Websockets - recommended settings question

2016-09-12 Thread Cain
Hi, In the nginx documentation (https://www.nginx.com/blog/websocket-nginx), it is recommended to set the 'Connection' header to 'close' (if there is no upgrade header) - from my understanding, this disables keep alive from nginx to the upstream - is there a reason for this? Additionally, is

Re: --with-openssl and OPENSSL_OPT

2016-09-12 Thread Maxim Dounin
Hello! On Mon, Sep 12, 2016 at 09:55:32PM +0200, Ondřej Nový wrote: > I want to use OpenSSL 1.0.2 statically linked with nginx. So I'm using > the --with-openssl option. But I want to set OpenSSL configure options. Option > OPENSSL_OPT looks like the correct way. > > If I set this variable: > export

Re: Don't process requests containing folders

2016-09-12 Thread Grant
>> location ~ (^/[^/]*|.html)$ {} > > Yes, that should do what you describe. I realize now that I didn't define the requirement properly. I said: "match requests with a single / or ending in .html" but what I need is: "match requests with a single / *and* ending in .html, also match /". Will

Re: Don't process requests containing folders

2016-09-12 Thread Francis Daly
On Mon, Sep 12, 2016 at 01:55:35PM -0700, Grant wrote: Hi there, > > If you want to match "requests with a second slash", do just that: > > > > location ~ ^/.*/ {} > > > > (the "^" is not necessary there, but I guess-without-testing that > > it helps.) > > When you say it helps, you mean for

Re: limit-req and greedy UAs

2016-09-12 Thread Richard Stanway
limit_req works with multiple connections, it is usually configured per IP using $binary_remote_addr. See http://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_zone - you can use variables to set the key to whatever you like. limit_req generally helps protect eg your backend

Re: Don't process requests containing folders

2016-09-12 Thread Grant
>> My site doesn't have any folders in its URL structure so I'd like to >> have nginx process any request which includes a folder (cheap 404) >> instead of sending the request to my backend (expensive 404). > >> Currently I'm using a series of location blocks to check for a valid >> request.

Re: Don't process requests containing folders

2016-09-12 Thread Francis Daly
On Mon, Sep 12, 2016 at 10:17:06AM -0700, Grant wrote: Hi there, > My site doesn't have any folders in its URL structure so I'd like to > have nginx process any request which includes a folder (cheap 404) > instead of sending the request to my backend (expensive 404). The location-matching

Re: limit-req and greedy UAs

2016-09-12 Thread Grant
> https://www.nginx.com/blog/tuning-nginx/ > > I have far more faith in this write up regarding tuning than the anti-ddos, > though both have similarities. > > My interpretation is the user bandwidth is connections times rate. But you > can't limit the connection to one because (again my

--with-openssl and OPENSSL_OPT

2016-09-12 Thread Ondřej Nový
Hi, I want to use OpenSSL 1.0.2 statically linked with nginx. So I'm using the --with-openssl option. But I want to set OpenSSL configure options. Option OPENSSL_OPT looks like the correct way. If I set this variable: export OPENSSL_OPT=no-idea After OpenSSL configure I got the message: *** Because of

Re: Connecting Nginx to LDAP/Kerberos

2016-09-12 Thread Joshua Schaeffer
On Mon, Sep 12, 2016 at 1:37 PM, A. Schulze wrote: > > > Am 12.09.2016 um 21:33 schrieb Joshua Schaeffer: > >> Any chance anybody has played around with Kerberos auth? Currently my SSO >> environment uses GSSAPI for most authentication. >> > > I also compile the module

Re: Connecting Nginx to LDAP/Kerberos

2016-09-12 Thread A. Schulze
Am 12.09.2016 um 21:33 schrieb Joshua Schaeffer: Any chance anybody has played around with Kerberos auth? Currently my SSO environment uses GSSAPI for most authentication. I also compile the module https://github.com/stnoonan/spnego-http-auth-nginx-module but I've no time to configure /

Re: Connecting Nginx to LDAP/Kerberos

2016-09-12 Thread Joshua Schaeffer
> > >> I'm using that one to authenticate my users. > > auth_ldap_cache_enabled on; > ldap_server my_ldap_server { > url ldaps://ldap.example.org/dc=users,dc=mybase?uid?sub; > binddn cn=nginx,dc=mybase; > binddn_passwd

Re: Connecting Nginx to LDAP/Kerberos

2016-09-12 Thread A. Schulze
Am 12.09.2016 um 21:04 schrieb Joshua Schaeffer: - https://github.com/kvspb/nginx-auth-ldap I'm using that one to authenticate my users. auth_ldap_cache_enabled on; ldap_server my_ldap_server { url ldaps://ldap.example.org/dc=users,dc=mybase?uid?sub;

Connecting Nginx to LDAP/Kerberos

2016-09-12 Thread Joshua Schaeffer
Greetings Nginx list, I've set up git-http-backend on a sandbox nginx server to host my git projects inside my network. I'm trying to get everything set up so that I can require auth to that server block using SSO, which I have set up and working with LDAP and Kerberos. I have all my accounts in

[nginx] OCSP stapling: fixed using wrong responder with multiple certs.

2016-09-12 Thread Maxim Dounin
details: http://hg.nginx.org/nginx/rev/6acbe9964ceb branches: changeset: 6688:6acbe9964ceb user: Maxim Dounin date: Mon Sep 12 20:11:06 2016 +0300 description: OCSP stapling: fixed using wrong responder with multiple certs. diffstat:

Don't process requests containing folders

2016-09-12 Thread Grant
My site doesn't have any folders in its URL structure so I'd like to have nginx process any request which includes a folder (cheap 404) instead of sending the request to my backend (expensive 404). Currently I'm using a series of location blocks to check for a valid request. Here's the last one

[nginx] SSL: improved session ticket callback error handling.

2016-09-12 Thread Sergey Kandaurov
details: http://hg.nginx.org/nginx/rev/dfa626cdde6b branches: changeset: 6687:dfa626cdde6b user: Sergey Kandaurov date: Mon Sep 12 18:57:42 2016 +0300 description: SSL: improved session ticket callback error handling. Prodded by Guido Vranken. diffstat:

[nginx] SSL: factored out digest and cipher in session ticket callback.

2016-09-12 Thread Sergey Kandaurov
details: http://hg.nginx.org/nginx/rev/f28e74f02c88 branches: changeset: 6686:f28e74f02c88 user: Sergey Kandaurov date: Mon Sep 12 18:57:42 2016 +0300 description: SSL: factored out digest and cipher in session ticket callback. No functional changes. diffstat:

Re: [PATCH 2 of 2] Core: add ngx_atomic_store() and ngx_atomic_load()

2016-09-12 Thread Maxim Dounin
Hello! On Wed, Aug 17, 2016 at 05:29:32PM -0700, Piotr Sikora wrote: > # HG changeset patch > # User Piotr Sikora > # Date 1471265532 25200 > # Mon Aug 15 05:52:12 2016 -0700 > # Node ID 40765d8ee4dd29089b0e60ed5b6099ac624e804e > # Parent

Re: nginx not returning updated headers from origin server on conditional GET

2016-09-12 Thread Maxim Dounin
Hello! On Sun, Sep 11, 2016 at 06:56:17AM -0400, jchannon wrote: > I have nginx and its cache working as expected apart from one minor issue. > When a request is made for the first time it hits the origin server, returns > a 200 and nginx caches that response. If I make another request I can see

Re: limit-req and greedy UAs

2016-09-12 Thread c0nw0nk
gariac Wrote: --- > This page has all the secret sauce, including how to limit the number > of connections. > > https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/ > > I set up the firewall with a higher number as

Re: [PATCH] Added the $upstream_connection variable

2016-09-12 Thread Alexey Ivanov
+1 to that. Connection reuse to an upstream is a very important metric for Edge->DC communication. In our production, since we have nginx on both sides, we are gathering that metric from the other side of a connection. I assume not everybody has that luxury, therefore that

Re: limit-req and greedy UAs

2016-09-12 Thread lists
I picked 444 based on the following, though I see your point in that it is a non-standard code. I guess from a multiplier standpoint, returning nothing is as minimal as it gets, but the hacker often sends the message twice due to lack of response. A 304 return to an attempt to log into

Re: nginx not returning updated headers from origin server on conditional GET

2016-09-12 Thread B.R.
From what I understand, 304 answers should not try to modify headers, as the cache having made the conditional request to check the correctness of its entry will not necessarily update it: https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3.5. The last sentence sums it all: '*If* a

Re: limit-req and greedy UAs

2016-09-12 Thread B.R.
You could also generate 304 responses for content you won't provide (cf. return). nginx is good at dealing with loads of requests, no problem on that side. And since return generates an in-memory answer by default, you won't be hammering your resources. If you are CPU or RAM-limited because of