[nginx-stable+yubi] NGINX worker process exiting on signal 11 (core dumped) when using yubikey and proxy_pass in a location config
Here is my setup:
Running a web server on a localhost on port 8080.
Using NGINX as a proxy from 443 to this server on port 8080.
This works fine, but I wanted to include two factor authorization using YubiKeys. I found this great version of NGINX with yubikey support (stable) here: https:/
I've run into 3 issues:
1) I put it in the location directive for "/" but it seems to only enforce/prompt for the yubikey on the '/' location, and not on any sub locations (ex: '/sign-in'). The yubikey does not prompt at all if they are moved to the server directive section (above the location).
2) The yubikey authentication works just fine when you're just serving up some default files in the nginx directory, but as soon as I have it proxy_pass to my other server, I get a worker process core dump:
"2015/03/01 06:22:17 [alert] 13510#0: worker process 13523 exited on signal 11 (core dumped)"
It's as if it can't handle passing off to the proxy after validation (whereas with the html files it was serving it had no issues).
3) Not really important in this case, as I just disabled it, but the yubikey module crashes if you enable the SPDY module too.
I have debugging enabled, and would be happy to post it if people want to see it. Also, I'm not sure how to send this question/bug to Thomas, since this is the first time I've posted to Launchpad, so any help with notifying him would be appreciated. Below is the config I'm using:
-------
server_tokens off; # for security-
error_log /var/log/

# this section is needed to proxy web-socket connections
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

# HTTP
server {
    listen 80 default_server; # if this is not a default server, remove "default_server"
    listen [::]:80 default_server ipv6only=on;
    server_name <removed by me>; # this domain must match Common Name (CN) in the SSL certificate
    root /usr/share/
    index index.html index.htm; # this is also irrelevant

    # redirect non-SSL to SSL
    location / {
        rewrite ^ https:/
    }
}

# HTTPS server
server {
    listen 443 ssl;
    # Originally we had spdy enabled here, but it craps out the Yubikey. Can't have both, so for now we pick YUBI
    #listen 443 ssl spdy; # we enable SPDY here
    server_name <removed by me>; # this domain must match Common Name (CN) in the SSL certificate
    root html; # irrelevant
    index index.html; # irrelevant

    ssl_certificate /etc/nginx/
    ssl_

    # performance enhancement for SSL
    ssl_stapling on;
    ssl_
    ssl_

    # safety enhancement to SSL: make sure we actually use a safe cipher
    ssl_
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-

    # config to enable HSTS(HTTP Strict Transport Security) https:/
    # to avoid ssl stripping https:/
    add_header Strict-

    # If your application is not compatible with IE <= 10, this will redirect visitors to a page advising a browser update
    # This works because IE 11 does not present itself as MSIE anymore
    if ($http_user_agent ~ "MSIE" ) {
        return 303 https:/
    }

    # pass all requests to Meteor
    location / {
        proxy_pass http://

        # Yubikey credentials, using the client ID and secret key from when we first set it up
        # auth_yubikey "Restricted Zone";
        # auth_yubikey_
        # auth_yubikey_
        # auth_yubikey_
        # auth_yubikey_file "/etc/yubikey.
        # auth_yubikey_ttl "43200";

        # this setting allows the browser to cache the application in a way compatible with Meteor
        # on every application update the name of CSS and JS file is different, so they can be cached infinitely (here: 30 days)
        # the root path (/) MUST NOT be cached
        if ($uri != '/') {
            expires 30d;
        }
    }
}
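
Added example, not part of the original post or of the nginx/yubikey module code: a small Python check that finds the "exited on signal" alerts quoted in issue 2 in an nginx error log and pairs each one with the last line the crashed worker wrote, which is where to start reading the debug log. The sample log and the function name are constructed for illustration; only the [alert] line comes from the post.

```python
import re

# nginx master-process alert for an abnormal worker exit, e.g.
# 2015/03/01 06:22:17 [alert] 13510#0: worker process 13523 exited on signal 11 (core dumped)
CRASH_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] (?P<master>\d+)#\d+: "
    r"worker process (?P<worker>\d+) exited on signal (?P<sig>\d+)"
    r"(?P<core> \(core dumped\))?"
)
# Any other error-log line: "<date> <time> [level] <pid>#<tid>: <message>"
LINE_RE = re.compile(r"^\S+ \S+ \[\w+\] (?P<pid>\d+)#\d+: (?P<msg>.*)$")

# Constructed sample; only the [alert] line is taken from the post.
SAMPLE_LOG = """\
2015/03/01 06:22:10 [notice] 13510#0: start worker process 13523
2015/03/01 06:22:17 [debug] 13523#0: *1 http proxy header: "GET / HTTP/1.0"
2015/03/01 06:22:17 [alert] 13510#0: worker process 13523 exited on signal 11 (core dumped)
2015/03/01 06:22:17 [notice] 13510#0: start worker process 13530
2015/03/01 06:22:40 [info] 13530#0: *2 client closed connection
"""


def find_worker_crashes(log_text):
    """Return one dict per crashed worker, with the last line that worker logged."""
    last_line_by_pid = {}
    crashes = []
    for line in log_text.splitlines():
        crash = CRASH_RE.match(line)
        if crash:
            worker = int(crash["worker"])
            crashes.append({
                "time": crash["ts"],
                "worker": worker,
                "signal": int(crash["sig"]),
                "core_dumped": crash["core"] is not None,
                # Last message from the worker before it died (None if it logged nothing)
                "last_worker_line": last_line_by_pid.get(worker),
            })
            continue
        entry = LINE_RE.match(line)
        if entry:
            last_line_by_pid[int(entry["pid"])] = entry["msg"]
    return crashes


if __name__ == "__main__":
    for crash in find_worker_crashes(SAMPLE_LOG):
        print(crash)
```
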
Question information
- Language: English
- Status: Solved
- Assignee: No assignee
- Solved by: Thomas Ward