Check the 'context' for the sub_filter directives you are trying to
use. They do not say they can be used with 'if'.
http://nginx.org/en/docs/http/ngx_http_sub_module.html
Also worth reading about using 'if':
https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
You really should use a custom named capture group as the default "$1"
(and $2, $3, $4...) can cause erroneous output if there is any other
capturing going on in your configuration files...
i.e.
location ~ ^/e/(?<x1>.*) {
    return 301 /$x1$is_args$args;
}
As someone else mentioned, be
> Is this kind of DDOS attack or a legitimate request(which my server returns
> 400 for them)?
That's typically how various unicode characters are hex encoded. If
you aren't expecting that kind of input, then yes it is likely an
attack (probably trying to exploit an unknown specific piece of
> Please remove me from all of your contact lists, please. Thank you.
You have to unsubscribe from the mailing list via:
http://mailman.nginx.org/mailman/listinfo/nginx
___
nginx mailing list
nginx@nginx.org
"Is there any way to hide kernel information using Nginx?"
Scanners 'guess' kernel versions based on various TCP options and such
your server supports. Unless you want to kill performance and make
your server look like it's running an older kernel, there is nothing
to be done.
> I am assessing the capabilities and doing a POC on Nginx integration as
> reverse proxy. Are there any pre-configured image with all the protocols and
> the necessary clients to test and demo the capabilities of Nginx or Nginx
> plus? Doing a self-assessment with all the necessary setup on my
How much RAM is on your machine?
Have you tried disabling modsecurity temporarily?
What other (if any) 3rd party modules are you using?
One place you have $mylimit and another is $my_limit (with the underscore).
Mmmm... If you set it to debug you would probably get something to pop
up sooner rather than later
My error log level is set to 'error' and I typically see some ocsp
cert timeouts and the occasional client exceeding my request (rate)
limit settings... Not a lot ends up in the nginx error log
> And the main page caches OK, but any page the resides on the "?page_id" is
> not getting cached. Is there more to the "try_files" that needs applied
> for caching of these permalinks?
Can you be more specific? Which "cache"? Browser cache? Nginx content
cache? try_files has nothing to do with
> location / {
> rewrite .* https://www.dfwelectronicsrecycling.com/$1;
> }
Don't do that...
The correct way when you want to redirect http to https would be:
server {
listen 80;
server_name dfwelectronicsrecycling.com www.dfwelectronicsrecycling.com;
access_log off;
return 301
Your certificate chain is incomplete, and curl is complaining...
https://www.ssllabs.com/ssltest/analyze.html?d=www.dfwelectronicsrecycling.com=on
You should add the Sectigo RSA Domain Validation Secure Server CA to
your cert file, then it will probably be happy...
First, you forgot to escape the period in settings.php to settings\.php
> I'd like to edit the match to PASS that^ logged match -- as
> specifically/uniquely as possible -- but CONTINUE to 'deny all'
> for all other/remaining matches on "config".
Second, it's all in the location documentation:
> My concern is as follows, proxy_cache_min_uses=1 effectively caches
> everything, which is too much... But proxy_cache_min_uses=2 doesn't cache
> enough. I'm struggling to understand exactly how proxy_cache_min_uses works,
> by setting it to 2 nginx needs to somehow know that 2 requests were
> I'd _like_ to setup different SSL cert/key/CA handshake configs to be used
> -- depending on the ingress IP.
You can specify an IP with the listen directive:
http://nginx.org/en/docs/http/ngx_http_core_module.html#listen
So you would end up with two similar copies of each 'server'... The
only
> After 2 minutes the response 'stabilizes' with the correct size (in this example
> 1526025). The problem is also amplified because clients validate the response and retry
> progressively if it is corrupted.
What is the response your upstream is sending back? If the 'corrupted'
data is still a 200, then nginx will cache
To redirect a browser from http to https, you don't need to do an 'if'
or 'rewrite'... The following would be the most efficient (and
simplest)...
server {
listen 80;
server_name myapps.example.com;
access_log off;
return 301 https://$host$request_uri;
}
> Okay. I don't know exactly how the Security Testing Team is able to get the
> kernel information. They use Qualys and Nessus for performing tests. All I
> can say is only port 443 allowed to the server and I thought asking you
> guys if it is from Nginx or is there any way to handle it. Server
> Until it is fixed, however, it would be extremely useful if, in the
> description of the 'map' stanza it mentioned
> that the regexp in 'map' can interfere with the regexp in a 'rewrite'
> directive, in such a way that positional groups in the latter don't
> work.
Yeah, I just realized I posted
> In particular, if limit_req uses a map with regular expressions,
> this might result in $1.$2 to be set to something completely
> different from what was expected from the location matching.
>
> The general rule is: avoid using positional captures from regular
> expressions in location and
I skimmed over the ngx_http_limit_req_module.c and didn't see anything
obvious in relation to file checking, but here's my scenario...
I have a location block that will re-write the requested 'versioned'
file name to the actual common file name, so I can set some things
immutable without having
I've never heard of 'ngx_http_slow_module'... Is there a github page
or similar with the source code?
It's going to take more than just selective snippets if you really
want someone to help debug it...
> # nginx -v
> nginx version: nginx/1.10.3 (Ubuntu)
The last update for that version was over 3 years ago...
Try updating to 1.17.9...
> I have compiled 1.14.2 from source and for some binary analysis, I want to
> measure the response time under multiple connections, e.g. 1000 tcp
> connections. I am talking about sbin/nginx file.
> I didn't find a clear document on that. Does anybody know?
ab (apache bench)
siege
httperf
It's
> The Age header is the HTTP/1.1 way to decrement effective value of
> max-age, see here:
>
> https://tools.ietf.org/html/rfc7234#section-4.2.3
Interesting...
Well, I solved the issue by simply removing the 'max-age' portion from
the 'cache-control' header, keeping the other portion. Expiration
> There is no Age header support in nginx as of now (relevant ticket
> in Trac: https://trac.nginx.org/nginx/ticket/146). If you want
> pages to expire at a specific time regardless of intermediate
> caching, consider using the "Expires" header.
The 'age' header appears to be something else...
This was driving me crazy and I think I've figured out the problem.
I started using the proxy cache (which is great, saves regenerating a
lot of dynamic pages), except a bunch of my pages expire at a very
specific time, at the start of the hour, and my cache-control /
expires headers reflect
For my setup I use the 'upstream' directive, and in that module there
is the 'keepalive' syntax:
https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
I just noticed today in the proxy module there is the
'proxy_socket_keepalive' syntax:
> You can just set the inactive time longer than your possible maximum
> expire time for the objects then the cache manager won't purge the
> cache files even the object is still valid but not accessed.
That's what I ended up doing. Thanks for the suggestion though.
I've been doing some experimenting with nginx's proxy caching and
slowly working the kinks out.
From what I read, the cache-control & expires headers take precedence
over the 'proxy_cache_valid' setting, which is great as certain pages
are valid for several hours at a time.
However, I am
> [crit] 1808#2740: *20747 SSL_read() failed (SSL: error:14095126:SSL
> routines:ssl3_read_n:unexpected eof while reading) while keepalive
Just curious, but were you getting these errors while running 1.1.1d
or they just started after upgrade to 1.1.1e ?
Without you being more specific on HOW you want to block direct
downloads and how extreme you want to prevent it, then it's all just a
wild guess what kind of solution you want.
From the example link you gave for stackoverflow, it sounds like you
just want to prevent hotlinking (i.e. downloading
> Can someone please suggest me to use strong cipher suites for SSL/TLS
> encryption. Thanks in advance and I look forward to hearing from you.
Select your products / versions and what settings you want... It
should give you a good jumpstart on configuration settings:
Well, figured it out... I swear I tried this yesterday, but maybe I
didn't or my configuration was incomplete...
If you use "gzip_static always;" in combination with the below
statements, it works correctly! It sends the compressed response as
expected, and will decompress on-the-fly when
I did a lot of googling and only came up with answers from many years
ago, or unanswered questions. Maybe I'm just not using the right
search keywords, so I figured I would ask the following
Here's my scenario... I have a bunch of static html files that would
be served directly via nginx.
Is
> resolver 8.8.8.8 8.8.4.4 valid=3s ipv6=off;
I doubt this is related to your issue, but any reason you have 'valid'
set to only 3 seconds for your resolver conf? Seems like you could be
doing a lot of unnecessary repetitive lookups because that is set so
low.
> ssl_session_cache
> But when I connect to my website's through website name I get
> net::ERR_SSL_PROTOCOL_ERROR :
Guessing based on the "Certificate Common Name Invalid" is because you
are connecting with "localhost" and "129.168.1.7" whereas your
certificate has the actual DNS hostname...
> I found various code examples to add to the conf file and coupled this
> together and added it to the end of the conf file, but it doesn't work,
> entering a URL directly into the browser serves it
> server {
> location /radio/ {
> valid_referers none blocked server_names ~\.mysite\.;
> testssl.ch still laments about BREACH, when tested against a recent
> nginx 1.16.
>
> Qualys ssllabs doesn't mention it at all.
>
> Is it fixed?
>
> Can you safely enable gzip on ssl-vhosts?
I think you are confusing TLS compression with HTTP compression...
> Can you help us please?
You're going to have to be a *bit* more specific what your problem is...
> I have an application that runs on port 8080.
> Ex: 192.168.1.10:8080/Index.html.
>
> This landing page has basic username and password authentication to access
> it. After login, it changes the port automatically to 8088.
> Ex: 192.168.1.10:8088/#/monitor.
>
> I need external users to access this
> nginx version: nginx-1.9.5
Have you tried updating to a newer version of nginx? The 1.9 branch is
probably 5 years old...
It looks like the code you mention has changed somewhat, though I
don't know if it has any effect on $request_time.
> I want to make it so that NGINX serves up the HTML and images from the
> parent directory and omits the public directory from the URI.
In your case, using "alias" would be the way to go...
http://nginx.org/en/docs/http/ngx_http_core_module.html#alias
> Got it figured out, this is a quirk of HTTP/2.0 vs 1.1. Per RFC-2616:
I tried to follow all your comments on reddit & plex, but I'm not
really sure if you resolved this issue or just decided it was
impossible...
Have you tried using the nginx stream module?
> I enable "ssl_stapling" and "ssl_stapling_verify", and it works fine. But
> sometimes I find a few error messages in error.log, ".Operation
> timed out) while requesting certificate status"; it seems the OCSP server
> of my SSL provider cannot be reached at that time.
>
> I want to
> If that is not doable, then possibly you could patch your nginx to accept
> this invalid header; or possibly you could try some other config-based
> manipulation to make things work the way that you want. I suspect that
> either of those is likely to be more work in the long run than fixing
>
Maybe you can write something with the njs module? Nothing that I have
read in the standard nginx docs or blogs really addresses how you want
to throttle (though it does make sense).
Maybe there is a 3rd party module?
> A typical vhost file is quite simple, it's just a proxy_pass to a backend,
> with some hack to do a retry if we first get an error message (based on
> proxy_intercept_errors). http2 is on. I don't use any caches.
Are you running PHP FPM? If so, check all your process manager
settings. I've
> Well, it looks like I've failed to explain. You can have things
> compressed between servers and then decompressed on the frontend
> server. To do so, you can configure additional proxying on the
> frontend server, for example:
Thanks for the sample configuration, that makes sense with the
> Also note that if you really need to force gunziping for some reason,
> you can do so out of the box by using an additional local proxying
> layer with appropriate "proxy_set_header Accept-Encoding".
Yes, that is how I had it configured before patching, all content
between nginx and the
Recently I was looking into having my upstream server gzip content
that is sent to nginx (which is acting as a reverse proxy) to reduce
local bandwidth. However, I needed to decompress the response so nginx
could do some manipulation, then obviously it would get re-compressed
(typically with
> I'm not a big fan of the location that sets the 418 error_page to the
> @foo_front_controller named location, but I don't know of any other way
> to essentially do a "return @foo_front_controller". Is there a better
> way?
Use "try_files" instead with a filename that will never exist (i.e.