pls. help for adding another parameter to ngx_upstream_server
Maxim Dounin
mdounin at mdounin.ru
Mon Nov 18 14:09:08 UTC 2013
Hello!
On Sat, Nov 16, 2013 at 06:31:42PM +0900, moto kawasaki wrote:
[...]
> mdounin> > Now, I am struggling to add "setfib=N" parameter to "server" token in
> mdounin> > "upstream" clause, and so far failed.
> mdounin>
> mdounin> Could you please point out use cases for such a parameter?
> mdounin> Shouldn't it be something like proxy_bind instead?
>
> Yes, suppose you are hosting web servers for multiple clients, and
> those clients require to be root on their web servers.
> My nginx server is located between their (hosted) web servers and the
> Internet as an HTTP proxy server.
>
> My current architecture is one nginx node for each client node, which
> is something like this.
>
> Internet ---+--- nginx_A ------ web_server_A (for client A)
>             |
>             +--- nginx_B ------ web_server_B
>             |
>             +--- nginx_C ------ web_server_C
>
> The reason why I use three nginx nodes is to forbid layer-2 attacks
> among clients' nodes, e.g. an ARP spoofing attack from web_server_A to B.
>
> Then, as the number of clients grows, I have to operate/administer that
> number of nginx nodes. This is O(N), and now it is reaching the upper
> limit (of my time, mainly).
>
> So I would like to use one nginx node for several clients' nodes, like
> this:
>
> Internet ------ nginx_X ---+--- web_server_A
>                            |
>                            +--- web_server_B
>                            |
>                            +--- web_server_C
>
> Now, in order to avoid ARP spoofing, web_server_[ABC] are located in
> different tagged VLANs, and nginx_X understands such VLANs as different
> interfaces (ex. igb0.100, igb0.101, ...)
>
> But the nginx_X node also does ipfw NAPT (for SSH, SMTP, etc.), and thus
> it does routing (sysctl -w net.inet.ip.forwarding=1).
>
> So, I want to separate those VLANs using setfib in upstream/server.
> I am sure that this can be achieved by using ipfw ACLs too, but in
> that case I have to take care of ACLs for all existing clients' nodes
> when adding a new client node.
Well, as far as I can tell there is no reason to do per-server
setfib in this use case, and

    proxy_setfib N;

should be enough. It should be much easier to implement than what
you are trying to do in your patch.
--
Maxim Dounin
http://nginx.org/en/donation.html
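For readers following the thread, the following is an added example (not code from nginx or from either participant) of what a connection-level "setfib" for an upstream connection amounts to on FreeBSD: the SO_SETFIB socket option is applied to the outgoing socket before connect(), at the same point where a proxy_bind-style bind() would go, because connect() is what performs the route lookup. The proxy_setfib directive is only a proposal in this thread, not a shipped nginx directive, and the function names below (setfib_supported, socket_setfib, connect_via_fib) are this example's own. SO_SETFIB exists only on FreeBSD; on other systems the block still compiles but reports ENOTSUP for any non-default FIB.

```c
/* Added example, not nginx code: choosing the routing table (FIB) for an
 * outgoing TCP connection on FreeBSD via SO_SETFIB. On platforms without
 * SO_SETFIB the code compiles and reports ENOTSUP for a non-zero fib. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* 1 if this platform has the FreeBSD SO_SETFIB socket option, else 0. */
int setfib_supported(void)
{
#ifdef SO_SETFIB
    return 1;
#else
    return 0;
#endif
}

/* Attach socket fd to routing table `fib`. Returns 0 on success, -1 with
 * errno set: EINVAL for a negative fib, ENOTSUP where SO_SETFIB is absent,
 * otherwise whatever setsockopt() reports (e.g. EINVAL if fib >= net.fibs). */
int socket_setfib(int fd, int fib)
{
    if (fib < 0) {
        errno = EINVAL;
        return -1;
    }
#ifdef SO_SETFIB
    return setsockopt(fd, SOL_SOCKET, SO_SETFIB, &fib, sizeof(fib));
#else
    (void) fd;
    errno = ENOTSUP;
    return -1;
#endif
}

/* Open a TCP connection to ip:port routed through table `fib` (0 is the
 * default table). Returns the connected fd, or -1 with errno set. */
int connect_via_fib(const char *ip, unsigned short port, int fib)
{
    struct sockaddr_in sin;
    int fd, saved;

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1) {
        errno = EINVAL;
        return -1;
    }

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    /* The FIB must be chosen before connect(): connect() does the route
     * lookup for the peer, and the socket otherwise inherits the FIB of
     * the process (whatever it was started under with setfib(1)). */
    if (setfib_supported() || fib != 0) {
        if (socket_setfib(fd, fib) < 0) {
            saved = errno;
            close(fd);
            errno = saved;
            return -1;
        }
    }

    if (connect(fd, (struct sockaddr *) &sin, sizeof(sin)) < 0) {
        saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    /* usage: ./setfib_connect <ipv4> <port> <fib> */
    const char *ip = argc > 1 ? argv[1] : "127.0.0.1";
    int port = argc > 2 ? atoi(argv[2]) : 80;
    int fib = argc > 3 ? atoi(argv[3]) : 0;
    int fd = connect_via_fib(ip, (unsigned short) port, fib);

    if (fd < 0) {
        fprintf(stderr, "connect_via_fib(%s:%d, fib %d): %s\n",
                ip, port, fib, strerror(errno));
        return 1;
    }
    printf("connected to %s:%d via fib %d\n", ip, port, fib);
    close(fd);
    return 0;
}
```

Per-location, the directive Maxim sketches would hand `fib` to this step for every upstream connection made from that location, which is all the isolation the quoted setup needs; a per-server value in the upstream block would only matter if two servers of one upstream had to live in different routing tables. Note that the FIB must already exist (net.fibs) and have a route to the upstream, and that it does nothing against a client that can reach the nginx node's other VLAN interfaces through forwarding; that remains an ipfw/forwarding policy question.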