pls. help for adding another parameter to ngx_upstream_server
mdounin at mdounin.ru
Mon Nov 18 14:09:08 UTC 2013
On Sat, Nov 16, 2013 at 06:31:42PM +0900, moto kawasaki wrote:
> mdounin> > Now, I am struggling to add "setfib=N" parameter to "server" token in
> mdounin> > "upstream" clause, and so far failed.
> mdounin> Could you please point out use cases for such a parameter?
> mdounin> Shouldn't it be something like proxy_bind instead?
> Yes, suppose you are hosting web servers for multiple clients, and
> those clients must be root on their web servers.
> My nginx server sits between their (hosted) web servers and the
> Internet as an HTTP proxy server.
> My current architecture is one nginx node for each client node, which
> is something like this:
> Internet ---+--- nginx_A ------ web_server_A (for client A)
>             +--- nginx_B ------ web_server_B
>             +--- nginx_C ------ web_server_C
> The reason why I use three nginx nodes is to forbid layer-2 attacks
> among clients' nodes, e.g. an ARP spoofing attack from web_server_A to B.
> Then, as the number of clients grows, I have to operate/administer that
> number of nginx nodes. This is O(N), and it is now reaching the upper
> limit (of my time, mainly).
> So I would like to use one nginx node for several clients' nodes, like:
> Internet ------ nginx_X ---+--- web_server_A
>                            +--- web_server_B
>                            +--- web_server_C
> Now, in order to avoid ARP spoofing, web_server_[ABC] are located on
> different tagged VLANs, and nginx_X understands such VLANs as different
> interfaces (e.g. igb0.100, igb0.101, ...).
> But the nginx_X node also does ipfw NAPT (for SSH, SMTP, etc.), and thus
> it does routing (sysctl -w net.inet.ip.forwarding=1).
> So, I want to separate those VLANs using setfib in upstream/server.
> I am sure that this can be achieved by using ipfw ACLs too, but in
> that case I have to take care of the ACLs for all existing clients' nodes
> when adding a new client node.
Well, as far as I can tell there is no reason to do per-server
setfib in this use case, and
should be enough. It should be much easier to implement than what
you are trying to do in your patch.
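The following is an added illustration, not part of the thread and not code from nginx or from either poster: a configuration sketch of the proxy_bind approach Maxim raised, applied to the single-node layout (nginx_X with web_server_[ABC] on separate tagged VLAN interfaces). The addresses, hostnames and the 10.0.10x.0/24 per-VLAN subnets are assumed for illustration; the interface names igb0.100 and igb0.101 come from the quoted message.

```nginx
# Added example (assumed addresses): one nginx node in front of three
# client web servers, each reachable only over its own tagged VLAN.
http {
    # One upstream per client. Each web server sits on its own VLAN
    # subnet, e.g. 10.0.100.0/24 behind igb0.100 (assumed addressing).
    upstream client_a { server 10.0.100.10:80; }
    upstream client_b { server 10.0.101.10:80; }
    upstream client_c { server 10.0.102.10:80; }

    server {
        listen 80;
        server_name a.example.com;
        location / {
            # Outgoing connections to web_server_A use nginx_X's address
            # on the VLAN 100 interface as their source address.
            proxy_bind 10.0.100.1;
            proxy_pass http://client_a;
        }
    }

    server {
        listen 80;
        server_name b.example.com;
        location / {
            # Same pattern for client B on VLAN 101 (igb0.101).
            proxy_bind 10.0.101.1;
            proxy_pass http://client_b;
        }
    }

    server {
        listen 80;
        server_name c.example.com;
        location / {
            proxy_bind 10.0.102.1;
            proxy_pass http://client_c;
        }
    }
}
```

Adding a client in this layout means adding one upstream and one server block; the existing clients' blocks are untouched, which is the O(1)-per-client property the original poster was after. proxy_bind only selects the local source address of the upstream connection; with each web server on a directly connected VLAN subnet, the kernel's route lookup already picks the matching VLAN interface, so the per-client traffic stays on its own segment without per-server setfib.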