Re: Nginx as reverse proxy - proxy_ssl_x questions
Hello Mr. Maxim, thank you very much for your reply.

Things are much clearer now, thanks!

One last question:

I have implemented nginx as a reverse proxy with TLS termination on my FreeBSD host machine, and another nginx instance running in my jail, at 10.10.10.2.

So, the host machine does the reverse proxying and SSL.

Before I open my website to the public and production (a WordPress website), could you please kindly have a look at my reverse proxy configuration here:

http://paste.nginx.org/b8

So that you might wish to add some suggestions, or perhaps I still have a misconfigured/unneeded directive there?

Thanks once again,
Regards.
Mark.

Maxim Dounin wrote on Sun, 19 Nov 2023 at 03:05:
> Hello!
>
> On Sat, Nov 18, 2023 at 01:54:21PM +0300, Mark wrote:
>
> > Hello there.
> >
> > Having a proxy directive like;
> >
> > location / {
> >     proxy_pass http://10.10.10.4:4020;
> >     ...
> >
> > I wonder when using proxy_pass http://... (not httpS),
> > are these directives effective, under the proxy_pass?
> >
> > proxy_ssl_name $host;
> > proxy_ssl_server_name on;
> > proxy_ssl_session_reuse off;
> >
> > Or they would work ONLY if proxy_pass is pointed to an "https://";?
>
> The "proxy_ssl_*" directives define configuration for SSL
> proxying. That is, corresponding values are only used when
> proxy_pass is used with the "https" scheme.
>
> --
> Maxim Dounin
> http://mdounin.ru/
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx
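The point Maxim makes above, shown side by side as an added configuration example (this is not from the original thread or from any poster's paste): with "proxy_pass http://" the proxy_ssl_* directives are silently ignored, and only with "proxy_pass https://" do they take effect. The second location also shows the directives a defender would add once upstream TLS is in play, so that the backend's certificate is actually verified rather than merely encrypted to. The backend address 10.10.10.4:4020 is the one from the thread; the CA bundle path and the "backend.internal" name are assumptions.

```nginx
# Plain HTTP to the backend: the proxy_ssl_* lines below have no effect at all,
# nginx never starts a TLS handshake toward 10.10.10.4:4020.
location /plain/ {
    proxy_pass http://10.10.10.4:4020;

    proxy_ssl_name $host;            # ignored with the http scheme
    proxy_ssl_server_name on;        # ignored with the http scheme
    proxy_ssl_session_reuse off;     # ignored with the http scheme
}

# HTTPS to the backend: now the proxy_ssl_* directives are used.
location /tls/ {
    proxy_pass https://10.10.10.4:4020;

    # Name sent in SNI and checked against the backend certificate.
    # A fixed backend name is usually safer than $host, which is client-controlled.
    proxy_ssl_name backend.internal;             # assumed backend hostname
    proxy_ssl_server_name on;
    proxy_ssl_session_reuse off;

    # Without proxy_ssl_verify, nginx accepts any certificate the backend presents.
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_trusted_certificate /usr/local/etc/ssl/internal-ca.pem;   # assumed path
    proxy_ssl_protocols TLSv1.2 TLSv1.3;
}
```

Check the effect with "nginx -t" and then a request to each location: an HTTPS backend that presents a certificate not issued by the trusted CA, or issued for a different name than proxy_ssl_name, is refused with a 502 in the /tls/ location, which is the behaviour you want before trusting the path between host and jail.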
RE: Limiting number of client TLS connections
> sudden surge of requests, existing connections can get enough share of CPU
> to be served properly, while excessive connections are rejected

While you can't limit the connections (before the TLS handshake) there is a module to limit the requests per client/ip
https://nginx.org/en/docs/http/ngx_http_limit_req_module.html
(and with limit_req_status 444; you can effectively close the connection without returning any response).

rr
Re: Nginx as reverse proxy - proxy_ssl_x questions
Hello!

On Sun, Nov 19, 2023 at 12:41:11PM +0300, Mark wrote:

> Hello Mr. Maxim, thank you very much for your reply.
>
> Things are much clearer now, thanks!
>
> One, last question;
>
> I have implemented nginx as a reverse proxy with TLS termination in my
> FreeBSD host machine, and another nginx instance running in my jail, in;
> 10.10.10.2.
>
> So, the host machine does the reverse proxying and SSL.
>
> Before I open my website to public and production (a Wordpress website),
> could you please kindly have a look at my reverse proxy configuration here;
>
> http://paste.nginx.org/b8
>
> So that you might wish to add some suggestions, or perhaps I still have a
> misconfigured/unneeded directive there?

Here are some comments:

> proxy_cache_bypass $http_upgrade;

You don't need proxy_cache_bypass if you aren't using cache.

> proxy_buffering off;

I don't really recommend switching off buffering unless you have reasons to. And if the reason is to avoid disk buffering, consider "proxy_max_temp_file_size 0;" instead, see http://nginx.org/r/proxy_max_temp_file_size for details.

> proxy_set_header Referer $scheme://$host;

This looks simply wrong.

> proxy_set_header X-Scheme https;
> proxy_set_header X-Forwarded-Proto https;
> proxy_set_header X-Scheme https;
> proxy_set_header X-Forwarded-Ssl on;

This looks like a bit too many custom headers to let the backend know that https is being used.

> proxy_set_header Upgrade $http_upgrade;
> proxy_set_header Connection "upgrade";

This shouldn't be used unless you are intentionally configuring WebSocket proxying.

> proxy_set_header Early-Data $ssl_early_data;

This is certainly not needed unless you are using TLSv1.3 Early Data (http://nginx.org/r/ssl_early_data), and you aren't.

Hope this helps.

--
Maxim Dounin
http://mdounin.ru/
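The review above, folded into one configuration as an added example (this is not Mark's paste and not something Maxim posted): each of the questioned directives is either dropped or replaced by the alternative named in the review. The jail address 10.10.10.2 is from the thread; the server name, certificate paths and the listening port of the backend are assumptions for this example.

```nginx
# Host-side reverse proxy: TLS is terminated here, the jail speaks plain HTTP.
server {
    listen 443 ssl;
    server_name example.com;                               # assumed

    ssl_certificate     /usr/local/etc/ssl/example.com.fullchain.pem;   # assumed path
    ssl_certificate_key /usr/local/etc/ssl/example.com.key;             # assumed path
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://10.10.10.2;

        # One header per fact the backend needs; no X-Scheme / X-Forwarded-Ssl duplicates.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Referer is deliberately not overwritten: the client's own value passes through.

        # Buffering stays on (the default). If the concern was disk buffering,
        # this keeps responses in memory buffers instead of temp files.
        proxy_max_temp_file_size 0;

        # Intentionally absent, per the review:
        #   proxy_cache_bypass   - no proxy_cache is configured, so it does nothing
        #   Upgrade / Connection - only for WebSocket proxying
        #   Early-Data           - only meaningful with ssl_early_data on
    }
}
```

The backend in the jail should trust X-Forwarded-For and X-Forwarded-Proto only because they are set unconditionally by this proxy; it should not be reachable from anywhere but the host, otherwise a client can inject those headers itself.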
Re: Limiting number of client TLS connections
Hello,

A self contained solution would be to double proxy, first through nginx stream server and then locally back to nginx http server (with proxy_pass via unix socket, or to localhost on a different port).

You can implement your own custom rate limiting logic in the stream server with NJS (js_access) and use the new js_shared_dict_zone (which is shared between workers) for persistently storing rate calculations.

You'd have additional overhead from the stream tcp proxy and the njs, but it shouldn't be too great (at least compared to overhead of TLS handshakes).

Regards,
Jordan Carter.

From: nginx on behalf of Zero King
Sent: Saturday, November 18, 2023 6:44 AM
To: nginx@nginx.org
Subject: Limiting number of client TLS connections

Hi all,

I want Nginx to limit the rate of new TLS connections and the total (or per-worker) number of all client-facing connections, so that under a sudden surge of requests, existing connections can get enough share of CPU to be served properly, while excessive connections are rejected and retried against other servers in the cluster.

I am running Nginx on a managed Kubernetes cluster, so tuning kernel parameters or configuring layer 4 firewall is not an option.

To serve existing connections well, worker_connections can not be used, because it also affects connections with proxied servers.

Is there a way to implement these measures in Nginx configuration?
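The double-proxy layout Jordan describes, together with the limit_req / limit_req_status 444 suggestion from rr's reply, as one added configuration example (not code from either poster). The stream server accepts the raw TCP connection before any TLS handshake, applies a connection cap and the njs access check, then hands the bytes to the http server over a unix socket; the http server terminates TLS and adds a per-request limit. It goes slightly beyond the thread in also using the stream module's native limit_conn for the concurrent-connection cap, which needs no njs. Socket paths, zone names, thresholds, the njs file and the application backend address are all assumptions.

```nginx
# Fragment of nginx.conf; assumes njs is available (load_module if built as a dynamic module).
load_module modules/ngx_stream_js_module.so;   # omit if njs is compiled in

events { worker_connections 1024; }

stream {
    js_import ratelimit from /etc/nginx/njs/ratelimit.js;        # assumed handler file
    js_shared_dict_zone zone=newconn:1m type=number timeout=1s evict;   # shared across workers

    # Native per-client cap on concurrent client-facing connections,
    # enforced before TLS and independent of worker_connections.
    limit_conn_zone $binary_remote_addr zone=perip:10m;

    server {
        listen 443;                       # plain TCP here, no ssl: nothing is decrypted yet
        limit_conn perip 20;              # assumed threshold
        js_access ratelimit.allow;        # custom new-connection rate check in njs
        proxy_protocol on;                # preserve the client address across the hop
        proxy_pass unix:/var/run/nginx-https.sock;
    }
}

http {
    limit_req_zone $binary_remote_addr zone=req:10m rate=10r/s;   # assumed rate

    server {
        listen unix:/var/run/nginx-https.sock ssl proxy_protocol;
        set_real_ip_from unix:;           # trust PROXY protocol only from the local socket
        real_ip_header proxy_protocol;

        ssl_certificate     /etc/nginx/tls/fullchain.pem;   # assumed path
        ssl_certificate_key /etc/nginx/tls/privkey.pem;     # assumed path
        ssl_protocols TLSv1.2 TLSv1.3;

        location / {
            limit_req zone=req burst=20 nodelay;
            limit_req_status 444;         # over limit: close without sending a response
            proxy_pass http://127.0.0.1:8080;   # assumed application backend
        }
    }
}
```

The assumed ratelimit.js exports an `allow(s)` function for js_access: it increments a per-address counter with `ngx.shared.newconn.incr(s.remoteAddress, 1, 0)` (the 1s timeout on the zone makes this a new-connections-per-second count), calls `s.deny()` when the count exceeds the chosen threshold and `s.allow()` otherwise. Denied connections are closed before the TLS handshake, which is what keeps the CPU cost of a surge low; the client sees a reset and can retry against another server in the cluster. Because the limits key on $binary_remote_addr, make sure the address seen by the stream server is the real client and not a load balancer in front of it, or every client will share one bucket.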