Re: nginx plus with ssl on TCP load balance not work

smith smith.hua at zoom.us
Thu Jun 11 09:03:55 UTC 2015


With info level log enabled.

Found these:

80's log: 
2015/06/11 08:48:18 [info] 12719#0: *449 client 10.0.0.1:1494 connected to 0.0.0.0:80
2015/06/11 08:48:18 [info] 12719#0: *449 proxy 172.31.5.228:17019 connected to 10.0.0.2:80
2015/06/11 08:48:19 [info] 12719#0: *449 upstream disconnected, bytes from/to client:689/7900, bytes from/to upstream:7900/689

It's successful.

443's log: tried several times, it does not work; now the page shows ERR_CONNECTION_CLOSED, still not working

2015/06/11 08:48:28 [info] 12719#0: *451 client 10.0.0.1:1642 connected to 0.0.0.0:80
2015/06/11 08:48:28 [info] 12719#0: *451 proxy 172.31.5.228:26620 connected to 10.0.0.3:80
2015/06/11 08:48:28 [info] 12719#0: *451 upstream disconnected, bytes from/to client:704/452, bytes from/to upstream:452/704
2015/06/11 08:48:28 [info] 12719#0: *453 client 10.0.0.1:1518 connected to 0.0.0.0:443
2015/06/11 08:48:28 [info] 12719#0: *453 proxy 172.31.5.228:17021 connected to 10.0.0.2:80
2015/06/11 08:48:28 [info] 12719#0: *453 upstream disconnected, bytes from/to client:517/0, bytes from/to upstream:0/517
2015/06/11 08:48:28 [info] 12719#0: *455 client 10.0.0.1:2943 connected to 0.0.0.0:443
2015/06/11 08:48:28 [info] 12719#0: *455 proxy 172.31.5.228:26622 connected to 10.0.0.3:80
2015/06/11 08:48:28 [info] 12719#0: *455 upstream disconnected, bytes from/to client:221/0, bytes from/to upstream:0/221
2015/06/11 08:48:28 [info] 12719#0: *457 client 10.0.0.1:2187 connected to 0.0.0.0:443
2015/06/11 08:48:28 [info] 12719#0: *457 proxy 172.31.5.228:17023 connected to 10.0.0.2:80
2015/06/11 08:48:28 [info] 12719#0: *457 upstream disconnected, bytes from/to client:174/0, bytes from/to upstream:0/174
2015/06/11 08:48:28 [info] 12719#0: *459 client 10.0.0.1:2346 connected to 0.0.0.0:443
2015/06/11 08:48:28 [info] 12719#0: *459 proxy 172.31.5.228:26624 connected to 10.0.0.3:80
2015/06/11 08:48:28 [info] 12719#0: *459 upstream disconnected, bytes from/to client:174/0, bytes from/to upstream:0/174
2015/06/11 08:48:29 [info] 12719#0: *461 client 10.0.0.1:2495 connected to 0.0.0.0:443
2015/06/11 08:48:29 [info] 12719#0: *461 proxy 172.31.5.228:17025 connected to 10.0.0.2:80
2015/06/11 08:48:29 [info] 12719#0: *461 upstream disconnected, bytes from/to client:517/0, bytes from/to upstream:0/517
2015/06/11 08:48:29 [info] 12719#0: *463 client 10.0.0.1:3742 connected to 0.0.0.0:443
2015/06/11 08:48:29 [info] 12719#0: *463 proxy 172.31.5.228:26626 connected to 10.0.0.3:80
2015/06/11 08:48:29 [info] 12719#0: *463 upstream disconnected, bytes from/to client:221/0, bytes from/to upstream:0/221
2015/06/11 08:48:29 [info] 12719#0: *465 client 10.0.0.1:3743 connected to 0.0.0.0:443
2015/06/11 08:48:29 [info] 12719#0: *465 proxy 172.31.5.228:17027 connected to 10.0.0.2:80
2015/06/11 08:48:29 [info] 12719#0: *465 upstream disconnected, bytes from/to client:174/0, bytes from/to upstream:0/174
2015/06/11 08:48:29 [info] 12719#0: *467 client 10.0.0.1:2343 connected to 0.0.0.0:443
2015/06/11 08:48:29 [info] 12719#0: *467 proxy 172.31.5.228:26628 connected to 10.0.0.3:80
2015/06/11 08:48:29 [info] 12719#0: *467 upstream disconnected, bytes from/to client:174/0, bytes from/to upstream:0/174


And on the backend web servers, I found the request is not correct:
10.0.0.1,[11/Jun/2015:08:57:42 +0000],\x16\x03\x01\x02,/,HTTP/0.9,501,0,2030,-, 10.0.0.1

A normal request should be:
172.31.11.248,[11/Jun/2015:09:00:30 +0000],GET,/signin,HTTP/1.1,200,5924,211592,Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.60 Safari/537.36,36.7.69.39, 172.31.11.248

So is that a bug?

-----Original Message-----
From: smith [mailto:smith.hua at zoom.us]
Sent: June 11, 2015 8:35
To: 'nginx at nginx.org'
Subject: Re: nginx plus with ssl on TCP load balance not work

When I tried http ssl, I found I need to set proxy_set_header X-Forwarded-Proto $scheme; in the server block, or it will also encounter ERR_TOO_MANY_REDIRECTS.

Does TCP have the same kind of setting?

-----Original Message-----
From: smith [mailto:smith.hua at zoom.us]
Sent: June 11, 2015 8:28
To: nginx at nginx.org
Subject: Re: nginx plus with ssl on TCP load balance not work

Port 80 is normal, and I tried using http ssl, which also works. I don't know why TCP does not work.

-----Original Message-----
From: nginx-bounces at nginx.org [mailto:nginx-bounces at nginx.org] On Behalf Of Roman Arutyunyan
Sent: June 11, 2015 8:25
To: nginx at nginx.org
Subject: Re: nginx plus with ssl on TCP load balance not work

What about the 80 port of the stream balancer?
Does it proxy the connection normally?

PS: no access log is supported in the stream module.
Connection information (addresses etc) is logged to error log with the info loglevel.

On 11 Jun 2015, at 10:49, smith <smith.hua at zoom.us> wrote:

> Nginx.conf:
>
> user  nginx;
> worker_processes  auto;
> worker_rlimit_nofile 65535;
>
> error_log  /var/log/nginx/error.log warn;
> pid        /var/run/nginx.pid;
>
>
> events {
>    use epoll;
>    worker_connections  65535;
> }
>
>
> http {
>    include       /etc/nginx/mime.types;
>    default_type  application/octet-stream;
>
>    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
>                      '$status $body_bytes_sent "$http_referer" '
>                      '"$http_user_agent" "$http_x_forwarded_for"';
>
>    access_log  /var/log/nginx/access.log  main;
>
>    sendfile        on;
>    #tcp_nopush     on;
>
>    keepalive_timeout  65;
>
>    #gzip  on;
>
>    include /etc/nginx/conf.d/*.conf;
> }
>
>
> stream {
>
>    include /etc/nginx/xxxx.d/*.conf;
> }
>
> And the content in previous email is in xxxx.d/xxxx.conf
>
> There is no file under /etc/nginx/conf.d
>
>
> Thanks.
>
>
> -----Original Message-----
> From: nginx-bounces at nginx.org [mailto:nginx-bounces at nginx.org] On Behalf Of Roman Arutyunyan
> Sent: June 11, 2015 7:45
> To: nginx at nginx.org
> Subject: Re: nginx plus with ssl on TCP load balance not work
>
> Hi,
>
> Could you provide the full config of the nginx/stream balancer?
>
> On 11 Jun 2015, at 09:29, huakaibird <nginx-forum at nginx.us> wrote:
>
>> Hi,
>>
>> I'm using nginx plus with ssl on TCP load balancing, configured like
>> the documentation, but it does not work. (All the IPs below are not
>> real IPs.) I have web servers behind it, I want to use ssl offloading, and
>> I chose TCP load balancing: listen on 443 and proxy to the web servers' 80.
>>
>> Page access always reports ERR_TOO_MANY_REDIRECTS.
>>
>> Error log
>> 2015/06/11 03:00:32 [error] 8362#0: *361 upstream timed out (110: Connection timed out) while connecting to upstream, client: 10.0.0.1, server: 0.0.0.0:443, upstream: "10.0.0.2:443", bytes from/to client:656/0, bytes from/to upstream:0/0
>>
>> 10.0.0.2 this ip is the nginx ip, while it is used as upstream?
>>
>> The configuration is like this, with the real IPs removed
>>
>> server {
>>       listen 80 so_keepalive=30m::10;
>>       proxy_pass backend;
>>       proxy_upstream_buffer 2048k;
>>       proxy_downstream_buffer 2048k;
>>
>>   }
>>
>> server {
>>       listen 443 ssl;
>>       proxy_pass backend;
>>       #proxy_upstream_buffer 2048k;
>>       #proxy_downstream_buffer 2048k;
>>       ssl_certificate     ssl/chained.crt;
>>       #ssl_certificate     ssl/4582cfef411bb.crt;
>>       ssl_certificate_key ssl/zoomus20140410.key;
>>       #ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
>>       #ssl_ciphers         HIGH:!aNULL:!MD5;
>>       ssl_handshake_timeout 3s;
>>       #ssl_session_cache   shared:SSL:20m;
>>       #ssl_session_timeout 4h;
>>
>>   }
>>
>>
>>   upstream backend {
>>       server *.*.*.*:80;
>>       server *.*.*.*:80;
>>   }
>>
>>
>>
>> nginx -v
>> nginx version: nginx/1.7.11 (nginx-plus-r6-p1)
>>
>> And I’m using amazon linux
>> uname -a
>> Linux ip-*.*.*.* 3.14.35-28.38.amzn1.x86_64 #1 SMP Wed Mar 11 22:50:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>>
>>
>> BTW, how do I set an access log for tcp?
>>
>> Posted at Nginx Forum:
>> http://forum.nginx.org/read.php?2,259522,259522#msg-259522
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>
> --
> Roman Arutyunyan
>

--
Roman Arutyunyan
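
An added example (not part of the thread): the `\x16\x03\x01\x02` in the method field of the backend log line quoted in the top message is the start of a TLS record header (handshake, record version TLS 1.0), so a scan like this flags TLS bytes arriving on a plaintext HTTP port. The comma-separated field layout is assumed from the two sample lines in that message, and the function names are hypothetical.

```python
import re

# TLS record content types and record-layer version bytes (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def unescape(field):
    """Turn the web server's \\xNN escapes back into raw bytes."""
    text = ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), field)
    return text.encode("latin-1", "replace")


def tls_record_prefix(method_field):
    """Return decoded TLS record header fields if the 'method' is really TLS, else None."""
    raw = unescape(method_field)
    if len(raw) < 3 or raw[0] not in CONTENT_TYPES or (raw[1], raw[2]) not in VERSIONS:
        return None
    info = {"content_type": CONTENT_TYPES[raw[0]], "record_version": VERSIONS[(raw[1], raw[2])]}
    if len(raw) >= 4:
        # Only the high byte of the 2-byte record length survives in the log field.
        info["min_record_length"] = raw[3] << 8
    return info


def scan_backend_log(lines):
    """Yield (client, status, tls_info) for requests that are TLS bytes on a plaintext port."""
    for line in lines:
        fields = line.split(",")
        if len(fields) < 6:
            continue
        # Assumed layout: client,[time],method,uri,protocol,status,...
        client, method, status = fields[0].strip(), fields[2], fields[5]
        info = tls_record_prefix(method)
        if info:
            yield client, status, info


# The two backend log lines from the message above (user agent shortened).
SAMPLE = [
    r"10.0.0.1,[11/Jun/2015:08:57:42 +0000],\x16\x03\x01\x02,/,HTTP/0.9,501,0,2030,-, 10.0.0.1",
    "172.31.11.248,[11/Jun/2015:09:00:30 +0000],GET,/signin,HTTP/1.1,200,5924,211592,Mozilla/5.0,36.7.69.39, 172.31.11.248",
]

if __name__ == "__main__":
    for hit in scan_backend_log(SAMPLE):
        print(hit)
```

A minimum record length of 512 bytes plus the 5-byte record header is consistent with the 517 bytes from the client logged for sessions *453 and *461 on the 443 listener.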


