Hi,

On Tue, Mar 26, 2019 at 09:13:44AM +0000, R, Rajkumar (Raj) wrote:
> Hi,
>
> Using nginx in TCP/Stream mode and would like to limit the number of active connection to my backend server whereas the backend is resolved dynamically based on the SNI header ($ssl_preread_server_name). But this does not allow any connections to the backend with below config. I see examples of limiting backend connections if the backend server block is pre configured.
>
> Could you please confirm if this achievable or supported currently with Stream mode?
>
> Below is the related config part.
>
> map $ssl_preread_server_name $backend_svr {
> ~^(\w+).test.com $1-tcp.default.svc.cluster.local;
> }
>
> limit_conn_zone $ssl_preread_server_name zone=perserver:10m;
>
> server {
> listen 443 reuseport so_keepalive=30s:30s:3 backlog=64999;
> proxy_pass $backend_svr:443;
> limit_conn perserver 255;
> ssl_preread on;
> }

The problem is limit_conn is executed at an earlier phase than ssl_preread.
The $ssl_preread_server_name variable is just empty at that moment.
You basically limit client connections by an empty variable.

--
Roman Arutyunyan
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx