[nginx] Typos fixed.
details: http://hg.nginx.org/nginx/rev/f1e05e533c8b branches: changeset: 5780:f1e05e533c8b user: Sergey Kandaurov pluk...@nginx.com date: Thu Jul 31 13:59:37 2014 +0400 description: Typos fixed. diffstat: docs/xml/nginx/changes.xml | 8 1 files changed, 4 insertions(+), 4 deletions(-) diffs (39 lines): diff -r e0eaf2d92a8c -r f1e05e533c8b docs/xml/nginx/changes.xml --- a/docs/xml/nginx/changes.xmlWed Jul 30 04:32:16 2014 -0700 +++ b/docs/xml/nginx/changes.xmlThu Jul 31 13:59:37 2014 +0400 @@ -5329,7 +5329,7 @@ the bug had appeared in 0.9.0. change type=feature para lang=ru -поддержка строки If-Unmodified-Since в заголовке запросе клиента. +поддержка строки If-Unmodified-Since в заголовке запроса клиента. /para para lang=en the If-Unmodified-Since client request header line support. @@ -11560,7 +11560,7 @@ if keepalive was enabled. change type=bugfix para lang=ru -nginx не обрабатывал ответ FastCGI-сервера, если строка заголовка ответ была +nginx не обрабатывал ответ FastCGI-сервера, если строка заголовка ответа была в конце записи FastCGI; ошибка появилась в 0.6.2.br/ Спасибо Сергею Серову. @@ -14974,7 +14974,7 @@ the ip_hash directive inside the upst change type=feature para lang=ru -статус WAIT в строке Auth-Status в заголовка ответа сервера аутентификации +статус WAIT в строке Auth-Status в заголовке ответа сервера аутентификации IMAP/POP3 прокси. /para para lang=en @@ -19701,7 +19701,7 @@ then nginx started to request all backen change type=change para lang=ru -если в заголовке запросе есть дублирующиеся строки Host, Connection, +если в заголовке запроса есть дублирующиеся строки Host, Connection, Content-Length и Authorization, то nginx теперь выдаёт ошибку 400. /para para lang=en ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
[PATCH] Configure: remove outdated and unused patch.zlib.h
# HG changeset patch # User Piotr Sikora pi...@cloudflare.com # Date 1406803948 25200 # Thu Jul 31 03:52:28 2014 -0700 # Node ID 5be611309d6f7983879104054d4a68feece64142 # Parent f1e05e533c8b7028121104740f2ab76e49d9212f Configure: remove outdated and unused patch.zlib.h. Signed-off-by: Piotr Sikora pi...@cloudflare.com diff -r f1e05e533c8b -r 5be611309d6f auto/lib/zlib/patch.zlib.h --- a/auto/lib/zlib/patch.zlib.hThu Jul 31 13:59:37 2014 +0400 +++ /dev/null Thu Jan 01 00:00:00 1970 + @@ -1,10 +0,0 @@ zlib.h Thu Jul 9 20:06:56 1998 -+++ zlib-1.1.3/zlib.h Tue Mar 22 13:41:04 2005 -@@ -709,7 +709,6 @@ -(0 in case of error). - */ - --ZEXTERN int ZEXPORTVA gzprintf OF((gzFile file, const char *format, ...)); - /* - Converts, formats, and writes the args to the compressed file under -control of the format string, as in fprintf. gzprintf returns the number of ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
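Review bot: the description says patch.zlib.h is "outdated and unused" but not what makes it so; the deleted content is a zlib 1.1.3 header patch that strips the gzprintf() prototype, so the commit message should state which zlib versions the build now targets, or that auto/lib/zlib no longer applies this file, so a reviewer can confirm the workaround is genuinely dead rather than silently dropped.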
Re: [PATCH] Config: enhancing nginx default config file with added security options
Hello! On Thu, Jul 31, 2014 at 03:56:59AM -0700, Kristian Erik Hermansen wrote: # HG changeset patch # User Kristian Erik Hermansen kristian.herman...@gmail.com # Date 1406803911 25200 # Thu Jul 31 03:51:51 2014 -0700 # Node ID 8966ff589f5de5e9155335373247de4485451304 # Parent e0eaf2d92a8cee90abe592d7ac01d3118cb0853a Config: enhancing nginx default config file with added security options. No, thanks. We intentionally avoid various security recommendations except via providing appropriate defaults. People tend to have different ideas of what security is, and how it should be achieved. Additionally, all such recommendations tend to become stale in a very short period of time. Goal of the sample configuration file is to show how to configure things, not to give any recommendations. Some additional comments below. diff -r e0eaf2d92a8c -r 8966ff589f5d conf/nginx.conf --- a/conf/nginx.conf Wed Jul 30 04:32:16 2014 -0700 +++ b/conf/nginx.conf Thu Jul 31 03:51:51 2014 -0700 
@@ -105,9 +105,34 @@ #ssl_session_cacheshared:SSL:1m; #ssl_session_timeout 5m; +# recommended protocols that provide better security and compatibility +# +#ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; + This is the default and usually there is no need to set it explicitly. #ssl_ciphers HIGH:!aNULL:!MD5; #ssl_prefer_server_ciphers on; +# security headers recommended by OWASP to block common attacks +# +#add_header X-Frame-Options 'DENY'; +#add_header X-Content-Type-Options 'nosniff'; +#add_header X-XSS-Protection '1; mode=block'; +#add_header Cache-Control 'no-cache, no-store, must-revalidate'; +#add_header Pragma 'no-cache'; +#add_header Expires '-1'; Cache-related headers are either invalid (Expires syntax doesn't allow -1 as a valid value, and Pragma: no-cache behaviour is unspecified when used in a response) or just silly (Cache-Control in question disables caching, which is irrelevant for security in most cases, but will make things much slower). Moreover, there is the expires directive to control cache-related headers, and it should be used in a proper nginx configuration instead, see http://nginx.org/r/expires. -- Maxim Dounin http://nginx.org/ ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
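Review bot: the line "+#ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;" is introduced under the comment "recommended protocols that provide better security", yet it is the compiled-in default, so the sample would label the status quo as a hardening step; if the intent is a recommendation the list has to differ from the default, otherwise drop the line. The "+#add_header Expires '-1';" line is not an HTTP-date and the Pragma line has no defined meaning in a response, so the sample would teach two invalid headers; the expires directive (http://nginx.org/r/expires) emits a consistent Expires/Cache-Control pair and is the form the sample file should show if caching headers belong there at all.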
Re: [PATCH] allow to use engine keyform for server private key
Hello! On Wed, Jul 30, 2014 at 07:29:10PM +0400, Dmitrii Pichulin wrote: # HG changeset patch # User Dmitrii Pichulin # Date 1406733892 -14400 # Wed Jul 30 19:24:52 2014 +0400 # Node ID a4c89ae85f45153760637058a75f4338b3974219 # Parent 4d092aa2f4637ce50284d2accd99a8e91aae2b4c allow to use engine keyform for server private key diff -r 4d092aa2f463 -r a4c89ae85f45 src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c Mon Jul 28 12:27:57 2014 -0700 +++ b/src/event/ngx_event_openssl.c Wed Jul 30 19:24:52 2014 +0400 @@ -17,6 +17,11 @@ ngx_uint_t engine; /* unsigned engine:1; */ } ngx_openssl_conf_t; +typedef struct { +const void *password; +const char *prompt_info; +} PW_CB_DATA; + static int ngx_ssl_password_callback(char *buf, int size, int rwflag, void *userdata); @@ -265,11 +270,16 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords) { +char*p, *last; BIO *bio; X509*x509; +ENGINE *engine; +EVP_PKEY*private_key; +PW_CB_DATA pwd_data; u_long n; ngx_str_t *pwd; ngx_uint_t tries; +u_char pwd_buf[NGX_SSL_PASSWORD_BUFFER_SIZE]; if (ngx_conf_full_name(cf-cycle, cert, 1) != NGX_OK) { return NGX_ERROR; 
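Review bot: the new PW_CB_DATA typedef and the new locals in ngx_ssl_certificate() (engine, private_key, pwd_data, pwd_buf) are unconditional, so a build against OpenSSL configured with OPENSSL_NO_ENGINE no longer compiles; both the typedef and the engine block need to sit under the same OPENSSL_NO_ENGINE guard the existing engine support uses. Also, PW_CB_DATA is the struct name OpenSSL's own apps/ code uses and nginx types carry an ngx_ prefix, so rename it (for example ngx_ssl_pw_cb_data_t) to stay within the code base's conventions. Note that pwd_buf is a stack copy of the key password declared for the whole function; keep its lifetime to the engine block and make sure every exit from that block zeroes it.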
@@ -352,6 +362,75 @@ BIO_free(bio); +if (ngx_strncmp(key-data, engine:, sizeof(engine:) - 1) == 0) { + +p = (char *) key-data + sizeof(engine:) - 1; +last = ngx_strchr(p, ':'); + +if (last == NULL) { +ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, invalid syntax: %V, key); +return NGX_ERROR; +} + +p[last - p] = '\0'; + +engine = ENGINE_by_id(p); After Piotr's patch (http://hg.nginx.org/nginx/rev/4d092aa2f463) we are able to work with OpenSSL compiled with OPENSSL_NO_ENGINE. Breaking this wouldn't be a good idea. + +if (engine == NULL) { +ngx_ssl_error(NGX_LOG_EMERG, ssl-log, 0, + ENGINE_by_id(\%s\) failed, p); +return NGX_ERROR; +} + +p[last - p] = ':'; + +if (passwords) { +pwd = passwords-elts; + +ngx_cpystrn(pwd_buf, pwd-data, pwd-len + 1); + +pwd_data.password = pwd_buf; +} else { +pwd_data.password = NULL; +} +pwd_data.prompt_info = NULL; + +last++; + +private_key = ENGINE_load_private_key(engine, last, 0, + (void *) pwd_data); I don't see how it's expected to work. You only pass private data for UI callbacks, but not callbacks itself. Anyway, proper implementation of passing key passwords into an engine seems to be rather big, and as per my reading of the code under crypto/engine won't work with most of the engines anyway. It might be better idea to don't try to do this for now. + +ngx_memzero(pwd_buf, NGX_SSL_PASSWORD_BUFFER_SIZE); + +if (private_key == NULL) { +ngx_ssl_error(NGX_LOG_EMERG, ssl-log, 0, + ENGINE_load_private_key(\%s\) failed, last); + +if (ENGINE_free(engine) == 0) { +ngx_ssl_error(NGX_LOG_EMERG, ssl-log, 0, + ENGINE_free() failed); +} +return NGX_ERROR; +} The above referenced commit shows that we don't check ENGINE_free() return codes, so probably we shouldn't try this here as well. 
+ +if (ENGINE_free(engine) == 0) { +ngx_ssl_error(NGX_LOG_EMERG, ssl-log, 0, ENGINE_free() failed); +EVP_PKEY_free(private_key); +return NGX_ERROR; +} + +if (SSL_CTX_use_PrivateKey(ssl-ctx, private_key) == 0) { +ngx_ssl_error(NGX_LOG_EMERG, ssl-log, 0, + SSL_CTX_use_PrivateKey(\%s\) failed, last); +EVP_PKEY_free(private_key); +return NGX_ERROR; +} + +EVP_PKEY_free(private_key); + +return NGX_OK; +} + if (ngx_conf_full_name(cf-cycle, key, 1) != NGX_OK) { return NGX_ERROR; } ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel -- Maxim Dounin http://nginx.org/ ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
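Review bot: ENGINE_load_private_key() is called straight after ENGINE_by_id() with no ENGINE_init() in between; OpenSSL refuses to load a key from an engine whose functional reference has not been taken (it fails with ENGINE_R_NOT_INITIALISED), so this path cannot succeed as written; wrap the load in ENGINE_init()/ENGINE_finish(). Two smaller points in the same hunk: "ngx_cpystrn(pwd_buf, pwd->data, pwd->len + 1)" bounds the copy by the source length rather than by NGX_SSL_PASSWORD_BUFFER_SIZE, so a password longer than the buffer overruns the stack copy; and only the first element of passwords is used (pwd = passwords->elts), unlike the retry loop the PEM path uses, so either iterate here too or document that engine keys get the first password only.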
Re: [PATCH] Config: enhancing nginx default config file with added security options
Hello! On Thu, Jul 31, 2014 at 5:25 AM, Maxim Dounin mdou...@mdounin.ru wrote: We intentionally avoid various security recommendations except via providing appropriate defaults. People tend to have different ideas of what security is, and how it should be achieved. Additionally, all such recommendations tend to become stale in a very short period of time. How do you define very short period of time? These are standards that will remain effectively indefinitely. Goal of the sample configuration file is to show how to configure things, not to give any recommendations. And I thought that it was useful to be secure by default, rather than insecure by default. If nginx would like to take the stance that security should be avoided while preferring ease of use, well OK then, but state that publicly here and take ownership of that stance so that I can reference your lack of commitment. Cache-related headers are either invalid (Expires syntax doesn't allow -1 as a valid value, and Pragma: no-cache behaviour is unspecified when used in a response) or just silly (Cache-Control in question disables caching, which is irrelevant for security in most cases, but will make things much slower). If you don't agree that Expires '-1' is valid, then maybe you should update your own internal documentation and stop recommending it, but I think your stance is incorrect. It is not only valid, but recommended. http://nginx.org/en/docs/http/ngx_http_headers_module.html The Pragma / Cache-Control options are actually very relevant, especially in corporate environments. For instance, most corporations force outbound connections via an internal web proxy. By caching content served over HTTPS, an internal attacker can infer content via the proxy cache, which is a security issue. Sensitive content should not be cached, I hope we agree. And I request you consult RFC2616 if you think the behavior is unspecified as you surely aren't considering the same RFCs I am referencing. 
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html Moreover, there is the expires directive to control cache-related headers, and it should be used in a proper nginx configuration instead, see http://nginx.org/r/expires. Great. Again, see my comments above regarding using it. You contradict yourself... -- Regards, Kristian Erik Hermansen https://www.linkedin.com/in/kristianhermansen https://google.com/+KristianHermansen ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
[nginx] Dav: ngx_http_map_uri_to_path() errors were not checked.
details: http://hg.nginx.org/nginx/rev/1f70fe0d9576 branches: changeset: 5781:1f70fe0d9576 user: FengGu flygo...@126.com date: Wed Jul 30 14:45:08 2014 +0800 description: Dav: ngx_http_map_uri_to_path() errors were not checked. Once error occured, it could lead to use uninitialized variables to log, even more segmentation fault. diffstat: src/http/modules/ngx_http_dav_module.c | 20 1 files changed, 16 insertions(+), 4 deletions(-) diffs (58 lines): diff --git a/src/http/modules/ngx_http_dav_module.c b/src/http/modules/ngx_http_dav_module.c --- a/src/http/modules/ngx_http_dav_module.c +++ b/src/http/modules/ngx_http_dav_module.c @@ -212,7 +212,10 @@ ngx_http_dav_put_handler(ngx_http_reques return; } -ngx_http_map_uri_to_path(r, path, root, 0); +if (ngx_http_map_uri_to_path(r, path, root, 0) == NULL) { +ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); +return; +} path.len--; @@ -320,7 +323,9 @@ ngx_http_dav_delete_handler(ngx_http_req ok: -ngx_http_map_uri_to_path(r, path, root, 0); +if (ngx_http_map_uri_to_path(r, path, root, 0) == NULL) { +return NGX_HTTP_INTERNAL_SERVER_ERROR; +} ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r-connection-log, 0, http delete filename: \%s\, path.data); @@ -488,6 +493,9 @@ ngx_http_dav_mkcol_handler(ngx_http_requ } p = ngx_http_map_uri_to_path(r, path, root, 0); +if (p == NULL) { +return NGX_HTTP_INTERNAL_SERVER_ERROR; +} *(p - 1) = '\0'; r-uri.len--; @@ -666,7 +674,9 @@ destination_done: overwrite_done: -ngx_http_map_uri_to_path(r, path, root, 0); +if (ngx_http_map_uri_to_path(r, path, root, 0) == NULL) { +return NGX_HTTP_INTERNAL_SERVER_ERROR; +} ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r-connection-log, 0, http copy from: \%s\, path.data); 
@@ -674,7 +684,9 @@ overwrite_done: uri = r-uri; r-uri = duri; -ngx_http_map_uri_to_path(r, copy.path, root, 0); +if (ngx_http_map_uri_to_path(r, copy.path, root, 0) == NULL) { +return NGX_HTTP_INTERNAL_SERVER_ERROR; +} r-uri = uri; ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
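Review bot: in the last hunk (copy handler, after overwrite_done) the new "return NGX_HTTP_INTERNAL_SERVER_ERROR;" sits between "r->uri = duri;" and "r->uri = uri;", so on a mapping failure the request is finalised with r->uri still pointing at the Destination URI; restore r->uri before returning so error logging and any later processing see the request's own URI. The other hunks are consistent: ngx_http_dav_put_handler() is a void request body handler (its surrounding context ends in a bare "return;"), so finalising with NGX_HTTP_INTERNAL_SERVER_ERROR there is the right counterpart to returning that code from the delete, mkcol and copy handlers.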
[nginx] Configure: remove outdated and unused patch.zlib.h.
details: http://hg.nginx.org/nginx/rev/428303916425 branches: changeset: 5782:428303916425 user: Piotr Sikora pi...@cloudflare.com date: Thu Jul 31 03:52:28 2014 -0700 description: Configure: remove outdated and unused patch.zlib.h. Signed-off-by: Piotr Sikora pi...@cloudflare.com diffstat: auto/lib/zlib/patch.zlib.h | 10 -- 1 files changed, 0 insertions(+), 10 deletions(-) diffs (15 lines): diff --git a/auto/lib/zlib/patch.zlib.h b/auto/lib/zlib/patch.zlib.h deleted file mode 100644 --- a/auto/lib/zlib/patch.zlib.h +++ /dev/null @@ -1,10 +0,0 @@ zlib.h Thu Jul 9 20:06:56 1998 -+++ zlib-1.1.3/zlib.h Tue Mar 22 13:41:04 2005 -@@ -709,7 +709,6 @@ -(0 in case of error). - */ - --ZEXTERN int ZEXPORTVA gzprintf OF((gzFile file, const char *format, ...)); - /* - Converts, formats, and writes the args to the compressed file under -control of the format string, as in fprintf. gzprintf returns the number of ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
Re: [PATCH] Configure: remove outdated and unused patch.zlib.h
Hello! On Thu, Jul 31, 2014 at 03:53:20AM -0700, Piotr Sikora wrote: # HG changeset patch # User Piotr Sikora pi...@cloudflare.com # Date 1406803948 25200 # Thu Jul 31 03:52:28 2014 -0700 # Node ID 5be611309d6f7983879104054d4a68feece64142 # Parent f1e05e533c8b7028121104740f2ab76e49d9212f Configure: remove outdated and unused patch.zlib.h. Signed-off-by: Piotr Sikora pi...@cloudflare.com Committed, thanks. -- Maxim Dounin http://nginx.org/ ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
Re: [PATCH] Core: add support for expressing size in gigabytes
Hello! On Thu, Jul 31, 2014 at 03:41:30AM -0700, Piotr Sikora wrote: # HG changeset patch # User Piotr Sikora pi...@cloudflare.com # Date 1406803246 25200 # Thu Jul 31 03:40:46 2014 -0700 # Node ID c1aeec0f33fe6a42fde0a1851228a130f5ab12a1 # Parent e0eaf2d92a8cee90abe592d7ac01d3118cb0853a Core: add support for expressing size in gigabytes. Signed-off-by: Piotr Sikora pi...@cloudflare.com diff -r e0eaf2d92a8c -r c1aeec0f33fe src/core/ngx_parse.c --- a/src/core/ngx_parse.cWed Jul 30 04:32:16 2014 -0700 +++ b/src/core/ngx_parse.cThu Jul 31 03:40:46 2014 -0700 @@ -33,6 +33,12 @@ ngx_parse_size(ngx_str_t *line) scale = 1024 * 1024; break; +case 'G': +case 'g': +len--; +scale = 1024 * 1024 * 1024; +break; + default: scale = 1; } Memory sizes in gigabytes are almost always wrong, and we intentionally don't understand gigabytes here as an additional safety belt. I don't think this should be added. -- Maxim Dounin http://nginx.org/ ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
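Review bot: the new 'G'/'g' case only sets scale = 1024 * 1024 * 1024 and leaves the later multiplication of the parsed value untouched; on a 32-bit build ssize_t tops out just under 2G, so "2g" or more would wrap rather than be rejected unless an explicit overflow check (value > maximum / scale) precedes the multiply. If the suffix is pursued at all, the hunk needs that check and a test showing "2g" fails cleanly on 32-bit; as the reply notes, the missing suffix is deliberate, so the motivation for the change should be stated in the description.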
Re: [PATCH] allow to use engine keyform for server private key
On 31.07.2014 17:49, Maxim Dounin wrote: + if (engine == NULL) { + ngx_ssl_error(NGX_LOG_EMERG, ssl-log, 0, + ENGINE_by_id(\%s\) failed, p); + return NGX_ERROR; + } + + p[last - p] = ':'; + + if (passwords) { + pwd = passwords-elts; + + ngx_cpystrn(pwd_buf, pwd-data, pwd-len + 1); + + pwd_data.password = pwd_buf; + } else { + pwd_data.password = NULL; + } + pwd_data.prompt_info = NULL; + + last++; + + private_key = ENGINE_load_private_key(engine, last, 0, + (void *) pwd_data); I don't see how it's expected to work. You only pass private data for UI callbacks, but not callbacks itself. Anyway, proper implementation of passing key passwords into an engine seems to be rather big, and as per my reading of the code under crypto/engine won't work with most of the engines anyway. It might be better idea to don't try to do this for now. Maxim, our vision is based on 2 implementations of engines as previously noted: 1) gost_capi — doesn't support external passwords 2) opensc — with such code from get_pin function (https://github.com/OpenSC/engine_pkcs11/blob/master/src/engine_pkcs11.c): /* either get the pin code from the supplied callback data, or get the pin * via asking our self. In both cases keep a copy of the pin code in the * pin variable (strdup'ed copy). */ static int get_pin(UI_METHOD * ui_method, void *callback_data) { UI *ui; struct { const void *password; const char *prompt_info; } *mycb = callback_data; /* pin in the call back data, copy and use */ if (mycb != NULL mycb-password) { pin = (char *)calloc(MAX_PIN_LENGTH, sizeof(char)); if (!pin) return 0; strncpy(pin,mycb-password,MAX_PIN_LENGTH); pin_length = MAX_PIN_LENGTH; return 1; } ... As you can see, there's no need for ui_method if a password is present. 
We suggest implementing something like this: typedef struct { const void *password; const char *prompt_info; ngx_array_t *passwords; ngx_uint_t position; } ngx_openssl_pw_cb_data_ex; In this case, our ui_read implementation can run through all passwords while supporting the basics. Or would it be better to pass nothing for now? ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
Re: nested include virtual in SSI
Hello! On Wed, Jul 30, 2014 at 04:35:04PM -0400, mistercx wrote: Greetings all! Just now, while moving a static project from Apache to Nginx, I ran into a most unpleasant peculiarity: it is impossible to use nested include virtual in SSI. For example:
file lang.shtml
<!--#set var="company" value="Компания" -->
<!--#set var="video" value="Видео" -->
<!--#set var="gb" value="Гостевая книга" -->
file test.shtml
<!--#include virtual="lang.shtml" -->
<!--#echo var="company" -->
Result: Nginx: instead of "Компания" the browser shows "None"; Apache: "Компания" is displayed. There are about 6000 SHTML pages in the project. Any ideas how this is handled, or should I look back towards Apache? It has to be done like this:
<!--#include virtual="lang.shtml" wait="yes" -->
Because by default nginx processes SSI subrequests in parallel, and in the case shown the company variable gets set after there has already been an attempt to output it. In general, keep in mind that SSI in Apache and SSI in nginx differ in places. When migrating this volume of code it makes sense to carefully verify that every construct in use actually works. What nginx can do is described in detail in the documentation[1], but nuances like the one above may not be obvious. [1] http://nginx.org/ru/docs/http/ngx_http_ssi_module.html#commands -- Maxim Dounin http://nginx.org/ ___ nginx-ru mailing list nginx-ru@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-ru
Re: nested include virtual in SSI
Yes, thank you, I had also read my way to that parameter. I noticed another interesting peculiarity of SSI in Nginx: <!--#set var="item" value="$QUERY_STRING" --> has to be set in the parent shtml; only then does it also apply to the child. If I try to set the variable in a child included SHTML, I get None. In Apache this makes no difference; it works both ways. Posted at Nginx Forum: http://forum.nginx.org/read.php?21,252162,252177#msg-252177 ___ nginx-ru mailing list nginx-ru@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-ru
postpone_gzipping
Hi, I encountered the directive postpone_gzipping but I couldn't find an explanation in the documentation, although I found the directive in the source code of nginx. How is that directive different from gzip_min_length? Posted at Nginx Forum: http://forum.nginx.org/read.php?2,252171,252171#msg-252171 ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
Re: postpone_gzipping
Hello! On Thu, Jul 31, 2014 at 06:47:01AM -0400, husseingalal wrote: Hi, I encountered the directive postpone_gzipping but I couldn't find an explanation in the documentation, although I found the directive in the source code of nginx. How is that directive different from gzip_min_length? The original idea is to save CPU cycles by avoiding small deflate() operations, buffering up to the specified amount of data before calling deflate() instead. It's an old experiment and is believed to have bugs; don't use it unless you are ready to dig into the code. -- Maxim Dounin http://nginx.org/ ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
Re: Repeated include /etc/includes/ssl.conf Passes configtest, fails SSL Handshake
Hello! On Wed, Jul 30, 2014 at 10:14:05AM +0800, Matt Silverlock wrote: Hi all, Had a chat with a helpful person on IRC but both are stumped as to why my configuration passes a check (nginx -t) but fails to properly handle SSL. – I’ve split a couple of repetitive blocks out into /etc/nginx/includes/ssl.conf (-rw-r--r-- root:root - same as nginx.conf - should not be a problem) – Doing so results in SSL handshake issues (and the connection fails appropriately) [...] If I move the include directive (effectively removing the duplication) into the http block and put the ssl_certificate and ssl_certificate_key directives into each of the two (2) server blocks instead of includes/ssl.conf, all is well. But this conflicts with the documentation (as I interpret it) and still results in some duplicated configuration. It's a good idea to show the _full_ config which shows the problem. The snippet you've shown looks fine and is expected to work, but it's easy to make things wrong by some hardly noticeable mistake, e.g. a missing semicolon. It's also a good idea to take a look into the error log; it may have something for you. BTW, as long as there is only one certificate, it's expected to work fine with all ssl options at the http{} level. You don't need to put ssl_certificate and ssl_certificate_key into server{} blocks. -- Maxim Dounin http://nginx.org/ ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
Re: [ANN] Windows nginx 1.7.4.2 WhiteRabbit
I also noticed you added the PHP and Nginx user setups for security; would you also add an FTP / MySQL option? Even though it is easy for us to just edit the VB scripts to suit our needs for other services, I was just thinking of others (maybe they are lazy). I am not sure if anyone else uses the following program https://bitsum.com/processlasso/ but for me in a server environment it works wonders: I can set the CPU affinities and separate Nginx from PHP onto its own CPU cores. But I am curious if it is a bad thing to do this when I have worker_processes auto; set to auto and create the number of Nginx instances for the number of CPU cores available. http://nginx.org/en/docs/ngx_core_module.html#worker_processes Posted at Nginx Forum: http://forum.nginx.org/read.php?2,252064,252180#msg-252180 ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
Re: [ANN] Windows nginx 1.7.4.2 WhiteRabbit
c0nw0nk Wrote: --- I also noticed you added the PHP and Nginx user setups for security; would you also add an FTP / MySQL option? Even though it is easy for us to just edit the VB scripts to suit our needs for other services, I was just thinking of others (maybe they are lazy). The way we made those scripts shows that anything is possible with Windows with security in mind and minimal effort; there is no excuse for not securing nginx / php, or for laziness, anymore. PHP onto its own CPU cores. But I am curious if it is a bad thing to do this when I have worker_processes auto; set to auto and create the number of Nginx instances for the number of CPU cores available. http://nginx.org/en/docs/ngx_core_module.html#worker_processes Whatever works best for you; there are many tools to force CPU affinity. For some apps 1 worker/cpu works best, for other apps 2 workers/cpu works better. There is no clear guideline other than testing/tuning everything, not just nginx. Posted at Nginx Forum: http://forum.nginx.org/read.php?2,252064,252181#msg-252181 ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
Re: [ANN] Windows nginx 1.7.4.2 WhiteRabbit
That's what I have been doing; not encountered any issues as such yet with Nginx or PHP. I am also curious if it is possible to execute compression of images via Nginx. Those of us who use CloudFlare.com already know that cloudflare performs lossless image compression, most likely the same way via linux. On windows we have the following tool available which just executes a series of command line tools to compress images. http://nikkhokkho.sourceforge.net/static.php?page=FileOptimizer as well as various other files: zip, rar, gzip, png, jpeg, the list is endless. But to save having to compress images manually, especially if dealing with a site that takes image/media uploads, could we not have nginx execute the program via a command line module for images it is serving? I looked through the modules list; the only one I could find that might make use of the exec function is the following. http://wiki.nginx.org/HttpEchoModule http://wiki.nginx.org/3rdPartyModules Posted at Nginx Forum: http://forum.nginx.org/read.php?2,252064,252182#msg-252182 ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
Re: [ANN] Windows nginx 1.7.4.2 WhiteRabbit
I also see LUA can do the job but I get the feeling I will hit a dead end if I did this. location /compress-images { content_by_lua 'os.execute("C:/server/bin/compress.exe")'; } Posted at Nginx Forum: http://forum.nginx.org/read.php?2,252064,252183#msg-252183 ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
Re: [ANN] Windows nginx 1.7.4.2 WhiteRabbit
The trick with pre-compressed files is to have a separate process doing the compression and doing a test inside nginx for the existence of this compressed file. Ea. if file.jpg.extracompressed exists then serve directly from filesystem else do something with zlib. Ea2. http://nginx.org/en/docs/http/ngx_http_gzip_static_module.html http://www.cambus.net/serving-precompressed-content-with-nginx-and-zopfli/ Posted at Nginx Forum: http://forum.nginx.org/read.php?2,252064,252184#msg-252184 ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
Re: [ANN] Windows nginx 1.7.4.2 WhiteRabbit
Well what i was describing was to compress the original media items. Saving storage/disk space. Posted at Nginx Forum: http://forum.nginx.org/read.php?2,252064,252185#msg-252185 ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
Re: [ANN] Windows nginx 1.7.4.2 WhiteRabbit
Hello! On Thu, Jul 31, 2014 at 10:06 AM, c0nw0nk wrote: I also see LUA can do the job but I get the feeling I will hit a dead end if I did this. location /compress-images { content_by_lua 'os.execute("C:/server/bin/compress.exe")'; } Oh no, os.execute() is blocking. You should avoid that whenever possible :) Regards, -agentzh ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
Re: RE: GeoIP FirstNonPrivateXForwardedForIP
Hi, some time ago I had a similar issue and I grabbed some parts of nginx's internal modules and made one specific to my case. My issue was to use the first X-Forwarded-For IP, but only when the client address was the Google Chrome proxy. I don't know if this is the best approach, but I check the client IP using reverse DNS and, if the IP came from Google, I change it to the first IP in the X-Forwarded-For header. Doing that, the GeoIP module can be executed with the real IP instead of Google's. If you want to see how I did it, the code is here https://github.com/wandenberg/nginx-trusted-proxy-resolver-module. (The idea is to expand this module to support other mobile proxies like Windows Phone and Mini Opera.) Regards, Wandenberg Posted at Nginx Forum: http://forum.nginx.org/read.php?2,250823,252190#msg-252190 ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
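An added example, not part of the thread and not Wandenberg's module or nginx code: the two X-Forwarded-For selection rules side by side, the "first non-private" rule the thread title refers to and the trusted-proxy walk the reply describes (trust the header only when the peer is a known proxy, then discard our own hops). The proxy ranges and addresses are constructed samples; the comparison with nginx's own recursive realip/geoip_proxy handling is an assumption, not a claim about nginx's code.

```python
import ipaddress

# Constructed sample data (assumption): the only proxies whose X-Forwarded-For
# we believe are the ones we operate, 203.0.113.0/24 here, plus an internal
# RFC 1918 tier on 10.0.0.0/8. Anything else is an arbitrary client.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "10.0.0.0/8")]

# Non-public ranges used by the "first non-private" rule from the thread title.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128",
)]


def parse_ip(text):
    """Return an ip_address for one XFF hop, or None if it is not an address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def in_ranges(ip, ranges):
    # ipaddress returns False for a v4 address tested against a v6 network,
    # so mixed families are safe here.
    return any(ip in net for net in ranges)


def split_xff(xff):
    """Split 'a, b, c' into hops, left (first writer) to right (last proxy)."""
    return [h.strip() for h in (xff or "").split(",") if h.strip()]


def first_non_private(remote_addr, xff):
    """The unsafe rule: walk XFF left to right and take the first public address.
    The leftmost hops were written by whoever connected first, i.e. the client,
    so a client connecting directly controls the result completely."""
    for hop in split_xff(xff):
        ip = parse_ip(hop)
        if ip is not None and not in_ranges(ip, PRIVATE_RANGES):
            return str(ip)
    return remote_addr


def client_ip(remote_addr, xff, trusted=TRUSTED_PROXIES):
    """The safe rule: believe XFF only when the TCP peer is a trusted proxy, then
    walk right to left and stop at the first hop that is not one of ours.
    Hops to the left of that point were written by untrusted parties and are
    ignored. (Assumption: this mirrors nginx's recursive realip behaviour.)"""
    peer = parse_ip(remote_addr)
    if peer is None or not in_ranges(peer, trusted):
        return remote_addr          # direct client: its XFF is hearsay
    for hop in reversed(split_xff(xff)):
        ip = parse_ip(hop)
        if ip is None:
            return remote_addr      # garbage written by an untrusted party
        if not in_ranges(ip, trusted):
            return str(ip)
    return remote_addr              # every hop was ours: the peer is the origin


if __name__ == "__main__":
    # Constructed scenario: a direct client that writes its own XFF header.
    print(first_non_private("198.51.100.7", "8.8.8.8"))   # attacker-chosen
    print(client_ip("198.51.100.7", "8.8.8.8"))           # real peer address
```

Feeding the GeoIP lookup with the result of client_ip() instead of first_non_private() is what makes the reverse-DNS check in the reply necessary: without a trust decision on the peer, the header is client-supplied input.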