Moving SSL termination to the edge increased the instance of 502 errors

Drew Turner drew at drewnturner.com
Wed Nov 29 14:17:01 UTC 2017


What's the backend for this IIS, NGINX, Apache, etc?  Is it requiring SNI?
Do you have multiple hostnames?

On Wed, Nov 29, 2017 at 7:05 AM, Michael Ottoson <michael.ottoson at cri.com>
wrote:

> Thanks, Maxim.
>
> That makes a lot of sense.  However, the problem started at exactly the
> same time we moved SSL termination.  There were no changes to the
> application.  It is unlikely to be a mere coincidence - but it could be.
>
> We were previously using HAPROXY for load balancing (well, the company we
> inherited this from did) and the same happened when they tried moving SSL
> termination.
>
> There is a reply to my question on serverfault, suggesting increasing
> keepalives (https://www.nginx.com/blog/load-balancing-with-nginx-
> plus-part2/#keepalive).  This is because moving SSL increases the number
> of TCP connects.  I'll give that a try and report back.
>
> -----Original Message-----
> From: nginx [mailto:nginx-bounces at nginx.org] On Behalf Of Maxim Dounin
> Sent: Wednesday, November 29, 2017 7:43 AM
> To: nginx at nginx.org
> Subject: Re: Moving SSL termination to the edge increased the instance of
> 502 errors
>
> Hello!
>
> On Wed, Nov 29, 2017 at 04:27:37AM +0000, Michael Ottoson wrote:
>
> > Hi All,
> >
> > We installed nginx as load balancer/failover in front of two upstream
> web servers.
> >
> > At first SSL terminated at the web servers and nginx was configured as
> TCP passthrough on 443.
> >
> > We rarely experiences 502s and when it did it was likely due to
> tuning/tweaking.
> >
> > About a week ago we moved SSL termination to the edge.  Since then we've
> been getting daily 502s.  A small percentage - never reaching 1%.  But with
> ½ million requests per day, we are starting to get complaints.
> >
> > Stranger: the percentage seems to be rising.
> >
> > I have more details and a pretty picture here:
> >
> > https://serverfault.com/questions/885638/moving-ssl-termination-to-the
> > -edge-increased-the-instance-of-502-errors
> >
> >
> > Any advice how to squash those 502s?  Should I be worried nginx is
> leaking?
>
> First of all, you have to find the reason for these 502 errors.
> Looking into the error log is a good start.
>
> As per provided serverfault question, you see "no live upstreams"
> errors in logs.  These errors mean that all configured upstream servers
> were disabled due to previous errors (see http://nginx.org/en/docs/http/
> ngx_http_upstream_module.html#max_fails),
> that is, these errors are just a result of previous errors.  You have to
> find out real errors, they should be in the error log too.
>
> --
> Maxim Dounin
> http://mdounin.ru/
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20171129/e2ecebf6/attachment.html>


More information about the nginx mailing list