Channel: Nginx Forum - How to...

How to use nginx to inspect body before sending response to client GET request

Hi,
I am looking for a way to use nginx in order to inspect a response body and then return the response to the client's GET request based on the result of inspection.
I have investigated the sub module filter http://nginx.org/en/docs/http/ngx_http_sub_module.html, but the pattern implemented cannot be reused for my purpose.
I also investigated the example module https://www.nginx.com/resources/wiki/extending/examples/body_filter/, but I was not able to get this module to work. Returning an error code from the body filter is too late and the request gets stuck after the 200 header was already sent.

What I want to achieve is the following:
- Block a client request and perform the following inspection handler (could be an asynch handler)
- Receive the response header (do not forward it yet)
- Receive and inspect/parse the response body
- Depending on the result of the inspection: pass/fail
  + pass:
    * send the response header to the client,
    * send the response body buffers to the client
  + fail:
    * send an error code response header to the client,
    * discard the response body buffers

Thanks in advance

Cache Invalidation

When a user visits a webpage the HTML/CSS/JS normally gets cached on the device.

This is fine but when one of those files is updated on the server how is the device supposed to know to download the new version? I believe this is done through configuring "cache invalidation" on nginx however I'm not sure where or how to set that.

Any idea?

Reverse Proxy for a tp-link router redirects 192.168.0.1

I'm trying to transform HTTP requests from my home router to secure my home network.

I've already routed HTTP requests for the transmission server to HTTPS.

I tried to do the same with my AP, but it only redirects to http://192.168.0.1/

What can I do for now?

Thanks in advance for any help.

location /router {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Referer http://192.168.0.1/;

    proxy_pass http://192.168.0.1;
    proxy_read_timeout 90;
    proxy_redirect http://192.168.0.1 https://mysite.com/router/;
}

More Detailed Error logging on Failure to use PHP GD Library Function

Been posting about it here https://github.com/Intervention/image/issues/926 . I am using Laradock with PHP-FPM and Nginx. Each time I use the GD library to manipulate images with Laravel and Image Intervention I get an error 500 before or on start of using a resize method.

I get no other useful errors at all besides that error 500. According to php info and some other checks the GD Library is up and running. And there do not seem to be permission issues as I can manipulate images with Imagemagick and as the first step (storing original and basic thumbnail) do work.

Here is the default.conf I am currently using:

server {

    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    # For https
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server ipv6only=on;
    ssl_certificate /etc/nginx/ssl/default.crt;
    ssl_certificate_key /etc/nginx/ssl/default.key;

    server_name localhost;
    root /var/www/public;
    index index.php index.html index.htm;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_pass php-upstream;
        fastcgi_index index.php;
        fastcgi_buffers 16 16k;
        fastcgi_buffer_size 32k;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        #fixes timeouts
        fastcgi_read_timeout 600;
        include fastcgi_params;
    }

    location ~ /\.ht {
        deny all;
    }

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt/;
        log_not_found off;
    }
}

It is the one included by https://laradock.io/ and works fine locally as well as on a test server.

How can I make this error 500 on posting the image become more useful so I can debug this issue? Is there a way to get a more useful error message using Nginx than error 500? Can PHP-FPM send over some more details somehow?

Re: More Detailed Error logging on Failure to use PHP GD Library Function

Well, I found out it was a lack of memory and/or execution or timeout time. So now laravel.ini has

date.timezone=UTC
display_errors=Off
log_errors=On

; Maximum amount of memory a script may consume (128MB)
; http://php.net/memory-limit
memory_limit = 512M
; Maximum allowed size for uploaded files.
; http://php.net/upload-max-filesize
upload_max_filesize = 40M
; Sets max size of post data allowed.
; http://php.net/post-max-size
post_max_size = 40M
max_execution_time=1200
default_socket_timeout=3600
request_terminate_timeout=1200


My question still remains though. How can I let PHP-FPM let Nginx and/or me know there is a lack of memory or execution time? A bare error 500 does not help out at all.

Re: More Detailed Error logging on Failure to use PHP GD Library Function

Realized GD was still not processing. Had it on imagemagick post memory update. So issue not solved and better logging still needed. Also error 500 with Imagick with larger images by the way. So the question how to let PHP FPM show better errors or get nginx to display useful data still stands.

Dynamic IP-based reverse proxy

Hi guys, I'm new to nginx and I would like to try the reverse proxy feature.
I need to achieve this:
Let's suppose my nginx server is at 10.1.1.254. I would like to forward my requests according to URL data, for example:

If I request http://10.1.1.254/192.168.100.1, the reverse proxy should bring http://192.168.100.1.

So far I have built a server block, according to some readings, but it is not working.
This is what I have:

server {
    listen 80;
    server_name localhost;

    location ~ /\b(?:\d{1,3}\.){3}\d{1,3}\b/ {
        proxy_pass http://$1;
    }

}

Note:
The regexp /\b(?:\d{1,3}\.){3}\d{1,3}\b/ has been successfully tested with pcretest:

re> /\b(?:\d{1,3}\.){3}\d{1,3}\b/
data> 192.168.100.2
0: 192.168.100.2

But:
Nginx claims that it cannot compile the filter:
[emerg] 7659#7659: pcre_compile() failed: missing ) in "\b(?:\d" in>e

OK... Any idea would be welcome,
Leandro.

Re: Dynamic IP-based reverse proxy

I made some improvements, using the following server block:

server {
    listen 8888;
    server_name modem;

    location ~ /(.*) {
        proxy_pass http://$1;
    }

}

It seems to be working but something is missing.
I can see that my browser is receiving data and sets the tab title, but it cannot complete the whole web page.
In other cases it prints part of the page.
I don't know if the problem is related to JavaScript, routing ...

Any idea is welcome.
Leandro.
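
Added example, not part of the original posts: a variant of the location block from the first post that nginx will load, restricted so that it cannot be used as an open proxy. The regex is quoted because the configuration parser treats an unquoted "{" as the start of a block, and named captures replace $1, which the non-capturing (?:...) group never sets. The 192.168.100.0/24 target range and the 10.1.1.0/24 client range are assumptions.

```nginx
server {
    listen 80;
    server_name localhost;

    # Assumed client range: only these hosts may use the forwarder at all.
    allow 10.1.1.0/24;
    deny  all;

    # Quoted because the pattern contains "{" and "}".
    # Named captures: "target" is the device address, "rest" is the path on
    # that device (always at least "/").
    # Assumed policy: only 192.168.100.x devices are reachable. With a bare
    # (.*) capture, any client could make nginx fetch from any host it can reach.
    # (A last octet above 255 is not an IP literal; with no resolver
    # configured such a request fails instead of being proxied.)
    location ~ "^/(?<target>192\.168\.100\.\d{1,3})(?<rest>/.*)$" {
        proxy_pass http://$target$rest$is_args$args;
    }

    # /192.168.100.1 without a trailing slash: redirect so "rest" is never empty.
    location ~ "^/192\.168\.100\.\d{1,3}$" {
        return 301 $uri/$is_args$args;
    }

    # Everything else is refused instead of being treated as an upstream name.
    location / {
        return 404;
    }
}
```

Pages on the device that link to absolute paths such as /css/style.css still request them without the address prefix; with this configuration those requests get a 404 rather than being proxied to a host named after the path.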

Mail reverse proxy with SSL/TLS

I have several small local HTTP services running.
To access them from outside I have a nginx reverse proxy running which adds SSL(TLS) to these services, so they can only be accessed via HTTPS (certificate from letsencrypt) from outside. In addition there is an HTTP authentication.

But now I also have a local mail server (davmail). It runs locally without encrypted access.
Now I have the wish that this mail server can be reached just like the HTTP services via the nginx reverse proxy from outside and that the reverse proxy "enriches" the access to it with SSL/TLS. So in the end I want to access the mail server (imap and smtp) from outside via Thunderbird for example with transport encryption only.

The following is my last essential configuration status:

[...]
mail {
    server_name my.domain.com;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/my.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my.domain.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/my.domain.com/fullchain.pem;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    # IMAP reverse proxy
    # should listen to 993 and serve the imap-data from 192.168.0.6 with transport encryption
    server {
        listen 993 ssl;
        protocol imap;
        proxy on;

        # dummy authentication (see http-block below)
        auth_http localhost:8008/auth-imap;
    }
}

http {
    [...]

    # dummy authentication server
    server {
        listen 8008;
        server_name localhost;

        location /auth-imap {
            add_header Auth-Status OK;
            add_header Auth-Server 192.168.0.6; # backend ip
            add_header Auth-Port 1143; # backend port (yes 1143 is correct for my configuration!)
            return 204;
        }
    }


    # example http ssl encryption proxy server
    server {
        server_name my.domain.com;
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        ssl_certificate /etc/letsencrypt/live/my.domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/my.domain.com/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/my.domain.com/fullchain.pem;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

        [...]

        location /example {
            proxy_pass http://192.168.0.99/admin;
            proxy_buffering off;
        }
    }

}

Unfortunately I can't get the mails from a mail program with this configuration.
I would be very grateful for tips about my mistakes and how to do it correctly.

P.S: If Mail Reverse Proxy Transport encryption is possible with nginx - is it also possible to enrich maybe caldav or carddav with SSL/TLS?

Re: Dynamic IP-based reverse proxy

Other thing ...
It works if I use a hardcoded ip, like this :

server {
    listen 8888;
    server_name tozed;

    location / {
        proxy_pass http://100.65.36.95;
    }

}

And in the browser I do:
http:8888/tozed

It brings all the web content ...

Regards.

Nginx set via certbot is not working

I installed Nginx with a certbot Let's Encrypt SSL certificate. Most of the configuration was done by certbot. I used https://www.ssllabs.com/ssltest/ to check my SSL and it's working. My problem is that my domain cannot do the proxy pass. sudo nginx -t runs correctly.

I am new and I don't know where I am having a problem.

**The nginx nginx.conf**

user www-data;
worker_processes auto;

events {
    worker_connections 1024;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    #tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 75;
    types_hash_max_size 2048;
    server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_certificate /etc/letsencrypt/live/mobile.niyazi.com/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/mobile.niyazi.com/privkey.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    #ssl_stapling on;
    ssl_stapling_verify on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    #gzip on;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    #include /etc/nginx/sites-enabled/*;
}



**The nginx/conf.d/default.conf**


server {
    charset UTF-8;
    listen 80 ;
    listen [::]:80 ;

    server_name mobile.niyazi.com; # managed by Certbot

    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;

    if ($host = mobile.niyazi.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    # return 404; # managed by Certbot
}

server {
    charset UTF-8;
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    server_name mobile.niyazi.com; # managed by Certbot

    ssl_certificate /etc/letsencrypt/live/mobile.niyazi.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mobile.niyazi.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        #try_files $uri $uri/ =404;
        proxy_pass http://127.0.0.1:8888/;
    }
}

Re: Nginx set via certbot is not working

When I test with /etc/nginx/conf.d$ curl -I mobile.niyazi.com

I get error as shown below:

curl: (7) Failed to connect to mobile.niyazi.com port 80: Connection timed out

Re: Nginx set via certbot is not working

Also my /etc/host shows this:
127.0.0.1 localhost
127.0.1.1 niyazi-virtual-machine

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Problem setting up a simple reverse proxy

I'm a Nginx noob and trying to set up just a simple reverse proxy to secure my IP camera which doesn't support SSH natively. I have installed Nginx in my Raspberry Pi (Raspbian OS) and Nginx seems to run just fine.

I have deployed Raspberry in my camera network which is separated from other sub-nets and has access to Internet only. I have set Raspberry static IP and it is able to connect to Internet fine.

For testing purposes I try to set Nginx to listen to port 123. Camera's current port is 1234. I have made necessary port forwardings from my firewall and router to Raspberry and to both of these ports currently (after Nginx works, I won't need the port forwarding to camera's current port 1234).

Command: 'systemctl status nginx.service' tells Nginx status is "active (running)" and I'm able to see the default Nginx web page with browser. So Nginx and default setting seems to work okay.

Problem occurs when I try to follow instructions found on various sites of how to set up reverse proxy in front of IP camera.

Firstly I'd like to try to see if the Nginx proxy simply works by testing basic HTTP traffic.
If I have understood the various instructions correctly, setting up a basic HTTP reverse proxy should be very simple, and the script I have tried to use is below:

server {
    listen 123; #Port I try to set up for Nginx to listen to and forward.
    location / {
        proxy_pass http://192.168.0.123:1234; #IP and port my camera currently has.
    }
}

To my understanding, when this script is pasted into correct configuration file and in correct place it should be enough. I have tried to include the script always at the beginning of the file. Problem is that I am unsure where to save the script and I have tried various places with no success. Whenever I edit files found in different instructions and then try to access the camera afterwards in desired reverse proxy port, I am unable to.

Instructions found in here: https://security.stackexchange.com/questions/56779/securing-remotely-accessible-ip-cameras-that-do-not-support-https
tells to edit configuration file found in here: /etc/nginx/conf.d/default.conf

Problem is that there is no default.conf file found in that path. I can of course create it, and I actually also did, but it did nothing.

One config file can be found from path: /etc/nginx/nginx.conf
I tried to edit that file as well and paste the script into that, but it still does nothing.

Instructions found in here: https://www.raspberrypi.org/forums/viewtopic.php?t=34291
suggest to edit the config file found in here: /etc/nginx/sites-enabled/default

I also tried to edit that file and include the script at the beginning of the file, but still no success. I also tried to create a new text file with the previous script in that particular path, but still no success.

After each saved command I have rebooted Nginx and verified that status has returned to "active (running)". Still no success. I've run out of ideas and could really use some help. Could someone please help a guy out? It's probably not a big problem at all. Thanks a lot.

Nginx is not working in Docker 18.09.1 as reverse proxy

Hello! I am trying to deploy Rocket.Chat in a Docker 18.09.1 UCP 3.1.2 env. I am deploying in a stack. I wrote the compose file and ran it in other envs before with no issues. In the compose file I am using nginx (reverse proxy), rocket.chat, and mongodb images. When I run the stack all services go green but the website does not work. When I go into the nginx container and type nginx I get this error:

[emerg] bind() to 0.0.0.0:8443 failed (98: Address in use)

which does not make sense to me. Has anyone else had this issue? I am using layer 7.

I am running the nginx:alpine docker image in Docker 18.09.1, UCP 3.1.2. I am trying to deploy Rocket.Chat. My compose has nginx (reverse proxy), rocket.chat, mongodb. When I deploy the compose all services go green. I am running all of these commands inside the nginx container and the status is active / green. This is all inside the container.

When I run nginx I get

```
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address in use)
```

When I run nginx -t I get

```
/ # nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```

When I run netstat -tulpn I get

```
/ # netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.11:33291 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1/nginx: master pro
udp 0 0 127.0.0.11:46370 0.0.0.0:* -
```

Why am I having this issue? I have never run into this issue.

Best VPN for Nginx, Your Opinion

Hello everyone, does anyone know which VPN will really work with Nginx? I just checked the review about ExpressVPN here: https://www.allbestvpn.com/expressvpn-review/ It seems to be one of the best and fastest VPNs, providing good features. But does it work with Nginx? Your guidance will be really helpful for me.

nginx proxy_passing http requests to a https only minio server that has bucket subdirectory as a uri

CONFIG: https://paste.ngx.cc/d2

does NOT work. no matter what I am doing. have re-studied all the official docs, nobody on freenode NGINX was able to give any suggestions, stackoverflow, rest google stuff. nothing, that helps!

bucket MINIO name: UPLOAD (policy: read & write)

http://crm.domain.local/upload/5a3375b043eb3.pdf LOADS! just fine, but it seems to be taken from local /upload/. WHY? no idea
http://crm.domain.local/upload/documents/TOaeOxyhWeoCgXoeXV0ZK7qxgdHMLdDb6Xs8u2cM.jpeg returns 404

DIRECTLY from nginx host:
# curl -I https://minio1.domain.local:9000/upload/documents/TOaeOxyhWeoCgXoeXV0ZK7qxgdHMLdDb6Xs8u2cM.jpeg
HTTP/1.1 200 OK

through haproxy & NGINX from nginx host:
# curl -I http://crm.domain.local/upload/documents/TOaeOxyhWeoCgXoeXV0ZK7qxgdHMLdDb6Xs8u2cM.jpeg
HTTP/1.1 404 Not Found

/upload/img.jpeg returns 200 either way

????????????????????????????????????????????????????????????????????????

A way to include request id in error log?

Greetings, All! I'm looking for a way to include request id in error log message text. This way I'll be able to correlate access log with error log (access log uses custom format and already includes request id). I'm using syslog target for error log, BTW. Does anyone know how to do that? Is it possible to customise error log messages at all?

Thanks!

Multiple OCSP responders

Hi!

I use two-way SSL in my Nginx server and have three different chains of trusted client certificates. All client certificate chains have own OCSP responder. How can I configure multiple OCSP responders using ssl_stapling_responder directive?

Thanks,

UV

Re: Multiple OCSP responders

uv Wrote:
-------------------------------------------------------
> Hi!
>
> I use two-way SSL in my Nginx server and have three different chains
> of trusted client certificates. All client certificate chains have own
> OCSP responder. How can I configure multiple OCSP responders using
> ssl_stapling_responder directive?
>
> Thanks,
>
> UV