pls. help for adding another parameter to ngx_upstream_server

Maxim Dounin mdounin at
Mon Nov 18 14:09:08 UTC 2013


On Sat, Nov 16, 2013 at 06:31:42PM +0900, moto kawasaki wrote:


> mdounin> > Now, I am struggling to add "setfib=N" parameter to "server" token in
> mdounin> > "upstream" clause, and so far failed.
> mdounin> 
> mdounin> Could you please point out use cases for such a parameter?  
> mdounin> Shouldn't it be something like proxy_bind instead?
> Yes, suppose you are hosting web servers for multiple clients, and
> those clients requires to be root on their web servers.
> My nginx server locates between their (hosted) web servers and the
> Internet as http proxy server.
> My current architecture is one nginx node for each client node, which
> is something like this.
>     Internet ---+--- nginx_A ------ web_server_A (for client A)
>                 |
>                 +--- nginx_B ------ web_server_B
>                 |
>                 +--- nginx_C ------ web_server_C
> The reasen why I use three nginx nodes is to forbid layer2 attack
> among clients' nodes. ex.) ARP spoofing attack from web_server_A to B.
> Then, as number of clients grows, I have to operate/administer that
> number of nginx nodes. This is O(N), and now it is reaching the upper
> limit (of my time mainly).
> So I would like to use one nginx node for several clients' nodes, like
> this:
>     Internet ------ nginx_X ---+--- web_server_A
>                                |
>                                +--- web_server_B
>                                |
>                                +--- web_server_C
> Now, in order to avoid ARP spoofing, web_server_[ABC] locates in
> different tagged VLAN, and nginx_X understand such VLANS as different
> interfaces (ex. igb0.100, igb0.101,...)
> But nginx_X node also does ipfw NAPT (for SSH, SMTP, etc.), and thus
> it do routing (sysctl -w net.inet.ip.forwarding=1).
> So, I want to separate those VLANs using setfib in upstream/server.
> I am sure that this can be achieved by using ipfw ACLs too, but in
> that case I have to take care of ACLs for all existing clients' nodes
> when adding a new client node.

Well, as far as I can tell there is no reasons to do per-server 
setfib in this usecase, and 

    proxy_setfib N;

should be enough.  It should be much easier to implement than what 
you are trying to do in your patch.

Maxim Dounin

More information about the nginx-devel mailing list