Re: Block countries - Nginx
Hi All,

Is there a way I can block the clients which are coming through the load balancer using the nginx http geo ip module? Currently, I can block the clients which are not coming through the load balancer or API gateway by the geo ip module.

On Mon, May 21, 2018, 2:02 PM basti wrote:

> hello,
> the way to block ip's can also be used for PTR records, I think.
> Also as wildcard.
>
> On 21.05.2018 05:49, Sathish Kumar wrote:
> > Hi All,
> >
> > I have a requirement to block certain countries coming to our website.
> > I managed to achieve it using the ngx_http_geoip_module. I have a
> > problem now, if the request comes through Amazon API Gateway, how can I
> > read the X-forwarded-for header or block these requests too.
> >
> > nginx.conf
> > map $geoip_country_code $allow_country {
> >     default yes;
> >     SG no;
> > }
> >
> > geoip_country /etc/nginx/GeoIP.dat; # the country IP database
> > geoip_city /etc/nginx/GeoLiteCity.dat; # the city IP database
> >
> > domain.conf
> > if ($allow_country = no) {
> >     return 444;
> > }
> >
> > Thanks & Regards
> > Sathish.V

___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Re: Error when sending mail from PHP
Good evening,

> Since the site runs in a chroot, its sendmail is located at
> /home/rima/www/usr/sbin/
> Even through it, directly from the console with ./sendmail, a test message
> can be sent without problems, but it does not work from the PHP script
> itself. The whole site directory, its subdirectories and files have been
> given full permissions (777).

How are you checking this? chroot /home/rima/www/ and then sendmail?

It seems to me that your sendmail is not statically linked and it is missing something; check with ldd sendmail

Also, for any crypto (sending over TLS), /dev/random, /dev/urandom and other devices must be present inside the chroot, but such errors can be caught interactively in the console.

___
nginx-ru mailing list
nginx-ru@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-ru
Re: Nginx Rate limiting for HTTPS requests
Hello!

On Mon, May 21, 2018 at 09:55:20AM -0400, rickGsp wrote:

> >>I'm pretty sure the problem is with your tests, not with nginx
> >>request rate limiting. Unfortunately, it is not possible to
> >>reproduce your tests and check what's going wrong as you are using
> >>proprietary software for tests.
>
> >>As suggested previously, it might be a good idea to verify numbers
> >>using nginx access logs. Seeing numbers of requests per seconds
> >>should be as trivial as
>
> >>grep ' 200 ' /path/to/log | awk '{print $4}' | uniq -c
>
> >>assuming default log format and only test requests in the log.
>
> Hi Maxim,
>
> Here is a piece of output for the following command as per our success
> return value as 202.
> grep ' 202 ' /path/to/log | awk '{print $4}' | uniq -c
>
> 232 [17/May/2018:03:46:03
> 171 [17/May/2018:03:46:04
> 101 [17/May/2018:03:46:05
> 124 [17/May/2018:03:46:06
> 169 [17/May/2018:03:46:07
> 105 [17/May/2018:03:46:08
> 5 [17/May/2018:03:46:09
> 1 [17/May/2018:03:46:08
> 218 [17/May/2018:03:46:09
> 104 [17/May/2018:03:46:10
> 269 [17/May/2018:03:46:11
> 130 [17/May/2018:03:46:12
> 97 [17/May/2018:03:46:13
> 96 [17/May/2018:03:46:14
> 124 [17/May/2018:03:46:15
> 248 [17/May/2018:03:46:16
> 237 [17/May/2018:03:46:17
> 126 [17/May/2018:03:46:18

This certainly does not look right. Either there are some unrelated requests in the log, or requests are not limited as it can be expected from your configuration.

Some additional things to check:

- Make sure the $host variable you use for the limiting is not empty and not changed between requests created by your testing tool. Try logging the variable to see if it changes or not. Alternatively, replace it with a static string to see if it helps.

- Make sure there are no unrelated requests in the log. In particular, you may want to use different logs in the server{} block you are limiting and in the http{} block.

- Try another tool to see if you are able to reproduce the same effect. Something simple like "ab" or "http_load" might be a good choice.

--
Maxim Dounin
http://mdounin.ru/
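Added example (not part of the message above and not nginx project code): the per-second check from this thread, written so that a second which shows up in two separate places in the log, as 03:46:08 and 03:46:09 do in the quoted output, is counted once, plus a check that the limiting key did not vary. It assumes the default combined log format; the trailing `$host` field read by `distinct_keys`, the function names and the sample lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: audit an nginx access log against a limit_req rate.
# Assumes the default "combined" format: $4 = "[dd/Mon/yyyy:HH:MM:SS", $9 = status.

# per_second_counts LOG STATUS -> "count timestamp" per second, sorted by timestamp text.
# The awk array merges every line for a second, even when they are not adjacent
# in the file (uniq -c would report such a second on two separate rows).
per_second_counts() {
    awk -v status="$2" '
        $9 == status { count[substr($4, 2)]++ }
        END { for (ts in count) print count[ts], ts }
    ' "$1" | sort -k2
}

# over_limit LOG STATUS LIMIT -> only the seconds that exceeded LIMIT requests.
over_limit() {
    per_second_counts "$1" "$2" | awk -v limit="$3" '$1 > limit'
}

# distinct_keys LOG STATUS -> number of distinct values in the last field.
# Assumption: "$host" (the limit_req_zone key) was appended to log_format, so
# more than one value here means the load was spread over several buckets.
distinct_keys() {
    awk -v status="$2" '
        $9 == status { seen[$NF] = 1 }
        END { n = 0; for (k in seen) n++; print n }
    ' "$1"
}

# Constructed sample input: 3 + 1 requests in second :08 (the last one written
# after the :09 lines), 2 in :09, two host values, and one unrelated 200.
sample_log() {
    for spec in "08 3 a.example.test" "09 2 a.example.test" "08 1 b.example.test"; do
        set -- $spec
        i=0
        while [ "$i" -lt "$2" ]; do
            printf '192.0.2.10 - - [17/May/2018:03:46:%s +0000] "POST /api HTTP/1.1" 202 0 "-" "loadtest" %s\n' "$1" "$3"
            i=$((i + 1))
        done
    done
    printf '192.0.2.11 - - [17/May/2018:03:46:09 +0000] "GET / HTTP/1.1" 200 612 "-" "probe" a.example.test\n'
}

log=$(mktemp)
sample_log > "$log"
per_second_counts "$log" 202   # 4 for :08, 2 for :09
over_limit "$log" 202 3        # only :08
distinct_keys "$log" 202       # 2
rm -f "$log"
```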
Re: Error when sending mail from PHP
> Are the path and the required parameters for its sendmail set in the site's php.ini?

That is relevant only for Windows.

On 21 May 2018 at 16:43, user wrote:

> Are the path and the required parameters for its sendmail set in the site's php.ini?
>
> 21.05.2018, 16:21, "warma2d":
>> If it is not related to Nginx in any way, then what could the problem
>> presumably be, in which direction should I dig?
>>
>> Posted at Nginx Forum:
>> https://forum.nginx.org/read.php?21,279882,279884#msg-279884
Re: Reverse proxy for multiple domains
Hello,

Sorry if I'm asking again a question on the same topic. I would like to know what is the best practice to set up a web proxy.

I do it like this:
- 1 virtual host per application on the reverse proxy, and the proxy_pass points to one IP+path
- 1 virtual host (default) for all applications on the backend server, but one location stanza per application

The problem is that I meet many problems with installation of applications: magento, glpi, etc.
Is it the correct way to do it?

On this reverse proxy I have a virtual host which looks like that

server {
    listen 80;
    server_name application1.org;
    access_log /var/log/nginx/application1.org.access.log;
    error_log /var/log/nginx/application1.org.error.log;
    ...
    location ^~ / {
        proxy_pass http://10.1.1.10:80/app/application1/;
        proxy_redirect off;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

On the web server behind the proxy I just have one virtual host which is the default one

server {
    listen 80 default_server;
    server_name _;
    index index.html index.htm index.php;
    root /var/www/htdocs;

    location ^~ /app/application1 {
        root /var/www;
        index index.php;

        location ~ \.php$ {
            root /var/www;
            try_files $uri =404;
            fastcgi_pass unix:/run/php-fpm.application1.sock;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }
}

On Wednesday, 30 August 2017 at 19:57:40 UTC+2, Francis Daly wrote:

On Sun, Aug 27, 2017 at 11:27:05AM +, Mik J via nginx wrote:

Hi there,

> > That's because the pages are called by the reverse proxy server
> > like http://10.1.1.10:80/app/application1/; and it can't use a FQDN
> > because it's in a private addressing
> Francis: I don't follow that last part.=> I mean that the reverse proxy uses
> an IP to connect to the backend web server. If it used a fqdn, it has to
> resolve it, through a dns request

The backend web server can care about the IP:port you connect to, and the Host: header you send. You can connect to 10.1.1.10:80 and send a Host: header of "app1" if you want to. No dns resolution involved.

Anyway, it sounds like you have this part working now; so that's good.

> I still have problems, the site doesn't display properly because it can't load
> a javascript
> The request for the javascript looks like
> that http://application1.org/?wooslider-javascript=load=1503832510=1.0.0
> HTTP/1.1 It arrives on the backend server I see it in the logs (file specified
> in the stanza location)
> 10.1.1.10 forwarded for IP_CLIENT - - [27/Aug/2017:13:15:12 +0200] "GET
> /app1/?wooslider-javascript=load=1503832510=1.0.0 HTTP/1.1" 404 5
> "http://application1.org/; "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0)
> Gecko/20100101 Firefox/54.0"

A request for /?some-thing came to nginx; nginx reverse-proxied the request as /app1/?same-thing. That is all you want nginx to do, so it is working.

If your back-end wordpress handles that request incorrectly, that is a question for your back-end wordpress configuration.

People on this list who know about wordpress configuration are more likely to see the question if it is in a new thread with words like "wordpress" in the Subject: line.

(If the actual question is "why does my browser request /?some-thing instead of /thing.js ?", that might also be related to the back-end config.)

> Another question, if I want to set expires header, would it be better to do
> it on the reverse proxy or on the backend server ?

Again, I'd suggest that people who know about "wordpress" and "expires" are much more likely to see that question if it is in a thread with an obvious Subject: line.

Good luck with it!

f
--
Francis Daly fran...@daoine.org
Re: Nginx Rate limiting for HTTPS requests
>>I'm pretty sure the problem is with your tests, not with nginx
>>request rate limiting. Unfortunately, it is not possible to
>>reproduce your tests and check what's going wrong as you are using
>>proprietary software for tests.

>>As suggested previously, it might be a good idea to verify numbers
>>using nginx access logs. Seeing numbers of requests per seconds
>>should be as trivial as

>>grep ' 200 ' /path/to/log | awk '{print $4}' | uniq -c

>>assuming default log format and only test requests in the log.

Hi Maxim,

Here is a piece of output for the following command as per our success return value as 202.

grep ' 202 ' /path/to/log | awk '{print $4}' | uniq -c

232 [17/May/2018:03:46:03
171 [17/May/2018:03:46:04
101 [17/May/2018:03:46:05
124 [17/May/2018:03:46:06
169 [17/May/2018:03:46:07
105 [17/May/2018:03:46:08
5 [17/May/2018:03:46:09
1 [17/May/2018:03:46:08
218 [17/May/2018:03:46:09
104 [17/May/2018:03:46:10
269 [17/May/2018:03:46:11
130 [17/May/2018:03:46:12
97 [17/May/2018:03:46:13
96 [17/May/2018:03:46:14
124 [17/May/2018:03:46:15
248 [17/May/2018:03:46:16
237 [17/May/2018:03:46:17
126 [17/May/2018:03:46:18

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,279802,279887#msg-279887
Re: Error when sending mail from PHP
Are the path and the required parameters for its sendmail set in the site's php.ini?

21.05.2018, 16:21, "warma2d":
> If it is not related to Nginx in any way, then what could the problem
> presumably be, in which direction should I dig?
>
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?21,279882,279884#msg-279884
Re: unix sockets are not reused when restarting nginx
Hello!

On Sun, May 20, 2018 at 01:20:07PM +0300, Volodymyr Kostyrko wrote:

> Hello.
>
> I'm using nginx 1.14.0 on FreeBSD 11-STABLE. I'm trying to get caching
> for internally generated content so I'm proxying nginx to nginx:
>
> server {
>     listen unix:/home/someuser/.media.nginx.sock;
>
>     …
> }
>
> This perfectly works when starting nginx initially. However when
> restarting I sometimes get error reopening sockets to serve them:
>
> nginx.error.log:2018/05/14 02:05:30 [emerg] 3583#0: bind() to
> unix:/home/someuser/.site.nginx.sock failed (48: Address already in use)
> nginx.error.log:2018/05/14 02:05:30 [emerg] 3583#0: bind() to
> unix:/home/someuser/.site.nginx.sock failed (48: Address already in use)
> nginx.error.log:2018/05/14 02:05:30 [emerg] 3583#0: bind() to
> unix:/home/someuser/.site.nginx.sock failed (48: Address already in use)
> nginx.error.log:2018/05/14 02:05:30 [emerg] 3583#0: bind() to
> unix:/home/someuser/.site.nginx.sock failed (48: Address already in use)
> nginx.error.log:2018/05/14 02:05:30 [emerg] 3583#0: bind() to
> unix:/home/someuser/.site.nginx.sock failed (48: Address already in use)
>
> This can happen even on boot. Removing sockets allows nginx to start.

Check how do you stop nginx. nginx removes unix sockets when it is stopped using the TERM and INT signals (fast shutdown), but not when it is stopped gracefully using the QUIT signal (graceful shutdown, see http://nginx.org/en/docs/control.html). This is because graceful shutdown is normally used during binary upgrade, and open listening sockets are passed to the new master process, so removing them will break things.

If you are using graceful shutdown for other purposes than during binary upgrade for some reason, you have to remove listening unix sockets yourself.

> I also got this error:
>
> error.log:2018/05/07 16:07:49 [notice] 89443#0: getsockopt(TCP_FASTOPEN)
> unix:/home/someuser/.site.nginx.sock failed, ignored (22: Invalid argument)

This is safe to ignore.
The following patch will hide this notice: diff --git a/src/core/ngx_connection.c b/src/core/ngx_connection.c --- a/src/core/ngx_connection.c +++ b/src/core/ngx_connection.c @@ -305,7 +305,9 @@ ngx_set_inherited_sockets(ngx_cycle_t *c { err = ngx_socket_errno; -if (err != NGX_EOPNOTSUPP && err != NGX_ENOPROTOOPT) { +if (err != NGX_EOPNOTSUPP && err != NGX_ENOPROTOOPT +&& err != EINVAL) +{ ngx_log_error(NGX_LOG_NOTICE, cycle->log, err, "getsockopt(TCP_FASTOPEN) %V failed, ignored", [i].addr_text); -- Maxim Dounin http://mdounin.ru/ ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
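Review bot: the added comparison `&& err != EINVAL` in ngx_set_inherited_sockets() uses the bare errno constant, while the two existing comparisons in the same condition use the NGX_-prefixed names (NGX_EOPNOTSUPP, NGX_ENOPROTOOPT); use NGX_EINVAL here so the condition stays consistent. The condition is evaluated for every inherited listening socket, so with this change an EINVAL from getsockopt(TCP_FASTOPEN) on a TCP listener is silenced as well as the unix-socket case from the quoted notice; a one-line comment above the condition stating that EINVAL is expected for unix-domain sockets would record why it is ignored, and restricting the extra test to unix sockets would keep the notice for other listeners.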
Re: Error when sending mail from PHP
If it is not related to Nginx in any way, then what could the problem presumably be, in which direction should I dig?

Posted at Nginx Forum: https://forum.nginx.org/read.php?21,279882,279884#msg-279884
Re: Error when sending mail from PHP
This has nothing to do with nginx.

On Mon, May 21, 2018 at 5:12 PM warma2d wrote:

> Good day!
>
> The problem is that when trying to send a message from the only PHP
> script, index.php (which is located in /home/rima/www/public), the message
> is not sent even with the standard mail() function; var_dump returns false.
>
> Sendmail, Nginx and PHP as fpm are installed. A separate pool with chroot
> has been created for the site.
> (Receiving mail is not required, the main thing is sending.)
>
> Since the site runs in a chroot, its sendmail is located at
> /home/rima/www/usr/sbin/
> Even through it, directly from the console with ./sendmail, a test message
> can be sent without problems, but it does not work from the PHP script
> itself. The whole site directory, its subdirectories and files have been
> given full permissions (777).
>
> mail.log shows:
> [21-May-2018 07:31:33 America/New_York] mail() on [/public/index.php:7]:
> To:
> warm...@ya.ru -- Headers:
>
> Regarding mail, apart from this log, no other logs can be seen anywhere.
>
> Could you please suggest something on this issue?
>
> Thanks in advance!
>
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?21,279882,279882#msg-279882

--
With best wishes
Iurii Medvedev
Re: Nginx Rate limiting for HTTPS requests
Hello!

On Sun, May 20, 2018 at 04:24:21AM -0400, rickGsp wrote:

> >>As I tried to explain in my previous message, "test runs for 60
> >>seconds" can have two different meanings: 1) the load is generated
> >>for 60 seconds and 2) from first request started to the last
> >>request finished it takes 60 seconds.
>
> >>Make sure you are using the correct meaning. Also, it might
> >>be a good idea to look into nginx access logs to verify both time
> >>and numbers reported by your tool.
>
> Yes Maxim, I had understood your point. My test actually ran for 60 to 65
> seconds which means it took 5 additional seconds to process the requests.
> Even access logs says the same. Also, on more powerful machine, I get
> expected result for the same test i.e 500 req/sec load but start seeing
> difference at relatively higher load. It seems to me that a results also
> depends on the resources available on the machine running Nginx.
> Surprisingly, CPU was not hitting the peak on both the machines. I am using
> CentOS systems for this testings.
>
> Actually in another test with plain HTTP requests, I observed the same issue
> of more requests than expected getting processed. However, for HTTP case,
> this behaviour appeared at 700 req/sec input load instead of 500 req/sec as
> in HTTPS. In this test requests got processed within 60 secs.
>
> With all the test results, I am being forced to think that Nginx rate
> limiting may not be able to stop DDoS attack with very high input load but
> is decent enough to handle sudden spikes and load which is slightly higher
> than configured rate limit, and computing power available also plays some
> role here. Do you think I am right?

I'm pretty sure the problem is with your tests, not with nginx request rate limiting. Unfortunately, it is not possible to reproduce your tests and check what's going wrong as you are using proprietary software for tests.

As suggested previously, it might be a good idea to verify numbers using nginx access logs. Seeing numbers of requests per seconds should be as trivial as

grep ' 200 ' /path/to/log | awk '{print $4}' | uniq -c

assuming default log format and only test requests in the log.

--
Maxim Dounin
http://mdounin.ru/
Re: Block countries - Nginx
hello,
the way to block ip's can also be used for PTR records, I think.
Also as wildcard.

On 21.05.2018 05:49, Sathish Kumar wrote:
> Hi All,
>
> I have a requirement to block certain countries coming to our website.
> I managed to achieve it using the ngx_http_geoip_module. I have a
> problem now, if the request comes through Amazon API Gateway, how can I
> read the X-forwarded-for header or block these requests too.
>
> nginx.conf
> map $geoip_country_code $allow_country {
>     default yes;
>     SG no;
> }
>
> geoip_country /etc/nginx/GeoIP.dat; # the country IP database
> geoip_city /etc/nginx/GeoLiteCity.dat; # the city IP database
>
> domain.conf
> if ($allow_country = no) {
>     return 444;
> }
>
> Thanks & Regards
> Sathish.V