KeepAlive Not Working as expected for a Reverse Proxy Scenario

Hi,

The KeepAlive Timeout is set to 2 hours, but we can see that the
connections start terminating after a few minutes.
The KeepAlive module does not seem to be behaving as expected.
The connections are created on port :343.
The configuration file nginx.conf is :-

user nginx;
worker_processes 16;
error_log /var/log/nginx/error.log info;
pid /var/run/nginx.pid;
events {
#worker_connections 16192;
#worker_connections 161920;
worker_connections 40960;
use epoll;
multi_accept on;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 7200 7200;
tcp_keepalive on;
tcp_keepcnt 10;
tcp_keepidle 3600;
tcp_keepintvl 1m;
#gzip on;

#
# The default server
#
server {
listen 4443;
server_name _;
location /nginx_status {
# copied from http://blog.kovyrin.net/2006/04/29/monitoring-nginx-with-rrdtool/
stub_status on;
access_log off;
}
}
server {
listen 80;
server_name _;
# keepalive_timeout 7200 7200;
#charset koi8-r;
access_log logs/host.access.log main;
location / {
proxy_pass http://172.31.253.50:180/;
include /etc/nginx/proxy.conf;
}
}
server {
listen 443 ssl;
ssl on;
ssl_verify_client on;
server_name _;
ssl_certificate /home/rsiwal/cps.chargepoint.net.crt;
#ssl_client_certificate /etc/httpd/certs/chargepoint.net/server/certs/cps.chargepoint.net.crt;
ssl_client_certificate /home/rsiwal/chargepoint.net.crt;
ssl_certificate_key /home/rsiwal/cps.chargepoint.net.pem;
location / {
proxy_pass http://172.31.253.50:1443/;
include /etc/nginx/proxy.conf;
}
}
server {
listen 343 ssl;
ssl on;
ssl_verify_client on;
server_name _;
#ssl_session_cache shared:SSL:40m; # Works fine upto 15K
ssl_session_cache shared:SSL:70m;
#######ssl_session_timeout 5m; #
ssl_session_timeout 120m; #
tcp_keepalive on;
tcp_keepcnt 10;
tcp_keepidle 7200;
tcp_keepintvl 1m;
access_log logs/ssl-access.log main;
error_log logs/ssl-error.log debug;
keepalive_requests 10000;
#keepalive_disable none
sendfile on;
tcp_nopush on;
tcp_nodelay on;
client_header_timeout 300;
client_body_timeout 300;
ssl_certificate /home/rsiwal/cps.chargepoint.net.crt;
ssl_certificate_key /home/rsiwal/cps.chargepoint.net.pem;
ssl_client_certificate /home/rsiwal/chargepoint.net.crt;
location / {
proxy_pass http://172.31.253.50:1343/;
include /etc/nginx/proxy.conf;
}
}
include /etc/nginx/conf.d/*.conf;
}

Hello!

On Tue, Apr 10, 2012 at 04:23:14PM +0530, Rajnesh Kumar Siwal wrote:

The KeepAlive Timeout is set to 2 hours, but we can see that the
connections start terminating after a few minutes.
The KeepAlive module does not seem to be behaving as expected.
The connections are created on port :343.
The configuration file nginx.conf is :-

[…]

keepalive_timeout  7200 7200;

How do you test?

Note: many (most?) browsers won’t keep connections open for such a
long time and will close them after a minute or so. E.g. Chrome
unconditionally closes connections after 5 minutes.

Note well: nginx itself might close keepalive connections before
timeout passes if it’s short on worker_connections. Though I
suppose you are hitting browsers’ behaviour instead.

Maxim D.

On Tuesday 10 April 2012 14:53:14 Rajnesh Kumar Siwal wrote:

Hi,

The KeepAlive Timeout is set to 2 hours, but we can see that the
connections start terminating after a few minutes.
The KeepAlive module does not seem to be behaving as expected.

So, what’s in the error log? Are you sure that the client doesn’t close the
connection? Some browsers actually do after a minute or few.

[…]

tcp_keepalive on;
tcp_keepcnt 10;
tcp_keepidle 7200;
tcp_keepintvl 1m;

There are no such directives in the official nginx distribution. But you can set
SO_KEEPALIVE by parameter of the listen directive:

listen 443 ssl so_keepalive=2h:1m:10;

Please, take a look at the docs: Module ngx_http_core_module

wbr, Valentin V. Bartenev
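
Added example, not part of the thread and not nginx's own code: a simplified parser for the `idle:intvl:cnt` value of `so_keepalive=2h:1m:10`, applied to a socket through the Linux options SO_KEEPALIVE, TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT. These control TCP-level probes on an idle connection and are separate from the HTTP idle timeout set by keepalive_timeout; the struct and function names are hypothetical, and Linux is assumed.

```c
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>

/* One value per field; 0 means the field was empty (keep the kernel default). */
struct keepalive { int idle, intvl, cnt; };

/* Read a number with an optional s/m/h/d unit and advance *p past it. */
static int parse_field(const char **p) {
    char *end;
    long v = strtol(*p, &end, 10);
    if (*end == 'd') v *= 86400;
    else if (*end == 'h') v *= 3600;
    else if (*end == 'm') v *= 60;
    if (*end == 'd' || *end == 'h' || *end == 'm' || *end == 's') end++;
    *p = end;
    return (v < 0 || v > 32767) ? -1 : (int)v; /* Linux caps the timers at 32767 s */
}

/* Parse "idle:intvl:cnt" as in so_keepalive=2h:1m:10; 0 on success, -1 if malformed. */
int parse_so_keepalive(const char *s, struct keepalive *k) {
    k->idle = parse_field(&s);
    if (*s++ != ':') return -1;
    k->intvl = parse_field(&s);
    if (*s++ != ':') return -1;
    k->cnt = parse_field(&s);
    if (*s != '\0' || k->idle < 0 || k->intvl < 0 || k->cnt < 0) return -1;
    return 0;
}

/* Turn on TCP keepalive probes for fd and override only the fields that were given. */
int apply_keepalive(int fd, const struct keepalive *k) {
    int on = 1;
    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof on) < 0) return -1;
    if (k->idle && setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &k->idle, sizeof k->idle) < 0) return -1;
    if (k->intvl && setsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &k->intvl, sizeof k->intvl) < 0) return -1;
    if (k->cnt && setsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &k->cnt, sizeof k->cnt) < 0) return -1;
    return 0;
}

int main(void) {
    struct keepalive k;
    int fd = socket(AF_INET, SOCK_STREAM, 0), idle = 0;
    socklen_t len = sizeof idle;
    if (fd < 0 || parse_so_keepalive("2h:1m:10", &k) < 0 || apply_keepalive(fd, &k) < 0) return 1;
    getsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &idle, &len);
    printf("first probe after %d s idle, then every %d s, drop after %d misses\n", idle, k.intvl, k.cnt);
    close(fd);
    return 0;
}
```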

Thanks Valentin, but it still is not accepting the parameters:-

[[email protected] conf]# /etc/init.d/nginxfromsrc start
Starting nginx: nginx: [emerg] invalid parameter "so_keepalive=2h:1m:10" in /usr/local/nginx-1.0.14/conf/nginx.conf:96

Secondly, I don’t see the message that the client is terminating the
connections.
In case I use elinks to open the URL and close it, it displays me that the
KeepAlive connection is terminated by the client.
So, I am pretty sure that the connections are not terminated by the client.

Additionally, we are using CURL library to check it.
We have a simulator that creates the connections and sends data using CURL
library.
The same scenario is working fine with Apache and the connections are
persistent.

On Wednesday 11 April 2012 09:40:18 Rajnesh Kumar Siwal wrote:

Thanks Valentin, but it still is not accepting the parameters:-

[[email protected] conf]# /etc/init.d/nginxfromsrc start
Starting nginx: nginx: [emerg] invalid parameter "so_keepalive=2h:1m:10" in /usr/local/nginx-1.0.14/conf/nginx.conf:96

It’s no coincidence I asked to take a look at the documentation, you also
need nginx 1.1.11 or above.

Secondly, I don’t see the message that the client is terminating the
connections.

What’s in the error logs?

In case I use elinks to open the URL and close it, it displays me that the
KeepAlive connection is terminated by the client.
So, I am pretty sure that the connections are not terminated by the client.

Additionally, we are using CURL library to check it.
We have a simulator that creates the connections and sends data using CURL
library.
The same scenario is working fine with Apache and the connections are
persistent.

Could you provide debug log?
http://nginx.org/en/docs/debugging_log.html

wbr, Valentin V. Bartenev

Thanks Valentin, I have compiled 1.1.18.
Can we consider the development release 1.1.18 to be stable ?
Will it be safe to use it in production environment ?

On Thursday 12 April 2012 23:00:09 Rajnesh Kumar Siwal wrote:

Thanks Valentin, I have compiled 1.1.18.
Can we consider the development release 1.1.18 to be stable ?
Will it be safe to use it in production environment ?

Nginx “stable” branch provides API and behavior stability. Both branches are
reliable to use in production, but when you use “devel” you should read change
logs slightly more carefully before updating to the new version.

You may consider updating to the 1.1.19 which was released today, especially if
you use mp4 module, because of security issue:

[nginx-announce] security advisory

Also note, that the 1.1 “devel” branch will become 1.2, the new “stable” in a
few weeks:

Roadmap – nginx

wbr, Valentin V. Bartenev