Channel: Nginx Forum - Other discussion

After upgrading my router, Nginx stops working

I'm fairly new to NGINX but absolutely love this functionality. I set this up inside a FreeNAS Jail and it's been working for months without an issue. I decided to upgrade my router for various reasons from a Cisco Small Business Router RV220W (a 5-year-old router) to the new Netgear Nighthawk X10 AD7200 Smart WiFi Router. After the new router was installed, I saw two things happen. First, my Internet speeds doubled for my clients, and my IP address from Comcast changed for the first time in almost 3 years.

I manually recreated all the port forward settings from the Cisco to the Nighthawk and these are working fine. I was able to test the Nginx certificate by using the "SSL Server Test" at the URL below and it can connect and can verify the SSL certificate is working properly and remains secure. The SSL test reflects the new IP address and verifies the site with an "A" overall rating.

https://www.ssllabs.com/ssltest/index.html

What is not happening is the reverse proxy to the 3 insecure internal websites which were previously secured by Nginx with the Cisco router. I've made no changes to the Nginx server config files since they worked fine with the Cisco router. All of my servers, FreeNAS Jails, VMs and clients have all retained the same IP addresses or DHCP to the same IP subnet on my internal network. All my internal port addresses are also the same. The only thing I can think of is that my external DNS "A" record was updated to reflect my new IP address and maybe this invalidated my SSL certificate installed into the Nginx reverse proxy configuration.

Before I make any changes, I wanted to see if anyone running Nginx remote proxy configurations has experienced similar issues and what they did to correct the problem. Any suggestions and feedback would be greatly appreciated. If you need me to post any logs, please let me know and I'll post them here to debug. Here are a few log snippets covering today's quick test.

My router is set up so that all incoming HTTPS traffic on port 443 is forwarded to the NGINX server.

Here are the log entries for my most recent test connecting to https://kv.heronet.net/nzbhydra
/var/log/nginx/nginx_err.log
2017/09/10 12:01:21 [crit] 53238#105268: *569 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: 64.41.200.108, server: 0.0.0.0:443
2017/09/10 12:01:21 [crit] 53238#105268: *570 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: 64.41.200.108, server: 0.0.0.0:443

Here are the access logs covering the same timeframe, which looks like only the SSL test server event.
/var/log/nginx/access.log
64.41.200.108 - - [10/Sep/2017:12:00:49 -0700] "GET / HTTP/1.1" 401 195 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"
64.41.200.108 - - [10/Sep/2017:12:00:51 -0700] "GET /?SSL_Labs_Renegotiation_Test=User_Agent_May_Not_Show HTTP/1.0" 400 0 "-" "SSL Labs (https://www.ssllabs.com/about/assessment.html)"

Re: After upgrading my router, Nginx stops working

Fixed.

There was a typo in the nginx.conf file where one letter was changed in the domain name. No idea how this happened, but it was next to unnoticeable, until a friend pointed it out. Fresh eyes fixed this one.

DirectAccess from Microsoft through nginx

I use Nginx for Exchange and am also trying to get DirectAccess to work. Any ideas how to, because I'm not getting this to work ...

DirectAccess is a VPN that works on SSL and uses httpsip.

Has anyone gotten this to work with nginx?

Nginx Location Redirection

Hi,

I am using a PHP application which runs on Nginx. Now the URL looks like ip/public/xxx...
I would like the URL to look like ip/helpdesk/....
What can I do to make this URL work? I tried many things in the nginx conf and am now confused about what to do in this situation.

Server block configuration files affect other

I'm new to Nginx and setting up a reverse proxy that forwards traffic based on domain name to internal backbone webservers, both Apache and IIS. The basics work alright; I managed to get it to work with a WordPress on the Apache internally running on port 80 to the nginx reverse proxy, and then with a certbot-created SSL connection from the nginx proxy to the internet. So far so good. Now for the problem.

At the moment it only works with SSL 443, even if I change one server block to listen on port 80 and remove the SSL certificates from that block. The server still blocks the port: "You cannot visit mytestsite.se right now because the website uses HSTS"
First I put all SSL and HSTS parameters in the nginx.conf file, which would explain this, but now I have moved them away from there as I wanted some servers to be able to connect as HTTP. So I moved all my SSL and HSTS settings into the server block itself, which also is working fine; I still get an A+ rating.

Shouldn't the server block set the settings for the specific website? Now the server blocks seem to affect each other in a way I don't like. Is it possible to isolate them better? Or am I doing something else wrong?

One more example: I had a bad SSL certificate on one of my sites yesterday, but as long as that site was enabled none of the other sites were responding. Still, there was no problem restarting the nginx.service. Can anything be done to make this better?


/grungeman

routines:ssl3_check_cert_and_algorithm:dh key too small

Hi,

I'm using Nginx as a reverse proxy and recently upgraded the OpenSSL package on the Nginx server; after that the application is not working. I'm getting Bad Gateway, and in the log I'm getting the error below. Can someone help me with what the issue would be?


nginx version: nginx/1.12.0

openssl-1.0.2k-8.0.1.el7.x86_64

=========
SSL_do_handshake() failed (SSL: error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small) while SSL handshaking to upstream
=========

Thanks,
SK

nginx settings

Hello Team, I need a favour. I would like to optimise the nginx settings due to high traffic. How high a file limit can I put on an 8-core AWS machine?

NGINX & OpenResty

Hi all,

I have been helping my friend set up a new server with the same configuration as the old server. I logged in to the older server and typed the command "nginx -v". The output is "nginx version: openresty/1.11.2.2".

It's a bit strange because if you install nginx only, the output will show "nginx version: nginx/1.11.2.2". Or if you install OpenResty, the command should be "resty -v" and the output will show "nginx version: openresty/1.11.2.2".

I'm a bit curious how they could configure/install nginx/openresty and then use the command "nginx -v" to show output like "nginx version: openresty/1.11.2.2".

Please advise.
Thanks.

Setting NGINX for two website

Hello,
Hi, I have a problem. I need to configure nginx including 3 websites. 2 of these websites do not have a context root and I cannot add one for various reasons. How can I solve this?

server {
    listen 8080;
    location / {
        proxy_pass http://localhost:8080;
    }

    location / {
        proxy_pass http://localhost:8080;
    }

    location /users/ {
        proxy_pass http://localhost:8080/users/;
    }
}

If I put a location, I have trouble getting the correct site. Thank you very much for helping.

Settings NGinx for Load_Balancing

Hi there,

I recently had trouble configuring my Nginx load balancer.

How do I do it? I followed a lot of videos and guides but it still doesn't work.

Does it work with Docker? I have 1 VM and 2 Docker containers for the load balancing.

I made my folder; I don't know where the problem can happen.

(I apologize for my bad English)

Kindest Regards

Use regex in location to iis web application

Hello,
I have tried to configure nginx as a reverse proxy to my IIS web application; I have a lot of web applications in IIS.
I can do it with the config below:

location /directory/ {
    proxy_pass https://thcom2.thaicom.net/directory/;
}

It does not work when the user types /Directory. I have tried to use a regex, but it gives an error.

location ~* /directory/ {
    proxy_pass https://thcom2.thaicom.net/directory/;
}

The error is: nginx: [emerg] "proxy_pass" cannot have URI part in location given by regular expression,

Please advise me.

Transcode - Package - NGINX Origin

Hi friends,

I have a transcoder and my intention is to have the VOD and live streams coming through the transcoder delivered on the intranet using NGINX.

Do I need a Wowza kind of packager in between the transcoder and nginx for live stream delivery?

Regards

VJ

Upstream connection timeout error in nginx (Urgent help needed)

Hi,

We have nginx configured as reverse proxy for our application servers. It also loadbalances connections to the two tomcat application servers using an upstream.

Below is our upstream configuration:

---------------------------
upstream prod {
    sticky name=prodx path=/pc;
    server 10.x.x.x:8084;
    server 10.x.x.x:8084;
}
----------------------------

We are noticing frequent connection timed out errors in the debug error log and also our users are getting session time outs.

Below are the errors we noted in the logs:

--------------------------------------------------------------------------------------------------------------------------------------
2018/02/27 13:13:01 [debug] 25552#0: *1365757 input buf 0000555555AB40C0 4096
2018/02/27 13:13:01 [debug] 25552#0: *1365757 malloc: 0000555555AB50D0:4096
2018/02/27 13:13:01 [debug] 25552#0: *1365757 readv: 1, last:4096
2018/02/27 13:13:01 [debug] 25552#0: *1365757 pipe recv chain: 325
2018/02/27 13:13:01 [debug] 25552#0: *1365757 readv: 1, last:3771
2018/02/27 13:13:01 [debug] 25552#0: *1365757 readv() not ready (11: Resource temporarily unavailable)
2018/02/27 13:13:01 [debug] 25552#0: *1365757 pipe recv chain: -2
2018/02/27 13:13:01 [debug] 25552#0: *1365757 pipe buf in s:1 t:1 f:0 0000555555B435C0, pos 0000555555B43703, size: 3773 file: 0, size: 0
2018/02/27 13:13:01 [debug] 25552#0: *1365757 pipe buf in s:1 t:1 f:0 0000555555AB40C0, pos 0000555555AB40C0, size: 4096 file: 0, size: 0
2018/02/27 13:13:01 [debug] 25552#0: *1365757 pipe buf free s:0 t:1 f:0 0000555555AB50D0, pos 0000555555AB50D0, size: 325 file: 0, size: 0
2018/02/27 13:13:01 [debug] 25552#0: *1365757 pipe length: 327
.
.
.
.
2018/02/27 13:27:15 [debug] 25553#0: *1398223 SSL_read: -1
2018/02/27 13:27:15 [debug] 25553#0: *1398223 SSL_get_error: 2
2018/02/27 13:27:15 [debug] 25553#0: *1398223 free: 0000555555B4FE00
2018/02/27 13:27:15 [debug] 25552#0: *1404063 event timer del: 31: 1519756035496
2018/02/27 13:27:15 [debug] 25552#0: *1404063 http wait request handler
2018/02/27 13:27:15 [info] 25552#0: *1404063 client timed out (110: Connection timed out) while waiting for request, client: 108.254.97.167, server: 0.0.0.0:443
2018/02/27 13:27:15 [debug] 25552#0: *1404063 close http connection: 31
2018/02/27 13:27:15 [debug] 25552#0: *1404063 SSL_shutdown: 1
2018/02/27 13:27:15 [debug] 25552#0: *1404063 reusable connection: 0
2018/02/27 13:27:15 [debug] 25552#0: *1404063 free: 0000000000000000
2018/02/27 13:27:15 [debug] 25552#0: *1404063 free: 0000555555B17DD0, unused: 16



2018/02/25 15:39:55 [error] 3640#0: *5271942 upstream timed out (110: Connection timed out) while connecting to upstream, client: X.X.X.X, server: Testtemp.com, request: "GET /mediawiki-1.16.0beta2/skins/common/quickbar.css HTTP/1.1", upstream: "http://x.x.x.x:80/mediawiki-1.16.0beta2/skins/common/quickbar.css", host: "x.x.x.x"

2018/02/25 15:39:55 [error] 3639#0: *5271969 upstream timed out (110: Connection timed out) while connecting to upstream, client: x.x.x.x, server: Testtemp.com, request: "GET /phpnuke-5.4/moin_static186/classic/css/projection.css HTTP/1.1", upstream: "http://x.x.x.x:80/phpnuke-5.4/moin_static186/classic/css/projection.css", host: "x.x.x.x"

-------------------------------------------------------------------------------------------------------------------------------

Any suggestions in the nginx configuration to remediate this issue will be greatly appreciated.

Thanks in advance.

Error log file encoding

I'm running Fail2Ban 0.10.1 on FreeBSD 11.1-RELEASE with Nginx running inside a jail. I have Fail2Ban check the Nginx error log file for suspicious activity but the Fail2Ban log file shows a message saying it can't parse some of the lines in the Nginx log file because they're not encoded correctly. This is the type of message I'm getting:



WARNING Error decoding line from 'var/log/nginx/error.log' with 'utf-8'. Consider setting logencoding=utf-8 (or another appropriate encoding) for this jail. Continuing to process line ignoring invalid characters: '2018/03/03 14:34:39 [info] 95523#100097: *89 client sent invalid method while reading client request line, client: 174.5.4.14, server: , request: "\x16\x03\x01\x01"\x01\x00\x01\x1e\x03\x03\xb9\xaer\xab\xc8J\xf0\x8eFr\xf3\xdd\x00\x00\x88\xc00\xc0,\xc0(\xc0$\xc0\x14\xc0"\n'



The error.log file shows up as "application/octet-stream; charset=binary" when I run the file command on it.

I tried setting up the Fail2Ban config file with utf-8 (as a default and in the Fail2Ban jail like the warning suggested) but that didn't work. I also tried to create a new error.log file and set its encoding to ascii but it changed back to data after a while.



I don't know if this is a FreeBSD, Fail2Ban or Nginx issue that's why I'm posting here. Thanks
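
The request bytes quoted in the Fail2Ban warning above start with 0x16 0x03 0x01, the header of a TLS handshake record: a client spoke TLS to a listener that expected plain HTTP, and nginx wrote the raw bytes into error.log. The following is an added example, not part of the original post; it reads such lines as bytes, flags the TLS ClientHello, and decodes with backslashreplace so no line is lost. The function names and sample lines are constructed for illustration.

```python
"""Added example: recognise a TLS ClientHello logged by nginx as an HTTP request."""

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
MARKER = b'request: "'


def classify_request(line: bytes):
    """Describe the TLS ClientHello in the request field, or return None."""
    start = line.find(MARKER)
    if start < 0:
        return None
    data = line[start + len(MARKER):]
    # Record header: type(1) version(2) length(2); then handshake type(1) length(3).
    if len(data) < 6 or data[0] != TLS_HANDSHAKE or data[1] != 0x03:
        return None
    if data[5] != CLIENT_HELLO:
        return None
    record_version = int.from_bytes(data[1:3], "big")
    info = {
        "record_version": VERSIONS.get(record_version, hex(record_version)),
        "record_length": int.from_bytes(data[3:5], "big"),
        "client_version": None,  # stays None if the log line was cut short
    }
    if len(data) >= 11:
        hello_version = int.from_bytes(data[9:11], "big")
        info["client_version"] = VERSIONS.get(hello_version, hex(hello_version))
    return info


def scan(lines):
    """Return (classification, printable text) per raw line, never dropping bytes."""
    results = []
    for raw in lines:
        text = raw.decode("utf-8", errors="backslashreplace").rstrip("\n")
        results.append((classify_request(raw), text))
    return results


# Constructed sample lines (client addresses are documentation-range placeholders).
SAMPLE = [
    b'2018/03/03 14:34:39 [info] 95523#100097: *89 client sent invalid method '
    b'while reading client request line, client: 192.0.2.10, server: , '
    b'request: "\x16\x03\x01\x01"\x01\x00\x01\x1e\x03\x03\xb9\xae\n',
    b'2018/03/03 14:35:02 [info] 95523#100097: *90 client sent invalid method '
    b'while reading client request line, client: 192.0.2.11, server: , '
    b'request: "FOO / HTTP/1.1"\n',
]

if __name__ == "__main__":
    for verdict, text in scan(SAMPLE):
        print("TLS-on-HTTP" if verdict else "other", verdict, text, sep=" | ")
```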

Relationship of Proxy_Read_timeout, keep alive and proxy connection

Hi All,

I'm a newbie to nginx and I have configured an nginx reverse proxy to communicate with an Apache server. Recently I got an error like
"""""""""""""""
2018/03/24 00:11:58 [error] 19840#0: *2902980 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 82.132.236.172, server: ~^[A-Za-z0-9,-]*\.orangehrmlive\.com$, request: "POST /auth/validateCredentials HTTP/1.1", upstream: "https://[::1]:9191/auth/validateCredentials", host: "******", referrer: "******"

"""""""""""""""
After going through several articles I found out that increasing the proxy_read_timeout will resolve the problem. My current nginx timeout configurations :
fastcgi_read_timeout 300;
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
keepalive_timeout 65;

My concern is, while having keepalive_timeout as 65 seconds, why do I need to increase proxy_read_timeout again? Please, can you explain to me the relationship between those directives so that I can understand the scenario? Any advice or guidance would be highly appreciated.

Thanks.

Content-Length and really sent bytes sometimes mismatch

Hello,

I'm facing a major issue with nginx: the bytes sent in the HTTPS response are sometimes different from the Content-Length header. It especially occurs on CSS files, and as a result my website is seen by my visitors as a very unprofessional one ...

The issue is further illustrated by the screenshot in the attachment. As you can clearly see, nginx in reverse proxy mode sometimes truncates my content, as shown in the Firefox web console. In the example with a CSS file, the content-length is about 222000 bytes (and the real file is too), however nginx randomly returns fewer than 15800 bytes. As a result, the CSS can't be loaded. In the Chrome console, I have the "Failed to load resource: net::ERR_CONTENT_LENGTH_MISMATCH" error for each nginx length mismatch.

More in depth, my distribution is Debian 9 (stretch) in the latest version. The nginx version is nginx/1.10.3, the latest available in the Debian stable world, and configuration files are mainly set to Debian/Nginx defaults. I have a first Debian server with nginx and php-fpm that contains the static and dynamic pages. I have a second Debian server with nginx alone that acts as SSL reverse proxy from the internet to the first server. The content-length mismatch seems to occur when the reverse proxy is used, but I can't guarantee that. When the reverse proxy is used, I can however guarantee that it occurs either on static files (served by nginx) or dynamic pages served by PHP/FPM, so it is not an FPM issue.

There are a lot of people who go crazy with this major issue, and I can cite some related threads on it:
https://stackoverflow.com/questions/25993826/err-content-length-mismatch-on-nginx-and-proxy-on-chrome-when-loading-large-file
https://serverfault.com/questions/783218/nginx-in-reverse-proxy-content-length-mismatch-for-bigger-css-files
https://github.com/owncloud/client/issues/5706

I ended up with these unprofessional settings (like weird timeouts) found on the internet for the nginx reverse proxy:
proxy_temp_file_write_size 64k;
proxy_connect_timeout 10080s;
proxy_send_timeout 10080;
proxy_read_timeout 10080;
proxy_buffer_size 64k;
proxy_buffers 16 32k;
proxy_busy_buffers_size 64k;
proxy_redirect off;
proxy_request_buffering off;
proxy_buffering off;

... and the issue still appears ...

I also tried to add the following to the fastcgi fpm config:
fastcgi_buffering off;

... and the issue still appears ...

And to disable buffering at the FPM level (output_buffering = off)

... and the issue still appears ...

To conclude, I'm very surprised that nginx, which is usually associated with quality software, seems to suffer from such major issues in stable repos. Could an engineer from NGINX Inc. help on this issue and bring a professional fix for that? Thanks!

Re: Content-Length and really sent bytes sometimes mismatch

still occurs with nginx/1.13.10 (current mainline) ..

Re: Content-Length and really sent bytes sometimes mismatch

How is the memory calculated for Nginx dashboard

I am trying to understand the nginx plus dashboard metrics (status.html). I am seeing the memory usage shown as 100%, but when I ran free -m in the Linux OS I could see the memory usage is not 100%. Also I tried to check the AWS cloud metrics, and I do not see the graph touching 100%. Is the Nginx dashboard counting the swap memory usage also?

A question about "cache loader process"

Hi everybody,

I am using nginx 1.12.2. I have a cache disk that includes small files, about 10TB. I saw that when I start nginx, the cache loader process begins to work, but when I reload nginx it disappears. Is this normal or not?