Hello!

On Wed, Jan 10, 2018 at 07:18:36PM +0100, Adam Cecile wrote:

[...]

> > Ok, so you use multiple proxy layers to be able to combine
> > backends which support/need PROXY protocol and ones which do not,
> > right? This looks like a valid reason, as "proxy_protocol" is
> > either on or off in a particular server.
> Yes exactly !
>
> Aim of this setup is to do SNI routing to TCP endpoints (with failover)
> or HTTPS virtual hosts.
> >
> > If you want nginx to switch to a different backend while
> > maintaining two proxy layers, consider moving balancing to the
> > second layer instead. This way balancing will happen where
> > connection errors can be seen, and so nginx will be able to switch
> > to a different server on errors.
>
> Could you be more specific and show me how to do this with my current
> configuration ? I'm a bit lost...

At the first level, differentiate between hosts based on
$ssl_preread_server_name. Proxy to either "local_https" or to a
second-level server, say 8080. On the second level server, proxy
to an upstream group with servers you want to balance. Example
configuration (completely untested):

map $ssl_preread_server_name $name {
default local_https;
"" second;
pub.domain.com second;
}

upstream local_https {
server 127.0.0.1:8443;
}

upstream second {
server 127.0.0.1:8080;
}

upstream u {
server 10.0.0.1:443;
server 10.0.0.2:443;
}

server {
listen 443;
ssl_preread on;
proxy_pass $name;
proxy_protocol on;
}

server {
listen 127.0.0.1:8080 proxy_protocol;
proxy_pass u;
}

Logging and timeouts omitted for clarity.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx