So I thought I would share this here to get some feedback, help bring to light some improvements and bugs and to get the ball rolling on how we can make this script better :) I made this because I like the way Cloudflare, BitMitigate and such sites protect their backends with a HTML, JavaScript authentication puzzle for those who have seen Cloudflare's I am under attack mode! you know what this w
by c0nw0nk - Nginx Mailing List - English
So with the following. logformat qs "$remote_addr $args"; server { server_name NAME; access_log /path/to/log qs; location / { root /path/to/root; } } If I go to url /index.php?query1=param1&query2=param2 The access.log file shows query1=param1&query2=param2 All on the same line is it possible
by c0nw0nk - Nginx Mailing List - English
So my issue is mostly directed towards Yichun Zhang (agentzh) if he is still active here. I hope so. My problem is I am trying to increase my Cache HIT ratio by removing arguments from the URL that are fake / unwanted and order the arguments in an alphabetical (same order every time) for a higher Cache HIT ratio. Here is my code. location ~ \.php$ { ##within the PHP location block ##
by c0nw0nk - Nginx Mailing List - English
itpp2012 Wrote: ------------------------------------------------------- > Have a look here http://nginx-win.ecsds.eu/ Best Nginx for windows builds around :) love itpp2012's work. He also fixed the concurrent connection limitations and continuously adds modules like Lua for Nginx into his builds what are stable and production ready. Nginx.org should make him the maintainer and dev f
by c0nw0nk - Nginx Mailing List - English
Thank you for the response and useful information Francis, incredibly helpful. I am using the following function with this : http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_background_update proxy_cache_background_update on; My webapp outputting the X-Accel-Expires header is PHP like so. CODE: <?php echo(gmdate('D, d M Y H:i:s', 0) . ' GMT'); ?> OUTP
by c0nw0nk - Nginx Mailing List - English
You know you can DoS sites with Cache MISS via switching up URL params and arguments. Examples : HIT : index.php?var1=one&var2=two MISS : index.php?var2=two&var1=one MISS : index.php?random=1 index.php?random=2 index.php?random=3 etc etc Inserting random arguments to URL's will cause cache misses and changing the order of existing valid URL arguments will also cause m
by c0nw0nk - Nginx Mailing List - English
So it says this on the docs : http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_valid The “X-Accel-Expires” header field sets caching time of a response in seconds. The zero value disables caching for a response. If the value starts with the @ prefix, it sets an absolute time in seconds since Epoch, up to which the response may be cached. Can someone give an example o
by c0nw0nk - Nginx Mailing List - English
Sergey Kandaurov Wrote: ------------------------------------------------------- > > On 11 May 2018, at 04:30, c0nw0nk <nginx-forum@forum.nginx.org> > wrote: > > > > So in order for my web application to tell Nginx not to cache a page > what > > header response should I be sending ? > > > > X-Accel-Expires: 0 > > X-Accel-Expires: Off
by c0nw0nk - Nginx Mailing List - English
So in order for my web application to tell Nginx not to cache a page what header response should I be sending ? X-Accel-Expires: 0 X-Accel-Expires: Off I read here it should be "OFF" https://www.nginx.com/resources/wiki/start/topics/examples/x-accel/#x-accel-expires But it does not mention if numeric value "0" has the same effect Nor does it mention if the "off"
by c0nw0nk - Nginx Mailing List - English
http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_cache_background_update How can I switch between an On and an Off version of this function within a Nginx server { set $var 1; if ($var) { fastcgi_cache_background_update On; } Is there a way to do this even with Nginx + Lua I can't figure out a solution that will allow me to toggle / switch between a On and Off
by c0nw0nk - Nginx Mailing List - English
Maxim Dounin Wrote: ------------------------------------------------------- > Hello! > > On Tue, Apr 24, 2018 at 01:06:48PM -0400, c0nw0nk wrote: > > > As it says on the Nginx docs for limit_req > > > > One megabyte zone can keep about 16 thousand 64-byte states or about > 8 > > thousand 128-byte states. > > > > > > What c
by c0nw0nk - Nginx Mailing List - English
As it says on the Nginx docs for limit_req One megabyte zone can keep about 16 thousand 64-byte states or about 8 thousand 128-byte states. What can a 100m zone for the fastcgi_cache store ? depending on the length of the fastcgi_cache_key and how many variables that contains I am sure could affect it but be nice to have an example for better understanding of how many file paths are exp
by c0nw0nk - Nginx Mailing List - English
Igor Sysoev Wrote: ------------------------------------------------------- > > On 18 Apr 2018, at 01:35, c0nw0nk <nginx-forum@forum.nginx.org> > wrote: > > > > Thank you for the help :) > > > > A new dilemma has occurred from this. > > > > I add a location like so. > > > > location ^~/media/files/ { > > add_header
by c0nw0nk - Nginx Mailing List - English
Thank you for the help :) A new dilemma has occurred from this. I add a location like so. location ^~/media/files/ { add_header X-Location-Order First; } location ~ \.mp4$ { add_header X-Location-MP4 Served-from-MP4-location; } location ~* \.(ico|png|jpg|jpeg|gif|flv|mp4|avi|m4v|mov|divx|webm|ogg|mp3|mpeg|mpg|swf|css|js)$ { add_header X-Location-Order Second; } How can I make
by c0nw0nk - Nginx Mailing List - English
So I have a location setup like this. location /media/files/ { add_header X-Location-Order First; } location ~* \.(ico|png|jpg|jpeg|gif|flv|mp4|avi|m4v|mov|divx|webm|ogg|mp3|mpeg|mpg|swf|css|js)$ { add_header X-Location-Order Second; } When I access URL : domain_name_dot_com/media/files/image.jpg The Header response is X-Location-Order: Second I want it to be using the first l
by c0nw0nk - Nginx Mailing List - English
So when dealing with mp4 etc video streams what is the best speed to send / transfer files to people that does not cause delays in latency / lagging on the video due etc. My current : location /video/ { mp4; limit_rate_after 1m; limit_rate 1m; } On other sites when I download / watch videos it seems they transfer files at speeds of 200k/s Should I lower my rates ?
by c0nw0nk - Nginx Mailing List - English
So on each server you can add to your listen directive. listen 8181 default bind reuseport; Cloudflare use it and posted it on their blog and github here (benchmark stats included) GitHub : https://github.com/cloudflare/cloudflare-blog/tree/master/2017-10-accept-balancing Cloudflare Blog : https://blog.cloudflare.com/the-sad-state-of-linux-socket-balancing/ I question if it is i
by c0nw0nk - Nginx Mailing List - English
garyc Wrote: ------------------------------------------------------- > Please ignore the last message, having learned a bit more about > probing the file system we can now see that it is PHP that is caching > the file to the system default location (hence rootfs) a small change > to the PHP configuration has sorted this. > > Thanks to everyone for your help > > G
by c0nw0nk - Nginx Mailing List - English
blason Wrote: ------------------------------------------------------- > Hi Guys, > > We have multiple webservers behind Nginx Reverse Proxy and at one of > the server we have discovered Content spoofing, the vulnerability is > patched on Apache but also needs to be patched on Nginx server. > > I googled a lot but unable to find a relevant information. Can someone &
by c0nw0nk - Nginx Mailing List - English
why don't you use $uri $is_args $args This will build the URL like. index.php ? arguement=value&moreargs=morevalue $request_uri will always output the full URL. Not individual segments of it. If you want the first part of the url only just use $uri on its own. http://nginx.org/en/docs/http/ngx_http_core_module.html#var_uri
by c0nw0nk - Nginx Mailing List - English
Like I said before c0nw0nk Wrote: ------------------------------------------------------- > Update your web application for example (PHP) first then how ever many > hours later when all caches for your web application have cleared > restart your Nginx so it only accepts secure links. Update your app first so your app outputs secured links. Then when all caches and users are
by c0nw0nk - Nginx Mailing List - English
So I was looking at an upstream that has been flooded from multiple locations and read that you can create what is called a blackhole within the upstream what helps with the DDoS scenario. Here Is My upstream config : upstream web_rack { server 127.0.0.1:9000 weight=1 fail_timeout=4; server 127.0.0.1:9001 weight=1 fail_timeout=4; server 127.0.0.1:9002 weight=1 fail_timeout=4; server 127.0
by c0nw0nk - Nginx Mailing List - English
Update your web application for example (PHP) first then how ever many hours later when all caches for your web application have cleared restart your Nginx so it only accepts secure links.
by c0nw0nk - Nginx Mailing List - English
Yes but characters in args like = & and ? are allowed and it's when they insert more than one occurrence of them nginx accepts them and they bypass any caches that you have. &argument=value | Cache : HIT &&&arguement===value | Cache : MISS And when they want to DoS you they will do something like the following. ?random=1 ?random=2 ?random=3 etc etc It is eas
by c0nw0nk - Nginx Mailing List - English
So I have been using Lua to iron out a few dilemmas and problems lately. Does anyone know what characters Nginx accepts inside URL's I am achieving a higher cache HIT ratio by modifying the URL's with Lua but it also helps in preventing unwanted forms of DoS. Here is my code : local function fix_url(str) return str:gsub("[+/=]", {["+"] = "+", ["/
by c0nw0nk - Nginx Mailing List - English
Couldn't you use max_ranges 0; To disable byte range support completely. Also won't setting the value of ranges to max_ranges 1; break pseudo streaming in HTML5 video apps etc. ?
by c0nw0nk - Nginx Mailing List - English
Here is my config : http { limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s; limit_conn_zone $binary_remote_addr zone=addr:10m; server { location /secured/ { auth_basic "secured area"; auth_basic_user_file conf/htpasswd; limit_req zone=one burst=5; limit_conn addr 1; } } My question is with the nginx auth module should I still need to prot
by c0nw0nk - Nginx Mailing List - English
gariac Wrote: ------------------------------------------------------- > I had run Naxsi with Doxi. Trouble is when it cause problems, it was > really hard to figure out what rule was the problem. I suppose if you > knew what each rule did, Naxsi would be fine. > > That said, my websites are so unsophisticated that it is far easier > for me just to use maps. > >
by c0nw0nk - Nginx Mailing List - English
I take it you don't use a WAF of any kind I also think you should add it to a MAP at least instead of using IF. The WAF I use for these same rules is found here. https://github.com/nbs-system/naxsi The rules for wordpress and other content management systems are found here. http://spike.nginx-goodies.com/rules/ ( a downloadable list they use https://bitbucket.org/lazy_dogtown/doxi-rule
by c0nw0nk - Nginx Mailing List - English
Use Nginx built in secure link module the link you provided is being generated and served by PHP. ".com/vfm-admin/vfm-downloader.php?q=" Nginx's secure link module will resume downloads and support pseudo streaming etc but you will find it is PHP that does not. Change your setup and modify your PHP code to not push the download through PHP but generate a link with a salted hash s
by c0nw0nk - Nginx Mailing List - English