Channel: Nginx Forum - Nginx Mailing List - English

nginx use of UDP ports? (no replies)

Hello,

After setting up nginx to run, I've noticed that 'lsof' shows all nginx
processes (master + workers) listening on an ephemeral UDP port.

nginx 25142   vgrinshp    4u  IPv4 422450236      0t0  UDP 127.0.0.1:33226
nginx 25144   vgrinshp    4u  IPv4 422450236      0t0  UDP 127.0.0.1:33226
nginx 25145   vgrinshp    4u  IPv4 422450236      0t0  UDP 127.0.0.1:33226
nginx 25146   vgrinshp    4u  IPv4 422450236      0t0  UDP 127.0.0.1:33226
nginx 25147   vgrinshp    4u  IPv4 422450236      0t0  UDP 127.0.0.1:33226


I did not explicitly configure anything that (AFAIK) uses UDP, and I
could not find anything in the doc that mentions any use of UDP ports by
nginx.
The ports seem to be used by nginx even with the most minimal nginx.conf.

Does anyone here know how/why these ports are used?

Thanks for any info!
-Vadim



_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Nginx and 400 SSL error handling (1 reply)

Hi All,

We’re trying to configure client authentication on Nginx 1.15.12 and
we noticed a “400 Bad Request - SSL Certificate Error” because a
certificate CA isn’t present in the certificates listed in
“ssl_client_certificate”. This is the configuration for the SSL
authentication.

ssl_verify_client optional;
ssl_client_certificate /usr/local/nginx/ca-test.pem;

Actually we would return a 401 error page instead of a 400 error page but we
aren’t able to customize the HTTP code but only the message reported with
this configuration.

error_page 495 @error_ssl_495;

location @error_ssl_495 {
    return 401 'certificate invalid';
}

Is it possible to adjust also the http error code?



Thanks in advance,

Marcello

nginx ingress controller question about use of informers (no replies)

Looking at the nginx ingress controller code, I had a question about the design. I see that there is a function, getPodsForIngressBackend (https://github.com/nginxinc/kubernetes-ingress/blob/master/internal/k8s/controller.go#L15860). It looks like in this function a call is made to the kube api to grab all the backend pods for a service. I was wondering why not use the cached information from the informer?

How can I use proxy_pass and how can I redirect rest of it to default index . html (no replies)

Hi,



I have a small project. I have a domain, mob.ntms.com. I installed nginx using the https://nginx.org/en/linux_packages.html stable ubuntu commands.

When I type 127.0.0.1 or http://mob.ntms.com I can see the nginx default index.html.

First I changed the default index.html and placed my own. My html uses some assets and images, so I moved these 2 folders (asstest and images) into the /user/shared/nginx/html folder.

Till this everything works as I expected. Now I am at the difficult part. Let me try to explain before I paste my code:

I have a tcp socket in my local network which I connect to remotely, like if I type:

* http://mob.ntms.com/myrestapi/********

The /myrestapi/ is where my api resides. The ******* is dynamic. I need to redirect

* http://mob.ntms.com/myrestapi/ to 127.0.0.1:1024

127.0.0.1:1024 is a dart server and it is on the same machine as nginx.

If I type anything other than this (http://mob.ntms.com/myrestapi/), all the requests including 404 must be redirected to the nginx default index.html.

* http://mob.ntms.com redirect to default index.html
* http://mob.ntms.com/<dynamic> redirect to default index.html

Only;

* http://mob.ntms.com/myrestapi redirect to 127.0.0.1:1024

Currently my conf.d/default.conf looks like this:



server {
    charset UTF-8;
    listen 80;
    listen [::]:80;

    server_name mob.ntms.com;
    access_log /var/log/nginx/host.access.log main;

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }

    # define error page
    error_page 404 = @notfound;

    # error page location redirect 302
    location @notfound {
        return 302 /;
    }

    # error_page 404 =200 /index.html;
    # error_page 404 /usr/share/nginx/html/index.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /index.html;
    location = / {
        root /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:1024
    location /myrestapiA {
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass "http://127.0.0.1:1024/";
    }

    location /myrestapiB {
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass "http://127.0.0.1:1024/";
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    location ~ /\.ht {
        deny all;
    }

    location = /nginx.conf {
        deny all;
    }

    # Deny access to hidden files (beginning with a period)
    location ~ /\. {
        deny all;
    }
}



Thanks

Niyazi Toros


Nginx base Image: open-source (free) vs commercial (paid version)? (no replies)

Dear NGinx Community User,

I am building my Angular app where inside my dockerfile I am using Nginx base image for publishing the content:
E.g. FROM nginxinc/nginx-unprivileged:1.16-alpine or FROM nginx:alpine

Everything works fine so far, but here is a list of my questions:

* My understanding is that it is legal for me (my company) to use the above NGinx open-source image as base for building my commercial application?
* In what circumstances should I consider going for a commercial (licensed) paid version of Nginx base image? Let me elaborate a bit on this point: I am not an Nginx expert and I am not sure what additional benefit I can get out of buying a commercial version of Nginx base image. If my application's front-end (hosted inside Nginx) works fine and the base image (open-source) fulfills my application's requirement, what additional benefit can I get by going with the commercial one?
* Is the only reason in my case then that I can get an official support/SLA from Nginx if I go for their commercial Nginx base image offering? How often one could require an official support from Nginx for their Angular application hosted inside Nginx? I know it's a bit vague question, but I am just looking for some general trend.
* What is generally a common industry trend when it comes to hosting a standard Angular 7 app inside Nginx: Is it common that companies opt for an open-source one over a commercial Nginx base image or vice versa?
* What else could be a general criteria for assessing a risk that is whether to go for an open-source one or a commercial Nginx base image?
* Any other tip?

Thanks.

--
Regards Suleman


Nginx ssl_trusted_certificate directive problem (no replies)

Hi,

I have my nginx configured with client_certificate authentication:

ssl_client_certificate /etc/nginx/ssl/cas.pem;
ssl_verify_client optional;
ssl_verify_depth 2;
And is working fine, but I need to NOT send the CAs to the client during the handshake.

I've seen http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate in the documentation. So, I've changed it to:

ssl_trusted_certificate /etc/nginx/ssl/cas.pem;
ssl_verify_depth 2;

But now ssl_client_verify is always to NONE, and actually I saw in wireshark that the client is not sending the certificate.

What am I doing wrong?

Regards.

NGINX HTTPS Configuration Not Working (no replies)

Hello All,

I am using a Centos 7 OS and I am using nginx for an Angular application. It was easy configuring nginx to work with http, but when I obtained SSL certificate, key, etc from Cloudflare and tried to configure nginx to work with https it didn't work even after trying several solutions provided online.

I get "The page isn’t redirecting properly" error with the settings below:

/etc/nginx/nginx.conf
----------------------------------
user nginx;
worker_processes auto;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
worker_connections 1024;
# multi_accept on;
}

http {
##
# Basic Settings
##

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;

# server_names_hash_bucket_size 64;
# server_name_in_redirect off;

include /etc/nginx/mime.types;
default_type application/octet-stream;

##
# Logging Settings
##

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

server {
listen 80;
server_name hero.com;

return 301 https://$server_name$request_uri;
}

##
# Gzip Settings
##

#gzip on;
#gzip_disable "msie6";

# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
#gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

/etc/nginx/sites-available/hero.com.conf
--------------------------------------------------------
server {
listen 443 ssl;
include /etc/nginx/snippets/ssl-nohaso.com.conf;
include /etc/nginx/snippets/ssl-params.conf;

server_name nohaso.com;
location / {
root /var/www/html/cadastral.nohaso.com;
index index.html index.htm;
try_files $uri $uri/ /index.html =404;
}
}

Earlier on when I used the setting below, it goes to the default nginx page instead of my own page in /var/www/html/hero.com with this message:
"This is the default index.html page that is distributed with nginx on Fedora. It is located in /usr/share/nginx/html.
You should now put your content in a location of your choice and edit the root configuration directive in the nginx configuration file /etc/nginx/nginx.conf."

/etc/nginx/nginx.conf
--------------------------------------------------
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;

return 301 https://$host$request_uri;
}

/etc/nginx/sites-available/hero.com.conf
----------------------------------------------------
server {
listen 80;
server_name nohaso.com;

location / {
try_files $uri $uri/ /index.html;
}
}

server {
listen [::]:443 ssl ipv6only=on;
listen 443 ssl;

server_name nohaso.com;
root /var/www/html/nohaso.com;

include /etc/nginx/snippets/ssl-nohaso.com.conf;
include /etc/nginx/snippets/ssl-params.conf;

# other vhost configuration
}
--------------------------------------------------------------------

Please, could someone point me to what I am doing wrong. I want https pages displayed for the domain and subdomain.

FIPS support in nginx? (no replies)

Hi

Does nginx have a 'FIPS mode'? If so, where can I find this documented?

Thanks!
tl

Getting 302 Response (no replies)

Hi Team,

I have a nginx configuration file in /etc/nginx/default.d directory. I am using dynamic upstream, but I am getting 302 response on my nginx server. Below is the upstream and rewrite rule details:

=====================================================
resolver 172.29.92.2 valid=60s;
set $upstream_endpoint https://abc.example.com/;

location /media {
rewrite ?/media(.*) /$1 break;
proxy_pass $upstream_endpoint/media;
}
=====================================================

Requests will come like https://abc.example.com/media/movie/bollywood/action/wallpapar....

Please help me out in setting up proper rewrite rule.


Vivek Solanki


limit_except - require trusted ip AND auth vs. ip OR auth (no replies)

I would like to constrain HTTP access (PUT, POST) to an NGINX server
for specific locations.

There are two cases:

1) Permit POST, PUT if the request matches a trusted IP address OR
Basic auth credentials (either-or)
2) Permit POST, PUT if the request matches a trusted IP address AND
Basic auth credentials (must match both)


The configuration for (2) is appended. But how can I achieve (1)? It
seems that "satisfy any" cannot be included with "limit_except".

-Matthias


Config example case (2):

location / {
...
}

location /a {
# deny everything but GET/HEAD and OPTIONS
limit_except GET HEAD OPTIONS {
allow 127.0.0.1;
allow 172.0.0.0/8;
allow 141.30.27.36;
auth_basic 'Restricted';
auth_basic_user_file /etc/nginx/.htpasswd;
deny all;
}
...
}

location /b {
...
}
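
The two cases from the post, modelled in Python as an added example (not code from the post and not nginx configuration): `permitted`, `ranges_beyond_internal` and the sample clients are hypothetical names and constructed values, while the allow list is the one in the posted config. It also flags allow entries wider than loopback and RFC 1918 space, because under the OR policy an address match alone is enough to permit a write.

```python
import ipaddress

# Allow entries copied from the limit_except block in the post.
ALLOW = ["127.0.0.1", "172.0.0.0/8", "141.30.27.36"]
# Methods named on the limit_except line are left unrestricted.
UNRESTRICTED = {"GET", "HEAD", "OPTIONS"}
# Loopback plus the RFC 1918 private ranges, used by the audit below.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ip_trusted(client_ip, allow=ALLOW):
    """True if client_ip matches any allow entry."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(entry) for entry in allow)


def permitted(method, client_ip, auth_ok, policy):
    """Model of the two cases: policy 'and' is case 2, policy 'or' is case 1."""
    if policy not in ("and", "or"):
        raise ValueError("policy must be 'and' or 'or'")
    if method.upper() in UNRESTRICTED:
        return True
    checks = (ip_trusted(client_ip), bool(auth_ok))
    return all(checks) if policy == "and" else any(checks)


def ranges_beyond_internal(allow=ALLOW):
    """Allow entries wider than one host that are not wholly inside INTERNAL."""
    flagged = []
    for entry in allow:
        net = ipaddress.ip_network(entry)
        if net.num_addresses > 1 and not any(net.subnet_of(i) for i in INTERNAL):
            flagged.append(entry)
    return flagged


def decision_table(policy, method="POST"):
    """Decisions for constructed sample clients under the given policy."""
    samples = [  # constructed clients: (address, credentials valid?)
        ("127.0.0.1", False),
        ("127.0.0.1", True),
        ("203.0.113.7", True),    # documentation range, not on the allow list
        ("203.0.113.7", False),
        ("172.200.1.1", False),   # outside 172.16.0.0/12 but inside 172.0.0.0/8
    ]
    return {(ip, ok): permitted(method, ip, ok, policy) for ip, ok in samples}


if __name__ == "__main__":
    for policy in ("and", "or"):
        print(policy, decision_table(policy))
    print("wider than internal space:", ranges_beyond_internal())
```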




Node app inside nginx on K8s does not work (no replies)


error_page not honored (no replies)

I setup my own error_page for 400 but it doesn't seem to be honored. The
default page still is returned when client failed to provide certificate.
Any ideas?

< HTTP/1.1 400 Bad Request
< Date: Tue, 18 Jun 2019 17:50:04 GMT
< Content-Type: text/html
< Content-Length: 230
< Connection: close
<
<html>
<head><title>400 No required SSL certificate was sent</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>nginx</center>
</body>
</html>

packages built for Ubuntu 18.04 (no replies)

The openssl package for Ubuntu 18.04 (bionic) was recently upgraded to
openssl 1.1.1 with TLS 1.3 support, but the nginx binary provided in the
apt package repository http://nginx.org/packages/ubuntu was compiled with
openssl 1.1.0 and does not support TLS 1.3 even when system openssl is
1.1.1.

(The above is my understanding of why it doesn't support TLS 1.3, for
example from this post
https://mailman.nginx.org/pipermail/nginx/2019-January/057402.html)

Can the 1.6.0 package in the repo for Ubuntu 18.04 be rebuilt with TLS 1.3
support? Or at least, can we make sure 1.6.1 supports TLS 1.3, when it is
released?

proxy_ignore_client_abort with cache (1 reply)

Hello,

I am using NGINX (1.17.0) as a reverse proxy with cache. I want the cache to be updated even when the client closes the connection before the response is delivered to the client.

Will setting proxy_ignore_client_abort to on do this?

Details:
The client makes a HTTP range request on a large resource.
NGINX determines that the resource is not in the cache and forwards the request upstream.
Upstream starts delivering the resource, and NGINX starts caching the resource (in temp file).
Client times out and closes the connection to NGINX.

Questions: with proxy_ignore_client_abort on;
Will nginx continue to download the rest of the resource from the upstream server?
Will nginx move the resource from the temp file to the cache file?

The discussion referenced below implies that the upstream connection is still closed when nginx fails to send the response to the client.
In the case of a range request, nginx will send the response once the requested range is available, and thus before the resource is completely downloaded.
Therefore, this would imply that the resource will not be cached, regardless of the value of the proxy_ignore_client_abort directive.
https://forum.nginx.org/read.php?2,253026,253029#msg-253029

Thanks…

Roger


Problem loading ssl engine (no replies)

Hi All.

I am trying to load an ssl engine in windows but for some reason it looks like it is trying to load it from some weird path. I don't even have a Z drive.

My engine lib is in C:\cygwin\usr\local\ssl\lib\engines-1_1\gem.dll

When I execute nginx I get:

C:\nginx>nginx.exe
nginx: [emerg] ENGINE_by_id("gem") failed (SSL: error:25078067:DSO support routines:win32_load:could not load the shared library:filename(Z:\nginx\nginx\objs.msvc8\lib\openssl-1.1.1b\openssl\lib\engines-1_1\gem.dll) error:25070067:DSO support routines:DSO_load:could not load the shared library error:260B6084:engine routines:dynamic_load:dso not found error:2606A074:engine routines:ENGINE_by_id:no such engine:id=gem)

Using GeoIP2 (no replies)

Hi All,
I had GeoIP working on nginx 1.14.x. I upgraded to nginx 1.16.x and the whole thing broke so I decided to just upgrade to GeoIP2. I have the following below in nginx.conf which I saw on the nginx page.

load_module "/usr/local/libexec/nginx/ngx_http_geoip2_module.so";
load_module "/usr/local/libexec/nginx/ngx_http_headers_more_filter_module.so";


http {
geoip2 /usr/local/etc/nginx/GeoIP2/GeoIP2-Country.mmdb {
auto_reload 5m;
$geoip2_metadata_country_build metadata build_epoch;
$geoip2_data_country_code default=US source=$variable_with_ip country iso_code;
$geoip2_data_country_name country names en;
}

.. . .

I am realizing I don’t fully understand what all this does. The part source=$variable_with_ip country iso_code. I am trying to understand, what should go there.


Thanks for any help.


ssl_trusted_certificate doesn't accept @server_name variable (2 replies)

The following works as advertised in my vhost server block

ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/mydomain.com/chain.pem;

To better automate vhosts en masse I tried using the $server_name variable

server_name mydomain.com;

ssl_certificate /etc/letsencrypt/live/$server_name/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$server_name/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/$server_name/chain.pem;

Nginx failed but this works

server_name mydomain.com;

ssl_certificate /etc/letsencrypt/live/$server_name/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$server_name/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/mydomain.com/chain.pem;

If ssl_certificate and ssl_certificate accept the $server_name variable then how come ssl_trusted_certificate doesn't?

Here's the error on Ubuntu 18.04.2 running Nginx 1.17.0 source compiled with OpenSSL 1.1.1c

Jun 03 05:34:22 cloud systemd[1]: Starting The NGINX HTTP and reverse proxy server...
Jun 03 05:34:22 cloud nginx[12646]: nginx: [emerg] SSL_CTX_load_verify_locations("/etc/letsencrypt/live/$server_name/chain.pem") failed (SSL: error:02001002:system library:
Jun 03 05:34:22 cloud nginx[12646]: nginx: configuration file /etc/nginx/nginx.conf test failed
Jun 03 05:34:22 cloud systemd[1]: nginx.service: Control process exited, code=exited status=1
Jun 03 05:34:22 cloud systemd[1]: nginx.service: Failed with result 'exit-code'.
Jun 03 05:34:22 cloud systemd[1]: Failed to start The NGINX HTTP and reverse proxy server.

ssl_certificate and ssl_certificate_key parse the variable $server_name and the correct path to the domain's SSL certs are validated.

Seems odd to me. Thanks for any explanation
~Gary

Cannot strip QS in rewrite (1 reply)

Hi guys, i've always used ? to strip QS in rewrites but i cannot get past
this odd issue i'm having:

URL SOURCE:

> https://www.example.co.uk/ambassadors?test=1


REWRITE:

> rewrite (?i)^/ambassadors$
> https://www.example.com/uk-en/experience/ambassadors/? permanent;


OR EVEN:

> location ~* ^/ambassadors$ {
> rewrite (.*) https://www.example.com/uk-en/experience/ambassadors/?
> permanent;
> }


RESULT WITH REWRITE:

> [~]> curl -kIL https://www.example.co.uk/ambassadors?test=1
> HTTP/2 301
> date: Thu, 20 Jun 2019 14:44:21 GMT
> content-type: text/html
> location: https://www.example.com/uk-en/experience/ambassadors/?test=1
> x-who: SVAORMG2V01


RESULT WITHOUT REWRITE:

> [~]> curl -kIL https://www.example.co.uk/ambassadors?test=1
> HTTP/2 404
> date: Thu, 20 Jun 2019 14:55:45 GMT
> content-type: text/html


Am i missing something i cannot see?

Thanks for helping!


--
"Madness, like small fish, runs in hosts, in vast numbers of instances."

No one combs my hair as well as the wind.

Enable proxy_protocol on https (2 replies)

Hello,

I have nginx 1.14.2 on debian buster and need to enable proxy_protocol.
(https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/#listen)

When I enable it on http all is fine. When i try to enable it on https
no connection can be established. No syntax error and no log entry.

listen 80 proxy_protocol; <-- work

listen 443 proxy_protocol; <-- does not work

best regards