We Keep Coding

How to inject location directive into Kong

I'm trying to inject a nginx location directive into kong but it's not working as expected
In kong.conf I have
nginx_proxy_include = /u01/nginx/custom-nginx.conf
In custom-nginx.conf I have location /doc { alias /some/path; }
Yet it's not being injected into nginx-kong.conf which remains untouched:
# .......
# injected nginx_admin_* directives
location / {
default_type application/json;
content_by_lua_block {
Kong.admin_content()
}
header_filter_by_lua_block {
Kong.admin_header_filter()
}
}
location /nginx_status {
internal;
access_log off;
stub_status;
}
location /robots.txt {
return 200 'User-agent: *\nDisallow: /';
}

Unable to disable TLSv1 on Nginx

I've spent the last 3 hours trying everything to disable TLSv1 on Nginx. I've scoured the web and tried everything mentioned but to no avail.
Things I've tried include:
reordering "default_server" to be before ssl in the server tab
removed preferred ciphers
commenting out vast amounts of "ssl_" configs to see if that helps
At all times, I tested the domain using "openssl s_client -connect example.com:443 -tlsv1" after restarting the nginx service
Here is my /etc/nginx/nginx.conf file:
user example www-data;
worker_processes auto;
worker_rlimit_nofile 100000;
pid /run/nginx.pid;
events {
worker_connections 2048;
multi_accept on;
}
http {
index index.php;
include /etc/nginx/mime.types;
default_type application/octet-stream;
real_ip_header X-Forwarded-For;
log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_id';
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
keepalive_timeout 5;
autoindex off;
server_tokens off;
port_in_redirect off;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
client_max_body_size 64m;
client_body_buffer_size 128k;
client_header_buffer_size 16k;
large_client_header_buffers 4 16k;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
limit_req_zone $binary_remote_addr zone=goeasy:35m rate=1r/s;
open_file_cache max=35000 inactive=30s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_types application/javascript application/x-javascript application/rss+xml text/javascript text/css text/plain image/x-icon image/svg+xml;
gzip_buffers 4 16k;
gzip_comp_level 6;
map_hash_max_size 262144;
map_hash_bucket_size 262144;
map $status $writelog {
444 0;
default 1;
}
map $http_user_agent $bad_client {
default 0;
~*(360Spider) 1;
~*(aiHitBot|AhrefsBot) 1;
~*(betaBot|BlackWidow|Bolt|BLEXBot|BUbiNG) 1;
~*(CazoodleBot|CPython|CCBot|ChinaClaw|Curious|CRAZYWEBCRAWLER|Custo) 1;
~*(Default|DIIbot|DISCo|discobot) 1;
~*(Exabot|eCatch|ecxi|EirGrabber|EmailCollector|EmailSiphon|EmailWolf|ExtractorPro|EyeNetIE) 1;
~*(FlashGet|Findxbot) 1;
~*(GetRight|GetWeb!|Go!Zilla|Go-Ahead-Got-It|Go.*package.*|GrabNet|Grafula|GT::WWW|GuzzleHttp) 1;
~*(heritrix|HaosouSpider|HMView|HTTP::Lite|HTTrack) 1;
~*(ia_archiver|IDBot|id-search|id-search.org|InterGET|InternetSeer.com|IRLbot) 1;
~*(JetCar) 1;
~*(larbin|LeechFTP|Lightspeedsystems|litemage_walker|Link|LinksManager.com_bot|Lipperhey|linkwalker|LinkpadBot|lwp-trivial|ltx71) 1;
~*(Maxthon$|Mail.RU_Bot|MegaIndex.ru|meanpathbot|MFC_Tear_Sample|microsoft.url|Microsoft-IIS|Mozilla.*Indy|Mozilla.*NEWT|MJ12bot|MSFrontPage) 1;
~*(Navroad|NearSite|NetAnts|NetLyzer.*FastProbe|NetSpider|NetZIP|Nutch) 1;
~*(Octopus) 1;
~*(PageGrabber|panscient.com|pavuk|PECL::HTTP|PeoplePal|pcBrowser|Pi-Monster|PHPCrawl|PleaseCrawl|psbot|prijsbest|python-requests) 1;
~*(Qwantify) 1;
~*(RealDownload|ReGet|RedesScrapy|Rippers|RocketCrawler) 1;
~*(SBIder|Scrapy|Screaming|ScreenerBot|SEOprofiler|SeaMonkey$|SeznamBot|SemrushBot|sitecheck.internetseer.com|SiteSnagger) 1;
~*(SmartDownload|Snoopy|SputnikBot|Steeler|SuperBot|SuperHTTP|Surfbot|sqlmap) 1;
~*(tAkeOut|Teleport|Toata|TwengaBot|Typhoeus) 1;
~*(URI::Fetch|User-Agent|UserAgent) 1;
~*(voltron|Vagabondo|VoidEYE|Visbot) 1;
~*(webalta|WebAuto|[Ww]eb[Bb]andit|WebCollage|WebCopier|WebFetch|WebLeacher|WebReaper|WebSauger|WebStripper|WebWhacker|WhatsApp) 1;
~*(WebZIP|Wget|Widow|Wotbox|WWW-Mechanize|WWWOFFLE) 1;
~*(zermelo|Zeus|Zeus.*Webster|ZyBorg) 1;
}
map $uri $redirected_url {
default "none";
include /etc/nginx/redirects.conf;
}
server {
listen 80;
listen [::]:80;
server_name www.example.co.uk example.co.uk;
if ($redirected_url != "none") {
rewrite ^ $redirected_url permanent;
}
return 302 https://www.example.co.uk$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example.co.uk;
ssl_certificate /etc/letsencrypt/live/example.co.uk/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.co.uk/privkey.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff always;
add_header X-Xss-Protection "1; mode=block" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.co.uk/fullchain.pem;
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s;
resolver_timeout 5s;
if ($redirected_url != "none") {
rewrite ^ $redirected_url permanent;
}
return 302 https://www.example.co.uk$request_uri;
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name www.example.co.uk;
ssl_certificate /etc/letsencrypt/live/example.co.uk/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.co.uk/privkey.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff always;
add_header X-Xss-Protection "1; mode=block" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.co.uk/fullchain.pem;
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s;
resolver_timeout 5s;
if ($redirected_url != "none") {
rewrite ^ $redirected_url permanent;
}
root /var/www/current;
access_log /var/log/nginx/access.log main if=$writelog;
error_log /var/log/nginx/error.log error;
if ($bad_client) {
return 444;
}
location = /js/index.php/x.js {
rewrite ^(.*\.php)/ $1 last;
}
location / {
try_files $uri $uri/ #rewrite;
}
location ~ /(app|var|downloader|includes|pkginfo)/ {
deny all;
}
location ~ rss/(order|catalog) {
deny all;
}
location ~ ^/([^/])+\.(sh|pl|py|lua|inc|swp|phar|php_|log|ini|md|sql|conf|yml|zip|tar|.+gz)$ {
deny all;
}
location ~ /\.(svn|git|hg|htpasswd|bash|ssh) {
deny all;
}
location ~ /(dev/tests/|errors/local.xml|cron\.php) {
deny all;
}
location ~* /(tmp|lib|media|shell|skin)/.*\.php$ {
deny all;
}
location ~ ^/(wishlist|customer|catalogsearch|newsletter|tag/product/list|sales/guest/view|contacts/index/post|review/product/(view|list|post)|(fire|one.+)?checkout)/ {
limit_req zone=goeasy burst=5;
limit_req_status 429;
if ($http_user_agent ~* "Baiduspider|AdsBot-Google|Googlebot|bingbot|Yahoo|Yandex") {
return 410;
}
try_files $uri $uri/ #rewrite;
}
if ($request_uri !~ "/insights/") {
set $no_index_php A;
}
if ($request_uri ~* "^(.*/)index\.php(/?)(.*)") {
set $no_index_php "${no_index_php}B";
}
if ($no_index_php = AB) {
return 301 $1$3;
}
if ($args ~ ^(brand|cat|color|dir|from|limit|price|type|mode|size|manufacturer)=.+) {
set $filters A;
}
if ($http_user_agent ~* "Baiduspider|Googlebot|bingbot|Yahoo|Yandex") {
set $filters "${filters}B";
}
if ($filters = AB) {
return 410;
}
location ~ /jbwp/wp-config\.php {
deny all;
}
location ~ /jbwp/wp-includes/(.*)\.php {
deny all;
}
location ~ /jbwp/wp-admin/includes(.*)$ {
deny all;
}
location ~ /jbwp/xmlrpc\.php {
deny all;
}
location ~ /jbwp/wp-content/uploads/(.*)\.php(.?) {
deny all;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires max;
log_not_found off;
access_log off;
add_header ETag "";
}
location ~* \.(swf|eot|ttf|otf|woff|woff2)$ {
expires max;
log_not_found off;
access_log off;
add_header ETag "";
add_header Access-Control-Allow-Origin "example.co.uk, www.example.co.uk";
add_header Cache-Control "public";
}
location #rewrite {
rewrite / /index.php;
}
location ~ \.php$ {
try_files $uri =404;
add_header X-Request-Time $request_time always;
add_header X-Request-ID $request_id always;
add_header Link "<$scheme://$http_host$request_uri>; rel=\"canonical\"" always;
include fastcgi_params;
fastcgi_read_timeout 600;
fastcgi_pass unix:/var/run/php/php5.6-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS 'on';
fastcgi_param DEBUG_MODE 'false';
fastcgi_param MAINTENANCE_MODE 'false';
fastcgi_keep_conn on;
}
}
}

I managed to find out that the issue was not caused by the Nginx configuration file but instead was down to a Cloudflare setting (https://community.cloudflare.com/t/how-do-i-disable-tls-1-0/2670/10).
I used this repo to find out that the server was not at fault (testing the servers ip_address:port) - https://github.com/drwetter/testssl.sh
The command I used was "/bin/bash testssl.sh 256.98.767.762:443" (not my servers real ip)

NGINX Redirct All traffic www and non-www http TO https://example.com?

my problem is i want to redirect all traffic https and http , www and non-www TO https://example.com but if I go to my website at https://example.com I get 'your connection is insecure'.
I followed this answer NGINX: redirect non-www https to https://www but it redirects only from http to https and non www to www !
How do I redirect all to https://?
server
{
listen :80;
server_name example.com www.example.com ;
access_log /var/log/nginx/domains/example.com.log;
access_log /var/log/nginx/domains/example.com.bytes bytes;
error_log /var/log/nginx/domains/example.com.error.log;
root /home/admin/domains/example.com/public_html;
index index.php index.html index.htm;
include /usr/local/directadmin/data/users/admin/nginx_php.conf;
include /etc/nginx/webapps.conf;
return 301 https://$host$request_uri;
}
server
{
listen :443 ssl http2;
server_name example.com www.example.com ;
access_log /var/log/nginx/domains/example.com.log;
access_log /var/log/nginx/domains/example.com.bytes bytes;
error_log /var/log/nginx/domains/example.com.error.log;
root /home/admin/domains/example.com/private_html;
index index.php index.html index.htm;
ssl_certificate
/usr/local/directadmin/data/users/admin/domains/example.com.cert.combined;
ssl_certificate_key
/usr/local/directadmin/data/users/admin/domains/example.com.key;
include /usr/local/directadmin/data/users/admin/nginx_php.conf;
include /etc/nginx/webapps.ssl.conf;
add_header Strict-Transport-Security "max-age=3411" always;
open_file_cache max=200000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
client_header_timeout 3m;
client_body_timeout 10;
send_timeout 2;
client_header_buffer_size 1k;
large_client_header_buffers 4 4k;
gzip on;
gzip_min_length 10240;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css text/xml text/javascript application/x-
javascript application/json application/xml;
gzip_disable msie6;
output_buffers 1 32k;
postpone_output 1460;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
send_lowat 12000;
keepalive_timeout 65;
keepalive_requests 100000;
reset_timedout_connection on;
server_tokens off;
client_body_buffer_size 128k;
client_max_body_size 10m;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~* \.(txt|log)$ {
allow 192.168.0.0/16;
deny all;
}
location ~ \..*/.*\.php$ {
return 403;
}
location ~ ^/sites/.*/private/ {
return 403;
}
location ~ ^/sites/[^/]+/files/.*\.php$ {
deny all;
}
location ~* ^/.well-known/ {
allow all;
}
location ~ (^|/)\. {
return 403;
}
location / {
try_files $uri /index.php?$query_string; # For Drupal >= 7
if ($allowed_country = no) {
return 443;
}
}
location #rewrite {
rewrite ^/(.*)$ /index.php?q=$1;
}
location ~ /vendor/.*\.php$ {
deny all;
return 404;
}
location ~ '\.php$|^/update.php' {
fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
include fastcgi_params;
fastcgi_param HTTP_PROXY "";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param QUERY_STRING $query_string;
fastcgi_intercept_errors on;
#fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
}
location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
try_files $uri #rewrite;
}
location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
try_files $uri /index.php?$query_string;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
try_files $uri #rewrite;
expires max;
log_not_found off;
}
}

you're redirects looks fine but are you sure you have valid ssl certificate for example.com and it is installed properly on your host? the 'your connection is insecure' message usually does not have anything to do with the redirects it is because of certificate problems.

instead of using this:
return 301 https://$host$request_uri;
use:
return 301 https://$server_name$request_uri;

Varnish HTTP 503 - backend sick - apache static files not cached

We have varnish configured as below:
we have probe validation with apache host and port, but using a context to a backend (application server / mod jk).
we are not using cluster and load balance configuration.
backend default {
.host = "127.0.0.1";
.port = "80";
.max_connections = 300;
.probe = {
.url = "/webapp-context/healthcheck";
.interval = 60s;
.timeout = 20s;
.window = 5;
.threshold = 3;
}
.first_byte_timeout = 5s;
.connect_timeout = 5s;
.between_bytes_timeout = 1s;
}
we have varnish cache only for specific contexts
we dont have varnish cache for staticfiles (www.domain.com/staticfiles/*), because all static files are on DocumentRoot (Apache).
sub vcl_recv {
// do not cache static files
if ( req.url ~ "^(/staticfiles)" ) {
return(pass);
}
// create cache
if ( req.url ~ "^(/content/)" ) {
unset req.http.Cookie;
return(hash);
}
...
...
}
So, my problem is: we have configured varnish to do "pass" for the static files context. And now, when our backend is sick after a probe validation, all staticfiles context is getting HTTP 503 error, but the html pages are still ok on Varnish cache, but without staticfiles.
Are there any way to configure Varnish to keep serving all static files from Apache, even that the application server is down?

You can setup additional backend definition that will not have health check specified. So your VCL will include something like this:
backend static {
.host = "127.0.0.1";
.port = "80";
.max_connections = 300;
}
# .. your default backend with probe here
sub vcl_recv {
# ...
// do not cache static files
if ( req.url ~ "^(/staticfiles)" ) {
set req.backend_hint = static;
return(pass);
}
# ,,,
}

Nginx separate Access Log for each domain

I use Nginx in combination with Typo3. My Typo3 installation has about 8 domains. Everything works like a charm. Now I have the problem that I want to use AWStats working for each domain but I don't know how can I separate the Access Log for every domain. In the following you can see how my configuration is actually running:
Config file inside sites-available:
server {
listen 127.0.0.1:80;
server_name www.domain1.de
www.domain2.de
www.domain3.de
root "/var/www/oz/htdocs/";
disable_symlinks if_not_owner;
location ~ /\.ht {
deny all;
}
location ~ ^/cgi-bin/ {
deny all;
}
# PHP is enabled
index index.php index.html index.htm;
location ~ \.php(/|$) {
try_files $fastcgi_script_name =404;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include /etc/nginx/fastcgi_params;
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
fastcgi_pass unix:/var/www/oz/conf/sockets/nginx-php-fcgi.sock;
fastcgi_read_timeout 300;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 4k;
fastcgi_busy_buffers_size 256k;
}
location = / {
error_page 403 /.errorFiles/coming-soon.html;
}
location /.errorFiles/ {
alias /usr/share/liveconfig/html/;
}
#### NGINX Typo3 Config - Start #####
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
client_max_body_size 200M;
location ~ /\.(js|css)$ {
expires 604800s;
}
location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
expires 365d;
}
if (!-e $request_filename){
rewrite ^/(.+)\.(\d+)\.(php|js|css|png|jpg|gif|gzip)$ /$1.$3 last;
}
location ~* ^/fileadmin/(.*/)?_recycler_/ {
deny all;
}
location ~* ^/fileadmin/templates/.*(\.txt|\.ts)$ {
deny all;
}
location ~* ^/typo3conf/ext/[^/]+/Resources/Private/ {
deny all;
}
location ~* ^/(typo3/|fileadmin/|typo3conf/|typo3temp/|uploads/|favicon\.ico) {
}
location / {
if ($query_string ~ ".+") {
return 405;
}
if ($http_cookie ~ 'nc_staticfilecache|be_typo_user|fe_typo_user' ) {
return 405;
} # pass POST requests to PHP
if ($request_method !~ ^(GET|HEAD)$ ) {
return 405;
}
if ($http_pragma = 'no-cache') {
return 405;
}
if ($http_cache_control = 'no-cache') {
return 405;
}
error_page 405 = #nocache;
try_files /typo3temp/tx_ncstaticfilecache/$host${request_uri}index.html #nocache;
}
location #nocache {
try_files $uri $uri/ /index.php$is_args$args;
}
#### NGINX Typo3 Config - End #####
}
server {
listen 127.0.0.1:80;
server_name domain1.de;
rewrite ^/(.*)$ "http://www.domain1.de/$1" permanent;
}
server {
listen 127.0.0.1:80;
server_name domain2.de;
rewrite ^/(.*)$ "http://www.domain2.de/$1" permanent;
}
server {
listen 127.0.0.1:80;
server_name domain3.de;
rewrite ^/(.*)$ "http://www.domain3.de/$1" permanent;
}
nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 5000;
multi_accept on;
use epoll;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
# ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_min_length 256;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
I tried to separate it inside the server-blocks. But I don't get it working. Anybody here who can help me or have some hints?

Each server can override it's own access log location:
server {
listen 127.0.0.1:80;
server_name domain1.de;
access_log /var/log/nginx/domain1-access.log;
error_log /var/log/nginx/domain1-error.log;
rewrite ^/(.*)$ "http://www.domain1.de/$1" permanent;
}
server {
listen 127.0.0.1:80;
server_name domain2.de;
access_log /var/log/nginx/domain2-access.log;
error_log /var/log/nginx/domain2-error.log;
rewrite ^/(.*)$ "http://www.domain2.de/$1" permanent;
}
server {
listen 127.0.0.1:80;
server_name domain3.de;
access_log /var/log/nginx/domain3-access.log;
error_log /var/log/nginx/domain3-error.log;
rewrite ^/(.*)$ "http://www.domain3.de/$1" permanent;
}