Проксирование SSL трафика для клиентов с авторизацией по сертификату
На территории клиента за NAT стоит http-сервер с адресом из локальной сети. Я делаю к нему доступ с сервера в датацентре с помощью nginx и OpenVPN. При этом клиент, написанный на Perl, использует авторизацию по сертификату. Цепочка серверов выглядит так: [Сервер в датацентре] -> [ Сервер OpenVPN и nginx в датацентре] -> [NAT]->[сервер nginx у клиента]->[сервер http у клиента] Все это задумано для того, чтобы перловые скрипты, работающие на сайте в датацентре, могли обращаться к серверу http, который стоит в офисе клиента. Этот http сервер имеет серый IP из локальной сети клиента. Без авторизации все прекрасно работает. Также нет проблем, когда скрипт Perl с авторизацией по сертификату запускается на сервере nginx у клиента, обращаясь по адресу, выданному OpenVPN. Однако у меня не получается настроить nginx в датацентре таким образом, чтобы я мог запускать скрипт с авторизацией по сертификату на сервере в датацентре. При этом запросы должны проходить через два сервера nginx - вначале они попадают по белому адресу на сервер nginx а датацентре, затем уже по адресу OpenVPN попадают на nginx в фоисе клиента, и уже потом - на сервер http в офисе клиента. Подскажите, пожалуйста, как настроить первый из этих серверов nginx, расположенный в датацентре по белому адресу IP, чтобы он мог проксировать (или делать редирект?) на второй сервер nginx запросы из скрипта Perl с авторизацией по сертификату? Спасибо! Posted at Nginx Forum: https://forum.nginx.org/read.php?21,278948,278948#msg-278948 ___ nginx-ru mailing list nginx-ru@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-ru
Re: thread_pool in Windows
Thank you, Valentin. There is something I am missing. Please see the start of the error.log below, 2018/03/04 14:05:50 [notice] 5144#9212: using the "select" event method 2018/03/04 14:05:50 [notice] 5144#9212: using the "select" event method 2018/03/04 14:05:50 [notice] 5144#9212: nginx/1.12.2 2018/03/04 14:05:50 [notice] 5144#9212: nginx/1.12.2 2018/03/04 14:05:50 [info] 5144#9212: OS: 260200 build:9200, "", suite:300, type:1 2018/03/04 14:05:50 [notice] 5144#9212: start worker processes 2018/03/04 14:05:50 [notice] 5144#9212: start worker processes 2018/03/04 14:05:50 [notice] 5144#9212: start worker process 13648 2018/03/04 14:05:50 [notice] 5144#9212: start worker process 13648 2018/03/04 14:05:51 [notice] 13648#4924: nginx/1.12.2 2018/03/04 14:05:51 [notice] 13648#4924: nginx/1.12.2 2018/03/04 14:05:51 [info] 13648#4924: OS: 260200 build:9200, "", suite:300, type:1 2018/03/04 14:05:51 [notice] 13648#4924: create thread 17496 2018/03/04 14:05:51 [notice] 13648#4924: create thread 17496 2018/03/04 14:05:51 [notice] 13648#4924: create thread 16328 2018/03/04 14:05:51 [notice] 13648#4924: create thread 16328 2018/03/04 14:05:51 [notice] 13648#4924: create thread 13940 2018/03/04 14:05:51 [notice] 13648#4924: create thread 13940 There is a single process (worker_processes 1 in the nginx.conf), with seemingly three threads (not sure why the lines in the log file are duplicated). Is the purpose of the additional threads to read static files (from the server)? Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278909,278946#msg-278946 ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
Re: Check the size of one of the request header in nginx conf
by the way, there is easier solution to this (thanks to Ruslan Ermilov) something like this: map $http_ $disabled { ^.{65,} 1 } location / { if $disable { return 404; } proxy_pass http://upstream; } br, Aziz. > On 6 Mar 2018, at 15:16, Aziz Rozyevwrote: > > hi, > > I think you can do such a checking with lua/njs modules. > > > br, > Aziz. > > > > > >> On 6 Mar 2018, at 15:13, mejetjoseph wrote: >> >> Dear Team, >> >> I would like to know is it possible to check the size of one of header >> values in nginx conf file . I need to reset the header value if the size of >> this header value exceed 64 character. >> >> Could you please provide can I able to do this condition check in ngnix conf >> file? >> >> >> Kind regards, >> Joseph >> >> Posted at Nginx Forum: >> https://forum.nginx.org/read.php?2,278940,278940#msg-278940 >> >> ___ >> nginx mailing list >> nginx@nginx.org >> http://mailman.nginx.org/mailman/listinfo/nginx > ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
Re: Routing based on ALPN
On Sun, Feb 25, 2018 at 08:16:18PM +0100, Wiktor Kwapisiewicz via nginx wrote: > >> Is there a way to access and save ALPN value to a variable? > > > > It should possible to parse the incoming buffer with > > https://nginx.org/r/js_filter and create a variable to make a routing > > decision on. > > > > Excellent idea for quickly solving this problem, thanks! > > Would a long term solution involve creating a new, additional variable > in the ssl_preread module (e.g. ssl_preread_alpn)? > below is the initial version of patch that creates the "$ssl_preread_alpn_protocols" variable; the content is a comma-separated list of protocols, sent by client in ALPN extension, if present. Any feedback is appretiated. # HG changeset patch # User Roman Arutyunyan# Date 1520346970 -10800 # Tue Mar 06 17:36:10 2018 +0300 # Node ID edea1fea2b3970889946d38a077c7f3ed98613f5 # Parent 265c29b0b8b8c54b1c623268481ed85324ce3c79 Stream ssl_preread: $ssl_preread_alpn_protocols variable. The variable keeps a comma-separated list of ALPN protocol names sent by client. diff --git a/src/stream/ngx_stream_ssl_preread_module.c b/src/stream/ngx_stream_ssl_preread_module.c --- a/src/stream/ngx_stream_ssl_preread_module.c +++ b/src/stream/ngx_stream_ssl_preread_module.c @@ -17,10 +17,12 @@ typedef struct { typedef struct { size_t left; size_t size; +size_t ext; u_char *pos; u_char *dst; u_char buf[4]; ngx_str_t host; +ngx_str_t alpn; ngx_log_t *log; ngx_pool_t *pool; ngx_uint_t state; @@ -32,6 +34,8 @@ static ngx_int_t ngx_stream_ssl_preread_ ngx_stream_ssl_preread_ctx_t *ctx, u_char *pos, u_char *last); static ngx_int_t ngx_stream_ssl_preread_server_name_variable( ngx_stream_session_t *s, ngx_stream_variable_value_t *v, uintptr_t data); +static ngx_int_t ngx_stream_ssl_preread_alpn_protocols_variable( +ngx_stream_session_t *s, ngx_stream_variable_value_t *v, uintptr_t data); static ngx_int_t ngx_stream_ssl_preread_add_variables(ngx_conf_t *cf); static void *ngx_stream_ssl_preread_create_srv_conf(ngx_conf_t *cf); static char *ngx_stream_ssl_preread_merge_srv_conf(ngx_conf_t *cf, void *parent, @@ -85,6 +89,9 @@ static ngx_stream_variable_t ngx_stream { ngx_string("ssl_preread_server_name"), NULL, ngx_stream_ssl_preread_server_name_variable, 0, 0, 0 }, +{ ngx_string("ssl_preread_alpn_protocols"), NULL, + ngx_stream_ssl_preread_alpn_protocols_variable, 0, 0, 0 }, + ngx_stream_null_variable }; @@ -175,7 +182,7 @@ static ngx_int_t ngx_stream_ssl_preread_parse_record(ngx_stream_ssl_preread_ctx_t *ctx, u_char *pos, u_char *last) { -size_t left, n, size; +size_t left, n, size, ext; u_char *dst, *p; enum { @@ -192,7 +199,10 @@ ngx_stream_ssl_preread_parse_record(ngx_ sw_ext_header, /* extension_type, extension_data length */ sw_sni_len, /* SNI length */ sw_sni_host_head, /* SNI name_type, host_name length */ -sw_sni_host /* SNI host_name */ +sw_sni_host,/* SNI host_name */ +sw_alpn_len,/* ALPN length */ +sw_alpn_proto_len, /* ALPN protocol_name length */ +sw_alpn_proto_data /* ALPN protocol_name */ } state; ngx_log_debug2(NGX_LOG_DEBUG_STREAM, ctx->log, 0, @@ -201,6 +211,7 @@ ngx_stream_ssl_preread_parse_record(ngx_ state = ctx->state; size = ctx->size; left = ctx->left; +ext = ctx->ext; dst = ctx->dst; p = ctx->buf; @@ -299,10 +310,18 @@ ngx_stream_ssl_preread_parse_record(ngx_ break; case sw_ext_header: -if (p[0] == 0 && p[1] == 0) { +if (p[0] == 0 && p[1] == 0 && ctx->host.data == NULL) { /* SNI extension */ state = sw_sni_len; -dst = NULL; +dst = p; +size = 2; +break; +} + +if (p[0] == 0 && p[1] == 16 && ctx->alpn.data == NULL) { +/* ALPN extension */ +state = sw_alpn_len; +dst = p; size = 2; break; } @@ -313,6 +332,7 @@ ngx_stream_ssl_preread_parse_record(ngx_ break; case sw_sni_len: +ext = (p[0] << 8) + p[1]; state = sw_sni_host_head; dst = p; size = 3; @@ -328,6 +348,13 @@ ngx_stream_ssl_preread_parse_record(ngx_ state = sw_sni_host; size = (p[1] << 8) + p[2]; +if (ext < 3 + size) { +ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0, + "ssl preread: SNI format error"); +return NGX_DECLINED; +} +ext -= 3 + size; + ctx->host.data = ngx_pnalloc(ctx->pool, size); if
Re: thread_pool in Windows
On Monday 05 March 2018 19:46:42 Sergey Sandler wrote: > Hi Maxim, > > Thank you for prompt reply. > > I suspect there would be no delays/timeouts if there was a single thread in > nginx that communicates with the upstream server. > There is no simple way to restrict nginx threads number to one in Windows? > [..] nginx currently cannot use more than one thread in Windows for all operations. Support for thread pool means adding support for more threads. Moreover, thread pools in nginx are used only for reading and writing files. They are never used for connections. wbr, Valentin V. Bartenev ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
Check the size of one of the request header in nginx conf
Dear Team, I would like to know is it possible to check the size of one of header values in nginx conf file . I need to reset the header value if the size of this header value exceed 64 character. Could you please provide can I able to do this condition check in ngnix conf file? Kind regards, Joseph Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278940,278940#msg-278940 ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
Re: Stream module logging questions
W dniu 06.03.2018 o 09:24, Maxim Konovalov pisze: > Hi Grzegorz, > > [..] 3. I think that $tcpinfo_* aren't supported in stream. Is there any reason for this? >>> >>> There's a number of http module features still missing in >>> stream. This is one of them. >> >> I can offer virtual (and real if in Poland) beer for adding this. >> :) >> > Just wonder, how do you use this info in http? Is it useful for you? Hello, We are using it mainly as an aid in debugging since we have sometimes clients with *very* poor internet connection (for example from Africa). Also we are considering to use it to detect extremely badly GeoDNS routed clients and maybe as a test platform for clients to aid our further GeoDNS decissions. I think this feature is not a silver bullet that solves all the problems but it can be usefull in some cases and should be easy to add to stream in nginx and to any other program. -- Grzegorz Kulewski ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
Re: Stream module logging questions
Hi Grzegorz, [..] >>> 3. I think that $tcpinfo_* aren't supported in stream. Is >>> there any reason for this? >> >> There's a number of http module features still missing in >> stream. This is one of them. > > I can offer virtual (and real if in Poland) beer for adding this. > :) > Just wonder, how do you use this info in http? Is it useful for you? -- Maxim Konovalov ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
Re: Stream module logging questions
Hello, Thank you for your answer. W dniu 01.03.2018 o 12:52, Roman Arutyunyan pisze: > Hello, > > On Thu, Mar 01, 2018 at 04:06:09AM +0100, Grzegorz Kulewski wrote: >> Hello, >> >> 1. How can I log the IP and (especially) the port used by nginx (proxy) to >> connect to upstream when stream module is used? >> 2. Can I somehow get a log entry also/instead at stream connection setup >> time, not only after it ends? > > Stream module logs this in error.log with 'info' log level as soon as this > information is available: > > 2018/03/01 14:37:27 [info] 38462#0: *1 client 127.0.0.1:61020 connected to > 0.0.0.0:9000 > 2018/03/01 14:37:27 [info] 38462#0: *1 proxy 127.0.0.1:61021 connected to > 127.0.0.1:8001 Yes, I know about it. It would be really useful to have it in access log (== in some variable) too. Do you think you could add that? Also it would be really usefull to have access_log_connect and access_log_upstream_connect directives in addition to access_log that enable logging things on connect and upstream connect, not only on disconnect. >> 3. I think that $tcpinfo_* aren't supported in stream. Is there any reason >> for this? > > There's a number of http module features still missing in stream. > This is one of them. I can offer virtual (and real if in Poland) beer for adding this. :) -- Grzegorz Kulewski ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx