I'm trying to change the settings for Nginx ssl_protocols, but the changes don't reflect on the server.
At first I thought it was because we were using Ubuntu 12.04, but now we're updated to 14.04.
Nginx version:
nginx version: nginx/1.10.1
built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.3)
built with OpenSSL 1.0.1f 6 Jan 2014
TLS SNI support enabled
configure arguments: --sbin-path=/usr/local/sbin/nginx --with-http_ssl_module --with-http_stub_status_module --with-http_gzip_static_module
Openssl version:
OpenSSL 1.0.1f 6 Jan 2014
Ngnix.conf:
http {
include /usr/local/nginx/conf/mime.types;
default_type application/octet-stream;
tcp_nopush on;
keepalive_timeout 65;
tcp_nodelay off;
log_format main '$remote_addr - $remote_user [$time_local] $status '
'"$request" $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log debug;
open_file_cache max=1000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
client_body_timeout 10;
client_header_timeout 10;
sendfile on;
# output compression
gzip on;
gzip_min_length 1100;
gzip_buffers 4 8k;
gzip_proxied any;
gzip_types text/plain text/html text/css text/js application/x-javascript application/javascript application/json;
# include config for each site here
include /etc/nginx/sites/*;
/etc/nginx/sites/site.conf:
server {
listen 443 ssl;
server_name server_name;
root /home/deploy/server_name/current/public;
access_log /var/log/nginx/server_name.access.log main;
ssl_certificate /usr/local/nginx/conf/ssl/wildcard.server_name.com.crt;
ssl_certificate_key /usr/local/nginx/conf/ssl/wildcard.server_name.com.key.unsecure;
ssl_client_certificate /usr/local/nginx/conf/ssl/geotrust.crt;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
ssl_prefer_server_ciphers on;
location ~ ^/assets/ {
expires max;
add_header Cache-Control public;
add_header ETag "";
break;
}
location / {
try_files $uri #server_name;
proxy_set_header X-Forwarded-Proto https;
}
location #server_name {
include proxy.conf;
proxy_pass http://server_name;
proxy_set_header X-Forwarded-Proto https;
}
# stats url
location /nginx_stats {
stub_status on;
access_log off;
}
}
The config files get loaded properly and are both being used as intended. If it has any relevance the server is running Ruby on Rails with Unicorn.
Does anyone have an idea what could be wrong?
Description
I had a similar problem. My changes would be applied (nginx -t would warn about duplicate and invalid values), but TLSv1.0 and TLSv1.1 would still be accepted. My line in my sites-enabled/ file reads
ssl_protocols TLSv1.2 TLSv1.3;.
I ran grep -R 'protocol' /etc/nginx/* to find other mentions ssl_protocols, but I only found the main configuration file /etc/nginx/nginx.conf and my own site config.
Underlying problem
The problem was caused by a file included by certbot/letsencrypt, at /etc/letsencrypt/options-ssl-nginx.conf. In certbot 0.31.0 (certbot --version) the file includes this line:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
This somewhat sneakily enabled these versions of TLS.
I was tipped off by Libre Software.
0.31.0 is the most up-to-date version I was able to get for Ubuntu 18.04 LTS
Solution
TLS versions <1.2 were disabled by default in the certbot nginx config starting from certbot v0.37.0 (thank you mnordhoff). I copied the file from there into the letsencrypt config (options-ssl-nginx.conf), added a note to myself and subsequent maintainers and everything was all right with the world again.
How to not get into this mess in the first place
grepping one level higher (/etc/* instead of /etc/nginx*) would have allowed me to find the culprit. But a more reliable and powerful tool is nginx -T, which prints out all the configuration files that are considered.
Other useful commands:
nginx -s reload after you change configs
nginx -v to find out your nginx version. To enable TSL version 1.3, you need version 1.13.0+.
openssl version: you need at least OpenSSL 1.1.1 "built with TLSv1.3 support"
curl -I -v --tlsv<major.minor> <your_site> for testing whether a certain version of TLS is in fact enabled
journalctl -u nginx --since "10 minutes ago" to make absolutely sure something else isn't going on.
Want to add another (somewhat obscure) possibility since the CERTbot one didn't cover me. Mine is only for NGINX installs with multiple domains. Basically the info you specify for your specific domain may be modified because of the server default. That default is set from the first domain name encountered when reading the config (basically alphabetically). Details on this page.
http://nginx.org/en/docs/http/configuring_https_servers.html
A common issue arises when configuring two or more HTTPS servers listening on a single IP address:
server {
listen 443 ssl;
server_name www.example.com;
ssl_certificate www.example.com.crt;
...
}
server {
listen 443 ssl;
server_name www.example.org;
ssl_certificate www.example.org.crt;
...
}
With this configuration a browser receives the default server’s certificate, i.e. www.example.com regardless of the requested server name. This is caused by SSL protocol behaviour. The SSL connection is established before the browser sends an HTTP request and nginx does not know the name of the requested server. Therefore, it may only offer the default server’s certificate.
The issue wasn't in the server itself, but instead in the AWS Load Balancer having wrong SSL Ciphers selected.
Related
I have a fully dockerised application:
nginx as proxy
a backend server (express.js)
a database (mongodb)
a frontend server (express js)
goaccess for logging
The problem is when I hit my backend endpoint with a POST request, the response is never sent to the client. A 499 code is logged by nginx along with this log
epoll_wait() reported that client prematurely closed connection, so upstream connection is closed too while sending request to upstream,
The client is the browser, there is no doubt about it.
The error arise after 1min of processing in firefox and 5min of processing in chrome. As far as I know, these times match the timeout settings of theses browsers. I could increase the timeout in firefox but it is not a viable solution.
When I get rid of the proxy, the request completes and the client get the response in about 15min. So I think there is a problem with the nginx configuration but I don't know what.
So far I tried to increase all timeout you can imagine but that didn't change anything.
I also try to set the proxy_ignore_client_abort in nginx but it is not useful in my case. Indeed the connection between nginx and my backend is still alive and the request completes after 15min (code 200 in nginx logs) but the ui is not updated because the client has terminated the connection with nginx.
I think that the browser thinks nginx is dead, because it doesn't receive any data, so it closes the TCP connection.
I'll try later on to "stimulates" this TCP connection when the request is still processing by switching between my website pages (so the browser should not close the connection), but if I have to do some weird stuff to get my backend result, it is not a viable solution.
There should be a way to process long requests without facing these browser's timeout but I don't know how.
Any help would be appreciated :)
My nginx configuration:
user nginx;
pid /run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 65535;
events {
multi_accept on;
worker_connections 65535;
}
http {
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
log_not_found off;
types_hash_max_size 2048;
types_hash_bucket_size 64;
client_max_body_size 16M;
# mime
include mime.types;
default_type application/octet-stream;
# logging
log_format my_log '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" ';
access_log /var/log/nginx/access.log my_log;
error_log /var/log/nginx/error.log info;
# limits
limit_req_log_level warn;
limit_req_zone $binary_remote_addr zone=main:10m rate=10r/s;
# SSL
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# Mozilla Intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
# OCSP
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
resolver_timeout 2s;
# Connection header for WebSocket reverse proxy
map $http_upgrade $connection_upgrade {
default upgrade;
"" close;
}
map $remote_addr $proxy_forwarded_elem {
# IPv4 addresses can be sent as_is
~^[0-9.]+$ "for=$remote_addr";
# IPv6 addresses need to be bracketed and quoted
~^[0-9A-Fa-f:.]+$ "for\"[$remote_addr]\"";
# Unix domain socket names cannot be represented in RFC 7239 syntax
default "for=unknown";
}
map $http_forwarded $proxy_add_forwarded {
# If the incoming Forwarded header is syntactially valid, append to it
"~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
# Otherwise, replace it
default "$proxy_forwarded_elem";
}
# Load configs
include /etc/nginx/conf.d/localhost.conf;
}
and localhost.conf
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name localhost;
root /usr/share/nginx/html;
ssl_certificate /etc/nginx/live/localhost/cert.pem;
ssl_certificate_key /etc/nginx/live/localhost/key.pem;
include /etc/nginx/conf.d/security.conf;
include /etc/nginx/conf.d/proxy.conf;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log info;
# nginx render files or proxy the request
location / {
try_files $uri #front;
}
location #front {
proxy_pass http://frontend:80;
}
location ^~ /api/v1 {
proxy_read_timeout 30m; # because an inference with SIMP can takes some time
proxy_send_timeout 30m;
proxy_connect_timeout 30m;
proxy_pass http://backend:4000;
}
location = /report.html {
root /usr/share/goaccess/html/;
}
location ^~ /ws {
proxy_pass http://goaccess:7890;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_read_timeout 7d;
proxy_connect_timeout 3600;
}
include /etc/nginx/conf.d/general.conf;
}
EDIT:
The request is sent via the Angular HttpClient, maybe this module is built in a way to abort requests if a response in not send in a short time frame, I'll try to investigate on that.
Ok I think I can answer my own question.
HTTP requests are not designed for long requests. When a request is issued, a response should be delivered as quickly as possible.
When you are doing a long process job, you should use workers and messages architecture (or event driven architecture) with tools like rabbitmq or kafka. You can also use polling (but it is not the more efficient solution).
So that, in my POST handler what I should do is when data arrive send a message to my broker and then issue an appropriate response (like request is processing).
The worker subscribe to a queue and can receive the message previously delivered, do the job and then reply back to my back end. We can then use a STOMP (websocket) plugin to route the result to the front end.
I have taken a project builded with Laravel 4.2 and PHP 5.6.
And have mounted the server with Docker.
The server uses Nginx, certificates from Let’s Encrypt with Certbot.
These are the configuration files of the Nginx:
nginx.conf
server {
index index.php index.html;
error_log /var/log/nginx/error.log;
access_log /var/log/nginx/access.log;
root /var/www/public;
server_name example.com.py www.example.com.py;
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass app:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
location / {
try_files $uri $uri/ /index.php?$query_string;
gzip_static on;
}
listen [::]:443 ssl http2 ipv6only=on; # managed by Cetbot
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com.py/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com.py/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
and options-ssl-nginx.conf
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
ssl_session_cache shared:le_nginx_SSL:40m; #holds approx 40 x 4000 sessions
ssl_session_timeout 2h;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
The project is an E-commerce that conects with a local Credit Card Payments procesor company.
Everthing works fine until the Payments procesor, responds to a url in my server for payment confirmation.
Here is what my server responds to the Payments procesor when it sends the request to the payments confirmation url:
[Status 500]
OpenSSL: : SSL: : SSLError: Receivedfatalalert: handshake_failure
I have no log of any error or anything in my laravel.log or my nginx log.
I copy pasted the same request and reproduced it with Postman and it works fine returning the correct 200 response.
The payment procesor told me that i need to validate only certificates with TLS1.2 and above and as you can see in my options-ssl-nginx.conf
file, thats already validated.
Does Anyone knows what could be missing?
Thanks in advance
UPDATE 1:
I raised the level for the error logs of nginx, and i got the following errors:
This one with a test:
SSL_do_handshake() failed (SSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher) while SSL handshaking, client: 190.128.218.209, server: 0.0.0.0:443
I also got this one some hours before:
SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 3.236.110.87, server: 0.0.0.0:443
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
You cipher set is very restrictive, i.e. there are only 5 TLS 1.2 ciphers for RSA certificates (the ECDSA ones are likely irrelevant since you likely don't use a ECC certificate). It might well be that the specific client used by the payment processor company neither supports these TLS 1.2 ciphers nor supports TLS 1.3.
It might be useful to just comment out the ssl_ciphers line so that it falls back to the default settings, which are usually (with current versions of OpenSSL) are still secure but broader.
This is in continuation to the question, that I posted on SO yesterday. I am not sure if should make another questions or just link it to the older post.
Neways, I have been trying to deploy ruby on rails app onto Bluemix. After much trail and error, I finally managed to push the app and start it. But, when I try to open the web app. Bluemix throws me an error
403 Forbidden
nginx
If I understand correctly, this has something to do with permissions to access certain folder on my RoR app. How to resolve this. DO I have to change permission on my local app before pushing it to bluemix or is there something to be done on bluemix?
Here is the link
EDIT :
This is my error log on ngnix folder on bluemix
2015/07/23 10:16:39 [error] 37#0: *2 directory index of "/home/vcap/app/public/" is forbidden, client: 75.126.52.20, server: localhost, request: "GET / HTTP/1.1", host: "csw-events.mybluemix.net"
ngnix.conf file on bluemix
worker_processes 1;
daemon off;
error_log /home/vcap/app/nginx/logs/error.log;
events { worker_connections 1024; }
http {
log_format cloudfoundry '$http_x_forwarded_for - $http_referer - [$time_local] "$request" $status $body_bytes_sent';
access_log /home/vcap/app/nginx/logs/access.log cloudfoundry;
default_type application/octet-stream;
include mime.types;
sendfile on;
gzip on;
gzip_disable "msie6";
gzip_comp_level 6;
gzip_min_length 1100;
gzip_buffers 16 8k;
gzip_proxied any;
gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/xml+rss;
tcp_nopush on;
keepalive_timeout 30;
port_in_redirect off; # Ensure that redirects don't include the internal container PORT - 61596
server_tokens off;
server {
listen 61596;
server_name localhost;
location / {
root /home/vcap/app/public;
index index.html index.htm Default.htm;
}
}
}
The ngix folder does not exist on my local system. It is created when i push my app to bluemix (Or am I missing something here?)
You can not use the Nginx (static buildpack to serve your Ruby on Rails app. You must use the Ruby buildpack for that.
The problem was caused for two reasons (atleast in my scenario).
a) Not using the correct build pack. The one which solved my problem was using this buildpack from CF
cf push csw-events -b https://github.com/cloudfoundry/ruby-buildpack.git
b) Sensitivity of the manifest file - Bluemix started throwing the following error:
FAILED
Error reading manifest file:
yaml: [] control characters are not allowed at line 1, column 1
This was resolved by downloading the manifest file again and replacing only specific part of it (like the command part).
I am running uwsgi in emperor mode
uwsgi --emperor /path/to/vassals/ --buffer-size=32768
and getting this error
invalid request block size: 21327 (max 4096)...skip
What to do? I also tried -b 32768.
I aslo ran into same issue while following some tutorial.
The problem was that I set the option socket = 0.0.0.0:8000 instead of http = 0.0.0.0:8000.
socket option intended to be used with some third-party router (nginx for instance), while when http option is set uwsgi can accept incoming HTTP requests and route them by itself.
The correct solution is not to switch to HTTP protocol. You just need to increase the buffer size in uWSGI settings.
buffer-size=32768
or in commandline mode:
-b 32768
Quote from official documentation:
By default uWSGI allocates a very small buffer (4096 bytes) for the headers of each request. If you start receiving “invalid request block size” in your logs, it could mean you need a bigger buffer. Increase it (up to 65535) with the buffer-size option.
If you receive ‘21573’ as the request block size in your logs, it could mean you are using the HTTP protocol to speak with an instance speaking the uwsgi protocol. Don’t do this.
From here: https://uwsgi-docs.readthedocs.io/en/latest/ThingsToKnow.html
I could fix it adding --protocol=http to the uwsgi.
I ran into the same issue trying to run it under nginx and was following the
docs here. It is important to note that once you switch to nginx you have to make sure you are not trying to access the app on the port specified by the --socket param but rather the "listen" port in nginx.conf. Although your problem is described differently the title matches exactly the issue I had.
This error is shown when uWSGI server is using uwsgi protocol and one tries to access it via http protocol by curl or web browser directly. If you can, try configuring your uWSGI server to use http protocol, so you can access it via web browser or curl.
In case you cannot (or do not want to) change it, you can use a reverse proxy (e.g. nginx) in front of local or remote uWSGI server, see https://uwsgi-docs.readthedocs.org/en/latest/Nginx.html
If it feels like too much work, give a try to uwsgi-tools python package:
$ pip install uwsgi-tools
$ uwsgi_curl 10.0.0.1:3030
There is also a simple reverse proxy server uwsgi_proxy if you need to access your application(s) via web browser etc. See more expanded answer https://stackoverflow.com/a/32893520/179581
As pointed out in another comment from the docs:
If you receive ‘21573’ as the request block size in your logs, it could mean you are using the HTTP protocol to speak with an instance speaking the uwsgi protocol. Don’t do this.
If you are using Nginx, this will occur if you are have this configuration (or something similarly odd):
proxy_pass http://unix:/path/to/socket.sock
this is speaking HTTP to uWSGI (which makes it grumpy). Instead, use:
uwsgi_pass unix:/path/to/socket.sock;
man i m havin same issue;
so i did it ...
look using UWSGI + DJANGO + NGINX + REACT +
1 - nano /etc/uwsgi/sites/app_plataform.ini [uwsgi]
DJANGO_SETTINGS_MODULE = app_plataform.settings env =
DJANGO_SETTINGS_MODULE settings.configure()
chdir = /home/app_plataform home = /root/app_plataform
module = prometheus_plataform.wsgi:application
master = true processes = 33 buffer-size=32768
socket = /home/app_plataform/app_plataform.sock
chmod-socket = 777 vacuum = true
2 - make a serious performance upgrade on nginx ... user www-data;
worker_processes auto; worker_processes 4; pid /run/nginx.pid; include /etc/nginx/modules-enabled/*.conf;
events { worker_connections 4092; multi_accept on; }
http { ##UPGRADE CONFIGS
client_body_buffer_size 16K; client_header_buffer_size 16k;
client_max_body_size 32m; #large_client_header_buffers 2 1k;
client_body_timeout 12; client_header_timeout 12; keepalive_timeout
15; send_timeout 10; access_log off;
## # Basic Settings ##
sendfile on; tcp_nopush on; tcp_nodelay on; #keepalive_timeout 65;
types_hash_max_size 2048; server_tokens off;
server_names_hash_bucket_size 64; # server_name_in_redirect off;
include /etc/nginx/mime.types; default_type
application/octet-stream;
## # SSL Settings ##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
## # Logging Settings ##
access_log /var/log/nginx/access.log; error_log
/var/log/nginx/error.log;
## # Gzip Settings ##
gzip on; gzip_comp_level 2; gzip_min_length 1000; gzip_proxied
expired no-cache no-store private auth; gzip_types text/plain
application/x-javascript text/xml text/css application/xml; gzip_vary
on;
#gzip_proxied any; #gzip_comp_level 6; gzip_buffers 16 8k;
gzip_http_version 1.1; #gzip_types text/plain text/css
application/json application/javascript text/xml application/xml
application/xml+rss text/javascript;
## # Virtual Host Configs ##
include /etc/nginx/conf.d/.conf; include
/etc/nginx/sites-enabled/; }
3 - then ... restart services or reebot server ...
systemctl restart uwsgi & systemctl restart nginx
for this particular error invalid request block size: 21327 (max 4096)...skip
it depends on where you're running your solution either on a local machine or a remote server(AWS......).
this solution worked for me as I shrugged with this working on my local machine and as well within a docker container
1 -- change from socket = :8000 in your ini file to http= :8000
and this would work perfectly within docker as well
You can increase the buffer size in uWSGI settings.
The quick solution would be, Remove cookies from the browser for that URL.
Open developer tools in browser > Go to Application tab and > remove cookies associated with the URL.
I have a server with the next components:
Ubuntu 12.04
Nginx 1.2.2
Passenger 3.0.15
I'm running a Ruby on Rails app on this server.
Now in my error.log of Nginx I found this error popping up regularly.
[ pid=12615 thr=3065355072 file=ext/nginx/HelperAgent.cpp:923 time=2012-10-22 09:31:03.929 ]: Couldn't forward the HTTP response back to the HTTP client: It seems the user clicked on the 'Stop' button in his browser.
Does anybody has an idea where this issue comes from?
This is my Nginx conf:
user deployer staff;
worker_processes 5;
error_log /var/log/nginx/error.log notice;
pid /var/log/nginx/nginx.pid;
events {
worker_connections 2048;
multi_accept on;
}
http {
passenger_root /var/lib/gems/1.9.1/gems/passenger-3.0.15;
passenger_ruby /usr/bin/ruby1.9.1;
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
keepalive_timeout 65;
server {
passenger_enabled on;
server_name xxx.com;
listen 80;
rails_env production;
location ^~ /assets/ {
gzip_static on;
expires max;
add_header Cache-Control public;
}
root /var/rails/alfa_paints/current/public;
error_page 404 /404.html;
error_page 500 502 503 504 /500.html;
}
}
You configuration looks fine. I think the error is exactly what it says: the end user clicked "stop" on their browser, closing the TCP connection to the server. Everything in your application stack is likely working as designed. Unless you have end users complaining about the app not working, that's the most likely explanation.
That said, if you're seeing this error a lot, the next question you might ask is "why are users hitting the stop button so much"? Maybe part of your application is taking too long to respond to users, and you need to either speed it up or add some sort of progress indicator. You might look back at your logs and see if you can correlate the errors with a particular kind of request.
another situation maybe like this nginx Timeout serving large requests
to resolve this problem,you can try this:
gem install passenger #use the lastest passenger
passenger-config --root # get passenger_root_path
#download the lastest nginx file and cd nginx-X.X.X
./configure --with-http_ssl_module --with-http_gzip_static_module --with-cc-opt=-Wno-error --add-module=$passenger_root_path/ext/nginx
make
make install
after this, config nginx.conf and restart,you will find everything is ok!