ngx_http_find_virtual_server ngx_http_regex_exec DOS
Greetings fellow nginx-devs,

It looks to me as if an attacker could force the server to use up a large amount of resources doing ngx_http_regex_exec if the server were to be configured with a relatively large number of regex server_names.

I would appreciate any ideas on the topic, especially suggestions as to how some form of caching could be implemented for the responses, so that the server didn't have to execute the ngx_http_regex_exec on subsequent requests.

    for (i = 0; i < virtual_names->nregex; i++) {

        n = ngx_http_regex_exec(r, sn[i].regex, host);

        if (n == NGX_DECLINED) {
            continue;
        }

        if (n == NGX_OK) {
            *cscfp = sn[i].server;
            return NGX_OK;
        }

        return NGX_ERROR;
    }

./src/http/ngx_http_request.c

Regards,
Gabriel

___
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx
How can I sync nginx.conf in two keepalived server?
Hi, all. I have just deployed two nginx servers and made them highly available using keepalived. I tested it, and HA works fine.

But I have some new questions here:
1st, when I edit the nginx.conf on the master server, how do I transfer the conf file to the backup server immediately?
2nd, after I edit it, I should run 'nginx -s reload' on the master server; how can the backup server do the same without a manual run?
And last, if the config is not correct, after the file is transferred to the backup, the backup server cannot restart correctly; will the backup go down?

Thanks.

--
from:baalchina
Re: How can I sync nginx.conf in two keepalived server?
This may help:
https://docs.nginx.com/nginx/admin-guide/high-availability/configuration-sharing/

Regards,
Jason

On Tue, Jan 30, 2024, 9:04 AM baalchina wrote:

> Hi, all. I have just deployed two nginx servers and made them highly available
> using keepalived. I tested it, and HA works fine.
>
> But I have some new questions here:
> 1st, when I edit the nginx.conf on the master server, how do I transfer the
> conf file to the backup server immediately?
> 2nd, after I edit it, I should run 'nginx -s reload' on the master
> server; how can the backup server do the same without a manual run?
> And last, if the config is not correct, after the file is transferred to the
> backup, the backup server cannot restart correctly; will the backup go
> down?
>
> Thanks.
>
> --
> from:baalchina
Re: Managing Static Files
Hello!

On Tue, Jan 30, 2024 at 07:36:49AM +, bittn...@gmail.com wrote:

> Hi...I read a few articles about managing static files and I'm a
> bit confused!
> I use Nginx as the main server to host my website
> I enabled gzip and brotli
> I have also enabled gzip_static and brotli_static
> And I have pre-compressed all static files with gzip and brotli
> I read in an article that after compressing all files, I should
> delete all uncompressed files to save memory and only gzip and
> Brotli files remain.
> (Of course, I need to create an empty file called index.html for
> it to work properly)
> Everything works fine now but my problem is when the browser
> doesn't support compression and requires uncompressed files.
> In another article it was written that if gunzip is enabled for
> browsers that do not support the compressed format, it
> decompresses the gzip then sends it to the client.
> But after doing some testing, I found (I think) that gunzip only
> works if nginx is used as the proxy (between main server and
> client) (due to the content encoding header requirement).
> Now, if I want to support gzip, brotli and non-compressed files,
> do I have to have all three types of files? Is this method
> correct? What method do you use? What method is suggested? Thanks

The gunzip module works perfectly fine without proxying, though you'll need to ensure that appropriate Content-Encoding is properly set on the response. In particular, if you only have gzipped files, you can do:

    gzip_static always;
    gunzip on;

In this configuration gzip_static will respond with the compressed version of the file to all requests, and gunzip will uncompress it for clients which do not support gzip (see http://nginx.org/r/gzip_static for the documentation).

Not sure about brotli_static, but if the 3rd party module is implemented properly, it should be possible to do "brotli_static on;" in the same configuration to return brotli-compressed files to clients which support brotli.

It is not required to delete uncompressed files though. While the gunzip module makes it possible, this might not be the best approach available: uncompressing files on the fly certainly consumes additional CPU resources, and also no uncompressed files on disk might be suboptimal for other tasks. Removing uncompressed files usually makes sense only if the amount of static files is huge.

Hope this helps.

--
Maxim Dounin
http://mdounin.ru/
Re: ngx_http_find_virtual_server ngx_http_regex_exec DOS
Hello!

On Tue, Jan 30, 2024 at 10:28:23AM +0200, Clima Gabriel wrote:

> Greetings fellow nginx-devs,
> It looks to me as if an attacker could force the server to use up a large
> amount of resources doing ngx_http_regex_exec if the server were to be
> configured with a relatively large number of regex server_names.
> I would appreciate any ideas on the topic, especially suggestions as to how
> some form of caching could be implemented for the responses, so that the
> server didn't have to execute the ngx_http_regex_exec on subsequent
> requests.

Not using "large number of regex server_names" might be the best solution available here. Requests are not required to be to the same virtual server, and caching won't generally work.

--
Maxim Dounin
http://mdounin.ru/
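
An added illustration of the point made in the reply above, not code from the nginx source tree: a model of the quoted loop with a hypothetical per-Host cache in front of it, using POSIX regcomp/regexec in place of nginx's PCRE wrapper. The patterns, NREGEX, CACHE_SLOTS and all function names are constructed for the example.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

#define NREGEX 64        /* constructed count of regex server_names */
#define CACHE_SLOTS 16   /* hypothetical per-Host result cache */
static regex_t names[NREGEX];
static long regex_calls; /* number of regexec() invocations */
static struct { char host[64]; int server; } cache[CACHE_SLOTS];

/* Compile constructed patterns ^site0\.example\.com$ ... and reset state. */
static void setup(void) {
    char pat[64];
    for (int i = 0; i < NREGEX; i++) {
        snprintf(pat, sizeof pat, "^site%d\\.example\\.com$", i);
        regcomp(&names[i], pat, REG_EXTENDED | REG_NOSUB);
    }
    memset(cache, 0, sizeof cache);
    regex_calls = 0;
}
/* Same shape as the quoted loop: first match wins, -1 means no match. */
static int find_by_regex(const char *host) {
    for (int i = 0; i < NREGEX; i++) {
        regex_calls++;
        if (regexec(&names[i], host, 0, NULL, 0) == 0) return i;
    }
    return -1;
}
/* Cache in front of the scan, keyed on the exact Host value. */
static int find_cached(const char *host) {
    unsigned slot = 0;
    for (const char *p = host; *p; p++) slot = slot * 31 + (unsigned char)*p;
    slot %= CACHE_SLOTS;
    if (strcmp(cache[slot].host, host) == 0) return cache[slot].server;
    snprintf(cache[slot].host, sizeof cache[slot].host, "%s", host);
    return cache[slot].server = find_by_regex(host);
}
/* regexec() calls for `requests` lookups; vary_host gives each a new Host. */
long cost(int requests, int vary_host) {
    char host[64];
    setup();
    for (int r = 0; r < requests; r++) {
        snprintf(host, sizeof host, "h%d.invalid", vary_host ? r : 0);
        find_cached(host);
    }
    for (int i = 0; i < NREGEX; i++) regfree(&names[i]);
    return regex_calls;
}
int main(void) { printf("%ld %ld\n", cost(100, 0), cost(100, 1)); return 0; }
```

With one repeated Host the cache absorbs every scan after the first, but when each lookup carries a different Host every lookup is a miss and runs all NREGEX expressions. The work per request is bounded by the number of regex names, which is the quantity the reply suggests reducing.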