using nginx open source to tunnel https requests to backend set

Brendan Doyle brendan.doyle at oracle.com
Wed Jan 8 22:55:54 UTC 2020


Hi,

So I want to use nginx open source as a load balancer to forward https
requests to a backend set where the TLS is terminated by the application
on the backend servers, i.e. I want to tunnel the TLS traffic. And I'm
wondering about the best approach.

What I'm thinking is that I use the streams module to load balance the TCP
traffic to the backend set.

But my concern is that I need session persistence, else the TLS handshake
might fall between two different backend hosts.

So I'm thinking that I need to use something like:

a)
  upstream backend_hosts {
      ip_hash;
      server host1.example.com;
      server host2.example.com;
      server host3.example.com;
  }

b)
  upstream backend_hosts {
      hash $remote_addr$remote_port consistent;
      server host1.example.com;
      server host2.example.com;
      server host3.example.com;
  }


to ensure session persistence. The disadvantage of a) is that all traffic
from a given IP will always go to the same server, so it is not load
balancing per session per se.

With b) I guess there is more chance of a unique TCP src port per TCP
session, so there will be a better persistent spread.


Thoughts?

Thanks
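
The a) versus b) comparison above, simulated as an added example (not part of the original post and not nginx's own code): a simplified consistent-hash ring keyed first on the client address alone, the idea behind a), and then on address plus source port as in b). The SHA-256 ring, the 160 points per backend and the sample client address are assumptions made for illustration.

```python
import bisect
import hashlib

BACKENDS = ["host1.example.com", "host2.example.com", "host3.example.com"]  # names from the post


def _point(value: str) -> int:
    """Map a string to a position on a 64-bit ring (SHA-256 is an assumption)."""
    return int.from_bytes(hashlib.sha256(value.encode()).digest()[:8], "big")


def build_ring(backends, vnodes=160):
    """Sorted list of (position, backend), with `vnodes` points per backend."""
    return sorted((_point(f"{b}#{i}"), b) for b in backends for i in range(vnodes))


def pick(ring, key: str) -> str:
    """Backend owning the first ring point at or after the key's position."""
    idx = bisect.bisect_left(ring, (_point(key), ""))
    return ring[idx % len(ring)][1]  # wrap around past the last point


def backends_used(ring, connections, with_port: bool):
    """Backends hit by (addr, port) connections under key a) or key b)."""
    return {pick(ring, f"{a}{p}" if with_port else a) for a, p in connections}


def moved_keys(backends, removed, keys):
    """Keys whose backend changes when `removed` leaves the upstream."""
    before = build_ring(backends)
    after = build_ring([b for b in backends if b != removed])
    return [k for k in keys if pick(before, k) != pick(after, k)]


# Constructed sample: one client (documentation address) opening 1000
# connections from different ephemeral source ports.
CONNS = [("198.51.100.7", port) for port in range(40000, 41000)]

if __name__ == "__main__":
    ring = build_ring(BACKENDS)
    print("key a) address only   ->", sorted(backends_used(ring, CONNS, False)))
    print("key b) address + port ->", sorted(backends_used(ring, CONNS, True)))
    keys = [f"{a}{p}" for a, p in CONNS]
    moved = moved_keys(BACKENDS, "host2.example.com", keys)
    print("remapped if host2 is removed:", len(moved), "of", len(keys))
```

Each simulated TCP connection is mapped exactly once, so the output shows how the choice of key changes the spread across backends and how many connections a consistent ring remaps when one backend is removed.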
