Re: Re: nginx plus with ssl on TCP load balance not work

smith smith.hua at zoom.us
Thu Jun 11 14:42:53 UTC 2015


No, I did not set proxy_ssl on.

Sorry, my mistake, the log from the backend server is normal, but all of them are 302, not 200. So there is always a redirect, why?

10.0.0.2,[11/Jun/2015:14:34:33 +0000],GET,/signin,HTTP/1.1,302,0,12690,Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36, 10.0.0.2
10.0.0.2,[11/Jun/2015:14:34:33 +0000],GET,/signin,HTTP/1.1,302,0,12690,Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36, 10.0.0.2
10.0.0.2,[11/Jun/2015:14:34:33 +0000],GET,/signin,HTTP/1.1,302,0,12690,Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36, 10.0.0.2
10.0.0.2,[11/Jun/2015:14:34:33 +0000],GET,/signin,HTTP/1.1,302,0,12690,Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36, 10.0.0.2
10.0.0.2,[11/Jun/2015:14:34:33 +0000],GET,/signin,HTTP/1.1,302,0,12690,Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36, 10.0.0.2
10.0.0.2,[11/Jun/2015:14:34:33 +0000],GET,/signin,HTTP/1.1,302,0,12690,Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36, 10.0.0.2

And the log from nginx still shows many tries:
2015/06/11 08:48:28 [info] 12719#0: *451 client 10.0.0.1:1642 connected to 0.0.0.0:80
2015/06/11 08:48:28 [info] 12719#0: *451 proxy 172.31.5.228:26620 connected to 10.0.0.3:80
2015/06/11 08:48:28 [info] 12719#0: *451 upstream disconnected, bytes from/to client:704/452, bytes from/to upstream:452/704
2015/06/11 08:48:28 [info] 12719#0: *453 client 10.0.0.1:1518 connected to 0.0.0.0:443
2015/06/11 08:48:28 [info] 12719#0: *453 proxy 172.31.5.228:17021 connected to 10.0.0.2:80
2015/06/11 08:48:28 [info] 12719#0: *453 upstream disconnected, bytes from/to client:517/0, bytes from/to upstream:0/517
2015/06/11 08:48:28 [info] 12719#0: *455 client 10.0.0.1:2943 connected to 0.0.0.0:443
2015/06/11 08:48:28 [info] 12719#0: *455 proxy 172.31.5.228:26622 connected to 10.0.0.3:80
2015/06/11 08:48:28 [info] 12719#0: *455 upstream disconnected, bytes from/to client:221/0, bytes from/to upstream:0/221
2015/06/11 08:48:28 [info] 12719#0: *457 client 10.0.0.1:2187 connected to 0.0.0.0:443
2015/06/11 08:48:28 [info] 12719#0: *457 proxy 172.31.5.228:17023 connected to 10.0.0.2:80
2015/06/11 08:48:28 [info] 12719#0: *457 upstream disconnected, bytes from/to client:174/0, bytes from/to upstream:0/174
2015/06/11 08:48:28 [info] 12719#0: *459 client 10.0.0.1:2346 connected to 0.0.0.0:443
2015/06/11 08:48:28 [info] 12719#0: *459 proxy 172.31.5.228:26624 connected to 10.0.0.3:80
2015/06/11 08:48:28 [info] 12719#0: *459 upstream disconnected, bytes from/to client:174/0, bytes from/to upstream:0/174
2015/06/11 08:48:29 [info] 12719#0: *461 client 10.0.0.1:2495 connected to 0.0.0.0:443
2015/06/11 08:48:29 [info] 12719#0: *461 proxy 172.31.5.228:17025 connected to 10.0.0.2:80
2015/06/11 08:48:29 [info] 12719#0: *461 upstream disconnected, bytes from/to client:517/0, bytes from/to upstream:0/517
2015/06/11 08:48:29 [info] 12719#0: *463 client 10.0.0.1:3742 connected to 0.0.0.0:443
2015/06/11 08:48:29 [info] 12719#0: *463 proxy 172.31.5.228:26626 connected to 10.0.0.3:80
2015/06/11 08:48:29 [info] 12719#0: *463 upstream disconnected, bytes from/to client:221/0, bytes from/to upstream:0/221
2015/06/11 08:48:29 [info] 12719#0: *465 client 10.0.0.1:3743 connected to 0.0.0.0:443
2015/06/11 08:48:29 [info] 12719#0: *465 proxy 172.31.5.228:17027 connected to 10.0.0.2:80
2015/06/11 08:48:29 [info] 12719#0: *465 upstream disconnected, bytes from/to client:174/0, bytes from/to upstream:0/174
2015/06/11 08:48:29 [info] 12719#0: *467 client 10.0.0.1:2343 connected to 0.0.0.0:443
2015/06/11 08:48:29 [info] 12719#0: *467 proxy 172.31.5.228:26628 connected to 10.0.0.3:80
2015/06/11 08:48:29 [info] 12719#0: *467 upstream disconnected, bytes from/to client:174/0, bytes from/to upstream:0/174



-----Original Message-----
From: nginx-bounces at nginx.org [mailto:nginx-bounces at nginx.org] On Behalf Of Ruslan Ermilov
Sent: June 11, 2015 10:11
To: nginx at nginx.org
Subject: Re: Re: nginx plus with ssl on TCP load balance not work

On Thu, Jun 11, 2015 at 09:03:55AM -0000, smith wrote:
> With info level log enabled.
> 
> Found these:
> 
> 80's log: 
> 2015/06/11 08:48:18 [info] 12719#0: *449 client 10.0.0.1:1494 
> connected to 0.0.0.0:80
> 2015/06/11 08:48:18 [info] 12719#0: *449 proxy 172.31.5.228:17019 
> connected to 10.0.0.2:80
> 2015/06/11 08:48:19 [info] 12719#0: *449 upstream disconnected, bytes 
> from/to client:689/7900, bytes from/to upstream:7900/689
> 
> It's success
> 
> 443's log: tried several times, not work, now page show 
> ERR_CONNECTION_CLOSED, still not work
> 
> 2015/06/11 08:48:28 [info] 12719#0: *451 client 10.0.0.1:1642 
> connected to 0.0.0.0:80
> 2015/06/11 08:48:28 [info] 12719#0: *451 proxy 172.31.5.228:26620 
> connected to 10.0.0.3:80
> 2015/06/11 08:48:28 [info] 12719#0: *451 upstream disconnected, bytes 
> from/to client:704/452, bytes from/to upstream:452/704
> 2015/06/11 08:48:28 [info] 12719#0: *453 client 10.0.0.1:1518 
> connected to 0.0.0.0:443
> 2015/06/11 08:48:28 [info] 12719#0: *453 proxy 172.31.5.228:17021 
> connected to 10.0.0.2:80
> 2015/06/11 08:48:28 [info] 12719#0: *453 upstream disconnected, bytes 
> from/to client:517/0, bytes from/to upstream:0/517
> 2015/06/11 08:48:28 [info] 12719#0: *455 client 10.0.0.1:2943 
> connected to 0.0.0.0:443
> 2015/06/11 08:48:28 [info] 12719#0: *455 proxy 172.31.5.228:26622 
> connected to 10.0.0.3:80
> 2015/06/11 08:48:28 [info] 12719#0: *455 upstream disconnected, bytes 
> from/to client:221/0, bytes from/to upstream:0/221
> 2015/06/11 08:48:28 [info] 12719#0: *457 client 10.0.0.1:2187 
> connected to 0.0.0.0:443
> 2015/06/11 08:48:28 [info] 12719#0: *457 proxy 172.31.5.228:17023 
> connected to 10.0.0.2:80
> 2015/06/11 08:48:28 [info] 12719#0: *457 upstream disconnected, bytes 
> from/to client:174/0, bytes from/to upstream:0/174
> 2015/06/11 08:48:28 [info] 12719#0: *459 client 10.0.0.1:2346 
> connected to 0.0.0.0:443
> 2015/06/11 08:48:28 [info] 12719#0: *459 proxy 172.31.5.228:26624 
> connected to 10.0.0.3:80
> 2015/06/11 08:48:28 [info] 12719#0: *459 upstream disconnected, bytes 
> from/to client:174/0, bytes from/to upstream:0/174
> 2015/06/11 08:48:29 [info] 12719#0: *461 client 10.0.0.1:2495 
> connected to 0.0.0.0:443
> 2015/06/11 08:48:29 [info] 12719#0: *461 proxy 172.31.5.228:17025 
> connected to 10.0.0.2:80
> 2015/06/11 08:48:29 [info] 12719#0: *461 upstream disconnected, bytes 
> from/to client:517/0, bytes from/to upstream:0/517
> 2015/06/11 08:48:29 [info] 12719#0: *463 client 10.0.0.1:3742 
> connected to 0.0.0.0:443
> 2015/06/11 08:48:29 [info] 12719#0: *463 proxy 172.31.5.228:26626 
> connected to 10.0.0.3:80
> 2015/06/11 08:48:29 [info] 12719#0: *463 upstream disconnected, bytes 
> from/to client:221/0, bytes from/to upstream:0/221
> 2015/06/11 08:48:29 [info] 12719#0: *465 client 10.0.0.1:3743 
> connected to 0.0.0.0:443
> 2015/06/11 08:48:29 [info] 12719#0: *465 proxy 172.31.5.228:17027 
> connected to 10.0.0.2:80
> 2015/06/11 08:48:29 [info] 12719#0: *465 upstream disconnected, bytes 
> from/to client:174/0, bytes from/to upstream:0/174
> 2015/06/11 08:48:29 [info] 12719#0: *467 client 10.0.0.1:2343 
> connected to 0.0.0.0:443
> 2015/06/11 08:48:29 [info] 12719#0: *467 proxy 172.31.5.228:26628 
> connected to 10.0.0.3:80
> 2015/06/11 08:48:29 [info] 12719#0: *467 upstream disconnected, bytes 
> from/to client:174/0, bytes from/to upstream:0/174
> 
> 
> And from the backend web servers, found request not correct: 
> 10.0.0.1,[11/Jun/2015:08:57:42 
> +0000],\x16\x03\x01\x02,/,HTTP/0.9,501,0,2030,-, 10.0.0.1
> 
> Normal request should be
> 172.31.11.248,[11/Jun/2015:09:00:30 
> +0000],GET,/signin,HTTP/1.1,200,5924,211592,Mozilla/5.0 (Windows NT 
> 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.60 
> Safari/537.36,36.7.69.39, 172.31.11.248
> 
> So is that any bug?
> 
> -----Original Message-----
> From: smith [mailto:smith.hua at zoom.us]
> Sent: June 11, 2015 8:35
> To: 'nginx at nginx.org'
> Subject: Re: nginx plus with ssl on TCP load balance not work
> 
> When I tried http ssl, I found I need to set proxy_set_header X-Forwarded-Proto $scheme; in the server block, or it will also encounter ERR_TOO_MANY_REDIRECTS.
> 
> Does TCP have the same kind of setting?
> 
> -----Original Message-----
> From: smith [mailto:smith.hua at zoom.us]
> Sent: June 11, 2015 8:28
> To: nginx at nginx.org
> Subject: Re: nginx plus with ssl on TCP load balance not work
> 
> Port 80 is normal, and I tried using http ssl, which also works. I don't know why TCP does not work.
> 
> -----Original Message-----
> From: nginx-bounces at nginx.org [mailto:nginx-bounces at nginx.org] On Behalf Of Roman Arutyunyan
> Sent: June 11, 2015 8:25
> To: nginx at nginx.org
> Subject: Re: nginx plus with ssl on TCP load balance not work
> 
> What about the 80 port of the stream balancer?
> Does it proxy the connection normally?
> 
> PS: no access log is supported in the stream module.
> Connection information (addresses etc) is logged to error log with the info loglevel.
> 
> On 11 Jun 2015, at 10:49, smith <smith.hua at zoom.us> wrote:
> 
> > Nginx.conf:
> >
> > user  nginx;
> > worker_processes  auto;
> > worker_rlimit_nofile 65535;
> >
> > error_log  /var/log/nginx/error.log warn;
> > pid        /var/run/nginx.pid;
> >
> >
> > events {
> >    use epoll;
> >    worker_connections  65535;
> > }
> >
> >
> > http {
> >    include       /etc/nginx/mime.types;
> >    default_type  application/octet-stream;
> >
> >    log_format  main  '$remote_addr - $remote_user [$time_local] "$request"
> > '
> >                      '$status $body_bytes_sent "$http_referer" '
> >                      '"$http_user_agent" "$http_x_forwarded_for"';
> >
> >    access_log  /var/log/nginx/access.log  main;
> >
> >    sendfile        on;
> >    #tcp_nopush     on;
> >
> >    keepalive_timeout  65;
> >
> >    #gzip  on;
> >
> >    include /etc/nginx/conf.d/*.conf; }
> >
> >
> > stream {
> >
> >    include /etc/nginx/xxxx.d/*.conf;
> > }
> >
> > And the content in previous email is in xxxx.d/xxxx.conf
> >
> > There is no file under /etc/nginx/conf.d
> >
> >
> > Thanks.
> >
> >
> > -----Original Message-----
> > From: nginx-bounces at nginx.org [mailto:nginx-bounces at nginx.org] On Behalf Of Roman Arutyunyan
> > Sent: June 11, 2015 7:45
> > To: nginx at nginx.org
> > Subject: Re: nginx plus with ssl on TCP load balance not work
> >
> > Hi,
> >
> > Could you provide the full config of the nginx/stream balancer?
> >
> > On 11 Jun 2015, at 09:29, huakaibird <nginx-forum at nginx.us> wrote:
> >
> >> Hi,
> >>
> >> I’m using nginx plus with ssl on TCP load balance, Configured like 
> >> the documentation, but it not work.  (All the IP below is not
> >> real-ip) I have web servers behind, I want to use ssl offloading, and 
> >> I choose TCP load balance. listen on 443 and proxy to web server's 80.
> >>
> >> Page access always report ERR_TOO_MANY_REDIRECTS.
> >>
> >> Error log
> >> 2015/06/11 03:00:32 [error] 8362#0: *361 upstream timed out (110:
> >> Connection timed out) while connecting to upstream, client: 10.0.0.1,
> > server:
> >> 0.0.0.0:443, upstream: "10.0.0.2:443", bytes from/to client:656/0, 
> >> bytes from/to upstream:0/0
> >>
> >> 10.0.0.2 this ip is the nginx ip, while it is used as upstream?
> >>
> >> The configuration is like this, remove the real ip
> >>
> >> server {
> >>       listen 80 so_keepalive=30m::10;
> >>       proxy_pass backend;
> >>       proxy_upstream_buffer 2048k;
> >>       proxy_downstream_buffer 2048k;
> >>
> >>   }
> >>
> >> server {
> >>       listen 443 ssl;
> >>       proxy_pass backend;
> >>       #proxy_upstream_buffer 2048k;
> >>       #proxy_downstream_buffer 2048k;
> >>       ssl_certificate     ssl/chained.crt;
> >>       #ssl_certificate     ssl/4582cfef411bb.crt;
> >>       ssl_certificate_key ssl/zoomus20140410.key;
> >>       #ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
> >>       #ssl_ciphers         HIGH:!aNULL:!MD5;
> >>       ssl_handshake_timeout 3s;
> >>       #ssl_session_cache   shared:SSL:20m;
> >>       #ssl_session_timeout 4h;
> >>
> >>   }
> >>
> >>
> >>   upstream backend {
> >>       server *.*.*.*:80;
> >>       server *.*.*.*:80;
> >>   }

It looks like you have "proxy_ssl on;" in the stream{} block,
do you?

_______________________________________________
nginx mailing list
nginx at nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
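
A diagnostic sketch for the two kinds of log quoted in this thread, added here as an example and not code from any poster or from nginx: it groups stream-module info lines by connection id to list sessions where the client sent bytes but received none, and flags backend access-log entries whose method field is a TLS handshake record header. The function names are assumptions, and the sample lines follow the thread's format with the user agent shortened.

```python
import re

# Sample lines in the format quoted in this thread; the user agent in the
# second backend line is shortened. Embedded so the example runs offline.
STREAM_LOG = """\
2015/06/11 08:48:18 [info] 12719#0: *449 client 10.0.0.1:1494 connected to 0.0.0.0:80
2015/06/11 08:48:18 [info] 12719#0: *449 proxy 172.31.5.228:17019 connected to 10.0.0.2:80
2015/06/11 08:48:19 [info] 12719#0: *449 upstream disconnected, bytes from/to client:689/7900, bytes from/to upstream:7900/689
2015/06/11 08:48:28 [info] 12719#0: *453 client 10.0.0.1:1518 connected to 0.0.0.0:443
2015/06/11 08:48:28 [info] 12719#0: *453 proxy 172.31.5.228:17021 connected to 10.0.0.2:80
2015/06/11 08:48:28 [info] 12719#0: *453 upstream disconnected, bytes from/to client:517/0, bytes from/to upstream:0/517
"""
BACKEND_LOG = r"""10.0.0.1,[11/Jun/2015:08:57:42 +0000],\x16\x03\x01\x02,/,HTTP/0.9,501,0,2030,-, 10.0.0.1
10.0.0.2,[11/Jun/2015:14:34:33 +0000],GET,/signin,HTTP/1.1,302,0,12690,Mozilla/5.0, 10.0.0.2
"""

CLIENT = re.compile(r"\*(\d+) client \S+ connected to \S+:(\d+)$")
PROXY = re.compile(r"\*(\d+) proxy \S+ connected to (\S+)$")
BYTES = re.compile(r"\*(\d+) .*bytes from/to client:(\d+)/(\d+), "
                   r"bytes from/to upstream:(\d+)/(\d+)")

def parse_sessions(text):
    """Group stream-module info lines by connection id (the *NNN field)."""
    sessions = {}
    for line in text.splitlines():
        if m := CLIENT.search(line):
            sessions.setdefault(m[1], {})["listen_port"] = int(m[2])
        elif m := PROXY.search(line):
            sessions.setdefault(m[1], {})["upstream"] = m[2]
        elif m := BYTES.search(line):
            keys = ("from_client", "to_client", "from_upstream", "to_upstream")
            sessions.setdefault(m[1], {}).update(zip(keys, map(int, m.groups()[1:])))
    return sessions

def one_way_sessions(sessions):
    """Connection ids where the client sent data but received nothing back."""
    return sorted(cid for cid, s in sessions.items()
                  if s.get("from_client", 0) > 0 and s.get("to_client") == 0)

def tls_on_plaintext(backend_text):
    """Backend access-log lines whose method field is a TLS handshake record
    header (0x16 = handshake, 0x03 = protocol major version), meaning TLS
    bytes arrived on a plain-HTTP listener."""
    return [l for l in backend_text.splitlines()
            if len(f := l.split(",", 3)) > 2 and f[2].startswith(r"\x16\x03")]

if __name__ == "__main__":
    s = parse_sessions(STREAM_LOG)
    for cid in one_way_sessions(s):
        print(cid, s[cid]["listen_port"], "->", s[cid]["upstream"])
    print(tls_on_plaintext(BACKEND_LOG))
```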