Channel: Nginx Forum - How to...
Viewing all 2931 articles

Setting up IMAP proxy balancer and SSL offloading (5 replies)

Hi forum,

I need to set up an Nginx server according to these two statements:

- IMAP proxy balancer.
- SSL offloading.

I have no problems with SSL offloading and the proxy, but it does not work when I add an upstream section in order to get balanced traffic.

Is this possible? Or is it not possible to set it up with these two conditions?

Best regards.
Francisco
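As an added example (not the poster's config and not from nginx's documentation): nginx's mail proxy has no upstream block, so balancing happens in the auth_http service, whose reply names the backend for each login. The config below assumes a build with --with-mail and --with-mail_ssl_module, the host name imap.example.com, placeholder certificate paths and two IMAP backends 10.0.0.11 and 10.0.0.12; it answers auth_http from nginx itself and picks the backend per user with split_clients.

```nginx
# Added example, not the poster's config. Host names, paths and backend
# addresses are placeholders.
mail {
    server_name imap.example.com;

    # Every login is checked against this HTTP endpoint; its reply names the
    # backend, so this is where "balancing" happens for the mail proxy.
    auth_http         127.0.0.1:9000/mail-auth;
    auth_http_timeout 5s;

    # TLS is offloaded here; the hop to the backend below is plain port 143.
    ssl_certificate           /etc/nginx/tls/imap.example.com.crt;
    ssl_certificate_key       /etc/nginx/tls/imap.example.com.key;
    ssl_protocols             TLSv1.2;
    ssl_prefer_server_ciphers on;

    proxy_pass_error_message on;   # relay the backend's login error to the client

    server {
        listen    993 ssl;
        protocol  imap;
        imap_auth plain login;
    }
}

http {
    # Sticky choice of backend per user name: the same mailbox always lands
    # on the same server, so backend-side lockout counters stay consistent.
    split_clients "${http_auth_user}" $imap_backend {
        50%  10.0.0.11;
        *    10.0.0.12;
    }

    server {
        # Loopback only: clients must never be able to reach this endpoint.
        listen 127.0.0.1:9000;

        location = /mail-auth {
            allow 127.0.0.1;
            deny  all;
            # This endpoint does not verify the password itself: nginx replays
            # the LOGIN to the chosen backend, which accepts or rejects it.
            add_header Auth-Status OK;
            add_header Auth-Server $imap_backend;
            add_header Auth-Port   143;
            return 200;
        }
    }
}
```

To reject bad credentials at the edge and slow down guessing, replace the static location with a real auth service that checks the Auth-User/Auth-Pass headers and answers a failure with Auth-Status and Auth-Wait.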

Bypass Web NTLM2 Authentication (no replies)

Hi guys, I'm trying to use NGINX as a reverse proxy and it is working.

But it pops up a banner that asks me for NTLM2 authentication, and I don't need that pop-up to appear there.

A way of doing this is by entering www.foo.com\HomePage.do?SkipNV2Filter=true

Is there any way of bypassing or avoiding the pop-up banner that asks for the NTLM2 credentials?

Cheers.

CORS multiple domains (no replies)

I am hoping to get some guidance on sending Access-Control-Allow-Origin for multiple domains. The answer I have temporarily settled on is this:

location /somelocation/ {
try_files $uri $uri/ @rewrite;
expires 1h;
if ($http_origin ~ "^(https://www.cors.domain1.com|https://www.cors.domain2.com)") {
add_header 'Access-Control-Allow-Origin' $http_origin;
}
add_header 'Access-Control-Allow-Origin' 'https://www.cors.domain1.com';
}


(There are some more options but that information is not really relevant to my question)
I was reading that if statements can be a bad thing in a location block, and a co-worker said that he thought this would get processed for EVERY call (even if it doesn't match the location). This seems like a common use case to me and I was wondering if this was the correct way to handle it or if there is a better/correct way to do it.

Thanks.
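A way to do this without if, as an added example (not from the post): a map resolves the allowed origin once per request, and add_header omits a header whose value is empty. Note that the posted block cannot send both headers anyway, because add_header directives inside an if replace, rather than extend, those of the enclosing location; and its pattern, with unescaped dots and no end anchor, would also accept any origin that merely starts with those strings. The domains are the poster's; the server name is a placeholder.

```nginx
# Added example; the two origins come from the post, everything else is assumed.
http {
    # Exact-match allow list. Unmatched origins map to "", and add_header
    # skips a header with an empty value, so no ACAO header is sent at all.
    map $http_origin $cors_origin {
        default "";
        "https://www.cors.domain1.com" $http_origin;
        "https://www.cors.domain2.com" $http_origin;
    }

    server {
        listen 80;
        server_name example.com;
        root /var/www/html;

        location /somelocation/ {
            # The poster's try_files ends in @rewrite; =404 keeps this example self-contained.
            try_files $uri $uri/ =404;
            expires 1h;

            # Map values are computed lazily, when first referenced, so this
            # costs nothing for requests that never reach this location.
            add_header Access-Control-Allow-Origin $cors_origin;
            # Tell caches that the response depends on the Origin header.
            add_header Vary Origin;
            # Never echo "*" or an unchecked $http_origin here: combined with
            # Allow-Credentials that exposes authenticated responses to any site.
        }
    }
}
```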

Deny if uri contains specific word (1 reply)

Hello.

I need some help with configuring nginx to fight an HTTP flood attack.
My web server has been receiving a lot of requests for non-existent URLs for a couple of days already. Some hundreds of thousands. I'm collecting IP addresses and user agents from the access log and denying them using the 'deny' command.

But there are a lot of new IPs with the same requests, so I'd like to add a rule for denying them all.
These requests look like:
GET /?v_browser=Amigo%2F45.0.2454.107&v_chrome=45.0.2454.107&v_extension=25.0.46&rfr=blackbear3&aid=CD97F7BB-F5D3-4889-B781-C53695C5D4A1&id_extension=diciddlabejpoaofdnmoamebeohoiobg HTTP/1.1

GET /?&ts=1452855523947&s=e7b8e05c1048b23f20eacb77e90b59638ad898c1&appId=com.outfit7.mytalkingtomfree&appVersion=3.1.1&platform=ANDROID&lv=2.6.3&lc=ru&osv=4.4.2&dm=SM-T210&advertisingId=41a6a6c0-276b-4aad-affc-4d68dc5a7783&advertisingOptOut=false&wifi=2&jb=false

GET /?&ts=1452837410833&s=3c50dd07af0c72e47d5bc03f268652c5032e2329&appId=com.outfit7.mytalkingtomfree&appVersion=3.0.1&platform=ANDROID&lv=2.5.14&lc=ru&osv=4.4.2&dm=SM-T230&advertisingId=9c733111-f6e2-49e7-9932-ebb9bc3b330d&advertisingOptOut=false&wifi=2&jb=false

GET /?ccode=-1&model=TAB708&atime=1452841234&count=5&mcc=&osv=4.4.4&cell=&pid=1&net=WIFI&nmnc=&cid=0&lac=&pos=101&appv=5.11.5&v=2&pf=android&page=1&lan=ru_RU&brand=rockchip&nmcc=&mnc=&ch=null%23null%23null&uuid=695f4e57065676c4&

GET /?os=win&arch=x86&nacl_arch=x86-32&prod=chromiumcrx&prodchannel=unknown&prodversion=45.0.2454.103&lang=ru&x=id%3Dmhjmblbdnpeeginmmnedceemmlikpimp%26v%3D0.1.13%26uc

GET /?s=00000000&client=DynGate&rnd=282161415&p=10000001

GET /?screen_h=800&android_id=8c859e8805aad7ce&wifi=34:cd:be:6d:a2:a1,-73&cellid=401,01,12572,3117,-93&model=Lenovo+A319&gzip=&screen_w=480&clid=1866854&manufacturer=LENOVO&app_version=171&app_platform=android&uuid=0b24642dee695eca04ada776e06b13c8&os_version=4.4.2

And so on.

So can I make up a rule which would combine all of these requests? I don't have any similar parameters needed for my site. I've tried this one at the / location:

if ($uri ~* '^/(\?s=|\?os=|\?imei=|\?&ts=|\?tk=|\?tm=|\?ptl=|\?act=|\?p=|\?callback=|\?v_browser=|\?ids=|\?root=|\?appkey=|\?ak=|\?alpha=|\?a=|\?method=|\?user_id=|\?v=|\?adnum=|\?app_signature=|\?osv=|\?getchannel=|\?param=|\?sensor=|\?ids=)$') {
deny all;
}

But it didn't work.

Thanks in advance for any help.
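The posted rule cannot match because $uri never contains the query string; it lives in $args (and in $request_uri). As an added example (not from the post), the config below keys a map on $args using the parameter names visible in the samples above, and drops matching connections with 444; the server name and root are placeholders.

```nginx
# Added example. The parameter names are taken from the request samples in
# the post; extend the list with whatever your own application never uses.
http {
    # $uri is the path only; the query string is in $args.
    map $args $flood_query {
        default 0;
        # "~" is a case-sensitive regex; (?:^|&) anchors on a parameter name.
        "~(?:^|&)(?:v_browser|ts|ccode|nacl_arch|client|android_id)=" 1;
    }

    server {
        listen 80;
        server_name example.com;
        root /var/www/html;
        index index.html;

        location = / {
            # 444 closes the connection without a response: no bandwidth is
            # spent on the flood and the worker connection is freed at once.
            if ($flood_query) {
                return 444;
            }
            # Stricter alternative when the front page takes no parameters at
            # all (as the post says): if ($args) { return 444; }
        }
    }
}
```

Pair this with limit_req_zone keyed on $binary_remote_addr so that unlisted variants of the flood are slowed down as well.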

ngx_http_rewrite_module issue (no replies)

Hi
I installed nginx 1.7 using yum. Now I want to implement rewrite rules. The nginx -V command shows no ngx_http_rewrite_module is present. How can I enable ngx_http_rewrite_module? Please reply, thanks.

possible to restream http stream (no replies)

Is it possible to re-stream an HTTP stream with nginx and turn it into an RTMP stream?

Also, will it affect the stream source quality, and does it use much CPU?

SOAP error with PHP (no replies)

I have set up NGINX as a load balancer for our 4 IIS web servers. All 4 servers use the same code. However, one of the web servers will return an error when in the load balancer array.

SoapFault exception: [WSDL] SOAP-ERROR: Parsing Schema: element '<ellement>' already defined in <test php file>

To test this we created a small PHP script (see below) and randomly we get this error.

What has been tested:
When in array with other 3 servers: sometimes an error
When in array with just 2 other servers: Always an error
Direct connection to the server (hosts file): no error
Load balancer array only this one server: no errors
Load balancer array with all but this server: no errors

This is our nginx.conf:

user nginx;
worker_processes 4;


error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;


events {
worker_connections 1024;
}
http {
upstream backend {
server 192.168.100.87 max_fails=3 fail_timeout=30s;
server 192.168.100.187 max_fails=3 fail_timeout=30s;
server 192.168.100.197 max_fails=3 fail_timeout=30s;
# server 192.168.100.198 max_fails=3 fail_timeout=30s;
}
server {
listen 80;
listen 443 ssl;
server_name <domain>.com;
ssl_certificate /etc/ssl/private/<domain>_com.pem;
ssl_certificate_key /etc/ssl/private/<domain>_com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://backend;
}
}
include /etc/nginx/mime.types;
default_type application/octet-stream;

log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" $request_time';

access_log /var/log/nginx/access.log main;

sendfile on;
#tcp_nopush on;

keepalive_timeout 75;
client_header_timeout 3000;
client_body_timeout 3000;
proxy_read_timeout 6000;

#gzip on;

include /etc/nginx/conf.d/*.conf;
}

Test.php
<?php
for ($x = 0; $x <= 10; $x++) {
echo "The number is: $x <br>";
try
{
$wsdl = 'http://domain.com/Corporate/Product.svc?wsdl';
$client = new SoapClient($wsdl, array("trace" => 1));
}
catch (Exception $e)
{
echo $e;
echo "<br>";
}
}
?>

Can anybody help me out here? I am at a loss.

Thanks for reading.

server section applying where it is not expected to (1 reply)

Hi.

I have set up a server section for a mailman list using

server {
listen xx.xx.xx.xx:80;
server_name lists.example.org;
location = / { rewrite ^ /mailman/listinfo permanent; }
location / { rewrite ^ /mailman$uri; }
}
[...]
}

as I found examples on the web, e.g. https://mywushublog.com/2012/05/mailman-with-nginx-on-freebsd/.

Now, using some other subdomain like http://test.example.org/, the URL gets rewritten to /mailman/listinfo too, and so I suspect that this lists.example.org server section also applies to test.example.org -- which I didn't expect. Of course, the IP address is the same for all these domains and subdomains.

Has one of you guys and gals seen such behaviour before? Does that ring some kind of bell?

Thanks for your time,
w6g
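What the post describes is nginx's default-server rule: when the Host header matches no server_name for an address:port, the request goes to the default server for that pair, which is the first server block listed unless one is marked default_server. As an added example (not from the post or the linked article), the config below adds an explicit catch-all so unknown host names no longer land in the mailman block; xx.xx.xx.xx and the list host come from the post, the test.example.org root is assumed.

```nginx
# Added example. An explicit default server for xx.xx.xx.xx:80; without it,
# the lists.example.org block (the first one) silently served every host name.
server {
    listen xx.xx.xx.xx:80 default_server;
    server_name _;          # "_" never matches a real host name: pure catch-all
    return 444;             # close the connection; use "return 404;" to answer instead
}

server {
    listen xx.xx.xx.xx:80;
    server_name lists.example.org;
    location = / { rewrite ^ /mailman/listinfo permanent; }
    location /   { rewrite ^ /mailman$uri; }
}

server {
    listen xx.xx.xx.xx:80;
    server_name test.example.org;
    root /var/www/test;     # assumed
}
```

Check the result with nginx -T (which prints the merged config) and a request that sets the Host header, e.g. curl -sI -H 'Host: test.example.org' http://xx.xx.xx.xx/, which must not return the /mailman/listinfo redirect.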

Proxy protocol wrapped inside of SSL packet (no replies)

Hopefully someone can shed some light on this for me. I have been trying to get it working all morning, and am finally throwing in the towel for now.

So the situation is, we are using AWS ELB with SSL. There is SSL termination on the load balancer; however, we also forward the traffic down via SSL. We have proxy protocol enabled on the ELB, so after the ELB terminates the SSL it attaches the proxy protocol header to the packet, then re-encodes the entire packet. Once the packet arrives at NGINX, if I have the following config line

listen 443 ssl proxy_protocol;

NGINX attempts to read the proxy protocol header and fails. This seems reasonable to me; I understand. However, what I want to do is terminate the SSL here, then handle the proxy protocol header and continue forwarding the data with the proxy protocol info appended as X-Forwarded-For headers. Unfortunately, when I remove proxy_protocol from the listen directive, NGINX then throws the following error

client sent invalid request while reading client request line, client: ZZ.ZZ.ZZ.ZZ, server: , request: "PROXY TCP4 XX.XX.XX.XX YY.YY.YY.YY 49225 443"

Again, this does make sense. I understand why it is happening but cannot figure out a workaround, if there is one.

Any suggestions? Thanks in advance!

EDIT: I was going to try and compile with the stream module, then set 'proxy_protocol on' for the upstream but my fear is that it will still fail or try to add a second proxy protocol header.

1.8.1 rewrite changes (1 reply)

I don't know if this is the new "right" behaviour mentioned in the changelog, but our rewrites stopped working after the upgrade to 1.8.1.

I have a URL:
"http://mysite.com/css/main-responsive.v203.css"
Which should point to the file:
"/home/mysite/www/css/main-responsive.css"

The config, that works on 1.8.0 and not on 1.8.1 (returns 404) is this:

server {

listen 80;

server_name mysite.cz;
root /home/mysite/www/;
expires 100d;

location ^~ / {
access_log off;

location /css/ {
alias /home/mysite/www/css/;

location ~ /(.*)\.v[0-9]+\.(css) {
add_header Cache-Control public;
try_files $uri $uri/ /$1.$2;
}

location /css/fonts/ {
add_header Access-Control-Allow-Origin *;
}
}

location /js/ {
alias /home/mysite/www/js/;

location ~ /(.*)\.v[0-9]+\.(js) {
add_header Cache-Control public;
try_files $uri $uri/ /$1.$2;
}
}

location ^~ /img/ {
..........
}

.......
}

Could you please tell me how exactly the rewriting changed in the 1.8.1 release? Thank you.

Config issue for rewrite / redirect (no replies)

I just want to set up a simple redirect or rewrite between a subdomain and the domain, but I am quite new to this so I can't figure it out. I have 3 things in mind (not sure if all 3 are possible at the same time):

1-) Redirect or rewrite http://api.domain.com/api?t=... requests as http://domain.com/api?t=...
2-) Shouldn't change the URL in the address bar
3-) Would be great if it gives a 200 status instead of 301 or 302.

I tried rewrite, but because they are not on the same domain, nginx changes the URL.

Any help is appreciated!

configure document root directory for gitlab mattermost (no replies)

Hi,

I'm trying to set up Let's Encrypt for Gitlab Mattermost. The configuration script for Let's Encrypt needs to put a temporary file in mattermost.example.com/.well-known/some_random_string. The configuration currently allows me to access

/opt/gitlab/embedded/service/mattermost/web/static/

but not things inside the actual document root directory, which is just

/opt/gitlab/embedded/service/mattermost/web/

Any ideas as to how I can enable read access for files in the root directory?

Here is some information about Gitlab Mattermost and how it configures nginx

https://github.com/gitlabhq/omnibus-gitlab/blob/master/doc/settings/nginx.md


Thanks

ssl_session_tickets not working (3 replies)

Hi all

I have a project I'm working on which I want to use ssl_session_tickets on, but I can't get it to work. My project is a caching proxy so it's not serving local content. The config (relevant part) is:

listen 443;
ssl on;
ssl_certificate /etc/nginx/current/tls/certs/xxx.crt;
ssl_certificate_key /etc/nginx/current/tls/private/xxx.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers !NULL:!SSLv2:!EXP:!MD5:!aNULL:!PSK:!kEDH:!KRB5:!ADH:!DES:!RC4:!CAMELLIA:AES128:HIGH:3DES;
ssl_ecdh_curve prime256v1;
ssl_buffer_size 4k;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:global_ssl_cache:128m;
ssl_stapling off;
ssl_stapling_verify off;
ssl_session_timeout 20m;
ssl_session_tickets on;
ssl_session_ticket_key /etc/nginx/current/tls/session/tkt.key;
ssl_dhparam /etc/nginx/current/tls/private/dh.param;
keepalive_timeout 300;

I log the $ssl_session_reused variable in my access logs and with the above, I always see a "." (session not reused).

I'm on nginx 1.9.10, compiled from source with OpenSSL 1.0.2e on CentOS 7 on AWS.

Does anyone know why session reuse isn't working? My main thoughts are, could it be due to:

* the requests being proxied, not locally served files
* perhaps my choice of ciphers is an issue

Does anyone have any suggestions? I have a test instance so I can try literally anything.

Thanks in advance!
Neil

Proper setup of limit_req (no replies)

Hello, first of all I would like to mention that I have read many items on the forum and outside it, but I still can't completely understand the way this module works, and that's the reason why I ask you here. Thank you in advance if you help me.

1. I want to limit requests to vhosts per IP, so that if one IP floods the vhost, the other visitors will be OK and not banned. From my tests until now this does not happen. When another IP floods the vhost I can't open the vhost's site either. This happens with the following configuration:

limit_req_zone $binary_remote_addr zone=perip:10m rate=100r/s;
limit_req zone=perip burst=100 nodelay;

How can I limit the vhost per IP so that the other visitors don't have a problem? Also I would like to have another restriction that limits the requests to vhosts not per IP but, for example, 200 requests to one vhost from all visitors, another 200-request limit to another vhost, and so on.

2. I can't understand whether the burst limit and the req_zone limit must be the same value. I want to set a limit of 200 requests from an IP, for example, and on the 201st request the IP should be denied with a 503. Can the module work this way, and how can I achieve this? One value for req_zone but another for burst, or what?

3. Why is the number of failed requests different every time I run Apache Benchmark, when the server limit in nginx has not changed?
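As an added example (not from the post), the config below answers the three points with two zones: one keyed per client address and one keyed per vhost, so a flooding client only exhausts its own bucket while each vhost also has a shared ceiling. nginx enforces rate at millisecond granularity (rate=200r/s means requests arriving less than 5 ms apart are "excess"), and burst is how much excess is tolerated, which is also why a time-based tool like ab sees a different failure count on every run. Server names, roots and rates are placeholders.

```nginx
# Added example; names, paths and rates are placeholders.
http {
    # Zone 1: one bucket per client address (10m holds roughly 160k addresses).
    # Visitors behind one NAT or proxy share a bucket; behind a trusted proxy,
    # set_real_ip_from / real_ip_header make $binary_remote_addr the real client.
    limit_req_zone $binary_remote_addr zone=perip:10m    rate=10r/s;
    # Zone 2: one bucket per vhost, shared by all of that vhost's visitors.
    limit_req_zone $server_name        zone=pervhost:10m rate=200r/s;

    server {
        listen 80;
        server_name shop.example.com;
        root /var/www/shop;

        # rate is the sustained allowance; burst is how many requests may
        # arrive faster than the rate before nginx starts rejecting. With
        # nodelay, excess requests are served at once instead of queued.
        # So rate=200r/s burst=200 nodelay admits about 200 requests at once
        # and roughly 200 more per second after that; the next one is rejected.
        limit_req zone=perip    burst=20 nodelay;
        limit_req zone=pervhost burst=50;
        limit_req_status    429;   # default is 503; 429 is the proper rate-limit code
        limit_req_log_level warn;
    }

    server {
        listen 80;
        server_name blog.example.com;
        root /var/www/blog;
        limit_req zone=perip    burst=20 nodelay;
        limit_req zone=pervhost burst=50;   # its own 200r/s bucket, keyed by this server_name
        limit_req_status 429;
    }
}
```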

How to run wordpress on Gentoo/Linux? (no replies)

Hi,

I have just installed nginx, mysql, php and wordpress on my Gentoo/Linux machine -
I want to build a web server for the first time at home.
It looks like nginx, mysql and php run OK, but I do not know how to run wordpress.
I did not find any tutorial for Gentoo with this setup -
please advise any link on how to configure nginx in order to have wordpress.

How to configure nginx to process subdomains (no replies)

First, I will apologize if this has already been posted, but I have scoured Google and this site for hours and can't figure it out.

Here is my problem.
I have nginx 1.9.10 on Ubuntu 15.10 server.
I have a domain set up and have the wildcard * option set on the DNS.

In my root server directory, I am running wordpress network.

I am running multiple sites on the wordpress network, and accessing them by subdomain is working flawlessly.

What I am TRYING to do is add additional programs, i.e. owncloud, moodle, a photo gallery, mail, etc., by installing them in subdirectories of my www root.

I want to be able to access them and load the appropriate index.php or index.htm either by typing:

http(s)://domain.com/subdirectory

or

subdomain.domain.com

The intent is that for example, if I type: moodle.domain.com OR domain.com/moodle, the program will launch.

I've tried
--"enabling" multiple virtual hosts using symbolic links for each in the sites-enabled directory
----this results in errors loading nginx saying that it is listening on port XXX multiple times.

--having only a www file "enabled" as above, and adding "location" tags in that file.
----the result is:
-----nginx starts but I get either a 404 page not found or a 403 restricted error if I try accessing any of the programs that are installed in the subdirectories.

--creating a symbolic link for the index.php file for the program in the subdirectory
----(I know that this is very unlikely to be of any use, but I tried it anyway)
-----result: nothing loads

I have been afraid to play around with the php.ini in php5-fpm and the .htaccess files, because the last time I did that it was a disaster.

Could someone please post an example of how to make this work?
If it is going to involve editing config files, please be specific as to which one(s) and the syntax. I am a novice with this process--as is clearly evident.

Here is a copy of my current site-enabled file that is working: (I have edited out the actual domain and directories, but if you need this, I can give it to you).
------------------------------------------------------------------------

server {

server_name domain.com *.domain.com;
index index.php index.html index.htm;

ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!Anull:!md5;

listen 80 default_server;
listen [::]:80 default_server;

# SSL configuration
listen 443 ssl default_server;
listen [::]:443 ssl default_server;



root /media/xxxx/xxxxx;

#=========================Locations=============================

location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}

#===================PHP=================
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}

}
------------------------------------------------------------------------

Thanks for any help you can give.

Reverse Proxy Forward (no replies)

Hi all,

I have Nginx running and being used primarily as a reverse proxy. So far all is running well for web services, but I am having a problem proxying requests from/to an internal service running for Sophos message relaying. This service uses ports 8192-8194. I allowed these through the firewall on my box (CentOS) and then set up the usual server blocks in my reverse proxy config which send them on to the internal server. An example is below.

server {
listen 8192;
server_name My_Server;

access_log /etc/nginx/logs/sophos_relay_ports/access.log;
error_log /etc/nginx/logs/sophos_relay_ports/error.log debug;

location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://My_Internal_Server:8192;
proxy_read_timeout 150;
proxy_buffering off;
proxy_redirect off;

}
}

I can't seem to figure out why the traffic is not reaching the destination. Does anyone have a suggestion?

Thanks.

Regards,
R

hiding php parameters (no replies)

Hello everyone.

I have a website with this kind of addresses:

https://www.mydomain.com/user/userprofile/[userprofile1]?r=[login]&w=[encryptedpassword]

i.e.:

https://www.mydomain.com/user/userprofile/toto?r=reqqfdvca&w=skvlsqmg
https://www.mydomain.com/user/userprofile/titi?r=re45a&w=slkvldfgmg
https://www.mydomain.com/user/userprofile/tutu?r=reqq0krgca&w=s46893ls
etc...

The parameters are important because they are credentials to access the website, but I would like my addresses to look like:

https://www.mydomain.com/user/userprofile/toto
https://www.mydomain.com/user/userprofile/titi
https://www.mydomain.com/user/userprofile/tutu
etc...

I'm new to nginx, and my English is not perfect, so please excuse my mistakes, but does anyone have an idea of how to do that?

thanks

404 on wordpress multisite with permalinks (no replies)

Hi,
I installed a wordpress multisite on nginx (basic configuration by webuzo); everything seems to work except when I activate permalinks. Then a 404 error appears, except for the homepage and backend.
Can someone help me understand?
I'm an absolute nginx beginner.
Thanks,
Francesco

How to enable login wordpress to LAN users? (no replies)

Hi, I just installed wordpress with nginx/mysql/php on Gentoo/Linux OS, as localhost at home.
I can edit the wordpress website only from the local computer (where the web server is installed).
I want to enable editing the website from other computers through the LAN.
I can access the website through the LAN, however I cannot log in to wordpress.
I get 'error_connection_refused' instead of the login dialog box.
Please advise how to enable the web administration interface for LAN users.