Nginx + Lua Anti-DDoS Script Authentication page like Cloudflare Bitmitigate sucuri etc

2019-08-22 Thread c0nw0nk
authentication puzzle for those who have seen Cloudflare's I am under attack mode! you know what this will do :) You no longer need the third party services like cloudflare you can now protect your own Nginx servers with it. https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS I was inspired by Cloudflare

Nginx access log query string params per line.

2019-01-31 Thread c0nw0nk
So with the following. logformat qs "$remote_addr $args"; server { server_name NAME; access_log /path/to/log qs; location / { root /path/to/root; } } If i go to url /index.php?query1=param1=param2 The access.log file shows

Nginx Lua Caching and removing unwanted Arguments for higher HIT ratio issue

2018-07-11 Thread c0nw0nk
So my issue is mostly directed towards Yichun Zhang (agentzh) if he is still active here. I hope so. My problem is I am trying to increase my Cache HIT ratio by removing arguments from the URL that are fake / unwanted and order the arguments in an alphabetical (same order every time) for a higher

Re: nginx on Windows

2018-07-10 Thread c0nw0nk
itpp2012 Wrote: --- > Have a look here http://nginx-win.ecsds.eu/ Best Nginx for windows builds around :) love itpp2012's work. He also fixed the concurrent connection limitations and continuously adds modules like Lua for Nginx into his builds

Re: Nginx Cache | @ prefix example

2018-05-16 Thread c0nw0nk
ay something corresponding to "Thu Jan 1 00:00:00 UTC 1970". Should it look like yours or Nginx will read and understand it in the format PHP is outputting it as ? Francis Daly Wrote: --- > On Sat, May 12, 2018 at 12:05:51AM -040

Re: Debugging Nginx Cache Misses: Hitting high number of MISS despite high proxy valid

2018-05-13 Thread c0nw0nk
You know you can DoS sites with Cache MISS via switching up URL params and arguments. Examples : HIT : index.php?var1=one=two MISS : index.php?var2=two=one MISS : index.php?random=1 index.php?random=2 index.php?random=3 etc etc Inserting random arguments to URLs will cause cache misses and

Nginx Cache | @ prefix example

2018-05-11 Thread c0nw0nk
So it says this on the docs : http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_valid The “X-Accel-Expires” header field sets caching time of a response in seconds. The zero value disables caching for a response. If the value starts with the @ prefix, it sets an absolute time

Re: Nginx Proxy/FastCGI Caching X-Accel-Expires 0 or Off ?

2018-05-11 Thread c0nw0nk
Sergey Kandaurov Wrote: --- > > On 11 May 2018, at 04:30, c0nw0nk <nginx-fo...@forum.nginx.org> > wrote: > > > > So in order for my web application to tell Nginx not to cache a page > what > > header respo

Nginx Proxy/FastCGI Caching X-Accel-Expires 0 or Off ?

2018-05-10 Thread c0nw0nk
So in order for my web application to tell Nginx not to cache a page what header response should I be sending ? X-Accel-Expires: 0 X-Accel-Expires: Off I read here it should be "OFF" https://www.nginx.com/resources/wiki/start/topics/examples/x-accel/#x-accel-expires But it does not mention if

Nginx fastcgi_cache_background_update Issue/Question

2018-04-26 Thread c0nw0nk
http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_cache_background_update How can I switch between an On and a Off version of this function within a Nginx server { set $var 1; if ($var) { fastcgi_cache_background_update On; } Is there a way to do this even with Nginx + Lua

Re: FASTCGI_CACHE | How many keys (cached files) can a 100m zone store

2018-04-24 Thread c0nw0nk
Maxim Dounin Wrote: --- > Hello! > > On Tue, Apr 24, 2018 at 01:06:48PM -0400, c0nw0nk wrote: > > > As it says on the Nginx docs for limit_req > > > > One megabyte zone can keep about 16 thousand 64-byte states

FASTCGI_CACHE | How many keys (cached files) can a 100m zone store

2018-04-24 Thread c0nw0nk
As it says on the Nginx docs for limit_req One megabyte zone can keep about 16 thousand 64-byte states or about 8 thousand 128-byte states. What can a 100m zone for the fastcgi_cache store ? depending on the length of the fastcgi_cache_key and how many variables that contains i am sure could

Re: Nginx not respecting locations execution ordering

2018-04-18 Thread c0nw0nk
Igor Sysoev Wrote: --- > > On 18 Apr 2018, at 01:35, c0nw0nk <nginx-fo...@forum.nginx.org> > wrote: > > > > Thank you for the help :) > > > > A new dilemma has occurred from this. > > > > I

Re: RE: Nginx not respecting locations execution ordering

2018-04-17 Thread c0nw0nk
Thank you for the help :) A new dilemma has occurred from this. I add a location like so. location ^~/media/files/ { add_header X-Location-Order First; } location ~ \.mp4$ { add_header X-Location-MP4 Served-from-MP4-location; } location ~*

Nginx not respecting locations execution ordering

2018-04-17 Thread c0nw0nk
So I have a location setup like this. location /media/files/ { add_header X-Location-Order First; } location ~* \.(ico|png|jpg|jpeg|gif|flv|mp4|avi|m4v|mov|divx|webm|ogg|mp3|mpeg|mpg|swf|css|js)$ { add_header X-Location-Order Second; } When I access URL :

Nginx optimal speed in limit_rate for video streams

2017-11-16 Thread c0nw0nk
So when dealing with mp4 etc video streams what is the best speed to send / transfer files to people that does not cause delays in latency / lagging on the video due etc. My current : location /video/ { mp4; limit_rate_after 1m; limit_rate 1m; } On other sites when i download /

Nginx Listen directive with reuseport; SO_REUSEPORT

2017-10-23 Thread c0nw0nk
So on each server you can add to your listen directive. listen 8181 default bind reuseport; Cloudflare use it and posted in on their blog and github here (benchmark stats included) GitHub : https://github.com/cloudflare/cloudflare-blog/tree/master/2017-10-accept-balancing Cloudflare Blog :

Re: disable request body buffering for file upload

2017-08-28 Thread c0nw0nk
garyc Wrote: --- > Please ignore the last message, having learned a bit more about > probing the file system we can now see that it is PHP that is caching > the file to the system default location (hence rootfs) a small change > to the PHP

Re: Content Spoofing vulnerability

2017-08-11 Thread c0nw0nk
blason Wrote: --- > Hi Guys, > > We have multiple webservers behind Nginx Reverse Proxy and at one of > the server we have discovered Content spoofing, the vulnerability is > patched on Apache but also needs to be patched on Nginx server. > >

Re: Get rid of args from $request_uri

2017-08-08 Thread c0nw0nk
why don't you use $uri $is_args $args This will build the URL like. index.php ? arguement=value=morevalue $request_uri will always output the full URL. Not individual segments of it. If you want the first part of the url only just use $uri on its own.

Re: Secure Link Md5 Implementation

2017-07-27 Thread c0nw0nk
Like i said before c0nw0nk Wrote: --- > Update your web application for example (PHP) first then how ever many > hours later when all caches for your web application have cleared > restart your Nginx so it only accepts secure links.

A Nginx Upstream DDoS Blackhole how does it work ?

2017-07-26 Thread c0nw0nk
So I was looking at an upstream that has been flooded from multiple locations and read that you can create what is called a blackhole within the upstream what helps with the DDoS scenario. Here Is My upstream config : upstream web_rack { server 127.0.0.1:9000 weight=1 fail_timeout=4; server

Re: Secure Link Md5 Implementation

2017-07-26 Thread c0nw0nk
Update your web application for example (PHP) first then how ever many hours later when all caches for your web application have cleared restart your Nginx so it only accepts secure links. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275668,275669#msg-275669

Re: Nginx allowed characters inside full URL / URI and ARGS

2017-07-15 Thread c0nw0nk
Yes but characters in args like = & and ? are allowed and it's when they insert more than one occurrence of them nginx accepts them and they bypass any caches that you have. =value | Cache : HIT &&===value | Cache : MISS And when they want to DoS you they will do something like the following.

Nginx allowed characters inside full URL / URI and ARGS

2017-07-14 Thread c0nw0nk
So I have been using Lua to iron out a few dilemmas and problems lately. Does anyone know what characters Nginx accepts inside URL's I am achieving a higher cache HIT ratio by modifying the URL's with Lua but it also helps in preventing unwanted forms of DoS. Here is my code : local function

Re: nginx security advisory (CVE-2017-7529)

2017-07-11 Thread c0nw0nk
Couldn't you use max_ranges 0; To disable byte range support completely. Also won't setting the value of ranges to max_ranges 1; break pseudo streaming in HTML5 video apps etc. ? Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275424,275437#msg-275437

Nginx Auth Module auth_basic and Flooding/DoS/DDoS

2017-07-06 Thread c0nw0nk
Here is my config : http { limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s; limit_conn_zone $binary_remote_addr zone=addr:10m; server { location /secured/ { auth_basic "secured area"; auth_basic_user_file conf/htpasswd; limit_req zone=one burst=5; limit_conn addr 1; } } My

Re: WordPress pingback mitigation

2017-05-20 Thread c0nw0nk
no > apparent reason. Case in point, I had a referral from the al Aqsa > Martyrs Brigade. Terrorists! And numerous porn sites, all > irrelevant. So Naxsi alone isn't sufficient. > > Original Message > From: c0nw0nk > Sent: Saturday, May 20, 2017 3:36 AM > To: nginx@nginx.org

Re: WordPress pingback mitigation

2017-05-20 Thread c0nw0nk
I take it you don't use a WAF of any kind i also think you should add it to a MAP at least instead of using IF. The WAF I use for these same rules is found here. https://github.com/nbs-system/naxsi The rules for wordpress and other content management systems are found here.

Re: Not having resume ability on secure links

2017-05-15 Thread c0nw0nk
Use Nginx built in secure link module the link you provided is being generated and served by PHP. ".com/vfm-admin/vfm-downloader.php?q=" Nginx's secure link module will resume downloads and support pseudo streaming etc but you will find it is PHP that does not. Change your setup and modify your

Re: No referrer header on leacher's site !!

2017-04-06 Thread c0nw0nk
Dmitry S. Polyakov Wrote: --- > On Thu, Apr 6, 2017, 10:50 shahzaib mushtaq > wrote: > > > >>With the controls sites have over the referrer header, it's not > very > > effective as an access control mechanism. You can use

Nginx cookie map regex remove + character

2017-03-24 Thread c0nw0nk
So this is my map map $http_cookie $session_id_value { default ''; "~^.*[0-9a-f]{32}\=(?<session_value>[\w]{1,}+).*$" $session_value; } The cookie name = a MD5 sum the full / complete value of the cookie seems to cut off at a plus + symbol What would the correct regex to be to ignore / remove + symbols from

Re: http/2 for Windows

2017-03-21 Thread c0nw0nk
fixed for us anytime soon ? Igal @ Lucee.org Wrote: --- > Hi, > > On 3/21/2017 7:10 AM, c0nw0nk wrote: > > I have used his builds you can download them for free... > I didn't see a download link at http://nginx-win.ecs

Re: http/2 for Windows

2017-03-21 Thread c0nw0nk
Those are itpp2012's windows builds I believe he is an admin on the mailing list. https://forum.nginx.org/profile.php?11,7488 Under all his posts it says he is an admin. I have used his builds you can download them for free... Just like nginx mainline builds from nginx.org But specific custom

Re: Nginx Map how to check value if empty

2017-03-07 Thread c0nw0nk
ing it goes to the next header for the realip, If the next header is missing it goes to the next until no more potential realip headers exist so we set their IP as their connection $remote_addr. Be nice if the realip module did this but lucky we don't need the realip module this shows and can do so with map's

Re: Nginx Map how to check value if empty

2017-03-07 Thread c0nw0nk
Wrote: --- > On Mon, Mar 06, 2017 at 02:12:40PM -0500, c0nw0nk wrote: > > Hi there, > > good that you've found some more answers. > > There's still some to be worked on, though, I suspect. > > > So to explain how

Re: Nginx Map how to check value if empty

2017-03-06 Thread c0nw0nk
t helps > validating there is no real value, differentiating this case from a > bogus > 'empty' which would be a sign of a bug. > --- > *B. R.* > > On Sun, Mar 5, 2017 at 10:50 PM, c0nw0nk <nginx-fo...@forum.nginx.org> > wrote: > > > Thanks for the info

Re: Nginx Map how to check value if empty

2017-03-05 Thread c0nw0nk
ick > look > at the log line. > > Your 'empty' variables are actually showing the value '-' in this log > line. > It probably does not help debugging to have static '-' mixed in the > format > of your log lines where you put them. > --- > *B. R.* > > On Sun, Mar

Re: Nginx Map how to check value if empty

2017-03-05 Thread c0nw0nk
Francis Daly Wrote: --- > On Fri, Mar 03, 2017 at 10:47:26AM -0500, c0nw0nk wrote: > > Hi there, > > > map $http_cf_connecting_ip $client_ip_from_cf { > > default $http_cf_connecting_ip; > > } > > > &

Re: Nginx Map how to check value if empty

2017-03-04 Thread c0nw0nk
Thanks Francis much appreciated it seems to be working good :) Francis Daly Wrote: --- > On Fri, Mar 03, 2017 at 10:47:26AM -0500, c0nw0nk wrote: > > Hi there, > > > map $http_cf_connecting_ip $client_ip_fro

Nginx Map how to check value if empty

2017-03-03 Thread c0nw0nk
So I have the following Map map $http_cf_connecting_ip $client_ip_from_cf { default $http_cf_connecting_ip; } How can I make it so if the client did not send that $http_ header it makes $client_ip_from_cf variable value = $binary_remote_addr Not sure how to check in a map if that http header is

Re: Hiding PHP's WSOD with Nginx

2017-03-02 Thread c0nw0nk
You should view http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_catch_stderr Might be what you seek for an empty blank page output or specific text that would be a Fatal error etc. CJ Ess Wrote: --- > My employer uses Nginx in

Nginx limit_conn and limit_req for static .js (javascript) .css (stylesheets) images

2017-02-26 Thread c0nw0nk
So in the documentation and from what I see online everyone is limiting requests to prevent flooding on dynamic pages and video streams etc. But when you visit a HTML page the HTML page loads up a lot of various different elements like .css .js .png .ico .jpg files. To prevent those elements

Re: Nginx proxy_pass HTTPS/SSL/HTTP2 keepalive

2017-02-24 Thread c0nw0nk
I think from my understanding the proxy_http_version 1.1; is ignored over https since everything works and that directive does what it states proxy_HTTP_version for unsecured requests only it will be version 1.1 so i don't think it has any negative impact on HTTP2/SSL. Posted at Nginx Forum:

Nginx proxy_pass HTTPS/SSL/HTTP2 keepalive

2017-02-24 Thread c0nw0nk
So the Nginx documentation says this http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive For HTTP, the proxy_http_version directive should be set to “1.1” and the “Connection” header field should be cleared: upstream http_backend { server 127.0.0.1:8080;

Re: AW: Nginx multiple upstream with different protocols

2017-02-23 Thread c0nw0nk
For a server {} that you want to make both universally compatible with both http port 80 and https port 443 ssl requests. This was my solution for my own sites. #inside http block upstream proxy_web_rack { #port 80 unsecured requests server 172.16.0.1:80; } upstream proxy_web_rack_ssl { #port

Re: Naxsi Nginx High performance WAF

2017-01-06 Thread c0nw0nk
mex Wrote: --- > grey rules means they are deactivated > > > i'm gonna write a blog on how we use spike + doxi-rules in our > setup, but it will take some time. That's cool look forward to it also the rules on spike I think need updating with

Re: Naxsi Nginx High performance WAF

2017-01-01 Thread c0nw0nk
mex Wrote: --- > Hi c0nw0nk, > > mex here, inital creator of http://spike.nginx-goodies.com/rules/ > and maintainer of Doxi-Rules > https://bitbucket.org/lazy_dogtown/doxi-rules/overview > (this us where the rules live we

Naxsi Nginx High performance WAF

2016-12-23 Thread c0nw0nk
So I recently got hooked on Naxsi and I am loving it to bits <3 thanks to itpp2012 :) https://github.com/nbs-system/naxsi I found the following Rule sets here. http://spike.nginx-goodies.com/rules/ But I am curious does anyone have Naxsi written rules that would be the same as/on Cloudflare's

Re: nginx.conf

2016-12-15 Thread c0nw0nk
Provide your full config please. Also this error log. [emerg] "if" directive is not allowed here That means you put the code I provided in an invalid area I would assume not between location {} or server {} tags as I said. Posted at Nginx Forum:

Re: nginx.conf

2016-12-15 Thread c0nw0nk
xstation Wrote: --- > entered this in the conf file under http > > SetEnvIfNoCase User-Agent "^Baiduspider" block_bot > Order Allow,Deny > Allow from All > Deny from env=block_bot > > > but on restart got a error message > > Job for

Re: limit_req per subnet?

2016-12-15 Thread c0nw0nk
That is why you cache the request. DoS or in your case DDoS since multiple are involved Caching backend responses and having Nginx serve a cached response even for 1 second that cached response can be valid for it will save your day. Posted at Nginx Forum:

Re: limit_req per subnet?

2016-12-15 Thread c0nw0nk
gariac Wrote: --- > This is an interesting bit of code. However if you are being ddos-ed, > this just eliminates nginx from replying. It isn't like nginx is > isolated from the attack. I would still rather block the IP at the > firewall and

Re: limit_req per subnet?

2016-12-14 Thread c0nw0nk
proxy_cache / fastcgi_cache the pages output will help. Flood all you want Nginx handles flooding and lots of connections fine your back end is your weakness / bottleneck that is allowing them to be successful in affecting your service. You could also use the secure_link module to help on your

Re: limit_req per subnet?

2016-12-13 Thread c0nw0nk
I am curious what is the request uri they was hitting. Was it a dynamic page or file or a static one. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,271483,271494#msg-271494 ___ nginx mailing list nginx@nginx.org

Re: Make nginx treat another extension as mp4

2016-11-08 Thread c0nw0nk
I think you could modify the conf/mime.types video/mp4 mp4 gifv; Posted at Nginx Forum: https://forum.nginx.org/read.php?2,270812,270813#msg-270813

Re: AW: AW: Nginx Kodi User Agent secure_link blocking / banning

2016-11-03 Thread c0nw0nk
Well I do use Nginx with Lua I was planning on writing up a little Lua to replace body_contents outputs and include some JavaScript to append src links. For example in HTML : I would use Lua to obtain the link between the quotation and replace it with "" (Making it empty) and then use Lua to

Re: AW: Nginx Kodi User Agent secure_link blocking / banning

2016-11-02 Thread c0nw0nk
Lukas Tribus Wrote: --- > I have a question: secure_link is correctly blocking those requests so > its not generating any traffic. > > Why does it bother you then, if it is already blocked? > > ___ >

Re: Nginx Kodi User Agent secure_link blocking / banning

2016-11-02 Thread c0nw0nk
I wouldn't mind those using app's like Kodi if they did not just hotlink and steal my links. If my adverts was still there and I am being reimbursed for my work and content and bandwidth they are consuming. Then I wouldn't mind but I bet Kodi is not the only app with plugins doing this. The only

Re: Nginx Kodi User Agent secure_link blocking / banning

2016-11-02 Thread c0nw0nk
Yes I see after looking at the various plugins on GitHub it seems they replace the ampersand string with & when they pull contents from the HTML. They also fake / spoof referrers and can change user-agents etc but they do it properly not like the person who has ended up in my logs. As you said

Re: Nginx Kodi User Agent secure_link blocking / banning

2016-11-02 Thread c0nw0nk
gariac Wrote: --- > Apparently there is a scheme to feed urls to kodi. > > https://m.reddit.com/r/kodi/comments/3lz84g/how_do_you_open_a_youtube > _video_from_the_shell/ > > Block/ban as you see fit. ;-) These people are edge users of Kodi.

Re: Nginx Kodi User Agent secure_link blocking / banning

2016-11-02 Thread c0nw0nk
gariac Wrote: --- > Kodi is the renamed xbmc. I use it myself, but I never "aimed" it at a > website. I just view my own videos or use the kodi plug-ins. You can > install it yourself on a PC and see it is intended to be just a media > player. It

Nginx Kodi User Agent secure_link blocking / banning

2016-11-02 Thread c0nw0nk
So with Nginx my access.logs show a lot of Kodi user agents from what I look up online Kodi is an app that runs on Phones, TV sticks, Mac, PC etc and it is used for watching live TV I reckon it's a pretty abusive app or service since there is a lot going around about IPTV and how illegal it is. The

Re: Nginx Proxy KeepAlive and FastCGI KeepAlive

2016-09-30 Thread c0nw0nk
Thanks :) I thought the more servers I have within my upstream location would mean I should also increase my keepalive to suit for best performance etc. Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269997,270001#msg-270001

Nginx Proxy KeepAlive and FastCGI KeepAlive

2016-09-30 Thread c0nw0nk
FastCGI : upstream fastcgi_backend { server 127.0.0.1:9000; keepalive 8; } server { ... location /fastcgi/ { fastcgi_pass fastcgi_backend; fastcgi_keep_conn on; ... } } Proxy : upstream http_backend { server 127.0.0.1:80; keepalive 16; }

location /robots.txt conflict / issue

2016-09-29 Thread c0nw0nk
So this is one of those issues it is most likely a bad configuration but my robots.txt file is returning a 404 because of another location because I am disallowing people to access any text files but I do want to allow only the robots.txt to be accessed. location /robots.txt { root

Re: 444 return code and rate limiting

2016-09-27 Thread c0nw0nk
What I would say to do is write IP's from your toolkit or what ever you are using for reading your access.log and those that trigger and spam the 503 error within milliseconds or what ever range it is you can do an API call and add those IP's to be blocked at a router level. With CloudFlare you

Re: 444 return code and rate limiting

2016-09-27 Thread c0nw0nk
It is a response by the time the 444 is served it is too late a true DDoS is not about what the server outputs its about what it can receive you can't expect incoming traffic that amounts to 600Gbps to be prevented by a 1Gbps port it does not work like that Nginx is an Application preventing any

Recommended limit_req and limit_conn for location ~ \.php$ {}

2016-09-26 Thread c0nw0nk
So to prevent flooding / spam by bots especially since some bots are just brutal when they crawl by within milliseconds jumping to every single page they can get. I am going to apply limit's to my PHP block limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s; limit_conn_zone

Re: performance hit in using too many if's

2016-09-26 Thread c0nw0nk
Anoop Alias Wrote: --- > Ok .. reiterating my original question. > > Is the usage of if / map in nginx config more efficient than say > naxsi ( > or libmodsecurity ) for something like blocking SQL injection ? > > For example, >

Nginx Serving Large Static Files >=2GB

2016-09-25 Thread c0nw0nk
So I want to find the best optimal settings for serving large static files with Nginx. >=2GB I read that "output_buffers" is the key. Would also like to know if it should be defined per location {} that the static file is served from or across the entire server via http {} and any other settings

Re: (Semi-OT) Clickjacking countermeasure

2016-09-22 Thread c0nw0nk
If you read the OWASP page it will also mention about header stripping etc and proxies that will remove the X-Frames headers there is no real way to stop proxies framing your site but the X-Frame-Options combined with that JavaScript is a good way to start it will stop the majority. Also break

Re: (Semi-OT) Clickjacking countermeasure

2016-09-22 Thread c0nw0nk
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet Inside your tags. body{display:none !important;} if (self === top) { var antiClickjack = document.getElementById("antiClickjack"); antiClickjack.parentNode.removeChild(antiClickjack); } else {

Re: access_log format $remote_user anonymous question

2016-09-21 Thread c0nw0nk
Thanks for the information so based of what that resource says and from what I understand surely that field should only say "anonymous" or "username" if on those files / folders in my Nginx config I use "auth_basic" ? http://nginx.org/en/docs/http/ngx_http_auth_basic_module.html The fact they

access_log format $remote_user anonymous question

2016-09-21 Thread c0nw0nk
So in my access logs all my other logs the $remote_user is empty. But for only this one single IP that keeps making requests the $remote_user has a value. CF-Real-IP: 176.57.129.88 - CF-Server: 10.108.22.151 - anonymous [21/Sep/2016:18:54:52 +0100] "GET

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

2016-09-14 Thread c0nw0nk
I'll test further with it but it definitely did not work with the following using nginx_basic.exe (it was blocking the cloudflare server IP's from connecting) http { #Inside http real_ip_header CF-Connecting-IP; limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m; limit_conn_zone

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

2016-09-13 Thread c0nw0nk
itpp2012 Wrote: --- > c0nw0nk Wrote: > > Yes I can't test it at the moment unfortunately with the realip > module > > due to the fact i use "itpp2012" Nginx builds > > http://nginx-win.ecsds.eu/ They do n

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

2016-09-13 Thread c0nw0nk
itpp2012 Wrote: --- > c0nw0nk Wrote: > > Yes I can't test it at the moment unfortunately with the realip > module > > due to the fact i use "itpp2012" Nginx builds > > http://nginx-win.ecsds.eu/ They do n

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

2016-09-13 Thread c0nw0nk
emory > and why using as little data per client is highly advised in > limit_req_zone > <http://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_re > q_zone> > directive docs as you do not seem to know what you are doing... > --- > *B. R.* > > On Tue, S

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

2016-09-13 Thread c0nw0nk
Reinis Rozitis Wrote: --- > > But that book says it is to reduce the memory footprint ? > > Correct, but that is for that specific varible. > > You can't take $http_cf_connecting_ip which is a HTTP header comming > from > Cloudflare and

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

2016-09-13 Thread c0nw0nk
Reinis Rozitis Wrote: --- > > I just found the following : > > > https://books.google.co.uk/books?id=ZO09CgAAQBAJ=PA96=PA96=$ > binary_ > > > limit_req_zone $binary_http_cf_connecting_ip zone=one:10m > rate=30r/m; > > limit_conn_zone

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

2016-09-13 Thread c0nw0nk
Reinis Rozitis Wrote: --- > > I just found the following : > > > https://books.google.co.uk/books?id=ZO09CgAAQBAJ=PA96=PA96=$ > binary_ > > > limit_req_zone $binary_http_cf_connecting_ip zone=one:10m > rate=30r/m; > > limit_conn_zone

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

2016-09-13 Thread c0nw0nk
I just found the following : https://books.google.co.uk/books?id=ZO09CgAAQBAJ=PA96=PA96=$binary_ To conserve the space occupied by the key we use $binary_remote_addr It evaluates into a binary value of the remote IP address So it seems I should be doing this instead to keep the key in memory for

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

2016-09-13 Thread c0nw0nk
gariac Wrote: --- > I'm assuming at this point if cookies are too much, then logins or > captcha aren't going to happen. > > How about just blocking the offending websites at the firewall? I'm > assuming you see the proxy and not the eyeballs

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

2016-09-13 Thread c0nw0nk
> gariac Wrote: > --- > > What about Roboo? It requires a cookie on the website before the > > download takes place. (My usual warning this is my understanding of > > how it works, but I have no first hand knowledge.) I presume the > hot > >

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

2016-09-13 Thread c0nw0nk
ledge.) I presume the hot > linkers won't have the cookie. > > https://github.com/yuri-gushin/Roboo > > Original Message > From: c0nw0nk > Sent: Tuesday, September 13, 2016 1:09 AM > To: nginx@nginx.org > Reply To: nginx@nginx.org > Subject: Keeping your Nginx limit_* Anti-D

Re: limit-req and greedy UAs

2016-09-12 Thread c0nw0nk
gariac Wrote: --- > This page has all the secret sauce, including how to limit the number > of connections. > > https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-ngin > x-plus/ > > I set up the firewall with a higher number as

Re: add_header Set-Cookie The difference between Max-Age and Expires

2016-09-10 Thread c0nw0nk
0, 2016 at 2:46 PM, c0nw0nk <nginx-fo...@forum.nginx.org> > wrote: > > > Just fixed my problem completely now :) > > > > For anyone who also uses Lua and wants to overcome this cross > browser > > compatibility issue with expires and max-age cookie vars. >

Re: add_header Set-Cookie The difference between Max-Age and Expires

2016-09-10 Thread c0nw0nk
Just fixed my problem completely now :) For anyone who also uses Lua and wants to overcome this cross browser compatibility issue with expires and max-age cookie vars. if ($host ~* www(.*)) { set $host_without_www $1; } set_by_lua $expires_time 'return ngx.cookie_time(ngx.time()+2592000)';

Re: add_header Set-Cookie The difference between Max-Age and Expires

2016-09-09 Thread c0nw0nk
Can you provide a example also I seem to have a new issue with my code above it is overwriting all my other set-cookie headers how can i have it set that cookie but not overwrite / remove the others it seems to be a unwanted / unexpected side effect. Posted at Nginx Forum:

Re: add_header Set-Cookie The difference between Max-Age and Expires

2016-09-09 Thread c0nw0nk
Solved it now i forgot in lua i declare vars from nginx different. header_filter_by_lua ' ngx.header["Set-Cookie"] = "value=1; path=/; domain=" .. ngx.var.host_without_www .. "; Expires=" .. ngx.cookie_time(ngx.time()+2592000) -- +1 month 30 days '; Posted at Nginx Forum:

Re: add_header Set-Cookie The difference between Max-Age and Expires

2016-09-09 Thread c0nw0nk
if ($host ~* www(.*)) { set $host_without_www $1; } header_filter_by_lua ' ngx.header["Set-Cookie"] = "value=1; path=/; domain=$host_without_www; Expires=" .. ngx.cookie_time(ngx.time()+2592000) -- +1 month 30 days '; So i added this to my config but does not work for me :( Posted at

add_header Set-Cookie The difference between Max-Age and Expires

2016-09-09 Thread c0nw0nk
So i read that IE8 and older browsers do not support "Max-Age" inside of set-cookie headers. (but all browsers and modern support expires) add_header Set-Cookie "value=1;Domain=.networkflare.com;Path=/;Max-Age=2592000"; #+1 month 30 days Apparently they support "expires" though so i changed the

Re: Nginx multiple upstream map conditions

2016-08-31 Thread c0nw0nk
c0nw0nk Wrote: --- > Francis Daly Wrote: > --- > > On Wed, Aug 31, 2016 at 01:30:30PM -0400, c0nw0nk wrote: > > > > Hi there, > > > > > Thanks works

Re: Nginx multiple upstream map conditions

2016-08-31 Thread c0nw0nk
Francis Daly Wrote: --- > On Wed, Aug 31, 2016 at 01:30:30PM -0400, c0nw0nk wrote: > > Hi there, > > > Thanks works a treat is it possible or allowed to do the following > in a > > nginx upstream map ? and if s

Re: Nginx multiple upstream map conditions

2016-08-31 Thread c0nw0nk
Thanks works a treat is it possible or allowed to do the following in a nginx upstream map ? and if so how i can't figure it out. I cache with the following key. fastcgi_cache_key "$session_id_value$scheme$host$request_uri$request_method"; if the upstream_cookie_logged_in value is not equal to

Nginx multiple upstream map conditions

2016-08-30 Thread c0nw0nk
So this is a fun one. As a lot of people probably already know you can't use "IF" on upstream values since if conditions are executed before any "$upstream_" conditions. But with a map directive it might just be possible to combine 2 upstream maps together and have an output based on the

Re: disable .php files uploads using php (php-fpm)

2016-08-29 Thread c0nw0nk
Christos Chatzaras Wrote: --- > Is any way to get the body of a php post upload to match using regex > the filename of a php upload? I want to block file uploads with .php > extension. I found that I can do it with nasxi but I want to see if I >

Re: Nginx | fastcgi_cache_valid dynamic based on request

2016-08-26 Thread c0nw0nk
It works by adding a X-Accel-Expires header to my php output what the fastcgi_cache will follow what also then means if i use proxy_cache it would follow it too :) Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269212,269219#msg-269219

Re: Nginx | fastcgi_cache_valid dynamic based on request

2016-08-26 Thread c0nw0nk
Maxim Dounin Wrote: --- > Hello! > > On Fri, Aug 26, 2016 at 11:01:05AM -0400, c0nw0nk wrote: > > > So I have been trying to make the fastcgi_cache_valid value based on > user > > request. > > > >
