TCP connection limit on dynamic backend

[R, Rajkumar (Raj)]

Thanks for your quick response.

Is there a way to delay the execution of limit_conn. Please suggest if there's a way forward on this. 

thanks,
raj

-----Original Message-----
From: nginx <nginx-bounces at nginx.org> On Behalf Of Roman Arutyunyan
Sent: Tuesday, March 26, 2019 4:59 PM
To: nginx at nginx.org
Subject: Re: TCP connection limit on dynamic backend

Hi,

On Tue, Mar 26, 2019 at 09:13:44AM +0000, R, Rajkumar (Raj) wrote:
> Hi,
> 
> Using nginx in TCP/Stream mode and would like to limit the number of active connection to my backend server whereas the backend is resolved dynamically based on the SNI header ($ssl_preread_server_name).  But this does not allow any connections to the backend with below config.  I see examples of limiting backend connections if the backend server block is pre configured.
> 
> Could you please confirm if this achievable or supported currently with Stream mode?
> 
> Below is the related config part.
> 
> map $ssl_preread_server_name $backend_svr {
>       ~^(\w+).test.com $1-tcp.default.svc.cluster.local;
>   }
> 
> limit_conn_zone $ssl_preread_server_name zone=perserver:10m;
> 
> server {
>       listen      443 reuseport so_keepalive=30s:30s:3 backlog=64999;
>       proxy_pass $backend_svr:443;
>       limit_conn perserver 255;
>       ssl_preread on;
> }

The problem is limit_conn is executed at an earlier phase than ssl_preread.
The $ssl_preread_server_name variable is just empty at that moment.
You basically limit client connections by an empty variable.

-- 
Roman Arutyunyan
_______________________________________________
nginx mailing list
nginx at nginx.org
https://urldefense.proofpoint.com/v2/url?u=http-3A__mailman.nginx.org_mailman_listinfo_nginx&d=DwICAg&c=BFpWQw8bsuKpl1SgiZH64Q&r=LDE-f1bLxMPmcrsp8ONITcznNqEIlhe9ffKEZPeB7EI&m=unQV1WrV4FRI5jvKwIh6Zn5db3ZaY3WQha37LnjRjrE&s=tV5nHAXiBKw4H6XIbKfCKiSzzDoVF8aHoL95w2mgtbQ&e=