Dropped https client connection doesn't drop backend proxy_pass connection

Maxim Dounin mdounin at mdounin.ru
Sat Mar 16 23:49:01 UTC 2013


On Sat, Mar 16, 2013 at 09:32:27AM +1100, Robert Mueller wrote:

> > In case of https, in many (most) cases there are pending data - 
> > due to various SSL packets send during connection close.  This 
> > means connection close detection with https doesn't work unless 
> > you use kqueue.
> > 
> > Further reading:
> > 
> > http://mailman.nginx.org/pipermail/nginx/2011-June/027672.html
> > http://mailman.nginx.org/pipermail/nginx/2011-November/030630.html
> These reports appear to relate to SSL upstream connections (both refer
> to ngx_http_upstream_check_broken_connection). I'm talking about an SSL
> client connection, with a plain http upstream connection.

Both are about client connections.  The 
ngx_http_upstream_check_broken_connection() function is here to 
check if client is disconnected or not.

> When an https client drops it's connection, the upstream http proxy
> connection is not dropped. If nginx can't detect an https client
> disconnect properly, that must mean it's leaking connection information
> internally doesn't it?

No.  It just can't say if a connection was closed or not as there 
are pending data in the connection, and it can't read data (there 
may be a pipelined request).  Therefore in this case, being on the 
safe side, it assumes the connection isn't closed and doesn't try 
to abort upstream request.

Maxim Dounin

More information about the nginx mailing list