--- Original message
From: Jeffrey Walton
Date: 3/15/24 14:24 (GMT-05:00)
To: nginx@nginx.org
Cc: Thomas Ward
Subject: Re: No SNI support on multisite installation
On Fri, Mar 15, 2024 at 2:05 PM Thomas Ward via nginx wrote:
>
> If you only have one IP, then you cannot fix thi
If you only have one IP, then you cannot fix this. SNI is what determines
which certificate to serve for the request. The only solution would be
individual IPs for each domain, thus not needing SNI to get the correct cert
for each domain.
Sent from my Galaxy
Original message ---
Rereading from my computer, and sorry for the partial snippet/quote,
your entire path is being prepended with `C:\nginx/conf/` so your
setting that triggers this of `conf/ssl/...` is not proper. Your
configuration root is `C:\nginx\conf` already, so either change your
configuration lines to j
I misread. NGINX doesn't see the certs exist, meaning whatever user is running
it doesn't have permissions. Make sure your user running NGINX has access down
the whole folder chain.
Original message
From: Victor Oppenheimer
Date: 2/11/24 17:17 (GMT-05:0
Your SSL listen commands are commented out and so are your cert declarations.
Uncomment them and restart your nginx and see if that fixes it.
Original message
From: Victor Oppenheimer
Date: 2/11/24 17:17 (GMT-05:00)
To: Jeremy Cocks via nginx
Subject: S
whether they really want to take on
the "manually recompile from source every patch" burden, and also that
their security concerns are mitigated because the webdav methods are
disabled by default.
Thomas
---
Thomas Ward
IT Security Professional
NGINX Package Maintainer, Debian
N
Shashi, et al.:
This is the nginx oss community lists. There is no dedicated support SLA here,
nor is there a "can we get together for a call or discussion".
Maxim indicated there would be an off-list reply to you. There is no need to
continue emailing the public mailing list asking for any k
I would not consider NGINX a proxy in the form you're looking for - it's not
designed to work as a "proxy" server in the sense of what you're looking for,
and VPN + internal proxy is the better solution for access to resources
subscribed to a company (but that's outside the scope of NGINX and is
headers remain
default-hidden from the backend - I don't believe Content-Length was ever one
of them.
Original message
From: Jesse Stimpson
Date: 4/19/23 09:09 (GMT-05:00)
To: Thomas Ward
Cc: nginx@nginx.org
Subject: Re: Duplicate Content-Length he
This sounds like your backend and nginx are both generating the header. NGINX
hasn't changed to the point it would create two headers, but if your backend is
adding the header as well as nginx then there's your problem.
Original message
From: Jesse Sti
As Francis said, NGINX does not speak proxy protocols.
NGINX is the wrong tool for this job.
Original message
From: Francis Daly
Date: 2/25/23 15:31 (GMT-05:00)
To: nginx@nginx.org
Subject: Re: Connecting a reverse proxy to an http proxy service
On Sat
Jon,
I'm not 100% sure if you understand NGINX properly, but I think you're
confusing "multi-instance" and "multi-site" when it comes to NGINX.
Multi-instance NGINX requires multiple individual NGINX instances each
running completely different configuration stacks, and not the default
nginx.
If you're on Ubuntu you have some tradeoffs by doing this yourself.
You can surely uninstall the packages of nginx from Ubuntu and then
compile and install it yourself on each system. However, you will then
need to redo this compiling and patch software yourself. This is why
the packaging ex
Is this on a VPS? They might have an additional firewall on the hosting side
you need to adjust.
If this is behind a router and you are outside the network make sure to
port-forward port 443.
Original message
From: Brian Carey
Date: 9/4/22 19:55 (G
Correct me if I'm wrong, but isn't 8673 an experimental protocol and not a
standard, as that RFC even says in its text? If so, then I doubt support for
this is likely to land in nginx.
Original message
From: 박규철
Date: 7/12/22 04:02 (GMT-05:00)
To: ngin
m
so, every time somebody opens Chrome and goes to https://belloingcat.oneye.us
somewhere in my definition I need to fire a bash script (or any
script) with some parameters to record the address.
I cannot believe that was not considered.
Thanks for the help.
On Mon, Jul 11, 2022 at 3:49 PM Thomas
Ideally you would have your reverse proxy hand off to an application
that does this. I don't think there's an inbuilt way to execute a given
script every time someone connects via Bash. This is something your
backend application should really be handling.
On 7/11/22 15:13, Saint Michael wrot
It is my understanding that a stable release is considered unsupported when a
new stable release is cut from the mainline branch, which happens yearly.
I would also surmise that 1.14 which is *years* old at this point is beyond its
lifespan.
Original message ---
This isn't an nginx question. Ask chromium developers why they chose that
approach.
Original message
From: wordlesswind via nginx
Date: 5/21/22 14:56 (GMT-05:00)
To: nginx@nginx.org
Cc: wordlesswind
Subject: Why do newer versions of Chromium favor RSA
Which NGINX are you attempting to compile? Last I checked only the
1.21.x branch (Mainline) has support for PCRE2, unless I missed a stable
branch release note...
Thomas
On 1/11/22 15:45, Jeffrey Walton wrote:
On Tue, Jan 11, 2022 at 8:27 AM Maxim Dounin wrote:
Hello!
On Mon, Jan 10, 20
The Lua module is a third party module, part of the OpenResty variant of
nginx. It will not be in the nginx.org repos and only in the OpenResty nginx
repos unless you compile it and its dependencies alongside nginx directly.
(not including libs that get installed via apt or packages, I mean -
I misread your version, sorry. This needs a bug filed in Ubuntu as I think the
Lua module being 'loaded' doesn't necessarily mean it works. Unless someone has
an easy fix for you, it's possible this is a bug in that nginx version/lua
module in the repos.
Sent from my T-Mobile 5G Device
Ori
nginx upstream has nothing to do with the NGINX packages in Ubuntu. The Lua
module in Ubuntu was removed and dropped by the Server Team's decision that
supporting it requires excess work into the future that they were not willing
to support as well as additional modules like resty core just to ma
A stock install of NGINX using that link and the repositories for
mainline on 20.04 clean doesn't return this issue. Did you attempt to
start the service first before that, or did you install nginx from the
Ubuntu repositories and then tried to install the nginx.org packages
overtop those repo
Why not build your C++ backend to have a web listener that you can
handle responses directly with? Typically speaking, a lot of REST APIs
I see are designed to accept HTTP and then have nginx or similar
reverse_proxy requests to them so the API is (indirectly) exposed to
port 80 (HTTP) or 443
This has nothing to do with NGINX. NGINX has nothing to do with Flyxtrade.
You will need your local law enforcement to help you with lost money.
Original Message
From: "Hưng Vĩnh"
Sent: Mon Jul 05 03:36:02 EDT 2021
To: nginx@nginx.org
Subject: I have a question from a websit
Unless you need to specify an alternative engine I would suggest not trying to
manually configure things this way. Is there a reason you don't want to just use
ssl_certificate and ssl_certificate_key?
Sent from my T-Mobile 5G Device
Original message
From: vishwaskn
Date: 7/4/21
Based on your configuration snippet there doesn't appear to be anything
wrong.
Except for the fact that
"/etc/nginx/html/_upload/article/files/d7/c2.xlsx" doesn't seem to exist
on system. Which means either your document root is set wrong for your
server block, or you actually don't have a f
rote:
Thomas,
Thank you for that explanation.
It must be the poster.exe program adding that as a default header.
I did not create the poster.exe application, it precedes my employment.
Again Thank you for the information and thank you to this list .
-Benn
*From:* Thomas Ward
*Sent:* Thur
m3u file (the client must wait for the next chunk) .
Thank you , Please I need your help
Fatma.
On Thu, Jun 3, 2021 at 22:02, Thomas Ward <tew...@thomas-ward.net> wrote:
Let's dissect an HTTP request that is sent to your NGINX server.
Assume for a moment it&
Let's dissect an HTTP request that is sent to your NGINX server.
Assume for a moment it's '/cr-bin/mp.exe' that's the request but there's
extra headers. The full HTTP request looks like this (CURL format
output, but also what NGINX spits in debug mode):
POST /cr-bin/mp.exe
referer: example.c
More than likely you'll have to compile the module yourself - I don't
know of any distribution that currently ships the njs module.
Thomas
On 6/2/21 3:15 PM, bouvierh wrote:
Hello,
How do I install the javascript module on Alpine? I have tried: "apk add
nginx-module-njs" but that module is
The error is self explanatory. You have two default_server entries that end up
listening on port 80 on all IPs.
listen 80 default_server;
listen [::]:80 default_server;
As configured this ends up listening on every port 80 on all IPs. Remove one
of these to resolve the error.
Get BlueMail f
The Mozilla configuration tool for ciphers is generally the best source
for cipher information, they update it regularly as things change in
terms of "best ciphers to utilize" and security issues crop up.
All of those ciphers, in my opinion, are fine. The discussion of
whether these ciphers a
I don't think limit_req works on CIDR, rather individual IPs. At least per the
description of the module for limiting requests, it works on a single IP level
not on a CIDR range level and I don't immediately see a way to make that happen
- whether IPv4 or IPv6.
Sent from my T-Mobile 4G LTE Device
A white screen indicates some failure in the PHP processor. That is not an
nginx error, rather a problem with PHP that caused a fatal processing error.
Check your PHP logs or enable error reporting to the page in PHP so that it
spits out the error data you need to understand why it failed proc
TLS 1.2.
POSSIBLY they're using an older set of OpenSSL or similar libraries that
don't have TLS 1.3 yet, but it's also just possible it's disabled - TLS
1.3 isn't exactly the most 'accepted' protocol yet by certain policies
and standards, so that's a considera
So, I don't run the NGINX webserver, but I am pretty sure this is on the
remote server to serve the protocol right. SSLLabs test shows that TLS
1.3 is just not offered.
https://www.ssllabs.com/ssltest/analyze.html?d=nginx.org&s=3.125.197.172&latest
There's three other IPs (one IPv4 and two IP
proxy_ignore_headers Cache-Control;
Original Message
From: Vincent Blondel
Sent: Sat Jan 16 13:11:54 EST 2021
To: nginx@nginx.org
Subject: Howto Remove the Cache-Control request header.
Hello,
We want nginx to remove the request header Cache-Contro
g for. One last question: the `nginx -T` options...I'll add
those to the ./configure command, yes?
On Wed, Jan 6, 2021 at 10:55 PM Thomas Ward <tew...@thomas-ward.net> wrote:
This is where **manually compiling by hand** is the problem. You
would do the c
and *not* the one compiled via
Step 2)
B. The compile in Step 2 will use the "same libraries" that DNF used?
In the DNF version of life I didn't pick any libraries manually...DNF
found what was on my system. Will the manual compile not do the same?
Many thanks!
On Wed, Jan 6,
I'm fairly familiar with the 'compiling process' for dynamic modules -
the process is the same for NGINX Open Source as well as NGINX Plus.
You would need to compile the modules alongside NGINX and then harvest
the compiled .so files and put them into corresponding locations on the
system you w
Hi, Grzegorz. I'm with the Ubuntu Server Team and can answer this directly.
The NGINX upstream repository does NOT follow the structure of the
package as it is in Ubuntu and Debian. The snippets directory and
sites-available and sites-enabled directories and includes as part of
the default c
We had this problem in Ubuntu's repos until we rebuilt against newer OpenSSL
and the TLS 1.3 variables were exposed to NGINX at build time - then you could
turn it off in ssl_protocols by not specifying TLSv1.3. However, your case
indicates that you are linked (compiled) against older LibreSSL th
Is your nginx system a Linux one? If so, then you can do something like
this:
`openssl s_client -connect localhost:443`
from the nginx box and see what handshake errors you're getting.
Thomas
On 11/19/20 2:03 PM, sachingp wrote:
Hi Thomas - We are using digicert, I don't have access to the
Provide SSL logs from the client side - if you can, using OpenSSL and
its `s_connect` framework or similar to get the actual SSL handshake
errors/logs. Chances are something's wrong with the handshake or your
cert. (since I can't scan your infra directly yourself, you'll have to
get detailed
On 11/9/20 3:48 PM, meniem wrote:
> Thanks Maxim for your feedback.
>
> Yeah, I believe it's an issue with the intermediate certificates. So, can
> you please let me know how can I obtain this intermediate certificates so
> that I can append it to the certificate itself.
You will need to reach ou
From what I can tell the config as is is fine, and shouldn't need to
have anything else exposed. Since that's basically their nginx snippet
in a nutshell.
Their warning is more if you attempt to use something that doesn't have
a predefined example set - like lighttpd - where you'd then have to
c
Your PHP backend is the problem. The PHP side of things is triggering a
warning that it's executing too slowly, and that requires you to alter
your PHP settings (which is not an NGINX thing) to accept a longer
execution time on your scripts.
Thomas
On 9/24/20 12:46 PM, Kaushal Shriyan wrote:
>
part I've seen both used interchangeably for basic setups,
it's more if you need the advanced stuff or brand new things available
in Mainline but not Stable, in my opinion, that drives which you use.
Thomas
On 9/24/20 10:35 AM, Kaushal Shriyan wrote:
>
> On Thu, Sep 24, 2020 a
Depending on your needs, I'd favor Stable over Mainline.
Stable is just that - the current release of NGINX that is considered
'stable' and doesn't have many new feature changes to it or new things
that Mainline will have.
Mainline is closer to 'cutting edge' than 'stable' NGINX. While you can
u
Bad Gateway indicates the backend you are sending to is not valid in some way -
check the nginx error.log output to see what happened when trying to send it to
your proxypass'd backend
Original Message
From: ravansh
Sent: Sun Sep 06 10:15:28 EDT 2
Do you actually use NCHAN for anything? If you are not actively using
nchan, you should consider simply removing `libnginx-mod-nchan`
Note also this is a third party module, so it's not necessarily
'endorsed' by NGINX Upstream per se. Also, Debian is *ancient* with its
nginx version and modules,
You said this is "shared hosting" - when you say "shared hosting" do you
mean this is *not* a dedicated machine but one machine out of many in a
shared environment?
Have you tested briefly by disabling your firewall just to see if that
fixes the issue?
What is the backend? You're passing everyth
301 Redirects don't work for full system paths because they are returned to the
client saying "go here instead". It then interprets your path as a URI which
doesn't exist inside your site docroot.
You might have meant to use `root` instead of `return 301` here to serve the
data directly from t
it {
> return 404;
> }
>
> location ~ /\.(?!well-known).* {
> deny all;
> access_log off;
> log_not_found off;
> }
> }
>
> Result is, that http://example.com/test/.git/config is accessible.
>
> On 09.06.20 17:16, Thomas Ward wrote:
>> server {
&g
server {
listen 80 default_server;
server_name _;
...
}
The above should do what you're after. Specifies a default-server
listener on port 80 and it matches that special catch-all that accepts
all server_name results. (though, default_server will match anything
that doesn't match a
That's a pretty self-explanatory error actually:
Jun 06 18:18:19 proxy-lb02.srvmail.ma.gov.br nginx[52777]: nginx: [emerg]
"stream" directive is not allowed here in
/etc/nginx/email/balanceador.conf:1
Your mail configuration file is imported inside a mail block. That won't work.
Stream operates
How did you generate your certificate at
/etc/nginx/ssl/dfwelectronicsrecycling.com/dfwelectronicsrecycling.crt ?
Is it a self-signed certificate or generated by LetsEncrypt or some
other mechanism? IF it's self-signed this is Normal Behavior, you can
override it with the `-k` flag/argument to Cu
On 4/30/20 3:20 PM, MarcoI wrote:
> Hi Thomas,
> thank you for your kind help.
>
> ...
>
> How can I check if the backend has the capacity to handle the requested
> path?
This is where you need to expand the knowledge into other tools such as
`curl`. On the system where nginx and your webapp run
On 4/30/20 2:09 PM, MarcoI wrote:
> This is the nginx configuration in Ubuntu 18.04 :
>
> server {
> listen 443 ssl http2 default_server;
> server_name ggc.world;
>
> ...
>
> location / {
> proxy_pass http://127.0.0.1:8080;
If I'm reading your config directl
You can specify different auth_basic configurations per server or per
location match.
Refer to the documentation -
http://nginx.org/en/docs/http/ngx_http_auth_basic_module.html - which
shows that the auth_basic config options can be at the http, server,
location, or limit_except levels of the conf
The dhparam file can be whichever you want it to be **provided that**
you configure it per server block.
Refer to the config documentation -
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam - and
the 'context' being 'http' or 'server' - you can define different
dhparam files for