neusoftsecurity / senginx

Security-Enhanced nginx by Neusoft corporation.

Home Page: www.senginx.org

License: BSD 2-Clause "Simplified" License

Shell 0.18% Nginx 0.05% Perl 9.00% Python 0.03% HTML 1.94% C 87.52% C++ 0.28% Makefile 0.01% XS 0.39% Objective-C 0.02% Vim Script 0.58%


senginx's Issues

Possible change to 'auto/install' - for 'rpmbuild' against sed -i 's#data_dir=.*#data_dir=\$(DESTDIR)

May I suggest a patch for those Centos / Redhat / Fedora builders that create RPM packages; and build / add modules via 'rpmbuild -bb file.spec' (using filename.tar.gz additions + add-ons - for Nginx modules):

        test -d '\$(DESTDIR)$NGX_PREFIX/html' \
                || cp -R $NGX_HTML '\$(DESTDIR)$NGX_PREFIX'

        test -d '\$(DESTDIR)$NGX_PREFIX/naxsi' || mkdir -p '\$(DESTDIR)$NGX_PREFIX/naxsi'
        cp -R naxsi/nx_util '\$(DESTDIR)$NGX_PREFIX/naxsi/'
        cp -R naxsi/naxsi_config '\$(DESTDIR)$NGX_PREFIX/naxsi/'
-       sed -i 's#naxsi_core_rules=.*#naxsi_core_rules=\$(DESTDIR)$NGX_PREFIX/naxsi/naxsi_config/naxsi_core.rules#' '\$(DESTDIR)$NGX_PREFIX/naxsi/nx_util/nx_util.conf'
+       sed -i 's#naxsi_core_rules=.*#naxsi_core_rules=$NGX_PREFIX/naxsi/naxsi_config/naxsi_core.rules#' '\$(DESTDIR)$NGX_PREFIX/naxsi/nx_util/nx_util.conf'
-       sed -i 's#data_dir=.*#data_dir=\$(DESTDIR)$NGX_PREFIX/naxsi/nx_util/nx_datas#' '\$(DESTDIR)$NGX_PREFIX/naxsi/nx_util/nx_util.conf'
+       sed -i 's#data_dir=.*#data_dir=$NGX_PREFIX/naxsi/nx_util/nx_datas#' '\$(DESTDIR)$NGX_PREFIX/naxsi/nx_util/nx_util.conf'
END
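
Review bot: in the two `+` sed lines, $NGX_PREFIX is expanded straight into an `s#...#...#` expression, so a prefix containing `#` or `&` would break or silently alter the substitution; use a delimiter that cannot occur in a path, or escape the value before it reaches sed. Writing the run-time path instead of the \$(DESTDIR) staging path into nx_util.conf is the right target, and a one-line comment above the sed calls saying DESTDIR is left out of the written values on purpose would keep it from being re-added later.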

Otherwise a 'rpmbuild' shows errors against using "$(DESTDIR)" for the 'sed -i 's#data_dir=...'

where is document ( docs of modules configure demo )

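I have run into a problem (I already tried search engines): there is little documentation, and the official website is no longer reachable. Many modules are involved, and I would like to consult the module configuration examples that the official site provided. Could you share where the senginx documentation can currently be found?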

robot_mitigation

robot_mitigation_challenge_ajax
Syntax robot_mitigation_challenge_ajax on/off;
Default off
Context Location
Valid versions 1.5.5 and later

The default is off, but at merge time it is on:
ngx_conf_merge_value(conf->pass_ajax, prev->pass_ajax, 1);

Error when running nginx -t

senginx/1.6.0, installed following http://www.senginx.org/cn/index.php/ModSecurity
When testing with nginx -t, the following error is reported.
nginx: [emerg] ModSecurityConfig in /usr/local/senginx/conf/nginx.conf:68: Syntax error in config file /usr/local/senginx/conf/modsecurity.conf, line 218: Could not open unicode map file "/usr/local/senginx/conf/unicode.mapping": No such file or directory
nginx: configuration file /usr/local/senginx/conf/nginx.conf test failed
Is this a serious problem? If I create an empty unicode.mapping, the test passes.
Thanks!

Possible 'hijack' content showing on the related http://www.senginx.org/ support site

I note some strange content showing @ http://www.senginx.org/

What I have seen exists:

  1. http://www.senginx.org/en/index.php/HTTP_Robot_Mitigation
 HTTP Robot Mitigation
Jump to: navigation, search

This enlightening article offers some of the most good a long time to make split lists of them actions., <a href="http://www.casinowsw.co.uk/">free online casino games win real money no deposit</a>, [url=http://www.casinowsw.co.uk/]free online casino games win real money no deposit[/url], 157649, 
  2. http://www.senginx.org/en/index.php/Fastest_Load_Balancing
 Fastest Load Balancing
Jump to: navigation, search

hfznttfohjoy, <a href="http://www.hintdlnhfx.com/">wgmidzjrpb</a> , [url=http://www.ftdljyuxdg.com/]hkshcxghbt[/url], http://www.bciqyipoxa.com/ wgmidzjrpb 
  3. http://www.senginx.org/en/index.php/Configuration_Examples
 Configuration Examples
Jump to: navigation, search

In this page, we provide some configuration examples of the functionality in SEnginx.

In such circumstances, there's not enough., <a href="http://paydayzabc.co.uk">Payday Loan UK</a>, lau, 
  4. http://www.senginx.org/en/index.php/NetEye_Security_Layer
 NetEye Security Layer
Jump to: navigation, search

of money for various short term purposes enlisted below., <a href="http://www.casinolbx.co.uk/">casino online</a>, [url=http://www.casinolbx.co.uk/]casino online[/url], pxkab, <a href="http://www.bcproject.org.uk/">casino online</a>, [url=http://www.bcproject.org.uk/]casino online[/url], 029789, 
  5. http://www.senginx.org/en/index.php/Integrated_Naxsi
 Integrated Naxsi
Jump to: navigation, search


I am sure this is not what you or I expect for a secure site dealing with SEnginx?

Cannot allocate memory

Hello,

I got an error when using senginx:

13:51:11 [alert] 845779#0: mmap(MAP_ANON|MAP_SHARED, 524288000) failed (12: Cannot allocate memory)
14:10:05 [alert] 858815#0: mmap(MAP_ANON|MAP_SHARED, 524288000) failed (12: Cannot allocate memory)
14:37:55 [alert] 860460#0: mmap(MAP_ANON|MAP_SHARED, 524288000) failed (12: Cannot allocate memory)

My server has 32G RAM (50% free) with 600 nginx virtual hosts (each virtual host is configured with limit request). I tried increasing the memory limit at limit_req_zone, but that did not resolve the problem.

limit_req_zone $binary_remote_addr $request_uri zone=abc:500m rate=xr/s

kernel shmmax:

kernel.shmmax = 68719476736

Thanks!

Regards.

dynamic resolve not honoring proxy_next_upstream, and other error

Here's our config:

upstream consumer {
  server upstream_dns;
}

server {
    listen 443 ssl;
    server_name example.com;

    location / {
        proxy_next_upstream off;
        proxy_set_header    Host    $host;
        proxy_set_header    True-Client-IP $remote_addr;
        proxy_set_header    X-Forwarded-Protocol    https;
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        proxy_pass consumer dynamic_resolve dynamic_fail_timeout=30s dynamic_fallback=stale;
    }
}

We saw this in the access log:

<remote ip> - - [15/Aug/2014:17:11:38 -0400] "<host>" "GET /jsi18n/" 502 568 "<host>/video/noflash_videoupload/" "<user agent>" | <upstream ip>:443, consumer -, 0.000

And this is the error log:

2014/08/15 17:11:38 [error] 4416#0: *1145287 upstream prematurely closed connection while reading response header from upstream, client: <remote ip>, server: <server name>, request: "GET /jsi18n/ HTTP/1.1", upstream: "https://<upstream ip>:443/jsi18n/", host: "<host>", referrer: "https://<host>/video/noflash_videoupload/"
2014/08/15 17:11:38 [error] 4416#0: *1145287 no live upstreams while connecting to upstream, client: <remote ip>, server: <server name>, request: "GET /jsi18n/ HTTP/1.1", upstream: "https://consumer/jsi18n/", host: "<host>", referrer: "https://<host>/video/noflash_videoupload/"

It appears that:

  1. For some reason it's trying what it thinks is the next upstream
  2. the next upstream is getting resolved as the name of the upstream specified.

Unsure if it makes any difference but the upstream_dns resolves to 2 IP addresses.

Compile nginx config files to binary in compilation process (do not store them on drive anymore)

Hey.

Sometimes bad things happen and a bad guy can break security and get to the nginx configs. Nginx configs are an important part of the modern infrastructure of most websites. Since all background technologies are usually hidden, it's important to keep that information hidden even in case of a server hack. They can contain, for example, some configs to prevent requests from passing, and if there are some REGEXes there may be easily visible mistakes which can help an attacker. If an attacker gets into the system, he reads the configs and can use them to compromise even other servers (they use the same or similar configs, usually). At the moment nginx configs are just raw files on disk. There is no way to hide them.

I think, we need to change something in this part. I have two ideas about it, do you have more?

  1. Make nginx configs part of the compilation process. Do not store them on disk anymore. Compile them once, in the nginx compilation process, directly into the binary. In the binary, there should be strong encryption of that data. There should be a few levels of encryption. The first is a passphrase or key which is used when you talk to the binary, passed as a parameter to the binary. The second is a passphrase used to encode it one more time; it should be generated randomly at compile time. The third is a passphrase to encode it one more time at nginx start time. This at least will make an attacker need to decrypt that and he (she) may not succeed :)
  2. Make a module "selfsecurity" - it should basically be used to make nginx more secure in the case when an attacker is already in the system. As a first idea of what it should do: when someone talks to the binary, make an HTTP request to some URL (domain or IP [better IP]) (not more than once a minute, to prevent a big number of queries) and if this URL returns some concrete result (e.g. "no"), nginx should create a new file in its directory (some random name) with content to wait 5 seconds and remove the nginx binary (forcefully). After creating this file nginx should run it and execute the "stop" action on itself.
    So you can control the return of the URL to be anything except the "concrete result" when you work with nginx. And when you don't work with nginx you need to set this URL to return "no" (or anything else which will be the needed result).
    This way, even if an attacker attempts to decrypt the configs in memory or just touches the binary with some commands, it will delete itself, so an attacker will not have the binary and will not be able to decrypt the configs.

Possible?

src rpm for senginx 1.6.0?

Hi,
Where can I get a src rpm for senginx 1.6.0? I'm trying to build it on my Centos 6.5 32bit machine.

I tried to build the rpm using the senginx.spec in the rpm folder of the source, but the build failed with error:

sed -i 's#data_dir=.*#data_dir=/home/langzi/rpmbuild/BUILDROOT/senginx-1.6.0-0.el6.i386/etc/senginx/naxsi/nx_util/nx_datas#' '/home/langzi/rpmbuild/BUILDROOT/senginx-1.6.0-0.el6.i386/etc/senginx/naxsi/nx_util/nx_util.conf'
test -d '/home/langzi/rpmbuild/BUILDROOT/senginx-1.6.0-0.el6.i386/etc/senginx/logs' || mkdir -p '/home/langzi/rpmbuild/BUILDROOT/senginx-1.6.0-0.el6.i386/etc/senginx/logs'
make[1]: Leaving directory `/home/langzi/rpmbuild/BUILD/senginx-1.6.0'

+ install -p -D -m 0755 /home/langzi/rpmbuild/SOURCES/senginx.init /home/langzi/rpmbuild/BUILDROOT/senginx-1.6.0-0.el6.i386/etc/rc.d/init.d/senginx
install: cannot stat `/home/langzi/rpmbuild/SOURCES/senginx.init': No such file or directory
error: Bad exit status from /var/tmp/rpm-tmp.4TTp0a (%install)

Looks like it can't find the file "senginx.init". So I copied the file from the source tarball's etc folder to "SOURCE" and ran rpmbuild again. This time I got another error:

cpio: senginx-1.6.0/http_response_parser.rl: Cannot stat: No such file or directory
cpio: senginx-1.6.0/smtp_response_parser.c: Cannot stat: No such file or directory
cpio: senginx-1.6.0/smtp_response_parser.rl: Cannot stat: No such file or directory
8357 blocks

+ /usr/lib/rpm/check-buildroot
/home/langzi/rpmbuild/BUILDROOT/senginx-1.6.0-0.el6.i386/etc/senginx/naxsi/nx_util/nx_util.conf:data_dir=/home/langzi/rpmbuild/BUILDROOT/senginx-1.6.0-0.el6.i386/etc/senginx/naxsi/nx_util/nx_datas
/home/langzi/rpmbuild/BUILDROOT/senginx-1.6.0-0.el6.i386/etc/senginx/naxsi/nx_util/nx_util.conf:naxsi_core_rules=/home/langzi/rpmbuild/BUILDROOT/senginx-1.6.0-0.el6.i386/etc/senginx/naxsi/naxsi_config/naxsi_core.rules
Found '/home/langzi/rpmbuild/BUILDROOT/senginx-1.6.0-0.el6.i386' in installed files; aborting
error: Bad exit status from /var/tmp/rpm-tmp.7aarvj (%install)

So, I figured if you could just provide the src rpm, I can build it from there.

Thanks!

SEnginx 1.5.11 configuration bug for 'ngx_http_neteye_security' [optional module]

Please add this patch for src/http/ngx_http.c

        case NGX_HTTP_CONTENT_PHASE:
            checker = ngx_http_core_content_phase;
            break;

+#if (NGX_HTTP_NETEYE_SECURITY)
        case NGX_HTTP_NETEYE_SECURITY_PHASE:
            if (cmcf->phase_engine.neteye_security_index == (ngx_uint_t) -1) {
                cmcf->phase_engine.neteye_security_index = n;
            }
            checker = ngx_http_core_generic_phase;

            break;
+#endif

        default:
            checker = ngx_http_core_generic_phase;
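
Review bot: the `#if (NGX_HTTP_NETEYE_SECURITY)` guard around `case NGX_HTTP_NETEYE_SECURITY_PHASE:` only fixes the build if the phase enum value and `phase_engine.neteye_security_index` are declared under the same macro; their declarations are not in this hunk, so check them and guard them the same way. A trailing comment on the `#endif` naming the macro would also help, since the guarded block spans several lines.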

Otherwise, the compile will fail - if the optional 'ngx_http_neteye_security' is not selected by choice.

query: Is it possible to have SEnginx 'ngx_http_core_module' support proxy_request_buffering on|off and fastcgi_request_buffering on|off

@InfoHunter

I note that Tengine's "ngx_http_core_module" adds extra proxy support for:

A) proxy_request_buffering on | off;
B) fastcgi_request_buffering on | off;

both the above have; Default: on, Context: http, server, location

See: http://tengine.taobao.org/document/http_core.html

Is there merit for SEnginx to feature this?

I do find it helpful on some special classes of proxy upstream use.

query: In SEnginx what is the default state for the 'persistence' extension

@InfoHunter

Is it possible / correct to use persistence off; or perhaps persistence ""; ?

The Wiki at http://www.senginx.org/en/index.php/HTTP_Persistence does not advise on its default state.

Syntax persistence mode [cookie_name=name] [monitor_cookie=name] [timeout=timeout]

Question is: "how does one disable 'persistence' for a given 'server' or 'location' need?"

I ask this as I note it shows up in SEnginx debug logs - for upstream locations that have no 'persistence' setting.

See abbreviated log below:

2014/05/08 16:37:24 [debug] 55770#0: *3 init keepalive peer
2014/05/08 16:37:24 [debug] 55770#0: *3 init least conn peer
2014/05/08 16:37:24 [debug] 55770#0: *3 get keepalive peer
2014/05/08 16:37:24 [debug] 55770#0: *3 get least conn peer, try: 3
2014/05/08 16:37:24 [debug] 55770#0: *3 persistence get not set

2014/05/08 16:37:24 [debug] 55770#0: *3 get least_conn peer, check_index: 18446744073709551615
2014/05/08 16:37:24 [debug] 55770#0: *3 get least_conn peer, check_index: 18446744073709551615
2014/05/08 16:37:24 [debug] 55770#0: *3 get least_conn peer, check_index: 18446744073709551615
2014/05/08 16:37:24 [debug] 55770#0: *3 get least conn peer, many
2014/05/08 16:37:24 [debug] 55770#0: *3 get least_conn peer, check_index: 18446744073709551615
2014/05/08 16:37:24 [debug] 55770#0: *3 get least_conn peer, check_index: 18446744073709551615
2014/05/08 16:37:24 [debug] 55770#0: *3 get least_conn peer, check_index: 18446744073709551615
2014/05/08 16:37:24 [debug] 55770#0: *3 persistence set not set

Notes: Why do my 3 Unix socket upstream proxies all use the same ID (18446744073709551615)?

Feedback: some benchmark experiences with and without "ngx_http_neteye_security" framework used within SEnginx

@InfoHunter

As a result of looking through my current SEnginx 'debug' logs and the 'proxy' Upstream 'cold start' timings, I tried the following two SEnginx "core" code changes and some client-side http benchmarks (as before and after):

Code changes were:

  1. Removed 'ngx_http_neteye_security' and the associated "neteye" code embedded in the following SEnginx files: A) src/http/ngx_http.c, B) src/http/ngx_http_core_module.c and C) src/http/ngx_http_core_module.h.

  2. Removed all "neteye" SEnginx modules except for the following requisites: A) ngx_http_upstream_fastest, B) ngx_http_upstream_persistence, and C) ngx_http_if_extend.

Test Results: The tested 'cold start' upstream proxy [3 streams as Unix sockets] load times went from ~3 seconds [cold] to 295ms on a cold start (with the above changes). The warm [valid] cache upstream load times did not change much [good], but the cache 'invalid' times were [also] improved as much as the cold start times [as above]. Notes: The three proxy upstreams, as Unix sockets, pull static assets (only) for a local CDN - which are stored (optimized) using nginx's "proxy_store" (on 1st pull).

This report is intended as 'basic user' feedback on the possible overheads of utilizing the current "ngx_http_neteye_security" framework API's - as placed into SEnginx core and the associated 'neteye' security modules.

I accept I could have some configuration issues to follow through on :)

I wish I could offer you a better stream of hard data and numbers, but it is a production server that I use SEnginx on, so my change window is always brief... :)

nginx module?

hi, would be nice if you also had nginx modules instead of a custom nginx version..

so we can stay up to date with nginx

one feature i miss in nginx is dynamically blocking ips, robot detection (testcookie works).

Latest SEnginx master causes 'segfault's - but older SEnginx V1.5.13 is fine

@InfoHunter

Pulling the latest SEnginx, I notice regular 'segfault's showing in the system logs:

May  3 21:03:10 server1 kernel: [83732.093146] nginx[37442]: segfault at 45555d ip 000000000045e8b1 sp 00007fff63554bc0 error 7 in nginx[400000+849000]
May  3 21:03:10 server1 kernel: nginx[37442]: segfault at 45555d ip 000000000045e8b1 sp 00007fff63554bc0 error 7 in nginx[400000+849000]
May  3 21:03:41 server1 kernel: [83762.969395] nginx[37448]: segfault at 45555d ip 000000000045e8b1 sp 00007fff63554bc0 error 7 in nginx[400000+849000]
May  3 21:03:41 server1 kernel: nginx[37448]: segfault at 45555d ip 000000000045e8b1 sp 00007fff63554bc0 error 7 in nginx[400000+849000]

Reverting to the older SEnginx v1.5.13 + changes [@4e896e9], no event errors or issues are seen.
Notes: The older SEnginx results in clean logs and no 'faults' for days.... [14 days on last run and using SEnginx v1.5.13].

Notes: the older SEnginx v1.5.13 fallback includes the older essential 'modules' within "neusoft". The only extra 'third-party' modules used on both test cases were: 1) ngx_pagespeed, 2) ngx-cache-purge-2.1 and 3) nginx-upload-progress-module-0.9

Sorry I have not done a full SEnginx debug analysis and report here, but my system is a live production server. My web clients do not like the server with broken data streams - for long periods.

old path issue in https://github.com/NeusoftSecurity/SEnginx/blob/master/auto/init

@InfoHunter At SEnginx trunk, auto/init has a path to the older 3rd-party/ngx_http_robot_mitigation/ngx_http_robot_mitigation_tpl.c prior to the changes made at [@4e896e9]

# Copyright (C) Igor Sysoev
# Copyright (C) Nginx, Inc.


NGX_MAKEFILE=$NGX_OBJS/Makefile
NGX_MODULES_C=$NGX_OBJS/ngx_modules.c

NGX_AUTO_HEADERS_H=$NGX_OBJS/ngx_auto_headers.h
NGX_AUTO_CONFIG_H=$NGX_OBJS/ngx_auto_config.h

NGX_AUTOTEST=$NGX_OBJS/autotest
NGX_AUTOCONF_ERR=$NGX_OBJS/autoconf.err

# STUBs
NGX_ERR=$NGX_OBJS/autoconf.err
MAKEFILE=$NGX_OBJS/Makefile


NGX_PCH=
NGX_USE_PCH=


# check the echo's "-n" option and "\c" capability

if echo "test\c" | grep c >/dev/null; then

    if echo -n test | grep n >/dev/null; then
        ngx_n=
        ngx_c=

    else
        ngx_n=-n
        ngx_c=
    fi

else
    ngx_n=
    ngx_c='\c'
fi


# create Makefile

cat << END > Makefile

default: build

clean:
	rm -rf Makefile $NGX_OBJS
	rm -f 3rd-party/ngx_http_robot_mitigation/ngx_http_robot_mitigation_tpl.c
END

the line with rm -f 3rd-party/ngx_http_robot_mitigation/ngx_http_robot_mitigation_tpl.c is likely meant as rm -f neusoft/ngx_http_robot_mitigation/ngx_http_robot_mitigation_tpl.c

www.senginx.org

Hello,

looks like domain/website takeover:

www.senginx.org - > https://www.fd8777.com/home/reg.html?att=262

alexus@mbp ~ % curl -Iv www.senginx.org
*   Trying 23.27.242.165...
* TCP_NODELAY set
* Connected to www.senginx.org (23.27.242.165) port 80 (#0)
> HEAD / HTTP/1.1
> Host: www.senginx.org
> User-Agent: curl/7.64.1
> Accept: */*
> 
< HTTP/1.1 302 Found
HTTP/1.1 302 Found
< Server: nginx
Server: nginx
< Date: Thu, 01 Apr 2021 20:08:20 GMT
Date: Thu, 01 Apr 2021 20:08:20 GMT
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
< Connection: keep-alive
Connection: keep-alive
< location: https://www.fd8777.com/home/reg.html?att=262
location: https://www.fd8777.com/home/reg.html?att=262

< 
* Connection #0 to host www.senginx.org left intact
* Closing connection 0
alexus@mbp ~ % 
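
A check for the kind of redirect reported above, as an added example that is not part of the original post: it parses the received (`<`) header lines of a `curl -Iv` transcript and reports a 3xx `Location` that leaves the expected domain. The transcript is an excerpt of the output in the post; the function names and the second, relative-redirect case are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Excerpt of the curl -Iv output quoted in the post ('<' marks received headers).
TRANSCRIPT = """\
> HEAD / HTTP/1.1
> Host: www.senginx.org
< HTTP/1.1 302 Found
< Server: nginx
< Content-Type: text/html; charset=UTF-8
< location: https://www.fd8777.com/home/reg.html?att=262
< 
"""


def parse_curl_headers(transcript):
    """Return (status_code, headers) built from the '<' lines of curl -v output."""
    status, headers = None, {}
    for raw in transcript.splitlines():
        if not raw.startswith("< "):
            continue  # request lines ('>'), info lines ('*') and echoed duplicates
        line = raw[2:].strip()
        if line.startswith("HTTP/"):
            parts = line.split()
            if len(parts) > 1 and parts[1].isdigit():
                status = int(parts[1])
        elif ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def off_site_redirect(requested_url, status, headers, expected_domain):
    """Return the absolute redirect target if it leaves expected_domain, else None."""
    if status is None or status // 100 != 3 or "location" not in headers:
        return None
    # Resolve relative and scheme-relative Location values against the request URL.
    target = urljoin(requested_url, headers["location"])
    host = (urlsplit(target).hostname or "").lower()
    domain = expected_domain.lower()
    # Compare on a label boundary so "senginx.org.example" does not pass as on-site.
    if host == domain or host.endswith("." + domain):
        return None
    return target


def check_transcript(requested_url, transcript, expected_domain):
    status, headers = parse_curl_headers(transcript)
    return off_site_redirect(requested_url, status, headers, expected_domain)


if __name__ == "__main__":
    hit = check_transcript("http://www.senginx.org/", TRANSCRIPT, "senginx.org")
    print("off-site redirect:", hit)
    # Constructed counter-case: a relative redirect stays on the site.
    same_site = off_site_redirect(
        "http://www.senginx.org/", 302, {"location": "/en/index.php"}, "senginx.org"
    )
    print("relative redirect flagged:", same_site)
```
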

Robot Mitigation, IP blacklist and set_real_ip problem

There seems to be an issue with the IP blacklist and the http_realip_module I think.

I have a setup where I use senginx as a reverse proxy in front of some webservers. The machine is furthermore placed behind Cloudflare.

Cloudflare -> senginx -> webservers

My build info is as follows

./se-configure.sh --with-http_realip_module --with-ipv6

Giving me:

nginx version: senginx/1.6.2
built by gcc 4.8.2 (Ubuntu 4.8.2-19ubuntu1) 
TLS SNI support enabled
configure arguments: --with-http_realip_module --with-ipv6  .....

Tailing the logs while doing an ab (Apache Bench) towards the server to trigger the robot_mitigation_blacklist failed_count gives me the correct IP of my test machine (1.1.1.1):

==> ../logs/proxy.log <==
1.1.1.1 - - [26/May/2015:16:31:47 +0200] "GET / HTTP/1.1" 000 0 "-" "ApacheBench/2.3"

And after a while the IP is blacklisted:

==> ../logs/error.log <==
2015/05/26 16:31:47 [error] 1573#0: *6 ip_blacklist: Blocked IP address: "1.1.1.1", mode: local, while running ip_blacklist, client: 1.1.1.1, server: my-server.com, request: "GET / HTTP/1.1", host: "www.my-server.com"

However after the IP is blacklisted I suddenly get requests that are not being resolved correctly by the http_realip_module. 141.101.104.34 is a Cloudflare server.

In my nginx.conf file I have the following config to get the correct IP from Cloudflare of the client accessing the site.

    ##
    # Cloudflare
    ##

    set_real_ip_from   199.27.128.0/21;
    set_real_ip_from   173.245.48.0/20;
    set_real_ip_from   103.21.244.0/22;
    set_real_ip_from   103.22.200.0/22;
    set_real_ip_from   103.31.4.0/22;
    set_real_ip_from   141.101.64.0/18;
    set_real_ip_from   108.162.192.0/18;
    set_real_ip_from   190.93.240.0/20;
    set_real_ip_from   188.114.96.0/20;   
    set_real_ip_from   197.234.240.0/22;
    set_real_ip_from   198.41.128.0/17;
    set_real_ip_from   162.158.0.0/15;
    set_real_ip_from   104.16.0.0/12;
    set_real_ip_from   2400:cb00::/32;
    set_real_ip_from   2606:4700::/32;
    set_real_ip_from   2803:f800::/32;
    set_real_ip_from   2405:b500::/32;
    set_real_ip_from   2405:8100::/32;
    real_ip_header     CF-Connecting-IP;

The logs now appear as:

==> ../logs/access.log <==
141.101.104.34 www.my-server.com - [26/May/2015:16:31:47 +0200] "GET / HTTP/1.1" 000 0 "-" "ApacheBench/2.3" "-"

Another problem is that it seems to take a lot of concurrent requests to the senginx machine to actually trigger the blacklist - seems like you have to do at least robot_mitigation_blacklist per second in order to get blacklisted?
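
A simplified model of the real-IP replacement rule described in the post above, written as an added example and not taken from the original post or from SEnginx: the peer address is replaced by the CF-Connecting-IP value only when the peer lies in a `set_real_ip_from` range, and access-log lines whose first field is itself one of those proxy addresses are listed for review. The ranges and the two log lines are copied from the post; the function names and the header values in the test calls are constructed.

```python
import ipaddress

# set_real_ip_from ranges copied from the nginx.conf excerpt in the post.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (
    "199.27.128.0/21", "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22",
    "103.31.4.0/22", "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20",
    "188.114.96.0/20", "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15",
    "104.16.0.0/12", "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32",
    "2405:b500::/32", "2405:8100::/32",
)]
REAL_IP_HEADER = "cf-connecting-ip"  # real_ip_header from the post, lower-cased

# Log lines quoted in the post, including the `tail` file banners.
SAMPLE_LOG = [
    "==> ../logs/proxy.log <==",
    '1.1.1.1 - - [26/May/2015:16:31:47 +0200] "GET / HTTP/1.1" 000 0 "-" "ApacheBench/2.3"',
    "==> ../logs/access.log <==",
    '141.101.104.34 www.my-server.com - [26/May/2015:16:31:47 +0200] '
    '"GET / HTTP/1.1" 000 0 "-" "ApacheBench/2.3" "-"',
]


def parse_ip(text):
    """Return an ip_address object, or None if text is not a valid address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def is_trusted_proxy(addr):
    return any(addr.version == net.version and addr in net for net in TRUSTED_PROXIES)


def effective_client(peer, headers):
    """Address a per-client control (logging, rate limit, blacklist) should key on."""
    peer_ip = parse_ip(peer)
    if peer_ip is None or not is_trusted_proxy(peer_ip):
        return peer  # direct or untrusted peer: its header claim is ignored
    lowered = {name.lower(): value for name, value in headers.items()}
    claimed = parse_ip(lowered.get(REAL_IP_HEADER, ""))
    # Missing or malformed header: fall back to the proxy address.
    return str(claimed) if claimed is not None else peer


def lines_logged_with_proxy_address(log_lines):
    """Log lines whose first field is a trusted-proxy address, not a client."""
    flagged = []
    for line in log_lines:
        fields = line.split()
        addr = parse_ip(fields[0]) if fields else None
        if addr is not None and is_trusted_proxy(addr):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    # Constructed requests: same proxy peer with and without the header.
    print(effective_client("141.101.104.34", {"CF-Connecting-IP": "1.1.1.1"}))
    print(effective_client("141.101.104.34", {}))
    for line in lines_logged_with_proxy_address(SAMPLE_LOG):
        print("proxy address logged as client:", line)
```

Any per-address control that acts on the second kind of line is acting on a shared proxy address rather than on one client.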

New support lua language

I am very pleased to see that SEnginx has added 3rd party support for 'agentzh's' lua language module. This is a very extensive language to have within nginx.

However, I see [currently @ 26/03/2014] that the default SEnginx file 'se-configure.sh' has not yet been edited / updated to add this new 'lua' module feature.

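dyn resolver timeout problem

I studied your code implementation. I found that if the DNS server has a problem, every request has to wait for resolver_timeout to expire, and if the form proxy_pass www.xxx.com dynamic_resolve; is used, the service will fail. I am not sure whether I understand this correctly.

I added a proxy_dyn_resolve_fail_timeout variable: after a DNS failure, for that period it follows the original logic and directly uses the IP address obtained at startup, so that service can be provided as far as possible when DNS has problems.
Could you help review it and see whether SEnginx should add a similar fault-tolerance mechanism?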
taoyuanyuan/tengine@1b801de

thx

SEnginx + req_limit issue + ModSecurity

Hi, I'm new to SEnginx and I just set it up on a test server, last release 1.6.2.
After installation I added in the nginx.conf file a rule for limit requests as explained here:
http://www.senginx.org/en/index.php/Condition_Limit_Req
so I have:
http {
    # Create a global request accounting pool - DOS prevention -
    limit_req_zone $binary_remote_addr $request_uri zone=antidos:10m rate=10r/s;
    .....
    .....
    server {
        location / {
            limit_req zone=antidos burst=1 forbid_action=@process;
        }
        location @process {
            return 503;
        }
    }
I tested it and it works fine (also if, as you can see, I removed condition=$cond).
Then I configured, enabled and tested modsecurity and it also works fine ( checked it with many tools from Kali Linux).
The issue is that, with modsecurity enabled, requests are no longer limited while, if I disable it, requests are limited.
Please, can you point me on how can I solve this?
Maybe by enabling modsecurity, I have to use another kind of rule to achieve the same result?

This is the config that doesn't work:
http {
    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;

    # Create a global request accounting pool - DOS prevention -
    limit_req_zone $binary_remote_addr $request_uri zone=antidos:10m rate=10r/s;
    .....
    .....
    server {
        location / {
            limit_req zone=antidos burst=1 forbid_action=@process;
        }
        location @process {
            return 503;
        }

    }
Thanks for your help,
Best Regards
Frank_sz

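robot_mitigation off has no effect

I have an overseas proxy node that forwards all overseas requests to China, where SENginx is used. Many requests from this IP get a 408 error once they reach the domestic side. I suspect they are being blocked by the DDOS module.

Setting robot_mitigation off had no effect.

I would like to know whether there is some way to whitelist a particular IP address. The ua whitelist and dns_resolver described in the documentation do not seem to be whitelists for IP addresses.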

confusion / conflict with main nginx branch ssl_* changes

Hi @InfoHunter @PaulYang,

I am trapped by the over-lap / variances of this SEnginx to the main nginx branch.
If you look at trunk nginx changes here:

  1. http://hg.nginx.org/nginx/rev/7022564a9e0e
  2. http://hg.nginx.org/nginx/rev/060c2e692b96

You can see an overlap on ssl_* handling.
As SEnginx is lagging behind upstream, I am in confusion which 'branch' [SEnginx @ v1.5.13 or mainstream trunk @ V1.7.1

I once could merge the differences between SEnginx and Nginx, but this possible ssl_* over-lap makes such practice tricky.

Coredump on googlebot while using resolver

senginx 1.6.2
Using resolver causes crash.

Config lines:
...
resolver 127.0.0.1 valid=48h;
resolver_timeout 5s;

# searchengines hostnames detected by reversed DNS lookup
whitelist_ua $ua_searchengines
{
      "google" ".*\.google\.com";
      "googlebot" ".*\.googlebot\.com";
}

...

coredump info:

GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/...
Reading symbols from /usr/local/senginx/sbin/senginx...done.
[New LWP 13063]

warning: Can't read pathname for load map: Input/output error.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `nginx: worker process '.
Program terminated with signal 11, Segmentation fault.
#0 ngx_palloc (pool=0x0, size=size@entry=88) at src/core/ngx_palloc.c:125

125 if (size <= pool->max) {
(gdb) bt
#0 ngx_palloc (pool=0x0, size=size@entry=88) at src/core/ngx_palloc.c:125
#1 0x000000000040a0d7 in ngx_pcalloc (pool=<optimized out>, size=size@entry=88) at src/core/ngx_palloc.c:304
#2 0x0000000000470044 in ngx_http_rewrite_handler (r=0xdb8af0) at src/http/modules/ngx_http_rewrite_module.c:187
#3 0x0000000000437f2f in ngx_http_core_rewrite_phase (r=0xdb8af0, ph=0xdcfc70) at src/http/ngx_http_core_module.c:967
#4 0x0000000000433da3 in ngx_http_core_run_phases (r=r@entry=0xdb8af0) at src/http/ngx_http_core_module.c:913
#5 0x00000000004b5dc1 in ngx_http_wl_resolve_addr_handler (ctx=0xda00d0) at /usr/local/src/senginx-1.6.2/neusoft/ngx_http_whitelist/ngx_http_whitelist.c:464
#6 0x000000000041c2ec in ngx_resolver_process_ptr (nan=<optimized out>, code=0, ident=<optimized out>, n=26, buf=0x7fff788bad20 "cā\200", r=0xc73580) at src/core/ngx_resolver.c:2243
#7 ngx_resolver_process_response (n=26, buf=0x7fff788bad20 "cā\200", r=0xc73580) at src/core/ngx_resolver.c:1377
#8 ngx_resolver_read_response (rev=0xdd5870) at src/core/ngx_resolver.c:1240
#9 0x0000000000429933 in ngx_epoll_process_events (cycle=0xc551b0, timer=<optimized out>, flags=<optimized out>) at src/event/modules/ngx_epoll_module.c:691
#10 0x000000000042046a in ngx_process_events_and_timers (cycle=cycle@entry=0xc551b0) at src/event/ngx_event.c:248
#11 0x00000000004279dd in ngx_worker_process_cycle (cycle=cycle@entry=0xc551b0, data=data@entry=0x1) at src/os/unix/ngx_process_cycle.c:851
#12 0x0000000000425f4b in ngx_spawn_process (cycle=cycle@entry=0xc551b0, proc=proc@entry=0x4278ee <ngx_worker_process_cycle>, data=data@entry=0x1, name=name@entry=0x4c706b "worker process", respawn=respawn@entry=-3) at src/os/unix/ngx_process.c:198
#13 0x0000000000426ca5 in ngx_start_worker_processes (cycle=cycle@entry=0xc551b0, n=4, type=type@entry=-3) at src/os/unix/ngx_process_cycle.c:398
#14 0x0000000000428806 in ngx_master_process_cycle (cycle=cycle@entry=0xc551b0) at src/os/unix/ngx_process_cycle.c:160
#15 0x0000000000408a3f in main (argc=<optimized out>, argv=<optimized out>) at src/core/nginx.c:407

(gdb) backtrace full
#0 ngx_palloc (pool=0x0, size=size@entry=88) at src/core/ngx_palloc.c:125

    m = <optimized out>
    p = <optimized out>

#1 0x000000000040a0d7 in ngx_pcalloc (pool=<optimized out>, size=size@entry=88) at src/core/ngx_palloc.c:304

    p = <optimized out>

#2 0x0000000000470044 in ngx_http_rewrite_handler (r=0xdb8af0) at src/http/modules/ngx_http_rewrite_module.c:187

    index = <optimized out>
    code = <optimized out>
    e = <optimized out>
    cscf = <optimized out>
    cmcf = <optimized out>
    rlcf = 0xc7fa18

#3 0x0000000000437f2f in ngx_http_core_rewrite_phase (r=0xdb8af0, ph=0xdcfc70) at src/http/ngx_http_core_module.c:967

    rc = <optimized out>

#4 0x0000000000433da3 in ngx_http_core_run_phases (r=r@entry=0xdb8af0) at src/http/ngx_http_core_module.c:913

    rc = <optimized out>
    ph = 0xdcfbe0
    cmcf = <optimized out>

#5 0x00000000004b5dc1 in ngx_http_wl_resolve_addr_handler (ctx=0xda00d0) at /usr/local/src/senginx-1.6.2/neusoft/ngx_http_whitelist/ngx_http_whitelist.c:464

    r = 0xdb8af0
    node = <optimized out>
    hash = 3742699198

#6 0x000000000041c2ec in ngx_resolver_process_ptr (nan=<optimized out>, code=0, ident=<optimized out>, n=26, buf=0x7fff788bad20 "cā\200", r=0xc73580) at src/core/ngx_resolver.c:2243

    err = <optimized out>
    addr = 2822830402
    an = 0x7fff788bad4e
    next = 0x0
    tree = 0xc73610
    text = "66.249.64.168\177\000\000\000\000\000\000\000\000\000\000|\255\213x\377\177\000\000\020\066\307\000\000\000\000\000\200\066\307\000\000\000\000\000Д\305\000\000\000\000\000\000\000\000\000\005\377\316\301!\000\000\000\000\000\000\000\020\035\332\000\000\000\000\000\065.255.206.193\177\000\000\000\000\000\000\000\000\000\000g\236@\000\000\000\000", <incomplete sequence \360>
    ttl = 83550
    octet = <optimized out>
    name = {len = 33, data = 0xc5c560 "crawl-66-249-64-168.googlebot.com"}
    i = 56
    mask = <optimized out>
    qident = <optimized out>
    ctx = <optimized out>
    len = <optimized out>
    class = <optimized out>
    expire_queue = 0xc73680
    rn = 0xdafe80

#7 ngx_resolver_process_response (n=26, buf=0x7fff788bad20 "cā\200", r=0xc73580) at src/core/ngx_resolver.c:1377

    q = <optimized out>
    err = <optimized out>
    times = <optimized out>
    nqs = <optimized out>
    qtype = <optimized out>
    qs = <optimized out>
    i = <optimized out>
    ident = <optimized out>
    qident = <optimized out>
    flags = 0
    code = 0
    response = 0x7fff788bad20
    nan = 140735215808010
    qclass = 13055504
    rn = <optimized out>

#8 ngx_resolver_read_response (rev=0xdd5870) at src/core/ngx_resolver.c:1240

    n = 26
    c = 0x7f4fd9bd6880
    buf = "cā\200\000\001\000\001\000\004\000\004\003\061\066\070\002\066\064\003\062\064\071\002\066\066\ain-addr\004arpa\000\000\f\000\001\300\f\000\f\000\001\000\001F^\000#\023crawl-66-249-64-168\tgooglebot\003com\000\300\020\000\002\000\001\000\001D\367\000\r\003ns3\006google\300V\300\020\000\002\000\001\000\001D\367\000\006\003ns1\300k\300\020\000\002\000\001\000\001D\367\000\006\003ns4\300k\300\020\000\002\000\001\000\001D\367\000\006\003ns2\300k\300\200\000\001\000\001\000\005\071w\000\004\330\357 \n\300\244\000\001\000\001\000\005\071w\000\004\330\357\"\n\300g\000\001\000\001\000\005\071w\000\004\330\357$\n\300\222\000\001\000\001\000\005\071w"...

#9 0x0000000000429933 in ngx_epoll_process_events (cycle=0xc551b0, timer=<optimized out>, flags=<optimized out>) at src/event/modules/ngx_epoll_module.c:691

    events = 1
    revents = 1
    instance = <optimized out>
    i = <optimized out>
    level = <optimized out>
    err = <optimized out>
    rev = 0xdd5870
    wev = <optimized out>
    queue = <optimized out>
    c = 0x7f4fd9bd6880

#10 0x000000000042046a in ngx_process_events_and_timers (cycle=cycle@entry=0xc551b0) at src/event/ngx_event.c:248

    flags = 1
    timer = 57
    delta = 1465305138955

#11 0x00000000004279dd in ngx_worker_process_cycle (cycle=cycle@entry=0xc551b0, data=data@entry=0x1) at src/os/unix/ngx_process_cycle.c:851

    worker = 1
    i = <optimized out>
    c = <optimized out>

#12 0x0000000000425f4b in ngx_spawn_process (cycle=cycle@entry=0xc551b0, proc=proc@entry=0x4278ee <ngx_worker_process_cycle>, data=data@entry=0x1, name=name@entry=0x4c706b "worker process", respawn=respawn@entry=-3) at src/os/unix/ngx_process.c:198

    on = 1
    pid = 0
    s = 1

#13 0x0000000000426ca5 in ngx_start_worker_processes (cycle=cycle@entry=0xc551b0, n=4, type=type@entry=-3) at src/os/unix/ngx_process_cycle.c:398

    i = <optimized out>
    ch = {command = 1, pid = 13062, slot = 0, fd = 3}

#14 0x0000000000428806 in ngx_master_process_cycle (cycle=cycle@entry=0xc551b0) at src/os/unix/ngx_process_cycle.c:160

    title = 0xdd23ec "master process /usr/local/senginx/sbin/senginx -c /usr/local/senginx/conf/nginx.conf"
    p = <optimized out>
    size = <optimized out>
    i = <optimized out>
    n = <optimized out>
    sigio = <optimized out>
    set = {__val = {0 <repeats 16 times>}}
    itv = {it_interval = {tv_sec = 12936662, tv_usec = 0}, it_value = {tv_sec = 0, tv_usec = 0}}
    live = <optimized out>
    delay = <optimized out>
    ls = <optimized out>
    ccf = 0xc562f0

#15 0x0000000000408a3f in main (argc=<optimized out>, argv=<optimized out>) at src/core/nginx.c:407

    i = <optimized out>
    log = 0x730440
    cycle = 0xc551b0
    init_cycle = {conf_ctx = 0x0, pool = 0xc54c20, log = 0x730440, new_log = {log_level = 0, file = 0x0, connection = 0, handler = 0, data = 0x0, writer = 0,
        wdata = 0x0, action = 0x0, next = 0x0}, log_use_stderr = 0, files = 0x0, free_connections = 0x0, free_connection_n = 0, reusable_connections_queue = {
        prev = 0x0, next = 0x0}, listening = {elts = 0x0, nelts = 0, size = 0, nalloc = 0, pool = 0x0}, paths = {elts = 0x0, nelts = 0, size = 0, nalloc = 0,
        pool = 0x0}, open_files = {last = 0x0, part = {elts = 0x0, nelts = 0, next = 0x0}, size = 0, nalloc = 0, pool = 0x0}, shared_memory = {last = 0x0, part = {
          elts = 0x0, nelts = 0, next = 0x0}, size = 0, nalloc = 0, pool = 0x0}, connection_n = 0, files_n = 0, connections = 0x0, read_events = 0x0,
      write_events = 0x0, old_cycle = 0x0, conf_file = {len = 34, data = 0x7fff788bcf49 ""}, conf_param = {len = 0, data = 0x0}, conf_prefix = {len = 24,
        data = 0x7fff788bcf49 ""}, prefix = {len = 19, data = 0x4c2493 "/usr/local/senginx/"}, lock_file = {len = 0, data = 0x0}, hostname = {len = 0,
        data = 0x0}, session_callback = 0, ip_blacklist_callback = 0, session_enabled = 0 '\000', ip_blacklist_enabled = 0 '\000'}
    ccf = <optimized out>

(gdb)

ip_blacklist not working

Hello,
I installed SEnginx and configured the ip_blacklist module, but nothing is blocked. What is wrong? Can you help?

$conf
ip_blacklist on;
ip_blacklist_size 10240;
ip_blacklist_timeout 3600;
ip_blacklist_log on;
ip_blacklist_mode sys;
ip_blacklist_syscmd "sudo /sbin/pfctl -t ddos -T add %V";

$log
2014/10/20 18:25:29 [error] 83966#0: 1715706 ip_blacklist: Blocked IP address: "94.243.68.13", mode: sys, while running ip_blacklist, client: 94.243.68.13, server: *.ru, request: "GET /images/el/new_4/c2fc51495709c457943273d671547ef3_XL.jpg HTTP/1.1", host: ".ru", referrer: "http://*.ru/"

$proc
www 83876 0.0 0.0 116208 7240 - S 6:16PM 0:00.05 nginx: IP blacklist manager process (nginx)

$sudoers
%www ALL = (ALL) NOPASSWD: /sbin/pfctl
www ALL = (ALL) NOPASSWD: /sbin/pfctl

$dmesg
pid 84227 (nginx), uid 80: exited on signal 11
pid 84228 (nginx), uid 80: exited on signal 11

$os
10.0-RELEASE FreeBSD 10.0-RELEASE #1: Fri Sep 19 20:32:25 EEST 2014

$senginx
nginx version: senginx/1.6.1
built by clang 3.3 (tags/RELEASE_33/final 183502) 20130610
TLS SNI support enabled
configure arguments: --prefix=/usr/local/etc/nginx --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=www --group=www --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx/access.log --add-module=/root/senginx/neusoft/ngx_http_neteye_security --add-module=/root/senginx/3rd-party/naxsi/naxsi_src --add-module=/root/senginx/3rd-party/nginx-upstream-fair --add-module=/root/senginx/3rd-party/headers-more-nginx-module --add-module=/root/senginx/3rd-party/ngx_http_substitutions_filter_module --add-module=/root/senginx/3rd-party/nginx_tcp_proxy_module --add-module=/root/senginx/neusoft/ngx_http_upstream_fastest --add-module=/root/senginx/neusoft/ngx_http_upstream_persistence --add-module=/root/senginx/neusoft/ngx_http_session --add-module=/root/senginx/neusoft/ngx_http_robot_mitigation --add-module=/root/senginx/neusoft/ngx_http_status_page --add-module=/root/senginx/neusoft/ngx_http_if_extend --add-module=/root/senginx/neusoft/ngx_http_cache_extend --add-module=/root/senginx/neusoft/ngx_http_cookie_poisoning --add-module=/root/senginx/neusoft/ngx_http_web_defacement --add-module=/root/senginx/neusoft/ngx_http_ip_blacklist --add-module=/root/senginx/neusoft/ngx_http_ip_behavior --add-module=/root/senginx/neusoft/ngx_http_whitelist --add-module=/root/senginx/neusoft/ngx_http_statistics --add-module=/root/senginx/3rd-party/ngx_cache_purge-1.3

Feature request: set $Roboo_secret

Hello,
We are currently using roboo.pm on a cluster (4 servers). Each server is assigned the same IPs via BGP, so we have round-robin load balancing (without session support) and use a static secret (the same on each server).
A few days ago I found SEnginx and was really impressed by its functionality.
Thanks for the great product, but we need to set the same secret on each server to eliminate key mismatch problems.

Cookie value on cluster configuration

Hello.
We are currently using senginx with HTTP Robot Mitigation on a second cluster (4 servers). Our first cluster uses Perl Roboo on 5 servers. Load balancing is done via BGP (yes, it's dummy balancing without session support, but it works and is easy to use), so one request (e.g. /) can be routed via 3-4-5 servers (e.g. / via the 1st server, some images via the 2nd server, some css/js via the 3rd server...).

robot_mitigation_secret is static and the same on each server.
So now we have the following issue:
After a rechallenge the client gets a different cookie value, but it may not be rechallenged on all cluster servers.
E.g. clear the cache and the cookie value changes (robot_mitigation_secret is static).

On the first cluster with Perl Roboo this does not happen: after a rechallenge (clear cache, timeout...) the cookie value stays the same until the secret changes, and Roboo_secret is static there too.

dynamic_resolve and keepalive segfault

This appears to be related to issue #11

This is with senginx 1.6.0

Our configuration looks like this:

resolver 127.0.0.1:53 valid=10;
resolver_timeout 1s;

upstream consumer_upstream {
    server example.com:443;
    keepalive 8;
}

server {
    location / {
        proxy_pass https://consumer_upstream dynamic_resolve dynamic_fail_timeout=30s dynamic_fallback=stale;
    }
}

With the keepalive option there we get the following segfault; if we remove it, things appear to run as expected.

*** glibc detected *** nginx: worker process: double free or corruption (!prev): 0x000000000184c380 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x76166)[0x7f3c6a3f9166]
/lib64/libc.so.6(+0x78ca3)[0x7f3c6a3fbca3]
nginx: worker process[0x408d15]
nginx: worker process[0x44bd9e]
nginx: worker process[0x44d870]
nginx: worker process[0x44da5d]
nginx: worker process[0x437e79]
nginx: worker process[0x426f37]
nginx: worker process[0x41e063]
nginx: worker process[0x42500e]
nginx: worker process[0x42362c]
nginx: worker process[0x42431a]
nginx: worker process[0x425634]
nginx: worker process[0x40801b]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x7f3c6a3a1d1d]
nginx: worker process[0x406819]
2014/05/29 16:38:02 [alert] 30380#0: worker process 30382 exited on signal 6

mass ssl sni hosting - possibly feature request

Hello!

Is it possible to dynamically load certificates/keys for ssl/tls? I would like to avoid reloading the configuration on every change. The frontend nginx, using custom DNS servers, maps the vhost to a backend server; it works fine for http, but I would like to use it for https as well.

something like ssl_certificate /etc/nginx/ssl/$http_host.pem

Number of writing connections rise

The nginx stub status module (ngx_http_stub_status_module) shows a continuously growing number of connections in the "writing" status.
This metric does not grow very quickly, but it grows all the time until nginx is restarted.
Old versions of SEnginx are perhaps affected.

coredump in proxy module

Bugfix: coredump in proxy module
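if an upstream block is placed after a proxy_pass directive, a coredump will happen.
I downloaded the latest source code (marked as having fixed the coredump bug), compiled it, and replaced the original senginx 1.6.1 version.
But in use I found that coredumps still appear in the error log: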
2014/12/23 16:09:06 [alert] 25598#0: worker process 25600 exited on signal 11 (core dumped)
2014/12/23 19:22:52 [alert] 25598#0: worker process 25604 exited on signal 11 (core dumped)
2014/12/23 19:22:58 [alert] 25598#0: worker process 25602 exited on signal 11 (core dumped)
2014/12/23 21:59:25 [alert] 25598#0: worker process 25605 exited on signal 11 (core dumped)
2014/12/23 21:59:26 [alert] 25598#0: worker process 25820 exited on signal 11 (core dumped)
2014/12/24 01:32:20 [alert] 25598#0: worker process 25694 exited on signal 11 (core dumped)
2014/12/24 01:32:20 [alert] 25598#0: worker process 25919 exited on signal 11 (core dumped)
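My nginx.conf uses include proxy/*.conf. The proxy directory contains multiple configuration files, each of which contains one upstream block and one server block, and each server block contains a proxy_pass.
I hope this bug can be fixed as soon as possible, and also that an upgrade to nginx 1.7.8 is possible,
because the current version has the "header already sent" bug, which newer nginx versions have already fixed: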
2014/12/24 01:32:30 [alert] 25823#0: *286349 header already sent, client: 66.249.75.163, server: _, request: "GET /includes/templates/nike/jscript/jscript_jquery-1.4.2.min.js HTTP/1.1", host: "www.nikeoutlet.net"

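Dynamic IP blacklist fails to execute in sys mode

My environment is Linux ubuntu 3.13.0-32-generic. After compiling SEnginx, I use the Robot Mitigation module together with the dynamic IP blacklist to implement dynamic blacklisting. With the dynamic IP blacklist in sys mode, the configured command is ip_blacklist_syscmd "sudo /sbin/iptables -A INPUT -s %V -j DROP"; When debugging with gdb, I found that in ngx_http_ip_blacklist.c, in the function ngx_http_ip_blacklist_update(), execution reaches line 1013, ret = system((char *)imcf->buf); and regardless of whether ret returns 256 or 0, the command from the configuration is never executed successfully. Urgent help needed!!!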

Request: Dependency tree [map] structure on "ngx_http_neteye_security" and its children

@InfoHunter

When you have some time, could you 'draw' a dependency tree map on the SEnginx code involved on the "ngx_http_neteye_security" framework used within SEnginx.

What I am earnestly 'seeking' is the SEnginx "dependents" needing the actual "ngx_http_neteye_security" code framework. (it is not so apparent on my long term study)...

I find it hard not seeing the code layout [map] without resorting to trial and error in production use compiling and testing module inclusiveness.

This likely sounds like my older request at #2 [now closed].

SEnginx 1.5.11 configuration bug for '/naxsi/naxsi_src' [optional module]

Please consider this patch for auto/install to overcome a compile error if the '/naxsi/naxsi_src' [optional module] is not enabled.

The patch is for the file /auto/install

        test -d '\$(DESTDIR)$NGX_PREFIX/html' \
                || cp -R $NGX_HTML '\$(DESTDIR)$NGX_PREFIX'

-        test -d '\$(DESTDIR)$NGX_PREFIX/naxsi' || mkdir -p '\$(DESTDIR)$NGX_PREFIX/naxsi'
-        cp -R 3rd-party/naxsi/nx_util '\$(DESTDIR)$NGX_PREFIX/naxsi/'
-        cp -R 3rd-party/naxsi/naxsi_config '\$(DESTDIR)$NGX_PREFIX/naxsi/'
-        sed -i 's#naxsi_core_rules=.*#naxsi_core_rules=\$(DESTDIR)$NGX_PREFIX/naxsi/naxsi_config/naxsi_core.rules#' '\$(DESTDIR)$NGX_PREFIX/naxsi/nx_util/nx_util.conf'
-        sed -i 's#data_dir=.*#data_dir=\$(DESTDIR)$NGX_PREFIX/naxsi/nx_util/nx_datas#' '\$(DESTDIR)$NGX_PREFIX/naxsi/nx_util/nx_util.conf'
END


if test -n "$NGX_ERROR_LOG_PATH"; then
    cat << END                                                >> $NGX_MAKEFILE

        test -d '\$(DESTDIR)`dirname "$NGX_ERROR_LOG_PATH"`' || \
                mkdir -p '\$(DESTDIR)`dirname "$NGX_ERROR_LOG_PATH"`'
END

fi
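Review bot: the five naxsi lines are removed unconditionally, so a build that does enable the optional naxsi module would no longer get nx_util and naxsi_config installed, and nx_util.conf would keep its unmodified paths. Instead of deleting the block, consider guarding it, for example by emitting these lines only when 3rd-party/naxsi/nx_util exists or when the naxsi module was configured, so that only builds without naxsi skip it. If the block is kept in guarded form, note that both sed expressions write \$(DESTDIR)$NGX_PREFIX into nx_util.conf, which records the staging root in the installed file for packaged builds; the values written for naxsi_core_rules and data_dir should use $NGX_PREFIX without the DESTDIR prefix.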

Otherwise, without the optional '/naxsi/naxsi_src' module compiling will fail with this error:

test -d '/root/rpmbuild/BUILDROOT/nginx-1.5.12-1.fc20.x86_64/usr/share/nginx/naxsi' || mkdir -p '/root/rpmbuild/BUILDROOT/nginx-1.5.12-1.fc20.x86_64/usr/share/nginx/naxsi'
cp -R 3rd-party/naxsi/nx_util '/root/rpmbuild/BUILDROOT/nginx-1.5.12-1.fc20.x86_64/usr/share/nginx/naxsi/'
cp: cannot stat '3rd-party/naxsi/nx_util': No such file or directory
make[1]: *** [install] Error 1

Query: proxy cache extend: match content types

@InfoHunter

Looking through the debug log for SEnginx, I noted entries with: "proxy cache extend: match content types, caching" (this occurred for an html asset => a 'fastcgi' http upstream request: "/index.php?q="). I note this 'cache_extend' occurred on a 'fastcgi' and not a 'proxy' upstream....

Checking the 'proxy cache extend' notes at the SEnginx Wiki: http://www.senginx.org/en/index.php/Cache_Extend it 'reads' as being only for use with "NGINX Proxy module"

So I assume (by virtue of the debug logs) that 'proxy cache extend' can be applied to both 1) "ngx_http_fastcgi_module" and 2) "ngx_http_proxy_module".

Sorry for the 'noise' - just need to understand the SEnginx "Cache Extend" better.

Please update site documentation for changes HTTP Persistence module in SEnginx 1.5.11

By trial and error, I found that the online documentation for the 'HTTP Persistence' module is incorrect; it states the use of 'http_cookie' - which fails.

Error looks like this: "[emerg] 52376#0: "persistence" directive config error in /etc/nginx/nginx.conf:364"

See: http://www.senginx.org/en/index.php/HTTP_Persistence

The latest 'CHANGES.senginx' file states this; "http_cookie is now changed to insert_cookie"

That works fine!

Feature request: set $Roboo_challenge_hash_input

Hello,
As I saw in the sources, the cookie value is based on $remote_addr only.
Can we get "set $Roboo_challenge_hash_input" to prevent issues for users behind NAT (actually we already have a client with similar issues, but for now I'm not sure about this)?
In Perl Roboo we use the following:

set $Roboo_challenge_hash_input $remote_addr$http_user_agent;
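An added sketch relating to the three cookie issues above (static secret, cluster cookie value, hash input); it is not SEnginx or Roboo code and does not reproduce either project's cookie algorithm. It assumes a challenge cookie computed as an HMAC over selected request fields, and shows what makes the value identical on every node and what the choice of hash input means for clients behind one NAT address. All names, the secret and the sample requests are constructed for illustration.

```python
import hashlib
import hmac
import os


def challenge_cookie(secret, request, hash_input):
    """Derive the cookie from the secret and the selected request fields only."""
    msg = b""
    for name in hash_input:
        value = request[name].encode()
        # Length-prefix each field so adjacent fields cannot be shifted
        # into each other ("10.0.0.1" + "2x" versus "10.0.0.12" + "x").
        msg += len(value).to_bytes(4, "big") + value
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Node:
    """One server of the cluster (hypothetical model, not SEnginx code)."""

    def __init__(self, secret=None, hash_input=("remote_addr",)):
        # secret=None models a node that generates its own key at startup.
        self.secret = secret if secret is not None else os.urandom(32)
        self.hash_input = hash_input

    def issue(self, request):
        return challenge_cookie(self.secret, request, self.hash_input)

    def verify(self, request, cookie):
        # Constant-time comparison of the presented cookie.
        return hmac.compare_digest(self.issue(request), cookie)


def accepted_everywhere(nodes, request):
    """Cookie issued by the first node, then presented to every node."""
    cookie = nodes[0].issue(request)
    return all(node.verify(request, cookie) for node in nodes)


# Constructed sample requests: two different clients behind one NAT address.
ALICE = {"remote_addr": "198.51.100.7",
         "http_user_agent": "Mozilla/5.0 (X11; Linux x86_64)"}
BOB = {"remote_addr": "198.51.100.7",
       "http_user_agent": "Mozilla/5.0 (Windows NT 10.0)"}

SHARED = b"constructed-static-secret-for-demo"


def demo():
    same_secret = [Node(SHARED) for _ in range(4)]
    own_secret = [Node() for _ in range(4)]
    addr_only = Node(SHARED, ("remote_addr",))
    addr_ua = Node(SHARED, ("remote_addr", "http_user_agent"))
    return {
        # Same secret and same inputs: any node accepts any node's cookie.
        "shared_secret_cluster_ok": accepted_everywhere(same_secret, ALICE),
        # Per-node keys: requests spread over nodes fail verification.
        "per_node_secret_cluster_ok": accepted_everywhere(own_secret, ALICE),
        # Address-only input: both NAT clients get the same cookie value.
        "nat_share_cookie_addr_only":
            addr_only.issue(ALICE) == addr_only.issue(BOB),
        # Address + User-Agent input: the two clients get distinct values.
        "nat_share_cookie_addr_ua":
            addr_ua.issue(ALICE) == addr_ua.issue(BOB),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```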
