Dmitry S. Polyakov Wrote: ------------------------------------------------------- > On Thu, Apr 6, 2017, 10:50 shahzaib mushtaq <shahzaib.cb@gmail.com> > wrote: > > > >>With the controls sites have over the referrer header, it's not > very > > effective as an access control mechanism. You can use something like > > http://nginx.org/en/docs/http/ng
by c0nw0nk - Nginx Mailing List - English

Hello there, I had this same issue and fixed it by the following method. For example in HTML: <source src="file.mp4?md5=jobIVRUfgH6USADuWsqJHr818vw&expires=1478192353" type="video/mp4" /> That is what your media stream link would look like. But if you use JavaScript like the following example: <script type="text/javascript"> window.o
by c0nw0nk - Nginx Mailing List - English

So this is my map: map $http_cookie $session_id_value { default ''; "~^.*[0-9a-f]{32}\=(?<session_value>[\w]{1,}+).*$" $session_value; } The cookie name = an MD5 sum. The full / complete value of the cookie seems to cut off at a plus + symbol. What would the correct regex be to ignore / remove + symbols from "session_value"
by c0nw0nk - Nginx Mailing List - English

Yeah, I also noticed the free builds are not exactly the most visible on their webpage. This is where you find them: http://i.imgur.com/byJ53VW.png But the free builds come compiled with all the free Nginx addons you can find on Github and other places. nginx, nginx doc, Lua, Naxsi, Rtmp, HttpSubsModule, echo-nginx, lower_upper_case, headers-more, auth_ldap, set-misc, lua-upstream, enc
by c0nw0nk - Nginx Mailing List - English

Those are itpp2012's Windows builds. I believe he is an admin on the mailing list. https://forum.nginx.org/profile.php?11,7488 Under all his posts it says he is an admin. I have used his builds; you can download them for free... Just like nginx mainline builds from nginx.org. But specific custom features cost money, just like you would have to pay for Nginx+ https://www.nginx.com/ But this i
by c0nw0nk - Nginx Mailing List - English

Hey again, So I modified my config to this so as to prevent clients' IP spoofing. map $http_x_forwarded_for $client_ip_x_forwarded_for { "" $remote_addr; #if this header missing set remote_addr as real ip default $http_x_forwarded_for; } map $http_cf_connecting_ip $client_ip_from_cf { "" $client_ip_x_forwarded_for; #if this header missing set x-forwarded-for as real i
by c0nw0nk - Nginx Mailing List - English

Hey, I was just looking at the realip module but that module does not seem to support fallback methods like I demonstrated I was in need of. (If it does support multiple headers and fallback conditions, can someone provide a demonstration?) If real_ip_header CF-Connecting-IP; is missing then fall back to real_ip_header X-Forwarded-For; and if that header is missing use $binary_remote_addr; I
by c0nw0nk - Nginx Mailing List - English

So I figured out the problem is a bit of a dynamic one. My Nginx accepts some connections via Cloudflare's proxy and others via their DNS only, and other connections go through a load balancing IP that sets an x-forwarded-for header containing the real IP, while others can avoid all of that and connect to a specific origin server's IP (remote_addr is the real IP for these connections). So to e
by c0nw0nk - Nginx Mailing List - English

Thanks for the info :) But why is $remote_addr outputting a hyphen instead of the user's IP... I still expect to see the client's IP address. B.R. via nginx Wrote: ------------------------------------------------------- > That is because it is not: your eyes deceived you having a too quick > look > at the log line. > > Your 'empty' variables are actually showing the
by c0nw0nk - Nginx Mailing List - English

Francis Daly Wrote: ------------------------------------------------------- > On Fri, Mar 03, 2017 at 10:47:26AM -0500, c0nw0nk wrote: > > Hi there, > > > map $http_cf_connecting_ip $client_ip_from_cf { > > default $http_cf_connecting_ip; > > } > > > > How can I make it so if the client did not send that $http_ header > it makes > >
by c0nw0nk - Nginx Mailing List - English

Thanks Francis, much appreciated, it seems to be working well :) Francis Daly Wrote: ------------------------------------------------------- > On Fri, Mar 03, 2017 at 10:47:26AM -0500, c0nw0nk wrote: > > Hi there, > > > map $http_cf_connecting_ip $client_ip_from_cf { > > default $http_cf_connecting_ip; > > } > > > > How can I make it so if t
by c0nw0nk - Nginx Mailing List - English

So I have the following map: map $http_cf_connecting_ip $client_ip_from_cf { default $http_cf_connecting_ip; } How can I make it so if the client did not send that $http_ header it makes $client_ip_from_cf variable value = $binary_remote_addr? Not sure how to check in a map if that http header is present.
by c0nw0nk - Nginx Mailing List - English

You should view http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_catch_stderr Might be what you seek for an empty blank page output or specific text that would be a Fatal error etc. CJ Ess Wrote: ------------------------------------------------------- > My employer uses Nginx in front of PHP-FPM to generate their web > content. > They have PHP's error reporting sh
by c0nw0nk - Nginx Mailing List - English

So in the documentation and from what I see online everyone is limiting requests to prevent flooding on dynamic pages and video streams etc. But when you visit an HTML page, the HTML page loads up a lot of various different elements like .css .js .png .ico .jpg files. To prevent those elements also being flooded by bots or malicious traffic, I was going to do the following. #In http bloc
by c0nw0nk - Nginx Mailing List - English

I think from my understanding the proxy_http_version 1.1; is ignored over https since everything works and that directive does what it states: proxy_HTTP_version for unsecured requests only, it will be version 1.1, so I don't think it has any negative impact on HTTP2/SSL.
by c0nw0nk - Nginx Mailing List - English

So the Nginx documentation says this http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive For HTTP, the proxy_http_version directive should be set to “1.1” and the “Connection” header field should be cleared: upstream http_backend { server 127.0.0.1:8080; keepalive 16; } server { ... location /http/ {
by c0nw0nk - Nginx Mailing List - English

For a server {} that you want to make universally compatible with both http port 80 and https port 443 ssl requests. This was my solution for my own sites. #inside http block upstream proxy_web_rack { #port 80 unsecured requests server 172.16.0.1:80; } upstream proxy_web_rack_ssl { #port 443 secured requests server 172.16.0.1:443; } #end http block #Server block server {
by c0nw0nk - Nginx Mailing List - English

mex Wrote: ------------------------------------------------------- > grey rules means they are deactivated > > > i'm gonna write a blog on how we use spike + doxi-rules in our > setup, but it will take some time. That's cool, look forward to it. Also the rules on spike I think need updating with the bitbucket page since the rules are the same but a lot on the bitbucket chan
by c0nw0nk - Nginx Mailing List - English

mex Wrote: ------------------------------------------------------- > Hi c0nw0nk, > > mex here, initial creator of http://spike.nginx-goodies.com/rules/ > and maintainer of Doxi-Rules > https://bitbucket.org/lazy_dogtown/doxi-rules/overview > (this is where the rules live we create with spike :) > > the doxi-rules in its current state are inspired by emerging thre
by c0nw0nk - Nginx Mailing List - English

So I recently got hooked on Naxsi and I am loving it to bits <3 thanks to itpp2012 :) https://github.com/nbs-system/naxsi I found the following rule sets here. http://spike.nginx-goodies.com/rules/ But I am curious, does anyone have Naxsi written rules that would be the same as/on Cloudflare's WAF? These to be exact: Package: OWASP ModSecurity Core Rule Set : Covers OWASP Top
by c0nw0nk - Nginx Mailing List - English

Provide your full config please. Also this error log. "if" directive is not allowed here That means you put the code I provided in an invalid area, I would assume not between location {} or server {} tags as I said.
by c0nw0nk - Nginx Mailing List - English

xstation Wrote: ------------------------------------------------------- > entered this in the conf file under http > > SetEnvIfNoCase User-Agent "^Baiduspider" block_bot > Order Allow,Deny > Allow from All > Deny from env=block_bot > > > but on restart got an error message > > Job for nginx.service failed. See 'systemctl status nginx.servic
by c0nw0nk - Nginx Mailing List - English

That is why you cache the request. DoS or in your case DDoS since multiple are involved. Caching backend responses and having Nginx serve a cached response, even for the 1 second that cached response can be valid for, will save your day.
by c0nw0nk - Nginx Mailing List - English

gariac Wrote: ------------------------------------------------------- > This is an interesting bit of code. However if you are being ddos-ed, > this just eliminates nginx from replying. It isn't like nginx is > isolated from the attack. I would still rather block the IP at the > firewall and prevent nginx from doing any action. > > The use of $bot_agent opens up a lo
by c0nw0nk - Nginx Mailing List - English

proxy_cache / fastcgi_cache the pages output will help. Flood all you want, Nginx handles flooding and lots of connections fine; your back end is your weakness / bottleneck that is allowing them to be successful in affecting your service. You could also use the secure_link module to help on your index.php or .html, whatever it is you have going on that generates the link they are attacking. You c
by c0nw0nk - Nginx Mailing List - English

I am curious what the request URI they were hitting was. Was it a dynamic page or file or a static one?
by c0nw0nk - Nginx Mailing List - English

I think you could modify the conf/mime.types video/mp4 mp4 gifv;
by c0nw0nk - Nginx Mailing List - English

Well I do use Nginx with Lua. I was planning on writing up a little Lua to replace body_contents outputs and include some JavaScript to append src links. For example in HTML: <source src="file.mp4?md5=jobIVRUfgH6USADuWsqJHr818vw&expires=1478192353" type="video/mp4" /> I would use Lua to obtain the link between the quotation marks and replace it with "" (Mak
by c0nw0nk - Nginx Mailing List - English

Lukas Tribus Wrote: ------------------------------------------------------- > I have a question: secure_link is correctly blocking those requests so > it's not generating any traffic. > > Why does it bother you then, if it is already blocked? > > _______________________________________________ > nginx mailing list > nginx@nginx.org > http://mailman.nginx.org/m
by c0nw0nk - Nginx Mailing List - English

I wouldn't mind those using apps like Kodi if they did not just hotlink and steal my links. If my adverts were still there and I was being reimbursed for my work and content and the bandwidth they are consuming, then I wouldn't mind, but I bet Kodi is not the only app with plugins doing this. The only solution I can think of is to lock the site to paid accounts only. So only registered users who pay
by c0nw0nk - Nginx Mailing List - English