Nginx multiple upstream with different protocols

Andrei lagged at gmail.com
Thu Feb 23 12:12:17 UTC 2017


I suggest splitting your upstreams by protocol, then proxying requests
depending on HTTPS headers to the appropriate group. There's an example on
how to detect HTTPS at
http://serverfault.com/questions/527780/nginx-detect-https-connection-using-a-header

On Thu, Feb 23, 2017 at 4:38 AM, Kilian Ries <mail at kilian-ries.de> wrote:

> I think I already tried what you suggested, but that doesn't work because
> I have to set a specific protocol in the proxy_pass command (http or
> https). If I have a mixed upstream group like
>
> upstream proxy_backend {
>         server xxx.xx.188.53;
>         server xxx.xx.188.53:443;
>
> }
>
> I always get protocol errors like 502 or 400 because I cannot switch
> between http and https in the proxy_pass command
> ------------------------------
> *From:* nginx <nginx-bounces at nginx.org> on behalf of B.R. via nginx <
> nginx at nginx.org>
> *Sent:* Wednesday, 22 February 2017 18:52:00
> *To:* nginx ML
> *Cc:* B.R.
> *Subject:* Re: Nginx multiple upstream with different protocols
>
> I suggest you proxy traffic to an upstream group, and then use
> failure/timeout parameters there with proper tuning to retry requests on
> the second upstream in case the first in the list fails.
> It will have an overhead if the 1st entry of the upstream group is
> invalid on initial connection, but hopefully the 'down' status will help
> limiting that overhead on average.
> ---
> *B. R.*
>
> On Wed, Feb 22, 2017 at 5:08 PM, Kilian Ries <mail at kilian-ries.de> wrote:
>
>> No, they cannot be the same (sadly) because I don't know how the upstream
>> is serving the content. Think of a situation where I am not in control of
>> the upstream backends and they may change from http to https over time.
>> ------------------------------
>> *From:* nginx <nginx-bounces at nginx.org> on behalf of Cox, Eric S <
>> eric.cox at kroger.com>
>> *Sent:* Wednesday, 22 February 2017 15:58:26
>> *To:* nginx at nginx.org
>> *Subject:* RE: Nginx multiple upstream with different protocols
>>
>>
>> If you are SSL on the frontend (server directive) why would you want to
>> proxy between ssl/non-ssl on the upstreams? Can they not be the same? I
>> don’t get what you are trying to solve?
>>
>>
>>
>> *From:* nginx [mailto:nginx-bounces at nginx.org] *On Behalf Of *Kilian Ries
>> *Sent:* Wednesday, February 22, 2017 9:55 AM
>> *To:* nginx at nginx.org
>> *Subject:* Nginx multiple upstream with different protocols
>>
>>
>>
>> Hi,
>>
>>
>>
>> I'm trying to set up two Nginx upstreams (one with HTTP and one with
>> HTTPS) and the proxy_pass module should decide which of the upstreams is
>> serving "valid" content.
>>
>>
>>
>> The config should look like this:
>>
>>
>>
>> upstream proxy_backend {
>>         server xxx.xx.188.53;
>>         server xxx.xx.188.53:443;
>> }
>>
>> server {
>>         listen 443 ssl;
>>         ...
>>         location / {
>>                 proxy_pass http://proxy_backend;
>>                 #proxy_pass https://proxy_backend;
>>         }
>> }
>>
>>
>> The problem is that I don't know if the upstream is serving the content
>> via http or https. Is there any possibility to tell nginx to change the
>> protocol from the proxy_pass directive? Because if I set proxy_pass to
>> https, I get an error (502 / 400) if the upstream website is running on
>> http and vice versa.
>>
>>
>>
>> So I'm searching for a way to let Nginx decide whether it should proxy_pass
>> via http or https. Can anybody help me with that configuration?
>>
>>
>>
>> Thanks
>>
>> Greets
>>
>> Kilian
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
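
Added example (not part of the original thread and not any poster's configuration): one way to write the split suggested at the top of this message, with one upstream group per protocol and a map on the X-Forwarded-Proto header choosing between them. The addresses, host names and file paths are placeholders, and it assumes a trusted front proxy sets X-Forwarded-Proto, since a client connecting directly could send any value.

```nginx
# Added example: all addresses, names and paths below are placeholders.

# One upstream group per protocol instead of a mixed group.
upstream backend_http {
    server 192.0.2.53:80;
}

upstream backend_https {
    server 192.0.2.53:443;
}

# Choose the full proxy target from the X-Forwarded-Proto request header.
# Any value other than "https" (or a missing header) selects plain HTTP.
map $http_x_forwarded_proto $backend_url {
    default http://backend_http;
    https   https://backend_https;
}

server {
    listen 443 ssl;
    server_name example.test;

    ssl_certificate     /etc/nginx/tls/example.test.crt;
    ssl_certificate_key /etc/nginx/tls/example.test.key;

    location / {
        # With a variable in proxy_pass, nginx first looks the host part up
        # among the defined upstream groups. No URI part is given, so the
        # original request URI is passed on unchanged.
        proxy_pass $backend_url;
        proxy_set_header Host $host;

        # These only take effect when the https:// target is selected.
        # Without proxy_ssl_name the certificate would be checked against
        # the group name "backend_https" and verification would fail.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/upstream-ca.pem;
        proxy_ssl_server_name         on;
        proxy_ssl_name                backend.example.test;
    }
}
```

Requests routed to backend_http leave nginx unencrypted even though the client connected over TLS, so the map default decides how much traffic is exposed on the backend network.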