Fix proxy_bind with upstreams with keepalive

Maxim Dounin mdounin at
Thu Jan 21 17:55:41 UTC 2021


On Thu, Jan 21, 2021 at 06:24:58PM +0300, Андрей Бич wrote:

>    There was a problem that we encountered: the proxy_bind option is sometimes
>    ignored when keepalive is enabled in the target upstream.
>    In the search for a connection in the cache, the only comparison is with the
>    target address, and the local address set by proxy_bind is ignored.
>    I'd like to propose the following change to fix this issue.
>    Would like to receive your comments.

Thank you for your patch.

Cache of upstream connections only takes into account the address 
of the server it connects to.  If you want to take into account 
other connection-related properties, such as different proxy_bind, 
proxy_socket_keepalive, or various SSL options such as SNI name or 
ciphers/protocols used, you are expected to take care of this 
yourself, either by using different upstream{} blocks, or by not 
using keepalive cache.

Further, taking proxy_bind into account doesn't look right at 
least in some use cases.  For example, consider a configuration 
where connections to a backend are configured to use random source 
IP addresses from a set of IP addresses available on the server
(such configurations are sometimes used to avoid hitting the 64k 
connections limit).  With your patch, checking if source address 
matches the one selected for a particular request will needlessly 
reject some connections.

Maxim Dounin
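
The "different upstream{} blocks" workaround described in the reply above, as an added configuration example; it is not part of the original message or of the nginx sources. The upstream names, paths and all IP addresses (documentation ranges) are constructed placeholders, and the fragment is assumed to sit in the http{} context.

```nginx
# Added example; names and addresses are constructed placeholders.

# Problematic layout: one keepalive cache shared by two locations that use
# different proxy_bind values. The cache matches only on the upstream server
# address, so a connection opened from 192.0.2.10 may be reused for /b/.
#
# upstream backend {
#     server 198.51.100.20:8080;
#     keepalive 16;
# }
# location /a/ { proxy_bind 192.0.2.10; proxy_pass http://backend; }
# location /b/ { proxy_bind 192.0.2.11; proxy_pass http://backend; }

# Workaround: one upstream{} block, and therefore one keepalive cache,
# per source address. Both point at the same backend server.
upstream backend_src_a {
    server 198.51.100.20:8080;
    keepalive 16;
}

upstream backend_src_b {
    server 198.51.100.20:8080;
    keepalive 16;
}

server {
    listen 80;

    # Required for upstream keepalive over HTTP.
    proxy_http_version 1.1;
    proxy_set_header Connection "";

    # The default Host header is $proxy_host, which would now differ between
    # the two upstream names; pin it so the backend sees a consistent value.
    proxy_set_header Host $host;

    location /a/ {
        proxy_bind 192.0.2.10;
        proxy_pass http://backend_src_a;
    }

    location /b/ {
        proxy_bind 192.0.2.11;
        proxy_pass http://backend_src_b;
    }
}
```

The same split applies to the other per-connection properties the reply lists, such as proxy_socket_keepalive or differing SSL settings: each distinct combination needs its own upstream{} block if keepalive is to stay enabled.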
