I assume Liferay is throwing exceptions. Are these timeouts or indications of broken connections? A typical problem with the Elasticsearch Native Protocol is that it does not like third-party tear-downs of connections it uses (e.g., by NGINX or some load balancer).by j94305 - Nginx Mailing List - English
The key requirement you mentioned now: the user needs to be logged in. So, the next question is: how do we know the user is logged in. It can't be just a simple cookie because that could be faked (I could add "LOGGED_IN=1" without the site authorizing this), and therefore there is no security at all. Maybe added obscurity :-) What you need to do is issue a cookie that can only haveby j94305 - Nginx Mailing List - English
I would generally say this is not possible in the way you describe it. There are two ways, however, this could be implemented: 1. You use one-time links to content files: all content retrieval URLs will get a parameter expires=X (how long the link should be valid) and a signature (e.g., an HMAC with a secret only known to the NGINX server). Retrieval won't go through mere file access, but a hanby j94305 - Nginx Mailing List - English
What is keeping you from having a location with a pattern parsing {localip}[/{localpath}] and proxy that to http://{localip}/{localpath}? If your NGINX is reachable on its public IP address, but actually runs in a private IP address range inside your local network, you only have to make sure that nobody has the glorious idea of specifying the NGINX local IP address as a proxy destination. --by j94305 - Ideas and Feature Requests
Optimizing for production is not simply an optimization of one component, e.g., NGINX. This is also about your security model, the application architecture and scaling abilities. If you simply have static files to be served, place them into a memory-based file system and you'll serve them blindingly fast - in theory. Actual performance will depend on the locations of your clients, with theirby j94305 - Nginx Mailing List - English
The symlink is interpreted inside the container, not on the host system. The modules referred to should be compatible with the version of the operating system inside the container and have to refer to a valid location there. I assume /usr/share/nginx is the location on the Docker host system. Another comment: I would also map /var/log/nginx into the container, so logs won't be lost when the conby j94305 - Migration from Other Servers
Hi Danny, two comments: 1) Don't forget about $is_args$args to also pass any arguments supplied with the URL. 2) You cannot redirect requests with a request body, most importantly POST and PUT, so your rule is only applicable for GET/HEAD requests. I have no idea what you are really struggling with as you don't mention the actual challenge. Regarding your server block: - "by j94305 - Nginx Mailing List - English
The point of having nginx in any kind of scenario is to be able to talk to it, so even if this should have to be a random port, you would like to know which one it is. Therefore, you're free to have a script determining a random port in a given range, e.g,. between 8000/tcp and 8999/tcp, and substitute that with a bit of sed in your nginx.conf.template to produce an actual nginx.conf (or some sby j94305 - How to...
Have a look at the proxy_redirect directive. Does this help? --j.by j94305 - How to...
It sounds to me like one of these things fail (1) The public IP address of your home network changes because of DSL/whatever reconnects, but this is not reflected in the A record of your DNS entry for the domain. => check dynamic DNS options to reflect changes in the home network public IP address in the DNS record. (2) There is a problem with port forwarding from your NAT router to yourby j94305 - How to...
It's a bit hard to understand what you are really trying to do. I am guessing it may be something along the lines of this: map $realURI $handler { "~*/sess.*[.]php$" "_php"; "~*/sess.*[.](jpg,gif,png,svg)$" "_images"; "~*/sess.*$" "_static"; default "_session"; } location ~ "^/(?<sessionID>sess+)(?<realUby j94305 - How to...
That's reassuring in a way :-) It sounds to me you are trying with HTTP/1.1 something you would normally do with HTTP/2. When the server sends a response (and a status code), NGINX may rightfully stop sending more stuff to the server. Can you tell Jetty to send its reply (including the status code) only AFTER all data has been received? If a final status code is delivered (probably with a Cby j94305 - How to...
Out of curiosity, I set up a minimal scenario to reproduce your effect. I put this segment into my http section of nginx.conf: server { listen 127.0.0.1:8080; client_body_temp_path /tmp/nginx; client_body_in_file_only clean; client_body_buffer_size 1m; client_max_body_size 0; location = /send { proxy_http_version 1.1; proxyby j94305 - How to...
First of all, whether something issues redirections or actually proxies some other site is easy to tell by hitting F12 in your favourite browser and checking the network requests. With your configuration, I would doubt there is a 301 coming from NGINX. Second, why do you think this will be caching anything if there is no proxy_cache directive? You should add something like proxy_cache websitby j94305 - How to...
PS: If, like you mentioned in the other reply message, want to create environments dynamically, you could use the map directive with an include file that is dynamically updated by the deployment process of such an environment (and then do nginx -s reload), but even more elegant would be the replacement of the (static) map by a (dynamic) keyval map. The keyval mappings can be maintained via the NGIby j94305 - Nginx Mailing List - English
You simply have to switch the NGINX endpoint to 443 and the proper SSL configuration. The part between NGINX and Apache stays the same (proxy_pass to port 80 of Apache). If you also want to secure the connection between NGINX and Apache, you'd need a client certificate for NGINX and a second server certificate for Apache. NGINX will use a proxy_pass via SSL and with a client certificate towardsby j94305 - How to...
Try something like this: map $urlprefix $urlproxy { "foo" "https://foohost.foo.com"; "bar" "http://barhost.blah.com"; "fie" "https://fie.special.domain.com/blubb"; default "https://standard.com"; } [...] location ~ "^/(?<urlprefix>[^/]+)(?<urlsuffix>/.*)$" { [...] proxy_pass &by j94305 - Nginx Mailing List - English
Robots exclusion is generally quite unreliable. Exclusions based on user agents are also not really reliable. You can try all of the options for robots exclusion and may still get undesired crawlers on your site. The only way you can keep robots out is to require authentication for those parts you don't want to have crawled. --j.by j94305 - Nginx Mailing List - English
I did. They said it works as designed as keyval maps with type=ip have no option to retrieve the status of entries other than by supplying IP addresses. Values cannot be retrieved anymore if the key needs to be a CIDR block. I am doing a workaround now. --j.by j94305 - Nginx Mailing List - English
Ok, then let's start with the usual suspects: did you set client_max_body_size?by j94305 - How to...
It's an old jetty. The current version is 9.4.20, so you may consider upgrading. In any case, however, Jetty limits the size of uploads by default. You will have to adjust this parameter to accomodate whatever makes sense. https://www.eclipse.org/jetty/documentation/current/setting-form-size.html Depending on which framework is used for the application on the Jetty side, there may be addiby j94305 - How to...
In order to redirect http to https, you have to define a listener rule in the ALB that redirects all traffic on port 80 to port 443 (of the ALB) with the original path and query parameters. The status code should be a 301 (permanent redirection). That's the context between the client and the ALB. The certificate for the domain(s) will be installed in the ALB. The target group for the ALB wouby j94305 - Nginx Mailing List - English
Hi Lewis, no, that won't cause double requests. /myapp/current/blah.html 307 => /myapp/releases/1.2.0/blah.html and from thereon (as we did not redirect internally, but rather externally), any further accesses will happen unter the true "releases" path (ideally, as relative URLs). That's only one redirection overhead in the beginning. The redirection will forward any pathby j94305 - Nginx Mailing List - English
Hi Lewis, the idea is to have a deployment process that places apps or whatever artifacts always in a certain distinct place that is determined once at deployment time. This will determine the address where you can reach the app in the namespace of NGINX. So, if the convention is to place an app in a directory {webroot}/{app}/releases/{version}/... served as https://{server}/{app}/releby j94305 - Nginx Mailing List - English
A little correction to my earlier message: IPv6 addresses also seem to work. In my test, I was checking for a dot in the key, and that excluded IPv6 addresses. However, CIDR ranges still fail.by j94305 - Nginx Mailing List - English
The new R19 introduces "type=ip" keyval maps. Posting IP addresses (e.g., 1.2.3.4) seems to work from both, the API 5 REST calls and from Javascript, except IPv6 addresses are not accepted. Posting CIDR blocks (e.g., 1.2.3.0/24) works fine via the API 5 REST calls but not via Javascript. CIDR entries will not show up in the map at all. I am trying to feed a banlist into a map whby j94305 - Nginx Mailing List - English
I'm a big fan of throw-away certificates, i.e., self-signed certificates you may dispose of any time. It seems, the generation of proper certificates is still a mystery to some, so let me briefly include a recipe how to create them: Create a cert-client.conf of the following form: ---------------------snip-----snip------------------------ # Client certificate request [ req ] default_bitby j94305 - Nginx Mailing List - English
I've been following this, and I would take a slightly different approach. 1. Serve all apps under /{app}/releases/{version}/{path} as you have them organized in the deployment structure in the file system. 2. Forget about symbolic links and other makeshift versioning/defaulting in the file system. 3. Use a keyval mapping to handle redirections (307) of /{app}/current/{stuff} to /{app}/relby j94305 - Nginx Mailing List - English
Hallo! proxy_pass http://$apache$request_uri; sollte helfen, wenn $apache der DNS-Name oder die IP-Adresse des Apache-Servers ist. Beste Grüße, --j.by j94305 - German Forum
And as I had to find out myself just now, this suggestion I made does not work because you cannot enumerate the elements of the special objects r.variables and r.headersIn. It does work if you want to write a bit of code for a new module :-) Sorry, --j.by j94305 - How to...