Channel: Nginx Forum

nginx as https client

Good afternoon.

I need to configure nginx as a reverse proxy to an
https server that requires authorization by client certificate.
Searching Google and the documentation turned up nothing. Is this possible at all?

--
Denis Kostousov
email: denis.kostousovATgmailDOTcom
jabber: denis.kostousovATgmailDOTcom
fingerprint: D32B A253 F678 9EF1 1079 4F5A 52E1 8EEA FAF9 E1F1

_______________________________________________
nginx-ru mailing list
nginx-ru@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-ru

Re: nginx as https client

15.02.2013 20:59, Denis Kostousov wrote:
> Good afternoon.
>
> I need to configure nginx as a reverse proxy to an
> https server that requires authorization by client certificate.
> Searching Google and the documentation turned up nothing. Is this possible at all?

No, this is not possible, because the proxy server will not be able to get
access to the client's private key.


--
Best regards,
Andrey Kopeyko <andrey@kopeyko.ru>


Re: nginx as https client

Hello, Denis.

You wrote on 15 February 2013, 20:59:03:

> Good afternoon.

> I need to configure nginx as a reverse proxy to an
> https server that requires authorization by client certificate.
> Searching Google and the documentation turned up nothing. Is this possible at all?

Sorry, but what is the point? I'm afraid you won't be able to serve images
with nginx. Caching anything, even less so.

--
Best regards,
Dmitry mailto:nginx-ru@sadok.spb.ru


Re: nginx as https client

Just internal complications. Our service requires authorization over ssl. A lot
is tied to this. And one of our clients cannot get this working on their side for
technical reasons. So we are thinking of setting up a proxy for them that
will wrap everything in ssl and attach the client certificate.

16.02.2013 02:56, Dmitry Ivanov wrote:
> Hello, Denis.
>
> You wrote on 15 February 2013, 20:59:03:
>
>> Good afternoon.
>> I need to configure nginx as a reverse proxy to an
>> https server that requires authorization by client certificate.
>> Searching Google and the documentation turned up nothing. Is this possible at all?
> Sorry, but what is the point? I'm afraid you won't be able to serve images
> with nginx. Caching anything, even less so.

--
Denis Kostousov
email: denis.kostousovATgmailDOTcom
jabber: denis.kostousovATgmailDOTcom
fingerprint: D32B A253 F678 9EF1 1079 4F5A 52E1 8EEA FAF9 E1F1


Re: nginx as https client

On Sat, Feb 16, 2013 at 11:43:27AM +0600, Denis Kostousov wrote:
> Just internal complications. Our service requires authorization over ssl. A lot
> is tied to this. And one of our clients cannot get this working on their side for
> technical reasons. So we are thinking of setting up a proxy for them that
> will wrap everything in ssl and attach the client certificate.

stunnel, configured in client mode?


Re: Upgrade From Fedora 15 to 17: nginx Doesn't Work

I've tried to fix the "Too many connections problem" following the suggested sites:
http://www.cyberciti.biz/tips/linux-procfs-file-descriptors.html
http://www.cyberciti.biz/faq/linux-unix-nginx-too-many-open-files/#comment-79592

I've run into other seemingly nonsensical errors.

I have a new unused server here where I’m trying to install/use nginx for php for the first time.

Strange error for unused server?
==
Firstly, it seems strange to me that I would get “Too many open files” for a new unused server. ulimit -Hn/Sn showed 4096/1024 which seemed adequate while nginx was using only 9/10 according to: ls -l /proc//fd | wc -l

Anyhow, I followed the instructions and now I get this error:
==
2013/02/15 16:30:39 [alert] 4785#0: 1024 worker_connections are not enough
2013/02/15 16:30:39 [error] 4785#0: *1021 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 127.0.0.1, server: localhost, request: "GET /info.php HTTP/1.0", upstream: "http://127.0.0.1:80/info.php", host: "127.0.0.1"

Tried:
==
I’ve tried increasing the worker_connections to large numbers e.g. 19999 to no avail.

Any tips?

Re: Upgrade From Fedora 15 to 17: nginx Doesn't Work

I forgot to click "Follow Topic", so I'm posting again just to do that, as I don't see any way to alter my previous post to enable follow.

So please reply after this post or in some other way by which I'll be notified of your reply.

Thanks!

Re: nginx as https client

Denis Kostousov <denis.kostousov@gmail.com> wrote:

>Just internal complications. Our service requires authorization over ssl. A lot
>is tied to this. And one of our clients cannot get this working on their side for
>technical reasons. So we are thinking of setting up a proxy for them that
>will wrap everything in ssl and attach the client certificate.
>
>16.02.2013 02:56, Dmitry Ivanov wrote:
>> Hello, Denis.
>>
>> You wrote on 15 February 2013, 20:59:03:
>>
>>> Good afternoon.
>>> I need to configure nginx as a reverse proxy to an
>>> https server that requires authorization by client certificate.
>>> Searching Google and the documentation turned up nothing. Is this possible at all?
>> Sorry, but what is the point? I'm afraid you won't be able to serve images
>> with nginx. Caching anything, even less so.
>>
>
>--
>Denis Kostousov
>email: denis.kostousovATgmailDOTcom
>jabber: denis.kostousovATgmailDOTcom
>fingerprint: D32B A253 F678 9EF1 1079 4F5A 52E1 8EEA FAF9 E1F1

You are strange people - you require strict, certificate-based authentication of clients, and you yourselves want to make a mockery of that authentication...

IMHO, you should train the client. Or drop them, if they are hopeless.
--
Sent via K-9 Mail. Please excuse my brevity.


Re: nginx as https client

16.02.2013 14:50, Andrey Kopeyko wrote:
> Denis Kostousov <denis.kostousov@gmail.com> wrote:
>
>> Just internal complications. Our service requires authorization over ssl. A lot
>> is tied to this. And one of our clients cannot get this working on their side for
>> technical reasons. So we are thinking of setting up a proxy for them that
>> will wrap everything in ssl and attach the client certificate.
>>
>> 16.02.2013 02:56, Dmitry Ivanov wrote:
>>> Hello, Denis.
>>>
>>> You wrote on 15 February 2013, 20:59:03:
>>>
>>>> Good afternoon.
>>>> I need to configure nginx as a reverse proxy to an
>>>> https server that requires authorization by client certificate.
>>>> Searching Google and the documentation turned up nothing. Is this possible at all?
>>> Sorry, but what is the point? I'm afraid you won't be able to serve images
>>> with nginx. Caching anything, even less so.
>>>
>> --
>> Denis Kostousov
>> email: denis.kostousovATgmailDOTcom
>> jabber: denis.kostousovATgmailDOTcom
>> fingerprint: D32B A253 F678 9EF1 1079 4F5A 52E1 8EEA FAF9 E1F1
> You are strange people - you require strict, certificate-based authentication of clients, and you yourselves want to make a mockery of that authentication...
>
> IMHO, you should train the client. Or drop them, if they are hopeless.

Clients like this are not "trained"; almost everything is done for them at the first request ;)
Clearly, such an approach is not for everyone. There is no mockery here. Because
the rest of the crowd will not get in through this hole. Even if they want to
very, very, very much.

--
Denis Kostousov
email: denis.kostousovATgmailDOTcom
jabber: denis.kostousovATgmailDOTcom
fingerprint: D32B A253 F678 9EF1 1079 4F5A 52E1 8EEA FAF9 E1F1

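For reference, nginx releases from 1.7.8 onward (later than this 2013 thread) can present a client certificate to an upstream with proxy_ssl_certificate. The following is an added example, not configuration posted by anyone in the thread; every hostname, address and file path in it is a placeholder assumption. It shows the proxy the thread describes, restricted so that only the one client that cannot do TLS itself can borrow the proxy's identity:

```nginx
# Added example. All names, addresses and paths are placeholders.
# Requires nginx 1.7.8 or later (proxy_ssl_certificate did not exist in 2013).

server {
    # Bind only to the internal interface that faces the one client
    # unable to perform TLS client authentication itself.
    # The hop from that client to this listener is plaintext HTTP,
    # so it has to stay on a trusted network segment.
    listen 10.0.0.1:8080;

    # The proxy holds the credential, so whoever can reach this listener
    # is authenticated upstream as that client. Restrict it explicitly.
    allow 10.0.0.23;    # the single permitted client (placeholder)
    deny  all;

    location / {
        proxy_pass https://service.example.com;

        # Certificate and private key presented to the upstream service.
        # Keep the key file readable by root only.
        proxy_ssl_certificate     /etc/nginx/client/client.crt;
        proxy_ssl_certificate_key /etc/nginx/client/client.key;

        # Verify the upstream certificate as well; nginx does not
        # verify upstream certificates unless told to.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/client/upstream-ca.pem;

        # Send SNI and check the certificate against the expected name.
        proxy_ssl_server_name on;
        proxy_ssl_name        service.example.com;

        proxy_set_header Host service.example.com;
    }
}
```

With this layout the upstream can no longer tell the real client from anything else that reaches the listener, so the allow/deny pair and the bind address are what carry the authentication.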

Re: Upgrade From Fedora 15 to 17: nginx Doesn't Work

Hello!

On Sat, Feb 16, 2013 at 03:43:55AM -0500, youreright wrote:

> I've tried to fix the "Too many connections problem" following the suggested
> sites:
> http://www.cyberciti.biz/tips/linux-procfs-file-descriptors.html
> http://www.cyberciti.biz/faq/linux-unix-nginx-too-many-open-files/#comment-79592
>
> I've run into other seemingly nonsensical errors.
>
> I have a new unused server here where I’m trying to install/use nginx for
> php for the first time.
>
> Strange error for unused server?
> ==
> Firstly, it seems strange to me that I would get “Too many open files” for a
> new unused server. ulimit -Hn/Sn showed 4096/1024 which seemed adequate while
> nginx was using only 9/10 according to: ls -l /proc//fd | wc -l
>
> Anyhow, I followed the instructions and now I get this error:
> ==
> 2013/02/15 16:30:39 [alert] 4785#0: 1024 worker_connections are not enough
> 2013/02/15 16:30:39 [error] 4785#0: *1021 recv() failed (104: Connection
> reset by peer) while reading response header from upstream, client:
> 127.0.0.1, server: localhost, request: "GET /info.php HTTP/1.0", upstream:
> "http://127.0.0.1:80/info.php", host: "127.0.0.1"
>
> Tried:
> ==
> I’ve tried increasing the worker_connections to large numbers e.g. 19999 to
> no avail.
>
> Any tips?

The error message (in particular, "127.0.0.1:80" as an upstream, and
"127.0.0.1" as a server) suggests you have a proxy loop in your
configuration.

--
Maxim Dounin
http://nginx.com/support.html

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
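A configuration that produces log lines of this shape, as an added example (the poster's real configuration does not appear in the thread, and the backend port 8080 is an assumption):

```nginx
# Added example; not the poster's configuration.

# --- Looping variant ---
server {
    listen 80;
    server_name localhost;

    location ~ \.php$ {
        # The upstream is this same listener. Each proxied request arrives
        # back as a new connection from client 127.0.0.1, matches this
        # location again and is proxied once more. A single request keeps
        # consuming two connections per hop until the worker reports
        # "worker_connections are not enough", however high the limit is.
        proxy_pass http://127.0.0.1:80;
    }
}

# --- Corrected variant (use instead of the block above) ---
# The backend that actually runs PHP listens on its own port, so the
# request leaves nginx instead of re-entering it.
#
# server {
#     listen 80;
#     server_name localhost;
#
#     location ~ \.php$ {
#         proxy_pass http://127.0.0.1:8080;   # assumed backend port
#         proxy_set_header Host $host;
#     }
# }
```

The tell-tale in the error log is an upstream address equal to the address nginx itself listens on, combined with client 127.0.0.1.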

SPDY+CORS not working under Chrome

Hi,
I have the following problem: we are running a website with SPDY enabled (nginx
1.3.12 with SPDY patch 62 and OpenSSL 1.0.1e) where we are providing an API
interface too. This API is used by another site (mobile interface), and in
order to have this whole thing working I've added the following configuration
to nginx in order to have cross-origin requests working (found this
somewhere on the web):

if ($request_method = 'OPTIONS') {
    add_header 'Access-Control-Allow-Origin' '*';

    add_header 'Access-Control-Allow-Credentials' 'true';
    add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';

    add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

    add_header 'Access-Control-Max-Age' 1728000;
    add_header 'Content-Type' 'text/plain charset=UTF-8';
    add_header 'Content-Length' 0;

    return 200;
}

The problem with that is that the Chrome browser is reporting that OPTIONS failed
when SPDY is enabled - when I turn off SPDY support everything is working
as expected.
Any idea how to work around this (and maybe it's some bug inside Chrome)?
Cheers,
Paweł
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
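Independently of the SPDY failure, browsers do not accept `Access-Control-Allow-Origin: *` on credentialed requests, so the wildcard and `Access-Control-Allow-Credentials: true` in the snippet above cannot work together. An added example (not the poster's configuration; the origins, server name, certificate paths and backend address are placeholders) that echoes back only allowlisted origins:

```nginx
# Added example. Origins, names, paths and the backend are placeholders.
# The map block goes in the http{} context.
map $http_origin $cors_origin {
    default                      "";            # unknown origin: no CORS header
    "https://m.example.com"      $http_origin;  # mobile interface
    "https://www.example.com"    $http_origin;
}

server {
    listen 443 ssl;
    server_name api.example.com;
    ssl_certificate     /etc/nginx/tls/api.crt;
    ssl_certificate_key /etc/nginx/tls/api.key;

    location /api/ {
        # Preflight: answer directly, with no body.
        if ($request_method = 'OPTIONS') {
            # add_header emits nothing when the value is empty, so origins
            # outside the map receive no Access-Control-* grant at all.
            add_header 'Access-Control-Allow-Origin'      $cors_origin;
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Methods'     'GET, POST, PUT, DELETE, OPTIONS';
            add_header 'Access-Control-Allow-Headers'     'Content-Type, X-Requested-With';
            add_header 'Access-Control-Max-Age'           1728000;
            # The response differs per Origin, so caches must key on it.
            add_header 'Vary'                             'Origin';
            return 204;
        }

        # Actual requests need the grant too, or the browser discards
        # the response even though the preflight succeeded.
        add_header 'Access-Control-Allow-Origin'      $cors_origin;
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Vary'                             'Origin';

        proxy_pass http://127.0.0.1:8080;
    }
}
```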

RFC: PolarSSL support.

Hello,

In my (regrettably) copious spare time I have been working on adding
support for PolarSSL[0] as an alternative to OpenSSL. I'm getting close
to the point where I am comfortable with the code and would like to see
if there is interest from the community and developers for this option.

What I have so far:
* src/event/ngx_event_polarssl.[h,c] (and some kludges to the build
system so I can test my code).
* Works in so much that a webserver compiled with my code can serve
https (still needs more testing and code review).

What needs to be done before it's usable:
* Need to implement ngx_ssl_trusted_certificate, just haven't gotten
around to it yet.
* Need to write implementations for ngx_ssl_get_session (and
ngx_ssl_free_session) so that ngx_http_upstream_round_robin works
again. This should be relatively easy but I need to figure out how
the module in question expects these to behave (The OpenSSL versions
are #defines to OpenSSL routines and PolarSSL's internal behavior is
reasonably different here).
* Logging related cleanup.
* PolarSSL supports SNI, but in the interest of keeping my changes
self contained (Currently no functional changes to the nginx code
apart from the addition of my module). I haven't implemented that
yet because it requires modifying the http SSL module.
* Need to figure out the nginx build system properly and integrate
building with PolarSSL properly.
* Need to see if the mail protocol support works.

What I'd like to do after the first revision:
* A few of the modules call OpenSSL routines (Eg:
SSL_CTX_set_cipher_list, X509_verify_cert_error_string). Currently
I provide wrappers for those routines in ngx_event_polarssl.c but
they should be abstracted to ngx_ functions (Eg:
ngx_set_cipher_list).
* I haven't gotten around to making ngx_md5 and ngx_sha1 use PolarSSL
yet. Would be trivial once my module is properly integrated into
the build system.

This post is mostly just trying to see if people would find this a
useful addition before I start on ticking items off the list.

Regards,

--
Yawning Angel

[0]: http://www.polarssl.org


Re: Upstream and accessing the backend by DNS name

It would also be nice if the nginx logs could record, by DNS name, which backend the client went to. Is there such a possibility?

installing nginx on centos should be straightforward

I have set up a virtual server with a LAMP stack (Centos 6.3) and am now trying to install nginx to use as a proxy server. I have been told to download from sudo rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm and have done so prior to trying to install nginx. However, something was wrong with this because when I tried to install nginx (sudo yum install nginx), there were a number of packages that were skipped due to dependency problems. When I tried to start nginx, it could not find the files.

Given that nginx is a well-used server, this has to be easier than what I am encountering. Does anyone know the correct commands to set this up so that nginx can install?

Thanks.

Re: installing nginx on centos should be straightforward

On Sat, 2013-02-16 at 17:27 -0500, mottwsc wrote:
> I have set up a virtual server with a LAMP stack (Centos 6.3) and am now
> trying to install nginx to use as a proxy server. I have been told to
> download from sudo rpm -Uvh
> http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm and
> have done so prior to trying to install nginx. However, something was wrong
> with this because when I tried to install nginx (sudo yum install nginx),
> there were a number of packages that were skipped due to dependency
> problems. When I tried to start nginx, it could not find the files.
>
> Given that nginx is a well-used server, this has to be easier than what I am
> encountering. Does anyone know the correct commands to set this up so that
> nginx can install?
>
> Thanks.
It is. If you're going to install nginx from a repo, why not use theirs?

rpm -Uvh http://nginx.org/packages/centos/6/noarch/RPMS/nginx-release-centos-6-0.el6.ngx.noarch.rpm

then

yum install nginx

( next question... why only use it as a proxy server? )

Steve
--
Steve Holdoway BSc(Hons) MIITP
http://www.greengecko.co.nz
Skype: sholdowa

convert rule apache to nginx

RewriteCond %{REQUEST_URI} /(.+?)/pagina-(.+?)/ [NC]
RewriteRule (.*) /%1/?page=%2 [L,QSA,NC]


Re: convert rule apache to nginx

Hello, Vitaly.

> RewriteCond %{REQUEST_URI} /(.+?)/pagina-(.+?)/ [NC]
> RewriteRule (.*) /%1/?page=%2 [L,QSA,NC]

Why change the URI? Where will the request go next? It looks as if
it will then be proxied to some backend.

If you described the whole task, it would be easier to help you.
--
Best regards,
Mikhail mailto:postmaster@softsearch.ru


Re: installing nginx on centos should be straightforward

Thanks for the suggestion, Steve. I was working from that angle before based on advice from a person at my hosting company and had used the nginx repo. I am addressing three points in response. Any suggestions/thoughts from you and/or others are appreciated.

(1) Reason for nginx and apache:
The reason I am planning to use nginx on the front end and apache on the back end (instead of nginx for all of it) is that I've read in an article that apache’s power and nginx’s speed are well known. But apache is hard on server memory, and nginx (while great at static files) needs the help of php-fpm or similar modules for dynamic content. The article goes on to recommend that you combine the two web servers, with nginx as static web server front and apache processing the back end. My application has a lot of dynamic content including videos, and makes use of ajax and jquery.

What are your and others' thoughts on the nginx / apache / both question?


(2) Your command to get the nginx repo:
when I tried this again with your specific command, I got:
[m@01 ~]$ rpm -Uvh http://nqinx.org/packages/centos/6/noarch/RPMS/nginx-release-centos-6-0.el6.ngx.noarch.rpm
Retrieving http://nqinx.org/packages/centos/6/noarch/RPMS/nginx-release-centos-6-0.el6.ngx.noarch.rpm
curl: (6) Couldn't resolve host 'nqinx.org'
error: skipping http://nqinx.org/packages/centos/6/noarch/RPMS/nginx-release-centos-6-0.el6.ngx.noarch.rpm - transfer failed


(3) Past attempt at installing nginx in a similar way:
I'm pasting the output from this past attempt in case anyone can see what might be missing or wrong...
[m@01 ~]$ wget http://nginx.org/packages/centos/6/noarch/RPMS/nginx-release-centos-6-0.el6.ngx.noarch.rpm
--2013-02-17 01:35:23-- http://nginx.org/packages/centos/6/noarch/RPMS/nginx-release-centos-6-0.el6.ngx.noarch.rpm
Resolving nginx.org... 206.251.255.63
Connecting to nginx.org|206.251.255.63|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4311 (4.2K) [application/x-redhat-package-manager]
Saving to: `nginx-release-centos-6-0.el6.ngx.noarch.rpm'

100%[======================================>] 4,311 --.-K/s in 0.07s

2013-02-17 01:35:23 (61.7 KB/s) - `nginx-release-centos-6-0.el6.ngx.noarch.rpm' saved [4311/4311]

[m@01 ~]$ rpm -ivh nginx-release-centos-6-0.el6.ngx.noarch.rpm
warning: nginx-release-centos-6-0.el6.ngx.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID 7bd9bf62: NOKEY
error: can't create transaction lock on /var/lib/rpm/.rpm.lock (Permission denied)
[m@01 ~]$ sudo yum install nginx
[sudo] password for m:
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.lga7.us.voxel.net
* epel: epel.mirror.constant.com
* extras: mirror.symnds.com
* updates: mirror.team-cymru.org
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package nginx.x86_64 0:0.8.55-2.el5 will be installed
--> Processing Dependency: perl(:MODULE_COMPAT_5.8.8) for package: nginx-0.8.55-2.el5.x86_64
--> Processing Dependency: libxslt.so.1()(64bit) for package: nginx-0.8.55-2.el5.x86_64
--> Processing Dependency: libssl.so.6()(64bit) for package: nginx-0.8.55-2.el5.x86_64
--> Processing Dependency: libgd.so.2()(64bit) for package: nginx-0.8.55-2.el5.x86_64
--> Processing Dependency: libexslt.so.0()(64bit) for package: nginx-0.8.55-2.el5.x86_64
--> Processing Dependency: libcrypto.so.6()(64bit) for package: nginx-0.8.55-2.el5.x86_64
--> Processing Dependency: libGeoIP.so.1()(64bit) for package: nginx-0.8.55-2.el5.x86_64
--> Running transaction check
---> Package GeoIP.x86_64 0:1.4.8-1.el5 will be installed
---> Package gd.x86_64 0:2.0.35-10.el6 will be installed
--> Processing Dependency: libpng12.so.0(PNG12_0)(64bit) for package: gd-2.0.35-10.el6.x86_64
--> Processing Dependency: libpng12.so.0()(64bit) for package: gd-2.0.35-10.el6.x86_64
--> Processing Dependency: libjpeg.so.62()(64bit) for package: gd-2.0.35-10.el6.x86_64
--> Processing Dependency: libfreetype.so.6()(64bit) for package: gd-2.0.35-10.el6.x86_64
--> Processing Dependency: libfontconfig.so.1()(64bit) for package: gd-2.0.35-10.el6.x86_64
--> Processing Dependency: libXpm.so.4()(64bit) for package: gd-2.0.35-10.el6.x86_64
--> Processing Dependency: libX11.so.6()(64bit) for package: gd-2.0.35-10.el6.x86_64
---> Package libxslt.x86_64 0:1.1.26-2.el6_3.1 will be installed
---> Package nginx.x86_64 0:0.8.55-2.el5 will be installed
--> Processing Dependency: perl(:MODULE_COMPAT_5.8.8) for package: nginx-0.8.55-2.el5.x86_64
---> Package openssl098e.x86_64 0:0.9.8e-17.el6.centos.2 will be installed
--> Running transaction check
---> Package fontconfig.x86_64 0:2.8.0-3.el6 will be installed
---> Package freetype.x86_64 0:2.3.11-14.el6_3.1 will be installed
---> Package libX11.x86_64 0:1.3-2.el6 will be installed
--> Processing Dependency: libX11-common = 1.3-2.el6 for package: libX11-1.3-2.el6.x86_64
--> Processing Dependency: libxcb.so.1()(64bit) for package: libX11-1.3-2.el6.x86_64
---> Package libXpm.x86_64 0:3.5.8-2.el6 will be installed
---> Package libjpeg.x86_64 0:6b-46.el6 will be installed
---> Package libpng.x86_64 2:1.2.49-1.el6_2 will be installed
---> Package nginx.x86_64 0:0.8.55-2.el5 will be installed
--> Processing Dependency: perl(:MODULE_COMPAT_5.8.8) for package: nginx-0.8.55-2.el5.x86_64
--> Running transaction check
---> Package libX11-common.noarch 0:1.3-2.el6 will be installed
---> Package libxcb.x86_64 0:1.5-1.el6 will be installed
--> Processing Dependency: libXau.so.6()(64bit) for package: libxcb-1.5-1.el6.x86_64
---> Package nginx.x86_64 0:0.8.55-2.el5 will be installed
--> Processing Dependency: perl(:MODULE_COMPAT_5.8.8) for package: nginx-0.8.55-2.el5.x86_64
--> Running transaction check
---> Package libXau.x86_64 0:1.0.5-1.el6 will be installed
---> Package nginx.x86_64 0:0.8.55-2.el5 will be installed
--> Processing Dependency: perl(:MODULE_COMPAT_5.8.8) for package: nginx-0.8.55-2.el5.x86_64
--> Finished Dependency Resolution
Error: Package: nginx-0.8.55-2.el5.x86_64 (epel)
Requires: perl(:MODULE_COMPAT_5.8.8)
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
[m@01 ~]$ sudo /etc/init.d/nginx start
sudo: /etc/init.d/nginx: command not found

Debugging performance under high load

Hi all,

I have a reasonably beefy VPS (16gb RAM, 4x vCores) running Ubuntu 12.04 LTS on a 1GigE line that is basically uncontested at the moment. Speed tests on the box show reasonably high bandwidth available up and down (VirtIO isn't on at the moment, but that doesn't seem to be affecting it). When doing a load test on a static object via HTTPS (apachebench on a 100kb image) with a concurrency of 1000 I'm seeing pretty poor performance - 450 requests per second, about 4.5mbps traffic, and an average of about 2.2s per request. Monitoring the server in htop I'm not seeing the memory even twitch above 570mb (out of 16gb) and an overall processor usage of like 25% per core, if that much.

My config is fairly standard - this is a static file, after all, so it's not even touching php-fpm. I have my hard and soft ulimits raised to 100k for the www-data user. I have my worker_processes set to 4, worker_rlimit_nofile set to 100k, and worker_connections set to 2048. multi_accept is on and epoll is on. I have a keepalive timeout of 2. For the purposes of this test I have a self-signed cert on the server, the ssl_protocols are set to SSLv2 SSLv3 TLSv1; and the ssl_ciphers are set to RC4:HIGH:!aNULL:!MD5:!kEDH;. Suggestions? How do I debug the poor performance so I at least know what to fix? Is there a way to step through exactly what is happening in a request under load to see where it's being delayed? I'd like to get it up to at least 1k RPS if not more, and I believe the server and the bandwidth are up to the task.

FP

Re: RFC: PolarSSL support.

Hello,

The diff containing my first pass implementation is available at:
http://www.schwanenlied.me/yawning/nginx/nginx-1.3.12-polarssl-20130217.diff.gz

Behavioral differences:
* ssl_ciphers_list format is different, though it will accept the
default cipher list setting ("HIGH:!aNULL:!MD5").
For testing purposes I used:
"TLS-RSA-WITH-RC4-128-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256:TLS-RSA-WITH-AES-256-CBC-SHA256:TLS-RSA-WITH-AES-256-GCM-SHA384:TLS-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA".
* ssl_prefer_server_ciphers does not do anything.
* I intentionally did not implement support for PolarSSL's builtin
session cache because it's not very good (It's a linked list).
shared and none should work.
* SSLv2 is not supported by PolarSSL and will never be.
* ECDH is not supported by PolarSSL yet but it is on their roadmap.
* Stapling is not supported by PolarSSL. Not sure if it will be.

Known issues:
* When building with specifying the PolarSSL source directory with
--with-polarssl=[path], the make used needs to be GNU make due to
PolarSSL shipping with GNU make files.
* ngx_http_upstream_roundrobin will not do SSL session reuse, since I
intended for the patch to be minimally intrusive. It's possible to
re-add this functionality, with changes to the module.
* My auto integration does not have support for building on non-U*ix
systems, because I do not have a windows development environment
setup (PolarSSL supports the platform however).
* SNI does not work because I haven't gone and written it yet.
* Clients that send a SSLv2 Client Hello will fail to handshake
(PolarSSL issue. They used to support this backward compatibility
option, but support for it was pulled in v1.2.0, I posted on their
support forums asking about this).
* ngx_md5 and ngx_sha1 integration still not done yet, so on some
systems[0] this may try to link against OpenSSL and have the compile
or link fail. This is a build system issue and not a code issue.

I haven't tested the client functionality (proxy modules) or mail, but I
have no reason to expect that it shouldn't just work.

Most of the code is shamelessly cribbed from ngx_event_openssl.[h,c], so
I feel good about most of the code. The auto stuff wasn't all that
documented so I'm not sure if I did it right (and it still needs work).

Thoughts, comments, feedback appreciated.

Regards,

--
Yawning Angel

[0]: I did the development on FreeBSD which has system MD5 and SHA1.
