Hi, Aleks, The result of nginx -V is as follow: nginx version: nginx/1.11.1 built by gcc 4.9.2 (Debian 4.9.2-10) built with OpenSSL 1.0.1t 3 May 2016 TLS SNI support enabled configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_sub_module --with-http_v2_module --with-http_spdy_module --with-stream --with-stream_ssl_module --with-threads --with-file-aio --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --add-module=/tmp/build/ngx_devel_kit-0.3.0 --add-module=/tmp/build/set-misc-nginx-module-0.30 --add-module=/tmp/build/nginx-module-vts-0.1.9 --add-module=/tmp/build/lua-nginx-module-0.10.5 --add-module=/tmp/build/headers-more-nginx-module-0.30 --add-module=/tmp/build/nginx-goodies-nginx-sticky-module-ng-c78b7dd79d0d --add-module=/tmp/build/nginx-http-auth-digest-f85f5d6fdcc06002ff879f5cbce930999c287011 --add-module=/tmp/build/ngx_http_substitutions_filter_module-bc58cb11844bc42735bbaef7085ea86ace46d05b --add-module=/tmp/build/lua-upstream-nginx-module-0.05
The nginx conf is:

# Reviewer annotations are marked "NOTE(review)". Every directive below is exactly as posted.
daemon off;
worker_processes 2;
pid /run/nginx.pid;
worker_rlimit_nofile 131072;
pcre_jit on;

events {
    multi_accept on;
    worker_connections 16384;
    use epoll;
}

http {
    lua_shared_dict server_sessioncnt_dict 20k;
    lua_shared_dict server_dict 20k;
    lua_shared_dict server_acceptnewconn_dict 20k;
    lua_shared_dict sessionid_server_dict 100k;

    # NOTE(review): set_real_ip_from 0.0.0.0/0 marks every peer as a trusted proxy, so any
    # client can choose the address that ends up in $remote_addr by sending its own
    # X-Forwarded-For header. The access log and $geoip_country_code below then rest on
    # client-supplied data. List only the real load balancer / proxy addresses here.
    real_ip_header X-Forwarded-For;
    set_real_ip_from 0.0.0.0/0;
    real_ip_recursive on;

    geoip_country /etc/nginx/GeoIP.dat;
    geoip_city /etc/nginx/GeoLiteCity.dat;
    # NOTE(review): no geoip_proxy directive is visible in this config, so
    # geoip_proxy_recursive appears to have nothing to act on; confirm.
    geoip_proxy_recursive on;

    vhost_traffic_status_zone shared:vhost_traffic_status:10m;
    vhost_traffic_status_filter_by_set_key $geoip_country_code country::*;

    # lua section to return proper error codes when custom pages are used
    # NOTE(review): the first two entries ('.?.lua' and './etc/nginx/lua/?.lua') are relative
    # and look like typos for './?.lua' and '/etc/nginx/lua/?.lua'; confirm. Relative entries
    # are resolved against the working directory, so which module gets loaded depends on
    # where nginx is started. Prefer absolute paths only.
    lua_package_path '.?.lua;./etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/lua-resty-http/lib/?.lua;/etc/nginx/lua/vendor/lua-resty-lrucache/lib/?.lua;/etc/nginx/lua/vendor/lua-resty-core/lib/?.lua;/etc/nginx/lua/vendor/lua-resty-balancer/lib/?.lua;';
    init_by_lua_file /etc/nginx/lua/init_by_lua.lua;

    sendfile on;
    aio threads;
    tcp_nopush on;
    tcp_nodelay on;

    log_subrequest on;

    reset_timedout_connection on;

    # Client-side keep-alive is enabled here.
    keepalive_timeout 75s;

    types_hash_max_size 2048;
    server_names_hash_max_size 512;
    server_names_hash_bucket_size 64;

    include /etc/nginx/mime.types;
    default_type text/html;

    gzip on;
    gzip_comp_level 5;
    gzip_http_version 1.1;
    gzip_min_length 256;
    # NOTE(review): 'aplication/x-javascript' is misspelled, so that entry matches no
    # response type.
    gzip_types application/atom+xml application/javascript aplication/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component;
    gzip_proxied any;

    client_max_body_size "64m";

    # Access log format. $remote_addr here is the value after realip processing (see the
    # note on set_real_ip_from above). The line break inside the last quoted string is as
    # posted, presumably introduced by mail wrapping.
    log_format upstreaminfo '$remote_addr - '
        '[$proxy_add_x_forwarded_for] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" '
        '$request_length $request_time $upstream_addr $upstream_response_length 
$upstream_response_time $upstream_status';

    # Every request maps to 1, so every request is logged.
    map $request $loggable {
        default 1;
    }

    access_log /var/log/nginx/access.log upstreaminfo if=$loggable;
    error_log /var/log/nginx/error.log notice;

    # Derives a Connection value from the client's Upgrade header.
    # NOTE(review): $connection_upgrade is not referenced anywhere in the posted config.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    # trust http_x_forwarded_proto headers correctly indicate ssl offloading
    # NOTE(review): the value is taken from the request as-is, so a client that connects
    # directly can set the scheme the upstream sees. This is only safe when a fronting
    # proxy always overwrites X-Forwarded-Proto; confirm.
    map $http_x_forwarded_proto $pass_access_scheme {
        default $http_x_forwarded_proto;
        '' $scheme;
    }

    # Map the request's Accept header to a short type name (the original comment said
    # Content-Type, but the map key is $http_accept).
    map $http_accept $httpAccept {
        default html;
        application/json json;
        application/xml xml;
        text/plain text;
    }

    # Map the short type name back to a MIME type.
    map $httpAccept $httpReturnType {
        default text/html;
        json application/json;
        xml application/xml;
        text text/plain;
    }

    server_name_in_redirect off;
    port_in_redirect off;

    # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996). Keep TLSv1.2 (plus TLSv1.3
    # once the OpenSSL build supports it) unless legacy clients are a hard requirement.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # turn on session caching to drastically improve performance
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_session_timeout 10m;

    # allow configuring ssl session tickets
    ssl_session_tickets on;

    # slightly reduce the time-to-first-byte
    ssl_buffer_size 4k;

    # allow configuring custom ssl ciphers
    # NOTE(review): the list still admits DES-CBC3-SHA (3DES, 64-bit block, SWEET32) and
    # static-RSA suites such as AES128-SHA that give no forward secrecy. Trim it to
    # ECDHE/DHE AEAD suites where the client population allows.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    # In case of errors try the next upstream server before returning an error
    proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;

    # Two backends; peer selection is delegated to the Lua balancer script (not shown).
    upstream liupeng-sm-rte-svc-13080 {
        server 172.77.69.10:13080;
        server 172.77.87.9:13080;
        balancer_by_lua_file /etc/nginx/lua/balancer_by_lua.lua;
    }

    server {
        server_name _;
        listen 80;
        listen 443 ssl spdy http2;
        # PEM sha: aad58c371e57f3c243a7c8143c17762c67a0f18a
        # NOTE(review): certificate and private key are read from the same PEM file. The
        # name suggests a self-signed placeholder; presumably not intended for real
        # clients, confirm.
        ssl_certificate /etc/nginx-ssl/system-snake-oil-certificate.pem;
        ssl_certificate_key /etc/nginx-ssl/system-snake-oil-certificate.pem;

        # NOTE(review): set at server level, so the header is also added to responses on
        # the plain-HTTP listener, where browsers ignore it. 'includeSubDomains; preload'
        # is long-lived and hard to undo; confirm every subdomain is HTTPS-ready first.
        more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload";

        vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name;

        location /SM/ui {
            # NOTE(review): the proxy_set_header lines in this location only shape the
            # request sent to the upstream. They do not control the Connection header
            # nginx writes on the response to the client, which is what this thread is
            # about.
            proxy_set_header Host $host;

            # Pass Real IP
            proxy_set_header X-Real-IP $remote_addr;

            # Allow websocket connections
            # NOTE(review): Connection is cleared two lines below, so forwarding Upgrade
            # alone will not switch protocols. If WebSocket is needed, the usual form is
            # 'proxy_set_header Connection $connection_upgrade;' using the map defined
            # above.
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "";

            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Port $server_port;
            proxy_set_header X-Forwarded-Proto $pass_access_scheme;

            # mitigate HTTPoxy Vulnerability
            # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
            proxy_set_header Proxy "";

            proxy_connect_timeout 5s;
            proxy_send_timeout 60s;
            proxy_read_timeout 60s;

            proxy_redirect off;
            proxy_buffering off;

            proxy_http_version 1.1;

            proxy_pass http://liupeng-sm-rte-svc-13080;

            # NOTE(review): neither Lua script is shown. header_filter_by_lua_file runs
            # on the response headers, so it is worth checking when debugging what the
            # client receives.
            rewrite_by_lua_file /etc/nginx/lua/rewrite_by_lua.lua;
            header_filter_by_lua_file /etc/nginx/lua/header_filter_by_lua.lua;
        }
    }
}

----- 原始邮件 ----- 发件人:Aleksandar Lazic <al-ng...@none.at> 收件人:t...@sina.com 抄送人:nginx <nginx@nginx.org> 主题:Re:_回复:Re:_回复:Re:_回复:Re:_Issue_about_nginx_removing_the_header_"Connection"_in_HTTP_response? 日期:2017年03月07日 15点39分 Hi Liu Peng. We still don't know your nginx version nor your config! Cite from below: > So now the standard Questions from me: > What's the output of nginx -V ? > What's your config? regards aleks Am 07-03-2017 02:37, schrieb t...@sina.com: > Hi, Alexks, > > I try your proposal and it doesn't work. 
Actually my issue is the same > as this one > http://stackoverflow.com/questions/5100971/nginx-and-proxy-pass-send-connection-close-headers. > > 1. I add "keepalive_requests 0". The result is that the "Connection: > close" header is sent to client for every response. That does not match > my requirement. Our application decides whether to finish the > application session using this header. > > 2. I add "proxy_pass_header Connection". Nginx keeps sending > "Connection: keep-alive" header to client even when the header is > "Connection: close" from upstream server. > > Seems Nginx has some special handling for the Connection header in > response. The openresty author suggests that the only way to change > this response header is to change the nginx C code for this issue. See this issue: > https://github.com/openresty/headers-more-nginx-module/issues/22#issuecomment-31585052. > > Thanks > Liu Peng > > ----- 原始邮件 ----- > 发件人:Aleksandar Lazic <al-ng...@none.at> > 收件人:t...@sina.com > 抄送人:nginx <nginx@nginx.org> > 主题:Re:_回复:Re:_回复:Re:_Issue_about_nginx_removing_the_header_"Connection"_in_HTTP_response? > 日期:2017年03月04日 17点22分 > > Hi Liu Peng. > Am 04-03-2017 09:12, schrieb t...@sina.com: >> >> Hi, Alexks, >> >> I don't want to hide the header. >> My problem is that Nginx changes the "Connection: close" header in the >> response from upstream server to "Connection: keep-alive" and sends it to >> client. I want to keep the original "Connection: close" header. > Ah that's a clear question. > It took us only 3 rounds to get to this clear question ;-) > So now the standard Questions from me: > What's the output of nginx -V ? > What's your config? > Maybe you have set 'keepalive' in the upstream config > http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive > or > 'proxy_http_version 1.1;' > http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version > as a last resort you can just pass the header with > 'proxy_pass_header Connection;'. 
> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_header > Choose the solution which fit's to your demand. > I can only guess due to the fact that we don't know your config. > May I ask you to take a look into this document, which exists in > several > languages, thank you very much. > http://www.catb.org/~esr/faqs/smart-questions.html > Best regards > Aleks >> Thanks >> Liu Peng >> >> ----- 原始邮件 ----- >> 发件人:Aleksandar Lazic <al-ng...@none.at> >> 收件人:t...@sina.com >> 抄送人:nginx <nginx@nginx.org> >> 主题:Re:_回复:Re:_Issue_about_nginx_removing_the_header_"Connection"_in_HTTP_response? >> 日期:2017年03月03日 16点19分 >> Hi. >> >> then one directive upward. >> >> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header >> >> Cheers >> >> aleks >> >> Am 03-03-2017 06:00, schrieb t...@sina.com: >> >>> Hi, >>> >>> What I mention is the header in response from backend server. Your >>> answer about proxy_set_header is the "Connection" header in request. >>> >>> Thanks >>> Liu Peng >>> >>> ----- 原始邮件 ----- >>> 发件人:Aleksandar Lazic <al-ng...@none.at> >>> 收件人:nginx@nginx.org >>> 抄送人:t...@sina.com >>> 主题:Re: Issue about nginx removing the header "Connection" in HTTP >>> response? >>> 日期:2017年03月03日 06点25分 >>> >>> Hi. >>> Am 01-03-2017 08:29, schrieb t...@sina.com: >>>> Hi, nginx guy, >>>> >>>> In our system, for some special requests, the upstream server will >>>> return a response which the header includes "Connection: Close". >>>> According to HTTP protocol, "Connection" is one-hop header. >>>> So, nginx will remove this header and the client can't do the >>>> business >>>> logic correctly. >>>> >>>> How to handle this scenario? >>> you mean something like this? 
>>> http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header >>> If the value of a header field is an empty string then this field >>> will >>> not be passed to a proxied server: >>> proxy_set_header Connection ""; >>>> Thanks >>>> Liu Peng >>>> _______________________________________________ >>>> nginx mailing list >>>> nginx@nginx.org >>>> http://mailman.nginx.org/mailman/listinfo/nginx