Channel: Nginx Forum - Nginx Mailing List - English

Balancing NGINX reverse proxy (1 reply)

Hi,

I have been reading the documentation and also searching this forum for a while, but could not find an answer to my question.
Currently, I have 2 NGINX nodes acting as a reverse proxy (in a failover setup using keepalived). The revproxy injects an authentication header for an online website (transport is https).

As the number of users grows, the load on the current machine starts to get uncomfortably high and I would like to be able to spread the load over both nodes.

What would be the best way to set this up?

I already tried adding both IP addresses to the DNS. But this, rather predictably, only sent a handful of users to the secondary node.
I now plan on setting up an NGINX node in front of these revproxy nodes, acting as a round-robin load balancer. Will this work? Given the fact that traffic is over HTTPS, terminating the request will probably put all the load on the load balancer and therefore does not solve my issue.

Your advice and help is greatly appreciated.

MySQL Access w/ Nginx (1 reply)

Dear Nginx Community:

Do you think NGinx is a viable and advisable solution for providing MySQL server access to my application? The basic requirements and goals of the application are described below.

Although NGinx is classified as a Web Server which can act as a Reverse Proxy or Load Balancer, my application does not need exactly that kind of functionality in the short term. The short term need is to allow mobile platforms to access a single MySQL server. Eventually, there will be multiple MySQL servers and load balancing and failure fallback will be issues, and perhaps caching. That means the basic architecture is as follows.

| Mobile | <--> Internet <--> | NGinx | <--> | MySQL   | <--> | MySQL  |
| System |      (TCP/IP)                     | Backend |      | Server |

Initially NGinx, the MySQL Backend, and MySQL Server will all be on the same Linux host. My main concern is how the MySQL Backend fits and operates within that architecture. (i.e. I am not sure about the correct terminology for the MySQL Backend.) I assume, but am not sure, it can interact with the NGinx without additional components, such as Drupal.

The basic requirement is the ability to perform remote MySQL queries and operations with syntax and semantics which are virtually the same as the corresponding manual operations. However, the remote system does not need to use the same syntax and semantics as the module that performs MySQL operations. Also, smooth interaction with LAMP PHP and MySQL components is a requirement. (i.e. I think Apache is not an issue.) Note that application clients will put a large volume of data into the MySQL database and interaction with a Web Server is not an issue at this point.

The priority is to allow a mobile system such as an Android, and eventually an Apple, to access a MySQL server on a Unix/Linux system securely. However, the priority for the same functionality in a conventional Internet host is almost as high.

The essential connection and authentication requirements are as follows.

* SSL encryption/authentication
* MySQL authentication
* No passwords etc. are transmitted in the open.
* Support for multiple concurrent connections from the same or multiple systems.
* Each remote MySQL user must perform SSL authentication separately and there is a 1-1 relationship between the SSL and MySQL authentication data.


Best Regards,

Paul R.

--


Paul Romero
-----------
RCOM Communications Software
EMAIL: paulr@rcom-software.com
PHONE: (510)482-2769




_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Hiding PHP's WSOD with Nginx (no replies)

My employer uses Nginx in front of PHP-FPM to generate their web content.
They have PHP's error reporting shut off in production so when something
does go wrong in their PHP scripts they end up with a "White Screen Of
Death". From a protocol level the white screen of death is a 200 response
with no content. They were wondering if there was a way to detect the WSOD
within Nginx and substitute their 500 error page.

PHP-FPM typically uses chunked encoding so I don't think the content-length
header is going to help me.

Does anyone have any suggestions how I might best accomplish this?

I looked around with Google but all of the hits were people wanting to turn
on error reporting, or looking for help getting php-fpm working with Nginx to
begin with.

Reply: Re: Issue about nginx removing the header "Connection" in HTTP response? (no replies)

Hi,

What I mention is the header in response from backend server. Your answer about proxy_set_header is the "Connection" header in request.

Thanks
Liu Peng
----- Original Message -----
From: Aleksandar Lazic <al-nginx@none.at>
To: nginx@nginx.org
Cc: tjlp@sina.com
Subject: Re: Issue about nginx removing the header "Connection" in HTTP response?
Date: 2017-03-03 06:25


Hi.
On 01-03-2017 08:29, tjlp@sina.com wrote:
> Hi, nginx guy,
>
> In our system, for some special requests, the upstream server will
> return a response which the header includes "Connection: Close".
> According to HTTP protocol, "Connection" is one-hop header.
> So, nginx will remove this header and the client can't do the business
> logic correctly.
>
> How to handle this scenario?
you mean something like this?
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header
If the value of a header field is an empty string then this field will
not be passed to a proxied server:
proxy_set_header Connection "";
> Thanks
> Liu Peng

Nginx configuration Issue (no replies)

I am using nginx-1.10.3 as a load balancer. In my architecture, I have two servers:

Hostname - sal15062hkb152, IP Address - 172.15.54.116
Hostname - sal15062hkb184, IP Address - 172.15.54.105

I want both to work in active-passive mode with nginx. My application is running on both servers and clients can access my application using the URL -

https://sal15062hkb152/views or https://sal15062hkb184/views

My nginx.conf is -

#user nobody;
worker_processes 1;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;


events {
    worker_connections 1024;
}


http {
    include mime.types;
    default_type application/octet-stream;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log logs/access.log main;

    sendfile on;
    #tcp_nopush on;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    #gzip on;

    server {
        listen 80;
        server_name sal15062hkb152;

        #http://sal15062hkb152/oneview/;

        #charset koi8-r;

        #access_log logs/host.access.log main;

        location / {
            root html;
            index index.html index.htm;
        }

        #error_page 404 /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root html;
        #    fastcgi_pass 127.0.0.1:9000;
        #    fastcgi_index index.php;
        #    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        #    include fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny all;
        #}
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen 8000;
    #    listen somename:8080;
    #    server_name somename alias another.alias;

    #    location / {
    #        root html;
    #        index index.html index.htm;
    #    }
    #}


    # HTTPS server
    #
    server {

        listen 443 ssl;
        server_name sal15062hkb152;

        #ssl_certificate cert.pem;
        #ssl_certificate_key cert.key;

        ssl_certificate iperspective.crt;
        ssl_certificate_key iperspective.key;

        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;

        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
            root http://oneview;
            index index.html index.htm;
        }
    }

}

I am trying to access https://sal15062hkb152/views but I am getting "404 Not Found" in browser. I believe, my nginx.conf file configuration is not correct. Please let me know proper configuration for my nginx.conf file. Thanks

Nginx Map how to check value if empty (no replies)

So I have the following Map

map $http_cf_connecting_ip $client_ip_from_cf {
    default $http_cf_connecting_ip;
}

How can I make it so if the client did not send that $http_ header it makes $client_ip_from_cf variable value = $binary_remote_addr

Not sure how to check in a map if that http header is present.
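
An added example, not part of the original post: one way to express the fallback, relying on nginx evaluating an absent request header variable as an empty string. It uses $remote_addr rather than $binary_remote_addr so both branches produce a textual address (an assumption), and it adds a second, stricter variant with hypothetical names ($from_trusted_proxy, $client_ip_trusted) and a placeholder address range, because CF-Connecting-IP is only meaningful when the connecting peer is the CDN.

```nginx
# http context. Added example; everything except the poster's
# $client_ip_from_cf name is an assumption.

# Direct answer: the "" key matches when the header is missing or empty.
map $http_cf_connecting_ip $client_ip_from_cf {
    ""       $remote_addr;             # no header: fall back to the TCP peer
    default  $http_cf_connecting_ip;   # header present: use its value
}

# Stricter variant: any client can send CF-Connecting-IP, so honour it only
# when the TCP peer is inside a range you have listed as your CDN/proxy.
# geo matches against $remote_addr by default.
geo $from_trusted_proxy {
    default        0;
    192.0.2.0/24   1;   # placeholder range (TEST-NET-1); list real proxy ranges here
}

# The map source may combine variables; the named capture becomes the result.
map "$from_trusted_proxy:$http_cf_connecting_ip" $client_ip_trusted {
    "~^1:(?<cf_ip>.+)$"  $cf_ip;        # trusted peer and header present
    default              $remote_addr;  # untrusted peer, or header absent
}

# Example consumer: rate limiting keyed on the resolved address.
limit_req_zone $client_ip_trusted zone=per_client:10m rate=10r/s;
```

If the value is only ever used as a shared-memory zone key, $binary_remote_addr can replace $remote_addr in the fallback branches to keep keys compact.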

Reply: Re: Reply: Re: Issue about nginx removing the header "Connection" in HTTP response? (1 reply)

Hi, Alexks,

I don't want to hide the header. My problem is that Nginx changes the "Connection: close" header in the response from the upstream server to "Connection: keep-alive" and sends it to the client. I want to keep the original "Connection: close" header.

Thanks
Liu Peng
----- Original Message -----
From: Aleksandar Lazic <al-nginx@none.at>
To: tjlp@sina.com
Cc: nginx <nginx@nginx.org>
Subject: Re: Reply: Re: Issue about nginx removing the header "Connection" in HTTP response?
Date: 2017-03-03 16:19


Hi.
then one directive upward.
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header
Cheers
aleks

Reply: Re: Reply: Re: Reply: Re: Issue about nginx removing the header "Connection" in HTTP response? (no replies)

Hi, Aleks,

Actually I read what you mention. The document about "proxy_pass_header" just passes the headers listed in "proxy_hide_header", which do not include "Connection", so I think it might not work. I will try this.

BTW, this module ngx_http_upstream_module should be built by default, right, because the directive proxy_pass is supported by this module? My output of "nginx -V" does not include this module.

Thanks
Liu Peng

----- Original Message -----
From: Aleksandar Lazic <al-nginx@none.at>
To: tjlp@sina.com
Cc: nginx <nginx@nginx.org>
Subject: Re: Reply: Re: Reply: Re: Issue about nginx removing the header "Connection" in HTTP response?
Date: 2017-03-04 17:22


Hi Liu Peng.
On 04-03-2017 09:12, tjlp@sina.com wrote:
>
> Hi, Alexks,
>
> I don't want to hide the header.
> My problem is that Nginx changes the "Connection: close" header in the
> response from the upstream server to "Connection: keep-alive" and sends it to
> the client. I want to keep the original "Connection: close" header.
Ah that's a clear question.
It took us only 3 rounds to get to this clear question ;-)
So now the standard Questions from me:
What's the output of nginx -V ?
What's your config?
Maybe you have set 'keepalive' in the upstream config
http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
or
'proxy_http_version 1.1;'
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version
as a last resort you can just pass the header with
'proxy_pass_header Connection;'.
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_header
Choose the solution which fits your demand.
I can only guess due to the fact that we don't know your config.
May I ask you to take a look into this document, which exists in several
languages, thank you very much.
http://www.catb.org/~esr/faqs/smart-questions.html
Best regards
Aleks

conditional expression (no replies)

Hello,

Our local policy demands the rejection of any query; we do this as follows: if ($is_args) { return 301 /; }

The introduction of Thunderbird autoconfiguration demands an exception to the above policy, because of
"GET /.well-known/autoconfig/mail/config-v1.1.xml?emailaddre=uname%40example.com".

The resulting rule would be

if (($is_args) && ($args !~ emailaddress=.+%40[a-zA-Z0-9\.\-]+)) { return 301 /; }

The rule does not work, because nginx does not parse the AND condition.

Of course, you cannot just remove $is_args, because $args is usually empty.

The alternative would be if ($args ~ emailaddress=.+%40[a-zA-Z0-9\.\-]+)) { allow all; } else { return 301 /; },
but nginx does not parse if-then-else statements.

Are we stuck in the cage?
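
An added example, not part of the original post: nginx's `if` takes a single condition, so a common way to get AND/else logic is to compute one flag in a `map` and test only that flag. The variable name $reject_query and the server_name are hypothetical; the exception regex is anchored to the autoconfig path and to a single emailaddress parameter, which is a tightening of the pattern in the post.

```nginx
# http context. Added example; $reject_query is a hypothetical variable name.
# $request_uri is the original request URI including the query string.
# Regex entries in a map are tested in order of appearance, so the exception
# has to come before the catch-all.
map $request_uri $reject_query {
    # Thunderbird autoconfiguration: this path, one emailaddress parameter only.
    "~^/\.well-known/autoconfig/mail/config-v1\.1\.xml\?emailaddress=[^&]+%40[a-zA-Z0-9.-]+$"  0;

    # Any other request whose URI contains "?" is treated as carrying a query.
    # This is slightly stricter than $is_args, which is empty for a bare
    # trailing "?" with no arguments.
    "~\?"    1;

    default  0;
}

server {
    listen 80;
    server_name example.com;    # placeholder

    # `if` treats an empty string and "0" as false, anything else as true.
    if ($reject_query) {
        return 301 /;
    }
}
```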

questions on module developer (no replies)

Can anybody here tell me when these two functions, init_process() and exit_process(), in a module (ngx_module_t) are called? Is init_process called once when nginx starts, or when a query matching a location defined in nginx.conf is received? When does exit_process() get called? At process exit, or does it never get called as long as nginx is alive?

Thanks,

stale-while-revalidate and stale-if-error implementation (no replies)

Hello!

I tried to make "stale-if-error=864000" and "stale-while-revalidate=864000" co-exist with the "expires max;" directive. Is it possible? My configuration looks like:

.... snip ...
expires max;
add_header Cache-Control "stale-while-revalidate=864000, stale-if-error=864000";
.... snip ...

And the response headers returned are:

cache-control:max-age=315360000
cache-control:stale-while-revalidate=864000, stale-if-error=864000

Is it OK and acceptable in major modern browsers?

Or should I change the header to:

add_header Cache-Control "max-age=315360000, stale-while-revalidate=864000, stale-if-error=864000";

Any feedback and help would be appreciated.
Thanks in advance.

ssl_session_timeout issues (1 reply)

I read the code of the ssl module; the directive ssl_session_timeout seems to be used only for the SSL session cache, not for SSL session tickets.
The documentation describes the directive as 'Specifies a time during which a client may reuse the session parameters.' Is that not exact?
Is there any timeout for SSL session tickets?

Reverse proxy problem with an application (no replies)

Hello,
I have run an application behind an nginx reverse proxy and I can't make it work.

a) If I access this application using https://1.1.1.1:443 it works (certificate warning).
b) If I access this application using https://myapp.mydomain.org, I get access to the login page.

    location ^~ / {
        proxy_pass        https://1.1.1.1:443;
        proxy_redirect    off;
        proxy_set_header  Host             $http_host;
        proxy_set_header  X-Real-IP        $remote_addr;
        proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header X-Content-Security-Policy;
        proxy_hide_header X-Content-Type-Options;
        proxy_hide_header X-WebKit-CSP;
        proxy_hide_header content-security-policy;
        proxy_hide_header x-xss-protection;
        proxy_set_header  X-NginX-Proxy true;
        proxy_ssl_session_reuse off;
    }

c) I log in on the page and after some time (2/3 seconds) the application logs me out.

When I log in directly (case a), I notice that I have (firebug):
CookieSaveStateCookie=root; APPSESSIONID=070ABC6AE433D2CAEDCFFB1E43074416; testcookieenabled

Whereas when I log in in case c) I have:
APPSESSIONID=070ABC6AE433D2CAEDCFFB1E43074416; testcookieenabled

So I feel there's a problem with the session or something like that.

PS: There is only one backend server and I can't run plain http (disable https).

Does anyone have an idea?




Reply: Re: Reply: Re: Reply: Re: Issue about nginx removing the header "Connection" in HTTP response? (no replies)

Hi, Alexks,

I try your proposal and it doesn't work. Actually my issue is the same as this one http://stackoverflow.com/questions/5100971/nginx-and-proxy-pass-send-connection-close-headers.

1. I add "keeplive_request 0". The result is that the "Connection: close" header is sent to client for every response. That does not match my requirement. Our application decides whether to finish the application session using this header.

2. I add "proxy_pass_header Connection". Nginx keeps sending "Connection: keep-alive" header to client even the header is "Connection: close" from upstream server.

It seems Nginx has some special handling for the Connection header in the response. The openresty author suggests that the only way to change the response header is to change the nginx C code for this issue. See this issue: https://github.com/openresty/headers-more-nginx-module/issues/22#issuecomment-31585052.

Thanks
Liu Peng

Reply: Re: Reply: Re: Reply: Re: Reply: Re: Issue about nginx removing the header "Connection" in HTTP response? (no replies)

Hi, Aleks,

The result of nginx -V is as follow:
nginx version: nginx/1.11.1
built by gcc 4.9.2 (Debian 4.9.2-10)
built with OpenSSL 1.0.1t 3 May 2016
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_sub_module --with-http_v2_module --with-http_spdy_module --with-stream --with-stream_ssl_module --with-threads --with-file-aio --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --add-module=/tmp/build/ngx_devel_kit-0.3.0 --add-module=/tmp/build/set-misc-nginx-module-0.30 --add-module=/tmp/build/nginx-module-vts-0.1.9 --add-module=/tmp/build/lua-nginx-module-0.10.5 --add-module=/tmp/build/headers-more-nginx-module-0.30 --add-module=/tmp/build/nginx-goodies-nginx-sticky-module-ng-c78b7dd79d0d --add-module=/tmp/build/nginx-http-auth-digest-f85f5d6fdcc06002ff879f5cbce930999c287011 --add-module=/tmp/build/ngx_http_substitutions_filter_module-bc58cb11844bc42735bbaef7085ea86ace46d05b --add-module=/tmp/build/lua-upstream-nginx-module-0.05

The nginx conf is:


daemon off;

worker_processes 2;

pid /run/nginx.pid;

worker_rlimit_nofile 131072;

pcre_jit on;

events {
    multi_accept on;
    worker_connections 16384;
    use epoll;
}

http {

    lua_shared_dict server_sessioncnt_dict 20k;
    lua_shared_dict server_dict 20k;
    lua_shared_dict server_acceptnewconn_dict 20k;
    lua_shared_dict sessionid_server_dict 100k;

    real_ip_header X-Forwarded-For;
    set_real_ip_from 0.0.0.0/0;
    real_ip_recursive on;

    geoip_country /etc/nginx/GeoIP.dat;
    geoip_city /etc/nginx/GeoLiteCity.dat;
    geoip_proxy_recursive on;
    vhost_traffic_status_zone shared:vhost_traffic_status:10m;
    vhost_traffic_status_filter_by_set_key $geoip_country_code country::*;
    # lua section to return proper error codes when custom pages are used
    lua_package_path '.?.lua;./etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/lua-resty-http/lib/?.lua;/etc/nginx/lua/vendor/lua-resty-lrucache/lib/?.lua;/etc/nginx/lua/vendor/lua-resty-core/lib/?.lua;/etc/nginx/lua/vendor/lua-resty-balancer/lib/?.lua;';

    init_by_lua_file /etc/nginx/lua/init_by_lua.lua;

    sendfile on;
    aio threads;
    tcp_nopush on;
    tcp_nodelay on;

    log_subrequest on;

    reset_timedout_connection on;

    keepalive_timeout 75s;

    types_hash_max_size 2048;
    server_names_hash_max_size 512;
    server_names_hash_bucket_size 64;

    include /etc/nginx/mime.types;
    default_type text/html;
    gzip on;
    gzip_comp_level 5;
    gzip_http_version 1.1;
    gzip_min_length 256;
    gzip_types application/atom+xml application/javascript aplication/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component;
    gzip_proxied any;

    client_max_body_size "64m";

    log_format upstreaminfo '$remote_addr - '
        '[$proxy_add_x_forwarded_for] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" '
        '$request_length $request_time $upstream_addr $upstream_response_length $upstream_response_time $upstream_status';

    map $request $loggable {
        default 1;
    }

    access_log /var/log/nginx/access.log upstreaminfo if=$loggable;
    error_log /var/log/nginx/error.log notice;

    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    # trust http_x_forwarded_proto headers correctly indicate ssl offloading
    map $http_x_forwarded_proto $pass_access_scheme {
        default $http_x_forwarded_proto;
        '' $scheme;
    }

    # Map a response error watching the header Content-Type
    map $http_accept $httpAccept {
        default html;
        application/json json;
        application/xml xml;
        text/plain text;
    }

    map $httpAccept $httpReturnType {
        default text/html;
        json application/json;
        xml application/xml;
        text text/plain;
    }

    server_name_in_redirect off;
    port_in_redirect off;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # turn on session caching to drastically improve performance

    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_session_timeout 10m;

    # allow configuring ssl session tickets
    ssl_session_tickets on;

    # slightly reduce the time-to-first-byte
    ssl_buffer_size 4k;

    # allow configuring custom ssl ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    # In case of errors try the next upstream server before returning an error
    proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;

    upstream liupeng-sm-rte-svc-13080 {
        server 172.77.69.10:13080;
        server 172.77.87.9:13080;

        balancer_by_lua_file /etc/nginx/lua/balancer_by_lua.lua;

    }

    server {
        server_name _;
        listen 80;
        listen 443 ssl spdy http2;

        # PEM sha: aad58c371e57f3c243a7c8143c17762c67a0f18a
        ssl_certificate /etc/nginx-ssl/system-snake-oil-certificate.pem;
        ssl_certificate_key /etc/nginx-ssl/system-snake-oil-certificate.pem;

        more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload";

        vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name;

        location /SM/ui {

            proxy_set_header Host $host;

            # Pass Real IP
            proxy_set_header X-Real-IP $remote_addr;

            # Allow websocket connections
            proxy_set_header Upgrade $http_upgrade;

            proxy_set_header Connection "";

            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Port $server_port;
            proxy_set_header X-Forwarded-Proto $pass_access_scheme;

            # mitigate HTTPoxy Vulnerability
            # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
            proxy_set_header Proxy "";

            proxy_connect_timeout 5s;
            proxy_send_timeout 60s;
            proxy_read_timeout 60s;

            proxy_redirect off;

            proxy_buffering off;

            proxy_http_version 1.1;

            proxy_pass http://liupeng-sm-rte-svc-13080;

            rewrite_by_lua_file /etc/nginx/lua/rewrite_by_lua.lua;

            header_filter_by_lua_file /etc/nginx/lua/header_filter_by_lua.lua;

        }

    }
}


----- Original Message -----
From: Aleksandar Lazic <al-nginx@none.at>
To: tjlp@sina.com
Cc: nginx <nginx@nginx.org>
Subject: Re: Reply: Re: Reply: Re: Reply: Re: Issue about nginx removing the header "Connection" in HTTP response?
Date: 2017-03-07 15:39


Hi Liu Peng.
We still don't know your nginx version nor your config!
Cite from below:
> So now the standard Questions from me:
> What's the output of nginx -V ?
> What's your config?
regards
aleks
On 07-03-2017 02:37, tjlp@sina.com wrote:
> Hi, Alexks,
>
> I try your proposal and it doesn't work. Actually my issue is the same
> as this one
> http://stackoverflow.com/questions/5100971/nginx-and-proxy-pass-send-connection-close-headers.
>
> 1. I add "keeplive_request 0". The result is that the "Connection:
> close" header is sent to client for every response. That does not match
> my requirement. Our application decides whether to finish the
> application session using this header.
>
> 2. I add "proxy_pass_header Connection". Nginx keeps sending
> "Connection: keep-alive" header to client even the header is
> "Connection: close" from upstream server.
>
> Seems Nginx has some special handling for the Connection header in
> response. The openresty author suggests that the only way for changing
> response header change the nginx C code for this issue. See this issue:
> https://github.com/openresty/headers-more-nginx-module/issues/22#issuecomment-31585052.
>
> Thanks
> Liu Peng
>
> ----- 原始邮件 -----
> 发件人:Aleksandar Lazic <al-nginx@none.at>
> 收件人:tjlp@sina.com
> 抄送人:nginx <nginx@nginx.org>
> 主题:Re:_回复:Re:_回复:Re:_Issue_about_nginx_removing_the_header_"Connection"_in_HTTP_response?
> 日期:2017年03月04日 17点22分
>
> Hi Liu Peng.
> Am 04-03-2017 09:12, schrieb tjlp@sina.com:
>>
>> Hi, Aleks,
>>
>> I don't want to hide the header.
>> My problem is that Nginx changes the "Connection: close" header in the
>> response from upstream server to "Connection: keep-alive" and sends it to
>> client. I want to keep the original "Connection: close" header.
> Ah that's a clear question.
> It took us only 3 rounds to get to this clear question ;-)
> So now the standard Questions from me:
> What's the output of nginx -V ?
> What's your config?
> Maybe you have set 'keepalive' in the upstream config
> http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
> or
> 'proxy_http_version 1.1;'
> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version
> as a last resort you can just pass the header with
> 'proxy_pass_header Connection;'.
> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_header
> Choose the solution which fits your demand.
> I can only guess due to the fact that we don't know your config.
> May I ask you to take a look into this document, which exists in
> several
> languages, thank you very much.
> http://www.catb.org/~esr/faqs/smart-questions.html
> Best regards
> Aleks
>> Thanks
>> Liu Peng
>>
>> ----- Original Message -----
>> From: Aleksandar Lazic <al-nginx@none.at>
>> To: tjlp@sina.com
>> Cc: nginx <nginx@nginx.org>
>> Subject: Re: Reply: Re: Issue about nginx removing the header "Connection" in HTTP response?
>> Date: 2017-03-03 16:19
>> Hi.
>>
>> then one directive upward.
>>
>> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header
>>
>> Cheers
>>
>> aleks
>>
>> On 03-03-2017 06:00, tjlp@sina.com wrote:
>>
>>> Hi,
>>>
>>> What I mention is the header in response from backend server. Your
>>> answer about proxy_set_header is the "Connection" header in request.
>>>
>>> Thanks
>>> Liu Peng
>>>
>>> ----- Original Message -----
>>> From: Aleksandar Lazic <al-nginx@none.at>
>>> To: nginx@nginx.org
>>> Cc: tjlp@sina.com
>>> Subject: Re: Issue about nginx removing the header "Connection" in HTTP
>>> response?
>>> Date: 2017-03-03 06:25
>>>
>>> Hi.
>>> On 01-03-2017 08:29, tjlp@sina.com wrote:
>>>> Hi, nginx guy,
>>>>
>>>> In our system, for some special requests, the upstream server will
>>>> return a response which the header includes "Connection: Close".
>>>> According to HTTP protocol, "Connection" is one-hop header.
>>>> So, nginx will remove this header and the client can't do the
>>>> business
>>>> logic correctly.
>>>>
>>>> How to handle this scenario?
>>> you mean something like this?
>>> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header
>>> If the value of a header field is an empty string then this field
>>> will
>>> not be passed to a proxied server:
>>> proxy_set_header Connection "";
>>>> Thanks
>>>> Liu Peng
>>>> _______________________________________________
>>>> nginx mailing list
>>>> nginx@nginx.org
>>>> http://mailman.nginx.org/mailman/listinfo/nginx
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
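
The thread above turns on "Connection" being a hop-by-hop header. The following is an added example, not nginx source code and not part of the original messages: a small Python model of how an HTTP/1.1 proxy treats response headers, showing why the backend's "Connection: close" never reaches the client while an end-to-end header does. The header names `X-App-Session-End` and `X-Internal-Trace` are hypothetical.

```python
# Added illustration, not nginx source code: a minimal model of how an
# HTTP/1.1 proxy handles response headers (RFC 7230 section 6.1).

# Hop-by-hop fields as listed in RFC 2616 section 13.5.1. They describe a
# single connection and are never relayed to the next hop.
HOP_BY_HOP = frozenset({
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
})


def connection_tokens(headers):
    """Collect the comma-separated tokens of every Connection header."""
    tokens = set()
    for name, value in headers:
        if name.lower() == "connection":
            tokens.update(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens


def forward_response_headers(upstream_headers, client_keepalive):
    """Return the header list the proxy sends to the client.

    upstream_headers: list of (name, value) pairs received from the backend.
    client_keepalive: True if the proxy will keep the client connection open.
    """
    # Fields named inside the backend's Connection header are hop-by-hop too.
    drop = HOP_BY_HOP | connection_tokens(upstream_headers)
    relayed = [(n, v) for n, v in upstream_headers if n.lower() not in drop]
    # The proxy then describes its OWN connection to the client; the state of
    # the proxy-to-backend connection plays no part in this value.
    relayed.append(("Connection", "keep-alive" if client_keepalive else "close"))
    return relayed


# Constructed sample: the backend closes its connection to the proxy and also
# signals the end of the application session in an end-to-end header.
SAMPLE_UPSTREAM = [
    ("Content-Type", "text/html"),
    ("Connection", "close, X-Internal-Trace"),
    ("X-Internal-Trace", "abc123"),
    ("X-App-Session-End", "1"),
]

if __name__ == "__main__":
    for name, value in forward_response_headers(SAMPLE_UPSTREAM, client_keepalive=True):
        print(f"{name}: {value}")
```

In this model, application state carried in an end-to-end header passes through the proxy unchanged, whereas anything encoded in "Connection" is rewritten per hop.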

Can NGINX Forward the 401 Response to Upstream server to Destroy Temp User data (no replies)

I have an NGINX reverse proxy and upstream server. NGINX authenticates the incoming request and forwards the request to upstream server, which also authenticates the request first and then creates a session for the user.

I want to know if the user session gets expired in NGINX, will NGINX forward the request to upstream server to also destroy the user session

OR

NGINX will just destroy the session in its authentication service and will not inform the upstream server to destroy the session ?

Reverse Proxy with 500k connections (7 replies)

Hi,

we are operating native nginx 1.8.1 on RHEL as a reverse proxy.
The nginx routes requests to a backend server that can be reached from the proxy via a single internal IP address.
We have to support a large number of concurrent websocket connections - say 100k to 500k.

As we don't want to increase the number of proxy instances (with different IPs) and we cannot use the "proxy_bind transparent" option (was introduced in a later nginx release, upgrade is not possible) we wanted to configure the nginx to use different source IPs when routing to the backend. Thus, we want nginx to select an available source ip + source port when a connection is established with the backend.

For that we assigned ten internal IPs to the proxy server and used the proxy_bind directive bound to 0.0.0.0.
But this approach seems not to work. The nginx instance seems to always use the first IP as source IP.
Using multiple proxy_bind's is not possible.

So my question is: How can I configure nginx to select from a pool of source IPs? Or generally: to overcome the 64k problem?

Best Regards
Lars

------- extract from config

upstream backend {
server 192.168.1.21:443;
}

server {
listen 443 ssl;
proxy_bind 0.0.0.0;

location /service {
proxy_pass https://backend;
...
}
}

Nginx reverse proxy for TFTP UDP port 69 traffic (2 replies)

I’m trying to use Nginx to reverse proxy TFTP UDP port 69 traffic and I’m having a problem with getting files through the nginx reverse proxy.

My configuration is simple, I’m running TFTP on one Centos 6.x server and the Nginx reverse proxy on another Centos 6.x server with the latest Nginx mainline 1.11.10 from the nginx.org (http://nginx.org/) repository.

TFTP connections to the TFTP server directly work. Using the same commands through the Nginx reverse proxy, connects, but will not download or upload a file through it.

If you have any suggestions, I’d appreciate a nudge in the right direction. I’m assuming it’s something I’m missing.

Eric Feldhusen

My configuration is below. The TFTP server is at 192.168.1.11 and the Nginx reverse proxy is at 192.168.1.145. No firewalls on either server.

stream {
upstream staging_tftp_servers {
server 192.168.1.70:69;
}

server {
listen 69 udp; #udp
proxy_pass staging_tftp_servers;
error_log /var/log/nginx/tftp.log info;
}
}

I’m seeing these in the tftp.log

2017/03/06 14:34:44 [info] 32676#32676: *554 udp upstream disconnected, bytes from/to client:36/0, bytes from/to upstream:0/36
2017/03/06 14:34:46 [info] 32676#32676: *556 udp upstream disconnected, bytes from/to client:36/0, bytes from/to upstream:0/36
2017/03/06 14:34:47 [info] 32676#32676: *1439 udp client 10.1.0.14:2277 connected to 0.0.0.0:69
2017/03/06 14:34:47 [info] 32676#32676: *1439 udp proxy 192.168.1.145:37961 connected to 192.168.1.11:69
2017/03/06 14:34:48 [info] 32676#32676: *558 udp upstream disconnected, bytes from/to client:23/0, bytes from/to upstream:0/23
2017/03/06 14:34:48 [info] 32676#32676: *560 udp upstream disconnected, bytes from/to client:36/0, bytes from/to upstream:0/36
2017/03/06 14:34:49 [info] 32676#32676: *1441 udp client 10.1.0.15:1090 connected to 0.0.0.0:69
2017/03/06 14:34:49 [info] 32676#32676: *1441 udp proxy 192.168.1.145:38526 connected to 192.168.1.11:69
2017/03/06 14:34:50 [info] 32676#32676: *562 udp upstream disconnected, bytes from/to client:36/0, bytes from/to upstream:0/36
2017/03/06 14:34:53 [info] 32676#32676: *1443 udp client 10.1.0.14:2277 connected to 0.0.0.0:69
2017/03/06 14:34:53 [info] 32676#32676: *1443 udp proxy 192.168.1.145:38689 connected to 192.168.1.11:69
2017/03/06 14:34:56 [info] 32676#32676: *564 udp upstream disconnected, bytes from/to client:23/0, bytes from/to upstream:0/23
2017/03/06 14:34:56 [info] 32676#32676: *566 udp upstream disconnected, bytes from/to client:36/0, bytes from/to upstream:0/36
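
The log in the post above can be summarised mechanically. The following is an added example, not part of the original post: it parses stream-module "udp upstream disconnected" lines and flags sessions in which bytes were sent to the upstream but none came back. The sample lines are constructed in the post's format; one cause worth checking for this pattern with TFTP is that the server answers from a newly chosen port (the transfer identifier of RFC 1350) rather than from port 69.

```python
import re

# Matches the per-session summary line written by the nginx stream module,
# in the format shown in the post above.
DISCONNECT_RE = re.compile(
    r"\*(?P<sid>\d+) udp upstream disconnected, "
    r"bytes from/to client:(?P<from_client>\d+)/(?P<to_client>\d+), "
    r"bytes from/to upstream:(?P<from_upstream>\d+)/(?P<to_upstream>\d+)"
)


def parse_sessions(log_text):
    """Return one dict of integer counters per 'upstream disconnected' line."""
    sessions = []
    for line in log_text.splitlines():
        match = DISCONNECT_RE.search(line)
        if match:
            sessions.append({key: int(val) for key, val in match.groupdict().items()})
    return sessions


def one_way_sessions(sessions):
    """Sessions where the proxy forwarded data upstream but got no reply."""
    return [s for s in sessions if s["to_upstream"] > 0 and s["from_upstream"] == 0]


# Constructed sample in the post's log format. The last line is a made-up
# healthy session (reply relayed back to the client) for contrast.
SAMPLE_LOG = """\
2017/03/06 14:34:44 [info] 32676#32676: *554 udp upstream disconnected, bytes from/to client:36/0, bytes from/to upstream:0/36
2017/03/06 14:34:46 [info] 32676#32676: *556 udp upstream disconnected, bytes from/to client:36/0, bytes from/to upstream:0/36
2017/03/06 14:34:47 [info] 32676#32676: *1439 udp client 10.1.0.14:2277 connected to 0.0.0.0:69
2017/03/06 14:34:48 [info] 32676#32676: *558 udp upstream disconnected, bytes from/to client:23/0, bytes from/to upstream:0/23
2017/03/06 14:35:10 [info] 32676#32676: *900 udp upstream disconnected, bytes from/to client:40/516, bytes from/to upstream:516/40
"""

if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_LOG)
    stuck = one_way_sessions(parsed)
    print(f"{len(stuck)} of {len(parsed)} sessions got no reply from upstream:")
    for s in stuck:
        print(f"  session *{s['sid']}: sent {s['to_upstream']} bytes, received 0")
```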

Passing $upstream_response_time in a header (1 reply)

Hello,

I have an nginx server that runs as reverse proxy and I would like to pass
the $upstream_response_time value in a header. I find that when I do the
value is actually a linux timestamp with millisecond resolution instead of
a value of seconds with millisecond resolution. Apparently this is
automatically converted when written to the logs. Is there a way to trigger
the conversion for passing in a header?

Thank you,
~Jonathan

--
Jonathan Simowitz | Jigsaw | Software Engineer | simowitz@google.com |
631-223-8608

Reply: Re: Reply: Re: Reply: Re: Reply: Re: Reply: Re: Issue about nginx removing the header "Connection" in HTTP response? (no replies)

Hi, Aleks,

This nginx conf is generated by Kubernetes nginx ingress controller. We use the Nginx in the kubernetes cluster. So many modules are there.

The lua script is supported by the open sourced OpenResty. You can google it to find how and why to use it. We use it for our special load balancing.

For the log, I am not sure what you need.

Thanks
----- Original Message -----
From: Aleksandar Lazic <al-nginx@none.at>
To: tjlp@sina.com
Cc: nginx <nginx@nginx.org>
Subject: Re: Reply: Re: Reply: Re: Reply: Re: Reply: Re: Issue about nginx removing the header "Connection" in HTTP response?
Date: 2017-03-08 06:26


Hi.
Well that's a lot of modules and lua stuff there.
What's in the '*by_lua_file's ?
Can you run from a specific IP the debug log to see what's happening in nginx?
http://nginx.org/en/docs/debugging_log.html
regards
aleks
On 07-03-2017 10:49, tjlp@sina.com wrote:

Hi, Aleks,



The result of nginx -V is as follows:
nginx version: nginx/1.11.1
built by gcc 4.9.2 (Debian 4.9.2-10)
built with OpenSSL 1.0.1t 3 May 2016
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_sub_module --with-http_v2_module --with-http_spdy_module --with-stream --with-stream_ssl_module --with-threads --with-file-aio --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --add-module=/tmp/build/ngx_devel_kit-0.3.0 --add-module=/tmp/build/set-misc-nginx-module-0.30 --add-module=/tmp/build/nginx-module-vts-0.1.9 --add-module=/tmp/build/lua-nginx-module-0.10.5 --add-module=/tmp/build/headers-more-nginx-module-0.30 --add-module=/tmp/build/nginx-goodies-nginx-sticky-module-ng-c78b7dd79d0d --add-module=/tmp/build/nginx-http-auth-digest-f85f5d6fdcc06002ff879f5cbce930999c287011 --add-module=/tmp/build/ngx_http_substitutions_filter_module-bc58cb11844bc42735bbaef7085ea86ace46d05b --add-module=/tmp/build/lua-upstream-nginx-module-0.05



The nginx conf is:



daemon off;

worker_processes 2;

pid /run/nginx.pid;

worker_rlimit_nofile 131072;

pcre_jit on;

events {
multi_accept on;
worker_connections 16384;
use epoll;
}

http {

lua_shared_dict server_sessioncnt_dict 20k;
lua_shared_dict server_dict 20k;
lua_shared_dict server_acceptnewconn_dict 20k;
lua_shared_dict sessionid_server_dict 100k;



real_ip_header X-Forwarded-For;
set_real_ip_from 0.0.0.0/0;
real_ip_recursive on;




geoip_country /etc/nginx/GeoIP.dat;
geoip_city /etc/nginx/GeoLiteCity.dat;
geoip_proxy_recursive on;
vhost_traffic_status_zone shared:vhost_traffic_status:10m;
vhost_traffic_status_filter_by_set_key $geoip_country_code country::*;
# lua section to return proper error codes when custom pages are used
lua_package_path '.?.lua;./etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/lua-resty-http/lib/?.lua;/etc/nginx/lua/vendor/lua-resty-lrucache/lib/?.lua;/etc/nginx/lua/vendor/lua-resty-core/lib/?.lua;/etc/nginx/lua/vendor/lua-resty-balancer/lib/?.lua;';

init_by_lua_file /etc/nginx/lua/init_by_lua.lua;

sendfile on;
aio threads;
tcp_nopush on;
tcp_nodelay on;

log_subrequest on;

reset_timedout_connection on;

keepalive_timeout 75s;

types_hash_max_size 2048;
server_names_hash_max_size 512;
server_names_hash_bucket_size 64;

include /etc/nginx/mime.types;
default_type text/html;
gzip on;
gzip_comp_level 5;
gzip_http_version 1.1;
gzip_min_length 256;
gzip_types application/atom+xml application/javascript aplication/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component;
gzip_proxied any;

client_max_body_size "64m";

log_format upstreaminfo '$remote_addr - '
'[$proxy_add_x_forwarded_for] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" '
'$request_length $request_time $upstream_addr $upstream_response_length $upstream_response_time $upstream_status';



map $request $loggable {
default 1;
}

access_log /var/log/nginx/access.log upstreaminfo if=$loggable;
error_log /var/log/nginx/error.log notice;



map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}

# trust http_x_forwarded_proto headers correctly indicate ssl offloading
map $http_x_forwarded_proto $pass_access_scheme {
default $http_x_forwarded_proto;
'' $scheme;
}

# Map a response error watching the header Content-Type
map $http_accept $httpAccept {
default html;
application/json json;
application/xml xml;
text/plain text;
}

map $httpAccept $httpReturnType {
default text/html;
json application/json;
xml application/xml;
text text/plain;
}

server_name_in_redirect off;
port_in_redirect off;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

# turn on session caching to drastically improve performance

ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_session_timeout 10m;


# allow configuring ssl session tickets
ssl_session_tickets on;

# slightly reduce the time-to-first-byte
ssl_buffer_size 4k;


# allow configuring custom ssl ciphers
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;




# In case of errors try the next upstream server before returning an error
proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;

upstream liupeng-sm-rte-svc-13080 {
server 172.77.69.10:13080;
server 172.77.87.9:13080;

balancer_by_lua_file /etc/nginx/lua/balancer_by_lua.lua;
}

server {
server_name _;
listen 80;
listen 443 ssl spdy http2;

# PEM sha: aad58c371e57f3c243a7c8143c17762c67a0f18a
ssl_certificate /etc/nginx-ssl/system-snake-oil-certificate.pem;
ssl_certificate_key /etc/nginx-ssl/system-snake-oil-certificate.pem;

more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload";

vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name;

location /SM/ui {
proxy_set_header Host $host;

# Pass Real IP
proxy_set_header X-Real-IP $remote_addr;

# Allow websocket connections
proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection "";


proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $pass_access_scheme;

# mitigate HTTPoxy Vulnerability
# https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
proxy_set_header Proxy "";

proxy_connect_timeout 5s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;

proxy_redirect off;

proxy_buffering off;

proxy_http_version 1.1;


proxy_pass http://liupeng-sm-rte-svc-13080;


rewrite_by_lua_file /etc/nginx/lua/rewrite_by_lua.lua;

header_filter_by_lua_file /etc/nginx/lua/header_filter_by_lua.lua;


}


}
}








