Identifying "Writing" connections in status stub

[Peter Booth]

Vlad,

You might not need to replicate it- you have it happening in production in front of you.
Some questions:

1. When is the last time that your production nginx was restarted?
2. Do you have regular restarts?
3. Is there an obstacle to restarting at some point?
4. Is this a single instance or do you have multiple nginx hosts?
5. What 3rd party models are you using?
6. Is the website in question an enterprise app or something that is internet visible? 

Maxim’s hypothesis of leaking sockets from third party plugin is the simplest, most likely explanation for what you report.

I start from a position of trusting nothing. If you can you capture the output of lsof -i :80 or net stat -ant | grep TCP or a 
similar ss command you can know for certain that your visualization is “telling the truth”
Certainly the line labeled “Writing” looks unusual. Do you know of any site events that might have caused the minimum on
23 July, the spike on 24th, and the step up on 25th July?

Peter 




> On Jul 30, 2017, at 4:09 AM, Vlad K. <nginx-ml at acheronmedia.hr> wrote:
> 
> On 2017-07-30 01:47, Maxim Dounin wrote:
>> It might not be trivial to debug such socket leaks though, and
>> before doing anything else it is in general a good idea to:
>> - make sure you are using latest nginx version, and
>> - the problem is not in a 3rd party module (that is, you can
>>  reproduce it without 3rd party modules).
> 
> It's latest stable, 1.12.1 on FreeBSD.
> 
> Unfortunately I can't remove 3rd party modules as this is production. I have no idea what to do to try replicate that in testing.
> 
> But thanks for your reply.
> 
> 
> 
> -- 
> Vlad K.
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20170730/f94e14a7/attachment-0001.html>