The proxy_protocol 'passing' needs to be supported by the vpn/sshd service, not many can handle this (yet).
↧
Re: Preserving Source IP using SSL Preread + OpenVPN
↧
ADFS 2016 / ADFS 4.0 behind Nginx
As I can not find this information in a single place, I registered just to add it to save the next person some grief.
It is possible to run a Server 2016 ADFS infrastructure behind an Nginx load balancer (side note: it is possible to do this in two hours flat when you find out you somehow accidentally upgraded said ADFS infrastructure from 2.0 to 4.0 because of a typo and watched your TMG fall apart). The trick is simple enough - the ADFS server expects server name indication (SNI) in the protocol.
We are using this for Adobe Creative Cloud, Google gSuite, and a number of smaller SAML compliant services. This isn't passing every URL through to ADFS, but you will need to check your own endpoint requirements to handle any outliers.
For completeness sake: Ubuntu 16.04.2 LTS installing nginx/1.10.0 (Ubuntu) from the default apt repositories.
The load balancing is handled by an upstream block:
upstream adfsservers {
server adfs01.dev.internal:443;
server adfs02.dev.internal:443;
}
The server block is a little bit "different". I believe that this could be done with hostname specific forwarding (in which case you just pass the entire location / to the upstream) but I've done it with location blocks because (as I said in my aside) I was looking for quick and working, rather than trying to dissect the various howtos and bits of documentation on hostname based upstreams. Now that I've got it working, it shouldn't be too hard to move to the hostname model.
Below is my server block. The source IP address (from the point of view of the ADFS farm) for the Nginx unit is 10.10.10.10. The location / block is because of the aforementioned unexpected upgrade - so I'm pushing everything else to the existing Threat Management Gateway at the 172.16.1.1 address.
Please note that if you decide to use this config "as is" - NTLM authentication will not work through to the TMG. As I understand it you'll need to use the non-free version of Nginx to handle that.
server {
listen 443 ssl default_server http2;
ssl_certificate /etc/nginx/ssl/wildcard.chain.pem;
ssl_certificate_key /etc/nginx/ssl/wildcard.key;
proxy_ssl_session_reuse off;
proxy_buffering off;
ssl_session_cache off; # Part of me questions this, but it's in my live and I haven't turned it on to test yet.
location /federationmetadata {
proxy_ssl_server_name on;
proxy_ssl_name adfs.example.com;
proxy_pass https://adfsservers;
proxy_set_header Host adfs.example.com;
proxy_set_header X-MS-Proxy 10.10.10.10;
proxy_http_version 1.1;
proxy_redirect off;
}
location /adfs {
proxy_ssl_server_name on;
proxy_ssl_name adfs.example.com;
proxy_pass https://adfsservers;
proxy_set_header Host adfs.example.com;
proxy_set_header X-MS-Proxy 10.10.10.10;
proxy_http_version 1.1;
proxy_redirect off;
}
location / {
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_ssl_server_name on;
proxy_ssl_name $host;
proxy_set_header Host $host;
proxy_pass https://172.16.1.1;
}
}
Everything about this could probably be enhanced, or at the least condensed. I leave it here simply to share that yes, it is possible to do this with ADFS 4.0 or ADFS 2016 and hopefully save others the trouble of looking quite so hard for what was going on. Finally, sorry about the formatting, too new to the forums to know how to format a code block properly!
It is possible to run a Server 2016 ADFS infrastructure behind an Nginx load balancer (side note: it is possible to do this in two hours flat when you find out you somehow accidentally upgraded said ADFS infrastructure from 2.0 to 4.0 because of a typo and watched your TMG fall apart). The trick is simple enough - the ADFS server expects server name indication (SNI) in the protocol.
We are using this for Adobe Creative Cloud, Google gSuite, and a number of smaller SAML compliant services. This isn't passing every URL through to ADFS, but you will need to check your own endpoint requirements to handle any outliers.
For completeness sake: Ubuntu 16.04.2 LTS installing nginx/1.10.0 (Ubuntu) from the default apt repositories.
The load balancing is handled by an upstream block:
upstream adfsservers {
server adfs01.dev.internal:443;
server adfs02.dev.internal:443;
}
The server block is a little bit "different". I believe that this could be done with hostname specific forwarding (in which case you just pass the entire location / to the upstream) but I've done it with location blocks because (as I said in my aside) I was looking for quick and working, rather than trying to dissect the various howtos and bits of documentation on hostname based upstreams. Now that I've got it working, it shouldn't be too hard to move to the hostname model.
Below is my server block. The source IP address (from the point of view of the ADFS farm) for the Nginx unit is 10.10.10.10. The location / block is because of the aforementioned unexpected upgrade - so I'm pushing everything else to the existing Threat Management Gateway at the 172.16.1.1 address.
Please note that if you decide to use this config "as is" - NTLM authentication will not work through to the TMG. As I understand it you'll need to use the non-free version of Nginx to handle that.
server {
listen 443 ssl default_server http2;
ssl_certificate /etc/nginx/ssl/wildcard.chain.pem;
ssl_certificate_key /etc/nginx/ssl/wildcard.key;
proxy_ssl_session_reuse off;
proxy_buffering off;
ssl_session_cache off; # Part of me questions this, but it's in my live and I haven't turned it on to test yet.
location /federationmetadata {
proxy_ssl_server_name on;
proxy_ssl_name adfs.example.com;
proxy_pass https://adfsservers;
proxy_set_header Host adfs.example.com;
proxy_set_header X-MS-Proxy 10.10.10.10;
proxy_http_version 1.1;
proxy_redirect off;
}
location /adfs {
proxy_ssl_server_name on;
proxy_ssl_name adfs.example.com;
proxy_pass https://adfsservers;
proxy_set_header Host adfs.example.com;
proxy_set_header X-MS-Proxy 10.10.10.10;
proxy_http_version 1.1;
proxy_redirect off;
}
location / {
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_ssl_server_name on;
proxy_ssl_name $host;
proxy_set_header Host $host;
proxy_pass https://172.16.1.1;
}
}
Everything about this could probably be enhanced, or at the least condensed. I leave it here simply to share that yes, it is possible to do this with ADFS 4.0 or ADFS 2016 and hopefully save others the trouble of looking quite so hard for what was going on. Finally, sorry about the formatting, too new to the forums to know how to format a code block properly!
↧
↧
Trouble to reach IP-Cam from Internet
Hello,
i have a IP-Cam in my private network and i can reach the IP-Cam when i am in the local network. But from the Internet the IP-Cam is not working.
My config is:
server {
rewrite_log on;
access_log off;
#access_log /var/log/net-error_log;
error_log /var/log/net-error_log debug;
listen 80;
server_name test.privatedns.org;
root /var/www/http/test.privatedns.org/;
location ~ .php$ {
try_files $uri =404;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
location /wansview {
access_log /var/log/wansview-access_log;
error_log /var/log/wansview-error_log warn;
rewrite ^/wansview(.*) http://192.168.1.45/$1 permanent;
#return 301 http://192.168.1.45/$1;
#proxy_pass http://192.168.1.45/$1;
#proxy_http_version 1.1;
#proxy_pass_request_headers on;
#proxy_pass http://192.168.1.45:80;
#proxy_pass http://192.168.1.45:80/url$request_uri; #80 is your first port
#proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
#proxy_redirect http://192.168.1.45:80; http://192.168.1.45:80/mjpeg/snap.cgi?chn=1;
#proxy_redirect http://192.168.1.45:80/ $scheme://$host:$server_port/
#proxy_redirect default;
#more_set_input_headers 'Authorization: $http_authorization';
#proxy_set_header ns_server-ui yes;
#proxy_set_header Accept-Encoding "";
#proxy_set_header Connection "";
#proxy_pass_header Authorization;
proxy_redirect off;
proxy_buffering off;
#proxy_set_header Host $host;
#proxy_set_header Request_Uri_X $request_uri;
#proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-for $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#port_in_redirect off;
#proxy_set_header HOST $http_host;
#proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-NginX-Proxy true;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
#proxy_redirect off;
#proxy_set_header Host $host:$server_port;
#proxy_read_timeout 86400;
#proxy_buffering off;
#auth_basic "Restricted";
#auth_basic_user_file /var/www/http/test.privatedns.org/.htpasswd;
#proxy_intercept_errors on;
}
You see, i have tried many versions from Internet, but the rewrite rule is the only that works local, but not from the Internet.
The link i use from Internet to see the Picture from my IP-Cam is http://test.privatedns.org/wansview/mjpeg/snap.cgi?chn=1
What is wrong ?
i have a IP-Cam in my private network and i can reach the IP-Cam when i am in the local network. But from the Internet the IP-Cam is not working.
My config is:
server {
rewrite_log on;
access_log off;
#access_log /var/log/net-error_log;
error_log /var/log/net-error_log debug;
listen 80;
server_name test.privatedns.org;
root /var/www/http/test.privatedns.org/;
location ~ .php$ {
try_files $uri =404;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
location /wansview {
access_log /var/log/wansview-access_log;
error_log /var/log/wansview-error_log warn;
rewrite ^/wansview(.*) http://192.168.1.45/$1 permanent;
#return 301 http://192.168.1.45/$1;
#proxy_pass http://192.168.1.45/$1;
#proxy_http_version 1.1;
#proxy_pass_request_headers on;
#proxy_pass http://192.168.1.45:80;
#proxy_pass http://192.168.1.45:80/url$request_uri; #80 is your first port
#proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
#proxy_redirect http://192.168.1.45:80; http://192.168.1.45:80/mjpeg/snap.cgi?chn=1;
#proxy_redirect http://192.168.1.45:80/ $scheme://$host:$server_port/
#proxy_redirect default;
#more_set_input_headers 'Authorization: $http_authorization';
#proxy_set_header ns_server-ui yes;
#proxy_set_header Accept-Encoding "";
#proxy_set_header Connection "";
#proxy_pass_header Authorization;
proxy_redirect off;
proxy_buffering off;
#proxy_set_header Host $host;
#proxy_set_header Request_Uri_X $request_uri;
#proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-for $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#port_in_redirect off;
#proxy_set_header HOST $http_host;
#proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-NginX-Proxy true;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
#proxy_redirect off;
#proxy_set_header Host $host:$server_port;
#proxy_read_timeout 86400;
#proxy_buffering off;
#auth_basic "Restricted";
#auth_basic_user_file /var/www/http/test.privatedns.org/.htpasswd;
#proxy_intercept_errors on;
}
You see, i have tried many versions from Internet, but the rewrite rule is the only that works local, but not from the Internet.
The link i use from Internet to see the Picture from my IP-Cam is http://test.privatedns.org/wansview/mjpeg/snap.cgi?chn=1
What is wrong ?
↧
NGINX frontending Kibana not working with “_plugin/kibana/” URL
I'm running the AWS Managed ElasticSearch to collect some logs and have created some Kibana dashboards to visualise the data, all that works fine.
Unfortunately the Kibana plugin included on with the AWS cluster is pretty much open to the world, so I have setup an NGINX reverse proxy to provide authenticated access. This is also working fine if I simply hit the domain URL and specify the full URI to the Kibana plugin. For example:
http://nginx.domain.com/_plugin/kibana/app/kibana works just fine, here in the nginx configuration I am using to achieve that:
worker_processes 1;
events {
worker_connections 1024;
}
http {
server {
listen 80;
server_name localhost;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_set_header User-Agent $http_user_agent;
auth_basic_user_file /etc/nginx/.htpasswd;
auth_basic "Auth Required";
proxy_pass https://search-mystuff.ap-southeast-2.es.amazonaws.com/;
proxy_redirect https://search-mystuff.ap-southeast-2.es.amazonaws.com/ /;
proxy_set_header Authorization "";
proxy_hide_header Authorization;
}
}
}
Rather than providing the full URL, I would like to simply hit the base domain name of the NGINX server, which would then redirect me to the full Kibana URI. So what I would LIKE to do is this:
http://nginx.domain.com
After entering the above URL, I would like to be redirected to the full Kibana URI, so I would end up with a URL like this
http://nginx.domain.com/_plugin/kibana/app/kibana
Here is the nginx configuration I have tried (in various different permutations) that does not work:
worker_processes 1;
events {
worker_connections 1024;
}
http {
server {
listen 80;
server_name localhost;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_set_header User-Agent $http_user_agent;
auth_basic_user_file /etc/nginx/.htpasswd;
auth_basic "Auth Required";
proxy_pass https://search-mystuff.ap-southeast-2.es.amazonaws.com/_plugin/kibana/app/kibana;
proxy_redirect https://search-mystuff.ap-southeast-2.es.amazonaws.com/_plugin/kibana/app/kibana /;
proxy_set_header Authorization "";
proxy_hide_header Authorization;
}
}
}
With the configuration above, when I browse to http://nginx.mydomain.com the URL is redirected to:
http://nginx.myaws.com.au/_plugin/kibana/app/kibana
This looks like it SHOULD work, however I receive an error in the browser window:
{"statusCode":404,"error":"Not Found"}
I have about 4 hours experience with nginx, so hopefully I'm missing something simple.
Any help would be very much appreciated, thank you!
Unfortunately the Kibana plugin included on with the AWS cluster is pretty much open to the world, so I have setup an NGINX reverse proxy to provide authenticated access. This is also working fine if I simply hit the domain URL and specify the full URI to the Kibana plugin. For example:
http://nginx.domain.com/_plugin/kibana/app/kibana works just fine, here in the nginx configuration I am using to achieve that:
worker_processes 1;
events {
worker_connections 1024;
}
http {
server {
listen 80;
server_name localhost;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_set_header User-Agent $http_user_agent;
auth_basic_user_file /etc/nginx/.htpasswd;
auth_basic "Auth Required";
proxy_pass https://search-mystuff.ap-southeast-2.es.amazonaws.com/;
proxy_redirect https://search-mystuff.ap-southeast-2.es.amazonaws.com/ /;
proxy_set_header Authorization "";
proxy_hide_header Authorization;
}
}
}
Rather than providing the full URL, I would like to simply hit the base domain name of the NGINX server, which would then redirect me to the full Kibana URI. So what I would LIKE to do is this:
http://nginx.domain.com
After entering the above URL, I would like to be redirected to the full Kibana URI, so I would end up with a URL like this
http://nginx.domain.com/_plugin/kibana/app/kibana
Here is the nginx configuration I have tried (in various different permutations) that does not work:
worker_processes 1;
events {
worker_connections 1024;
}
http {
server {
listen 80;
server_name localhost;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_set_header User-Agent $http_user_agent;
auth_basic_user_file /etc/nginx/.htpasswd;
auth_basic "Auth Required";
proxy_pass https://search-mystuff.ap-southeast-2.es.amazonaws.com/_plugin/kibana/app/kibana;
proxy_redirect https://search-mystuff.ap-southeast-2.es.amazonaws.com/_plugin/kibana/app/kibana /;
proxy_set_header Authorization "";
proxy_hide_header Authorization;
}
}
}
With the configuration above, when I browse to http://nginx.mydomain.com the URL is redirected to:
http://nginx.myaws.com.au/_plugin/kibana/app/kibana
This looks like it SHOULD work, however I receive an error in the browser window:
{"statusCode":404,"error":"Not Found"}
I have about 4 hours experience with nginx, so hopefully I'm missing something simple.
Any help would be very much appreciated, thank you!
↧
Redirect 301 only exact url and not all other sub urls
Dear All,
I'have some urls like these:
https://www.mydomain.com/catalog/category1
https://www.mydomain.com/catalog/category1/product1
https://www.mydomain.com/catalog/category1/product2
https://www.mydomain.com/catalog/category1/product3
...etc...
I have to redirect 301 only
https://www.mydomain.com/catalog/category1
to
https://www.mydomain.com/catalog/newcategory1
and not the other urls.
But if I do
location /catalog/category1 {
return 301 /catalog/newcategory1;
}
nginx redirect all the sub urls with https://www.mydomain.com/catalog/category1 as root to https://www.mydomain.com/catalog/newcategory1
How can I do?
Thank you very much.
Tarichecco
I'have some urls like these:
https://www.mydomain.com/catalog/category1
https://www.mydomain.com/catalog/category1/product1
https://www.mydomain.com/catalog/category1/product2
https://www.mydomain.com/catalog/category1/product3
...etc...
I have to redirect 301 only
https://www.mydomain.com/catalog/category1
to
https://www.mydomain.com/catalog/newcategory1
and not the other urls.
But if I do
location /catalog/category1 {
return 301 /catalog/newcategory1;
}
nginx redirect all the sub urls with https://www.mydomain.com/catalog/category1 as root to https://www.mydomain.com/catalog/newcategory1
How can I do?
Thank you very much.
Tarichecco
↧
↧
how to correct choosing wrong certificate
Hello,
i am new to nginx. the server script called "easyengine" for easy wordpress installation is using LEMP stack. So please bear with my novice experience.
What happened is, after latest apt-get update and upgrade Debian on my server, cloudflare started to threw 525 error regarding to SSL on my sites which using ssl.
I took out one of sites from Cloudflare. So currently i have 1 broken website for 525 error and 1 broken website which is picking wrong certificate. It picks certificate of my another site in my vps.
What should be the correct steps to correct this errors?
Thank you in advance,
i am new to nginx. the server script called "easyengine" for easy wordpress installation is using LEMP stack. So please bear with my novice experience.
What happened is, after latest apt-get update and upgrade Debian on my server, cloudflare started to threw 525 error regarding to SSL on my sites which using ssl.
I took out one of sites from Cloudflare. So currently i have 1 broken website for 525 error and 1 broken website which is picking wrong certificate. It picks certificate of my another site in my vps.
What should be the correct steps to correct this errors?
Thank you in advance,
↧
Re: how to correct choosing wrong certificate
You'll need to show the config files.
↧
How to forward SNMP Traps - UDP forwarding
Hi,
Just starting out with nginx - and trying to forward SNMP traps (UDP port 162) to two servers, one primary and one backup.
Current config is this:
# Load balance UDP-based trap traffic across two servers
stream {
upstream trap_lam {
server 172.16.225.140:163;
server 172.16.225.141:163 backup;
}
server {
listen 162 udp;
proxy_pass trap_lam;
proxy_timeout 1s;
proxy_responses 1;
error_log /var/log/nginx/trap.log debug;
}
}
If I send a trap to port 162 it does get forwarded - but always get forwarded to both servers. If I have a trap receiver or tcpdump running on both servers - I can see both being sent.
The debug shows this:
2017/05/25 10:53:21 [debug] 730#0: recvmsg on 0.0.0.0:162, ready: 0
2017/05/25 10:53:21 [debug] 730#0: posix_memalign: 00000000009B71A0:256 @16
2017/05/25 10:53:21 [debug] 730#0: posix_memalign: 00000000009B6C70:256 @16
2017/05/25 10:53:21 [debug] 730#0: malloc: 000000000099EAD0:827
2017/05/25 10:53:21 [debug] 730#0: *1 recvmsg: 172.16.225.140:58007 fd:11 n:827
2017/05/25 10:53:21 [info] 730#0: *1 udp client 172.16.225.140:58007 connected to 0.0.0.0:162
2017/05/25 10:53:21 [debug] 730#0: *1 proxy connection handler
2017/05/25 10:53:21 [debug] 730#0: *1 malloc: 0000000000999940:328
2017/05/25 10:53:21 [debug] 730#0: *1 posix_memalign: 000000000099BA10:256 @16
2017/05/25 10:53:21 [debug] 730#0: *1 get rr peer, try: 2
2017/05/25 10:53:21 [debug] 730#0: *1 get rr peer, current: 0000000000976A90 0
2017/05/25 10:53:21 [debug] 730#0: *1 dgram socket 3
2017/05/25 10:53:21 [debug] 730#0: *1 epoll add connection: fd:3 ev:80002005
2017/05/25 10:53:21 [debug] 730#0: *1 connect to 172.16.225.140:163, fd:3 #2
2017/05/25 10:53:21 [debug] 730#0: *1 connected
2017/05/25 10:53:21 [debug] 730#0: *1 proxy connect: 0
2017/05/25 10:53:21 [info] 730#0: *1 udp proxy 172.16.225.140:49464 connected to 172.16.225.140:163
2017/05/25 10:53:21 [debug] 730#0: *1 malloc: 000000000092CAD0:16384
2017/05/25 10:53:21 [debug] 730#0: *1 send: fd:3 827 of 827
2017/05/25 10:53:21 [debug] 730#0: *1 event timer add: 11: 1000:1495706002761
2017/05/25 10:53:21 [debug] 730#0: *1 event timer: 11, old: 1495706002761, new: 1495706002761
2017/05/25 10:53:22 [debug] 730#0: *1 event timer del: 11: 1495706002761
2017/05/25 10:53:22 [debug] 730#0: *1 stream proxy next upstream
2017/05/25 10:53:22 [debug] 730#0: *1 free rr peer 2 4
2017/05/25 10:53:22 [warn] 730#0: *1 upstream server temporarily disabled while proxying connection, udp client: 172.16.225.140, server: 0.0.0.0:162, upstream: "172.16.225.140:163", bytes from/to client:827/0, bytes from/to upstream:0/827
2017/05/25 10:53:22 [debug] 730#0: *1 free rr peer failed: 0000000000976A90 0
2017/05/25 10:53:22 [debug] 730#0: *1 close proxy upstream connection: 3
2017/05/25 10:53:22 [debug] 730#0: *1 reusable connection: 0
2017/05/25 10:53:22 [debug] 730#0: *1 get rr peer, try: 1
2017/05/25 10:53:22 [debug] 730#0: *1 backup servers
2017/05/25 10:53:22 [debug] 730#0: *1 get rr peer, try: 1
2017/05/25 10:53:22 [debug] 730#0: *1 get rr peer, current: 0000000000A09750 0
2017/05/25 10:53:22 [debug] 730#0: *1 dgram socket 3
2017/05/25 10:53:22 [debug] 730#0: *1 epoll add connection: fd:3 ev:80002005
2017/05/25 10:53:22 [debug] 730#0: *1 connect to 172.16.225.141:163, fd:3 #3
2017/05/25 10:53:22 [debug] 730#0: *1 connected
2017/05/25 10:53:22 [debug] 730#0: *1 proxy connect: 0
2017/05/25 10:53:22 [info] 730#0: *1 udp proxy 172.16.225.140:42569 connected to 172.16.225.141:163
2017/05/25 10:53:22 [debug] 730#0: *1 send: fd:3 827 of 827
2017/05/25 10:53:22 [debug] 730#0: *1 event timer add: 11: 1000:1495706003762
2017/05/25 10:53:22 [debug] 730#0: *1 event timer: 11, old: 1495706003762, new: 1495706003764
2017/05/25 10:53:22 [debug] 730#0: *1 event timer: 11, old: 1495706003762, new: 1495706003765
2017/05/25 10:53:23 [debug] 730#0: *1 event timer del: 11: 1495706003762
2017/05/25 10:53:23 [debug] 730#0: *1 stream proxy next upstream
2017/05/25 10:53:23 [debug] 730#0: *1 free rr peer 1 4
2017/05/25 10:53:23 [warn] 730#0: *1 upstream server temporarily disabled while proxying connection, udp client: 172.16.225.140, server: 0.0.0.0:162, upstream: "172.16.225.141:163", bytes from/to client:827/0, bytes from/to upstream:0/827
2017/05/25 10:53:23 [debug] 730#0: *1 free rr peer failed: 0000000000A09750 0
2017/05/25 10:53:23 [debug] 730#0: *1 finalize stream proxy: -5
2017/05/25 10:53:23 [debug] 730#0: *1 close stream proxy upstream connection: 3
2017/05/25 10:53:23 [debug] 730#0: *1 reusable connection: 0
2017/05/25 10:53:23 [debug] 730#0: *1 close stream connection: 11
2017/05/25 10:53:23 [debug] 730#0: *1 reusable connection: 0
2017/05/25 10:53:23 [debug] 730#0: *1 free: 000000000092CAD0
2017/05/25 10:53:23 [debug] 730#0: *1 free: 0000000000999940
2017/05/25 10:53:23 [debug] 730#0: *1 free: 000000000099EAD0
2017/05/25 10:53:23 [debug] 730#0: *1 free: 00000000009B71A0, unused: 0
2017/05/25 10:53:23 [debug] 730#0: *1 free: 00000000009B6C70, unused: 8
2017/05/25 10:53:23 [debug] 730#0: *1 free: 000000000099BA10, unused: 160
I was wondering if it's the proxy_responses that are causing the issue - an SNMP trap is a fire and forget - no response is expected or sent.
Any ideas ?
I couldn't find anything on the forum about SNMP - but apologies if that has been covered previously.
Cheers
Spike
Just starting out with nginx - and trying to forward SNMP traps (UDP port 162) to two servers, one primary and one backup.
Current config is this:
# Load balance UDP-based trap traffic across two servers
stream {
upstream trap_lam {
server 172.16.225.140:163;
server 172.16.225.141:163 backup;
}
server {
listen 162 udp;
proxy_pass trap_lam;
proxy_timeout 1s;
proxy_responses 1;
error_log /var/log/nginx/trap.log debug;
}
}
If I send a trap to port 162 it does get forwarded - but always get forwarded to both servers. If I have a trap receiver or tcpdump running on both servers - I can see both being sent.
The debug shows this:
2017/05/25 10:53:21 [debug] 730#0: recvmsg on 0.0.0.0:162, ready: 0
2017/05/25 10:53:21 [debug] 730#0: posix_memalign: 00000000009B71A0:256 @16
2017/05/25 10:53:21 [debug] 730#0: posix_memalign: 00000000009B6C70:256 @16
2017/05/25 10:53:21 [debug] 730#0: malloc: 000000000099EAD0:827
2017/05/25 10:53:21 [debug] 730#0: *1 recvmsg: 172.16.225.140:58007 fd:11 n:827
2017/05/25 10:53:21 [info] 730#0: *1 udp client 172.16.225.140:58007 connected to 0.0.0.0:162
2017/05/25 10:53:21 [debug] 730#0: *1 proxy connection handler
2017/05/25 10:53:21 [debug] 730#0: *1 malloc: 0000000000999940:328
2017/05/25 10:53:21 [debug] 730#0: *1 posix_memalign: 000000000099BA10:256 @16
2017/05/25 10:53:21 [debug] 730#0: *1 get rr peer, try: 2
2017/05/25 10:53:21 [debug] 730#0: *1 get rr peer, current: 0000000000976A90 0
2017/05/25 10:53:21 [debug] 730#0: *1 dgram socket 3
2017/05/25 10:53:21 [debug] 730#0: *1 epoll add connection: fd:3 ev:80002005
2017/05/25 10:53:21 [debug] 730#0: *1 connect to 172.16.225.140:163, fd:3 #2
2017/05/25 10:53:21 [debug] 730#0: *1 connected
2017/05/25 10:53:21 [debug] 730#0: *1 proxy connect: 0
2017/05/25 10:53:21 [info] 730#0: *1 udp proxy 172.16.225.140:49464 connected to 172.16.225.140:163
2017/05/25 10:53:21 [debug] 730#0: *1 malloc: 000000000092CAD0:16384
2017/05/25 10:53:21 [debug] 730#0: *1 send: fd:3 827 of 827
2017/05/25 10:53:21 [debug] 730#0: *1 event timer add: 11: 1000:1495706002761
2017/05/25 10:53:21 [debug] 730#0: *1 event timer: 11, old: 1495706002761, new: 1495706002761
2017/05/25 10:53:22 [debug] 730#0: *1 event timer del: 11: 1495706002761
2017/05/25 10:53:22 [debug] 730#0: *1 stream proxy next upstream
2017/05/25 10:53:22 [debug] 730#0: *1 free rr peer 2 4
2017/05/25 10:53:22 [warn] 730#0: *1 upstream server temporarily disabled while proxying connection, udp client: 172.16.225.140, server: 0.0.0.0:162, upstream: "172.16.225.140:163", bytes from/to client:827/0, bytes from/to upstream:0/827
2017/05/25 10:53:22 [debug] 730#0: *1 free rr peer failed: 0000000000976A90 0
2017/05/25 10:53:22 [debug] 730#0: *1 close proxy upstream connection: 3
2017/05/25 10:53:22 [debug] 730#0: *1 reusable connection: 0
2017/05/25 10:53:22 [debug] 730#0: *1 get rr peer, try: 1
2017/05/25 10:53:22 [debug] 730#0: *1 backup servers
2017/05/25 10:53:22 [debug] 730#0: *1 get rr peer, try: 1
2017/05/25 10:53:22 [debug] 730#0: *1 get rr peer, current: 0000000000A09750 0
2017/05/25 10:53:22 [debug] 730#0: *1 dgram socket 3
2017/05/25 10:53:22 [debug] 730#0: *1 epoll add connection: fd:3 ev:80002005
2017/05/25 10:53:22 [debug] 730#0: *1 connect to 172.16.225.141:163, fd:3 #3
2017/05/25 10:53:22 [debug] 730#0: *1 connected
2017/05/25 10:53:22 [debug] 730#0: *1 proxy connect: 0
2017/05/25 10:53:22 [info] 730#0: *1 udp proxy 172.16.225.140:42569 connected to 172.16.225.141:163
2017/05/25 10:53:22 [debug] 730#0: *1 send: fd:3 827 of 827
2017/05/25 10:53:22 [debug] 730#0: *1 event timer add: 11: 1000:1495706003762
2017/05/25 10:53:22 [debug] 730#0: *1 event timer: 11, old: 1495706003762, new: 1495706003764
2017/05/25 10:53:22 [debug] 730#0: *1 event timer: 11, old: 1495706003762, new: 1495706003765
2017/05/25 10:53:23 [debug] 730#0: *1 event timer del: 11: 1495706003762
2017/05/25 10:53:23 [debug] 730#0: *1 stream proxy next upstream
2017/05/25 10:53:23 [debug] 730#0: *1 free rr peer 1 4
2017/05/25 10:53:23 [warn] 730#0: *1 upstream server temporarily disabled while proxying connection, udp client: 172.16.225.140, server: 0.0.0.0:162, upstream: "172.16.225.141:163", bytes from/to client:827/0, bytes from/to upstream:0/827
2017/05/25 10:53:23 [debug] 730#0: *1 free rr peer failed: 0000000000A09750 0
2017/05/25 10:53:23 [debug] 730#0: *1 finalize stream proxy: -5
2017/05/25 10:53:23 [debug] 730#0: *1 close stream proxy upstream connection: 3
2017/05/25 10:53:23 [debug] 730#0: *1 reusable connection: 0
2017/05/25 10:53:23 [debug] 730#0: *1 close stream connection: 11
2017/05/25 10:53:23 [debug] 730#0: *1 reusable connection: 0
2017/05/25 10:53:23 [debug] 730#0: *1 free: 000000000092CAD0
2017/05/25 10:53:23 [debug] 730#0: *1 free: 0000000000999940
2017/05/25 10:53:23 [debug] 730#0: *1 free: 000000000099EAD0
2017/05/25 10:53:23 [debug] 730#0: *1 free: 00000000009B71A0, unused: 0
2017/05/25 10:53:23 [debug] 730#0: *1 free: 00000000009B6C70, unused: 8
2017/05/25 10:53:23 [debug] 730#0: *1 free: 000000000099BA10, unused: 160
I was wondering if it's the proxy_responses that are causing the issue - an SNMP trap is a fire and forget - no response is expected or sent.
Any ideas ?
I couldn't find anything on the forum about SNMP - but apologies if that has been covered previously.
Cheers
Spike
↧
Re: Redirect 301 only exact url and not all other sub urls
Each nginx request is handled by one and only one location. Since these requests match the location you've put, that's where they're handled.
You'll need to set up two locations, once for that specific URI, and one for the others.
See http://nginx.org/en/docs/http/ngx_http_core_module.html#location.
You'll need to set up two locations, once for that specific URI, and one for the others.
See http://nginx.org/en/docs/http/ngx_http_core_module.html#location.
↧
↧
Re: how to correct choosing wrong certificate
Hi Jim, thanks for reaching out.
For the site that looking for wrong certificate and calling for wrong site (first alphabetical site) config files.
Main nginx.conf as follows
user www-data;
worker_processes auto;
worker_rlimit_nofile 100000;
pid /run/nginx.pid;
events {
worker_connections 4096;
multi_accept on;
}
http {
##
# EasyEngine Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 30;
types_hash_max_size 2048;
server_tokens off;
reset_timedout_connection on;
#add_header X-Powered-By "EasyEngine 3.7.4";
add_header rt-Fastcgi-Cache $upstream_cache_status;
# Limit Request
limit_req_status 403;
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
# Proxy Settings
# set_real_ip_from proxy-server-ip;
# real_ip_header X-Forwarded-For;
fastcgi_read_timeout 300;
client_max_body_size 100m;
##
# SSL Settings
##
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on;
ssl_ciphers ***i remove this part for public posting***;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
##
# Basic Settings
##
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log debug;
# Log format Settings
log_format rt_cache '$remote_addr $upstream_response_time $upstream_cache_status [$time_local] '
'$http_host "$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types
application/atom+xml
application/javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/svg+xml
image/x-icon
text/css
text/plain
text/x-component
text/xml
text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
---------------------------------------------------------------------------
and config file for probematic sites in sites-available
server {
listen 80;
listen [::]:80;
server_name pratikk.net www.pratikk.net;
access_log /var/log/nginx/pratikk.net.access.log rt_cache;
error_log /var/log/nginx/pratikk.net.error.log;
root /var/www/pratikk.net/htdocs;
index index.php index.html index.htm;
include common/wpfc-php7.conf;
include common/wpcommon-php7.conf;
include common/locations-php7.conf;
}
-------------------------------------------------------------------------
default file in sites-available
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
}
------------
and also in folder that conf includes php7.conf
# PHP NGINX CONFIGURATION
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_pass php7;
}
------------
in snippets folder fastcgi-php.conf :
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;
# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_index index.php;
include fastcgi.conf;
For the site that looking for wrong certificate and calling for wrong site (first alphabetical site) config files.
Main nginx.conf as follows
user www-data;
worker_processes auto;
worker_rlimit_nofile 100000;
pid /run/nginx.pid;
events {
worker_connections 4096;
multi_accept on;
}
http {
##
# EasyEngine Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 30;
types_hash_max_size 2048;
server_tokens off;
reset_timedout_connection on;
#add_header X-Powered-By "EasyEngine 3.7.4";
add_header rt-Fastcgi-Cache $upstream_cache_status;
# Limit Request
limit_req_status 403;
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
# Proxy Settings
# set_real_ip_from proxy-server-ip;
# real_ip_header X-Forwarded-For;
fastcgi_read_timeout 300;
client_max_body_size 100m;
##
# SSL Settings
##
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on;
ssl_ciphers ***i remove this part for public posting***;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
##
# Basic Settings
##
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log debug;
# Log format Settings
log_format rt_cache '$remote_addr $upstream_response_time $upstream_cache_status [$time_local] '
'$http_host "$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types
application/atom+xml
application/javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/svg+xml
image/x-icon
text/css
text/plain
text/x-component
text/xml
text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
---------------------------------------------------------------------------
and config file for probematic sites in sites-available
server {
listen 80;
listen [::]:80;
server_name pratikk.net www.pratikk.net;
access_log /var/log/nginx/pratikk.net.access.log rt_cache;
error_log /var/log/nginx/pratikk.net.error.log;
root /var/www/pratikk.net/htdocs;
index index.php index.html index.htm;
include common/wpfc-php7.conf;
include common/wpcommon-php7.conf;
include common/locations-php7.conf;
}
-------------------------------------------------------------------------
default file in sites-available
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
}
------------
and also in folder that conf includes php7.conf
# PHP NGINX CONFIGURATION
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_pass php7;
}
------------
in snippets folder fastcgi-php.conf :
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;
# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_index index.php;
include fastcgi.conf;
↧
Re: how to correct choosing wrong certificate
Something seems to be missing. Where are you defining 'ssl_certificate' and 'ssl_certificate_key'?
↧
Re: Redirect 301 only exact url and not all other sub urls [SOLVED]
Hi Jim,
Thank you very much!
In LOCATION statement I forgot the equal operator "="
location = /catalog/category1 {
return 301 /catalog/newcategory1;
}
In this way redirect only the exact match with (https://www.mydomain.com/catalog/category1 ) and the other sub urls remains the same.
Before
https://www.mydomain.com/catalog/category1
https://www.mydomain.com/catalog/category1/product1
https://www.mydomain.com/catalog/category1/product2
https://www.mydomain.com/catalog/category1/product3
After
https://www.mydomain.com/catalog/newcategory1
https://www.mydomain.com/catalog/category1/product1
https://www.mydomain.com/catalog/category1/product2
https://www.mydomain.com/catalog/category1/product3
Thank you very much!
In LOCATION statement I forgot the equal operator "="
location = /catalog/category1 {
return 301 /catalog/newcategory1;
}
In this way redirect only the exact match with (https://www.mydomain.com/catalog/category1 ) and the other sub urls remains the same.
Before
https://www.mydomain.com/catalog/category1
https://www.mydomain.com/catalog/category1/product1
https://www.mydomain.com/catalog/category1/product2
https://www.mydomain.com/catalog/category1/product3
After
https://www.mydomain.com/catalog/newcategory1
https://www.mydomain.com/catalog/category1/product1
https://www.mydomain.com/catalog/category1/product2
https://www.mydomain.com/catalog/category1/product3
↧
Re: how to correct choosing wrong certificate
ah indeed. i was just trying to disable https and because of that i had removed the row where includes the folder who has ssl.conf
#include /var/www/pratikk.net/conf/nginx/*.conf;
---
in that folder there is a ssl.conf (which i disabled by putting .disabled extension)
here is its content
listen 443 ssl http2;
ssl on;
ssl_certificate /etc/letsencrypt/live/pratikk.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/pratikk.net/privkey.pem;
#include /var/www/pratikk.net/conf/nginx/*.conf;
---
in that folder there is a ssl.conf (which i disabled by putting .disabled extension)
here is its content
listen 443 ssl http2;
ssl on;
ssl_certificate /etc/letsencrypt/live/pratikk.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/pratikk.net/privkey.pem;
↧
↧
Re: how to correct choosing wrong certificate
also this easyengine automation script creates lots of conf file and since i don't know exaclty which would be related, i just shared mightbe related conf contents.now i include the other files names in jpgs for you to look at the names.
↧
Re: how to correct choosing wrong certificate
OK, assuming you are using a valid certificate from Letsencrypt, check '/etc/letsencrypt/live/' directory for other possible paths. If you have a valid certificate it should be in there. You might need to regenerate your certificates and reload nginx.
↧
Single Sign-On
Hey everyone!
I'm using nginx 2 months now and i got everything to work like i wanted to. The last thing thats missing is Single Sign-On (SSO).
I googled how to set it up, but there are so many sites and different tutorials and i can't seem to find one that works. I always read that i have to add the "auth_request" module to nginx, but it's still not working.
I'm using CentOS 7 with the newest version of nginx.
So my question now is: Did anyone of you already set up nginx with SSO or knows a good tutorial for CentOS 7?
I would really appreciate it.
I'm using nginx 2 months now and i got everything to work like i wanted to. The last thing thats missing is Single Sign-On (SSO).
I googled how to set it up, but there are so many sites and different tutorials and i can't seem to find one that works. I always read that i have to add the "auth_request" module to nginx, but it's still not working.
I'm using CentOS 7 with the newest version of nginx.
So my question now is: Did anyone of you already set up nginx with SSO or knows a good tutorial for CentOS 7?
I would really appreciate it.
↧
Re: how to correct choosing wrong certificate
yes i have valid certificate. so should i enable the row where includes the folder who has ssl.conf
( this one >> #include /var/www/pratikk.net/conf/nginx/*.conf )
and regenerate the certificate (which is valid until july by the way) ?
( this one >> #include /var/www/pratikk.net/conf/nginx/*.conf )
and regenerate the certificate (which is valid until july by the way) ?
↧
↧
Re: how to correct choosing wrong certificate
hello, i want to give an update.i regenerated the certificates and i duplicated the nginx site conf files from a working site in the same server. then changed site references . and now it is working. i don't know if i forgot space or another character in config files. and it is now working. thanks for reaching out.
↧
Concat vars and text in map directive
Hi,
I'm trying to use the map directive to rewrite the URL arg of my request to force https instead of http.
Example :
Request is : "GET https://www.mywebsite.com/?url=http://www.mysecondwebsite.com"
In this example, i'm trying to rewrite the http in the URL arg with https to obtain "GET https://www.mywebsite.com/?url=httpS://www.mysecondwebsite.com"
Using this configuration :
map $arg_url $arg_url_https {
default $arg_url;
"~*http:(?<suite>.+)" https:$suite;
}
But concat of "https: + $suite" just makes the text value "https:$suite" instead of interpreting the $suite value.
$suite works well when alone.
If you have any solution or another directive that could be used to force https in the url arg, it could be great.
This is part of a reverse proxy setup using the url arg in the proxy_pass directive to forward traffic.
Thanks
Alex
I'm trying to use the map directive to rewrite the URL arg of my request to force https instead of http.
Example :
Request is : "GET https://www.mywebsite.com/?url=http://www.mysecondwebsite.com"
In this example, i'm trying to rewrite the http in the URL arg with https to obtain "GET https://www.mywebsite.com/?url=httpS://www.mysecondwebsite.com"
Using this configuration :
map $arg_url $arg_url_https {
default $arg_url;
"~*http:(?<suite>.+)" https:$suite;
}
But concat of "https: + $suite" just makes the text value "https:$suite" instead of interpreting the $suite value.
$suite works well when alone.
If you have any solution or another directive that could be used to force https in the url arg, it could be great.
This is part of a reverse proxy setup using the url arg in the proxy_pass directive to forward traffic.
Thanks
Alex
↧
Re: conflicting server name
Even after restart getting same error.Kindly provide us the exact steps
↧