
Re: how can I use external URI with the auth_request module

On Wed, Feb 22, 2017 at 03:55:48AM +0200, Litichevskij Vova wrote:

Hi there,

> Or in this way with named location:
>
> server {
>
>     location / {
>         auth_request @auth;
>         proxy_pass http://protected.resource;
>     }
>
>     location @auth {
>         proxy_pass http://external.url;
>     }
> }
> In this case the error is almost the same:
>
> 2017/02/22 03:13:25 [error] 25476#0: *34 open() "/usr/local/html@auth" failed (2: No such file or directory), client: 127.0.0.1, server: , request: "GET / HTTP/1.1", subrequest: "@auth", host: "127.0.0.1"

I would (naively?) have expected the named location to Just Work. But
clearly it doesn't.

> I know there is a way like this:
>
> server {
>
>     location / {
>         auth_request /_auth_check;
>         proxy_pass http://protected.resource;
>     }
>
>     location /_auth_check {
>         internal;
>         proxy_pass http://external.url;
>     }
> }
> But in this case the http://protected.resource can not use the /_auth_check path.

You can instead use "location = /_auth_check" if you are happy to reserve
exactly one url for internal use. (You'd probably want to add a uri
part to the hostname in the proxy_pass directive.)

Or you could play games, and use a location which looks like it is a
named location, but actually is not, and is just a location that is
unlikely to be accessed directly, such as "location = @auth".

> Is there a way to use an external URI as a parameter for the auth_request directive without overlapping the http://protected.resource routing?

auth_request takes an argument which is a local uri.

> It looks a little bit strange to look for the auth_request's URI through static files (/usr/local/html).

It does whatever you configured nginx to do with that uri. (Apart from
the "@named" piece, which I'm not sure about.)

Cheers,

f
--
Francis Daly francis@daoine.org
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
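
The exact-match variant suggested in the reply above, written out as an added example (not configuration from the thread). The hostnames are the placeholders from the question; the /auth path on external.url and the X-Original-URI header name are assumptions.

```nginx
server {
    listen 80;

    location / {
        # auth_request takes a local URI. The subrequest is matched against
        # this server's locations like any other request URI.
        # A 2xx answer allows the request, 401/403 denies it.
        auth_request /_auth_check;
        proxy_pass http://protected.resource;
    }

    # "=" reserves exactly this one URI. /_auth_check/ and /_auth_checkout
    # still fall through to "location /" and reach the protected upstream.
    location = /_auth_check {
        # A client asking for /_auth_check directly gets 404; only the
        # auth_request subrequest can enter this location.
        internal;

        # URI part on proxy_pass (assumed path): the external service sees
        # /auth instead of /_auth_check.
        proxy_pass http://external.url/auth;

        # The auth service decides from the request headers, so the
        # request body is not forwarded.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";

        # Assumed header name: tells the auth service what was requested.
        proxy_set_header X-Original-URI $request_uri;
    }
}
```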

nginx X-backend upstream hostname

Hi,

I have the following configuration:
nginx 1.10.3 installed on Ubuntu 16.04

one upstream


upstream backend {
    server app01.local.net:81;
    server app02.local.net:81;
    server app03.local.net:81;
}


one vhost that does proxy_pass http://backend;

I also have an old nginx setup that was done some time ago; on every request it adds a header X-Backend:app01, depending on which backend the request is sent to.
I tried to reproduce the setup with no success. I checked all files but did not find any configuration that is setting X-Backend on the nginx side.

Can someone help me with this issue?

Thanks.

Vuko


Re: nginx as reverse proxy to several backends

On Wed, Feb 22, 2017 at 06:29:56AM +0100, Filip Francis wrote:

Hi there,

I haven't tested any of this, but...

> I am trying to set-up a reverse proxy with nginx so that based on
> the server_name it goes to the correct backend.

That should be straightforward; and it looks to me like you almost have
it working.

> when user type xxxx.yyy.be as normal http it redirects to https and
> then forwards it to the backend number 1

It may be worth being explicit there:

http://xxxx.yyy.be is redirected to https://xxxx.yyy.be
https://xxxx.yyy.be is proxy_pass'ed to backend1

> but when user type zzzz.yyy.be also as normal http it redirects it to
> https and forwards it to the correct backend (so here it would be
> backend number 2)

And the same for zzzz.yyy.be, but eventually to backend2.

> so in sites-enabled i put several files that is being loaded but
> nothing is working

Does "nothing is working" include "curl -v http://xxxx.yyy.be" getting
something other than a 301 redirect to https://xxxx.yyy.be ?

If so - what does it get instead?

> include /opt/local/etc/nginx/sites-enabled/*;

> here is the content:
>
> owncloud:

> server {
> listen 443 ssl http2;

ssl is on, but there is no "default_server" set explicitly here.

> and mattermost:

> server {
> listen 443;

ssl is not on, and there is no "default_server" set explicitly here.

Alphabetically, I think that this server{} will be the default for any
connections to port 443, and I'm not sure what will happen when "ssl"
is not set here but is set elsewhere on a port 443 listener.

> This is working (more or less) but if I start moving the ssl bit
> into the owncloud or mattermost it simply is not working any more

I don't understand what you mean by this, I'm afraid.

The config you show does work, but a config you do not show does not
work? Or something else?

> getting each time that I type http://zzzz.yyy.be I get 400 bad
> request The plain HTTP request was sent to HTTPS port

If the problem is "missing ssl on the mattermost listen directive",
then I would expect a https request to be going to a http port.

http request to a https port looks like it would need your upstream
(192.168.1.95:8065) to be listening for https.

Just for clarity, could you show the responses you get for a "curl -v"
request to the first http:// address, and then to the (presumably)
returned 301 Location?

That may make it more obvious what is happening, compared to what should
be happening; and may make the solution clear to somebody.

Cheers,

f
--
Francis Daly francis@daoine.org

Allow only specific User?

I have htpasswd authentication working for some directories. In the htpasswd file, I have several accounts. I want to use the same htpasswd file for all directories. But for some directories, I want to allow only one specific user from this htpasswd file. But if I use a construct like:

location ~ ^/somedir/ {
    auth_basic "Restricted Directory";
    auth_basic_user_file /etc/nginx/.htpasswd;

    if ($remote_user != "adminuser") {
        return 403;
    }
}

I'm always denied access to the directory. No credential request is shown.

What can I do?

Re: another "bind() to 0.0.0.0:80 failed (98: Address already in use)" issue

Depending on the version you may want to look
for /etc/nginx/conf.d/default.conf. When I have been building servers (I
use salt for configuration management) I have a state file that
includes

/etc/nginx/conf.d/default.conf:
  file.absent

which will ensure the file does not exist immediately after install, and
when I start up my virtual hosts all is well.

Based on your statements that may or may not be your issue, but it is something that bit
me and regardless... something is listening on port 80. When you get that,
what does `sudo netstat -nap | grep LISTEN` show?

HTH
Jeff

On Wed, Feb 22, 2017 at 1:36 PM, sum-it <nginx-forum@forum.nginx.org> wrote:

> Hello All,
>
> I have another "bind() to 0.0.0.0:80 failed (98: Address already in use)"
> issue.
>
> I am working on a minimal system including nginx only. System startup time,
> and readiness time are important points. While testing I figured out
> sometime system boots up within 500ms and sometimes it takes around 3
> second. On further probing I find out nginx is taking different time to
> start up which costs me extra 2.5 Seconds. So I tested and figured out that
> error in those cases is "bind() to 0.0.0.0:80 failed (98: Address already
> in use)".
>
> Few of my observation here are,
> 1. No other process is using that port, there is no other web server or
> application running on the system.
> 2. The case is not only limited to nginx restart, where nginx might not be
> shutdown correctly and itself might be using that port. Nginx even fails
> during system start, in cases where it has caused longer boot time.
> 3. I use customized kernels, but that kernel shouldn't be culprit either
> because sometimes it works on that kernel as well. Another point here is
> failure in customized kernel is more often as compared to stock kernel. The
> ratio of failure in stock kernel is around 30% and in customized is 70% but
> system works on both and fails on both.
> 4. Start/Stop scripts always exit with success status "0".
> 5. I tested nginx in a restart loop, with a 1 second sleep before and after
> start and stop. Failure is random.
> 6. Worse, nginx is actually running even though error said bind failed. I
> can connect to it, access default web page, and it is listed in netstat as
> listening as well.
>
> Output of netstat -ntl is at: http://pastebin.com/26b6KNAZ
>
> Error Log is at: http://pastebin.com/w0y8aa9p
>
> This is one of the customized system, a derivative of debian, I am working
> on. System wise, everything is consistent. I use same kernel, same system
> image with same parameters and it works sometime and fails otherwise.
>
> nginx -t gives
> nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
> nginx: configuration file /etc/nginx/nginx.conf test is successful
> So configuration shouldn't be a problem.
>
> configuration file is default and available at:
> http://pastebin.com/iRFfW3UE
>
> Process listing after nginx startup: http://pastebin.com/0vB19rLq
> Process listing after nginx stop: http://pastebin.com/iQafxjiF
>
> Any pointer to debug the issue would be very helpful.
>
> Regards,
> sum-it
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272570,272570#msg-272570

Re: realip and remote_port

I can confirm I see the same thing.

If you use set_real_ip_from, real_ip_header, etc then it wipes out the $server_port value.

Is there any work around to this?

Authentication/access control module for reverse proxy NGINX

Hi everyone,
I am looking for a module which does the authentication/access control for reverse proxy (preferably `nginx`). This module should do:

    1. user authentication using credential stored in database (such as postgres)
    2. Monitoring the ongoing connection and take action if certain access credential is met. For example, time is expired
    3. open source (allow customization) and nginx, ruby(rails) preferable.

It seems that [`OpenResty`][1] with `nginx` can do the job. Here is an [article][2] talking about access control with `Lua` on `nginx`. Here is an example (`nginx and Lua`) giving me the impression that a snippet of file could be executed for access (`access_by_lua_file`):

    server {
        listen 8080;

        location / {
            auth_basic           "Protected Elasticsearch";
            auth_basic_user_file passwords;

            access_by_lua_file '.../authorize.lua';  #<<<=====

            proxy_pass http://elasticsearch;
            proxy_redirect off;
        }

    }

I am new to access control with reverse proxy. Any thought is appreciated.


  [1]: https://github.com/openresty/lua-nginx-module
  [2]: Playing HTTP Tricks with Nginx


_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

Re: Authentication/access control module for reverse proxy NGINX

Hi,

you can use "auth_request" (see
http://nginx.org/en/docs/http/ngx_http_auth_request_module.html)

that can take the full authorization control you wanted, e.g. authorize via
your own internal location to some backend (ruby, etc.). Additionally
you can use there all the features nginx supports, for example you can use
nginx-caching (by credential as key) in this location to control the
time expiration, etc.

Regards,
sebres.

On 22.02.2017 23:16, Jun Chen via nginx-devel wrote:

> Hi everyone,
>
> I am looking for a module which does the authentication/access control
> for reverse proxy (preferable `nginx`). This module should do:
>
> 1. user authentication using credential stored in database (such as
> postgres)
> 2. Monitoring the ongoing connection and take action if certain access
> credential is met. For example, time is expired
> 3. open source (allow customization) and nginx, ruby(rails) preferable.
>
> It seems that [`OpenResty`][1] with `nginx` can do the job. Here is an
> [article][2] talking about access control with `Lua` on `nginx`. Here
> is an example (`nginx and Lua`) giving me the impression that a snippet of
> file could be executed for access (`access_by_lua_file`):
>
> server {
> listen 8080;
>
> location / {
> auth_basic "Protected Elasticsearch";
> auth_basic_user_file passwords;
>
> access_by_lua_file '../authorize.lua'; #<<<=====
>
> proxy_pass http://elasticsearch;
> proxy_redirect off;
> }
>
> }
>
> I am new to access control with reverse proxy. Any thought is
> appreciated.
>
> [1]: https://github.com/openresty/lua-nginx-module
> [2]: Playing HTTP Tricks with Nginx [1]


Links:
------
[1] https://www.elastic.co/blog/playing-http-tricks-nginx
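
A sketch of the caching idea from the reply above: the auth_request subrequest is cached with the credential as key, so an allow decision expires after a fixed time. This is an added example, not configuration from the thread; the backend address and /check path, the cache path, the zone name and the lifetimes are all assumptions.

```nginx
# http{} context. Assumed cache directory and zone name.
proxy_cache_path /var/cache/nginx/auth keys_zone=auth_cache:1m max_size=16m;

server {
    listen 8080;

    location / {
        auth_request /_auth;
        proxy_pass http://elasticsearch;   # upstream name from the question
    }

    location = /_auth {
        internal;

        # Assumed auth backend (for example a Rails app that looks the
        # credential up in the database and answers 200, 401 or 403).
        proxy_pass http://127.0.0.1:3000/check;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";

        proxy_cache auth_cache;

        # The credential must be part of the key. Without it, the first
        # user's 200 would be replayed to every later client. If the
        # decision depends on the requested resource, add $request_uri too.
        proxy_cache_key "$host|$http_authorization";

        # An allow decision is re-checked against the backend after
        # 5 minutes, so a revoked account stops working within that window.
        proxy_cache_valid 200 5m;

        # Denials are kept only briefly, so a corrected account is not
        # locked out for long while repeats of the same bad credential
        # stay off the backend.
        proxy_cache_valid 401 403 30s;

        # Note: Cache-Control/Expires headers from the backend take
        # precedence over proxy_cache_valid, and a response carrying
        # Set-Cookie is not cached at all.
    }
}
```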

Add new ssl variable: ssl_client_ms_upn

Attempt #2 - have removed previously-proposed ssl_client_s_cn and ssl_client_email vars as these are now satisfied, as advised, by map constructs.

# HG changeset patch
# User Dave Bevan <dave.bevan@bbc.co.uk>
# Date 1487806316 0
# Wed Feb 22 23:31:56 2017 +0000
# Node ID e0a82e49175e9092b63fb7d86054a698d8fc3085
# Parent 00903b2132edb863e8aed2e84e216817fcc07c90
Add new ssl variable: $ssl_client_ms_upn (Microsoft UserPrincipalName).

Retrieved from a client cert, this identity string is used in corporate
environments as a primary key when interacting with Active Directory.

Commonly used to set REMOTE_USER param. Brings equivalence with
Apache 2.4.17 which introduced access to the same data:

https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x/CHANGES

Changes with Apache 2.4.17

*) mod_ssl: Add support for extracting the msUPN and dnsSRV forms
of subjectAltName entries of type "otherName" into
SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment
variables. Addresses PR 58020. [Jan Pazdziora <jpazdziora redhat.com>,
Kaspar Brand]

diff -r 00903b2132ed -r e0a82e49175e src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Wed Feb 22 12:26:41 2017 +0800
+++ b/src/event/ngx_event_openssl.c Wed Feb 22 23:31:56 2017 +0000
@@ -4081,6 +4081,60 @@
}


+ngx_int_t
+ngx_ssl_get_client_ms_upn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+ int i;
+ BIO *bio;
+ X509 *cert;
+ GENERAL_NAME *altname;
+ STACK_OF(GENERAL_NAME) *altnames;
+
+ s->len = 0;
+
+ cert = SSL_get_peer_certificate(c->ssl->connection);
+ if (cert == NULL) {
+ return NGX_OK;
+ }
+
+ bio = BIO_new(BIO_s_mem());
+ if (bio == NULL) {
+ X509_free(cert);
+ return NGX_ERROR;
+ }
+
+ altnames = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
+
+ if (altnames) {
+ for (i = 0; i < sk_GENERAL_NAME_num(altnames); i++) {
+ altname = sk_GENERAL_NAME_value(altnames, i);
+
+ if (altname->type != GEN_OTHERNAME) {
+ continue;
+ }
+
+ if (NID_ms_upn != OBJ_obj2nid(altname->d.otherName->type_id)) {
+ continue;
+ }
+
+ BIO_printf(bio, "%s",
+ (char*)ASN1_STRING_data(altname->d.otherName->value->value.asn1_string));
+ break;
+ }
+ }
+
+ s->len = BIO_pending(bio);
+ s->data = ngx_pnalloc(pool, s->len);
+
+ BIO_read(bio, s->data, s->len);
+ BIO_free(bio);
+ X509_free(cert);
+ GENERAL_NAMES_free(altnames);
+
+ return NGX_OK;
+}
+
+
static time_t
ngx_ssl_parse_time(
#if OPENSSL_VERSION_NUMBER > 0x10100000L
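Review bot: in the subjectAltName loop, altname->d.otherName->value->value.asn1_string is dereferenced without checking altname->d.otherName->value->type, and the bytes are then printed through "%s", which depends on NUL termination and stops at an embedded NUL in a certificate the client supplies. Check that the value is a UTF8String and copy ASN1_STRING_length() bytes straight into the pool buffer, which also makes the BIO unnecessary. Separately, the result of ngx_pnalloc(pool, s->len) is handed to BIO_read() unchecked; on allocation failure the function should free bio, cert and altnames and return NGX_ERROR.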
diff -r 00903b2132ed -r e0a82e49175e src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Wed Feb 22 12:26:41 2017 +0800
+++ b/src/event/ngx_event_openssl.h Wed Feb 22 23:31:56 2017 +0000
@@ -226,6 +226,8 @@
ngx_str_t *s);
ngx_int_t ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool,
ngx_str_t *s);
+ngx_int_t ngx_ssl_get_client_ms_upn(ngx_connection_t *c, ngx_pool_t *pool,
+ ngx_str_t *s);


ngx_int_t ngx_ssl_handshake(ngx_connection_t *c);
diff -r 00903b2132ed -r e0a82e49175e src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Wed Feb 22 12:26:41 2017 +0800
+++ b/src/http/modules/ngx_http_ssl_module.c Wed Feb 22 23:31:56 2017 +0000
@@ -328,6 +328,9 @@
{ ngx_string("ssl_client_v_remain"), NULL, ngx_http_ssl_variable,
(uintptr_t) ngx_ssl_get_client_v_remain, NGX_HTTP_VAR_CHANGEABLE, 0 },

+ { ngx_string("ssl_client_ms_upn"), NULL, ngx_http_ssl_variable,
+ (uintptr_t) ngx_ssl_get_client_ms_upn, NGX_HTTP_VAR_CHANGEABLE, 0 },
+
{ ngx_null_string, NULL, NULL, 0, 0, 0 }
};

diff -r 00903b2132ed -r e0a82e49175e src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c Wed Feb 22 12:26:41 2017 +0800
+++ b/src/stream/ngx_stream_ssl_module.c Wed Feb 22 23:31:56 2017 +0000
@@ -272,6 +272,9 @@
{ ngx_string("ssl_client_v_remain"), NULL, ngx_stream_ssl_variable,
(uintptr_t) ngx_ssl_get_client_v_remain, NGX_STREAM_VAR_CHANGEABLE, 0 },

+ { ngx_string("ssl_client_ms_upn"), NULL, ngx_stream_ssl_variable,
+ (uintptr_t) ngx_ssl_get_client_ms_upn, NGX_STREAM_VAR_CHANGEABLE, 0 },
+
{ ngx_null_string, NULL, NULL, 0, 0, 0 }
};


Rgds,
--
Dave Bevan
Senior Broadcast Systems Developer
News Labs, BBC Design & Engineering


Re: Authentication/access control module for reverse proxy NGINX

Hi,

Did you read this nice article on the topic:
https://www.nginx.com/blog/nginx-plus-authenticate-users/
?


On 23 February 2017 at 01:16, Jun Chen via nginx-devel <
nginx-devel@nginx.org> wrote:

> Hi everyone,
>
> I am looking for a module which does the authentication/access control for
> reverse proxy (preferable `nginx`).
>
>

Re: Add new ssl variable: ssl_client_ms_upn

On 23 February 2017 at 02:35, Dave Bevan <dave.bevan@bbc.co.uk> wrote:
> + s->data = ngx_pnalloc(pool, s->len);

Errr... No error check?

Re: [PATCH 1 of 2] HTTP: add support for "429 Too Many Requests" response (RFC6585)

Hey,

> # HG changeset patch
> # User Piotr Sikora <piotrsikora@google.com>
> # Date 1476859139 25200
> # Tue Oct 18 23:38:59 2016 -0700
> # Node ID 1eec5355ef1e4a8b0aecebdec84c744734c0d36e
> # Parent 8081e1f3ab8b9ccb4e2d7f9240cbfb8e404a3c95
> HTTP: add support for "429 Too Many Requests" response (RFC6585).
>
> This change adds reason phrase in status line and pretty response body
> when "429" status code is used in "return", "limit_conn_status" and/or
> "limit_req_status" directives.
>
> It also adds "http_429" parameter to "proxy_next_upstream" for retrying
> rate-limited requests, and to "proxy_cache_use_stale" for serving stale
> cached responses after being rate-limited.

Ping...

Best regards,
Piotr Sikora

[PATCH] Contrib: vim syntax, update core module directives

# HG changeset patch
# User othree <othree@gmail.com>
# Date 1487824289 -28800
# Thu Feb 23 12:31:29 2017 +0800
# Node ID d5a7953a10d9730ee1a42f9931218425b4eca1be
# Parent 00903b2132edb863e8aed2e84e216817fcc07c90
Contrib: vim syntax, update core module directives

diff --git a/contrib/vim/syntax/nginx.vim b/contrib/vim/syntax/nginx.vim
--- a/contrib/vim/syntax/nginx.vim
+++ b/contrib/vim/syntax/nginx.vim
@@ -77,40 +77,47 @@ syn keyword ngxDirectiveDeprecated conne
syn keyword ngxDirectiveDeprecated imap
syn keyword ngxDirectiveDeprecated limit_zone
syn keyword ngxDirectiveDeprecated mysql_test
syn keyword ngxDirectiveDeprecated open_file_cache_retest
syn keyword ngxDirectiveDeprecated optimize_server_names
syn keyword ngxDirectiveDeprecated satisfy_any
syn keyword ngxDirectiveDeprecated so_keepalive

+syn keyword ngxDirective absolute_redirect
syn keyword ngxDirective accept_mutex
syn keyword ngxDirective accept_mutex_delay
syn keyword ngxDirective acceptex_read
syn keyword ngxDirective access_log
syn keyword ngxDirective add_after_body
syn keyword ngxDirective add_before_body
syn keyword ngxDirective add_header
syn keyword ngxDirective addition_types
syn keyword ngxDirective aio
+syn keyword ngxDirective aio_write
syn keyword ngxDirective alias
syn keyword ngxDirective allow
syn keyword ngxDirective ancient_browser
syn keyword ngxDirective ancient_browser_value
syn keyword ngxDirective auth_basic
syn keyword ngxDirective auth_basic_user_file
syn keyword ngxDirective auth_http
syn keyword ngxDirective auth_http_header
+syn keyword ngxDirective auth_http_pass_client_cert
syn keyword ngxDirective auth_http_timeout
+syn keyword ngxDirective auth_jwt
+syn keyword ngxDirective auth_jwt_key_file
syn keyword ngxDirective auth_request
syn keyword ngxDirective auth_request_set
syn keyword ngxDirective autoindex
syn keyword ngxDirective autoindex_exact_size
+syn keyword ngxDirective autoindex_format
syn keyword ngxDirective autoindex_localtime
syn keyword ngxDirective charset
+syn keyword ngxDirective charset_map
syn keyword ngxDirective charset_types
syn keyword ngxDirective chunked_transfer_encoding
syn keyword ngxDirective client_body_buffer_size
syn keyword ngxDirective client_body_in_file_only
syn keyword ngxDirective client_body_in_single_buffer
syn keyword ngxDirective client_body_temp_path
syn keyword ngxDirective client_body_timeout
syn keyword ngxDirective client_header_buffer_size
@@ -134,51 +141,58 @@ syn keyword ngxDirective directio_alignm
syn keyword ngxDirective disable_symlinks
syn keyword ngxDirective empty_gif
syn keyword ngxDirective env
syn keyword ngxDirective epoll_events
syn keyword ngxDirective error_log
syn keyword ngxDirective etag
syn keyword ngxDirective eventport_events
syn keyword ngxDirective expires
+syn keyword ngxDirective f4f
+syn keyword ngxDirective f4f_buffer_size
syn keyword ngxDirective fastcgi_bind
syn keyword ngxDirective fastcgi_buffer_size
syn keyword ngxDirective fastcgi_buffering
syn keyword ngxDirective fastcgi_buffers
syn keyword ngxDirective fastcgi_busy_buffers_size
syn keyword ngxDirective fastcgi_cache
syn keyword ngxDirective fastcgi_cache_bypass
syn keyword ngxDirective fastcgi_cache_key
syn keyword ngxDirective fastcgi_cache_lock
+syn keyword ngxDirective fastcgi_cache_lock_age
syn keyword ngxDirective fastcgi_cache_lock_timeout
+syn keyword ngxDirective fastcgi_cache_max_range_offset
syn keyword ngxDirective fastcgi_cache_methods
syn keyword ngxDirective fastcgi_cache_min_uses
syn keyword ngxDirective fastcgi_cache_path
+syn keyword ngxDirective fastcgi_cache_purge
syn keyword ngxDirective fastcgi_cache_revalidate
syn keyword ngxDirective fastcgi_cache_use_stale
syn keyword ngxDirective fastcgi_cache_valid
syn keyword ngxDirective fastcgi_catch_stderr
syn keyword ngxDirective fastcgi_connect_timeout
syn keyword ngxDirective fastcgi_force_ranges
syn keyword ngxDirective fastcgi_hide_header
syn keyword ngxDirective fastcgi_ignore_client_abort
syn keyword ngxDirective fastcgi_ignore_headers
syn keyword ngxDirective fastcgi_index
syn keyword ngxDirective fastcgi_intercept_errors
syn keyword ngxDirective fastcgi_keep_conn
+syn keyword ngxDirective fastcgi_limit_rate
syn keyword ngxDirective fastcgi_max_temp_file_size
syn keyword ngxDirective fastcgi_next_upstream
syn keyword ngxDirective fastcgi_next_upstream_timeout
syn keyword ngxDirective fastcgi_next_upstream_tries
syn keyword ngxDirective fastcgi_no_cache
syn keyword ngxDirective fastcgi_param
syn keyword ngxDirective fastcgi_pass_header
syn keyword ngxDirective fastcgi_pass_request_body
syn keyword ngxDirective fastcgi_pass_request_headers
syn keyword ngxDirective fastcgi_read_timeout
+syn keyword ngxDirective fastcgi_request_buffering
syn keyword ngxDirective fastcgi_send_lowat
syn keyword ngxDirective fastcgi_send_timeout
syn keyword ngxDirective fastcgi_split_path_info
syn keyword ngxDirective fastcgi_store
syn keyword ngxDirective fastcgi_store_access
syn keyword ngxDirective fastcgi_temp_file_write_size
syn keyword ngxDirective fastcgi_temp_path
syn keyword ngxDirective flv
@@ -199,78 +213,109 @@ syn keyword ngxDirective gzip_http_versi
syn keyword ngxDirective gzip_min_length
syn keyword ngxDirective gzip_no_buffer
syn keyword ngxDirective gzip_proxied
syn keyword ngxDirective gzip_static
syn keyword ngxDirective gzip_types
syn keyword ngxDirective gzip_vary
syn keyword ngxDirective gzip_window
syn keyword ngxDirective hash
+syn keyword ngxDirective health_check
+syn keyword ngxDirective health_check_timeout
+syn keyword ngxDirective hls
+syn keyword ngxDirective hls_buffers
+syn keyword ngxDirective hls_forward_args
+syn keyword ngxDirective hls_fragment
+syn keyword ngxDirective hls_mp4_buffer_size
+syn keyword ngxDirective hls_mp4_max_buffer_size
+syn keyword ngxDirective http2_chunk_size
+syn keyword ngxDirective http2_body_preread_size
+syn keyword ngxDirective http2_idle_timeout
+syn keyword ngxDirective http2_max_concurrent_streams
+syn keyword ngxDirective http2_max_field_size
+syn keyword ngxDirective http2_max_header_size
+syn keyword ngxDirective http2_max_requests
+syn keyword ngxDirective http2_recv_buffer_size
+syn keyword ngxDirective http2_recv_timeout
syn keyword ngxDirective if_modified_since
syn keyword ngxDirective ignore_invalid_headers
syn keyword ngxDirective image_filter
syn keyword ngxDirective image_filter_buffer
syn keyword ngxDirective image_filter_interlace
syn keyword ngxDirective image_filter_jpeg_quality
syn keyword ngxDirective image_filter_sharpen
syn keyword ngxDirective image_filter_transparency
+syn keyword ngxDirective image_filter_webp_quality
syn keyword ngxDirective imap_auth
syn keyword ngxDirective imap_capabilities
syn keyword ngxDirective imap_client_buffer
syn keyword ngxDirective index
syn keyword ngxDirective iocp_threads
syn keyword ngxDirective ip_hash
+syn keyword ngxDirective js_access
+syn keyword ngxDirective js_content
+syn keyword ngxDirective js_filter
+syn keyword ngxDirective js_include
+syn keyword ngxDirective js_preread
+syn keyword ngxDirective js_set
syn keyword ngxDirective keepalive
syn keyword ngxDirective keepalive_disable
syn keyword ngxDirective keepalive_requests
syn keyword ngxDirective keepalive_timeout
syn keyword ngxDirective kqueue_changes
syn keyword ngxDirective kqueue_events
syn keyword ngxDirective large_client_header_buffers
syn keyword ngxDirective least_conn
+syn keyword ngxDirective least_time
syn keyword ngxDirective limit_conn
syn keyword ngxDirective limit_conn_log_level
syn keyword ngxDirective limit_conn_status
syn keyword ngxDirective limit_conn_zone
syn keyword ngxDirective limit_rate
syn keyword ngxDirective limit_rate_after
syn keyword ngxDirective limit_req
syn keyword ngxDirective limit_req_log_level
syn keyword ngxDirective limit_req_status
syn keyword ngxDirective limit_req_zone
syn keyword ngxDirective lingering_close
syn keyword ngxDirective lingering_time
syn keyword ngxDirective lingering_timeout
+syn keyword ngxDirective load_module
syn keyword ngxDirective lock_file
syn keyword ngxDirective log_format
syn keyword ngxDirective log_not_found
syn keyword ngxDirective log_subrequest
syn keyword ngxDirective map_hash_bucket_size
syn keyword ngxDirective map_hash_max_size
+syn keyword ngxDirective match
syn keyword ngxDirective master_process
syn keyword ngxDirective max_ranges
syn keyword ngxDirective memcached_bind
syn keyword ngxDirective memcached_buffer_size
syn keyword ngxDirective memcached_connect_timeout
+syn keyword ngxDirective memcached_force_ranges
syn keyword ngxDirective memcached_gzip_flag
syn keyword ngxDirective memcached_next_upstream
syn keyword ngxDirective memcached_next_upstream_timeout
syn keyword ngxDirective memcached_next_upstream_tries
syn keyword ngxDirective memcached_read_timeout
syn keyword ngxDirective memcached_send_timeout
syn keyword ngxDirective merge_slashes
syn keyword ngxDirective min_delete_depth
syn keyword ngxDirective modern_browser
syn keyword ngxDirective modern_browser_value
syn keyword ngxDirective mp4
syn keyword ngxDirective mp4_buffer_size
syn keyword ngxDirective mp4_max_buffer_size
+syn keyword ngxDirective mp4_limit_rate
+syn keyword ngxDirective mp4_limit_rate_after
syn keyword ngxDirective msie_padding
syn keyword ngxDirective msie_refresh
syn keyword ngxDirective multi_accept
+syn keyword ngxDirective ntlm
syn keyword ngxDirective open_file_cache
syn keyword ngxDirective open_file_cache_errors
syn keyword ngxDirective open_file_cache_events
syn keyword ngxDirective open_file_cache_min_uses
syn keyword ngxDirective open_file_cache_valid
syn keyword ngxDirective open_log_file_cache
syn keyword ngxDirective output_buffers
syn keyword ngxDirective override_charset
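Review bot: three additions in this hunk break the alphabetical order that the keyword list otherwise keeps: http2_chunk_size is placed before http2_body_preread_size, match before master_process, and mp4_limit_rate / mp4_limit_rate_after after mp4_max_buffer_size. Move them to their sorted positions so that later directive updates diff cleanly against this list.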
@@ -281,77 +326,94 @@ syn keyword ngxDirective perl_require
syn keyword ngxDirective perl_set
syn keyword ngxDirective pid
syn keyword ngxDirective pop3_auth
syn keyword ngxDirective pop3_capabilities
syn keyword ngxDirective port_in_redirect
syn keyword ngxDirective post_acceptex
syn keyword ngxDirective postpone_gzipping
syn keyword ngxDirective postpone_output
+syn keyword ngxDirective preread_buffer_size
+syn keyword ngxDirective preread_timeout
syn keyword ngxDirective protocol nextgroup=ngxMailProtocol skipwhite
syn keyword ngxMailProtocol imap pop3 smtp contained
syn keyword ngxDirective proxy
syn keyword ngxDirective proxy_bind
syn keyword ngxDirective proxy_buffer
syn keyword ngxDirective proxy_buffer_size
syn keyword ngxDirective proxy_buffering
syn keyword ngxDirective proxy_buffers
syn keyword ngxDirective proxy_busy_buffers_size
syn keyword ngxDirective proxy_cache
syn keyword ngxDirective proxy_cache_bypass
+syn keyword ngxDirective proxy_cache_convert_head
syn keyword ngxDirective proxy_cache_key
syn keyword ngxDirective proxy_cache_lock
+syn keyword ngxDirective proxy_cache_lock_age
syn keyword ngxDirective proxy_cache_lock_timeout
+syn keyword ngxDirective proxy_cache_max_range_offset
syn keyword ngxDirective proxy_cache_methods
syn keyword ngxDirective proxy_cache_min_uses
syn keyword ngxDirective proxy_cache_path
+syn keyword ngxDirective proxy_cache_purge
syn keyword ngxDirective proxy_cache_revalidate
syn keyword ngxDirective proxy_cache_use_stale
syn keyword ngxDirective proxy_cache_valid
syn keyword ngxDirective proxy_connect_timeout
syn keyword ngxDirective proxy_cookie_domain
syn keyword ngxDirective proxy_cookie_path
+syn keyword ngxDirective proxy_download_rate
syn keyword ngxDirective proxy_force_ranges
syn keyword ngxDirective proxy_headers_hash_bucket_size
syn keyword ngxDirective proxy_headers_hash_max_size
syn keyword ngxDirective proxy_hide_header
syn keyword ngxDirective proxy_http_version
syn keyword ngxDirective proxy_ignore_client_abort
syn keyword ngxDirective proxy_ignore_headers
syn keyword ngxDirective proxy_intercept_errors
+syn keyword ngxDirective proxy_limit_rate
syn keyword ngxDirective proxy_max_temp_file_size
syn keyword ngxDirective proxy_method
syn keyword ngxDirective proxy_next_upstream
syn keyword ngxDirective proxy_next_upstream_timeout
syn keyword ngxDirective proxy_next_upstream_tries
syn keyword ngxDirective proxy_no_cache
syn keyword ngxDirective proxy_pass_error_message
syn keyword ngxDirective proxy_pass_header
syn keyword ngxDirective proxy_pass_request_body
syn keyword ngxDirective proxy_pass_request_headers
+syn keyword ngxDirective proxy_protocol
+syn keyword ngxDirective proxy_protocol_timeout
syn keyword ngxDirective proxy_read_timeout
syn keyword ngxDirective proxy_redirect
+syn keyword ngxDirective proxy_request_buffering
+syn keyword ngxDirective proxy_responses
syn keyword ngxDirective proxy_send_lowat
syn keyword ngxDirective proxy_send_timeout
syn keyword ngxDirective proxy_set_body
syn keyword ngxDirective proxy_set_header
+syn keyword ngxDirective proxy_ssl_certificate
+syn keyword ngxDirective proxy_ssl_certificate_key
syn keyword ngxDirective proxy_ssl_ciphers
syn keyword ngxDirective proxy_ssl_crl
syn keyword ngxDirective proxy_ssl_name
+syn keyword ngxDirective proxy_ssl_password_file
syn keyword ngxDirective proxy_ssl_protocols nextgroup=ngxSSLProtocol skipwhite
syn keyword ngxDirective proxy_ssl_server_name
syn keyword ngxDirective proxy_ssl_session_reuse
syn keyword ngxDirective proxy_ssl_trusted_certificate
syn keyword ngxDirective proxy_ssl_verify
syn keyword ngxDirective proxy_ssl_verify_depth
syn keyword ngxDirective proxy_store
syn keyword ngxDirective proxy_store_access
syn keyword ngxDirective proxy_temp_file_write_size
syn keyword ngxDirective proxy_temp_path
syn keyword ngxDirective proxy_timeout
+syn keyword ngxDirective proxy_upload_rate
+syn keyword ngxDirective queue
syn keyword ngxDirective random_index
syn keyword ngxDirective read_ahead
syn keyword ngxDirective real_ip_header
syn keyword ngxDirective real_ip_recursive
syn keyword ngxDirective recursive_error_pages
syn keyword ngxDirective referer_hash_bucket_size
syn keyword ngxDirective referer_hash_max_size
syn keyword ngxDirective request_pool_size
@@ -368,56 +430,65 @@ syn keyword ngxDirective scgi_bind
syn keyword ngxDirective scgi_buffer_size
syn keyword ngxDirective scgi_buffering
syn keyword ngxDirective scgi_buffers
syn keyword ngxDirective scgi_busy_buffers_size
syn keyword ngxDirective scgi_cache
syn keyword ngxDirective scgi_cache_bypass
syn keyword ngxDirective scgi_cache_key
syn keyword ngxDirective scgi_cache_lock
+syn keyword ngxDirective scgi_cache_lock_age
syn keyword ngxDirective scgi_cache_lock_timeout
+syn keyword ngxDirective scgi_cache_max_range_offset
syn keyword ngxDirective scgi_cache_methods
syn keyword ngxDirective scgi_cache_min_uses
syn keyword ngxDirective scgi_cache_path
+syn keyword ngxDirective scgi_cache_purge
syn keyword ngxDirective scgi_cache_revalidate
syn keyword ngxDirective scgi_cache_use_stale
syn keyword ngxDirective scgi_cache_valid
syn keyword ngxDirective scgi_connect_timeout
syn keyword ngxDirective scgi_force_ranges
syn keyword ngxDirective scgi_hide_header
syn keyword ngxDirective scgi_ignore_client_abort
syn keyword ngxDirective scgi_ignore_headers
syn keyword ngxDirective scgi_intercept_errors
+syn keyword ngxDirective scgi_limit_rate
syn keyword ngxDirective scgi_max_temp_file_size
syn keyword ngxDirective scgi_next_upstream
syn keyword ngxDirective scgi_next_upstream_timeout
syn keyword ngxDirective scgi_next_upstream_tries
syn keyword ngxDirective scgi_no_cache
syn keyword ngxDirective scgi_param
syn keyword ngxDirective scgi_pass_header
syn keyword ngxDirective scgi_pass_request_body
syn keyword ngxDirective scgi_pass_request_headers
syn keyword ngxDirective scgi_read_timeout
+syn keyword ngxDirective scgi_request_buffering
syn keyword ngxDirective scgi_send_timeout
syn keyword ngxDirective scgi_store
syn keyword ngxDirective scgi_store_access
syn keyword ngxDirective scgi_temp_file_write_size
syn keyword ngxDirective scgi_temp_path
syn keyword ngxDirective secure_link
syn keyword ngxDirective secure_link_md5
syn keyword ngxDirective secure_link_secret
syn keyword ngxDirective send_lowat
syn keyword ngxDirective send_timeout
syn keyword ngxDirective sendfile
syn keyword ngxDirective sendfile_max_chunk
syn keyword ngxDirective server_name_in_redirect
syn keyword ngxDirective server_names_hash_bucket_size
syn keyword ngxDirective server_names_hash_max_size
syn keyword ngxDirective server_tokens
+syn keyword ngxDirective session_log
+syn keyword ngxDirective session_log_format
+syn keyword ngxDirective session_log_zone
syn keyword ngxDirective set_real_ip_from
+syn keyword ngxDirective slice
syn keyword ngxDirective smtp_auth
syn keyword ngxDirective smtp_capabilities
syn keyword ngxDirective smtp_client_buffer
syn keyword ngxDirective smtp_greeting_delay
syn keyword ngxDirective source_charset
syn keyword ngxDirective spdy_chunk_size
syn keyword ngxDirective spdy_headers_comp
syn keyword ngxDirective spdy_keepalive_timeout
@@ -438,46 +509,56 @@ syn keyword ngxDirective ssl_buffer_size
syn keyword ngxDirective ssl_certificate
syn keyword ngxDirective ssl_certificate_key
syn keyword ngxDirective ssl_ciphers
syn keyword ngxDirective ssl_client_certificate
syn keyword ngxDirective ssl_crl
syn keyword ngxDirective ssl_dhparam
syn keyword ngxDirective ssl_ecdh_curve
syn keyword ngxDirective ssl_engine
+syn keyword ngxDirective ssl_handshake_timeout
syn keyword ngxDirective ssl_password_file
syn keyword ngxDirective ssl_prefer_server_ciphers
+syn keyword ngxDirective ssl_preread
syn keyword ngxDirective ssl_protocols nextgroup=ngxSSLProtocol skipwhite
syn keyword ngxSSLProtocol SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 contained nextgroup=ngxSSLProtocol skipwhite
syn keyword ngxDirective ssl_session_cache
syn keyword ngxDirective ssl_session_ticket_key
syn keyword ngxDirective ssl_session_tickets
syn keyword ngxDirective ssl_session_timeout
syn keyword ngxDirective ssl_stapling
syn keyword ngxDirective ssl_stapling_file
syn keyword ngxDirective ssl_stapling_responder
syn keyword ngxDirective ssl_stapling_verify
syn keyword ngxDirective ssl_trusted_certificate
syn keyword ngxDirective ssl_verify_client
syn keyword ngxDirective ssl_verify_depth
syn keyword ngxDirective starttls
+syn keyword ngxDirective state
+syn keyword ngxDirective status
+syn keyword ngxDirective status_format
+syn keyword ngxDirective status_zone
+syn keyword ngxDirective sticky
+syn keyword ngxDirective sticky_cookie_insert
syn keyword ngxDirective stub_status
syn keyword ngxDirective sub_filter
syn keyword ngxDirective sub_filter_last_modified
syn keyword ngxDirective sub_filter_once
syn keyword ngxDirective sub_filter_types
syn keyword ngxDirective tcp_nodelay
syn keyword ngxDirective tcp_nopush
+syn keyword ngxDirective thread_pool
syn keyword ngxDirective thread_stack_size
syn keyword ngxDirective timeout
syn keyword ngxDirective timer_resolution
syn keyword ngxDirective types_hash_bucket_size
syn keyword ngxDirective types_hash_max_size
syn keyword ngxDirective underscores_in_headers
syn keyword ngxDirective uninitialized_variable_warn
+syn keyword ngxDirective upstream_conf
syn keyword ngxDirective use
syn keyword ngxDirective user
syn keyword ngxDirective userid
syn keyword ngxDirective userid_domain
syn keyword ngxDirective userid_expires
syn keyword ngxDirective userid_mark
syn keyword ngxDirective userid_name
syn keyword ngxDirective userid_p3p
@@ -487,45 +568,53 @@ syn keyword ngxDirective uwsgi_bind
syn keyword ngxDirective uwsgi_buffer_size
syn keyword ngxDirective uwsgi_buffering
syn keyword ngxDirective uwsgi_buffers
syn keyword ngxDirective uwsgi_busy_buffers_size
syn keyword ngxDirective uwsgi_cache
syn keyword ngxDirective uwsgi_cache_bypass
syn keyword ngxDirective uwsgi_cache_key
syn keyword ngxDirective uwsgi_cache_lock
+syn keyword ngxDirective uwsgi_cache_lock_age
syn keyword ngxDirective uwsgi_cache_lock_timeout
syn keyword ngxDirective uwsgi_cache_methods
syn keyword ngxDirective uwsgi_cache_min_uses
syn keyword ngxDirective uwsgi_cache_path
+syn keyword ngxDirective uwsgi_cache_purge
syn keyword ngxDirective uwsgi_cache_revalidate
syn keyword ngxDirective uwsgi_cache_use_stale
syn keyword ngxDirective uwsgi_cache_valid
syn keyword ngxDirective uwsgi_connect_timeout
syn keyword ngxDirective uwsgi_force_ranges
syn keyword ngxDirective uwsgi_hide_header
syn keyword ngxDirective uwsgi_ignore_client_abort
syn keyword ngxDirective uwsgi_ignore_headers
syn keyword ngxDirective uwsgi_intercept_errors
+syn keyword ngxDirective uwsgi_limit_rate
syn keyword ngxDirective uwsgi_max_temp_file_size
syn keyword ngxDirective uwsgi_modifier1
syn keyword ngxDirective uwsgi_modifier2
syn keyword ngxDirective uwsgi_next_upstream
syn keyword ngxDirective uwsgi_next_upstream_timeout
syn keyword ngxDirective uwsgi_next_upstream_tries
syn keyword ngxDirective uwsgi_no_cache
syn keyword ngxDirective uwsgi_param
+syn keyword ngxDirective uwsgi_pass
syn keyword ngxDirective uwsgi_pass_header
syn keyword ngxDirective uwsgi_pass_request_body
syn keyword ngxDirective uwsgi_pass_request_headers
syn keyword ngxDirective uwsgi_read_timeout
+syn keyword ngxDirective uwsgi_request_buffering
syn keyword ngxDirective uwsgi_send_timeout
+syn keyword ngxDirective uwsgi_ssl_certificate
+syn keyword ngxDirective uwsgi_ssl_certificate_key
syn keyword ngxDirective uwsgi_ssl_ciphers
syn keyword ngxDirective uwsgi_ssl_crl
syn keyword ngxDirective uwsgi_ssl_name
+syn keyword ngxDirective uwsgi_ssl_password_file
syn keyword ngxDirective uwsgi_ssl_protocols nextgroup=ngxSSLProtocol skipwhite
syn keyword ngxDirective uwsgi_ssl_server_name
syn keyword ngxDirective uwsgi_ssl_session_reuse
syn keyword ngxDirective uwsgi_ssl_trusted_certificate
syn keyword ngxDirective uwsgi_ssl_verify
syn keyword ngxDirective uwsgi_ssl_verify_depth
syn keyword ngxDirective uwsgi_store
syn keyword ngxDirective uwsgi_store_access
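Review bot: uwsgi_cache_max_range_offset is missing between uwsgi_cache_lock_timeout and uwsgi_cache_methods, although the earlier hunks add proxy_cache_max_range_offset and scgi_cache_max_range_offset at the corresponding position. If the omission is not intentional, add "syn keyword ngxDirective uwsgi_cache_max_range_offset" here so the module families stay in step.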
@@ -547,16 +636,17 @@ syn keyword ngxDirective worker_threads
syn keyword ngxDirective working_directory
syn keyword ngxDirective xclient
syn keyword ngxDirective xml_entities
syn keyword ngxDirective xslt_last_modified
syn keyword ngxDirective xslt_param
syn keyword ngxDirective xslt_string_param
syn keyword ngxDirective xslt_stylesheet
syn keyword ngxDirective xslt_types
+syn keyword ngxDirective zone

" 3rd party module list:
" http://wiki.nginx.org/Nginx3rdPartyModules

" Accept Language Module http://wiki.nginx.org/NginxAcceptLanguageModule
" Parses the Accept-Language header and gives the most suitable locale from a list of supported locales.
syn keyword ngxDirectiveThirdParty set_from_accept_language

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

To print Header request in nginx access log

Hi

How to make Nginx access log to print the whole header request in it?

AW: Nginx multiple upstream with different protocols

I think I already tried what you suggested, but that doesn't work because I have to set a specific protocol in the proxy_pass command (http or https). If I have a mixed upstream group like

upstream proxy_backend {
    server xxx.xx.188.53;
    server xxx.xx.188.53:443;
}

I always get protocol errors like 502 or 400 because I cannot switch between http and https in the proxy_pass command.
________________________________
From: nginx <nginx-bounces@nginx.org> on behalf of B.R. via nginx <nginx@nginx.org>
Sent: Wednesday, 22 February 2017 18:52:00
To: nginx ML
Cc: B.R.
Subject: Re: Nginx multiple upstream with different protocols

I suggest you proxy traffic to an upstream group, and then use failure/timeout parameters there with proper tuning to retry requests on the second upstream in case the first in the list fails.
It will have an overhead if the 1st entry of the upstream group is invalid on initial connection, but hopefully the 'down' status will help limiting that overhead on average.
---
B. R.

On Wed, Feb 22, 2017 at 5:08 PM, Kilian Ries <mail@kilian-ries.de> wrote:

No, they cannot be the same (sadly) because I don't know how the upstream is serving the content. Think of a situation where I am not in control of the upstream backends and they may change from http to https over time.

________________________________
From: nginx <nginx-bounces@nginx.org> on behalf of Cox, Eric S <eric.cox@kroger.com>
Sent: Wednesday, 22 February 2017 15:58:26
To: nginx@nginx.org
Subject: RE: Nginx multiple upstream with different protocols

If you are SSL on the frontend (server directive) why would you want to proxy between ssl/non-ssl on the upstreams? Can they not be the same? I don't get what you are trying to solve?

From: nginx [mailto:nginx-bounces@nginx.org] On Behalf Of Kilian Ries
Sent: Wednesday, February 22, 2017 9:55 AM
To: nginx@nginx.org
Subject: Nginx multiple upstream with different protocols

Hi,

I'm trying to set up two Nginx upstreams (one with HTTP and one with HTTPS) and the proxy_pass module should decide which of the upstreams is serving "valid" content.

The config should look like this:

upstream proxy_backend {
    server xxx.xx.188.53;
    server xxx.xx.188.53:443;
}

server {
    listen 443 ssl;
    ...

    location / {
        proxy_pass http://proxy_backend;
        #proxy_pass https://proxy_backend;
    }
}

The problem is that I don't know if the upstream is serving the content via http or https. Is there any possibility to tell nginx to change the protocol from the proxy_pass directive? Because if I set proxy_pass to https, I get an error (502 / 400) if the upstream website is running on http and vice versa.

So I'm searching for a way to let Nginx decide if it should proxy_pass via http or https. Can anybody help me with that configuration?

Thanks

Greets

Kilian


Re: Nginx multiple upstream with different protocols

I suggest splitting your upstreams by protocol, then proxying requests
depending on HTTPS headers to the appropriate group. There's an example on
how to detect HTTPS at
http://serverfault.com/questions/527780/nginx-detect-https-connection-using-a-header

On Thu, Feb 23, 2017 at 4:38 AM, Kilian Ries <mail@kilian-ries.de> wrote:

> I think I already tried what you suggested, but that doesn't work because
> I have to set a specific protocol in the proxy_pass command (http or
> https). If I have a mixed upstream group like
>
> upstream proxy_backend {
>     server xxx.xx.188.53;
>     server xxx.xx.188.53:443;
> }
>
> I always get protocol errors like 502 or 400 because I cannot switch
> between http and https in the proxy_pass command.

Re: [PATCH] Add static brotli module

# HG changeset patch
# User Evgenii Kliuchnikov <eustas.ru@gmail.com>
# Date 1487764873 -3600
# Wed Feb 22 13:01:13 2017 +0100
# Node ID 96939e63f30579f2f32e843d217bd46fa6086bb4
# Parent 87cf6ddb41c216876d13cffa5e637a61b159362c
Add brotli static serving support.

Both .gz and .br static content is served by
ngx_http_gzip_static_module, but have separate configuration.

diff -r 87cf6ddb41c2 -r 96939e63f305 contrib/vim/syntax/nginx.vim
--- a/contrib/vim/syntax/nginx.vim Fri Feb 17 17:01:27 2017 +0300
+++ b/contrib/vim/syntax/nginx.vim Wed Feb 22 13:01:13 2017 +0100
@@ -86,6 +86,7 @@
syn keyword ngxDirective autoindex
syn keyword ngxDirective autoindex_exact_size
syn keyword ngxDirective autoindex_localtime
+syn keyword ngxDirective brotli_static
syn keyword ngxDirective charset
syn keyword ngxDirective charset_types
syn keyword ngxDirective chunked_transfer_encoding
diff -r 87cf6ddb41c2 -r 96939e63f305
src/http/modules/ngx_http_gzip_static_module.c
--- a/src/http/modules/ngx_http_gzip_static_module.c Fri Feb 17 17:01:27
2017 +0300
+++ b/src/http/modules/ngx_http_gzip_static_module.c Wed Feb 22 13:01:13
2017 +0100
@@ -16,10 +16,14 @@


typedef struct {
- ngx_uint_t enable;
+ ngx_uint_t enable_gzip;
+ ngx_uint_t enable_brotli;
} ngx_http_gzip_static_conf_t;


+static ngx_int_t ngx_http_gzip_static_serve_file(ngx_http_request_t *r,
+ ngx_uint_t enable, ngx_uint_t ok, ngx_http_core_loc_conf_t *clcf,
+ ngx_str_t *encoding);
static ngx_int_t ngx_http_gzip_static_handler(ngx_http_request_t *r);
static void *ngx_http_gzip_static_create_conf(ngx_conf_t *cf);
static char *ngx_http_gzip_static_merge_conf(ngx_conf_t *cf, void *parent,
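Review bot: the "ok" parameter of ngx_http_gzip_static_serve_file() is declared ngx_uint_t, but the handler passes it rc, an ngx_int_t holding the result of ngx_http_gzip_ok() or NGX_OK, and the helper assigns it straight back to an ngx_int_t with "rc = ok;". Declare the parameter as ngx_int_t so a status code is not passed through an unsigned type.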
@@ -41,7 +45,14 @@

NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
ngx_conf_set_enum_slot,
NGX_HTTP_LOC_CONF_OFFSET,
- offsetof(ngx_http_gzip_static_conf_t, enable),
+ offsetof(ngx_http_gzip_static_conf_t, enable_gzip),
+ &ngx_http_gzip_static },
+
+ { ngx_string("brotli_static"),
+
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_enum_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_gzip_static_conf_t, enable_brotli),
&ngx_http_gzip_static },

ngx_null_command
@@ -79,19 +90,13 @@
};


+static ngx_str_t encoding_gzip = ngx_string("gzip");
+static ngx_str_t encoding_brotli = ngx_string("brotli");
+
static ngx_int_t
ngx_http_gzip_static_handler(ngx_http_request_t *r)
{
- u_char *p;
- size_t root;
- ngx_str_t path;
ngx_int_t rc;
- ngx_uint_t level;
- ngx_log_t *log;
- ngx_buf_t *b;
- ngx_chain_t out;
- ngx_table_elt_t *h;
- ngx_open_file_info_t of;
ngx_http_core_loc_conf_t *clcf;
ngx_http_gzip_static_conf_t *gzcf;

@@ -105,19 +110,56 @@

gzcf = ngx_http_get_module_loc_conf(r, ngx_http_gzip_static_module);

- if (gzcf->enable == NGX_HTTP_GZIP_STATIC_OFF) {
+ if (gzcf->enable_gzip == NGX_HTTP_GZIP_STATIC_OFF &&
+ gzcf->enable_brotli == NGX_HTTP_GZIP_STATIC_OFF) {
return NGX_DECLINED;
}

- if (gzcf->enable == NGX_HTTP_GZIP_STATIC_ON) {
- rc = ngx_http_gzip_ok(r);
+ clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);

- } else {
- /* always */
- rc = NGX_OK;
+ rc = NGX_DECLINED;
+ if (gzcf->enable_gzip != NGX_HTTP_GZIP_STATIC_OFF) {
+ if (gzcf->enable_gzip == NGX_HTTP_GZIP_STATIC_ON) {
+ rc = ngx_http_gzip_ok(r);
+ } else {
+ /* always */
+ rc = NGX_OK;
+ }
+ rc = ngx_http_gzip_static_serve_file(r, gzcf->enable_gzip, rc,
clcf,
+ &encoding_gzip);
}

- clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
+ if (gzcf->enable_brotli != NGX_HTTP_GZIP_STATIC_OFF && rc ==
NGX_DECLINED) {
+ if (gzcf->enable_gzip == NGX_HTTP_GZIP_STATIC_ON) {
+ rc = ngx_http_gzip_ok(r);
+ } else {
+ /* always */
+ rc = NGX_OK;
+ }
+ rc = ngx_http_gzip_static_serve_file(r, gzcf->enable_brotli, rc,
clcf,
+ &encoding_brotli);
+ }
+
+ return rc;
+}
+
+
+static ngx_int_t
+ngx_http_gzip_static_serve_file(ngx_http_request_t *r, ngx_uint_t enable,
+ ngx_uint_t ok, ngx_http_core_loc_conf_t *clcf, ngx_str_t *encoding)
+{
+ u_char *p;
+ size_t root;
+ ngx_str_t path;
+ ngx_int_t rc;
+ ngx_uint_t level;
+ ngx_log_t *log;
+ ngx_buf_t *b;
+ ngx_chain_t out;
+ ngx_table_elt_t *h;
+ ngx_open_file_info_t of;
+
+ rc = ok;

if (!clcf->gzip_vary && rc != NGX_OK) {
return NGX_DECLINED;
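Review bot: the brotli branch tests "gzcf->enable_gzip == NGX_HTTP_GZIP_STATIC_ON" and calls ngx_http_gzip_ok(r), so whether a .br file is served depends on the gzip_static setting and on the client accepting gzip rather than on brotli_static and "br"; the ngx_http_brotli_ok() this patch adds to ngx_http_core_module.c is never called. The branch should test gzcf->enable_brotli and call ngx_http_brotli_ok(r). Two further points in the same hunk: brotli is only attempted when the gzip call returned NGX_DECLINED, so the preference order between the two encodings is fixed to gzip first and deserves a sentence in the commit message, and several added lines are wrapped by the mailer ("clcf," and "NGX_DECLINED) {" on lines of their own), so the patch will not apply as posted.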
@@ -125,14 +167,14 @@

log = r->connection->log;

- p = ngx_http_map_uri_to_path(r, &path, &root, sizeof(".gz") - 1);
+ p = ngx_http_map_uri_to_path(r, &path, &root, 4 - 1);
if (p == NULL) {
return NGX_HTTP_INTERNAL_SERVER_ERROR;
}

*p++ = '.';
- *p++ = 'g';
- *p++ = 'z';
+ *p++ = encoding->data[0];
+ *p++ = encoding->data[1];
*p = '\0';

path.len = p - path.data;
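Review bot: the file suffix is now built from "4 - 1" and encoding->data[0], encoding->data[1], which yields ".gz" and ".br" only because both encoding names happen to start with those two letters. Pass the suffix explicitly (for example as a second ngx_str_t next to the encoding name), reserve its length in the ngx_http_map_uri_to_path() call, and copy it in, rather than replacing the self-documenting sizeof(".gz") - 1 with a magic number.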
@@ -188,7 +230,7 @@
return NGX_DECLINED;
}

- if (gzcf->enable == NGX_HTTP_GZIP_STATIC_ON) {
+ if (enable == NGX_HTTP_GZIP_STATIC_ON) {
r->gzip_vary = 1;

if (rc != NGX_OK) {
@@ -243,7 +285,7 @@

h->hash = 1;
ngx_str_set(&h->key, "Content-Encoding");
- ngx_str_set(&h->value, "gzip");
+ h->value = *encoding;
r->headers_out.content_encoding = h;

/* we need to allocate all before the header would be sent */
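Review bot: "h->value = *encoding;" sends whatever the static strings defined earlier in the patch contain, and encoding_brotli is ngx_string("brotli"), so a .br file goes out with Content-Encoding: brotli. The token this patch itself matches in Accept-Encoding is "br" (ngx_http_accept_encoding(&ae->value, "br", 2)), and a client that advertised "br" has no reason to recognise "brotli". Set the header value to "br" and keep it separate from the string used to derive the file suffix.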
@@ -293,7 +335,8 @@
return NULL;
}

- conf->enable = NGX_CONF_UNSET_UINT;
+ conf->enable_gzip = NGX_CONF_UNSET_UINT;
+ conf->enable_brotli = NGX_CONF_UNSET_UINT;

return conf;
}
@@ -305,7 +348,9 @@
ngx_http_gzip_static_conf_t *prev = parent;
ngx_http_gzip_static_conf_t *conf = child;

- ngx_conf_merge_uint_value(conf->enable, prev->enable,
+ ngx_conf_merge_uint_value(conf->enable_gzip, prev->enable_gzip,
+ NGX_HTTP_GZIP_STATIC_OFF);
+ ngx_conf_merge_uint_value(conf->enable_brotli, prev->enable_brotli,
NGX_HTTP_GZIP_STATIC_OFF);

return NGX_CONF_OK;
diff -r 87cf6ddb41c2 -r 96939e63f305 src/http/ngx_http_core_module.c
--- a/src/http/ngx_http_core_module.c Fri Feb 17 17:01:27 2017 +0300
+++ b/src/http/ngx_http_core_module.c Wed Feb 22 13:01:13 2017 +0100
@@ -74,8 +74,8 @@
static char *ngx_http_core_resolver(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);
#if (NGX_HTTP_GZIP)
-static ngx_int_t ngx_http_gzip_accept_encoding(ngx_str_t *ae);
-static ngx_uint_t ngx_http_gzip_quantity(u_char *p, u_char *last);
+static ngx_int_t ngx_http_accept_encoding(ngx_str_t *ae, char *e, size_t
n);
+static ngx_uint_t ngx_http_encoding_quantity(u_char *p, u_char *last);
static char *ngx_http_gzip_disable(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);
#endif
@@ -2170,7 +2170,7 @@
*/

if (ngx_memcmp(ae->value.data, "gzip,", 5) != 0
- && ngx_http_gzip_accept_encoding(&ae->value) != NGX_OK)
+ && ngx_http_accept_encoding(&ae->value, "gzip", 4) != NGX_OK)
{
return NGX_DECLINED;
}
@@ -2297,15 +2297,42 @@
}


+ngx_int_t
+ngx_http_brotli_ok(ngx_http_request_t *r)
+{
+ ngx_table_elt_t *ae;
+
+ if (r != r->main) {
+ return NGX_DECLINED;
+ }
+
+ ae = r->headers_in.accept_encoding;
+ if (ae == NULL) {
+ return NGX_DECLINED;
+ }
+
+ if (ae->value.len < sizeof("br") - 1) {
+ return NGX_DECLINED;
+ }
+
+ if (ngx_http_accept_encoding(&ae->value, "br", 2) != NGX_OK)
+ {
+ return NGX_DECLINED;
+ }
+
+ return NGX_OK;
+}
+
+
/*
- * gzip is enabled for the following quantities:
+ * encoding is enabled for the following quantities:
* "gzip; q=0.001" ... "gzip; q=1.000"
- * gzip is disabled for the following quantities:
- * "gzip; q=0" ... "gzip; q=0.000", and for any invalid cases
+ * encoding is disabled for the following quantities:
+ * "br; q=0" ... "br; q=0.000", and for any invalid cases
*/

static ngx_int_t
-ngx_http_gzip_accept_encoding(ngx_str_t *ae)
+ngx_http_accept_encoding(ngx_str_t *ae, char *e, size_t n)
{
u_char *p, *start, *last;

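Review bot: the rewritten comment above ngx_http_accept_encoding() gives "gzip; q=..." examples for the enabled case and "br; q=..." examples for the disabled case, which reads as if the two encodings were handled differently; use one placeholder name in both halves. In ngx_http_brotli_ok(), the opening brace after the single-line condition "if (ngx_http_accept_encoding(&ae->value, "br", 2) != NGX_OK)" sits on its own line, unlike the other single-line conditions in the same function.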
@@ -2313,7 +2340,7 @@
last = start + ae->len;

for ( ;; ) {
- p = ngx_strcasestrn(start, "gzip", 4 - 1);
+ p = ngx_strcasestrn(start, e, n - 1);
if (p == NULL) {
return NGX_DECLINED;
}
@@ -2322,10 +2349,10 @@
break;
}

- start = p + 4;
- }
-
- p += 4;
+ start = p + n;
+ }
+
+ p += n;

while (p < last) {
switch (*p++) {
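Review bot: the closing "}" and the blank line after "start = p + 4;" are removed and re-added with no visible difference, which points to whitespace-only churn (indentation or trailing spaces) mixed into a functional change. Restrict the hunk to the two real edits, "start = p + n;" and "p += n;".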
@@ -2364,7 +2391,7 @@
return NGX_DECLINED;
}

- if (ngx_http_gzip_quantity(p, last) == 0) {
+ if (ngx_http_encoding_quantity(p, last) == 0) {
return NGX_DECLINED;
}

@@ -2373,7 +2400,7 @@


static ngx_uint_t
-ngx_http_gzip_quantity(u_char *p, u_char *last)
+ngx_http_encoding_quantity(u_char *p, u_char *last)
{
u_char c;
ngx_uint_t n, q;
diff -r 87cf6ddb41c2 -r 96939e63f305 src/http/ngx_http_core_module.h
--- a/src/http/ngx_http_core_module.h Fri Feb 17 17:01:27 2017 +0300
+++ b/src/http/ngx_http_core_module.h Wed Feb 22 13:01:13 2017 +0100
@@ -504,6 +504,7 @@
ngx_int_t ngx_http_auth_basic_user(ngx_http_request_t *r);
#if (NGX_HTTP_GZIP)
ngx_int_t ngx_http_gzip_ok(ngx_http_request_t *r);
+ngx_int_t ngx_http_brotli_ok(ngx_http_request_t *r);
#endif






Take 2 - modify ngx_http_gzip_static_module to serve both .gz and .br.


On 22 February 2017 at 16:10, Eugene Kluchnikov <eustas.ru@gmail.com> wrote:

> Yup. Going to try to create a "combined" module soon =)
>
> On 22 February 2017 at 15:40, Valentin V. Bartenev <vbart@nginx.com>
> wrote:
>>
>> At the first glance, the differences are really small and
>> such functionality can be combined in one module.
>>
>

Re: AW: Nginx multiple upstream with different protocols

For a server {} that you want to make both universally compatible with both http port 80 and https port 443 ssl requests.

This was my solution for my own sites.

#inside http block
upstream proxy_web_rack { #port 80 unsecured requests
    server 172.16.0.1:80;
}
upstream proxy_web_rack_ssl { #port 443 secured requests
    server 172.16.0.1:443;
}
#end http block


#Server block
server {
    listen 80;
    listen 443 ssl;

    location / {

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        if ($scheme = "http") {
            proxy_pass $scheme://proxy_web_rack; #if scheme was http send to port 80
        }
        if ($scheme = "https") {
            proxy_pass $scheme://proxy_web_rack_ssl; #if scheme was https send to port 443
        }

    } #end location

}
#end server block


That way if the received request from client is a https secured one proxy_pass will make sure that it goes over port 443 and remains secured.
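A map-based variant of the configuration in the post above, added here as an illustration and not taken from the poster or the nginx project. Sending the request to port 443 only encrypts the hop: nginx does not check the upstream certificate unless proxy_ssl_verify is on, so the example enables it. The certificate paths, the CA bundle and the name backend.example.internal are assumptions.

```nginx
# Added example. Paths and backend.example.internal are placeholders.
http {
    upstream proxy_web_rack     { server 172.16.0.1:80;  }
    upstream proxy_web_rack_ssl { server 172.16.0.1:443; }

    # Choose the upstream group from the client-facing scheme.
    # This replaces the two "if" blocks with a single lookup.
    map $scheme $backend {
        http   proxy_web_rack;
        https  proxy_web_rack_ssl;
    }

    server {
        listen 80;
        listen 443 ssl;
        ssl_certificate     /etc/nginx/tls/site.crt;   # placeholder
        ssl_certificate_key /etc/nginx/tls/site.key;   # placeholder

        location / {
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;

            # These apply only when the request leaves over https.
            # Verification is off by default, so without them any
            # certificate presented on 172.16.0.1:443 is accepted.
            proxy_ssl_verify              on;
            proxy_ssl_verify_depth        2;
            proxy_ssl_trusted_certificate /etc/nginx/tls/upstream-ca.pem;  # placeholder

            # The name checked against the certificate defaults to the
            # proxy_pass host, which here would be the upstream group name,
            # so set the real certificate name explicitly.
            proxy_ssl_server_name         on;
            proxy_ssl_name                backend.example.internal;        # placeholder

            # With variables in proxy_pass, nginx looks the resulting host
            # up among the declared upstream groups first.
            proxy_pass $scheme://$backend;
        }
    }
}
```

Run nginx -t after editing; a missing CA bundle or certificate file is reported there rather than at the first proxied request.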

Re: limit_req based on custom code
