nginx and atlassian crowd

2020-04-11 Thread Alex Samad
Hi What's considered the best way to auth against crowd. I see some old module - 6-7 years untouched https://github.com/kare/ngx_http_auth_crowd_module trying this one but can't compile it also noted crowd does openid

Re: Securing the HTTPS private key

2018-11-15 Thread Alex Samad
Hi isn't this a bit futile, if they can get onto the box that has nginx they can get either the private key or secret to get the private key. safer would be to make it that you need human interaction to start nginx. But still a memory dump of the app would get you the private key. On Fri, 16

Re: no TLS1.3 with 1.15.5

2018-11-04 Thread Alex Samad
Hi Don't you need an openssl that works with 1.3 as well. My sticking point is centos 6 - no openssl that comes with 1.3 - as far as i know A On Mon, 5 Nov 2018 at 06:10, Bogdan via nginx wrote: > Hi, Andreas! > > > I disabled NPN (Next Protocol Negotiation) because, as far as I know (not >

Feature request

2018-07-25 Thread Alex Samad
Hi Not sure where to put this. But I would like to have the ability to add client cert required anywhere on the URI tree so www.abc.com.au/ you can access without a cert but www.abc.com.au/private/ you need a cert www.abc.com.au/public/ no cert needed A

Re: Retaining upstream server

2018-06-20 Thread Alex Samad
Look at sticky session, a routing code in a cookie that helps you decide where to send the packet. So on the 443 set the cookie and on the udp use the cookie in the header to route on the back end On 20 June 2018 at 17:16, nov1ce wrote: > Hello, > > 1.14.0-1 running on Debian Stretch: > > #

Re: Optimizing nginx mail proxy

2018-02-20 Thread Alex Samad
Silly question why not use postfix for this ? On 20 February 2018 at 18:56, Azusa Taroura wrote: > Hi everyone, > > I’m trying to optimize mail-proxy. > My performance test is 1 client sends many request to 1 nginx server. > > > This is my current settings: > >

Re: ip address masking

2018-02-13 Thread Alex Samad
Why not just change the log format to exclude the ip address or put in static ip On 14 February 2018 at 12:46, Tom wrote: > Hi, > > I'm wondering if anyone has successfully masked ip addresses in nginx > before they are written to a log file. > > I understand there are

Re: WordPress pingback mitigation

2017-05-20 Thread Alex Samad
Hi can you give an example of using a map instead of the if statement ? Thanks On 21 May 2017 at 02:35, c0nw0nk wrote: > gariac Wrote: > --- > > I had run Naxsi with Doxi. Trouble is when it cause problems, it

Re: How to restrict access to specific friendly URL by IP in Wordpress site?

2017-05-19 Thread Alex Samad
On 20 May 2017 at 08:00, wrote: > My experience with deny in nginx is the url isn't hidden So you don't want to just restrict access but you want to send a 404 not found unless they come from a specific ip address. I think you should be able to ... but my nginx skills

Re: killed child process

2017-05-19 Thread Alex Samad
te: > Hello! > > On Fri, May 19, 2017 at 11:28:05AM +1000, Alex Samad wrote: > > > Hi > > > > so I have lots of clients on long lived tcp connections , getting rp > into 2 > > back end app servers > > > > I had a line in my error log, saying one

Re: How to restrict access to specific friendly URL by IP in Wordpress site?

2017-05-19 Thread Alex Samad
wouldn't you use location /secret-page/ { allow 1.1.1.1/32; deny all; } a On 19 May 2017 at 17:24, ohmykot wrote: > Hi! > I've got a server with nginx and a wordpress website running on it. > > On the web-site, I have a wordpress page, i.e.

killed child process

2017-05-18 Thread Alex Samad
Hi so I have lots of clients on long lived tcp connections , getting rp into 2 back end app servers I had a line in my error log, saying one of the upstream was failed caused it timeout - then I got this 2017/05/18 13:30:42 [notice] 2662#2662: exiting 2017/05/18 13:30:42 [notice] 2662#2662:

Re: Nginx reload process in detail

2017-04-27 Thread Alex Samad
That's what support have advised me, reload finished the current request and then closes the connection. No longer honors the long lived Alex On 27 April 2017 at 19:21, shivramg94 wrote: > We have a persistent connection to Nginx on which we are issuing https >

xslt question

2017-04-26 Thread Alex Samad
Hi I am using https://gist.github.com/wilhelmy/5a59b8eea26974a468c9 for location /ts/ { #autoindex on; #autoindex_format html; try_files $uri @autoindex; } # need xslt module location @autoindex { autoindex on; autoindex_format xml;

Re: nginx-1.13.0

2017-04-25 Thread Alex Samad
On 26 April 2017 at 00:32, Maxim Dounin wrote: > > *) Change: SSL renegotiation is now allowed on backend connections. > What does this mean ? reason I am asking is I would like to setup a site say example.com, that is SSL, with no need for client certs at root URI

Re: Logging all requests on Nginx

2017-04-19 Thread Alex Samad
Will it not be logged as a timeout either in access or error/log ? On 20 April 2017 at 03:46, aT wrote: > HI , > > Is there a way to log all incoming requests on Nginx . > > Regardless of them being served or not . > > For example, In case of surge of crawler hits , if the

Re: Mechanism to avoid restarting nginx upon every change

2017-04-10 Thread Alex Samad
But long live sessions are closed and I've had lua session information persist with a reload. Needed a restart A On Sun, 9 Apr 2017 at 21:35, B.R. via nginx wrote: > You could have got your answer yourself by Reading The... Fine? Manual: > https://nginx.org/en/docs/control.html

best practise with lua files

2017-03-30 Thread Alex Samad
Hi I have started to use lua files for some dynamic stuff. What's the best practice to secure them? How do I stop them from being downloaded location ~ \.lua$ { send error back } is it best to place all of them into a different directory that isn't under a root ? A

Re: How to exact match a nginx location?

2017-03-27 Thread Alex Samad
so (have a stab at this) location = /mini { equals http://10.21.169.13/mini and not http://10.21.169.13/mini/ or anything else http://10.21.169.13/mini/* try location /mini { or location /mini/ { A On 28 March 2017 at 12:43, Jun Chen via nginx wrote: > > I am

Custom Error pages

2017-03-23 Thread Alex Samad
Hi I got something like this error_page 404 /stderror404.html; location = /stderror400.html { root /var/www/error; content_by_lua_file /var/www/error/stderror400.lua; internal; allow all; } and the lua file has ngx.say( "Your source ip address

Re: Question about custom error pages

2017-03-22 Thread Alex Samad
; > On Tue, Mar 21, 2017 at 11:18 PM, Alex Samad <a...@samad.com.au> wrote: > >> Hi >> >> How would I added custom info to the error page. >> >> Say like for 400 if its a cert error, how can I add that

Question about custom error pages

2017-03-21 Thread Alex Samad
Hi How would I add custom info to the error page. Say like for 400 if it's a cert error, how can I add that to the page and maybe to add in the client's ip address as well A ___ nginx mailing list nginx@nginx.org

Re: Balancing NGINX reverse proxy

2017-03-05 Thread Alex Samad
Hi Firstly, I am fairly new to nginx. From what I understand you have a standard sort of setup. 2 nodes (vm's) with haproxy, allowing nginx to be active / passive. You have SSL requests which once nginx terminates the SSL, it injects a security header / token and then I presume it passes

Re: CRL validation

2017-01-10 Thread Alex Samad
Hi I have a cron script that generates a crl file and places it in a file for nginx to read... I believe I reload nginx after doing this I don't think - happy to be proved wrong - that nginx checks for an ocsp or crl attribute in the cert and makes the relevant request Alex On 11 January 2017 at

Feature request ?

2016-11-20 Thread Alex Samad
Hi I do a lot of stuff with client certs, we have just moved from an inhouse RP to using NGINX. But I find that the amount of information about the client cert is very limited, compared to say squid / apache. For example I am looking for end date for the client cert. It would be nice if this sort

Re: ssllabs A+ rating

2016-11-04 Thread Alex Samad
elying exclusively on one single opinion, e.g. > Qualsys, as THE authoritative source of truth for a 'proper' secure config > is dangerous). > > On Fri, Nov 4, 2016 at 2:20 PM, Alex Samad <a...@samad.com.au> wrote: >> >> Hi >> >> Any one got a write up on how t

ssllabs A+ rating

2016-11-04 Thread Alex Samad
Hi Anyone got a write up on how to get an A+ from this site. I can get an A and I have to support tls1.0 which might be dragging me down !

Re: nginx and FIX server

2016-11-01 Thread Alex Samad
Hi So you have done a setup ? Alex On 2 November 2016 at 08:42, CJ Ess <zxcvbn4...@gmail.com> wrote: > Probably a better solution then most! > > On Fri, Oct 28, 2016 at 10:42 PM, Alex Samad <a...@samad.com.au> wrote: >> >> Hi >> >> Not reall

Re: nginx and FIX server

2016-10-28 Thread Alex Samad
> happy to pay up. > > > > On Fri, Oct 28, 2016 at 1:29 AM, Alex Samad <a...@samad.com.au> wrote: >> >> Hi >> >> yeah I have had a very quick look, just wondering if any one on the >> list had set one up. >> >> Alex >> >>

Re: nginx and FIX server

2016-10-27 Thread Alex Samad
ee the parts about proxy_download_rate and proxy_upload_rate > > On Thu, Oct 27, 2016 at 11:22 PM, Alex Samad <a...@samad.com.au> wrote: >> >> Yep >> >> On 28 October 2016 at 11:57, CJ Ess <zxcvbn4...@gmail.com> wrote: >> > FIX as in the financial information exc

nginx and FIX server

2016-10-27 Thread Alex Samad
Hi anyone set up nginx in front of a fix engine to do rate limiting ? Alex

Re: NGINX not checking OCSP for revoked certificates

2016-10-14 Thread Alex Samad
What I had to do was set the depth to the number or greater than the number of ca's and I had to get all the crl's for each CA and concat into a crl file. On 14 October 2016 at 16:49, Zeal Vora wrote: > Thanks Maxim. > > I tried changing the ssl_verify_depth to 1 from

Re: newbie question

2016-10-12 Thread Alex Samad
im Dounin <mdou...@mdounin.ru> wrote: > Hello! > > On Wed, Oct 12, 2016 at 12:43:12PM +1100, Alex Samad wrote: > >> Hi >> >> I am trying to create a dynamic auth address >> >> >> # grab ssoid >> map $cookie_SSOID $ssoid_cookie { >>

newbie question

2016-10-11 Thread Alex Samad
Hi I am trying to create a dynamic auth address # grab ssoid map $cookie_SSOID $ssoid_cookie { default ""; ~SSOID=(?P<ssoid>.+) $ssoid; } location /imaadmin/ { proxy_cache off; proxy_pass http://IMAAdmin; auth_request /sso/validate?SSOID=$ssoid_cookie=imaadmin;

Re: question about client certs

2016-02-02 Thread Alex Samad
Yep I think thats what i was asking. We have a home grown RP at work that does it and IIS used to do it, apply cert requirements on part of the tree. On 2 February 2016 at 20:56, Aleksandar Lazic <al-ng...@none.at> wrote: > Dear Alex. > > Am 02-02-2016 04:32, schrieb Alex

question about client certs

2016-02-01 Thread Alex Samad
Hi Is it possible with nginx to do this https://www.abc.com / /noclientcert/ /clientcert/ so you can get to / with no client cert, but /clientcert/ you need a cert, but for /noclientcert/ you don't need a cert. Looks like from the config doco you can only set it for the whole tree ... A