Opened 13 years ago

Closed 13 years ago

Last modified 4 months ago

#142 closed defect (fixed)

infinite loop until server fails in upstream module with round robin

Reported by: unixant@…
Owned by: somebody
Priority: minor
Milestone:
Component: nginx-module
Version: 1.1.x
Keywords: round robin infinite loop
Cc:
uname -a: Linux localhost.localdomain 2.6.35.6-45.fc14.i686 #1 SMP Mon Oct 18 23:56:17 UTC 2010 i686 i686 i386 GNU/Linux
nginx -V: nginx version: nginx/1.0.12
built by gcc 4.5.1 20100924 (Red Hat 4.5.1-4) (GCC)
configure arguments: --with-debug --add-module=addon/jstatus --prefix=output

Description

I use nginx as a load balancer for backend web servers.
If this upstream has n servers and m backup servers, and the n servers are not available (Connection refused), round robin will try n*max_fails times to connect to the n servers. But if there are no backup servers, round robin only tries n times to connect to the n servers.
Such as:

upstream bdbk {
    # no program listens on 8081, 8082
    server 127.0.0.1:8081 max_fails=3 fail_timeout=10s;
    server 127.0.0.1:8082 max_fails=3 fail_timeout=10s;

    server 127.0.0.1:8083 max_fails=3 fail_timeout=10s backup;
    server 127.0.0.1:8084 max_fails=3 fail_timeout=10s backup;
}

If I make a request, the upstream tries 6 (n*max_fails) times to connect to 8081 and 8082, then round robin tries to connect to the backup servers.

If there are no backup servers, nginx only tries 2 (n) times to connect to 8081 and 8082.


Attachments (5)

nginx.conf (934 bytes ) - added by unixant@… 13 years ago.
debug.log (16.2 KB ) - added by unixant@… 13 years ago.
error.log (95 bytes ) - added by unixant@… 13 years ago.
upstreams.list (9.1 KB ) - added by unixant@… 13 years ago.
access.log (219 bytes ) - added by unixant@… 13 years ago.


Change History (7)

by unixant@…, 13 years ago

Attachment: nginx.conf added

by unixant@…, 13 years ago

Attachment: debug.log added

by unixant@…, 13 years ago

Attachment: error.log added

by unixant@…, 13 years ago

Attachment: upstreams.list added

by unixant@…, 13 years ago

Attachment: access.log added

comment:1 by Maxim Dounin, 13 years ago

Resolution: duplicate
Status: new → closed

This is a variation of #47.

comment:2 by Sergey Kandaurov <pluknet@…>, 4 months ago

Resolution: duplicate → fixed

In 9302:bb4f30755c57/nginx:

SSL: optional ssl_client_certificate for ssl_verify_client.

Starting from TLSv1.1 (as seen since draft-ietf-tls-rfc2246-bis-00),
the "certificate_authorities" field grammar of the CertificateRequest
message was redone to allow no distinguished names. In TLSv1.3, with
the restructured CertificateRequest message, this can be similarly
done by optionally including the "certificate_authorities" extension.
This allows to avoid sending DNs at all.

In practice, aside from published TLS specifications, all supported
SSL/TLS libraries allow to request client certificates with an empty
DN list for any protocol version. For instance, when operating in
TLSv1, this results in sending the "certificate_authorities" list as
a zero-length vector, which corresponds to the TLSv1.1 specification.
Such behaviour goes back to SSLeay.

The change relaxes the requirement to specify at least one trusted CA
certificate in the ssl_client_certificate directive, which resulted in
sending DNs of these certificates (closes #142). Instead, all trusted
CA certificates can be specified now using the ssl_trusted_certificate
directive if needed. A notable difference that certificates specified
in ssl_trusted_certificate are always loaded remains (see 3648ba7db).

Co-authored-by: Praveen Chaudhary <praveenc@…>
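
The empty "certificate_authorities" vector described in the commit message above, as an added example (not nginx code and not part of the ticket): a parser for the TLS 1.0 to 1.2 CertificateRequest body that lists the DNs a server sends, so an operator can check whether CA names are disclosed. The function names and the sample bytes are constructed for illustration.

```python
def read_vector(buf: bytes, pos: int, len_size: int):
    """Read one TLS vector (len_size-byte big-endian length, then payload)."""
    end = pos + len_size
    if end > len(buf):
        raise ValueError("truncated length prefix")
    n = int.from_bytes(buf[pos:end], "big")
    if end + n > len(buf):
        raise ValueError("vector overruns buffer")
    return buf[end:end + n], end + n


def parse_certificate_request(body: bytes, tls12: bool = False) -> dict:
    """Parse a TLS 1.0-1.2 CertificateRequest body (4-byte handshake header removed)."""
    cert_types, pos = read_vector(body, 0, 1)
    if not cert_types:
        raise ValueError("certificate_types must hold at least one type")
    sig_algs = b""
    if tls12:  # TLS 1.2 inserts supported_signature_algorithms here
        sig_algs, pos = read_vector(body, pos, 2)
        if len(sig_algs) % 2:
            raise ValueError("odd-length supported_signature_algorithms")
    ca_list, pos = read_vector(body, pos, 2)
    if pos != len(body):
        raise ValueError("trailing bytes after certificate_authorities")
    authorities, off = [], 0
    while off < len(ca_list):  # each entry: opaque DistinguishedName<1..2^16-1>
        dn, off = read_vector(ca_list, off, 2)
        if not dn:
            raise ValueError("zero-length DistinguishedName")
        authorities.append(dn)
    return {
        "certificate_types": list(cert_types),
        "signature_algorithms": [int.from_bytes(sig_algs[i:i + 2], "big")
                                 for i in range(0, len(sig_algs), 2)],
        "authorities": authorities,
    }


# Constructed sample data (not captured traffic): DER Name for CN=Example CA.
SAMPLE_DN = bytes.fromhex("30153113301106035504030c0a") + b"Example CA"
TYPES = b"\x02\x01\x40"  # certificate_types: rsa_sign(1), ecdsa_sign(64)
# TLS 1.1 request with an empty DN list: certificate_authorities is just 00 00.
EMPTY_TLS11 = TYPES + b"\x00\x00"
# TLS 1.2 request naming one CA (two signature algorithms, then the DN list).
CA_LIST = len(SAMPLE_DN).to_bytes(2, "big") + SAMPLE_DN
NAMED_TLS12 = TYPES + b"\x00\x04\x04\x01\x04\x03" + len(CA_LIST).to_bytes(2, "big") + CA_LIST

if __name__ == "__main__":
    print(parse_certificate_request(EMPTY_TLS11))
    print(parse_certificate_request(NAMED_TLS12, tls12=True))
```

An empty "authorities" list is the zero-length vector the commit message refers to; a non-empty list shows exactly which CA subject names the server discloses to any connecting client.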
