proxy_pass and weird behaviour

Posted by Michael Grimm 
Michael Grimm
proxy_pass and weird behaviour
March 11, 2017 09:10AM
Hi —

(This is nginx 1.11.10 and up to date FreeBSD STABLE-11)

I recently implemented LE certificates for my virtual domains, which will be served at two hosts, accessed by round-robin DNS, aka two IP addresses. In order to get the acme challenges running, I did implement the following configuration:

Host A and Host B:

# port 80
server {
    include include/IPs-80;
    server_name example.com;
    location / {
        # redirect letsencrypt ACME challenge requests to local-at-host-A.lan
        location /.well-known/acme-challenge/ {
            proxy_pass http://local-at-host-A.lan;
        }
        # all other requests are redirected to https, permanently
        return 301 https://$server_name$request_uri;
    }
}

# port 443
[snip]


Server local-at-host-A.lan (LE acme) finally serves the acme challenge directory:

server {
    include include/IPs-80;
    server_name local-at-host-A.lan;
    # redirect all letsencrypt ACME challenges to one global directory
    location /.well-known/acme-challenge/ {
        root /var/www/acme/;
    }
}



Well, that is working, somehow, except: If the LE server addresses Host A, the challenge file is going to be retrieved instantaneously. If the LE server addresses Host B, only every *other* request is being served instantaneously:

1. access: immediately download
2. access: 60 s wait, then download
3. access: immediately download
4. access: 60 s wait, then download
etc.


Hmm, default proxy_connect_timeout is 60s, I know. But why every other connect?

Every feedback on how to solve/debug that issue is highly welcome.

Thanks and regards,
Michael
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Maxim Dounin
Re: proxy_pass and weird behaviour
March 13, 2017 01:50PM
Hello!

On Sat, Mar 11, 2017 at 09:07:54AM +0100, Michael Grimm wrote:

[...]

> Well, that is working, somehow, except: If the LE server
> addresses Host A, the challenge file is going to be retrieved
> instantaneously. If the LE server addresses Host B, only every
> *other* request is being served instantaneously:
>
> 1. access: immediately download
> 2. access: 60 s wait, then download
> 3. access: immediately download
> 4. access: 60 s wait, then download
> etc.
>
>
> Hmm, default proxy_connect_timeout is 60s, I know. But why every
> other connect?

You are using "proxy_pass http://local-at-host-A.lan;" in your
configuration. What are the IP addresses it resolves to?

The behaviour observed suggests that the name resolves to 2
different addresses, so nginx uses round-robin to balance between
these addresses, and only one of these addresses is reachable.

The exact pattern also requires more than 10 seconds between (2)
and (4), else (4) will be directed to a properly working address,
see http://nginx.org/en/docs/http/ngx_http_upstream_module.html#fail_timeout.
Though it is something likely to happen when testing manually.

--
Maxim Dounin
http://nginx.org/
Michael Grimm
Re: proxy_pass and weird behaviour
March 14, 2017 03:20PM
Maxim Dounin <[email protected]> wrote:
> On Sat, Mar 11, 2017 at 09:07:54AM +0100, Michael Grimm wrote:

> [...]
>
>> Well, that is working, somehow, except: If the LE server
>> addresses Host A, the challenge file is going to be retrieved
>> instantaneously. If the LE server addresses Host B, only every
>> *other* request is being served instantaneously:
>>
>> 1. access: immediately download
>> 2. access: 60 s wait, then download
>> 3. access: immediately download
>> 4. access: 60 s wait, then download
>> etc.
>>
>>
>> Hmm, default proxy_connect_timeout is 60s, I know. But why every
>> other connect?
>
> You are using "proxy_pass http://local-at-host-A.lan;" in your
> configuration. What are the IP addresses it resolves to?
>
> The behaviour observed suggests that the name resolves to 2
> different addresses, so nginx uses round-robin to balance between
> these addresses, and only one of these addresses is reachable.

Bingo! I had had two issues in that regard: My local resolver returned
one IPv4 and one IPv6 address for local-at-host-A.lan, and in my server
block I had had an include statement with listen statements for IPv4 and
IPv6 addresses. (Those were left-overs I didn't bear in mind when
removing IPv6 functionality for that given nginx server.)

Now, everything is working as expected. Thank you very much for pointing
me to the right direction!

With kind regards,
Michael
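
Added example, not part of the thread: a Python check for the mismatch diagnosed above, where the name given to proxy_pass resolves to several addresses and not all of them accept connections. The function names and the constructed loopback demo (a listener bound to IPv4 only, probed over both IPv4 and IPv6) are assumptions for illustration.

```python
import socket
import sys

def resolve_all(host, port=80):
    """Return every distinct (family, address) the system resolver gives for host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    seen = []
    for family, _type, _proto, _canon, sockaddr in infos:
        entry = (family, sockaddr[0])
        if entry not in seen:
            seen.append(entry)
    return seen

def probe(family, address, port, timeout=3.0):
    """Try one TCP connect to a single address; return (ok, detail)."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((address, port))
        return True, "connected"
    except OSError as exc:  # refused, timed out, no route, family unsupported
        return False, exc.__class__.__name__

def check_upstream(addresses, port, timeout=3.0):
    """Probe each address; the name is a sound upstream only if all of them answer."""
    results = [(addr, *probe(fam, addr, port, timeout)) for fam, addr in addresses]
    return results, all(ok for _addr, ok, _detail in results)

def demo():
    """Constructed case: listener on IPv4 only, name mapped to both IPv4 and IPv6."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))       # ephemeral port, IPv4 loopback only
        srv.listen(5)
        port = srv.getsockname()[1]
        addrs = [(socket.AF_INET, "127.0.0.1"), (socket.AF_INET6, "::1")]
        return check_upstream(addrs, port, timeout=1.0)

if __name__ == "__main__":
    if len(sys.argv) > 1:                # usage: script.py HOST [PORT]
        host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 80
        results, ok = check_upstream(resolve_all(host, port), port)
    else:
        results, ok = demo()
    for addr, reachable, detail in results:
        print(f"{addr:40} {'ok' if reachable else 'FAIL'} ({detail})")
    sys.exit(0 if ok else 1)
```

Run on the proxying host with the upstream name as argument; any FAIL line marks an address that round-robin would still select.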