Channel: Nginx Forum - Nginx Mailing List - English

Re: IPv6 to IPv4 (no replies)

Hi Rhys,

hope you're doing well.

Yes, it's definitely possible. The following code snippet does the show:

server {
    listen [::]:80 default ipv6only=on;
    location / { proxy_pass http://127.0.0.1:8081; }
}

server {
    listen 127.0.0.1:8081;
    location / { return 200 "OK, 127.0.0.1:8081\n"; }
}


% curl 127.0.0.1:8081
OK, 127.0.0.1:8081
% curl -g -6 "http://[::1]/"
OK, 127.0.0.1:8081

On Wed, Dec 11, 2019 at 11:52:42AM -1000, Rhys Ferris wrote:
> Not sure if this is possible. I am trying to enable dual stack for my server, which also proxies several other internal services. Nginx is receiving requests on IPv6 fine, but some of my services are IPv4 only. Can Nginx receive the request on IPv6, retrieve the content from IPv4 internally, and then serve the content over IPv6?
>
> Thanks
>
> Rhys Ferris
> 808-257-2252
> 757-848-7278
> rhys.j.ferris@gmail.com
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

How to customise 404 page (no replies)

Hi,

how do I customise the 404 page? http://wotstory.com/doesnotexist I don't
want to advertise to the world what web server is running and what
operating system is running,

James
http://wotstory.com/

Does stream module have support to negotiate ALPN when terminating TLS? (no replies)

Is there support for forwarding to backends when clients are sending ALPN? I would like to use the stream module if possible. The following nginx config works successfully with a Go client but not with the Ruby client. This is similar to the problem with AWS ELB https://github.com/grpc/grpc/issues/18710


stream {
    upstream stream_backend_1 {
        server mygrpcservice:8080;
    }
    server {
        listen 443 ssl;
        proxy_pass stream_backend_1;
        ssl_certificate /etc/ssl/test_cert.pem;
        ssl_certificate_key /etc/ssl/test_key.pem;
        ssl_preread on;
    }
}

With preread on and nginx-debug I got the following in the logs and so the client is sending ALPN data
2019/12/15 03:21:12 [debug] 12#12: *1 ssl preread: ALPN protocols "grpc-exp"
2019/12/15 03:21:12 [debug] 12#12: *1 ssl preread: ALPN protocols "grpc-exp,h2"

but the Handshake fails in the grpc library because Server does not set the negotiated ALPN??
D1214 23:00:44.714269000 123145438679040 security_handshaker.cc:186] Security handshake failed: {"created":"@1576393244.714255000","description":"Cannot check peer: missing selected ALPN property.","file":"src/core/lib/security/security_connector/ssl_utils.cc","file_line":118}


Also fails with openssl

$ openssl s_client -connect test00.net:443 -alpn h2 | grep alpn
verify return:1
No ALPN negotiated

-s

flood detected with file uploads over http2 (1 reply)

We are having intermittent problems uploading files via nginx to a
flask backend over http2:

2019/12/16 16:07:08 [debug] 27658#27658: *1 event timer: 3, old: 1576512608187, new: 1576512608301
2019/12/16 16:07:08 [debug] 27658#27658: *1 http2 idle handler
2019/12/16 16:07:08 [info] 27658#27658: *1 http2 flood detected while processing HTTP/2 connection, client: x.x.x.x, server: 0.0.0.0:443
2019/12/16 16:07:08 [debug] 27658#27658: *1 http2 send GOAWAY frame, status:0
2019/12/16 16:07:08 [debug] 27658#27658: *1 posix_memalign: 0000563642B8EE20:512 @16
2019/12/16 16:07:08 [debug] 27658#27658: *1 http2 frame out: 0000563642B8EE40 sid:0 bl:0 len:8
2019/12/16 16:07:08 [debug] 27658#27658: *1 malloc: 0000563642D0A870:16384
2019/12/16 16:07:08 [debug] 27658#27658: *1 SSL buf copy: 17
2019/12/16 16:07:08 [debug] 27658#27658: *1 SSL to write: 17

Is there any way of getting information on what might be triggering this?

We've changed some defaults:

client_max_body_size 10m;
http2_body_preread_size 256k;
http2_recv_buffer_size 1m;
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;

Client is Chrome:

Version 78.0.3904.97 (Developer Build) built on Debian 10.1, running
on Debian 10.2 (64-bit)

openssl:

OpenSSL 1.1.0l 10 Sep 2019

nginx:

nginx version: nginx/1.10.3
built with OpenSSL 1.1.0k 28 May 2019 (running with OpenSSL 1.1.0l
10 Sep 2019)
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2
-fdebug-prefix-map=/build/nginx-DhOtPd/nginx-1.10.3=.
-fstack-protector-strong -Wformat -Werror=format-security -Wdate-time
-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now'
--prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf
--http-log-path=/var/log/nginx/access.log
--error-log-path=/var/log/nginx/error.log
--lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid
--modules-path=/usr/lib/nginx/modules
--http-client-body-temp-path=/var/lib/nginx/body
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi
--http-proxy-temp-path=/var/lib/nginx/proxy
--http-scgi-temp-path=/var/lib/nginx/scgi
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug
--with-pcre-jit --with-ipv6 --with-http_ssl_module
--with-http_stub_status_module --with-http_realip_module
--with-http_auth_request_module --with-http_v2_module
--with-http_dav_module --with-http_slice_module --with-threads
--with-http_addition_module --with-http_flv_module
--with-http_geoip_module=dynamic --with-http_gunzip_module
--with-http_gzip_static_module --with-http_image_filter_module=dynamic
--with-http_mp4_module --with-http_perl_module=dynamic
--with-http_random_index_module --with-http_secure_link_module
--with-http_sub_module --with-http_xslt_module=dynamic
--with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic
--with-stream_ssl_module
--add-dynamic-module=/build/nginx-DhOtPd/nginx-1.10.3/debian/modules/headers-more-nginx-module
--add-dynamic-module=/build/nginx-DhOtPd/nginx-1.10.3/debian/modules/nginx-auth-pam
--add-dynamic-module=/build/nginx-DhOtPd/nginx-1.10.3/debian/modules/nginx-cache-purge
--add-dynamic-module=/build/nginx-DhOtPd/nginx-1.10.3/debian/modules/nginx-dav-ext-module
--add-dynamic-module=/build/nginx-DhOtPd/nginx-1.10.3/debian/modules/nginx-development-kit
--add-dynamic-module=/build/nginx-DhOtPd/nginx-1.10.3/debian/modules/nginx-echo
--add-dynamic-module=/build/nginx-DhOtPd/nginx-1.10.3/debian/modules/ngx-fancyindex
--add-dynamic-module=/build/nginx-DhOtPd/nginx-1.10.3/debian/modules/nchan
--add-dynamic-module=/build/nginx-DhOtPd/nginx-1.10.3/debian/modules/nginx-lua
--add-dynamic-module=/build/nginx-DhOtPd/nginx-1.10.3/debian/modules/nginx-upload-progress
--add-dynamic-module=/build/nginx-DhOtPd/nginx-1.10.3/debian/modules/nginx-upstream-fair
--add-dynamic-module=/build/nginx-DhOtPd/nginx-1.10.3/debian/modules/ngx_http_substitutions_filter_module

--
Your hydrogen & fuel cell partner
Arcola Energy Ltd, 24 Ashwin Street,
London E8 3DL. www.arcolaenergy.com https://www.arcolaenergy.com/ / +44
20 7503 1386
Registered in England and Wales, Company Number 7257863, VAT
Number 110085273. Copyright 2019. Confidential and Proprietary. Not to be
disseminated or copied in full or in part.

Authorization identity for IMAP proxy (no replies)

Hi list,

IMAP servers (dovecot, cyrus...) rely on SASL authentication.

The SASL specs let the client request a different identity than the one
used for authentication.

RFC 3501 says : The authorization identity passed from the client to the
server during the authentication exchange is interpreted by the server as
the user name whose privileges the client is requesting.

Dovecot proxy and Cyrus frontends in murder architecture use this to
authenticate with an admin account and request a user identity. It's very
useful to authenticate via proxies without knowing the user's password.

Is there a way to let NGINX use different identification and authentication
ids to authenticate to the remote imap server ? I can't figure out what to
put in the AUTH-* headers to do that.

Regards,
Sam

proxy module handling early responses (no replies)

Hi,

When using nginx as a reverse proxy, in case of a large POST payload, what
does nginx do when upstream server sends response before nginx finishes
posting the full payload?

One use case is upstream enforces some payload limit and sends a HTTP/413
response when the payload read reaches certain limit. Will nginx catch this
error, stop sending further, and return the 413 to client?

I see a stackoverflow discussion
https://stackoverflow.com/questions/14250991/is-it-acceptable-for-a-server-to-send-a-http-response-before-the-entire-request
for a different use case, not sure how nginx behaves.

Regards,
Frank

nginx reverse proxy proxy_pass weirdness (1 reply)

I have an nginx reverse proxy to forward requests to various Apache websites behind it. This all seems to work fine unless I remove one of the proxy_pass configurations from nginx. Even though I remove it, nginx still forwards the requests back to Apache, to a seemingly random website this time.

I can't seem to get it to stop doing that. Any idea what's going on?

NGINX SMTP! (no replies)

Hi,

We want to achieve following with nginx smtp, please let me know if that's
possible and can you help me with that ?

1) Our software will connect to NGinx on port 25 and will authenticate with
the NGinx in the same manner as it would to SMTP Server.
3) NGinx should then authenticate against an internal UserID and Password
and not our Internal SMTP Server.
4) If authenticated it should either accept the email from the software, or
it should pass through the connection to the internal mail server with
authentication that is on our internal mail server so the emails will be
captured in the mailbox created for the software to allow for email
tracking.

===========================

I am more concerned about 3rd step, is there some authentication that i can
use to verify request within nginx before it can forward it to internal
mail server?

Thanks in advance.

Regards.

DNS Over HTTPS Module (no replies)

Hello all,

I don't know if this is the right place to post this, but I've written a simple DNS over HTTPS module that's been working for me so I thought I would post a link here in case anyone else was interested in that sort of thing.

https://github.com/themagister/Nginx-DOH-Module

Regards,
C. Taylor

Nginx SMTP relay access denied! (no replies)

Hi,

We've setup NGINX SMTP proxy in front of postfix. When i try to telnet to
nginx smtp on port 25 it shows the "relay access denied" message.:

https://pastebin.com/JF4TVqBw

Here is the config of nginx:

mail {
    server_name mail.domain.com;

    auth_http localhost:80/auth.php;
    proxy_pass_error_message on;
    server {
        listen 25;
        protocol smtp;
        timeout 300s;
        proxy on;
        xclient off;
        smtp_auth none plain;
        # auth_http_header HTTP_AUTH_USER Auth-User;
        # auth_http_header HTTP_AUTH_PASS Auth-Pass;
        smtp_capabilities "AUTH PLAIN";
    }
}

Following is the content of auth.php that we're using :

https://pastebin.com/q49EC67N

What we want is that, any user tries to connect to Nginx SMTP proxy to send
email should be authenticated to backend. Is that possible?

Wordpress not able to display theme properly - FastCGI sent in stderr: "Primary script unknown" (no replies)

I have installed Wordpress in a subdirectory - /var/www/html/stage

I am getting the following error in the error log. I think the filename being passed has the subdirectory name prepended, which should not happen.

-----

2019/12/20 15:34:00 [error] 22393#22393: *10 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 110.227.251.142, server: mywebsite.com, request: "GET /stage/%20https://mywebsite.com/stage/wp-content/uploads/2019/11/hp_slider_bg-1500x797.jpg HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.0-fpm.sock:", host: "fp-academy.in", referrer: "https://fp-academy.in/stage/"
2019/12/20 15:34:00 [debug] 22393#22393: *10 http fastcgi record byte: 01
2019/12/20 15:34:00 [debug] 22393#22393: *10 http fastcgi record byte: 06
2019/12/20 15:34:00 [debug] 22393#22393: *10 http fastcgi record byte: 00
2019/12/20 15:34:00 [debug] 22393#22393: *10 http fastcgi record byte: 01
2019/12/20 15:34:00 [debug] 22393#22393: *10 http fastcgi record byte: 00
2019/12/20 15:34:00 [debug] 22393#22393: *10 http fastcgi record byte: 51
2019/12/20 15:34:00 [debug] 22393#22393: *10 http fastcgi record byte: 07
2019/12/20 15:34:00 [debug] 22393#22393: *10 http fastcgi record byte: 00
2019/12/20 15:34:00 [debug] 22393#22393: *10 http fastcgi record length: 81
2019/12/20 15:34:00 [debug] 22393#22393: *10 http fastcgi parser: 0
2019/12/20 15:34:00 [debug] 22393#22393: *10 http fastcgi header: "Status: 404 Not Found"
2019/12/20 15:34:00 [debug] 22393#22393: *10 http fastcgi parser: 0
2019/12/20 15:34:00 [debug] 22393#22393: *10 http fastcgi header: "Content-type: text/html; charset=UTF-8"
2019/12/20 15:34:00 [debug] 22393#22393: *10 http fastcgi parser: 1
2019/12/20 15:34:00 [debug] 22393#22393: *10 http fastcgi header done
2019/12/20 15:34:00 [debug] 22393#22393: *10 HTTP/1.1 404 Not Found



---/etc/nginx/sites-enabled/default looks like this

server { # We're deliberately leaving this as-is to avoid conflict at the moment

    root /var/www/html;
    server_name mywebsite.com www.mywebsite.com;
    # rewrite ^/moodle/(.*\.php)(/)(.*)$ /moodle/$1?file=/$3 last;
    # rewrite ^(..php)(/)(.)$ $1?file=/$3 last;
    index index.php index.html index.htm login.php;
    # if you get errors enable the line below and find out errors in the log file.
    # error_log /var/log/nginx/error.log notice;

    location / {
        index index.php index.html index.htm login.php;
        try_files $uri /index.php?$args;
    }

    location ~ \.php$ {
        try_files $uri /index.php?$args;
        try_files $uri $script_name =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php7.0-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }

    location /fpelms {
        root /var/www/html;
        index index.php index.html index.htm login.php;
    }

    location /stage {
        root /var/www/html;
        index index.php;

        if (!-e $request_filename) {
            rewrite ^(.*)$ /stage/index.php?q=$1 last;
        }
    }

    location /doc/ {
        alias /usr/share/doc/;
        autoindex on;
        allow 127.0.0.1;
        deny all;
    }

    location ~/\.ht {
        deny all;
    }

    location /remotech.html {
        proxy_pass https://outsidedomain.com/;
    }

    location /static {
        proxy_pass https://outsidedomain.com/static/;
    }

    location /api/ {
        proxy_pass https://outsidedomain.com/api/;
    }

    location /firebase-messaging-sw.js{
        proxy_pass https://outsidedomain.com/firebase-messaging-sw.js;
    }

    location /manifest.json{
        proxy_pass https://outsidedomain.com/manifest.json;
    }

    location /plugins {
        proxy_pass https://outsidedomain.com/plugins/;
    }

    location /scripts {
        proxy_pass https://outsidedomain.com/scripts/;
    }

    location /styles {
        proxy_pass https://outsidedomain.com/styles/;
    }

    location /assets {
        proxy_pass https://outsidedomain.com/assets/;
    }

    location /fonts {
        proxy_pass https://outsidedomain.com/fonts/;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mywebsite.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mywebsite.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = www.mywebsite.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = mywebsite.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name mywebsite.com www.mywebsite.com;
    return 404; # managed by Certbot

}

----------

Nginx 1.17.6 ignores kill -HUP (2 replies)

I have an installation of nginx in a FreeBSD PPC64 server (running
11.3 RELEASE) which seems to ignore kill -HUP: it doesn't reload
configuration and doesn't log the fact that kill has reached it, even
if I set the debug level in error_log to "debug".

nginx -V says:

nginx version: nginx/1.17.6
built by gcc 9.2.0 (FreeBSD Ports Collection)
built with OpenSSL 1.0.2t 10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/usr/local --conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--http-log-path=/var/log/nginx/access.log
--pid-path=/var/run/nginx_pool/nginx.pid --user=httpd --group=nagcmd
--with-cc=/usr/local/bin/gcc9 --with-cpp=/usr/local/bin/cpp9
--with-cpu-opt=ppc64 --with-http_dav_module --with-http_ssl_module
--with-http_realip_module --with-http_addition_module --with-http_xslt_module
--with-http_image_filter_module --with-http_geoip_module --with-http_sub_module
--with-http_flv_module --with-http_mp4_module --with-http_gunzip_module
--with-http_gzip_static_module --with-http_auth_request_module
--with-http_random_index_module --with-http_secure_link_module
--with-http_degradation_module --with-http_stub_status_module
--with-http_perl_module --with-http_v2_module --with-google_perftools_module
--with-mail --with-mail_ssl_module

Have I missed something?
where should I look to see what happens?

Thanks in advance,

Luciano.
--
/"\ /Via A. Salaino, 7 - 20144 Milano (Italy)
\ / ASCII RIBBON CAMPAIGN / PHONE : +39 2 485781 FAX: +39 2 48578250
X AGAINST HTML MAIL / E-MAIL: posthamster@sublink.sublink.ORG
/ \ AND POSTINGS / WWW: http://www.lesassaie.IT/

Multiple server_name directives in same server block? (no replies)

Hello,

is it possible to have multiple server_name directives in the same server block?

I.e. is the following possible?

server {
    listen 1.2.3.4:443 ssl;
    server_name *.site1.org *.site2.org;
    server_name ~^app1.*\.site3\.org$;
    ….

Or do I need to create a second server block?

Thanks…

Roger


Re: Wordpress not able to display theme properly - FastCGI sent in stderr: "Primary script unknown" (2 replies)

On Fri, Dec 20, 2019 at 06:32:58AM -0500, vikask wrote:

Hi there,

> I am getting the following error in the error log. I think the filename
> being passed has the subdirectory name prepended, which should not happen.

The http request that is logged looks strange to me. Is the "referrer"
value reliable? If so, check the html returned there to see what the
"img src" looks like there.

> client: 110.227.251.142, server: mywebsite.com, request: "GET
> /stage/%20https://mywebsite.com/stage/wp-content/uploads/2019/11/hp_slider_bg-1500x797.jpg
> HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.0-fpm.sock:", host:
> "fp-academy.in", referrer: "https://fp-academy.in/stage/"

(This does not address any of the nginx config; but it's simplest to
fix one thing at a time. Maybe there is only one thing that needs fixing!)

Cheers,

f
--
Francis Daly francis@daoine.org

Nginx converts 409 from upstream to 502 (no replies)

Hi,

Our request flow looks like this:

client --> nginx --> haproxy --> tomcat

Put requests with large bodies are used to upload files. Sometimes due to some application logic, tomcat may reject an upload early and return 409, tomcat does not drain the input stream, we do not want to read the input stream and rather reject early.

When tomcat rejects a PUT request early with 409, tomcat access logs show 409. The haproxy fronting tomcats also log a 409 in access logs, but nginx logs a 502 and sends a 502 to the clients. It looks like nginx does not like that request is rejected and a 409 is sent without reading the full request by the upstream.

What can we do to make sure client receives the correct response code i.e. 409

Thanks
Sachin

auth_http - Password always different (1 reply)

Hello,

I'm trying to use "auth_http" to handle the authentication for SMTP.
The auth script itself is a PHP script. At the beginning of the script I'm doing the following (just for testing!!! The passwords will not be logged later):

if( !isset($_SERVER["HTTP_AUTH_USER"]) || !isset($_SERVER["HTTP_AUTH_PASS"]) )
{
    // User or Password are NOT set.
    fail("Invalid user or password");
}

$username = $_SERVER["HTTP_AUTH_USER"];
$userpass = $_SERVER["HTTP_AUTH_PASS"];
$protocol = $_SERVER["HTTP_AUTH_PROTOCOL"];

$fd=fopen('php_mail.log', 'a');
fputs($fd, "User: [".$username."] Protocol: [".$protocol."] Pass: [".$userpass."]\n");
fclose($fd);


However, the passwords I see in the log are different all the time for the same user.
Often they consist of 32 hexadecimal digits (but never the same combination) or sometimes they are simply the username with brackets around.

For my understanding the received password should be the same all the time, because otherwise I cannot check the user credentials.

Is there a problem with my understanding or do I miss something?

Thanks,

Thomas
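
Added example, not part of the original post or of nginx: a Python sketch of an auth_http check that branches on the Auth-Method request header, on the assumption (the post does not state the method) that the changing 32-hex-digit values are CRAM-MD5 responses, which nginx forwards in Auth-Pass together with the per-connection challenge in Auth-Salt. The user store, backend address and sample salts are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import unquote

# Constructed credential store; a real backend would query its own user database.
USERS = {"thomas": "correct horse battery"}

# Hypothetical backend that nginx should connect to after a successful check.
BACKEND = {"Auth-Server": "127.0.0.1", "Auth-Port": "2525"}


def client_cram_md5_response(password, challenge):
    """Digest a mail client sends for CRAM-MD5 (RFC 2195): HMAC-MD5 over the
    server challenge, keyed with the password, as 32 lowercase hex digits."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


def check_auth(headers):
    """Take the auth_http request headers, return the response headers."""
    method = headers.get("Auth-Method", "")
    # nginx percent-encodes special characters in Auth-User / Auth-Pass.
    user = unquote(headers.get("Auth-User", ""))
    sent = headers.get("Auth-Pass", "")
    password = USERS.get(user)

    if password is None:
        ok = False
    elif method == "plain":
        # PLAIN / LOGIN: Auth-Pass carries the password itself.
        ok = hmac.compare_digest(unquote(sent).encode(), password.encode())
    elif method == "cram-md5":
        # CRAM-MD5: Auth-Pass is a digest over Auth-Salt, so it changes on
        # every connection and must be recomputed, not compared to the password.
        salt = headers.get("Auth-Salt", "")
        expected = client_cram_md5_response(password, salt)
        ok = bool(salt) and hmac.compare_digest(sent.lower().encode(),
                                                expected.encode())
    else:
        # Methods this sketch does not implement are rejected.
        ok = False

    if ok:
        return {"Auth-Status": "OK", **BACKEND}
    return {"Auth-Status": "Invalid login or password", "Auth-Wait": "3"}


if __name__ == "__main__":
    # Two constructed connections by the same user: different salts,
    # therefore different Auth-Pass values, both valid.
    for salt in ("<1111.1576800000@mail.example.com>",
                 "<2222.1576800060@mail.example.com>"):
        digest = client_cram_md5_response(USERS["thomas"], salt)
        request = {"Auth-Method": "cram-md5", "Auth-User": "thomas",
                   "Auth-Pass": digest, "Auth-Salt": salt,
                   "Auth-Protocol": "smtp"}
        print(digest, check_auth(request)["Auth-Status"])
```

Verifying CRAM-MD5 this way requires the backend to have the password in a form it can key the HMAC with; restricting smtp_auth to plain or login over TLS avoids that requirement.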

NGINX is shutting down immediately in windows (no replies)

Hi Team,

When I am running NGINX on Windows directly (not from service), the process is shutting down immediately. The log says "[alert] 82540#89652: the event "ngx_master_82540" was not signaled for 5s".

When we run with master_process off; NGINX is running properly but the problem is making master_process off; is not preferable as per documentation and one more problem is configuration cannot be reloaded.

Can you please suggest me the way to proceed further as I am stuck and not able to use NGINX in windows at all.

Thanks In Advance

nginx-1.17.7 (no replies)

Changes with nginx 1.17.7 24 Dec 2019

*) Bugfix: a segmentation fault might occur on start or during
reconfiguration if the "rewrite" directive with an empty replacement
string was used in the configuration.

*) Bugfix: a segmentation fault might occur in a worker process if the
"break" directive was used with the "alias" directive or with the
"proxy_pass" directive with a URI.

*) Bugfix: the "Location" response header line might contain garbage if
the request URI was rewritten to the one containing a null character.

*) Bugfix: requests with bodies were handled incorrectly when returning
redirections with the "error_page" directive; the bug had appeared in
0.7.12.

*) Bugfix: socket leak when using HTTP/2.

*) Bugfix: a timeout might occur while handling pipelined requests in an
SSL connection; the bug had appeared in 1.17.5.

*) Bugfix: in the ngx_http_dav_module.


--
Maxim Dounin
http://nginx.org/

301/302 XSS vulnerability (no replies)

Hello,

We detected an XSS vulnerability when we use 301 or 302 redirections.

How to reproduce?

curl -I -k "http://example.com/test'""'>><svg/onload=alert\`ayman\`>" > ayman.html

open ayman.html and you will get the popup!

I tried the below redirections and it's valid on all cases:

- return 301 https://www.exampl.com$request_uri;

- rewrite ^/(.*) https://www.example.com/$1 permanent;

Nginx version: 1.14.2

Is there a fix/workaround for this?

Thanks

Unit 1.14.0 release (no replies)

Hi,

I'm glad to announce a new release of NGINX Unit.

Besides improving the request routing abilities, this release simplifies
operations concerning the Go module. Now it can also be installed with
the "go get" command:

go get unit.nginx.org/go

Mind, however, that it requires the "unit-dev" package.

Great effort went into improving the efficiency and avoiding memory bloat in
cases where an application generates gigabytes of response body. Now Unit can
deal with that without much hassle. We will continue improving the performance
and increasing efficiency, as this is one of our primary priorities.


Changes with Unit 1.14.0 26 Dec 2019

*) Change: the Go package import name changed to "unit.nginx.org/go".

*) Change: Go package now links to libunit instead of including library
sources.

*) Feature: ability to change user and group for isolated applications
when Unit daemon runs as an unprivileged user.

*) Feature: request routing by source and destination addresses and
ports.

*) Bugfix: memory bloat on large responses.


We also updated our Docker images and switched them from Debian 9 to 10
as the base, so the language module versions have been updated respectively.

- https://unit.nginx.org/installation/#docker-images

Python 3.6 module packages were added to CentOS and RHEL 7 repositories,
and Python 3.7 package was added to Amazon Linux 2 LTS. Please note that
the name of Python 2.7 package in these repositories was changed from
"unit-python" to "unit-python27".

The Go package now has the same name "unit-go" across all our repositories
and depends on "unit-dev".

This is the last release of 2019, so I'll use this opportunity to wish
a Happy New Year to our strong community. Thank you for your requests,
bug reports, ideas, and suggestions. Everything that we do, we primarily
do for you, our users.

This year, we made 8 releases, with 427 commits to the repository, where 65242
lines were added and 8219 removed. The biggest features of the year are:

- Support for Java Servlet Containers, which means that now Unit supports
7 languages

- Advanced internal request routing that allows to filter requests by various
parameters, including: URI, header fields, arguments, cookies, addresses,
and ports

- Built-in WebSocket server offloading for Node.js and Java

- Isolation of application processes

- Serving of static files

- Reverse proxying

These features establish a firm basis for further development of Unit as a
general-purpose web server that is able to perform absolutely any task related
to handling and processing web protocols in the most efficient way. This is
our ultimate goal, and we are eager to achieve it over the coming years.

I'd like to thank everyone who worked hard with me on Unit through the year:

- Andrei Belov - system engineer, who maintained repositories and prepared
packages

- Andrei Zeliankou - QA engineer, who wrote functional tests and ran fuzzing

- Artem Konev - technical writer, who wrote documentation and blog posts,
improved the website, and sometimes helped us to arrange
words in sentences the right way

- Axel Duch - junior developer, who improved request routing

- Igor Sysoev - senior developer and architect, who worked on request routing,
proxying, and many internal aspects

- Konstantin Pavlov - system engineer, who prepared Docker images and packages

- Maxim Romanov - senior developer, who worked on Java, WebSockets,
and internal IPC

- Tiago Natel de Moura - senior developer, who worked on isolation features

Thank you guys, I'm happy to work with you.

wbr, Valentin V. Bartenev
