Nginx: upstream server temporarily disabled while proxying connection

Posted on 2025-01-10 16:07:57

I am running Nginx on ECS Fargate with the below config to implement a passthrough TLS proxy. I am getting intermittent errors - upstream server temporarily disabled while proxying connection - in some of the AWS regions. The backend domain is an API Gateway domain.

stream {
    map_hash_max_size 256;
    map_hash_bucket_size 256;

    map $ssl_preread_protocol $tlsmap {
        "TLSv1.2"    $upstream;
        "TLSv1.3"    $upstream;
        default      blackhole;
    }

    map $ssl_preread_server_name $upstream {
        <api_domain> api_domain;
        default blackhole;
    }

    upstream api_domain {
        server api_domain:443;
    }

    upstream blackhole {
        server 127.0.0.1:123;
    }

    server {
        listen 443;
        proxy_pass $tlsmap;
        ssl_preread on;
    }
}

Below is the nginx log for the request:

{
    "time_local": "<removed>",
    "remote_addr": "<removed>",
    "remote_port": "24907",
    "ssl_preread_server_name": "<removed>",
    "ssl_preread_protocol": "TLSv1.2",
    "status": "200",
    "bytes_sent": "0",
    "bytes_received": "0",
    "session_time": "60.012",
    "upstream_addr": "<removed>",
    "upstream_bytes_sent": "0, 517",
    "upstream_bytes_received": "0, 0",
    "upstream_connect_time": "-, 0.000",
    "connection": "85860",
    "ssl_protocol": "",
    "ssl_cipher": ""
}

Any pointers on what configuration can be fine-tuned to fix this?
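
The log entry above carries two upstream attempts in its comma-separated `upstream_*` fields. As an added example that is not part of the original post, this Python code splits those fields per attempt and flags peers that never connected or that were sent data but returned none; the sample records and their 192.0.2.x addresses are constructed.

```python
import json

# Constructed sample records shaped like the log entry in the post; the
# 192.0.2.x addresses are placeholders, not values from the original.
SAMPLE_LOG = """\
{"connection": "85860", "status": "200", "bytes_sent": "0", "bytes_received": "0", "session_time": "60.012", "upstream_addr": "192.0.2.10:443, 192.0.2.11:443", "upstream_bytes_sent": "0, 517", "upstream_bytes_received": "0, 0", "upstream_connect_time": "-, 0.000"}
{"connection": "85861", "status": "200", "bytes_sent": "4210", "bytes_received": "517", "session_time": "0.214", "upstream_addr": "192.0.2.11:443", "upstream_bytes_sent": "517", "upstream_bytes_received": "4210", "upstream_connect_time": "0.004"}
"""

PER_ATTEMPT = ("upstream_addr", "upstream_bytes_sent",
               "upstream_bytes_received", "upstream_connect_time")

def to_int(value):
    """Byte counters are digit strings; treat '-' or empty as 0."""
    return int(value) if value.isdigit() else 0

def split_attempts(record):
    """Turn the comma-separated upstream fields into one dict per attempt."""
    columns = [[v.strip() for v in record.get(name, "").split(",")]
               for name in PER_ATTEMPT]
    return [{"addr": addr, "sent": to_int(sent), "received": to_int(received),
             "connected": connect not in ("-", "")}
            for addr, sent, received, connect in zip(*columns)]

def classify(record):
    """Summarise one session: which peers failed to connect or stayed silent."""
    attempts = split_attempts(record)
    return {
        "connection": record["connection"],
        "attempts": len(attempts),
        "connect_failed": [a["addr"] for a in attempts if not a["connected"]],
        "no_reply": [a["addr"] for a in attempts
                     if a["connected"] and a["sent"] > 0 and a["received"] == 0],
        # $bytes_sent in the stream log is what nginx sent to the client
        "client_got_nothing": to_int(record.get("bytes_sent", "0")) == 0,
    }

def analyze(log_text):
    """Classify every non-empty JSON line of a stream access log."""
    return [classify(json.loads(line))
            for line in log_text.splitlines() if line.strip()]

if __name__ == "__main__":
    for summary in analyze(SAMPLE_LOG):
        print(summary)
```

Grouping the `connect_failed` and `no_reply` addresses by region or task shows whether the intermittent sessions concentrate on particular upstream peers.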
