Nginx

Bypass X-Frame-Options with Nginx

Bypass X-Frame-Options with Nginx The X-Frame-Options HTTP response header tells the browser whether a page can be displayed inside <frame>, <iframe>, <embed>, or <object>. Sites can prevent clickjacking by ensuring their pages are not embedded elsewhere. By using Nginx as a forward proxy, we can bypass X-Frame-Options and embed a third-party page in our own page. X-Frame-Options has three possible values: deny: the page cannot be displayed in a frame, even on the same origin. sameorigin: the page can be displayed in a frame on the same origin. allow-from uri: the page can be displayed in a frame only from the specified origin. When Chrome tries to load frame content and X-Frame-Options denies it, the console shows an error like: Refuse to display 'http://192.168.20.101:8080' in a frame because it set 'X-Frame-Options' to 'deny'.

Monday, April 26, 2021 Read

Setting up JWT Authentication

Setting up JWT Authentication Nginx 实现 JWT 验证-基于 OpenResty 实现

Friday, April 23, 2021 Read

Nginx SSL/TLS configuration with TLSv1.2 and TLSv1.3 - ECDHE and strong ciphers suite (Openssl 1.1.1)

Nginx SSL/TLS configuration with TLSv1.2 and TLSv1.3 - ECDHE and strong ciphers suite (Openssl 1.1.1) ssl.conf ## # SSL Settings (TLSv1.2 and TLSv1.3) ## ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers 'TLS13+AESGCM+AES128:EECDH+AES128'; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:50m; ssl_session_timeout 1d; ssl_session_tickets off; ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1 universal-ssl.conf ## # SSL Settings (TLSv1.0 + TLSv1.1 + TLSv1.2 + TLSv1.3) ## ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers 'TLS13+AESG+AES128:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES25GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-R-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-S:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:50m; ssl_session_timeout 1d; ssl_session_tickets off; ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;

Friday, January 22, 2021 Read

In 2020, use the latest NGINX ngx_http_geoip2 module to block IPs by country or region

In 2020, the latest NGINX ngx_http_geoip2 module can precisely block IP access by country or region Install GeoIP2 on CentOS 7 and route requests by IP country in nginx Install geoip2 lib cd /usr/local/src rm -f libmaxminddb-1.4.2.tar.gz wget https://github.com/maxmind/libmaxminddb/releases/download/1.4.2/libmaxminddb-1.4.2.tar.gz tar -xzf libmaxminddb-1.4.2.tar.gz cd libmaxminddb-1.4.2 yum install gcc gcc-c++ make -y ./configure make make check sudo make install echo '/usr/local/lib' > /etc/ld.so.conf.d/geoip.conf sudo ldconfig Download ngx_http_geoip2_module cd /usr/local/src wget https://github.com/leev/ngx_http_geoip2_module/archive/3.3.tar.gz tar -xzf 3.3.tar.gz mv ngx_http_geoip2_module-3.3 ngx_http_geoip2_module # nginx集成 cd /usr/local/src wget http://nginx.org/download/nginx-1.16.1.tar.gz tar -zxf nginx-1.16.1.tar.gz cd nginx-1.16.1 useradd -M -s /sbin/nologin www yum install gcc gcc-c++ make pcre-devel zlib-devel openssl-devel -y ./configure --user=www --group=www --prefix=/usr/local/nginx \ --with-ld-opt="-Wl,-rpath -Wl,/usr/local/lib" \ --with-http_sub_module \ --with-http_realip_module \ --with-http_gzip_static_module \ --with-http_ssl_module \ --with-http_v2_module \ --add-module=/usr/local/src/ngx_http_geoip2_module make make install Download geoip2 IP database The latest GeoLite2-City.mmdb for 2020 cannot be downloaded directly. You must register a maxmind account.

Tuesday, October 27, 2020 Read

Nginx HTTPS with Basic Auth reverse proxy for VMware ESXi 6.5 fixed VMRC /screen

Nginx HTTPS with Basic Auth reverse proxy for VMware ESXi 6.5 fixed VMRC /screen server { listen 80; server_name esxi.hackion.com; return 301 https://$server_name$request_uri; } server { listen 443 ssl; server_name esxi.hackion.com; ssl_certificate /mycert.crt; ssl_certificate_key /mykey.key; location / { auth_basic "Restricted Content"; auth_basic_user_file /etc/nginx/.htpasswd; proxy_set_header Upgrade $http_upgrade; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Origin ''; proxy_set_header Authorization ''; #Don't pass the Nginx Basic Auth to ESXi or it will break VMRC. proxy_pass_header X-XSRF-TOKEN; proxy_pass https://esxi_server; proxy_send_timeout 300; proxy_read_timeout 300; send_timeout 300; client_max_body_size 1000m; # enables WS support proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } server { listen 443 ssl http2; # ssl_certificate and ssl_certificate_key are required ssl_certificate /etc/letsencrypt/live/myletsencryptdomain/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/myletsencryptdomain/privkey.pem; include /etc/nginx/snippets/ssl-params.conf; # removed DH params as my ssl-params.conf specifies to only use ECDHE key exchange. server_name fqdn.extern; location / { proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_ssl_verify off; # No need on isolated LAN proxy_pass https://vcenter.ip; # esxi IP Address proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_buffering off; client_max_body_size 0; proxy_read_timeout 36000s; proxy_redirect https://fqdn.local/ https://fqdn.extern/; # read comment below # replace vcenter-hostname with your actual vcenter's hostname, and esxi with your nginx's server_name. } location /websso/SAML2 { proxy_set_header Host fqdn.local; # your actual vcenter's hostname proxy_set_header X-Real-IP $remote_addr; proxy_ssl_verify off; # No need on isolated LAN proxy_pass https://vcenter.ip; # esxi IP Address proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_buffering off; client_max_body_size 0; proxy_read_timeout 36000s; proxy_ssl_session_reuse on; proxy_redirect https://fqdn.local/ https://fqdn.extern/; # read comment below # replace vcenter-hostname with your actual vcenter's hostname, and esxi with your nginx's server_name. } }

Saturday, October 17, 2020 Read

nginx 添加第三方nginx_upstream_check_module 模块实现健康状态检测

nginx 添加第三方 nginx_upstream_check_module 模块实现健康状态检测 nginx_upstream_check_module Health check HTTP servers inside an upstream nginx.conf http { upstream cluster { # simple round-robin server 192.168.0.1:80; server 192.168.0.2:80; check interval=5000 rise=1 fall=3 timeout=4000; #check interval=3000 rise=2 fall=5 timeout=1000 type=ssl_hello; #check interval=3000 rise=2 fall=5 timeout=1000 type=http; #check_http_send "HEAD / HTTP/1.0\r\n\r\n"; #check_http_expect_alive http_2xx http_3xx; } ... check syntax: *check interval=milliseconds [fall=count] [rise=count] [timeout=milliseconds] [default_down=true|false] [type=tcp|http|ssl_hello|mysql|ajp|fastcgi]* 默认配置：interval=3000 fall=5 rise=2 timeout=1000 default_down=true type=tcp* ... interval：检测间隔 3 秒 fall: 连续检测失败次数 5 次时，认定 relaserver is down rise: 连续检测成功 2 次时，认定 relaserver is up timeout: 超时 1 秒 default_down: 初始状态为 down,只有检测通过后才为 up type: 检测类型方式 tcp tcp :tcp 套接字,不建议使用，后端业务未 100%启动完成,前端已经放开访问的情况 ssl_hello：发送 hello 报文并接收 relaserver 返回的 hello 报文 http: 自定义发送一个请求，判断上游 relaserver 接收并处理 mysql: 连接到 mysql 服务器，判断上游 relaserver 是否还存在 ajp: 发送 AJP Cping 数据包，接收并解析 AJP Cpong 响应以诊断上游 relaserver 是否还存活(AJP tomcat 内置的一种协议) fastcgi: php 程序是否存活 example

Sunday, April 26, 2020 Read

How Does Nginx Defend Against DDoS?

How Does Nginx Defend Against DDoS? Nginx limit module for access rate and max concurrent connections (DDoS protection) ngx_http_limit_req_module limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;

Friday, December 20, 2019 Read

Use Nginx and mod_pagespeed to Convert Images to WebP on the Fly

Use Nginx and mod_pagespeed to Convert Images to WebP on the Fly Compile ngx_pagespeed First make sure Nginx is built with --with-compat, so we do not need to rebuild Nginx from scratch. incubator: https://github.com/apache/incubator-pagespeed-ngx.git # Switch to the nginx source directory and configure the build ./configure --with-compat --add-dynamic-module=../incubator-pagespeed-ngx # Build modules make modules # Copy the built module into the nginx modules directory sudo cp objs/ngx_pagespeed.so /etc/nginx/modules/ # Create the cache directory for converted images sudo mkdir -p /var/ngx_pagespeed_cache sudo chown -R www-data:www-data /var/ngx_pagespeed_cache load_module modules/ngx_pagespeed.so; # enable pagespeed module on this server block pagespeed on; # Needs to exist and be writable by nginx. Use tmpfs for best performance. pagespeed FileCachePath /var/ngx_pagespeed_cache; # Ensure requests for pagespeed optimized resources go to the pagespeed handler # and no extraneous headers get set. location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" { add_header "" ""; } location ~ "^/pagespeed_static/" { } location ~ "^/ngx_pagespeed_beacon$" { } pagespeed RewriteLevel CoreFilters; The last line (pagespeed RewriteLevel CoreFilters;) specifies the enabled optimizations. It includes basic filters such as:

Monday, October 7, 2019 Read

Force file download with Nginx

Force file download with Nginx add_header Content-Disposition 'attachment;'; server { listen 80; server_name my.domain.com; location ~ ^.*/(?P<request_basename>[^/]+\.(mp3))$ { root /path/to/mp3/ add_header Content-Disposition 'attachment; filename="$request_basename"'; } } { listen 80; server_name backup.baifu-tech.net; root /data/backup/rechargecent-mago; location / { auth_basic "baifu backup center"; auth_basic_user_file /etc/nginx/ssl/htpasswd; autoindex on; autoindex_exact_size off; autoindex_localtime on; } }

Monday, August 19, 2019 Read

Do you understand the Nginx request processing flow?

Do you understand the Nginx request processing flow? 11 processing phases NGX_HTTP_POST_READ_PHASE: A phase after receiving the full HTTP headers. It is before URI rewrite. Very few modules register in this phase, and it is skipped by default. NGX_HTTP_SERVER_REWRITE_PHASE: The phase that modifies the URI before matching the location, used for redirects. This is where rewrite directives in the server block but outside location are executed. While reading request headers, nginx selects the virtual host by host and port.

Thursday, March 7, 2019 Read

Record Millisecond Precision in Nginx Access Logs

Nginx access logs can record millisecond timestamps, but they are milliseconds since EPOCH, for example 1503544071.865. Another variable, $time_local, records a second-level time format, for example 24/Aug/2017:11:07:51 +0800. Under heavy traffic, we need a millisecond-precision format like 24/Aug/2017:11:07:51.865 +0800. This can be done with Lua. First, define a variable named time_millis in nginx.conf and initialize it to empty. This is similar to providing a fallback self-signed certificate when using auto-ssl.

Tuesday, July 24, 2018 Read

Fighting DDoS: nginx, iptables, and fail2ban

Friday, July 20, 2018 Read