<div dir="ltr"><div class="gmail_default" style="font-size:small;color:rgb(51,51,153)">I suggest you proxy traffic to an upstream group, and then use failure/timeout parameters there with proper tuning to retry requests on the second upstream in case the first in the list fails.<br></div><div class="gmail_extra"><div style="font-size:small;color:rgb(51,51,153)" class="gmail_default">It will have an overhead if the 1st entry of the upstream group is invalid on initial connection, but hopefully the 'down' status will help limiting that overhead on average.</div><div><div class="gmail_signature" data-smartmail="gmail_signature"><font size="1"><span style="color:rgb(102,102,102)">---<br></span><b><span style="color:rgb(102,102,102)">B. R.</span></b><span style="color:rgb(102,102,102)"></span></font></div></div>
<br><div class="gmail_quote">On Wed, Feb 22, 2017 at 5:08 PM, Kilian Ries <span dir="ltr"><<a href="mailto:mail@kilian-ries.de" target="_blank">mail@kilian-ries.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US">
<div id="m_-1893229326221018781divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif">
<p>No they cannot be the same (sadly) because i dont't know how the upstream is serving the content. Think of a situation where i am not in control of the upstream backends and they may change from http to https over time.</p>
</div>
<hr style="display:inline-block;width:98%">
<div id="m_-1893229326221018781divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" color="#000000" face="Calibri, sans-serif"><b>Von:</b> nginx <<a href="mailto:nginx-bounces@nginx.org" target="_blank">nginx-bounces@nginx.org</a>> im Auftrag von Cox, Eric S <<a href="mailto:eric.cox@kroger.com" target="_blank">eric.cox@kroger.com</a>><br>
<b>Gesendet:</b> Mittwoch, 22. Februar 2017 15:58:26<br>
<b>An:</b> <a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>
<b>Betreff:</b> RE: Nginx multiple upstream with different protocols</font>
<div> </div>
</div><div><div class="h5">
<div>
<div class="m_-1893229326221018781WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">If you are SSL on the frontend (server directive) why would you want to proxy between ssl/non-ssl on the upstreams? Can they not be the same? I don’t get what
you are trying to solve?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> nginx [mailto:<a href="mailto:nginx-bounces@nginx.org" target="_blank">nginx-bounces@nginx.<wbr>org</a>]
<b>On Behalf Of </b>Kilian Ries<br>
<b>Sent:</b> Wednesday, February 22, 2017 9:55 AM<br>
<b>To:</b> <a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>
<b>Subject:</b> Nginx multiple upstream with different protocols<u></u><u></u></span></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<div id="m_-1893229326221018781divtagdefaultwrapper">
<p><span style="font-family:"Calibri","sans-serif";color:black">Hi,<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">i'm trying to setup two Nginx upstreams (one with HTTP and one with HTTPS) and the proxy_pass module should decide which of the upstreams is serving "valid" content.<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">The config should look like this:<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">upstream proxy_backend {<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"> server xxx.xx.188.53;<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"> server xxx.xx.188.53:443;<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">}<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">server {<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"> listen 443 ssl;<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"> ...<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"> location / {<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"> proxy_pass
<a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__proxy-5Fbackend&d=DwMFAw&c=WUZzGzAb7_N4DvMsVhUlFrsw4WYzLoMP5bgx2U7ydPE&r=20GRp3QiDlDBgTH4mxQcOIMPCXcNvWGMx5Y0qmfF8VE&m=ggR0dMpbDQRqzdhj1Aoq_FUpo8iYplzYiTPyRlQMs9Y&s=wcDWb0xGOKhBVtan1kM5-AVvxNT0ZMnUT9r-yLbyjAQ&e=" id="m_-1893229326221018781LPlnk114613" target="_blank">
http://proxy_backend</a>;<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"> #proxy_pass
<a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__proxy-5Fbackend&d=DwMFAw&c=WUZzGzAb7_N4DvMsVhUlFrsw4WYzLoMP5bgx2U7ydPE&r=20GRp3QiDlDBgTH4mxQcOIMPCXcNvWGMx5Y0qmfF8VE&m=ggR0dMpbDQRqzdhj1Aoq_FUpo8iYplzYiTPyRlQMs9Y&s=ztdy1u_d7Ag0QPBnpk1R-LazdfexcrTnljKLZet4VFA&e=" id="m_-1893229326221018781LPlnk248790" target="_blank">
https://proxy_backend</a>;<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"> }<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"> }<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">The Problem is that i don't know if the upstream is serving the content via http or https. Is there any possibility to tell nginx to change the protocol from the proxy_pass directive? Because if
i set proxy_pass to https, i get an error (502 / 400) if the upstream website is running on http and vice versa.<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">So i'm searching for a way to let Nginx decide if he should proxy_pass via http or https. Can anybody help me with that configuration?<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black"><u></u> <u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">Thanks <u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">Greets<u></u><u></u></span></p>
<p><span style="font-family:"Calibri","sans-serif";color:black">Kilian<u></u><u></u></span></p>
</div>
</div>
<br>
<hr>
<font size="2" color="Gray" face="Arial"><br>
This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain information that is confidential and protected by law from unauthorized disclosure. Any unauthorized review, use, disclosure or distribution is
prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.<br>
</font></div>
</div></div></div>
<br>______________________________<wbr>_________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/<wbr>mailman/listinfo/nginx</a><br></blockquote></div><br></div></div>