Stuck in weird issue - need help pls

2021-03-12 Thread blason
Hi Team,

I am stuck on this weird issue. I have nginx as my reverse proxy set in
front of an Apache web server. Somehow my proxy_pass is not working as expected
and I am getting a 404 Not Found error while retrieving the page. Can someone
please help?

Reverse Proxy IP - 10.122.0.4
Apache 10.122.0.3

On my Reverse Proxy's /etc/hosts file
10.122.0.3  ipbl..xxx

Here is my nginx stanza

server {
    listen 80;
    server_name  threat.list.xxx.xxx;
#   return 301 https://$server_name$request_uri;
    add_header X-Frame-Options "SAMEORIGIN";
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;
    error_page 404 403 /custom_404.html;
    location = /custom_404.html {
        root /usr/share/nginx/html;
        internal;
    }
    access_log /var/log/nginx/threatlist/access.log;
    error_log /var/log/nginx/threatlist/error.log;
    location / {
        if ($request_method !~ "GET") {
            return 403;
            break;
        }
        include /etc/nginx/threatlistacl/ipacls;
        deny all;
        client_max_body_size 10m;
        client_body_buffer_size 128k;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size 256k;
        proxy_connect_timeout 30s;
        proxy_pass http://ipbl..;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Now, if I access the ipbl.xxx.xxx/ipbl.txt page, it is retrieved successfully.

Request URL: http://threat.list.xxx.xxx/ipbl.txt
Request Method: GET
Status Code: 404 Not Found
Remote Address: xxx.xx.xx.xx:80
Referrer Policy: strict-origin-when-cross-origin
Connection: keep-alive
Content-Type: text/html; charset=iso-8859-1
Date: Sat, 13 Mar 2021 04:50:53 GMT
Server: nginx
Transfer-Encoding: chunked
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en;q=0.9
Connection: keep-alive
DNT: 1
Host: threat.list.xxx.xxx
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36

And my access.log

xx.xx.xx.xx - - [13/Mar/2021:10:31:17 +0530] "GET /ipbl.txt HTTP/1.1" 404 183 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36"

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,290958,290958#msg-290958

___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
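
Added example for the thread above, not the poster's configuration or a confirmed diagnosis: it shows the same front end with the backend Host header set explicitly, on the assumption (the 404 body is Apache's stock iso-8859-1 text/html error page, and the custom error_page never fired) that Apache's default vhost received "Host: threat.list.xxx.xxx" and has no /ipbl.txt. "ipbl.backend.example" is a placeholder for the elided backend hostname.

```nginx
# Added example, not the poster's config. Placeholder "ipbl.backend.example"
# stands for the elided backend hostname from the thread.
upstream ipbl_backend {
    server 10.122.0.3:80;
}

server {
    listen 80;
    server_name threat.list.xxx.xxx;

    location / {
        # Read-only front end; note limit_except GET also admits HEAD.
        limit_except GET {
            deny all;
        }

        include /etc/nginx/threatlistacl/ipacls;   # allow ... lines
        deny all;

        # The thread's config has "client_max_body_size10m" and
        # "proxy_buffer_size128k" (no space): nginx rejects those as unknown
        # directives, so the running config may not be the one shown.
        client_max_body_size 10m;
        proxy_buffer_size    128k;

        proxy_pass http://ipbl_backend;

        # Assumed cause of the 404: with "Host $host" Apache receives
        # "Host: threat.list.xxx.xxx", which no name-based vhost claims, so
        # its default vhost answers and has no /ipbl.txt (the iso-8859-1
        # text/html 404 in the thread is Apache's stock error page).
        # Send the name the backend vhost actually serves instead.
        proxy_set_header Host            ipbl.backend.example;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # error_page below only replaces responses nginx generates itself
        # unless upstream errors are intercepted; without this the Apache
        # 404 body is relayed as-is.
        proxy_intercept_errors on;
    }

    error_page 403 404 /custom_404.html;
    location = /custom_404.html {
        root /usr/share/nginx/html;
        internal;
    }
}
```

A quick way to confirm the assumption is to request /ipbl.txt from 10.122.0.3 directly with each Host value and compare the two responses.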


Possible to make subdomain only accessible through 'embed'

2021-03-12 Thread Jore

Hi there,

I have pages served from "embed.domain.com" that I'd only like to be 
accessible when they're embedded in files served from "docs.domain.com".

Visualisation below:

Is it possible to lock down "embed.domain.com" so it can only be 
accessed through "docs.domain.com"?

Can this be done with nginx conf or another method?

Thank you!
Jore



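
Added example for the question above, not from the thread. It assumes "embedded" means the embed.domain.com pages are loaded in an iframe on docs.domain.com and that both hosts are served over HTTPS by this nginx; the paths and certificate settings are placeholders.

```nginx
# Added example, not from the thread. Assumes the embedded pages are loaded
# in an <iframe> on docs.domain.com and both hosts are served over HTTPS.
server {
    listen 443 ssl;
    server_name embed.domain.com;
    # ssl_certificate / ssl_certificate_key omitted (placeholders)

    # Control that actually holds: the browser refuses to render these
    # pages in a frame whose ancestor is anything but docs.domain.com.
    # frame-ancestors supersedes X-Frame-Options where both are present.
    add_header Content-Security-Policy "frame-ancestors https://docs.domain.com" always;

    # Advisory filter: requests not referred by docs.domain.com get 403.
    # No "none" entry, so direct navigation (no Referer) is refused too.
    # Any non-browser client can set or omit Referer at will, so this
    # stops casual direct links, not a deliberate fetch of the page.
    valid_referers docs.domain.com;

    location / {
        if ($invalid_referer) {
            return 403;
        }
        root /var/www/embed;
    }
}
```

If docs.domain.com ever sends Referrer-Policy: no-referrer, the Referer check will start rejecting legitimate frames while the frame-ancestors rule keeps working, which is why the CSP header is the one to rely on.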

Re: [PATCH] Keepalive: add new option "keepalive_ssl_respect_sni"

2021-03-12 Thread Maxim Dounin
Hello!

On Thu, Mar 11, 2021 at 09:28:49PM +0300, geniuss99 wrote:

>  src/http/modules/ngx_http_upstream_keepalive_module.c |  42 +++
>  1 files changed, 42 insertions(+), 0 deletions(-)
> 
> 
> # HG changeset patch
> # User geniuss99 
> # Date 1615484979 -10800
> #  Thu Mar 11 20:49:39 2021 +0300
> # Node ID ed1348e8e25381b3b1a2540289effcf7ccec6fd6
> # Parent  0215ec9aaa8af6036c62e1db676c9b0cc1d5fca4
> Keepalive: add new option "keepalive_ssl_respect_sni".
> 
> This option allows handling the following usecase:
> 1. proxy https requests with different hostnames to server with same ip;
> 2. use cache of upstream connections via keepalive option in upstream module;
> 3. reuse connection from keepalive pool only if ip and servername used during
>    handshake with upstream match hostname from downstream request.
> 
> When this option is turned on not only the ip address of upstream server is
> taken into account upon connection search but also servername used during
> handshake procedure.

Thank you for the patch.  Please see the answer here:

http://mailman.nginx.org/pipermail/nginx-devel/2019-August/012583.html

-- 
Maxim Dounin
http://mdounin.ru/
___
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel


Re: [QUIC][BUG] function 'ngx_hkdf_extract ' has memory leak when use OPENSSL but not BoringSSL.

2021-03-12 Thread lingtao.klt
No thx, my pleasure

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,290935,290954#msg-290954



Re: [QUIC][BUG] function 'ngx_hkdf_extract ' has memory leak when use OPENSSL but not BoringSSL.

2021-03-12 Thread Vladimir Homutov
On Tue, Mar 09, 2021 at 10:17:43PM -0500, lingtao.klt wrote:
> In ngx_hkdf_expand, when using OPENSSL, the *pctx needs to be freed.
>
>
> ```
>
> static ngx_int_t
> ngx_hkdf_expand(u_char *out_key, size_t out_len, const EVP_MD *digest,
>     const uint8_t *prk, size_t prk_len, const u_char *info, size_t info_len)
> {
> #ifdef OPENSSL_IS_BORINGSSL
>     if (HKDF_expand(out_key, out_len, digest, prk, prk_len, info, info_len)
>         == 0)
>     {
>         return NGX_ERROR;
>     }
> #else
>
>     EVP_PKEY_CTX  *pctx;
>
>     pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
>
>     if (EVP_PKEY_derive_init(pctx) <= 0) {
>         return NGX_ERROR;
>     }
>
>     if (EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) <= 0)
>     {
>         return NGX_ERROR;
>     }
>
>     if (EVP_PKEY_CTX_set_hkdf_md(pctx, digest) <= 0) {
>         return NGX_ERROR;
>     }
>
>     if (EVP_PKEY_CTX_set1_hkdf_key(pctx, prk, prk_len) <= 0) {
>         return NGX_ERROR;
>     }
>
>     if (EVP_PKEY_CTX_add1_hkdf_info(pctx, info, info_len) <= 0) {
>         return NGX_ERROR;
>     }
>
>     if (EVP_PKEY_derive(pctx, out_key, &out_len) <= 0) {
>         return NGX_ERROR;
>     }
>
> #endif
>
>     return NGX_OK;
> }
>
> ```
Thank you for reporting, this was fixed:

http://hg.nginx.org/nginx-quic/rev/1c48629cfa74