Channel: Nginx Forum - How to...
Viewing all 4759 articles

Re: auth_request and fastcgi_pass can't use var? And what should I do ?

I've solved this with

location ~ '^/el/(?<tk>.+)/(?<tail>php/\d/[\w+/\.-=_]+)?$' {
    set $auth_request_uri "http://127.0.0.1:10101/auth/$tk";
    auth_request /auth;
    autoindex on;
    alias /var/ftp/pub/centos/php/$tail;
}

location /auth {
    internal;
    proxy_pass $auth_request_uri;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;
}

nginx phishing, clon web

Hi, I can not solve a problem.
They are phishing me with my server.
My website: https://www.bitspiele.de/spiele/simple-search

Use Nginx and php 7.2 with plesk updated all ...
The fact is that I cloned the web in real time and changed some parameters with some script
phishing web example ->
https://www.swedpaperp.tk/spiele/simple-search
how do they do that?
I try to block it with variables in nginx like $host $host_name and I have tried everything, but it replaces these variables of its domain with mine and it is impossible. In PHP I also put $_SERVER variables and also replace my host name with mine.
I do not know what to do, any help?
Thank you.

Connection through Vpn

Hi, I've been pulling my hair out with this so thought I might ask around. I've also not been able to find much by googling. So does anybody know how to access services through an nginx reverse proxy when connected to a VPN provider? The OpenVPN client does this out of the box, but I want to connect through the IKEv2 adapter on Windows. The problem is that when I do, all remote connectivity to my services is lost.

Nginx valid_referers with "none" option disable hotlinking protection

This is my code:

    valid_referers none blocked *.alloweddomain.com;
    if ($invalid_referer){
        return 403;
    }
}

The hotlinking doesn't work. But this works fine:

    valid_referers blocked *.alloweddomain.com;
    if ($invalid_referer){
        return 403;
    }
}

Why does the **none** option cause the code not to work?

Reference: http://nginxlibrary.com/hotlink-protection/

Re: nginx phishing, clon web

Stuck with Proxy_Pass - help needed

Hello

I have setup a proxy pass to point a URL to an internal web server which uses a self signed certificate.

I have a DNS entry pointing my URL "wifi.example.com" to my NGINX server 172.28.6.131

I have set up a config entry in sites-available so that when someone surfs to wifi.example.com it will redirect to https://172.28.8.249:8443

Problem is I get wifi.example.com sent an invalid response and ERR_SSL_PROTOCOL_ERROR

The config on NGINX is as follows

server {
    listen 443;
    server_name wifi.example;

    location / {
        proxy_pass https://172.28.8.249:8443;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_ssl_session_reuse off;
    }
}

I can confirm the configuration is redirecting as I have other configurations pointing to other internal servers but only using HTTP and they are all working just fine. I seem to be stuck when it comes to HTTPS. The server it is redirecting is only a self signed certificate.

Can anyone assist?

Ross

Proxy_pass redirect suffix

Good Morning.
I have a problem using the reverse proxy in nginx.
I need it to work this way:
test.example.com -> proxy_pass localhost:8080/test
test1.example.com -> proxy_pass localhost:8080/teste1
So, in the URL, it would be test.example.com/test, test1.example.com/test1; however, the user would type only test.example.com and nginx would automatically fill in the suffix.
I need to have the suffix because the applications have hard-coded URLs.

Thank you

React / Kestrel settings for admin folder

Hello,

I'm trying to setup new location rule for the "admin" folder for my reactjs SPA application. It uses Kestrel as a web server and Nginx as a proxy.

I have already one configuration, which is working fine with redirection all requests to the index.html file, which contains necessary javascript logic:

location /favicon.ico {
    proxy_pass http://localhost:5000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection keep-alive;
    proxy_set_header Host $host;
}

location ~ ^/(fonts|img|js|lib|script|style)/ {
    proxy_pass http://localhost:5000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection keep-alive;
    proxy_set_header Host $host;
}

location / {
    try_files $uri /index.html;
    proxy_pass http://localhost:5000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection keep-alive;
    proxy_set_header Host $host;
}

Now I need to add a rule for the /admin/ folder which will route all requests to /admin/index.html once /admin/ is a part of the path, but the following does not work:

location /admin/ {
    try_files /index.html $uri;
    proxy_pass http://localhost:5000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection keep-alive;
    proxy_set_header Host $host;
}

What am I doing wrong?

Thanks,
Anton

Reverse proxy, tls mutual authentication client list

Hi

We plan to use nginx to control access from IoT devices connecting to a server HTTP(S)/REST interface over TLS.

We want to use client certificates stored on the IoT devices to do TLS mutual authentication and found that nginx seems to support this application very well in reverse-proxy configuration.

We use the following nginx configuration to validate the client certificates:

ssl_client_certificate trustedClients.pem;
ssl_verify_client on;

, with trustedClients.pem containing a concatenation of all trusted client certificates.

This works very well, only clients with certificates in trustedClients.pem are allowed access.

We wonder if this is the preferred method if the trusted client list contains hundreds of clients? And if so, does some tool exist to manage the list of client certificates in a certificate bundle?

We appreciate any assistance you can provide on this.

Best regards
Christian

custom log_format not inherited by server block

Hello. I am compiling Nginx 1.14.0 from source with a view to compiling ipscrub as a dynamic module.

My compile completes without error, my nginx.conf validates, Nginx runs as expected, yet my server block throws an error about an unknown log format.

If my `log_format` directive appears after the `access_log` directive in nginx.conf, it will not validate, stating:

nginx: [emerg] unknown log format "ipscrubbed" in /etc/nginx/nginx.conf:15

If my `log_format` directive appears before the `access_log` directive in nginx.conf, it validates.

If my `log_format` directive appears before the `access_log` directive in nginx.conf, the default server block will not validate, stating:

nginx: [emerg] unknown log format "ipscrubbed" in /etc/nginx/sites-enabled/default:2

…implying that although my custom `log_format` is valid, the default server block is not inheriting it. Which has completely thrown me. Do I need to reposition the `access_log` directive to a later point in the server block? Or is there something else fundamental that I'm overlooking?

I would very much appreciate an additional pair of eyes on this, if your interest, time and attention permits.

Thank you in advance.




My compile script: https://gist.github.com/petecooper/95b532b343372f707876161ee338b870

My nginx.conf: https://gist.github.com/petecooper/29fcf66f1fad0279b157201c8f233c59

My server block: https://gist.github.com/petecooper/b3fa68a165afd03fdaca3ba32545f49e

Re: nginx as reverse proxy with client ssl authentication

Maybe if you're interested in the solution:

There's really nothing helpful in these logs.

After doing a traffic capture together with the backend provider, the following was figured out.

Our client cert was signed by an intermediate certificate. The backend checked against the root CA certificate.

So we need to send the intermediate certificate together with the client cert in a file included by proxy_ssl_certificate.

Just put both certificates together like

    cat client.cert intermediate.cert > client+intermediate.cert

Then it worked.
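
The fix described in the post above, reproduced as an added example that is not part of the original post: a throwaway root, intermediate and client certificate are generated with openssl, and a backend that trusts only the root is modelled with `openssl verify`. The `issue` and `backend_accepts` helpers and all subject names are constructed for this illustration; the file names follow the post's `cat` command.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI (root -> intermediate -> client).
# Helper names and subjects are made up; file names follow the post's cat command.

issue() {  # issue NAME EXT_SECTION [ISSUER]; without ISSUER the cert is self-signed
    name=$1; section=$2; issuer=$3
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo $name" \
        -keyout "$name.key" -out "$name.csr" 2>/dev/null || return 1
    if [ -n "$issuer" ]; then
        signer="-CA $issuer.cert -CAkey $issuer.key -set_serial 1"
    else
        signer="-signkey $name.key"
    fi
    # $signer is left unquoted on purpose so it splits into separate arguments
    openssl x509 -req -in "$name.csr" -days 1 -extfile ext.cnf \
        -extensions "$section" $signer -out "$name.cert" 2>/dev/null
}

# Model of the backend's check: only root.cert is trusted. openssl verifies the
# first certificate in the file; the remaining ones are untrusted chain
# candidates, like the extra certificates a TLS client sends in the handshake.
backend_accepts() {  # backend_accepts FILE_GIVEN_TO_proxy_ssl_certificate
    openssl verify -CAfile root.cert -untrusted "$1" "$1" 2>&1 | grep -q ': OK$'
}

workdir=$(mktemp -d) && cd "$workdir" || exit 1
printf '%s\n' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
    '[v3_leaf]' 'basicConstraints=CA:FALSE' > ext.cnf
issue root v3_ca
issue intermediate v3_ca root
issue client v3_leaf intermediate

# The post's fix: leaf first, then the intermediate that signed it
cat client.cert intermediate.cert > client+intermediate.cert

for f in client.cert client+intermediate.cert; do
    if backend_accepts "$f"; then echo "$f: accepted"; else echo "$f: rejected"; fi
done
```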

exception in location

I use this to deny access to wp-login.php

location ~ /wp-login.php$ { deny all; }

However, I want to add an exception and allow it only if it contains "itsec-hb-token", I.e.

wp-login.php?itsec-hb-token=wplogin

where wplogin can be any username

Basic question about single entry point - why my solution actually *works*?

Hi. I'm a newbie - started playing with nginx in the last days.

I'm trying to make a front controller (single entry point), i.e. all the requests to non-existing files/dirs should be forwarded to index.php, passing "stuff". My host is "http://point1.local" and I want http://point1.local/foo to be forwarded to http://point1.local/index.php (because 'foo' doesn't exist).

I have this right now (and it seems to work): https://paste.ngx.cc/03

That is (shortened):

server {
    listen 80 default_server;
    server_name point1.local;
    index index.php;
    root /var/www/html/point/point1;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        try_files $uri =404;

        # Bypass the fact that try_files resets $fastcgi_path_info
        # see: http://trac.nginx.org/nginx/ticket/321
        set $path_info $fastcgi_path_info;
        fastcgi_param PATH_INFO $path_info;

        include fastcgi.conf;

        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    }
}

But my question is - I have read in at least two places that only ONE 'location' catches, i.e. is "considered". For example here:
http://blog.martinfjordvald.com/2010/07/nginx-primer/ says "The most important things to note (...) and only one location block will ever be run."

Then... how does this work? Because it clearly not only does the 'try_files' thing (first location block), but it *is* also then handled by the PHP engine (second location block).

Is it because the first one directs to index.php file and then, in contrast to the information I found, the second location block kicks in?

Re: Basic question about single entry point - why my solution actually *works*?

Well, I'll answer myself.

It seems that the sentence "and only one location block will ever be run" is not quite precise, because nginx obviously can run more locations if we do any kind of 'rewrite', which try_files does (kind of). The same author in the same article even mentions this (this is related to a different example in the article):

(...) The one try files line means that it will first try accessing the full URI, which means that a static file request will end here. Secondly it will try the full URI plus a slash, thus looking for a directory. Finally, if none of these are found it will send the request to /index.php **and perform a new location match**, which will of course hit our PHP location and fastcgi_pass the request

static file server recursively redirect to index.html

nginx version: nginx/1.0.15

I have configured a static file server.
conf:

location /strategy/ {
    root /www;
}

Under the directory /www/strategy, there is a file named date.txt, whose content is:
Tue May 22 11:23:47 CST 2018

I can get the right response with curl:

curl http://localhost/strategy/date.txt

but when I visit the URL (http://localhost/strategy/date.txt) in Chrome, it was redirected to http://localhost/strategy/date.txt/
and then to http://localhost/strategy/date.txt/index.html,
then http://localhost/strategy/date.txt/index.html,
then http://localhost/strategy/date.txt/index.html/index.html,
then http://localhost/strategy/date.txt/index.html/index.html/index.html,
...
and so on.

Can anybody explain why? Thanks in advance!

Set FastCGI response header in logs

Hello,
I've a FastCGI application that authenticates users and sets the username in a "Lm-Remote-User" header. I'm trying to set the username in nginx logs:

log_format lm_combined '$remote_addr - $lmremote_user [$time_local] ...;
access_log conf/nginx.log lm_combined;
...
server {
...
location ~ .*\.psgi)(?:$|/) {
set $lmremote_user $http_lm_remote_user;
...
}
}

Logs never contain usernames and debug shows that $lmremote_user isn't initialized (I verified that the header is set).
Is there a way to catch a response header and set it in logs?

Regards,
Xavier

Re: Set FastCGI response header in logs

Note that I tried also $upstream_lm_remote_user and $upstream_http_lm_remote_user

Re: Set FastCGI response header in logs

Succeeded by using it directly:

log_format lm_app '$remote_addr - $upstream_http_lm_remote_user [$time_local]...

Access Proxmox containers via Nginx proxy_pass

Hello,
I have three Proxmox containers, one of them is nginx to act as redirection to other two containers. http redirection to both containers works fine. I'm stuck with https (openssl). Now I have generated cert and key only on nginx side, not on proxmox container side. This is one of two server blocks I've tried so far

server {
    listen 443 ssl;
    server_name example.ddns.net;
    access_log /var/log/nginx/example_access.log;
    error_log /var/log/nginx/example_error.log;

    ssl on;
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    proxy_redirect off;

    location / {
        proxy_pass https://192.168.178.100;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

This shows 502 Bad Gateway when accessing through https://example.ddns.net. On 192.168.178.100, apache2 is running with http configured and is listening on port 8080.

2018/05/20 19:04:48 [error] 882#882: *1 SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to upstream, client: [public_ip_here], server: example.ddns. net, request: "GET / HTTP/1.1", upstream: "https: //192.168.178.100:443/", host: "example.ddns. net"

Should I also configure SSL on the Proxmox container, where I actually have Apache? Thanks for any explanation.

Issue with the TCP Load Balancing

Dear all,

I am a beginner with NGINX load balancing and I am facing a problem.

In detail, I set the upstream servers as the Mosquitto service, which is running on port 6677. There are 2 Mosquitto servers in the upstream. One is the master, the other is the backup.

After that, I run the command "kill -SIGSTOP PID" to hang the Mosquitto service on the master server.
The issue is that the Nginx load balancing does not switch the Mosquitto connection to the backup server, so I cannot get data as expected.

Please help with this case. I hope that if the service hangs on the master server, the connection will be switched to the backup server.

Thanks for your help and sorry about my poor English.

Here is my configuration:
upstream backend {
    server 192.168.50.14:6677;
    server 192.168.50.15:6677 backup;
}