SSLEngine closed already exception triggered by reload
nginxuser2018
nginx-forum at forum.nginx.org
Fri Nov 9 17:42:48 UTC 2018
Hi Maxim,
We have tried different settings with 'lingering_close always;' and
'lingering_time', 'lingering_timeout' up to 240s with no success.
Would you be able to confirm whether it is an nginx problem in the lingering
close automatic logic as you mentioned if I provide an example to reproduce
it?
Thanks,
Dario
Maxim Dounin Wrote:
-------------------------------------------------------
> Hello!
>
> On Mon, Nov 05, 2018 at 09:14:33AM -0500, nginxuser2018 wrote:
>
> > I noticed that if I set up a simple scenario where a client is making
> > concurrent requests on a server with nginx configured as a reverse proxy and
> > SSL traffic termination endpoint, if I trigger a reload with 'nginx -s
> > reload' mid requests, often times the client will throw an
> > 'javax.net.ssl.SSLException: SSLEngine closed already
> > at io.netty.handler.ssl.SslHandler.wrap(...)(Unknown Source)' exception.
> >
> > I'm using Scala with the Play framework, which uses netty under the hood.
> >
> > Is there any configuration that could avoid these exceptions being thrown?
> >
> > I cannot reproduce it using, for example, Play to serve HTTPS, so I can
> > possibly rule out a problem in the client and think it is a problem with
> > nginx?
>
> On Tue, Nov 06, 2018 at 08:49:07AM -0500, nginxuser2018 wrote:
>
> > One setting that I noticed mitigates the problem is to use
> > `lingering_close always;` however in our infrastructure this can lead to
> > the build up of worker processes (for the duration of the
> > lingering_timeout). What are the advantages and drawbacks of using this
> > setting?
>
> Upon configuration reload, nginx will close connections after it
> finishes processing already active requests in these connections.
> And given that "lingering_close always;" helps, I think there are
> two possible cases here:
>
> 1. Closing the connection by nginx happens at the wrong time,
> right before the next request is received on this connection, so
> RST is sent on the connection before the client is able to get the
> response and the connection close. If this is indeed the case,
> using "lingering_close always;" might be the right thing to do -
> or, alternatively, lingering close automatic logic might need to
> be improved.
>
> 2. The client isn't smart enough to check that the connection is
> closed before sending the next request, and/or isn't smart enough
> to recover from asynchronous close events (a good description can
> be found in RFC 2616, "8.1.4 Practical Considerations",
> https://tools.ietf.org/html/rfc2616#section-8.1.4). In this case,
> a proper fix would be to improve the client.
>
> --
> Maxim Dounin
> http://mdounin.ru/
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,281786,281894#msg-281894
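
The client-side recovery that case 2 of the quoted reply refers to (RFC 2616, section 8.1.4), as an added example that is not part of the original thread and not code from nginx, Play or netty. It assumes a Python `http.client` client and a constructed plain-HTTP loopback server standing in for a worker that closes keep-alive connections after a reload; `start_closing_server` and `request_with_retry` are hypothetical names.

```python
import http.client
import socket
import threading

# Methods RFC 2616 defines as idempotent; only these are replayed automatically.
IDEMPOTENT = {"GET", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE"}


def start_closing_server():
    """Constructed stand-in for a worker shutting down after a reload: it
    answers one request per connection, advertises keep-alive, then closes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:  # socket is closed as soon as the response is written
                if conn.recv(65536):
                    conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n"
                                 b"Connection: keep-alive\r\n\r\nok")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def request_with_retry(conn, method, path):
    """Send a request on a persistent connection. If the peer closed it
    asynchronously, reopen and replay once, but only for idempotent methods.
    Returns (status, body, number_of_retries)."""
    for attempt in range(2):
        try:
            conn.request(method, path)
            resp = conn.getresponse()
            return resp.status, resp.read(), attempt
        except ConnectionError:
            # Covers RemoteDisconnected (EOF), ECONNRESET (RST) and EPIPE.
            conn.close()  # drop the dead socket; http.client reconnects lazily
            if attempt == 1 or method not in IDEMPOTENT:
                raise  # never replay a request that may have side effects


if __name__ == "__main__":
    c = http.client.HTTPConnection("127.0.0.1", start_closing_server(), timeout=5)
    print(request_with_retry(c, "GET", "/"))  # fresh connection
    print(request_with_retry(c, "GET", "/"))  # stale connection, replayed once
```

A non-idempotent request such as POST on the stale connection still surfaces the error to the caller, which is the situation where server-side `lingering_close` behaviour matters most.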