upstream (tcp stream mode) doesn't detect connecton failure
Adam Cecile
adam.cecile at hitec.lu
Tue Jan 9 22:48:54 UTC 2018
On 01/09/2018 02:46 PM, Maxim Dounin wrote:
> Hello!
>
> On Mon, Jan 08, 2018 at 12:37:41PM +0000, Cecile, Adam wrote:
>
>> Hello,
>>
>>
>> I'm using this quite complicated setup involving SNI routing and proxy_protocol but I'm stuck on something.
>>
>>
>> Here is the configuration file:
>>
>> http://paste.debian.net/hidden/62e13f9c/
>>
>>
>> Routing, proxy_protocol, logging stuff is working just fine, the only (quite critical issue) is that the "mag" upstream doesn't see connection failures and does not switch to the second server.
>>
>>
>> In the mag.log file I just see:
>>
>> 98.98.98.98 [08/Jan/2018:10:56:10 +0100] proxying to "mag":10.0.0.1:443 TCP 500 0 239 1.01
>>
>>
>> But instead of blacklisting this server and moving to 10.0.0.2 I receive a connection closed error on the client.
> As far as I understand your configuration, you have two stream
> proxy layers:
>
> 1. The first one uses ssl_preread to obtain SNI name and tries to
> do some routing based on it. This layer also adds to the PROXY
> protocol to backend connections.
>
> 2. The second one strips PROXY protocol header.
>
> The problem with "upstream doesn't see connection failures" is
> because connection failures are only seen at the second layer (the
> log line above belongs to the second layer). The first layer will
> only see a connection close, and it won't know if there was an
> error or not.
>
> Also note:
>
> - You use $proxy_protocol_addr in the "upstream mag {...}" block,
> but the upstream block is used only in the first layer, where
> $proxy_protocol_addr won't be available according to your
> configuration.
>
> - You use $name in the logs of the second layer. It will always
> point to "map", as there is no ssl_preread in the second layer,
> hence $ssl_preread_server_name will be not available.
>
> Depending on what you actually want to achieve, the most
> straightforward solution might be to actually remove the second
> proxy layer.
Hello,
The proxy protocol was used for the "non-stream" routing on SNI when
forwarding to nginx itself as "local_https". At this point it's using
regular https vhost, that's why I added proxy_protocol to easily be able
to extract the original client address.
Aim of the two servers on 8080 and 8181 are only to strip proxy_protocol
before going to upstream mag. I'd be happy to remove them but if I do
that I need a way to strip out proxy_protocol inside the "upstream mag"
block. Is it possible ?
Thanks a lot,
Adam.
More information about the nginx
mailing list