Dropped https client connection doesn't drop backend proxy_pass connection

Maxim Dounin mdounin at mdounin.ru
Sat Mar 16 23:49:01 UTC 2013


Hello!

On Sat, Mar 16, 2013 at 09:32:27AM +1100, Robert Mueller wrote:

> 
> > In case of https, in many (most) cases there are pending data - 
> > due to various SSL packets send during connection close.  This 
> > means connection close detection with https doesn't work unless 
> > you use kqueue.
> > 
> > Further reading:
> > 
> > http://mailman.nginx.org/pipermail/nginx/2011-June/027672.html
> > http://mailman.nginx.org/pipermail/nginx/2011-November/030630.html
> 
> These reports appear to relate to SSL upstream connections (both refer
> to ngx_http_upstream_check_broken_connection). I'm talking about an SSL
> client connection, with a plain http upstream connection.

Both are about client connections.  The 
ngx_http_upstream_check_broken_connection() function is here to 
check if client is disconnected or not.

> When an https client drops it's connection, the upstream http proxy
> connection is not dropped. If nginx can't detect an https client
> disconnect properly, that must mean it's leaking connection information
> internally doesn't it?

No.  It just can't say if a connection was closed or not as there 
are pending data in the connection, and it can't read data (there 
may be a pipelined request).  Therefore in this case, being on the 
safe side, it assumes the connection isn't closed and doesn't try 
to abort upstream request.

-- 
Maxim Dounin
http://nginx.org/en/donation.html



More information about the nginx mailing list