Re: GeoIP2 Maxmind Module Support for Nginx

2018-09-21 Thread rainer
On 2018-09-21 17:00, Frank Liu wrote: nginx doesn't officially support geoip2. You have to use third party modules like https://github.com/leev/ngx_http_geoip2_module NGINX Plus does, though: https://www.nginx.com/products/nginx/modules/geoip2/ "Support details: Supported by NGINX, Inc. fo

Re: Securing the HTTPS private key

2018-11-16 Thread rainer
On 2018-11-16 07:02, Roger Fischer wrote: Hi Alex, our device is unattended, not always on, and in some cases in only semi-secured locations. Besides preventing root access, we also need to protect against the hacking of a stolen device (or disk). Human interaction is not practical (other tha

Re: I'm about to embark on creating 12000 vhosts

2019-02-12 Thread rainer
On 2019-02-12 09:44, Richard Paul wrote: Hi Robert, I've not looked in a while but I think that there were some large assumptions in openresty that you are running on Linux. I'll have a look again but it might not quite be a good fit for us. Another problem with SAN certificates is that i

Multiple server_name directives?

2019-07-25 Thread rainer
Hi, I found that using multiple server_name bla; server_name blu; directives seems to actually work. At least in 1.12. Can someone from @nginx comment on whether using that is a good idea? Or is that deprecated already? The documentation doesn't mention it. Best Regards R

Re: Multiple server_name directives?

2019-07-25 Thread rainer
On 2019-07-25 12:09, basti wrote: You can also use multiple names in one line. http://nginx.org/en/docs/http/server_names.html Yes, that is also what I would consider the default. I just came across the other format and I was honestly surprised it actually worked.

What about BREACH (CVE-2013-3587)?

2020-02-04 Thread rainer
Hi, testssl.ch still laments about BREACH, when tested against a recent nginx 1.16. Qualys ssllabs doesn't mention it at all. Is it fixed? Can you safely enable gzip on ssl-vhosts? Best Regards Rainer

Re: No HTTPS on nginx.org by default

2016-08-22 Thread rainer
On 2016-08-22 17:44, Maxim Konovalov wrote: On 8/22/16 6:40 PM, Richard Stanway wrote: 1. You could provide insecure.nginx.org mirror for such people, make nginx.org secure by default. No, thanks. It is secure by default and HTTPS by default do

proxy_pass generates double slash

2016-09-29 Thread rainer
Hi, I need to proxy a location and remove the location-URL at the same time. As I found out, this is achieved by adding a slash at the end of the proxy_pass directive. This works almost as intended, but it adds a double-slash to the beginning of the URL as it arrives on the other server.

ocsp-stapling through http proxy?

2016-10-13 Thread rainer
ound DNS... It would be cool if nginx would be able to do the stapling through a http-proxy. Rainer ___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx

Re: ocsp-stapling through http proxy?

2016-10-13 Thread rainer
On 2016-10-13 13:16, Reinis Rozitis wrote: It would be cool if nginx would be able to do the stapling through a http-proxy. Technically you could just "override" (via /etc/hosts or if you have your own dns service) your ssl's provider ocsp ip to your own proxy which will forward then the re

Re: ocsp-stapling through http proxy?

2016-10-13 Thread rainer
use: NAT) than the IP the server is running on. Then I do create 127.0.0.1 entries in the hosts-file. Thanks for your input. Rainer

Re: Using nginx as proxy

2017-03-17 Thread rainer
mbra admin interface that insisted on being called on port 7071. Rainer On 2017-03-17 16:54, Wakkas Rafiq wrote: Tried server { listen 169.254.2.2:12000; allow 169.254.169.254; deny all; proxy_pass 10.0.52.151:3260; } then when saw source port changing from 12000. Tr

Re: How to encrypt proxy cache

2017-04-03 Thread rainer
On 2017-04-03 15:21, sachin.she...@gmail.com wrote: Hi, We are testing using nginx as a file cache in front of our app, but the contents of the proxy cache directory are readable to anybody who has access to the machine. Is there a way to encrypt the files stored in the proxy cache folde

Re: How to encrypt proxy cache

2017-04-03 Thread rainer
On 2017-04-03 17:50, sachin.she...@gmail.com wrote: Thanks Maxim for the reply. We have evaluated disk based encryption etc, but that does not prevent sysadmins from viewing user data which is a problem for us. Then you should put your servers someplace where you trust the sysadmins.

Question about $upstream_cache_status

2017-04-25 Thread rainer
Hi, am I right that $upstream_cache_status primarily concerns nginx' own upstreams like fastcgi, uwsgi etc? Or is there a possibility to display whether an upstream varnish has had the page cached? Rainer

server_name that starts with a number

2017-09-26 Thread rainer
Hi, I have a website that has a server_name that starts with a number (or two numbers, actually). I also have a catchall default_server configured with the server_name "_". Now, it seems when the server_name starts with a number, it's ignored and requests are routed to the default server.

Re: server_name that starts with a number

2017-09-26 Thread rainer
On 2017-09-26 16:15, Maxim Dounin wrote: Hello! Note well that testing with browsers is generally a bad idea, as browsers tend to cache responses. I almost always test with curl. I can see that the nginx access log of the vhost where the requests are supposed to show up is empty. They d

Client certificates and check for DN?

2018-02-28 Thread rainer
public CA and the client certificates need to be verified down to the correct O and OU. How do you do this with nginx? Something along these lines: https://www.tbs-certificates.co.uk/FAQ/en/183.html Best Regards Rainer

Re: Client certificates and check for DN?

2018-02-28 Thread rainer
a lot. I'll look into it. Currently, the exact details are still a bit murky. Customer was very vague... I'll know more Friday next week. Regards, Rainer

nginx, php-fpm, 404

2018-05-29 Thread rainer
, host: "nghsbrtest.bla.dom" 2018/05/29 11:01:17 [notice] 94022#0: *1805515 rewritten data: "/install.php/", args: "", client: a.b.c.d, server: nghsbrtest.bla.dom, request: "GET /install/ HTTP/1.1", host: "nghsbrtest.bla.dom"

Re: nginx, php-fpm, 404

2018-05-29 Thread rainer
curl (I've long since given up trusting browsers...) I'll ask in their forum... Thanks nevertheless. Best Regards Rainer

try_files and expires

2015-12-08 Thread rainer
expires 1w; } breaks the first directive. Is there a way to have both? Rainer

How to check which directive actually delivers the files?

2016-01-26 Thread rainer
Hi, I've setup nginx + php-fpm for a typo3. It looks like this: server { listen 80; server_name the_server; access_log /home/the_server/logs/nginx_access_log mycustom; error_log /home/the_server/logs/nginx_error_log; root /home/the_server/FTPROOT/htdocs ; index index.ph

Question about rewrite directive

2016-01-28 Thread rainer
nginx 1.8.0 on FreeBSD 10-amd64. Regards Rainer

Re: Nginx for media streaming

2016-02-09 Thread rainer
On 2016-02-09 13:12, maziar wrote: I want to setup nginx for media streaming web site like youtube I have some movie on my server with HD quality and I want to serve video like YouTube its mean that nginx should change video's quality by user internet connection quality, I found that this fea

nginx is too greedy with urls

2016-04-29 Thread rainer
't get it to work. Any ideas? Best Regards, Rainer

Re: Can't disable TLS 1.0

2018-11-17 Thread Rainer Duffner
> On 17.11.2018 at 04:56, Jeremy Ardley wrote: > >ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE ssl_protocols TLSv1.2; You need to disable 1.0 and 1.1. AFAIK. If you look around, everybody (ebay, github, MSFT, Google etc.pp.) who disabled 1.0 also disabled 1.1.

Re: I'm about to embark on creating 12000 vhosts

2019-02-11 Thread Rainer Duffner
> On 11.02.2019 at 16:16, rick_pri wrote: > > However, our customers, with about 12000 domain names at present have Let’s Encrypt rate limits will likely make these very difficult to obtain and also to renew. If you own the DNS, maybe using Wildcard DNS entries is more practical. Then, HA

Re: Weird problem cannot standup nginx on 443 ipv4

2019-04-25 Thread Rainer Duffner
> On 25.04.2019 at 21:27, Julian Brown wrote: > > listen 443; > listen [::]:443; You most certainly want listen 443 ssl or listen 443 ssl http2 Not sure if it solves your problem.

Re: What about BREACH (CVE-2013-3587)?

2020-02-04 Thread Rainer Duffner
> On 04.02.2020 at 21:38, J.R. wrote: > > I think you are confusing TLS compression with HTTP compression... Probably. I read that later somewhere else. I just wonder why it’s lumped-in in testssl.sh.

Re: packages.nginx.org IPv6 SSL is broken

2020-09-27 Thread Rainer Duffner
> On 27.09.2020 at 21:54, sergio wrote: > > https://packages.nginx.org is not accessible via IPv6 > > It's pingable and http also works fine. > > % openssl s_client -connect packages.nginx.org:443 > CONNECTED(0003) > > > Please fix it or remove records. > > BTW, packages.nginx.o

wordpress with Nginx + fastcgi_cache with ssl but behind haproxy

2021-02-08 Thread Rainer Duffner
lly Simple SSL“, I get a redirect loop (to https) on the front-page (as an unauthenticated user) but the backend works. I wonder what wordpress is missing so that it still thinks the connection is coming over http instead of https. Any ideas? Best Rega

Re: wordpress with Nginx + fastcgi_cache with ssl but behind haproxy

2021-02-09 Thread Rainer Duffner
ple nginx, > php-fpm, fcgi cache works for me. And rate limiting works in nginx too. Try > simplifying the setup so there are less variables to deal with. > > On Mon, 8 Feb 2021, 10:16 PM Rainer Duffner, <mailto:rai...@ultra-secure.de>> wrote: > Hi, > > I have an i

Re: Getting weird issue with Nginx reverse Proxy

2022-03-03 Thread Rainer Duffner
> On 03.03.2022 at 19:26, blason wrote: > > Hi Team, > > My portal name is lets say fs.example.com and it is > configured on apache > server which is then proxied to internet using Nginx reverse proxy. However And what does the apache config look like?

Re: Getting weird issue with Nginx reverse Proxy

2022-03-04 Thread Rainer Duffner
> On 04.03.2022 at 04:37, blason wrote: > > Here is Apache config > > >ServerAdmin webmas...@example.com >DocumentRoot /var/www/fs/ >ServerName fs.example.com >ServerAlias fs.example.com >ErrorLog /var/log/apache2/fs/error.log >CustomLog /var/log/

Re: different ssl_cerficate/ssl_cerficate_key pair for different $host in same server directive

2022-03-09 Thread Rainer Duffner
> On 09.03.2022 at 09:18, huiming via nginx wrote: > > hi Hello, > > Is below configuration valid? nginx report > "nginx: [emerg] "ssl_certificate" directive is not allowed here in > /usr/local/nginx/clientcfg/www.waf.soptest.com.443.conf:16" > > I hope different ssl_cerfica

Re: fake googlebots

2016-09-25 Thread Rainer Duffner
> On 25.09.2016 at 23:58, li...@lazygranch.com wrote: > > I got a spoofed googlebot hit. It was easy to detect since there were > probably a hundred requests that triggered my hacker detection map > scheme. Only two requests received a 200 return and both were harmless. > > 200 118.193.176.53 -

Re: Encrypting TLS client certificates`

2016-10-25 Thread Rainer Duffner
> On 26.10.2016 at 01:20, WGH wrote: > > When nginx requests a client certificate with ssl_verify_client option, > and client complies, the latter sends its certificate in plain text. > > Although it's just a public part of the certificate, one can consider it > a kind of information disclosur

Re: Blocking tens of thousands of IP's

2016-11-01 Thread Rainer Duffner
> On 01.11.2016 at 22:46, Jeff Dyke wrote: > > what is your firewall?, that is the place to block subnets etc, i assume they > are not random ips, they are likely from a block owned by someone?? Depends on the firewall, but our network-guys would refuse to do that (and have so in the past)

Re: Blocking tens of thousands of IP's

2016-11-01 Thread Rainer Duffner
> On 01.11.2016 at 23:35, Cox, Eric S wrote: > > Currently we track all access logs realtime via an in house built log > aggregation solution. Various algorithms are setup to detect said IPS whether > it be by hit rate, country, known types of attacks etc. These IPS are > typically identifie

Re: Blocking tens of thousands of IP's

2016-11-01 Thread Rainer Duffner
> On 01.11.2016 at 23:43, Cox, Eric S wrote: > > Unfortunately much like others have stated, we also don't have the automation > at the firewall layer to move as quickly as we would like. So at the moment > it's not an option. If you get hammered, even serving the 403-page is actually notic

Re: Nginx SSL Setup

2016-11-03 Thread Rainer Duffner
> On 03.11.2016 at 20:40, Ashish Gupta wrote: > > Hello Team, > > I am using NGINX as a web server to host some of the file and I need some > help with the SSL Setup. Is there a way to create a keystore and use that in > the configuration for SSL setup? > > I don't want to use the self sign

Trouble with redirects from backend

2017-02-11 Thread Rainer Duffner
e reverse-proxy. But that's a lot of work and not really a solution. nginx 1.10 Regards Rainer

Re: How to cache static files under root /var/www/html/images

2017-02-14 Thread Rainer Duffner
eed of local files. https://www.nginx.com/blog/nginx-and-netflix-contribute-new-sendfile2-to-freebsd/ Also take a look at https://calomel.org/nginx.html

Re: How to cache static files under root /var/www/html/images

2017-02-14 Thread Rainer Duffner
> On 14.02.2017 at 21:25, Ebayer Ebayer wrote: > > Is there a more deterministic way besides fully trusting the MMU? I really > don't think the MMU will execute well on what I'm setting to accomplish. Some > more info: > > * I run Linux 2.6.32 (RH's) > > * I don't trust /dev/shm as a memory

Re: How to cache static files under root /var/www/html/images

2017-02-14 Thread Rainer Duffner
> On 14.02.2017 at 22:07, Ebayer Ebayer wrote: > > I want to cache critical files indefinitely regardless of them being hot or > stale until they're purged (by the app). > If you have enough RAM, they will stay cached. Do you also want to do the memory-management of your apps, allocating

Re: Reverse Proxy with 500k connections

2017-03-07 Thread Rainer Duffner
> On 07.03.2017 at 22:12, Nelson Marcos wrote: > > Do you really need to use different source ips or it's a solution that you > picked? > > Also, is it an option to set the keepalive option in your upstream configure > section? > http://nginx.org/en/docs/http/ngx_http_upstream_module.html#kee

Re: Last roadblock changing from Apache: SSL & PHP #2

2017-05-14 Thread Rainer Duffner
> On 15.05.2017 at 00:50, Philip Rhoades wrote: > > Also, nginx and php-fpm were actually running as services of course . . Maybe strip the comments next time you post a config file… I have: server { set_real_ip_from 127.0.0.12; real_ip_header X-Forwarded-For; listen 80;

Re: ERR_SPDY_PROTOCOL_ERROR Nginx !!

2017-08-01 Thread Rainer Duffner
> On 01.08.2017 at 23:51, shahzaib mushtaq wrote: > > What do you think should i change it to ? What does SSL-Labs say to it? Or htbridge? Rainer

Re: question about nginx/modsecurity

2013-06-19 Thread Rainer Duffner
On 19.06.2013 at 21:04, AJ Weber wrote: > Is anyone maintaining a "current" version of nginx with mod-security > linked-in? > > I realize this is a bit lazy on my part -- the instructions seem relatively > straightforward to build -- but I didn't want to "re-invent the wheel" if I > didn't

Strange proxy_pass problem

2013-10-18 Thread Rainer Duffner
Hi, I recently upgraded a server from nginx 1.2.8 to 1.4.3 (on FreeBSD amd64). nginx is a reverse-proxy to apache, intended to serve static files directly and pass all php requests to apache - with one exception: the default vhost on both nginx and apache. It looks like this (on apache): Ali

Re: nginx and GeoLite2

2013-10-21 Thread Rainer Duffner
On Mon, 21 Oct 2013 17:12:51 +0400, Maxim Dounin wrote: > Hello! > > On Mon, Oct 21, 2013 at 12:38:30PM +0300, wishmaster wrote: > > > Hi > > I am planning to use GeoLite with nginx. On the MaxMind website > > there is an announcement: > > > > Announcement > > Free access to the latest in IP

Re: High traffic on Nginx-Webservers !!

2014-04-22 Thread Rainer Duffner
On Tue, 22 Apr 2014 14:39:53 +0500, shahzaib shahzaib wrote: > Hello, > >We're using the cluster of 5 webservers using nginx (reverse > proxy) > + apache to handle php requests. Our web-servers are constantly high > with load-avg of 2.0~3.0. I have seen people using varnish between > ng

Re: High traffic on Nginx-Webservers !!

2014-04-22 Thread Rainer Duffner
On Tue, 22 Apr 2014 15:21:09 +0500, shahzaib shahzaib wrote: > Thanks for quick response, well our website is related to video > streaming just like youtube. Could you provide me some guide to learn > varnish for start-up ? > > Any suggestions will be highly appreciated. > > Shahzaib Do you

Re: Caching servers in Local ISPs !!

2014-05-09 Thread Rainer Duffner
On 09.05.2014 at 16:58, shahzaib shahzaib wrote: > Hello, > > We're running a high traffic website similar to youtube.com. Due to > high bandwidth utilization over the network, we're in contact with the local > ISP in order to put caching server to reduce bandwidth utilization for file

Re: How to write nginx, NGINX or Nginx ?

2014-12-30 Thread Rainer Duffner
> On 30.12.2014 at 14:17, hpatoio wrote: > > Hello. I'm writing some documentation for a project that uses NGINX. I'm > wondering what's the correct way to write nginx. > > a) NGINX - Always all uppercase > b) nginx - Always all lowercase. Even at the beginning of

Re: How to write nginx, NGINX or Nginx ?

2014-12-30 Thread Rainer Duffner
> On 30.12.2014 at 19:53, B.R. wrote: > > It seems the original and preferred way to spell it is 'nginx', the one coming > from Igor. I am still wondering about capitalizing the name, but since it is > to me a personal name, I do not apply rules that would nor

Re: Dynamic/Wildcard SSL certificates with SNI ?

2015-01-15 Thread Rainer Duffner
> On 15.01.2015 at 20:50, Gabriel L. Somlo wrote: > > Hi, > > I'm working on a "Web simulator" designed to serve a large number of > web sites on a private, self-contained network, where I'm also in > control of issuing SSL certificates. > > The relevant bits of my nginx.conf look like this:

Re: Expected Server configuration for 100 users

2015-02-18 Thread Rainer Duffner
> On 18.02.2015 at 16:56, ragavd wrote: > > Hi, > We are configuring the NGINX as a reverse proxy. We are expecting some 100 > concurrent users or connections/sessions to be active at any given moment of > time. Right now the server is acting as a reverse proxy for only one > application. These

Re: Google dumps SPDY in favour of HTTP/2, any plans for nginx?

2015-03-17 Thread Rainer Duffner
e case for HTTP/2 in this scenario? > My guess would be if your upstream is actually a „real“ internet-server (that happens to do http/2). Somebody trying to build the next „CloudFlare/Akamai/WhateverCDN“? ;-) Is a world possible/imaginable that only does http/2? Rainer

Re: nginx_slowfs_cache

2015-04-19 Thread Rainer Duffner
> On 19.04.2015 at 13:14, wishmaster wrote: > > Hi, > > Today after upgrading from nginx version 1.6.x to 1.7.x I have got a > segmentation fault. After short investigation the culprit was found. It is > module by Frikle - nginx_slowfs_cache. > > Does anybody have the same issue? Is this modu

Re: nginx_slowfs_cache

2015-04-19 Thread Rainer Duffner
> On 19.04.2015 at 15:12, wishmaster wrote: > > > `ngx_slowfs_cache` is `nginx` module which allows caching of static files > (served using `root` directive). This enables one to create fast caches > for files stored on slow filesystems, for example: > > - storage: network disks, cache: local

Re: nginx_slowfs_cache

2015-04-19 Thread Rainer Duffner
> On 19.04.2015 at 15:16, jb wrote: > > At least in my experience unless your most used static files exceed in size > your available RAM, or are changing, they are effectively cached by the OS > anyway. > Normally, yes. Hence the reason why phk wrote Varnish, when he saw what squid was (an

Re: nginx_slowfs_cache

2015-04-19 Thread Rainer Duffner
> On 19.04.2015 at 15:24, wishmaster wrote: > >> >> >> I’ve briefly toyed with it myself, at some point. >> >> What is your „slow“ filesystem? > > SATA II single disk, UFS. Just let the OS do its work. https://openconnect.itp.netflix.com/software/index.html

Re: reverse proxy SMTP - How distinguish MUA and MTA

2015-06-04 Thread Rainer Duffner
behave depending on that. > > How to achieve that ? > MUA = Port 587 + 465 MTA = Port 25 Maybe use something like Haraka for SMTP? It’s supposed to be for SMTP-servers what NGINX is for Webservers ;-) Rainer

Re: running nginx-running and nginx concurrently

2015-09-21 Thread Rainer Duffner
> On 21.09.2015 at 11:49, Ekaterina Kukushkina wrote: > > Hello Fabe, > > Unfortunately, you can't. > The 'nginx-plus' is a package name not a binary/service name and your > current 'nginx' package will be replaced with 'nginx-plus' package during > installation. > Well, on FreeBSD, the

Re: Debian Jessie, Nginx, PHP, UWSGI quick start

2016-01-02 Thread Rainer Duffner
> On 02.01.2016 at 08:37, Thomas Glanzmann wrote: > > Hello, > I had to host a potential unsecure PHP web application. So I thought about > writing a small c program which creates a network, filesystem, pid, > uts, and ipc namespace and run php-fpm inside it. Excuse me if I’m blunt, but: can’

Re: nginx/1.9.9 with modsecurity/2.9.0 crashes with segfault and worker process exited on signal 11

2016-01-10 Thread Rainer Duffner
ecurity. It didn’t segfault any more after this - but I haven’t had time to check how well it actually works. Rainer

Re: Question about rewrite directive

2016-01-28 Thread Rainer Duffner
it strips off just the last digits-dot pair. OK, that would be sub-optimal ;-) On request, the customer switched off the cache-breaking, so that problem has been solved. As for the regex itself, I checked it in regex101.com and it did match the files. The customer has elected not to use typo3’

Re: Nginx Slow download over 1Gbps load !!

2016-01-31 Thread Rainer Duffner
addresses. So, if you test from one IP, you will only ever get 1 GBit/s. You could also play with some of the setting described on calomel.org <http://calomel.org/> for tuning tcp/ip. As others have pointed out, it won’t hurt moving this to fre