Re: Block countries - Nginx

2018-05-21 Thread Sathish Kumar
Hi All,

Is there a way I can block the clients which are coming through the load
balancer using the nginx http geoip module?


Currently, I can block the clients which are not coming through the load
balancer or API gateway using the geoip module.

On Mon, May 21, 2018, 2:02 PM basti wrote:

> hello,
> the way to block IPs can also be used for PTR records, I think.
> Also as a wildcard.
>
> On 21.05.2018 05:49, Sathish Kumar wrote:
> > Hi All,
> >
> > I have a requirement to block certain countries coming to our website.
> > I managed to achieve it using the ngx_http_geoip_module. I have a
> > problem now: if the request comes through Amazon API Gateway, how can I
> > read the X-Forwarded-For header or block these requests too?
> >
> > nginx.conf
> > map $geoip_country_code $allow_country {
> >     default yes;
> >     SG no;
> > }
> >
> > geoip_country /etc/nginx/GeoIP.dat; # the country IP database
> > geoip_city /etc/nginx/GeoLiteCity.dat; # the city IP database
> >
> > domain.conf
> > if ($allow_country = no) {
> >     return 444;
> > }
> >
> > Thanks & Regards
> > Sathish.V
> >
> >
> >
___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Error when sending mail from PHP

2018-05-21 Thread VovansystemS
Good evening,

> Since the site runs in a chroot, its sendmail is located here:
> /home/rima/www/usr/sbin/
> Even directly from the console, ./sendmail can send a test message without
> any problem, but it fails from the PHP script itself. Full permissions (777)
> have been set on the whole site directory, its subdirectories and files.

And how do you test it?
chroot /home/rima/www/
and then
sendmail
?

It seems to me that your sendmail is not statically linked and is missing
something; check with
ldd sendmail

Also, for any crypto (sending over TLS), /dev/random, /dev/urandom and the
other devices must exist inside the chroot, but such errors can be caught
interactively in the console.
___
nginx-ru mailing list
nginx-ru@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-ru

Re: Nginx Rate limiting for HTTPS requests

2018-05-21 Thread Maxim Dounin
Hello!

On Mon, May 21, 2018 at 09:55:20AM -0400, rickGsp wrote:

> >>I'm pretty sure the problem is with your tests, not with nginx 
> >>request rate limiting. Unfortunately, it is not possible to 
> >>reproduce your tests and check what's going wrong as you are using 
> >>proprietary software for tests.
> 
> >>As suggested previously, it might be a good idea to verify numbers 
> >>using nginx access logs. Seeing numbers of requests per second 
> >>should be as trivial as 
> 
> >>grep ' 200 ' /path/to/log | awk '{print $4}' | uniq -c
> 
> >>assuming default log format and only test requests in the log.
> 
> Hi Maxim,
> 
> Here is a piece of output for the following command, as our success
> return value is 202.
> grep ' 202 ' /path/to/log | awk '{print $4}' | uniq -c
> 
> 232 [17/May/2018:03:46:03
> 171 [17/May/2018:03:46:04
> 101 [17/May/2018:03:46:05
> 124 [17/May/2018:03:46:06
> 169 [17/May/2018:03:46:07
> 105 [17/May/2018:03:46:08
>   5 [17/May/2018:03:46:09
>   1 [17/May/2018:03:46:08
> 218 [17/May/2018:03:46:09
> 104 [17/May/2018:03:46:10
> 269 [17/May/2018:03:46:11
> 130 [17/May/2018:03:46:12
>  97 [17/May/2018:03:46:13
>  96 [17/May/2018:03:46:14
> 124 [17/May/2018:03:46:15
> 248 [17/May/2018:03:46:16
> 237 [17/May/2018:03:46:17
> 126 [17/May/2018:03:46:18

This certainly does not look right.  Either there are some 
unrelated requests in the log, or requests are not limited as it 
can be expected from your configuration.  Some additional things 
to check:

- Make sure the $host variable you use for the limiting is not 
  empty and not changed between requests created by your testing 
  tool.  Try logging the variable to see if it changes or not.  
  Alternatively, replace it with a static string to see if it helps.

- Make sure there are no unrelated requests in the log.  In 
  particular, you may want to use different logs in the server{} 
  block you are limiting and in the http{} block.

- Try another tool to see if you are able to reproduce the same 
  effect.  Something simple like "ab" or "http_load" might be a 
  good choice.

-- 
Maxim Dounin
http://mdounin.ru/
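As an added example (not from the thread), the per-second count Maxim describes, done by parsing the lines rather than piping through `uniq -c`, which splits a second into several counts when timestamps arrive out of order as they do in the output quoted above. It also lists the distinct values of the logged limit key to cover his first check. The log lines are constructed, and the trailing ` host=$host` field appended to the combined log format is an assumption about how the key was logged.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not from the thread): the default
# "combined" format with an extra ' host=$host' field appended, one way to
# log the limit key as Maxim suggests. Timestamps are deliberately out of
# order (:03, :03, :04, :03), as in the output quoted in the thread, which
# is exactly the case where `uniq -c` without a preceding `sort` splits one
# second into several counts.
SAMPLE_LOG = """\
10.0.0.1 - - [17/May/2018:03:46:03 +0000] "POST /api HTTP/1.1" 202 12 "-" "loadgen" host=api.example.test
10.0.0.1 - - [17/May/2018:03:46:03 +0000] "POST /api HTTP/1.1" 202 12 "-" "loadgen" host=api.example.test
10.0.0.2 - - [17/May/2018:03:46:04 +0000] "POST /api HTTP/1.1" 202 12 "-" "loadgen" host=api.example.test
10.0.0.1 - - [17/May/2018:03:46:03 +0000] "POST /api HTTP/1.1" 202 12 "-" "loadgen" host=
10.0.0.3 - - [17/May/2018:03:46:04 +0000] "GET /health HTTP/1.1" 200 2 "-" "probe" host=api.example.test
10.0.0.1 - - [17/May/2018:03:46:04 +0000] "POST /api HTTP/1.1" 503 197 "-" "loadgen" host=api.example.test
"""

LINE_RE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"(?: host=(?P<host>\S*))?'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["second"] = rec["ts"].split(" ")[0]  # drop the "+0000" zone suffix
    return rec


def per_second(log_text, status="202"):
    """Count requests with the given status per second. Unlike `uniq -c`,
    a Counter merges lines from the same second wherever they appear, so
    out-of-order timestamps do not split a bucket."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == status:
            counts[rec["second"]] += 1
    return dict(sorted(counts.items()))  # lexical order is fine within a day


def limit_keys(log_text, status="202"):
    """Distinct values of the logged limit key ($host) among counted requests.
    Maxim's first check: an empty key, or one that varies between the test
    tool's requests, means they are not limited as a single bucket."""
    recs = (parse_line(line) for line in log_text.splitlines())
    return Counter(r["host"] for r in recs if r and r["status"] == status)


def over_limit(counts, rate):
    """Seconds whose count exceeds the configured rate (no burst assumed)."""
    return {sec: n for sec, n in counts.items() if n > rate}
```

Filtering on the status code of the test requests and on a dedicated log for the limited server{} block keeps health checks and other unrelated traffic out of the count, which is Maxim's second point.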


Re: Error when sending mail from PHP

2018-05-21 Thread akadjy
> Are the path to its sendmail and the necessary parameters set in the site's php.ini?
That is only relevant on Windows.

On 21 May 2018 at 16:43, the user wrote:
> Are the path to its sendmail and the necessary parameters set in the site's php.ini?
>
> 21.05.2018, 16:21, "warma2d" :
>> If it has nothing to do with Nginx, then what could the problem presumably
>> be, which direction should I dig in?
>>
>> Posted at Nginx Forum: 
>> https://forum.nginx.org/read.php?21,279882,279884#msg-279884
>>

Re: Reverse proxy for multiple domains

2018-05-21 Thread Mik J via nginx
Hello,

Sorry if I'm asking a question on the same topic again.

I would like to know what the best practice is to set up a web proxy.

I do it like this:
- 1 virtual host per application on the reverse proxy, and the proxy_pass points 
to one IP+path
- 1 virtual host (default) for all applications on the backend server, but one 
location stanza per application

The problem is that I run into many problems when installing applications: 
Magento, GLPI, etc.

Is this the correct way to do it?


On this reverse proxy I have a virtual host which looks like this:
server {
    listen 80;
    server_name application1.org;
    access_log /var/log/nginx/application1.org.access.log;
    error_log /var/log/nginx/application1.org.error.log;
    ...
    location ^~ / {
        proxy_pass        http://10.1.1.10:80/app/application1/;
        proxy_redirect    off;
        proxy_set_header  Host              $http_host;
        proxy_set_header  X-Real-IP         $remote_addr;
        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto $scheme;
    }
}



On the web server behind the proxy I just have one virtual host, which is the 
default one:
server {
    listen 80 default_server;
    server_name _;
    index index.html index.htm index.php;
    root /var/www/htdocs;
    location ^~ /app/application1 {
        root /var/www;
        index index.php;
        location ~ \.php$ {
            root          /var/www;
            try_files $uri =404;
            fastcgi_pass  unix:/run/php-fpm.application1.sock;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }
    }
}

On Wednesday, 30 August 2017 at 19:57:40 UTC+2, Francis Daly wrote:

On Sun, Aug 27, 2017 at 11:27:05AM +, Mik J via nginx wrote:

Hi there,

> > That's because the pages are called by the reverse proxy server
> > like http://10.1.1.10:80/app/application1/; and it can't use a FQDN
> > because it's in private addressing
> Francis: I don't follow that last part. => I mean that the reverse proxy uses 
> an IP to connect to the backend web server. If it used an FQDN, it would have to 
> resolve it through a DNS request.

The backend web server can care about the IP:port you connect to, and
the Host: header you send.

You can connect to 10.1.1.10:80 and send a Host: header of "app1" if
you want to. No dns resolution involved.

Anyway, it sounds like you have this part working now; so that's good.


> I still have problems; the site doesn't display properly because it can't load 
> a javascript

> The request for the javascript looks like 
> that: http://application1.org/?wooslider-javascript=load=1503832510=1.0.0 
> HTTP/1.1 It arrives on the backend server; I see it in the logs (file specified 
> in the location stanza)
> 10.1.1.10 forwarded for IP_CLIENT - - [27/Aug/2017:13:15:12 +0200] "GET 
> /app1/?wooslider-javascript=load=1503832510=1.0.0 HTTP/1.1" 404 5 
> "http://application1.org/; "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) 
> Gecko/20100101 Firefox/54.0"

A request for /?some-thing came to nginx; nginx reverse-proxied the request
as /app1/?same-thing. That is all you want nginx to do, so it is working.

If your back-end wordpress handles that request incorrectly, that is a
question for your back-end wordpress configuration.

People on this list who know about wordpress configuration are more
likely to see the question if it is in a new thread with words like
"wordpress" in the Subject: line.

(If the actual question is "why does my browser request /?some-thing
instead of /thing.js ?", that might also be related to the back-end
config.)

> Another question, if I want to set expires header, would it be better to do 
> it on the reverse proxy or on the backend server ?

Again, I'd suggest that people who know about "wordpress" and "expires"
are much more likely to see that question if it is in a thread with an
obvious Subject: line.

Good luck with it!

    f
-- 
Francis Daly        fran...@daoine.org

Re: Nginx Rate limiting for HTTPS requests

2018-05-21 Thread rickGsp
>>I'm pretty sure the problem is with your tests, not with nginx 
>>request rate limiting. Unfortunately, it is not possible to 
>>reproduce your tests and check what's going wrong as you are using 
>>proprietary software for tests.

>>As suggested previously, it might be a good idea to verify numbers 
>>using nginx access logs. Seeing numbers of requests per second 
>>should be as trivial as 

>>grep ' 200 ' /path/to/log | awk '{print $4}' | uniq -c

>>assuming default log format and only test requests in the log.

Hi Maxim,

Here is a piece of output for the following command, as our success
return value is 202.
grep ' 202 ' /path/to/log | awk '{print $4}' | uniq -c

232 [17/May/2018:03:46:03
171 [17/May/2018:03:46:04
101 [17/May/2018:03:46:05
124 [17/May/2018:03:46:06
169 [17/May/2018:03:46:07
105 [17/May/2018:03:46:08
  5 [17/May/2018:03:46:09
  1 [17/May/2018:03:46:08
218 [17/May/2018:03:46:09
104 [17/May/2018:03:46:10
269 [17/May/2018:03:46:11
130 [17/May/2018:03:46:12
 97 [17/May/2018:03:46:13
 96 [17/May/2018:03:46:14
124 [17/May/2018:03:46:15
248 [17/May/2018:03:46:16
237 [17/May/2018:03:46:17
126 [17/May/2018:03:46:18

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,279802,279887#msg-279887



Re: Error when sending mail from PHP

2018-05-21 Thread kvt
Are the path to its sendmail and the necessary parameters set in the site's php.ini?

21.05.2018, 16:21, "warma2d" :
> If it has nothing to do with Nginx, then what could the problem presumably
> be, which direction should I dig in?
>
> Posted at Nginx Forum: 
> https://forum.nginx.org/read.php?21,279882,279884#msg-279884
>

Re: unix sockets are not reused when restarting nginx

2018-05-21 Thread Maxim Dounin
Hello!

On Sun, May 20, 2018 at 01:20:07PM +0300, Volodymyr Kostyrko wrote:

> Hello.
> 
> I'm using nginx 1.14.0 on FreeBSD 11-STABLE. I'm trying to get caching 
> for internally generated content so I'm proxying nginx to nginx:
> 
> server {
>  listen unix:/home/someuser/.media.nginx.sock;
> 
>  …
> }
> 
> This works perfectly when starting nginx initially. However, when 
> restarting I sometimes get an error reopening the sockets to serve them:
> 
> nginx.error.log:2018/05/14 02:05:30 [emerg] 3583#0: bind() to 
> unix:/home/someuser/.site.nginx.sock failed (48: Address already in use)
> nginx.error.log:2018/05/14 02:05:30 [emerg] 3583#0: bind() to 
> unix:/home/someuser/.site.nginx.sock failed (48: Address already in use)
> nginx.error.log:2018/05/14 02:05:30 [emerg] 3583#0: bind() to 
> unix:/home/someuser/.site.nginx.sock failed (48: Address already in use)
> nginx.error.log:2018/05/14 02:05:30 [emerg] 3583#0: bind() to 
> unix:/home/someuser/.site.nginx.sock failed (48: Address already in use)
> nginx.error.log:2018/05/14 02:05:30 [emerg] 3583#0: bind() to 
> unix:/home/someuser/.site.nginx.sock failed (48: Address already in use)
> 
> This can happen even on boot. Removing sockets allows nginx to start.

Check how you stop nginx.

nginx removes unix sockets when it is stopped using the TERM and 
INT signals (fast shutdown), but not when it is stopped gracefully 
using the QUIT signal (graceful shutdown, see 
http://nginx.org/en/docs/control.html).  This is because graceful 
shutdown is normally used during binary upgrade, and open 
listening sockets are passed to the new master process, so 
removing them will break things.  If you are using graceful 
shutdown for other purposes than during binary upgrade for some 
reason, you have to remove listening unix sockets yourself.

> I also got this error:
> 
> error.log:2018/05/07 16:07:49 [notice] 89443#0: getsockopt(TCP_FASTOPEN) 
> unix:/home/someuser/.site.nginx.sock failed, ignored (22: Invalid argument)

This is safe to ignore.  The following patch will hide this 
notice:

diff --git a/src/core/ngx_connection.c b/src/core/ngx_connection.c
--- a/src/core/ngx_connection.c
+++ b/src/core/ngx_connection.c
@@ -305,7 +305,9 @@ ngx_set_inherited_sockets(ngx_cycle_t *c
 {
 err = ngx_socket_errno;
 
-if (err != NGX_EOPNOTSUPP && err != NGX_ENOPROTOOPT) {
+if (err != NGX_EOPNOTSUPP && err != NGX_ENOPROTOOPT
+&& err != EINVAL)
+{
 ngx_log_error(NGX_LOG_NOTICE, cycle->log, err,
   "getsockopt(TCP_FASTOPEN) %V failed, ignored",
   [i].addr_text);
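Review bot: the added term compares `err` against the bare `EINVAL`, while the two existing terms on the same condition use the NGX_-prefixed errno constants (`NGX_EOPNOTSUPP`, `NGX_ENOPROTOOPT`); `NGX_EINVAL` from ngx_errno.h would keep the condition consistent with the rest of the file. Also, the last context line of the hunk as it appears in this mail, `[i].addr_text);`, is missing the array name in front of `[i]`, so it looks truncated in transit; anyone applying the patch should take it from a clean copy rather than from this message.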


-- 
Maxim Dounin
http://mdounin.ru/

Re: Error when sending mail from PHP

2018-05-21 Thread warma2d
If it has nothing to do with Nginx, then what could the problem presumably
be, which direction should I dig in?

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?21,279882,279884#msg-279884


Re: Error when sending mail from PHP

2018-05-21 Thread Iurii Medvedev
This has nothing to do with nginx.

On Mon, May 21, 2018 at 5:12 PM warma2d wrote:

> Good afternoon!
>
> The problem is that when trying to send mail from the single PHP script
> index.php (which is located in /home/rima/www/public), the message is not
> sent even with the standard mail() function; var_dump returns false.
>
> Sendmail, Nginx and PHP as FPM are installed. A separate pool with chroot
> has been created for the site.
> (Receiving mail is not required, the main thing is sending.)
>
> Since the site runs in a chroot, its sendmail is located here:
> /home/rima/www/usr/sbin/
> Even directly from the console, ./sendmail can send a test message without
> any problem, but it fails from the PHP script itself. Full permissions (777)
> have been set on the whole site directory, its subdirectories and files.
>
> mail.log shows:
> [21-May-2018 07:31:33 America/New_York] mail() on [/public/index.php:7]:
> To:
> warm...@ya.ru -- Headers:
>
> Apart from this log, there are no other logs to look at regarding mail.
>
> Could you please advise me anything on this question?
>
> Thanks in advance!
>
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?21,279882,279882#msg-279882
>

-- 
With best wishes
Iurii Medvedev

Re: Nginx Rate limiting for HTTPS requests

2018-05-21 Thread Maxim Dounin
Hello!

On Sun, May 20, 2018 at 04:24:21AM -0400, rickGsp wrote:

> >>As I tried to explain in my previous message, "test runs for 60 
> >>seconds" can have two different meanings: 1) the load is generated 
> >>for 60 seconds and 2) from first request started to the last 
> >>request finished it takes 60 seconds.
> 
> >>Make sure you are using the correct meaning. Also, it might 
> >>be a good idea to look into nginx access logs to verify both time 
> >>and numbers reported by your tool.
> 
> Yes Maxim, I had understood your point. My test actually ran for 60 to 65
> seconds, which means it took 5 additional seconds to process the requests.
> Even the access logs say the same. Also, on a more powerful machine, I get the
> expected result for the same test, i.e. 500 req/sec load, but start seeing a
> difference at relatively higher load. It seems to me that the results also
> depend on the resources available on the machine running Nginx.
> Surprisingly, CPU was not hitting the peak on either machine. I am using
> CentOS systems for these tests.
> 
> Actually in another test with plain HTTP requests, I observed the same issue
> of more requests than expected getting processed. However, for HTTP case,
> this behaviour appeared at 700 req/sec input load instead of 500 req/sec as
> in HTTPS. In this test requests got processed within 60 secs.
> 
> With all the test results, I am being forced to think that Nginx rate
> limiting may not be able to stop DDoS attack with very high input load but
> is decent enough to handle sudden spikes and load which is slightly higher
> than configured rate limit, and computing power available also plays some
> role here. Do you think I am right?

I'm pretty sure the problem is with your tests, not with nginx 
request rate limiting.  Unfortunately, it is not possible to 
reproduce your tests and check what's going wrong as you are using 
proprietary software for tests.

As suggested previously, it might be a good idea to verify numbers 
using nginx access logs.  Seeing numbers of requests per second 
should be as trivial as 

grep ' 200 ' /path/to/log | awk '{print $4}' | uniq -c

assuming default log format and only test requests in the log.

-- 
Maxim Dounin
http://mdounin.ru/


Re: Block countries - Nginx

2018-05-21 Thread basti
hello,
the way to block IPs can also be used for PTR records, I think.
Also as a wildcard.

On 21.05.2018 05:49, Sathish Kumar wrote:
> Hi All,
> 
> I have a requirement to block certain countries coming to our website. 
> I managed to achieve it using the ngx_http_geoip_module. I have a
> problem now: if the request comes through Amazon API Gateway, how can I
> read the X-Forwarded-For header or block these requests too?
> 
> nginx.conf
> map $geoip_country_code $allow_country {
>     default yes;
>     SG no;
> }
> 
> geoip_country /etc/nginx/GeoIP.dat; # the country IP database
> geoip_city /etc/nginx/GeoLiteCity.dat; # the city IP database
> 
> domain.conf
> if ($allow_country = no) {
>     return 444;
> }
> 
> Thanks & Regards
> Sathish.V
> 
> 
> 