<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: &quot;Segoe UI&quot;, &quot;Segoe UI Web (West European)&quot;, &quot;Helvetica Neue&quot;, sans-serif; font-size: 11pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Greetings nginx,</div>
<div style="font-family: &quot;Segoe UI&quot;, &quot;Segoe UI Web (West European)&quot;, &quot;Helvetica Neue&quot;, sans-serif; font-size: 11pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: &quot;Segoe UI&quot;, &quot;Segoe UI Web (West European)&quot;, &quot;Helvetica Neue&quot;, sans-serif; font-size: 11pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<div>nginx version: nginx/1.18.0 running on an AWS EC2 instance with an Amazon Linux 2 AMI.</div>
<div><br>
</div>
<div>Using this nginx.conf for reverse proxy and mutual authentication of some specialized mobile devices.<br>
</div>
<div><br>
</div>
<pre>
server {
    listen 443 ssl;
    server_name serviceapi.company.com;
    root /usr/share/nginx/html/....;
    index app.php app_dev.php config.php;
    location / {
        proxy_pass https://upstream;
    }

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /etc/pki/nginx/private/...crt;
    ssl_certificate_key /etc/pki/nginx/private/...key;
    ssl_client_certificate /etc/pki/nginx/private/...pem;

    ssl_verify_client on;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_verify_depth 3;
}
</pre>
<div><br>
</div>
<div>This works well but has one critical issue. The proxy_pass directive URL (upstream) is an endpoint in AWS Route 53 defined by an API gateway that is fronted by an ELB. That is, https://upstream resolves to the IPv4 addresses of an ELB in AWS. The issue is that nginx only resolves this endpoint when it starts. Let's say:</div>
<div><br>
</div>
<div>dig upstream +short</div>
<div>1.2.3.4</div>
<div>1.2.3.5</div>
<div><br>
</div>
<div>As long as these two ELB IPs do not change, device traffic gets proxied to upstream without issue. However, if the ELB resource is recreated in AWS and these IPs change:</div>
<div><br>
</div>
<div>dig upstream +short</div>
<div>6.7.8.9</div>
<div>6.7.8.10</div>
<div><br>
</div>
<div>this causes:</div>
<div><br>
</div>
<div>2022/03/04 20:57:21 [error] 18352#0: *30682 connect() failed (111: Connection refused) while connecting to upstream, client: <client_ip>, server: serviceapi.company.com, request: "GET /<path>/pending HTTP/1.1", upstream: "https://1.2.3.4/<path>/pending", host: "<endpoint-used-by-devices>"</div>
<div><br>
</div>
<div>The nginx service has cached 1.2.3.4 at runtime, and the fact that https://upstream now resolves to different IPs has broken the proxy. Restarting the nginx service fixes the issue, since it then resolves https://upstream to the new ELB IPs.</div>
<div><br>
</div>
<div><b>Question-1</b></div>
<div><br>
</div>
<div>Is there a directive to add to our nginx.conf server block that will force nginx to re-resolve its proxy_pass URL upon error? If not upon error, then perhaps at some configurable time interval?</div>
<div><br>
</div>
<div>I have my eye on proxy_cache_use_stale, but I am not sure if this is suited to our use case.</div>
<div><br>
</div>
<div><b>Question-2</b></div>
<div><br>
</div>
The devices using this setup are specialized and testing is not easy. Is there a command line option that will allow a user with SSH access to the EC2 instance where nginx is running to verify what nginx currently has in its cache for https://upstream (i.e., rather than having to wait for a real device to error)? The access.log does not display this information, only the error.log does.<br>
</div>
<div style="font-family: &quot;Segoe UI&quot;, &quot;Segoe UI Web (West European)&quot;, &quot;Helvetica Neue&quot;, sans-serif; font-size: 11pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: &quot;Segoe UI&quot;, &quot;Segoe UI Web (West European)&quot;, &quot;Helvetica Neue&quot;, sans-serif; font-size: 11pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Thanks!</div>
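Added example, not part of the original message: the static proxy_pass form from the post beside a variant that re-resolves the upstream hostname at runtime through nginx's resolver directive, which is what the startup-only resolution behaviour described above calls for. The resolver address is an assumption (169.254.169.253 is the Amazon-provided DNS reachable from inside a VPC; use whatever /etc/resolv.conf on the instance lists), and the ssl_* directives from the post are unchanged and omitted here.

```nginx
# Added example (not the original poster's config). The ssl_* lines from the
# post stay as they are and are left out here for brevity.

# --- As posted: a literal hostname in proxy_pass is resolved once, when the
#     nginx configuration is loaded, and the result is kept until reload ---
server {
    listen 443 ssl;
    server_name serviceapi.company.com;

    location / {
        proxy_pass https://upstream;
    }
}

# --- Re-resolving variant: when proxy_pass contains a variable, nginx cannot
#     resolve the host at load time and instead queries the resolver directive
#     at request time, re-querying once the cached answer expires ---
server {
    listen 443 ssl;
    server_name serviceapi.company.com;

    # ASSUMPTION: Amazon-provided VPC DNS; substitute the address in
    # /etc/resolv.conf. valid=30s caps how long an answer is reused, so a
    # replaced ELB is picked up within 30 seconds regardless of record TTL.
    # ipv6=off skips AAAA lookups for an IPv4-only ELB endpoint.
    resolver 169.254.169.253 valid=30s ipv6=off;
    resolver_timeout 5s;

    location / {
        # A variable holding the scheme and host; with no URI part, the
        # client's request URI is passed through unchanged, as before.
        set $backend "https://upstream";
        proxy_pass $backend;

        # Send SNI to the upstream TLS endpoint; the name defaults to
        # $proxy_host ("upstream"). Optional, kept in case the ELB or API
        # Gateway in front of the service selects its certificate by SNI.
        proxy_ssl_server_name on;
    }
}
```

A reload (nginx -s reload) still picks up the new addresses for the static form, but only the resolver variant tracks an ELB replacement without operator action.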
</body>
</html>