Works for me (so far):
map $query_string $bad_query {
    "~[^&;]+([&;][^&;]*){1,}" 1; # deny two or more parameters
    "~emailaddress=[^@]+%40[^@]+" 0; # allow Thunderbird autoconf
    "~.+=.+" 1; # deny any other query
    defau
Hello,
Our local policy demands the rejection of any query; we do this as follows:
if ($is_args) { return 301 /; }
The introduction of Thunderbird autoconfiguration demands an exception to
the above policy, because of
"GET
/.well-known/autoconfig/mail/config-v1.1.xml?emailaddre=uname%40example.
> They are currently struggling with their nginx module,
> allowing a certificate to be automatically installed on nginx.
Would you really use that script?
1. It requires python. --- I do not have python on my server,
and I have no intention to install it. You can kick and scream,
but that wi
#!/bin/ksh -e
#
# The purpose of this script is to prime the OCSP cache of nginx.
#
# Ideally, nginx would prime its worker processes ahead of any client request.
# There are two events that ought to trigger this behaviour:
# the server start-up, and each time a cache expires.
#
# In reality, n
The files are correct as they are:
ssl_trusted_certificate includes the intermediate and the root ca,
ssl_certificate includes the server's own and the intermediate.
The error was ... in a missing ssl_trusted_certificate directive in one of
the server clauses. A human error, undetected by nginx
Will adjust the files, and see what happens...
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,261716,261787#msg-261787
___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Hold on...
ssl_dhparam [...]/ssl/dh2048.pem;
ssl_certificate_key [...]/ssl/www.key;
ssl_certificate [...]/ssl/www-bundle.pem;
ssl_trusted_certificate [...]/ssl/ca-bundle.pem;
The intermediate and the server's own are in www-bundle.pem.
The local trust store
After all, the root certificate is part of the local trust store
(/etc/ssl/ca-bundle.pem),
and nginx knows it (ssl_trusted_certificate points to it).
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,261716,261785#msg-261785
> Simplest solution would be to switch off OCSP response verification.
I have just tried it. It takes two hits from a client to fill the cache of
its worker process.
There are two problems with this:
- the other worker processes are not primed on restart, and therefore
clients that
require
I see this:
==> stderr.log <==
2015/09/23 18:33:00 [error] 41509#0: OCSP_basic_verify() failed (SSL:
error:27069065:OCSP routines:OCSP_basic_verify:certificate verify
error:Verify error:unable to get local issuer certificate) while requesting
certificate status, responder: ocsp.startssl.com
Patch applied to zlib...
Zero errors and zero warnings compiling nginx 1.9.5 with clang/llvm 3.7.0.
Well done...
--- inflate.c.orig 2015-09-23 18:22:54.0 +0200
+++ inflate.c 2015-09-23 18:23:45.0 +0200
@@ -1504,9 +1504,10 @@
{
struct inflate_state FAR *state;
-i
Hot from the oven... Thanks!
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,261756,261778#msg-261778
From my seat, the CA works and NGINX is not returning the
OCSP response. In fact, I can generate the stapling manually.
Barring the various considerations of what is or is not possible,
I think that a more robust solution is in order, for example,
nginx could (should at this point?) log the sta
> Though not providing an OCSP response isn't a problem at all
> as OCSP stapling is just an optimization, and
Well, it *is* a problem.
Without stapling, each client that hits our server also hits the ocsp
server.
In our case, the ocsp server is overloaded (StartSSL), and therefore we
can help
I hate this editor...
The warning points at the "<< 16" part.
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,261756,261757#msg-261757
inflate.c:1507:61: warning: shifting a negative signed value is undefined
[-Wshift-negative-value]
if (strm == Z_NULL || strm->state == Z_NULL) return -1L << 16;
~~~ ^
Posted at Nginx Forum:
http://forum.ngin
cannot delete - please ignore this thread
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,261754,261755#msg-261755
inflate.c:1507:61: warning: shifting a negative signed value is undefined
[-Wshift-negative-value]
if (strm == Z_NULL || strm->state == Z_NULL) return -1L << 16;
~~~ ^
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,261754,26175
The purpose of the ssl_stapling_file was to prime the cache. Without that
file, openssl says "OCSP response: no response sent". For nginx to load the
cache by itself, clients have to hit the same worker process a few times. I
currently have 8 worker processes, which means that the server needs at
l
Hello,
nginx is not updating the OCSP response cache.
openssl says:
[...]
Cert Status: good
This Update: Sep 9 09:59:46 2015 GMT
Next Update: Sep 11 09:59:46 2015 GMT
gnutls says "There is a newer OCSP response but was not provided by the
server".
The configuration says:
Hello,
nginx is not updating the ocsp response cache:
This Update: Sep 5 08:36:32 2015 GMT
Next Update: Sep 7 08:36:32 2015 GMT
It is 16:09, so the cache is 8h behind.
How would you diagnose and solve this problem?
A related question is the duration of the cache.
The local server
> This depends on how your certificate is issued. If your certificate is
issued directly by root CA certificate, then you don't need any extra certs
here. If there are some intermediate certs, then you'll have to put them
also.
> When this directive was introduced, almost all certificates were issu
> Note that this doesn't really indicate anything: there are two forms of OCSP
requests, POST and GET. And Firefox uses POST, while nginx uses GET. Given
the fact that the responder was completely broken just a few days ago - it's
quite possible that it's still broken for GETs in some cases.
To comp
>When I request http://example.com/?Open, what response do you want to send
me?
301 to /: this would do the canonicalization,
> location = / { if ($is_args) { return 301 /; } }
404: this would correspond to reality,
> location = / { if ($is_args) { return 404; } }
However, if one compiled ng
The last security audit revealed the following:
V:Wed Apr 15 20:58:19 2015 - 200 for GET: /?mod=node&nid=some_thing&op=view
V:Wed Apr 15 20:58:43 2015 - 200 for GET: /?Open
V:Wed Apr 15 20:58:43 2015 - 200 for GET: /?OpenServer
V:Wed Apr 15 20:59:16 2015 - 200 for GET: /?sql_debug=1
V:Wed Apr 15
Update:
The original error "SSL3_CTX_CTRL:called a function you should not cal" is
no longer on the logs.
The last occurrence dates back to early february:
2015/02/03 20:23:30 [alert] 69020#0: *16 ignoring stale global SSL error
(SSL: error:14085042:SSL routines:SSL3_CTX_CTRL:called a function
"fix" applied.
This is what I see when running ssllabs again:
2015/03/17 18:08:33 [crit] 14508#0: *478 SSL_do_handshake() failed (SSL:
error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early) while SSL
handshaking, client: 64.41.200.104, server: 0.0.0.0:443
2015/03/17 18:08:34 [crit] 145
The *feeling* that the problem is related to SNI is getting stronger.
This is the error log when running ssllabs.com on the server:
==> stderr.log <==
2015/03/17 17:12:45 [crit] 40733#0: *925 SSL_do_handshake() failed (SSL:
error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early) while S
Will try it.
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,256381,257339#msg-257339
I am on nginx 1.7.10 with LibreSSL 2.1.5.
This is what I see in the error log:
2015/02/03 20:23:30 [alert] 69020#0: *16 ignoring stale global SSL error
(SSL: error:14085042:SSL routines:SSL3_CTX_CTRL:called a function you should
not call) while SSL handshaking, client: [...IP...], server: 0.0.0.
premises
-
nginx version: nginx/1.7.10
TLS SNI support enabled
Serving vhosts
each vhost has own registered certificate
each vhost works as expected
task
-
Obtain 444 from [http|https]://.
case http://
--
configuration:
server {
I am coming precisely from nginx 1.7.9 + libressl 2.1.3, configured as you
mentioned.
As 1.7.9 kept crashing, we downgraded to "stable" 1.6.4.
Chapter closed then. We are back to 1.7.9...
P.S. Did anybody note that the login to the forum does not use https?
Posted at Nginx Forum:
http://for
"no OpenSSL types or functions are exposed."
http://www.openbsd.org/papers/eurobsdcon2014-libressl.html
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,256381,256384#msg-256384
nginx-1.6.2
>make
[...]
ec/ec_curve.c:2918:2: warning: unused variable '_EC_GOST_2012_Test'
[-Wunused-const-variable]
_EC_GOST_2012_Test = {
^
1 warning generated.
Perhaps its defining block is best moved to the 1.7 branch.
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,256383,256
nginx-1.6.2
>make
[...]
src/event/ngx_event_openssl.c:2520:9: error: implicit declaration of
function 'RAND_pseudo_bytes' is invalid in C99
[-Werror,-Wimplicit-function-declaration]
RAND_pseudo_bytes(iv, 16);
^
1 error generated.
patch:
perl -i.bak -0p -e 's|(^#include ).*(type
nginx 1.6.2 + libressl 2.1.3
>tail -f [...]/port-443/*.log
==> stderr.log <==
2015/02/01 01:35:34 [alert] 15134#0: worker process 15139 exited on signal
11
2015/02/01 01:35:34 [alert] 15134#0: shared memory zone "SSL" was locked by
15139
2015/02/01 01:35:42 [alert] 15134#0: worker process 15138 e
Hello,
I seek advice on configuring nginx as a mail proxy.
PREMISES
The existing system is based upon postfix and dovecot.
The system delivers "n" virtual domains, say, mx.example_1.org,
mx.example_2.org, ..., mx.example_n.org, all behind a single IP.
There is no "shared" (Subject Alterna