AW: Nginx multiple upstream with different protocols

Kilian Ries mail at kilian-ries.de
Thu Feb 23 10:38:42 UTC 2017 

I think i already tried what you suggested, but that doesn't work because i have to set a specific protocol in the proxy_pass command (http or https). If i have a mixed upstream group like

upstream proxy_backend {
        server xxx.xx.188.53;
        server xxx.xx.188.53:443;

}

 i always get protocol errors like 502 or 400 because i cannot switch between http and https in the proxy_pass command
________________________________
Von: nginx <nginx-bounces at nginx.org> im Auftrag von B.R. via nginx <nginx at nginx.org>
Gesendet: Mittwoch, 22. Februar 2017 18:52:00
An: nginx ML
Cc: B.R.
Betreff: Re: Nginx multiple upstream with different protocols

I suggest you proxy traffic to an upstream group, and then use failure/timeout parameters there with proper tuning to retry requests on the second upstream in case the first in the list fails.
?It will have an overhead if the 1st entry of the upstream group is invalid on initial connection, but hopefully the 'down' status will help limiting that overhead on average.?
---
B. R.

On Wed, Feb 22, 2017 at 5:08 PM, Kilian Ries <mail at kilian-ries.de<mailto:mail at kilian-ries.de>> wrote:

No they cannot be the same (sadly) because i dont't know how the upstream is serving the content. Think of a situation where i am not in control of the upstream backends and they may change from http to https over time.

________________________________
Von: nginx <nginx-bounces at nginx.org<mailto:nginx-bounces at nginx.org>> im Auftrag von Cox, Eric S <eric.cox at kroger.com<mailto:eric.cox at kroger.com>>
Gesendet: Mittwoch, 22. Februar 2017 15:58:26
An: nginx at nginx.org<mailto:nginx at nginx.org>
Betreff: RE: Nginx multiple upstream with different protocols

If you are SSL on the frontend (server directive) why would you want to proxy between ssl/non-ssl on the upstreams? Can they not be the same? I don't get what you are trying to solve?

From: nginx [mailto:nginx-bounces at nginx.org<mailto:nginx-bounces at nginx.org>] On Behalf Of Kilian Ries
Sent: Wednesday, February 22, 2017 9:55 AM
To: nginx at nginx.org<mailto:nginx at nginx.org>
Subject: Nginx multiple upstream with different protocols


Hi,



i'm trying to setup two Nginx upstreams (one with HTTP and one with HTTPS) and the proxy_pass module should decide which of the upstreams is serving "valid" content.



The config should look like this:



upstream proxy_backend {

        server xxx.xx.188.53;

        server xxx.xx.188.53:443;

}



server {

        listen 443 ssl;

        ...

        location / {

                proxy_pass http://proxy_backend<https://urldefense.proofpoint.com/v2/url?u=http-3A__proxy-5Fbackend&d=DwMFAw&c=WUZzGzAb7_N4DvMsVhUlFrsw4WYzLoMP5bgx2U7ydPE&r=20GRp3QiDlDBgTH4mxQcOIMPCXcNvWGMx5Y0qmfF8VE&m=ggR0dMpbDQRqzdhj1Aoq_FUpo8iYplzYiTPyRlQMs9Y&s=wcDWb0xGOKhBVtan1kM5-AVvxNT0ZMnUT9r-yLbyjAQ&e=>;

                #proxy_pass https://proxy_backend<https://urldefense.proofpoint.com/v2/url?u=https-3A__proxy-5Fbackend&d=DwMFAw&c=WUZzGzAb7_N4DvMsVhUlFrsw4WYzLoMP5bgx2U7ydPE&r=20GRp3QiDlDBgTH4mxQcOIMPCXcNvWGMx5Y0qmfF8VE&m=ggR0dMpbDQRqzdhj1Aoq_FUpo8iYplzYiTPyRlQMs9Y&s=ztdy1u_d7Ag0QPBnpk1R-LazdfexcrTnljKLZet4VFA&e=>;

        }

     }





The Problem is that i don't know if the upstream is serving the content via http or https. Is there any possibility to tell nginx to change the protocol from the proxy_pass directive? Because if i set proxy_pass to https, i get an error (502 / 400) if the upstream website is running on http and vice versa.



So i'm searching for a way to let Nginx decide if he should proxy_pass via http or https. Can anybody help me with that configuration?



Thanks

Greets

Kilian

________________________________

This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain information that is confidential and protected by law from unauthorized disclosure. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

_______________________________________________
nginx mailing list
nginx at nginx.org<mailto:nginx at nginx.org>
http://mailman.nginx.org/mailman/listinfo/nginx

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170223/ff528de6/attachment-0001.html>

More information about the nginx mailing list