Stuck in weird issue - need help pls
Hi Team,

I am stuck in this weird issue. I have nginx as my reverse proxy set in front of an Apache web server. Somehow my proxy_pass is not working as expected and I am getting a 404 Not Found error while retrieving the page. Can someone pls help?

Rev Proxy IP - 10.122.0.4
Apache 10.122.0.3

On my Rev Proxy /etc/hosts file

10.122.0.3 ipbl..xxx

Here is my nginx stanza

server {
    listen 80;
    server_name threat.list.xxx.xxx;
    # return 301 https://$server_name$request_uri;
    add_header X-Frame-Options "SAMEORIGIN";
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;
    error_page 404 403 /custom_404.html;
    location = /custom_404.html {
        root /usr/share/nginx/html;
        internal;
    }
    access_log /var/log/nginx/threatlist/access.log;
    error_log /var/log/nginx/threatlist/error.log;
    location / {
        if ($request_method !~ "GET") {
            return 403;
            break;
        }
        include /etc/nginx/threatlistacl/ipacls;
        deny all;
        client_max_body_size 10m;
        client_body_buffer_size 128k;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size 256k;
        proxy_connect_timeout 30s;
        proxy_pass http://ipbl..;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Now if I access ipbl.xxx.xxx/ipbl.txt page it gets accessed successfully

Request URL: http://threat.list.xxx.xxx/ipbl.txt
Request Method: GET
Status Code: 404 Not Found
Remote Address: xxx.xx.xx.xx:80
Referrer Policy: strict-origin-when-cross-origin

Connection: keep-alive
Content-Type: text/html; charset=iso-8859-1
Date: Sat, 13 Mar 2021 04:50:53 GMT
Server: nginx
Transfer-Encoding: chunked

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en;q=0.9
Connection: keep-alive
DNT: 1
Host: threat.list.xxx.xxx
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36

And my access.log

xx.xx.xx.xx - - [13/Mar/2021:10:31:17 +0530] "GET /ipbl.txt HTTP/1.1" 404 183 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36"

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,290958,290958#msg-290958
___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Possible to make subdomain only accessible through 'embed'
Hi there,

I have pages served from "embed.domain.com" that I'd only like to be accessible when they're embedded in files served from "docs.domain.com".

Visualisation below:

Is it possible to lock down "embed.domain.com" so it can only be accessed through "docs.domain.com"? Can this be done with nginx conf or another method?

Thank you!
Jore
Re: [PATCH] Keepalive: add new option "keepalive_ssl_respect_sni"
Hello!

On Thu, Mar 11, 2021 at 09:28:49PM +0300, geniuss99 wrote:

> src/http/modules/ngx_http_upstream_keepalive_module.c | 42 +++
> 1 files changed, 42 insertions(+), 0 deletions(-)
>
>
> # HG changeset patch
> # User geniuss99
> # Date 1615484979 -10800
> # Thu Mar 11 20:49:39 2021 +0300
> # Node ID ed1348e8e25381b3b1a2540289effcf7ccec6fd6
> # Parent 0215ec9aaa8af6036c62e1db676c9b0cc1d5fca4
> Keepalive: add new option "keepalive_ssl_respect_sni".
>
> This option allows handling the following usecase:
> 1. proxy https requests with different hostnames to server with same ip;
> 2. use cache of upstream connections via keepalive option in upstream module;
> 3. reuse connection from keepalive pool only if ip and servername used during
>    handshake with upstream match hostname from downstream request.
>
> When this option is turned on not only the ip address of upstream server is
> taken into account upon connection search but also servername used during
> handshake procedure.

Thank you for the patch. Please see the answer here:

http://mailman.nginx.org/pipermail/nginx-devel/2019-August/012583.html

--
Maxim Dounin
http://mdounin.ru/
___
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Re: [QUIC][BUG] function 'ngx_hkdf_extract ' has memory leak when use OPENSSL but not BoringSSL.
No thx, my pleasure

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,290935,290954#msg-290954
Re: [QUIC][BUG] function 'ngx_hkdf_extract ' has memory leak when use OPENSSL but not BoringSSL.
On Tue, Mar 09, 2021 at 10:17:43PM -0500, lingtao.klt wrote:

> In ngx_hkdf_expand, when use OPENSSL, the *pctx need to be free.
>
>
> ```
>
> static ngx_int_t
> ngx_hkdf_expand(u_char *out_key, size_t out_len, const EVP_MD *digest,
>     const uint8_t *prk, size_t prk_len, const u_char *info, size_t info_len)
> {
> #ifdef OPENSSL_IS_BORINGSSL
>     if (HKDF_expand(out_key, out_len, digest, prk, prk_len, info, info_len)
>         == 0)
>     {
>         return NGX_ERROR;
>     }
> #else
>
>     EVP_PKEY_CTX  *pctx;
>
>     pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
>
>     if (EVP_PKEY_derive_init(pctx) <= 0) {
>         return NGX_ERROR;
>     }
>
>     if (EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) <= 0) {
>         return NGX_ERROR;
>     }
>
>     if (EVP_PKEY_CTX_set_hkdf_md(pctx, digest) <= 0) {
>         return NGX_ERROR;
>     }
>
>     if (EVP_PKEY_CTX_set1_hkdf_key(pctx, prk, prk_len) <= 0) {
>         return NGX_ERROR;
>     }
>
>     if (EVP_PKEY_CTX_add1_hkdf_info(pctx, info, info_len) <= 0) {
>         return NGX_ERROR;
>     }
>
>     if (EVP_PKEY_derive(pctx, out_key, &out_len) <= 0) {
>         return NGX_ERROR;
>     }
>
> #endif
>
>     return NGX_OK;
> }
>
> ```

Thank you for reporting, this was fixed:

http://hg.nginx.org/nginx-quic/rev/1c48629cfa74
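
The leak pattern reported in this thread, as an added example that is not nginx or OpenSSL code and not the fix from the linked changeset. It assumes hypothetical stand-ins (ctx_t, ctx_new, ctx_free, step) for EVP_PKEY_CTX and the EVP_PKEY_* calls, with a live-object counter and an injectable failure, so the early-return flow of the posted function and a single-exit version that frees the context can be compared on every path.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for EVP_PKEY_CTX; live_ctx counts contexts not yet freed. */
typedef struct { int unused; } ctx_t;
static int live_ctx;
static ctx_t *ctx_new(void) {
    ctx_t *c = malloc(sizeof(ctx_t));
    if (c != NULL) { live_ctx++; }
    return c;
}
static void ctx_free(ctx_t *c) { if (c != NULL) { live_ctx--; free(c); } }

/* Stand-in for one EVP_PKEY_* call: returns 0 (failure) when step n == fail_at. */
#define STEPS 6  /* the six calls between allocation and return in the posted code */
static int step(ctx_t *c, int n, int fail_at) { (void) c; return n != fail_at; }

/* Control flow of the posted function: no return path releases the context. */
static int expand_leaky(int fail_at) {
    ctx_t *c = ctx_new();
    for (int n = 1; n <= STEPS; n++) {
        if (step(c, n, fail_at) <= 0) { return -1; }
    }
    return 0;
}

/* Single exit: allocation is checked, and the context is freed on success and failure. */
static int expand_fixed(int fail_at) {
    int rc = -1;
    ctx_t *c = ctx_new();
    if (c == NULL) { return -1; }
    for (int n = 1; n <= STEPS; n++) {
        if (step(c, n, fail_at) <= 0) { goto done; }
    }
    rc = 0;
done:
    ctx_free(c);
    return rc;
}

/* Contexts still allocated after one call; fail_at 0 means no step fails. */
static int leaked_after(int (*fn)(int), int fail_at) {
    int before = live_ctx;
    (void) fn(fail_at);
    return live_ctx - before;
}
int main(void) {
    for (int f = 0; f <= STEPS; f++) { printf("fail_at=%d leaky=%d fixed=%d\n", f, leaked_after(expand_leaky, f), leaked_after(expand_fixed, f)); }
    return 0;
}
```

The leaky flow leaves one context allocated per call even when every step succeeds, which is why a function called per derived key leaks steadily rather than only on errors.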