Channel: Nginx Forum

how can I use external URI with the auth_request module

Hello!

<http://stackoverflow.com/questions/42380402/how-can-i-use-external-uri-with-the-nginxs-auth-request-module#>
I'm trying to use nginx's ngx_http_auth_request_module in such a way:

server {

    location / {
        auth_request http://external.url;
        proxy_pass http://protected.resource;
    }
}
It doesn't work, the error is:

2017/02/21 02:45:36 [error] 17917#0: *17 open() "/usr/local/htmlhttp://external.url" failed (2: No such file or directory), ...
Or in this way with named location:

server {

    location / {
        auth_request @auth;
        proxy_pass http://protected.resource;
    }

    location @auth {
        proxy_pass http://external.url;
    }
}
In this case the error is almost the same:

2017/02/22 03:13:25 [error] 25476#0: *34 open() "/usr/local/html@auth" failed (2: No such file or directory), client: 127.0.0.1, server: , request: "GET / HTTP/1.1", subrequest: "@auth", host: "127.0.0.1"
I know there is a way like this:

server {

    location / {
        auth_request /_auth_check;
        proxy_pass http://protected.resource;
    }

    location /_auth_check {
        internal;
        proxy_pass http://external.url;
    }
}
But in this case the http://protected.resource can not use the /_auth_check path.

Is there a way to use an external URI as a parameter for the auth_request directive without overlapping the http://protected.resource routing?

If not, why?
It looks a little bit strange to look for the auth_request's URI through static files (/usr/local/html).


_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
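
Added example (not part of the original post): the internal-location form from the message above, narrowed to an exact-match location so that a single URI, rather than a whole prefix, is reserved for the authorization subrequest. The hostnames are the post's placeholders; the X-Original-URI header name is an assumption about what the external service expects.

```nginx
server {

    location / {
        # auth_request takes a URI that is resolved on this server, not an
        # absolute URL. A 2xx subrequest response allows the request,
        # 401 or 403 denies it, and any other status is treated as an error.
        auth_request /_auth_check;
        proxy_pass http://protected.resource;
    }

    # "=" makes this an exact match: only /_auth_check itself is taken away
    # from the protected resource, not every path that starts with it.
    location = /_auth_check {
        internal;                          # direct client requests get 404

        # Without a URI part, the external service sees "/_auth_check".
        # A URI part on proxy_pass would replace it upstream.
        proxy_pass http://external.url;

        # The authorization decision is made from headers only.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;   # assumed header name
    }
}
```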

Image Maps

Hi All,

I have searched the archives in hopes of answering this myself. But no luck.
My html was recently migrated from apache to nginx. It worked fine on
apache.

The html uses image maps, such as:
html v1 style: <br><a href=index.map><img src=index.jpg ISMAP></a>
or newer css style: <img src=index.jpg usemap="#mymap">

Neither seem to work with my nginx-1.10.1 on Fedora (really Amazon Linux).
(I believe this is an entirely different subject than the nginx maps
module.)

The image map looks something like this:
<map name="mymap">
rect /cgi-bin/picview.cgi?london01s.jpg 0,0 99,99
rect /cgi-bin/picview.cgi?london02s.jpg 100,0 199,99
rect /cgi-bin/picview.cgi?london03s.jpg 200,0 299,99
rect /cgi-bin/picview.cgi?london04s.jpg 300,0 399,99
rect /cgi-bin/picview.cgi?london05s.jpg 400,0 499,99
</map>

Any tips appreciated.

nginx as reverse proxy to several backends

Hi all,


I am trying to set up a reverse proxy with nginx so that, based on the
server_name, it goes to the correct backend.

I have been looking into examples but had no luck getting it actually working.

So this is what I want to do:

When a user types xxxx.yyy.be as normal http, it redirects to https and then
forwards it to backend number 1,

but when a user types zzzz.yyy.be, also as normal http, it redirects it to
https and forwards it to the correct backend (so here it would be
backend number 2).

So in sites-enabled I put several files that are being loaded, but
nothing is working.

So I would like to see an example that works, as I cannot find a
complete example to work with.

So please advise.


So here is my nginx.conf file

user www;
worker_processes auto;
pid /var/run/nginx.pid;

events {
    worker_connections 768;
    multi_accept on;
}

http {

    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    more_set_headers "Server: Your_New_Server_Name";
    server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /opt/local/etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    #ssl on;
    ssl_protocols TLSv1.2;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128;
    ssl_prefer_server_ciphers on;
    ssl_certificate /opt/local/etc/nginx/certs/fullchain.pem;
    ssl_certificate_key /opt/local/etc/nginx/certs/key.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_stapling on;
    ssl_stapling_verify on;
    ## Enable HSTS
    add_header Strict-Transport-Security max-age=63072000;

    # Do not allow this site to be displayed in iframes
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Do not permit Content-Type sniffing.
    add_header X-Content-Type-Options nosniff;
    ##
    # Logging Settings
    ##
    rewrite_log on;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    #gzip_vary on;
    #gzip_proxied any;
    #gzip_comp_level 6;
    #gzip_buffers 16 8k;
    #gzip_http_version 1.1;
    #gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    include /opt/local/etc/nginx/sites-enabled/*;
}

and then in sites-enabled there are following files:

owncloud and mattermost

here is the content:

owncloud:

upstream owncloud {
    server 192.168.1.51:80;
}

server {
    listen 80;
    server_name xxxx.yyy.be;
    return 301 https://$server_name$request_uri;
    #rewrite ^/.*$ https://$host$request_uri? permanent;
    more_set_headers "Server: None of Your Business";
    server_tokens off;
}
server {
    listen 443 ssl http2;
    server_name xxxx.yyy.be;
    more_set_headers "Server: None of Your Business";
    server_tokens off;

    location / {
        client_max_body_size 0;
        proxy_set_header Connection "";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Frame-Options SAMEORIGIN;
        proxy_buffers 256 16k;
        proxy_buffer_size 16k;
        proxy_read_timeout 600s;
        proxy_cache owncloud_cache;
        proxy_cache_revalidate on;
        proxy_cache_min_uses 2;
        proxy_cache_use_stale timeout;
        proxy_cache_lock on;
        proxy_pass http://192.168.1.51;
    }
    # Lets Encrypt Override
    location '/.well-known/acme-challenge' {
        root /var/www/proxy;
        auth_basic off;
    }

}

and mattermost:

server {
    listen 80;
    server_name zzzz.yyy.be;

    location / {
        return 301 https://$server_name$request_uri;

    }
}
server {
    listen 443;
    server_name zzzz.yyy.be;

    location / {
        client_max_body_size 0;
        proxy_set_header Connection "";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Frame-Options SAMEORIGIN;
        proxy_buffers 256 16k;
        proxy_buffer_size 16k;
        proxy_read_timeout 600s;
        proxy_cache mattermost_cache;
        proxy_cache_revalidate on;
        proxy_cache_min_uses 2;
        proxy_cache_use_stale timeout;
        proxy_cache_lock on;
        proxy_pass http://192.168.1.95:8065;
    }

}


This is working (more or less), but if I start moving the ssl bit into
the owncloud or mattermost it simply is not working any more.

Each time that I type http://zzzz.yyy.be I get 400 bad request
The plain HTTP request was sent to HTTPS port



Thanks

Filip Francis
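
The layout the message above asks for, as an added example that is not from the original post: one plain-HTTP server that only redirects, and one TLS server block per name, each proxying to its own backend. nginx returns "The plain HTTP request was sent to HTTPS port" when an unencrypted request reaches a listener that has TLS enabled, so TLS is switched on only through `listen 443 ssl`; hostnames, backend addresses and certificate paths are the post's, and a certificate valid for both names is an assumption.

```nginx
# Added example. These server blocks belong in files included from http{}.
# Assumption: fullchain.pem is valid for both xxxx.yyy.be and zzzz.yyy.be.

# Port 80 carries no TLS setting at all: it only redirects to HTTPS.
server {
    listen 80;
    server_name xxxx.yyy.be zzzz.yyy.be;
    return 301 https://$host$request_uri;
}

# TLS is enabled per listener with the "ssl" parameter of listen, so each
# HTTPS server block carries it together with its certificate.
server {
    listen 443 ssl http2;
    server_name xxxx.yyy.be;

    ssl_certificate     /opt/local/etc/nginx/certs/fullchain.pem;
    ssl_certificate_key /opt/local/etc/nginx/certs/key.pem;
    ssl_protocols       TLSv1.2;

    location / {
        client_max_body_size 0;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Set by the proxy itself: this block only ever serves HTTPS.
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 600s;
        proxy_pass http://192.168.1.51;          # backend number 1
    }
}

server {
    listen 443 ssl http2;
    server_name zzzz.yyy.be;

    ssl_certificate     /opt/local/etc/nginx/certs/fullchain.pem;
    ssl_certificate_key /opt/local/etc/nginx/certs/key.pem;
    ssl_protocols       TLSv1.2;

    location / {
        client_max_body_size 0;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 600s;
        proxy_pass http://192.168.1.95:8065;     # backend number 2
    }
}
```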



[PATCH] Contrib: vim syntax, listen option and SSL/Mail protocol keywords

# HG changeset patch
# User othree <othree@gmail.com>
# Date 1487737601 -28800
# Wed Feb 22 12:26:41 2017 +0800
# Node ID 00903b2132edb863e8aed2e84e216817fcc07c90
# Parent 87cf6ddb41c216876d13cffa5e637a61b159362c
Contrib: vim syntax, listen option and SSL/Mail protocol keywords.

diff --git a/contrib/vim/syntax/nginx.vim b/contrib/vim/syntax/nginx.vim
--- a/contrib/vim/syntax/nginx.vim
+++ b/contrib/vim/syntax/nginx.vim
@@ -8,17 +8,17 @@ end
setlocal iskeyword+=.
setlocal iskeyword+=/
setlocal iskeyword+=:

syn match ngxVariable '\$\(\w\+\|{\w\+}\)'
syn match ngxVariableBlock '\$\(\w\+\|{\w\+}\)' contained
syn match ngxVariableString '\$\(\w\+\|{\w\+}\)' contained
syn region ngxBlock start=+^+ end=+{+ skip=+\${+ contains=ngxComment,ngxDirectiveBlock,ngxVariableBlock,ngxString oneline
-syn region ngxString start=+\z(["']\)+ end=+\z1+ skip=+\\\\\|\\\z1+ contains=ngxVariableString
+syn region ngxString start=+[^:a-zA-Z>!\\@]\z(["']\)+lc=1 end=+\z1+ skip=+\\\\\|\\\z1+ contains=ngxVariableString
syn match ngxComment ' *#.*$'

syn keyword ngxBoolean on
syn keyword ngxBoolean off

syn keyword ngxDirectiveBlock http contained
syn keyword ngxDirectiveBlock mail contained
syn keyword ngxDirectiveBlock events contained
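Review bot: the new ngxString start pattern `[^:a-zA-Z>!\\@]\z(["']\)` with `lc=1` requires one character before the opening quote, so a quoted string that begins in the first column of a line no longer starts the region. If that is intended, add a short comment saying which constructs the excluded characters are meant to skip; otherwise accept start-of-line as an alternative to the character class.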
@@ -32,25 +32,44 @@ syn keyword ngxDirectiveBlock if
syn keyword ngxDirectiveBlock geo contained
syn keyword ngxDirectiveBlock map contained
syn keyword ngxDirectiveBlock split_clients contained

syn keyword ngxDirectiveImportant include
syn keyword ngxDirectiveImportant root
syn keyword ngxDirectiveImportant server
syn keyword ngxDirectiveImportant server_name
-syn keyword ngxDirectiveImportant listen
+syn keyword ngxDirectiveImportant listen contained
+syn region ngxDirectiveImportantListen matchgroup=ngxDirectiveImportant start=+listen+ skip=+\\\\\|\\\;+ end=+;+he=e-1 contains=ngxListenOptions,ngxString
syn keyword ngxDirectiveImportant internal
syn keyword ngxDirectiveImportant proxy_pass
syn keyword ngxDirectiveImportant memcached_pass
syn keyword ngxDirectiveImportant fastcgi_pass
syn keyword ngxDirectiveImportant scgi_pass
syn keyword ngxDirectiveImportant uwsgi_pass
syn keyword ngxDirectiveImportant try_files

+syn keyword ngxListenOptions default_server contained
+syn keyword ngxListenOptions ssl contained
+syn keyword ngxListenOptions http2 contained
+syn keyword ngxListenOptions spdy contained
+syn keyword ngxListenOptions proxy_protocol contained
+syn keyword ngxListenOptions setfib contained
+syn keyword ngxListenOptions fastopen contained
+syn keyword ngxListenOptions backlog contained
+syn keyword ngxListenOptions rcvbuf contained
+syn keyword ngxListenOptions sndbuf contained
+syn keyword ngxListenOptions accept_filter contained
+syn keyword ngxListenOptions deferred contained
+syn keyword ngxListenOptions bind contained
+syn keyword ngxListenOptions ipv6only contained
+syn keyword ngxListenOptions reuseport contained
+syn keyword ngxListenOptions so_keepalive contained
+syn keyword ngxListenOptions keepidle contained
+
syn keyword ngxDirectiveControl break
syn keyword ngxDirectiveControl return
syn keyword ngxDirectiveControl rewrite
syn keyword ngxDirectiveControl set

syn keyword ngxDirectiveError error_page
syn keyword ngxDirectiveError post_action
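Review bot: the region start `start=+listen+` on the new ngxDirectiveImportantListen line is not anchored to word boundaries, so the region can open on those letters anywhere, for example inside a hostname or path argument of another directive, and then runs to the next `;`. Consider `start=+\<listen\>+`, and add a one-line comment on why `listen` had to become `contained` plus a region, since the two lines are hard to read together without it.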

@@ -262,17 +281,18 @@ syn keyword ngxDirective perl_require
syn keyword ngxDirective perl_set
syn keyword ngxDirective pid
syn keyword ngxDirective pop3_auth
syn keyword ngxDirective pop3_capabilities
syn keyword ngxDirective port_in_redirect
syn keyword ngxDirective post_acceptex
syn keyword ngxDirective postpone_gzipping
syn keyword ngxDirective postpone_output
-syn keyword ngxDirective protocol
+syn keyword ngxDirective protocol nextgroup=ngxMailProtocol skipwhite
+syn keyword ngxMailProtocol imap pop3 smtp contained
syn keyword ngxDirective proxy
syn keyword ngxDirective proxy_bind
syn keyword ngxDirective proxy_buffer
syn keyword ngxDirective proxy_buffer_size
syn keyword ngxDirective proxy_buffering
syn keyword ngxDirective proxy_buffers
syn keyword ngxDirective proxy_busy_buffers_size
syn keyword ngxDirective proxy_cache
@@ -311,17 +331,17 @@ syn keyword ngxDirective proxy_read_time
syn keyword ngxDirective proxy_redirect
syn keyword ngxDirective proxy_send_lowat
syn keyword ngxDirective proxy_send_timeout
syn keyword ngxDirective proxy_set_body
syn keyword ngxDirective proxy_set_header
syn keyword ngxDirective proxy_ssl_ciphers
syn keyword ngxDirective proxy_ssl_crl
syn keyword ngxDirective proxy_ssl_name
-syn keyword ngxDirective proxy_ssl_protocols
+syn keyword ngxDirective proxy_ssl_protocols nextgroup=ngxSSLProtocol skipwhite
syn keyword ngxDirective proxy_ssl_server_name
syn keyword ngxDirective proxy_ssl_session_reuse
syn keyword ngxDirective proxy_ssl_trusted_certificate
syn keyword ngxDirective proxy_ssl_verify
syn keyword ngxDirective proxy_ssl_verify_depth
syn keyword ngxDirective proxy_store
syn keyword ngxDirective proxy_store_access
syn keyword ngxDirective proxy_temp_file_write_size
@@ -420,17 +440,18 @@ syn keyword ngxDirective ssl_certificate
syn keyword ngxDirective ssl_ciphers
syn keyword ngxDirective ssl_client_certificate
syn keyword ngxDirective ssl_crl
syn keyword ngxDirective ssl_dhparam
syn keyword ngxDirective ssl_ecdh_curve
syn keyword ngxDirective ssl_engine
syn keyword ngxDirective ssl_password_file
syn keyword ngxDirective ssl_prefer_server_ciphers
-syn keyword ngxDirective ssl_protocols
+syn keyword ngxDirective ssl_protocols nextgroup=ngxSSLProtocol skipwhite
+syn keyword ngxSSLProtocol SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 contained nextgroup=ngxSSLProtocol skipwhite
syn keyword ngxDirective ssl_session_cache
syn keyword ngxDirective ssl_session_ticket_key
syn keyword ngxDirective ssl_session_tickets
syn keyword ngxDirective ssl_session_timeout
syn keyword ngxDirective ssl_stapling
syn keyword ngxDirective ssl_stapling_file
syn keyword ngxDirective ssl_stapling_responder
syn keyword ngxDirective ssl_stapling_verify
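Review bot: in the new `ngxSSLProtocol` keyword line, `SSLv2` and `SSLv3` sit in the same group as `TLSv1.2`, and the group is linked to `Keyword`, so a configuration that enables an obsolete protocol is highlighted exactly like one that does not. Consider a separate group for the SSL versions, linked the way `ngxDirectiveDeprecated` is linked to `Error` in this file, so weak protocol settings stand out when a config is read.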
@@ -495,17 +516,17 @@ syn keyword ngxDirective uwsgi_param
syn keyword ngxDirective uwsgi_pass_header
syn keyword ngxDirective uwsgi_pass_request_body
syn keyword ngxDirective uwsgi_pass_request_headers
syn keyword ngxDirective uwsgi_read_timeout
syn keyword ngxDirective uwsgi_send_timeout
syn keyword ngxDirective uwsgi_ssl_ciphers
syn keyword ngxDirective uwsgi_ssl_crl
syn keyword ngxDirective uwsgi_ssl_name
-syn keyword ngxDirective uwsgi_ssl_protocols
+syn keyword ngxDirective uwsgi_ssl_protocols nextgroup=ngxSSLProtocol skipwhite
syn keyword ngxDirective uwsgi_ssl_server_name
syn keyword ngxDirective uwsgi_ssl_session_reuse
syn keyword ngxDirective uwsgi_ssl_trusted_certificate
syn keyword ngxDirective uwsgi_ssl_verify
syn keyword ngxDirective uwsgi_ssl_verify_depth
syn keyword ngxDirective uwsgi_store
syn keyword ngxDirective uwsgi_store_access
syn keyword ngxDirective uwsgi_string
@@ -828,9 +849,13 @@ hi link ngxBoolean Boolean
hi link ngxDirectiveBlock Statement
hi link ngxDirectiveImportant Type
hi link ngxDirectiveControl Keyword
hi link ngxDirectiveError Constant
hi link ngxDirectiveDeprecated Error
hi link ngxDirective Identifier
hi link ngxDirectiveThirdParty Special

+hi link ngxListenOptions Keyword
+hi link ngxMailProtocol Keyword
+hi link ngxSSLProtocol Keyword
+
let b:current_syntax = "nginx"
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

Re: Image Maps

On Tue, Feb 21, 2017 at 07:40:23PM -0700, Captain Wiggum wrote:

Hi there,

> The html uses image maps, such as:
> html v1 style: <br><a href=index.map><img src=index.jpg ISMAP></a>
> or newer css style: <img src=index.jpg usemap="#mymap">
>
> Neither seem to work with my nginx-1.10.1 on Fedora (really Amazon Linux).

Can you see which part is failing?

As I understand it, client-side image maps are unrelated to the web
server. The client decides what url to request depending on where in
the image is clicked.

> The image map looks something like this:
> <map name="mymap">
> rect /cgi-bin/picview.cgi?london01s.jpg 0,0 99,99
> rect /cgi-bin/picview.cgi?london02s.jpg 100,0 199,99
> rect /cgi-bin/picview.cgi?london03s.jpg 200,0 299,99
> rect /cgi-bin/picview.cgi?london04s.jpg 300,0 399,99
> rect /cgi-bin/picview.cgi?london05s.jpg 400,0 499,99
> </map>

So - if you see in your access log that the browser is not requesting
/cgi-bin/picview.cgi?london01s.jpg, you probably have a html or client
problem to fix.

If you see that the browser is requesting
/cgi-bin/picview.cgi?london01s.jpg, then you will want to see how you
have configured your nginx to deal with that url.

Note that nginx does not "do" cgi.

So whatever your plan is, it can't be to have nginx "do" cgi itself.

Perhaps it should proxy_pass to a http server; perhaps it should
fastcgi_pass to a fastcgi server that knows how to handle the request.

Good luck with it,

f
--
Francis Daly francis@daoine.org

[PATCH] Add static brotli module

# HG changeset patch
# User Evgenii Kliuchnikov <eustas.ru@gmail.com>
# Date 1487764873 -3600
# Wed Feb 22 13:01:13 2017 +0100
# Node ID 81eacab152efa88d1296cc04dfd110a168a6b1fb
# Parent 87cf6ddb41c216876d13cffa5e637a61b159362c
Add brotli static serving module

Brotli static serving module is a copy of gzip static serving module
with "gzip" and derivatives replaced with "brotli" and derivatives.

This module does not add any dependencies.
It allows serving offline-compressed content when browser specifies
that "br" content encoding is supported.

For lower binary overhead ngx_http_gzip_accept_encoding and
ngx_http_gzip_quantity were refactored to be used by both the gzip
and brotli modules.

diff -r 87cf6ddb41c2 -r 81eacab152ef auto/modules
--- a/auto/modules Fri Feb 17 17:01:27 2017 +0300
+++ b/auto/modules Wed Feb 22 13:01:13 2017 +0100
@@ -124,6 +124,7 @@

# the module order is important
# ngx_http_static_module
+# ngx_http_brotli_static_module
# ngx_http_gzip_static_module
# ngx_http_dav_module
# ngx_http_autoindex_module
@@ -160,6 +161,7 @@
HTTP_FILTER_MODULES=

ngx_module_order="ngx_http_static_module \
+ ngx_http_brotli_static_module \
ngx_http_gzip_static_module \
ngx_http_dav_module \
ngx_http_autoindex_module \
@@ -451,6 +453,19 @@
. auto/module
fi

+if [ $HTTP_BROTLI_STATIC = YES ]; then
+ have=NGX_HTTP_BROTLI . auto/have
+
+ ngx_module_name=ngx_http_brotli_static_module
+ ngx_module_incs=
+ ngx_module_deps=
+ ngx_module_srcs=src/http/modules/ngx_http_brotli_static_module.c
+ ngx_module_libs=
+ ngx_module_link=$HTTP_BROTLI_STATIC
+
+ . auto/module
+fi
+
if [ $HTTP_GZIP_STATIC = YES ]; then
have=NGX_HTTP_GZIP . auto/have

diff -r 87cf6ddb41c2 -r 81eacab152ef auto/options
--- a/auto/options Fri Feb 17 17:01:27 2017 +0300
+++ b/auto/options Wed Feb 22 13:01:13 2017 +0100
@@ -96,6 +96,7 @@
HTTP_FLV=NO
HTTP_MP4=NO
HTTP_GUNZIP=NO
+HTTP_BROTLI_STATIC=NO
HTTP_GZIP_STATIC=NO
HTTP_UPSTREAM_HASH=YES
HTTP_UPSTREAM_IP_HASH=YES
@@ -236,6 +237,7 @@
--with-http_flv_module) HTTP_FLV=YES ;;
--with-http_mp4_module) HTTP_MP4=YES ;;
--with-http_gunzip_module) HTTP_GUNZIP=YES ;;
+ --with-http_brotli_static_module) HTTP_BROTLI_STATIC=YES ;;
--with-http_gzip_static_module) HTTP_GZIP_STATIC=YES ;;
--with-http_auth_request_module) HTTP_AUTH_REQUEST=YES ;;
--with-http_random_index_module) HTTP_RANDOM_INDEX=YES ;;
@@ -444,6 +446,7 @@
--with-http_flv_module enable ngx_http_flv_module
--with-http_mp4_module enable ngx_http_mp4_module
--with-http_gunzip_module enable ngx_http_gunzip_module
+ --with-http_brotli_static_module enable ngx_http_brotli_static_module
--with-http_gzip_static_module enable ngx_http_gzip_static_module
--with-http_auth_request_module enable ngx_http_auth_request_module
--with-http_random_index_module enable ngx_http_random_index_module
diff -r 87cf6ddb41c2 -r 81eacab152ef contrib/vim/syntax/nginx.vim
--- a/contrib/vim/syntax/nginx.vim Fri Feb 17 17:01:27 2017 +0300
+++ b/contrib/vim/syntax/nginx.vim Wed Feb 22 13:01:13 2017 +0100
@@ -86,6 +86,7 @@
syn keyword ngxDirective autoindex
syn keyword ngxDirective autoindex_exact_size
syn keyword ngxDirective autoindex_localtime
+syn keyword ngxDirective brotli_static
syn keyword ngxDirective charset
syn keyword ngxDirective charset_types
syn keyword ngxDirective chunked_transfer_encoding
diff -r 87cf6ddb41c2 -r 81eacab152ef misc/GNUmakefile
--- a/misc/GNUmakefile Fri Feb 17 17:01:27 2017 +0300
+++ b/misc/GNUmakefile Wed Feb 22 13:01:13 2017 +0100
@@ -74,6 +74,7 @@
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
+ --with-http_brotli_static_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
diff -r 87cf6ddb41c2 -r 81eacab152ef
src/http/modules/ngx_http_brotli_static_module.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/http/modules/ngx_http_brotli_static_module.c Wed Feb 22 13:01:13
2017 +0100
@@ -0,0 +1,331 @@
+
+/*
+ * Copyright (C) Igor Sysoev
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_http.h>
+
+
+#define NGX_HTTP_BROTLI_STATIC_OFF 0
+#define NGX_HTTP_BROTLI_STATIC_ON 1
+#define NGX_HTTP_BROTLI_STATIC_ALWAYS 2
+
+
+typedef struct {
+ ngx_uint_t enable;
+} ngx_http_brotli_static_conf_t;
+
+
+static ngx_int_t ngx_http_brotli_static_handler(ngx_http_request_t *r);
+static void *ngx_http_brotli_static_create_conf(ngx_conf_t *cf);
+static char *ngx_http_brotli_static_merge_conf(ngx_conf_t *cf, void
*parent,
+ void *child);
+static ngx_int_t ngx_http_brotli_static_init(ngx_conf_t *cf);
+
+
+static ngx_conf_enum_t ngx_http_brotli_static[] = {
+ { ngx_string("off"), NGX_HTTP_BROTLI_STATIC_OFF },
+ { ngx_string("on"), NGX_HTTP_BROTLI_STATIC_ON },
+ { ngx_string("always"), NGX_HTTP_BROTLI_STATIC_ALWAYS },
+ { ngx_null_string, 0 }
+};
+
+
+static ngx_command_t ngx_http_brotli_static_commands[] = {
+
+ { ngx_string("brotli_static"),
+
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_enum_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_brotli_static_conf_t, enable),
+ &ngx_http_brotli_static },
+
+ ngx_null_command
+};
+
+
+ngx_http_module_t ngx_http_brotli_static_module_ctx = {
+ NULL, /* preconfiguration */
+ ngx_http_brotli_static_init, /* postconfiguration */
+
+ NULL, /* create main configuration */
+ NULL, /* init main configuration */
+
+ NULL, /* create server configuration
*/
+ NULL, /* merge server configuration */
+
+ ngx_http_brotli_static_create_conf, /* create location
configuration */
+ ngx_http_brotli_static_merge_conf /* merge location configuration
*/
+};
+
+
+ngx_module_t ngx_http_brotli_static_module = {
+ NGX_MODULE_V1,
+ &ngx_http_brotli_static_module_ctx, /* module context */
+ ngx_http_brotli_static_commands, /* module directives */
+ NGX_HTTP_MODULE, /* module type */
+ NULL, /* init master */
+ NULL, /* init module */
+ NULL, /* init process */
+ NULL, /* init thread */
+ NULL, /* exit thread */
+ NULL, /* exit process */
+ NULL, /* exit master */
+ NGX_MODULE_V1_PADDING
+};
+
+
+static ngx_int_t
+ngx_http_brotli_static_handler(ngx_http_request_t *r)
+{
+ u_char *p;
+ size_t root;
+ ngx_str_t path;
+ ngx_int_t rc;
+ ngx_uint_t level;
+ ngx_log_t *log;
+ ngx_buf_t *b;
+ ngx_chain_t out;
+ ngx_table_elt_t *h;
+ ngx_open_file_info_t of;
+ ngx_http_core_loc_conf_t *clcf;
+ ngx_http_brotli_static_conf_t *bscf;
+
+ if (!(r->method & (NGX_HTTP_GET|NGX_HTTP_HEAD))) {
+ return NGX_DECLINED;
+ }
+
+ if (r->uri.data[r->uri.len - 1] == '/') {
+ return NGX_DECLINED;
+ }
+
+ bscf = ngx_http_get_module_loc_conf(r, ngx_http_brotli_static_module);
+
+ if (bscf->enable == NGX_HTTP_BROTLI_STATIC_OFF) {
+ return NGX_DECLINED;
+ }
+
+ if (bscf->enable == NGX_HTTP_BROTLI_STATIC_ON) {
+ rc = ngx_http_brotli_ok(r);
+
+ } else {
+ /* always */
+ rc = NGX_OK;
+ }
+
+ clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
+
+ if (!clcf->gzip_vary && rc != NGX_OK) {
+ return NGX_DECLINED;
+ }
+
+ log = r->connection->log;
+
+ p = ngx_http_map_uri_to_path(r, &path, &root, sizeof(".br") - 1);
+ if (p == NULL) {
+ return NGX_HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+ *p++ = '.';
+ *p++ = 'b';
+ *p++ = 'r';
+ *p = '\0';
+
+ path.len = p - path.data;
+
+ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, log, 0,
+ "http filename: \"%s\"", path.data);
+
+ ngx_memzero(&of, sizeof(ngx_open_file_info_t));
+
+ of.read_ahead = clcf->read_ahead;
+ of.directio = clcf->directio;
+ of.valid = clcf->open_file_cache_valid;
+ of.min_uses = clcf->open_file_cache_min_uses;
+ of.errors = clcf->open_file_cache_errors;
+ of.events = clcf->open_file_cache_events;
+
+ if (ngx_http_set_disable_symlinks(r, clcf, &path, &of) != NGX_OK) {
+ return NGX_HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+ if (ngx_open_cached_file(clcf->open_file_cache, &path, &of, r->pool)
+ != NGX_OK)
+ {
+ switch (of.err) {
+
+ case 0:
+ return NGX_HTTP_INTERNAL_SERVER_ERROR;
+
+ case NGX_ENOENT:
+ case NGX_ENOTDIR:
+ case NGX_ENAMETOOLONG:
+
+ return NGX_DECLINED;
+
+ case NGX_EACCES:
+#if (NGX_HAVE_OPENAT)
+ case NGX_EMLINK:
+ case NGX_ELOOP:
+#endif
+
+ level = NGX_LOG_ERR;
+ break;
+
+ default:
+
+ level = NGX_LOG_CRIT;
+ break;
+ }
+
+ ngx_log_error(level, log, of.err,
+ "%s \"%s\" failed", of.failed, path.data);
+
+ return NGX_DECLINED;
+ }
+
+ if (bscf->enable == NGX_HTTP_BROTLI_STATIC_ON) {
+ r->gzip_vary = 1;
+
+ if (rc != NGX_OK) {
+ return NGX_DECLINED;
+ }
+ }
+
+ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, log, 0, "http static fd: %d",
of.fd);
+
+ if (of.is_dir) {
+ ngx_log_debug0(NGX_LOG_DEBUG_HTTP, log, 0, "http dir");
+ return NGX_DECLINED;
+ }
+
+#if !(NGX_WIN32) /* the not regular files are probably Unix specific */
+
+ if (!of.is_file) {
+ ngx_log_error(NGX_LOG_CRIT, log, 0,
+ "\"%s\" is not a regular file", path.data);
+
+ return NGX_HTTP_NOT_FOUND;
+ }
+
+#endif
+
+ r->root_tested = !r->error_page;
+
+ rc = ngx_http_discard_request_body(r);
+
+ if (rc != NGX_OK) {
+ return rc;
+ }
+
+ log->action = "sending response to client";
+
+ r->headers_out.status = NGX_HTTP_OK;
+ r->headers_out.content_length_n = of.size;
+ r->headers_out.last_modified_time = of.mtime;
+
+ if (ngx_http_set_etag(r) != NGX_OK) {
+ return NGX_HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+ if (ngx_http_set_content_type(r) != NGX_OK) {
+ return NGX_HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+ h = ngx_list_push(&r->headers_out.headers);
+ if (h == NULL) {
+ return NGX_ERROR;
+ }
+
+ h->hash = 1;
+ ngx_str_set(&h->key, "Content-Encoding");
+ ngx_str_set(&h->value, "br");
+ r->headers_out.content_encoding = h;
+
+ /* we need to allocate all before the header would be sent */
+
+ b = ngx_pcalloc(r->pool, sizeof(ngx_buf_t));
+ if (b == NULL) {
+ return NGX_HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+ b->file = ngx_pcalloc(r->pool, sizeof(ngx_file_t));
+ if (b->file == NULL) {
+ return NGX_HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+ rc = ngx_http_send_header(r);
+
+ if (rc == NGX_ERROR || rc > NGX_OK || r->header_only) {
+ return rc;
+ }
+
+ b->file_pos = 0;
+ b->file_last = of.size;
+
+ b->in_file = b->file_last ? 1 : 0;
+ b->last_buf = (r == r->main) ? 1 : 0;
+ b->last_in_chain = 1;
+
+ b->file->fd = of.fd;
+ b->file->name = path;
+ b->file->log = log;
+ b->file->directio = of.is_directio;
+
+ out.buf = b;
+ out.next = NULL;
+
+ return ngx_http_output_filter(r, &out);
+}
+
+
+static void *
+ngx_http_brotli_static_create_conf(ngx_conf_t *cf)
+{
+ ngx_http_brotli_static_conf_t *conf;
+
+ conf = ngx_palloc(cf->pool, sizeof(ngx_http_brotli_static_conf_t));
+ if (conf == NULL) {
+ return NULL;
+ }
+
+ conf->enable = NGX_CONF_UNSET_UINT;
+
+ return conf;
+}
+
+
+static char *
+ngx_http_brotli_static_merge_conf(ngx_conf_t *cf, void *parent, void
*child)
+{
+ ngx_http_brotli_static_conf_t *prev = parent;
+ ngx_http_brotli_static_conf_t *conf = child;
+
+ ngx_conf_merge_uint_value(conf->enable, prev->enable,
+ NGX_HTTP_BROTLI_STATIC_OFF);
+
+ return NGX_CONF_OK;
+}
+
+
+static ngx_int_t
+ngx_http_brotli_static_init(ngx_conf_t *cf)
+{
+ ngx_http_handler_pt *h;
+ ngx_http_core_main_conf_t *cmcf;
+
+ cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module);
+
+ h = ngx_array_push(&cmcf->phases[NGX_HTTP_CONTENT_PHASE].handlers);
+ if (h == NULL) {
+ return NGX_ERROR;
+ }
+
+ *h = ngx_http_brotli_static_handler;
+
+ return NGX_OK;
+}
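Review bot: the handler reads `clcf->gzip_vary` and sets `r->gzip_vary = 1`, both gzip-named, while the configure fragment for this module defines only `NGX_HTTP_BROTLI`. Please confirm the module builds and behaves with `--with-http_brotli_static_module` when no gzip module is enabled, or give the Vary handling a name that is not tied to gzip. Separately, on the `always` path `rc` is forced to `NGX_OK`, so the `.br` file is sent with `Content-Encoding: br` even to clients that did not list `br`; that behaviour needs a sentence in the directive's documentation.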
diff -r 87cf6ddb41c2 -r 81eacab152ef src/http/ngx_http_core_module.c
--- a/src/http/ngx_http_core_module.c Fri Feb 17 17:01:27 2017 +0300
+++ b/src/http/ngx_http_core_module.c Wed Feb 22 13:01:13 2017 +0100
@@ -73,9 +73,11 @@
void *conf);
static char *ngx_http_core_resolver(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);
+#if (NGX_HTTP_BROTLI || NGX_HTTP_GZIP)
+static ngx_int_t ngx_http_accept_encoding(ngx_str_t *ae, char *e, size_t
n);
+static ngx_uint_t ngx_http_encoding_quantity(u_char *p, u_char *last);
+#endif
#if (NGX_HTTP_GZIP)
-static ngx_int_t ngx_http_gzip_accept_encoding(ngx_str_t *ae);
-static ngx_uint_t ngx_http_gzip_quantity(u_char *p, u_char *last);
static char *ngx_http_gzip_disable(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);
#endif
@@ -2170,7 +2172,7 @@
*/

if (ngx_memcmp(ae->value.data, "gzip,", 5) != 0
- && ngx_http_gzip_accept_encoding(&ae->value) != NGX_OK)
+ && ngx_http_accept_encoding(&ae->value, "gzip", 4) != NGX_OK)
{
return NGX_DECLINED;
}
@@ -2296,16 +2298,20 @@
return NGX_OK;
}

+#endif
+
+
+#if (NGX_HTTP_BROTLI || NGX_HTTP_GZIP)

/*
- * gzip is enabled for the following quantities:
+ * encoding is enabled for the following quantities:
* "gzip; q=0.001" ... "gzip; q=1.000"
- * gzip is disabled for the following quantities:
- * "gzip; q=0" ... "gzip; q=0.000", and for any invalid cases
+ * encoding is disabled for the following quantities:
+ * "br; q=0" ... "br; q=0.000", and for any invalid cases
*/

static ngx_int_t
-ngx_http_gzip_accept_encoding(ngx_str_t *ae)
+ngx_http_accept_encoding(ngx_str_t *ae, char *e, size_t n)
{
u_char *p, *start, *last;
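Review bot: the rewritten comment above `ngx_http_accept_encoding` now gives `"gzip; q=0.001"` as the example for the enabled range and `"br; q=0"` for the disabled range, which reads as if the two encodings were handled differently. Use one placeholder for both ranges, and add a line documenting the new `e` and `n` parameters, in particular that `n` is the length of `e` without the terminating NUL.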

@@ -2313,7 +2319,7 @@
last = start + ae->len;

for ( ;; ) {
- p = ngx_strcasestrn(start, "gzip", 4 - 1);
+ p = ngx_strcasestrn(start, e, n - 1);
if (p == NULL) {
return NGX_DECLINED;
}
@@ -2322,10 +2328,10 @@
break;
}

- start = p + 4;
- }
-
- p += 4;
+ start = p + n;
+ }
+
+ p += n;

while (p < last) {
switch (*p++) {
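Review bot: the removed and re-added `}` and the blank line before `p += n;` differ only in whitespace. Please drop that whitespace churn so the hunk shows just the substitution of `4` by `n`.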
@@ -2364,7 +2370,7 @@
return NGX_DECLINED;
}

- if (ngx_http_gzip_quantity(p, last) == 0) {
+ if (ngx_http_encoding_quantity(p, last) == 0) {
return NGX_DECLINED;
}

@@ -2373,7 +2379,7 @@


static ngx_uint_t
-ngx_http_gzip_quantity(u_char *p, u_char *last)
+ngx_http_encoding_quantity(u_char *p, u_char *last)
{
u_char c;
ngx_uint_t n, q;
@@ -2428,6 +2434,37 @@
#endif


+#if (NGX_HTTP_BROTLI)
+
+ngx_int_t
+ngx_http_brotli_ok(ngx_http_request_t *r)
+{
+ ngx_table_elt_t *ae;
+
+ if (r != r->main) {
+ return NGX_DECLINED;
+ }
+
+ ae = r->headers_in.accept_encoding;
+ if (ae == NULL) {
+ return NGX_DECLINED;
+ }
+
+ if (ae->value.len < sizeof("br") - 1) {
+ return NGX_DECLINED;
+ }
+
+ if (ngx_http_accept_encoding(&ae->value, "br", 2) != NGX_OK)
+ {
+ return NGX_DECLINED;
+ }
+
+ return NGX_OK;
+}
+
+#endif
+
+
ngx_int_t
ngx_http_subrequest(ngx_http_request_t *r,
ngx_str_t *uri, ngx_str_t *args, ngx_http_request_t **psr,
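Review bot: in `ngx_http_brotli_ok()` the `ngx_http_accept_encoding(&ae->value, "br", 2)` check puts its opening brace on a separate line although the condition fits on one line, unlike the other `if` statements in the function. The preceding `ae->value.len < sizeof("br") - 1` test only rejects values shorter than two bytes, which the search would decline anyway, so it can be removed or explained in a comment.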
diff -r 87cf6ddb41c2 -r 81eacab152ef src/http/ngx_http_core_module.h
--- a/src/http/ngx_http_core_module.h Fri Feb 17 17:01:27 2017 +0300
+++ b/src/http/ngx_http_core_module.h Wed Feb 22 13:01:13 2017 +0100
@@ -506,6 +506,9 @@
ngx_int_t ngx_http_gzip_ok(ngx_http_request_t *r);
#endif

+#if (NGX_HTTP_BROTLI)
+ngx_int_t ngx_http_brotli_ok(ngx_http_request_t *r);
+#endif

ngx_int_t ngx_http_subrequest(ngx_http_request_t *r,
ngx_str_t *uri, ngx_str_t *args, ngx_http_request_t **sr,


--
Best regards, Evgenii Kliuchnikov
WBR, Eugene Kluchnikov

[PATCH] HTTP/2: Make $scheme variable return :scheme pseudo-header value

# HG changeset patch
# User Chris Branch <cbranch@cloudflare.com>
# Date 1487773385 0
# Wed Feb 22 14:23:05 2017 +0000
# Node ID 2d050c8c2e688c26f4796a09c728c85678c611b4
# Parent 87cf6ddb41c216876d13cffa5e637a61b159362c
HTTP/2: Make $scheme variable return :scheme pseudo-header value.

This is relevant for plaintext HTTP/2 as well as HTTP/2 over TLS using
opportunistic security, as described in:
https://tools.ietf.org/html/draft-ietf-httpbis-http2-encryption

diff -r 87cf6ddb41c2 -r 2d050c8c2e68 src/http/ngx_http_variables.c
--- a/src/http/ngx_http_variables.c Fri Feb 17 17:01:27 2017 +0300
+++ b/src/http/ngx_http_variables.c Wed Feb 22 14:23:05 2017 +0000
@@ -1386,6 +1386,16 @@
ngx_http_variable_scheme(ngx_http_request_t *r,
ngx_http_variable_value_t *v, uintptr_t data)
{
+ if (r->schema_start) {
+ v->len = r->schema_end - r->schema_start;
+ v->valid = 1;
+ v->no_cacheable = 0;
+ v->not_found = 0;
+ v->data = r->schema_start;
+
+ return NGX_OK;
+ }
+
#if (NGX_HTTP_SSL)

if (r->connection->ssl) {
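Review bot: the new early return at the top of ngx_http_variable_scheme() sits before the r->connection->ssl check, so whenever r->schema_start is set, $scheme becomes whatever the request carried instead of reflecting whether the connection is TLS. Configurations that compare $scheme with "https" for redirects or forward it to a backend would then act on a client-supplied value. Consider exposing the request's scheme through a separate variable, or validating it against the connection state before returning it, and document the change in behaviour.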

Re: [PATCH] Add static brotli module

On Wednesday 22 February 2017 13:58:57 Eugene Kluchnikov wrote:
> # HG changeset patch
> # User Evgenii Kliuchnikov <eustas.ru@gmail.com>
> # Date 1487764873 -3600
> # Wed Feb 22 13:01:13 2017 +0100
> # Node ID 81eacab152efa88d1296cc04dfd110a168a6b1fb
> # Parent 87cf6ddb41c216876d13cffa5e637a61b159362c
> Add brotli static serving module
>
> Brotli static serving module is a copy of gzip static serving module
> with "gzip" and derivatives replaced with "brotli" and derivatives.
[..]

At first glance, the differences are really small and
such functionality can be combined in one module.

wbr, Valentin V. Bartenev


Re: [PATCH] HTTP/2: Make $scheme variable return :scheme pseudo-header value

On Wednesday 22 February 2017 14:30:21 Chris Branch via nginx-devel wrote:
> # HG changeset patch
> # User Chris Branch <cbranch@cloudflare.com>
> # Date 1487773385 0
> # Wed Feb 22 14:23:05 2017 +0000
> # Node ID 2d050c8c2e688c26f4796a09c728c85678c611b4
> # Parent 87cf6ddb41c216876d13cffa5e637a61b159362c
> HTTP/2: Make $scheme variable return :scheme pseudo-header value.
>
> This is relevant for plaintext HTTP/2 as well as HTTP/2 over TLS using
> opportunistic security, as described in:
> https://tools.ietf.org/html/draft-ietf-httpbis-http2-encryption
>
[..]

This patch creates inconsistency in behavior of the $scheme variable for
HTTP/1.x and HTTP/2. Potentially, it can also break some existing setups.

IMHO, it's better to introduce another variable.

wbr, Valentin V. Bartenev


RE: Nginx multiple upstream with different protocols

If you are SSL on the frontend (server directive) why would you want to proxy between ssl/non-ssl on the upstreams? Can they not be the same? I don't get what you are trying to solve?

From: nginx [mailto:nginx-bounces@nginx.org] On Behalf Of Kilian Ries
Sent: Wednesday, February 22, 2017 9:55 AM
To: nginx@nginx.org
Subject: Nginx multiple upstream with different protocols


Hi,



i'm trying to setup two Nginx upstreams (one with HTTP and one with HTTPS) and the proxy_pass module should decide which of the upstreams is serving "valid" content.



The config should look like this:



upstream proxy_backend {
    server xxx.xx.188.53;
    server xxx.xx.188.53:443;
}

server {
    listen 443 ssl;
    ...
    location / {
        proxy_pass http://proxy_backend;
        #proxy_pass https://proxy_backend;
    }
}





The Problem is that i don't know if the upstream is serving the content via http or https. Is there any possibility to tell nginx to change the protocol from the proxy_pass directive? Because if i set proxy_pass to https, i get an error (502 / 400) if the upstream website is running on http and vice versa.



So i'm searching for a way to let Nginx decide if he should proxy_pass via http or https. Can anybody help me with that configuration?



Thanks

Greets

Kilian

________________________________

This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain information that is confidential and protected by law from unauthorized disclosure. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

Nginx multiple upstream with different protocols

Hi,


i'm trying to setup two Nginx upstreams (one with HTTP and one with HTTPS) and the proxy_pass module should decide which of the upstreams is serving "valid" content.


The config should look like this:


upstream proxy_backend {
    server xxx.xx.188.53;
    server xxx.xx.188.53:443;
}

server {
    listen 443 ssl;
    ...
    location / {
        proxy_pass http://proxy_backend;
        #proxy_pass https://proxy_backend;
    }
}



The Problem is that i don't know if the upstream is serving the content via http or https. Is there any possibility to tell nginx to change the protocol from the proxy_pass directive? Because if i set proxy_pass to https, i get an error (502 / 400) if the upstream website is running on http and vice versa.


So i'm searching for a way to let Nginx decide if he should proxy_pass via http or https. Can anybody help me with that configuration?


Thanks

Greets

Kilian

Re: [PATCH] Add static brotli module

Yup. Going to try to create a "combined" module soon =)

On 22 February 2017 at 15:40, Valentin V. Bartenev <vbart@nginx.com> wrote:

> On Wednesday 22 February 2017 13:58:57 Eugene Kluchnikov wrote:
> > # HG changeset patch
> > # User Evgenii Kliuchnikov <eustas.ru@gmail.com>
> > # Date 1487764873 -3600
> > # Wed Feb 22 13:01:13 2017 +0100
> > # Node ID 81eacab152efa88d1296cc04dfd110a168a6b1fb
> > # Parent 87cf6ddb41c216876d13cffa5e637a61b159362c
> > Add brotli static serving module
> >
> > Brotli static serving module is a copy of gzip static serving module
> > with "gzip" and derivatives replaced with "brotli" and derivatives.
> [..]
>
> At first glance, the differences are really small and
> such functionality can be combined in one module.
>
> wbr, Valentin V. Bartenev



--
Best regards, Evgenii Kliuchnikov
WBR, Eugene Kluchnikov

Re: Cache only static files in sub/subfolder but not sub

Hi Francis

You're right, I overlooked the ^~ for the location.

So for others, the solution to "force" the location directives is..


location ^~ /thumbs/embedded {
    add_header X-Served-By "IDENT1";
    add_header Cache-Control public;
    add_header Pragma 'public';
    add_header X-Cache-Status $upstream_cache_status;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_set_header HOST $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    error_page 404 = /image404.php;
    proxy_pass http://127.0.0.1:9001;
}

## Match what's not in the above location directive
## (the dot before the extension is escaped so it matches a literal ".")
location ~* ^.+\.(jpg|jpeg|gif|css|png|js|ico|xml)$ {
    #access_log on;
    #log_not_found on;
    aio on;
    sendfile on;
    expires max;
    add_header Cache-Control public;
    add_header Pragma 'public';
    add_header X-Served-By "IDENT2";
    #add_header X-Frame-Options SAMEORIGIN;
    error_page 404 = /image404.php;
}


The quick view is that
location /thumbs/embedded {

change into

location ^~ /thumbs/embedded {

Pretty cool actually :)
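
The effect of the `^~` change described in the post above, as an added example that is not part of the original post: a small Python model of nginx's documented location selection order, run against the two locations from the post. The catch-all `/` location, the sample URIs and the function names are assumptions made for the illustration, and the regex is written with an escaped dot.

```python
import re


def select_location(locations, uri):
    """Return the label of the location nginx would choose for uri.

    locations: list of (modifier, pattern, label) in configuration order,
    where modifier is one of "=", "" (plain prefix), "^~", "~", "~*".
    """
    best = None  # longest matching prefix location found so far
    for mod, pat, label in locations:
        if mod == "=" and uri == pat:
            return label  # an exact match ends the search at once
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, label)

    # If the longest prefix match carries ^~, regex locations are not checked.
    if best is not None and best[0] == "^~":
        return best[2]

    # Otherwise regex locations are tried in configuration order; first hit wins.
    for mod, pat, label in locations:
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, uri, flags):
                return label

    # No regex matched: fall back to the remembered longest prefix.
    return best[2] if best is not None else None


# Regex from the post, with the dot before the extension escaped.
STATIC_RE = r"^.+\.(jpg|jpeg|gif|css|png|js|ico|xml)$"

# Labels reuse the X-Served-By values from the post; "default" is assumed.
BEFORE = [
    ("", "/", "default"),
    ("", "/thumbs/embedded", "IDENT1"),
    ("~*", STATIC_RE, "IDENT2"),
]
AFTER = [
    ("", "/", "default"),
    ("^~", "/thumbs/embedded", "IDENT1"),
    ("~*", STATIC_RE, "IDENT2"),
]


def compare(uri):
    """Return (location chosen before the change, location chosen after)."""
    return select_location(BEFORE, uri), select_location(AFTER, uri)


if __name__ == "__main__":
    # Constructed sample URIs.
    for uri in ("/thumbs/embedded/a.jpg", "/thumbs/embedded/view",
                "/css/site.css", "/index.php"):
        before, after = compare(uri)
        print(f"{uri:28} before={before:8} after={after}")
```

Without `^~`, an image under `/thumbs/embedded` is handled by the regex location, so none of the proxy and header directives of the prefix location apply to it; the same precedence rule matters when a prefix location carries access controls.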

AW: Nginx multiple upstream with different protocols

No they cannot be the same (sadly) because i don't know how the upstream is serving the content. Think of a situation where i am not in control of the upstream backends and they may change from http to https over time.

________________________________
From: nginx <nginx-bounces@nginx.org> on behalf of Cox, Eric S <eric.cox@kroger.com>
Sent: Wednesday, 22 February 2017 15:58:26
To: nginx@nginx.org
Subject: RE: Nginx multiple upstream with different protocols

If you are SSL on the frontend (server directive) why would you want to proxy between ssl/non-ssl on the upstreams? Can they not be the same? I don't get what you are trying to solve?

From: nginx [mailto:nginx-bounces@nginx.org] On Behalf Of Kilian Ries
Sent: Wednesday, February 22, 2017 9:55 AM
To: nginx@nginx.org
Subject: Nginx multiple upstream with different protocols


Hi,



i'm trying to setup two Nginx upstreams (one with HTTP and one with HTTPS) and the proxy_pass module should decide which of the upstreams is serving "valid" content.



The config should look like this:



upstream proxy_backend {
    server xxx.xx.188.53;
    server xxx.xx.188.53:443;
}

server {
    listen 443 ssl;
    ...
    location / {
        proxy_pass http://proxy_backend;
        #proxy_pass https://proxy_backend;
    }
}





The Problem is that i don't know if the upstream is serving the content via http or https. Is there any possibility to tell nginx to change the protocol from the proxy_pass directive? Because if i set proxy_pass to https, i get an error (502 / 400) if the upstream website is running on http and vice versa.



So i'm searching for a way to let Nginx decide if he should proxy_pass via http or https. Can anybody help me with that configuration?



Thanks

Greets

Kilian


LEMP stack downloading php files

I'm working on doing a secure Drupal install on a LEMP stack and am getting php files, info.php or index.php downloading instead of displaying. I see no errors in the logs at all. php-fpm seems to be running ok. I've looked over several discussion groups and it seems to be a common issue when first configuring nginx on a linux box, with MySql (MariaDB) and PHP. I've tried this on an Ubuntu build and a CentOS. I've gotten the server setup to the point of installing drupal and the php processor is failing.

Everyone also seems to think, oh it's just a tweak to the default.conf file/nginx config.
so far I've tried at least a dozen different suggestions and nothing seems to get php files to display properly.

Does anyone know of a link to a tried and true set of tweaks or config suggestions?

Thanks,

[nginx] Contrib: vim syntax, listen option and SSL/Mail protocol keywords.

details: http://hg.nginx.org/nginx/rev/00903b2132ed
branches:
changeset: 6918:00903b2132ed
user: othree <othree@gmail.com>
date: Wed Feb 22 12:26:41 2017 +0800
description:
Contrib: vim syntax, listen option and SSL/Mail protocol keywords.

diffstat:

contrib/vim/syntax/nginx.vim | 37 +++++++++++++++++++++++++++++++------
1 files changed, 31 insertions(+), 6 deletions(-)

diffs (94 lines):

diff --git a/contrib/vim/syntax/nginx.vim b/contrib/vim/syntax/nginx.vim
--- a/contrib/vim/syntax/nginx.vim
+++ b/contrib/vim/syntax/nginx.vim
@@ -13,7 +13,7 @@ syn match ngxVariable '\$\(\w\+\|{\w\+}\
syn match ngxVariableBlock '\$\(\w\+\|{\w\+}\)' contained
syn match ngxVariableString '\$\(\w\+\|{\w\+}\)' contained
syn region ngxBlock start=+^+ end=+{+ skip=+\${+ contains=ngxComment,ngxDirectiveBlock,ngxVariableBlock,ngxString oneline
-syn region ngxString start=+\z(["']\)+ end=+\z1+ skip=+\\\\\|\\\z1+ contains=ngxVariableString
+syn region ngxString start=+[^:a-zA-Z>!\\@]\z(["']\)+lc=1 end=+\z1+ skip=+\\\\\|\\\z1+ contains=ngxVariableString
syn match ngxComment ' *#.*$'

syn keyword ngxBoolean on
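Review bot: the new ngxString start pattern, [^:a-zA-Z>!\\@]\z(["']\) with lc=1, requires one character before the opening quote, so a quoted string that begins in the first column of a line no longer starts a string region. If that is not intended, accept start of line as an alternative to the excluded-character class. A comment naming the constructs those excluded characters are meant to skip would also help, since the class is not self-explanatory.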
@@ -37,7 +37,8 @@ syn keyword ngxDirectiveImportant includ
syn keyword ngxDirectiveImportant root
syn keyword ngxDirectiveImportant server
syn keyword ngxDirectiveImportant server_name
-syn keyword ngxDirectiveImportant listen
+syn keyword ngxDirectiveImportant listen contained
+syn region ngxDirectiveImportantListen matchgroup=ngxDirectiveImportant start=+listen+ skip=+\\\\\|\\\;+ end=+;+he=e-1 contains=ngxListenOptions,ngxString
syn keyword ngxDirectiveImportant internal
syn keyword ngxDirectiveImportant proxy_pass
syn keyword ngxDirectiveImportant memcached_pass
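Review bot: the ngxDirectiveImportantListen region uses start=+listen+ with no word boundary, so it can open at any occurrence of those letters, including inside a longer argument or name. Anchor it, for example start=+\<listen\>+, so that only the directive opens the region. Because the region is not oneline and ends at +;+, a listen line with a missing semicolon will also run on to the next ';' in the file; say in a comment whether that is accepted.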
@@ -46,6 +47,24 @@ syn keyword ngxDirectiveImportant scgi_p
syn keyword ngxDirectiveImportant uwsgi_pass
syn keyword ngxDirectiveImportant try_files

+syn keyword ngxListenOptions default_server contained
+syn keyword ngxListenOptions ssl contained
+syn keyword ngxListenOptions http2 contained
+syn keyword ngxListenOptions spdy contained
+syn keyword ngxListenOptions proxy_protocol contained
+syn keyword ngxListenOptions setfib contained
+syn keyword ngxListenOptions fastopen contained
+syn keyword ngxListenOptions backlog contained
+syn keyword ngxListenOptions rcvbuf contained
+syn keyword ngxListenOptions sndbuf contained
+syn keyword ngxListenOptions accept_filter contained
+syn keyword ngxListenOptions deferred contained
+syn keyword ngxListenOptions bind contained
+syn keyword ngxListenOptions ipv6only contained
+syn keyword ngxListenOptions reuseport contained
+syn keyword ngxListenOptions so_keepalive contained
+syn keyword ngxListenOptions keepidle contained
+
syn keyword ngxDirectiveControl break
syn keyword ngxDirectiveControl return
syn keyword ngxDirectiveControl rewrite
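Review bot: keepidle is listed as a listen option, but in nginx it only appears as a field of the so_keepalive= value (keepidle:keepintvl:keepcnt), not as a parameter name, and its siblings keepintvl and keepcnt are not listed. Drop it from ngxListenOptions, or handle the so_keepalive value as its own group.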
@@ -267,7 +286,8 @@ syn keyword ngxDirective port_in_redirec
syn keyword ngxDirective post_acceptex
syn keyword ngxDirective postpone_gzipping
syn keyword ngxDirective postpone_output
-syn keyword ngxDirective protocol
+syn keyword ngxDirective protocol nextgroup=ngxMailProtocol skipwhite
+syn keyword ngxMailProtocol imap pop3 smtp contained
syn keyword ngxDirective proxy
syn keyword ngxDirective proxy_bind
syn keyword ngxDirective proxy_buffer
@@ -316,7 +336,7 @@ syn keyword ngxDirective proxy_set_heade
syn keyword ngxDirective proxy_ssl_ciphers
syn keyword ngxDirective proxy_ssl_crl
syn keyword ngxDirective proxy_ssl_name
-syn keyword ngxDirective proxy_ssl_protocols
+syn keyword ngxDirective proxy_ssl_protocols nextgroup=ngxSSLProtocol skipwhite
syn keyword ngxDirective proxy_ssl_server_name
syn keyword ngxDirective proxy_ssl_session_reuse
syn keyword ngxDirective proxy_ssl_trusted_certificate
@@ -425,7 +445,8 @@ syn keyword ngxDirective ssl_ecdh_curve
syn keyword ngxDirective ssl_engine
syn keyword ngxDirective ssl_password_file
syn keyword ngxDirective ssl_prefer_server_ciphers
-syn keyword ngxDirective ssl_protocols
+syn keyword ngxDirective ssl_protocols nextgroup=ngxSSLProtocol skipwhite
+syn keyword ngxSSLProtocol SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 contained nextgroup=ngxSSLProtocol skipwhite
syn keyword ngxDirective ssl_session_cache
syn keyword ngxDirective ssl_session_ticket_key
syn keyword ngxDirective ssl_session_tickets
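Review bot: ngxSSLProtocol puts SSLv2 and SSLv3 in the same group as TLSv1.2, and the last hunk links that group to Keyword, so obsolete protocols in an ssl_protocols line are coloured exactly like current ones. Consider a separate group for SSLv2 and SSLv3 linked to a warning highlight, as the file already does with "hi link ngxDirectiveDeprecated Error", so a weak setting stands out when the config is read.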
@@ -500,7 +521,7 @@ syn keyword ngxDirective uwsgi_send_time
syn keyword ngxDirective uwsgi_ssl_ciphers
syn keyword ngxDirective uwsgi_ssl_crl
syn keyword ngxDirective uwsgi_ssl_name
-syn keyword ngxDirective uwsgi_ssl_protocols
+syn keyword ngxDirective uwsgi_ssl_protocols nextgroup=ngxSSLProtocol skipwhite
syn keyword ngxDirective uwsgi_ssl_server_name
syn keyword ngxDirective uwsgi_ssl_session_reuse
syn keyword ngxDirective uwsgi_ssl_trusted_certificate
@@ -833,4 +854,8 @@ hi link ngxDirectiveDeprecated Error
hi link ngxDirective Identifier
hi link ngxDirectiveThirdParty Special

+hi link ngxListenOptions Keyword
+hi link ngxMailProtocol Keyword
+hi link ngxSSLProtocol Keyword
+
let b:current_syntax = "nginx"

Re: [PATCH] Contrib: vim syntax, listen option and SSL/Mail protocol keywords

Hello!

On Wed, Feb 22, 2017 at 02:16:59PM +0800, othree wrote:

> # HG changeset patch
> # User othree <othree@gmail.com>
> # Date 1487737601 -28800
> # Wed Feb 22 12:26:41 2017 +0800
> # Node ID 00903b2132edb863e8aed2e84e216817fcc07c90
> # Parent 87cf6ddb41c216876d13cffa5e637a61b159362c
> Contrib: vim syntax, listen option and SSL/Mail protocol keywords.
>
> diff --git a/contrib/vim/syntax/nginx.vim b/contrib/vim/syntax/nginx.vim
> --- a/contrib/vim/syntax/nginx.vim
> +++ b/contrib/vim/syntax/nginx.vim
> @@ -8,17 +8,17 @@ end
> setlocal iskeyword+=.
> setlocal iskeyword+=/
> setlocal iskeyword+=:
>
> syn match ngxVariable '\$\(\w\+\|{\w\+}\)'
> syn match ngxVariableBlock '\$\(\w\+\|{\w\+}\)' contained
> syn match ngxVariableString '\$\(\w\+\|{\w\+}\)' contained
> syn region ngxBlock start=+^+ end=+{+ skip=+\${+ contains=ngxComment,ngxDirectiveBlock,ngxVariableBlock,ngxString oneline
> -syn region ngxString start=+\z(["']\)+ end=+\z1+ skip=+\\\\\|\\\z1+ contains=ngxVariableString
> +syn region ngxString start=+[^:a-zA-Z>!\\@]\z(["']\)+lc=1 end=+\z1+ skip=+\\\\\|\\\z1+ contains=ngxVariableString
> syn match ngxComment ' *#.*$'

[...]

Committed, thanks.

--
Maxim Dounin
http://nginx.org/

Re: input required on proxy_next_upstream

Thanks again for detailed reply. Yeah it would have been good to have this feature in nginx upstream module.

It's an important feature, will try out your suggestions and will share.

Thanks a lot for sharing inputs!

Cheers,
Kaustubh

Re: Nginx multiple upstream with different protocols

I suggest you proxy traffic to an upstream group, and then use
failure/timeout parameters there with proper tuning to retry requests on
the second upstream in case the first in the list fails.
It will have an overhead if the 1st entry of the upstream group is invalid
on initial connection, but hopefully the 'down' status will help limiting
that overhead on average.
---
*B. R.*

On Wed, Feb 22, 2017 at 5:08 PM, Kilian Ries <mail@kilian-ries.de> wrote:

> No they cannot be the same (sadly) because i don't know how the upstream
> is serving the content. Think of a situation where i am not in control of
> the upstream backends and they may change from http to https over time.
> ------------------------------
> *From:* nginx <nginx-bounces@nginx.org> on behalf of Cox, Eric S <
> eric.cox@kroger.com>
> *Sent:* Wednesday, 22 February 2017 15:58:26
> *To:* nginx@nginx.org
> *Subject:* RE: Nginx multiple upstream with different protocols
>
>
> If you are SSL on the frontend (server directive) why would you want to
> proxy between ssl/non-ssl on the upstreams? Can they not be the same? I
> don’t get what you are trying to solve?
>
>
>
> *From:* nginx [mailto:nginx-bounces@nginx.org] *On Behalf Of *Kilian Ries
> *Sent:* Wednesday, February 22, 2017 9:55 AM
> *To:* nginx@nginx.org
> *Subject:* Nginx multiple upstream with different protocols
>
>
>
> Hi,
>
>
>
> i'm trying to setup two Nginx upstreams (one with HTTP and one with HTTPS)
> and the proxy_pass module should decide which of the upstreams is serving
> "valid" content.
>
>
>
> The config should look like this:
>
>
>
> upstream proxy_backend {
>     server xxx.xx.188.53;
>     server xxx.xx.188.53:443;
> }
>
> server {
>     listen 443 ssl;
>     ...
>     location / {
>         proxy_pass http://proxy_backend;
>         #proxy_pass https://proxy_backend;
>     }
> }
>
>
>
>
>
> The Problem is that i don't know if the upstream is serving the content
> via http or https. Is there any possibility to tell nginx to change the
> protocol from the proxy_pass directive? Because if i set proxy_pass to
> https, i get an error (502 / 400) if the upstream website is running on
> http and vice versa.
>
>
>
> So i'm searching for a way to let Nginx decide if he should proxy_pass via
> http or https. Can anybody help me with that configuration?
>
>
>
> Thanks
>
> Greets
>
> Kilian

another "bind() to 0.0.0.0:80 failed (98: Address already in use)" issue

Hello All,

I have another "bind() to 0.0.0.0:80 failed (98: Address already in use)" issue.

I am working on a minimal system including nginx only. System startup time, and readiness time are important points. While testing I figured out sometime system boots up within 500ms and sometimes it takes around 3 seconds. On further probing I find out nginx is taking different time to start up which costs me extra 2.5 Seconds. So I tested and figured out that error in those cases is "bind() to 0.0.0.0:80 failed (98: Address already in use)".

Few of my observation here are,
1. No other process is using that port, there is no other web server or application running on the system.
2. The case is not only limited to nginx restart, where nginx might not be shutdown correctly and itself might be using that port. Nginx even fails during system start, in cases where it has caused longer boot time.
3. I use customized kernels, but that kernel shouldn't be culprit either because sometimes it works on that kernel as well. Another point here is failure in customized kernel is more often as compared to stock kernel. The ratio of failure in stock kernel is around 30% and in customized is 70% but system works on both and fails on both.
4. Start/Stop scripts always exit with success status "0".
5. I tested nginx in a restart loop, with a 1 second sleep before and after start and stop. Failure is random.
6. Worse, nginx is actually running even though error said bind failed. I can connect to it, access default web page, and it is listed in netstat as listening as well.

Output of netstat -ntl is at: http://pastebin.com/26b6KNAZ

Error Log is at: http://pastebin.com/w0y8aa9p

This is one of the customized system, a derivative of debian, I am working on. System wise, everything is consistent. I use same kernel, same system image with same parameters and it works sometime and fails otherwise.

nginx -t gives
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
So configuration shouldn't be a problem.

configuration file is default and available at:
http://pastebin.com/iRFfW3UE

Process listing after nginx startup: http://pastebin.com/0vB19rLq
Process listing after nginx stop: http://pastebin.com/iQafxjiF

Any pointer to debug the issue would be very helpful.

Regards,
sum-it