How can I set a maximum limit for gzip module?
Hello,

I'm using nginx-1.11.2 as a proxy server with the gzip module. I would like something like a "gzip_max_length" directive in ngx_http_gzip_module, because some upstream responses' sizes exceeded the gzip_buffers setting. (But there were no errors... These are strange things for me...) I can change gzip_buffers to a size large enough for the upstream, but there is no limit.

Can I set a limit on the maximum content size for the gzip module?

Thank you.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273899,273899#msg-273899

___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Re: $upstream_addr returning "-" only on requests with "del" in them
And the usual debug information I just found on https://www.nginx.com/resources/wiki/start/topics/tutorials/debugging/ that I should provide (very sorry for doing that in 3 parts, won't happen again):

nginx -V
nginx version: nginx/1.10.0 (Ubuntu)
built with OpenSSL 1.0.2g  1 Mar 2016
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_v2_module --with-http_sub_module --with-http_xslt_module --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-threads --add-module=/build/nginx-pzhfc2/nginx-1.10.0/debian/modules/nginx-auth-pam --add-module=/build/nginx-pzhfc2/nginx-1.10.0/debian/modules/nginx-dav-ext-module --add-module=/build/nginx-pzhfc2/nginx-1.10.0/debian/modules/nginx-echo --add-module=/build/nginx-pzhfc2/nginx-1.10.0/debian/modules/nginx-upstream-fair --add-module=/build/nginx-pzhfc2/nginx-1.10.0/debian/modules/ngx_http_substitutions_filter_module

cat /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 768;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    client_max_body_size 50m;

    # Avoid timeouts
    send_timeout 600;
    proxy_send_timeout 600;
    proxy_read_timeout 600;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    log_format compression '$remote_addr - $remote_user [$time_local] '
        '"$request" $status $body_bytes_sent '
        '"$http_referer" "$http_user_agent" "$gzip_ratio"'
        '[$upstream_addr: $request |$upstream_connect_time|$upstream_header_time|$upstream_response_time|$request_time|$bytes_sent|$pipe|$upstream_status]';

    gzip on;
    gzip_disable "msie6";

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

cat sites-enabled/load-balancer
upstream apache {
    server webdevw1.myorg.edu;
}

cat sites-enabled/dev.www.myorg.edu
server {
    listen 80;
    listen [::]:80;
    server_name dev.www.myorg.edu;

    error_log /var/log/nginx/www.myorg.edu-error.log debug;
    access_log /var/log/nginx/www.myorg.edu-access.log compression;

    location / {
        proxy_buffers 64 128k;
        proxy_buffer_size 2k;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://apache;
    }
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273895,273898#msg-273898
Re: $upstream_addr returning "-" only on requests with "del" in them
Sometimes writing your thought helps... Apparently something wasn't reporting correctly so far, but using the debug level, I finally end up getting some information.

I should mention that the word that seems to provoke this issue is ' del ' (with two spaces around it). If those 3 letters are included in another word, nothing weird happens. When the word is there on its own, though, this is my debug log (I have surrounded the most obvious issue with two blank lines):

2017/04/26 18:38:52 [debug] 6496#6496: *350 http keepalive handler
2017/04/26 18:38:52 [debug] 6496#6496: *350 malloc: 55B18C6ADF30:1024
2017/04/26 18:38:52 [debug] 6496#6496: *350 recv: fd:16 978 of 1024
2017/04/26 18:38:52 [debug] 6496#6496: *350 reusable connection: 0
2017/04/26 18:38:52 [debug] 6496#6496: *350 posix_memalign: 55B18C6C0F10:4096 @16
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Host: dev.www.myorg.edu"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Connection: keep-alive"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Content-Length: 16639"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Pragma: no-cache"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Cache-Control: no-cache"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Origin: http://dev.www.myorg.edu"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Upgrade-Insecure-Requests: 1"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/57.0.2987.98 Chrome/57.0.2987.98 Safari/537.36"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Content-Type: multipart/form-data; boundary=WebKitFormBoundaryfufPzGfQx0XTvHjM"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Referer: http://dev.www.myorg.edu/en/node/734/edit"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Accept-Encoding: gzip, deflate"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Accept-Language: en-US,en;q=0.8,es;q=0.6,fr-FR;q=0.4,fr;q=0.2"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Cookie: DrupalModuleFilter=activeTab%3Dall; SESSb62f82f041805dbb55d5167522aaa24e=y-yFLoyVXBRCGSmicYphWW-OCVYIGphmDhmx9k9wubQ; SESSd452cfca8c0eccb9b5e4447bc1fa95dc=ENsFfcPE5jv4sTxlDxc40kg09aFMu7S-ZXJHPn0osb4; has_js=1; Drupal.tableDrag.showWeight=0"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "DNT: 1"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header done
2017/04/26 18:38:52 [debug] 6496#6496: *350 generic phase: 0
2017/04/26 18:38:52 [debug] 6496#6496: *350 rewrite phase: 1
2017/04/26 18:38:52 [debug] 6496#6496: *350 test location: "/"
2017/04/26 18:38:52 [debug] 6496#6496: *350 using configuration "/"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http cl:16639 max:52428800
2017/04/26 18:38:52 [debug] 6496#6496: *350 rewrite phase: 3
2017/04/26 18:38:52 [debug] 6496#6496: *350 post rewrite phase: 4
2017/04/26 18:38:52 [debug] 6496#6496: *350 generic phase: 5
2017/04/26 18:38:52 [debug] 6496#6496: *350 generic phase: 6
2017/04/26 18:38:52 [debug] 6496#6496: *350 generic phase: 7
2017/04/26 18:38:52 [debug] 6496#6496: *350 access phase: 8
2017/04/26 18:38:52 [debug] 6496#6496: *350 access phase: 9
2017/04/26 18:38:52 [debug] 6496#6496: *350 access phase: 10
2017/04/26 18:38:52 [debug] 6496#6496: *350 access phase: 11
2017/04/26 18:38:52 [debug] 6496#6496: *350 post access phase: 12
2017/04/26 18:38:52 [debug] 6496#6496: *350 try files phase: 13
2017/04/26 18:38:52 [debug] 6496#6496: *350 http request body content length filter
2017/04/26 18:38:52 [debug] 6496#6496: *350 malloc: 55B18C6F4100:8192
2017/04/26 18:38:52 [debug] 6496#6496: *350 http read client request body
2017/04/26 18:38:52 [debug] 6496#6496: *350 recv: fd:16 -1 of 8192

2017/04/26 18:38:52 [info] 6496#6496: *350 recv() failed (104: Connection reset by peer), client: 190.117.233.77, server: dev.www.myorg.edu, request: "POST /en/node/734/edit HTTP/1.1", host: "dev.www.myorg.edu", referrer: "http://dev.www.myorg.edu/en/node/734/edit"

2017/04/26 18:38:52 [debug] 6496#6496: *350 http client request body recv -1
2017/04/26 18:38:52 [debug] 6496#6496: *350 http finalize request: 400, "/en/node/734/edit?" a:1, c:1
2017/04/26 18:38:52 [debug] 6496#6496: *350 http terminate request count:1
2017/04/26 18:38:52 [debug] 6496#6496: *350 http terminate cleanup count:1 blk:0
2017/04/26 18:38:52 [debug] 6496#6496: *350 http posted request: "/en/node/734/edit?"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http terminate handler count:1
2017/04/26 18:38:52 [debug] 6496#6496: *350 http request count:1 blk:0
2017/04/26 18:38:52 [debug] 6496#6496: *350 http close request
2017/04/26 18:38:52 [debug] 6496#6496: *350 http log handler
2017/04/26 18:38:52 [debug] 6496#6496: *350 free: 55B18C6F4100
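As an added example (not from this thread), the following Python parser handles the "compression" log_format posted earlier in the thread and pairs access-log entries whose $upstream_addr is "-" with error-log lines like the recv() failure above, so a defender can tell a client-side reset (the backend never saw the request) from a backend failure. The sample log lines are constructed; 203.0.113.10 stands in for the single "apache" upstream and the 10.0.0.x clients are placeholders.

```python
import re
from collections import defaultdict

# Parser for the custom "compression" log_format posted earlier in this thread:
#   '$remote_addr - $remote_user [$time_local] '
#   '"$request" $status $body_bytes_sent '
#   '"$http_referer" "$http_user_agent" "$gzip_ratio"'
#   '[$upstream_addr: $request |$upstream_connect_time|$upstream_header_time|'
#   '$upstream_response_time|$request_time|$bytes_sent|$pipe|$upstream_status]'
# Note: the format puts no space between "$gzip_ratio" and the opening "[".
ACCESS_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)" "(?P<gzip_ratio>[^"]*)"'
    # $upstream_addr is "host:port" (or "-"), so match lazily up to ": "
    r'\[(?P<upstream_addr>.+?): (?P<upstream_request>[^|]*)\|'
    r'(?P<upstream_connect_time>[^|]*)\|(?P<upstream_header_time>[^|]*)\|'
    r'(?P<upstream_response_time>[^|]*)\|(?P<request_time>[^|]*)\|'
    r'(?P<bytes_sent>[^|]*)\|(?P<pipe>[^|]*)\|(?P<upstream_status>[^\]]*)\]$'
)

# Error-log lines of the kind shown in the debug output above, e.g.
#   2017/04/26 18:38:52 [info] 6496#6496: *350 recv() failed (...), client: ..., server: ..., request: "..."
ERROR_RE = re.compile(
    r'^(?P<time>\S+ \S+) \[(?P<level>\w+)\] (?P<pid>\d+)#(?P<tid>\d+): '
    r'\*(?P<conn>\d+) (?P<message>.*?), client: (?P<client>\S+), '
    r'server: (?P<server>\S+), request: "(?P<request>[^"]*)"'
)


def parse_access_line(line):
    """Return the named fields of one access-log entry, or None if it does not match."""
    m = ACCESS_RE.match(line.rstrip("\n"))
    if not m:
        return None
    d = m.groupdict()
    d["upstream_request"] = d["upstream_request"].strip()
    return d


def parse_error_line(line):
    """Return the named fields of one error-log entry, or None if it does not match."""
    m = ERROR_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def never_proxied(access_lines):
    """Entries with $upstream_addr == '-': nginx finalized the request without contacting any upstream."""
    return [e for e in map(parse_access_line, access_lines) if e and e["upstream_addr"] == "-"]


def classify(access_lines, error_lines):
    """Pair each never-proxied request with error-log events for the same client and request line.

    Returns {(client_ip, request_line): explanation}. A 'Connection reset by peer' while nginx is
    still reading the request means the client side (the browser, or something between it and
    nginx) closed the connection, so the backend never saw the request.
    """
    events = defaultdict(list)
    for e in filter(None, map(parse_error_line, error_lines)):
        events[(e["client"], e["request"])].append(e["message"])
    result = {}
    for e in never_proxied(access_lines):
        key = (e["remote_addr"], e["request"])
        msgs = events.get(key, [])
        if any("Connection reset by peer" in m for m in msgs):
            result[key] = "client-side reset while nginx was reading the request (status %s)" % e["status"]
        elif msgs:
            result[key] = "nginx error before proxying: " + msgs[0]
        else:
            result[key] = "finalized by nginx with no error-log event (status %s)" % e["status"]
    return result


# Constructed sample lines in the thread's log format (not real traffic).
SAMPLE_ACCESS = [
    '10.0.0.5 - - [26/Apr/2017:18:38:40 +0000] "GET /en/node/734 HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0" "3.10"[203.0.113.10:80: GET /en/node/734 HTTP/1.1 |0.001|0.120|0.121|0.122|5400|.|200]',
    '190.117.233.77 - - [26/Apr/2017:18:38:52 +0000] "POST /en/node/734/edit HTTP/1.1" 400 0 '
    '"http://dev.www.myorg.edu/en/node/734/edit" "Mozilla/5.0" "-"[-: POST /en/node/734/edit HTTP/1.1 |-|-|-|0.003|0|.|-]',
    '10.0.0.6 - - [26/Apr/2017:18:39:01 +0000] "GET /en/node/1 HTTP/1.1" 502 173 '
    '"-" "curl/7.47.0" "-"[203.0.113.10:80: GET /en/node/1 HTTP/1.1 |0.001|-|0.002|0.002|300|.|502]',
]
SAMPLE_ERROR = [
    '2017/04/26 18:38:52 [info] 6496#6496: *350 recv() failed (104: Connection reset by peer), '
    'client: 190.117.233.77, server: dev.www.myorg.edu, request: "POST /en/node/734/edit HTTP/1.1", '
    'host: "dev.www.myorg.edu", referrer: "http://dev.www.myorg.edu/en/node/734/edit"',
]

if __name__ == "__main__":
    for key, why in classify(SAMPLE_ACCESS, SAMPLE_ERROR).items():
        print("%s %s -> %s" % (key[0], key[1], why))
```

The 502 sample is deliberately not flagged: its $upstream_addr is set, so nginx did reach the backend and the failure belongs to the upstream side.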
xslt question
Hi

I am using https://gist.github.com/wilhelmy/5a59b8eea26974a468c9 for

location /ts/ {
    #autoindex on;
    #autoindex_format html;
    try_files $uri @autoindex;
}

# need xlst module
location @autoindex {
    autoindex on;
    autoindex_format xml;
    xslt_stylesheet xslt/dirlist.xslt path='$uri';
}

My problem is, I have a file with a % in it and I need to escape / encode it as a URI, but when I use the XML functions to encode a URI I get "function not found". More reading: I need XSLT 2, not 1. How can I tell if I am using 1 or 2?

A
$upstream_addr returning "-" only on requests with "del" in them
Hi guys,

I have a problem with some of the requests sent to my Nginx load balancer, which reports (in the access_log configured to show $upstream_addr) that $upstream_addr is equal to "-", but only in a weird case where the post contains the word "del".

I'm using Nginx 1.10.0 packaged in Ubuntu 16.04.4, in a development cluster of VMs with Nginx serving as load balancer to serve a bunch of Drupal 7 sites that an Apache+modPHP is serving (I could use Nginx+PHP-FPM but that's not the point here). So it's a web-facing VM with Nginx that passes to another VM with Apache (through proxy_pass). No "effective" load balancing (only one upstream server in the backend block). I've tried to keep customizations to a reasonable minimum to avoid introducing too many variables.

Inside Drupal 7 (which I installed under the Apache backend server), I have nodes that I would like to edit. Now, on several nodes, when I edit a textarea with whatever I like, everything works fine. The request is passed to Nginx, then to Apache, and I can see that in the access logs for both. However, if the textarea contains the word "del" (I know... weird), then the request gets to Nginx and the $upstream_addr is generated as "-" and no request reaches the upstream server.

How can I debug that? I've tried putting the error_log to "debug" but it's apparently not an error. The access_log provides me with this weird case of $upstream_addr = '-', but that's all I get...

Thanks for your help!

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273895,273895#msg-273895
Re: how add RewriteRule .* index.php in nginx
On Wed, Apr 26, 2017 at 10:22:20AM -0400, e.htabar wrote:

Hi there,

> how set add " RewriteRule .* index.php " in nginx.conf for subfolder ?

You probably put the config in a suitable location{} block.

What config do you have right now that does most of what you want? Do you "return" or "rewrite" or "try_files" or something else?

The best config depends on what else you want the system to do.

Cheers,

f
--
Francis Daly        fran...@daoine.org
Re: Nginx Nodejs Raspberry Pi2 Bad Gateway
On Tue, Apr 25, 2017 at 10:13:19AM -0400, marciokoko wrote:

Hi there,

I confess that it's a bit confusing to me what exactly you are doing here.

Can you create one "curl" command which makes one request, that gives a response that is not what you want to see? If you can show what you expect to see instead, that might be helpful too.

If at all possible, copy-paste the pieces you are reporting, rather than re-typing things. It looks like there may be some typographical errors in what you report here, which might be what is unclear to me.

> INTERNET (subdomain.domain.com A Record to public IP 186187)
> Hurl.it -POST-> Public IP:
> https://186187/API/switches?sw1?password=123456 -> Linksys Router
> IP:186...187:443 Port Forward to 192...53
>
> ONLAN (nginx setup https with ssl from letsencrypt)
> 19253 RPi2 nginx config bypass 192...53:442 . --> nodejs app.js
> listening on port 442

I *think* that the intention here is that a https request gets to nginx, and then nginx makes a http request to the port-442 listener.

Can you show the request that gets to nginx, and the request that gets to port 442, and see what the port-442 listener does with it?

> error_page 404 /404.html;
> error_page 500 502 503 504 /50x.html;

Unless you have a location{} that matches those html urls, they may be proxy_pass'ed to port 442 as well, which may make it more difficult than necessary to interpret the log files.

> 2017/04/23 20:08:38 [error] 20424#0: *4 upstream prematurely closed
> connection while reading response header from upstream, client:
> 192.168.1.56, server: subdomain.domain.com, request: "GET /aism/ HTTP/1.1",
> upstream: "http://192.168.1.53:442/aism/", host: "subdomain.domain.com"

"upstream prematurely closed connection" suggests that nginx thinks that the port 442 listener did something wrong. Are there logs of what the port 442 listener thinks happened?

Good luck with it,

f
--
Francis Daly        fran...@daoine.org
Re: Health checks and reloads
Hi Aditya,

On 26/04/2017 23:30, Aditya Umrani wrote:
> Hello,
>
> We are using nginx plus and we use application health-checks. We
> want to move to the 'mandatory' parameter which requires that
> servers pass the health check before it becomes active.
> [...]

I'd suggest approaching the -plus support channel. You can open a support ticket just by forwarding this email.

--
Maxim Konovalov
Health checks and reloads
Hello,

We are using nginx plus and we use application health-checks. We want to move to the 'mandatory' parameter which requires that servers pass the health check before they become active.

Currently, we have a system which reloads all configs (rather than a diff-based system which would only apply the changes via the APIs). It does this by generating a new set of configs (routing rules, upstreams, etc.) and then calling reload on the parent (which essentially results in creating new worker processes).

We are wondering what happens when nginx receives a reload. For an upstream (for simplicity, say 1 host in that upstream) which is present in the old config and is also present in the new config:

1. Will it block traffic till that host has successfully passed 'N' checks (configured)?
2. Will it return 502's as there are no more active hosts to serve for this upstream?
3. Anything else?

Thanks,
Aditya
critique my config file
I am using Nginx 1.13 and have removed all the "if"s from the config file and would now like someone to analyse it, look at the rewrites, etc. if possible. It works fine but seems a bit unorganized and I'm wondering if there are some duplicate things.

I have created a bunch of 444 locations to drop the malicious scripts and visitors from reading such locations which don't exist. I also make the admin area inaccessible, then uncomment whenever I want to access such areas, for security.

The only issue I'm aware of is that I am using "resolver 8.8.8.8;", which is said to leave one open to man-in-the-middle DNS attacks or spoofing, but I haven't been excited about running BIND with all the extra overhead so haven't done so.

Here is the config file: https://pastebin.com/szFGQ2SD

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273889,273889#msg-273889
Re: remove if from code
Thanks! I got it to work but had to put my fastcgi stuff inside.

location ~ \.php$ {
    try_files $uri /index.php;
    # fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
    expires off;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    ## Tweak fastcgi buffers, just in case.
    fastcgi_buffer_size 256k;
    fastcgi_buffers 256 4k;
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;
    #fastcgi_connect_timeout 300;
    #fastcgi_send_timeout 300;
    #fastcgi_read_timeout 300;
    fastcgi_param HTTPS on;
    fastcgi_param HTTP_SCHEME https;
    include fastcgi_params;
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273865,273888#msg-273888
Why does nginx rewrite sending https to http?
Hi,

I'm trying to rewrite some route in the cloud foundry static buildpack, but whenever I rewrite, the https goes to http. So I add a return to / for /login, and then it goes to http://server/, even though it starts with https://server/login.

location /login {
    return 301 /;
    <% if ENV["FORCE_HTTPS"] %>
    if ($http_x_forwarded_proto != "https") {
        return 301 https://$host$request_uri;
    }
    <% end %>
}
Re: UDP reverse proxying for OpenVPN isn't working using Nginx streams
On Wed, Apr 26, 2017 at 09:42:22AM -0400, akb-nginx wrote:
> Thanks for your response. I think I am out of luck then as far as proxying
> UDP openvpn is concerned. Any particular reason that Nginx took this
> approach instead of how very basic load balancers like "Pen" etc do it.
>
> I was able to proxy using simpler tools like pen and nc but a more loaded
> Nginx fails for the reasons you mentioned.

When operating in multi-worker mode, a UDP packet from a client may be received by any worker. Using SO_REUSEPORT can help with that on Linux, but not always. Proxying becomes complicated if every packet of a UDP packet sequence is received by a different worker.

--
Roman Arutyunyan
Passing small request_body to auth_request through a header
I have a small body (less than 512 bytes) that I'd like to pass to auth_request. Since the body is discarded, I've tried passing it through a header with no luck. Is there any way to do this?

location = /my_auth {
    internal;
    include fastcgi_params;
    fastcgi_pass unix:/tmp/nginx/sock/my_auth.sock;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header MYBODY $request_body;
    fastcgi_param MYBODY $request_body;
}

location = /login {
    auth_request /my_auth;
    client_max_body_size 512;
}
Re: Client certificate authentication error
There is an incorrect syntax to fix.

I have registered p12 certificate and ca certificate in my Firefox browser, but I get "400 Bad Request".
==>
I have registered client.p12 and ca.crt file in my Firefox browser, but I get "400 Bad Request".

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273879,273880#msg-273880
how add RewriteRule .* index.php in nginx
How do I add " RewriteRule .* index.php " in nginx.conf for a subfolder, and not redirect for the root?

Example:
https://www.bidbarg.com/ (index.php redirect to none)
https://www.bidbarg.com/bimeh/index.php/ (index.php needed)

Thank you

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273883,273883#msg-273883
Way to deny all requests if any upstream is down
Hi All,

Is there any way to deny all requests if any upstream servers are down?

Thanks

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273881,273881#msg-273881
Re: nginx-1.13.0
Hello!

On Wed, Apr 26, 2017 at 07:15:13AM +1000, Alex Samad wrote:

> On 26 April 2017 at 00:32, Maxim Dounin wrote:
>
> > *) Change: SSL renegotiation is now allowed on backend connections.
>
> What does this mean ?
>
> reason I am asking is I would like to setup a site say example.com, that is
> SSL, with no need for client certs at root URI
>
> but I would like to force a reneg at say /private/<...>
>
> is that possible ..(I know its not backend, my hope is that if the code is
> there for the backend, then it might be available at the front end as well)

No, it is not possible to require client certificates only for some URIs in nginx, and it is unlikely to be possible in the foreseeable future. This is implemented by some other servers though, and in the past there were several reports about interoperability problems with such servers when nginx talked to them via proxy_pass. For additional details see http://hg.nginx.org/nginx/rev/ac9b1df5b246.

--
Maxim Dounin
http://nginx.org/
Re: UDP reverse proxying for OpenVPN isn't working using Nginx streams
Thanks for your response. I think I am out of luck then as far as proxying UDP openvpn is concerned. Any particular reason that Nginx took this approach instead of how very basic load balancers like "Pen" etc. do it?

I was able to proxy using simpler tools like pen and nc but a more loaded Nginx fails for the reasons you mentioned.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273875,273878#msg-273878
Re: Blocking all URIs except for one directory
Hello!

On Tue, Apr 25, 2017 at 12:50:24PM -0700, Igal @ Lucee.org wrote:

> Hello,
>
> I want to secure a site using the allow/deny directives so that only
> allowed networks will be able to access it. There is one "public"
> directory, however, that I want to be accessible for everyone.
>
> nginx serves as a reverse proxy on that site, and requests for URIs that
> end with the suffix ".cfm" are proxied to Tomcat.
>
> So I currently have something like:
>
> location / {
>     allow 10.0.0.0/24;
>     deny all;
> }
>
> location /public/ {
>     allow all;  # does that make sense?
> }
>
> location ~ \.cfm$ {
>     ## proxy settings go here
> }
>
> Keep in mind that .cfm scripts are both in /public/ as well as in other
> directories.
>
> How can I achieve that?

Try this instead:

location / {
    allow ...
    deny all;

    location ~ \.cfm$ {
        ...
    }
}

location /public/ {
    # access allowed to all by default - unless there is
    # something restrictive defined on previous levels

    location ~ \.cfm$ {
        ...
    }
}

You may also find this talk interesting:
https://youtu.be/YWRYbLKsS0I

--
Maxim Dounin
http://nginx.org/
UDP reverse proxying for OpenVPN isn't working using Nginx streams
Hi.

I was just wondering whether UDP stream proxying on Nginx is in its infancy or there is something which I am doing wrong. I have this simple config:

events {
    worker_connections 1024;
}

worker_processes 1;
error_log /dev/stderr debug;
daemon off;

stream {
    server {
        listen X.X.X.X:1194 udp;
        proxy_pass 127.0.0.1:1195;
    }
}

to make Nginx a reverse proxy for my OpenVPN server listening on UDP port 1195 on localhost. But it just doesn't work. When a client connects, Nginx keeps logging these lines on stderr:

2017/04/26 12:14:43 [notice] 17125#0: using the "epoll" event method
2017/04/26 12:14:43 [notice] 17125#0: nginx/1.11.13
2017/04/26 12:14:43 [notice] 17125#0: built by gcc 4.9.2 (Debian 4.9.2-10)
2017/04/26 12:14:43 [notice] 17125#0: OS: Linux 3.16.0-4-amd64
2017/04/26 12:14:43 [notice] 17125#0: getrlimit(RLIMIT_NOFILE): 1024:4096
2017/04/26 12:14:43 [notice] 17125#0: start worker processes
2017/04/26 12:14:43 [notice] 17125#0: start worker process 17126
2017/04/26 12:14:47 [info] 17126#0: *1 udp client Y.Y.Y.Y:40332 connected to X.X.X.X:1194
2017/04/26 12:14:47 [info] 17126#0: *1 udp proxy 127.0.0.1:55424 connected to 127.0.0.1:1195
2017/04/26 12:14:47 [info] 17126#0: *3 udp client Y.Y.Y.Y:40332 connected to X.X.X.X:1194
2017/04/26 12:14:47 [info] 17126#0: *3 udp proxy 127.0.0.1:48958 connected to 127.0.0.1:1195
2017/04/26 12:14:47 [info] 17126#0: *5 udp client Y.Y.Y.Y:40332 connected to X.X.X.X:1194
2017/04/26 12:14:47 [info] 17126#0: *5 udp proxy 127.0.0.1:56732 connected to 127.0.0.1:1195
2017/04/26 12:14:47 [info] 17126#0: *7 udp client Y.Y.Y.Y:40332 connected to X.X.X.X:1194
2017/04/26 12:14:47 [info] 17126#0: *7 udp proxy 127.0.0.1:60363 connected to 127.0.0.1:1195
2017/04/26 12:14:50 [info] 17126#0: *9 udp client Y.Y.Y.Y:56226 connected to X.X.X.X:1194
2017/04/26 12:14:50 [info] 17126#0: *9 udp proxy 127.0.0.1:52499 connected to 127.0.0.1:1195
2017/04/26 12:14:50 [info] 17126#0: *11 udp client Y.Y.Y.Y:56226 connected to X.X.X.X:1194
2017/04/26 12:14:50 [info] 17126#0: *11 udp proxy 127.0.0.1:48850 connected to 127.0.0.1:1195
2017/04/26 12:14:50 [info] 17126#0: *13 udp client Y.Y.Y.Y:56226 connected to X.X.X.X:1194
2017/04/26 12:14:50 [info] 17126#0: *13 udp proxy 127.0.0.1:60125 connected to 127.0.0.1:1195
2017/04/26 12:14:50 [info] 17126#0: *15 udp client Y.Y.Y.Y:56226 connected to X.X.X.X:1194
2017/04/26 12:14:50 [info] 17126#0: *15 udp proxy 127.0.0.1:54133 connected to 127.0.0.1:1195
2017/04/26 12:14:52 [info] 17126#0: *17 udp client Y.Y.Y.Y:56226 connected to X.X.X.X:1194
2017/04/26 12:14:52 [info] 17126#0: *17 udp proxy 127.0.0.1:50184 connected to 127.0.0.1:1195
2017/04/26 12:14:52 [info] 17126#0: *19 udp client Y.Y.Y.Y:56226 connected to X.X.X.X:1194
2017/04/26 12:14:52 [info] 17126#0: *19 udp proxy 127.0.0.1:48836 connected to 127.0.0.1:1195
2017/04/26 12:14:53 [info] 17126#0: *21 udp client Y.Y.Y.Y:56226 connected to X.X.X.X:1194
2017/04/26 12:14:53 [info] 17126#0: *21 udp proxy 127.0.0.1:42665 connected to 127.0.0.1:1195
2017/04/26 12:14:56 [info] 17126#0: *23 udp client Y.Y.Y.Y:56226 connected to X.X.X.X:1194
...
...

Whereas the OpenVPN client is stuck on:

Wed Apr 26 12:14:50 2017 OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 12 2015
Wed Apr 26 12:14:50 2017 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Wed Apr 26 12:14:50 2017 Control Channel Authentication: tls-auth using INLINE static key file
Wed Apr 26 12:14:50 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 26 12:14:50 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 26 12:14:50 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Apr 26 12:14:50 2017 UDPv4 link local: [undef]
Wed Apr 26 12:14:50 2017 UDPv4 link remote: [AF_INET]X.X.X.X:1194
Wed Apr 26 12:14:50 2017 TLS: Initial packet from [AF_INET]X.X.X.X:1194, sid=afcea479 758711e0

Even these trivial setups work as expected:

pen X.X.X.X:1194 127.0.0.1:1195 -U

OR

nc -u -l -p 1194 -c "nc -u 127.0.0.1 1195"

But I fail to understand why Nginx isn't working. By the way, if everything is replaced with TCP in both the nginx and OpenVPN files, it works. Also UDP proxying for DNS:

listen X.X.X.X:53 udp;
proxy_pass 8.8.8.8:53;

works. The Nginx version is: 1.11.13.

Will really appreciate any advice on this.

Thanks & Regards.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273875,273875#msg-273875
Re: N00b - confused ssl
> So it sounds like if I want to decrypt incoming traffic and upstream traffic I would put them in the same block like this ?

Seems fine.

p.s. just if you trust your backend there is in general no need to use proxy_ssl_verify on; When it's off (by default) nginx will be fine with whatever certificate the backend server provides as far as the connection is via ssl/tls.

rr
Re: N00b - confused ssl
So it sounds like if I want to decrypt incoming traffic and upstream traffic I would put them in the same block like this ?

server {
    ##
    # This is acting like the server side to decrypt the incoming traffic
    ##
    listen 443 ssl;  # 'ssl' parameter tells NGINX to decrypt the traffic
    server_name _;   # any server

    # root cert in PEM format
    ssl_certificate /etc/ssl/certs/server.crt;
    # root private key
    ssl_certificate_key /etc/ssl/certs/server.key;
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    # can tweak caching strategy if needed
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 4h;
    ssl_handshake_timeout 30s;

    ##
    # This is acting like the client side and re-encrypting
    ##
    proxy_ssl on;
    # ssl client cert
    proxy_ssl_certificate /etc/ssl/certs/backend.crt;
    # ssl client private key
    proxy_ssl_certificate_key /etc/ssl/certs/backend.key;
    proxy_ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    proxy_ssl_ciphers HIGH:!aNULL:!MD5;

    # if requires trusted cert
    # proxy_ssl_trusted_certificate /etc/ssl/certs/trusted_ca_cert.crt;
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_session_reuse on;

    log_format replay '[$time_local] $server_name $status $content_type $request_method XX_HOST_XX$request_uri Authorization:"$http_authorization" $request_body_file';
    client_body_in_file_only on;
    access_log /var/log/nginx/request_response.log replay;

    location / {
        proxy_pass https://backend;  # 'https' prefix tells NGINX to encrypt the traffic
    }
}

On Tue, Apr 25, 2017 at 8:13 PM, Reinis Rozitis wrote:

> > so if I put both of these in one server block so that the incoming is
> > de-crypted and the outgoing is decrypted. Do I put both the server and
> > client certs in the same server block ?
> > confused.
>
> Depends on what setup/requirements you actually have:
>
> - If your backend server requires authentication then you have to provide
> a client certificate via proxy_ssl_certificate (http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_certificate).
>
> - If your clients need to authenticate versus your nginx proxy then you
> use ssl_verify_client / ssl_trusted_certificate (http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client).
>
> - If your backend requires passing through the user certificates it's a
> bit tricky as depending on backend it might or might not work
> https://trac.nginx.org/nginx/ticket/857
>
> rr
Re: nginx-1.13.0
Hello Nginx users,

(I forgot to send this email yesterday.)

Now available: Nginx 1.13.0 for Windows https://kevinworthington.com/nginxwin1130 (32-bit and 64-bit versions)

These versions are to support legacy users who are already using Cygwin based builds of Nginx. Officially supported native Windows binaries are at nginx.org.

Announcements are also available here:
Twitter http://twitter.com/kworthington
Google+ https://plus.google.com/+KevinWorthington/

Thank you,
Kevin
--
Kevin Worthington
kworthington *@* (gmail] [dot} {com)
http://kevinworthington.com/
http://twitter.com/kworthington
https://plus.google.com/+KevinWorthington/

On Tue, Apr 25, 2017 at 10:32 AM, Maxim Dounin wrote:

> Changes with nginx 1.13.0                                        25 Apr 2017
>
>     *) Change: SSL renegotiation is now allowed on backend connections.
>
>     *) Feature: the "rcvbuf" and "sndbuf" parameters of the "listen"
>        directives of the mail proxy and stream modules.
>
>     *) Feature: the "return" and "error_page" directives can now be used to
>        return 308 redirections.
>        Thanks to Simon Leblanc.
>
>     *) Feature: the "TLSv1.3" parameter of the "ssl_protocols" directive.
>
>     *) Feature: when logging signals nginx now logs PID of the process which
>        sent the signal.
>
>     *) Bugfix: in memory allocation error handling.
>
>     *) Bugfix: if a server in the stream module listened on a wildcard
>        address, the source address of a response UDP datagram could differ
>        from the original datagram destination address.
>
>
> --
> Maxim Dounin
> http://nginx.org/
Re: remove if from code
> Does anyone know how to rewrite this snippet?
>
> ## Execute PHP Scripts using FastCGI
> location ~ \.php(/.*)? {
>     if (!-e $request_filename) {
>         rewrite / /index.php last;
>     }

You can use try_files for that (http://nginx.org/en/docs/http/ngx_http_core_module.html#try_files)

location ~ \.php$ {
    try_files $uri /index.php;
}

p.s. obviously for this location you need to add php handling also.

rr