( Amadeus77 | 2025. 09. 11., cs – 15:10 )

Nos van egy külső nginx proxy vm klént és egy email szerver vm ként nginx-el. WAF nincs.  Memória mindkét vm-en van bőven.

Működés: proxyk újraindítása után nehány percig tökéletesen megy aztán egyre többet kell várni a kliensen a válaszra. Mobilon próbáltam csak köröz meg köröz és valamikor egyszer csak jön válasz.

Külső NGINX conf-ból a releváns részek:

------------------------------------------

# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

error_log /var/log/nginx/error.log;

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        types_hash_max_size 2048;
        # server_tokens off;

        server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

# configuration file /etc/nginx/sites-enabled/sajatdomain.conf:
server {
        listen 80 default;
        server_name sajatdomain.hu;
        access_log /var/log/nginx/access-sajatdomain.log;

        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header Host $http_host;
            proxy_pass http://[websrv ip]/;
        }

}

server {
        listen 443 ssl http2;
        server_name mail.sajatdomain.hu;
        access_log /var/log/nginx/access-sajatdomain.log;
        error_log /var/log/nginx/error-sajatdomain.log info;

        ssl_certificate /etc/letsencrypt/live/sajatdomain.hu-0003/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/sajatdomain.hu-0003/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

        proxy_ssl_verify off;
        include /etc/nginx/templates/activesync.tmpl;
}

# configuration file /etc/letsencrypt/options-ssl-nginx.conf:

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

# configuration file /etc/nginx/templates/activesync.tmpl:
        location ^~ /Microsoft-Server-ActiveSync {
            proxy_pass https://[mailsrv ip]/Microsoft-Server-ActiveSync;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;  #$http_host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            proxy_connect_timeout 3700; 
            proxy_send_timeout 3700;
            proxy_read_timeout 3700;
            proxy_buffers 64 512k;   # Needed since the 2022-04 Update for SOGo

            proxy_buffer_size 128k;
            proxy_busy_buffers_size 512k;

#            proxy_http_version 1.1;
        }

Miután kiegészítettem error logot info val kiderült, hogy ez a szerver is dobálja az epoll_wait -et:

2025/09/11 13:44:05 [info] 678915#678915: *1 epoll_wait() reported that client prematurely closed connection, so upstream connection is closed too while reading response header from upstream, client: 87.244.193.30, server: mail.sajatdomain.hu, request: "POST /Microsoft-Server-ActiveSync?Cmd=Ping&User=info%40sajatdomain.hu&DeviceId=androidc1576947619&DeviceType=Android HTTP/1.1", upstream: "https://[mailsrv ip]:443/Microsoft-Server-ActiveSync?Cmd=Ping&User=info%40sajatdomain.hu&DeviceId=androidc1576947619&DeviceType=Android", host: "mail.sajatdomain.hu"

Feltünt hogy itt még a http 1.1 -es.

 

mail server nginx conf:

----------------------------

# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes 1;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/conf-enabled/*.conf;
    include /etc/nginx/sites-enabled/*.conf;
}

# configuration file /etc/nginx/conf-enabled/0-general.conf:
map_hash_bucket_size 1024;

# configuration file /etc/nginx/conf-enabled/cache.conf:
map $sent_http_content_type $expires {
    default                     off;
    application/x-javascript    1d;
    text/css                    1d;
    ~image/                     1d;
}

expires $expires;

# configuration file /etc/nginx/conf-enabled/client_max_body_size.conf:
client_max_body_size 12m;

# configuration file /etc/nginx/conf-enabled/default_type.conf:
default_type application/octet-stream;

# configuration file /etc/nginx/conf-enabled/gzip.conf:
gzip on;
gzip_vary on;
gzip_http_version 1.0;
gzip_comp_level 2;
gzip_min_length 10240;

gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css text/xml text/javascript text/json application/json application/x-javascript application/xml application/xml+rss;

gzip_disable "MSIE [1-6]\.";

# configuration file /etc/nginx/conf-enabled/headers.conf:
add_header X-Frame-Options sameorigin;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection '1; mode=block';
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'";
add_header Referrer-Policy strict-origin;

 

# configuration file /etc/nginx/sites-enabled/sajatdomain_hu.conf:

server {
#    listen 443 ssl;
#    listen [::]:443 ssl;
    listen 443 ssl;
    server_name mail.sajatdomain.hu;

    access_log /var/log/nginx/sajatdomain-access-443.log;
    error_log /var/log/nginx/sajatdomain-error-443.log info;

    root /var/www/html;
    index index.php index.html;

    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;
    include /etc/nginx/templates/roundcube.tmpl;
    include /etc/nginx/templates/sogo.tmpl;
    include /etc/nginx/templates/netdata.tmpl;
    include /etc/nginx/templates/php-catchall.tmpl;
    include /etc/nginx/templates/stub_status.tmpl;
    include /etc/nginx/templates/autoconfig.tmpl;
}

 

# configuration file /etc/nginx/templates/ssl.tmpl:
ssl_protocols TLSv1.2;

# Fix 'The Logjam Attack'.
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/dh2048_param.pem;
ssl_certificate /etc/ssl/certs/cert.crt;
ssl_certificate_key /etc/ssl/private/cert.key;

 

# configuration file /etc/nginx/templates/sogo.tmpl:

location ^~ /Microsoft-Server-ActiveSync {
    proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync;

    proxy_connect_timeout 3540; 
    proxy_send_timeout 3540;
    proxy_read_timeout 3540;
    proxy_buffers 64 512k;
    proxy_buffer_size 128k;
    proxy_busy_buffers_size 512k;
}