Channel: Nginx Forum - How to...
Viewing all 4759 articles

Using a variable in PROXY_PASS

Dear friends,
I'll go straight to the point. This is my nginx.conf:

set $upstream_portainer "http://my_portainer-service:9000";

location /portainer/ {
proxy_http_version 1.1;
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;

proxy_set_header Connection "";
proxy_buffers 32 4k;
#proxy_pass http://my_portainer-service:9000/; # --> this WORKS
#proxy_pass $upstream_portainer/; # --> this does NOT work
proxy_pass ${upstream_portainer}/; # --> this does NOT work
}

Why doesn't it work with the alias? I'm sure I have seen it used many times, especially in conjunction with Docker service names, so that they'd be reevaluated periodically rather than just at startup of NGINX.

Thank you so much,
Best regards,
Roberto

nginx - rate limit by argument value

First let me tell you that I'm new to nginx. I'm trying to limit request by arguments in uri.

localhost/?argId=1
localhost/?argId=2
localhost/?argId=3

----------------
nginx.conf

http {
...
limit_req_zone $arg_argId zone=mylimit:10m rate=1r/m;
...
server {
...

location / {
root html;
index index.html index.htm;

limit_req zone=mylimit;
}
...
----------------

I tried it with $request_uri but it's still not working. Requests are treated as the same. Any suggestions?

Re: Using a variable in PROXY_PASS

Hi Tyler_durden_83;


I think you should remove the last slash of the proxy_pass parameters. I mean, you could try this 'proxy_pass $upstream_portainer' and 'set $upstream_portainer "http://my_portainer-service:9000/";'.

Please inform us if it works.

Re: Can't solve this redirect :(

Nobody who has any suggestion for a solution? Or could help me make this rewrite?

Proxy Server or Load Balancer to pass specific URLS

Hi, I am new to Nginx and require some beginner advice.

I have multiple webservers, running various apps (seafile, zammand, urbackup) all as VMs on the same network. All need to be accessed via https protocol.

After hours of reading, I'm still a bit lost on how to move forward. Looking at load-balancing, it doesn't seem to do what I'm after (as it passes traffic to a random server in case one is down) BUT I see the backup/upstream is possibly what I'm after.

Actual scenario:

Servers:
172.16.1.21 - NGINX Server - All incoming WAN HTTP/HTTPS traffic goes to this Server
172.16.1.12 - WebServer1 - support.y-tec.co.uk
172.16.1.20 - WebServer2 - cloud.y-tec.co.uk

I want to pass all incoming HTTP/HTTPS traffic to "172.16.1.21 - NGINX Server" which will then pass to the correct server depending on which incoming url was passed;
So traffic to support.y-tec.co.uk will be routed to "172.16.1.12 - WebServer1" (https)
and
traffic to cloud.y-tec.co.uk will be routed to "172.16.1.20 - WebServer2" (https)

Is it possible to just edit say the config (or maybe active-sites) on "172.16.1.21 - NGINX Server" with "headers" (e.g. support.y-tec.co.uk) which then passes to the backend server?

Thanks.

Re: Can't solve this redirect :(

Hi JoakimR;

This will probably work.

location /filters {
rewrite .* /index.php?controller=filters permanent;
}

Permanent means the address that you try to access has moved to a new address. The QSA process is done automatically in an Nginx rewrite. Hence, you don't have to do anything extra.

Re: gzip_types docx xlsx problem

Hi,

Did you find any solution for this? I am facing the same issue.

Thanks

subdirectory reverse proxy to root directory of internal proxy

Hello,

I'm trying to configure a reverse proxy which would act as a frontend for all internal applications hosted on different servers. On the reverse proxy, each internal application would be served inside a sub-folder.

The URL scheme would be `https://frontend.net/internal_app` which would proxy to any `https://internal-app` or `https://internal-app/app`

For example:
server {
server_name frontend.net;
location /app {
proxy_pass https://internal-service/app;
}
}


If I go straight to the internal app `https://login.nwk.jwm2.net` with my browser, my logs look like this:
10.xxx.xx.202 - - [05/Mar/2018:21:28:05 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
10.xxx.xx.202 - - [05/Mar/2018:21:28:05 +0000] "GET /css/authelia.css HTTP/1.1" 304 0 "https://login.nwk.jwm2.net/" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
10.xxx.xx.202 - - [05/Mar/2018:21:28:05 +0000] "GET /js/authelia.js HTTP/1.1" 304 0 "https://login.nwk.jwm2.net/" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
10.xxx.x.202 - - [05/Mar/2018:21:28:05 +0000] "GET /img/icon.png HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
10.xxx.xx.202 - - [05/Mar/2018:21:28:05 +0000] "GET /img/user.png HTTP/1.1" 304 0 "https://login.nwk.jwm2.net/" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
10.xxx.xx.202 - - [05/Mar/2018:21:28:05 +0000] "GET /img/background.svg HTTP/1.1" 304 0 "https://login.nwk.jwm2.net/css/authelia.css" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"

No issues there!

But through the reverse...

internal app logs:
10.xxx.xx.212 - - [05/Mar/2018:21:42:35 +0000] "GET / HTTP/1.0" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"

reverse frontend logs:
xxxxx - - [05/Mar/2018:16:25:38 -0500] "GET /login HTTP/2.0" 401 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
xxxxx - - [05/Mar/2018:16:25:52 -0500] "GET /login HTTP/2.0" 204 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36" "-"
xxxxx - - [05/Mar/2018:16:26:02 -0500] "GET /login HTTP/2.0" 401 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
xxxxx- - [05/Mar/2018:16:27:35 -0500] "GET /login HTTP/2.0" 200 1784 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
xxxxx - - [05/Mar/2018:16:27:35 -0500] "GET /css/authelia.css HTTP/2.0" 404 169 "https://squid-lab.nwk.jwm2.net/login" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
xxxxx - - [05/Mar/2018:16:27:35 -0500] "GET /img/user.png HTTP/2.0" 404 169 "https://squid-lab.nwk.jwm2.net/login" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
xxxxx - - [05/Mar/2018:16:27:35 -0500] "GET /js/authelia.js HTTP/2.0" 404 169 "https://squid-lab.nwk.jwm2.net/login" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" "-"

My reverse proxy location is configured as such:
location /login {
rewrite /login(.*)$ /$1 break;
proxy_pass https://login.nwk.jwm2.net;
}

With the above configuration I'm able to get some data, but not all images and scripts show/run properly.

I feel it has something to do with my `rewrite` rule but can't figure it out....
Any input would be appreciated.


Thanks!
dave

Init script on Custom built nginx

Facing some problems after installing source-built nginx.
Installed using the automatic pagespeed installer on a NEW Ubuntu 16.04 (clean install).
Doc Link : https://www.modpagespeed.com/doc/build_ngx_pagespeed_from_source

bash <(curl -f -L -sS https://ngxpagespeed.com/install) \
--nginx-version latest

i.e. it is source built and not from the Ubuntu repo

root@xyz:~# vi "/usr/local/nginx/conf/nginx.conf"
root@xyz:~# vi "/usr/local/nginx/conf/nginx.conf"
root@xyz:~# nginx -t
The program 'nginx' can be found in the following packages:
* nginx-core
* nginx-extras
* nginx-full
* nginx-light
Try: apt install <selected package>
root@xyz:~# vi "/usr/local/nginx/conf/nginx.conf"
root@xyz:~# sudo service nginx restart
Failed to restart nginx.service: Unit nginx.service not found.
root@xyz:~# sudo /usr/sbin/nginx -V
sudo: /usr/sbin/nginx: command not found
root@xyz:~# sudo /usr/local/nginx -V
sudo: /usr/local/nginx: command not found
root@xyz:~# sudo /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.13.9
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9)
configure arguments: --add-module=/root/incubator-pagespeed-ngx-latest-stable
root@xyz:~# sudo /usr/local/nginx/sbin/nginx restart
nginx: invalid option: "restart"
root@xyz:~# sudo service nginx restart
Failed to restart nginx.service: Unit nginx.service not found.
root@xyz:~# sudo systemctl restart nginx
Failed to restart nginx.service: Unit nginx.service not found.
root@xyz:~# sudo service nginx restart
Failed to restart nginx.service: Unit nginx.service not found.
root@xyz:~# /usr/local/nginx/sbin/nginx -s reload
nginx: [error] open() "/usr/local/nginx/logs/nginx.pid" failed (2: No such file or directory)
root@xyz:~# /usr/local/nginx/sbin/nginx start
nginx: invalid option: "start"
root@xyz:~# ps aux | grep nginx
root 20012 0.0 0.1 12944 1084 pts/0 S+ 06:50 0:00 grep --color=auto nginx


Also, I get only this when finding nginx:

sudo find / -type f -name "nginx"
/usr/local/nginx/sbin/nginx
/root/nginx-1.13.9/objs/nginx



After searching a lot on Google I finally found that I need an init script, but I'm still not sure which one to use
https://www.nginx.com/resources/wiki/start/topics/examples/initscripts/
(Linux init.d or upstart or systemd)
and what I need to edit in those scripts.

This is the first time I have compiled nginx from source, so I don't know much. Earlier I was installing using apt-get.

stream based on hostname

Hello!
Here is my example of a non-working config:

stream {
map $hostname $stream_destination {
hostname.com ip_address_1;
hostname2.com ip_address_2;
}
server {
listen 8080;
proxy_pass $stream_destination:8080;

}
}



I need to route TCP traffic based on hostname. Please help me figure this out.

Nginx as reverse web proxy changes all to apache default page.

I'm very confused. I am using Nginx as a reverse web proxy in VM environment with 4 VM web servers. I have 4 conf files directing to each site. The last 2 mornings I have found that all 4 sites are defaulted to an apache start page. There is no apache on the Nginx machine so I assume it's showing the apache page from one of the 4 servers, I'm assuming it's the one listed as default in the conf files.

I have to reboot my router and the Nginx machine to get it to come back. I am using an IPCOP open source router.

Any ideas why this is happening?

Nginx phpmyadmin redirecting to homepage

Hello, I have been struggling to find a solution to this and could use some help please. I created a webserver using WordPress and added phpMyAdmin. I am able to log in to phpMyAdmin and created a symbolic link; however, it redirects me to the main page. This is a website that I made to try and learn about web development. (If you see anything else wrong with the config file, please point it out.)

The address bar displays: https://example.com/?token=a token is here.

The address I need to access is https://example.com/newsymboliclink or
https://example.com/newsymboliclink/?token=a token is here. or
https://example.com/newsymboliclink/index.php?token=a token is here.
(I'm not sure which one is the best one to use).

I've been trying to do try_files and returns but can't figure that out. Hoping someone can help.


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The nginx configuration is:

# HTTP SERVER

server {
listen 80;
server_name example.com www.example.com;
return 301 https://$host$request;
}

server {
listen 443 ssl http2;
server_name example.com www.example.com;
root /var/www/example.com/html;
index index.php;

access_log /var/log/nginx/example.com.access.log;
error_log /var/log/nginx/example.com.error.log;

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

# enable session resumption to improve https performance
# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

# enables server-side protection from BEAST attacks
# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
ssl_prefer_server_ciphers on;

# disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then $
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

# ciphers chosen for forward secrecy and compatibility
# http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forwar$
ssl_ciphers 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESG$

# config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.or$
# to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
# also https://hstspreload.org/
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as$
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}

# WORDPRESS PERMALINKS
location / {
try_files $uri $uri/ /index.php?$args;
}

location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.0-fpm-giga.sock;
}

# HTACCESS DENY ALL RULE

location ~/\.ht {
deny all;
}
}

nginx: [emerg] could not build test_types_hash

Hi,

I am using nginx on CentOs7. When I am using gzip with "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet" MIME type, it is giving me below error:

Mar 13 14:57:47 localhost.localdomain nginx[17289]: nginx: [emerg] could not build test_types_hash, you should increase test_types_hash_bucket_size: 64
Mar 13 14:57:47 localhost.localdomain nginx[17289]: nginx: configuration file /etc/nginx/nginx.conf test failed

Attached is my nginx conf:

Help with CORS configuration...

Hi everybody...

I have this configuration applied to my server

in domain.nginx.conf file

location ~* \.(eot|otf|ttf|woff|woff2)$ {
add_header Access-Control-Allow-Origin *;
}

location / {
include /home/domain/conf/web/cors.conf;
try_files $uri $uri/ /index.php?$args;

if (!-e $request_filename)
{
rewrite ^(.+)$ /index.php?q=$1 last;
}

location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
expires max;
}

include /home/domain/web/domain.com/public_html/nginx.conf;
}


and the file cors.conf has this

if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' *;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain; charset=utf-8';
add_header 'Content-Length' 0;
return 204;
}
if ($request_method = 'POST') {
add_header 'Access-Control-Allow-Origin' *;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
}
if ($request_method = 'GET') {
add_header 'Access-Control-Allow-Origin' *;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
}


I am using WordPress with a special configuration for the admin area...

I have the principal domain with domain.com and www.domain.com and the admin area is at edicion.domain.com/wp-admin, and the site functions perfectly (previously it was installed on an Apache server but now I am using nginx for performance)

but now in nginx I receive some errors for some font resources like this

Access to Font at 'http://edicion.domaincom/nagos2015/wp-content/themes/motors/assets/fonts/service-fonts/stm-service-default.ttf?vcgqsx' from origin 'http://www.domain.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://www.domain.com' is therefore not allowed access.

and this is affecting the visual aspect of my site...

could you help me with this config...

maybe I am wrong with something....


tks....

How to limit requests per second per host (domain)?

Hi there!
I have nginx serving several different domains.
I've already applied requests limits **per IP**, in order to protect against some types of attacks.

However, those limits are about the traffic coming from one IP.
Now I would like to allow no more than X requests per second **to a domain**.

Why would I want to do that in the first place? Well, my server runs several websites with nginx (uwsgi is in the background). I want to prevent uwsgi or nginx slowing down, timing out or going completely down due to a sudden and huge spike in traffic. It has happened in the past, and I'm already tuning my uwsgi application to make it faster and more scalable.

However, in the meanwhile, I would like to apply some security limits, to allow not more than X requests per second to a domain.
I've found an example on the web, but I'm not sure if this would work. I've tested locally and it does, but I want to be sure, that's why I'm making this post.


Is the following approach correct to limit requests per second to a domain?
In this example, if it's correct, I would be limiting the traffic to siteA.com and siteB.com to 10 requests per second, and the traffic to siteC.com to 50 requests per second.
Notice the variable "$host" used as the key to create two different zones, one more restrictive than the other.

http {
limit_req_zone $host zone=restrictive:10m rate=10r/s;
limit_req_zone $host zone=powerful:10m rate=50r/s;

server {
server_name siteA.com;
location / {
limit_req zone=restrictive;
}
}

server {
server_name siteB.com;
location / {
limit_req zone=restrictive;
}
}

server {
server_name siteC.com;
location / {
limit_req zone=powerful;
}
}
}



What do you think?
Thanks in advance.

nginx git configuration

Hi to all,

I tried to configure nginx to forward request auth to my git repository, which I've set up with ssh key authentication.
I've tried this solution but it does not work for me.

My nginx server has a public IP and I have to set proxypass auth to my git repo, which resides in another location that is reachable with a private address. I need the public URL with /location to forward the authentication with ssh key at port 22.
The proxypass auth must work with Git Bash or through Git Bash.
How can I do that?

Has anyone done that configuration in our environment?
_________________________________________________________________________

location /git {
proxy_pass http://172.16.10.12:22/gitrepos;}

# fcgiwrap is set up to listen on this host:port
fastcgi_pass localhost:9001;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/libexec/git-core/git-http-beckend;
# export all repositories under GIT_PROJECT_ROOT
fastcgi_param GIT_HTTP_EXPORT_ALL "";
fastcgi_param GIT_PROJECT_ROOT /home/git/gitrepo/;
fastcgi_param PATH_INFO $1;
____________________________________________________________________________

Re: nginx git configuration

ssh <> http, so why are you trying to pass the ssh protocol via http ?

Re: nginx git configuration

YES

Simple http to ssh protocol, but that does not work for me. Why?

I also have to pass the auth with the ssh key, for example

git clone git@(httpNginxarress/repository

Re: nginx git configuration

I've nginx on a Windows frontend and the git repository on a Linux VM on the backend side. How can I configure that??

How to Verify Nginx Source Tarball with GPG on Ubuntu Server

Hi, I am new to Nginx and to PGP/GPG. I am learning how to compile Nginx Open Source from source on Ubuntu server, and want to verify the source tarball file with the PGP signature provided.

The first step is to download the latest version of Nginx Open Source and its PGP signature.

I went to the Nginx downloads page https://nginx.org/en/download.html to find the URLs of the source tarball and PGP signature for the latest stable version. I downloaded them using the wget command as follows:

$ wget https://nginx.org/download/nginx-1.12.2.tar.gz

$ wget https://nginx.org/download/nginx-1.12.2.tar.gz.asc

I started following this tutorial on how to verify tarball PGP signatures: https://www.cyberciti.biz/faq/pgp-tarball-file-signature-keys-verification/

Next, I attempted to verify the signature of the tarball by using the gpg command:

$ gpg nginx-1.12.2.tar.gz.asc

The command gives this output:

gpg: Signature made Tue 21 Apr 2015 02:14:01 PM UTC using RSA key ID A1C052F8
gpg: Can't check signature: public key not found

The check fails because I do not have the public key of the signer.
I did a web search for 'nginx pgp keys' and found this page: https://nginx.org/en/pgp_keys.html where I found "nginx public key (used for signing packages and repositories)".
I downloaded this public key using wget, and then imported it:

$ gpg --import nginx_signing.key

However, when I attempted to verify the tarball signature again, I got the same error as before.

Finally, I found a tutorial (https://www.linode.com/docs/web-servers/nginx/installing-nginx-on-ubuntu-12-04-lts-precise-pangolin/) which happened to show the same RSA key ID A1C052F8. The tutorial also showed the successful output:

gpg: Good signature from "Maxim Dounin <mdounin@mdounin.ru>"
...

which is how I was able to determine that I needed Maxim Dounin’s PGP public key from the Nginx PGP keys page.

I downloaded and imported this signature, and now the verification check shows the "Good signature..." message, followed by a warning that there is no indication the signature belongs to the owner. To proceed from here, I would have to enter the web of trust as explained in the "How Do I Build Trust?" section at the end of the nixCraft tutorial linked above.

The problem I have with all this is that I was extremely lucky to find the linode tutorial showing the PGP public key I needed, and otherwise I would not have known which of the Nginx PGP public keys to import.

Am I missing something? Is there a better way to do this? How would I have known which public key to import?

Thank you,

noob13
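
The steps in the post above can be scripted against gpg's machine-readable `--status-fd` output, which names the key a signature needs and lets the signer be checked against a pinned fingerprint. This is an added example, not part of the original post: `classify_status` is a hypothetical helper, and every key ID, fingerprint and status line in it is a constructed sample value.

```shell
#!/bin/sh
# Added example. classify_status is a hypothetical helper; all key IDs,
# fingerprints and status lines below are constructed sample values.
#
# Real use (needs gpg and the downloaded files, so it is not run here):
#   gpg --status-fd 1 --verify nginx-1.12.2.tar.gz.asc nginx-1.12.2.tar.gz \
#       2>/dev/null | classify_status "$PINNED_FPR"

# classify_status PINNED_FPR   (gpg status lines on stdin)
# Prints exactly one verdict:
#   trusted <fpr>         valid signature made by the pinned key
#   wrong-key <fpr>       valid signature, but not from the pinned key
#   missing-key <keyid>   signer's public key is not in the keyring
#   expired-or-revoked    signature or key expired, or key revoked
#   bad-signature         tarball and signature do not match
#   no-signature          nothing usable in the status output
classify_status() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    verdict="no-signature"
    tag=""
    while read -r tag keyword arg1 rest || [ -n "$tag" ]; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            BADSIG)
                verdict="bad-signature"; break ;;
            EXPSIG|EXPKEYSIG|REVKEYSIG)
                # VALIDSIG can accompany these lines, so stop here.
                verdict="expired-or-revoked"; break ;;
            NO_PUBKEY)
                # arg1 is the long key ID of the key to look up and import.
                verdict="missing-key $arg1" ;;
            VALIDSIG)
                # arg1: fingerprint of the signing (sub)key;
                # last field: fingerprint of its primary key.
                primary=${rest##* }
                if [ "$arg1" = "$pinned" ] || [ "$primary" = "$pinned" ]; then
                    verdict="trusted $arg1"
                else
                    verdict="wrong-key $arg1"
                fi ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# Constructed status output: signer's key is absent from the keyring.
sample_missing_key() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 99990000AAAABBBB 1 2 00 1508250000 9
[GNUPG:] NO_PUBKEY 99990000AAAABBBB
EOF
}

# Constructed status output: key imported, ownership not yet established.
sample_good() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 99990000AAAABBBB Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 11112222333344445555666699990000AAAABBBB 2017-10-17 1508250000 0 4 0 1 2 00 11112222333344445555666699990000AAAABBBB
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

PINNED_FPR="1111 2222 3333 4444 5555 6666 9999 0000 AAAA BBBB"  # constructed
sample_missing_key | classify_status "$PINNED_FPR"
sample_good | classify_status "$PINNED_FPR"
```

Pin the full fingerprint, obtained from a source you trust independently of the download, rather than the 8-character key ID, which is short enough to collide.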