TCP connection limit on dynamic backend

R, Rajkumar (Raj) rajkumaradass at
Tue Mar 26 12:27:06 UTC 2019

Thanks for your quick response.

Is there a way to delay the execution of limit_conn? Please suggest if there's a way forward on this.


-----Original Message-----
From: nginx <nginx-bounces at> On Behalf Of Roman Arutyunyan
Sent: Tuesday, March 26, 2019 4:59 PM
To: nginx at
Subject: Re: TCP connection limit on dynamic backend


On Tue, Mar 26, 2019 at 09:13:44AM +0000, R, Rajkumar (Raj) wrote:
> Hi,
> Using nginx in TCP/Stream mode and would like to limit the number of active connections to my backend server, whereas the backend is resolved dynamically based on the SNI header ($ssl_preread_server_name). But this does not allow any connections to the backend with the below config. I see examples of limiting backend connections if the backend server block is preconfigured.
> Could you please confirm if this is achievable or supported currently with Stream mode?
> Below is the related config part.
> map $ssl_preread_server_name $backend_svr {
>       ~^(\w+) $1-tcp.default.svc.cluster.local;
>   }
> limit_conn_zone $ssl_preread_server_name zone=perserver:10m;
> server {
>       listen      443 reuseport so_keepalive=30s:30s:3 backlog=64999;
>       proxy_pass $backend_svr:443;
>       limit_conn perserver 255;
>       ssl_preread on;
> }

The problem is limit_conn is executed at an earlier phase than ssl_preread.
The $ssl_preread_server_name variable is just empty at that moment.
You basically limit client connections by an empty variable.

Roman Arutyunyan