Channel: Nginx Forum - How to...

Help with CORS configuration... (no replies)

Hi everybody...

I have this configuration applied to my server

in domain.nginx.conf file

location ~* \.(eot|otf|ttf|woff|woff2)$ {
    add_header Access-Control-Allow-Origin *;
}

location / {
    include /home/domain/conf/web/cors.conf;
    try_files $uri $uri/ /index.php?$args;

    if (!-e $request_filename)
    {
        rewrite ^(.+)$ /index.php?q=$1 last;
    }

    location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
        expires max;
    }

    include /home/domain/web/domain.com/public_html/nginx.conf;
}


and the file cors.conf has this

if ($request_method = 'OPTIONS') {
    add_header 'Access-Control-Allow-Origin' *;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
    add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
    add_header 'Access-Control-Max-Age' 1728000;
    add_header 'Content-Type' 'text/plain; charset=utf-8';
    add_header 'Content-Length' 0;
    return 204;
}
if ($request_method = 'POST') {
    add_header 'Access-Control-Allow-Origin' *;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
    add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
    add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
}
if ($request_method = 'GET') {
    add_header 'Access-Control-Allow-Origin' *;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
    add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
    add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
}


I am using WordPress with a special configuration for the admin area...

I have the principal domain with domain.com and www.domain.com and the admin area is at edicion.domain.com/wp-admin, and the site functions perfectly (previously it was installed on an Apache server but now I am using nginx for performance)

but now in nginx I receive some errors for some font resources like this

Access to Font at 'http://edicion.domaincom/nagos2015/wp-content/themes/motors/assets/fonts/service-fonts/stm-service-default.ttf?vcgqsx' from origin 'http://www.domain.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://www.domain.com' is therefore not allowed access.

and this is affecting the visual aspect of my site...

could you help me with this config...

maybe I am wrong with something....


tks....

How to limit requests per second per host (domain)? (no replies)

Hi there!
I have nginx serving several different domains.
I've already applied requests limits **per IP**, in order to protect against some types of attacks.

However, those limits are about the traffic coming from one IP.
Now I would like to allow no more than X requests per second **to a domain**.

Why would I want to do that in the first place? Well, my server runs several websites with nginx (uwsgi is in the background). I want to prevent uwsgi or nginx slowing down, timing out or going completely down due to a sudden and huge spike in traffic. It has happened in the past, and I'm already tuning my uwsgi application to make it faster and more scalable.

However, in the meantime, I would like to apply some security limits, to allow not more than X requests per second to a domain.
I've found an example on the web, but I'm not sure if this would work. I've tested locally and it does, but I want to be sure, that's why I'm making this post.


Is the following approach correct to limit requests per second to a domain?
In this example, if it's correct, I would be limiting to 10 requests per second the traffic to siteA.com and siteB.com, and 50 requests per second the traffic to siteC.com.
Notice the variable "$host" used as the key to create two different zones, one more restrictive than the other.

http {
    limit_req_zone $host zone=restrictive:10m rate=10r/s;
    limit_req_zone $host zone=powerful:10m rate=50r/s;

    server {
        server_name siteA.com;
        location / {
            limit_req zone=restrictive;
        }
    }

    server {
        server_name siteB.com;
        location / {
            limit_req zone=restrictive;
        }
    }

    server {
        server_name siteC.com;
        location / {
            limit_req zone=powerful;
        }
    }
}



What do you think?
Thanks in advance.
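
A small model of the accounting behind the configuration above, as an added example that is not part of the original post and not nginx's own code. It assumes no `burst` (as in the posted `limit_req` lines) and uses constructed request timestamps and client addresses; it shows that a zone keyed on `$host` keeps one bucket per host name, so siteA.com and siteB.com are limited independently even though both use the `restrictive` zone, while all clients of one site share that site's budget.

```python
# Simplified model of limit_req accounting with the zone keyed on $host.
# Assumptions (not nginx source): integer milli-request units, no burst.

ZONES = {"restrictive": 10, "powerful": 50}      # zone -> rate in r/s (from the post)
SERVERS = {"siteA.com": "restrictive",           # server_name -> limit_req zone
           "siteB.com": "restrictive",
           "siteC.com": "powerful"}


class Zone:
    """One limit_req_zone: a rate and one leaky-bucket state per key value."""

    def __init__(self, rate_per_sec):
        self.rate = rate_per_sec
        self.state = {}                           # key -> (excess, last_ms)

    def allow(self, key, now_ms, burst=0):
        """Return True if the request passes, False if it would be rejected."""
        if key not in self.state:                 # first request for this key
            self.state[key] = (0, now_ms)
            return True
        excess, last_ms = self.state[key]
        # The bucket drains rate*elapsed; the new request adds 1000 (= 1 request).
        excess = max(0, excess - self.rate * (now_ms - last_ms) + 1000)
        if excess > burst * 1000:
            return False                          # rejected; state is left unchanged
        self.state[key] = (excess, now_ms)
        return True


def simulate(requests):
    """Replay (time_ms, client_ip, host) tuples; return per-host pass/reject counts."""
    zones = {name: Zone(rate) for name, rate in ZONES.items()}
    counts = {}
    for now_ms, client_ip, host in sorted(requests):
        passed = zones[SERVERS[host]].allow(host, now_ms)   # key is $host only
        per_host = counts.setdefault(host, {"passed": 0, "rejected": 0})
        per_host["passed" if passed else "rejected"] += 1
    return counts


def sample_traffic():
    """Constructed one-second sample; client addresses are documentation ranges."""
    requests = []
    for t in range(0, 1000, 20):                  # 50 req/s to siteA and siteC
        client = "192.0.2.1" if (t // 20) % 2 == 0 else "192.0.2.2"
        requests.append((t, client, "siteA.com"))
        requests.append((t, "198.51.100.7", "siteC.com"))
    for t in range(0, 1000, 200):                 # 5 req/s to siteB
        requests.append((t, "203.0.113.9", "siteB.com"))
    return requests


if __name__ == "__main__":
    for host, result in sorted(simulate(sample_traffic()).items()):
        print(host, result)
```

In nginx a rejected request gets the `limit_req_status` code, 503 by default. `$host` comes from the request, so a server block that also answers for other names (for example as the default server) keeps a separate bucket for each distinct name it sees.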

nginx git configuration (3 replies)

Hi to all,

I tried to configure nginx to forward request auth to my git repository, which I've set up with SSH key authentication.
I've tried this solution but it does not work for me.

My nginx server has a public IP and I have to set proxypass auth to my git repo, which resides in another location that is reachable with a private address. I need the public URL with /location to forward the authentication with SSH key at port 22.
The proxypass auth must work with Git Bash or through Git Bash.
How can I do that?

Has anyone done that configuration in our environment?
_________________________________________________________________________

location /git {
proxy_pass http://172.16.10.12:22/gitrepos;}

# fcgiwrap is set up to listen on this host:port
fastcgi_pass localhost:9001;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/libexec/git-core/git-http-beckend;
# export all repositories under GIT_PROJECT_ROOT
fastcgi_param GIT_HTTP_EXPORT_ALL "";
fastcgi_param GIT_PROJECT_ROOT /home/git/gitrepo/;
fastcgi_param PATH_INFO $1;
____________________________________________________________________________

How to Verify Nginx Source Tarball with GPG on Ubuntu Server (no replies)

Hi, I am new to Nginx and to PGP/GPG. I am learning how to compile Nginx Open Source from source on Ubuntu server, and want to verify the source tarball file with the PGP signature provided.

The first step is to download the latest version of Nginx Open Source and its PGP signature.

I went to the Nginx downloads page https://nginx.org/en/download.html to find the URLs of the source tarball and PGP signature for the latest stable version. I downloaded them using the wget command as follows:

$ wget https://nginx.org/download/nginx-1.12.2.tar.gz

$ wget https://nginx.org/download/nginx-1.12.2.tar.gz.asc

I started following this tutorial on how to verify tarball PGP signatures: https://www.cyberciti.biz/faq/pgp-tarball-file-signature-keys-verification/

Next, I attempted to verify the signature of the tarball by using the gpg command:

$ gpg nginx-1.12.2.tar.gz.asc

The command gives this output:

gpg: Signature made Tue 21 Apr 2015 02:14:01 PM UTC using RSA key ID A1C052F8
gpg: Can't check signature: public key not found

The check fails because I do not have the public key of the signer.
I did a web search for 'nginx pgp keys' and found this page: https://nginx.org/en/pgp_keys.html where I found "nginx public key (used for signing packages and repositories)".
I downloaded this public key using wget, and then imported it:

$ gpg --import nginx_signing.key

However, when I attempted to verify the tarball signature again, I got the same error as before.

Finally, I found a tutorial (https://www.linode.com/docs/web-servers/nginx/installing-nginx-on-ubuntu-12-04-lts-precise-pangolin/) which happened to show the same RSA key ID A1C052F8. The tutorial also showed the successful output:

gpg: Good signature from "Maxim Dounin <mdounin@mdounin.ru>"
...

which is how I was able to determine that I needed Maxim Dounin’s PGP public key from the Nginx PGP keys page.

I downloaded and imported this signature, and now the verification check shows the "Good signature..." message, followed by a warning that there is no indication the signature belongs to the owner. To proceed from here, I would have to enter the web of trust as explained in the "How Do I Build Trust?" section at the end of the nixCraft tutorial linked above.

The problem I have with all this is that I was extremely lucky to find the linode tutorial showing the PGP public key I needed, and otherwise I would not have known which of the Nginx PGP public keys to import.

Am I missing something? Is there a better way to do this? How would I have known which public key to import?

Thank you,

noob13
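
One way to answer the question above offline, as an added example that is not part of the original post: compute the fingerprint of every key in each candidate key file and keep the file whose fingerprint ends in the key ID that gpg printed (A1C052F8 in the post). The file names and key material below are constructed, and only version 4 keys are handled.

```python
import base64
import hashlib


def packets(data):
    """Yield (tag, body) for each OpenPGP packet, old or new header format."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if hdr & 0x40:                        # new format: tag in the low 6 bits
            tag, first = hdr & 0x3F, data[i]
            if first < 192:
                n, i = first, i + 1
            elif first < 224:
                n, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                n, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths are not handled")
        else:                                 # old format: tag in bits 5..2
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            if size == 8:
                raise ValueError("indeterminate length is not handled")
            n, i = int.from_bytes(data[i:i + size], "big"), i + size
        yield tag, data[i:i + n]
        i += n


def dearmor(text):
    """Return the binary packets inside one ASCII-armored block."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    body = lines[lines.index("") + 1:-1]      # after the header gap, before END
    return base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))


def key_fingerprints(keyring):
    """v4 fingerprint (hex) of every public key (tag 6) and subkey (tag 14)."""
    return [hashlib.sha1(b"\x99" + len(b).to_bytes(2, "big") + b).hexdigest().upper()
            for tag, b in packets(keyring) if tag in (6, 14) and b[0] == 4]


def keys_matching(key_id, candidates):
    """Map each candidate file holding a key whose fingerprint ends in key_id
    (8, 16 or 40 hex digits, as printed by gpg) to that full fingerprint."""
    wanted = key_id.replace(" ", "").upper()
    hits = {}
    for name, armored in candidates.items():
        for fingerprint in key_fingerprints(dearmor(armored)):
            if fingerprint.endswith(wanted):
                hits[name] = fingerprint
    return hits


def constructed_candidates():
    """Two toy key files built here (constructed, not real keys)."""
    out = {}
    for name, created in (("candidate-a.key", 1), ("candidate-b.key", 2)):
        # v4 key body: version, creation time, RSA (1), then two tiny MPIs.
        body = b"\x04" + created.to_bytes(4, "big") + b"\x01\x00\x10\xc0\xde\x00\x02\x03"
        packet = b"\x99" + len(body).to_bytes(2, "big") + body   # old-format tag 6
        b64 = base64.b64encode(packet).decode()
        out[name] = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + b64 +
                     "\n-----END PGP PUBLIC KEY BLOCK-----\n")
    return out


if __name__ == "__main__":
    files = constructed_candidates()
    target = key_fingerprints(dearmor(files["candidate-b.key"]))[0][-8:]
    print(target, "->", keys_matching(target, files))
```

An 8-digit key ID is only the last 32 bits of the fingerprint, so compare the full 40-digit fingerprint this returns with one obtained from a separate trusted source before relying on the key.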

Add virtual path for a site (no replies)

Hello,
I'm trying to add a virtual path to a site and redirect it to the same content as the root.
This is the config I have at the moment:

server {
    listen 80;
    listen [::]:80;

    server_name url.example.com;

    root /var/www/url.example.com/path1/path2;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

I would like to make it so that when the user uses the URL url.example.com/foo/bar/ it displays the same website as in /

I've tried several options I saw online, but none worked.

Any idea how I can get there?

Thanks!!

sites-available default overriding other files (no replies)

I had Nginx working for about a week except I couldn't get curl to work. Then, while troubleshooting that, I had Nginx and PHP break, so I started over (reinstalled both). I want to use a domain name (grouperads.com) to access it only locally. And I want to use SSL. Like I said, I had it all working but now nothing seems to get it back.

After the new install, localhost works. And I did get a basic example.com site to also work. As soon as I tried anything with grouperads.com, whether http or https, nothing. Right now, localhost and http://grouperads.com/ both open the same page in /var/www/html/index.html
I can't tell if the default page is wrong and overriding grouperads.com or vice-versa. Or maybe something else?
Running Ubuntu 16.04, PHP 7.3, latest repo version of Nginx.
Thanks!

Here are my two sites-available files:
1st default

##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
    # listen 80 default_server;
    # listen [::]:80 default_server;

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
        # proxy_pass http://localhost:8080;
        # proxy_http_version 1.1;
        # proxy_set_header Upgrade $http_upgrade;
        # proxy_set_header Connection 'upgrade';
        # proxy_set_header Host $host;
        # proxy_cache_bypass $http_upgrade;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    include snippets/fastcgi-php.conf;
    #
    #    # With php7.0-cgi alone:
    #    fastcgi_pass 127.0.0.1:9000;
    #    # With php7.0-fpm:
    #    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#    listen 80;
#    listen [::]:80;
#
#    server_name example.com;
#
#    root /var/www/example.com;
#    index index.html;
#
#    location / {
#        try_files $uri $uri/ =404;
#    }
#}

______________________________________________________________________________________________
Now grouperads.com

server {

    listen 80 ;
    listen [::]:80;
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    root /var/www/grouperads.com/html;
    server_name grouperads.com www.grouperads.com;
    #access_log /var/www/grouperads.com/html/logs/.access.log;
    #error_log /var/www/logs/.error.log error;
    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;

    index index.php index.html index.htm index.nginx-debian.html;
    location / {

        try_files $uri $uri/ /index.php?$args ;
    }

    #Add trailing slash to */wp-admin requests.
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;

    # Directives to send expires headers and turn off 404 error logging.
    location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
        access_log off; log_not_found off; expires max;
    }


    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
        include snippets/fastcgi-php.conf;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    location ~ /\.ht {
        deny all;
    }
}

Reverse proxy for ssh (no replies)

Hello!

Need to make my nginx server listen to a specific domain address on port 80 and to pass it to my ssh linux server.

Of course I could do it with my router, but I have too many servers to do it with the router.

I think this is possible with the latest version, but how??

Thanks for your help

Nginx - How do you sync data across web servers? (no replies)

Hello,

I am in the process of designing the underlying infrastructure for a Joomla CMS that will operate on top of NGINX. The site needs to be resilient so that in the event of an outage the site can remain live.

I had planned on having 2 web servers and 2 database servers that would be split between our two datacentres and load balanced via Citrix Netscalers. My question is, where should I keep the site data and how would I replicate it?

I have looked into NFS Servers that are clustered or perhaps keeping the site data on the web front ends and using a tool like csync to replicate and synchronise. Does NGINX provide any features that can do this?

Any advice would be appreciated.

Thanks,

rewrite + proxy_pass in named location? (no replies)

Hi,

I have a named location where I'm trying to perform a proxy_pass, but of course I can't have a URI in the proxy_pass itself so I'm trying to use rewrite with proxy_pass. However, I've tried so many different things that don't seem to work.

Essentially, I want my proxy_pass URI to be "https://ph-service/authentication/token".

This is what I have so far and it's not working.

location @token {
    rewrite ^ /$1/authentication/token break;
    proxy_pass https://ph-service;
}

Thanks for the help!

'Redirect' POST request when path to the service changes (no replies)

Hey guys,

I'm not an expert on NGINX and am struggling with the redirection (if we can call it this way) of POST requests.
The thing is a service changed from, let's say, 'https://ip-address/app-label/rest/my-operation' to 'https://ip-address/new-app-label/rest/my-operation'
As you can see, the identification of the app changed and the rest of the URI is preserved.

To the old path, I used to have an NGINX location (the rule uses a regex, ^/app-label(/.*)$) and I only changed that to use the 'new-app-label' instead. It works.
But, at least temporarily, I need to keep the old path working (there are clients around using it).
So, my idea was to create another location still using the old label, and 'forwarding' the requests to the new location (preserving, naturally, the POST data).

In the beginning, I tried duplicating the location and playing with both labels, and both locations were pointing (and I'm using proxy_pass here) to the same upstream (the application properly said, in practical terms). But, because the app label (a.k.a. context path) changed, I also had to change the app context in the app setup. So, I believe I need to, somehow, modify (rewrite) the original request, replacing the old 'context path' by the new one, yet preserving the POST data, before I actually use proxy_pass to send it to the application. Makes sense to you? If it does, how'd you do it? I tried many combinations, but couldn't make it work yet.

If more info is required to clarify the issue, let me know. I hope I was able to explain the scenario.

Thanks so much for any help, in advance.

Cheers,
Pedro

Serve Image files only (no replies)

I am trying to serve image files only in this location block.

location /image \.(png|jpg)
{
    alias /site/;
}

But I keep receiving errors. What is the correct way to serve only png and jpg matching /images?

Nginx - Multiple reverse proxied sites with relative content (no replies)

I am trying to set up Nginx to work as a reverse proxy for multiple web apps running on the same server, however I have an issue where relative paths for content (CSS & JS) aren't looking in the correct location and thus returning 404 errors.

My Nginx config is set up like so:

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    location / {
        proxy_pass http://localhost:5000;
    }

    location /app/firstapp/
    {
        proxy_pass http://localhost:5100/;
    }

    location /app/secondapp/
    {
        proxy_pass http://localhost:5200/;
    }
}

When I go to localhost/app/firstapp in a browser, the html loads, but then the CSS and JS on that page are referenced with a relative path, so it tries to look at localhost/css/basecss.css rather than localhost/app/firstapp/css/basecss.css.

I can't use sub domains to resolve this, as I need the device this is running on to be accessible through its own domain, and through a LAN network with its own hostname.

I looked at http_sub_module, but as the JS on each app will perform AJAX requests with a relative path "/api/...." I can't replace the path in the JS as I'm unsure as to where it will be defined.

Also, I am working under the assumption that I don't have control over the content of the two apps, so I can't change the paths to content eg. href=/css to href=http://localhost/app/firstapp/css.

The closest I got was using the $http_referer to redirect requests for the CSS and JS. This worked, however, the CSS file also has a reference to another file with a relative path, and this request uses the CSS file as the referrer, so looking for /app/firstapp in the referral doesn't catch this second request.

I'm struggling as to how to do this implementation, if at all possible? Any advice would be greatly appreciated.

Disable TLS1.1 with NGINX & Tengine (no replies)

Hi,

We use the NGINX server with tengine version tengine-2.1.0 & openresty version - ngx_openresty-1.7.2.1 .

On the NGINX conf the SSL supported protocols have been restricted to use only TLS1.2. However the server is still accepting TLS1.1.

Could you please suggest what changes are required to disable TLS1.1?

nginx as reverse proxy with client ssl authentication (2 replies)

Hi,

I am using nginx 1.13.11 on Windows 10
I am trying to set up a reverse proxy for a HTTPS backend requiring client ssl authentication.

Tried this with the following config

---
worker_processes 1;


error_log logs/error.log debug;

events {
    worker_connections 1024;
}


http {
    include mime.types;
    default_type application/octet-stream;



    sendfile on;

    keepalive_timeout 65;

    server {
        listen 443 ssl;
        server_name localhost;

        ssl_certificate C:/data/nginx-1.13.11/conf/crt;
        ssl_certificate_key C:/data/nginx-1.13.11/conf/key;

        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;

        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location /path {
            proxy_pass https://backend
            proxy_ssl_certificate C:/data/nginx-1.13.11/conf/backend.crt;
            proxy_ssl_certificate_key C:/data/nginx-1.13.11/conf/backend.key;
        }

    }

}
---

This does not work. Debug log of a request can be found in the attached file.

Accessing the backend directly, with the backend cert+key imported into Firefox, works out of the box.

I do not know what software the backend is using.

Using my own Apache with client authentication as a backend for my nginx reverse proxy, this given config works.

I have no clue how to solve this. Maybe it's an SSL problem between nginx and the backend?

Does anyone have a hint on how to get it to work or how to analyse the reason it is not working?

no www in host header (no replies)

Hi there,

I have an http/https config in place which works but there is one issue our marketing team have asked about regarding no www in the URL. When users navigate to example.com the stanza redirects them to https://www.example.com fine but if they type in https://example.com the site loads but there is no www. This is apparently messing with SEO stats, etc.

I have pasted config below. I am not entirely sure why it does this I'd appreciate any thoughts.

server {
    listen 443 ssl http2;

    server_name .example.com;

    ssl_certificate /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;
    ssl_trusted_certificate /etc/ssl/certs/ca.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 180m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DHE+AES128:!ADH:!AECDH:!MD5;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options DENY;

    location / {
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass "http://127.0.0.1:3000";

    }

}

server {
    listen 80;
    server_name .example.com;
    return 301 https://www.example.com$request_uri;

}

connection timed out (110: Connection timed out) while proxying connection (no replies)

My config looks like this:

stream {
    server {
        listen 9999 ssl;
        tcp_nodelay on;
        ssl_certificate /etc/nginx/cert.crt;
        ssl_certificate_key /etc/nginx/cert.key;
        ssl_protocols TLSv1.2;
        ssl_session_cache shared:TLS:2m;
        proxy_pass xxx.xxx.xxx.xxx:8888;
    }
}

Under heavy traffic, things look fine. Under low traffic, I get lots of:

2018/04/10 19:10:47 [info] 8856#8856: *1 connection timed out (110: Connection timed out) while proxying connection, client: yyy.yyy.yyy.yyy, server: 0.0.0.0:9999, upstream: "xxx.xxx.xxx.xxx:8888", bytes from/to client:11417/75978, bytes from/to upstream:75978/11417

Why? How do I fix that?

Side note: I used to use stunnel, which had some TCP keepalive related settings. I was wondering whether I need something like this with nginx. Is there a way to send TCP keepalives to xxx.xxx.xxx.xxx:8888?

How to redirect web service URLs using nginx from internal to the URL (no replies)

Hi,

Hoping someone is able to provide some assistance or recommendations here.

We are wanting to make API calls from an internal network URL and have it automatically redirect to a cloud app URL.

The redirection works seamlessly on the browser level as there is a user proxy which manages it, however when trying to make a call outside the browser such as postman/soapui it won't connect.

The idea is to be able to maintain the old URL that interface calls go to such as:

https://interfaces.companyname.com/api/table/flash

and it translates to

https://companyname.vendorcompany-now.com/api/table/flash

Any suggestions will be greatly appreciated!



Thanks!

Is it possible to get the whole client certificate chain as a variable value? (no replies)

In case of a certificate hierarchy "CA -> Interm1 -> Interm2 -> a client certificate", after a successful SSL handshake the ssl_client_cert variable contains the client certificate but not the whole chain up to the CA certificate. Is there a variable/way to get the chain to put it into a header of a proxy_pass request?

how to tell nginx not to cache fastcgi (no replies)

how to tell nginx not to cache fastcgi if response/content size is less than some bytes?

Getting NGINX SSL working (no replies)

I am in need of some assistance getting NGINX working with SSL. I used CertBot to get a free SSL Certificate, and in the process of doing this it told me that my server wasn't found in the server variable or some message like that. It downloaded the certificate but did not auto install like it was supposed to.

I have tried to follow directions on several sites to manually install the certs with no luck..

I need help either getting NGINX setup correctly so that certbot can do the work, or to manually setup my server or both!!!!

HELP!!!