Dropped https client connection doesn't drop backend proxy_pass connection
mdounin at mdounin.ru
Tue Mar 19 14:54:31 UTC 2013
On Tue, Mar 19, 2013 at 03:45:10PM +1100, Robert Mueller wrote:
> > > When an https client drops it's connection, the upstream http proxy
> > > connection is not dropped. If nginx can't detect an https client
> > > disconnect properly, that must mean it's leaking connection information
> > > internally doesn't it?
> > No. It just can't say if a connection was closed or not as there
> > are pending data in the connection, and it can't read data (there
> > may be a pipelined request). Therefore in this case, being on the
> > safe side, it assumes the connection isn't closed and doesn't try
> > to abort upstream request.
> Oh right I see now.
> So the underlying problem is that the nginx stream layer abstraction
> isn't clean enough to handle low level OS events and then map them
> through the SSL layer to read/write/eof conceptual events as needed.
> Instead you need an OS level "eof" event, which you then assume maps
> through the SSL abstraction layer to a SSL stream eof event.
Not exactly. The underlying problem is that BSD sockets API
doesn't provide standard means to detect EOF without reading all
pending data, and hence OS-specific extensions have to be used to
reliably detect pending EOFs.
> Ok, so I had a look at the kqueue eof handling, and what's needed for
> epoll eof handling, and created a quick patch that seems to work.
> Can you check this out, and see if it looks right. If so, any chance you
> can incorporate it upstream?
> If there's anything you want changed, let me know and I'll try and fix
> it up.
I don't really like what you did in ngx_http_upstream.c. And
there are more places where ev->pending_eof is used, and probably
at least some of these places should be adapted, too.
Additionally, poll_ctl(2) manpage claims the EPOLLRDHUP only
available since Linux 2.6.17, and this suggests it needs some
configure tests/conditional compilation.
Valentin is already worked on this, and I believe he'll be able to
provide a little bit more generic patch.
More information about the nginx