Channel: Nginx Forum - How to...

NGINX Rate limit -- How to exclude cache hit

I believe the NGINX rate limit is applicable at the context level. Is there any way to exempt cache HITs from the rate limit?

Re: nginx for Windows log file

Never mind, you just have to add:

access_log off;
error_log off;

Header problem after upgrade from 1.6 to 1.10

Hi !

I used to run nginx v1.6 with this configuration :

location / {
alias /some/path/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header uuid $uuid;
more_set_headers 'Access-Control-Allow-Origin: $http_origin';
more_set_headers 'Access-Control-Allow-Credentials: true';
more_set_headers 'Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS';
more_set_headers 'Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,access_token,__setXHR_';
if ($request_method = 'OPTIONS') {
more_set_headers 'Access-Control-Allow-Origin: $http_origin';
more_set_headers 'Access-Control-Allow-Credentials: true';
more_set_headers 'Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS';
more_set_headers 'Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,access_token,__setXHR_';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
}

Since my upgrade to nginx v1.10.x, "more_set_headers" isn't working anymore, and I've replaced it with add_header 'blablabla' always;

It now looks like this :

location / {
alias /some/path/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header uuid $uuid;
add_header 'Access-Control-Allow-Origin: $http_origin' always;
add_header 'Access-Control-Allow-Credentials: true' always;
add_header 'Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS' always;
add_header 'Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,access_token,__setXHR_' always;
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin: $http_origin' always;
add_header 'Access-Control-Allow-Credentials: true' always;
add_header 'Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS' always;
add_header 'Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,access_token,__setXHR_' always;
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
}

However, when I now go on the website, I have this error :

"Failed to load https://mywebsite/auth/login: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header contains multiple values '$http_origin: always', but only one is allowed. Origin 'https://mywebsite' is therefore not allowed access."

What should I change to make it work ? I'm a bit stuck there.
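
An added example, not part of the original post: `add_header` takes the header name and the value as two separate arguments, so the quoted `'Name: value'` form above makes `always` the header value, which is what the browser error reports. The sketch below uses the two-argument form and, as an assumption beyond the post, replaces the reflected `$http_origin` with a `map` allowlist (the `$cors_origin` variable, the second origin, and the `listen`/`server_name` values are placeholders), because echoing any origin together with `Access-Control-Allow-Credentials: true` lets any site read authenticated responses.

```nginx
# http{} context. $cors_origin stays empty unless the Origin is allowlisted;
# add_header emits no header at all when its value is an empty string.
map $http_origin $cors_origin {
    default                    "";
    "https://mywebsite"        $http_origin;
    "https://app.mywebsite"    $http_origin;   # placeholder second origin
}

server {
    listen 80;                 # placeholder listener
    server_name mywebsite;     # placeholder name

    location / {
        alias /some/path/;

        # Name and value are separate arguments; "always" is the optional third.
        add_header Access-Control-Allow-Origin      $cors_origin always;
        add_header Access-Control-Allow-Credentials true always;
        add_header Access-Control-Allow-Methods     "GET, POST, PUT, DELETE, OPTIONS" always;
        add_header Access-Control-Allow-Headers     "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,access_token,__setXHR_" always;
        # The response differs per Origin, so caches must key on it.
        add_header Vary                             Origin always;

        if ($request_method = OPTIONS) {
            # add_header directives are not inherited once a level defines
            # its own, so the preflight branch repeats them.
            add_header Access-Control-Allow-Origin      $cors_origin always;
            add_header Access-Control-Allow-Credentials true always;
            add_header Access-Control-Allow-Methods     "GET, POST, PUT, DELETE, OPTIONS" always;
            add_header Access-Control-Allow-Headers     "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,access_token,__setXHR_" always;
            add_header Vary                             Origin always;
            add_header Access-Control-Max-Age           1728000 always;
            return 204;
        }
    }
}
```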

Passing thru Nginx into the FTP server

Hi Team,
Questions
I have an FTP server on a local server and am trying to publish it outside of our network. I edited the conf file as below, but it's not working.
I can telnet to the nginx server from outside the network, but it's not passing through.

#------------------------------------
# FTP Server Open 221
#---------------
server {
listen 221;
server_name vhome.abct.com;

location / {
proxy_pass ftp://192.168.100.42;
proxy_redirect default;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}

Any help please

two virtual hosts with same domain name but different ports?

Hi,

I have a virtual host running fine, say:

sample.com
server {
listen 80;
server_name sample.com;
...




now I need to set up another virtual host but same name, say:

sample.com:3000

I put the new conf file:
server {
listen 3000;
server_name sample.com;
...


but http://sample.com:3000 always goes back to sample.com, any idea how to make it work? Thanks

Chen

Is NGINX messing up my network?

I used to access my internal services like example.com:6868 and bar.example.com:6969. I had one or two subdomains like fubar.example.com and foobar.example.com. But with the wonders of nginx, I was able to proxy everything so I could stop using ports.

All was well until suddenly I couldn't access any sites from **inside** my network. I could access it outside. I could ping the ip and the FQDN. But I couldn't browse to it. A reboot of the router and the problem went away. But it came back a few hours later. And again. And again.

I complained to eero (the router mfg) but now that I think about it, nginx is probably the culprit as things were running well until its introduction several days ago. I suspect that **something** is happening on a schedule that is causing the problem. If I were to catch the second the problem started, are there log files of everything that is going on at that instant?

Proxy http site without access log?

(Please excuse my English. The domain names used in this post are examples, not real ones)

I opened the website " https://my.server.com " and homepage " https://my.server.com/index.html "
with an nginx server. The problem is that the homepage index.html contains an iframe whose source
URL is " http://www.example.com ".
As many know, web browsers nowadays strictly prohibit an https site from accessing an http site.
So, the index.html cannot display the iframe properly.

To solve this problem, I added another https server block (port 2424) in my nginx.conf, to proxy
the http://www.example.com site.

server {
server_name my.server.com;
listen 2424 ssl;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 60m;

location / {
sendfile off;
tcp_nopush off;
tcp_nodelay on;

#location ~ \.(ico|png|gif)$ { # commented out
# access_log off;
#}

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 90;

proxy_pass http://www.example.com;
}
}

The above code is the added proxy server block. My nginx server operated well with the above proxy server block.
But the problem occurred when I uncommented the location block below. The location block is often used
so that *.ico, *.png and *.gif files do not leave access log entries.

location ~ \.(ico|png|gif)$ {
access_log off;
}

When I uncommented the location block, my proxy server could not transfer *.ico, *.png and *.gif files from
http://www.example.com.

How can I transfer the *.ico, *.png and *.gif files from http://www.example.com without access log?

Additionally, I am not good at proxy server settings. If there are settings that are not good in my proxy server block,
please leave comments.
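
An added example, not part of the original post: a regex location is chosen over `location /` for matching URIs and does not inherit `proxy_pass`, so once it is uncommented nginx looks for the images on local disk instead of proxying them. One way to suppress those log lines without a second location is the `if=` parameter of `access_log` (nginx 1.7.0 and later); the `$loggable` variable name and the log path are assumptions.

```nginx
# http{} context: 0 disables logging for the request, anything else logs it.
map $uri $loggable {
    default                 1;
    ~*\.(ico|png|gif)$      0;
}

server {
    server_name my.server.com;
    listen 2424 ssl;
    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    # Every request still goes through the single proxying location;
    # only the log write is conditional.
    access_log /var/log/nginx/access.log combined if=$loggable;

    location / {
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 90;
        proxy_pass http://www.example.com;
    }
}
```

Requests excluded this way are also invisible to anything that reads the access log, so errors on those paths are better kept: mapping on `$status` as well is a common refinement.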

Re: two virtual hosts with same domain name but different ports?

Hi,

I am done with my following configuration and it works,
make sure your firewall allows those ports

server {
listen 80;
location / {

proxy_pass "http://IP_AppServer:80";
proxy_set_header X-proxy IP_Nginx;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_next_upstream error timeout invalid_header http_500 http_404;
proxy_set_header X-Client-IP $remote_addr;
}
}
server {
listen 8080;
location / {

proxy_pass "http://IP_AppServer:8080";
proxy_set_header X-proxy IP_Nginx;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_next_upstream error timeout invalid_header http_500 http_404;
proxy_set_header X-Client-IP $remote_addr;
}
}

Help with location match regex for encoded / unencoded url

Hi all, I really hope someone can assist me as I am out of ideas to get a regex working for this location match.

I need a location regex to match the following requests and redirect them to the correct location but regex has me totally stumped on this one.

The unencoded URL string is:

/historical-rainfall-trends-south-africa-1921–2015.pdf

The encoded URL string is:

/historical-rainfall-trends-south-africa-1921%C3%A2%E2%82%AC%E2%80%9C2015.pdf

How can I get a location match for these? It's literally only one pdf file that got uploaded with a messed up filename and now I am unable to redirect search engines to the correct file.

Magento2 and Fishpig wordpress integration

Hello,
I have a WordPress blog integrated into Magento via FishPig's module.

Wordpress is in magento2-root/pub/wp
but in magento settings is set to The front of blog is showing 404, wordpress admin is working fine

I have set in wordpress >> settings >> general
WordPress Address (URL) : magentoUrl/wp
Site Address (URL) : magentoUrl/blog

What is the setup for fixing this in nginx?
I am using magento-cloud
Thanks,

Re: Help with location match regex for encoded / unencoded url

I get a match with this regex here - https://regex101.com/r/3Lk2zr/3

but then using this

location ~ /.*[^\x00-\x7F]+.* {
return 444;
}

still gives me a 404 and not a 444

Likewise I get a match with this - https://regex101.com/r/80KWJ8/1
But then
location ~ /.*([^?]*)\%(.*)$ {
return 444;
}

Gives 404 and not 444 ???? I might just add my regex sucks

Re: Help with location match regex for encoded / unencoded url

SOLVED with this.

location /resources {
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|pdf)$ {
        if ($request_uri ~ .*%.*) { return 301 https://example.com/resources/weather-documents/historical-rainfall-trends-south-africa_1921_2015.pdf; }
        if ($request_uri ~ .*[^\x00-\x7F]+.*) { return 301 https://example.com/resources/weather-documents/historical-rainfall-trends-south-africa_1921_2015.pdf; }
    }
}

See: https://stackoverflow.com/questions/51747175/nginx-location-match-regex-for-special-characters-and-encoded-url-characters

Losing all of my (residual) hair on an access problem

Dear friends,
I almost burned my eyes but have to call it quits. Hope you can help.
I have an nginx server setup on a raspberry box to power an rtorrent/rutorrent seedbox.

I get the /rutorrent page just fine from any local LAN client.

From my cellphone/iPad when NOT connected via WiFi but via cellular data (hence clients NOT on my local LAN) I cannot load the /rutorrent page nor the / page.

What is making me crazy is that ONCE I saw the damn page but now not anymore. Sometimes I see nothing at all, some other times despite using a http://xxx.yyy.www.zzz static IP public address the cellular browsers get a "secure connection failed" error.

FWIW sudo nginx -t succeeds while running nginx -t without root privileges quite understandably gives:
bob@rpi2b:/etc/nginx/sites-available $ nginx -t
nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
2018/08/11 18:06:47 [warn] 21893#21893: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1
2018/08/11 18:06:47 [emerg] 21893#21893: SSL_CTX_use_PrivateKey_file("/etc/ssl/private/ruweb.key") failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/ssl/private/ruweb.key','r') error:20074002:BIO routines:file_ctrl:system lib error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib)
nginx: configuration file /etc/nginx/nginx.conf test failed

Here follows the related data. Thank you for any help.

default available-sites:
server {
listen 80;
root /var/www;
index index.html index.php index.htm;

#Below enter IP address or block to allow, eg LAN and/or VPN blocks
allow all;

error_page 403 = @denied;
location @denied {
return 301 https://$host$request_uri;
}

location / {
try_files $uri $uri/ =404;
}

location /rutorrent {
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;
include /etc/nginx/conf.d/php;
include /etc/nginx/conf.d/cache;
}

#include /etc/nginx/sites-available/dload-loc;

location ~ /\.ht {
deny all;
}
}

server {
listen 443 ssl;

root /var/www;
index index.html index.php index.htm;

client_max_body_size 40m;

ssl_certificate /etc/ssl/ruweb.crt;
ssl_certificate_key /etc/ssl/private/ruweb.key;
ssl_session_timeout 5m;

location / {
try_files $uri $uri/ =404;
}

location /rutorrent {
client_max_body_size 40m;
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;
include /etc/nginx/conf.d/php;
include /etc/nginx/conf.d/cache;
}

#include /etc/nginx/sites-available/dload-loc;

location ~ /\.ht {
deny all;
}

}

Help obfuscating access.log GET request parameters on AWS Elastic Beanstalk

I am trying to obfuscate a sensitive parameter that appears on some GET requests. These requests are encrypted, but are appearing in the access.log files in plain text.

I found this Stack Overflow question, which solves my issue... except that I don't configure nginx myself.
https://stackoverflow.com/questions/19265766/how-to-not-log-a-get-request-parameter-in-the-nginx-access-logs

I use AWS Elastic Beanstalk, which creates an EC2 instance running nginx. I have done literally 0 configuration of nginx myself, it uses default settings, including the default log_format.

I know that I have a file, `./ebextensions/nginx.config`, but currently its contents are just this, to change the max body size of a request so that it's large enough to accept full res images from mobile devices:

```
files:
/etc/nginx/conf.d/proxy.conf:
content: |
client_max_body_size 5M;
```

I think I would be able to SSH into my instance to update this, but that would be overwritten with each deployment, and any new instance that gets spun up would still be using the defaults, so I think I need to figure out how to modify this from the file I posted above. However, I can hardly find any information on how to utilize this file.

Any help would be greatly appreciated!

Re: Help obfuscating access.log GET request parameters on AWS Elastic Beanstalk

Here's where I'm at so far.

EB extensions allow you to add files, similar to what I did above. The default nginx.config looks like this:

```
# Elastic Beanstalk Managed

# Elastic Beanstalk managed configuration file
# Some configuration of nginx can be by placing files in /etc/nginx/conf.d
# using Configuration Files.
# http://docs.amazonwebservices.com/elasticbeanstalk/latest/dg/customize-containers.html
#
# Modifications of nginx.conf can be performed using container_commands to modify the staged version
# located in /tmp/deployment/config/etc#nginx#nginx.conf

# Elastic_Beanstalk
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;

error_log /var/log/nginx/error.log;

pid /var/run/nginx.pid;


events {
worker_connections 1024;
}

http {

port_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;

log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log /var/log/nginx/access.log main;

sendfile on;

keepalive_timeout 65;
# Elastic Beanstalk Modification(EB_INCLUDE)

log_format healthd '$msec"$uri"'
'$status"$request_time"$upstream_response_time"'
'$http_x_forwarded_for';

include /etc/nginx/conf.d/*.conf;
# End Modification

}
```

Note at the end, `include /etc/nginx/conf.d/*.conf;`, which will include other .conf files, like the one I posted in my question that just sets the max body size.

AWS EB also has a default file that gets included, autogenerated by EB: etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf

```
# Elastic Beanstalk Managed

# Elastic Beanstalk managed configuration file
# Some configuration of nginx can be by placing files in /etc/nginx/conf.d
# using Configuration Files.
# http://docs.amazonwebservices.com/elasticbeanstalk/latest/dg/customize-containers.html
#
# Modifications of nginx.conf can be performed using container_commands to modify the staged version
# located in /tmp/deployment/config/etc#nginx#nginx.conf


upstream nodejs {
server 127.0.0.1:8081;
keepalive 256;
}

server {
listen 8080;


if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2})") {
set $year $1;
set $month $2;
set $day $3;
set $hour $4;
}
access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd;
access_log /var/log/nginx/access.log main;


location / {
proxy_pass http://nodejs;
proxy_set_header Connection "";
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

gzip on;
gzip_comp_level 4;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;


}
```

Of note is the sloppy indenting, that's literally copied from AWS' own file...

Anyway, it seems that this file is where I would have to do what the Stack Overflow answer I posted suggests, since it's where the Server { } configuration is.

The comments at the top of each file mention you can modify nginx.config through container commands, but I do not believe that will help me, since nginx.config doesn't contain the Server call. However, I've got to imagine these container commands could also be used to update this file, no? Here is a link discussing container commands: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-containers-ec2.html#linux-container-commands

So now it looks like what I need is a command that will copy the existing `00_elastic_beanstalk_proxy.conf` and inject the following:
```
log_format filter '$remote_addr - $remote_user [$time_local] '
'"$temp" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
#....

#inside server block
location /my/sensitive/route {
set $temp $request;
if ($temp ~ (.*)password=[^&]*(.*)) {
set $temp $1password=*****$2;
}

access_log /var/log/nginx/access.log filter;
}
```


So at this point, I'm thinking I literally need to include a bash script with my source code that takes an input file, adds a new line at the beginning of the file `log_format filter '$remote_addr - $remote_user [$time_local] ''"$temp" $status $body_bytes_sent "$http_referer" "$http_user_agent"';`, since this file is all encapsulated within the http directive, then find the line with `server{` || `server {`, and add the location block below it....

Can anybody tell me that I'm completely wrong before I go ahead and do this?
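
An added example, not part of the original post or of AWS's files: the redaction itself can live entirely in a file under `/etc/nginx/conf.d/`, which the `include` shown above loads inside `http {}`, by using a `map` instead of `set`/`if` in a location. The variable names (`$request_redacted`, `$redact_pre`, `$redact_post`) are assumptions, and a `map` value that mixes text with variables needs nginx 1.11.0 or later.

```nginx
# http{} context (e.g. a file dropped into /etc/nginx/conf.d/).
# The map is evaluated lazily, when the log line is written.
# Named captures are used because positional $1/$2 can be overwritten
# by other regex matches during the request.
map $request $request_redacted {
    default $request;
    "~^(?<redact_pre>.*[?&]password=)[^& ]*(?<redact_post>.*)$"
            "${redact_pre}*****${redact_post}";
}

# Same fields as the "filter" format in the post, with the request line
# taken from the redacted variable instead of $request.
log_format filter '$remote_addr - $remote_user [$time_local] '
                  '"$request_redacted" $status $body_bytes_sent '
                  '"$http_referer" "$http_user_agent"';

# The one change still needed inside the server block is the format name:
#   access_log /var/log/nginx/access.log filter;
```

The parameter can also reach the log through `$http_referer` when a page carrying it links onward, so that field needs the same treatment if such pages exist.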

Reverse proxy to backend servers - single public IP

Hi, I'm after a little help.

I have a setup where I require my single public IP to serve 3 websites hosted on virtual servers. I am running NGINX on a 4th VM, this is where I am pointing all my port forwards. When I load the external IP, it comes up with the nginx default page.

What I need is to reverse proxy subdomain.mydomain.com.au to vmserver 1, subdomain2.mydomain.com.au to vmserver 2 and subdomain3.mydomain.com.au to vmserver 3.

I have tried to set up reverse proxy with what I understand to be the config (sites-available/mydomain) with server and proxy pass, but I cannot get it to forward requests. I am also wanting it to listen on both 80 and 443 for each of these servers.


Is there someone out there that is willing to help? I know it won't be a hard fix, but I am not great at Ubuntu Server and very new to nginx.

Look forward to hearing from someone....

Reverse proxy using x-forwarded-for to back-end server with single visitor real wan IP

Hello all,

We are using Nginx as a reverse proxy server in front of a backend web server,
and we need to log the visitor's real WAN IP address.


X-Forwarded-For: client, proxy1, proxy2

We only want to log the client WAN IP and not pass the proxy1, proxy2 IP addresses to the backend web server.

We tried configuring as below, but it is not working.
proxy_set_header Forwarded $http_x_forwarded_for;

Any suggestion?
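
An added example, not part of the original post: every entry in `X-Forwarded-For` that was not appended by a proxy you operate is client-supplied, so the leftmost value cannot simply be trusted. The sketch below assumes nginx is built with `ngx_http_realip_module`; the trusted addresses and the upstream name are placeholders.

```nginx
server {
    listen 80;

    # Only addresses listed here are believed when they appear as the
    # connecting peer or as a hop in the header (placeholders for the
    # known proxies in front of nginx).
    set_real_ip_from 10.0.0.0/8;
    set_real_ip_from 192.0.2.10;

    real_ip_header    X-Forwarded-For;
    # Walk the header right to left and stop at the first address that is
    # NOT trusted; that address becomes $remote_addr.
    real_ip_recursive on;

    location / {
        # Send the backend a single address and drop the rest of the chain.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header Host            $host;
        proxy_pass http://backend.internal;   # placeholder upstream
    }
}
```

With this in place the default `$remote_addr` field in nginx's own access log is the client address as well; `$realip_remote_addr` (nginx 1.9.7 and later) still holds the address of the directly connected proxy.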

Re: Preserving Source IP using SSL Preread + OpenVPN

Thank you for sharing this solution. I will try it out.

Https Redirect Issue with NGINX

I have a rather bizarre problem here.

I have several sites on the same server running with Nginx; only one has HTTPS certificate and the other does not. The problem is that if a client enters the site without the certificate and places HTTPS in it, the site is redirected to the domain that owns HTTPS.

It seems to me that some default setting is doing the redirect to the HTTPS site and I can not figure out the problem.

Can someone help me???

NGINX to Exchange 2010

Hello,

Really hoping someone can help!
Having issues with autodiscover through nginx. If I manually navigate to the autodiscover URL (https://autodiscover.domain.com/autodiscover/autodiscover.xml) I am prompted for credentials, but all login attempts fail.
Navigating to the autodiscover.xml URL on a different domain on the same CAS but not through nginx also prompts for credentials although login attempts are successful and return the XML.

Exchange 2010

Config:

server {
listen 80;

server_name autodiscover.domain.com;

return 301 https://$host$request_uri;
}

server {

listen 443;
ssl on;
ssl_certificate /linktocerts;
ssl_certificate_key /linotocerts;
server_name autodiscover.domain.com;

proxy_pass_header Date;
proxy_pass_header Server;
proxy_pass_header Authorization;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Accept-Encoding "";
proxy_pass_request_headers on;
proxy_set_header Host $host;
more_set_input_headers 'Authorization: $http_authorization';
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_request_buffering off;
proxy_buffering off;
proxy_set_header Connection "Keep-Alive";

location / {
proxy_pass https://mail.eurogarages.com;
proxy_http_version 1.1;
}
# location ~* ^/owa {proxy_pass https://internaladdress;}
# location ~* ^/ecp {proxy_pass https://internaladdress;}
# location ~* ^/rpc {proxy_pass https://internaladdress;}
# location ~* ^/autodiscover {proxy_pass https://internaladdress}
}