Re: Allow internal redirect to URI x, but deny external request for x?

2019-08-30 Thread Francis Daly
On Fri, Aug 30, 2019 at 04:59:36PM -0500, J. Lewis Muir wrote: Hi there, > I was wishing for a way to specify a new root but with a modified > request URI. So, I tried the alias directive, and I assumed that > $document_root and $realpath_root would refer to the aliased document > root, but obvi

Re: ssl client auth trouble

2019-08-30 Thread j94305
I'm a big fan of throw-away certificates, i.e., self-signed certificates you may dispose of any time. It seems the generation of proper certificates is still a mystery to some, so let me briefly include a recipe for how to create them: Create a cert-client.conf of the following form: ---

Re: Allow internal redirect to URI x, but deny external request for x?

2019-08-30 Thread j94305
I've been following this, and I would take a slightly different approach. 1. Serve all apps under /{app}/releases/{version}/{path} as you have them organized in the deployment structure in the file system. 2. Forget about symbolic links and other makeshift versioning/defaulting in the file system

Re: Allow internal redirect to URI x, but deny external request for x?

2019-08-30 Thread J. Lewis Muir
On 08/30, Francis Daly wrote: > On Fri, Aug 30, 2019 at 01:58:23PM -0500, J. Lewis Muir wrote: > > Hi there, > > > location ~ ^/my-app/(.*?[^/]\.php(?:/.*|$)) { > > alias /srv/www/my-app/current/$1; > > fastcgi_split_path_info ^(.+?\.php)(/.*)$; > > return 200 "realpath_root: $realp

Re: Allow internal redirect to URI x, but deny external request for x?

2019-08-30 Thread lists
I've been following this thread not really out of need but rather that it is really interesting. That said, I don't think for security you want to "escape" the web root. The risk is that might aid a traversal attack.   Original Message   From: hobso...@gmail.com Sent: August 30

Re: Allow internal redirect to URI x, but deny external request for x?

2019-08-30 Thread Francis Daly
On Fri, Aug 30, 2019 at 01:58:23PM -0500, J. Lewis Muir wrote: Hi there, > location ~ ^/my-app/(.*?[^/]\.php(?:/.*|$)) { > alias /srv/www/my-app/current/$1; > fastcgi_split_path_info ^(.+?\.php)(/.*)$; > return 200 "realpath_root: $realpath_root\nfastcgi_script_name: > $fastcgi_scr

Re: Allow internal redirect to URI x, but deny external request for x?

2019-08-30 Thread Francis Daly
On Fri, Aug 30, 2019 at 12:33:17PM -0500, J. Lewis Muir wrote: Hi there, > I'm wishing to be able to do an internal redirect > in nginx to URL x, but deny an external request to the same URL x so > that I don't serve the same content at more than one URL. Is there a > way to do that? > > For ex

Re: proxy_set_header on HTTP or Server level

2019-08-30 Thread Francis Daly
On Fri, Aug 30, 2019 at 01:03:57PM -0400, stmx38 wrote: Hi there, > As per documentation - > http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header: > Context: http, server, location > > > These directives are inherited from the previous level if and only if > there are n

Re: Reverse proxy 404 error help!

2019-08-30 Thread Francis Daly
On Thu, Aug 29, 2019 at 10:54:33PM -0400, Soon Hyouk Lee wrote: Hi there, some web services are not set up to be friendly to be reverse-proxied at a different part of the local url hierarchy than they know about. Perhaps this is one of them. If you can configure the back-end server to believe t

Re: stream server name question

2019-08-30 Thread Francis Daly
On Mon, Aug 26, 2019 at 08:55:31PM -0400, Louis Garcia wrote: Hi there, > I am able to use $ssl_preread_server_name to get the server name. This is > with https requests. Is there a corresponding embedded variable for http > requests? No. "stream" does not know about http or https. "stream" kn

Re: proxy_pass redirect for address without trailing slash disregards Host port

2019-08-30 Thread Francis Daly
On Sat, Aug 24, 2019 at 11:17:34AM +0200, Nuno Gonçalves wrote: Hi there, > That's not correct, the server is taking the Host domain part from the > client Host header. It's just not taking the port part. > > This inconsistency is why I believe it's a bug. Before "absolute_redirect", I would ha

RE: ssl client auth trouble

2019-08-30 Thread Reinis Rozitis
> I will search for this. Not sure how to add this info to my logs, or > whether it logs failures too? $ssl_client_verify - contains the verification status You have to define a custom log_format (http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format ) For example: log_format cli

Re: ssl client auth trouble

2019-08-30 Thread AJ Weber
On 8/30/2019 12:33 PM, Reinis Rozitis wrote: When this is all done, and I import the p12 client certificate on my Windows PCs (tested 2) Chrome and Firefox show me the "400 Bad Request\n No required SSL certificate was sent". The very strange thing is IE11 on one of the two PCs, actually prom

Re: Allow internal redirect to URI x, but deny external request for x?

2019-08-30 Thread Ian Hobson
Hi Lewis, On 30/08/19 18:33, J. Lewis Muir wrote: Hello! I'm using nginx 1.12.2 on RHEL 7, and I've got a FastCGI web app that uses a deployment structure which uses an atomic symlink change for an atomic app deploy, and I'm wishing to be able to do an internal redirect in nginx to URL x, but d

Re: Allow internal redirect to URI x, but deny external request for x?

2019-08-30 Thread J. Lewis Muir
On 08/30, J. Lewis Muir wrote: > On 08/30, J. Lewis Muir wrote: > > I'm wondering if the fastcgi_split_path_info function or the if > > directive is what's emitting the file op message in the error log which > > would mean that one or both of $realpath_root or $fastcgi_script_name > > are not set t

Re: Allow internal redirect to URI x, but deny external request for x?

2019-08-30 Thread J. Lewis Muir
On 08/30, J. Lewis Muir wrote: > I'm wondering if the fastcgi_split_path_info function or the if > directive is what's emitting the file op message in the error log which > would mean that one or both of $realpath_root or $fastcgi_script_name > are not set to what I expect. (?) Adding return 20

Fwd: confirm 5f9be349e631f958ba756da43c02aa760f8cc2e3

2019-08-30 Thread rough lea
Begin forwarded message: From: nginx-requ...@nginx.org Subject: confirm 5f9be349e631f958ba756da43c02aa760f8cc2e3 Date: 30 August 2019 at 19:24:24 BST To: rough...@hotmail.co.uk Reply-To: nginx-requ...@nginx.org

Re: Allow internal redirect to URI x, but deny external request for x?

2019-08-30 Thread J. Lewis Muir
On 08/30, J. Lewis Muir wrote: > I initially tried using the alias directive which I thought was a better > fit for what I wanted to do > > location /my-app/ { > alias /srv/www/my-app/current/; > index index.php; > } > > location /my-app/current/ { > return 404; > } > > loc

Allow internal redirect to URI x, but deny external request for x?

2019-08-30 Thread J. Lewis Muir
Hello! I'm using nginx 1.12.2 on RHEL 7, and I've got a FastCGI web app that uses a deployment structure which uses an atomic symlink change for an atomic app deploy, and I'm wishing to be able to do an internal redirect in nginx to URL x, but deny an external request to the same URL x so that I d

proxy_set_header on HTTP or Server level

2019-08-30 Thread stmx38
Hello, We recently made some order in our configuration to make it cleaner and readable. We have moved all reverse proxy related parameters on the HTTP level from the vhosts locations: proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X

RE: ssl client auth trouble

2019-08-30 Thread Reinis Rozitis
> When this is all done, and I import the p12 client certificate on my Windows > PCs (tested 2) Chrome and Firefox show me the "400 Bad Request\n No required > SSL certificate was sent". The very strange thing is IE11 on one of the two > PCs, actually prompts me to use my newly-installed cert t

ssl client auth trouble

2019-08-30 Thread AJ Weber
I have been trying to configure client certificates (really just one cert for now) for two days on CentOS 7, Nginx 1.16.1, and have had very limited success. I have tried various online guides and they are mostly the same - but all have resulted in the same exact scenario.  One such guide is h

RE: How to add Multiple sites with ipv6 and SSL on Nginx ?

2019-08-30 Thread Reinis Rozitis
> The problem is coming when I try to test both Django sites with ssllabs.com > > >Certificate #2: RSA 2048 bits (SHA256withRSA) No SNI > The error that I see is "Alternative names wpexample.org > www.wpexample.org > MISMATCH" It is normal for clients which don't support SNI (server name indi

How to add Multiple sites with ipv6 and SSL on Nginx ?

2019-08-30 Thread milanleon
I have three websites on one Linode IP and I want to add ipv6 with SSL 1. Wordpress 2. Django1 3. Django2 All of them have SSL certificates from Letsencrypt and I have tested them and they are working. In testing of SSL I have an error with Mismatch and in Debugging error Curl error: 51 (SSL_PEER_CERT