> xhr.setRequestHeader("cache-control", "no-cache");
>>>>
>>>> xhr.send(data);
>>>> </script>
>>>> </body>
>>>> </html>
>>>> ############################################################
>>>> ##############
>>>>
>>>>
>>>>
>>>> Following is received in the firebug-console (sensitive information
>>>> changed) ::
>>>>
>>>> ############################################################
>>>> ##############
>>>> GET https://23.253.207.208/
>>>> uff.html (line 19)
>>>> Headers
>>>>
>>>> Accept
>>>> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>>>> Accept-Encoding   gzip, deflate, br
>>>> Accept-Language   en-US,en;q=0.5
>>>> Authorization         Basic abcdefg
>>>> Cache-Control       no-cache
>>>> Host                     1.2.3.4
>>>> Origin                    null
>>>> User-Agent            Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:47.0)
>>>> Gecko/20100101 Firefox/47.0
>>>>
>>>>
>>>> Cross-Origin Request Blocked: The Same Origin Policy disallows reading
>>>> the remote resource at https://1.2.3.4/. (Reason: CORS preflight
>>>> channel did not succeed).
>>>> ############################################################
>>>> ##############
>>>>
>>>>
>>>> I am beginning to believe that I am close to solving the issue (of
>>>> course all credit to tremendous help from this list).
>>>> I will be grateful for the last bit of help being received by the
>>>> really helpful experts here..
>>>>
>>>> Sorry again for the noise in my previous email.
>>>>
>>>>
>>>> Thanks and Regards,
>>>> Ajay
>>>> _______________________________________________
>>>> nginx mailing list
>>>> nginx at nginx.org
>>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>>
>>>
>>>
>>> _______________________________________________
>>> nginx mailing list
>>> nginx at nginx.org
>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>
>>
>>
>>
>> --
>> Regards,
>> Ajay
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>



-- 
Regards,
Ajay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170414/870f2070/attachment-0001.html>

From nginx-forum at forum.nginx.org  Fri Apr 14 19:26:41 2017
From: nginx-forum at forum.nginx.org (daveyfx)
Date: Fri, 14 Apr 2017 15:26:41 -0400
Subject: auth_basic and satisfy allowing all traffic
In-Reply-To: <20170414074837.GF10157@daoine.org>
References: <20170414074837.GF10157@daoine.org>
Message-ID: <7095024bb656adc5a864b59dcbfbd952.NginxMailingListEnglish@forum.nginx.org>

Hi Francis -

That would have been my suspicion as well.  To test that theory, I installed
the same nginx 1.10.1 RPM file on a similar CentOS 6 virtual machine in my
environment.  This particular VM has never been used for any nginx testing,
nor has it ever had nginx installed.

I tested the same server configuration as your example, but the testing VM
produced the same results.  The satisfy/allow/deny directives allow
bypassing of the basic_auth.  Once those entries have been commented out,
auth works as expected.

Would there be additional steps involved in determining if this is, in fact,
a bug?

Thank you for your help.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273629,273656#msg-273656


From gfrankliu at gmail.com  Fri Apr 14 20:01:54 2017
From: gfrankliu at gmail.com (Frank Liu)
Date: Fri, 14 Apr 2017 13:01:54 -0700
Subject: weight and balancing in upstream proxy
In-Reply-To: <54e15d5d01c6e23113a88c69413f98bb@none.at>
References: <CAOXPdC-2vq7nBnpg0AvM_842KcBq+2pMNwdERiH0HDEs1OwtuQ@mail.gmail.com>
 <54e15d5d01c6e23113a88c69413f98bb@none.at>
Message-ID: <CAOXPdC9mk+iW3RUmLUd0omz513YVKRUKahUbNyWxfz+9AcU=1g@mail.gmail.com>

Hi Aleks,

Those information are extremely helpful. Much appreciated!

Regards,
Frank


On Fri, Apr 14, 2017 at 1:47 AM, Aleksandar Lazic <al-nginx at none.at> wrote:

> Hi.
>
> Am 12-04-2017 23:50, schrieb Frank Liu:
>
> Hi,
>>
>> How does nginx balances traffic to upstream with different weight?
>> If I have 3 servers in upstream, with weight 1, 2, 4, assuming all are
>> healthy, will nginx send traffic to server 1, 2, 3, 2, 3, 3, 3 or 1, 2, 2,
>> 3, 3, 3, 3?
>> If I have two servers with both weight 50, will nginx will 50 requests to
>> server 1, and then 50 to server 2, or will it calculate the ration to be
>> 1:1 and send one after another?
>>
>
> You can find a explanation of the algorithm in the commit messages.
>
> http://hg.nginx.org/nginx/rev/c90801720a0c
> http://hg.nginx.org/nginx/rev/d05ab8793a69
> http://hg.nginx.org/nginx/rev/0811376954e4
>
> I have found this with this query.
>
> http://hg.nginx.org/nginx/log?rev=weight
>
> Have you seen this doc?
> http://nginx.org/en/docs/http/load_balancing.html
>
> Best Regards
> Aleks
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170414/1e868eb7/attachment.html>

From reallfqq-nginx at yahoo.fr  Sat Apr 15 01:55:20 2017
From: reallfqq-nginx at yahoo.fr (B.R.)
Date: Sat, 15 Apr 2017 03:55:20 +0200
Subject: upstream - behavior on pool exhaustion
In-Reply-To: <20170414082147.GB95482@lo0.su>
References: <CALqce=38t_cq8vZTpDE5M_WYq7Kn8iv_i_xUrh-NWgoiMpZ9Bg@mail.gmail.com>
 <20170414082147.GB95482@lo0.su>
Message-ID: <CALqce=0g=-w6Bx8Z+m07dC-s7-q1vNYcn+H+J5BsPG=K+JxB4w@mail.gmail.com>

Let me be clear here:
I got 6 active servers (not marked down), and the logs show 1 attempt on
each. They all failed for a known reason, and there is no problem there.
Subsequently, the whole pool was 'down' and the response was 502.
Everything perfectly normal so far.

?What is unclear is the feature (as you classified it) of having a fake
node named after the pool appearing in the list of tried upstream servers.?
It brings confusion more than anything else: having a 502 response + the
list of all tried (and failed) nodes corresponding with the list of active
nodes is more than enough to describe what happened.
The name of the upstream group does not corresponding to any real asset, it
is purely virtual classification. It thus makes no sense at all to me to
have it appearing as a 7th 'node' in the list... and how do you interpret
its response time (where you got also a 7th item in the list)?
Moreover, it is confusing, since proxy_pass handles domain names and one
could believe nginx treated the upstream group name as such.
---
*B. R.*

On Fri, Apr 14, 2017 at 10:21 AM, Ruslan Ermilov <ru at nginx.com> wrote:

> On Fri, Apr 14, 2017 at 09:41:36AM +0200, B.R. via nginx wrote:
> > Hello,
> >
> > Reading from upstream
> > <https://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream>
> > docs, on upstream pool exhaustion, every backend should be tried once,
> and
> > then if all fail the response should be crafted based on the one from the
> > last server attempt.
> > So far so good.
> >
> > I recently faced a server farm which implements a dull nightly restart of
> > every node, not sequencing it, resulting in the possibility of having all
> > nodes offline at the same time.
> >
> > However, I collected log entries which did not match what I was expected.
> > For 6 backend nodes, I got:
> > - log format: $status $body_bytes_sent $request_time $upstream_addr
> > $upstream_response_time
> > - log entry: 502 568 0.001 <IP address 1>:<port>, <IP address 2>:<port>,
> > <IP address 3>:<port>, <IP address 4>:<port>, <IP address 5>:<port>, <IP
> > address 6>:<port>, php-fpm 0.000, 0.000, 0.000, 0.000, 0.001, 0.000,
> 0.000
> > I got 7 entries for $upstream_addr & $upstream_response_time, instead of
> > the expected 6.
> >
> > ?Here are the interesting parts of the configuration:
> > upstream php-fpm {
> >     server <machine 1>:<port> down;
> >     server <machine 2>:<port> down;
> >     [...]
> >     server <machine N-5>:<port>;
> >     server <machine N-4>:<port>;
> >     server <machine N-3>:<port>;
> >     server <machine N-2>:<port>;
> >     server <machine N-1>:<port>;
> >     server <machine N>:<port>;
> >     keepalive 128;
> > }
> >
> > ?server {
> >     set $fpm_pool "php-fpm$fpm_pool_ID";
> >     [...]
> >         location ~ \.php$ {
> >             [...]
> >             fastcgi_read_timeout 600;
> >             fastcgi_keep_conn on;
> >             fastcgi_index index.php;
> >
> >             include fastcgi_params;
> >             fastcgi_param SCRIPT_FILENAME
> > $document_root$fastcgi_script_name;
> >             [...]
> >             fastcgi_pass $fpm_pool;
> >         }
> > }
> >
> > ?The question is:
> > php-fpm being an upstream group name, how come has it been tried as a
> > domain name in the end?
> > Stated otherwise, is this because the upstream group is considered
> 'down',
> > thus somehow removed from the possibilities, and nginx trying one last
> time
> > the name as a domain name to see if something answers?
> > This 7th request is definitely strange to my point of view. Is it a bug
> or
> > a feature?
>
> A feature.
>
> Most $upstream_* variables are vectored ones, and the number of entries
> in their values corresponds to the number of tries made to select a peer.
> When a peer cannot be selected at all (as in your case), the status is
> 502 and the name equals the upstream group name.
>
> There could be several reasons why none of the peers can be selected.
> For example, some peers are marked "down", and other peers were failing
> and are now in the "unavailable" state.
>
> The number of tries is limited by the number of servers in the group,
> unless futher restricted by proxy_next_upstream_tries.  In your case,
> since there are two "down" servers, and other servers are unavailable,
> you reach the situation when a peer cannot be selected.  If you comment
> out the two "down" servers, and try a few requests in a row when all
> servers are physically unavailable, the first log entry will list all
> of the attempted servers, and then for the next 10 seconds (in the
> default config) you'll see only the upstream group name and 502 in
> $upstream_status, until the servers become available again (see
> max_fails/fail_timeout).
>
> Hope this makes things a little bit clearer.
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170415/39139767/attachment.html>

From francis at daoine.org  Sat Apr 15 08:25:30 2017
From: francis at daoine.org (Francis Daly)
Date: Sat, 15 Apr 2017 09:25:30 +0100
Subject: Unable to use a GET url-param
In-Reply-To: <CAHP4M8WvzA5Uca4GeaxDGKPkCahqq0_VCUjYv-5SCvi1AGx-QQ@mail.gmail.com>
References: <CAHP4M8WvzA5Uca4GeaxDGKPkCahqq0_VCUjYv-5SCvi1AGx-QQ@mail.gmail.com>
Message-ID: <20170415082530.GG10157@daoine.org>

On Fri, Apr 14, 2017 at 06:42:22PM +0530, Ajay Garg wrote:

Hi there,

> When I do the following call ::
> 
> https://username:password at 1.2.3.4?upstream_protocol=http

> 2017/04/14 13:03:51 [error] 16039#16039: *1 invalid URL prefix in "://
> 127.0.0.1:5000", client: 182.69.5.226, server: , request: "GET
> /cgi-bin/webproc HTTP/1.1", host: "1.2.3.4", referrer: "
> https://1.2.3.4/?upstream_protocol=http"

> What am I missing?

The request in the log line is not the same as the first request provided.

What is the output of "curl -v" on the first request? If it is not
exactly what you expect, what does the nginx log say for that one request?

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org

From francis at daoine.org  Sat Apr 15 08:32:34 2017
From: francis at daoine.org (Francis Daly)
Date: Sat, 15 Apr 2017 09:32:34 +0100
Subject: auth_basic and satisfy allowing all traffic
In-Reply-To: <7095024bb656adc5a864b59dcbfbd952.NginxMailingListEnglish@forum.nginx.org>
References: <20170414074837.GF10157@daoine.org>
 <7095024bb656adc5a864b59dcbfbd952.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170415083234.GH10157@daoine.org>

On Fri, Apr 14, 2017 at 03:26:41PM -0400, daveyfx wrote:

Hi there,

> I tested the same server configuration as your example, but the testing VM
> produced the same results.  The satisfy/allow/deny directives allow
> bypassing of the basic_auth.  Once those entries have been commented out,
> auth works as expected.
> 
> Would there be additional steps involved in determining if this is, in fact,
> a bug?

In this case, I suggest building a reproducible test case.

Assuming that you use "default" config files, then "nginx -V" will show
information about what version you are using; "nginx -T" will show the
configuration actually being used, and provide "curl -v" or "curl -i"
commands that show the unexpected behaviour. nginx logs for the requests
should also show what source IP address nginx thinks the requests are
coming from.

Copy-paste; do not re-type. Make it so that the differences between a
working and a failing system are obvious.

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org

From ajaygargnsit at gmail.com  Sat Apr 15 09:17:26 2017
From: ajaygargnsit at gmail.com (Ajay Garg)
Date: Sat, 15 Apr 2017 14:47:26 +0530
Subject: Unable to use a GET url-param
In-Reply-To: <20170415082530.GG10157@daoine.org>
References: <CAHP4M8WvzA5Uca4GeaxDGKPkCahqq0_VCUjYv-5SCvi1AGx-QQ@mail.gmail.com>
 <20170415082530.GG10157@daoine.org>
Message-ID: <CAHP4M8WVi+ingavTuBNJf_7t6JKjOdZhD6JbS7tgpZEc0-4fAA@mail.gmail.com>

Hi Francis.

I tried the curl method, and I happened to land on an interesting
observation.

a)
If there is no forwarded-port in listening state (port 5000 in this case)
for the upstream-server, the request suitably returns a 502 error. More
importantly, the $arg_upstream_protocol does seem to be parsed properly ::

#####################################################
2017/04/15 09:08:56 [error] 16039#16039: *40 connect() failed (111:
Connection refused) while connecting to upstream, client: 182.69.5.226,
server: , request: "GET /?upstream_protocol=http HTTP/1.1", upstream: "
http://127.0.0.1:5000/?upstream_protocol=http", host: "1.2.3.4"
#####################################################

b)
However, if the forwarded port is in listening state, I get the usual 500
error ::

#####################################################
2017/04/15 09:08:21 [error] 16039#16039: *37 invalid URL prefix in "://
127.0.0.1:5000", client: 182.69.5.226, server: , request: "GET
/cgi-bin/webproc HTTP/1.1", host: "1.2.3.4", referrer: "
https://1.2.3.4/?upstream_protocol=http"
#####################################################


Note that /cgi-bin/webproc is the default location for the upstream-server.
Also, to re-iterate, following is the proxy-pass directive ::

                        proxy_pass $arg_upstream_protocol://127.
0.0.1:$forwarded_port;


So, the GET-param is being parsed fine (as evident from case a), seems I
need to do some url-rewritings while the requests move to and from between
nginx and upstream-server, right?


On Sat, Apr 15, 2017 at 1:55 PM, Francis Daly <francis at daoine.org> wrote:

> On Fri, Apr 14, 2017 at 06:42:22PM +0530, Ajay Garg wrote:
>
> Hi there,
>
> > When I do the following call ::
> >
> > https://username:password at 1.2.3.4?upstream_protocol=http
>
> > 2017/04/14 13:03:51 [error] 16039#16039: *1 invalid URL prefix in "://
> > 127.0.0.1:5000", client: 182.69.5.226, server: , request: "GET
> > /cgi-bin/webproc HTTP/1.1", host: "1.2.3.4", referrer: "
> > https://1.2.3.4/?upstream_protocol=http"
>
> > What am I missing?
>
> The request in the log line is not the same as the first request provided.
>
> What is the output of "curl -v" on the first request? If it is not
> exactly what you expect, what does the nginx log say for that one request?
>
> Good luck with it,
>
>         f
> --
> Francis Daly        francis at daoine.org
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>



-- 
Regards,
Ajay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170415/cebbc835/attachment.html>

From francis at daoine.org  Sat Apr 15 15:20:22 2017
From: francis at daoine.org (Francis Daly)
Date: Sat, 15 Apr 2017 16:20:22 +0100
Subject: Unable to use a GET url-param
In-Reply-To: <CAHP4M8WVi+ingavTuBNJf_7t6JKjOdZhD6JbS7tgpZEc0-4fAA@mail.gmail.com>
References: <CAHP4M8WvzA5Uca4GeaxDGKPkCahqq0_VCUjYv-5SCvi1AGx-QQ@mail.gmail.com>
 <20170415082530.GG10157@daoine.org>
 <CAHP4M8WVi+ingavTuBNJf_7t6JKjOdZhD6JbS7tgpZEc0-4fAA@mail.gmail.com>
Message-ID: <20170415152022.GI10157@daoine.org>

On Sat, Apr 15, 2017 at 02:47:26PM +0530, Ajay Garg wrote:

Hi there,

> If there is no forwarded-port in listening state (port 5000 in this case)
> for the upstream-server, the request suitably returns a 502 error. More
> importantly, the $arg_upstream_protocol does seem to be parsed properly ::

Why do you have $arg_upstream_protocol? What is its purpose?

After you answer that, consider: why do you not also have
$arg_forwarded_port?

If the port to connect to, and the protocol to connect with, are
conceptually analogous, they should probably be handled in the same way.

(Set them both in maps.)

> So, the GET-param is being parsed fine (as evident from case a), seems I
> need to do some url-rewritings while the requests move to and from between
> nginx and upstream-server, right?

One request gets one response. If the response is a http 301, the next
request is a whole new request that should be considered separately.

If at all possible, do not design things so that you need to edit the
upstream response body before sending it to the client.

So: what is the output of "curl -v" on the first request?

What do you want the output to be, in your design?

	f
-- 
Francis Daly        francis at daoine.org

From ajaygargnsit at gmail.com  Sun Apr 16 04:19:09 2017
From: ajaygargnsit at gmail.com (Ajay Garg)
Date: Sun, 16 Apr 2017 09:49:09 +0530
Subject: Unable to use a GET url-param
In-Reply-To: <20170415152022.GI10157@daoine.org>
References: <CAHP4M8WvzA5Uca4GeaxDGKPkCahqq0_VCUjYv-5SCvi1AGx-QQ@mail.gmail.com>
 <20170415082530.GG10157@daoine.org>
 <CAHP4M8WVi+ingavTuBNJf_7t6JKjOdZhD6JbS7tgpZEc0-4fAA@mail.gmail.com>
 <20170415152022.GI10157@daoine.org>
Message-ID: <CAHP4M8VqGuGsFMnMdFm2pEZQ=UScXPtNUaYwpbAJxXCxrcqmtg@mail.gmail.com>

Hi Francis.

Thanks for your continued help.

On Sat, Apr 15, 2017 at 8:50 PM, Francis Daly <francis at daoine.org> wrote:

> On Sat, Apr 15, 2017 at 02:47:26PM +0530, Ajay Garg wrote:
>
> Hi there,
>
> > If there is no forwarded-port in listening state (port 5000 in this case)
> > for the upstream-server, the request suitably returns a 502 error. More
> > importantly, the $arg_upstream_protocol does seem to be parsed properly
> ::
>
> Why do you have $arg_upstream_protocol? What is its purpose?
>
> After you answer that, consider: why do you not also have
> $arg_forwarded_port?
>
> If the port to connect to, and the protocol to connect with, are
> conceptually analogous, they should probably be handled in the same way.
>


Our architecture is as follows ::

   Proxy-Server  <==>  Gateway <==>  End-Server

Proxy-Server and Gateway are connected via a ssh-reverse-tunnel.
The port over which they are connected remains the same, as long as the
Gateway is same.
So, $forwarded_port can be safely set in the map.

Gateway and End-Server communicate via the "other end" of the
ssh-reverse-tunnel.
The End-Server here might change, and so the communication can either be
over http or https.
This information is passed as a GET-param, when making the request to the
Proxy-Server.
So, $arg_upstream_protocol comes into picture.



> (Set them both in maps.)
>


I have already tried this via

map $remote_user $forwarded_protocol {

    ajay           $arg_upstream_protocol
}

....
.....
                proxy_pass $forwarded_protocol://127.0.0.1:$forwarded_port;

but I get the same results as per my previous emails.








>
> > So, the GET-param is being parsed fine (as evident from case a), seems I
> > need to do some url-rewritings while the requests move to and from
> between
> > nginx and upstream-server, right?
>
> One request gets one response. If the response is a http 301, the next
> request is a whole new request that should be considered separately.
>
> If at all possible, do not design things so that you need to edit the
> upstream response body before sending it to the client.
>
> So: what is the output of "curl -v" on the first request?
>

Following is received ::

#####################################################
curl -v -k https://ajay:garg at 1.2.3.4/?upstream_protocol=http
* Hostname was NOT found in DNS cache
*   Trying 1.2.3.4...

* Connected to 1.2.3.4 (1.2.3.4) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS Unknown, Unknown (22):
* SSLv3, TLS handshake, Client hello (1):

* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Server hello (2):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, CERT (11):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Server finished (14):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv2, Unknown (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Finished (20):
* SSLv2, Unknown (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*      subject: C=IN; ST=Delhi; L=Delhi; O=Home; OU=Home; CN=www.home.com;
emailAddress=support at home.com
*      start date: 2017-04-09 03:53:25 GMT
*      expire date: 2027-04-07 03:53:25 GMT
*      issuer: C=IN; ST=Delhi; L=Delhi; O=Home; OU=Home; CN=www.home.com;
emailAddress=support at home.com
*      SSL certificate verify result: self signed certificate (18),
continuing anyway.
* Server auth using Basic with user 'ajay'
* SSLv2, Unknown (23):
> GET /?upstream_protocol=http HTTP/1.1
> Authorization: Basic abcdefg
> User-Agent: curl/7.37.1
> Host: 1.2.3.4
> Accept: */*
>
* SSLv2, Unknown (23):
< HTTP/1.1 200 Ok
* Server nginx/1.11.13 is not blacklisted
< Server: nginx/1.11.13
< Date: Sun, 16 Apr 2017 03:42:22 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 75
< Connection: keep-alive
< Last-Modified: Sat, 08 Aug 2015 04:40:50 GMT
<
<script>
<!--
    window.location.href = "/cgi-bin/webproc";
-->
* Connection #0 to host 1.2.3.4 left intact
#####################################################


Strangely, when request is done by curl, absolutely nothing appears in
/var/log/nignix/error.log, whereas when done through the browser, logs
appear in /var/log/nginx/error.log as per my previous emails.


Beginning to feel a little lost again :-\
But I believe that the experts will sail me through..








>
> What do you want the output to be, in your design?
>

Things work fine if I hardcode http/https in proxy_pass directive.
It's only when I need to use to parse-and-use "upstream_protocol" from the
GET-param (which can only be equal to http/https) that I start facing
problems.




>
>         f
> --
> Francis Daly        francis at daoine.org
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>



Thanks and Regards,
Ajay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170416/e781d071/attachment.html>

From ajaygargnsit at gmail.com  Mon Apr 17 05:49:36 2017
From: ajaygargnsit at gmail.com (Ajay Garg)
Date: Mon, 17 Apr 2017 11:19:36 +0530
Subject: Unable to use a GET url-param
In-Reply-To: <CAHP4M8VqGuGsFMnMdFm2pEZQ=UScXPtNUaYwpbAJxXCxrcqmtg@mail.gmail.com>
References: <CAHP4M8WvzA5Uca4GeaxDGKPkCahqq0_VCUjYv-5SCvi1AGx-QQ@mail.gmail.com>
 <20170415082530.GG10157@daoine.org>
 <CAHP4M8WVi+ingavTuBNJf_7t6JKjOdZhD6JbS7tgpZEc0-4fAA@mail.gmail.com>
 <20170415152022.GI10157@daoine.org>
 <CAHP4M8VqGuGsFMnMdFm2pEZQ=UScXPtNUaYwpbAJxXCxrcqmtg@mail.gmail.com>
Message-ID: <CAHP4M8X5b0xS67F+nKn3rBHPvKh-Cd5UD5RY1anVjasnA4LoKw@mail.gmail.com>

Never mind.

I created two different credentials, one which forwards via http-protocol,
and the other which forwards via https-protocol.
Thanks everyone (especially Francis) for all the help !!!


Thanks and Regards,
Ajay

On Sun, Apr 16, 2017 at 9:49 AM, Ajay Garg <ajaygargnsit at gmail.com> wrote:

> Hi Francis.
>
> Thanks for your continued help.
>
> On Sat, Apr 15, 2017 at 8:50 PM, Francis Daly <francis at daoine.org> wrote:
>
>> On Sat, Apr 15, 2017 at 02:47:26PM +0530, Ajay Garg wrote:
>>
>> Hi there,
>>
>> > If there is no forwarded-port in listening state (port 5000 in this
>> case)
>> > for the upstream-server, the request suitably returns a 502 error. More
>> > importantly, the $arg_upstream_protocol does seem to be parsed properly
>> ::
>>
>> Why do you have $arg_upstream_protocol? What is its purpose?
>>
>> After you answer that, consider: why do you not also have
>> $arg_forwarded_port?
>>
>> If the port to connect to, and the protocol to connect with, are
>> conceptually analogous, they should probably be handled in the same way.
>>
>
>
> Our architecture is as follows ::
>
>    Proxy-Server  <==>  Gateway <==>  End-Server
>
> Proxy-Server and Gateway are connected via a ssh-reverse-tunnel.
> The port over which they are connected remains the same, as long as the
> Gateway is same.
> So, $forwarded_port can be safely set in the map.
>
> Gateway and End-Server communicate via the "other end" of the
> ssh-reverse-tunnel.
> The End-Server here might change, and so the communication can either be
> over http or https.
> This information is passed as a GET-param, when making the request to the
> Proxy-Server.
> So, $arg_upstream_protocol comes into picture.
>
>
>
>> (Set them both in maps.)
>>
>
>
> I have already tried this via
>
> map $remote_user $forwarded_protocol {
>
>     ajay           $arg_upstream_protocol
> }
>
> ....
> .....
>                 proxy_pass $forwarded_protocol://127.0.0.
> 1:$forwarded_port;
>
> but I get the same results as per my previous emails.
>
>
>
>
>
>
>
>
>>
>> > So, the GET-param is being parsed fine (as evident from case a), seems I
>> > need to do some url-rewritings while the requests move to and from
>> between
>> > nginx and upstream-server, right?
>>
>> One request gets one response. If the response is a http 301, the next
>> request is a whole new request that should be considered separately.
>>
>> If at all possible, do not design things so that you need to edit the
>> upstream response body before sending it to the client.
>>
>> So: what is the output of "curl -v" on the first request?
>>
>
> Following is received ::
>
> #####################################################
> curl -v -k https://ajay:garg at 1.2.3.4/?upstream_protocol=http
> * Hostname was NOT found in DNS cache
> *   Trying 1.2.3.4...
>
> * Connected to 1.2.3.4 (1.2.3.4) port 443 (#0)
> * successfully set certificate verify locations:
> *   CAfile: none
>   CApath: /etc/ssl/certs
> * SSLv3, TLS Unknown, Unknown (22):
> * SSLv3, TLS handshake, Client hello (1):
>
> * SSLv2, Unknown (22):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv2, Unknown (22):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv2, Unknown (22):
> * SSLv3, TLS handshake, Server key exchange (12):
> * SSLv2, Unknown (22):
> * SSLv3, TLS handshake, Server finished (14):
> * SSLv2, Unknown (22):
> * SSLv3, TLS handshake, Client key exchange (16):
> * SSLv2, Unknown (20):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv2, Unknown (22):
> * SSLv3, TLS handshake, Finished (20):
> * SSLv2, Unknown (20):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv2, Unknown (22):
> * SSLv3, TLS handshake, Finished (20):
> * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> * Server certificate:
> *      subject: C=IN; ST=Delhi; L=Delhi; O=Home; OU=Home; CN=www.home.com;
> emailAddress=support at home.com
> *      start date: 2017-04-09 03:53:25 GMT
> *      expire date: 2027-04-07 03:53:25 GMT
> *      issuer: C=IN; ST=Delhi; L=Delhi; O=Home; OU=Home; CN=www.home.com;
> emailAddress=support at home.com
> *      SSL certificate verify result: self signed certificate (18),
> continuing anyway.
> * Server auth using Basic with user 'ajay'
> * SSLv2, Unknown (23):
> > GET /?upstream_protocol=http HTTP/1.1
> > Authorization: Basic abcdefg
> > User-Agent: curl/7.37.1
> > Host: 1.2.3.4
> > Accept: */*
> >
> * SSLv2, Unknown (23):
> < HTTP/1.1 200 Ok
> * Server nginx/1.11.13 is not blacklisted
> < Server: nginx/1.11.13
> < Date: Sun, 16 Apr 2017 03:42:22 GMT
> < Content-Type: text/html; charset=utf-8
> < Content-Length: 75
> < Connection: keep-alive
> < Last-Modified: Sat, 08 Aug 2015 04:40:50 GMT
> <
> <script>
> <!--
>     window.location.href = "/cgi-bin/webproc";
> -->
> * Connection #0 to host 1.2.3.4 left intact
> #####################################################
>
>
> Strangely, when request is done by curl, absolutely nothing appears in
> /var/log/nignix/error.log, whereas when done through the browser, logs
> appear in /var/log/nginx/error.log as per my previous emails.
>
>
> Beginning to feel a little lost again :-\
> But I believe that the experts will sail me through..
>
>
>
>
>
>
>
>
>>
>> What do you want the output to be, in your design?
>>
>
> Things work fine if I hardcode http/https in proxy_pass directive.
> It's only when I need to use to parse-and-use "upstream_protocol" from the
> GET-param (which can only be equal to http/https) that I start facing
> problems.
>
>
>
>
>>
>>         f
>> --
>> Francis Daly        francis at daoine.org
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
>
> Thanks and Regards,
> Ajay
>



-- 
Regards,
Ajay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170417/d960d5bf/attachment.html>

From francis at daoine.org  Mon Apr 17 08:02:01 2017
From: francis at daoine.org (Francis Daly)
Date: Mon, 17 Apr 2017 09:02:01 +0100
Subject: Unable to use a GET url-param
In-Reply-To: <CAHP4M8VqGuGsFMnMdFm2pEZQ=UScXPtNUaYwpbAJxXCxrcqmtg@mail.gmail.com>
References: <CAHP4M8WvzA5Uca4GeaxDGKPkCahqq0_VCUjYv-5SCvi1AGx-QQ@mail.gmail.com>
 <20170415082530.GG10157@daoine.org>
 <CAHP4M8WVi+ingavTuBNJf_7t6JKjOdZhD6JbS7tgpZEc0-4fAA@mail.gmail.com>
 <20170415152022.GI10157@daoine.org>
 <CAHP4M8VqGuGsFMnMdFm2pEZQ=UScXPtNUaYwpbAJxXCxrcqmtg@mail.gmail.com>
Message-ID: <20170417080201.GJ10157@daoine.org>

On Sun, Apr 16, 2017 at 09:49:09AM +0530, Ajay Garg wrote:
> On Sat, Apr 15, 2017 at 8:50 PM, Francis Daly <francis at daoine.org> wrote:
> > On Sat, Apr 15, 2017 at 02:47:26PM +0530, Ajay Garg wrote:

Hi there,

> Proxy-Server and Gateway are connected via a ssh-reverse-tunnel.
> The port over which they are connected remains the same, as long as the
> Gateway is same.
> So, $forwarded_port can be safely set in the map.

Ok.

> Gateway and End-Server communicate via the "other end" of the
> ssh-reverse-tunnel.
> The End-Server here might change, and so the communication can either be
> over http or https.

I suspect that that is the piece that is breaking you now.

I think that it will be much easier to configure if the upstream is
http, or the upstream is https, and changing is a significant event,
which involves reconfiguring nginx.

> This information is passed as a GET-param, when making the request to the
> Proxy-Server.

As shown below, that design cannot work without more changes. If possible,
I suggest you remove that "changeable" desire. If not, you will need a
fuller design that accounts for it.

I would first suggest making all upstreams accessible over http. Failing
that, you may be able to build something based on cookies -- if the GET
param is present, set a cookie and use that value; else, if the cookie
is present, use that value; else do something appropriate -- perhaps
fail and tell the user why; perhaps assume http.

(If you can get a reliable "you used http instead of https" error code
from upstream, you might be able to use that information when setting
the cookie, so the thing can auto-tune.)
 
> I have already tried this via
> 
> map $remote_user $forwarded_protocol {
> 
>     ajay           $arg_upstream_protocol
> }

I was thinking more like

     ajay           http;

because $arg_upstream_protocol is not always present.

> > One request gets one response. If the response is a http 301, the next
> > request is a whole new request that should be considered separately.
> >
> > If at all possible, do not design things so that you need to edit the
> > upstream response body before sending it to the client.

> curl -v -k https://ajay:garg at 1.2.3.4/?upstream_protocol=http

> > GET /?upstream_protocol=http HTTP/1.1
> > Authorization: Basic abcdefg

> < HTTP/1.1 200 Ok

> <script>
> <!--
>     window.location.href = "/cgi-bin/webproc";
> -->

So - the first request is handled as you want it to be. It includes
in its response body an invitation to the browser to make a new request,
to /cgi-bin/webproc.

Not to /cgi-bin/webproc?upstream_protocol=http.


Eventually, there will be a html page with many "a href" and "img src"
urls; none of them will include "?upstream_protocol=http" either. (Unless
you significantly change the upstream config to always include it --
which you do not want to do -- or you change the nginx config to edit
the upstream response body to always include it before returning it to
the client -- which you also do not want to do.)

> Strangely, when request is done by curl, absolutely nothing appears in
> /var/log/nignix/error.log, whereas when done through the browser, logs
> appear in /var/log/nginx/error.log as per my previous emails.

curl makes the one request that you ask it to make, and shows the
response. So you can see exactly what is happening.

Then, if you want to, you can use it to make the next one request that
the browser makes, so again you can see exactly what is happening.

I suspect that if you do

  curl -v -k https://ajay:garg at 1.2.3.4/cgi-bin/webproc

you will see that same result in nginx as when the browser makes that
request.

But now you know that the error message is not from the first request,
so you do not need to try to fix the first request.

And if you do

  curl -v -k https://ajay:garg at 1.2.3.4/cgi-bin/webproc?upstream_protocol=http

(or if you use that url in a browser) you will see what comes back and
see the next problem.

> Things work fine if I hardcode http/https in proxy_pass directive.
> It's only when I need to use to parse-and-use "upstream_protocol" from the
> GET-param (which can only be equal to http/https) that I start facing
> problems.

Yes - you only face those problems when "upstream_protocol" is not
provided in the GET-params. So you must design things so that either
"upstream_protocol" is present in every request; or design things so
that the information that it carries is available in every request --
which probably means "always http" or "tied to authentication" or "tied
to a cookie".

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org

From francis at daoine.org  Mon Apr 17 08:04:33 2017
From: francis at daoine.org (Francis Daly)
Date: Mon, 17 Apr 2017 09:04:33 +0100
Subject: Unable to use a GET url-param
In-Reply-To: <CAHP4M8X5b0xS67F+nKn3rBHPvKh-Cd5UD5RY1anVjasnA4LoKw@mail.gmail.com>
References: <CAHP4M8WvzA5Uca4GeaxDGKPkCahqq0_VCUjYv-5SCvi1AGx-QQ@mail.gmail.com>
 <20170415082530.GG10157@daoine.org>
 <CAHP4M8WVi+ingavTuBNJf_7t6JKjOdZhD6JbS7tgpZEc0-4fAA@mail.gmail.com>
 <20170415152022.GI10157@daoine.org>
 <CAHP4M8VqGuGsFMnMdFm2pEZQ=UScXPtNUaYwpbAJxXCxrcqmtg@mail.gmail.com>
 <CAHP4M8X5b0xS67F+nKn3rBHPvKh-Cd5UD5RY1anVjasnA4LoKw@mail.gmail.com>
Message-ID: <20170417080433.GK10157@daoine.org>

On Mon, Apr 17, 2017 at 11:19:36AM +0530, Ajay Garg wrote:

Hi there,

> I created two different credentials, one which forwards via http-protocol,
> and the other which forwards via https-protocol.

Good that you came up with a system that works.

Cheers,

	f
-- 
Francis Daly        francis at daoine.org

From ru at nginx.com  Mon Apr 17 16:09:04 2017
From: ru at nginx.com (Ruslan Ermilov)
Date: Mon, 17 Apr 2017 19:09:04 +0300
Subject: upstream - behavior on pool exhaustion
In-Reply-To: <CALqce=0g=-w6Bx8Z+m07dC-s7-q1vNYcn+H+J5BsPG=K+JxB4w@mail.gmail.com>
References: <CALqce=38t_cq8vZTpDE5M_WYq7Kn8iv_i_xUrh-NWgoiMpZ9Bg@mail.gmail.com>
 <20170414082147.GB95482@lo0.su>
 <CALqce=0g=-w6Bx8Z+m07dC-s7-q1vNYcn+H+J5BsPG=K+JxB4w@mail.gmail.com>
Message-ID: <20170417160904.GE38469@lo0.su>

On Sat, Apr 15, 2017 at 03:55:20AM +0200, B.R. via nginx wrote:
> Let me be clear here:
> I got 6 active servers (not marked down), and the logs show 1 attempt on
> each. They all failed for a known reason, and there is no problem there.
> Subsequently, the whole pool was 'down' and the response was 502.
> Everything perfectly normal so far.
> 
> ?What is unclear is the feature (as you classified it) of having a fake
> node named after the pool appearing in the list of tried upstream servers.?
> It brings confusion more than anything else: having a 502 response + the
> list of all tried (and failed) nodes corresponding with the list of active
> nodes is more than enough to describe what happened.
> The name of the upstream group does not corresponding to any real asset, it
> is purely virtual classification. It thus makes no sense at all to me to
> have it appearing as a 7th 'node' in the list... and how do you interpret
> its response time (where you got also a 7th item in the list)?
> Moreover, it is confusing, since proxy_pass handles domain names and one
> could believe nginx treated the upstream group name as such.

Without the six attempts, if all of the servers are unreachable (either
"down" or "unavailable" because they have failed previously) at the time
the request starts, what do you expect to see in $upstream_*?

> On Fri, Apr 14, 2017 at 10:21 AM, Ruslan Ermilov <ru at nginx.com> wrote:
> 
> > On Fri, Apr 14, 2017 at 09:41:36AM +0200, B.R. via nginx wrote:
> > > Hello,
> > >
> > > Reading from upstream
> > > <https://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream>
> > > docs, on upstream pool exhaustion, every backend should be tried once,
> > and
> > > then if all fail the response should be crafted based on the one from the
> > > last server attempt.
> > > So far so good.
> > >
> > > I recently faced a server farm which implements a dull nightly restart of
> > > every node, not sequencing it, resulting in the possibility of having all
> > > nodes offline at the same time.
> > >
> > > However, I collected log entries which did not match what I was expected.
> > > For 6 backend nodes, I got:
> > > - log format: $status $body_bytes_sent $request_time $upstream_addr
> > > $upstream_response_time
> > > - log entry: 502 568 0.001 <IP address 1>:<port>, <IP address 2>:<port>,
> > > <IP address 3>:<port>, <IP address 4>:<port>, <IP address 5>:<port>, <IP
> > > address 6>:<port>, php-fpm 0.000, 0.000, 0.000, 0.000, 0.001, 0.000,
> > 0.000
> > > I got 7 entries for $upstream_addr & $upstream_response_time, instead of
> > > the expected 6.
> > >
> > > ?Here are the interesting parts of the configuration:
> > > upstream php-fpm {
> > >     server <machine 1>:<port> down;
> > >     server <machine 2>:<port> down;
> > >     [...]
> > >     server <machine N-5>:<port>;
> > >     server <machine N-4>:<port>;
> > >     server <machine N-3>:<port>;
> > >     server <machine N-2>:<port>;
> > >     server <machine N-1>:<port>;
> > >     server <machine N>:<port>;
> > >     keepalive 128;
> > > }
> > >
> > > ?server {
> > >     set $fpm_pool "php-fpm$fpm_pool_ID";
> > >     [...]
> > >         location ~ \.php$ {
> > >             [...]
> > >             fastcgi_read_timeout 600;
> > >             fastcgi_keep_conn on;
> > >             fastcgi_index index.php;
> > >
> > >             include fastcgi_params;
> > >             fastcgi_param SCRIPT_FILENAME
> > > $document_root$fastcgi_script_name;
> > >             [...]
> > >             fastcgi_pass $fpm_pool;
> > >         }
> > > }
> > >
> > > ?The question is:
> > > php-fpm being an upstream group name, how come has it been tried as a
> > > domain name in the end?
> > > Stated otherwise, is this because the upstream group is considered
> > 'down',
> > > thus somehow removed from the possibilities, and nginx trying one last
> > time
> > > the name as a domain name to see if something answers?
> > > This 7th request is definitely strange to my point of view. Is it a bug
> > or
> > > a feature?
> >
> > A feature.
> >
> > Most $upstream_* variables are vectored ones, and the number of entries
> > in their values corresponds to the number of tries made to select a peer.
> > When a peer cannot be selected at all (as in your case), the status is
> > 502 and the name equals the upstream group name.
> >
> > There could be several reasons why none of the peers can be selected.
> > For example, some peers are marked "down", and other peers were failing
> > and are now in the "unavailable" state.
> >
> > The number of tries is limited by the number of servers in the group,
> > unless futher restricted by proxy_next_upstream_tries.  In your case,
> > since there are two "down" servers, and other servers are unavailable,
> > you reach the situation when a peer cannot be selected.  If you comment
> > out the two "down" servers, and try a few requests in a row when all
> > servers are physically unavailable, the first log entry will list all
> > of the attempted servers, and then for the next 10 seconds (in the
> > default config) you'll see only the upstream group name and 502 in
> > $upstream_status, until the servers become available again (see
> > max_fails/fail_timeout).
> >
> > Hope this makes things a little bit clearer.
> > _______________________________________________
> > nginx mailing list
> > nginx at nginx.org
> > http://mailman.nginx.org/mailman/listinfo/nginx


-- 
Ruslan Ermilov
Assume stupidity not malice

From nginx-forum at forum.nginx.org  Tue Apr 18 11:18:11 2017
From: nginx-forum at forum.nginx.org (xstation)
Date: Tue, 18 Apr 2017 07:18:11 -0400
Subject: Welcome to nginx on Debian!
Message-ID: <cdcac2d4dd10c4167de4e6ff16257366.NginxMailingListEnglish@forum.nginx.org>

Welcome to nginx on Debian! is the default  holding page

where is this stored on debian 8 jessie?

thankyou
xstation

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273701,273701#msg-273701


From reallfqq-nginx at yahoo.fr  Tue Apr 18 12:39:27 2017
From: reallfqq-nginx at yahoo.fr (B.R.)
Date: Tue, 18 Apr 2017 14:39:27 +0200
Subject: upstream - behavior on pool exhaustion
In-Reply-To: <20170417160904.GE38469@lo0.su>
References: <CALqce=38t_cq8vZTpDE5M_WYq7Kn8iv_i_xUrh-NWgoiMpZ9Bg@mail.gmail.com>
 <20170414082147.GB95482@lo0.su>
 <CALqce=0g=-w6Bx8Z+m07dC-s7-q1vNYcn+H+J5BsPG=K+JxB4w@mail.gmail.com>
 <20170417160904.GE38469@lo0.su>
Message-ID: <CALqce=3QQ0sSxtMReLyD17BYv72O+kGKnNRP6Scw43DMFqbsUw@mail.gmail.com>

'down' should not translate into any kind of attempt, so nothing should
really appear for the servers in that static state.
For 'unavailable' servers, for the most part the content of the variables
should be the same.

Starting from the example I provided, here is what I expected to see:
- $upstream_addr: <IP address 1>:<port>, <IP address 2>:<port>, <IP address
3>:<port>, <IP address 4>:<port>, <IP address 5>:<port>, <IP address
6>:<port>
- $upstream_response_time: 0.000, 0.000, 0.000, 0.000, 0.001, 0.000

That, associated with the 502 response from the HTTP language, is
sufficient to interpret the log entry as: the request failed to find a
proper backend after having attempted communication with the 6 specified
active backends. It is pretty straightforward.
If you want to add something to explicitely states the whole upstream group
is down, this should go to the error log.
At the very least, if the current way of working is kept, the grammar of
the content of the $upstream_* variables should be specified.

?Does not that seem reasonable?
---
*B. R.*

On Mon, Apr 17, 2017 at 6:09 PM, Ruslan Ermilov <ru at nginx.com> wrote:

> On Sat, Apr 15, 2017 at 03:55:20AM +0200, B.R. via nginx wrote:
> > Let me be clear here:
> > I got 6 active servers (not marked down), and the logs show 1 attempt on
> > each. They all failed for a known reason, and there is no problem there.
> > Subsequently, the whole pool was 'down' and the response was 502.
> > Everything perfectly normal so far.
> >
> > ?What is unclear is the feature (as you classified it) of having a fake
> > node named after the pool appearing in the list of tried upstream
> servers.?
> > It brings confusion more than anything else: having a 502 response + the
> > list of all tried (and failed) nodes corresponding with the list of
> active
> > nodes is more than enough to describe what happened.
> > The name of the upstream group does not corresponding to any real asset,
> it
> > is purely virtual classification. It thus makes no sense at all to me to
> > have it appearing as a 7th 'node' in the list... and how do you interpret
> > its response time (where you got also a 7th item in the list)?
> > Moreover, it is confusing, since proxy_pass handles domain names and one
> > could believe nginx treated the upstream group name as such.
>
> Without the six attempts, if all of the servers are unreachable (either
> "down" or "unavailable" because they have failed previously) at the time
> the request starts, what do you expect to see in $upstream_*?
>
> > On Fri, Apr 14, 2017 at 10:21 AM, Ruslan Ermilov <ru at nginx.com> wrote:
> >
> > > On Fri, Apr 14, 2017 at 09:41:36AM +0200, B.R. via nginx wrote:
> > > > Hello,
> > > >
> > > > Reading from upstream
> > > > <https://nginx.org/en/docs/http/ngx_http_upstream_module.htm
> l#upstream>
> > > > docs, on upstream pool exhaustion, every backend should be tried
> once,
> > > and
> > > > then if all fail the response should be crafted based on the one
> from the
> > > > last server attempt.
> > > > So far so good.
> > > >
> > > > I recently faced a server farm which implements a dull nightly
> restart of
> > > > every node, not sequencing it, resulting in the possibility of
> having all
> > > > nodes offline at the same time.
> > > >
> > > > However, I collected log entries which did not match what I was
> expected.
> > > > For 6 backend nodes, I got:
> > > > - log format: $status $body_bytes_sent $request_time $upstream_addr
> > > > $upstream_response_time
> > > > - log entry: 502 568 0.001 <IP address 1>:<port>, <IP address
> 2>:<port>,
> > > > <IP address 3>:<port>, <IP address 4>:<port>, <IP address 5>:<port>,
> <IP
> > > > address 6>:<port>, php-fpm 0.000, 0.000, 0.000, 0.000, 0.001, 0.000,
> > > 0.000
> > > > I got 7 entries for $upstream_addr & $upstream_response_time,
> instead of
> > > > the expected 6.
> > > >
> > > > ?Here are the interesting parts of the configuration:
> > > > upstream php-fpm {
> > > >     server <machine 1>:<port> down;
> > > >     server <machine 2>:<port> down;
> > > >     [...]
> > > >     server <machine N-5>:<port>;
> > > >     server <machine N-4>:<port>;
> > > >     server <machine N-3>:<port>;
> > > >     server <machine N-2>:<port>;
> > > >     server <machine N-1>:<port>;
> > > >     server <machine N>:<port>;
> > > >     keepalive 128;
> > > > }
> > > >
> > > > ?server {
> > > >     set $fpm_pool "php-fpm$fpm_pool_ID";
> > > >     [...]
> > > >         location ~ \.php$ {
> > > >             [...]
> > > >             fastcgi_read_timeout 600;
> > > >             fastcgi_keep_conn on;
> > > >             fastcgi_index index.php;
> > > >
> > > >             include fastcgi_params;
> > > >             fastcgi_param SCRIPT_FILENAME
> > > > $document_root$fastcgi_script_name;
> > > >             [...]
> > > >             fastcgi_pass $fpm_pool;
> > > >         }
> > > > }
> > > >
> > > > ?The question is:
> > > > php-fpm being an upstream group name, how come has it been tried as a
> > > > domain name in the end?
> > > > Stated otherwise, is this because the upstream group is considered
> > > 'down',
> > > > thus somehow removed from the possibilities, and nginx trying one
> last
> > > time
> > > > the name as a domain name to see if something answers?
> > > > This 7th request is definitely strange to my point of view. Is it a
> bug
> > > or
> > > > a feature?
> > >
> > > A feature.
> > >
> > > Most $upstream_* variables are vectored ones, and the number of entries
> > > in their values corresponds to the number of tries made to select a
> peer.
> > > When a peer cannot be selected at all (as in your case), the status is
> > > 502 and the name equals the upstream group name.
> > >
> > > There could be several reasons why none of the peers can be selected.
> > > For example, some peers are marked "down", and other peers were failing
> > > and are now in the "unavailable" state.
> > >
> > > The number of tries is limited by the number of servers in the group,
> > > unless futher restricted by proxy_next_upstream_tries.  In your case,
> > > since there are two "down" servers, and other servers are unavailable,
> > > you reach the situation when a peer cannot be selected.  If you comment
> > > out the two "down" servers, and try a few requests in a row when all
> > > servers are physically unavailable, the first log entry will list all
> > > of the attempted servers, and then for the next 10 seconds (in the
> > > default config) you'll see only the upstream group name and 502 in
> > > $upstream_status, until the servers become available again (see
> > > max_fails/fail_timeout).
> > >
> > > Hope this makes things a little bit clearer.
> > > _______________________________________________
> > > nginx mailing list
> > > nginx at nginx.org
> > > http://mailman.nginx.org/mailman/listinfo/nginx
>
>
> --
> Ruslan Ermilov
> Assume stupidity not malice
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170418/a3b45992/attachment.html>

From jeff.dyke at gmail.com  Tue Apr 18 16:39:09 2017
From: jeff.dyke at gmail.com (Jeff Dyke)
Date: Tue, 18 Apr 2017 12:39:09 -0400
Subject: nginx-extras
Message-ID: <CAHmnZdb2wvso3khcqU3iAN5Ld_wRT=YF+pSPXtnAG3vmECfz+g@mail.gmail.com>

I realize this may not be the best place to ask, but thought someone may
know.

I am using nginx-extras which runs 1.10, for some very helpful lua
functionality, and nginx stable just hit the apt repositories on 1.12, does
anyone know how quickly nginx-extras may be updated to 1.12?

I would like to avoid self compilation as all machines are managed via
saltstack. and i would like to take advantage of the latest stable.

Thanks for any info, even if only historical knowledge.  I'll also put this
on the ubuntu lists, but feel it will just get lost in the volume.

Best,
Jeff
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170418/d110e31d/attachment.html>

From nginx-forum at forum.nginx.org  Tue Apr 18 17:12:44 2017
From: nginx-forum at forum.nginx.org (shiz)
Date: Tue, 18 Apr 2017 13:12:44 -0400
Subject: Welcome to nginx on Debian!
In-Reply-To: <cdcac2d4dd10c4167de4e6ff16257366.NginxMailingListEnglish@forum.nginx.org>
References: <cdcac2d4dd10c4167de4e6ff16257366.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <2f50a16cbc5df7e63f883c2694450da6.NginxMailingListEnglish@forum.nginx.org>

/var/www/html/index.nginx-debian.html

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273701,273710#msg-273710


From nginx-forum at forum.nginx.org  Tue Apr 18 20:36:59 2017
From: nginx-forum at forum.nginx.org (nnvc)
Date: Tue, 18 Apr 2017 16:36:59 -0400
Subject: Nginx as a Proxy for WSUS static caching not working
In-Reply-To: <8fb94d78387fb969213484cf5076c9b7.NginxMailingListEnglish@forum.nginx.org>
References: <8fb94d78387fb969213484cf5076c9b7.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <7e0a9229d31bc733be43758a6d98c4cf.NginxMailingListEnglish@forum.nginx.org>

Dear good afternoon

I'm going through the same situation.

Did you solve it?

thank's

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,220614,273712#msg-273712


From ru at nginx.com  Wed Apr 19 08:51:39 2017
From: ru at nginx.com (Ruslan Ermilov)
Date: Wed, 19 Apr 2017 11:51:39 +0300
Subject: upstream - behavior on pool exhaustion
In-Reply-To: <CALqce=3QQ0sSxtMReLyD17BYv72O+kGKnNRP6Scw43DMFqbsUw@mail.gmail.com>
References: <CALqce=38t_cq8vZTpDE5M_WYq7Kn8iv_i_xUrh-NWgoiMpZ9Bg@mail.gmail.com>
 <20170414082147.GB95482@lo0.su>
 <CALqce=0g=-w6Bx8Z+m07dC-s7-q1vNYcn+H+J5BsPG=K+JxB4w@mail.gmail.com>
 <20170417160904.GE38469@lo0.su>
 <CALqce=3QQ0sSxtMReLyD17BYv72O+kGKnNRP6Scw43DMFqbsUw@mail.gmail.com>
Message-ID: <20170419085139.GD22499@lo0.su>

On Tue, Apr 18, 2017 at 02:39:27PM +0200, B.R. via nginx wrote:
> 'down' should not translate into any kind of attempt, so nothing should
> really appear for the servers in that static state.
> For 'unavailable' servers, for the most part the content of the variables
> should be the same.
> 
> Starting from the example I provided, here is what I expected to see:
> - $upstream_addr: <IP address 1>:<port>, <IP address 2>:<port>, <IP address
> 3>:<port>, <IP address 4>:<port>, <IP address 5>:<port>, <IP address
> 6>:<port>
> - $upstream_response_time: 0.000, 0.000, 0.000, 0.000, 0.001, 0.000
> 
> That, associated with the 502 response from the HTTP language, is
> sufficient to interpret the log entry as: the request failed to find a
> proper backend after having attempted communication with the 6 specified
> active backends. It is pretty straightforward.

And what about the next request when all of servers are either "down"
or "unavailable"?

I'm just trying to give you a simple example of when the value of the
$upstream_addr variable has a special value equal to the upstream
group name, and why it can be useful.

> If you want to add something to explicitely states the whole upstream group
> is down, this should go to the error log.
> At the very least, if the current way of working is kept, the grammar of
> the content of the $upstream_* variables should be specified.
> 
> Does not that seem reasonable?
> ---
> *B. R.*
> 
> On Mon, Apr 17, 2017 at 6:09 PM, Ruslan Ermilov <ru at nginx.com> wrote:
> 
> > On Sat, Apr 15, 2017 at 03:55:20AM +0200, B.R. via nginx wrote:
> > > Let me be clear here:
> > > I got 6 active servers (not marked down), and the logs show 1 attempt on
> > > each. They all failed for a known reason, and there is no problem there.
> > > Subsequently, the whole pool was 'down' and the response was 502.
> > > Everything perfectly normal so far.
> > >
> > > ?What is unclear is the feature (as you classified it) of having a fake
> > > node named after the pool appearing in the list of tried upstream
> > servers.?
> > > It brings confusion more than anything else: having a 502 response + the
> > > list of all tried (and failed) nodes corresponding with the list of
> > active
> > > nodes is more than enough to describe what happened.
> > > The name of the upstream group does not corresponding to any real asset,
> > it
> > > is purely virtual classification. It thus makes no sense at all to me to
> > > have it appearing as a 7th 'node' in the list... and how do you interpret
> > > its response time (where you got also a 7th item in the list)?
> > > Moreover, it is confusing, since proxy_pass handles domain names and one
> > > could believe nginx treated the upstream group name as such.
> >
> > Without the six attempts, if all of the servers are unreachable (either
> > "down" or "unavailable" because they have failed previously) at the time
> > the request starts, what do you expect to see in $upstream_*?
> >
> > > On Fri, Apr 14, 2017 at 10:21 AM, Ruslan Ermilov <ru at nginx.com> wrote:
> > >
> > > > On Fri, Apr 14, 2017 at 09:41:36AM +0200, B.R. via nginx wrote:
> > > > > Hello,
> > > > >
> > > > > Reading from upstream
> > > > > <https://nginx.org/en/docs/http/ngx_http_upstream_module.htm
> > l#upstream>
> > > > > docs, on upstream pool exhaustion, every backend should be tried
> > once,
> > > > and
> > > > > then if all fail the response should be crafted based on the one
> > from the
> > > > > last server attempt.
> > > > > So far so good.
> > > > >
> > > > > I recently faced a server farm which implements a dull nightly
> > restart of
> > > > > every node, not sequencing it, resulting in the possibility of
> > having all
> > > > > nodes offline at the same time.
> > > > >
> > > > > However, I collected log entries which did not match what I was
> > expected.
> > > > > For 6 backend nodes, I got:
> > > > > - log format: $status $body_bytes_sent $request_time $upstream_addr
> > > > > $upstream_response_time
> > > > > - log entry: 502 568 0.001 <IP address 1>:<port>, <IP address
> > 2>:<port>,
> > > > > <IP address 3>:<port>, <IP address 4>:<port>, <IP address 5>:<port>,
> > <IP
> > > > > address 6>:<port>, php-fpm 0.000, 0.000, 0.000, 0.000, 0.001, 0.000,
> > > > 0.000
> > > > > I got 7 entries for $upstream_addr & $upstream_response_time,
> > instead of
> > > > > the expected 6.
> > > > >
> > > > > ?Here are the interesting parts of the configuration:
> > > > > upstream php-fpm {
> > > > >     server <machine 1>:<port> down;
> > > > >     server <machine 2>:<port> down;
> > > > >     [...]
> > > > >     server <machine N-5>:<port>;
> > > > >     server <machine N-4>:<port>;
> > > > >     server <machine N-3>:<port>;
> > > > >     server <machine N-2>:<port>;
> > > > >     server <machine N-1>:<port>;
> > > > >     server <machine N>:<port>;
> > > > >     keepalive 128;
> > > > > }
> > > > >
> > > > > ?server {
> > > > >     set $fpm_pool "php-fpm$fpm_pool_ID";
> > > > >     [...]
> > > > >         location ~ \.php$ {
> > > > >             [...]
> > > > >             fastcgi_read_timeout 600;
> > > > >             fastcgi_keep_conn on;
> > > > >             fastcgi_index index.php;
> > > > >
> > > > >             include fastcgi_params;
> > > > >             fastcgi_param SCRIPT_FILENAME
> > > > > $document_root$fastcgi_script_name;
> > > > >             [...]
> > > > >             fastcgi_pass $fpm_pool;
> > > > >         }
> > > > > }
> > > > >
> > > > > ?The question is:
> > > > > php-fpm being an upstream group name, how come has it been tried as a
> > > > > domain name in the end?
> > > > > Stated otherwise, is this because the upstream group is considered
> > > > 'down',
> > > > > thus somehow removed from the possibilities, and nginx trying one
> > last
> > > > time
> > > > > the name as a domain name to see if something answers?
> > > > > This 7th request is definitely strange to my point of view. Is it a
> > bug
> > > > or
> > > > > a feature?
> > > >
> > > > A feature.
> > > >
> > > > Most $upstream_* variables are vectored ones, and the number of entries
> > > > in their values corresponds to the number of tries made to select a
> > peer.
> > > > When a peer cannot be selected at all (as in your case), the status is
> > > > 502 and the name equals the upstream group name.
> > > >
> > > > There could be several reasons why none of the peers can be selected.
> > > > For example, some peers are marked "down", and other peers were failing
> > > > and are now in the "unavailable" state.
> > > >
> > > > The number of tries is limited by the number of servers in the group,
> > > > unless futher restricted by proxy_next_upstream_tries.  In your case,
> > > > since there are two "down" servers, and other servers are unavailable,
> > > > you reach the situation when a peer cannot be selected.  If you comment
> > > > out the two "down" servers, and try a few requests in a row when all
> > > > servers are physically unavailable, the first log entry will list all
> > > > of the attempted servers, and then for the next 10 seconds (in the
> > > > default config) you'll see only the upstream group name and 502 in
> > > > $upstream_status, until the servers become available again (see
> > > > max_fails/fail_timeout).
> > > >
> > > > Hope this makes things a little bit clearer.
> > > > _______________________________________________
> > > > nginx mailing list
> > > > nginx at nginx.org
> > > > http://mailman.nginx.org/mailman/listinfo/nginx
> >
> >
> > --
> > Ruslan Ermilov
> > Assume stupidity not malice
> > _______________________________________________
> > nginx mailing list
> > nginx at nginx.org
> > http://mailman.nginx.org/mailman/listinfo/nginx
> >


-- 
Ruslan Ermilov
Assume stupidity not malice

From reallfqq-nginx at yahoo.fr  Wed Apr 19 15:26:17 2017
From: reallfqq-nginx at yahoo.fr (B.R.)
Date: Wed, 19 Apr 2017 17:26:17 +0200
Subject: upstream - behavior on pool exhaustion
In-Reply-To: <20170419085139.GD22499@lo0.su>
References: <CALqce=38t_cq8vZTpDE5M_WYq7Kn8iv_i_xUrh-NWgoiMpZ9Bg@mail.gmail.com>
 <20170414082147.GB95482@lo0.su>
 <CALqce=0g=-w6Bx8Z+m07dC-s7-q1vNYcn+H+J5BsPG=K+JxB4w@mail.gmail.com>
 <20170417160904.GE38469@lo0.su>
 <CALqce=3QQ0sSxtMReLyD17BYv72O+kGKnNRP6Scw43DMFqbsUw@mail.gmail.com>
 <20170419085139.GD22499@lo0.su>
Message-ID: <CALqce=1NXwZ2sAKTWBmaySufWtHk49=JQ0kZy6aQgddBc_p7aQ@mail.gmail.com>

On Wed, Apr 19, 2017 at 10:51 AM, Ruslan Ermilov <ru at nginx.com> wrote:

> And what about the next request when all of servers are either "down"
> or "unavailable"?
>

To me, all the unavailable servers have been 'tried', ie their state has
been checked, as the docs
<http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream> say
every server of an upstream group will be checked.
Thus, they should all appear, along with the time it took for that lookup
to be made (usually 0.000 since no communication occurred and a simple
internal check has probably been made for the duration of the 'unavailable'
state).

?No special value whatsoever, as none required, and the grammar of the 2
variables is stable.?
?If an explicit message about attempts against completely unavailable
upstream groups should be logged, it would be so in the error log.?

---
*B. R.*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170419/0db60f5d/attachment.html>

From nginx-forum at forum.nginx.org  Wed Apr 19 16:18:07 2017
From: nginx-forum at forum.nginx.org (Kumudini Ponnuthurai)
Date: Wed, 19 Apr 2017 12:18:07 -0400
Subject: GPG Key ( nginx_signing.key) file does not contain the key to verify
 the tar file
Message-ID: <0c06b12446f3bc468d4ce0196166b5ac.NginxMailingListEnglish@forum.nginx.org>

Not able to verify the latest source of mainline and stable versions of
NGINX with gpg key ( http://nginx.org/keys/nginx_signing.key ). I am using
Gpg4win Kleopatra. I uploaded this nginx_signing.key file, then changed the
owner trust under certificates.  Then verified the source (tar file and the
.asc file) by file -> decrypt/verify. The message was, the key used to sign
the source is not found in the nginx_signing.key file. 

Please let me know, how to I verify nginx source with GPG in windows.
Thanks.

I also tried to do this by checking for the key in key servers. Not able to
find the key that is used to sign the source tar file.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273729,273729#msg-273729


From mdounin at mdounin.ru  Wed Apr 19 16:44:35 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 19 Apr 2017 19:44:35 +0300
Subject: GPG Key ( nginx_signing.key) file does not contain the key to
 verify the tar file
In-Reply-To: <0c06b12446f3bc468d4ce0196166b5ac.NginxMailingListEnglish@forum.nginx.org>
References: <0c06b12446f3bc468d4ce0196166b5ac.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170419164435.GN43932@mdounin.ru>

Hello!

On Wed, Apr 19, 2017 at 12:18:07PM -0400, Kumudini Ponnuthurai wrote:

> Not able to verify the latest source of mainline and stable versions of
> NGINX with gpg key ( http://nginx.org/keys/nginx_signing.key ). I am using
> Gpg4win Kleopatra. I uploaded this nginx_signing.key file, then changed the
> owner trust under certificates.  Then verified the source (tar file and the
> .asc file) by file -> decrypt/verify. The message was, the key used to sign
> the source is not found in the nginx_signing.key file. 
> 
> Please let me know, how to I verify nginx source with GPG in windows.
> Thanks.
> 
> I also tried to do this by checking for the key in key servers. Not able to
> find the key that is used to sign the source tar file.

There is more than one PGP key used.  Full list of keys is here:

http://nginx.org/en/pgp_keys.html

Most of the recent releases are signed by me, key is at 
http://nginx.org/keys/mdounin.key.  Key fingerprint is:
B0F4 2533 73F8 F6F5 10D4  2178 520A 9993 A1C0 52F8.

-- 
Maxim Dounin
http://nginx.org/

From atif.ali at gmail.com  Wed Apr 19 17:46:00 2017
From: atif.ali at gmail.com (aT)
Date: Wed, 19 Apr 2017 21:46:00 +0400
Subject: Logging all requests onNginx
Message-ID: <CA+OZ_ChVC8yK4OO3ec1_QwU=DLsBn=c+ojif2k1QSaVfiApVnA@mail.gmail.com>

HI ,

Is there a way to log all incoming requests on Nginx .

Regardless of them being served or not .

For example,  In case of surge of crawler hits , if the upstream backend
cannot perform and requests hang  , nginx will not log any such failed
request .

How can we log them to have more detail on the surges of requests.

Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170419/4af54e7d/attachment.html>

From alex at samad.com.au  Wed Apr 19 23:06:51 2017
From: alex at samad.com.au (Alex Samad)
Date: Thu, 20 Apr 2017 09:06:51 +1000
Subject: Logging all requests onNginx
In-Reply-To: <CA+OZ_ChVC8yK4OO3ec1_QwU=DLsBn=c+ojif2k1QSaVfiApVnA@mail.gmail.com>
References: <CA+OZ_ChVC8yK4OO3ec1_QwU=DLsBn=c+ojif2k1QSaVfiApVnA@mail.gmail.com>
Message-ID: <CAJ+Q1PXre8kgvDZQmDJ1mvzSZErvn6wRZZMYoGksHQ1gzJ_vhA@mail.gmail.com>

Will it not be logged as a timeout either in access or error/log ?

On 20 April 2017 at 03:46, aT <atif.ali at gmail.com> wrote:

> HI ,
>
> Is there a way to log all incoming requests on Nginx .
>
> Regardless of them being served or not .
>
> For example,  In case of surge of crawler hits , if the upstream backend
> cannot perform and requests hang  , nginx will not log any such failed
> request .
>
> How can we log them to have more detail on the surges of requests.
>
> Thanks
>
>
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170420/c13e071e/attachment.html>

From jeff.dyke at gmail.com  Wed Apr 19 23:53:57 2017
From: jeff.dyke at gmail.com (Jeff Dyke)
Date: Wed, 19 Apr 2017 19:53:57 -0400
Subject: Logging all requests onNginx
In-Reply-To: <CAJ+Q1PXre8kgvDZQmDJ1mvzSZErvn6wRZZMYoGksHQ1gzJ_vhA@mail.gmail.com>
References: <CA+OZ_ChVC8yK4OO3ec1_QwU=DLsBn=c+ojif2k1QSaVfiApVnA@mail.gmail.com>
 <CAJ+Q1PXre8kgvDZQmDJ1mvzSZErvn6wRZZMYoGksHQ1gzJ_vhA@mail.gmail.com>
Message-ID: <CAHmnZdYtvLDxSMn-JrxHhc1vVbOS1zY3bSxsoqW_gun4ZYXqAQ@mail.gmail.com>

untested, but if you set error_log to the correct level, it should log
there as it likely received a > 300 response from the backends. I don't
think you want these in your access logs, but i am suprised you don't get
some sort of non < 400 response in those logs.  But it's been a long day....

On Wed, Apr 19, 2017 at 7:06 PM, Alex Samad <alex at samad.com.au> wrote:

> Will it not be logged as a timeout either in access or error/log ?
>
> On 20 April 2017 at 03:46, aT <atif.ali at gmail.com> wrote:
>
>> HI ,
>>
>> Is there a way to log all incoming requests on Nginx .
>>
>> Regardless of them being served or not .
>>
>> For example,  In case of surge of crawler hits , if the upstream backend
>> cannot perform and requests hang  , nginx will not log any such failed
>> request .
>>
>> How can we log them to have more detail on the surges of requests.
>>
>> Thanks
>>
>>
>>
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170419/38370d76/attachment-0001.html>

From jeff.dyke at gmail.com  Wed Apr 19 23:55:52 2017
From: jeff.dyke at gmail.com (Jeff Dyke)
Date: Wed, 19 Apr 2017 19:55:52 -0400
Subject: Logging all requests onNginx
In-Reply-To: <CAHmnZdYtvLDxSMn-JrxHhc1vVbOS1zY3bSxsoqW_gun4ZYXqAQ@mail.gmail.com>
References: <CA+OZ_ChVC8yK4OO3ec1_QwU=DLsBn=c+ojif2k1QSaVfiApVnA@mail.gmail.com>
 <CAJ+Q1PXre8kgvDZQmDJ1mvzSZErvn6wRZZMYoGksHQ1gzJ_vhA@mail.gmail.com>
 <CAHmnZdYtvLDxSMn-JrxHhc1vVbOS1zY3bSxsoqW_gun4ZYXqAQ@mail.gmail.com>
Message-ID: <CAHmnZdYiaMh=Rj4UBK3FPnMfBEfrNEWTRTm_ecBfErzgdy6DSA@mail.gmail.com>

this might be helpful -
http://stackoverflow.com/questions/12315832/how-to-fix-nginx-throws-400-bad-request-headers-on-any-header-testing-tools/17289826#comment16555393_12315832

On Wed, Apr 19, 2017 at 7:53 PM, Jeff Dyke <jeff.dyke at gmail.com> wrote:

> untested, but if you set error_log to the correct level, it should log
> there as it likely received a > 300 response from the backends. I don't
> think you want these in your access logs, but i am suprised you don't get
> some sort of non < 400 response in those logs.  But it's been a long day....
>
> On Wed, Apr 19, 2017 at 7:06 PM, Alex Samad <alex at samad.com.au> wrote:
>
>> Will it not be logged as a timeout either in access or error/log ?
>>
>> On 20 April 2017 at 03:46, aT <atif.ali at gmail.com> wrote:
>>
>>> HI ,
>>>
>>> Is there a way to log all incoming requests on Nginx .
>>>
>>> Regardless of them being served or not .
>>>
>>> For example,  In case of surge of crawler hits , if the upstream backend
>>> cannot perform and requests hang  , nginx will not log any such failed
>>> request .
>>>
>>> How can we log them to have more detail on the surges of requests.
>>>
>>> Thanks
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> nginx mailing list
>>> nginx at nginx.org
>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>
>>
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170419/93ae1866/attachment.html>

From gfrankliu at gmail.com  Thu Apr 20 00:08:20 2017
From: gfrankliu at gmail.com (Frank Liu)
Date: Wed, 19 Apr 2017 17:08:20 -0700
Subject: access log request without query string
Message-ID: <CAOXPdC_XF77KfCHZrB+_BnNyB-4WvLWa9Nep5=t1YxRuuSTZPw@mail.gmail.com>

Hi,

What's the best way to login the original request uri ($request_uri)
without query string? I tried $uri but it seems to be normalized and if I
have customized 404 error page /404.html, all those requests are logged as
/404.html instead of original requests uri.

Thanks!
Frank
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170419/3e03c594/attachment.html>

From zchao1995 at gmail.com  Thu Apr 20 01:23:11 2017
From: zchao1995 at gmail.com (Zhang Chao)
Date: Wed, 19 Apr 2017 21:23:11 -0400
Subject: access log request without query string
In-Reply-To: <CAOXPdC_XF77KfCHZrB+_BnNyB-4WvLWa9Nep5=t1YxRuuSTZPw@mail.gmail.com>
References: <CAOXPdC_XF77KfCHZrB+_BnNyB-4WvLWa9Nep5=t1YxRuuSTZPw@mail.gmail.com>
Message-ID: <CAPr95BhuoA2U1LhA7hmOSdhQeT__w5vbi9k_2wFUiFcqrsFDRg@mail.gmail.com>

Maybe lua-nginx-module is more convenient :)


On 20 April 2017 at 08:08:46, Frank Liu (gfrankliu at gmail.com) wrote:

Hi,

What's the best way to login the original request uri ($request_uri)
without query string? I tried $uri but it seems to be normalized and if I
have customized 404 error page /404.html, all those requests are logged as
/404.html instead of original requests uri.

Thanks!
Frank
?_______________________________________
nginx mailing list
nginx at nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170419/11e0035f/attachment.html>

From a20132950 at pucp.pe  Thu Apr 20 07:05:55 2017
From: a20132950 at pucp.pe (SARA QUISPE MEJIA)
Date: Thu, 20 Apr 2017 09:05:55 +0200
Subject: nginx access logs to mysql
Message-ID: <CAPkVA2b9eqia2S8qiRzNXVWscXU1m=tSjxPKJD3PChtHNaCKfA@mail.gmail.com>

I want to parse the log file respect to a client that means to make a
report of how the client is using my application through the information
provided by a log file.

So I need to filter some url where I find an especific  name of a function.
For that I thought in insert my log file to database like mysql. Could I do
that with my log file ?  (I use nginx )

I tried to do that with syslog-ng but it doesn't work

Do you have any ideas?

Thanks

Sara
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170420/1f43bbba/attachment.html>

From oscaretu at gmail.com  Thu Apr 20 07:11:38 2017
From: oscaretu at gmail.com (oscaretu .)
Date: Thu, 20 Apr 2017 09:11:38 +0200
Subject: nginx access logs to mysql
In-Reply-To: <CAPkVA2b9eqia2S8qiRzNXVWscXU1m=tSjxPKJD3PChtHNaCKfA@mail.gmail.com>
References: <CAPkVA2b9eqia2S8qiRzNXVWscXU1m=tSjxPKJD3PChtHNaCKfA@mail.gmail.com>
Message-ID: <CAFztJwSUCWCKOghJpc+860eEhhvNg+sxcEXD=GH=8Ln1BZJsFQ@mail.gmail.com>

Sara, why don't you process the log file just with grep / pcregrep to get
just the lines that containt that function name?


On Thu, Apr 20, 2017 at 9:05 AM, SARA QUISPE MEJIA <a20132950 at pucp.pe>
wrote:

> I want to parse the log file respect to a client that means to make a
> report of how the client is using my application through the information
> provided by a log file.
>
> So I need to filter some url where I find an especific  name of a
> function. For that I thought in insert my log file to database like mysql.
> Could I do that with my log file ?  (I use nginx )
>
> I tried to do that with syslog-ng but it doesn't work
>
> Do you have any ideas?
>
> Thanks
>
> Sara
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>



-- 
Oscar Fernandez Sierra
oscaretu at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170420/eb1429d3/attachment.html>

From a20132950 at pucp.pe  Thu Apr 20 07:29:48 2017
From: a20132950 at pucp.pe (SARA QUISPE MEJIA)
Date: Thu, 20 Apr 2017 09:29:48 +0200
Subject: nginx access logs to mysql
In-Reply-To: <CAFztJwSUCWCKOghJpc+860eEhhvNg+sxcEXD=GH=8Ln1BZJsFQ@mail.gmail.com>
References: <CAPkVA2b9eqia2S8qiRzNXVWscXU1m=tSjxPKJD3PChtHNaCKfA@mail.gmail.com>
 <CAFztJwSUCWCKOghJpc+860eEhhvNg+sxcEXD=GH=8Ln1BZJsFQ@mail.gmail.com>
Message-ID: <CAPkVA2bZP1_tyexYOe86f8XzButw+jG6YidR2ps92GdieU_CZA@mail.gmail.com>

yes, I tried to do that and then I did the analysis with goaccess,
but now I need to do an interface(page.php) for the user can choose
the function that want to filter and then generate a report.
So, I thought put all my information on a database like mysql

2017-04-20 9:11 GMT+02:00 oscaretu . <oscaretu at gmail.com>:

> Sara, why don't you process the log file just with grep / pcregrep to get
> just the lines that containt that function name?
>
>
> On Thu, Apr 20, 2017 at 9:05 AM, SARA QUISPE MEJIA <a20132950 at pucp.pe>
> wrote:
>
>> I want to parse the log file respect to a client that means to make a
>> report of how the client is using my application through the information
>> provided by a log file.
>>
>> So I need to filter some url where I find an especific  name of a
>> function. For that I thought in insert my log file to database like mysql.
>> Could I do that with my log file ?  (I use nginx )
>>
>> I tried to do that with syslog-ng but it doesn't work
>>
>> Do you have any ideas?
>>
>> Thanks
>>
>> Sara
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
>
> --
> Oscar Fernandez Sierra
> oscaretu at gmail.com
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170420/d09a80f0/attachment-0001.html>

From oscaretu at gmail.com  Thu Apr 20 07:57:27 2017
From: oscaretu at gmail.com (oscaretu .)
Date: Thu, 20 Apr 2017 09:57:27 +0200
Subject: nginx access logs to mysql
In-Reply-To: <CAPkVA2bZP1_tyexYOe86f8XzButw+jG6YidR2ps92GdieU_CZA@mail.gmail.com>
References: <CAPkVA2b9eqia2S8qiRzNXVWscXU1m=tSjxPKJD3PChtHNaCKfA@mail.gmail.com>
 <CAFztJwSUCWCKOghJpc+860eEhhvNg+sxcEXD=GH=8Ln1BZJsFQ@mail.gmail.com>
 <CAPkVA2bZP1_tyexYOe86f8XzButw+jG6YidR2ps92GdieU_CZA@mail.gmail.com>
Message-ID: <CAFztJwRrPUMkiBWnanqgQJ+uzA8P914qvhG+A5nXwXypDTfuzA@mail.gmail.com>

If you extract the lines containing all the function names, and filter them
with a script that counts the number of times that the function appears,
you only have to store (for example in a JSON) the number of times that
each function was used. And you can avoid storing all the logs in a
database.


On Thu, Apr 20, 2017 at 9:29 AM, SARA QUISPE MEJIA <a20132950 at pucp.pe>
wrote:

> yes, I tried to do that and then I did the analysis with goaccess,
> but now I need to do an interface(page.php) for the user can choose
> the function that want to filter and then generate a report.
> So, I thought put all my information on a database like mysql
>
> 2017-04-20 9:11 GMT+02:00 oscaretu . <oscaretu at gmail.com>:
>
>> Sara, why don't you process the log file just with grep / pcregrep to get
>> just the lines that containt that function name?
>>
>>
>> On Thu, Apr 20, 2017 at 9:05 AM, SARA QUISPE MEJIA <a20132950 at pucp.pe>
>> wrote:
>>
>>> I want to parse the log file respect to a client that means to make a
>>> report of how the client is using my application through the information
>>> provided by a log file.
>>>
>>> So I need to filter some url where I find an especific  name of a
>>> function. For that I thought in insert my log file to database like mysql.
>>> Could I do that with my log file ?  (I use nginx )
>>>
>>> I tried to do that with syslog-ng but it doesn't work
>>>
>>> Do you have any ideas?
>>>
>>> Thanks
>>>
>>> Sara
>>>
>>> _______________________________________________
>>> nginx mailing list
>>> nginx at nginx.org
>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>
>>
>>
>>
>> --
>> Oscar Fernandez Sierra
>> oscaretu at gmail.com
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>



-- 
Oscar Fernandez Sierra
oscaretu at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170420/a4c3ab45/attachment.html>

From a20132950 at pucp.pe  Thu Apr 20 08:10:13 2017
From: a20132950 at pucp.pe (SARA QUISPE MEJIA)
Date: Thu, 20 Apr 2017 10:10:13 +0200
Subject: nginx access logs to mysql
In-Reply-To: <CAFztJwRrPUMkiBWnanqgQJ+uzA8P914qvhG+A5nXwXypDTfuzA@mail.gmail.com>
References: <CAPkVA2b9eqia2S8qiRzNXVWscXU1m=tSjxPKJD3PChtHNaCKfA@mail.gmail.com>
 <CAFztJwSUCWCKOghJpc+860eEhhvNg+sxcEXD=GH=8Ln1BZJsFQ@mail.gmail.com>
 <CAPkVA2bZP1_tyexYOe86f8XzButw+jG6YidR2ps92GdieU_CZA@mail.gmail.com>
 <CAFztJwRrPUMkiBWnanqgQJ+uzA8P914qvhG+A5nXwXypDTfuzA@mail.gmail.com>
Message-ID: <CAPkVA2YPGNVBrv6-MwGTHEkeoWLp0gEHYRy-fo372cR9-EU2tA@mail.gmail.com>

yes, I could do it but I want just store for example the customer, the
function name, the date after with those information I could filter my
report through a page.php
But  with json I don't know how can I do that?


2017-04-20 9:57 GMT+02:00 oscaretu . <oscaretu at gmail.com>:

> If you extract the lines containing all the function names, and filter
> them with a script that counts the number of times that the function
> appears, you only have to store (for example in a JSON) the number of times
> that each function was used. And you can avoid storing all the logs in a
> database.
>
>
> On Thu, Apr 20, 2017 at 9:29 AM, SARA QUISPE MEJIA <a20132950 at pucp.pe>
> wrote:
>
>> yes, I tried to do that and then I did the analysis with goaccess,
>> but now I need to do an interface(page.php) for the user can choose
>> the function that want to filter and then generate a report.
>> So, I thought put all my information on a database like mysql
>>
>> 2017-04-20 9:11 GMT+02:00 oscaretu . <oscaretu at gmail.com>:
>>
>>> Sara, why don't you process the log file just with grep / pcregrep to
>>> get just the lines that containt that function name?
>>>
>>>
>>> On Thu, Apr 20, 2017 at 9:05 AM, SARA QUISPE MEJIA <a20132950 at pucp.pe>
>>> wrote:
>>>
>>>> I want to parse the log file respect to a client that means to make a
>>>> report of how the client is using my application through the information
>>>> provided by a log file.
>>>>
>>>> So I need to filter some url where I find an especific  name of a
>>>> function. For that I thought in insert my log file to database like mysql.
>>>> Could I do that with my log file ?  (I use nginx )
>>>>
>>>> I tried to do that with syslog-ng but it doesn't work
>>>>
>>>> Do you have any ideas?
>>>>
>>>> Thanks
>>>>
>>>> Sara
>>>>
>>>> _______________________________________________
>>>> nginx mailing list
>>>> nginx at nginx.org
>>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>>
>>>
>>>
>>>
>>> --
>>> Oscar Fernandez Sierra
>>> oscaretu at gmail.com
>>>
>>> _______________________________________________
>>> nginx mailing list
>>> nginx at nginx.org
>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>
>>
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
>
> --
> Oscar Fernandez Sierra
> oscaretu at gmail.com
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170420/80ab353a/attachment.html>

From oleg at mamontov.net  Thu Apr 20 09:25:52 2017
From: oleg at mamontov.net (Oleg A. Mamontov)
Date: Thu, 20 Apr 2017 12:25:52 +0300
Subject: access log request without query string
In-Reply-To: <CAPr95BhuoA2U1LhA7hmOSdhQeT__w5vbi9k_2wFUiFcqrsFDRg@mail.gmail.com>
References: <CAOXPdC_XF77KfCHZrB+_BnNyB-4WvLWa9Nep5=t1YxRuuSTZPw@mail.gmail.com>
 <CAPr95BhuoA2U1LhA7hmOSdhQeT__w5vbi9k_2wFUiFcqrsFDRg@mail.gmail.com>
Message-ID: <20170420092552.i2qaot73ua7uavwj@xenon.mamontov.net>

On Wed, Apr 19, 2017 at 09:23:11PM -0400, Zhang Chao wrote:
> Maybe lua-nginx-module is more convenient :)

Please don't overcomplicate such a simple task ;)
The following approach should just work:
--------------------------------
map $request_uri $request_path {
    ~(?<path>[^?]*) $path;
}
--------------------------------

> On 20 April 2017 at 08:08:46, Frank Liu (gfrankliu at gmail.com) wrote:
> 
> Hi,
> 
> What's the best way to login the original request uri ($request_uri)
> without query string? I tried $uri but it seems to be normalized and if I
> have customized 404 error page /404.html, all those requests are logged as
> /404.html instead of original requests uri.
> 
> Thanks!
> Frank

-- 
Cheers,
Oleg A. Mamontov

mailto: oleg at mamontov.net

skype:  lonerr11
cell:   +7 (903) 798-1352

From r at roze.lv  Thu Apr 20 09:51:39 2017
From: r at roze.lv (Reinis Rozitis)
Date: Thu, 20 Apr 2017 12:51:39 +0300
Subject: nginx access logs to mysql
In-Reply-To: <CAPkVA2b9eqia2S8qiRzNXVWscXU1m=tSjxPKJD3PChtHNaCKfA@mail.gmail.com>
References: <CAPkVA2b9eqia2S8qiRzNXVWscXU1m=tSjxPKJD3PChtHNaCKfA@mail.gmail.com>
Message-ID: <EB87BA4280894CE0BF2BC04ED8BE115B@Neiroze>

> I tried to do that with syslog-ng but it doesn't work

What exactly didn't work (before writing a longer configuration example)?

It's kind of simple with syslog-ng - you set the nginx log file as source / 
provide mysql as destination and that's it.


rr


From oscaretu at gmail.com  Thu Apr 20 10:30:57 2017
From: oscaretu at gmail.com (oscaretu .)
Date: Thu, 20 Apr 2017 12:30:57 +0200
Subject: nginx access logs to mysql
In-Reply-To: <CAPkVA2YPGNVBrv6-MwGTHEkeoWLp0gEHYRy-fo372cR9-EU2tA@mail.gmail.com>
References: <CAPkVA2b9eqia2S8qiRzNXVWscXU1m=tSjxPKJD3PChtHNaCKfA@mail.gmail.com>
 <CAFztJwSUCWCKOghJpc+860eEhhvNg+sxcEXD=GH=8Ln1BZJsFQ@mail.gmail.com>
 <CAPkVA2bZP1_tyexYOe86f8XzButw+jG6YidR2ps92GdieU_CZA@mail.gmail.com>
 <CAFztJwRrPUMkiBWnanqgQJ+uzA8P914qvhG+A5nXwXypDTfuzA@mail.gmail.com>
 <CAPkVA2YPGNVBrv6-MwGTHEkeoWLp0gEHYRy-fo372cR9-EU2tA@mail.gmail.com>
Message-ID: <CAFztJwQAL7rMhFffBQLc35q5QsbZZ202yMJDfF6v7=-SR8FY1Q@mail.gmail.com>

I was trying to say you that you don't need to store lots of unnecesary
logs when you can store just the valuable information contained in the
logs, in a processed way.

Why store thousands of log lines that show some called function
functionname1 instead of store something like this:


{
  "date" : "20170420",
  "functionmname1": 33,
  "functionmname2": 18,
  "functionmname3": 51,
  "functionmname4": 68,
  ...
}

In JSON, in a database, or where you want...


On Thu, Apr 20, 2017 at 10:10 AM, SARA QUISPE MEJIA <a20132950 at pucp.pe>
wrote:

> yes, I could do it but I want just store for example the customer, the
> function name, the date after with those information I could filter my
> report through a page.php
> But  with json I don't know how can I do that?
>
>
> 2017-04-20 9:57 GMT+02:00 oscaretu . <oscaretu at gmail.com>:
>
>> If you extract the lines containing all the function names, and filter
>> them with a script that counts the number of times that the function
>> appears, you only have to store (for example in a JSON) the number of times
>> that each function was used. And you can avoid storing all the logs in a
>> database.
>>
>>
>> On Thu, Apr 20, 2017 at 9:29 AM, SARA QUISPE MEJIA <a20132950 at pucp.pe>
>> wrote:
>>
>>> yes, I tried to do that and then I did the analysis with goaccess,
>>> but now I need to do an interface(page.php) for the user can choose
>>> the function that want to filter and then generate a report.
>>> So, I thought put all my information on a database like mysql
>>>
>>> 2017-04-20 9:11 GMT+02:00 oscaretu . <oscaretu at gmail.com>:
>>>
>>>> Sara, why don't you process the log file just with grep / pcregrep to
>>>> get just the lines that containt that function name?
>>>>
>>>>
>>>> On Thu, Apr 20, 2017 at 9:05 AM, SARA QUISPE MEJIA <a20132950 at pucp.pe>
>>>> wrote:
>>>>
>>>>> I want to parse the log file respect to a client that means to make a
>>>>> report of how the client is using my application through the information
>>>>> provided by a log file.
>>>>>
>>>>> So I need to filter some url where I find an especific  name of a
>>>>> function. For that I thought in insert my log file to database like mysql.
>>>>> Could I do that with my log file ?  (I use nginx )
>>>>>
>>>>> I tried to do that with syslog-ng but it doesn't work
>>>>>
>>>>> Do you have any ideas?
>>>>>
>>>>> Thanks
>>>>>
>>>>> Sara
>>>>>
>>>>> _______________________________________________
>>>>> nginx mailing list
>>>>> nginx at nginx.org
>>>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Oscar Fernandez Sierra
>>>> oscaretu at gmail.com
>>>>
>>>> _______________________________________________
>>>> nginx mailing list
>>>> nginx at nginx.org
>>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>>
>>>
>>>
>>> _______________________________________________
>>> nginx mailing list
>>> nginx at nginx.org
>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>
>>
>>
>>
>> --
>> Oscar Fernandez Sierra
>> oscaretu at gmail.com
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>



-- 
Oscar Fernandez Sierra
oscaretu at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170420/0fda3f40/attachment-0001.html>

From ru at nginx.com  Thu Apr 20 12:58:00 2017
From: ru at nginx.com (Ruslan Ermilov)
Date: Thu, 20 Apr 2017 15:58:00 +0300
Subject: upstream - behavior on pool exhaustion
In-Reply-To: <CALqce=1NXwZ2sAKTWBmaySufWtHk49=JQ0kZy6aQgddBc_p7aQ@mail.gmail.com>
References: <CALqce=38t_cq8vZTpDE5M_WYq7Kn8iv_i_xUrh-NWgoiMpZ9Bg@mail.gmail.com>
 <20170414082147.GB95482@lo0.su>
 <CALqce=0g=-w6Bx8Z+m07dC-s7-q1vNYcn+H+J5BsPG=K+JxB4w@mail.gmail.com>
 <20170417160904.GE38469@lo0.su>
 <CALqce=3QQ0sSxtMReLyD17BYv72O+kGKnNRP6Scw43DMFqbsUw@mail.gmail.com>
 <20170419085139.GD22499@lo0.su>
 <CALqce=1NXwZ2sAKTWBmaySufWtHk49=JQ0kZy6aQgddBc_p7aQ@mail.gmail.com>
Message-ID: <20170420125800.GE8722@lo0.su>

On Wed, Apr 19, 2017 at 05:26:17PM +0200, B.R. via nginx wrote:
> On Wed, Apr 19, 2017 at 10:51 AM, Ruslan Ermilov <ru at nginx.com> wrote:
> 
> > And what about the next request when all of servers are either "down"
> > or "unavailable"?
> >
> 
> To me, all the unavailable servers have been 'tried', ie their state has
> been checked, as the docs
> <http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream> say
> every server of an upstream group will be checked.
> Thus, they should all appear, along with the time it took for that lookup
> to be made (usually 0.000 since no communication occurred and a simple
> internal check has probably been made for the duration of the 'unavailable'
> state).
> 
> ?No special value whatsoever, as none required, and the grammar of the 2
> variables is stable.?
> ?If an explicit message about attempts against completely unavailable
> upstream groups should be logged, it would be so in the error log.?

Given the following config,

    upstream u {
	server 127.0.0.1:8001;
	server 127.0.0.1:8002;
	server 127.0.0.1:8003;
    }

    log_format u "upstream_addr={$upstream_addr} upstream_status={$upstream_status}";

    server {
	access_log logs/u.log u;

	listen 8000;

	location / {
	    proxy_pass http://u;
	}
    }

when none of the upstream servers are available, the first request will
log

upstream_addr={127.0.0.1:8001, 127.0.0.1:8002, 127.0.0.1:8003} upstream_status={502, 502, 502}

And the next request will log:

upstream_addr={u} upstream_status={502}


If you add the 4th "server 127.0.0.1:8004 down" and start afresh, then the
first request will end up with

upstream_addr={127.0.0.1:8001, 127.0.0.1:8002, 127.0.0.1:8003, u} upstream_status={502, 502, 502, 502}

This is because the number of attempts equals the number of servers by
default.


Again, this is not a bug but a feature.

The number of values in $upstream_* always corresponds to the number
of attempts made to select a server.  The last value can be a special
value with the name of the upstream group when an attempt to select
a peer has failed.  This can happen on the 1st attempt, and then the
only value will be the upstream group name.

From cornelis.bos at gmail.com  Thu Apr 20 14:06:49 2017
From: cornelis.bos at gmail.com (Kees Bos)
Date: Thu, 20 Apr 2017 16:06:49 +0200
Subject: nginx-mail and proxy protocol
Message-ID: <1492697209.21907.4.camel@gmail.com>

Hi all,

Does someone have experience with nginx-mail and the proxy protocol?

Does nginx-mail have (or will is get) support for the 'proxy_protocol'
parameter to the 'listen' directive?


Cheers,

Kees

From maxim at nginx.com  Thu Apr 20 14:12:18 2017
From: maxim at nginx.com (Maxim Konovalov)
Date: Thu, 20 Apr 2017 17:12:18 +0300
Subject: nginx-mail and proxy protocol
In-Reply-To: <1492697209.21907.4.camel@gmail.com>
References: <1492697209.21907.4.camel@gmail.com>
Message-ID: <e9299a86-96cd-b95f-0ab2-6af33ce02f9f@nginx.com>

Hi Kees,

On 20/04/2017 17:06, Kees Bos wrote:
> Hi all,
> 
> Does someone have experience with nginx-mail and the proxy protocol?
> 
> Does nginx-mail have (or will is get) support for the 'proxy_protocol'
> parameter to the 'listen' directive?
> 
It doesn't. There were no plans for that basically because nobody
asked before.

What's your backend software which supports proxy proto?

Thanks,

Maxim

-- 
Maxim Konovalov

From fam6837 at gmail.com  Thu Apr 20 14:29:41 2017
From: fam6837 at gmail.com (Musta Fa)
Date: Thu, 20 Apr 2017 15:29:41 +0100
Subject: request_body capture regex
Message-ID: <CAAL+Fe867348Y7NWVmCcQFxG91+nU7nd1tuxVEd=yZOJcWYQkg@mail.gmail.com>

is it possible to capture POST data, but as soon there is a "password" then
this word and its value to mask or exclude from log.

i was trying to split request_body, but it not working correct:

map $request_body $request_body_nopwd {
"~(.*)(&|%5B)password(%5D)?\=" $1;
}

also if request dont have password it returns empty value, etc
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170420/835199b6/attachment.html>

From cornelis.bos at gmail.com  Thu Apr 20 14:41:03 2017
From: cornelis.bos at gmail.com (Kees Bos)
Date: Thu, 20 Apr 2017 16:41:03 +0200
Subject: nginx-mail and proxy protocol
In-Reply-To: <e9299a86-96cd-b95f-0ab2-6af33ce02f9f@nginx.com>
References: <1492697209.21907.4.camel@gmail.com>
 <e9299a86-96cd-b95f-0ab2-6af33ce02f9f@nginx.com>
Message-ID: <1492699263.21907.9.camel@gmail.com>

On do, 2017-04-20 at 17:12 +0300, Maxim Konovalov wrote:
> Hi Kees,
> 
> On 20/04/2017 17:06, Kees Bos wrote:
> > 
> > Hi all,
> > 
> > Does someone have experience with nginx-mail and the proxy
> > protocol?
> > 
> > Does nginx-mail have (or will is get) support for the
> > 'proxy_protocol'
> > parameter to the 'listen' directive?
> > 
> It doesn't. There were no plans for that basically because nobody
> asked before.
> 
> What's your backend software which supports proxy proto?
> 
> 

I'm using haproxy in front of zimbra, which uses nginx to map the
pop/imap connections to the right mail store. The (nginx) pop/imap thus
cannot determine the right source ip unless the proxy protocol would we
supported.


From mdounin at mdounin.ru  Thu Apr 20 14:44:38 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Thu, 20 Apr 2017 17:44:38 +0300
Subject: nginx-mail and proxy protocol
In-Reply-To: <e9299a86-96cd-b95f-0ab2-6af33ce02f9f@nginx.com>
References: <1492697209.21907.4.camel@gmail.com>
 <e9299a86-96cd-b95f-0ab2-6af33ce02f9f@nginx.com>
Message-ID: <20170420144437.GU43932@mdounin.ru>

Hello!

On Thu, Apr 20, 2017 at 05:12:18PM +0300, Maxim Konovalov wrote:

> Hi Kees,
> 
> On 20/04/2017 17:06, Kees Bos wrote:
> > Hi all,
> > 
> > Does someone have experience with nginx-mail and the proxy protocol?
> > 
> > Does nginx-mail have (or will is get) support for the 'proxy_protocol'
> > parameter to the 'listen' directive?
> > 
> It doesn't. There were no plans for that basically because nobody
> asked before.

There was at least one attempt to implement it.
http://mailman.nginx.org/pipermail/nginx-devel/2016-November/009083.html

-- 
Maxim Dounin
http://nginx.org/

From maxim at nginx.com  Thu Apr 20 14:47:45 2017
From: maxim at nginx.com (Maxim Konovalov)
Date: Thu, 20 Apr 2017 17:47:45 +0300
Subject: nginx-mail and proxy protocol
In-Reply-To: <1492699263.21907.9.camel@gmail.com>
References: <1492697209.21907.4.camel@gmail.com>
 <e9299a86-96cd-b95f-0ab2-6af33ce02f9f@nginx.com>
 <1492699263.21907.9.camel@gmail.com>
Message-ID: <3f7bb69e-140a-747f-a525-b0e94db2cefb@nginx.com>

On 20/04/2017 17:41, Kees Bos wrote:
> On do, 2017-04-20 at 17:12 +0300, Maxim Konovalov wrote:
>> Hi Kees,
>>
>> On 20/04/2017 17:06, Kees Bos wrote:
>>>
>>> Hi all,
>>>
>>> Does someone have experience with nginx-mail and the proxy
>>> protocol?
>>>
>>> Does nginx-mail have (or will is get) support for the
>>> 'proxy_protocol'
>>> parameter to the 'listen' directive?
>>>
>> It doesn't. There were no plans for that basically because nobody
>> asked before.
>>
>> What's your backend software which supports proxy proto?
>>
>>
> 
> I'm using haproxy in front of zimbra, which uses nginx to map the
> pop/imap connections to the right mail store. The (nginx) pop/imap thus
> cannot determine the right source ip unless the proxy protocol would we
> supported.
> 
I think it is possible simplify things with the stream module unless
you're doing sophisticated auth with the mail module.

Have you ever thought about that?

-- 
Maxim Konovalov

From dino.edwards at mydirectmail.net  Thu Apr 20 18:42:42 2017
From: dino.edwards at mydirectmail.net (Dino Edwards)
Date: Thu, 20 Apr 2017 18:42:42 +0000
Subject: execution error - pcre limits exceeded (-8)
Message-ID: <13937A461B5E0A40810939402AE476D60138ED31D1@hdgexchange.deeztek.com>

Hello,

I have compiled nginx 1.12.0 with modsecurity on a Ubuntu 16.04 server and I'm running it as a reverse proxy in front of an Apache webserver which hosts a variety of different type of websites. After enabling modsecurity I'm starting to get a lot of the following errors in the error.log file:

execution error - pcre limits exceeded (-8)

At that point, web pages don't load correctly.  Can someone help with this? I haven't found anything useful on google except some references of adjusting my php.ini file which doesn't seem to be relevant in my case.

Thanks

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170420/c5873992/attachment.html>

From cornelis.bos at gmail.com  Thu Apr 20 20:28:19 2017
From: cornelis.bos at gmail.com (Kees Bos)
Date: Thu, 20 Apr 2017 22:28:19 +0200
Subject: nginx-mail and proxy protocol
In-Reply-To: <3f7bb69e-140a-747f-a525-b0e94db2cefb@nginx.com>
References: <1492697209.21907.4.camel@gmail.com>
 <e9299a86-96cd-b95f-0ab2-6af33ce02f9f@nginx.com>
 <1492699263.21907.9.camel@gmail.com>
 <3f7bb69e-140a-747f-a525-b0e94db2cefb@nginx.com>
Message-ID: <1492720099.21907.14.camel@gmail.com>

On do, 2017-04-20 at 17:47 +0300, Maxim Konovalov wrote:
> On 20/04/2017 17:41, Kees Bos wrote:
> > 
> > On do, 2017-04-20 at 17:12 +0300, Maxim Konovalov wrote:
> > > 
> > > Hi Kees,
> > > 
> > > On 20/04/2017 17:06, Kees Bos wrote:
> > > > 
> > > > 
> > > > Hi all,
> > > > 
> > > > Does someone have experience with nginx-mail and the proxy
> > > > protocol?
> > > > 
> > > > Does nginx-mail have (or will is get) support for the
> > > > 'proxy_protocol'
> > > > parameter to the 'listen' directive?
> > > > 
> > > It doesn't. There were no plans for that basically because nobody
> > > asked before.
> > > 
> > > What's your backend software which supports proxy proto?
> > > 
> > > 
> > I'm using haproxy in front of zimbra, which uses nginx to map the
> > pop/imap connections to the right mail store. The (nginx) pop/imap
> > thus
> > cannot determine the right source ip unless the proxy protocol
> > would we
> > supported.
> > 
> I think it is possible simplify things with the stream module unless
> you're doing sophisticated auth with the mail module.
> 
> Have you ever thought about that?

Hmm. I think I've not been totally clear. I'm not talking about
'proxy_protocol on', but about the?'proxy_protocol' modifier of the
'listen' argument.

So, haproxy --ProxyProtocol--> nginx --> pop/imap

From nginx-forum at forum.nginx.org  Thu Apr 20 21:31:22 2017
From: nginx-forum at forum.nginx.org (shivramg94)
Date: Thu, 20 Apr 2017 17:31:22 -0400
Subject: Spawning of Nginx worker process
Message-ID: <157b06647cc39985650b1a63b6691d5d.NginxMailingListEnglish@forum.nginx.org>

Hi All,

When we issue a reload to Nginx binary (<binary_location> -s reload), what
are the steps involved inthe spawning of new set of worker processes? 

Is it something like, while the older worker processes are still running or
are serving in flight requests, Nginx spawns the newer worker processes and
then brings down the older processes once they have served all the accepted
requests?

Also, is there any chance where one of  the spawned up newer worker
processes after reload, uses the PID of the older/earlier running Nginx
worker process?

Thanks,
Shiv

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273770,273770#msg-273770


From gfrankliu at gmail.com  Fri Apr 21 03:47:42 2017
From: gfrankliu at gmail.com (Frank Liu)
Date: Thu, 20 Apr 2017 20:47:42 -0700
Subject: access log request without query string
In-Reply-To: <20170420092552.i2qaot73ua7uavwj@xenon.mamontov.net>
References: <CAOXPdC_XF77KfCHZrB+_BnNyB-4WvLWa9Nep5=t1YxRuuSTZPw@mail.gmail.com>
 <CAPr95BhuoA2U1LhA7hmOSdhQeT__w5vbi9k_2wFUiFcqrsFDRg@mail.gmail.com>
 <20170420092552.i2qaot73ua7uavwj@xenon.mamontov.net>
Message-ID: <CAOXPdC-z29y+Oc5MJtW=ZDsfCOjHoBvn=erw7KcPP=6Knf_5dg@mail.gmail.com>

I was thinking about lua but the map regex is much better.
Thanks!
Frank


On Thu, Apr 20, 2017 at 2:25 AM, Oleg A. Mamontov <oleg at mamontov.net> wrote:

> On Wed, Apr 19, 2017 at 09:23:11PM -0400, Zhang Chao wrote:
> > Maybe lua-nginx-module is more convenient :)
>
> Please don't overcomplicate such a simple task ;)
> The following approach should just work:
> --------------------------------
> map $request_uri $request_path {
>     ~(?<path>[^?]*) $path;
> }
> --------------------------------
>
> > On 20 April 2017 at 08:08:46, Frank Liu (gfrankliu at gmail.com) wrote:
> >
> > Hi,
> >
> > What's the best way to login the original request uri ($request_uri)
> > without query string? I tried $uri but it seems to be normalized and if I
> > have customized 404 error page /404.html, all those requests are logged
> as
> > /404.html instead of original requests uri.
> >
> > Thanks!
> > Frank
>
> --
> Cheers,
> Oleg A. Mamontov
>
> mailto: oleg at mamontov.net
>
> skype:  lonerr11
> cell:   +7 (903) 798-1352
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170420/80e9923c/attachment.html>

From defan at nginx.com  Fri Apr 21 08:41:13 2017
From: defan at nginx.com (Andrei Belov)
Date: Fri, 21 Apr 2017 11:41:13 +0300
Subject: execution error - pcre limits exceeded (-8)
In-Reply-To: <13937A461B5E0A40810939402AE476D60138ED31D1@hdgexchange.deeztek.com>
References: <13937A461B5E0A40810939402AE476D60138ED31D1@hdgexchange.deeztek.com>
Message-ID: <72139FA3-FE57-4169-835D-F8DC85BDD9B3@nginx.com>

Hi Dino,

> On 20 Apr 2017, at 21:42, Dino Edwards <dino.edwards at mydirectmail.net> wrote:
> 
> Hello,
>  
> I have compiled nginx 1.12.0 with modsecurity on a Ubuntu 16.04 server and I?m running it as a reverse proxy in front of an Apache webserver which hosts a variety of different type of websites. After enabling modsecurity I?m starting to get a lot of the following errors in the error.log file:
>  
> execution error - pcre limits exceeded (-8)
>  
> At that point, web pages don?t load correctly.  Can someone help with this? I haven?t found anything useful on google except some references of adjusting my php.ini file which doesn?t seem to be relevant in my case.
>  
> Thanks

Which version of modsecurity are you using with nginx?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170421/ece484fb/attachment.html>

From dino.edwards at mydirectmail.net  Fri Apr 21 09:29:54 2017
From: dino.edwards at mydirectmail.net (Dino Edwards)
Date: Fri, 21 Apr 2017 09:29:54 +0000
Subject: execution error - pcre limits exceeded (-8)
In-Reply-To: <72139FA3-FE57-4169-835D-F8DC85BDD9B3@nginx.com>
References: <13937A461B5E0A40810939402AE476D60138ED31D1@hdgexchange.deeztek.com>
 <72139FA3-FE57-4169-835D-F8DC85BDD9B3@nginx.com>
Message-ID: <13937A461B5E0A40810939402AE476D60138ED3CE3@hdgexchange.deeztek.com>

Hi Andrei,

Which version of modsecurity are you using with nginx?

I?m using 2.9.1
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170421/7843f6c0/attachment.html>

From defan at nginx.com  Fri Apr 21 10:05:16 2017
From: defan at nginx.com (Andrei Belov)
Date: Fri, 21 Apr 2017 13:05:16 +0300
Subject: execution error - pcre limits exceeded (-8)
In-Reply-To: <13937A461B5E0A40810939402AE476D60138ED3CE3@hdgexchange.deeztek.com>
References: <13937A461B5E0A40810939402AE476D60138ED31D1@hdgexchange.deeztek.com>
 <72139FA3-FE57-4169-835D-F8DC85BDD9B3@nginx.com>
 <13937A461B5E0A40810939402AE476D60138ED3CE3@hdgexchange.deeztek.com>
Message-ID: <A2EBB2EA-7573-4ED0-85FA-7EC8362A90CF@nginx.com>


> On 21 Apr 2017, at 12:29, Dino Edwards <dino.edwards at mydirectmail.net> wrote:
> 
> Hi Andrei,
>  
> Which version of modsecurity are you using with nginx?
>  
> I?m using 2.9.1

It's worth to try libmodsecurity (aka ModSecurity 3.x) + nginx connector instead:

https://github.com/SpiderLabs/ModSecurity/tree/v3/master
https://github.com/SpiderLabs/ModSecurity-nginx

Please note that libmodsecurity does not support all of ModSecurity 2.x features:
https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-version-3-%28earlier-release-candidate-1%29


From joel.parker.gm at gmail.com  Fri Apr 21 12:16:14 2017
From: joel.parker.gm at gmail.com (Joel Parker)
Date: Fri, 21 Apr 2017 07:16:14 -0500
Subject: Configuration advice
Message-ID: <CAG6CpSB=J-aFAf-X1VDOfS6xE91BAZVF8vbiSUJ9nVkofiAx_A@mail.gmail.com>

I currently have a config that allows me to terminate TLSv1.2 and decrypt
it. Then it re-encrypts the packets with a different cert before sending to
the upstream servers. I want to "look" at the decrypted packets before they
are encrypted but I am not sure the best way to accomplish this.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170421/652bf057/attachment.html>

From dino.edwards at mydirectmail.net  Fri Apr 21 12:26:45 2017
From: dino.edwards at mydirectmail.net (Dino Edwards)
Date: Fri, 21 Apr 2017 12:26:45 +0000
Subject: execution error - pcre limits exceeded (-8)
In-Reply-To: <A2EBB2EA-7573-4ED0-85FA-7EC8362A90CF@nginx.com>
References: <13937A461B5E0A40810939402AE476D60138ED31D1@hdgexchange.deeztek.com>
 <72139FA3-FE57-4169-835D-F8DC85BDD9B3@nginx.com>
 <13937A461B5E0A40810939402AE476D60138ED3CE3@hdgexchange.deeztek.com>
 <A2EBB2EA-7573-4ED0-85FA-7EC8362A90CF@nginx.com>
Message-ID: <13937A461B5E0A40810939402AE476D60138ED40D2@hdgexchange.deeztek.com>


>It's worth to try libmodsecurity (aka ModSecurity 3.x) + nginx connector instead:

>https://github.com/SpiderLabs/ModSecurity/tree/v3/master
>https://github.com/SpiderLabs/ModSecurity-nginx

>Please note that libmodsecurity does not support all of ModSecurity 2.x features:
>https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-version-3-%28earlier-release-candidate-1%29

So, from what I understand, libmodsecurity is targeted for Nginx and it does not rely on apache2 elements anymore. Is this going to be stable enough for production or would I be better off with NAXSI?




From mdounin at mdounin.ru  Fri Apr 21 12:46:09 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Fri, 21 Apr 2017 15:46:09 +0300
Subject: Spawning of Nginx worker process
In-Reply-To: <157b06647cc39985650b1a63b6691d5d.NginxMailingListEnglish@forum.nginx.org>
References: <157b06647cc39985650b1a63b6691d5d.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170421124609.GX43932@mdounin.ru>

Hello!

On Thu, Apr 20, 2017 at 05:31:22PM -0400, shivramg94 wrote:

> Hi All,
> 
> When we issue a reload to Nginx binary (<binary_location> -s reload), what
> are the steps involved inthe spawning of new set of worker processes? 
> 
> Is it something like, while the older worker processes are still running or
> are serving in flight requests, Nginx spawns the newer worker processes and
> then brings down the older processes once they have served all the accepted
> requests?

Yes.  It is documented here: 
http://nginx.org/en/docs/control.html#reconfiguration

> Also, is there any chance where one of  the spawned up newer worker
> processes after reload, uses the PID of the older/earlier running Nginx
> worker process?

No, if there is only one configuration reload and by "older" your 
mean only the previous set of worker processes.

Yes, as long as there is more than one configuration reload and 
"older" includes all previously running worker processes.

-- 
Maxim Dounin
http://nginx.org/

From joel.parker.gm at gmail.com  Fri Apr 21 15:10:27 2017
From: joel.parker.gm at gmail.com (Joel Parker)
Date: Fri, 21 Apr 2017 10:10:27 -0500
Subject: Config advice / wireshark
Message-ID: <CAG6CpSB8FrGAQLp4+m4q9U2AzfAkRvnG+yDirNccGQDP8A_NLQ@mail.gmail.com>

I currently have a config that allows me to terminate TLSv1.2 and decrypt
it. Then it re-encrypts the packets with a different cert before sending to
the upstream servers. I want to "look" at the decrypted packets before they
are encrypted but I am not sure the best way to accomplish this.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170421/6612977c/attachment.html>

From rpaprocki at fearnothingproductions.net  Fri Apr 21 15:21:26 2017
From: rpaprocki at fearnothingproductions.net (Robert Paprocki)
Date: Fri, 21 Apr 2017 08:21:26 -0700
Subject: Config advice / wireshark
In-Reply-To: <CAG6CpSB8FrGAQLp4+m4q9U2AzfAkRvnG+yDirNccGQDP8A_NLQ@mail.gmail.com>
References: <CAG6CpSB8FrGAQLp4+m4q9U2AzfAkRvnG+yDirNccGQDP8A_NLQ@mail.gmail.com>
Message-ID: <24072A65-E75F-42B2-B2B1-29AEA119DA04@fearnothingproductions.net>

Unless wireshark has access to the private key (and PFC isn't enabled), you're best bet would be to log the data from nginx directly, rather than trying to examine the raw bytes on the wire. 

> On Apr 21, 2017, at 08:10, Joel Parker <joel.parker.gm at gmail.com> wrote:
> 
> I currently have a config that allows me to terminate TLSv1.2 and decrypt it. Then it re-encrypts the packets with a different cert before sending to the upstream servers. I want to "look" at the decrypted packets before they are encrypted but I am not sure the best way to accomplish this.
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

From joel.parker.gm at gmail.com  Fri Apr 21 15:25:59 2017
From: joel.parker.gm at gmail.com (Joel Parker)
Date: Fri, 21 Apr 2017 10:25:59 -0500
Subject: Config advice / wireshark
In-Reply-To: <24072A65-E75F-42B2-B2B1-29AEA119DA04@fearnothingproductions.net>
References: <CAG6CpSB8FrGAQLp4+m4q9U2AzfAkRvnG+yDirNccGQDP8A_NLQ@mail.gmail.com>
 <24072A65-E75F-42B2-B2B1-29AEA119DA04@fearnothingproductions.net>
Message-ID: <CAG6CpSAzRxaBEVRkTgk-ngNoaCOULkHm_AVHPuDVTJye88cR+g@mail.gmail.com>

Is it compatible with something like log2pcap ? or I just need to set the
format somehow to be compatible with it.

Joel Parker

On Fri, Apr 21, 2017 at 10:21 AM, Robert Paprocki <
rpaprocki at fearnothingproductions.net> wrote:

> Unless wireshark has access to the private key (and PFC isn't enabled),
> you're best bet would be to log the data from nginx directly, rather than
> trying to examine the raw bytes on the wire.
>
> > On Apr 21, 2017, at 08:10, Joel Parker <joel.parker.gm at gmail.com> wrote:
> >
> > I currently have a config that allows me to terminate TLSv1.2 and
> decrypt it. Then it re-encrypts the packets with a different cert before
> sending to the upstream servers. I want to "look" at the decrypted packets
> before they are encrypted but I am not sure the best way to accomplish this.
> > _______________________________________________
> > nginx mailing list
> > nginx at nginx.org
> > http://mailman.nginx.org/mailman/listinfo/nginx
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170421/6b11195e/attachment.html>

From rpaprocki at fearnothingproductions.net  Fri Apr 21 15:30:39 2017
From: rpaprocki at fearnothingproductions.net (Robert Paprocki)
Date: Fri, 21 Apr 2017 08:30:39 -0700
Subject: Config advice / wireshark
In-Reply-To: <CAG6CpSAzRxaBEVRkTgk-ngNoaCOULkHm_AVHPuDVTJye88cR+g@mail.gmail.com>
References: <CAG6CpSB8FrGAQLp4+m4q9U2AzfAkRvnG+yDirNccGQDP8A_NLQ@mail.gmail.com>
 <24072A65-E75F-42B2-B2B1-29AEA119DA04@fearnothingproductions.net>
 <CAG6CpSAzRxaBEVRkTgk-ngNoaCOULkHm_AVHPuDVTJye88cR+g@mail.gmail.com>
Message-ID: <CAEuShZd2zfAZvxcvMXNSV=sLk6SO-kWCx4d9_4rei_eAQ=BP_A@mail.gmail.com>

Is what compatible? Nginx logging? I don't think so, Nginx logs are
intended to be human readable. Related docs:
http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format

On Fri, Apr 21, 2017 at 8:25 AM, Joel Parker <joel.parker.gm at gmail.com>
wrote:

> Is it compatible with something like log2pcap ? or I just need to set the
> format somehow to be compatible with it.
>
> Joel Parker
>
> On Fri, Apr 21, 2017 at 10:21 AM, Robert Paprocki <rpaprocki@
> fearnothingproductions.net> wrote:
>
>> Unless wireshark has access to the private key (and PFC isn't enabled),
>> you're best bet would be to log the data from nginx directly, rather than
>> trying to examine the raw bytes on the wire.
>>
>> > On Apr 21, 2017, at 08:10, Joel Parker <joel.parker.gm at gmail.com>
>> wrote:
>> >
>> > I currently have a config that allows me to terminate TLSv1.2 and
>> decrypt it. Then it re-encrypts the packets with a different cert before
>> sending to the upstream servers. I want to "look" at the decrypted packets
>> before they are encrypted but I am not sure the best way to accomplish this.
>> > _______________________________________________
>> > nginx mailing list
>> > nginx at nginx.org
>> > http://mailman.nginx.org/mailman/listinfo/nginx
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170421/4d5b63a2/attachment-0001.html>

From joel.parker.gm at gmail.com  Fri Apr 21 15:42:45 2017
From: joel.parker.gm at gmail.com (Joel Parker)
Date: Fri, 21 Apr 2017 10:42:45 -0500
Subject: Config advice / wireshark
In-Reply-To: <CAEuShZd2zfAZvxcvMXNSV=sLk6SO-kWCx4d9_4rei_eAQ=BP_A@mail.gmail.com>
References: <CAG6CpSB8FrGAQLp4+m4q9U2AzfAkRvnG+yDirNccGQDP8A_NLQ@mail.gmail.com>
 <24072A65-E75F-42B2-B2B1-29AEA119DA04@fearnothingproductions.net>
 <CAG6CpSAzRxaBEVRkTgk-ngNoaCOULkHm_AVHPuDVTJye88cR+g@mail.gmail.com>
 <CAEuShZd2zfAZvxcvMXNSV=sLk6SO-kWCx4d9_4rei_eAQ=BP_A@mail.gmail.com>
Message-ID: <CAG6CpSAans-VQCnyfVSSDYSMYht7MMaip80gxmDTR7HG426Nhw@mail.gmail.com>

The only other thing I was thinking of was to double proxy through
localhost. i.e. user -> proxy -> localhost proxy -> upstream server. Seems
like it is pretty convoluted but is it still possible ?


On Fri, Apr 21, 2017 at 10:30 AM, Robert Paprocki <
rpaprocki at fearnothingproductions.net> wrote:

> Is what compatible? Nginx logging? I don't think so, Nginx logs are
> intended to be human readable. Related docs: http://nginx.org/en/
> docs/http/ngx_http_log_module.html#log_format
>
> On Fri, Apr 21, 2017 at 8:25 AM, Joel Parker <joel.parker.gm at gmail.com>
> wrote:
>
>> Is it compatible with something like log2pcap ? or I just need to set the
>> format somehow to be compatible with it.
>>
>> Joel Parker
>>
>> On Fri, Apr 21, 2017 at 10:21 AM, Robert Paprocki <
>> rpaprocki at fearnothingproductions.net> wrote:
>>
>>> Unless wireshark has access to the private key (and PFC isn't enabled),
>>> you're best bet would be to log the data from nginx directly, rather than
>>> trying to examine the raw bytes on the wire.
>>>
>>> > On Apr 21, 2017, at 08:10, Joel Parker <joel.parker.gm at gmail.com>
>>> wrote:
>>> >
>>> > I currently have a config that allows me to terminate TLSv1.2 and
>>> decrypt it. Then it re-encrypts the packets with a different cert before
>>> sending to the upstream servers. I want to "look" at the decrypted packets
>>> before they are encrypted but I am not sure the best way to accomplish this.
>>> > _______________________________________________
>>> > nginx mailing list
>>> > nginx at nginx.org
>>> > http://mailman.nginx.org/mailman/listinfo/nginx
>>> _______________________________________________
>>> nginx mailing list
>>> nginx at nginx.org
>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>
>>
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170421/439d22b4/attachment.html>

From joel.parker.gm at gmail.com  Fri Apr 21 16:05:39 2017
From: joel.parker.gm at gmail.com (Joel Parker)
Date: Fri, 21 Apr 2017 11:05:39 -0500
Subject: Config advice / wireshark
In-Reply-To: <CAG6CpSAans-VQCnyfVSSDYSMYht7MMaip80gxmDTR7HG426Nhw@mail.gmail.com>
References: <CAG6CpSB8FrGAQLp4+m4q9U2AzfAkRvnG+yDirNccGQDP8A_NLQ@mail.gmail.com>
 <24072A65-E75F-42B2-B2B1-29AEA119DA04@fearnothingproductions.net>
 <CAG6CpSAzRxaBEVRkTgk-ngNoaCOULkHm_AVHPuDVTJye88cR+g@mail.gmail.com>
 <CAEuShZd2zfAZvxcvMXNSV=sLk6SO-kWCx4d9_4rei_eAQ=BP_A@mail.gmail.com>
 <CAG6CpSAans-VQCnyfVSSDYSMYht7MMaip80gxmDTR7HG426Nhw@mail.gmail.com>
Message-ID: <CAG6CpSA+UWy5WrP_wxiDdJftuPF+KNyT=WeQthOzVeL5t19MAg@mail.gmail.com>

I guess logging would work I just need to capture the full request and
response to replay later. Is there a standard way to do this or plugin
available ?



On Fri, Apr 21, 2017 at 10:42 AM, Joel Parker <joel.parker.gm at gmail.com>
wrote:

> The only other thing I was thinking of was to double proxy through
> localhost. i.e. user -> proxy -> localhost proxy -> upstream server. Seems
> like it is pretty convoluted but is it still possible ?
>
>
> On Fri, Apr 21, 2017 at 10:30 AM, Robert Paprocki <rpaprocki@
> fearnothingproductions.net> wrote:
>
>> Is what compatible? Nginx logging? I don't think so, Nginx logs are
>> intended to be human readable. Related docs: http://nginx.org/en/docs
>> /http/ngx_http_log_module.html#log_format
>>
>> On Fri, Apr 21, 2017 at 8:25 AM, Joel Parker <joel.parker.gm at gmail.com>
>> wrote:
>>
>>> Is it compatible with something like log2pcap ? or I just need to set
>>> the format somehow to be compatible with it.
>>>
>>> Joel Parker
>>>
>>> On Fri, Apr 21, 2017 at 10:21 AM, Robert Paprocki <
>>> rpaprocki at fearnothingproductions.net> wrote:
>>>
>>>> Unless wireshark has access to the private key (and PFC isn't enabled),
>>>> you're best bet would be to log the data from nginx directly, rather than
>>>> trying to examine the raw bytes on the wire.
>>>>
>>>> > On Apr 21, 2017, at 08:10, Joel Parker <joel.parker.gm at gmail.com>
>>>> wrote:
>>>> >
>>>> > I currently have a config that allows me to terminate TLSv1.2 and
>>>> decrypt it. Then it re-encrypts the packets with a different cert before
>>>> sending to the upstream servers. I want to "look" at the decrypted packets
>>>> before they are encrypted but I am not sure the best way to accomplish this.
>>>> > _______________________________________________
>>>> > nginx mailing list
>>>> > nginx at nginx.org
>>>> > http://mailman.nginx.org/mailman/listinfo/nginx
>>>> _______________________________________________
>>>> nginx mailing list
>>>> nginx at nginx.org
>>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>>
>>>
>>>
>>> _______________________________________________
>>> nginx mailing list
>>> nginx at nginx.org
>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>
>>
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170421/b1041356/attachment.html>

From reallfqq-nginx at yahoo.fr  Fri Apr 21 23:52:48 2017
From: reallfqq-nginx at yahoo.fr (B.R.)
Date: Sat, 22 Apr 2017 01:52:48 +0200
Subject: upstream - behavior on pool exhaustion
In-Reply-To: <20170420125800.GE8722@lo0.su>
References: <CALqce=38t_cq8vZTpDE5M_WYq7Kn8iv_i_xUrh-NWgoiMpZ9Bg@mail.gmail.com>
 <20170414082147.GB95482@lo0.su>
 <CALqce=0g=-w6Bx8Z+m07dC-s7-q1vNYcn+H+J5BsPG=K+JxB4w@mail.gmail.com>
 <20170417160904.GE38469@lo0.su>
 <CALqce=3QQ0sSxtMReLyD17BYv72O+kGKnNRP6Scw43DMFqbsUw@mail.gmail.com>
 <20170419085139.GD22499@lo0.su>
 <CALqce=1NXwZ2sAKTWBmaySufWtHk49=JQ0kZy6aQgddBc_p7aQ@mail.gmail.com>
 <20170420125800.GE8722@lo0.su>
Message-ID: <CALqce=1OZsTPfvsXjsX_QWVD6g_5BoK4zdFvmAv1DSutGU7+rQ@mail.gmail.com>

I do not know if your detailed explanation was aimed to me, or to the list
in general, but I got all that already as far as I am concerned.

?To me, when an attempt is made to an upstream group where no peer can be
selected, a 502 should be returned for that request, and no upstream having
been selected, no $upstream_* variable? should contain anything. An error
message should be generated in the error log.
I fail to see the benefit of having the group name being considered as an
upstream peer.... For cons, that name might get confused with a domain
name, and the grammar of the $upstream_addr variable is complexified.
Not that, as stated before, the docs merely say the $upstream_addr should
contains IP addresses and ports of peers, no mention of the upstream group
name there.

Well, it seems your design decisions are made, and even though I see things
differently, I understand what I did not get before.
Is my vision broke, ie some benefit I am failing to see about your
implementation?

Another linked question:
I got some cases in which $upstream_response_time was '-' for some peers
(and not a numeric value like 0.000).
What is the meaning of that? Connection failed? I am not logging the
$upstream_status variable, not $upstream_connect_time, thus have limited
information.
Could that '-' appear anywhere in the list?
---
*B. R.*

On Thu, Apr 20, 2017 at 2:58 PM, Ruslan Ermilov <ru at nginx.com> wrote:

> On Wed, Apr 19, 2017 at 05:26:17PM +0200, B.R. via nginx wrote:
> > On Wed, Apr 19, 2017 at 10:51 AM, Ruslan Ermilov <ru at nginx.com> wrote:
> >
> > > And what about the next request when all of servers are either "down"
> > > or "unavailable"?
> > >
> >
> > To me, all the unavailable servers have been 'tried', ie their state has
> > been checked, as the docs
> > <http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream>
> say
> > every server of an upstream group will be checked.
> > Thus, they should all appear, along with the time it took for that lookup
> > to be made (usually 0.000 since no communication occurred and a simple
> > internal check has probably been made for the duration of the
> 'unavailable'
> > state).
> >
> > ?No special value whatsoever, as none required, and the grammar of the 2
> > variables is stable.?
> > ?If an explicit message about attempts against completely unavailable
> > upstream groups should be logged, it would be so in the error log.?
>
> Given the following config,
>
>     upstream u {
>         server 127.0.0.1:8001;
>         server 127.0.0.1:8002;
>         server 127.0.0.1:8003;
>     }
>
>     log_format u "upstream_addr={$upstream_addr}
> upstream_status={$upstream_status}";
>
>     server {
>         access_log logs/u.log u;
>
>         listen 8000;
>
>         location / {
>             proxy_pass http://u;
>         }
>     }
>
> when none of the upstream servers are available, the first request will
> log
>
> upstream_addr={127.0.0.1:8001, 127.0.0.1:8002, 127.0.0.1:8003}
> upstream_status={502, 502, 502}
>
> And the next request will log:
>
> upstream_addr={u} upstream_status={502}
>
>
> If you add the 4th "server 127.0.0.1:8004 down" and start afresh, then the
> first request will end up with
>
> upstream_addr={127.0.0.1:8001, 127.0.0.1:8002, 127.0.0.1:8003, u}
> upstream_status={502, 502, 502, 502}
>
> This is because the number of attempts equals the number of servers by
> default.
>
>
> Again, this is not a bug but a feature.
>
> The number of values in $upstream_* always corresponds to the number
> of attempts made to select a server.  The last value can be a special
> value with the name of the upstream group when an attempt to select
> a peer has failed.  This can happen on the 1st attempt, and then the
> only value will be the upstream group name.
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170422/4611e071/attachment-0001.html>

From agentzh at gmail.com  Sat Apr 22 01:31:14 2017
From: agentzh at gmail.com (Yichun Zhang (agentzh))
Date: Fri, 21 Apr 2017 18:31:14 -0700
Subject: [ANN] OpenResty 1.11.2.3 released
Message-ID: <CAB4Tn6MOZUBDZZOQRX2n6Zr8Mev6MxzWJtKp9Vkz0A1Qs6ukUQ@mail.gmail.com>

Hi folks,

Long time no releases. We've been very busy setting up the OpenResty
Inc. commercial company in the US. That's why we've been quiet in the
last few months. The good news is that we now have a strong full-time
engineering team that can work on both the OpenResty open source
platform and higher-level commercial products based on that. The
OpenResty web platform will always remain open source. There's no
doubt about that ;)

Now I am excited to announce the new formal release, 1.11.2.3, of the
OpenResty web platform based on NGINX and LuaJIT:

    https://openresty.org/en/download.html

Both the (portable) source code distribution and the Win32 binary
distribution are provided on this Download page.

OpenResty's official yum repositories will get updated to use the this
new version as soon as Fedora's COPR site is back online:
http://status.fedoraproject.org/

Special thanks go to all our developers and contributors!

We have the following highlights in this release:

* We greatly reduced the chance of hash collisions in LuaJIT's global
string table for x86_64 systems with SSE 4.2 support.

* We removed the standard Lua 5.1 interpreter from our bundle. We now
use LuaJIT exclusively. We will soon drop compatibility with the
standard 5.1 interpreter in the OpenResty core so that we no
longer have to maintain two parallel implementations of our Lua API (one
based on CFunction, and the one based on FFI).

* We add HTTP/HTTPS proxy support to our OPM client for restricted
network environments.

* We now includes a very new LuaJIT v2.1 version with new builtin
functions like Lua 5.3's table.move().

* New --shdict "NAME SIZE" and --resolve-ipv6 options in the "resty"
command-line utility.

* Automatic Lua bracktrace output on Lua exceptions in the "resty"
command-line utility.

* Important bug fixes regarding retries count limit in balancer_by_lua*.

* ngx.redirect() now supports 303 as well.

The complete change log since the last (formal) release, 1.11.2.2:

 *   change: we no longer bundle the standard Lua 5.1 interpreter
     (aka the PUC-Rio Lua). now we only bundle LuaJIT.

 *   win32: upgraded PCRE to 8.40, zlib to 1.2.11, and OpenSSL to
     1.0.2k.

 *   bugfix: we did not use "PATH" in "./configure --sbin-path=PATH"
     when creating symlinks. thanks David Galeano for the patch.

 *   bugfix: default index.html: missing the "</p>" tag. thanks
     Xiaoyu Chen for the patch.

 *   feature: applied the "safe_resolver_ipv6_option" patch to the
     nginx core to avoid the "ipv6=off" option to be parsed by nginx
     when it is not built with IPv6 support. thanks Thibault
     Charbonnier for the patch.

 *   feature: now we automatically add the "-msse4.2" compilation
     option for building the bundled LuaJIT when it is available.

 *   upgraded ngx_lua to 0.10.8.

     *   feature: fixed build compatibility with BoringSSL. thanks
         Tom Thorogood for the patch. Note: BoringSSL is *not* an
         officially supported target.

     *   feature: "tcpsock:connect()": allows the "options_table"
         argument being nil. thanks Dejiang Zhu for the patch.

     *   feature: added support for the 303 status code in
         ngx.redirect(). thanks Tom Thorogood for the patch.

     *   bugfix: C API: "ngx_http_lua_add_package_preload()" might
         not take effect when lua_code_cache is off. thanks jimtan
         for the patch.

     *   bugfix: balancer_by_lua*: the number of retres might exceed
         the limit of proxy_next_upstream_tries or alike.

     *   bugfix: setting response headers would change the
         "Content-Type" response header. thanks leafo for the report
         and Ming Wen for the patch.

     *   bugfix: tcp cosockets: "sslhandshake()": typo in the error
         message. thanks detailyang for the patch.

     *   bugfix: typo fix in C POST args handler debug log. thanks
         Robert Paprocki for the patch.

     *   change: removed the use of "luaL_getn()" macro as it is no
         longer available in the latest LuaJIT v2.1. thanks Datong
         Sun for the patch.

     *   change: removed the "mmap(sbrk(0))" memory trick since glibc
         leaks memory when it is forced to use "mmap()" to fulfill
         "malloc()".

     *   doc: ngx.exit() also returns immediately in the
         balancer_by_lua* context. thanks Jinhua Tan for the patch.

     *   doc: various wording tweaks and more code examples. thanks
         Dayo Akanji for the patch.

     *   doc: added a note about the LRU regex cache used in the
         ngx.re.* implementation of lua-resty-core.

     *   tests: the test suite can now work with PCRE 8.39 ~ 8.40.
         thanks Andreas Lubbe for the patch.

 *   upgraded resty-cli to 0.17.

     *   optimize: removed unwanted exit status handling. thanks
         Thibault Charbonnier for the patch.

     *   feature: generates Lua stacktraces by default for user
         errors. thanks Thibault Charbonnier for the patch.

     *   bugfix: fixed exit code handling for nginx crashes and INT
         signal interrupts. thanks Aliaxandr Rahalevich and Gordon
         Gao for the report.

     *   feature: resty: added the --shdict "NAME SIZE" option.
         thanks Thibault Charbonnier for the patch.

     *   feature: resty: added new command-line option
         "--resolve-ipv6". thanks Thibault Charbonnier for the patch.

 *   upgraded opm to 0.0.3.

     *   "dist.ini": relaxed the github repo link check.

     *   feature: added support for HTTP proxies via environments
         "http_proxy" and "https_proxy".

     *   bugfix: tar might give the permissions error 'Cannot change
         ownership to uid XX, gid XX: Operation not permitted'.
         thanks Jon Keys for the patch.

 *   upgraded lua-resty-core to 0.1.11.

     *   feature: "resty.core.regex": exported internal Lua helper
         functions "collect_captures", "check_buf_size", and
         "re_sub_compile". these functions are deliberately
         undocumented and thus subject to future changes.

     *   change: "resty.core": made the warning louder by turning it
         to an alert when LuaJIT 2.0 is used.

     *   bugfix: ngx.re: "split()" might enter infinite loops when
         the regex is an empty string. thanks Dejiang Zhu for the
         patch.

 *   upgraded lua-resty-lock to 0.06.

     *   optimize: use branch-free algorithms for variables
         assignment. thanks Thibault Charbonnier for the patch.

     *   optimize: removed the unused shdict metatable retrieval
         code. thanks Thibault Charbonnier for the patch.

     *   doc: various documentation improvements from Thibault
         Charbonnier.

 *   upgraded lua-resty-lrucache to 0.06.

     *   bugfix: "resty.lrucache": the "get()" method incorrectly
         ignored "false" values. thanks Proton for the patch.

     *   optimize: small tweaks from Aapo Talvensaari and Thibault
         Charbonnier.

     *   doc: typo fixes from Gordon Gao.

 *   upgraded lua-resty-mysql to 0.19.

     *   bugfix: the 8-bit packet numbers might overflow and led to
         runtime Lua exceptions. thanks Ming Wen for the patch.

 *   upgraded lua-resty-limit-traffic to 0.03.

     *   bugfix: fixed several known race conditions by switching to
         "shdict:incr(k, v, init)". thanks Thibault Charbonnier for
         the patch.

     *   optimize: use "math.max()" to reduce Lua branches. thanks
         Thibault Charbonnier for the patch.

 *   upgraded lua-redis-parser to 0.13.

     *   bugfix: removed the use of the old Lua 5.0 "luaL_getn" API
         function since the latest LuaJIT 2.1 just removed it.

 *   upgraded lua-cjson to 2.1.0.5.

     *   feature: supports MS C compiler older than VC2012. thanks
         spacewander for the patch.

     *   bugfix: fixed compilation errors from the Microsoft C
         compiler. thanks Tim Chen for the patch.

     *   bugfix: conditionally build "luaL_setfuncs()" function as
         the latest LuaJIT v2.1 already includes it. thanks Datong
         Sun for the patch.

     *   bugfix: preserve "empty_array_mt" behavior upon multiple
         loadings of the module. thanks Thibault Charbonnier for the
         patch.

 *   upgraded ngx_redis2 to 0.14.

     *   feature: fixed compilation errors with Nginx 1.11.6+.

 *   upgraded ngx_memc to 0.18.

     *   feature: fixed the compilation errors with nginx 1.11.6+.
         thanks Hiroaki Nakamura for the patch.

 *   upgraded ngx_drizzle to 0.1.10.

     *   feature: fixed compilation issues with nginx 1.11.6+. thanks
         James Christopher Adduono for the patch.

     *   bugfix: fixed errors and warnings with C compilers without
         variadic macro support.

 *   upgraded LuaJIT to v2.1-20170405:
     https://github.com/openresty/luajit2/tags

     *   feature: added the bytecode option "L" to display lua source
         line numbers. thanks Dejiang Zhu for the patch.

     *   optimize: x64: "lj_str_new": uses randomized hash functions
         based on crc32 when "-msse4.2" is used in build options.
         thanks Shuxin Yang for the patch.

     *   optimize: "lj_str_new": tests the full hash value before
         doing the full string comparison on hash collisions. thanks
         Shuxin Yang for the patch.

     *   imported Mike Pall's latest changes:

         *   Add some more changes and extensions from Lua 5.2.

         *   Remove old Lua 5.0 compatibility defines.

         *   FFI: Fix FOLD rules for "int64_t" comparisons.

         *   ARM64: Add big-endian support.

         *   x64/"LJ_GC64": Fix "emit_loadk64()".

         *   "LJ_GC64": Fix "BC_CALLM" snapshot handling.

         *   x64/"LJ_GC64": Fix assembly of CNEWI with 64 bit
             constant pointer.

         *   ARM64: Fix Nintendo Switch build.

         *   ARM64: Fix XLOAD/XSTORE with FP operand.

         *   Remove unnecessary mcode alloc pointer check.

         *   Limit mcode alloc probing, depending on the available
             pool size.

         *   Fix overly restrictive range calculation in mcode
             allocation.

         *   Fix out-of-scope goto handling in parser.

         *   Remove internal "__mode = "K"" and replace with safe
             check.

         *   Fix annoying warning, due to deterministic binutils
             configuration.

         *   DynASM: Fix warning.

         *   MIPS64, part 2: Add MIPS64 hard-float JIT compiler
             backend.

         *   Fix FOLD rules for "math.abs()" and FP negation.

         *   Fix soft-float "math.abs()" and negation.

         *   x64/"LJ_GC64": Fix warning for DUALNUM build.

         *   x64/"LJ_GC64": Fix (currently unused) integer stores in
             "asm_tvptr()".

         *   ARM64: Cleanup and de-cargo-cult TValue store
             generation.

         *   MIPS: Don't use "RID_GP" as a scratch register.

         *   MIPS: Fix emitted code for U32 to float conversion.

         *   MIPS: Backport workaround for compact unwind tables.

         *   Make "checkptrGC()" actually work.

         *   ARM64: Fix AREF/HREF/UREF fusion.

         *   "LJ_GC64": Add build options and install instructions.

         *   Add some more extensions from Lua 5.2/5.3.

         *   Fix cross-endian jit.bcsave for MIPS target.

         *   ARM64: Remove unused variables in disassembler.

         *   ARM64: Fuse BOR/BXOR and BNOT into ORN/EON.

         *   Add "proto" field to "jit.util.funcinfo()".

         *   Add missing FOLD rule for 64 bit shift+BAND
             simplification.

         *   ARM64: Fix code generation for S19 offsets.

         *   ARM64: Fuse various BAND/BSHL/BSHR/BSAR combinations.

         *   ARM64: Fuse FP multiply-add/sub.

         *   ARM64: Fuse XLOAD/XSTORE with STRREF/ADD/BSHL/CONV.

         *   ARM64: Reorganize operand extension definitions.

         *   ARM64: Add missing ldrb/strb instructions to
             disassembler.

         *   ARM64: Fix pc-relative loads of consts. Cleanup branch
             codegen.

         *   ARM64: Make use of tbz/tbnz and cbz/cbnz.

         *   Eliminate use of lightuserdata derived from static data
             pointers.

         *   ARM64: Emit more efficient trace exits.

         *   Generalize deferred constant handling in backend to 64
             bit.

         *   ARM64: Reject special case in "emit_isk13()".

         *   ARM64: Allow full VA range for mcode allocation.

         *   ARM64: Add JIT compiler backend.

         *   Fix amalgamated build.

         *   Increase range of "GG_State" loads via "IR_FLOAD" with
             "REF_NIL".

         *   MIPS: Fix TSETR barrier.

         *   Report parent of stitched trace.

The HTML version of the change log with lots of helpful hyper-links
can be browsed here:

    https://openresty.org/en/changelog-1011002.html

OpenResty is a full-fledged web platform
by bundling the standard Nginx core, Lua/LuaJIT, lots of
3rd-party Nginx modules and Lua libraries, as well as most of their external
dependencies. See OpenResty's homepage for details:

    https://openresty.org/

We have run extensive testing on our Amazon EC2 test cluster and
ensured that all the components (including the Nginx core) play well
together. The latest test report can always be found here:

    https://qa.openresty.org/

Have fun!

Best regards,
Yichun

PS 1: we've been privately building a Perl 6 dialect
compiler that can compile a large (non-strict) subset of the Perl 6
programming language into optimized and standalone Lua code targeting
the OpenResty web platform. This compiler is called fanlang. Our
initial benchmark already shows that the Lua code generated by the
fanlang compiler is significantly faster than the official/reference
implementation of Perl 6. Our fanlang compiler is already mature enough
that has already been
successfully used to build another compiler for a domain specific
language called edgelang. The edgelang compiler also emits optimized
and standalone Lua code targeting OpenResty. This release is the first
OpenResty formal version that can fully support our fanlang and edgelang
compilers. We have plans to open source a basic version of our fanlang
compiler to the community once it is fully bootstrapped by itself.

PS 2: We'll try upgrading the NGINX core in OpenResty to the latest
version in the next OpenResty release. Stay tuned!

From dino.edwards at mydirectmail.net  Sat Apr 22 12:13:01 2017
From: dino.edwards at mydirectmail.net (Dino Edwards)
Date: Sat, 22 Apr 2017 12:13:01 +0000
Subject: execution error - pcre limits exceeded (-8)
In-Reply-To: <A2EBB2EA-7573-4ED0-85FA-7EC8362A90CF@nginx.com>
References: <13937A461B5E0A40810939402AE476D60138ED31D1@hdgexchange.deeztek.com>
 <72139FA3-FE57-4169-835D-F8DC85BDD9B3@nginx.com>
 <13937A461B5E0A40810939402AE476D60138ED3CE3@hdgexchange.deeztek.com>
 <A2EBB2EA-7573-4ED0-85FA-7EC8362A90CF@nginx.com>
Message-ID: <13937A461B5E0A40810939402AE476D60138ED4D47@hdgexchange.deeztek.com>


> It's worth to try libmodsecurity (aka ModSecurity 3.x) + nginx connector instead:

> https://github.com/SpiderLabs/ModSecurity/tree/v3/master
> https://github.com/SpiderLabs/ModSecurity-nginx

I'm trying to download/compile libmodsecurity and everything I read concerning Ubuntu, it instructs me to use build.sh (./build.sh), however when I clone https://github.com/SpiderLabs/ModSecurity/tree/v3/master build.sh file is not there. I'm not that familiar with git so I'm sure I'm doing something wrong.






From anoopalias01 at gmail.com  Sat Apr 22 12:17:02 2017
From: anoopalias01 at gmail.com (Anoop Alias)
Date: Sat, 22 Apr 2017 17:47:02 +0530
Subject: execution error - pcre limits exceeded (-8)
In-Reply-To: <13937A461B5E0A40810939402AE476D60138ED4D47@hdgexchange.deeztek.com>
References: <13937A461B5E0A40810939402AE476D60138ED31D1@hdgexchange.deeztek.com>
 <72139FA3-FE57-4169-835D-F8DC85BDD9B3@nginx.com>
 <13937A461B5E0A40810939402AE476D60138ED3CE3@hdgexchange.deeztek.com>
 <A2EBB2EA-7573-4ED0-85FA-7EC8362A90CF@nginx.com>
 <13937A461B5E0A40810939402AE476D60138ED4D47@hdgexchange.deeztek.com>
Message-ID: <CAO6TEX0cqd8g+goP7tvx6mVkc3K1U0kQ=4M_+R9=1nBdYeYyJg@mail.gmail.com>

>From the docs:

yum install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel
doxygen zlib-devel pcre-devel
git clone https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git checkout -b v3/master origin/v3/master
sh build.sh
git submodule init
git submodule update

On Sat, Apr 22, 2017 at 5:43 PM, Dino Edwards <dino.edwards at mydirectmail.net
> wrote:

>
> > It's worth to try libmodsecurity (aka ModSecurity 3.x) + nginx connector
> instead:
>
> > https://github.com/SpiderLabs/ModSecurity/tree/v3/master
> > https://github.com/SpiderLabs/ModSecurity-nginx
>
> I'm trying to download/compile libmodsecurity and everything I read
> concerning Ubuntu, it instructs me to use build.sh (./build.sh), however
> when I clone https://github.com/SpiderLabs/ModSecurity/tree/v3/master
> build.sh file is not there. I'm not that familiar with git so I'm sure I'm
> doing something wrong.
>
>
>
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>



-- 
*Anoop P Alias*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170422/df0faed7/attachment.html>

From nginx-forum at forum.nginx.org  Sat Apr 22 14:14:03 2017
From: nginx-forum at forum.nginx.org (purvez)
Date: Sat, 22 Apr 2017 10:14:03 -0400
Subject: Upgrade to Ubuntu16.04 LTS from 14.04 LTS killed my php
Message-ID: <47c3e13dbffc7125880cc839fad4c5bf.NginxMailingListEnglish@forum.nginx.org>

I had a fully functioning ubuntu 14.04 serving up via nginx a passenger/ror
site with 'some' php.

The passenger/ror bit works fine after the upgrade however any attempt at
accessing my php files gives a 404 Not Found error:

The error.log for nginx shows the following:

=================================

2017/04/22 11:16:22 [crit] 16531#0: *1 connect() to
unix:/var/run/php/php7.0-fpm.sock failed (13: Permission denied) while
connecting to upstream, client: 212.159.100.115, server:
resys.gourmindia.com, request: "GET /phpinfo.php HTTP/1.1", upstream:
"fastcgi://unix:/var/run/php/php7.0-fpm.sock:", host:
"resys.gourmindia.com"

==================

My question is what should the /var/run/php/php7.0-fpm.sock have as
permission?

ALL help gratefully received with thanks.

Purvez

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273798,273798#msg-273798


From hobson42 at gmail.com  Sat Apr 22 15:54:06 2017
From: hobson42 at gmail.com (Ian Hobson)
Date: Sat, 22 Apr 2017 16:54:06 +0100
Subject: Upgrade to Ubuntu16.04 LTS from 14.04 LTS killed my php
In-Reply-To: <47c3e13dbffc7125880cc839fad4c5bf.NginxMailingListEnglish@forum.nginx.org>
References: <47c3e13dbffc7125880cc839fad4c5bf.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <eeffa761-9c2d-fa95-0e29-7b86d5301abe@gmail.com>

Hi Purvez,

I am going through a similar upgrade, here is what I found necessary (so 
far).

1) Swap back from sockets to a normal port. As root, edit 
/etc/php/7.0/fpm/pool.d/www.conf
     # nano /etc/php/7.0/fpm/pool.d/www.conf
Find listen and change to
     listen = 127.0.0.1:9000
     listen.allowed_clients = 127.0.0.1

Your nginx configs much match.

2) Check all mysql fields in all user databases - all fields you do not 
explicitly write MUST now have a default. The older MySQL was a lot more 
forgiving - E.g. unset varchar() field became "", but no longer.
All but one of my changes were to varchar() fields.

3) Check all GROUP BY statements. You may have to add a ANY_VALUE() 
round a field if you get a error about not being compatible with the 
ONLY_FULL_GROUP_BY mode (default has changed). MySQL will now reject 
queries for which the select list, HAVING condition, or ORDER BY list 
refer to non-aggregated columns that are neither named in the GROUP BY 
clause nor are functionally dependent on (uniquely determined by) GROUP 
BY columns.

4) secure php7-fpm - edit /etc/php/7.0/fpm/php.ini and find the line
defining cgi.fix_pathinfo. Uncomment the line and set the value =0.

5) You may have to install and enable mcrypt and mbstring (as root)
     # apt install php7.0-mcrypt php7.0-mbstring
     # phpenmod mcrypt
     # phpenmod mbstring

Your mileage will probably vary, but I hope this helps you avoid some 
ditches you might otherwise fall into.

Ian

On 22/04/2017 15:14, purvez wrote:
> I had a fully functioning ubuntu 14.04 serving up via nginx a passenger/ror
> site with 'some' php.
>
> The passenger/ror bit works fine after the upgrade however any attempt at
> accessing my php files gives a 404 Not Found error:
>
> The error.log for nginx shows the following:
>
> =================================
>
> 2017/04/22 11:16:22 [crit] 16531#0: *1 connect() to
> unix:/var/run/php/php7.0-fpm.sock failed (13: Permission denied) while
> connecting to upstream, client: 212.159.100.115, server:
> resys.gourmindia.com, request: "GET /phpinfo.php HTTP/1.1", upstream:
> "fastcgi://unix:/var/run/php/php7.0-fpm.sock:", host:
> "resys.gourmindia.com"
>
> ==================
>
> My question is what should the /var/run/php/php7.0-fpm.sock have as
> permission?
>
> ALL help gratefully received with thanks.
>
> Purvez
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273798,273798#msg-273798
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
> ---
> This email has been checked for viruses by AVG.
> http://www.avg.com
>

-- 
Ian Hobson
Tel (+351) 910 418 473

From dewanggaba at xtremenitro.org  Sat Apr 22 17:36:48 2017
From: dewanggaba at xtremenitro.org (Dewangga Bachrul Alam)
Date: Sun, 23 Apr 2017 00:36:48 +0700
Subject: Too many define location directive
Message-ID: <0d1b2b79-63fd-15c9-d194-d7e9e1d7e129@xtremenitro.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello!

I got confused and no hint(s) about map directive co-exist with
try_files directive. Is it right to think using map directive? Or any
alternative?

The goals is, I want to avoid many location like :

... snip ...
        index   index.php;
        try_files $uri $uri/ /index.php?q=$uri&$args;
        root    /var/www/api.domain.tld;

        location /v2 {
                try_files $uri $uri/ /v2/index.php?q=$uri&$args;
        }

        location /v3 {
                try_files $uri $uri/ /v3/index.php?q=$uri&$args;
        }

location ~ \.php$ {
        fastcgi_param  SCRIPT_FILENAME
$document_root$fastcgi_script_name;
        ... rest fastcgi stuff there ...
}
...

That config above are works fine, but too many location "/v[0-9]+" in
config file. So, if there are v4, v5, etc are exists in
/var/www/api.domain.tld, the configuration won't change.

Any helps are appreciate.
Thanks.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQI4BAEBCAAiBQJY+5SqGxxkZXdhbmdnYWJhQHh0cmVtZW5pdHJvLm9yZwAKCRDl
f9IgoCjNcN9dEACak9z+gX1b0Jp+5iEM3vMx7iQMsIGjQc7CZ2+1bjlsYfYSdNsE
6v/T8Tc6e69aiKMrDF45a3CzW84FwTYdxD6u6Wg7SgrJhFfDLF+xltSKz17xa7C2
1ZdP1YTWHsu3XSbwtoERVcaX/nVgh66jpxCvNztUdcaeCKXWXiHZ4QB/tMMdS1+9
+b9uuoPDfgJaF42C3AbpjYNI6EanmVIBADu8Nkkx5apmr/QoBYLqFNPa3ShYkdzV
CD3m7pKILlfjo10w+1as1lNH9d6fFhD8fs12hbrkBtC1r/7ZigFCvsuuENokCamg
281qQeGg8jOUL9sHJLd9/S8q8991D8hUjmRPeQcjJ6pJC77Zxb+aw6WNu+v88/cL
6ePsbBNbXZGkwbVsXAqqFLcDhzA7gUEstz5pPbCyRmP5z6CQ+ruxwb817kf38aqq
rlTL4rDkR4hYWPbsUWOIAc56hQmG0bV45cieeMIy4a5t2ZsJVYxcvcdq8Jx3aXUM
fuy7qH5+yw//ISAdwHHgW3HNxXUxZFjYJ90wUtRk+UuEHWTwC0pfljb8u55kXBxK
Qj8lR8KWsPCgf374AgOvKHzqNMScZCAssH58RwOJ8raN4DLB+JHifSvRQeGeT7ma
EXkK3ET2alGn+XxaCO3p1sCQX275UcueJW2SIKVJOsq88GIZP1E16Q3Iyw==
=7AV6
-----END PGP SIGNATURE-----

From nginx-forum at forum.nginx.org  Sat Apr 22 18:10:16 2017
From: nginx-forum at forum.nginx.org (purvez)
Date: Sat, 22 Apr 2017 14:10:16 -0400
Subject: Upgrade to Ubuntu16.04 LTS from 14.04 LTS killed my php
In-Reply-To: <eeffa761-9c2d-fa95-0e29-7b86d5301abe@gmail.com>
References: <eeffa761-9c2d-fa95-0e29-7b86d5301abe@gmail.com>
Message-ID: <f833d21eb3b7ba72e80a4bcd47a96ad8.NginxMailingListEnglish@forum.nginx.org>

Ian thanks very much for your prompt response. I already have been through
the MySQL problems and I'll try your fix on php on Monday.  Unfortunately I
had unexpected guests to deal with today hence I only 'just' saw your
message.

Will let you know how I got on.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273798,273801#msg-273801


From r at roze.lv  Sat Apr 22 18:11:01 2017
From: r at roze.lv (Reinis Rozitis)
Date: Sat, 22 Apr 2017 21:11:01 +0300
Subject: Upgrade to Ubuntu16.04 LTS from 14.04 LTS killed my php
In-Reply-To: <47c3e13dbffc7125880cc839fad4c5bf.NginxMailingListEnglish@forum.nginx.org>
References: <47c3e13dbffc7125880cc839fad4c5bf.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <000001d2bb93$cd079ae0$6716d0a0$@roze.lv>

> My question is what should the /var/run/php/php7.0-fpm.sock have as
> permission?

It should have rw (read/write)  access for whatever user/group nginx is running under (by default nobody).

Depending on which service (nginx or php-fpm) is running under correct user either change the nginx configuration/user to match the sock file ownership ( http://nginx.org/en/docs/ngx_core_module.html#user ) or check your php-fpm.conf for:

listen = in your case should be /var/run/php/php7.0-fpm.sock
and adjust accordingly:

listen.mode = 0660
listen.owner = ...

rr


From nginx-forum at forum.nginx.org  Mon Apr 24 01:14:20 2017
From: nginx-forum at forum.nginx.org (justink101)
Date: Sun, 23 Apr 2017 21:14:20 -0400
Subject: limit_conn with variables erroring with invalid number of connections
Message-ID: <314e0d4b2c70b83cc2f6d4a16118217f.NginxMailingListEnglish@forum.nginx.org>

Here is the configuration:

http {
    limit_conn_zone $binary_remote_addr zone=limitapinoauth:16m;
    limit_conn_zone $remote_user zone=limitapi:32m;
    
    map $remote_user $limit_zone {
        default   limitapi;
        ''        limitapinoauth;
    }

    map $remote_user $limit_number {
        default   100;
        ''        200;
    }
}

server {
    limit_conn $limit_zone $limit_number;
}

When starting NGINX getting a fatal error though. Does limit_conn support
using variables?

error => invalid number of connections "$limit_number"

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273805,273805#msg-273805


From steve at greengecko.co.nz  Mon Apr 24 02:07:17 2017
From: steve at greengecko.co.nz (steve)
Date: Mon, 24 Apr 2017 14:07:17 +1200
Subject: Too many define location directive
In-Reply-To: <0d1b2b79-63fd-15c9-d194-d7e9e1d7e129@xtremenitro.org>
References: <0d1b2b79-63fd-15c9-d194-d7e9e1d7e129@xtremenitro.org>
Message-ID: <3b6c693b-2d80-f1a6-a587-46d48a03a3e9@greengecko.co.nz>

Hi,

On 23/04/17 05:36, Dewangga Bachrul Alam wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello!
>
> I got confused and no hint(s) about map directive co-exist with
> try_files directive. Is it right to think using map directive? Or any
> alternative?
>
> The goals is, I want to avoid many location like :
>
> ... snip ...
>          index   index.php;
>          try_files $uri $uri/ /index.php?q=$uri&$args;
>          root    /var/www/api.domain.tld;
>
>          location /v2 {
>                  try_files $uri $uri/ /v2/index.php?q=$uri&$args;
>          }
>
>          location /v3 {
>                  try_files $uri $uri/ /v3/index.php?q=$uri&$args;
>          }
>
> location ~ \.php$ {
>          fastcgi_param  SCRIPT_FILENAME
> $document_root$fastcgi_script_name;
>          ... rest fastcgi stuff there ...
> }
> ...
>
> That config above are works fine, but too many location "/v[0-9]+" in
> config file. So, if there are v4, v5, etc are exists in
> /var/www/api.domain.tld, the configuration won't change.
>
> Any helps are appreciate.
> Thanks.
>

use a map??

-- 
Steve Holdoway BSc(Hons) MIITP
https://www.greengecko.co.nz/
Linkedin: https://www.linkedin.com/in/steveholdoway
Skype: sholdowa


From nginx-forum at forum.nginx.org  Mon Apr 24 09:14:11 2017
From: nginx-forum at forum.nginx.org (purvez)
Date: Mon, 24 Apr 2017 05:14:11 -0400
Subject: Upgrade to Ubuntu16.04 LTS from 14.04 LTS killed my php
In-Reply-To: <000001d2bb93$cd079ae0$6716d0a0$@roze.lv>
References: <000001d2bb93$cd079ae0$6716d0a0$@roze.lv>
Message-ID: <7f970dc7d3a6e7eb1002d2770f33342b.NginxMailingListEnglish@forum.nginx.org>

Reinis thanks very much for your response.  The owner shown for :
/var/run/php/php7.0-fpm.sock is 33 & group is 33.  Both have read/write
access but other groups have no access rights.

I therefore added the following line at the beginning of nginx.conf

user 33 33;

However when I tried to restart nginx it failed and systemctl status says
that getpwnam("33") failed.  What have I done wrong here?

Thanks for your continued help.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273798,273812#msg-273812


From nginx-forum at forum.nginx.org  Mon Apr 24 09:29:02 2017
From: nginx-forum at forum.nginx.org (purvez)
Date: Mon, 24 Apr 2017 05:29:02 -0400
Subject: Upgrade to Ubuntu16.04 LTS from 14.04 LTS killed my php
In-Reply-To: <7f970dc7d3a6e7eb1002d2770f33342b.NginxMailingListEnglish@forum.nginx.org>
References: <000001d2bb93$cd079ae0$6716d0a0$@roze.lv>
 <7f970dc7d3a6e7eb1002d2770f33342b.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <f279d2a7bb0ef71ea20838d9f8f57eb0.NginxMailingListEnglish@forum.nginx.org>

Reinis I found that www-data was also a member of group 33 so I changed my
user in nginx.conf to that and it is now working.

Many thanks for your help with this one.

Not sure how I mark this as 'Completed' though.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273798,273813#msg-273813


From r at roze.lv  Mon Apr 24 09:50:30 2017
From: r at roze.lv (Reinis Rozitis)
Date: Mon, 24 Apr 2017 12:50:30 +0300
Subject: Upgrade to Ubuntu16.04 LTS from 14.04 LTS killed my php
In-Reply-To: <f279d2a7bb0ef71ea20838d9f8f57eb0.NginxMailingListEnglish@forum.nginx.org>
References: <000001d2bb93$cd079ae0$6716d0a0$@roze.lv>
 <7f970dc7d3a6e7eb1002d2770f33342b.NginxMailingListEnglish@forum.nginx.org>
 <f279d2a7bb0ef71ea20838d9f8f57eb0.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <000001d2bce0$35aa5fe0$a0ff1fa0$@roze.lv>

> Reinis I found that www-data was also a member of group 33 so I changed my
> user in nginx.conf to that and it is now working.
> 
> Many thanks for your help with this one.

It is most likely also the correct user just nginx in configuration expects the human-readable name ('www-data') instead of the id/numeric representation.


> Not sure how I mark this as 'Completed' though.

In general this is mailinglist  and the forum is just a frontend or alternative approach to it. So the "topic" change is not really needed :)

rr


From scoulibaly at gmail.com  Mon Apr 24 15:58:34 2017
From: scoulibaly at gmail.com (=?UTF-8?Q?S=C3=A9kine_Coulibaly?=)
Date: Mon, 24 Apr 2017 17:58:34 +0200
Subject: Passive healthcheck for UDP
Message-ID: <CAD8n-Frr3+EMmSXFyd-mrie1Gi9Eyhk50vuqeUof5K=VQxhCJg@mail.gmail.com>

Hi,

I'm gathering some information regarding UDP load balancing. I've come
accross this in
https://www.nginx.com/resources/admin-guide/udp-health-check/ and I'm quite
puzzled :

"NGINX can mark the server as unavailable and stop sending UDP datagrams to
it for some time if the server replies with an error or times out.
The number of consecutive failed connection attempts within a certain time
period is set with the max_fails parameter for an upstream server (default
value is 1)."

What is unclear to me is the "failed connection attempt" term. UDP being a
connectionless protocol, it's unclear what is the actual method used by
NGINX to decide whether a passive health check is successfull or not. Would
the existence of traffic from server to Nginx be a sign of success or are
other methods involved ?

Thank you

SC
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170424/fde487c5/attachment.html>

From arut at nginx.com  Mon Apr 24 17:46:10 2017
From: arut at nginx.com (Roman Arutyunyan)
Date: Mon, 24 Apr 2017 20:46:10 +0300
Subject: Passive healthcheck for UDP
In-Reply-To: <CAD8n-Frr3+EMmSXFyd-mrie1Gi9Eyhk50vuqeUof5K=VQxhCJg@mail.gmail.com>
References: <CAD8n-Frr3+EMmSXFyd-mrie1Gi9Eyhk50vuqeUof5K=VQxhCJg@mail.gmail.com>
Message-ID: <20170424174610.GB46798@Romans-MacBook-Air.local>

Hi

On Mon, Apr 24, 2017 at 05:58:34PM +0200, S?kine Coulibaly wrote:
> Hi,
> 
> I'm gathering some information regarding UDP load balancing. I've come
> accross this in
> https://www.nginx.com/resources/admin-guide/udp-health-check/ and I'm quite
> puzzled :
> 
> "NGINX can mark the server as unavailable and stop sending UDP datagrams to
> it for some time if the server replies with an error or times out.
> The number of consecutive failed connection attempts within a certain time
> period is set with the max_fails parameter for an upstream server (default
> value is 1)."
> 
> What is unclear to me is the "failed connection attempt" term. 

Thanks for spotting this, we'll fix the documentation.
This phrase obviously came from TCP.

> UDP being a
> connectionless protocol, it's unclear what is the actual method used by
> NGINX to decide whether a passive health check is successfull or not. Would
> the existence of traffic from server to Nginx be a sign of success or are
> other methods involved ?

A UDP session is considered unsuccessful if 

- a UDP socket I/O error happened, usually as a result of an ICMP error report

- proxied server did not send the response within proxy_timeout if
proxy_responses is set.  If it's unset, this error can never happen.

-- 
Roman Arutyunyan

From joel.parker.gm at gmail.com  Mon Apr 24 19:10:47 2017
From: joel.parker.gm at gmail.com (Joel Parker)
Date: Mon, 24 Apr 2017 14:10:47 -0500
Subject: invalid default_server parrameter
Message-ID: <CAG6CpSDTxFpq2jkmvgaXbsmOXZwYNbpF2fFMWx82KP+8mXrBpQ@mail.gmail.com>

I have many servers sending ssl which I am trying to terminate. So I wanted
to create a statement that was a catch all instead of listening for each ip
address. I thought this would do it :

server {

      listen 443 ssl  default_server;

......

}

but when I run nginx -t, I keep getting the error : nginx: [emerg] the
invalid "default_server" parameter in /etc/nginx/nginx.conf:13

Is this the correct way of doing a catch all incoming ssl traffic and what
is wrong with my syntax ?

Joel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170424/03d2de08/attachment.html>

From jeff.dyke at gmail.com  Mon Apr 24 19:19:12 2017
From: jeff.dyke at gmail.com (Jeff Dyke)
Date: Mon, 24 Apr 2017 15:19:12 -0400
Subject: invalid default_server parrameter
In-Reply-To: <CAG6CpSDTxFpq2jkmvgaXbsmOXZwYNbpF2fFMWx82KP+8mXrBpQ@mail.gmail.com>
References: <CAG6CpSDTxFpq2jkmvgaXbsmOXZwYNbpF2fFMWx82KP+8mXrBpQ@mail.gmail.com>
Message-ID: <CAHmnZdaGSucDM_BW3nArZ03ETkapJgOTKi78FGLS_fvWFPd6Uw@mail.gmail.com>

if you're using sni, you should be able to use _ as the server_name or
remove default server b/c if this is going to represent many servers, from
memory, default_server is not a value you want.  for example i run nginx
behind haproxy to create letsencrypt certs, which will listen to currently
dozens of request:  (of course you may not require proxy_protocol)

----
listen 8888 proxy_protocol;
server_name _;
----

On Mon, Apr 24, 2017 at 3:10 PM, Joel Parker <joel.parker.gm at gmail.com>
wrote:

> I have many servers sending ssl which I am trying to terminate. So I
> wanted to create a statement that was a catch all instead of listening for
> each ip address. I thought this would do it :
>
> server {
>
>       listen 443 ssl  default_server;
>
> ......
>
> }
>
> but when I run nginx -t, I keep getting the error : nginx: [emerg] the
> invalid "default_server" parameter in /etc/nginx/nginx.conf:13
>
> Is this the correct way of doing a catch all incoming ssl traffic and what
> is wrong with my syntax ?
>
> Joel
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170424/3b0792a7/attachment.html>

From mdounin at mdounin.ru  Mon Apr 24 19:50:25 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Mon, 24 Apr 2017 22:50:25 +0300
Subject: invalid default_server parrameter
In-Reply-To: <CAG6CpSDTxFpq2jkmvgaXbsmOXZwYNbpF2fFMWx82KP+8mXrBpQ@mail.gmail.com>
References: <CAG6CpSDTxFpq2jkmvgaXbsmOXZwYNbpF2fFMWx82KP+8mXrBpQ@mail.gmail.com>
Message-ID: <20170424195025.GF43932@mdounin.ru>

Hello!

On Mon, Apr 24, 2017 at 02:10:47PM -0500, Joel Parker wrote:

> I have many servers sending ssl which I am trying to terminate. So I wanted
> to create a statement that was a catch all instead of listening for each ip
> address. I thought this would do it :
> 
> server {
> 
>       listen 443 ssl  default_server;
> 
> ......
> 
> }
> 
> but when I run nginx -t, I keep getting the error : nginx: [emerg] the
> invalid "default_server" parameter in /etc/nginx/nginx.conf:13
> 
> Is this the correct way of doing a catch all incoming ssl traffic and what
> is wrong with my syntax ?

Are you trying to use it in a stream{} block?  There are no 
virtual servers in the stream module, so the "listen" directive 
has no "default_server" parameter - it is not needed, all 
connections to the given listening socket will be handled in only 
one server{} block.

-- 
Maxim Dounin
http://nginx.org/

From joel.parker.gm at gmail.com  Mon Apr 24 20:13:45 2017
From: joel.parker.gm at gmail.com (Joel Parker)
Date: Mon, 24 Apr 2017 15:13:45 -0500
Subject: invalid default_server parrameter
In-Reply-To: <CAG6CpSDTxFpq2jkmvgaXbsmOXZwYNbpF2fFMWx82KP+8mXrBpQ@mail.gmail.com>
References: <CAG6CpSDTxFpq2jkmvgaXbsmOXZwYNbpF2fFMWx82KP+8mXrBpQ@mail.gmail.com>
Message-ID: <CAG6CpSCbVhnK4Mm5srK4_gK1gf=p9kHQbHYzmN0frWoNhvHnQg@mail.gmail.com>

I'm still trying to figure this all out. I am just going to remove
default_server for now like you suggested. The config checker doesn't
complain anymore ... we'll see if it works.

Joel

On Mon, Apr 24, 2017 at 2:10 PM, Joel Parker <joel.parker.gm at gmail.com>
wrote:

> I have many servers sending ssl which I am trying to terminate. So I
> wanted to create a statement that was a catch all instead of listening for
> each ip address. I thought this would do it :
>
> server {
>
>       listen 443 ssl  default_server;
>
> ......
>
> }
>
> but when I run nginx -t, I keep getting the error : nginx: [emerg] the
> invalid "default_server" parameter in /etc/nginx/nginx.conf:13
>
> Is this the correct way of doing a catch all incoming ssl traffic and what
> is wrong with my syntax ?
>
> Joel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170424/c32acad9/attachment.html>

From nginx-forum at forum.nginx.org  Tue Apr 25 13:53:01 2017
From: nginx-forum at forum.nginx.org (Ortal)
Date: Tue, 25 Apr 2017 09:53:01 -0400
Subject: timeout callback
Message-ID: <51c76989d4c4a0477708ef72f66a19dd.NginxMailingListEnglish@forum.nginx.org>

Hello,

I am developing my own nginx module, I would like to use the
"keepalive_timeout" option.

I tried to find a callback which signal that timeout was expired, before the
nginx call ngx_http_close_connection. I am using a memory which I allocate
and I would like to free it

Thanks, 
Ortal Levi

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273836,273836#msg-273836


From nginx-forum at forum.nginx.org  Tue Apr 25 14:13:19 2017
From: nginx-forum at forum.nginx.org (marciokoko)
Date: Tue, 25 Apr 2017 10:13:19 -0400
Subject: Nginx Nodejs Raspberry Pi2 Bad Gateway
Message-ID: <74040922db04719a7515879b1aa2fdb1.NginxMailingListEnglish@forum.nginx.org>

This is what my setup looks like:

INTERNET (subdomain.domain.com A Record to public IP 186....187)
Hurl.it -----POST-----> Public IP:
https://186....187/API/switches?sw1?password=123456 -----> Linksys Router
IP:186...187:443 Port Forward to 192...53

ONLAN (nginx setup https with ssl from letsencrypt)
192....53 RPi2 nginx config bypass 192...53:442 . ------> nodejs app.js
listening on port 442 

This is my nginx config file:

[code]
server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name subdomain.domain.com;

        ssl_certificate         
/etc/letsencrypt/live/subdomain.domain.com/fullchain.pem;
        ssl_certificate_key     
/etc/letsencrypt/live/subdomain.domain.com/privkey.pem;

        root /www/subdomain.domain.com/aism;
        index index.php index.html index.htm;

        error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;

        # Error & Access logs
        error_log /www/subdomain.domain.com/logs/error.log error;
        access_log /www/subdomain.domain.com/logs/access.log;

        location / {
                index index.html index.php;
                proxy_pass http://192.168.1.53:442;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection 'upgrade';
                proxy_set_header Host $host;
                proxy_cache_bypass $http_upgrade;
        }
        location ~ /.well-known {
                allow all;
        }
        location /public {
                root /www/subdomain.domain.com/aism;
        }
        location ~
^/(images/|img/|javascript/|js/|css/|stylesheets/|flash/|media/|static/) {
        }
}[/code]

I have tested the nodejs app while on port 80 from hurl.it with the port
forward config for port 80 instead and it works perfectly.

Here is the current error log:

[quote]
OST /API/switches/sw1?password=123456 HTTP/1.1", upstream:
"http://192.168.1.53:442/50x.html", host: "subdomain.domain.com"
2017/04/23 20:08:38 [error] 20424#0: *4 upstream prematurely closed
connection while reading response header from upstream, client:
192.168.1.56, server: subdomain.domain.com, request: "GET /aism/ HTTP/1.1",
upstream: "http://192.168.1.53:442/aism/", host: "subdomain.domain.com"
2017/04/23 20:08:38 [error] 20424#0: *4 upstream prematurely closed
connection while reading response header from upstream, client:
192.168.1.56, server: subdomain.domain.com, request: "GET /aism/ HTTP/1.1",
upstream: "http://192.168.1.53:442/50x.html", host: "subdomain.domain.com"
2017/04/23 20:09:25 [error] 20467#0: *1 upstream prematurely closed
connection while reading response header from upstream, client:
23.20.198.108, server: subdomain.domain.com, request: "POST
/API/switches/sw1?password=123456 HTTP/1.1", upstream:
"http://192.168.1.53:442/API/switches/sw1?password=123456", host:
"subdomain.domain.com"
[/code]

Please help!

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273837,273837#msg-273837


From mdounin at mdounin.ru  Tue Apr 25 14:32:35 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 25 Apr 2017 17:32:35 +0300
Subject: nginx-1.13.0
Message-ID: <20170425143234.GJ43932@mdounin.ru>

Changes with nginx 1.13.0                                        25 Apr 2017

    *) Change: SSL renegotiation is now allowed on backend connections.

    *) Feature: the "rcvbuf" and "sndbuf" parameters of the "listen"
       directives of the mail proxy and stream modules.

    *) Feature: the "return" and "error_page" directives can now be used to
       return 308 redirections.
       Thanks to Simon Leblanc.

    *) Feature: the "TLSv1.3" parameter of the "ssl_protocols" directive.

    *) Feature: when logging signals nginx now logs PID of the process which
       sent the signal.

    *) Bugfix: in memory allocation error handling.

    *) Bugfix: if a server in the stream module listened on a wildcard
       address, the source address of a response UDP datagram could differ
       from the original datagram destination address.


-- 
Maxim Dounin
http://nginx.org/

From ru at nginx.com  Tue Apr 25 14:44:37 2017
From: ru at nginx.com (Ruslan Ermilov)
Date: Tue, 25 Apr 2017 17:44:37 +0300
Subject: upstream - behavior on pool exhaustion
In-Reply-To: <CALqce=1OZsTPfvsXjsX_QWVD6g_5BoK4zdFvmAv1DSutGU7+rQ@mail.gmail.com>
References: <CALqce=38t_cq8vZTpDE5M_WYq7Kn8iv_i_xUrh-NWgoiMpZ9Bg@mail.gmail.com>
 <20170414082147.GB95482@lo0.su>
 <CALqce=0g=-w6Bx8Z+m07dC-s7-q1vNYcn+H+J5BsPG=K+JxB4w@mail.gmail.com>
 <20170417160904.GE38469@lo0.su>
 <CALqce=3QQ0sSxtMReLyD17BYv72O+kGKnNRP6Scw43DMFqbsUw@mail.gmail.com>
 <20170419085139.GD22499@lo0.su>
 <CALqce=1NXwZ2sAKTWBmaySufWtHk49=JQ0kZy6aQgddBc_p7aQ@mail.gmail.com>
 <20170420125800.GE8722@lo0.su>
 <CALqce=1OZsTPfvsXjsX_QWVD6g_5BoK4zdFvmAv1DSutGU7+rQ@mail.gmail.com>
Message-ID: <20170425144437.GD52013@lo0.su>

On Sat, Apr 22, 2017 at 01:52:48AM +0200, B.R. via nginx wrote:
> I do not know if your detailed explanation was aimed to me, or to the list
> in general, but I got all that already as far as I am concerned.
> 
> ?To me, when an attempt is made to an upstream group where no peer can be
> selected, a 502 should be returned for that request, and no upstream having
> been selected, no $upstream_* variable? should contain anything. An error
> message should be generated in the error log.
> I fail to see the benefit of having the group name being considered as an
> upstream peer.... For cons, that name might get confused with a domain
> name, and the grammar of the $upstream_addr variable is complexified.
> Not that, as stated before, the docs merely say the $upstream_addr should
> contains IP addresses and ports of peers, no mention of the upstream group
> name there.
> 
> Well, it seems your design decisions are made, and even though I see things
> differently, I understand what I did not get before.
> Is my vision broke, ie some benefit I am failing to see about your
> implementation?

I agree with you that it's not logical, I was just trying to explain
in details why it happens the way it is.  I've prepared a patch that
addresses this and other inconsistencies with $upstream_* variables.
The only assertion I've preserved is that the number of elements
always stays equal to the number of attempts made to select a peer.
What this means for $upstream_addr is that instead of the upstream
group name it'll now output `-' as one of the possible values, much
like it's always the case for $upstream_status and $upstream_response_time
(see the answer to your other question below).

> Another linked question:
> I got some cases in which $upstream_response_time was '-' for some peers
> (and not a numeric value like 0.000).
> What is the meaning of that? Connection failed? I am not logging the
> $upstream_status variable, not $upstream_connect_time, thus have limited
> information.
> Could that '-' appear anywhere in the list?

This happens when the client aborts the connection before the upstream
server sends the status line with the status code.  The same holds
true for $upstream_status.  And while it seems logical for $upstream_status
not to output it when the status code is unknown, I see no reason not to
output the actual time spent on obtaining the response in this case.
The server may have responded with "HTTP/1.1 ", then $upstream_bytes_received
will be 9, but $upstream_response_time is `-'.  That's another inconsistency
that my patch fixes.

Also, $upstream_status no longer outputs 502 for the case when no live
upstream could be selected.  It'll similarly output `-' to mean "not
applicable" (for this particular attempt).

Just in case you want to give it a try, I've attached the patch against
the current nginx version.

diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
@@ -1481,6 +1481,7 @@ ngx_http_upstream_connect(ngx_http_reque
     u->state->response_time = ngx_current_msec;
     u->state->connect_time = (ngx_msec_t) -1;
     u->state->header_time = (ngx_msec_t) -1;
+    u->state->selected = 1;
 
     rc = ngx_event_connect_peer(&u->peer);
 
@@ -1496,6 +1497,7 @@ ngx_http_upstream_connect(ngx_http_reque
     u->state->peer = u->peer.name;
 
     if (rc == NGX_BUSY) {
+        u->state->selected = 0;
         ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "no live upstreams");
         ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_NOLIVE);
         return;
@@ -4146,7 +4148,9 @@ ngx_http_upstream_next(ngx_http_request_
         return;
     }
 
-    u->state->status = status;
+    if (ft_type != NGX_HTTP_UPSTREAM_FT_NOLIVE) {
+        u->state->status = status;
+    }
 
     timeout = u->conf->next_upstream_timeout;
 
@@ -5223,7 +5227,7 @@ ngx_http_upstream_addr_variable(ngx_http
 
     for (i = 0; i < r->upstream_states->nelts; i++) {
         if (state[i].peer) {
-            len += state[i].peer->len + 2;
+            len += (state[i].selected ? state[i].peer->len : 1) + 2;
 
         } else {
             len += 3;
@@ -5241,7 +5245,13 @@ ngx_http_upstream_addr_variable(ngx_http
 
     for ( ;; ) {
         if (state[i].peer) {
-            p = ngx_cpymem(p, state[i].peer->data, state[i].peer->len);
+
+            if (state[i].selected) {
+                p = ngx_cpymem(p, state[i].peer->data, state[i].peer->len);
+
+            } else {
+                *p++ = '-';
+            }
         }
 
         if (++i == r->upstream_states->nelts) {
@@ -5368,7 +5378,7 @@ ngx_http_upstream_response_time_variable
     state = r->upstream_states->elts;
 
     for ( ;; ) {
-        if (state[i].status) {
+        if (state[i].selected) {
 
             if (data == 1 && state[i].header_time != (ngx_msec_t) -1) {
                 ms = state[i].header_time;
@@ -5445,12 +5455,17 @@ ngx_http_upstream_response_length_variab
     state = r->upstream_states->elts;
 
     for ( ;; ) {
-
-        if (data == 1) {
-            p = ngx_sprintf(p, "%O", state[i].bytes_received);
+        if (state[i].selected) {
+
+            if (data == 1) {
+                p = ngx_sprintf(p, "%O", state[i].bytes_received);
+
+            } else {
+                p = ngx_sprintf(p, "%O", state[i].response_length);
+            }
 
         } else {
-            p = ngx_sprintf(p, "%O", state[i].response_length);
+            *p++ = '-';
         }
 
         if (++i == r->upstream_states->nelts) {
diff --git a/src/http/ngx_http_upstream.h b/src/http/ngx_http_upstream.h
--- a/src/http/ngx_http_upstream.h
+++ b/src/http/ngx_http_upstream.h
@@ -65,6 +65,7 @@ typedef struct {
     off_t                            bytes_received;
 
     ngx_str_t                       *peer;
+    ngx_uint_t                       selected;  /* unsigned selected:1 */
 } ngx_http_upstream_state_t;
 
 

From kworthington at gmail.com  Tue Apr 25 15:41:10 2017
From: kworthington at gmail.com (Kevin Worthington)
Date: Tue, 25 Apr 2017 11:41:10 -0400
Subject: [nginx-announce] nginx-1.13.0
In-Reply-To: <20170425143241.GK43932@mdounin.ru>
References: <20170425143241.GK43932@mdounin.ru>
Message-ID: <CAGo79UUp67MgbxZqB=VWdMqYdoKNdT5ko=BzQQzydwA7L=APfw@mail.gmail.com>

Hello!

Getting a make error on 32-bit and 64-bit Cygwin:

        -o objs/src/os/unix/ngx_writev_chain.o \
        src/os/unix/ngx_writev_chain.c
cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g
-D FD_
SETSIZE=2048 -I src/core -I src/event -I src/event/modules -I src/os/unix
-I /us
r/include/libxml2 -I objs \
        -o objs/src/os/unix/ngx_udp_send.o \
        src/os/unix/ngx_udp_send.c
cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g
-D FD_
SETSIZE=2048 -I src/core -I src/event -I src/event/modules -I src/os/unix
-I /us
r/include/libxml2 -I objs \
        -o objs/src/os/unix/ngx_udp_sendmsg_chain.o \
        src/os/unix/ngx_udp_sendmsg_chain.c
src/os/unix/ngx_udp_sendmsg_chain.c: In function `ngx_sendmsg':
src/os/unix/ngx_udp_sendmsg_chain.c:274:16: error: `struct in_pktinfo' has
no me
mber named `ipi_spec_dst'
             pkt->ipi_spec_dst = sin->sin_addr;
                ^
objs/Makefile:847: recipe for target
'objs/src/os/unix/ngx_udp_sendmsg_chain.o'
failed
make[1]: *** [objs/src/os/unix/ngx_udp_sendmsg_chain.o] Error 1
make[1]: Leaving directory '/home/kevin.worthington/nginx-1.13.0'
Makefile:8: recipe for target 'build' failed
make: *** [build] Error 2

Any tips to fix this? Thank you for reading.

Best regards,
Kevin
--
Kevin Worthington
kworthington ( at ) gmail {dot} com
https://kevinworthington.com/
https://twitter.com/kworthington

On Tue, Apr 25, 2017 at 10:32 AM, Maxim Dounin <mdounin at mdounin.ru> wrote:

> Changes with nginx 1.13.0                                        25 Apr
> 2017
>
>     *) Change: SSL renegotiation is now allowed on backend connections.
>
>     *) Feature: the "rcvbuf" and "sndbuf" parameters of the "listen"
>        directives of the mail proxy and stream modules.
>
>     *) Feature: the "return" and "error_page" directives can now be used to
>        return 308 redirections.
>        Thanks to Simon Leblanc.
>
>     *) Feature: the "TLSv1.3" parameter of the "ssl_protocols" directive.
>
>     *) Feature: when logging signals nginx now logs PID of the process
> which
>        sent the signal.
>
>     *) Bugfix: in memory allocation error handling.
>
>     *) Bugfix: if a server in the stream module listened on a wildcard
>        address, the source address of a response UDP datagram could differ
>        from the original datagram destination address.
>
>
> --
> Maxim Dounin
> http://nginx.org/
> _______________________________________________
> nginx-announce mailing list
> nginx-announce at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-announce
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170425/51fc6160/attachment.html>

From rainer at ultra-secure.de  Tue Apr 25 16:01:11 2017
From: rainer at ultra-secure.de (rainer at ultra-secure.de)
Date: Tue, 25 Apr 2017 18:01:11 +0200
Subject: Question about $upstream_cache_status
Message-ID: <728901c8f9af754ca7849267ef8b5f56@ultra-secure.de>

Hi,

am I right that $upstream_cache_status primarily concerns nginx' own 
upstreams like fastcgi, uwsgi etc?

Or is there a possibility to display whether an upstream varnish has had 
the page cached?



Rainer

From nginx-forum at forum.nginx.org  Tue Apr 25 16:11:00 2017
From: nginx-forum at forum.nginx.org (kay)
Date: Tue, 25 Apr 2017 12:11:00 -0400
Subject: Efficient stream proxy
Message-ID: <0b2f28d8a867e4770bac838eb3a2bc02.NginxMailingListEnglish@forum.nginx.org>

Hi,

I'd like to implement proxy server for internet radio streaming. And I'd
like to reuse existing established connection to the upstream for all
clients which listen the same "radio station"/"url".

Right now every listener creates a new connection on nginx side. Is it even
possible to reuse one connection for everyone?



Thanks in advance.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273848,273848#msg-273848


From mdounin at mdounin.ru  Tue Apr 25 16:25:02 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 25 Apr 2017 19:25:02 +0300
Subject: Question about $upstream_cache_status
In-Reply-To: <728901c8f9af754ca7849267ef8b5f56@ultra-secure.de>
References: <728901c8f9af754ca7849267ef8b5f56@ultra-secure.de>
Message-ID: <20170425162502.GP43932@mdounin.ru>

Hello!

On Tue, Apr 25, 2017 at 06:01:11PM +0200, rainer at ultra-secure.de wrote:

> am I right that $upstream_cache_status primarily concerns nginx' own 
> upstreams like fastcgi, uwsgi etc?

Yes.

> Or is there a possibility to display whether an upstream varnish has had 
> the page cached?

To obtain additional information from upstream servers you can use 
HTTP headers.  Headers as received from an upstream server are 
available as $upstream_http_* variables, see docs here:

http://nginx.org/r/$upstream_http_

-- 
Maxim Dounin
http://nginx.org/

From arut at nginx.com  Tue Apr 25 16:41:28 2017
From: arut at nginx.com (Roman Arutyunyan)
Date: Tue, 25 Apr 2017 19:41:28 +0300
Subject: Efficient stream proxy
In-Reply-To: <0b2f28d8a867e4770bac838eb3a2bc02.NginxMailingListEnglish@forum.nginx.org>
References: <0b2f28d8a867e4770bac838eb3a2bc02.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170425164128.GA94542@Romans-MacBook-Air.local>

Hi,

On Tue, Apr 25, 2017 at 12:11:00PM -0400, kay wrote:
> I'd like to implement proxy server for internet radio streaming. And I'd
> like to reuse existing established connection to the upstream for all
> clients which listen the same "radio station"/"url".
> 
> Right now every listener creates a new connection on nginx side. Is it even
> possible to reuse one connection for everyone?

Nothing like that is currently implemented in HTTP or stream.

But if you write your own module, nothing is impossible.

-- 
Roman Arutyunyan

From arut at nginx.com  Tue Apr 25 17:32:49 2017
From: arut at nginx.com (Roman Arutyunyan)
Date: Tue, 25 Apr 2017 20:32:49 +0300
Subject: [nginx-announce] nginx-1.13.0
In-Reply-To: <CAGo79UUp67MgbxZqB=VWdMqYdoKNdT5ko=BzQQzydwA7L=APfw@mail.gmail.com>
References: <20170425143241.GK43932@mdounin.ru>
 <CAGo79UUp67MgbxZqB=VWdMqYdoKNdT5ko=BzQQzydwA7L=APfw@mail.gmail.com>
Message-ID: <20170425173249.GB94542@Romans-MacBook-Air.local>

Hi,

Please try the patch.

On Tue, Apr 25, 2017 at 11:41:10AM -0400, Kevin Worthington wrote:
> Hello!
> 
> Getting a make error on 32-bit and 64-bit Cygwin:
> 
>         -o objs/src/os/unix/ngx_writev_chain.o \
>         src/os/unix/ngx_writev_chain.c
> cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g
> -D FD_
> SETSIZE=2048 -I src/core -I src/event -I src/event/modules -I src/os/unix
> -I /us
> r/include/libxml2 -I objs \
>         -o objs/src/os/unix/ngx_udp_send.o \
>         src/os/unix/ngx_udp_send.c
> cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g
> -D FD_
> SETSIZE=2048 -I src/core -I src/event -I src/event/modules -I src/os/unix
> -I /us
> r/include/libxml2 -I objs \
>         -o objs/src/os/unix/ngx_udp_sendmsg_chain.o \
>         src/os/unix/ngx_udp_sendmsg_chain.c
> src/os/unix/ngx_udp_sendmsg_chain.c: In function `ngx_sendmsg':
> src/os/unix/ngx_udp_sendmsg_chain.c:274:16: error: `struct in_pktinfo' has
> no me
> mber named `ipi_spec_dst'
>              pkt->ipi_spec_dst = sin->sin_addr;
>                 ^
> objs/Makefile:847: recipe for target
> 'objs/src/os/unix/ngx_udp_sendmsg_chain.o'
> failed
> make[1]: *** [objs/src/os/unix/ngx_udp_sendmsg_chain.o] Error 1
> make[1]: Leaving directory '/home/kevin.worthington/nginx-1.13.0'
> Makefile:8: recipe for target 'build' failed
> make: *** [build] Error 2
> 
> Any tips to fix this? Thank you for reading.
> 
> Best regards,
> Kevin
> --
> Kevin Worthington
> kworthington ( at ) gmail {dot} com
> https://kevinworthington.com/
> https://twitter.com/kworthington
> 
> On Tue, Apr 25, 2017 at 10:32 AM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> 
> > Changes with nginx 1.13.0                                        25 Apr
> > 2017
> >
> >     *) Change: SSL renegotiation is now allowed on backend connections.
> >
> >     *) Feature: the "rcvbuf" and "sndbuf" parameters of the "listen"
> >        directives of the mail proxy and stream modules.
> >
> >     *) Feature: the "return" and "error_page" directives can now be used to
> >        return 308 redirections.
> >        Thanks to Simon Leblanc.
> >
> >     *) Feature: the "TLSv1.3" parameter of the "ssl_protocols" directive.
> >
> >     *) Feature: when logging signals nginx now logs PID of the process
> > which
> >        sent the signal.
> >
> >     *) Bugfix: in memory allocation error handling.
> >
> >     *) Bugfix: if a server in the stream module listened on a wildcard
> >        address, the source address of a response UDP datagram could differ
> >        from the original datagram destination address.
> >
> >
> > --
> > Maxim Dounin
> > http://nginx.org/
> > _______________________________________________
> > nginx-announce mailing list
> > nginx-announce at nginx.org
> > http://mailman.nginx.org/mailman/listinfo/nginx-announce
> >

> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx


-- 
Roman Arutyunyan
-------------- next part --------------
# HG changeset patch
# User Roman Arutyunyan <arut at nginx.com>
# Date 1493141521 -10800
#      Tue Apr 25 20:32:01 2017 +0300
# Node ID 0d643aae8f445c75054d1bd13c16eb59534bb953
# Parent  201038680680b05ac435191ab2b8ceb5d6785ccf
Configure: disable IP_PKTINFO feature on Cygwin.

On this platform struct in_pktinfo has no field ipi_spec_dst.  Now presence of
this field is checked while configuring nginx.

diff --git a/auto/unix b/auto/unix
--- a/auto/unix
+++ b/auto/unix
@@ -416,7 +416,10 @@ ngx_feature_incs="#include <sys/socket.h
                   #include <netinet/in.h>"
 ngx_feature_path=
 ngx_feature_libs=
-ngx_feature_test="setsockopt(0, IPPROTO_IP, IP_PKTINFO, NULL, 0)"
+ngx_feature_test="struct in_pktinfo  pkt;
+                  pkt.ipi_spec_dst.s_addr = INADDR_ANY;
+                  (void) pkt;
+                  setsockopt(0, IPPROTO_IP, IP_PKTINFO, NULL, 0)"
 . auto/feature
 
 

From joel.parker.gm at gmail.com  Tue Apr 25 18:32:26 2017
From: joel.parker.gm at gmail.com (Joel Parker)
Date: Tue, 25 Apr 2017 13:32:26 -0500
Subject: N00b - logging stream request / response
Message-ID: <CAG6CpSCFnE3g=9w2vFzUygtEfpA3EqRiQUoiyPor0FuVz_LGgA@mail.gmail.com>

I am trying to log all request / response in a stream with a lua script I
found in git hub and am having issues figuring out where to put the
log_format directive. Here is what I currently have :

stream {

    log_format bodylog '$remote_addr - $remote_user [$time_local] '
      '"$request" $status $body_bytes_sent '
      '"$http_referer" "$http_user_agent" $request_time '
      '<"$request_body" >"$resp_body"';

     lua_need_request_body on;

     set $resp_body "";
     body_filter_by_lua '
        local resp_body = ngx.arg[1]
        ngx.ctx.buffered = (ngx.ctx.buffered or "") .. resp_body
        if ngx.arg[2] then
           ngx.var.resp_body = ngx.ctx.buffered
        end
       ';

......

}
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170425/81e18f3e/attachment.html>

From rpaprocki at fearnothingproductions.net  Tue Apr 25 18:38:50 2017
From: rpaprocki at fearnothingproductions.net (Robert Paprocki)
Date: Tue, 25 Apr 2017 11:38:50 -0700
Subject: N00b - logging stream request / response
In-Reply-To: <CAG6CpSCFnE3g=9w2vFzUygtEfpA3EqRiQUoiyPor0FuVz_LGgA@mail.gmail.com>
References: <CAG6CpSCFnE3g=9w2vFzUygtEfpA3EqRiQUoiyPor0FuVz_LGgA@mail.gmail.com>
Message-ID: <CAEuShZcWR6EOA0iLdgVLnJD==+gE3BdB0hW5tzgZY8wB8zZG+A@mail.gmail.com>

What you're doing doesn't quite make sense. You're trying to log HTTP data
inside a stream block. That doesn't work. There's no such concept of
$status, $http_referer, etc, inside a stream {} block.

Have a read of the log_format docs:
http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format


Syntax: *log_format* *name* [escape=default|json] *string* ...;
Default:

log_format combined "...";

Context: http



On Tue, Apr 25, 2017 at 11:32 AM, Joel Parker <joel.parker.gm at gmail.com>
wrote:

> I am trying to log all request / response in a stream with a lua script I
> found in git hub and am having issues figuring out where to put the
> log_format directive. Here is what I currently have :
>
> stream {
>
>     log_format bodylog '$remote_addr - $remote_user [$time_local] '
>       '"$request" $status $body_bytes_sent '
>       '"$http_referer" "$http_user_agent" $request_time '
>       '<"$request_body" >"$resp_body"';
>
>      lua_need_request_body on;
>
>      set $resp_body "";
>      body_filter_by_lua '
>         local resp_body = ngx.arg[1]
>         ngx.ctx.buffered = (ngx.ctx.buffered or "") .. resp_body
>         if ngx.arg[2] then
>            ngx.var.resp_body = ngx.ctx.buffered
>         end
>        ';
>
> ......
>
> }
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170425/ef777a0c/attachment.html>

From joel.parker.gm at gmail.com  Tue Apr 25 18:46:42 2017
From: joel.parker.gm at gmail.com (Joel Parker)
Date: Tue, 25 Apr 2017 13:46:42 -0500
Subject: N00b - logging stream request / response
In-Reply-To: <CAEuShZcWR6EOA0iLdgVLnJD==+gE3BdB0hW5tzgZY8wB8zZG+A@mail.gmail.com>
References: <CAG6CpSCFnE3g=9w2vFzUygtEfpA3EqRiQUoiyPor0FuVz_LGgA@mail.gmail.com>
 <CAEuShZcWR6EOA0iLdgVLnJD==+gE3BdB0hW5tzgZY8wB8zZG+A@mail.gmail.com>
Message-ID: <CAG6CpSC1SkjQgY2uqn-t4iTJVMGXMCb2=hmbLb_xNff=rqqW8A@mail.gmail.com>

so can I have a hierarchy like this ?

http {
      // log format
    stream {
          server {
             // access log
         }
    }
}

On Tue, Apr 25, 2017 at 1:38 PM, Robert Paprocki <
rpaprocki at fearnothingproductions.net> wrote:

> What you're doing doesn't quite make sense. You're trying to log HTTP data
> inside a stream block. That doesn't work. There's no such concept of
> $status, $http_referer, etc, inside a stream {} block.
>
> Have a read of the log_format docs: http://nginx.org/en/
> docs/http/ngx_http_log_module.html#log_format
>
>
> Syntax: *log_format* *name* [escape=default|json] *string* ...;
> Default:
>
> log_format combined "...";
>
> Context: http
>
>
>
> On Tue, Apr 25, 2017 at 11:32 AM, Joel Parker <joel.parker.gm at gmail.com>
> wrote:
>
>> I am trying to log all request / response in a stream with a lua script I
>> found in git hub and am having issues figuring out where to put the
>> log_format directive. Here is what I currently have :
>>
>> stream {
>>
>>     log_format bodylog '$remote_addr - $remote_user [$time_local] '
>>       '"$request" $status $body_bytes_sent '
>>       '"$http_referer" "$http_user_agent" $request_time '
>>       '<"$request_body" >"$resp_body"';
>>
>>      lua_need_request_body on;
>>
>>      set $resp_body "";
>>      body_filter_by_lua '
>>         local resp_body = ngx.arg[1]
>>         ngx.ctx.buffered = (ngx.ctx.buffered or "") .. resp_body
>>         if ngx.arg[2] then
>>            ngx.var.resp_body = ngx.ctx.buffered
>>         end
>>        ';
>>
>> ......
>>
>> }
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170425/e383d57e/attachment-0001.html>

From rpaprocki at fearnothingproductions.net  Tue Apr 25 18:49:05 2017
From: rpaprocki at fearnothingproductions.net (Robert Paprocki)
Date: Tue, 25 Apr 2017 11:49:05 -0700
Subject: N00b - logging stream request / response
In-Reply-To: <CAG6CpSC1SkjQgY2uqn-t4iTJVMGXMCb2=hmbLb_xNff=rqqW8A@mail.gmail.com>
References: <CAG6CpSCFnE3g=9w2vFzUygtEfpA3EqRiQUoiyPor0FuVz_LGgA@mail.gmail.com>
 <CAEuShZcWR6EOA0iLdgVLnJD==+gE3BdB0hW5tzgZY8wB8zZG+A@mail.gmail.com>
 <CAG6CpSC1SkjQgY2uqn-t4iTJVMGXMCb2=hmbLb_xNff=rqqW8A@mail.gmail.com>
Message-ID: <CAEuShZdR9g-sE-xX8OVKxeXh8-qL1YOMUpudFH7isgQ3eT40QA@mail.gmail.com>

No. stream {} and http {} blocks are mutually exclusive.

What exactly are you trying to accomplish with stream?

On Tue, Apr 25, 2017 at 11:46 AM, Joel Parker <joel.parker.gm at gmail.com>
wrote:

> so can I have a hierarchy like this ?
>
> http {
>       // log format
>     stream {
>           server {
>              // access log
>          }
>     }
> }
>
> On Tue, Apr 25, 2017 at 1:38 PM, Robert Paprocki <rpaprocki@
> fearnothingproductions.net> wrote:
>
>> What you're doing doesn't quite make sense. You're trying to log HTTP
>> data inside a stream block. That doesn't work. There's no such concept of
>> $status, $http_referer, etc, inside a stream {} block.
>>
>> Have a read of the log_format docs: http://nginx.org/en/docs
>> /http/ngx_http_log_module.html#log_format
>>
>>
>> Syntax: *log_format* *name* [escape=default|json] *string* ...;
>> Default:
>>
>> log_format combined "...";
>>
>> Context: http
>>
>>
>>
>> On Tue, Apr 25, 2017 at 11:32 AM, Joel Parker <joel.parker.gm at gmail.com>
>> wrote:
>>
>>> I am trying to log all request / response in a stream with a lua script
>>> I found in git hub and am having issues figuring out where to put the
>>> log_format directive. Here is what I currently have :
>>>
>>> stream {
>>>
>>>     log_format bodylog '$remote_addr - $remote_user [$time_local] '
>>>       '"$request" $status $body_bytes_sent '
>>>       '"$http_referer" "$http_user_agent" $request_time '
>>>       '<"$request_body" >"$resp_body"';
>>>
>>>      lua_need_request_body on;
>>>
>>>      set $resp_body "";
>>>      body_filter_by_lua '
>>>         local resp_body = ngx.arg[1]
>>>         ngx.ctx.buffered = (ngx.ctx.buffered or "") .. resp_body
>>>         if ngx.arg[2] then
>>>            ngx.var.resp_body = ngx.ctx.buffered
>>>         end
>>>        ';
>>>
>>> ......
>>>
>>> }
>>>
>>> _______________________________________________
>>> nginx mailing list
>>> nginx at nginx.org
>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>
>>
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170425/88462979/attachment.html>

From kworthington at gmail.com  Tue Apr 25 18:49:38 2017
From: kworthington at gmail.com (Kevin Worthington)
Date: Tue, 25 Apr 2017 14:49:38 -0400
Subject: [nginx-announce] nginx-1.13.0
In-Reply-To: <20170425173249.GB94542@Romans-MacBook-Air.local>
References: <20170425143241.GK43932@mdounin.ru>
 <CAGo79UUp67MgbxZqB=VWdMqYdoKNdT5ko=BzQQzydwA7L=APfw@mail.gmail.com>
 <20170425173249.GB94542@Romans-MacBook-Air.local>
Message-ID: <CAGo79UXEnh8Y57cLwAxWW70dKZPi0CvDhqzLp1XTD0vAvx-uhg@mail.gmail.com>

Hi Roman,

Thank you so much - it worked great!

Cheers,
Kevin
--
Kevin Worthington
kworthington ( at ) gmail {dot} com
https://kevinworthington.com/
https://twitter.com/kworthington

On Tue, Apr 25, 2017 at 1:32 PM, Roman Arutyunyan <arut at nginx.com> wrote:

> Hi,
>
> Please try the patch.
>
> On Tue, Apr 25, 2017 at 11:41:10AM -0400, Kevin Worthington wrote:
> > Hello!
> >
> > Getting a make error on 32-bit and 64-bit Cygwin:
> >
> >         -o objs/src/os/unix/ngx_writev_chain.o \
> >         src/os/unix/ngx_writev_chain.c
> > cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g
> > -D FD_
> > SETSIZE=2048 -I src/core -I src/event -I src/event/modules -I src/os/unix
> > -I /us
> > r/include/libxml2 -I objs \
> >         -o objs/src/os/unix/ngx_udp_send.o \
> >         src/os/unix/ngx_udp_send.c
> > cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g
> > -D FD_
> > SETSIZE=2048 -I src/core -I src/event -I src/event/modules -I src/os/unix
> > -I /us
> > r/include/libxml2 -I objs \
> >         -o objs/src/os/unix/ngx_udp_sendmsg_chain.o \
> >         src/os/unix/ngx_udp_sendmsg_chain.c
> > src/os/unix/ngx_udp_sendmsg_chain.c: In function `ngx_sendmsg':
> > src/os/unix/ngx_udp_sendmsg_chain.c:274:16: error: `struct in_pktinfo'
> has
> > no me
> > mber named `ipi_spec_dst'
> >              pkt->ipi_spec_dst = sin->sin_addr;
> >                 ^
> > objs/Makefile:847: recipe for target
> > 'objs/src/os/unix/ngx_udp_sendmsg_chain.o'
> > failed
> > make[1]: *** [objs/src/os/unix/ngx_udp_sendmsg_chain.o] Error 1
> > make[1]: Leaving directory '/home/kevin.worthington/nginx-1.13.0'
> > Makefile:8: recipe for target 'build' failed
> > make: *** [build] Error 2
> >
> > Any tips to fix this? Thank you for reading.
> >
> > Best regards,
> > Kevin
> > --
> > Kevin Worthington
> > kworthington ( at ) gmail {dot} com
> > https://kevinworthington.com/
> > https://twitter.com/kworthington
> >
> > On Tue, Apr 25, 2017 at 10:32 AM, Maxim Dounin <mdounin at mdounin.ru>
> wrote:
> >
> > > Changes with nginx 1.13.0                                        25 Apr
> > > 2017
> > >
> > >     *) Change: SSL renegotiation is now allowed on backend connections.
> > >
> > >     *) Feature: the "rcvbuf" and "sndbuf" parameters of the "listen"
> > >        directives of the mail proxy and stream modules.
> > >
> > >     *) Feature: the "return" and "error_page" directives can now be
> used to
> > >        return 308 redirections.
> > >        Thanks to Simon Leblanc.
> > >
> > >     *) Feature: the "TLSv1.3" parameter of the "ssl_protocols"
> directive.
> > >
> > >     *) Feature: when logging signals nginx now logs PID of the process
> > > which
> > >        sent the signal.
> > >
> > >     *) Bugfix: in memory allocation error handling.
> > >
> > >     *) Bugfix: if a server in the stream module listened on a wildcard
> > >        address, the source address of a response UDP datagram could
> differ
> > >        from the original datagram destination address.
> > >
> > >
> > > --
> > > Maxim Dounin
> > > http://nginx.org/
> > > _______________________________________________
> > > nginx-announce mailing list
> > > nginx-announce at nginx.org
> > > http://mailman.nginx.org/mailman/listinfo/nginx-announce
> > >
>
> > _______________________________________________
> > nginx mailing list
> > nginx at nginx.org
> > http://mailman.nginx.org/mailman/listinfo/nginx
>
>
> --
> Roman Arutyunyan
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170425/c240dc1d/attachment.html>

From joel.parker.gm at gmail.com  Tue Apr 25 18:52:41 2017
From: joel.parker.gm at gmail.com (Joel Parker)
Date: Tue, 25 Apr 2017 13:52:41 -0500
Subject: N00b - logging stream request / response
In-Reply-To: <CAEuShZdR9g-sE-xX8OVKxeXh8-qL1YOMUpudFH7isgQ3eT40QA@mail.gmail.com>
References: <CAG6CpSCFnE3g=9w2vFzUygtEfpA3EqRiQUoiyPor0FuVz_LGgA@mail.gmail.com>
 <CAEuShZcWR6EOA0iLdgVLnJD==+gE3BdB0hW5tzgZY8wB8zZG+A@mail.gmail.com>
 <CAG6CpSC1SkjQgY2uqn-t4iTJVMGXMCb2=hmbLb_xNff=rqqW8A@mail.gmail.com>
 <CAEuShZdR9g-sE-xX8OVKxeXh8-qL1YOMUpudFH7isgQ3eT40QA@mail.gmail.com>
Message-ID: <CAG6CpSA26=T9tQqpzS9iMMk79d9sfHiToA8x9fder6CggCOoNA@mail.gmail.com>

What I am trying to do is create an open proxy that listens to TLS from
many servers and de-crypts the traffic with the appropriate keys, log the
de-crytped request / response then re-encrypt with different certs and send
to an upstream server. My thought was theat a stream block would help me
accomplish this.

Joel

On Tue, Apr 25, 2017 at 1:49 PM, Robert Paprocki <
rpaprocki at fearnothingproductions.net> wrote:

> No. stream {} and http {} blocks are mutually exclusive.
>
> What exactly are you trying to accomplish with stream?
>
> On Tue, Apr 25, 2017 at 11:46 AM, Joel Parker <joel.parker.gm at gmail.com>
> wrote:
>
>> so can I have a hierarchy like this ?
>>
>> http {
>>       // log format
>>     stream {
>>           server {
>>              // access log
>>          }
>>     }
>> }
>>
>> On Tue, Apr 25, 2017 at 1:38 PM, Robert Paprocki <
>> rpaprocki at fearnothingproductions.net> wrote:
>>
>>> What you're doing doesn't quite make sense. You're trying to log HTTP
>>> data inside a stream block. That doesn't work. There's no such concept of
>>> $status, $http_referer, etc, inside a stream {} block.
>>>
>>> Have a read of the log_format docs: http://nginx.org/en/docs
>>> /http/ngx_http_log_module.html#log_format
>>>
>>>
>>> Syntax: *log_format* *name* [escape=default|json] *string* ...;
>>> Default:
>>>
>>> log_format combined "...";
>>>
>>> Context: http
>>>
>>>
>>>
>>> On Tue, Apr 25, 2017 at 11:32 AM, Joel Parker <joel.parker.gm at gmail.com>
>>> wrote:
>>>
>>>> I am trying to log all request / response in a stream with a lua script
>>>> I found in git hub and am having issues figuring out where to put the
>>>> log_format directive. Here is what I currently have :
>>>>
>>>> stream {
>>>>
>>>>     log_format bodylog '$remote_addr - $remote_user [$time_local] '
>>>>       '"$request" $status $body_bytes_sent '
>>>>       '"$http_referer" "$http_user_agent" $request_time '
>>>>       '<"$request_body" >"$resp_body"';
>>>>
>>>>      lua_need_request_body on;
>>>>
>>>>      set $resp_body "";
>>>>      body_filter_by_lua '
>>>>         local resp_body = ngx.arg[1]
>>>>         ngx.ctx.buffered = (ngx.ctx.buffered or "") .. resp_body
>>>>         if ngx.arg[2] then
>>>>            ngx.var.resp_body = ngx.ctx.buffered
>>>>         end
>>>>        ';
>>>>
>>>> ......
>>>>
>>>> }
>>>>
>>>> _______________________________________________
>>>> nginx mailing list
>>>> nginx at nginx.org
>>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>>
>>>
>>>
>>> _______________________________________________
>>> nginx mailing list
>>> nginx at nginx.org
>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>
>>
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170425/004a8807/attachment-0001.html>

From chadhansen at google.com  Tue Apr 25 18:53:03 2017
From: chadhansen at google.com (Chad Hansen)
Date: Tue, 25 Apr 2017 18:53:03 +0000
Subject: unable to log upstream_bytes_sent
Message-ID: <CAJa36RCvD=AnY=-bLwVtwvvG3KTfU4kVgYL1m1Y8tGSuBxw-OQ@mail.gmail.com>

I'm running nginx 1.11.9, and I get an error any time I try to use
bytes_sent, upstream_bytes_sent, or upstream_bytes_received. I've tried
logging directly in a log format, or using in a map:

<in http context>

map $request_method $chad_sent {
  default $upstream_bytes_sent;
}

map $request_method $chad_received {
  default $upstream_bytes_received;
}

This results in:

me at here:~/Downloads$ sudo service nginx restart
 * Restarting nginx nginx

nginx: [emerg] unknown "upstream_bytes_sent" variable
nginx: configuration file /etc/nginx/nginx.conf test failed

It's unclear to me if there's something wrong with my build, or if I have
to use a stream context, or some other issue.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170425/8a1aa820/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4851 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170425/8a1aa820/attachment.bin>

From rpaprocki at fearnothingproductions.net  Tue Apr 25 19:00:25 2017
From: rpaprocki at fearnothingproductions.net (Robert Paprocki)
Date: Tue, 25 Apr 2017 12:00:25 -0700
Subject: N00b - logging stream request / response
In-Reply-To: <CAG6CpSA26=T9tQqpzS9iMMk79d9sfHiToA8x9fder6CggCOoNA@mail.gmail.com>
References: <CAG6CpSCFnE3g=9w2vFzUygtEfpA3EqRiQUoiyPor0FuVz_LGgA@mail.gmail.com>
 <CAEuShZcWR6EOA0iLdgVLnJD==+gE3BdB0hW5tzgZY8wB8zZG+A@mail.gmail.com>
 <CAG6CpSC1SkjQgY2uqn-t4iTJVMGXMCb2=hmbLb_xNff=rqqW8A@mail.gmail.com>
 <CAEuShZdR9g-sE-xX8OVKxeXh8-qL1YOMUpudFH7isgQ3eT40QA@mail.gmail.com>
 <CAG6CpSA26=T9tQqpzS9iMMk79d9sfHiToA8x9fder6CggCOoNA@mail.gmail.com>
Message-ID: <CAEuShZe674w54VvAY2tHhv-y5f3eOybR961_eUZv6MAp73qkhQ@mail.gmail.com>

Just set up a server {} block that accepts TLS connections. This is exactly
what proxy_pass is for :) You can log whatever HTTP data you need via Nginx
(just as your log_format and content_by_lua block does), and then
proxy_pass that traffic to your upstream as normal. Stream blocks are for
arbitrary TCP/UDP streams; they have no knowledge of layer 7 HTTP data.

BTW it's very bad practice to buffer the whole request body like that ;)

On Tue, Apr 25, 2017 at 11:52 AM, Joel Parker <joel.parker.gm at gmail.com>
wrote:

> What I am trying to do is create an open proxy that listens to TLS from
> many servers and de-crypts the traffic with the appropriate keys, log the
> de-crytped request / response then re-encrypt with different certs and send
> to an upstream server. My thought was theat a stream block would help me
> accomplish this.
>
> Joel
>
> On Tue, Apr 25, 2017 at 1:49 PM, Robert Paprocki <
> rpaprocki at fearnothingproductions.net> wrote:
>
>> No. stream {} and http {} blocks are mutually exclusive.
>>
>> What exactly are you trying to accomplish with stream?
>>
>> On Tue, Apr 25, 2017 at 11:46 AM, Joel Parker <joel.parker.gm at gmail.com>
>> wrote:
>>
>>> so can I have a hierarchy like this ?
>>>
>>> http {
>>>       // log format
>>>     stream {
>>>           server {
>>>              // access log
>>>          }
>>>     }
>>> }
>>>
>>> On Tue, Apr 25, 2017 at 1:38 PM, Robert Paprocki <
>>> rpaprocki at fearnothingproductions.net> wrote:
>>>
>>>> What you're doing doesn't quite make sense. You're trying to log HTTP
>>>> data inside a stream block. That doesn't work. There's no such concept of
>>>> $status, $http_referer, etc, inside a stream {} block.
>>>>
>>>> Have a read of the log_format docs: http://nginx.org/en/docs
>>>> /http/ngx_http_log_module.html#log_format
>>>>
>>>>
>>>> Syntax: *log_format* *name* [escape=default|json] *string* ...;
>>>> Default:
>>>>
>>>> log_format combined "...";
>>>>
>>>> Context: http
>>>>
>>>>
>>>>
>>>> On Tue, Apr 25, 2017 at 11:32 AM, Joel Parker <joel.parker.gm at gmail.com
>>>> > wrote:
>>>>
>>>>> I am trying to log all request / response in a stream with a lua
>>>>> script I found in git hub and am having issues figuring out where to put
>>>>> the log_format directive. Here is what I currently have :
>>>>>
>>>>> stream {
>>>>>
>>>>>     log_format bodylog '$remote_addr - $remote_user [$time_local] '
>>>>>       '"$request" $status $body_bytes_sent '
>>>>>       '"$http_referer" "$http_user_agent" $request_time '
>>>>>       '<"$request_body" >"$resp_body"';
>>>>>
>>>>>      lua_need_request_body on;
>>>>>
>>>>>      set $resp_body "";
>>>>>      body_filter_by_lua '
>>>>>         local resp_body = ngx.arg[1]
>>>>>         ngx.ctx.buffered = (ngx.ctx.buffered or "") .. resp_body
>>>>>         if ngx.arg[2] then
>>>>>            ngx.var.resp_body = ngx.ctx.buffered
>>>>>         end
>>>>>        ';
>>>>>
>>>>> ......
>>>>>
>>>>> }
>>>>>
>>>>> _______________________________________________
>>>>> nginx mailing list
>>>>> nginx at nginx.org
>>>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> nginx mailing list
>>>> nginx at nginx.org
>>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>>
>>>
>>>
>>> _______________________________________________
>>> nginx mailing list
>>> nginx at nginx.org
>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>
>>
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170425/0f07da79/attachment.html>

From joel.parker.gm at gmail.com  Tue Apr 25 19:11:49 2017
From: joel.parker.gm at gmail.com (Joel Parker)
Date: Tue, 25 Apr 2017 14:11:49 -0500
Subject: N00b - logging stream request / response
In-Reply-To: <CAEuShZe674w54VvAY2tHhv-y5f3eOybR961_eUZv6MAp73qkhQ@mail.gmail.com>
References: <CAG6CpSCFnE3g=9w2vFzUygtEfpA3EqRiQUoiyPor0FuVz_LGgA@mail.gmail.com>
 <CAEuShZcWR6EOA0iLdgVLnJD==+gE3BdB0hW5tzgZY8wB8zZG+A@mail.gmail.com>
 <CAG6CpSC1SkjQgY2uqn-t4iTJVMGXMCb2=hmbLb_xNff=rqqW8A@mail.gmail.com>
 <CAEuShZdR9g-sE-xX8OVKxeXh8-qL1YOMUpudFH7isgQ3eT40QA@mail.gmail.com>
 <CAG6CpSA26=T9tQqpzS9iMMk79d9sfHiToA8x9fder6CggCOoNA@mail.gmail.com>
 <CAEuShZe674w54VvAY2tHhv-y5f3eOybR961_eUZv6MAp73qkhQ@mail.gmail.com>
Message-ID: <CAG6CpSCiaE7BgHtV75rc-jGesZznmMrwk-gM3GFTOk5VRRYWAg@mail.gmail.com>

I am still having issues with the config, can you take a look at my short
config and see where my confusion lies ? Changed the stream block to http
and think I did the rest correct but still complains about log_format and
not sure if my proxy_pass or any of the rest of it is bad.

Joel

On Tue, Apr 25, 2017 at 2:00 PM, Robert Paprocki <
rpaprocki at fearnothingproductions.net> wrote:

> Just set up a server {} block that accepts TLS connections. This is
> exactly what proxy_pass is for :) You can log whatever HTTP data you need
> via Nginx (just as your log_format and content_by_lua block does), and then
> proxy_pass that traffic to your upstream as normal. Stream blocks are for
> arbitrary TCP/UDP streams; they have no knowledge of layer 7 HTTP data.
>
> BTW it's very bad practice to buffer the whole request body like that ;)
>
>
> On Tue, Apr 25, 2017 at 11:52 AM, Joel Parker <joel.parker.gm at gmail.com>
> wrote:
>
>> What I am trying to do is create an open proxy that listens to TLS from
>> many servers and de-crypts the traffic with the appropriate keys, log the
>> de-crytped request / response then re-encrypt with different certs and send
>> to an upstream server. My thought was theat a stream block would help me
>> accomplish this.
>>
>> Joel
>>
>> On Tue, Apr 25, 2017 at 1:49 PM, Robert Paprocki <
>> rpaprocki at fearnothingproductions.net> wrote:
>>
>>> No. stream {} and http {} blocks are mutually exclusive.
>>>
>>> What exactly are you trying to accomplish with stream?
>>>
>>> On Tue, Apr 25, 2017 at 11:46 AM, Joel Parker <joel.parker.gm at gmail.com>
>>> wrote:
>>>
>>>> so can I have a hierarchy like this ?
>>>>
>>>> http {
>>>>       // log format
>>>>     stream {
>>>>           server {
>>>>              // access log
>>>>          }
>>>>     }
>>>> }
>>>>
>>>> On Tue, Apr 25, 2017 at 1:38 PM, Robert Paprocki <
>>>> rpaprocki at fearnothingproductions.net> wrote:
>>>>
>>>>> What you're doing doesn't quite make sense. You're trying to log HTTP
>>>>> data inside a stream block. That doesn't work. There's no such concept of
>>>>> $status, $http_referer, etc, inside a stream {} block.
>>>>>
>>>>> Have a read of the log_format docs: http://nginx.org/en/docs
>>>>> /http/ngx_http_log_module.html#log_format
>>>>>
>>>>>
>>>>> Syntax: *log_format* *name* [escape=default|json] *string* ...;
>>>>> Default:
>>>>>
>>>>> log_format combined "...";
>>>>>
>>>>> Context: http
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Apr 25, 2017 at 11:32 AM, Joel Parker <
>>>>> joel.parker.gm at gmail.com> wrote:
>>>>>
>>>>>> I am trying to log all request / response in a stream with a lua
>>>>>> script I found in git hub and am having issues figuring out where to put
>>>>>> the log_format directive. Here is what I currently have :
>>>>>>
>>>>>> stream {
>>>>>>
>>>>>>     log_format bodylog '$remote_addr - $remote_user [$time_local] '
>>>>>>       '"$request" $status $body_bytes_sent '
>>>>>>       '"$http_referer" "$http_user_agent" $request_time '
>>>>>>       '<"$request_body" >"$resp_body"';
>>>>>>
>>>>>>      lua_need_request_body on;
>>>>>>
>>>>>>      set $resp_body "";
>>>>>>      body_filter_by_lua '
>>>>>>         local resp_body = ngx.arg[1]
>>>>>>         ngx.ctx.buffered = (ngx.ctx.buffered or "") .. resp_body
>>>>>>         if ngx.arg[2] then
>>>>>>            ngx.var.resp_body = ngx.ctx.buffered
>>>>>>         end
>>>>>>        ';
>>>>>>
>>>>>> ......
>>>>>>
>>>>>> }
>>>>>>
>>>>>> _______________________________________________
>>>>>> nginx mailing list
>>>>>> nginx at nginx.org
>>>>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> nginx mailing list
>>>>> nginx at nginx.org
>>>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> nginx mailing list
>>>> nginx at nginx.org
>>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>>
>>>
>>>
>>> _______________________________________________
>>> nginx mailing list
>>> nginx at nginx.org
>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>
>>
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170425/b2f3039d/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nginx.conf
Type: application/octet-stream
Size: 1676 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170425/b2f3039d/attachment-0001.obj>

From joel.parker.gm at gmail.com  Tue Apr 25 19:41:27 2017
From: joel.parker.gm at gmail.com (Joel Parker)
Date: Tue, 25 Apr 2017 14:41:27 -0500
Subject: N00b - "set" directive is not allowed here
Message-ID: <CAG6CpSAr0kBMzH8jwzPkSZdqTS+p94tFFAHA7Nxu2ChXGh2igA@mail.gmail.com>

I have a set directive inside an http block which I thought was valid but
when I run config -t it says the nginx: [emerg] "set" directive is not
allowed here.


http {

    log_format bodylog '$remote_addr - $remote_user [$time_local] '
      '"$request" $status $body_bytes_sent '
      '"$http_referer" "$http_user_agent" $request_time '
      '<"$request_body" >"$resp_body"';

     lua_need_request_body on;

     *set $resp_body "";*
     body_filter_by_lua '
        local resp_body = ngx.arg[1]
        ngx.ctx.buffered = (ngx.ctx.buffered or "") .. resp_body
        if ngx.arg[2] then
           ngx.var.resp_body = ngx.ctx.buffered
        end
       ';

.....

Joel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170425/242af662/attachment.html>

From igal at lucee.org  Tue Apr 25 19:50:24 2017
From: igal at lucee.org (Igal @ Lucee.org)
Date: Tue, 25 Apr 2017 12:50:24 -0700
Subject: Blocking all URIs except for one directory
Message-ID: <6460cf38-0f2a-a522-2f2d-531166415d13@lucee.org>

Hello,

I want to secure a site using the allow/deny directives so that only 
allowed networks will be able to access it.  There is one "public" 
directory, however, that I want to be accessible for everyone.

nginx serves as a reverse proxy on that site, and requests for URIs that 
end with the suffix ".cfm" are proxied to Tomcat.

So I currently have something like:

location / {
     allow 10.0.0.0/24;
     deny all;
}

location /public/ {
     allow all;    # does that make sense?
}

location ~ \.cfm$ {
     ## proxy settings go here
}

Keep in mind that .cfm scripts are both in /public/ as well as in other 
directories.

How can I achieve that?

Thanks,

Igal Sapir
Lucee Core Developer
Lucee.org <http://lucee.org/>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170425/b43ffa70/attachment.html>

From rpaprocki at fearnothingproductions.net  Tue Apr 25 19:54:43 2017
From: rpaprocki at fearnothingproductions.net (Robert Paprocki)
Date: Tue, 25 Apr 2017 12:54:43 -0700
Subject: N00b - "set" directive is not allowed here
In-Reply-To: <CAG6CpSAr0kBMzH8jwzPkSZdqTS+p94tFFAHA7Nxu2ChXGh2igA@mail.gmail.com>
References: <CAG6CpSAr0kBMzH8jwzPkSZdqTS+p94tFFAHA7Nxu2ChXGh2igA@mail.gmail.com>
Message-ID: <D5710864-8A98-41D9-8D47-ED370B1D14AF@fearnothingproductions.net>

Read the docs please :)

http://nginx.org/en/docs/http/ngx_http_rewrite_module.html#set

Set is allowed is server, location, and if blocks. Not http blocks. 

> On Apr 25, 2017, at 12:41, Joel Parker <joel.parker.gm at gmail.com> wrote:
> 
> I have a set directive inside an http block which I thought was valid but when I run config -t it says the nginx: [emerg] "set" directive is not allowed here.
> 
> 
> http {
> 
>     log_format bodylog '$remote_addr - $remote_user [$time_local] '
>       '"$request" $status $body_bytes_sent '
>       '"$http_referer" "$http_user_agent" $request_time '
>       '<"$request_body" >"$resp_body"';
> 
>      lua_need_request_body on;
> 
>      set $resp_body "";
>      body_filter_by_lua '
>         local resp_body = ngx.arg[1]
>         ngx.ctx.buffered = (ngx.ctx.buffered or "") .. resp_body
>         if ngx.arg[2] then
>            ngx.var.resp_body = ngx.ctx.buffered
>         end
>        ';
> 
> .....
> 
> Joel
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170425/8cad3665/attachment.html>

From nginx-forum at forum.nginx.org  Tue Apr 25 20:16:19 2017
From: nginx-forum at forum.nginx.org (tommygunner)
Date: Tue, 25 Apr 2017 16:16:19 -0400
Subject: remove if from code
Message-ID: <e53f6bf76d6b8adda086c28727df6d23.NginxMailingListEnglish@forum.nginx.org>

I am using Nginx 1.13 and have read that using "if" is a poor solution. I
have looked through my configuration file and found one and would like to
rewrite it without the "if". Does anyone know how to rewrite this snippet?

## Execute PHP Scripts using FastCGI
	location ~ \.php(/.*)? {
    if (!-e $request_filename) {
        rewrite / /index.php last;
    }

Thanks

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273865,273865#msg-273865


From joel.parker.gm at gmail.com  Tue Apr 25 20:31:56 2017
From: joel.parker.gm at gmail.com (Joel Parker)
Date: Tue, 25 Apr 2017 15:31:56 -0500
Subject: N00b - confused ssl
Message-ID: <CAG6CpSCJ6bxjHrkV_iXBAd1=JP4=i+sP2EbdDiht7_dFWACFmQ@mail.gmail.com>

I am reading this doc : https://www.nginx.com/blog/nginx-ssl/  and it shows
how to either terminate (de-crypt) ssl or how to receive un-encrypted
traffic over port 80 for example and encrypt it before sending to the
upstream servers.

>From the doc:

listen 443 *ssl*;

*** tells nginx to decrypt the incoming traffic

proxy_pass https://backends;

*** and https tells nginx to encrypt the traffic going to the upstream
servers

so if I put both of these in one server block so that the incoming is
de-crypted and the outgoing is decrypted. Do I put both the server and
client certs in the same server block ?

confused.

Joel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170425/1ff5309f/attachment.html>

From alex at samad.com.au  Tue Apr 25 21:15:13 2017
From: alex at samad.com.au (Alex Samad)
Date: Wed, 26 Apr 2017 07:15:13 +1000
Subject: nginx-1.13.0
In-Reply-To: <20170425143234.GJ43932@mdounin.ru>
References: <20170425143234.GJ43932@mdounin.ru>
Message-ID: <CAJ+Q1PXrqoo0w-gcZGibBOhk1LUhU_xTUTKSfbTpshjy9HMrGA@mail.gmail.com>

On 26 April 2017 at 00:32, Maxim Dounin <mdounin at mdounin.ru> wrote:

>
>     *) Change: SSL renegotiation is now allowed on backend connections.
>

What does this mean ?


reason I am asking is I would like to setup a site say example.com, that is
SSL, with no need for client certs at root URI

but I would like to force a reneg at say /private/<...>

is that possible ..(I know its not backend, my hope is that if the code is
there for the backend, then it might be available at the front end as well)

A
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170426/e65b4226/attachment-0001.html>

From r at roze.lv  Wed Apr 26 01:13:42 2017
From: r at roze.lv (Reinis Rozitis)
Date: Wed, 26 Apr 2017 04:13:42 +0300
Subject: N00b - confused ssl
In-Reply-To: <CAG6CpSCJ6bxjHrkV_iXBAd1=JP4=i+sP2EbdDiht7_dFWACFmQ@mail.gmail.com>
References: <CAG6CpSCJ6bxjHrkV_iXBAd1=JP4=i+sP2EbdDiht7_dFWACFmQ@mail.gmail.com>
Message-ID: <000601d2be2a$58854ac0$098fe040$@roze.lv>

> so if I put both of these in one server block so that the incoming is de-crypted and the outgoing is decrypted. Do I put both the server and client certs in the same server block ?
confused. 

Depends on what setup/requirements you actually have:

- If your backend server requires authentication then you have to provide a client certificate via proxy_ssl_certificate (http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_certificate ).

- If your clients need to authenticate versus your nginx proxy then you use ssl_verify_client / ssl_trusted_certificate ( http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client ).

- If your backend requires passing through the user certificates it's a bit tricky as depending on backend it might or might not work https://trac.nginx.org/nginx/ticket/857 

rr


From r at roze.lv  Wed Apr 26 10:54:20 2017
From: r at roze.lv (Reinis Rozitis)
Date: Wed, 26 Apr 2017 13:54:20 +0300
Subject: remove if from code
In-Reply-To: <e53f6bf76d6b8adda086c28727df6d23.NginxMailingListEnglish@forum.nginx.org>
References: <e53f6bf76d6b8adda086c28727df6d23.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <087C1D67372846D0855E34FA8CCF4A97@MasterPC>

> Does anyone know how to rewrite this snippet?

> ## Execute PHP Scripts using FastCGI
> location ~ \.php(/.*)? {
>    if (!-e $request_filename) {
>        rewrite / /index.php last;
>    }

You can use try_files for that ( 
http://nginx.org/en/docs/http/ngx_http_core_module.html#try_files )

location ~ \.php$ {
    try_files $uri /index.php;
}


p.s. obviously for this location you need to add php handling also.

rr 


From kworthington at gmail.com  Wed Apr 26 11:18:24 2017
From: kworthington at gmail.com (Kevin Worthington)
Date: Wed, 26 Apr 2017 07:18:24 -0400
Subject: nginx-1.13.0
In-Reply-To: <20170425143234.GJ43932@mdounin.ru>
References: <20170425143234.GJ43932@mdounin.ru>
Message-ID: <CAGo79UXLwHvkaB_XjpGh=+L47uo-LnsNTrwKaXRmrHXB7Q7jXg@mail.gmail.com>

Hello Nginx users,

(I forgot to send this email yesterday.)

Now available: Nginx 1.13.0 for Windows https://kevinworthington.com/n
ginxwin1130 (32-bit and 64-bit versions)

These versions are to support legacy users who are already using Cygwin
based builds of Nginx. Officially supported native Windows binaries are at
nginx.org.

Announcements are also available here:
Twitter http://twitter.com/kworthington
Google+ https://plus.google.com/+KevinWorthington/

Thank you,
Kevin
--
Kevin Worthington
kworthington *@* (gmail]  [dot} {com)
http://kevinworthington.com/
http://twitter.com/kworthington
https://plus.google.com/+KevinWorthington/


On Tue, Apr 25, 2017 at 10:32 AM, Maxim Dounin <mdounin at mdounin.ru> wrote:

> Changes with nginx 1.13.0                                        25 Apr
> 2017
>
>     *) Change: SSL renegotiation is now allowed on backend connections.
>
>     *) Feature: the "rcvbuf" and "sndbuf" parameters of the "listen"
>        directives of the mail proxy and stream modules.
>
>     *) Feature: the "return" and "error_page" directives can now be used to
>        return 308 redirections.
>        Thanks to Simon Leblanc.
>
>     *) Feature: the "TLSv1.3" parameter of the "ssl_protocols" directive.
>
>     *) Feature: when logging signals nginx now logs PID of the process
> which
>        sent the signal.
>
>     *) Bugfix: in memory allocation error handling.
>
>     *) Bugfix: if a server in the stream module listened on a wildcard
>        address, the source address of a response UDP datagram could differ
>        from the original datagram destination address.
>
>
> --
> Maxim Dounin
> http://nginx.org/
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170426/8d0be1d2/attachment.html>

From joel.parker.gm at gmail.com  Wed Apr 26 11:42:16 2017
From: joel.parker.gm at gmail.com (Joel Parker)
Date: Wed, 26 Apr 2017 06:42:16 -0500
Subject: N00b - confused ssl
In-Reply-To: <000601d2be2a$58854ac0$098fe040$@roze.lv>
References: <CAG6CpSCJ6bxjHrkV_iXBAd1=JP4=i+sP2EbdDiht7_dFWACFmQ@mail.gmail.com>
 <000601d2be2a$58854ac0$098fe040$@roze.lv>
Message-ID: <CAG6CpSC-1JPjxK+6JthLZGMJ766zDFzZHNUEom0Tv1er7U0ehA@mail.gmail.com>

So it sounds like if I want to decrypt incoming traffic and upstream
traffic I would put them in the same block like this ?

server {

######################################################################
        # This is acting like the  server side  to decrypt the incoming
traffic

######################################################################

        listen 443 ssl;    # 'ssl' parameter tells NGINX to decrypt the
traffic
        server_name _;        # any server

        # root cert in PEM format
        ssl_certificate        /etc/ssl/certs/server.crt;

        # root private key
        ssl_certificate_key    /etc/ssl/certs/server.key;

        ssl_protocols    TLSv1.2;
        ssl_ciphers    HIGH:!aNULL:!MD5;

        # can tweak caching stradegy if needed
        ssl_session_cache    shared:SSL:20m;
        ssl_session_timeout    4h;
        ssl_handshake_timeout    30s;


######################################################################
        # This is acting like the client side and re-encrypting

######################################################################

        proxy_ssl    on;

        # ssl client cert
        proxy_ssl_certificate    /etc/ssl/certs/backend.crt;

        # ssl client private key
        proxy_ssl_certificate_key    /etc/ssl/certs/backend.key;
        proxy_ssl_protocols    SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        proxy_ssl_ciphers    HIGH:!aNULL:!MD5;

        # if requires trusted cert
        # proxy_ssl_trusted_certificate
/etc/ssl/certs/trusted_ca_cert.crt;

        proxy_ssl_verify    on;
        proxy_ssl_verify_depth    2;
        proxy_ssl_session_reuse    on;

        log_format replay '[$time_local] $server_name $status $content_type
$request_method XX_HOST_XX$request_uri Authorization:"$http_authorization"
$request_body_file';

        client_body_in_file_only on;
        access_log /var/log/nginx/request_response.log replay;

        location / {
            proxy_pass https://backend; # 'https' prefix tells NGINX to
encrypt the traffic
        }
    }

On Tue, Apr 25, 2017 at 8:13 PM, Reinis Rozitis <r at roze.lv> wrote:

> > so if I put both of these in one server block so that the incoming is
> de-crypted and the outgoing is decrypted. Do I put both the server and
> client certs in the same server block ?
> confused.
>
> Depends on what setup/requirements you actually have:
>
> - If your backend server requires authentication then you have to provide
> a client certificate via proxy_ssl_certificate (http://nginx.org/en/docs/
> http/ngx_http_proxy_module.html#proxy_ssl_certificate ).
>
> - If your clients need to authenticate versus your nginx proxy then you
> use ssl_verify_client / ssl_trusted_certificate (
> http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client
> ).
>
> - If your backend requires passing through the user certificates it's a
> bit tricky as depending on backend it might or might not work
> https://trac.nginx.org/nginx/ticket/857
>
> rr
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170426/97c2de9c/attachment.html>

From r at roze.lv  Wed Apr 26 12:28:15 2017
From: r at roze.lv (Reinis Rozitis)
Date: Wed, 26 Apr 2017 15:28:15 +0300
Subject: N00b - confused ssl
In-Reply-To: <CAG6CpSC-1JPjxK+6JthLZGMJ766zDFzZHNUEom0Tv1er7U0ehA@mail.gmail.com>
References: <CAG6CpSCJ6bxjHrkV_iXBAd1=JP4=i+sP2EbdDiht7_dFWACFmQ@mail.gmail.com>
 <000601d2be2a$58854ac0$098fe040$@roze.lv>
 <CAG6CpSC-1JPjxK+6JthLZGMJ766zDFzZHNUEom0Tv1er7U0ehA@mail.gmail.com>
Message-ID: <C887102940094713BCD75681B7C8E755@MasterPC>

> So it sounds like if I want to decrypt incoming traffic and upstream 
> traffic I would put them in the same block like this ?

Seems fine.

p.s. just if you trust your backend there is in general no need to use 
proxy_ssl_verify    on;
When it?s off (by default) nginx will be fine with whatever certificate the 
backend server provides as far the the connection is via ssl/tls.


rr


From nginx-forum at forum.nginx.org  Wed Apr 26 12:32:08 2017
From: nginx-forum at forum.nginx.org (akb-nginx)
Date: Wed, 26 Apr 2017 08:32:08 -0400
Subject: UDP reverse proxying for OpenVPN isn't working using Nginx streams
Message-ID: <376d2e795457eaba5e1ba5c5ad825f0e.NginxMailingListEnglish@forum.nginx.org>

Hi.

I was just wondering whether UDP stream proxying on Nginx is in its infacy
or there is something which I am doing wrong. I have this simple config: 

events { worker_connections  1024; }

worker_processes  1;
error_log /dev/stderr debug;
daemon off;

stream {
server {
    listen X.X.X.X:1194 udp;
    proxy_pass 127.0.0.1:1195;
}
}

to make Nginx a reverse proxy for my OpenVPN server listening on UDP port
1195 on localhost. But it just doesn't work. When a client connects, Nginx
keeps logging these lines on stderr:

2017/04/26 12:14:43 [notice] 17125#0: using the "epoll" event method
2017/04/26 12:14:43 [notice] 17125#0: nginx/1.11.13
2017/04/26 12:14:43 [notice] 17125#0: built by gcc 4.9.2 (Debian 4.9.2-10) 
2017/04/26 12:14:43 [notice] 17125#0: OS: Linux 3.16.0-4-amd64
2017/04/26 12:14:43 [notice] 17125#0: getrlimit(RLIMIT_NOFILE): 1024:4096
2017/04/26 12:14:43 [notice] 17125#0: start worker processes
2017/04/26 12:14:43 [notice] 17125#0: start worker process 17126
2017/04/26 12:14:47 [info] 17126#0: *1 udp client Y.Y.Y.Y:40332 connected to
X.X.X.X:1194
2017/04/26 12:14:47 [info] 17126#0: *1 udp proxy 127.0.0.1:55424 connected
to 127.0.0.1:1195
2017/04/26 12:14:47 [info] 17126#0: *3 udp client Y.Y.Y.Y:40332 connected to
X.X.X.X:1194
2017/04/26 12:14:47 [info] 17126#0: *3 udp proxy 127.0.0.1:48958 connected
to 127.0.0.1:1195
2017/04/26 12:14:47 [info] 17126#0: *5 udp client Y.Y.Y.Y:40332 connected to
X.X.X.X:1194
2017/04/26 12:14:47 [info] 17126#0: *5 udp proxy 127.0.0.1:56732 connected
to 127.0.0.1:1195
2017/04/26 12:14:47 [info] 17126#0: *7 udp client Y.Y.Y.Y:40332 connected to
X.X.X.X:1194
2017/04/26 12:14:47 [info] 17126#0: *7 udp proxy 127.0.0.1:60363 connected
to 127.0.0.1:1195
2017/04/26 12:14:50 [info] 17126#0: *9 udp client Y.Y.Y.Y:56226 connected to
X.X.X.X:1194
2017/04/26 12:14:50 [info] 17126#0: *9 udp proxy 127.0.0.1:52499 connected
to 127.0.0.1:1195
2017/04/26 12:14:50 [info] 17126#0: *11 udp client Y.Y.Y.Y:56226 connected
to X.X.X.X:1194
2017/04/26 12:14:50 [info] 17126#0: *11 udp proxy 127.0.0.1:48850 connected
to 127.0.0.1:1195
2017/04/26 12:14:50 [info] 17126#0: *13 udp client Y.Y.Y.Y:56226 connected
to X.X.X.X:1194
2017/04/26 12:14:50 [info] 17126#0: *13 udp proxy 127.0.0.1:60125 connected
to 127.0.0.1:1195
2017/04/26 12:14:50 [info] 17126#0: *15 udp client Y.Y.Y.Y:56226 connected
to X.X.X.X:1194
2017/04/26 12:14:50 [info] 17126#0: *15 udp proxy 127.0.0.1:54133 connected
to 127.0.0.1:1195
2017/04/26 12:14:52 [info] 17126#0: *17 udp client Y.Y.Y.Y:56226 connected
to X.X.X.X:1194
2017/04/26 12:14:52 [info] 17126#0: *17 udp proxy 127.0.0.1:50184 connected
to 127.0.0.1:1195
2017/04/26 12:14:52 [info] 17126#0: *19 udp client Y.Y.Y.Y:56226 connected
to X.X.X.X:1194
2017/04/26 12:14:52 [info] 17126#0: *19 udp proxy 127.0.0.1:48836 connected
to 127.0.0.1:1195
2017/04/26 12:14:53 [info] 17126#0: *21 udp client Y.Y.Y.Y:56226 connected
to X.X.X.X:1194
2017/04/26 12:14:53 [info] 17126#0: *21 udp proxy 127.0.0.1:42665 connected
to 127.0.0.1:1195
2017/04/26 12:14:56 [info] 17126#0: *23 udp client Y.Y.Y.Y:56226 connected
to X.X.X.X:1194
.......................
.......................

Whereas the OpenVPN client is stuck on:

Wed Apr 26 12:14:50 2017 OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)]
[LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 12 2015
Wed Apr 26 12:14:50 2017 library versions: OpenSSL 1.0.1t  3 May 2016, LZO
2.08
Wed Apr 26 12:14:50 2017 Control Channel Authentication: tls-auth using
INLINE static key file
Wed Apr 26 12:14:50 2017 Outgoing Control Channel Authentication: Using 160
bit message hash 'SHA1' for HMAC authentication
Wed Apr 26 12:14:50 2017 Incoming Control Channel Authentication: Using 160
bit message hash 'SHA1' for HMAC authentication
Wed Apr 26 12:14:50 2017 Socket Buffers: R=[212992->212992]
S=[212992->212992]
Wed Apr 26 12:14:50 2017 UDPv4 link local: [undef]
Wed Apr 26 12:14:50 2017 UDPv4 link remote: [AF_INET]X.X.X.X:1194
Wed Apr 26 12:14:50 2017 TLS: Initial packet from [AF_INET]X.X.X.X:1194,
sid=afcea479 758711e0

Even there trivial setups work as expected:

pen X.X.X.X:1194 127.0.0.1:1195  -U

OR

nc -u -l -p 1194 -c "nc -u 127.0.0.1 1195"

But I fail to understand why isn't Nginx working. By the way, if everything
is replaced with TCP in both nginx and OpenVPN file, it works. Also UDP
proxying for DNS:

listen X.X.X.X:53 udp; 
proxy_pass 8.8.8.8:53;

works. The Nginx version is: 1.11.13. Will really appreciate any advice on
this.

Thanks & Regards.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273875,273875#msg-273875


From mdounin at mdounin.ru  Wed Apr 26 12:50:56 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 26 Apr 2017 15:50:56 +0300
Subject: Blocking all URIs except for one directory
In-Reply-To: <6460cf38-0f2a-a522-2f2d-531166415d13@lucee.org>
References: <6460cf38-0f2a-a522-2f2d-531166415d13@lucee.org>
Message-ID: <20170426125056.GR43932@mdounin.ru>

Hello!

On Tue, Apr 25, 2017 at 12:50:24PM -0700, Igal @ Lucee.org wrote:

> Hello,
> 
> I want to secure a site using the allow/deny directives so that only 
> allowed networks will be able to access it.  There is one "public" 
> directory, however, that I want to be accessible for everyone.
> 
> nginx serves as a reverse proxy on that site, and requests for URIs that 
> end with the suffix ".cfm" are proxied to Tomcat.
> 
> So I currently have something like:
> 
> location / {
>      allow 10.0.0.0/24;
>      deny all;
> }
> 
> location /public/ {
>      allow all;    # does that make sense?
> }
> 
> location ~ \.cfm$ {
>      ## proxy settings go here
> }
> 
> Keep in mind that .cfm scripts are both in /public/ as well as in other 
> directories.
> 
> How can I achieve that?

Try this instead:

    location / {
        allow ...
        deny all;

        location ~ \.cfm$ {
            ...
        }
    }

    location /public/ {
	# access allowed to all by default - unless there is 
	# something restrictive defined on previous levels

        location ~ \.cfm$ {
            ...
        }
    }

You may also find this talk interesting:

https://youtu.be/YWRYbLKsS0I

-- 
Maxim Dounin
http://nginx.org/

From arut at nginx.com  Wed Apr 26 13:32:29 2017
From: arut at nginx.com (Roman Arutyunyan)
Date: Wed, 26 Apr 2017 16:32:29 +0300
Subject: UDP reverse proxying for OpenVPN isn't working using Nginx streams
In-Reply-To: <376d2e795457eaba5e1ba5c5ad825f0e.NginxMailingListEnglish@forum.nginx.org>
References: <376d2e795457eaba5e1ba5c5ad825f0e.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170426133229.GC94542@Romans-MacBook-Air.local>

Hi,

On Wed, Apr 26, 2017 at 08:32:08AM -0400, akb-nginx wrote:
> Hi.
> 
> I was just wondering whether UDP stream proxying on Nginx is in its infacy
> or there is something which I am doing wrong. I have this simple config: 
> 
> events { worker_connections  1024; }
> 
> worker_processes  1;
> error_log /dev/stderr debug;
> daemon off;
> 
> stream {
> server {
>     listen X.X.X.X:1194 udp;
>     proxy_pass 127.0.0.1:1195;
> }
> }
> 
> to make Nginx a reverse proxy for my OpenVPN server listening on UDP port
> 1195 on localhost. But it just doesn't work. When a client connects, Nginx
> keeps logging these lines on stderr:
> 
> 2017/04/26 12:14:43 [notice] 17125#0: using the "epoll" event method
> 2017/04/26 12:14:43 [notice] 17125#0: nginx/1.11.13
> 2017/04/26 12:14:43 [notice] 17125#0: built by gcc 4.9.2 (Debian 4.9.2-10) 
> 2017/04/26 12:14:43 [notice] 17125#0: OS: Linux 3.16.0-4-amd64
> 2017/04/26 12:14:43 [notice] 17125#0: getrlimit(RLIMIT_NOFILE): 1024:4096
> 2017/04/26 12:14:43 [notice] 17125#0: start worker processes
> 2017/04/26 12:14:43 [notice] 17125#0: start worker process 17126
> 2017/04/26 12:14:47 [info] 17126#0: *1 udp client Y.Y.Y.Y:40332 connected to
> X.X.X.X:1194
> 2017/04/26 12:14:47 [info] 17126#0: *1 udp proxy 127.0.0.1:55424 connected
> to 127.0.0.1:1195
> 2017/04/26 12:14:47 [info] 17126#0: *3 udp client Y.Y.Y.Y:40332 connected to
> X.X.X.X:1194
> 2017/04/26 12:14:47 [info] 17126#0: *3 udp proxy 127.0.0.1:48958 connected
> to 127.0.0.1:1195
> 2017/04/26 12:14:47 [info] 17126#0: *5 udp client Y.Y.Y.Y:40332 connected to
> X.X.X.X:1194
> 2017/04/26 12:14:47 [info] 17126#0: *5 udp proxy 127.0.0.1:56732 connected
> to 127.0.0.1:1195

Stream UDP proxy creates a session for every client packet.
That packet is proxied separately from other client packets with a new
proxy client port each time and a response for this packet is proxied back.

While this works fine for protocols like DNS, long sessions with multiple
client packets will not work properly.

[..]

-- 
Roman Arutyunyan

From nginx-forum at forum.nginx.org  Wed Apr 26 13:42:22 2017
From: nginx-forum at forum.nginx.org (akb-nginx)
Date: Wed, 26 Apr 2017 09:42:22 -0400
Subject: UDP reverse proxying for OpenVPN isn't working using Nginx streams
In-Reply-To: <20170426133229.GC94542@Romans-MacBook-Air.local>
References: <20170426133229.GC94542@Romans-MacBook-Air.local>
Message-ID: <7da2d43c50b4bb37c2068bdd55f666b5.NginxMailingListEnglish@forum.nginx.org>

Thanks for your responce. I think I am out of luck then as far as proxying
UDP openvpn is concerned. Any particular reason that Nginx took this
approach instead of how very basic load balancers like "Pen" etc do it.

I was able to proxy using simpler tools like pen and nc but a more loaded
Nginx fails for the reasons you mentioned.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273875,273878#msg-273878


From mdounin at mdounin.ru  Wed Apr 26 14:14:23 2017
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 26 Apr 2017 17:14:23 +0300
Subject: nginx-1.13.0
In-Reply-To: <CAJ+Q1PXrqoo0w-gcZGibBOhk1LUhU_xTUTKSfbTpshjy9HMrGA@mail.gmail.com>
References: <20170425143234.GJ43932@mdounin.ru>
 <CAJ+Q1PXrqoo0w-gcZGibBOhk1LUhU_xTUTKSfbTpshjy9HMrGA@mail.gmail.com>
Message-ID: <20170426141423.GT43932@mdounin.ru>

Hello!

On Wed, Apr 26, 2017 at 07:15:13AM +1000, Alex Samad wrote:

> On 26 April 2017 at 00:32, Maxim Dounin <mdounin at mdounin.ru> wrote:
> 
> >
> >     *) Change: SSL renegotiation is now allowed on backend connections.
> >
> 
> What does this mean ?
> 
> 
> reason I am asking is I would like to setup a site say example.com, that is
> SSL, with no need for client certs at root URI
> 
> but I would like to force a reneg at say /private/<...>
> 
> is that possible ..(I know its not backend, my hope is that if the code is
> there for the backend, then it might be available at the front end as well)

No, it is not possible to client certificates only for some URIs 
in nginx, and unlikely will be possible in the foreseeable future.  
This is implemented by some other servers though, and in the past 
there were several reports about interoperability problems with 
such servers when nginx talked to them via proxy_pass.  For 
additional details see http://hg.nginx.org/nginx/rev/ac9b1df5b246.

-- 
Maxim Dounin
http://nginx.org/

From nginx-forum at forum.nginx.org  Wed Apr 26 14:15:16 2017
From: nginx-forum at forum.nginx.org (lchennup)
Date: Wed, 26 Apr 2017 10:15:16 -0400
Subject: Way to deny all requests if any upstream is down
Message-ID: <1904b658e580e0145d0f2a8b4282a973.NginxMailingListEnglish@forum.nginx.org>

Hi All,

Is there any way to deny all requests if any upstream servers are down?.

Thanks

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273881,273881#msg-273881


From nginx-forum at forum.nginx.org  Wed Apr 26 14:22:20 2017
From: nginx-forum at forum.nginx.org (e.htabar)
Date: Wed, 26 Apr 2017 10:22:20 -0400
Subject: how add RewriteRule .* index.php in nginx
Message-ID: <6aaf4677bd6537ee1d5b128499371d15.NginxMailingListEnglish@forum.nginx.org>

down vote
favorite
how set add " RewriteRule .* index.php " in nginx.conf for subfolder ?

and dont redirect for root example:

https://www.bidbarg.com/ (index.php redirect to none)

https://www.bidbarg.com/bimeh/index.php/ (index.php needed)

thank you

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273883,273883#msg-273883


From nginx-forum at forum.nginx.org  Wed Apr 26 13:56:15 2017
From: nginx-forum at forum.nginx.org (tory)
Date: Wed, 26 Apr 2017 09:56:15 -0400
Subject: Client certificate authentication error
In-Reply-To: <c2166e42cb7741526e4a1d56ff63ea75.NginxMailingListEnglish@forum.nginx.org>
References: <c2166e42cb7741526e4a1d56ff63ea75.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <e4f50dcb48e456ae52e852043b78f192.NginxMailingListEnglish@forum.nginx.org>

There is an incorrect syntax to fix.

I have registered p12 certificate and ca certificate in my Firefox browser,
but I get "400 Bad Request". 

==> I have registered client.p12 and ca.crt file in my Firefox browser, but
I get "400 Bad Request".

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273879,273880#msg-273880


From nginx-forum at forum.nginx.org  Wed Apr 26 13:49:40 2017
From: nginx-forum at forum.nginx.org (tory)
Date: Wed, 26 Apr 2017 09:49:40 -0400
Subject: Client certificate authentication error
Message-ID: <c2166e42cb7741526e4a1d56ff63ea75.NginxMailingListEnglish@forum.nginx.org>

Hello.
I am trying to implement a client certificate using nginx on Ubuntu 16.04.
Firefox browser "400 Bad Request No required SSL certificate was sent "error
occurs.

To solve the above error, I release everything for the development process
and configuration tests.

1. create client certificate file(openssl 1.0.2g)


openssl genrsa -des3 -out ca.key 2048  (pass :  1234)

openssl req -new -key ca.key -out ca.csr -subj
/C=KR/ST=Seoul/L=Guro-gu/O=company/CN=www.wemakeusa.com/emailAddress=company at wemakeusa.com

openssl x509 -req -days 1280 -in ca.csr -signkey ca.key -out ca.crt

openssl rsa -in ca.key -out ca_key.pem

--

openssl genrsa -des3 -out server.key 2048  (pass : 12345)

openssl req -new -key server.key -out server.csr -subj
/C=KR/ST=Seoul/L=Guro-gu/O=req
company/CN=www.wemakeusa.com/emailAddress=manager at wemakeusa.com

openssl x509 -req -in server.csr -out server.crt -signkey server.key -CA
ca.crt -CAkey ca.key -CAcreateserial -days 365

openssl rsa -in server.key -out server_key.pem

--

openssl genrsa -des3 -out client.key 2048  (pass : 123456)

openssl req -new -key client.key -out client.csr -subj
/C=KR/ST=Seoul/L=Guro-gu/O=Users/CN=www.wemakeusa.com/emailAddress=users at wemakeusa.com

openssl x509 -req -in client.csr -out client.crt -signkey client.key -CA
server.crt -CAkey server.key -CAcreateserial -days 365

openssl rsa -in client.key -out client_key.pem


openssl pkcs12 -in client.crt -inkey client.key -export -out client.p12



2. Nginx configure(1.10.0)

server {
    listen        443;
    ssl on;
    server_name www.wemakeusa.com;

    error_log   /home/ubuntu/nginx-error.log debug;

    ssl_certificate      /home/ubuntu/ssl-der/server.crt;
    ssl_certificate_key  /home/ubuntu/ssl-der/server_key.pem;
    ssl_client_certificate /home/ubuntu/ssl-der/ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 3;

    location / {
        root           /var/www/wemakeusa.com;
        index index.html;
        if ($ssl_client_i_dn != "CN = company") {
            return 403;
        }
        if ($ssl_client_i_dn != "emailAddress=user at wemakeusa.com") {
            return 403;
        }
    }
}


3. SSL testing

https://www.ssllabs.com/ssltest/analyze.html?d=www.wemakeusa.com



4. Download files for exams

http://www.wemakeusa.com/certificate_file.tar



I have registered p12 certificate and ca certificate in my Firefox browser,
but I get "400 Bad Request".

I need help with 'multiple user cilent certificate authentication' tips and
solutions for errors.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273879,273879#msg-273879


From djczaski at gmail.com  Wed Apr 26 14:42:14 2017
From: djczaski at gmail.com (Danomi Czaski)
Date: Wed, 26 Apr 2017 10:42:14 -0400
Subject: Passing small request_body to auth_request through a header
Message-ID: <CA+Nw5WAXxpH_Nj1QNHHm8BFDpuc8eTy=X4+_695K0w__BJdd3w@mail.gmail.com>

I have a small body (less than 512 bytes) that I'd like to pass to
auth_request. Since the body is discarded, I've tried passing it
through a header with no luck. Is there any way to do this?

    location = /my_auth
    {
        internal;

        include  fastcgi_params;
        fastcgi_pass  unix:/tmp/nginx/sock/my_auth.sock;

        proxy_pass_request_body off;
        proxy_set_header Content-Length "";

        proxy_set_header MYBODY $request_body;
        fastcgi_param  MYBODY $request_body;
    }

    location = /login
    {
        auth_request /my_auth;
        client_max_body_size 512;
    }

From arut at nginx.com  Wed Apr 26 14:56:23 2017
From: arut at nginx.com (Roman Arutyunyan)
Date: Wed, 26 Apr 2017 17:56:23 +0300
Subject: UDP reverse proxying for OpenVPN isn't working using Nginx streams
In-Reply-To: <7da2d43c50b4bb37c2068bdd55f666b5.NginxMailingListEnglish@forum.nginx.org>
References: <20170426133229.GC94542@Romans-MacBook-Air.local>
 <7da2d43c50b4bb37c2068bdd55f666b5.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170426145623.GD94542@Romans-MacBook-Air.local>

On Wed, Apr 26, 2017 at 09:42:22AM -0400, akb-nginx wrote:
> Thanks for your responce. I think I am out of luck then as far as proxying
> UDP openvpn is concerned. Any particular reason that Nginx took this
> approach instead of how very basic load balancers like "Pen" etc do it.
> 
> I was able to proxy using simpler tools like pen and nc but a more loaded
> Nginx fails for the reasons you mentioned.

When operating in multi-worker mode, a UDP packet from a client may be received
by any worker.  Using SO_REUSEPORT can help with that on Linux, but not always.
Proxying becomes complicated if every packet of a UDP packet sequence is
received by a different worker.

-- 
Roman Arutyunyan

From r1ch+nginx at teamliquid.net  Wed Apr 26 15:14:57 2017
From: r1ch+nginx at teamliquid.net (Richard Stanway)
Date: Wed, 26 Apr 2017 17:14:57 +0200
Subject: Client certificate authentication error
In-Reply-To: <e4f50dcb48e456ae52e852043b78f192.NginxMailingListEnglish@forum.nginx.org>
References: <c2166e42cb7741526e4a1d56ff63ea75.NginxMailingListEnglish@forum.nginx.org>
 <e4f50dcb48e456ae52e852043b78f192.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <CAKWQeyiL4dEqFzvW4dDWxrGgaBLo6bewaRs0si=UmoP8CtW3yw@mail.gmail.com>

> openssl x509 -req -in client.csr -out client.crt -signkey client.key -CA
> server.crt -CAkey server.key -CAcreateserial -days 365

I think you should be using the CA certificate here, not the server
certificate.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170426/15218974/attachment.html>

From awhosit at gmail.com  Wed Apr 26 16:32:27 2017
From: awhosit at gmail.com (Kevin)
Date: Wed, 26 Apr 2017 12:32:27 -0400
Subject: Why does nginx rewrite sending https to http?
Message-ID: <CAN94_t-iZ45xxMSFiJSKLcM5ct5G1zyGX24TPGpc034E6tBRyQ@mail.gmail.com>

Hi,

I'm trying to rewrite some route in cloud foundry static buildpack, but
whenever I rewrite, the https goes to http.

So I add return with / with /login, then it goes to http://server/, even it
starts with https://server/login.


location /login {
      return 301 /;

      <% if ENV["FORCE_HTTPS"] %>
        if ($http_x_forwarded_proto != "https") {
          return 301 https://$host$request_uri;
        }
      <% end %>
 }
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170426/7819527b/attachment.html>

From nginx-forum at forum.nginx.org  Wed Apr 26 17:09:14 2017
From: nginx-forum at forum.nginx.org (tommygunner)
Date: Wed, 26 Apr 2017 13:09:14 -0400
Subject: remove if from code
In-Reply-To: <087C1D67372846D0855E34FA8CCF4A97@MasterPC>
References: <087C1D67372846D0855E34FA8CCF4A97@MasterPC>
Message-ID: <b9356873546a436a966f3c20a10cd6d1.NginxMailingListEnglish@forum.nginx.org>

Thanks! I got it to work but had to put my fastcgi stuff inside.


location ~ \.php$ {
try_files $uri /index.php;

    
	# fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
	expires 	off;
	fastcgi_pass   127.0.0.1:9000;
	fastcgi_index  index.php;
       fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
	## Tweak fastcgi buffers, just in case.
	fastcgi_buffer_size 256k;
	fastcgi_buffers 256 4k;
	fastcgi_busy_buffers_size 256k;
	fastcgi_temp_file_write_size 256k;
    #fastcgi_connect_timeout 300;
	#fastcgi_send_timeout 300;
	#fastcgi_read_timeout 300;
    fastcgi_param HTTPS on;
    fastcgi_param   HTTP_SCHEME         https;
    
	include fastcgi_params;
	}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273865,273888#msg-273888


From nginx-forum at forum.nginx.org  Wed Apr 26 17:29:17 2017
From: nginx-forum at forum.nginx.org (tommygunner)
Date: Wed, 26 Apr 2017 13:29:17 -0400
Subject: critique my config file
Message-ID: <be806485cf8a41dca37d13bdded7b96f.NginxMailingListEnglish@forum.nginx.org>

I am using Nginx 1.13 and have removed all the "if"s from the config file
and would now like someone to analyse it, look at the rewrites, etc if
possible. It works fine but seems a bit unorganized and I'm wondering if
there are some duplicate things. I have created a bunch of 444 locations to
drop the malicious scripts and visitors from reading such locations which
don't exist. I also make the admin area unassessable then uncomment whenever
I want to access such areas for security. 

The only issue I'm aware of is the I am using the resolver 8.8.8.8; which is
said to leave open to man in the middle DNS attack or spoofing but haven't
been excited about running BIND with all the extra overhead so haven't done
so.

Here is the config file:
https://pastebin.com/szFGQ2SD

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273889,273889#msg-273889


From adityaumrani at gmail.com  Wed Apr 26 20:30:57 2017
From: adityaumrani at gmail.com (Aditya Umrani)
Date: Wed, 26 Apr 2017 13:30:57 -0700
Subject: Health checks and reloads
Message-ID: <CANKmQZd9WssddmR=2_CB0OP0-LpK7i=8AeCRmFUW4AkuS5W18Q@mail.gmail.com>

Hello,

We are using nginx plus and we use application health-checks. We want to
move to the 'mandatory' parameter which requires that servers pass the
health check before it becomes active.

Currently, we have a system which reloads all configs (rather than a diff
based system which would just only apply the changes via the APIs). It does
this by generating a new set of configs (routing rules, upstreams, etc) and
then calling reload on the parent (which essentially results in creating
new worker processes).

We are wondering what happens when nginx receives a reload. For an upstream
(for simplicity - say 1 host in that upstream) which is present in the old
config and is also present in the new config:
1. Will it block traffic till that host has successfully passed 'N' checks
(configured)
2. Will it return 502's as there are no more active hosts to serve for this
upstream.
3. Anything else?

Thanks,
Aditya
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170426/a2a9d432/attachment-0001.html>

From maxim at nginx.com  Wed Apr 26 20:35:11 2017
From: maxim at nginx.com (Maxim Konovalov)
Date: Wed, 26 Apr 2017 23:35:11 +0300
Subject: Health checks and reloads
In-Reply-To: <CANKmQZd9WssddmR=2_CB0OP0-LpK7i=8AeCRmFUW4AkuS5W18Q@mail.gmail.com>
References: <CANKmQZd9WssddmR=2_CB0OP0-LpK7i=8AeCRmFUW4AkuS5W18Q@mail.gmail.com>
Message-ID: <4fca7da1-eacb-65f6-d2f3-707e67073489@nginx.com>

Hi Aditya,

On 26/04/2017 23:30, Aditya Umrani wrote:
> Hello,
> 
> We are using nginx plus and we use application health-checks. We
> want to move to the 'mandatory' parameter which requires that
> servers pass the health check before it becomes active.
> 
[...]

I'd suggest to approach -plus support channel.  You can open a
support ticket just by forwarding this email.

-- 
Maxim Konovalov

From francis at daoine.org  Wed Apr 26 21:18:20 2017
From: francis at daoine.org (Francis Daly)
Date: Wed, 26 Apr 2017 22:18:20 +0100
Subject: Nginx Nodejs Raspberry Pi2 Bad Gateway
In-Reply-To: <74040922db04719a7515879b1aa2fdb1.NginxMailingListEnglish@forum.nginx.org>
References: <74040922db04719a7515879b1aa2fdb1.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170426211820.GL10157@daoine.org>

On Tue, Apr 25, 2017 at 10:13:19AM -0400, marciokoko wrote:

Hi there,

I confess that it's a bit confusing to me what exactly you are doing here.

Can you create one "curl" command which makes one request, that gives
a response that is not what you want to see?

If you can show what you expect to see instead, that might be helpful too.

If at all possible, copy-paste the pieces you are reporting, rather than
re-typing things.

It looks like there may be some typographical errors in what you report
here, which might be what is unclear to me.

> INTERNET (subdomain.domain.com A Record to public IP 186....187)
> Hurl.it -----POST-----> Public IP:
> https://186....187/API/switches?sw1?password=123456 -----> Linksys Router
> IP:186...187:443 Port Forward to 192...53
> 
> ONLAN (nginx setup https with ssl from letsencrypt)
> 192....53 RPi2 nginx config bypass 192...53:442 . ------> nodejs app.js
> listening on port 442 

I *think* that the intention here is that a https request gets to nginx,
and then nginx makes a http request to the port-442 listener.

Can you show the request that gets to nginx, and the request that gets
to port 442, and see what the port-442 listener does with it?

>         error_page 404 /404.html;
>         error_page 500 502 503 504 /50x.html;

Unless you have a location{} that matches those html urls, they may be
proxy_pass'ed to port 442 as well, which may make it more difficult than
necessary to interpret the log files.

> 2017/04/23 20:08:38 [error] 20424#0: *4 upstream prematurely closed
> connection while reading response header from upstream, client:
> 192.168.1.56, server: subdomain.domain.com, request: "GET /aism/ HTTP/1.1",
> upstream: "http://192.168.1.53:442/aism/", host: "subdomain.domain.com"

"upstream prematurely closed connection" suggests that nginx thinks that
the port 442 listener did something wrong. Are there logs of what the
port 442 listener thinks happened?

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org

From francis at daoine.org  Wed Apr 26 21:36:58 2017
From: francis at daoine.org (Francis Daly)
Date: Wed, 26 Apr 2017 22:36:58 +0100
Subject: how add RewriteRule .* index.php in nginx
In-Reply-To: <6aaf4677bd6537ee1d5b128499371d15.NginxMailingListEnglish@forum.nginx.org>
References: <6aaf4677bd6537ee1d5b128499371d15.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170426213658.GM10157@daoine.org>

On Wed, Apr 26, 2017 at 10:22:20AM -0400, e.htabar wrote:

Hi there,

> how set add " RewriteRule .* index.php " in nginx.conf for subfolder ?

You probably put the config in a suitable location{} block.

What config do you have right now that does most of what you want?

Do you "return" or "rewrite" or "try_files" or something else?

The best config depends on what else you want the system to do.

Cheers,

	f
-- 
Francis Daly        francis at daoine.org

From nginx-forum at forum.nginx.org  Wed Apr 26 23:17:40 2017
From: nginx-forum at forum.nginx.org (ywarnier)
Date: Wed, 26 Apr 2017 19:17:40 -0400
Subject: $upstream_addr returning "-" only on requests with "del" in them
Message-ID: <fb74e39a8104cfa53a34351c147d351b.NginxMailingListEnglish@forum.nginx.org>

Hi guys,

I have a problem with some of the requests sent to my Nginx load balancer,
which reports (in the access_log configured to show $upstream_addr) that
$upstream_addr is equal to "-", but only in a weird case where the post
contains the word "del".

I'm using Nginx 1.10.0 packaged in Ubuntu 16.04.4, in a development cluster
of VMs with Nginx serving as load balancer to serve a bunch Drupal 7 sites
that an Apache+modPHP is serving (I could use Nginx+PHP-FPM but that's not
the point here).

So it's a web-facing VM with Nginx that passes to another VM with Apache
(through proxy_pass). No "effective" load balancing (only one upstream
server in the backend block).

I've tried to maintain customizations to a reasonable minimum to avoid
introducing too many variables.

Inside Drupal 7 (which I installed under the Apache backend server), I have
nodes that I would like to edit.

Now, on several nodes, when I edit a textarea with whatever I like,
everything works fine. The request is passed to Nginx, then to Apache, and I
can see that in the access logs for both.

However, if the textarea contains the work "del" (I know... weird), then the
request gets to Nginx and the $upstream_addr is generated as "-" and no
request reaches the upstream server.

How can I debug that?
I've tried putting the error_log to "debug" but it's apparently not an
error.
The access_log provides me with this weird case of $upstream_addr = '-', but
that's all I get...

Thanks for your help!

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273895,273895#msg-273895


From alex at samad.com.au  Wed Apr 26 23:54:46 2017
From: alex at samad.com.au (Alex Samad)
Date: Thu, 27 Apr 2017 09:54:46 +1000
Subject: xslt question
Message-ID: <CAJ+Q1PVR+-PZp_Sk22Jno3L5rchrMyiBoJqOqFwp8i4WYxDzWg@mail.gmail.com>

Hi

I am using
https://gist.github.com/wilhelmy/5a59b8eea26974a468c9

for


    location /ts/ {
        #autoindex on;
        #autoindex_format html;
        try_files $uri @autoindex;
    }


    # need xlst module
    location @autoindex {
        autoindex on;
        autoindex_format xml;
        xslt_stylesheet xslt/dirlist.xslt path='$uri';

    }


my problem is, i have a file with a % in it and I need to escape / encode
it as a uri

but when I use the xml functions to encode a uri I get function not found.

more reading I need xslt 2 not 1. how can I tell if I am using 1 or 2 ?

A
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170427/20f369ed/attachment.html>

From nginx-forum at forum.nginx.org  Wed Apr 26 23:58:08 2017
From: nginx-forum at forum.nginx.org (ywarnier)
Date: Wed, 26 Apr 2017 19:58:08 -0400
Subject: $upstream_addr returning "-" only on requests with "del" in them
In-Reply-To: <fb74e39a8104cfa53a34351c147d351b.NginxMailingListEnglish@forum.nginx.org>
References: <fb74e39a8104cfa53a34351c147d351b.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <ac2907bca01a7e6a9e1324cce34adb05.NginxMailingListEnglish@forum.nginx.org>

Sometimes writing your thought helps...
Apparently something wasn't reporting correctly so far, but using the debug
level, I finally end up getting some information. I should mention that the
word that seems to provoke this issue is ' del ' (with two spaces around
it). If those 3 letters are included in another word, nothing weird
happens.

When the word is there on its own, though, this is my debug log (I have
surrounded the most obvious issue with two blank lines):

2017/04/26 18:38:52 [debug] 6496#6496: *350 http keepalive handler
2017/04/26 18:38:52 [debug] 6496#6496: *350 malloc: 000055B18C6ADF30:1024
2017/04/26 18:38:52 [debug] 6496#6496: *350 recv: fd:16 978 of 1024
2017/04/26 18:38:52 [debug] 6496#6496: *350 reusable connection: 0
2017/04/26 18:38:52 [debug] 6496#6496: *350 posix_memalign:
000055B18C6C0F10:4096 @16
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Host:
dev.www.myorg.edu"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Connection:
keep-alive"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Content-Length:
16639"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Pragma: no-cache"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Cache-Control:
no-cache"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Origin:
http://dev.www.myorg.edu"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header:
"Upgrade-Insecure-Requests: 1"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "User-Agent:
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)
Ubuntu Chromium/57.0.2987.98 Chrome/57.0.2987.98 Safari/537.36"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Content-Type:
multipart/form-data; boundary=----WebKitFormBoundaryfufPzGfQx0XTvHjM"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Referer:
http://dev.www.myorg.edu/en/node/734/edit"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Accept-Encoding:
gzip, deflate"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Accept-Language:
en-US,en;q=0.8,es;q=0.6,fr-FR;q=0.4,fr;q=0.2"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Cookie:
DrupalModuleFilter=activeTab%3Dall;
SESSb62f82f041805dbb55d5167522aaa24e=y-yFLoyVXBRCGSmicYphWW-OCVYIGphmDhmx9k9wubQ;
SESSd452cfca8c0eccb9b5e4447bc1fa95dc=ENsFfcPE5jv4sTxlDxc40kg09aFMu7S-ZXJHPn0osb4;
has_js=1; Drupal.tableDrag.showWeight=0"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "DNT: 1"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header done
2017/04/26 18:38:52 [debug] 6496#6496: *350 generic phase: 0
2017/04/26 18:38:52 [debug] 6496#6496: *350 rewrite phase: 1
2017/04/26 18:38:52 [debug] 6496#6496: *350 test location: "/"
2017/04/26 18:38:52 [debug] 6496#6496: *350 using configuration "/"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http cl:16639 max:52428800
2017/04/26 18:38:52 [debug] 6496#6496: *350 rewrite phase: 3
2017/04/26 18:38:52 [debug] 6496#6496: *350 post rewrite phase: 4
2017/04/26 18:38:52 [debug] 6496#6496: *350 generic phase: 5
2017/04/26 18:38:52 [debug] 6496#6496: *350 generic phase: 6
2017/04/26 18:38:52 [debug] 6496#6496: *350 generic phase: 7
2017/04/26 18:38:52 [debug] 6496#6496: *350 access phase: 8
2017/04/26 18:38:52 [debug] 6496#6496: *350 access phase: 9
2017/04/26 18:38:52 [debug] 6496#6496: *350 access phase: 10
2017/04/26 18:38:52 [debug] 6496#6496: *350 access phase: 11
2017/04/26 18:38:52 [debug] 6496#6496: *350 post access phase: 12
2017/04/26 18:38:52 [debug] 6496#6496: *350 try files phase: 13
2017/04/26 18:38:52 [debug] 6496#6496: *350 http request body content length
filter
2017/04/26 18:38:52 [debug] 6496#6496: *350 malloc: 000055B18C6F4100:8192
2017/04/26 18:38:52 [debug] 6496#6496: *350 http read client request body
2017/04/26 18:38:52 [debug] 6496#6496: *350 recv: fd:16 -1 of 8192

2017/04/26 18:38:52 [info] 6496#6496: *350 recv() failed (104: Connection
reset by peer), client: 190.117.233.77, server: dev.www.myorg.edu, request:
"POST /en/node/734/edit HTTP/1.1", host: "dev.www.myorg.edu", referrer:
"http://dev.www.myorg.edu/en/node/734/edit"

2017/04/26 18:38:52 [debug] 6496#6496: *350 http client request body recv
-1
2017/04/26 18:38:52 [debug] 6496#6496: *350 http finalize request: 400,
"/en/node/734/edit?" a:1, c:1
2017/04/26 18:38:52 [debug] 6496#6496: *350 http terminate request count:1
2017/04/26 18:38:52 [debug] 6496#6496: *350 http terminate cleanup count:1
blk:0
2017/04/26 18:38:52 [debug] 6496#6496: *350 http posted request:
"/en/node/734/edit?"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http terminate handler count:1
2017/04/26 18:38:52 [debug] 6496#6496: *350 http request count:1 blk:0
2017/04/26 18:38:52 [debug] 6496#6496: *350 http close request
2017/04/26 18:38:52 [debug] 6496#6496: *350 http log handler
2017/04/26 18:38:52 [debug] 6496#6496: *350 free: 000055B18C6F4100
2017/04/26 18:38:52 [debug] 6496#6496: *350 free: 000055B18C6C0F10, unused:
128
2017/04/26 18:38:52 [debug] 6496#6496: *350 free: 000055B18C6F30F0, unused:
1648
2017/04/26 18:38:52 [debug] 6496#6496: *350 close http connection: 16
2017/04/26 18:38:52 [debug] 6496#6496: *350 reusable connection: 0
2017/04/26 18:38:52 [debug] 6496#6496: *350 free: 000055B18C6ADF30
2017/04/26 18:38:52 [debug] 6496#6496: *350 free: 000055B18C6AF150, unused:
112


So in my case I got a 104: Connection reset by peer. Usually, this error
message is followed by "while reading response header from upstream", but
that's not my case. It looks like the issue is only the connection between
my browser and Nginx, and nothing more. This is confirmed by the fact that I
don't get anything in my backend's access logs.

Is there anything else in this error log that should point me to a
particular type of issue?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273895,273897#msg-273897


From nginx-forum at forum.nginx.org  Thu Apr 27 00:25:31 2017
From: nginx-forum at forum.nginx.org (ywarnier)
Date: Wed, 26 Apr 2017 20:25:31 -0400
Subject: $upstream_addr returning "-" only on requests with "del" in them
In-Reply-To: <ac2907bca01a7e6a9e1324cce34adb05.NginxMailingListEnglish@forum.nginx.org>
References: <fb74e39a8104cfa53a34351c147d351b.NginxMailingListEnglish@forum.nginx.org>
 <ac2907bca01a7e6a9e1324cce34adb05.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <e106df1fce13a939f723cf0b78c4ad97.NginxMailingListEnglish@forum.nginx.org>

And the usual debug information I just found on
https://www.nginx.com/resources/wiki/start/topics/tutorials/debugging/ that
I should provide (very sorry for doing that in 3 parts, won't happen
again):

#### nginx -V
nginx version: nginx/1.10.0 (Ubuntu)
built with OpenSSL 1.0.2g  1 Mar 2016
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong
-Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2'
--with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now'
--prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf
--http-log-path=/var/log/nginx/access.log
--error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock
--pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi
--http-proxy-temp-path=/var/lib/nginx/proxy
--http-scgi-temp-path=/var/lib/nginx/scgi
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit
--with-ipv6 --with-http_ssl_module --with-http_stub_status_module
--with-http_realip_module --with-http_auth_request_module
--with-http_addition_module --with-http_dav_module --with-http_geoip_module
--with-http_gunzip_module --with-http_gzip_static_module
--with-http_image_filter_module --with-http_v2_module --with-http_sub_module
--with-http_xslt_module --with-stream --with-stream_ssl_module --with-mail
--with-mail_ssl_module --with-threads
--add-module=/build/nginx-pzhfc2/nginx-1.10.0/debian/modules/nginx-auth-pam
--add-module=/build/nginx-pzhfc2/nginx-1.10.0/debian/modules/nginx-dav-ext-module
--add-module=/build/nginx-pzhfc2/nginx-1.10.0/debian/modules/nginx-echo
--add-module=/build/nginx-pzhfc2/nginx-1.10.0/debian/modules/nginx-upstream-fair
--add-module=/build/nginx-pzhfc2/nginx-1.10.0/debian/modules/ngx_http_substitutions_filter_module

#### cat /etc/nginx/nginx.conf

user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
        worker_connections 768;
}

http {
        sendfile on;
        tcp_nopush on
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        client_max_body_size 50m;
        # Avoid timeouts
        send_timeout         600;
        proxy_send_timeout   600;
        proxy_read_timeout   600;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
        log_format compression '$remote_addr - $remote_user [$time_local] '
                           '"$request" $status $body_bytes_sent '
                           '"$http_referer" "$http_user_agent"
"$gzip_ratio"'
                           '[$upstream_addr: $request
|$upstream_connect_time|$upstream_header_time|$upstream_response_time|$request_time|$bytes_sent|$pipe|$upstream_status]';

        gzip on;
        gzip_disable "msie6";
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#### cat sites-enabled/load-balancer 

upstream apache {
  server webdevw1.myorg.edu;
}

#### cat sites-enabled/dev.www.myorg.edu

server {
  listen 80;
  listen [::]:80;
  server_name dev.www.myorg.edu;
  error_log /var/log/nginx/www.myorg.edu-error.log debug;
  access_log /var/log/nginx/www.myorg.edu-access.log compression;
  location / {
    proxy_buffers 64 128k;
    proxy_buffer_size 2k;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_pass http://apache;
  }
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273895,273898#msg-273898


From nginx-forum at forum.nginx.org  Thu Apr 27 05:27:28 2017
From: nginx-forum at forum.nginx.org (t.nishiyori)
Date: Thu, 27 Apr 2017 01:27:28 -0400
Subject: How can I set a maximum limit for gzip module?
Message-ID: <cfda938ae28bf25b656801305c79148e.NginxMailingListEnglish@forum.nginx.org>

Hello,

I'm using nginx-1.11.2 for proxy server with gzip-module.

I hope to use such like a "gzip_max_length" directive in
ngx_http_gzip_module.
Because some upstream response's sizes exceeded the settings of
gzip_buffers.
(But there were no error... These are strange things for me...)

I can change the gzip_buffers to enough size for upstream, but there is no
limit.

Can I set a limit of maximum content-size for gzip module?

Thank you.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273899,273899#msg-273899


From zchao1995 at gmail.com  Thu Apr 27 06:18:27 2017
From: zchao1995 at gmail.com (Zhang Chao)
Date: Wed, 26 Apr 2017 23:18:27 -0700
Subject: How can I set a maximum limit for gzip module?
In-Reply-To: <cfda938ae28bf25b656801305c79148e.NginxMailingListEnglish@forum.nginx.org>
References: <cfda938ae28bf25b656801305c79148e.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <CAPr95BgjaX2e5=6j-7k0iqtU0Oe3S3WMkR+fFcQhf3dJ=dhbhQ@mail.gmail.com>

There is no any directive like ?gzip_max_length? so far.
By the way, nginx compresses the body by ?chunk?, so one ?chunk? is an
independtent compressed data.


On 27 April 2017 at 13:27:42, t.nishiyori (nginx-forum at forum.nginx.org)
wrote:

Hello,

I'm using nginx-1.11.2 for proxy server with gzip-module.

I hope to use such like a "gzip_max_length" directive in
ngx_http_gzip_module.
Because some upstream response's sizes exceeded the settings of
gzip_buffers.
(But there were no error... These are strange things for me...)

I can change the gzip_buffers to enough size for upstream, but there is no
limit.

Can I set a limit of maximum content-size for gzip module?

Thank you.

Posted at Nginx Forum:
https://forum.nginx.org/read.php?2,273899,273899#msg-273899

_______________________________________________
nginx mailing list
nginx at nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170426/6fb5d617/attachment.html>

From michael.salmon at ericsson.com  Thu Apr 27 06:48:25 2017
From: michael.salmon at ericsson.com (Michael Salmon)
Date: Thu, 27 Apr 2017 06:48:25 +0000
Subject: Way to deny all requests if any upstream is down
In-Reply-To: <1904b658e580e0145d0f2a8b4282a973.NginxMailingListEnglish@forum.nginx.org>
References: <1904b658e580e0145d0f2a8b4282a973.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <D3705ECE-0255-4557-BDEF-471ECA66F78F@ericsson.com>

You can do it if all upstream servers are down but I don't think that any is possible. Just have a backup server that replies with a 502 to any url. I did something similar recently but you need to have a backup server that can take care of all methods, get, post etc.

/Michael Salmon
SE KI34 06 341C (OLC: 9FFVCX34+67Q8)
+46 722 184 909

> On 26 Apr 2017, at 16:15:16, lchennup <nginx-forum at forum.nginx.org> wrote:
> 
> Hi All,
> 
> Is there any way to deny all requests if any upstream servers are down?.
> 
> Thanks
> 
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273881,273881#msg-273881
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx


From nginx-forum at forum.nginx.org  Thu Apr 27 08:18:37 2017
From: nginx-forum at forum.nginx.org (tory)
Date: Thu, 27 Apr 2017 04:18:37 -0400
Subject: Client certificate authentication error
In-Reply-To: <CAKWQeyiL4dEqFzvW4dDWxrGgaBLo6bewaRs0si=UmoP8CtW3yw@mail.gmail.com>
References: <CAKWQeyiL4dEqFzvW4dDWxrGgaBLo6bewaRs0si=UmoP8CtW3yw@mail.gmail.com>
Message-ID: <a97565664f6a83ef1fe7a38af1f0daff.NginxMailingListEnglish@forum.nginx.org>

This problem has been solved with your help.
I sincerely appreciate your help.
This case is closed because this request has been resolved.
Thank you very much.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273879,273902#msg-273902


From ru at nginx.com  Thu Apr 27 09:00:09 2017
From: ru at nginx.com (Ruslan Ermilov)
Date: Thu, 27 Apr 2017 12:00:09 +0300
Subject: How can I set a maximum limit for gzip module?
In-Reply-To: <cfda938ae28bf25b656801305c79148e.NginxMailingListEnglish@forum.nginx.org>
References: <cfda938ae28bf25b656801305c79148e.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170427090009.GK52013@lo0.su>

On Thu, Apr 27, 2017 at 01:27:28AM -0400, t.nishiyori wrote:
> Hello,
> 
> I'm using nginx-1.11.2 for proxy server with gzip-module.
> 
> I hope to use such like a "gzip_max_length" directive in
> ngx_http_gzip_module.
> Because some upstream response's sizes exceeded the settings of
> gzip_buffers.
> (But there were no error... These are strange things for me...)
> 
> I can change the gzip_buffers to enough size for upstream, but there is no
> limit.
> 
> Can I set a limit of maximum content-size for gzip module?
> 
> Thank you.

gzip_buffers doesn't limit the maximum size of the response
that can be compressed.  When all buffers are filled, gzip
filter just outputs another chunk of compressed data.

From nginx-forum at forum.nginx.org  Thu Apr 27 09:21:06 2017
From: nginx-forum at forum.nginx.org (shivramg94)
Date: Thu, 27 Apr 2017 05:21:06 -0400
Subject: Nginx reload process in detail
Message-ID: <eca4ec77a14dff7070cc4cfd68431124.NginxMailingListEnglish@forum.nginx.org>

We have a persistent connection to Nginx on which we are issuing https
requests. Now when we do a reload, the persistent connections (the requests
which are already accepted) are failing as soon as the reload was issued.
Those connections are being dropped. Is this the expected behavior? 

In the Nginx documentation, it was mentioned that the older worker process
would continue to run untile they have served the accepted inflight requests
and then would go down. But the actual behavior seems to be different as the
persistent connections are being dropped as soon as a configuration reload
was issued.

To add to the above question, while reload was in progress, i am trying to
establish a new connection and its not being established. Can't the new
worker processes which were spawned as a result of configuration reload,
straight away serve the incoming new connections?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273904,273904#msg-273904


From ru at nginx.com  Thu Apr 27 09:38:53 2017
From: ru at nginx.com (Ruslan Ermilov)
Date: Thu, 27 Apr 2017 12:38:53 +0300
Subject: $upstream_addr returning "-" only on requests with "del" in them
In-Reply-To: <e106df1fce13a939f723cf0b78c4ad97.NginxMailingListEnglish@forum.nginx.org>
 <ac2907bca01a7e6a9e1324cce34adb05.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170427093853.GM52013@lo0.su>

On Wed, Apr 26, 2017 at 07:58:08PM -0400, ywarnier wrote:
> Sometimes writing your thought helps...
> Apparently something wasn't reporting correctly so far, but using the debug
> level, I finally end up getting some information. I should mention that the
> word that seems to provoke this issue is ' del ' (with two spaces around
> it). If those 3 letters are included in another word, nothing weird
> happens.
> 
> When the word is there on its own, though, this is my debug log (I have
> surrounded the most obvious issue with two blank lines):
> 
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 http keepalive handler
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 malloc: 000055B18C6ADF30:1024
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 recv: fd:16 978 of 1024
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 reusable connection: 0
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 posix_memalign:
> 000055B18C6C0F10:4096 @16
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Host:
> dev.www.myorg.edu"
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Connection:
> keep-alive"
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Content-Length:
> 16639"
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Pragma: no-cache"
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Cache-Control:
> no-cache"
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Origin:
> http://dev.www.myorg.edu"
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 http header:
> "Upgrade-Insecure-Requests: 1"
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "User-Agent:
> Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)
> Ubuntu Chromium/57.0.2987.98 Chrome/57.0.2987.98 Safari/537.36"
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Content-Type:
> multipart/form-data; boundary=----WebKitFormBoundaryfufPzGfQx0XTvHjM"
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Referer:
> http://dev.www.myorg.edu/en/node/734/edit"
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Accept-Encoding:
> gzip, deflate"
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Accept-Language:
> en-US,en;q=0.8,es;q=0.6,fr-FR;q=0.4,fr;q=0.2"
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Cookie:
> DrupalModuleFilter=activeTab%3Dall;
> SESSb62f82f041805dbb55d5167522aaa24e=y-yFLoyVXBRCGSmicYphWW-OCVYIGphmDhmx9k9wubQ;
> SESSd452cfca8c0eccb9b5e4447bc1fa95dc=ENsFfcPE5jv4sTxlDxc40kg09aFMu7S-ZXJHPn0osb4;
> has_js=1; Drupal.tableDrag.showWeight=0"
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "DNT: 1"
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 http header done
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 generic phase: 0
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 rewrite phase: 1
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 test location: "/"
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 using configuration "/"
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 http cl:16639 max:52428800
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 rewrite phase: 3
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 post rewrite phase: 4
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 generic phase: 5
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 generic phase: 6
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 generic phase: 7
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 access phase: 8
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 access phase: 9
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 access phase: 10
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 access phase: 11
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 post access phase: 12
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 try files phase: 13
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 http request body content length
> filter
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 malloc: 000055B18C6F4100:8192
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 http read client request body
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 recv: fd:16 -1 of 8192
> 
> 2017/04/26 18:38:52 [info] 6496#6496: *350 recv() failed (104: Connection
> reset by peer), client: 190.117.233.77, server: dev.www.myorg.edu, request:
> "POST /en/node/734/edit HTTP/1.1", host: "dev.www.myorg.edu", referrer:
> "http://dev.www.myorg.edu/en/node/734/edit"
> 
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 http client request body recv
> -1
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 http finalize request: 400,
> "/en/node/734/edit?" a:1, c:1
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 http terminate request count:1
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 http terminate cleanup count:1
> blk:0
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 http posted request:
> "/en/node/734/edit?"
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 http terminate handler count:1
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 http request count:1 blk:0
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 http close request
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 http log handler
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 free: 000055B18C6F4100
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 free: 000055B18C6C0F10, unused:
> 128
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 free: 000055B18C6F30F0, unused:
> 1648
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 close http connection: 16
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 reusable connection: 0
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 free: 000055B18C6ADF30
> 2017/04/26 18:38:52 [debug] 6496#6496: *350 free: 000055B18C6AF150, unused:
> 112
> 
> 
> So in my case I got a 104: Connection reset by peer. Usually, this error
> message is followed by "while reading response header from upstream", but
> that's not my case. It looks like the issue is only the connection between
> my browser and Nginx, and nothing more. This is confirmed by the fact that I
> don't get anything in my backend's access logs.
> 
> Is there anything else in this error log that should point me to a
> particular type of issue?

On Wed, Apr 26, 2017 at 08:25:31PM -0400, ywarnier wrote:
> And the usual debug information I just found on
> https://www.nginx.com/resources/wiki/start/topics/tutorials/debugging/ that
> I should provide (very sorry for doing that in 3 parts, won't happen
> again):
> 
> #### nginx -V
> nginx version: nginx/1.10.0 (Ubuntu)
> built with OpenSSL 1.0.2g  1 Mar 2016
> TLS SNI support enabled
> configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong
> -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2'
> --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now'
> --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf
> --http-log-path=/var/log/nginx/access.log
> --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock
> --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body
> --http-fastcgi-temp-path=/var/lib/nginx/fastcgi
> --http-proxy-temp-path=/var/lib/nginx/proxy
> --http-scgi-temp-path=/var/lib/nginx/scgi
> --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit
> --with-ipv6 --with-http_ssl_module --with-http_stub_status_module
> --with-http_realip_module --with-http_auth_request_module
> --with-http_addition_module --with-http_dav_module --with-http_geoip_module
> --with-http_gunzip_module --with-http_gzip_static_module
> --with-http_image_filter_module --with-http_v2_module --with-http_sub_module
> --with-http_xslt_module --with-stream --with-stream_ssl_module --with-mail
> --with-mail_ssl_module --with-threads
> --add-module=/build/nginx-pzhfc2/nginx-1.10.0/debian/modules/nginx-auth-pam
> --add-module=/build/nginx-pzhfc2/nginx-1.10.0/debian/modules/nginx-dav-ext-module
> --add-module=/build/nginx-pzhfc2/nginx-1.10.0/debian/modules/nginx-echo
> --add-module=/build/nginx-pzhfc2/nginx-1.10.0/debian/modules/nginx-upstream-fair
> --add-module=/build/nginx-pzhfc2/nginx-1.10.0/debian/modules/ngx_http_substitutions_filter_module
> 
> #### cat /etc/nginx/nginx.conf
> 
> user www-data;
> worker_processes auto;
> pid /run/nginx.pid;
> 
> events {
>         worker_connections 768;
> }
> 
> http {
>         sendfile on;
>         tcp_nopush on
>         tcp_nodelay on;
>         keepalive_timeout 65;
>         types_hash_max_size 2048;
>         client_max_body_size 50m;
>         # Avoid timeouts
>         send_timeout         600;
>         proxy_send_timeout   600;
>         proxy_read_timeout   600;
> 
>         include /etc/nginx/mime.types;
>         default_type application/octet-stream;
> 
>         access_log /var/log/nginx/access.log;
>         error_log /var/log/nginx/error.log;
>         log_format compression '$remote_addr - $remote_user [$time_local] '
>                            '"$request" $status $body_bytes_sent '
>                            '"$http_referer" "$http_user_agent"
> "$gzip_ratio"'
>                            '[$upstream_addr: $request
> |$upstream_connect_time|$upstream_header_time|$upstream_response_time|$request_time|$bytes_sent|$pipe|$upstream_status]';
> 
>         gzip on;
>         gzip_disable "msie6";
>         include /etc/nginx/conf.d/*.conf;
>         include /etc/nginx/sites-enabled/*;
> }
> 
> 
> #### cat sites-enabled/load-balancer 
> 
> upstream apache {
>   server webdevw1.myorg.edu;
> }
> 
> #### cat sites-enabled/dev.www.myorg.edu
> 
> server {
>   listen 80;
>   listen [::]:80;
>   server_name dev.www.myorg.edu;
>   error_log /var/log/nginx/www.myorg.edu-error.log debug;
>   access_log /var/log/nginx/www.myorg.edu-access.log compression;
>   location / {
>     proxy_buffers 64 128k;
>     proxy_buffer_size 2k;
>     proxy_http_version 1.1;
>     proxy_set_header Connection "";
>     proxy_set_header Host $host;
>     proxy_set_header X-Forwarded-For $remote_addr;
>     proxy_pass http://apache;
>   }
> }

>From the log it follows that client closed a connection before
the entire request body was sent.  From the config it follows
that http://nginx.org/r/proxy_request_buffering is "on" (which
is the default setting).  It means that no upstream server was
ever contacted, so it's perfectly okay that $upstream_addr is
undefined (this is output as `-' in access_log).

From nginx-forum at forum.nginx.org  Thu Apr 27 11:04:27 2017
From: nginx-forum at forum.nginx.org (zaidahmd)
Date: Thu, 27 Apr 2017 07:04:27 -0400
Subject: SOAP Behind API Gateway
Message-ID: <545c0699ca45410069eede3ef4a30062.NginxMailingListEnglish@forum.nginx.org>

Hi, I have an application in internal network with no public internet
access. 

I want NGINX API gateway deployed in public exposed network that
authenticates incoming HTTP, and rest service traffic and then relays the
traffic to upstream servers. 

Similarly I want the NGINX API Gateway to authenticate SOAP requests also.
But SOAP has its own WS security, and I believe SOAP request should not have
any sessionid or token for web authentication. So this means API gateway
will not be able to perform authentication as its doing for 
normal http and rest service traffic.

What should be the best solution to secure a SOAP service behind a NGINX API
gateway ? Or it should not be protected by NGINX API Gateway module ?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273906,273906#msg-273906


From alex at samad.com.au  Thu Apr 27 11:07:07 2017
From: alex at samad.com.au (Alex Samad)
Date: Thu, 27 Apr 2017 21:07:07 +1000
Subject: Nginx reload process in detail
In-Reply-To: <eca4ec77a14dff7070cc4cfd68431124.NginxMailingListEnglish@forum.nginx.org>
References: <eca4ec77a14dff7070cc4cfd68431124.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <CAJ+Q1PVy7O0CpEDsQMKyT1fsGCuAFvOSn9J4z1MfFNLpCqkPEw@mail.gmail.com>

Thats what support have advised me, reload finished the current request and
then closes the connection.  No longer honors the long lived

Alex

On 27 April 2017 at 19:21, shivramg94 <nginx-forum at forum.nginx.org> wrote:

> We have a persistent connection to Nginx on which we are issuing https
> requests. Now when we do a reload, the persistent connections (the requests
> which are already accepted) are failing as soon as the reload was issued.
> Those connections are being dropped. Is this the expected behavior?
>
> In the Nginx documentation, it was mentioned that the older worker process
> would continue to run untile they have served the accepted inflight
> requests
> and then would go down. But the actual behavior seems to be different as
> the
> persistent connections are being dropped as soon as a configuration reload
> was issued.
>
> To add to the above question, while reload was in progress, i am trying to
> establish a new connection and its not being established. Can't the new
> worker processes which were spawned as a result of configuration reload,
> straight away serve the incoming new connections?
>
> Posted at Nginx Forum: https://forum.nginx.org/read.
> php?2,273904,273904#msg-273904
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170427/fd7da465/attachment.html>

From nginx-forum at forum.nginx.org  Thu Apr 27 13:26:36 2017
From: nginx-forum at forum.nginx.org (ywarnier)
Date: Thu, 27 Apr 2017 09:26:36 -0400
Subject: $upstream_addr returning "-" only on requests with "del" in them
In-Reply-To: <20170427093853.GM52013@lo0.su>
References: <20170427093853.GM52013@lo0.su>
Message-ID: <78bd9a71484602dc3e5360c8384ffdf2.NginxMailingListEnglish@forum.nginx.org>

ru at nginx.com Wrote:

 [...]

> From the log it follows that client closed a connection before
> the entire request body was sent.  From the config it follows
> that http://nginx.org/r/proxy_request_buffering is "on" (which
> is the default setting).  It means that no upstream server was
> ever contacted, so it's perfectly okay that $upstream_addr is
> undefined (this is output as `-' in access_log).

Thanks.
Would there be a way I can get more info about *why* the client closed the
connection before the entire request body was sent? In the browser itself, I
can see the request being sent but it acts as if the server returned a
partial answer...

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273895,273908#msg-273908


From joel.parker.gm at gmail.com  Thu Apr 27 15:52:33 2017
From: joel.parker.gm at gmail.com (Joel Parker)
Date: Thu, 27 Apr 2017 10:52:33 -0500
Subject: Logging requests / responses in multiple files
Message-ID: <CAG6CpSDooLA3BB9i41x6iW7x973NiwTAZFP5y05OEZ3WF=-qpw@mail.gmail.com>

I wanted to see if there was a way to log a request and response in
separate file, so that I end up with something like this:

request_1.log
response_1.log
request_2.log
response_2.log
request_3.log
response_3.log

......

Is there a way to do this ?

Joel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170427/45290b58/attachment.html>

From igal at lucee.org  Fri Apr 28 03:25:36 2017
From: igal at lucee.org (Igal @ Lucee.org)
Date: Thu, 27 Apr 2017 20:25:36 -0700
Subject: Blocking all URIs except for one directory
In-Reply-To: <20170426125056.GR43932@mdounin.ru>
References: <6460cf38-0f2a-a522-2f2d-531166415d13@lucee.org>
 <20170426125056.GR43932@mdounin.ru>
Message-ID: <bad95e4f-729e-9d6b-46ed-7ed9537df98b@lucee.org>

Maxim,

Thank you for your help, as always!

On 4/26/2017 5:50 AM, Maxim Dounin wrote:
> Hello!
>
> On Tue, Apr 25, 2017 at 12:50:24PM -0700, Igal @ Lucee.org wrote:
>
>> Hello,
>>
>> I want to secure a site using the allow/deny directives so that only
>> allowed networks will be able to access it.  There is one "public"
>> directory, however, that I want to be accessible for everyone.
>>
>> nginx serves as a reverse proxy on that site, and requests for URIs that
>> end with the suffix ".cfm" are proxied to Tomcat.
>>
>> So I currently have something like:
>>
>> location / {
>>       allow 10.0.0.0/24;
>>       deny all;
>> }
>>
>> location /public/ {
>>       allow all;    # does that make sense?
>> }
>>
>> location ~ \.cfm$ {
>>       ## proxy settings go here
>> }
>>
>> Keep in mind that .cfm scripts are both in /public/ as well as in other
>> directories.
>>
>> How can I achieve that?
> Try this instead:
>
>      location / {
>          allow ...
>          deny all;
>
>          location ~ \.cfm$ {
>              ...
>          }
>      }
>
>      location /public/ {
> 	# access allowed to all by default - unless there is
> 	# something restrictive defined on previous levels
>
>          location ~ \.cfm$ {
>              ...
>          }
>      }
>
> You may also find this talk interesting:
>
> https://youtu.be/YWRYbLKsS0I
>

Igal Sapir
Lucee Core Developer
Lucee.org <http://lucee.org/>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170427/d7595abe/attachment.html>

From nginx-forum at forum.nginx.org  Fri Apr 28 08:55:24 2017
From: nginx-forum at forum.nginx.org (t.nishiyori)
Date: Fri, 28 Apr 2017 04:55:24 -0400
Subject: How can I set a maximum limit for gzip module?
In-Reply-To: <20170427090009.GK52013@lo0.su>
References: <20170427090009.GK52013@lo0.su>
Message-ID: <f77d84bd912dc652bb6fa8dbf8d85d2c.NginxMailingListEnglish@forum.nginx.org>

Hi, 

> When all buffers are filled, gzip filter just outputs another chunk of
compressed data.
Thanks for explanation about gzip-module.
When all buffers are filled, how will the next data be handled?
I think that either "wait for the buffer to be released and compressed by
gzip filter" or "output as un-compressed data".

Thank you.

ru at nginx.com Wrote:
-------------------------------------------------------
> On Thu, Apr 27, 2017 at 01:27:28AM -0400, t.nishiyori wrote:
> > Hello,
> > 
> > I'm using nginx-1.11.2 for proxy server with gzip-module.
> > 
> > I hope to use such like a "gzip_max_length" directive in
> > ngx_http_gzip_module.
> > Because some upstream response's sizes exceeded the settings of
> > gzip_buffers.
> > (But there were no error... These are strange things for me...)
> > 
> > I can change the gzip_buffers to enough size for upstream, but there
> is no
> > limit.
> > 
> > Can I set a limit of maximum content-size for gzip module?
> > 
> > Thank you.
> 
> gzip_buffers doesn't limit the maximum size of the response
> that can be compressed.  When all buffers are filled, gzip
> filter just outputs another chunk of compressed data.
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273899,273919#msg-273919


From nginx-forum at forum.nginx.org  Fri Apr 28 08:56:01 2017
From: nginx-forum at forum.nginx.org (t.nishiyori)
Date: Fri, 28 Apr 2017 04:56:01 -0400
Subject: How can I set a maximum limit for gzip module?
In-Reply-To: <CAPr95BgjaX2e5=6j-7k0iqtU0Oe3S3WMkR+fFcQhf3dJ=dhbhQ@mail.gmail.com>
References: <CAPr95BgjaX2e5=6j-7k0iqtU0Oe3S3WMkR+fFcQhf3dJ=dhbhQ@mail.gmail.com>
Message-ID: <df2d5d64bb9b7b8a233de7b5c9a157b1.NginxMailingListEnglish@forum.nginx.org>

Hi tokers,

> nginx compresses the body by ?chunk?
Thanks for explanation about gzip-module.
So, there were no errors when upstream response size exceeds the
gzip_buffers_size.
But I think a lot of large responses exceed the prepared buffers, some day.
Is there any possibility of such a problem?

Thank you.


tokers Wrote:
-------------------------------------------------------
> There is no any directive like ?gzip_max_length? so far.
> By the way, nginx compresses the body by ?chunk?, so one ?chunk? is an
> independtent compressed data.
> 
> 
> On 27 April 2017 at 13:27:42, t.nishiyori
> (nginx-forum at forum.nginx.org)
> wrote:
> 
> Hello,
> 
> I'm using nginx-1.11.2 for proxy server with gzip-module.
> 
> I hope to use such like a "gzip_max_length" directive in
> ngx_http_gzip_module.
> Because some upstream response's sizes exceeded the settings of
> gzip_buffers.
> (But there were no error... These are strange things for me...)
> 
> I can change the gzip_buffers to enough size for upstream, but there
> is no
> limit.
> 
> Can I set a limit of maximum content-size for gzip module?
> 
> Thank you.
> 
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?2,273899,273899#msg-273899
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273899,273920#msg-273920


From zchao1995 at gmail.com  Fri Apr 28 09:53:58 2017
From: zchao1995 at gmail.com (Zhang Chao)
Date: Fri, 28 Apr 2017 02:53:58 -0700
Subject: How can I set a maximum limit for gzip module?
In-Reply-To: <df2d5d64bb9b7b8a233de7b5c9a157b1.NginxMailingListEnglish@forum.nginx.org>
References: <CAPr95BgjaX2e5=6j-7k0iqtU0Oe3S3WMkR+fFcQhf3dJ=dhbhQ@mail.gmail.com>
 <df2d5d64bb9b7b8a233de7b5c9a157b1.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <CAPr95BjpYH1irrd4qZK-Z=+fF+PQTteWzxG3kDJaFSM8nFpcHg@mail.gmail.com>

Hi t.nishiyori,

Don?t worry, just like Ermilov said, when you enable the gzip module and
nginx gets a part of response body, gzip module will try to compress the
data, and if the buffers reach the limit, gzip module just send these
compressed data firstly(ngx_http_gzip_body_filter), when processing by
chunk module, they evolved a ?chunk?. After some buffers is free, gzip will
continue the work.


On 28 April 2017 at 16:56:06, t.nishiyori (nginx-forum at forum.nginx.org)
wrote:

Hi tokers,

> nginx compresses the body by ?chunk?
Thanks for explanation about gzip-module.
So, there were no errors when upstream response size exceeds the
gzip_buffers_size.
But I think a lot of large responses exceed the prepared buffers, some day.
Is there any possibility of such a problem?

Thank you.


tokers Wrote:
-------------------------------------------------------
> There is no any directive like ?gzip_max_length? so far.
> By the way, nginx compresses the body by ?chunk?, so one ?chunk? is an
> independtent compressed data.
>
>
> On 27 April 2017 at 13:27:42, t.nishiyori
> (nginx-forum at forum.nginx.org)
> wrote:
>
> Hello,
>
> I'm using nginx-1.11.2 for proxy server with gzip-module.
>
> I hope to use such like a "gzip_max_length" directive in
> ngx_http_gzip_module.
> Because some upstream response's sizes exceeded the settings of
> gzip_buffers.
> (But there were no error... These are strange things for me...)
>
> I can change the gzip_buffers to enough size for upstream, but there
> is no
> limit.
>
> Can I set a limit of maximum content-size for gzip module?
>
> Thank you.
>
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?2,273899,273899#msg-273899
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

Posted at Nginx Forum:
https://forum.nginx.org/read.php?2,273899,273920#msg-273920

_______________________________________________
nginx mailing list
nginx at nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170428/5fc77b05/attachment-0001.html>

From francis at daoine.org  Fri Apr 28 11:52:09 2017
From: francis at daoine.org (Francis Daly)
Date: Fri, 28 Apr 2017 12:52:09 +0100
Subject: Nginx reload process in detail
In-Reply-To: <eca4ec77a14dff7070cc4cfd68431124.NginxMailingListEnglish@forum.nginx.org>
References: <eca4ec77a14dff7070cc4cfd68431124.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170428115209.GN10157@daoine.org>

On Thu, Apr 27, 2017 at 05:21:06AM -0400, shivramg94 wrote:

Hi there,

The rough description of the reload process is available by searching
for "nginx control" or "nginx reload"; the exact details are available
in the source.

> In the Nginx documentation, it was mentioned that the older worker process
> would continue to run untile they have served the accepted inflight requests
> and then would go down. But the actual behavior seems to be different as the
> persistent connections are being dropped as soon as a configuration reload
> was issued.

You have used the words "process", "requests", and "connections"
above. You should be aware that they refer to different things.

The intention of a "graceful" shutdown of worker processes is that
current idle connections will be closed, while current active requests
will complete and then their connections will be closed.

That seems to match what you are reporting, but perhaps I am missing
something.

> To add to the above question, while reload was in progress, i am trying to
> establish a new connection and its not being established. Can't the new
> worker processes which were spawned as a result of configuration reload,
> straight away serve the incoming new connections?

I believe that nginx should allow new connections to be established
and be handled by the new workers during an "nginx -s reload" invocation,
or when the master process receives a HUP signal.

Can you show a test case where that does not happen?

What nginx version do you use? How do you invoke the reload? Can you
show the new connection failing to be established, perhaps in "tcpdump"?

Cheers,

	f
-- 
Francis Daly        francis at daoine.org

From nginx-forum at forum.nginx.org  Fri Apr 28 12:05:04 2017
From: nginx-forum at forum.nginx.org (bhargava)
Date: Fri, 28 Apr 2017 08:05:04 -0400
Subject: Dynamic Upstream
Message-ID: <2c0c58d8fcac85ac55764f6b65248666.NginxMailingListEnglish@forum.nginx.org>

Pupose: Need to create a local proxy to an image cdn (Beats the purpose of
having a CDN, but can't help!!)

Setup: I have a cdn setup with multiple endpoints say t1.mycdn.com,
t2.mycdn.com and t3.mycdn.com. I have a website (foobar.com) which uses
images from these cdns. Because of some requirement, I need to have
localized path to images (say https://foobar.com/images/sellers/s1/22.jpg).
I need to proxy pass it to my 3 cdn endpoints with equal weight. Along the
way, I need to change the URL too,
https://foobar.com/images/sellers/s1/22.jpg will be fetched from
t1.mycdn.com/img/slr/s1/22.jpg OR t2.mycdn.com/img/slr/s1/22.jpg OR
t3.mycdn.com/img/slr/s1/22.jpg with equal probability.

I have compiled nginx with the following config
configure arguments: --prefix=/opt/nginx
--pid-path=/home/ec2-user/pids/nginx.pid --user=ec2-user --group=ec2-user
--without-http_autoindex_module --without-http_geo_module
--without-http_memcached_module --without-http_scgi_module
--without-http_uwsgi_module --with-http_realip_module
--with-http_addition_module --with-http_xslt_module --with-http_geoip_module
--with-http_sub_module --with-http_gzip_static_module
--with-http_stub_status_module --with-http_secure_link_module
--without-mail_pop3_module --with-http_v2_module --without-mail_imap_module
--without-mail_smtp_module --with-http_ssl_module
--add-module=/tmp/ngx_devel_kit-0.3.0
--add-module=/tmp/lua-nginx-module-0.10.7
--add-module=/tmp/echo-nginx-module-0.60
--add-module=/tmp/set-misc-nginx-module-0.31
--add-module=/tmp/headers-more-nginx-module-0.32
--with-ld-opt=-Wl,-rpath,/opt/luajit/lib

Current Approach: I have the following block
location ~* ^/images/sellers/[^/]+/[^/]+$ {
  error_log /tmp/images.log debug;
  set $img_host "";
  set $img_url "";
  rewrite_by_lua '
    math.randomseed(os.time())
    ngx.var.img_host = "t"..math.random(1,3)..".mycdn.com"
    ngx.var.img_url = string.gsub(ngx.var.uri, "/images/sellers",
"/img/slr/")
  ';
  proxy_set_header HOST $img_host;
  proxy_pass https://$img_host$img_url;
}

When I try to fetch the image, I keep getting the following error

invalid URL prefix in "https://"

I tried changing https to http too. Doesn't help. Can you please let me know
where am I going wrong here ?

Thanks,
Bhargava

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273963,273963#msg-273963


From nginx-forum at forum.nginx.org  Fri Apr 28 14:27:12 2017
From: nginx-forum at forum.nginx.org (Alex Med)
Date: Fri, 28 Apr 2017 10:27:12 -0400
Subject: Trailing Slash Redirect Loop Help
Message-ID: <48cb6400ae229d74b11b234f8c9eaf68.NginxMailingListEnglish@forum.nginx.org>

Hi,

I am having an issue getting rid of the trailing slashes for directories.  I
have used the following to get rid off the trailing slash:


#rewrite all URIs without any '.' in them that end with a '/'         
        #rewrite ^([^.]*)/$ $1 permanent;

&
#rewrite all URIs that end with a '/'  
rewrite ^/(.*)/$ /$1 permanent;

They both work, but they do not when it comes to directories.  When it is a
directory the page is not displayed because it has different redirects. 
Here is the code that I have used inside the LOCATION definition as well as
in the SERVER block and they just do not work.


if (!-e $request_filename) {
rewrite ^/(.*)/$ /$1 permanent;
}

Or, I have used this one:

if (!-e $request_filename) {
rewrite ^([^.]*)/$ $1 permanent;
}

Note:  I have tested individually the two rules either in the server block
or the location block and I still get the redirection problems with files or
directories.


Could any of you please help me and tell me what I am doing wrong. 
Basically, when I enable the rewrite rule to get rid off the trailing slash
all directories get multiple redirects and end up in a loop.

Here is the nginx configuration.


user www-data;
worker_processes X;
pid /xxxx.pid;

events {
	worker_connections xxxx;
	# multi_accept on;
}



http {
        ##
        # Basic Settings
        ##

        sendfile off;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        #below hides the version of nginx 
	server_tokens off;

        server_names_hash_bucket_size 64;
        #this sets the url hash map table size for url rewrites
        map_hash_bucket_size 128;
        map_hash_max_size 2048;
	# server_name_in_redirect off;

        include /xxxx.types;
        default_type application/octet-stream;

     

        ##
        # Gzip Settings
        ##

        gzip on;

        gzip_vary on;
        gzip_proxied any;
        gzip_comp_level 7;
        gzip_buffers 16 8k;
        gzip_http_version 1.1;
 	# Disable for IE < 6 because there are some known problems
        gzip_disable "MSIE [1-6].(?!.*SV1)";

        gzip_types
		text/plain
                text/css 
		text/javascript
		application/javascript
	        application/json
		application/x-javascript
		application/xml;

        ##
        # Buffer Size
        ##
        proxy_buffering on;
        proxy_buffers   4 256k;
        proxy_buffer_size   128k;
        proxy_busy_buffers_size   256k;

     


        ##
        ## URL REWRITE MAP
        ## File that contains all url rewrite rules for server
        include xxxurlmap.conf;


# SERVER DEFINITIONS




###FORWARD ALL 80 INCOMING REQUEST TO SSL
server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name example.com www.example.com;
	return 301 https://www.example.com$request_uri;
}

#HTTPS server

#CHANGE DOMAIN NAME from NO-WWW to WWW - CREATE ONE SERVER INSTANCE AND
RETURN IT
server {
    listen       443 ssl http2;
    server_name  example.com;
    ssl_certificate     /xxx.pem;
    ssl_certificate_key /xxxx.pem;
   return       301 https://www.example.com$request_uri;
}


# Secure Server Configuration HTTPS Server

server {

        listen 443 ssl http2;
        listen [::]:443 ssl http2;        
        server_name www.example.com;

 
        ssl_certificate     /etc/ssl/fullchain.pem;
        ssl_certificate_key /etc/ssl/privkey.pem;
	    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        ssl_session_cache shared:SSL:20m;
        ssl_session_timeout 60m;
	
     
 
       ## THIS CONDITION REWRITES ALL URLS TO THE NEW ONES
        if ( $redirect_uri ) {
        return 301 $redirect_uri;
           }
   

        location / {
            proxy_pass https://xxxx:xportNumber;
            proxy_set_header  Host $host;
            proxy_set_header  X-Real-IP $remote_addr;
            proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_connect_timeout 600;
            proxy_send_timeout 600;
            proxy_read_timeout 600;
            proxy_redirect off;
   #this deletes all the traling slash of all Content 
   if (!-e $request_filename) {
        rewrite ^/(.*)/$ /$1 permanent;
         }


                } 


        }

}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273964,273964#msg-273964


From steven.hartland at multiplay.co.uk  Fri Apr 28 14:40:35 2017
From: steven.hartland at multiplay.co.uk (Steven Hartland)
Date: Fri, 28 Apr 2017 15:40:35 +0100
Subject: Trailing Slash Redirect Loop Help
In-Reply-To: <48cb6400ae229d74b11b234f8c9eaf68.NginxMailingListEnglish@forum.nginx.org>
References: <48cb6400ae229d74b11b234f8c9eaf68.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <80cc8a3b-9128-051b-6a9c-8ae0b834e0e3@multiplay.co.uk>

If is evil 
<https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/> I'd 
suggest using try_files instead, which is typically something like:

location / {
      try_files $uri $uri/ =404;
}

     Regards
     Steve


On 28/04/2017 15:27, Alex Med wrote:
> Hi,
>
> I am having an issue getting rid of the trailing slashes for directories.  I
> have used the following to get rid off the trailing slash:
>
>
> #rewrite all URIs without any '.' in them that end with a '/'
>          #rewrite ^([^.]*)/$ $1 permanent;
>
> &
> #rewrite all URIs that end with a '/'
> rewrite ^/(.*)/$ /$1 permanent;
>
> They both work, but they do not when it comes to directories.  When it is a
> directory the page is not displayed because it has different redirects.
> Here is the code that I have used inside the LOCATION definition as well as
> in the SERVER block and they just do not work.
>
>
> if (!-e $request_filename) {
> rewrite ^/(.*)/$ /$1 permanent;
> }
>
> Or, I have used this one:
>
> if (!-e $request_filename) {
> rewrite ^([^.]*)/$ $1 permanent;
> }
>
> Note:  I have tested individually the two rules either in the server block
> or the location block and I still get the redirection problems with files or
> directories.
>
>
> Could any of you please help me and tell me what I am doing wrong.
> Basically, when I enable the rewrite rule to get rid off the trailing slash
> all directories get multiple redirects and end up in a loop.
>
> Here is the nginx configuration.
>
>
> user www-data;
> worker_processes X;
> pid /xxxx.pid;
>
> events {
> 	worker_connections xxxx;
> 	# multi_accept on;
> }
>
>
>
> http {
>          ##
>          # Basic Settings
>          ##
>
>          sendfile off;
>          tcp_nopush on;
>          tcp_nodelay on;
>          keepalive_timeout 65;
>          types_hash_max_size 2048;
>          #below hides the version of nginx
> 	server_tokens off;
>
>          server_names_hash_bucket_size 64;
>          #this sets the url hash map table size for url rewrites
>          map_hash_bucket_size 128;
>          map_hash_max_size 2048;
> 	# server_name_in_redirect off;
>
>          include /xxxx.types;
>          default_type application/octet-stream;
>
>       
>
>          ##
>          # Gzip Settings
>          ##
>
>          gzip on;
>
>          gzip_vary on;
>          gzip_proxied any;
>          gzip_comp_level 7;
>          gzip_buffers 16 8k;
>          gzip_http_version 1.1;
>   	# Disable for IE < 6 because there are some known problems
>          gzip_disable "MSIE [1-6].(?!.*SV1)";
>
>          gzip_types
> 		text/plain
>                  text/css
> 		text/javascript
> 		application/javascript
> 	        application/json
> 		application/x-javascript
> 		application/xml;
>
>          ##
>          # Buffer Size
>          ##
>          proxy_buffering on;
>          proxy_buffers   4 256k;
>          proxy_buffer_size   128k;
>          proxy_busy_buffers_size   256k;
>
>       
>
>
>          ##
>          ## URL REWRITE MAP
>          ## File that contains all url rewrite rules for server
>          include xxxurlmap.conf;
>
>
> # SERVER DEFINITIONS
>
>
>
>
> ###FORWARD ALL 80 INCOMING REQUEST TO SSL
> server {
> 	listen 80 default_server;
> 	listen [::]:80 default_server;
> 	server_name example.com www.example.com;
> 	return 301 https://www.example.com$request_uri;
> }
>
> #HTTPS server
>
> #CHANGE DOMAIN NAME from NO-WWW to WWW - CREATE ONE SERVER INSTANCE AND
> RETURN IT
> server {
>      listen       443 ssl http2;
>      server_name  example.com;
>      ssl_certificate     /xxx.pem;
>      ssl_certificate_key /xxxx.pem;
>     return       301 https://www.example.com$request_uri;
> }
>
>
> # Secure Server Configuration HTTPS Server
>
> server {
>
>          listen 443 ssl http2;
>          listen [::]:443 ssl http2;
>          server_name www.example.com;
>
>   
>          ssl_certificate     /etc/ssl/fullchain.pem;
>          ssl_certificate_key /etc/ssl/privkey.pem;
> 	    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
>
>          ssl_session_cache shared:SSL:20m;
>          ssl_session_timeout 60m;
> 	
>       
>   
>         ## THIS CONDITION REWRITES ALL URLS TO THE NEW ONES
>          if ( $redirect_uri ) {
>          return 301 $redirect_uri;
>             }
>     
>
>          location / {
>              proxy_pass https://xxxx:xportNumber;
>              proxy_set_header  Host $host;
>              proxy_set_header  X-Real-IP $remote_addr;
>              proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
>              proxy_connect_timeout 600;
>              proxy_send_timeout 600;
>              proxy_read_timeout 600;
>              proxy_redirect off;
>     #this deletes all the traling slash of all Content
>     if (!-e $request_filename) {
>          rewrite ^/(.*)/$ /$1 permanent;
>           }
>
>
>                  }
>
>
>          }
>
> }
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273964,273964#msg-273964
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170428/1dbdff48/attachment.html>

From nginx-forum at forum.nginx.org  Fri Apr 28 14:48:19 2017
From: nginx-forum at forum.nginx.org (Alex Med)
Date: Fri, 28 Apr 2017 10:48:19 -0400
Subject: Trailing Slash Redirect Loop Help
In-Reply-To: <80cc8a3b-9128-051b-6a9c-8ae0b834e0e3@multiplay.co.uk>
References: <80cc8a3b-9128-051b-6a9c-8ae0b834e0e3@multiplay.co.uk>
Message-ID: <15175a622a4a02ef3ae3a207d373c423.NginxMailingListEnglish@forum.nginx.org>

Steveh:

Thank you for your reply.

So what you are suggesting me to do is something like this:

location / {
    try_files $uri $uri/ @rewrite;
}

location @rewrite {
     rewrite ^/(.*)/$ /$1 permanent;
}

Put try files inside the location block and create a new block with the
rewrite?

Thank you for the clarification!

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273964,273966#msg-273966


From steven.hartland at multiplay.co.uk  Fri Apr 28 15:35:02 2017
From: steven.hartland at multiplay.co.uk (Steven Hartland)
Date: Fri, 28 Apr 2017 16:35:02 +0100
Subject: Trailing Slash Redirect Loop Help
In-Reply-To: <15175a622a4a02ef3ae3a207d373c423.NginxMailingListEnglish@forum.nginx.org>
References: <80cc8a3b-9128-051b-6a9c-8ae0b834e0e3@multiplay.co.uk>
 <15175a622a4a02ef3ae3a207d373c423.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <d10784fb-702b-5f1d-4875-312bcb2438cb@multiplay.co.uk>

If I understand what you're trying to do correctly, then I think you 
want something like:

# Ensure no tailing slashes
rewrite ^/(.*)/$ /$1 permanent;

location @upstream {
	proxy_pass https://xxxx:xportNumber;
	proxy_set_header  Host $host;
	proxy_set_header  X-Real-IP $remote_addr;
	proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_connect_timeout 600;
	proxy_send_timeout 600;
	proxy_read_timeout 600;
	proxy_redirect off;
}

location / {
	try_files $uri $uri/ @upstream;
}

This will accept /wibble/ and rewrite it to /wibble (this will be passed 
back to the client which will then re-request /wibble) when the new 
request rewritten comes it the server will still look for local matches 
of /wibble (the file) and /wibble/<index files> (the directory) when 
searching for the content to serve and if not found will pass the 
request to your upstream server.

     Regards
     Steve

On 28/04/2017 15:48, Alex Med wrote:
> Steveh:
>
> Thank you for your reply.
>
> So what you are suggesting me to do is something like this:
>
> location / {
>      try_files $uri $uri/ @rewrite;
> }
>
> location @rewrite {
>       rewrite ^/(.*)/$ /$1 permanent;
> }
>
> Put try files inside the location block and create a new block with the
> rewrite?
>
> Thank you for the clarification!
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273964,273966#msg-273966
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170428/41b3f330/attachment.html>

From nginx-forum at forum.nginx.org  Fri Apr 28 15:43:04 2017
From: nginx-forum at forum.nginx.org (Alex Med)
Date: Fri, 28 Apr 2017 11:43:04 -0400
Subject: Trailing Slash Redirect Loop Help
In-Reply-To: <d10784fb-702b-5f1d-4875-312bcb2438cb@multiplay.co.uk>
References: <d10784fb-702b-5f1d-4875-312bcb2438cb@multiplay.co.uk>
Message-ID: <4872bda116014655755e5d94eda4503c.NginxMailingListEnglish@forum.nginx.org>

Steve -

Thank you so much this has brought so much clarity!  I appreciate the time
you spend writing the reply.

So the rewrite ^/(.*)/$ /$1 permanent; needs to be outside of the location
definition and inside the server definition, correct?

Infinite  thanks!

Alex

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273964,273969#msg-273969


From steven.hartland at multiplay.co.uk  Fri Apr 28 15:46:29 2017
From: steven.hartland at multiplay.co.uk (Steven Hartland)
Date: Fri, 28 Apr 2017 16:46:29 +0100
Subject: Trailing Slash Redirect Loop Help
In-Reply-To: <4872bda116014655755e5d94eda4503c.NginxMailingListEnglish@forum.nginx.org>
References: <d10784fb-702b-5f1d-4875-312bcb2438cb@multiplay.co.uk>
 <4872bda116014655755e5d94eda4503c.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <f6e0a65c-0e15-0096-5265-d10541719c06@multiplay.co.uk>

Yep.

On 28/04/2017 16:43, Alex Med wrote:
> Steve -
>
> Thank you so much this has brought so much clarity!  I appreciate the time
> you spend writing the reply.
>
> So the rewrite ^/(.*)/$ /$1 permanent; needs to be outside of the location
> definition and inside the server definition, correct?
>
> Infinite  thanks!
>
> Alex
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273964,273969#msg-273969
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170428/51c9b697/attachment.html>

From nginx-forum at forum.nginx.org  Fri Apr 28 16:52:09 2017
From: nginx-forum at forum.nginx.org (Alex Med)
Date: Fri, 28 Apr 2017 12:52:09 -0400
Subject: Trailing Slash Redirect Loop Help
In-Reply-To: <f6e0a65c-0e15-0096-5265-d10541719c06@multiplay.co.uk>
References: <f6e0a65c-0e15-0096-5265-d10541719c06@multiplay.co.uk>
Message-ID: <c34c41b8733c9bb613cb7ef0f2bcbde9.NginxMailingListEnglish@forum.nginx.org>

Steven -

I implemented your suggestion and I still get the same problem with the
directories ... for anything else it works. But when I try to access a
directory ... I can see on the browser address bar the / appearing and
disappearing and then it finally does but the browser gives this error:

Too many redirects occurred trying to open https://xxxx.com/xxx".  This
might occur if you open a page that is redirected to open another page with
then is redirected to open the original page.

I checked and no my configuration I do not redirect anything to a directory
to give that error.

Thanks for your help!

Alex

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273964,273971#msg-273971


From xnucleargeminix at aol.com  Sat Apr 29 06:57:53 2017
From: xnucleargeminix at aol.com (Roman Pastushkov)
Date: Sat, 29 Apr 2017 02:57:53 -0400
Subject: Http proxy module
Message-ID: <15bb88062ae-1e2c-c172@webprd-a48.mail.aol.com>

Hello everyone! i am trying to build nginx with proxy module from sources
./configure --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/
nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/acces
s.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastc
gi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/t
mp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx  --with-ipv6 --with-http_ssl_m
odule --with-http_v2_module --with-http_realip_module --with-http_addition_module  --with-http_sub_module --with-http_dav_modu
le --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_i
ndex_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_mod
ule --with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynam
ic --with-stream_ssl_module  --with-http_proxy_module  --with-debug --with-cc-opt='-O3' 


And me outs ./configure: error: invalid option "--with-http_proxy_module"

1.13 version and 1.12 too, wthats wrong?     


Roman Pastushkov
xnucleargeminix at aol.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170429/aa4cc86b/attachment.html>

From lucas at lucasrolff.com  Sat Apr 29 08:52:07 2017
From: lucas at lucasrolff.com (Lucas Rolff)
Date: Sat, 29 Apr 2017 08:52:07 +0000
Subject: Http proxy module
In-Reply-To: <15bb88062ae-1e2c-c172@webprd-a48.mail.aol.com>
References: <15bb88062ae-1e2c-c172@webprd-a48.mail.aol.com>
Message-ID: <E1903470-4EDA-49EA-A13C-FF9C47B5C2A4@lucasrolff.com>

You shouldn't pass --with-http_proxy_module at all


From: nginx <nginx-bounces at nginx.org<mailto:nginx-bounces at nginx.org>> on behalf of Roman Pastushkov via nginx <nginx at nginx.org<mailto:nginx at nginx.org>>
Reply-To: "nginx at nginx.org<mailto:nginx at nginx.org>" <nginx at nginx.org<mailto:nginx at nginx.org>>
Date: Saturday, 29 April 2017 at 08.57
To: "nginx at nginx.org<mailto:nginx at nginx.org>" <nginx at nginx.org<mailto:nginx at nginx.org>>
Cc: Roman Pastushkov <xnucleargeminix at aol.com<mailto:xnucleargeminix at aol.com>>
Subject: Http proxy module

Hello everyone! i am trying to build nginx with proxy module from sources
./configure --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/
nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/acces
s.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastc
gi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/t
mp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx  --with-ipv6 --with-http_ssl_m
odule --with-http_v2_module --with-http_realip_module --with-http_addition_module  --with-http_sub_module --with-http_dav_modu
le --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_i
ndex_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_mod
ule --with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynam
ic --with-stream_ssl_module  --with-http_proxy_module  --with-debug --with-cc-opt='-O3'


And me outs ./configure: error: invalid option "--with-http_proxy_module"

1.13 version and 1.12 too, wthats wrong?

Roman Pastushkov
xnucleargeminix at aol.com<mailto:xnucleargeminix at aol.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170429/99d8a9a1/attachment-0001.html>

From xnucleargeminix at aol.com  Sat Apr 29 09:40:24 2017
From: xnucleargeminix at aol.com (Roman Pastushkov)
Date: Sat, 29 Apr 2017 05:40:24 -0400
Subject: Http proxy module
In-Reply-To: <E1903470-4EDA-49EA-A13C-FF9C47B5C2A4@lucasrolff.com>
Message-ID: <15bb9152bc3-1e2c-c2ec@webprd-a48.mail.aol.com>

and how correct add that?


Roman Pastushkov
xnucleargeminix at aol.com




-----Original Message-----
From: Lucas Rolff <lucas at lucasrolff.com>
To: nginx <nginx at nginx.org>
Sent: Sat, Apr 29, 2017 8:52 am
Subject: Re: Http proxy module



You shouldn't pass --with-http_proxy_module at all







From: nginx <nginx-bounces at nginx.org> on behalf of Roman Pastushkov via nginx <nginx at nginx.org>
Reply-To: "nginx at nginx.org" <nginx at nginx.org>
Date: Saturday, 29 April 2017 at 08.57
To: "nginx at nginx.org" <nginx at nginx.org>
Cc: Roman Pastushkov <xnucleargeminix at aol.com>
Subject: Http proxy module




Hello everyone! i am trying to build nginx with proxy module from sources
./configure --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/
nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/acces
s.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastc
gi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/t
mp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx  --with-ipv6 --with-http_ssl_m
odule --with-http_v2_module --with-http_realip_module --with-http_addition_module  --with-http_sub_module --with-http_dav_modu
le --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_i
ndex_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_mod
ule --with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynam
ic --with-stream_ssl_module  --with-http_proxy_module  --with-debug --with-cc-opt='-O3'


And me outs ./configure: error: invalid option "--with-http_proxy_module"

1.13 version and 1.12 too, wthats wrong?     


Roman Pastushkov
xnucleargeminix at aol.com



_______________________________________________
nginx mailing list
nginx at nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170429/80c01f02/attachment.html>

From francis at daoine.org  Sat Apr 29 12:25:37 2017
From: francis at daoine.org (Francis Daly)
Date: Sat, 29 Apr 2017 13:25:37 +0100
Subject: Http proxy module
In-Reply-To: <15bb9152bc3-1e2c-c2ec@webprd-a48.mail.aol.com>
References: <E1903470-4EDA-49EA-A13C-FF9C47B5C2A4@lucasrolff.com>
 <15bb9152bc3-1e2c-c2ec@webprd-a48.mail.aol.com>
Message-ID: <20170429122537.GO10157@daoine.org>

On Sat, Apr 29, 2017 at 05:40:24AM -0400, Roman Pastushkov via nginx wrote:

Hi there,

> and how correct add that?

./configure --help | grep proxy

	f
-- 
Francis Daly        francis at daoine.org

From francis at daoine.org  Sat Apr 29 12:35:16 2017
From: francis at daoine.org (Francis Daly)
Date: Sat, 29 Apr 2017 13:35:16 +0100
Subject: Trailing Slash Redirect Loop Help
In-Reply-To: <48cb6400ae229d74b11b234f8c9eaf68.NginxMailingListEnglish@forum.nginx.org>
References: <48cb6400ae229d74b11b234f8c9eaf68.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170429123516.GP10157@daoine.org>

On Fri, Apr 28, 2017 at 10:27:12AM -0400, Alex Med wrote:

Hi there,

> I am having an issue getting rid of the trailing slashes for directories.  I
> have used the following to get rid off the trailing slash:

Why do you want to get rid of the trailing slash for directories?

You can do it; but you will probably have to write the code to tell your
web server how to handle the request, because the common case is that
the slash is wanted.

So - you can make a request for /file/; nginx can issue a redirect to
/file; you can make a request for /file; and nginx can serve the content
of /usr/local/nginx/html/file. All good.

Next - you make a request for /dir/; nginx can issue a redirect to /dir;
you can make a request for /dir; what do you want to happen next? The
nginx-is-serving-this-from-the-filesystem behaviour is for nginx to issue
a redirect to /dir/. If you want something else to happen, you must
decide what that something else is, and then arrange that it happens,
possibly by config and possibly by coding.

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org

From francis at daoine.org  Sat Apr 29 12:41:28 2017
From: francis at daoine.org (Francis Daly)
Date: Sat, 29 Apr 2017 13:41:28 +0100
Subject: limit_conn with variables erroring with invalid number of
 connections
In-Reply-To: <314e0d4b2c70b83cc2f6d4a16118217f.NginxMailingListEnglish@forum.nginx.org>
References: <314e0d4b2c70b83cc2f6d4a16118217f.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20170429124128.GQ10157@daoine.org>

On Sun, Apr 23, 2017 at 09:14:20PM -0400, justink101 wrote:

Hi there,

> server {
>     limit_conn $limit_zone $limit_number;
> }
> 
> When starting NGINX getting a fatal error though. Does limit_conn support
> using variables?
> 
> error => invalid number of connections "$limit_number"

http://nginx.org/r/limit_conn

Generally, if a directive argument accepts variables, the documentation
will say that it does. Otherwise, it's probably a documentation bug.

In this case, the documentation does not say that it accepts variables,
and the error message indicates that it does not.

	f
-- 
Francis Daly        francis at daoine.org

From francis at daoine.org  Sat Apr 29 12:45:21 2017
From: francis at daoine.org (Francis Daly)
Date: Sat, 29 Apr 2017 13:45:21 +0100
Subject: Why does nginx rewrite sending https to http?
In-Reply-To: <CAN94_t-iZ45xxMSFiJSKLcM5ct5G1zyGX24TPGpc034E6tBRyQ@mail.gmail.com>
References: <CAN94_t-iZ45xxMSFiJSKLcM5ct5G1zyGX24TPGpc034E6tBRyQ@mail.gmail.com>
Message-ID: <20170429124521.GR10157@daoine.org>

On Wed, Apr 26, 2017 at 12:32:27PM -0400, Kevin wrote:

Hi there,

> I'm trying to rewrite some route in cloud foundry static buildpack, but
> whenever I rewrite, the https goes to http.
> 
> So I add return with / with /login, then it goes to http://server/, even it
> starts with https://server/login.

The nginx config fragment that you show, by itself will not show the
behaviour that you report.

Possibly there is some other config or relevant architecture that is
involved?

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org

From lists at lazygranch.com  Sun Apr 30 01:29:32 2017
From: lists at lazygranch.com (lists at lazygranch.com)
Date: Sat, 29 Apr 2017 18:29:32 -0700
Subject: hacker proxy attempt
Message-ID: <20170429182932.61730ee6.lists@lazygranch.com>

A bit OT, but can a guru verify I rejected all these proxy attempts.
I'm 99.9% sure, but I'd hate to allow some spammer or worse to route
through my server. The only edit I made is when they ran my IP address
though a forum spam checker. (I assume google indexes pastebin.)

https://pastebin.com/VCg28AZf

Pastebin made me captcha because they thought I was a spammer. ;-)



From lucas at lucasrolff.com  Sun Apr 30 10:44:21 2017
From: lucas at lucasrolff.com (Lucas Rolff)
Date: Sun, 30 Apr 2017 10:44:21 +0000
Subject: Serve index.html file if exists try_files + proxy_pass?
Message-ID: <8B8660DA-E717-46D8-B7EC-016800715842@lucasrolff.com>

Hi guys,

I have a small scenario where I have a backend (s3 compatible storage), which by default generates a directory listing overview of the files stored.
I want to be able to serve an "index.html" file if the file exists, else just proxy_pass as normally.

https://gist.github.com/lucasRolff/c7ea13305e9bff40eb6729246cd7eb39

My nginx config for somewhat reason doesn't work ? or maybe it's because I misunderstand how try_files actually work.

So I have URLs such as:

minio.box.com/bucket1/
minio.box.com/bucket43253/


When I request these URL's I want nginx to check if index.html exists in the directory (it's an actual file on the filesystem) - if it does, serve this one, else go to @minio location.

For any other file within the directory, I will just go to @minio location so if I request unicorn.png it should go in @minio location as well.

Is there any decent (non-evil) way of doing this?

I assume I have to define the root directive to make try_files work, but what would I actually have to define, to make nginx use try_files for index.html *within* the specific bucket?

Thanks in advance

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170430/4fd04547/attachment.html>