Caveats:
- Bandwidth for all the backends is limited by the bandwidth of the reverse proxies. A single instance big enough to handle the traffic of all the web nodes might be expensive.
- Unless deploying multiple nginx nodes behind a shared IP, you’re further adding a Single Point of Failure.
Configuration:
For non-SSL traffic:
default.conf
server {
    listen 80;
    server_name example.com;
    client_max_body_size 10M;
    access_log /var/log/nginx/example.com-access.log;
    error_log /var/log/nginx/example.com-error.log;

    location / {
        # "production" is the upstream group defined in backends.conf
        proxy_pass http://production;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_max_temp_file_size 0;
        proxy_connect_timeout 600;
        proxy_send_timeout 600;
        proxy_read_timeout 600;
        send_timeout 600;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
    }
}
For SSL traffic:
default-ssl.conf
server {
    # "listen ... ssl" enables TLS on this socket; the old "ssl on;" directive is
    # deprecated and redundant with it, so it is omitted here.
    listen 443 ssl;
    server_name example.com;
    client_max_body_size 10M;
    access_log /var/log/nginx/example.com-ssl-access.log;
    error_log /var/log/nginx/example.com-ssl-error.log;

    ssl_certificate /etc/pki/tls/certs/example.com-chained.crt;
    ssl_certificate_key /etc/pki/tls/private/example.com.key;
    # SSLv3 removed from the original list: it is broken (POODLE) and must not be offered.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    keepalive_timeout 60;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    location / {
        # "production-secure" is the upstream group defined in backends.conf
        proxy_pass https://production-secure/;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_max_temp_file_size 0;
        proxy_connect_timeout 600;
        proxy_send_timeout 600;
        proxy_read_timeout 600;
        send_timeout 600;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
    }
}
Note: You may need to disable proxy buffering entirely (proxy_buffering off;), or increase proxy_buffer_size / proxy_buffers in the settings above, because proxy buffering can cause SSL handshake errors like the following:
2014/05/09 12:27:08 [info] 1768401#0: *25 client closed prematurely connection while SSL handshaking, client: 10.183.252.20, server: webcast.cisco.com
Further documentation here:
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffering
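Both server blocks above set X-Real-IP and X-Forwarded-For with $proxy_add_x_forwarded_for, which appends nginx's view of the client address to whatever X-Forwarded-For the client already sent. The backend therefore must not take the first (leftmost) entry as the client IP. The following is an added example, not part of the original page or of nginx: it mimics what $proxy_add_x_forwarded_for produces and shows how a backend should derive the real client address by walking the header from the right and skipping only its trusted proxy addresses. The trusted range 10.0.0.0/8 is a constructed placeholder for the nginx nodes.

```python
import ipaddress

# Constructed placeholder: the address range the nginx reverse proxies live in.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def proxy_add_x_forwarded_for(incoming_xff, remote_addr):
    """Mimic nginx's $proxy_add_x_forwarded_for: append $remote_addr to the
    incoming X-Forwarded-For value, or use $remote_addr alone if none was sent."""
    if incoming_xff:
        return f"{incoming_xff}, {remote_addr}"
    return remote_addr


def client_ip(xff_header, remote_addr, trusted=TRUSTED_PROXIES):
    """Derive the real client address on the backend.

    remote_addr is the TCP peer (the nginx node). Walk the X-Forwarded-For
    chain from the right, skipping addresses that belong to trusted proxies;
    the first address that is not a trusted proxy is the client. Everything
    to its left was supplied by the client and is not trustworthy.
    Returns None if the candidate entry is not a valid IP address.
    """
    hops = [h.strip() for h in xff_header.split(",")] if xff_header else []
    hops.append(remote_addr)
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: refuse to guess
        if not any(addr in net for net in trusted):
            return str(addr)
    # Every hop is a trusted proxy: the request originated inside the trusted
    # range, so the leftmost entry is the originator.
    return hops[0]


if __name__ == "__main__":
    # Constructed request: the client spoofs two X-Forwarded-For entries.
    hdr = proxy_add_x_forwarded_for("198.51.100.9, 192.0.2.1", "203.0.113.5")
    print(hdr)                         # 198.51.100.9, 192.0.2.1, 203.0.113.5
    print(client_ip(hdr, "10.0.0.1"))  # 203.0.113.5, not the spoofed 198.51.100.9
```

X-Real-IP carries the same value nginx appended ($remote_addr) and is equally safe to use, but only when the backend verifies the connection actually came from a trusted proxy; reachable directly, either header is client-controlled.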
Nodes included in the load balancer:
backends.conf
upstream production {
    server 10.x.x.x;
    server 10.x.x.x;
}

upstream production-secure {
    server 10.x.x.x:443;
    server 10.x.x.x:443;
}