Channel: Nginx Forum - How to...

Submit Query to a particular server behind NGINX

I am querying an NGINX server for a static file. I believe there is more than one upstream server behind the NGINX at :80; I say this because of the two different 'Server' headers I receive in the responses. One server is significantly faster than the other one. Is there any way I could direct my request to a particular server from the client side?
Or is there any way to reset the proxy_cache_key associated with my requests from the client side, so that my requests will go to the good server consecutively?

Any guidance is greatly appreciated.

Thank you

Re: redirect http to https, but exclude API

Thanks, but I can't follow :(

I can't see any specific info about /api/*
Some explanations would be very helpful :)

Re: redirect http to https, but exclude API

Change the '/well-known 0; ' line to a URL (portion) which should not be redirected.

nginx domain not work, redirect all sub domain to main domain

I have a problem with my nginx, more specifically I have added several sub domains and the problem is that as it enters the sub domain it redirects to the main domain. My configuration below.

https://pastebin.com/iKsjQ9wX

How to prevent unauthorized domain forwarding with Nginx?

Hi,

An unauthorized domain koyblanafuc.cf is forwarding to our domain quackquack.in. We tried to stop this unauthorized domain from rendering our content/pages via nginx.

The solution to the problem worked on http, but it doesn't seem to be working on https. To catch non-authorized domains on both http and https:

-----
server {
    listen 80 default_server;
    root /aaa/bbb/www/404;
    index index.html index.htm;
    location / {
        try_files $uri $uri/ =404;
    }
}

server {
    listen 443 default_server;
    root /aaa/bbb/www/404;
    index index.html index.htm;
    location / {
        try_files $uri $uri/ =404;
    }
}
----

But I received the error as...

-----
Secure Connection Failed

An error occurred during a connection to quackquack.in. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG
-----

My Domain Non-SSL V-host:

-----
server {
    listen 80;
    server_name quackquack.in www.quackquack.in;
    server_tokens off;
-----

My Domain SSL V-host:
-----
server {
    listen 443;
    server_name quackquack.in;

    ssl on;
    ssl_certificate /myssl_crt_file;
    ssl_certificate_key /myssl_key_file;

    ssl_protocols SSLv2 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
    ssl_prefer_server_ciphers on;
-----

Any suggestions will greatly help!
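
One way to build the catch-all this post is after, shown as an added example (not the poster's or the nginx project's own configuration). A default server on 443 declared without `ssl` speaks plain HTTP on that port, which is what a browser reports as SSL_ERROR_RX_RECORD_TOO_LONG. Assumptions: nginx 1.19.4 or later for `ssl_reject_handshake`, an OpenSSL build with TLSv1.3, and placeholder certificate and root paths.

```nginx
# Added example. Paths under /etc/nginx/tls/ and /var/www/ are placeholders,
# not values from the post.

# Catch-all for plain HTTP: any Host not matched by a named server lands here.
server {
    listen 80 default_server;
    server_name _;
    return 444;                  # close the connection without a response
}

# Catch-all for HTTPS. The "ssl" parameter is what makes nginx speak TLS on
# this socket; without it the default server answers in plain HTTP.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;     # refuse the handshake for unknown server names
}

# On nginx older than 1.19.4, give the catch-all a certificate instead:
# server {
#     listen 443 ssl default_server;
#     server_name _;
#     ssl_certificate     /etc/nginx/tls/placeholder.crt;   # may be self-signed
#     ssl_certificate_key /etc/nginx/tls/placeholder.key;
#     return 444;
# }

# The real site is reached only through its own name.
server {
    listen 443 ssl;
    server_name quackquack.in;

    ssl_certificate     /etc/nginx/tls/site.crt;
    ssl_certificate_key /etc/nginx/tls/site.key;
    ssl_protocols TLSv1.2 TLSv1.3;   # SSLv2 and the early TLS versions left out
    ssl_prefer_server_ciphers on;

    root /var/www/site;
}
```

After a reload, `nginx -T` prints the merged configuration, which makes it easy to confirm that each port has exactly one `default_server`.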

How to load balance dns with nginx and lua

Hello,
I have two DNS servers that have different purposes. The two of them listen locally, and it's nginx which exposes UDP port 53.
Basically, one just filters some domain names and the other allows all the traffic.
I'm choosing between the two DNS servers based on a variable stored in a Redis database.

I would like to find a way to script nginx in Lua, or something else, to read the Redis variable and choose the right DNS server to forward the request to.

I saw that I have to use the stream directive to listen on UDP port 53, but I cannot find a proper way to make the Lua scripting work.

If you, nginx gurus, have a solution to propose, I will be very thankful.

Here's my non-working code:

stream {
    upstream dns1 { server 172.16.0.1:53; }
    upstream dns2 { server 172.16.0.2:53; }

    server {
        listen 53 udp;

        # That part not working
        set $dns;
        content_by_lua_block {

            local redis = require "resty.redis"
            local red = redis:new()

            local ok, err = red:connect("redis-ip", 6379)
            if not ok then
                nginx.say("failed to connect: ", err)
                return
            end

            local res, err = red:get("The redis var")
            if not res then
                ngx.var.dns = upstream.get_servers("dns1")
            else
                ngx.var.dns = upstream.get_servers("dns2")
            end

        }
        proxy_pass $dns
    }

}

What is the difference between "$is_args$args" and "$query_string"?

Hi guys.

$is_args$args
and
$query_string
Are they the same?

# pattern 1
location ~ ^/test/enter1.html {
    rewrite (.*) http://another.com/test/list1.html$is_args$args;
}

# pattern 2
location ~ ^/test/enter2.html {
    rewrite (.*) http://another.com/test/list2.html$query_string;
}

I tried
/test/enter1.html?page=10
/test/enter2.html?page=10

pat.1 -> list1.html?page=10?page=10
pat.2 -> list2.html?page=10

I think they are the same.
Am I misunderstanding?

Re: Preserving Source IP using SSL Preread + OpenVPN

I have attempted this as well but so far no luck. I feel it is close but something may be missing.
Currently I have it listening on multiple ports in the stream block, and passing it back to the same server locally on another port.
I am able to view the source IP successfully on the website request, however not the VPN request.
Currently the only error I am experiencing is the one below.
This is a Windows RAAS VPN Server.

10.0.0.55 is the NGINX server handling all of the requests.
I have attached a screenshot of both the error and access logs.
For some reason the website requests are preserving the IP but the VPN requests are not.

Here is my web server block.
server {
    listen 9999 ssl proxy_protocol;
    ssl_certificate *;
    ssl_certificate_key *;
    server_name webserver;
    set $upstream 10.0.0.62;

    location / {
        proxy_pass_header Authorization;
        proxy_pass https://$upstream;
        proxy_set_header Host $host;
        proxy_redirect off;
        proxy_set_header X-Real-IP $proxy_protocol_addr;
        proxy_set_header X-Forwarded-For $proxy_protocol_addr;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        index index.html index.htm;
        include /etc/nginx/mime.types;
    }
}


Here is the VPN server block
server {
    listen 9997 ssl proxy_protocol;
    ssl_certificate *;
    ssl_certificate_key *;
    server_name vpn;
    location / {
        proxy_pass https://192.168.2.3:443;
        proxy_pass_header Authorization;
        proxy_set_header Host $host;
        proxy_redirect off;
        proxy_set_header X-Real-IP $proxy_protocol_addr;
        proxy_set_header X-Forwarded-For $proxy_protocol_addr;
        proxy_set_header Connection "";
        proxy_buffering off;
        proxy_connect_timeout 10;
    }
}

Here is my stream block
stream {
    map $ssl_preread_server_name $name {
        server1.com server1;
        server2.com server2;
        server3.com server3;
    }

    upstream server1 {
        server 10.0.0.55:9997;
    }

    upstream server2 {
        server 10.0.0.55:9999;
    }

    upstream server3 {
        server 10.0.0.55:9998;
    }

    server {
        listen 443;
        proxy_protocol on;
        proxy_pass $name;
        ssl_preread on;
    }
}

response page based on mod security rule in error logs?

Hi, I would like to accomplish the following.

ModSecurity is enabled in nginx, and when a false positive is hit and some rule blocks some page, I want the response page to be shown with the error code from the modsec rule. For example: you have been blocked by mod security rule "XXX", with the rule taken from the logs. I think this can eventually be accomplished using if and a map variable in the nginx configuration plus some dynamic error page, but I am not sure at all. Can anyone share their expert advice or experience?

thank you in advance!

Simplesaml configuration

Hi, I'm having a little trouble configuring simplesaml with nginx.

My server config is:

location /simplesaml {
    alias /var/simplesamlphp/www;

    index index.php;

    location ~ \.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_index index.php;
        fastcgi_pass 127.0.0.1:9000;
        include fastcgi_params;
    }
}

I get the following error:

*203 FastCGI sent in stderr: "Unable to open primary script: /var/simplesamlphp/www/simplesaml/index.php (No such file or directory)"

The problem is that my url is being included in the alias, for example:

/var/simplesamlphp/www/simplesaml/index.php

Should be:

/var/simplesamlphp/www/index.php

Many thanks
Jonny

can login to site with reason=0

Hello,

we are using nginx version: nginx/1.10.2
centos 7

and we have the weirdest issue with nginx:
we connected an upstream to 2 servers, and
when both work, we see in the access log

GET /owa/auth/logon.aspx?url=https%3a%2f%2fmail.domain.local%2fowa%2f&reason=0

and we cannot log in; it redirects to the login page all over again. But
if in the settings I make the upstream work on 1 site, it logs in fine!
What could be the issue?

you can see the commented domain2 at the /etc/nginx/conf.d/default.conf below

conf files here :

/etc/nginx/nginx.conf


user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        root /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
}



/etc/nginx/conf.d/default.conf


server {
    listen 80;
    return 301 https://$host$request_uri;
}

upstream cas {
    server domain1:443;
    # server domain2:443;
}

server {
    listen 443 ssl;
    server_name *.blackrock.local;

    ssl on;
    ssl_certificate /etc/nginx/certs/outlook_rev_proxy.cer;
    ssl_certificate_key /etc/nginx/certs/outlook_rev_proxy.key;

    location / {
        proxy_pass https://cas;
        proxy_read_timeout 360;
        proxy_pass_header Date;
        proxy_pass_header Server;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Help with redirects

Good mates,

I tell you the case, I have made the ironing of the content of my website, I have generated some rules to display those files at the same time that I show my website in wordpress.

The rules for each url look like this:

Rewrite ^ / category / url1 / /category/file1/url1/index.php last;
Rewrite ^ / category / url1 / category / file1 / url1 / last;

When I visit the url it is shown as https: // domain / category / url1 /

But if I make the same request without https and without "/" at the end the path is shown: http: //domain/category/url1/index.php

How do I do that if it is accessed by https show the first url and not the second?


Thank you very much for your help!

DreamHost and craft cms

Hey folks,

I need some help dealing with DreamHost and installing Craft CMS (on DreamHost). I have a VPS (virtual private server) on DreamHost. I was told that I could have nginx and Craft working on the VPS. But now I'm told that I do not have access to 'sudo', so I can't configure default.conf. The DreamHost docs suggest that I can create a conf by creating the file in domainName/nginx. The first problem is that I don't know what is supposed to go into the conf file; a second problem is what the name of the conf file would be.

Normally, the default.conf has very little in it and I setup a sitename.vhost that contains:

server {
    listen 80;
    # listen [::]:80 default_server;
    listen 443 ssl http2;
    # listen [::]:443 ssl http2;

    # vhost specific logs.
    access_log sitename/logs/craftcms.access.log;
    error_log sitename/logs/craftcms.error.log error;

    # Webroot directory
    root sitename/public;
    index index.html index.php;
    server_name sitename;

    # SSL Configurations
    include /etc/nginx/conf/ssl-craftcms-selfsigned.conf;

    # Secure Configurations
    include /etc/nginx/conf/secure-craftcms.conf;

    # PHP Configurations
    include /etc/nginx/conf/php-fpm.conf;
}

Since I don't even know where the php files are located and where the php-fpm files are, I'm at a loss.
I need some help and I'm hoping that someone understands the DreamHost setup.
Thanks for any help,
Johnf

Help with redirect

Hi,
I want to redirect an url like
http://my-site.fr/?param1=xx&param2=xx&param3==xx to the homepage but that doesn't work.
Could you help me?
I tested many syntaxes but nothing works correctly:
rewrite ^/?param1=xx&param2=xx&param3==xx http://my-site.fr permanent;

Could you help me ?

Thank you

Conditional secure_link

Hi everyone,

I need to set a new secured location in my nginx. For that I'm using http_secure_link_module.

If the URL contains the correct token I proceed to return the page to the user, and also add a "Set-Cookie" header status=is_authorized. If the token is incorrect I return a 403 status code to the user. Until here everything is working fine.

The thing is: I need this secure_link to be conditional, for example, if the user has the status cookie set as is_authorized the token won't be required to be a part of the url (or the secure_link directive to be disabled).

Is there a way to achieve that?

Here's what I've got so far:

=========================================================

location / {

    if ($cookie_STATUS = "IS_AUTHORIZED") {
        # if possible cancel secure_link for authorized (with cookie) users.
    }

    secure_link $arg_token;
    secure_link_md5 "MD5_SECRET_PARAMETERS";

    set $token $arg_token;

    if ($secure_link = "") {
        return 403;
    }

    if ($secure_link = "0") {
        return 410;
    }

    add_header Set-Cookie STATUS=IS_AUTHORIZED;
    add_header Set-Cookie TOKEN=$arg_token;

    include /usr/local/nginx/conf/rewrite_rules.conf;

    proxy_cache confluence_cache;
    include /usr/local/nginx/conf/cache.conf;
    # include /etc/nginx/shared/google_analytics.conf;

    proxy_set_header Authorization "Basic BASE_64_HASH";
    proxy_pass PROXY_URL;
}

=================================================

Thank you,
Raphael.

Re: response page based on mod security rule in error logs?

I think that as a workaround the x-request-id header can be used. I have enabled request_id headers in nginx (which works as a reverse proxy) in the following way:

In nginx.conf my log format has included $request_id as follows:

log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent $request_id "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for"';


In the ghost configs I have headers like the following:
location / {
...
add_header X-Request-Id $request_id;
proxy_set_header X-Request-Id $request_id;

I would like to accomplish the following things.

1. In all logs and all requests (access, error, mod security audit logs) the request_id should be logged (as it should be, but it currently does not work).
2. When I open the site, X-Request-ID should be set in the request headers, not only in the response headers. Currently I have the x-request-id header only in the response headers.
3. When I have been blocked by some mod security rule with status 403, the headers should be present and the id should be logged in the logs too. Currently on a 403 response I don't have the header in either the request headers or the response headers (only on a normal query).

Can you please explain me where I am wrong? Thank you in advance.

Re: Conditional secure_link

I've managed to do that with another variable inside my configuration file.

# if token is invalid nginx set $secure_link as empty string
if ($secure_link = "") {
    set $is_allowed 'forbidden';
}

# if expiration time is gone nginx set $secure_link as 0
if ($secure_link = "0") {
    set $is_allowed 'gone';
}

# if status cookie is set $is_allowed get 'authorized' as value
if ($cookie_STATUS = "IS_AUTHORIZED") {
    set $is_allowed 'authorized';
}

# return 403 if $is_allowed = forbidden
if ($is_allowed = 'forbidden') {
    return 403;
}

# return 410 if $is_allowed = gone
if ($is_allowed = 'gone') {
    return 410;
}


Then it proceeds normally, setting the proxy and other things.
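
An alternative to deciding on a constant cookie value, which any client can set for itself, shown as an added example (not the poster's configuration): the token is validated on every request, taken from the URL or, when the URL has none, from the TOKEN cookie stored on the first visit. `$link_token` is a name introduced here, and the approach assumes the `secure_link_md5` expression does not include `$uri`, so that one token validates on every page.

```nginx
# Added example; the map goes in the http context.
# $link_token is a hypothetical variable name introduced for this example.
map $arg_token $link_token {
    ""      $cookie_TOKEN;   # no token in the URL: use the copy kept in the cookie
    default $arg_token;      # a token in the URL takes precedence
}

server {
    # listen / server_name / TLS settings omitted

    location / {
        # Validate whichever token was selected. No client-chosen flag takes part
        # in the decision: only a token matching the MD5 expression is accepted.
        secure_link     $link_token;
        secure_link_md5 "MD5_SECRET_PARAMETERS";   # placeholder from the original post

        if ($secure_link = "")  { return 403; }    # token missing or invalid
        if ($secure_link = "0") { return 410; }    # expired (only if the link carries an expiry)

        # Keep the validated token for later requests without ?token=...
        add_header Set-Cookie "TOKEN=$link_token; Path=/; Secure; HttpOnly";

        proxy_pass PROXY_URL;                      # placeholder from the original post
    }
}
```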

Is it ok to set up gzip compression with https?

Hello,

I'm new to Nginx and taking a course on it. The course recommends turning on gzip compression and using caching. I see that the Nginx configuration file makes a note of a bug from 2014. The bug seems to note a security issue when using Nginx with ssl and gzip for compression. Is this bug still a problem? Is it safe to use gzip compression with ssl? [I'm planning on implementing a Let's Encrypt cert down the road.]

Bug from the debian bug tracker
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773332

I'm using ubuntu 16.04.2 LTS and nginx version
nginx/xenial,xenial,now 1.12.0-1+xenial1 all [installed]

in my nginx.conf
user www-data;
worker_processes auto;

pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    # '$status $body_bytes_sent "$http_referer" '
    # '"$http_user_agent" "$http_x_forwarded_for"';
    error_log /var/log/nginx_error.log error;
    #access_log logs/access.log main;

    sendfile on;
    #tcp_nopush on;

    keepalive_timeout 65;

    # SSL
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # no sslv3 (poodle etc.)
    ssl_prefer_server_ciphers on;

    # Gzip Settings
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_min_length 512;
    gzip_types text/plain text/html application/json application/javascript application/xml application/xml+rss application/x-javascript text/javascript application/javascript text/xml text/css application/font-sfnt;

    fastcgi_cache_path /usr/share/nginx/cache/fcgi levels=1:2 keys_zone=microcache:10m max_size=1024m inactive=1h;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}


Thanks!
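
A common way to keep compression while addressing the gzip-over-TLS concern raised in this question, shown as an added example (not from the poster or the course): compress static assets, and switch gzip off for responses that can combine secrets with request-controlled data. The server name, paths and backend address are placeholders.

```nginx
# Added example; these directives go in the http context.
# example.test, the paths and 127.0.0.1:8080 are placeholders.
gzip            on;
gzip_vary       on;
gzip_min_length 512;
# text/html is always compressed while gzip is on; it cannot be excluded through
# gzip_types, and listing it again only produces a "duplicate MIME type" warning.
gzip_types      text/plain text/css application/javascript application/json
                application/xml text/xml;

server {
    listen 443 ssl;
    server_name example.test;
    ssl_certificate     /etc/nginx/tls/placeholder.crt;
    ssl_certificate_key /etc/nginx/tls/placeholder.key;

    # Static files carry no per-user secrets, so compression stays on.
    location /assets/ {
        root /var/www/example;
    }

    # Dynamic pages may place session or CSRF tokens next to reflected input,
    # which is the case the compression side channel depends on.
    location / {
        gzip off;
        proxy_pass http://127.0.0.1:8080;
    }
}
```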

Specifying multiple OpenSSL options when building NGINX

Hello,

I want to compile NGINX and want to use non-system version of OpenSSL with some OpenSSL options. So, I wonder what is the syntax for specifying multiple OpenSSL options.

--with-openssl-opt=OPTION1 \
--with-openssl-opt=OPTION2 \
...


or


--with-openssl-opt=OPTION1 OPTION2 ... \

update nginx on windows

Hi guys,

I want to update my nginx instance on a Windows machine. Do I just have to replace the .exe file with the new one and restart the service, or do I have to update any more files?

No major change (1.9.7 to 1.9.15)

I don't want to mess up my server :)

Thanks!