From grobi at koppzu.de Fri Oct 1 08:47:01 2021
From: grobi at koppzu.de (Markus Grobelin)
Date: Fri, 1 Oct 2021 10:47:01 +0200 (CEST)
Subject: Rate Limit not applied when mapping $upstream_http_ headers
Message-ID: <1064711324.79834.1633078021195.JavaMail.zimbra@koppzu.de>

Hi everybody,

I have a reverse-proxy setup with an upstream application that sets a header (x_tenant_id). Based on that header's value, I want to apply a rate limit to clients.

I verified the rate limit applies* properly when a usual request header (e.g. $http_x_tenant_id) is mapped. However, the config below does not map $upstream_http_x_tenant_id** at all.

Any advice on how to achieve rate limiting using such $upstream_http_ headers?

Thanks in advance,
Markus

* siege -c 10 -t5S -H 'x-tenant-id: 503'

**
upstream myupstream {
    server 10.10.100.0:8000;
}

# does not work
map $upstream_http_x_tenant_id $limit_key {
    123     $binary_remote_addr;
    503     $binary_remote_addr;
    default "";
}

server {
    [...]
    location / {
        # Rate limiting for some tenants
        limit_req zone=limit_key;
        limit_req_status 444;

        uwsgi_read_timeout 300s;
        uwsgi_send_timeout 300s;
        uwsgi_pass myupstream;
        include /etc/nginx/uwsgi_params;
    }
    [...]
}

From osa at freebsd.org.ru Fri Oct 1 17:09:08 2021
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Fri, 1 Oct 2021 20:09:08 +0300
Subject: Load Balancing Apache Tomcat with Nginx : (OpenMeetings Cluster using Apache Tomcat Server)

Hi Jeffrey,

On Mon, Sep 27, 2021 at 12:47:53PM +0000, Aom Jeff Root wrote:
> Hi dear,
>
> - I'm a student and I work on an open source web conferencing project (school
> project). I chose Openmeetings.
>
> I work on clustering openmeetings with two nodes and I want to make single
> access to the group server. I want to use the nginx load balancer. How to
> configure nginx to make it or set a custom nginx load balancer to the
> openmeetings clustered app?
I'd recommend starting with the following article,
https://docs.nginx.com/nginx/deployment-guides/load-balance-third-party/apache-tomcat/

Hope it helps.

--
Sergey Osokin

From mdounin at mdounin.ru Fri Oct 1 17:33:40 2021
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Fri, 1 Oct 2021 20:33:40 +0300
Subject: Rate Limit not applied when mapping $upstream_http_ headers
In-Reply-To: <1064711324.79834.1633078021195.JavaMail.zimbra@koppzu.de>
References: <1064711324.79834.1633078021195.JavaMail.zimbra@koppzu.de>

Hello!

On Fri, Oct 01, 2021 at 10:47:01AM +0200, Markus Grobelin wrote:
> Hi everybody,
>
> I have a reverse-proxy setup with an upstream application that
> sets a header (x_tenant_id).
>
> Based on that header's value, I want to apply a rate limit to
> clients.
>
> I verified the rate limit applies* properly when a usual
> request header (e.g. $http_x_tenant_id) is mapped. However, the
> config below does not map $upstream_http_x_tenant_id** at all.
>
> Any advice on how to achieve rate limiting using such
> $upstream_http_ headers?

Request rate limiting, as configured with the limit_req directive (not to be confused with response transmission rate limiting, limit_rate), happens before processing a request, that is, before the request is sent to the upstream server and a response is received. As such, you cannot rely on variables only available when a response is received from the upstream server, such as $upstream_http_* variables.

If you want to reject requests based on information only available on the upstream server, the best solution might be to actually reject requests on the upstream server. If you have to do it on nginx for some reason, it should be possible to configure things using X-Accel-Redirect redirections, though this is going to be a complex configuration, and it will do two upstream requests instead of just one.
A better approach might be to re-think your limiting configuration to use something directly available from the request.

--
Maxim Dounin
http://mdounin.ru/

From keith6014 at gmail.com Fri Oct 1 20:32:59 2021
From: keith6014 at gmail.com (Keith Brown)
Date: Fri, 1 Oct 2021 16:32:59 -0400
Subject: nginx authentication and authorization

any help?

On Tue, Sep 28, 2021 at 3:29 PM Keith Brown wrote:
>
> I have two modules: spnego-http-auth-nginx-module and nginx-auth-ldap
> working perfectly.
>
> However, I am just not sure how to make them work together.
>
> I have an endpoint /login which gives me the remote_user because I
> am using auth_gss. How can I use that information to check if the user
> is in an LDAP group?

From osa at freebsd.org.ru Fri Oct 1 21:32:01 2021
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Sat, 2 Oct 2021 00:32:01 +0300
Subject: nginx authentication and authorization

On Fri, Oct 01, 2021 at 04:32:59PM -0400, Keith Brown wrote:
> any help?
>
> On Tue, Sep 28, 2021 at 3:29 PM Keith Brown wrote:
> >
> > I have two modules: spnego-http-auth-nginx-module and nginx-auth-ldap
> > working perfectly.
> >
> > However, I am just not sure how to make them work together.
> >
> > I have an endpoint /login which gives me the remote_user because I
> > am using auth_gss. How can I use that information to check if the user
> > is in an LDAP group?

Both modules are third-party modules; not sure if the authors of those are subscribers of this mailing list.

In any case, a potential solution may need to utilize the auth_request module, http://nginx.org/en/docs/http/ngx_http_auth_request_module.html, and the NGINX JavaScript module, http://nginx.org/en/docs/http/ngx_http_js_module.html, as well.
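Stepping back to the rate-limit thread at the top of this digest (Markus's question and Maxim's reply): the point that limit_req runs in the pre-access phase, before nginx has any upstream response, is easiest to see in a complete configuration. What follows is an added example for this archive, not Markus's configuration and not code from the nginx project. Assumed names: the upstream "myupstream" from Markus's config, an HTTP lookup service "tenant_api", the zones "tenant", "anon" and "by_upstream", the internal prefix /_app/ and the server names. Variant A keys the limit on data nginx has when the request arrives, and adds the fallback zone a security reviewer would ask for; Variant B implements the two-request X-Accel-Redirect pattern Maxim mentions.

```nginx
# Added example (not from the thread). See the lead-in for what is assumed.
upstream myupstream {
    server 10.10.100.0:8000;
}

# ---- Variant A: key the limit on data that exists when the request arrives ----
# A client-supplied X-Tenant-Id header is attacker-controlled: a client can omit
# it or claim another tenant's id. So a known tenant gets its own bucket, and
# everything else falls into a second zone keyed on the client address instead
# of passing unlimited (Markus's "default """ let unknown tenants through).
map $http_x_tenant_id $tenant_key {
    123     "t123:$binary_remote_addr";
    503     "t503:$binary_remote_addr";
    default "";                        # empty key: zone "tenant" is not applied...
}
map $tenant_key $anon_key {
    ""      $binary_remote_addr;       # ...so everyone else is limited per address
    default "";
}
limit_req_zone $tenant_key zone=tenant:10m rate=5r/s;
limit_req_zone $anon_key   zone=anon:10m   rate=50r/s;

server {
    listen 80;
    server_name a.example;             # assumed

    location / {
        limit_req zone=tenant burst=10 nodelay;
        limit_req zone=anon   burst=100;
        limit_req_status 429;          # 444 closes the connection silently; 429 lets
                                       # a well-behaved client back off
        include /etc/nginx/uwsgi_params;
        uwsgi_pass myupstream;
    }
}

# ---- Variant B: the two-request X-Accel-Redirect pattern Maxim describes ----
# Request 1 goes to a cheap lookup endpoint (assumed) that answers with
#   X-Accel-Redirect: /_app<original uri>   and   X-Tenant-Id: <id>
# nginx then re-runs the request phases for /_app/..., where limit_req can read
# $upstream_http_x_tenant_id from response 1, and request 2 fetches the real
# resource from the application. Two upstream round trips per request.
upstream tenant_api {
    server 10.10.100.0:8001;           # assumed
}
map $upstream_http_x_tenant_id $by_upstream_key {
    123     "t123:$binary_remote_addr";
    503     "t503:$binary_remote_addr";
    default "";
}
limit_req_zone $by_upstream_key zone=by_upstream:10m rate=5r/s;

server {
    listen 80;
    server_name b.example;             # assumed

    location / {
        # No limit_req here on purpose: once a limit has been evaluated for a
        # request, the limit_req in the redirected location is skipped.
        proxy_set_header Host $host;
        proxy_pass http://tenant_api/_tenant$request_uri;
    }

    location /_app/ {
        internal;                      # only reachable through the redirect
        limit_req zone=by_upstream burst=10 nodelay;
        limit_req_status 429;

        rewrite ^/_app(/.*)$ $1 break; # hand the app its original path
        include /etc/nginx/uwsgi_params;
        uwsgi_pass myupstream;
    }
}
```

Variant A is the one to reach for unless the tenant really is unknowable from the request; in Variant B a lookup response without X-Tenant-Id yields an empty key and therefore no limit, so the lookup service must answer for every request, and the redirect target is kept `internal` so a client cannot skip the lookup by asking for /_app/ directly.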
--
Sergey Osokin

From keith6014 at gmail.com Sat Oct 2 11:47:00 2021
From: keith6014 at gmail.com (Keith Brown)
Date: Sat, 2 Oct 2021 07:47:00 -0400
Subject: nginx authentication and authorization

Thanks. This looks interesting. I am afraid it's a bit over my head. I am not sure how this could validate if $remote_user is in my LDAP group.

On Fri, Oct 1, 2021 at 5:35 PM Sergey A. Osokin wrote:
>
> On Fri, Oct 01, 2021 at 04:32:59PM -0400, Keith Brown wrote:
> > any help?
> >
> > On Tue, Sep 28, 2021 at 3:29 PM Keith Brown wrote:
> > >
> > > I have two modules: spnego-http-auth-nginx-module and nginx-auth-ldap
> > > working perfectly.
> > >
> > > However, I am just not sure how to make them work together.
> > >
> > > I have an endpoint /login which gives me the remote_user because I
> > > am using auth_gss. How can I use that information to check if the user
> > > is in an LDAP group?
>
> Both modules are third-party modules; not sure if the authors of those are
> subscribers of this mailing list.
>
> In any case, a potential solution may need to utilize the auth_request module
> http://nginx.org/en/docs/http/ngx_http_auth_request_module.html and the
> NGINX JavaScript module, http://nginx.org/en/docs/http/ngx_http_js_module.html
> as well.
>
> --
> Sergey Osokin

From nginx-forum at forum.nginx.org Sun Oct 3 06:50:14 2021
From: nginx-forum at forum.nginx.org (Hukato)
Date: Sun, 03 Oct 2021 02:50:14 -0400
Subject: upstream timed out (110: Connection timed out) while reading response header from upstream.
Message-ID: <827a28f902c42b1eab674b9d36e0d0d9.NginxMailingListEnglish@forum.nginx.org>

Facing issues with this website. Don't know how the developer installed everything.
https://trackjrs.com/

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,289511,292522#msg-292522

From aomjeff.root at gmail.com Mon Oct 4 09:06:36 2021
From: aomjeff.root at gmail.com (Aom Jeff Root)
Date: Mon, 4 Oct 2021 09:06:36 +0000
Subject: Load Balancing Apache Tomcat with Nginx : (OpenMeetings Cluster using Apache Tomcat Server)

Hi Mr Sergey,

Thank you for your email, this was helpful enough for me.

Thanks once again.

Kind regards,
Jeffrey.

On Fri, 1 Oct 2021 at 17:09, Sergey A. Osokin wrote:
> Hi Jeffrey,
>
> On Mon, Sep 27, 2021 at 12:47:53PM +0000, Aom Jeff Root wrote:
> > Hi dear,
> >
> > - I'm a student and I work on an open source web conferencing project
> > (school project). I chose Openmeetings.
> >
> > I work on clustering openmeetings with two nodes and I want to make
> > single access to the group server. I want to use the nginx load balancer.
> > How to configure nginx to make it or set a custom nginx load balancer to
> > the openmeetings clustered app?
>
> I'd recommend starting with the following article,
>
> https://docs.nginx.com/nginx/deployment-guides/load-balance-third-party/apache-tomcat/
>
> Hope it helps.
>
> --
> Sergey Osokin

From nginx-forum at forum.nginx.org Mon Oct 4 11:22:02 2021
From: nginx-forum at forum.nginx.org (petecooper)
Date: Mon, 04 Oct 2021 07:22:02 -0400
Subject: TLS cipher hexadecimal logging

Hello.

Per the documentation:

> $ssl_cipher
> returns the name of the cipher used for an established SSL connection.

This means `$ssl_cipher` returns e.g. `TLS_CHACHA20_POLY1305_SHA256`. Is it possible to return the corresponding hex value e.g. `0x1303` instead?

Thank you, and best wishes.
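Sergey's reply to this question (next message) points at the map module. As an added example for this archive, not from either poster, this is what that map looks like in practice. The suite names are the ones OpenSSL reports in $ssl_cipher (IANA-style for TLS 1.3, OpenSSL-style for TLS 1.2), the code points are the IANA values for those suites, and the certificate paths and server name are assumptions. Anything not in the table is logged with its name rather than silently mapped, so an unexpected suite stays visible in the audit log.

```nginx
# Added example, not from the forum thread. Translates the negotiated cipher
# suite name into its IANA code point for logging.
map $ssl_cipher $ssl_cipher_hex {
    # TLS 1.3 (OpenSSL reports the IANA name)
    TLS_AES_128_GCM_SHA256          0x1301;
    TLS_AES_256_GCM_SHA384          0x1302;
    TLS_CHACHA20_POLY1305_SHA256    0x1303;
    # TLS 1.2 (OpenSSL reports its own names)
    ECDHE-ECDSA-AES128-GCM-SHA256   0xC02B;
    ECDHE-ECDSA-AES256-GCM-SHA384   0xC02C;
    ECDHE-RSA-AES128-GCM-SHA256     0xC02F;
    ECDHE-RSA-AES256-GCM-SHA384     0xC030;
    ECDHE-ECDSA-CHACHA20-POLY1305   0xCCA9;
    ECDHE-RSA-CHACHA20-POLY1305     0xCCA8;
    ""                              "-";                    # plain HTTP, no TLS
    default                         "unknown:$ssl_cipher";  # do not hide surprises
}

# One line per request with the negotiated protocol/suite and what the client
# offered, which is what you want when auditing for downgrades or weak clients.
log_format tls_audit '$remote_addr [$time_local] "$request" $status '
                     'proto=$ssl_protocol cipher=$ssl_cipher_hex ($ssl_cipher) '
                     'offered="$ssl_ciphers"';

server {
    listen 443 ssl;
    server_name www.example.com;                      # assumed
    ssl_certificate     /etc/nginx/tls/example.pem;   # assumed paths
    ssl_certificate_key /etc/nginx/tls/example.key;

    access_log /var/log/nginx/tls_audit.log tls_audit;

    location / {
        return 200 "cipher=$ssl_cipher_hex\n";
    }
}
```

$ssl_ciphers (1.11.7) is the client's offered list, and nginx already prints suites it does not know by name in hex there, so it is the better variable for spotting clients that offer unwanted suites. `openssl ciphers -V 'ALL'` prints the name-to-code-point table if you need to extend the map.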
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292525,292525#msg-292525

From osa at freebsd.org.ru Mon Oct 4 15:17:25 2021
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Mon, 4 Oct 2021 18:17:25 +0300
Subject: TLS cipher hexadecimal logging

Hi, hope you're doing well these days.

On Mon, Oct 04, 2021 at 07:22:02AM -0400, petecooper wrote:
> Hello.
>
> Per the documentation:
>
> > $ssl_cipher
> > returns the name of the cipher used for an established SSL connection.
>
> This means `$ssl_cipher` returns e.g `TLS_CHACHA20_POLY1305_SHA256`.
> Is it possible to return the corresponding hex value e.g. `0x1303` instead?

I believe it's possible to use map in this case,
https://nginx.org/en/docs/http/ngx_http_map_module.html

--
Sergey Osokin

From jfs.world at gmail.com Thu Oct 7 03:12:17 2021
From: jfs.world at gmail.com (Jeffrey 'jf' Lim)
Date: Thu, 7 Oct 2021 11:12:17 +0800
Subject: ssl_stapling_verify: do we need 'ssl_trusted_certificate' if the intermediate certs are present in ssl_certificate?

On Wed, Sep 29, 2021 at 9:42 PM Jeffrey 'jf' Lim wrote:
>
> On Wed, Sep 29, 2021 at 9:24 PM Maxim Dounin wrote:
> >
> > Hello!
> >
> > On Wed, Sep 29, 2021 at 12:47:58PM +0800, Jeffrey 'jf' Lim wrote:
> >
> > > http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
> > > has a note about not needing 'ssl_trusted_certificate' if
> > > ssl_certificate has intermediate certificates. I do not see a similar
> > > note for ssl_stapling_verify
> > > (http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling_verify)
> > > though. Is this also the same?
> >
> > No. To verify OCSP response OpenSSL needs a full chain up to a
> > trusted root certificate.
> >
>
> Ok. I am reading the description for ssl_stapling again, and am
> wanting to clarify a few things.
>
> if "ssl_stapling on":
>     if the certificate of the server certificate issuer is present in
>     , we do not need to have
>     otherwise  must have the certificate of the
>     server certificate issuer
>
> if "ssl_stapling_verify on":
>     if  has the full chain, we *still* need
>
> Is my understanding correct?
>

Sorry, but can I get a clarification on whether my understanding is correct?

thanks,
-jf

From jongsun89 at naver.com Fri Oct 8 03:31:23 2021
From: jongsun89 at naver.com (백종선)
Date: Fri, 08 Oct 2021 12:31:23 +0900
Subject: Reverse proxy for tcp stream

Hi nginx team.

I'm trying to use nginx as a reverse proxy for a TCP stream. The server behind the proxy is opening a Linux socket and checking the IP address of the connected client for some use. But if I use the reverse proxy, the IP would be the proxy server's IP address.

I have searched for this situation and tried proxy_bind transparent. But the socket server never gets the connection request. From the proxy server, timed-out logs are coming.

How can the socket server behind the proxy get the real client IP address?

From r at roze.lv Fri Oct 8 12:24:44 2021
From: r at roze.lv (Reinis Rozitis)
Date: Fri, 8 Oct 2021 15:24:44 +0300
Subject: Reverse proxy for tcp stream
Message-ID: <000001d7bc3f$7a4717c0$6ed54740$@roze.lv>

> I have searched for this situation and tried proxy_bind transparent.
> But the socket server never gets the connection request.
> From the proxy server, timed-out logs are coming.
> How can the socket server behind the proxy get the real client IP address?

There are more steps/things you have to do to make IP transparency work than just enabling it in the nginx config, as in you have to change the firewall (iptables) and routing.

More detailed here: https://www.nginx.com/blog/ip-transparency-direct-server-return-nginx-plus-transparent-proxy/#ip-transparency

It's more complicated than with the simple http/header approach.
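The routing work Reinis refers to is the part people miss, and the "timed out" symptom in the original question is exactly what a missing return route looks like: the backend's SYN-ACK goes straight to the client, which has no such connection, and the handshake never completes. The following is an added example, not Reinis's mail and not the linked article; the addresses (nginx on 10.0.0.1, backend 10.0.1.10), ports and log path are assumptions. It shows the transparent stream proxy next to the PROXY-protocol alternative, which is the stream equivalent of the "header approach" and needs no routing changes.

```nginx
# Added example (not from the thread). Addresses and ports are assumed.
stream {
    log_format tcp '$remote_addr -> $upstream_addr $protocol $status '
                   'in=$bytes_received out=$bytes_sent t=$session_time';

    # Option 1: IP transparency. The backend sees the real client address as the
    # TCP source, so every reply packet from the backend must be routed back
    # through this host (see the host setup below), not sent to the client.
    server {
        listen 10.0.0.1:9000;
        proxy_bind $remote_addr transparent;  # Linux: since 1.13.8 the workers inherit
                                              # CAP_NET_ADMIN from the master for this
        proxy_pass 10.0.1.10:9000;
        proxy_connect_timeout 5s;
        proxy_timeout 10m;                    # idle sessions are torn down after this
        proxy_socket_keepalive on;            # TCP keepalive towards the backend (1.15.6)
        access_log /var/log/nginx/tcp.log tcp;
    }

    # Option 2: PROXY protocol. nginx prefixes each upstream connection with a
    # "PROXY TCP4 <client> <proxy> <ports>" line; no kernel routing changes, but
    # the backend must understand the PROXY header.
    server {
        listen 10.0.0.1:9001;
        proxy_protocol on;
        proxy_pass 10.0.1.10:9001;
        access_log /var/log/nginx/tcp.log tcp;
    }
}

# Host setup for Option 1, run on the nginx machine (the steps from the linked
# article, with the assumed addresses):
#
#   # Mark packets coming back from the backend's service port and steer them
#   # into a routing table that delivers them locally, so the nginx socket
#   # (which owns the spoofed client source) terminates them.
#   iptables -t mangle -A PREROUTING -p tcp -s 10.0.1.10 --sport 9000 \
#            -j MARK --set-xmark 0x1/0xffffffff
#   ip rule add fwmark 1 lookup 100
#   ip route add local 0.0.0.0/0 dev lo table 100
#   sysctl -w net.ipv4.ip_forward=1
#
# On the backend, the default route (or at least the routes for the client
# networks) must point at 10.0.0.1. Without that the backend answers the real
# client directly and nginx logs "upstream timed out".
```

Option 1 also means the backend, not nginx, is now reachable by spoofed sources only through this box, so keep the mark rule scoped to the backend address and port rather than a whole subnet. With either option, an idle client is only disconnected when nginx gives up on the backend (proxy_timeout, or keepalive probes failing), which is worth knowing before tuning for the "backend went away" case.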
Wbr
rr

From jongsun89 at naver.com Wed Oct 13 04:27:03 2021
From: jongsun89 at naver.com (백종선)
Date: Wed, 13 Oct 2021 13:27:03 +0900
Subject: Reverse proxy for tcp stream
In-Reply-To: <000001d7bc3f$7a4717c0$6ed54740$@roze.lv>
References: <000001d7bc3f$7a4717c0$6ed54740$@roze.lv>

Thanks Reinis,

I've managed to set this up, and succeeded. But I have a problem after it.

I used the transparency way from the referred page. Client and upstream server are connected through Linux sockets.

Here is my problem. If the upstream server goes down (network also down), the client does not recognize the situation. So the socket connection is alive from the client side. Actually the client side should recognize it and close the connection.

How do I handle this on the nginx side?

BR

-----Original Message-----
From: "Reinis Rozitis"
Sent: 2021-10-08 21:24:44 (GMT+09:00)
Subject: RE: Reverse proxy for tcp stream

> > I have searched for this situation and tried proxy_bind transparent.
> > But the socket server never gets the connection request.
> > From the proxy server, timed-out logs are coming.
> > How can the socket server behind the proxy get the real client IP address?
>
> There are more steps/things you have to do to make IP transparency work
> than just enabling it in the nginx config, as in you have to change the
> firewall (iptables) and routing.
>
> More detailed here:
> https://www.nginx.com/blog/ip-transparency-direct-server-return-nginx-plus-transparent-proxy/#ip-transparency
>
> It's more complicated than with the simple http/header approach.
>
> Wbr
> rr

From peter.volkov at gmail.com Wed Oct 13 10:12:34 2021
From: peter.volkov at gmail.com (Peter Volkov)
Date: Wed, 13 Oct 2021 13:12:34 +0300
Subject: nginx error pages and CORS

Hi.
We use Nginx as a reverse proxy for our service that manages CORS by itself. Yet we have problems with errors that Nginx generates itself, e.g. 413 Request Entity Too Large. Such error pages have no CORS headers and this causes browsers to report the CORS issue, and thus the user does not see the real reason for this problem. So we would like to add permissive CORS headers to all error pages that Nginx generates. Does there exist such a list of error codes that Nginx generates? Like wrong headers, bad requests, whatever?

Thanks in advance for your help,
--
Peter.

From mailinglisten at wbock.de Wed Oct 13 21:56:01 2021
From: mailinglisten at wbock.de (Wolfgang Bock)
Date: Wed, 13 Oct 2021 23:56:01 +0200
Subject: strange behavior of websites served by nginx
Message-ID: <000001d7c07d$1d656bf0$583043d0$@wbock.de>

Hello,

I am new to using nginx. I am using it as a webserver for sympa and roundcube. There it shows a strange behavior.

Clickable links with icons are not properly shown.

For example, for roundcube see the file "roundcube-fehler.." and for sympa see "sympa-fehler .".

I searched in all log files but found no error messages.

Can anyone help?
Thanks in advance.

Regards
Wolfgang

A non-text attachment was scrubbed... Name: roundcube-fehler-2021-10-12-03.jpg Type: image/jpeg Size: 13850 bytes
A non-text attachment was scrubbed... Name: sympa-fehler-2021-10-11-01.jpg Type: image/jpeg Size: 19370 bytes
A non-text attachment was scrubbed... Name: sympa-fehler-2021-10-11_02.jpg Type: image/jpeg Size: 14108 bytes

From osa at freebsd.org.ru Wed Oct 13 22:41:19 2021
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Thu, 14 Oct 2021 01:41:19 +0300
Subject: strange behavior of websites served by nginx
In-Reply-To: <000001d7c07d$1d656bf0$583043d0$@wbock.de>
References: <000001d7c07d$1d656bf0$583043d0$@wbock.de>

Hi Wolfgang,

hope you're doing well.

On Wed, Oct 13, 2021 at 11:56:01PM +0200, Wolfgang Bock wrote:
> Hello,
>
> I am new to using nginx.
> I am using it as a webserver for sympa and roundcube. There it shows a
> strange behavior.
>
> Clickable links with icons are not properly shown.
>
> For example, for roundcube see the file "roundcube-fehler.." and for sympa see
> "sympa-fehler .".
>
> I searched in all log files but found no error messages.
>
> Can anyone help?
> Thanks in advance.

Could you please share the NGINX configuration files; hope that may help to catch the issue.

Also, there are some configurations available on the internet:
- https://wiki.debian.org/Sympa/Nginx
- https://pub.nethence.com/www/roundcube

so you can use those as a starting point to configure NGINX.

Thank you.

--
Sergey Osokin

From Jernej.Vodopivec at akson.si Sun Oct 17 07:18:36 2021
From: Jernej.Vodopivec at akson.si (Jernej Vodopivec)
Date: Sun, 17 Oct 2021 07:18:36 +0000
Subject: Keycloak login issue - incorrect /_token call to non-existent backend server
In-Reply-To: <1634455060881.41235@akson.si>
References: <1634454976653.33426@akson.si>,<1634455060881.41235@akson.si>
Message-ID: <1634455116938.41653@akson.si>

Hi,

after a successful login on the Keycloak webpage the user is not redirected to the real backend service. The event log shows a request to a non-existent backend server (127.0.0.1) using a malformed scheme (HTTPS with port 80).

https://127.0.0.1:80/auth/realms/master/protocol/openid-connect/token"

I've published two sites via Nginx:

1.
Application: https://app.domain.com
Application is running on backend IIS server https://appbackend.domain.com

NGINX Virtual host config:

a) Headers set:
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $host;
    proxy_set_header Forwarded "$proxy_add_forwarded;proto=$scheme";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Referer $http_referer;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

b) Keycloak part
    include conf.d/openid_connect.server_conf;
    set $oidc_authz_endpoint "https://keycloak.domain.com/auth/realms/master/protocol/openid-connect/auth";
    set $oidc_token_endpoint "https://keycloak.domain.com/auth/realms/master/protocol/openid-connect/token";
    set $oidc_client "NGINX-Plus";
    set $oidc_client_secret "acdce7.......7460";
    set $oidc_jwt_keyfile "https://keycloak.domain.com/auth/realms/master/protocol/openid-connect/certs";
    set $oidc_hmac_key "38...asfumg3";

c) location part
    auth_jwt "" token=$session_jwt;
    error_page 401 = @do_oidc_flow;
    auth_jwt_key_request /_jwks_uri;
    proxy_set_header username $jwt_claim_sub;
    proxy_pass https://appbackend.domain.com;

2. Keycloak: https://keycloak.domain.com
Keycloak is running as a docker container on a separate virtual machine keycloak1.domain.com.
Port redirection:
- tcp/80 -> tcp/8080
- tcp/443 -> tcp/8443
SSL certificate is installed and activated.

1. Headers set:
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $host;
    proxy_set_header Forwarded "$proxy_add_forwarded;proto=$scheme";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Referer $http_referer;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

2. Backend
    proxy_pass https://keycloak1.domain.com;   ## Same issue if HTTP is used instead of HTTPS

3.
Client configuration - admin part
Valid Redirect URIs: https://app.domain.com:443/_codexch

NGINX logs

==> /var/log/nginx/app.domain.com-access.log <==
remote_addr=184.55.14.22 - remote_user=- time_local=[17/Oct/2021:09:06:17 +0200] request="GET / HTTP/2.0" status=302 body_bytes_sent=145 http_referer="-" http_user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0" http_x_forwarded_for="-" request_time=0.002 upstream_connect_time="-" upstream_header_time="-" upstream_response_time="-" server_name=app.domain.com uri="/"

==> /var/log/nginx/keycloak.domain.com-access.log <==
remote_addr=184.55.14.22 - remote_user=- time_local=[17/Oct/2021:09:06:17 +0200] request="GET /auth/realms/master/protocol/openid-connect/auth?response_type=code&scope=openid+profile+email+offline_access&client_id=NGINX-Plus&redirect_uri=https://app.domain.com:443/_codexch&nonce=5--Pw-iCkTs1hR-3V6wgLkd2vZNC0ys0NM9fRR4D1c8&state=0 HTTP/2.0" status=302 body_bytes_sent=0 http_referer="-" http_user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0" http_x_forwarded_for="-" request_time=0.032 upstream_connect_time="0.020" upstream_header_time="0.032" upstream_response_time="0.032" server_name=keycloak.domain.com uri="/auth/realms/master/protocol/openid-connect/auth"
1c8&state=0 HTTP/2.0", status=302, waf_policy=Complete_OWASP_Top_Ten, waf_request_id=13388773729652827719, waf_action=PASSED, waf_action_reason=SECURITY_WAF_OK

==> /var/log/nginx/app.domain.com-error.log <==
2021/10/17 09:06:18 [error] 3352262#3352262: *406 connect() failed (111: Connection refused) while connecting to upstream, client: 184.55.14.22, server: app.domain.com, request: "GET /_codexch?state=0&session_state=0b783755-9b00-4b0f-9e63-1a047680272c&code=07ce9447-19a7-443f-abfb-54e92819a34a.0b783755-9b00-4b0f-9e63-1a047680272c.98d80b2d-9f0d-482a-bdfd-b680834bb9bc HTTP/2.0", subrequest: "/_token", upstream: "https://127.0.0.1:80/auth/realms/master/protocol/openid-connect/token", host: "app.domain.com"

Any help would be really appreciated.

Regards,
Jernej

From francis at daoine.org Sun Oct 17 13:44:03 2021
From: francis at daoine.org (Francis Daly)
Date: Sun, 17 Oct 2021 14:44:03 +0100
Subject: Keycloak login issue - incorrect /_token call to non-existent backend server
Message-ID: <20211017134403.GB12557@daoine.org>

On Sun, Oct 17, 2021 at 09:21:03AM +0200, Jernej Vodopivec wrote:

Hi there,

I don't know about Keycloak; and I don't have the answer to your question; but I can see one thing that might not be doing what you expect:

> 1. Application: https://app.domain.com
> Application is running on backend IIS server https://appbackend.domain.com
>
> NGINX Virtual host config:
> a) Headers set:
> proxy_set_header X-Forwarded-Proto $scheme;
> proxy_set_header Host $host;
> proxy_set_header Forwarded "$proxy_add_forwarded;proto=$scheme";
...
> c) location part > auth_jwt "" token=$session_jwt; > error_page 401 = @do_oidc_flow; > auth_jwt_key_request /_jwks_uri; > proxy_set_header username $jwt_claim_sub; > proxy_pass https://appbackend.domain.com; If the "location" that handles this request includes "proxy_set_header username $jwt_claim_sub;", then all of the "Virtual host config" proxy_set_header lines will not apply to this request. If the thing at https://appbackend.domain.com is expecting to use anything like X-Real-IP or Host to decide how to handle the request, it may not be getting the values that you want it to be getting. Either remove the "proxy_set_header username", or add all of the other "proxy_set_header" lines to the location{} block. Other than that, your keycloak.domain.com-access.log does mention "client_id=NGINX-Plus" -- if you have an active nginx-plus subscription, you might find a more reliable and timely response if you contact the nginx-plus support system directly. (It's perfectly fine to ask here; asking there as well might get you a better answer.) > NGINX logs > /var/log/nginx/app.domain.com-access.log <== > remote_addr=184.55.14.22 - remote_user=- time_local=[17/Oct/2021:09:06:17 > +0200] request="GET / HTTP/2.0" status=302 body_bytes_sent=145 That is: your client asked app.domain.com for /, and was told to talk to keycloak first. (Here all we see is that the response was 302; I assume that the redirection was to keycloak.) > ==> /var/log/nginx/keycloak.domain.com-access.log <== > remote_addr=184.55.14.22 - remote_user=- time_local=[17/Oct/2021:09:06:17 > +0200] request="GET > /auth/realms/master/protocol/openid-connect/auth?response_type=code&scope=openid+profile+email+offline_access&client_id=NGINX-Plus&redirect_uri=https://app.domain.com:443/_codexch&nonce=5--Pw-iCkTs1hR-3V6wgLkd2vZNC0ys0NM9fRR4D1c8&state=0 > HTTP/2.0" status=302 body_bytes_sent=0 http_referer="-" Here, the same client asks keycloak.domain.com for the /auth/... 
url, and gets a 302 response, presumably back to the "redirect_uri" parameter -- https://app.domain.com:443/_codexch. > upstream_response_time="0.032" server_name=keycloak.domain.com > uri="/auth/realms/master/protocol/openid-connect/auth" > 1c8&state=0 HTTP/2.0", status=302, waf_policy=Complete_OWASP_Top_Ten, (There is possibly a bit missing in between those two lines -- it may not matter here.) > ==> /var/log/nginx/app.domain.com-error.log <== > 2021/10/17 09:06:18 [error] 3352262#3352262: *406 connect() failed (111: > Connection refused) while connecting to upstream, client: 184.55.14.22, > server: app.domain.com, request: "GET > /_codexch?state=0&session_state=0b783755-9b00-4b0f-9e63-1a047680272c&code=07ce9447-19a7-443f-abfb-54e92819a34a.0b783755-9b00-4b0f-9e63-1a047680272c.98d80b2d-9f0d-482a-bdfd-b680834bb9bc > HTTP/2.0", subrequest: "/_token", upstream: " > https://127.0.0.1:80/auth/realms/master/protocol/openid-connect/token", > host: "app.domain.com" And here, the same client asks app.domain.com for /_codexch with a query_string, which seems to lead the nginx at app.domain.com to make a subrequest for /_token, which it thinks it should handle by talking to something below https://127.0.0.1:80/. What is the proxy_pass line that app.domain.com has for /_token? It looks like it possibly should be "proxy_pass $oidc_token_endpoint;", and it looks like you have configured that variable to start with "https://keycloak.domain.com/". Can you see any reason why that might have become https://127.0.0.1:80/? Good luck with it, f -- Francis Daly francis at daoine.org From peter.volkov at gmail.com Mon Oct 18 13:18:22 2021 From: peter.volkov at gmail.com (Peter Volkov) Date: Mon, 18 Oct 2021 16:18:22 +0300 Subject: nginx error pages and CORS In-Reply-To: References: Message-ID: Hi, any ideas here? -- Peter. On Wed, Oct 13, 2021 at 1:12 PM Peter Volkov wrote: > Hi. > > We use Nginx as a reverse proxy for our service that manages CORS by > itself. 
> Yet we have problems with errors that Nginx generates itself, e.g.
> 413 Request Entity Too Large. Such error pages have no CORS headers and
> this causes browsers to report the CORS issue, and thus the user does not
> see the real reason for this problem. So we would like to add permissive
> CORS headers to all error pages that Nginx generates. Does there exist
> such a list of error codes that Nginx generates? Like wrong headers, bad
> requests, whatever?
>
> Thanks in advance for your help,
> --
> Peter.

From nginx-forum at forum.nginx.org  Tue Oct 19 08:20:58 2021
From: nginx-forum at forum.nginx.org (muthualagappanchess)
Date: Tue, 19 Oct 2021 04:20:58 -0400
Subject: generate cryptographically safe nonce value

Hi Team,

Is there a way to generate a cryptographically safe nonce value (random
number) with a standard nginx installation without adding any other module
dynamically?

Regards,
Muthu.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292631,292631#msg-292631

From osa at freebsd.org.ru  Tue Oct 19 13:24:27 2021
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Tue, 19 Oct 2021 16:24:27 +0300
Subject: generate cryptographically safe nonce value

Hi Muthu,

On Tue, Oct 19, 2021 at 04:20:58AM -0400, muthualagappanchess wrote:
>
> Is there a way to generate cryptographically safe nonce value (random
> number) with standard nginx installation without adding any other module
> dynamically?

NGINX generates a unique request identifier, please visit the following
link for details,
http://nginx.org/en/docs/http/ngx_http_core_module.html#var_request_id

--
Sergey Osokin

From xeioex at nginx.com  Tue Oct 19 16:44:27 2021
From: xeioex at nginx.com (Dmitry Volyntsev)
Date: Tue, 19 Oct 2021 19:44:27 +0300
Subject: njs-0.7.0

Hello,

I'm glad to announce a new release of NGINX JavaScript module (njs).
This release adds a bunch of long-awaited features.

Notable new features:

- async/await support:
- HTTPS support in Fetch API:

: async function content(r) {
:     let results = await Promise.all([ngx.fetch('https://nginx.org/'),
:                                      ngx.fetch('https://nginx.org/en/')]);
:
:     r.return(200, JSON.stringify(results, undefined, 4));
: }

- WebCrypto API support:

: async function host_hash(r) {
:     let hash = await crypto.subtle.digest('SHA-512', r.headersIn.host);
:     r.setReturnValue(Buffer.from(hash).toString('hex'));
: }

Learn more about njs:

- Overview and introduction: https://nginx.org/en/docs/njs/
- NGINX JavaScript in Your Web Server Configuration: https://youtu.be/Jc_L6UffFOs
- Extending NGINX with Custom Code: https://youtu.be/0CVhq4AUU7M
- Using node modules with njs: https://nginx.org/en/docs/njs/node_modules.html
- Writing njs code using TypeScript definition files: https://nginx.org/en/docs/njs/typescript.html

We are hiring:
If you are a C programmer, passionate about Open Source and you love
what we do, consider the following career opportunity:
https://ffive.wd5.myworkdayjobs.com/NGINX/job/Ireland-Homebase/Software-Engineer-III---NGNIX-NJS_RP1022237

Feel free to try it and give us feedback on:

- Github: https://github.com/nginx/njs/issues
- Mailing list: https://mailman.nginx.org/mailman/listinfo/nginx-devel

Changes with njs 0.7.0                                       19 Oct 2021

nginx modules:

*) Feature: added HTTPS support for Fetch API.
*) Feature: added setReturnValue() method.

Core:

*) Feature: introduced Async/Await implementation.
*) Feature: added WebCrypto API implementation.
*) Bugfix: fixed copying of closures for declared functions. The bug was
   introduced in 0.6.0.
*) Bugfix: fixed unhandled promise rejection in handle events.
*) Bugfix: fixed Response.headers getter in Fetch API.
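Returning to the proxy_set_header inheritance point in Francis Daly's reply earlier in this digest: the configuration below is an added illustration, not the original poster's config or anything from the thread, and its hostnames are placeholders. It shows why a single proxy_set_header inside a location{} drops every server-level proxy_set_header (so the backend no longer sees the real client address or the original Host), and what the corrected location looks like.

```nginx
# Added example, not from the original thread. Hostnames are placeholders.
# Assumes an auth_jwt setup as in the thread, so $jwt_claim_sub exists.
server {
    listen 443 ssl;
    server_name app.domain.com;

    # "Virtual host config" level headers. nginx inherits these into a
    # location only when that location defines NO proxy_set_header at all.
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Broken: one proxy_set_header here replaces the whole set above.
    # The backend gets "username" plus nginx's built-in defaults only
    # (Host becomes $proxy_host, i.e. appbackend.domain.com), and no
    # X-Real-IP / X-Forwarded-* at all. Anything the backend logs or
    # decides based on the client address is therefore wrong.
    location /broken/ {
        proxy_set_header username $jwt_claim_sub;
        proxy_pass https://appbackend.domain.com;
    }

    # Fixed: repeat every server-level header next to the new one
    # (the alternative from the reply is to drop "username" entirely).
    location /fixed/ {
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header username          $jwt_claim_sub;
        proxy_pass https://appbackend.domain.com;
    }
}
```

A quick way to confirm which headers actually reach the backend is to point proxy_pass temporarily at a request-echoing endpoint and compare the two locations.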
From mdounin at mdounin.ru  Tue Oct 19 20:22:17 2021
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 19 Oct 2021 23:22:17 +0300
Subject: generate cryptographically safe nonce value

Hello!

On Tue, Oct 19, 2021 at 04:24:27PM +0300, Sergey A. Osokin wrote:

> Hi Muthu,
>
> On Tue, Oct 19, 2021 at 04:20:58AM -0400, muthualagappanchess wrote:
> >
> > Is there a way to generate cryptographically safe nonce value (random
> > number) with standard nginx installation without adding any other module
> > dynamically?
>
> NGINX generates a unique request identifier, please visit the following
> link for details,
> http://nginx.org/en/docs/http/ngx_http_core_module.html#var_request_id

Note that it might not be cryptographically safe.

--
Maxim Dounin
http://mdounin.ru/

From nginx-forum at forum.nginx.org  Wed Oct 20 16:00:36 2021
From: nginx-forum at forum.nginx.org (dimitre)
Date: Wed, 20 Oct 2021 12:00:36 -0400
Subject: Using $host variable in ssl_certificate path

hello, I'm trying to use the variable $host in this entry:

ssl_certificate /etc/letsencrypt/live/$host/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$host/privkey.pem;

to potentially make one entry that fits multiple domains, but it is not
possible. I think the variable $host is not parsed in this specific
directive:

nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/$host/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/$host/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

it would be great to be able to use it here.
Thanks

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292653,292653#msg-292653

From pluknet at nginx.com  Wed Oct 20 16:23:36 2021
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Wed, 20 Oct 2021 19:23:36 +0300
Subject: Using $host variable in ssl_certificate path
Message-ID: <52B404B8-B25E-47AB-A818-A490594AA319@nginx.com>

> On 20 Oct 2021, at 19:00, dimitre wrote:
>
> hello, I'm trying to use the variable $host in this entry:
>
> ssl_certificate /etc/letsencrypt/live/$host/fullchain.pem;
> ssl_certificate_key /etc/letsencrypt/live/$host/privkey.pem;
>
> to potentially make one entry that fits multiple domains, but it is not
> possible
> I think the variable $host is not parsed in this specific directive
>
> nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/$host/fullchain.pem")
> failed (SSL: error:02001002:system library:fopen:No such file or
> directory:fopen('/etc/letsencrypt/live/$host/fullchain.pem','r')
> error:2006D080:BIO routines:BIO_new_file:no such file)

The error suggests you have too old an nginx version.
Variables support in the "ssl_certificate" and "ssl_certificate_key"
directives first appeared in nginx 1.15.9.

--
Sergey Kandaurov

From nginx-forum at forum.nginx.org  Wed Oct 20 16:43:54 2021
From: nginx-forum at forum.nginx.org (dimitre)
Date: Wed, 20 Oct 2021 12:43:54 -0400
Subject: Using $host variable in ssl_certificate path
In-Reply-To: <52B404B8-B25E-47AB-A818-A490594AA319@nginx.com>
References: <52B404B8-B25E-47AB-A818-A490594AA319@nginx.com>
Message-ID: <325d710bf833e894659eef5bad61458f.NginxMailingListEnglish@forum.nginx.org>

Upgrading to mainline now. Unfortunately dnf still has the latest stable
as 1.14.

Thank you!
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292653,292655#msg-292655

From nginx-forum at forum.nginx.org  Wed Oct 20 17:27:50 2021
From: nginx-forum at forum.nginx.org (dimitre)
Date: Wed, 20 Oct 2021 13:27:50 -0400
Subject: Using $host variable in ssl_certificate path
In-Reply-To: <52B404B8-B25E-47AB-A818-A490594AA319@nginx.com>
References: <52B404B8-B25E-47AB-A818-A490594AA319@nginx.com>

I'm now using Nginx 1.21. I've noticed Nginx actually runs with a variable
in the ssl certificate path, but the certificate itself doesn't run.

ssl_certificate /etc/letsencrypt/live/$host/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/$host/privkey.pem; # managed by Certbot

I double checked the $host variable using a special header and curl, to
know if the $host variable is the exact value of my folder there, and it
is correct.

add_header X-Host $host;

Now checking Nginx error.log, it indicates maybe it is because of file
permissions:

2021/10/20 17:16:07 [error] 2408#2408: *412 cannot load certificate "/etc/letsencrypt/live/XXXXX/fullchain.pem": BIO_new_file() failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/letsencrypt/live/XXXX/fullchain.pem','r') error:2006D002:BIO routines:BIO_new_file:system lib) while SSL handshaking, client: 54.236.1.11, server: 0.0.0.0:443

But strangely enough it runs OK if I don't use the $host variable. I would
like to keep permissions so when Certbot updates I don't have any
surprises.

Thanks

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292653,292656#msg-292656

From gk at leniwiec.biz  Wed Oct 20 20:13:21 2021
From: gk at leniwiec.biz (Grzegorz Kulewski)
Date: Wed, 20 Oct 2021 22:13:21 +0200
Subject: Using $host variable in ssl_certificate path
References: <52B404B8-B25E-47AB-A818-A490594AA319@nginx.com>

On 20.10.2021 at 19:27, dimitre wrote:
> I'm now using Nginx 1.21.
> I've noticed Nginx actually runs with variable in ssl certificate path, but
> the certificate itself doesn't run.
> ssl_certificate /etc/letsencrypt/live/$host/fullchain.pem; # managed by
> Certbot
> ssl_certificate_key /etc/letsencrypt/live/$host/privkey.pem; # managed by
> Certbot
>
> I double checked the $host variable using a special header and curl, to know
> if $host variable is the exact value of my folder there, and it is correct.
>
> add_header X-Host $host;
>
>
> Now checking Nginx error.log it indicates maybe it is because file
> permissions
> 2021/10/20 17:16:07 [error] 2408#2408: *412 cannot load certificate
> "/etc/letsencrypt/live/XXXXX/fullchain.pem": BIO_new_file() failed (SSL:
> error:0200100D:system library:fopen:Permission
> denied:fopen('/etc/letsencrypt/live/XXXX/fullchain.pem','r')
> error:2006D002:BIO routines:BIO_new_file:system lib) while SSL handshaking,
> client: 54.236.1.11, server: 0.0.0.0:443
>
> But strangely enough it runs OK if I don't use the $host variable. I would
> like to keep permissions so when Certbot updates I don't have any
> surprises.

It's not strange at all. When using static file names nginx opens these
files at startup, before changing uid/gid from root to nginx. When using
dynamic file names that, obviously, can't happen - nginx has to open these
files at request time. So if you didn't configure Certbot to install certs
with correct owner/perms then it can't and won't work.

--
Grzegorz Kulewski

From nginx-forum at forum.nginx.org  Wed Oct 20 23:40:28 2021
From: nginx-forum at forum.nginx.org (dimitre)
Date: Wed, 20 Oct 2021 19:40:28 -0400
Subject: Using $host variable in ssl_certificate path

Thanks for the clarification Grzegorz, I'm going to research how to do it
right with Certbot.
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292653,292664#msg-292664

From ismail783 at gmail.com  Thu Oct 21 05:54:05 2021
From: ismail783 at gmail.com (Ahmad Ismail)
Date: Thu, 21 Oct 2021 11:54:05 +0600
Subject: Clarification on Nginx Unit ASGI

I asked "After Nginx Unit, Do we still need ASGI like Uvicorn, Hypercorn,
Daphne etc". There one comment confused me. The comment says:

> nginx unit is an ASGI compliant server; you're replacing
> uvicorn/hypercorn/daphne/etc. with nginx unit instead. It's a choice you
> make just like you'd make using either of those three or other alternatives.

I am not understanding what it means. Does it mean I have to install both
nginx and nginx unit, where nginx unit is the replacement for uvicorn /
hypercorn / daphne etc.? Or can nginx unit alone do what nginx + uvicorn /
hypercorn / daphne etc. does?

I asked the same question on the FastAPI github repo. There one part of the
answer is unclear to me.

> But, but, you will probably need https anyway, I personally prefer some
> proxy, I didn't even try Nginx Unit "way" of applying tls but there is one
> apparently. Nginx Ingress, traefik for k8s, nginx proxy manager for swarm,
> alone traefik docker image or full nginx, probably tens of other solutions.

What I understood is I need to do a few more things after installing nginx
unit. However, the above quote is not clear to me. Can anyone please
explain what he meant by it. And do I need to install other stuff after
installing nginx unit?

Thanks and Best Regards,
Ahmad Ismail

From osa at freebsd.org.ru  Thu Oct 21 13:35:31 2021
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Thu, 21 Oct 2021 16:35:31 +0300
Subject: Clarification on Nginx Unit ASGI

Hi Ahmad,

hope you're doing well these days.
On Thu, Oct 21, 2021 at 11:54:05AM +0600, Ahmad Ismail wrote:
> I asked After Nginx Unit, Do we still need ASGI like Uvicorn, Hypercorn,
> Daphne etc
>
> There one comment confused me. The comment says:
>
> > nginx unit is an ASGI compliant server; you're replacing
> > uvicorn/hypercorn/daphne/etc. with nginx unit instead. It's a choice you
> > make just like you'd make using either of those three or other alternatives.

Well, Uvicorn/Hypercorn/Daphne are Asynchronous Server Gateway Interface
(ASGI) servers, so it's possible to run an ASGI application with any of
them.

It's also true that NGINX Unit is an ASGI server, so it's also possible to
run the same ASGI application on top of NGINX Unit.

> I am not understanding what it means. Does it mean, I have to install both
> nginx and nginx unit where nginx unit is the replacement for uvicorn /
> hypercorn / daphne etc. Or, nginx unit alone can do what nginx + uvicorn /
> hypercorn / daphne etc. does.

The answer to the question of how to run an application in an environment
definitely depends on the application and its architecture. The list of
questions here starts from the following:

- does the application need caching?
- does the application need to work with FQDNs or IP addresses?
- does the application need session persistence?
- TLS termination on a frontend (NGINX) or backend (NGINX Unit)?
- load balancing

and so on.

> I asked the same question on FastAPI
> github repo.
> There one part of the answer is unclear to me.
>
> > But, but, you will probably need https anyway, I personally prefer some
> > proxy, I didn't even try Nginx Unit "way" of applying tls but there is one
> > apparently. Nginx Ingress, traefik for k8s, nginx proxy manager for swarm,
> > alone traefik docker image or full nginx, probably tens of other solutions.
>
> What I understood is I need to do few more things after installing nginx
> unit. However, the above quote is not clear to me. Can anyone please
> explain what he meant by it.
> And do I need to install other stuff after
> installing nginx unit?

It's easy to start to work with NGINX Unit, deploy an application and see
how it works. In case you need additional functionality, it's possible
to extend that with NGINX in front.

Hope it's clear.

--
Sergey Osokin

From ismail783 at gmail.com  Thu Oct 21 16:27:55 2021
From: ismail783 at gmail.com (Ahmad Ismail)
Date: Thu, 21 Oct 2021 22:27:55 +0600
Subject: Clarification on Nginx Unit ASGI

Dear Sergey Osokin,

Thank you very much for the kind response. That is enough to get me
started.

Thanks and Best Regards,
Ahmad Ismail

From nginx-forum at forum.nginx.org  Mon Oct 25 11:50:42 2021
From: nginx-forum at forum.nginx.org (petecooper)
Date: Mon, 25 Oct 2021 07:50:42 -0400
Subject: Compiling Nginx with `libdeflate` - possible?
Message-ID: <0f3bf7616ac39c8e32e3e3383e4f1834.NginxMailingListEnglish@forum.nginx.org>

I am attempting to compile Nginx 1.21.3 with libdeflate[1] with a view to
comparing performance against classic Zlib and the Cloudflare fork of
Zlib[2].

I can successfully compile Nginx with classic Zlib. I can also successfully
compile Nginx with Cloudflare Zlib. I cannot yet compile Nginx with
libdeflate.
I am falling down during Nginx `make` with this error:

--8<--
cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -m64 -march=native -mtune=native -DTCP_FASTOPEN=23 -g -O3 -fstack-protector-strong -flto -ffat-lto-objects -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wimplicit-fallthrough=0 -Wno-deprecated-declarations -fcode-hoisting -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations -DNDK_SET_VAR -DNDK_UPSTREAM_LIST -D_GLIBCXX_USE_CXX11_ABI=0 -I src/core -I src/event -I src/event/modules -I src/os/unix -I ../../brotli-source//deps/brotli/c/include -I ../../devel-kit-source/ngx_devel_kit-0.3.1/objs -I objs/addon/ndk -I ../../devel-kit-source/ngx_devel_kit-0.3.1/src -I ../../devel-kit-source/ngx_devel_kit-0.3.1/objs -I objs/addon/ndk -I ../../pagespeed-source/incubator-pagespeed-ngx-1.13.35.2-stable/psol/include -I ../../pagespeed-source/incubator-pagespeed-ngx-1.13.35.2-stable/psol/include/third_party/chromium/src -I ../../pagespeed-source/incubator-pagespeed-ngx-1.13.35.2-stable/psol/include/third_party/google-sparsehash/src/src -I ../../pagespeed-source/incubator-pagespeed-ngx-1.13.35.2-stable/psol/include/third_party/google-sparsehash/gen/arch/linux/x64/include -I ../../pagespeed-source/incubator-pagespeed-ngx-1.13.35.2-stable/psol/include/third_party/grpc/src/include -I ../../pagespeed-source/incubator-pagespeed-ngx-1.13.35.2-stable/psol/include/third_party/protobuf/src/src -I ../../pagespeed-source/incubator-pagespeed-ngx-1.13.35.2-stable/psol/include/third_party/re2/src -I ../../pagespeed-source/incubator-pagespeed-ngx-1.13.35.2-stable/psol/include/out/Release/obj/gen -I ../../pagespeed-source/incubator-pagespeed-ngx-1.13.35.2-stable/psol/include/out/Release/obj/gen/protoc_out/instaweb -I ../../pagespeed-source/incubator-pagespeed-ngx-1.13.35.2-stable/psol/include/third_party/apr/src/include -I ../../pagespeed-source/incubator-pagespeed-ngx-1.13.35.2-stable/psol/include/third_party/aprutil/src/include -I ../../pagespeed-source/incubator-pagespeed-ngx-1.13.35.2-stable/psol/include/third_party/apr/gen/arch/linux/x64/include -I ../../pagespeed-source/incubator-pagespeed-ngx-1.13.35.2-stable/psol/include/third_party/aprutil/gen/arch/linux/x64/include -I ../../pagespeed-source/incubator-pagespeed-ngx-1.13.35.2-stable/psol/include/url -I ../../openssl-source/openssl-openssl-3.0.0/.openssl/include -I ../../libdeflate-source/libdeflate-1.8 -I /usr/include/libxml2 -I objs \
	-o objs/ngx_modules.o \
	objs/ngx_modules.c
cd ../../libdeflate-source/libdeflate-1.8 \
	&& make distclean \
	&& CFLAGS="-O2 -fomit-frame-pointer -pipe " CC="cc" \
	./configure \
	&& make libz.a
make[2]: Entering directory '/home/pete/libdeflate-source/libdeflate-1.8'
make[2]: *** No rule to make target 'distclean'.  Stop.
make[2]: Leaving directory '/home/pete/libdeflate-source/libdeflate-1.8'
make[1]: *** [objs/Makefile:3107: ../../libdeflate-source/libdeflate-1.8/libz.a] Error 2
make[1]: Leaving directory '/home/pete/nginx-source/nginx-1.21.3'
make: *** [Makefile:10: build] Error 2
--8<--

I confirm the directory `/home/pete/libdeflate-source/libdeflate-1.8` has
the Makefile and is readable by Nginx make.

Compiling libdeflate in isolation outside of Nginx with `make distclean`
throws the same error:

--8<--
No rule to make target 'distclean'
--8<--

There is no reference to distclean in the libdeflate Makefile[3], so I am
at a dead end.

Question #0: Am I attempting the impossible here?
Question #1: Is there a way to persuade libdeflate in its current state to
compile with Nginx?
Question #2: Is there something I should be raising on the libdeflate
project side to achieve a compilation with Nginx?

Thank you for reading, I am grateful for any advice and feedback.
[1] https://github.com/ebiggers/libdeflate
[2] https://github.com/cloudflare/zlib
[3] https://github.com/ebiggers/libdeflate/blob/master/Makefile

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292682,292682#msg-292682

From mdounin at mdounin.ru  Mon Oct 25 16:50:52 2021
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Mon, 25 Oct 2021 19:50:52 +0300
Subject: Compiling Nginx with `libdeflate` - possible?
In-Reply-To: <0f3bf7616ac39c8e32e3e3383e4f1834.NginxMailingListEnglish@forum.nginx.org>
References: <0f3bf7616ac39c8e32e3e3383e4f1834.NginxMailingListEnglish@forum.nginx.org>

Hello!

On Mon, Oct 25, 2021 at 07:50:42AM -0400, petecooper wrote:

> I am attempting to compile Nginx 1.21.3 with libdeflate[1] with a view to
> comparing performance against classic Zlib and the Cloudflare fork of
> Zlib[2].
>
> I can successfully compile Nginx with classic Zlib. I can also successfully
> compile Nginx with Cloudflare Zlib. I cannot yet compile Nginx with
> libdeflate.
>
> I am falling down during Nginx `make` with this error:

[...]

> cd ../../libdeflate-source/libdeflate-1.8 \
> && make distclean \
> && CFLAGS="-O2 -fomit-frame-pointer -pipe " CC="cc" \
> ./configure \
> && make libz.a
> make[2]: Entering directory '/home/pete/libdeflate-source/libdeflate-1.8'
> make[2]: *** No rule to make target 'distclean'. Stop.
> make[2]: Leaving directory '/home/pete/libdeflate-source/libdeflate-1.8'
> make[1]: *** [objs/Makefile:3107:
> ../../libdeflate-source/libdeflate-1.8/libz.a] Error 2
> make[1]: Leaving directory '/home/pete/nginx-source/nginx-1.21.3'
> make: *** [Makefile:10: build] Error 2
> --8<--
>
> I confirm the directory `/home/pete/libdeflate-source/libdeflate-1.8` has
> the Makefile and is readable by Nginx make.
>
> Compiling libdeflate in isolation outside of Nginx with `make distclean`
> throws the same error:

[...]

> Question #0: Am I attempting the impossible here?
> Question #1: Is there a way to persuade libdeflate in its current state to
> compile with Nginx?
> Question #2: Is there something I should be raising on the libdeflate
> project side to achieve a compilation with Nginx?
>
> Thank you for reading, I am grateful for any advice and feedback.

It looks like you are trying to use the "--with-zlib=..." configure option
to compile nginx with libdeflate. It is, however, designed to compile
zlib, and relies on the zlib compilation procedure. It might not work
(and, actually, is not expected to work) with other libraries even if these
libraries provide a zlib-compatible interface. Similarly, you cannot
compile nginx with BoringSSL with "--with-openssl=...", because BoringSSL
uses a build system quite different from OpenSSL's one.

Consider instead compiling libdeflate yourself, and building nginx with
appropriate --with-cc-opt="-I/path/to/include" and
--with-ld-opt="-I/path/to/lib" to provide paths to the libdeflate includes
and library files. This might work as long as libdeflate provides
zlib-compatible interfaces.

Note though that libdeflate does not seem to provide a zlib-compatible
interface, its README.md says "libdeflate has a simple API that is not
zlib-compatible". That is, using libdeflate instead of zlib is not going
to work without rewriting the code to use the libdeflate API.

Further, README.md says that "There is currently no support for streaming".
This means it is not usable in nginx (well, certainly one can write a
module which uses it, but this will be something very different from the
nginx gzip filter module).

--
Maxim Dounin
http://mdounin.ru/

From hobson42 at gmail.com  Mon Oct 25 18:09:42 2021
From: hobson42 at gmail.com (Ian Hobson)
Date: Mon, 25 Oct 2021 19:09:42 +0100
Subject: modules and compiling nginx 1.21.3 from source

Hi all,

When nginx is installed from the ubuntu 20.4 repos, it sets up assorted
modules in nginx/modules-enabled

When I load it, it loads just fine.
However I need a few extra modules, which I compiled in using ubuntu 18.04.

So, I copied the Sources directory over and updated the modules that have
been updated, and compiled on the new machine. make and make install are
without errors.

This is the configuration:

./configure --prefix=/etc/nginx \
  --sbin-path=/usr/sbin/nginx \
  --conf-path=/etc/nginx/nginx.conf \
  --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log \
  --pid-path=/var/run/nginx.pid \
  --lock-path=/var/run/nginx.lock \
  --http-client-body-temp-path=/var/cache/nginx/client_temp \
  --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
  --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
  --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
  --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
  --user=www-data \
  --group=www-data \
  --with-http_ssl_module \
  --with-openssl=../openssl-1.1.1i \
  --with-http_realip_module \
  --with-http_addition_module \
  --with-http_sub_module \
  --with-http_dav_module \
  --with-http_flv_module \
  --with-http_mp4_module \
  --with-http_gunzip_module \
  --with-http_gzip_static_module \
  --with-http_random_index_module \
  --with-http_secure_link_module \
  --with-http_stub_status_module \
  --with-http_auth_request_module \
  --with-threads \
  --with-stream \
  --with-stream_ssl_module \
  --with-http_slice_module \
  --with-mail \
  --with-mail_ssl_module \
  --with-file-aio \
  --with-http_v2_module \
  --with-pcre=../pcre-8.44 \
  --with-zlib=../zlib-1.2.11 \
  --add-module=../nchan-1.2.12

Now it will not load, because it tries to load the first module in
modules-enabled (brotli) and fails - file missing.

I have worked round it, by moving all the links from modules-enabled to
modules-available. However my Google-foo has failed me trying to find out
anything about those new modules.

Can someone point me to the docs, or explain how (and when) to use them.

Regards

Ian

--
Ian Hobson
Tel (+351) 910 418 473

From tony_tabone at hotmail.com  Thu Oct 28 08:22:53 2021
From: tony_tabone at hotmail.com (tony tabone)
Date: Thu, 28 Oct 2021 08:22:53 +0000
Subject: Mapping to change URL

I am trying to add a mapping to change the url being shown with every
location. Do you know if this is possible, since an error is being
encountered on the mapping.

map $geoip2_data_country_code $leovegas_com_index_file $request_uri $new {
    default /index-en.html default 0;
    MT /en-desktop.html ~^/tony/ maintenance.tony;
}

nginx: [emerg] invalid number of arguments in "map" directive in /etc/nginx/nginx.conf:91

Thanks & Regards,
Tony

From osa at freebsd.org.ru  Thu Oct 28 09:31:45 2021
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Thu, 28 Oct 2021 12:31:45 +0300
Subject: Mapping to change URL

Hi Tony,

hope you're doing well.

On Thu, Oct 28, 2021 at 08:22:53AM +0000, tony tabone wrote:
>
> I am trying to add a mapping to change the url being shown with every location. Do you know if this is possible since an error is being encountered on the mapping.
>
> map $geoip2_data_country_code $leovegas_com_index_file $request_uri $new {
>     default /index-en.html default 0;
>     MT /en-desktop.html ~^/tony/ maintenance.tony;
> }

According to the http_map module's documentation, the map directive creates
a new variable whose value depends on values of one or more of the source
variables specified in the first parameter:
http://nginx.org/en/docs/http/ngx_http_map_module.html#map

In other words, the map directive expects only two variables: a source and
a destination.

> nginx: [emerg] invalid number of arguments in "map" directive in /etc/nginx/nginx.conf:91

When nginx starts, it validates its configuration file and fails on
incorrect usage of a directive.
It seems like more than one map directive (probably two or three) needs to
be added to resolve the problem.

--
Sergey Osokin

From osa at freebsd.org.ru  Thu Oct 28 09:39:29 2021
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Thu, 28 Oct 2021 12:39:29 +0300
Subject: modules and compiling nginx 1.21.3 from source

Hi Ian,

hope you're doing well these days.

On Mon, Oct 25, 2021 at 07:09:42PM +0100, Ian Hobson wrote:
> Hi all,

[...]

Please take a look at the following line:

> --add-module=../nchan-1.2.12

The "--add-module" configure argument adds a module as static, i.e.
built-in, functionality in the main nginx binary. To compile a dynamic
module for NGINX, please use the "--add-dynamic-module" argument for the
configure script. Also, please do not forget to add the "--with-compat"
argument for the configure script; see the link below for details.

[...]

> Can someone point me to the docs, or explain how (and when) to use.

Here's the document that describes how to compile a third-party dynamic
module for NGINX and NGINX Plus,
https://www.nginx.com/blog/compiling-dynamic-modules-nginx-plus/

--
Sergey Osokin
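Returning to the "Mapping to change URL" thread above: the configuration below is an added illustration, not Tony's or Sergey's config, showing the single four-argument map rewritten as the two maps nginx accepts (one source variable, one result variable each) and a hypothetical way of consuming the two results; server_name and root are placeholders.

```nginx
# Added example, not from the original thread. Both map blocks must live in
# the http {} context; the lookup values are the ones from Tony's question.

# First map: per-country index file, keyed on the GeoIP2 module variable.
map $geoip2_data_country_code $leovegas_com_index_file {
    default /index-en.html;
    MT      /en-desktop.html;
}

# Second map: a URI-prefix flag, keyed on $request_uri. "~" makes the key
# a regular expression; everything else falls through to "default".
map $request_uri $new {
    default   0;
    ~^/tony/  maintenance.tony;
}

server {
    listen 80;
    server_name example.com;   # placeholder
    root /var/www/html;        # placeholder

    # Hypothetical use of the first result: serve the per-country index
    # for the site root instead of a fixed index.html.
    location = / {
        try_files $leovegas_com_index_file =404;
    }

    # Hypothetical use of the second result: URIs the map flagged for
    # maintenance get a 503; "return" inside "if" is one of the safe uses.
    location /tony/ {
        if ($new = "maintenance.tony") {
            return 503;
        }
        try_files $uri $uri/ =404;
    }
}
```

Run nginx -t after the change; the "invalid number of arguments" error from the thread disappears once each map has exactly two variables before its opening brace.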