Skip to content

Latest commit

 

History

History

doc

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 

= Name =

nginx_tcp_proxy_module - support TCP proxy with Nginx

Table of Contents

Installation

Download the latest stable version of the release tarball of this module from github

The development version of this module is here. I have added the features of tcp_ssl_proxy, tcp_upstream_busyness, access_log.

Grab the nginx source code from nginx.org, for example, the version 1.0.9 (see nginx compatibility), and then build the source with this module:

<geshi lang="bash"> $ wget 'http://nginx.org/download/nginx-1.0.9.tar.gz' $ tar -xzvf nginx-1.0.9.tar.gz $ cd nginx-1.0.9/ $ patch -p1 < /path/to/nginx_tcp_proxy_module/tcp.patch $ ./configure --add-module=/path/to/nginx_tcp_proxy_module $ make $ make install </geshi>


Synopsis

<geshi lang="nginx"> http { server { listen 80; location /status { check_status; } } } </geshi> <geshi lang="nginx"> tcp { upstream cluster { # simple round-robin server 127.0.0.1:3306; server 127.0.0.1:1234; check interval=3000 rise=2 fall=5 timeout=1000; #check interval=3000 rise=2 fall=5 timeout=1000 type=ssl_hello; #check interval=3000 rise=2 fall=5 timeout=1000 type=http; #check_http_send "GET / HTTP/1.0\r\n\r\n"; #check_http_expect_alive http_2xx http_3xx; } server { listen 8888; proxy_pass cluster; } } </geshi>

Description

This module actually include many modules: ngx_tcp_module, ngx_tcp_core_module, ngx_tcp_upstream_module, ngx_tcp_proxy_module, ngx_tcp_websocket_module, ngx_tcp_ssl_module, ngx_tcp_upstream_ip_hash_module. All these modules work togther to add the support of TCP proxy with Nginx. I also add other features: ip_hash, upstream server health check, status monitor.

The motivation of writing these modules is Nginx's high performance and robustness. At first, I developed this module just for general TCP proxy. And now, this module is frequently used in websocket reverse proxying.

You can't use the same listening port with HTTP modules.

Directives

ngx_tcp_moodule

tcp

syntax: tcp {...}

default: none

context: main

description: All the tcp related directives are contained in the tcp block.

ngx_tcp_core_moodule

server

syntax: server {...}

default: none

context: tcp

description: All the specific server directives are contained in the server block.

listen

syntax: listen address:port [bind]

default: none

context: server

description: The same as listen. The parameter of default means the default server if you have several server blocks with the same port.

access_log

syntax: access_log path [buffer=size] | off

default: access_log logs/tcp_access.log

context: tcp, server

description: Set the access.log. Each record's format is like this:

log_time worker_process_pid client_ip host_ip accept_time upstream_ip bytes_read bytes_write

2011/08/02 06:19:07 [5972] 127.0.0.1 0.0.0.0:1982 2011/08/02 06:18:19 172.19.0.129:80 80 236305

  • log_time: The current time when writing this log. The log action is called when the proxy session is closed.
  • worker_process_pid: the pid of worker process
  • client_ip: the client ip
  • host_ip: the server ip and port
  • accept_time: the time when the server accepts client's connection
  • upstream_ip: the upstream server's ip
  • bytes_read: the bytes read from client
  • bytes_write: the bytes written to client

allow

syntax: allow [address]

default: none

context: server

description: Directive grants access for the network or addresses indicated.

deny

syntax: deny [address]

default: none

context: server

description: Directive grants access for the network or addresses indicated.

so_keepalive

syntax: so_keepalive on|off

default: off

context: main, server

description: The same as so_keepalive.

tcp_nodelay

syntax: tcp_nodelay on|off

default: on

context: main, server

description: The same as tcp_nodelay.

timeout

syntax: timeout milliseconds

default: 60000

context: main, server

description: set the timeout value with clients.

server_name

syntax: server_name name

default: The name of the host, obtained through gethostname()

context: tcp, server

description: The same as server_name. You can specify several server name in different server block with the same port. They can be used in websocket module.

resolver

syntax: resolver address

default: none

context: tcp, server

description: DNS server

resolver_timeout

syntax: resolver_timeout time

default: 30s

context: tcp, server

description: Resolver timeout in seconds.

ngx_tcp_upstream_module

upstream

syntax: upstream {...}

default: none

context: tcp

description: All the upstream directives are contained in this block. The upstream server will be dispatched with round robin by default.

server

syntax: server name [parameters]

default: none

context: upstream

description: Most of the parameters are the same as server. Default port is 80.

check

syntax: check interval=milliseconds [fall=count] [rise=count] [timeout=milliseconds] [type=tcp|ssl_hello|smtp|mysql|pop3|imap]

default: none, if parameters omitted, default parameters are interval=30000 fall=5 rise=2 timeout=1000

context: upstream

description: Add the health check for the upstream servers. At present, the check method is a simple tcp connect.

The parameters' meanings are:

  • interval: the check request's interval time.
  • fall(fall_count): After fall_count check failures, the server is marked down.
  • rise(rise_count): After rise_count check success, the server is marked up.
  • timeout: the check request's timeout.
  • type: the check protocol type:
  1. tcp is a simple tcp socket connect and peek one byte.
  2. ssl_hello sends a client ssl hello packet and receives the server ssl hello packet.
  3. http sends a http requst packet, recvives and parses the http response to diagnose if the upstream server is alive.
  4. smtp sends a smtp requst packet, recvives and parses the smtp response to diagnose if the upstream server is alive. The response begins with '2' should be an OK response.
  5. mysql connects to the mysql server, recvives the greeting response to diagnose if the upstream server is alive.
  6. pop3 recvives and parses the pop3 response to diagnose if the upstream server is alive. The response begins with '+' should be an OK response.
  7. imap connects to the imap server, recvives the greeting response to diagnose if the upstream server is alive.

check_http_send

syntax: check_http_send http_packet

default: "GET / HTTP/1.0\r\n\r\n"

context: upstream

description: If you set the check type is http, then the check function will sends this http packet to check the upstream server.

check_http_expect_alive

syntax: check_http_expect_alive [http_2xx]

default: http_2xx | http_3xx

context: upstream

description: These status codes indicate the upstream server's http response is ok, the backend is alive.

check_smtp_send

syntax: check_smtp_send smtp_packet

default: "HELO smtp.localdomain\r\n"

context: upstream

description: If you set the check type is smtp, then the check function will sends this smtp packet to check the upstream server.

check_smtp_expect_alive

syntax: check_smtp_expect_alive [smtp_2xx]

default: smtp_2xx

context: upstream

description: These status codes indicate the upstream server's smtp response is ok, the backend is alive.

check_shm_size

syntax: check_shm_size size

default: (number_of_checked_upstream_blocks + 1) * pagesize

context: tcp

description: If you store hundreds of serveres in one upstream block, the shared memory for health check may be not enough, you can enlarged it by this directive.

check_status

syntax: check_status

default: none

context: location

description: Display the health checking servers' status by HTTP. This directive is set in the http block.

ngx_tcp_upstream_busyness_module

busyness

syntax: busyness

default: none

context: upstream

description: the upstream server will be dispatched by backend servers' busyness.

ngx_tcp_upstream_ip_hash_module

ip_hash

syntax: ip_hash

default: none

context: upstream

description: the upstream server will be dispatched by ip_hash.

ngx_tcp_proxy_module

proxy_pass

syntax: proxy_pass host:port

default: none

context: server

description: proxy the request to the backend server. Default port is 80.

proxy_buffer

syntax: proxy_buffer size

default: 4k

context: tcp, server

description: set the size of proxy buffer.

proxy_connect_timeout

syntax: proxy_connect_timeout miliseconds

default: 60000

context: tcp, server

description: set the timeout value of connection to backends.

proxy_read_timeout

syntax: proxy_read_timeout miliseconds

default: 60000

context: tcp, server

description: set the timeout value of reading from backends.

proxy_send_timeout

syntax: proxy_send_timeout miliseconds

default: 60000

context: tcp, server

description: set the timeout value of sending to backends.

ngx_tcp_websocket_module

websocket_pass

syntax: websocket_pass [path] host:port

default: none

context: server

description: proxy the websocket request to the backend server. Default port is 80. You can specify several different pathes in the same server block.

websocket_buffer

syntax: websocket_buffer size

default: 4k

context: tcp, server

description: set the size of proxy buffer.

websocket_connect_timeout

syntax: websocket_connect_timeout miliseconds

default: 60000

context: tcp, server

description: set the timeout value of connection to backends.

websocket_read_timeout

syntax: websocket_read_timeout miliseconds

default: 60000

context: tcp, server

description: set the timeout value of reading from backends.

websocket_send_timeout

syntax: websocket_send_timeout miliseconds

default: 60000

context: tcp, server

description: set the timeout value of sending to backends.

ngx_tcp_ssl_module

The default config file includes this ngx_tcp_ssl_module. If you want to compile nginx without ngx_tcp_ssl_module, copy the ngx_tcp_proxy_module/config_without_ssl to ngx_tcp_proxy_module/config, reconfigrure and compile nginx.

ssl

syntax: ssl [on|off]

default: ssl off

context: tcp, server

Enables SSL for a server.

ssl_certificate

syntax: ssl_certificate file

default: ssl_certificate cert.pem

context: tcp, server

This directive specifies the file containing the certificate, in PEM format, for this virtual host. This file can contain also other certificates and the server private key. Since version 0.6.7 the file path is relative to the directory where nginx main configuration file, nginx.conf, resides.

ssl_certificate_key

syntax: ssl_certificate_key file

default: ssl_certificate_key cert.pem

context: tcp, server

This directive specifies the file containing the private key, in PEM format, for this virtual host. Since version 0.6.7 the file path is relative to the directory where nginx main configuration file, nginx.conf, resides.

ssl_client_certificate

syntax: ssl_client_certificate file

default: none

context: tcp, server

This directive specifies the file containing the CA (root) certificate, in PEM format, that is used for validating client certificates.

ssl_dhparam

syntax: ssl_dhparam file

default: none

context: tcp, server

This directive specifies a file containing Diffie-Hellman key agreement protocol cryptographic parameters, in PEM format, utilized for exchanging session keys between server and client.

ssl_ciphers

syntax: ssl_ciphers openssl_cipherlist_spec

default: ssl_ciphers ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

context: tcp, server

This directive describes the list of cipher suites the server supports for establishing a secure connection. Cipher suites are specified in the OpenSSL cipherlist format, for example:

<geshi lang="nginx"> ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; </geshi>

The complete cipherlist supported by the currently installed version of OpenSSL in your platform can be obtained by issuing the command:

openssl ciphers

ssl_crl

syntax: ssl_crl file

default: none

context: tcp, server

This directive, introduced in Nginx version 0.8.7, specifies the filename of a Certificate Revocation List, in PEM format, which is used to check the revocation status of certificates.

ssl_prefer_server_ciphers

syntax: ssl_prefer_server_ciphers [on|off]

default: ssl_prefer_server_ciphers off

context: tcp, server

The server requires that the cipher suite list for protocols SSLv3 and TLSv1 are to be preferred over the client supported cipher suite list.

ssl_protocols

syntax: ssl_protocols [SSLv2] [SSLv3] [TLSv1]

default: ssl_protocols SSLv2 SSLv3 TLSv1

context: tcp, server

This directive enables the protocol versions specified.

ssl_verify_client

syntax: ssl_verify_client on|off|optional

default: ssl_verify_client off

context: tcp, server

This directive enables the verification of the client identity. Parameter 'optional' checks the client identity using its certificate in case it was made available to the server. (Was 'ask' before 0.8.7 and 0.7.63)

ssl_verify_depth

syntax: ssl_verify_depth number

default: ssl_verify_depth 1

context: tcp, server

This directive sets how deep the server should go in the client provided certificate chain in order to verify the client identity.

ssl_session_cache

syntax: ssl_session_cache off|none|builtin:size and/or shared:name:size

default: ssl_session_cache off

context: tcp, server

The directive sets the types and sizes of caches to store the SSL sessions.

The cache types are:

  • off -- Hard off: nginx says explicitly to a client that sessions can not reused.
  • none -- Soft off: nginx says to a client that session can be resued, but nginx actually never reuses them. This is workaround for some mail clients as ssl_session_cache may be used in mail proxy as well as in HTTP server.
  • builtin -- the OpenSSL builtin cache, is used inside one worker process only. The cache size is assigned in the number of the sessions. Note: there appears to be a memory fragmentation issue using this method, please take that into consideration when using this. See "References" below.
  • shared -- the cache is shared between all worker processes. The size of the cache is assigned in bytes: 1 MB cache can contain roughly 4000 sessions. Each shared cache must be given an arbitrary name. A shared cache with a given name can be used in several virtual hosts.
It's possible to use both types of cache — builtin and shared — simultaneously, for example:

<geshi lang="nginx"> ssl_session_cache builtin:1000 shared:SSL:10m; </geshi>

Bear in mind however, that using only shared cache, i.e., without builtin, should be more effective.

For Nginx versions below 0.8.34 this directive shouldn't be set to 'none' or 'off' if ssl_verify_client is set to 'on' or 'optional'.

ssl_session_timeout

syntax: ssl_session_timeout time

default: ssl_session_timeout 5m

context: tcp, server

This directive defines the maximum time during which the client can re-use the previously negotiated cryptographic parameters of the secure session that is stored in the SSL cache.

Compatibility

  • My test bed is 0.7.65+

Notes

The http_response_parse.rl and smtp_response_parse.rl are ragel scripts , you can edit the script and compile it like this:

<geshi lang="bash"> $ ragel -G2 http_response_parse.rl $ ragel -G2 smtp_response_parse.rl </geshi>

TODO

Known Issues

  • This module can't use the same listening port with the HTTP module.

Changelogs

v0.19

  • add many check methods

v0.1

  • first release

Authors

Weibin Yao(姚伟斌) yaoweibin at gmail dot com

Copyright & License

This README template copy from agentzh.

I borrowed a lot of code from upstream and mail module from the nginx 0.7.* core. This part of code is copyrighted by Igor Sysoev. And the health check part is borrowed the design of Jack Lindamood's healthcheck module healthcheck_nginx_upstreams;

This module is licensed under the BSD license.

Copyright (C) 2011 by Weibin Yao <[email protected]></[email protected]>.

All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.