Re: Reply: nginx plus with ssl on TCP load balance not work
Ruslan Ermilov
ru at nginx.com
Thu Jun 11 10:10:44 UTC 2015
On Thu, Jun 11, 2015 at 09:03:55AM -0000, smith wrote:
> With info level log enabled.
>
> Found these:
>
> 80's log:
> 2015/06/11 08:48:18 [info] 12719#0: *449 client 10.0.0.1:1494 connected to 0.0.0.0:80
> 2015/06/11 08:48:18 [info] 12719#0: *449 proxy 172.31.5.228:17019 connected to 10.0.0.2:80
> 2015/06/11 08:48:19 [info] 12719#0: *449 upstream disconnected, bytes from/to client:689/7900, bytes from/to upstream:7900/689
>
> It's successful.
>
> 443's log: tried several times, it does not work; now the page shows ERR_CONNECTION_CLOSED, still does not work
>
> 2015/06/11 08:48:28 [info] 12719#0: *451 client 10.0.0.1:1642 connected to 0.0.0.0:80
> 2015/06/11 08:48:28 [info] 12719#0: *451 proxy 172.31.5.228:26620 connected to 10.0.0.3:80
> 2015/06/11 08:48:28 [info] 12719#0: *451 upstream disconnected, bytes from/to client:704/452, bytes from/to upstream:452/704
> 2015/06/11 08:48:28 [info] 12719#0: *453 client 10.0.0.1:1518 connected to 0.0.0.0:443
> 2015/06/11 08:48:28 [info] 12719#0: *453 proxy 172.31.5.228:17021 connected to 10.0.0.2:80
> 2015/06/11 08:48:28 [info] 12719#0: *453 upstream disconnected, bytes from/to client:517/0, bytes from/to upstream:0/517
> 2015/06/11 08:48:28 [info] 12719#0: *455 client 10.0.0.1:2943 connected to 0.0.0.0:443
> 2015/06/11 08:48:28 [info] 12719#0: *455 proxy 172.31.5.228:26622 connected to 10.0.0.3:80
> 2015/06/11 08:48:28 [info] 12719#0: *455 upstream disconnected, bytes from/to client:221/0, bytes from/to upstream:0/221
> 2015/06/11 08:48:28 [info] 12719#0: *457 client 10.0.0.1:2187 connected to 0.0.0.0:443
> 2015/06/11 08:48:28 [info] 12719#0: *457 proxy 172.31.5.228:17023 connected to 10.0.0.2:80
> 2015/06/11 08:48:28 [info] 12719#0: *457 upstream disconnected, bytes from/to client:174/0, bytes from/to upstream:0/174
> 2015/06/11 08:48:28 [info] 12719#0: *459 client 10.0.0.1:2346 connected to 0.0.0.0:443
> 2015/06/11 08:48:28 [info] 12719#0: *459 proxy 172.31.5.228:26624 connected to 10.0.0.3:80
> 2015/06/11 08:48:28 [info] 12719#0: *459 upstream disconnected, bytes from/to client:174/0, bytes from/to upstream:0/174
> 2015/06/11 08:48:29 [info] 12719#0: *461 client 10.0.0.1:2495 connected to 0.0.0.0:443
> 2015/06/11 08:48:29 [info] 12719#0: *461 proxy 172.31.5.228:17025 connected to 10.0.0.2:80
> 2015/06/11 08:48:29 [info] 12719#0: *461 upstream disconnected, bytes from/to client:517/0, bytes from/to upstream:0/517
> 2015/06/11 08:48:29 [info] 12719#0: *463 client 10.0.0.1:3742 connected to 0.0.0.0:443
> 2015/06/11 08:48:29 [info] 12719#0: *463 proxy 172.31.5.228:26626 connected to 10.0.0.3:80
> 2015/06/11 08:48:29 [info] 12719#0: *463 upstream disconnected, bytes from/to client:221/0, bytes from/to upstream:0/221
> 2015/06/11 08:48:29 [info] 12719#0: *465 client 10.0.0.1:3743 connected to 0.0.0.0:443
> 2015/06/11 08:48:29 [info] 12719#0: *465 proxy 172.31.5.228:17027 connected to 10.0.0.2:80
> 2015/06/11 08:48:29 [info] 12719#0: *465 upstream disconnected, bytes from/to client:174/0, bytes from/to upstream:0/174
> 2015/06/11 08:48:29 [info] 12719#0: *467 client 10.0.0.1:2343 connected to 0.0.0.0:443
> 2015/06/11 08:48:29 [info] 12719#0: *467 proxy 172.31.5.228:26628 connected to 10.0.0.3:80
> 2015/06/11 08:48:29 [info] 12719#0: *467 upstream disconnected, bytes from/to client:174/0, bytes from/to upstream:0/174
>
>
> And from the backend web servers, I found the request is not correct:
> 10.0.0.1,[11/Jun/2015:08:57:42 +0000],\x16\x03\x01\x02,/,HTTP/0.9,501,0,2030,-, 10.0.0.1
>
> Normal request should be
> 172.31.11.248,[11/Jun/2015:09:00:30 +0000],GET,/signin,HTTP/1.1,200,5924,211592,Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.60 Safari/537.36,36.7.69.39, 172.31.11.248
>
> So is that a bug?
>
> -----Original Message-----
> From: smith [mailto:smith.hua at zoom.us]
> Sent: June 11, 2015 8:35
> To: 'nginx at nginx.org'
> Subject: Reply: nginx plus with ssl on TCP load balance not work
>
> When I'm trying http ssl, I found I need to set proxy_set_header X-Forwarded-Proto $scheme; in the server block, or it will also encounter ERR_TOO_MANY_REDIRECTS.
>
> Does TCP have the same kind of setting?
>
> -----Original Message-----
> From: smith [mailto:smith.hua at zoom.us]
> Sent: June 11, 2015 8:28
> To: nginx at nginx.org
> Subject: Reply: nginx plus with ssl on TCP load balance not work
>
> The 80 is normal, and I tried to use http ssl, which also works. Don't know why TCP does not work.
>
> -----Original Message-----
> From: nginx-bounces at nginx.org [mailto:nginx-bounces at nginx.org] on behalf of Roman Arutyunyan
> Sent: June 11, 2015 8:25
> To: nginx at nginx.org
> Subject: Re: nginx plus with ssl on TCP load balance not work
>
> What about the 80 port of the stream balancer?
> Does it proxy the connection normally?
>
> PS: no access log is supported in the stream module.
> Connection information (addresses etc) is logged to error log with the info loglevel.
>
> On 11 Jun 2015, at 10:49, smith <smith.hua at zoom.us> wrote:
>
> > Nginx.conf:
> >
> > user nginx;
> > worker_processes auto;
> > worker_rlimit_nofile 65535;
> >
> > error_log /var/log/nginx/error.log warn;
> > pid /var/run/nginx.pid;
> >
> >
> > events {
> > use epoll;
> > worker_connections 65535;
> > }
> >
> >
> > http {
> > include /etc/nginx/mime.types;
> > default_type application/octet-stream;
> >
> > log_format main '$remote_addr - $remote_user [$time_local] "$request" '
> > '$status $body_bytes_sent "$http_referer" '
> > '"$http_user_agent" "$http_x_forwarded_for"';
> >
> > access_log /var/log/nginx/access.log main;
> >
> > sendfile on;
> > #tcp_nopush on;
> >
> > keepalive_timeout 65;
> >
> > #gzip on;
> >
> > include /etc/nginx/conf.d/*.conf;
> > }
> >
> >
> > stream {
> >
> > include /etc/nginx/xxxx.d/*.conf;
> > }
> >
> > And the content in previous email is in xxxx.d/xxxx.conf
> >
> > There is no file under /etc/nginx/conf.d
> >
> >
> > Thanks.
> >
> >
> > -----Original Message-----
> > From: nginx-bounces at nginx.org [mailto:nginx-bounces at nginx.org] on behalf of Roman Arutyunyan
> > Sent: June 11, 2015 7:45
> > To: nginx at nginx.org
> > Subject: Re: nginx plus with ssl on TCP load balance not work
> >
> > Hi,
> >
> > Could you provide the full config of the nginx/stream balancer?
> >
> > On 11 Jun 2015, at 09:29, huakaibird <nginx-forum at nginx.us> wrote:
> >
> >> Hi,
> >>
> >> I’m using nginx plus with ssl on TCP load balance, configured like
> >> the documentation, but it does not work. (All the IPs below are not
> >> real IPs.) I have web servers behind it, I want to use ssl offloading, and
> >> I chose TCP load balance: listen on 443 and proxy to the web server's 80.
> >>
> >> Page access always reports ERR_TOO_MANY_REDIRECTS.
> >>
> >> Error log
> >> 2015/06/11 03:00:32 [error] 8362#0: *361 upstream timed out (110: Connection timed out) while connecting to upstream, client: 10.0.0.1, server: 0.0.0.0:443, upstream: "10.0.0.2:443", bytes from/to client:656/0, bytes from/to upstream:0/0
> >>
> >> 10.0.0.2 this ip is the nginx ip, while it is used as upstream?
> >>
> >> The configuration is like this, with the real IP removed
> >>
> >> server {
> >> listen 80 so_keepalive=30m::10;
> >> proxy_pass backend;
> >> proxy_upstream_buffer 2048k;
> >> proxy_downstream_buffer 2048k;
> >>
> >> }
> >>
> >> server {
> >> listen 443 ssl;
> >> proxy_pass backend;
> >> #proxy_upstream_buffer 2048k;
> >> #proxy_downstream_buffer 2048k;
> >> ssl_certificate ssl/chained.crt;
> >> #ssl_certificate ssl/4582cfef411bb.crt;
> >> ssl_certificate_key ssl/zoomus20140410.key;
> >> #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
> >> #ssl_ciphers HIGH:!aNULL:!MD5;
> >> ssl_handshake_timeout 3s;
> >> #ssl_session_cache shared:SSL:20m;
> >> #ssl_session_timeout 4h;
> >>
> >> }
> >>
> >>
> >> upstream backend {
> >> server *.*.*.*:80;
> >> server *.*.*.*:80;
> >> }
It looks like you have "proxy_ssl on;" in the stream{} block,
do you?
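
An added example, not part of the original message and not nginx code: a small triage script over the logs quoted above. It flags stream sessions where bytes were forwarded upstream but nothing came back, and checks whether the request method logged by the backend starts with a TLS handshake record header (0x16 0x03), which means TLS bytes arrived on the plain-HTTP port 80. Function names are illustrative; the sample lines are copied from the quoted logs.

```python
import re
from collections import defaultdict

# Sample lines copied from the stream-module logs quoted in the thread above.
STREAM_LOG = """\
2015/06/11 08:48:18 [info] 12719#0: *449 client 10.0.0.1:1494 connected to 0.0.0.0:80
2015/06/11 08:48:18 [info] 12719#0: *449 proxy 172.31.5.228:17019 connected to 10.0.0.2:80
2015/06/11 08:48:19 [info] 12719#0: *449 upstream disconnected, bytes from/to client:689/7900, bytes from/to upstream:7900/689
2015/06/11 08:48:28 [info] 12719#0: *453 client 10.0.0.1:1518 connected to 0.0.0.0:443
2015/06/11 08:48:28 [info] 12719#0: *453 proxy 172.31.5.228:17021 connected to 10.0.0.2:80
2015/06/11 08:48:28 [info] 12719#0: *453 upstream disconnected, bytes from/to client:517/0, bytes from/to upstream:0/517
"""
# Method field exactly as the backend access log printed it (escaped text).
BACKEND_METHOD = r"\x16\x03\x01\x02"

CONN = re.compile(r"\*(\d+) (client|proxy) \S+ connected to (\S+)")
BYTES = re.compile(r"\*(\d+) .*bytes from/to client:(\d+)/(\d+), "
                   r"bytes from/to upstream:(\d+)/(\d+)")

def parse_sessions(text):
    """Group stream-module info lines by connection id (*N)."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        m = CONN.search(line)
        if m:
            key = "listen" if m.group(2) == "client" else "upstream"
            sessions[int(m.group(1))][key] = m.group(3)
            continue
        m = BYTES.search(line)
        if m:
            cid, c_in, c_out, u_in, u_out = map(int, m.groups())
            sessions[cid].update(from_client=c_in, to_client=c_out,
                                 from_upstream=u_in, to_upstream=u_out)
    return dict(sessions)

def silent_upstream(sessions):
    """Connection ids where data went upstream but zero bytes came back."""
    return sorted(cid for cid, s in sessions.items()
                  if s.get("to_upstream", 0) > 0 and s.get("from_upstream") == 0)

def looks_like_tls_record(logged):
    """True if an escaped log field begins with a TLS handshake record header."""
    raw = logged.encode("ascii").decode("unicode_escape").encode("latin-1")
    return len(raw) >= 2 and raw[0] == 0x16 and raw[1] == 0x03
```
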