On 20.07.23 at 15:18, Saint Michael wrote:
I get a timeout error when doing this
git clone git://github.com/yaoweibin/ngx_http_substitutions_filter_module.git
this isn't what I would use. I tried
- git clone
https://github.com/yaoweibin/ngx_http_substitutions_filter_module.git
- git clone
On 18.04.23 at 14:58, mailingl...@unix-solution.de wrote:
nginx is 1.1.18
What's wrong there?
released in March 2012
couldn't you use a "not so historic" version?
Andreas
___
nginx mailing list
nginx@nginx.org
On 04.12.22 at 08:04, blason wrote:
Yes - He is right; everything revolves around DNS and even my error is
with DNS resolving as it was not able to resolve the ocsp.godaddy.com hence
please troubleshoot from a DNS perspective.
Hello List,
To avoid these problems I prefer
On 20.10.22 at 22:30, Maxim Dounin wrote:
Now for automatic ticket keys rotation it is enough to configure
"ssl_session_cache shared:...", something you likely already have
configured anyway. Everything else will be done by nginx: it will
rotate keys every ssl_session_timeout.
so it's
On 19.10.22 at 14:10, Maxim Dounin wrote:
Changes with nginx 1.23.2                    19 Oct 2022
*) Feature: TLS session tickets encryption keys are now automatically
rotated when using shared memory in the "ssl_session_cache"
directive.
Hello,
On 24.02.22 at 19:06, wordlesswind via nginx wrote:
> I enabled OCSP Must-Staple, then I found that after restarting nginx, I
> always get "MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING" error when
> visiting my website for the first time.
Hi,
this is known behavior (reference welcome).
On 03.01.21 at 23:17, Maxim Dounin wrote:
> This is a result of how nginx-auth-ldap is written. Or, more
> strictly, how it adds itself into nginx request processing
> pipeline - it simply adds itself as an HTTP module, and ends up
> called before the access module.
>
> It is relatively
Hello & happy new year!
my goal is to configure nginx to deny access from most client-ip but allow
access from special ip's
for authenticated users. This works for basic_authentication as expected but
behaves differently with auth_ldap
I use https://github.com/kvspb/nginx-auth-ldap.
simplified
Hello,
I run a nginx instance handling only TLS1.2 and TLS1.3.
Now I noticed a remote client hammering (Ok, once per second) with an SSLv2
connection and thus filling the log:
2020/11/24 17:37:08 [info] 383#0: *11 SSL_do_handshake() failed (SSL:
error:14209102:SSL
On 25.10.20 at 12:20, Francis Daly wrote:
> map $remote_addr $this_transport_is {
> ~: IPv6;
> default IPv4;
> }
>
> and then use $this_transport_is where you want it.
>
> (Note: I have tested this with
>
> return 200 "Transport: $this_transport_is\n";
>
> but I have not
Hello,
I like to display (using ssi) if a client's remote address is ipv4 or ipv6
Is there a variable available that indicate the current transport protocol?
Any hint is appreciated!
Thanks,
Andreas
On 14.04.20 at 16:34, Maxim Dounin wrote:
> Changes with nginx 1.17.10 14 Apr 2020
>
> *) Feature: the "auth_delay" directive.
Hello nginx developers,
I'm searching for more information about this specific change and other changes
in general.
The
James Read:
Hi,
how do I customise the 404 page? http://wotstory.com/doesnotexist I don't
want to advertise to the world what web server is running and what
operating system is running,
see https://nginx.org/r/error_page
On 07.06.19 at 16:22, Peter Booth via nginx wrote:
> Do you know of any large, high traffic sites that are using HSTS today?
echo "debian.org
ietf.org
web.de
gmx.net
posteo.de
mailbox.org
andreasschulze.de
paypal.com" \
| while read -r
On 05.06.19 at 14:54, Sathish Kumar wrote:
> Hi Team,
>
> We would like to fix the HTTPS pinning vulnerability on our Nginx and Mobile
> application Android/iOS. If I enable on Nginx, do we need to add the pinning
> keys on our application and have to rotate the pinning keys everytime when
On 05.05.19 at 07:14, PGNet Dev wrote:
> Dropping back to 1.15 branch, all's working again -- with the var.
For example, the diff between 1.15.12 and 1.16.0 is *only* the changed version
number.
So, be precise about which 1.15 version is working for you.
Andreas
On 26.03.19 at 17:50, Maxim Dounin wrote:
> The difference is that in 1.15.10 you can put a certificate itself
> into a variable. Quoting docs:
>
> : The value data:$variable can be specified instead of the file
> : (1.15.10), which loads a certificate from a variable without using
> :
On 11.02.19 at 16:16, rick_pri wrote:
> As such I wanted to put the feelers out to see if anyone else
> had tried to work with large numbers of vhosts and any issues which they may
> have come across.
Hello
we're running nginx (latest) with ~5k domains + 5k www.domain
without issues.
On 01.01.19 at 17:10, ѽ҉ᶬḳ℠ wrote:
> Hi,
>
> would appreciate to get this (weird) error sorted/resolved. Having looked up
> public sources I could not find a remedy and thus placing my hope on this
> list.
>
> ssl_stapling_file foo.bar.der;
> ssl_stapling on;
>
> nginx -t then produces:
On 03.11.18 at 19:14, Bogdan via nginx wrote:
> Hello, everyone.
>
> I am stuck with a fresh installation which runs absolutely fine except it
> doesn't offer TLS1.3 which is the biggest reason for updating the server.
>
> Below is some info about my config.
>
> Distribution: Ubuntu
Bernardo Donadio:
Hi.
I've noticed that OCSP stapling was broken by 1.15.4, as you may see below:
-- nginx 1.15.4 with OpenSSL 1.1.1 final
$ openssl s_client -connect bcdonadio.com:443 -tlsextdebug -status
CONNECTED(0003)
TLS server extension "renegotiation info"
On 28.09.18 at 10:56, Alex Zhang wrote:
> It seems that OpenSSL has changed the way TLSv1.3 cipher suites are
> configured.
> According to the document
> https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cipher_list.html, the
> function SSL_CTX_set_cipher_list isn’t suitable for
On 17.04.2018 at 17:17, Tim Smith wrote:
> ssl_ciphers
>
Frank Liu:
Can I use different listen parameters for virtual hosts using the same
port? Eg, one vh has “listen 443 ssl;” and the other one has “listen 443
ssl h2;”
no, that's impossible (I think...)
https://nginx.org/r/listen
...
The listen directive can have several additional parameters
Sophie Loewenthal:
ssl_ecdh_curve secp521r1;
I never used that curve. If there's no specific reason for secp521r1,
try secp384r1 or leave it empty.
and see what will happen.
Andreas
meteor8488:
Hi All,
If I use
server {
listen 443 accept_filter=dataready ssl http2;
}
server {
listen 443 http2 sndbuf=512k;
}
I'll get error
duplicate listen options for 0.0.0.0:443
I know it's caused by http2 in server 2.
probably you're wrong.
Hello,
experiments with nginx-ct ¹) show that I need a tool to submit a certificate to
some public logs.
cts-submit ²) seems useful. But it requires me to install php on every host :-/
I know there are also python implementations. but
is anybody aware of an implementation in *plain posix shell +
On 25.10.2017 at 17:30, Gregory Edigarov wrote:
> hello,
>
> I have an app under /var/www/admin/dist:
>
> index.html
>
> bundle.js
>
> static/
>
> and a bunch of files under static/
>
> i need nginx to get these files when I access https://somesite.net/admin/,
> not files from /admin.
Grzegorz Kulewski:
Hello,
Is resolver in nginx still needed for OCSP stapling?
I am getting a warning from nginx if resolver is not supplied but at
the same time both Qualys and openssl s_client output suggest OCSP
stapling is working. Strange
There are two options
- let nginx fetch
Fabio Ancona:
I set the "--with-ld-opt=" in this way
I hope that it's OK also in your point of view (without introducing
other issues).
if it works for you, it's fine.
For me that didn't work months/versions ago because my openssl library
uses the same path but other library names.
I'm
on/platform I never will build for and modify
"ngx_feature", "ngx_feature_path" and "ngx_feature_libs"
Description: find my openssl libraries with nodefault names
Author: A. Schulze
---
This patch header follows DEP-3: http://dep.deb
On 09.07.2017 at 19:43, Johan Andersson wrote:
> Actually I was flushing each response, so I expected each "hello world"
> message to appear one after the other, with one second pause between them.
You may have a look at https://github.com/openresty/echo-nginx-module
As far as I know they
B.R. via nginx:
nginx configuration is parsed/analyzed by nginx master process by design.
Moreover, TLS configuration is kept at this level if I recall well.
Thus, the user your master process uses needs to have the rights to access
the specified file.
To reload nginx configuration, you will
Hello,
https://nginx.org/r/ssl_session_ticket_key mentions session ticket key rotation.
Which process reads these files? master or worker?
Must it be readable for root only or nginx-user?
Must I signal nginx processes the rotation? If yes, how? via SIGHUP?
thanks for clarification,
Andreas
hello
my buildsystem warns about a minor glitch in nginx.8
patch attached
Andreas
Description: fix minor manpage errors
Author: A. Schulze
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
Index: nginx-1.11.13/man/nginx.8
On 01.02.2016 at 23:53, Yichun Zhang (agentzh) wrote:
> Hello!
>
> On Fri, Jan 29, 2016 at 8:40 PM, Kurt Cancemi wrote:
>> I was doing some debugging and though I haven't found a fix. The problem is
>> in the ngx_http_echo_client_request_headers_variable() function c->buffer is
>> NULL when
Nomad Worker:
I read the code of ssl module, the directive ssl_session_timeout seems only
used for ssl session cache, not for ssl session ticket.
the document describes the directive as 'Specifies a time during which a
client may reuse the session parameters.' Is it not exactly?
Is there any
Vladimir Homutov:
You may try the following patch:
diff --git a/src/stream/ngx_stream_proxy_module.c
b/src/stream/ngx_stream_proxy_module.c
--- a/src/stream/ngx_stream_proxy_module.c
+++ b/src/stream/ngx_stream_proxy_module.c
@@ -1564,6 +1564,7 @@ ngx_stream_proxy_process(ngx_stream_sess
Hello,
last days I setup a server to encapsulate DNS over TLS.
- DNS-Server @localhost, Port 53 TCP
- NGINX Stream module on public IP, Port 853 TCP, SSL enabled.
That works so far.
Now I thought to scan this setup using ssllabs.com
I shutdown my HTTPS webserver and let nginx stream
lists:
Nginx has a reverse DNS module:
https://github.com/flant/nginx-http-rdns
for an older version from 20140411 I have a patch. That version works
without problems.
--- nginx-1.10.1.orig/nginx-http-rdns-20140411/ngx_http_rdns_module.c
+++
On 12.09.2016 at 21:33, Joshua Schaeffer wrote:
Any chance anybody has played around with Kerberos auth? Currently my SSO
environment uses GSSAPI for most authentication.
I compile also the module
https://github.com/stnoonan/spnego-http-auth-nginx-module
but I've no time to configure /
On 12.09.2016 at 21:04, Joshua Schaeffer wrote:
- https://github.com/kvspb/nginx-auth-ldap
I'm using that one to authenticate my users.
auth_ldap_cache_enabled on;
ldap_server my_ldap_server {
url
ldaps://ldap.example.org/dc=users,dc=mybase?uid?sub;
Grant:
Has anyone experimented with displaying a more informative message
than "503 Service Temporarily Unavailable" when someone exceeds the
limit-req?
maybe https://tools.ietf.org/html/rfc6585#section-4 ?
Andreas
John Griessen:
I checked and my configuration had:
DEFAULT_URL_PATTERN = 'http://%s/mailman/'
shouldn't that say "httpS:// ..." ?
Andreas
Hello,
I'm using horde and observe similar errors since some weeks.
Unsure if the same problem would be the reason.
Maxim Konovalov:
It was fixed in 1.11.0 two weeks ago.
I found one patch "preread_buffer.patch" attached to
https://trac.nginx.org/nginx/ticket/959
That patch looks not
you could also include one file at all relevant places.
nginx.conf:
server {
    # settings for server1
    include /path/to/include.file;
}
server {
    # settings for server2
    include /path/to/include.file;
}
/path/to/include.file:
allow ip1;
allow cidr2;
deny all;
kostbad:
Every time I run it, my nginx server (ssl terminator) crashes and I have to
restart it.
I get the following error in my nginx logs:
*734 SSL_do_handshake() failed (SSL: error:140A1175:SSL
routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback) while SSL
handshaking, client:
Max Clements:
Depending on the versions of Windows and what you are trying to do, it
may be possible to use Kerberos via Nginx, rather than NTLM.
that's what I mean saying "I don't care if it's named NTLM or ugly_voodoo"
You name it "Kerberos" - fine.
Now I came up with two questions:
-
Maxim Dounin:
Just a side note: NTLM auth is broken by design and violates HTTP
basic rules. Avoid using it if you can.
to be clear: I don't care if it's named NTLM or ugly_voodoo
The goal is an nginx accessed by an IE/Edge browser. Users should not be
bothered with authentication
as they
Hello,
currently we run web applications on nginx accessible from MS clients
part of a Windows Domain.
the users are requested to authenticate via Basic-Auth (via HTTPS)
which nginx validates against the
domain Active Directory using https://github.com/kvspb/nginx-auth-ldap
But I think the
j.o.l:
I am using Nginx to serve a website that hosts a .Net application. The file
a user needs to download and that triggers installation is a *.application
file, and an MS Internet Information Server associates that with the mime
type application/x-ms-application. However that file never
B.R.:
I want to have details about the status nginx' validation of the initial
OCSP query it did to the OCSP responder of the CA, especially when it goes
wrong.
we do not let nginx fetch the ocsp data itself but use ssl_stapling_file.
a cronjob calls openssl and VERIFIES the OCSP response.
Thierry:
Nginx: front end - reverse proxy
Apache2: Back end - web server
hpkp is a header served to the client as response to an https request
I would add the Public-Key-Pins on the instance terminating the HTTPS request.
without rproxy I have this in /etc/nginx/sites-enabled/example.org
A. Schulze:
The attached patch solves at least the compile error.
now also verified the module works with nginx-1.9.11
Andreas
is version)
Andreas
Description: fix minor manpage errors
Author: A. Schulze
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
Index: nginx-1.9.11/man/nginx.8
===
--- nginx-1.9.11.orig/man/nginx.8
+++ nginx-1.9.11/m
Roman Arutyunyan:
On Tue, Feb 09, 2016 at 08:59:42PM +0100, A. Schulze wrote:
Maxim Dounin:
>Changes with nginx 1.9.11                    09 Feb 2016
>
>*) Feature: TCP support in resolver.
the rDNS module (https://www.nginx.com/resources/wiki/mod
Alex Samad:
Is it possible with nginx to do this
https://www.abc.com
/
/noclientcert/
/clientcert/
so you can get to / with no client cert, but /clientcert/ you need a
cert, but for /noclientcert/ you don't need a cert.
as far as I learned it's not possible and the usual answer
to such
Yichun Zhang (agentzh):
Yeah, the ngx_echo module does not support the HTTP/2 mode yet (as the
maintainer, I've never tested it anyway). Patches welcome and
volunteers welcome :)
thanks,
I could not support with patches but would do some beta testing.
Just to have asked:
disabling http2 for
Nikolai Lusan:
In theory ipv6 shouldn't make a difference, and it sure as heck
doesn't make a
difference to the ipv4 configuration.
Maybe not what you expect/like to hear:
Why does my head hurt if I run against a wall?
-> simply don't do that.
IPv6 is more than IPv4 with longer