From larry.martell at gmail.com Thu Feb 1 16:34:08 2024
From: larry.martell at gmail.com (Larry Martell)
Date: Thu, 1 Feb 2024 11:34:08 -0500
Subject: modules after upgrade

We run Ubuntu 20.04, which has nginx 1.18. I was asked to upgrade it to 1.25.3, which I did following the instructions here: https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/.

We had 6 modules installed (http-ndk, http-image-filter, http-lua, http-xslt-filter, mail, stream) which all got removed in the upgrade. When I try to reinstall them it fails with libnginx-mod-http-ndk : Depends: nginx-common (= 1.18.0-0ubuntu1.4) but it is not going to be installed. How can I install the modules I need for 1.25.3? Do I have to build them from source now?

From osa at freebsd.org.ru Thu Feb 1 16:56:54 2024
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Thu, 1 Feb 2024 19:56:54 +0300
Subject: modules after upgrade

Hi Larry,

On Thu, Feb 01, 2024 at 11:34:08AM -0500, Larry Martell wrote:
> We run Ubuntu 20.04, which has nginx 1.18. I was asked to upgrade it
> to 1.25.3, which I did following the instructions here:
> https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/.
> We had 6 modules installed (http-ndk, http-image-filter, http-lua,
> http-xslt-filter, mail, stream) which all got removed in the upgrade.
> When I try to reinstall them it fails with libnginx-mod-http-ndk :
> Depends: nginx-common (= 1.18.0-0ubuntu1.4) but it is not going to be
> installed. How can I install the modules I need for 1.25.3? Do I have
> to build them from source now?

There are two types of modules in the list:
- native, developed by the nginx development team;
- third-party, from vendors.

So, http-ndk [1] and http-lua [2] are third-party modules. Those modules need to be recompiled with a corresponding version of nginx.
I'd recommend visiting the reference pages for details on how to build those third-party modules.

References
----------
1. https://github.com/vision5/ngx_devel_kit
2. https://github.com/openresty/lua-nginx-module

--
Sergey A. Osokin

From larry.martell at gmail.com Thu Feb 1 17:28:40 2024
From: larry.martell at gmail.com (Larry Martell)
Date: Thu, 1 Feb 2024 12:28:40 -0500
Subject: modules after upgrade

On Thu, Feb 1, 2024 at 11:57 AM Sergey A. Osokin wrote:
>
> Hi Larry,
>
> On Thu, Feb 01, 2024 at 11:34:08AM -0500, Larry Martell wrote:
> > We run Ubuntu 20.04, which has nginx 1.18. I was asked to upgrade it
> > to 1.25.3, which I did following the instructions here:
> > https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/.
> > We had 6 modules installed (http-ndk, http-image-filter, http-lua,
> > http-xslt-filter, mail, stream) which all got removed in the upgrade.
> > When I try to reinstall them it fails with libnginx-mod-http-ndk :
> > Depends: nginx-common (= 1.18.0-0ubuntu1.4) but it is not going to be
> > installed. How can I install the modules I need for 1.25.3? Do I have
> > to build them from source now?
>
> There are two types of modules in the list:
> - native, developed by the nginx development team;
> - third-party, from vendors.
>
> So, http-ndk [1] and http-lua [2] are third-party modules. Those
> modules need to be recompiled with a corresponding version of nginx.
> I'd recommend visiting the reference pages for details on how to build
> those third-party modules.
>
> References
> ----------
> 1. https://github.com/vision5/ngx_devel_kit
> 2. https://github.com/openresty/lua-nginx-module

Hi Sergey,

I was able to install nginx-module-image-filter with apt, but http-xslt-filter, mail, stream all fail with the same message Depends: nginx-common (= 1.18.0-0ubuntu1.4).

I looked at the 2 links you gave and both talk about building nginx from source to get those modules included.
Is that now required? With 1.18 I simply did:

    sudo apt install lua5.3
    sudo apt install libluajit-5.1-2
    sudo apt install lua-sql-mysql
    sudo apt install libnginx-mod-http-lua

Thanks!
Larry

From osa at freebsd.org.ru Thu Feb 1 17:48:15 2024
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Thu, 1 Feb 2024 20:48:15 +0300
Subject: modules after upgrade

Hi Larry,

On Thu, Feb 01, 2024 at 12:28:40PM -0500, Larry Martell wrote:
>
> I was able to install nginx-module-image-filter with apt, but
> http-xslt-filter, mail, stream all fail with the same message Depends:
> nginx-common (= 1.18.0-0ubuntu1.4).
>
> I looked at the 2 links you gave and both talk about building nginx
> from source to get those modules included. Is that now required? With
> 1.18 I simply did:
>
> sudo apt install lua5.3
> sudo apt install libluajit-5.1-2
> sudo apt install lua-sql-mysql
> sudo apt install libnginx-mod-http-lua

I've forgotten to mention that you'd need to rebuild all native modules or use packages from the official site, https://nginx.org/en/linux_packages.html#Ubuntu

And please do not mix packages from the official site and Ubuntu packages; please choose only one source of truth.

Hope that helps.

--
Sergey A. Osokin

From larry.martell at gmail.com Thu Feb 1 18:10:35 2024
From: larry.martell at gmail.com (Larry Martell)
Date: Thu, 1 Feb 2024 13:10:35 -0500
Subject: modules after upgrade

On Thu, Feb 1, 2024 at 12:48 PM Sergey A. Osokin wrote:
>
> Hi Larry,
>
> On Thu, Feb 01, 2024 at 12:28:40PM -0500, Larry Martell wrote:
> >
> > I was able to install nginx-module-image-filter with apt, but
> > http-xslt-filter, mail, stream all fail with the same message Depends:
> > nginx-common (= 1.18.0-0ubuntu1.4).
> >
> > I looked at the 2 links you gave and both talk about building nginx
> > from source to get those modules included. Is that now required?
> > With
> > 1.18 I simply did:
> >
> > sudo apt install lua5.3
> > sudo apt install libluajit-5.1-2
> > sudo apt install lua-sql-mysql
> > sudo apt install libnginx-mod-http-lua
>
> I've forgotten to mention that you'd need to rebuild all native
> modules or use packages from the official site,
> https://nginx.org/en/linux_packages.html#Ubuntu
>
> And please do not mix packages from the official site and Ubuntu
> packages; please choose only one source of truth.

I had already done all that. (Those instructions are the same as the page I initially referenced, https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/.) But it still seems to be using Ubuntu packages:

    $ sudo apt policy libnginx-mod-mail
    libnginx-mod-mail:
      Installed: (none)
      Candidate: 1.18.0-0ubuntu1.4
      Version table:
         1.18.0-0ubuntu1.4 500
            500 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
            500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
            100 /var/lib/dpkg/status
         1.17.10-0ubuntu1 500
            500 http://us.archive.ubuntu.com/ubuntu focal/main amd64 Packages

From osa at freebsd.org.ru Thu Feb 1 18:27:55 2024
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Thu, 1 Feb 2024 21:27:55 +0300
Subject: modules after upgrade

On Thu, Feb 01, 2024 at 01:10:35PM -0500, Larry Martell wrote:
>
> I had already done all that. (Those instructions are the same as the
> page I initially referenced,
> https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/.)
> But it still seems to be using Ubuntu packages:
>
> $ sudo apt policy libnginx-mod-mail
> libnginx-mod-mail:
>   Installed: (none)
>   Candidate: 1.18.0-0ubuntu1.4
>   Version table:
>      1.18.0-0ubuntu1.4 500
>         500 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
>         500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
>         100 /var/lib/dpkg/status
>      1.17.10-0ubuntu1 500
>         500 http://us.archive.ubuntu.com/ubuntu focal/main amd64 Packages

The nginx prebuilt packages for Ubuntu have been built with the mail module, so you do not need to install it as a separate package. Ubuntu's nginx packages can be safely removed.

To see how nginx has been built, run the following command:

    % nginx -V

--
Sergey A. Osokin

From larry.martell at gmail.com Thu Feb 1 18:41:16 2024
From: larry.martell at gmail.com (Larry Martell)
Date: Thu, 1 Feb 2024 13:41:16 -0500
Subject: modules after upgrade

On Thu, Feb 1, 2024 at 1:28 PM Sergey A. Osokin wrote:
>
> On Thu, Feb 01, 2024 at 01:10:35PM -0500, Larry Martell wrote:
> >
> > I had already done all that. (Those instructions are the same as the
> > page I initially referenced,
> > https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/.)
> > But it still seems to be using Ubuntu packages:
> >
> > $ sudo apt policy libnginx-mod-mail
> > libnginx-mod-mail:
> >   Installed: (none)
> >   Candidate: 1.18.0-0ubuntu1.4
> >   Version table:
> >      1.18.0-0ubuntu1.4 500
> >         500 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
> >         500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
> >         100 /var/lib/dpkg/status
> >      1.17.10-0ubuntu1 500
> >         500 http://us.archive.ubuntu.com/ubuntu focal/main amd64 Packages
>
> The nginx prebuilt packages for Ubuntu have been built with the mail module,
> so you do not need to install it as a separate package. Ubuntu's nginx
> packages can be safely removed.
>
> To see how nginx has been built, run the following command:
>
> % nginx -V

    $ sudo nginx -V > /tmp/nginx.V
    nginx version: nginx/1.25.3
    built by gcc 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
    built with OpenSSL 1.1.1f  31 Mar 2020
    TLS SNI support enabled
    configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.25.3/debian/debuild-base/nginx-1.25.3=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

So I see mail and stream there, but not http-xslt-filter.
That also gives the same error:

    libnginx-mod-http-xslt-filter : Depends: nginx-common (= 1.18.0-0ubuntu1.4) but it is not going to be installed

    $ sudo apt policy libnginx-mod-http-xslt-filter
    libnginx-mod-http-xslt-filter:
      Installed: (none)
      Candidate: 1.18.0-0ubuntu1.4
      Version table:
         1.18.0-0ubuntu1.4 500
            500 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
            500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
            100 /var/lib/dpkg/status
         1.17.10-0ubuntu1 500
            500 http://us.archive.ubuntu.com/ubuntu focal/main amd64 Packages

Also concerning the third party packages, how do I get those into nginx? Is a build from source required?

From osa at freebsd.org.ru Thu Feb 1 18:57:13 2024
From: osa at freebsd.org.ru (Sergey A. Osokin)
Date: Thu, 1 Feb 2024 21:57:13 +0300
Subject: modules after upgrade

On Thu, Feb 01, 2024 at 01:41:16PM -0500, Larry Martell wrote:
>
> $ sudo nginx -V > /tmp/nginx.V

[...]

> So I see mail and stream there, but not http-xslt-filter. That also
> gives the same error:

According to https://nginx.org/en/docs/http/ngx_http_xslt_module.html, this module is not built by default; it should be enabled with the --with-http_xslt_module configuration parameter. Please note: that module depends on the libxml2/libxslt libraries.

[...]

> Also concerning the third party packages, how do I get those into
> nginx? is a build from source required?

Yes, it is a requirement to rebuild third-party modules from their source code.

--
Sergey A. Osokin

From jordanc.carter at outlook.com Thu Feb 1 19:03:04 2024
From: jordanc.carter at outlook.com (J Carter)
Date: Thu, 1 Feb 2024 19:03:04 +0000
Subject: modules after upgrade

Hello,

On Thu, 1 Feb 2024 12:28:40 -0500
Larry Martell wrote:

> On Thu, Feb 1, 2024 at 11:57 AM Sergey A.
> Osokin wrote:
> >
> > Hi Larry,
> >
> > On Thu, Feb 01, 2024 at 11:34:08AM -0500, Larry Martell wrote:
> > > We run Ubuntu 20.04, which has nginx 1.18. I was asked to upgrade it
> > > to 1.25.3, which I did following the instructions here:
> > > https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/.
> > > We had 6 modules installed (http-ndk, http-image-filter, http-lua,
> > > http-xslt-filter, mail, stream) which all got removed in the upgrade.
> > > When I try to reinstall them it fails with libnginx-mod-http-ndk :
> > > Depends: nginx-common (= 1.18.0-0ubuntu1.4) but it is not going to be
> > > installed. How can I install the modules I need for 1.25.3? Do I have
> > > to build them from source now?
> >
> > There are two types of modules in the list:
> > - native, developed by the nginx development team;
> > - third-party, from vendors.
> >
> > So, http-ndk [1] and http-lua [2] are third-party modules. Those
> > modules need to be recompiled with a corresponding version of nginx.
> > I'd recommend visiting the reference pages for details on how to build
> > those third-party modules.
> >
> > References
> > ----------
> > 1. https://github.com/vision5/ngx_devel_kit
> > 2. https://github.com/openresty/lua-nginx-module
>
> Hi Sergey,
>
> I was able to install nginx-module-image-filter with apt, but
> http-xslt-filter, mail, stream all fail with the same message Depends:
> nginx-common (= 1.18.0-0ubuntu1.4).
>
> I looked at the 2 links you gave and both talk about building nginx
> from source to get those modules included. Is that now required? With
> 1.18 I simply did:
>

It's nothing to do with version. What you've done is switch from Ubuntu provided packages to nginx.org provided packages. Ubuntu provides third party binary modules that are not in the official repo.
The list of official packages in the repo can be quickly seen by browsing: https://nginx.org/packages/mainline/ubuntu/pool/nginx/n/

> sudo apt install lua5.3
> sudo apt install libluajit-5.1-2
> sudo apt install lua-sql-mysql
> sudo apt install libnginx-mod-http-lua
>
> Thanks!
> Larry

For Lua (and Luajit) you can build from source using make files from the nginx official packaging mercurial repo:

https://hg.nginx.org/pkg-oss/file/1c4041361462/contrib/src
https://hg.nginx.org/pkg-oss/file/1c4041361462/build_module.sh

(1.25.3 commit)

There are many other useful modules there too that are not shipped as binaries.

However, I don't believe lua-sql-mysql is included there, so you will still need to build that from sources on github: https://github.com/openresty/lua-resty-mysql

From larry.martell at gmail.com Fri Feb 2 18:07:40 2024
From: larry.martell at gmail.com (Larry Martell)
Date: Fri, 2 Feb 2024 13:07:40 -0500
Subject: nginx looking in wrong dir for module

I built nginx from source and it fails to start with:

    2024/02/02 13:00:59 [emerg] 1961284#1961284: dlopen() "/usr/modules/ndk_http_module.so" failed (/usr/modules/ndk_http_module.so: cannot open shared object file: No such file or directory) in /etc/nginx/modules-enabled/10-mod-http-ndk.conf:1

-V shows:

    $ sudo /usr/sbin/nginx -V
    nginx version: nginx/1.18.0
    built by gcc 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
    built with OpenSSL 1.1.1f  31 Mar 2020
    TLS SNI support enabled
    configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-lUTckl/nginx-1.18.0=.
    -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module

ndk_http_module.so does exist in /usr/lib/nginx/modules/:

    $ ls -l /usr/lib/nginx/modules/ndk_http_module.so
    -rw-r--r-- 1 root root 18688 Nov 10  2022 /usr/lib/nginx/modules/ndk_http_module.so

Why is it looking in the wrong dir for this?

From mdounin at mdounin.ru Sat Feb 3 01:42:52 2024
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Sat, 3 Feb 2024 04:42:52 +0300
Subject: nginx looking in wrong dir for module

Hello!
On Fri, Feb 02, 2024 at 01:07:40PM -0500, Larry Martell wrote:

> I built nginx from source and it fails to start with:
>
> 2024/02/02 13:00:59 [emerg] 1961284#1961284: dlopen()
> "/usr/modules/ndk_http_module.so" failed
> (/usr/modules/ndk_http_module.so: cannot open shared object file: No
> such file or directory) in
> /etc/nginx/modules-enabled/10-mod-http-ndk.conf:1
>
> -V shows:
>
> $ sudo /usr/sbin/nginx -V

[...]

> --prefix=/usr

[...]

> --modules-path=/usr/lib/nginx/modules

[...]

> ndk_http_module.so does exist in /usr/lib/nginx/modules/:
>
> $ ls -l /usr/lib/nginx/modules/ndk_http_module.so
> -rw-r--r-- 1 root root 18688 Nov 10  2022
> /usr/lib/nginx/modules/ndk_http_module.so
>
> Why is it looking in the wrong dir for this?

Paths in the nginx configuration file are resolved from prefix (with the exception of various included configuration files or similar resources, which are resolved from the configuration prefix). Your configuration seems to contain

    load_module modules/ndk_http_module.so;

which is resolved from /usr to /usr/modules/ndk_http_module.so. There is no such file, hence the error.

Note that the --modules-path configure option defines where to install modules. It is, however, your responsibility to provide proper paths to modules in load_module directives. The "modules/foo.so" construct will work with the default --modules-path, which is "modules" under prefix, but you'll have to use something different if you've modified --modules-path to a custom value.

--
Maxim Dounin
http://mdounin.ru/

From victor at camb.com Sat Feb 3 18:50:39 2024
From: victor at camb.com (Victor Oppenheimer)
Date: Sat, 3 Feb 2024 13:50:39 -0500
Subject: Problem using nginx as reverse proxy server on Windows Server 2016
Message-ID: <7e7d066d-48a0-480c-82dd-f8a510c62f02@camb.com>

I am trying to run nginx as a reverse proxy server on my Microsoft Windows Server 2016 Standard computer.
I previously have used Microsoft IIS and Apache Tomcat on this computer to serve webpages on port 80 and port 8080 respectively.

However, I want to have some of my websites use SSL and be accessed using HTTPS.

So, I decided to install the nginx web server software on the computer. I planned to use it as a reverse proxy server which would receive both insecure HTML and secure HTTPS webpage requests and then proxy them to the appropriate software webservers on the same computer.

I changed all the IIS sites that had been using port 80 to use port 81 instead. I then wrote the nginx.conf configuration file which listens on port 80 for each of my server_names and then proxies the page requests to the appropriate software webserver.

Once that works, I plan to install the SSL certificates in nginx and process secure HTMLS requests as well.

But nginx fails to start on the computer. It produces the following error message.

    bind() to 0.0.0.0:80 failed (10013: An attempt was made to access a socket in a way
    forbidden by its access permissions)

Because the message appears to indicate that there is a conflict using port 80, I decided to see which tasks were using port 80. To do so, I opened a command window with administrative privileges and ran the following command:

    netstat -ano | findstr :80

I then examined the output for entries with a state of "LISTENING" and a local address of "0.0.0.0:80" or ":::80" (IPv6). The output's "PID" column provided the process ID (PID) of the process using port 80.

I then used Task Manager to find the process names associated with those PIDs.

I found that port 80 is being used by both task "System" by user "SYSTEM" for "NT Kernel and System" with a PID of 4 and also for task "System Idle Process" by user "SYSTEM" for "Percentage of time the processor is idle" with a PID of 0.

I then tried to open nginx on my Windows 11 pro home desktop computer. It opened successfully and functioned doing reverse proxying as I desired.
For comparison's sake, I looked at the tasks using port 80 as I had on my windows server. On the desktop, the only task using port 80 is nginx.

I then changed the nginx listening directives on the Windows Server computer to listen on port 90 rather than port 80. After this change on the MS Windows Server 2016 nginx succeeded in starting and performed reverse proxying successfully.

This seems to indicate that the problem is with a conflict in the use of port 80 rather than in my nginx configuration.

However, remote website users browse to my website pages using the default port of 80 rather than port 90.

How can I make the system work?

For completeness I am copying the nginx.conf file listening on port 80 below.

# directives in the 'main' context
worker_processes 1;

events {    # events context/block
    # configuration of connection processing
}

http {    # http context specific to HTTP affecting all virtual servers
    server_names_hash_bucket_size 64;  # avoids error message for multiple server_Name entries

    server {  # configuration of yogisource HTTP virtual port 80 server
        listen 80;
        server_name yogisource.com www.yogisource.com;

        location / {
            proxy_pass http://yogisource.com:81/;
        }  # end of location block
    }  # end of yogisource server block

    server {  # configuration of clearwaterescapes HTTP virtual port 80 server
        listen 80;
        server_name clearwaterescapes.com www.clearwaterescapes.com;

        location / {
            # send local host requests of the form http://clearwaterescapes.com to
            #     http://clearwaterescapes.com:8080/vo/Clearwater
            proxy_pass http://clearwaterescapes.com:8080/vo/Clearwater/;
        }  # end of location block

        location /camp/ {
            proxy_pass http://clearwaterescapes.com:8080/vo/Clearwater/Camp/?Prop=2;
        }  # end of location block

        #     // http://clearwaterescapes.com:81/Clearwater/Camp/camprental.pdf works ...
        #    The following Nginx location directives sends clearwaterescapes.com urls
        #    containing case insensitive "camp" or "house" to ClearwaterEscapes on
        #    port 81 where to be served by the Microsoft IIS server
        location ~* ^/camp/ {
            set $proxy_pass_url http://ClearwaterEscapes.com:81/camp/;
            proxy_pass $proxy_pass_url;
            # proxy_pass http://ClearwaterEscapes.com:81/camp/ ;
        }  # end of location block

        location ~* ^/House/ {
            set $proxy_pass_url http://ClearwaterEscapes.com:81/house/;
            proxy_pass $proxy_pass_url;
        }  # end of location block
    }  # end of ClearwaterEscapes server block

    server {  # configuration of freshpondrentals HTTP virtual port 80 server
        listen 80;
        server_name freshpondrentals.com www.freshpondrentals.com;

        location / {
            # send local host requests of the form http://freshpondrentals.com to
            #     http://freshpondrentals.com:8080/vo/camb
            proxy_pass http://freshpondrentals.com:8080/vo/camb/;
        }  # end of location block

        location /StudioApartment/ {
            # send local host requests of the form
            #   http://freshpondrentals.com/camb/StudioApartment
            # to
            #   http://freshpondrentals.com:8080/vo/camb/StudioApartment
            proxy_pass http://freshpondrentals.com:8080/vo/camb/StudioApartment/index.jsp/;
        }  # end of location block
    }  # end of freshpondrentals server block

    server {  # configuration of oppsprops HTTP virtual port 80 server
        listen 80;
        server_name oppsprops.com www.oppsprops.com;
        # listen 443 ssl;
        # ssl_certificate "C:/nginx/conf/ssl/certs/oppsprops.com.crt";
        # ssl_certificate_key "C:/nginx/conf/ssl/keys/oppsprops.com.key";
        #
        # location / {
        #     proxy_pass http://oppsprops.com:81/;
        # }  # end of location block

        # the dot is escaped so the regex matches a ".jsp" suffix rather than any single character
        location ~ \.jsp$ {
            set $proxy_pass_url http://oppsprops.com:8080;
            proxy_pass $proxy_pass_url;
        }  # end of location block

        location / {
            proxy_pass http://oppsprops.com:8080/;
        }  # end of location block
    }  # end of oppsprops server block
}  # end of http block

From Sam at SimpleSamples.info Sat Feb 3 21:15:37 2024
From: Sam at SimpleSamples.info (Sam Hobbs)
Date: Sat, 3 Feb 2024 13:15:37 -0800
Subject: Problem using nginx as reverse proxy server on Windows Server 2016
In-Reply-To: <7e7d066d-48a0-480c-82dd-f8a510c62f02@camb.com>
References: <7e7d066d-48a0-480c-82dd-f8a510c62f02@camb.com>
Message-ID: <079fc15e-2ad4-9f7d-d9b4-f3f69a5cc2fd@SimpleSamples.info>

> insecure HTML and secure HTTPS webpage requests

Did you mean to say insecure HTTP and secure HTTPS webpage requests?

> process secure HTMLS requests as well

Did you mean to say process secure HTTPS requests as well?

From jeremy at jeremy.cx Sat Feb 3 22:27:33 2024
From: jeremy at jeremy.cx (Jeremy Cocks)
Date: Sat, 3 Feb 2024 22:27:33 +0000
Subject: Problem using nginx as reverse proxy server on Windows Server 2016
In-Reply-To: <7e7d066d-48a0-480c-82dd-f8a510c62f02@camb.com>
References: <7e7d066d-48a0-480c-82dd-f8a510c62f02@camb.com>

Hello!

> I found that port 80 is being used by both task "System" by user "SYSTEM" for "NT Kernel and System" with a PID of 4 and also for task "System Idle Process" by user "SYSTEM" for "Percentage of time the processor is idle" with a PID of 0.

This is typically the Web Deployment Agent Service (MsDepSvc) (this often uses PID 4) or Host Network Service, both stoppable from services.msc.

Let us know how you get on!

On Sat, 3 Feb 2024 at 18:51, Victor Oppenheimer wrote:
> I am trying to run nginx as a reverse proxy server on my Microsoft Windows Server 2016 Standard computer.
>
> I previously have used Microsoft IIS and Apache Tomcat on this computer to serve webpages on port 80 and port 8080 respectively.
>
> However, I want to have some of my websites use SSL and be accessed using HTTPS.
>
> So, I decided to install the nginx web server software on the computer. I planned to use it as a reverse proxy server which would receive both insecure HTML and secure HTTPS webpage requests and then proxy them to the appropriate software webservers on the same computer.
>
> I changed all the IIS sites that had been using port 80 to use port 81 instead. I then wrote the nginx.conf configuration file which listens on port 80 for each of my server_names and then proxies the page requests to the appropriate software webserver.
>
> Once that works, I plan to install the SSL certificates in nginx and process secure HTMLS requests as well.
>
> But nginx fails to start on the computer. It produces the following error message.
>     bind() to 0.0.0.0:80 failed (10013: An attempt was made to access a socket in a way
>     forbidden by its access permissions)
>
> Because the message appears to indicate that there is a conflict using port 80, I decided to see which tasks were using port 80. To do so, I opened a command window with administrative privileges and ran the following command:
>     netstat -ano | findstr :80
>
> I then examined the output for entries with a state of "LISTENING" and a local address of "0.0.0.0:80" or ":::80" (IPv6). The output's "PID" column provided the process ID (PID) of the process using port 80.
>
> I then used Task Manager to find the process names associated with those PIDs.
>
> I found that port 80 is being used by both task "System" by user "SYSTEM" for "NT Kernel and System" with a PID of 4 and also for task "System Idle Process" by user "SYSTEM" for "Percentage of time the processor is idle" with a PID of 0.
>
> I then tried to open nginx on my Windows 11 pro home desktop computer. It opened successfully and functioned doing reverse proxying as I desired. For comparison's sake, I looked at the tasks using port 80 as I had on my windows server.
> On the desktop, the only task using port 80 is nginx.
>
> I then changed the nginx listening directives on the Windows Server computer to listen on port 90 rather than port 80. After this change on the MS Windows Server 2016 nginx succeeded in starting and performed reverse proxying successfully.
>
> This seems to indicate that the problem is with a conflict in the use of port 80 rather than in my nginx configuration.
>
> However, remote website users browse to my website pages using the default port of 80 rather than port 90.
>
> How can I make the system work?
>
> For completeness I am copying the nginx.conf file listening on port 80 below.
>
> # directives in the 'main' context
> worker_processes 1;
>
> events {    # events context/block
>     # configuration of connection processing
> }
>
> http {    # http context specific to HTTP affecting all virtual servers
>     server_names_hash_bucket_size 64;  # avoids error message for multiple server_Name entries
>
>     server {  # configuration of yogisource HTTP virtual port 80 server
>         listen 80;
>         server_name yogisource.com www.yogisource.com;
>
>         location / {
>             proxy_pass http://yogisource.com:81/;
>         }  # end of location block
>     }  # end of yogisource server block
>
>     server {  # configuration of clearwaterescapes HTTP virtual port 80 server
>         listen 80;
>         server_name clearwaterescapes.com www.clearwaterescapes.com;
>
>         location / {
>             # send local host requests of the form http://clearwaterescapes.com to
>             #     http://clearwaterescapes.com:8080/vo/Clearwater
>             proxy_pass http://clearwaterescapes.com:8080/vo/Clearwater/;
>         }  # end of location block
>
>         location /camp/ {
>             proxy_pass http://clearwaterescapes.com:8080/vo/Clearwater/Camp/?Prop=2;
>         }  # end of location block
>
>         #     // http://clearwaterescapes.com:81/Clearwater/Camp/camprental.pdf works ...
>
>         #    The following Nginx location directives sends clearwaterescapes.com urls
>         #    containing case insensitive "camp" or "house" to ClearwaterEscapes on
>         #    port 81 where to be served by the Microsoft IIS server
>         location ~* ^/camp/ {
>             set $proxy_pass_url http://ClearwaterEscapes.com:81/camp/;
>             proxy_pass $proxy_pass_url;
>             # proxy_pass http://ClearwaterEscapes.com:81/camp/ ;
>         }  # end of location block
>
>         location ~* ^/House/ {
>             set $proxy_pass_url http://ClearwaterEscapes.com:81/house/;
>             proxy_pass $proxy_pass_url;
>         }  # end of location block
>     }  # end of ClearwaterEscapes server block
>
>     server {  # configuration of freshpondrentals HTTP virtual port 80 server
>         listen 80;
>         server_name freshpondrentals.com www.freshpondrentals.com;
>
>         location / {
>             # send local host requests of the form http://freshpondrentals.com to
>             #     http://freshpondrentals.com:8080/vo/camb
>             proxy_pass http://freshpondrentals.com:8080/vo/camb/;
>         }  # end of location block
>
>         location /StudioApartment/ {
>             # send local host requests of the form
>             #   http://freshpondrentals.com/camb/StudioApartment
>             # to
>             #   http://freshpondrentals.com:8080/vo/camb/StudioApartment
>             proxy_pass http://freshpondrentals.com:8080/vo/camb/StudioApartment/index.jsp/;
>         }  # end of location block
>     }  # end of freshpondrentals server block
>
>     server {  # configuration of oppsprops HTTP virtual port 80 server
>         listen 80;
>         server_name oppsprops.com www.oppsprops.com;
>         # listen 443 ssl;
>         # ssl_certificate "C:/nginx/conf/ssl/certs/oppsprops.com.crt";
>         # ssl_certificate_key "C:/nginx/conf/ssl/keys/oppsprops.com.key";
>         #
>         # location / {
>         #     proxy_pass http://oppsprops.com:81/;
>         # }  # end of location block
>
>         # the dot is escaped so the regex matches a ".jsp" suffix rather than any single character
>         location ~ \.jsp$ {
>             set $proxy_pass_url http://oppsprops.com:8080;
>             proxy_pass $proxy_pass_url;
>         }  # end of location block
>
>         location / {
>             proxy_pass http://oppsprops.com:8080/;
>         }  # end of location block
>     }  # end of oppsprops server block
> }  # end of http block
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx

From victor at camb.com Sun Feb 4 01:02:34 2024
From: victor at camb.com (Victor Oppenheimer)
Date: Sat, 3 Feb 2024 20:02:34 -0500
Subject: Problem using nginx as reverse proxy server on Windows Server 2016
References: <7e7d066d-48a0-480c-82dd-f8a510c62f02@camb.com>
Message-ID: <5b178d0d-94ea-4ff6-bf44-5a10ddb66efb@camb.com>

Jeremy,

Thank you. I tried stopping the Web Deployment Agent Service and ran a test that seemed to work! I will test it more extensively tomorrow and let you know.

Do you know if there are adverse consequences to changing its start-up type to "Manual"?

Best,
    Victor

On 2/3/2024 5:27 PM, Jeremy Cocks via nginx wrote:
>
> Hello!
>
> > I found that port 80 is being used by both task "System" by user
> > "SYSTEM" for "NT Kernel and System" with a PID of 4 and also for task
> > "System Idle Process" by user "SYSTEM" for "Percentage of time the
> > processor is idle" with a PID of 0.
>
> This is typically the Web Deployment Agent Service (MsDepSvc) (this
> often uses PID 4) or Host Network Service - both stoppable from
> services.msc
>
> Let us know how you get on!
>
>
> On Sat, 3 Feb 2024 at 18:51, Victor Oppenheimer wrote:
>
> I am trying to run nginx as a reverse proxy server on my Microsoft
> Windows Server 2016 Standard computer.
>
> I previously have used Microsoft IIS and Apache Tomcat on this
> computer to serve webpages on port 80 and port 8080 respectively.
>
> However, I want to have some of my websites use SSL and be accessed
> using HTTPS.
>
> So, I decided to install the nginx web server software on the computer.
> I planned to use it as a reverse proxy server which would receive both
> insecure HTML and secure HTTPS webpage requests and then proxy them to
> the appropriate software webservers on the same computer.
>
> I changed all the IIS sites that had been using port 80 to use port 81
> instead. I then wrote the nginx.conf configuration file which listens on
> port 80 for each of my server_names and then proxies the page requests
> to the appropriate software webserver.
>
> Once that works, I plan to install the SSL certificates in nginx and
> process secure HTTPS requests as well.
>
> But nginx fails to start on the computer. It produces the following
> error message.
>
>     bind() to 0.0.0.0:80 failed (10013: An attempt was made to access
>     a socket in a way forbidden by its access permissions)
>
> Because the message appears to indicate that there is a conflict using
> port 80, I decided to see which tasks were using port 80. To do so, I
> opened a command window with administrative privileges and ran the
> following command:
>
>     netstat -ano | findstr :80
>
> I then examined the output for entries with a state of "LISTENING" and
> a local address of "0.0.0.0:80" or ":::80" (IPv6). The output's "PID"
> column provided the process ID (PID) of the process using port 80.
>
> I then used Task Manager to find the process names associated with
> those PIDs.
>
> I found that port 80 is being used by both task "System" by user
> "SYSTEM" for "NT Kernel and System" with a PID of 4 and also for task
> "System Idle Process" by user "SYSTEM" for "Percentage of time the
> processor is idle" with a PID of 0.
>
> I then tried to open nginx on my Windows 11 Pro home desktop computer.
> It opened successfully and functioned doing reverse proxying as I
> desired. For comparison's sake, I looked at the tasks using port 80 as
> I had on my Windows server. On the desktop, the only task using port 80
> is nginx.
>
> I then changed the nginx listening directives on the Windows Server
> computer to listen on port 90 rather than port 80. After this change on
> the MS Windows Server 2016 nginx succeeded in starting and performed
> reverse proxying successfully.
>
> This seems to indicate that the problem is with a conflict in the use
> of port 80 rather than in my nginx configuration.
>
> However, remote website users browse to my website pages using the
> default port of 80 rather than port 90.
>
> How can I make the system work?
>
> For completeness I am copying the nginx.conf file listening on port 80
> below.
>
> # directives in the 'main' context
> worker_processes 1;
> events {    # events context/block
>     # configuration of connection processing
> }
>
> http {    # http context specific to HTTP affecting all virtual servers
>     server_names_hash_bucket_size 64;  # avoids error message for multiple server_Name entries
>
>     server {    # configuration of yogisource HTTP virtual port 80 server
>         listen 80;
>         server_name yogisource.com www.yogisource.com;
>
>         location / {
>             proxy_pass http://yogisource.com:81/;
>         }    # end of location block
>     }    # end of yogisource server block
>
>     server {    # configuration of clearwaterescapes HTTP virtual port 80 server
>         listen 80;
>         server_name clearwaterescapes.com www.clearwaterescapes.com;
>
>         location / {
>             # send local host requests of the form http://clearwaterescapes.com to
>             # http://clearwaterescapes.com:8080/vo/Clearwater
>             proxy_pass http://clearwaterescapes.com:8080/vo/Clearwater/;
>         }    # end of location block
>
>         location /camp/ {
>             proxy_pass http://clearwaterescapes.com:8080/vo/Clearwater/Camp/?Prop=2;
>         }    # end of location block
>
> #       // http://clearwaterescapes.com:81/Clearwater/Camp/camprental.pdf works ...
>
> #       The following Nginx location directives send clearwaterescapes.com urls
> #       containing case insensitive "camp" or "house" to ClearwaterEscapes on
> #       port 81 where they are to be served by the Microsoft IIS server
>
>         location ~* ^/camp/ {
>             set $proxy_pass_url http://ClearwaterEscapes.com:81/camp/;
>             proxy_pass $proxy_pass_url;
> #           proxy_pass http://ClearwaterEscapes.com:81/camp/;
>         }    # end of location block
>
>         location ~* ^/House/ {
>             set $proxy_pass_url http://ClearwaterEscapes.com:81/house/;
>             proxy_pass $proxy_pass_url;
>         }    # end of location block
>
>     }    # end of ClearwaterEscapes server block
>
>     server {    # configuration of freshpondrentals HTTP virtual port 80 server
>         listen 80;
>         server_name freshpondrentals.com www.freshpondrentals.com;
>
>         location / {
>             # send local host requests of the form http://freshpondrentals.com to
>             # http://freshpondrentals.com:8080/vo/camb
>             proxy_pass http://freshpondrentals.com:8080/vo/camb/;
>         }    # end of location block
>
>         location /StudioApartment/ {
>             # send local host requests of the form
>             # http://freshpondrentals.com/camb/StudioApartment
>             # to
>             # http://freshpondrentals.com:8080/vo/camb/StudioApartment
>             proxy_pass http://freshpondrentals.com:8080/vo/camb/StudioApartment/index.jsp/;
>         }    # end of location block
>
>     }    # end of freshpondrentals server block
>
>     server {    # configuration of oppsprops HTTP virtual port 80 server
>         listen 80;
>         server_name oppsprops.com www.oppsprops.com;
>
> #       listen 443 ssl;
> #       ssl_certificate "C:/nginx/conf/ssl/certs/oppsprops.com.crt";
> #       ssl_certificate_key "C:/nginx/conf/ssl/keys/oppsprops.com.key";
> #
> #       location / {
> #           proxy_pass http://oppsprops.com:81/;
> #       }    # end of location block
>
>         location ~ /.jsp$ {
>             set $proxy_pass_url http://oppsprops.com:8080;
>             proxy_pass $proxy_pass_url;
>         }    # end of location block
>
>         location / {
>             proxy_pass http://oppsprops.com:8080/;
>         }    # end of location block
>     }    # end of oppsprops server block
>
> }    # end of http block

From hnakamur at gmail.com Sun Feb 4 09:33:40 2024
From: hnakamur at gmail.com (Hiroaki Nakamura)
Date: Sun, 4 Feb 2024 18:33:40 +0900
Subject: Occasional "400 Bad Request" Responses from Nginx

Hello,

During my experimentation with Nginx's rate limit features, I encountered an issue where Nginx occasionally sends "400 Bad Request" responses for requests that appear to be correct.
With further investigation, I discovered that this issue also occurs even when not utilizing the rate limit features.

I have provided a reproduction of this issue on GitHub:
https://github.com/hnakamur/ats-nginx-bad-request/tree/enable_debug_log

Additionally, I have included log files and tcpdump outputs within the repository for further analysis.

Your assistance in investigating this matter would be greatly appreciated.

Thank you.

-- 
中村 弘輝 (Hiroaki Nakamura)
hnakamur at gmail.com

From mdounin at mdounin.ru Sun Feb 4 10:47:28 2024
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Sun, 4 Feb 2024 13:47:28 +0300
Subject: Occasional "400 Bad Request" Responses from Nginx

Hello!
On Sun, Feb 04, 2024 at 06:33:40PM +0900, Hiroaki Nakamura wrote:

> During my experimentation with Nginx's rate limit features, I
> encountered an issue where Nginx occasionally sends "400 Bad Request"
> responses for requests that appear to be correct.
> With further investigation, I discovered that this issue also occurs
> even when not utilizing the rate limit features.
>
> I have provided a reproduction of this issue on GitHub:
> https://github.com/hnakamur/ats-nginx-bad-request/tree/enable_debug_log
>
> Additionally, I have included log files and tcpdump outputs within the
> repository for further analysis.
>
> Your assistance in investigating this matter would be greatly appreciated.

Take a look at the tcpdump, notably the previous request before
400 is returned: it is obviously incomplete, there is just 344
bytes of the request body instead of 1024 bytes promised in
the headers:

https://github.com/hnakamur/ats-nginx-bad-request/blob/7d573464627c834c97fb020997ad4a54777b8181/tcpdump-nginx.port45732.log#L267

12:46:39.140200 ? In IP (tos 0x0, ttl 64, id 32961, offset 0, flags [DF], proto TCP (6), length 373)
    172.18.0.3.45732 > 172.18.0.2.80: Flags [P.], cksum 0x5991 (incorrect -> 0x999c), seq 4036:4357, ack 1087, win 501, options [nop,nop,TS val 948481122 ecr 2789766215], length 321: HTTP, length: 321
	PUT / HTTP/1.1
	Host: nginx
	User-Agent: hey/0.0.1
	Content-Length: 1024
	Content-Type: text/html
	X-Request-Id: 066a1a44a1e961068d479205d489ab85
	Accept-Encoding: gzip
	Client-ip: 172.18.0.4
	X-Forwarded-For: 172.18.0.4
	Via: http/1.1 traffic_server[8e38d2ba-96f3-40ca-8974-a0df3c1575f3] (ApacheTrafficServer/10.0.0)

E..u.. at .@.`............P.J..u.$;....Y......
8..b.HtGPUT / HTTP/1.1
Host: nginx
User-Agent: hey/0.0.1
Content-Length: 1024
Content-Type: text/html
X-Request-Id: 066a1a44a1e961068d479205d489ab85
Accept-Encoding: gzip
Client-ip: 172.18.0.4
X-Forwarded-For: 172.18.0.4
Via: http/1.1 traffic_server[8e38d2ba-96f3-40ca-8974-a0df3c1575f3] (ApacheTrafficServer/10.0.0)

12:46:39.141364 ? In IP (tos 0x0, ttl 64, id 32962, offset 0, flags [DF], proto TCP (6), length 396)
    172.18.0.3.45732 > 172.18.0.2.80: Flags [P.], cksum 0x59a8 (incorrect -> 0xce64), seq 4357:4701, ack 1087, win 501, options [nop,nop,TS val 948481123 ecr 2789766304], length 344: HTTP
E..... at .@.`............P.J..u.$;....Y......
8..c.Ht.0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef01234567

And then the request which "appears to be correct" comes:

12:46:39.183005 ? In IP (tos 0x0, ttl 64, id 32963, offset 0, flags [DF], proto TCP (6), length 52)
    172.18.0.3.45732 > 172.18.0.2.80: Flags [.], cksum 0x5850 (incorrect -> 0x792f), seq 4701, ack 1449, win 501, options [nop,nop,TS val 948481165 ecr 2789766305], length 0
E..4.. at .@.a............P.J.nu.%.....XP.....
8....Ht.

12:46:39.256214 ? In IP (tos 0x0, ttl 64, id 32964, offset 0, flags [DF], proto TCP (6), length 373)
    172.18.0.3.45732 > 172.18.0.2.80: Flags [P.], cksum 0x5991 (incorrect -> 0x5c94), seq 4701:5022, ack 1449, win 501, options [nop,nop,TS val 948481238 ecr 2789766305], length 321: HTTP, length: 321
	PUT / HTTP/1.1
	Host: nginx
	User-Agent: hey/0.0.1
	Content-Length: 1024
	Content-Type: text/html
	X-Request-Id: 371df78553b367dd7b5dc699b920029c
	Accept-Encoding: gzip
	Client-ip: 172.18.0.4
	X-Forwarded-For: 172.18.0.4
	Via: http/1.1 traffic_server[8e38d2ba-96f3-40ca-8974-a0df3c1575f3] (ApacheTrafficServer/10.0.0)

E..u.. at .@.`............P.J.nu.%.....Y......
8....Ht.PUT / HTTP/1.1
Host: nginx
User-Agent: hey/0.0.1
Content-Length: 1024
Content-Type: text/html
X-Request-Id: 371df78553b367dd7b5dc699b920029c
Accept-Encoding: gzip
Client-ip: 172.18.0.4
X-Forwarded-For: 172.18.0.4
Via: http/1.1 traffic_server[8e38d2ba-96f3-40ca-8974-a0df3c1575f3] (ApacheTrafficServer/10.0.0)

12:46:39.258000 ? In IP (tos 0x0, ttl 64, id 32965, offset 0, flags [DF], proto TCP (6), length 1076)
    172.18.0.3.45732 > 172.18.0.2.80: Flags [P.], cksum 0x5c50 (incorrect -> 0xa5cf), seq 5022:6046, ack 1449, win 501, options [nop,nop,TS val 948481240 ecr 2789766305], length 1024: HTTP
E..4.. at .@.]............P.J..u.%.....\P.....
8....Ht.0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

Since the first 680 bytes of this "request" are actually the request
body of the previous request, the request line actually starts
somewhere in "0123456789abcdef0123..." bytes, and the method is
clearly incorrect, as indicated by nginx.

Looks like an ATS bug to me.
-- 
Maxim Dounin
http://mdounin.ru/

From larry.martell at gmail.com Sun Feb 4 21:44:26 2024
From: larry.martell at gmail.com (Larry Martell)
Date: Sun, 4 Feb 2024 16:44:26 -0500
Subject: nginx looking in wrong dir for module

On Fri, Feb 2, 2024 at 8:43 PM Maxim Dounin wrote:
>
> Hello!
>
> On Fri, Feb 02, 2024 at 01:07:40PM -0500, Larry Martell wrote:
>
> > I built nginx from source and it fails to start with:
> >
> > 2024/02/02 13:00:59 [emerg] 1961284#1961284: dlopen()
> > "/usr/modules/ndk_http_module.so" failed
> > (/usr/modules/ndk_http_module.so: cannot open shared object file: No
> > such file or directory) in
> > /etc/nginx/modules-enabled/10-mod-http-ndk.conf:1
> >
> > -V shows:
> >
> > $ sudo /usr/sbin/nginx -V
>
> [...]
>
> > --prefix=/usr
>
> [...]
>
> > --modules-path=/usr/lib/nginx/modules
>
> [...]
>
> > ndk_http_module.so does exist in /usr/lib/nginx/modules/:
> >
> > $ ls -l /usr/lib/nginx/modules/ndk_http_module.so
> > -rw-r--r-- 1 root root 18688 Nov 10 2022
> > /usr/lib/nginx/modules/ndk_http_module.so
> >
> > Why is it looking in the wrong dir for this?
>
> Paths in nginx configuration file are resolved from prefix (with
> the exception of various included configuration files or similar
> resources, which are resolved from configuration prefix).
>
> Your configuration seems to contain
>
> load_module modules/ndk_http_module.so;
>
> which is resolved from /usr to /usr/modules/ndk_http_module.so.
> There is no such file, hence the error.
>
> Note that the --modules-path configure option defines where to
> install modules. It is, however, your responsibility to provide
> proper paths to modules in load_module directives. The
> "modules/foo.so" construct will work with the default
> --modules-path, which is "modules" under prefix, but you'll have
> to use something different if you've modified --modules-path to a
> custom value.

Thanks so much Maxim.
It was not clear at all that --modules-path does not set where it looks for modules and I have to set it with --prefix. I set that to /usr so the nginx executable would end up in /usr/sbin, but I can just copy it there after the make install.

Larry

From larry.martell at gmail.com Sun Feb 4 21:50:58 2024
From: larry.martell at gmail.com (Larry Martell)
Date: Sun, 4 Feb 2024 16:50:58 -0500
Subject: modules after upgrade

On Thu, Feb 1, 2024 at 2:03 PM J Carter wrote:
>
> Hello,
>
> On Thu, 1 Feb 2024 12:28:40 -0500
> Larry Martell wrote:
>
> > On Thu, Feb 1, 2024 at 11:57 AM Sergey A. Osokin wrote:
> > >
> > > Hi Larry,
> > >
> > > On Thu, Feb 01, 2024 at 11:34:08AM -0500, Larry Martell wrote:
> > > > We run Ubuntu 20.04, which has nginx 1.18. I was asked to upgrade it
> > > > to 1.25.3, which I did following the instructions here:
> > > > https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/.
> > > > We had 6 modules installed (http-ndk, http-image-filter, http-lua,
> > > > http-xslt-filter, mail, stream) which all got removed in the upgrade.
> > > > When I try to reinstall them it fails with libnginx-mod-http-ndk :
> > > > Depends: nginx-common (= 1.18.0-0ubuntu1.4) but it is not going to be
> > > > installed. How can I install the modules I need for 1.25.3? Do I have
> > > > to build them from source now?
> > >
> > > There are two types of modules in the list:
> > > - native, developed by nginx development team;
> > > - third-party, from vendors.
> > >
> > > So, http-ndk, [1] and http-lua, [2] are third-party modules. Those
> > > modules need to be recompiled with a corresponding version of nginx.
> > > I'd recommend visiting the reference pages to get details on how to
> > > build those third-party modules.
> > >
> > > References
> > > ----------
> > > 1. https://github.com/vision5/ngx_devel_kit
> > > 2. https://github.com/openresty/lua-nginx-module
> >
> > Hi Sergey,
> >
> > I was able to install nginx-module-image-filter with apt, but
> > http-xslt-filter, mail, stream all fail with the same message Depends:
> > nginx-common (= 1.18.0-0ubuntu1.4).
> >
> > I looked at the 2 links you gave and both talk about building nginx
> > from source to get those modules included. Is that now required? With
> > 1.18 I simply did:
> >
>
> It's nothing to do with version. What you've done is switch from Ubuntu
> provided packages to nginx.org provided packages. Ubuntu provides third
> party binary modules that are not in the official repo.
>
> The list of official packages in the repo can be quickly seen by
> browsing:
> https://nginx.org/packages/mainline/ubuntu/pool/nginx/n/
>
> > sudo apt install lua5.3
> > sudo apt install libluajit-5.1-2
> > sudo apt install lua-sql-mysql
> > sudo apt install libnginx-mod-http-lua
> >
> > Thanks!
> > Larry
>
> For Lua (and Luajit) you can build from source using make files from
> the nginx official packaging mercurial repo:
>
> https://hg.nginx.org/pkg-oss/file/1c4041361462/contrib/src
> https://hg.nginx.org/pkg-oss/file/1c4041361462/build_module.sh
> (1.25.3 commit)
>
> There are many other useful modules there too that are not shipped as
> binaries.
>
> However, I don't believe lua-sql-mysql is included there, so you will
> still need to build that from sources on github:
>
> https://github.com/openresty/lua-resty-mysql

Thanks to all for the replies. The reason we wanted to upgrade to 1.25 was because of the vulnerabilities identified in 1.18. But for now we decided to patch 1.18 to mitigate them. We may end up not needing lua or maybe the 1.25 versions will make it into the Ubuntu repos.
From clima.gabrielphoto at gmail.com Mon Feb 5 21:24:39 2024
From: clima.gabrielphoto at gmail.com (Clima Gabriel)
Date: Mon, 5 Feb 2024 23:24:39 +0200
Subject: ngx_http_v3_init_session function

Hello everyone,

(the code is probably clearer and attached below)
This function modifies what ngx_connection_t->data points to.
ngx_connection_t->data is initially *ngx_http_connection_t.
The *ngx_http_connection_t is assigned to ngx_http_v3_session_t->http_connection
And the *ngx_http_v3_session_t assigned to ngx_connection_t->data.

Result: before ngx_connection_t->data is *ngx_http_connection_t
        after  ngx_connection_t->data is *ngx_http_v3_session_t

My question is: what is the proper way to find out what c->data is at any given time? I need to know this because I'm writing a function which uses the ngx_http_connection_t to obtain the hostname of the request, and it may be invoked before or after the ngx_http_v3_init_session.

ngx_int_t
ngx_http_v3_init_session(ngx_connection_t *c)
{
    ngx_pool_cleanup_t     *cln;
    ngx_http_connection_t  *hc;
    ngx_http_v3_session_t  *h3c;

    /* on entry c->data is still the ngx_http_connection_t */
    hc = c->data;

    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http3 init session");

    h3c = ngx_pcalloc(c->pool, sizeof(ngx_http_v3_session_t));
    if (h3c == NULL) {
        goto failed;
    }

    /* the session keeps the http connection as its first member */
    h3c->http_connection = hc;

    ngx_queue_init(&h3c->blocked);

    h3c->keepalive.log = c->log;
    h3c->keepalive.data = c;
    h3c->keepalive.handler = ngx_http_v3_keepalive_handler;

    h3c->table.send_insert_count.log = c->log;
    h3c->table.send_insert_count.data = c;
    h3c->table.send_insert_count.handler = ngx_http_v3_inc_insert_count_handler;

    cln = ngx_pool_cleanup_add(c->pool, 0);
    if (cln == NULL) {
        goto failed;
    }

    cln->handler = ngx_http_v3_cleanup_session;
    cln->data = h3c;

    /* from here on c->data is the ngx_http_v3_session_t */
    c->data = h3c;

    return NGX_OK;

failed:

    ngx_log_error(NGX_LOG_ERR, c->log, 0, "failed to create http3 session");

    return NGX_ERROR;
}

Regards,
Gabriel
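As an added illustration of the question above (not nginx's code and not from anyone in this thread), this C sketch models the c->data swap with stand-in structs: the session's first member is the http-connection pointer, so a first-member cast reads it correctly after init_session but silently returns a wrong pointer before it, while tracking the connection stage explicitly, which is what the replies below point to, works at both points. All type names and members here are invented stand-ins, not nginx's real layout.

```c
/* Added illustration (not nginx source and not any poster's code): why the
 * object behind c->data cannot be told apart by inspection, and the two ways
 * this thread discusses to reach the http connection.  Struct names mirror
 * nginx's but are stand-ins with invented members. */
#include <stddef.h>
#include <string.h>

/* Stand-in for ngx_http_connection_t: only the field the caller wants. */
typedef struct {
    const char *server_name;
} http_connection_t;

/* Stand-in for ngx_http_v3_session_t.  As in nginx, the FIRST member is the
 * http connection pointer; the cast trick relies on C11 6.7.2.1 (no padding
 * before a struct's first member). */
typedef struct {
    http_connection_t *http_connection;
    unsigned           streams;   /* invented filler after the first member */
} v3_session_t;

/* nginx keeps no such tag; the stage must be known from context.  Here that
 * context is made explicit. */
typedef enum { STAGE_BEFORE_INIT, STAGE_AFTER_INIT } conn_stage_t;

/* Stand-in for ngx_connection_t. */
typedef struct {
    void         *data;
    conn_stage_t  stage;
} connection_t;

/* Mirrors what ngx_http_v3_init_session() does to c->data: the http
 * connection pointer is kept inside the session and c->data is repointed. */
int v3_init_session(connection_t *c, v3_session_t *h3c)
{
    http_connection_t *hc = c->data;

    if (hc == NULL || h3c == NULL || c->stage != STAGE_BEFORE_INIT) {
        return -1;   /* refuse a double init or a bare connection */
    }
    h3c->http_connection = hc;
    h3c->streams = 0;
    c->data = h3c;
    c->stage = STAGE_AFTER_INIT;
    return 0;
}

/* The first-member trick from the thread, done as a byte copy so it stays
 * well-defined C: equivalent to *(http_connection_t **) c->data.  Correct
 * ONLY once c->data is a v3_session_t; before init it reinterprets the first
 * field of http_connection_t as a pointer (silent type confusion). */
http_connection_t *hc_via_first_member(const connection_t *c)
{
    http_connection_t *hc;

    memcpy(&hc, c->data, sizeof hc);
    return hc;
}

/* The safe approach: decide by connection stage, never by guessing. */
http_connection_t *get_http_connection(const connection_t *c)
{
    switch (c->stage) {
    case STAGE_BEFORE_INIT:
        return c->data;
    case STAGE_AFTER_INIT:
        return ((v3_session_t *) c->data)->http_connection;
    }
    return NULL;
}

/* What an SNI-style hostname lookup should do at any stage. */
const char *lookup_server_name(const connection_t *c)
{
    http_connection_t *hc = get_http_connection(c);

    return hc ? hc->server_name : NULL;
}

/* Runs the scenario once; returns 1 when the stage-aware lookup answers the
 * same before and after init while the blind cast is right only after. */
int demo_stage_aware_lookup(void)
{
    http_connection_t  hc = { "example.test" };   /* constructed sample */
    v3_session_t       h3c;
    connection_t       c = { &hc, STAGE_BEFORE_INIT };
    const char        *before, *after;
    int                blind_before, blind_after;

    before = lookup_server_name(&c);
    blind_before = (hc_via_first_member(&c) == &hc);   /* 0: it read a string pointer */
    if (v3_init_session(&c, &h3c) != 0) {
        return 0;
    }
    after = lookup_server_name(&c);
    blind_after = (hc_via_first_member(&c) == &hc);    /* 1: first member is hc */

    return before != NULL && after != NULL && strcmp(before, after) == 0
           && !blind_before && blind_after;
}
```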
From jordanc.carter at outlook.com Tue Feb 6 00:16:31 2024
From: jordanc.carter at outlook.com (J Carter)
Date: Tue, 6 Feb 2024 00:16:31 +0000
Subject: ngx_http_v3_init_session function

Hello,

On Mon, 5 Feb 2024 23:24:39 +0200
Clima Gabriel wrote:

> Hello everyone,
>
> (the code is probably clearer and attached below)
> This function modifies what ngx_connection_t->data points to.
> ngx_connection_t->data is initially *ngx_http_connection_t.
> The *ngx_http_connection_t is assigned to
> ngx_http_v3_session_t->http_connection
> And the *ngx_http_v3_session_t assigned to ngx_connection_t->data.
>
> Result: before ngx_connection_t->data is *ngx_http_connection_t
> after ngx_connection_t->data is *ngx_http_v3_session_t

In C, a pointer to struct can be cast to a pointer to the first member
of that struct, as there is no padding before the first member per the
standard.

The first member of ngx_http_v3_session_t is *ngx_http_connection_t.

Here is the commit where this was implemented.

https://mailman.nginx.org/pipermail/nginx-devel/2023-September/BWH23FTMRUWCUZSNKXJJXEEN76ZYOK62.html

[...]

From jordanc.carter at outlook.com Tue Feb 6 00:44:56 2024
From: jordanc.carter at outlook.com (J Carter)
Date: Tue, 6 Feb 2024 00:44:56 +0000
Subject: ngx_http_v3_init_session function

On Tue, 6 Feb 2024 00:16:31 +0000
J Carter wrote:

> Hello,
>
> On Mon, 5 Feb 2024 23:24:39 +0200
> Clima Gabriel wrote:
>
> > Hello everyone,
> >
> > (the code is probably clearer and attached below)
> > This function modifies what ngx_connection_t->data points to.
> > ngx_connection_t->data is initially *ngx_http_connection_t.
> > The *ngx_http_connection_t is assigned to
> > ngx_http_v3_session_t->http_connection
> > And the *ngx_http_v3_session_t assigned to ngx_connection_t->data.
> >
> > Result: before ngx_connection_t->data is *ngx_http_connection_t
> > after ngx_connection_t->data is *ngx_http_v3_session_t
>
> In C, a pointer to struct can be cast to a pointer to the first member
> of that struct, as there is no padding before the first member per the
> standard.
>
> The first member of ngx_http_v3_session_t is *ngx_http_connection_t.

*Sorry, typo here - first member is ngx_http_connection_t of course.

>
> Here is the commit where this was implemented.
>
> https://mailman.nginx.org/pipermail/nginx-devel/2023-September/BWH23FTMRUWCUZSNKXJJXEEN76ZYOK62.html
>
> [...]

From hnakamur at gmail.com Tue Feb 6 03:30:32 2024
From: hnakamur at gmail.com (Hiroaki Nakamura)
Date: Tue, 6 Feb 2024 12:30:32 +0900
Subject: Occasional "400 Bad Request" Responses from Nginx

Hello,

On Sun, Feb 4, 2024 at 19:48 Maxim Dounin wrote:

> Take a look at the tcpdump, notably the previous request before
> 400 is returned: it is obviously incomplete, there is just 344
> bytes of the request body instead of 1024 bytes promised in
> the headers:

Ah, I missed that. Thanks for pointing it out.
I have filed an issue in the ATS repository.

From jordanc.carter at outlook.com Tue Feb 6 05:08:52 2024
From: jordanc.carter at outlook.com (J Carter)
Date: Tue, 6 Feb 2024 05:08:52 +0000
Subject: ngx_http_v3_init_session function

On Tue, 6 Feb 2024 00:44:56 +0000
J Carter wrote:

> On Tue, 6 Feb 2024 00:16:31 +0000
> J Carter wrote:
>
> > Hello,
> >
> > On Mon, 5 Feb 2024 23:24:39 +0200
> > Clima Gabriel wrote:
> >
> > > Hello everyone,
> > >
> > > (the code is probably clearer and attached below)
> > > This function modifies what ngx_connection_t->data points to.
> > > ngx_connection_t->data is initially *ngx_http_connection_t.
> > > The *ngx_http_connection_t is assigned to
> > > ngx_http_v3_session_t->http_connection
> > > And the *ngx_http_v3_session_t assigned to ngx_connection_t->data.
> > >
> > > Result: before ngx_connection_t->data is *ngx_http_connection_t
> > > after ngx_connection_t->data is *ngx_http_v3_session_t
> >
> > In C, a pointer to struct can be cast to a pointer to the first member
> > of that struct, as there is no padding before the first member per the
> > standard.
> >
> > The first member of ngx_http_v3_session_t is *ngx_http_connection_t.
>
> *Sorry, typo here - first member is ngx_http_connection_t of course.
>
> >
> > Here is the commit where this was implemented.
> >
> > https://mailman.nginx.org/pipermail/nginx-devel/2023-September/BWH23FTMRUWCUZSNKXJJXEEN76ZYOK62.html
> >
> > [...]

Oh, I've just realized that is the wrong patch. There were a couple of
reworks to that patch later that I missed.

Here is the actual changeset version, with *ngx_http_connection_t as
you say:

https://hg.nginx.org/nginx/rev/4939fd04737f

It appears that this macro should be used to get ngx_http_connection_t:

https://hg.nginx.org/nginx/file/tip/src/http/v3/ngx_http_v3.h#l85

However it's likely a good idea to wait to see if the author/s will
comment on whether that is safe and correct in all situations.

From arut at nginx.com Wed Feb 7 09:28:53 2024
From: arut at nginx.com (Roman Arutyunyan)
Date: Wed, 7 Feb 2024 13:28:53 +0400
Subject: ngx_http_v3_init_session function
Message-ID: <20240207092853.j3h4sn2f4rb2fy3q@N00W24XTQX>

Hi,

On Mon, Feb 05, 2024 at 11:24:39PM +0200, Clima Gabriel wrote:
> Hello everyone,
>
> (the code is probably clearer and attached below)

Please note that this mailing list is not for development questions.
We have a separate list nginx-devel at nginx.org for this.

> This function modifies what ngx_connection_t->data points to.
> ngx_connection_t->data is initially *ngx_http_connection_t.
> The *ngx_http_connection_t is assigned to
> ngx_http_v3_session_t->http_connection
> And the *ngx_http_v3_session_t assigned to ngx_connection_t->data.
>
> Result: before ngx_connection_t->data is *ngx_http_connection_t
> after ngx_connection_t->data is *ngx_http_v3_session_t
>
> My question is: what is the proper way to find out what c->data is at any
> given time? I need to know this because I'm writing a function which uses
> the ngx_http_connection_t to obtain the hostname of the request, and it may
> be invoked before or after the ngx_http_v3_init_session.

There's no way to tell what object is referenced by c->data without taking
context into consideration. Similarly you can't do that for HTTP/1 either.

You need to know what the current connection stage is to tell this.
ngx_http_v3_init_session() is called right before initializing QUIC streams for
the session.

When exactly do you call your function?

[..]

-- 
Roman Arutyunyan

From clima.gabrielphoto at gmail.com Wed Feb 7 13:34:42 2024
From: clima.gabrielphoto at gmail.com (Clima Gabriel)
Date: Wed, 7 Feb 2024 15:34:42 +0200
Subject: ngx_http_v3_init_session function
In-Reply-To: <20240207092853.j3h4sn2f4rb2fy3q@N00W24XTQX>
References: <20240207092853.j3h4sn2f4rb2fy3q@N00W24XTQX>

Hello Roman,

Thank you. Noted about the mailing list.

My function will be called from / inline in ngx_http_ssl_servername.
ngx_http_ssl_servername itself is registered as an SNI TLS extension callback like this:

#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME

    if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
                                               ngx_http_ssl_servername)
        == 0)
    {
        ngx_log_error(NGX_LOG_WARN, cf->log, 0,
            "nginx was built with SNI support, however, now it is linked "
            "dynamically to an OpenSSL library which has no tlsext support, "
            "therefore SNI is not available");
    }

#endif

./src/http/modules/ngx_http_ssl_module.c

Regards,
Gabriel

On Wed, Feb 7, 2024 at 11:29 AM Roman Arutyunyan wrote:

> Hi,
>
> On Mon, Feb 05, 2024 at 11:24:39PM +0200, Clima Gabriel wrote:
> > Hello everyone,
> >
> > (the code is probably clearer and attached below)
>
> Please note that this mailing list is not for development questions.
> We have a separate list nginx-devel at nginx.org for this.
>
> > This function modifies what ngx_connection_t->data points to.
> > ngx_connection_t->data is initially *ngx_http_connection_t.
> > The *ngx_http_connection_t is assigned to
> > ngx_http_v3_session_t->http_connection
> > And the *ngx_http_v3_session_t assigned to ngx_connection_t->data.
> >
> > Result: before ngx_connection_t->data is *ngx_http_connection_t
> > after ngx_connection_t->data is *ngx_http_v3_session_t
> >
> > My question is: what is the proper way to find out what c->data is at any
> > given time? I need to know this because I'm writing a function which uses
> > the ngx_http_connection_t to obtain the hostname of the request, and it
> > may be invoked before or after the ngx_http_v3_init_session.
>
> There's no way to tell what object is referenced by c->data without taking
> context into consideration. Similarly you can't do that for HTTP/1 either.
>
> You need to know what the current connection stage is to tell this.
> ngx_http_v3_init_session() is called right before initializing QUIC
> streams for the session.
>
> When exactly do you call your function?
>
> [..]
>
> --
> Roman Arutyunyan

From victor at camb.com Wed Feb 7 19:21:09 2024
From: victor at camb.com (Victor Oppenheimer)
Date: Wed, 7 Feb 2024 14:21:09 -0500
Subject: Serving pdf configuration issue

I am running nginx 1.24.0 on a computer with Windows Server 2016 Server standard OS.

I am trying to use nginx to function as a reverse proxy server when it receives requests for some URLs and to directly serve web pages for others. I was successful in configuring nginx to do the reverse proxy serving.

However, when I tried to directly serve some .pdf pages I kept getting errors. To isolate the problem I edited nginx.config to only function as a direct server for a .pdf file.

I have a file named camprental.pdf in the directory
    C:\Users\victor\My Drive\Properties\rental_manuals_documents_and_email_templates\Clearwater

I want users to be able to browse to:
    www.clearwaterescapes.com/camp/camprental.pdf
to see the file.

The nginx.conf file I am using to try to accomplish this is copied below.

When I start nginx with this config file and browse to:
    http://clearwaterescapes.com/camp/camprrental.pdf
I receive the following error message:
    This page isn't working right now
    clearwaterescapes.com redirected you too many times.

I assume that I am probably making a simple error. But I do not see it. Hopefully somebody will point it out.
---
Victor

The nginx.config file follows:
________________________________________________

# directives in the 'main' context
worker_processes auto;

events {    # events context/block
    # configuration of connection processing
}

http {    # http context specific to HTTP affecting all virtual servers
    server_names_hash_bucket_size 64;  # avoids error message for multiple server_Name entries

    server {
        listen 80;
        server_name clearwaterescapes.com;

        # Make incoming URLs lowercase
        rewrite ^(.*)$ /$1 permanent;

        # Rewrite rule for PDF files
        rewrite ^clearwaterescapes.com/camp/camprental.pdf$ http://www.clearwaterescapes.com/documentation/camprental.pdf break;

        # avoid errors when favicon.ico file is missing
        location = /favicon.ico {
            access_log off;
            log_not_found off;
            return 204;
        }

        location ~* ^/documentation/ {
            # Convert URL to lowercase and capture filename
            rewrite ^/documentation/(.*)$ /documentation/$1 break;

            # Serve documentation files directly
            root "C:/Users/victor/My Drive/Properties/rental_manuals_documents_and_email_templates/clearwater";
            try_files /$1 =404;
        }

        # Add location block for /camp/ requests
        location ~* ^/camp/ {
            root "C:/Users/victor/My Drive/Properties/rental_manuals_documents_and_email_templates/clearwater";
            try_files $uri =404;
        }

        # Other server configuration...
    }    # end of ClearwaterEscapes server block
}    # end of http block

From xeioex at nginx.com  Wed Feb  7 23:18:08 2024
From: xeioex at nginx.com (Dmitry Volyntsev)
Date: Wed, 7 Feb 2024 15:18:08 -0800
Subject: njs-0.8.3
Message-ID: <63f4277a-fe47-490c-9095-78c05bbde9a4@nginx.com>

Hello,

I'm glad to announce a new release of NGINX JavaScript module (njs).

This release focuses on stabilization of recently released features and
fixing bugs found by various fuzzers.
Learn more about njs:

- Overview and introduction:
      https://nginx.org/en/docs/njs/
- NGINX JavaScript in Your Web Server Configuration:
      https://youtu.be/Jc_L6UffFOs
- Extending NGINX with Custom Code:
      https://youtu.be/0CVhq4AUU7M
- Using node modules with njs:
      https://nginx.org/en/docs/njs/node_modules.html
- Writing njs code using TypeScript definition files:
      https://nginx.org/en/docs/njs/typescript.html

Feel free to try it and give us feedback on:

- Github:
      https://github.com/nginx/njs/issues
- Mailing list:
      https://mailman.nginx.org/mailman/listinfo/nginx-devel

Additional examples and howtos can be found here:

- Github:
      https://github.com/nginx/njs-examples

Changes with njs 0.8.3                                       07 Feb 2024

    nginx modules:

    *) Bugfix: fixed Headers.set().

    *) Bugfix: fixed js_set with Buffer values.

    *) Bugfix: fixed clear() method of a shared dictionary when
       timeout is not specified.

    *) Bugfix: fixed stub_status statistic when js_periodic is
       enabled.

    Core:

    *) Bugfix: fixed building with libxml2 2.12 and later.

    *) Bugfix: fixed Date constructor for overflows and with
       NaN values.

    *) Bugfix: fixed underflow in querystring.parse().

    *) Bugfix: fixed potential buffer overread in
       String.prototype.match().

    *) Bugfix: fixed parsing of for-in loops.

    *) Bugfix: fixed parsing of hexadecimal, octal, and binary
       literals with no digits.

From mdounin at mdounin.ru  Fri Feb  9 02:52:18 2024
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Fri, 9 Feb 2024 05:52:18 +0300
Subject: Serving pdf configuration issue
In-Reply-To:
References:
Message-ID:

Hello!

On Wed, Feb 07, 2024 at 02:21:09PM -0500, Victor Oppenheimer wrote:

> I am running nginx 1.24.0 on a computer with
> Windows Server 2016 Server standard OS.
> 
> I am trying to use nginx to function as a reverse proxy
> server when it receives requests for some URLs and
> to directly serve web pages for others. I was successful in
> configuring nginx to do the reverse proxy serving.
> 
> However, when I tried to directly serve some .pdf pages I kept
> getting errors. To isolate the problem I edited nginx.config
> to only function as a direct server for a .pdf file.
> 
> I have a file named camprental.pdf in the directory
>     C:\Users\victor\My Drive\Properties\rental_manuals_documents_and_email_templates\Clearwater
> 
> I want users to be able to browse to:
>     www.clearwaterescapes.com/camp/camprental.pdf to see the file.
> 
> The nginx.conf file I am using to try to accomplish this is copied below.
> 
> When I start nginx with this config file and browse to:
>     http://clearwaterescapes.com/camp/camprrental.pdf
> 
> I receive the following error message:
>     This page isn't working right now
>     clearwaterescapes.com redirected you too many times.
> 
> I assume that I am probably making a simple error. But I do not see it.
> 
> Hopefully somebody will point it out.

[...]

>  server {
>     listen 80;
>     server_name clearwaterescapes.com;
> 
>        # Make incoming URLs lowercase
>     rewrite ^(.*)$ /$1 permanent;

This is going to be an infinite redirection loop, as you redirect any
requests to the same URI. Likely this is what causes the "redirected
too many times" error you are seeing.

> 
>   # Rewrite rule for PDF files
>   rewrite ^clearwaterescapes.com/camp/camprental.pdf$ http://www.clearwaterescapes.com/documentation/camprental.pdf break;

This is not going to work, as rewrite works with URI as seen in the
HTTP request, that is, URI path, and it doesn't contain domain. (And
it does not seem to be needed, given the following locations.)
> 
>     # avoid errors when favicon.ico file is missing
>     location = /favicon.ico {
>         access_log off;
>         log_not_found off;
>         return 204;
>     }
> 
>     location ~* ^/documentation/ {
>         # Convert URL to lowercase and capture filename
>         rewrite ^/documentation/(.*)$ /documentation/$1 break;
> 
>         # Serve documentation files directly
>         root "C:/Users/victor/My Drive/Properties/rental_manuals_documents_and_email_templates/clearwater";
>         try_files /$1 =404;

Just

    location /documentation/ {
        alias "C:/.../clearwater/";
    }

should do the trick.

>     }
> 
>     # Add location block for /camp/ requests
>   location ~* ^/camp/ {
>     root "C:/Users/victor/My Drive/Properties/rental_manuals_documents_and_email_templates/clearwater";
>     try_files $uri =404;
> }

There is no need to use regex location here, just a prefix one will
be equivalent on Windows (since on Windows location matching is
caseless). Similarly, in most cases there is no need to use
try_files, as simply serving static files is equivalent (unless you
specifically want to return 404 for directories). That is, just

    location /camp/ {
        root "C:/.../clearwater";
    }

would be (mostly) equivalent.

But, given that you want "/camp/camprental.pdf" to access the file in
the "C:/.../Clearwater" directory, the correct approach would be to
use "alias" instead of "root", similarly to the above.

    location /camp/ {
        alias "C:/.../clearwater/";
    }

Hope this helps.

-- 
Maxim Dounin
http://mdounin.ru/

From arut at nginx.com  Fri Feb  9 11:57:52 2024
From: arut at nginx.com (Roman Arutyunyan)
Date: Fri, 9 Feb 2024 15:57:52 +0400
Subject: ngx_http_v3_init_session function
In-Reply-To:
References: <20240207092853.j3h4sn2f4rb2fy3q@N00W24XTQX>
Message-ID: <20240209115752.se7nxy42veki7wcm@N00W24XTQX>

Hi Gabriel,

On Wed, Feb 07, 2024 at 03:34:42PM +0200, Clima Gabriel wrote:
> Hello Roman,
> Thank you. Noted about the mailing list.
> 
> My function will be called from / inline in ngx_http_ssl_servername.
> ngx_http_ssl_servername itself is registered as an SNI TLS extension
> callback like this:
> 
> #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
> 
>     if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
>                                                ngx_http_ssl_servername)
>         == 0)
>     {
>         ngx_log_error(NGX_LOG_WARN, cf->log, 0,
>             "nginx was built with SNI support, however, now it is linked "
>             "dynamically to an OpenSSL library which has no tlsext support, "
>             "therefore SNI is not available");
>     }
> 
> #endif
> ./src/http/modules/ngx_http_ssl_module.c

As you see in ngx_http_ssl_servername() code, it already assumes that
c->data references a ngx_http_connection_t object, so can you.

> Regards,
> Gabriel

[...]
-- 
Roman Arutyunyan

From david at connors.com  Sat Feb 10 05:14:02 2024
From: david at connors.com (David Connors)
Date: Sat, 10 Feb 2024 15:14:02 +1000
Subject: International characters and serving files
Message-ID:

Hi All,

I have moved off IIS/Windows onto nginx on ubuntu a while back. Since
doing so I receive 404s for files with international characters in
their name. I've added the charset utf-8 directive to the nginx config.
Looking at the request:

https://www.davidconnors.com/wp-content/uploads/2022/08/Aliinale-Für-Alina.pdf

Confirm that it exists on the filesystem:

-rwx------ 1 www-data www-data 10560787 Aug 21  2022 Aliinale-Für-Alina.pdf

If I copy that from that name to a.pdf and request that, it serves fine.

Access log shows the character with the diacritic mark is escaped:

172.68.210.38 - - [10/Feb/2024:05:11:27 +0000] "GET /wp-content/uploads/2022/08/Aliinale-F%C3%BCr-Alina.pdf HTTP/1.1" 404 27524 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2.1 Safari/605.1.15"

What configuration directive am I missing?

TIA,

David.
From mdounin at mdounin.ru  Sat Feb 10 14:24:34 2024
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Sat, 10 Feb 2024 17:24:34 +0300
Subject: International characters and serving files
In-Reply-To:
References:
Message-ID:

Hello!

On Sat, Feb 10, 2024 at 03:14:02PM +1000, David Connors wrote:

> Hi All,
> 
> I have moved off IIS/Windows onto nginx on ubuntu a while back. Since doing
> so I receive 404s for files with international characters in their name.
> I've added the charset utf-8 directive to the nginx config. Looking at the
> request:
> 
> https://www.davidconnors.com/wp-content/uploads/2022/08/Aliinale-Für-Alina.pdf
> 
> Confirm that it exists on the filesystem:
> 
> -rwx------ 1 www-data www-data 10560787 Aug 21  2022 Aliinale-Für-Alina.pdf
> 
> If I copy that from that name to a.pdf and request that, it serves fine.
> 
> Access log shows the character with the diacritic mark is escaped:
> 172.68.210.38 - - [10/Feb/2024:05:11:27 +0000] "GET
> /wp-content/uploads/2022/08/Aliinale-F%C3%BCr-Alina.pdf HTTP/1.1" 404 27524
> "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15
> (KHTML, like Gecko) Version/17.2.1 Safari/605.1.15"
> 
> What configuration directive am I missing?

File names on Unix systems are typically stored as bytes, and it
is the user's responsibility to interpret them according to a
particular character set.

As long as nginx returns 404, this suggests that you don't have a
file with the name with C3 BC UTF-8 bytes in it: instead, there is
something different. My best guess is that you are using Latin1
as a charset for your terminal, and there is an FC byte instead. To
see what's there in fact, consider looking at the raw bytes in the
file name with something like "ls | hd".

Also, you can use nginx autoindex module - it will generate a page
with properly escaped links, so it will be possible to access
files regardless of the charset used in the file names.
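An added illustration of the point above (example code, not from the thread or from nginx): percent-decode the request path from David's access log into raw bytes and compare it with a constructed directory listing that holds the Latin-1 spelling. The helper names, the sample listing and the rename/autoindex helpers are made up here; only the request path and file name come from the thread.

```python
"""Why a UTF-8 request 404s against a Latin-1 file name.

Added example for the thread above; it is not code from the mailing list
or from nginx. nginx percent-decodes the request path and opens the result
as raw bytes, so the browser's %C3%BC (UTF-8 for "ü") can only match a
directory entry that really contains the bytes C3 BC. The directory
listing below is constructed: it holds the single-byte 0xFC spelling a
Latin-1 terminal produces, which is the situation Maxim describes.
"""
import os
from urllib.parse import quote_from_bytes, unquote_to_bytes


def requested_name(uri_path: str) -> bytes:
    """Percent-decode the last path segment into the raw bytes nginx
    will hand to open(2): 'F%C3%BCr' becomes b'F\\xc3\\xbcr'."""
    return unquote_to_bytes(uri_path.rsplit("/", 1)[-1])


def hexdump(data: bytes) -> str:
    """Render bytes the way 'ls | hd' would show them, e.g. 'c3 bc'."""
    return " ".join(f"{b:02x}" for b in data)


def scan_directory(path: str) -> list:
    """Real-world input: a directory listing as raw byte names, undecoded."""
    return os.listdir(os.fsencode(path))


def diagnose(entries: list, uri_path: str) -> dict:
    """Report whether the decoded request bytes exist in `entries` (raw byte
    names) and which entries spell the same text under another charset."""
    wanted = requested_name(uri_path)
    try:
        wanted_text = wanted.decode("utf-8")
    except UnicodeDecodeError:
        wanted_text = None  # request bytes are not UTF-8; no text to compare
    lookalikes = []
    for name in entries:
        if name == wanted or wanted_text is None:
            continue
        for charset in ("utf-8", "latin-1"):
            try:
                decoded = name.decode(charset)
            except UnicodeDecodeError:
                continue
            if decoded == wanted_text:
                lookalikes.append((name, charset))
                break
    return {
        "wanted": wanted,
        "wanted_hex": hexdump(wanted),
        "found": wanted in entries,
        "lookalikes": lookalikes,
    }


def rename_plan(entries: list, uri_path: str):
    """The fix David applied with mv: rename the look-alike so its bytes are
    exactly what the decoded URI asks for. Returns (old, new) or None."""
    report = diagnose(entries, uri_path)
    if report["found"] or not report["lookalikes"]:
        return None
    old, _charset = report["lookalikes"][0]
    return old, report["wanted"]


def autoindex_link(name: bytes) -> str:
    """Maxim's alternative: a link escaped byte-for-byte (as autoindex does)
    round-trips to the stored bytes whatever charset they are in."""
    return quote_from_bytes(name)


# Constructed sample: the Latin-1 spelling from shell autocompletion
# (single 0xFC byte) sits on disk; the browser sends the UTF-8 spelling.
SAMPLE_ENTRIES = [b"Aliinale-F\xfcr-Alina.pdf", b"a.pdf"]
SAMPLE_URI = "/wp-content/uploads/2022/08/Aliinale-F%C3%BCr-Alina.pdf"

if __name__ == "__main__":
    report = diagnose(SAMPLE_ENTRIES, SAMPLE_URI)
    print("requested bytes :", report["wanted_hex"])
    print("exact match     :", report["found"])
    for name, charset in report["lookalikes"]:
        print(f"look-alike ({charset}):", hexdump(name))
    plan = rename_plan(SAMPLE_ENTRIES, SAMPLE_URI)
    if plan:
        print("rename", plan[0], "->", plan[1])
    print("autoindex link  :", autoindex_link(SAMPLE_ENTRIES[0]))
```

Against a real upload directory, replace SAMPLE_ENTRIES with scan_directory(path) to get the same report for the bytes actually on disk.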
-- 
Maxim Dounin
http://mdounin.ru/

From david at connors.com  Sun Feb 11 02:07:11 2024
From: david at connors.com (David Connors)
Date: Sun, 11 Feb 2024 12:07:11 +1000
Subject: International characters and serving files
In-Reply-To:
References:
Message-ID:

On Sun, 11 Feb 2024 at 00:24, Maxim Dounin wrote:

> File names on Unix systems are typically stored as bytes, and it
> is the user's responsibility to interpret them according to a
> particular character set.
>
> As long as nginx returns 404, this suggests that you don't have a
> file with the name with C3 BC UTF-8 bytes in it: instead, there is
> something different. My best guess is that you are using Latin1
> as a charset for your terminal, and there is an FC byte instead. To
> see what's there in fact, consider looking at the raw bytes in the
> file name with something like "ls | hd".
>
> Also, you can use nginx autoindex module - it will generate a page
> with properly escaped links, so it will be possible to access
> files regardless of the charset used in the file names.
>

You were spot on Maxim. Thank you so much. I fixed it with

mv Aliinale-Für-Alina.pdf Aliinale-Für-Alina.pdf

where the first was the autocompletion from the shell and the second was
the UTF-8 pasted from WordPress.

From victor at camb.com  Sun Feb 11 22:15:44 2024
From: victor at camb.com (Victor Oppenheimer)
Date: Sun, 11 Feb 2024 17:15:44 -0500
Subject: SSL issue
Message-ID:

Thank you so much for the help you have provided me with nginx on my
Windows 2016 server thus far.

I'm now attempting to add serving https files to my configuration.
Although I want to eventually support a number of servers being browsed
for both http and https pages, I am starting with my oppsprops.com
website.

I generated an SSL certificate and private key for the website.
I stored them at the following paths:
    C:\nginx\conf\ssl\certs\oppsprops_com.crt
    and
    C:\nginx\conf\ssl\keys\oppsprops.com.private.key

I then tried to start nginx with various versions of my nginx.config
file with differing results as described below.

I suspect that this only needs a small tweak ... but would appreciate
some guidance in addressing the issue.

Thanks,
    Victor

The following full nginx.config file with commented SSL configuration
statements serves http:\\oppsprops.com successfully.

# directives in the 'main' context
# serves all sites http not https
# uses Adobe Tomcat to serve PDFs which must be in proper case
worker_processes auto;

events {    # events context/block
    # configuration of connection processing
}

http {    # http context specific to HTTP affecting all virtual servers
    server_names_hash_bucket_size 64;  # avoid multiple server_Name entry errors

    server {  # configure oppsprops server
        listen              80;
#       listen              443 ssl;
        server_name oppsprops.com www.oppsprops.com;
#       ssl_certificate c:/nginx/conf/ssl/certs/oppsprops_com.crt;
#       ssl_certificate_key c:/nginx/conf/ssl/keys/oppsprops.com.private.key;

        location /{  # process oppsprops domain using Adobe Tomcat
            proxy_pass http://127.0.0.1:8080/vo/;
        } # end of location block
    } # end of OppsProps server block

    server {    # configuration of clearwaterescapes HTTP server
        server_name clearwaterescapes.com www.clearwaterescapes.com;
        listen 80;

        # avoid errors when favicon.ico file is missing
        location = /favicon.ico {
            access_log off;
            log_not_found off;
            return 204;
        }

        location / {
            # send  http://clearwaterescapes.com to Adobe Tomcat
            proxy_pass http://127.0.0.1:8080/vo/Clearwater/;
        } # end of location block
    } # end of clearwaterescapes server block

    server {    # configure freshpondrentals server
        server_name FreshPondRentals.com www.freshpondrentals.com;
        listen 80;
        # rewrite ^(.*)$ /$1 permanent;  # Make incoming URLs lowercase

        # avoid errors when favicon.ico file is missing
        location = /favicon.ico {
            access_log off;
            log_not_found off;
            return 204;
        }

        location / {
            # proxy freshpondrentals pages to Adobe Tomcat
            proxy_pass http://127.0.0.1:8080/vo/camb/;
        } # end of location block
    } # end of freshpondrentals server block

    server { # configure yogisource HTTP port 80 server
        server_name yogisource.com www.yogisource.com;
        listen 80;

        location / {
            proxy_pass http://yogisource.com:81/;
        } # end of location block
    } # end of yogisource server block
} # end of http block

______________________________________

Modifying the nginx.config file above to include the following statements
produces the following error.log file errors and nginx fails to start:

    server {  # configure oppsprops server
        listen              80;
        listen              443 ssl;
        server_name oppsprops.com www.oppsprops.com;
        ssl_certificate     conf/ssl/certs/oppsprops_com.crt;
        ssl_certificate_key conf/ssl/keys/oppsprops.com.private.key;

2024/02/11 14:34:08 [emerg] 14600#11064: cannot load certificate "C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt": BIO_new_file() failed (SSL: error:02001003:system library:fopen:No such process:fopen('C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
2024/02/11 14:34:10 [emerg] 9048#12520: cannot load certificate "C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt": BIO_new_file() failed (SSL: error:02001003:system library:fopen:No such process:fopen('C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
2024/02/11 14:34:14 [emerg] 6620#16260: cannot load certificate "C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt": BIO_new_file() failed (SSL: error:02001003:system library:fopen:No such process:fopen('C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
2024/02/11 14:34:22 [emerg] 13008#12828: cannot load certificate "C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt": BIO_new_file() failed (SSL: error:02001003:system library:fopen:No such process:fopen('C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
2024/02/11 14:34:38 [emerg] 13928#1068: cannot load certificate "C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt": BIO_new_file() failed (SSL: error:02001003:system library:fopen:No such process:fopen('C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
2024/02/11 14:35:10 [emerg] 3664#8660: cannot load certificate "C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt": BIO_new_file() failed (SSL: error:02001003:system library:fopen:No such process:fopen('C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)

_________

Modifying the nginx.config file above to include the following statements
produces no error.log errors but fails to load the page with a browser
error of:
    This site can't be reached
    oppsprops.com refused to connect.

    server {  # configure oppsprops server
        listen              80;
        listen              443 ssl;
        server_name oppsprops.com www.oppsprops.com;
        ssl_certificate     ssl/certs/oppsprops_com.crt;
        ssl_certificate_key ssl/keys/oppsprops.com.private.key;

        location /{  # process oppsprops domain using Adobe Tomcat
            proxy_pass http://127.0.0.1:8080/vo/;
        } # end of location block
    } # end of OppsProps server block

_________________

Modifying the nginx.config file above to include the following statements
also produces no error.log errors but fails to load the page with a
browser error of:
    This site can't be reached
    oppsprops.com refused to connect.
    server {  # configure oppsprops server
        listen              80;
        listen              443 ssl;
        server_name oppsprops.com www.oppsprops.com;
        ssl_certificate     /ssl/certs/oppsprops_com.crt;
        ssl_certificate_key /ssl/keys/oppsprops.com.private.key;

        location /{  # process oppsprops domain using Adobe Tomcat
            proxy_pass http://127.0.0.1:8080/vo/;
        } # end of location block
    } # end of OppsProps server block

______________________________

Modifying the nginx.config file above to include the following statements
also produces no error.log errors but fails to load the page with a
browser error of:
    This site can't be reached
    oppsprops.com refused to connect.

    server {  # configure oppsprops server
        listen              80;
        listen              443 ssl;
        server_name oppsprops.com www.oppsprops.com;
        ssl_certificate     c:/nginx/conf/ssl/certs/oppsprops_com.crt;
        ssl_certificate_key c:/nginx/conf/ssl/keys/oppsprops.com.private.key;

        location /{  # process oppsprops domain using Adobe Tomcat
            proxy_pass http://127.0.0.1:8080/vo/;
        } # end of location block
    } # end of OppsProps server block

From teward at thomas-ward.net  Sun Feb 11 22:47:41 2024
From: teward at thomas-ward.net (Thomas Ward)
Date: Sun, 11 Feb 2024 22:47:41 +0000
Subject: SSL issue
In-Reply-To:
References:
Message-ID:

Your SSL listen commands are commented out and so are your cert
declarations. Uncomment them and restart your nginx and see if that
fixes it.

Sent from my Galaxy

-------- Original message --------
From: Victor Oppenheimer
Date: 2/11/24 17:17 (GMT-05:00)
To: Jeremy Cocks via nginx
Subject: SSL issue

[...]
From teward at thomas-ward.net  Sun Feb 11 22:51:42 2024
From: teward at thomas-ward.net (Thomas Ward)
Date: Sun, 11 Feb 2024 22:51:42 +0000
Subject: SSL issue
In-Reply-To:
References:
Message-ID:

I misread. NGINX doesn't see the certs exist, meaning whatever user is
running it doesn't have permissions. Make sure your user running NGINX
has access down the whole folder chain.

Sent from my Galaxy

-------- Original message --------
From: Victor Oppenheimer
Date: 2/11/24 17:17 (GMT-05:00)
To: Jeremy Cocks via nginx
Subject: SSL issue

[...]
Although I want to eventually support
a number of servers being browsed for both http and https
pages, I am starting with my oppsprops.com website.

I generated an SSL certificate and private key for the website.

I stored them at the following paths:
     C:\nginx\conf\ssl\certs\oppsprops_com.crt
     and
     C:\nginx\conf\ssl\keys\oppsprops.com.private.key

I then tried to start nginx with various versions of my
nginx.config file with differing results as described below.

I suspect that this only needs a small tweak ... but would appreciate
some guidance in addressing the issue.

Thanks,
     Victor

The following full nginx.config file with commented SSL
configuration statements serves http://oppsprops.com
successfully.

# directives in the 'main' context

# serves all sites http not https
# uses Adobe Tomcat to serve PDFs which must be in proper case

worker_processes auto;
events {    # events context/block
      # configuration of connection processing
             }

  http {    # http context specific to HTTP affecting all virtual servers
   server_names_hash_bucket_size 64;  # avoid multiple server_Name entry errors

   server {  # configure oppsprops server
     listen              80;
#    listen              443 ssl;
     server_name oppsprops.com www.oppsprops.com;

#    ssl_certificate c:/nginx/conf/ssl/certs/oppsprops_com.crt;
#    ssl_certificate_key c:/nginx/conf/ssl/keys/oppsprops.com.private.key;

     location /{  # process oppsprops domain using Adobe Tomcat
         proxy_pass http://127.0.0.1:8080/vo/;
         } # end of location block
     } # end of OppsProps server block

    server {    # configuration of clearwaterescapes HTTP server
     server_name clearwaterescapes.com www.clearwaterescapes.com;
     listen 80;

     # avoid errors when favicon.ico file is missing
     location = /favicon.ico {
         access_log off;
         log_not_found off;
         return 204;
     }

      location / {
       # send http://clearwaterescapes.com to Adobe Tomcat
       proxy_pass http://127.0.0.1:8080/vo/Clearwater/;
       } # end of location block
   } # end of clearwaterescapes server block

   server {    # configure freshpondrentals server
     server_name FreshPondRentals.com www.freshpondrentals.com;
     listen 80;

     # rewrite ^(.*)$ /$1 permanent;  # Make incoming URLs lowercase

     # avoid errors when favicon.ico file is missing
     location = /favicon.ico {
         access_log off;
         log_not_found off;
         return 204;
     }

     location / {
       # proxy freshpondrentals pages to Adobe Tomcat
       proxy_pass http://127.0.0.1:8080/vo/camb/;
       } # end of location block
   } # end of freshpondrentals server block

   server { # configure yogisource HTTP port 80 server
     server_name yogisource.com www.yogisource.com;
     listen 80;

     location / {
       proxy_pass http://yogisource.com:81/;
       } # end of location block

   } # end of yogisource server block

} # end of http block


______________________________________
Modifying the nginx.config file above to include the following statements
produces the following error.log file errors and nginx fails to start

   server {  # configure oppsprops server
     listen              80;
     listen              443 ssl;
     server_name oppsprops.com www.oppsprops.com;
     ssl_certificate     conf/ssl/certs/oppsprops_com.crt;
     ssl_certificate_key conf/ssl/keys/oppsprops.com.private.key;

2024/02/11 14:34:08 [emerg] 14600#11064: cannot load certificate
"C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt": BIO_new_file() failed
(SSL: error:02001003:system library:fopen:No such
process:fopen('C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt','r')
error:2006D080:BIO routines:BIO_new_file:no such file)
2024/02/11 14:34:10 [emerg] 9048#12520: cannot load certificate
"C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt": BIO_new_file() failed
(SSL: error:02001003:system library:fopen:No such
process:fopen('C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt','r')
error:2006D080:BIO routines:BIO_new_file:no such file)
2024/02/11 14:34:14 [emerg] 6620#16260: cannot load certificate
"C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt": BIO_new_file() failed
(SSL: error:02001003:system library:fopen:No such
process:fopen('C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt','r')
error:2006D080:BIO routines:BIO_new_file:no such file)
2024/02/11 14:34:22 [emerg] 13008#12828: cannot load certificate
"C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt": BIO_new_file() failed
(SSL: error:02001003:system library:fopen:No such
process:fopen('C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt','r')
error:2006D080:BIO routines:BIO_new_file:no such file)
2024/02/11 14:34:38 [emerg] 13928#1068: cannot load certificate
"C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt": BIO_new_file() failed
(SSL: error:02001003:system library:fopen:No such
process:fopen('C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt','r')
error:2006D080:BIO routines:BIO_new_file:no such file)
2024/02/11 14:35:10 [emerg] 3664#8660: cannot load certificate
"C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt": BIO_new_file() failed
(SSL: error:02001003:system library:fopen:No such
process:fopen('C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt','r')
error:2006D080:BIO routines:BIO_new_file:no such file)


_________
Modifying the nginx.config file above to include the following statements
produces no error.log errors but fails to load the page with a browser
error of:
     This site can’t be reached
     oppsprops.com refused to connect.

   server {  # configure oppsprops server
     listen              80;
     listen              443 ssl;
     server_name oppsprops.com www.oppsprops.com;
     ssl_certificate     ssl/certs/oppsprops_com.crt;
     ssl_certificate_key ssl/keys/oppsprops.com.private.key;

     location /{  # process oppsprops domain using Adobe Tomcat
         proxy_pass http://127.0.0.1:8080/vo/;
         } # end of location block
     } # end of OppsProps server block

_________________
Modifying the nginx.config file above to include the following statements
also produces no error.log errors but fails to load the page with a
browser error of:

     This site can’t be reached
     oppsprops.com refused to connect.

   server {  # configure oppsprops server
     listen              80;
     listen              443 ssl;
     server_name oppsprops.com www.oppsprops.com;
     ssl_certificate     /ssl/certs/oppsprops_com.crt;
     ssl_certificate_key /ssl/keys/oppsprops.com.private.key;

     location /{  # process oppsprops domain using Adobe Tomcat
         proxy_pass http://127.0.0.1:8080/vo/;
         } # end of location block
     } # end of OppsProps server block
______________________________
Modifying the nginx.config file above to include the following statements
also produces no error.log errors but fails to load the page with a
browser error of:
     This site can’t be reached
     oppsprops.com refused to connect.

   server {  # configure oppsprops server
     listen              80;
     listen              443 ssl;
     server_name oppsprops.com www.oppsprops.com;

     ssl_certificate c:/nginx/conf/ssl/certs/oppsprops_com.crt;
     ssl_certificate_key c:/nginx/conf/ssl/keys/oppsprops.com.private.key;

     location /{  # process oppsprops domain using Adobe Tomcat
         proxy_pass http://127.0.0.1:8080/vo/;
         } # end of location block
     } # end of OppsProps server block

From victor at camb.com  Mon Feb 12 00:45:22 2024
From: victor at camb.com (Victor Oppenheimer)
Date: Sun, 11 Feb 2024 19:45:22 -0500
Subject: SSL issue
Message-ID: <57a73235-f912-4fa8-9d65-21f8d9d79c2f@camb.com>

Thanks for your response. I'm an administrator on the computer and
nginx is running on my account. So, it does seem likely that the
problem is "permissions" as I have "full control" permission for the
folders.

--- Victor

On 2/11/2024 5:51 PM, Thomas Ward via nginx wrote:
> I misread. NGINX doesn't see the certs exist, meaning whatever user is
> running it doesn't have permissions. Make sure your user running NGINX
> has access down the whole folder chain.
>
> Sent from my Galaxy
>
> -------- Original message --------
> From: Victor Oppenheimer
> Date: 2/11/24 17:17 (GMT-05:00)
> To: Jeremy Cocks via nginx
> Subject: SSL issue
>
> Thank you so much for the help you have provided me with
> nginx on my Windows 2016 server thus far.
>
> I'm now attempting to add serving https files to my
> configuration. Although I want to eventually support
> a number of servers being browsed for both http and https
> pages, I am starting with my oppsprops.com website.
>
> I generated an SSL certificate and private key for the website.
>
> I stored them at the following paths:
>      C:\nginx\conf\ssl\certs\oppsprops_com.crt
>      and
>      C:\nginx\conf\ssl\keys\oppsprops.com.private.key
>
> I then tried to start nginx with various versions of my
> nginx.config file with differing results as described below.
>
> I suspect that this only needs a small tweak ... but would appreciate
> some guidance in addressing the issue.
>
> Thanks,
>      Victor
>
> The following full nginx.config file with commented SSL
> configuration statements serves http://oppsprops.com
> successfully.
>
> # directives in the 'main' context
>
> # serves all sites http not https
> # uses Adobe Tomcat to serve PDFs which must be in proper case
>
> worker_processes auto;
> events {    # events context/block
>       # configuration of connection processing
>              }
>
>   http {    # http context specific to HTTP affecting all virtual servers
>    server_names_hash_bucket_size 64;  # avoid multiple server_Name entry errors
>
>    server {  # configure oppsprops server
>      listen              80;
> #    listen              443 ssl;
>      server_name oppsprops.com www.oppsprops.com;
>
> #    ssl_certificate c:/nginx/conf/ssl/certs/oppsprops_com.crt;
> #    ssl_certificate_key c:/nginx/conf/ssl/keys/oppsprops.com.private.key;
>
>      location /{  # process oppsprops domain using Adobe Tomcat
>          proxy_pass http://127.0.0.1:8080/vo/;
>          } # end of location block
>      } # end of OppsProps server block
>
>     server {    # configuration of clearwaterescapes HTTP server
>      server_name clearwaterescapes.com www.clearwaterescapes.com;
>      listen 80;
>
>      # avoid errors when favicon.ico file is missing
>      location = /favicon.ico {
>          access_log off;
>          log_not_found off;
>          return 204;
>      }
>
>       location / {
>        # send http://clearwaterescapes.com to Adobe Tomcat
>        proxy_pass http://127.0.0.1:8080/vo/Clearwater/;
>        } # end of location block
>    } # end of clearwaterescapes server block
>
>    server {    # configure freshpondrentals server
>      server_name FreshPondRentals.com www.freshpondrentals.com;
>      listen 80;
>
>      # rewrite ^(.*)$ /$1 permanent;  # Make incoming URLs lowercase
>
>      # avoid errors when favicon.ico file is missing
>      location = /favicon.ico {
>          access_log off;
>          log_not_found off;
>          return 204;
>      }
>
>      location / {
>        # proxy freshpondrentals pages to Adobe Tomcat
>        proxy_pass http://127.0.0.1:8080/vo/camb/;
>        } # end of location block
>    } # end of freshpondrentals server block
>
>    server { # configure yogisource HTTP port 80 server
>      server_name yogisource.com www.yogisource.com;
>      listen 80;
>
>      location / {
>        proxy_pass http://yogisource.com:81/;
>        } # end of location block
>
>    } # end of yogisource server block
>
> } # end of http block
>
>
> ______________________________________
> Modifying the nginx.config file above to include the following statements
> produces the following error.log file errors and nginx fails to start
>
>    server {  # configure oppsprops server
>      listen              80;
>      listen              443 ssl;
>      server_name oppsprops.com www.oppsprops.com;
>      ssl_certificate     conf/ssl/certs/oppsprops_com.crt;
>      ssl_certificate_key conf/ssl/keys/oppsprops.com.private.key;
>
> 2024/02/11 14:34:08 [emerg] 14600#11064: cannot load certificate
> "C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt": BIO_new_file() failed
> (SSL: error:02001003:system library:fopen:No such
> process:fopen('C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt','r')
> error:2006D080:BIO routines:BIO_new_file:no such file)
> 2024/02/11 14:34:10 [emerg] 9048#12520: cannot load certificate
> "C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt": BIO_new_file() failed
> (SSL: error:02001003:system library:fopen:No such
> process:fopen('C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt','r')
> error:2006D080:BIO routines:BIO_new_file:no such file)
> 2024/02/11 14:34:14 [emerg] 6620#16260: cannot load certificate
> "C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt": BIO_new_file() failed
> (SSL: error:02001003:system library:fopen:No such
> process:fopen('C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt','r')
> error:2006D080:BIO routines:BIO_new_file:no such file)
> 2024/02/11 14:34:22 [emerg] 13008#12828: cannot load certificate
> "C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt": BIO_new_file() failed
> (SSL: error:02001003:system library:fopen:No such
> process:fopen('C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt','r')
> error:2006D080:BIO routines:BIO_new_file:no such file)
> 2024/02/11 14:34:38 [emerg] 13928#1068: cannot load certificate
> "C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt": BIO_new_file() failed
> (SSL: error:02001003:system library:fopen:No such
> process:fopen('C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt','r')
> error:2006D080:BIO routines:BIO_new_file:no such file)
> 2024/02/11 14:35:10 [emerg] 3664#8660: cannot load certificate
> "C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt": BIO_new_file() failed
> (SSL: error:02001003:system library:fopen:No such
> process:fopen('C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt','r')
> error:2006D080:BIO routines:BIO_new_file:no such file)
>
>
> _________
> Modifying the nginx.config file above to include the following statements
> produces no error.log errors but fails to load the page with a browser
> error of:
>      This site can’t be reached
>      oppsprops.com refused to connect.
>
>    server {  # configure oppsprops server
>      listen              80;
>      listen              443 ssl;
>      server_name oppsprops.com www.oppsprops.com;
>      ssl_certificate     ssl/certs/oppsprops_com.crt;
>      ssl_certificate_key ssl/keys/oppsprops.com.private.key;
>
>      location /{  # process oppsprops domain using Adobe Tomcat
>          proxy_pass http://127.0.0.1:8080/vo/;
>          } # end of location block
>      } # end of OppsProps server block
>
> _________________
> Modifying the nginx.config file above to include the following statements
> also produces no error.log errors but fails to load the page with a
> browser error of:
>
>      This site can’t be reached
>      oppsprops.com refused to connect.
>
>   server {  # configure oppsprops server
>      listen              80;
>      listen              443 ssl;
>      server_name oppsprops.com www.oppsprops.com;
>      ssl_certificate     /ssl/certs/oppsprops_com.crt;
>      ssl_certificate_key /ssl/keys/oppsprops.com.private.key;
>
>      location /{  # process oppsprops domain using Adobe Tomcat
>          proxy_pass http://127.0.0.1:8080/vo/;
>          } # end of location block
>      } # end of OppsProps server block
> ______________________________
> Modifying the nginx.config file above to include the following statements
> also produces no error.log errors but fails to load the page with a
> browser error of:
>      This site can’t be reached
>      oppsprops.com refused to connect.
>
>    server {  # configure oppsprops server
>      listen              80;
>      listen              443 ssl;
>      server_name oppsprops.com www.oppsprops.com;
>
>      ssl_certificate c:/nginx/conf/ssl/certs/oppsprops_com.crt;
>      ssl_certificate_key c:/nginx/conf/ssl/keys/oppsprops.com.private.key;
>
>      location /{  # process oppsprops domain using Adobe Tomcat
>          proxy_pass http://127.0.0.1:8080/vo/;
>          } # end of location block
>      } # end of OppsProps server block
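Added example, not code from the thread or from nginx: a small Python diagnostic that resolves ssl_certificate / ssl_certificate_key values the way the Windows build of nginx does, which is how conf/ssl/... became C:\nginx/conf/conf/ssl/... in the error.log lines quoted above. It assumes that nginx treats only a drive-letter path as absolute (a leading slash is still joined to the prefix), uses a constructed in-memory file set in place of the real disk, and takes the configuration prefix and the directive variants from the messages in this thread.

```python
"""Added diagnostic (not nginx code): resolve ssl_certificate paths the way
the Windows build of nginx does and report which files would not be found."""
import ntpath
import re
from typing import Callable, Dict, List, Tuple

# One directive per line; a line that starts with '#' is commented out and
# is skipped, as in the http-only config that started fine.
_DIRECTIVE = re.compile(
    r'^\s*(ssl_certificate(?:_key)?)\s+"?([^;"#]+?)"?\s*;', re.MULTILINE)


def is_drive_absolute(path: str) -> bool:
    """Assumption: on Windows nginx leaves only drive-letter paths (C:\\...,
    c:/...) untouched; anything else, even '/ssl/...', gets the prefix."""
    return len(path) > 2 and path[1] == ":" and path[0].isalpha()


def resolve_conf_path(conf_prefix: str, path: str) -> str:
    """Join a directive value to the configuration prefix as nginx does,
    without normalising, so a doubled 'conf/conf' stays visible."""
    return path if is_drive_absolute(path) else conf_prefix + path


def canonical(path: str) -> str:
    """Unify separators, collapse '//' and fold case for comparison
    (Windows file names are case-insensitive)."""
    return ntpath.normcase(ntpath.normpath(path))


def check_ssl_paths(config_text: str, conf_prefix: str,
                    exists: Callable[[str], bool]
                    ) -> List[Tuple[str, str, str, bool]]:
    """For every ssl_certificate / ssl_certificate_key directive return
    (directive, value as written, resolved path, file found?)."""
    report = []
    for m in _DIRECTIVE.finditer(config_text):
        directive, value = m.group(1), m.group(2).strip()
        resolved = resolve_conf_path(conf_prefix, value)
        report.append((directive, value, resolved, exists(resolved)))
    return report


# Constructed stand-in for the two files the thread says were created.
FAKE_FILES = {
    canonical(r"C:\nginx\conf\ssl\certs\oppsprops_com.crt"),
    canonical(r"C:\nginx\conf\ssl\keys\oppsprops.com.private.key"),
}


def fake_exists(path: str) -> bool:
    """Existence check against the constructed file set; on the real
    server pass os.path.exists to check_ssl_paths instead."""
    return canonical(path) in FAKE_FILES


# Prefix exactly as it appears in the quoted error.log lines.
CONF_PREFIX = "C:\\nginx/conf/"

# The server blocks tried in the thread, reduced to the two directives.
VARIANTS: Dict[str, str] = {
    "conf/ssl/... (nginx fails to start)": """
        ssl_certificate     conf/ssl/certs/oppsprops_com.crt;
        ssl_certificate_key conf/ssl/keys/oppsprops.com.private.key;""",
    "ssl/... (relative to the conf prefix)": """
        ssl_certificate     ssl/certs/oppsprops_com.crt;
        ssl_certificate_key ssl/keys/oppsprops.com.private.key;""",
    "/ssl/... (leading slash, still prefixed)": """
        ssl_certificate     /ssl/certs/oppsprops_com.crt;
        ssl_certificate_key /ssl/keys/oppsprops.com.private.key;""",
    "c:/nginx/conf/ssl/... (drive-letter path)": """
        ssl_certificate c:/nginx/conf/ssl/certs/oppsprops_com.crt;
        ssl_certificate_key c:/nginx/conf/ssl/keys/oppsprops.com.private.key;""",
    "commented out (as in the working http-only config)": """
#       ssl_certificate c:/nginx/conf/ssl/certs/oppsprops_com.crt;
#       ssl_certificate_key c:/nginx/conf/ssl/keys/oppsprops.com.private.key;""",
}


def missing_files(config_text: str) -> List[str]:
    """Resolved paths that do not exist; empty means nginx could open all."""
    return [resolved for _, _, resolved, found
            in check_ssl_paths(config_text, CONF_PREFIX, fake_exists)
            if not found]


if __name__ == "__main__":
    for label, text in VARIANTS.items():
        print(label)
        for directive, value, resolved, found in check_ssl_paths(
                text, CONF_PREFIX, fake_exists):
            print(f"  {directive:20} {value:52} -> {resolved} "
                  f"[{'ok' if found else 'MISSING'}]")
```

A path that resolves and exists but still cannot be loaded when nginx runs under a different account points at folder permissions rather than at the directive value.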
From teward at thomas-ward.net  Mon Feb 12 01:28:36 2024
From: teward at thomas-ward.net (Thomas Ward)
Date: Sun, 11 Feb 2024 20:28:36 -0500
Subject: SSL issue
In-Reply-To: <57a73235-f912-4fa8-9d65-21f8d9d79c2f@camb.com>
References: <57a73235-f912-4fa8-9d65-21f8d9d79c2f@camb.com>

Rereading from my computer, and sorry for the partial snippet/quote,
your entire path is being prepended with `C:\nginx/conf/` so your
setting that triggers this of `conf/ssl/...` is not proper. Your
configuration root is `C:\nginx\conf` already, so either change your
configuration lines to just have `ssl/...` instead of `conf/ssl/...` or
use Full Paths to the files directly (i.e.
`C:/nginx/conf/ssl/certs/oppsprops_com.crt`) instead of relative
pathing.

Thomas

On 2/11/24 19:45, Victor Oppenheimer wrote:
> 2024/02/11 14:34:08 [emerg] 14600#11064: cannot load certificate
> "C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt": BIO_new_file() failed
> (SSL: error:02001003:system library:fopen:No such
> process:fopen('C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt','r')
> error:2006D080:BIO routines:BIO_new_file:no such file)
> 2024/02/11 14:34:10 [emerg] 9048#12520: cannot load certificate
> "C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt": BIO_new_file() failed
> (SSL: error:02001003:system library:fopen:No such
> process:fopen('C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt','r')
> error:2006D080:BIO routines:BIO_new_file:no such file)
> 2024/02/11 14:34:14 [emerg] 6620#16260: cannot load certificate
> "C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt": BIO_new_file() failed
> (SSL: error:02001003:system library:fopen:No such
> process:fopen('C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt','r')
> error:2006D080:BIO routines:BIO_new_file:no such file)
> 2024/02/11 14:34:22 [emerg] 13008#12828: cannot load certificate
> "C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt": BIO_new_file() failed
> (SSL: error:02001003:system library:fopen:No such
> process:fopen('C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt','r')
> error:2006D080:BIO routines:BIO_new_file:no such file)
> 2024/02/11 14:34:38 [emerg] 13928#1068: cannot load certificate
> "C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt": BIO_new_file() failed
> (SSL: error:02001003:system library:fopen:No such
> process:fopen('C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt','r')
> error:2006D080:BIO routines:BIO_new_file:no such file)
> 2024/02/11 14:35:10 [emerg] 3664#8660: cannot load certificate
> "C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt": BIO_new_file() failed
> (SSL: error:02001003:system library:fopen:No such
> process:fopen('C:\nginx/conf/conf/ssl/certs/oppsprops_com.crt','r')
> error:2006D080:BIO routines:BIO_new_file:no such file)

From clima.gabrielphoto at gmail.com  Wed Feb 14 16:26:17 2024
From: clima.gabrielphoto at gmail.com (Clima Gabriel)
Date: Wed, 14 Feb 2024 18:26:17 +0200
Subject: ngx_http_v3_init_session function
In-Reply-To: <20240209115752.se7nxy42veki7wcm@N00W24XTQX>
References: <20240207092853.j3h4sn2f4rb2fy3q@N00W24XTQX>
 <20240209115752.se7nxy42veki7wcm@N00W24XTQX>

Thank you

On Fri, Feb 9, 2024 at 1:58 PM Roman Arutyunyan wrote:

> Hi Gabriel,
>
> On Wed, Feb 07, 2024 at 03:34:42PM +0200, Clima Gabriel wrote:
> > Hello Roman,
> > Thank you. Noted about the mailing list.
> >
> >
> > My function will be called from / inline in ngx_http_ssl_servername.
> > ngx_http_ssl_servername itself is registered as a SNI TLS extensions
> > callback like this:
> >
> > #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
> >
> >     if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
> >                                                ngx_http_ssl_servername)
> >         == 0)
> >     {
> >         ngx_log_error(NGX_LOG_WARN, cf->log, 0,
> >             "nginx was built with SNI support, however, now it is linked "
> >             "dynamically to an OpenSSL library which has no tlsext support, "
> >             "therefore SNI is not available");
> >     }
> >
> > #endif
> > ./src/http/modules/ngx_http_ssl_module.c
>
> As you see in ngx_http_ssl_servername() code, it already assumes that
> c->data references a ngx_http_connection_t object, so can you.
>
> > Regards,
> > Gabriel
> >
> > On Wed, Feb 7, 2024 at 11:29 AM Roman Arutyunyan wrote:
> >
> > > Hi,
> > >
> > > On Mon, Feb 05, 2024 at 11:24:39PM +0200, Clima Gabriel wrote:
> > > > Hello everyone,
> > > >
> > > > (the code is probably clearer and attached below)
> > >
> > > Please note that this mailing list is not for development questions.
> > > We have a separate list nginx-devel at nginx.org for this.
> > >
> > > > This function modifies what ngx_connection_t->data points to.
> > > > ngx_connection_t->data is initially *ngx_http_connection_t.
> > > > The *ngx_http_connection_t is assigned to
> > > > ngx_http_v3_session_t->http_connection
> > > > And the *ngx_http_v3_session_t assigned to ngx_connection_t->data.
> > > >
> > > > Result: before ngx_connection_t->data is *ngx_http_connection_t
> > > > after ngx_connection_t->data is *ngx_http_v3_session_t
> > > >
> > > > My question is: what is the proper way to find out what c->data is
> > > > at any given time? I need to know this because I'm writing a
> > > > function which uses the ngx_http_connection_t to obtain the hostname
> > > > of the request, and it may be invoked before or after the
> > > > ngx_http_v3_init_session.
> > >
> > > There's no way to tell what object is referenced by c->data without
> > > taking context into consideration. Similarly you can't do that for
> > > HTTP/1 as well.
> > >
> > > You need to know what's the current connection stage to tell this.
> > > ngx_http_v3_init_session() is called right before initializing QUIC
> > > streams for the session.
> > >
> > > When exactly do you call your function?
> > >
> > > [..]
> > >
> > > --
> > > Roman Arutyunyan
>
> --
> Roman Arutyunyan

From pluknet at nginx.com  Wed Feb 14 16:59:17 2024
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Wed, 14 Feb 2024 20:59:17 +0400
Subject: nginx-1.25.4

Changes with nginx 1.25.4                                        14 Feb 2024

    *) Security: when using HTTP/3 a segmentation fault might occur in a
       worker process while processing a specially crafted QUIC session
       (CVE-2024-24989, CVE-2024-24990).

    *) Bugfix: connections with pending AIO operations might be closed
       prematurely during graceful shutdown of old worker processes.

    *) Bugfix: socket leak alerts no longer logged when fast shutdown was
       requested after graceful shutdown of old worker processes.

    *) Bugfix: a socket descriptor error, a socket leak, or a segmentation
       fault in a worker process (for SSL proxying) might occur if AIO was
       used in a subrequest.
    *) Bugfix: a segmentation fault might occur in a worker process if SSL
       proxying was used along with the "image_filter" directive and errors
       with code 415 were redirected with the "error_page" directive.

    *) Bugfixes and improvements in HTTP/3.

--
Sergey Kandaurov

From pluknet at nginx.com  Wed Feb 14 17:00:03 2024
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Wed, 14 Feb 2024 21:00:03 +0400
Subject: nginx security advisory (CVE-2024-24989, CVE-2024-24990)
Message-ID: <58BC23FE-7B3B-417C-9C9A-70E97928E83B@nginx.com>

Two security issues were identified in nginx HTTP/3 implementation,
which might allow an attacker that uses a specially crafted QUIC session
to cause a worker process crash (CVE-2024-24989, CVE-2024-24990) or
might have potential other impact (CVE-2024-24990).

The issues affect nginx compiled with the ngx_http_v3_module (not
compiled by default) if the "quic" option of the "listen" directive
is used in a configuration file.

The issue affects nginx 1.25.0 - 1.25.3.
The issue is fixed in nginx 1.25.4.

--
Sergey Kandaurov

From mdounin at mdounin.ru  Wed Feb 14 17:59:10 2024
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 14 Feb 2024 20:59:10 +0300
Subject: announcing freenginx.org

Hello!

As you probably know, F5 closed Moscow office in 2022, and I no
longer work for F5 since then. Still, we’ve reached an agreement
that I will maintain my role in nginx development as a volunteer.
And for almost two years I was working on improving nginx and
making it better for everyone, for free.

Unfortunately, some new non-technical management at F5 recently
decided that they know better how to run open source projects. In
particular, they decided to interfere with security policy nginx
uses for years, ignoring both the policy and developers’ position.

That’s quite understandable: they own the project, and can do
anything with it, including doing marketing-motivated actions,
ignoring developers’ position and community. Still, this
contradicts our agreement. And, more importantly, I am no longer able
to control which changes are made in nginx within F5, and no longer
see nginx as a free and open source project developed and
maintained for the public good.

As such, starting from today, I will no longer participate in nginx
development as run by F5. Instead, I’m starting an alternative
project, which is going to be run by developers, and not corporate
entities:

http://freenginx.org/

The goal is to keep nginx development free from arbitrary corporate
actions. Help and contributions are welcome. Hope it will be
beneficial for everyone.

--
Maxim Dounin
http://freenginx.org/

From jfs.world at gmail.com  Wed Feb 14 19:24:59 2024
From: jfs.world at gmail.com (Jeffrey 'jf' Lim)
Date: Thu, 15 Feb 2024 03:24:59 +0800
Subject: announcing freenginx.org

On Thu, Feb 15, 2024 at 1:59 AM Maxim Dounin wrote:

> Hello!
>
> As you probably know, F5 closed Moscow office in 2022, and I no
> longer work for F5 since then. Still, we’ve reached an agreement
> that I will maintain my role in nginx development as a volunteer.
> And for almost two years I was working on improving nginx and
> making it better for everyone, for free.
>

wow, I did not know that. Thank you for your work and contribution over
these 2 years!

> Unfortunately, some new non-technical management at F5 recently
> decided that they know better how to run open source projects. In
> particular, they decided to interfere with security policy nginx
> uses for years, ignoring both the policy and developers’ position.
>
> That’s quite understandable: they own the project, and can do
> anything with it, including doing marketing-motivated actions,
> ignoring developers’ position and community.

would you be able to (within reason) give any examples of these?

> Still, this
> contradicts our agreement. And, more importantly, I am no longer able
> to control which changes are made in nginx within F5, and no longer
> see nginx as a free and open source project developed and
> maintained for the public good.
>
> As such, starting from today, I will no longer participate in nginx
> development as run by F5. Instead, I’m starting an alternative
> project, which is going to be run by developers, and not corporate
> entities:
>
> http://freenginx.org/
>
> The goal is to keep nginx development free from arbitrary corporate
> actions. Help and contributions are welcome. Hope it will be
> beneficial for everyone.
>

thank you for continuing on with your efforts, and for this new effort!

-jf

--
He who settles on the idea of the intelligent man as a static entity only
shows himself to be a fool.

From mdounin at mdounin.ru  Wed Feb 14 19:53:08 2024
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 14 Feb 2024 22:53:08 +0300
Subject: announcing freenginx.org

Hello!

On Thu, Feb 15, 2024 at 03:24:59AM +0800, Jeffrey 'jf' Lim wrote:

> On Thu, Feb 15, 2024 at 1:59 AM Maxim Dounin wrote:
>
> > Hello!
> >
> > As you probably know, F5 closed Moscow office in 2022, and I no
> > longer work for F5 since then. Still, we’ve reached an agreement
> > that I will maintain my role in nginx development as a volunteer.
> > And for almost two years I was working on improving nginx and
> > making it better for everyone, for free.
>
> wow, I did not know that. Thank you for your work and contribution over
> these 2 years!
>
> > Unfortunately, some new non-technical management at F5 recently
> > decided that they know better how to run open source projects. In
> > particular, they decided to interfere with security policy nginx
> > uses for years, ignoring both the policy and developers’ position.
> >
> > That’s quite understandable: they own the project, and can do
> > anything with it, including doing marketing-motivated actions,
> > ignoring developers’ position and community.
>
> would you be able to (within reason) give any examples of these?

The most recent "security advisory" was released despite the fact
that the particular bug in the experimental HTTP/3 code is
expected to be fixed as a normal bug as per the existing security
policy, and all the developers, including me, agree on this.

And, while the particular action isn't exactly very bad, the
approach in general is quite problematic.

> > Still, this
> > contradicts our agreement. And, more importantly, I am no longer able
> > to control which changes are made in nginx within F5, and no longer
> > see nginx as a free and open source project developed and
> > maintained for the public good.
> >
> > As such, starting from today, I will no longer participate in nginx
> > development as run by F5. Instead, I’m starting an alternative
> > project, which is going to be run by developers, and not corporate
> > entities:
> >
> > http://freenginx.org/
> >
> > The goal is to keep nginx development free from arbitrary corporate
> > actions. Help and contributions are welcome. Hope it will be
> > beneficial for everyone.
>
> thank you for continuing on with your efforts, and for this new effort!

Thanks, appreciated.

--
Maxim Dounin
http://mdounin.ru/

From mdounin at mdounin.ru  Wed Feb 14 20:00:14 2024
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 14 Feb 2024 23:00:14 +0300
Subject: announcing freenginx.org
In-Reply-To: <256a9e2eae31943300e2d5be11b00b4d@hayachi.com>
References: <256a9e2eae31943300e2d5be11b00b4d@hayachi.com>

Hello!

On Wed, Feb 14, 2024 at 07:32:48PM +0000, agill--- via nginx wrote:

> Is there a way for us to also financially support the project or
> is it going under the umbrella of a funder?

Thanks for the suggestion.

For now, I have enough resources to support the project and myself.

--
Maxim Dounin
http://mdounin.ru/

From noloader at gmail.com  Wed Feb 14 20:56:01 2024
From: noloader at gmail.com (Jeffrey Walton)
Date: Wed, 14 Feb 2024 15:56:01 -0500
Subject: announcing freenginx.org

On Wed, Feb 14, 2024 at 12:59 PM Maxim Dounin wrote:
>
> As you probably know, F5 closed Moscow office in 2022, and I no
> longer work for F5 since then. Still, we’ve reached an agreement
> that I will maintain my role in nginx development as a volunteer.
> And for almost two years I was working on improving nginx and
> making it better for everyone, for free.
>
> Unfortunately, some new non-technical management at F5 recently
> decided that they know better how to run open source projects. In
> particular, they decided to interfere with security policy nginx
> uses for years, ignoring both the policy and developers’ position.
>
> That’s quite understandable: they own the project, and can do
> anything with it, including doing marketing-motivated actions,
> ignoring developers’ position and community. Still, this
> contradicts our agreement. And, more importantly, I am no longer able
> to control which changes are made in nginx within F5, and no longer
> see nginx as a free and open source project developed and
> maintained for the public good.
>
> As such, starting from today, I will no longer participate in nginx
> development as run by F5. Instead, I’m starting an alternative
> project, which is going to be run by developers, and not corporate
> entities:
>
> http://freenginx.org/
>
> The goal is to keep nginx development free from arbitrary corporate
> actions. Help and contributions are welcome. Hope it will be
> beneficial for everyone.

Thanks for all the hard work, Maxim.

There's a Request for Packaging for freenginx over at Debian at .
Hopefully someone will pick it up quickly.

Jeff

From community at thoughtmaybe.com  Wed Feb 14 21:12:26 2024
From: community at thoughtmaybe.com (Jore)
Date: Thu, 15 Feb 2024 08:12:26 +1100
Subject: announcing freenginx.org
Message-ID: <76ff629a-0670-42d8-8cfb-8c61c4e2ec71@thoughtmaybe.com>

Thank you all for all your great work!!!

From manuel.baesler at gmail.com  Thu Feb 15 01:33:51 2024
From: manuel.baesler at gmail.com (Manuel)
Date: Thu, 15 Feb 2024 02:33:51 +0100
Subject: announcing freenginx.org
Message-ID: <3D71D289-EA4E-44FC-BE10-35C4DBC50F71@gmail.com>

Good Evening Maxim,

thank you for the work.

I am speechless. My personal opinion:
@F5 get an advisor for open source
and maybe read something about enshittification m(

TT

Will follow freenginx then.
Thx.

> Am 14.02.2024 um 18:59 schrieb Maxim Dounin :
>
> Hello!
>
> As you probably know, F5 closed Moscow office in 2022, and I no
> longer work for F5 since then. Still, we’ve reached an agreement
> that I will maintain my role in nginx development as a volunteer.
> And for almost two years I was working on improving nginx and
> making it better for everyone, for free.
>
> Unfortunately, some new non-technical management at F5 recently
> decided that they know better how to run open source projects. In
> particular, they decided to interfere with security policy nginx
> uses for years, ignoring both the policy and developers’ position.
>
> That’s quite understandable: they own the project, and can do
> anything with it, including doing marketing-motivated actions,
> ignoring developers’ position and community. Still, this
> contradicts our agreement. And, more importantly, I am no longer able
> to control which changes are made in nginx within F5, and no longer
> see nginx as a free and open source project developed and
> maintained for the public good.
>
> As such, starting from today, I will no longer participate in nginx
> development as run by F5. Instead, I’m starting an alternative
> project, which is going to be run by developers, and not corporate
> entities:
>
> http://freenginx.org/
>
> The goal is to keep nginx development free from arbitrary corporate
> actions. Help and contributions are welcome. Hope it will be
> beneficial for everyone.
>
>
> --
> Maxim Dounin
> http://freenginx.org/

From mdounin at mdounin.ru  Thu Feb 15 10:24:13 2024
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Thu, 15 Feb 2024 13:24:13 +0300
Subject: announcing freenginx.org
In-Reply-To: <3D71D289-EA4E-44FC-BE10-35C4DBC50F71@gmail.com>
References: <3D71D289-EA4E-44FC-BE10-35C4DBC50F71@gmail.com>

Hello!

On Thu, Feb 15, 2024 at 02:33:51AM +0100, Manuel wrote:

> Good Evening Maxim,
>
> thank you for the work.
>
> I am speechless. My personal opinion:
> @F5 get an advisor for open source
> and maybe read something about enshittification m(
>
> TT
>
> Will follow freenginx then.
> Thx.

Thanks.

Interesting term, never heard it before.

--
Maxim Dounin
http://mdounin.ru/

From arut at nginx.com  Thu Feb 15 12:31:49 2024
From: arut at nginx.com (Roman Arutyunyan)
Date: Thu, 15 Feb 2024 16:31:49 +0400
Subject: announcing freenginx.org
Message-ID: <20240215123149.2ztuyl6vuzvputt7@N00W24XTQX>

Hello,

On Wed, Feb 14, 2024 at 08:59:10PM +0300, Maxim Dounin wrote:
> Hello!
>
> As you probably know, F5 closed Moscow office in 2022, and I no
> longer work for F5 since then. Still, we’ve reached an agreement
> that I will maintain my role in nginx development as a volunteer.
> And for almost two years I was working on improving nginx and
> making it better for everyone, for free.
>
> Unfortunately, some new non-technical management at F5 recently
> decided that they know better how to run open source projects. In
> particular, they decided to interfere with security policy nginx
> uses for years, ignoring both the policy and developers’ position.
>
> That’s quite understandable: they own the project, and can do
> anything with it, including doing marketing-motivated actions,
> ignoring developers’ position and community. Still, this
> contradicts our agreement. And, more importantly, I am no longer able
> to control which changes are made in nginx within F5, and no longer
> see nginx as a free and open source project developed and
> maintained for the public good.
>
> As such, starting from today, I will no longer participate in nginx
> development as run by F5. Instead, I’m starting an alternative
> project, which is going to be run by developers, and not corporate
> entities:
>
> http://freenginx.org/
>
> The goal is to keep nginx development free from arbitrary corporate
> actions. Help and contributions are welcome. Hope it will be
> beneficial for everyone.

All the best to you, Maxim.

On behalf of everyone that has been involved in the nginx project, I
would like to take this opportunity to recognize your incredible
contribution, not only to nginx, but to open source software and the
Internet itself. We wish you the best of luck and would be pleased to
work with you again in future.

--
Roman Arutyunyan

From mdounin at mdounin.ru  Thu Feb 15 13:41:45 2024
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Thu, 15 Feb 2024 16:41:45 +0300
Subject: announcing freenginx.org
In-Reply-To: <20240215123149.2ztuyl6vuzvputt7@N00W24XTQX>
References: <20240215123149.2ztuyl6vuzvputt7@N00W24XTQX>

Hello!

On Thu, Feb 15, 2024 at 04:31:49PM +0400, Roman Arutyunyan wrote:

> Hello,
>
> On Wed, Feb 14, 2024 at 08:59:10PM +0300, Maxim Dounin wrote:
> > Hello!
> >
> > As you probably know, F5 closed Moscow office in 2022, and I no
> > longer work for F5 since then. Still, we’ve reached an agreement
> > that I will maintain my role in nginx development as a volunteer.
> > And for almost two years I was working on improving nginx and > > making it better for everyone, for free. > > > > Unfortunately, some new non-technical management at F5 recently > > decided that they know better how to run open source projects. In > > particular, they decided to interfere with security policy nginx > > uses for years, ignoring both the policy and developers’ position. > > > > That’s quite understandable: they own the project, and can do > > anything with it, including doing marketing-motivated actions, > > ignoring developers position and community. Still, this > > contradicts our agreement. And, more importantly, I no longer able > > to control which changes are made in nginx within F5, and no longer > > see nginx as a free and open source project developed and > > maintained for the public good. > > > > As such, starting from today, I will no longer participate in nginx > > development as run by F5. Instead, I’m starting an alternative > > project, which is going to be run by developers, and not corporate > > entities: > > > > http://freenginx.org/ > > > > The goal is to keep nginx development free from arbitrary corporate > > actions. Help and contributions are welcome. Hope it will be > > beneficial for everyone. > > All the best to you, Maxim. On behalf of everyone that has been involved > in the nginx project, I would like to take this opportunity to recognize > your incredible contribution, not only to nginx, but to open source > software and the Internet itself. > > We wish you the best of luck and would be pleased to work with you again > in future. Thank you for your words, appreciated. You are welcome to contribute to freenginx. 
-- Maxim Dounin http://mdounin.ru/ From Sam at SimpleSamples.info Thu Feb 15 15:53:55 2024 From: Sam at SimpleSamples.info (Sam Hobbs) Date: Thu, 15 Feb 2024 07:53:55 -0800 Subject: announcing freenginx.org In-Reply-To: <3D71D289-EA4E-44FC-BE10-35C4DBC50F71@gmail.com> References: <3D71D289-EA4E-44FC-BE10-35C4DBC50F71@gmail.com> Message-ID: Enshittification is not a generally accepted term. It was created. There are probably simpler ways to say what is meant, such as degrade and shift. Manuel wrote on 2/14/2024 5:33 PM: > @F5 get an advisor for open source > and maybe read something about enshittification m( > From patrick at collinatorstudios.com Thu Feb 15 20:48:01 2024 From: patrick at collinatorstudios.com (Patrick J. Collins) Date: Thu, 15 Feb 2024 13:48:01 -0700 (MST) Subject: Trying to use nginx + passenger for a rails 6 + angular 14 app... Message-ID: I have a rails app that is purely an api server, with an angular frontend living under a subfolder in the public directory.. So the server's file structure is like this: ``` home/ my-app/ app/ controllers/ ..etc config/ ..etc public favicon.ico 404.html angular-app/ index.html 12345.js 45678.js some-picture.jpg ``` I had a wildcard route in my rails app that was manually loading the angular files and serving them, and I am trying to let nginx server them as static files and no longer do this. The desired behavior that I am looking for is: * visiting '/api/*' will render the response from the rails server * visiting '/' will render the index file inside `public/angular-app/index.html` * visiting '/404.html' will render `public/404.html` * visiting '/some-picture.jpg' will render `public/angular-app/some-picture.jpg` it seems that passenger is breaking the behavior that I want... If I have just a vanilla nginx config that has: ``` server { ... root '/home/my-app/public' location = / { index angular-app/index.html; } location { try_files $uri angular-app/$uri; } ... 
} ``` Then the behavior for visiting `/`, `/404.html`, and `/some-picture.jpg` is all perfect... But to get the rails server stuff to work, I need passenger... and as I add to the config: ``` passenger_app_root /home/my-app/; passenger_enabled on; ``` Then trying to go to anything other than an api route (routes defined in the rails app's config) will result in a 500... I tried experimenting with restructuring my nginx config to something like: ``` server { ... root '/home/my-app/public' location /api/ { passenger_app_root /home/my-app/; passenger_enabled on; } location ^/api/ { index angular-app/index.html; passenger_enabled off; } ... } ``` And I still end up with 500s going anywhere other than api endpoints... Does anyone one know what I can do to make this work? Patrick J. Collins https://collinatorstudios.com From patrick at collinatorstudios.com Fri Feb 16 16:48:03 2024 From: patrick at collinatorstudios.com (Patrick J. Collins) Date: Fri, 16 Feb 2024 09:48:03 -0700 (MST) Subject: Trying to use nginx + passenger for a rails 6 + angular 14 app... In-Reply-To: References: Message-ID: <021f6a04-9c96-39ac-4c60-3bea5359612c@collinatorstudios.com> Nevermind, I got it all figured out. Patrick J. Collins https://collinatorstudios.com On Thu, 15 Feb 2024, Patrick J. Collins wrote: > I have a rails app that is purely an api server, with an angular frontend living under a subfolder in the public directory.. So the server's file structure is like this: > > ``` > home/ > my-app/ > app/ > controllers/ > ..etc > config/ > ..etc > public > favicon.ico > 404.html > angular-app/ > index.html > 12345.js > 45678.js > some-picture.jpg > ``` > > I had a wildcard route in my rails app that was manually loading the angular files and serving them, and I am trying to let nginx server them as static files and no longer do this. 
The desired behavior that I am looking for is: > > * visiting '/api/*' will render the response from the rails server > * visiting '/' will render the index file inside `public/angular-app/index.html` > * visiting '/404.html' will render `public/404.html` > * visiting '/some-picture.jpg' will render `public/angular-app/some-picture.jpg` > > it seems that passenger is breaking the behavior that I want... If I have just a vanilla nginx config that has: > > ``` > server { > ... > root '/home/my-app/public' > > location = / { > index angular-app/index.html; > } > > location { > try_files $uri angular-app/$uri; > } > ... > } > ``` > > Then the behavior for visiting `/`, `/404.html`, and `/some-picture.jpg` is all perfect... But to get the rails server stuff to work, I need passenger... and as I add to the config: > ``` > passenger_app_root /home/my-app/; > passenger_enabled on; > ``` > > Then trying to go to anything other than an api route (routes defined in the rails app's config) will result in a 500... > > I tried experimenting with restructuring my nginx config to something like: > ``` > server { > ... > root '/home/my-app/public' > > location /api/ { > passenger_app_root /home/my-app/; > passenger_enabled on; > } > > location ^/api/ { > index angular-app/index.html; > passenger_enabled off; > } > ... > } > ``` > And I still end up with 500s going anywhere other than api endpoints... Does > anyone one know what I can do to make this work? > > Patrick J. 
Collins > https://collinatorstudios.com > _______________________________________________ > nginx mailing list > nginx at nginx.org > https://mailman.nginx.org/mailman/listinfo/nginx > From duluxoz at gmail.com Sun Feb 18 04:47:42 2024 From: duluxoz at gmail.com (duluxoz) Date: Sun, 18 Feb 2024 15:47:42 +1100 Subject: Mirroring The NginX Repo Locally Message-ID: Hi All, I haven't been able to locate any (relevant) info on this, so I thought I'd tap into the collective wisdom of the NginX Community: What's the best way to arrange for a local mirror of the NginX Repository: rsync, wget/curl, some other way? We currently run local mirrors of Rocky Linux, EPEL, ElRepo, RPMFusion-Free, Remi, and a whole lot more, and so we'd like to do the same with the NginX repos. Unfortunately my Google-Foo can only find info on running a local repo *using* NginX, not how to actually mirror the NginX repo itself. Any help greatly appreciated. Cheers Dulux-Oz From community at thoughtmaybe.com Sun Feb 18 06:26:26 2024 From: community at thoughtmaybe.com (Jore) Date: Sun, 18 Feb 2024 17:26:26 +1100 Subject: Mirroring The NginX Repo Locally In-Reply-To: References: Message-ID: <31384811-5e28-45be-b14d-50a89bbd3aca@thoughtmaybe.com> On 18/2/24 3:47 pm, duluxoz wrote: > What's the best way to arrange for a local mirror of the NginX > Repository: rsync, wget/curl, some other way? How about: hg clone https://hg.nginx.org/nginx/ Or: git clone https://github.com/nginx/nginx.git ? From ckinseng at gmail.com Mon Feb 19 08:24:04 2024 From: ckinseng at gmail.com (Kin Seng) Date: Mon, 19 Feb 2024 16:24:04 +0800 Subject: NGINX Reverse Proxy terminate TCP connection after 5 minutes of inactivity Message-ID: My current nginx setup always kill the TCP connection after 5 minutes of inactivity, i.e no transaction. 
[From wireshark, nginx sends RST to upstream server and then sends FIN,ACK to downstream client]

I have this setup which requires a TLS1.2 connection connecting from my internal network [client application] to a public network [server]. It only uses TCP ports (not http/https) and establishes with a server located at a public network. The client application does not support TLS1.2 connections, hence the introduction of nginx proxy/reverse proxy for TLS wrapping purposes. You may refer below:

Internal Network                                        | INTERNET/Public
[Client Application] <-----> [NGINX Reverse Proxy] <--- | ---> [Public Server]

- using stream module
- no error shown in nginx error log
- access log showing TCP 200 Status but the session only lasts 300s every time. [Recorded in the access_log]

Below is my nginx configuration

# more nginx.conf

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 2048;
}

stream {
    resolver 127.0.0.1;
    include /etc/nginx/conf.d/*.conf;

    log_format basic '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time $upstream_addr '
                     '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

    access_log /var/log/nginx/stream.access.log basic;

    error_log log_file;
    error_log /var/log/nginx/error_log;

    server {
        listen 35012;
        proxy_pass X.X.X.X:35012;
        proxy_timeout 86400s;
        proxy_connect_timeout 1200s;
        proxy_socket_keepalive on;
        ssl_session_cache shared:SSL:5m;
        ssl_session_timeout 30m;

        # For securing TCP Traffic with upstream servers.
        proxy_ssl on;
        proxy_ssl_certificate /etc/ssl/certs/backend.crt;
        proxy_ssl_certificate_key /etc/ssl/certs/backend.key;
        proxy_ssl_protocols TLSv1.2;
        proxy_ssl_ciphers HIGH:!aNULL:!MD5;

        # proxy_ssl_trusted_certificate /etc/ssl/certs/trusted_ca_cert.crt;
        # proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;

        # To have NGINX proxy previously negotiated connection parameters and use a so-called abbreviated handshake - Fast
        proxy_ssl_session_reuse on;
    }
}

After capturing the tcp packets and checking via wireshark, I found out that the nginx is sending out the RST to the public server and then sends FIN/ACK (refer attached pcap picture) to the client application.

I have tried to enable keepalive related parameters as per the nginx config above and also checked on the OS's TCP tunables and I could not find any related settings which make NGINX kill the TCP connection.

Anyone encountering the same issues?

From ckinseng at gmail.com Mon Feb 19 08:24:48 2024
From: ckinseng at gmail.com (Kin Seng)
Date: Mon, 19 Feb 2024 16:24:48 +0800
Subject: NGINX Reverse Proxy terminate TCP connection after 5 minutes of inactivity
In-Reply-To:
References:
Message-ID:

Please refer to the attachments for reference.

On Mon, Feb 19, 2024 at 4:24 PM Kin Seng wrote:
> My current nginx setup always kill the TCP connection after 5 minutes of
> inactivity, i.e no transaction.
> [From wireshark, nginx send RST to upstream server and then send FIN,ACK
> to downstream client]
>
> I have this setup which requires TLS1.2 connection connecting from my
> internal network [client application] to public network [server]. It only
> use TCP ports (not http/https) and establish with a server located at
> public network. The client application does not support TLS1.2 connection
> hence the introduction of nginx proxy/reverse proxy for TLS wrapping
> purpose.
You may refer below : > > Internal Network > | INTERNET/Public > [Client Application] <-----> [NGINX Reverse Proxy] <--- | ---> [Public > Server] > > > > - using stream module > - no error shown in nginx error log > - access log showing TCP 200 Status but the session only last 300s > everytime. [Recorded in the access_log] > > Below is my nginx configuration > > # more nginx.conf > > user nginx; > worker_processes auto; > error_log /var/log/nginx/error.log; > pid /run/nginx.pid; > > # Load dynamic modules. See /usr/share/doc/nginx/README.dynamic. > include /usr/share/nginx/modules/*.conf; > > events { > worker_connections 2048; > } > > stream { > resolver 127.0.0.1; > include /etc/nginx/conf.d/*.conf; > > log_format basic '$remote_addr [$time_local] ' > '$protocol $status $bytes_sent $bytes_received ' > '$session_time $upstream_addr' > '"$upstream_bytes_sent" "$upstream_bytes_received" > "$upstream_connect_time"'; > > access_log /var/log/nginx/stream.access.log basic; > > error_log log_file; > error_log /var/log/nginx/error_log; > > server { > listen 35012; > proxy_pass X.X.X.X:35012; > proxy_timeout 86400s; > proxy_connect_timeout 1200s; > proxy_socket_keepalive on; > ssl_session_cache shared:SSL:5m; > ssl_session_timeout 30m; > > # For securing TCP Traffic with upstream servers. > proxy_ssl on; > proxy_ssl_certificate /etc/ssl/certs/backend.crt; > proxy_ssl_certificate_key /etc/ssl/certs/backend.key; > proxy_ssl_protocols TLSv1.2; > proxy_ssl_ciphers HIGH:!aNULL:!MD5; > > # proxy_ssl_trusted_certificate /etc/ssl/certs/trusted_ca_cert.crt; > # proxy_ssl_verify on; > proxy_ssl_verify_depth 2; > > #To have NGINX proxy previously negotiated connection parameters and use a > so-called abbreviated handshake - Fast > proxy_ssl_session_reuse on; > > } > } > > > After capturing the tcp packet and check via wireshark, I found out that > the nginx is sending out the RST to the public server and then send FIN/ACK > (refer attached pcap picture) to client application. 
> > I have tried to enable keepalive related parameters as per the nginx > config above and also check on the OS's TCP tunable and i could not find > any related settings which make NGINX to kill the TCP connection. > > Anyone encountering the same issues? > -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: accesslog1.jpg Type: image/jpeg Size: 30817 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: wiresharkpcap1.png Type: image/png Size: 40488 bytes Desc: not available URL: From arut at nginx.com Mon Feb 19 17:01:59 2024 From: arut at nginx.com (Roman Arutyunyan) Date: Mon, 19 Feb 2024 21:01:59 +0400 Subject: NGINX Reverse Proxy terminate TCP connection after 5 minutes of inactivity In-Reply-To: References: Message-ID: <20240219170159.c3hazbeargagzzea@N00W24XTQX> Hi, On Mon, Feb 19, 2024 at 04:24:04PM +0800, Kin Seng wrote: > My current nginx setup always kill the TCP connection after 5 minutes of > inactivity, i.e no transaction. > [From wireshark, nginx send RST to upstream server and then send FIN,ACK to > downstream client] This could be the normal behavior if you had 'proxy_timeout 5m;' in your config. But since apparently you have 86400s as proxy timeout value, something else is going on. Could you provide more details like debug log for example? > I have this setup which requires TLS1.2 connection connecting from my > internal network [client application] to public network [server]. It only > use TCP ports (not http/https) and establish with a server located at > public network. The client application does not support TLS1.2 connection > hence the introduction of nginx proxy/reverse proxy for TLS wrapping > purpose. 
You may refer below : > > Internal Network > | INTERNET/Public > [Client Application] <-----> [NGINX Reverse Proxy] <--- | ---> [Public > Server] > > > > - using stream module > - no error shown in nginx error log > - access log showing TCP 200 Status but the session only last 300s > everytime. [Recorded in the access_log] > > Below is my nginx configuration > > # more nginx.conf > > user nginx; > worker_processes auto; > error_log /var/log/nginx/error.log; > pid /run/nginx.pid; > > # Load dynamic modules. See /usr/share/doc/nginx/README.dynamic. > include /usr/share/nginx/modules/*.conf; > > events { > worker_connections 2048; > } > > stream { > resolver 127.0.0.1; > include /etc/nginx/conf.d/*.conf; > > log_format basic '$remote_addr [$time_local] ' > '$protocol $status $bytes_sent $bytes_received ' > '$session_time $upstream_addr' > '"$upstream_bytes_sent" "$upstream_bytes_received" > "$upstream_connect_time"'; > > access_log /var/log/nginx/stream.access.log basic; > > error_log log_file; > error_log /var/log/nginx/error_log; > > server { > listen 35012; > proxy_pass X.X.X.X:35012; > proxy_timeout 86400s; > proxy_connect_timeout 1200s; > proxy_socket_keepalive on; > ssl_session_cache shared:SSL:5m; > ssl_session_timeout 30m; > > # For securing TCP Traffic with upstream servers. > proxy_ssl on; > proxy_ssl_certificate /etc/ssl/certs/backend.crt; > proxy_ssl_certificate_key /etc/ssl/certs/backend.key; > proxy_ssl_protocols TLSv1.2; > proxy_ssl_ciphers HIGH:!aNULL:!MD5; > > # proxy_ssl_trusted_certificate /etc/ssl/certs/trusted_ca_cert.crt; > # proxy_ssl_verify on; > proxy_ssl_verify_depth 2; > > #To have NGINX proxy previously negotiated connection parameters and use a > so-called abbreviated handshake - Fast > proxy_ssl_session_reuse on; > > } > } > > > After capturing the tcp packet and check via wireshark, I found out that > the nginx is sending out the RST to the public server and then send FIN/ACK > (refer attached pcap picture) to client application. 
> > I have tried to enable keepalive related parameters as per the nginx config > above and also check on the OS's TCP tunable and i could not find any > related settings which make NGINX to kill the TCP connection. > > Anyone encountering the same issues? > _______________________________________________ > nginx mailing list > nginx at nginx.org > https://mailman.nginx.org/mailman/listinfo/nginx -- Roman Arutyunyan From jordanc.carter at outlook.com Tue Feb 20 01:32:48 2024 From: jordanc.carter at outlook.com (J Carter) Date: Tue, 20 Feb 2024 01:32:48 +0000 Subject: NGINX Reverse Proxy terminate TCP connection after 5 minutes of inactivity In-Reply-To: References: Message-ID: Hello, On Mon, 19 Feb 2024 16:24:48 +0800 Kin Seng wrote: [...] > Please refer to the attachments for reference. > > On Mon, Feb 19, 2024 at 4:24 PM Kin Seng wrote: > > After capturing the tcp packet and check via wireshark, I found out that > > the nginx is sending out the RST to the public server and then send FIN/ACK > > (refer attached pcap picture) to client application. > > > > I have tried to enable keepalive related parameters as per the nginx > > config above and also check on the OS's TCP tunable and i could not find > > any related settings which make NGINX to kill the TCP connection. > > > > Anyone encountering the same issues? > > The screenshot shows only 1 segment with FIN flag set too which is odd - there should be one from each party in close sequence. Also the client only returns an ACK, rather than FIN+ACK, which it should if nginx was the initiator of closing the connection... From ckinseng at gmail.com Tue Feb 20 01:38:06 2024 From: ckinseng at gmail.com (Kin Seng) Date: Tue, 20 Feb 2024 09:38:06 +0800 Subject: NGINX Reverse Proxy terminate TCP connection after 5 minutes of inactivity In-Reply-To: <20240219170159.c3hazbeargagzzea@N00W24XTQX> References: <20240219170159.c3hazbeargagzzea@N00W24XTQX> Message-ID: Hi Roman, Thanks for the suggestion. 
Let me get the debugging log up and retest again. On Tue, Feb 20, 2024, 1:02 AM Roman Arutyunyan wrote: > Hi, > > On Mon, Feb 19, 2024 at 04:24:04PM +0800, Kin Seng wrote: > > My current nginx setup always kill the TCP connection after 5 minutes of > > inactivity, i.e no transaction. > > [From wireshark, nginx send RST to upstream server and then send FIN,ACK > to > > downstream client] > > This could be the normal behavior if you had 'proxy_timeout 5m;' in your > config. > But since apparently you have 86400s as proxy timeout value, something > else is > going on. > > Could you provide more details like debug log for example? > > > I have this setup which requires TLS1.2 connection connecting from my > > internal network [client application] to public network [server]. It only > > use TCP ports (not http/https) and establish with a server located at > > public network. The client application does not support TLS1.2 connection > > hence the introduction of nginx proxy/reverse proxy for TLS wrapping > > purpose. You may refer below : > > > > Internal Network > > | INTERNET/Public > > [Client Application] <-----> [NGINX Reverse Proxy] <--- | ---> [Public > > Server] > > > > > > > > - using stream module > > - no error shown in nginx error log > > - access log showing TCP 200 Status but the session only last 300s > > everytime. [Recorded in the access_log] > > > > Below is my nginx configuration > > > > # more nginx.conf > > > > user nginx; > > worker_processes auto; > > error_log /var/log/nginx/error.log; > > pid /run/nginx.pid; > > > > # Load dynamic modules. See /usr/share/doc/nginx/README.dynamic. 
> > include /usr/share/nginx/modules/*.conf; > > > > events { > > worker_connections 2048; > > } > > > > stream { > > resolver 127.0.0.1; > > include /etc/nginx/conf.d/*.conf; > > > > log_format basic '$remote_addr [$time_local] ' > > '$protocol $status $bytes_sent $bytes_received ' > > '$session_time $upstream_addr' > > '"$upstream_bytes_sent" "$upstream_bytes_received" > > "$upstream_connect_time"'; > > > > access_log /var/log/nginx/stream.access.log basic; > > > > error_log log_file; > > error_log /var/log/nginx/error_log; > > > > server { > > listen 35012; > > proxy_pass X.X.X.X:35012; > > proxy_timeout 86400s; > > proxy_connect_timeout 1200s; > > proxy_socket_keepalive on; > > ssl_session_cache shared:SSL:5m; > > ssl_session_timeout 30m; > > > > # For securing TCP Traffic with upstream servers. > > proxy_ssl on; > > proxy_ssl_certificate /etc/ssl/certs/backend.crt; > > proxy_ssl_certificate_key /etc/ssl/certs/backend.key; > > proxy_ssl_protocols TLSv1.2; > > proxy_ssl_ciphers HIGH:!aNULL:!MD5; > > > > # proxy_ssl_trusted_certificate /etc/ssl/certs/trusted_ca_cert.crt; > > # proxy_ssl_verify on; > > proxy_ssl_verify_depth 2; > > > > #To have NGINX proxy previously negotiated connection parameters and use > a > > so-called abbreviated handshake - Fast > > proxy_ssl_session_reuse on; > > > > } > > } > > > > > > After capturing the tcp packet and check via wireshark, I found out that > > the nginx is sending out the RST to the public server and then send > FIN/ACK > > (refer attached pcap picture) to client application. > > > > I have tried to enable keepalive related parameters as per the nginx > config > > above and also check on the OS's TCP tunable and i could not find any > > related settings which make NGINX to kill the TCP connection. > > > > Anyone encountering the same issues? 
> > > _______________________________________________ > > nginx mailing list > > nginx at nginx.org > > https://mailman.nginx.org/mailman/listinfo/nginx > > -- > Roman Arutyunyan > _______________________________________________ > nginx mailing list > nginx at nginx.org > https://mailman.nginx.org/mailman/listinfo/nginx > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ckinseng at gmail.com Tue Feb 20 01:40:13 2024 From: ckinseng at gmail.com (Kin Seng) Date: Tue, 20 Feb 2024 09:40:13 +0800 Subject: NGINX Reverse Proxy terminate TCP connection after 5 minutes of inactivity In-Reply-To: References: Message-ID: Hi J Carter, This is the only results from the whole 5 minutes session (intentionally without any transaction to create inactivity). Is there any symptoms which can prove that other parties are the one who Initiate the closing? On Tue, Feb 20, 2024, 9:33 AM J Carter wrote: > Hello, > > On Mon, 19 Feb 2024 16:24:48 +0800 > Kin Seng wrote: > > [...] > > Please refer to the attachments for reference. > > > > On Mon, Feb 19, 2024 at 4:24 PM Kin Seng wrote: > > > After capturing the tcp packet and check via wireshark, I found out > that > > > the nginx is sending out the RST to the public server and then send > FIN/ACK > > > (refer attached pcap picture) to client application. > > > > > > I have tried to enable keepalive related parameters as per the nginx > > > config above and also check on the OS's TCP tunable and i could not > find > > > any related settings which make NGINX to kill the TCP connection. > > > > > > Anyone encountering the same issues? > > > > > The screenshot shows only 1 segment with FIN flag set too which is > odd - there should be one from each party in close sequence. Also the > client only returns an ACK, rather than FIN+ACK, which it should if > nginx was the initiator of closing the connection... 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx

From: jordanc.carter at outlook.com (J Carter)
Date: Tue, 20 Feb 2024 02:06:39 +0000
Subject: NGINX Reverse Proxy terminate TCP connection after 5 minutes of inactivity

Hello,

On Tue, 20 Feb 2024 09:40:13 +0800
Kin Seng wrote:

> Hi J Carter,
>
> These are the only results from the whole 5 minutes session (intentionally
> without any transaction to create inactivity). Are there any symptoms which
> can prove that other parties are the ones who initiate the closing?

Packet capture is the easiest, however it looks like you have
missing data in PCAP for some reason (like tcpdump filters).

I suppose you could also perform packet capture on the client app host
instead of on the nginx host to corroborate the data - that would show
who sent FIN first.

Also, as Roman says in adjacent thread, debug level logs will also show
what happened.

> On Tue, Feb 20, 2024, 9:33 AM J Carter wrote:
>
> > Hello,
> >
> > On Mon, 19 Feb 2024 16:24:48 +0800
> > Kin Seng wrote:
> >
> > [...]
> > > Please refer to the attachments for reference.
> > >
> > > On Mon, Feb 19, 2024 at 4:24 PM Kin Seng wrote:
> > > > After capturing the tcp packets and checking via wireshark, I found out
> > > > that the nginx is sending out the RST to the public server and then sends
> > > > FIN/ACK (refer attached pcap picture) to the client application.
> > > >
> > > > I have tried to enable keepalive related parameters as per the nginx
> > > > config above and also checked the OS's TCP tunables and I could not find
> > > > any related settings which make NGINX kill the TCP connection.
> > > >
> > > > Anyone encountering the same issues?
> >
> > The screenshot shows only 1 segment with FIN flag set too which is
> > odd - there should be one from each party in close sequence. Also the
> > client only returns an ACK, rather than FIN+ACK, which it should if
> > nginx was the initiator of closing the connection...

From: ckinseng at gmail.com (Kin Seng)
Date: Tue, 20 Feb 2024 11:57:27 +0800
Subject: NGINX Reverse Proxy terminate TCP connection after 5 minutes of inactivity

Hi J Carter,

Thank you for your reply. I am capturing the packets from the firewall, and the
filtering is as per below for the previously attached pcap.

Source : client app -- Dest : nginx proxy , any port to any port
Source : public server -- Dest : nginx proxy , any port to any port
Source : nginx proxy -- Dest : client app , any port to any port
Source : nginx proxy -- Dest : public server , any port to any port.

Perhaps I will try to do tcpdump from the client app as well.

One more piece of info that I noticed on the client app host: the netstat
command shows CLOSE_WAIT for the terminated session. It seems like CLOSE_WAIT
is the sign that the closing is from external (in this case the client app is
connected to the nginx proxy), is this right?

On Tue, Feb 20, 2024, 10:06 AM J Carter wrote:

> Hello,
>
> Packet capture is the easiest, however it looks like you have
> missing data in PCAP for some reason (like tcpdump filters).
>
> I suppose you could also perform packet capture on the client app host
> instead of on the nginx host to corroborate the data - that would show
> who sent FIN first.
>
> Also, as Roman says in adjacent thread, debug level logs will also show
> what happened.
>
> [...]
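The two questions in this exchange (who sent the first FIN, and what CLOSE_WAIT on the client host means) can be answered mechanically from a text capture. The following is an added example, not code from the thread or from nginx: a small POSIX shell script that scans tcpdump-style lines for the first FIN and first RST sender, and maps a netstat/ss connection state to which side closed first. The capture lines are constructed to mirror the sequence Kin Seng describes (a RST towards the public server, then a FIN to the client that is only ACKed); addresses, ports and timestamps are made up, and the field positions assume the default tcpdump line layout shown in the sample (a single interface, no -e).

```shell
#!/bin/sh
# Added example, not from the thread: the check J Carter describes, done from a
# text capture. The segment lines are constructed to look like `tcpdump -nn -tt`
# output for the situation Kin Seng reports (nginx resets the upstream connection,
# then sends FIN to the client, which only ACKs). All addresses are made up.
SAMPLE_CAPTURE='1708394400.000001 IP 10.0.0.5.51234 > 10.0.0.9.443: Flags [P.], seq 1:100, ack 1, win 502, length 99
1708394400.000150 IP 10.0.0.9.443 > 10.0.0.5.51234: Flags [.], ack 100, win 509, length 0
1708394700.100000 IP 10.0.0.9.40122 > 203.0.113.7.443: Flags [R.], seq 1, ack 1, win 0, length 0
1708394700.100200 IP 10.0.0.9.443 > 10.0.0.5.51234: Flags [F.], seq 1, ack 100, win 509, length 0
1708394700.100300 IP 10.0.0.5.51234 > 10.0.0.9.443: Flags [.], ack 2, win 502, length 0'

# first_flag_sender CAPTURE FLAG: prints "src -> dst" of the first segment whose
# tcpdump flag field contains FLAG (F for FIN, R for RST), or "none". The side
# that sends the first FIN is the one that initiated the close.
first_flag_sender() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $6 == "Flags" {
            flags = $7; sub(/,$/, "", flags)   # "[F.]," -> "[F.]"
            dst = $5;   sub(/:$/, "", dst)     # "10.0.0.5.51234:" -> "10.0.0.5.51234"
            if (index(flags, want) > 0) { print $3 " -> " dst; found = 1; exit }
        }
        END { if (!found) print "none" }'
}

# tcp_state_meaning STATE: what a netstat/ss state says about who closed first,
# from the local host's point of view (TCP state machine, RFC 9293).
tcp_state_meaning() {
    case $1 in
        CLOSE_WAIT)            echo "peer sent FIN first; local side has not closed yet" ;;
        LAST_ACK)              echo "peer sent FIN first; local side has now sent its FIN" ;;
        FIN_WAIT_1|FIN_WAIT_2) echo "local side sent FIN first; waiting for the peer" ;;
        CLOSING)               echo "both sides sent FIN before seeing the other's" ;;
        TIME_WAIT)             echo "local side closed actively; close handshake finished" ;;
        *)                     echo "not a closing state" ;;
    esac
}

# Walk the constructed capture with both checks.
echo "first FIN: $(first_flag_sender "$SAMPLE_CAPTURE" F)"
echo "first RST: $(first_flag_sender "$SAMPLE_CAPTURE" R)"
echo "client host shows CLOSE_WAIT: $(tcp_state_meaning CLOSE_WAIT)"
```

Against a real capture, feed the function the text of `tcpdump -nn -tt -r capture.pcap 'tcp[tcpflags] & (tcp-fin|tcp-rst) != 0'`. Capture on the client host as well as on the proxy, as suggested above: a firewall filter that drops one direction makes the first FIN appear to come from the wrong side. A CLOSE_WAIT socket on the client host means the client has received a FIN and has not yet closed its own socket, which is what one would expect if nginx initiated the close.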
From: rttwyjz at gmail.com (杨金泽)
Date: Tue, 20 Feb 2024 13:22:55 +0800
Subject: Issues building Nginx using boringssl

Hello,

I encountered the following error when using boringssl to build Nginx:

checking for OpenSSL library ... not found
checking for OpenSSL library in /usr/local/ ... not found
checking for OpenSSL library in /usr/pkg/ ... not found
checking for OpenSSL library in /opt/local/ ... not found

./auto/configure: error: SSL modules require the OpenSSL library.
You can either do not enable the modules, or install the OpenSSL library
into the system, or build the OpenSSL library statically from the source
with nginx by using --with-openssl=<path> option.

At first I thought it was caused by openssl not existing, but when I ran
openssl version -a, everything was normal:

root at iZ2hmeokcpbj42Z ~/nginx # openssl version -a
OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)
built on: Mon Oct 23 17:52:22 2023 UTC
platform: debian-amd64
options:  bn(64,64)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -fzero-call-used-regs=used-gpr -DOPENSSL_TLS_SECURITY_LEVEL=2 -Wa,--noexecstack -g -O2 -ffile-prefix-map=/build/reproducible-path/openssl-3.0.11=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-3"
MODULESDIR: "/usr/lib/x86_64-linux-gnu/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_ia32cap=0xfffa32035f8bffff:0xd01e4fbb

Later my friend and I discovered that the latest boringssl compatible OpenSSL
version seems to have been upgraded to 3.2.x, but I am not sure if this is the
problem. The final solution was to switch to this commit:
https://github.com/google/boringssl/commit/c39e6cd9ec5acebb6de2adffc03cfe03b07f08ab
But I don't think switching to a previous commit to build is a perfect
solution, so I'd like to ask for some help.

My build steps are as follows:

apt update
apt install build-essential ca-certificates zlib1g-dev libpcre3 libpcre3-dev tar unzip libssl-dev wget curl git cmake ninja-build mercurial libunwind-dev pkg-config

git clone https://github.com/google/boringssl.git
cd boringssl
mkdir build
cd build
cmake -GNinja ..
ninja
cd ../..

git clone --recurse-submodules -j8 https://github.com/google/ngx_brotli
cd ngx_brotli/deps/brotli
mkdir out && cd out
cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF -DCMAKE_C_FLAGS="-Ofast -m64 -march=native -mtune=native -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_CXX_FLAGS="-Ofast -m64 -march=native -mtune=native -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_INSTALL_PREFIX=./installed ..
cmake --build . --config Release --target brotlienc
cd ../../../..

hg clone https://hg.nginx.org/nginx
cd nginx
./auto/configure --user=www --group=www --prefix=/www/server/nginx --with-pcre --add-module=/root/ngx_brotli --with-http_v2_module --with-stream --with-stream_ssl_module --with-http_ssl_module --with-http_gzip_static_module --with-http_gunzip_module --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_realip_module --with-http_mp4_module --with-ld-opt=-Wl,-E --with-cc-opt=-Wno-error --with-ld-opt=-ljemalloc --with-http_dav_module --with-http_v3_module --with-cc-opt=-I../boringssl/include --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto'
make
make install

System information:

checking for OS
 + Linux 6.1.0-18-amd64 x86_64
checking for C compiler ... found
 + using GNU C compiler
 + gcc version: 12.2.0 (Debian 12.2.0-14)

From: noloader at gmail.com (Jeffrey Walton)
Date: Tue, 20 Feb 2024 01:02:20 -0500
Subject: Issues building Nginx using boringssl

On Tue, Feb 20, 2024 at 12:23 AM 杨金泽 wrote:
>
> I encountered the following error when using boringssl to build Nginx:
> checking for OpenSSL library ... not found
> checking for OpenSSL library in /usr/local/ ... not found
> checking for OpenSSL library in /usr/pkg/ ... not found
> checking for OpenSSL library in /opt/local/ ... not found
> ./auto/configure: error: SSL modules require the OpenSSL library.
> You can either do not enable the modules, or install the OpenSSL library
> into the system, or build the OpenSSL library statically from the source
> with nginx by using --with-openssl=<path> option.
>
> [...]
>
> hg clone https://hg.nginx.org/nginx
> cd nginx
> ./auto/configure --user=www --group=www --prefix=/www/server/nginx --with-pcre --add-module=/root/ngx_brotli --with-http_v2_module --with-stream --with-stream_ssl_module --with-http_ssl_module --with-http_gzip_static_module --with-http_gunzip_module --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_realip_module --with-http_mp4_module --with-ld-opt=-Wl,-E --with-cc-opt=-Wno-error --with-ld-opt=-ljemalloc --with-http_dav_module --with-http_v3_module --with-cc-opt=-I../boringssl/include --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto'
> make
> make install
>
> System information:
> checking for OS
> + Linux 6.1.0-18-amd64 x86_64
> checking for C compiler ... found
> + using GNU C compiler
> + gcc version: 12.2.0 (Debian 12.2.0-14)

This does not look correct to me, based on my knowledge of OpenSSL. (I
don't have experience with BoringSSL):

    --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto'

You are trying to link two OpenSSL-compatible libraries. They are
libcrypto.{a|so}, and libssl.{a|so}. Those artifacts are usually
placed in a lib/ directory, not in separate ssl/ and crypto/
directories. (Two separate directories may be a BoringSSL-ism).

So I believe the proper flag would be similar to:

    --with-ld-opt='-L../boringssl/build/lib'

You should also consider using the following option so the library
used at runtime is the same library used at compile and link time:

    -Wl,-rpath=../boringssl/build/lib -Wl,--enable-new-dtags

But you should change ../boringssl/build/lib to the full path, and not
use the relative path.

Also see or the BoringSSL equivalent document.

Jeff

From: rttwyjz at gmail.com (Jinze YANG)
Date: Tue, 20 Feb 2024 16:29:03 +0800
Subject: Issues building Nginx using boringssl

Hello,

As you can see, boringssl's libcrypto.a and libssl.a are in two separate
directories, as shown below:

root at VM-8-12-debian ~/boringssl/build # ls
bssl         CMakeCache.txt  cmake_install.cmake  crypto_test          decrepit       embed_test_data_args.txt  libpki.a               pki_test  ssl_test  urandom_test
build.ninja  CMakeFiles      crypto               crypto_test_data.cc  decrepit_test  libboringssl_gtest.a      libtest_support_lib.a  ssl       tool      util
root at VM-8-12-debian ~/boringssl/build # cd crypto
root at VM-8-12-debian ~/boringssl/build/crypto # ls
chacha  cipher_extra  CMakeFiles  cmake_install.cmake  crypto_test  err_data.c  fipsmodule  libcrypto.a  test  urandom_test
root at VM-8-12-debian ~/boringssl/build/crypto # cd ..
root at VM-8-12-debian ~/boringssl/build # cd ssl
root at VM-8-12-debian ~/boringssl/build/ssl # ls
CMakeFiles  cmake_install.cmake  libssl.a  ssl_test  test

I tried using absolute paths and adding
-Wl,-rpath=/root/boringssl/build/ssl -Wl,-rpath=/root/boringssl/build/crypto -Wl,--enable-new-dtags
but this doesn't play any role.

--
Best Regards,
Jinze Yang

-------------------------------------------------------
> On Tue, Feb 20, 2024 at 12:23 AM 杨金泽 wrote:
> > [...]
>
> This does not look correct to me, based on my knowledge of OpenSSL. (I
> don't have experience with BoringSSL):
>
>     --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto'
>
> You are trying to link two OpenSSL-compatible libraries. They are
> libcrypto.{a|so}, and libssl.{a|so}. Those artifacts are usually
> placed in a lib/ directory, not in separate ssl/ and crypto/
> directories. (Two separate directories may be a BoringSSL-ism).
>
> So I believe the proper flag would be similar to:
>
>     --with-ld-opt='-L../boringssl/build/lib'
>
> You should also consider using the following option so the library
> used at runtime is the same library used at compile and link time:
>
>     -Wl,-rpath=../boringssl/build/lib -Wl,--enable-new-dtags
>
> But you should change ../boringssl/build/lib to the full path, and not
> use the relative path.
>
> Also see or the BoringSSL equivalent document.
>
> Jeff
> > So I believe the proper flag would be similar to: > > --with-ld-opt='-L../boringssl/build/lib > > You should also consider using the the following option so the library > used at runtime is the same library used at compile and link time: > > -Wl,-rpath=../boringssl/build/lib -Wl,--enable-new-dtags > > But you should change ../boringssl/build/lib to the full path, and not > use the relative path. > > Also see > _RPATHs> > or the BoringSSL equivalent document. > > Jeff > _______________________________________________ > nginx mailing list > nginx at nginx.org > https://mailman.nginx.org/mailman/listinfo/nginx -------------- next part -------------- An HTML attachment was scrubbed... URL: From arut at nginx.com Tue Feb 20 13:12:40 2024 From: arut at nginx.com (Roman Arutyunyan) Date: Tue, 20 Feb 2024 17:12:40 +0400 Subject: Issues building Nginx using boringssl In-Reply-To: References: Message-ID: <840345EC-C7B2-495C-8714-571C96461BA1@nginx.com> Hi, Your boringssl paths look ok. What's in objs/autoconf.err ? > On 20 Feb 2024, at 12:29, Jinze YANG wrote: > > Hello, > As you can see, boringssl's libcrypto.a and libssl.a are in two separate directories, as shown below: > root at VM-8-12-debian ~/boringssl/build # ls > bssl CMakeCache.txt cmake_install.cmake crypto_test decrepit embed_test_data_args.txt libpki.a pki_test ssl_test urandom_test > build.ninja CMakeFiles crypto crypto_test_data.cc decrepit_test libboringssl_gtest.a libtest_support_lib.a ssl tool util > root at VM-8-12-debian ~/boringssl/build # cd crypto > root at VM-8-12-debian ~/boringssl/build/crypto # ls > chacha cipher_extra CMakeFiles cmake_install.cmake crypto_test err_data.c fipsmodule libcrypto.a test urandom_test > root at VM-8-12-debian ~/boringssl/build/crypto # cd .. 
> root at VM-8-12-debian ~/boringssl/build # cd ssl > root at VM-8-12-debian ~/boringssl/build/ssl # ls > CMakeFiles cmake_install.cmake libssl.a ssl_test test > > I tried using absolute paths and adding -Wl,-rpath=/root/boringssl/build/ssl -Wl,-rpath=/root/boringssl/build/crypto -Wl,--enable-new-dtags but this Doesn't play any role. > > -- > Best Regards, > Jinze Yang > > ------------------------------------------------------- > > On Tue, Feb 20, 2024 at 12:23 AM 杨金泽 > wrote: > > > > > > I encountered the following error when using boringssl to build > > Nginx: > > > checking for OpenSSL library ... not found > > > checking for OpenSSL library in /usr/local/ ... not found > > > checking for OpenSSL library in /usr/pkg/ ... not found > > > checking for OpenSSL library in /opt/local/ ... not found > > > ./auto/configure: error: SSL modules require the OpenSSL library. > > > You can either do not enable the modules, or install the OpenSSL > > library > > > into the system, or build the OpenSSL library statically from the > > source > > > with nginx by using --with-openssl= option. > > > > > > At first I thought it was caused by openssl not existing, but when I > > ran openssl version -a, everything was normal: > > > root at iZ2hmeokcpbj42Z ~/nginx # openssl version -a > > > OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023) > > > built on: Mon Oct 23 17:52:22 2023 UTC > > > platform: debian-amd64 > > > options: bn(64,64) > > > compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall > > -fzero-call-used-regs=used-gpr -DOPENSSL_TLS_SECURITY_LEVEL=2 > > -Wa,--noexecstack -g -O2 -ffile-prefix-map= > > /build/reproducible-path/openssl-3.0.11=. 
-fstack-protector-strong > > -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DL_ENDIAN > > -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -Wdate-time > > -D_FORTIFY_SOURCE=2 > > > OPENSSLDIR: "/usr/lib/ssl" > > > ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-3" > > > MODULESDIR: "/usr/lib/x86_64-linux-gnu/ossl-modules" > > > Seeding source: os-specific > > > CPUINFO: OPENSSL_ia32cap=0xfffa32035f8bffff:0xd01e4fbb > > > > > > Later my friend and I discovered that the latest boringssl > > compatible OpenSSL version seems to have been upgraded to 3.2.x, but I > > am not sure if this is the problem. The final solution was to switch > > to https://github.com/google/boringssl > > /commit/c39e6cd9ec5acebb6de2adffc03cfe03b07f08ab this commit.But I > > don't think switching to a previous commit to build is a perfect > > solution, so I'd like to ask for some help. > > > > > > My build steps are as follows: > > > apt update > > > apt install build-essential ca-certificates zlib1g-dev libpcre3 > > libpcre3-dev tar unzip libssl-dev wget curl git cmake ninja-build > > mercurial libunwind-dev pkg-config > > > > > > git clone https://github.com/google/boringssl.git > > > cd boringssl > > > mkdir build > > > cd build > > > cmake -GNinja .. > > > ninja > > > cd ../.. > > > > > > git clone --recurse-submodules -j8 > > https://github.com/google/ngx_brotli > > > cd ngx_brotli/deps/brotli > > > mkdir out && cd out > > > cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF > > -DCMAKE_C_FLAGS="-Ofast -m64 -march=native -mtune=native -flto > > -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" > > -DCMAKE_CXX_FLAGS ="-Ofast -m64 -march=native -mtune=native -flto > > -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" > > -DCMAKE_INSTALL_PREFIX=./installed .. > > > cmake --build . --config Release --target brotlienc > > > cd ../../../.. 
> > > > > > hg clone https://hg.nginx.org/nginx > > > cd nginx > > > ./auto/configure --user=www --group=www --prefix=/www/server/nginx > > --with-pcre --add-module=/root/ngx_brotli --with-http_v2_module > > --with-stream --with-stream_ssl_module --with-http_ssl_module > > --with-http_gzip_static_module --with-http_gunzip_module > > --with-http_sub_module --with-http_flv_module > > --with-http_addition_module --with-http_realip_module > > --with-http_mp4_module --with-ld -opt=-Wl,-E --with-cc-opt=-Wno-error > > --with-ld-opt=-ljemalloc --with-http_dav_module --with-http_v3_module > > --with-cc-opt=-I ../boringssl/include > > --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto' > > > make > > > make install > > > > > > System information: > > > checking for OS > > > + Linux 6.1.0-18-amd64 x86_64 > > > checking for C compiler ... found > > > + using GNU C compiler > > > + gcc version: 12.2.0 (Debian 12.2.0-14) > > > > This does not look correct to me, based on my knowledge of OpenSSL. (I > > don't have experience with BoringSSL): > > > > --with-ld-opt='-L../boringssl/build/ssl > > -L../boringssl/build/crypto' > > > > You are trying to link two OpenSSL-compatible libraries. They are > > libcrypto.{a|so}, and libssl.{a|so}. Those artifacts are usually > > placed in a lib/ directory, not in separate ssl/ and crypto/ > > directories. (Two separate directories may be a BoringSSL-ism). > > > > So I believe the proper flag would be similar to: > > > > --with-ld-opt='-L../boringssl/build/lib > > > > You should also consider using the the following option so the library > > used at runtime is the same library used at compile and link time: > > > > -Wl,-rpath=../boringssl/build/lib -Wl,--enable-new-dtags > > > > But you should change ../boringssl/build/lib to the full path, and not > > use the relative path. > > > > Also see > > > _RPATHs> > > or the BoringSSL equivalent document. 
> > > > Jeff > > _______________________________________________ > > nginx mailing list > > nginx at nginx.org > > https://mailman.nginx.org/mailman/listinfo/nginx > _______________________________________________ > nginx mailing list > nginx at nginx.org > https://mailman.nginx.org/mailman/listinfo/nginx ---- Roman Arutyunyan arut at nginx.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From rttwyjz at gmail.com Tue Feb 20 13:29:21 2024 From: rttwyjz at gmail.com (Jinze YANG) Date: Tue, 20 Feb 2024 21:29:21 +0800 Subject: Issues building Nginx using boringssl Message-ID: Hi, I have attached this file, please check it out. ------------------------------------------------------- > Hi, > > Your boringssl paths look ok. > > What's in objs/autoconf.err ? > > > On 20 Feb 2024, at 12:29, Jinze YANG wrote: > > > > Hello, > > As you can see, boringssl's libcrypto.a and libssl.a are in two > separate directories, as shown below: > > root at VM-8-12-debian ~/boringssl/build # ls > > bssl CMakeCache.txt cmake_install.cmake crypto_test decrepit > embed_test_data_args.txt libpki.a pki_test ssl_test urandom_test > > build.ninja CMakeFiles crypto crypto_test_data.cc decrepit_test > libboringssl_gtest.a libtest_support_lib.a ssl tool util > > root at VM-8-12-debian ~/boringssl/build # cd crypto > > root at VM-8-12-debian ~/boringssl/build/crypto # ls > > chacha cipher_extra CMakeFiles cmake_install.cmake crypto_test > err_data.c fipsmodule libcrypto.a test urandom_test > > root at VM-8-12-debian ~/boringssl/build/crypto # cd .. > > root at VM-8-12-debian ~/boringssl/build # cd ssl > > root at VM-8-12-debian ~/boringssl/build/ssl # ls > > CMakeFiles cmake_install.cmake libssl.a ssl_test test > > > > I tried using absolute paths and adding > -Wl,-rpath=/root/boringssl/build/ssl > -Wl,-rpath=/root/boringssl/build/crypto -Wl,--enable-new-dtags but > this Doesn't play any role. 
> > > > -- > > Best Regards, > > Jinze Yang > > > > ------------------------------------------------------- > > > On Tue, Feb 20, 2024 at 12:23 AM 杨金泽 > wrote: > > > > > > > > I encountered the following error when using boringssl to build > > > Nginx: > > > > checking for OpenSSL library ... not found > > > > checking for OpenSSL library in /usr/local/ ... not found > > > > checking for OpenSSL library in /usr/pkg/ ... not found > > > > checking for OpenSSL library in /opt/local/ ... not found > > > > ./auto/configure: error: SSL modules require the OpenSSL > library. > > > > You can either do not enable the modules, or install the OpenSSL > > > library > > > > into the system, or build the OpenSSL library statically from > the > > > source > > > > with nginx by using --with-openssl= option. > > > > > > > > At first I thought it was caused by openssl not existing, but > when I > > > ran openssl version -a, everything was normal: > > > > root at iZ2hmeokcpbj42Z ~/nginx # openssl version -a > > > > OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023) > > > > built on: Mon Oct 23 17:52:22 2023 UTC > > > > platform: debian-amd64 > > > > options: bn(64,64) > > > > compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall > > > -fzero-call-used-regs=used-gpr -DOPENSSL_TLS_SECURITY_LEVEL=2 > > > -Wa,--noexecstack -g -O2 -ffile-prefix-map= > > > /build/reproducible-path/openssl-3.0.11=. 
-fstack-protector-strong > > > -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DL_ENDIAN > > > -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -Wdate-time > > > -D_FORTIFY_SOURCE=2 > > > > OPENSSLDIR: "/usr/lib/ssl" > > > > ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-3" > > > > MODULESDIR: "/usr/lib/x86_64-linux-gnu/ossl-modules" > > > > Seeding source: os-specific > > > > CPUINFO: OPENSSL_ia32cap=0xfffa32035f8bffff:0xd01e4fbb > > > > > > > > Later my friend and I discovered that the latest boringssl > > > compatible OpenSSL version seems to have been upgraded to 3.2.x, > but I > > > am not sure if this is the problem. The final solution was to > switch > > > to https://github.com/google/boringssl > > > /commit/c39e6cd9ec5acebb6de2adffc03cfe03b07f08ab this commit.But I > > > don't think switching to a previous commit to build is a perfect > > > solution, so I'd like to ask for some help. > > > > > > > > My build steps are as follows: > > > > apt update > > > > apt install build-essential ca-certificates zlib1g-dev libpcre3 > > > libpcre3-dev tar unzip libssl-dev wget curl git cmake ninja-build > > > mercurial libunwind-dev pkg-config > > > > > > > > git clone https://github.com/google/boringssl.git > > > > cd boringssl > > > > mkdir build > > > > cd build > > > > cmake -GNinja .. > > > > ninja > > > > cd ../.. > > > > > > > > git clone --recurse-submodules -j8 > > > https://github.com/google/ngx_brotli > > > > cd ngx_brotli/deps/brotli > > > > mkdir out && cd out > > > > cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF > > > -DCMAKE_C_FLAGS="-Ofast -m64 -march=native -mtune=native -flto > > > -funroll-loops -ffunction-sections -fdata-sections > -Wl,--gc-sections" > > > -DCMAKE_CXX_FLAGS ="-Ofast -m64 -march=native -mtune=native -flto > > > -funroll-loops -ffunction-sections -fdata-sections > -Wl,--gc-sections" > > > -DCMAKE_INSTALL_PREFIX=./installed .. > > > > cmake --build . --config Release --target brotlienc > > > > cd ../../../.. 
> > > > > > > > hg clone https://hg.nginx.org/nginx > > > > cd nginx > > > > ./auto/configure --user=www --group=www > --prefix=/www/server/nginx > > > --with-pcre --add-module=/root/ngx_brotli --with-http_v2_module > > > --with-stream --with-stream_ssl_module --with-http_ssl_module > > > --with-http_gzip_static_module --with-http_gunzip_module > > > --with-http_sub_module --with-http_flv_module > > > --with-http_addition_module --with-http_realip_module > > > --with-http_mp4_module --with-ld -opt=-Wl,-E > --with-cc-opt=-Wno-error > > > --with-ld-opt=-ljemalloc --with-http_dav_module > --with-http_v3_module > > > --with-cc-opt=-I ../boringssl/include > > > --with-ld-opt='-L../boringssl/build/ssl > -L../boringssl/build/crypto' > > > > make > > > > make install > > > > > > > > System information: > > > > checking for OS > > > > + Linux 6.1.0-18-amd64 x86_64 > > > > checking for C compiler ... found > > > > + using GNU C compiler > > > > + gcc version: 12.2.0 (Debian 12.2.0-14) > > > > > > This does not look correct to me, based on my knowledge of > OpenSSL. (I > > > don't have experience with BoringSSL): > > > > > > --with-ld-opt='-L../boringssl/build/ssl > > > -L../boringssl/build/crypto' > > > > > > You are trying to link two OpenSSL-compatible libraries. They are > > > libcrypto.{a|so}, and libssl.{a|so}. Those artifacts are usually > > > placed in a lib/ directory, not in separate ssl/ and crypto/ > > > directories. (Two separate directories may be a BoringSSL-ism). > > > > > > So I believe the proper flag would be similar to: > > > > > > --with-ld-opt='-L../boringssl/build/lib > > > > > > You should also consider using the the following option so the > library > > > used at runtime is the same library used at compile and link time: > > > > > > -Wl,-rpath=../boringssl/build/lib -Wl,--enable-new-dtags > > > > > > But you should change ../boringssl/build/lib to the full path, and > not > > > use the relative path. 
> > > > > > Also see > > > > > > _RPATHs> > > > or the BoringSSL equivalent document. > > > > > > Jeff > > > _______________________________________________ > > > nginx mailing list > > > nginx at nginx.org > > > https://mailman.nginx.org/mailman/listinfo/nginx > > _______________________________________________ > > nginx mailing list > > nginx at nginx.org > > https://mailman.nginx.org/mailman/listinfo/nginx > > ---- > Roman Arutyunyan > arut at nginx.com > > > > > _______________________________________________ > nginx mailing list > nginx at nginx.org > https://mailman.nginx.org/mailman/listinfo/nginx -- Best Regards, Jinze Yang -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- ---------------------------------------- checking for C compiler ---------------------------------------- checking for gcc -pipe switch ---------------------------------------- checking for --with-ld-opt="-L/root/boringssl/build/ssl -L/root/boringssl/build/crypto -Wl,-rpath=/root/boringssl/build/ssl -Wl,-rpath=/root/boringssl/build/crypto -Wl,--enable-new-dtags" ---------------------------------------- checking for -Wl,-E switch ---------------------------------------- checking for gcc builtin atomic operations ---------------------------------------- checking for C99 variadic macros ---------------------------------------- checking for gcc variadic macros ---------------------------------------- checking for gcc builtin 64 bit byteswap ---------------------------------------- checking for unistd.h ---------------------------------------- checking for inttypes.h ---------------------------------------- checking for limits.h ---------------------------------------- checking for sys/filio.h objs/autotest.c:3:10: fatal error: sys/filio.h: No such file or directory 3 | #include | ^~~~~~~~~~~~~ compilation terminated. 
----------
#include

int main(void) {
    return 0;
}
----------
cc -o objs/autotest objs/autotest.c
----------
----------------------------------------
checking for sys/param.h
----------------------------------------
checking for sys/mount.h
----------------------------------------
checking for sys/statvfs.h
----------------------------------------
checking for crypt.h
----------------------------------------
checking for epoll
----------------------------------------
checking for EPOLLRDHUP
----------------------------------------
checking for EPOLLEXCLUSIVE
----------------------------------------
checking for eventfd()
----------------------------------------
checking for O_PATH
----------------------------------------
checking for sendfile()
----------------------------------------
checking for sendfile64()
----------------------------------------
checking for sys/prctl.h
----------------------------------------
checking for prctl(PR_SET_DUMPABLE)
----------------------------------------
checking for prctl(PR_SET_KEEPCAPS)
----------------------------------------
checking for capabilities
----------------------------------------
checking for crypt_r()
----------------------------------------
checking for sys/vfs.h
----------------------------------------
checking for BPF sockhash
----------------------------------------
checking for SO_COOKIE
----------------------------------------
checking for UDP_SEGMENT
----------------------------------------
checking for poll()
----------------------------------------
checking for /dev/poll
objs/autotest.c:4:10: fatal error: sys/devpoll.h: No such file or directory
    4 | #include
      |          ^~~~~~~~~~~~~~~
compilation terminated.
----------
#include
#include
#include

int main(void) {
    int n, dp; struct dvpoll dvp;
    dp = 0;
    dvp.dp_fds = NULL;
    dvp.dp_nfds = 0;
    dvp.dp_timeout = 0;
    n = ioctl(dp, DP_POLL, &dvp);
    if (n == -1) return 1;
    return 0;
}
----------
cc -I/root/boringssl/include -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -o objs/autotest objs/autotest.c -L/root/boringssl/build/ssl -L/root/boringssl/build/crypto -Wl,-rpath=/root/boringssl/build/ssl -Wl,-rpath=/root/boringssl/build/crypto -Wl,--enable-new-dtags
----------
----------------------------------------
checking for kqueue
objs/autotest.c:4:10: fatal error: sys/event.h: No such file or directory
    4 | #include
      |          ^~~~~~~~~~~~~
compilation terminated.
----------
#include
#include
#include

int main(void) {
    (void) kqueue();
    return 0;
}
----------
cc -I/root/boringssl/include -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -o objs/autotest objs/autotest.c -L/root/boringssl/build/ssl -L/root/boringssl/build/crypto -Wl,-rpath=/root/boringssl/build/ssl -Wl,-rpath=/root/boringssl/build/crypto -Wl,--enable-new-dtags
----------
----------------------------------------
checking for crypt()
/usr/bin/ld: /tmp/ccYR4UY1.o: in function `main':
autotest.c:(.text+0x19): undefined reference to `crypt'
collect2: error: ld returned 1 exit status
----------
#include
#include

int main(void) {
    crypt("test", "salt");;
    return 0;
}
----------
cc -I/root/boringssl/include -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -o objs/autotest objs/autotest.c -L/root/boringssl/build/ssl -L/root/boringssl/build/crypto -Wl,-rpath=/root/boringssl/build/ssl -Wl,-rpath=/root/boringssl/build/crypto -Wl,--enable-new-dtags
----------
----------------------------------------
checking for crypt() in libcrypt
----------------------------------------
checking for F_READAHEAD
objs/autotest.c: In function 'main':
objs/autotest.c:7:14: error: 'F_READAHEAD' undeclared (first use in this function)
    7 |     fcntl(0, F_READAHEAD, 1);;
      |              ^~~~~~~~~~~
objs/autotest.c:7:14: note: each undeclared identifier is reported only once for each function it appears in
----------
#include
#include
#include

int main(void) {
    fcntl(0, F_READAHEAD, 1);;
    return 0;
}
----------
cc -I/root/boringssl/include -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -o objs/autotest objs/autotest.c -L/root/boringssl/build/ssl -L/root/boringssl/build/crypto -Wl,-rpath=/root/boringssl/build/ssl -Wl,-rpath=/root/boringssl/build/crypto -Wl,--enable-new-dtags
----------
----------------------------------------
checking for posix_fadvise()
----------------------------------------
checking for O_DIRECT
----------------------------------------
checking for F_NOCACHE
objs/autotest.c: In function 'main':
objs/autotest.c:7:14: error: 'F_NOCACHE' undeclared (first use in this function)
    7 |     fcntl(0, F_NOCACHE, 1);;
      |              ^~~~~~~~~
objs/autotest.c:7:14: note: each undeclared identifier is reported only once for each function it appears in
----------
#include
#include
#include

int main(void) {
    fcntl(0, F_NOCACHE, 1);;
    return 0;
}
----------
cc -I/root/boringssl/include -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -o objs/autotest objs/autotest.c -L/root/boringssl/build/ssl -L/root/boringssl/build/crypto -Wl,-rpath=/root/boringssl/build/ssl -Wl,-rpath=/root/boringssl/build/crypto -Wl,--enable-new-dtags
----------
----------------------------------------
checking for directio()
objs/autotest.c: In function 'main':
objs/autotest.c:8:5: warning: implicit declaration of function 'directio' [-Wimplicit-function-declaration]
    8 |     directio(0, DIRECTIO_ON);;
      |     ^~~~~~~~
objs/autotest.c:8:17: error: 'DIRECTIO_ON' undeclared (first use in this function)
    8 |     directio(0, DIRECTIO_ON);;
      |                 ^~~~~~~~~~~
objs/autotest.c:8:17: note: each undeclared identifier is reported only once for each function it appears in
----------
#include
#include
#include
#include

int main(void) {
    directio(0, DIRECTIO_ON);;
    return 0;
}
----------
cc -I/root/boringssl/include -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -o objs/autotest objs/autotest.c -L/root/boringssl/build/ssl -L/root/boringssl/build/crypto -Wl,-rpath=/root/boringssl/build/ssl -Wl,-rpath=/root/boringssl/build/crypto -Wl,--enable-new-dtags
----------
----------------------------------------
checking for statfs()
----------------------------------------
checking for statvfs()
----------------------------------------
checking for dlopen()
----------------------------------------
checking for sched_yield()
----------------------------------------
checking for sched_setaffinity()
----------------------------------------
checking for SO_SETFIB
objs/autotest.c: In function 'main':
objs/autotest.c:7:31: error: 'SO_SETFIB' undeclared (first use in this function)
    7 |     setsockopt(0, SOL_SOCKET, SO_SETFIB, NULL, 0);
      |                               ^~~~~~~~~
objs/autotest.c:7:31: note: each undeclared identifier is reported only once for each function it appears in
----------
#include
#include
#include

int main(void) {
    setsockopt(0, SOL_SOCKET, SO_SETFIB, NULL, 0);
    return 0;
}
----------
cc -I/root/boringssl/include -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -o objs/autotest objs/autotest.c -L/root/boringssl/build/ssl -L/root/boringssl/build/crypto -Wl,-rpath=/root/boringssl/build/ssl -Wl,-rpath=/root/boringssl/build/crypto -Wl,--enable-new-dtags
----------
----------------------------------------
checking for SO_REUSEPORT
----------------------------------------
checking for SO_ACCEPTFILTER
objs/autotest.c: In function 'main':
objs/autotest.c:7:31: error: 'SO_ACCEPTFILTER' undeclared (first use in this function); did you mean 'SO_LOCK_FILTER'?
    7 |     setsockopt(0, SOL_SOCKET, SO_ACCEPTFILTER, NULL, 0);
      |                               ^~~~~~~~~~~~~~~
      |                               SO_LOCK_FILTER
objs/autotest.c:7:31: note: each undeclared identifier is reported only once for each function it appears in
----------
#include
#include
#include

int main(void) {
    setsockopt(0, SOL_SOCKET, SO_ACCEPTFILTER, NULL, 0);
    return 0;
}
----------
cc -I/root/boringssl/include -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -o objs/autotest objs/autotest.c -L/root/boringssl/build/ssl -L/root/boringssl/build/crypto -Wl,-rpath=/root/boringssl/build/ssl -Wl,-rpath=/root/boringssl/build/crypto -Wl,--enable-new-dtags
----------
----------------------------------------
checking for SO_BINDANY
objs/autotest.c: In function 'main':
objs/autotest.c:7:31: error: 'SO_BINDANY' undeclared (first use in this function)
    7 |     setsockopt(0, SOL_SOCKET, SO_BINDANY, NULL, 0);
      |                               ^~~~~~~~~~
objs/autotest.c:7:31: note: each undeclared identifier is reported only once for each function it appears in
----------
#include
#include
#include

int main(void) {
    setsockopt(0, SOL_SOCKET, SO_BINDANY, NULL, 0);
    return 0;
}
----------
cc -I/root/boringssl/include -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -o objs/autotest objs/autotest.c -L/root/boringssl/build/ssl -L/root/boringssl/build/crypto -Wl,-rpath=/root/boringssl/build/ssl -Wl,-rpath=/root/boringssl/build/crypto -Wl,--enable-new-dtags
----------
----------------------------------------
checking for IP_TRANSPARENT
----------------------------------------
checking for IP_BINDANY
objs/autotest.c: In function 'main':
objs/autotest.c:8:31: error: 'IP_BINDANY' undeclared (first use in this function)
    8 |     setsockopt(0, IPPROTO_IP, IP_BINDANY, NULL, 0);
      |                               ^~~~~~~~~~
objs/autotest.c:8:31: note: each undeclared identifier is reported only once for each function it appears in
----------
#include
#include
#include
#include

int main(void) {
    setsockopt(0, IPPROTO_IP, IP_BINDANY, NULL, 0);
    return 0;
}
----------
cc -I/root/boringssl/include -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -o objs/autotest objs/autotest.c -L/root/boringssl/build/ssl -L/root/boringssl/build/crypto -Wl,-rpath=/root/boringssl/build/ssl -Wl,-rpath=/root/boringssl/build/crypto -Wl,--enable-new-dtags
----------
----------------------------------------
checking for IP_BIND_ADDRESS_NO_PORT
----------------------------------------
checking for IP_RECVDSTADDR
objs/autotest.c: In function 'main':
objs/autotest.c:8:31: error: 'IP_RECVDSTADDR' undeclared (first use in this function); did you mean 'IP_ORIGDSTADDR'?
    8 |     setsockopt(0, IPPROTO_IP, IP_RECVDSTADDR, NULL, 0);
      |                               ^~~~~~~~~~~~~~
      |                               IP_ORIGDSTADDR
objs/autotest.c:8:31: note: each undeclared identifier is reported only once for each function it appears in
----------
#include
#include
#include
#include

int main(void) {
    setsockopt(0, IPPROTO_IP, IP_RECVDSTADDR, NULL, 0);
    return 0;
}
----------
cc -I/root/boringssl/include -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -o objs/autotest objs/autotest.c -L/root/boringssl/build/ssl -L/root/boringssl/build/crypto -Wl,-rpath=/root/boringssl/build/ssl -Wl,-rpath=/root/boringssl/build/crypto -Wl,--enable-new-dtags
----------
----------------------------------------
checking for IP_SENDSRCADDR
objs/autotest.c: In function 'main':
objs/autotest.c:8:31: error: 'IP_SENDSRCADDR' undeclared (first use in this function)
    8 |     setsockopt(0, IPPROTO_IP, IP_SENDSRCADDR, NULL, 0);
      |                               ^~~~~~~~~~~~~~
objs/autotest.c:8:31: note: each undeclared identifier is reported only once for each function it appears in
----------
#include
#include
#include
#include

int main(void) {
    setsockopt(0, IPPROTO_IP, IP_SENDSRCADDR, NULL, 0);
    return 0;
}
----------
cc -I/root/boringssl/include -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -o objs/autotest objs/autotest.c -L/root/boringssl/build/ssl -L/root/boringssl/build/crypto -Wl,-rpath=/root/boringssl/build/ssl -Wl,-rpath=/root/boringssl/build/crypto -Wl,--enable-new-dtags
----------
----------------------------------------
checking for IP_PKTINFO
----------------------------------------
checking for IPV6_RECVPKTINFO
----------------------------------------
checking for IP_MTU_DISCOVER
----------------------------------------
checking for IPV6_MTU_DISCOVER
----------------------------------------
checking for IP_DONTFRAG
objs/autotest.c: In function 'main':
objs/autotest.c:8:31: error: 'IP_DONTFRAG' undeclared (first use in this function); did you mean 'IPV6_DONTFRAG'?
    8 |     setsockopt(0, IPPROTO_IP, IP_DONTFRAG, NULL, 0);
      |                               ^~~~~~~~~~~
      |                               IPV6_DONTFRAG
objs/autotest.c:8:31: note: each undeclared identifier is reported only once for each function it appears in
----------
#include
#include
#include
#include

int main(void) {
    setsockopt(0, IPPROTO_IP, IP_DONTFRAG, NULL, 0);
    return 0;
}
----------
cc -I/root/boringssl/include -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -o objs/autotest objs/autotest.c -L/root/boringssl/build/ssl -L/root/boringssl/build/crypto -Wl,-rpath=/root/boringssl/build/ssl -Wl,-rpath=/root/boringssl/build/crypto -Wl,--enable-new-dtags
----------
----------------------------------------
checking for IPV6_DONTFRAG
----------------------------------------
checking for TCP_DEFER_ACCEPT
----------------------------------------
checking for TCP_KEEPIDLE
----------------------------------------
checking for TCP_FASTOPEN
----------------------------------------
checking for TCP_INFO
----------------------------------------
checking for accept4()
----------------------------------------
checking for int size
----------------------------------------
checking for long size
----------------------------------------
checking for long long size
----------------------------------------
checking for void * size
----------------------------------------
checking for uint32_t
----------------------------------------
checking for uint64_t
----------------------------------------
checking for sig_atomic_t
----------------------------------------
checking for sig_atomic_t size
----------------------------------------
checking for socklen_t
----------------------------------------
checking for in_addr_t
----------------------------------------
checking for in_port_t
----------------------------------------
checking for rlim_t
----------------------------------------
checking for uintptr_t
----------------------------------------
checking for system byte ordering
----------------------------------------
checking for size_t size
----------------------------------------
checking for off_t size
----------------------------------------
checking for time_t size
----------------------------------------
checking for AF_INET6
----------------------------------------
checking for setproctitle()
objs/autotest.c: In function 'main':
objs/autotest.c:7:5: warning: implicit declaration of function 'setproctitle' [-Wimplicit-function-declaration]
    7 |     setproctitle("test");;
      |     ^~~~~~~~~~~~
/usr/bin/ld: /tmp/ccfGBZko.o: in function `main':
autotest.c:(.text+0x14): undefined reference to `setproctitle'
collect2: error: ld returned 1 exit status
----------
#include
#include
#include

int main(void) {
    setproctitle("test");;
    return 0;
}
----------
cc -I/root/boringssl/include -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -o objs/autotest objs/autotest.c -L/root/boringssl/build/ssl -L/root/boringssl/build/crypto -Wl,-rpath=/root/boringssl/build/ssl -Wl,-rpath=/root/boringssl/build/crypto -Wl,--enable-new-dtags
----------
----------------------------------------
checking for pread()
----------------------------------------
checking for pwrite()
----------------------------------------
checking for pwritev()
----------------------------------------
checking for strerrordesc_np()
objs/autotest.c: In function 'main':
objs/autotest.c:7:16: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
    7 |     char *p; p = strerrordesc_np(0);
      |                ^
----------------------------------------
checking for localtime_r()
----------------------------------------
checking for clock_gettime(CLOCK_MONOTONIC)
----------------------------------------
checking for posix_memalign()
----------------------------------------
checking for memalign()
----------------------------------------
checking for mmap(MAP_ANON|MAP_SHARED)
----------------------------------------
checking for mmap("/dev/zero", MAP_SHARED)
----------------------------------------
checking for System V shared memory
----------------------------------------
checking for POSIX semaphores
----------------------------------------
checking for struct msghdr.msg_control
----------------------------------------
checking for ioctl(FIONBIO)
----------------------------------------
checking for ioctl(FIONREAD)
----------------------------------------
checking for struct tm.tm_gmtoff
----------------------------------------
checking for struct dirent.d_namlen
objs/autotest.c: In function 'main':
objs/autotest.c:8:29: error: 'struct dirent' has no member named 'd_namlen'; did you mean 'd_name'?
    8 |     struct dirent dir; dir.d_namlen = 0;
      |                            ^~~~~~~~
      |                            d_name
objs/autotest.c:9:42: error: 'struct dirent' has no member named 'd_namlen'; did you mean 'd_name'?
    9 |     printf("%d", (int) dir.d_namlen);
      |                            ^~~~~~~~
      |                            d_name
----------
#include
#include
#include
#include

int main(void) {
    struct dirent dir; dir.d_namlen = 0;
    printf("%d", (int) dir.d_namlen);
    return 0;
}
----------
cc -I/root/boringssl/include -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -o objs/autotest objs/autotest.c -L/root/boringssl/build/ssl -L/root/boringssl/build/crypto -Wl,-rpath=/root/boringssl/build/ssl -Wl,-rpath=/root/boringssl/build/crypto -Wl,--enable-new-dtags
----------
----------------------------------------
checking for struct dirent.d_type
----------------------------------------
checking for sysconf(_SC_NPROCESSORS_ONLN)
----------------------------------------
checking for sysconf(_SC_LEVEL1_DCACHE_LINESIZE)
----------------------------------------
checking for openat(), fstatat()
----------------------------------------
checking for getaddrinfo()
----------------------------------------
checking for PCRE2 library
objs/autotest.c:5:36: fatal error: pcre2.h: No such file or directory
    5 | #include
      |                                    ^~~~~~~~~
compilation terminated.
----------
#include
#include
#define PCRE2_CODE_UNIT_WIDTH 8
#include

int main(void) {
    pcre2_code *re;
    re = pcre2_compile(NULL, 0, 0, NULL, NULL, NULL);
    if (re == NULL) return 1;
    return 0;
}
----------
cc -I/root/boringssl/include -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -o objs/autotest objs/autotest.c -L/root/boringssl/build/ssl -L/root/boringssl/build/crypto -Wl,-rpath=/root/boringssl/build/ssl -Wl,-rpath=/root/boringssl/build/crypto -Wl,--enable-new-dtags -lpcre2-8
----------
----------------------------------------
checking for PCRE library
----------------------------------------
checking for PCRE JIT support
----------------------------------------
checking for OpenSSL library
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_lib.cc.o):(.data.rel.local.DW.ref.__gxx_personality_v0[DW.ref.__gxx_personality_v0]+0x0): undefined reference to `__gxx_personality_v0'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o): in function `bssl::(anonymous namespace)::ECKeyShare::~ECKeyShare()':
/root/boringssl/ssl/ssl_key_share.cc:41: undefined reference to `operator delete(void*, unsigned long)'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o): in function `bssl::(anonymous namespace)::X25519KeyShare::~X25519KeyShare()':
/root/boringssl/ssl/ssl_key_share.cc:138: undefined reference to `operator delete(void*, unsigned long)'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o): in function `bssl::(anonymous namespace)::X25519Kyber768KeyShare::~X25519Kyber768KeyShare()':
/root/boringssl/ssl/ssl_key_share.cc:194: undefined reference to `operator delete(void*, unsigned long)'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o): in function `bssl::SSLKeyShare::~SSLKeyShare()':
/root/boringssl/ssl/internal.h:1082: undefined reference to `operator delete(void*, unsigned long)'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o):(.data.rel.ro+0x0): undefined reference to `vtable for __cxxabiv1::__si_class_type_info'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o):(.data.rel.ro+0x18): undefined reference to `vtable for __cxxabiv1::__si_class_type_info'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o):(.data.rel.ro+0x30): undefined reference to `vtable for __cxxabiv1::__si_class_type_info'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o):(.data.rel.ro._ZTIN4bssl11SSLKeyShareE[_ZTIN4bssl11SSLKeyShareE]+0x0): undefined reference to `vtable for __cxxabiv1::__class_type_info'
collect2: error: ld returned 1 exit status
----------
#include
#include
#include

int main(void) {
    SSL_CTX_set_options(NULL, 0);
    return 0;
}
----------
cc -I/root/boringssl/include -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -o objs/autotest objs/autotest.c -L/root/boringssl/build/ssl -L/root/boringssl/build/crypto -Wl,-rpath=/root/boringssl/build/ssl -Wl,-rpath=/root/boringssl/build/crypto -Wl,--enable-new-dtags -lssl -lcrypto
----------
----------------------------------------
checking for OpenSSL library in /usr/local/
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_lib.cc.o):(.data.rel.local.DW.ref.__gxx_personality_v0[DW.ref.__gxx_personality_v0]+0x0): undefined reference to `__gxx_personality_v0'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o): in function `bssl::(anonymous namespace)::ECKeyShare::~ECKeyShare()':
/root/boringssl/ssl/ssl_key_share.cc:41: undefined reference to `operator delete(void*, unsigned long)'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o): in function `bssl::(anonymous namespace)::X25519KeyShare::~X25519KeyShare()':
/root/boringssl/ssl/ssl_key_share.cc:138: undefined reference to `operator delete(void*, unsigned long)'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o): in function `bssl::(anonymous namespace)::X25519Kyber768KeyShare::~X25519Kyber768KeyShare()':
/root/boringssl/ssl/ssl_key_share.cc:194: undefined reference to `operator delete(void*, unsigned long)'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o): in function `bssl::SSLKeyShare::~SSLKeyShare()':
/root/boringssl/ssl/internal.h:1082: undefined reference to `operator delete(void*, unsigned long)'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o):(.data.rel.ro+0x0): undefined reference to `vtable for __cxxabiv1::__si_class_type_info'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o):(.data.rel.ro+0x18): undefined reference to `vtable for __cxxabiv1::__si_class_type_info'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o):(.data.rel.ro+0x30): undefined reference to `vtable for __cxxabiv1::__si_class_type_info'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o):(.data.rel.ro._ZTIN4bssl11SSLKeyShareE[_ZTIN4bssl11SSLKeyShareE]+0x0): undefined reference to `vtable for __cxxabiv1::__class_type_info'
collect2: error: ld returned 1 exit status
----------
#include
#include
#include

int main(void) {
    SSL_CTX_set_options(NULL, 0);
    return 0;
}
----------
cc -I/root/boringssl/include -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -I /usr/local/include -o objs/autotest objs/autotest.c -L/root/boringssl/build/ssl -L/root/boringssl/build/crypto -Wl,-rpath=/root/boringssl/build/ssl -Wl,-rpath=/root/boringssl/build/crypto -Wl,--enable-new-dtags -L/usr/local/lib -lssl -lcrypto
----------
----------------------------------------
checking for OpenSSL library in /usr/pkg/
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_lib.cc.o):(.data.rel.local.DW.ref.__gxx_personality_v0[DW.ref.__gxx_personality_v0]+0x0): undefined reference to `__gxx_personality_v0'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o): in function `bssl::(anonymous namespace)::ECKeyShare::~ECKeyShare()':
/root/boringssl/ssl/ssl_key_share.cc:41: undefined reference to `operator delete(void*, unsigned long)'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o): in function `bssl::(anonymous namespace)::X25519KeyShare::~X25519KeyShare()':
/root/boringssl/ssl/ssl_key_share.cc:138: undefined reference to `operator delete(void*, unsigned long)'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o): in function `bssl::(anonymous namespace)::X25519Kyber768KeyShare::~X25519Kyber768KeyShare()':
/root/boringssl/ssl/ssl_key_share.cc:194: undefined reference to `operator delete(void*, unsigned long)'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o): in function `bssl::SSLKeyShare::~SSLKeyShare()':
/root/boringssl/ssl/internal.h:1082: undefined reference to `operator delete(void*, unsigned long)'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o):(.data.rel.ro+0x0): undefined reference to `vtable for __cxxabiv1::__si_class_type_info'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o):(.data.rel.ro+0x18): undefined reference to `vtable for __cxxabiv1::__si_class_type_info'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o):(.data.rel.ro+0x30): undefined reference to `vtable for __cxxabiv1::__si_class_type_info'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o):(.data.rel.ro._ZTIN4bssl11SSLKeyShareE[_ZTIN4bssl11SSLKeyShareE]+0x0): undefined reference to `vtable for __cxxabiv1::__class_type_info'
collect2: error: ld returned 1 exit status
----------
#include
#include
#include

int main(void) {
    SSL_CTX_set_options(NULL, 0);
    return 0;
}
----------
cc -I/root/boringssl/include -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -I /usr/pkg/include -o objs/autotest objs/autotest.c -L/root/boringssl/build/ssl -L/root/boringssl/build/crypto -Wl,-rpath=/root/boringssl/build/ssl -Wl,-rpath=/root/boringssl/build/crypto -Wl,--enable-new-dtags -L/usr/pkg/lib -lssl -lcrypto
----------
----------------------------------------
checking for OpenSSL library in /opt/local/
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_lib.cc.o):(.data.rel.local.DW.ref.__gxx_personality_v0[DW.ref.__gxx_personality_v0]+0x0): undefined reference to `__gxx_personality_v0'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o): in function `bssl::(anonymous namespace)::ECKeyShare::~ECKeyShare()':
/root/boringssl/ssl/ssl_key_share.cc:41: undefined reference to `operator delete(void*, unsigned long)'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o): in function `bssl::(anonymous namespace)::X25519KeyShare::~X25519KeyShare()':
/root/boringssl/ssl/ssl_key_share.cc:138: undefined reference to `operator delete(void*, unsigned long)'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o): in function `bssl::(anonymous namespace)::X25519Kyber768KeyShare::~X25519Kyber768KeyShare()':
/root/boringssl/ssl/ssl_key_share.cc:194: undefined reference to `operator delete(void*, unsigned long)'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o): in function `bssl::SSLKeyShare::~SSLKeyShare()':
/root/boringssl/ssl/internal.h:1082: undefined reference to `operator delete(void*, unsigned long)'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o):(.data.rel.ro+0x0): undefined reference to `vtable for __cxxabiv1::__si_class_type_info'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o):(.data.rel.ro+0x18): undefined reference to `vtable for __cxxabiv1::__si_class_type_info'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o):(.data.rel.ro+0x30): undefined reference to `vtable for __cxxabiv1::__si_class_type_info'
/usr/bin/ld: /root/boringssl/build/ssl/libssl.a(ssl_key_share.cc.o):(.data.rel.ro._ZTIN4bssl11SSLKeyShareE[_ZTIN4bssl11SSLKeyShareE]+0x0): undefined reference to `vtable for __cxxabiv1::__class_type_info'
collect2: error: ld returned 1 exit status
----------
#include
#include
#include

int main(void) {
    SSL_CTX_set_options(NULL, 0);
    return 0;
}
----------
cc -I/root/boringssl/include -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -I /opt/local/include -o objs/autotest objs/autotest.c -L/root/boringssl/build/ssl -L/root/boringssl/build/crypto -Wl,-rpath=/root/boringssl/build/ssl -Wl,-rpath=/root/boringssl/build/crypto -Wl,--enable-new-dtags -L/opt/local/lib -lssl -lcrypto
----------

From pluknet at nginx.com Tue Feb 20 13:58:01 2024
From: pluknet at nginx.com (Sergey Kandaurov)
Date: Tue, 20 Feb 2024 17:58:01 +0400
Subject: Issues building Nginx using boringssl
In-Reply-To:
References:
Message-ID:

> On 20 Feb 2024, at 09:22, 杨金泽 wrote:
>
> Hello,
> I encountered the following error when using boringssl to build Nginx:
> checking for OpenSSL library ... not found
> checking for OpenSSL library in /usr/local/ ... not found
> checking for OpenSSL library in /usr/pkg/ ... not found
> checking for OpenSSL library in /opt/local/ ... not found
> ./auto/configure: error: SSL modules require the OpenSSL library.
> You can either do not enable the modules, or install the OpenSSL library
> into the system, or build the OpenSSL library statically from the source
> with nginx by using --with-openssl= option.

Regardless of a pilot error (trimmed), there is indeed a breaking change
in BoringSSL, which now expects C++ runtime environment in libssl,
see git revision c52806157c97105da7fdc2b021d0a0fcd5186bf3,
which basically means it can no longer be used in pure C programs.
Someday they will hopefully fix that, meanwhile you may want to:
- switch to C++ linker as described in the revision;
- build libssl as a shared library (see BUILDING.md in sources);
- use some other workarounds when linking with BoringSSL statically,
  such as explicit linking with libstdc++/libc++.
--
Sergey Kandaurov

From rttwyjz at gmail.com Wed Feb 21 03:18:53 2024
From: rttwyjz at gmail.com (Jinze YANG)
Date: Wed, 21 Feb 2024 11:18:53 +0800
Subject: Issues building Nginx using boringssl
Message-ID:

Hello,
After I built libssl as a shared library, the compilation could be completed normally, but I encountered some problems after compilation. The details are as follows:

root at VM-8-12-debian /www/server/nginx/sbin # ./nginx -t
./nginx: symbol lookup error: ./nginx: undefined symbol: SSL_library_init
root at VM-8-12-debian /www/server/nginx/sbin # ./nginx -V
nginx version: nginx/1.25.4
built by gcc 12.2.0 (Debian 12.2.0-14)
built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with OpenSSL 3.0.11 19 Sep 2023)
TLS SNI support enabled
configure arguments: --user=www --group=www --prefix=/www/server/nginx --with-pcre --add-module=/root/ngx_brotli --with-http_v2_module --with-stream --with-stream_ssl_module --with-http_ssl_module --with-http_gzip_static_module --with-http_gunzip_module --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_realip_module --with-http_mp4_module --with-ld-opt=-Wl,-E --with-cc-opt=-Wno-error --with-ld-opt=-ljemalloc --with-http_dav_module --with-http_v3_module --with-cc-opt=-I/root/boringssl/include --with-ld-opt='-L/root/boringssl/build/ssl -L/root/boringssl/build/crypto -Wl,-rpath=/root/boringssl/build/ssl -Wl,-rpath=/root/boringssl/build/crypto -Wl,--enable-new-dtags'

> > On 20 Feb 2024, at 09:22, 杨金泽 wrote:
> >
> > Hello,
> > I encountered the following error when using boringssl to build Nginx:
> > checking for OpenSSL library ... not found
> > checking for OpenSSL library in /usr/local/ ... not found
> > checking for OpenSSL library in /usr/pkg/ ... not found
> > checking for OpenSSL library in /opt/local/ ... not found
> > ./auto/configure: error: SSL modules require the OpenSSL library.
> > You can either do not enable the modules, or install the OpenSSL library
> > into the system, or build the OpenSSL library statically from the source
> > with nginx by using --with-openssl= option.
>
> Regardless of a pilot error (trimmed), there is indeed a breaking change
> in BoringSSL, which now expects C++ runtime environment in libssl,
> see git revision c52806157c97105da7fdc2b021d0a0fcd5186bf3,
> which basically means it can no longer be used in pure C programs.
> Someday they will hopefully fix that, meanwhile you may want to:
> - switch to C++ linker as described in the revision;
> - build libssl as a shared library (see BUILDING.md in sources);
> - use some other workarounds when linking with BoringSSL statically,
>   such as explicit linking with libstdc++/libc++.
>
> --
> Sergey Kandaurov

From noloader at gmail.com Wed Feb 21 03:46:33 2024
From: noloader at gmail.com (Jeffrey Walton)
Date: Tue, 20 Feb 2024 22:46:33 -0500
Subject: Issues building Nginx using boringssl
In-Reply-To:
References:
Message-ID:

On Tue, Feb 20, 2024 at 10:19 PM Jinze YANG wrote:
>
> After I built libssl as a shared library, the compilation could be completed normally, but I encountered some problems after compilation.
The details are as follows: > root at VM-8-12-debian /www/server/nginx/sbin # ./nginx -t > ./nginx: symbol lookup error: ./nginx: undefined symbol: SSL_library_init > root at VM-8-12-debian /www/server/nginx/sbin # ./nginx -V > nginx version: nginx/1.25.4 > built by gcc 12.2.0 (Debian 12.2.0-14) > built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with OpenSSL 3.0.11 19 Sep 2023) > TLS SNI support enabled > configure arguments: --user=www --group=www --prefix=/www/server/nginx --with-pcre --add-module=/root/ngx_brotli --with-http_v2_module --with-stream --with-stream_ssl_module --with-http_ssl_module --with-http_gzip_static_module --with-http_gunzip_module --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_realip_module --with-http_mp4_module --with-ld-opt=-Wl,-E --with-cc-opt=-Wno-error --with-ld-opt=-ljemalloc --with-http_dav_module --with-http_v3_module --with-cc-opt=-I/root/boringssl/include --with-ld-opt='-L/root/boringssl/build/ssl -L/root/boringssl/build/crypto -Wl,-rpath=/root/boringssl/build/ssl -Wl,-rpath=/root/boringssl/build/crypto -Wl,--enable-new-dtags' This is kind of interesting in a morbid sort of way: undefined symbol: SSL_library_init That's the old way to initialize OpenSSL. It is available in OpenSSL 1.0.2 and below. Does BoringSSL also use it? Also see . Nowadays you should be initializing OpenSSL with OPENSSL_init_ssl() and possibly OPENSSL_init_crypto(). Does BoringSSL also do it that way nowadays? Also see To see which libraries nginx is loading, issue the following. 
You should see the output detail the libraries you expect from /root/boringssl/build/ssl/libssl.so and /root/boringssl/build/crypto/libcrypto.so (my output is from a distro provided installation): $ ldd $(command -v nginx) linux-vdso.so.1 (0x00007ffc94bf8000) libcrypt.so.2 => /lib64/libcrypt.so.2 (0x00007f05d0e33000) libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007f05d0d98000) libssl.so.3 => /lib64/libssl.so.3 (0x00007f05d0cf5000) libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f05d0800000) libz.so.1 => /lib64/libz.so.1 (0x00007f05d0cdb000) libprofiler.so.0 => /lib64/libprofiler.so.0 (0x00007f05d07e8000) libc.so.6 => /lib64/libc.so.6 (0x00007f05d0606000) libunwind.so.8 => /lib64/libunwind.so.8 (0x00007f05d05ec000) libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f05d0200000) libm.so.6 => /lib64/libm.so.6 (0x00007f05d050b000) libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f05d04e7000) /lib64/ld-linux-x86-64.so.2 (0x00007f05d0fda000) I believe OPENSSL_init_ssl is part of libssl.so. You should be able to verify the symbol is exported: $ nm -D /lib64/libssl.so.3 | grep ' T ' | grep OPENSSL_init 00000000000309d0 T OPENSSL_init_ssl@@OPENSSL_3.0.0 Grepping for the capital ' T ' is important. It means you are grepping for symbols that are defined, and not including undefined symbols: $ nm -D /lib64/libssl.so.3 | grep OPENSSL_init U OPENSSL_init_crypto at OPENSSL_3.0.0 00000000000309d0 T OPENSSL_init_ssl@@OPENSSL_3.0.0 And SSL_library_init is not present because my distro provides OpenSSL 3.0: $ nm -D /lib64/libssl.so.3 | grep SSL_library_init $ So it sounds like BoringSSL is doing something different than modern OpenSSL. Or you are compiling and then runtime linking against different versions of the libraries. 
Jeff

From rttwyjz at gmail.com Wed Feb 21 04:24:25 2024
From: rttwyjz at gmail.com (Jinze YANG)
Date: Wed, 21 Feb 2024 12:24:25 +0800
Subject: Issues building Nginx using boringssl
Message-ID:

Hi Jeff,

You are right, nginx does use different libraries when running, and after I replaced the original library files, nginx returned to normal.

> On Tue, Feb 20, 2024 at 10:19 PM Jinze YANG wrote:
>
>> After I built libssl as a shared library, the compilation could be completed normally, but I encountered some problems after compilation. The details are as follows:
>> root@VM-8-12-debian /www/server/nginx/sbin # ./nginx -t
>> ./nginx: symbol lookup error: ./nginx: undefined symbol: SSL_library_init
>> root@VM-8-12-debian /www/server/nginx/sbin # ./nginx -V
>> nginx version: nginx/1.25.4
>> built by gcc 12.2.0 (Debian 12.2.0-14)
>> built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with OpenSSL 3.0.11 19 Sep 2023)
>> TLS SNI support enabled
>> configure arguments: --user=www --group=www --prefix=/www/server/nginx --with-pcre --add-module=/root/ngx_brotli --with-http_v2_module --with-stream --with-stream_ssl_module --with-http_ssl_module --with-http_gzip_static_module --with-http_gunzip_module --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_realip_module --with-http_mp4_module --with-ld-opt=-Wl,-E --with-cc-opt=-Wno-error --with-ld-opt=-ljemalloc --with-http_dav_module --with-http_v3_module --with-cc-opt=-I/root/boringssl/include --with-ld-opt='-L/root/boringssl/build/ssl -L/root/boringssl/build/crypto -Wl,-rpath=/root/boringssl/build/ssl -Wl,-rpath=/root/boringssl/build/crypto -Wl,--enable-new-dtags'
>
> This is kind of interesting in a morbid sort of way:
>
>     undefined symbol: SSL_library_init
>
> That's the old way to initialize OpenSSL. It is available in OpenSSL 1.0.2 and below. Does BoringSSL also use it? Also see .
>
> Nowadays you should be initializing OpenSSL with OPENSSL_init_ssl() and possibly OPENSSL_init_crypto(). Does BoringSSL also do it that way nowadays? Also see
>
> To see which libraries nginx is loading, issue the following. You should see the output detail the libraries you expect from /root/boringssl/build/ssl/libssl.so and /root/boringssl/build/crypto/libcrypto.so (my output is from a distro provided installation):
>
>     $ ldd $(command -v nginx)
>         linux-vdso.so.1 (0x00007ffc94bf8000)
>         libcrypt.so.2 => /lib64/libcrypt.so.2 (0x00007f05d0e33000)
>         libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007f05d0d98000)
>         libssl.so.3 => /lib64/libssl.so.3 (0x00007f05d0cf5000)
>         libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f05d0800000)
>         libz.so.1 => /lib64/libz.so.1 (0x00007f05d0cdb000)
>         libprofiler.so.0 => /lib64/libprofiler.so.0 (0x00007f05d07e8000)
>         libc.so.6 => /lib64/libc.so.6 (0x00007f05d0606000)
>         libunwind.so.8 => /lib64/libunwind.so.8 (0x00007f05d05ec000)
>         libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f05d0200000)
>         libm.so.6 => /lib64/libm.so.6 (0x00007f05d050b000)
>         libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f05d04e7000)
>         /lib64/ld-linux-x86-64.so.2 (0x00007f05d0fda000)
>
> I believe OPENSSL_init_ssl is part of libssl.so. You should be able to verify the symbol is exported:
>
>     $ nm -D /lib64/libssl.so.3 | grep ' T ' | grep OPENSSL_init
>     00000000000309d0 T OPENSSL_init_ssl@@OPENSSL_3.0.0
>
> Grepping for the capital ' T ' is important. It means you are grepping for symbols that are defined, and not including undefined symbols:
>
>     $ nm -D /lib64/libssl.so.3 | grep OPENSSL_init
>                      U OPENSSL_init_crypto@OPENSSL_3.0.0
>     00000000000309d0 T OPENSSL_init_ssl@@OPENSSL_3.0.0
>
> And SSL_library_init is not present because my distro provides OpenSSL 3.0:
>
>     $ nm -D /lib64/libssl.so.3 | grep SSL_library_init
>     $
>
> So it sounds like BoringSSL is doing something different than modern OpenSSL. Or you are compiling and then runtime linking against different versions of the libraries.
>
> Jeff
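Jeff's two checks, which libssl/libcrypto the binary actually resolves at run time (ldd) and whether the needed symbol is defined there (nm -D, type 'T') rather than merely referenced ('U'), can be scripted. The following is an added example written for this thread, not code from the list, nginx or BoringSSL; it parses the text output of `ldd <binary>` and `nm -D <libssl>`, and the embedded sample outputs are constructed to mirror Jinze's situation (the /root/boringssl/build paths are the ones from his configure arguments).

```python
import subprocess


def parse_ldd(text):
    """Map each 'soname => path' line of ldd output to its resolved path;
    lines without '=>' (the vdso, the loader itself) are skipped."""
    libs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "=>":
            libs[parts[0]] = parts[2]
    return libs


def parse_nm_dynamic(text):
    """Map symbol name -> nm type letter from 'nm -D' output ('T' defined in
    .text, 'U' undefined/imported); version tags like '@@OPENSSL_3.0.0' are cut."""
    syms = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:        # address  type  name
            kind, name = parts[1], parts[2]
        elif len(parts) == 2:      # type  name  (undefined symbols carry no address)
            kind, name = parts
        else:
            continue
        syms[name.split("@")[0]] = kind
    return syms


def check_linkage(ldd_text, expected_prefixes, nm_text, required):
    """Return findings; an empty list means the TLS libraries resolve where
    expected and every required symbol is defined (type T) in that libssl."""
    findings = []
    for soname, path in parse_ldd(ldd_text).items():
        if soname.startswith(("libssl.", "libcrypto.")) and \
                not path.startswith(tuple(expected_prefixes)):
            findings.append(f"{soname} resolved to {path}, not under "
                            + " or ".join(expected_prefixes))
    syms = parse_nm_dynamic(nm_text)
    for sym in required:
        kind = syms.get(sym)
        if kind is None:
            findings.append(f"{sym}: not present in the dynamic symbol table")
        elif kind != "T":
            findings.append(f"{sym}: referenced but not defined (nm type {kind})")
    return findings


def check_binary(binary, expected_prefixes, required):
    """Live variant: ldd on the binary, then nm -D on the libssl it resolves."""
    ldd_out = subprocess.run(["ldd", binary], capture_output=True, text=True).stdout
    libssl = next((p for s, p in parse_ldd(ldd_out).items() if s.startswith("libssl.")), None)
    nm_out = subprocess.run(["nm", "-D", libssl], capture_output=True,
                            text=True).stdout if libssl else ""
    return check_linkage(ldd_out, expected_prefixes, nm_out, required)


# Constructed samples. The first pair mirrors the thread: the loader picked the
# distro's OpenSSL 3 although the binary was compiled against BoringSSL headers.
SAMPLE_LDD_DISTRO = """\
        linux-vdso.so.1 (0x00007ffc94bf8000)
        libssl.so.3 => /lib64/libssl.so.3 (0x00007f05d0cf5000)
        libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f05d0800000)
"""
SAMPLE_NM_DISTRO = """\
                 U OPENSSL_init_crypto@OPENSSL_3.0.0
00000000000309d0 T OPENSSL_init_ssl@@OPENSSL_3.0.0
"""
# The second (constructed) pair is the intended outcome: the shared libraries
# from the rpath, with both entry points defined.
SAMPLE_LDD_BORING = """\
        libssl.so => /root/boringssl/build/ssl/libssl.so (0x00007f1000000000)
        libcrypto.so => /root/boringssl/build/crypto/libcrypto.so (0x00007f1000100000)
"""
SAMPLE_NM_BORING = """\
0000000000040000 T OPENSSL_init_ssl
0000000000040010 T SSL_library_init
"""
BORINGSSL_PREFIXES = ("/root/boringssl/build/",)
REQUIRED = ("OPENSSL_init_ssl", "SSL_library_init")
```

`check_binary("/www/server/nginx/sbin/nginx", BORINGSSL_PREFIXES, REQUIRED)` runs the same checks against a real binary and needs binutils on the host.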
From jordanc.carter at outlook.com Wed Feb 21 17:45:52 2024
From: jordanc.carter at outlook.com (J Carter)
Date: Wed, 21 Feb 2024 17:45:52 +0000
Subject: NGINX Reverse Proxy terminate TCP connection after 5 minutes of inactivity
In-Reply-To:
References:
Message-ID:

Hello,

On Tue, 20 Feb 2024 11:57:27 +0800
Kin Seng wrote:

> Hi J Carter,
>
> Thank you for your reply.
> I am capturing the packet from firewall, and the filtering is as per below
> for the previously attached pcap.

I see, I assumed you had run tcpdump on the nginx host. I'd recommend doing that too then (as well as client app host) if you have a network firewall in the mix - to see what nginx itself truly sends/receives.

> Source : client app -- Dest : nginx proxy , any port to any port
>
> Source : public server -- Dest : nginx proxy , any port to any port
>
> Source : nginx proxy -- Dest : client app , any port to any port
>
> Source : nginx proxy -- Dest : public server , any port to any port.
>

It shouldn't be missing such data then - although again, this may be specific to the firewall itself.

> Perhaps I will try to do tcpdump from the client app as well.
>
> One more info that I notice from client app host, from the netstat command,
> it shows CLOSE_WAIT for the terminated session, it seems like close_wait is
> the symbol that the closing is from external ( in this case client app is
> connect to nginx proxy), is this right?

close_wait on client would indicate that the other party initiated connection close (sent the first FIN) - again, firewall makes me more skeptical, as it can have its own timers for closing tcp connection / its own logic.

From robertodmaggi at gmail.com Mon Feb 26 08:55:10 2024
From: robertodmaggi at gmail.com (Roberto D. Maggi)
Date: Mon, 26 Feb 2024 09:55:10 +0100
Subject: location {} access_log off -> no such file or directory
Message-ID: <2b92f506-69dd-41f5-bd0c-f442fdfee75c@gmail.com>

Hi you all,

I'm trying to improve the reverse proxy's virtual hosts' configuration files of my company, but I'm facing an issue that I can't understand:

In the "location / " block I inserted these lines

    location ~* ^.+\.(eot|otf|woff|woff2|ttf|rss|atom|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
        access_log off; log_not_found off; expires max;
    }

and everything's fine,

    ==> /var/log/nginx/MYSITEcom.access.log <==
    172.18.0.1 - - [26/Feb/2024:08:36:44 +0000] "GET /wp-content/themes/MYSITE/images/back-numbers.png HTTP/1.1" 200 264666 "https://www.MYSITE.com/wp-content/themes/MYSITE/css/style.css?ver=5.6.1" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"

it doesn't log the GETs to these extensions and so on, but when I put the following lines,

    location ~* \.(?:css|js)$ {
        expires 1y;
        access_log off;
        add_header Cache-Control "public";
    }

the site changes aspect and logs are filled with "no such file or directory"

    ==> /var/log/nginx/MYSITE.com.error.log <==
    2024/02/26 08:34:46 [error] 107#107: *336 open() "/etc/nginx/html/wp-content/themes/MYSITE/webfonts/Roboto-Regular.ttf" failed (2: No such file or directory), client: 172.18.0.1, server: www.MYSITE.com, request: "GET /wp-content/themes/MYSITE/webfonts/Roboto-Regular.ttf HTTP/1.1", host: "www.MYSITE.com", referrer: "https://www.MYSITE.com/wp-content/themes/MYSITE/css/style.css?ver=5.6.1"

It looks like it changes, some way, the root directory, but being reverse proxies I didn't set it up.

Here below you can find the virtual host conf file.
Thanks in advance for every suggestion

Rob

    ##################
    ## plain http
    ##################
    server {
        listen 80;
        server_name MYSITE.com;
        return 301 https://www.$server_name$request_uri;
    }

    server {
        listen 80;
        server_name www.MYSITE.com;
        return 301 https://$server_name$request_uri;
    }

    ##################
    ## ciphered https
    ##################
    server {
        # SRV NAME
        listen 443 ssl;
        server_name MYSITE.com;
        return 301 https://www.$server_name$request_uri;

        # TLS
        ssl_certificate /etc/ssl/websites/www.MYSITE.com/www.MYSITE.com.crt;   # --> remember to append the bundle to the crt <--
        ssl_certificate_key /etc/ssl/websites/www.MYSITE.com/www.MYSITE.com.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers on;
    }

    server {
        # SRV NAME
        listen 443 ssl;
        server_name www.MYSITE.com;

        # TLS
        ssl_certificate /etc/ssl/websites/www.MYSITE.com/www.MYSITE.com.crt;   # --> remember to append the bundle to the crt <--
        ssl_certificate_key /etc/ssl/websites/www.MYSITE.com/www.MYSITE.com.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers on;

        access_log /var/log/nginx/MYSITE.com.access.log;
        error_log /var/log/nginx/MYSITE.com.error.log;

        # OCSP stapling
        ssl_stapling on;
        ssl_stapling_verify on;

        # Security Headers
        fastcgi_hide_header X-Powered-By;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Set-Cookie "Path=/; HttpOnly; Secure";
        add_header Cache-Control 'no-store, no-cache';
        # config to enable HSTS(HTTP Strict Transport Security)
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header Content-Security-Policy "script-src 'self' *.youtube.com maps.gstatic.com *.googleapis.com *.google-analytics.com cdnjs.cloudflare.com assets.zendesk.com connect.facebook.net; frame-src 'self' *.youtube.com assets.zendesk.com *.facebook.com s-static.ak.facebook.com tautt.zendesk.com; object-src 'self'; default-src 'self'; frame-ancestors 'self'; form-action 'self'";

        # header and cache expiration
        expires epoch;

        # security
        #Authentication auth_basic "Authentication required";
        #Authentication auth_basic_user_file /etc/nginx/.htpasswd;

        location / {
            proxy_pass https://MYSITE.portals:97/ ;
            # in case of a redirect to a URI !=
            # proxy_ssl_verify is disabled
            # include proxy_params;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_read_timeout 900;
            proxy_headers_hash_max_size 512;
            proxy_headers_hash_bucket_size 128;
            proxy_ssl_verify off;   # disabled because we do not have the CA.pem
            proxy_ssl_trusted_certificate /etc/ssl/websites/MYSITE.com/MYSITE.com.ca-bundle;
            proxy_ssl_verify_depth 2;
            proxy_ssl_session_reuse on;
            proxy_ssl_name $proxy_host;

            ##########################
            #
            # THESE BLOCKS WORK FINE
            #
            ##########################
            # Directives to send expires headers and turn off 404 error logging.
            location ~* ^.+\.(eot|otf|woff|woff2|ttf|rss|atom|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
                access_log off; log_not_found off; expires max;
            }

            location ~* \.(?:cgi|shtml|phtml|php)$ {
                add_header Cache-Control "public";
                client_max_body_size 0;
                chunked_transfer_encoding on;
            }

            ##########################
            #
            # THESE BLOCKS BREAK ALL
            #
            ##########################
            # # Media: images, icons, video, audio send expires headers
            # location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm)$ {
            #     expires 1M;
            #     access_log off;
            #     add_header Cache-Control "public";
            # }

            # Web fonts send expires headers
            # location ~* \.(?:eot|otf|ttf|woff|woff2)$ {
            #     expires 3M;
            #     access_log off;
            #     add_header Cache-Control "public";
            # }

            # # HTML send expires headers.
            # location ~* \.(html)$ {
            #     expires 7d;
            #     access_log off;
            #     add_header Cache-Control "public";
            # }

            # Browser caching of static assets.
            # location ~* \.(jpg|jpeg|png|gif|ico|css|js|pdf)$ {
            #     expires 7d;
            #     add_header Cache-Control "public, no-transform";
            # }

            # CSS and Javascript send expires headers.
            # location ~* \.(?:css|js)$ {
            #     expires 1y;
            #     access_log off;
            #     add_header Cache-Control "public";
            # }
        }

        # Enable Gzip compression in NGINX.
        gzip on;
        gzip_disable "msie6";
        gzip_static on;
        gzip_vary on;
        gzip_proxied any;
        gzip_comp_level 6;
        gzip_min_length 512;
        gzip_buffers 16 8k;
        gzip_http_version 1.1;
        gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/rss+xml text/javascript image/svg+xml font/truetype application/x-font-ttf text/x-component font/opentype application/vnd.ms-fontobject;

        location ~ [^/]\.php(/|$) {
            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            if (!-f $document_root$fastcgi_script_name) {
                return 404;
            }
            # Mitigate https://httpoxy.org/vulnerabilities
            fastcgi_param HTTP_PROXY "";
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            # include the fastcgi_param setting
            include fastcgi_params;
            # SCRIPT_FILENAME parameter is used for PHP FPM determining
            # the script name. If it is not set in fastcgi_params file,
            # i.e. /etc/nginx/fastcgi_params or in the parent contexts,
            # please comment off following line:
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

            location ~ \wp-login.php$ {
                allow 192.168.0.0/16;
                deny all;
                include fastcgi.conf;
                fastcgi_intercept_errors on;
                fastcgi_pass unix:/var/run/appname.sock;
            }
            include fastcgi.conf;
            fastcgi_intercept_errors on;
            #fastcgi_pass unix:/var/run/appname.sock;
        }

        location = /robots.txt {
            add_header Content-Type text/plain;
            return 200 "User-agent: *\nDisallow: /\n";
        }
    }

From ckinseng at gmail.com Mon Feb 26 11:57:56 2024
From: ckinseng at gmail.com (Kin Seng)
Date: Mon, 26 Feb 2024 19:57:56 +0800
Subject: NGINX Reverse Proxy terminate TCP connection after 5 minutes of inactivity
In-Reply-To:
References:
Message-ID:

Hi J Carter,

Thank you so much for your suggestions. I did tcpdump concurrently on both the nginx and client app hosts as well and was able to find out that the F5 device in between is sending out RST to both sides. Now I am able to exclude Nginx's configuration as part of the investigation.
On Thu, Feb 22, 2024 at 1:46 AM J Carter wrote:

> Hello,
>
> On Tue, 20 Feb 2024 11:57:27 +0800
> Kin Seng wrote:
>
> > Hi J Carter,
> >
> > Thank you for your reply.
> > I am capturing the packet from firewall, and the filtering is as per below
> > for the previously attached pcap.
>
> I see, I assumed you had run tcpdump on the nginx
> host. I'd recommend doing that too then (as well as client app host) if
> you have a network firewall in the mix - to see what nginx itself
> truly sends/receives.
>
> > Source : client app -- Dest : nginx proxy , any port to any port
> >
> > Source : public server -- Dest : nginx proxy , any port to any port
> >
> > Source : nginx proxy -- Dest : client app , any port to any port
> >
> > Source : nginx proxy -- Dest : public server , any port to any port.
> >
>
> It shouldn't be missing such data then - although again, this may be
> specific to the firewall itself.
>
> > Perhaps I will try to do tcpdump from the client app as well.
> >
> > One more info that I notice from client app host, from the netstat command,
> > it shows CLOSE_WAIT for the terminated session, it seems like close_wait is
> > the symbol that the closing is from external ( in this case client app is
> > connect to nginx proxy), is this right?
>
> close_wait on client would indicate that the other party initiated
> connection close (sent the first FIN) - again, firewall makes me more
> skeptical, as it can have its own timers for closing tcp connection /
> its own logic.
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx
>
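As an added example (not code from the list), the following script applies J Carter's advice to capture on both the nginx host and the client host: it finds the first FIN or RST in each capture and, since a host's own capture is authoritative for what that host actually sent, tells a genuine close by one end apart from a teardown injected by a device in between, which is what Kin Seng found with the F5. The tcpdump lines and the 10.0.0.5 / 10.0.1.10 addresses are constructed.

```python
import re
from collections import namedtuple

Segment = namedtuple("Segment", "ts src dst flags")
# One 'tcpdump -n' TCP line, e.g.
#   12:10:00.000400 IP 10.0.0.5.51234 > 10.0.1.10.8443: Flags [R.], seq 2, ...
TCPDUMP_LINE = re.compile(r"^(\S+) IP (\S+) > (\S+): Flags \[([^\]]*)\]")


def parse_tcpdump(text):
    """Parse the TCP lines of tcpdump text output; a single flow is assumed."""
    return [Segment(*m.groups()) for m in
            (TCPDUMP_LINE.match(line.strip()) for line in text.splitlines()) if m]


def first_teardown(segs):
    """First segment carrying RST or FIN as ('RST'|'FIN', Segment), else None."""
    for s in segs:
        if "R" in s.flags:
            return ("RST", s)
        if "F" in s.flags:
            return ("FIN", s)
    return None


def _sender(seg, nginx_ip, client_ip):
    host = seg.src.rsplit(".", 1)[0]          # "ip.port" -> "ip"
    return {nginx_ip: "nginx", client_ip: "client"}.get(host, "other")


def locate_close(nginx_capture, client_capture, nginx_ip, client_ip):
    """Combine a capture taken on the nginx host with one taken on the client
    host. A host's own capture is authoritative for what that host sent; a
    client socket in CLOSE_WAIT only proves it *received* a FIN, not who sent
    it. Returns (verdict, kind) with verdict in 'nginx', 'client', 'injected',
    'none' or 'inconsistent'."""
    on_nginx = first_teardown(parse_tcpdump(nginx_capture))
    on_client = first_teardown(parse_tcpdump(client_capture))
    if on_nginx is None and on_client is None:
        return ("none", None)
    kind = (on_nginx or on_client)[0]
    seen_n = _sender(on_nginx[1], nginx_ip, client_ip) if on_nginx else None
    seen_c = _sender(on_client[1], nginx_ip, client_ip) if on_client else None
    if seen_n == "nginx" and seen_c in ("nginx", None):
        return ("nginx", kind)              # nginx really sent the first FIN/RST
    if seen_c == "client" and seen_n in ("client", None):
        return ("client", kind)             # the client really sent it
    if seen_n in ("client", None) and seen_c in ("nginx", None):
        # Each side saw the teardown arrive "from the peer", yet the peer's own
        # capture never shows it leaving: a middlebox spoofed it to both ends.
        return ("injected", kind)
    return ("inconsistent", kind)


# Constructed captures for one flow, client 10.0.0.5 -> nginx 10.0.1.10:8443.
HANDSHAKE = """\
12:05:00.000100 IP 10.0.0.5.51234 > 10.0.1.10.8443: Flags [S], seq 1, win 64240, length 0
12:05:00.000200 IP 10.0.1.10.8443 > 10.0.0.5.51234: Flags [S.], seq 900, ack 2, win 65160, length 0
12:05:00.000300 IP 10.0.0.5.51234 > 10.0.1.10.8443: Flags [.], ack 901, win 502, length 0
"""
# Five minutes idle, then each host sees an RST that claims to come from the peer.
NGINX_SIDE = HANDSHAKE + \
    "12:10:00.000400 IP 10.0.0.5.51234 > 10.0.1.10.8443: Flags [R.], seq 2, ack 901, win 0, length 0\n"
CLIENT_SIDE = HANDSHAKE + \
    "12:10:00.000400 IP 10.0.1.10.8443 > 10.0.0.5.51234: Flags [R.], seq 901, ack 2, win 0, length 0\n"
# Contrast: a genuine server-side close, seen leaving nginx and arriving at the client.
NGINX_FIN = "12:10:00.000400 IP 10.0.1.10.8443 > 10.0.0.5.51234: Flags [F.], seq 901, ack 2, win 501, length 0\n"
NGINX_SIDE_FIN = HANDSHAKE + NGINX_FIN
CLIENT_SIDE_FIN = HANDSHAKE + NGINX_FIN
```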
From jordanc.carter at outlook.com Wed Feb 28 17:35:01 2024
From: jordanc.carter at outlook.com (J Carter)
Date: Wed, 28 Feb 2024 17:35:01 +0000
Subject: location {} access_log off -> no such file or directory
In-Reply-To: <2b92f506-69dd-41f5-bd0c-f442fdfee75c@gmail.com>
References: <2b92f506-69dd-41f5-bd0c-f442fdfee75c@gmail.com>
Message-ID:

Hello,

On Mon, 26 Feb 2024 09:55:10 +0100
"Roberto D. Maggi" wrote:

> Hi you all,
>
> I'm trying to improve the reverse proxy's virtual hosts' configuration
> files of my company,
>
> but I'm facing an issue that I can't understand:
>
>
> In the "location / " block I inserted these lines
>
> location ~*
> ^.+\.(eot|otf|woff|woff2|ttf|rss|atom|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$
> {
> access_log off; log_not_found off; expires max;
> }
>
> and everything's fine,
>
> ==> /var/log/nginx/MYSITEcom.access.log <==
>
> 172.18.0.1 - - [26/Feb/2024:08:36:44 +0000] "GET
> /wp-content/themes/MYSITE/images/back-numbers.png HTTP/1.1" 200 264666
> "https://www.MYSITE.com/wp-content/themes/MYSITE/css/style.css?ver=5.6.1"
> "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)
> Chrome/122.0.0.0 Safari/537.36"
>
> it doesn't log the GETs to these extensions and so on, but when I put the
> following lines,
>
> location ~* \.(?:css|js)$ {
> expires 1y;
> access_log off;
> add_header Cache-Control "public";
> }
>
> the site changes aspect and logs are filled with "no such file or directory"
>
> ==> /var/log/nginx/MYSITE.com.error.log <==
> 2024/02/26 08:34:46 [error] 107#107: *336 open()
> "/etc/nginx/html/wp-content/themes/MYSITE/webfonts/Roboto-Regular.ttf"
> failed (2: No such file or directory), client: 172.18.0.1, server:
> www.MYSITE.com, request: "GET
> /wp-content/themes/MYSITE/webfonts/Roboto-Regular.ttf HTTP/1.1", host:
> "www.MYSITE.com", referrer:
> "https://www.MYSITE.com/wp-content/themes/MYSITE/css/style.css?ver=5.6.1"
>
> It looks like it changes, some way, the root directory, but being
> reverse proxies I didn't set it up.
>
>
> Here below you can find the virtual host conf file.
>
> Thanks in advance for every suggestion
>
> Rob
>

Nested locations don't inherit the proxy_pass directive, you still need to repeat that in there, like this:

    location ~* \.(?:css|js)$ {
        expires 1y;
        access_log off;
        add_header Cache-Control "public";
        proxy_pass https://MYSITE.portals:97/;
    }

From tacodewolff at gmail.com Thu Feb 29 00:45:37 2024
From: tacodewolff at gmail.com (Taco de Wolff)
Date: Wed, 28 Feb 2024 21:45:37 -0300
Subject: ssl_reject_handshake breaks other server blocks
Message-ID:

Hi,

I've noticed at least in 1.24.0 and 1.25.4 that adding an ssl_reject_handshake to the default server breaks SNI for other servers. Example:

```
server {
    server_name _;
    listen 80 default_server;
    listen 443 default_server ssl;
    listen 443 default_server quic reuseport;
    listen [::]:80 default_server;
    listen [::]:443 default_server ssl;
    listen [::]:443 default_server quic reuseport;
    http2 on;

    # SSL
    ssl_certificate /etc/pki/lego/certificates/server.crt;
    ssl_certificate_key /etc/pki/lego/certificates/server.key;
    ssl_trusted_certificate /etc/pki/lego/certificates/server.crt;

    ssl_reject_handshake on;
    return 444;
}

server {
    server_name domain.com;
    listen 443 ssl;
    listen 443 quic;
    listen [::]:443 ssl;
    listen [::]:443 quic;
    http2 on;

    root /srv/www/html;

    # SSL
    ssl_certificate /etc/pki/lego/certificates/server.crt;
    ssl_certificate_key /etc/pki/lego/certificates/server.key;
    ssl_trusted_certificate /etc/pki/lego/certificates/server.crt;

    location / {
        try_files /index.html =404;
    }
}
```

There are two remarks for this example:

- While enabling HTTP/3 I had to add the ssl_certificate lines to the default server, while using solely HTTP/2 this wasn't necessary. It will throw an error on trying to start Nginx, is that a bug?
- The ssl_reject_handshake in the default server will prevent proper SNI matching for domain.com. If I run `curl https://domain.com/` it works fine, but `curl -k -H 'Host: domain.com' https://ipaddress-of-server/` does not. When I remove ssl_reject_handshake it works as expected.

My intent is to have a default server that responds to non-existing domain names. Preferably it responds with 444, but requests over TLS (such as old domain names with HSTS) will throw a security warning that the server's certificates don't match the request's virtual host's domain name (as expected). Instead of showing a security warning in the browser I prefer a connection error, which is why I want to employ ssl_reject_handshake.

Kind regards,
Taco de Wolff
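Returning to the "location {} access_log off" thread above, where J Carter pointed out that nested locations do not inherit proxy_pass: the following is an added lint script (not code from the list or from nginx) that parses an nginx server block and reports every location nested inside a proxying location that has no handler of its own, together with the parent's proxy_pass value to repeat there. The embedded config is constructed from Roberto's (MYSITE.portals:97 is his placeholder upstream), and the small tokenizer does not handle regex arguments that contain braces.

```python
import re

# Tokens: a comment, a quoted string, a structural character, or a bare word.
# Regex arguments that contain braces themselves ({2,3}) are not supported.
TOKEN = re.compile(r'#[^\n]*|"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'|[{};]|[^\s{};"\']+')

# Directives that give a location a content handler (or a deliberate static root).
HANDLERS = {"proxy_pass", "fastcgi_pass", "uwsgi_pass", "scgi_pass", "grpc_pass",
            "return", "root", "alias", "try_files"}


def tokenize(text):
    """Token list with comments dropped."""
    return [t for t in TOKEN.findall(text) if not t.startswith("#")]


def parse(tokens):
    """Build a tree of (name, args, children); children is None for a simple
    directive and a (possibly empty) list for a block."""
    stack, current = [[]], []
    for tok in tokens:
        if tok == ";":
            if current:
                stack[-1].append((current[0], current[1:], None))
            current = []
        elif tok == "{":
            block = (current[0], current[1:], [])
            stack[-1].append(block)
            stack.append(block[2])
            current = []
        elif tok == "}":
            stack.pop()
        else:
            current.append(tok)
    return stack[0]


def _directive(children, name):
    """Joined arguments of the first simple directive `name` in a block, or None."""
    return next((" ".join(a) for n, a, k in children if k is None and n == name), None)


def lint_nested_locations(entries, parent_proxy=None):
    """Return [(nested_location, parent_proxy_pass)] for each location inside a
    proxying location that has no handler of its own: proxy_pass is not
    inherited, so nginx serves such requests from the default root instead."""
    problems = []
    for name, args, children in entries:
        if children is None:
            continue
        has_handler = any(k is None and n in HANDLERS for n, _, k in children)
        if name == "location" and parent_proxy and not has_handler:
            problems.append(("location " + " ".join(args), parent_proxy))
        inherit = _directive(children, "proxy_pass") if name == "location" else parent_proxy
        problems.extend(lint_nested_locations(children, inherit))
    return problems


# Constructed config reduced from the thread. The css/js block is the one that
# broke the site; the image block repeats proxy_pass as J Carter suggested.
SAMPLE = r"""
server {
    server_name www.MYSITE.com;
    location / {
        proxy_pass https://MYSITE.portals:97/;
        location ~* \.(?:css|js)$ {            # no handler: falls back to root
            expires 1y; access_log off;
            add_header Cache-Control "public";
        }
        location ~* \.(?:jpg|jpeg|png|gif)$ {  # fixed: proxy_pass repeated
            expires 1M; access_log off;
            proxy_pass https://MYSITE.portals:97/;
        }
    }
    location = /robots.txt {
        return 200 "User-agent: *\nDisallow: /\n";
    }
}
"""
```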