Fix proxy_bind with upstreams with keepalive
Maxim Dounin
mdounin at mdounin.ru
Thu Jan 21 17:55:41 UTC 2021
Hello!
On Thu, Jan 21, 2021 at 06:24:58PM +0300, Андрей Бич wrote:
> There was a problem that we encountered: the proxy_bind option is sometimes
> ignored when keepalive is enabled in the target upstream.
> When searching for a connection in the cache, the only comparison is with the
> target address, and the local address set by proxy_bind is ignored.
> I'd like to propose the following change to fix this issue.
> Would like to receive your comments.
Thank you for your patch.
Cache of upstream connections only takes into account the address
of the server it connects to. If you want to take into account
other connection-related properties, such as different proxy_bind,
proxy_socket_keepalive, or various SSL options such as SNI name or
ciphers/protocols used, you are expected to take care of this
yourself, either by using different upstream{} blocks, or by not
using keepalive cache.
Further, taking proxy_bind into account doesn't look right at
least in some use cases. For example, consider a configuration
where connections to a backend are configured to use random source
IP addresses from a set of IP addresses available on the server
(such configurations are sometimes used to avoid hitting the 64k
connections limit). With your patch, checking if source address
matches the one selected for a particular request will needlessly
reject some connections.
--
Maxim Dounin
http://mdounin.ru/
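
The workaround named in the reply above (a separate upstream{} block for each proxy_bind value) next to the shared-cache layout it replaces, as an added nginx configuration example. It is not part of the original message; the upstream names, ports and addresses are constructed.

```nginx
# Added example; goes inside http{}. All names and addresses are constructed.

# Weak: both locations share one keepalive cache, which is keyed only by
# the server address. An idle connection opened from 192.0.2.10 can be
# reused for /b/, so proxy_bind 192.0.2.20 is not honoured for that request.
upstream shared_backend {
    server 198.51.100.5:8080;
    keepalive 16;
}

server {
    listen 8080;
    proxy_http_version 1.1;          # needed for upstream keepalive
    proxy_set_header Connection "";
    location /a/ {
        proxy_bind 192.0.2.10;
        proxy_pass http://shared_backend;
    }
    location /b/ {
        proxy_bind 192.0.2.20;
        proxy_pass http://shared_backend;
    }
}

# Corrected: one upstream{} block, and so one keepalive cache, per source address.
upstream backend_from_10 {
    server 198.51.100.5:8080;
    keepalive 16;
}
upstream backend_from_20 {
    server 198.51.100.5:8080;
    keepalive 16;
}

server {
    listen 8081;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    location /a/ {
        proxy_bind 192.0.2.10;
        proxy_pass http://backend_from_10;
    }
    location /b/ {
        proxy_bind 192.0.2.20;
        proxy_pass http://backend_from_20;
    }
}
```

The same split applies to the other per-connection properties the reply lists, such as proxy_socket_keepalive or differing SSL options.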