upstream (tcp stream mode) doesn't detect connection failure

Maxim Dounin mdounin at
Wed Jan 10 18:58:28 UTC 2018


On Wed, Jan 10, 2018 at 07:18:36PM +0100, Adam Cecile wrote:


> > Ok, so you use multiple proxy layers to be able to combine
> > backends which support/need PROXY protocol and ones which do not,
> > right?  This looks like a valid reason, as "proxy_protocol" is
> > either on or off in a particular server.
> Yes, exactly!
> Aim of this setup is to do SNI routing to TCP endpoints (with failover) 
> or HTTPS virtual hosts.
> >
> > If you want nginx to switch to a different backend while
> > maintaining two proxy layers, consider moving balancing to the
> > second layer instead.  This way balancing will happen where
> > connection errors can be seen, and so nginx will be able to switch
> > to a different server on errors.
> Could you be more specific and show me how to do this with my current
> configuration? I'm a bit lost...

At the first level, differentiate between hosts based on 
$ssl_preread_server_name.  Proxy to either "local_https" or to a 
second-level server, say 8080.  On the second level server, proxy 
to an upstream group with servers you want to balance.  Example 
configuration (completely untested):

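    map $ssl_preread_server_name $name {
        default                  local_https;
        ""                       second;
        # <hostname>             second;   (hostname missing from the archived copy)
    }

    upstream local_https {
        # server <address>;   (missing from the archived copy)
    }

    upstream second {
        # server <address of the second-level server below>;
    }

    upstream u {
        # server <backend address>;   (one line per backend to balance)
    }

    server {
        listen 443;
        ssl_preread on;
        proxy_pass $name;
        proxy_protocol on;
    }

    server {
        listen proxy_protocol;   # listen address missing from the archived copy
        proxy_pass u;
    }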

Logging and timeouts omitted for clarity.

Maxim Dounin
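
A simplified socket-level model of the point made in this reply, added here as an illustration (it is not nginx code and not part of the original message): a layer whose only peer is a local second-level listener never sees a failed connect(), while the layer that connects to the backends itself sees the refusal and can switch servers. All function names and the loopback endpoints are constructed for the example.

```python
import socket

def listener():
    """Open a loopback TCP listener on an ephemeral port (constructed test endpoint)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(5)
    return s

def closed_port():
    """Return a loopback port with nothing listening, standing in for a dead backend."""
    s = listener()
    port = s.getsockname()[1]
    s.close()
    return port

def connect_with_failover(servers, timeout=1.0):
    """Try each server in order; record connect() failures and move to the next one."""
    failed = []
    for addr in servers:
        try:
            return socket.create_connection(addr, timeout=timeout), failed
        except OSError as exc:  # refused, unreachable or timed out
            failed.append((addr, type(exc).__name__))
    return None, failed

def demo():
    live = listener()                      # healthy backend
    second = listener()                    # local second-level server, always up
    dead = ("127.0.0.1", closed_port())    # backend that is down
    # First layer: its only peer is the local second-level listener, so
    # connect() succeeds and it never learns that a backend is down.
    c1, failed1 = connect_with_failover([second.getsockname()])
    # Second layer: it connects to the backends itself, sees the refusal
    # and switches to the next server in the group.
    c2, failed2 = connect_with_failover([dead, live.getsockname()])
    result = {
        "layer1_failed": failed1,
        "layer2_failed": failed2,
        "layer2_peer": c2.getpeername(),
        "live": live.getsockname(),
        "dead": dead,
    }
    for s in (c1, c2, live, second):
        s.close()
    return result

if __name__ == "__main__":
    print(demo())
```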
