Proxy variables at upstream level

rohit.c.joshi · 2016-05-25T07:52:57+00:00

On 24 May 2016 at 18:26, <gabriel@mongefranco.com> wrote:Does anyone know of web application frameworks for OpenResty (or Nginx+Lua) that are still ac...

Proxy variables at upstream level

rohit.c.joshi

We have requirement for different parameters per upstream server.
Eg connection timeout , read timeout, SSL protocols/certs/keys etc

What is the best way to achieve?
  I know one of the way is to create separate location blocks and use ngx.exe. We have 500+ upstream servers. Would it be any issue ( performance/memory) if we create 500+ location blocks? 

Any advise on adding this support at upstream level? 

Thanks

agentzh

Hello!

On Tue, May 24, 2016 at 4:52 PM, RJoshi wrote:
> We have requirement for different parameters per upstream server.
> Eg connection timeout , read timeout, SSL protocols/certs/keys etc
>
> What is the best way to achieve?
>   I know one of the way is to create separate location blocks and use ngx.exe. We have 500+ upstream servers. Would it be any issue ( performance/memory) if we create 500+ location blocks?
>
> Any advise on adding this support at upstream level?
>

balancer_by_lua* combined with ssl_certificate_by_lua* look like a
good fit for this. And we have pending PRs in the lua-nginx-module
github repo that allows per-request timeout settings.

Regards,
-agentzh

rohit.c.joshi

Thanks @agentzh.

1. Will the per request timeout PR be included in 1.9.15.1 release?

2. I thought ssl_by_lua is for incoming/downstream requests. Our requirements are for outgoing/upstream 3rd party connections which requires different SSL certs/keys etc

3. Have you done any performance comparison  between balancer_by_lua vs Nginx upstream routing? 

Thanks,

agentzh

Hello!

On Fri, May 27, 2016 at 2:31 PM, RJoshi wrote:
> 1. Will the per request timeout PR be included in 1.9.15.1 release?
>

No, the merge window of 1.9.15.1 is already closed. Maybe 1.9.15.2.

> 2. I thought ssl_by_lua is for incoming/downstream requests. Our requirements are for outgoing/upstream 3rd party connections which requires different SSL certs/keys etc
>

You need *client-side* SSL certificates for upstream connections? If
they are still *server-side* certificates, then it makes no difference
here.

> 3. Have you done any performance comparison  between balancer_by_lua vs Nginx upstream routing?
>

balancer_by_lua* is just the balancer, that is, picking up a peer for
nginx upstream to use. You still use the nginx upstream facility as
well as the ngx_proxy module to do the real work. It's usually nothing
in terms of resource usage as compared to everything else.

Regards,
-agentzh

rohit.c.joshi

Yes, we have to use client side certificates issued by 3rd party/partner companies for upstream connections.

For now, I am creating a custom location and routing using ngx.exec("@xxx_com").

location @xxx_com {

internal;

access_log logs/access.log perf_log;

proxy_connect_timeout 10s;

proxy_read_timeout 60s;

proxy_ssl_verify on;

proxy_ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

proxy_ssl_protocols TLSv1.2;

proxy_ssl_certificate xxx-clientid.pem;

proxy_ssl_certificate_key xxx-clientid.key;

proxy_ssl_server_name on;

proxy_ssl_name $ssl_server_name;

proxy_pass $upstream_http_scheme://$upstream_domain$upstream_uri;

}

On Friday, 27 May 2016 20:23:13 UTC-4, agentzh wrote:

Hello!

On Fri, May 27, 2016 at 2:31 PM, RJoshi wrote:
> 1. Will the per request timeout PR be included in 1.9.15.1 release?
>

No, the merge window of 1.9.15.1 is already closed. Maybe 1.9.15.2.

> 2. I thought ssl_by_lua is for incoming/downstream requests. Our requirements are for outgoing/upstream 3rd party connections which requires different SSL certs/keys etc
>

You need *client-side* SSL certificates for upstream connections? If
they are still *server-side* certificates, then it makes no difference
here.

> 3. Have you done any performance comparison between balancer_by_lua vs Nginx upstream routing?
>

balancer_by_lua* is just the balancer, that is, picking up a peer for
nginx upstream to use. You still use the nginx upstream facility as
well as the ngx_proxy module to do the real work. It's usually nothing
in terms of resource usage as compared to everything else.

Regards,
-agentzh

agentzh

Hello!

On Fri, May 27, 2016 at 7:39 PM, RJoshi wrote:
> Yes, we have to use client side certificates issued by 3rd party/partner
> companies for upstream connections.
>

Then we need to do more work to allow setting client-side SSL
certificate and keys for the ngx_proxy module.

Regards,
-agentzh

rohit.c.joshi

Should this be added as part of upstream section of config as these client certs/keys are specific to upstream servers?

agentzh

Hello!

On Thu, Jun 2, 2016 at 5:59 PM, RJoshi wrote:
> Should this be added as part of upstream section of config as these client certs/keys are specific to upstream servers?
>

It should be a Lua/C API instead of being a configuration directive directly.

Regards,
-agentzh