pls. help for adding another parameter to ngx_upstream_server

moto kawasaki moto at kawasaki3.org
Sat Nov 16 09:31:42 UTC 2013


Mr. Homutov and Mr. Dounin:

Thank you very much for your quick replies.
I apologize for the lack of information, and also for my laziness in not
testing a simplified configuration -- details follow.

vl> > [emerg] 3848#0: invalid parameter "setfib=5" in /usr/local/etc/nginx/nginx.conf:18
vl> >
vl> > The line 18 of nginx.conf contains setfib=5 (see (a) above.)
vl> 
vl> can you please show full configuration?

This is quite a useful suggestion, since after I cut the surplus lines
from my nginx.conf, nginx seems to have stopped aborting with the emerg message.

I am so embarrassed that I did not try this simplified configuration.

Even now, I cannot reach upstream yet, nor see any packets on the
interface.
Therefore, it doesn't work yet, but please give me some time to check
out what happens inside.


vl> > This "uscf->flags" has been set in the function
vl> >        ngx_http_upstream() at line 4434;
vl> 
vl> you are expected to enable specific flags in each balancing module that supports
vl> it. For example, ip_hash module doesn't support 'backup' flag and thus does
vl> not set 'NGX_HTTP_UPSTREAM_BACKUP' in ngx_http_upstream_ip_hash().
vl>
vl> I suggest that you have specified something different from the default balancer
vl> and thus got this error, since your patch doesn't allow this parameter in it.

I guess setting that flag is done at line 4434 of
http/ngx_http_upstream.c, with uscf = ngx_upstream_add()
http://lxr.evanmiller.org/http/source/http/ngx_http_upstream.c#L4415

If true, I do want to set NGX_HTTP_UPSTREAM_SETFIB here, and did so.

mdounin> > Now, I am struggling to add "setfib=N" parameter to "server" token in
mdounin> > "upstream" clause, and so far failed.
mdounin> 
mdounin> Could you please point out use cases for such a parameter?  
mdounin> Shouldn't it be something like proxy_bind instead?

Yes, suppose you are hosting web servers for multiple clients, and
those clients need to be root on their web servers.
My nginx server is located between their (hosted) web servers and the
Internet as an HTTP proxy server.

My current architecture is one nginx node for each client node, which
looks something like this.

    Internet ---+--- nginx_A ------ web_server_A (for client A)
                |
                +--- nginx_B ------ web_server_B
                |
                +--- nginx_C ------ web_server_C

The reason why I use three nginx nodes is to forbid layer 2 attacks
among clients' nodes, e.g. an ARP spoofing attack from web_server_A to B.

Then, as the number of clients grows, I have to operate/administer that
number of nginx nodes. This is O(N), and now it is reaching the upper
limit (of my time mainly).

So I would like to use one nginx node for several clients' nodes, like
this:

    Internet ------ nginx_X ---+--- web_server_A
                               |
                               +--- web_server_B
                               |
                               +--- web_server_C

Now, in order to avoid ARP spoofing, web_server_[ABC] are located in
different tagged VLANs, and nginx_X understands such VLANs as different
interfaces (e.g. igb0.100, igb0.101, ...)

But the nginx_X node also does ipfw NAPT (for SSH, SMTP, etc.), and thus
it does routing (sysctl -w net.inet.ip.forwarding=1).

So, I want to separate those VLANs using setfib in upstream/server.
I am sure that this can be achieved by using ipfw ACLs too, but in
that case I have to take care of ACLs for all existing clients' nodes
when adding a new client node.
# Uh, I like configuring nginx much more than configuring ipfw :-)




Now, thank you two (and others) very much!!

I will check the behavior of nginx with simplified configuration,
and perhaps shall come back with questions.


Best Regards.


-- 
moto kawasaki <moto at kawasaki3.org>
