Re: [PATCH] http option for server identification removal
Hi Teo.

On 2023-10-18 (Wed.) 20:38, Teo Tyrov wrote:
> # HG changeset patch
> # User Theodoros Tyrovouzis <teoty...@gmail.com>
> # Date 1697653906 -10800
> #      Wed Oct 18 21:31:46 2023 +0300
> # Node ID 112e223511c087fac65c7eb99dd88e66b174
> # Parent cdda286c0f1b4b10f30d4eb6a63fefb9b8708ecc
> Add "server_identification" http option that hides server information disclosure in responses
>
> In its responses, nginx by default sends a "Server" header which contains "nginx" and the nginx version. Most production systems would want this information hidden, as it is technical information disclosure (https://portswigger.net/web-security/information-disclosure).
>
> nginx does provide the option "server_tokens off;" which hides the version, but in order to get rid of the header, nginx needs to be compiled with the headers_more module, for the option "more_clear_headers".
>
> This patch provides an http option for hiding that information, which also hides the server information from the default error responses.
>
> An alternative would be to add a new option to server_tokens, e.g. "incognito".

What's wrong with this directive?
http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens

[snipp]

Regards
Alex

___
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
Re: source download from trac
Hi.

On 27.04.2019 at 10:09, jung.ji...@gmail.com wrote:
> Hello Nginx.devel
>
> I am pleased to join this group of wonderful software.
>
> I am trying to build from source for my mac, partially for study purposes.
> Due to unfamiliarity with trac, I am still struggling to find the way to download the source.
> It would be appreciated if anyone could give me a howto.

You can find the source here.
https://nginx.org/en/download.html

The doc on how to build it is here.
https://nginx.org/en/docs/configure.html

In general the link https://nginx.org/en/docs/ is a good starting point for new nginx users, IMHO.

> Regards,
> jung.ji...@gmail.com

Regards
Aleks
Re: NGINX with CGI on Alpine Linux
Hi Postmaster (a.k.a. Bernard),

I think this is a normal user question, not a development question, so let's switch to ng...@nginx.org instead of nginx-devel@nginx.org.

On 22.10.2018 at 13:57, Postmaster wrote:
> Hi Team,
>
> I'm looking for the easiest way to allow CGI scripts on my web site.
> Is any straightforward procedure available?

A short search shows at least two good options.
https://stackoverflow.com/questions/11667489/how-to-run-cgi-scripts-on-nginx
https://stackoverflow.com/questions/10252306/nginx-uwsgi-and-cgi-python-script

Both recommend uwsgi. It's a robust solution.

> Best Regards
> Bernard

Best regards.
Aleks
Re: Proxy Pass
Hi.

On 04-04-2017 17:02, Antonio Nappa wrote:
> Hello,
>
> in another of my experiments I would like to redirect the request to a completely different website. I had a look at the proxy_pass directive and the corresponding module, and I see that a location handler is set, which means it will hook as the only content handler.
>
> My question is, could I do the same as proxy_pass dynamically and not at config time? For example in the rewrite phase, as you would do with ngx_http_internal_redirect.

Could proxy_redirect be a solution?
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect

Regards
Aleks

> Thanks
Re: When nginx support tcp splicing?
Hi.

On 27-07-2016 10:34, baidu wrote:
> Do you have any plan for tcp splicing?

This was asked in the past:
http://mailman.nginx.org/pipermail/nginx/2015-December/thread.html#49398

Best regards
Aleks
Re: Add support for Log ZMQ 3rd Party Module on vim syntax
Hi Dani.

On 29-04-2016 01:43, Dani Bento wrote:
> # HG changeset patch
> # User Daniela Bento
> # Date 1461886571 -3600
> #      Fri Apr 29 00:36:11 2016 +0100
> # Node ID 6a1f953371d22ab082f05b5249d29ec72f934411
> # Parent 2f98b5709d7965e7c97cb74b8380014179c7bf0d
> Contrib: add support for Log ZMQ on Vim Syntax
>
> Add support for the 3rd party module Log ZMQ to the Vim Syntax

[snipp]

> +" Log ZMQ http://https://www.nginx.com/resources/wiki/modules/log_zmq/>
> +" ZeroMQ logger module for nginx

That's cool ;-)

Do you plan to make this module loadable and provide the SO file?!

Best regards
Aleks
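Review bot: the URL in the first added comment line is malformed: `+" Log ZMQ http://https://www.nginx.com/resources/wiki/modules/log_zmq/>` carries a doubled scheme (`http://https://`) and a trailing `>`, so anyone following the link from the syntax file gets a broken address; it should read `https://www.nginx.com/resources/wiki/modules/log_zmq/` with a single scheme and no trailing bracket.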
Re: [PATCH] proxy protocol proxified client port
Hi, Am 05-04-2016 09:55, schrieb Tony Fouchard: Hi guys, I need to log the user remote port at nginx level when requests are passed through proxy protocol (legal requirement), but looking at implementation I saw that all of the work stopped after reading source IP. In my setup, I have bgp sessions mounted on haproxy instances, but the haproxy acts at level 4 and only route traffic to different nginx farms depending of TLS extension value provided by client : it permits to serve for example both spdy and h2 over alpn. I have tried to implement what I needed and update the test case. Could this be the same request? PATCH]add proxy_protocol_port variable for rfc6302 http://thread.gmane.org/gmane.comp.web.nginx.devel/4273/focus=4390 Cheers aleks Regards. # HG changeset patch # User Tony Fouchard # Date 1459438244 -7200 # Thu Mar 31 17:30:44 2016 +0200 # Node ID 708e5e9873798be8786aa0234c9712ef94b5a1e2 # Parent 5debefd670bcbc1d4344913bd4754452892f4cb2 Retrieve the proxy protocol client port provided diff -r 5debefd670bc -r 708e5e987379 proxy_protocol.t --- a/proxy_protocol.t Mon Mar 28 19:47:38 2016 +0300 +++ b/proxy_protocol.t Thu Mar 31 17:30:44 2016 +0200 @@ -26,7 +26,7 @@ my $t = Test::Nginx->new()->has(qw/http access ipv6 realip/); -$t->write_file_expand('nginx.conf', <<'EOF')->plan(18); +$t->write_file_expand('nginx.conf', <<'EOF')->plan(22); %%TEST_GLOBALS%% @@ -38,7 +38,7 @@ http { %%TEST_GLOBALS_HTTP%% -log_format pp '$remote_addr $request'; +log_format pp '$remote_addr $request $proxy_protocol_port'; server { listen 127.0.0.1:8080 [1] proxy_protocol; @@ -47,6 +47,7 @@ set_real_ip_from 127.0.0.1/32 [2]; add_header X-IP $remote_addr; add_header X-PP $proxy_protocol_addr; +add_header X-PORT $proxy_protocol_port; location /pp { real_ip_header proxy_protocol; 
@@ -81,11 +82,14 @@ $r = pp_get('/t1', $tcp4); like($r, qr/SEE-THIS/, 'tcp4 request'); like($r, qr/X-PP: 192.0.2.1/ [3], 'tcp4 proxy'); +like($r, qr/X-PORT: 1234/, 'tcp4 proxy port'); unlike($r, qr/X-IP: 192.0.2.1/ [3], 'tcp4 client'); $r = pp_get('/t1', $tcp6); like($r, qr/SEE-THIS/, 'tcp6 request'); +like($r, qr/X-PORT: 1234/, 'tcp6 proxy port'); like($r, qr/X-PP: 2001:DB8::1/i, 'tcp6 proxy'); + unlike($r, qr/X-IP: 2001:DB8::1/i, 'tcp6 client'); like(pp_get('/t1', $unk1), qr/SEE-THIS/, 'unknown request 1'); @@ -96,11 +100,13 @@ $r = pp_get('/pp', $tcp4); like($r, qr/SEE-THIS/, 'tcp4 request realip'); like($r, qr/X-PP: 192.0.2.1/ [3], 'tcp4 proxy realip'); +like($r, qr/X-PORT: 1234/, 'tcp4 proxy port realip'); like($r, qr/X-IP: 192.0.2.1/ [3], 'tcp4 client realip'); $r = pp_get('/pp', $tcp6); like($r, qr/SEE-THIS/, 'tcp6 request realip'); like($r, qr/X-PP: 2001:DB8::1/i, 'tcp6 proxy realip'); +like($r, qr/X-PORT: 1234/, 'tcp6 proxy port realip'); like($r, qr/X-IP: 2001:DB8::1/i, 'tcp6 client realip'); # access @@ -125,8 +131,8 @@ close LOG; } -like($log, qr!^192\.0\.2\.1 GET /pp_4!m, 'tcp4 access log'); -like($log, qr!^2001:DB8::1 GET /pp_6!mi, 'tcp6 access log'); +like($log, qr!^192\.0\.2\.1 GET /pp_4 HTTP/1.0 1234!m, 'tcp4 access log'); +like($log, qr!^2001:DB8::1 GET /pp_6 HTTP/1.0 1234!mi, 'tcp6 access log'); ### # HG changeset patch # User Tony Fouchard # Date 1459438562 -7200 # Thu Mar 31 17:36:02 2016 +0200 # Branch feat-proxy-protocol-port # Node ID 6cd4f889089344db865cd07400c15e4d5966aa01 # Parent 2b7dacb381ed1c4583aa048f1b22bdc141259407 Retrieve the proxy protocol client port provided diff -r 2b7dacb381ed -r 6cd4f8890893 src/core/ngx_connection.h --- a/src/core/ngx_connection.h Thu Mar 31 02:34:04 2016 +0300 +++ b/src/core/ngx_connection.h Thu Mar 31 17:36:02 2016 +0200 
@@ -149,6 +149,7 @@ ngx_str_t addr_text; ngx_str_t proxy_protocol_addr; +ngx_str_t proxy_protocol_port; #if (NGX_SSL) ngx_ssl_connection_t *ssl; diff -r 2b7dacb381ed -r 6cd4f8890893 src/core/ngx_proxy_protocol.c --- a/src/core/ngx_proxy_protocol.c Thu Mar 31 02:34:04 2016 +0300 +++ b/src/core/ngx_proxy_protocol.c Thu Mar 31 17:36:02 2016 +0200 @@ -12,8 +12,8 @@ u_char * ngx_proxy_protocol_read(ngx_connection_t *c, u_char *buf, u_char *last) { -size_t len; -u_char ch, *p, *addr; +size_t len, plen; +u_char ch, *p, *addr, *paddr; p = buf; len = last - buf; @@ -74,6 +74,57 @@ ngx_log_debug1(NGX_LOG_DEBUG_CORE, c->log, 0, "PROXY protocol address: \"%V\"", &c->proxy_protocol_addr); +for ( ;; ) { +if (p == last) { +goto invalid; +} + +ch = *p++; + +if (ch == ' ') { +break; +} + +if (ch != ':' && ch != '.' +&& (ch < 'a' || ch > 'f') +&& (ch < 'A' || ch > 'F') +&& (ch < '0' || ch > '9')) +{ +
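Review bot: the character class in the new port loop added to ngx_proxy_protocol_read() in src/core/ngx_proxy_protocol.c accepts `':'`, `'.'` and the hex letters `a`-`f`/`A`-`F`; it is copied from the address loop above it, but a TCP port is at most five decimal digits, so the loop should reject anything outside `'0'`..`'9'` and the parsed value should be range-checked against 65535 before it is stored in `c->proxy_protocol_port`. The hunk is cut off here, so a later range check is possible, but the accepted character set itself is too wide.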
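Review bot: in proxy_protocol.t the tcp6 block gains a stray empty `+` line after the `X-PP` check, and its new `X-PORT` check is placed before `X-PP`, whereas the tcp4 block puts it after `X-PP`; keep the ordering consistent and drop the blank line. The plan bump from 18 to 22 matches the four `like()` checks added, so the count is fine.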
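The patch above reads the source port out of the PROXY protocol v1 header; as an added example (my code, not nginx's and not the patch author's), here is that step done strictly in a stand-alone parser: the source port is returned only when the field is plain decimal and in range, and a malformed header is rejected rather than logged.

```c
/* Added example (not nginx code): strict extraction of the source port from a
 * PROXY protocol v1 header. The port is decimal digits only and range-checked,
 * unlike the address fields, which legitimately contain ':' '.' and hex letters. */
#include <string.h>

#define PP_MAX_LINE 107         /* v1 spec: longest header including CRLF */

/* TCP port field: 1-5 decimal digits, value 0..65535, else -1. */
static int pp_parse_port(const char *s)
{
    size_t n = strlen(s);
    unsigned v = 0;
    if (n == 0 || n > 5) return -1;
    for (; *s != '\0'; s++) {
        if (*s < '0' || *s > '9') return -1;
        v = v * 10 + (unsigned)(*s - '0');
    }
    return v > 65535 ? -1 : (int) v;
}

/* Parses "PROXY TCP4|TCP6 <src> <dst> <sport> <dport>\r\n" from buf/len and
 * returns the source port, or -1 for anything malformed: missing CRLF within
 * 107 bytes, wrong field count, doubled spaces, unknown protocol, or a port
 * that is not a plain decimal number in range. */
int pp_v1_source_port(const char *buf, size_t len)
{
    char line[PP_MAX_LINE + 1], *f[6], *p;
    size_t n, i;
    for (n = 0; ; n++) {                      /* locate CRLF */
        if (n + 1 >= len || n + 1 >= PP_MAX_LINE) return -1;
        if (buf[n] == '\r' && buf[n + 1] == '\n') break;
    }
    memcpy(line, buf, n);
    line[n] = '\0';

    for (i = 0, p = line; i < 6; i++) {       /* exactly six fields */
        f[i] = p;
        p = strchr(p, ' ');
        if (p == NULL) { if (i != 5) return -1; break; }
        if (i == 5 || p[1] == ' ' || p[1] == '\0') return -1;
        *p++ = '\0';
    }
    if (strcmp(f[0], "PROXY") != 0
        || (strcmp(f[1], "TCP4") != 0 && strcmp(f[1], "TCP6") != 0)
        || f[2][0] == '\0' || f[3][0] == '\0'  /* addresses must be present */
        || pp_parse_port(f[5]) < 0)            /* destination port valid too */
        return -1;
    return pp_parse_port(f[4]);
}
```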
Re: Fwd: openshift-nginx docker image running as non-root
Dear Scott,

I think this is not a devel question, so I answer primarily to the nginx list.

On 11-11-2015 19:23, Scott Creeley wrote:
> ----- Forwarded Message -----
> From: "Scott Creeley"
> To: nginx-devel@nginx.org
> Sent: Wednesday, November 11, 2015 12:13:49 PM
> Subject: openshift-nginx docker image running as non-root
>
> Hi,
> Been playing around with the https://github.com/nginxinc/openshift-nginx dockerfile and trying to find a way to run nginx as non-root with openshift/k8/docker. Not having much luck; if I pass in a user or specify a user in the nginx.conf or Dockerfile or via openshift/k8 runAsUser I always get some form of permission errors. Is there a way to do this or am I wasting my time messing with this?
>
> nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
> 2015/11/10 14:40:40 [warn] 1#1: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
> 2015/11/10 14:40:40 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)

We had the same problem.

tl;dr: Add this to the Dockerfile.

    # make the log and cache directories writable for the random container UID
    RUN chmod -R 777 /var/log/nginx /var/cache/nginx/ \
        && chmod 644 /etc/nginx/*

Longer explanation.

OpenShift v3 uses a random user inside the container. This makes the user and group settings in most Dockerfiles and apps not very helpful. You can take a look into the node-js example container:

    oc exec nodejs-example-1-qerx1 -it bash
    ##
    bash-4.2$ ps aafxu
    USER       PID %CPU %MEM    VSZ   RSS TTY STAT START TIME COMMAND
    1000100+    19  0.0  0.0  11740  1840 ?   Ss   14:58 0:00 bash
    1000100+    34  0.0  0.0  19764  1204 ?   R+   14:58 0:00 \_ ps aafxu
    1000100+     1  0.0  0.0 863264 26216 ?   Ssl  Nov09 0:00 npm
    1000100+    17  0.0  0.0 701120 25892 ?   Sl   Nov09 0:00 node server.js
    ###

The reason why most programs have this user & group stuff is security.

Due to the fact that almost all containers in OpenShift v3 run under a dedicated user (e.g. 1000100+), you don't need to, and are not allowed to, change to a dedicated user. Please take a look into these docs. Since I don't know whether you use OpenShift Enterprise (OSE) or OpenShift Origin, I post the doc links from Origin ;-)

https://docs.openshift.org/latest/architecture/index.html
https://docs.openshift.org/latest/creating_images/guidelines.html
https://docs.openshift.org/latest/admin_guide/manage_scc.html#enable-images-to-run-with-user-in-the-dockerfile
https://docs.openshift.org/latest/using_images/docker_images/index.html
https://docs.openshift.org/latest/architecture/core_concepts/pods_and_services.html
https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#security-context-constraints

Please give yourself some time to learn the OpenShift ecosystem; it's not like a 'docker run ...' on any machine ;-)

BR
Aleks
Re: HTTP2 Firefox Compatibility
Hi.

On 27-09-2015 23:49, SplitIce wrote:
> Hi All,
>
> Yesterday we discovered a possible compatibility issue with a certain configuration, HTTP2 and Firefox. This configuration works successfully in Chrome and other HTTP2 enabled browsers, however Firefox users are unable to connect (connection reset).
>
> The pertinent part of the configuration is a port with SSLv3 enabled in the supported protocols (risk associated with POODLE attack has been accounted and mitigated for separately).

Please can you post the output of 'nginx -V' and an anonymized config?

Which version of Firefox is in use? Firefox has deactivated SSLv3 by default.
https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
https://www.mozilla.org/en-US/firefox/34.0/releasenotes/
    Disabled SSLv3

What does the "Protocol Features" output show for your client?
https://www.ssllabs.com/ssltest/viewMyClient.html

Which value does 'about:config' => security.tls.version.min have?

> Test configuration:
>
> server {
>     listen 443 ssl http2;
>     ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
>     [...]
> }
>
> Connect with Firefox (fail), connect with Chrome (pass).

Is it possible to use http2 with SSLv3?!
http://nginx.org/en/docs/http/ngx_http_v2_module.html

# cite from above link
Note that accepting HTTP/2 connections over TLS requires the “Application-Layer Protocol Negotiation” (ALPN) TLS extension support, which is available only since OpenSSL version 1.0.2. Using the “Next Protocol Negotiation” (NPN) TLS extension for this purpose (available since OpenSSL version 1.0.1) is not guaranteed.
#

What does the Firefox network analyzer tool show?
https://developer.mozilla.org/en-US/docs/Tools/Network_Monitor

Is it possible to use the debug log?
http://nginx.org/en/docs/debugging_log.html

> Regards,
> Mathew

Cheers
Aleks
Question about another SSL-Library
Hi all.

Are there any plans to add another SSL library into nginx?

[ ] axtls    http://axtls.sourceforge.net/
[ ] cyassl   http://www.wolfssl.com/yaSSL/Home.html
[ ] gnutls   http://www.gnutls.org/
[ ] polarssl https://polarssl.org/
[ ] other: ...

Best regards
Aleksandar Lazic
Re: Request: upstream via a SOCKS proxy
Hi,

There are some http2socks proxies out there.
http://www.privoxy.org/
http://www.privoxy.org/user-manual/config.html#SOCKS
http://www.delegate.org/delegate/
http://www.delegate.org/delegate/Manual.htm#SOCKS
http://en.wikipedia.org/wiki/SOCKS#Translating_proxies

The setup could look like

    client -> nginx -> http-proxylistener -> socks-proxyrequester -> socks-server

OT: SOCKS5 is not so easy if you want to implement the full protocol, imho.

I agree with you that this would be a nice upstream module, even though I don't need it at the moment.

Cheers
Aleks

On 23-01-2013 17:05, Tom van der Woerdt wrote:
> Hi,
>
> A project I'm working on has a backend server that, for security reasons, can only be accessed via a SOCKS4a/SOCKS5 proxy. A frontend server for this project (nginx) has one simple task: to proxy all incoming connections to the backend server. Right now, nginx cannot do this, because it has no support for proxying upstream connections via a SOCKS proxy.
>
> The current temporary workaround is to run another service on the frontend machine that acts like a HTTP server but proxies the data to the backend - basically everything I'd like nginx to do. I cannot use this service as my main frontend, because there are a few other files that also need to be served.
>
> SOCKS4a and SOCKS5 are really easy protocols and are basically just sockets but with an alternate handshake (skip the DNS lookup, send the hostname to the socket instead). Since they should be so easy to implement, I'm requesting that on this mailing list.
>
> I was thinking of a config file that would look something like this:
>
> upstream backend {
>     server hidden_dns.local socks4=127.0.0.1:1234;
> }
> server {
>     location / {
>         proxy_pass http://backend;
>     }
> }
>
> As far as I'm aware, this feature wouldn't break anything, since a SOCKS connection behaves just like any other normal socket.
>
> Thanks for considering,
> Tom van der Woerdt
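As an added example (not part of Tom's post and not nginx code), the SOCKS4a handshake his request relies on, reduced to the CONNECT request a client encodes and the reply check it must perform before treating the socket as connected to the backend; the hostname and userid values are placeholders taken from the config sketch above.

```c
/* Added example (not nginx code): the SOCKS4a handshake the thread describes,
 * built as the bytes a client sends and the reply it checks. DSTIP 0.0.0.1
 * tells the proxy to resolve HOSTNAME itself, so the client does no DNS. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encodes a SOCKS4a CONNECT request into out (capacity cap):
 *   VN=4, CD=1, DSTPORT (2 bytes, network order), DSTIP=0.0.0.1,
 *   USERID NUL, HOSTNAME NUL
 * Returns the request length, or 0 if the host is invalid or it does not fit. */
size_t socks4a_connect_request(const char *host, uint16_t port,
                               const char *userid, uint8_t *out, size_t cap)
{
    size_t hl = strlen(host), ul = strlen(userid);
    size_t need = 8 + ul + 1 + hl + 1;

    if (hl == 0 || hl > 255 || need > cap) return 0;
    out[0] = 4;                              /* VN: SOCKS version 4 */
    out[1] = 1;                              /* CD: CONNECT */
    out[2] = (uint8_t)(port >> 8);           /* DSTPORT, big-endian */
    out[3] = (uint8_t)(port & 0xff);
    out[4] = 0; out[5] = 0; out[6] = 0; out[7] = 1;   /* DSTIP 0.0.0.1 */
    memcpy(out + 8, userid, ul + 1);         /* USERID + NUL */
    memcpy(out + 8 + ul + 1, host, hl + 1);  /* HOSTNAME + NUL */
    return need;
}

/* Classifies the 8-byte reply: 1 = granted (CD 90), 0 = rejected (CD 91..93),
 * -1 = malformed or short; only 1 means the tunnel to the backend is up. */
int socks4_reply_granted(const uint8_t *rep, size_t len)
{
    if (len < 8 || rep[0] != 0) return -1;   /* VN must be 0 in replies */
    if (rep[1] == 90) return 1;
    if (rep[1] >= 91 && rep[1] <= 93) return 0;
    return -1;
}

int main(void)
{
    uint8_t req[300];
    /* constructed: the backend name from the config sketch and a "granted" reply */
    size_t n = socks4a_connect_request("hidden_dns.local", 80, "nginx", req, sizeof req);
    const uint8_t ok[8] = {0, 90, 0, 80, 0, 0, 0, 0};
    printf("%zu request bytes, granted=%d\n", n, socks4_reply_granted(ok, 8));
    return 0;
}
```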