Keepalive not working with upstream tcp server (2 replies)

April 2, 2014, 9:46 am

≫ Next: What is better location regex or map regex? (1 reply)

≪ Previous: Transfering url arguments to different location (4 replies)

I am trying to use nginx to proxy my requests to a custom tcp backend server that I have. I am following the same model as the default memcached module with in the nginx code base (1.5.10) , the relevant config file attached. Tried with most of the keepalive options but I still see new connections getting created to upstream server. (rather I do see the connection getting closed by nginx in strace)

Do I need to specifically compile nginx with http upstream keepalive module, thought it was default enabled but the code doesn't seem to go through it looking in gdb. Is there any other specific module or setting I need to use for the upstream tcp persistent connection usecase.

Thanks in advance,
Jayadev

--- nginx.conf------

http {
    default_type application/octet-stream;
    keepalive_timeout 100;
    proxy_http_version 1.1;

    upstream my_backend {
            server 127.0.0.1:1111;
            keepalive 100;
    }

    server {
         listen       4080;
         keepalive_timeout 100;
         keepalive_requests 100000;
         proxy_http_version 1.1;
         proxy_set_header Connection keepalive;

         location / {
                 root   html;
                 index index.html index.htm;
                 my_pass my_backend;
         }
    }_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

↧

What is better location regex or map regex? (1 reply)

April 2, 2014, 6:24 am

≫ Next: nginx upload module compile the problem. (1 reply)

≪ Previous: Keepalive not working with upstream tcp server (2 replies)

Hi.

I try to transform the pligg htaccess rules to nginx.

https://github.com/Pligg/pligg-cms/blob/master/htaccess.default

There is one from 2010

http://www.edwardawebb.com/web-development/running-pligg-nginx-rewrite-rules

this transformation have some optimization potential, imho ;-).

I would use

location / {
rewrite $uri $dest last;
try_files $uri /index.php;
}

instead of

if (!-e $request_filename){
.....
}

and

map $uri $dest {
'~^/advanced-search/?$' '/advancedsearch.php';
'~^/profile/?' '/profile.php';
....
'~^/([^/]+)/?$' '/index.php?category=$1';
'~^/([^/]+)/page/([^/]+)/?$' '/index.php?category=$1&page=$2';
}

or

location ~ ^/advanced-search/?$ {
rewrite ^/advanced-search/?$ /advancedsearch.php last;
}

location ~ ^/profile/? {
rewrite ^/profile/? /profile.php last;
}
....

What is your suggestion for the fastest and smallest solution.

thanks aleks

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

↧

nginx upload module compile the problem. (1 reply)

April 2, 2014, 4:26 am

≫ Next: problem with echo_before when proxying a server which sends gzipped content (1 reply)

≪ Previous: What is better location regex or map regex? (1 reply)

hi friends,

nginx version 1.4.7
upload module version 2.0.12

--
Sincerely,
Batuhan Göksu
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

↧

problem with echo_before when proxying a server which sends gzipped content (1 reply)

April 2, 2014, 6:48 am

≫ Next: how to use keepalive with Nginx revers proxy? (1 reply)

≪ Previous: nginx upload module compile the problem. (1 reply)

Hi everyone,
currently I'm, trying to configure NGINX as a proxy for JSON from the iTunes API.
It's for a small game, iTunes is slow sometimes and the data for the game is mostly the same for a good length of time, anyway.
The JSON from iTunes is to be padded with the original requests callback parameters. For this there are many good posts out on the net, but I can't seem to get the basic echo_* to work.

I boiled my configuration of nginx down to the point where I just use echo_before or echo_after and proxy_pass.

If I append something with echo_after it works fine in browsers and in jQuery.
If I prepend anything with echo_before the answer can't be read by browsers, "curl --compressed" throws "curl: (23) Error while processing content unencoding: invalid block type".

If I configure Firefox with "about:config" to "network.http.accept-encoding:true" it fixes fixes display in Firefox.

When I look in the network tab of chrome console I see that requesting ".../echo-after/" closes the request after 2Xms.
Requesting ".../echo-before" also gets 200 ok but never arrives fully, is shown as "pending" indefinitely.

My best bet is, that it has something to do with gzip-compressed answer from iTunes but I can't find any solution or even hint for my level of understanding of the inner workings of nginx.

One more info: I tried many different combinations of "gzip on|off" and other directives, basically I indiscriminately tried everything I found mentioned somewhere. But, nothing changed the behavior much as far as I could see, so I stripped it out of the configuration again for readability.

<nginx configuration for testing>
# Proxy iTunes for bug hunting
# test by accessing http://json.musiguess.com/itunes/[raw|echo-after|echo-before]/

location /itunes/raw/ {
# suppress proxying for testing completely
proxy_cache off;
# getting a json containing N current top albums from itunes
proxy_pass http://itunes.apple.com/de/rss/topalbums/limit=2/explicit=true/json;
}
location /itunes/echo-after/ {
proxy_cache off;
proxy_pass http://itunes.apple.com/de/rss/topalbums/limit=2/explicit=true/json;
# echo something after body
echo_after_body ");";
}
location /itunes/echo-before/ {
proxy_cache off;
# echo something before body
echo_before_body -n "abc(";
proxy_pass http://itunes.apple.com/de/rss/topalbums/limit=2/explicit=true/json;
}
location /itunes/echo-beforeNafter/ {
proxy_cache off;
echo_before_body -n "abc(";
proxy_pass http://itunes.apple.com/de/rss/topalbums/limit=2/explicit=true/json;
echo_after_body ");";
}
</nginx configuration for testing>

You are very welcome to access http://json.musiguess.com/itunes/... if it may help you assess my problem.

<info about my installation>
~# nginx -V
nginx version: nginx/1.5.10
built by gcc 4.7.2 (Debian 4.7.2-5)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --add-module=/var/cache/nginx/nginx-1.5.10/src/echo --with-mail --with-mail_ssl_module --with-file-aio --w
ith-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security' --with-ld-opt=-Wl,-z,relro --with-ipv6

Echo v0.51
</info about my installation>

Any help is greatly appreciated!
Cheers /Carsten

---
Carsten Germer
Creative Director
intolabs GmbH
http://www.intolabs.net/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

↧

how to use keepalive with Nginx revers proxy? (1 reply)

April 2, 2014, 7:02 am

≫ Next: More Descriptive 502 Errors (no replies)

≪ Previous: problem with echo_before when proxying a server which sends gzipped content (1 reply)

Hi,

Can some one provide me an example to set keep alive connection between
Nginx(reverse proxy) and backend server?

I can not use upstream module as my backend IP is dynamic based on
variable. So I can not use keepalive directive of upstream.

I have used below directive in location block.
proxy_pass http://$IP ;

Thanks,
Makaikol
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

↧

More Descriptive 502 Errors (no replies)

April 2, 2014, 12:44 pm

≫ Next: multiple CAs in ssl_client_certificate does not work for me (no replies)

≪ Previous: how to use keepalive with Nginx revers proxy? (1 reply)

Every so often I see a handful of errors in my error log, such as:

connect() failed (113: No route to host)
upstream timed out (110: Connection timed out)
upstream sent too big header while reading response header from upstream

etc.

in each case, when I log the $status variable in nginx, each just shows as a 502 error. Is there any way to retrieve what the actual error is (via variable?) without having to check the error log or is that the only source for this information?

Thanks!

↧

multiple CAs in ssl_client_certificate does not work for me (no replies)

April 3, 2014, 4:10 am

≫ Next: PCRE named captures sill counted in numerical variables list (2 replies)

≪ Previous: More Descriptive 502 Errors (no replies)

Hello,

I've seen from the doc and from this post (http://forum.nginx.org/read.php?2,229129,229132#msg-229132) that it is possible to specify multiple CAs in ssl_client_certificate directive.

I have nginx version 1.1.19.

here is my config:

server {
listen 443;
server_name mydomain.com;

root /usr/share/nginx/www;
ssl on;
ssl_certificate /etc/ssl/selfsigned/myssl.crt;
ssl_certificate_key /etc/ssl/selfsigned/myssl.key;

ssl_client_certificate /etc/ssl/ca.pem;
ssl_verify_depth 3;

ssl_verify_client on;

ssl_ciphers ALL:!ADH:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;

error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/www;
}

}

The ca.pem file contains 2 certificates:
# cat ca.pem
-----BEGIN CERTIFICATE-----
<content of 1st certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<content of 2nd certificate>
-----END CERTIFICATE-----
#

As far as I can see, the first certificate is checked, but apparently the 2nd isn't.

Any idea how I can troubleshoot that ?

Thanks,
bruno

↧

PCRE named captures sill counted in numerical variables list (2 replies)

April 3, 2014, 6:44 am

≫ Next: SSL renegotiation probelm using nginx as reverse proxy to apache (2 replies)

≪ Previous: multiple CAs in ssl_client_certificate does not work for me (no replies)

I tried to configure the following location with something like:

location ~*
"^/([[:alpha:]]{1,8}(?<subtag>-[[:alpha:]]{1,8})?)(/.*[^/])?/?$" {
try_files $uri $uri/ $2/?lang=$1&$args;
}

However, the $2 variable does not catch the last part of the URI as
expected (either it catches the named capture or nothing at all, that I do
not know nor care).

Using $3 instead of $2 does the job.

I thought that using named captures allowed for those capture not to be
counted in numerical variable
.

Am I wrong expecting that?
---
*B. R.*
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

↧

SSL renegotiation probelm using nginx as reverse proxy to apache (2 replies)

April 4, 2014, 2:02 pm

≫ Next: testssl.sh - script to test your ssl-setup from cli (2 replies)

≪ Previous: PCRE named captures sill counted in numerical variables list (2 replies)

My goal is end-to-end encryption of multiple domains using nginx as a reverse proxy to load balance to multiple backends. Both nginx and apache use the same wildcard cert, eg *.domain.com.

The first request to https://abc.domain.com/ works as expected, but a call to https://xyz.domain.com produces the following debug output in the apache logs:

[Thu Apr 03 17:17:07 2014] [info] Initial (No.1) HTTPS request received for child 0 (server xyz.domain.com:443)
[Thu Apr 03 17:17:07 2014] [debug] ssl_engine_kernel.c(423): [client 10.0.0.115] Reconfigured cipher suite will force renegotiation
[Thu Apr 03 17:17:07 2014] [info] [client 10.0.0.115] Requesting connection re-negotiation
[Thu Apr 03 17:17:07 2014] [debug] ssl_engine_kernel.c(766): [client 10.0.0.115] Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
[Thu Apr 03 17:17:07 2014] [info] [client 10.0.0.115] Awaiting re-negotiation handshake
[Thu Apr 03 17:18:07 2014] [error] [client 10.0.0.115] Re-negotiation handshake failed: Not accepted by client!?

with the following in the nginx log:

2014/04/03 17:18:07 [error] 29052#0: *355 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 10.0.0.171, server: xyz.domain.com, request: "GET /index.php HTTP/1.1", upstream: "https://10.0.15.101:443/index.php", host: "xyz.domain.com"
2014/04/03 17:18:07 [info] 29052#0: *355 client 10.0.0.171 closed keepalive connection

My nginx config looks like this:

http {

# Header settings - Keep as much original as possible
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-HTTPS on;

upstream svhostcluster {
server web1.domain.com:443 max_fails=5 fail_timeout=10s;
server web2.domain.com:443 max_fails=5 fail_timeout=10s;
least_conn;
}
include /etc/nginx/conf.d/*.conf;
}

and /etc/nginx/conf.d/servers.conf

ssl_certificate_key /etc/pki/tls/private/wildcard.priv.domain.pem;

ssl_session_timeout 5m;

ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM;
ssl_prefer_server_ciphers on;

server {
listen *:443;
server_name abc.domain.com;
access_log /var/log/nginx/abc.domain.access.log;
access_log /var/log/nginx/abc.domain.upstream.access.log upstreamlog;
error_log /var/log/nginx/sabc.domain.errors.log debug;

ssl on;

location / {
proxy_pass https://svhostcluster;
}
}

server {
listen *:443;
server_name xyz.domain.com;
access_log /var/log/nginx/xyz.domain.access.log;
access_log /var/log/nginx/xyz.domain.access.log upstreamlog;
error_log /var/log/nginx/xyz.domain.errors.log debug;

ssl on;

location / {
proxy_pass https://svhostcluster;
}
}

on the apache side, here is the ssl.conf

LoadModule ssl_module modules/mod_ssl.so
Listen *:443
NameVirtualHost *:443

SSLStrictSNIVHostCheck off

<VirtualHost *:443>
ServerName abc.domain.com
DocumentRoot "/var/www/abc/html"

LogLevel debug
ErrorLog logs/abc_ssl_error_log
CustomLog logs/abc_ssl_access_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

SSLEngine on
SSLProtocol all -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
SSLCertificateFile /etc/pki/tls/certs/star_domain_com.crt
SSLCertificateKeyFile /etc/pki/tls/private/wildcard.priv.domain.pem
SSLCertificateChainFile /etc/pki/tls/certs/star_domain_com.crt
SSLCACertificateFile /etc/pki/tls/certs/DigiCertCA.crt

<Directory "/var/www/abc/html">
Options FollowSymLinks
AllowOverride All
RewriteEngine On
Order allow,deny
Allow from all
</Directory>
</VirtualHost>

<VirtualHost *:443>
ServerName xyz.domain.com
DocumentRoot "/var/www/xyz/html"

LogLevel debug
ErrorLog logs/xyz_ssl_error_log
CustomLog logs/xyz_ssl_access_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

SSLEngine on
SSLProtocol all -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
SSLCertificateFile /etc/pki/tls/certs/star_domain_com.crt
SSLCertificateKeyFile /etc/pki/tls/private/wildcard.priv.domain.pem
SSLCertificateChainFile /etc/pki/tls/certs/star_domain_com.crt
SSLCACertificateFile /etc/pki/tls/certs/DigiCertCA.crt

<Directory "/var/www/xyz/html">
Options FollowSymLinks
AllowOverride All
RewriteEngine On
Order allow,deny
Allow from all
</Directory>
</VirtualHost>

I'm not sure I understand why apache wants to renegotiate with nginx, nor why nginx doesn't seem to want to do it (despite apache thinking it can.) Can anyone help?

↧

testssl.sh - script to test your ssl-setup from cli (2 replies)

April 4, 2014, 8:28 am

≫ Next: NginX on Ubuntu 12.04 (2 replies)

≪ Previous: SSL renegotiation probelm using nginx as reverse proxy to apache (2 replies)

web: https://testssl.sh/
repo: https://bitbucket.org/nginx-goodies/testssl.sh

testssl.sh is a free Unix command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptographic flaws.

It's designed to provide clear output for a "is this good or bad" decision.

It is working on every Linux distribution which has OpenSSL installed. As for security reasons some distributors outphase the buggy stuff – and this is exactly you want to check for – it's recommended to compile OpenSSL by yourself or check out the OpenSSL binaries below (Linux). You will get a warning though if your OpenSSL client cannot perform a specific check, see below.

testssl.sh is portable, it is supposed to work on any other Unix system (preferably with GNU tools) and on cygwin, supposed it can find the OpenSSL binary.

disclaimer: i'm not the cretator of that script; i'm just maintaing the repo. owner & contact might be found on the webpage https://testssl.sh/

regards,

mex

↧

NginX on Ubuntu 12.04 (2 replies)

April 4, 2014, 1:36 pm

≫ Next: Windows | Nginx Mapped Hard Drive | Network Sharing (15 replies)

≪ Previous: testssl.sh - script to test your ssl-setup from cli (2 replies)

I am attempting to install NginX on Ubuntu 12.04 using instructions found
from the following link:

http://wiki.nginx.org/Install

but I am getting various error messages.

Does anyone have updated instructions for 12.04?

Thanks.
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

↧

Windows | Nginx Mapped Hard Drive | Network Sharing (15 replies)

April 4, 2014, 4:28 pm

≫ Next: Web GUI (1 reply)

≪ Previous: NginX on Ubuntu 12.04 (2 replies)

http://stackoverflow.com/questions/22870814/nginx-mapped-hard-drive-network-sharing

So i tried sharing my hard drives on windows and serving the content on them from nginx but nginx returns a 404 not found error every time. _______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

↧

Web GUI (1 reply)

April 4, 2014, 4:16 pm

≫ Next: How to limit POST request per ip ? (1 reply)

≪ Previous: Windows | Nginx Mapped Hard Drive | Network Sharing (15 replies)

I just got NginX installed on Ubuntu and was wondering if there is a Web
GUI built-in that can be called from the local IP address with some port
number?

Thanks again for your help.
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

↧

How to limit POST request per ip ? (1 reply)

April 5, 2014, 3:10 pm

≫ Next: [ANN] Windows nginx 1.5.13.1 Snowman (no replies)

≪ Previous: Web GUI (1 reply)

How to limit POST request per ip ?

Need some of:

limit_except POST {
limit_req zone=postlimit burst=10 nodelay;
}

↧

[ANN] Windows nginx 1.5.13.1 Snowman (no replies)

April 5, 2014, 12:24 pm

≫ Next: Do I need nginx in the web application host? (no replies)

≪ Previous: How to limit POST request per ip ? (1 reply)

0:18 5-4-2014 nginx 1.5.13.1 Snowman

.-= This Is Snowman =-.
Here's a little snowman fast and fat, here's it's power as fast as a cat
When you run Windows you can hear it shout, take me in try me out!
The nginx Snowman release is here!

Based on nginx 1.5.13 (3-4-2014) with;
+ A fix for ssl_session_cache via trac ticket #528, thanks to Maxim!
+ Stability fixes, more performance tuning
+ multiple workers now use an api (efficiency and control)
+ Streaming with nginx-rtmp-module, v1.1.4 (upgraded 3-4-2014)
+ Naxsi WAF v0.53-1 (upgraded 3-4-2014, conf\naxsi_core.rules id 15+16)
+ LuaJIT-2.0.3 (upgraded 31-3-2014) Tnx to Mike Pall for his hard work!
+ lua51.dll (upgraded 31-3-2014) DO NOT FORGET TO REPLACE THIS FILE !
+ lua-nginx-module v0.9.7 (upgraded 3-4-2014)
+ FAQ included in archive
+ Source changes back ported
+ Source changes add-on's back ported
+ Changes for nginx_basic: Source changes back ported
* Additional specifications are like 20:29 18-3-2014 nginx 1.5.12.2 Cheshire

Builds can be found here:
http://nginx-win.ecsds.eu/

↧

Do I need nginx in the web application host? (no replies)

April 6, 2014, 2:53 pm

≫ Next: Nodejs websocket 502 bad gateway (1 reply)

≪ Previous: [ANN] Windows nginx 1.5.13.1 Snowman (no replies)

If I have a host witn nginx (load balancing and SSL termination), do i need nginx inside the host of each of my webapps? (Assuming I will use cdn for static assets).

Thanks!

↧

Nodejs websocket 502 bad gateway (1 reply)

April 7, 2014, 4:54 am

≫ Next: Strange nginx issue (4 replies)

≪ Previous: Do I need nginx in the web application host? (no replies)

I'm trying to make work nginx 1.4.7 with nodejs websockets
but I'm getting 502 bad gateway

NGINX Error:
[error] 2394#0: *1 upstream prematurely closed connection while reading response header from upstream, client: 127.0.0.1, server: xxx.cz, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8090/", host: "xxx.cz"

my conf:
upstream xxx {
server 127.0.0.1:8090;
}

# the nginx server instance
server {
listen 8085;
server_name xxx.cz xxx;
ssl on;
#ssl_certificate /etc/ssl/xxx/xxx.cz.pem;
ssl_certificate /etc/ssl/xxx/xxx.cz.crt;
ssl_certificate_key /etc/ssl/xxx/xxx.cz.key;

access_log /var/log/nginx/xxx.log;

# pass the request two the node.js server with the correct headers and much more can be added, see nginx config options
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;

#WEBSOCKET
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";

proxy_pass http://xxx;
proxy_redirect off;
}
}

THIS IS CURL cmd what I'm using
If I use curl directly without nginx it's working fine.
curl -i -N -vv -H "Connection: Upgrade" -H "Upgrade: websocket" -H "Host: xxx.cz" -H "Origin: https://xxx.cz" -k https://127.0.0.1:8085

RESULT:
* About to connect() to 127.0.0.1 port 8085 (#0)
* Trying 127.0.0.1... connected
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-SHA
* Server certificate:
* subject: serialNumber=aCFUcgALEf6y9h5BHsbSHjMYomt-k6ZQ; OU=GT30082937; OU=See www.rapidssl.com/resources/cps (c)13; OU=Domain Control Validated - RapidSSL(R); CN=xxx.cz
* start date: 2013-09-30 06:29:47 GMT
* expire date: 2014-10-03 05:32:07 GMT
* issuer: C=US; O=GeoTrust, Inc.; CN=RapidSSL CA
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET / HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Accept: */*
> Connection: Upgrade
> Upgrade: websocket
> Host: xxx.cz
> Origin: https://xxx.cz
>
< HTTP/1.1 502 Bad Gateway
HTTP/1.1 502 Bad Gateway
< Server: nginx/1.4.7
Server: nginx/1.4.7
< Date: Mon, 07 Apr 2014 11:19:01 GMT
Date: Mon, 07 Apr 2014 11:19:01 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 172
Content-Length: 172
< Connection: keep-alive
Connection: keep-alive

<
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.4.7</center>
</body>
</html>
* Connection #0 to host 127.0.0.1 left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

↧

Strange nginx issue (4 replies)

April 7, 2014, 11:34 am

≫ Next: Adding custom protocol data while creating new keepalive connections (no replies)

≪ Previous: Nodejs websocket 502 bad gateway (1 reply)

We are facing a strange issue on our servers. We have servers with 1GB RAM
and some drupal sites are running on it.

Generally all sites are loading fine but sometimes we are unable to access
any sites. After waiting for 10mts we are getting a 502 gateway timeout
error. In middle when we restart either nginx or php5-fpm it will load.

Our configurations are as follows:

/etc/nginx/nginx.conf:

user www-data;

worker_processes 1;

pid /run/nginx.pid;

worker_rlimit_nofile 400000;

events {

worker_connections 10000;

multi_accept on;

use epoll;

}

http {

access_log off;

sendfile on;

tcp_nopush on;

tcp_nodelay on;

keepalive_timeout 2;

types_hash_max_size 2048;

server_tokens off;

keepalive_requests 100000;

reset_timedout_connection on;

port_in_redirect off;

client_max_body_size 10m;

proxy_connect_timeout 600s;

proxy_send_timeout 600s;

proxy_read_timeout 600s;

fastcgi_send_timeout 600s;

fastcgi_read_timeout 600s;

open_file_cache max=200000 inactive=20s;

open_file_cache_valid 30s;

open_file_cache_min_uses 2;

open_file_cache_errors on;

/etc/php5/fpm/pool.d/www.conf

pm.max_children = 5

pm.start_servers = 2

pm.min_spare_servers = 1

pm.max_spare_servers = 3

;pm.process_idle_timeout = 10s;

;pm.max_requests = 200

request_terminate_timeout = 300s

And please see the added contents in /etc/sysctl.conf

##########################

fs.file-max = 150000

net.core.netdev_max_backlog=32768

net.core.optmem_max=20480

#net.core.rmem_default=65536

#net.core.rmem_max=16777216

net.core.somaxconn=50000

#net.core.wmem_default=65536

#net.core.wmem_max=16777216

net.ipv4.tcp_fin_timeout=120

#net.ipv4.tcp_keepalive_intvl=30

#net.ipv4.tcp_keepalive_probes=3

#net.ipv4.tcp_keepalive_time=120

net.ipv4.tcp_max_orphans=262144

net.ipv4.tcp_max_syn_backlog=524288

net.ipv4.tcp_max_tw_buckets=524288

#net.ipv4.tcp_mem=1048576 1048576 2097152

#net.ipv4.tcp_no_metrics_save=1

net.ipv4.tcp_orphan_retries=0

#net.ipv4.tcp_rmem=4096 16384 16777216

#net.ipv4.tcp_synack_retries=2

net.ipv4.tcp_syncookies=1

#net.ipv4.tcp_syn_retries=2

#net.ipv4.tcp_wmem=4096 32768 16777216

##########################

Can anyone please help us on it.

Thanks

Geo
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

↧

Adding custom protocol data while creating new keepalive connections (no replies)

April 7, 2014, 7:50 am

≫ Next: limit_conn_zone Nginx Unknow error (4 replies)

≪ Previous: Strange nginx issue (4 replies)

Nginx is proxying requests to my custom tcp server. I have my proxy handler to create the right request format and process headers etc.

The trouble started when I started using keepalive handler. I have to add a custom protocol header bytes for every new keepalive connection and skip the header bytes if nginx is using an existing cached one. Currently create_request is called before getting an upstream connection (from default round robin handler) and there seems to be no callback to my module once the connection is selected/created.

Any bright ideas ? Should I provide my one connection handlers to do this or my own keepalive handler itself ?

Jai
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

↧

limit_conn_zone Nginx Unknow error (4 replies)

April 7, 2014, 10:18 am

≫ Next: Upstream Keepalive Questions (no replies)

≪ Previous: Adding custom protocol data while creating new keepalive connections (no replies)

What am I doing wrong here?

http {
limit_conn_zone $binary_remote_addr zone=one:63m;

server {
location /downloads/ {
limit_conn one 10;}

[root@batman1 ~]# service nginx configtest
nginx: [emerg] the size 66060288 of shared memory zone "one" conflicts
with already declared size 0 in /etc/nginx/nginx.conf:60
nginx: configuration file /etc/nginx/nginx.conf test failed

I read the nginx manual online, and it look well. I hope that someone have
a tip.

--
Un abrazo!

*Raúl Hugo http://twitter.com/raulhugo*

*Miembro Asociadohttp://apesol.org.pe http://apesol.org.pe/SysAdmin Cel.
#961-710-096 Linux Registered User #482081 - http://counter.li.org/
http://counter.li.org/P Antes de imprimir este e-mail piense bien si es
necesario hacerlo*
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

↧

Latest Images