Channel: Nginx Forum - How to...

Re: Client certificate based AUTH (ssl_client_certificate vs ssl_trusted_certificate)

Although this is an old post, I landed on it when asking myself the same type of question, so I am posting this reply in case it helps. I wanted to avoid sending a list of trusted CAs to the client during the initial TLS negotiation, especially as this can result in a relatively large payload sent during the TLS session setup if many CAs are trusted.

I then wondered how I could use ssl_trusted_certificate as this is indeed described with "the list of these certificates will not be sent to clients".

I figured out how to achieve that. I wish the nginx documentation described that better.
The configuration required is to use "ssl_verify_client optional_no_ca". In that case, and if "ssl_client_certificate" isn't defined, no list of CAs is sent and a client certificate is requested, but is optional.

nginx verifies the client certificate against the list of CAs defined in ssl_trusted_certificate and sets the variable $ssl_client_verify accordingly. It is then important to check the content of this variable in the configuration file to accept or reject the request: "NONE" if no client certificate was sent, "SUCCESS" if the certificate is verified, and "FAILED:reason..." if verification failed.
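The setup described in the reply above, as an added configuration example that is not from the post: the CA list stays out of the handshake, and the accept/reject decision is made on $ssl_client_verify. Server name, certificate paths and the backend address are assumptions.

```nginx
# Added example: client certificates verified against CAs that are never advertised
# to the client, with enforcement done in the nginx configuration itself.
server {
    listen 443 ssl;
    server_name api.example.test;                     # assumed name

    ssl_certificate     /etc/nginx/tls/server.crt;    # assumed paths
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Request a client certificate but do not abort the handshake when it is
    # missing or not signed by a trusted CA. optional_no_ca is the one mode that
    # nginx accepts without an ssl_client_certificate directive, so no CA list
    # is sent in the CertificateRequest message.
    ssl_verify_client optional_no_ca;

    # CAs used for the verification; only the result is exposed, in $ssl_client_verify.
    ssl_trusted_certificate /etc/nginx/tls/client-cas.pem;   # assumed path
    ssl_verify_depth 2;

    location / {
        # With optional_no_ca every client completes the handshake, so the
        # configuration must reject "NONE" and "FAILED:..." explicitly.
        if ($ssl_client_verify != "SUCCESS") {
            return 403;
        }
        # Pass the verified subject on so the backend can authorize on it.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;              # assumed backend
    }
}
```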

How to resume TLS sessions with SSL session ticket on a different server?

When using SSL session tickets for TLS session persistence no session state is supposed to be maintained by a server.

In a configuration with multiple Nginx reverse proxies behind a load balancer that distributes requests round-robin, any server should be able to resume a TLS session with an abbreviated TLS handshake, provided all servers are using the same ssl_session_ticket_key. Is this correct?

Unfortunately it doesn't work as expected for me. As long as subsequent requests are directed to the same Nginx, sessions are resumed by an abbreviated handshake.

Once the frontend load balancer switches to a different Nginx, I can observe a full handshake. What do I need to configure to enable the session transition described above? Relevant options currently configured at server level:

proxy_ssl_session_reuse on;
ssl_protocols TLSv1.2;
ssl_dhparam ....pem;
ssl_session_cache shared:SSL:64m;
ssl_session_ticket_key ....key;

ssl_dhparam and ssl_session_ticket_key are pointing to identical files on all Nginx nodes.

Nginx version 1.10.3
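An added configuration example (not from the post) of the client-facing resumption settings that have to be identical on every node, with the point that a shared session cache is per node while tickets are the only stateless mechanism. Names, paths and the backend address are assumptions.

```nginx
# Added example: TLS resumption settings for one node of a round-robin pool.
# Copy this block, and the key files, unchanged to every node.
server {
    listen 443 ssl;
    server_name www.example.test;                        # assumed name
    ssl_certificate     /etc/nginx/tls/fullchain.pem;    # assumed paths
    ssl_certificate_key /etc/nginx/tls/privkey.pem;
    ssl_protocols TLSv1.2;

    # Stateless resumption: a ticket is encrypted with the FIRST listed key and
    # can be decrypted with any listed key. Each file must be 48 or 80 bytes of
    # random data and must be byte-identical on all nodes.
    ssl_session_tickets on;
    ssl_session_ticket_key /etc/nginx/tls/ticket.current.key;    # assumed paths
    ssl_session_ticket_key /etc/nginx/tls/ticket.previous.key;   # kept while rotating
    ssl_session_timeout 1h;

    # Stateful resumption by session ID. "shared" means shared between the
    # worker processes of THIS node only; a session ID issued here is unknown
    # to the other nodes, so only tickets can resume across the pool.
    ssl_session_cache shared:SSL:64m;

    location / {
        # proxy_ssl_session_reuse (from the post) governs the connections nginx
        # opens to upstreams; it has no effect on client-facing resumption.
        proxy_ssl_session_reuse on;
        proxy_pass http://127.0.0.1:8080;                # assumed backend
    }
}
```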

Reverse Proxy Configurations

Hi NGINX Team,

I am new to this tool and urgently need help on this issue. Please help.

1. We have a BPM server with an inbuilt UI for work item creation, and the implementation of a reverse proxy is in progress. I have installed NGINX for Windows on the BPM server with port 8070 and it's running.


BPM server URL: http://BPMSERVER:18120/
BPM UI URL: http://BPMSERVER:18080/openspace/#

What we are trying is

1. If the user uses the BPM UI URL above and logs in with his credentials (username/password), the UI should hit the NGINX proxy server, and then the NGINX server should pass requests to/from the BPM server.

Please let me know the configuration steps for the same.
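An added configuration example (not from the post or the BPM vendor) for nginx on the BPM host, listening on the 8070 port from the question and relaying to the UI port 18080. It assumes the UI is reachable on the same host and that browsers talk only to the UI port.

```nginx
# Added example: reverse proxy in front of the BPM UI.
server {
    listen 8070;
    server_name BPMSERVER;                  # hostname from the question

    location / {
        # UI port from the question; 127.0.0.1 assumes nginx runs on the BPM host.
        # The "#" fragment in http://BPMSERVER:18080/openspace/# never leaves the
        # browser, so nothing has to be configured for it.
        proxy_pass http://127.0.0.1:18080;
        proxy_http_version 1.1;

        # Preserve what the browser sent (BPMSERVER:8070) so the application
        # builds redirects and links that point back through the proxy.
        proxy_set_header Host              $http_host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # The login form posts credentials over this hop in clear text; keeping
        # nginx and the BPM server on one host (as here) keeps them off the wire.
    }
}
```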

nginx .htpasswd

Hi,

I've a question. I have created a protected dir with a htpasswd file on server (centos 7, apache/nginx, plesk)

I want to protect the dir /cms and everything below it. But when I log in on /cms with user/pwd and go to /cms/dir or /cms/file.php, I often (not always) have to authenticate a second time. Is this a known issue? Is there something wrong with the config? Current config:

location ~ ^/cms/* {
auth_basic "something protected";
auth_basic_user_file /path/to/.htpasswd;
}

Hope anyone has an idea.

Kind regards,
Alex

What is best way of hiding server IP?

I have a domain name that I use with Nginx 1.13 and don't want the IP to be resolvable via the browser. I was trying to do this in /etc/nginx/conf.d/default.conf but was still getting a 403 error message, so I then created another config file under sites-enabled with the following:

server {
listen 80 default_server;
server_name 0.0.0.0;
return 444;
}

(I replaced it with 0.0.0.0 for privacy, but my real IP is in there on my end.) It works fine now and doesn't return any pages for the IP address, but I am wondering if this is the best way. Is there another way that is better?

Re: What is best way of hiding server IP?

Our web-servers have multiple IPs so we do it using:

if ( $http_host ~* "^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$" ) {
return 444;
}

Re: What is best way of hiding server IP?

Thanks. I only have one IP for the VPS server.
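An added configuration example for this thread (not from either poster): catch-all default servers answer any request whose Host header or SNI name is not a configured site, which covers IP-literal requests on one or many addresses without matching on the IP string. The real site name and certificate paths are assumptions.

```nginx
# Added example: drop requests that arrive by IP address or an unknown name.
server {
    listen 80 default_server;
    server_name _;            # never matches a real name; default_server does the catching
    return 444;               # close the connection without sending a response
}

server {
    listen 443 ssl default_server;
    server_name _;
    # nginx 1.19.4 or later: refuse the TLS handshake for unknown or missing
    # SNI names, so no placeholder certificate is needed and the server
    # certificate (with its real hostname) is never shown to IP scanners.
    # On older versions load any self-signed certificate here and use "return 444;".
    ssl_reject_handshake on;
}

# The real site: only reached when the Host header or SNI name matches.
server {
    listen 80;
    listen 443 ssl;
    server_name www.example.test;                        # assumed name
    ssl_certificate     /etc/nginx/tls/fullchain.pem;    # assumed paths
    ssl_certificate_key /etc/nginx/tls/privkey.pem;
    root /var/www/html;                                  # assumed

    location / {
        try_files $uri $uri/ =404;
    }
}
```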

Rewrite-like algorithm

Hello. I have a website running with Nginx 1.12.0. Since I started the development I haven't thought about keeping the folders clean and tidy. So now I have a few pages on my website and they display as https://www.example.com/about; in the folder this looks like /var/www/html/about/index.php. What I want to do is to move all index files of pages to the directory /pages/ and name them not index.php but by the page name, for example /pages/about.php, but they should still display as usual: https://www.example.com/about. Any ideas how to make this work? And is it possible at all?
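An added configuration example (not from the post) that maps /about to /pages/about.php with an internal rewrite, so the browser URL is unchanged and the /pages/ scripts cannot be requested directly. Certificate paths and the PHP-FPM socket are assumptions.

```nginx
# Added example: pretty URL -> /pages/<name>.php without a visible redirect.
server {
    listen 443 ssl;
    server_name www.example.com;                         # name from the post
    root /var/www/html;                                  # path from the post
    ssl_certificate     /etc/nginx/tls/fullchain.pem;    # assumed paths
    ssl_certificate_key /etc/nginx/tls/privkey.pem;

    # One path segment of safe characters, optional trailing slash. The narrow
    # character class keeps "..", "/" and "%" out of $page, so the rewrite can
    # never point outside /pages/.
    location ~ "^/(?<page>[A-Za-z0-9_-]+)/?$" {
        rewrite ^ /pages/$page.php last;   # internal redirect, URL in browser unchanged
    }

    # Scripts under /pages/ are reachable only through the rewrite above.
    location ~ ^/pages/[A-Za-z0-9_-]+\.php$ {
        internal;                                   # direct request for /pages/x.php -> 404
        try_files $uri =404;                        # unknown page -> 404, not a PHP error
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;    # assumed PHP-FPM socket
    }

    location / {
        try_files $uri $uri/ =404;                  # remaining static files
    }
}
```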

auth_basic question/issue

I have set up the following on an Ubuntu LTS server installation, using the "default" nginx site configuration file.
From what I have found so far, this should work -- and it does, sort of. If I know the name of a file in that directory, the browser can open it, after entering the userid and password. It can't display the file listing from the directory, I get "403 Forbidden".

Am I using the wrong auth_ module? I have tried with and without the ^~ in front of the directory -- not sure what that's for anyway, found it on one of the nginx doc pages.


[code]
server_name _;

location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
location ^~ /RMS6/ {
auth_basic "closed site";
auth_basic_user_file /etc/nginx/passwd/RMS.pwd;
}

[/code]

I'm not looking for anything complicated here, just a simple password authorization for access to the raw directory.
Is that possible?
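An added configuration example (not from either post) that serves both this /RMS6 question and the /cms question earlier on the page: "^~" is a prefix match that stops the regex search, so a site-wide "location ~ \.php$" defined elsewhere cannot take /cms/file.php without the password prompt (the poster's "~ ^/cms/*" is itself a regex, matching /cms followed by any number of slashes, and competes with other regex locations in file order), and a 403 for a bare directory comes from autoindex being off, not from auth_basic. Root, the cms password file and the PHP-FPM socket are assumptions.

```nginx
# Added example: password-protected prefixes, one serving PHP, one listing files.
server {
    listen 80;
    server_name _;
    root /var/www/html;                                   # assumed

    # Prefix match that wins over every regex location: everything below /cms/
    # goes through the auth here, including .php files.
    location ^~ /cms/ {
        auth_basic           "something protected";
        auth_basic_user_file /etc/nginx/passwd/cms.htpasswd;   # assumed path

        # Nested handler so PHP inside /cms/ inherits the auth_basic above
        # instead of falling to an unprotected site-wide PHP location.
        location ~ \.php$ {
            try_files $uri =404;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;      # assumed socket
        }
    }

    # Raw directory from the post. Without an index file nginx answers 403
    # unless listings are enabled; enable them only inside the protected prefix.
    location ^~ /RMS6/ {
        auth_basic           "closed site";
        auth_basic_user_file /etc/nginx/passwd/RMS.pwd;   # path from the post
        autoindex on;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```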

WordPress: CSP Header

Hi everyone,

I'm using nginx/1.6.2 on a GNU/Linux Debian (Jessie) system and hosting a WordPress site.

The 'general' CSP header I use is:
add_header Content-Security-Policy "default-src 'self'; img-src https: 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'";

But for a specific WordPress site I want to use a different CSP header.

Right now this is my (not working) solution:
location = /site/ {
add_header Content-Security-Policy "default-src 'self'; img-src https: 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none'";
}
This ends in a "404 Not Found" error.


But this works:
location = /site/ {
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ \.php$ {
add_header Content-Security-Policy "default-src 'self'; img-src https: 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none'";
include /etc/nginx/conf/php5-ssl.conf;
}

But this means that every site gets the new CSP header.

Question is, how can I achieve to rewrite the CSP header only for the specific site?

Something like:
location = /site/ {
add_header Content-Security-Policy "default-src 'self'; img-src https: 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none'";
try_files ???;
}

Maybe someone can help me with this one.

Cheers!

Re: WordPress: CSP Header

Anyone can help me with this riddle? :-)
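An added configuration example for this thread (not from the poster): a map on $request_uri selects the policy, and a single add_header in the PHP location emits it, because a "location = /site/" with only add_header has nothing to serve (hence the 404) and an add_header list defined in one location replaces, rather than extends, the parent's. Server name and document root are assumptions; the two policies and the include path are from the post.

```nginx
# Added example: per-path CSP for a WordPress front controller.
http {
    # $request_uri is the URI the client sent, so it still starts with /site/
    # after try_files has internally redirected the request to /index.php.
    map $request_uri $csp_policy {
        default  "default-src 'self'; img-src https: 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'";
        ~^/site/ "default-src 'self'; img-src https: 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none'";
    }

    server {
        listen 80;
        server_name wp.example.test;          # assumed
        root /var/www/wordpress;              # assumed

        location / {
            try_files $uri $uri/ /index.php$is_args$args;
        }

        # The response is produced here, so this is where the header must be
        # added. One directive with a variable value keeps the site-wide list
        # intact and still varies the policy per request.
        location ~ \.php$ {
            add_header Content-Security-Policy $csp_policy;
            include /etc/nginx/conf/php5-ssl.conf;   # path from the post
        }
    }
}
```

Static files served by "location /" get no header from this block; add the same add_header line there if they need one.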

Re: Loadbalance a website that only support https

I think you should change the proxy_pass value from https://myapp1; to myapp1; and add the ssl on; parameter in the server section.

Strange Caching issue

Hi team

I have a strange issue with a reverse proxy configuration. I'm using a reverse proxy configuration because of the SSL transition from sha1 to sha256, with this proxy_pass configuration:

"proxy_pass https://abc.mydomain.com/;"

When we update the abc.mydomain.com DNS record, nginx still resolves the old IP address until it's restarted.

But the operating system resolves the new IP address.

What may cause this issue? It looks like an SSL session caching issue, but I'm not sure.

Here are the session configs:

ssl_session_cache builtin:1000 shared:SSL:10m;

Thank you.

Re: Strange Caching issue

Hi team

Issue sorted out. It's by design: when nginx starts, it loads all records into its own memory. To solve this issue you can use dynamic upstreams or a resolver configuration in the http, server or location context.

Thank you.
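The resolver approach from the reply above, as an added configuration example (not from the thread): a hostname written literally in proxy_pass is resolved once when the configuration loads, while a hostname held in a variable is resolved through "resolver" at request time. The resolver address, certificate paths and CA bundle path are assumptions.

```nginx
# Added example: re-resolve the origin at run time instead of at startup.
server {
    listen 443 ssl;
    server_name www.mydomain.com;                        # assumed
    ssl_certificate     /etc/nginx/tls/fullchain.pem;    # assumed paths
    ssl_certificate_key /etc/nginx/tls/privkey.pem;

    # These answers choose the origin for every proxied request, so point at a
    # resolver you control. valid= caps how long nginx reuses an answer.
    resolver 10.0.0.53 valid=30s;                        # assumed address
    resolver_timeout 5s;

    location / {
        # With a variable in proxy_pass (and no URI part) nginx resolves the name
        # per request and passes the client's full request URI unchanged.
        set $origin "https://abc.mydomain.com";
        proxy_pass $origin;

        proxy_set_header Host abc.mydomain.com;

        # nginx 1.7.0+: send SNI and verify the origin's certificate, so a
        # poisoned or stale DNS answer cannot silently redirect the proxy.
        proxy_ssl_server_name on;
        proxy_ssl_name abc.mydomain.com;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;   # assumed
    }
}
```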

Optimizing images before caching them using proxy_cache

Hi

I have setup Nginx s.domain.com to act as an image cache for my IIS-servers on www.domain.com (the IIS-servers are upstreams).

I'm very new to Nginx but as far as I've understood this is what happens when I get a request for an image:
1. A request is made to s.domain.com/images/image.jpg
2. If Nginx already has that image it serves it. If not it asks www.domain.com for it and then caches it.

I would like to set it up so that I optimize the image before I cache it, so that further requests to the same image get an optimized version.

I've tried finding a guide for figuring this out and I keep coming back to mod_pagespeed. But after reading about that I'm not quite sure if it would work for me as the site itself doesn't run Nginx.

Is what I'm looking for possible and if so, would someone mind pointing me in the right direction as to figuring out how I would go about setting it up?

Thanks.

Address already in use

Hi all.

Using nginx 1.10.3-0ubuntu0.16.04.2 I get several messages:

aug. 07 20:43:07 ubuntu nginx[9578]: nginx: [emerg] listen() to 0.0.0.0:80, backlog 511 failed (98: Address already in use)

my config file has several entries with the same listen directive:

server {
listen 80;
server_name xxxx.no;
....
...
}

server {
listen 80;
server_name xxxx.no;
....
...
}


The strange thing is that this is OK on the same config running on my Unix and windows server.

The goal is to have nginx act as a proxy based on the server_name


/bwa

Nginx Reverse Proxy with HTTPS not working

I had successfully got my SSL cert and now I was trying to implement it on my AWS server with an NGINX reverse proxy setup. Here is the config file:

server {
listen 80;
server_name example.com;
return 301 https://www.example.com$request_uri;
}

server {
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/cert_chain.crt;
ssl_certificate_key /etc/nginx/ssl/website.key;
server_name ~^(?<subdomain>.+)\.example\.com$;

location / {
proxy_pass http://www.example.com:8888;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $subdomain.example.com;
proxy_cache_bypass $http_upgrade;
}
}

If I change the setting to listen to port 80 then it's working fine. I had enabled port 443 in AWS security group and here is the result of netstat -tulpn | grep 443:

(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN -

So it means it's listening to port 443 already right? I also ensured that the nginx was run as root using ps aux|grep nginx|grep -v grep:

root 11567 0.0 0.3 177080 3060 ? Ss 09:36 0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data 11568 0.0 0.7 177344 7568 ? S 09:36 0:00 nginx: worker process

I checked the Nginx error log and there was nothing inside, but when I access my URL with https it just shows that it took too long to respond. Anyone able to help? Thank you.

Re: Address already in use

You get the same result with a default config?

[Help] Custom error_page is not working. Why?

I'm using the latest nginx (sid) on Debian, and my nginx server's config is like this:

server {
server_....
error_page 400 401 403 404 405 408 500 502 503 504 /_an_error_page_.html;

... (misc 403 rules, such as: "if ($blah != 1){return 403;}") ...

location /_an_error_page_.html {internal;allow all;}
location /robots.txt {allow all;}
}

When I connect to https://my.website/ with a bad browser/IP/whatever, nginx returns 403 as expected,
but it returns "403 Forbidden - nginx" (the generic error).

> "GET / HTTP/1.1" 403 320 "-" "curl/X"

And when I changed the "error_page" line to (added =200):

> error_page 400 401 403 404 405 408 500 502 503 504 =200 /_an_error_page_.html;

It just returns an empty string (0 bytes).

> "GET / HTTP/1.1" 200 0 "-" "curl/X"

Of course I reloaded nginx after modifying my config file.
Why is this not working, and what should I do to make this work?
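An added configuration example (not from the post): nginx serves a custom error page by internally redirecting the request to it, and server-level rewrite-phase directives such as "if (...) { return 403; }" run again for that internal redirect, so the error page itself gets a 403 and nginx falls back to its built-in page. Scoping the checks to the content location keeps them off the error page; the error directory, site root and certificate paths are assumptions, and $blah is the placeholder from the post.

```nginx
# Added example: custom error page that is not caught by the site's own 403 rules.
server {
    listen 443 ssl;
    server_name my.website;                              # name from the post
    ssl_certificate     /etc/nginx/tls/fullchain.pem;    # assumed paths
    ssl_certificate_key /etc/nginx/tls/privkey.pem;
    root /var/www/site;                                  # assumed

    error_page 400 401 403 404 405 408 500 502 503 504 /_an_error_page_.html;

    # The page itself: reachable only via error_page (internal) and placed
    # under no access check, so its body is what the client actually receives.
    location = /_an_error_page_.html {
        internal;
        root /var/www/errors;                            # assumed directory
    }

    location = /robots.txt {
        allow all;
    }

    location / {
        # Moved here from server level. The internal redirect to the error page
        # does not match this location, so the check cannot fire a second time.
        # $blah is the placeholder from the post; set it with map/geo in practice.
        if ($blah != 1) {
            return 403;
        }
        try_files $uri $uri/ =404;
    }
}
```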

How to disable TLSv1 in Nginx?

I have this virtual host config in Nginx. TLSv1 is not configured in ssl_protocols but I'm still getting a response when doing curl or openssl s_client -tls1 -connect.

# OS and Nginx version

OS: Amazon Linux (4.9.32-15.41.amzn1.x86_64)
nginx version: nginx/1.10.2
built by gcc 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC)
built with OpenSSL 1.0.1k-fips 8 Jan 2015
TLS SNI support enabled

# Nginx main configuration

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.fedora.
include /usr/share/nginx/modules/*.conf;


events {
worker_connections 1024;
}

http {
default_type application/octet-stream;
error_log /var/log/nginx/error.log;
gzip off;
gzip_disable "msie6";

index index.html;
index index.htm;
keepalive_timeout 65;
log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
resolver 1x.xx.xx.xx;
sendfile on;
server_names_hash_bucket_size 128;
tcp_nodelay on;
tcp_nopush on;
types_hash_max_size 2048;

include /etc/nginx/mime.types;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

# Vhost configuration

server {
listen 8443;
server_name tls-test.domain.com;

# Source: https://cipherli.st/
ssl on;
ssl_certificate /etc/pki/tls/certs/wildcard.domain.com.crt;
ssl_certificate_key /etc/pki/tls/private/wildcard.domain.com.key;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

location / {
proxy_pass https://some-server.domain.com;
proxy_set_header Host tls-test.domain.com;
proxy_set_header Connection "";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}

# Tests

## cURL

curl -vk https://tls-test.domain.com:8443 --tlsv1.0
* Rebuilt URL to: https://tls-test.domain.com:8443/
* Trying 5x.xx.xx.xx...
* TCP_NODELAY set
* Connected to tls-test.domain.com (5x.xx.xx.xx) port 8443 (#0)
* WARNING: disabling hostname validation also disables SNI.
* TLS 1.0 connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate: *.domain.com
* Server certificate: ISSUER RSA Domain Validation Secure Server CA
* Server certificate: ISSUER RSA Certification Authority
> GET / HTTP/1.1
> Host: tls-test.domain.com:8443
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.10.2
< Date: Wed, 09 Aug 2017 18:53:37 GMT
< Content-Type: text/html
< Content-Length: 217
< Connection: keep-alive
< accept-ranges: bytes
< cache-control: no-cache

## OpenSSL

openssl s_client -tls1 -connect tls-test.domain.com:8443 < /dev/null
CONNECTED(00000003)
---TRIMMED---
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6109 bytes and written 334 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
---TRIMMED---
---
DONE
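An added configuration example (not from the post): both tests above reach the server without SNI (curl says so in its warning, and openssl s_client was run without -servername), so they are answered by whichever server is the default for port 8443, and the P-256 ephemeral key in the openssl output, against the secp384r1 configured in this vhost, is a sign that a different server block answered. Putting the protocol limits at http level and making this vhost the default for the port removes that gap; ssl_session_cache and the proxy settings are carried over from the post.

```nginx
# Added example: protocol limits that hold for non-SNI clients on port 8443.
http {
    # http-level defaults are inherited by every server block on this instance,
    # including any other server for 8443 that lives in conf.d or sites-enabled.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;

    server {
        # default_server: this block's TLS settings now answer connections that
        # carry no SNI or an unknown name on 8443. "ssl" on the listen line
        # replaces the deprecated "ssl on;".
        listen 8443 ssl default_server;
        server_name tls-test.domain.com;

        ssl_certificate     /etc/pki/tls/certs/wildcard.domain.com.crt;
        ssl_certificate_key /etc/pki/tls/private/wildcard.domain.com.key;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;

        location / {
            proxy_pass https://some-server.domain.com;
            proxy_set_header Host tls-test.domain.com;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

"nginx -T" prints the merged configuration, which shows every server block listening on 8443 and which one is the default; rerunning the openssl test with -servername tls-test.domain.com exercises the named vhost specifically.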