Channel: Nginx Forum - Nginx Mailing List - English

Nginx auth users (no replies)

Hello, I am slowly migrating from Apache to Nginx.

So far everything is running smoothly, and I have to say that from all the benchmark tests Nginx has improved performance by 60%. That is incredible, and I haven't even dived into performance tuning.

Anyway, we have numerous websites that require a list of specific users to be able to access them; normally we handle this with an htpasswd file and require user on Apache.

We have hundreds of different users, and based on the other solutions I have seen such as having separate files for each website with those users in those files.

This seems highly impracticable to me as some users have access to multiple websites, so these users would have to be duplicated within each of these separate user files.

So I was wondering, is there another workaround where I don't have to strip every user out of the htpasswd file and enter them into separate files? Sure, I can script this in Perl, but there must be an easier option, just sticking with one user file.

Any response would be appreciated

Thank you for your time in reading this post.

[ANN] Windows nginx 1.7.10.1 Gryphon (no replies)

19:14 17-1-2015 nginx 1.7.10.1 Gryphon

Based on nginx 1.7.10 (15-1-2015, last changeset 5964:0a198a517eaf) with;
+ reverted changeset 5962:727177743c3c (causing segfaults)
+ set-misc-nginx-module v0.27 (upgraded 14-1-2015)
+ HttpSubsModule v0.6.4 (upgraded 14-1-2015)
+ lua-nginx-module v0.9.13 (upgraded 14-1-2015)
+ prove05.zip (onsite), a Windows Test_Suite (updated 16-1-2015)
+ See http://nginx-win.ecsds.eu/devtest/EBLB_upstream_dev1.zip for a partly
working example of managing backends
+ reverted changesets 5960:e9effef98874 and 5959:f7584d7c0ccb (breaks too many
things, needs re-engineering)
+ Openssl-1.0.1l (CVE-2014-3571, CVE-2015-0206, CVE-2014-3569, CVE-2014-3572,
CVE-2015-0204, CVE-2015-0205, CVE-2014-8275, CVE-2014-3570)
+ cache_purge v2.3 (upgraded 30-12-2014)
+ Naxsi WAF v0.53-3 (upgraded 30-12-2014)
+ ngx_signal_process, http://forum.nginx.org/read.php?29,255612
+ Source changes back ported
+ Source changes add-on's back ported
+ Changes for nginx_basic: Source changes back ported
* Scheduled release: yes
* Additional specifications: see 'Feature list'

Builds can be found here:
http://nginx-win.ecsds.eu/
Follow releases https://twitter.com/nginx4Windows

strange behavior for cache manager (no replies)

Hi,
We are currently running nginx version 1.7.6; we use nginx primarily as a reverse proxy on Linux.
We have encountered a strange behavior of the nginx cache manager.
Everything is fine after restarting nginx: the cache manager periodically spawns a new process to check the metadata and honor the max cache size we are setting.
But after running for about 6 hours, it stopped honoring the max cache size we are setting and started to go over it, eventually reaching full disk size. No matter what we do (reduce the cache size to half of the disk, reduce the active time for the cache), as long as it goes over it, it will just keep growing.
I did some strace on the cache manager, and it just shows some normal epoll_wait, but nothing ever gets unlinked. The process spawns the cache manager perfectly fine.

PS. Each time I restart nginx, after the cache loader process has completed, strace on the cache manager shows it starting to unlink files, and everything goes back to normal. The cache manager also starts to control the cache and keeps the total cache size under the max cache size we set. After a certain period of time, it will fail again.

What could potentially cause this?

udp log graylog (1 reply)

Hi,

I'm setting up logging from my Nginx server to a Graylog server.

I followed this short guide: https://www.graylog2.org/content-packs/547b5021e4b0a06d87eea01e
But nothing works...

My iptables are all accept policies, and when I run a UDP tcpdump on both the nginx server and Graylog, nothing appears...

Any idea?

This is what I changed in the http section of /etc/nginx.conf:

log_format graylog2_format '$remote_addr - $remote_user [$time_local] $

# replace the hostnames with the IP or hostname of your Graylog2 server
access_log syslog:server=192.168.15.225:12301 graylog2_format;
error_log syslog:server=192.168.15.225:12302;
# access_log /var/log/nginx/access.log;
# error_log /var/log/nginx/error.log;

types {
text/plain log;
}


Regards,

Perl Fastcgi on Solaris 11 (no replies)

Has anyone been able to get Perl FastCGI working on the Solaris 11 OS?

If so, can you point me in the right direction?

Running Remote using Perl CGI (1 reply)

Hello All,

I have a Perl CGI script which runs a command on the remote host and displays the output on the webpage. The script is failing with the error below:

cannot connect to filer 192.168.xxx.xxx at /var/www/cgi-bin/export.cgi line 14.

The same script works fine when I run it from the command prompt...

Apache is running as the "deamon" user. As we have a standard Apache configuration, it's not possible for me to change the Apache configuration (Apache user, path change).
I need to run a similar command on 1000+ storages. SSH keys are already enabled for the root user, so I would like to use the "root" user to run the remote commands.

I have given the complete script below:

use CGI;
use CGI::Carp qw(warningsToBrowser fatalsToBrowser);
use Net::OpenSSH;
my $hostname="192.168.xxx.xxx";
my %opts = (
user => "root",
key_path => "/root/.ssh/id_rsa",
strict_mode => 0
);
$obj=new CGI;
my $ssh=Net::OpenSSH->new($hostname,%opts);
$ssh->error and die "cannot connect to filer $hostname ";
$test=$ssh->capture("version");
print $obj->header(),
$obj->start_html(-title=>'Export Script'),
$obj->center($obj->h2('Export list')),
$obj->start_html(-title=>'Export Script'),
$obj->center($obj->h2('Export Script')),
$obj->i("$test"),
$obj->end_html();

It's completely blocking my work. Please help me ASAP.

How to adjust Cache-Control for SSI-including entities (4 replies)

Hi,

[apologies if this has been asked lots of times before, but searches really did not turn up anything]

I am using nginx with SSI enabled to assemble pages and page-fragments from upstream servers.

upstream U1 produces the main page (the one containing SSI include directives) and wants nginx to cache its response (the page with the unresolved SSI include directives). Thus U1 sends the main page with Cache-Control: max-age=60.

The includes come from upstream U2 and are also cacheable from the POV of U2, hence U2 adds a max-age for those. The max-age could be less than 60 or more than 60.

What I want nginx to do is to cache the upstream response for the main page and also cache the upstream responses for the includes - which nginx does as the debug log suggests.

In addition I of course want nginx to strip/adjust the Cache-Control / max-age when the assembled page is sent to the client.

Unfortunately nginx seems to simply copy the max-age of the main page upstream response and send it to the client - which is obviously misleading information since the cacheability of the response is unknown or the lowest max-age of all includes.

Can anyone help me on how I get nginx to at least remove the misleading Cache-Control header?

ssi_last_modified is related and yields the correct default behavior: http://nginx.org/en/docs/http/ngx_http_ssi_module.html#ssi_last_modified

Jan
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

phpBB3.1 not working with oauth under nginx (no replies)

Hi,

I wonder if anyone is running phpBB3.1 with php56?

Currently I am trying to setup oauth to work with Google and Facebook,
but getting a white screen response after authentication.

The logs show this:

2015/01/19 22:32:08 [error] 28354#0: *3 FastCGI sent in stderr: "PHP
message: PHP Fatal error: Uncaught exception
'OAuth\Common\Http\Exception\TokenResponseException' with message
'Failed to request resource.' in
/usr/local/www/dxb_users_forum/vendor/lusitanian/oauth/src/OAuth/Common/Http/Client/StreamClient.php:54
Stack trace:
#0
/usr/local/www/dxb_users_forum/vendor/lusitanian/oauth/src/OAuth/OAuth2/Service/AbstractService.php(97):
OAuth\Common\Http\Client\StreamClient->retrieveResponse(Object(OAuth\Common\Http\Uri\Uri),
Array, Array)
#1
/usr/local/www/dxb_users_forum/phpbb/auth/provider/oauth/service/facebook.php(69):
OAuth\OAuth2\Service\AbstractService->requestAccessToken('AQDzs7GN9ZIsOLX...')
#2
/usr/local/www/dxb_users_forum/phpbb/auth/provider/oauth/oauth.php(198):
phpbb\auth\provider\oauth\service\facebook->perform_auth_login()
#3 /usr/local/www/dxb_users_forum/phpbb/auth/auth.php(937):
phpbb\auth\provider\oauth\oauth->login('', '')
#4 /usr/local/www/dxb_users_forum/includes/functions.php(2831):
phpbb\auth\auth->login('', '', false, 1, 0)
#5 /usr/local/www/dx" while reading response header from upstream,
client: <IP>, server: <forum>, request: "GET
/ucp.php?mode=login&login=external&oauth_service=facebook&code=AQDzs7GN9ZIsOLXkg5X8t_UwrQf8aI2tysLgBesvkM_53e4PalEtToIEWwhPGYAGCJutxDSAsrc2GqFACPcPqY0BmJkRFzJiZPISxSj6Et2EsaTZ0BOTGv4nmqNTI_ZHNzG6HqV6cp_uhiRgKA-qSmF0g-XnlBz2WsYJ1PZB6V5E95AZkt9TIrrNETlZkzD4FHRUAHyDUlxJUD_cYOhT8A4QIk5pgxLwwNSUS2YKVsTdq76EXKIOVt4sgVw9vAaiM-gtqfKfro27JBRYFhlqIRH3vDgtzZSIT9E-zwMzzwck8RlUdbiYTm3np1hQQU2QZsG9-tZBN6WuhZopv77yFpgT
HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "<forum>",
referrer:
"http://<forum>/ucp.php?mode=login&sid=bb0c84259129a944fa4e78cab45e31c2"

I am not sure where the issue is related to; is php, nginx, or simply
phpBB3??

The sample nginx.conf was taken from here:

https://raw.githubusercontent.com/phpbb/phpbb3/master/phpBB/docs/nginx.sample.conf

and modified to my needs.

If anyone has any experience in using phpBB3 under nginx would you be
able to help or suggest something?

Many thanks!


Regards,


Kaya


how to limit the total header size of a request? (no replies)

Hi guys,

I'm looking for a configuration to limit the summarized size for the
request line and all header fields in a request. It looks like
"client_header_buffer_size size" is to limit the single header field.


Thanks!

Geoip issue with nginx in front of varnish and apache ! (2 replies)

Hi,

We've compiled Varnish with the geoip module in order to cache country-based
hashes. So far the varnish <-> apache structure is working fine with the geoip
module and caching requests based on countries, but when we add another
Nginx proxy layer in front of Varnish, i.e. nginx -> varnish -> apache, the
geoip module stops tracking country hashes and Varnish shows the following logs:

TxHeader b X-GeoIP: Unknown

nginx : port 80
Varnish : port 6081
Apache : port 7172

So far, nginx is forwarding client IPs to Varnish, but it looks like the Varnish
sessionstart value in varnishlog is still showing IP 127.0.0.1, due to which
it is unable to track the client's country. If only someone could point me in the
right direction.

varnishlog :

15 BackendOpen b default 127.0.0.1 45806 127.0.0.1 7172
15 BackendXID b 1609403517
15 TxRequest b GET
15 TxURL b
/video/5708047/jeena-jeena-video-song-badlapur-atif-aslam
15 TxProtocol b HTTP/1.1
15 TxHeader b Referer: http://beta2.domain.com/videos/
15 TxHeader b X-Real-IP: 39.49.89.134
15 TxHeader b X-Forwarded-Host: beta2.domain.com
15 TxHeader b X-Forwarded-Server: beta2.domain.com
15 TxHeader b Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
15 TxHeader b User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
15 TxHeader b Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
15 TxHeader b X-Forwarded-For: 39.49.89.134, 127.0.0.1
15 TxHeader b host: default
15 TxHeader b X-GeoIP: Unknown
15 TxHeader b X-Varnish: 1609403517
15 TxHeader b Accept-Encoding: gzip
15 RxProtocol b HTTP/1.1
15 RxStatus b 200
15 RxResponse b OK
15 RxHeader b Date: Tue, 20 Jan 2015 18:26:06 GMT
15 RxHeader b Server: Apache
15 RxHeader b Set-Cookie: PHPSESSID=pcl9rkh58s39fgjti139bgn6n1;
expires=Wed, 21-Jan-2015 18:26:06 GMT; path=/
15 RxHeader b Expires: Thu, 19 Nov 1981 08:52:00 GMT
15 RxHeader b Cache-Control: no-store, no-cache, must-revalidate,
post-check=0, pre-check=0
15 RxHeader b Pragma: no-cache
15 RxHeader b Set-Cookie:
fb_239452059417627_state=42cba63d4821f3964426e14b2833e8d0; expires=Tue,
20-Jan-2015 19:26:06 GMT; path=/
15 RxHeader b Set-Cookie:
pageredir=http%3A%2F%2Fbeta2.domain.com%2Fvideo%2F5708047%2Fjeena-jeena-video-song-badlapur-atif-aslam;
expires=Tue, 20-Jan-2015 20:26:06 GMT; path=/
15 RxHeader b Connection: close
15 RxHeader b Transfer-Encoding: chunked
15 RxHeader b Content-Type: text/html; charset=utf-8
15 Fetch_Body b 3(chunked) cls 0 mklen 1
15 Length b 127024
15 BackendClose b default
12 SessionOpen c 127.0.0.1 51675 :6081
12 ReqStart c 127.0.0.1 51675 1609403517
12 RxRequest c GET
12 RxURL c
/video/5708047/jeena-jeena-video-song-badlapur-atif-aslam
12 RxProtocol c HTTP/1.0
12 RxHeader c Referer: http://beta2.domain.com/videos/
12 RxHeader c Host: beta2.domain.com
12 RxHeader c Cookie: __qca=P0-993092579-1421436407272;
__qca=P0-1309575897-1421485050924;
__utma=198843324.254214983.1421436407.1421439435.1421777481.2;
__utmb=198843324.5.10.1421777481; __utmc=198843324;
__utmz=198843324.1421439435.1.1.utmcsr=(direct)|utmccn=(direct)
12 RxHeader c X-Real-IP: 39.49.89.134
12 RxHeader c X-Forwarded-Host: beta2.domain.com
12 RxHeader c X-Forwarded-Server: beta2.domain.com
12 RxHeader c X-Forwarded-For: 39.49.89.134
12 RxHeader c Connection: close
12 RxHeader c Cache-Control: max-age=0
12 RxHeader c Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
12 RxHeader c User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
12 RxHeader c Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
12 VCL_call c recv lookup
12 VCL_call c hash
12 Hash c
/video/5708047/jeena-jeena-video-song-badlapur-atif-aslam
12 Hash c default
12 Hash c Unknown
12 VCL_return c hash
12 VCL_call c miss fetch
12 Backend c 15 default default
12 TTL c 1609403517 RFC 0 -1 -1 1421778367 0 1421778366
375007920 0
12 VCL_call c fetch
12 TTL c 1609403517 VCL 3600 -1 -1 1421778367 -0
12 VCL_return c deliver
12 ObjProtocol c HTTP/1.1
12 ObjResponse c OK
12 ObjHeader c Date: Tue, 20 Jan 2015 18:26:06 GMT
12 ObjHeader c Server: Apache
12 ObjHeader c Set-Cookie: PHPSESSID=pcl9rkh58s39fgjti139bgn6n1;
expires=Wed, 21-Jan-2015 18:26:06 GMT; path=/
12 ObjHeader c Expires: Thu, 19 Nov 1981 08:52:00 GMT
12 ObjHeader c Pragma: no-cache
12 ObjHeader c Set-Cookie:
fb_239452059417627_state=42cba63d4821f3964426e14b2833e8d0; expires=Tue,
20-Jan-2015 19:26:06 GMT; path=/
12 ObjHeader c Set-Cookie:
pageredir=http%3A%2F%2Fbeta2.domain.com%2Fvideo%2F5708047%2Fjeena-jeena-video-song-badlapur-atif-aslam;
expires=Tue, 20-Jan-2015 20:26:06 GMT; path=/
12 ObjHeader c Content-Type: text/html; charset=utf-8
12 VCL_call c deliver deliver
12 TxProtocol c HTTP/1.1
12 TxStatus c 200
12 TxResponse c OK
12 TxHeader c Set-Cookie: PHPSESSID=pcl9rkh58s39fgjti139bgn6n1;
expires=Wed, 21-Jan-2015 18:26:06 GMT; path=/
12 TxHeader c Expires: Thu, 19 Nov 1981 08:52:00 GMT
12 TxHeader c Pragma: no-cache
12 TxHeader c Set-Cookie:
fb_239452059417627_state=42cba63d4821f3964426e14b2833e8d0; expires=Tue,
20-Jan-2015 19:26:06 GMT; path=/
12 TxHeader c Set-Cookie:
pageredir=http%3A%2F%2Fbeta2.domain.com%2Fvideo%2F5708047%2Fjeena-jeena-video-song-badlapur-atif-aslam;
expires=Tue, 20-Jan-2015 20:26:06 GMT; path=/
12 TxHeader c Content-Type: text/html; charset=utf-8
12 TxHeader c Content-Length: 127024
12 TxHeader c Accept-Ranges: bytes
12 TxHeader c Date: Tue, 20 Jan 2015 18:26:06 GMT
12 TxHeader c Age: 0
12 TxHeader c Connection: close
12 Length c 127024
12 ReqEnd c 1609403517 1421778366.722367764 1421778366.841626406
0.000178814 0.119145393 0.000113249
12 SessionClose c Connection: close
12 StatSess c 127.0.0.1 51675 0 1 1 0 0 1 602 127024
0 CLI - Rd ping
0 CLI - Wr 200 19 PONG 1421778367 1.0
15 BackendOpen b default 127.0.0.1 45814 127.0.0.1 7172

Nginx proxy.inc :

proxy_redirect off;
proxy_hide_header Vary;
proxy_set_header Accept-Encoding '';
proxy_ignore_headers Cache-Control Expires;
proxy_set_header Referer $http_referer;
proxy_set_header Host $host;
proxy_set_header Cookie $http_cookie;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

As you can see from proxy.inc file that nginx is forwarding client's real
ip to varnish but still varnish is unable to track client's GeoIP. Maybe i
am missing some nginx settings because varnish:80 <-> apache:7172 structure
working fine but nginx -> varnish is not.

Regards.
Shahzaib

Need best practice on GeoIP/GeoDNS (no replies)

Hi,

I have a project that will use multi-location web servers, but I am still
confused about implementing GeoDNS or GeoIP. Which method is more powerful?
I want to separate users: Country A to WebServer A, Country B to
WebServer B.

Each web server is located in each country.


How to disable creating tmpfile when using nginx as a cache (no replies)


Modify request body before sending to upstream (no replies)

Hi,

I am new to nginx module development and I'm working on my first ever module. I've read up Evan Miller's post besides others, and I've experimented tweaking some simple modules.

From what I understand, the proxy_pass module is a handler and we can effectively have just one handler run on a request. What I need is to do some work with the content before I send a request to the upstream servers. I have been able to achieve the reverse via filter modules, but not this. Is there a way to achieve this without touching proxy_pass?

The requirement comes from a server rewrite we are doing to improve performance. We have nginx load balancing requests to a bunch of servers running python. We decided to rewrite some of the python pre-processing in C/C++ and write an nginx module to wrap around it.

Please lead me the right way :).

Abhishek

issues with nginx-gridfs 3rd party module (1 reply)

Hi,

I've compiled and installed nginx with the gridfs module as given by the
instructions and it got installed successfully. But then when I configure
nginx.conf with the gridfs directive and restart the nginx server, it fails
giving the error 'nginx: [emerg] unknown directive "gridfs" in
/etc/nginx/nginx.conf:76'. Can anyone help me fix this issue?

environment: ubuntu 14.04, nginx version-1.4.6

Thanks,
Swarna

How to pass fastcgi custom variables in C? (no replies)

Hi, I would like to have the auth_request fastcgi auth server to send some custom variables to the fastcgi back-end server. For example, the Radius server returned some parameters which the fastcgi auth server needs to send to the fastcgi back-end server.

location / {
auth_request /auth;
fastcgi_pass <back-end server>; # <--- would like this server to see the custom param variable
}

location /auth {
fastcgi_param CUSTOM_PARAM custom_param;
fastcgi_pass <auth server>; # <---- returns a custom param value to be used by the back-end server
}

Could someone give me a pointer on how to do this in the nginx.conf and the auth and back-end servers in C? I saw many examples for PHP but none for C.
In the auth server app, I defined "int custom_param=100" for example, and would like the back-end server to get this variable and value. Thanks!

Modify subrequest header (no replies)

I am trying to use ngx_http_subrequest in my customized nginx module. I can see from the code that the subrequest shares the same request header with the main request (sr->headers_in = r->headers_in). Is there a way to modify, add or delete a request header for the subrequest without affecting the request header of the main request?

I tried ngx_list_init(&sr->headers_in.headers and used ngx_list_push to push a new header in, and it is giving me a runtime error. Can someone point me in the right direction?

Thanks

smtps mail proxy (1 reply)

Hello,

I seek advice on configuring nginx as a mail proxy.

PREMISES

The existing system is based upon postfix and dovecot.
The system delivers "n" virtual domains, say, mx.example_1.org,
mx.example_2.org, ..., mx.example_n.org, all behind a single IP.

There is no "shared" (Subject Alternative Name) certificate, because adding
or releasing a domain would require a new shared certificate, revoking the
old one, and taxing the other domains for the novelty. I refer to SAN certs
as "condocerts" (condominium certificates): feel free to use the term yourself.
We are not a condo, and therefore, each domain carries its own set of TLS
certificates, managed autonomously.

Dovecot manages nicely its side of things, with
- per-domain "mail_location",
- per-domain password database,
- per-domain TLS certificates,
- SNI [http://wiki2.dovecot.org/SSL/SNIClientSupport].

Client authentication is entirely delegated to dovecot;
postfix uses SASL to dovecot's unix socket.

PROBLEM

Postfix does not support SNI.

OUR AIM

Our aim is to add SNI to port 465 (postfix) using nginx as transparent mail proxy.

The following is a mock-up configuration.

mail {

proxy on;
proxy_pass_error_message on;
proxy_buffer 4k; # 4k|8k
proxy_timeout 24h;
xclient on; # http://www.postfix.org/XCLIENT_README.html

ssl_dhparam /etc/vmail/dh2048;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # SNI supported
ssl_ciphers DHE-RSA-AES256-SHA;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:MAIL:10m;
#ssl_session_timeout =

#smtp_capabilities ...; # pass through wanted <-------
#smtp_auth ...; # pass through wanted <-------

server {
listen 465;
protocol smtp;
ssl on;
timeout 5s;
server_name mx.example_1.org;
#ssl_password_file /etc/vmail/example_1.org/passdb_keys; # to read .key certificates
ssl_certificate /etc/vmail/example_1.org/ssl/mx.crt;
ssl_certificate_key /etc/vmail/example_1.org/ssl/mx.key;
}

server {
listen 465;
protocol smtp;
ssl on;
timeout 5s;
server_name mx.example_2.org;
#ssl_password_file /etc/vmail/example_2.org/passdb_keys;
ssl_certificate /etc/vmail/example_2.org/ssl/mx.crt;
ssl_certificate_key /etc/vmail/example_2.org/ssl/mx.key;
}

# ...

server {
listen 465;
protocol smtp;
ssl on;
timeout 5s;
server_name mx.example_n.org;
#ssl_password_file /etc/vmail/example_n.org/passdb_keys;
ssl_certificate /etc/vmail/example_n.com/ssl/mx.crt;
ssl_certificate_key /etc/vmail/example_n.com/ssl/mx.key;
}

}


OPEN QUESTIONS

1. It is not clear how nginx would talk to postfix. One would expect the proxy to serve
on port, say, 4650, being the port exposed by the router, masking postfix on port 465,
but nginx does not seem to have a relevant configuration clause.

2. Nginx refuses to start-up, demanding "auth_http". However, we do not need to move
authentication to nginx. What we need is a transparent proxy: nginx should listen to
dovecot's unix socket, just like postfix does.

Thank you for your advice, if any.

Redirect problem (1 reply)

I've a problem with a redirect from http to https and using non-www.

Can you tell me what is wrong? Sometimes I have a redirect loop.

server {
listen 80;
listen [::1]:80;
server_name domain.com;
return 301 https://www.domain.com$request_uri;
}

server {
listen 80;
listen [::1]:80;
server_name www.domain.com;
return 301 https://www.domain.com$request_uri;
}


server {
listen 443 ssl spdy;
listen [::1]:443 ssl spdy;
server_name www.domain.com;
......
}

Thanks.

Danger to Nginx from raw unicode in paths? (1 reply)

I was recently wondering if I should filter URL's by characters to only
allow what is standard in applications.

Words, Numbers, and couple characters [.-_/\]. We know the list of
supported URL's and Domains is really just a subset of ASCII
http://perishablepress.com/stop-using-unsafe-characters-in-urls/.

However, I'm not totally sure what nginx does when I pass "µ" to it.

I came up with a simple regular expression to match something that isn't
one of those:

location ~* "(*UTF8)([^\p{L}\p{N}/\.\-\%\\\]+)" ) {
if ($uri ~* "(*UTF8)([^\p{L}\p{N}/\.\-\%\\\]+)" ) {

However, I'm wondering if I actually need to use the UTF-8 matching since
clients should default to URL encoding (%20) or hex encoding (\x23) the
bytes and the actual transfer should be binary anyway.

Here is an example test where I piped almost all 65,000 unicode points to
nginx via curl:

https://gist.github.com/Xeoncross/acca3f09c5aeddac8c9f

For example: $ curl -v http://localhost/与

Basically, is there any point to watching URL's for non-standard sequences
looking for possible attacks?

( FYI: I posted more details that led to this question here:
http://stackoverflow.com/questions/28055909/does-nginx-support-raw-unicode-in-paths
)

Behavior of security headers (5 replies)

Hi,

I've a question regarding the different security headers (Content-Security-Policy, etc.) which can be set via add_header.
In the docs it is mentioned that "add_header" can be set on every level (http, server, location). So I tried to set some security-related headers in the server block related to one domain. But this did not work as expected - in detail, it did not work at all. Even the "Strict-Transport-Security" header did not work on server level...

My first guess was that the used nginx version (1.6.2 stable) may have some problems.. So I've updated to 1.7.9 from mainline repo. But nothing changed...

After some resultless googling for this problem I tried a lot of combinations and found that all headers work only on location level - which confused me. In my opinion these headers should work on server level as well, or do I misunderstand something in these mechanisms?


config of my first try (NOT working)
server {
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload;";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; connect-src 'self' https:; img-src 'self' https:; style-src 'self' 'unsafe-inline' https:; font-src 'self' https:; frame-src 'self' https:; object-src 'none';";
...
location / ....
}

config of confused last try (WORKS)
server {
...
location / {
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload;";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; connect-src 'self' https:; img-src 'self' https:; style-src 'self' 'unsafe-inline' https:; font-src 'self' https:; frame-src 'self' https:; object-src 'none';";
}
}

And btw. yes - I've restarted nginx after each config change and also emptied my browser cache before inspecting the headers.

Thanks for help and enlightenment :-)
Oliver
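
An added example, not part of the original post and not code from the nginx project: the nginx documentation states that add_header directives are inherited from the previous configuration level only if the current level defines no add_header of its own. The Python sketch below applies that rule to a constructed sample configuration (SAMPLE_CONF, REQUIRED and all function names are illustrative assumptions) and reports the locations where server-level security headers are no longer emitted.

```python
# Constructed sample configuration, not the poster's real config.
SAMPLE_CONF = r'''
server {
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options "nosniff";

    location / {
        proxy_pass http://127.0.0.1:8080;
    }
    location /static/ {
        add_header Cache-Control "public, max-age=600";
    }
}
'''

# Headers we expect every location to send (assumption for this example).
REQUIRED = ["Strict-Transport-Security", "X-Frame-Options", "X-Content-Type-Options"]


def tokenize(text):
    """Split nginx-style config into ("word", value) and ("sym", "{"/"}"/";") tokens."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c == "#":                      # comment runs to end of line
            while i < n and text[i] != "\n":
                i += 1
        elif c in "{};":
            tokens.append(("sym", c))
            i += 1
        elif c in "\"'":                    # quoted argument, backslash escapes skipped
            j = i + 1
            while j < n and text[j] != c:
                j += 2 if text[j] == "\\" else 1
            tokens.append(("word", text[i + 1:j]))
            i = j + 1
        else:                               # bare word
            j = i
            while j < n and not text[j].isspace() and text[j] not in "{};":
                j += 1
            tokens.append(("word", text[i:j]))
            i = j
    return tokens


def parse(tokens, pos=0):
    """Parse one nesting level; return (directives, child_blocks, next_position)."""
    directives, blocks, words = [], [], []
    while pos < len(tokens):
        kind, val = tokens[pos]
        pos += 1
        if kind == "word":
            words.append(val)
        elif val == ";":
            if words:
                directives.append(words)
            words = []
        elif val == "{":
            d, b, pos = parse(tokens, pos)
            blocks.append({"head": words, "directives": d, "blocks": b})
            words = []
        else:                               # "}" closes this level
            break
    return directives, blocks, pos


def effective_headers(block, inherited=()):
    """Map each location to the header names it sends under the inheritance rule."""
    own = [d[1] for d in block["directives"] if d[0] == "add_header" and len(d) > 1]
    current = own if own else list(inherited)   # any own add_header replaces the parent set
    result = {}
    if block["head"] and block["head"][0] == "location":
        result[" ".join(block["head"][1:])] = current
    for child in block["blocks"]:
        result.update(effective_headers(child, current))
    return result


def dropped_headers(conf_text, required):
    """Return {location: [required headers that location no longer sends]}."""
    directives, blocks, _ = parse(tokenize(conf_text))
    root = {"head": [], "directives": directives, "blocks": blocks}
    report = {}
    for loc, names in effective_headers(root).items():
        sent = {n.lower() for n in names}
        missing = [h for h in required if h.lower() not in sent]
        if missing:
            report[loc] = missing
    return report


if __name__ == "__main__":
    for loc, missing in dropped_headers(SAMPLE_CONF, REQUIRED).items():
        print(f"location {loc}: missing {', '.join(missing)}")
```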