Re: Blocking tens of thousands of IP's

2016-11-14 Thread mex
How do you transfer metrics from nginx to your pfsense? mayak Wrote: --- > We are blocking 2.2 million addresses, however, we do it at the > firewall/router (pfsense pfBlocker). > > Ultra fast. > > HTH > > Mayak

Re: Bloking Bad bots

2016-11-14 Thread Star Dot
You could also look at the nginx module naxsi : https://github.com/nbs-system/naxsi More flexibility with regex and actions -- StackStar Managed Hosting Services : https://www.stackstar.com Shift8 Web Design in Toronto : https://www.shift8web.ca On Mon, Nov 14, 2016 at 10:04 AM, debilish99

Re: Is this a valid request?

2016-11-14 Thread Star Dot
Don't see any traversal or injection attempt, but not knowing what is a "legitimate" request or the application architecture, it's difficult to comment further. -- StackStar Managed Hosting Services : https://www.stackstar.com Shift8 Web Design in Toronto : https://www.shift8web.ca On Mon, Nov

Re: Hide a request cookie in proxy_pass

2016-11-14 Thread jwal
Oops: this is the correct link: https://regex101.com/r/RZltB6/1 Posted at Nginx Forum: https://forum.nginx.org/read.php?2,252944,270942#msg-270942

Re: Hide a request cookie in proxy_pass

2016-11-14 Thread jwal
Hi, Thanks for this; it is pretty close to what I need. I just tried it out in the regex101.com editor and I think there might be a vulnerability: https://regex101.com/delete/ypHV2Yw6o3wHqGDQTHRPZw3r The client could include the same cookie name in twice. This regexp would only strip out one of

Re: Bloking Bad bots

2016-11-14 Thread George
I use nginx maps which depending on user agent either block, rate limit or whitelist https://community.centminmod.com/threads/blocking-bad-or-aggressive-bots.6433/ as the list gets large nginx maps just make it easier to manage Posted at Nginx Forum:

Re: Bloking Bad bots

2016-11-14 Thread Ph. Gras
Hi there ! so I do, with 2 different ways : == if ($http_user_agent ~* MJ12bot|SemrushBot) { return 403; } if ($http_user_agent ~* bot|crawl|spider|tools|java) { rewrite ^

Re: Bloking Bad bots

2016-11-14 Thread lists
fwiw, I use the map approach discussed here. I've a list of a hundred or so 'bad bots'. I reply with a 444. Screw 'em. IMO, the performance hit of blocking them is far less than the performance havoc they wreak if allowed to (try to) scan your site, &/or the inevitable flood of crap from

Re: Bloking Bad bots

2016-11-14 Thread lists
Comparing strings is CS101. If map is a linear search, that should be something to improve. I'm assuming you read the code

Re: Bloking Bad bots

2016-11-14 Thread lists
I'd be shocked if the map function doesn't use a smart search scheme rather than check every item.  

Re: x-accel-redirect to @location and empty $upstream_http_some_header

2016-11-14 Thread Руслан Закиров
On Mon, Nov 14, 2016 at 3:45 PM, Maxim Dounin wrote: > Hello! > > On Mon, Nov 14, 2016 at 02:13:18PM +0300, Руслан Закиров wrote: > > > One URL redirects to @streams location: > > > > HTTP/1.0 200 OK > > expires: 0 > > cache-control: no-cache, no-store, must-revalidate > >

Re: Bloking Bad bots

2016-11-14 Thread Anoop Alias
I had asked the same question once and got no to-the-point response. So here is what I infer: the if causes nginx to check the header for each request against the list of patterns you have configured and return a 403 if found. So the processing slows down on each request to for the if

Internal IP in HTTP Location Header Response?

2016-11-14 Thread mevans336
Hello - we have been dinged on our network penetration test because one of our Nginx web servers is returning the internal IP in the HTTP location response header. This is our only Nginx server that is not acting as a reverse proxy, so I'm at a bit of a loss on how to disable Nginx returning the

Re: Bloking Bad bots

2016-11-14 Thread lists
You can block some of those bots at the firewall permanently. I use the nginx map feature in a similar manner, but I don't know if map is more efficient than your code. I started out blocking similar to your scheme, but the map feature looks clear to me in the conf file. Majestic and Sogou

Bloking Bad bots

2016-11-14 Thread debilish99
Hello, I have a server with several domains, in the configuration file of each domain I have a line like this to block bad bots. if ($http_user_agent ~* (zealbot|MJ12bot|AhrefsBot|sogou|PaperLiBot|uipbot|DotBot|GetIntent|Cliqzbot|YandexBot|Nutch|TurnitinBot|IndeedBot)) { return 403; } This works

[nginx] Upstream: handling of upstream SSL handshake timeouts.

2016-11-14 Thread Maxim Dounin
details: http://hg.nginx.org/nginx/rev/d8d037f20484 branches: changeset: 6799:d8d037f20484 user: Maxim Dounin date: Mon Nov 14 17:21:06 2016 +0300 description: Upstream: handling of upstream SSL handshake timeouts. Previously SSL handshake timeouts were not

Re: AW: AW: AW: RE: slow https performance compared to http

2016-11-14 Thread adrhc
Lukas Tribus Wrote: --- > > 4 threads and 4 CPU (both for apache and nginx) with 100% CPU load > on test > > So, what's the answer now about the http/https (4600/550) ratio for > the > > specific case I presented? > > It should perform the same

Re: [PATCH] Follow OpenSSL's switch from AES128 to AES256 for session tickets

2016-11-14 Thread Maxim Dounin
Hello! On Mon, Nov 07, 2016 at 12:09:40AM +0100, Christian Klinger via nginx-devel wrote: > # HG changeset patch > # User Christian Klinger > # Date 1478473338 -3600 > # Node ID 36f66e94771dd39e8948ba1023e5ca0677655840 > # Parent 92ad1c92bcf93310bf59447dd581cac37af87adb >

Re: custom logic after connection is closed

2016-11-14 Thread nemster
Hi Maxim, Maxim Dounin Wrote: --- > Hello! > > On Mon, Nov 14, 2016 at 05:08:33AM -0500, nemster wrote: > > > Hi! > > Is it possible to write a plugin that does some additional stuff > after a TLS > > (http/1.1, http/2.0) TCP connection. > >

Re: x-accel-redirect to @location and empty $upstream_http_some_header

2016-11-14 Thread Maxim Dounin
Hello! On Mon, Nov 14, 2016 at 02:13:18PM +0300, Руслан Закиров wrote: > One URL redirects to @streams location: > > HTTP/1.0 200 OK > expires: 0 > cache-control: no-cache, no-store, must-revalidate > x-accel-redirect: @streams > Content-Type: text/html; charset=utf-8 > Status: 200 >

Re: custom logic after connection is closed

2016-11-14 Thread Maxim Dounin
Hello! On Mon, Nov 14, 2016 at 05:08:33AM -0500, nemster wrote: > Hi! > Is it possible to write a plugin that does some additional stuff after a TLS > (http/1.1, http/2.0) TCP connection. > I would want to keep some extra struct for each TLS connection and > manipulated it with every request,

x-accel-redirect to @location and empty $upstream_http_some_header

2016-11-14 Thread Руслан Закиров
Hi, One URL redirects to @streams location: HTTP/1.0 200 OK expires: 0 cache-control: no-cache, no-store, must-revalidate x-accel-redirect: @streams Content-Type: text/html; charset=utf-8 Status: 200 x-real-location: /stream/?user_id=153847603=RU pragma: no-cache @streams Location looks like

AW: AW: AW: RE: slow https performance compared to http

2016-11-14 Thread Lukas Tribus
> 4 threads and 4 CPU (both for apache and nginx) with 100% CPU load on test > So, what's the answer now about the http/https (4600/550) ratio for the > specific case I presented? It should perform the same as Apache in this case.

Is this a valid request?

2016-11-14 Thread li...@lazygranch.com
I keep my nginx server set up dumb. (Don't need anything fancy at the moment). Is this request below possibly valid? I flag anything with a question mark in it as hacking, but maybe IOS makes some requests that some websites will process, and others would just ignore after the question mark. 444

custom logic after connection is closed

2016-11-14 Thread nemster
Hi! Is it possible to write a plugin that does some additional stuff after a TLS (http/1.1, http/2.0) TCP connection. I would want to keep some extra struct for each TLS connection and manipulate it with every request, then once the TLS (or TCP) connection closes I would want to do some

Re: does not work on any request on windows

2016-11-14 Thread ganadara
update information. This is the result of ngx_http_wait_request_handler after c->recv(c, b->last, size). The normal response has been successfully responded to the user request. Abnormal does not respond to user requests.

Re: AW: AW: RE: slow https performance compared to http

2016-11-14 Thread adrhc
Lukas Tribus Wrote: --- > That depends: how many nginx workers do you have compared to > how many apache threads and how does your per-core CPU load > look like when benchmarking?

AW: AW: RE: slow https performance compared to http

2016-11-14 Thread Lukas Tribus
> I agree but I think that separate/different simultaneous users won't use a > common connection so for this very specific scenario keep-alive won't > matter. Of course for every individual user keep-alive will matter but this > aspect for the moment I won't to ignore in testing. It does matter,