Apparently our web application server is sending an older version of the upgrade-insecure-request header which causes a brief "page cannot be displayed" in Chrome, but not Firefox or Safari. We use Nginx as a reverse proxy to our application servers, can I intercept this header and just remove it? Specifically, it looks like I can fix this by just stripping the "HTTPS:1" he by mevans336 - Nginx Mailing List - English
Kemp can do it: https://www.tech-coffee.net/deploy-windows-admin-center-in-ha-through-kemp-load-balancer/ I can give the stream module a shot also. Would this be a basic config to get me started? stream { listen 443 proxy_pass https://192.168.1.0:6516/ proxy_ssl_verify off; } by mevans336 - Nginx Mailing List - English
I am trying to set up a reverse proxy to the Windows Admin Center (WAC). The WAC requires the use of a client certificate for authentication. When I log into the WAC via https://localhost:6516 or https://192.168.0.100:6516 I am prompted for the certificate and everything works fine. If I attempt to log in from outside my network across the WAN, I simply receive a 403 without being prompted for the by mevans336 - Nginx Mailing List - English
I figured it out. I just needed to add the proxy_pass in the new location block. by mevans336 - Nginx Mailing List - English
For security purposes, we utilize the Cache-Control "no-cache, no-store, must-revalidate" add_header parameter in our root location block. However, I'd like to tweak this to allow the following file types to be cached: jpg|jpeg|png|gif|ico|js|css|html I added this above my root location / block, but it breaks all images and our css as well. location ~* \.(jpg|jpeg|png|gi by mevans336 - Nginx Mailing List - English
We've noticed that if we flip the order of the backend servers, the server the user is directed to flips. upstream prodtemp { ip_hash; server 10.0.0.107:8080 max_fails=1 fail_timeout=5s; server 10.0.0.106:8080 max_fails=1 fail_timeout=5s; keepalive 50; } That results in the user being sent to server2. This is Nginx 1.10.2 FYI. by mevans336 - Nginx Mailing List - English
We are experiencing an issue where we have Nginx configured as a reverse proxy. SSL terminates with Nginx also. On the back end are two Wildfly servers. If a session is bound to server 2 (via Nginx ip_hash) after 30 minutes the user is redirected back to server 1 and the following is logged in Nginx. We can also recreate by stopping server1 and forcing all requests to server2, then restarting serv by mevans336 - Nginx Mailing List - English
Actually, I think this may have been because after upgrading Nginx, it reinstalled the default.conf file. I've removed it, left the config above, restarted Nginx, and the internal IP doesn't seem to be leaking any longer. by mevans336 - Nginx Mailing List - English
Hello - we have been dinged on our network penetration test because one of our Nginx web servers is returning the internal IP in the HTTP location response header. This is our only Nginx server that is not acting as a reverse proxy, so I'm at a bit of a loss on how to disable Nginx returning the Internal IP? Here is the bulk of our config: server { listen by mevans336 - Nginx Mailing List - English
I figured out what it was. I had an error_page directive in another location block in the same server.conf that was apparently overriding the proxy_next_upstream. I commented it out and now the upstream throwing the 404 is being skipped. I'm just going to remove 404 from the error_page directive. by mevans336 - Nginx Mailing List - English
We have a backend server throwing a 404 error, so I added the directive proxy_next_upstream error timeout http_404; but that seems to have no effect. Nginx is still performing round robin connections to the working backend server and the backend server throwing a 404. Is there another directive I need for this to work properly? by mevans336 - Nginx Mailing List - English
That seems like a very elegant way to handle the problem. I'll give it a shot. Thanks! by mevans336 - Nginx Mailing List - English
We currently use the following method to perform an http to https rewrite. rewrite ^ https://$server_name$request_uri permanent; I am planning to change it to the preferred method of: return 301 https://$server_name$request_uri; However, we'd like to also make sure any requests for domain.com are sent to www.domain.com, whether someone tries to access domain.com via http or https. H by mevans336 - Nginx Mailing List - English
Sorry, I got a little ahead of myself. If I only want to display all files named "the_nginx_mailing_list_guys_are_genuises*" - can I do that? by mevans336 - Nginx Mailing List - English
Is there a way to have autoindex only display certain files? If I only want to display a file named "the_nginx_mailing_list_guys_are_genuises*" - can I do that? by mevans336 - Nginx Mailing List - English
richardm Wrote: ------------------------------------------------------- > [...]Someone in RH decided > to make the nginx webserver follow the same SELinux policy rules as > Apache. Thanks for following up on this Richard. Undisclosed changes like this drive me crazy ... why make changes like this and then not disclose them in the release notes? *shakes fist at Red Hat* :) by mevans336 - Nginx Mailing List - English
Thank you Richard. I have shared your post in my thread in the CentOS forums. For now, to work around the issue, CentOS forum user sercan has provided the following commands to create a new SELinux policy for Nginx. I've tested it on two of my servers and it works. - Make sure you have the policycoreutils-python package installed (yum install policycoreutils-python), then run the following 3 by mevans336 - Nginx Mailing List - English
Then that is something that is different with respect to CentOS 6.6, because the default.conf was just dropped when I re-installed it from the Nginx yum repository. -rw-r--r--. root root system_u:object_r:httpd_config_t:s0 default.conf -rw-r--r--. root root unconfined_u:object_r:httpd_config_t:s0 default.conf.orig The default.conf above was dropped by a fresh install of the nginx package. by mevans336 - Nginx Mailing List - English
That's the thing, I've never needed to set an SELinux policy. These are single purpose servers, they run Nginx and that's it. I've always installed Nginx, configured the .conf files for Nginx, and off it went. I've never needed to disable SELinux and actually, since I perform a minimal install of SELinux, the policy control tools aren't even installed. If it were a policy issue, why doesn't a r by mevans336 - Nginx Mailing List - English
We have been successfully running Nginx installed from the official Nginx CentOS repositories for ages. Last night I upgraded two of my Nginx 1.6.0 servers from CentOS 6.5 to CentOS 6.6 and SELinux immediately broke just about everything with Nginx. At first it wouldn't let it read the SSL certs, then it wouldn't allow it to read the proxy upstream server. The only way I can get it working is to d by mevans336 - Nginx Mailing List - English
Bingo, I issued a -USR2 but a ps shows both the old and new master processes listening. Thanks Maxim. by mevans336 - Nginx Mailing List - English
Hello Everyone, We have been running SPDY/2 for months and months without issue and recently upgraded to 1.5.10 for SPDY/3.1 support. However, we are having an issue where sometimes our site reports SPDY/2 and sometimes it reports SPDY/3.1 in Chrome's net-internals and the Chrome spdy extension. We use Nginx in reverse proxy mode and have 4 server blocks - 2 for HTTP which redirect to 2 for HT by mevans336 - Nginx Mailing List - English
Bingo. Now Chrome is reporting spdy/3. Thanks! by mevans336 - Nginx Mailing List - English
I upgraded my Nginx reverse proxy to 1.5.10 using the official Ubuntu Precise Nginx packages, but my site is still reporting SPDY/2 in Chrome. Do I need to do something more drastic than issuing a kill -HUP on the master process to load the new Nginx binary? Or am I missing something else? by mevans336 - Nginx Mailing List - English
Hello Gurus, It's been several years since I've revisited anything but the most basic changes to our Nginx reverse-proxy front-end. I'm wondering if there have been any new tweaks or security related configuration changes that should be implemented on Nginx when acting as a reverse-proxy for JBoss? We use SPDY and of course tweak SSL to stay up-to-date, but otherwise our configs have remained s by mevans336 - Nginx Mailing List - English
I didn't even think about rejecting the traffic rather than dropping it! Great idea! Would that allow the client connection (Browser to Nginx) to fail over to the backend server that is up rather than simply timing out? by mevans336 - Nginx Mailing List - English
Oops, here is the relevant error.log entry from Nginx as well: 013/05/06 01:46:03 2063#0: *294659 upstream timed out (110: Connection timed out) while connecting to upstream, client: ip.address, server: amywebsite.com, request: "GET /home HTTP/1.1", upstream: "http://192.168.1.12:8080/home", host: "www.mywebsite.com" by mevans336 - Nginx Mailing List - English
Hi Mex, We shut them down one-by-one, 45 minutes apart. The issue only seems to occur when the first server listed is blocked however. We don't see the read timeouts if I leave the iptables rules enabled on the second server. I think that may be a false symptom related to ip_hash binding clients to the first server. Here are the iptables rules: Drop rule: iptables -I INPUT -s 192.168.1.0/ by mevans336 - Nginx Mailing List - English
Hello, Each night we take our backend servers offline at specific times for maintenance. When the application servers restart they immediately begin answering HTTP requests from Nginx, but we want to keep them out of the upstream pool for about 30 minutes while they cache information from our data providers. To do this, I created iptables rules in cron on the application servers to block all co by mevans336 - Nginx Mailing List - English
I resolved this by simply using an internal style sheet. by mevans336 - Nginx Mailing List - English