Thursday, March 10, 2011

Using nginx as ssl terminator in front of load balancer

Hi all,
We have an existing load balancer with haproxy, and we'd like to use
Nginx to act as our SSL decryption service. We chose haproxy over
nginx for load balancing because we need more TCP load balancing than
http balancing for our application. I'm attempting to set up the
following request path through our systems.


HTTP --> haproxy --> jetty

HTTPS --> NGINX --> haproxy --> jetty.


Our application requires sticky sessions, and I'm using cookie entries in
the haproxy layer to "stick" the client to a back end system. This is
working well with HTTP. However, when using HTTPS, I find that we seem
to be getting randomly redirected to a new server. I'm unsure if this
is due to nginx passing something incorrectly to haproxy due to my
configuration, or if haproxy is missing the cookie. Here is my nginx
configuration file for ssl.

server {
    listen 443;

    ssl on;
    ssl_certificate /etc/ssl/nginx.crt;
    ssl_certificate_key /etc/ssl/nginx.key;

    server_name <%= node[:hostname] %>;

    access_log <%= node[:nginx][:log_dir] %>/ssl.access.log;

    location / {
        proxy_pass http://127.0.0.1:8080/;
        proxy_redirect off;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

I'm using version nginx/0.7.67 on Ubuntu 10.10 server and configuring it
with chef. Obviously the ruby variables are replaced with real paths.


Whenever a client connects to nginx it correctly connects to haproxy and
my request is forwarded to a Jetty node. My cookie is returned with
both my JSESSIONID and the node I'm attached to. However, we use AJAX
validation. As soon as a user exits a field, it's validated. This
sends an AJAX http post to the server.

Instead of getting a response from the post, I seem to be constantly
getting a redirect with a new JSESSIONID. I'm by no means a guru with
nginx or haproxy, so I may have missed something obvious. For clarity
I've also included my haproxy config. Any ideas what could be
causing this? Firefox seems to work fine, however Chrome is always
redirecting the user.

haproxy config

listen logbookapp 0.0.0.0:80
    balance leastconn
    #Make sure the aviator app has been loaded
    option httpchk /aviator/home
    option httplog
    option forwardfor
    log global
    cookie SERVERID insert nocache indirect
    server ip-10-160-90-137 10.160.90.137:8080 cookie ip-10-160-90-137 weight 1 maxconn 300 check
    server ip-10-168-126-182 10.168.126.182:8080 cookie ip-10-168-126-182 weight 1 maxconn 300 check
    server ip-10-167-9-170 10.167.9.170:8080 cookie ip-10-167-9-170 weight 1 maxconn 300 check
    server deadbug 10.160.90.137:81 backup

Thanks,
Todd

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,182181,182181#msg-182181
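
An offline check for the symptom described in the post, run over a browser-side capture of Cookie and Set-Cookie headers. This is an added example, not part of the original post: the cookie names SERVERID and JSESSIONID come from the post, while the header values and the function names are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed capture, one tuple per exchange as seen in the browser:
# (request Cookie header, list of response Set-Cookie headers).
# Cookie names are from the post; all values are made up.
EXCHANGES = [
    ("", ["JSESSIONID=aaa111; Path=/aviator",
          "SERVERID=ip-10-160-90-137; path=/"]),
    ("JSESSIONID=aaa111; SERVERID=ip-10-160-90-137", []),
    # AJAX POST where the client leaves out the stickiness cookie
    ("JSESSIONID=aaa111", ["JSESSIONID=bbb222; Path=/aviator",
                           "SERVERID=ip-10-168-126-182; path=/"]),
    ("JSESSIONID=bbb222; SERVERID=ip-10-168-126-182", []),
]

def parse_cookies(header):
    """Return {name: value} from a Cookie or Set-Cookie header string."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}

def find_stickiness_breaks(exchanges, tracked=("SERVERID", "JSESSIONID")):
    """Flag exchanges where a tracked cookie was not sent back or was reissued."""
    findings, held = [], {}
    for index, (cookie_header, set_cookie_headers) in enumerate(exchanges):
        sent = parse_cookies(cookie_header)
        for name in tracked:
            if name in held and name not in sent:
                findings.append((index, f"client did not send {name}"))
        for header in set_cookie_headers:
            for name, value in parse_cookies(header).items():
                if name in tracked and held.get(name, value) != value:
                    findings.append((index, f"{name} reissued: {held[name]} -> {value}"))
                held[name] = value
    return findings

if __name__ == "__main__":
    for index, message in find_stickiness_breaks(EXCHANGES):
        print(f"exchange {index}: {message}")
```

If "client did not send SERVERID" appears before a reissue, the browser is dropping the cookie; if SERVERID was sent and JSESSIONID is still reissued, the proxy chain or backend is the place to look.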

