Nginx doesn't use cache after URL rewrite - nginx

I want to use nginx as an outbound internet proxy.
So I try to connect to http://mirror01.org/google.com, but cache files are not created.
If I delete the rewrite rule and change proxy_pass to http://google.com, cache files are created.
Where did I go wrong?
Trace using curl
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.20.2
Date: Tue, 08 Mar 2022 15:44:42 GMT
Content-Type: text/html
Content-Length: 145
Connection: keep-alive
Location: http://google.com
HTTP/1.1 301 Moved Permanently
Location: http://www.google.com/
Content-Type: text/html; charset=UTF-8
Date: Tue, 08 Mar 2022 15:44:42 GMT
Expires: Thu, 07 Apr 2022 15:44:42 GMT
Cache-Control: public, max-age=2592000
Server: gws
Content-Length: 219
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
HTTP/1.1 200 OK
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Date: Tue, 08 Mar 2022 15:44:43 GMT
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
Expires: Tue, 08 Mar 2022 15:44:43 GMT
Cache-Control: private
Set-Cookie: 1P_JAR=2022-03-08-15; expires=Thu, 07-Apr-2022 15:44:43 GMT; path=/; domain=.google.com; Secure
Set-Cookie: NID=511=21PQ3ziwDTFTppHDMUoAVReBsFB6oGkVHqT38eqJO25UQkP3SJSEleOsHhefVDR_TgKSK6DpcTmBewjKC-kazv8mWRrfW10NUJevh16H5MZtKrKCJxllfI4r; expires=Wed, 07-Sep-2022 15:44:43 GMT; path=/; domain=.google.com; HttpOnly
Nginx conf:
# Caching proxy from the question: one cache zone, one server, one catch-all location.
access_log /opt/nginx/log/access.log main;
error_log /opt/nginx/log/error.log crit;
# 10 MB key zone, at most 2 GB on disk; entries not requested for 120 minutes are evicted.
proxy_cache_path /opt/nginx/cache levels=1:2 keys_zone=default_cache:10m max_size=2g
inactive=120m use_temp_path=off;
# NOTE(review): the key has no per-user component (cookie, Authorization), so all clients
# share one cache entry per method + host + URI.
proxy_cache_key "$scheme$request_method$host$request_uri";
# "any" caches every status code, including errors and redirects, for 60 minutes.
proxy_cache_valid any 60m;
server {
listen 80;
server_name mirror01.org;
location / {
proxy_cache default_cache;
proxy_buffering on;
# NOTE(review): ignoring Cache-Control and Set-Cookie makes nginx store responses that the
# origin marked "private" or that set cookies (both appear in the 200 response of the trace)
# and replay them, Set-Cookie included, to other clients. Only safe for content that is
# identical for every user.
proxy_ignore_headers Expires;
proxy_ignore_headers X-Accel-Expires;
proxy_ignore_headers Cache-Control;
proxy_ignore_headers Set-Cookie;
# Strip the origin's caching headers from what the client receives.
proxy_hide_header X-Accel-Expires;
proxy_hide_header Expires;
proxy_hide_header Cache-Control;
proxy_hide_header Pragma;
# Exposes the cache status (HIT, MISS, ...) to the client for debugging.
add_header X-Proxy-Cache $upstream_cache_status;
# NOTE(review): a rewrite replacement that starts with "http://" makes nginx stop processing
# and return a redirect to the client, which matches the 302 in the trace. The request then
# presumably never reaches proxy_pass, so nothing is written to the cache.
rewrite ^/(.*)$ http://$request_uri? break;
# NOTE(review): the upstream is taken from the client-supplied URI, so any client that can
# reach port 80 can make this host fetch arbitrary addresses, including internal ones.
# Restrict who may connect (allow/deny) or check the target against an allowlist.
proxy_pass $request_uri;
}
}

Related

challenge certificate behind nginx reverse proxy .well-known path

Help with ACME HTTP01 Let's Encrypt challenge please.
i'm trying to get certificate for domain behind proxy.
my config:
# TCP pass-through to the Kubernetes ingress; proxy_pass without a scheme suggests this
# sits inside a stream {} block, so TLS is not terminated here. TODO confirm.
upstream kube-ingress-https {
# The least number of active connections
least_conn;
server 172.22.16.3:443 max_fails=1 fail_timeout=300;
}
server {
listen 443;
# Prepends a PROXY protocol header to the upstream connection to carry the client address.
# NOTE(review): the ingress must be configured to expect this header, and should accept it
# only from this proxy, because the address in it is taken on trust.
proxy_protocol on;
proxy_pass kube-ingress-https;
}
my scheme: WORLD ====> NGINX (reverse proxy) ==============> K8S ingress(cert manager)
cert-manager shows: Waiting for HTTP-01 challenge propagation: wrong status code '502', expected '200'
curl -I -k https://k8s-dash.domain.kz/.well-known/acme-challenge/pXy1kENDkrXpGNKLeyCc8huIfgUILzjErxiYhj80mxI
HTTP/2 502
date: Fri, 21 Oct 2022 06:55:51 GMT
content-type: text/html
content-length: 150
strict-transport-security: max-age=15724800; includeSubDomains
access-control-allow-origin: *
access-control-allow-credentials: true
curl -I -k https://k8s-dash.mydomain.kz
HTTP/2 200
date: Fri, 21 Oct 2022 06:55:58 GMT
content-type: text/html; charset=utf-8
content-length: 1338
accept-ranges: bytes
cache-control: no-cache, no-store, must-revalidate
last-modified: Fri, 15 Oct 2021 07:41:12 GMT
strict-transport-security: max-age=15724800; includeSubDomains
access-control-allow-origin: *
access-control-allow-credentials: true
I've found a solution:
I deleted the ingress annotation: acme.cert-manager.io/http01-edit-in-place: "true"

Nginx proxy return http 400 after connect

I'm trying to make a https proxy on nginx engine. And when I test it on different sites - I always get two HTTP codes - 302 - redirect to https scheme and 400 after connect
proxy config
# Forward-proxy attempt from the question: one server on 80 and 443 that proxies to whatever
# host the client names.
server {
error_log /var/log/nginx/nginx.err;
access_log /var/log/nginx/nginx.acc;
# A resolver is needed because proxy_pass below contains variables.
resolver 127.0.0.53;
listen 80; #default_server;
listen 443 ssl default_server;
server_name proxy;
ssl_certificate /etc/letsencrypt/live/proxy/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/proxy/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/proxy/chain.pem;
# NOTE(review): these present the server's own certificate and private key as a client
# certificate to upstreams. The proxy_ssl_* directives only apply to https:// upstreams;
# proxy_pass below uses http://, so they and proxy_ssl_verify presumably have no effect here.
proxy_ssl_certificate /etc/letsencrypt/live/proxy/fullchain.pem;
proxy_ssl_certificate_key /etc/letsencrypt/live/proxy/privkey.pem;
proxy_ssl_trusted_certificate /etc/letsencrypt/live/proxy/chain.pem;
large_client_header_buffers 1 128k;
proxy_ssl_verify on;
proxy_ssl_session_reuse off;
ssl_verify_client off;
# NOTE(review): SSLv3, TLSv1 and TLSv1.1 are obsolete and have known protocol weaknesses;
# keep only TLSv1.2 and TLSv1.3.
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
# NOTE(review): RC4 is prohibited for TLS (RFC 7465); remove it from the cipher list.
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# NOTE(review): Access-Control-Allow-Origin is a response header; sending it to the upstream
# as a request header does not enable CORS.
proxy_set_header Access-Control-Allow-Origin *;
proxy_buffering on;
proxy_buffers 8 16k;
proxy_buffer_size 16k;
# NOTE(review): $host comes from the client, so this forwards to any host the client names.
# Without an allow/deny client restriction this is an open proxy that can also reach internal
# addresses. Stock nginx does not implement the CONNECT method that clients use to tunnel
# HTTPS through a proxy, which matches the 400 after CONNECT in the trace.
proxy_pass http://$host$request_uri;
proxy_read_timeout 1800;
}
}
curl -x localhost:80 goo.gl -I -L output (goo.gl - for example, but I have this issue for every site)
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 10 Sep 2021 12:32:42 GMT
Content-Type: application/binary
Content-Length: 0
Connection: keep-alive
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Location: https://goo.gl/
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
HTTP/1.1 400 Bad Request
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 10 Sep 2021 12:32:42 GMT
Content-Type: text/html
Content-Length: 166
Connection: close
same curl output with -v
* Trying ::1:80...
* TCP_NODELAY set
* connect to ::1 port 80 failed: Connection refused
* Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 80 (#0)
> HEAD http://goo.gl/ HTTP/1.1
> Host: goo.gl
> User-Agent: curl/7.68.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Server: nginx/1.18.0 (Ubuntu)
Server: nginx/1.18.0 (Ubuntu)
< Date: Fri, 10 Sep 2021 12:34:02 GMT
Date: Fri, 10 Sep 2021 12:34:02 GMT
< Content-Type: application/binary
Content-Type: application/binary
< Content-Length: 0
Content-Length: 0
< Connection: keep-alive
Connection: keep-alive
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
Pragma: no-cache
< Expires: Mon, 01 Jan 1990 00:00:00 GMT
Expires: Mon, 01 Jan 1990 00:00:00 GMT
< Location: https://goo.gl/
Location: https://goo.gl/
< X-XSS-Protection: 0
X-XSS-Protection: 0
< X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
<
* Connection #0 to host localhost left intact
* Issue another request to this URL: 'https://goo.gl/'
* Hostname localhost was found in DNS cache
* Trying ::1:80...
* TCP_NODELAY set
* connect to ::1 port 80 failed: Connection refused
* Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 80 (#1)
* allocate connect buffer!
* Establish HTTP proxy tunnel to goo.gl:443
> CONNECT goo.gl:443 HTTP/1.1
> Host: goo.gl:443
> User-Agent: curl/7.68.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
< Server: nginx/1.18.0 (Ubuntu)
Server: nginx/1.18.0 (Ubuntu)
< Date: Fri, 10 Sep 2021 12:34:02 GMT
Date: Fri, 10 Sep 2021 12:34:02 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 166
Content-Length: 166
< Connection: close
Connection: close
<
* Received HTTP code 400 from proxy after CONNECT
* CONNECT phase completed!
* Closing connection 1
curl: (56) Received HTTP code 400 from proxy after CONNECT
If I do curl without a proxy, then it will contain messages with successful TLS handshakes

Nginx Font Caching

I'm desperately trying to figure out a way to set an expiry date on fonts in nginx to optimize on mobile.
I'm interested for ttf fonts.
I have mime.types as follows:
application/font-woff woff;
application/vnd.ms-fontobject eot;
application/x-font-ttf ttc ttf;
font/opentype otf;
image/svg+xml svg svgz;
And on Nginx I have tried every solution I found on the web to no avail:
Try #1:
# Try #1: long-lived cache headers for font files.
# NOTE(review): the pattern has no trailing "$", so it matches these extensions anywhere in
# the URI, not only at the end.
# NOTE(review): the response shown in the question has Content-Type application/x-font-ttf and
# no Expires header, although this block maps ttf to font/truetype. That suggests this location
# is not the one serving the request. TODO confirm.
location ~* \.(?:eot|woff|woff2|ttf|svg|otf) {
access_log off;
log_not_found off;
# "expires" emits both Expires and Cache-Control: max-age; the add_header below adds a second
# Cache-Control header next to it.
expires 365d;
add_header Cache-Control "public";
# NOTE(review): lets any origin read these files cross-origin. That is usual for public fonts,
# but svg files are matched by this location as well.
add_header Access-Control-Allow-Origin *;
types {font/truetype ttf;}
}
Fail NO Expiry:
Request URL: http://localhost:3001/static/media/Poppins-Regular.8081832f.ttf
Request Method: GET
Status Code: 200 OK
Remote Address: [::1]:3001
Referrer Policy: strict-origin-when-cross-origin
Connection: keep-alive
Content-Encoding: gzip
Content-Type: application/x-font-ttf
Date: Thu, 01 Apr 2021 18:33:55 GMT
ETag: W/"60660e52-269f0"
Last-Modified: Thu, 01 Apr 2021 18:17:54 GMT
Server: nginx/1.15.2
Transfer-Encoding: chunked
Vary: Accept-Encoding
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Host: localhost:3001
Origin: http://localhost:3001
Referer: http://localhost:3001/static/css/main.06159cd9.chunk.css
Sec-Fetch-Dest: font
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Sec-GPC: 1
User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36
Try #2:
# Try #2: same idea with an anchored extension list.
location ~* \.(woff|ttf|otf|woff2|eot)$ {
# NOTE(review): "expires 365d" already emits Cache-Control: max-age for 365 days; the add_header
# below sends a second Cache-Control with max-age=86400, so the response carries two
# conflicting lifetimes.
expires 365d;
access_log off;
add_header Pragma public;
add_header Cache-Control "public, max-age=86400";
# Marker header to check whether this location handled the request.
add_header X-Asset "yes";
}
Failed: Same result
Try: 3
https://io.24hoursmedia.com/tech-notes/nginx-send-browser-cache-headers-for-static-files
Failed: Same result
Try: 4
# Try 4: one-month expiry for images and woff2.
# NOTE(review): ttf is not in this extension list, so the .ttf request shown in the question
# cannot match this location.
location ~* \.(?:jpg|jpeg|gif|png|ico|woff2)$ {
expires 1M;
add_header Cache-Control "public";
}
Failed: Same result
What I am missing? Please help.
Keep it simple. My NGINX looks like:
# Static assets, including fonts, cached for the maximum lifetime.
location ~* \.(js|css|png|jpg|jpeg|gif|svg|ico|woff|woff2|ttf)$ {
....
# "expires max" sets a far-future Expires date and a ten-year max-age, as the response below shows.
# NOTE(review): only appropriate when file names change with their content (fingerprinted
# assets); otherwise clients keep stale files.
expires max;
# Sent as a second Cache-Control header next to the max-age one that "expires" generates.
add_header Cache-Control "public, no-transform";
}
And the response:
cache-control: max-age=315360000
cache-control: public, no-transform
content-length: 84508
content-type: font/woff2
date: Mon, 05 Apr 2021 19:08:55 GMT
etag: "603562a6-14a1c"
expires: Thu, 31 Dec 2037 23:55:55 GMT
last-modified: Tue, 23 Feb 2021 20:16:38 GMT
server: nginx
I have two different configurations for my fonts ...
types { application/x-font-ttf ttf}
AND
types {font/ttf ttf}
The second one is based on the new font standard released back in 2017.
https://www.iana.org/assignments/media-types/media-types.xhtml#font
... but I haven't seen font/truetype.
More Information: http://nginx.org/en/docs/http/ngx_http_core_module.html#types
If you want to fine-tune your expires value take a look here:
https://nginx.org/en/docs/http/ngx_http_headers_module.html#expires
# Sketch: choose the expiry per response Content-Type through a map, then use the variable.
{
# Looks up the Content-Type being sent and yields the value to pass to "expires".
map $sent_http_content_type $expires {
# "off" leaves Expires and Cache-Control untouched for types not listed here.
default off;
application/pdf 42d;
# "~" makes this a regex match: any Content-Type containing "image/".
~image/ max;
}
server {
...
location ~*\.(woff|woff2...)$ {
...
expires $expires;
}
}
}

nginx does not output all add_headers

i have set up the following in my nginx site config:
# Security response headers set at server level; "always" adds them to every response code.
# NOTE(review): add_header directives are inherited from the enclosing level only when the
# current level defines no add_header of its own. A location block with its own add_header
# drops all five, so the two headers visible in the response may come from another block or
# from the application. TODO confirm.
server {
...
add_header Referrer-Policy "no-referrer" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
# NOTE(review): the browser XSS filter this header controlled has been removed from current
# browsers; a Content-Security-Policy is the control that still has an effect.
add_header X-Xss-Protection "1; mode=block" always;
...
}
but if I look at my site I only see two of the five headers
HTTP/2 200
server: nginx
date: Fri, 06 Apr 2018 08:58:49 GMT
content-type: text/html; charset=utf-8
content-length: 114649
vary: Accept-Encoding
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
last-modified: Fri, 06 Apr 2018 08:58:49 GMT
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: private, no-cache, max-age=0
set-cookie: __Secure-anzah_csrf=Fmv0S0-WCZwP5fy5; path=/; secure
set-cookie: __Secure-anzah_session=IxXVlychxqE2F4lXUwW79gKwrxiTlhuQ; path=/; secure; HttpOnly
cache-control: private, no-cache, max-age=0
does anyone know what could be the cause?

Nginx server_name isn't applying to rewrite subdirectories.

I'm trying to use nginx to redirect my main page (www.domain.com) to a subdirectory (www.domain.com/store). I have the redirect working, but whenever I use the domain name it will redirect me to the ip address (www.IP.com/store). This is my server nginx config. Thank you in advance for any help!
# Server block from the question: redirect the site root to /store.
server {
# default_server also answers requests whose Host header matches no server_name, including
# requests made to the bare IP address.
listen 80 default_server;
# NOTE(review): "*.domain.com" matches subdomains only, not the bare "domain.com".
server_name *.domain.com;
location / {
index index.php index.html index.htm;
}
location = / {
# As written, "^/store" is the pattern and "permanent" is the replacement; there is no flag.
rewrite ^/store permanent;
}
root /usr/local/www/nginx;
}
You missed a space. rewrite ^/store permanent; will try to match '/store' at the beginning of the uri path (thanks to the ^) and if it matches, it will rewrite it to 'permanent'. Since this is inside location = /, it will never succeed. Instead, you need:
rewrite ^ /store permanent;
Hm, I can't fit this in your post so I figured I should put it here. Is this good practice for stackoverflow? I tried "curl -l" and it just returned the "not found" that I get when it's not redirected. But I used "curl -liL domain.com" and this is what came out.
HTTP/1.1 301 Moved Permanently
Server: nginx/1.2.1
Date: Thu, 05 Jul 2012 17:30:01 GMT
Content-Type: text/html
Content-Length: 184
Location: http://domain.com/store
Connection: keep-alive
HTTP/1.1 301 Moved Permanently
Server: nginx/1.2.1
Date: Thu, 05 Jul 2012 17:30:01 GMT
Content-Type: text/html
Content-Length: 184
Location: http://domain.com/store/
Connection: keep-alive
HTTP/1.1 301 Moved Permanently
Server: nginx/1.2.1
Date: Thu, 05 Jul 2012 17:30:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 05 Jul 2012 17:30:01 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NON CURa ADMa DEVa TAIa CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Set-Cookie: xid_1f463=9cc017ff6c74884850d5bdfba1bfd5ae; path=/store; domain=IP; httponly
Location: http://IP/store/?xid_1f463=9cc017ff6c74884850d5bdfba1bfd5ae
HTTP/1.1 302 Found
Server: nginx/1.2.1
Date: Thu, 05 Jul 2012 17:30:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 05 Jul 2012 17:30:01 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NON CURa ADMa DEVa TAIa CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Set-Cookie: xid_1f463=9cc017ff6c74884850d5bdfba1bfd5ae; path=/store; domain=IP; httponly
Location: http://IP/store/?xid_1f463=9cc017ff6c74884850d5bdfba1bfd5ae
HTTP/1.1 301 Moved Permanently
Server: nginx/1.2.1
Date: Thu, 05 Jul 2012 17:30:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 05 Jul 2012 17:30:01 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NON CURa ADMa DEVa TAIa CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Set-Cookie: xid_1f463=9cc017ff6c74884850d5bdfba1bfd5ae; path=/store; domain=IP; httponly
Location: /store/home.php
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Thu, 05 Jul 2012 17:30:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 05 Jul 2012 17:30:01 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NON CURa ADMa DEVa TAIa CONi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Set-Cookie: xid_1f463=e7d9abf146153d7a49e3f08bda47c008; path=/store; domain=IP; httponly
Set-Cookie: RefererCookie=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/store; domain=IP; httponly
Set-Cookie: store_language=en; expires=Fri, 05-Jul-2013 17:30:01 GMT; path=/store; domain=IP
