How can I set a maximum limit for gzip module?

2017-04-26 Thread t.nishiyori
Hello,

I'm using nginx-1.11.2 for proxy server with gzip-module.

I would like to have something like a "gzip_max_length" directive in
ngx_http_gzip_module, because some upstream responses' sizes exceeded the
settings of gzip_buffers.
(But there was no error... This is strange to me...)

I can change the gzip_buffers to enough size for upstream, but there is no
limit.

Can I set a limit of maximum content-size for gzip module?

Thank you.

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,273899,273899#msg-273899

___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx


Re: $upstream_addr returning "-" only on requests with "del" in them

2017-04-26 Thread ywarnier
And the usual debug information I just found on
https://www.nginx.com/resources/wiki/start/topics/tutorials/debugging/ that
I should provide (very sorry for doing that in 3 parts, won't happen
again):

 nginx -V
nginx version: nginx/1.10.0 (Ubuntu)
built with OpenSSL 1.0.2g  1 Mar 2016
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong
-Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2'
--with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now'
--prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf
--http-log-path=/var/log/nginx/access.log
--error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock
--pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi
--http-proxy-temp-path=/var/lib/nginx/proxy
--http-scgi-temp-path=/var/lib/nginx/scgi
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit
--with-ipv6 --with-http_ssl_module --with-http_stub_status_module
--with-http_realip_module --with-http_auth_request_module
--with-http_addition_module --with-http_dav_module --with-http_geoip_module
--with-http_gunzip_module --with-http_gzip_static_module
--with-http_image_filter_module --with-http_v2_module --with-http_sub_module
--with-http_xslt_module --with-stream --with-stream_ssl_module --with-mail
--with-mail_ssl_module --with-threads
--add-module=/build/nginx-pzhfc2/nginx-1.10.0/debian/modules/nginx-auth-pam
--add-module=/build/nginx-pzhfc2/nginx-1.10.0/debian/modules/nginx-dav-ext-module
--add-module=/build/nginx-pzhfc2/nginx-1.10.0/debian/modules/nginx-echo
--add-module=/build/nginx-pzhfc2/nginx-1.10.0/debian/modules/nginx-upstream-fair
--add-module=/build/nginx-pzhfc2/nginx-1.10.0/debian/modules/ngx_http_substitutions_filter_module

 cat /etc/nginx/nginx.conf

user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
worker_connections 768;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    client_max_body_size 50m;
    # Avoid timeouts
    send_timeout 600;
    proxy_send_timeout 600;
    proxy_read_timeout 600;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    log_format compression '$remote_addr - $remote_user [$time_local] '
                           '"$request" $status $body_bytes_sent '
                           '"$http_referer" "$http_user_agent" "$gzip_ratio" '
                           '[$upstream_addr: $request |$upstream_connect_time|$upstream_header_time|$upstream_response_time|$request_time|$bytes_sent|$pipe|$upstream_status]';

    gzip on;
    gzip_disable "msie6";
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}


 cat sites-enabled/load-balancer 

upstream apache {
  server webdevw1.myorg.edu;
}

 cat sites-enabled/dev.www.myorg.edu

server {
  listen 80;
  listen [::]:80;
  server_name dev.www.myorg.edu;
  error_log /var/log/nginx/www.myorg.edu-error.log debug;
  access_log /var/log/nginx/www.myorg.edu-access.log compression;
  location / {
    proxy_buffers 64 128k;
    proxy_buffer_size 2k;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_pass http://apache;
  }
}

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,273895,273898#msg-273898

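An added example (not from the thread) of the triage I would run over logs written with the `compression` log_format in the nginx.conf above: a Python parser for that format that lists requests whose `$upstream_addr` is "-", meaning nginx finished the request without ever contacting the upstream. It assumes the mail-wrapped format string was a single line with single spaces; the sample log lines are constructed.

```python
import re

# Regex for the custom "compression" log_format defined in the nginx.conf quoted
# in this thread. Assumption: the mail-wrapped string fragments were separated by
# single spaces in the real config file.
LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" "(?P<gzip_ratio>[^"]*)" '
    r'\[(?P<upstream_addr>.+?): (?P<upstream_request>.*?) '
    r'\|(?P<upstream_connect_time>[^|]*)\|(?P<upstream_header_time>[^|]*)'
    r'\|(?P<upstream_response_time>[^|]*)\|(?P<request_time>[^|]*)'
    r'\|(?P<bytes_sent>[^|]*)\|(?P<pipe>[^|]*)\|(?P<upstream_status>[^\]]*)\]$'
)

# Constructed sample lines (not the poster's real logs): a normal proxied GET,
# a POST that nginx finalized with 400 before contacting any upstream, and a
# line in the default "combined" format that this parser must reject.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Apr/2017:18:38:40 -0500] "GET /en/node/734/edit HTTP/1.1" 200 14233 "-" "Mozilla/5.0" "3.12" [10.0.0.5:80: GET /en/node/734/edit HTTP/1.1 |0.001|0.215|0.216|0.217|14580|.|200]
203.0.113.7 - - [26/Apr/2017:18:38:52 -0500] "POST /en/node/734/edit HTTP/1.1" 400 166 "http://dev.www.myorg.edu/en/node/734/edit" "Mozilla/5.0" "-" [-: POST /en/node/734/edit HTTP/1.1 |-|-|-|0.003|282|.|-]
203.0.113.7 - - [26/Apr/2017:18:39:01 -0500] "GET /robots.txt HTTP/1.1" 200 45 "-" "curl/7.47.0"
"""


def parse_line(line):
    """Parse one access-log line; return a dict of fields, or None if the line
    is not in the compression format."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def explain(entry):
    """Short triage hint for an entry whose $upstream_addr is "-"."""
    status = entry["status"]
    if status.startswith("4"):
        # nginx answered by itself (e.g. 400 after a client body read error, as
        # in the debug log above); no upstream connection was ever attempted.
        return "finalized by nginx with %s before any upstream was contacted" % status
    if status.startswith("3"):
        return "redirect answered by nginx; no upstream contacted"
    return "no upstream contacted (status %s)" % status


def find_unproxied(log_text):
    """Return one dict per request that never reached an upstream."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["upstream_addr"] != "-":
            continue
        flagged.append({
            "time_local": entry["time_local"],
            "remote_addr": entry["remote_addr"],
            "request": entry["request"],
            "status": entry["status"],
            "request_time": entry["request_time"],
            "reason": explain(entry),
        })
    return flagged


def summarize(log_text):
    """Count parsed, unparsed and not-proxied lines in a log text."""
    counts = {"parsed": 0, "unparsed": 0, "not_proxied": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            counts["unparsed"] += 1
            continue
        counts["parsed"] += 1
        if entry["upstream_addr"] == "-":
            counts["not_proxied"] += 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for hit in find_unproxied(SAMPLE_LOG):
        print("%(time_local)s %(remote_addr)s %(status)s %(request)s: %(reason)s" % hit)
```

Run it against the real www.myorg.edu-access.log by passing the file contents to `find_unproxied`; unparsed lines usually mean another log_format was in effect for that server block.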


Re: $upstream_addr returning "-" only on requests with "del" in them

2017-04-26 Thread ywarnier
Sometimes writing your thoughts down helps...
Apparently something wasn't reporting correctly so far, but using the debug
level, I finally ended up getting some information. I should mention that the
word that seems to provoke this issue is ' del ' (with two spaces around
it). If those 3 letters are included in another word, nothing weird
happens.

When the word is there on its own, though, this is my debug log (I have
surrounded the most obvious issue with two blank lines):

2017/04/26 18:38:52 [debug] 6496#6496: *350 http keepalive handler
2017/04/26 18:38:52 [debug] 6496#6496: *350 malloc: 55B18C6ADF30:1024
2017/04/26 18:38:52 [debug] 6496#6496: *350 recv: fd:16 978 of 1024
2017/04/26 18:38:52 [debug] 6496#6496: *350 reusable connection: 0
2017/04/26 18:38:52 [debug] 6496#6496: *350 posix_memalign:
55B18C6C0F10:4096 @16
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Host:
dev.www.myorg.edu"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Connection:
keep-alive"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Content-Length:
16639"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Pragma: no-cache"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Cache-Control:
no-cache"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Origin:
http://dev.www.myorg.edu"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header:
"Upgrade-Insecure-Requests: 1"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "User-Agent:
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)
Ubuntu Chromium/57.0.2987.98 Chrome/57.0.2987.98 Safari/537.36"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Content-Type:
multipart/form-data; boundary=WebKitFormBoundaryfufPzGfQx0XTvHjM"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Referer:
http://dev.www.myorg.edu/en/node/734/edit"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Accept-Encoding:
gzip, deflate"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Accept-Language:
en-US,en;q=0.8,es;q=0.6,fr-FR;q=0.4,fr;q=0.2"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "Cookie:
DrupalModuleFilter=activeTab%3Dall;
SESSb62f82f041805dbb55d5167522aaa24e=y-yFLoyVXBRCGSmicYphWW-OCVYIGphmDhmx9k9wubQ;
SESSd452cfca8c0eccb9b5e4447bc1fa95dc=ENsFfcPE5jv4sTxlDxc40kg09aFMu7S-ZXJHPn0osb4;
has_js=1; Drupal.tableDrag.showWeight=0"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header: "DNT: 1"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http header done
2017/04/26 18:38:52 [debug] 6496#6496: *350 generic phase: 0
2017/04/26 18:38:52 [debug] 6496#6496: *350 rewrite phase: 1
2017/04/26 18:38:52 [debug] 6496#6496: *350 test location: "/"
2017/04/26 18:38:52 [debug] 6496#6496: *350 using configuration "/"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http cl:16639 max:52428800
2017/04/26 18:38:52 [debug] 6496#6496: *350 rewrite phase: 3
2017/04/26 18:38:52 [debug] 6496#6496: *350 post rewrite phase: 4
2017/04/26 18:38:52 [debug] 6496#6496: *350 generic phase: 5
2017/04/26 18:38:52 [debug] 6496#6496: *350 generic phase: 6
2017/04/26 18:38:52 [debug] 6496#6496: *350 generic phase: 7
2017/04/26 18:38:52 [debug] 6496#6496: *350 access phase: 8
2017/04/26 18:38:52 [debug] 6496#6496: *350 access phase: 9
2017/04/26 18:38:52 [debug] 6496#6496: *350 access phase: 10
2017/04/26 18:38:52 [debug] 6496#6496: *350 access phase: 11
2017/04/26 18:38:52 [debug] 6496#6496: *350 post access phase: 12
2017/04/26 18:38:52 [debug] 6496#6496: *350 try files phase: 13
2017/04/26 18:38:52 [debug] 6496#6496: *350 http request body content length
filter
2017/04/26 18:38:52 [debug] 6496#6496: *350 malloc: 55B18C6F4100:8192
2017/04/26 18:38:52 [debug] 6496#6496: *350 http read client request body
2017/04/26 18:38:52 [debug] 6496#6496: *350 recv: fd:16 -1 of 8192

2017/04/26 18:38:52 [info] 6496#6496: *350 recv() failed (104: Connection
reset by peer), client: 190.117.233.77, server: dev.www.myorg.edu, request:
"POST /en/node/734/edit HTTP/1.1", host: "dev.www.myorg.edu", referrer:
"http://dev.www.myorg.edu/en/node/734/edit"

2017/04/26 18:38:52 [debug] 6496#6496: *350 http client request body recv
-1
2017/04/26 18:38:52 [debug] 6496#6496: *350 http finalize request: 400,
"/en/node/734/edit?" a:1, c:1
2017/04/26 18:38:52 [debug] 6496#6496: *350 http terminate request count:1
2017/04/26 18:38:52 [debug] 6496#6496: *350 http terminate cleanup count:1
blk:0
2017/04/26 18:38:52 [debug] 6496#6496: *350 http posted request:
"/en/node/734/edit?"
2017/04/26 18:38:52 [debug] 6496#6496: *350 http terminate handler count:1
2017/04/26 18:38:52 [debug] 6496#6496: *350 http request count:1 blk:0
2017/04/26 18:38:52 [debug] 6496#6496: *350 http close request
2017/04/26 18:38:52 [debug] 6496#6496: *350 http log handler
2017/04/26 18:38:52 [debug] 6496#6496: *350 free: 55B18C6F4100

xslt question

2017-04-26 Thread Alex Samad
Hi

I am using
https://gist.github.com/wilhelmy/5a59b8eea26974a468c9

for


location /ts/ {
#autoindex on;
#autoindex_format html;
try_files $uri @autoindex;
}


# need xlst module
location @autoindex {
autoindex on;
autoindex_format xml;
xslt_stylesheet xslt/dirlist.xslt path='$uri';

}


My problem is, I have a file with a % in it and I need to escape / encode
it as a URI,

but when I use the XML functions to encode a URI I get "function not found".

After more reading, I need XSLT 2, not 1. How can I tell if I am using 1 or 2?

A

$upstream_addr returning "-" only on requests with "del" in them

2017-04-26 Thread ywarnier
Hi guys,

I have a problem with some of the requests sent to my Nginx load balancer,
which reports (in the access_log configured to show $upstream_addr) that
$upstream_addr is equal to "-", but only in a weird case where the post
contains the word "del".

I'm using Nginx 1.10.0 packaged in Ubuntu 16.04.4, in a development cluster
of VMs with Nginx serving as load balancer for a bunch of Drupal 7 sites
that an Apache+modPHP is serving (I could use Nginx+PHP-FPM but that's not
the point here).

So it's a web-facing VM with Nginx that passes to another VM with Apache
(through proxy_pass). No "effective" load balancing (only one upstream
server in the backend block).

I've tried to maintain customizations to a reasonable minimum to avoid
introducing too many variables.

Inside Drupal 7 (which I installed under the Apache backend server), I have
nodes that I would like to edit.

Now, on several nodes, when I edit a textarea with whatever I like,
everything works fine. The request is passed to Nginx, then to Apache, and I
can see that in the access logs for both.

However, if the textarea contains the word "del" (I know... weird), then the
request gets to Nginx and the $upstream_addr is generated as "-" and no
request reaches the upstream server.

How can I debug that?
I've tried putting the error_log to "debug" but it's apparently not an
error.
The access_log provides me with this weird case of $upstream_addr = '-', but
that's all I get...

Thanks for your help!

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,273895,273895#msg-273895



Re: how add RewriteRule .* index.php in nginx

2017-04-26 Thread Francis Daly
On Wed, Apr 26, 2017 at 10:22:20AM -0400, e.htabar wrote:

Hi there,

> how set add " RewriteRule .* index.php " in nginx.conf for subfolder ?

You probably put the config in a suitable location{} block.

What config do you have right now that does most of what you want?

Do you "return" or "rewrite" or "try_files" or something else?

The best config depends on what else you want the system to do.

Cheers,

f
-- 
Francis Daly  fran...@daoine.org


Re: Nginx Nodejs Raspberry Pi2 Bad Gateway

2017-04-26 Thread Francis Daly
On Tue, Apr 25, 2017 at 10:13:19AM -0400, marciokoko wrote:

Hi there,

I confess that it's a bit confusing to me what exactly you are doing here.

Can you create one "curl" command which makes one request, that gives
a response that is not what you want to see?

If you can show what you expect to see instead, that might be helpful too.

If at all possible, copy-paste the pieces you are reporting, rather than
re-typing things.

It looks like there may be some typographical errors in what you report
here, which might be what is unclear to me.

> INTERNET (subdomain.domain.com A Record to public IP 186187)
> Hurl.it -POST-> Public IP:
> https://186187/API/switches?sw1?password=123456 -> Linksys Router
> IP:186...187:443 Port Forward to 192...53
> 
> ONLAN (nginx setup https with ssl from letsencrypt)
> 19253 RPi2 nginx config bypass 192...53:442 . --> nodejs app.js
> listening on port 442 

I *think* that the intention here is that a https request gets to nginx,
and then nginx makes a http request to the port-442 listener.

Can you show the request that gets to nginx, and the request that gets
to port 442, and see what the port-442 listener does with it?

> error_page 404 /404.html;
> error_page 500 502 503 504 /50x.html;

Unless you have a location{} that matches those html urls, they may be
proxy_pass'ed to port 442 as well, which may make it more difficult than
necessary to interpret the log files.

> 2017/04/23 20:08:38 [error] 20424#0: *4 upstream prematurely closed
> connection while reading response header from upstream, client:
> 192.168.1.56, server: subdomain.domain.com, request: "GET /aism/ HTTP/1.1",
> upstream: "http://192.168.1.53:442/aism/", host: "subdomain.domain.com"

"upstream prematurely closed connection" suggests that nginx thinks that
the port 442 listener did something wrong. Are there logs of what the
port 442 listener thinks happened?

Good luck with it,

f
-- 
Francis Daly  fran...@daoine.org


Re: Health checks and reloads

2017-04-26 Thread Maxim Konovalov
Hi Aditya,

On 26/04/2017 23:30, Aditya Umrani wrote:
> Hello,
> 
> We are using nginx plus and we use application health-checks. We
> want to move to the 'mandatory' parameter which requires that
> servers pass the health check before it becomes active.
> 
[...]

I'd suggest to approach -plus support channel.  You can open a
support ticket just by forwarding this email.

-- 
Maxim Konovalov


Health checks and reloads

2017-04-26 Thread Aditya Umrani
Hello,

We are using nginx plus and we use application health-checks. We want to
move to the 'mandatory' parameter which requires that servers pass the
health check before it becomes active.

Currently, we have a system which reloads all configs (rather than a diff
based system which would just only apply the changes via the APIs). It does
this by generating a new set of configs (routing rules, upstreams, etc) and
then calling reload on the parent (which essentially results in creating
new worker processes).

We are wondering what happens when nginx receives a reload. For an upstream
(for simplicity - say 1 host in that upstream) which is present in the old
config and is also present in the new config:
1. Will it block traffic till that host has successfully passed 'N' checks
(configured)
2. Will it return 502's as there are no more active hosts to serve for this
upstream.
3. Anything else?

Thanks,
Aditya

critique my config file

2017-04-26 Thread tommygunner
I am using Nginx 1.13 and have removed all the "if"s from the config file
and would now like someone to analyse it, look at the rewrites, etc. if
possible. It works fine but seems a bit unorganized and I'm wondering if
there are some duplicate things. I have created a bunch of 444 locations to
drop the malicious scripts and visitors from reading such locations which
don't exist. I also make the admin area inaccessible, then uncomment whenever
I want to access such areas, for security. 

The only issue I'm aware of is that I am using "resolver 8.8.8.8;", which is
said to leave it open to man-in-the-middle DNS attacks or spoofing, but I haven't
been excited about running BIND with all the extra overhead so haven't done
so.

Here is the config file:
https://pastebin.com/szFGQ2SD

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,273889,273889#msg-273889



Re: remove if from code

2017-04-26 Thread tommygunner
Thanks! I got it to work but had to put my fastcgi stuff inside.


location ~ \.php$ {
    try_files $uri /index.php;

    # fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
    expires off;
    fastcgi_pass   127.0.0.1:9000;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    ## Tweak fastcgi buffers, just in case.
    fastcgi_buffer_size 256k;
    fastcgi_buffers 256 4k;
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;
    #fastcgi_connect_timeout 300;
    #fastcgi_send_timeout 300;
    #fastcgi_read_timeout 300;
    fastcgi_param HTTPS on;
    fastcgi_param HTTP_SCHEME https;

    include fastcgi_params;
}

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,273865,273888#msg-273888



Why does nginx rewrite sending https to http?

2017-04-26 Thread Kevin
Hi,

I'm trying to rewrite some route in cloud foundry static buildpack, but
whenever I rewrite, the https goes to http.

So when I add a return of / for /login, it goes to http://server/, even though it
started with https://server/login.

location /login {
  return 301 /;

  <% if ENV["FORCE_HTTPS"] %>
  if ($http_x_forwarded_proto != "https") {
    return 301 https://$host$request_uri;
  }
  <% end %>
}

Re: UDP reverse proxying for OpenVPN isn't working using Nginx streams

2017-04-26 Thread Roman Arutyunyan
On Wed, Apr 26, 2017 at 09:42:22AM -0400, akb-nginx wrote:
> Thanks for your response. I think I am out of luck then as far as proxying
> UDP openvpn is concerned. Any particular reason that Nginx took this
> approach instead of how very basic load balancers like "Pen" etc do it.
> 
> I was able to proxy using simpler tools like pen and nc but a more loaded
> Nginx fails for the reasons you mentioned.

When operating in multi-worker mode, a UDP packet from a client may be received
by any worker.  Using SO_REUSEPORT can help with that on Linux, but not always.
Proxying becomes complicated if every packet of a UDP packet sequence is
received by a different worker.

-- 
Roman Arutyunyan


Passing small request_body to auth_request through a header

2017-04-26 Thread Danomi Czaski
I have a small body (less than 512 bytes) that I'd like to pass to
auth_request. Since the body is discarded, I've tried passing it
through a header with no luck. Is there any way to do this?

location = /my_auth
{
internal;

include  fastcgi_params;
fastcgi_pass  unix:/tmp/nginx/sock/my_auth.sock;

proxy_pass_request_body off;
proxy_set_header Content-Length "";

proxy_set_header MYBODY $request_body;
fastcgi_param  MYBODY $request_body;
}

location = /login
{
auth_request /my_auth;
client_max_body_size 512;
}


Re: Client certificate authentication error

2017-04-26 Thread tory
There is an incorrect syntax to fix.

I have registered p12 certificate and ca certificate in my Firefox browser,
but I get "400 Bad Request". 

==> I have registered client.p12 and ca.crt file in my Firefox browser, but
I get "400 Bad Request".

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,273879,273880#msg-273880



how add RewriteRule .* index.php in nginx

2017-04-26 Thread e.htabar
How do I add " RewriteRule .* index.php " in nginx.conf for a subfolder,

without redirecting for the root? Example:

https://www.bidbarg.com/ (index.php redirect to none)

https://www.bidbarg.com/bimeh/index.php/ (index.php needed)

thank you

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,273883,273883#msg-273883



Way to deny all requests if any upstream is down

2017-04-26 Thread lchennup
Hi All,

Is there any way to deny all requests if any upstream servers are down?

Thanks

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,273881,273881#msg-273881



Re: nginx-1.13.0

2017-04-26 Thread Maxim Dounin
Hello!

On Wed, Apr 26, 2017 at 07:15:13AM +1000, Alex Samad wrote:

> On 26 April 2017 at 00:32, Maxim Dounin  wrote:
> 
> >
> > *) Change: SSL renegotiation is now allowed on backend connections.
> >
> 
> What does this mean ?
> 
> 
> reason I am asking is I would like to setup a site say example.com, that is
> SSL, with no need for client certs at root URI
> 
> but I would like to force a reneg at say /private/<...>
> 
> is that possible ..(I know its not backend, my hope is that if the code is
> there for the backend, then it might be available at the front end as well)

No, it is not possible to require client certificates only for some URIs 
in nginx, and it is unlikely to be possible in the foreseeable future.  
This is implemented by some other servers though, and in the past 
there were several reports about interoperability problems with 
such servers when nginx talked to them via proxy_pass.  For 
additional details see http://hg.nginx.org/nginx/rev/ac9b1df5b246.

-- 
Maxim Dounin
http://nginx.org/


Re: UDP reverse proxying for OpenVPN isn't working using Nginx streams

2017-04-26 Thread akb-nginx
Thanks for your response. I think I am out of luck then as far as proxying
UDP openvpn is concerned. Any particular reason that Nginx took this
approach instead of how very basic load balancers like "Pen" etc do it.

I was able to proxy using simpler tools like pen and nc but a more loaded
Nginx fails for the reasons you mentioned.

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,273875,273878#msg-273878



Re: Blocking all URIs except for one directory

2017-04-26 Thread Maxim Dounin
Hello!

On Tue, Apr 25, 2017 at 12:50:24PM -0700, Igal @ Lucee.org wrote:

> Hello,
> 
> I want to secure a site using the allow/deny directives so that only 
> allowed networks will be able to access it.  There is one "public" 
> directory, however, that I want to be accessible for everyone.
> 
> nginx serves as a reverse proxy on that site, and requests for URIs that 
> end with the suffix ".cfm" are proxied to Tomcat.
> 
> So I currently have something like:
> 
> location / {
>  allow 10.0.0.0/24;
>  deny all;
> }
> 
> location /public/ {
>  allow all;# does that make sense?
> }
> 
> location ~ \.cfm$ {
>  ## proxy settings go here
> }
> 
> Keep in mind that .cfm scripts are both in /public/ as well as in other 
> directories.
> 
> How can I achieve that?

Try this instead:

location / {
    allow ...
    deny all;

    location ~ \.cfm$ {
        ...
    }
}

location /public/ {
    # access allowed to all by default - unless there is 
    # something restrictive defined on previous levels

    location ~ \.cfm$ {
        ...
    }
}

You may also find this talk interesting:

https://youtu.be/YWRYbLKsS0I

-- 
Maxim Dounin
http://nginx.org/


UDP reverse proxying for OpenVPN isn't working using Nginx streams

2017-04-26 Thread akb-nginx
Hi.

I was just wondering whether UDP stream proxying on Nginx is in its infancy
or there is something which I am doing wrong. I have this simple config: 

events { worker_connections  1024; }

worker_processes  1;
error_log /dev/stderr debug;
daemon off;

stream {
    server {
        listen X.X.X.X:1194 udp;
        proxy_pass 127.0.0.1:1195;
    }
}

to make Nginx a reverse proxy for my OpenVPN server listening on UDP port
1195 on localhost. But it just doesn't work. When a client connects, Nginx
keeps logging these lines on stderr:

2017/04/26 12:14:43 [notice] 17125#0: using the "epoll" event method
2017/04/26 12:14:43 [notice] 17125#0: nginx/1.11.13
2017/04/26 12:14:43 [notice] 17125#0: built by gcc 4.9.2 (Debian 4.9.2-10) 
2017/04/26 12:14:43 [notice] 17125#0: OS: Linux 3.16.0-4-amd64
2017/04/26 12:14:43 [notice] 17125#0: getrlimit(RLIMIT_NOFILE): 1024:4096
2017/04/26 12:14:43 [notice] 17125#0: start worker processes
2017/04/26 12:14:43 [notice] 17125#0: start worker process 17126
2017/04/26 12:14:47 [info] 17126#0: *1 udp client Y.Y.Y.Y:40332 connected to
X.X.X.X:1194
2017/04/26 12:14:47 [info] 17126#0: *1 udp proxy 127.0.0.1:55424 connected
to 127.0.0.1:1195
2017/04/26 12:14:47 [info] 17126#0: *3 udp client Y.Y.Y.Y:40332 connected to
X.X.X.X:1194
2017/04/26 12:14:47 [info] 17126#0: *3 udp proxy 127.0.0.1:48958 connected
to 127.0.0.1:1195
2017/04/26 12:14:47 [info] 17126#0: *5 udp client Y.Y.Y.Y:40332 connected to
X.X.X.X:1194
2017/04/26 12:14:47 [info] 17126#0: *5 udp proxy 127.0.0.1:56732 connected
to 127.0.0.1:1195
2017/04/26 12:14:47 [info] 17126#0: *7 udp client Y.Y.Y.Y:40332 connected to
X.X.X.X:1194
2017/04/26 12:14:47 [info] 17126#0: *7 udp proxy 127.0.0.1:60363 connected
to 127.0.0.1:1195
2017/04/26 12:14:50 [info] 17126#0: *9 udp client Y.Y.Y.Y:56226 connected to
X.X.X.X:1194
2017/04/26 12:14:50 [info] 17126#0: *9 udp proxy 127.0.0.1:52499 connected
to 127.0.0.1:1195
2017/04/26 12:14:50 [info] 17126#0: *11 udp client Y.Y.Y.Y:56226 connected
to X.X.X.X:1194
2017/04/26 12:14:50 [info] 17126#0: *11 udp proxy 127.0.0.1:48850 connected
to 127.0.0.1:1195
2017/04/26 12:14:50 [info] 17126#0: *13 udp client Y.Y.Y.Y:56226 connected
to X.X.X.X:1194
2017/04/26 12:14:50 [info] 17126#0: *13 udp proxy 127.0.0.1:60125 connected
to 127.0.0.1:1195
2017/04/26 12:14:50 [info] 17126#0: *15 udp client Y.Y.Y.Y:56226 connected
to X.X.X.X:1194
2017/04/26 12:14:50 [info] 17126#0: *15 udp proxy 127.0.0.1:54133 connected
to 127.0.0.1:1195
2017/04/26 12:14:52 [info] 17126#0: *17 udp client Y.Y.Y.Y:56226 connected
to X.X.X.X:1194
2017/04/26 12:14:52 [info] 17126#0: *17 udp proxy 127.0.0.1:50184 connected
to 127.0.0.1:1195
2017/04/26 12:14:52 [info] 17126#0: *19 udp client Y.Y.Y.Y:56226 connected
to X.X.X.X:1194
2017/04/26 12:14:52 [info] 17126#0: *19 udp proxy 127.0.0.1:48836 connected
to 127.0.0.1:1195
2017/04/26 12:14:53 [info] 17126#0: *21 udp client Y.Y.Y.Y:56226 connected
to X.X.X.X:1194
2017/04/26 12:14:53 [info] 17126#0: *21 udp proxy 127.0.0.1:42665 connected
to 127.0.0.1:1195
2017/04/26 12:14:56 [info] 17126#0: *23 udp client Y.Y.Y.Y:56226 connected
to X.X.X.X:1194
...
...

Whereas the OpenVPN client is stuck on:

Wed Apr 26 12:14:50 2017 OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)]
[LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 12 2015
Wed Apr 26 12:14:50 2017 library versions: OpenSSL 1.0.1t  3 May 2016, LZO
2.08
Wed Apr 26 12:14:50 2017 Control Channel Authentication: tls-auth using
INLINE static key file
Wed Apr 26 12:14:50 2017 Outgoing Control Channel Authentication: Using 160
bit message hash 'SHA1' for HMAC authentication
Wed Apr 26 12:14:50 2017 Incoming Control Channel Authentication: Using 160
bit message hash 'SHA1' for HMAC authentication
Wed Apr 26 12:14:50 2017 Socket Buffers: R=[212992->212992]
S=[212992->212992]
Wed Apr 26 12:14:50 2017 UDPv4 link local: [undef]
Wed Apr 26 12:14:50 2017 UDPv4 link remote: [AF_INET]X.X.X.X:1194
Wed Apr 26 12:14:50 2017 TLS: Initial packet from [AF_INET]X.X.X.X:1194,
sid=afcea479 758711e0

Even these trivial setups work as expected:

pen X.X.X.X:1194 127.0.0.1:1195  -U

OR

nc -u -l -p 1194 -c "nc -u 127.0.0.1 1195"

But I fail to understand why Nginx isn't working. By the way, if everything
is replaced with TCP in both the nginx and OpenVPN files, it works. Also UDP
proxying for DNS:

listen X.X.X.X:53 udp; 
proxy_pass 8.8.8.8:53;

works. The Nginx version is: 1.11.13. Will really appreciate any advice on
this.

Thanks & Regards.

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,273875,273875#msg-273875



Re: N00b - confused ssl

2017-04-26 Thread Reinis Rozitis
> So it sounds like if I want to decrypt incoming traffic and upstream 
> traffic I would put them in the same block like this ?

Seems fine.

p.s. just if you trust your backend there is in general no need to use 
proxy_ssl_verify on;
When it's off (by default) nginx will be fine with whatever certificate the 
backend server provides as long as the connection is via ssl/tls.



rr


Re: N00b - confused ssl

2017-04-26 Thread Joel Parker
So it sounds like if I want to decrypt incoming traffic and upstream
traffic I would put them in the same block like this ?

server {

    ##
    # This is acting like the server side to decrypt the incoming traffic
    ##

    listen 443 ssl;    # 'ssl' parameter tells NGINX to decrypt the traffic
    server_name _;     # any server

    # root cert in PEM format
    ssl_certificate /etc/ssl/certs/server.crt;

    # root private key
    ssl_certificate_key /etc/ssl/certs/server.key;

    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    # can tweak caching strategy if needed
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 4h;
    ssl_handshake_timeout 30s;

    ##
    # This is acting like the client side and re-encrypting
    ##

    proxy_ssl on;

    # ssl client cert
    proxy_ssl_certificate /etc/ssl/certs/backend.crt;

    # ssl client private key
    proxy_ssl_certificate_key /etc/ssl/certs/backend.key;
    proxy_ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    proxy_ssl_ciphers HIGH:!aNULL:!MD5;

    # if requires trusted cert
    # proxy_ssl_trusted_certificate /etc/ssl/certs/trusted_ca_cert.crt;

    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_session_reuse on;

    log_format replay '[$time_local] $server_name $status $content_type $request_method XX_HOST_XX$request_uri Authorization:"$http_authorization" $request_body_file';

    client_body_in_file_only on;
    access_log /var/log/nginx/request_response.log replay;

    location / {
        proxy_pass https://backend;    # 'https' prefix tells NGINX to encrypt the traffic
    }
}

On Tue, Apr 25, 2017 at 8:13 PM, Reinis Rozitis  wrote:

> > so if I put both of these in one server block so that the incoming is
> de-crypted and the outgoing is decrypted. Do I put both the server and
> client certs in the same server block ?
> confused.
>
> Depends on what setup/requirements you actually have:
>
> - If your backend server requires authentication then you have to provide
> a client certificate via proxy_ssl_certificate (http://nginx.org/en/docs/
> http/ngx_http_proxy_module.html#proxy_ssl_certificate ).
>
> - If your clients need to authenticate versus your nginx proxy then you
> use ssl_verify_client / ssl_trusted_certificate (
> http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client
> ).
>
> - If your backend requires passing through the user certificates it's a
> bit tricky as depending on backend it might or might not work
> https://trac.nginx.org/nginx/ticket/857
>
> rr
>

Re: nginx-1.13.0

2017-04-26 Thread Kevin Worthington
Hello Nginx users,

(I forgot to send this email yesterday.)

Now available: Nginx 1.13.0 for Windows https://kevinworthington.com/nginxwin1130
(32-bit and 64-bit versions)

These versions are to support legacy users who are already using Cygwin
based builds of Nginx. Officially supported native Windows binaries are at
nginx.org.

Announcements are also available here:
Twitter http://twitter.com/kworthington
Google+ https://plus.google.com/+KevinWorthington/

Thank you,
Kevin
--
Kevin Worthington
kworthington *@* (gmail]  [dot} {com)
http://kevinworthington.com/
http://twitter.com/kworthington
https://plus.google.com/+KevinWorthington/


On Tue, Apr 25, 2017 at 10:32 AM, Maxim Dounin  wrote:

> Changes with nginx 1.13.0                                        25 Apr 2017
>
> *) Change: SSL renegotiation is now allowed on backend connections.
>
> *) Feature: the "rcvbuf" and "sndbuf" parameters of the "listen"
>directives of the mail proxy and stream modules.
>
> *) Feature: the "return" and "error_page" directives can now be used to
>return 308 redirections.
>Thanks to Simon Leblanc.
>
> *) Feature: the "TLSv1.3" parameter of the "ssl_protocols" directive.
>
> *) Feature: when logging signals nginx now logs PID of the process
> which
>sent the signal.
>
> *) Bugfix: in memory allocation error handling.
>
> *) Bugfix: if a server in the stream module listened on a wildcard
>address, the source address of a response UDP datagram could differ
>from the original datagram destination address.
>
>
> --
> Maxim Dounin
> http://nginx.org/

Re: remove if from code

2017-04-26 Thread Reinis Rozitis

> Does anyone know how to rewrite this snippet?
>
> ## Execute PHP Scripts using FastCGI
> location ~ \.php(/.*)? {
>     if (!-e $request_filename) {
>         rewrite / /index.php last;
>     }


You can use try_files for that ( 
http://nginx.org/en/docs/http/ngx_http_core_module.html#try_files )


location ~ \.php$ {
    try_files $uri /index.php;
}


p.s. obviously for this location you need to add php handling also.

rr 

