Open dilyanpalauzov opened 1 week ago
Hi @dilyanpalauzov,
If I put in the same location / { js_content …; and proxy_pass …; } then js_content is not executed (even if it contains a single .log() function) and there is no warnings or hints for this by nginx -t. I have nginx 1.26.2 with njs 0.8.6.
yes, both js_content
and proxy_pass
install a content handler for request processing for a given location. nginx allows you to have only have a single content handler for a given location.
For DOS protection, have you considered limit_req and limit_conn modules? It is a recommended and effective approach to mitigate DOS attacks.
Hello,
in my case I do not want to limit somehow the number of requests, I avoid them 100%. limit_req
and limit_conn
will not help here. What I did at the end was to modify the code of the webserver, which receives the requests from nginx and executes cgi-bin/z.
It would be better, if Nginx/njs had this option to limit traffic.
Greetings // Dilyan
I want to mitigate a DOS attack by filtering incoming requests based on some criteria. If the criteria are met, then the request processing should continue (POST should be passed to
proxy_pass
). If the criteria are not met, then I can return “200 Hello World!”, redirect to another page, or somehow avoid further handling. My current configuration does useproxy_pass
and works very good, except it cannot filter requests based on the desired criteria.Is it possible to inspect the body of a HTTP request, and if it is OK, then to process the command in the Nginx configuration just after the NJS checks were done (thus handle the lines after js_content, like proxy_pass) ? Should the inspection be done in
js_content
and what shall be executed in the script: to continue with the next directive in the nginx configuration, or to abort with “200 Hello World!”?If this is not possible, how should I handle this use case? I had
and this works very good. Now I do instead
a.js
:nginx config
If I call directly
curl -D- http://127.0.0.2/cgi-bin/z?INDEX
there is no location header, but if I run the call over Nginx there is a302 Location: https://server/b?INDEX
header. In the general case, the cgi-bin file will sometimes return and sometimes not return a location header. As /b is internal location, I could rewrite it withproxy_redirect http://127.0.0.2/cgi-bin/z /;
and then the reply to the client contains:302 location: https://server/?INDEX
. This leads to a loop, as reply always has 302 location, the request goes again over "location /", then internalRediect('/b') and so on. Removinginternal
does not help.For me it seems impossible, when Nginx always includes Location header for proxy_pass after a (possibly internal) redirect within Nginx, to avoid sending 302 Location to the client. This locations cause the a.filt to be executed, in order to filter out the DOS attack, doing internal redirect,
If I put in the same location / { js_content …; and proxy_pass …; } then js_content is not executed (even if it contains a single .log() function) and there is no warnings or hints for this by
nginx -t
. I have nginx 1.26.2 with njs 0.8.6.js_content
to work together with and before proxy_pass, so that it can either redirect/rewrite the request to some URL, or continue with proxy_pass.location / { js_content …; and proxy_pass …; }
js_content is not supposed to do anything,nginx -t
should report it.