Re: pls. help for adding another parameter to ngx_upstream_server

Maxim Dounin
November 18, 2013 09:10AM
Hello!

On Sat, Nov 16, 2013 at 06:31:42PM +0900, moto kawasaki wrote:

[...]

> mdounin> > Now, I am struggling to add "setfib=N" parameter to "server" token in
> mdounin> > "upstream" clause, and so far failed.
> mdounin>
> mdounin> Could you please point out use cases for such a parameter?
> mdounin> Shouldn't it be something like proxy_bind instead?
>
> Yes, suppose you are hosting web servers for multiple clients, and
> those clients require to be root on their web servers.
> My nginx server is located between their (hosted) web servers and the
> Internet as http proxy server.
>
> My current architecture is one nginx node for each client node, which
> is something like this.
>
> Internet ---+--- nginx_A ------ web_server_A (for client A)
>             |
>             +--- nginx_B ------ web_server_B
>             |
>             +--- nginx_C ------ web_server_C
>
> The reason why I use three nginx nodes is to forbid layer2 attack
> among clients' nodes, e.g. ARP spoofing attack from web_server_A to B.
>
> Then, as number of clients grows, I have to operate/administer that
> number of nginx nodes. This is O(N), and now it is reaching the upper
> limit (of my time mainly).
>
> So I would like to use one nginx node for several clients' nodes, like
> this:
>
> Internet ------ nginx_X ---+--- web_server_A
>                            |
>                            +--- web_server_B
>                            |
>                            +--- web_server_C
>
> Now, in order to avoid ARP spoofing, web_server_[ABC] are located in
> different tagged VLANs, and nginx_X understands such VLANs as different
> interfaces (ex. igb0.100, igb0.101,...)
>
> But nginx_X node also does ipfw NAPT (for SSH, SMTP, etc.), and thus
> it does routing (sysctl -w net.inet.ip.forwarding=1).
>
> So, I want to separate those VLANs using setfib in upstream/server.
> I am sure that this can be achieved by using ipfw ACLs too, but in
> that case I have to take care of ACLs for all existing clients' nodes
> when adding a new client node.

Well, as far as I can tell there are no reasons to do per-server
setfib in this use case, and

proxy_setfib N;

should be enough. It should be much easier to implement than what
you are trying to do in your patch.

--
Maxim Dounin
http://nginx.org/en/donation.html
