Re: Default SSL certificate for clients without SNI
In a message dated Wed, 11 June 2014 11:45:01, user Bogdan wrote:

> Good afternoon.
> There are several certificates on one address (different server blocks on one port).
> How can I set the certificate that will be used when talking to clients that do not support SNI?

By declaring it in the default ssl vhost.

> Nginx 0.7.67

It is also advisable to upgrade to a current version, IMHO.

> Thanks.
> --
> WBR, Bogdan B. Rudas

--
Best regards,
mva

___
nginx-ru mailing list
nginx-ru@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-ru
Status Reading became zero
Hello.

I upgraded nginx from version 0.7.67 to version 1.6.0. Visually everything seems to work; the only thing that bothers me is that Reading in the status became 0, and I never see any other value there. I understand that I jumped over many versions; maybe there was some global change in how Reading is counted that I missed?

Thanks.

Posted at Nginx Forum: http://forum.nginx.org/read.php?21,250787,250787#msg-250787
Re: Status Reading became zero
On Wednesday 11 June 2014 05:32:25 sahe123 wrote:

> Hello.
> I upgraded nginx from version 0.7.67 to version 1.6.0. Visually everything seems to work; the only thing that bothers me is that Reading in the status became 0, and I never see any other value there. I understand that I jumped over many versions; maybe there was some global change in how Reading is counted that I missed?
> Thanks.

http://hg.nginx.org/nginx/rev/d346adac0462

--
Валентин Бартенев
Re: Status Reading became zero
That is what I thought, after I tried telnet localhost 80 (reading did not change) and the value increased after GET / HTTP/1.1.

Thanks for the answer!

Posted at Nginx Forum: http://forum.nginx.org/read.php?21,250787,250789#msg-250789
Re: Status Reading became zero
Валентин Бартенев Wrote:
---
> > Visually everything seems to work; the only thing that bothers me is that Reading in the status became 0.
>
> http://hg.nginx.org/nginx/rev/d346adac0462

Валентин, could the number of accepted (and, accordingly, handled) connections in the same statistics decrease for the same reason?

Posted at Nginx Forum: http://forum.nginx.org/read.php?21,250787,250799#msg-250799
Re: On one little-known vulnerability in web sites
Hello!

On Wed, Jun 11, 2014 at 02:25:38PM +0300, Gena Makhomed wrote:

> On 11.06.2014 13:42, Валентин Бартенев wrote:
>
> http://habrahabr.ru/post/166855/
>
> The only correct way: go to the IETF with a proposal to fix the relevant RFCs, which among other things specify what should be done when several Host headers are received, and only then come here.
>
> http://tools.ietf.org/html/rfc7230#section-5.4
>
> When a proxy receives a request with an absolute-form of request-target, the proxy MUST ignore the received Host header field (if any) and instead replace it with the host information of the request-target. A proxy that forwards such a request MUST generate a new Host field-value based on the received request-target rather than forward the received Host field-value.
>
> Referer: http://www.opennet.ru/opennews/art.shtml?num=39956
>
> It is not quite clear what you wanted to say with this quote. Just in case: nginx is not a proxy in the terminology of that same RFC 7230.
>
> Ok.
>
> http://tools.ietf.org/html/rfc7230#section-5.4
>
> A server MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request message that lacks a Host header field and to any request message that contains more than one Host header field or a Host header field with an invalid field-value.
>
> invalid field-value: this includes the case when the client does not fulfil the requirements set out above in the same document:
>
> A client MUST send a Host header field in all HTTP/1.1 request messages. If the target URI includes an authority component, then a client MUST send a field-value for Host that is identical to that authority component, excluding any userinfo subcomponent and its @ delimiter (Section 2.7.1).

If we proceed from such an interpretation of the term invalid field-value, then the previously quoted requirement about "the proxy MUST ignore the received Host header..." and so on makes no sense.

I'll just leave this link here: http://lurkmore.to/Взаимоисключающие_параграфы

--
Maxim Dounin
http://nginx.org/
Re: On one little-known vulnerability in web sites
I don't see what the problem is; purely by intuition I have long been using:

    # Add default fake server
    include //default_server.conf;

where default_server.conf is:

    server {
        listen *:80 default_server;
        server_name _;
        return 403;
    }

2014-06-11 15:25 GMT+04:00 Gena Makhomed g...@csdoc.com:

> On 11.06.2014 13:42, Валентин Бартенев wrote:
>
> http://habrahabr.ru/post/166855/
>
> The only correct way: go to the IETF with a proposal to fix the relevant RFCs, which among other things specify what should be done when several Host headers are received, and only then come here.
>
> http://tools.ietf.org/html/rfc7230#section-5.4
>
> When a proxy receives a request with an absolute-form of request-target, the proxy MUST ignore the received Host header field (if any) and instead replace it with the host information of the request-target. A proxy that forwards such a request MUST generate a new Host field-value based on the received request-target rather than forward the received Host field-value.
>
> Referer: http://www.opennet.ru/opennews/art.shtml?num=39956
>
> It is not quite clear what you wanted to say with this quote. Just in case: nginx is not a proxy in the terminology of that same RFC 7230.
>
> Ok.
>
> http://tools.ietf.org/html/rfc7230#section-5.4
>
> A server MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request message that lacks a Host header field and to any request message that contains more than one Host header field or a Host header field with an invalid field-value.
>
> invalid field-value: this includes the case when the client does not fulfil the requirements set out above in the same document:
>
> A client MUST send a Host header field in all HTTP/1.1 request messages. If the target URI includes an authority component, then a client MUST send a field-value for Host that is identical to that authority component, excluding any userinfo subcomponent and its @ delimiter (Section 2.7.1).
>
> Consequently, if this request arrives:
>
>     GET http://example.com/ HTTP/1.1
>     Host: example.org
>
> then it is a Host header field with an invalid field-value, and nginx MUST respond with a 400 (Bad Request) status code. If such a request arrives over HTTP/1.0, that version of the protocol has no absolute-form, and it must also be answered with a 400 status.
>
> Does the current behaviour of nginx not conform to the requirements of RFC 7230?
>
> P.S. And yes, responding with a 400 status is even more logical here, because if the authority component in the request line and in the Host: header differ, it is clearly a break-in attempt.
>
> --
> Best regards,
> Gena

--
Dmitry Goryainov
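The RFC 7230 section 5.4 rules quoted in this thread, applied to a raw request head, as an added Python example that is not code from nginx or from any poster. The function name, the host regular expression and the sample requests are assumptions; a mismatch between an absolute-form target and Host is only reported, since whether it must be answered with 400 is the point argued above.

```python
import re
from urllib.parse import urlsplit

# Conservative approximation of uri-host [":" port]; stricter than the RFC grammar.
HOST_RE = re.compile(r"(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(:\d{1,5})?")

# Constructed sample requests; "mismatch" is the request discussed in the thread.
SAMPLES = {
    "mismatch": b"GET http://example.com/ HTTP/1.1\r\nHost: example.org\r\n\r\n",
    "two_hosts": b"GET / HTTP/1.1\r\nHost: example.com\r\nHost: example.org\r\n\r\n",
    "no_host": b"GET / HTTP/1.1\r\nAccept: */*\r\n\r\n",
    "bad_value": b"GET / HTTP/1.1\r\nHost: exa mple.com\r\n\r\n",
    "plain": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
}


def check_host(raw):
    """Return (status, host, mismatch) for one raw HTTP request head.

    status   -- 400 when the quoted server rule rejects the request, else None
    host     -- host to route and log by (None when rejected or absent)
    mismatch -- True when an absolute-form target and Host disagree
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return 400, None, False
    _method, target, version = parts

    # Collect every Host field; field names are case-insensitive.
    hosts = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.lower() == "host":
            hosts.append(value.strip())

    if len(hosts) > 1:                                # more than one Host field
        return 400, None, False
    if not hosts and version == "HTTP/1.1":           # HTTP/1.1 without Host
        return 400, None, False
    if hosts and not HOST_RE.fullmatch(hosts[0]):     # invalid field-value
        return 400, None, False
    header_host = hosts[0].lower() if hosts else None

    if target.lower().startswith(("http://", "https://")):
        # absolute-form: take the host from the request-target, as in the
        # proxy rule quoted from section 5.4, and drop any userinfo.
        authority = urlsplit(target).netloc.rsplit("@", 1)[-1].lower()
        if not HOST_RE.fullmatch(authority):
            return 400, None, False
        mismatch = header_host is not None and header_host != authority
        return None, authority, mismatch
    return None, header_host, False


if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, check_host(request))
```

The mismatch flag is the value to log or alert on when both hosts are present but differ.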
Re: Status Reading became zero
Валентин Бартенев Wrote:

> > Валентин, could the number of accepted (and, accordingly, handled) connections in the same statistics decrease for the same reason?
>
> If you mean accepts and handled, then no, it does not affect them.

So if one connects to the server in 10 threads and does not send a single byte, reading will be 0, while accepted and handled will be 10?

Posted at Nginx Forum: http://forum.nginx.org/read.php?21,250787,250808#msg-250808
Re: Status Reading became zero
On Wednesday 11 June 2014 16:32:12 sahe123 wrote:

> Валентин Бартенев Wrote:
>
> > > Валентин, could the number of accepted (and, accordingly, handled) connections in the same statistics decrease for the same reason?
> >
> > If you mean accepts and handled, then no, it does not affect them.
>
> So if one connects to the server in 10 threads and does not send a single byte, reading will be 0, while accepted and handled will be 10?

Yes, roughly so.

--
Валентин Бартенев
Life of objects allocated using the request pool?
What is the life of objects allocated using the request pool? If I allocate memory from the r->pool in a request handler, what would be the life of the object? Will the objects be freed if the request is over or will it sustain over multiple requests?

___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
proxy_pass to different upstreams based on a cookie in the http request header
Hello,

Am wondering if there is a way to proxy (i.e proxy_pass inside location directive) to different set of upstreams based on whether a particular cookie is present or not in a http request header.

Thanks
-Kunal
Re: location uri wildcard
Keep in mind this ML (and other places such as StackOverflow or whatever fora) are still open to help you if you are struggling on anything.

People are usually glad to help others who demonstrated efforts in thinking about it and who provided details about their approach of the problem.

That is, based on the docs, try to make a solution on your own. Once you hit the wall, and if all the docs you could find (nginx docs, Web search are a start) do not help you further, please come back with details of the process you followed.

Doors might open this time. :o)
---
*B. R.*

On Tue, Jun 10, 2014 at 9:13 PM, grd2345 nginx-fo...@nginx.us wrote:

> Ah, gotcha, I am new to this and thanks for the link to this documentation. I will close this thread.
>
> Posted at Nginx Forum: http://forum.nginx.org/read.php?2,250768,250774#msg-250774
tmp directory filling up
Hi,

I have a rails application that is hosted through nginx and passenger. In this application I want provide very large files for the users to download (2GB) using send_file .. which is working just fine on the development and staging system. On the production system however the system tmp directory is limited to 1GB (separately mounted disk). When triggering a download, the tmp folder quickly fills up and the download breaks once it is completely full.

I already moved passengers /tmp directory to a new location but could find how to do the same for nginx (I did set $tmp and $tmpdir with no effect).

When looking into the /tmp directory however, I cannot find any large files that would explain what is happening, nevertheless, df reports it is filling up at the same time ..

Lastly .. I also specified the proxy_temp_path directive in the nginx config. Again with no effect.

Is there any way to specify which directory nginx uses for its tmp data? Is nginx even the culprit here?

Thanks .. any help is greatly appreciated.

Thanks
Tim

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,250795,250795#msg-250795
Re: location uri wildcard
I actually was looking around on google for the solution, but I lazied out and came here, but I ended up finding the solution for this, by getting myself familiar with regex.

I used the following command to do this to maybe help someone else needing this.

    location ~* \bClassScheduler.aspx\b {
        rewrite ^ http://www.mysite.com/classScheduler/? permanent;
    }

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,250768,250796#msg-250796
Re: Rewrite rules from Apache again
On Tue, 10 Jun 2014 22:43:05 +0100 Francis Daly fran...@daoine.org wrote:

> The rest of the config? :)

Well, I've posted it in my previous request for help. Being longish I tried to spare some bandwidth... :)

> ==
> server {
> rewrite ^/(.*)_k(.*).htm$ /pagina.php?k=$2 ;
> rewrite ^/privacy.php$ /pagina.php?k=privacy ;

Wow! I had it under location /
Moving it to server level and adding a break seems to make it work!

> location = /pagina.php {
> return 200 "I got $uri$is_args$args from $request_uri\n";
> }

Many thanks for this elegant way of debugging this kind of configuration problems.

> What do you have that is different?

Another problem :(

If I try the same thing in a subdirectory, it doesn't work. In the error log I get:

2014/06/11 17:51:46 [error] 602#0: *264 FastCGI sent in stderr: Primary script unknown while reading response header from upstream, client: 212.121.88.183, server: new.assirm.it, request: GET /en/privacy.php HTTP/1.1, upstream: fastcgi://127.0.0.1:9004, host: new.assirm.it, referrer: http://new.assirm.it/en/history_khistory.htm;

It seems that the location = that I've put to intercept the rewrite doesn't match.

My configuration now looks like this:

    server {
        listen 212.45.144.216:80 default_server;
        server_name new.assirm.it test.assirm.it;
        access_log /dati/log/http/assirm/access.log;
        error_log /dati/log/http/assirm/error_new.log;
        rewrite_log on;

        rewrite ^/ultime-news.php$ /archivio-news.php?last=1 ;
        rewrite ^/(.*)_news(.*).htm$ /news.php?id=$2 ;
        rewrite ^/(.*)_ev(.*).htm$ /evento.php?id=$2 ;
        rewrite ^/(.*)_att(.*).htm$ /attivita.php?id=$2 ;
        rewrite ^/(.*)_k(.*).htm$ /pagina.php?k=$2 ;
        rewrite ^/(.*)_sk(.*).htm$ /stampa-contenuto.php?k=$2 ;
        rewrite ^/(.*)_sn(.*).htm$ /stampa-news.php?id=$2 ;
        rewrite ^/(.*)_a(.*).htm$ /associato.php?id=$2$args ;
        rewrite ^/(.*)_p(.*).htm$ /mypost.php?id=$2$args ;
        rewrite ^/ricerca-(.*).htm$ /risultati.php?s=$1goo=1 ;
        rewrite ^/privacy.php$ /pagina.php?k=privacy break;

        location ~ \.php$ {
            root /dati/httpd/web_assirm/sito_nginx;
            fastcgi_pass 127.0.0.1:9004;
            fastcgi_index index.php;
            include /etc/nginx/fastcgi.conf;
        }

        location / {
            root /dati/httpd/web_assirm/sito_nginx;
            index index.html index.htm index.php home.html welcome.html;
        }

        location ^~ /en/ {
            root /dati/httpd/web_assirm/sito_nginx;
            index index.html index.htm index.php home.html;

            rewrite ^/en/ultime-news.php$ /en/archivio-news.php?last=1 ;
            rewrite ^/en/(.*)_news(.*).htm$ /en/news.php?id=$2 ;
            rewrite ^/en/(.*)_ev(.*).htm$ /en/evento.php?id=$2 ;
            rewrite ^/en/(.*)_att(.*).htm$ /en/attivita.php?id=$2 ;
            rewrite ^/en/(.*)_k(.*).htm$ /en/pagina.php?k=$2 ;
            rewrite ^/en/(.*)_sk(.*).htm$ /en/stampa-contenuto.php?k=$2 ;
            rewrite ^/en/(.*)_sn(.*).htm$ /en/stampa-news.php?id=$2 ;
            rewrite ^/en/(.*)_a(.*).htm$ /en/associato.php?id=$2$args ;
            rewrite ^/en/(.*)_p(.*).htm$ /en/mypost.php?id=$2$args ;
            rewrite ^/en/(.*)_wit(.*).htm$ /en/wit.php?c=$2$args ;
            rewrite ^/en/ricerca-(.*).htm$ /en/risultati.php?s=$1goo=1 ;
            rewrite ^/en/privacy.php /en/pagina.php?k=privacy ;

            location = /en/pagina.php {
                return 200 "I got $uri$is_args$args from $request_uri\n";
            }

            location ~ \.php$ {
                index index.html index.htm index.php home.html;
                fastcgi_pass 127.0.0.1:9004;
                fastcgi_index index.php;
                include /etc/nginx/fastcgi.conf;
            }
        }
    }
Re: Rewrite rules from Apache again
On Wed, Jun 11, 2014 at 06:20:50PM +0200, Luciano Mannucci wrote:
> On Tue, 10 Jun 2014 22:43:05 +0100 Francis Daly fran...@daoine.org wrote:

Hi there,

> > The rest of the config? :)
>
> Well, I've posted it in my previous request for help. Beeing longish I tried to spare some bandwith... :)

No worries. It can be useful to have a minimal test case that shows the problem.

> I had it under location /
> Moving it to server level and adding a break seems to make it work!

Very approximately, the order is:

    choose the server{}
    run the rewrite directives
    choose the location{}
    run the rewrite directives, looping back as necessary
    handle the request

So your non-server-level rewrites will only apply if they are in the location{} that is chosen.

> > location = /pagina.php {
> > return 200 "I got $uri$is_args$args from $request_uri\n";
> > }
>
> Many thanks for this elegant way of debugging this kind of configuration problems.

You're welcome.

You may also find it useful to enable debug logging for your test client, such as by putting something like

    debug_connection 127.0.0.10;

within the events{} block, and then looking in error_log.

> If I try the same thing in a subdirectory, it doesn't work.

Put the rewrites at server{} level, or in the location{} that is chosen.

> It seems that the location = that I've put to intercept the rewrite doesn't match.

No. The rewrite that you want doesn't happen, because the request /en/privacy.php is handled in:

> location ~ \.php$ {
> location / {
> location ^~ /en/ {
> location = /en/pagina.php {
> location ~ \.php$ {

...that location, and not in the one two above it.

Good luck with it,

f
--
Francis Daly        fran...@daoine.org
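A simplified Python model of the location selection described in the reply above, run against the location layout of the configuration posted earlier in this thread. It is an added example, not code from nginx or from either poster; the Loc class, its tags and the helper names are made up for illustration, and named locations and automatic redirects are left out.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Loc:
    mod: str                       # "", "=", "^~", "~" or "~*"
    pat: str
    children: list = field(default_factory=list)
    tag: str = ""                  # label used only to tell the blocks apart


def _find(locs, uri):
    """Return (location, final) for one nesting level.

    final is True for an exact or regex match; a plain prefix match is
    tentative and can still be overridden by a regex one level up.
    """
    best = None
    for loc in locs:
        if loc.mod == "=" and uri == loc.pat:
            return loc, True                    # exact match ends the search
        if loc.mod in ("", "^~") and uri.startswith(loc.pat):
            if best is None or len(loc.pat) > len(best.pat):
                best = loc                      # remember the longest prefix
    chosen = best
    if best is not None:
        nested, final = _find(best.children, uri)   # look inside the prefix block
        if final:
            return nested, True
        chosen = nested or best
    if best is None or best.mod != "^~":        # "^~" skips this level's regexes
        for loc in locs:                        # regexes in order of appearance
            if loc.mod in ("~", "~*"):
                flags = re.IGNORECASE if loc.mod == "~*" else 0
                if re.search(loc.pat, uri, flags):
                    nested, _ = _find(loc.children, uri)
                    return nested or loc, True
    return chosen, False


# Location layout of the posted server{} block (directives omitted).
SERVER = [
    Loc("~", r"\.php$", tag="php (server)"),
    Loc("", "/", tag="/ (server)"),
    Loc("^~", "/en/", tag="/en/", children=[
        Loc("=", "/en/pagina.php", tag="= /en/pagina.php (in /en/)"),
        Loc("~", r"\.php$", tag="php (in /en/)"),
    ]),
]


def choose(uri, locs=None):
    """Tag of the location that would handle uri, or 'server level'."""
    loc, _ = _find(SERVER if locs is None else locs, uri)
    return loc.tag if loc else "server level"


if __name__ == "__main__":
    for uri in ("/en/privacy.php", "/en/history_khistory.htm",
                "/en/pagina.php", "/privacy.php", "/index.html"):
        print(f"{uri:28} -> {choose(uri)}")
```

/en/privacy.php lands in the nested php block, so the rewrite directives written directly inside location ^~ /en/ never run for it, while /en/history_khistory.htm is handled by /en/ itself and is rewritten there.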
Re: proxy_pass to different upstreams based on a cookie in the http request header
On Wed, Jun 11, 2014 at 12:46:41AM -0700, Kunal Pariani wrote:

Hi there,

> Am wondering if there is a way to proxy (i.e proxy_pass inside location directive) to different set of upstreams based on whether a particular cookie is present or not in a http request header.

You can use a map (http://nginx.org/r/map) to set a variable based on a cookie (http://nginx.org/en/docs/http/ngx_http_core_module.html#variables), and you can use a variable in your proxy_pass directive (http://nginx.org/r/proxy_pass).

So it looks like it should Just Work.

f
--
Francis Daly        fran...@daoine.org
Re: location uri wildcard
On 10 June 2014 17:31, grd2345 nginx-fo...@nginx.us wrote:

> http://www.mysite.com/ClassScheduler.aspx
> [snip]
> I basically need a wild card to detect ClassScheduler.aspx from the above old urls

This assumption looks wrong. Check out how location stanzas work: http://nginx.org/r/location

Hint: locations in their simplest state just match path *prefixes* ...

Also check the first parameter that a rewrite takes ... consider if you could use this functionality to avoid specifying a location /entirely/: http://nginx.org/r/rewrite

J
Re: tmp directory filling up
Hello!

On Wed, Jun 11, 2014 at 10:58:47AM -0400, Tatonka wrote:

> Hi,
>
> I have a rails application that is hosted through nginx and passenger. In this application I want provide very large files for the users to download (2GB) using send_file .. which is working just fine on the development and staging system. On the production system however the system tmp directory is limited to 1GB (separately mounted disk). When triggering a download, the tmp folder quickly fills up and the download breaks once it is completely full.
>
> I already moved passengers /tmp directory to a new location but could find how to do the same for nginx (I did set $tmp and $tmpdir with no effect).
>
> When looking into the /tmp directory however, I cannot find any large files that would explain what is happening, nevertheless, df reports it is filling up at the same time ..
>
> Lastly .. I also specified the proxy_temp_path directive in the nginx config. Again with no effect.

The proxy_temp_path is related to the problem, but it's for proxy, not for passenger, and it's expected that it has no effect in your case.

> Is there any way to specify which directory nginx uses for its tmp data? Is nginx even the culprit here?

That's not about nginx, but rather about passenger module for nginx. Last time I checked, passenger module for nginx implemented its own protocol for the upstream module (like proxy/fastcgi/etc), and should have its own ..._temp_path directive, as well as ..._max_temp_file_size and so on.

--
Maxim Dounin
http://nginx.org/
Re: 400 bad requests now returning http headers? ( crossdomain.xml )
Hello!

On Tue, Jun 10, 2014 at 04:07:28PM -0400, Thaxll wrote:

> Hi Maxim,
>
> Thank you for the quick reply, I guess there is no workaround for that problem? It isn't possible to remove headers or specify a dummy protocol for Nginx?

I don't think there is anything that can be done at the configuration level. On the other hand, it should be more or less trivial to write a module to force nginx to think the protocol was HTTP/0.9 and to respond accordingly.

--
Maxim Dounin
http://nginx.org/
Re: Accessing the location configuration of module 2 during post configuration processing of module 1 for a particular server
Hello Maxim

Thanks for your response. Here is a related query. Say in module 1 I have a

    typedef struct {
        int flag;
        ngx_str_t somestring;
    } module1;

flag gets initialized with the following code

    { ngx_string("module1_directive"),
      NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
      ngx_conf_set_flag_slot,
      NGX_HTTP_LOC_CONF_OFFSET,
      offsetof(module1,configured),
      NULL },

somestring gets initialized with a handler written in the module (i.e not ngx_conf_set_flag_slot or any inbuilt handler).

In the post configuration, I see that flag is not properly set but somestring is. Flag is properly set during request processing though. Are the values set during processing of a directive in location struct guaranteed to be set by the time post configuration is executed? When is the time that one can check for the values set during configuration. I need to test these values to ensure that they are sane when nginx is executed with -t option

Thanks

> Hello!
>
> On Tue, Jun 10, 2014 at 02:09:13AM +0800, Rv Rv wrote:
>
> > How do we access the configuration of a an unrelated module in a given module. This may be required for example to check if the directives pertaining to module 2 were specified in location for a particular server that has directives for module 1 in its configuration.
>
> I don't think it's something you should do at postconfiguration - location structure is complex and not easily accessible. There are location configuration merge callbacks where you are expected to work with location configs and, in particular, can use ngx_http_conf_get_module_loc_conf() macro to access a configuration of other modules (note though, that order of modules may be important in this case).
>
> [...]
>
> > I did not find any documentation on how the configuration is stored within nginx using these structs?
>
> It's under src/, in C language. I would rather say it's not a part of the API, and you'd better avoid using it directly.
>
> --
> Maxim Dounin
> http://nginx.org/

On Monday, 9 June 2014 11:39 PM, Rv Rv rvrv7...@yahoo.com wrote:

> How do we access the configuration of a an unrelated module in a given module. This may be required for example to check if the directives pertaining to module 2 were specified in location for a particular server that has directives for module 1 in its configuration.
>
> From what I understand, code similar to this can be used
>
>     /* Get http main configuration */
>     cmcf = ctx->main_conf[ngx_http_core_module.ctx_index];
>     /* Get the list of servers */
>     cscfp = cmcf->servers.elts;
>     /* Iterate through the list */
>     for (s = 0; s < cmcf->servers.nelts; s++) {
>         /* Problem : how to get the configuration of module 2 */
>         cscfp[s]->ctx->loc_conf[module2.ctx_index]; /* does not yield the correct location struct of module 2 */
>     }
>
> I did not find any documentation on how the configuration is stored within nginx using these structs
>
>     typedef struct {
>         ...
>         /* server ctx */
>         ngx_http_conf_ctx_t *ctx;
>     } ngx_http_core_srv_conf_t;
>
>     typedef struct {
>         void **main_conf;
>         void **srv_conf;
>         void **loc_conf;
>     } ngx_http_conf_ctx_t;