Tag Archives: Nginx

GeoIP Bypassing for Nginx Proxy

Goal:

  • Proxy content for requests in specific country or region
  • Redirect any requests made outside specific country or region to original URL (to save bandwidth
geoip_country         /usr/share/GeoIP/GeoIPv6.dat;
map $geoip_country_code $proxy_direct_pass {
  default yes;
  CN no;
}

location ~* ^/proxied-content/(.*)$ {
  if ($proxy_direct_pass = yes) {
    return 302 https://original_content/$1$is_args$args;
  }

  proxy_pass https://original_content/$1$is_args$args;
}

Proxying and Caching WebP Images Using the Same URI Based on User Accept Headers with Nginx

Case:

  • The proxied image backend serves WebP images when the client requests support it with Accept headers ($http_accept)
  • The backend also provides the same URI for all WebP requests. That means URI like image.png can also be in WebP format

The solution:

  • Using Nginx map module
  • Apply variables to different cache pools

In nginx.conf:

# Proxy cache pools for image caching
proxy_cache_path        /dev/shm/image_cache
                        keys_zone=image_cache:10m;

proxy_cache_path        /dev/shm/image_cache_webp
                        keys_zone=image_cache_webp:10m;

# Differenate WebP requests
map $http_accept $webp_pool {
  default                 image_cache;
  ~*webp                  image_cache_webp;
}

In your site config:

proxy_cache             $webp_pool;

Allow WordPress Embedded Posts with Global X-Frame-Options for Nginx Servers

The problem: when you enables X-Frame-Options globally. You won’t be able to embed your posts with latest WordPress embed posts method.

The solution: you can simply exclude it in your Nginx configuration. I’ll use Nginx map for better performance:

map $request_uri $x_frame_options_headers {
  default                 SAMEORIGIN;
  # Matching WordPress embed page, ie. https://example.com/my-post/embed#?secret=vLi4CQcWkH
  ~/embed                 "";
}

# Don't allow the browser to render the page inside an frame or iframe
add_header X-Frame-Options $x_frame_options_headers;
Embedding Demo

SELinux policy for nginx and GitLab unix socket in Fedora 19

The installation of GitLab in Fedora 19 went fine. I followed the official installation guide with some deviations where necessary, mostly taken from the CentOS guide in gitlab-recipes. I setup nginx using the ssl config, and poked some holes in iptables. For systemd services I used these files.

Source: SELinux policy for nginx and GitLab unix socket in Fedora 19

Configuring NGINX to accept the PROXY Protocol – NGINX

This article explains how to configure NGINX and NGINX Plus to accept the PROXY protocol. Table of Contents Introduction Using the PROXY protocol with SSL, HTTP/2, SPDY, and WebSocket Using the PROXY protocol with a TCP Stream Complete Example Introduction The PROXY protocol enables NGINX and NGINX Plus to receive client connection information passed through […]

Source: Configuring NGINX to accept the PROXY Protocol – NGINX

How to Generate SSL Certificate Chain for Nginx

I’m using Comodo Certificate, you will get these files from their email:

  • Root CA Certificate – AddTrustExternalCARoot.crt
  • Intermediate CA Certificate – UTNAddTrustSGCCA.crt
  • Intermediate CA Certificate – ComodoUTNSGCCA.crt
  • Intermediate CA Certificate – EssentialSSLCA_2.crt
  • Your EssentialSSL Certificate – www_example_com.crt

Correct order:

  1. Your EssentialSSL Certificate – www_example_com.crt
  2. Intermediate CA Certificate – EssentialSSLCA_2.crt
  3. Intermediate CA Certificate – ComodoUTNSGCCA.crt
  4. Intermediate CA Certificate – UTNAddTrustSGCCA.crt
  5. Root CA Certificate – AddTrustExternalCARoot.crt

You can create a chained certificate required by Nginx:

cat www_example_com.crt EssentialSSLCA_2.crt ComodoUTNSGCCA.crt UTNAddTrustSGCCA.crt AddTrustExternalCARoot.crt > example.com.chained.crt

In fact, you can only need the first three certificates: most systems have their root CA.

cat www_example_com.crt EssentialSSLCA_2.crt ComodoUTNSGCCA.crt  > example.com.chained.crt

Update Mar 21, 2015:

Comodo updated their certificates filename, so the correct order now is:

  1. Your EssentialSSL Certificate – www_example_com.crt
  2. Intermediate CA Certificate – COMODORSADomainValidationSecureServerCA.crt
  3. Intermediate CA Certificate – COMODORSAAddTrustCA.crt
  4. Root CA Certificate – AddTrustExternalCARoot.crt
cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > example.com.chained.crt