Channel: Nginx Forum - How to...

400 Bad Request

Hi,
We are getting a lot of 400 Bad Request errors on our site cjonline.com.
We increased large_client_header_buffers from 16K to 4 64k in the nginx configuration and restarted the services.
But we are still getting the errors. Please provide your thoughts, as it is causing problems for our customers.

Regards
Devender

Re: Nginx 'alias' downloading php file

Hi, I get the same problem.
How can I fix it?

nginx varnish

Hey everyone

I tried to install varnish before nginx.

After this, nginx does not use the right vhost, because it tries to serve files from the default folder.
The default vhost is disabled. Surely, the ports on the varnish backend and the nginx vhost match!

The result is a 404.

nginx receives the host from varnish; where could the problem be?


2017/05/06 17:48:26 [error] 14188#14188: *1956 openat() "/etc/nginx/html/contact-us" failed (2: No such file or directory), client: 46.161.60.103, server: localhost, request: "GET /contact-us HTTP/1.1", host: "mydomen.com", referrer: "http://mydomen.com/music/22-classic"

Re: nginx varnish

How can I use nginx limit_conn behind a proxy (varnish)?

Because now every connection comes from localhost. Can I use some key for limit_conn_zone that gets the real client IP?
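
For the question above, an added example (not part of the original post) of keying limit_conn on the client address when every connection arrives from a local proxy. It assumes nginx is built with ngx_http_realip_module and that Varnish on 127.0.0.1 passes the client address in X-Forwarded-For; the port, zone name and limits are assumptions.

```nginx
# Added example; address, port, zone name and limits are assumptions.
http {
    # Weak: keying directly on the header lets any client pick its own bucket,
    # because X-Forwarded-For is client-supplied until a trusted proxy rewrites it.
    # limit_conn_zone $http_x_forwarded_for zone=perip:10m;

    # Corrected: let ngx_http_realip_module replace the client address, but only
    # for connections that really come from the local Varnish instance.
    set_real_ip_from  127.0.0.1;
    real_ip_header    X-Forwarded-For;
    real_ip_recursive on;    # skip trusted hops, use the last non-trusted address

    # $binary_remote_addr now holds the address taken from the header.
    limit_conn_zone $binary_remote_addr zone=perip:10m;

    server {
        listen 127.0.0.1:8080;      # backend port Varnish forwards to (assumed)
        server_name mydomen.com;

        limit_conn           perip 10;   # concurrent requests allowed per client address
        limit_conn_status    429;
        limit_conn_log_level warn;
    }
}
```

Binding the listener to 127.0.0.1 keeps clients from bypassing Varnish and reaching the backend port directly.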

Problems with nginx + router(Fritzbox) portforwarding

(Sorry for bad English, I'm German)
Hello,
I'm not sure if this forum is the right one to ask, but I struggle to set up a webserver with nginx:
I installed nginx (and a few other programs) on my Raspberry Pi and configured port forwarding on my router (Fritzbox) (portForwarding.png). After that I used ddnss.de (a dynDNS service) to bind my IP 78.**.**.** to ****.ddnss.de.
If I type http://192.168.178.66 (local IP of the Raspberry Pi) into the web browser I see the "Welcome to nginx! If you see this page, the nginx web server is successfully installed and working. Further configuration is required." page - everything works. But if I type http://78.**.**.** or ****.ddnss.de into the web browser, the browser tells me that it can't reach the site.

Does anyone know how to fix this problem or have some links for explanation?

System Information:

PC used for nginx webserver: Raspberry Pi 3
Operating System: Linux (Ubuntu)
http://myip.is -> 78.**.**.**
ifconfig on the raspberry pi -> 192.168.178.66
Intention: Setting up nextcloud and nginx on the Raspberry Pi 3

$ host -t A ****.ddnss.de
****.ddnss.de has address 78.**.**.**

$ host -t AAAA ****.ddnss.de
****.ddnss.de has no AAAA record

$ ping ****.ddnss.de
PING ****.ddnss.de (78.**.**.**) 56(84) bytes of data.
-> no response

$ ping 78.**.**.**
PING 78.**.**.** (78.**.**.**) 56(84) bytes of data.
-> no response

Re: Can nginx use SNI to reverse-proxy *without* terminating SSL?

Did you find a solution to this? I believe I have a similar setup.

Re: Can nginx use SNI to reverse-proxy *without* terminating SSL?

You can with stream {}
See the docs at nginx

LoadBalancing with ip_hash, only hitting one backend server

Hello!

I'm trying to get a solid load balancing solution in place that can rotate servers and keep sessions per IP. I like NGINX's setup so I first came here to get this done but am having an issue with requests only hitting one of the backend servers when I have ip_hash enabled. I've gone through the access.logs and they show a unique IP on each request, but each request only goes to the first server I have on the list. If I remove ip_hash, the requests round-robin properly and I get a different server each time. However, when I add ip_hash and have everyone in the office try the site, they all just pull up the first server.

Am I missing something here? Is it not hashing via the local system IP and only through the external WAN IP?

Thanks in advance for your time to consider this issue.

Re: LoadBalancing with ip_hash, only hitting one backend server

Hashing means in this case "ip ranges divided in blocks", so your LAN most likely is considered one block.

Re: LoadBalancing with ip_hash, only hitting one backend server

Gotcha -- that makes sense. When I tried to access it from a different subnet, everything worked.

Thanks!

Nginx redirects .well-known endpoints

I have a web application that runs on `WSGI` server. The application has OpenID Connect identity provider endpoints, for instance:

/oidc/.well-known/openid-configuration
/oidc/.well-known/simple-web-discovery
/oidc/.well-known/webfinger

Requests to these endpoints are mapped to some functions in my project, which run necessary tasks for each endpoint. I can run my application, and all requests are successfully mapped and handled by the defined functions.

The challenge starts when I host my application on a public IP behind https. For this I use `nginx` to proxy access to my application. `nginx` makes my application accessible over a public IP over https. Here are the key sections of my `nginx` config file:

    server {
        listen 80;
        listen [::]:80 default_server;
        server_name localhost;
        root /home/user/myApp;
        include /etc/nginx/default.d/*.conf;
        location / {
            proxy_pass http://my_app;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-URL-SCHEME https;
        }
    }

    server {
        listen 443 ssl;
        server_name localhost;
        root /home/user/myApp;
        ssl_certificate /home/user/cacert.pem;
        ssl_certificate_key /home/user/privkey.pem;
        include /etc/nginx/default.d/*.conf;
        location ~ /\.well-known { allow all; }
        location / {
            proxy_pass http://my_app;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-URL-SCHEME https;
        }
    }


Every call is requested/posted correctly, except for the requests to `/.well-known/*` (actually `location ~ /\.well-known { allow all; }` in the config is an attempt to solve it), for which I get either `404` or `403` errors.

For instance, one error message in `nginx` error log reads:

`open() "/home/user/myApp/oidc/.well-known/openid-configuration" failed (13: Permission denied), client: X.X.X.X, server: localhost, request: "GET /oidc/.well-known/openid-configuration HTTP/1.1", host: "X.X.X.X"`

(IP addresses are masked out)

A few points:

- I'm running my application with `sudo` privileges, so the application has r/w access to all the paths.
- Actually, the path `/home/user/myApp/oidc/.well-known/openid-configuration` does not exist (and that's why I also get a `404` error).

`/oidc/.well-known/openid-configuration` should be mapped to a function (as it happens when I host my application without `nginx`). So, I don't understand why `nginx` tries to access a non-existing `/oidc/.well-known/*` path/file ?!

Request denying in a specific time range

Hi,

I need to block requests that are made in a specific time range as long as it's not an exclusion like in the pseudo code below.

I know that the perl module is not allowed to be called inside an "if" block and there is no possibility to pass arguments to a perl block from a location or vice versa.

Any help would be appreciated..

location {
..
if (true){
set $block_request 1
}

perl req_time_control::handler $block_request;

}

R.

Re: Problems with nginx + router(Fritzbox) portforwarding

I cannot explain why the routing is not working, but you can work with your server in your local network. Do something like this:

Don't work with the external IP address; rather, work with domain names.
You have checked the DNS and it is working fine (externally); check it with another internet connection (like a smartphone).
If DNS on the internet works fine, then your server is working on the internet.

So you can use an internal DNS and bind your domain to your local IP address 192.x.x.x

or

make a hosts entry

192.x.x.x yourdomain.de

in

Windows: C:\Windows\System32\drivers\etc\hosts (run the editor as administrator/als Administrator ausführen and load the hosts file)
Linux: /etc/hosts

on all your local network clients.

These are the steps I have been using since 2002, serving services on Deutsche Telekom DSL.
Today I am working with a static IP.
If you want a serious service, take a business product (20€ higher) with a static IP. Further, you can work with an accepted SMTP relay.
You can set up lots of domains by registering them and delegating them to your static IP.
And... don't work unencrypted - use SSL to prevent other errors.

Best regards from Solingen, Germany

Deny Access to php files wordpress / excluding one path

Hello Folks!

I denied direct access to PHP files in my site.conf (..../sites-enabled/mydomain.tld.conf)

    # Disable direct access of any *.php in /wp_content folder
    location ~ ^/wp-content/.+\.php$ {
        return 444;
    }

That's working well!
But I grant access to one plugin folder:

/wp-content/plugins/these1plugin/

How can I exclude it?

Any ideas?
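
One way to carve out the exception asked about above, shown as an added example that is not part of the original post. The PHP-FPM socket path is an assumption and must match whatever the site's existing PHP location uses.

```nginx
# Added example. Regex locations are checked in the order they appear in the
# file and the first match wins, so the exception must precede the blanket rule.
# Matching is done on the normalized URI (percent-decoded, "." and ".." resolved),
# so a "../" sequence cannot smuggle another script through the exception.

# 1) Allowed: PHP files inside the one plugin folder.
location ~ ^/wp-content/plugins/these1plugin/.+\.php$ {
    try_files $uri =404;                       # never hand a non-existent script to PHP
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption: same upstream as the site's PHP location
}

# 2) Everything else: disable direct access to any other *.php under /wp-content.
location ~ ^/wp-content/.+\.php$ {
    return 444;
}
```

Both blocks have to stay above the site's generic `location ~ \.php$` block, otherwise that one matches first and neither rule is reached.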

Network Topology Assistance for newbie

Hi,

Newbie here.

I am looking to set up the MEAN Stack on Amazon & was curious as to whether best practice would be to have each component in its own subnet.

i.e. App Server (Node) 10.0.10.x, Mongo 10.0.15.x, NGINX 10.0.20.x

Thanks in advance

Todd

Re: Request denying in a specific time range

It took a long time to reach the info below. I think it could have been documented better on the official page of the module.


#nginx.conf

set $variable_name "xxxx";

#perl
my $value = $r->variable('variable_name');

nginx mod rewrite issue

I'm trying to convert Apache rewrites to nginx but, maybe due to some error, I fail. Please have a look.

Apache version

DirectoryIndex index.php
<Files ~ "^\.ht">
order allow,deny
satisfy all
</Files>
# Deny most common except .php (Also protects your .tpl template files)
<FilesMatch "\.(db|inc|tpl|tmpl|h|ihtml|sql|ini|class|bin|spd|theme|module|cfg|cpl|tmp|log|err)$">
order allow,deny
satisfy all
</FilesMatch>
RewriteEngine On
RewriteRule ^sitemap.xml(/?)+$ sitemap.php [L]
RewriteRule ^search.html(/?)+$ ?do=search&%{QUERY_STRING} [L]
RewriteRule ^user(/?)+$ ?do=user&%{QUERY_STRING} [L]
RewriteRule ^users/([^/]*).html(/?)+$ ?do=users&iq=$1&%{QUERY_STRING} [L]
RewriteRule ^user/browse/([A-Z])(/?)+$ ?do=user&browse=$1 [L]
RewriteRule ^library(/?)+$ ?do=library&%{QUERY_STRING} [L]
RewriteRule ^contribute(/?)+$ ?do=contributions&%{QUERY_STRING} [L]
RewriteRule ^extras/print/([^/]*)-([^/]*).html(/?)+$ extras/print.php?iq=$2 [L]
RewriteRule ^extras/txt/([^/]*)-([^/]*).txt(/?)+$ extras/text.php?iq=$2 [L]
RewriteRule ^extras/pdf/([^/]*)-([^/]*).pdf(/?)+$ extras/pdf/pdf_output.php?iq=$2 [L]
RewriteRule ^extras/word/([^/]*)-([^/]*).doc(/?)+$ extras/word/word_output.php?iq=$2 [L]
RewriteRule ^images/user/([^/]*).jpg(/?)+$ image.php?t=users&iq=$1 [L]

And my nginx version is

    # nginx configuration
    index index.php;
    location /sitemap {
        rewrite ^/sitemap.xml/*$ /sitemap.php break;
    }
    location /search {
        rewrite ^/search.html/*$ /?do=search&$query_string break;
    }
    location /user {
        rewrite ^/user/*$ /?do=user&$query_string break;
        rewrite ^/user/browse/([A-Z])/*$ /?do=user&browse=$1 break;
    }
    location /users {
        rewrite ^/users/([^/]*).html/*$ /?do=users&iq=$1&$query_string break;
    }
    location /library {
        rewrite ^/library/*$ /?do=library&$query_string break;
    }
    location /contribute {
        rewrite ^/contribute/*$ /?do=contributions&$query_string break;
    }
    location /extras {
        rewrite ^/extras/print/([^/]*)-([^/]*).html/*$ /extras/print.php?iq=$2 break;
        rewrite ^/extras/txt/([^/]*)-([^/]*).txt/*$ /extras/text.php?iq=$2 break;
        rewrite ^/extras/pdf/([^/]*)-([^/]*).pdf/*$ /extras/pdf/pdf_output.php?iq=$2 break;
        rewrite ^/extras/word/([^/]*)-([^/]*).doc/*$ /extras/word/word_output.php?iq=$2 break;
    }
    location /images {
        rewrite ^/images/user/([^/]*).jpg/*$ /image.php?t=users&iq=$1 break;
    }
    location ~ ^\.ht {
        deny all;
    }
    location ~ \.(db|inc|tpl|tmpl|h|ihtml|sql|ini|class|bin|spd|theme|module|cfg|cpl|tmp|log|err)$ {
        deny all;
    }
I'm using CloudLinux + WHM + Cpnginx for nginx.

Please help me track down the issue. Thanks in advance.

How to allow NGINX one domain SSLDomain1\.info to use SSL whilst rest of the domains (hundreds of them and dynamically added, need wildcard _) are simple HTTP 80 ?

If I use
Server{ FOR SSLDOMAIN.info }
Server{ FOR REST}

Then
I can’t have both ssl and http ☹
It is one way or another, very annoying nginx, not flexible

Nginx gives error no matter how I try

Why can’t I use simple condition?

If ($host=”SSLDOMAIN1.info”){
ssl on;
ssl_certificate /var/www/SSLDomain1.info/ssl/SSLDomain1_info.bundle.crt;
ssl_certificate_key /var/www/SSLDomain1.info/ssl/SSLDomain1_info.key;
}



example of conf


    server {
        listen 80;
        listen 443 ssl;

        if ($host ~* (SSLDomain1\.info)){
            #ssl on;
            #ssl_certificate /var/www/SSLDomain1.info/ssl/SSLDomain1_info.bundle.crt;
            #ssl_certificate_key /var/www/SSLDomain1.info/ssl/SSLDomain1_info.key;
        }
        server_name _;
        server_name_in_redirect off;

        if ($host ~* ^(.*\..*)$) {
            set $domain $host;
        }

        if ($host ~* ^(.*)\.(.*\..*)$) {
            set $domain $2;
        }

        root /var/www/$domain;

        location / {
            index index.php;
            if (!-e $request_filename) {
                rewrite ^(.*)$ /index.php?$1 last;
                break;
            }

            location ~ \.php$ {
                fastcgi_pass php;
                fastcgi_index index.php;
                include fastcgi.conf;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                add_header 'Access-Control-Allow-Origin' '*';
                add_header 'Access-Control-Allow-Credentials' 'true';
                add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
                add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
            }
        }
    }
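
The layout asked about above, written as two server blocks; this is an added example and not the poster's configuration. The `www.` alias and the `snippets/php-site.conf` include (standing in for the location blocks from the post) are assumptions.

```nginx
# Added example. ssl_certificate is not valid inside "if": the TLS handshake is
# finished before nginx has a request (and a $host) to test, so the choice of
# certificate is made per server block, by listen socket and server_name.

# Catch-all for the dynamically added domains: plain HTTP only.
server {
    listen 80 default_server;
    server_name _;
    server_name_in_redirect off;

    set $domain $host;
    if ($host ~* ^(.*)\.(.*\..*)$) {
        set $domain $2;                      # keep the last two labels, as in the post
    }
    root /var/www/$domain;

    include snippets/php-site.conf;          # hypothetical file: the location blocks from the post
}

# The single TLS domain: answers on both 80 and 443.
server {
    listen 80;
    listen 443 ssl;
    server_name SSLDomain1.info www.SSLDomain1.info;   # www alias is an assumption

    ssl_certificate     /var/www/SSLDomain1.info/ssl/SSLDomain1_info.bundle.crt;
    ssl_certificate_key /var/www/SSLDomain1.info/ssl/SSLDomain1_info.key;

    root /var/www/SSLDomain1.info;
    include snippets/php-site.conf;          # hypothetical, same file as above
}
```

Because the second block is the only one listening on 443, nginx also uses it for HTTPS requests that name any other domain, and those clients are shown the SSLDomain1.info certificate.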

Re: Preserving Source IP using SSL Preread + OpenVPN

I am trying to accomplish a similar if not same task. I am running nginx 1.12.0 and am trying to maintain the source IP for logging purposes so that fail2ban can block the nefarious characters trying to compromise my system. I have a single server where I am trying to host a vpn server and a web server. To prevent my VPN from being blocked/filtered I want to run it on port 443 in tandem with a secure website.

Based on the last post I have two servers listening, port 443 and 1443. port 443 will forward to my vpn or 1443 for web traffic. This supports OpenVPN and my web server, but I have lost the source IP. Am I missing something? Here is my current config:

    stream {
        log_format basic '$remote_addr [$time_local] '
                         'protocol: $protocol Status: $status bytes sent: $bytes_sent bytes received: $bytes_received '
                         'session duration: $session_time';

        map $ssl_preread_server_name $name {
            www.example.com pre_www_server;
            example.com pre_www_server;
            default vpn_server;
        }

        upstream vpn_server {
            hash $remote_addr consistent;
            server localhost:1194;
        }

        upstream pre_www_server {
            server localhost:1443;
        }

        upstream www_server {
            server localhost:8443;
        }

        server {
            listen 1443;
            proxy_pass www_server;
            proxy_protocol on;
        }

        server {
            listen 443 so_keepalive=on;
            access_log /var/log/nginx/stream-access.log basic buffer=32k;
            proxy_connect_timeout 300s;
            proxy_timeout 300s;
            proxy_pass $name;
            ssl_preread on;
        }
    }

Again the goal is to capture the source IP so that I can filter IPs that appear as a threat while hosting an https website and an OpenVPN server from port 443 on one IP.

Thanks,
Phil
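
An alternative arrangement for the goal described above, as an added example that is not the poster's configuration. In the posted config the listener on 1443 is reached from the local 443 server, so the PROXY header it sends describes a local connection. Here the 443 server, which sees the real client, sends the header instead, and an extra local hop removes it again for OpenVPN. Port 11194, the certificate paths and the upstream name `vpn_unwrap` are assumptions; `listen ... proxy_protocol` in `stream` needs nginx 1.11.4 or later.

```nginx
# Added example; port 11194, vpn_unwrap and the certificate paths are assumptions.
stream {
    map $ssl_preread_server_name $name {
        www.example.com www_server;
        example.com     www_server;
        default         vpn_unwrap;
    }

    upstream www_server { server 127.0.0.1:8443; }
    upstream vpn_unwrap { server 127.0.0.1:11194; }

    server {
        listen 443 so_keepalive=on;
        ssl_preread on;
        proxy_pass $name;
        proxy_protocol on;      # this hop sees the real client, so the header carries its address
    }

    server {
        # Consume the PROXY header here and hand OpenVPN the raw stream without it.
        listen 127.0.0.1:11194 proxy_protocol;
        proxy_pass 127.0.0.1:1194;
    }
}

http {
    server {
        # Must expect the PROXY header, otherwise the TLS handshake fails on its first bytes.
        listen 127.0.0.1:8443 ssl proxy_protocol;
        server_name example.com www.example.com;

        ssl_certificate     /etc/nginx/ssl/example.com.crt;   # placeholder path
        ssl_certificate_key /etc/nginx/ssl/example.com.key;   # placeholder path

        # Accept the address from the header only when the sender is the local stream proxy.
        set_real_ip_from 127.0.0.1;
        real_ip_header   proxy_protocol;
    }
}
```

OpenVPN itself still sees 127.0.0.1 in this layout; the client addresses for VPN connections are the ones in the stream access log of the 443 server, which is the log fail2ban would need to read.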