From nginx745 at gmail.com  Wed Sep  1 20:16:59 2021
From: nginx745 at gmail.com (temp pmet)
Date: Wed, 1 Sep 2021 16:16:59 -0400
Subject: Reverse Proxy - Backend via Forward Proxy

Good day everyone,

I am new to NGINX and looking for some help with a reverse proxy setup. The reverse proxy itself is straightforward and working for myself; however, we now have requirements to forward the backend connection to the destination via a forward proxy. Is this possible?

The flow looks like this:

    Client -> NGINX reverse proxy server -> backend server via forward proxy

Any assistance would be sincerely appreciated!

Thank you.

From francis at daoine.org  Wed Sep  1 22:18:00 2021
From: francis at daoine.org (Francis Daly)
Date: Wed, 1 Sep 2021 23:18:00 +0100
Subject: Reverse Proxy - Backend via Forward Proxy
Message-ID: <20210901221800.GC18734@daoine.org>

On Wed, Sep 01, 2021 at 04:16:59PM -0400, temp pmet wrote:

Hi there,

> we now have requirements to forward the backend connection to the
> destination via a forward proxy. Is this possible? The flow looks like
> this:
>
> Client to -> NGINX reverse proxy server to -> backend server via forward
> proxy

When (stock) nginx is a client talking to a backend server, it can talk http; it can't be configured to talk proxied-http.

So if you need a proxy server that only listens to proxied-http, you probably want something other than nginx as the client.

However... if your proxy server can be configured as "transparent" -- which basically means that it will listen to http and interpret what it probably would have been if it had been proxied-http -- then you should be able to tell nginx that the proxy server *is* the backend server, and maybe it will work well enough in your use case.

If that is worth testing, you can use an "upstream" block with the name of the backend server, containing a "server" directive with the ip:port of the proxy. (Or have the system resolver resolve the backend name to the proxy ip, if special ports are not needed.)

(If your backend is https not http, then things are different again.)

Good luck with it!

	f
--
Francis Daly        francis at daoine.org

From nginx-forum at forum.nginx.org  Thu Sep  2 08:53:30 2021
From: nginx-forum at forum.nginx.org (psychesnet)
Date: Thu, 02 Sep 2021 04:53:30 -0400
Subject: Run script before cgi

Hi all,

We are working on an OpenWrt 17.07.8 project with our own developing device. Since the device only has 128MB RAM, it is not enough to do sysupgrade from the WebUI. So, we would like to stop some services before uploading firmware.bin.

The url is /cgi-bin/cgi-upload and it has the following rule definitions (we use nginx+uwsgi).

    location ~ /cgi-bin/cgi-(backup|download|upload|exec) {
        include uwsgi_params;
        uwsgi_param SERVER_ADDR $server_addr;
        uwsgi_modifier1 9;
        uwsgi_pass unix:////var/run/luci-cgi_io.socket;
    }

We would like to know if it is possible to
1. stop services before passing the upload data to luci-cgi_io.socket?
2. filter the url (cgi-upload) and stop services?

Please share anything if you know something. Thanks.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292338,292338#msg-292338

From jfs.world at gmail.com  Thu Sep  2 10:25:05 2021
From: jfs.world at gmail.com (Jeffrey 'jf' Lim)
Date: Thu, 2 Sep 2021 18:25:05 +0800
Subject: what will get logged when send_timeout is exceeded?

Does anybody know what will get logged (I assume in error_log) for the case when send_timeout is exceeded?

-jf

--
He who settles on the idea of the intelligent man as a static entity only shows himself to be a fool.
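Francis Daly's distinction above between the plain HTTP that nginx's proxy_pass emits and the "proxied HTTP" a forward proxy expects, and what a "transparent" proxy does with it, as an added example that is not code from the thread or from nginx. The host names, the request bytes and the destination allow-list are constructed for the demo; the allow-list is an assumption added here so the emulated transparent proxy does not relay to whatever a client names in Host.

```python
"""Added example (not from the thread): why a plain forward proxy cannot
use what nginx sends to an upstream, and how a transparent proxy bridges
the gap by rebuilding the destination from the Host header.
All request bytes below are constructed for the demo.
"""
from urllib.parse import urlsplit

CRLF = "\r\n"


def parse_request_head(raw: bytes):
    """Return (method, target, headers) from an HTTP/1.1 request head."""
    head = raw.decode("ascii").split(CRLF + CRLF, 1)[0]
    request_line, *header_lines = head.split(CRLF)
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def request_form(target: str) -> str:
    """Classify the request-target: origin-form ("/path", what nginx sends
    to an upstream) vs absolute-form ("http://host/path", what a forward
    proxy needs in order to know where to connect)."""
    if target.startswith("/"):
        return "origin-form"
    if urlsplit(target).scheme in ("http", "https"):
        return "absolute-form"
    return "other"


def origin_form_request(method: str, path: str, host: str) -> bytes:
    """Shape of the request nginx's proxy_pass emits: origin-form + Host."""
    return f"{method} {path} HTTP/1.1{CRLF}Host: {host}{CRLF}{CRLF}".encode("ascii")


def transparent_target(raw: bytes, allowed_hosts, scheme: str = "http") -> str:
    """Emulate a transparent proxy: accept an origin-form request and rebuild
    the absolute URL from Host.  allowed_hosts is an assumed allow-list of
    destinations so the proxy is not an open relay for any Host value."""
    _method, target, headers = parse_request_head(raw)
    form = request_form(target)
    if form == "absolute-form":
        url = target  # already proxied-http; nothing to reconstruct
    elif form == "origin-form":
        host = headers.get("host")
        if not host:
            raise ValueError("origin-form request without Host header")
        url = f"{scheme}://{host}{target}"
    else:
        raise ValueError(f"unsupported request-target: {target!r}")
    dest = urlsplit(url).hostname
    if dest not in allowed_hosts:
        raise PermissionError(f"destination {dest!r} not in allow-list")
    return url


if __name__ == "__main__":
    allow = {"backend.example.internal"}  # constructed allow-list
    req = origin_form_request("GET", "/api/v1/items?id=7", "backend.example.internal:8080")
    print(request_form(parse_request_head(req)[1]))
    print(transparent_target(req, allow))
```

The `upstream` trick Francis describes works precisely because the proxy in transparent mode runs the `transparent_target` step itself; a conventional forward proxy would see the origin-form request line and have no destination to connect to.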
From pluknet at nginx.com  Thu Sep  2 12:14:36 2021
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Thu, 2 Sep 2021 15:14:36 +0300
Subject: what will get logged when send_timeout is exceeded?
Message-ID: <81C2B4FE-12E5-44D3-BBE4-4C3ACAB56045@nginx.com>

> On 2 Sep 2021, at 13:25, Jeffrey 'jf' Lim wrote:
>
> Does anybody know what will get logged (I assume in error_log) for the
> case when send_timeout is exceeded?
>

Something like this at the info level (logging action may differ):

    "client timed out (60: Operation timed out) while sending response to client"

--
Sergey Kandaurov

From community at thoughtmaybe.com  Mon Sep  6 04:58:37 2021
From: community at thoughtmaybe.com (Jore)
Date: Mon, 6 Sep 2021 14:58:37 +1000
Subject: A pretty URL for a specific PHP page?
Message-ID: <784d050c-d9d4-c818-be0b-40c264d7a6cf@thoughtmaybe.com>

Hi there,

Is it possible to make a pretty URL for a specific PHP page?

I'd like https://domain.com/report/ to render https://domain.com/index.php?r=app%2Fform&id=2lyEsw

So I tried this location block, but I get 403 forbidden:

    location /report {
        index index.php?r=app%2Fform&id=2lyEsw;
        alias /var/www/easyforms;
    }

Here's my whole config:

server {
    listen       443 ssl http2;
    server_name  report.DOMAIN.COM;
    root /var/www/easyforms;
    gzip on;

    ssl_certificate /var/lib/acmesh/report.DOMAIN.COM/fullchain.cer;
    ssl_certificate_key /var/lib/acmesh/report.DOMAIN.COM/report.DOMAIN.COM.key;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES12$
    ssl_session_cache shared:SSL:5m;
    ssl_session_timeout 10m;

    location /report {
        index index.php?r=app%2Fform&id=2lyEsw;
        alias /var/www/easyforms;
    }

    location / {
        index index.php index.html;
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi.conf;
        fastcgi_intercept_errors on;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_read_timeout 300s;
    }
}

What am I doing wrong?

Thanks!
Jore

From nginx-forum at forum.nginx.org  Mon Sep  6 18:20:56 2021
From: nginx-forum at forum.nginx.org (blason)
Date: Mon, 06 Sep 2021 14:20:56 -0400
Subject: Citrix server deployment behind nginx reverse proxy?
Message-ID: <4b9913228111c4c35fe9cf0c0ec8d7b8.NginxMailingListEnglish@forum.nginx.org>

Hi Team,

Wondering if anyone has deployed Citrix server behind an nginx reverse proxy server? Or if anyone has had success implementing the Check Point Mobile Access VPN portal behind an nginx reverse proxy?

I am still wondering if such encryption technology can work with an Nginx reverse proxy?

TIA
Blason R

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292360,292360#msg-292360

From mdounin at mdounin.ru  Tue Sep  7 15:31:58 2021
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 7 Sep 2021 18:31:58 +0300
Subject: nginx-1.21.3

Changes with nginx 1.21.3                                        07 Sep 2021

    *) Change: optimization of client request body reading when using
       HTTP/2.

    *) Bugfix: in request body filters internal API when using HTTP/2 and
       buffering of the data being processed.
--
Maxim Dounin
http://nginx.org/

From nginx-forum at forum.nginx.org  Thu Sep  9 06:57:27 2021
From: nginx-forum at forum.nginx.org (NCviQwilt)
Date: Thu, 09 Sep 2021 02:57:27 -0400
Subject: Resurrecting the Async Open Discussion
In-Reply-To: <20210803091459.62vhkwkms6qglvtp@Romans-MacBook-Pro.local>
References: <20210803091459.62vhkwkms6qglvtp@Romans-MacBook-Pro.local>
Message-ID: <36bb753390bee33782c8166c7a09c81c.NginxMailingListEnglish@forum.nginx.org>

Hi,

I've replied to the mailing list, though it opened a new reply thread to the original, instead of a direct reply to the latest patch thread there.

See https://forum.nginx.org/read.php?29,280794,292341#msg-292341 for our initial impressions.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292104,292370#msg-292370

From maxim at nginx.com  Fri Sep 10 09:42:46 2021
From: maxim at nginx.com (Maxim Konovalov)
Date: Fri, 10 Sep 2021 12:42:46 +0300
Subject: nginx brand survey, we are looking for your feedback

Hi everyone,

This is just a reminder that our marketing team is looking for your participation in the nginx community survey:

https://survey.f5.com/v1/sites/nginx/SurveyResponse?at=1I0025DXE6KKG8JCV1KHEZ8U6WNP8QI5ONSB

We'll be grateful for your participation.

Thanks,

Maxim

On 24.08.2021 14:43, Maxim Konovalov wrote:
> Hi,
>
> On behalf of our marketing team I'd like to invite you, NGINX community
> members, users and developers, to participate in the NGINX Annual
> Community Survey.
>
> There are 20 questions there. It will take around 10 minutes of your
> valuable time to fill it:
>
> The NGINX Annual Community Survey is open, and we would like to hear
> from you. Over the past seven years, you've helped us improve our
> solutions and evolve our product roadmap.
>
> Please continue to share your experiences and ideas with us - we value
> your feedback.
>
> The anonymous survey is here:
>
> https://survey.f5.com/v1/sites/nginx/SurveyResponse?at=1I0025DXE6KKG8JCV1KHEZ8U6WNP8QI5ONSB
>
> Upon completion, you will receive an exclusive 90% discount code for the
> NGINX swag store.
>
> Thank you for helping shape the future of NGINX.
>
> Regards,
> NGINX team
>

--
Maxim Konovalov

From francis at daoine.org  Fri Sep 10 21:31:30 2021
From: francis at daoine.org (Francis Daly)
Date: Fri, 10 Sep 2021 22:31:30 +0100
Subject: A pretty URL for a specific PHP page?
In-Reply-To: <784d050c-d9d4-c818-be0b-40c264d7a6cf@thoughtmaybe.com>
References: <784d050c-d9d4-c818-be0b-40c264d7a6cf@thoughtmaybe.com>
Message-ID: <20210910213130.GG18734@daoine.org>

On Mon, Sep 06, 2021 at 02:58:37PM +1000, Jore wrote:

Hi there,

> Is it possible to make a pretty URL for a specific PHP page?

Some php scripts make it straightforward, by handling that themselves. I guess that yours is not one of those?

> I'd like https://domain.com/report/ to render
> https://domain.com/index.php?r=app%2Fform&id=2lyEsw

The simple thing -- that you possibly do not want to do here? -- would be to redirect to the desired url; in that case, the browser would make the "pretty" request, get the redirect response, make the "real" request, and get the full response. That would be something like

    location = /report/ { return 301 /index.php?r=app%2Fform&id=2lyEsw; }

> So I tried this location block, but I get 403 forbidden:
>
>     location /report {
>         index index.php?r=app%2Fform&id=2lyEsw;
>         alias /var/www/easyforms;
>     }

"index" expects a filename argument; when that fails, it will probably try a directory index of /var/www/easyforms, which presumably leads to the 403 here.

What you can try, is to call fastcgi_pass with appropriate parameters, directly.

The exact parameters wanted by your fastcgi server and by your php script, depend on what they expect. And if you send the same parameter name more than once, whether the fastcgi server will provide the first, the last, or all amalgamated, to the php script, depends on the fastcgi server.

But often "SCRIPT_FILENAME" and "QUERY_STRING" are enough to start with; if you need other things from your fastcgi.conf or fastcgi_params files, you can "include" those too, in a place where the manually-provided variables are not overridden.

So the following might have a chance of working as you want; and if it does not, then the fastcgi error log or the nginx (debug) error log might help point at other changes that might be needed.

    location = /report/ {
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root/index.php;
        fastcgi_param QUERY_STRING r=app%2Fform&id=2lyEsw;
    }

One extra note: if the returned content includes relative links -- something like "img src=new.png" -- then the browser will make a different follow-up request for it if the browser asked for "/report/", and if the browser asked for "/index.php?anything". If your output shows some broken-image links or the like, that might be a thing to check for. But that only matters after the rest of the config is working.

Good luck with it!

	f
--
Francis Daly        francis at daoine.org

From community at thoughtmaybe.com  Sat Sep 11 11:51:01 2021
From: community at thoughtmaybe.com (Jore)
Date: Sat, 11 Sep 2021 21:51:01 +1000
Subject: A pretty URL for a specific PHP page?
In-Reply-To: <20210910213130.GG18734@daoine.org>
References: <784d050c-d9d4-c818-be0b-40c264d7a6cf@thoughtmaybe.com> <20210910213130.GG18734@daoine.org>

Hi Francis,

Thank you for that suggestion! The latter example has got me on track.

Cheers,
Jore

On 11/9/21 7:31 am, Francis Daly wrote:
> On Mon, Sep 06, 2021 at 02:58:37PM +1000, Jore wrote:
>
> Hi there,
>
>> Is it possible to make a pretty URL for a specific PHP page?
> Some php scripts make it straightforward, by handling that themselves.
> I guess that yours is not one of those?
>
>> I'd like https://domain.com/report/ to render
>> https://domain.com/index.php?r=app%2Fform&id=2lyEsw
> The simple thing -- that you possibly do not want to do here? -- would be
> to redirect to the desired url; in that case, the browser would make the
> "pretty" request, get the redirect response, make the "real" request,
> and get the full response. That would be something like
>
> location = /report/ { return 301 /index.php?r=app%2Fform&id=2lyEsw; }
>
>> So I tried this location block, but I get 403 forbidden:
>>
>>     location /report {
>>         index index.php?r=app%2Fform&id=2lyEsw;
>>         alias /var/www/easyforms;
>>     }
> "index" expects a filename argument; when that fails, it will probably
> try a directory index of /var/www/easyforms, which presumably leads to
> the 403 here.
>
> What you can try, is to call fastcgi_pass with appropriate parameters,
> directly.
>
> The exact parameters wanted by your fastcgi server and by your php script,
> depend on what they expect. And if you send the same parameter name more
> than once, whether the fastcgi server will provide the first, the last,
> or all amalgamated, to the php script, depends on the fastcgi server.
>
> But often "SCRIPT_FILENAME" and "QUERY_STRING" are enough to start with;
> if you need other things from your fastcgi.conf or fastcgi_params files,
> you can "include" those too, in a place where the manually-provided
> variables are not overridden.
>
> So the following might have a chance of working as you want; and if
> it does not, then the fastcgi error log or the nginx (debug) error log
> might help point at other changes that might be needed.
>
>     location = /report/ {
>         fastcgi_pass unix:/run/php/php-fpm.sock;
>         fastcgi_param SCRIPT_FILENAME $document_root/index.php;
>         fastcgi_param QUERY_STRING r=app%2Fform&id=2lyEsw;
>     }
>
> One extra note: if the returned content includes relative links --
> something like "img src=new.png" -- then the browser will make a different
> follow-up request for it if the browser asked for "/report/", and if
> the browser asked for "/index.php?anything". If your output shows some
> broken-image links or the like, that might be a thing to check for. But
> that only matters after the rest of the config is working.
>
> Good luck with it!
>
> 	f

From nginx-forum at forum.nginx.org  Sun Sep 12 06:39:21 2021
From: nginx-forum at forum.nginx.org (malzad)
Date: Sun, 12 Sep 2021 02:39:21 -0400
Subject: How to use C++ code in nginx

Hi there,

I am trying to implement a load balancing module and need to use some C++ code in it. I tried to run a demo as follows:

I have a cpp_library.h, a cpp_library.cpp and my_load_balancer_module.c.

cpp_library.h

    #ifndef C_BASE_CPP_LIBRARY_H
    #define C_BASE_CPP_LIBRARY_H

    #ifdef __cplusplus
    extern "C" {
    #endif

    int cpp_hello_world();

    #ifdef __cplusplus
    }
    #endif

    #endif //C_BASE_CPP_LIBRARY_H

cpp_library.cpp

    #include
    #include "cpp_library.h"

    int cpp_hello_world() {
        return 0;
    }

my_load_balancer_module.c

    #include
    #include
    #include
    #include "cpp_library.h"

    ........................................
    ........................................
    ........................................
    ........................................

And I enabled --with-ld-opt="-lstdc++". It compiled without any errors.
But when I loaded my_load_balancer_module in the nginx.conf and tried to start nginx, I am getting the following error:

    nginx: [emerg] dlopen() "/usr/local/Cellar/nginx/1.21.0/modules/my_load_balancer_module.so" failed (dlopen(/usr/local/Cellar/nginx/1.21.0/modules/my_load_balancer_module.so, 10): Symbol not found: _cpp_hello_world
      Referenced from: /usr/local/Cellar/nginx/1.21.0/modules/my_load_balancer_module.so
      Expected in: flat namespace
     in /usr/local/Cellar/nginx/1.21.0/modules/my_load_balancer_module.so) in /usr/local/etc/nginx/nginx.conf:4

I think I am messing up something since I have very limited knowledge of C/C++. Can you please help me figure out how to do it correctly?

Thanks in advance.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292378,292378#msg-292378

From nevis2us at gmail.com  Sun Sep 12 07:59:29 2021
From: nevis2us at gmail.com (Александр Кириллов)
Date: Sun, 12 Sep 2021 10:59:29 +0300
Subject: A pretty URL for a specific PHP page?
In-Reply-To: <784d050c-d9d4-c818-be0b-40c264d7a6cf@thoughtmaybe.com>
References: <784d050c-d9d4-c818-be0b-40c264d7a6cf@thoughtmaybe.com>

Try

    rewrite ^/report/$ /index.php?r=app%2Fform&id=2lyEsw last;

On Mon, 6 Sep 2021 at 07:59, Jore wrote:

> Hi there,
>
> Is it possible to make a pretty URL for a specific PHP page?
>
> I'd like https://domain.com/report/ to render
> https://domain.com/index.php?r=app%2Fform&id=2lyEsw
>
> So I tried this location block, but I get 403 forbidden:
>
>     location /report {
>         index index.php?r=app%2Fform&id=2lyEsw;
>         alias /var/www/easyforms;
>     }
>
> Here's my whole config:
>
> server {
>     listen       443 ssl http2;
>     server_name  report.DOMAIN.COM;
>     root /var/www/easyforms;
>     gzip on;
>
>     ssl_certificate /var/lib/acmesh/report.DOMAIN.COM/fullchain.cer;
>     ssl_certificate_key /var/lib/acmesh/report.DOMAIN.COM/report.DOMAIN.COM.key;
>     ssl_protocols TLSv1.2;
>     ssl_prefer_server_ciphers on;
>     ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES12$
>     ssl_session_cache shared:SSL:5m;
>     ssl_session_timeout 10m;
>
>     location /report {
>         index index.php?r=app%2Fform&id=2lyEsw;
>         alias /var/www/easyforms;
>     }
>
>     location / {
>         index index.php index.html;
>         try_files $uri $uri/ /index.php?$args;
>     }
>
>     location ~ \.php$ {
>         include fastcgi.conf;
>         fastcgi_intercept_errors on;
>         include fastcgi_params;
>         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
>         fastcgi_pass unix:/run/php/php-fpm.sock;
>         fastcgi_index index.php;
>         fastcgi_read_timeout 300s;
>     }
> }
>
> What am I doing wrong?
>
> Thanks!
> Jore
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
From tim.siebels at iserv.eu  Mon Sep 13 09:32:19 2021
From: tim.siebels at iserv.eu (Tim Siebels)
Date: Mon, 13 Sep 2021 11:32:19 +0200
Subject: No request body when using fastcgi and chunked transfer-encoding
Message-ID: <229476b5-b961-00a3-dcc3-64a1a4a9b018@iserv.eu>

Hi everyone,

We are experiencing an issue when using `fastcgi_request_buffering off;` in combination with chunked transfer-encoding. The application will not receive any body. Depending on the system, we *sometimes* receive a body. Enabling `fastcgi_request_buffering` fixes the issue. However, we would like not to enable this for every request.

We are using Debian Bullseye [0]. Additionally, I was able to reproduce this issue using a self-compiled 1.21.3 [1].

We are using a very simple configuration [2], only disabling `fastcgi_request_buffering`. The application is using PHP over fastcgi [3].

Furthermore, we log `$request_body` in a custom log file. Whenever this logfile contains the expected request body, the application receives the expected body. As far as I understand, this cannot work without buffering. I assume this to be an in-memory buffer. This goes in line with the body not being passed when we increase the size. The implementation of `ngx_http_read_client_request_body` does have an optimization if the entire body fits into header_in.

`sleep`ing between chunks also removes the possibility that the body is passed to the application.

We could not reproduce that the body is *sometimes* passed in a self-contained docker container or using a self-compiled version of nginx. These never work with fastcgi_request_buffering off. At least not if the body is large enough.

Apache had a bug that had a similar effect [4,5,6]. Our understanding from these bug reports is that the fastcgi protocol expects a defined content-length to be able to read the request body.

Our conclusion is that nginx is supposed to buffer all requests with a chunked transfer-encoding when using fastcgi, regardless of the fastcgi_request_buffering option. A comment on an older, unrelated bug report for nginx confirms this [7]. Therefore, we expect this to be a supported use case.

There are some bug reports out there experiencing similar issues [8,9].

We tried to set `client_body_in_file_only` to `on` to be able to see the buffer files. However, these are never created with buffering off.

error.log is empty.

Can anyone help us debug this further?

Thanks,
Tim

[0] nginx -V for the debian bullseye version

nginx version: nginx/1.18.0
built with OpenSSL 1.1.1k  25 Mar 2021
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-q9LD4J/nginx-1.18.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_flv_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_mp4_module --with-http_perl_module=dynamic --with-http_random_index_module --with-http_secure_link_module --with-http_sub_module --with-http_xslt_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_geoip_module=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --add-dynamic-module=/build/nginx-q9LD4J/nginx-1.18.0/debian/modules/http-headers-more-filter --add-dynamic-module=/build/nginx-q9LD4J/nginx-1.18.0/debian/modules/http-auth-pam --add-dynamic-module=/build/nginx-q9LD4J/nginx-1.18.0/debian/modules/http-cache-purge --add-dynamic-module=/build/nginx-q9LD4J/nginx-1.18.0/debian/modules/http-dav-ext --add-dynamic-module=/build/nginx-q9LD4J/nginx-1.18.0/debian/modules/http-ndk --add-dynamic-module=/build/nginx-q9LD4J/nginx-1.18.0/debian/modules/http-echo --add-dynamic-module=/build/nginx-q9LD4J/nginx-1.18.0/debian/modules/http-fancyindex --add-dynamic-module=/build/nginx-q9LD4J/nginx-1.18.0/debian/modules/http-geoip2 --add-dynamic-module=/build/nginx-q9LD4J/nginx-1.18.0/debian/modules/nchan --add-dynamic-module=/build/nginx-q9LD4J/nginx-1.18.0/debian/modules/http-lua --add-dynamic-module=/build/nginx-q9LD4J/nginx-1.18.0/debian/modules/rtmp --add-dynamic-module=/build/nginx-q9LD4J/nginx-1.18.0/debian/modules/http-uploadprogress --add-dynamic-module=/build/nginx-q9LD4J/nginx-1.18.0/debian/modules/http-upstream-fair --add-dynamic-module=/build/nginx-q9LD4J/nginx-1.18.0/debian/modules/http-subs-filter

[1] nginx -V for the self compiled version

ginx version: nginx/1.21.3
built by gcc 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
built with OpenSSL 1.1.1f  31 Mar 2020
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-q9LD4J/nginx-1.18.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_flv_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_mp4_module --with-http_perl_module=dynamic --with-http_random_index_module --with-http_secure_link_module --with-http_sub_module --with-http_xslt_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_geoip_module=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-debug

[2]

    user nginx;
    worker_processes auto;
    pid /run/nginx.pid;

    events {
        worker_connections 768;
    }

    http {
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        fastcgi_request_buffering off;

        include /etc/nginx/sites-enabled/*;
    }

[3]

    log_format postdata '"$request" $status $request_body ($request_length)';

    server {
        listen *:982;

        location /iserv/helloworld {
            root /usr/share/iserv/helloworld/public;

            access_log /var/log/nginx/postdata.log postdata;

            fastcgi_param QUERY_STRING $query_string;
            fastcgi_param REQUEST_METHOD $request_method;
            fastcgi_param CONTENT_TYPE $content_type;
            fastcgi_param CONTENT_LENGTH $content_length;

            fastcgi_param SCRIPT_NAME $fastcgi_script_name;
            fastcgi_param REQUEST_URI $request_uri;
            fastcgi_param DOCUMENT_URI $document_uri;
            fastcgi_param DOCUMENT_ROOT $document_root;

            fastcgi_param SCRIPT_FILENAME $document_root/index.php$fastcgi_script_name;

            fastcgi_pass unix:/run/php/php-fpm.iserv-helloworld.sock;
        }
    }

[4] https://bz.apache.org/bugzilla/show_bug.cgi?id=53332
[5] https://bz.apache.org/bugzilla/show_bug.cgi?id=57087
[6] https://bugs.php.net/bug.php?id=60826
[7] https://trac.nginx.org/nginx/ticket/1344
[8] https://trac.cyberduck.io/wiki/help/en/howto/mount/issues/fastcgi
[9] https://github.com/nextcloud/server/issues/7995

From pluknet at nginx.com  Mon Sep 13 11:51:52 2021
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Mon, 13 Sep 2021 14:51:52 +0300
Subject: No request body when using fastcgi and chunked transfer-encoding
In-Reply-To: <229476b5-b961-00a3-dcc3-64a1a4a9b018@iserv.eu>
References: <229476b5-b961-00a3-dcc3-64a1a4a9b018@iserv.eu>
Message-ID: <212536F8-9450-4EED-A88C-32F57D7965D4@nginx.com>

> On 13 Sep 2021, at 12:32, Tim Siebels wrote:
>
> Hi everyone,
>
> We are experiencing an issue when using `fastcgi_request_buffering off;` in combination with chunked transfer-encoding. The application will not receive any body. Depending on the system, we *sometimes* receive a body. Enabling `fastcgi_request_buffering` fixes the issue. However, we would like not to enable this for every request.
>
> We are using Debian Bullseye [0]. Additionally, I was able to reproduce this issue using a self compiled 1.21.3 [1].
>
> We are using a very simple configuration [2], only disabling `fastcgi_request_buffering`. The application is using PHP over fastcgi [3].
>
> Furthermore, we log `$request_body` in a custom log file.
> Whenever this logfile contains the expected request body, the application receives the expected body. As far as I understand, this cannot work without buffering. I assume this to be an in-memory buffer.
This goes in line with the body not being passed, when we increase the size. The implementation of `ngx_http_read_client_request_body` does have an optimization, if the entire body fits into header_in. > `sleep`ing between chunks also removes the possibility that the body is passed to the application. > We could not reproduce that the body is *sometimes* passed in a self-contained docker container or using a self-compiled version of nginx. > These never work with fastcgi_request_buffering off. At least not, if the body is large enough. > > Apache had a bug that had a similar effect [4,5,6]. > Our understanding from these bugreports is, that the fastcgi protocol expects a defined content-length to be able to read the request body. FastCGI is essentially a protocol with builtin chunked encoding, see http://www.mit.edu/~yandros/doc/specs/fcgi-spec.html#S3.3. Hence, the Content-Length header is rather complementary (like in HTTP/2), e.g. it allows to communicate the message length knowledge in advance. So, when nginx doesn't buffer request body, and it's not wholly present in the request body memory buffers at the time of forming request headers, in this case the length cannot be calculated for chunked body requests. See also the description of $content_length: nginx.org/r/$content_length > Our conclusion is, that nginx is supposed to buffer all request with a chunked transfer-encoding, when using fastcgi. Regardless of the fastcgi_request_buffering option. A comment on a older, unrelated, bugreport for nginx confirms this [7]. > Therefore, we expect this to be a supported use case. When a client uses chunked transfer encoding, and nginx is configured to pass requests to fastcgi with disabled fastcgi_request_buffering, the intent is to pass request body chunks to backend (with conversion to fastcgi records) as soon as they are received from a client. > > There are some bug reports out there experiencing similar issues [8,9]. 
> Looks like they are suffering from the same sort of a problem. > We tried to set `client_body_in_file_only` to `on` to be able to see the buffer files. However, these are never created with buffering off. > It is disabled in the unbuffered mode. > error.log is empty. > > Can anyone help us how to debug this further? For a start, you may want to examine what is actually passed to backend. > > Thanks, > Tim > > [..] > [2] > user nginx; > worker_processes auto; > pid /run/nginx.pid; > > events { > worker_connections 768; > } > > http { > access_log /var/log/nginx/access.log; > error_log /var/log/nginx/error.log; > > fastcgi_request_buffering off; > > include /etc/nginx/sites-enabled/*; > } > > [3] > log_format postdata '"$request" $status $request_body ($request_length)'; > > server { > listen *:982; > > location /iserv/helloworld { > root /usr/share/iserv/helloworld/public; > > access_log /var/log/nginx/postdata.log postdata; > > fastcgi_param QUERY_STRING $query_string; > fastcgi_param REQUEST_METHOD $request_method; > fastcgi_param CONTENT_TYPE $content_type; > fastcgi_param CONTENT_LENGTH $content_length; Looks like the backend is expecting to receive something in the CONTENT_LENGTH header to read the request body. The best solution is to teach your FastCGI backend how to receive the request body without CONTENT_LENGTH. 
>
>         fastcgi_param SCRIPT_NAME $fastcgi_script_name;
>         fastcgi_param REQUEST_URI $request_uri;
>         fastcgi_param DOCUMENT_URI $document_uri;
>         fastcgi_param DOCUMENT_ROOT $document_root;
>
>         fastcgi_param SCRIPT_FILENAME $document_root/index.php$fastcgi_script_name;
>
>         fastcgi_pass unix:/run/php/php-fpm.iserv-helloworld.sock;
>     }
>
> }
>
> [4] https://bz.apache.org/bugzilla/show_bug.cgi?id=53332
> [5] https://bz.apache.org/bugzilla/show_bug.cgi?id=57087
> [6] https://bugs.php.net/bug.php?id=60826
> [7] https://trac.nginx.org/nginx/ticket/1344
> [8] https://trac.cyberduck.io/wiki/help/en/howto/mount/issues/fastcgi
> [9] https://github.com/nextcloud/server/issues/7995
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

-- 
Sergey Kandaurov

From tim.siebels at iserv.eu Mon Sep 13 15:57:18 2021
From: tim.siebels at iserv.eu (Tim Siebels)
Date: Mon, 13 Sep 2021 17:57:18 +0200
Subject: No request body when using fastcgi and chunked transfer-encoding
In-Reply-To: <212536F8-9450-4EED-A88C-32F57D7965D4@nginx.com>
References: <229476b5-b961-00a3-dcc3-64a1a4a9b018@iserv.eu> <212536F8-9450-4EED-A88C-32F57D7965D4@nginx.com>
Message-ID: <917457dd-1459-cfeb-5ba0-729bf77e38ef@iserv.eu>

Hi Sergey,

thank you for your answer.

When I'm hardcoding the value of `fastcgi_param CONTENT_LENGTH` to the expected length for my test request, the request's body *is* available. That does confirm your thoughts on the backend expecting a length indication.

However, I'm not sure if your assumption about FastCGI being inherently chunked using their records is correct. The spec says [0]

> Next the Responder application receives CGI/1.1 stdin data from the Web server over FCGI_STDIN. The application receives at most CONTENT_LENGTH bytes from this stream before receiving the end-of-stream indication. (The application receives less than CONTENT_LENGTH bytes only if the HTTP client fails to provide them, e.g.
> because the client crashed.)

Considering FastCGI is an extension to CGI, is it supposed to conform to the CGI spec as well? There it says

> The server MUST set this meta-variable if and only if the request is
> accompanied by a message-body entity. The CONTENT_LENGTH value must
> reflect the length of the message-body after the server has removed
> any transfer-codings or content-codings.

Our FastCGI backend, php [2], does rely on the CONTENT_LENGTH parameter. This is in line with your remark that our backend expects it.

While I see that it is possible to implement reading the request's body without the CONTENT_LENGTH value, I am not sure how to tackle this problem exactly.

At this point, I'd say this is either an nginx bug, due to the fact that it streams the body and does not set a CONTENT_LENGTH value, or a bug in php-fpm, due to the fact that it relies on this value. What do you think?

[0] http://www.mit.edu/~yandros/doc/specs/fcgi-spec.html#S6.2
[1] https://datatracker.ietf.org/doc/html/rfc3875#section-4.1.2
[2] https://github.com/php/php-src/blob/1f9b044c809159b90a2298aa462346131d1c1207/sapi/fpm/fpm/fpm_main.c#L432

On 13.09.21 13:51, Sergey Kandaurov wrote:
>
>> On 13 Sep 2021, at 12:32, Tim Siebels wrote:
>>
>> Hi everyone,
>>
>> We are experiencing an issue when using `fastcgi_request_buffering off;` in combination with chunked transfer-encoding. The application will not receive any body. Depending on the system, we *sometimes* receive a body. Enabling `fastcgi_request_buffering` fixes the issue. However, we would like not to enable this for every request.
>>
>> We are using Debian Bullseye [0]. Additionally, I was able to reproduce this issue using a self-compiled 1.21.3 [1].
>>
>> We are using a very simple configuration [2], only disabling `fastcgi_request_buffering`. The application is using PHP over fastcgi [3].
>>
>> Furthermore, we log `$request_body` in a custom log file.
>> Whenever this logfile contains the expected request body, the application receives the expected body. As far as I understand, this cannot work without buffering. I assume this to be an in-memory buffer. This goes in line with the body not being passed, when we increase the size. The implementation of `ngx_http_read_client_request_body` does have an optimization, if the entire body fits into header_in.
>> `sleep`ing between chunks also removes the possibility that the body is passed to the application.
>> We could not reproduce that the body is *sometimes* passed in a self-contained docker container or using a self-compiled version of nginx.
>> These never work with fastcgi_request_buffering off. At least not, if the body is large enough.
>
>> Apache had a bug that had a similar effect [4,5,6].
>> Our understanding from these bug reports is that the fastcgi protocol expects a defined content-length to be able to read the request body.
>
> FastCGI is essentially a protocol with builtin chunked encoding,
> see http://www.mit.edu/~yandros/doc/specs/fcgi-spec.html#S3.3.
> Hence, the Content-Length header is rather complementary (like in HTTP/2),
> e.g. it allows to communicate the message length knowledge in advance.
>
> So, when nginx doesn't buffer request body, and it's not wholly present
> in the request body memory buffers at the time of forming request headers,
> in this case the length cannot be calculated for chunked body requests.
> See also the description of $content_length: nginx.org/r/$content_length
>
>> Our conclusion is that nginx is supposed to buffer all requests with a chunked transfer-encoding when using fastcgi, regardless of the fastcgi_request_buffering option. A comment on an older, unrelated bug report for nginx confirms this [7].
>> Therefore, we expect this to be a supported use case.
>
> When a client uses chunked transfer encoding, and nginx is configured
> to pass requests to fastcgi with disabled fastcgi_request_buffering,
> the intent is to pass request body chunks to backend (with conversion
> to fastcgi records) as soon as they are received from a client.
>
>> There are some bug reports out there experiencing similar issues [8,9].
>
> Looks like they are suffering from the same sort of a problem.
>
>> We tried to set `client_body_in_file_only` to `on` to be able to see the buffer files. However, these are never created with buffering off.
>
> It is disabled in the unbuffered mode.
>
>> error.log is empty.
>>
>> Can anyone help us how to debug this further?
>
> For a start, you may want to examine what is actually passed to backend.
>
>> Thanks,
>> Tim
>>
>> [..]
>> [2]
>> user nginx;
>> worker_processes auto;
>> pid /run/nginx.pid;
>>
>> events {
>>     worker_connections 768;
>> }
>>
>> http {
>>     access_log /var/log/nginx/access.log;
>>     error_log /var/log/nginx/error.log;
>>
>>     fastcgi_request_buffering off;
>>
>>     include /etc/nginx/sites-enabled/*;
>> }
>>
>> [3]
>> log_format postdata '"$request" $status $request_body ($request_length)';
>>
>> server {
>>     listen *:982;
>>
>>     location /iserv/helloworld {
>>         root /usr/share/iserv/helloworld/public;
>>
>>         access_log /var/log/nginx/postdata.log postdata;
>>
>>         fastcgi_param QUERY_STRING $query_string;
>>         fastcgi_param REQUEST_METHOD $request_method;
>>         fastcgi_param CONTENT_TYPE $content_type;
>>         fastcgi_param CONTENT_LENGTH $content_length;
>
> Looks like the backend is expecting to receive something
> in the CONTENT_LENGTH header to read the request body.
>
> The best solution is to teach your FastCGI backend how to receive
> the request body without CONTENT_LENGTH.
>
>>         fastcgi_param SCRIPT_NAME $fastcgi_script_name;
>>         fastcgi_param REQUEST_URI $request_uri;
>>         fastcgi_param DOCUMENT_URI $document_uri;
>>         fastcgi_param DOCUMENT_ROOT $document_root;
>>
>>         fastcgi_param SCRIPT_FILENAME $document_root/index.php$fastcgi_script_name;
>>
>>         fastcgi_pass unix:/run/php/php-fpm.iserv-helloworld.sock;
>>     }
>>
>> }
>>
>> [4] https://bz.apache.org/bugzilla/show_bug.cgi?id=53332
>> [5] https://bz.apache.org/bugzilla/show_bug.cgi?id=57087
>> [6] https://bugs.php.net/bug.php?id=60826
>> [7] https://trac.nginx.org/nginx/ticket/1344
>> [8] https://trac.cyberduck.io/wiki/help/en/howto/mount/issues/fastcgi
>> [9] https://github.com/nextcloud/server/issues/7995
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>

From b4too at pm.me Tue Sep 14 11:40:35 2021
From: b4too at pm.me (Baptiste)
Date: Tue, 14 Sep 2021 11:40:35 +0000
Subject: Error 504
Message-ID:

Hello,

I'm getting an error 504 for a day with the docker container heimdall, though it was working properly for some days before that. It's still accessible locally with ip:port but alas there is nothing I could do to make it work with the server name. I asked for help in the heimdall support section but in case it is nginx related I ask here also.
What I tried:

- reboot the host
- removed etc/nginx/ then apt purge nginx nginx-common nginx-full + reinstall them along with conf files
- same for /etc/letsencrypt and issuing the certificates again
- change the port
- change fqdn
- removed the containers and reload the stack with the binded volumes still there, then without

This is the host nginx error.log I'm getting repeatedly:

2021/09/14 11:19:14 [error] 168423#168423: *1 upstream timed out (110: Connection timed out) while SSL handshaking to upstream, client: remote_ip, server: server_name, request: "GET / HTTP/1.1", upstream: "https://local_address:local_port", host: "server_name", referrer: "FQDN"

Also, all other sites are working properly, which is why I doubt it is necessary to increase the timeout, since any other request is served properly.

Has anyone experienced this?

From m_joshi at hotmail.com Tue Sep 14 17:04:43 2021
From: m_joshi at hotmail.com (Mohit Joshi)
Date: Tue, 14 Sep 2021 17:04:43 +0000
Subject: Custom
Message-ID:

Dear experts

Need help on a custom configuration block directive. I have created a dynamic module for logging (some specific features). Looking for a custom configuration block for my module, since this needs to be applied to all servers so wanted to block inside http as in MY_MODULE_CONFIGURATION below. What is the way to do this? Any samples will help (right now on doing this I get an unsupported directive error).

http {
    MY_MODULE_CONFIGURATION {
        name "logging module";
        log_collector "localhost"
        log_port 9607
        log_frequency 10
    }
    ....
    access_log /var/log/nginx/access.log ;
    keepalive_timeout 65;

    server {
        listen 80;
        server_name localhost;
        location / {
            ....
        }
    }

Thanx
From nginx-forum at forum.nginx.org Wed Sep 15 15:19:51 2021
From: nginx-forum at forum.nginx.org (joshuawillis)
Date: Wed, 15 Sep 2021 11:19:51 -0400
Subject: Nginx fails on high load on debian 10 vs no problems on debian 9
Message-ID: <68cf306ad77653ab2d1f26d00756d3e6.NginxMailingListEnglish@forum.nginx.org>

@janning - was curious if you had found a solution to this problem?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,286893,292393#msg-292393

From nginx-forum at forum.nginx.org Wed Sep 15 15:29:49 2021
From: nginx-forum at forum.nginx.org (janning)
Date: Wed, 15 Sep 2021 11:29:49 -0400
Subject: Nginx fails on high load on debian 10 vs no problems on debian 9
In-Reply-To: <68cf306ad77653ab2d1f26d00756d3e6.NginxMailingListEnglish@forum.nginx.org>
References: <68cf306ad77653ab2d1f26d00756d3e6.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <429b08d82fdb0a26bd7c24b97544e8ee.NginxMailingListEnglish@forum.nginx.org>

Yes, I found a solution in my answer here:
https://serverfault.com/questions/1002021/nginx-fails-on-high-load-with-debian10-and-not-with-debian9

accept_mutex changed from on to off in the default value. Setting it back to "on" and Nginx is happily running with 10k requests per second again. I guess it is a combination of multi_accept and accept_mutex which caused my troubles.

regards
Janning

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,286893,292394#msg-292394

From dashdruid at protonmail.ch Wed Sep 15 17:39:15 2021
From: dashdruid at protonmail.ch (dashdruid)
Date: Wed, 15 Sep 2021 17:39:15 +0000
Subject: Dns DoH gateway tutorial out of date?
Message-ID:

Hello,

I'm trying to follow this tutorial (which works for DoT but not DoH):
https://www.nginx.com/blog/using-nginx-as-dot-doh-gateway/

I have all these installed:

nginx-1.16.1-r6 armv7 {nginx} (BSD-2-Clause) [installed]
nginx-1.16.1-r8 armv7 {nginx} (BSD-2-Clause) [upgradable from: nginx-1.16.1-r6]
nginx-mod-http-geoip2-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
collectd-nginx-5.9.2-r0 armv7 {collectd} (GPL-2.0-or-later)
nginx-mod-mail-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
nginx-mod-http-lua-upstream-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
nginx-mod-stream-js-1.16.1-r8 armv7 {nginx} (BSD-2-Clause) [installed]
nginx-mod-http-upload-progress-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
nginx-mod-rtmp-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
bareos-webui-nginx-18.2.6-r2 armv7 {bareos} (AGPL-3.0)
nginx-mod-http-echo-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
nginx-mod-http-set-misc-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
patchwork-uwsgi-nginx-2.1.4-r1 armv7 {patchwork} (GPL-2.0-or-later)
perl-test-nginx-doc-0.26-r0 armv7 {perl-test-nginx} (BSD)
nginx-mod-http-image-filter-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
nginx-mod-http-nchan-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
nginx-debug-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
nginx-mod-http-lua-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
nginx-mod-stream-geoip2-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
nginx-mod-http-shibboleth-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
nginx-mod-http-cache-purge-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
perl-test-nginx-0.26-r0 armv7 {perl-test-nginx} (BSD)
certbot-nginx-1.0.0-r0 armv7 {certbot-nginx} (Apache)
nginx-mod-http-fancyindex-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
nginx-mod-http-redis2-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
nginx-mod-http-geoip-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
nginx-mod-http-headers-more-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
nginx-mod-stream-1.16.1-r8 armv7 {nginx} (BSD-2-Clause) [installed]
nginx-mod-http-xslt-filter-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
nginx-vim-1.16.1-r8
armv7 {nginx} (BSD-2-Clause)
nginx-mod-devel-kit-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
nginx-mod-http-perl-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
nginx-mod-http-js-1.16.1-r8 armv7 {nginx} (BSD-2-Clause) [installed]
nginx-mod-http-upstream-fair-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
nginx-mod-http-vod-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
nginx-doc-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
nginx-mod-stream-geoip-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)

I have configured everything according to the tutorial and downloaded the njs package. When I try to test with:

curl -v -k -H 'accept: application/dns-json' 'https://doh.myserver.lan/dns-query?name=google.com&type=A'

I get 502 bad gateway. This is what's in the error log:

2021/09/15 19:32:22 [error] 185#185: *10 upstream prematurely closed connection while reading response header from upstream, client: 172.17.0.1, server: doh.myserver.lan, request: "GET /dns-query?name=google.com&type=A HTTP/2.0", upstream: "http://127.0.0.1:8053/dns-query?name=google.com&type=A", host: "doh.myserver.lan"

The upstream DNS works, because DoT is using the same one and that works.

From hritikxx8 at gmail.com Wed Sep 15 19:35:11 2021
From: hritikxx8 at gmail.com (Hritik Vijay)
Date: Thu, 16 Sep 2021 01:05:11 +0530
Subject: Confusing version ranges in security advisories
Message-ID:

Hello

We're working on an open source tool to aggregate security advisories and build an open vulnerabilities database (https://github.com/nexB/vulnerablecode/). This requires us to parse affected and fixed versions from nginx advisories published at https://nginx.org/en/security_advisories.html. Going through the page, I'm having a hard time understanding the plus (+) notation used to denote the version range. Please help me in this regard.

I'm assuming that the versions are in semver format.
Given the following information:

CVE-2021-23017
Not vulnerable: 1.21.0+, 1.20.1+
Vulnerable: 0.6.18-1.20.0

If I consider + to mean >= for versions, the bound 1.20.1+ should be enough for the "Not vulnerable" field. How does it make sense to have another 1.21.0+? Does the plus notation only apply to the patch field in semver (the number after the second dot)? In this case, does it mean that the upcoming version 1.22.0 will be vulnerable as well?

To further clarify, I'd like to quote

CVE-2019-9511
Not vulnerable: 1.17.3+, 1.16.1+
Vulnerable: 1.9.5-1.17.2

Here, if I take + as >=, 1.16.1+ means that versions >= 1.16.1 are fixed, but this version clearly lies in the range 1.9.5-1.17.2, which is the vulnerable range. I'm assuming that this was done for a stable release of 1.16. This further favors the assumption that the plus operator only stands for the patch field in the semver, thus making the not vulnerable range >=1.16.1 AND <1.17.0; using the same assumption for 1.17.3+ would mean >=1.17.3 AND <1.18.0. Would this again mean that future versions will be vulnerable? This is highly unlikely.

As per my current understanding I'd define the plus operator as:

"If the version before it appears in the vulnerable range, the plus operator only denotes a >= range for the patch field in semver and <= the next minor version. Otherwise, it operates on the entire version string, thus marking *all* the future versions."

This definition is not perfect at all, as it does not justify the first example, where neither 1.21.0 nor 1.20.1 is in the vulnerable range, thus making 1.21.0 totally redundant. However, if we ignore the redundancies, I hope that the definition could work.

Please let me know if there's something wrong with my deduction; also, it would be very helpful to define the plus operator as a footnote/topnote on the advisories page for the future.
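An added example (not from this thread and not nginx's own code) that encodes the reading of the plus notation Maxim Dounin gives in his reply further down: a mainline entry such as 1.17.3+ covers that version and everything newer, while a stable-branch entry such as 1.16.1+ covers only later patch releases of the 1.16.x branch. Telling the two kinds apart by the odd/even minor number is nginx's version-numbering convention, which the thread itself does not spell out; the two advisory blocks are copied from the question above.

```python
"""Interpret the version notation of nginx's security advisories page.

Rules encoded here:
  * "Vulnerable: A-B" is an inclusive numeric range.
  * "X.Y.Z+" with an odd minor number (mainline branch) covers X.Y.Z, every
    later mainline release and every stable branch forked afterwards,
    i.e. every version >= X.Y.Z.
  * "X.Y.Z+" with an even minor number (stable branch) covers only X.Y.Z and
    later patch releases of that same X.Y branch.
The odd/even mainline/stable split is nginx's numbering convention (an
assumption of this example, not stated in the thread).
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

Version = Tuple[int, int, int]

# Advisory blocks exactly as quoted in the thread (constructed test input).
ADVISORY_2021 = """
CVE-2021-23017
Not vulnerable: 1.21.0+, 1.20.1+
Vulnerable: 0.6.18-1.20.0
"""

ADVISORY_2019 = """
CVE-2019-9511
Not vulnerable: 1.17.3+, 1.16.1+
Vulnerable: 1.9.5-1.17.2
"""


def parse_version(text: str) -> Version:
    """'1.20.1' -> (1, 20, 1); nginx versions always have three numeric parts."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if m is None:
        raise ValueError(f"not an nginx version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_mainline(v: Version) -> bool:
    """nginx convention: odd minor number = mainline, even = stable branch."""
    return v[1] % 2 == 1


@dataclass
class Advisory:
    cve: str
    fixed: List[Version]                       # the "X.Y.Z+" entries
    vulnerable: List[Tuple[Version, Version]]  # inclusive "A-B" ranges


def parse_advisory(text: str) -> Advisory:
    """Parse one CVE block in the layout used on the advisories page."""
    cve = ""
    fixed: List[Version] = []
    ranges: List[Tuple[Version, Version]] = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if line.upper().startswith("CVE-"):
            cve = line
        elif line.startswith("Not vulnerable:"):
            for item in line.split(":", 1)[1].split(","):
                item = item.strip()
                if not item.endswith("+"):
                    raise ValueError(f"expected 'X.Y.Z+', got {item!r}")
                fixed.append(parse_version(item[:-1]))
        elif line.startswith("Vulnerable:"):
            for item in line.split(":", 1)[1].split(","):
                parts = item.strip().split("-", 1)   # "A-B" or a single "A"
                ranges.append((parse_version(parts[0]), parse_version(parts[-1])))
    if not cve or not ranges:
        raise ValueError("advisory block lacks a CVE id or a vulnerable range")
    return Advisory(cve, fixed, ranges)


def plus_covers(fixed: Version, v: Version) -> bool:
    """Does the 'fixed+' entry cover version v under the branch semantics above?"""
    if is_mainline(fixed):
        return v >= fixed            # tuple comparison is numeric version order
    return v[:2] == fixed[:2] and v[2] >= fixed[2]


def is_vulnerable(adv: Advisory, version: str) -> bool:
    """Fixed if any '+' entry covers the version; otherwise vulnerable exactly
    when it falls inside one of the inclusive ranges."""
    v = parse_version(version)
    if any(plus_covers(f, v) for f in adv.fixed):
        return False
    return any(low <= v <= high for low, high in adv.vulnerable)


if __name__ == "__main__":
    probes = ("1.14.2", "1.16.0", "1.16.1", "1.17.2", "1.17.3",
              "1.18.0", "1.20.0", "1.20.1", "1.22.0")
    for text in (ADVISORY_2021, ADVISORY_2019):
        adv = parse_advisory(text)
        for ver in probes:
            state = "vulnerable" if is_vulnerable(adv, ver) else "not vulnerable"
            print(f"{adv.cve}: {ver:8s} {state}")
```

For the two advisories quoted here the branch-aware reading gives the same answers as the heuristic proposed above; they differ only for branches the heuristic cannot see (for instance an old stable branch that never received the fix).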
-- 
Regards
Hritik Vijay

From rlsawyer at mac.com Wed Sep 15 21:36:54 2021
From: rlsawyer at mac.com (Robert Sawyer)
Date: Wed, 15 Sep 2021 17:36:54 -0400
Subject: Reverse proxy help.
Message-ID: <4EF64D91-2EB6-4D77-8B83-25FFA12F9553@mac.com>

I am new to nginx so please be patient; if this info is available elsewhere please tell me where.

I have 3 nginx servers. 1 is used as a reverse proxy and that is where my question is. I have 2 web sites running on my home network. I have configured the DNS to refer the site names to my (fixed) home address. I have configured my home modem/router to forward port 80 to the machine running the nginx reverse proxy. I have made scripts in the sites-available on the reverse proxy with the names of the sites I wish to proxy, configured thus:

wordpress1.org.conf

server {
    listen 80;
    server_name wordpress1.org www.wordpress1.org;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    location / {
        proxy_pass http://10.111.111.31;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
    }

wordpress2.com.conf

server {
    listen 80;
    server_name wordpress2.com www.wordpress2.com;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    location / {
        proxy_pass http://10.111.111.32;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
    }

I have commented out the "proxy_set_header Host $host;" because with it I get "too many redirects".
This seems to be working. I want to have the configuration have a "name not found" where it goes to the proxy server itself and can display a web page, an error, or a php page defined by the query string if there is one. I.e. if someone tries to simply access the external IP, present an error, or if there is a known page that exists on the proxy server (I have a php page with a known name that displays phpinfo for validating server info), display it, do not proxy. Currently if I simply use the IP it displays the server for wordpress2 (the actual name for the site wordpress2 is alphabetically first). So basically, how do I make the web pages on the proxy server the "fallback" web server?

From mdounin at mdounin.ru Wed Sep 15 21:44:09 2021
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Thu, 16 Sep 2021 00:44:09 +0300
Subject: Confusing version ranges in security advisories
Message-ID:

Hello!

On Thu, Sep 16, 2021 at 01:05:11AM +0530, Hritik Vijay wrote:

> We're working on an open source tool to aggregate security advisories
> and build an open vulnerabilities database.
> (https://github.com/nexB/vulnerablecode/).
> This requires us to parse affected and fixed versions from nginx
> advisories published at https://nginx.org/en/security_advisories.html.
> Going through the page, I'm having a hard time understanding the plus
> (+) notation used to denote the version range. Please help me in this
> regard.
>
> I'm assuming that the versions are in semver format. Given the
> following information:
> CVE-2021-23017
> Not vulnerable: 1.21.0+, 1.20.1+
> Vulnerable: 0.6.18-1.20.0
> If I consider + to mean >= for versions, the bound 1.20.1+ should be
> enough for the "Not vulnerable" field. How does it make sense to have
> another 1.21.0+ ?
> Does the plus notation only apply for the patch field in semver (the
> number after the second dot) ? In this case, does it mean that the
> upcoming version 1.22.0 will be vulnerable as well ?
The 1.21.0+ notation means "1.21.0 and newer", or, more formally, "1.21.0 and derived versions". This includes all future nginx versions on the mainline branch, and all future stable branches (which aren't yet created).

The 1.20.1+ means the same for 1.20.1 and derived versions on the 1.20.x stable branch. This includes all future versions on the 1.20.x branch, but not versions on the other branches.

> To further clarify, I'd like to quote
> CVE-2019-9511
> Not vulnerable: 1.17.3+, 1.16.1+
> Vulnerable: 1.9.5-1.17.2
> Here, if I take + as >=, 1.16.1+ means that versions >= 1.16.1 are
> fixed but this version clearly lies in the range 1.9.5-1.17.2, which
> is the vulnerable range.
> I'm assuming that this was done for a stable release of 1.16. This
> further favors the assumption that the plus operator only stands for
> the patch field in the semver.
> Thus making the not vulnerable range as >=1.16.1 AND < 1.17.0, using
> the same assumption for 1.17.3+ would mean >=1.17.3 AND <1.18.0.
> Would this again mean that future versions will be vulnerable ? This
> is highly unlikely.

See above, 1.16.1+ only applies to the 1.16.x stable branch, while 1.17.3+, which is on the mainline branch, applies to all newer versions on the mainline branch and newer stable branches.

> As per my current understanding I'd define the plus operator as:
> "If the version before it appears in the vulnerable range, the plus
> operator only denotes a >= range for the patch field in semver and <=
> the next minor version.
> Otherwise, it operates on the entire version string thus marking *all*
> the future versions"
>
> This definition is not perfect at all as it does not justify the first
> example where neither 1.21.0 nor 1.20.1 is in the vulnerable range
> thus making 1.21.0 totally redundant. However, if we ignore the
> redundancies, I hope that the definition could work.

That's a reasonable heuristic to find out if the version is vulnerable without considering the branch structure.
> Please let me know if there's something wrong with my deduction, also
> it would be very helpful to define the plus operator as a
> footnote/topnote on the advisories page for future.

Hope the above explains things formally enough. Not sure it needs any additional clarification though, as the notation never caused questions and is believed to be obvious to anybody at least minimally familiar with nginx branches.

-- 
Maxim Dounin
http://mdounin.ru/

From francis at daoine.org Wed Sep 15 23:08:29 2021
From: francis at daoine.org (Francis Daly)
Date: Thu, 16 Sep 2021 00:08:29 +0100
Subject: Custom
Message-ID: <20210915230829.GL18734@daoine.org>

On Tue, Sep 14, 2021 at 05:04:43PM +0000, Mohit Joshi wrote:

Hi there,

> Looking for a custom configuration block for my module, since this needs to be applied to all servers so wanted to block inside http as in MY_MODULE_CONFIGURATION below.

I suspect that you will find more examples that can be followed, if you change your design to use directives like

my_module_name
my_module_log_collector
my_module_log_port

and accept them in http context (and maybe also server and location contexts).

Good luck with it,
f

-- 
Francis Daly
francis at daoine.org

From francis at daoine.org Wed Sep 15 23:18:10 2021
From: francis at daoine.org (Francis Daly)
Date: Thu, 16 Sep 2021 00:18:10 +0100
Subject: Reverse proxy help.
In-Reply-To: <4EF64D91-2EB6-4D77-8B83-25FFA12F9553@mac.com>
References: <4EF64D91-2EB6-4D77-8B83-25FFA12F9553@mac.com>
Message-ID: <20210915231810.GM18734@daoine.org>

On Wed, Sep 15, 2021 at 05:36:54PM -0400, Robert Sawyer wrote:

Hi there,

> if someone tries to simply access the external IP present an error or
> if there is a known page that exists on the proxy server ( I have a
> php page with a known name that displays phpinfo for validating server
> info) display it, do not proxy. currently if I simply use the IP it
> displays the server for wordpress2.
> ( the actual names for the sites
> wordpress2 is alphabetically first ) so basically how do I make the
> webpages on the proxy server the "fallback" web server ?

http://nginx.org/en/docs/http/request_processing.html

You want one more server{} block, which includes "listen 80 default_server;". Then any request to that port that does not match one of the other server_name values will be handled in that server{}.

Right now, you do not have an explicit default_server declared for this "listen" address, so you are using the implicit one, which in this case is wordpress2.

Good luck with it,
f

-- 
Francis Daly
francis at daoine.org

From johnmoreira1019 at gmail.com Thu Sep 16 03:50:10 2021
From: johnmoreira1019 at gmail.com (John Moreira)
Date: Wed, 15 Sep 2021 23:50:10 -0400
Subject: Can't add custom library path while compiling nginx from source on Windows
Message-ID:

Hello,

I'm trying to compile nginx from source code on Windows with xslt support. I followed all of the directions from the official page http://nginx.org/en/docs/howto_build_on_win32.html to a tee and it works when I do not specify --with-http_xslt_module

When specifying --with-http_xslt_module as part of the config, a notification appears indicating that I don't have the libxslt/libxml2 libraries:

checking for libxslt ... not found
checking for libxslt in /usr/local/ ... not found
checking for libxslt in /usr/pkg/ ... not found
checking for libxslt in /opt/local/ ... not found

auto/configure: error: the HTTP XSLT module requires the libxml2/libxslt
libraries. You can either do not enable the module or install the libraries.

I am using MSYS2 as the official page recommends - the packages for libxml2/libxslt were already installed. I reinstalled them (using the standard package manager pacman) and placed them all over my file system in different places trying to get the configure script to find the libs.
When this didn't work I resorted to specifying locations using --with-ld-opt= like so

--with-http_xslt_module --with-ld-opt=-Llibxml2-2.9.10-9 --with-ld-opt=-Llibxslt-1.1.34-4

I also tried many variations of this, -I instead of -L, different paths, etc. to no avail.

How can I get the configure script to see these packages so I can compile from source?

From fusca14 at gmail.com Thu Sep 16 19:25:59 2021
From: fusca14 at gmail.com (Fabiano Furtado Pessoa Coelho)
Date: Thu, 16 Sep 2021 16:25:59 -0300
Subject: "proxy_intercept_errors on" with @location setup
Message-ID:

Hello...

I have the following issue... Is it possible to use "proxy_intercept_errors on" with @location?

Invalid config:

location /images/ {
    proxy_intercept_errors on;
    try_files $uri @backend;
}

location / {
    try_files $uri @backend;
}

location @backend {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_redirect off;
    proxy_pass http://my_upstream;
}

The only valid configuration I've found to intercept errors is not using the @location, but I want to use it to simplify the configuration.

Valid config:

location /images/ {
    proxy_intercept_errors on;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_redirect off;
    proxy_pass http://my_upstream_config;
}

location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_redirect off;
    proxy_pass http://my_upstream;
}

Thanks in advance.

From francis at daoine.org Thu Sep 16 22:37:42 2021
From: francis at daoine.org (Francis Daly)
Date: Thu, 16 Sep 2021 23:37:42 +0100
Subject: "proxy_intercept_errors on" with @location setup
Message-ID: <20210916223742.GN18734@daoine.org>

On Thu, Sep 16, 2021 at 04:25:59PM -0300, Fabiano Furtado Pessoa Coelho wrote:

Hi there,

> Is it possible to use "proxy_intercept_errors on" with @location?
Yes; but it is only useful if "proxy_pass" sees the "proxy_intercept_errors". Which means: if the config directives are in, or are inherited into, the location{} where the request is handled.

> Invalid config:

This looks like valid nginx config to me. I guess you mean "does not do what I want", rather than "is rejected by nginx as invalid"?

> The only valid configuration I've found to intercept errors is not
> using the @location but I want to use it to simplify the
> configuration.

Depending on how you understand "simplify" -- you could potentially "include" a file with the common pieces and just have the unique directives in each location{}; or you could put the common pieces (apart from proxy_pass) outside the location{}s, and just have the unique directives and proxy_pass inside the location{}s (note: your current example has the same set of proxy_set_header directives in each location{}, so this can work); or potentially you could use an external macro-processing tool to generate your complicated nginx.conf from whatever simplified input you want to use.

In general, nginx's config is fast for nginx to read and process; it does not particularly try to be compact for people to write if there are different configs wanted.

Hopefully you'll find a config setup that you're happy with.

Cheers,
f

-- 
Francis Daly
francis at daoine.org

From francis at daoine.org Thu Sep 16 22:57:16 2021
From: francis at daoine.org (Francis Daly)
Date: Thu, 16 Sep 2021 23:57:16 +0100
Subject: Can't add custom library path while compiling nginx from source on Windows
Message-ID: <20210916225716.GO18734@daoine.org>

On Wed, Sep 15, 2021 at 11:50:10PM -0400, John Moreira wrote:

Hi there,

> I'm trying to compile nginx from source code on Windows with xslt support.
> I followed all of the directions from the official page
> http://nginx.org/en/docs/howto_build_on_win32.html to a tee and it works
> when I do not specify --with-http_xslt_module
>
> When specifying --with-http_xslt_module as part of the config, a
> notification appears indicating that I don't have the libxslt/libxml2
> libraries
>
> checking for libxslt ... not found
> checking for libxslt in /usr/local/ ... not found
> checking for libxslt in /usr/pkg/ ... not found
> checking for libxslt in /opt/local/ ... not found
>
> auto/configure: error: the HTTP XSLT module requires the libxml2/libxslt
> libraries. You can either do not enable the module or install the libraries.

You can read the file auto/lib/libxslt/conf to get an idea of what nginx is testing for. Do you have, for example, the file libxml/parser.h somewhere on your system?

> I am using MSYS2 as the official page recommends - the packages for
> libxml2/libxslt were already installed.

Did you install the library packages for running programs with; or did you install the development packages to allow programs to be built against the libraries? Possibly you want packages with "-dev" or "-devel" in the name, if you don't already have them.

> How can I get the configure script to see these packages so I can compile
> from source?

The content of https://packages.msys2.org/package/libxml2-devel and https://packages.msys2.org/package/libxslt-devel makes it look like it should Just Work, if both are installed.

If that doesn't happen, then probably auto/lib/libxslt/conf can be adjusted to let it happen.
Good luck with it, f -- Francis Daly francis at daoine.org From nginx-forum at forum.nginx.org Fri Sep 17 05:34:32 2021 From: nginx-forum at forum.nginx.org (blason) Date: Fri, 17 Sep 2021 01:34:32 -0400 Subject: Nginx reverse proxy regex help Message-ID: Hi Team, I have server whose URL is https://xx.xx.xx.xx/TestPage/ which gets generated as https://xxxx.xxx.xxx/TestPage/(S(0inoxzi14rxqq1uix1tiyp1t))/index.aspx Now I have implemented nginx reverse proxy in front this server and then I have done the config proxy_pass as proxy_pass https://xxx.ssss.sss.ss/TestPage; Now if you see after TestPage there is a unique value gets added and then index.aspx however whenever request is passed through nginx I get 502 badgateway. Wondering how do I pass that unique value through regex? Please help here is lcoation location /TestPage { client_max_body_size 10m; client_body_buffer_size 128k; proxy_send_timeout 90; proxy_http_version 1.1; proxy_read_timeout 90; proxy_buffer_size 128k; proxy_buffers 4 256k; proxy_busy_buffers_size 256k; proxy_temp_file_write_size 256k; proxy_connect_timeout 30s; proxy_pass https://xx.ss.xx.ss/TestPage; proxy_redirect default; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header Referrer-Policy "no-referrer-when-downgrade"; } } Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292405,292405#msg-292405 From dashdruid at protonmail.ch Fri Sep 17 07:26:56 2021 From: dashdruid at protonmail.ch (dashdruid) Date: Fri, 17 Sep 2021 07:26:56 +0000 Subject: Dns DoH gateway tutorial out of date? 
Message-ID:

Hello,

I am trying to follow this tutorial (which works for DoT but not DoH): https://www.nginx.com/blog/using-nginx-as-dot-doh-gateway/

I have all these installed:

    nginx-1.16.1-r6 armv7 {nginx} (BSD-2-Clause) [installed]
    nginx-1.16.1-r8 armv7 {nginx} (BSD-2-Clause) [upgradable from: nginx-1.16.1-r6]
    nginx-mod-http-geoip2-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
    collectd-nginx-5.9.2-r0 armv7 {collectd} (GPL-2.0-or-later)
    nginx-mod-mail-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
    nginx-mod-http-lua-upstream-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
    nginx-mod-stream-js-1.16.1-r8 armv7 {nginx} (BSD-2-Clause) [installed]
    nginx-mod-http-upload-progress-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
    nginx-mod-rtmp-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
    bareos-webui-nginx-18.2.6-r2 armv7 {bareos} (AGPL-3.0)
    nginx-mod-http-echo-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
    nginx-mod-http-set-misc-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
    patchwork-uwsgi-nginx-2.1.4-r1 armv7 {patchwork} (GPL-2.0-or-later)
    perl-test-nginx-doc-0.26-r0 armv7 {perl-test-nginx} (BSD)
    nginx-mod-http-image-filter-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
    nginx-mod-http-nchan-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
    nginx-debug-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
    nginx-mod-http-lua-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
    nginx-mod-stream-geoip2-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
    nginx-mod-http-shibboleth-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
    nginx-mod-http-cache-purge-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
    perl-test-nginx-0.26-r0 armv7 {perl-test-nginx} (BSD)
    certbot-nginx-1.0.0-r0 armv7 {certbot-nginx} (Apache)
    nginx-mod-http-fancyindex-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
    nginx-mod-http-redis2-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
    nginx-mod-http-geoip-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
    nginx-mod-http-headers-more-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
    nginx-mod-stream-1.16.1-r8 armv7 {nginx} (BSD-2-Clause) [installed]
    nginx-mod-http-xslt-filter-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
    nginx-vim-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
    nginx-mod-devel-kit-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
    nginx-mod-http-perl-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
    nginx-mod-http-js-1.16.1-r8 armv7 {nginx} (BSD-2-Clause) [installed]
    nginx-mod-http-upstream-fair-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
    nginx-mod-http-vod-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
    nginx-doc-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)
    nginx-mod-stream-geoip-1.16.1-r8 armv7 {nginx} (BSD-2-Clause)

I have configured everything according to the tutorial, downloaded the njs package. When I try to test with:

    curl -v -k -H 'accept: application/dns-json' 'https://doh.myserver.lan/dns-query?name=google.com&type=A'

I get 502 bad gateway. This is what's in the error log:

    2021/09/15 19:32:22 [error] 185#185: *10 upstream prematurely closed connection while reading response header from upstream, client: 172.17.0.1, server: doh.myserver.lan, request: "GET /dns-query?name=google.com&type=A HTTP/2.0", upstream: "http://127.0.0.1:8053/dns-query?name=google.com&type=A", host: "doh.myserver.lan"

The upstream DNS works, because DoT uses the same one and that works.

From fusca14 at gmail.com  Fri Sep 17 17:36:11 2021
From: fusca14 at gmail.com (Fabiano Furtado Pessoa Coelho)
Date: Fri, 17 Sep 2021 14:36:11 -0300
Subject: "proxy_intercept_errors on" with @location setup
In-Reply-To: <20210916223742.GN18734@daoine.org>
References: <20210916223742.GN18734@daoine.org>
Message-ID:

Hi Francis...

On Thu, Sep 16, 2021 at 7:37 PM Francis Daly wrote:
>
> On Thu, Sep 16, 2021 at 04:25:59PM -0300, Fabiano Furtado Pessoa Coelho wrote:
>
> Hi there,
>
> > Is it possible to use "proxy_intercept_errors on" with @location?
>
> Yes; but it is only useful if "proxy_pass" sees the
> "proxy_intercept_errors". Which means: if the config directives are in,
> or are inherited into, the location{} where the request is handled.

I understood!

> > Invalid config:
>
> This looks like valid nginx config to me.
>
> I guess you mean "does not do what I want", rather than "is rejected by
> nginx as invalid"?

I mean... "does not do what I want". ;)

> > The only valid configuration I've found to intercept errors is not
> > using the @location but I want to use it to simplify the
> > configuration.
>
> Depending on how you understand "simplify" -- you could potentially
> "include" a file with the common pieces and just have the unique
> directives in each location{}; or you could put the common pieces (apart
> from proxy_pass) outside the location{}s, and just have the unique
> directives and proxy_pass inside the location{}s (note: your current
> example has the same set of proxy_set_header directives in each
> location{}, so this can work); or potentially you could use an external
> macro-processing tool to generate your complicated nginx.conf from
> whatever simplified input you want to use.

I think I will "put the common pieces (apart from proxy_pass) outside the location{}s". This is the best config for me!

> In general, nginx's config is fast for nginx to read and process; it
> does not particularly try to be compact for people to write if there
> are different configs wanted.
>
>
> Hopefully you'll find a config setup that you're happy with.
>
> Cheers,

Thank you!

From drodriguez at unau.edu.ar  Sat Sep 18 01:24:44 2021
From: drodriguez at unau.edu.ar (Daniel Armando Rodriguez)
Date: Fri, 17 Sep 2021 22:24:44 -0300
Subject: Reverse proxy redirection issue
In-Reply-To:
References:
Message-ID: <4706c9478fff1c36af61132b6b7d899f@unau.edu.ar>

Hello,

I am new in this world (of nginx) and I have a problem that has me crazy. I am using nginx as a reverse proxy; I managed to configure SSL certificates using LetsEncrypt, but nginx does the redirection to the wrong vhost.

This is the configuration of one of the vhosts; they are 3 identical ones pointing to the same virtual machine. I have a fourth one pointing to another virtual machine that works without problems.

I have the domains 1.DOMAIN.edu.ar, 2.DOMAIN.edu.ar and 3.DOMAIN.edu.ar pointing to the same internal IP. But for any domain I enter in the browser, the redirection is made to 1.DOMAIN.edu.ar. Also set a 4th as default_server, but the behaviour still remains.

This is the vhost configuration
---
# cat /etc/nginx/sites-enabled/2.DOMAIN.edu.ar.conf
server {
    listen 80;
    server_name 2.DOMAIN.edu.ar;
    server_tokens off;
    # Don't show the nginx version number

    include /etc/nginx/snippets/location-letsencrypt.conf;

    # return 301 https://2.DOMAIN.edu.ar$request_uri;
    rewrite ^ https://2.DOMAIN.edu.ar$request_uri? permanent;
}

server {
    listen 443 ssl http2;
    server_name 2.DOMAIN.edu.ar;
    server_tokens off;
    # Don't show the nginx version number

    include /etc/nginx/snippets/location-letsencrypt.conf;

    ssl_certificate /etc/letsencrypt/live/2.DOMAIN.edu.ar/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/2.DOMAIN.edu.ar/privkey.pem;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    # Defining option to share SSL Connection with Passed Proxy
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Defining used protocol versions.
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    # Defining ciphers to use.
    ssl_prefer_server_ciphers on;
    # Enabling ciphers

    location / {
        proxy_http_version 1.1;
        #For Websockets and keepalive connections
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        #required when using Websockets
        proxy_set_header Host $host;
        #Contains:
        # hostname from the request line,
        # or hostname from the Host request header field,
        # or the server name matching a request.
        proxy_set_header X-Real-IP $remote_addr;
        #Forwards the real visitor remote IP address
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #List containing the IP addresses of every server the client has been proxied through.
        proxy_set_header X-Forwarded-Proto $scheme;
        #When used inside an HTTPS server block,
        #each HTTP response from the proxied server is rewritten to HTTPS
        proxy_set_header X-Forwarded-Host $host;
        #Original host requested by the client
        proxy_set_header X-Forwarded-Port $server_port;
        #Original port requested by the client
        proxy_pass http://INTERNAL-IP/;
    }

    access_log /var/log/nginx/2.DOMAIN.edu.ar/access.log;
    error_log /var/log/nginx/2.DOMAIN.edu.ar/error.log;
}
---

Any hint will be much appreciated. Thanks in advance.-

From francis at daoine.org  Sat Sep 18 07:34:09 2021
From: francis at daoine.org (Francis Daly)
Date: Sat, 18 Sep 2021 08:34:09 +0100
Subject: "proxy_intercept_errors on" with @location setup
In-Reply-To:
References: <20210916223742.GN18734@daoine.org>
Message-ID: <20210918073409.GP18734@daoine.org>

On Fri, Sep 17, 2021 at 02:36:11PM -0300, Fabiano Furtado Pessoa Coelho wrote:
> On Thu, Sep 16, 2021 at 7:37 PM Francis Daly wrote:
> > On Thu, Sep 16, 2021 at 04:25:59PM -0300, Fabiano Furtado Pessoa Coelho wrote:

Hi there,

> > > The only valid configuration I've found to intercept errors is not
> > > using the @location but I want to use it to simplify the
> > > configuration.
> >
> > Depending on how you understand "simplify" -- you could potentially
> > "include" a file with the common pieces and just have the unique
> > directives in each location{}; or you could put the common pieces (apart
> > from proxy_pass) outside the location{}s, and just have the unique
> > directives and proxy_pass inside the location{}s (note: your current
> > example has the same set of proxy_set_header directives in each
> > location{}, so this can work); or potentially you could use an external
> > macro-processing tool to generate your complicated nginx.conf from
> > whatever simplified input you want to use.
>
> I think I will "put the common pieces (apart from proxy_pass) outside
> the location{}s".
> This is the best config for me!
Good to hear that you found a configuration that works for you :-)

Once you understand how nginx uses its config, and how directive inheritance works, then you won't be surprised by the behaviour you configured.

(With a few exceptions, often related to the rewrite module, the general pattern is: one request is handled in one location{}; and each directive *not* explicit in that location either inherits from the surrounding context, or does not inherit at all. And a directive is something like "proxy_set_header", not "proxy_set_header X-Real-IP".)

Good luck with it,

f
--
Francis Daly        francis at daoine.org

From francis at daoine.org  Sat Sep 18 07:48:50 2021
From: francis at daoine.org (Francis Daly)
Date: Sat, 18 Sep 2021 08:48:50 +0100
Subject: Nginx reverse proxy regex help
In-Reply-To:
References:
Message-ID: <20210918074850.GQ18734@daoine.org>

On Fri, Sep 17, 2021 at 01:34:32AM -0400, blason wrote:

Hi there,

> I have server whose URL is https://xx.xx.xx.xx/TestPage/ which gets
> generated as
>
> https://xxxx.xxx.xxx/TestPage/(S(0inoxzi14rxqq1uix1tiyp1t))/index.aspx

You have a variety of .xx and .ss, and it's not immediately clear to me which sets are the same and which sets are not. If you use something like "one.example.com" and "two.example.com", or "IP1" and "IP2", then if the problem is that you are using an unexpected address, that might become obvious. Thanks.

I'm also not quite clear on what you mean by "which gets generated as". Do you mean that if you make a request for https://backend-server/TestPage/ it returns a http redirect to https://backend-server/TestPage/(S(0inoxzi14rxqq1uix1tiyp1t))/index.aspx, and you are then expected to make a new request for https://backend-server/TestPage/(S(0inoxzi14rxqq1uix1tiyp1t))/index.aspx? Or is it something else?

> Now I have implemented nginx reverse proxy in front this server and then I
> have done the config proxy_pass as
>
> proxy_pass https://xxx.ssss.sss.ss/TestPage;
>
> Now if you see after TestPage there is a unique value gets added and then
> index.aspx however whenever request is passed through nginx I get 502
> badgateway.

What does the nginx error log say about the 502 response?

> Wondering how do I pass that unique value through regex?

You should not need to do anything special, as you are using a "prefix-match" location.

Because you are doing "proxy_pass https://", you may want to check what the backend-server responds with when you make this request from the nginx server -- if it is serving more than one site on the same ip:port, you will want to be sure that it is using the site that you want it to be using.

Cheers,

f
--
Francis Daly        francis at daoine.org

From francis at daoine.org  Sat Sep 18 08:03:41 2021
From: francis at daoine.org (Francis Daly)
Date: Sat, 18 Sep 2021 09:03:41 +0100
Subject: Reverse proxy redirection issue
In-Reply-To: <4706c9478fff1c36af61132b6b7d899f@unau.edu.ar>
References: <4706c9478fff1c36af61132b6b7d899f@unau.edu.ar>
Message-ID: <20210918080341.GR18734@daoine.org>

On Fri, Sep 17, 2021 at 10:24:44PM -0300, Daniel Armando Rodriguez wrote:

Hi there,

> I am using nginx as a reverse proxy, I managed to configure SSL certificates
> using LetsEncrypt but nginx does the redirection to the wrong vhost.
>
> This is the configuration of one of the vhost, they are 3 identical ones
> pointing to the same virtual machine. I have a fourth one pointing to
> another virtual machine that works without problems.
>
> I have the domains 1.DOMAIN.edu.ar, 2.DOMAIN.edu.ar and 3.DOMAIN.edu.ar
> pointing to the same internal IP. But any domain I enter in the browser the
> redirection is made to 1.DOMAIN.edu.ar.

I think you are reporting that if you do

    curl -i http://1.DOMAIN.edu.ar

you get a http 301 redirect from nginx to https://1.DOMAIN.edu.ar (which is what you want); and if you do

    curl -i http://2.DOMAIN.edu.ar

you get a http 301 redirect from nginx to https://1.DOMAIN.edu.ar (which is not what you want).

Is that correct?

If so...

> Also set a 4th as default_server, but behaviuor still remains.
>
> This is the vhost configuration
> ---
> # cat /etc/nginx/sites-enabled/2.DOMAIN.edu.ar.conf
> server {
>     listen 80;
>     server_name 2.DOMAIN.edu.ar;
>     server_tokens off;
>     # Don't show the nginx version number
>
>     include /etc/nginx/snippets/location-letsencrypt.conf;
>
>     # return 301 https://2.DOMAIN.edu.ar$request_uri;
>     rewrite ^ https://2.DOMAIN.edu.ar$request_uri? permanent;
> }

...can you show the "server" blocks that have "listen 80", to make sure that they each have the expected "server_name" values and return/rewrite value?

The output of "nginx -T" should list the configuration that nginx actually reads; that might be simpler to copy from than the files.

(There are other possible things to check too -- perhaps the problem is not that "curl -i http://2.DOMAIN.edu.ar" gives the unwanted response, but that "curl -i https://2.DOMAIN.edu.ar" gives the unwanted response. Or perhaps the problem is that the requests are not getting to this nginx at all. But, one step at a time, to identify where the problem is.)
Good luck with it,

f
--
Francis Daly        francis at daoine.org

From drodriguez at unau.edu.ar  Sat Sep 18 12:16:28 2021
From: drodriguez at unau.edu.ar (Daniel Armando Rodriguez)
Date: Sat, 18 Sep 2021 09:16:28 -0300
Subject: Reverse proxy redirection issue
In-Reply-To: <20210918080341.GR18734@daoine.org>
References: <4706c9478fff1c36af61132b6b7d899f@unau.edu.ar> <20210918080341.GR18734@daoine.org>
Message-ID: <23dafc8f849a1a2b2b4a835bd316326a@unau.edu.ar>

On 2021-09-18 05:03, Francis Daly wrote:
> On Fri, Sep 17, 2021 at 10:24:44PM -0300, Daniel Armando Rodriguez
> wrote:
>
> Hi there,
>
>> I am using nginx as a reverse proxy, I managed to configure SSL
>> certificates
>> using LetsEncrypt but nginx does the redirection to the wrong vhost.
>>
>> This is the configuration of one of the vhost, they are 3 identical
>> ones
>> pointing to the same virtual machine. I have a fourth one pointing to
>> another virtual machine that works without problems.
>>
>> I have the domains 1.DOMAIN.edu.ar, 2.DOMAIN.edu.ar and
>> 3.DOMAIN.edu.ar
>> pointing to the same internal IP. But any domain I enter in the
>> browser the
>> redirection is made to 1.DOMAIN.edu.ar.
>
> I think you are reporting that if you do
>
> curl -i http://1.DOMAIN.edu.ar
>
> you get a http 301 redirect from nginx to https://1.DOMAIN.edu.ar
> (which
> is what you want); and if you do
>
> curl -i http://2.DOMAIN.edu.ar
>
> you get a http 301 redirect from nginx to https://1.DOMAIN.edu.ar
> (which
> is not what you want).
>
> Is that correct?

Yep, that was exactly the issue. And saying 'was' 'cause this morning everything is working like a charm. Without making any further modification, I mean. Really don't know what has happened here, but glad to see it working as expected.

>
> If so...
>
>> Also set a 4th as default_server, but behaviuor still remains.
>>
>> This is the vhost configuration
>> ---
>> # cat /etc/nginx/sites-enabled/2.DOMAIN.edu.ar.conf
>> server {
>>     listen 80;
>>     server_name 2.DOMAIN.edu.ar;
>>     server_tokens off;
>>     # Don't show the nginx version number
>>
>>     include /etc/nginx/snippets/location-letsencrypt.conf;
>>
>>     # return 301 https://2.DOMAIN.edu.ar$request_uri;
>>     rewrite ^ https://2.DOMAIN.edu.ar$request_uri? permanent;
>> }
>
> ...can you show the "server" blocks that have "listen 80", to make sure
> that they each have the expected "server_name" values and
> return/rewrite
> value?

At the time the mail was sent I had double checked those values.

> The output of "nginx -T" should list the configuration that nginx
> actually
> reads; that might be simpler to copy from than the files.
>
>
> (There are other possible things to check too -- perhaps the problem is
> not that "curl -i http://2.DOMAIN.edu.ar" gives the unwanted response,
> but that "curl -i https://2.DOMAIN.edu.ar" gives the unwanted response.
> Or
> perhaps the problem is that the requests are not getting to this nginx
> at all. But, one step at a time, to identify where the problem is.)

The issue raised on https redirection, indeed. But, as said, no changes made at all and now it's all working.

> Good luck with it,

Thanks for taking the time to read, and sorry for the noise.

ATB f
_______________________________________________
Daniel A. Rodriguez
Informática, Conectividad y Sistemas
Universidad Nacional del Alto Uruguay
San Vicente - Misiones - Argentina
www.unau.edu.ar

From nginx-forum at forum.nginx.org  Sun Sep 19 02:53:57 2021
From: nginx-forum at forum.nginx.org (blason)
Date: Sat, 18 Sep 2021 22:53:57 -0400
Subject: Nginx reverse proxy regex help
In-Reply-To: <20210918074850.GQ18734@daoine.org>
References: <20210918074850.GQ18734@daoine.org>
Message-ID:

Oh, my bad; those xxx. and sss, consider those a single url.
I just typed randomly while creating this post.

Here is my error.log -

    2021/09/17 11:23:09 [error] 9429#9429: *1814357 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking to upstream, client: 10.0.22.99, server: xxx.xxxx.xxx.xxx, request: "GET /TestPage/ HTTP/1.1", upstream: "https://10.0.20.77:443/TestPage/", host: "xx.xxx.xxx.xx"

Wondering why this is making a connection to host when my proxy_pass says https://

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292405,292414#msg-292414

From francis at daoine.org  Sun Sep 19 07:00:07 2021
From: francis at daoine.org (Francis Daly)
Date: Sun, 19 Sep 2021 08:00:07 +0100
Subject: Reverse proxy redirection issue
In-Reply-To: <23dafc8f849a1a2b2b4a835bd316326a@unau.edu.ar>
References: <4706c9478fff1c36af61132b6b7d899f@unau.edu.ar> <20210918080341.GR18734@daoine.org> <23dafc8f849a1a2b2b4a835bd316326a@unau.edu.ar>
Message-ID: <20210919070007.GS18734@daoine.org>

On Sat, Sep 18, 2021 at 09:16:28AM -0300, Daniel Armando Rodriguez wrote:
> On 2021-09-18 05:03, Francis Daly wrote:
> > On Fri, Sep 17, 2021 at 10:24:44PM -0300, Daniel Armando Rodriguez
> > wrote:

Hi there,

> > if you do
> >
> > curl -i http://2.DOMAIN.edu.ar
> >
> > you get a http 301 redirect from nginx to https://1.DOMAIN.edu.ar (which
> > is not what you want).
> >
> > Is that correct?
>
> Yep, that was exactly the issu. And saying 'was' 'cause this morning
> everything is working like a charm. Without made any further modification I
> mean. Really don't know what have happened here, but glad to see it working
> as expected.

Great that you have a config and setup that now does what you want :-)

Now that it isn't broken, with no known changes, it's hard to guess what might have been the problem. Maybe something restarted overnight, or caches cleared, or something odd like that.

Cheers,

f
--
Francis Daly        francis at daoine.org

From francis at daoine.org  Sun Sep 19 07:15:35 2021
From: francis at daoine.org (Francis Daly)
Date: Sun, 19 Sep 2021 08:15:35 +0100
Subject: Nginx reverse proxy regex help
In-Reply-To:
References: <20210918074850.GQ18734@daoine.org>
Message-ID: <20210919071535.GT18734@daoine.org>

On Sat, Sep 18, 2021 at 10:53:57PM -0400, blason wrote:

Hi there,

> Oh my bad those xxx. and sss consider those are single url. I just typed
> while creating this post randomly

It will probably be helpful in any future mails if you consistently replace any information that you want to keep secret. Perhaps use something like "client-ip" or "client-name"; or "nginx-ip" or "nginx-name" (or "nginx-name2", if there is more than one); or "upstream-ip" or "upstream-name".

> Here are my error.log -
>
> 2021/09/17 11:23:09 [error] 9429#9429: *1814357 peer closed connection in
> SSL handshake (104: Connection reset by peer) while SSL handshaking to
> upstream, client: 10.0.22.99, server: xxx.xxxx.xxx.xxx, request: "GET
> /TestPage/ HTTP/1.1", upstream: "https://10.0.20.77:443/TestPage/", host:
> "xx.xxx.xxx.xx"

(Is xxx.xxxx.xxx.xxx the same as xx.xxx.xxx.xx? And if not, do you expect a request for xx.xxx.xxx.xx to be handled by the nginx server block with server_name xxx.xxxx.xxx.xxx? If not, then that's the first place to look for the fix.)

> Wondering why this is making connection to host when my proxy_pass says
> https://

"Host_name" could resolve to anything; and what it resolves to can change over time. nginx is telling you which specific IP address it was talking to when this problem happened.

"Connection reset by peer" suggests that the upstream service did not like some aspect of the request that nginx made to it.

Is 10.0.20.77 the current IP address of xx.ss.xx.ss/Host_name, and is that different from the IP that that name resolved to when nginx started?

What do you see if you try to talk to that service manually, from the nginx server?
The output of something like

    curl -v https://xx.ss.xx.ss/TestPage

will probably be helpful -- that's not exactly equivalent to what nginx does, but is usually a good starting point. (If it shows a different IP address being connected to, then maybe that is part of the problem.)

Cheers,

f
--
Francis Daly        francis at daoine.org

From nginx-forum at forum.nginx.org  Sun Sep 19 12:25:34 2021
From: nginx-forum at forum.nginx.org (blason)
Date: Sun, 19 Sep 2021 08:25:34 -0400
Subject: Nginx reverse proxy regex help
In-Reply-To: <20210919071535.GT18734@daoine.org>
References: <20210919071535.GT18734@daoine.org>
Message-ID: <66ed9393e21bd9089c6452ae1ebfa19c.NginxMailingListEnglish@forum.nginx.org>

Sure, I'll note that. And I feel something is not right at the remote end server.

Thanks for your help.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292405,292417#msg-292417

From nginx-forum at forum.nginx.org  Sun Sep 19 12:44:18 2021
From: nginx-forum at forum.nginx.org (blason)
Date: Sun, 19 Sep 2021 08:44:18 -0400
Subject: Nginx reverse proxy regex help
In-Reply-To: <20210919071535.GT18734@daoine.org>
References: <20210919071535.GT18734@daoine.org>
Message-ID: <11f1b7e49c263c9c2f84030d568cb7af.NginxMailingListEnglish@forum.nginx.org>

Well actually, while doing a curl request the site is being moved, and here is what I am getting:

    curl -vk https://xx.xx.xx/TestPage/
    Object moved
    Object moved to here.
    * Connection #0 to host xx.xx.xx left intact

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292405,292418#msg-292418

From nginx-forum at forum.nginx.org  Sun Sep 19 14:24:25 2021
From: nginx-forum at forum.nginx.org (blason)
Date: Sun, 19 Sep 2021 10:24:25 -0400
Subject: Nginx reverse proxy regex help
In-Reply-To: <11f1b7e49c263c9c2f84030d568cb7af.NginxMailingListEnglish@forum.nginx.org>
References: <20210919071535.GT18734@daoine.org> <11f1b7e49c263c9c2f84030d568cb7af.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <9a4d3be2e33b996036f1c4403d1eb2f7.NginxMailingListEnglish@forum.nginx.org>

Hi Team,

Looks like my issue is resolved by adding this line after proxy_pass:

    proxy_ssl_server_name on;

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292405,292419#msg-292419

From nginx-forum at forum.nginx.org  Sun Sep 19 17:35:02 2021
From: nginx-forum at forum.nginx.org (blason)
Date: Sun, 19 Sep 2021 13:35:02 -0400
Subject: Websocket is not working with Nginx Reverse Proxy
Message-ID: <307d585b3bfb0af597a47843e1826c51.NginxMailingListEnglish@forum.nginx.org>

Hi Team,

I am trying to add nginx reverse proxy behind Check Point Mobile access portal which is a SSL VPN portal. Somehow this is not working, and when I captured and analyzed the har file I observed that the portal is accepting websocket calls. I tried implementing the same with nginx but I am still unable to find the solution.
Here is what I am seeing with the Har file, and then I have given my config

################
General:
Request URL: https://vpn.xxxx.com/7D8B79A2-8974-4D7B-A76A-F4F29624C06BMCNu92Dm4l-Zi00Q9XmCAEP2W0TG236BR4s3ROIfxiy7ICrrEllGkIikmth2jOjkklZMt4z1porwm5BgBNByrQ/websocket?url=https%3A%2F%2Fvpn.xxxx.com%2FPortal%2FMain&nocache=1632059231484
HTTP Version: HTTP/1.1
Request method: GET
Headers:
Cache-Control no-cache
Connection Upgrade
Cookie selected_realm=ssl_vpn; CPCVPN_SESSION_ID=e27df7fe2b0ce359198a5b703b9402d235668bb3; CPCVPN_BASE_HOST=vpn.xxxx.com; CPCVPN_OBSCURE_KEY=23f63321355ce5d11767b258178d9775
DNT 1
Host vpn.xxxx.com
Origin https://vpn.xxxx.com
Sec-WebSocket-Key ehTLIcXsKwaddkSug5rN9Q==
Sec-WebSocket-Version 13
Upgrade websocket
User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Query arguments:
url https://vpn.xxxx.com/Portal/Main
nocache 1632059231484
##############################

And here is my config

*************************
upstream websocket {
    server vpn.xxxx.com:443;
}
server {
    listen 443 ssl;
    server_name vpn.xxxx.com;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_certificate /etc/nginx/ssls/labcerts/wild.crt;
    ssl_certificate_key /etc/nginx/ssls/labcerts/wild.key;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_dhparam /etc/ssl/dhparams2048.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    access_log /var/log/nginx/sslvpn/access.log;
    error_log /var/log/nginx/sslvpn/error.log;
    error_page 404 403 /custom_404.html;
    location = /custom_404.html {
        root /usr/share/nginx/html;
        internal;
    }
    location /SNX/ {
        proxy_pass https://websocket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
    }
    location / {
        proxy_send_timeout 90;
        proxy_http_version 1.1;
        proxy_read_timeout 90;
        proxy_connect_timeout 30s;
        proxy_pass https://websocket;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_ssl_server_name on;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
********************************************

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292420,292420#msg-292420

From nginx-forum at forum.nginx.org  Sun Sep 19 17:36:21 2021
From: nginx-forum at forum.nginx.org (blason)
Date: Sun, 19 Sep 2021 13:36:21 -0400
Subject: Websocket is not working with Nginx Reverse Proxy
In-Reply-To: <307d585b3bfb0af597a47843e1826c51.NginxMailingListEnglish@forum.nginx.org>
References: <307d585b3bfb0af597a47843e1826c51.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <99759131417f089fbc5acae7931efdea.NginxMailingListEnglish@forum.nginx.org>

My bad - just a typo in this topic. I want to add Nginx reverse proxy in front of my checkpoint mobile access portal, not behind.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292420,292421#msg-292421

From osa at freebsd.org.ru  Sun Sep 19 23:12:10 2021
From: osa at freebsd.org.ru (Sergey A.
Osokin) Date: Mon, 20 Sep 2021 02:12:10 +0300 Subject: Websocket is not working with Nginx Reverse Proxy In-Reply-To: <307d585b3bfb0af597a47843e1826c51.NginxMailingListEnglish@forum.nginx.org> References: <307d585b3bfb0af597a47843e1826c51.NginxMailingListEnglish@forum.nginx.org> Message-ID: Hi, On Sun, Sep 19, 2021 at 01:35:02PM -0400, blason wrote: > Hi Team, > > I am trying to add nginx reverse proxy behind Check Point Mobile access > portal which is a SSL VPN portal. Somehow this not working and when I > captured and analyzed the har file I observed that the portal is accepting > websocket calls. I tried implementing the same with nginx but I am still > unable to find the solution. > > Here is what I am seeing with Har file and then I have given my config > > ################ > General: > Request URL: > https://vpn.xxxx.com/7D8B79A2-8974-4D7B-A76A-F4F29624C06BMCNu92Dm4l-Zi00Q9XmCAEP2W0TG236BR4s3ROIfxiy7ICrrEllGkIikmth2jOjkklZMt4z1porwm5BgBNByrQ/websocket?url=https%3A%2F%2Fvpn.xxxx.com%2FPortal%2FMain&nocache=1632059231484HTTP > Version: HTTP/1.1Request method: GET > Headers: > Cache-Control no-cache > Connection Upgrade > Cookie selected_realm=ssl_vpn; > CPCVPN_SESSION_ID=e27df7fe2b0ce359198a5b703b9402d235668bb3; > CPCVPN_BASE_HOST=vpn.xxxx.com; > CPCVPN_OBSCURE_KEY=23f63321355ce5d11767b258178d9775 > DNT 1 > Host vpn.xxxx.com > Origin https://vpn.xxxx.com > Sec-WebSocket-Key ehTLIcXsKwaddkSug5rN9Q== > Sec-WebSocket-Version 13 > Upgrade websocket > User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like > Gecko > Query arguments: > url https://vpn.xxxx.com/Portal/Main > nocache 1632059231484 > ############################## > > And here is my config > > ************************* > upstream websocket { > server vpn.xxxx.com:443; > } > server { > listen 443 ssl; > server_name vpn.xxxx.com; > ssl_protocols TLSv1.2; > ssl_prefer_server_ciphers on; > ssl_session_cache shared:SSL:10m; > ssl_certificate /etc/nginx/ssls/labcerts/wild.crt; > 
ssl_certificate_key /etc/nginx/ssls/labcerts/wild.key; > ssl_ciphers > 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; > ssl_dhparam /etc/ssl/dhparams2048.pem; > add_header Strict-Transport-Security "max-age=31536000; > includeSubDomains; preload" always; > ssl_session_timeout 1d; > ssl_session_tickets off; > ssl_stapling on; > ssl_stapling_verify on; > resolver 8.8.8.8 8.8.4.4 valid=300s; > access_log /var/log/nginx/sslvpn/access.log; > error_log /var/log/nginx/sslvpn/error.log; > error_page 404 403 /custom_404.html; > location = /custom_404.html { > root /usr/share/nginx/html; > internal; > } > location /SNX/ { > proxy_pass https://websocket; > proxy_http_version 1.1; > proxy_set_header Upgrade $http_upgrade; > proxy_set_header Connection $connection_upgrade; > proxy_set_header Host $host; > } > location / { > proxy_send_timeout 90; > proxy_http_version 1.1; > proxy_read_timeout 90; > proxy_connect_timeout 30s; > proxy_pass https://websocket; > proxy_set_header Upgrade $http_upgrade; > proxy_set_header Connection $connection_upgrade; > proxy_ssl_server_name on; > proxy_redirect off; > proxy_set_header Host $host; > proxy_set_header X-Real-IP $remote_addr; > proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; > } > } > ******************************************** Could you try to slightly update your configuration to the "more sophisticated 
example" as it's described on http://nginx.org/en/docs/http/websocket.html

--
Sergey Osokin

From drodriguez at unau.edu.ar  Mon Sep 20 01:08:08 2021
From: drodriguez at unau.edu.ar (Daniel Armando Rodriguez)
Date: Sun, 19 Sep 2021 22:08:08 -0300
Subject: Reverse proxy redirection issue
In-Reply-To: <20210919070007.GS18734@daoine.org>
References: <4706c9478fff1c36af61132b6b7d899f@unau.edu.ar> <20210918080341.GR18734@daoine.org> <23dafc8f849a1a2b2b4a835bd316326a@unau.edu.ar> <20210919070007.GS18734@daoine.org>
Message-ID: <0c8b77a5a966af49025d7dcea5f21e27@unau.edu.ar>

On 2021-09-19 04:00, Francis Daly wrote:
> On Sat, Sep 18, 2021 at 09:16:28AM -0300, Daniel Armando Rodriguez wrote:
>> On 2021-09-18 05:03, Francis Daly wrote:
>> > On Fri, Sep 17, 2021 at 10:24:44PM -0300, Daniel Armando Rodriguez wrote:
>
> Hi there,
>
>> > if you do
>> >
>> > curl -i http://2.DOMAIN.edu.ar
>> >
>> > you get a http 301 redirect from nginx to https://1.DOMAIN.edu.ar (which
>> > is not what you want).
>> >
>> > Is that correct?
>>
>> Yep, that was exactly the issue. And saying 'was' 'cause this morning
>> everything is working like a charm. Without making any further
>> modification, I mean. Really don't know what has happened here, but glad
>> to see it working as expected.
>
> Great that you have a config and setup that now does what you want :-)
>
> Now that it isn't broken, with no known changes, it's hard to guess
> what might have been the problem. Maybe something restarted overnight,
> or caches cleared, or something odd like that.
>
> Cheers,
>
> f

Today I added a new domain, and the issue showed up again.

curl -i http://4.DOMAIN.edu.ar

Returns a redirect to https://4.DOMAIN.edu.ar

But

curl -i https://4.DOMAIN.edu.ar

Returns a redirect to https://4.DOMAIN.edu.ar

I really would like to understand why this happens.

This is the output of nginx -T

# configuration file /etc/nginx/sites-enabled/4.DOMAIN.edu.ar.conf:
server {
    listen 80;
    server_name 4.DOMAIN.edu.ar;
    server_tokens off;
    # Don't show the nginx version number

    include /etc/nginx/snippets/location-letsencrypt.conf;

    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;

    server_name 4.DOMAIN.edu.ar;
    server_tokens off;
    # Don't show the nginx version number

    include /etc/nginx/snippets/location-letsencrypt.conf;
    include /etc/nginx/snippets/ssl-params.conf;

    ssl_certificate /etc/letsencrypt/live/4.DOMAIN.edu.ar/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/4.DOMAIN.edu.ar/privkey.pem;

    location / {
        proxy_http_version 1.1;
        #For Websockets and keepalive connections
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        #required when using Websockets
        proxy_set_header Host $host;
        #Contains:
        # hostname from the request line,
        # or hostname from the Host request header field,
        # or the server name matching a request.
        proxy_set_header X-Real-IP $remote_addr;
        #Forwards the real visitor remote IP address
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #List containing the IP addresses of every server the client has been proxied through.
        proxy_set_header X-Forwarded-Proto $scheme;
        #When used inside an HTTPS server block,
        #each HTTP response from the proxied server is rewritten to HTTPS
        proxy_set_header X-Forwarded-Host $host;
        #Original host requested by the client
        proxy_set_header X-Forwarded-Port $server_port;
        #Original port requested by the client
        proxy_pass http://INTERNAL-IP/;
    }

    access_log /var/log/nginx/4.DOMAIN.edu.ar/access.log;
    error_log /var/log/nginx/4.DOMAIN.edu.ar/error.log;

}

From nginx-forum at forum.nginx.org  Mon Sep 20 02:30:42 2021
From: nginx-forum at forum.nginx.org (blason)
Date: Sun, 19 Sep 2021 22:30:42 -0400
Subject: Websocket is not working with Nginx Reverse Proxy
In-Reply-To:
References:
Message-ID:

Well - I tried that as well

************
location /SNX/ {
    proxy_pass https://websocket;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $host;
********************

And in nginx.conf file

http {
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

And still no luck - Here is what I see in access.log and it just stops there

182.48.206.98 - - [20/Sep/2021:07:59:32 +0530] "GET /Login/ComponentFrame?nPageMode=2&snxVersion=80,0,0064,18 HTTP/1.1" 200 1150 "https://vpn.xxxx.com/SNX/extender" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292420,292425#msg-292425

From jpfuntne at cisco.com  Mon Sep 20 13:17:55 2021
From: jpfuntne at cisco.com (John Pfuntner -X (jpfuntne - EASI LLC at Cisco))
Date: Mon, 20 Sep 2021 13:17:55 +0000
Subject: NGINX RPMs for RHEL 8 arm64?
Message-ID:

I am trying to install NGINX from package files (*.rpm, *.deb) on various arm64 Linux distros and the RPMs are not available for RHEL 8 at https://nginx.org/packages/mainline/rhel/8/.
RPMs are available for RHEL 7 and CentOS 8 at their respective URLs so I was disappointed that they are missing for RHEL 8. Are there plans to provide RPMs for RHEL 8 arm64? Are there issues with providing the RPMs?

From drodriguez at unau.edu.ar  Mon Sep 20 14:01:59 2021
From: drodriguez at unau.edu.ar (Daniel Armando Rodriguez)
Date: Mon, 20 Sep 2021 11:01:59 -0300
Subject: Reverse proxy redirection issue
In-Reply-To: <0c8b77a5a966af49025d7dcea5f21e27@unau.edu.ar>
References: <4706c9478fff1c36af61132b6b7d899f@unau.edu.ar> <20210918080341.GR18734@daoine.org> <23dafc8f849a1a2b2b4a835bd316326a@unau.edu.ar> <20210919070007.GS18734@daoine.org> <0c8b77a5a966af49025d7dcea5f21e27@unau.edu.ar>
Message-ID: <2a2a9b4708995a5486035e23197689fc@unau.edu.ar>

On 2021-09-19 22:08, Daniel Armando Rodriguez wrote:
> On 2021-09-19 04:00, Francis Daly wrote:
>> On Sat, Sep 18, 2021 at 09:16:28AM -0300, Daniel Armando Rodriguez wrote:
>>> On 2021-09-18 05:03, Francis Daly wrote:
>>> > On Fri, Sep 17, 2021 at 10:24:44PM -0300, Daniel Armando Rodriguez wrote:
>>
>> Hi there,
>>
>>> > if you do
>>> >
>>> > curl -i http://2.DOMAIN.edu.ar
>>> >
>>> > you get a http 301 redirect from nginx to https://1.DOMAIN.edu.ar (which
>>> > is not what you want).
>>> >
>>> > Is that correct?
>>>
>>> Yep, that was exactly the issue. And saying 'was' 'cause this morning
>>> everything is working like a charm. Without making any further
>>> modification, I mean. Really don't know what has happened here, but glad
>>> to see it working as expected.
>>
>> Great that you have a config and setup that now does what you want :-)
>>
>> Now that it isn't broken, with no known changes, it's hard to guess
>> what might have been the problem. Maybe something restarted overnight,
>> or caches cleared, or something odd like that.
>>
>> Cheers,
>>
>> f
>
> Today I added a new domain, and the issue showed up again.
>
> curl -i http://4.DOMAIN.edu.ar
>
> Returns a redirect to https://4.DOMAIN.edu.ar
>
> But
>
> curl -i https://4.DOMAIN.edu.ar
>
> Returns a redirect to https://4.DOMAIN.edu.ar
>
> I really would like to understand why this happens.
>
> This is the output of nginx -T
>
> # configuration file /etc/nginx/sites-enabled/4.DOMAIN.edu.ar.conf:
> server {
>     listen 80;
>     server_name 4.DOMAIN.edu.ar;
>     server_tokens off;
>     # Don't show the nginx version number
>
>     include /etc/nginx/snippets/location-letsencrypt.conf;
>
>     return 301 https://$server_name$request_uri;
> }
>
> server {
>     listen 443 ssl http2;
>
>     server_name 4.DOMAIN.edu.ar;
>     server_tokens off;
>     # Don't show the nginx version number
>
>     include /etc/nginx/snippets/location-letsencrypt.conf;
>     include /etc/nginx/snippets/ssl-params.conf;
>
>     ssl_certificate /etc/letsencrypt/live/4.DOMAIN.edu.ar/fullchain.pem;
>     ssl_certificate_key /etc/letsencrypt/live/4.DOMAIN.edu.ar/privkey.pem;
>
>     location / {
>         proxy_http_version 1.1;
>         #For Websockets and keepalive connections
>         proxy_set_header Upgrade $http_upgrade;
>         proxy_set_header Connection "upgrade";
>         #required when using Websockets
>         proxy_set_header Host $host;
>         #Contains:
>         # hostname from the request line,
>         # or hostname from the Host request header field,
>         # or the server name matching a request.
>         proxy_set_header X-Real-IP $remote_addr;
>         #Forwards the real visitor remote IP address
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         #List containing the IP addresses of every server the client has been proxied through.
>         proxy_set_header X-Forwarded-Proto $scheme;
>         #When used inside an HTTPS server block,
>         #each HTTP response from the proxied server is rewritten to HTTPS
>         proxy_set_header X-Forwarded-Host $host;
>         #Original host requested by the client
>         proxy_set_header X-Forwarded-Port $server_port;
>         #Original port requested by the client
>         proxy_pass http://INTERNAL-IP/;
>     }
>
>     access_log /var/log/nginx/4.DOMAIN.edu.ar/access.log;
>     error_log /var/log/nginx/4.DOMAIN.edu.ar/error.log;
>
> }

Gave a try adding

server {
    listen 80;
    return 444;
}

server {
    listen 443;
    return 444;
}

to prevent processing requests with undefined server names, but the message was 'Connection closed'

From francis at daoine.org  Mon Sep 20 16:49:26 2021
From: francis at daoine.org (Francis Daly)
Date: Mon, 20 Sep 2021 17:49:26 +0100
Subject: Reverse proxy redirection issue
In-Reply-To: <0c8b77a5a966af49025d7dcea5f21e27@unau.edu.ar>
References: <4706c9478fff1c36af61132b6b7d899f@unau.edu.ar> <20210918080341.GR18734@daoine.org> <23dafc8f849a1a2b2b4a835bd316326a@unau.edu.ar> <20210919070007.GS18734@daoine.org> <0c8b77a5a966af49025d7dcea5f21e27@unau.edu.ar>
Message-ID: <20210920164926.GU18734@daoine.org>

On Sun, Sep 19, 2021 at 10:08:08PM -0300, Daniel Armando Rodriguez wrote:
> On 2021-09-19 04:00, Francis Daly wrote:

Hi there,

> Today I added a new domain, and the issue showed up again.
>
> curl -i http://4.DOMAIN.edu.ar
>
> Returns a redirect to https://4.DOMAIN.edu.ar

Ok, so that much is doing what is wanted.

> But
>
> curl -i https://4.DOMAIN.edu.ar
>
> Returns a redirect to https://4.DOMAIN.edu.ar

And that is a redirect loop, which is not what you want.

When you request https://4.DOMAIN.edu.ar, that should get to nginx, which should make a http request to INTERNAL_IP and return the response.
> server {
>     listen 443 ssl http2;
>
>     server_name 4.DOMAIN.edu.ar;

>     location / {
>         proxy_http_version 1.1;
>         #For Websockets and keepalive connections
>         proxy_set_header Upgrade $http_upgrade;
>         proxy_set_header Connection "upgrade";
>         #required when using Websockets
>         proxy_set_header Host $host;
...
>         proxy_pass http://INTERNAL-IP/;
>     }

What response do you get if you start on the nginx server and run the command

curl -v -H Host:4.DOMAIN.edu.ar http://INTERNAL-IP/

?

I'm not sure if the Connection header will make a difference here; it is possible that some of the X- headers are specially handled by the internal server; and maybe adding --http1.1 to the curl command line will make a difference too.

The aim is to see how the internal server responds, to see if there is an nginx-side config that can be made to make the end-user experience more useful.

It is possible that the internal server logs, or the nginx debug log, could give more detail; but the "curl" command is probably relatively quick to run and interpret.

Cheers,

f
--
Francis Daly        francis at daoine.org

From francis at daoine.org  Mon Sep 20 17:12:01 2021
From: francis at daoine.org (Francis Daly)
Date: Mon, 20 Sep 2021 18:12:01 +0100
Subject: Nginx reverse proxy regex help
In-Reply-To: <11f1b7e49c263c9c2f84030d568cb7af.NginxMailingListEnglish@forum.nginx.org>
References: <20210919071535.GT18734@daoine.org> <11f1b7e49c263c9c2f84030d568cb7af.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20210920171201.GV18734@daoine.org>

On Sun, Sep 19, 2021 at 08:44:18AM -0400, blason wrote:

Hi there,

> Well actually while doing a curl request site is being moved and here is I
> am getting
>
> > curl -vk https://xx.xx.xx/TestPage/

I'm not sure if this xx.xx.xx is a hostname or an IP address; or how it compares to any of the previous xx.ss strings.

"-k" is "accept the server certificate, no matter what"; that's a reasonable test here, if your nginx is doing the same thing.

"-v" output would normally show the IP address that is connected to; and the http response headers, which for a 301 redirect would include a "Location:" header that may or may not match something that nginx expects to modify before it returns it to the client.

All of that information should help you see where things start to go wrong.

It looks like in your follow-up mail, you have found a configuration that works, by making sure that the back-end is using the site that you want it to be using for this request from the nginx server.

Good stuff!

Cheers,

f
--
Francis Daly        francis at daoine.org

From jpfuntne at cisco.com  Mon Sep 20 19:36:07 2021
From: jpfuntne at cisco.com (John Pfuntner -X (jpfuntne - EASI LLC at Cisco))
Date: Mon, 20 Sep 2021 19:36:07 +0000
Subject: NGINX RPMs for RHEL 8 arm64?
In-Reply-To:
References:
Message-ID:

I noticed that Debian 9 doesn't have arm64 packages at https://nginx.org/packages/mainline/debian/dists/stretch/nginx/ either. I was able to get nginx installed but it installed an old version (1.10.3) which came from the regular Debian package sources but I want a newer version. Debian 10 has arm64 packages at https://nginx.org/packages/mainline/debian/dists/buster/nginx/. Can the arm64 packages be made available for Debian 9?

From: nginx On Behalf Of John Pfuntner -X (jpfuntne - EASI LLC at Cisco)
Sent: Monday, September 20, 2021 9:18 AM
To: nginx at nginx.org
Subject: NGINX RPMs for RHEL 8 arm64?

I am trying to install NGINX from package files (*.rpm, *.deb) on various arm64 Linux distros and the RPMs are not available for RHEL 8 at https://nginx.org/packages/mainline/rhel/8/. RPMs are available for RHEL 7 and CentOS 8 at their respective URLs so I was disappointed that they are missing for RHEL 8.

Are there plans to provide RPMs for RHEL 8 arm64? Are there issues with providing the RPMs?
From drodriguez at unau.edu.ar  Mon Sep 20 20:20:55 2021
From: drodriguez at unau.edu.ar (Daniel Armando Rodriguez)
Date: Mon, 20 Sep 2021 17:20:55 -0300
Subject: Reverse proxy redirection issue
In-Reply-To: <20210920164926.GU18734@daoine.org>
References: <4706c9478fff1c36af61132b6b7d899f@unau.edu.ar> <20210918080341.GR18734@daoine.org> <23dafc8f849a1a2b2b4a835bd316326a@unau.edu.ar> <20210919070007.GS18734@daoine.org> <0c8b77a5a966af49025d7dcea5f21e27@unau.edu.ar> <20210920164926.GU18734@daoine.org>
Message-ID: <1169d7081d9c5d3fe2e5980a1419bd39@unau.edu.ar>

On 2021-09-20 13:49, Francis Daly wrote:
> On Sun, Sep 19, 2021 at 10:08:08PM -0300, Daniel Armando Rodriguez wrote:
>> On 2021-09-19 04:00, Francis Daly wrote:
>
> Hi there,
>
>> Today I added a new domain, and the issue showed up again.
>>
>> curl -i http://4.DOMAIN.edu.ar
>>
>> Returns a redirect to https://4.DOMAIN.edu.ar
>
> Ok, so that much is doing what is wanted.
>
>> But
>>
>> curl -i https://4.DOMAIN.edu.ar
>>
>> Returns a redirect to https://4.DOMAIN.edu.ar
>
> And that is a redirect loop, which is not what you want.
>
> When you request https://4.DOMAIN.edu.ar, that should get to nginx,
> which should make a http request to INTERNAL_IP and return the
> response.
>
>> server {
>>     listen 443 ssl http2;
>>
>>     server_name 4.DOMAIN.edu.ar;
>
>>     location / {
>>         proxy_http_version 1.1;
>>         #For Websockets and keepalive connections
>>         proxy_set_header Upgrade $http_upgrade;
>>         proxy_set_header Connection "upgrade";
>>         #required when using Websockets
>>         proxy_set_header Host $host;
> ...
>>         proxy_pass http://INTERNAL-IP/;
>>     }
>
> What response do you get if you start on the nginx server and run the
> command
>
> curl -v -H Host:4.DOMAIN.edu.ar http://INTERNAL-IP/
>
> ?
>
> I'm not sure if the Connection header will make a difference here;
> it is possible that some of the X- headers are specially handled by the
> internal server; and maybe adding --http1.1 to the curl command line
> will make a difference too.
>
> The aim is to see how the internal server responds, to see if there is
> an nginx-side config that can be made to make the end-user experience
> more useful.
>
> It is possible that the internal server logs, or the nginx debug log,
> could give more detail; but the "curl" command is probably relatively
> quick to run and interpret.
>
> Cheers,
>
> f

This is the output

# curl -v -H Host:4.DOMAIN.edu.ar http://INTERNAL-IP/
* Expire in 0 ms for 6 (transfer 0x56179d823c10)
*   Trying INTERNAL-IP...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x56179d823c10)
* Connected to INTERNAL-IP (INTERNAL-IP) port 80 (#0)
> GET / HTTP/1.1
> Host:4.DOMAIN.edu.ar
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Mon, 20 Sep 2021 20:07:38 GMT
< Server: Apache/2.4.38
< X-Pingback: http://1.DOMAIN.edu.ar/xmlrpc.php
< X-Redirect-By: WordPress
< Location: https://1.DOMAIN.edu.ar/
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host INTERNAL-IP left intact

However, the same target machine hosts other services (each one with its own subdomain: 1, 2 & 3) that also go through the proxy. And they work as expected. Just to compare, this is the output.

# curl -v -H Host:2.DOMAIN.edu.ar http://INTERNAL-IP/
* Expire in 0 ms for 6 (transfer 0x55c30497ac10)
*   Trying INTERNAL-IP...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x55c30497ac10)
* Connected to INTERNAL-IP (INTERNAL-IP) port 80 (#0)
> GET / HTTP/1.1
> Host:2.DOMAIN.edu.ar
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 20 Sep 2021 20:12:01 GMT
< Server: Apache/2.4.38
< Set-Cookie: PHPSESSID=qujrksv6dbcf4t2pvf53judvnk; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Vary: Accept-Encoding
< Content-Length: 4364
< Content-Type: text/html; charset=UTF-8

From osa at freebsd.org.ru  Mon Sep 20 23:04:33 2021
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Tue, 21 Sep 2021 02:04:33 +0300
Subject: Websocket is not working with Nginx Reverse Proxy
In-Reply-To:
References:
Message-ID:

On Sun, Sep 19, 2021 at 10:30:42PM -0400, blason wrote:
> Well - I tried that as well
>
> ************
> location /SNX/ {
>     proxy_pass https://websocket;
>     proxy_http_version 1.1;
>     proxy_set_header Upgrade $http_upgrade;
>     proxy_set_header Connection $connection_upgrade;
>     proxy_set_header Connection "Upgrade";
>     proxy_set_header Host $host;
> ********************
> And in nginx.conf file
>
> http {
>     map $http_upgrade $connection_upgrade {
>         default upgrade;
>         '' close;
>     }
>
> And still no luck - Here is what I see in access.log and it just stops
> there
>
> 182.48.206.98 - - [20/Sep/2021:07:59:32 +0530] "GET
> /Login/ComponentFrame?nPageMode=2&snxVersion=80,0,0064,18 HTTP/1.1" 200 1150
> "https://vpn.xxxx.com/SNX/extender" "Mozilla/5.0 (Windows NT 10.0; WOW64;
> Trident/7.0; rv:11.0) like Gecko"

So, I'd try to extend log_format by adding the variables from the map directive to the log file to see what's going on. And if that doesn't help I'd enable the debug log.
--
Sergey Osokin

From nginx-forum at forum.nginx.org  Tue Sep 21 03:17:55 2021
From: nginx-forum at forum.nginx.org (blason)
Date: Mon, 20 Sep 2021 23:17:55 -0400
Subject: Websocket is not working with Nginx Reverse Proxy
In-Reply-To:
References:
Message-ID: <56553637e74e76ae0a8f8eb1b9e93f35.NginxMailingListEnglish@forum.nginx.org>

Bummer!! I am not that pro - but would really appreciate if you can give me certain reference links or configuration? Please

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292420,292447#msg-292447

From nginx-forum at forum.nginx.org  Tue Sep 21 03:51:40 2021
From: nginx-forum at forum.nginx.org (blason)
Date: Mon, 20 Sep 2021 23:51:40 -0400
Subject: Port redirection is not working as expected
Message-ID:

Hi Team,

Here is one more issue I am facing. I have portal running on http://test.example.com:8080/AppWise and http://test.example.com/WebAdmin

Now I diverted that portal through Nginx reverse proxy here is my config

**********
server {
    listen 8080;
    listen 80;
    server_name test.example.com;
    access_log /var/log/nginx/twprod/access.log;
    error_log /var/log/nginx/twprod/error.log;
    include /etc/nginx/applox/feeds/badips.txt;
    location /AppWise/{
        client_max_body_size 10m;
        client_body_buffer_size 128k;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size 256k;
        proxy_connect_timeout 30s;
        proxy_pass http://test.example.com:8080;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /WebAdmin/{
        client_max_body_size 10m;
        client_body_buffer_size 128k;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size 256k;
        proxy_connect_timeout 30s;
        proxy_pass http://test.example.com:8080;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
*******************

The thing is First page open properly and then it asks for username password; this is fine. now after login suddenly I receive 302 and page is diverted to http://test/example.com/Appwise/<...........REST of the URI.....>

#############
10.0.22.99 - - [20/Sep/2021:18:41:05 +0530] "POST /AppWise/servlet/TeamAccess/Login HTTP/1.1" 302 0 "http://test.example.com:8080/AppWise/servlet/TeamAccess/Login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36"
10.0.22.99 - - [20/Sep/2021:18:47:42 +0530] "POST /AppWise/servlet/TeamAccess/Login HTTP/1.1" 302 0 "http://test.example.com:8080/AppWise/servlet/TeamAccess/Login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36"
10.0.22.99 - - [20/Sep/2021:18:51:04 +0530] "POST /AppWise/servlet/TeamAccess/Login HTTP/1.1" 302 0 "http://test.example.com:8080/AppWise/servlet/TeamAccess/Login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36"
###############

I expected for this page to stay at http://test.example.com:8080

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292448,292448#msg-292448

From thresh at nginx.com  Tue Sep 21 08:19:36 2021
From: thresh at nginx.com (Konstantin Pavlov)
Date: Tue, 21 Sep 2021 11:19:36 +0300
Subject: NGINX RPMs for RHEL 8 arm64?
In-Reply-To:
References:
Message-ID: <8e16bea2-a090-afab-1e86-1f420416fd73@nginx.com>

Hi John,

Regarding the RHEL 8 aarch64 packages - they're now available at the expected place - thanks!

For Debian 9, it's not possible since the distribution is officially EOL by the vendor (LTS is not an official security support), so we don't build nginx packages for that operating system anymore. Please use Debian 10 and Debian 11 instead.

Have a great day,

20.09.2021 22:36, John Pfuntner -X (jpfuntne - EASI LLC at Cisco) wrote:
> I noticed that Debian 9 doesn't have arm64 packages at
> https://nginx.org/packages/mainline/debian/dists/stretch/nginx/
> either. I was able to get nginx installed but it installed an old
> version (1.10.3) which came from the regular Debian package sources but
> I want a newer version. Debian 10 has arm64 packages at
> https://nginx.org/packages/mainline/debian/dists/buster/nginx/. Can
> the arm64 packages be made available for Debian 9?
>
> *From:* nginx *On Behalf Of *John Pfuntner -X
> (jpfuntne - EASI LLC at Cisco)
> *Sent:* Monday, September 20, 2021 9:18 AM
> *To:* nginx at nginx.org
> *Subject:* NGINX RPMs for RHEL 8 arm64?
>
> I am trying to install NGINX from package files (*.rpm, *.deb) on
> various arm64 Linux distros and the RPMs are not available for RHEL 8 at
> https://nginx.org/packages/mainline/rhel/8/. RPMs are available for
> RHEL 7 and CentOS 8 at their respective URLs so I was disappointed that
> they are missing for RHEL 8.
>
> Are there plans to provide RPMs for RHEL 8 arm64? Are there issues
> with providing the RPMs?
>

--
Konstantin Pavlov
https://www.nginx.com/

From francis at daoine.org  Tue Sep 21 12:23:45 2021
From: francis at daoine.org (Francis Daly)
Date: Tue, 21 Sep 2021 13:23:45 +0100
Subject: Reverse proxy redirection issue
In-Reply-To: <1169d7081d9c5d3fe2e5980a1419bd39@unau.edu.ar>
References: <4706c9478fff1c36af61132b6b7d899f@unau.edu.ar> <20210918080341.GR18734@daoine.org> <23dafc8f849a1a2b2b4a835bd316326a@unau.edu.ar> <20210919070007.GS18734@daoine.org> <0c8b77a5a966af49025d7dcea5f21e27@unau.edu.ar> <20210920164926.GU18734@daoine.org> <1169d7081d9c5d3fe2e5980a1419bd39@unau.edu.ar>
Message-ID: <20210921122345.GW18734@daoine.org>

On Mon, Sep 20, 2021 at 05:20:55PM -0300, Daniel Armando Rodriguez wrote:
> On 2021-09-20 13:49, Francis Daly wrote:
> > On Sun, Sep 19, 2021 at 10:08:08PM -0300, Daniel Armando Rodriguez wrote:

Hi there,

> > > curl -i https://4.DOMAIN.edu.ar
> > >
> > > Returns a redirect to https://4.DOMAIN.edu.ar
> >
> > And that is a redirect loop, which is not what you want.
> >
> > When you request https://4.DOMAIN.edu.ar, that should get to nginx,
> > which should make a http request to INTERNAL_IP and return the response.

> > What response do you get if you start on the nginx server and run the
> > command
> >
> > curl -v -H Host:4.DOMAIN.edu.ar http://INTERNAL-IP/

> This is the output
>
> # curl -v -H Host:4.DOMAIN.edu.ar http://INTERNAL-IP/

> > GET / HTTP/1.1
> > Host:4.DOMAIN.edu.ar

> < HTTP/1.1 301 Moved Permanently
> < Location: https://1.DOMAIN.edu.ar/

This indicates that the internal web server is returning a redirect to https://1, when you ask it for http://4.

Is there any chance that that internal web server is not yet configured to believe that it is 4, and it instead redirects to its default name of 1?

> However, the same target machine hosts other services (each one with its own
> subdomain: 1, 2 & 3) that also go through the proxy. And they work as
> expected. Just to compare, this is the output.
>
> # curl -v -H Host:2.DOMAIN.edu.ar http://INTERNAL-IP/

> > GET / HTTP/1.1
> > Host:2.DOMAIN.edu.ar

> < HTTP/1.1 200 OK

(And, presumably, the correct content from 2.)

That might also explain why the first test failed, then started working -- perhaps the internal web server reloaded its configuration and it started behaving as expected?

(And maybe it works for 4 now too, if the config reloaded over night?)

Cheers,

f
--
Francis Daly        francis at daoine.org

From drodriguez at unau.edu.ar  Tue Sep 21 13:04:16 2021
From: drodriguez at unau.edu.ar (Daniel Armando Rodriguez)
Date: Tue, 21 Sep 2021 10:04:16 -0300
Subject: Reverse proxy redirection issue
In-Reply-To: <20210921122345.GW18734@daoine.org>
References: <4706c9478fff1c36af61132b6b7d899f@unau.edu.ar> <20210918080341.GR18734@daoine.org> <23dafc8f849a1a2b2b4a835bd316326a@unau.edu.ar> <20210919070007.GS18734@daoine.org> <0c8b77a5a966af49025d7dcea5f21e27@unau.edu.ar> <20210920164926.GU18734@daoine.org> <1169d7081d9c5d3fe2e5980a1419bd39@unau.edu.ar> <20210921122345.GW18734@daoine.org>
Message-ID:

On 2021-09-21 09:23, Francis Daly wrote:
> On Mon, Sep 20, 2021 at 05:20:55PM -0300, Daniel Armando Rodriguez wrote:
>> On 2021-09-20 13:49, Francis Daly wrote:
>> > On Sun, Sep 19, 2021 at 10:08:08PM -0300, Daniel Armando Rodriguez wrote:
>
> Hi there,
>
>> > > curl -i https://4.DOMAIN.edu.ar
>> > >
>> > > Returns a redirect to https://4.DOMAIN.edu.ar
>> >
>> > And that is a redirect loop, which is not what you want.
>> >
>> > When you request https://4.DOMAIN.edu.ar, that should get to nginx,
>> > which should make a http request to INTERNAL_IP and return the response.
>
>> > What response do you get if you start on the nginx server and run the
>> > command
>> >
>> > curl -v -H Host:4.DOMAIN.edu.ar http://INTERNAL-IP/
>
>> This is the output
>>
>> # curl -v -H Host:4.DOMAIN.edu.ar http://INTERNAL-IP/
>
>> > GET / HTTP/1.1
>> > Host:4.DOMAIN.edu.ar
>
>> < HTTP/1.1 301 Moved Permanently
>> < Location: https://1.DOMAIN.edu.ar/
>
> This indicates that the internal web server is returning a redirect to
> https://1, when you ask it for http://4.
>
> Is there any chance that that internal web server is not yet configured to
> believe that it is 4, and it instead redirects to its default name of 1?
>
>> However, the same target machine hosts other services (each one with its own
>> subdomain: 1, 2 & 3) that also go through the proxy. And they work as
>> expected. Just to compare, this is the output.
>>
>> # curl -v -H Host:2.DOMAIN.edu.ar http://INTERNAL-IP/
>
>> > GET / HTTP/1.1
>> > Host:2.DOMAIN.edu.ar
>
>> < HTTP/1.1 200 OK
>
> (And, presumably, the correct content from 2.)
>
> That might also explain why the first test failed, then started working
> -- perhaps the internal web server reloaded its configuration and it
> started behaving as expected?
>
> (And maybe it works for 4 now too, if the config reloaded over night?)
>
> Cheers,
>
> f

Well, reloaded conf in internal server but issue is still there. Seems there's some odd behaviour from Apache in that host. So, my quest will go that way.

Thanks for taking the time to read.

Regards

From shaam.ramphal at kpn.com  Wed Sep 22 09:48:55 2021
From: shaam.ramphal at kpn.com (shaam.ramphal at kpn.com)
Date: Wed, 22 Sep 2021 09:48:55 +0000
Subject: captive portal support
In-Reply-To:
References:
Message-ID:

Hi,

Does nginx have an official captive portal feature? Or does nginx support a specific captive portal setup?

Many thanks,
Shaam
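The redirect-loop thread above turns on one check: send the backend the same Host header nginx would send (Francis's `curl -v -H Host:4.DOMAIN.edu.ar http://INTERNAL-IP/`) and read the status and Location that come back. The script below is an added example for this archive page, not code from the thread or from nginx; it classifies a saved `curl -v` transcript the way Francis did by hand, distinguishing "the backend redirected to a different name (it served its default vhost)" from "the backend redirected the same name to https (a scheme loop behind a TLS-terminating proxy)". The two transcripts are constructed to mirror the results Daniel posted; `4.DOMAIN.edu.ar`, `1.DOMAIN.edu.ar` and `INTERNAL-IP` are the thread's own placeholders.

```python
"""Classify what a backend does with a Host-header probe, from a curl -v transcript.

Added example for this mailing-list archive; not code from the thread.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)


@dataclass
class ProbeResult:
    host_sent: str            # value of the Host header curl sent
    status: int               # HTTP status the backend returned (0 if none seen)
    location: Optional[str]   # Location header, if the backend redirected
    verdict: str


def classify(host_sent: str, status: int, location: Optional[str]) -> str:
    """Turn (Host sent, status, Location) into a one-line diagnosis."""
    if status in REDIRECTS and location:
        target = urlsplit(location)
        if target.hostname and target.hostname.lower() != host_sent.lower():
            return ("backend redirects to a different name; it probably does not "
                    "know this vhost and answered with its default site")
        if target.scheme == "https":
            return ("backend redirects same name to https; behind a TLS-terminating "
                    "proxy this loops unless the backend honours X-Forwarded-Proto")
        return "backend redirects within the same site"
    if 200 <= status < 300:
        return "backend serves the site directly"
    if status == 0:
        return "no HTTP status line found in transcript"
    return f"backend answered {status}"


def parse_transcript(text: str) -> ProbeResult:
    """Read the '>' request lines and '<' response lines curl -v prints."""
    host_sent, status, location = "", 0, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("> "):
            body = line[2:]
            if body.lower().startswith("host:"):
                host_sent = body[5:].strip()      # curl prints "Host:NAME" or "Host: NAME"
        elif line.startswith("< "):
            body = line[2:]
            if body.startswith("HTTP/"):
                parts = body.split()
                if len(parts) >= 2 and parts[1].isdigit():
                    status = int(parts[1])
            elif body.lower().startswith("location:"):
                location = body[9:].strip()
    return ProbeResult(host_sent, status, location, classify(host_sent, status, location))


# Constructed transcripts modelled on the two outputs in the thread (not captured data).
TRANSCRIPT_4 = """\
* Connected to INTERNAL-IP (INTERNAL-IP) port 80 (#0)
> GET / HTTP/1.1
> Host:4.DOMAIN.edu.ar
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: Apache/2.4.38
< X-Redirect-By: WordPress
< Location: https://1.DOMAIN.edu.ar/
< Content-Length: 0
<
"""

TRANSCRIPT_2 = """\
> GET / HTTP/1.1
> Host:2.DOMAIN.edu.ar
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: Apache/2.4.38
< Content-Length: 4364
<
"""

if __name__ == "__main__":
    for name, text in (("4", TRANSCRIPT_4), ("2", TRANSCRIPT_2)):
        r = parse_transcript(text)
        print(f"{name}: Host={r.host_sent} status={r.status} -> {r.verdict}")
```

Run against the thread's first transcript it reports the different-name case, which is exactly Francis's reading (the Apache/WordPress host answered for 4 with 1's canonical URL); the second transcript reports a direct 200. A same-name https redirect would instead point at the proxy-to-backend scheme handling.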
From osa at freebsd.org.ru  Wed Sep 22 17:27:05 2021
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Wed, 22 Sep 2021 20:27:05 +0300
Subject: Websocket is not working with Nginx Reverse Proxy
In-Reply-To: <56553637e74e76ae0a8f8eb1b9e93f35.NginxMailingListEnglish@forum.nginx.org>
References: <56553637e74e76ae0a8f8eb1b9e93f35.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

On Mon, Sep 20, 2021 at 11:17:55PM -0400, blason wrote:
> Bummer!! I am not that pro - but would really appreciate if you can give me
> certain reference links or configuration? Please

Here's the new log format:

log_format bummer '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for" '
                  '"$http_upgrade" "$connection_upgrade"';

It's possible to use it for a specific server or location:

access_log /path/to/access.log.with.bummer.format.log bummer;

In case of debugging log please follow the instruction on the next page,
http://nginx.org/en/docs/debugging_log.html

Hope that helps.

--
Sergey Osokin

From aomjeff.root at gmail.com  Mon Sep 27 12:47:53 2021
From: aomjeff.root at gmail.com (Aom Jeff Root)
Date: Mon, 27 Sep 2021 12:47:53 +0000
Subject: Load Balancing Apache Tomcat with Nginx : (OpenMeetings Cluster using Apache Tomcat Server)
Message-ID:

Hi dear,

- I'm a student and I work on an open source web conferencing project
(school project). I chose Openmeetings.
I work on clustering openmeetings with two nodes and I want to make a
single access point to the group of servers. I want to use nginx as the
load balancer.
How do I configure nginx to do that, or set up a custom nginx load
balancer for the clustered openmeetings app?

Kind regards,
Jeffrey - Student in computer science and *nix newbie.
From nginx-forum at forum.nginx.org  Tue Sep 28 08:57:05 2021
From: nginx-forum at forum.nginx.org (seekvn)
Date: Tue, 28 Sep 2021 04:57:05 -0400
Subject: How nginx's "location if" works (Was Re: Setting cache parameters via if directives)
In-Reply-To:
References:
Message-ID: <4a42ccc87421c7c045a5bacc4e5643b3.NginxMailingListEnglish@forum.nginx.org>

Hello

Help me convert this .htaccess content

RewriteEngine On
RewriteCond %{HTTP_REFERER} !domain1\.com [NC]
RewriteCond %{HTTP_REFERER} !domain2\.com [NC]
RewriteCond %{HTTP_REFERER} !domain3\.com [NC]
RewriteRule \.rar$ - [F,NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ http://domain1.com/file/$1 [L,R,NC]

Thanks

agentzh Wrote:
-------------------------------------------------------
> On Tue, Feb 1, 2011 at 11:45 PM, Ryan Malayter wrote:
> >
> > It does in fact work in production on nginx 0.7.6x. Below is my actual
> > configuration (trimmed to the essentials and with a few substitutions
> > of actual URIs).
> >
>
> Well, ngx_proxy module's directive inheritance is in action here,
> which gives you nice side effects that you want :)
>
> I'll analyze some examples here such that people *may* get some light.
>
> [Case 1]
>
> location /proxy {
>     set $a 32;
>     if ($a = 32) {
>         set $a 56;
>     }
>     set $a 76;
>     proxy_pass http://127.0.0.1:$server_port/$a;
> }
>
> location ~ /(\d+) {
>     echo $1;
> }
>
> Calling /proxy gives 76 because it works in the following steps:
>
> 1. Nginx runs all the rewrite phase directives in the order that
> they're in the config file, i.e.,
>
>     set $a 32;
>     if ($a = 32) {
>         set $a 56;
>     }
>     set $a 76;
>
> and $a gets the final value of 76.
>
> 2. Nginx traps into the "if" inner block because its condition $a = 32
> was met in step 1.
>
> 3. The inner block does not have any content handler, ngx_proxy
> inherits the content handler (that of ngx_proxy) in the outer scope
> (see src/http/modules/ngx_http_proxy_module.c:2025).
>
> 4. Also the config specified by proxy_pass also gets inherited by the
> inner "if" block (see src/http/modules/ngx_http_proxy_module.c:2015)
>
> 5. Request terminates (and the control flow never goes outside of the
> "if" block).
>
> That is, the proxy_pass directive in the outer scope will never run in
> this example. It is the "if" inner block that actually serves you.
>
> Let's see what happens when we override the inner "if" block's content
> handler with our own:
>
> [Case 2]
>
> location /proxy {
>     set $a 32;
>     if ($a = 32) {
>         set $a 56;
>         echo "a = $a";
>     }
>     set $a 76;
>     proxy_pass http://127.0.0.1:$server_port/$a;
> }
> location ~ /(\d+) {
>     echo $1;
> }
>
> You will get this while accessing /proxy:
>
>     a = 76
>
> Looks counter-intuitive? Oh, well, let's see what's happening this
> time:
>
> 1. Nginx runs all the rewrite phase directives in the order that
> they're in the config file, i.e.,
>
>     set $a 32;
>     if ($a = 32) {
>         set $a 56;
>     }
>     set $a 76;
>
> and $a gets the final value of 76.
>
> 2. Nginx traps into the "if" inner block because its condition $a = 32
> was met in step 1.
>
> 3. The inner block *does* have a content handler specified by "echo",
> then the value of $a (76) gets emitted to the client side.
>
> 4. Request terminates (and the control flow never goes outside of the
> "if" block), as in Case 1.
>
> We do have a choice to make Case 2 work as we like:
>
> [Case 3]
>
> location /proxy {
>     set $a 32;
>     if ($a = 32) {
>         set $a 56;
>         break;
>
>         echo "a = $a";
>     }
>     set $a 76;
>     proxy_pass http://127.0.0.1:$server_port/$a;
> }
> location ~ /(\d+) {
>     echo $1;
> }
>
> This time, we just add a "break" directive inside the if block. This
> will stop nginx from running the rest of the ngx_rewrite directives.
> So we get
>
>     a = 56
>
> So this time, nginx works this way:
>
> 1. Nginx runs all the rewrite phase directives in the order that
> they're in the config file, i.e.,
>
>     set $a 32;
>     if ($a = 32) {
>         set $a 56;
>         break;
>     }
>
> and $a gets the final value of 56.
>
> 2. Nginx traps into the "if" inner block because its condition $a = 32
> was met in step 1.
>
> 3. The inner block *does* have a content handler specified by "echo",
> then the value of $a (56) gets emitted to the client side.
>
> 4. Request terminates (and the control flow never goes outside of the
> "if" block), just as in Case 1.
>
> Okay, you see how ngx_proxy module's config inheritance among nested
> locations takes the key role here, and makes you *believe* it works the
> way that you want. But other modules (like "echo" mentioned in one of
> my earlier emails) may not inherit content handlers in nested
> locations (in fact, most content handler modules, including upstream
> ones, don't).
>
> And one must be careful about bad side effects of config inheritance
> of "if" blocks in other cases, consider the following example:
>
> [Case 5]
>
> location /proxy {
>     set $a 32;
>     if ($a = 32) {
>         return 404;
>     }
>     set $a 76;
>     proxy_pass http://127.0.0.1:$server_port/$a;
>     more_set_headers "X-Foo: $a";
> }
> location ~ /(\d+) {
>     echo $1;
> }
>
> Here, ngx_header_more's "more_set_headers" will also be inherited by
> the implicit location created by the "if" block. So you will get:
>
>     curl localhost/proxy
>     HTTP/1.1 404 Not Found
>     Server: nginx/0.8.54 (without pool)
>     Date: Mon, 14 Feb 2011 05:24:00 GMT
>     Content-Type: text/html
>     Content-Length: 184
>     Connection: keep-alive
>     X-Foo: 32
>
> which may or may not be what you want :)
>
> BTW, the "add_header" directive will not emit a "X-Foo" header in this
> case, and it does not mean no directive inheritance happens here, but
> add_header's header filter will skip 404 responses.
>
> You see, how tricky it is behind the scene! No wonder people keep
> saying "nginx's if is evil".
>
> Cheers,
> -agentzh
>
> Disclaimer: There may be other corner cases that I've missed here, and
> other more knowledgeable people can correct me wherever I'm wrong :)
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://nginx.org/mailman/listinfo/nginx

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,174917,292478#msg-292478

From nginx-forum at forum.nginx.org  Tue Sep 28 10:02:14 2021
From: nginx-forum at forum.nginx.org (Hukato)
Date: Tue, 28 Sep 2021 06:02:14 -0400
Subject: upstream timed out (110: Connection timed out) while reading response header from upstream.
In-Reply-To:
References:
Message-ID: <1d267db50b1be0ce424379a1fce16e52.NginxMailingListEnglish@forum.nginx.org>

Were you able to figure this out?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,289511,292479#msg-292479

From keith6014 at gmail.com  Tue Sep 28 19:29:24 2021
From: keith6014 at gmail.com (Keith Brown)
Date: Tue, 28 Sep 2021 15:29:24 -0400
Subject: nginx authentication and authorization
Message-ID:

I have two modules: spnego-http-auth-nginx-module and nginx-auth-ldap
working perfectly. However, I am just not sure how to make them work
together.

I have an endpoint /login which gives me the remote_user because I am
using auth_gss. How can I use that information to check if the user is
in a LDAP group?

From nginx-forum at forum.nginx.org  Tue Sep 28 20:25:21 2021
From: nginx-forum at forum.nginx.org (grrusaps)
Date: Tue, 28 Sep 2021 16:25:21 -0400
Subject: Reverse Proxy - API call errors with Sign in failed because the number of sessions has reached the licensed limit
Message-ID:

We have Laserfiche (document management system) installed on a Windows
server with IIS. We have another system that makes calls to our Docusign
subscription and triggers a pull of the signed documents into the
Laserfiche repository when new docs are available with an authenticated
API call.
Additionally users can log into this site and access the user interactive
document management system through authentication within the application.
Currently this has traffic going to the web ports directly to IIS without
any issue.

We are looking to add in Nginx with ModSecurity for added protection of
this service. The Nginx is set up with HTTPS and the backend IIS server
also uses HTTPS. Working on just the reverse proxy portion at this point
and we have the user interactive site working fine where users can log in
and do all normal functions within the platform.

The issue we have is when we trigger a download of the Docusign documents.
We can get 2 of the documents to load before we start getting the message
"Sign in failed because the number of sessions has reached the licensed
limit, or the user account has reached its session limit, or no named user
license has been allocated to the user account. [9030]" from the
LaserFiche.HandlerService.

At this point it appears that the way we have Nginx set up, it is making
each document/call from Docusign a separate connection to the backend
IIS/Laserfiche server, which we believe is why we are seeing the account
have too many sessions. Going straight to the IIS server, this works
without error.

Looking for any pointers of what we are doing wrong or things we can try
to correct our config and have this working.

sitename.conf

server {
    # SSL configuration
    #
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2;
    ssl_certificate /etc/nginx/ssl/wildcard_domain_net.crt;
    ssl_certificate_key /etc/nginx/ssl/wildcard_domain_net.key;
    gzip off;
    server_name lf.domain.net;

    # Tell client which ciphers are available
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp521r1:secp384r1;
    ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    # Set HSTS to 365 days
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;

    location / {
        proxy_pass https://backend_server_ip/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-User $http_authorization;
        proxy_set_header Authorization $http_authorization;
        proxy_pass_header Authorization;
    }

    location /mobile/ {
        # set mobile to forbidden to protect it
        return 403;
        #root /var/www/html;
    }
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292487,292487#msg-292487

From jfs.world at gmail.com  Wed Sep 29 04:47:58 2021
From: jfs.world at gmail.com (Jeffrey 'jf' Lim)
Date: Wed, 29 Sep 2021 12:47:58 +0800
Subject: ssl_stapling_verify: do we need 'ssl_trusted_certificate' if the intermediate certs are present in ssl_certificate?
Message-ID:

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
has a note about not needing 'ssl_trusted_certificate' if
ssl_certificate has intermediate certificates. I do not see a similar
note for ssl_stapling_verify
(http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling_verify)
though. Is this also the same?
-jf

--
He who settles on the idea of the intelligent man as a static entity
only shows himself to be a fool.

From nginx-forum at forum.nginx.org  Wed Sep 29 13:20:20 2021
From: nginx-forum at forum.nginx.org (rjvbzeoibvpzie)
Date: Wed, 29 Sep 2021 09:20:20 -0400
Subject: Nginx upstream return name instead of server ip
Message-ID: <4458d3936b6f3776c44c7992c97e899b.NginxMailingListEnglish@forum.nginx.org>

Here is my config:

-----
upstream http_backend {
    server 127.0.0.1:81;
    server 10.1.1.2 backup;
}

server {
    ...

    location /http/ {
        proxy_pass http://http_backend;
        ...
    }
}
-----

As long as everything is working, $upstream_addr returns the IP
(127.0.0.1:81). But when any backend returns HTTP/502, $upstream_addr
returns the upstream name (http_backend) as the $upstream_addr.

Shouldn't this return the latest server IP tried before failure?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292491,292491#msg-292491

From mdounin at mdounin.ru  Wed Sep 29 13:23:46 2021
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 29 Sep 2021 16:23:46 +0300
Subject: ssl_stapling_verify: do we need 'ssl_trusted_certificate' if the intermediate certs are present in ssl_certificate?
In-Reply-To:
References:
Message-ID:

Hello!

On Wed, Sep 29, 2021 at 12:47:58PM +0800, Jeffrey 'jf' Lim wrote:

> http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
> has a note about not needing 'ssl_trusted_certificate' if
> ssl_certificate has intermediate certificates. I do not see a similar
> note for ssl_stapling_verify
> (http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling_verify)
> though. Is this also the same?

No. To verify OCSP response OpenSSL needs a full chain up to a
trusted root certificate.
--
Maxim Dounin
http://mdounin.ru/

From mdounin at mdounin.ru  Wed Sep 29 13:28:42 2021
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 29 Sep 2021 16:28:42 +0300
Subject: Nginx upstream return name instead of server ip
In-Reply-To: <4458d3936b6f3776c44c7992c97e899b.NginxMailingListEnglish@forum.nginx.org>
References: <4458d3936b6f3776c44c7992c97e899b.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

Hello!

On Wed, Sep 29, 2021 at 09:20:20AM -0400, rjvbzeoibvpzie wrote:

> Here is my config:
>
> -----
> upstream http_backend {
>     server 127.0.0.1:81;
>     server 10.1.1.2 backup;
> }
>
> server {
>     ...
>
>     location /http/ {
>         proxy_pass http://http_backend;
>         ...
>     }
> }
> -----
>
> As long as everything is working, $upstream_addr returns the IP
> (127.0.0.1:81). But when any backend returns HTTP/502, $upstream_addr
> returns the upstream name (http_backend) as the $upstream_addr.
>
> Shouldn't this return the latest server IP tried before failure?

The upstream name can be seen in $upstream_addr as long as nginx is
not able to select an upstream server because all servers are not
available per max_fails/fail_timeout. The "no live upstreams" error
is logged at the same time.

--
Maxim Dounin
http://mdounin.ru/

From jfs.world at gmail.com  Wed Sep 29 13:42:01 2021
From: jfs.world at gmail.com (Jeffrey 'jf' Lim)
Date: Wed, 29 Sep 2021 21:42:01 +0800
Subject: ssl_stapling_verify: do we need 'ssl_trusted_certificate' if the intermediate certs are present in ssl_certificate?
In-Reply-To:
References:
Message-ID:

On Wed, Sep 29, 2021 at 9:24 PM Maxim Dounin wrote:
>
> Hello!
>
> On Wed, Sep 29, 2021 at 12:47:58PM +0800, Jeffrey 'jf' Lim wrote:
>
> > http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
> > has a note about not needing 'ssl_trusted_certificate' if
> > ssl_certificate has intermediate certificates. I do not see a similar
> > note for ssl_stapling_verify
> > (http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling_verify)
> > though. Is this also the same?
>
> No. To verify OCSP response OpenSSL needs a full chain up to a
> trusted root certificate.
>

Ok. I am reading the description for ssl_stapling again, and am wanting
to clarify a few things.

if "ssl_stapling on":
    if the certificate of the server certificate issuer is present in
    , we do not need to have
    otherwise must have the certificate of the server certificate issuer

if "ssl_stapling_verify on":
    if has the full chain, we *still* need

Is my understanding correct?

thanks,
-jf

From nginx-forum at forum.nginx.org  Wed Sep 29 13:43:54 2021
From: nginx-forum at forum.nginx.org (rjvbzeoibvpzie)
Date: Wed, 29 Sep 2021 09:43:54 -0400
Subject: Nginx upstream return name instead of server ip
In-Reply-To:
References:
Message-ID: <696203805596324322b6fc506072f2a4.NginxMailingListEnglish@forum.nginx.org>

Well, I was just assuming that no live upstreams were available, but
this is not the case. At least, this is not logged (access or error).
Here are the lines from access_log I'm talking about (see the difference
on $upstream_addr):

----
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for" '
                '$request_length $request_time '
                '"$upstream_addr" "$upstream_response_length" "time=$upstream_response_time" "$host" "$limit_req_status"';
----

----
208.115.199.18 - - [29/Sep/2021:12:42:43 +0200] "GET /login HTTP/1.1" 200 150 "https://example.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)" "-" 408 0.105 "127.0.0.1:81" "0" "time=0.000" "example.com" "PASSED"
----

----
208.115.199.18 - - [29/Sep/2021:12:43:35 +0200] "GET /login HTTP/1.1" 502 150 "https://example.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)" "-" 408 0.000 "http_backend" "0" "time=0.000" "example.com" "PASSED"
----

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292491,292494#msg-292494

From mdounin at mdounin.ru  Wed Sep 29 14:00:03 2021
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 29 Sep 2021 17:00:03 +0300
Subject: Nginx upstream return name instead of server ip
In-Reply-To: <696203805596324322b6fc506072f2a4.NginxMailingListEnglish@forum.nginx.org>
References: <696203805596324322b6fc506072f2a4.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

Hello!

On Wed, Sep 29, 2021 at 09:43:54AM -0400, rjvbzeoibvpzie wrote:

> Well, I was just assuming that no live upstreams were available, but
> this is not the case. At least, this is not logged (access or error).

The "no live upstreams" error is expected to be logged to the
error log at the "error" level. If you don't see it in the error
log, check your logging configuration.
--
Maxim Dounin
http://mdounin.ru/

From nginx-forum at forum.nginx.org  Wed Sep 29 14:41:20 2021
From: nginx-forum at forum.nginx.org (rjvbzeoibvpzie)
Date: Wed, 29 Sep 2021 10:41:20 -0400
Subject: Nginx upstream return name instead of server ip
In-Reply-To:
References:
Message-ID: <6dc3448f7cc3111c690c72d6d4f0d66c.NginxMailingListEnglish@forum.nginx.org>

You are right, those lines are logged (I've forced upstreams to fail by
stopping them).

But I can't see such a problem using "proxy_pass http://127.0.0.1:81"
instead of "proxy_pass http://http_backend" (no more 502 errors).

Strange...

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292491,292498#msg-292498

From axespam at protonmail.com  Wed Sep 29 17:13:38 2021
From: axespam at protonmail.com (axespam)
Date: Wed, 29 Sep 2021 17:13:38 +0000
Subject: WebDAV permission error
Message-ID:

Hello, I am trying to set up a WebDAV share but I am running into an
issue. After I have the WebDAV share created and mounted I can delete
files but not folders. When I try to delete a folder it says I don't
have permissions. I have given rw access to all.

This is the error log from trying to delete the folder.

2021/09/29 01:20:00 [error] 3098#3098: *1 DELETE "/data/dav/http/dav/test/del" failed (21: Is a directory), client: 10.0.5.5, server: localhost, request: "DELETE /dav/test/del HTTP/1.1", host: "192.168.0.129"

Any help appreciated thank you

From nginx-forum at forum.nginx.org  Wed Sep 29 17:19:24 2021
From: nginx-forum at forum.nginx.org (Lucky Prince)
Date: Wed, 29 Sep 2021 13:19:24 -0400
Subject: captive portal support
Message-ID: <891c6500b158fcf28bf4f33ccec6e45d.NginxMailingListEnglish@forum.nginx.org>

Hi,

Does nginx have an official captive portal feature? Or does nginx support
a specific captive portal setup?

Many thanks,
Lucky Prince

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292500,292500#msg-292500

From mdounin at mdounin.ru  Wed Sep 29 17:21:50 2021
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 29 Sep 2021 20:21:50 +0300
Subject: Nginx upstream return name instead of server ip
In-Reply-To: <6dc3448f7cc3111c690c72d6d4f0d66c.NginxMailingListEnglish@forum.nginx.org>
References: <6dc3448f7cc3111c690c72d6d4f0d66c.NginxMailingListEnglish@forum.nginx.org>
Message-ID:

Hello!

On Wed, Sep 29, 2021 at 10:41:20AM -0400, rjvbzeoibvpzie wrote:

> You are right, those lines are logged (I've forced upstreams to fail by
> stopping them).
>
> But I can't see such a problem using "proxy_pass http://127.0.0.1:81"
> instead of "proxy_pass http://http_backend" (no more 502 errors).
>
> Strange...

That's because max_fails/fail_timeout are not used when only one
server is available in an upstream group, and "no live upstreams"
errors cannot happen.

--
Maxim Dounin
http://mdounin.ru/

From nginx-forum at forum.nginx.org  Wed Sep 29 17:34:58 2021
From: nginx-forum at forum.nginx.org (rjvbzeoibvpzie)
Date: Wed, 29 Sep 2021 13:34:58 -0400
Subject: Nginx upstream return name instead of server ip
In-Reply-To:
References:
Message-ID: <2a4bb2b801bb4c70889bc0e13343b7e2.NginxMailingListEnglish@forum.nginx.org>

Got it! Thanks.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292491,292502#msg-292502

From mdounin at mdounin.ru  Wed Sep 29 17:38:28 2021
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 29 Sep 2021 20:38:28 +0300
Subject: WebDAV permission error
In-Reply-To:
References:
Message-ID:

Hello!

On Wed, Sep 29, 2021 at 05:13:38PM +0000, axespam wrote:

> Hello, I am trying to set up a WebDAV share but I am running into an
> issue. After I have the WebDAV share created and mounted I can delete
> files but not folders. When I try to delete a folder it says I don't
> have permissions. I have given rw access to all.
>
> This is the error log from trying to delete the folder.
> 2021/09/29 01:20:00 [error] 3098#3098: *1 DELETE "/data/dav/http/dav/test/del" failed (21: Is a directory), client: 10.0.5.5, server: localhost, request: "DELETE /dav/test/del HTTP/1.1", host: "192.168.0.129"
>
> Any help appreciated thank you

If you want to delete a WebDAV collection (directory), use a trailing
"/" in the URI.

--
Maxim Dounin
http://mdounin.ru/

From axespam at protonmail.com  Wed Sep 29 17:43:06 2021
From: axespam at protonmail.com (axespam)
Date: Wed, 29 Sep 2021 17:43:06 +0000
Subject: WebDAV permission error
In-Reply-To:
References:
Message-ID:

I'm sorry but what does that mean? When I right click and delete a folder
I don't enter anything.. Does this go in the config file?

-------- Original Message --------
On Sep 29, 2021, 12:38 PM, Maxim Dounin < mdounin at mdounin.ru> wrote:

Hello!

On Wed, Sep 29, 2021 at 05:13:38PM +0000, axespam wrote:

> Hello, I am trying to set up a WebDAV share but I am running into an
> issue. After I have the WebDAV share created and mounted I can delete
> files but not folders. When I try to delete a folder it says I don't
> have permissions. I have given rw access to all.
>
> This is the error log from trying to delete the folder.
> 2021/09/29 01:20:00 [error] 3098#3098: *1 DELETE "/data/dav/http/dav/test/del" failed (21: Is a directory), client: 10.0.5.5, server: localhost, request: "DELETE /dav/test/del HTTP/1.1", host: "192.168.0.129"
>
> Any help appreciated thank you

If you want to delete a WebDAV collection (directory), use a trailing
"/" in the URI.

--
Maxim Dounin
http://mdounin.ru/
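To make the earlier "Nginx upstream return name instead of server ip" thread (rjvbzeoibvpzie and Maxim Dounin) concrete, here is an added example of reading the posted log_format "main" and flagging the requests where $upstream_addr carries the upstream group name rather than a peer ip:port, which, as Maxim explains, is what nginx logs when every server in the group was unavailable per max_fails/fail_timeout and the matching "no live upstreams" line went to the error log. This is not code from the thread or from nginx: the parser, the peer pattern and the constructed third sample line (showing the comma-separated form nginx uses when it tried a peer before giving up) are assumptions of this example; the first two sample lines are the ones posted in the thread.

```python
"""Flag access-log entries in which $upstream_addr holds the upstream *group*
name instead of a peer ip:port.

Per the thread, that is what nginx logs when it could not select any server
in the group (all peers marked unavailable by max_fails/fail_timeout), and
a "no live upstreams" line goes to the error log at the same time.
Added example: the log_format is the "main" format posted in the thread;
the first two sample lines are from the thread, the third is constructed.
"""
import re

# One named group per field of the posted log_format "main", in order.
LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" '
    r'"(?P<http_x_forwarded_for>[^"]*)" '
    r'(?P<request_length>\d+) (?P<request_time>[\d.]+) '
    r'"(?P<upstream_addr>[^"]*)" "(?P<upstream_response_length>[^"]*)" '
    r'"time=(?P<upstream_response_time>[^"]*)" "(?P<host>[^"]*)" '
    r'"(?P<limit_req_status>[^"]*)"$'
)

# What a real peer looks like in $upstream_addr: IPv4:port, [IPv6]:port or
# a unix socket. Anything else is an upstream group name (assumption of
# this example; matches the two forms seen in the thread).
PEER_RE = re.compile(
    r'^(?:\d{1,3}(?:\.\d{1,3}){3}:\d+|\[[0-9A-Fa-f:.]+\]:\d+|unix:\S+)$'
)


def parse_line(line):
    """Return the named fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def upstream_attempts(upstream_addr):
    """Split $upstream_addr into the individual attempts.

    nginx separates retried peers with ", " and, after an internal redirect
    to another upstream group, the groups with " : ". "-" means the request
    never reached proxy_pass at all."""
    if upstream_addr == "-":
        return []
    return [a.strip() for a in upstream_addr.replace(" : ", ", ").split(",") if a.strip()]


def classify(record):
    """Reduce a parsed record to what matters for this failure mode."""
    attempts = upstream_attempts(record["upstream_addr"])
    return {
        "time_local": record["time_local"],
        "request": record["request"],
        "status": int(record["status"]),
        "peers": [a for a in attempts if PEER_RE.match(a)],
        # A group name here means nginx had no live peer to hand the request to.
        "no_live_upstreams": [a for a in attempts if not PEER_RE.match(a)],
    }


def find_no_live_upstreams(lines):
    """Classified records where a group name was logged, in file order."""
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            c = classify(rec)
            if c["no_live_upstreams"]:
                flagged.append(c)
    return flagged


SAMPLE_LINES = [
    # The two lines posted in the thread: a served request, then a 502.
    '208.115.199.18 - - [29/Sep/2021:12:42:43 +0200] "GET /login HTTP/1.1" 200 150 '
    '"https://example.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)" '
    '"-" 408 0.105 "127.0.0.1:81" "0" "time=0.000" "example.com" "PASSED"',
    '208.115.199.18 - - [29/Sep/2021:12:43:35 +0200] "GET /login HTTP/1.1" 502 150 '
    '"https://example.com" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)" '
    '"-" 408 0.000 "http_backend" "0" "time=0.000" "example.com" "PASSED"',
    # Constructed: one peer was tried and failed, then no live peer was left.
    '203.0.113.7 - - [29/Sep/2021:12:44:10 +0200] "GET /login HTTP/1.1" 502 150 '
    '"-" "curl/7.79.1" "-" 80 0.002 "127.0.0.1:81, http_backend" "0, 0" '
    '"time=0.001, 0.000" "example.com" "-"',
]

if __name__ == "__main__":
    for c in find_no_live_upstreams(SAMPLE_LINES):
        print(f'{c["time_local"]} {c["status"]} {c["request"]!r}: '
              f'tried {c["peers"] or "nothing"}, no live peer in {c["no_live_upstreams"]}')
```

Note, from Maxim's last reply in that thread, that a group with a single server never produces this pattern: max_fails/fail_timeout are not applied to it, so the peer address is always logged even when the request fails.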
From mdounin at mdounin.ru  Wed Sep 29 17:53:19 2021
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 29 Sep 2021 20:53:19 +0300
Subject: WebDAV permission error
In-Reply-To:
References:
Message-ID:

Hello!

On Wed, Sep 29, 2021 at 05:43:06PM +0000, axespam wrote:

> I'm sorry but what does that mean? When I right click and delete
> a folder I don't enter anything.. Does this go in the config
> file?

That's up to the WebDAV client you are using. Note well that WebDAV
support in nginx is quite limited and not enough for general-purpose
clients such as filesystem mounts via WebDAV.

--
Maxim Dounin
http://mdounin.ru/

From nginx-forum at forum.nginx.org  Wed Sep 29 18:59:26 2021
From: nginx-forum at forum.nginx.org (blason)
Date: Wed, 29 Sep 2021 14:59:26 -0400
Subject: Can nginx act as a load-balancer for IBM Aspera?
Message-ID: <45d01bcc4de8435b4e75deeb6d2d3648.NginxMailingListEnglish@forum.nginx.org>

Hi Team,

I am trying to build a reverse proxy as well as load balancer using the
below link. Can someone please confirm if the below scenario can be
achieved? I would really appreciate it if someone could go through the
links; I want to understand if sticky or persistent connections are
possible with an Nginx LB.

https://www.ibm.com/docs/en/aspera-faspex/4.4.1?topic=systems-expected-load-balancer-behavior

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292505,292505#msg-292505

From francis at daoine.org  Thu Sep 30 16:42:36 2021
From: francis at daoine.org (Francis Daly)
Date: Thu, 30 Sep 2021 17:42:36 +0100
Subject: Can nginx act as a load-balancer for IBM Aspera?
In-Reply-To: <45d01bcc4de8435b4e75deeb6d2d3648.NginxMailingListEnglish@forum.nginx.org>
References: <45d01bcc4de8435b4e75deeb6d2d3648.NginxMailingListEnglish@forum.nginx.org>
Message-ID: <20210930164236.GX18734@daoine.org>

On Wed, Sep 29, 2021 at 02:59:26PM -0400, blason wrote:

Hi there,

> I am trying to build a reverse proxy as well as load balancer using below
> link.
> Can someone please confirm if below scenario can be achieved?
> I would really appreciate if someone can go through the links and wanted to
> understand if sticky or persistence connection can be possible with Nginx
> LB?

Untested, but it looks like using "hash" with the $remote_addr for both
http and stream, should probably do what you want for this "persistence".

https://nginx.org/en/docs/stream/ngx_stream_upstream_module.html#hash
https://nginx.org/en/docs/http/ngx_http_upstream_module.html#hash

> https://www.ibm.com/docs/en/aspera-faspex/4.4.1?topic=systems-expected-load-balancer-behavior

If you have a system that you can test against, it should hopefully be
clear whether the traffic is going to where you want it to go.

Good luck with it,

f
--
Francis Daly        francis at daoine.org

From nginx-forum at forum.nginx.org  Thu Sep 30 17:46:19 2021
From: nginx-forum at forum.nginx.org (blason)
Date: Thu, 30 Sep 2021 13:46:19 -0400
Subject: Can nginx act as a load-balancer for IBM Aspera?
In-Reply-To: <20210930164236.GX18734@daoine.org>
References: <20210930164236.GX18734@daoine.org>
Message-ID: <818d5a7470ac208d75032ae1a0e01a48.NginxMailingListEnglish@forum.nginx.org>

Thanks for the message. Let me test that and revert.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,292505,292512#msg-292512

From oscaretu at gmail.com  Thu Sep 30 18:39:07 2021
From: oscaretu at gmail.com (Oscar Fernandez Sierra)
Date: Thu, 30 Sep 2021 20:39:07 +0200
Subject: New tool: an nginx playground
Message-ID:

Perhaps this article from Julia Evans can be useful for people using nginx...

https://jvns.ca/blog/2021/09/24/new-tool--an-nginx-playground/

The first paragraph is:

New tool: an nginx playground

Hello! On Wednesday I was talking to a friend about how it would be cool
to have an nginx playground website where you can just paste in an nginx
config and test it out. And then I realized it might actually be pretty
easy to build, so got excited and started coding and I built it.
It's at https://nginx-playground.wizardzines.com.

Kind regards,

--
Oscar Fernandez Sierra
oscaretu at gmail.com
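Francis Daly's suggestion in the Aspera thread above is "hash" keyed on $remote_addr. The following added example (not code from the thread, from nginx or from IBM) illustrates the two properties a practitioner should know before relying on it for session persistence: the same client address always maps to the same backend as long as the server list is unchanged, and what happens when a backend is removed. nginx's own hash function is not reproduced here; this script uses CRC32 for the plain variant and SHA-256 for a ketama-style ring standing in for nginx's "consistent" parameter, so the individual server choices will differ from a real nginx, but the remap behaviour is the same in kind. The backend list and client addresses are constructed.

```python
"""Added illustration of hash-based upstream persistence.

Plain modulo hashing (like "hash $remote_addr") is sticky, but removing or
adding a server remaps most clients. A consistent ring (the idea behind
"hash $remote_addr consistent") only remaps the clients that were on the
server that disappeared. Hash functions here are not nginx's.
"""
import bisect
import hashlib
import zlib

# Constructed backend list; any three distinct strings behave the same.
SERVERS = ["10.0.0.11:443", "10.0.0.12:443", "10.0.0.13:443"]


def modulo_pick(key: str, servers: list) -> str:
    """Plain hash: CRC32 of the key, modulo the number of servers."""
    return servers[zlib.crc32(key.encode()) % len(servers)]


class ConsistentRing:
    """Ketama-style consistent hashing: each server owns many points on a
    ring; a key goes to the first point at or after its own hash."""

    def __init__(self, servers, points_per_server=160):
        self.ring = sorted((self._h(f"{s}#{i}"), s)
                           for s in servers for i in range(points_per_server))
        self._hashes = [h for h, _ in self.ring]

    @staticmethod
    def _h(s: str) -> int:
        # 32-bit slice of SHA-256; any well-mixed hash works for the ring.
        return int(hashlib.sha256(s.encode()).hexdigest()[:8], 16)

    def pick(self, key: str) -> str:
        if not self.ring:
            raise ValueError("no servers in ring")
        i = bisect.bisect_right(self._hashes, self._h(key)) % len(self.ring)
        return self.ring[i][1]


def sample_clients(n: int = 4096) -> list:
    """Constructed client addresses spread over 10.0.0.0/8."""
    return [f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}" for i in range(n)]


def is_sticky(pick, clients, rounds: int = 3) -> bool:
    """Same key gives the same server on every request."""
    return all(len({pick(c) for _ in range(rounds)}) == 1 for c in clients)


def moved_fraction(clients, pick_before, pick_after) -> float:
    """Share of clients whose backend changes between two server lists."""
    moved = sum(1 for c in clients if pick_before(c) != pick_after(c))
    return moved / len(clients)


def compare_after_removal(removed: str = SERVERS[-1]):
    """Drop one backend and measure how many clients get remapped under
    modulo hashing versus a consistent ring. Returns (modulo, consistent)."""
    remaining = [s for s in SERVERS if s != removed]
    clients = sample_clients()
    before, after = ConsistentRing(SERVERS), ConsistentRing(remaining)
    modulo = moved_fraction(clients,
                            lambda c: modulo_pick(c, SERVERS),
                            lambda c: modulo_pick(c, remaining))
    consistent = moved_fraction(clients, before.pick, after.pick)
    return modulo, consistent


def only_orphans_move(removed: str = SERVERS[-1]) -> bool:
    """With the consistent ring, every client that moved was on the removed
    server; clients on surviving servers keep their session affinity."""
    remaining = [s for s in SERVERS if s != removed]
    before, after = ConsistentRing(SERVERS), ConsistentRing(remaining)
    return all(before.pick(c) == removed
               for c in sample_clients() if before.pick(c) != after.pick(c))


if __name__ == "__main__":
    m, c = compare_after_removal()
    print(f"clients remapped after losing one of {len(SERVERS)} backends: "
          f"modulo hash {m:.0%}, consistent ring {c:.0%}")
```

Two caveats follow directly from what the script shows. Persistence keyed on $remote_addr puts every client behind one NAT or forward proxy onto the same backend, so balance can be poor for such populations; and a backend leaving the group remaps roughly two thirds of clients under plain hashing, versus only the orphaned third with the consistent variant, which is the difference between most users losing their Aspera session and only those on the failed node losing it.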