Welcome! Log In Create A New Profile

Advanced

NGINX Reverse Proxy Server sending RST and FIN every 5 Minutes of inactivity

Posted by rebornks 
Forum List Message List New Topic
rebornks
NGINX Reverse Proxy Server sending RST and FIN every 5 Minutes of inactivity
February 14, 2024 10:01PM
My current nginx setup always kill the TCP connection after 5 minutes of inactivity, i.e no transaction.

I have this setup which requires TLS1.2 connection connecting from my internal network [client application] to public network [server]. It only use TCP ports (not http/https) and establish with a server located at public network. The client application does not support TLS1.2 connection hence the introduction of nginx proxy/reverse proxy for TLS wrapping purpose. You may refer below :

[Client Application] <-----> [NGINX Reverse Proxy] <--- | ---> [Public Server]
Internal Network | INTERNET/Public
<Non TLS TCP Traffic> <TLS 1.2>


- using stream module
- no error shown in nginx error log
- access log showing TCP 200 Status but the session only last 300s everytime. [Recorded in the access_log]

Below is my nginx configuration

# more nginx.conf

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
worker_connections 2048;
}

stream {
resolver 127.0.0.1;
include /etc/nginx/conf.d/*.conf;

log_format basic '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
'$session_time $upstream_addr'
'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

access_log /var/log/nginx/stream.access.log basic;

error_log log_file;
error_log /var/log/nginx/error_log;

server {
listen 35012;
proxy_pass X.X.X.X:35012;
proxy_timeout 86400s;
proxy_connect_timeout 1200s;
proxy_socket_keepalive on;
ssl_session_cache shared:SSL:5m;
ssl_session_timeout 30m;

# For securing TCP Traffic with upstream servers.
proxy_ssl on;
proxy_ssl_certificate /etc/ssl/certs/backend.crt;
proxy_ssl_certificate_key /etc/ssl/certs/backend.key;
proxy_ssl_protocols TLSv1.2;
proxy_ssl_ciphers HIGH:!aNULL:!MD5;

# proxy_ssl_trusted_certificate /etc/ssl/certs/trusted_ca_cert.crt;
# proxy_ssl_verify on;
proxy_ssl_verify_depth 2;

#To have NGINX proxy previously negotiated connection parameters and use a so-called abbreviated handshake - Fast
proxy_ssl_session_reuse on;

}
}


After capturing the tcp packet and check via wireshark, I found out that the nginx is sending out the RST to the public server and then send FIN/ACK (refer attached pcap picture)

I have tried to enable keepalive related parameters as per the nginx config above and also check on the OS's TCP tunable and i could not find any related settings which make NGINX to kill the TCP connection.

Anyone encountering the same issues?
Reply Quote
Attachments:
open | download - accesslog1.jpg (30.1 KB)
open | download - wiresharkpcap1.png (39.5 KB)
Newer Topic Older Topic
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 189
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready