From francis at daoine.org Tue Jun 1 06:54:26 2021
From: francis at daoine.org (Francis Daly)
Date: Tue, 1 Jun 2021 07:54:26 +0100
Subject: Help: Using Nginx Reverse Proxy bypass traffic in to a application running in a container
Message-ID: <20210601065426.GH11167@daoine.org>

On Sat, May 29, 2021 at 07:11:38PM +0530, Amila Gunathilaka wrote:

Hi there,

It sounds like you have the main part solved by changing the "health
check" request to be one that your port-9091 upstream is able to handle,
which is good.

> >As I understand it, the load balancer is making the request "OPTIONS /"
> >to nginx, and nginx is responding with a http 405, and you don't want
> >nginx to do that.
>
> >What response do you want nginx to give to the request?
>
> Yes you are absolutely right I wanted nginx to stop that 405 response and
> give the success response 200 or even 401 which I can confirm my proxy pass
> and basic auth is working.

After you decide what response you want nginx to give to the request,
you can configure nginx to do that.

In this case, if you want nginx to give a 401 if no valid credentials are
provided, then you want something like auth_basic; if you want nginx to
give a 200 if no valid credentials are provided, then you must not have
something like auth_basic.

> Also I think that 405 response is coming *from nginx itself *to the
> external load balancer because external load balancer directly
> communicating with the nginx (80) and also my upstream server (9091 port
> server) is not a webapp it's just a binary file running inside docker
> container.

From nginx's point of view, it does not matter what the upstream/back-end
service is; it matters that it responds correctly to http requests.

When I use a similar configuration to yours, I see the OPTIONS request
being sent to the upstream and getting a 405 from there.

> Anyway I thought to fix the OPTIONS method fix on the external load
> balancer itself , and I logged in to my external load balancer configs
> page and I changed the HTTP health checks using OPTIONS into *GET *
> method.
> And yeah now 405 error gone. But now I'm getting 401 responses , which
> should be the correct response since I'm using a basic auth in my
> nginx.conf file. Below is my nginx.conf FYI

Good stuff.

This says that, for any request starting with /metrics, nginx should
check for valid credentials or return 401; and then pass the request to
the upstream and return whatever it returns.

> location /metrics {
>     proxy_pass http://127.0.0.1:9091/metrics;

One small thing: because the end of the "proxy_pass" directive is
exactly equal to the full "location" value, you could omit it from the
"proxy_pass"; that is, you could instead use

    proxy_pass http://127.0.0.1:9091;

but when what you have works, it works.

Cheers,

f
--
Francis Daly        francis at daoine.org

From francis at daoine.org Tue Jun 1 07:06:33 2021
From: francis at daoine.org (Francis Daly)
Date: Tue, 1 Jun 2021 08:06:33 +0100
Subject: Help: Using Nginx Reverse Proxy bypass traffic in to a application running in a container
Message-ID: <20210601070633.GI11167@daoine.org>

On Sat, May 29, 2021 at 07:46:40PM +0530, Amila Gunathilaka wrote:

Hi there,

> My concern is why nginx still gives 401 responses *unless *my nginx.conf
> has a basic authentication user name and password file in the
> location /etc/nginx/.htpasswd.
>
> It says still not authenticate my external client POST requests yet ? Any
> thoughts?

I'm not sure I understand your question.

"auth_basic" says "for each request to nginx, if the user/password in
the request does not match something in the file, nginx should return 401"

If you want nginx to do authentication checks, you want auth_basic and
auth_basic_user_file. If you do not want nginx to do authentication checks,
you do not want auth_basic.

http://nginx.org/r/auth_basic

(You can use "auth_basic off;" if you want one location{} not to use
auth_basic that would be inherited from a surrounding context.)

If that does not tell you what you want, could you explain again, please?

Thanks,

f
--
Francis Daly        francis at daoine.org

From amila.kdam at gmail.com Tue Jun 1 14:10:27 2021
From: amila.kdam at gmail.com (Amila Gunathilaka)
Date: Tue, 1 Jun 2021 19:40:27 +0530
Subject: nginx Digest, Vol 140, Issue 1

Hi Francis,

Hope you are doing good ? Thanks for your quick responses for my emails
again. I have 02 questions for you today, I will brief it down for your
ease.

*quiz (1.) : * Yes I understand some of my clients requests don't have
user/name password in their requests and that's why it gives 401 in the
access.log file. But also for me when I browse the site in my internal
network browser http://172.25.234.105/metrics its pop up the user name and
password enter window and directs me successfully to the /metrics page and
I can view contents. But when I tail the /var.log/nginx/error.log file for
a moment and even after I log in by type username and password the error
log gives below error message unless the login is successful.

*tail -f /var.log/nginx/error.log output*
2021/06/01 11:25:26 [crit] 2379013#2379013: *57800 open() "/var/lib/nginx/proxy/4/79/0000002794" failed (*13: Permission denied*) while reading upstream, client: 172.20.0.201, server: 172.25.234.105, request: "GET /metrics HTTP/1.1", upstream: "http://127.0.0.1:9091/metrics", host: "172.25.234.105"

So my first quiz is why it gives a Permission denied message for my request
through the browser even after I enter credentials and I can view /metrics
page contents.

(note* - in my nginx /etc/nginx/.htpasswd file I have the password as
encrypted but I enter the unencrypted password. I hope that's not an issue
since the login is successful.)

*quiz (2.) : * My second question for you is if I want to redirect the url,
such as when I enter http://172.25.234.105:80 I want it to automatically
redirect it to the page http://172.25.234.105/metrics. How could I
achieve that via nginx ?

Thanks for your effortless help for my questions Mr Francis ( even though I
don't know your real name, lol) ; Appreciate a lot.

Amila
Devops Engineer
RHCSA, CKA, AWS

From mdounin at mdounin.ru Tue Jun 1 14:48:19 2021
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 1 Jun 2021 17:48:19 +0300
Subject: $ssl_protocol in nodejs POST requests after 1.9.4
References: <002d01d74427$d3d3ded0$7b7b9c70$@roze.lv> <002e01d74436$4a653b30$df2fb190$@roze.lv>

Hello!

On Sat, May 08, 2021 at 10:45:42PM +0300, Maxim Dounin wrote:

> On Sat, May 08, 2021 at 09:16:39PM +0300, Reinis Rozitis wrote:
>
> > > Thanks for the report, it looks like this change broke things:
> > >
> > > changeset: 7738:554c6ae25ffc
> > >
> > > The only fix I can think of is to rewrite the lingering close so it will
> > happen after the request is logged.
> >
> > Thkx Maxim for finding the cause.
> > I suppose that this is considered a bug then? If so do I need to create a
> > request on Trac or will this be enough to be fixed at some point?
>
> Sure, it's certainly a bug and will be fixed, hopefully soon.
> There should be no need to create a ticket.

Should be fixed now:

http://hg.nginx.org/nginx/rev/5f765427c17a

The fix will be available in the next release, 1.21.1, and
eventually will be merged into 1.20.x stable branch.

Thanks again for reporting this.

--
Maxim Dounin
http://mdounin.ru/

From francis at daoine.org Wed Jun 2 15:27:15 2021
From: francis at daoine.org (Francis Daly)
Date: Wed, 2 Jun 2021 16:27:15 +0100
Subject: Help: Using Nginx Reverse Proxy bypass traffic in to a application running in a container
Message-ID: <20210602152715.GN11167@daoine.org>

On Tue, Jun 01, 2021 at 07:40:27PM +0530, Amila Gunathilaka wrote:

Hi there,

> Hope you are doing good ? Thanks for your quick responses for my emails
> again. I have 02 questions for you today, I will brief it down for your
> ease.

You're welcome.

In general, if the questions are unrelated to the first one, it's best
to start a new mail. That'll help someone search for questions and
answers in the future.

In this case, they are kind-of vaguely related, so we'll keep them in
this thread.

> But when I tail the /var.log/nginx/error.log file for
> a moment and even after I log in by type username and password the error
> log gives below error message unless the login is successful.
>
>
> *tail -f /var.log/nginx/error.log output*
> 2021/06/01 11:25:26 [crit] 2379013#2379013: *57800 open()
> "/var/lib/nginx/proxy/4/79/0000002794" failed (*13: Permission denied*)
> while reading upstream, client: 172.20.0.201, server: 172.25.234.105,
> request: "GET /metrics HTTP/1.1", upstream: "http://127.0.0.1:9091/metrics",
> host: "172.25.234.105"
>
>
> So my first quiz is why it gives a Permission denied message for my request
> through the browser even after I enter credentials and I can view /metrics
> page contents.

That is almost certainly because you also have "proxy_cache"
(http://nginx.org/r/proxy_cache) and "proxy_cache_path" defined, but
configured to use part of the filesystem that the nginx user is not
allowed to use -- maybe it was created or first run as one user, and
now this user cannot write there?

The simplest-to-understand fix, assuming that this is a test system
where you are happy to start again, is probably to stop nginx, remove
the /var/lib/nginx/proxy/ directory and all of its contents, create the
directory again as the user that nginx runs as, and then start nginx.

You should then see directories and files created, as cacheable responses
are fetched.

(There are other possible fixes too, of course.)

> *quiz (2.) : * My second question for you is if I want to redirect the url,
> such as when I enter http://172.25.234.105:80 I want it to automatically
> redirect it to the page http://172.25.234.105/metrics. How could I
> achieve that via nginx ?

Something like

    location = / { return 301 /metrics/; }

should probably work. Any access control on /metrics/ would still apply
to the next request that the client makes, so it probably is ok not to
require authentication for this one request.

Good luck with it,

f
--
Francis Daly        francis at daoine.org

From nginx-forum at forum.nginx.org Wed Jun 2 19:15:16 2021
From: nginx-forum at forum.nginx.org (bouvierh)
Date: Wed, 02 Jun 2021 15:15:16 -0400
Subject: How to install nginx-module-njs on alpine
Message-ID: <6a4411929c09c44b47f51090d1e05e8a.NginxMailingListEnglish@forum.nginx.org>

Hello,

How do I install the javascript module on Alpine? I have tried: "apk add
nginx-module-njs" but that module is not available.
ERROR: unable to select packages:
nginx-module-njs (no such package):

Thanks,
Hugues

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291725,291725#msg-291725

From piersh at hotmail.com Wed Jun 2 19:28:26 2021
From: piersh at hotmail.com (TBD TBD)
Date: Wed, 2 Jun 2021 19:28:26 +0000
Subject: Partial cached fastsgi responses?

Is it possible to use the "Range: bytes=" header with cached fastcgi locations?

What config option do I need to use to get a cached fastcgi response to contain an `Accept-Ranges` header?

Does the `fastcgi_force_ranges` config option even do anything?

Piers.

From teward at thomas-ward.net Wed Jun 2 20:34:13 2021
From: teward at thomas-ward.net (Thomas Ward)
Date: Wed, 2 Jun 2021 16:34:13 -0400
Subject: How to install nginx-module-njs on alpine
In-Reply-To: <6a4411929c09c44b47f51090d1e05e8a.NginxMailingListEnglish@forum.nginx.org>
References: <6a4411929c09c44b47f51090d1e05e8a.NginxMailingListEnglish@forum.nginx.org>

More than likely you'll have to compile the module yourself - I don't know of any distribution that currently ships the njs module.

Thomas

From gk at leniwiec.biz Wed Jun 2 20:37:15 2021
From: gk at leniwiec.biz (Grzegorz Kulewski)
Date: Wed, 2 Jun 2021 22:37:15 +0200
Subject: How to install nginx-module-njs on alpine
References: <6a4411929c09c44b47f51090d1e05e8a.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <18f1f88f-6140-c099-09a7-1b2de8ad57c6@leniwiec.biz>

On 02.06.2021 at 22:34, Thomas Ward wrote:
> More than likely you'll have to compile the module yourself - I don't know of any distribution that currently ships the njs module.

Gentoo ships njs with nginx.

--
Grzegorz Kulewski

From osa at freebsd.org.ru Wed Jun 2 20:41:38 2021
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Wed, 2 Jun 2021 23:41:38 +0300
Subject: How to install nginx-module-njs on alpine
In-Reply-To: <6a4411929c09c44b47f51090d1e05e8a.NginxMailingListEnglish@forum.nginx.org>
References: <6a4411929c09c44b47f51090d1e05e8a.NginxMailingListEnglish@forum.nginx.org>

Hi Hugues,

On Wed, Jun 02, 2021 at 03:15:16PM -0400, bouvierh wrote:
> Hello,
>
> How do I install the javascript module on Alpine? I have tried: "apk add
> nginx-module-njs" but that module is not available.
> ERROR: unable to select packages:
> nginx-module-njs (no such package):

Could you try:

% sudo apk add nginx-module-njs@nginx

as it was described at https://nginx.org/ru/linux_packages.html#Alpine page.

--
Sergey Osokin

From osa at freebsd.org.ru Wed Jun 2 20:44:53 2021
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Wed, 2 Jun 2021 23:44:53 +0300
Subject: How to install nginx-module-njs on alpine
References: <6a4411929c09c44b47f51090d1e05e8a.NginxMailingListEnglish@forum.nginx.org>

On Wed, Jun 02, 2021 at 11:41:38PM +0300, Sergey A. Osokin wrote:
> Hi Hugues,
>
> On Wed, Jun 02, 2021 at 03:15:16PM -0400, bouvierh wrote:
> > Hello,
> >
> > How do I install the javascript module on Alpine? I have tried: "apk add
> > nginx-module-njs" but that module is not available.
> > ERROR: unable to select packages:
> > nginx-module-njs (no such package):
>
> Could you try:
>
> % sudo apk add nginx-module-njs@nginx

English page is here, https://nginx.org/en/linux_packages.html#Alpine

--
Sergey Osokin

From piersh at hotmail.com Wed Jun 2 21:17:21 2021
From: piersh at hotmail.com (TBD TBD)
Date: Wed, 2 Jun 2021 21:17:21 +0000
Subject: Partial cached fastsgi responses?

I guess a related question is: is it possible for nginx to serve partial requests for cached fastcgi responses that don't support ranges? I.e., can the fastcgi module fetch the whole response from upstream, cache it, and then serve partial requests from the cache?

From nginx-forum at forum.nginx.org Wed Jun 2 22:22:54 2021
From: nginx-forum at forum.nginx.org (bouvierh)
Date: Wed, 02 Jun 2021 18:22:54 -0400
Subject: How to install nginx-module-njs on alpine

Thank you!

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291725,291734#msg-291734

From fatma.mazari at esprit.tn Thu Jun 3 09:15:19 2021
From: fatma.mazari at esprit.tn (Fatma MAZARI)
Date: Thu, 3 Jun 2021 10:15:19 +0100
Subject: How to install nginx-module-njs on alpine

Hi,
I have a question, I wanna use nginx and ffmpeg to serve chunks to clients without using or sending .m3u file to client. How can I do this, please?

* ffmpeg copy streams in local ( in /home/STREAMS/channel/stream%d.ts ==> /home/STREAMS/channel/stream1.ts , /home/STREAMS/channel/stream2.ts , /home/STREAMS/channel/stream3.ts ....)
* I want nginx to serve clients chunk by chunk in a continuous way without serving m3u file (the client must wait for the next chunk) .

Thank you , Please I need your help
Fatma.

On Wed, 2 June 2021 at 23:23, bouvierh wrote:

> Thank you!

From fatma.mazari at esprit.tn Thu Jun 3 09:15:49 2021
From: fatma.mazari at esprit.tn (Fatma MAZARI)
Date: Thu, 3 Jun 2021 10:15:49 +0100
Subject: Help: Using Nginx Reverse Proxy bypass traffic in to a application running in a container
In-Reply-To: <20210602152715.GN11167@daoine.org>
References: <20210602152715.GN11167@daoine.org>

Hi,
I have a question, I wanna use nginx and ffmpeg to serve chunks to clients without using or sending .m3u file to client. How can I do this, please?

* ffmpeg copy streams in local ( in /home/STREAMS/channel/stream%d.ts ==> /home/STREAMS/channel/stream1.ts , /home/STREAMS/channel/stream2.ts , /home/STREAMS/channel/stream3.ts ....)
* I want nginx to serve clients chunk by chunk in a continuous way without serving m3u file .

Thank you ,
Fatma.

From bboulton at skippingstone.com Thu Jun 3 16:08:04 2021
From: bboulton at skippingstone.com (Benn Boulton)
Date: Thu, 3 Jun 2021 16:08:04 +0000
Subject: gmer3.itd.sterling.com/home.htm in the access log
Message-ID: <9bffaa11aeea49dcaff44252887576bd@skippingstone.com>

Hello,

I have just installed the NGINX service to help rate limit connections to my Apache server on Windows.

NGINX 1.19.10 on Windows 10 64 bit

Everything seems to be working fine but I am getting access log entries that I do not understand for the pages I am redirecting.

I am running a process that posts to the server. NGINX is processing the request and passing it to the destination server but it is not gmer3.itd.sterling.com/home.htm as shown in the access log entries below.

Any idea why?

127.0.0.1 - t_skipstone [03/Jun/2021:10:30:07 -0400] "POST /cr-bin/mp.exe HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm" "brow v1.0 CCI"
127.0.0.1 - t_skipstone [03/Jun/2021:10:31:07 -0400] "POST /cr-bin/mp.exe HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm" "brow v1.0 CCI"
127.0.0.1 - t_skipstone [03/Jun/2021:10:33:35 -0400] "POST /cr-bin/mp.exe HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm" "brow v1.0 CCI"
127.0.0.1 - t_skipstone [03/Jun/2021:10:37:42 -0400] "POST /cr-bin/mp.exe HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm" "brow v1.0 CCI"
127.0.0.1 - t_skipstone [03/Jun/2021:10:55:03 -0400] "POST /cr-bin/mp.exe HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm" "brow v1.0 CCI"
127.0.0.1 - t_skipstone [03/Jun/2021:10:56:34 -0400] "POST /cr-bin/mp.exe HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm" "brow v1.0 CCI"

Thanks
Benn

From moshe at ymkatz.net Thu Jun 3 16:13:49 2021
From: moshe at ymkatz.net (Moshe Katz)
Date: Thu, 3 Jun 2021 12:13:49 -0400
Subject: gmer3.itd.sterling.com/home.htm in the access log
In-Reply-To: <9bffaa11aeea49dcaff44252887576bd@skippingstone.com>
References: <9bffaa11aeea49dcaff44252887576bd@skippingstone.com>

Benn,

That part of the log is not the request URL, it is the referrer header. The path that was requested on your server is before that - a POST request to "/cr-bin/mp.exe". The referrer (which the HTTP standard actually misspells as "referer") is the web page that is making this request to your server.

Moshe

From bboulton at skippingstone.com Thu Jun 3 17:18:07 2021
From: bboulton at skippingstone.com (Benn Boulton)
Date: Thu, 3 Jun 2021 17:18:07 +0000
Subject: gmer3.itd.sterling.com/home.htm in the access log
References: <9bffaa11aeea49dcaff44252887576bd@skippingstone.com>
Message-ID: <9e31c0a4d7a14d6292937f35a7ee2ea3@skippingstone.com>

Hello Moshe,

Thanks for the reply. I guess I was not clear enough in my post. I know the /cr-bin/mp.exe is part of the POST request. What I do not understand is where the gmer3.itd.sterling.com/home.htm is coming from. It is not my proxy_pass value. It is not part of the POST request or part of the nginx proxy_pass or anything I can find in my configuration.

Is my post being sent to both my proxy_pass value and this site in the log?

Do I have a hacked nginx?

-Benn

From bboulton at skippingstone.com Thu Jun 3 17:19:24 2021
From: bboulton at skippingstone.com (Benn Boulton)
Date: Thu, 3 Jun 2021 17:19:24 +0000
Subject: gmer3.itd.sterling.com/home.htm in the access log
References: <9bffaa11aeea49dcaff44252887576bd@skippingstone.com>

Hello Moshe,

Thanks for the reply. I guess I was not clear enough in my post. I know the /cr-bin/mp.exe is part of the POST request. What I do not understand is where the gmer3.itd.sterling.com/home.htm is coming from. It is not my proxy_pass value. It is not part of the POST request or part of the nginx proxy_pass or anything I can find in my configuration.

Is my post being sent to both my proxy_pass value and this site in the log?

Do I have a hacked nginx?

-Benn
Any Idea why 127.0.0.1 - t_skipstone [03/Jun/2021:10:30:07 -0400] "POST /cr-bin/mp.exe HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm" "brow v1.0 CCI" 127.0.0.1 - t_skipstone [03/Jun/2021:10:31:07 -0400] "POST /cr-bin/mp.exe HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm" "brow v1.0 CCI" 127.0.0.1 - t_skipstone [03/Jun/2021:10:33:35 -0400] "POST /cr-bin/mp.exe HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm" "brow v1.0 CCI" 127.0.0.1 - t_skipstone [03/Jun/2021:10:37:42 -0400] "POST /cr-bin/mp.exe HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm" "brow v1.0 CCI" 127.0.0.1 - t_skipstone [03/Jun/2021:10:55:03 -0400] "POST /cr-bin/mp.exe HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm" "brow v1.0 CCI" 127.0.0.1 - t_skipstone [03/Jun/2021:10:56:34 -0400] "POST /cr-bin/mp.exe HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm" "brow v1.0 CCI" Thanks Benn _______________________________________________ nginx mailing list nginx at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx -------------- next part -------------- An HTML attachment was scrubbed... URL: From moshe at ymkatz.net Thu Jun 3 17:28:37 2021 From: moshe at ymkatz.net (Moshe Katz) Date: Thu, 3 Jun 2021 13:28:37 -0400 Subject: gmer3.itd.sterling.com/home.htm in the access log In-Reply-To: <9e31c0a4d7a14d6292937f35a7ee2ea3@skippingstone.com> References: <9bffaa11aeea49dcaff44252887576bd@skippingstone.com> <9e31c0a4d7a14d6292937f35a7ee2ea3@skippingstone.com> Message-ID: Benn, I guess my explanation wasn't clear enough, so I'll try again. That value is not coming from anywhere in your server's configuration - it has nothing to do with proxy_pass or anything else. It is the value of the "Referer" header that is in the incoming request. First, are these log lines from requests that you are making to the server yourself, or are they coming from someone else? If it is your own traffic, where are you making your requests from? Is it a page in a web browser, or is it some other tool? 
If it is a web browser, that is usually the URL of the web page that is open in the browser. For example, if I have a website at ` example.com/page.html` with a form on it that submits to your server, the value in that place in the logs will be `https://example.com/page.html` so that your server can see where the request came from. Moshe On Thu, Jun 3, 2021 at 1:18 PM Benn Boulton wrote: > Hello Moshe, > > > > Thanks for the reply. I guess I was not clear enough in my post. I know > the /cr-bin/mp.exe is part of the POST request. > > What I do not understand is where the gmer3.itd.sterling.com/home.htm > is coming from. It is not my proxy_pass value. > > It is not part of the POST request or part of the nginx proxy_pass or any > thing I can find in my configuration. > > > > Is my post being sent to both my proxy_pass value and this site in the > log? Do I have a hacked nginx? > > > > -Benn > > > > *From:* nginx *On Behalf Of *Moshe Katz > *Sent:* Thursday, June 3, 2021 12:14 PM > *To:* nginx at nginx.org > *Subject:* Re: gmer3.itd.sterling.com/home.htm in the access log > > > > Benn, > > > > That part of the log is not the request URL, it is the referrer header. > The path that was requested on your server is before that - a POST request > to "/cr-bin/mp.exe". The referrer (which the HTTP standard actually > misspells as "referer") is the web page that is making this request to your > server. > > > > Moshe > > > > On Thu, Jun 3, 2021 at 12:08 PM Benn Boulton > wrote: > > Hello, > > I have just installed the NGINX service to help rate limit connections to > my Apache server on Windows. > > NGNIX 1.19.10 on Windows 10 64 bit > > > > Everything seems to be working fine but I am getting access log entries > that I do not understand for the pages I am redirecting. > > I am running a process that posts to the server. 
NGNIX is processing the > request and passing it to the destination server but it is not > gmer3.itd.sterling.com/home.htm > > as shown in the access log entries below. > > Any Idea why > > 127.0.0.1 - t_skipstone [03/Jun/2021:10:30:07 -0400] "POST /cr-bin/mp.exe > HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm > " > "brow v1.0 CCI" > > 127.0.0.1 - t_skipstone [03/Jun/2021:10:31:07 -0400] "POST /cr-bin/mp.exe > HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm > " > "brow v1.0 CCI" > > 127.0.0.1 - t_skipstone [03/Jun/2021:10:33:35 -0400] "POST /cr-bin/mp.exe > HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm > " > "brow v1.0 CCI" > > 127.0.0.1 - t_skipstone [03/Jun/2021:10:37:42 -0400] "POST /cr-bin/mp.exe > HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm > " > "brow v1.0 CCI" > > 127.0.0.1 - t_skipstone [03/Jun/2021:10:55:03 -0400] "POST /cr-bin/mp.exe > HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm > " > "brow v1.0 CCI" > > 127.0.0.1 - t_skipstone [03/Jun/2021:10:56:34 -0400] "POST /cr-bin/mp.exe > HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm > " > "brow v1.0 CCI" > > > > Thanks > > *Benn * > > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx -------------- next part -------------- An HTML attachment was scrubbed... URL: From bboulton at skippingstone.com Thu Jun 3 18:52:19 2021 From: bboulton at skippingstone.com (Benn Boulton) Date: Thu, 3 Jun 2021 18:52:19 +0000 Subject: gmer3.itd.sterling.com/home.htm in the access log In-Reply-To: References: <9bffaa11aeea49dcaff44252887576bd@skippingstone.com> <9e31c0a4d7a14d6292937f35a7ee2ea3@skippingstone.com> Message-ID: <62bf383d2f504c4c8cbb83b8c671a97f@skippingstone.com> Hi, Currently? 
The posts are coming from the same computer that is hosting NGINX that passes the requests to an external server.

Eventually? NGINX will be run on the same computer with Apache and will also function as a load balancer for multiple servers. One being the same as NGINX and other external servers.

The posts are from a custom poster process that is an .EXE run from the windows command prompt or a process that calls the POSTER executable.

C:\POSTER> Poster h:http://localhost/cr-bin/mp.exe f:test.txt

h: is the host to send to
f: is the file with the payload to be sent to the final destination which is the mp.exe on the server listed in the proxy_pass parameter.

Everything looks to work as it should. But the "gmer3.itd.sterling.com/home.htm" Log entries are just not what I expect to see.

I am installing NGINX to rate limit a customer that is sending multiple posts so fast that we occasionally miss one, and hope this will resolve that.

Again, the proxy redirect is working, just the log entries is what prompted my asking.

Thanks,
- Benn

From: nginx On Behalf Of Moshe Katz
Sent: Thursday, June 3, 2021 1:29 PM
To: nginx at nginx.org
Subject: Re: gmer3.itd.sterling.com/home.htm in the access log

Benn,

I guess my explanation wasn't clear enough, so I'll try again.

That value is not coming from anywhere in your server's configuration - it has nothing to do with proxy_pass or anything else. It is the value of the "Referer" header that is in the incoming request.

First, are these log lines from requests that you are making to the server yourself, or are they coming from someone else?

If it is your own traffic, where are you making your requests from? Is it a page in a web browser, or is it some other tool?

If it is a web browser, that is usually the URL of the web page that is open in the browser.
For example, if I have a website at `example.com/page.html` with a form on it that submits to your server, the value in that place in the logs will be `https://example.com/page.html` so that your server can see where the request came from. Moshe On Thu, Jun 3, 2021 at 1:18 PM Benn Boulton > wrote: Hello Moshe, Thanks for the reply. I guess I was not clear enough in my post. I know the /cr-bin/mp.exe is part of the POST request. What I do not understand is where the gmer3.itd.sterling.com/home.htm is coming from. It is not my proxy_pass value. It is not part of the POST request or part of the nginx proxy_pass or any thing I can find in my configuration. Is my post being sent to both my proxy_pass value and this site in the log? Do I have a hacked nginx? -Benn From: nginx > On Behalf Of Moshe Katz Sent: Thursday, June 3, 2021 12:14 PM To: nginx at nginx.org Subject: Re: gmer3.itd.sterling.com/home.htm in the access log Benn, That part of the log is not the request URL, it is the referrer header. The path that was requested on your server is before that - a POST request to "/cr-bin/mp.exe". The referrer (which the HTTP standard actually misspells as "referer") is the web page that is making this request to your server. Moshe On Thu, Jun 3, 2021 at 12:08 PM Benn Boulton > wrote: Hello, I have just installed the NGINX service to help rate limit connections to my Apache server on Windows. NGNIX 1.19.10 on Windows 10 64 bit Everything seems to be working fine but I am getting access log entries that I do not understand for the pages I am redirecting. I am running a process that posts to the server. NGNIX is processing the request and passing it to the destination server but it is not gmer3.itd.sterling.com/home.htm as shown in the access log entries below. 
Any Idea why

127.0.0.1 - t_skipstone [03/Jun/2021:10:30:07 -0400] "POST /cr-bin/mp.exe HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm" "brow v1.0 CCI"
127.0.0.1 - t_skipstone [03/Jun/2021:10:31:07 -0400] "POST /cr-bin/mp.exe HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm" "brow v1.0 CCI"
127.0.0.1 - t_skipstone [03/Jun/2021:10:33:35 -0400] "POST /cr-bin/mp.exe HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm" "brow v1.0 CCI"
127.0.0.1 - t_skipstone [03/Jun/2021:10:37:42 -0400] "POST /cr-bin/mp.exe HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm" "brow v1.0 CCI"
127.0.0.1 - t_skipstone [03/Jun/2021:10:55:03 -0400] "POST /cr-bin/mp.exe HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm" "brow v1.0 CCI"
127.0.0.1 - t_skipstone [03/Jun/2021:10:56:34 -0400] "POST /cr-bin/mp.exe HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm" "brow v1.0 CCI"

Thanks
Benn

_______________________________________________
nginx mailing list
nginx at nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

From teward at thomas-ward.net Thu Jun 3 20:01:49 2021
From: teward at thomas-ward.net (Thomas Ward)
Date: Thu, 3 Jun 2021 16:01:49 -0400
Subject: gmer3.itd.sterling.com/home.htm in the access log
In-Reply-To: <62bf383d2f504c4c8cbb83b8c671a97f@skippingstone.com>
References: <9bffaa11aeea49dcaff44252887576bd@skippingstone.com> <9e31c0a4d7a14d6292937f35a7ee2ea3@skippingstone.com> <62bf383d2f504c4c8cbb83b8c671a97f@skippingstone.com>
Message-ID: <83070222-503f-a634-9c9b-26bd169a5fbe@thomas-ward.net>

Let's dissect an HTTP request that is sent to your NGINX server.

Assume for a moment it's '/cr-bin/mp.exe' that's the request but there's extra headers.
The full HTTP request looks like this (CURL format output, but also what NGINX spits in debug mode):

    POST /cr-bin/mp.exe
    referer: example.com/foobar.html
    content-type: text/json
    content-length: 2345

The actual URL request in this case would have been http://your-nginx-server/cr-bin/mp.exe with a POST to there, and that is passed through to your system per your proxy_pass rules, etc.

Where your logs are getting "gmer3.itd.sterling.com/home.htm" is from that *referer* header. I.E. you would see "example.com/foobar.html" if the referer header in the request was the example above.

This has **nothing** to do with your configuration. Whatever 'poster' is doing to post the items to your system is passing a referer header in the POST with the contents "gmer3.itd.sterling.com/home.htm". If this is some other site/system you'll see any number of potential referer items. It's also entirely possible that this is your hostname, or something specific to your Poster program itself setting the referer header in the POST that it sends to your server.

This, again, has nothing to do with your NGINX configuration and everything with how Poster is structuring the POST request (including any headers it's sending in the request).

Thomas

On 6/3/21 2:52 PM, Benn Boulton wrote:
>
> Hi,
>
> Currently? The posts are coming from the same computer that is
> hosting NGINX that passes the requests to an external server.
>
> Eventually? NGINX will be run on the same computer with Apache and
> will also function as a load balancer for multiple servers. One being
> the same as NGINX and other external servers.
>
> The posts are from a custom poster process that is an .EXE run from
> the windows command prompt or a process that calls the POSTER executable.
>
> C:\POSTER> Poster h:http://localhost/cr-bin/mp.exe f:test.txt
>
> h: is the host to send to
>
> f: is the file with the payload to be sent to the final destination
> which is the mp.exe on the server listed in the proxy_pass parameter.
>
> Everything looks to work as it should. But the
> "gmer3.itd.sterling.com/home.htm" Log entries are just not what I
> expect to see.
>
> I am installing NGINX to rate limit a customer that is sending
> multiple posts so fast that we occasionally miss one, and hope this
> will resolve that.
>
> Again, the proxy redirect is working, just the log entries is what
> prompted my asking.
>
> Thanks,
>
> - Benn
>
> *From:* nginx *On Behalf Of *Moshe Katz
> *Sent:* Thursday, June 3, 2021 1:29 PM
> *To:* nginx at nginx.org
> *Subject:* Re: gmer3.itd.sterling.com/home.htm in the access log
>
> Benn,
>
> I guess my explanation wasn't clear enough, so I'll try again.
>
> That value is not coming from anywhere in your server's configuration
> - it has nothing to do with proxy_pass or anything else. It is the
> value of the "Referer" header that is in the incoming request.
>
> First, are these log lines from requests that you are making to the
> server yourself, or are they coming from someone else?
>
> If it is your own traffic, where are you making your requests from? Is
> it a page in a web browser, or is it some other tool?
>
> If it is a web browser, that is usually the URL of the web page that
> is open in the browser. For example, if I have a website at
> `example.com/page.html`
> with a form on it that submits to your server, the value in that place
> in the logs will be `https://example.com/page.html`
> so that your server can see where the request came from.
>
> Moshe
>
> On Thu, Jun 3, 2021 at 1:18 PM Benn Boulton wrote:
>
> Hello Moshe,
>
> Thanks for the reply. I guess I was not clear enough in my post.
> I know the /cr-bin/mp.exe is part of the POST request.
>
> What I do not understand is where the
> gmer3.itd.sterling.com/home.htm
> is coming from. It is not my proxy_pass value.
>
> It is not part of the POST request or part of the nginx proxy_pass
> or any thing I can find in my configuration.
> > Is my post being sent to both my proxy_pass value and this site in > the log? Do I have a hacked nginx? > > -Benn > > *From:* nginx > *On Behalf Of *Moshe Katz > *Sent:* Thursday, June 3, 2021 12:14 PM > *To:* nginx at nginx.org > *Subject:* Re: gmer3.itd.sterling.com/home.htm > > in the access log > > Benn, > > That part of the log is not the request URL, it is the > referrer?header. The path that was requested on your server is > before that - a POST request to "/cr-bin/mp.exe". The > referrer?(which the HTTP standard actually misspells as > "referer")?is the web page that is making this request to your server. > > Moshe > > On Thu, Jun 3, 2021 at 12:08 PM Benn Boulton > > > wrote: > > Hello, > > I have just installed the NGINX service to help rate limit > connections to my Apache server on Windows. > > NGNIX 1.19.10 on Windows 10 64 bit > > Everything seems to be working fine but I am getting access > log entries that I do not understand for the pages I am > redirecting. > > I am running a process that posts to the server. NGNIX is > processing the request and passing it to the destination > server but it is not gmer3.itd.sterling.com/home.htm > > as shown in the access log entries below. 
> > Any Idea why > > 127.0.0.1 - t_skipstone [03/Jun/2021:10:30:07 -0400] "POST > /cr-bin/mp.exe HTTP/1.1" 200 569 > "gmer3.itd.sterling.com/home.htm > " > "brow v1.0 CCI" > > 127.0.0.1 - t_skipstone [03/Jun/2021:10:31:07 -0400] "POST > /cr-bin/mp.exe HTTP/1.1" 200 569 > "gmer3.itd.sterling.com/home.htm > " > "brow v1.0 CCI" > > 127.0.0.1 - t_skipstone [03/Jun/2021:10:33:35 -0400] "POST > /cr-bin/mp.exe HTTP/1.1" 200 569 > "gmer3.itd.sterling.com/home.htm > " > "brow v1.0 CCI" > > 127.0.0.1 - t_skipstone [03/Jun/2021:10:37:42 -0400] "POST > /cr-bin/mp.exe HTTP/1.1" 200 569 > "gmer3.itd.sterling.com/home.htm > " > "brow v1.0 CCI" > > 127.0.0.1 - t_skipstone [03/Jun/2021:10:55:03 -0400] "POST > /cr-bin/mp.exe HTTP/1.1" 200 569 > "gmer3.itd.sterling.com/home.htm > " > "brow v1.0 CCI" > > 127.0.0.1 - t_skipstone [03/Jun/2021:10:56:34 -0400] "POST > /cr-bin/mp.exe HTTP/1.1" 200 569 > "gmer3.itd.sterling.com/home.htm > " > "brow v1.0 CCI" > > Thanks > > *Benn * > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx -------------- next part -------------- An HTML attachment was scrubbed... 
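The field layout Moshe and Thomas describe, as an added example that is not part of the original thread: a parser for nginx's predefined `combined` access-log format, run over two of the entries Benn posted plus two constructed entries for contrast. It assumes the log uses the `combined` format (the posted lines match it); the function names and the referer labels are this example's own.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# nginx's predefined "combined" log format, field by field:
#   $remote_addr - $remote_user [$time_local] "$request"
#   $status $body_bytes_sent "$http_referer" "$http_user_agent"
# nginx writes a literal double quote inside a variable as \x22, so a quoted
# field never contains a bare '"' and [^"]* is a safe match for it.
COMBINED = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)"\s*$'
)

SAMPLE_LOG = [
    # Two entries as posted in the thread.
    '127.0.0.1 - t_skipstone [03/Jun/2021:10:30:07 -0400] "POST /cr-bin/mp.exe '
    'HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm" "brow v1.0 CCI"',
    '127.0.0.1 - t_skipstone [03/Jun/2021:10:31:07 -0400] "POST /cr-bin/mp.exe '
    'HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm" "brow v1.0 CCI"',
    # Constructed entries for contrast: a browser form post and a header-less client.
    '127.0.0.1 - - [03/Jun/2021:11:02:10 -0400] "POST /cr-bin/mp.exe '
    'HTTP/1.1" 200 569 "https://example.com/page.html" "Mozilla/5.0 (constructed)"',
    '127.0.0.1 - - [03/Jun/2021:11:03:00 -0400] "GET / HTTP/1.1" 200 612 "-" "curl/7.76.1"',
]


def classify_referer(value):
    """Label the client-supplied Referer value (labels are this example's own)."""
    if value in ("", "-"):          # nginx logs "-" when the header is missing
        return "absent"
    try:
        parts = urlsplit(value)
    except ValueError:              # e.g. unbalanced IPv6 brackets
        return "malformed"
    if parts.scheme in ("http", "https") and parts.netloc:
        return "absolute-url"       # what a browser sends
    return "not-absolute-url"       # typical of a value hard-coded by a client tool


def parse_line(line):
    """Return the named fields of one combined-format entry, or None if it does not match."""
    match = COMBINED.match(line)
    if match is None:
        return None
    entry = match.groupdict()
    parts = entry["request"].split(" ")
    if len(parts) == 3:             # METHOD URI PROTOCOL
        entry["method"], entry["uri"], entry["protocol"] = parts
    else:                           # malformed request line: keep it whole
        entry["method"], entry["uri"], entry["protocol"] = None, entry["request"], None
    entry["referer_kind"] = classify_referer(entry["http_referer"])
    return entry


def summarize(lines):
    """Count entries per (requested URI, Referer, Referer kind, User-Agent)."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            counts[("unparsed", "", "", "")] += 1
            continue
        key = (entry["uri"], entry["http_referer"],
               entry["referer_kind"], entry["http_user_agent"])
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (uri, referer, kind, agent), n in summarize(SAMPLE_LOG).items():
        print(f"{n}x  requested={uri}  referer={referer!r} ({kind})  agent={agent!r}")
```

Grouping by Referer and User-Agent shows that the unexpected value always arrives with the same client string, which points at the client rather than at the proxy configuration.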
From fatma.mazari at esprit.tn Thu Jun 3 21:07:36 2021
From: fatma.mazari at esprit.tn (Fatma MAZARI)
Date: Thu, 3 Jun 2021 23:07:36 +0200
Subject: gmer3.itd.sterling.com/home.htm in the access log
In-Reply-To: <83070222-503f-a634-9c9b-26bd169a5fbe@thomas-ward.net>
References: <9bffaa11aeea49dcaff44252887576bd@skippingstone.com> <9e31c0a4d7a14d6292937f35a7ee2ea3@skippingstone.com> <62bf383d2f504c4c8cbb83b8c671a97f@skippingstone.com> <83070222-503f-a634-9c9b-26bd169a5fbe@thomas-ward.net>
Message-ID:

Hi,
I have a question,
I wanna use nginx and ffmpeg to serve chunks to clients without using or sending .m3u file to client. How can I do this please?
* ffmpeg copy streams in local ( in /home/STREAMS/channel/stream%d.ts ==> /home/STREAMS/channel/stream1.ts , /home/STREAMS/channel/stream2.ts , /home/STREAMS/channel/stream3.ts ....)
* I want nginx to serve clients chunk by chunk in a continuous way without serving m3u file (the client must wait for the next chunk).
Thank you, Please I need your help
Fatma.

On Thu, 3 Jun 2021 at 22:02, Thomas Ward wrote:

> Let's dissect an HTTP request that is sent to your NGINX server.
>
> Assume for a moment it's '/cr-bin/mp.exe' that's the request but there's
> extra headers. The full HTTP request looks like this (CURL format output,
> but also what NGINX spits in debug mode):
>
> POST /cr-bin/mp.exe
> referer: example.com/foobar.html
> content-type: text/json
> content-length: 2345
>
> The actual URL request in this case would have been
> http://your-nginx-server/cr-bin/mp.exe with a POST to there, and that is
> passed through to your system per your proxy_pass rules, etc.
>
> Where your logs are getting "gmer3.itd.sterling.com/home.htm" is from
> that *referer* header. I.E. you would see "example.com/foobar.html" if
> the referer header in the request was the example above.
>
> This has **nothing** to do with your configuration.
Whatever 'poster' is > doing to post the items to your system is passing a referer header in the > POST with the contents "gmer3.itd.sterling.com/home.htm". If this is > some other site/system you'll see any number of potential referer items. > It's also entirely possible that this is your hostname, or something > specific to your Poster program itself setting the referer header in the > POST that it sends to your server. > > This, again, has nothing to do with your NGINX configuration and > everything with how Poster is structuring the POST request (including any > headers it's sending in the request). > > > > Thomas > > > On 6/3/21 2:52 PM, Benn Boulton wrote: > > Hi, > > > > Currently? The posts are coming from the same computer that is hosting > NGINX that passes the requests to an external server. > > Eventually? NGINX will be run on the same computer with Apache and will > also function as a load balancer for multiple servers. One being the same > as NGINX and other external servers. > > The posts are from a custom poster process that is an .EXE run from the > windows command prompt or a process that calls the POSTER executable. > > C:\POSTER> Poster h:http://localhost/cr-bin/mp.exe f:test.txt > > h: is the host to send to > > f: is the file with the payload to be sent to the final destination which > is the mp.exe on the server listed in the proxy_pass parameter. > > > > Everything looks to work as it should. But the ? > gmer3.itd.sterling.com/home.htm? Log entries are just not what I expect > to see. > > I am installing NGINX to rate limit a customer that is sending multiple > posts so fast that we occasionally miss one, and hope this will resolve > that. > > Again, the proxy redirect is working, just the log entries is what > prompted my asking. 
> > > > Thanks, > > - Benn > > *From:* nginx *On > Behalf Of *Moshe Katz > *Sent:* Thursday, June 3, 2021 1:29 PM > *To:* nginx at nginx.org > *Subject:* Re: gmer3.itd.sterling.com/home.htm in the access log > > > > Benn, > > > > I guess my explanation wasn't clear enough, so I'll try again. > > > > That value is not coming from anywhere in your server's configuration - it > has nothing to do with proxy_pass or anything else. It is the value of the > "Referer" header that is in the incoming request. > > > > First, are these log lines from requests that you are making to the server > yourself, or are they coming from someone else? > > > > If it is your own traffic, where are you making your requests from? Is it > a page in a web browser, or is it some other tool? > > > > If it is a web browser, that is usually the URL of the web page that is > open in the browser. For example, if I have a website at ` > example.com/page.html` > > with a form on it that submits to your server, the value in that place in > the logs will be `https://example.com/page.html` > > so that your server can see where the request came from. > > > > Moshe > > > > On Thu, Jun 3, 2021 at 1:18 PM Benn Boulton > wrote: > > Hello Moshe, > > > > Thanks for the reply. I guess I was not clear enough in my post. I know > the /cr-bin/mp.exe is part of the POST request. > > What I do not understand is where the gmer3.itd.sterling.com/home.htm > > is coming from. It is not my proxy_pass value. > > It is not part of the POST request or part of the nginx proxy_pass or any > thing I can find in my configuration. > > > > Is my post being sent to both my proxy_pass value and this site in the > log? Do I have a hacked nginx? 
> > > > -Benn > > > > *From:* nginx *On Behalf Of *Moshe Katz > *Sent:* Thursday, June 3, 2021 12:14 PM > *To:* nginx at nginx.org > *Subject:* Re: gmer3.itd.sterling.com/home.htm > > in the access log > > > > Benn, > > > > That part of the log is not the request URL, it is the referrer header. > The path that was requested on your server is before that - a POST request > to "/cr-bin/mp.exe". The referrer (which the HTTP standard actually > misspells as "referer") is the web page that is making this request to your > server. > > > > Moshe > > > > On Thu, Jun 3, 2021 at 12:08 PM Benn Boulton > wrote: > > Hello, > > I have just installed the NGINX service to help rate limit connections to > my Apache server on Windows. > > NGNIX 1.19.10 on Windows 10 64 bit > > > > Everything seems to be working fine but I am getting access log entries > that I do not understand for the pages I am redirecting. > > I am running a process that posts to the server. NGNIX is processing the > request and passing it to the destination server but it is not > gmer3.itd.sterling.com/home.htm > > as shown in the access log entries below. 
> > Any Idea why > > 127.0.0.1 - t_skipstone [03/Jun/2021:10:30:07 -0400] "POST /cr-bin/mp.exe > HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm > " > "brow v1.0 CCI" > > 127.0.0.1 - t_skipstone [03/Jun/2021:10:31:07 -0400] "POST /cr-bin/mp.exe > HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm > " > "brow v1.0 CCI" > > 127.0.0.1 - t_skipstone [03/Jun/2021:10:33:35 -0400] "POST /cr-bin/mp.exe > HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm > " > "brow v1.0 CCI" > > 127.0.0.1 - t_skipstone [03/Jun/2021:10:37:42 -0400] "POST /cr-bin/mp.exe > HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm > " > "brow v1.0 CCI" > > 127.0.0.1 - t_skipstone [03/Jun/2021:10:55:03 -0400] "POST /cr-bin/mp.exe > HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm > " > "brow v1.0 CCI" > > 127.0.0.1 - t_skipstone [03/Jun/2021:10:56:34 -0400] "POST /cr-bin/mp.exe > HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm > " > "brow v1.0 CCI" > > > > Thanks > > *Benn * > > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > > > > _______________________________________________ > nginx mailing listnginx at nginx.orghttp://mailman.nginx.org/mailman/listinfo/nginx > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx -------------- next part -------------- An HTML attachment was scrubbed... 
From teward at thomas-ward.net Thu Jun 3 21:20:47 2021
From: teward at thomas-ward.net (Thomas Ward)
Date: Thu, 3 Jun 2021 17:20:47 -0400
Subject: gmer3.itd.sterling.com/home.htm in the access log
In-Reply-To:
References: <9bffaa11aeea49dcaff44252887576bd@skippingstone.com> <9e31c0a4d7a14d6292937f35a7ee2ea3@skippingstone.com> <62bf383d2f504c4c8cbb83b8c671a97f@skippingstone.com> <83070222-503f-a634-9c9b-26bd169a5fbe@thomas-ward.net>
Message-ID: <2769379c-fd9b-ec55-a088-def419d72cf0@thomas-ward.net>

You should create your own thread for this issue, Fatma, as it has nothing to do with the issue that Benn was having.

Thomas

On 6/3/21 5:07 PM, Fatma MAZARI wrote:
> Hi,
> I have a question,
> I wanna use nginx and ffmpeg to serve chunks to clients without using
> or sending .m3u file to client. How can I do this please?
> * ffmpeg copy streams in local ( in /home/STREAMS/channel/stream%d.ts
> ==> /home/STREAMS/channel/stream1.ts ,
> /home/STREAMS/channel/stream2.ts , /home/STREAMS/channel/stream3.ts ....)
> * I want nginx to serve clients chunk by chunk in a continuous way
> without serving m3u file (the client must wait for the next chunk).
> Thank you, Please I need your help
> Fatma.
>
> On Thu, 3 Jun 2021 at 22:02, Thomas Ward wrote:
>
> Let's dissect an HTTP request that is sent to your NGINX server.
>
> Assume for a moment it's '/cr-bin/mp.exe' that's the request but
> there's extra headers. The full HTTP request looks like this
> (CURL format output, but also what NGINX spits in debug mode):
>
> POST /cr-bin/mp.exe
> referer: example.com/foobar.html
> content-type: text/json
> content-length: 2345
>
> The actual URL request in this case would have been
> http://your-nginx-server/cr-bin/mp.exe
> with a POST to there, and
> that is passed through to your system per your proxy_pass rules, etc.
>
> Where your logs are getting "gmer3.itd.sterling.com/home.htm"
> is from that *referer*
> header. I.E.
you would see "example.com/foobar.html > " if the referer header in the > request was the example above. > > This has **nothing** to do with your configuration. Whatever > 'poster' is doing to post the items to your system is passing a > referer header in the POST with the contents > "gmer3.itd.sterling.com/home.htm > ". If this is some other > site/system you'll see any number of potential referer items.? > It's also entirely possible that this is your hostname, or > something specific to your Poster program itself setting the > referer header in the POST that it sends to your server. > > This, again, has nothing to do with your NGINX configuration and > everything with how Poster is structuring the POST request > (including any headers it's sending in the request). > > > > Thomas > > > On 6/3/21 2:52 PM, Benn Boulton wrote: >> >> Hi, >> >> Currently? The posts are coming from the ?same computer that is >> hosting NGINX? that passes the requests to an external server. >> >> Eventually?? NGINX will be run on the same computer with Apache >> and will also function as a load balancer for multiple servers. >> One being the same as NGINX and other external? servers. >> >> The posts are from a custom poster process that is an .EXE run >> from the windows command prompt or a process that calls the >> POSTER executable. >> >> C:\POSTER> Poster h:http://localhost/cr-bin/mp.exe >> f:test.txt >> >> h: is the host to send to >> >> f: is the file with the payload to be sent to the final >> destination which is the mp.exe on the server listed in the >> proxy_pass parameter. >> >> Everything looks to work as it should.? But the >> ?gmer3.itd.sterling.com/home.htm >> ? Log entries are just >> not what I expect to see. >> >> I ?am installing NGINX to rate limit a customer that is sending >> multiple posts so fast that we occasionally miss one, and hope >> this will resolve that. >> >> Again, the proxy redirect is working, just the log entries is >> what prompted my asking. 
>> >> Thanks, >> >> - Benn >> >> *From:* nginx >> *On Behalf Of *Moshe Katz >> *Sent:* Thursday, June 3, 2021 1:29 PM >> *To:* nginx at nginx.org >> *Subject:* Re: gmer3.itd.sterling.com/home.htm >> in the access log >> >> Benn, >> >> I guess my explanation wasn't clear enough, so I'll try again. >> >> That value is not coming from anywhere in your server's >> configuration - it has nothing to do with proxy_pass or anything >> else. It is the value of the "Referer" header that is in the >> incoming request. >> >> First, are these log lines from requests?that you are making?to >> the server yourself, or are they coming from someone else? >> >> If it is your own traffic, where are you making your requests >> from? Is it a page in a web?browser, or is it some other tool? >> >> If it is a web browser, that is usually the URL of the web page >> that is open in the?browser. For example, if I have a website at >> `example.com/page.html` >> >> with a form on it that submits to your server, the value in that >> place in the logs will be `https://example.com/page.html` >> >> so that your server can see where the request came from. >> >> Moshe >> >> On Thu, Jun 3, 2021 at 1:18 PM Benn Boulton >> > >> wrote: >> >> Hello Moshe, >> >> Thanks for the reply.? I guess I was not clear enough in my >> post.? I know the /cr-bin/mp.exe is part of the POST request. >> >> ?What I do not understand is where the >> gmer3.itd.sterling.com/home.htm >> >> is coming from. It is not my proxy_pass value. >> >> It is not part of the POST request or part of the nginx >> proxy_pass or any thing I can find in my configuration. >> >> Is my post being sent to both my proxy_pass value and this >> site in the log? Do I have a hacked nginx? 
>> >> -Benn >> >> *From:* nginx > > *On Behalf Of *Moshe Katz >> *Sent:* Thursday, June 3, 2021 12:14 PM >> *To:* nginx at nginx.org >> *Subject:* Re: gmer3.itd.sterling.com/home.htm >> >> in the access log >> >> Benn, >> >> That part of the log is not the request URL, it is the >> referrer?header. The path that was requested on your server >> is before that - a POST request to "/cr-bin/mp.exe". The >> referrer?(which the HTTP standard actually misspells as >> "referer")?is the web page that is making this request to >> your server. >> >> Moshe >> >> On Thu, Jun 3, 2021 at 12:08 PM Benn Boulton >> > > wrote: >> >> Hello, >> >> I have just installed the NGINX service to help rate >> limit connections to my Apache server on Windows. >> >> NGNIX 1.19.10 on Windows 10 64 bit >> >> Everything seems to be working fine but I am getting >> access log entries that I do not understand for the pages >> I am redirecting. >> >> I am running a process that posts to the server. NGNIX is >> processing the request and passing it to the destination >> server but it is not gmer3.itd.sterling.com/home.htm >> >> as shown in the access log entries below. 
>> >> Any Idea why >> >> 127.0.0.1 - t_skipstone [03/Jun/2021:10:30:07 -0400] >> "POST /cr-bin/mp.exe HTTP/1.1" 200 569 >> "gmer3.itd.sterling.com/home.htm >> " >> "brow v1.0 CCI" >> >> 127.0.0.1 - t_skipstone [03/Jun/2021:10:31:07 -0400] >> "POST /cr-bin/mp.exe HTTP/1.1" 200 569 >> "gmer3.itd.sterling.com/home.htm >> " >> "brow v1.0 CCI" >> >> 127.0.0.1 - t_skipstone [03/Jun/2021:10:33:35 -0400] >> "POST /cr-bin/mp.exe HTTP/1.1" 200 569 >> "gmer3.itd.sterling.com/home.htm >> " >> "brow v1.0 CCI" >> >> 127.0.0.1 - t_skipstone [03/Jun/2021:10:37:42 -0400] >> "POST /cr-bin/mp.exe HTTP/1.1" 200 569 >> "gmer3.itd.sterling.com/home.htm >> " >> "brow v1.0 CCI" >> >> 127.0.0.1 - t_skipstone [03/Jun/2021:10:55:03 -0400] >> "POST /cr-bin/mp.exe HTTP/1.1" 200 569 >> "gmer3.itd.sterling.com/home.htm >> " >> "brow v1.0 CCI" >> >> 127.0.0.1 - t_skipstone [03/Jun/2021:10:56:34 -0400] >> "POST /cr-bin/mp.exe HTTP/1.1" 200 569 >> "gmer3.itd.sterling.com/home.htm >> " >> "brow v1.0 CCI" >> >> Thanks >> >> *Benn * >> >> _______________________________________________ >> nginx mailing list >> nginx at nginx.org >> http://mailman.nginx.org/mailman/listinfo/nginx >> >> >> _______________________________________________ >> nginx mailing list >> nginx at nginx.org >> http://mailman.nginx.org/mailman/listinfo/nginx >> >> >> >> _______________________________________________ >> nginx mailing list >> nginx at nginx.org >> http://mailman.nginx.org/mailman/listinfo/nginx > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx -------------- next part -------------- An HTML attachment was scrubbed... 
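The point made in the thread above, that the quoted field after the byte count is the client-supplied Referer header and not a destination, shown as an added example (not code from the thread or from nginx). It parses nginx's predefined `combined` log format, which Benn's lines match; the function names and the three constructed sample lines are assumptions made for illustration.

```python
import re
from collections import Counter

# nginx's predefined "combined" log format:
#   $remote_addr - $remote_user [$time_local] "$request"
#   $status $body_bytes_sent "$http_referer" "$http_user_agent"
COMBINED = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# With the default escaping, nginx writes '"', '\' and bytes outside 32..126
# as \xXX, so a quoted field never contains a raw double quote.
ESCAPED_BYTE = re.compile(r'\\x([0-9A-Fa-f]{2})')


def unescape(value):
    """Decode nginx's hex escapes back into text (UTF-8, lossy on bad bytes)."""
    raw = ESCAPED_BYTE.sub(lambda m: chr(int(m.group(1), 16)), value)
    return raw.encode("latin-1", "replace").decode("utf-8", "replace")


def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    match = COMBINED.match(line.strip())
    if match is None:
        return None
    rec = match.groupdict()
    # "$request" is "METHOD target PROTOCOL": what the client asked this
    # server for, and the only place the requested path appears.
    parts = rec["request"].split(" ")
    if len(parts) == 3:
        rec["method"], rec["target"], rec["protocol"] = parts
    else:
        rec["method"] = rec["target"] = rec["protocol"] = None
    rec["status"] = int(rec["status"])
    rec["body_bytes_sent"] = int(rec["body_bytes_sent"])
    # "$http_referer" and "$http_user_agent" are copied from request headers,
    # so they hold whatever the client chose to send; "-" means absent.
    for field in ("referer", "user_agent"):
        rec[field] = None if rec[field] == "-" else unescape(rec[field])
    return rec


def referers_by_target(log_text):
    """Count (requested target, Referer header) pairs; collect unparsable lines."""
    counts, rejected = Counter(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_combined(line)
        if rec is None:
            rejected.append(line)
        else:
            counts[(rec["target"], rec["referer"])] += 1
    return counts, rejected


# Lines 1-2 are from the thread; lines 3-5 are constructed for this example.
SAMPLE_LOG = r'''127.0.0.1 - t_skipstone [03/Jun/2021:10:30:07 -0400] "POST /cr-bin/mp.exe HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm" "brow v1.0 CCI"
127.0.0.1 - t_skipstone [03/Jun/2021:10:31:07 -0400] "POST /cr-bin/mp.exe HTTP/1.1" 200 569 "gmer3.itd.sterling.com/home.htm" "brow v1.0 CCI"
192.0.2.10 - - [03/Jun/2021:11:00:00 -0400] "POST /cr-bin/mp.exe HTTP/1.1" 200 569 "-" "constructed-client/1.0"
192.0.2.11 - - [03/Jun/2021:11:00:05 -0400] "GET /index.html HTTP/1.1" 200 120 "http://example.com/a\x22b" "constructed-client/1.0"
this line is not in combined format
'''

if __name__ == "__main__":
    counts, rejected = referers_by_target(SAMPLE_LOG)
    for (target, referer), n in counts.most_common():
        print(f"{n:3d}  target={target}  referer={referer!r}")
    print("unparsed:", rejected)
```

Because the Referer value is chosen by the client, a hostname appearing there says nothing about where nginx forwarded the request; that is decided by `proxy_pass` alone.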
From teward at thomas-ward.net Thu Jun 3 21:23:10 2021
From: teward at thomas-ward.net (Thomas Ward)
Date: Thu, 3 Jun 2021 17:23:10 -0400
Subject: gmer3.itd.sterling.com/home.htm in the access log
In-Reply-To: <2fb533461f3f4fc2b000859f7048d95f@skippingstone.com>
References: <9bffaa11aeea49dcaff44252887576bd@skippingstone.com> <9e31c0a4d7a14d6292937f35a7ee2ea3@skippingstone.com> <62bf383d2f504c4c8cbb83b8c671a97f@skippingstone.com> <83070222-503f-a634-9c9b-26bd169a5fbe@thomas-ward.net> <2fb533461f3f4fc2b000859f7048d95f@skippingstone.com>
Message-ID:

You're most welcome! (Your reply to me did not go to the list)

Sometimes, it helps to see the actual HTTP request or an example
request and understand the headers, etc. You're right, this is likely
being added by your poster.exe program which precedes your existence or
involvement in the project, and is likely doing something with the
headers. If you ever want to *test* you can put the error.log into
`debug` mode by doing `error_log /path/to/error.log debug;` and get a
TON of extra stuff during request processing (DO NOT do this long term!)
but it'll also show you the request and the headers - it won't show you
the data in a POST but it'll show you the request and received headers
and the reply. Sometimes, this helps you to dissect the request and
understand what's going on behind the scenes.

Thomas

On 6/3/21 4:56 PM, Benn Boulton wrote:
>
> Thomas,
>
> Thank you for that explanation.
>
> It must be the poster.exe program adding that as a default header.
>
> I did not create the poster.exe application, it precedes my employment.
>
> Again Thank you for the information and thank you to this list .
>
> -Benn

From babuvel_d at hotmail.com Fri Jun 4 07:54:00 2021
From: babuvel_d at hotmail.com (babu vel)
Date: Fri, 4 Jun 2021 07:54:00 +0000
Subject: Using gRPC nginx gateway
Message-ID:

Hi,

Am using nginx 1.17.3 version and trying to enable http2 and gRPC
gateway. I compiled it enabling http_v2 and gRPC module. However, am
still getting below error reporting unknown directive "grpc_pass", can
you please let me know what is the issue here?

# nginx -c /nginx/conf/grpc.conf -t
nginx: [emerg] unknown directive "grpc_pass" in /nginx/conf/grpc.conf:165
nginx: configuration file /nginx/conf/grpc.conf test failed
#

# cat -n /nginx/conf/grpc.conf | grep -i http2
    88          listen       443 http2 default_server;
# cat -n /nginx/conf/grpc.conf | grep -i grpc
    83      upstream backend_grpc {
    84          server unix:/tmp/nginx_local/grpc_be_management.sock;
   165              grpc_pass grpc://backend_grpc;
   166              set $grpc_client_cert_auth 1;
   168                  set $grpc_client_cert_auth 0;
   171              #grpc_read_timeout 2000000;
   173              #grpc_set_header cl_cert_s_dn $ssl_client_s_dn;
   174              #grpc_set_header cl_cert_status $grpc_client_cert_auth;
#

# strings nginx | grep grpc_pass
grpc_pass
grpc_pass_header
# strings nginx | grep http_v2
ngx_http_v2_get_static_name
ngx_http_v2_init
ngx_http_v2_get_indexed_header
ngx_http_v2_string_encode
ngx_http_v2_filter_module
ngx_http_v2_module
ngx_http_v2_read_request_body
ngx_http_v2_add_header
ngx_http_v2_table_size
ngx_http_v2_huff_encode
ngx_http_v2_push_stream
ngx_http_v2_get_static_value
ngx_http_v2_huff_decode
ngx_http_v2_close_stream
ngx_http_v2_send_output_queue
ngx_http_v2_read_unbuffered_request_body
invalid parameter "spdy": ngx_http_spdy_module was superseded by ngx_http_v2_module
invalid directive "%V": ngx_http_spdy_module was superseded by ngx_http_v2_module
#

Regards,
Babu

From fatma.mazari at esprit.tn Fri Jun 4 09:03:14 2021
From: fatma.mazari at esprit.tn (Fatma MAZARI)
Date: Fri, 4 Jun 2021 10:03:14 +0100
Subject: Serving chunks to clients continuously With Nginx without using .m3u files !
Message-ID:

Hi,
I have a question.
I wanna use nginx and ffmpeg to serve chunks to clients without using or
sending .m3u files to clients. How can I do this please?
* ffmpeg copy streams in local ( in /home/STREAMS/channel/stream%d.ts
==> /home/STREAMS/channel/stream1.ts , /home/STREAMS/channel/stream2.ts ,
/home/STREAMS/channel/stream3.ts ....)
* I want nginx to serve clients chunk by chunk in a continuous way
without serving m3u files (the client must wait for the next chunk) .
Thank you , Please, I need your help
Fatma.

From maxim at nginx.com Fri Jun 4 09:15:52 2021
From: maxim at nginx.com (Maxim Konovalov)
Date: Fri, 4 Jun 2021 12:15:52 +0300
Subject: Using gRPC nginx gateway
In-Reply-To:
References:
Message-ID: <72112e12-8465-dec7-24f6-1bf18a42f5d2@nginx.com>

Hi Babu,

On 04.06.2021 10:54, babu vel wrote:
> Hi,
>
> Am using nginx 1.17.3 version and trying to enable http2 and gRPC
> gateway. I compiled it enabling http_v2 and gRPC module. However, am
> still getting below error reporting unknown directive "grpc_pass", can
> you please let me know what is the issue here?
>
> # nginx -c /nginx/conf/grpc.conf -t
> nginx: [emerg] unknown directive "grpc_pass" in /nginx/conf/grpc.conf:165
> nginx: configuration file /nginx/conf/grpc.conf test failed
> #
>
> # cat -n /nginx/conf/grpc.conf | grep -i http2
>     88          listen       443 http2 default_server;
> # cat -n /nginx/conf/grpc.conf | grep -i grpc
>     83      upstream backend_grpc {
>     84          server unix:/tmp/nginx_local/grpc_be_management.sock;
>    165              grpc_pass grpc://backend_grpc;
>    166              set $grpc_client_cert_auth 1;
>    168                  set $grpc_client_cert_auth 0;
>    171              #grpc_read_timeout 2000000;
>    173              #grpc_set_header cl_cert_s_dn $ssl_client_s_dn;
>    174              #grpc_set_header cl_cert_status $grpc_client_cert_auth;
> #
>
[...]

You cannot really use this directive in the upstream block, see

http://nginx.org/r/grpc_pass

--
Maxim Konovalov

From r at roze.lv Fri Jun 4 09:37:25 2021
From: r at roze.lv (Reinis Rozitis)
Date: Fri, 4 Jun 2021 12:37:25 +0300
Subject: Serving chunks to clients continuously With Nginx without using .m3u files !
In-Reply-To:
References:
Message-ID: <001801d75925$3a799eb0$af6cdc10$@roze.lv>

> I wanna use nginx and ffmpeg to serve chunks to clients without using or sending .m3u files to clients. How can I do this please?
> * ffmpeg copy streams in local ( in /home/STREAMS/channel/stream%d.ts ==> /home/STREAMS/channel/stream1.ts , /home/STREAMS/channel/stream2.ts , /home/STREAMS/channel/stream3.ts ....)
> * I want nginx to serve clients chunk by chunk in a continuous way without serving m3u files (the client must wait for the next chunk) .

You can just point the server root to the folder where ffmpeg puts the stream files.

It is the client's task to request files, not the webserver's to push them - if you have (I am not aware of such) or can make a client which can fetch the files without a playlist file then there is nothing special to configure on the nginx side.

The typical approach though is to generate a playlist file which is requested continuously to get the stream chunks.

rr

From fatma.mazari at esprit.tn Fri Jun 4 09:46:03 2021
From: fatma.mazari at esprit.tn (Fatma MAZARI)
Date: Fri, 4 Jun 2021 10:46:03 +0100
Subject: Serving chunks to clients continuously With Nginx without using .m3u files !
In-Reply-To: <001801d75925$3a799eb0$af6cdc10$@roze.lv>
References: <001801d75925$3a799eb0$af6cdc10$@roze.lv>
Message-ID:

Hi, thank you for your response,
I want nginx to continuously send Continuation requests including the next
chunk.
I want to make this point because some applications cannot read playlist
files (.m3u) , I thought about developing a python api which sends packets
(http CONTINUATION) ==> the client of course his application can estimate
that there is another chunk.
I'm waiting for your response.
Thank you

On Fri, Jun 4, 2021 at 10:37, Reinis Rozitis wrote:

> > I wanna use nginx and ffmpeg to serve chunks to clients without using or
> sending .m3u files to clients. How can I do this please?
> > * ffmpeg copy streams in local ( in /home/STREAMS/channel/stream%d.ts
> ==> /home/STREAMS/channel/stream1.ts , /home/STREAMS/channel/stream2.ts
> , /home/STREAMS/channel/stream3.ts ....)
> > * I want nginx to serve clients chunk by chunk in a continuous way
> without serving m3u files (the client must wait for the next chunk) .
>
> You can just point the server root to the folder where ffmpeg puts the
> stream files.
>
> It is the client's task to request files, not the webserver's to push them -
> if you have (I am not aware of such) or can make a client which can fetch
> the files without a playlist file then there is nothing special to configure
> on the nginx side.
>
> The typical approach though is to generate a playlist file which is
> requested continuously to get the stream chunks.
>
> rr

From nginx-forum at forum.nginx.org Fri Jun 4 10:20:57 2021
From: nginx-forum at forum.nginx.org (Flinou)
Date: Fri, 04 Jun 2021 06:20:57 -0400
Subject: Nginx reverse proxy in front of corporate proxy
Message-ID:

Hello!

I did some research and couldn't find anything similar on the forum, sorry
if I'm wrong.

I would like to setup something like :

Client -> https://my-nginx.com -> http://corporate-proxy.com (corporate
proxy) -> https://website.com (website to reach)

Doing curl command like
curl -v https://website.com -x http://corporate-proxy.com works fine

I tried something like

location /test {
    proxy_set_header Host https://website.com;
    proxy_pass http://corporate-proxy.com:3128;
}

The corporate proxy does not allow me to access https://website.com in this
case.

Rewriting is not, for my use case, a satisfying alternative because of the
302 return code.

Is there any way to achieve this ?

Thank you!

Antoine

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291767,291767#msg-291767

From mdounin at mdounin.ru Fri Jun 4 15:20:38 2021
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Fri, 4 Jun 2021 18:20:38 +0300
Subject: Using gRPC nginx gateway
In-Reply-To:
References:
Message-ID:

Hello!

On Fri, Jun 04, 2021 at 07:54:00AM +0000, babu vel wrote:

> Am using nginx 1.17.3 version and trying to enable http2 and
> gRPC gateway. I compiled it enabling http_v2 and gRPC module.
> However, am still getting below error reporting unknown
> directive "grpc_pass", can you please let me know what is the
> issue here?
>
> # nginx -c /nginx/conf/grpc.conf -t
> nginx: [emerg] unknown directive "grpc_pass" in
> /nginx/conf/grpc.conf:165
> nginx: configuration file /nginx/conf/grpc.conf test failed

The error message suggests that you have no gRPC proxy module
compiled in. Check the "nginx -V" output - my best guess is that
you haven't updated the nginx binary you are running.

Note well that nginx 1.17.3 is obsolete long time ago and should
not be used. Consider updating to nginx 1.21.0 or nginx 1.20.1.

[...]

> # strings nginx | grep grpc_pass
> grpc_pass
> grpc_pass_header

Note that "strings nginx" will look into "nginx" file in the
current directory, while running nginx will look for the nginx
binary in PATH. In most cases these aren't the same thing.

--
Maxim Dounin
http://mdounin.ru/

From babuvel_d at hotmail.com Fri Jun 4 15:44:22 2021
From: babuvel_d at hotmail.com (babu vel)
Date: Fri, 4 Jun 2021 15:44:22 +0000
Subject: Using gRPC nginx gateway
In-Reply-To: <72112e12-8465-dec7-24f6-1bf18a42f5d2@nginx.com>
References: , <72112e12-8465-dec7-24f6-1bf18a42f5d2@nginx.com>
Message-ID:

Hi Maxim,

It's not in upstream block. It's in server block. Please refer code snip below.

    upstream backend_grpc {
        server unix:/tmp/nginx_local/grpc_be_management.sock;
    }

    server {
        listen 443 http2 default_server;
        ssl on;
        ssl_certificate default.crt;
        ssl_certificate_key default.key;
        ssl_session_timeout 5m;
        ....
        location /gnmi {
            grpc_pass grpc://backend_grpc;
            set $grpc_client_cert_auth 1;
            if ($ssl_client_verify != SUCCESS){
                set $grpc_client_cert_auth 0;
            }
            client_body_timeout 2000000;
            #grpc_read_timeout 2000000;
            #grpc_set_header cl_cert_s_dn $ssl_client_s_dn;
            #grpc_set_header cl_cert_status $grpc_client_cert_auth;
        }
    }

Regards,
Babu

________________________________
From: Maxim Konovalov
Sent: Friday, June 4, 2021 2:15 AM
To: nginx at nginx.org ; babu vel
Subject: Re: Using gRPC nginx gateway

Hi Babu,

On 04.06.2021 10:54, babu vel wrote:
> Hi,
>
> Am using nginx 1.17.3 version and trying to enable http2 and gRPC
> gateway. I compiled it enabling http_v2 and gRPC module. However, am
> still getting below error reporting unknown directive "grpc_pass", can
> you please let me know what is the issue here?
>
> # nginx -c /nginx/conf/grpc.conf -t
> nginx: [emerg] unknown directive "grpc_pass" in /nginx/conf/grpc.conf:165
> nginx: configuration file /nginx/conf/grpc.conf test failed
> #
>
> # cat -n /nginx/conf/grpc.conf | grep -i http2
>     88          listen       443 http2 default_server;
> # cat -n /nginx/conf/grpc.conf | grep -i grpc
>     83      upstream backend_grpc {
>     84          server unix:/tmp/nginx_local/grpc_be_management.sock;
>    165              grpc_pass grpc://backend_grpc;
>    166              set $grpc_client_cert_auth 1;
>    168                  set $grpc_client_cert_auth 0;
>    171              #grpc_read_timeout 2000000;
>    173              #grpc_set_header cl_cert_s_dn $ssl_client_s_dn;
>    174              #grpc_set_header cl_cert_status $grpc_client_cert_auth;
> #
>
[...]

You cannot really use this directive in the upstream block, see

http://nginx.org/r/grpc_pass

--
Maxim Konovalov

From maxim at nginx.com Fri Jun 4 15:49:37 2021
From: maxim at nginx.com (Maxim Konovalov)
Date: Fri, 4 Jun 2021 18:49:37 +0300
Subject: Using gRPC nginx gateway
In-Reply-To:
References: <72112e12-8465-dec7-24f6-1bf18a42f5d2@nginx.com>
Message-ID:

On 04.06.2021 18:44, babu vel wrote:
> Hi Maxim,
>
> It's not in upstream block. It's in server block. Please refer code snip
> below.
>
[...]

Yes, I missed the line numbers in your snippet.

Maxim D. has a better explanation of what is going on here.

--
Maxim Konovalov

From mdounin at mdounin.ru Fri Jun 4 16:06:56 2021
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Fri, 4 Jun 2021 19:06:56 +0300
Subject: Nginx reverse proxy in front of corporate proxy
In-Reply-To:
References:
Message-ID:

Hello!

On Fri, Jun 04, 2021 at 06:20:57AM -0400, Flinou wrote:

> Hello!
>
> I did some research and couldn't find anything similar on the forum, sorry
> if I'm wrong.
>
> I would like to setup something like :
>
> Client -> https://my-nginx.com -> http://corporate-proxy.com (corporate
> proxy) -> https://website.com (website to reach)
>
> Doing curl command like
> curl -v https://website.com -x http://corporate-proxy.com works fine
>
> I tried something like
>
> location /test {
>     proxy_set_header Host https://website.com;

A side note: the Host header syntax is wrong here, it should be
just "website.com". Correct syntax is not going to help here
though, see below.

>     proxy_pass http://corporate-proxy.com:3128;
> }
>
> The corporate proxy does not allow me to access https://website.com in this
> case.
>
> Rewriting is not, for my use case, a satisfying alternative because of the
> 302 return code.
>
> Is there any way to achieve this ?

No. Unlike curl, nginx proxy_pass does not work through forward
proxies. If you want to pass requests to a backend server, you
have to connect to the server directly, or configure a dedicated
reverse proxy or tunnel to do so.

--
Maxim Dounin
http://mdounin.ru/

From nginx-forum at forum.nginx.org Sat Jun 5 04:36:47 2021
From: nginx-forum at forum.nginx.org (bouvierh)
Date: Sat, 05 Jun 2021 00:36:47 -0400
Subject: Tproxy support for IP transparency
Message-ID: <2834fe483176096b98d94942276c2500.NginxMailingListEnglish@forum.nginx.org>

Hello,

When my application connects to a server, I am intercepting the request and
routing it to a nginx process located on the same host (listening to
127.0.0.1:8883).
The interception needs to be transparent, so IP tables does that well. Now
the issue is restoring the original destination. This would be trivial with
HTTP, however MQTT or AMQP can also be used.

I have looked at Tproxy protocol, it looks promising, but I have not found
any way to use it with Nginx. It seems it is used for IP transparency for
upstream server, not for transparently intercepting client messages.

Can I still implement a transparent interception of requests with Nginx?

Thank you!
Hugues

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291775,291775#msg-291775

From naveenamresh300496 at gmail.com Sat Jun 5 04:44:40 2021
From: naveenamresh300496 at gmail.com (Naveen Amresh)
Date: Sat, 5 Jun 2021 10:14:40 +0530
Subject: REQ: NGINX LDAP Password Masking (nginx.conf)
Message-ID:

Hi Nginx Support Team,

I would like to get assistance in Nginx LDAP bindn password masking in
nginx.conf file.

Thanks & Regards
- Naveen

From nginx-forum at forum.nginx.org Sat Jun 5 08:28:06 2021
From: nginx-forum at forum.nginx.org (forumacct)
Date: Sat, 05 Jun 2021 04:28:06 -0400
Subject: Serve same website under two URLs / domains with certbot
Message-ID: <0de9a884d45477e0b9a22cfbc5244f0b.NginxMailingListEnglish@forum.nginx.org>

Hello All,

Using nginx/1.14.2 on Linux rpi3 5.10.17-v7+.
Historically I ended up with two domains.
I started with a dyndns 'domain' (is that actually correct to call it domain?)
to operate my homemade RPI weather station.
Later I got a domain from 'hover.com' to run my astronomy hobby webpage.
Both pages are on the same RPI on the same directory branch and actually the
domain names are interchangeable.
You can see my weather station at:
http://drgert.dyndns.ws:8000/rpi/rpi.html
http://www.skywatcher.space/rpi/rpi_wetter/rpi_wetter.php

So far I had one default config:
ls -l /etc/nginx/sites-enabled
lrwxrwxrwx 1 root root 26 Jun 4 20:12 default -> ../sites-available/default

Content:
server {
    listen 80 default_server;
    listen 8000; # Alternate http port

    root /media/usbstick/nginx/www;

    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm;

    server_name localhost;

    location / {
        try_files $uri $uri/ =404;
    }

    # pass PHP scripts to FastCGI server
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
}

Now I want to use certbot for https.
But that requires certificates unique for each domain. (I think)

So I tried deleting the default file and have two conf files in conf.d for
each domain.

vi /etc/nginx/conf.d/www.skywatcher.space.conf
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /media/usbstick/nginx/www;
    server_name skywatcher.space www.skywatcher.space;
}

vi /etc/nginx/conf.d/www.drgert.dyndns.ws.conf
server {
    listen 80 default_server;
    listen 8000; # Alternate http port

    root /media/usbstick/nginx/www;

    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm;

    server_name drgert.dyndns.ws www.drgert.dyndns.ws;

    location / {
        try_files $uri $uri/ =404;
    }

    # pass PHP scripts to FastCGI server
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
}

But then each such file had 'default_server' keyword in it and it failed to
work.
Also I don't know if it's OK that both try to listen on port 80.

So how do I do this right?
Both domains pointing to the same html files root and both should receive
https certificates. :-)

Cheers,
Gert

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291774,291774#msg-291774

From lywjk at outlook.com Sat Jun 5 08:35:32 2021
From: lywjk at outlook.com (=?gb2312?B?zfUgvrK/rQ==?=)
Date: Sat, 5 Jun 2021 08:35:32 +0000
Subject: Server mp4 file larger than 2GB on 32bit system
Message-ID:

Hi,
I compile a nginx for a 32bit system (ARM). When I request a mp4 file which is larger than 2GB then it responds with '416 Requested Range Not Satisfiable'.
The type of max_ranges is ngx_uint_t, I could not set it higher than about 2000000000.
In this situation, how could I serve the mp4 file correctly?

The ngx_size is set to 4 when I compile nginx. So:

#ifndef NGX_MAX_SIZE_T_VALUE
#define NGX_MAX_SIZE_T_VALUE 2147483647
#endif

#ifndef NGX_SIZE_T_LEN
#define NGX_SIZE_T_LEN (sizeof("-2147483648") - 1)
#endif

#ifndef NGX_MAX_OFF_T_VALUE
#define NGX_MAX_OFF_T_VALUE 2147483647
#endif

#ifndef NGX_OFF_T_LEN
#define NGX_OFF_T_LEN (sizeof("-2147483648") - 1)
#endif

Config file:

location ~* .*\.(mp4|m3u8|m4s)$ {
    max_ranges 2000000000;
    include conf.d/options.conf;
    add_header 'Access-Control-Allow-Origin' '*';
    add_header 'Access-Control-Allow-Credentials' 'true';
    root /mypath;
    expires 6h;
}

The header of request:

Accept: */*
Accept-Encoding: identity;q=1, *;q=0
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cache-Control: no-cache
Connection: keep-alive
Cookie: --------
Host: 192.168.199.245
Pragma: no-cache
Range: bytes=0-
Referer: -------------
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.864.41
URL: From n5d9xq3ti233xiyif2vp at protonmail.ch Sat Jun 5 10:58:56 2021 From: n5d9xq3ti233xiyif2vp at protonmail.ch (Laura Smith) Date: Sat, 05 Jun 2021 10:58:56 +0000 Subject: Serve same website under two URLs / domains with certbot In-Reply-To: <0de9a884d45477e0b9a22cfbc5244f0b.NginxMailingListEnglish@forum.nginx.org> References: <0de9a884d45477e0b9a22cfbc5244f0b.NginxMailingListEnglish@forum.nginx.org> Message-ID: Sent with ProtonMail Secure Email. ??????? Original Message ??????? On Saturday, 5 June 2021 09:28, forumacct wrote: > > Now I want to use certbot for https. > But that requires certificates unique for each domain. (I think) Nope. I suggest you look again at the man page for certbot. ;-) You can have as many domains as you like under a certificate (as long as you have control over them all for Lets Encrypt validation purposes). From francis at daoine.org Sat Jun 5 14:38:25 2021 From: francis at daoine.org (Francis Daly) Date: Sat, 5 Jun 2021 15:38:25 +0100 Subject: Tproxy support for IP transparency In-Reply-To: <2834fe483176096b98d94942276c2500.NginxMailingListEnglish@forum.nginx.org> References: <2834fe483176096b98d94942276c2500.NginxMailingListEnglish@forum.nginx.org> Message-ID: <20210605143825.GO11167@daoine.org> On Sat, Jun 05, 2021 at 12:36:47AM -0400, bouvierh wrote: Hi there, I don't have a tested answer to your question, but... > When my application connects to a sever, I am intercepting the request and > routing it to a nginx process located on the same host (listening to > 127.0.0.1:8883). > The interception need to be transparent, so IP tables does that well. Now > the issue is restoring the original destination. This would be trivial with > HTTP, however MQTT or AMQP can also be used. does https://www.nginx.com/blog/ip-transparency-direct-server-return-nginx-plus-transparent-proxy/ describe what you want to do? 
The current version (I think) expects that nginx and the upstream are on different servers; there is mention in the comments of a tproxy config that looks like it could work if they are on the same server.

> I have looked at Tproxy protocol, it looks promising, but I have not found
> any way to use it with Nginx. It seems it is used for IP transparency for
> upstream server, not for transparently intercepting client messages.
>
> Can I still implement a transparent interception of requests with Nginx?

The nginx-side of the config seems to be "proxy_bind" with the "transparent" argument; pretty much all of the rest seems to be configuring the networking around the server that nginx is running on and the server that the upstream service is running on, to make sure that the upstream service does not have to know that the nginx service is involved in the communication.

Good luck with it,

f
--
Francis Daly francis at daoine.org

From francis at daoine.org Sat Jun 5 19:21:03 2021
From: francis at daoine.org (Francis Daly)
Date: Sat, 5 Jun 2021 20:21:03 +0100
Subject: Serve same website under two URLs / domains with certbot
In-Reply-To: <0de9a884d45477e0b9a22cfbc5244f0b.NginxMailingListEnglish@forum.nginx.org>
References: <0de9a884d45477e0b9a22cfbc5244f0b.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20210605192103.GP11167@daoine.org>

On Sat, Jun 05, 2021 at 04:28:06AM -0400, forumacct wrote:

Hi there,

there are a few ways to approach this, depending on the end result that you want. I'll try to describe how things should work; maybe that will help you choose.

> Now I want to use certbot for https.
> But that requires certificates unique for each domain. (I think)
>
> So I tried deleting the default file and have two conf files in conf.d for
> each domain.
>
> vi /etc/nginx/conf.d/www.skywatcher.space.conf
> server {
>     listen 80 default_server;
>     listen [::]:80 default_server;
>     root /media/usbstick/nginx/www;
>     server_name skywatcher.space www.skywatcher.space;
> }
>
> vi /etc/nginx/conf.d/www.drgert.dyndns.ws.conf
> server {
>     listen 80 default_server;
>     listen 8000; # Alternate http port
>     root /media/usbstick/nginx/www;
>     # Add index.php to the list if you are using PHP
>     index index.php index.html index.htm;
>     server_name drgert.dyndns.ws www.drgert.dyndns.ws;
>     location / {
>         try_files $uri $uri/ =404;
>     }
>     # pass PHP scripts to FastCGI server
>     location ~ \.php$ {
>         include snippets/fastcgi-php.conf;
>         fastcgi_pass unix:/run/php/php7.3-fpm.sock;
>     }
> }
>
> But then each such file had 'default_server' keyword in it and it failed to
> work.
> Also I don't know if its OK that both try to listen on port 80.

For http, nginx sees a connection coming to an ip:port, and the request has a Host: header value.

Based on the server{}s that "listen" on that ip:port, and the "server_name" values in those servers, nginx will choose which one server{} to use to handle the request.

Each value has a default that is used if it is not explicitly set. And if there is not a Host/server_name match, then the default_server for this ip:port is used -- there must always be exactly one default_server for each ip:port that nginx listens on.

(That is why the error was logged when you had two default_servers on the same ip:port. If you care, you must tell nginx which one to use as default. If you don't care, you can let nginx choose by not using "default_server".)

So you can have two server{}s listening on the same ip:port, and nginx will choose "the right" one based on your config and the request.

When you have only one server{}, most of that choosing does not matter -- nginx will always choose this server{}.

> So how do I do this right?
>
> Both domains pointing to the same html files root and both should receive
> https certificates.
> :-)

For https, most of the same applies, except before the request is made, nginx must provide a certificate to the client to set up the encrypted connection. And the *client* will probably care that that certificate is valid for whatever name the client used to access nginx.

If you control the client, you can tell it what certificate to expect, or you can tell it to accept any certificate at all. In that case, use any certificate, and tell your client to accept it as valid. Generally, on the public internet, you do not control the client, so this does not apply.

If you have two server_names that are used, and that will *always* serve the same content as each other (and you are happy that someone who uses one name will be able to see that the other name exists), then you can get one certificate that is valid for both names, and configure nginx to use that for all requests that are handled in this server{}. (The other reply indicates that certbot does support this two-name certificate.)

If you want to keep the two server_names separate, then you will want two certificates, one for each name; and you will want two server{}s, each associated with one server_name and one certificate. And if they both serve the same content today, you will need to duplicate the rest of the config in the two server{}s. (You might be able to "include" a common file, if you want to avoid writing things twice.)

In the main, nginx does not care what certificate you use; it is the client that will decide whether the certificate presented by the server is one that it will accept, and (generally) if the names do not match, the client will default-fail and maybe invite the user to explicitly accept things this time.

And whoever signs the certificate will want to be confident that you control whatever their signing claims that you control -- for that, you follow their recipe/requirements, or you find another signing authority.
So your choices are still: one server{}, one cert with both names; one server{}, one cert with one name, and let users that access the other name choose whether or not to continue; or two server{}s, each with a cert with one name.

Hopefully the above describes why those are the choices; and gives an idea of the costs/benefits of each, so that you can choose which is most appropriate for your system.

Cheers,

f
--
Francis Daly francis at daoine.org

From nginx-forum at forum.nginx.org Sat Jun 5 22:32:42 2021
From: nginx-forum at forum.nginx.org (forumacct)
Date: Sat, 05 Jun 2021 18:32:42 -0400
Subject: Serve same website under two URLs / domains with certbot
In-Reply-To: <20210605192103.GP11167@daoine.org>
References: <20210605192103.GP11167@daoine.org>
Message-ID: <34be94c9bc10fef82bc18611424c4160.NginxMailingListEnglish@forum.nginx.org>

Hello,

Thank you for the extended help. I see there will be a lot of reading to understand all the features in nginx.

Francis Daly Wrote:
-------------------------------------------------------
> On Sat, Jun 05, 2021 at 04:28:06AM -0400, forumacct wrote:
>
> Hi there,
...
> If you have two server_names that are used, and that will *always* serve
> the same content as each other (and you are happy that someone who uses
> one name will be able to see that the other name exists), then you can
> get one certificate that is valid for both names, and configure nginx to
> use that for all requests that are handled in this server{}. (The other
> reply indicates that certbot does support this two-name certificate.)
...

That was something I also had just discovered. And that route seems to have worked for me.

I did this:

sudo certbot --nginx -d skywatcher.space -d www.skywatcher.space -d drgert.dyndns.ws

And it asked if I want to append the multiple domains into the same certificate which I confirmed.
It created one file /etc/letsencrypt/live/skywatcher.space/fullchain.pem which has 3 sections I assume representing the three domain names. (Why do www.domain.com and domain.com count as two?)

Then a single file in sites-enabled worked for me.

vi /etc/nginx/sites-enabled/rpi3_https_2dom.conf
# Default server configuration
server {
    listen 80 ;
    listen 8000; # Alternate http port
    root /media/usbstick/nginx/www;
    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm;
    server_name drgert.dyndns.ws skywatcher.space www.skywatcher.space; # managed by Certbot
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }
    # pass PHP scripts to FastCGI server
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/skywatcher.space/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/skywatcher.space/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

For your experience/background is there anything in the above that is not yet OK?

Cheers,
Gert

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291774,291781#msg-291781

From amila.kdam at gmail.com Sun Jun 6 08:44:33 2021
From: amila.kdam at gmail.com (Amila Gunathilaka)
Date: Sun, 6 Jun 2021 14:14:33 +0530
Subject: nginx Digest, Vol 140, Issue 3
In-Reply-To:
References:
Message-ID:

Dear Mr Francis,

issue 1.)

> That is almost certainly because you also have "proxy_cache"
> (http://nginx.org/r/proxy_cache) and "proxy_cache_path" defined, but
> configured to use part of the filesystem that the nginx user is not
> allowed to use -- maybe it was created or first run as one user, and
> now this user cannot write there?
> The simplest-to-understand fix, assuming that this is a test system
> where you are happy to start again, is probably to stop nginx, remove
> the /var/lib/nginx/proxy/ directory and all of its contents, create the
> directory again as the user that nginx runs as, and then start nginx.

I actually didn't have any "proxy_cache" or "proxy_cache_path" defined in my nginx.conf file but I did remove the /var/lib/nginx/proxy/ directory and re-create it as you requested and yes now I'm not getting any permission-denied error or any error in the error.log file when I access the url. So thank you for this!

issue 2.)

> Something like
>
> location = / { return 301 /metrics/; }
>
> should probably work. Any access control on /metrics/ would still apply
> to the next request that the client makes, so it probably is ok not to
> require authentication for this one request.

This is also working, Mr Francis. Now I have my nginx.conf file look like below.

worker_rlimit_nofile 30000;
events {
    worker_connections 30000;
}
http {
    server {
        listen 80;
        server_name 172.25.234.105 push.metrics.townsuite.com;
        #return 301 http://push.metrics.townsuite.com/metrics;
        #proxy_set_header Host push.metrics.townsuite.com/metric;
        location = / { return 301 /metrics/; }
        location /metrics {
            #proxy_set_header Host 172.25.234.105/metrics;
            proxy_pass http://127.0.0.1:9091/metrics;
            #proxy_redirect http://push.metrics.townsuite.com http://push.metrics.townsuite.com/metrics
            #proxy_set_header Host push.metrics.townsuite.com/metrics;
            auth_basic "PROMETHEUS PUSHGATEWAY Login Area";
            auth_basic_user_file /etc/nginx/.htpasswd;
        }
    }
}

All good now!!! Thanks again for your immense help. I would like to contact you in future also about any nginx matters, we may can share knowledge (my area is kubernetes/aws actually).

Amila
Devops Engineer
AWS, RHCSA, RHCE, CKA

From n5d9xq3ti233xiyif2vp at protonmail.ch Sun Jun 6 10:31:33 2021
From: n5d9xq3ti233xiyif2vp at protonmail.ch (Laura Smith)
Date: Sun, 06 Jun 2021 10:31:33 +0000
Subject: Serve same website under two URLs / domains with certbot
In-Reply-To: <34be94c9bc10fef82bc18611424c4160.NginxMailingListEnglish@forum.nginx.org>
References: <20210605192103.GP11167@daoine.org> <34be94c9bc10fef82bc18611424c4160.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

On Saturday, 5 June 2021 23:32, forumacct wrote:

> Why do www.domain.com and domain.com count as two?)

Because domain.com is the domain. www is a subdomain.

Don't forget you can get a wildcard certificate if you need it.
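
The name-coverage question from the thread above (why www.domain.com and domain.com count as two names, and what a wildcard would cover), as an added example that is not part of any list message: it checks nginx server_name values against the names on a certificate using RFC 6125-style matching. The function names and the abbreviated config text are assumptions of this example, and the certbot -d list stands in for the certificate's subjectAltName list, which in practice should be read from the certificate itself.

```python
"""Added example: do the names on a certificate cover every nginx server_name?"""
import re
import shlex


def _labels(name):
    """Lower-cased DNS labels of a name, ignoring a trailing dot."""
    return name.strip().rstrip(".").lower().split(".")


def san_matches(hostname, san):
    """Match one hostname against one dNSName entry, RFC 6125 style.

    A wildcard is honoured only as the whole left-most label and stands for
    exactly one label, so "*.example.org" covers "www.example.org" but
    neither "example.org" nor "a.b.example.org".
    """
    host, pat = _labels(hostname), _labels(san)
    if len(host) != len(pat) or "" in host:
        return False
    if pat[0] == "*":
        # Conservative choice made by this example: refuse "*.tld".
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def server_names(nginx_conf):
    """Names from every server_name directive; '#' comments are stripped.

    Simplification: does not handle '#' inside quoted strings or regex names.
    """
    text = re.sub(r"#[^\n]*", "", nginx_conf)
    names = []
    for args in re.findall(r"\bserver_name\s+([^;]+);", text):
        names.extend(args.split())
    return names


def certbot_domains(command):
    """Names passed with -d/--domain/--domains on a certbot command line."""
    argv = shlex.split(command)
    names = []
    for flag, value in zip(argv, argv[1:]):
        if flag in ("-d", "--domain", "--domains"):
            names.extend(v for v in value.split(",") if v)
    return names


def uncovered(names, sans):
    """server_name values that no certificate name covers."""
    return [n for n in names if not any(san_matches(n, s) for s in sans)]


# Command line as posted in the thread.
CERTBOT_CMD = ("sudo certbot --nginx -d skywatcher.space "
               "-d www.skywatcher.space -d drgert.dyndns.ws")

# Constructed, abbreviated versions of the two configs posted in the thread.
CONF_FINAL = """
server {
    listen 80 ;
    server_name drgert.dyndns.ws skywatcher.space www.skywatcher.space; # managed by Certbot
    listen 443 ssl; # managed by Certbot
}
"""
CONF_EARLIER = """
server {
    listen 80 default_server;
    server_name drgert.dyndns.ws www.drgert.dyndns.ws;
}
"""

if __name__ == "__main__":
    sans = certbot_domains(CERTBOT_CMD)
    for label, conf in (("final", CONF_FINAL), ("earlier", CONF_EARLIER)):
        print(label, "config, names without certificate cover:",
              uncovered(server_names(conf), sans))
    # A wildcard alone would not cover the bare domain:
    print("wildcard covers apex:",
          san_matches("skywatcher.space", "*.skywatcher.space"))
```

A name reported as uncovered is one for which clients would see a certificate name mismatch if they used it over https.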

From mdounin at mdounin.ru Sun Jun 6 16:10:38 2021
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Sun, 6 Jun 2021 19:10:38 +0300
Subject: Server mp4 file larger than 2GB on 32bit system
In-Reply-To:
References:
Message-ID:

Hello!

On Sat, Jun 05, 2021 at 08:35:32AM +0000, ? ?? wrote:

> I compile a nginx for an 32bit system (ARM).
> When I request a mp4 file which is larger than 2GB then it response with '416 Requested Range Not Satisfiable'.
> The type of max_ranges is ngx_uint_t, I could not set it max than about 2000000000.
> In this situation, I could I server the mp4 file correctly?

The max_ranges directive is to limit the number of ranges in a request, which is almost always at most one (and just one in the request you've showed). And it is completely unrelated to 416 errors. Just leave the default.

> The ngx_size is set to 4 when I compile nginx.
> So:
> #ifndef NGX_MAX_SIZE_T_VALUE
> #define NGX_MAX_SIZE_T_VALUE 2147483647
> #endif
>
> #ifndef NGX_SIZE_T_LEN
> #define NGX_SIZE_T_LEN (sizeof("-2147483648") - 1)
> #endif
>
> #ifndef NGX_MAX_OFF_T_VALUE
> #define NGX_MAX_OFF_T_VALUE 2147483647
> #endif
>
> #ifndef NGX_OFF_T_LEN
> #define NGX_OFF_T_LEN (sizeof("-2147483648") - 1)
> #endif

What does "./configure" output show? Are you running configure on the target system, or tried to cross-compile nginx?

It looks like for some reason nginx wasn't able to find out how to instruct your system to use 64-bit off_t. The most likely reason I can think of is an attempt to cross-compile nginx. Note that cross-compiling is not supported and not going to work. The most simple and the only supported solution would be to compile nginx natively.

-- Maxim Dounin http://mdounin.ru/ From lywjk at outlook.com Mon Jun 7 02:44:45 2021 From: lywjk at outlook.com (=?gb2312?B?zfUgvrK/rQ==?=) Date: Mon, 7 Jun 2021 02:44:45 +0000 Subject: =?gb2312?B?u9i4tDogU2VydmVyIG1wNCBmaWxlIGxhcmdlciB0aGFuIDJHQiBvbiAzMmJp?= =?gb2312?Q?t_system?= In-Reply-To: References: , Message-ID: >What does "./configure" output show? Are you running configure on >the target system, or tried to cross-compile nginx? >It looks like for some reason nginx wasn't able to find out how to >instruct your system to use 64-bit off_t. The most likely reason >I can think of is an attempt to cross-compile nginx. Note that >cross-compiling is not supported and not going to work. The most >simple and the only supported solution would be to compile nginx >natively. Yes,I am doing a cross compile. There is no way to compile natively. The configure output: root at ava-virtual-machine:/wjk/pingos-arm3536/pingos/modules/nginx-1.20.1# ./configure --user=root --group=root --sbin-path=/usr/local/nginx/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --pid-path=/usr/local/nginx/logs/nginx.pid --error-log-path=/usr/local/nginx/logs/error.log --with-http_ssl_module --with-cc=arm-hisiv400-linux-gcc --with-cpp=arm-hisiv400-linux-cpp --with-pcre=../pcre-8.44 --with-openssl=../openssl-1.1.1k --add-module=../nginx-client-module --add-module=../nginx-multiport-module --add-module=../nginx-toolkit-module --add-module=../nginx-rtmp-module --with-http_flv_module --with-http_mp4_module --with-debug --with-zlib=../zlib-1.2.11 --with-http_stub_status_module --with-cc-opt='-D_FILE_OFFSET_BITS=64 -D_LARGE_FILE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE' --with-ld-opt='-D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE' --with-http_slice_module checking for OS + Linux 5.3.0-64-generic x86_64 checking for C compiler ... found + using GNU C compiler + gcc version: 4.8.3 20131202 (prerelease) (Hisilicon_v400) checking for gcc -pipe switch ... 
found checking for --with-ld-opt="-D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE" ... found checking for -Wl,-E switch ... found checking for gcc builtin atomic operations ... found but is not working checking for C99 variadic macros ... found but is not working checking for gcc variadic macros ... found but is not working checking for gcc builtin 64 bit byteswap ... found checking for unistd.h ... found checking for inttypes.h ... found checking for limits.h ... found checking for sys/filio.h ... not found checking for sys/param.h ... found checking for sys/mount.h ... found checking for sys/statvfs.h ... found checking for crypt.h ... found checking for Linux specific features checking for epoll ... found checking for EPOLLRDHUP ... found checking for EPOLLEXCLUSIVE ... not found checking for eventfd() ... found checking for O_PATH ... found checking for sendfile() ... found but is not working checking for sendfile64() ... found but is not working checking for sys/prctl.h ... found checking for prctl(PR_SET_DUMPABLE) ... found but is not working checking for prctl(PR_SET_KEEPCAPS) ... found but is not working checking for capabilities ... found checking for crypt_r() ... found checking for sys/vfs.h ... found checking for poll() ... found checking for /dev/poll ... not found checking for kqueue ... not found checking for crypt() ... not found checking for crypt() in libcrypt ... found checking for F_READAHEAD ... not found checking for posix_fadvise() ... found checking for O_DIRECT ... found checking for F_NOCACHE ... not found checking for directio() ... not found checking for statfs() ... found checking for statvfs() ... found checking for dlopen() ... not found checking for dlopen() in libdl ... found checking for sched_yield() ... found checking for sched_setaffinity() ... found checking for SO_SETFIB ... not found checking for SO_REUSEPORT ... not found checking for SO_ACCEPTFILTER ... not found checking for SO_BINDANY ... 
not found checking for IP_TRANSPARENT ... found checking for IP_BINDANY ... not found checking for IP_BIND_ADDRESS_NO_PORT ... not found checking for IP_RECVDSTADDR ... not found checking for IP_SENDSRCADDR ... not found checking for IP_PKTINFO ... found checking for IPV6_RECVPKTINFO ... found checking for TCP_DEFER_ACCEPT ... found checking for TCP_KEEPIDLE ... found checking for TCP_FASTOPEN ... not found checking for TCP_INFO ... found checking for accept4() ... found checking for int size ... 4 bytes checking for long size ... 4 bytes checking for long long size ... 4 bytes checking for void * size ... 4 bytes checking for uint32_t ... found checking for uint64_t ... found checking for sig_atomic_t ... found checking for sig_atomic_t size ... 4 bytes checking for socklen_t ... found checking for in_addr_t ... found checking for in_port_t ... found checking for rlim_t ... found checking for uintptr_t ... uintptr_t found checking for system byte ordering ... big endian checking for size_t size ... 4 bytes checking for off_t size ... 4 bytes checking for time_t size ... 4 bytes checking for AF_INET6 ... found checking for setproctitle() ... not found checking for pread() ... found checking for pwrite() ... found checking for pwritev() ... found checking for strerrordesc_np() ... not found checking for sys_nerr ... found but is not working checking for _sys_nerr ... found but is not working checking for localtime_r() ... found checking for clock_gettime(CLOCK_MONOTONIC) ... not found checking for clock_gettime(CLOCK_MONOTONIC) in librt ... found checking for posix_memalign() ... found checking for memalign() ... found checking for mmap(MAP_ANON|MAP_SHARED) ... found but is not working checking for mmap("/dev/zero", MAP_SHARED) ... found but is not working checking for System V shared memory ... found but is not working checking for POSIX semaphores ... not found checking for POSIX semaphores in libpthread ... 
found but is not working checking for POSIX semaphores in librt ... not found checking for struct msghdr.msg_control ... found checking for ioctl(FIONBIO) ... found checking for ioctl(FIONREAD) ... found checking for struct tm.tm_gmtoff ... found checking for struct dirent.d_namlen ... not found checking for struct dirent.d_type ... found checking for sysconf(_SC_NPROCESSORS_ONLN) ... found checking for sysconf(_SC_LEVEL1_DCACHE_LINESIZE) ... found checking for openat(), fstatat() ... found checking for getaddrinfo() ... found configuring additional modules adding module in ../nginx-client-module + ngx_client_module was configured adding module in ../nginx-multiport-module + ngx_multiport_module was configured adding module in ../nginx-toolkit-module + ngx_toolkit_module was configured adding module in ../nginx-rtmp-module + ngx_rtmp_module was configured creating objs/Makefile Configuration summary + using PCRE library: ../pcre-8.44 + using OpenSSL library: ../openssl-1.1.1k + using zlib library: ../zlib-1.2.11 nginx path prefix: "/usr/local/nginx" nginx binary file: "/usr/local/nginx/sbin/nginx" nginx modules path: "/usr/local/nginx/modules" nginx configuration prefix: "/usr/local/nginx/conf" nginx configuration file: "/usr/local/nginx/conf/nginx.conf" nginx pid file: "/usr/local/nginx/logs/nginx.pid" nginx error log file: "/usr/local/nginx/logs/error.log" nginx http access log file: "/usr/local/nginx/logs/access.log" nginx http client request body temporary files: "client_body_temp" nginx http proxy temporary files: "proxy_temp" nginx http fastcgi temporary files: "fastcgi_temp" nginx http uwsgi temporary files: "uwsgi_temp" nginx http scgi temporary files: "scgi_temp" ???: Maxim Dounin ????: 2021?6?7? 0:10 ???: nginx at nginx.org ??: Re: Server mp4 file larger than 2GB on 32bit system Hello! On Sat, Jun 05, 2021 at 08:35:32AM +0000, ? ?? wrote: > I compile a nginx for an 32bit system (ARM). 
> When I request a mp4 file which is larger than 2GB then it response with '416 Requested Range Not Satisfiable'. > The type of max_ranges is ngx_uint_t, I could not set it max than about 2000000000. > In this situation, I could I server the mp4 file correctly? The max_ranges directive is to limit the number of ranges in a request, which almost always at most one (and just one in the request you've showed). And it is completely unrelated to 416 errors. Just leave the default. > The ngx_size is set to 4 when I compile nginx. > So: > #ifndef NGX_MAX_SIZE_T_VALUE > #define NGX_MAX_SIZE_T_VALUE 2147483647 > #endif > > > #ifndef NGX_SIZE_T_LEN > #define NGX_SIZE_T_LEN (sizeof("-2147483648") - 1) > #endif > > > #ifndef NGX_MAX_OFF_T_VALUE > #define NGX_MAX_OFF_T_VALUE 2147483647 > #endif > > > #ifndef NGX_OFF_T_LEN > #define NGX_OFF_T_LEN (sizeof("-2147483648") - 1) > #endif What does "./configure" output show? Are you running configure on the target system, or tried to cross-compile nginx? It looks like for some reason nginx wasn't able to find out how to instruct your system to use 64-bit off_t. The most likely reason I can think of is an attempt to cross-compile nginx. Note that cross-compiling is not supported and not going to work. The most simple and the only supported solution would be to compile nginx natively.
-- Maxim Dounin http://mdounin.ru/ _______________________________________________ nginx mailing list nginx at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx From nginx-forum at forum.nginx.org Mon Jun 7 05:24:59 2021 From: nginx-forum at forum.nginx.org (jonok3) Date: Mon, 07 Jun 2021 01:24:59 -0400 Subject: fcgiwrap limit Message-ID: <763263daed2566ad9e0d14d826832868.NginxMailingListEnglish@forum.nginx.org> Hi, not really an nginx question but I didn't know where else to ask ... I'm load testing my nginx server which is using an application that only has a CGI interface. I have that setup and working fine, but the load test is breaking something related to CGI. I'm getting these errors when the load borks: *9039 connect() to unix:/var/run/fcgiwrap.socket failed (11: Resource temporarily unavailable) while connecting to upstream ...
I increased the number of fcgiwrap processes and that did seem to make the test go longer before it crashed, but I have noticed this - # systemctl status fcgiwrap fcgiwrap.service - Simple CGI Server Loaded: loaded (/etc/systemd/system/fcgiwrap.service; indirect; vendor preset: enabled) Active: active (running) since Mon 2021-06-07 15:06:25 AEST; 11min ago TriggeredBy: fcgiwrap.socket Main PID: 192523 (fcgiwrap) Tasks: 26 (limit: 19174) Memory: 6.9M CGroup: /system.slice/fcgiwrap.service └─192523 /usr/sbin/fcgiwrap -c 25 ... Does anyone know what the "limit" that is listed on Tasks: 26 (limit: 19174) refers to? Tasks seems to be 1+ the number of child fcgiwrap processes I have running, and changing the number of children doesn't change the limit. thanks Jonathan. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291786,291786#msg-291786 From 201904-nginx at planhack.com Mon Jun 7 05:45:00 2021 From: 201904-nginx at planhack.com (201904-nginx at planhack.com) Date: 07 Jun 21 01:45 EDT Subject: fcgiwrap limit In-Reply-To: <763263daed2566ad9e0d14d826832868.NginxMailingListEnglish@forum.nginx.org> Message-ID: <20210607054509.41199EA49F@vps1.haller.ws> Should be LimitNPROC as shown in https://blog.skbali.com/2019/09/set-ulimits-for-a-script-started-using-systemd/ From mdounin at mdounin.ru Mon Jun 7 12:20:48 2021 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 7 Jun 2021 15:20:48 +0300 Subject: =?UTF-8?Q?Re=3A_=E5=9B=9E=E5=A4=8D=3A_Server_mp4_file_larger_than_2GB_on_3?= =?UTF-8?Q?2bit_system?= In-Reply-To: References: Message-ID: Hello! On Mon, Jun 07, 2021 at 02:44:45AM +0000, ? ?? wrote: > >What does "./configure" output show? Are you running configure on > >the target system, or tried to cross-compile nginx? > > >It looks like for some reason nginx wasn't able to find out how to > >instruct your system to use 64-bit off_t. The most likely reason > >I can think of is an attempt to cross-compile nginx.
Note that > >cross-compiling is not supported and not going to work. The most > >simple and the only supported solution would be to compile nginx > >natively. > > Yes,I am doing a cross compile. > There is no way to compile natively. Certainly there is a way to compile natively. Even if for some reason, for example, due to lack of disk space, it is not possible to compile right on the target hardware, you can always compile in an emulated environment. If you nevertheless insist on cross-compiling, which is, as outlined above, is not supported, the right approach would be to check all the configure tests affected by your cross-compilation changes to nginx configure, notably all feature tests with "ngx_feature_run=yes" and all sizeof tests. Proper check would be to obtain the test binary as produced for the test by nginx configure and run it on the target system, and then make sure that results produced by your patched configure match the results from running test binaries on the target system. -- Maxim Dounin http://mdounin.ru/ From nginx-forum at forum.nginx.org Mon Jun 7 17:47:44 2021 From: nginx-forum at forum.nginx.org (bouvierh) Date: Mon, 07 Jun 2021 13:47:44 -0400 Subject: Tproxy support for IP transparency In-Reply-To: <20210605143825.GO11167@daoine.org> References: <20210605143825.GO11167@daoine.org> Message-ID: <6797362c41cb6ad89bdb083893edc1f9.NginxMailingListEnglish@forum.nginx.org> Thanks for the reply! I have looked at it, however it looks like this is intended to make proxy transparent from upstream/backend perspective: It is used so upstream server can see client address not proxy address. I am looking to do the opposite, I would like to make proxy transparent from the client perspective. 
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291775,291791#msg-291791 From yichun at openresty.com Mon Jun 7 22:55:05 2021 From: yichun at openresty.com (Yichun Zhang) Date: Mon, 7 Jun 2021 15:55:05 -0700 Subject: [ANN] OpenResty 1.19.3.2 released Message-ID: Hi folks, I am happy to announce the new formal release, 1.19.3.2, of our OpenResty web platform based on NGINX and LuaJIT. It includes the latest security fixes from Nginx and also includes the latest OpenSSL 1.1.1 version. We now also provide aarch64 package repositories for all the mainstream Linux distributions: https://openresty.org/en/linux-packages.html The full announcement, download links, and change logs can be found below: https://openresty.org/en/ann-1019003002.html OpenResty is a high performance and dynamic web platform based on our enhanced version of Nginx core, our enhanced version of LuaJIT, and many powerful Nginx modules and Lua libraries. See OpenResty's homepage for details: https://openresty.org/en/ Commercial support is provided by OpenResty Inc. for OpenResty users: https://openresty.com/ Enjoy! Best, Yichun From nginx at hide.argosnet.com Tue Jun 8 09:16:04 2021 From: nginx at hide.argosnet.com (B3r3n-NGinx) Date: Tue, 8 Jun 2021 11:16:04 +0200 Subject: Nginx as Rproxy with auth_request, websocket and authorization header change Message-ID: <48228369cd38d06f493b5092cb25d025.squirrel@wm.argosnet.com> Hello, I use NGinx as a front end for multiple accesses. Until now, I got a configuration that was perfectly working but with a recent failure I exchanged with NGinx team to discover what I was doing is...impossible :-) But apparently, it would just be a configuration issue so it becomes possible. 
NGinx should act as:
1- web server without auth for / (OK)
2- Web server with basic auth for /manager (OK)
3- Web server with authentication delegated to a back-end auth_request for /vigrid, then changing to websocket (OK)
4- Web server with authentication delegated to a back-end auth_request for /vigrid, then changing to websocket, CHANGING AUTHORIZATION (FAIL)

From 1 to 3, no issue, NGinx behaves perfectly. It validated the login (if needed) then does the job. The issue is with 4. The Heavy client sends the Authorization header, NGinx sends to /auth that will decide either to block or to let pass but then it will change the authorization header before the proxy forwards to the real back end client. That is the problem... The PHP script really receives everything and changes the header, but this header is not received back at NGinx level and so the proxy keeps receiving the old Authorization header, that is not recognized (NGinx does the authentication job). I fail to understand where is the issue. I also tried with more_set_header, failed as well. Any help welcome, I struggle for 3 days with this :-( Here are my config...
### MAIN SERVER:
server {
    listen 127.0.0.1:443 ssl default;
    server_name localhost;

    # Take fullchain here, not cert.pem
    ssl_certificate /etc/nginx/ssl/localhost.crt;
    ssl_certificate_key /etc/nginx/ssl/localhost.key;
    ssl_session_cache builtin:1000 shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # hide version
    server_tokens off;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    root /home/vigrid/www/site;
    index index.html index.htm index.php;

    # Vigrid home page
    location / {
        # sanity
        location = /favicon.ico { access_log off; log_not_found off; }
        location = /robots.txt { log_not_found off; }
        location ~ \.css { add_header Content-Type text/css; }
        location ~ \.js { add_header Content-Type application/x-javascript; }
        location ~ \.eot { add_header Content-Type application/vnd.ms-fontobject; }
        location ~ \.woff { add_header Content-Type font/woff; }

        location ~* \.(htm|html|php)$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.html)(/.+)$;
            fastcgi_index index.html;
            fastcgi_pass unix:/run/php/php7.4-fpm.sock;
            include /etc/nginx/fastcgi_params;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }

    # Vigrid management pages
    location /manager {
        # Basic authentication
        auth_basic "Vigrid's access, who are you ?";
        auth_basic_user_file /home/vigrid/etc/vigrid-passwd;

        auth_request /auth;
        auth_request_set $auth_status $upstream_status;

        location ~ \.css { add_header Content-Type text/css; }
        location ~ \.js { add_header Content-Type application/x-javascript; }
        location ~ \.eot { add_header Content-Type application/vnd.ms-fontobject; }
        location ~ \.woff { add_header Content-Type font/woff; }

        location ~* \.(htm|html|php)$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.html)(/.+)$;
            fastcgi_index index.html;
            fastcgi_pass unix:/run/php/php7.4-fpm.sock;
            include /etc/nginx/fastcgi_params;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }

    # Vigrid Heavy client
    location /vigrid {
        #auth_request_set $authHeader0 $upstream_http_authorization; proxy_set_header 'Authorization' $authHeader0;
        auth_request /auth;
        auth_request_set $auth_status $upstream_status;
        auth_request_set $auth_header $upstream_http_authorization;

        proxy_pass http://172.29.0.254:8080;
        proxy_set_header Host $host;
        proxy_set_header 'Authorization' $auth_header;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }

    location = /auth {
        internal;
        proxy_pass http://localhost:8001;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header X-Original-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
    }

    location ~ ^/(images|javascript|js|css|flash|media|static|font)/ { expires 7d; }
    location ~ /\.ht { deny all; }

    try_files $uri $uri/ /index.html?$args /index.htm?$args /index.php?$args;
}

### AUTH:
server {
    listen 127.0.0.1:8001;
    server_name localhost;

    access_log /var/log/nginx/vigrid_auth-access.log;
    error_log /var/log/nginx/vigrid_auth-error.log;

    root /home/vigrid/www/auth;
    index vigrid-auth.php;

    # hide version
    server_tokens off;

    location ~ /\.ht { deny all; }

    location / {
        # cleaning
        location = /favicon.ico { access_log off; log_not_found off; }
        location = /robots.txt { log_not_found off; }
        location ~ \.css { add_header Content-Type text/css; }
        location ~ \.js { add_header Content-Type application/x-javascript; }
        location ~ \.eot { add_header Content-Type application/vnd.ms-fontobject; }
        location ~ \.woff { add_header Content-Type font/woff; }

        location ~* \.(htm|html|php)$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_index vigrid-auth.php;
            fastcgi_pass unix:/run/php/php7.4-fpm.sock;
            # fastcgi_pass_header Authorization;
            include /etc/nginx/fastcgi_params;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }

        location ~ ^/(images|javascript|js|css|flash|media|static|font)/ { expires 7d; }
        location ~ /\.ht { deny all; }

        try_files $uri $uri/ /vigrid-auth.php?$args;
    }
}

From postmaster at palvelin.fi Tue Jun 8 18:46:32 2021 From: postmaster at palvelin.fi (Palvelin Postmaster) Date: Tue, 8 Jun 2021 11:46:32 -0700 Subject: Weird privilege errors on Ubuntu 20.04 Message-ID: <7E53027F-D28D-4129-AE59-7C7113F7FE66@palvelin.fi> I wonder what can cause these weird error log entries? The log entries indicate a PID which doesn't exist. Does nginx launch some temporary process when it starts? Nginx 1.21.0 on Ubuntu 20.04. root at k2:~# systemctl restart nginx root at k2:~# tail /var/log/nginx/error.log 2021/06/08 21:25:32 [warn] 1287733#1287733: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:21 2021/06/08 21:25:32 [emerg] 1287733#1287733: cannot load certificate key "/etc/ssl/private/nginx-selfsigned.key": BIO_new_file() failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/ssl/private/nginx-selfsigned.key','r') error:2006D002:BIO routines:BIO_new_file:system lib) root at k2:~# ls -lh /etc/ssl/private/ |grep selfsigned -rw-r----- 1 root ssl-cert 1.7K Jul 8 17:12 nginx-selfsigned.key root at k2:~# cat /etc/nginx/nginx.conf |grep ^user user www-data; root at k2:~# ps -auxw |grep nginx root 1287600 0.0 0.0 56148 6504 ? Ss 21:25 0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf www-data 1287601 0.7 0.1 58544 15652 ? S 21:25 0:05 nginx: worker process www-data 1287602 0.0 0.1 57556 13696 ? S 21:25 0:00 nginx: worker process www-data 1287603 0.0 0.1 56392 9184 ?
S 21:25 0:00 nginx: cache manager process From osa at freebsd.org.ru Tue Jun 8 19:13:02 2021 From: osa at freebsd.org.ru (Sergey A. Osokin) Date: Tue, 8 Jun 2021 22:13:02 +0300 Subject: Weird privilege errors on Ubuntu 20.04 In-Reply-To: <7E53027F-D28D-4129-AE59-7C7113F7FE66@palvelin.fi> References: <7E53027F-D28D-4129-AE59-7C7113F7FE66@palvelin.fi> Message-ID: Hi there, hope you're doing well. On Tue, Jun 08, 2021 at 11:46:32AM -0700, Palvelin Postmaster wrote: > I wonder what can cause these weird error log entries? The log entries indicate a PID which doesn't exist. Does nginx launch some temporary process when it starts? > > Nginx 1.21.0 on Ubuntu 20.04. > > root at k2:~# systemctl restart nginx > > root at k2:~# tail /var/log/nginx/error.log > 2021/06/08 21:25:32 [warn] 1287733#1287733: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:21 > 2021/06/08 21:25:32 [emerg] 1287733#1287733: cannot load certificate key "/etc/ssl/private/nginx-selfsigned.key": BIO_new_file() failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/ssl/private/nginx-selfsigned.key','r') error:2006D002:BIO routines:BIO_new_file:system lib) Seems like an attempt to start nginx without root privileges. > root at k2:~# ls -lh /etc/ssl/private/ |grep selfsigned > -rw-r----- 1 root ssl-cert 1.7K Jul 8 17:12 nginx-selfsigned.key > > root at k2:~# cat /etc/nginx/nginx.conf |grep ^user > user www-data; > > root at k2:~# ps -auxw |grep nginx > root 1287600 0.0 0.0 56148 6504 ? Ss 21:25 0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf > www-data 1287601 0.7 0.1 58544 15652 ? S 21:25 0:05 nginx: worker process > www-data 1287602 0.0 0.1 57556 13696 ? S 21:25 0:00 nginx: worker process > www-data 1287603 0.0 0.1 56392 9184 ? S 21:25 0:00 nginx: cache manager process Could you check `www-data' user permission, and add, if necessary, to the `ssl-cert' group.
-- Sergey Osokin From nginx-forum at forum.nginx.org Tue Jun 8 19:57:59 2021 From: nginx-forum at forum.nginx.org (hgv) Date: Tue, 08 Jun 2021 15:57:59 -0400 Subject: Weird privilege errors on Ubuntu 20.04 In-Reply-To: References: Message-ID: <6cc0eb0b7448275e1e92035377a1c7bb.NginxMailingListEnglish@forum.nginx.org> Hi Sergey, Adding www-data user to ssl-cert group doesn't help. root at k2# usermod -a -G ssl-cert www-data root at k2# getent group ssl-cert ssl-cert:x:112:postgres,www-data Sergey A. Osokin Wrote: ------------------------------------------------------- > Hi there, > > hope you're doing well. > > On Tue, Jun 08, 2021 at 11:46:32AM -0700, Palvelin Postmaster wrote: > > I wonder what can cause these weird error log entries? The log > entries indicate a PID which doesn't exist. Does nginx launch some > temporary process when it starts? > > > > Nginx 1.21.0 on Ubuntu 20.04. > > > > root at k2:~# systemctl restart nginx > > > > root at k2:~# tail /var/log/nginx/error.log > > 2021/06/08 21:25:32 [warn] 1287733#1287733: the "user" directive > makes sense only if the master process runs with super-user > privileges, ignored in /etc/nginx/nginx.conf:21 > > 2021/06/08 21:25:32 [emerg] 1287733#1287733: cannot load certificate > key "/etc/ssl/private/nginx-selfsigned.key": BIO_new_file() failed > (SSL: error:0200100D:system library:fopen:Permission > denied:fopen('/etc/ssl/private/nginx-selfsigned.key','r') > error:2006D002:BIO routines:BIO_new_file:system lib) > > Seems like an attempt to start nginx without root privileges. > > > root at k2:~# ls -lh /etc/ssl/private/ |grep selfsigned > > -rw-r----- 1 root ssl-cert 1.7K Jul 8 17:12 nginx-selfsigned.key > > > > root at k2:~# cat /etc/nginx/nginx.conf |grep ^user > > user www-data; > > > > root at k2:~# ps -auxw |grep nginx > > root 1287600 0.0 0.0 56148 6504 ? Ss 21:25 0:00 > nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf > > www-data 1287601 0.7 0.1 58544 15652 ?
S 21:25 0:05 > nginx: worker process > > www-data 1287602 0.0 0.1 57556 13696 ? S 21:25 0:00 > nginx: worker process > > www-data 1287603 0.0 0.1 56392 9184 ? S 21:25 0:00 > nginx: cache manager process > > Could you check `www-data' user permission, and add, if necessary, to > the `ssl-cert' group. > > -- > Sergey Osokin > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291799,291801#msg-291801 From osa at freebsd.org.ru Tue Jun 8 21:11:12 2021 From: osa at freebsd.org.ru (Sergey A. Osokin) Date: Wed, 9 Jun 2021 00:11:12 +0300 Subject: Weird privilege errors on Ubuntu 20.04 In-Reply-To: <6cc0eb0b7448275e1e92035377a1c7bb.NginxMailingListEnglish@forum.nginx.org> References: <6cc0eb0b7448275e1e92035377a1c7bb.NginxMailingListEnglish@forum.nginx.org> Message-ID: Hi, Could you check and show permissions on /etc/ssl/private, /etc/ssl, and /etc directories. Thanks. -- Sergey On Tue, Jun 08, 2021 at 03:57:59PM -0400, hgv wrote: > Hi Sergey, > > Adding www-data user to ssl-cert group doesn't help. > > root at k2# usermod -a -G ssl-cert www-data > > root at k2# getent group ssl-cert > ssl-cert:x:112:postgres,www-data > > > Sergey A. Osokin Wrote: > ------------------------------------------------------- > > Hi there, > > > > hope you're doing well. > > > > On Tue, Jun 08, 2021 at 11:46:32AM -0700, Palvelin Postmaster wrote: > > > I wonder what can cause these weird error log entries? The log > > entries indicate a PID which doesn't exist. Does nginx launch some > > temporary process when it starts? > > > > > > Nginx 1.21.0 on Ubuntu 20.04.
> > > > > > root at k2:~# systemctl restart nginx > > > > > > root at k2:~# tail /var/log/nginx/error.log > > > 2021/06/08 21:25:32 [warn] 1287733#1287733: the "user" directive > > makes sense only if the master process runs with super-user > > privileges, ignored in /etc/nginx/nginx.conf:21 > > > 2021/06/08 21:25:32 [emerg] 1287733#1287733: cannot load certificate > > key "/etc/ssl/private/nginx-selfsigned.key": BIO_new_file() failed > > (SSL: error:0200100D:system library:fopen:Permission > > denied:fopen('/etc/ssl/private/nginx-selfsigned.key','r') > > error:2006D002:BIO routines:BIO_new_file:system lib) > > > > Seems like an attempt to start nginx without root privileges. > > > > > root at k2:~# ls -lh /etc/ssl/private/ |grep selfsigned > > > -rw-r----- 1 root ssl-cert 1.7K Jul 8 17:12 nginx-selfsigned.key > > > > > > root at k2:~# cat /etc/nginx/nginx.conf |grep ^user > > > user www-data; > > > > > > root at k2:~# ps -auxw |grep nginx > > > root 1287600 0.0 0.0 56148 6504 ? Ss 21:25 0:00 > > nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf > > > www-data 1287601 0.7 0.1 58544 15652 ? S 21:25 0:05 > > nginx: worker process > > > www-data 1287602 0.0 0.1 57556 13696 ? S 21:25 0:00 > > nginx: worker process > > > www-data 1287603 0.0 0.1 56392 9184 ? S 21:25 0:00 > > nginx: cache manager process > > > > Could you check `www-data' user permission, and add, if necessary, to > > the `ssl-cert' group. 
> > > > -- > > Sergey Osokin > > _______________________________________________ > > nginx mailing list > > nginx at nginx.org > > http://mailman.nginx.org/mailman/listinfo/nginx > > Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291799,291801#msg-291801 > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx From nginx-forum at forum.nginx.org Tue Jun 8 22:02:29 2021 From: nginx-forum at forum.nginx.org (hgv) Date: Tue, 08 Jun 2021 18:02:29 -0400 Subject: Weird privilege errors on Ubuntu 20.04 In-Reply-To: References: Message-ID: <8189a9496b57a99af86ad5300285e040.NginxMailingListEnglish@forum.nginx.org> Yes, certainly. drwxr-xr-x root root /etc drwxr-xr-x root root /etc/ssl drwxr-x--- root ssl-cert /etc/ssl/private Sergey A. Osokin Wrote: ------------------------------------------------------- > Hi, > > Could you check and show permissions on /etc/ssl/private, /etc/ssl, > and /etc directories. > > Thanks. > > -- > Sergey > > On Tue, Jun 08, 2021 at 03:57:59PM -0400, hgv wrote: > > Hi Sergey, > > > > Adding www-data user to ssl-cert group doesn't help. > > > > root at k2# usermod -a -G ssl-cert www-data > > > > root at k2# getent group ssl-cert > > ssl-cert:x:112:postgres,www-data > > > > > > Sergey A. Osokin Wrote: > > ------------------------------------------------------- > > > Hi there, > > > > > > hope you're doing well. > > > > > > On Tue, Jun 08, 2021 at 11:46:32AM -0700, Palvelin Postmaster > wrote: > > > > I wonder what can cause these weird error log entries? The log > > > entries indicate a PID which doesn't exist. Does nginx launch some > > > temporary process when it starts? > > > > > > > > Nginx 1.21.0 on Ubuntu 20.04.
> > > > > > > > root at k2:~# systemctl restart nginx > > > > > > > > root at k2:~# tail /var/log/nginx/error.log > > > > 2021/06/08 21:25:32 [warn] 1287733#1287733: the "user" directive > > > makes sense only if the master process runs with super-user > > > privileges, ignored in /etc/nginx/nginx.conf:21 > > > > 2021/06/08 21:25:32 [emerg] 1287733#1287733: cannot load > certificate > > > key "/etc/ssl/private/nginx-selfsigned.key": BIO_new_file() failed > > > (SSL: error:0200100D:system library:fopen:Permission > > > denied:fopen('/etc/ssl/private/nginx-selfsigned.key','r') > > > error:2006D002:BIO routines:BIO_new_file:system lib) > > > > > > Seems like an attempt to start nginx without root privileges. > > > > > > > root at k2:~# ls -lh /etc/ssl/private/ |grep selfsigned > > > > -rw-r----- 1 root ssl-cert 1.7K Jul 8 17:12 > nginx-selfsigned.key > > > > > > > > root at k2:~# cat /etc/nginx/nginx.conf |grep ^user > > > > user www-data; > > > > > > > > root at k2:~# ps -auxw |grep nginx > > > > root 1287600 0.0 0.0 56148 6504 ? Ss 21:25 > 0:00 > > > nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf > > > > www-data 1287601 0.7 0.1 58544 15652 ? S 21:25 > 0:05 > > > nginx: worker process > > > > www-data 1287602 0.0 0.1 57556 13696 ? S 21:25 > 0:00 > > > nginx: worker process > > > > www-data 1287603 0.0 0.1 56392 9184 ? S 21:25 > 0:00 > > > nginx: cache manager process > > > > > > Could you check `www-data' user permission, and add, if necessary, > to > > > the `ssl-cert' group. 
> > > > > > -- > > > Sergey Osokin > > > _______________________________________________ > > > nginx mailing list > > > nginx at nginx.org > > > http://mailman.nginx.org/mailman/listinfo/nginx > > > > Posted at Nginx Forum: > https://forum.nginx.org/read.php?2,291799,291801#msg-291801 > > > > _______________________________________________ > > nginx mailing list > > nginx at nginx.org > > http://mailman.nginx.org/mailman/listinfo/nginx > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291799,291803#msg-291803 From osa at freebsd.org.ru Tue Jun 8 23:01:05 2021 From: osa at freebsd.org.ru (Sergey A. Osokin) Date: Wed, 9 Jun 2021 02:01:05 +0300 Subject: Weird privilege errors on Ubuntu 20.04 In-Reply-To: <8189a9496b57a99af86ad5300285e040.NginxMailingListEnglish@forum.nginx.org> References: <8189a9496b57a99af86ad5300285e040.NginxMailingListEnglish@forum.nginx.org> Message-ID: Looks good to me. I'd like to request more files: - /etc/systemd/system/nginx.service.d/override.conf - /usr/lib/systemd/system/nginx.service - /etc/nginx/nginx.conf Thanks. On Tue, Jun 08, 2021 at 06:02:29PM -0400, hgv wrote: > Yes, certainly. > > drwxr-xr-x root root /etc > drwxr-xr-x root root /etc/ssl > drwxr-x--- root ssl-cert /etc/ssl/private > > > Sergey A. Osokin Wrote: > ------------------------------------------------------- > > Hi, > > > > Could you check and show permissions on /etc/ssl/private, /etc/ssl, > > and /etc directories. > > > > Thanks. > > > > -- > > Sergey > > > > On Tue, Jun 08, 2021 at 03:57:59PM -0400, hgv wrote: > > > Hi Sergey, > > > > > > Adding www-data user to ssl-cert group doesn't help. > > > > > > root at k2# usermod -a -G ssl-cert www-data > > > > > > root at k2# getent group ssl-cert > > > ssl-cert:x:112:postgres,www-data > > > > > > > > > Sergey A. 
Osokin Wrote: > > > ------------------------------------------------------- > > > > Hi there, > > > > > > > > hope you're doing well. > > > > > > > > On Tue, Jun 08, 2021 at 11:46:32AM -0700, Palvelin Postmaster > > wrote: > > > > > I wonder what can cause these weird error log entries? The log > > > > entries indicate a PID which doesn't exist. Does nginx launch some > > > > temporary process when it starts? > > > > > > > > > > Nginx 1.21.0 on Ubuntu 20.04. > > > > > > > > > > root at k2:~# systemctl restart nginx > > > > > > > > > > root at k2:~# tail /var/log/nginx/error.log > > > > > 2021/06/08 21:25:32 [warn] 1287733#1287733: the "user" directive > > > > makes sense only if the master process runs with super-user > > > > privileges, ignored in /etc/nginx/nginx.conf:21 > > > > > 2021/06/08 21:25:32 [emerg] 1287733#1287733: cannot load > > certificate > > > > key "/etc/ssl/private/nginx-selfsigned.key": BIO_new_file() failed > > > > (SSL: error:0200100D:system library:fopen:Permission > > > > denied:fopen('/etc/ssl/private/nginx-selfsigned.key','r') > > > > error:2006D002:BIO routines:BIO_new_file:system lib) > > > > > > > > Seems like an attempt to start nginx without root privileges. > > > > > > > > > root at k2:~# ls -lh /etc/ssl/private/ |grep selfsigned > > > > > -rw-r----- 1 root ssl-cert 1.7K Jul 8 17:12 > > nginx-selfsigned.key > > > > > > > > > > root at k2:~# cat /etc/nginx/nginx.conf |grep ^user > > > > > user www-data; > > > > > > > > > > root at k2:~# ps -auxw |grep nginx > > > > > root 1287600 0.0 0.0 56148 6504 ? Ss 21:25 > > 0:00 > > > > nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf > > > > > www-data 1287601 0.7 0.1 58544 15652 ? S 21:25 > > 0:05 > > > > nginx: worker process > > > > > www-data 1287602 0.0 0.1 57556 13696 ? S 21:25 > > 0:00 > > > > nginx: worker process > > > > > www-data 1287603 0.0 0.1 56392 9184 ?
S 21:25 > > 0:00 > > > > nginx: cache manager process > > > > > > > > Could you check `www-data' user permission, and add, if necessary, > > to > > > > the `ssl-cert' group. > > > > > > > > -- > > > > Sergey Osokin > > > > _______________________________________________ > > > > nginx mailing list > > > > nginx at nginx.org > > > > http://mailman.nginx.org/mailman/listinfo/nginx > > > > > > Posted at Nginx Forum: > > https://forum.nginx.org/read.php?2,291799,291801#msg-291801 > > > > > > _______________________________________________ > > > nginx mailing list > > > nginx at nginx.org > > > http://mailman.nginx.org/mailman/listinfo/nginx > > _______________________________________________ > > nginx mailing list > > nginx at nginx.org > > http://mailman.nginx.org/mailman/listinfo/nginx > > Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291799,291803#msg-291803 > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx From lywjk at outlook.com Wed Jun 9 02:55:28 2021 From: lywjk at outlook.com (=?gb2312?B?zfUgvrK/rQ==?=) Date: Wed, 9 Jun 2021 02:55:28 +0000 Subject: Server mp4 file larger than 2GB on 32bit system In-Reply-To: References: , Message-ID: Hello, >Certainly there is a way to compile natively. Even if for some >reason, for example, due to lack of disk space, it is not possible >to compile right on the target hardware, you can always compile in >an emulated environment. Because there is no gcc tools on the target environment.(Or maybe it is exist but we could not get it.) >If you nevertheless insist on cross-compiling, which is, as >outlined above, is not supported, the right approach would be to >check all the configure tests affected by your cross-compilation >changes to nginx configure, notably all feature tests with >"ngx_feature_run=yes" and all sizeof tests. 
Proper check would be >to obtain the test binary as produced for the test by nginx >configure and run it on the target system, and then make sure that >results produced by your patched configure match the results from >running test binaries on the target system. I have try to set ngx_feature_run to no to make sendfile() and sendfile64() work, but then the server will response "ERR_CONTENT_LENGTH_MISMATCH". And try to set ngx_size to 8, but it didn't take effect. Do you mean compiling all the test program and run on the target system? Sent from Mail for Windows 10 From: Maxim Dounin Sent: June 7, 2021 20:21 To: nginx at nginx.org Subject: Re: Reply: Server mp4 file larger than 2GB on 32bit system Hello! On Mon, Jun 07, 2021 at 02:44:45AM +0000, ? ?? wrote: > >What does "./configure" output show? Are you running configure on > >the target system, or tried to cross-compile nginx? > > >It looks like for some reason nginx wasn't able to find out how to > >instruct your system to use 64-bit off_t. The most likely reason > >I can think of is an attempt to cross-compile nginx. Note that > >cross-compiling is not supported and not going to work. The most > >simple and the only supported solution would be to compile nginx > >natively. > > Yes,I am doing a cross compile. > There is no way to compile natively. Certainly there is a way to compile natively. Even if for some reason, for example, due to lack of disk space, it is not possible to compile right on the target hardware, you can always compile in an emulated environment. If you nevertheless insist on cross-compiling, which is, as outlined above, is not supported, the right approach would be to check all the configure tests affected by your cross-compilation changes to nginx configure, notably all feature tests with "ngx_feature_run=yes" and all sizeof tests.
Proper check would be to obtain the test binary as produced for the test by nginx configure and run it on the target system, and then make sure that results produced by your patched configure match the results from running test binaries on the target system. -- Maxim Dounin http://mdounin.ru/ _______________________________________________ nginx mailing list nginx at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx

From francis at daoine.org Wed Jun 9 06:32:01 2021 From: francis at daoine.org (Francis Daly) Date: Wed, 9 Jun 2021 07:32:01 +0100 Subject: Tproxy support for IP transparency In-Reply-To: <6797362c41cb6ad89bdb083893edc1f9.NginxMailingListEnglish@forum.nginx.org> References: <20210605143825.GO11167@daoine.org> <6797362c41cb6ad89bdb083893edc1f9.NginxMailingListEnglish@forum.nginx.org> Message-ID: <20210609063201.GR11167@daoine.org>

On Mon, Jun 07, 2021 at 01:47:44PM -0400, bouvierh wrote: Hi there, > I have looked at it, however it looks like this is intended to make proxy > transparent from upstream/backend perspective: > It is used so upstream server can see client address not proxy address. > > I am looking to do the opposite, I would like to make proxy transparent from > the client perspective.
I think that I don't understand what you are trying to do, and what the restrictions on it are. So I'm not going to be able to suggest a "real" way to achieve it. I think you might want the response traffic from nginx to use a specific source IP address; that might be doable outside of nginx. And I'm not sure why you don't tell the client that nginx *is* the server, or move the "server" and put nginx where it was; but I suspect that there are good reasons not to do that (maybe there are multiple clients configured the same way, and only some should be intercepted?). So I'll let someone else make a suggestion. Good luck with it, f -- Francis Daly francis at daoine.org From mdounin at mdounin.ru Wed Jun 9 14:24:45 2021 From: mdounin at mdounin.ru (Maxim Dounin) Date: Wed, 9 Jun 2021 17:24:45 +0300 Subject: Server mp4 file larger than 2GB on 32bit system In-Reply-To: References: Message-ID: Hello! On Wed, Jun 09, 2021 at 02:55:28AM +0000, ? ?? wrote: > >Certainly there is a way to compile natively. Even if for some > >reason, for example, due to lack of disk space, it is not possible > >to compile right on the target hardware, you can always compile in > >an emulated environment. > > Because there is no gcc tools on the target environment.(Or > maybe it is exist but we could not get it.) That's sad, but as long as you have a cross-compiler available, you can cross-compile a compiler and use it for native compilation. > >If you nevertheless insist on cross-compiling, which is, as > >outlined above, is not supported, the right approach would be to > >check all the configure tests affected by your cross-compilation > >changes to nginx configure, notably all feature tests with > >"ngx_feature_run=yes" and all sizeof tests. 
Proper check would be > >to obtain the test binary as produced for the test by nginx > >configure and run it on the target system, and then make sure that > >results produced by your patched configure match the results from > >running test binaries on the target system.
>
> I have tried to set ngx_feature_run to no to make sendfile() and
> sendfile64() work, but then the server responds with
> "ERR_CONTENT_LENGTH_MISMATCH".

There are multiple feature tests with ngx_feature_run=yes, and each of these tests needs to be properly evaluated. Just setting ngx_feature_run=no will likely result in an incorrectly working binary.

> And I tried to set ngx_size to 8, but it didn't take effect.

Similarly, there are multiple sizeof tests, and each of these tests needs to be properly evaluated. Just setting ngx_size for all the tests to a fixed value is certainly wrong.

> Do you mean compiling all the test programs and running them on the target system?

Each feature test with ngx_feature_run=yes and each sizeof test compiles a test program, and runs it to obtain the test result. To properly cross-compile nginx you have to provide correct test results yourself - that is, you have to run the test program on the target system, record the result, and then use it in configure instead of running the particular test program.

Note again that test results are different for different tests. In particular, simply returning ngx_size=4 from all the sizeof tests is wrong and expected to cause problems like the one you are facing. You have to properly check sizes of all the types, they are different.
-- Maxim Dounin http://mdounin.ru/

From nginx-forum at forum.nginx.org Wed Jun 9 15:46:32 2021 From: nginx-forum at forum.nginx.org (hgv) Date: Wed, 09 Jun 2021 11:46:32 -0400 Subject: Weird privilege errors on Ubuntu 20.04 In-Reply-To: References: Message-ID: <9f3b3547d6d9cab471d450b223e01100.NginxMailingListEnglish@forum.nginx.org>

/etc/systemd/system/nginx.service.d/override.conf and /usr/lib/systemd/system/nginx.service don't exist

/etc/nginx/nginx.conf below

user www-data;
worker_processes auto;
pid /run/nginx.pid;
worker_rlimit_nofile 16384;

events {
    worker_connections 1024;
    use epoll;
    multi_accept on;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    server_tokens off;
    types_hash_max_size 2048;
    fastcgi_read_timeout 1800;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    server_names_hash_bucket_size 128;
    index index.php index.html index.htm;

    log_format main_ext '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for" '
                        '"$host" sn="$server_name" '
                        'rt=$request_time '
                        'ua="$upstream_addr" us="$upstream_status" '
                        'ut="$upstream_response_time" ul="$upstream_response_length" '
                        'cs=$upstream_cache_status';

    access_log /var/log/nginx/access.log main_ext;
    error_log /var/log/nginx/error.log warn;

    gzip on;
    gzip_disable "MSIE [1-6]\.";
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 200;
    gzip_buffers 16 8k;
    gzip_http_version 1.0;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types text/css text/plain text/javascript application/javascript application/x-javascript application/json application/xml application/xml+rss application/xhtml+xml application/x-font-ttf application/x-font-opentype application/vnd.ms-fontobject image/svg+xml image/x-icon application/rss+xml application/atom_xml;

    open_file_cache max=1000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    fastcgi_cache_path /var/lib/nginx/fastcgi/keventajat-fi levels=1:2 keys_zone=keventajat-fi:10m inactive=24h max_size=372m use_temp_path=off;
    fastcgi_cache_key "$scheme$request_method$host$request_uri";
    fastcgi_cache_use_stale error timeout invalid_header http_500;
    fastcgi_cache_valid 200 301 302 24h;
    fastcgi_cache_valid 404 1m;
    fastcgi_ignore_headers Cache-Control Expires Set-Cookie Vary;
    fastcgi_cache_background_update on;
    fastcgi_cache_revalidate on;

    limit_req_zone $binary_remote_addr zone=wplogin:5m rate=1r/s;
    limit_req_zone $binary_remote_addr zone=magsearch:5m rate=15r/m;

    send_timeout 60s;
    client_max_body_size 64m;
    client_body_timeout 60s;
    client_body_buffer_size 128K;
    client_header_timeout 30s;
    client_header_buffer_size 1k;
    keepalive_timeout 15s;
    keepalive_requests 100000;

    proxy_connect_timeout 30;
    proxy_send_timeout 300;
    proxy_read_timeout 300;

    resolver 127.0.0.53 valid=30s;
    resolver_timeout 10s;

    upstream php56 {
        server unix:/run/php/php5.6-fpm.sock max_fails=20 fail_timeout=60;
    }

    upstream php74 {
        server unix:/run/php/php7.4-fpm.sock max_fails=20 fail_timeout=60;
    }

    upstream graphql {
        server 127.0.0.1:3000;
    }

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 120m;
    ssl_session_tickets on;
    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_ciphers !aNULL:!eNULL:FIPS@STRENGTH;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*.conf;

    map $uri $no_slash_uri {
        ~^/(?<no_slash>.*)$ $no_slash;
    }
}

Sergey A. Osokin Wrote: ------------------------------------------------------- > Looks good to me. > > I'd like to request more files: > - /etc/systemd/system/nginx.service.d/override.conf > - /usr/lib/systemd/system/nginx.service > - /etc/nginx/nginx.conf > > Thanks. > > On Tue, Jun 08, 2021 at 06:02:29PM -0400, hgv wrote: > > Yes, certainly. > > > > drwxr-xr-x root root /etc > > drwxr-xr-x root root /etc/ssl > > drwxr-x--- root ssl-cert /etc/ssl/private > > > > > > Sergey A.
Osokin Wrote: > > ------------------------------------------------------- > > > Hi, > > > > > > Could you check and show permissions on /etc/ssl/private, > /etc/ssl, > > > and /etc directories. > > > > > > Thanks. > > > > > > -- > > > Sergey > > > > > > On Tue, Jun 08, 2021 at 03:57:59PM -0400, hgv wrote: > > > > Hi Sergey, > > > > > > > > Adding www-data user to ssl-cert group doesn't help. > > > > > > > > root at k2# usermod -a -G ssl-cert www-data > > > > > > > > root at k2# getent group ssl-cert > > > > ssl-cert:x:112:postgres,www-data > > > > > > > > > > > > Sergey A. Osokin Wrote: > > > > ------------------------------------------------------- > > > > > Hi there, > > > > > > > > > > hope you're doing well. > > > > > > > > > > On Tue, Jun 08, 2021 at 11:46:32AM -0700, Palvelin Postmaster > > > wrote: > > > > > > I wonder what can cause these weird error log entries? The > log > > > > > entries indicate a PID which doesn't exist. Does nginx launch > some > > > > > temporary process when it starts? > > > > > > > > > > > > Nginx 1.21.0 on Ubuntu 20.04. > > > > > > > > > > > > root at k2:~# systemctl restart nginx > > > > > > > > > > > > root at k2:~# tail /var/log/nginx/error.log > > > > > > 2021/06/08 21:25:32 [warn] 1287733#1287733: the "user" > directive > > > > > makes sense only if the master process runs with super-user > > > > > privileges, ignored in /etc/nginx/nginx.conf:21 > > > > > > 2021/06/08 21:25:32 [emerg] 1287733#1287733: cannot load > > > certificate > > > > > key "/etc/ssl/private/nginx-selfsigned.key": BIO_new_file() > failed > > > > > (SSL: error:0200100D:system library:fopen:Permission > > > > > denied:fopen('/etc/ssl/private/nginx-selfsigned.key','r') > > > > > error:2006D002:BIO routines:BIO_new_file:system lib) > > > > > > > > > > Seems like an attempt to start nginx without root privileges.
> > > > > > > > > > > root at k2:~# ls -lh /etc/ssl/private/ |grep selfsigned > > > > > > -rw-r----- 1 root ssl-cert 1.7K Jul 8 17:12 > > > nginx-selfsigned.key > > > > > > > > > > > > root at k2:~# cat /etc/nginx/nginx.conf |grep ^user > > > > > > user www-data; > > > > > > > > > > > > root at k2:~# ps -auxw |grep nginx > > > > > > root 1287600 0.0 0.0 56148 6504 ? Ss 21:25 > > > > 0:00 > > > > > nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf > > > > > > www-data 1287601 0.7 0.1 58544 15652 ? S 21:25 > > > > 0:05 > > > > > nginx: worker process > > > > > > www-data 1287602 0.0 0.1 57556 13696 ? S 21:25 > > > > 0:00 > > > > > nginx: worker process > > > > > > www-data 1287603 0.0 0.1 56392 9184 ? S 21:25 > > > > 0:00 > > > > > nginx: cache manager process > > > > > > > > > > Could you check `www-data' user permission, and add, if > necessary, > > > to > > > > > the `ssl-cert' group. > > > > > > > > > > -- > > > > > Sergey Osokin > > > > > _______________________________________________ > > > > > nginx mailing list > > > > > nginx at nginx.org > > > > > http://mailman.nginx.org/mailman/listinfo/nginx > > > > > > > > Posted at Nginx Forum: > > > https://forum.nginx.org/read.php?2,291799,291801#msg-291801 > > > > > > > > _______________________________________________ > > > > nginx mailing list > > > > nginx at nginx.org > > > > http://mailman.nginx.org/mailman/listinfo/nginx > > > _______________________________________________ > > > nginx mailing list > > > nginx at nginx.org > > > http://mailman.nginx.org/mailman/listinfo/nginx > > > > Posted at Nginx Forum: > https://forum.nginx.org/read.php?2,291799,291803#msg-291803 > > > > _______________________________________________ > > nginx mailing list > > nginx at nginx.org > > http://mailman.nginx.org/mailman/listinfo/nginx > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,291799,291812#msg-291812 From osa at freebsd.org.ru Wed Jun 9 16:45:51 2021 From: osa at freebsd.org.ru (Sergey A. Osokin) Date: Wed, 9 Jun 2021 19:45:51 +0300 Subject: Weird privilege errors on Ubuntu 20.04 In-Reply-To: <9f3b3547d6d9cab471d450b223e01100.NginxMailingListEnglish@forum.nginx.org> References: <9f3b3547d6d9cab471d450b223e01100.NginxMailingListEnglish@forum.nginx.org> Message-ID: On Wed, Jun 09, 2021 at 11:46:32AM -0400, hgv wrote: > /etc/systemd/system/nginx.service.d/override.conf and > /usr/lib/systemd/system/nginx.service don't exist Thanks for the update. Not sure how nginx package has been installed on that box. So, I'd recommend to follow the instruction and install nginx from a prebuilt Ubuntu package: https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/#prebuilt_ubuntu Thanks. -- Sergey Osokin From nginx-forum at forum.nginx.org Wed Jun 9 17:43:57 2021 From: nginx-forum at forum.nginx.org (hgv) Date: Wed, 09 Jun 2021 13:43:57 -0400 Subject: Weird privilege errors on Ubuntu 20.04 In-Reply-To: References: Message-ID: Nginx has been installed from the official Nginx repository. /etc/apt/sources.list.d/nginx.list deb [arch=amd64] http://nginx.org/packages/mainline/ubuntu/ focal nginx Sergey A. Osokin Wrote: ------------------------------------------------------- > On Wed, Jun 09, 2021 at 11:46:32AM -0400, hgv wrote: > > /etc/systemd/system/nginx.service.d/override.conf and > > /usr/lib/systemd/system/nginx.service don't exist > > Thanks for the update. > > Not sure how nginx package has been installed on that box. So, I'd > recommend > to follow the instruction and install nginx from a prebuilt Ubuntu > package: > > https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-n > ginx-open-source/#prebuilt_ubuntu > > Thanks. 
> > -- > Sergey Osokin > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291799,291814#msg-291814 From nginx-forum at forum.nginx.org Wed Jun 9 17:50:08 2021 From: nginx-forum at forum.nginx.org (hgv) Date: Wed, 09 Jun 2021 13:50:08 -0400 Subject: Weird privilege errors on Ubuntu 20.04 In-Reply-To: References: Message-ID: <57a7e19d51a561b76dd08fad996f3aa8.NginxMailingListEnglish@forum.nginx.org> In case it's relevant, I believe the initially installed version was 1.16 on Ubuntu 18.04. Both have since been upgraded to current versions. hgv Wrote: ------------------------------------------------------- > Nginx has been installed from the official Nginx repository. > > /etc/apt/sources.list.d/nginx.list > > deb [arch=amd64] http://nginx.org/packages/mainline/ubuntu/ focal > nginx > > > Sergey A. Osokin Wrote: > ------------------------------------------------------- > > On Wed, Jun 09, 2021 at 11:46:32AM -0400, hgv wrote: > > > /etc/systemd/system/nginx.service.d/override.conf and > > > /usr/lib/systemd/system/nginx.service don't exist > > > > Thanks for the update. > > > > Not sure how nginx package has been installed on that box. So, I'd > > recommend > > to follow the instruction and install nginx from a prebuilt Ubuntu > > package: > > > > > https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-n > > > ginx-open-source/#prebuilt_ubuntu > > > > Thanks. > > > > -- > > Sergey Osokin > > _______________________________________________ > > nginx mailing list > > nginx at nginx.org > > http://mailman.nginx.org/mailman/listinfo/nginx Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291799,291815#msg-291815 From osa at freebsd.org.ru Wed Jun 9 18:20:42 2021 From: osa at freebsd.org.ru (Sergey A. 
Osokin) Date: Wed, 9 Jun 2021 21:20:42 +0300 Subject: Weird privilege errors on Ubuntu 20.04 In-Reply-To: <57a7e19d51a561b76dd08fad996f3aa8.NginxMailingListEnglish@forum.nginx.org> References: <57a7e19d51a561b76dd08fad996f3aa8.NginxMailingListEnglish@forum.nginx.org> Message-ID:

On Wed, Jun 09, 2021 at 01:50:08PM -0400, hgv wrote:
> In case it's relevant, I believe the initially installed version was 1.16 on
> Ubuntu 18.04. Both have since been upgraded to current versions.

dpkg-deb(1) shows the following files in the package you've installed:

% dpkg-deb -c nginx_1.21.0-1\~focal_amd64.deb | grep system/nginx
-rw-r--r-- root/root 476 2021-05-25 09:01 ./lib/systemd/system/nginx-debug.service
-rw-r--r-- root/root 470 2021-05-25 09:01 ./lib/systemd/system/nginx.service

Seems like missed files?

-- Sergey Osokin

> hgv Wrote: > ------------------------------------------------------- > > Nginx has been installed from the official Nginx repository. > > > > /etc/apt/sources.list.d/nginx.list > > > > deb [arch=amd64] http://nginx.org/packages/mainline/ubuntu/ focal > > nginx > > > > > > Sergey A. Osokin Wrote: > > ------------------------------------------------------- > > > On Wed, Jun 09, 2021 at 11:46:32AM -0400, hgv wrote: > > > > /etc/systemd/system/nginx.service.d/override.conf and > > > > /usr/lib/systemd/system/nginx.service don't exist > > > > > > Thanks for the update. > > > > > > Not sure how nginx package has been installed on that box. So, I'd > > > recommend > > > to follow the instruction and install nginx from a prebuilt Ubuntu > > > package: > > > > > > > > https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-n > > > > > ginx-open-source/#prebuilt_ubuntu > > > > > > Thanks.
> > > > > > -- > > > Sergey Osokin > > > _______________________________________________ > > > nginx mailing list > > > nginx at nginx.org > > > http://mailman.nginx.org/mailman/listinfo/nginx > > Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291799,291815#msg-291815 > > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx From nginx-forum at forum.nginx.org Wed Jun 9 18:55:57 2021 From: nginx-forum at forum.nginx.org (hgv) Date: Wed, 09 Jun 2021 14:55:57 -0400 Subject: Weird privilege errors on Ubuntu 20.04 In-Reply-To: References: Message-ID: <36c9fde91631235b0147ff6f43a5bd6a.NginxMailingListEnglish@forum.nginx.org> /lib/systemd/system/nginx-debug.service and /lib/systemd/system/nginx.service exist (different path then what you previously asked, sorry for the misunderstanding) /lib/systemd/system/nginx-debug.service [Unit] Description=nginx - high performance web server Documentation=https://nginx.org/en/docs/ After=network-online.target remote-fs.target nss-lookup.target Wants=network-online.target [Service] Type=forking PIDFile=/var/run/nginx.pid ExecStart=/usr/sbin/nginx-debug -c /etc/nginx/nginx.conf ExecReload=/bin/sh -c "/bin/kill -s HUP $(/bin/cat /var/run/nginx.pid)" ExecStop=/bin/sh -c "/bin/kill -s TERM $(/bin/cat /var/run/nginx.pid)" [Install] WantedBy=multi-user.target /lib/systemd/system/nginx.service [Unit] Description=nginx - high performance web server Documentation=https://nginx.org/en/docs/ After=network-online.target remote-fs.target nss-lookup.target Wants=network-online.target [Service] Type=forking PIDFile=/var/run/nginx.pid ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf ExecReload=/bin/sh -c "/bin/kill -s HUP $(/bin/cat /var/run/nginx.pid)" ExecStop=/bin/sh -c "/bin/kill -s TERM $(/bin/cat /var/run/nginx.pid)" [Install] WantedBy=multi-user.target Sergey A. 
Osokin Wrote: ------------------------------------------------------- > On Wed, Jun 09, 2021 at 01:50:08PM -0400, hgv wrote: > > In case it's relevant, I believe the initially installed version was > 1.16 on > > Ubuntu 18.04. Both have since been upgraded to current versions. > > dpkg-deb(1) shows the following files in the package you've installed: > > % dpkg-deb -c nginx_1.21.0-1\~focal_amd64.deb | grep system/nginx > -rw-r--r-- root/root 476 2021-05-25 09:01 > ./lib/systemd/system/nginx-debug.service > -rw-r--r-- root/root 470 2021-05-25 09:01 > ./lib/systemd/system/nginx.service > > Seems like missed files? > > -- > Sergey Osokin > > > hgv Wrote: > > ------------------------------------------------------- > > > Nginx has been installed from the official Nginx repository. > > > > > > /etc/apt/sources.list.d/nginx.list > > > > > > deb [arch=amd64] http://nginx.org/packages/mainline/ubuntu/ focal > > > nginx > > > > > > > > > Sergey A. Osokin Wrote: > > > ------------------------------------------------------- > > > > On Wed, Jun 09, 2021 at 11:46:32AM -0400, hgv wrote: > > > > > /etc/systemd/system/nginx.service.d/override.conf and > > > > > /usr/lib/systemd/system/nginx.service don't exist > > > > > > > > Thanks for the update. > > > > > > > > Not sure how nginx package has been installed on that box. So, > I'd > > > > recommend > > > > to follow the instruction and install nginx from a prebuilt > Ubuntu > > > > package: > > > > > > > > > > > > https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-n > > > > > > > ginx-open-source/#prebuilt_ubuntu > > > > > > > > Thanks. 
> > > > > > > > -- > > > > Sergey Osokin > > > > _______________________________________________ > > > > nginx mailing list > > > > nginx at nginx.org > > > > http://mailman.nginx.org/mailman/listinfo/nginx > > > > Posted at Nginx Forum: > https://forum.nginx.org/read.php?2,291799,291815#msg-291815 > > > > _______________________________________________ > > nginx mailing list > > nginx at nginx.org > > http://mailman.nginx.org/mailman/listinfo/nginx > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291799,291819#msg-291819 From osa at freebsd.org.ru Wed Jun 9 20:51:09 2021 From: osa at freebsd.org.ru (Sergey A. Osokin) Date: Wed, 9 Jun 2021 23:51:09 +0300 Subject: Weird privilege errors on Ubuntu 20.04 In-Reply-To: <36c9fde91631235b0147ff6f43a5bd6a.NginxMailingListEnglish@forum.nginx.org> References: <36c9fde91631235b0147ff6f43a5bd6a.NginxMailingListEnglish@forum.nginx.org> Message-ID: On Wed, Jun 09, 2021 at 02:55:57PM -0400, hgv wrote: > /lib/systemd/system/nginx-debug.service and > /lib/systemd/system/nginx.service exist (different path then what you > previously asked, sorry for the misunderstanding) That's coming more and more interested than I expected, so could you show output of the following command: # ls -la / | grep usr -- Sergey Osokin From nginx-forum at forum.nginx.org Wed Jun 9 20:57:08 2021 From: nginx-forum at forum.nginx.org (hgv) Date: Wed, 09 Jun 2021 16:57:08 -0400 Subject: Weird privilege errors on Ubuntu 20.04 In-Reply-To: References: Message-ID: <3c6ae4fd67951d18152b34d50ff45054.NginxMailingListEnglish@forum.nginx.org> root at k2# ls -la / | grep usr drwxr-xr-x 13 root root usr Sergey A. 
Osokin Wrote: ------------------------------------------------------- > On Wed, Jun 09, 2021 at 02:55:57PM -0400, hgv wrote: > > /lib/systemd/system/nginx-debug.service and > > /lib/systemd/system/nginx.service exist (different path then what > you > > previously asked, sorry for the misunderstanding) > > That's coming more and more interested than I expected, so could you > show output of the following command: > > # ls -la / | grep usr > > -- > Sergey Osokin > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291799,291821#msg-291821

From osa at freebsd.org.ru Wed Jun 9 21:02:43 2021 From: osa at freebsd.org.ru (Sergey A. Osokin) Date: Thu, 10 Jun 2021 00:02:43 +0300 Subject: Weird privilege errors on Ubuntu 20.04 In-Reply-To: <3c6ae4fd67951d18152b34d50ff45054.NginxMailingListEnglish@forum.nginx.org> References: <3c6ae4fd67951d18152b34d50ff45054.NginxMailingListEnglish@forum.nginx.org> Message-ID:

On Wed, Jun 09, 2021 at 04:57:08PM -0400, hgv wrote:
> root at k2# ls -la / | grep usr
> drwxr-xr-x 13 root root usr

And I have a bit different layout here:

$ ls -al / | grep usr
lrwxrwxrwx 1 root root 7 Feb 1 17:20 bin -> usr/bin
lrwxrwxrwx 1 root root 7 Feb 1 17:20 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Feb 1 17:20 lib32 -> usr/lib32
lrwxrwxrwx 1 root root 9 Feb 1 17:20 lib64 -> usr/lib64
lrwxrwxrwx 1 root root 10 Feb 1 17:20 libx32 -> usr/libx32
lrwxrwxrwx 1 root root 8 Feb 1 17:20 sbin -> usr/sbin
drwxr-xr-x 15 root root 4096 Apr 23 14:51 usr

Is there any idea what may be wrong?
-- Sergey Osokin From nginx-forum at forum.nginx.org Wed Jun 9 21:16:17 2021 From: nginx-forum at forum.nginx.org (hgv) Date: Wed, 09 Jun 2021 17:16:17 -0400 Subject: Weird privilege errors on Ubuntu 20.04 In-Reply-To: References: Message-ID: Are you suggesting not having symbolic links to various subdirectories of /usr at the file system root is the cause of my issue? I don't have those symbolic links in any of my Ubuntu 20.04 instances. Sergey A. Osokin Wrote: ------------------------------------------------------- > On Wed, Jun 09, 2021 at 04:57:08PM -0400, hgv wrote: > > root at k2# ls -la / | grep usr > > drwxr-xr-x 13 root root usr > > And I have a bit different layout here: > $ ls -al / | grep usr > lrwxrwxrwx 1 root root 7 Feb 1 17:20 bin -> usr/bin > lrwxrwxrwx 1 root root 7 Feb 1 17:20 lib -> usr/lib > lrwxrwxrwx 1 root root 9 Feb 1 17:20 lib32 -> usr/lib32 > lrwxrwxrwx 1 root root 9 Feb 1 17:20 lib64 -> usr/lib64 > lrwxrwxrwx 1 root root 10 Feb 1 17:20 libx32 -> usr/libx32 > lrwxrwxrwx 1 root root 8 Feb 1 17:20 sbin -> usr/sbin > drwxr-xr-x 15 root root 4096 Apr 23 14:51 usr > > Is there any idea what may wrong? > > -- > Sergey Osokin > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291799,291823#msg-291823 From osa at freebsd.org.ru Wed Jun 9 21:35:33 2021 From: osa at freebsd.org.ru (Sergey A. Osokin) Date: Thu, 10 Jun 2021 00:35:33 +0300 Subject: Weird privilege errors on Ubuntu 20.04 In-Reply-To: References: Message-ID: On Wed, Jun 09, 2021 at 05:16:17PM -0400, hgv wrote: > Are you suggesting not having symbolic links to various subdirectories of > /usr at the file system root is the cause of my issue? I don't think I can recommend that. > I don't have those symbolic links in any of my Ubuntu 20.04 instances. I'm still on position to analyse/understand those differences. 
-- Sergey Osokin From francis at daoine.org Wed Jun 9 23:17:26 2021 From: francis at daoine.org (Francis Daly) Date: Thu, 10 Jun 2021 00:17:26 +0100 Subject: Serve same website under two URLs / domains with certbot In-Reply-To: <34be94c9bc10fef82bc18611424c4160.NginxMailingListEnglish@forum.nginx.org> References: <20210605192103.GP11167@daoine.org> <34be94c9bc10fef82bc18611424c4160.NginxMailingListEnglish@forum.nginx.org> Message-ID: <20210609231726.GT11167@daoine.org> On Sat, Jun 05, 2021 at 06:32:42PM -0400, forumacct wrote: Hi there, > I did this: > sudo certbot --nginx -d skywatcher.space -d www.skywatcher.space -d > drgert.dyndns.ws > > And it asked if I want to append the multiple domains into the same > certificate which I confirmed. It created one file > /etc/letsencrypt/live/skywatcher.space/fullchain.pem > which has 3 sections I assume representing the three domain names. (Why do > www.domain.com and domain.com count as two?) My guess is that any pattern that the client should attempt to match the hostname they chose to use against, counts as "one". So two different strings are two. > Then a single file in sites-enabled worked for me. > > vi /etc/nginx/sites-enabled/rpi3_https_2dom.conf > # Default server configuration > server { > listen 80 ; > listen 8000; # Alternate http port > root /media/usbstick/nginx/www; > > # Add index.php to the list if you are using PHP > index index.php index.html index.htm; > server_name drgert.dyndns.ws skywatcher.space www.skywatcher.space; > # managed by Certbot > > location / { > # First attempt to serve request as file, then > # as directory, then fall back to displaying a 404. 
> try_files $uri $uri/ =404; > } > > # pass PHP scripts to FastCGI server > location ~ \.php$ { > include snippets/fastcgi-php.conf; > fastcgi_pass unix:/run/php/php7.3-fpm.sock; > } > > listen 443 ssl; # managed by Certbot > ssl_certificate /etc/letsencrypt/live/skywatcher.space/fullchain.pem; # > managed by Certbot > ssl_certificate_key /etc/letsencrypt/live/skywatcher.space/privkey.pem; > # managed by Certbot > include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot > ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot > } > > For your experience/background is there anything in the above that is not > yet OK? It looks like it should work as-is. I think that the try_files line in "location /" is probably unnecessary, since it mostly reflects what the default is anyway. And I think that the "# managed by Certbot" lines, once they are set up once, probably never need to be changed if the tool is "just" renewing the same cert in future -- all the next run of Certbot needs do is replace the ssl_certificate file contents, and cause nginx to read the new content. (Maybe that is what it does anyway.) Cheers, f -- Francis Daly francis at daoine.org From nginx-forum at forum.nginx.org Thu Jun 10 00:58:42 2021 From: nginx-forum at forum.nginx.org (admobwebmaster) Date: Wed, 09 Jun 2021 20:58:42 -0400 Subject: video server! Message-ID: <778c9a53b04d4f8b216b33a18aa13030.NginxMailingListEnglish@forum.nginx.org> Hello friends! I have a video server with nginx that I use in my app, I was wondering if there is any way to encrypt the links of my videos hosted on the server to block capturing my video links and being used by third parties. I wanted tips on how to expire the video links on my server and protect it. Thank you all. 
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291826,291826#msg-291826

From nginx-forum at forum.nginx.org Thu Jun 10 09:43:02 2021
From: nginx-forum at forum.nginx.org (raphy)
Date: Thu, 10 Jun 2021 05:43:02 -0400
Subject: What's the problem with this nginx configuration?
In-Reply-To: <45a75d0f-f3e3-40ed-8651-03596564377a@thomas-ward.net>
References: <45a75d0f-f3e3-40ed-8651-03596564377a@thomas-ward.net>
Message-ID: <4a548b286341d3049daaff1a8179ee69.NginxMailingListEnglish@forum.nginx.org>

Thank you!!!

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291599,291827#msg-291827

From nginx-forum at forum.nginx.org Thu Jun 10 10:14:03 2021
From: nginx-forum at forum.nginx.org (raphy)
Date: Thu, 10 Jun 2021 06:14:03 -0400
Subject: Nginx Configuration for websocket: Error during WebSocket handshake: Unexpected response code: 403
Message-ID: <1070ea3a775a1a2f81862d7782435441.NginxMailingListEnglish@forum.nginx.org>

In order to use XMPP with websocket, and take advantage of nginx
capabilities to proxy to 443 and to serve multiple domains, I've configured
nginx as follows:

    server {
        listen 443 ssl http2 default_server;
        server_name grasp.deals www.grasp.deals;

        ssl_certificate /etc/letsencrypt/live/grasp.deals/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/grasp.deals/privkey.pem; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        ssl_session_timeout 5m;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:50m;

        access_log /var/log/nginx/graspdeals-access.log combined;
        add_header Strict-Transport-Security "max-age=31536000";

        location = /favicon.ico {
            access_log off;
            log_not_found off;
        }

        location / {
            proxy_pass http://127.0.0.1:8080;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        location /weights {
            root /home/raphy/www;
            try_files $uri $uri/ =404;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Following is necessary for Websocket support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        location /http-bind {
            proxy_pass http://127.0.0.1:5280/http-bind;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_buffering off;
            tcp_nodelay on;
        }

        location /xmpp-websocket {
            proxy_pass http://127.0.0.1:5280/xmpp-websocket;
            proxy_http_version 1.1;
            proxy_set_header Connection "Upgrade";
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_read_timeout 900s;
        }
    }

    server {
        listen 81;
        server_name grasp.deals www.grasp.deals;

        location ~ ^/(websocket|websocket\/socket-io) {
            proxy_pass http://127.0.0.1:4201;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Forwared-For $remote_addr;
            proxy_set_header Host $host;
            proxy_redirect off;
            proxy_set_header X-Real-IP $remote_addr;
        }

        # https://prosody.im/doc/setting_up_bosh
        location /http-bind {
            proxy_pass http://127.0.0.1:5280/http-bind;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_buffering off;
            tcp_nodelay on;
        }

        # https://prosody.im/doc/websocket#nginx
        location /xmpp-websocket {
            proxy_pass http://127.0.0.1:5280/xmpp-websocket;
            proxy_http_version 1.1;
            proxy_set_header Connection "Upgrade";
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_read_timeout 900s;
        }
    }

    upstream golang-webserver {
        ip_hash;
        server 127.0.0.1:2000;
    }

    server {
        root /puser/add;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:50m;

        location / {
            proxy_pass http://golang-webserver;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }

    server {
        if ($host = grasp.deals) {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        if ($host = www.grasp.deals) {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        if ($host = conference.grasp.deals) {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        server_name grasp.deals www.grasp.deals conference.grasp.deals;
        listen 80 default_server;
        return 404; # managed by Certbot
    }

    server {
        listen 443 ssl http2;
        server_name conference.grasp.deals; # managed by Certbot

        ssl_certificate /etc/letsencrypt/live/grasp.deals/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/grasp.deals/privkey.pem; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        ssl_session_timeout 5m;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:50m;

        access_log /var/log/nginx/graspdeals-access.log combined;
        add_header Strict-Transport-Security "max-age=31536000";

        location = /favicon.ico {
            access_log off;
            log_not_found off;
        }

        location / {
            proxy_pass http://127.0.0.1:8080;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        location /weights {
            root /home/raphy/www;
            try_files $uri $uri/ =404;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Following is necessary for Websocket support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        # https://prosody.im/doc/setting_up_bosh
        location /http-bind {
            proxy_pass http://127.0.0.1:5280/http-bind;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_buffering off;
            tcp_nodelay on;
        }

        # https://prosody.im/doc/websocket#nginx
        location /xmpp-websocket {
            proxy_pass http://127.0.0.1:5280/xmpp-websocket;
            proxy_http_version 1.1;
            proxy_set_header Connection "Upgrade";
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_read_timeout 900s;
        }
    }

In the app I'm developing, when I switch from BOSH (http-bind), which works
fine:

    let [conn, setConn] = React.useState(new Strophe.Connection("https://grasp.deals/http-bind"));

to websocket:

    let [conn, setConn] = React.useState(new Strophe.Connection("wss://grasp.deals/xmpp-websocket"));

I get this error:

    WebSocket connection to 'wss://grasp.deals/xmpp-websocket' failed: Error during WebSocket handshake:
    Unexpected response code: 403

I asked in the prosody XMPP server chat, and I got this answer: "take time
to understand what nginx is doing in your setup, and what a reverse proxy
is, and understand what service is listening on what ports"

So... I'm here to understand more about nginx configuration for websocket,
and how to solve this problem "Error during WebSocket handshake".

Looking forward to your kind help and suggestions.
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291828,291828#msg-291828 From pluknet at nginx.com Thu Jun 10 12:00:36 2021 From: pluknet at nginx.com (Sergey Kandaurov) Date: Thu, 10 Jun 2021 15:00:36 +0300 Subject: Nginx Configuration for websocket: Error during WebSocket handshake: Unexpected response code: 403 In-Reply-To: <1070ea3a775a1a2f81862d7782435441.NginxMailingListEnglish@forum.nginx.org> References: <1070ea3a775a1a2f81862d7782435441.NginxMailingListEnglish@forum.nginx.org> Message-ID: <4497F5B7-2055-4240-8C3A-E626F3EE4724@nginx.com> > On 10 Jun 2021, at 13:14, raphy wrote: > > In order to use XMPP with websocket, and take advantage of nginx > capabilities to proxy to 443 and to serve multiple domains, I've configured > nginx as follows: > > > server { > listen 443 ssl http2 default_server; > server_name grasp.deals www.grasp.deals; > ssl_certificate /etc/letsencrypt/live/grasp.deals/fullchain.pem; # > managed by Certbot > ssl_certificate_key /etc/letsencrypt/live/grasp.deals/privkey.pem; # > managed by Certbot > ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot > [..] > } > > In the app I'm developing, when I switch from BOSH (http-bind), which works > fine: > > let [conn, setConn] = React.useState(new > Strophe.Connection("https://grasp.deals/http-bind")); > > to websocket: > > let [conn, setConn] = React.useState(new > Strophe.Connection("wss://grasp.deals/xmpp-websocket")); > > I get this error: > > WebSocket connection to 'wss://grasp.deals/xmpp-websocket' failed: Error > during WebSocket handshake: > Unexpected response code: 403 nginx doesn't support bootstrapping WebSockets with HTTP/2. 
-- Sergey Kandaurov From nginx-forum at forum.nginx.org Thu Jun 10 13:04:29 2021 From: nginx-forum at forum.nginx.org (raphy) Date: Thu, 10 Jun 2021 09:04:29 -0400 Subject: Nginx Configuration for websocket: Error during WebSocket handshake: Unexpected response code: 403 In-Reply-To: <4497F5B7-2055-4240-8C3A-E626F3EE4724@nginx.com> References: <4497F5B7-2055-4240-8C3A-E626F3EE4724@nginx.com> Message-ID: <9397088024a013e1da85a4aa352d2edd.NginxMailingListEnglish@forum.nginx.org> Hi Sergey The nginx configuration I used for /xmpp-websocket location, taken from here: https://prosody.im/doc/websocket , follows the official nginx indications: https://nginx.org/en/docs/http/websocket.html If nginx doesn't support bootstrapping WebSockets with HTTP/2, what should I do? Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291828,291830#msg-291830 From pluknet at nginx.com Thu Jun 10 14:10:58 2021 From: pluknet at nginx.com (Sergey Kandaurov) Date: Thu, 10 Jun 2021 17:10:58 +0300 Subject: Nginx Configuration for websocket: Error during WebSocket handshake: Unexpected response code: 403 In-Reply-To: <9397088024a013e1da85a4aa352d2edd.NginxMailingListEnglish@forum.nginx.org> References: <4497F5B7-2055-4240-8C3A-E626F3EE4724@nginx.com> <9397088024a013e1da85a4aa352d2edd.NginxMailingListEnglish@forum.nginx.org> Message-ID: <1CF3D2F0-48A1-4FC5-8354-0424661FC394@nginx.com> > On 10 Jun 2021, at 16:04, raphy wrote: > > Hi Sergey > > The nginx configuration I used for /xmpp-websocket location, taken from > here: https://prosody.im/doc/websocket , follows the official nginx > indications: https://nginx.org/en/docs/http/websocket.html > > If nginx doesn't support bootstrapping WebSockets with HTTP/2, what should > I do? Are you actually using HTTP/2 ? What if you try disabling http2 in the listen directive, to be sure. "Unexpected response code: 403" could mean misconfiguration on backend side. 
--
Sergey Kandaurov

From mdounin at mdounin.ru Thu Jun 10 14:13:43 2021
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Thu, 10 Jun 2021 17:13:43 +0300
Subject: Nginx Configuration for websocket: Error during WebSocket handshake: Unexpected response code: 403
In-Reply-To: <1070ea3a775a1a2f81862d7782435441.NginxMailingListEnglish@forum.nginx.org>
References: <1070ea3a775a1a2f81862d7782435441.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

Hello!

On Thu, Jun 10, 2021 at 06:14:03AM -0400, raphy wrote:

> In order to use XMPP with websocket, and take advantage of nginx
> capabilities to proxy to 443 and to serve multiple domains, I've configured
> nginx as follows:
>
>
> server {
>     listen 443 ssl http2 default_server;
>     server_name grasp.deals www.grasp.deals;

[...]

>     location /http-bind {
>         proxy_pass http://127.0.0.1:5280/http-bind;
>         proxy_set_header Host $host;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header X-Forwarded-Proto $scheme;
>         proxy_buffering off;
>         tcp_nodelay on;
>     }
>
>     location /xmpp-websocket {
>         proxy_pass http://127.0.0.1:5280/xmpp-websocket;
>         proxy_http_version 1.1;
>         proxy_set_header Connection "Upgrade";
>         proxy_set_header Upgrade $http_upgrade;
>
>         proxy_set_header Host $host;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header X-Forwarded-Proto $scheme;
>
>         proxy_read_timeout 900s;
>     }
> }

[...]

> In the app I'm developing, when I switch from BOSH (http-bind), which works
> fine:
>
> let [conn, setConn] = React.useState(new
> Strophe.Connection("https://grasp.deals/http-bind"));
>
> to websocket:
>
> let [conn, setConn] = React.useState(new
> Strophe.Connection("wss://grasp.deals/xmpp-websocket"));
>
> I get this error:
>
> WebSocket connection to 'wss://grasp.deals/xmpp-websocket' failed: Error
> during WebSocket handshake:
> Unexpected response code: 403

Both locations seem to be proxied to the same backend,
127.0.0.1:5280, with mostly identical configurations.
What is the backend expected to do? Do you see the request in
the nginx log? In the backend logs?

From the information you've provided it looks like the error is
returned by the backend (though this needs to be checked), so you
have to look at the backend to find out what goes wrong.

If you don't see the request in the backend logs, try adding
something like $upstream_status to nginx access logs
(http://nginx.org/r/log_format) to see if the error is indeed
returned by the backend. Alternatively, configure debug logging
(http://nginx.org/en/docs/debugging_log.html) to see all the
request processing details; it will also show the response
returned by the backend server. Or simply use tcpdump to see the
traffic between nginx and the backend.

--
Maxim Dounin
http://mdounin.ru/

From nginx-forum at forum.nginx.org Fri Jun 11 12:14:22 2021
From: nginx-forum at forum.nginx.org (anish10dec)
Date: Fri, 11 Jun 2021 08:14:22 -0400
Subject: 416 HTTP Response Issue
Message-ID:

Hi Team,

Though we have proxy cache valid defined to cache only the respective
response codes, nginx is caching the 416 response.

    proxy_cache_valid 200 206 10d;
    proxy_cache_key $uri$http_range;

416 is returned from the upstream server and it's getting cached on Nginx.

Even with default settings, by not specifying the HTTP response code, the
behavior is the same.

    proxy_cache_valid 10d;

Sample response cached on CDN for 416 Response

    KEY: /content/entry/wvdata/68/49/314af040c2c611ebad1619ca96fe25b8_2492_a.mp4bytes=12130626-12373254
    HTTP/1.1 416 Requested Range Not Satisfiable^M
    Server: nginx^M
    Date: Tue, 01 Jun 2021 15:10:06 GMT^M
    Content-Type: text/html^M
    Content-Length: 190^M
    Connection: close^M
    Expires: Thu, 01 Jul 2021 14:10:43 GMT^M
    Cache-Control: max-age=2592000^M
    Access-Control-Allow-Origin: *^M
    Access-Control-Allow-Methods: GET, POST, OPTIONS^M
    Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type^M
    Content-Range: bytes */4194304^M

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291835,291835#msg-291835

From francis at daoine.org Fri Jun 11 12:29:04 2021
From: francis at daoine.org (Francis Daly)
Date: Fri, 11 Jun 2021 13:29:04 +0100
Subject: 416 HTTP Response Issue
In-Reply-To:
References:
Message-ID: <20210611122904.GU11167@daoine.org>

On Fri, Jun 11, 2021 at 08:14:22AM -0400, anish10dec wrote:

Hi there,

> Though we have proxy cache valid defined to cache only respective response
> code , nginx caching 416 response.

http://nginx.org/r/proxy_cache_valid

"""
Parameters of caching can also be set directly in the response
header. This has higher priority than setting of caching time using
the directive.
"""

> Expires: Thu, 01 Jul 2021 14:10:43 GMT^M
> Cache-Control: max-age=2592000^M

You can tell nginx to ignore those headers, if you want to.

Cheers,

f
--
Francis Daly francis at daoine.org

From nginx-forum at forum.nginx.org Fri Jun 11 23:29:10 2021
From: nginx-forum at forum.nginx.org (hgv)
Date: Fri, 11 Jun 2021 19:29:10 -0400
Subject: Weird privilege errors on Ubuntu 20.04
In-Reply-To:
References:
Message-ID:

Out of curiosity, I launched a fresh Ubuntu 20.04 AWS instance. Its file
system structure matches the one you have. My installation is upgraded
originally from 16.04 to 18.04 to 20.04.
Therefore, I also checked a fresh Ubuntu 16.04. Its file system structure matches mine. Hence, it looks like the difference in our file system structures is explained by my upgrade path. Still not sure if it's relevant to the Nginx issue I'm experiencing, though :) Sergey A. Osokin Wrote: ------------------------------------------------------- > On Wed, Jun 09, 2021 at 05:16:17PM -0400, hgv wrote: > > Are you suggesting not having symbolic links to various > subdirectories of > > /usr at the file system root is the cause of my issue? > > I don't think I can recommend that. > > > I don't have those symbolic links in any of my Ubuntu 20.04 > instances. > > I'm still on position to analyse/understand those differences. > > -- > Sergey Osokin > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291799,291840#msg-291840 From osa at freebsd.org.ru Sat Jun 12 01:23:50 2021 From: osa at freebsd.org.ru (Sergey A. Osokin) Date: Sat, 12 Jun 2021 04:23:50 +0300 Subject: Weird privilege errors on Ubuntu 20.04 In-Reply-To: References: Message-ID: On Fri, Jun 11, 2021 at 07:29:10PM -0400, hgv wrote: > Out of curiosity, I launched a fresh Ubuntu 20.04 AWS instance. Its file > system structure matches the one you have. My installation is upgraded > originally from 16.04 to 18.04 to 20.04. Therefore, I also checked a fresh > Ubuntu 16.04. Its file system structure matches mine. > > Hence, it looks like the difference in our file system structures is > explained by my upgrade path. > > Still not sure if it's relevant to the Nginx issue I'm experiencing, though > :) Thanks for the update. It's more clear now that a file system structure was different when the issue was registered. Also, we need to understand how the systemd's systemctl utility is involved in this process. 
And I believe this issue needs to be reported to Ubuntu Development team, hope that helps to improve the upgrade process. Have you tried to reproduce the issue on fresh Ubuntu 20.04 AWS instance? Is it still reproducible? -- Sergey Osokin From nginx-forum at forum.nginx.org Mon Jun 14 17:01:07 2021 From: nginx-forum at forum.nginx.org (hgv) Date: Mon, 14 Jun 2021 13:01:07 -0400 Subject: Weird privilege errors on Ubuntu 20.04 In-Reply-To: References: Message-ID: <267238857dcc7eab3f4708ce139c1348.NginxMailingListEnglish@forum.nginx.org> Yes, it is reproducible on Ubuntu 20.04 as the headline of this thread implicates :) Sergey A. Osokin Wrote: ------------------------------------------------------- > On Fri, Jun 11, 2021 at 07:29:10PM -0400, hgv wrote: > > Out of curiosity, I launched a fresh Ubuntu 20.04 AWS instance. Its > file > > system structure matches the one you have. My installation is > upgraded > > originally from 16.04 to 18.04 to 20.04. Therefore, I also checked a > fresh > > Ubuntu 16.04. Its file system structure matches mine. > > > > Hence, it looks like the difference in our file system structures is > > explained by my upgrade path. > > > > Still not sure if it's relevant to the Nginx issue I'm experiencing, > though > > :) > > Thanks for the update. > > It's more clear now that a file system structure was different when > the > issue was registered. Also, we need to understand how the systemd's > systemctl > utility is involved in this process. And I believe this issue needs > to > be reported to Ubuntu Development team, hope that helps to improve the > upgrade process. > > Have you tried to reproduce the issue on fresh Ubuntu 20.04 AWS > instance? > Is it still reproducible? 
> > -- > Sergey Osokin > _______________________________________________ > nginx mailing list > nginx at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291799,291848#msg-291848 From ram.programme at gmail.com Tue Jun 15 01:21:45 2021 From: ram.programme at gmail.com (Ram B) Date: Mon, 14 Jun 2021 18:21:45 -0700 Subject: gRPC reverse proxy - connection level info cache Message-ID: Hello nginx team, I am nginx newbie, I am evaluating nginx as an alternative to our current custom implementation of gRPC reverse proxy use case. At the very high level this is how our current gRPC setup looks: - There are multiple services(using gRPC servers) running inside a box on different ports(some run TCP servers or use Unix Domain Sockets - UDS). - All those services are hosted only internally on the box, not exposed to outside world, there is one reverse proxy(revproxy) that sits on the box which exposes gRPC server port to external world - All the internal services register their RPCs(APIs) with the revproxy, the revproxy keeps map of which gRPC RPCs to direct to which internal service. - revproxy is also responsible for Auth RPC, it is currently serviced by revproxy itself, it isn't forwarded to any other internal service, if the auth fails the connection is terminated immediately, no further RPCs allowed on that channel - The Auth RPC also has additional context(ClientID) along with user credentials about the specific client that established the HTTP/2 connection, revproxy keeps track of this info as a map ClientID1 -> IP1+PORT1 - If there is another client comes with the same ClientID while the first one is still active, the new client request will be rejected. - When an existing connection goes down(either abruptly or in a normal case) for a particular client, we remove this ClientID1 mapping so that the same client can try reconnecting or a new client with the same ClientID can take over. 
Trying a prototype of our implementation in nginx, I was able to use the
'grpc_pass' primitive and forward the requests to the corresponding internal
services. Here is where I am stumbling to adapt nginx for my use case:

For our use case, a typical gRPC client first establishes the channel, then
runs Auth RPC, then various service RPCs, and finally the client exits and
the gRPC channel gets destroyed.

    http {
        server {
            listen 50051 http2;

            location /auth_subreq {
                internal;
                grpc_pass grpc://localhost:50052;
            }

            location /AuthRPC {
                grpc_pass grpc://localhost:50053;
            }

            location /RPC1 {
                auth_request /auth_subreq;
                grpc_pass grpc://localhost:50054;
            }

            location /RPC2 {
                auth_request /auth_subreq;
                grpc_pass grpc://localhost:50055;
            }
        }
    }

If I have a config like this, I am expecting that a client calls "AuthRPC"
first, immediately after establishing a gRPC channel; that gets forwarded to
the Auth service running at 50053. This service does local authentication as
well, using user credentials that are part of AuthRPC, and sends a response
back to the client, either success or failure. If the AuthRPC succeeds, it
also captures the client's IP address, PORT and ClientID and keeps that
mapping either in memory or in some DB. If some other client comes in with
the same ClientID, the Auth service running at 50053 can see that there is
already one client with the same ClientID and reject the new request.

Typically clients start other RPCs once the AuthRPC succeeds; for example, in
this config "RPC1" & "RPC2" are supported by two different services running
at 50054 & 50055 respectively. We will have another service called
"/auth_subreq" that is just the internal service that checks if this
particular RPC can be allowed or not. To verify this, we use the info
captured by "AuthRPC" and see if there is a successful channel already
established from the IP+PORT that the current RPC was invoked from; if not,
the RPC1/RPC2 request will be rejected.

This is the most tricky part, I have to clean up the cached info that
AuthRPC stored ClientID for a IP+PORT combo and also its authentication
status whether it succeeded or not when the client connection gets closed.
I couldn't figure out what is the best mechanism to handle this? If any one
has already dealt with this kind of scenario, can you please let me know.

Looking at the Development Guide, it looks like there can be different
methods, not sure which one is better suited for this.

- I tried to look at using a ngx_http_subrequest() within
  ngx_http_close_request function, but for some reason I ended with infinite
  loop of subrequests, need to explore more on how the request & subrequests
  work
- maybe make a http client request to "/AuthRPC_Clean" or something which
  does the necessary cleanup of connection state, not sure if it is wise to
  call that in ngx_http_close_connections
- Can we write a new module that does what the AuthRPC service provides,
  stores light weight per connection data and is able to look up that info
  when I get a new connection?
- Is there some event mechanism where I can subscribe to callbacks for
  connection establishment and teardown? I can do the checking of existing
  ClientIDs and deletion of them in the respective callbacks.

Any thoughts, greatly appreciated.

Best,
-Ram.

From xeioex at nginx.com Tue Jun 15 17:14:29 2021
From: xeioex at nginx.com (Dmitry Volyntsev)
Date: Tue, 15 Jun 2021 20:14:29 +0300
Subject: njs-0.6.0
Message-ID: <81539ee9-5525-00a1-4ddd-526eea2774c3@nginx.com>

Hello,

I'm glad to announce a new release of NGINX JavaScript module (njs).

This release proceeds to extend the coverage of ECMAScript
specifications.

Notable new features:
- let and const declarations support
: >> function test() { x = 1; let x; }
: undefined
: >> test()
: ReferenceError: cannot access variable before initialization
: >> function test2() {const x = 1; x = 2; }
: undefined
: >> test2()
: TypeError: assignment to constant variable

You can learn more about njs:

- Overview and introduction: http://nginx.org/en/docs/njs/
- NGINX JavaScript in Your Web Server Configuration:
  https://youtu.be/Jc_L6UffFOs
- Extending NGINX with Custom Code: https://youtu.be/0CVhq4AUU7M
- Using node modules with njs:
  http://nginx.org/en/docs/njs/node_modules.html
- Writing njs code using TypeScript definition files:
  http://nginx.org/en/docs/njs/typescript.html

Feel free to try it and give us feedback on:

- Github: https://github.com/nginx/njs/issues
- Mailing list: http://mailman.nginx.org/mailman/listinfo/nginx-devel


Changes with njs 0.6.0                                        15 Jun 2021

    Core:

    *) Feature: added let and const declaration support.

    *) Feature: added RegExp.prototype[Symbol.split].

    *) Feature: added sticky flag support for RegExp.

    *) Bugfix: fixed heap-buffer-overflow in
       String.prototype.lastIndexOf().

    *) Bugfix: fixed RegExp.prototype.test() according to the
       specification.

    *) Bugfix: fixed String.prototype.split() according to the
       specification.

    *) Bugfix: fixed use-of-uninitialized-value while tracking
       rejected promises.

    *) Bugfix: fixed njs.dump() for objects with circular
       references.

From maxim at nginx.com Tue Jun 15 17:21:48 2021
From: maxim at nginx.com (Maxim Konovalov)
Date: Tue, 15 Jun 2021 20:21:48 +0300
Subject: [nginx-announce] njs-0.6.0
In-Reply-To: <81539ee9-5525-00a1-4ddd-526eea2774c3@nginx.com>
References: <81539ee9-5525-00a1-4ddd-526eea2774c3@nginx.com>
Message-ID:

Brilliant! Big thanks to everyone who contributed code, time and energy
into this release.

--
Maxim Konovalov

> On 15 Jun 2021, at 20:14, Dmitry Volyntsev wrote:
>
> Hello,
>
> I'm glad to announce a new release of NGINX JavaScript module (njs).
> > This release proceeds to extend the coverage of ECMAScript > specifications. > > Notable new features: > - let and const declarations support > : >> fuction test() { x = 1; let x; } > : undefined > : >> test() > : ReferenceError: cannot access variable before initialization > : >> function test2() {const x = 1; x = 2; } > : undefined > : >> test2() > : TypeError: assignment to constant variable > > You can learn more about njs: > > - Overview and introduction: http://nginx.org/en/docs/njs/ > - NGINX JavaScript in Your Web Server Configuration: > https://youtu.be/Jc_L6UffFOs > - Extending NGINX with Custom Code: https://youtu.be/0CVhq4AUU7M > - Using node modules with njs: > http://nginx.org/en/docs/njs/node_modules.html > - Writing njs code using TypeScript definition files: > http://nginx.org/en/docs/njs/typescript.html > > Feel free to try it and give us feedback on: > > - Github: https://github.com/nginx/njs/issues > - Mailing list: http://mailman.nginx.org/mailman/listinfo/nginx-devel > > > Changes with njs 0.6.0 15 Jun 2021 > > Core: > > *) Feature: added let and const declaration support. > > *) Feature: added RegExp.prototype[Symbol.split]. > > *) Feature: added sticky flag support for RegExp. > > *) Bugfix: fixed heap-buffer-overflow in > String.prototype.lastIndexOf(). > > *) Bugfix: fixed RegExp.prototype.test() according to the > specification. > > *) Bugfix: fixed String.prototype.split() according to the > specification. > > *) Bugfix: fixed use-of-uninitialized-value while tracking > rejected promises. > > *) Bugfix: fixed njs.dump() for objects with circular > references. 
> > _______________________________________________ > nginx-announce mailing list > nginx-announce at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx-announce From takahiro.kujirai at it.zeus-enterprise.co.jp Wed Jun 16 02:41:15 2021 From: takahiro.kujirai at it.zeus-enterprise.co.jp (=?UTF-8?Q?=E9=AF=A8=E4=BA=95_=E8=B2=B4=E5=8D=9A?=) Date: Wed, 16 Jun 2021 11:41:15 +0900 Subject: njs-0.6.0 In-Reply-To: <33835b44015a97ed319ba2a1d1ade2c5@it.zeus-enterprise.co.jp> References: <81539ee9-5525-00a1-4ddd-526eea2774c3@nginx.com> <33835b44015a97ed319ba2a1d1ade2c5@it.zeus-enterprise.co.jp> Message-ID: Hello, Dmitry Thank you for announce! Is this list in "http://nginx.org/" ? Takahiro Kujirai ------Original Message------ ????"Dmitry Volyntsev" ???, ??? ???njs-0.6.0 ???2021?06?16?(?) 02:14(+0900) >Hello, > >I'm glad to announce a new release of NGINX JavaScript module (njs). > >This release proceeds to extend the coverage of ECMAScript >specifications. > >Notable new features: >- let and const declarations support >: >> fuction test() { x = 1; let x; } >: undefined >: >> test() >: ReferenceError: cannot access variable before initialization >: >> function test2() {const x = 1; x = 2; } >: undefined >: >> test2() >: TypeError: assignment to constant variable > >You can learn more about njs: > >- Overview and introduction: http://nginx.org/en/docs/njs/ >- NGINX JavaScript in Your Web Server Configuration: > https://youtu.be/Jc_L6UffFOs >- Extending NGINX with Custom Code: https://youtu.be/0CVhq4AUU7M >- Using node modules with njs: >http://nginx.org/en/docs/njs/node_modules.html >- Writing njs code using TypeScript definition files: > http://nginx.org/en/docs/njs/typescript.html > >Feel free to try it and give us feedback on: > >- Github: https://github.com/nginx/njs/issues >- Mailing list: http://mailman.nginx.org/mailman/listinfo/nginx-devel > > >Changes with njs 0.6.0 15 Jun 2021 > > Core: > > *) Feature: added let and const declaration support. 
> > *) Feature: added RegExp.prototype[Symbol.split]. > > *) Feature: added sticky flag support for RegExp. > > *) Bugfix: fixed heap-buffer-overflow in > String.prototype.lastIndexOf(). > > *) Bugfix: fixed RegExp.prototype.test() according to the > specification. > > *) Bugfix: fixed String.prototype.split() according to the > specification. > > *) Bugfix: fixed use-of-uninitialized-value while tracking > rejected promises. > > *) Bugfix: fixed njs.dump() for objects with circular > references. > >_______________________________________________ >nginx mailing list >nginx at nginx.org >http://mailman.nginx.org/mailman/listinfo/nginx From maxime.bruno at ens-lyon.fr Wed Jun 16 12:28:21 2021 From: maxime.bruno at ens-lyon.fr (Maxime Bruno) Date: Wed, 16 Jun 2021 14:28:21 +0200 Subject: Upstream proxy using QUIC Message-ID: Hello, I'm currently trying to setup a proxy using nginx server. I want it to have a QUIC (and so HTTP3) connection between the client and the load balancer and also between the load balancer and the backend. But I achieve, following the nginx doc only in the setup of a QUIC connection between the client and the load balancer and a TCP+TLS connection between the load balancer and the backend. Moreover despite the headers, when I try to connect to my load balancer with my web browser it don't upgrade my TCP+TLS connection to a QUIC connection. Information: I'm positive that my load balancer and my backend handle QUIC, I try them using curl and the option --http3 and verbose and I check that HTTP3 was indeed use. Can someone help me, or redirect me to another mailing list or forum that answer my problem and that I missed. I would be grateful. 
From pluknet at nginx.com Wed Jun 16 14:39:26 2021 From: pluknet at nginx.com (Sergey Kandaurov) Date: Wed, 16 Jun 2021 17:39:26 +0300 Subject: Upstream proxy using QUIC In-Reply-To: References: Message-ID: <6F05A36C-9423-439F-9440-503802E01A2E@nginx.com> > On 16 Jun 2021, at 15:28, Maxime Bruno wrote: > > Hello, > > I'm currently trying to setup a proxy using nginx server. I want it to have a QUIC (and so HTTP3) connection between the client and the load balancer and also between the load balancer and the backend. As of now, nginx-quic supports QUIC and HTTP/3 termination only, it doesn't support communicating to a QUIC (and thus - HTTP/3) backend. [..] -- Sergey Kandaurov From vishal.m.mehra at gmail.com Thu Jun 17 03:21:47 2021 From: vishal.m.mehra at gmail.com (Vishal Mehra) Date: Wed, 16 Jun 2021 20:21:47 -0700 Subject: Ingress Controller Configuration for backend service with relative path Message-ID: What is the best way to route traffic to a backend web front service which uses different relative paths within the web application. As an example, take a standard Jaeger service kubectl create -f https://tinyurl.com/yc52x6q5. 

I would like to expose this service endpoint via an ingress controller, see ingress configuration below

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: frontend-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/add-base-url: "true"
spec:
  rules:
  - host:
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: frontend
            port:
              number: 4444
      - path: /jaeger
        pathType: Prefix
        backend:
          service:
            name: jaeger-query
            port:
              number: 443

Using ingress endpoint https:///jaeger, I am able to successfully invoke the backend service (jaeger-query), however the backend service pages with the relative URLs (like /static and /api) are not getting loaded/rendered on the browser as ingress controller does not have a rule to route that traffic.

As a workaround, I added ingress rules for /static and /api to point to the same backend service. configuration.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: frontend-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/add-base-url: "true"
spec:
  rules:
  - host:
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: frontend
            port:
              number: 4444
      - path: /jaeger
        pathType: Prefix
        backend:
          service:
            name: jaeger-query
            port:
              number: 443
      - path: /search
        pathType: Prefix
        backend:
          service:
            name: jaeger-query
            port:
              number: 443
      - path: /static
        pathType: Prefix
        backend:
          service:
            name: jaeger-query
            port:
              number: 443
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: jaeger-query
            port:
              number: 443

Ideally, I would like one Ingress rule per backend service and the relative paths like /static and /api to automatically adjust to /jaeger/static and /jaeger/api.

Do you know how that can be achieved?

From osa at freebsd.org.ru Thu Jun 17 19:32:45 2021
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Thu, 17 Jun 2021 22:32:45 +0300
Subject: Ingress Controller Configuration for backend service with relative path
In-Reply-To:
References:
Message-ID:

Hi Vishal,

hope you're doing well.

Correct me if I'm wrong here but this configuration is related to NGINX Ingress Controller from Kubernetes project, right? If so, I'd recommend contacting that project.

In case of NGINX OSS or NGINX Plus Ingress Controller from NGINX Inc. please visit the following page to get contact information, https://github.com/nginxinc/kubernetes-ingress/

Thank you.

--
Sergey Osokin

On Wed, Jun 16, 2021 at 08:21:47PM -0700, Vishal Mehra wrote:
> What is the best way to route traffic to a backend web front service which
> uses different relative paths within the web application.
>
> As an example, take a standard Jaeger service kubectl create -f
> https://tinyurl.com/yc52x6q5.
>
> I would like to expose this service endpoint via an ingress controller, see
> ingress configuration below
>
> apiVersion: networking.k8s.io/v1
> kind: Ingress
> metadata:
>   name: frontend-ingress
>   annotations:
>     nginx.ingress.kubernetes.io/rewrite-target: /$1
>     kubernetes.io/ingress.class: nginx
>     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
>     nginx.ingress.kubernetes.io/add-base-url: "true"
> spec:
>   rules:
>   - host:
>     http:
>       paths:
>       - path: /
>         pathType: Prefix
>         backend:
>           service:
>             name: frontend
>             port:
>               number: 4444
>       - path: /jaeger
>         pathType: Prefix
>         backend:
>           service:
>             name: jaeger-query
>             port:
>               number: 443
>
> Using ingress endpoint https:///jaeger, I am able to
> successfully invoke the backend service (jaeger-query), however the backend
> service pages with the relative URLs (like /static and /api) are not
> getting loaded/rendered on the browser as ingress controller does not have
> a rule to route that traffic.
>
> As a workaround, I added ingress rules for /static and /api to point to the
> same backend service. configuration.
>
> apiVersion: networking.k8s.io/v1
> kind: Ingress
> metadata:
>   name: frontend-ingress
>   annotations:
>     nginx.ingress.kubernetes.io/rewrite-target: /$1
>     kubernetes.io/ingress.class: nginx
>     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
>     nginx.ingress.kubernetes.io/add-base-url: "true"
> spec:
>   rules:
>   - host:
>     http:
>       paths:
>       - path: /
>         pathType: Prefix
>         backend:
>           service:
>             name: frontend
>             port:
>               number: 4444
>       - path: /jaeger
>         pathType: Prefix
>         backend:
>           service:
>             name: jaeger-query
>             port:
>               number: 443
>       - path: /search
>         pathType: Prefix
>         backend:
>           service:
>             name: jaeger-query
>             port:
>               number: 443
>       - path: /static
>         pathType: Prefix
>         backend:
>           service:
>             name: jaeger-query
>             port:
>               number: 443
>       - path: /api
>         pathType: Prefix
>         backend:
>           service:
>             name: jaeger-query
>             port:
>               number: 443
>
> Ideally, I would like one Ingress rule per backend service and the relative
> paths like /static and /api to automatically adjust to /jaeger/static and
> /jaeger/api.
>
> Do you know how that can be achieved?

From alisonc1986 at gmail.com Fri Jun 18 14:12:44 2021
From: alisonc1986 at gmail.com (Alison)
Date: Fri, 18 Jun 2021 15:12:44 +0100
Subject: Fwd: help websockets
In-Reply-To:
References:
Message-ID:

Hi,

I'm using the following ingress in my jupyterhub application to expose the application externally from within the cluster:

################

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: py-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/rewrite-target: /jupyterhub$1$2
  namespace: default
spec:
  rules:
  - http:
      paths:
      - path: /jupyterhub(/|$)(.*)
        backend:
          serviceName: jupyterhub
          servicePort: 8888

#################

When I deploy my application to one kubernetes cluster it works without problems.

If I deploy the same application to another kubernetes cluster it fails (due to http 400 websockets). The part that fails is when I try from the Jupyter Notebook .... New ->Terminal ... or .... New -> Python3 kernel

Any idea of what kind of additional annotations I need to add to the above ingress to solve the websocket issue ?

https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/

The nginx.conf content looks as follows for the application in both clusters

#########################

location ~* "^/jupyterhub(/|$)(.*)" {
    set $namespace "default";
    set $ingress_name "py-ingress";
    set $service_name "";
    set $service_port "";
    set $location_path "/jupyterhub(/|$(literal_dollar))(.*)";

    rewrite_by_lua_block {
        lua_ingress_rewrite({
            force_ssl_redirect = false,
            ssl_redirect = true,
            force_no_ssl_redirect = false,
            use_port_in_redirects = false,
        })
        balancer.rewrite()
        plugins.run()
    }

    header_filter_by_lua_block {
        lua_ingress.header()
        plugins.run()
    }

    body_filter_by_lua_block {
    }

    log_by_lua_block {
        balacer.log()

        monitor.call()

        plugins.run()
    }

    port_in_redirect off;

    set $balancer_ewma_score -1;
    set $proxy_upstream_name "default-jupyterhub-8888";
    set $proxy_host $proxy_upstream_name;
    set $pass_access_scheme $scheme;
    set $pass_server_port $server_port;
    set $best_http_host $http_host;
    set $pass_port $pass_server_port;
    set $proxy_alternative_upstream_name "";
    client_max_bosy_size 1m;
    proxy_set_header Host $best_http_host;

    # Allow websocket connections

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header X-Request-ID $req_id;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $pass_access_scheme;
    proxy_set_header X-Forwarded-Host $best_http_host;
    proxy_set_header X-Forwarded-Port $pass_port;
    proxy_set_header X-Scheme $pass_access_scheme;
    proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
    proxy_set_header Proxy
    proxy_connect_timeout 5s;
    proxy_send_timeout 60s;
    proxy_buffering off;
    proxy_buffer_size 4k;
    proxy_buffers 4 4k;
    proxy_max_temp_file_size 1024m;
    proxy_request_buffering on;
    proxy_http_version 1.1;
    proxy_cookie_domain off;
    proxy_cookie_path off;
    proxy_next_upstream error timeout;
    proxy_next_upstream_timeout 0;
    proxy_next_upstream_tries 3;

    rewrite "(?i)/jupyterhub (/|$)(.*)" /jupyter$1$2 break;

    proxy_pass http://upstream_balancer;

    proxy_redirect off;

}

##########################

Thank you very much,

Alison

From baalchina at gmail.com Fri Jun 18 14:32:51 2021
From: baalchina at gmail.com (baalchina)
Date: Fri, 18 Jun 2021 22:32:51 +0800
Subject: unable to forbidden access by ip
Message-ID:

Hi all,
I am using nginx as my reverse proxy, and I do not want all Excel files in my server to be accessed in the internet. So I add this in my nginx.conf:

    location ~* \.(xls|xlsx)$ {
        allow 10.0.0.0/8;
        deny all;
    }

while my intranet address is 10.0.0.0/8. I found in internet, nginx returns a 403 error, that's correct.

But in my intranet, which ip in 10.0.0.0/8, nginx returns a 404 error. I looked at the error.log; it returns this:

[nginx][error] open() "/etc/nginx/html/_upload/article/files/d7/c2.xlsx" failed (2: No such file or directory), client: 10.0.0.1, server: xxxxx request: "GET /_upload/article/files/d7/c2.xlsx HTTP/1.1", host: "xxx", referrer: "xxx"

So, is there anything wrong in my config file?

Thanks.

--
from:baalchina

From teward at thomas-ward.net Fri Jun 18 14:52:58 2021
From: teward at thomas-ward.net (Thomas Ward)
Date: Fri, 18 Jun 2021 10:52:58 -0400
Subject: unable to forbidden access by ip
In-Reply-To:
References:
Message-ID:

Based on your configuration snippet there doesn't appear to be anything wrong.

Except for the fact that "/etc/nginx/html/_upload/article/files/d7/c2.xlsx" doesn't seem to exist on system. Which means either your document root is set wrong for your server block, or you actually don't have a file in that path that it's trying.

Thomas

On 6/18/21 10:32 AM, baalchina wrote:
> Hi all,
> I am using nginx as my reverse proxy, and I do not want all Excel
> files in my server to be accessed in the internet. So I add this in my
> nginx.conf:
>
>     location ~* \.(xls|xlsx)$ {
>         allow 10.0.0.0/8;
>         deny all;
>     }
>
> while my intranet address is 10.0.0.0/8. I found
> in internet, nginx return a 403 error, that's correct.
>
> But in my intranet, which ip in 10.0.0.0/8, nginx
> return a 404 error. I looked the error.log, it return like this:
>
> [nginx][error] open()
> "/etc/nginx/html/_upload/article/files/d7/c2.xlsx" failed (2: No such
> file or directory), client: 10.0.0.1, server: xxxxx request: "GET
> /_upload/article/files/d7/c2.xlsx HTTP/1.1", host: "xxx", referrer: "xxx"
>
> So, is there anything wrong in my config file?
>
> Thanks.
>
>
> --
> from:baalchina

From nginx-forum at forum.nginx.org Fri Jun 18 15:29:28 2021
From: nginx-forum at forum.nginx.org (kay)
Date: Fri, 18 Jun 2021 11:29:28 -0400
Subject: Dynamically resolving smtp upstream hostnames
Message-ID:

I'm using a new "proxy_smtp_auth on;" option in my mail proxy server inside k8s cluster, therefore I just need to proxy_pass smtp requests to the backend.
Since the backend must be set using the "auth_http" directive, I use the code below and provide the hostname instead of IP address:

server {
    listen 127.0.0.1:8025;
    server_name _;
    access_log off;

    location / {
        add_header "Auth-Server" "smtp-hostname.local";
        add_header "Auth-Port" "25";
        return 200;
    }
}

Unfortunately nginx even with the resolver enabled in mail section doesn't resolve the hostname:

auth http server 127.0.0.1:8025 sent invalid server address:"smtp-hostname.local" while in http auth state

It is also not clear how to resolve the "smtp-hostname.local" hostname to an IP address in the "127.0.0.1:8025" listener. Using LUA is an overkill.

Any suggestions on how to dynamically resolve the smtp upstream hostname?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291890,291890#msg-291890

From nick at nickrickard.co.uk Sun Jun 20 15:21:35 2021
From: nick at nickrickard.co.uk (Nick Rickard)
Date: Sun, 20 Jun 2021 16:21:35 +0100
Subject: unable to forbidden access by ip
In-Reply-To:
References:
Message-ID: <9F41DA4C-C0BE-467B-8E60-E9F723DC3C51@nickrickard.co.uk>

I think the problem is the order of your deny and allow statements. Nginx processes them in turn. So nginx reads the allow one okay, but then reads the subsequent one as "deny all (including 10....)". Hence xls are denied to all.

If you swap the order then it should work as intended (assuming the files exist and are in the right doc root, etc).

On 18 June 2021 15:32:51 BST, baalchina wrote:
>Hi all,
>I am using nginx as my reverse proxy, and I do not want all Excel files in
>my server to be accessed in the internet. So I add this in my nginx.conf:
>
>    location ~* \.(xls|xlsx)$ {
>        allow 10.0.0.0/8;
>        deny all;
>    }
>
>while my intranet address is 10.0.0.0/8. I found in internet, nginx return
>a 403 error, that's correct.
>
>But in my intranet, which ip in 10.0.0.0/8, nginx return
>a 404 error.
>I looked the error.log, it return like this:
>
>[nginx][error] open() "/etc/nginx/html/_upload/article/files/d7/c2.xlsx"
>failed (2: No such file or directory), client: 10.0.0.1, server: xxxxx
>request: "GET /_upload/article/files/d7/c2.xlsx HTTP/1.1", host: "xxx",
>referrer: "xxx"
>
>So, is there anything wrong in my config file?
>
>Thanks.
>
>
>--
>from:baalchina

From nginx-forum at forum.nginx.org Wed Jun 23 13:29:46 2021
From: nginx-forum at forum.nginx.org (daveb)
Date: Wed, 23 Jun 2021 09:29:46 -0400
Subject: loading ssl_certificate from a variable
Message-ID: <1c97fca1e4222582d7b7e63aacc49a93.NginxMailingListEnglish@forum.nginx.org>

Hello,

I'm trying to load the cert/key from a variable, based on the documentation here:

https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate

Using this configuration:

server {
    listen 19099 ssl;

    set $mycert "-----BEGIN CERTIFICATE----- ...";
    set $mypkey "-----BEGIN PRIVATE KEY----- ...";
    ssl_certificate "data:$mycert";
    ssl_certificate_key "data:$mypkey";

When I connect to port 19099, nginx reports this error (v 1.19.7)

[error] 16408#0: *1 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:19099

I realize that this might not be a great idea, but I don't understand why it's not working. Can someone please explain what's wrong with the config?

Thanks,
Dave

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291902,291902#msg-291902

From pluknet at nginx.com Wed Jun 23 14:22:45 2021
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Wed, 23 Jun 2021 17:22:45 +0300
Subject: loading ssl_certificate from a variable
In-Reply-To: <1c97fca1e4222582d7b7e63aacc49a93.NginxMailingListEnglish@forum.nginx.org>
References: <1c97fca1e4222582d7b7e63aacc49a93.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

> On 23 Jun 2021, at 16:29, daveb wrote:
>
> Hello,
>
> I'm trying to load the cert/key from a variable, based on the documentation
> here:
>
> https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate
>
> Using this configuration:
>
>
> server {
>     listen 19099 ssl;
>
>     set $mycert "-----BEGIN CERTIFICATE----- ...";
>     set $mypkey "-----BEGIN PRIVATE KEY----- ...";
>     ssl_certificate "data:$mycert";
>     ssl_certificate_key "data:$mypkey";
>
>
>
> When I connect to port 19099, nginx reports this error (v 1.19.7)
>
> [error] 16408#0: *1 cannot load certificate "data:": PEM_read_bio_X509_AUX()
> failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting:
> TRUSTED CERTIFICATE) while SSL handshaking, client: 127.0.0.1, server:
> 0.0.0.0:19099

The error indicates an empty value.
This is because "set" variables are not yet handled while SSL handshaking.
You might want to replace it with e.g. geo or map that use global context.

The more intended way is loading certificates with perl or njs:
https://hg.nginx.org/nginx-tests/file/tip/ssl_certificate_perl.t

--
Sergey Kandaurov

From osa at freebsd.org.ru Wed Jun 23 14:24:36 2021
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Wed, 23 Jun 2021 17:24:36 +0300
Subject: loading ssl_certificate from a variable
In-Reply-To: <1c97fca1e4222582d7b7e63aacc49a93.NginxMailingListEnglish@forum.nginx.org>
References: <1c97fca1e4222582d7b7e63aacc49a93.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

Hi Dave,

hope you're doing well these days.

On Wed, Jun 23, 2021 at 09:29:46AM -0400, daveb wrote:
> Hello,
>
> I'm trying to load the cert/key from a variable, based on the documentation
> here:
> https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate
> Using this configuration:
>
>
> server {
>     listen 19099 ssl;
>
>     set $mycert "-----BEGIN CERTIFICATE----- ...";
>     set $mypkey "-----BEGIN PRIVATE KEY----- ...";
>     ssl_certificate "data:$mycert";
>     ssl_certificate_key "data:$mypkey";
>
>
>
> When I connect to port 19099, nginx reports this error (v 1.19.7)
>
> [error] 16408#0: *1 cannot load certificate "data:": PEM_read_bio_X509_AUX()
> failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting:
> TRUSTED CERTIFICATE) while SSL handshaking, client: 127.0.0.1, server:
> 0.0.0.0:19099
>
> I realize that this might not be a great idea, but I don't understand why
> it's not working. Can someone please explain what's wrong with the config?

The shared information is not enough to understand what a certificate and a key look like in the configuration file. My guess is all newlines have been removed, is that right? And if so, a certificate won't be handled correctly without newline breaks.

--
Sergey Osokin

From alisonc1986 at gmail.com Wed Jun 23 16:10:49 2021
From: alisonc1986 at gmail.com (Alison)
Date: Wed, 23 Jun 2021 17:10:49 +0100
Subject: Fwd: help websockets
In-Reply-To:
References:
Message-ID:

Hi,

Does anyone have any suggestions about the below ?

Thank you very much,

Alison

---------- Forwarded message ---------
From: Alison
Date: Fri, 18 Jun 2021, 15:06
Subject: help websockets
To:

Hi,

I'm using the following ingress in my jupyterhub application to expose the application externally from within the cluster:

################

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: py-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/rewrite-target: /jupyterhub$1$2
  namespace: default
spec:
  rules:
  - http:
      paths:
      - path: /jupyterhub(/|$)(.*)
        backend:
          serviceName: jupyterhub
          servicePort: 8888

#################

When I deploy my application to one kubernetes cluster it works without problems.

If I deploy the same application to another kubernetes cluster it fails (due to http 400 websockets). The part that fails is when I try from the Jupyter Notebook .... New ->Terminal ... or .... New -> Python3 kernel

Any idea of what kind of additional annotations I need to add to the above ingress to solve the websocket issue ?

https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/

The nginx.conf content looks as follows for the application in both clusters

#########################

location ~* "^/jupyterhub(/|$)(.*)" {
    set $namespace "default";
    set $ingress_name "py-ingress";
    set $service_name "";
    set $service_port "";
    set $location_path "/jupyterhub(/|$(literal_dollar))(.*)";

    rewrite_by_lua_block {
        lua_ingress_rewrite({
            force_ssl_redirect = false,
            ssl_redirect = true,
            force_no_ssl_redirect = false,
            use_port_in_redirects = false,
        })
        balancer.rewrite()
        plugins.run()
    }

    header_filter_by_lua_block {
        lua_ingress.header()
        plugins.run()
    }

    body_filter_by_lua_block {
    }

    log_by_lua_block {
        balacer.log()

        monitor.call()

        plugins.run()
    }

    port_in_redirect off;

    set $balancer_ewma_score -1;
    set $proxy_upstream_name "default-jupyterhub-8888";
    set $proxy_host $proxy_upstream_name;
    set $pass_access_scheme $scheme;
    set $pass_server_port $server_port;
    set $best_http_host $http_host;
    set $pass_port $pass_server_port;
    set $proxy_alternative_upstream_name "";
    client_max_bosy_size 1m;
    proxy_set_header Host $best_http_host;

    # Allow websocket connections

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header X-Request-ID $req_id;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $pass_access_scheme;
    proxy_set_header X-Forwarded-Host $best_http_host;
    proxy_set_header X-Forwarded-Port $pass_port;
    proxy_set_header X-Scheme $pass_access_scheme;
    proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
    proxy_set_header Proxy
    proxy_connect_timeout 5s;
    proxy_send_timeout 60s;
    proxy_buffering off;
    proxy_buffer_size 4k;
    proxy_buffers 4 4k;
    proxy_max_temp_file_size 1024m;
    proxy_request_buffering on;
    proxy_http_version 1.1;
    proxy_cookie_domain off;
    proxy_cookie_path off;
    proxy_next_upstream error timeout;
    proxy_next_upstream_timeout 0;
    proxy_next_upstream_tries 3;

    rewrite "(?i)/jupyterhub (/|$)(.*)" /jupyter$1$2 break;

    proxy_pass http://upstream_balancer;

    proxy_redirect off;

}

##########################

Thank you very much,

Alison

From zakomany at gmail.com Wed Jun 23 16:17:26 2021
From: zakomany at gmail.com (zak preedy)
Date: Wed, 23 Jun 2021 17:17:26 +0100
Subject: help websockets
In-Reply-To:
References:
Message-ID:

no

On Wed, 23 Jun 2021 at 17:11, Alison wrote:

> Hi,
>
> Does anyone have any suggestions about the below ?
>
> Thank you very much,
>
> Alison
>
>
> ---------- Forwarded message ---------
> From: Alison
> Date: Fri, 18 Jun 2021, 15:06
> Subject: help websockets
> To:
>
>
> Hi,
>
> I'm using the following ingress in my jupyterhub application to expose the
> application externally from within the cluster:
>
> ################
>
> apiVersion: networking.k8s.io/v1beta1
> kind: Ingress
> metadata:
>   name: py-ingress
>   annotations:
>     kubernetes.io/ingress.class: nginx
>     nginx.ingress.kubernetes.io/rewrite-target: /jupyterhub$1$2
>   namespace: default
> spec:
>   rules:
>   - http:
>       paths:
>       - path: /jupyterhub(/|$)(.*)
>         backend:
>           serviceName: jupyterhub
>           servicePort: 8888
>
>
> #################
>
> When I deploy my application to one kubernetes cluster it works without
> problems.
>
> If I deploy the same application to another kubernetes cluster it fails
> (due to http 400 websockets). The part that fails is when I try from the
> Jupyter Notebook .... New ->Terminal ... or .... New -> Python3 kernel
>
> Any idea of what kind of additional annotations I need to add to the above
> ingress to solve the websocket issue ?
>
>
> https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/
>
> The nginx.conf content looks as follows for the application in both
> clusters
>
> #########################
>
> location ~* "^/jupyterhub(/|$)(.*)" {
>     set $namespace "default";
>     set $ingress_name "py-ingress";
>     set $service_name "";
>     set $service_port "";
>     set $location_path "/jupyterhub(/|$(literal_dollar))(.*)";
>
>     rewrite_by_lua_block {
>         lua_ingress_rewrite({
>             force_ssl_redirect = false,
>             ssl_redirect = true,
>             force_no_ssl_redirect = false,
>             use_port_in_redirects = false,
>         })
>         balancer.rewrite()
>         plugins.run()
>     }
>
>     header_filter_by_lua_block {
>         lua_ingress.header()
>         plugins.run()
>     }
>
>     body_filter_by_lua_block {
>     }
>
>     log_by_lua_block {
>         balacer.log()
>
>         monitor.call()
>
>         plugins.run()
>     }
>
>     port_in_redirect off;
>
>     set $balancer_ewma_score -1;
>     set $proxy_upstream_name "default-jupyterhub-8888";
>     set $proxy_host $proxy_upstream_name;
>     set $pass_access_scheme $scheme;
>     set $pass_server_port $server_port;
>     set $best_http_host $http_host;
>     set $pass_port $pass_server_port;
>     set $proxy_alternative_upstream_name "";
>     client_max_bosy_size 1m;
>     proxy_set_header Host $best_http_host;
>
>     # Allow websocket connections
>
>     proxy_set_header Upgrade $http_upgrade;
>     proxy_set_header Connection $connection_upgrade;
>     proxy_set_header X-Request-ID $req_id;
>     proxy_set_header X-Real-IP $remote_addr;
>     proxy_set_header X-Forwarded-For $remote_addr;
>     proxy_set_header X-Forwarded-Proto $pass_access_scheme;
>     proxy_set_header X-Forwarded-Host $best_http_host;
>     proxy_set_header X-Forwarded-Port $pass_port;
>     proxy_set_header X-Scheme $pass_access_scheme;
>     proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
>     proxy_set_header Proxy
>     proxy_connect_timeout 5s;
>     proxy_send_timeout 60s;
>     proxy_buffering off;
>     proxy_buffer_size 4k;
>     proxy_buffers 4 4k;
>     proxy_max_temp_file_size 1024m;
>     proxy_request_buffering on;
>
>     proxy_http_version 1.1;
>     proxy_cookie_domain off;
>     proxy_cookie_path off;
>     proxy_next_upstream error timeout;
>     proxy_next_upstream_timeout 0;
>     proxy_next_upstream_tries 3;
>
>     rewrite "(?i)/jupyterhub (/|$)(.*)" /jupyter$1$2 break;
>
>     proxy_pass http://upstream_balancer;
>
>     proxy_redirect off;
>
> }
>
> ##########################
>
> Thank you very much,
>
> Alison

From francis at daoine.org Wed Jun 23 17:46:02 2021
From: francis at daoine.org (Francis Daly)
Date: Wed, 23 Jun 2021 18:46:02 +0100
Subject: Fwd: help websockets
In-Reply-To:
References:
Message-ID: <20210623174602.GW11167@daoine.org>

On Wed, Jun 23, 2021 at 05:10:49PM +0100, Alison wrote:

Hi there,

> Does anyone have any suggestions about the below ?

I don't have an answer for your question; but I will note that you seem to be asking about an nginx ingress controller for kubernetes; and there is more than one of those.

https://github.com/nginxinc/kubernetes-ingress/blob/master/docs/nginx-ingress-controllers.md describes the differences (from the "nginxinc" point of view); your config makes it look like you may be using the one from https://github.com/kubernetes/ingress-nginx

If your question is about that application, you might have better luck getting an answer from that project.

(I confess I'm not sure whether you are asking about the ingress controller config, or the nginx config here.)

Good luck with it,

	f
--
Francis Daly        francis at daoine.org

From nginx-forum at forum.nginx.org Wed Jun 23 19:00:43 2021
From: nginx-forum at forum.nginx.org (daveb)
Date: Wed, 23 Jun 2021 15:00:43 -0400
Subject: loading ssl_certificate from a variable
In-Reply-To:
References:
Message-ID: <6524eefd5900401a34c1973dd05d3340.NginxMailingListEnglish@forum.nginx.org>

Hi Sergey,

Thanks, that makes sense. I'll try your suggestions.

Dave

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291902,291908#msg-291908

From nginx-forum at forum.nginx.org Wed Jun 23 19:05:40 2021
From: nginx-forum at forum.nginx.org (daveb)
Date: Wed, 23 Jun 2021 15:05:40 -0400
Subject: loading ssl_certificate from a variable
In-Reply-To:
References:
Message-ID: <1c3aafb7cd6b5caacfdff3fdb4437618.NginxMailingListEnglish@forum.nginx.org>

Hi Sergey,

Thanks for your reply. I tried with and without newlines, but as Sergey Kandaurov noted, the variable was empty in both cases, so the variable not being set before handshake is the likely cause.

Dave

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291902,291909#msg-291909

From adrian at wecode.ro Thu Jun 24 05:18:05 2021
From: adrian at wecode.ro (Adrian Bulgariu)
Date: Thu, 24 Jun 2021 08:18:05 +0300
Subject: Php script is getting executed multiple times on nginx as a proxy server
Message-ID: <81aea1b9-a7b4-eb08-3183-1ca79113db61@wecode.ro>

Hello,

I have nginx as a proxy server.
When I run a php script that takes a lot of time to import (some product imports) I see in the log file that it starts on a web child and after some time the script is called by another child

from my file log:
[ ip of the child ] [iteration of product nr]
[ 10.38.1.106 ] [ 7724 ] Product: 50376 - updated
[ 10.38.1.106 ] [ 7725 ] Product: 50378 - updated
[ 10.38.1.106 ] [ 7726 ] Product: 50379 - updated
[ 10.38.1.106 ] [ 7727 ] Product: 50391 - updated
[ 10.38.1.105 ] [ 9453 ] ==============================
[ 10.38.1.106 ] [ 7728 ] Product: 50392 - updated
[ 10.38.1.105 ] [ 0 ] Product: 104474 - updated
[ 10.38.1.106 ] [ 7729 ] Product: 50394 - updated
[ 10.38.1.105 ] [ 1 ] Product: 104675 - updated
[ 10.38.1.106 ] [ 7730 ] Product: 50395 - updated
[ 10.38.1.105 ] [ 2 ] Product: 105186 - updated
[ 10.38.1.106 ] [ 7731 ] Product: 50396 - updated
[ 10.38.1.105 ] [ 3 ] Product: 106417 - updated
[ 10.38.1.106 ] [ 7732 ] Product: 50397 - updated

nginx backends config:
        upstream backends {
                sticky name=cresist path=/;
                server 10.38.1.104:80 weight=10 max_fails=3 fail_timeout=30s; # Child 1
                server 10.38.1.105:80 weight=10 max_fails=3 fail_timeout=30s; # Child 2
                server 10.38.1.106:80 weight=10 max_fails=3 fail_timeout=30s; # Child 3
                server 10.38.1.107:80 weight=10 max_fails=3 fail_timeout=30s; # Child 4
                server 10.38.1.108:80 weight=10 max_fails=3 fail_timeout=30s; # Child 5
                server 10.38.1.109:80 weight=10 max_fails=3 fail_timeout=30s; # Child 6
        }

How can I set nginx not to split the load on another child if execution time is high?

Thanks

From osa at freebsd.org.ru Thu Jun 24 16:40:05 2021
From: osa at freebsd.org.ru (Sergey A.
Osokin)
Date: Thu, 24 Jun 2021 19:40:05 +0300
Subject: Php script is getting executed multiple times on nginx as a proxy server
In-Reply-To: <81aea1b9-a7b4-eb08-3183-1ca79113db61@wecode.ro>
References: <81aea1b9-a7b4-eb08-3183-1ca79113db61@wecode.ro>
Message-ID:

Hi Adrian,

On Thu, Jun 24, 2021 at 08:18:05AM +0300, Adrian Bulgariu wrote:
> Hello,
>
> i have nginx as a proxy server. When i run a php script that takes allot
> of time to import (some product imports) i see in the log file that
> starts on a web child and after some time the script it is called by
> another child
>
> fom my file log:
> [ ip of the child ] [iteration of product nr]
> [ 10.38.1.106 ] [ 7724 ] Product: 50376 - updated
> [ 10.38.1.106 ] [ 7725 ] Product: 50378 - updated
> [ 10.38.1.106 ] [ 7726 ] Product: 50379 - updated
> [ 10.38.1.106 ] [ 7727 ] Product: 50391 - updated
> [ 10.38.1.105 ] [ 9453 ] ==============================
> [ 10.38.1.106 ] [ 7728 ] Product: 50392 - updated
> [ 10.38.1.105 ] [ 0 ] Product: 104474 - updated
> [ 10.38.1.106 ] [ 7729 ] Product: 50394 - updated
> [ 10.38.1.105 ] [ 1 ] Product: 104675 - updated
> [ 10.38.1.106 ] [ 7730 ] Product: 50395 - updated
> [ 10.38.1.105 ] [ 2 ] Product: 105186 - updated
> [ 10.38.1.106 ] [ 7731 ] Product: 50396 - updated
> [ 10.38.1.105 ] [ 3 ] Product: 106417 - updated
> [ 10.38.1.106 ] [ 7732 ] Product: 50397 - updated
>
> nginx backends config:
>         upstream backends {
>                 sticky name=cresist path=/;
>                 server 10.38.1.104:80 weight=10 max_fails=3
> fail_timeout=30s; # Child 1
>                 server 10.38.1.105:80 weight=10 max_fails=3
> fail_timeout=30s; # Child 2
>                 server 10.38.1.106:80 weight=10 max_fails=3
> fail_timeout=30s; # Child 3
>                 server 10.38.1.107:80 weight=10 max_fails=3
> fail_timeout=30s; # Child 4
>                 server 10.38.1.108:80 weight=10 max_fails=3
> fail_timeout=30s; # Child 5
>                 server 10.38.1.109:80 weight=10
max_fails=3
> fail_timeout=30s; # Child 6
>         }
>
> How can I set nginx not to split the load on another child if execution
> time is high?

How is the php script executed? Could you share more details
in the NGINX configuration file, an upstream description is just
a small part of the configuration file and it isn't enough.

--
Sergey Osokin

From adrian at wecode.ro Thu Jun 24 17:40:42 2021
From: adrian at wecode.ro (Adrian Bulgariu)
Date: Thu, 24 Jun 2021 20:40:42 +0300
Subject: Php script is getting executed multiple times on nginx as a proxy server
In-Reply-To:
References: <81aea1b9-a7b4-eb08-3183-1ca79113db61@wecode.ro>
Message-ID: <29685442-aeff-5e35-e346-b0ec50d16b16@wecode.ro>

The only error I could get was this one, using wget on Linux to call the script:

HTTP request sent, awaiting response... Read error (Success.) in headers.
Retrying.

and it is starting a new task on other servers ...

On 24-Jun-21 19:40, Sergey A. Osokin wrote:
> Hi Adrian,
>
> On Thu, Jun 24, 2021 at 08:18:05AM +0300, Adrian Bulgariu wrote:
>> Hello,
>>
>> I have nginx as a proxy server.
When I run a php script that takes a lot
>> of time to import (some product imports) I see in the log file that it
>> starts on a web child and after some time the script is called by
>> another child.
>>
>> From my file log:
>> [ ip of the child ] [iteration of product nr]
>> [ 10.38.1.106 ] [ 7724 ] Product: 50376 - updated
>> [ 10.38.1.106 ] [ 7725 ] Product: 50378 - updated
>> [ 10.38.1.106 ] [ 7726 ] Product: 50379 - updated
>> [ 10.38.1.106 ] [ 7727 ] Product: 50391 - updated
>> [ 10.38.1.105 ] [ 9453 ] ==============================
>> [ 10.38.1.106 ] [ 7728 ] Product: 50392 - updated
>> [ 10.38.1.105 ] [ 0 ] Product: 104474 - updated
>> [ 10.38.1.106 ] [ 7729 ] Product: 50394 - updated
>> [ 10.38.1.105 ] [ 1 ] Product: 104675 - updated
>> [ 10.38.1.106 ] [ 7730 ] Product: 50395 - updated
>> [ 10.38.1.105 ] [ 2 ] Product: 105186 - updated
>> [ 10.38.1.106 ] [ 7731 ] Product: 50396 - updated
>> [ 10.38.1.105 ] [ 3 ] Product: 106417 - updated
>> [ 10.38.1.106 ] [ 7732 ] Product: 50397 - updated
>>
>> nginx backends config:
>>         upstream backends {
>>                 sticky name=cresist path=/;
>>                 server 10.38.1.104:80 weight=10 max_fails=3
>> fail_timeout=30s; # Child 1
>>                 server 10.38.1.105:80 weight=10 max_fails=3
>> fail_timeout=30s; # Child 2
>>                 server 10.38.1.106:80 weight=10 max_fails=3
>> fail_timeout=30s; # Child 3
>>                 server 10.38.1.107:80 weight=10 max_fails=3
>> fail_timeout=30s; # Child 4
>>                 server 10.38.1.108:80 weight=10 max_fails=3
>> fail_timeout=30s; # Child 5
>>                 server 10.38.1.109:80 weight=10 max_fails=3
>> fail_timeout=30s; # Child 6
>>         }
>>
>> How can I set nginx not to split the load on another child if execution
>> time is high?
> How is the php script executed? Could you share more details
> in the NGINX configuration file, an upstream description is just
> a small part of the configuration file and it isn't enough.
>

From nginx-forum at forum.nginx.org Thu Jun 24 18:59:33 2021
From: nginx-forum at forum.nginx.org (malzad)
Date: Thu, 24 Jun 2021 14:59:33 -0400
Subject: How to implement a new load-balancing algorithm in Nginx
Message-ID: <696feab9d995001d675e22d9eef4737e.NginxMailingListEnglish@forum.nginx.org>

Hello,

is it possible to implement a new load-balancing algorithm in Nginx just like "least_conn", "ip_hash"? The algorithm will hash (not similar to generic hash provided by Nginx) some part of the URL and do some other calculations, and based on the calculation, the request will be passed to the appropriate backend server. If this is possible where should I begin?

Thanks in advance.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291913,291913#msg-291913

From nginx-forum at forum.nginx.org Thu Jun 24 19:36:42 2021
From: nginx-forum at forum.nginx.org (TheMask)
Date: Thu, 24 Jun 2021 15:36:42 -0400
Subject: Nginx caching 500 Internal Server Error response
Message-ID: <9ba6c158c2642a9ae05f5560a850f18e.NginxMailingListEnglish@forum.nginx.org>

Hi everyone,

We are using Nginx as reverse proxy. From last 8-9 months we are facing one issue in which nginx 500 response spike observed. And we didn't see any call to upstream. It seems like Nginx caches the 500 response and that is served back to user. We have to restart the Nginx every time when issue occurred.

As per Nginx Documentation by default nginx caches 200, 301 & 302 response code but we are observing that if Upstream server gives error 400 or 500 or 503, etc., response is getting cached and all other requests for same file becomes HIT. Though if we set proxy_cache_valid specifying response code (like proxy_cache_valid 200 15m;) then also it's caching the error response code but it's not caching 301 & 302 in that case. Why the same is not getting applied for error response code.

Please advise to resolve this issue.
Thanks,

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291914,291914#msg-291914

From mdounin at mdounin.ru Fri Jun 25 16:08:55 2021
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Fri, 25 Jun 2021 19:08:55 +0300
Subject: How to implement a new load-balancing algorithm in Nginx
In-Reply-To: <696feab9d995001d675e22d9eef4737e.NginxMailingListEnglish@forum.nginx.org>
References: <696feab9d995001d675e22d9eef4737e.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

Hello!

On Thu, Jun 24, 2021 at 02:59:33PM -0400, malzad wrote:

> is it possible to implement a new load-balancing algorithm in Nginx just
> like "least_conn", "ip_hash"? The algorithm will hash (not similar to
> generic hash provided by Nginx) some part of the URL and do some other
> calculations, and based on the calculation, the request will be passed to
> the appropriate backend server. If this is possible where should I begin?

http://nginx.org/en/docs/dev/development_guide.html#http_load_balancing

--
Maxim Dounin
http://mdounin.ru/

From nginx-forum at forum.nginx.org Fri Jun 25 16:58:34 2021
From: nginx-forum at forum.nginx.org (malzad)
Date: Fri, 25 Jun 2021 12:58:34 -0400
Subject: How to implement a new load-balancing algorithm in Nginx
In-Reply-To:
References:
Message-ID: <96e3406eab1f60f3f0b76d61d7d163d5.NginxMailingListEnglish@forum.nginx.org>

Hi Maxim,

Thanks a lot for the help. I will start to look into it.
Best,
Washik

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291913,291916#msg-291916

From nginx-forum at forum.nginx.org Sat Jun 26 12:26:50 2021
From: nginx-forum at forum.nginx.org (TheMask)
Date: Sat, 26 Jun 2021 08:26:50 -0400
Subject: Nginx caching 500 Internal Server Error response
In-Reply-To: <9ba6c158c2642a9ae05f5560a850f18e.NginxMailingListEnglish@forum.nginx.org>
References: <9ba6c158c2642a9ae05f5560a850f18e.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <18fa3288713f997754e5466c4f3be7d0.NginxMailingListEnglish@forum.nginx.org>

Does anyone know what are all the status codes Nginx caches by default and why it's caching 500 response?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291914,291920#msg-291920

From bee.lists at gmail.com Mon Jun 28 13:52:17 2021
From: bee.lists at gmail.com (BeeRich Lists)
Date: Mon, 28 Jun 2021 09:52:17 -0400
Subject: VHost Not Serving
Message-ID:

I have a VHost that isn't serving up. I've changed nothing, and it just started defaulting to the default_server.

The VHost is included in a catch-all for all the other local domains (my workstation):

include /opt/homebrew/etc/nginx/servers/*.conf;

I've even hard coded the VHost in its own include and even that isn't working.

I've rebooted the box, same thing. nginx.conf tests pass. Not sure what to be looking for. The logs in the VHost directives are not even being touched.

Would be nice to ask nginx what registered servers it sees, but I don't think nginx has that ability.

Any insight appreciated.

Cheers, Bee

From osa at freebsd.org.ru Mon Jun 28 14:21:02 2021
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Mon, 28 Jun 2021 17:21:02 +0300
Subject: VHost Not Serving
In-Reply-To:
References:
Message-ID:

Hi Bee,

hope you're doing well.

On Mon, Jun 28, 2021 at 09:52:17AM -0400, BeeRich Lists wrote:
> I have a VHost that isn't serving up. I've changed nothing, and it just started
> defaulting to the default_server.
>
> The VHost is included in a catch-all for all the other local domains (my workstation):
> include /opt/homebrew/etc/nginx/servers/*.conf;
>
> I've even hard coded the VHost in its own include and even that isn't working.

How did you test that? Could you provide an example of a request you sent
to NGINX and response you received. Please use curl command for an URL
with `-vk' flags, i.e.

% curl -vk http://www.example.com/

> I've rebooted the box, same thing. nginx.conf tests pass. Not sure what to be
> looking for. The logs in the VHost directives are not even being touched.
>
> Would be nice to ask nginx what registered servers it sees, but I don't think
> nginx has that ability.
>
> Any insight appreciated.
>
> Cheers, Bee

Also, could you provide the NGINX configuration file.

--
Sergey Osokin

From nginx-forum at forum.nginx.org Mon Jun 28 14:34:42 2021
From: nginx-forum at forum.nginx.org (kay)
Date: Mon, 28 Jun 2021 10:34:42 -0400
Subject: Dynamically resolving smtp upstream hostnames
In-Reply-To:
References:
Message-ID:

Any clues on how to solve this?
Do I need to submit a feature request to resolve SMTP hostnames the same way it is done in HTTP proxy_pass directive?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291890,291927#msg-291927

From mdounin at mdounin.ru Mon Jun 28 14:59:54 2021
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Mon, 28 Jun 2021 17:59:54 +0300
Subject: Dynamically resolving smtp upstream hostnames
In-Reply-To:
References:
Message-ID:

Hello!

On Mon, Jun 28, 2021 at 10:34:42AM -0400, kay wrote:

> Any clues on how to solve this?
> Do I need to submit a feature request to resolve SMTP hostnames the same way
> it is done in HTTP proxy_pass directive?

There are no plans to implement something like this. The IP
address is expected to be returned by the auth_http script. If
you need to resolve a name to get the IP address, consider
implementing this in your auth_http script.
--
Maxim Dounin
http://mdounin.ru/

From francis at daoine.org Mon Jun 28 18:10:00 2021
From: francis at daoine.org (Francis Daly)
Date: Mon, 28 Jun 2021 19:10:00 +0100
Subject: Nginx caching 500 Internal Server Error response
In-Reply-To: <9ba6c158c2642a9ae05f5560a850f18e.NginxMailingListEnglish@forum.nginx.org>
References: <9ba6c158c2642a9ae05f5560a850f18e.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20210628181000.GX11167@daoine.org>

On Thu, Jun 24, 2021 at 03:36:42PM -0400, TheMask wrote:

Hi there,

> From last 8-9 months we are facing one issue in which nginx 500 response
> spike observed. And we didn't see any call to upstream. It seems like Nginx
> caches the 500 response and that is served back to user.
> We have to restart the Nginx every time when issue occurred.

You appear to be reporting that your configuration is doing something
that the documentation suggests should not happen by default.

Can you share a configuration that shows the problem?

(And, just in case -- can you see that the response is an actual http 500,
not a http 200 with an application-specific "this is a 500" in the
response body?)

Thanks,

f
--
Francis Daly francis at daoine.org

From francis at daoine.org Mon Jun 28 18:15:40 2021
From: francis at daoine.org (Francis Daly)
Date: Mon, 28 Jun 2021 19:15:40 +0100
Subject: Help: Using Nginx Reverse Proxy bypass traffic in to a application running in a container
In-Reply-To:
References:
Message-ID: <20210628181540.GY11167@daoine.org>

On Sun, Jun 06, 2021 at 02:14:33PM +0530, Amila Gunathilaka wrote:

Hi there,

> > The simplest-to-understand fix, assuming that this is a test system where
> you are happy to start again, is probably to stop nginx, remove the
> /var/lib/nginx/proxy/ directory and all of its
> - contents, create the directory again as the user that nginx runs as,
> and then start nginx.
>
> I actually didn't have any "proxy_cache" or "proxy_cache_path" defined in
> my nginx.conf file but I did remove /var/lib/nginx/proxy/ directory and
> re-create as you requested and yes now I'm not getting any
> permission-denied error or any error in the error.log file when I access
> the url. So thank you for this !

Good that you no longer have that error message!

And also good that the other issues seem to be resolved too.

> All good now !!! Thanks again for your immense help.

You're welcome. I'm glad you have it working now.

It's simplest to keep the questions and answers on the list, where others
can benefit from them too.

Cheers,

f
--
Francis Daly francis at daoine.org

From lists at viaduct-productions.com Mon Jun 28 19:00:45 2021
From: lists at viaduct-productions.com (VP Lists)
Date: Mon, 28 Jun 2021 15:00:45 -0400
Subject: VHost Not Serving
In-Reply-To:
References:
Message-ID: <524C983B-89B2-4E91-90A2-D24345E30681@viaduct-productions.com>

Hi there.

I used:

curl alpha.local

It returned hq3.local source.
Here's the main nginx.conf then the included domain.conf:

worker_processes auto;
load_module /opt/homebrew/opt/passenger/libexec/modules/ngx_http_passenger_module.so;
error_log /opt/homebrew/var/log/error.log notice ;
pid /opt/homebrew/var/run/nginx.pid;

events {
    worker_connections 256;
}

http {
    server_names_hash_bucket_size 64;
    access_log /opt/homebrew/var/log/access.log;
    error_log /opt/homebrew/var/log/error_gen.log;
    passenger_root /opt/homebrew/opt/passenger/libexec/src/ruby_supportlib/phusion_passenger/locations.ini;
    passenger_ruby /Users/rich/.rbenv/shims/ruby; # pass_info in terminal
    passenger_friendly_error_pages on;

    server {
        listen 80 default_server;
        server_name hq3.local; # hq.local
        include /opt/homebrew/etc/nginx/mime.types;
        access_log /opt/homebrew/var/log/access_HQ.log;
        error_log /opt/homebrew/var/log/error_HQ.log warn;
        error_page 404 /Users/rich/Sites/HQ/public/404.html;
        root /Users/rich/Sites/HQ/public;
        passenger_enabled on;
        passenger_base_uri /;
        location / {
            autoindex off;
            # try_files $uri $uri/ /index.html?$query_string;
            index index.html;
        }
        location = /favicon.ico { access_log off; log_not_found off; }
        location = /robots.txt { access_log off; log_not_found off; }
        sendfile off;
    }

    server {
        listen 80;
        server_name charlie.local;
        return 301 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl;
        server_name charlie.local; # charlie.local
        ssl_certificate /Users/rich/Sites/charlie/charlie.local.pem;
        ssl_certificate_key /Users/rich/Sites/charlie/charlie.local-key.pem;
        ssl_ciphers ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        include /opt/homebrew/etc/nginx/mime.types;
        access_log /opt/homebrew/var/log/access_charlie.log;
        error_log /opt/homebrew/var/log/error_charlie.log warn;
        error_page 404 /404.html;
        root /Users/rich/Sites/charlie/public;
        passenger_enabled on;
        passenger_base_uri /;
    }

    server {
        listen 80;
        server_name vp.local; # vp.local
        include /opt/homebrew/etc/nginx/mime.types;
        access_log /opt/homebrew/var/log/access_VP.log;
        error_log
/opt/homebrew/var/log/error_VP.log warn;
        error_page 404 /404.html;
        root /Users/rich/Sites/VP6/public;
        passenger_enabled on;
        passenger_base_uri /;
        location / {
            autoindex off;
            index index.html;
        }
        location = /img/favicon.ico { access_log off; log_not_found off; }
        location = /robots.txt { access_log off; log_not_found off; }
        sendfile off;
    }

    include /opt/homebrew/etc/nginx/servers/*.conf; # resolution problem here
    # include /opt/homebrew/etc/nginx/servers/alpha.conf;
    # include /opt/homebrew/etc/nginx/servers/bravo.conf;
}

alpha.conf:

server {
    server_name alpha.local
    listen 80;
    include /opt/homebrew/etc/nginx/mime.types;
    access_log /opt/homebrew/var/log/access_alpha.log;
    error_log /opt/homebrew/var/log/error_alpha.log warn;
    error_page 404 /404.html;
    client_max_body_size 12M;
    root /Users/rich/Sites/alpha/public;
    passenger_enabled on;
    passenger_base_uri /;
    location = /img/favicon.ico { access_log off;}
}

_____________
Rich in Toronto @ VP

> On Jun 28, 2021, at 10:21 AM, Sergey A. Osokin wrote:
>
> Hi Bee,
>
> hope you're doing well.
>
> On Mon, Jun 28, 2021 at 09:52:17AM -0400, BeeRich Lists wrote:
>> I have a VHost that isn't serving up. I've changed nothing, and it just started
>> defaulting to the default_server.
>>
>> The VHost is included in a catch-all for all the other local domains (my workstation):
>> include /opt/homebrew/etc/nginx/servers/*.conf;
>>
>> I've even hard coded the VHost in its own include and even that isn't working.
>
> How did you test that? Could you provide an example of a request you sent
> to NGINX and response you received. Please use curl command for an URL
> with `-vk' flags, i.e.
>
> % curl -vk http://www.example.com/
>
>> I've rebooted the box, same thing. nginx.conf tests pass. Not sure what to be
>> looking for. The logs in the VHost directives are not even being touched.
>>
>> Would be nice to ask nginx what registered servers it sees, but I don't think
>> nginx has that ability.
>>
>> Any insight appreciated.
>>
>> Cheers, Bee
>
> Also, could you provide the NGINX configuration file.

From osa at freebsd.org.ru Mon Jun 28 22:35:50 2021
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Tue, 29 Jun 2021 01:35:50 +0300
Subject: VHost Not Serving
In-Reply-To: <524C983B-89B2-4E91-90A2-D24345E30681@viaduct-productions.com>
References: <524C983B-89B2-4E91-90A2-D24345E30681@viaduct-productions.com>
Message-ID:

Hi Rich,

On Mon, Jun 28, 2021 at 03:00:45PM -0400, VP Lists wrote:
> Hi there.
>
> I used:
>
> curl alpha.local
>
> It returned hq3.local source.

Seems like curl didn't send a valid "Host: alpha.local" header for some reason,
that's why NGINX replied with an answer for default_server.

Could you try the following request:

curl -v -H "Host: alpha.local" http://alpha.local/

--
Sergey Osokin

From bee.lists at gmail.com Mon Jun 28 22:55:38 2021
From: bee.lists at gmail.com (BeeRich Lists)
Date: Mon, 28 Jun 2021 18:55:38 -0400
Subject: VHost Not Serving
In-Reply-To:
References: <524C983B-89B2-4E91-90A2-D24345E30681@viaduct-productions.com>
Message-ID: <57103DC7-21F3-45D6-A209-ED19D193A9CC@gmail.com>

Same result. Default returned. Nothing in access log nor error log.

Cheers, Bee

> On Jun 28, 2021, at 6:35 PM, Sergey A. Osokin wrote:
>
> Seems like curl didn't send a valid "Host: alpha.local" header for some reason,
> that's why NGINX replied with an answer for default_server.
>
> Could you try the following request:
>
> curl -v -H "Host: alpha.local" http://alpha.local/

From osa at freebsd.org.ru Mon Jun 28 23:08:46 2021
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Tue, 29 Jun 2021 02:08:46 +0300
Subject: VHost Not Serving
In-Reply-To: <57103DC7-21F3-45D6-A209-ED19D193A9CC@gmail.com>
References: <524C983B-89B2-4E91-90A2-D24345E30681@viaduct-productions.com> <57103DC7-21F3-45D6-A209-ED19D193A9CC@gmail.com>
Message-ID:

On Mon, Jun 28, 2021 at 06:55:38PM -0400, BeeRich Lists wrote:
> Same result. Default returned. Nothing in access log nor error log.

Well, let's see how many servers are configured, could you provide
an output of the following command:

% nginx -T

--
Sergey

From bee.lists at gmail.com Mon Jun 28 23:20:36 2021
From: bee.lists at gmail.com (BeeRich Lists)
Date: Mon, 28 Jun 2021 19:20:36 -0400
Subject: VHost Not Serving
In-Reply-To:
References: <524C983B-89B2-4E91-90A2-D24345E30681@viaduct-productions.com> <57103DC7-21F3-45D6-A209-ED19D193A9CC@gmail.com>
Message-ID: <068BAA65-F471-4530-BF77-6A3E7E2DE386@gmail.com>

Ya that's too many to report. I have a catch-all with *.conf. I can restrict it down to that main nginx.conf and the extra VHost.

Same as I posted before. Same result. This has the main two in my nginx.conf, and the included one. That last one has its own conf file:

include /opt/homebrew/etc/nginx/servers/alpha.conf;

Cheers, Bee

> On Jun 28, 2021, at 7:08 PM, Sergey A. Osokin wrote:
>
> % nginx -T

From bee.lists at gmail.com Mon Jun 28 23:23:05 2021
From: bee.lists at gmail.com (BeeRich Lists)
Date: Mon, 28 Jun 2021 19:23:05 -0400
Subject: VHost Not Serving
In-Reply-To:
References: <524C983B-89B2-4E91-90A2-D24345E30681@viaduct-productions.com> <57103DC7-21F3-45D6-A209-ED19D193A9CC@gmail.com>
Message-ID: <166AE6D7-CD8E-4946-8995-4EC3336DDFAF@gmail.com>

I did notice that nginx.conf structure started to recognize trailing semicolons recently. I have updated to a new OS from an old box on several versions ago.

Comments are allowed on the same line in nginx.conf still?

Cheers, Bee

> On Jun 28, 2021, at 7:08 PM, Sergey A. Osokin wrote:
>
> Well, let's see how many servers are configured, could you provide
> an output of the following command:
>
> % nginx -T

From osa at freebsd.org.ru Mon Jun 28 23:27:49 2021
From: osa at freebsd.org.ru (Sergey A.
Osokin)
Date: Tue, 29 Jun 2021 02:27:49 +0300
Subject: VHost Not Serving
In-Reply-To: <068BAA65-F471-4530-BF77-6A3E7E2DE386@gmail.com>
References: <524C983B-89B2-4E91-90A2-D24345E30681@viaduct-productions.com> <57103DC7-21F3-45D6-A209-ED19D193A9CC@gmail.com> <068BAA65-F471-4530-BF77-6A3E7E2DE386@gmail.com>
Message-ID:

On Mon, Jun 28, 2021 at 07:20:36PM -0400, BeeRich Lists wrote:
> Ya that's too many to report. I have a catch-all with *.conf. I can restrict
> it down to that main nginx.conf and the extra VHost.
>
> Same as I posted before. Same result. This has the main two in my nginx.conf,
> and the included one. That last one has its own conf file:
>
> include /opt/homebrew/etc/nginx/servers/alpha.conf;
>
> Cheers, Bee

I can't reproduce the issue locally. Here's the config:

server {
    listen 80 default_server;
    server_name hq3.local;
    return 200 "OK: hq3.local\n";
}

server {
    listen 80;
    server_name alpha.local;
    return 200 "OK: alpha.local\n";
}

And here's the requests:

% curl http://alpha.local
OK: alpha.local
% curl http://hq3.local
OK: hq3.local
% curl http://vp.local
OK: hq3.local

Last site is resolvable, but there's nothing in config about that one.

--
Sergey

From bee.lists at gmail.com Tue Jun 29 00:21:32 2021
From: bee.lists at gmail.com (BeeRich Lists)
Date: Mon, 28 Jun 2021 20:21:32 -0400
Subject: VHost Not Serving
In-Reply-To:
References: <524C983B-89B2-4E91-90A2-D24345E30681@viaduct-productions.com> <57103DC7-21F3-45D6-A209-ED19D193A9CC@gmail.com> <068BAA65-F471-4530-BF77-6A3E7E2DE386@gmail.com>
Message-ID: <8B6573DA-0424-47A9-8DA1-F99F3712283E@gmail.com>

OK, I've inserted that return into the conf file. BUT, there's an error from an entry I've had in there before of a master error.log. It says the path provided is no such file or directory. That path is nowhere to be found in nginx.conf or alpha.conf.

Something wrong with nginx? It isn't reading the conf file.

Reported: nginx 1.21.0

Cheers, Bee

> On Jun 28, 2021, at 7:27 PM, Sergey A.
Osokin wrote:
>
> I can't reproduce the issue locally. Here's the config:
>
> server {
>     listen 80 default_server;
>     server_name hq3.local;
>     return 200 "OK: hq3.local\n";
> }
>
> server {
>     listen 80;
>     server_name alpha.local;
>     return 200 "OK: alpha.local\n";
> }
>
> And here's the requests:
>
> % curl http://alpha.local
> OK: alpha.local
> % curl http://hq3.local
> OK: hq3.local
> % curl http://vp.local
> OK: hq3.local
>
> Last site is resolvable, but there's nothing in config about that one.

From xeioex at nginx.com Tue Jun 29 16:08:23 2021
From: xeioex at nginx.com (Dmitry Volyntsev)
Date: Tue, 29 Jun 2021 19:08:23 +0300
Subject: njs-0.6.1
Message-ID: <237585ec-20bd-196a-fd1f-3a1d5d7a3142@nginx.com>

Hello,

This is a bugfix release that fixes RegExp matching for a regular
expression containing UTF-8 characters.

The matching of ASCII or byte string by UTF-8 regexp was always negative.
What methods were affected:
- RegExp.prototype.exec() (since 0.4.2)
- RegExp.prototype.test() (since 0.5.3)

You can learn more about njs:
- Overview and introduction: http://nginx.org/en/docs/njs/
- NGINX JavaScript in Your Web Server Configuration: https://youtu.be/Jc_L6UffFOs
- Extending NGINX with Custom Code: https://youtu.be/0CVhq4AUU7M
- Using node modules with njs: http://nginx.org/en/docs/njs/node_modules.html
- Writing njs code using TypeScript definition files: http://nginx.org/en/docs/njs/typescript.html

Feel free to try it and give us feedback on:
- Github: https://github.com/nginx/njs/issues
- Mailing list: http://mailman.nginx.org/mailman/listinfo/nginx-devel

Changes with njs 0.6.1                                        29 Jun 2021

*) Bugfix: fixed RegExpBuiltinExec() with UTF-8 only regexps.
   The bug was introduced in 0.4.2.

*) Bugfix: fixed parsing of export default declaration with
   non-assignment expressions.
   Thanks to Artem S. Povalyukhin.

From hans at middelhoek.nl Wed Jun 30 15:01:11 2021
From: hans at middelhoek.nl (Hans Middelhoek)
Date: Wed, 30 Jun 2021 17:01:11 +0200
Subject: HTTP request smuggling
Message-ID:

Hello,

Recently I got a report from a security researcher who said I'm vulnerable for HTTP request smuggling attacks and included a demonstration. I couldn't imagine he was right because I'm using HTTP/1.0 connections between Nginx (reverse proxy) and Apache. It should only be possible when Nginx and Apache are reusing their connections, in real life that means they're using keepalive but that's not possible with HTTP/1.0 and therefore my setup shouldn't be vulnerable to this attack.

I tested his demonstration and am able to get the same result. Strange thing is that I also get this outcome with Nginx as standalone webserver, tested with different versions from 1.13.3 to 1.19.6 with default configuration on Debian Stretch.

I used the Request Editor of OWASP ZAP (zaproxy) to test the following request:
------------------------------
POST / HTTP/1.1
Transfer-Encoding: chunked
Content-Length: 32
Foo: bar
Host: vulnerable-domain.com

0

GET /admin7 HTTP/1.1
X-Foo: k
------------------------------

Processing the request twice results in a 405 (not allowed) the first time and 404 (not found) the second time. The Nginx logs show the /admin7 GET request the second time.

When I set keepalive_timeout 0; this doesn't work anymore. The same request doesn't work on Apache 2.4 with keepalive enabled. It seems like Nginx is vulnerable to this type of attack, what am I missing?

Thanks!
Hans

From mdounin at mdounin.ru Wed Jun 30 16:13:32 2021
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 30 Jun 2021 19:13:32 +0300
Subject: HTTP request smuggling
In-Reply-To:
References:
Message-ID:

Hello!

On Wed, Jun 30, 2021 at 05:01:11PM +0200, Hans Middelhoek wrote:

> Recently I got a report from a security researcher who said I'm
> vulnerable for HTTP request smuggling attacks and included a
> demonstration.
I couldn't imagine he was right because I'm using
> HTTP/1.0 connections between Nginx (reverse proxy) and Apache. It should
> only be possible when Nginx and Apache are reusing their connections, in
> real life that means they're using keepalive but that's not possible
> with HTTP/1.0 and therefore my setup shouldn't be vulnerable to this attack.
>
> I tested his demonstration and am able to get the same result. Strange
> thing is that I also get this outcome with Nginx as standalone
> webserver, tested with different versions from 1.13.3 to 1.19.6 with
> default configuration on Debian Stretch.
>
> I used the Request Editor of OWASP ZAP (zaproxy) to test the following
> request:
> ------------------------------
> POST / HTTP/1.1
> Transfer-Encoding: chunked
> Content-Length: 32
> Foo: bar
> Host: vulnerable-domain.com
>
> 0
>
> GET /admin7 HTTP/1.1
> X-Foo: k
> ------------------------------
>
> Processing the request twice results in a 405 (not allowed) the first
> time and 404 (not found) the second time. The Nginx logs show the
> /admin7 GET request the second time.
>
> When I set keepalive_timeout 0; this doesn't work anymore. The same
> request doesn't work on Apache 2.4 with keepalive enabled. It seems like
> Nginx is vulnerable to this type of attack, what am I missing?

The provided listing contains two separate requests, the "POST /"
request with an empty body using chunked transfer encoding, and
the "GET /admin7" request.

Note that "Transfer-Encoding: chunked" takes precedence over the
"Content-Length: 32", see RFC 7230, section 3.3.3 "Message Body
Length" for details
(https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3):

   If a message is received with both a Transfer-Encoding and a
   Content-Length header field, the Transfer-Encoding overrides the
   Content-Length.

Unfortunately, many "security researchers" out there do not know
how HTTP works, and generate many false reports.

Hope this helps.

--
Maxim Dounin
http://mdounin.ru/

From hans at middelhoek.nl Wed Jun 30 17:03:57 2021
From: hans at middelhoek.nl (Hans Middelhoek)
Date: Wed, 30 Jun 2021 19:03:57 +0200
Subject: HTTP request smuggling
In-Reply-To:
References:
Message-ID:

Hi Maxim,

Thanks! That makes sense to me. I like to understand things a little better and hope you can help with that:

1) Why is the result different when I disable keepalive in Nginx? After disabling keepalive the second request isn't executed anymore.

2) Do you know why Apache responds the same as Nginx with keepalive disabled?

Op 30-6-2021 om 18:13 schreef Maxim Dounin:
> Hello!
>
> On Wed, Jun 30, 2021 at 05:01:11PM +0200, Hans Middelhoek wrote:
>
>> Recently I got a report from a security researcher who said I'm
>> vulnerable for HTTP request smuggling attacks and included a
>> demonstration. I couldn't imagine he was right because I'm using
>> HTTP/1.0 connections between Nginx (reverse proxy) and Apache. It should
>> only be possible when Nginx and Apache are reusing their connections, in
>> real life that means they're using keepalive but that's not possible
>> with HTTP/1.0 and therefore my setup shouldn't be vulnerable to this attack.
>>
>> I tested his demonstration and am able to get the same result. Strange
>> thing is that I also get this outcome with Nginx as standalone
>> webserver, tested with different versions from 1.13.3 to 1.19.6 with
>> default configuration on Debian Stretch.
>>
>> I used the Request Editor of OWASP ZAP (zaproxy) to test the following
>> request:
>> ------------------------------
>> POST / HTTP/1.1
>> Transfer-Encoding: chunked
>> Content-Length: 32
>> Foo: bar
>> Host: vulnerable-domain.com
>>
>> 0
>>
>> GET /admin7 HTTP/1.1
>> X-Foo: k
>> ------------------------------
>>
>> Processing the request twice results in a 405 (not allowed) the first
>> time and 404 (not found) the second time. The Nginx logs show the
>> /admin7 GET request the second time.
>>
>> When I set keepalive_timeout 0; this doesn't work anymore. The same
>> request doesn't work on Apache 2.4 with keepalive enabled. It seems like
>> Nginx is vulnerable to this type of attack, what am I missing?
>
> The provided listing contains two separate requests, the "POST /"
> request with an empty body using chunked transfer encoding, and
> the "GET /admin7" request.
>
> Note that "Transfer-Encoding: chunked" takes precedence over the
> "Content-Length: 32", see RFC 7230, section 3.3.3 "Message Body
> Length" for details
> (https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3):
>
>    If a message is received with both a Transfer-Encoding and a
>    Content-Length header field, the Transfer-Encoding overrides the
>    Content-Length.
>
> Unfortunately, many "security researchers" out there do not know
> how HTTP works, and generate many false reports.
>
> Hope this helps.
>

From mdounin at mdounin.ru Wed Jun 30 19:17:32 2021
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 30 Jun 2021 22:17:32 +0300
Subject: HTTP request smuggling
In-Reply-To:
References:
Message-ID:

Hello!

On Wed, Jun 30, 2021 at 07:03:57PM +0200, Hans Middelhoek wrote:

> Thanks! That makes sense to me. I like to understand things a little
> better and hope you can help with that:
>
> 1) Why is the result different when I disable keepalive in Nginx? After
> disabling keepalive the second request isn't executed anymore.

Because multiple requests in the same connection only work with
keepalive. As long as keepalive is disabled, only the first
request in the connection is processed. To make additional
requests the client have to open additional connections.

> 2) Do you know why Apache respond the same as Nginx with
> keepalive disabled?

Because keepalive is disabled on the Apache server you are testing
against? As long as keepalive is enabled, the same requests work
perfectly with Apache and return two responses as they should.
--
Maxim Dounin
http://mdounin.ru/

From hans at middelhoek.nl Wed Jun 30 20:49:53 2021
From: hans at middelhoek.nl (Hans Middelhoek)
Date: Wed, 30 Jun 2021 22:49:53 +0200
Subject: HTTP request smuggling
In-Reply-To:
References:
Message-ID: <204d413c-33be-d38d-9de3-3aab435c42e4@middelhoek.nl>

Hi Maxim,

On 30-6-2021 at 21:17, Maxim Dounin wrote:
> Hello!
>
> On Wed, Jun 30, 2021 at 07:03:57PM +0200, Hans Middelhoek wrote:
>
>> Thanks! That makes sense to me. I like to understand things a little
>> better and hope you can help with that:
>>
>> 1) Why is the result different when I disable keepalive in Nginx? After
>> disabling keepalive the second request isn't executed anymore.
> Because multiple requests in the same connection only work with
> keepalive. As long as keepalive is disabled, only the first
> request in the connection is processed. To make additional
> requests the client has to open additional connections.

Thank you! That should have been obvious.

>> 2) Do you know why Apache responds the same as Nginx with
>> keepalive disabled?
> Because keepalive is disabled on the Apache server you are testing
> against? As long as keepalive is enabled, the same requests work
> perfectly with Apache and return two responses as they should.
>

Keepalive is enabled in Apache. I enabled more verbose logging to find
the cause. Apache doesn't allow the first request and gives a 400 error,
error log:

(22)Invalid argument: [client xx.xx.xx.xx:xxxxx] AH01590: Error reading/parsing chunk

I suppose the connection is closed directly because of the error and
therefore the second request isn't executed.

I changed my test to confirm that Apache will handle the 2 requests
within the same connection:

POST / HTTP/1.1
Content-Length: 0
Foo: bar
Host: vulnerable-domain.com

GET /admin7 HTTP/1.1
X-Foo: k

That works. It looks like Apache is very picky in the processing of the
Transfer-Encoding header.

Thank you for your help!
Kind regards,
Hans

From nginx-forum at forum.nginx.org Wed Jun 30 23:31:43 2021
From: nginx-forum at forum.nginx.org (yosef)
Date: Wed, 30 Jun 2021 19:31:43 -0400
Subject: Problem with aliases
Message-ID: <78655efb41ec7f4e881fa809f6e383d9.NginxMailingListEnglish@forum.nginx.org>

Hello,

I'm trying to use several blocks in my server using the server IP as
server name (no domain yet), each block points to a folder containing
WordPress. I don't know what I'm doing wrong because instead of running
index.php nginx is downloading the file.

Here is my configuration file:

server {
    listen 80;
    listen [::]:80;
    index index.php;
    server_name 173.230.131.168;

    location ^~ /proj1 {
        alias /var/www/proj1/public_html;
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    location ^~ /proj2 {
        alias /var/www/proj2/public_html;
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    }
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,291964,291964#msg-291964
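
Added example, not part of any message above and not nginx or Apache code: for the "HTTP request smuggling" thread, a small Python framing parser that applies the RFC 7230 section 3.3.3 rule Maxim Dounin cites to the request Hans Middelhoek posted, showing that the bytes split into a POST with an empty chunked body followed by a separate GET /admin7. The function names are hypothetical and the sample is constructed from the posted listing; the parser assumes CRLF line endings and no chunk extensions, and validates only what framing needs.

```python
import re

def read_chunked(buf, pos):  # -> (body, end offset), or None if incomplete
    body = b""
    while True:
        eol = buf.find(b"\r\n", pos)
        if eol < 0:
            return None
        if not re.fullmatch(rb"[0-9A-Fa-f]+", buf[pos:eol]):  # strict hex size
            raise ValueError("malformed chunk size")
        size, pos = int(buf[pos:eol], 16), eol + 2
        if size == 0:  # last chunk: the message ends at the next empty line
            end = buf.find(b"\r\n\r\n", pos - 2)
            return None if end < 0 else (body, end + 4)
        if len(buf) < pos + size + 2:
            return None
        body, pos = body + buf[pos:pos + size], pos + size + 2

def split_requests(buf):  # -> ([(method, target, body, te_and_cl)], leftover)
    requests, pos = [], 0
    while True:
        head_end = buf.find(b"\r\n\r\n", pos)
        if head_end < 0:
            return requests, buf[pos:]  # header block not complete yet
        lines = buf[pos:head_end].decode("latin-1").split("\r\n")
        method, target, _ = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.setdefault(name.lower(), []).append(value.strip())
        te, cl = headers.get("transfer-encoding"), headers.get("content-length")
        if te:  # RFC 7230 3.3.3: Transfer-Encoding overrides Content-Length
            if te[-1].split(",")[-1].strip().lower() != "chunked":
                raise ValueError("final transfer coding is not chunked")
            decoded = read_chunked(buf, head_end + 4)
        else:
            if cl and (len(set(cl)) > 1 or not re.fullmatch(r"[0-9]+", cl[0])):
                raise ValueError("invalid Content-Length")
            end = head_end + 4 + (int(cl[0]) if cl else 0)
            decoded = (buf[head_end + 4:end], end) if end <= len(buf) else None
        if decoded is None:
            return requests, buf[pos:]  # body not complete yet
        requests.append((method, target, decoded[0], bool(te and cl)))
        pos = decoded[1]

# Constructed sample: the thread's request, CRLF endings, final blank line added.
SAMPLE = (b"POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\nContent-Length: 32\r\n"
          b"Foo: bar\r\nHost: vulnerable-domain.com\r\n\r\n0\r\n\r\n"
          b"GET /admin7 HTTP/1.1\r\nX-Foo: k\r\n\r\n")
print(split_requests(SAMPLE))
```

The fourth tuple element marks a request that carries both Transfer-Encoding and Content-Length, which RFC 7230 section 3.3.3 says ought to be handled as an error and which a proxy must forward without the Content-Length field.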