proxy_pass and weird behaviour


proxy_pass and weird behaviour

Michael Grimm
Hi —

(This is nginx 1.11.10 and up to date FreeBSD STABLE-11)

I recently implemented LE certificates for my virtual domains, which will be served at two hosts, accessed by round-robin DNS, aka two IP addresses. In order to get the acme challenges running, I did implement the following configuration:

Host A and Host B:

        # port 80
        server {
                include include/IPs-80;
                server_name example.com;
                location / {
                        # redirect letsencrypt ACME challenge requests to local-at-host-A.lan
                        location /.well-known/acme-challenge/ {
                                proxy_pass http://local-at-host-A.lan;
                        }
                        # all other requests are redirected to https, permanently
                        return 301 https://$server_name$request_uri;
                }
        }

        # port 443
        [snip]


Server local-at-host-A.lan (LE acme) finally serves the acme challenge directory:

        server {
                include include/IPs-80;
                server_name local-at-host-A.lan;
                # redirect all letsencrypt ACME challenges to one global directory
                location /.well-known/acme-challenge/ {
                        root /var/www/acme/;
                }
        }



Well, that is working, somehow, except: If the LE server addresses Host A, the challenge file is going to be retrieved instantaneously. If the LE server addresses Host B, only every *other* request is being served instantaneously:

        1. access: immediately download
        2. access: 60 s wait, then download
        3. access: immediately download
        4. access: 60 s wait, then download
        etc.


Hmm, default proxy_connect_timeout is 60s, I know. But why every other connect?

Any feedback on how to solve/debug that issue is highly welcome.

Thanks and regards,
Michael
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: proxy_pass and weird behaviour

Maxim Dounin
Hello!

On Sat, Mar 11, 2017 at 09:07:54AM +0100, Michael Grimm wrote:

[...]

> Well, that is working, somehow, except: If the LE server
> addresses Host A, the challenge file is going to be retrieved
> instantaneously. If the LE server addresses Host B, only every
> *other* request is being served instantaneously:
>
> 1. access: immediately download
> 2. access: 60 s wait, then download
> 3. access: immediately download
> 4. access: 60 s wait, then download
> etc.
>
>
> Hmm, default proxy_connect_timeout is 60s, I know. But why every
> other connect?

You are using "proxy_pass http://local-at-host-A.lan;" in your
configuration.  What are the IP addresses it resolves to?

The behaviour observed suggests that the name resolves to 2
different addresses, so nginx uses round-robin to balance between
these addresses, and only one of these addresses is reachable.

The exact pattern also requires more than 10 seconds between (2)
and (4), else (4) will be directed to a properly working address,
see http://nginx.org/en/docs/http/ngx_http_upstream_module.html#fail_timeout.  
Though it is something likely to happen when testing manually.

--
Maxim Dounin
http://nginx.org/

Re: proxy_pass and weird behaviour

Michael Grimm
Maxim Dounin <[hidden email]> wrote:
> On Sat, Mar 11, 2017 at 09:07:54AM +0100, Michael Grimm wrote:

> [...]
>
>> Well, that is working, somehow, except: If the LE server
>> addresses Host A, the challenge file is going to be retrieved
>> instantaneously. If the LE server addresses Host B, only every
>> *other* request is being served instantaneously:
>>
>> 1. access: immediately download
>> 2. access: 60 s wait, then download
>> 3. access: immediately download
>> 4. access: 60 s wait, then download
>> etc.
>>
>>
>> Hmm, default proxy_connect_timeout is 60s, I know. But why every
>> other connect?
>
> You are using "proxy_pass http://local-at-host-A.lan;" in your
> configuration.  What are the IP addresses it resolves to?
>
> The behaviour observed suggests that the name resolves to 2
> different addresses, so nginx uses round-robin to balance between
> these addresses, and only one of these addresses is reachable.

Bingo! I had had two issues in that regard: My local resolver returned
one IPv4 and one IPv6 address for local-at-host-A.lan, and in my server
block I had had an include statement with listen statements for IPv4 and
IPv6 addresses. (Those were left-overs I didn't bear in mind when
removing IPv6 functionality for that given nginx server.)

Now, everything is working as expected. Thank you very much for pointing
me in the right direction!

With kind regards,
Michael
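
The check that would have exposed the cause diagnosed in this thread, as an added example (not part of the original posts and not nginx code): list every address a `proxy_pass` hostname resolves to and try a TCP connect to each one. The function names and the loopback stand-in backend are assumptions made for the illustration.

```python
import socket

def resolve_all(host, port):
    """Every (family, address) the system resolver returns for host.
    nginx resolves a literal proxy_pass hostname when the configuration
    is loaded and balances round-robin across all returned addresses."""
    found = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM):
        entry = ("IPv6" if family == socket.AF_INET6 else "IPv4", sockaddr[0])
        if entry not in found:
            found.append(entry)
    return found

def probe(address, port, timeout=2.0):
    """One TCP connect attempt; returns (reachable, detail)."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        return False, "timed out"
    except OSError as exc:
        return False, exc.strerror or str(exc)

def check_backend(addresses, port, timeout=2.0):
    """Map each resolved address to True/False for reachability."""
    return {addr: probe(addr, port, timeout)[0] for _, addr in addresses}

def demo():
    # Constructed stand-in for the thread's setup: the backend listens on
    # IPv4 only, while the name also resolves to an IPv6 address.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))        # ephemeral port, IPv4 loopback only
    listener.listen(5)
    port = listener.getsockname()[1]
    try:
        resolved = [("IPv4", "127.0.0.1"), ("IPv6", "::1")]  # constructed
        return check_backend(resolved, port, timeout=1.0)
    finally:
        listener.close()

if __name__ == "__main__":
    for addr, ok in demo().items():
        print(f"{addr:<12} {'reachable' if ok else 'UNREACHABLE'}")
```

On the proxying host itself, `check_backend(resolve_all("local-at-host-A.lan", 80), 80)` runs the same check against the real name; any address reported unreachable is one nginx will still pick in rotation.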