nginx-1.27.2

2024-10-02 Thread Sergey Kandaurov
"ssl_client_certificate" directive is not required for client SSL certificate verification. -- Sergey Kandaurov ___ nginx mailing list nginx@nginx.org https://mailman.nginx.org/mailman/listinfo/nginx

nginx-1.26.2

2024-08-14 Thread Sergey Kandaurov
Changes with nginx 1.26.2 14 Aug 2024 *) Security: processing of a specially crafted mp4 file by the ngx_http_mp4_module might cause a worker process crash (CVE-2024-7347). Thanks to Nils Bars. -- Sergey Kandaurov

nginx-1.27.1

2024-08-14 Thread Sergey Kandaurov
handler is not mandatory. *) Bugfix: new HTTP/2 connections might ignore graceful shutdown of old worker processes. Thanks to Kasei Wang. *) Bugfixes in HTTP/3. -- Sergey Kandaurov

nginx security advisory (CVE-2024-31079, CVE-2024-32760, CVE-2024-34161, CVE-2024-35200)

2024-05-29 Thread Sergey Kandaurov
. The issues affect nginx 1.25.0-1.25.5, 1.26.0. The issues are fixed in nginx 1.27.0, 1.26.1. Thanks to Nils Bars of CISPA. -- Sergey Kandaurov

nginx-1.26.1

2024-05-29 Thread Sergey Kandaurov
", or "grpc_pass" directives are used. *) Bugfix: nginx could not be built by gcc 14 if the --with-atomic option was used. Thanks to Edgar Bonet. *) Bugfix: in HTTP/3. -- Sergey Kandaurov

nginx-1.27.0

2024-05-29 Thread Sergey Kandaurov
te" directives. *) Bugfix: reduced memory consumption for long-lived requests if "gzip", "gunzip", "ssi", "sub_filter", or "grpc_pass" directives are used. *) Bugfix: nginx could not be built by gcc 14 if the --with-atomic

Re: Issues building Nginx using boringssl

2024-02-20 Thread Sergey Kandaurov
n pure C programs. Someday they will hopefully fix that, meanwhile you may want to: - switch to C++ linker as described in the revision; - build libssl as a shared library (see BUILDING.md in sources); - use some other workarounds when linking with BoringSSL statically, such as explicit linkin

nginx security advisory (CVE-2024-24989, CVE-2024-24990)

2024-02-14 Thread Sergey Kandaurov
with the ngx_http_v3_module (not compiled by default) if the "quic" option of the "listen" directive is used in a configuration file. The issue affects nginx 1.25.0 - 1.25.3. The issue is fixed in nginx 1.25.4. -- Sergey Kandaurov

nginx-1.25.4

2024-02-14 Thread Sergey Kandaurov
h code 415 were redirected with the "error_page" directive. *) Bugfixes and improvements in HTTP/3. -- Sergey Kandaurov

Re: status-line trailing SP is missing ?

2023-08-31 Thread Sergey Kandaurov
ules/ngx_http_uwsgi_module.c > @@ -1381,7 +1381,10 @@ ngx_http_uwsgi_process_header(ngx_http_r > } > > u->headers_in.status_n = status; > -u->headers_in.status_line = *status_line; > + > +if (status_line->len > 3) { > +u->headers_in.status_line = *status_line; > +} > > } else if (u->headers_in.location) { > u->headers_in.status_n = 302; > > After discussion in the adjacent thread, I think the change is fine. -- Sergey Kandaurov
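Review bot: the `status_line->len > 3` test in ngx_http_uwsgi_process_header hard-codes the length of a three-digit status code as a bare literal with no comment, so the intent (a bare "200" is dropped and nginx supplies its own status text, while "200 " with an empty reason phrase is kept so the SP survives) is not recoverable from the code; add a one-line comment above the `if`, or compare against a named length, so a later reader does not "simplify" it back to the unconditional `u->headers_in.status_line = *status_line;` that the hunk removes.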

Re: status-line trailing SP is missing ?

2023-08-31 Thread Sergey Kandaurov
> On 31 Aug 2023, at 14:28, Maxim Dounin wrote: > > Hello! > > On Wed, Aug 30, 2023 at 04:20:15PM +0400, Sergey Kandaurov wrote: > >>> On 29 Aug 2023, at 08:33, Maxim Dounin wrote: >>> >>> On Mon, Aug 28, 2023 at 08:59:28PM +0400, Sergey Kandaur

Re: status-line trailing SP is missing ?

2023-08-30 Thread Sergey Kandaurov
> On 29 Aug 2023, at 08:33, Maxim Dounin wrote: > > Hello! > > On Mon, Aug 28, 2023 at 08:59:28PM +0400, Sergey Kandaurov wrote: > >> >>> On 26 Aug 2023, at 18:21, Jérémy Lal wrote: >>> >>> Hi, >>> >>> https://bugs.d

Re: status-line trailing SP is missing ?

2023-08-28 Thread Sergey Kandaurov
a special treatment to preserve SP before empty reason phrase. The below patch should help; although it doesn't look efficient and can be polished, I think this is quite enough for valid use cases. # HG changeset patch # User Sergey Kandaurov # Date 169323
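The special-casing discussed in this thread (a status line such as "200 " with an empty reason phrase must keep its SP, while a bare "200" is left to nginx's default status text; the `status_line->len > 3` rule in the quoted uwsgi patch), as an added Python example that is not from the thread and not nginx code: it parses an upstream status line the way the patch decides what to keep, and renders what the client would receive. The `DEFAULT_REASON` table is an illustrative stand-in for nginx's own status text.

```python
from dataclasses import dataclass
from typing import Optional

# Stand-in for the default reason phrases nginx attaches when the upstream
# supplies none (assumption for this example; nginx has its own table).
DEFAULT_REASON = {
    200: "OK",
    204: "No Content",
    302: "Found",
    404: "Not Found",
    500: "Internal Server Error",
}


@dataclass
class UpstreamStatus:
    status_n: int                 # numeric status code, as u->headers_in.status_n
    status_line: Optional[str]    # upstream text after "HTTP/x.y ", or None to use the default


def parse_status_line(line: str) -> UpstreamStatus:
    """Parse a status line received from an upstream.

    Mirrors the rule from the quoted patch: the upstream status_line is kept
    only if it is longer than the three status digits.  "200 " (empty reason
    phrase, SP preserved) is kept; a bare "200" is not, so nginx's default
    reason phrase is used instead.
    """
    if not line.startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % line)
    parts = line.split(" ", 1)
    if len(parts) != 2:
        raise ValueError("missing status code: %r" % line)
    rest = parts[1]                       # this is what nginx calls status_line
    if len(rest) < 3 or not rest[:3].isdigit():
        raise ValueError("malformed status code: %r" % line)
    if len(rest) > 3 and rest[3] != " ":
        raise ValueError("status code must be followed by SP: %r" % line)
    status_n = int(rest[:3])
    status_line = rest if len(rest) > 3 else None
    return UpstreamStatus(status_n, status_line)


def render_status_line(st: UpstreamStatus) -> str:
    """Status line as sent to the client: preserved upstream text, or the default."""
    if st.status_line is not None:
        return "HTTP/1.1 " + st.status_line
    reason = DEFAULT_REASON.get(st.status_n)
    if reason is None:
        return "HTTP/1.1 %d" % st.status_n
    return "HTTP/1.1 %d %s" % (st.status_n, reason)


def relay_status_line(line: str) -> str:
    """Convenience wrapper: upstream status line in, client status line out."""
    return render_status_line(parse_status_line(line))


if __name__ == "__main__":
    for sample in ("HTTP/1.1 200 OK", "HTTP/1.1 200 ", "HTTP/1.1 200", "HTTP/1.1 204 "):
        print(repr(sample), "->", repr(relay_status_line(sample)))
```

The interesting inputs are the second and third: a trailing SP is the only thing that distinguishes "no reason phrase, keep mine" from "no reason phrase, give me yours", which is why the length check sits on the status_line rather than on a parsed reason phrase.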

Re: About X25519Kyber768Draft00

2023-08-21 Thread Sergey Kandaurov
rypted ClientHello: no
Cert subject: CN = localhost
Cert issuer: CN = localhost
HTTP/1.1 200 OK
Server: nginx/1.25.2
Date: Mon, 21 Aug 2023 14:58:40 GMT
Content-Type: text/plain
Content-Length: 23
Connection: close

X25519Kyber768Draft00
-- Sergey Kandaurov

Re: How to compile Nginx with zlib-ng

2023-03-27 Thread Sergey Kandaurov
1 && alloc % 512 != 0 && alloc < 8192) { > - > +if (items == 1 && alloc % 512 != 0 && alloc < 8192 > +&& !ctx->state_allocated) > +{ > /* > * The zlib deflate_state allocation, it takes about 6K, >
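Review bot: the added `!ctx->state_allocated` condition makes the "one allocation of about 6K" heuristic fire only once per context, but the visible hunk does not show where `state_allocated` is declared, initialised or set; that assignment (presumably when this branch is taken) belongs in the same patch, and the comment that follows ("The zlib deflate_state allocation, it takes about 6K") should say why zlib-ng needs the extra guard, since it was written for zlib's allocation pattern.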

nginx-quic packages available

2023-02-09 Thread Sergey Kandaurov
instructions: https://quic.nginx.org/packages.html -- Sergey Kandaurov

Re: nginx-quic socket() 0.0.0.0:80 failed (94: Socket type not supported)

2022-11-10 Thread Sergey Kandaurov
On Tue, Nov 01, 2022 at 05:02:51PM +0400, Roman Arutyunyan wrote: [..] > # HG changeset patch > # User Roman Arutyunyan > # Date 1667307635 -14400 > # Tue Nov 01 17:00:35 2022 +0400 > # Branch quic > # Node ID 40777e329eea363001186c4bf609d2ef0682bcee > # Parent 598cbf105892bf9d7acc0fc3278b

Re: Running nginx-quic in a real environment

2022-09-29 Thread Sergey Kandaurov
> On 28 Sep 2022, at 01:04, Maxim Dounin wrote: > > Hello! > > On Tue, Sep 27, 2022 at 04:05:54PM +0400, Sergey Kandaurov wrote: > >>> On 27 Sep 2022, at 14:11, João Sousa Andrade >>> wrote: >>> >>> Thank you for the clarification Serg

Re: Running nginx-quic in a real environment

2022-09-27 Thread Sergey Kandaurov
ing next available client Connection ID, but there were none, as seen in the above error. Hope that helps. -- Sergey Kandaurov

Re: QUIC preview `make` fails: `[objs/Makefile:1055: objs/src/event/quic/ngx_event_quic.o] Error 1`

2022-09-16 Thread Sergey Kandaurov
/ngx_event_quic_transport.h:314:49: error: field ‘level’ has > incomplete type > 314 | enum ssl_encryption_level_t level; > | ^ Make sure to provide correct OpenSSL path(s). -- Sergey Kandaurov

Re: Running nginx-quic in a real environment

2022-09-15 Thread Sergey Kandaurov
further updates of this code, including features, potential changes in behaviour, bug fixes, and refactoring. There are still rough edges but basically it works. > Can anyone help me with that? If this goes forward, we'll be happy to share > anything useful we find on our side as we

Re: Client can't negotiate with TLS 1.0 and 1.1

2022-08-25 Thread Sergey Kandaurov
.1 on insecure.example.com? > > Is this an OpenSSL 3 issue? Does it work with OpenSSL 1.1.1? > TLS 1.0 and 1.1 are de-facto disabled by default in OpenSSL 3.0+. See for more details: https://trac.nginx.org/nginx/ticket/2250 -- Sergey Kandaurov

Re: Ubuntu 18 Support

2022-08-19 Thread Sergey Kandaurov
of standard support of the relevant Linux distribution. For details on Ubuntu, you can check https://wiki.ubuntu.com/Releases -- Sergey Kandaurov

Re: ngx_http_read_client_request_body not always being called?

2022-08-16 Thread Sergey Kandaurov
> > In my ngx_http_form_read, I have the following: > { >#if defined(ngx_version) && nginx_version >= 8011 >r->main->count--; >#endif > > //form parsing data > // no return, this is a void? > > } > I see numerous issues in your c

Re: Nginx upstream zone

2022-08-08 Thread Sergey Kandaurov
> > Thank you. > It's roughly 500 bytes per upstream server in a simple case. The exact numbers depend on nginx version and configuration. Also, currently upstream zone cannot be configured to be less than 8 page sizes. -- Sergey Kandaurov

Re: How to disable http v2

2022-06-07 Thread Sergey Kandaurov
ake sure you do not have the "http2" option on a particular IP:1443 elsewhere, as "http2" applies to all virtual servers sharing such IP:PORT. -- Sergey Kandaurov

Re: Unknown 428 http status code description via nginx

2022-06-02 Thread Sergey Kandaurov
ated for a given locale, overwritten by intermediaries, or discarded
So it should be fine to have it absent. -- Sergey Kandaurov

Re: limit_conn_zone using $http_ variable not working?

2022-05-06 Thread Sergey Kandaurov
> On 6 May 2022, at 03:54, Alan Jackson wrote: > > Hi, > > I'm trying to use rate limiting on an nginx mail proxy->nginx fastcgi backend > to restrict the number of concurrent connections from a client's IP. > Unfortunately, I can't use proxy_protocol on the mail proxy side due to the > ngi

Re: Help with UDP load balancing passive health checks

2022-02-25 Thread Sergey Kandaurov
s > simply unavailable with udp? > > Thanks > I believe there's no such option for UDP with passive checks. -- Sergey Kandaurov

Re: Help with UDP load balancing passive health checks

2022-02-24 Thread Sergey Kandaurov
ror while reading back from upstream. This means no next upstream logic for UDP. The waiting time can be shortened, if the peer reports back with the ICMP error, such as "port unreachable". In this case, it is seen as recv() error immediately, without waiting for connection timeout. Any wa

Re: Nginx + NJS 0.7.2 Refusing to Compile

2022-02-11 Thread Sergey Kandaurov
CLIBSSL \ > --with-http_realip_module \ > --with-http_auth_request_module \ > --with-http_gzip_static_module \ > --with-http_v2_module \ > --with-http_sub_module \ > --with-libatomic \ > --with-file-aio \ > --with-http_xslt_module \ > --with-http_flv_module \ > --with-

Re: ssl_reject_handshake disallow TLSv1.3

2022-02-08 Thread Sergey Kandaurov
t specify OpenSSL version, so I assume this belongs to https://trac.nginx.org/nginx/ticket/2071#comment:1 -- Sergey Kandaurov

Re: ktls nginx not working

2022-01-27 Thread Sergey Kandaurov
ne is applied. To specify several values: --with-openssl-opt="opt1 opt2" It's also useful to know the actually negotiated ciphersuite. -- Sergey Kandaurov

Re: ktls nginx not working

2022-01-27 Thread Sergey Kandaurov
ons KTLS; >.. > } > # > What am I doing wrong? > Make sure you have enabled sendfile in configuration. Note that Linux 4.18 as distributed with Centos8 implements no KTLS for TLSv1.3 ciphers, and a quite limited number of ciphers for TLSv1.2. -- Sergey Kandaurov

Re: The certificate of quic.nginx.org has expired

2021-12-06 Thread Sergey Kandaurov
> On 5 Dec 2021, at 18:24, wordlesswind wrote: > > Hello, > > > I noticed that the certificate of quic.nginx.org has expired. > It should be fixed now. -- Sergey Kandaurov

Re: Using $host variable in ssl_certificate path

2021-10-20 Thread Sergey Kandaurov
file or > directory:fopen('/etc/letsencrypt/live/$host/fullchain.pem','r') > error:2006D080:BIO routines:BIO_new_file:no such file) The error suggests you have too old an nginx version. Variables support in the "ssl_certificate"

Re: No request body when using fastcgi and chunked transfer-encoding

2021-09-13 Thread Sergey Kandaurov
run/php/php-fpm.iserv-helloworld.sock; >} > > } > > [4] https://bz.apache.org/bugzilla/show_bug.cgi?id=53332 > [5] https://bz.apache.org/bugzilla/show_bug.cgi?id=57087 > [6] https://bugs.php.net/bug.php?id=60826 > [7] https://trac.nginx.org/nginx/ticket/1344 > [8] h

Re: what will get logged when send_timeout is exceeded?

2021-09-02 Thread Sergey Kandaurov
ation timed out) while sending response to client" -- Sergey Kandaurov

Re: loading ssl_certificate from a variable

2021-06-23 Thread Sergey Kandaurov
CERTIFICATE) while SSL handshaking, client: 127.0.0.1, server: > 0.0.0.0:19099 The error indicates an empty value. This is because "set" variables are not yet handled while SSL handshaking. You might want to replace it with e.g. geo or map that use global context. T

Re: Upstream proxy using QUIC

2021-06-16 Thread Sergey Kandaurov
nd. As of now, nginx-quic supports QUIC and HTTP/3 termination only, it doesn't support communicating to a QUIC (and thus - HTTP/3) backend. [..] -- Sergey Kandaurov

Re: Nginx Configuration for websocket: Error during WebSocket handshake: Unexpected response code: 403

2021-06-10 Thread Sergey Kandaurov
> If nginx doesn't support bootstrapping WebSockets with HTTP/2, what should > I do? Are you actually using HTTP/2 ? What if you try disabling http2 in the listen directive, to be sure. "Unexpected response code: 403" could mean misconfigu

Re: Nginx Configuration for websocket: Error during WebSocket handshake: Unexpected response code: 403

2021-06-10 Thread Sergey Kandaurov
s/http-bind";)); > > to websocket: > >let [conn, setConn] = React.useState(new > Strophe.Connection("wss://grasp.deals/xmpp-websocket")); > > I get this error: > >WebSocket connection to 'wss://grasp.deals/xmpp-websocket' failed: Error > during

Re: NGINX and 5xx

2021-05-19 Thread Sergey Kandaurov
ng. http://nginx.org/en/docs/http/ngx_http_upstream_module.html#max_fails -- Sergey Kandaurov

Re: QUIC based Nginx in Linux(Ubuntu) based systems

2021-03-09 Thread Sergey Kandaurov
" 404 555 "-" > "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) > Chrome/89.0.4389.72 Safari/537.36" "-" "h3-29" > It is using HTTP/1.1 (for whatever reasons). Usually that means a failure to negotiate HTTP/3. -- Sergey Kandaurov

Re: client_max_body_size and chunked encoding

2021-02-19 Thread Sergey Kandaurov
coming HTTP/3) the limit also applies to the actually processed request body chunks in the corresponding protocols, if the "Content-Length" request header was not specified in a request. -- Sergey Kandaurov
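The behaviour described in this reply (with no Content-Length to check up front, the body-size limit is enforced against the chunks actually decoded), as an added Python example that is not nginx code: an incremental Transfer-Encoding: chunked decoder that rejects the request as soon as the declared chunk sizes would exceed the limit, without buffering the oversized chunk. The limit values and the sample body are constructed for the example.

```python
import re

# Chunk-size line: 1..16 hex digits, optionally followed by chunk extensions.
_CHUNK_SIZE_RE = re.compile(rb"^([0-9A-Fa-f]{1,16})(?:;.*)?$")


class RequestTooLarge(Exception):
    """Decoded body exceeded the configured limit (an HTTP 413 in nginx terms)."""


class ChunkedDecoder:
    """Incremental Transfer-Encoding: chunked decoder with a body-size limit.

    There is no Content-Length to check up front, so the limit is applied to
    the bytes actually decoded.  Each declared chunk size is checked against
    the remaining allowance before its data is buffered, so an oversized
    chunk is rejected without reading it.
    """

    def __init__(self, max_body_size: int):
        self.max_body_size = max_body_size
        self.received = 0
        self.body = bytearray()
        self._buf = bytearray()
        self.done = False

    def feed(self, data: bytes) -> None:
        self._buf += data
        while not self.done:
            nl = self._buf.find(b"\r\n")
            if nl < 0:
                return                                   # need more of the size line
            m = _CHUNK_SIZE_RE.match(bytes(self._buf[:nl]))
            if m is None:
                raise ValueError("invalid chunk size line: %r" % bytes(self._buf[:nl]))
            size = int(m.group(1), 16)
            if size == 0:
                self.done = True                         # last-chunk; trailers not handled here
                return
            if self.received + size > self.max_body_size:
                raise RequestTooLarge("chunked body exceeds %d bytes" % self.max_body_size)
            end = nl + 2 + size
            if len(self._buf) < end + 2:
                return                                   # chunk data not fully arrived yet
            if self._buf[end:end + 2] != b"\r\n":
                raise ValueError("missing CRLF after chunk data")
            self.body += self._buf[nl + 2:end]
            self.received += size
            del self._buf[:end + 2]


def decode_chunked(data: bytes, max_body_size: int, piece: int = 0) -> bytes:
    """Decode a whole chunked body, optionally feeding it in `piece`-byte slices
    to exercise the incremental path.  Raises RequestTooLarge over the limit."""
    dec = ChunkedDecoder(max_body_size)
    if piece <= 0:
        dec.feed(data)
    else:
        for i in range(0, len(data), piece):
            dec.feed(data[i:i + piece])
    if not dec.done:
        raise ValueError("truncated chunked body")
    return bytes(dec.body)


def check_body(data: bytes, max_body_size: int) -> str:
    """Classify a chunked body the way a server would answer: 'ok', '413' or '400'."""
    try:
        decode_chunked(data, max_body_size)
    except RequestTooLarge:
        return "413"
    except ValueError:
        return "400"
    return "ok"


# Constructed sample request body for the example (not captured traffic).
SAMPLE_BODY = b"4\r\nWiki\r\n5;ext=1\r\npedia\r\n0\r\n\r\n"

if __name__ == "__main__":
    print(decode_chunked(SAMPLE_BODY, 100))
    print(check_body(SAMPLE_BODY, 8))
```

The size check happens on the declared chunk length, before the data is read, so a client cannot make the server buffer a huge chunk by omitting Content-Length; the decoder also refuses signed or non-hex sizes, which `int(x, 16)` alone would accept.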

Re: nginx 1.18.0 implicitly enables TLS 1.3 (with only "ssl_protocols TLSv1.2; " in nginx.conf config)

2020-12-01 Thread Sergey Kandaurov
0 > > VERSION-rtmp= 1.2.1 > @@ -122,6 +122,8 @@ SUBST_VARS= NGINX_DIR > .for i in ${MODULE_PACKAGES} > PREFIX$i= ${NGINX_DIR}/modules > .endfor > + > +CFLAGS+= -DTLS1_3_VERSION=0x0304 > That is a culprit. It hijacks an established API expected in ng
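Review bot: appending `-DTLS1_3_VERSION=0x0304` to CFLAGS in the port Makefile defines, from outside the SSL library's headers, the macro nginx uses to tell whether the linked library supports TLS 1.3, so nginx's TLS 1.3 code paths are compiled in regardless of what the library actually provides and, as the subject line reports, `ssl_protocols TLSv1.2;` no longer keeps TLS 1.3 off; the define should be dropped from the port rather than worked around in nginx.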

Re: how nginx handle websocket proxying

2020-11-26 Thread Sergey Kandaurov
so http://nginx.org/en/docs/http/websocket.html -- Sergey Kandaurov

Re: Build Issue on Ubuntu and Linux following instructions on blog post https://www.nginx.com/blog/video-streaming-for-remote-learning-with-nginx/

2020-11-24 Thread Sergey Kandaurov
x_rtmp_eval, so that I can contact them to fix the source > code? > nginx-rtmp-module is a third-party nginx module. You may want to report a build issue to the module author(s). This is a new error reported in recent gcc versions, that's why it may not trigg

Re: nginx-quic http3 reverse proxy problem

2020-11-18 Thread Sergey Kandaurov
g log: http://nginx.org/en/docs/debugging_log.html -- Sergey Kandaurov

Re: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:SSL alert

2020-11-05 Thread Sergey Kandaurov
ng by curl > command properly. I also tried to enable the proxy_ssl_server_name, but > didn't help. I'd check what's actually sent in SNI (upstream SSL server name). You may want to explore debug messages for further insights. http://nginx.org/en/docs/debugging_log.html -- Sergey Kandaurov

Re: HTTP3 php-fpm fastcgi_pass 500 problems

2020-10-12 Thread Sergey Kandaurov
using kqueue but not so with epoll. Please try this patch. # HG changeset patch # User Sergey Kandaurov # Date 1602503831 -3600 # Mon Oct 12 12:57:11 2020 +0100 # Branch quic # Node ID d791f11d1625d6f99d0d0c3272fd4c98d4816f21 # Parent d14e15c33548a4432b682b9bbb4b6ba8df82c0b3 QU

Re: HTTP3 php-fpm fastcgi_pass 500 problems

2020-10-10 Thread Sergey Kandaurov
relevant configuration details. How to obtain debug log: http://nginx.org/en/docs/debugging_log.html -- Sergey Kandaurov

Re: HTTP/3 getsockname Bad file descriptor

2020-10-07 Thread Sergey Kandaurov
> On 7 Oct 2020, at 10:33, Sergey Kandaurov wrote: > >> >> On 7 Oct 2020, at 06:02, Ryan Gould wrote: >> >> hello all you amazing developers, >> >> i found some old 2013 references to this error relating to SPDY, but have >> not seen any

Re: HTTP/3 getsockname Bad file descriptor

2020-10-07 Thread Sergey Kandaurov
nt clients such as ngtcp2 or kwik. It should also be explicitly enabled on server with "ssl_early_data on". -- Sergey Kandaurov

Re: SSL routines:tls_process_client_hello:version too low

2020-09-29 Thread Sergey Kandaurov
if it is something from Microsoft, then I heard that it still prefers to use TLSv1. Then you might want to look at this thread as somewhat related: http://mailman.nginx.org/pipermail/nginx/2018-November/057154.html -- Sergey Kandaurov

Re: [PATCH] HTTP/2: check stream identifier other than 0 for GOAWAY frame

2020-08-31 Thread Sergey Kandaurov
> On 26 Aug 2020, at 11:57, Xu Yang wrote: > > Hi all, >This is a patch for HTTP/2 GOAWAY frame process, please refer to the > detail. > thanks. Please see a more complete patch below. # HG changeset patch # User Sergey Kandaurov # Date 1598889483 -10800 # Mon Au
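The check this thread's subject names (a GOAWAY frame must carry stream identifier 0), as an added Python example that is neither the patch from the thread nor nginx code: it decodes the HTTP/2 frame header and GOAWAY payload and raises the connection error RFC 7540 prescribes when the stream identifier is non-zero or the payload is shorter than its fixed fields. The frames it parses are built by the example itself; `build_goaway()` takes a `stream_id` argument only so the invalid input can be constructed.

```python
import struct
from dataclasses import dataclass

# HTTP/2 constants from RFC 7540 (frame type and error codes used below).
FRAME_GOAWAY = 0x7
NO_ERROR = 0x0
PROTOCOL_ERROR = 0x1
FRAME_SIZE_ERROR = 0x6


class H2ConnectionError(Exception):
    """Connection error: send GOAWAY with `code` and close the connection."""

    def __init__(self, code: int, msg: str):
        super().__init__(msg)
        self.code = code


@dataclass
class GoAway:
    last_stream_id: int
    error_code: int
    debug_data: bytes


def parse_frame_header(buf: bytes):
    """Split the 9-octet frame header: 24-bit length, type, flags, 31-bit stream id."""
    if len(buf) < 9:
        raise ValueError("short frame header")
    length = int.from_bytes(buf[0:3], "big")
    ftype = buf[3]
    flags = buf[4]
    stream_id = int.from_bytes(buf[5:9], "big") & 0x7FFFFFFF   # drop the reserved bit
    return length, ftype, flags, stream_id


def parse_goaway(frame: bytes) -> GoAway:
    """Validate and decode a GOAWAY frame.

    RFC 7540 section 6.8: GOAWAY applies to the whole connection, so a frame
    with a stream identifier other than 0 is a connection error of type
    PROTOCOL_ERROR, and a payload shorter than the fixed 8 octets is a
    FRAME_SIZE_ERROR.  The stream-id check is the one this thread adds.
    """
    length, ftype, _flags, stream_id = parse_frame_header(frame)
    if ftype != FRAME_GOAWAY:
        raise ValueError("frame type 0x%x is not GOAWAY" % ftype)
    if stream_id != 0:
        raise H2ConnectionError(PROTOCOL_ERROR,
                                "GOAWAY frame with stream id %d" % stream_id)
    payload = frame[9:9 + length]
    if len(payload) != length:
        raise ValueError("truncated frame payload")
    if length < 8:
        raise H2ConnectionError(FRAME_SIZE_ERROR,
                                "GOAWAY payload of %d octets" % length)
    last_stream_id = int.from_bytes(payload[0:4], "big") & 0x7FFFFFFF
    error_code = int.from_bytes(payload[4:8], "big")
    return GoAway(last_stream_id, error_code, bytes(payload[8:]))


def build_goaway(last_stream_id: int, error_code: int,
                 debug_data: bytes = b"", stream_id: int = 0) -> bytes:
    """Serialize a GOAWAY frame; `stream_id` exists only to construct the
    invalid input a conforming peer would never send."""
    payload = struct.pack(">II", last_stream_id & 0x7FFFFFFF, error_code) + debug_data
    header = (len(payload).to_bytes(3, "big")
              + bytes([FRAME_GOAWAY, 0])
              + (stream_id & 0x7FFFFFFF).to_bytes(4, "big"))
    return header + payload


def classify_goaway(frame: bytes) -> str:
    """'ok', or the name of the connection error a receiver must raise."""
    try:
        parse_goaway(frame)
    except H2ConnectionError as e:
        return {PROTOCOL_ERROR: "PROTOCOL_ERROR",
                FRAME_SIZE_ERROR: "FRAME_SIZE_ERROR"}.get(e.code, "0x%x" % e.code)
    return "ok"


if __name__ == "__main__":
    good = build_goaway(last_stream_id=7, error_code=NO_ERROR, debug_data=b"bye")
    bad = build_goaway(last_stream_id=7, error_code=NO_ERROR, stream_id=1)
    print(parse_goaway(good))
    print(classify_goaway(bad))
```

The order of the checks matters: the stream identifier is validated from the header before the payload is touched, so a malformed frame is rejected without trusting its length field.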

Re: SSL_shutdown() failed (SSL: ... bad write retry)

2020-08-24 Thread Sergey Kandaurov
> On 22 Aug 2020, at 01:30, Maxim Dounin wrote: > > Hello! > > On Thu, Aug 20, 2020 at 11:47:08PM +0300, Sergey Kandaurov wrote: > >> >>> On 20 Aug 2020, at 22:16, Maxim Dounin wrote: >>> >>> Hello! >>> >>> On Thu, A

Re: SSL_shutdown() failed (SSL: ... bad write retry)

2020-08-20 Thread Sergey Kandaurov
:00 [debug] 1374#0: kevent timer: 3000, changes: 1
2020/08/20 23:32:02 [debug] 1374#0: kevent events: 1
2020/08/20 23:32:02 [debug] 1374#0: kevent: 7: ft:-2 fl:0025 ff: d:49039 ud:62F0E538
2020/08/20 23:32:02 [debug] 1374#0: *1 SSL shutdown handler
2020/08/20 23:32:02 [debug] 1374#0: *1 SSL_shutdown: -1
2020/08/20 23:32:02 [debug] 1374#0: *1 SSL_get_error: 1
2020/08/20 23:32:02 [crit] 1374#0: *1 SSL_shutdown() failed (SSL: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry) while processing HTTP/2 connection, client: 127.0.0.1, server: 127.0.0.1:8080
-- Sergey Kandaurov

Re: Issue with NGINX as reverse proxy for grpc service

2020-08-07 Thread Sergey Kandaurov
"grpcs://Z.Z.Z.Z:PORT", host: "fqdn1:PORT" "error 2" means that backend responded with RST_STREAM(INTERNAL_ERROR), that is, effectively rejected processing the request. You may want to consult the backend error log to find out the reason. -- Sergey Kandaurov

Re: proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

2020-06-02 Thread Sergey Kandaurov
LS, and if a server_name extension is sent, then the extension SHOULD contain the same name that was negotiated in the application protocol. If the server_name is established in the TLS session handshake, the client SHOULD NOT attempt to request a different server nam

Re: nginx 0.7.65 and TLS1.2

2020-05-15 Thread Sergey Kandaurov
tes $ ./objs/nginx -V nginx version: nginx/0.7.65 TLS SNI support enabled -- Sergey Kandaurov

Re: openssl 1.1.1d SSL_read() failed in error log

2020-03-23 Thread Sergey Kandaurov
/2 connection > [crit] ... SSL_read() failed (SSL: error:14191044:SSL > routines:tls1_enc:internal error) while processing HTTP/2 connection There was a TLS record decryption error for some reason. Not many details. -- Sergey Kandaurov

Re: openssl 1.1.1e 14095126:SSL routines:ssl3_read_n

2020-03-23 Thread Sergey Kandaurov
? I'd replicate this check in ngx_ssl_handshake(). And probably for SSL_read_early_data, SSL_shutdown, SSL_peek, (ok, we don't use SSL_peek), but this is a moot point. -- Sergey Kandaurov

Re: openssl 1.1.1e 14095126:SSL routines:ssl3_read_n

2020-03-20 Thread Sergey Kandaurov
T, c->log, 0, "peer shutdown SSL cleanly"); return NGX_DONE; -- Sergey Kandaurov

Re: client sent header field with too long length value while processing HTTP/2 connection

2020-01-24 Thread Sergey Kandaurov
ebugging purpose (you might want to decrypt it first). -- Sergey Kandaurov

Re: ngx_http_discard_request_body may make keepalive connection hang in CLOSE_WAIT

2020-01-10 Thread Sergey Kandaurov
ile client already closed and server stay in CLOSE_WAIT. Hello. This is a known issue. It would be nice if you could try and report back if this patch helped you. # HG changeset patch # User Sergey Kandaurov # Date 1534236841 -10800 # Tue Aug 14 11:54:01 2018 +0300 # Node ID b71df78c7dd

Re: IPv6 to IPv4

2019-12-16 Thread Sergey Kandaurov
ficate_key /etc/letsencrypt/live/domain.net/privkey.pem; # > managed by Certbot > > > And on the off chance you need it, heres proxy.conf > > client_max_body_size 10m; > client_body_buffer_size 128k; > proxy_bind $server_addr; Try removing this directive, that's lik

Re: SSL handshake attack mitigation

2019-11-07 Thread Sergey Kandaurov
e off by > default, so why does nginx care about that certificate? That's the opposite: nginx received a certificate_unknown alert message from a client for some reason while in handshake. -- Sergey Kandaurov

Re: Don't log 404 error

2019-10-29 Thread Sergey Kandaurov
> error_log /var/log/nginx/website-error.log; > > Because I use 404 for doing url rewriting and so they are not errors... > > error_page 404 = /url_rewriting.php; > http://nginx.org/r/log_not_found -- Sergey Kandaurov

Re: max_ranges has no effect

2019-10-14 Thread Sergey Kandaurov
with the response. Instead, you may want to disable range processing on backend, by removing the Range request header while proxying requests: proxy_set_header Range ""; -- Sergey Kandaurov

Re: Nginx agent grpc error  

2019-08-22 Thread Sergey Kandaurov
> On 22 Aug 2019, at 15:05, aiaa5505 wrote: > > [error] 8#8: *256283 upstream rejected request with error 0 while reading > response header from upstream, HTTP/2.0 > It is not something nginx gRPC proxy currently supports. See https://trac.nginx.org/nginx/ticket/1792 for details and proposed

Re: Max_fails for proxy_pass without an upstream block

2019-05-24 Thread Sergey Kandaurov
> On 3 May 2019, at 02:12, jarstewa wrote: > > Is there an equivalent of max_fails > (http://nginx.org/en/docs/http/ngx_http_upstream_module.html#max_fails) if > I'm using proxy_pass without an upstream block? > Not that I'm awa

Re: custom 502 error for stacked proxies

2019-05-03 Thread Sergey Kandaurov
h > case it gives a standard nginx 502 error page rather than a custom page. Hello, you may want to try recursive error pages in location / {} with error_page 502 in @server_b. See for details: http://nginx.org/r/recursive_error_pages -- Sergey Kandaurov

Re: gRPC reverse proxy closed tcp connection after 1000 rpc calls

2019-03-06 Thread Sergey Kandaurov
after 1000 requests been processed, > nginx will close the tcp connection, because I can find `TIME_WAIT` on the > nginx side. > - then gRPC client will report tens of thousands of `TransientFailure` at > same time > See http://ng

Re: grpc keepalive does not effect, nginx will close connection by the minute

2019-01-24 Thread Sergey Kandaurov
ug] 36109#0: *10 http finalize request: 408, "/utoProto.idProduce.IdProduce/getUniqueIds?" a:1, c:1

the request is finalized with "408 Request Time-out"

> 2019/01/24 10:50:53 [debug] 36109#0: *10 http terminate request count:1
> 2019/01/24 10:50:53 [debug] 36109#0: *10 http terminate cleanup count:1 blk:0
> 2019/01/24 10:50:53 [debug] 36109#0: *10 http posted request: "/utoProto.idProduce.IdProduce/getUniqueIds?"
> 2019/01/24 10:50:53 [debug] 36109#0: *10 http terminate handler count:1
> 2019/01/24 10:50:53 [debug] 36109#0: *10 http request count:1 blk:0
> 2019/01/24 10:50:53 [debug] 36109#0: *10 http2 close stream 1, queued 0, processing 1, pushing 0
> 2019/01/24 10:50:53 [debug] 36109#0: *10 http2 send RST_STREAM frame sid:1, status:1
> 2019/01/24 10:50:53 [debug] 36109#0: *10 http close request
> 2019/01/24 10:50:53 [debug] 36109#0: *10 http log handler
> 2019/01/24 10:50:53 [debug] 36109#0: *10 free: 7FBA2E802400
> 2019/01/24 10:50:53 [debug] 36109#0: *10 free: 7FBA2D837800
> 2019/01/24 10:50:53 [debug] 36109#0: *10 free: 7FBA2E02EA00, unused: 0
> 2019/01/24 10:50:53 [debug] 36109#0: *10 free: 7FBA2E800400, unused: 0
> 2019/01/24 10:50:53 [debug] 36109#0: *10 free: 7FBA2E00A600, unused: 2778
> 2019/01/24 10:50:53 [debug] 36109#0: *10 free: 7FBA2E02E600, unused: 711
> 2019/01/24 10:50:53 [debug] 36109#0: *10 post event 7FBA2F01A938
> 2019/01/24 10:50:53 [debug] 36109#0: posted event 7FBA2F01A938
> 2019/01/24 10:50:53 [debug] 36109#0: *10 delete posted event 7FBA2F01A938
> 2019/01/24 10:50:53 [debug] 36109#0: *10 http2 handle connection handler
> 2019/01/24 10:50:53 [debug] 36109#0: *10 http2 frame out: 7FBA2F003268 sid:0 bl:0 len:4
> 2019/01/24 10:50:53 [debug] 36109#0: *10 writev: 13 of 13
> 2019/01/24 10:50:53 [debug] 36109#0: *10 http2 frame sent: 7FBA2F003268 sid:0 bl:0 len:4
> 2019/01/24 10:50:53 [debug] 36109#0: *10 free: 7FBA2F003000, unused: 2760
> 2019/01/24 10:50:53 [debug] 36109#0: *10 reusable connection: 1
> 2019/01/24 10:50:53 [debug] 36109#0: *10 event timer add: 3: 18:267073812
> 2019/01/24 10:50:53 [debug] 36109#0: worker cycle
> 2019/01/24 10:50:53 [debug] 36109#0: kevent timer: 18, changes: 0

-- Sergey Kandaurov

Re: grpc keepalive does not effect, nginx will close connection by the minute

2019-01-23 Thread Sergey Kandaurov
> On 23 Jan 2019, at 05:37, Roar wrote: > > Thanks Sergey Kandaurov. > The second problem is that I set grpc_read_timeout and grpc_send_timeout but > it seems does not take effect. I tested many times and found that if the > read_timeout less than default 60s, then it wo

Re: grpc keepalive does not effect, nginx will close connection by the minute

2019-01-22 Thread Sergey Kandaurov
dule, that is, specified in the upstream{} block. See for details: http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive_timeout -- Sergey Kandaurov

Re: NGINX TLS Behavior

2018-12-26 Thread Sergey Kandaurov
ngx_http_ssl_module); -if (ngx_ssl_create_connection(&sscf->ssl, c, NGX_SSL_BUFFER) +if (ngx_ssl_create_connection(&sscf->ssl, c, 0) != NGX_OK) { ngx_http_close_connection(c); -- Sergey Kandaurov
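Review bot: replacing `NGX_SSL_BUFFER` with `0` in the ngx_ssl_create_connection() call turns off nginx's SSL output buffering for every connection created on this path, so each small write becomes its own TLS record for all responses, not only the header-only case asked about; that is fine as a one-off experiment to confirm the record boundary but should not be applied as-is, and the configurable way to get headers out in their own record is the postpone_output directive mentioned elsewhere in this thread.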

Re: NGINX TLS Behavior

2018-12-26 Thread Sergey Kandaurov
re a way (i mean a configurable way) to tell NGINX to write just the > headers, so that header goes out in a single TLS record? Yes, there's a way to send headers separately. See http://nginx.org/r/postpone_output for details. -- Sergey Kandaurov

Re: Does the variable "$request_time" include ssl handshake time?

2018-12-21 Thread Sergey Kandaurov
includes the ssl handshake > time? No. > If not, is there any method to get the duration of ssl handshake in Nginx? I'm not aware of any. -- Sergey Kandaurov

Re: Reverse proxy with dynamic destination

2018-11-26 Thread Sergey Kandaurov
> On 26 Nov 2018, at 01:20, hmac wrote: > > Ohh forgot to add. It does actually load, it just takes around 60 secs what > normally takes 4 seconds > And what if you try to re-run with "worker_processes 1;" ? -- Sergey Kandaurov

Re: Nginx compile with OpenSSL 1.1.1 and DESTDIR=

2018-09-19 Thread Sergey Kandaurov
1.0, it is used there as install prefix. ==> This > may be an after effect of this As previously noted. You can also find this note in CHANGES: *) The INSTALL_PREFIX Makefile variable has been renamed to DESTDIR. That makes for less confusion on what this variable is for. Also,

Re: Nginx compile with OpenSSL 1.1.1 and DESTDIR=

2018-09-18 Thread Sergey Kandaurov
.1/.openssl/ > > The make DESTDIR=/opt/test install works fine in nginx 1.13.x with OpenSSL > 1.0.2p > I am not sure the change is caused by nginx 1.15.3 or openssl-1.1.1 to be > honest What effect do you expect from DESTDIR? Starting from OpenSSL 1.1.0, it is used there as instal

Re: nginx error (connect() failed, 61 "Connection refused", but everything works)

2018-08-15 Thread Sergey Kandaurov
lhost", all of them will be used in a round-robin fashion. See for details: http://nginx.org/r/proxy_pass -- Sergey Kandaurov

Re: SSL errors, verbosity level

2018-07-10 Thread Sergey Kandaurov
ybe OpenSSL source has to be > edited? This may be caused by TLSv1.3 version draft mismatch as found in CH supported_versions. You may want to update OpenSSL. -- Sergey Kandaurov

Re: 400 bad request with ssl_verify_client optional

2018-06-28 Thread Sergey Kandaurov
eading client request headers, > > Is there any way to ignore the time check? No way, but you may want to try “optional_no_ca” if it’s also not trusted. -- Sergey Kandaurov

Re: How to log the number of bytes sent over a websocket?

2018-06-25 Thread Sergey Kandaurov
og_format`, the entry in the > access_log is always 0. As far as I can tell, a lot of data went through the > websocket, so clearly `$body_bytes_sent` does not include data sent over a > websocket. > > [..] Make sure to run a recent enough version of nginx, at

Re: Nginx Proxy/FastCGI Caching X-Accel-Expires 0 or Off ?

2018-05-11 Thread Sergey Kandaurov
ot always contain up-to-date and correct information. See reference documentation: http://nginx.org/r/proxy_cache_valid

--
Sergey Kandaurov

Re: Request help on a "SSL_read() failed (SSL: error:14094438:)" error

2017-10-19 Thread Sergey Kandaurov
l error:SSL alert number 80) while reading response header from
> upstream”

You received an “internal_error” TLS alert from the peer. You may want to check error logs on upstream side.

--
Sergey Kandaurov

Re: Secure connection failed on Firefox

2017-10-06 Thread Sergey Kandaurov
ted 5a3ab1b5804b, 46ddff109e72, and 924b6ef942bf and they have the
> same problem.
>
> Configuration is pretty much default with HTTPS and HTTP/2 server blocks.

Please check if reverting 12cadc4669a7 helps.

--
Sergey Kandaurov

Re: variable map for fastcgi_pass

2017-09-25 Thread Sergey Kandaurov
solver

OTOH, if that name is used within fastcgi_pass literally, it would be resolved at startup by system resolver instead.

--
Sergey Kandaurov

Re: error logs

2017-09-19 Thread Sergey Kandaurov
eived early) while SSL
> handshaking, client: 10.210.128.122, server: 0.0.0.0:443
>

--
Sergey Kandaurov

Re: ssl_preread_server_name not extracted

2017-09-12 Thread Sergey Kandaurov
ample.com {
:    server 10.0.0.76:9000;
:}
:server {
:    listen 443;
:
:    proxy_pass $ssl_preread_server_name;
:}

OTOH, you may still want map{} to provide a default value, if client didn’t send SNI, or something, e.g.:

:map $ssl_preread_server_name $name {
:

Re: Nginx upstream server certificate verification

2017-04-10 Thread Sergey Kandaurov
irst;
    ~\Q192.0.2.2:8000\E$ second;
}

proxy_ssl_name $name;

Note well that $upstream_addr may contain multiple addresses, use it with a special care. See for details: http://nginx.org/r/$upstream_addr

--
Sergey Kandaurov

Re: Nginx upstream server certificate verification

2017-03-30 Thread Sergey Kandaurov
force Nginx to verify the upstream ssl
> certificate against the server hostnames provided in the upstream server
> block, instead of the pattern present in the proxy_pass directive?

Use the proxy_ssl_name directive to override. See for more details: http://nginx.org/r/proxy_ssl_name

--
Sergey Kandaurov

Re: ssl_trusted_certificate usage with parallel ECDSA / RSA certificates ?

2016-08-11 Thread Sergey Kandaurov
arallel’ SSL mode, what’s the correct usage for
> ‘ssl_trusted_certificate'?
>

The directive specifies a file with trusted CA certificates. See for details: http://nginx.org/r/ssl_trusted_certificate.

--
Sergey Kandaurov

Re: nginx-1.9.8

2015-12-12 Thread Sergey Kandaurov
On 12.12.2015 18:05, chi...@gmail.com wrote:
> An exciting feature for ngx_http_slice_module. I tested it, but there are too many upstream connections; could I limit the count of connections?

You could cache upstream connections. See for details: http://nginx.org/r/keepalive

Re: NGINX HPACK decode failure

2015-10-19 Thread Sergey Kandaurov
x_http_v2_prefix(3); +prefix = ngx_http_v2_prefix(4); } value = ngx_http_v2_parse_int(h2c, &pos, end, prefix);

--
Sergey Kandaurov
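Review bot: the change from a 3-bit to a 4-bit prefix before the ngx_http_v2_parse_int() call is consistent with RFC 7541, which uses a 4-bit integer prefix for the literal-without-indexing and literal-never-indexed representations and defines no 3-bit prefix at all; with a 3-bit width the fourth prefix bit is masked off, so index values of 7 and above are misparsed, which matches the reported decode failure. A regression test feeding a literal header whose name index is 7 or more would pin this, and the neighbouring branches (not in the excerpt) are worth checking for the same slip.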

Re: Problems with HTTP/2

2015-09-29 Thread Sergey Kandaurov
cgi parser: 0
> http fastcgi header: ":: "

So, the header field name output as generated with php (and previously guessed by Valentin) is invalid as per 7230, which is in turn referenced in 7540.

: field-name = token
: token = 1*tchar
: tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
:         "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA

Not much to discuss.

--
Sergey Kandaurov

Re: $upstream_cache_status is EXPIRED?

2015-09-24 Thread Sergey Kandaurov
origin fetches were actually done.

Depending on fastcgi_cache_revalidate setting, EXPIRED is either simply due to an outdated cached response, or a failed revalidation. Either way, a full response is served from an upstream (origin) server.

--
Sergey Kandaurov
