Hey folks,
I'm running NGINX -> LB (F5) -> HA Proxy nodes fronting a private cloud platform (OpenShift).
We have found that, with nginx keepalive to the LB and then to the HA Proxy nodes, traffic meant for one "pod" on the cloud platform gets routed to another application pod by chance during active traffic meant for both, because we have different proxy routes that all go to the same LB (ip:port) when NGINX reverse proxies and stores that active connection for reuse.
So with this directive in mind:
http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
Is there any way at all to force nginx to make a new keepalive connection on a per-hostname basis as opposed to just IP:PORT (even if the different hostnames share the same IP:PORT), so essentially the underlying keepalive cache not only tracks IP:PORT but a 3rd element of hostname to consider too? Could this potentially be done with OpenResty and the Lua nginx module without modifying NGINX directly?
It may seem weird but it's true: as soon as we disabled keepalive, we found NGINX able to send traffic to our private cloud without different cloud service traffic getting routed to the wrong application pod.
I think this issue stems from the HA proxies doing client+server side keepalive to pods, but I cannot ask the cloud team to change, so it's up to NGINX to fix the situation.
Thanks in advance to anyone out there who knows!
Jeremy
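
Added example, not part of the original post: nginx keeps its idle upstream connections in a cache that belongs to each `upstream` block, so declaring one block per hostname gives each hostname its own pool even when the blocks point at the same IP:PORT. The address 192.0.2.10:80, the hostnames and the upstream names are constructed placeholders, and the fragment is meant for the `http` context.

```nginx
# Constructed example: 192.0.2.10:80 stands in for the F5 VIP; hostnames and
# upstream names are placeholders, not values from the post.

# Before: both routes share one upstream block, so they share one idle
# connection cache and a connection opened for app-a can be reused for app-b.
# upstream lb_shared {
#     server 192.0.2.10:80;
#     keepalive 32;
# }

# After: one upstream block per hostname. Each block has its own keepalive
# cache, so an idle connection is only reused for the hostname that opened it.
upstream lb_app_a {
    server 192.0.2.10:80;
    keepalive 16;
}

upstream lb_app_b {
    server 192.0.2.10:80;
    keepalive 16;
}

server {
    listen 80;
    server_name app-a.example.com;

    location / {
        proxy_pass http://lb_app_a;
        proxy_http_version 1.1;          # upstream keepalive needs HTTP/1.1
        proxy_set_header Connection "";  # do not forward "Connection: close"
        proxy_set_header Host app-a.example.com;
    }
}

server {
    listen 80;
    server_name app-b.example.com;

    location / {
        proxy_pass http://lb_app_b;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host app-b.example.com;
    }
}
```

This separates only the nginx-to-LB connections; any connection reuse between the LB and the HA Proxy nodes is outside nginx's control.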