Re: Help beating cloudflare

2023-02-02 Thread Lukas Tribus
On Friday, 3 February 2023, Saint Michael wrote: > I have a reverse proxy but the newspaper that I am proxying is > protected by cloudflare, and they block me immediately, even if I use a > different IP. So somehow they know how to identify my reverse-proxy. > How is my request different than a

Re: Your connection is not private error on Android device

2022-11-14 Thread Lukas Tribus
On Mon, 14 Nov 2022 at 22:56, James Read wrote: >> So the file needs to contain first your certificate and then the >> intermediate one. > > > OK. Thanks. I rearranged the file and deleted some certificates. Now sslabs > is reporting no chain issues for Certificate #1: RSA 2048 bits

Re: Your connection is not private error on Android device

2022-11-14 Thread Lukas Tribus
On Mon, 14 Nov 2022 at 21:33, James Read wrote: >> For nginx you need the base64 encoding, which is: >> >> https://ssl-ccp.secureserver.net/repository/sfig2.crt.pem >> > > I tried adding that certificate but sudo nginx -t now returns the following > error: > > nginx: [emerg]

Re: Your connection is not private error on Android device

2022-11-14 Thread Lukas Tribus
On Mon, 14 Nov 2022 at 21:09, Lukas Tribus wrote: > > On Mon, 14 Nov 2022 at 21:00, James Read wrote: > > > > > > > > On Mon, Nov 14, 2022 at 5:58 PM Lukas Tribus wrote: > >> > >> On Mon, 14 Nov 2022 at 17:31, James Read wrote: > >>

Re: Your connection is not private error on Android device

2022-11-14 Thread Lukas Tribus
On Mon, 14 Nov 2022 at 21:00, James Read wrote: > > > > On Mon, Nov 14, 2022 at 5:58 PM Lukas Tribus wrote: >> >> On Mon, 14 Nov 2022 at 17:31, James Read wrote: >> > >> > I have configured SSL on a number of subdomains including >> >

Re: Your connection is not private error on Android device

2022-11-14 Thread Lukas Tribus
On Mon, 14 Nov 2022 at 17:31, James Read wrote: > > I have configured SSL on a number of subdomains including > https://us.wottot.com > > On my PC I can view the resulting web page without any problems so this leads > me to believe the SSL configuration is correct. Wrong, the intermediate

Re: Client can't negotiate with TLS 1.0 and 1.1

2022-08-25 Thread Lukas Tribus
Hello, the *client* you are using to test this is just as important. Adjust CipherString in /etc/ssl/openssl.cnf or the client parameters (-cipher "DEFAULT:@SECLEVEL=0") too. ~# grep SEC /etc/ssl/openssl.cnf CipherString = DEFAULT:@SECLEVEL=2 ~# ~# openssl s_client -connect www.google.com:443

Re: Nginx with OpenSSL 1.1.1n

2022-03-27 Thread Lukas Tribus
On Sun, 27 Mar 2022 at 15:58, Sergey A. Osokin wrote: > > Hi, > > On Sun, Mar 27, 2022 at 02:04:10AM -0400, sukeerthiadiga wrote: > > The Mainline version of Nginx i.e 1.12.6 has the OpenSSL version 1.1.1m and > > it is vulnerable. > > That's a bit far from true. NGINX, as many other products,

Re: SSL Cipher suites settings in Nginx webserver

2021-05-03 Thread Lukas Tribus
On Mon, 3 May 2021 at 18:47, Kaushal Shriyan wrote: > > Hi, > > Is there a way to verify if the below cipher suites set are accurate > and are free from any vulnerabilities? I suggest you use tools like the public Qualys ssltest: https://www.ssllabs.com/ssltest/ or testssl:

AW: Secure connection failed on Firefox

2017-10-06 Thread Lukas Tribus
Hello, > I'm currently testing nginx 1.13.6 x64 on my development machine, which is There is no 1.13.6. > I've tested 5a3ab1b5804b, 46ddff109e72, and 924b6ef942bf and they have the > same problem. Ah so you are running directly from the development tree. In that case, I suggest to bisect it

AW: Scaling nginx caching storage

2017-09-24 Thread Lukas Tribus
> After some researching i've decided to go with individual nginx > nodes for now . If we encounter too much request to our > upstream, i'm gonna set up the multi layer architecture you > mentioned probably While multi layers of nginx cache may help with bandwidth, it wastes huge amount of

AW: Memory usage doubles on reload

2017-09-20 Thread Lukas Tribus
Hello, starting with nginx 1.11.11 you can use worker_shutdown_timeout to limit the amount of time workers stall the shutdown. However, you will still have increased memory usage. You will always have increased memory usage while soft reloading. If you cannot accept that, then you have to stop

AW: MP4 module with pseudo streaming + proxy_cache

2017-09-13 Thread Lukas Tribus
Hello, > thanks for your comment Roman, do you know how these guys did it? > https://www.maxcdn.com/one/tutorial/pseudo-streaming-maxcdn/ Why is pseudo streaming still a thing? With HTML5 video players, everything is handled with RFC compliant range requests and HTML5 video should be supported

AW: DNS Load Balancing keeps getting upstream errors

2017-08-31 Thread Lukas Tribus
Hello, > Also, has anyone tried using nginx for DNS load balancing in production? I would not recommend using nginx to load-balance DNS traffic at all. nginx is just a dumb UDP proxy and I doubt it performs well enough in a DNS setup. dnsdist [1] is written with this purpose in mind and used

AW: ERR_SPDY_PROTOCOL_ERROR Nginx !!

2017-08-02 Thread Lukas Tribus
Hello! > This issue often happens when a cipher is missing in your cipher list and > Chrome tries to use another cipher forbidden in the HTTP/2 spec. Wrong. In that case, Chrome would return: ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY which is different than ERR_SPDY_PROTOCOL_ERROR. Also note

AW: bcrypt

2017-06-23 Thread Lukas Tribus
Hello! > One of the bcrypt scheme main properties is that it allows to > control number of rounds, and thus control hashing speed.  With > low number of rounds it is reasonably fast.  For example, with 2^5 > rounds (default used by htpasswd) it takes about 4 milliseconds > here on a test

AW: HTTP/2 on the Upstream

2017-04-12 Thread Lukas Tribus
> Please watch the clip at https://youtu.be/QpLtBftqM04?t=34m51s until > about 36m12s where Simone Bordet, a Jetty developer, claims that > HA Proxy is a better proxy solution than nginx because it talks > HTTP/2 to the Upstream. This statement is misleading. As of now, haproxy does not support

AW: Ticket #196 followup: disallow spaces in uri by default

2017-04-11 Thread Lukas Tribus
> I think the main question here: is it ok to just drop support for > spaces, or we have to introduce some option to preserve the old > behaviour. My opinion: I think we will need the configuration knob, so there is time to fix the problem, as a client bug is not always immediately fixable.

Ticket #196 followup: disallow spaces in uri by default

2017-04-08 Thread Lukas Tribus
Hello list, in Ticket #196 [1], Maxim Dounin suggested that spaces in URI's could be disallowed by default. As far as I can tell, current code still does not "disallow" those requests (not by default and not via specific configuration either), is that correct? Could this be improved, as per

AW: AW: IPv6 upstream problem

2017-03-03 Thread Lukas Tribus
> But, just curious, why IPv6 upstream can't serve the traffic? Because if you configure IPv6 on your system but don't have IPv6 connectivity, it will try and fail. > If I access the IP Address using browser, it's normal. Because the browser probably recognizes the broken configuration and

AW: IPv6 upstream problem

2017-03-01 Thread Lukas Tribus
> Did anyone have a solution for this? I also have many of these errors logged > because I am using Google Container Engine that does not support IPv6. Try `man gai.conf` to configure getaddrinfo behavior [1]. You could also try forcing an ipv6=no nginx resolver by using a variable: set

AW: AW: AW: AW: SNI and certs.

2016-11-29 Thread Lukas Tribus
> Why should I? I clearly defined the problem/misconfiguration. I don't > really see the need to justify why I want to fix it. To help others, myself included to comprehend a possible problem in similar configurations and learn more about it. After all, this is a community. > Well, you told

AW: AW: AW: SNI and certs.

2016-11-29 Thread Lukas Tribus
> > Does it cause warnings in the webmaster tools? Who cares? > > Does it affect your ranking? I doubt it. > > Does it index pages or error pages from the default website and assign to > > your website? I doubt that even more. > > Does it upset my customer? YES. > > That's all the justification

AW: AW: SNI and certs.

2016-11-29 Thread Lukas Tribus
> > Any real life experience and evidence backing this? > yes Care to elaborate? > Not sure why you're doubting me here Lukas. Yes, this is a problem. No > I'm not making it up. We know that crawlers like Googlebot try HTTPS as well, even if there is no https link towards the website. That

AW: SNI and certs.

2016-11-28 Thread Lukas Tribus
> It seems that search engines are probing https: even for sites that > don't offer it Which is fine. > just because it's available for others, with the end > result that pages are being attributed to the wrong site. Sounds like an assumption. Any real life experience and evidence backing

AW: AW: AW: RE: slow https performance compared to http

2016-11-14 Thread Lukas Tribus
> 4 threads and 4 CPU (both for apache and nginx) with 100% CPU load on test > So, what's the answer now about the http/https (4600/550) ratio for the > specific case I presented? It should perform the same as Apache in this case. ___ nginx mailing list

AW: AW: RE: slow https performance compared to http

2016-11-14 Thread Lukas Tribus
> I agree but I think that separate/different simultaneous users won't use a > common connection so for this very specific scenario keep-alive won't > matter. Of course for every individual user keep-alive will matter but this > aspect for the moment I want to ignore in testing. It does matter,

AW: AW: Nginx Kodi User Agent secure_link blocking / banning

2016-11-02 Thread Lukas Tribus
> Yes the links are generated correctly but because their plugin does not > currently contain the regex to understand ampersands in HTML. If they were to > fix their plugin and use regex to replace the ampersand with & then > the link would work correctly. > > It bothers me because the fix is as

AW: Nginx Kodi User Agent secure_link blocking / banning

2016-11-02 Thread Lukas Tribus
I have a question: secure_link is correctly blocking those requests so it's not generating any traffic. Why does it bother you then, if it is already blocked?

AW: AW: AW: Disabling HTTP/2 for a specific location

2016-08-18 Thread Lukas Tribus
> @Lukas do you mean something like this Yes, that's what I mean. Lukas

AW: HTTP/2 without forward secrecy (Diffie-Hellman)

2016-08-16 Thread Lukas Tribus
> This is a false statement, nginx doesn't do any restriction > regarding HTTP/2 and TLS ciphers configuration. Good thing, likely the restriction is on the browser side and Apache was not configured with the same exact cipher suite. > The list you are mentioning and which is directly linked
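The browser-side restriction Lukas points at here, and in the ERR_SPDY_PROTOCOL_ERROR thread further up (where the right error for a bad cipher would be ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY), is RFC 7540 section 9.2.2: over TLS 1.2, HTTP/2 must not use any suite from the RFC's Appendix A, and that appendix is built from one rule, no ephemeral key exchange or no AEAD cipher. The following is an added example, not nginx code and not from any of the posts: it applies that rule to OpenSSL-style suite names so an ssl_ciphers value can be audited before HTTP/2 is switched on. The function names and the sample suite list are mine; the 2048-bit DHE / 224-bit ECDHE size requirement of section 9.2.1 is not visible from a suite name and is not checked.

```python
"""Audit a TLS 1.2 cipher list for HTTP/2 compatibility (added example; not
nginx code and not from the mailing-list posts).

RFC 7540 9.2.2 forbids, over TLS 1.2, every suite in its Appendix A.  The
appendix is derived from one rule: suites without an ephemeral key exchange
and suites that are not AEAD (null, stream or CBC block ciphers).  Chrome
surfaces a negotiated suite from that list as
ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY.  The classifier below applies that
rule to OpenSSL-style suite names.
"""
import ssl

# OpenSSL name prefixes that denote an ephemeral key exchange.
_EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-")
# AEAD ciphers as they appear in OpenSSL suite names.
_AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def http2_acceptable(suite: str) -> tuple[bool, str]:
    """Return (ok, reason) for one OpenSSL cipher-suite name."""
    name = suite.upper()
    if name.startswith("TLS_"):
        # OpenSSL spells TLS 1.3 suites with the IANA name; all of them are
        # AEAD and TLS 1.3 always uses an ephemeral (EC)DHE exchange.
        return True, "TLS 1.3 suite"
    if not name.startswith(_EPHEMERAL_PREFIXES):
        return False, "no ephemeral key exchange (static RSA/DH, PSK, anon)"
    if not any(marker in name for marker in _AEAD_MARKERS):
        return False, "not an AEAD cipher (CBC, RC4, 3DES are black-listed)"
    return True, "ephemeral key exchange and AEAD cipher"


def rejected_suites(suites: list[str]) -> list[str]:
    """Names from `suites` that RFC 7540 does not allow for HTTP/2."""
    return [s for s in suites if not http2_acceptable(s)[0]]


def audit_cipher_string(cipher_string: str) -> dict[str, list[str]]:
    """Expand an OpenSSL cipher string (what nginx's ssl_ciphers takes) with
    the local OpenSSL and split the result into HTTP/2-usable suites and the
    rest.  The expansion depends on the OpenSSL build Python links against."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    names = [c["name"] for c in ctx.get_ciphers()]
    bad = set(rejected_suites(names))
    return {"http2_ok": [n for n in names if n not in bad],
            "http2_rejected": [n for n in names if n in bad]}


# Constructed sample list, the kind of ssl_ciphers value written before HTTP/2
# existed: a browser that negotiates one of the last three over TLS 1.2 fails
# the connection instead of speaking HTTP/2 on it.
SAMPLE_SUITES = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-SHA384",   # CBC, not AEAD
    "AES128-GCM-SHA256",         # static RSA key exchange
    "DHE-RSA-AES128-SHA",        # CBC and SHA-1
]

if __name__ == "__main__":
    for suite in SAMPLE_SUITES:
        ok, why = http2_acceptable(suite)
        print(f"{suite:32} {'ok' if ok else 'NO'}  {why}")
    print(audit_cipher_string("HIGH:!aNULL"))
```

Run it against the exact string from the server's ssl_ciphers; anything listed under http2_rejected is a suite a TLS 1.2 client may still pick, and Chrome will then refuse the HTTP/2 connection rather than silently fall back.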

AW: AW: Disabling HTTP/2 for a specific location

2016-08-16 Thread Lukas Tribus
Hello, On 08/16/16 07:37, Lukas Tribus wrote: >> I use nginx 1.11.3 with nginx upload module.The problem is that Nginx upload >> module don't support HTTP/2 and thus when you upload you get 500 Internal >> Error. > >> Use a dedicated subdomain, like upload.mywebsite.

AW: Disabling HTTP/2 for a specific location

2016-08-16 Thread Lukas Tribus
> I use nginx 1.11.3 with nginx upload module. The problem is that Nginx upload > module doesn't support HTTP/2 and thus when you upload you get 500 Internal > Error. Use a dedicated subdomain, like upload.mywebsite.com. > For now i am trying to use a separate server block to disable http2 just

AW: HTTP/2 without forward secrecy (Diffie-Hellman)

2016-08-15 Thread Lukas Tribus
Hi, > for a test environment I successfully set up an nginx webserver (1.11.2) > with HTTP/2. > > But for further tests I need to decrypt traffic with wireshark using the > servers private key. The way to do this is to use keyfile from your browser, so wireshark is aware of the symmetric

AW: Issue with HTTP/2 and async file upload from Safari on iOS

2016-07-15 Thread Lukas Tribus
> I was anticipating such a compatibility problem to be fixed in feature stable > but so far it’s looking like we will have to bite the bullet and move to > mainline. > Would I be correct here? It seems for our case at least, feature stable HTTP2 > is not stable for production use at this time.

AW: Issue with HTTP/2 and async file upload from Safari on iOS

2016-07-09 Thread Lukas Tribus
> Any solution other than switching to > https://launchpad.net/~nginx/+archive/ubuntu/development (wich scares the > skull out of me, since this is a production server)? Use nginx provided binaries if compiling from source is not an option: http://nginx.org/en/linux_packages.html#mainline

AW: [nginx] Set IP_BIND_ADDRESS_NO_PORT socket option for upstream sockets.

2016-07-05 Thread Lukas Tribus
>> if (setsockopt(s, IPPROTO_IP, IP_BIND_ADDRESS_NO_PORT > Isn't this a SOL_IP socket option? Actually SOL_IP and IPPROTO_IP are the same thing, so it doesn't make any difference. Sorry for the noise, Lukas

AW: [nginx] Set IP_BIND_ADDRESS_NO_PORT socket option for upstream sockets.

2016-07-05 Thread Lukas Tribus
Hello, > if (setsockopt(s, IPPROTO_IP, IP_BIND_ADDRESS_NO_PORT, Isn't this a SOL_IP socket option? Also, does this cover IPv6? Thanks, Lukas

RE: DNS Caching Issue For community version

2016-05-12 Thread Lukas Tribus
> Even adding the valid parameter the issue was not solved. And what is the issue actually? Just saying "DNS caching issue" and "problem" isn't really helpful.

RE: ssl test causes nginx to crash (SSL_do_handshake() failed)

2016-05-11 Thread Lukas Tribus
> I updated nginx but the problem persists. > > Could it be some sort of misconfiguration of my nginx? No, but I suggest you try reconfiguring your cipher suites anyway to exclude anything kerberos related like previously suggested. Lukas

RE: ssl test causes nginx to crash (SSL_do_handshake() failed)

2016-05-05 Thread Lukas Tribus
> nginx version: nginx/1.2.6 > built by gcc 4.4.4 20100726 (Red Hat 4.4.4-13) (GCC) > [...] > CentOS 6.7 server Try disabling kerberos cipher suites [1], you may be hitting some obscure CentOS/RedHat libc issues [2]. [1]

RE: ssl test causes nginx to crash (SSL_do_handshake() failed)

2016-05-04 Thread Lukas Tribus
> When ssllabs tests for deprecated cipher suites, it stays there forever. > I have to close the ssllabs test page and then my nginx server stays down > until i restart it. Please provide the output of nginx -V.

RE: TLS/SSL Cache Automatic Purge

2016-04-12 Thread Lukas Tribus
Hi, > Just to be perfectly clear: does that mean that session tickets are  > supported for any version of nginx (including OpenSSL 0.9.8f is available? Yes. > So the directive would be kind of 'intercepting' TLS commands, a man in  > the middle of client and OpenSSL?

RE: opinions about Session tickets

2016-04-12 Thread Lukas Tribus
Hi! > I found these two opinions. They suggest to disable session tickets. > > - https://www.farsightsecurity.com/Blog/20151202-thall-hardening-dh-and-ecc/ > - > https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/ > > what do others think about

RE: nginx-1.9.11 -- "Floating point exception" on exec after upgrading 1.9.10 -> 1.9.11

2016-02-10 Thread Lukas Tribus
> I also get a compile error related to Pagespeed: > [...] > /root/ngx_pagespeed-release-1.10.33.4-beta/src/ngx_pagespeed.cc:3148:1: > error: deprecated conversion from string constant to ‘char*’ > [-Werror=write-strings] > }; > ^ > cc1plus: all warnings being treated as errors Apply this patch:

RE: nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)

2016-02-05 Thread Lukas Tribus
> also stated "In Linux (and most other Unix based systems) ports below 1024 > need to be opened using the root user. So you need to start NGINX as root > which will open the port and then drop down to an unprivileged user for the > port." > > Is there a way to achieve this? Configure the user

RE: [nginx] Dynamic modules.

2016-02-05 Thread Lukas Tribus
>> diffs (truncated from 1720 to 300 lines): > > makes this and other mail in the series a bit useless. You are supposed to check out the Mercurial repository, not apply committed patches from the dev list manually if they are committed anyway. Just clone it: hg clone http://hg.nginx.org/nginx and

RE: Nginx / LRO on vmxnet3 / missing ACKs

2016-01-12 Thread Lukas Tribus
> Hello, > > I'm currently investigating an issue with Linux (3.13.0), nginx (1.6.2), > vmxnet3 (1.2.0.0-k-NAPI), IPv6 connections and large receive offload (LRO) > enabled. The workflow we are investigating is a POST of a small file (jpg) > towards a php5-fpm pool. > > From a network (tcpdump)

RE: How about to add splice

2015-12-10 Thread Lukas Tribus
Hi Maxim, >>> It only can be useful for proxying big amounts of data without any >>> processing. But if you need compression, or TLS, or SSI, or even some >>> simple substitution, then splice() cannot be used. >>> >> It should fit in our stream quite nicely. > > Not really, as stream is able to

RE: IPv6, HTTPS, and SNI

2015-12-07 Thread Lukas Tribus
Hi, > listen 80; AFAIK this will make nginx listen to both IPv4 and IPv6 family. Specify the real IPv4 address you want to listen to, to avoid the IPv6 bind. > listen [::]:80; This will make nginx listen to both IPv6 and IPv4 family. Specify ipv6only=on [1] as a keyword to avoid the

RE: 403 forbidden with lynx www browser

2015-11-25 Thread Lukas Tribus
> The server header gives more information but what's displayed in the xhtml > body > of the 403 response is "nginx" only which is what will be displayed in the > user > www browser, and that's mis-leading and unfair for nginx. Maybe somebody > should contact CloudFlare to make them modify their

RE: Redirect request based on source $scheme !!

2015-11-11 Thread Lukas Tribus
> shahzaib1232 Wrote: > --- >> So we're thinking to have some condition in place that if the request >> for >> HTTP embedded link comes from any HTTPS domain , nginx will detect >> that >> source $scheme and redirect that request to HTTPS. What

RE: Problem with http2 huge load average

2015-11-06 Thread Lukas Tribus
> Yes I know, > but it's very strange situation that can't understand. Code is the same, > nothing is changed. Only nginx version and http2 support on host. nginx 1.9.5 has a bug (#800): $server_protocol is empty on HTTP2. This is fixed in nginx 1.9.6, so with 1.9.6 PHP/FCGI for the first time

RE: ignore bad conf file

2015-11-05 Thread Lukas Tribus
> Thanks Lukas! I tried configtest but with 100k files in conf.d, it > takes 3 minutes to finish, during which time there may be another file > dropped in conf.d and trigger another configtest. This sometimes causes > several config test running at the same time. > A reload on the other hand

RE: ignore bad conf file

2015-11-04 Thread Lukas Tribus
> Hi all, > > Is there a way to configure nginx to ignore bad conf files? No, that would lead to inconsistencies all over the place. > My master nginx.conf has an include elsewhere/*.conf towards the end. > Other people and programs can drop new configs into "elsewhere" > directory. nginx

RE: No ALPN, only NPN with http2

2015-11-03 Thread Lukas Tribus
> I'm attempting to deploy http2 with nginx 1.9.6 using teward's Ubuntu > packages (https://launchpad.net/~nginx/+archive/ubuntu/development). I've > got openssl 1.0.2d on both client and server and I'm testing with Chrome > Canary and Firefox 41.0.2. Post "nginx -V" output.

RE: No ALPN, only NPN with http2

2015-11-03 Thread Lukas Tribus
> Ah, this is probably the problem: > > built with OpenSSL 1.0.1f 6 Jan 2014 It is. ALPN is supported only in the 1.0.2 branch. Lukas

RE: nginx 1.9.5 & SPDY

2015-10-30 Thread Lukas Tribus
> I was under the impression that SPDY support had been dropped from > NGINX altogether - > however http://nginx.org/en/docs/http/ngx_http_core_module.html#listen > seems to suggest it might still be possible to select it. Yeah up until 1.9.4: > The spdy parameter (*1.3.15-1.9.4*) allows

RE: ipv6 on nginx.org

2015-10-20 Thread Lukas Tribus
> [root@kackkiste]/home/dkraemer# telnet nginx.org 80 > Trying 2606:7100:1:69::3f... > Connected to nginx.org. > Escape character is '^]'. > HEAD / HTTP/1.0 > > Connection closed by foreign host. You will see the same exact behavior on IPv4: telnet -4 nginx.org 80 Use HTTP/1.1 to get proper

RE: ipv6 on nginx.org

2015-10-20 Thread Lukas Tribus
> Thank you so far! > > > Looks like a problem in our network at work: > > [dkraemer@castleblack:~/] echo -ne "HEAD / HTTP/1.1\nHost: > nginx.org\n\n" |nc -6 nginx.org 80 > HTTP/1.1 200 OK > Server: nginx/1.7.7 > Date: Tue, 20 Oct 2015 11:06:02 GMT > Content-Type: text/html; charset=utf-8 >

RE: SEO gone mad...

2015-10-13 Thread Lukas Tribus
> I'm apparently trying to do something that apache can, but so far, > nothing has worked - everything just ends in a loop. No, you cannot do this, see [1]: > If the target URI's path component is empty, the client MUST > send "/" as the path within the origin-form of request-target. An empty

RE: SEO gone mad...

2015-10-13 Thread Lukas Tribus
> You can, see my map example, used here to redirect http to https except root > (/). That's not what this thread is about. > site.com => tell user we've gone to ssl in plain http > site.com/ => tell user we've gone to ssl in plain http The original poster needs to differentiate between
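Two of the threads above come down to the same piece of HTTP/1.1 grammar. The "SEO gone mad" posts quote RFC 7230 5.3.1: a client whose URL has an empty path must send "/" as the origin-form request-target, so the server receives the identical line for site.com and site.com/ and nothing in nginx can tell them apart. The ticket #196 posts concern spaces inside the URI, which a strict parser cannot accept because request-line is method SP request-target SP HTTP-version and a fourth field makes the line ambiguous. The following is an added example, not nginx code and not from the posts, showing both sides: how a conforming client builds the target, and how a strict server-side parser rejects a space or control character in it. The function names and the sample request lines are mine.

```python
"""Strict HTTP/1.1 request-line handling (added example; not nginx code and
not taken from the mailing-list posts).

  * RFC 7230 5.3.1: an empty URL path becomes "/" in origin-form, so
    http://site.com and http://site.com/ produce the same "GET / HTTP/1.1".
  * request-line = method SP request-target SP HTTP-version.  A space inside
    the target yields four SP-separated fields; a strict parser rejects the
    line instead of guessing which field is the target.
"""
from urllib.parse import urlsplit

# tchar from RFC 7230 3.2.6
_TCHAR = set("!#$%&'*+-.^_`|~0123456789"
             "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")


class BadRequest(ValueError):
    """Raised for a request-line a strict server answers with 400."""


def origin_form(url: str) -> str:
    """Request-target a conforming client sends for `url` (origin-form)."""
    parts = urlsplit(url)
    target = parts.path or "/"            # empty path -> "/" (RFC 7230 5.3.1)
    if parts.query:
        target += "?" + parts.query
    return target


def parse_request_line(line: bytes) -> tuple[str, str, str]:
    """Split one request-line into (method, target, version) or raise."""
    if not line.endswith(b"\r\n"):
        raise BadRequest("request-line must end with CRLF")
    try:
        text = line[:-2].decode("ascii")
    except UnicodeDecodeError:
        raise BadRequest("non-ASCII byte in request-line") from None
    fields = text.split(" ")
    if len(fields) != 3:
        raise BadRequest(f"expected 3 SP-separated fields, got {len(fields)}")
    method, target, version = fields
    if not method or any(c not in _TCHAR for c in method):
        raise BadRequest("method is not a token")
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        raise BadRequest("unsupported HTTP-version")
    if not target or any(c <= " " or c == "\x7f" for c in target):
        raise BadRequest("whitespace or control character in request-target")
    if target == "*" or target.startswith("/"):          # asterisk / origin-form
        return method, target, version
    if target.startswith(("http://", "https://")):      # absolute-form (proxies)
        return method, target, version
    raise BadRequest("request-target is not origin-form, absolute-form or '*'")


def classify(lines: list[bytes]) -> dict[bytes, str]:
    """Map each raw request-line to 'ok' or the reason it was rejected."""
    result = {}
    for line in lines:
        try:
            parse_request_line(line)
            result[line] = "ok"
        except BadRequest as exc:
            result[line] = str(exc)
    return result


# Constructed sample lines (not captured traffic).
SAMPLE_LINES = [
    b"GET / HTTP/1.1\r\n",
    b"GET /docs/index.html?x=1 HTTP/1.1\r\n",
    b"GET /my file.txt HTTP/1.1\r\n",     # space in target: 4 fields
    b"GET /a\tb HTTP/1.1\r\n",            # tab in target
    b"GET docs/index.html HTTP/1.1\r\n",  # not origin-form
    b"GET / HTTP/1.1\n",                  # bare LF
]

if __name__ == "__main__":
    print(origin_form("http://site.com"), origin_form("http://site.com/"))
    for raw, verdict in classify(SAMPLE_LINES).items():
        print(raw, "->", verdict)
```

The client that "fixes" a space by sending it raw is the one that breaks under the strict rule; that is the configuration knob the ticket #196 reply asks for, time to repair such clients rather than a reason to keep guessing server-side.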

RE: time to read packets for HTTP query

2015-09-11 Thread Lukas Tribus
Hi, > I'm running a SAAS service running via NGINX and have been running tcpdump > to look at the incoming packets for HTTP queries. Many of the HTTP queries > are bigger than the MTU of 1,500 bytes and therefore arrive as 2, 3, or 4 > packets. I noticed that for some customers there are

RE: time to read packets for HTTP query

2015-09-11 Thread Lukas Tribus
> Does not seem to do what the GP asked, from the docs: > > $request_time > request processing time in seconds with a milliseconds resolution > (1.3.9, 1.2.6); time elapsed since the first bytes were read from the client "request time" would imply the time (with or without parsing) of the actual

RE: Can thread pool improve performance for such scenario

2015-06-30 Thread Lukas Tribus
Hi All: I am using Nginx as a reverse proxy which provide a web API (HTTP GET ) to client. and the backend application will get request from nginx and do some time-consuming processing (1-2 seconds) then response result to nginx, Nginx return result to client. I think this is synchronize

RE: Content-Type

2015-06-16 Thread Lukas Tribus
Hi, <?php header('Content-Type: text/html;'); That's invalid. Either: text/html; charset=iso-8859-1 or text/html but not with a trailing semicolon. breaks proper Content-Type detection. ... in a Browser, you mean? At least in the 1.6.3 version. What has nginx to do with it and why is
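The grammar behind that reply is RFC 7231 3.1.1.1: media-type = type "/" subtype *( OWS ";" OWS parameter ), with parameter = token "=" ( token / quoted-string ). Every semicolon must be followed by a parameter, so a trailing ";" is not a valid field value even though lenient consumers often swallow it. The following is an added example, not nginx code and not from the post, of a parser that enforces exactly that grammar; the function names and the sample header values are mine.

```python
"""Strict Content-Type (media-type) parsing (added example; not nginx code
and not from the mailing-list posts).

RFC 7231 3.1.1.1: media-type = type "/" subtype *( OWS ";" OWS parameter ),
parameter = token "=" ( token / quoted-string ).  Every ";" must be followed
by a parameter, so "text/html;" is invalid while "text/html" and
"text/html; charset=iso-8859-1" are valid.
"""
import re

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"          # tchar+ from RFC 7230 3.2.6
_QUOTED = r'"(?:[^"\\]|\\.)*"'                     # quoted-string with quoted-pair
_PARAM = re.compile(rf"[ \t]*;[ \t]*({_TOKEN})=({_TOKEN}|{_QUOTED})")
_MEDIA_TYPE = re.compile(
    rf"({_TOKEN})/({_TOKEN})((?:[ \t]*;[ \t]*{_TOKEN}=(?:{_TOKEN}|{_QUOTED}))*)")


def _unquote(value: str) -> str:
    """Turn a quoted-string into its content; tokens are returned unchanged."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_media_type(value: str) -> tuple[str, str, dict[str, str]]:
    """Return (type, subtype, params) for a Content-Type value or raise
    ValueError when the value does not match the RFC 7231 grammar."""
    m = _MEDIA_TYPE.fullmatch(value.strip())
    if m is None:
        raise ValueError(f"invalid media-type: {value!r}")
    params = {name.lower(): _unquote(val)
              for name, val in _PARAM.findall(m.group(3))}
    return m.group(1).lower(), m.group(2).lower(), params


def is_valid_content_type(value: str) -> bool:
    try:
        parse_media_type(value)
        return True
    except ValueError:
        return False


# Constructed sample values (not captured traffic).
SAMPLE_HEADERS = [
    "text/html",
    "text/html; charset=iso-8859-1",
    'text/plain; charset="UTF-8"',
    "text/html;",          # trailing ';' with no parameter: invalid
    "text/html; charset",  # parameter without '=': invalid
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(f"{h!r:36} {'valid' if is_valid_content_type(h) else 'INVALID'}")
```

Browsers that tolerate the trailing semicolon are applying error recovery, not the grammar; a proxy, a cache or a sniffer that does not recover the same way is where the "Content-Type detection breaks" symptom comes from.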

RE: SO_REUSEPORT

2015-06-10 Thread Lukas Tribus
Some errors are still present: [emerg] 19351#19351: duplicate listen options for 0.0.0.0:80 in ... Is there a way to use reuseports for multiple locations? You have to declare it once and only once. Please read: http://nginx.org/en/docs/http/ngx_http_core_module.html#listen Lukas

RE: My site is vulnerable to the SSL FREAK attacks.

2015-04-14 Thread Lukas Tribus
my server is windows server. windows + nginx1.7.10 + tomcat Openssl 1.02 updates have been completed. How, are you recompiling nginx on your own? Nginx binary comes bundled with openssl, not sure you are able to update openssl on your own. Get nginx 1.7.12, it bundles with openssl-1.0.1m.

RE: My site is vulnerable to the SSL FREAK attacks.

2015-04-14 Thread Lukas Tribus
I updated to the nginx-1.7.12 version, but same error. What error? How exactly do you come to the conclusion that your site is vulnerable?

RE: My site is vulnerable to the SSL FREAK attacks.

2015-04-14 Thread Lukas Tribus
I tested this site, https://tools.keycdn.com/freak; result message: Vulnerable! The domain www.ktkumhorent.com:443 is vulnerable to the SSL FREAK attacks. Right, also see: https://www.ssllabs.com/ssltest/analyze.html?d=ktkumhorent.com Your site is extremely vulnerable, it even allows

RE: Core Dumps on 1.7.12 with SPDY

2015-04-12 Thread Lukas Tribus
Hello I'm running Nginx installed from the nginx.org repos on a Ubuntu Server 14.04. There are about a dozen different sites running on this server, mostly using PHP-FPM backend. They are gonna need a backtrace from that coredump: http://wiki.nginx.org/Debugging#Core_dump Lukas

RE: 502 Gateway Timeout with error exited on signal 7 (SIGBUS) after clearing cache (nginx with php5-fpm)

2015-03-29 Thread Lukas Tribus
installed on a openVZ VPS with 24GB Ram and 12 Cores also tested on a physical machine with 32GB ram and 8 cores. both managed with ISPconfig3. PHP 5.4.39-1~dotdeb.1 (fpm-fcgi) (built: Mar 22 2015 08:08:54) nginx/1.6.2 mysql PHP crashes, report the problem to whoever is providing support

RE: AES-NI support with nginx

2015-03-10 Thread Lukas Tribus
I'm very interested in this issue I have a problem with use openssl version and engine AES-NI Detail my question: http://stackoverflow.com/questions/28939825/how-to-config-openssl-engine-aes-ni-in-nginx Please suggest a solution for me. Use official openssl distributions, not some github

RE: BoringSSL build issue

2015-02-15 Thread Lukas Tribus
Hello, I get the following error when I try to build nginx 1.7.10 against boringssl latest revision: What do you mean by latest revision? Latest 2.1.3 or the current git tree on github, or cloned from CVS? I don't really see how this could happen, libressl didn't remove this definition.

RE: BoringSSL build issue

2015-02-15 Thread Lukas Tribus
https://boringssl.googlesource.com/boringssl They didn't release yet so I just cloned the repo ! Sorry, I was thinking about libressl instead. BoringSSL removed SSL_R_BLOCK_CIPHER_PAD_IS_WRONG return errors in commits 1e52ecac4d and 29b186736c, and the definition was finally removed in commit

RE: Intermittent SSL Handshake Errors

2015-02-06 Thread Lukas Tribus
We've been unable to reproduce it with any one browser or IP address. It really is very intermittent. Fortunately, I believe we've gotten to the bottom of this. It looks like our data center switched us over to anti-DDoS route. This means all of our traffic has been passing through hardware

RE: CVE-2011-4968 Fix Included in Which Release?

2015-02-02 Thread Lukas Tribus
Hello. I am well aware that CVE-2011-4968 had a fix included for it (based on http://trac.nginx.org/nginx/ticket/13 and http://trac.nginx.org/nginx/changeset/060c2e692b96a150b584b8e30d596be1f2defa9c/nginx) however I do not see an entry for it in the changelog. With what release/version did

RE: Dynamic/Wildcard SSL certificates with SNI ?

2015-01-16 Thread Lukas Tribus
allowing demand-driven, request-time loading of certificate files I don't think that's possible with openssl, especially in an event-driven application like nginx. That having been said, haproxy has a nice functionality: you can just point to one or more directories and haproxy will load every

RE: Bug re: openssl-1.0.1

2015-01-12 Thread Lukas Tribus
I did an ssldump and this is the conversation between both servers: This ssldump seems incomplete, there is no response. Please post the full ssldump. The bug is probably neither in openssl nor in nginx, but in the origin server (but we don't have the full handshake here). Since nginx 1.5.6,

RE: Nginx Configuration saying Not found. Why and How to get rid of it?

2015-01-09 Thread Lukas Tribus
Hi, I am compiling and installing NGinx from source [...] checking for sys/filio.h ... not found checking for /dev/poll ... not found checking for kqueue ... not found checking for crypt() ... not found checking for F_READAHEAD ... not found checking for F_NOCACHE ... not found checking

RE: Bug re: openssl-1.0.1

2015-01-06 Thread Lukas Tribus
Hi All I'm trying to use nginx to also proxy to owa. I am getting the error peer closed connection in SSL handshake while SSL handshaking to upstream I have read that this is due to a bug and that the solution is to downgrade to openssl 1.0 Where did you read that? From the

RE: Bug re: openssl-1.0.1

2015-01-06 Thread Lukas Tribus
Hi. Thanks for replying. I read it in two places. Here are the links. 1. http://serverfault.com/questions/436737/forcing-a-particular-ssl-protocol-for-an-nginx-proxying-server 2. http://w3facility.org/question/forcing-a-particular-ssl-protocol-for-an-nginx-proxying-server/

RE: Bug re: openssl-1.0.1

2015-01-06 Thread Lukas Tribus
I guess are running with an nginx executable from a third party, that has been linked to an older release of openssl. Since you can reproduce it with openssl s_client, it probably is more complicated than that. can you provide an ssldump of the failed connection attempt? Lukas

RE: SPDY for http?

2014-12-19 Thread Lukas Tribus
Now I'm curious. I have a setup that uses nginx to terminate SSL (listen 443 ssl spdy) that proxies to varnish, which in turn proxies and routes to various nginx servers with only a listen 80 directive. If I'm understanding your statement correctly, if varnish and the backend nginx

SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS

2014-12-17 Thread Lukas Tribus
# HG changeset patch # User Lukas Tribus luky...@hotmail.com # Date 1418825570 -3600 # Wed Dec 17 15:12:50 2014 +0100 # Node ID 923f5d7061b6df59fb1d28c70379da8b9daf1c8c # Parent a23c35496c2fc0ba9a34d968c2ca6d1f9374f8a8 SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS OpenSSL or its

RE: Boringssl + Nginx 1.8.7

2014-12-17 Thread Lukas Tribus
Hi, I am trying to compile boringssl against nginx. I've got an error while compiling: This is due to: https://boringssl.googlesource.com/boringssl/+/e319a2f73a30147ae118190397a558b8a2a24733%5E%21/ Can you try the attached patch against nginx which safeguards

RE: XP/IE8 HTTPS support :(

2014-10-20 Thread Lukas Tribus
I have a few users that are having issues with my website now that I disabled SSLv3. Turns out the only cipher that would/should work with XP/IE8 is TLS1.0: TLS_RSA_WITH_3DES_EDE_CBC_SHA (there are two RC4's that also work, but I understand that is really not recommended). Can anyone

RE: nginx centos build only supports SSLv3 and ignores ssl_protocols

2014-10-01 Thread Lukas Tribus
thanks for your note -- i totally forgot to give specifics: - CentOS 6.5, x64, totally up2date - OpenSSL 1.0.1e-fips 11 Feb 2013 - nginx-1.6.2-1.el6.ngx.x86_64 (from nginx repo) - openssl-1.0.1e-16.el6_5.15.x86_64 - openssl-devel-1.0.1e-16.el6_5.15.x86_64 i did rebuild your src rpm on my

RE: nginx centos build only supports SSLv3 and ignores ssl_protocols

2014-10-01 Thread Lukas Tribus
btw, it seems impossible to have ... ssl_protocols TLSv1.2; ... and a testresult of SSLv2 NOT offered (ok) SSLv3 offered TLSv1 not offered TLSv1.1 not offered TLSv1.2 not offered No, it's very possible. An SSL_CTX_set_ssl_version() call can fail, or the call itself can be #ifdef'ed

RE: NGINX SSL passthrough without certificate

2014-09-05 Thread Lukas Tribus
Hi, We currently have a backend server that listens for SSL requests, and (using SNI) chooses to pass them on to the correct place, or alternatively will serve the requested HTTPS. Our current configuration is slow (not painfully, just slower than we'd like), and we figured having NGINX do

RE: NGINX SSL passthrough without certificate

2014-09-05 Thread Lukas Tribus
Hi, Hi Lukas, While HAProxy is able to do some of those things (not sure about X-FORWARDED-FOR workarounds?) Yes, haproxy supports and pushes the PROXY protocol for this exact reason. I'd still prefer to use NGINX where possible (for other reasons, such as PageSpeed support, etc)

Re: Significant increase in number of connections after renewing SSL certificate

2014-09-01 Thread Lukas Tribus
Hi, Hello. We recently renewed our SSL certificate. After reloading nginx the number of connections increased significantly even if the number of requests remained the same. Does ssltest [1] show any chain issues? Any other warnings from that report? Regards, Lukas [1]

Re: Significant increase in number of connections after renewing SSL certificate

2014-09-01 Thread Lukas Tribus
Hello. No, our site's grade is A. Grade is irrelevant. Does it have chain issues or not (read: does ssltest report chain issues: none)?

RE: help debugging nginx core dump

2014-08-19 Thread Lukas Tribus
anyone? Help please. I am pretty much stuck. Thanks - try without third party module - update the third party module lukas

RE: Building nginx with TCP_FASTOPEN enabled

2014-08-10 Thread Lukas Tribus
Yes, you're right. glibc was the problem. I tried to build an nginx deb package on a development machine with updated glibc libs and installed it on the production server. Don't upgrade libc because of this (it will mess your system up). Just define it manually when compiling nginx by passing

RE: GeoIP FirstNonPrivateXForwardedForIP

2014-06-23 Thread Lukas Tribus
Hello, Can someone please look into this.. I need it for proper website functionality. I don't see why you would need it once you properly set up the proxy whitelist?

RE: Download full mp4 file with proxy_cache or proxy_store !!

2014-06-21 Thread Lukas Tribus
Hi, @Lukas, we're using nginx-1.6 and byte range caching is already enabled by default(i guess). Below is the curl request :- curl -H Range:bytes=16- -I http://videos.files.com/files/videos/2014/06/20/14032606291de19-360.mp4 HTTP/1.1 206 Partial Content Server: nginx Date:

RE: Download full mp4 file with proxy_cache or proxy_store !!

2014-06-19 Thread Lukas Tribus
we're using two servers (one proxy and one backend). Proxy server is using proxy_cache to cache mp4 files from backend server and working fine. When I stream a full video from cache, the header response gives me the cache-status: HIT but whenever I seek the mp4 file i.e

RE: Optimization of Nginx for 128 MB RAM VPS

2014-06-18 Thread Lukas Tribus
Hello, I have a 128 MB RAM VPS with 1 vcore of 2,2 GHz x86_64 CPU. The CPU is much faster than the Raspberry one so that is not a problem but the RAM usage, I think, is. Could you help me optimize my Nginx installation? Is this really needed? Nginx doesn't use much RAM usually. How much

RE: Caching servers in Local ISPs !!

2014-06-18 Thread Lukas Tribus
Hi, ok, but i have no idea why ISP is asking for BGP and matter of fact is, i'll have to make BGP work somehow, so local caching server will fetch the new subnets from ISP router automatically (and i don't know how). I strongly suggest you hire some consultant who can help you setting all
