Re: geoip variables evaluation vs map

2017-05-05 Thread Maxim Dounin
Hello!

On Fri, May 05, 2017 at 08:27:34AM -0400, beatnut wrote:

> Hello!
> When using variables via map directive they are evaluated when they are
> used. 
> My question is if variables from geoip module like $geoip_country_code are
> evaluated only when they are used, like map or every time?

Only when they are used.

-- 
Maxim Dounin
http://nginx.org/
___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx


geoip variables evaluation vs map

2017-05-05 Thread beatnut
Hello!
When using variables via map directive they are evaluated when they are
used. 
My question is if variables from geoip module like $geoip_country_code are
evaluated only when they are used, like map or every time?

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,274078,274078#msg-274078



Nginx rewrite rules codeigniter

2017-05-05 Thread Antonio González
I have an application in codeigniter.

This same application has a common code made in codeigniter and then
distributed in subdirectories each of which has a configuration, but
all pull the same common code.

The problem I have is that the application used to run in apache and
everything works correctly using the .htaccess.
Now I'm migrating the application to nginx and everything works fine
if we put the index.php
(e.g. http://baybay.es/Farmaciacm/index.php/dashboard),
but if I remove it, it does not work.

I have tried several configurations in nginx but none solves the problem.

I would need someone with nginx knowledge to see if I applied a proper
configuration to be able to run the application without the index.php.
The structure I have of directories is: the project root is
in /home_datos/fisiotes/domains/baybay.es/public_html/
subdirectories are:
/quadromandos/ -> common code for all applications
(codeigniter, but only for code, etc.)

/farmaciacm/ -> an application (here if there is an index.php)

/farmaciacm1/ -> another application (here if there is an index.php)

In root there is no code; everything is in subdirectories.

A greeting.




Re: [ANN] OpenResty 1.11.2.3 released

2017-05-05 Thread Maxim Konovalov
Hi Yichun,

On 22/04/2017 04:31, Yichun Zhang (agentzh) wrote:
> Hi folks,
> 
> Long time no releases. We've been very busy setting up the OpenResty
> Inc. commercial company in the US. That's why we've been quiet in the
> last few months. The good news is that we now have a strong full-time
> engineering team that can work on both the OpenResty open source
> platform and higher-level commercial products based on that. The
> OpenResty web platform will always remain open source. There's no
> doubt about that ;)
>
[...]

This is great news, our congratulations!

We wish you and all your team success with your project.

-- 
Maxim Konovalov


Return Specific Error Page in NGinX when all the upstream servers are marked down

2017-05-05 Thread shivramg94
I have an upstream block as follows

upstream sample{
server abc1.example.com down;
server abd2.example.com down;
}

Currently I get a 502 error. In this special case where I receive a 502 and
all upstream servers are down I would like to receive a specific error page
as temporarily unavailable.

How can I achieve that?

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,274075,274075#msg-274075



New variable $ssl_raw_handshake

2017-05-05 Thread Benny Baumann
Hi,

in course of building up a dataset of mappings of User-Agents and their
common SSL ClientHello messages[1] I started to implement a small patch
to nginx 1.13.0 mainline to implement a small transcript of the
handshake process similar to the one enabled in openssl s_client -msg.

The format of this new variable is a series of semicolon-delimited
blocks starting with a direction (C: -> sent by client, S: -> sent by
server) and followed by colon-delimited hexdumps of processed blocks of
data. The string C:00:01;S:0203:0405:0607;C:08090A; denotes 2 blocks of
1 byte each sent by the client, followed by 3 blocks of 2 bytes each from
the server and finally 1 block of 3 bytes from the client. Blocks
usually conform to how OpenSSL tries to process the data.

I'd appreciate a short review of the patch with comments for possible
improvements, code style and other related things. One yet open aspect
is configurable behaviour to only enable collection on-demand. Also
ideas for migrating this code into a separate module are welcome.

NB: Due to size of transcribed information it is commonly not feasible
to pass this variable to other backend servers via HTTP headers. Trying
to do so will most likely result in the backend responding 400 Bad
Request, sometimes also remarking about the overlong header. I'm still
looking at ways how this can be done in a sane way (abusing memcached
for transporting could be an option) - but this is outside the scope of
this patch. Plainly logging the information of this header to some
custom log will do just fine.

Kind regards,
BenBE.

[1] Original paper on this approach at [2]
[2] https://jhalderm.com/pub/papers/interception-ndss17.pdf
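
An added example, not part of the original post or patch: a strict parser for the transcript format described above, plus a heuristic that picks out the first client block shaped like a ClientHello handshake message. The function names, the constructed sample and the assumption that blocks are messages as OpenSSL delivered them to the callback belong to this example, not to the patch.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

_HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")   # one hexdump: whole bytes only

class Group(NamedTuple):
    direction: str              # "C" = sent by client, "S" = sent by server
    blocks: Tuple[bytes, ...]   # decoded hexdumps, in transcript order

def parse_transcript(value: str) -> List[Group]:
    """Parse 'C:00:01;S:0203:...;' strictly; raise ValueError if malformed.
    The value is derived from peer-supplied data, so nothing is skipped silently."""
    if value.endswith(";"):
        value = value[:-1]      # every group is terminated by ';'
    if not value:
        return []               # empty variable: nothing was recorded
    groups = []
    for entry in value.split(";"):
        direction, *dumps = entry.split(":")
        if direction not in ("C", "S") or not dumps:
            raise ValueError(f"bad group {entry[:20]!r}")
        for dump in dumps:
            if not _HEX.fullmatch(dump):
                raise ValueError(f"bad hexdump in group {entry[:20]!r}")
        groups.append(Group(direction, tuple(bytes.fromhex(d) for d in dumps)))
    return groups

def find_client_hello(groups: List[Group]) -> Optional[bytes]:
    """Return the first client block with handshake type 0x01 and a 3-byte
    length field equal to the remaining size (TLS handshake header layout).
    Assumption: blocks are stored exactly as OpenSSL passed them to the callback."""
    for group in groups:
        if group.direction != "C":
            continue
        for block in group.blocks:
            if (len(block) >= 4 and block[0] == 0x01
                    and int.from_bytes(block[1:4], "big") == len(block) - 4):
                return block
    return None

# The example string from the post.
PAGE_EXAMPLE = "C:00:01;S:0203:0405:0607;C:08090A;"
# Constructed sample (not a real handshake): a 5-byte block that is not a
# handshake message, then a block with a handshake header (type 1, length 4).
CONSTRUCTED = "C:1603010008:01000004AABBCCDD;S:0200000100;"

if __name__ == "__main__":
    for g in parse_transcript(PAGE_EXAMPLE):
        print(g.direction, [len(b) for b in g.blocks])
    print(find_client_hello(parse_transcript(CONSTRUCTED)).hex())
```
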
From 5cf530602b0d73e388cecf5cf4b26d1c124ae847 Mon Sep 17 00:00:00 2001
From: Benny Baumann 
Date: Mon, 1 May 2017 18:32:00 +0200
Subject: [PATCH] add: Transcript of SSL Handshake similar to openssl s_client
 -msg

---
 src/event/ngx_event_openssl.c  | 110 +
 src/event/ngx_event_openssl.h  |   5 ++
 src/http/modules/ngx_http_ssl_module.c |   3 +
 3 files changed, 118 insertions(+)

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index fdbd0c9..0ad1b34 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1171,6 +1171,9 @@ ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)
 return NGX_ERROR;
 }
 
+sc->handshake_transcript = NULL;
+sc->handshake_transcript_next = >handshake_transcript;
+
 sc->buffer = ((flags & NGX_SSL_BUFFER) != 0);
 sc->buffer_size = ssl->buffer_size;
 
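Review bot: The second added line reads `= >handshake_transcript` on its right-hand side, which is not valid C as shown; the tail pointer needs the address of the list head, i.e. `sc->handshake_transcript_next = &sc->handshake_transcript;`. A one-line comment stating that `handshake_transcript_next` always points at the slot where the next chain link will be stored would also help, since the callback relies on that invariant.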
@@ -1219,6 +1222,55 @@ ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session)
 return NGX_OK;
 }
 
+static void
+ngx_ssl_handshake_transcribe(int write_p, int version, int content_type,
+const void *buf, size_t len, SSL *ssl, void *arg) {
+ngx_connection_t* c = (ngx_connection_t*) arg;
+if ( !c ) {
+return;
+}
+
+ngx_ssl_connection_t* sc = c->ssl;
+if ( !sc ) {
+return;
+}
+
+// Sanity check:
+if ( ssl != sc->connection ) {
+return;
+}
+
+ngx_pool_t* p = c->pool;
+
+ngx_chain_t* cl = ngx_alloc_chain_link( p );
+if ( !cl ) {
+return;
+}
+
+ngx_buf_t* b = ngx_calloc_buf( p );
+if ( !b ) {
+return;
+}
+
+b->temporary = 1;
+b->start = ngx_pcalloc( p, len );
+if ( !b->start ) {
+return;
+}
+
+b->pos = b->start;
+b->end = b->start + len;
+
+b->last = ngx_cpymem( b->pos, buf, len );
+
+b->tag = (ngx_buf_tag_t)(uintptr_t)!!write_p;
+
+cl->buf = b;
+cl->next = NULL;
+
+*sc->handshake_transcript_next = cl;
+sc->handshake_transcript_next = >next;
+}
 
 ngx_int_t
 ngx_ssl_handshake(ngx_connection_t *c)
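Review bot: ngx_ssl_handshake_transcribe() copies every buffer it is handed into c->pool with no limit on the number of blocks or their total length, and it ignores `version` and `content_type`, so the peer decides how much per-connection memory is used and a reader of the transcript cannot tell what kind of data a block holds. Suggest a configurable cap on the accumulated length (stop recording once it is reached) and either filtering on `content_type` or storing it alongside the block. Smaller points: when `ngx_calloc_buf()` or `ngx_pcalloc()` fails the function returns silently, leaving a truncated transcript and an unused chain link; `ngx_pcalloc()` zeroes memory that `ngx_cpymem()` overwrites immediately; the last assignment reads `= >next` and should be `&cl->next`; and the `//` comment, declarations after statements and spaces inside parentheses differ from the surrounding context lines.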
@@ -1228,8 +1280,14 @@ ngx_ssl_handshake(ngx_connection_t *c)
 
 ngx_ssl_clear_error(c->log);
 
+SSL_set_msg_callback(c->ssl->connection, ngx_ssl_handshake_transcribe);
+SSL_set_msg_callback_arg(c->ssl->connection, c);
+
 n = SSL_do_handshake(c->ssl->connection);
 
+SSL_set_msg_callback(c->ssl->connection, NULL);
+SSL_set_msg_callback_arg(c->ssl->connection, NULL);
+
 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n);
 
 if (n == 1) {
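Review bot: The message callback is installed before and removed after SSL_do_handshake() unconditionally, so every TLS connection pays for the copies whether or not anything reads the transcript. Suggest guarding both pairs of calls with a per-server setting, which is the on-demand switch the cover letter lists as still open. It is also worth a comment that, because the callback is cleared as soon as SSL_do_handshake() returns, anything OpenSSL processes outside this function is never recorded.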
@@ -4088,6 +4146,58 @@ ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 return NGX_OK;
 }
 
+ngx_int_t ngx_ssl_get_raw_handshake(ngx_connection_t *c, ngx_pool_t *pool,
+ngx_str_t *s) {
+
+if(!s) {
+return NGX_ERROR;
+}
+
+ngx_ssl_connection_t* sc = c->ssl;
+if(!sc) {
+return NGX_ERROR;
+}
+
+ngx_chain_t* hsp = sc->handshake_transcript;
+if(!hsp) {
+ngx_str_null(s);
+return NGX_OK;
+}
+
+size_t hs_len = 0;
+
+for(ngx_chain_t* cp = hsp; cp; cp = cp->next) {
+hs_len += 2; //Client/Server designation
+hs_len += 2 * (cp->buf->last -
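Review bot: ngx_ssl_get_raw_handshake() checks `s` for NULL but dereferences `c` unchecked two statements later (`c->ssl`); either drop the `s` check or treat both arguments the same way. `hs_len` is summed over the whole chain with no upper bound, so the size of the result depends on the missing cap in the callback. Style: the return type shares a line with the function name and the opening brace sits on the signature line, unlike `ngx_int_t` / `ngx_ssl_handshake(...)` in the context above, and `for(ngx_chain_t* cp = hsp; ...)` declares a variable in the loop header and uses a `//` comment.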