Nginx [nginx-announce] nginx-1.15.4

eva2000 · Sep 26, 2018

Changes with nginx 1.15.4 25 Sep 2018

*) Feature: now the "ssl_early_data" directive can be used with OpenSSL.

*) Bugfix: in the ngx_http_uwsgi_module.
Thanks to Chris Caputo.

*) Bugfix: connections with some gRPC backends might not be cached when
using the "keepalive" directive.

*) Bugfix: a socket leak might occur when using the "error_page"
directive to redirect early request processing errors, notably errors
with code 400.

*) Bugfix: the "return" directive did not change the response code when
returning errors if the request was redirected by the "error_page"
directive.

*) Bugfix: standard error pages and responses of the
ngx_http_autoindex_module module used the "bgcolor" attribute, and
might be displayed incorrectly when using custom color settings in
browsers.
Thanks to Nova DasSarma.

*) Change: the logging level of the "no suitable key share" and "no
suitable signature algorithm" SSL errors has been lowered from "crit"
to "info".

--
Maxim Dounin
http://nginx.org/
_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce

Continue reading...

eva2000 · Sep 26, 2018

Looks good so far with nginx 1.15.4 with TLS 1.3 early data 0-RTT code supported and OpenSSL 1.1.1 TLS 1.3 RFC final + dual RSA 2048bit + ECDSA 256bit SSL certificate support

Nginx ssl_early_data directive
Syntax: ssl_early_data on | off;
Default:
ssl_early_data off;

Context: http, server
This directive appeared in version 1.15.3.

Enables or disables TLS 1.3 early data.

Requests sent within early data are subject to replay attacks. To protect against such attacks at the application layer, the $ssl_early_data variable should be used.
Code (Text):
proxy_set_header Early-Data $ssl_early_data;
The directive is supported only when using the BoringSSL library.
Click to expand...
$ssl_early_data
returns “1” if TLS 1.3 early data is used and the handshake is not complete, otherwise “” (1.15.3).The variable is supported only when using the BoringSSL library.
Click to expand...

The last part about only supported in BoringSSL is only true for Nginx 1.15.3. Nginx 1.15.4 adds ssl_early_data directive support for OpenSSL 1.1.1+ built Nginx web servers.

nginx config test works with TLS 1.3 0-RTT via ssl_early_data on directive set in nginx vhost instead of warning that ssl_early_data directive not supported when used with Nginx 1.15.4
Code (Text):
nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
Nginx 1.15.3 config test would report such error
Code (Text):
nginx -t
nginx: [warn] "ssl_early_data" is not supported on this platform, ignored
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
nginx -V
nginx version: nginx/1.15.4 (250918-185756)
built by gcc 8.2.1 20180921 (GCC)
built with OpenSSL 1.1.1 11 Sep 2018
TLS SNI support enabled
configure arguments: --with-ld-opt='-Wl,-E -L/usr/local/zlib-cf/lib -L/usr/local/lib -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/zlib-cf/lib:/usr/local/lib' --with-cc-opt='-I/usr/local/zlib-cf/include -I/usr/local/include -m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wimplicit-fallthrough=0 -fcode-hoisting -Wno-cast-function-type -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --build=250918-185756 --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-http_flv_module --with-http_mp4_module --add-module=../nginx-rtmp-module --add-dynamic-module=../nginx-module-vts --with-libatomic --with-http_gzip_static_module --add-dynamic-module=../ngx_brotli --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_slice_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.2 --add-module=../ngx_cache_purge-2.4.2 --add-dynamic-module=../ngx_devel_kit-0.3.0 --add-dynamic-module=../set-misc-nginx-module-0.32 --add-dynamic-module=../echo-nginx-module-0.61 --add-module=../redis2-nginx-module-0.15 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.18 --add-module=../srcache-nginx-module-0.31 --add-dynamic-module=../headers-more-nginx-module-0.33 --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.1 --with-openssl-opt='enable-ec_nistp_64_gcc_128 enable-tls1_3'
Click to expand...

Similar to BoringSSL TLS 1.3 0-RTT Early Data test with Nginx 1.15.4 master branch - notice the line with 'Early data was accepted'

Nginx directives set in Nginx vhost
Code (Text):
ssl_early_data on;
proxy_set_header Early-Data $ssl_early_data;
Test Early Data session resumption (TLS 1.3 0-RTT) via 2 commands
Code (Text):
/opt/openssl/bin/openssl s_client -connect domain.com:443 -sess_out session.pem
Code (Text):
echo -n | /opt/openssl/bin/openssl s_client -connect domain.com:443 -sess_in session.pem -early_data /tmp/https.txt
output from 2nd command
Code (Text):
---
Server certificate
-----BEGIN CERTIFICATE-----
snipped....
-----END CERTIFICATE-----
subject=CN = domain.com

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 245 bytes and written 805 bytes
Verification error: unable to get local issuer certificate
---
Reused, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was accepted
Verify return code: 20 (unable to get local issuer certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 7207998AB9AABA8DDD19E3F31E02552EDCB3816BC962EF7CF3438C25DA38065C
    Session-ID-ctx:
    Resumption PSK: 5D273A9DA0D1286681344FC666AFC4045B2E13A0ECC21E38163C1B574EB0DB43900D7F973C9D8E194CD3CED1F62A260D
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 3600 (seconds)
    TLS session ticket:
    0000 - snipped

    Start Time: 1537907164
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
    Max Early Data: 16384
---
read R BLOCK
DONE
Look for the lines in output for
Code (Text):
Early data was accepted
and
Code (Text):
    Max Early Data: 16384
contents of /tmp/https.txt
Code (Text):
GET / HTTP/1.1
Host: domain.com:443
dev.ssllabs.com now supports testing TLS 1.3 RFC final as well SSL Server Test (Powered by Qualys SSL Labs). Just waiting on Chrome 70 and Firefox 63 next month to support TLS 1.3 RFC final now

Note: right now it can be security risk in enabling TLS 1.3 0-RTT with early data directive due to replay attacks as you'd need logic in your web apps to determine what/when to accept such requests. Nginx recommends having the following set
Code (Text):
proxy_set_header Early-Data $ssl_early_data;
Cloudflare's implementation of TLS 1.3 0-RTT has such logic baked in so slightly different.

buik · Sep 26, 2018

@eva2000 could you test the patch below: kn007/patch
Hopefully it will work fine and so on enables the OpenSSL 1.1.1 feature: SSL_OP_PRIORITIZE_CHACHA

If not. I consider to port my "ChaCha only if it is prioritized by the client" patch to OpenSSL 1.1.1

Thanks.

eva2000 · Sep 26, 2018

bassie said: ↑

@eva2000 could you test the patch below: kn007/patch
Hopefully it will work fine and so on enables the OpenSSL 1.1.1 feature: SSL_OP_PRIORITIZE_CHACHA

If not. I consider to port my "ChaCha only if it is prioritized by the client" patch to OpenSSL 1.1.1

Thanks.
Click to expand...

did a quick test setting persistent config file /etc/centminmod/custom_config.inc variable that I added for
Code (Text):
NGINX_PRIORITIZECHACHA='y'
then ran centmin.sh menu option 4 to recompile Nginx 1.15.4 version via private updated 123.09beta01 code (haven't committed it to public 123.09beta01 branch yet)

resulting Nginx 1.15.4 build

nginx -V
nginx version: nginx/1.15.4 (250918-221202)
built by gcc 8.2.1 20180921 (GCC)
built with OpenSSL 1.1.1 11 Sep 2018
TLS SNI support enabled
configure arguments: --with-ld-opt='-Wl,-E -L/usr/local/zlib-cf/lib -L/usr/local/lib -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/zlib-cf/lib:/usr/local/lib' --with-cc-opt='-I/usr/local/zlib-cf/include -I/usr/local/include -m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wimplicit-fallthrough=0 -fcode-hoisting -Wno-cast-function-type -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --build=250918-221202 --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-http_flv_module --with-http_mp4_module --add-module=../nginx-rtmp-module --add-dynamic-module=../nginx-module-vts --with-libatomic --with-http_gzip_static_module --add-dynamic-module=../ngx_brotli --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_slice_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.2 --add-module=../ngx_cache_purge-2.4.2 --add-dynamic-module=../ngx_devel_kit-0.3.0 --add-dynamic-module=../set-misc-nginx-module-0.32 --add-dynamic-module=../echo-nginx-module-0.61 --add-module=../redis2-nginx-module-0.15 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.18 --add-module=../srcache-nginx-module-0.31 --add-dynamic-module=../headers-more-nginx-module-0.33 --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.1 --with-openssl-opt='enable-ec_nistp_64_gcc_128 enable-tls1_3'
Click to expand...

build logs
Code (Text):
log files saved at /root/centminlogs
-rw-r--r--  1 root root  1.8K Sep 25 22:10 patch_opensslpatches_250918-221028.log
-rw-r--r--  1 root root    44 Sep 25 22:11 centminmod_opensslinstalltime_250918-221028.log
-rw-r--r--  1 root root   641 Sep 25 22:11 patch_patchnginx_250918-221028.log
-rw-r--r--  1 root root  8.3K Sep 25 22:12 nginx-configure-250918-221028.log
-rw-r--r--  1 root root   28K Sep 25 22:13 nginx_autoconf.err.250918-221028.log
-rw-r--r--  1 root root  2.4M Sep 25 22:13 centminmod_123.09beta01.b059_250918-221028_nginx_upgrade.log
patch_patchnginx_*.log log
Code (Text):
cat /root/centminlogs/patch_patchnginx_250918-221028.log
1015004
1015004
1015004
/svr-setup/nginx-1.15.4 /svr-setup/nginx-1.15.4
patching nginx for prioritizing chacha20 with OpenSSL 1.1.1 https://github.com/kn007/patch/issues/2
patch -p01 < /usr/local/src/centminmod/patches/nginx-prioritize-chacha20/nginx-1.15.4-reprioritize-chacha-openssl-1.1.1.patch
patching file src/event/ngx_event_openssl.c
Hunk #1 succeeded at 350 with fuzz 1 (offset 20 lines).

patching nginx for prioritizing chacha20 with OpenSSL 1.1.1
/svr-setup/nginx-1.15.4
1015004
/usr/local/src/centminmod
15
18
/svr-setup/redis2-nginx-module-0.15/src
/svr-setup/memc-nginx-module-0.18/src
1015004
current OpenSSL 1.1.1 patch_opensslpatches log
Code (Text):
cat /root/centminlogs/patch_opensslpatches_250918-221028.log

######################################################################
Patching OpenSSL 1.1.1
######################################################################
Fix OpenSSL 1.1.1 broken SNI handshake patch
https://github.com/openssl/openssl/issues/7244
######################################################################
/svr-setup/openssl-1.1.1 /svr-setup/openssl-1.1.1
patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL-1.1.1-sni-fix-delay-sig-algs.patch
patching file ssl/statem/statem_srvr.c
patching file test/sslapitest.c
patching file test/ssltestlib.c
patching file test/sslapitest.c
/svr-setup/openssl-1.1.1


######################################################################
Patching OpenSSL 1.1.1
######################################################################
Reset TLS 1.3 ciphers in SSL_CTX_set_ssl_version() patch
https://github.com/openssl/openssl/issues/7226
######################################################################
/svr-setup/openssl-1.1.1 /svr-setup/openssl-1.1.1
patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL-1.1.1-reset-tls1.3-ciphers-SSL_CTX_set_ssl_version.patch
patching file ssl/ssl_lib.c
/svr-setup/openssl-1.1.1


######################################################################
Patching OpenSSL 1.1.1
######################################################################
Fix the max psk len for TLSv1.3 patch
https://github.com/openssl/openssl/issues/7261
######################################################################
/svr-setup/openssl-1.1.1 /svr-setup/openssl-1.1.1
patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL-1.1.1-tls13-fix-max-psk-len.patch
patching file ssl/ssl_locl.h
/svr-setup/openssl-1.1.1
Not seeing any change in ChaCha20 priority for Android 7 though depends on the client device preferences

this is on dev.ssllabs.com

buik · Sep 26, 2018

Indeed. Seems to be not working, after analyzing your test results.
Perhaps a patch with Bassie's Openssl 1.1.1 pre backport bits is useful.

I have to check if I continue with BoringSSL.
As our favorite developer left a project un-maintained again.
I consider returning to OpenSSL with patches.

Because Nginx Bazel (compiled with BoringSSL) is quite useless now.

eva2000 · Sep 26, 2018

But it is really not working ? as

SSL_OP_PRIORITIZE_CHACHA

When SSL_OP_CIPHER_SERVER_PREFERENCE is set, temporarily reprioritize ChaCha20-Poly1305 ciphers to the top of the server cipher list if a ChaCha20-Poly1305 cipher is at the top of the client cipher list. This helps those clients (e.g. mobile) use ChaCha20-Poly1305 if that cipher is anywhere in the server cipher list; but still allows other clients to use AES and other ciphers. Requires SSL_OP_CIPHER_SERVER_PREFERENCE.
Click to expand...

Suggests ChaCha20-Poly1305 cipher needs to be at the top of the client's cipher list. Is it always on top in Android 7 ? The assumption for ssllabs client tests is we are looking for ChaCha20 cipher for Android 7. But could some Android 7 devices not have it at top of their client cipher list ?

buik · Sep 26, 2018

eva2000 said: ↑

But could some Android 7 devices not have it at top of their client cipher list ?
Click to expand...

Yup. Android x86 devices for example.
Android 7 ARM does have chacha as top cipher.

Pre-Android 7 is old-chacha or draft-chacha as top cipher if available.
But we all know that old-chacha has been phased out.

Consider that with SSLtest, Android is tested with the Android vanilla browser and not Chrome. And that the top-client cipher list partially depends on what the server supports / allows.

eva2000 · Sep 26, 2018

bassie said: ↑

Consider that with SSLtest, Android is tested with the Android vanilla browser and not Chrome. And that the top-client cipher list partially depends on what the server supports / allows.
Click to expand...

Indeed this is the ssllabs Android 7 client profile Qualys SSL Labs - Projects / User Agent Capabilities: Android 7.0

looks like Chacha20 new cipher is at top of client preferred list so yup that prioritize chacha20 patch isn't working as dev.ssllabs.com Android 7 client should report connecting via chacha20 cipher instead of AES128 GCM SHA256

eva2000 · Sep 26, 2018

FYI, folks enabling the Nginx Dynamic TLS patch when persistent config file /etc/centminmod/custom_config.inc is set with NGINX_DYNAMICTLS='y' may run into incompatibility compile error from nginx patch log after failed centmin.sh menu option 4 nginx recompile
Code (Text):
cat /root/centminlogs/patch_patchnginx_260918-001948.log

######################################################################
Patching Nginx for Dynamic TLS Size Support
######################################################################
Cloudflare Nginx Dynamic TLS patch
https://github.com/cloudflare/sslconfig/raw/master/patches/nginx__dynamic_tls_records.patch
######################################################################
patch -p1 < /usr/local/src/centminmod/patches/cloudflare/nginx__dynamic_tls_records_1011005.patch
patching file src/event/ngx_event_openssl.c
Hunk #1 succeeded at 1267 (offset 136 lines).
Hunk #2 succeeded at 2116 (offset 446 lines).
Hunk #3 succeeded at 2258 (offset 452 lines).
patching file src/event/ngx_event_openssl.h
Hunk #1 succeeded at 64 with fuzz 1 (offset 10 lines).
Hunk #2 FAILED at 89.
Hunk #3 succeeded at 116 (offset 18 lines).
1 out of 3 hunks FAILED -- saving rejects to file src/event/ngx_event_openssl.h.rej
patching file src/http/modules/ngx_http_ssl_module.c
Hunk #1 succeeded at 246 with fuzz 1 (offset 13 lines).
Hunk #2 succeeded at 611 (offset 43 lines).
Hunk #3 succeeded at 683 (offset 45 lines).
Hunk #4 succeeded at 881 with fuzz 1 (offset 49 lines).
patching file src/http/modules/ngx_http_ssl_module.h
Hunk #1 succeeded at 58 (offset 1 line).
1015004
1015004
1015004
/usr/local/src/centminmod
15
18
/svr-setup/redis2-nginx-module-0.15/src
/svr-setup/memc-nginx-module-0.18/src
1015004
I've just updated Centmin Mod 123.09beta01 to disable Nginx dynamic TLS patch when Nginx 1.15.4 is detected until I can add an updated Nginx dynamic TLS patch.

So best practice is to update centmin mod code via = cmupdate command before running centmin.sh menu option 4 (which is what i do always)
Code (Text):
cmupdate
cmdir
./centmin.sh
edit: updated Centmin Mod 123.09beta01 just now with Nginx dynamic TLS patch for Nginx 1.15.4 located at Refresh nginx__dynamic_tls_records.patch for nginx 1.15.4 by leonklingele · Pull Request #100 · cloudflare/sslconfig

nginx -V
nginx version: nginx/1.15.4 (260918-005257)
built by gcc 8.2.1 20180921 (GCC)
built with OpenSSL 1.1.1 11 Sep 2018
TLS SNI support enabled
configure arguments: --with-ld-opt='-Wl,-E -L/usr/local/zlib-cf/lib -L/usr/local/lib -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/zlib-cf/lib:/usr/local/lib' --with-cc-opt='-I/usr/local/zlib-cf/include -I/usr/local/include -m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wimplicit-fallthrough=0 -fcode-hoisting -Wno-cast-function-type -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --build=260918-005257 --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-http_flv_module --with-http_mp4_module --add-module=../nginx-rtmp-module --add-dynamic-module=../nginx-module-vts --with-libatomic --with-http_gzip_static_module --add-dynamic-module=../ngx_brotli --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_slice_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.2 --add-module=../ngx_cache_purge-2.4.2 --add-dynamic-module=../ngx_devel_kit-0.3.0 --add-dynamic-module=../set-misc-nginx-module-0.32 --add-dynamic-module=../echo-nginx-module-0.61 --add-module=../redis2-nginx-module-0.15 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.18 --add-module=../srcache-nginx-module-0.31 --add-dynamic-module=../headers-more-nginx-module-0.33 --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.1 --with-openssl-opt='enable-ec_nistp_64_gcc_128 enable-tls1_3'
Click to expand...
Code (Text):
cat /root/centminlogs/patch_patchnginx_260918-005125.log
                                                                 
######################################################################
Patching Nginx for Dynamic TLS Size Support
######################################################################
Cloudflare Nginx Dynamic TLS patch
https://github.com/cloudflare/sslconfig/raw/master/patches/nginx__dynamic_tls_records.patch
######################################################################
patch -p1 < /usr/local/src/centminmod/patches/cloudflare/nginx__dynamic_tls_records_1015004.patch
patching file src/event/ngx_event_openssl.c
patching file src/event/ngx_event_openssl.h
patching file src/http/modules/ngx_http_ssl_module.c
patching file src/http/modules/ngx_http_ssl_module.h
1015004
1015004
1015004
/usr/local/src/centminmod
15
18
/svr-setup/redis2-nginx-module-0.15/src
/svr-setup/memc-nginx-module-0.18/src
1015004

buik · Sep 26, 2018

Hmm as written before Nginx Bazel seems to be a dead end.
As BoringSSL is kind of a rolling release, it takes to many time to maintain Nginx with BoringSSL. Given the fact that the Bazel benefits fall away and patches need to be rewritten time over time as rolling release code.

I am considering a return to Nginx 1.15.4 with OpenSSL 1.1.1.
OpenSUSE build service seems to be nice to build one and another without maintaining own build systems and therefore save time. EL linux is supported by OpenSUSE build service.

eva2000 · Sep 26, 2018

Is the problem Bazel routine usage falling behind for building Nginx or you mean BoringSSL ? I don't use Bazel, I just compile normal way for Nginx + BoringSSL for Nginx - Enabling BoringSSL TLS v1.3 with Centmin Mod Nginx HTTP/2 HTTPS Server. Nginx 1.15.3+ compiles natively with BoringSSL fine.

buik · Sep 26, 2018

eva2000 said: ↑

Is the problem Bazel routine usage falling behind for building Nginx or you mean BoringSSL ?
Click to expand...

Nope. It's Nginx maintained by Google developers which has not been updated in any time. As it is maintained by Google developers it used Bazel by Google.
Thats it.

eva2000 · Sep 26, 2018

Ah you mean the nginx version maintained at https://nginx.googlesource.com/nginx !

buik · Sep 26, 2018

eva2000 said: ↑

Ah you mean the nginx version maintained at https://nginx.googlesource.com/nginx !
Click to expand...

Yup also known as Nginx Bazel (first hit Google) or firebase Nginx.

JJC84 · Sep 26, 2018

Up and running!

rdan · Sep 27, 2018

Code:
ssl_early_data on;
proxy_set_header Early-Data $ssl_early_data;
On every domain SSL/443 vhost?

eva2000 · Sep 27, 2018

can be at server context level or http context level Module ngx_http_ssl_module

but i wouldn't enable early data for live/production sites until you fully understand the 0-RTT replay attack and mitigation steps

rdan · Sep 27, 2018

Upgrading from 1.15.3 to 1.15.4 cause a downtime for my Site.
(Reason: Socket timeout, unable to connect to server)
Only resolve itself after upgrade was done and it takes 200 seconds :/.

rdan · Sep 27, 2018

eva2000 said: ↑

can be at server context level or http context level Module ngx_http_ssl_module

but i wouldn't enable early data for live/production sites until you fully understand the 0-RTT replay attack and mitigation steps
Click to expand...

I'll put it under HTTP block then .

eva2000 · Sep 27, 2018

rdan said: ↑

Upgrading from 1.15.3 to 1.15.4 cause a downtime for my Site.
(Reason: Socket timeout, unable to connect to server)
Only resolve itself after upgrade was done and it takes 200 seconds :/.
Click to expand...

1st time this happened or happens each time you upgrade nginx ? nginx usually isn't stopped/restarted until end of upgrade routine

Log in / Register

Forums

Learn about Centmin Mod LEMP Stack today

Nginx [nginx-announce] nginx-1.15.4

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

JJC84 Ad astra per aspera

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

rdan Well-Known Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Learn about Centmin Mod LEMP Stack today

Nginx [nginx-announce] nginx-1.15.4

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

JJC84 Ad astra per aspera

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

rdan Well-Known Member

eva2000 Administrator Staff Member

.