Channel: Nginx Forum - How to...

access problem (no replies)

Nginx-RTMP setup: something does not allow this HLS stream to be linked by another host than the one it is created on. The HTML at the bottom is on another VPS with another IP. I can play the stream in my browser from the origin server with the HLS addon in Chrome or Firefox anywhere. I can also play the HTML at the bottom from my local disk, though I can't play the HTML uploaded on a virtual host. I'm stuck. Below are my server setup and the HTML to play.

server {
listen 80;

location / {
# Disable cache
add_header 'Cache-Control' 'no-cache';

# CORS setup
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Expose-Headers' 'Content-Length';
add_header X-Frame-Options "ALLOW-FROM https://my.site/";

# allow CORS preflight requests
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain; charset=UTF-8';
add_header 'Content-Length' 0;
add_header X-Frame-Options "ALLOW-FROM https://my.site/";
return 204;
}

types {
application/dash+xml mpd;
application/vnd.apple.mpegurl m3u8;
video/mp2t ts;
}

root /mnt/;
}
}

player (below video js, but same for vlc and clappr setup)

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<meta name="generator" content="PSPad editor, www.pspad.com">
<title></title>
</head>
<body>
<video id=example-video width=960 height=540 class="video-js vjs-default-skin" controls>
<source
src="http://77.72.149.125:80/hls/stream.m3u8"
type="application/x-mpegURL">
</video>
<link href="http://vjs.zencdn.net/5.19/video-js.css" rel="stylesheet">
<script src="http://vjs.zencdn.net/ie8/1.1/videojs-ie8.min.js"></script>
<script src="http://vjs.zencdn.net/5.19/video.js"></script>
<script src="https://unpkg.com/videojs-contrib-hls/dist/videojs-contrib-hls.js"></script>
<script>
var player = videojs('example-video');
player.play();
</script>
</body>
</html>

LDAP Authentication (no replies)

Hello,

I'm trying to link authentication from /htpassword from nginx to an Active Directory.
I'm a bit lost on how to do it.

First, is it possible to do it for free, or do I have to pay for 'nginx plus'?

I saw this tutorial, but it is not clear enough for me:
https://www.nginx.com/blog/nginx-plus-authenticate-users/

Then, how do I proceed, as I don't find this module:
http://nginx.org/en/docs/http/ngx_http_auth_request_module.html

Many thanks for your help.
Crapoulou.

HAProxy - Nginx - Wordpress (no replies)

Hi,

I am replacing httpd by Nginx on my platform (httpd, Nginx and wordpress), but I have a blocking problem.
 
My architecture is as follows:

INTERNET --------https------> HAPROXY (SSL) -------> http ------> NGinx -------> Wordpress.

I have installed / configured haproxy and nginx. Both work and my site is in HTTPS. SSL is managed by HAProxy and Nginx does not do SSL.

Now I downloaded and unzipped wordpress. To follow the installation, I went to the homepage from an internet browser and problems begin.

On the homepage for installing wordpress, CSS and JavaScript files are not loaded, whereas the same architecture works with httpd instead of NGinx.

I think the problem comes from NGinx (an option to position ???).

Any idea?

My configurations:

#####HAProxy
frontend https-in
bind X.X.X.X:443 ssl crt /etc/pki/certs
mode http
option httplog

acl my_site hdr(host) -i mon.site.fr
use_backend wp if my_site

rspadd Strict-Transport-Security:\ max-age=15768000

backend wp
mode http
option http-server-close
option forwardfor
http-request add-header X-Forwarded-Proto https if { ssl_fc }
server wp_1 X.X.X.X:8080

#####NGinx
server {

listen *:8080;
server_name mon.site.fr;

root /var/www/html/site1;

access_log /var/log/nginx/site1.access.log;
error_log /var/log/nginx/site1.error.log;

location / {

index index.php index.html;
try_files $uri $uri/ /index.php?$args;
}

if (!-e $request_filename) {
rewrite ^.*$ /index.php last;
}

location = /favicon.ico {
log_not_found off;
access_log off;
}

location = /robots.txt {
log_not_found off;
access_log off;
allow all;
}

location ~ /\. {
deny all;
}

location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}

location ~* \.(html|css|js|png|jpg|jpeg|gif|ico|svg|eot|woff|ttf)$ {
expires max;
log_not_found off;
}

location ~ \.php$ {

try_files $uri =404;
fastcgi_pass unix:/var/run/php70-fpm.mon.site.fr.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 16k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;

include fastcgi_params;
}

}

http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log /var/log/nginx/access.log main;

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;

include /etc/nginx/mime.types;
default_type application/octet-stream;

include /etc/nginx/sites-enabled/*.conf;

# Real IP
set_real_ip_from X.X.X.X;
real_ip_header X-Forwarded-For;

gzip on;
gzip_disable "msie6";

gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;

}

Thanks

Conditional Logging on more than one constraint (1 reply)

Hi,

So the conditional logging example on nginx website is this, which I've tried, and it works as advertised.

-----------
map $status $loggable {
~^[23] 0;
default 1;
}

access_log /path/to/access.log combined if=$loggable;
-----------

What happens if I also want to stop logging for clients with the User Agent "Zabbix"? If I try this ...

-----------------
map $status $loggable {
~^[23] 0;
default 1;
}

map $http_user_agent $loggable {
Zabbix 0;
default 1;
}

access_log /path/to/access.log combined if=$loggable;
---------------

... then the first map is superseded by the second, i.e. the $status is ignored and only the $http_user_agent is used to decide what is logged.

What's the trick for setting $loggable=0 for both cases?
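
One way to combine both conditions, as an added example that is not part of the original post: chain the maps so that the second one falls back to the first one's result instead of redefining the same variable. The `geo` block and the address 192.0.2.10 are assumptions added here, so that suppression needs the monitoring host's address as well as the client-controlled User-Agent.

```nginx
# http{} context. Added example; 192.0.2.10 is a constructed monitoring address.

# Stage 0: is the request coming from the monitoring host?
geo $from_monitor {
    default     0;
    192.0.2.10  1;
}

# Stage 1: the status-based decision from the documentation example,
# written to its own variable so nothing overwrites it.
map $status $loggable_status {
    ~^[23]  0;
    default 1;
}

# Stage 2: suppress the entry only when the source address AND the
# User-Agent both match; every other request inherits the stage 1 result.
# Matching on User-Agent alone would let any client that sends "Zabbix"
# drop its own requests from the access log.
map "$from_monitor:$http_user_agent" $loggable {
    ~*^1:.*zabbix  0;
    default        $loggable_status;
}

access_log /path/to/access.log combined if=$loggable;
```

To reproduce the two conditions exactly as asked, without the address check, use `$http_user_agent` as the source of the last map and `~*zabbix 0;` as its first entry.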

Reverse proxy with SSL (5 replies)

We currently have two application servers on a Linux box in AWS. One is on port 8080 and one is on port 7080. I wanted to know if we could possibly set up a configuration this way:

prefix1.domain.com > applicationserver:8080
prefix2.domain.com > applicationserver:7080

Also, we would specify a UCC SSL cert with both URLs as SANs.

Basically, I want to have nginx route to each application based on which prefix is defined in the request and to also host the SSL communications with a single UCC cert.

One idea I had was setting up two WAN IPs on the server, then setting up a DNS A record to route to either WAN IP based on the prefix. Then, hopefully nginx can listen on either adapter and route.

Does anyone know if this configuration can be set up in nginx, or if there is an easier way to do what I want it to?

Validate Accept-Encoding (no replies)

Hi there. Our origin server's config includes "gzip_vary on", which tells proxy caches to vary on Accept-Encoding of the received response. When an nginx cache later caches the response, it takes into account the Vary Accept-Encoding header:

"If the header includes the “Vary” field with the special value “*”, such a response will not be cached (1.7.7). If the header includes the “Vary” field with another value, such a response will be cached taking into account the corresponding request header fields (1.7.7). "
(taken from http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_valid )

Now the question is: a client can send any Accept-Encoding, really. Any bogus string like "foo" there would make nginx fetch normal un-encoded content from the upstream as if Accept-Encoding: none was specified, and cache it on disk under a different key which would include "foo" as per Nginx rules. Which is NFG. Is there any way to restrict the allowed Accept-Encoding to gzip, br (Brotli) and none at all?
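
One way to bound the number of cached variants, as an added example that is not part of the original post: normalise the header with a `map`, send only the normalised value upstream, and key the cache on that value instead of on the raw client header. The zone name, cache path and `origin.example` are placeholders, and q-values such as `br;q=0` are not parsed.

```nginx
# http{} context. Added example; names and paths are placeholders.

# Collapse any client Accept-Encoding to one of: "br", "gzip", "" (identity).
# Regexes are tested in order of appearance, so br wins when both are offered.
# A bogus value such as "foo" falls through to the default.
map $http_accept_encoding $norm_ae {
    default     "";
    ~*\bbr\b    "br";
    ~*\bgzip\b  "gzip";
}

proxy_cache_path /var/cache/nginx/origin keys_zone=origin_cache:10m;

server {
    listen 80;

    location / {
        proxy_pass  http://origin.example;
        proxy_cache origin_cache;

        # The upstream only ever sees one of the three normalised values;
        # an empty value means the header is not sent at all.
        proxy_set_header Accept-Encoding $norm_ae;

        # Do not derive a secondary cache key from the raw client header...
        proxy_ignore_headers Vary;

        # ...and vary explicitly on the normalised value instead, which
        # caps the cache at three variants per URL.
        proxy_cache_key "$scheme$proxy_host$request_uri|$norm_ae";
    }
}
```

Ignoring `Vary` is only safe when the origin varies on nothing other than Accept-Encoding; any other header it varies on has to be added to `proxy_cache_key` in the same way.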

ASP.NET Angular app running on an Nginx proxy not locating static files (no replies)

I have just created a basic application on Visual Studio and tried to get it running on my Ubuntu server on an Nginx proxy. Once I start it the application runs but the front-end cannot locate the static files and returns a 404/net::ERR_ABORTED on 6 static files (Please see attached screen-grab).

My Nginx proxy looks like this:

location / {
# Proxy for dotnet app
proxy_pass http://localhost:5000; # My app runs on port 5000
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}

And my proxy.conf looks like this (I do include it in my nginx.conf file):

proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffers 32 4k;

I followed this Microsoft Tutorial on the setup vaguely (https://docs.microsoft.com/en-us/aspnet/core/publishing/linuxproduction?tabs=aspnetcore2x).

How can I resolve the net::ERR_ABORTED on the static files?

P.S. I have posted this question on stackoverflow if anyone wants the points for it:
https://stackoverflow.com/questions/47753715/asp-net-angular-app-running-on-an-nginx-proxy-not-locating-static-files

Redirect issues (no replies)

Currently, I am running JIRA and Confluence on port 8080 and 7080. This is what I would like to happen with my nginx config:

port 80 is set to read let's encrypt challenge, otherwise forward to 443
443 listener reads hostname as either test.domain.com or test1.domain.com
test.domain.com forwards to proxy at 8080
test1.domain.com forwards to proxy at 7080

What I would like to do is also route anything on the outside coming from 8080 or 7080 to 443. Is this possible since there is already a proxy forward to 8080 and 7080 locally?

This is my current setup:

user nginx;
worker_processes 2;

error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

events {
worker_connections 1024;
}

http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log /var/log/nginx/access.log main;

sendfile on;

keepalive_timeout 65;

include /etc/nginx/mime.types;
default_type application/octet-stream;

include /etc/nginx/conf.d/*.conf;

index index.html index.htm;

gzip on;
gzip_types
text/plain
text/css
text/js
text/xml
text/javascript
application/javascript
application/x-javascript
application/json
application/xml
application/xml+rss;

server {
listen 80 default_server;
server_name test.domain.com;

location /.well-known/acme-challenge {
root /var/www/letsencrypt;
}
}

server {
listen 80;
return 301 https://$host$request_uri;
}

server {
listen 443 ssl http2;
server_name test.domain.com;

location / {
proxy_pass http://localhost:8080;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_redirect off;
client_max_body_size 10M;
proxy_connect_timeout 30s;
proxy_read_timeout 60s;
satisfy any;
allow all;
}

error_page 500 502 503 504 /50x.html;
location ~ /50x.(html|png) {
root /usr/share/nginx/html;

}

ssl_certificate /etc/letsencrypt/live/test.domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/test.domain.com/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;

resolver 8.8.8.8;
}

server {
listen 443 ssl http2;
server_name test1.domain.com;

location / {
proxy_pass http://localhost:7080;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_redirect off;
client_max_body_size 10M;
proxy_connect_timeout 30s;
proxy_read_timeout 60s;
satisfy any;
allow all;
}

error_page 500 502 503 504 /50x.html;
location ~ /50x.(html|png) {
root /usr/share/nginx/html;

}

ssl_certificate /etc/letsencrypt/live/test.domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/test.domain.com/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;


resolver 8.8.8.8;
}


}

Cookies problem (no replies)

Hi

Running the latest Nginx on CentOS 7, we are dealing with a cookie problem. It looks like the server doesn't delete cookies after expiration. After that the user can't log in again; we need to manually delete the cookie from the system.
It must be some kind of setting in the nginx config, but we can't find it. Can anyone please tell me what we can do to solve this?

Thank you in advance.
Miha

Reverse proxy to enable Grafana (no replies)

Hi. I have a server that I do some work on but which is not entirely under my control. So, I'm trying to piece together how it's set up and how to extend its hosting setup. It is currently hosting a Dashing installation (dashing.io). I would like to host an instance of Grafana on the same server as a subdirectory; that is, I would like to go to http://myserver.com/grafana and reach my grafana server, but would like subdirectories, such as http://myserver.com/my_dashing_board01, http://myserver.com/another_dashing_board, etc, to be handled as they currently are. Normally, Grafana is accessed over port 3000, but we are effectively unable to open that port because of an extensive process requirement-- basically, because reasons :-).

Now, it appears that nginx is the handler for port 80 requests:

$ telnet 10.11.12.13 80
Trying 10.11.12.13...
Connected to 10.11.12.13.
Escape character is '^]'.
GET /index.htm HTTP/1.1
host: 10.11.12.13

HTTP/1.1 301 Moved Permanently
Server: nginx/1.4.6 (Ubuntu)
Date: Thu, 14 Dec 2017 17:39:10 GMT
Content-Type: text/html
Content-Length: 193
Connection: keep-alive
Location: https://10.11.12.13/index.htm

<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.4.6 (Ubuntu)</center>
</body>
</html>
Connection closed by foreign host.

So, it seems that nginx would have to handle proxying. In order to get it working, I've added the following to the nginx config file:

upstream grafana {
server grafana:3000;
}

location /grafana/ {
proxy_pass http://grafana:3000;
}

Does it seem like that should work? This is my first work with nginx, so I have to ask that you use small words. :-) I may have made some very basic errors. Thanks in advance.

Proxy Pass to Upstream HTTPS (no replies)

I am using the proxy_pass directive to an upstream HTTPS server. The proxy server is meant for LAN clients. The upstream HTTPS server uses Let's Encrypt. How do I configure SSL verification?

proxy_pass https://upstream.backend;
proxy_ssl_verify on;
proxy_ssl_trusted_certificate <which_file_is_supposed_to_be_here>;
proxy_ssl_verify_depth <what_number_here>;


Also is it possible to rewrite http_referer header to https?
example http://192.168.1.5/application/page -> http://upstream.backend/application/page
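
A configuration that verifies the upstream certificate, as an added example that is not part of the original post. It assumes a Debian/Ubuntu-style system CA bundle at /etc/ssl/certs/ca-certificates.crt, which contains the Let's Encrypt roots, and that upstream.backend is the name in the upstream's certificate.

```nginx
# Added example; the CA bundle path is an assumption about the proxy host.
location / {
    proxy_pass https://upstream.backend;

    # Without this, nginx encrypts the upstream connection but accepts
    # any certificate the other side presents.
    proxy_ssl_verify              on;

    # Trust anchors: a publicly trusted upstream is verified against the
    # system CA bundle, not against the upstream's own fullchain.pem.
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

    # leaf -> intermediate -> root; raise it if the served chain is longer.
    proxy_ssl_verify_depth        2;

    # Send SNI so the upstream selects the right certificate, and check
    # the certificate against this name.
    proxy_ssl_server_name on;
    proxy_ssl_name        upstream.backend;

    proxy_ssl_protocols   TLSv1.2;
}
```

A failed verification is reported in the error log as an upstream SSL certificate verify error and the client receives a 502, which is the check to look for after enabling it.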

Authentication fails depending on FQDN entered by end user (no replies)

See attached picture for topology with nginx reverse proxy (fqdn proxy.com) for server with fqdn endpoint.com.
Between internet and LAN is a router forwarding all traffic on port 443 to proxy.com

Internet DNS records for proxy.com and endpoint.com point to Firewall external IP.
LAN DNS records for proxy.com and endpoint.com point to local IP addresses of these hosts.

When the user enters proxy.com, he is proxied to endpoint.com; he gets the login screen of endpoint.com but authentication fails.
When the user enters endpoint.com, he is proxied to endpoint.com; he gets the login screen of endpoint.com and authentication succeeds.

Why is authentication failing when proxy.com is used in the end user's browser?

Here is the nginx config for the proxy:

proxy_pass https://endpoint.com;

more_set_input_headers 'Authorization: $http_authorization';
proxy_set_header Accept-Encoding "";

proxy_set_header X_FORWARDED_PROTO https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Url-Scheme $scheme;
proxy_redirect off;
proxy_max_temp_file_size 0;

include module in Debian stretch setup (no replies)

Hi all,

I have Debian stretch where nginx was installed with apt-get install the usual way after adding the sources to the sources.list file. nginx is Version 1.13.7

Now I would like to include the following module: ngx_stream_core_module

On the site http://nginx.org/en/docs/stream/ngx_stream_core_module.html there are the following instructions:
This module is not built by default, it should be enabled with the --with-stream configuration parameter.

Unfortunately I have no idea what I need to do exactly.

Can anybody help me and tell me what I need to do to get this to work?

Many thanks.

Issues with multiple port passes and using Let's Encrypt (no replies)

Hello,

We currently use a single host to run a Confluence and JIRA server (Atlassian products) on port 8080 and 7080. We are not using SSL yet, and would like to set this up using Let's Encrypt. Let's Encrypt uses port 80 to renew its certificate once every 60 days or so.

Here is what we are trying to do:
1. All current traffic hitting port 8080 or 7080 gets transferred to HTTPS (443) and handed off to the correct application by reading the URL
2. We still allow port 80 to be open to Let's Encrypt so that it can automatically renew
3. Since JIRA and Confluence used to operate on port 8080 and 7080, we now have to proxy_pass them over to ports 8100 and 7100 respectively

I am running into an issue with the NGINX portion not correctly handing off, and I think there's an issue with my nginx.conf configuration.

Here it is. Please let me know if you notice anything wrong:

---



user nginx;
worker_processes 2;

error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

# include /usr/share/nginx/modules/*.conf;

events {
worker_connections 1024;
}

http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log /var/log/nginx/access.log main;

sendfile on;
# tcp_nopush on;
# tcp_nodelay on;

keepalive_timeout 65;
# types_hash_max_size 2048;

include /etc/nginx/mime.types;
default_type application/octet-stream;

include /etc/nginx/conf.d/*.conf;

index index.html index.htm;

gzip on;
gzip_types
text/plain
text/css
text/js
text/xml
text/javascript
application/javascript
application/x-javascript
application/json
application/xml
application/xml+rss;

# server_names_hash_bucket_size 128;


# Initial listener to hand off Let's Encrypt renewal
server {
listen 80 default_server;
server_name test.domain.com;

location /.well-known/acme-challenge {
root /var/www/letsencrypt;
}
}

#Second listener to redirect all HTTP traffic to HTTPS and over to the correct proxy_pass by reading the FQDN of the request
server {
listen 80;
return 301 https://$host$request_uri;
}

# Listener on port 8080 redirecting JIRA traffic to correct HTTPS handoff
server {
listen 8080;
return https://$host$request_uri;
}

# Listener on port 7080 redirecting Confluence traffic to correct HTTPS handoff
server {
listen 7080;
return https://$host$request_uri;
}

# Listener on 443 with proxy_pass setup to hand it off to port 8100 (new JIRA port)
server {
listen 443 ssl http2;
server_name test.domain.com;

location / {
proxy_pass http://localhost:8100;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_redirect off;
client_max_body_size 10M;
proxy_connect_timeout 30s;
proxy_read_timeout 60s;
satisfy any;
allow all;
}

## 500 error page - using default HTML directory for CentOS; change if desired. Sample error page and image background included in repository
error_page 500 502 503 504 /50x.html;
location ~ /50x.(html|png) {
root /usr/share/nginx/html;

}

ssl_certificate /etc/letsencrypt/live/test.domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/test.domain.com/privkey.pem;

## SSL Configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;

# Diffie-Hellman parameter for DHE ciphersuites
ssl_dhparam /etc/nginx/dhparam.pem;

# Protocol and Cipher configuration
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;

# HSTS - instructs browsers to only connect to you via HTTPS in the future
add_header Strict-Transport-Security max-age=15768000;


resolver 8.8.8.8;
}

# Listener on 443 with proxy_pass setup to hand it off to port 7100 (new Confluence port)
server {
listen 443 ssl http2;
server_name test1.domain.com;

location / {
proxy_pass http://localhost:7100;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_redirect off;
client_max_body_size 10M;
proxy_connect_timeout 30s;
proxy_read_timeout 60s;
satisfy any;
allow all;
}

## 500 error page - using default HTML directory for CentOS; change if desired. Sample error page and image background included in repository
error_page 500 502 503 504 /50x.html;
location ~ /50x.(html|png) {
root /usr/share/nginx/html;

}

ssl_certificate /etc/letsencrypt/live/test.domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/test.domain.com/privkey.pem;

## SSL Configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;

# Diffie-Hellman parameter for DHE ciphersuites
ssl_dhparam /etc/nginx/dhparam.pem;

# Protocol and Cipher configuration
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;

# HSTS - instructs browsers to only connect to you via HTTPS in the future
add_header Strict-Transport-Security max-age=15768000;


resolver 8.8.8.8;
}


}

kevent() reported about an closed connection error (no replies)

Hi,
We are using FreeBSD, nginx and php-fpm on our server for a PHP application. Sometimes "kevent() reported about an closed connection (54: Connection reset by peer) while reading response header from upstream..." occurs in the log file and I get the "502 Bad Gateway" error. A simple php-fpm restart solves the problem.
Any solution?

Stale Blocking in Proxy Cache (no replies)

$
0
0
Hello everyone, I'm in big trouble. I'm using nginx to do a proxy cache and enabled the directives:

proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on;
proxy_cache_background_update on;

When the cache expires, the contents of the stale are passed but at the same time the request is blocked until the contents update. The other requests come back with stale - updating. But this request that hangs is giving me a lot of headache, how to solve this?

DENY ALL ONLY ACCEPT SOME IP (no replies)

Hello,
Is it possible to add something to default.conf so that I can deny all from my page and only allow some IPs?

Here is my default.conf, but I don't know what I need to do...

server {
set $rootpath "/var/www/ipmp";
root $rootpath;
listen 80;

if ($request_uri ~ (/).*) {
rewrite ^ https://$host$request_uri? permanent;
}
if ($request_uri ~ (/mobile/).+) {
rewrite ^ https://$host$request_uri? permanent;
}
if ($request_uri ~ (/interactive/).*) {
rewrite ^ https://$host$request_uri? permanent;
}

include /etc/nginx/part.d/*.part;
}
server {
set $rootpath "/var/www/ipmp";
root $rootpath;
listen 443 ssl;
keepalive_timeout 70;

server_name $host;
ssl_certificate /ha_shared/ipmp/config/certificates/cert.csr;
ssl_certificate_key /ha_shared/ipmp/config/certificates/cert.key;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;

include /etc/nginx/part.d/*.part;
include /etc/nginx/part.d/onlyssl/*.part;
}

Where do I need to add that deny all? This is my root path: /var/www/ipmp. Hope someone can help.

root path customized (no replies)

Hello, I have configured my DNS CNAME: *.mydomain.com

Is this possible with nginx?

If the url does not have a sub domain use this root: /var/www/mydomain.com
If the url has www redirect to without www (that I already did)
If the url has the subdomain system (system.mydomain.com) use this root: /var/www/system
If the url has any other subdomain (company.mydomain.com or ong.mydomain.com) use this root: /var/www/companies

Is that possible?

Thank you

Missing /etc/nginx/sites-available/default (no replies)

I was following a tutorial to set up nginx on Ubuntu 16.04.

I am supposed to edit this file: /etc/nginx/sites-available/default
but it's not there; there is no folder like sites-available.
What should I do?

Nginx reverse proxy (no replies)

Hello,
I am trying to configure my nginx, which is installed on Ubuntu 16.10.
I have the following infrastructure

wan
|
nginx reverse proxy with domain ssl.example.com
|
web server http.example.com


http.example.com points to the ssl.example.com IP address.

When the client opens http://http.example.com, it should be redirected to https://http.example.com directly.
The client will establish SSL with my reverse proxy ssl.example.com "I already have installed a Let's Encrypt cert".
My reverse proxy should request http.example.com with no SSL.

It's like Cloudflare.

So what configuration should I use?
Also, how can I load balance to two web servers that are behind the reverse proxy?
Thanks.