<div dir="auto">Hi Roman,<div dir="auto">Thanks for the suggestion. Let me get the debugging log up and retest again.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Feb 20, 2024, 1:02 AM Roman Arutyunyan <<a href="mailto:arut@nginx.com">arut@nginx.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
On Mon, Feb 19, 2024 at 04:24:04PM +0800, Kin Seng wrote:<br>
> My current nginx setup always kill the TCP connection after 5 minutes of<br>
> inactivity, i.e no transaction.<br>
> [From wireshark, nginx send RST to upstream server and then send FIN,ACK to<br>
> downstream client]<br>
<br>
This could be the normal behavior if you had 'proxy_timeout 5m;' in your config.<br>
But since apparently you have 86400s as proxy timeout value, something else is<br>
going on.<br>
<br>
Could you provide more details like debug log for example?<br>
<br>
> I have this setup which requires TLS1.2 connection connecting from my<br>
> internal network [client application] to public network [server]. It only<br>
> use TCP ports (not http/https) and establish with a server located at<br>
> public network. The client application does not support TLS1.2 connection<br>
> hence the introduction of nginx proxy/reverse proxy for TLS wrapping<br>
> purpose. You may refer below :<br>
> <br>
> Internal Network<br>
> | INTERNET/Public<br>
> [Client Application] <-----> [NGINX Reverse Proxy] <--- | ---> [Public<br>
> Server]<br>
> <Non TLS TCP Traffic> <TLS 1.2><br>
> <br>
> <br>
> - using stream module<br>
> - no error shown in nginx error log<br>
> - access log showing TCP 200 Status but the session only last 300s<br>
> everytime. [Recorded in the access_log]<br>
> <br>
> Below is my nginx configuration<br>
> <br>
> # more nginx.conf<br>
> <br>
> user nginx;<br>
> worker_processes auto;<br>
> error_log /var/log/nginx/error.log;<br>
> pid /run/nginx.pid;<br>
> <br>
> # Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.<br>
> include /usr/share/nginx/modules/*.conf;<br>
> <br>
> events {<br>
> worker_connections 2048;<br>
> }<br>
> <br>
> stream {<br>
> resolver 127.0.0.1;<br>
> include /etc/nginx/conf.d/*.conf;<br>
> <br>
> log_format basic '$remote_addr [$time_local] '<br>
> '$protocol $status $bytes_sent $bytes_received '<br>
> '$session_time $upstream_addr'<br>
> '"$upstream_bytes_sent" "$upstream_bytes_received"<br>
> "$upstream_connect_time"';<br>
> <br>
> access_log /var/log/nginx/stream.access.log basic;<br>
> <br>
> error_log log_file;<br>
> error_log /var/log/nginx/error_log;<br>
> <br>
> server {<br>
> listen 35012;<br>
> proxy_pass X.X.X.X:35012;<br>
> proxy_timeout 86400s;<br>
> proxy_connect_timeout 1200s;<br>
> proxy_socket_keepalive on;<br>
> ssl_session_cache shared:SSL:5m;<br>
> ssl_session_timeout 30m;<br>
> <br>
> # For securing TCP Traffic with upstream servers.<br>
> proxy_ssl on;<br>
> proxy_ssl_certificate /etc/ssl/certs/backend.crt;<br>
> proxy_ssl_certificate_key /etc/ssl/certs/backend.key;<br>
> proxy_ssl_protocols TLSv1.2;<br>
> proxy_ssl_ciphers HIGH:!aNULL:!MD5;<br>
> <br>
> # proxy_ssl_trusted_certificate /etc/ssl/certs/trusted_ca_cert.crt;<br>
> # proxy_ssl_verify on;<br>
> proxy_ssl_verify_depth 2;<br>
> <br>
> #To have NGINX proxy previously negotiated connection parameters and use a<br>
> so-called abbreviated handshake - Fast<br>
> proxy_ssl_session_reuse on;<br>
> <br>
> }<br>
> }<br>
> <br>
> <br>
> After capturing the tcp packet and check via wireshark, I found out that<br>
> the nginx is sending out the RST to the public server and then send FIN/ACK<br>
> (refer attached pcap picture) to client application.<br>
> <br>
> I have tried to enable keepalive related parameters as per the nginx config<br>
> above and also check on the OS's TCP tunable and i could not find any<br>
> related settings which make NGINX to kill the TCP connection.<br>
> <br>
> Anyone encountering the same issues?<br>
<br>
> _______________________________________________<br>
> nginx mailing list<br>
> <a href="mailto:nginx@nginx.org" target="_blank" rel="noreferrer">nginx@nginx.org</a><br>
> <a href="https://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer noreferrer" target="_blank">https://mailman.nginx.org/mailman/listinfo/nginx</a><br>
<br>
--<br>
Roman Arutyunyan<br>
_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org" target="_blank" rel="noreferrer">nginx@nginx.org</a><br>
<a href="https://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer noreferrer" target="_blank">https://mailman.nginx.org/mailman/listinfo/nginx</a><br>
</blockquote></div>