Re: nginx-quic socket() 0.0.0.0:80 failed (94: Socket type not supported)
Ok fixed the patch and yup working now! No more socket() 0.0.0.0:80 failed (94: Socket type not supported) errors when listen directive is not specifically set. Thanks Roman!

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,295642,295646#msg-295646
___
nginx mailing list -- nginx@nginx.org
To unsubscribe send an email to nginx-le...@nginx.org
Re: nginx-quic socket() 0.0.0.0:80 failed (94: Socket type not supported)
That was a quick reply, was about to pop on Nginx slack channel :)

Tried the patch but getting

patching file src/http/ngx_http_core_module.c
patch: malformed patch at line 18: lsopt.socklen = sizeof(struct sockaddr_in);

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,295642,295645#msg-295645
nginx-quic socket() 0.0.0.0:80 failed (94: Socket type not supported)
I tested nginx-quic https://quic.nginx.org/README for HTTP/3 over QUIC using quictls openssl 1.1.1q forked library and ran into an interesting error for non-HTTPS nginx vhost configurations.

If non-HTTPS nginx vhost doesn't specifically list the listen directive for port 80, I get this error when running nginx -t config check

nginx: [emerg] socket() 0.0.0.0:80 failed (94: Socket type not supported)

server {
    server_name domain.com www.domain.com;
}

but if I specifically list the listen directive no error

server {
    listen 80;
    server_name domain1.com www.domain1.com;
}

Nginx was built on CentOS 7 with GCC 11.2.1 and quictls openssl 1.1.1q

nginx -V
nginx version: nginx/1.23.2 (011122-105436-centos7-d9e494b-br-6e975bc)
built by gcc 11.2.1 20220127 (Red Hat 11.2.1-9) (GCC)
built with OpenSSL 1.1.1q+quic 5 Jul 2022
TLS SNI support enabled

This seems to only be an issue with nginx-quic built Nginx versions. If I build a regular Nginx version without nginx-quic/quictls the non-HTTPS vhost with no listen directive specifically listed for port 80 works fine and has been the expected case since I started using Nginx ~11yrs ago.

So with nginx-quic, does the assumption that server{} contexts without a specifically mentioned listen port, no longer default to port 80?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,295642,295642#msg-295642
Re: Nginx map assigned variable usage in upstream?
I see. I am currently trying to use the $pool assigned variable for PHP-FPM though as in fastcgi_pass $pool; and not proxy_pass

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293738,293741#msg-293741
Nginx map assigned variable usage in upstream?
I am trying to use a Nginx map assigned variable in an upstream but it doesn't seem to work? The map is concatenated $uri$args assigning a PHP-FPM fastcgi PHP pool to variable $pool and then setting the $pool variable in an upstream.

map $uri$args $pool {
    default 127.0.0.1:9000;
    "~/index.php/args" 127.0.0.1:9002;
}

upstream php {
    zone php_zone 64k;
    server $pool;
    keepalive 2;
}

But if I try this, nginx config test gives me

nginx -t
nginx: [emerg] host not found in upstream "$pool" in ...

What am I missing?

cheers
George

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293738,293738#msg-293738
Re: nginx-1.21.5
Maxim Dounin Wrote:
---
> Hello!
>
> On Wed, Dec 29, 2021 at 11:30:04PM -0500, George wrote:
>
> > Thanks for PCRE2 support!
> >
> > From what I read Nginx 1.21.5 will default to PCRE2 if found or fallback to
> > PCRE if not
> >
> > You can disable PCRE2 default by passing --without-pcre2 flag - which works
> > fine and
> >
> > ldd $(which nginx)
> >
> > shows
> >
> > libpcre.so.1 => /usr/local/nginx-dep/lib/libpcre.so.1 (0x7f86c7445000)
> >
> > But is the same true, if you set --without-pcre flag with PCRE2 library
> > installed and detected? As that seems to end up with nginx failing to
> > configure
> >
> > ./configure: error: the HTTP rewrite module requires the PCRE library.
> > You can either disable the module by using --without-http_rewrite_module
> > option or you have to enable the PCRE support.
> >
> > Why is it looking for PCRE when PCRE2 is available?
>
> The "--without-pcre" configure option completely disables usage of
> all versions of the PCRE library, both the original PCRE library
> and PCRE2.
>
> Currently there is no option to disable the original PCRE library
> while still using PCRE2. Note though that the original PCRE
> library is not used as long as PCRE2 is available. That is, the
> only potential difference such an option might introduce is what
> happens if PCRE2 is not available: either nginx configure will
> fail, or fallback to using the original PCRE library.
>
> --
> Maxim Dounin
> http://mdounin.ru/
> ___
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

Thanks Maxim for the clarification :)

So far Nginx 1.21.5 with PCRE2 works fine from my tests with exception of Nginx Lua and ModSecurity Nginx modules being incompatible right now :)

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293170,293214#msg-293214
Re: nginx-1.21.5
Thanks for PCRE2 support!

From what I read Nginx 1.21.5 will default to PCRE2 if found or fallback to PCRE if not

You can disable PCRE2 default by passing --without-pcre2 flag - which works fine and

ldd $(which nginx)

shows

libpcre.so.1 => /usr/local/nginx-dep/lib/libpcre.so.1 (0x7f86c7445000)

But is the same true, if you set --without-pcre flag with PCRE2 library installed and detected? As that seems to end up with nginx failing to configure

./configure: error: the HTTP rewrite module requires the PCRE library.
You can either disable the module by using --without-http_rewrite_module
option or you have to enable the PCRE support.

Why is it looking for PCRE when PCRE2 is available?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293170,293198#msg-293198
handling client disconnect. call-back?
My understanding is that abrupt client disconnects are transparent through nginx -- the connection to upstream is closed and the upstream should handle that as it can. Please correct me if I am wrong.

Is there a way to use a call-back (or something similar, a redirect), in nginx.conf, for client disconnects? This would be useful when the upstream is not good at directly handling the disconnect (not async, and still processing the response for the now-disconnected client). This could help clean up resources, on a parallel channel.

Best,
George

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,289006,289006#msg-289006
Re: how to configure request rate limiting by Kerberos authenticated user?
Thank you Maxim.

Adding an extra variable to the spnego auth module sounds intriguing, but also challenging because, as you mention, "rate limiting happens before access checks" and this module mainly deals with access checks until now. Sounds like an extra level of proxying is the way ahead for now.

It would be nice if Kerberos were supported directly by nginx. :)

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,288976,288990#msg-288990
how to configure request rate limiting by Kerberos authenticated user?
Hi,

We are currently using "limit_req_zone $binary_remote_addr" for rate limiting. However, some of our users are connecting from more than one IP address, using clients running on computer grids.

We wanted to do request rate limiting by authenticated user (in addition to the existing one by $binary_remote_addr). Is there any way we could do request rate limiting based on authenticated user?

We use Kerberos for authentication, using ngx_http_auth_spnego_module (https://github.com/stnoonan/spnego-http-auth-nginx-module).

We tried "limit_req_zone $remote_user zone=user:10m rate=20r/s;" and "limit_req zone=user burst=20;" but the key was apparently empty - all requests, from all users, were getting limited (all bunched under one key).

However, interestingly, $remote_user is passed fine to the upstream using "proxy_set_header X-Forwarded-User $remote_user;"... Apparently $remote_user only works for request limiting when using basic authentication.

Thank you for any suggestions/pointers.

Best,
George

--
This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer. If you are not the intended recipient, please delete this message.
Re: duplicate listen options for backlog directive for ip:80 and ip:443 pairs ?
I see. Thanks Maxim for the clarification. Much appreciated :)

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,284368,284402#msg-284402
duplicate listen options for backlog directive for ip:80 and ip:443 pairs ?
I am trying to troubleshoot a duplicate listen options error that only happens on one server and not the other.

From docs at http://nginx.org/en/docs/http/ngx_http_core_module.html backlog listen directive works for each ip:port pair so I should be able to set backlog directive on listen directive once on port 80 and once on port 443. But on one server I am not able to and can't see where the problem is coming from? How shall I debug this?

--- working ---

On working Nginx 1.17.0 server I have 2 nginx vhosts that set backlog properly and have no problems

vhost 1
listen 80 default_server backlog=2048 reuseport fastopen=256;

vhost 2
listen 443 ssl http2 reuseport backlog=2048;

--- not working ---

Now on another Nginx 1.17.0 server I have 3 nginx vhosts but nginx restarts complain of duplicate listen options once I add vhost 3 and the error is related for vhost 2's listen directive

nginx: [emerg] duplicate listen options for 0.0.0.0:443 in /path/to/vhost2/vhost

vhost 1
listen 80 default_server backlog=4095 reuseport fastopen=256;

vhost 2
listen 443 ssl http2 reuseport;

vhost 3
listen 443 ssl http2 backlog=4095;

if i remove vhost 3 backlog=4095 directive there's no error though?

--- working ---

Now if I reverse it so backlog=4095 is set in vhost 2 and not vhost 3, then it works and nginx doesn't complain of errors? No idea why that is the case or if it's a bug?

vhost 2
listen 443 ssl http2 reuseport backlog=4095;

vhost 3
listen 443 ssl http2;

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,284368,284368#msg-284368
Re: Google QUIC support in nginx
Roadmap suggests it is in Nginx 1.17 mainline QUIC = HTTP/3 https://trac.nginx.org/nginx/roadmap :)

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,256352,284367#msg-284367
Re: https://hg.nginx.org certificate error ?
yeah updated mercurial works https://forum.nginx.org/read.php?2,283686,283694#msg-283694 though centos 7 still will use non-SNI supported mercurial 2.6.2 so folks doing hg clone for njs repo will always have this issue.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,283686,283695#msg-283695
Re: https://hg.nginx.org certificate error ?
okay part of the problem is centos 7 uses mercurial 2.6.2 and fix is to update to mercurial >2.7.9 for SNI support

hg --version
Mercurial Distributed SCM (version 2.6.2)
(see http://mercurial.selenic.com for more information)

Copyright (C) 2005-2012 Matt Mackall and others
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

use mercurial own centos 7 yum repo /etc/yum.repos.d/mercurial.selenic.com.repo

[mercurial.selenic.com]
name=mercurial.selenic.com
baseurl=https://www.mercurial-scm.org/release/centos7
enabled=1
# Temporary until we get a serious signing scheme in place,
# check https://www.mercurial-scm.org/wiki/Download again
gpgcheck=0

yum -y update mercurial

hg --version
Mercurial Distributed SCM (version 4.0-rc)
(see https://mercurial-scm.org for more information)

Copyright (C) 2005-2016 Matt Mackall and others
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

now mercurial 4.0 with SNI support works

hg clone https://hg.nginx.org/njs/
destination directory: njs
requesting all changes
adding changesets
adding manifests
adding file changes
added 874 changesets with 3131 changes to 187 files
updating to branch default
162 files updated, 0 files merged, 0 files removed, 0 files unresolved

but still best to add *.nginx.org to *.nginx.com common name for pubserv.nginx.com server's SSL cert?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,283686,283694#msg-283694
Re: https://hg.nginx.org certificate error ?
looks like hg clone is a non-SNI request so looked up pubserv.nginx.com's SSL cert *.nginx.com common name so maybe best to add *.nginx.org as well to pubserv.nginx.com server's SSL cert?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,283686,283692#msg-283692
Re: https://hg.nginx.org certificate error ?
testssl 3.0rc4 output for

testssl hg.nginx.org:443

Testing server defaults (Server Hello)

TLS extensions (standard)    "server name/#0" "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "heartbeat/#15" "next protocol/#13172" "application layer protocol negotiation/#16"
Session Ticket RFC 5077 hint 14400 seconds, session tickets keys seems to be rotated < daily
SSL Session ID support       yes
Session Resumption           Tickets: yes, ID: yes
TLS clock skew               Random values, no fingerprinting possible
Signature Algorithm          SHA256 with RSA
Server key size              RSA 2048 bits
Server key usage             Digital Signature, Key Encipherment
Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
Serial / Fingerprints        030D311281F9B8198440D9E1F99E6DCBEA36 / SHA1 FCFED1288228D3D056CD63018F453AF21F2520E7
                             SHA256 237EE7B9E1FD73D9462D1730F6C706E4636CE2D85B2372E4936B61EFE58C0111
Common Name (CN)             mailman.nginx.org (CN in response to request w/o SNI: *.nginx.com)
subjectAltName (SAN)         hg.nginx.org mailman.nginx.com mailman.nginx.org trac.nginx.org
Issuer                       Let's Encrypt Authority X3 (Let's Encrypt from US)
Trust (hostname)             Ok via SAN (SNI mandatory)
Chain of trust               Ok
EV cert (experimental)       no
"eTLS" (visibility info)     not present
Certificate Validity (UTC)   36 >= 30 days (2019-02-14 15:18 --> 2019-05-15 15:18)
# of certificates provided   2
Certificate Revocation List  --
OCSP URI                     http://ocsp.int-x3.letsencrypt.org
OCSP stapling                not offered
OCSP must staple extension   --
DNS CAA RR (experimental)    not offered
Certificate Transparency     yes (certificate extension)

of note

Common Name (CN)             mailman.nginx.org (CN in response to request w/o SNI: *.nginx.com)
subjectAltName (SAN)         hg.nginx.org mailman.nginx.com mailman.nginx.org trac.nginx.org

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,283686,283691#msg-283691
https://hg.nginx.org certificate error ?
Hi when I try to clone njs repo I am getting the error below

hg clone https://hg.nginx.org/njs/
abort: hg.nginx.org certificate error: certificate is for *.nginx.com, nginx.com
(configure hostfingerprint bd:90:5e:95:b4:51:d8:0b:b0:36:41:6f:99:a7:80:01:4e:cf:ee:c2 or use --insecure to connect insecurely)

and

echo -n | openssl s_client -connect hg.nginx.org:443
CONNECTED(0003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = *.nginx.com
verify return:1
---
Certificate chain
 0 s:/CN=*.nginx.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

but the web browser hg.nginx.org ssl cert has SAN ssl cert for

DNS Name=hg.nginx.org
DNS Name=mailman.nginx.com
DNS Name=mailman.nginx.org
DNS Name=trac.nginx.org

dig A hg.nginx.org +short
206.251.255.64

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,283686,283686#msg-283686
Re: Fwd: Encrypted SNI
Thanks Maxim. Guess we just need to wait :)

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,281512,281540#msg-281540
Re: Fwd: Encrypted SNI
Nginx supports BoringSSL too and it already has ESNI support apparently https://www.theregister.co.uk/2018/07/17/encrypted_server_names/

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,281512,281517#msg-281517
WWW-Authenticate in 200 OK response
I am currently working on a multi-tier application, trying to use nginx as load balancer. The issue is that nginx seems to be adding WWW-Authenticate in the 200 OK response after the Kerberos authentication has taken place, which confuses the client. (The client could potentially ignore it, but that's possibly another issue.)

Not sure this is expected... Any suggestion on how to avoid or work around this?

[2018-09-14 14:46:14.471] root INFO: @@ Connecting to: 'http://host1:39609/url1'
send: 'GET /url1 HTTP/1.1\r\nX-Client-User-Name: uname1\r\nAccept-Encoding: gzip\r\nConnection: close\r\nAccept: application/json\r\nUser-Agent: qz.qzdev.run\r\nHost: host1:39609\r\nX-Client-Host-Name: host2\r\nContent-Type: application/json\r\n\r\n'
reply: 'HTTP/1.1 401 Unauthorized\r\n'
header: Server: nginx/1.14.0
header: Date: Fri, 14 Sep 2018 18:46:14 GMT
header: Content-Type: text/html
header: Content-Length: 195
header: Connection: close
header: WWW-Authenticate: Negotiate
header: WWW-Authenticate: Basic realm=""
header: Access-Control-Allow-Credentials: true
send: 'GET /url1 HTTP/1.1\r\nX-Client-User-Name: uname1\r\nAccept-Encoding: gzip\r\nConnection: close\r\nAccept: application/json\r\nUser-Agent: qz.qzdev.run\r\nHost: host1:39609\r\nX-Client-Host-Name: host2\r\nContent-Type: application/json\r\nAuthorization: Negotiate YII AghEw==\r\n\r\n'
reply: 'HTTP/1.1 200 OK\r\n'
header: Server: nginx/1.14.0
header: Date: Fri, 14 Sep 2018 18:46:14 GMT
header: Content-Type: application/json
header: Content-Length: 430908
header: Connection: close
header: WWW-Authenticate: Negotiate YI .gA==
header: WWW-Authenticate: Basic realm=""
header: Set-Cookie: session=ey...ZW4; HttpOnly; Path=/
header: Access-Control-Allow-Credentials: true
[2018-09-14 14:46:14.779] client_http_auth CRITICAL: GSSAPI failed!

Best regards,
George
Re: nginx reuseport duplicate listen options ?
correct meant vhost #1

'but if i had the 3 nginx vhosts where reuseport was used on vhost #3 instead of vhost #1, i get error '

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,280710,280711#msg-280711
nginx reuseport duplicate listen options ?
I know that nginx reuseport is only usable per ip:port pair so I am confused about this error. I have 3 nginx vhosts

vhost #1
server {
    listen 443 ssl http2 default_server backlog=2048 reuseport;
}

vhost #2
server {
    listen 80 default_server backlog=2048 reuseport fastopen=256;
}

vhost #3
server {
    listen 443 ssl http2;
}

This configuration works and I see socket sharding in use on 8 cpu thread centos 7.5 64 server

ss -lnt | egrep -e ':80 |:443 '
LISTEN 0 2048 *:443 *:*
LISTEN 0 2048 *:443 *:*
LISTEN 0 2048 *:443 *:*
LISTEN 0 2048 *:443 *:*
LISTEN 0 2048 *:443 *:*
LISTEN 0 2048 *:443 *:*
LISTEN 0 2048 *:443 *:*
LISTEN 0 2048 *:443 *:*
LISTEN 0 2048 *:80 *:*
LISTEN 0 2048 *:80 *:*
LISTEN 0 2048 *:80 *:*
LISTEN 0 2048 *:80 *:*
LISTEN 0 2048 *:80 *:*
LISTEN 0 2048 *:80 *:*
LISTEN 0 2048 *:80 *:*
LISTEN 0 2048 *:80 *:*

but if i had the 3 nginx vhosts where reuseport was used on vhost #3 instead of vhost #2, i get error 'nginx: [emerg] duplicate listen options for 0.0.0.0:443 in'

vhost #1
server {
    listen 443 ssl http2 default_server backlog=2048;
}

vhost #2
server {
    listen 80 default_server backlog=2048 reuseport fastopen=256;
}

vhost #3
server {
    listen 443 ssl http2 reuseport;
}

nginx 1.15.3 and 1.15.2 with GCC 7.3.1/8.2 or OpenSSL 1.1.0h/1.1.1-pre8 all result in same error 'nginx: [emerg] duplicate listen options for 0.0.0.0:443 in' ???

nginx -V
nginx version: nginx/1.15.3 (260718-233400)
built by gcc 8.2.0 (GCC)
built with OpenSSL 1.1.1-pre8 (beta) 20 Jun 2018
TLS SNI support enabled
configure arguments: --with-ld-opt='-L/usr/local/lib -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-I/usr/local/include -m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -Wno-error=strict-aliasing -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wimplicit-fallthrough=0 -fcode-hoisting -Wno-cast-function-type -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --build=260718-233400 --with-compat --with-http_stub_status_module --with-http_secure_link_module --add-dynamic-module=../nginx-module-vts --with-libatomic --with-http_gzip_static_module --add-dynamic-module=../ngx_brotli --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.2 --add-module=../ngx_cache_purge-2.4.2 --add-module=../ngx_devel_kit-0.3.0 --add-dynamic-module=../set-misc-nginx-module-0.32 --add-dynamic-module=../echo-nginx-module-0.61 --add-module=../redis2-nginx-module-0.15 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.18 --add-module=../srcache-nginx-module-0.31 --add-dynamic-module=../headers-more-nginx-module-0.33 --with-pcre=../pcre-8.42 --with-pcre-jit --with-zlib=../zlib-cloudflare-1.3.0 --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.1-pre8 --with-openssl-opt='enable-ec_nistp_64_gcc_128 enable-tls1_3'

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,280710,280710#msg-280710
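A check for the condition behind both "duplicate listen options" posts (the one above and the earlier ip:80 / ip:443 backlog thread), added here as an example and not code from the poster or from nginx. The nginx listen documentation allows the socket-related parameters (backlog, reuseport and the others listed in the code) only once per address:port pair, so the script flags any pair where more than one listen directive sets them. The function names and the simplified directive splitter are assumptions of this example; the sample vhosts are constructed from the configurations quoted in the post.

```python
import re
from collections import defaultdict

# Parameters the nginx "listen" documentation describes as socket-related:
# allowed in any listen directive, but only once per address:port pair.
SOCKET_PARAMS = {
    "setfib", "fastopen", "backlog", "rcvbuf", "sndbuf", "accept_filter",
    "deferred", "bind", "ipv6only", "reuseport", "so_keepalive",
}


def listen_directives(text):
    """Yield the argument list of every `listen` directive in a config text.

    Simplified splitter (assumption of this example): comments are dropped
    and statements are cut at ';', '{' and '}', which is enough for listen.
    """
    text = re.sub(r"#[^\n]*", "", text)
    for statement in re.split(r"[;{}]", text):
        words = statement.split()
        if len(words) >= 2 and words[0] == "listen":
            yield words[1:]


def normalize_address(addr):
    """Map a listen address to the addr:port form nginx prints in errors."""
    if addr.startswith("unix:"):
        return addr
    if addr.isdigit():                       # "443" -> all IPv4 addresses
        return "0.0.0.0:" + addr
    if addr.startswith("["):                 # "[::]:443" or "[::1]"
        return addr if "]:" in addr else addr + ":80"
    host, sep, port = addr.partition(":")
    host = "0.0.0.0" if host == "*" else host
    return f"{host}:{port}" if sep else f"{host}:80"   # port defaults to 80


def duplicate_listen_options(vhosts):
    """vhosts: {name: config text}.

    Return {addr:port: [(name, [socket params]), ...]} for every
    address:port whose socket parameters are set in more than one
    listen directive, the case nginx rejects at startup.
    """
    seen = defaultdict(list)
    for name, text in vhosts.items():
        for args in listen_directives(text):
            params = [a for a in args[1:]
                      if a.split("=", 1)[0] in SOCKET_PARAMS]
            if params:
                seen[normalize_address(args[0])].append((name, params))
    return {addr: uses for addr, uses in seen.items() if len(uses) > 1}


# Constructed from the post: reuseport moved to vhost #3 while vhost #1
# still sets backlog on the same 0.0.0.0:443 socket.
FAILING = {
    "vhost1": "server { listen 443 ssl http2 default_server backlog=2048; }",
    "vhost2": "server { listen 80 default_server backlog=2048 reuseport fastopen=256; }",
    "vhost3": "server { listen 443 ssl http2 reuseport; }",
}

# Constructed from the post: every socket parameter for 443 lives in vhost #1.
WORKING = {
    "vhost1": "server { listen 443 ssl http2 default_server backlog=2048 reuseport; }",
    "vhost2": "server { listen 80 default_server backlog=2048 reuseport fastopen=256; }",
    "vhost3": "server { listen 443 ssl http2; }",
}

if __name__ == "__main__":
    for label, vhosts in (("failing", FAILING), ("working", WORKING)):
        print(label, duplicate_listen_options(vhosts))
```

Parameters such as ssl, http2 and default_server are not in the socket-related set, which is why the working layout can repeat them on every listen line for the same port.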
Re: Nginx 1.13.9 HTTP/2 Server Push - non-compressed assets ?
thanks Ruslan just tested your committed fixes for this in master branch and working nicely https://community.centminmod.com/threads/hurray-http-2-server-push-for-nginx.11910/page-2#post-59602 :)

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278481,278608#msg-278608
Re: Nginx 1.13.9 HTTP/2 Server Push - non-compressed assets ?
thanks Ruslan for the update appreciate all your work and looking forward to playing with HTTP/2 Push finally ! :)

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278481,278582#msg-278582
Re: Nginx 1.13.9 HTTP/2 Server Push - non-compressed assets ?
Reported bug at https://trac.nginx.org/nginx/ticket/1478

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278481,278488#msg-278488
Nginx 1.13.9 HTTP/2 Server Push - non-compressed assets ?
Hi compiled Nginx 1.13.9 from master branch to try out HTTP/2 Server Push but noticed the pushed assets lose their gzip compression and are served as non-compressed assets? Is that as intended? I posted my findings at https://community.centminmod.com/threads/hurray-http-2-server-push-for-nginx.11910/#post-59411

http2_push_preload on;
add_header Link "; rel=preload; as=style";
add_header Link "; rel=preload; as=style";

push works as I see PUSH_PROMISE frames and chrome reports push

nghttp -navs https://baremetal.doman.com/

[ 0.018] recv (stream_id=13) :method: GET
[ 0.018] recv (stream_id=13) :path: /css/bootstrap.min.css
[ 0.018] recv (stream_id=13) :authority: baremetal.domain.com
[ 0.018] recv (stream_id=13) :scheme: https
[ 0.018] recv PUSH_PROMISE frame
Re: Modsecurity dynamic module with Nginx-plus
yeah just use nginx open source free version if you need compile support - updated guide at https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,276008,276018#msg-276018
how nginx decide which server block to use
Hi all,

I am running nginx version: nginx/1.12.0. I got following server block config as below, all request match regular expression work well, but request to server s01.example.com return 404. What's wrong?

I googled for a while, most of the article said, it first try to match literal string, then wildcard, and regular expression last.

--
server {
    listen 80;
    server_name _;
    access_log /data/wwwlogs/access_nginx.log combined;
    root /data/wwwroot/public_html;
    index index.html index.htm index.php;
    #error_page 404 /404.html;
    #error_page 502 /502.html;
    location /nginx_status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        deny all;
    }
    location ~ [^/]\.php(/|$) {
        #fastcgi_pass remote_php_ip:9000;
        fastcgi_pass unix:/dev/shm/php-cgi.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
        expires 30d;
        access_log off;
    }
    location ~ .*\.(js|css)?$ {
        expires 7d;
        access_log off;
    }
    location ~ /\.ht {
        deny all;
    }
}

server {
    listen [ip1]:80;
    server_name ~^(?<subdomain>[a-z0-9]+)\.(?<domain>[a-z0-9\-]+)\.(?<domext>[a-z]+);
    index index.html index.php;
    root /home/$domain.$domext/$subdomain;
    location / {
        try_files $uri $uri/ @apache =404;
    }
    location ~ (.*)\.html$ {
        if (!-f '$document_root/$uri') {
            rewrite /(.*)\.html$ /$1.php last;
        }
        try_files $uri @apache =404;
    }
    location @apache {
        fastcgi_pass unix:/dev/shm/php-cgi.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
    location ~ .*\.(php|php5|cgi|pl)$ {
        fastcgi_pass unix:/dev/shm/php-cgi.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
        expires 30d;
        access_log off;
    }
    location ~ .*\.(js|css)?$ {
        expires 7d;
        access_log off;
    }
    location ~ /\.ht {
        deny all;
    }
}

server {
    listen [ip2]:80;
    #server_name ~^(?[a-z0-9]+).(?[a-z0-9.]+);
    server_name ~^(?<subdomain>[a-z0-9]+)\.(?<domain>[a-z0-9\-]+)\.(?<domext>[a-z]+);
    #server_name ~^(?[a-z0-9]+).com;
    #access_log off;
    index index.html index.php;
    root /ip100/$domain.$domext/$subdomain;
    #add_header aa $document_root;
    location / {
        try_files $uri $uri/ @apache =404;
    }
    location ~ (.*)\.html$ {
        if (!-f '$document_root/$uri') {
            rewrite /(.*)\.html$ /$1.php last;
        }
        try_files $uri @apache =404;
    }
    location @apache {
        fastcgi_pass unix:/dev/shm/php-cgi.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
    location ~ .*\.(php|php5|cgi|pl)$ {
        fastcgi_pass unix:/dev/shm/php-cgi.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
        expires 30d;
        access_log off;
    }
    location ~ .*\.(js|css)?$ {
        expires 7d;
        access_log off;
    }
    location ~ /\.ht {
        deny all;
    }
    #access_log /home/wwwlogs/$subdomain.$domain.com_access.log access;
    #error_log /home/wwwlogs/subdomain.$domain.com_error.log error;
}

server {
    listen [ip3]:80;
    server_name ~^(?<subdomain>[a-z0-9]+)\.(?<domain>[a-z0-9\-]+)\.(?<domext>[a-z]+);
    index index.html index.php;
    root /ip155/$domain.$domext/$subdomain;
    #add_header aa $document_root;
    location / {
        try_files $uri $uri/ @apache =404;
    }
    location ~ (.*)\.html$ {
        if (!-f '$document_root/$uri') {
            rewrite /(.*)\.html$ /$1.php last;
        }
        try_files $uri @apache =404;
    }
    location @apache {
        fastcgi_pass unix:/dev/shm/php-cgi.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
    location ~ .*\.(php|php5|cgi|pl)$ {
        fastcgi_pass unix:/dev/shm/php-cgi.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
        expires 30d;
        access_log off;
    }
    location ~ .*\.(js|css)?$ {
        expires 7d;
        access_log off;
Re: slice module issue if redirected origin and have have fist slice
Hi Roman,

Thank you a lot for detailed explanation. Initially I thought that NGX_HTTP_SUBREQUEST_CLONE option to ngx_http_subrequest (your latest fix in slice module - Slice filter: fetch slices in cloned subrequests) was intended to make full context in subrequest to be kept during redirects and because of minor bug it does not work in my case.

I'll need some solution for cases like this:
1. Origin redirects us (assuming that it is not under our administration and we can't do anything)
2. Origin is missing an object and sends us 404, so we have to fall back to another origin

If you have some suggestion how to work around this tricky situation - I'll be very thankful.

George

On Tue, Jun 13, 2017 at 2:44 PM, Roman Arutyunyan <a...@nginx.com> wrote:
> Hi George,
>
> On Mon, Jun 12, 2017 at 10:02:16AM +0300, George . wrote:
> > Hi,
> > I've discovered following strange issue with http_slice_module
> > If I have a named location for internal 302 redirect and caching one slice
> > makes further request for whole object to break upstream redirected request
> > (missing Range header, see frame 254 in the attached capture
> > slice_redirect_problem.pcapng
> > <https://drive.google.com/a/ucdn.com/file/d/0ByZ2nt00gtJ2NmtqVUU3OVozNXM/view?usp=drive_web>
> > ).
>
> What happens is:
>
> - client requests 0-4m
> - nginx creates the request for the 1st slice and proxies it to 8081
> - after receiving 302, the request is redirected to
>   @fetch_from_redirected_origin and the first slice is saved in the cache
>
> Note that in @fetch_from_redirected_origin there's a completely separate
> slice context. By this time nginx only knows what client sent. Previous
> slice context is completely lost as well as all other modules' contexts.
> Coincidentally, it does what you expect because only the first slice was
> requested.
>
> Then you request the entire file:
>
> - client requests the entire file
> - first slice is sent from the cache
> - nginx creates a subrequest for the 2nd slice: 4m-8m and proxies it to 8081
> - after receiving 302, the subrequest is redirected to
>   @fetch_from_redirected_origin
>
> After the redirect nginx does not have any idea that it should fetch the second
> slice. Moreover, the $slice_range variable is not filled with actual range when
> first accessed in a subrequest (after error_page redirect it looks like the
> first access), so it remains empty. That's why the entire file is requested.
> But even if the variable was valid, that would still be bad since the slice
> context is lost after error_page redirect. You would get the whole file here
> instead of 4m-8m range.
>
> The takeaway is you should avoid using the slice module with redirects
> (error_page, X-Accel-Redirect) for fetching slices. Instead you should proxy
> directly to the origin server.
>
> > If there is no cached slice everything is okay (2nd capture
> > slice_redirect_no_problem.pcapng
> > <https://drive.google.com/a/ucdn.com/file/d/0ByZ2nt00gtJ2SUpnc2VVbzBKdWc/view?usp=drive_web>
> > )
>
> No, it's not ok. The first redirect to @fetch_from_redirected_origin leads
> to caching all file slices instead of the first one.
>
> > Problem appears in main branch and also nginx/1.12 ... and may be in all
> > versions
> >
> > nginx version: nginx/1.13.2
> > built by gcc 4.9.2 (Debian 4.9.2-10)
> > configure arguments: --prefix=/home/george/run/nginx_hg
> > --with-http_slice_module
> >
> > nginx.conf
> > user cdnuser cdnuser;
> > worker_processes 1;
> >
> > error_log logs/error.log debug;
> >
> > events {
> >     worker_connections 1024;
> > }
> >
> > http {
> >     include mime.types;
> >     default_type application/octet-stream;
> >
> >     sendfile on;
> >     tcp_nopush on;
> >
> >     proxy_cache_path /home/george/run/nginx_hg/cache/
> >     keys_zone=zone_uid_default:4m levels=2:1 inactive=360d max_size=18329m;
> >
> >     # our redirecting origin
> >     server {
> >         listen 8081;
> >
> >         return 302 $scheme://127.0.0.1:8082$request_uri;
> >     }
> >
> >     # our final origin
> >     server {
> >         listen 8082;
> >         add_header Cache-Control "max-age=3600";
> >         root /home/george/run/nginx_hg/root;
> >     }
> >
> >     server {
> >         listen 8080;
> >         server_name localhost;
> >
> >         recursive_error_pages on;
>
slice module issue if redirected origin and have have fist slice
Hi,

I've discovered following strange issue with http_slice_module. If I have a named location for internal 302 redirect and caching one slice makes further request for whole object to break upstream redirected request (missing Range header, see frame 254 in the attached capture slice_redirect_problem.pcapng <https://drive.google.com/a/ucdn.com/file/d/0ByZ2nt00gtJ2NmtqVUU3OVozNXM/view?usp=drive_web> ).

If there is no cached slice everything is okay (2nd capture slice_redirect_no_problem.pcapng <https://drive.google.com/a/ucdn.com/file/d/0ByZ2nt00gtJ2SUpnc2VVbzBKdWc/view?usp=drive_web> )

Problem appears in main branch and also nginx/1.12 ... and may be in all versions

nginx version: nginx/1.13.2
built by gcc 4.9.2 (Debian 4.9.2-10)
configure arguments: --prefix=/home/george/run/nginx_hg --with-http_slice_module

nginx.conf

user cdnuser cdnuser;
worker_processes 1;

error_log logs/error.log debug;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    sendfile on;
    tcp_nopush on;

    proxy_cache_path /home/george/run/nginx_hg/cache/ keys_zone=zone_uid_default:4m levels=2:1 inactive=360d max_size=18329m;

    # our redirecting origin
    server {
        listen 8081;

        return 302 $scheme://127.0.0.1:8082$request_uri;
    }

    # our final origin
    server {
        listen 8082;
        add_header Cache-Control "max-age=3600";
        root /home/george/run/nginx_hg/root;
    }

    server {
        listen 8080;
        server_name localhost;

        recursive_error_pages on;
        proxy_intercept_errors on;

        location / {
            slice 4m;
            proxy_cache zone_uid_default;
            proxy_cache_key $uri$is_args$args$slice_range;
            proxy_set_header Range $slice_range;
            proxy_pass http://localhost:8081;

            error_page 301 302 307 = @fetch_from_redirected_origin;
        }

        location @fetch_from_redirected_origin {
            slice 4m;
            internal;

            set $my_upstream_http_location $upstream_http_location;

            proxy_cache zone_uid_default;
            proxy_cache_key $uri$is_args$args$slice_range;
            proxy_set_header Range $slice_range;
            proxy_pass $my_upstream_http_location;
        }
    }
}

How to reproduce:

1. Create some empty object in our emulated origin

mkdir /home/george/run/nginx_hg/root
dd if=/dev/zero of=/home/george/run/nginx_hg/root/some_object bs=64M count=1

2. Ask our caching proxy for one 4m slice, so it will be cached

curl -v -r 0-4194303 "http://127.0.0.1:8080/some_object" --header "Host: localhost" -o /dev/null

3. See it really there

george@george ~/run/nginx_hg $ head /home/george/run/nginx_hg/cache/81/c/00214df7041ea53dd335ed5b055bfc81
Ļ:Y˩:Y��:YVʜ�r � "593aa9cb-400"
KEY: /some_objectbytes=0-4194303
HTTP/1.1 206 Partial Content
Server: nginx/1.13.2
Date: Fri, 09 Jun 2017 14:16:20 GMT
Content-Type: application/octet-stream
Content-Length: 4194304
Last-Modified: Fri, 09 Jun 2017 13:59:39 GMT
Connection: close
ETag: "593aa9cb-400"

4. This time request the whole object

curl -v "http://127.0.0.1:8080/some_object" --header "Host: localhost" -o /dev/null

___
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Re: DTLS patches
thanks Vladimir :) Posted at Nginx Forum: https://forum.nginx.org/read.php?2,274289,274312#msg-274312 ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
Re: DTLS patches
thanks for sharing. Is it necessary to compile with --with-debug ? Posted at Nginx Forum: https://forum.nginx.org/read.php?2,274289,274299#msg-274299
nginx 1.11.12 + nginScript = failed to restart nginx server
Nginx compiles successfully with nginScript as a dynamic module.

nginx -V
nginx version: nginx/1.11.12
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with LibreSSL 2.4.5
TLS SNI support enabled
configure arguments: --with-ld-opt='-lrt -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -mtune=native -mfpmath=sse -g -O3 -fstack-protector -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-sign-compare -Wno-string-plus-int -Wno-deprecated-declarations -Wno-unused-parameter -Wno-unused-const-variable -Wno-conditional-uninitialized -Wno-mismatched-tags -Wno-sometimes-uninitialized -Wno-parentheses-equality -Wno-tautological-compare -Wno-self-assign -Wno-deprecated-register -Wno-deprecated -Wno-invalid-source-encoding -Wno-pointer-sign -Wno-parentheses -Wno-enum-conversion -Wno-c++11-compat-deprecated-writable-strings -Wno-write-strings -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --add-dynamic-module=../ngx_brotli --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --add-dynamic-module=../njs/nginx --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.0 --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../set-misc-nginx-module-0.31 --add-module=../echo-nginx-module-0.60 --add-module=../redis2-nginx-module-0.13 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.17 --add-module=../srcache-nginx-module-0.31 --add-module=../headers-more-nginx-module-0.32 --with-pcre=../pcre-8.40 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-http_ssl_module --with-http_v2_module --with-openssl=../libressl-2.4.5

But I've tried both the example nginScript configurations at https://www.nginx.com/blog/introduction-nginscript/ as well as example posted at http://nginx.org/en/docs/http/ngx_http_js_module.html. But both fail to restart nginx server with no indication as to why https://community.centminmod.com/posts/46868/

nginx -t
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed

is all I see nothing else ?

loaded nginScript module as a dynamic module via include file /usr/local/nginx/conf/dynamic-modules.conf in nginx.conf

cat /usr/local/nginx/conf/dynamic-modules.conf
load_module "modules/ngx_http_image_filter_module.so";
load_module "modules/ngx_http_fancyindex_module.so";
load_module "modules/ngx_http_brotli_filter_module.so";
load_module "modules/ngx_http_brotli_static_module.so";
load_module "modules/ngx_stream_module.so";
load_module "modules/ngx_http_js_module.so";
load_module "modules/ngx_stream_js_module.so";

nginx.conf excerpt

user nginx nginx;
worker_processes 4;
worker_priority -10;
worker_rlimit_nofile 26;
timer_resolution 100ms;
pcre_jit on;
include /usr/local/nginx/conf/dynamic-modules.conf;
pid logs/nginx.pid;

events {
    worker_connections 1;
    accept_mutex off;
    accept_mutex_delay 200ms;
    use epoll;
    #multi_accept on;
}

http {

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273183,273183#msg-273183
Re: coredump in 1.10.3
Yes, for me it looks like memory corruption and really hard to guess with only bt. We will run with in-memory debug, but we have to wait till next core. I'll update you when we have more info.

On Mon, Mar 13, 2017 at 3:55 PM, Valentin V. Bartenev <vb...@nginx.com> wrote:
> On Monday 13 March 2017 15:24:46 George . wrote:
> > Hi Valentin, Sorry, I've sent the mail incidentally before I complete it ;)
> >
> > ssl_proxy_cores # ./nginx -V
> > nginx version: nginx/1.10.3
> > built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4)
> > built with OpenSSL 1.0.2g 1 Mar 2016 (running with OpenSSL 1.0.2g-fips 1 Mar 2016)
> > TLS SNI support enabled
> > configure arguments: --prefix=/cdn/nginx_ssl_proxy --with-cc-opt='-O0 -g
> > -ggdb -march=core2' --with-debug --with-http_geoip_module
> > --with-http_realip_module --with-http_ssl_module
> > --without-http_charset_module --without-http_ssi_module
> > --without-http_userid_module --without-http_autoindex_module
> > --without-http_scgi_module --without-http_uwsgi_module
> > --without-http_fastcgi_module --without-http_limit_conn_module
> > --without-http_split_clients_module --without-http_limit_req_module
> > --with-http_stub_status_module --with-http_v2_module
> >
> > and some variables values :
> >
> > (gdb) p q
> > $1 = (ngx_queue_t *) 0x3fb0ab0
> > (gdb) p * q
> > $2 = {prev = 0xd3210507e0f72630, next = 0x5f5ded63e9edd904}
> > (gdb) p h2c->waiting
> > $3 = {prev = 0x3ac6ea0, next = 0x3fb0ab0}
> >
> > and here is the config
> >
> [..]
>
> Unfortunately, backtrace in this case is almost useless.
>
> You should enable in-memory debug log:
> http://nginx.org/en/docs/debugging_log.html
>
> Thus it will be possible to trace the events that resulted
> in segfault.
>
> wbr, Valentin V. Bartenev
Re: coredump in 1.10.3
it's our build from nginx repository, it's a vanilla source

On Mon, Mar 13, 2017 at 3:30 PM, Thomas Ward <tew...@dark-net.net> wrote:
> Eww, that looks like a backport exploded.
>
> Do me a favor and file a bug in Ubuntu for this with `ubuntu-bug nginx` so
> the retraced can trace the core dump.
>
> Thomas
>
> *Sent from my iPhone. Please excuse any typos, as they are likely to
> happen by accident.*
>
> On Mar 13, 2017, at 09:24, George . <geo...@ucdn.com> wrote:
>
> Hi Valentin, Sorry, I've sent the mail incidentally before I complete it ;)
>
> ssl_proxy_cores # ./nginx -V
> nginx version: nginx/1.10.3
> built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4)
> built with OpenSSL 1.0.2g 1 Mar 2016 (running with OpenSSL 1.0.2g-fips 1 Mar 2016)
> TLS SNI support enabled
> configure arguments: --prefix=/cdn/nginx_ssl_proxy --with-cc-opt='-O0 -g
> -ggdb -march=core2' --with-debug --with-http_geoip_module
> --with-http_realip_module --with-http_ssl_module
> --without-http_charset_module --without-http_ssi_module
> --without-http_userid_module --without-http_autoindex_module
> --without-http_scgi_module --without-http_uwsgi_module
> --without-http_fastcgi_module --without-http_limit_conn_module
> --without-http_split_clients_module --without-http_limit_req_module
> --with-http_stub_status_module --with-http_v2_module
>
> and some variables values :
>
> (gdb) p q
> $1 = (ngx_queue_t *) 0x3fb0ab0
> (gdb) p * q
> $2 = {prev = 0xd3210507e0f72630, next = 0x5f5ded63e9edd904}
> (gdb) p h2c->waiting
> $3 = {prev = 0x3ac6ea0, next = 0x3fb0ab0}
>
> and here is the config
>
> nginx.conf:
>
> # SSL Proxy config for **
>
> user cdnuser cdnuser;
> worker_processes auto;
> pid /cdn/tmp/nginx_ssl_proxy.pid;
>
> #error_log logs/error.nginx.log debug;
> error_log /dev/null error;
>
> worker_rlimit_nofile 73728;
> worker_rlimit_core 10240M;
> working_directory /cdn/tmp/ssl_proxy_cores/;
>
> events {
>     worker_connections 24576;
>     use epoll;
> }
>
> http {
>
>     include mime.types;
>     default_type application/octet-stream;
>     reset_timedout_connection on;
>     client_header_timeout 60s;
>     client_body_timeout 60s;
>     send_timeout 60s;
>     client_header_buffer_size 16k;
>     large_client_header_buffers 4 16k;
>     client_body_buffer_size 1k;
>     client_max_body_size 1k;
>     connection_pool_size 512;
>     server_names_hash_bucket_size 4096;
>     server_names_hash_max_size 4096;
>     request_pool_size 8k;
>     output_buffers 1 256k;
>     postpone_output 1460;
>     proxy_buffers 8 8k;
>
>     sendfile on;
>     tcp_nopush off;
>     tcp_nodelay on;
>     keepalive_timeout 60 20;
>     keepalive_requests 256;
>     ignore_invalid_headers on;
>     recursive_error_pages on;
>     resolver **;
>     resolver_timeout 5s;
>
>     #
>     # SSL
>     #
>
>     ssl_ciphers '*';
>     ssl_prefer_server_ciphers on;
>     ssl_session_timeout 15m;
>     ssl_session_cache shared:SSL:50m;
>     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
>     ssl_session_tickets on;
>     ssl_stapling on;
>     ssl_dhparam /cdn/ssl_certs/common/dhparam2048.pem;
>     ssl_buffer_size 16k;
>
>     #
>     # GeoIP
>     #
>
>     geoip_country /usr/share/GeoIP/GeoIP.dat;
>     set_real_ip_from 127.0.0.1;
>     real_ip_header X-Forwarded-For;
>
>     #
>     # Dynamic config stuff
>     #
>
>     variables_hash_max_size 2048;
>     variables_hash_bucket_size 256;
>
>     #
>     # Log Formats
>     #
>
>     log_format cdn_ssl_log '``$connection``$connection_requests``$remote_addr``$geoip_city_country_code``$http_host``$request``$status``$request_method``$http_range``$bytes_sent``$body_bytes_sent``$request_time``$http_user_agent``$http_referer``$https``$http2``$sent_http_content_type``$sent_http_content_length``$sent_http_location``$sent_http_connection``$sent_http_keep_alive``$sent_http_transfer_encoding``$sent_http_cache_control``$sent_http_content_range``$sent_http_expires``$tcpinfo_rtt``$tcpinfo_rttvar``$tcpinfo_snd_cwnd``$tcpinfo_rcv_space``$upstream_addr``$upstream_connect_time``$upstream
Re: coredump in 1.10.3
Hi Maxim

Unfortunately I guess it will be hard to reproduce it quickly because it happened on production machine with heavy traffic.

About the gdb warning - it's not a problem: caused because I've copied binary to folder where we've collected the core itself:

-rwxr-xr-x 1 cdnuser cdnuser 4753416 Mar 13 11:24 nginx
-rw--- 1 cdnuser cdnuser 92971008 Mar 13 10:03 core
-rwxr-xr-x 1 cdnuser cdnuser 4753416 Feb 10 10:42 /cdn/nginx_ssl_proxy/sbin/nginx

diff nginx /cdn/nginx_ssl_proxy/sbin/nginx

On Mon, Mar 13, 2017 at 3:22 PM, Maxim Dounin <mdou...@mdounin.ru> wrote:
> Hello!
>
> On Mon, Mar 13, 2017 at 03:06:17PM +0200, George . wrote:
>
> > Hi all,
> >
> > We've found two different coredumps in production machines running 1.10.3
> > handling ssl and http v2 traffic.
> >
> > Here is the backtrace of version compiled with -O0 -g -ggdb
> >
> > warning: exec file is newer than core file.
> > [New LWP 28665]
> > [Thread debugging using libthread_db enabled]
> > Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> > Core was generated by `nginx: worker process '.
> > Program terminated with signal SIGSEGV, Segmentation fault.
> > #0 0x004aeecc in ngx_http_v2_state_window_update (h2c=0x32c8aa0,
> > pos=0x31a52fa "", end=0x31a5314 ")�") at src/http/v2/ngx_http_v2.c:2216
> >
> > warning: Source file is more recent than executable.
> > 2216    ngx_queue_remove(q);
>
> Note: the warning here suggests that the core file is from a
> different executable. The backtrace provided is likely incorrect.
> Try to reproduce the problem with the current executable to get a
> proper backtrace.
>
> It might be also be a good idea to look into "nginx -V" output and
> the configuration (first of all, to make sure there are no 3rd
> party modules used; if there are any - try to reproduce the
> problem without them), as well as to check if you are able to
> reproduce the problem with the latest mainline version.
>
> --
> Maxim Dounin
> http://nginx.org/
Re: coredump in 1.10.3
        proxy_set_header X-CDN-HTTP2 "$http2";
        proxy_set_header X-CDN-HTTPS "$https";

        location / {
            proxy_pass http://local_rp;
            error_page 301 302 307 = @redir;
        }

        location @redir {
            internal;
            set $cdn_upstream_http_location $upstream_http_location;
            proxy_pass $cdn_upstream_http_location;
        }
    }

    # other equivalent server blocks
    # .
    # .
    # .
    # .
}

On Mon, Mar 13, 2017 at 3:17 PM, Valentin V. Bartenev <vb...@nginx.com> wrote:
> On Monday 13 March 2017 15:06:17 George . wrote:
> > Hi all,
> >
> > We've found two different coredumps in production machines running 1.10.3
> > handing ssl and http v2 traffic.
> >
> > Here is the backtrace of version compiles with -O0 -g -ggdb
> >
> [..]
>
> Do you use any 3rd-party modules or patches? Could you show
> nginx -V output?
>
> wbr, Valentin V. Bartenev
Re: nginx-1.11.8
thanks Maxim working nicely here ! Posted at Nginx Forum: https://forum.nginx.org/read.php?2,271747,271754#msg-271754
Re: nginx-1.11.6
Yeah some other nginx modules by OpenResty ran into 1.11.6 changes

* https://github.com/openresty/redis2-nginx-module/issues/41
* https://github.com/openresty/memc-nginx-module/issues/26

the workarounds

* https://github.com/openresty/redis2-nginx-module/pull/42
* https://github.com/openresty/memc-nginx-module/pull/27

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,270963,270999#msg-270999
Re: Bloking Bad bots
I use nginx maps which depending on user agent either block, rate limit or whitelist https://community.centminmod.com/threads/blocking-bad-or-aggressive-bots.6433/ as the list gets large nginx maps just make it easier to manage Posted at Nginx Forum: https://forum.nginx.org/read.php?2,270930,270940#msg-270940
multiple php-fpm pool upstream alternating 503 & 502 errors
Was wondering if anyone could shed some light on this issue I am experiencing only with multiple php-fpm pool setups but not with single php-fpm pool. The issue is when a forum software like Xenforo or Invision board uses their native forum close option to turn off the forums for guests but still allow forum admins access, the forum via php issues an HTTP 503 status message. This seems to trip up and causes issues only for multiple php-fpm pool upstream setups causing alternating 503 and 502 bad gateway errors. Probably partially to do with the http_503 definition for fastcgi_next_upstream.

The upstream settings

upstream phpbackend {
    zone zone_phpbackend 64k;
    ip_hash;
    keepalive 5;
    server 127.0.0.1:9000 weight=50;
    server 127.0.0.1:9002 weight=50;
    server 127.0.0.1:9003 weight=50;
    server 127.0.0.1:9004 weight=50;
    server 127.0.0.1:9005 weight=50;
}

and relevant php-fpm changes made were to change from single php-fpm pool

fastcgi_pass 127.0.0.1:9000;

to multiple php-fpm upstream pools

fastcgi_next_upstream error timeout http_500 http_503;
fastcgi_pass phpbackend;
fastcgi_keep_conn on;

I can replicate the issue with multiple php-fpm pool upstream setup by creating a 503.php file with contents and then refreshing the 503.php page and it will alternate between 503 and 502 errors

The access.log's alternating 503 and 502 errors excerpt

IPADDR - - [10/Nov/2016:06:07:07 +] "GET /503.php HTTP/1.1" 502 1672 "-" "Mozilla/5.0 snipped" "-" rt=0.000 ua="phpbackend" us="502" ut="0.000" ul="0" cs=-
IPADDR - - [10/Nov/2016:06:07:03 +] "GET /503.php HTTP/1.1" 503 1665 "-" "Mozilla/5.0 snipped" "-" rt=0.000 ua="127.0.0.1:9004, 127.0.0.1:9002, 127.0.0.1:9005, 127.0.0.1:9003, 127.0.0.1:9000" us="502, 502, 502, 502, 503" ut="0.000, 0.000, 0.000, 0.000, 0.000" ul="0, 0, 0, 0, 0" cs=-
IPADDR - - [10/Nov/2016:06:07:05 +] "GET /503.php HTTP/1.1" 502 1672 "-" "Mozilla/5.0 snipped" "-" rt=0.000 ua="phpbackend" us="502" ut="0.000" ul="0" cs=-
IPADDR - - [10/Nov/2016:06:07:07 +] "GET /503.php HTTP/1.1" 502 1672 "-" "Mozilla/5.0 snipped" "-" rt=0.000 ua="phpbackend" us="502" ut="0.000" ul="0" cs=-

using log format below

log_format main_ext '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    'rt=$request_time ua="$upstream_addr" '
                    'us="$upstream_status" ut="$upstream_response_time" '
                    'ul="$upstream_response_length" '
                    'cs=$upstream_cache_status' ;

Using nginx 1.11.5 with PHP 5.6.27

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,270850,270850#msg-270850
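A log triage sketch for the symptom in the post above, added here as an example and not part of the original post: it parses the `main_ext` format and separates requests that were retried across peers from requests where `$upstream_addr` holds the group name, which nginx documents as the value kept when no server could be selected. The sample lines are constructed (documentation-range client address, invented timestamps) and the function names are this example's own.

```python
import re
from collections import Counter

# Regex for the main_ext log_format quoted in the post.
LINE_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]*)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)" "(?P<xff>[^"]*)" '
    r'rt=(?P<rt>\S+) ua="(?P<ua>[^"]*)" us="(?P<us>[^"]*)" '
    r'ut="(?P<ut>[^"]*)" ul="(?P<ul>[^"]*)" cs=(?P<cs>\S+)$'
)

# nginx joins per-attempt values with ", " and separates server groups
# (after an internal redirect) with " : ".
SEP_RE = re.compile(r", | : ")

# Constructed sample lines modelled on the excerpt in the post.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Nov/2016:06:07:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-" rt=0.012 ua="127.0.0.1:9002" us="200" ut="0.012" ul="5120" cs=-
203.0.113.10 - - [10/Nov/2016:06:07:02 +0000] "GET /robots.txt HTTP/1.1" 200 24 "-" "Mozilla/5.0" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
203.0.113.10 - - [10/Nov/2016:06:07:03 +0000] "GET /503.php HTTP/1.1" 503 1665 "-" "Mozilla/5.0" "-" rt=0.000 ua="127.0.0.1:9004, 127.0.0.1:9002, 127.0.0.1:9005, 127.0.0.1:9003, 127.0.0.1:9000" us="502, 502, 502, 502, 503" ut="0.000, 0.000, 0.000, 0.000, 0.000" ul="0, 0, 0, 0, 0" cs=-
203.0.113.10 - - [10/Nov/2016:06:07:05 +0000] "GET /503.php HTTP/1.1" 502 1672 "-" "Mozilla/5.0" "-" rt=0.000 ua="phpbackend" us="502" ut="0.000" ul="0" cs=-
203.0.113.10 - - [10/Nov/2016:06:07:07 +0000] "GET /503.php HTTP/1.1" 502 1672 "-" "Mozilla/5.0" "-" rt=0.000 ua="phpbackend" us="502" ut="0.000" ul="0" cs=-
"""


def parse_line(line):
    """Return a dict for one main_ext line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["peers"] = SEP_RE.split(entry["ua"])
    entry["peer_status"] = SEP_RE.split(entry["us"])
    return entry


def classify(entry, group="phpbackend"):
    """Label one request by how the upstream group handled it."""
    peers = entry["peers"]
    if peers == ["-"]:
        return "no_upstream"          # served without contacting a backend
    if peers == [group]:
        return "no_live_upstream"     # group name logged: no peer selectable
    if len(peers) > 1:
        # fastcgi_next_upstream moved the request from peer to peer
        return "retry_exhausted" if entry["status"] >= 500 else "retry_recovered"
    return "single_attempt"


def summarize(text, group="phpbackend"):
    """Count request kinds and the backend attempts made per proxied request."""
    kinds = Counter()
    attempts = reached = unparsed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
            continue
        kind = classify(entry, group)
        kinds[kind] += 1
        if kind not in ("no_upstream", "no_live_upstream"):
            attempts += len(entry["peers"])
            reached += 1
    return {
        "kinds": dict(kinds),
        "peer_attempts": attempts,
        "amplification": attempts / reached if reached else 0.0,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

An amplification figure well above 1 means a single client request is being replayed against several pools, which is the load pattern to watch for when `http_503` is listed in `fastcgi_next_upstream`.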
Re: freeing buffers after sending them
Hi Valentin,

Thank you for your fast and correct reply. Yes, you are right, it was oversight that r->out->buf is taken from pipe->pool, which is actually r->pool.

What if we pfree these bufs from r->pool? Who holds the reference after sending these buffers (except may be in NGX_THREADS version)?

On Wed, Oct 12, 2016 at 2:30 PM, Valentin V. Bartenev <vb...@nginx.com> wrote:
> On Wednesday 12 October 2016 13:22:08 George . wrote:
> > Hi all,
> >
> > What do you think about freeing buffers after being sent by send_chain?
> > Because we have a special case where we use 4 megabyte buffer instead of
> > nginx default 8 * 8 K and we found that these buffers are actually freed
> > after request had been finished, so if there are hundreds of slow downstream
> > connections nginx will eat a lot of RAM.
> >
> > I'm just curious if I explicitly return already consumed buffer with
> > ngx_pfree will affect something (our bunch of tests shows at least there
> > is no crash or unexpected behaviour)
>
> Buffers are not allocated from "c->pool", so
> the code below does nothing except wasting CPU.
>
> And this is the only reason, why the patch doesn't
> break everything.
>
> wbr, Valentin V. Bartenev
>
> > @@ -284,6 +284,13 @@ ngx_http_write_filter(ngx_http_request_t *r, > > ngx_chain_t *in) > > > > chain = c->send_chain(c, r->out, limit); > > > > +/* free buffs that are already sent */ > > +for (cl = r->out; cl; /* void */) { > > +ln = cl; > > +cl = cl->next; > > +ngx_pfree(c->pool, ln->buf); > > +} > > + > > ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, > > "http write filter %p", chain)
freeing buffers after sending them
Hi all,

What do you think about freeing buffers after being sent by send_chain? Because we have a special case where we use 4 megabyte buffer instead of nginx default 8 * 8 K and we found that these buffers are actually freed after request had been finished, so if there are hundreds of slow downstream connections nginx will eat a lot of RAM.

I'm just curious if I explicitly return already consumed buffer with ngx_pfree will affect something (our bunch of tests shows at least there is no crash or unexpected behaviour)

@@ -284,6 +284,13 @@ ngx_http_write_filter(ngx_http_request_t *r, ngx_chain_t *in) chain = c->send_chain(c, r->out, limit); +/* free buffs that are already sent */ +for (cl = r->out; cl; /* void */) { +ln = cl; +cl = cl->next; +ngx_pfree(c->pool, ln->buf); +} + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "http write filter %p", chain)
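Review bot: the added loop starts at r->out and runs until cl is NULL, so it hands every link's buf to ngx_pfree regardless of how much send_chain actually wrote; the `chain` value returned on the line above marks where sending stopped and the loop never compares against it, so buffers still waiting to go out would be released as well. Bound the walk with `cl != chain` and leave a partially sent buffer at that boundary alone. The call also frees against c->pool and passes ln->buf, the buffer header rather than the data it points to; free against the pool the 4 megabyte data block was allocated from, and check that cl and ln are declared in ngx_http_write_filter, since the hunk does not add them.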
Re: nginScript + nginx 1.11.4, js_run unknown directive ?
Hi Igor thanks for the clarification. Looking forward to updated examples/wiki for nginScript :) Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269548,269559#msg-269559
Re: nginScript + nginx 1.11.4, js_run unknown directive ?
and examples in wiki for nginxScript for js_run https://www.nginx.com/resources/wiki/nginScript/#section-1-overview Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269548,269552#msg-269552
Re: nginScript + nginx 1.11.4, js_run unknown directive ?
even

location /njs {
    js_run "
        var res;
        res = $r.response;
        res.status = 200;
        res.send('Hello World!');
        res.finish();
    ";
}

gives an error

nginx -t
nginx: [emerg] unknown directive "js_run" in /usr/local/nginx/conf/conf.d/virtual.conf:36
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269548,269551#msg-269551
Re: nginScript + nginx 1.11.4, js_run unknown directive ?
sorry i meant from old example readme at http://hg.nginx.org/njs/file/11d4d66851ed/README Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269548,269550#msg-269550
nginScript + nginx 1.11.4, js_run unknown directive ?
Tried compiling nginScript with nginx 1.11.4 as a dynamic module and the README github example at https://github.com/nginx/njs/blob/master/README gives me js_run unknown directive so looks like maybe didn't install correctly ?

CentOS 7.2 64bit

nginx -V
nginx version: nginx/1.11.4
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with LibreSSL 2.4.2
TLS SNI support enabled
configure arguments: --with-ld-opt='-lrt -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -mtune=native -mfpmath=sse -g -O3 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_stub_status_module --with-http_secure_link_module --add-module=../nginx-module-vts --with-libatomic --with-http_gzip_static_module --add-dynamic-module=../ngx_brotli --add-dynamic-module=../ngx_pagespeed-release-1.11.33.3-beta --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --add-dynamic-module=../njs/nginx --with-stream_geoip_module --with-stream_realip_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.0 --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../set-misc-nginx-module-0.31 --add-module=../echo-nginx-module-0.60 --add-module=../redis2-nginx-module-0.13 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.17 --add-module=../srcache-nginx-module-0.31 --add-module=../headers-more-nginx-module-0.31 --with-pcre=../pcre-8.39 --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-openssl=../libressl-2.4.2

with loaded modules as

load_module "modules/ngx_http_brotli_filter_module.so";
load_module "modules/ngx_http_brotli_static_module.so";
load_module "modules/ngx_http_image_filter_module.so";
load_module "modules/ngx_http_fancyindex_module.so";
load_module "modules/ngx_pagespeed.so";
load_module "modules/ngx_stream_module.so";
load_module "modules/ngx_http_js_module.so";
load_module "modules/ngx_stream_js_module.so";

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269548,269548#msg-269548
Re: pcre.org down?
yeah ran into the same problem and still seems to be down right now Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269359,269379#msg-269379
Re: nginx-1.11.3
thanks Maxim works now :)

cat /usr/local/nginx/conf/dynamic-modules.conf
load_module "modules/ngx_http_image_filter_module.so";
load_module "modules/ngx_http_fancyindex_module.so";
load_module "modules/ngx_stream_module.so";
load_module "modules/ngx_stream_geoip_module.so";
load_module "modules/ngx_http_geoip_module.so";

ngxrestart
Restarting nginx (via systemctl): [ OK ]

nginx -V
nginx version: nginx/1.11.3
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with LibreSSL 2.3.6
TLS SNI support enabled
configure arguments: --with-ld-opt='-lrt -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -mtune=native -mfpmath=sse -g -O3 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-sign-compare -Wno-string-plus-int -Wno-deprecated-declarations -Wno-unused-parameter -Wno-unused-const-variable -Wno-conditional-uninitialized -Wno-mismatched-tags -Wno-c++11-extensions -Wno-sometimes-uninitialized -Wno-parentheses-equality -Wno-tautological-compare -Wno-self-assign -Wno-deprecated-register -Wno-deprecated -Wno-invalid-source-encoding -Wno-pointer-sign -Wno-parentheses -Wno-enum-conversion -Wno-c++11-compat-deprecated-writable-strings -Wno-write-strings' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_stub_status_module --with-http_secure_link_module --with-openssl-opt=enable-tlsext --add-module=../nginx-module-vts --with-libatomic --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_gzip_static_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-stream_geoip_module=dynamic --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.0 --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../set-misc-nginx-module-0.30 --add-module=../echo-nginx-module-0.59 --add-module=../redis2-nginx-module-0.13 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.17 --add-module=../srcache-nginx-module-0.31 --add-module=../headers-more-nginx-module-0.30 --with-pcre=../pcre-8.39 --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-openssl=../libressl-2.3.6

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,268473,268517#msg-268517
Re: nginx-1.11.3
trying to enable ngx_stream_geoip_module as a dynamic module and getting this error ONLY on SOME servers and not others all compiled with same settings ?

nginx -t
nginx: [emerg] dlopen() "/usr/local/nginx/modules/ngx_stream_geoip_module.so" failed (/usr/local/nginx/modules/ngx_stream_geoip_module.so: undefined symbol: ngx_stream_add_variable) in /usr/local/nginx/conf/dynamic-modules.conf:3
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed

/usr/local/nginx/conf/dynamic-modules.conf include file in nginx.conf

load_module "modules/ngx_http_image_filter_module.so";
load_module "modules/ngx_http_fancyindex_module.so";
load_module "modules/ngx_stream_geoip_module.so";
load_module "modules/ngx_http_geoip_module.so";
load_module "modules/ngx_stream_module.so";

configure

./configure --with-ld-opt="-lrt -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib" --with-cc-opt="-m64 -mtune=native -mfpmath=sse -g -O3 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-sign-compare -Wno-string-plus-int -Wno-deprecated-declarations -Wno-unused-parameter -Wno-unused-const-variable -Wno-conditional-uninitialized -Wno-mismatched-tags -Wno-c++11-extensions -Wno-sometimes-uninitialized -Wno-parentheses-equality -Wno-tautological-compare -Wno-self-assign -Wno-deprecated-register -Wno-deprecated -Wno-invalid-source-encoding -Wno-pointer-sign -Wno-parentheses -Wno-enum-conversion -Wno-c++11-compat-deprecated-writable-strings -Wno-write-strings" --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_stub_status_module --with-http_secure_link_module --with-openssl-opt="enable-tlsext" --add-module=../nginx-module-vts --with-libatomic --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_gzip_static_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-stream_geoip_module=dynamic --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.0 --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../set-misc-nginx-module-0.30 --add-module=../echo-nginx-module-0.59 --add-module=../redis2-nginx-module-0.13 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.17 --add-module=../srcache-nginx-module-0.31 --add-module=../headers-more-nginx-module-0.30 --with-pcre=../pcre-8.39 --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-openssl=../libressl-2.3.6

checking for OS
 + Linux 4.5.5-x86_64-linode69 x86_64
checking for C compiler ... found
 + using Clang C compiler
 + clang version: 3.4.2 (tags/RELEASE_34/dot2-final)
checking for --with-ld-opt="-lrt -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib" ... found
checking for -Wl,-E switch ... found
checking for gcc builtin atomic operations ... found
checking for C99 variadic macros ... found
checking for gcc variadic macros ... found
checking for gcc builtin 64 bit byteswap ... found
checking for unistd.h ... found
checking for inttypes.h ... found
checking for limits.h ... found
checking for sys/filio.h ... not found
checking for sys/param.h ... found
checking for sys/mount.h ... found
checking for sys/statvfs.h ... found
checking for crypt.h ... found
checking for Linux specific features
checking for epoll ... found
checking for EPOLLRDHUP ... found
checking for EPOLLEXCLUSIVE ... not found
checking for O_PATH ... found
checking for sendfile() ... found
checking for sendfile64() ... found
checking for sys/prctl.h ... found
checking for prctl(PR_SET_DUMPABLE) ... found
checking for sched_setaffinity() ... found
checking for crypt_r() ... found
checking for sys/vfs.h ... found
checking for nobody group ... found
checking for poll() ... found
checking for /dev/poll ... not found
checking for kqueue ... not found
checking for crypt() ... not found
checking for crypt() in libcrypt ... found
checking for F_READAHEAD ... not found
checking for posix_fadvise() ... found
checking for O_DIRECT ... found
checking for F_NOCACHE ... not found
checking for directio() ... not found
checking for statfs() ... found
checking for statvfs() ... found
checking for dlopen() ... not found
checking for dlopen() in libdl ... found
checking for sched_yield() ... found
checking for SO_SETFIB ... not found
checking for SO_REUSEPORT ... found
checking for SO_ACCEPTFILTER ... not found
checking for SO_BINDANY ... not found
checking for IP_BIND_ADDRESS_NO_PORT ... not found
checking for IP_TRANSPARENT ... found
checking for IP_BINDANY ... not found
checking for IP_RECVDSTADDR ... not found
checking for IP_PKTINFO ... found
checking for IPV6_RECVPKTINFO ... found
checking for TCP_DEFER_ACCEPT ... found
checking for TCP_KEEPIDLE ... found
checking for TCP_FASTOPEN ... found
checking for TCP_INFO ... found
checking for accept4() ... found
checking for eventfd() ... found
checking for int size ... 4 bytes
checking for long size ... 8 bytes
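Added example, not part of the post above and not nginx project code: nginx dlopen()s each load_module file in the order listed, and with --with-stream=dynamic the ngx_stream_add_variable symbol named in the error lives in ngx_stream_module.so, which the quoted include file loads after ngx_stream_geoip_module.so. The checker below flags that ordering and rewrites the file; the function names and the rule that every ngx_stream_*_module.so needs ngx_stream_module.so first are assumptions of this sketch.

```python
import os
import re

# Constructed sample: the dynamic-modules.conf quoted in the post, same order.
POSTED_CONF = '''\
load_module "modules/ngx_http_image_filter_module.so";
load_module "modules/ngx_http_fancyindex_module.so";
load_module "modules/ngx_stream_geoip_module.so";
load_module "modules/ngx_http_geoip_module.so";
load_module "modules/ngx_stream_module.so";
'''

LOAD_MODULE = re.compile(r'^\s*load_module\s+["\']?([^"\';\s]+)["\']?\s*;')
STREAM_BASE = "ngx_stream_module.so"
# Assumption: any ngx_stream_<name>_module.so uses symbols from STREAM_BASE.
STREAM_ADDON = re.compile(r'^ngx_stream_.+_module\.so$')


def parse_load_modules(conf_text):
    """Return [(line_number, file_name)] for every load_module directive."""
    found = []
    for number, line in enumerate(conf_text.splitlines(), start=1):
        line = line.split("#", 1)[0]  # ignore trailing comments
        match = LOAD_MODULE.match(line)
        if match:
            found.append((number, os.path.basename(match.group(1))))
    return found


def check_stream_order(conf_text):
    """Return [(line_number, module, problem)] for stream add-ons that
    would be dlopen()ed before the stream module itself."""
    modules = parse_load_modules(conf_text)
    base_line = next((n for n, name in modules if name == STREAM_BASE), None)
    problems = []
    for number, name in modules:
        if not STREAM_ADDON.match(name):
            continue
        if base_line is None:
            # Only a fault when stream was built with --with-stream=dynamic;
            # a statically linked stream module needs no load_module line.
            problems.append((number, name, "base-not-loaded"))
        elif number < base_line:
            problems.append((number, name, "loaded-before-base"))
    return problems


def fix_stream_order(conf_text):
    """Move the ngx_stream_module.so line above the first add-on before it."""
    early = [p for p in check_stream_order(conf_text)
             if p[2] == "loaded-before-base"]
    if not early:
        return conf_text
    lines = conf_text.splitlines()
    base_line = next(n for n, name in parse_load_modules(conf_text)
                     if name == STREAM_BASE)
    first_bad = early[0][0]
    base = lines.pop(base_line - 1)      # base_line > first_bad, so the
    lines.insert(first_bad - 1, base)    # insert index is unaffected
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for number, name, problem in check_stream_order(POSTED_CONF):
        print("line %d: %s (%s)" % (number, name, problem))
    print(fix_stream_order(POSTED_CONF), end="")
```
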
Re: nginx-1.11.0
nice RSA + ECDSA certs support ! what's the recommended way to setup HTTP Public Key Pinning with regards to dual SSL certificates ? Posted at Nginx Forum: https://forum.nginx.org/read.php?2,267113,267124#msg-267124 ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
Re: [ANN] OpenResty 1.9.7.4 released
cheers agentzh thanks for that workaround for LibreSSL and ssl_certificate_by_lua* incompatibility :) Posted at Nginx Forum: https://forum.nginx.org/read.php?2,265422,265450#msg-265450
Re: nginx-1.9.12
thanks I switched back to OpenSSL for now :) Posted at Nginx Forum: https://forum.nginx.org/read.php?2,264770,264794#msg-264794
Re: nginx-1.9.12
Thanks Maxim and Nginx ! But no love for LibreSSL users as Nginx 1.9.12 seems to have broken compilation against LibreSSL 2.2.6 for me https://trac.nginx.org/nginx/ticket/908#ticket ? Posted at Nginx Forum: https://forum.nginx.org/read.php?2,264770,264780#msg-264780
Nginx HTTP/2 server push support ?
Curious if anyone has heard or knows if or when Nginx HTTP/2 support will add server push https://http2.github.io/faq/#how-can-i-use-http2-server-push ? Posted at Nginx Forum: https://forum.nginx.org/read.php?2,264252,264252#msg-264252
Re: nginx-1.9.10
Thanks updated to 1.9.10 fine with ngx_brotli + ngx_pagespeed 1.10 branch :) Posted at Nginx Forum: https://forum.nginx.org/read.php?2,264158,264187#msg-264187
Re: [ANNOUNCE] ngx_brotli
cheers Piotr :) Posted at Nginx Forum: https://forum.nginx.org/read.php?2,262088,262254#msg-262254
Re: [ANNOUNCE] ngx_brotli
Piotr just installed ngx_brotli on my Nginx stack and works nicely in Firefox 44 nightly tests. However, it might have broken ngx_pagespeed support for me in Firefox 44 nightly https://github.com/pagespeed/ngx_pagespeed/issues/1021. ngx_pagespeed works fine for https on my site with Chrome, Opera and Firefox 43 dev edition as they don't support Brotli so I am assuming Firefox 44 + brotli is what is breaking ngx_pagespeed ? cheers George Posted at Nginx Forum: http://forum.nginx.org/read.php?2,262088,262190#msg-262190
Re: [ANNOUNCE] ngx_brotli
thanks Piotr for the clarification definitely going to give ngx_brotli a spin :D Posted at Nginx Forum: http://forum.nginx.org/read.php?2,262088,262189#msg-262189
Re: [ANNOUNCE] ngx_brotli
interesting thanks for sharing :) so how does this interact or conflict with gzip static/gzip ? do we need to turn off gzip/gzip static in nginx to use brotli or can both be enabled ? Posted at Nginx Forum: http://forum.nginx.org/read.php?2,262088,262096#msg-262096
Re: http2
It's already slated for Nginx 1.9.5 community/free edition :) Although I have been playing with HTTP/2 patches since Nginx 1.9.3 :D Posted at Nginx Forum: http://forum.nginx.org/read.php?2,261669,261676#msg-261676
Re: wrong $bytes_sent on nginx-1.8.0 if aio threads is enabled
Hi all,

I'd like to ask if there are plans for somebody to fix the issue with wrong $bytes_sent in aio threads mode. If no, is there a chance to get some hint or direction, so I can try to fix it myself and contribute to a better and bug-free nginx?

Thanks in advance,
George

On Fri, May 15, 2015 at 11:37 PM, Valentin V. Bartenev vb...@nginx.com wrote:

On Friday 15 May 2015 17:45:44 George . wrote:

Hi, I found the following bug in nginx-1.8.0: if aio is configured with threads support - sometimes (one in thousands of requests) $bytes_sent contains only the length of the header. I'm attaching my nginx.conf, build params and the simple python script I'm using to reproduce this issue.

Here is the output of the test script when the problem appears:

. . .
received: 10170 from access_log : 10170 on 26 iteration
127.0.0.1 - - [15/May/2015 17:27:45] GET /test HTTP/1.0 200 -
127.0.0.1 - - [15/May/2015 17:27:47] GET /test HTTP/1.0 200 -
received: 10170 from access_log : 10170 on 27 iteration
127.0.0.1 - - [15/May/2015 17:27:58] GET /test HTTP/1.0 200 -
127.0.0.1 - - [15/May/2015 17:28:00] GET /test HTTP/1.0 200 -
received: 10170 from access_log : 10169 on 28 iteration
test failed!!

also in access_log file

. . .
10170 GET /test HTTP/1.1
10170 GET /test HTTP/1.1
10170 GET /test HTTP/1.1
170 GET /test HTTP/1.1
10170 GET /test HTTP/1.1
10170 GET /test HTTP/1.1
. .

Thank you for the report. It is caused by a race condition between sendfile() task completion and connection close notifications. If the latter comes first, nginx logs that the client prematurely closed the connection. Unfortunately, it's not easy to fix. I'll look at it later.

wbr, Valentin V. Bartenev
Re: Nginx LibreSSL and BoringSSL alternative to OpenSSL ?
Tested fine with ECC 256 bit and RSA 2048 bit SSL and chacha20_poly1305 https://community.centminmod.com/threads/nginx-and-libressl-alternative-to-openssl.3146/ :) Posted at Nginx Forum: http://forum.nginx.org/read.php?2,259325,259333#msg-259333
Re: Nginx LibreSSL and BoringSSL alternative to OpenSSL ?
thanks seems with LibreSSL 2.1.6 no longer need the steps for creating .openssl/lib and copying files to that directory and symlink to make it work

seems it works on Nginx 1.9.1 with LibreSSL 2.1.6 sweet !

nginx -V
nginx version: nginx/1.9.1
built by gcc 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC)
built with LibreSSL 2.1.6
TLS SNI support enabled
configure arguments: --with-ld-opt='-lrt -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -mtune=native -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_ssl_module --with-http_gzip_static_module --with-http_stub_status_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module --with-http_secure_link_module --with-http_flv_module --with-http_realip_module --with-http_geoip_module --with-openssl-opt=enable-tlsext --add-module=../ngx-fancyindex-ngx-fancyindex --add-module=../ngx_cache_purge-2.3 --add-module=../headers-more-nginx-module-0.25 --add-module=../nginx-accesskey-2.0.3 --add-module=../nginx-http-concat-master --with-http_dav_module --add-module=../nginx-dav-ext-module-0.0.3 --add-module=../openresty-memc-nginx-module-1518da4 --add-module=../openresty-srcache-nginx-module-ffa9ab7 --add-module=../ngx_devel_kit-0.2.19 --add-module=../set-misc-nginx-module-0.28 --add-module=../echo-nginx-module-0.57 --add-module=../lua-nginx-module-0.9.16rc1 --add-module=../lua-upstream-nginx-module-0.02 --add-module=../lua-upstream-cache-nginx-module-0.1.1 --add-module=../nginx_upstream_check_module-0.3.0 --add-module=../nginx-module-vts --with-openssl=../portable-2.1.6 --with-libatomic --with-threads --with-stream --with-stream_ssl_module --with-pcre=../pcre-8.37 --with-pcre-jit --with-http_spdy_module --add-module=../ngx_pagespeed-release-1.9.32.3-beta

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,259325,259331#msg-259331
Nginx LibreSSL and BoringSSL alternative to OpenSSL ?
Currently on CentOS 6/7, I source compile my Nginx 1.9.x versions with static OpenSSL 1.02a patched for chacha20_poly1305 but thinking about switching to LibreSSL or BoringSSL (for equal preference group cipher support). The question I have is anyone else using Nginx with LibreSSL or BoringSSL on CentOS/Redhat ? Any issues that needed working around or any features lost ? e.g. BoringSSL and OCSP stapling support etc ? Recommended steps for compilation with Nginx ? thanks George Posted at Nginx Forum: http://forum.nginx.org/read.php?2,259325,259325#msg-259325
Re: Nginx virtual host traffic status module
Thanks for the excellent module, I have it working for my builds https://community.centminmod.com/threads/centmin-mod-nginx-live-vhost-traffic-statistics-preview-discussion.3022/ :D Would be great if there's some documentation on how to customise the CSS in html mode https://github.com/vozlt/nginx-module-vts/issues/13 cheers George Posted at Nginx Forum: http://forum.nginx.org/read.php?2,256699,259274#msg-259274
wrong $bytes_sent on nginx-1.8.0 if aio threads is enabled
Hi,

I found the following bug in nginx-1.8.0: if aio is configured with threads support - sometimes (one in thousands of requests) $bytes_sent contains only the length of the header. I'm attaching my nginx.conf, build params and the simple python script I'm using to reproduce this issue.

Here is the output of the test script when the problem appears:

. . .
received: 10170 from access_log : 10170 on 26 iteration
127.0.0.1 - - [15/May/2015 17:27:45] GET /test HTTP/1.0 200 -
127.0.0.1 - - [15/May/2015 17:27:47] GET /test HTTP/1.0 200 -
received: 10170 from access_log : 10170 on 27 iteration
127.0.0.1 - - [15/May/2015 17:27:58] GET /test HTTP/1.0 200 -
127.0.0.1 - - [15/May/2015 17:28:00] GET /test HTTP/1.0 200 -
received: 10170 from access_log : 10169 on 28 iteration
test failed!!

also in access_log file

. . .
10170 GET /test HTTP/1.1
10170 GET /test HTTP/1.1
10170 GET /test HTTP/1.1
170 GET /test HTTP/1.1
10170 GET /test HTTP/1.1
10170 GET /test HTTP/1.1
. .

Best regards,
George

nginx.conf Description: Binary data
my_configure Description: Binary data

#!/usr/bin/env python
# Python 2 script: backend on :8081, requests sent through nginx on :8080,
# then bytes received are compared with $bytes_sent from the access log.
import os
import time
import urllib2
import threading
from BaseHTTPServer import BaseHTTPRequestHandler

ACCESS_LOG = './run_nginx-1.8.0/access_log'


class GetHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # print do_GET
        resp = 'a' * 1
        self.send_response(200)
        self.send_header('Cache-Control', 'max-age=1')
        self.send_header('Content-Type', 'text/html')
        self.send_header('Date', 'Thu, 24 Nov 2011 16:28:33 GMT')
        self.send_header('Content-Length', len(resp))
        self.end_headers()
        self.wfile.write(resp)


def main():
    from BaseHTTPServer import HTTPServer
    server = HTTPServer(('localhost', 8081), GetHandler)
    thread = threading.Thread(target = server.serve_forever)
    thread.daemon = True
    thread.start()

    url = 'http://127.0.0.1:8080/test'
    num_tests = 0
    while True:
        open(ACCESS_LOG, 'w').close() # empty access log file
        received_total_bytes = 0
        for i in xrange(1):
            try:
                request = urllib2.Request(url)
                request.add_header('Host', 'rp-test.com')
                response = urllib2.urlopen(request)
                data = response.read()
                received_total_bytes += len(data) + len(str(response.headers)) + 19
            except urllib2.HTTPError as e:
                print 'error', e
                exit()
            if len(data) + len(str(response.headers)) + 19 != 10170:
                print len(data) + len(str(response.headers)) + 19, len(data), len(str(response.headers))
                #print response.headers
                #print
                exit(1)
        time.sleep(10) # wait some time to flush access_log
        # sum the first field ($bytes_sent) of every access log line
        access_log_total_bytes = 0
        f = open(ACCESS_LOG)
        for line in f.xreadlines():
            bytes_sent = int(line.split(' ')[0])
            access_log_total_bytes += bytes_sent
        f.close()
        num_tests += 1
        print 'received:', received_total_bytes, 'from access_log :', access_log_total_bytes, 'on', num_tests, 'iteration'
        if received_total_bytes != access_log_total_bytes:
            print 'test failed!!!'
            exit(1)
        #os.remove(ACCESS_LOG)
    return True


if __name__ == '__main__':
    main()
Re: Google dumps SPDY in favour of HTTP/2, any plans for nginx?
thanks Sarah dug deeper and apparently those nginx reported header sites were behind Google Pagespeed's service so that must have been why HTTP/2 was reported Posted at Nginx Forum: http://forum.nginx.org/read.php?2,256561,257778#msg-257778
native variable for one level above $document_root ?
At the nginx vhost level, is there a native nginx value similar to $document_root for one directory level above $document_root ? for example if $document_root = /home/username/public or /home/username2/public is there a variable I can reference at nginx vhost level that references /home/username or /home/username2 ? thanks George Posted at Nginx Forum: http://forum.nginx.org/read.php?2,257127,257127#msg-257127
Re: NGINX using 100% of the server CPU when testing with Blitz.io
maybe switch to using Wordpress Super Cache ? handled blitz.io 8000 user stress test fine with Nginx 1.7.7, PHP-FPM 7.0.0-dev, MariaDB 10.0.x and CentOS 7.0 = 237 million hits/day on 2GB DigitalOcean KVM VPS server http://wordpress7.centminmod.com/74/wordpress-super-cache-benchmarks-blitz-io-load-test-237-million-hitsday/ Posted at Nginx Forum: http://forum.nginx.org/read.php?2,255158,255213#msg-255213
Re: Use of boringssl equal-preference cipher groups with nginx
thanks Alex so what's the updated way to compile Nginx against BoringSSL ? Posted at Nginx Forum: http://forum.nginx.org/read.php?2,252640,252779#msg-252779
Re: Nginx + boringSSL
Thanks for sharing :) So SPDY/3.1 SSL works ? Posted at Nginx Forum: http://forum.nginx.org/read.php?2,251740,251748#msg-251748
Re: Nginx 1.7.0 failed make with Phusion Passenger ?
thanks for the reply and fix :) Posted at Nginx Forum: http://forum.nginx.org/read.php?2,249586,249595#msg-249595
Nginx 1.7.0 failed make with Phusion Passenger ?
Anyone experience this problem ? I have Nginx 1.5.13 working fine with Phusion Passenger 4.0.37 source compile. But trying to update Nginx from 1.5.13 to 1.7.0 fails at make stage. I tried both Phusion Passenger 4.0.37 and 4.0.41 and it fails.

Working Nginx 1.5.13 configuration

nginx -V
nginx version: nginx/1.5.13
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC)
TLS SNI support enabled
configure arguments: --sbin-path=/usr/local/sbin --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_ssl_module --with-http_gzip_static_module --with-http_stub_status_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module --with-http_secure_link_module --with-http_flv_module --with-http_realip_module --with-openssl-opt=enable-tlsext --add-module=../ngx-fancyindex-ngx-fancyindex --add-module=../ngx_cache_purge-2.1 --add-module=../headers-more-nginx-module-0.25 --add-module=../nginx-accesskey-2.0.3 --add-module=../nginx-http-concat-master --with-http_dav_module --add-module=../nginx-dav-ext-module-0.0.3 --add-module=/usr/local/rvm/gems/ruby-2.1.1/gems/passenger-4.0.37/ext/nginx --with-openssl=../openssl-1.0.1g --with-libatomic --with-pcre=../pcre-8.35 --with-pcre-jit --with-http_spdy_module --add-module=../ngx_pagespeed-release-1.7.30.4-beta

Now when updating to Nginx 1.7.0 fails at this point with both Phusion Passenger 4.0.37 and 4.0.41

passenger -v
Phusion Passenger version 4.0.41

error message

-o objs/addon/nginx/StaticContentHandler.o \
/usr/local/rvm/gems/ruby-2.1.1/gems/passenger-4.0.41/ext/nginx/StaticContentHandler.c
/usr/local/rvm/gems/ruby-2.1.1/gems/passenger-4.0.41/ext/nginx/StaticContentHandler.c: In function 'passenger_static_content_handler':
/usr/local/rvm/gems/ruby-2.1.1/gems/passenger-4.0.41/ext/nginx/StaticContentHandler.c:72: error: 'ngx_http_request_t' has no member named 'zero_in_uri'
make[1]: *** [objs/addon/nginx/StaticContentHandler.o] Error 1
make[1]: Leaving directory `/svr-setup/nginx-1.7.0'
make: *** [build] Error 2

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,249586,249586#msg-249586
Re: Nginx 1.7.0 failed make with Phusion Passenger ?
grep -C10 zero_in_uri /usr/local/rvm/gems/ruby-2.1.1/gems/passenger-4.0.41/ext/nginx/StaticContentHandler.c

    if (!(r->method & (NGX_HTTP_GET|NGX_HTTP_HEAD|NGX_HTTP_POST))) {
        return NGX_HTTP_NOT_ALLOWED;
    }

    if (r->uri.data[r->uri.len - 1] == '/') {
        return NGX_DECLINED;
    }

    #if (PASSENGER_NGINX_MINOR_VERSION == 8 && PASSENGER_NGINX_MICRO_VERSION < 38) || \
        (PASSENGER_NGINX_MINOR_VERSION == 7 && PASSENGER_NGINX_MICRO_VERSION < 66)
    if (r->zero_in_uri) {
        return NGX_DECLINED;
    }
    #endif

    log = r->connection->log;

    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, log, 0, "http filename: \"%s\"", filename->data);

    clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,249586,249587#msg-249587
Re: Guide on switching from distro-provided nginx to nginx built from source?
Maybe this will help http://www.howtoforge.com/using-ngx_pagespeed-with-nginx-on-debian-wheezy and http://www.howtoforge.com/using-ngx_pagespeed-with-nginx-on-debian-jessie-testing - right up your alley for Debian distro :) I personally use CentOS build via Centmin Mod Nginx as it already includes ngx_pagespeed support out of the box http://centminmod.com/nginx_ngx_pagespeed.html :) As to minimal downtime and risk, easiest would be to do a test run first, DigitalOcean VPS charged on an hourly basis is a good platform to do testing for end users wanting to make the jump from pre-packaged Nginx builds to source compilation. I suppose you could even automate the entire transition and shell script something to do all the leg work. Posted at Nginx Forum: http://forum.nginx.org/read.php?2,248335,248342#msg-248342
help: How to cache video in nginx when dynamic link request
Hi, everybody, Please give me a hand. In VOD system, Nginx is reverse proxy and Lighttpd is application server with video files. And getting video files is the type play.jsp?videoid=123456. Now , I want to cache video files in Nginx server from dynamic link with ?. How to define the Nginx configure? Thanks Regards George yuan
Turn off Nginx SPDY ?
I want to test non-SPDY vs SPDY performance for Nginx and I have Nginx compiled with SPDY support and it's enabled by adding to listen directive the spdy option as per http://nginx.org/en/docs/http/ngx_http_spdy_module.html. I thought that omitting the spdy option would disable SPDY temporarily ? But it seems spdycheck.org still reports the https:// site supports SPDY and browser shows site with SPDY support even with the spdy line removed from listen directive ? Or is only way to disable, is to recompile Nginx without SPDY support ? cheers Posted at Nginx Forum: http://forum.nginx.org/read.php?2,242665,242665#msg-242665
Re: Turn off Nginx SPDY ?
I see i believe my problem is #2 as i have another vhost with spdy enabled on same addr:port pairing ! Thanks Valentin :) Posted at Nginx Forum: http://forum.nginx.org/read.php?2,242665,242668#msg-242668
Re: Announcing ngx_pagespeed beta 1.5.27.1
Yup http://ngxpagespeed.com/ isn't accessible at all from my end either. Posted at Nginx Forum: http://forum.nginx.org/read.php?2,238650,238656#msg-238656