From mdounin at mdounin.ru Tue Nov 2 15:08:54 2021
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 2 Nov 2021 18:08:54 +0300
Subject: nginx-1.21.4
Message-ID:

Changes with nginx 1.21.4                                        02 Nov 2021

    *) Change: support for NPN instead of ALPN to establish HTTP/2
       connections has been removed.

    *) Change: now nginx rejects SSL connections if ALPN is used by the
       client, but no supported protocols can be negotiated.

    *) Change: the default value of the "sendfile_max_chunk" directive was
       changed to 2 megabytes.

    *) Feature: the "proxy_half_close" directive in the stream module.

    *) Feature: the "ssl_alpn" directive in the stream module.

    *) Feature: the $ssl_alpn_protocol variable.

    *) Feature: support for SSL_sendfile() when using OpenSSL 3.0.

    *) Feature: the "mp4_start_key_frame" directive in the
       ngx_http_mp4_module.
       Thanks to Tracey Jaquith.

    *) Bugfix: in the $content_length variable when using chunked transfer
       encoding.

    *) Bugfix: after receiving a response with incorrect length from a
       proxied backend nginx might nevertheless cache the connection.
       Thanks to Awdhesh Mathpal.

    *) Bugfix: invalid headers from backends were logged at the "info" level
       instead of "error"; the bug had appeared in 1.21.1.

    *) Bugfix: requests might hang when using HTTP/2 and the "aio_write"
       directive.


-- 
Maxim Dounin
http://nginx.org/


From nginx-forum at forum.nginx.org Tue Nov 2 19:46:17 2021
From: nginx-forum at forum.nginx.org (deeztek)
Date: Tue, 02 Nov 2021 15:46:17 -0400
Subject: Help with static content
Message-ID: <94dbdf51db33419babf79f1cb89a0b3e.NginxMailingListEnglish@forum.nginx.org>

I'm having a problem with Nginx serving static content (.css, .js, .png, .jpg etc.).

In the below configuration, if I access the server via IP address static content is served with no problem. However, if I switch to host name, I get a 404 for all static content.
=== nginx.conf starts here ===

server {
    #LISTEN CONFIG
    listen 443 ssl;
    #HSTS CONFIG UNCOMMENT BELOW TO ENABLE
    add_header Strict-Transport-Security "max-age=31536000; preload";
    keepalive_timeout 70;
    #LOGS CONFIG
    access_log /var/log/nginx/hermes_access.log;
    error_log /var/log/nginx/hermes_error.log warn;
    #SSL LETS ENCRYPT CERTIFICATE CONFIG
    ssl_certificate /etc/letsencrypt/live/host.domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/host.domain.tld/privkey.pem;
    # Turn on OCSP stapling as recommended at
    # https://community.letsencrypt.org/t/integration-guide/13123
    # requires nginx version >= 1.3.7
    #ssl_stapling on;
    #ssl_stapling_verify on;
    # maintain the .well-known directory alias for Lets Encrypt Certificate Renewals
    location /.well-known {
        root /var/www/html/;
    }
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    #ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    proxy_max_temp_file_size 5120m;
    client_max_body_size 5120m;
    #set_real_ip_from 192.XXX.XXX.XXX/24;
    #real_ip_header X-Forwarded-For;
    #real_ip_recursive on;
    include /etc/nginx/snippets/authelia.conf; # Authelia auth endpoint
    index index.cfm;

    location / {
        set $upstream_authelia http://127.0.0.1:9091;
        proxy_pass $upstream_authelia;

        client_body_buffer_size 128k;

        #Timeout if the real server is dead
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

        # Advanced Proxy Config
        send_timeout 5m;
        proxy_read_timeout 360;
        proxy_send_timeout 360;
        proxy_connect_timeout 360;

        # Basic Proxy Config
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Uri $request_uri;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_redirect http:// $scheme://;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_cache_bypass $cookie_session;
        proxy_no_cache $cookie_session;
        proxy_buffers 64 256k;

        # If behind reverse proxy, forwards the correct IP
        set_real_ip_from 10.0.0.0/8;
        set_real_ip_from 172.0.0.0/8;
        set_real_ip_from 192.168.0.0/16;
        set_real_ip_from fc00::/7;
        real_ip_header X-Forwarded-For;
        real_ip_recursive on;
    }

    location /admin {
        proxy_pass http://localhost:8888;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        include /etc/nginx/snippets/auth.conf; # Activates Authelia for specified route/location, please ensure you have setup the domain in your configuration.yml
    }

    location /users {
        proxy_pass http://localhost:8888;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

=== nginx.conf ends here ===

=== authelia.conf starts here ===

# Virtual endpoint created by nginx to forward auth requests.
location /authelia {
    internal;
    set $upstream_authelia http://127.0.0.1:9091/api/verify;
    proxy_pass_request_body off;
    proxy_pass $upstream_authelia;
    proxy_set_header Content-Length "";

    # Timeout if the real server is dead
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

    # [REQUIRED] Needed by Authelia to check authorizations of the resource.
    # Provide either X-Original-URL and X-Forwarded-Proto or
    # X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both.
    # Those headers will be used by Authelia to deduce the target url of the user.

    # Basic Proxy Config
    client_body_buffer_size 128k;
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_redirect http:// $scheme://;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 4 32k;

    # Advanced Proxy Config
    send_timeout 5m;
    proxy_read_timeout 240;
    proxy_send_timeout 240;
    proxy_connect_timeout 240;
}

=== authelia.conf ends here ===

On the below config, if I change the following line from FQDN:

error_page 401 =302 https://host.domain.tld?rd=$target_url;

to IP:

error_page 401 =302 https://192.168.1.100?rd=$target_url;

and access using IP instead of FQDN static content works.

=== auth.conf starts here ===

# Basic Authelia Config
# Send a subsequent request to Authelia to verify if the user is authenticated
# and has the right permissions to access the resource.
auth_request /authelia;
# Set the `target_url` variable based on the request. It will be used to build the portal
# URL with the correct redirection parameter.
auth_request_set $target_url $scheme://$http_host$request_uri;
# Set the X-Forwarded-User and X-Forwarded-Groups with the headers
# returned by Authelia for the backends which can consume them.
# This is not safe, as the backend must make sure that they come from the
# proxy. In the future, it's gonna be safe to just use OAuth.
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Name $name;
proxy_set_header Remote-Email $email;
# If Authelia returns 401, then nginx redirects the user to the login portal.
# If it returns 200, then the request pass through to the backend.
# For other type of errors, nginx will handle them as usual.
error_page 401 =302 https://host.domain.tld?rd=$target_url;

=== auth.conf ends here ===

I tried adding the following in the server block but it didn't make a difference:

location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
    # Some basic cache-control for static files to be sent to the browser
    expires max;
    add_header Pragma public;
    add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292742,292742#msg-292742


From mailinglist at unix-solution.de Tue Nov 2 20:11:52 2021
From: mailinglist at unix-solution.de (basti)
Date: Tue, 2 Nov 2021 21:11:52 +0100
Subject: Help with static content
In-Reply-To: <94dbdf51db33419babf79f1cb89a0b3e.NginxMailingListEnglish@forum.nginx.org>
References: <94dbdf51db33419babf79f1cb89a0b3e.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

First of all try to add a "server_name".
See http://nginx.org/en/docs/http/server_names.html

On 02.11.21 at 20:46, deeztek wrote:
> I'm having a problem with Nginx serving static content (.css, .js, .png,
> .jpg etc.).
>
> In the below configuration, if I access the server via IP address static
> content is served with no problem. However, if I switch to host name, I get
> a 404 for all static content.
> [...]
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292742,292742#msg-292742
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>


From nginx-forum at forum.nginx.org Tue Nov 2 21:50:35 2021
From: nginx-forum at forum.nginx.org (deeztek)
Date: Tue, 02 Nov 2021 17:50:35 -0400
Subject: Help with static content
In-Reply-To:
References:
Message-ID: <7ff4bf10b560eed46a4ced7f0b4bf993.NginxMailingListEnglish@forum.nginx.org>

I already tried that with same results.
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292742,292744#msg-292744


From mailinglist at unix-solution.de Wed Nov 3 08:24:22 2021
From: mailinglist at unix-solution.de (basti)
Date: Wed, 3 Nov 2021 09:24:22 +0100
Subject: Help with static content
In-Reply-To: <7ff4bf10b560eed46a4ced7f0b4bf993.NginxMailingListEnglish@forum.nginx.org>
References: <7ff4bf10b560eed46a4ced7f0b4bf993.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <6d307ca6-e429-c2ed-9f81-d5ae1fbe3b66@unix-solution.de>

Check your config with 'nginx -T | less' for 'server_name _'.
This is a catch-all as described in the docs.

On 02.11.21 22:50, deeztek wrote:
> I already tried that with same results.
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292742,292744#msg-292744
>


From nginx-forum at forum.nginx.org Wed Nov 3 10:44:17 2021
From: nginx-forum at forum.nginx.org (deeztek)
Date: Wed, 03 Nov 2021 06:44:17 -0400
Subject: Help with static content
In-Reply-To: <6d307ca6-e429-c2ed-9f81-d5ae1fbe3b66@unix-solution.de>
References: <6d307ca6-e429-c2ed-9f81-d5ae1fbe3b66@unix-solution.de>
Message-ID: <13c605bb32bdad04795d1649c608ed69.NginxMailingListEnglish@forum.nginx.org>

I ran it and there were no problems found.

I think there is a misunderstanding. There are no errors in Nginx. Nginx starts with no problem and I'm able to access the application. The only problem is that static content is not being served when I configure and use a FQDN to access the application. When I switch to IP it all works.

Part of the problem is the fact that the / location has to be used by the Authelia authentication server in order to intercept traffic destined for the /admin location and present a login.
So I believe that's why the following does not make a difference, because it configures the / location which is used by the Authelia authentication server:

location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
    # Some basic cache-control for static files to be sent to the browser
    expires max;
    add_header Pragma public;
    add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}

Is there a way to configure something like above for another location besides ~* ?

Thanks

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292742,292748#msg-292748


From nginx-forum at forum.nginx.org Wed Nov 3 18:59:15 2021
From: nginx-forum at forum.nginx.org (johan.belin)
Date: Wed, 03 Nov 2021 14:59:15 -0400
Subject: SSL_write() failed (55: No buffer space available) while proxying upgraded connection
Message-ID:

I am a beginner so I am sorry for lacking info or stupid questions!

Building a WebRTC streaming media system based on mediasoup, the server runs on a MacMini M1 in node, nginx port forwards to 8400. We are doing load tests and at 120 connected clients nginx gives the following error message:

2021/11/03 19:10:07 [crit] 282#0: *659 SSL_write() failed (55: No buffer space available) while proxying upgraded connection, client: 35.187.32.242, server: idol.activeent.co, request: "GET /idol-server/ HTTP/1.1", upstream: "https://127.0.0.1:8400/", host: "idol.activeent.co"

Then after that there is another error

2021/11/03 19:10:11 [alert] 282#0: *771 socket() failed (24: Too many open files) while connecting to upstream, client: 23.251.143.177, server: idol.activeent.co, request: "GET /idol-server/ HTTP/1.1", upstream: "https://127.0.0.1:8400/", host: "idol.activeent.co"

Any suggestions what it can be and what to do about it?
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292750,292750#msg-292750


From nginx-forum at forum.nginx.org Wed Nov 3 19:29:47 2021
From: nginx-forum at forum.nginx.org (deeztek)
Date: Wed, 03 Nov 2021 15:29:47 -0400
Subject: Help with static content
In-Reply-To: <13c605bb32bdad04795d1649c608ed69.NginxMailingListEnglish@forum.nginx.org>
References: <6d307ca6-e429-c2ed-9f81-d5ae1fbe3b66@unix-solution.de> <13c605bb32bdad04795d1649c608ed69.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

So after some more trial and error, I was able to display static content by including the following:

location ~* \.(?:ico|css|js|gif|jpe?g|png|woff2|map)$ {
    # Some basic cache-control for static files to be sent to the browser
    expires max;
    add_header Pragma public;
    add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}

and adding a root:

root /var/www/html/;

However, this breaks the Authelia authentication server which lives on /

So, what I REALLY need to figure out is how to create a static location like above but instead of ~* have it specific for a location like /admin

How would I go about accomplishing that??

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292742,292751#msg-292751


From osa at freebsd.org.ru Wed Nov 3 20:13:14 2021
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Wed, 3 Nov 2021 23:13:14 +0300
Subject: SSL_write() failed (55: No buffer space available) while proxying upgraded connection
In-Reply-To:
References:
Message-ID:

Hi Johan,

hope you're doing well these days.

On Wed, Nov 03, 2021 at 02:59:15PM -0400, johan.belin wrote:
> I am a beginner so I am sorry for lacking info or stupid questions!
> Building a WebRTC streaming media system based on mediasoup, the server runs
> on a MacMini M1 in node, nginx port forwards to 8400. We are doing load
> tests and at 120 connected clients nginx gives the following error message:
>
> 2021/11/03 19:10:07 [crit] 282#0: *659 SSL_write() failed (55: No buffer
> space available) while proxying upgraded connection, client: 35.187.32.242,
> server: idol.activeent.co, request: "GET /idol-server/ HTTP/1.1", upstream:
> "https://127.0.0.1:8400/", host: "idol.activeent.co"

It seems like the network stack requires some tuning for such load testing.

> Then after that there is another error
> 2021/11/03 19:10:11 [alert] 282#0: *771 socket() failed (24: Too many open
> files) while connecting to upstream, client: 23.251.143.177, server:
> idol.activeent.co, request: "GET /idol-server/ HTTP/1.1", upstream:
> "https://127.0.0.1:8400/", host: "idol.activeent.co"

Same here.

> Any suggestions what it can be and what to do about it?

Some of those network settings require knowledge about the operating system and its version, network connectivity, hardware, including but not limited to memory, CPU and disk.

-- 
Sergey Osokin


From nginx-forum at forum.nginx.org Wed Nov 3 21:17:11 2021
From: nginx-forum at forum.nginx.org (johan.belin)
Date: Wed, 03 Nov 2021 17:17:11 -0400
Subject: SSL_write() failed (55: No buffer space available) while proxying upgraded connection
In-Reply-To:
References:
Message-ID: <115cd6b8d8cde01b1c3223ac2bd8d274.NginxMailingListEnglish@forum.nginx.org>

Hi Sergey,

Thanks for your reply! Unfortunately that is exactly the type of knowledge we lack! Any idea where we can find someone that can help us with that?

MacMini M1 macOS BigSur 11.6

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292750,292753#msg-292753


From hongyi.zhao at gmail.com Sat Nov 6 07:24:34 2021
From: hongyi.zhao at gmail.com (Hongyi Zhao)
Date: Sat, 6 Nov 2021 15:24:34 +0800
Subject: Port restore problem of reverse proxy after login.
Message-ID:

I've nginx installed on my Ubuntu based VPS with the domain name my.domain.xyz.
A socks5 proxy listening on port 6001 of the VPS can access the intranet website 10.8.10.220:2021.

Now, I run socat as follows on the VPS:

$ socat -v -d -d TCP4-LISTEN:2021,fork,reuseaddr socks5:127.0.0.1:10.8.10.220:2021,socks5port=6001

Then I configure a reverse nginx proxy as follows:

server {
    listen 8888;

    location / {
        proxy_pass http://localhost:2021;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

The above configuration will let me access the intranet website 10.8.10.220:2021 from outside with the following URL: http://my.domain.xyz:8888.

The intranet website 10.8.10.220:2021 needs login with a specific username and password. After I open http://my.domain.xyz:8888 and then do the login, the URL always changes to the following form:

http://my.domain.xyz:2021

This will cause subsequent operations to fail. Is there any way to continue using port 8888 to solve this problem?

Regards,
HZ


From r at roze.lv Sat Nov 6 08:14:21 2021
From: r at roze.lv (Reinis Rozitis)
Date: Sat, 6 Nov 2021 10:14:21 +0200
Subject: Port restore problem of reverse proxy after login.
In-Reply-To:
References:
Message-ID: <000901d7d2e6$4dc86a10$e9593e30$@roze.lv>

> The intranet website 10.8.10.220:2021 needs login with a specific username and password. After I open http://my.domain.xyz:8888 and then do the login, the URL always changes to the following form:
> http://my.domain.xyz:2021
>
> This will cause subsequent operations to fail. Is there any way to continue using port 8888 to solve this problem?

Depending on what the application does in the background you can try to disable the port change on redirect with

port_in_redirect off;

http://nginx.org/en/docs/http/ngx_http_core_module.html#port_in_redirect

Though if the application includes its own port (in absolute url) in code/html it might not help, and then the only way (if it is not possible to change the app itself) is to alter the content with the sub_filter module on the fly.

rr


From neha160212 at gmail.com Sat Nov 6 17:14:18 2021
From: neha160212 at gmail.com (Neha16 0212)
Date: Sun, 7 Nov 2021 00:14:18 +0700
Subject: No subject
Message-ID:

Tesa neha160212


From nginx-forum at forum.nginx.org Sun Nov 7 12:01:58 2021
From: nginx-forum at forum.nginx.org (deeztek)
Date: Sun, 07 Nov 2021 07:01:58 -0500
Subject: trouble with static content (Revised)
Message-ID: <1a23e1699c2e348b5e54beddc7f982e4.NginxMailingListEnglish@forum.nginx.org>

I posted about this issue a few days ago, however I fear that I needlessly complicated the question and some of the problems that I encountered were due to browser cache.
So, here I go again:

With the following configuration, I get static content on the /admin location but NOT the / location:

==== STARTS HERE ====

server {
    #LISTEN CONFIG
    listen 443 ssl;
    server_name host.domain.tld
    #HSTS CONFIG UNCOMMENT BELOW TO ENABLE
    add_header Strict-Transport-Security "max-age=31536000; preload";
    keepalive_timeout 70;
    #LOGS CONFIG
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log warn;
    #SSL LETS ENCRYPT CERTIFICATE CONFIG
    ssl_certificate /etc/letsencrypt/live/smtp-dev.deeztek.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/smtp-dev.deeztek.com/privkey.pem;
    # Turn on OCSP stapling as recommended at
    # https://community.letsencrypt.org/t/integration-guide/13123
    # requires nginx version >= 1.3.7
    #ssl_stapling on;
    #ssl_stapling_verify on;
    # maintain the .well-known directory alias for Lets Encrypt Certificate Renewals
    location /.well-known {
        root /var/www/html/;
    }
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    #ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    proxy_max_temp_file_size 5120m;
    client_max_body_size 5120m;
    include /etc/nginx/snippets/authelia.conf; # Authelia auth endpoint
    #root /var/www/html;
    index index.cfm;

    location / {
        set $upstream_authelia http://127.0.0.1:9091;
        proxy_pass $upstream_authelia;

        client_body_buffer_size 128k;

        #Timeout if the real server is dead
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

        # Advanced Proxy Config
        send_timeout 5m;
        proxy_read_timeout 360;
        proxy_send_timeout 360;
        proxy_connect_timeout 360;

        # Basic Proxy Config
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Uri $request_uri;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_redirect http:// $scheme://;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_cache_bypass $cookie_session;
        proxy_no_cache $cookie_session;
        proxy_buffers 64 256k;

        # If behind reverse proxy, forwards the correct IP
        set_real_ip_from 10.0.0.0/8;
        set_real_ip_from 172.0.0.0/8;
        set_real_ip_from 192.168.0.0/16;
        set_real_ip_from fc00::/7;
        real_ip_header X-Forwarded-For;
        real_ip_recursive on;
    }

    location ~* .(?:ico|css|js|gif|jpe?g|png|woff2|map)$ {
        expires max;
    }

    location /admin/ {
        proxy_pass http://localhost:8888;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        root /var/www/html/;
        include /etc/nginx/snippets/auth.conf; # Activates Authelia for specified route/location, please ensure you have setup the domain in your configuration.yml
    }
}

==== ENDS HERE ====

However, if I remove the following from the configuration above, I get static content from the / location but NOT the /admin location:

location ~* .(?:ico|css|js|gif|jpe?g|png|woff2|map)$ {
    expires max;
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292760,292760#msg-292760


From francis at daoine.org Sun Nov 7 13:23:29 2021
From: francis at daoine.org (Francis Daly)
Date: Sun, 7 Nov 2021 13:23:29 +0000
Subject: trouble with static content (Revised)
In-Reply-To: <1a23e1699c2e348b5e54beddc7f982e4.NginxMailingListEnglish@forum.nginx.org>
References: <1a23e1699c2e348b5e54beddc7f982e4.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20211107132329.GC12557@daoine.org>

On Sun, Nov 07, 2021 at 07:01:58AM -0500, deeztek wrote:

Hi there,

> With the following configuration, I get static content on the /admin
> location but NOT the / location:

Can you give some specific examples of requests that you make, responses that you get, and responses that you want to get instead?

Normally, in the context of nginx, "static content" means "requests that should be served by nginx direct from the filesystem".
It is not immediately clear to me that that is the meaning that you are using.

The "location" blocks that you have defined (apart, perhaps, from anything that was "include"d from other files) are

> location /.well-known {
> root /var/www/html/;
> }

> location / {
> set $upstream_authelia http://127.0.0.1:9091;
> proxy_pass $upstream_authelia;
> }

> location ~* .(?:ico|css|js|gif|jpe?g|png|woff2|map)$ {
> expires max;
> }

> location /admin/ {
> proxy_pass http://localhost:8888;
> }

So for each request that you make, it should be clear which one location{} is used to serve it.

Any request that matches the regex location will be served from the filesystem, using whatever the compile-time default "root" value was.

Any other request that starts with /.well-known will be served from below /var/www/html/.

Any other request that starts with /admin/ will be proxy_pass'ed to one other server.

Any other request will be proxy_pass'ed to a different other server.

So, for example, a request for /one.js will come from (something like) /usr/local/nginx/html/one.js; and a request for /admin/two.js will come from /usr/local/nginx/html/admin/two.js; or give a 404 if the file does not exist.

What response do you get from

curl -v https://your_domain/one.js

?

> However, if I remove the following from the configuration above, I get
> static content from the / location but NOT the /admin location:

In that case, the same thing applies, except now the request does not come from the filesystem. /one.js will be proxy_pass'ed to port 9091, and /admin/two.js will be proxy_pass'ed to port 8888.

When you don't get the static content -- what do you get instead?

Cheers,

	f
-- 
Francis Daly        francis at daoine.org


From nginx-forum at forum.nginx.org Sun Nov 7 13:46:17 2021
From: nginx-forum at forum.nginx.org (deeztek)
Date: Sun, 07 Nov 2021 08:46:17 -0500
Subject: trouble with static content (Revised)
In-Reply-To: <20211107132329.GC12557@daoine.org>
References: <20211107132329.GC12557@daoine.org>
Message-ID: <35d7747c71e0cc63a54e681d0cbcc2e0.NginxMailingListEnglish@forum.nginx.org>

Hi,

So when I say static content, I mean resources such as .css, .js, .png, .jpg etc.

So, with the following in place:

location ~* .(?:ico|css|js|gif|jpe?g|png|woff2|map)$ {
    expires max;
}

Requests to the / location, I get 404s:

GET https://host.domain.tld/static/js/vendor.d0bc79df.js net::ERR_ABORTED 404 (Not Found)
GET https://host.domain.tld/static/css/index.393eb37d.css net::ERR_ABORTED 404 (Not Found)

However requests to the /admin location all work.

Also I forgot to add that the following:

root /var/www/html;

must also be present in the server block before the /admin location works, which I think is odd because I have the:

root /var/www/html/;

in the /admin location.
Anyways, if I remove the following:

location ~* .(?:ico|css|js|gif|jpe?g|png|woff2|map)$ {
    expires max;
}

Requests to the /admin location, I get 404s:

GET https://192.168.10.145/admin/fusion.css net::ERR_ABORTED 404
GET https://host.domain.tld/:142
GET https://192.168.10.145/admin/style.css net::ERR_ABORTED 404
GET https://host.domain.tld//:143
GET https://192.168.10.145/admin/site.css net::ERR_ABORTED 404
GET https://host.domain.tld//:232
GET https://192.168.10.145/admin/hermes_seg_menu2.js net::ERR_ABORTED 404
GET https://host.domain.tld//:349
GET https://192.168.10.145/admin/help.png 404
GET https://host.domain.tld//:232
GET https://192.168.10.145/admin/hermes_seg_menu2.js net::ERR_ABORTED 404

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292760,292762#msg-292762

From francis at daoine.org  Sun Nov  7 15:07:38 2021
From: francis at daoine.org (Francis Daly)
Date: Sun, 7 Nov 2021 15:07:38 +0000
Subject: trouble with static content (Revised)
In-Reply-To: <35d7747c71e0cc63a54e681d0cbcc2e0.NginxMailingListEnglish@forum.nginx.org>
References: <20211107132329.GC12557@daoine.org> <35d7747c71e0cc63a54e681d0cbcc2e0.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20211107150738.GD12557@daoine.org>

On Sun, Nov 07, 2021 at 08:46:17AM -0500, deeztek wrote:

Hi there,

> So when I say static content, I mean resources such as .css, .js .png, .jpg
> etc.

Ok, so let's use one "js" request as an example here.

In nginx, one request is handled in one location. Only the config in, or inherited into, that location, matters.
The nginx error log usually has useful information; when testing things, it can be useful to set a more-than-usual logging level, as per https://nginx.org/r/error_log > so, with the following in place: > > location ~* .(?:ico|css|js|gif|jpe?g|png|woff2|map)$ { > expires max; > } > > Requests to the / location, I get 404s: > > GET https://host.domain.tld/static/js/vendor.d0bc79df.js net::ERR_ABORTED > 404 (Not Found) > GET https://host.domain.tld/static/css/index.393eb37d.css net::ERR_ABORTED > 404 (Not Found) What specific response do you want to get, to those requests? The config above says that nginx should serve something like the file /usr/local/nginx/html/static/js/vendor.d0bc79df.js in response to the first request. The actual response is a 404. Does that file exist? (The 404 response suggests that the file does not exist.) (I say "something like", because your config does not show a "root" that is in, or inherited into, the "location ~*" block that handles this request. So the effective "root" value is whatever the compile-time value was, which could be anything.) So - what file on your filesystem do you want nginx to send you, when you make the request for /static/js/vendor.d0bc79df.js? If you want nginx to serve /var/www/html/static/js/vendor.d0bc79df.js, then probably your best bet is to add "root /var/www/html;" at "server" level, outside of all "location" blocks. > However requests to the /admin location all work. Again, for clarity: can you show one specific request that you make ("/admin/one.js", for example) and the response that you get ("http 200 and the contents of the file /var/www/html/admin/one.js" or "http 404", for example). > Also I forgot to add that the following: > > root /var/www/html; > > must also be present the server block before the /admin location works, > which I think is odd because I have the: > > root /var/www/html/; > > in the /admin location. 
Your "location /admin" has "proxy_pass", which means that "root" is essentially ignored for every request that is handled in the /admin location.

If you have the "location ~*" block, then requests for "/admin/one.js" are handled in that location, not in the /admin location -- so everything in the /admin location is irrelevant for this request.

> Anyways, if I remove the following:
>
> location ~* .(?:ico|css|js|gif|jpe?g|png|woff2|map)$ {
>     expires max;
> }
>
> Requests to the /admin location, I get 404s:
>
> GET https://192.168.10.145/admin/fusion.css net::ERR_ABORTED 404

If you remove that "location ~*", then a request for "/admin/fusion.css" will be handled in your "location /admin" block, which means it will be proxy_pass'ed to the upstream service on port 8888. It will not be served by nginx from the filesystem.

The logs from your nginx server should show what response nginx got from its upstream. The logs from your port-8888 server should show why it sent that response to nginx.

So the same question exists: what do you want nginx to do when it gets the request for /admin/fusion.css?

Once you can write down what you want nginx to do with each request, then it usually becomes easier to see how to tell nginx that you want nginx to do that thing.

Good luck with it,

f
--
Francis Daly        francis at daoine.org

From nginx-forum at forum.nginx.org  Sun Nov  7 16:00:39 2021
From: nginx-forum at forum.nginx.org (deeztek)
Date: Sun, 07 Nov 2021 11:00:39 -0500
Subject: trouble with static content (Revised)
In-Reply-To: <20211107150738.GD12557@daoine.org>
References: <20211107150738.GD12557@daoine.org>
Message-ID:

> The config above says that nginx should serve something like the file
> /usr/local/nginx/html/static/js/vendor.d0bc79df.js in response to the
> first request. The actual response is a 404. Does that file exist?

The specific /static/js/vendor.d0bc79df.js file does not exist in the /usr/local/nginx/html directory.
It's served by the service http://127.0.0.1:9091 and I don't know exactly the path in that service. All I can see is the /static/js/vendor.d0bc79df.js request.

To expand further, the /static/js/vendor.d0bc79df.js works when I remove the following from the config:

location ~* .(?:ico|css|js|gif|jpe?g|png|woff2|map)$ {
    expires max;
}

To give you a bit of background. The /admin location is served by a Lucee/CFML server running on Tomcat on port 8888. Everything I read says to include the following location in order for Nginx to serve .ico, .css, .js etc. files:

location ~* .(?:ico|css|js|gif|jpe?g|png|woff2|map)$ {
    expires max;
}

Please see here: http://dnando.github.io/blog/2015/01/05/advantages-of-nginx/

So, when I include the location ~* the application that lives on port 8888 works fine, HOWEVER, the application that lives on 9091 breaks. If I remove:

location ~* .(?:ico|css|js|gif|jpe?g|png|woff2|map)$ {
    expires max;
}

Then, the application that lives on port 9091 works but the application on port 8888 breaks.

So, the way I'm figuring, I need a way to specify a /admin specific location for static files (.ico, .css, .js etc.) since they are not being served by Nginx unless I have a specific directive for those types of files for the application in the /admin location.

Hope that makes more sense.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292760,292764#msg-292764

From francis at daoine.org  Sun Nov  7 17:28:35 2021
From: francis at daoine.org (Francis Daly)
Date: Sun, 7 Nov 2021 17:28:35 +0000
Subject: trouble with static content (Revised)
In-Reply-To:
References: <20211107150738.GD12557@daoine.org>
Message-ID: <20211107172835.GE12557@daoine.org>

On Sun, Nov 07, 2021 at 11:00:39AM -0500, deeztek wrote:

Hi there,

> >The config above says that nginx should serve something like the file
> >/usr/local/nginx/html/static/js/vendor.d0bc79df.js in response to the
> >first request. The actual response is a 404. Does that file exist?
> > The specific /static/js/vendor.d0bc79df.js files does not exist in > /usr/local/nginx/html directory. It's served by the service > http://127.0.0.1:9091 and I don't know exactly the path in that service. All > I can see is the /static/js/vendor.d0bc79df.js request. Ok, that makes sense. You do not want nginx to serve this request from the filesystem; you want nginx to proxy_pass the request to port 9091. > To expand further, the /static/js/vendor.d0bc79df.js works when I remove the > following from the config: > > location ~* .(?:ico|css|js|gif|jpe?g|png|woff2|map)$ { > expires max; > } Yes, that makes sense too. Without that location{} block, the request is handled in "location /", which does the right thing. > To give you a bit of background. The /admin location is served by Lucee/CFML > server running on Tomcat on port 8888. Everything I read says to include the > following location in order for Nginx to serve .ico, .css. js etc files: Everything you read has misled you. What everything you read should have said, is something like "in order to get nginx to serve all matching requests from the filesystem, include this location". > location ~* .(?:ico|css|js|gif|jpe?g|png|woff2|map)$ { > expires max; > } Right now, I'm not sure if you want nginx to serve some matching requests from the filesystem, or no matching requests from the filesystem -- you seem to have confirmed that you do not want nginx to serve all matching requests from the filesystem. > Please see here: > http://dnando.github.io/blog/2015/01/05/advantages-of-nginx/ That seems to describe a reasonable way to have exactly one proxy_pass within a server{}, and have all "static" requests served from the filesystem. You are trying to have two proxy_pass:es within a server{}, which is not the same thing. That can still work; but you need to decide how you want nginx to handle each request, and then you need to tell nginx how you want nginx to handle each request. 
> So, when I include the location ~* the application that lives on port 8888
> works fine, HOWEVER, the application that lives on 9091 breaks. If I
> remove:
>
> location ~* .(?:ico|css|js|gif|jpe?g|png|woff2|map)$ {
>     expires max;
> }
>
> Then, the application that lives on port 9091 works but the application on
> port 8888 breaks.

Correct. With that "location ~*", you are telling nginx that every request that ends in js should be served from the filesystem. But that is not what you want nginx to do.

> So, the way I'm figuring, I need a way to specify a /admin specific location
> for static files (.ico, .css, .js etc) since they are not being served by
> Nginx unless I have a specific directive for those type of files for the
> application in the /admin location.
>
> Hope that makes more sense.

One way could be to have

location ~* ^/admin/.*(?:ico|css|js|gif|jpe?g|png|woff2|map)$ {

to regex-match all requests that start with "/admin/" and which end with things like "js" (case-insensitively).

Another way could be to move the current

location ~* .(?:ico|css|js|gif|jpe?g|png|woff2|map)$ {

to be inside the "location /admin".

(I prefer the second, because I dislike regex locations at the top level.)

See https://nginx.org/r/location, for example. You have configurations B, C, and E; but the E that you have is not the E that you want. That page mentions, but does not describe in detail, nested locations; they generally Do The Right Thing, which is probably why they are not expanded there.

Good luck with it,

f
--
Francis Daly        francis at daoine.org

From nginx-forum at forum.nginx.org  Mon Nov  8 11:56:02 2021
From: nginx-forum at forum.nginx.org (deeztek)
Date: Mon, 08 Nov 2021 06:56:02 -0500
Subject: trouble with static content (SOLVED)
In-Reply-To: <20211107172835.GE12557@daoine.org>
References: <20211107172835.GE12557@daoine.org>
Message-ID:

Hi,

Thanks a lot for the suggestions.
I ended up following your recommendation and I set the /admin location as follows, which took care of it. Now I know that you can set up a location within a location:

location /admin/ {
    index index.cfm;

    location ~* \.(?:ico|css|js|gif|jpe?g|png|woff2|map)$ {
        root /var/www/html;
        expires max;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    proxy_pass http://localhost:8888/admin/;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    include /etc/nginx/snippets/auth.conf;  # Activates Authelia for specified route/location, please ensure you have setup the domain in your configuration.yml
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292760,292767#msg-292767

From ts.stadler at gmx.de  Mon Nov  8 20:57:39 2021
From: ts.stadler at gmx.de (Tobias Stadler)
Date: Mon, 8 Nov 2021 21:57:39 +0100
Subject: http_proxy_module hooks
Message-ID: <47074837-1A2D-478A-BF6F-9C85D10D04AF@gmx.de>

Hello everyone,

Does the http_proxy (or the http_upstream) module provide any hooks (for a 3rd party plugin) to intercept/process the request to the upstream server/the response received by the upstream server?

Best regards
Tobias

From mdounin at mdounin.ru  Mon Nov  8 21:05:43 2021
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 9 Nov 2021 00:05:43 +0300
Subject: http_proxy_module hooks
In-Reply-To: <47074837-1A2D-478A-BF6F-9C85D10D04AF@gmx.de>
References: <47074837-1A2D-478A-BF6F-9C85D10D04AF@gmx.de>
Message-ID:

Hello!

On Mon, Nov 08, 2021 at 09:57:39PM +0100, Tobias Stadler wrote:

> Does the http_proxy (or the http_upstream) module provide any
> hooks (for a 3rd party plugin) to intercept/process the request
> to the upstream server/the response received by the upstream
> server?

No.
Depending on what you are trying to do, either proxy configuration (such as proxy_set_header or proxy_set_body) or generic request handlers (and/or response filters) might be appropriate.

--
Maxim Dounin
http://mdounin.ru/

From ts.stadler at gmx.de  Tue Nov  9 08:32:37 2021
From: ts.stadler at gmx.de (Tobias Stadler)
Date: Tue, 9 Nov 2021 09:32:37 +0100
Subject: http_proxy_module hooks
Message-ID:

Hi Maxim,

Thank you for the information.

Do generic request handlers/response filters work for requests to upstream servers? Do you know any documentation/example on how to implement such a handler/filter?

Regards
Tobias

> On 08.11.2021 at 22:05, Maxim Dounin wrote:
>
> Hello!
>
> On Mon, Nov 08, 2021 at 09:57:39PM +0100, Tobias Stadler wrote:
>
>> Does the http_proxy (or the http_upstream) module provide any
>> hooks (for a 3rd party plugin) to intercept/process the request
>> to the upstream server/the response received by the upstream
>> server?
>
> No. Depending on what you are trying to do, either proxy
> configuration (such as proxy_set_header or proxy_set_body) or
> generic request handlers (and/or response filters) might be
> appropriate.
>
> --
> Maxim Dounin
> http://mdounin.ru/
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From r at roze.lv  Tue Nov  9 09:44:22 2021
From: r at roze.lv (Reinis Rozitis)
Date: Tue, 9 Nov 2021 11:44:22 +0200
Subject: http_proxy_module hooks
In-Reply-To:
References:
Message-ID: <000b01d7d54e$60731880$21594980$@roze.lv>

> Do generic request handlers/response filters work for requests to upstream servers? Do you know any documentation/example on how to implement such a handler/filter?
As a variant the Sub filter module does http://nginx.org/en/docs/http/ngx_http_sub_module.html (the only requirement was that the response from the upstream shouldn't be compressed though).

But probably it would be easier to suggest something if you wrote what exactly you want to achieve, as there are also options to mangle requests using Lua etc.

rr

From ts.stadler at gmx.de  Tue Nov  9 12:20:58 2021
From: ts.stadler at gmx.de (Tobias Stadler)
Date: Tue, 9 Nov 2021 13:20:58 +0100
Subject: http_proxy_module hooks
Message-ID: <43CD2D0E-8D73-4E5D-8EA9-AEF6885820CE@gmx.de>

Actually I want to adapt the OpenTelemetry module to create a span for the upstream request.

Tobias

> On 09.11.2021 at 10:44, Reinis Rozitis wrote:
>
>> Do generic request handlers/response filters work for requests to upstream servers? Do you know any documentation/example on how to implement such a handler/filter?
>
> As a variant the Sub filter module does http://nginx.org/en/docs/http/ngx_http_sub_module.html (the only requirement was that the response from the upstream shouldn't be compressed though).
>
> But probably it would be easier to suggest something if you wrote what exactly you want to achieve, as there are also options to mangle requests using Lua etc.
>
>
> rr

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From nginx-forum at forum.nginx.org  Tue Nov  9 19:32:48 2021
From: nginx-forum at forum.nginx.org (Danran)
Date: Tue, 09 Nov 2021 14:32:48 -0500
Subject: Whitelist iPhone/office computer IP address to access wordpress login page, deny any other ip address
Message-ID:

I am running a LEMP server which is working and running WordPress quite properly.
As of now, I have my WordPress web login blacklisted for all IP addresses EXCEPT any IP on my LAN with the following directive:

server {
    # Allow local only to wp-login page
    location ~ /wp-login.php {
        allow 192.168.1.0/24;
        deny all;
        error_page 403 =444;
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;

This directive successfully blocks all internet traffic to "mywebsite.com/wp-login.php", which is the WordPress admin login page. In other words, with this directive set, I can access the WordPress login page anywhere on my internal LAN, but the directive denies any outside internet traffic from seeing the "mywebsite.com/wp-login.php" page. GREAT!

1. NOW, what I want to do is to whitelist the IP address of my phone (and my office computer at work), so that I can access the WordPress login page from my phone's IP address and/or my office computer, while still blocking any other outside internet traffic. To do so I go to www.whatsmyip.org on my phone, copy the IP address that it gives me, then modify the previous directive to look like the following:

server {
    # Allow local only to wp-login page
    location ~ /wp-login.php {
        allow my_phones_ip_address_as_shown_on_whatsmyip.org;
        allow 192.168.1.0/24;
        deny all;
        error_page 403 =444;
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;

HOWEVER, after reloading nginx, I still cannot access the wp-login (WordPress login) page from my phone.

2. What I also want to do is for nginx to completely drop any connection that tries to access my wp-login page, instead of giving multiple redirects with "error_page 403 =444". I could not find any other way for nginx to completely drop the connection to the page if accessed from an outside source, and using the "error_page 403 =444" stanza was the closest workaround that I could find on the internet.
Could someone please advise me on how to force nginx to completely drop any connection so it looks like the page doesn't exist when accessing it, instead of giving an error message? In other words, is there something I can use to replace "error_page 403 =444" with a directive that will make the page the user is trying to access non-existent?

FOR REFERENCE #1, my nginx.conf has been copied and pasted on pastebin at the following link:
https://pastebin.com/0bUgW0QM

FOR REFERENCE #2, my virtual host configuration has been copied and pasted on pastebin at the following link:
https://pastebin.com/jRC4nNi7

My question is:
1) How can I properly whitelist my phone's IP address, while blacklisting everything else, and..
2) How can I force nginx to initiate a dropped connection for blacklisted IP addresses, instead of my current "redirection" workaround?

Dan Ran
dan at nerd-tech.net
dan at danran.rocks
https://nerd-tech.net
https://danran.rocks

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292784,292784#msg-292784

From nginx-forum at forum.nginx.org  Tue Nov  9 23:40:01 2021
From: nginx-forum at forum.nginx.org (frdcybermatrix)
Date: Tue, 09 Nov 2021 18:40:01 -0500
Subject: Got "http reading blocked" on second request with same connection
Message-ID: <21a27e5d22bc69d5bf10d09f36213cbc.NginxMailingListEnglish@forum.nginx.org>

Hi

I'm having a problem with my custom nginx module. I created an nginx module to detect whether the request is authorized or not, and I need to check the request body. So I use ngx_http_read_client_request_body in NGX_HTTP_ACCESS_PHASE.

The module works perfectly on one request at a time. For example: 'curl -v localhost'

But the problem happens when a second request happens using the same connection. For example: 'curl -v localhost localhost'. When I try to debug I get "http reading blocked".
But when I remove ngx_http_read_client_request_body, and leave the body empty, it works.

static ngx_int_t
ngx_http_ai_inspect_handler(ngx_http_request_t *r)
{
    ngx_chain_t *in;

    ngx_http_read_client_request_body(r, ngx_http_ai_inspect_post_handler);

    off_t len = 0;

    if (r->request_body != NULL) {
        for (in = r->request_body->bufs; in; in = in->next) {
            len += ngx_buf_size(in->buf);
        }
    }
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292785,292785#msg-292785

From community at thoughtmaybe.com  Wed Nov 10 02:57:00 2021
From: community at thoughtmaybe.com (Jore)
Date: Wed, 10 Nov 2021 13:57:00 +1100
Subject: Whitelist iPhone/office computer IP address to access wordpress login page, deny any other ip address
In-Reply-To:
References:
Message-ID:

Just a quick reply cos I'm on the run, but this might help for #2

location / {
    # drop the connection/blackhole for this block
    return 444;
}

On 10/11/21 6:32 am, Danran wrote:
> I am running a lemp server which is working and running wordpress quite
> properly. As of now, I have my wordpress web login blacklisted by all IP
> addresses EXCEPT any IP on my lan with the following directive:
>
> server {
>     # Allow local only to wp-login page
>     location ~ /wp-login.php {
>         allow 192.168.1.0/24;
>         deny all;
>         error_page 403 =444;
>         include snippets/fastcgi-php.conf;
>         fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
>         fastcgi_split_path_info ^(.+\.php)(/.+)$;
>
> This directive successfully blocks all internet traffic to
> "mywebsite.com/wp-login.php", which is the wordpress admin login page.
> In other words, with this directive set, I can access the wordpress login
> page anywhere on my internal LAN, but the directive denies any outside
> internet traffic from seeing the "mywebsite.com/wp-login.php" page. GREAT!
>
> 1.
> NOW, What I want to do, is to whitelist the ip address of my phone (and
> my office computer at work), so that I can access the wordpress login page
> from my phone's IP address and/or my office computer, while still blocking
> any other outside internet traffic. To do so I go to www.whatsmyip.org on my
> phone, copy the ip address that it gives me, then modify the previous
> directive to look like the following:
>
> server {
>     # Allow local only to wp-login page
>     location ~ /wp-login.php {
>         allow my_phones_ip_address_as_shown_on_whatsmyip.org;
>         allow 192.168.1.0/24;
>         deny all;
>         error_page 403 =444;
>         include snippets/fastcgi-php.conf;
>         fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
>         fastcgi_split_path_info ^(.+\.php)(/.+)$;
>
> HOWEVER, after reloading nginx, I still cannot access the wp-login
> (wordpress login) page from my phone.
>
> 2. What I also want to do, is for nginx to completely drop any connection
> that tries to access my wp-login page, instead of giving multiple redirects
> with "error_page 403 =444". I could not find any other way for nginx to
> completely drop the connection to the page if accessed from an outside
> source, and using the "error_page 403 =444" stanza was the closest workaround
> that I could find on the internet. Could someone please advise me on how to
> force nginx to completely drop any connection so it looks like the page
> doesn't exist when accessing it, instead of giving an error message? In
> other words, is there something I can use to replace "error_page 403 =444"
> with a directive that will make the page the user is trying to access
> non-existent?
>
> FOR REFERENCE #1 my nginx.conf has been copied and pasted on pastebin at the
> following link:
> https://pastebin.com/0bUgW0QM
>
> FOR REFERENCE #2 my virtual host configuration has been copied and pasted on
> pastebin at the following link:
> https://pastebin.com/jRC4nNi7
>
> My question is:
> 1) How can I properly whitelist my phone's IP address, while blacklisting
> everything else and..
> 2) How can I force nginx to initiate a dropped connection for blacklisted IP
> addresses, instead of my current "redirection" workaround?
>
> Dan Ran
> dan at nerd-tech.net
> dan at danran.rocks
> https://nerd-tech.net
> https://danran.rocks
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292784,292784#msg-292784

From community at thoughtmaybe.com  Wed Nov 10 02:57:43 2021
From: community at thoughtmaybe.com (Jore)
Date: Wed, 10 Nov 2021 13:57:43 +1100
Subject: Whitelist iPhone/office computer IP address to access wordpress login page, deny any other ip address
In-Reply-To:
References:
Message-ID:

Just a quick reply cos I'm on the run, but this might help for #2

location /yourpath/file/whatever {
    # drop the connection/blackhole for this block
    return 444;
}

On 10/11/21 6:32 am, Danran wrote:
> I am running a lemp server which is working and running wordpress quite
> properly.
> As of now, I have my wordpress web login blacklisted by all IP
> addresses EXCEPT any IP on my lan with the following directive:
>
> server {
>     # Allow local only to wp-login page
>     location ~ /wp-login.php {
>         allow 192.168.1.0/24;
>         deny all;
>         error_page 403 =444;
>         include snippets/fastcgi-php.conf;
>         fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
>         fastcgi_split_path_info ^(.+\.php)(/.+)$;
>
> This directive successfully blocks all internet traffic to
> "mywebsite.com/wp-login.php", which is the wordpress admin login page.
> In other words, with this directive set, I can access the wordpress login
> page anywhere on my internal LAN, but the directive denies any outside
> internet traffic from seeing the "mywebsite.com/wp-login.php" page. GREAT!
>
> 1. NOW, What I want to do, is to whitelist the ip address of my phone (and
> my office computer at work), so that I can access the wordpress login page
> from my phone's IP address and/or my office computer, while still blocking
> any other outside internet traffic. To do so I go to www.whatsmyip.org on my
> phone, copy the ip address that it gives me, then modify the previous
> directive to look like the following:
>
> server {
>     # Allow local only to wp-login page
>     location ~ /wp-login.php {
>         allow my_phones_ip_address_as_shown_on_whatsmyip.org;
>         allow 192.168.1.0/24;
>         deny all;
>         error_page 403 =444;
>         include snippets/fastcgi-php.conf;
>         fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
>         fastcgi_split_path_info ^(.+\.php)(/.+)$;
>
> HOWEVER, after reloading nginx, I still cannot access the wp-login
> (wordpress login) page from my phone.
>
> 2. What I also want to do, is for nginx to completely drop any connection
> that tries to access my wp-login page, instead of giving multiple redirects
> with "error_page 403 =444".
> I could not find any other way for nginx to
> completely drop the connection to the page if accessed from an outside
> source, and using the "error_page 403 =444" stanza was the closest workaround
> that I could find on the internet. Could someone please advise me on how to
> force nginx to completely drop any connection so it looks like the page
> doesn't exist when accessing it, instead of giving an error message? In
> other words, is there something I can use to replace "error_page 403 =444"
> with a directive that will make the page the user is trying to access
> non-existent?
>
> FOR REFERENCE #1 my nginx.conf has been copied and pasted on pastebin at the
> following link:
> https://pastebin.com/0bUgW0QM
>
> FOR REFERENCE #2 my virtual host configuration has been copied and pasted on
> pastebin at the following link:
> https://pastebin.com/jRC4nNi7
>
> My question is:
> 1) How can I properly whitelist my phone's IP address, while blacklisting
> everything else and..
> 2) How can I force nginx to initiate a dropped connection for blacklisted IP
> addresses, instead of my current "redirection" workaround?
>
> Dan Ran
> dan at nerd-tech.net
> dan at danran.rocks
> https://nerd-tech.net
> https://danran.rocks
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292784,292784#msg-292784

From francis at daoine.org  Wed Nov 10 08:33:41 2021
From: francis at daoine.org (Francis Daly)
Date: Wed, 10 Nov 2021 08:33:41 +0000
Subject: Whitelist iPhone/office computer IP address to access wordpress login page, deny any other ip address
In-Reply-To:
References:
Message-ID: <20211110083341.GF12557@daoine.org>

On Tue, Nov 09, 2021 at 02:32:48PM -0500, Danran wrote:

Hi there,

> 1.
> NOW, What I want to do, is to whitelist the ip address of my phone (and
> my office computer at work), so that I can access the wordpress login page
> from my phone's IP address and/or my office computer, while still blocking
> any other outside internet traffic. To do so I go to www.whatsmyip.org on my
> phone, copy the ip address that it gives me, then modify the previous
> directive to look like the following:
>
> server {
>     # Allow local only to wp-login page
>     location ~ /wp-login.php {
>         allow my_phones_ip_address_as_shown_on_whatsmyip.org;
>         allow 192.168.1.0/24;
>         deny all;
>         error_page 403 =444;
>         include snippets/fastcgi-php.conf;
>         fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
>         fastcgi_split_path_info ^(.+\.php)(/.+)$;
>
> HOWEVER, after reloading nginx, I still cannot access the wp-login
> (wordpress login) page from my phone.

The above config looks like it should work to allow the request.

What does your nginx log say? What IP address was rejected by nginx, when your phone made the request to it?

(And if there are too many requests around the same time so that you can't easily identify the one from your phone, perhaps add something unique like ?testing=123 so you can find that in the logs.)

My guess is that your phone is either caching things so that the request does not get to nginx at all; or that your phone's effective IP address is changing between requests, so that you might want to allow a range of addresses in that will include the next one your phone is likely to have.

But by looking at the logs, you don't need to guess.

> 2. What I also want to do, is for nginx to completely drop any connection
> that tries to access my wp-login page, instead of giving multiple redirects
> with "error_page 403 =444". I could not find any other way for nginx to
> completely drop the connection to the page if accessed from an outside
> source, and using the "error_page 403 =444" stanza was the closest workaround
> that I could find on the internet.
> Could someone please advise me on how to
> force nginx to completely drop any connection so it looks like the page
> doesn't exist when accessing it, instead of giving an error message? In
> other words, is there something I can use to replace "error_page 403 =444"
> with a directive that will make the page the user is trying to access
> non-existent?

If the user tried to access a non-existent page, they would probably get a 404 response, not a closed connection, no?

At this point in the request, the user has already successfully negotiated an SSL session; so they have a tcp connection and they have your server's certificate -- they know the server is there. You sending them a different response for /admin/wp-login.php compared with /admin/random-string is going to show them that /admin/wp-login.php *is* special, if they can just find the way in.

(Note - it is sensible to not want to expend any more resources on them, so just closing the connection instead of giving them a useful http response is not unreasonable. Just so long as you know why you are doing it.)

That said -- http://nginx.org/r/error_page says that the last argument it takes is the uri, so your configuration will end up sending a http 302 with a Location: of =444, which is likely to confuse any client.

(And, I guess there is no reason why the client would not cache *that* response. So back to question #1 -- if your phone tried to access the login page in the past and got this redirect; and then you reconfigured the allow list and reloaded the config; and then you asked your phone to access the login page again, your phone might use the cached response without talking to nginx at all.)
So -- untested by me -- perhaps test something like

    error_page 403 =444 /;

in this location, or

    error_page 403 = /no;

in this location along with

    location = /no { return 444; }

nearby; or use "geo" (http://nginx.org/r/geo) at http level to set a
good/bad variable based on the connecting IP, and use

    if ($bad) { return 444; }

in this location.

I think that the latter two should work; the first one I'm not sure
about.

Good luck with it,

f
--
Francis Daly        francis at daoine.org

From michiel.beijen at gmail.com Wed Nov 10 15:29:21 2021
From: michiel.beijen at gmail.com (Michiel Beijen)
Date: Wed, 10 Nov 2021 16:29:21 +0100
Subject: nginx proxy_pass and proxy_cache
Message-ID:

Hi there,

I use nginx as caching reverse proxy.

I have requests coming in as /something/data1/request123.xml
I have other requests coming in as /something/data1/bigfile424.bin

I want to forward all requests to an origin on /data1/

Currently I use a location block:

    location /something/ {
        proxy_cache disk_cache;
        proxy_pass http://origin/data1/;
    }

This works great! Except the disk is rather slow and while the bin files
are mostly static and can be cached pretty well, the xml files, which
receive an awful lot of requests, update rather quickly. I prefer to
cache them on a FAST disk cache (or rather on a tmpfs partition).

So now I would try:

    location /something/ {
        proxy_cache disk_cache;
        proxy_pass http://origin/data1/;

        location ~* \.xml$ {
            proxy_cache fast_disk_cache;
            proxy_pass http://origin/data1;
        }
    }

As we know, proxy_pass does not inherit so I have to specify it also in
the nested location. But I can't use proxy_pass like this with a URI in
a location block containing a regex. And I can't make a location block
for a mimetype, or use another specifier than regexes to filter out
requests to certain 'file types'.

Is there any other 'good' solution except for, on my origin, adding
rewrites from /something/data1/ to /data1/?
--
Michiel

From nginx-forum at forum.nginx.org Wed Nov 10 18:12:22 2021
From: nginx-forum at forum.nginx.org (malzad)
Date: Wed, 10 Nov 2021 13:12:22 -0500
Subject: Variable value is resetting
Message-ID:

Hi,

I have a static int variable in a load balancing module and initially
set it to 0. I want to update this variable when there will be any HTTP
requests with certain criteria. It gets updated but whenever the module
receives a new HTTP request (or after receiving a few HTTP requests),
that int variable again resets to 0. How can I prevent it from resetting
the value?

Thanks in advance.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292794,292794#msg-292794

From r at roze.lv Wed Nov 10 18:58:54 2021
From: r at roze.lv (Reinis Rozitis)
Date: Wed, 10 Nov 2021 20:58:54 +0200
Subject: nginx proxy_pass and proxy_cache
In-Reply-To:
References:
Message-ID: <005201d7d665$023333f0$06999bd0$@roze.lv>

> And I can't make a location block for a mimetype, or use another
> specifier than regexes to filter out requests to certain 'file types'.
> Is there any other 'good' solution except for, on my origin, adding
> rewrites from /something/data1/ to /data1/?

Why not just separate the locations rather than nesting them?
Something like:

    location /something/ {
        proxy_cache disk_cache;
        proxy_pass http://origin/data1/;
    }

    location ~* ^/something/.*\.xml$ {
        proxy_cache fast_disk_cache;
        proxy_pass http://origin/data1/;
    }

If you don't want to multiply the whole location { proxy_pass }
configuration you can use the map directive
(http://nginx.org/en/docs/http/ngx_http_map_module.html) and just change
the proxy_cache on the fly (you can easily add multiple cache locations
this way):

    map $request_uri $cache {
        ~*^/something/.*\.xml   fast_disk_cache;
        default                 disk_cache;
    }

    server {
        location /something/ {
            proxy_cache $cache;
            proxy_pass http://origin/data1/;
        }
    }

rr

From mdounin at mdounin.ru Wed Nov 10 19:27:53 2021
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 10 Nov 2021 22:27:53 +0300
Subject: Got "http reading blocked" on second request with same connection
In-Reply-To: <21a27e5d22bc69d5bf10d09f36213cbc.NginxMailingListEnglish@forum.nginx.org>
References: <21a27e5d22bc69d5bf10d09f36213cbc.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

Hello!

On Tue, Nov 09, 2021 at 06:40:01PM -0500, frdcybermatrix wrote:

> Hi, I'm having a problem with my custom nginx module.
> I created an nginx module to detect whether the request is authorized or not,
> and I need to check the request body. So I use ngx_http_read_client_request_body
> in NGX_HTTP_ACCESS_PHASE.
> The module works perfectly on one request at a time. For example: 'curl -v
> localhost'
> But the problem happens when a second request happens using the same
> connection. For example: 'curl -v localhost localhost'.
>
> When I try to debug I got "http reading blocked".
> But when I remove
> ngx_http_read_client_request_body, and leave the body empty, it works
>
> static ngx_int_t
> ngx_http_ai_inspect_handler(ngx_http_request_t *r)
> {
>     ngx_chain_t *in;
>     ngx_http_read_client_request_body(r, ngx_http_ai_inspect_post_handler);
>     off_t len = 0;
>     if (r->request_body != NULL) {
>         for (in = r->request_body->bufs; in; in = in->next) {
>             len += ngx_buf_size(in->buf);
>         }
>     }
>
> }

First of all, it is not correct to use the request body after the
ngx_http_read_client_request_body() call: the request body might not be
available yet at this point. Instead, you should wait till the post
handler is called, and only use the body after it's called. See the
development guide for details:

http://nginx.org/en/docs/dev/development_guide.html#http_request_body

Second, when you are reading the request body from phase handlers, there
are additional things to consider. In particular:

- Things to do after the ngx_http_read_client_request_body() might
  differ from what one normally does in a content handler, notably
  you'll have to call ngx_http_finalize_request(NGX_DONE) yourself;

- It is important to restore phase processing after the request body is
  read and you've done with it, so you'll have to set
  r->write_event_handler back to ngx_http_core_run_phases in the post
  handler and run ngx_http_core_run_phases() when you're done.

Refer to src/http/modules/ngx_http_mirror_module.c for an example.

--
Maxim Dounin
http://mdounin.ru/

From mdounin at mdounin.ru Wed Nov 10 20:00:06 2021
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 10 Nov 2021 23:00:06 +0300
Subject: Variable value is resetting
In-Reply-To:
References:
Message-ID:

Hello!

On Wed, Nov 10, 2021 at 01:12:22PM -0500, malzad wrote:

> I have a static int variable in a load balancing module and initially set it
> to 0. I want to update this variable when there will be any HTTP requests
> with certain criteria.
> It gets updated but whenever the module receives a
> new HTTP request (or after receiving a few HTTP requests), that int
> variable again resets to 0. How can I prevent it from resetting the value?

Static variables in C are initialized to 0 on process creation, and
that's all; there is nothing that can reset the variable to 0 except
your own code.

Note though that there can be multiple worker processes in nginx, and
if you see the variable being 0 after you've updated it in a previous
request, likely this means that you are looking at the variable in
different worker processes.

To fix this, you have to re-think your code with multiple worker
processes in mind. Depending on what you are trying to do, using shared
memory or writing logs might be the way to go.

--
Maxim Dounin
http://mdounin.ru/

From nginx-forum at forum.nginx.org Thu Nov 11 01:02:06 2021
From: nginx-forum at forum.nginx.org (malzad)
Date: Wed, 10 Nov 2021 20:02:06 -0500
Subject: Variable value is resetting
In-Reply-To:
References:
Message-ID:

Hi Maxim,

Thanks a lot for the response. I think I get why I was having this
problem.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292794,292799#msg-292799

From francis at daoine.org Thu Nov 11 08:54:21 2021
From: francis at daoine.org (Francis Daly)
Date: Thu, 11 Nov 2021 08:54:21 +0000
Subject: nginx proxy_pass and proxy_cache
In-Reply-To: <005201d7d665$023333f0$06999bd0$@roze.lv>
References: <005201d7d665$023333f0$06999bd0$@roze.lv>
Message-ID: <20211111085421.GG12557@daoine.org>

On Wed, Nov 10, 2021 at 08:58:54PM +0200, Reinis Rozitis wrote:

Hi there,

> > And I can't make a location block for a mimetype, or use another
> > specifier than regexes to filter out requests to certain 'file types'.
> > Is there any other 'good' solution except for, on my origin, adding
> > rewrites from /something/data1/ to /data1/?

Assuming that other proxy criteria are the same, I think that the "map"
suggestion with a variable for proxy_cache will be the simplest.
But if you have reasons to want more explicit config:

> Why not just separate the locations rather than nesting them?
>
> Something like:
>
> location /something/ {
>     proxy_cache disk_cache;
>     proxy_pass http://origin/data1/;
> }
>
> location ~* ^/something/.*\.xml$ {
>     proxy_cache fast_disk_cache;
>     proxy_pass http://origin/data1/;
> }

I think that that one would fail for the same reason as the initial
attempt: proxy_pass-with-URI and regex location do not go well together.

http://nginx.org/r/proxy_pass :

"""
In some cases, the part of a request URI to be replaced cannot be
determined:
"""

lists three cases, and this is case#1.

As it happens, you *can* do it if you take advantage of case#3.

    location ~* ^/something/(.*\.xml)$ {
        proxy_cache fast_disk_cache;
        proxy_pass http://origin/data1/$1;
    }

(although you probably want to capture to a named variable, instead of
hoping that $1 has not changed by the time proxy_pass uses it -- see
http://nginx.org/en/docs/http/server_names.html#regex_names and choose
the syntax that your version uses. Probably (?<this_bit>.*\.xml), and
then use $this_bit.)

You could possibly also take advantage of case#2, and do

    rewrite /something/(.*\.xml)$ /$1 break;

but that feels a bit too subtle to me.

Note that the regex-matching attempts may not do what you want if you
have %-encodings in the incoming requests -- test your use cases to see
that things work for you.

Or just use the map.

Good luck with it,

f
--
Francis Daly        francis at daoine.org

From francis at daoine.org Thu Nov 11 09:02:12 2021
From: francis at daoine.org (Francis Daly)
Date: Thu, 11 Nov 2021 09:02:12 +0000
Subject: nginx proxy_pass and proxy_cache
In-Reply-To: <20211111085421.GG12557@daoine.org>
References: <005201d7d665$023333f0$06999bd0$@roze.lv> <20211111085421.GG12557@daoine.org>
Message-ID: <20211111090212.GH12557@daoine.org>

On Thu, Nov 11, 2021 at 08:54:21AM +0000, Francis Daly wrote:
> On Wed, Nov 10, 2021 at 08:58:54PM +0200, Reinis Rozitis wrote:

Typo/thinko-fixes...
> You could possibly also take advantage of case#2, and do
>
>     rewrite /something/(.*\.xml)$ /$1 break;

    rewrite /something/(.*\.xml)$ /data1/$1 break;

Along with "proxy_pass http://origin;".

> but that feels a bit too subtle to me.

That remains true.

> Note that the regex-matching attempts may not do what you want if you
> have %-encodings in the incoming requests -- test your use cases to see
> that things work for you.

That is: the case#3 regex-location does that in my testing; the case#2
rewrite does not. Initial request of /something/file%20name.xml.

> Or just use the map.

That also remains true ;-)

Cheers,

f
--
Francis Daly        francis at daoine.org

From zlmitche at syr.edu Thu Nov 11 17:04:43 2021
From: zlmitche at syr.edu (Zach Mitchell)
Date: Thu, 11 Nov 2021 17:04:43 +0000
Subject: PCRE repo has been removed. Build with PCRE2?
Message-ID:

Hey all,

Just stumbled upon that https://www.pcre.org/ no longer allows the
download of PCRE-8.45 via their FTP so I'm at a loss on how to build
nginx from source. Their site describes that they now have PCRE2 but
every search I have done on it says that NGINX requires PCRE version
8.X.

Has someone figured out how to build with PCRE2?

Is there a better secure mirror for PCRE?

Thanks,
Zach Mitchell

From maxim at nginx.com Fri Nov 12 09:02:33 2021
From: maxim at nginx.com (Maxim Konovalov)
Date: Fri, 12 Nov 2021 12:02:33 +0300
Subject: nginx kTLS support blog post
Message-ID:

Hello,

As some of you probably know we added kTLS support in nginx-1.21.4.
We also published a blog post that provides more information about how
it works and how to enable it in nginx:

https://www.nginx.com/blog/improving-nginx-performance-with-kernel-tls/

Additional reading:

Drew Gallatin's (Netflix) talks:

kTLS and hardware TLS offload
https://people.freebsd.org/~gallatin/talks/euro2019-ktls.pdf

Serving Netflix Video at 400Gb/s on FreeBSD
https://people.freebsd.org/~gallatin/talks/euro2021.pdf

John Baldwin's "TLS offload in the kernel"
https://freebsdfoundation.org/wp-content/uploads/2020/07/TLS-Offload-in-the-Kernel.pdf

Hope you will enjoy it.

--
Maxim Konovalov

From nginx-forum at forum.nginx.org Fri Nov 12 14:21:58 2021
From: nginx-forum at forum.nginx.org (YvorL)
Date: Fri, 12 Nov 2021 09:21:58 -0500
Subject: Handling cities with the same name using the GeoIP module
Message-ID: <482c7f620491dcf07386b19b80ae68f9.NginxMailingListEnglish@forum.nginx.org>

I was setting up GeoIP rules
(https://nginx.org/en/docs/http/ngx_http_geoip_module.html) and looked
into the MaxMind database when I realized there are multiple cities that
have the same name. This means I can't simply match $geoip_city in a
rule. The only data that's unique and is available for all cities in the
world is the "geoname ID" (https://www.geonames.org/). However, it seems
I can't use that field even if it's available in the database file.
Also, I don't want to complicate the code with different approaches for
different countries (e.g., metro code/DMA region code is only available
in the US).

Is there any way I can use that unique ID to identify a specific city in
the Nginx configuration?

If there isn't, what would be the best implementation to avoid multiple
conditionals? Using the module already eats up memory and I'd like to
provide the best experience for the websites.

Examples:
Clinton - 28 cities in the US (naturally all in different states)
Aalst - 2 cities in Belgium (in two different provinces)
Acailandia - 2 cities in Brazil (in two different "subdivision")
...
version: nginx/1.21.3

Thank you,
YvorL

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292821,292821#msg-292821

From mdounin at mdounin.ru Fri Nov 12 14:55:55 2021
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Fri, 12 Nov 2021 17:55:55 +0300
Subject: Handling cities with the same name using the GeoIP module
In-Reply-To: <482c7f620491dcf07386b19b80ae68f9.NginxMailingListEnglish@forum.nginx.org>
References: <482c7f620491dcf07386b19b80ae68f9.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

Hello!

On Fri, Nov 12, 2021 at 09:21:58AM -0500, YvorL wrote:

> I was setting up GeoIP rules
> (https://nginx.org/en/docs/http/ngx_http_geoip_module.html) and looked into
> the MaxMind database when I realized there are multiple cities that have the
> same name. This means I can't simply match $geoip_city in a rule. The only
> data that's unique and is available for all cities in the world is the
> "geoname ID" (https://www.geonames.org/). However, it seems I can't use that
> field even if it's available in the database file. Also, I don't want to
> complicate the code with different approaches for different countries (e.g.,
> metro code/DMA region code is only available in the US).
> Is there any way I can use that unique ID to identify a specific city in the
> Nginx configuration?
> If there isn't, what would be the best implementation to avoid multiple
> conditionals? Using the module already eats up memory and I'd like to
> provide the best experience for the websites.
>
> Examples:
> Clinton - 28 cities in the US (naturally all in different states)
> Aalst - 2 cities in Belgium (in two different provinces)
> Acailandia - 2 cities in Brazil (in two different "subdivision")
> ...
> version: nginx/1.21.3

The MaxMind database also contains "region code", available in nginx as
$geoip_region, which identifies the appropriate region within a country.
As far as I understand, to uniquely identify a city you have to use
$geoip_country + $geoip_region + $geoip_city.
See docs and the MaxMind database description for more details.

--
Maxim Dounin
http://mdounin.ru/

From luca.manganelli at comune.trento.it Sun Nov 14 16:02:07 2021
From: luca.manganelli at comune.trento.it (Luca Manganelli)
Date: Sun, 14 Nov 2021 17:02:07 +0100
Subject: auth_request and apache 2 with kerberos
Message-ID:

Hello,

I have this configuration:

- a docker with nginx
- an apache2 server with kerberos authentication configured.

nginx is the main http server (everyone on the internet navigates into
it). When the user clicks on "LOGIN" from the website, nginx should use
the apache2 for authentication since it connects to our Active Directory
for kerberos.

I have tried to use the auth_request directive, but the problem is that
when it goes to apache2, the dialog box requesting user/password never
pops up and so it returns to nginx with a 403 not authorized error.
(If I go directly to the apache2 server, it pops up the dialog box and I
can succeed with the authentication).

Nginx configuration is as follows:

    location /login2/ {
        auth_request /auth;
    }

    location = /auth {
        internal;
        proxy_pass http://apache2server/;
        proxy_pass_request_body off;
    }

What am I missing?

--
Comune di Trento
via Belenzani, 19 - 38122 Trento | C.F e P. IVA: 00355870221
tel. +39 0461.884111 | www.comune.trento.it

From nginx-forum at forum.nginx.org Sun Nov 14 17:54:47 2021
From: nginx-forum at forum.nginx.org (YvorL)
Date: Sun, 14 Nov 2021 12:54:47 -0500
Subject: Handling cities with the same name using the GeoIP module
In-Reply-To:
References:
Message-ID:

Thank you for your response!

I see. It's weird that I can't use a column that's right there in the
database and would uniquely identify any entry.

When I checked the Nginx documentation, I saw this:

"$geoip_region
two-symbol country region code (region, territory, state, province,
federal land and the like), for example, "48", "DC"."
That should be the "subdivision_1_iso_code" in the database.

Meanwhile, when I logged my activity, I saw the name of the region
(subdivision_1_name) in the logs and when I changed to
"$geoip_region_name" nothing was logged.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292821,292824#msg-292824

From mdounin at mdounin.ru Sun Nov 14 21:23:43 2021
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Mon, 15 Nov 2021 00:23:43 +0300
Subject: Handling cities with the same name using the GeoIP module
In-Reply-To:
References:
Message-ID:

Hello!

On Sun, Nov 14, 2021 at 12:54:47PM -0500, YvorL wrote:

> I see. It's weird that I can't use a column that's right there in the
> database and would uniquely identify any entry.

That's because there is no such column in the database nginx uses. Note
that the GeoIP module uses GeoIP databases, not GeoIP2.

> When I checked the Nginx documentation, I saw this:
> "$geoip_region
> two-symbol country region code (region, territory, state, province, federal
> land and the like), for example, "48", "DC"."
> That should be the "subdivision_1_iso_code" in the database.

That's, literally, "region code" in the database:

https://dev.maxmind.com/geoip/legacy/databases?lang=en#geoip-legacy-city-csv-database-fields

> Meanwhile, when I logged my activity, I saw the name of the region
> (subdivision_1_name) in the logs and when I changed to "$geoip_region_name"
> nothing was logged.

This probably means that the GeoIP library provides no meaningful name
for the region.
Region names are hardcoded in the library, so you can check if it's
present here:

https://github.com/maxmind/geoip-api-c/blob/1a88de37a1e9001a7207ed2961477634b9efba97/libGeoIP/regionName.c

--
Maxim Dounin
http://mdounin.ru/

From nginx-forum at forum.nginx.org Mon Nov 15 13:46:29 2021
From: nginx-forum at forum.nginx.org (YvorL)
Date: Mon, 15 Nov 2021 08:46:29 -0500
Subject: Handling cities with the same name using the GeoIP module
In-Reply-To:
References:
Message-ID:

Hi Maxim,

I really appreciate your response!

I just realized that in the background I'm converting the current GeoIP2
database to legacy format (https://github.com/sherpya/geolite2legacy).

As I mentioned before, when I logged $geoip_region, I got a full string
instead of 2 symbols as it's defined in the official documentation. Is
this because I'm not using the legacy database?

One last question :) Sometimes I got "00" instead of the region, I
reckon that means that the IP address (e.g., 107.178.232.174 - Google
app IP) isn't in the database file I'm using, right?

Thank you!
YvorL

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292821,292828#msg-292828

From mdounin at mdounin.ru Mon Nov 15 15:11:56 2021
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Mon, 15 Nov 2021 18:11:56 +0300
Subject: Handling cities with the same name using the GeoIP module
In-Reply-To:
References:
Message-ID:

Hello!

On Mon, Nov 15, 2021 at 08:46:29AM -0500, YvorL wrote:

> Hi Maxim,
>
> I really appreciate your response!
> I just realized that in the background I'm converting the current GeoIP2
> database to legacy format (https://github.com/sherpya/geolite2legacy).
>
> As I mentioned before, when I logged $geoip_region, I got a full string
> instead of 2 symbols as it's defined in the official documentation. Is this
> because I'm not using the legacy database?

Most likely.
> One last question :) Sometimes I got "00" instead of the region, I reckon
> that means that the IP address (e.g., 107.178.232.174 - Google app IP) isn't
> in the database file I'm using, right?

The "00" seems to be the default used by the converter:

https://github.com/sherpya/geolite2legacy/blob/master/geolite2legacy.py#L262

--
Maxim Dounin
http://mdounin.ru/

From nginx-forum at forum.nginx.org Mon Nov 15 15:26:05 2021
From: nginx-forum at forum.nginx.org (YvorL)
Date: Mon, 15 Nov 2021 10:26:05 -0500
Subject: Handling cities with the same name using the GeoIP module
In-Reply-To:
References:
Message-ID: <9fff0316533a698ecb86857411bf8bdf.NginxMailingListEnglish@forum.nginx.org>

Thank you for providing guidance on this topic, I really appreciate it!

Have a great day!

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292821,292830#msg-292830

From mdounin at mdounin.ru Tue Nov 16 14:58:34 2021
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 16 Nov 2021 17:58:34 +0300
Subject: nginx-1.20.2
Message-ID:

Changes with nginx 1.20.2                                        16 Nov 2021

    *) Feature: OpenSSL 3.0 compatibility.

    *) Bugfix: SSL variables might be empty when used in logs; the bug had
       appeared in 1.19.5.

    *) Bugfix: keepalive connections with gRPC backends might not be closed
       after receiving a GOAWAY frame.

    *) Bugfix: backend SSL connections in the stream module might hang after
       an SSL handshake.

    *) Bugfix: SSL connections with gRPC backends might hang if select, poll,
       or /dev/poll methods were used.

    *) Bugfix: in the $content_length variable when using chunked transfer
       encoding.

    *) Bugfix: requests might hang when using HTTP/2 and the "aio_write"
       directive.

--
Maxim Dounin
http://nginx.org/

From r at roze.lv Tue Nov 16 17:15:16 2021
From: r at roze.lv (Reinis Rozitis)
Date: Tue, 16 Nov 2021 19:15:16 +0200
Subject: nginx kTLS support blog post
In-Reply-To:
References:
Message-ID: <000301d7db0d$867e2230$937a6690$@roze.lv>

> As some of you probably know we added kTLS support in nginx-1.21.4.
Before testing myself I wanted to quickly clarify - does this work in
combination with older cipher suites (as in fallback from kTLS to
standard non-kernel) to support older clients which still use TLS 1.1 /
1.2, or are you locked into using TLS 1.3 ciphers only?

wbr
rr

From nginx-forum at forum.nginx.org Wed Nov 17 03:24:38 2021
From: nginx-forum at forum.nginx.org (satay)
Date: Tue, 16 Nov 2021 22:24:38 -0500
Subject: nginx DNS load balancing - Log client requests
Message-ID:

Hello,

I would like to log the clients' request information, basically DNS
resolution requests, A, PTR records etc. How do I enable that logging?

Please advise.

Thanks

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292863,292863#msg-292863

From mikhail.isachenkov at nginx.com Wed Nov 17 08:12:07 2021
From: mikhail.isachenkov at nginx.com (Mikhail Isachenkov)
Date: Wed, 17 Nov 2021 11:12:07 +0300
Subject: nginx kTLS support blog post
In-Reply-To: <000301d7db0d$867e2230$937a6690$@roze.lv>
References: <000301d7db0d$867e2230$937a6690$@roze.lv>
Message-ID: <81816844-80ec-47a2-c035-80ba0e437e81@nginx.com>

Hello Reinis,

TLSv1.2 ciphers are supported by the kernel as well as TLSv1.3. If the
particular cipher is not supported by the kernel, the BIO_get_ktls_send()
function returns zero and SSL sendfile will not be used. Check
https://hg.nginx.org/nginx/rev/65946a191197#l1.18 for details.

16.11.2021 20:15, Reinis Rozitis wrote:
>> As some of you probably know we added kTLS support in nginx-1.21.4.
>
> Before testing myself I wanted to quickly clarify - does this work in
> combination with older cipher suites (as in fallback from kTLS to standard
> non-kernel) to support older clients which still use TLS 1.1 / 1.2, or are
> you locked into using TLS 1.3 ciphers only?
>
> wbr
> rr
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>

--
Best regards,
Mikhail Isachenkov
NGINX Professional Services

From jay at gooby.org Thu Nov 18 09:57:14 2021
From: jay at gooby.org (Jay Caines-Gooby)
Date: Thu, 18 Nov 2021 09:57:14 +0000
Subject: PCRE repo has been removed. Build with PCRE2?
In-Reply-To:
References:
Message-ID:

TL;DR: Use the exim mirror. Exim was built by Philip Hazel, who is also
the author of PCRE, so it's about as official as it could be. Better
than a shady Sourceforge one!

https://ftp.exim.org/pub/pcre/

Made a brief issue about this in my build-nginx script:
https://github.com/jaygooby/build-nginx/issues/6

On Thu, 11 Nov 2021 at 17:05, Zach Mitchell wrote:

> Hey all,
> Just stumbled upon that https://www.pcre.org/ no longer allows the
> download of PCRE-8.45 via their FTP so I'm at a loss on how to build
> nginx from source. Their site describes that they now have PCRE2 but every
> search I have done on it says that NGINX requires PCRE version 8.X.
>
> Has someone figured out how to build with PCRE2?
>
> Is there a better secure mirror for PCRE?
>
> Thanks,
> Zach Mitchell
>

--
Jay Caines-Gooby
http://jay.gooby.org
jay at gooby.org
+44 (0)7956 182625
twitter, skype & aim: jaygooby
gtalk: jaygooby at gmail.com

From nginx-forum at forum.nginx.org Thu Nov 18 10:51:08 2021
From: nginx-forum at forum.nginx.org (gunitinug)
Date: Thu, 18 Nov 2021 05:51:08 -0500
Subject: nginx proxy pass only works for root location
Message-ID:

Hello. I posted a question:

https://unix.stackexchange.com/questions/678060/nginx-proxy-pass-only-works-for-root-location

Thanks.
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292884,292884#msg-292884

From mdounin at mdounin.ru Thu Nov 18 13:36:58 2021
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Thu, 18 Nov 2021 16:36:58 +0300
Subject: nginx proxy pass only works for root location
In-Reply-To:
References:
Message-ID:

Hello!

On Thu, Nov 18, 2021 at 05:51:08AM -0500, gunitinug wrote:

> Hello. I posted a question:
>
> https://unix.stackexchange.com/questions/678060/nginx-proxy-pass-only-works-for-root-location

First of all you may want to define "won't work". What exactly happens,
what goes wrong?

Note that in general there are no problems with proxying in nginx: it
will happily get a request from the client and pass it to the backend
server, and will return the response from the backend server to the
client.

But proxying, especially if you are trying to proxy with a changed URI,
might result in an incorrect resulting page if your backend server uses
absolute links in responses. Or your backend server might not like the
request coming from nginx and will try to redirect the client.

The most common issue which happens when proxying is wrong URLs in
redirections returned by the backend server. This is something nginx is
usually able to fix itself with the default settings of the
proxy_redirect directive. In complex cases some adjustment might be
needed though (see http://nginx.org/r/proxy_redirect for details).

Another common issue is wrong links in the HTML pages returned. In some
cases these can be fixed with sub_filter (http://nginx.org/r/sub_filter),
but usually a better idea is to configure your backend server to return
correct links instead.
--
Maxim Dounin
http://mdounin.ru/

From nginx-forum at forum.nginx.org Thu Nov 18 22:31:27 2021
From: nginx-forum at forum.nginx.org (gunitinug)
Date: Thu, 18 Nov 2021 17:31:27 -0500
Subject: nginx proxy pass only works for root location
In-Reply-To:
References:
Message-ID: <2b6872a2de859d521fb88a1182a298e0.NginxMailingListEnglish@forum.nginx.org>

Maxim Dounin Wrote:
-------------------------------------------------------
> Hello!
>
> On Thu, Nov 18, 2021 at 05:51:08AM -0500, gunitinug wrote:
>
> > Hello. I posted a question:
> >
> > https://unix.stackexchange.com/questions/678060/nginx-proxy-pass-only-works-for-root-location
>
> First of all you may want to define "won't work". What exactly
> happens, what goes wrong?
>
> Note that in general there are no problems with proxying in nginx:
> it will happily get a request from the client and pass it to the
> backend server, and will return the response from the backend
> server to the client.
>
> But proxying, especially if you are trying to proxy with a changed
> URI, might result in an incorrect resulting page if your backend
> server uses absolute links in responses. Or your backend server
> might not like the request coming from nginx and will try to
> redirect the client.
>
> The most common issue which happens when proxying is wrong URLs in
> redirections returned by the backend server. This is something
> nginx is usually able to fix itself with the default settings of
> the proxy_redirect directive. In complex cases some adjustment
> might be needed though (see http://nginx.org/r/proxy_redirect for
> details).
>
> Another common issue is wrong links in the HTML pages
> returned. In some cases these can be fixed with sub_filter
> (http://nginx.org/r/sub_filter), but usually a better idea is to
> configure your backend server to return correct links instead.
>
> --
> Maxim Dounin
> http://mdounin.ru/

Loading of the app in browser fails. I checked the console and it says:

Loading failed for the