Проксирование SSL трафика для клиентов с авторизацией по сертификату

2018-03-06 Thread digger 
На территории клиента за NAT стоит http-сервер с адресом из локальной сети.
Я делаю к нему доступ с сервера в датацентре с помощью nginx и OpenVPN. При
этом клиент, написанный на Perl, использует авторизацию по сертификату.

Цепочка серверов выглядит так:

[Сервер в датацентре] -> [ Сервер OpenVPN и nginx в датацентре] ->
[NAT]->[сервер nginx у клиента]->[сервер http у клиента]

Все это задумано для того, чтобы перловые скрипты, работающие на сайте в
датацентре, могли обращаться к серверу http, который стоит в офисе клиента.
Этот http сервер имеет серый IP из локальной сети клиента.

Без авторизации все прекрасно работает. 
Также нет проблем, когда скрипт Perl с авторизацией по сертификату
запускается на сервере nginx у клиента, обращаясь по адресу, выданному
OpenVPN.

Однако у меня не получается настроить nginx в датацентре таким образом,
чтобы я мог запускать скрипт с авторизацией по сертификату на сервере в
датацентре. 

При этом запросы должны проходить через два сервера nginx - вначале они
попадают по белому адресу на сервер nginx а датацентре, затем уже по адресу
OpenVPN попадают на nginx в фоисе клиента, и уже потом - на сервер http в
офисе клиента.

Подскажите, пожалуйста, как настроить первый из этих серверов nginx,
расположенный в датацентре по белому адресу IP, чтобы он мог проксировать
(или делать редирект?) на второй сервер nginx запросы из скрипта Perl с
авторизацией по сертификату?

Спасибо!

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?21,278948,278948#msg-278948

___
nginx-ru mailing list
nginx-ru@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-ru

Re: thread_pool in Windows

2018-03-06 Thread Sergey Sandler 
Thank you, Valentin.

There is something I am missing. Please see the start of the error.log
below,

2018/03/04 14:05:50 [notice] 5144#9212: using the "select" event method
2018/03/04 14:05:50 [notice] 5144#9212: using the "select" event method
2018/03/04 14:05:50 [notice] 5144#9212: nginx/1.12.2
2018/03/04 14:05:50 [notice] 5144#9212: nginx/1.12.2
2018/03/04 14:05:50 [info] 5144#9212: OS: 260200 build:9200, "", suite:300,
type:1
2018/03/04 14:05:50 [notice] 5144#9212: start worker processes
2018/03/04 14:05:50 [notice] 5144#9212: start worker processes
2018/03/04 14:05:50 [notice] 5144#9212: start worker process 13648
2018/03/04 14:05:50 [notice] 5144#9212: start worker process 13648
2018/03/04 14:05:51 [notice] 13648#4924: nginx/1.12.2
2018/03/04 14:05:51 [notice] 13648#4924: nginx/1.12.2
2018/03/04 14:05:51 [info] 13648#4924: OS: 260200 build:9200, "", suite:300,
type:1
2018/03/04 14:05:51 [notice] 13648#4924: create thread 17496
2018/03/04 14:05:51 [notice] 13648#4924: create thread 17496
2018/03/04 14:05:51 [notice] 13648#4924: create thread 16328
2018/03/04 14:05:51 [notice] 13648#4924: create thread 16328
2018/03/04 14:05:51 [notice] 13648#4924: create thread 13940
2018/03/04 14:05:51 [notice] 13648#4924: create thread 13940

There is a single process (worker_processes  1 in the nginx.conf), with
seemingly three threads (not sure why the lines in the log file are
duplicated). Is the purpose of the additional threads to read static files
(from the server)?

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,278909,278946#msg-278946

___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Check the size of one of the request header in nginx conf

2018-03-06 Thread Aziz Rozyev 
by the way, there is easier solution to this (thanks to Ruslan Ermilov)

something like this:

map $http_ $disabled {
^.{65,} 1
}

location / {
  if $disable {
 return 404;
  }
  proxy_pass http://upstream;
}
 

br,
Aziz.





> On 6 Mar 2018, at 15:16, Aziz Rozyev  wrote:
> 
> hi,
> 
> I think you can do such a checking with lua/njs modules.
> 
> 
> br,
> Aziz.
> 
> 
> 
> 
> 
>> On 6 Mar 2018, at 15:13, mejetjoseph  wrote:
>> 
>> Dear Team,
>> 
>> I would like to know is it possible to check the size of one of header
>> values in nginx conf file . I need to reset the header value if the size of
>> this header value exceed 64 character.
>> 
>> Could you please provide can I able to do this condition check in ngnix conf
>> file?
>> 
>> 
>> Kind regards,
>> Joseph
>> 
>> Posted at Nginx Forum: 
>> https://forum.nginx.org/read.php?2,278940,278940#msg-278940
>> 
>> ___
>> nginx mailing list
>> nginx@nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
> 

___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Routing based on ALPN

2018-03-06 Thread Vladimir Homutov 
On Sun, Feb 25, 2018 at 08:16:18PM +0100, Wiktor Kwapisiewicz via nginx wrote:
> >> Is there a way to access and save ALPN value to a variable?
> >
> > It should possible to parse the incoming buffer with 
> > https://nginx.org/r/js_filter and create a variable to make a routing 
> > decision on.
> >
>
> Excellent idea for quickly solving this problem, thanks!
>
> Would a long term solution involve creating a new, additional variable
> in the ssl_preread module (e.g. ssl_preread_alpn)?
>

below is the initial version of patch that creates the
"$ssl_preread_alpn_protocols" variable; the content is a comma-separated
list of protocols, sent by client in ALPN extension, if present.

Any feedback is appretiated.

# HG changeset patch
# User Roman Arutyunyan 
# Date 1520346970 -10800
#  Tue Mar 06 17:36:10 2018 +0300
# Node ID edea1fea2b3970889946d38a077c7f3ed98613f5
# Parent  265c29b0b8b8c54b1c623268481ed85324ce3c79
Stream ssl_preread: $ssl_preread_alpn_protocols variable.

The variable keeps a comma-separated list of ALPN protocol names sent by client.

diff --git a/src/stream/ngx_stream_ssl_preread_module.c 
b/src/stream/ngx_stream_ssl_preread_module.c
--- a/src/stream/ngx_stream_ssl_preread_module.c
+++ b/src/stream/ngx_stream_ssl_preread_module.c
@@ -17,10 +17,12 @@ typedef struct {
 typedef struct {
 size_t  left;
 size_t  size;
+size_t  ext;
 u_char *pos;
 u_char *dst;
 u_char  buf[4];
 ngx_str_t   host;
+ngx_str_t   alpn;
 ngx_log_t  *log;
 ngx_pool_t *pool;
 ngx_uint_t  state;
@@ -32,6 +34,8 @@ static ngx_int_t ngx_stream_ssl_preread_
 ngx_stream_ssl_preread_ctx_t *ctx, u_char *pos, u_char *last);
 static ngx_int_t ngx_stream_ssl_preread_server_name_variable(
 ngx_stream_session_t *s, ngx_stream_variable_value_t *v, uintptr_t data);
+static ngx_int_t ngx_stream_ssl_preread_alpn_protocols_variable(
+ngx_stream_session_t *s, ngx_stream_variable_value_t *v, uintptr_t data);
 static ngx_int_t ngx_stream_ssl_preread_add_variables(ngx_conf_t *cf);
 static void *ngx_stream_ssl_preread_create_srv_conf(ngx_conf_t *cf);
 static char *ngx_stream_ssl_preread_merge_srv_conf(ngx_conf_t *cf, void 
*parent,
@@ -85,6 +89,9 @@ static ngx_stream_variable_t  ngx_stream
 { ngx_string("ssl_preread_server_name"), NULL,
   ngx_stream_ssl_preread_server_name_variable, 0, 0, 0 },
 
+{ ngx_string("ssl_preread_alpn_protocols"), NULL,
+  ngx_stream_ssl_preread_alpn_protocols_variable, 0, 0, 0 },
+
   ngx_stream_null_variable
 };
 
@@ -175,7 +182,7 @@ static ngx_int_t
 ngx_stream_ssl_preread_parse_record(ngx_stream_ssl_preread_ctx_t *ctx,
 u_char *pos, u_char *last)
 {
-size_t   left, n, size;
+size_t   left, n, size, ext;
 u_char  *dst, *p;
 
 enum {
@@ -192,7 +199,10 @@ ngx_stream_ssl_preread_parse_record(ngx_
 sw_ext_header,  /* extension_type, extension_data length */
 sw_sni_len, /* SNI length */
 sw_sni_host_head,   /* SNI name_type, host_name length */
-sw_sni_host /* SNI host_name */
+sw_sni_host,/* SNI host_name */
+sw_alpn_len,/* ALPN length */
+sw_alpn_proto_len,  /* ALPN protocol_name length */
+sw_alpn_proto_data  /* ALPN protocol_name */
 } state;
 
 ngx_log_debug2(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
@@ -201,6 +211,7 @@ ngx_stream_ssl_preread_parse_record(ngx_
 state = ctx->state;
 size = ctx->size;
 left = ctx->left;
+ext = ctx->ext;
 dst = ctx->dst;
 p = ctx->buf;
 
@@ -299,10 +310,18 @@ ngx_stream_ssl_preread_parse_record(ngx_
 break;
 
 case sw_ext_header:
-if (p[0] == 0 && p[1] == 0) {
+if (p[0] == 0 && p[1] == 0 && ctx->host.data == NULL) {
 /* SNI extension */
 state = sw_sni_len;
-dst = NULL;
+dst = p;
+size = 2;
+break;
+}
+
+if (p[0] == 0 && p[1] == 16 && ctx->alpn.data == NULL) {
+/* ALPN extension */
+state = sw_alpn_len;
+dst = p;
 size = 2;
 break;
 }
@@ -313,6 +332,7 @@ ngx_stream_ssl_preread_parse_record(ngx_
 break;
 
 case sw_sni_len:
+ext = (p[0] << 8) + p[1];
 state = sw_sni_host_head;
 dst = p;
 size = 3;
@@ -328,6 +348,13 @@ ngx_stream_ssl_preread_parse_record(ngx_
 state = sw_sni_host;
 size = (p[1] << 8) + p[2];
 
+if (ext < 3 + size) {
+ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
+   "ssl preread: SNI format error");
+return NGX_DECLINED;
+}
+ext -= 3 + size;
+
 ctx->host.data = ngx_pnalloc(ctx->pool, size);
 if

Re: thread_pool in Windows

2018-03-06 Thread Valentin V. Bartenev 
On Monday 05 March 2018 19:46:42 Sergey Sandler wrote:
> Hi Maxim,
> 
> Thank you for prompt reply.
> 
> I suspect there would be no delays/timeouts if there was a single thread in
> nginx that communicates with the upstream server.
> There is no simple way to restrict nginx threads number to one in Windows?
> 
[..]

nginx currently cannot use more than one thread in Windows for all operations.

Support for thread pool means adding support for more threads.  Moreover, thread
pools in nginx are used only for reading and writing files.  They are never used
for connections.

  wbr, Valentin V. Bartenev

___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Check the size of one of the request header in nginx conf

2018-03-06 Thread mejetjoseph 
Dear Team,

I would like to know is it possible to check the size of one of header
values in nginx conf file . I need to reset the header value if the size of
this header value exceed 64 character.

Could you please provide can I able to do this condition check in ngnix conf
file?


Kind regards,
Joseph

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,278940,278940#msg-278940

___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Stream module logging questions

2018-03-06 Thread Grzegorz Kulewski 
W dniu 06.03.2018 o 09:24, Maxim Konovalov pisze:
> Hi Grzegorz,
> 
> [..]
 3. I think that $tcpinfo_* aren't supported in stream. Is
 there any reason for this?
>>>
>>> There's a number of http module features still missing in
>>> stream. This is one of them.
>>
>> I can offer virtual (and real if in Poland) beer for adding this.
>> :)
>>
> Just wonder, how do you use this info in http?  Is it useful for you?

Hello,

We are using it mainly as an aid in debugging since we have sometimes clients 
with *very* poor internet connection (for example from Africa).

Also we are considering to use it to detect extremely badly GeoDNS routed 
clients and maybe as a test platform for clients to aid our further GeoDNS 
decissions.

I think this feature is not a silver bullet that solves all the problems but it 
can be usefull in some cases and should be easy to add to stream in nginx and 
to any other program.

-- 
Grzegorz Kulewski
___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Stream module logging questions

2018-03-06 Thread Maxim Konovalov 
Hi Grzegorz,

[..]
>>> 3. I think that $tcpinfo_* aren't supported in stream. Is
>>> there any reason for this?
>> 
>> There's a number of http module features still missing in
>> stream. This is one of them.
> 
> I can offer virtual (and real if in Poland) beer for adding this.
> :)
> 
Just wonder, how do you use this info in http?  Is it useful for you?

-- 
Maxim Konovalov
___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Stream module logging questions

2018-03-06 Thread Grzegorz Kulewski 
Hello,

Thank you for your answer.


W dniu 01.03.2018 o 12:52, Roman Arutyunyan pisze:
> Hello,
> 
> On Thu, Mar 01, 2018 at 04:06:09AM +0100, Grzegorz Kulewski wrote:
>> Hello,
>>
>> 1. How can I log the IP and (especially) the port used by nginx (proxy) to 
>> connect to upstream when stream module is used?
>> 2. Can I somehow get a log entry also/instead at stream connection setup 
>> time, not only after it ends?
> 
> Stream module logs this in error.log with 'info' log level as soon as this
> information is available:
> 
> 2018/03/01 14:37:27 [info] 38462#0: *1 client 127.0.0.1:61020 connected to 
> 0.0.0.0:9000
> 2018/03/01 14:37:27 [info] 38462#0: *1 proxy 127.0.0.1:61021 connected to 
> 127.0.0.1:8001

Yes, I know about it. It would be really useful to have it in access log (== in 
some variable) too. Do you think you could add that?

Also it would be really usefull to have access_log_connect and 
access_log_upstream_connect directives in addition to access_log that enable 
logging things on connect and upstream connect, not only on disconnect.


>> 3. I think that $tcpinfo_* aren't supported in stream. Is there any reason 
>> for this?
> 
> There's a number of http module features still missing in stream.
> This is one of them.

I can offer virtual (and real if in Poland) beer for adding this. :)

-- 
Grzegorz Kulewski
___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx