How would one enable gzip compression of responses with Content-Type application/json when the ASP.NET 5 app is deployed to IIS 8 on Azure? Typically this would've been done using web.config, but that's gone now... what's the new approach?
You need to reverse-proxy your Kestrel application; then you can tell the reverse proxy to compress.
In nginx, this goes as follows:
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    server_name localhost;

    gzip on;
    gzip_min_length 1000;
    #gzip_proxied expired no-cache no-store private auth;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    gzip_vary on;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    location / {
        proxy_pass http://127.0.0.1:5004;
    }
}
So here nginx will catch incoming requests on port 80 and then forward them to Kestrel on the same machine, but on port 5004. Kestrel then sends the response back to nginx. Since gzip is on, nginx will compress the response and send it to the user. All you need to ensure is that the application on Kestrel does not return HTTP headers such as HTTP 1.1 chunked encoding when outputting, for example, a file (e.g. when using what used to be Response.TransmitFile).
IIS 7.5+ supports reverse proxying.
See here for more information:
https://serverfault.com/questions/47537/can-iis-be-configure-to-forward-request-to-another-web-server
Recently I am getting "SSL handshake failed" error on my Cloudflare websites.
When I looked at my nginx log I found the following errors:
2021/05/23 02:35:52 [info] 10528#0: *124920510 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking, client: 172.68.155.147, server: 0.0.0.0:443
2021/05/23 02:42:57 [info] 10528#0: *124925310 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking, client: 172.68.155.147, server: 0.0.0.0:443
2021/05/23 02:50:19 [info] 11633#0: *124929231 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking, client: 172.68.155.165, server: 0.0.0.0:443
2021/05/23 02:50:27 [info] 11632#0: *124929281 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking, client: 172.68.155.165, server: 0.0.0.0:443
2021/05/23 02:54:18 [info] 11633#0: *124930616 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking, client: 172.68.155.161, server: 0.0.0.0:443
Every time an SSL handshake error occurs, a "peer closed connection in SSL handshake" line gets added to the log.
Can you please tell me how can I fix this issue?
Nginx config
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name mydomain.in;
    set $base /home/username/websites/mydomain.in;
    root $base/;

    # SSL
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_certificate /etc/letsencrypt/live/mydomain.in/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.in/privkey.pem;

    # logging
    access_log /home/username/nginx/logs/mydomain.in.access.log;
    error_log /home/username/nginx/logs/mydomain.in.error.log debug;

    # index.php
    index index.php;

    # index.php fallback
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # handle .php
    location ~ \.php$ {
        include nginxconfig.io/php7.4_fastcgi.conf;
    }

    #include nginxconfig.io/general.conf;

    # security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline' worker-src blob:" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # . files
    location ~ /\.(?!well-known) {
        deny all;
    }

    # favicon.ico
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    # robots.txt
    location = /robots.txt {
        log_not_found off;
        access_log off;
    }

    # assets, media
    location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
        expires 7d;
        access_log off;
    }

    # svg, fonts
    location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
        add_header Access-Control-Allow-Origin "*";
        expires 7d;
        access_log off;
    }

    # gzip
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;
}
Server: Ubuntu 18.04
Nginx: 1.16
No information can be extracted just based on the provided information on why these specific clients abandoned the TLS handshake. It might be some tests, it might be something else.
If these are normal browsers then a common cause is that the certificate provided by the server cannot be verified by the client. This might for example happen with self-signed certificates, certificates issued by a non-public CA, missing intermediate certificates, a hostname mismatch ...
Given that these IPs seem to belong to Cloudflare it might still be a messed-up setup of the certificates; simply giving the filenames without the actual content will not help though.
But again, just based on the provided log entries and config one can only do educated guesses and speculations.
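To get past guessing from five log lines, here is an added example (not from the question or the answer) that parses nginx error_log lines of exactly the shape quoted above and groups the aborted handshakes by client and by message, separating out clients that fall outside a Cloudflare range. The Cloudflare range is a single assumed entry from their published list, and the fourth sample line is constructed, as marked in the code.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Shape of the nginx error_log lines quoted in the question above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: \*\d+ "
    r"(?P<msg>.+?) while SSL handshaking, client: (?P<client>[0-9a-fA-F.:]+), "
    r"server: (?P<server>\S+)$"
)

# Assumption: one published Cloudflare IPv4 range that covers the question's client IPs.
# Production use should load the full list from https://www.cloudflare.com/ips/.
CLOUDFLARE_V4 = [ip_network("172.64.0.0/13")]

# Sample input: three lines copied from the question plus one constructed line from a
# TEST-NET address, so that a client outside the Cloudflare range is also present.
SAMPLE_LOG = """\
2021/05/23 02:35:52 [info] 10528#0: *124920510 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking, client: 172.68.155.147, server: 0.0.0.0:443
2021/05/23 02:42:57 [info] 10528#0: *124925310 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking, client: 172.68.155.147, server: 0.0.0.0:443
2021/05/23 02:50:19 [info] 11633#0: *124929231 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking, client: 172.68.155.165, server: 0.0.0.0:443
2021/05/23 03:01:02 [info] 11633#0: *124931000 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking, client: 203.0.113.9, server: 0.0.0.0:443
"""

def parse_line(line):
    """Parse one error_log line into a dict, or return None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["from_cloudflare"] = any(ip_address(rec["client"]) in net for net in CLOUDFLARE_V4)
    return rec

def summarize(log_text):
    """Count handshake aborts per client and per message; list clients outside Cloudflare."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    return {
        "total": len(recs),
        "per_client": Counter(r["client"] for r in recs),
        "per_msg": Counter(r["msg"] for r in recs),
        "other_clients": sorted({r["client"] for r in recs if not r["from_cloudflare"]}),
    }

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(summary["total"], "aborted handshakes")
    for client, count in summary["per_client"].most_common():
        print(f"  {client}: {count}")
    print("clients outside the Cloudflare range:", summary["other_clients"])
```

If every aborting client is a Cloudflare edge, the certificate-validation causes listed in the answer are what to check on the origin; aborts from other addresses point elsewhere.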
I have migrated a Drupal site to my server.
The server uses nginx to do SSL termination and lets Apache do the rest, i.e. nginx works as a proxy.
However, when using the Drupal Media Browser to upload a file, I'm getting a "502 Bad Gateway" error for the request to /file/progress/xyz (I guess it's the progress bar); the actual file upload works though.
This is the nginx server block for the site:
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.example.com;
    port_in_redirect off;

    ssl on;
    ssl_certificate /etc/ssl/certs/xyz.crt;
    ssl_certificate_key /etc/ssl/certs/xyz.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 60m;

    add_header Strict-Transport-Security "max-age=31536000";
    add_header X-Content-Type-Options nosniff;

    location / {
        gzip_static on;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header HTTPS "on";
        include /etc/nginx/proxy.conf;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name www.example.com;
    return 301 https://$server_name$request_uri;
}
And this is my proxy.conf:
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_buffering Off;
proxy_buffers 32 4m;
proxy_busy_buffers_size 25m;
proxy_buffer_size 512k;
proxy_ignore_headers "Cache-Control" "Expires";
proxy_max_temp_file_size 0;
client_max_body_size 1024m;
client_body_buffer_size 4m;
proxy_connect_timeout 75s;
proxy_read_timeout 300s;
proxy_send_timeout 300s;
proxy_intercept_errors off;
I also tried adding this to the http block of nginx.conf:
fastcgi_temp_file_write_size 10m;
fastcgi_busy_buffers_size 512k;
fastcgi_buffer_size 512k;
fastcgi_buffers 16 512k;
client_max_body_size 50M;
with no success. So I basically tried everything I found on the web regarding this topic, with no success. I'm pretty new to nginx though, so maybe I am just overlooking something?
Nginx logs to error_log:
2019/05/15 08:09:26 [error] 21245#0: *42 upstream prematurely closed connection while reading response header from upstream,
client: 55.10.229.62, server: www.example.com, request: "GET /file/progress/190432132829 HTTP/1.1",
upstream: "http://127.0.0.1:8080/file/progress/190432132829",
host: "www.example.com",
referrer: "https://www.example.com/media/browser?render=media-popup&options=Uusog2IwkXxNr-0EaqD1L6-Y0aBHQVunf-k4J1oUb_U&plugins="
So maybe it's because the upstream is HTTP?
What makes me worry even more is that I get a segfault logged in httpd-error_log
[core:notice] [pid 21277] AH00052: child pid 21280 exit signal Segmentation fault (11)
I have the latest Drupal 7.67 core and all modules are up to date,
using PHP 7.2.17 on CentOS 7
with nginx 1:1.12.2-2.el7
and httpd 2.4.6-88.el7.centos.
I also added this to Drupal's settings.php:
$conf['reverse_proxy'] = TRUE;
$conf['reverse_proxy_addresses'] = ['127.0.0.1'];
but it doesn't seem to have any effect.
Update:
For completeness, here are the details of the failing request (from the Chrome network tab):
Response Headers
Connection: keep-alive
Content-Length: 575
Content-Type: text/html
Date: Wed, 15 May 2019 06:09:26 GMT
Server: nginx/1.12.2
Request Headers
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
Cookie: _pk_ses.10.9e92=1; has_js=1; cookie-agreed=2; SSESS812a016a321fb8affaf4=pY3nnqqagiCksF61R45R6Zrmi6g6DdMcYRxSPM1HLP0; Drupal.toolbar.collapsed=0; _pk_id.10.9e92=614e315e332df7.1557898005.1.1557900255.1557898005.
Host: www.example.com
Referer: https://www.example.com/media/browser?render=media-popup&options=Uusog2IwkXxNr-0EaqD1L6-Y0aBHQVunf-k4J1oUb_U&plugins=
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
X-Requested-With: XMLHttpRequest
When I remove the PHP pecl-uploadprogress package
yum remove php-pecl-uploadprogress.x86_64
the error is gone, but then the progress bar is not working, even though I have APC. On the PECL uploadprogress page they mention that SAPI implementations other than Apache with mod_php unfortunately still have issues.
I guess I ran into one of these;
however, I would highly appreciate letting Apache report the progress.
I'm configuring my backend using nginx as a reverse-proxy for my node/express server, but cannot seem to get it to work.
Right now, if I use curl to ping my site (dcdocs.app) I get the following headers:
curl -I https://dcdocs.app
HTTP/2 200
server: nginx/1.14.0 (Ubuntu)
date: Sat, 24 Nov 2018 03:32:24 GMT
content-type: text/html; charset=UTF-8
content-length: 388
x-powered-by: Express
accept-ranges: bytes
cache-control: public, max-age=0
last-modified: Mon, 19 Nov 2018 15:35:12 GMT
etag: W/"184-1672c9c7c51"
Using curl, the response body also returns my expected index file. However, when I visit this page in a web browser, I don't get any response.
Here's how I currently have my nginx.conf file configured:
user www-data;
worker_processes auto; # Spawn one process per core... To see #, use command nproc

events {
    worker_connections 1024; # Number of concurrent requests per worker... To see #, use command ulimit -n
}

http {
    include mime.types;

    server {
        listen 80;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl http2;
        server_name dcdocs.app;
        index index.html;

        ssl_certificate /etc/letsencrypt/live/dcdocs.app/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/dcdocs.app/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        location / {
            proxy_pass http://localhost:3000;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }
    }
}
What is causing the problem here? What am I missing that's causing the page to not load in a browser? The browser currently just hangs if you try to visit the site.
Thanks!
I tried to turn on the Nginx gzip feature to save some bandwidth, but no luck.
After searching for hours I still cannot make it work.
Nginx was installed by Passenger. Here is the information about Nginx on my server:
nginx version: nginx/1.4.1
built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx --with-http_ssl_module --with-http_gzip_static_module --with-http_stub_status_module --with-cc-opt=-Wno-error --add-module=/home/lijc/.rvm/gems/ruby-1.9.3-p392#rails3.2/gems/passenger-4.0.2/ext/nginx
Nginx.conf:
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    passenger_root /home/lijc/.rvm/gems/ruby-1.9.3-p392#rails3.2/gems/passenger-4.0.2;
    passenger_ruby /home/lijc/.rvm/wrappers/ruby-1.9.3-p392#rails3.2/ruby;
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    client_max_body_size 100m;
    keepalive_timeout 65;

    gzip on;
    gzip_min_length 1k;
    gzip_disable "MSIE [1-6]\.";
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/x-javascript application/xml application/json application/atom+xml application/rss+xml;
    gzip_vary on;

    server {
        listen 80;
        server_name localhost;
        root /home/lijc/web/rails/jasli2team/evolution/public;
        passenger_enabled on;
    }
}
Then I restarted Nginx and Passenger. However, in Chrome dev tools the headers returned by my site still do not include Content-Encoding: gzip.
Here are the headers returned by my site:
Cache-Control:must-revalidate, private, max-age=0
Content-Type:text/html; charset=utf-8
Date:Wed, 05 Jun 2013 02:55:47 GMT
ETag:"f5a1b272c96c5786342ec4bfd9b6e608"
Proxy-Connection:close
Server:nginx/1.4.1 + Phusion Passenger 4.0.2
Status:200 OK
Vary:Accept-Encoding
Via:1.0 localhost.localdomain:1080 (squid/2.6.STABLE16)
X-Cache:MISS from localhost.localdomain
X-Cache-Lookup:MISS from localhost.localdomain:1080
X-Powered-By:Phusion Passenger 4.0.2
X-Rack-Cache:miss
X-Request-Id:8353874387ca7510158dd5bf93b37ab9
X-Runtime:0.042863
X-UA-Compatible:IE=Edge,chrome=1
I have no idea what is wrong or missing. Any help will be appreciated.
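The reverse-proxy answer at the top of this page and the Passenger question above both turn on the same gzip checks, so here is an added example (not nginx's code and not from either post) that decides, from the documented meaning of the directives in the two quoted configs, whether nginx would compress a given response. Run against this question's own exchange it stops on the first of two blockers: the Via header shows a squid 2.6 proxy speaking HTTP/1.0, which gzip_http_version 1.1 excludes, and even over HTTP/1.1 a request carrying Via is skipped while gzip_proxied keeps its default of off. The request/response pairs in the block are constructed, and header dicts use lowercase names.

```python
import re

# Gzip directives from the two configs quoted on this page: the reverse-proxy answer
# (gzip_proxied any) and the Passenger question, which sets no gzip_proxied (nginx default: off).
PROXY_ANSWER_CFG = {
    "types": {"text/plain", "text/css", "application/json", "application/x-javascript",
              "text/xml", "application/xml", "application/xml+rss", "text/javascript"},
    "min_length": 1000, "http_version": (1, 1), "proxied": "any",
    "disable": re.compile(r"MSIE [1-6]\.(?!.*SV1)"),
}
PASSENGER_CFG = {
    "types": {"text/plain", "text/css", "application/x-javascript", "application/xml",
              "application/json", "application/atom+xml", "application/rss+xml"},
    "min_length": 1024, "http_version": (1, 1), "proxied": "off",   # gzip_min_length 1k
    "disable": re.compile(r"MSIE [1-6]\."),
}

def would_gzip(cfg, http_version, req, resp):
    """Return (compressed, reason) for one exchange under the given gzip directives.
    Models the documented directives, not nginx's source; ignores the status code
    (nginx compresses only 200, 403 and 404). http_version is a (major, minor) tuple."""
    if http_version < cfg["http_version"]:
        return False, "request HTTP version below gzip_http_version"
    encodings = [e.strip().split(";")[0] for e in req.get("accept-encoding", "").split(",")]
    if "gzip" not in encodings:
        return False, "no gzip in Accept-Encoding"
    if cfg["disable"].search(req.get("user-agent", "")):
        return False, "User-Agent matches gzip_disable"
    # A request carrying a Via header is 'proxied'; gzip_proxied off (the default) skips it.
    if "via" in req and cfg["proxied"] == "off":
        return False, "proxied request and gzip_proxied is off"
    # nginx compares the media type without parameters; text/html is always compressed.
    ctype = resp.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "text/html" and ctype not in cfg["types"]:
        return False, f"{ctype or '(none)'} not in gzip_types"
    # gzip_min_length is only applied when the upstream sent a Content-Length.
    length = resp.get("content-length")
    if length is not None and int(length) < cfg["min_length"]:
        return False, "Content-Length below gzip_min_length"
    if resp.get("content-encoding"):
        return False, "upstream already set Content-Encoding"
    return True, "compressed"

if __name__ == "__main__":
    # Constructed exchanges: a JSON API reply through the answer's proxy, then this
    # question's page fetched through an HTTP/1.0 squid proxy that adds a Via header.
    print(would_gzip(PROXY_ANSWER_CFG, (1, 1), {"accept-encoding": "gzip, deflate, br"},
                     {"content-type": "application/json; charset=utf-8", "content-length": "4096"}))
    print(would_gzip(PASSENGER_CFG, (1, 0), {"accept-encoding": "gzip", "via": "1.0 squid"},
                     {"content-type": "text/html; charset=utf-8"}))
```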
Running NGINX with SSL, and the browser continues to time out.
Here is my NGINX conf file:
worker_processes 4;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
    use epoll;
}

http {
    proxy_next_upstream error;
    charset utf-8;
    include mime.types;
    default_type application/octet-stream;
    access_log /var/log/nginx/access.log;
    keepalive_timeout 65;
    keepalive_requests 0;
    proxy_read_timeout 200;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    gzip on;
    gzip_min_length 1000;
    gzip_proxied any;
    gzip_types text/plain text/css text/xml
               application/x-javascript application/xml
               application/atom+xml text/javascript;

    server {
        ### WEB Address ###
        server_name mydomain.com;

        ### SSL log files ###
        access_log /var/log/nginx/ssl-access.log;
        error_log /var/log/nginx/ssl-error.log;

        listen 443;

        ### SSL Certificates ###
        ssl on;
        ssl_certificate /etc/nginx/unified.crt;
        ssl_certificate_key /etc/nginx/ssl.key;
        keepalive_timeout 60;

        ### PROXY TO TORNADO ###
        location / {
            proxy_pass_header Server;
            proxy_set_header Host $http_host;
            proxy_redirect off;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_pass http://127.0.0.1:8889;
        }
    }
}
The SSL access log and error log are blank.
I've tried restarting NGINX a couple of times. As a side note, commenting out SSL and setting listen to 80 works for non-SSL connections.
Any help would be great.
Maybe 443 port is closed on your server? Check this with http://www.yougetsignal.com/tools/open-ports/
I agree with Klen's answer, and I would add more.
First, go and check that your port 443 is open at http://www.yougetsignal.com/tools/open-ports/
If it's closed, go to your AWS console, select your instance and go to Description -> Security groups -> launch_wizard-1
Then click on edit -> Add Rule
Select HTTPS from the options and you should see this
There are several things to check out
#1: Check if HTTPS is allowed on your Ubuntu server
sudo ufw allow https && sudo ufw enable
#2: Check if port 443 is open
First I checked what is listening on port 443 with this command:
lsof -iTCP -sTCP:LISTEN -P
I saw nginx, which was correct.
Then I checked whether 443 is open with the tool mentioned by Klen (http://www.yougetsignal.com/tools/open-ports/).
Port 443 was closed, so I had to run
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
to open port 443.