My current nginx setup always kill the TCP connection after 5 minutes of
inactivity, i.e no transaction.
[From wireshark, nginx send RST to upstream server and then send FIN,ACK to
downstream client]
I have this setup which requires TLS1.2 connection connecting from my
internal network [client application] to public network [server]. It only
use TCP ports (not http/https) and establish with a server located at
public network. The client application does not support TLS1.2 connection
hence the introduction of nginx proxy/reverse proxy for TLS wrapping
purpose. You may refer below :
Internal Network
| INTERNET/Public
[Client Application] <-----> [NGINX Reverse Proxy] <--- | ---> [Public
Server]
<Non TLS TCP Traffic> <TLS 1.2>
- using stream module
- no error shown in nginx error log
- access log showing TCP 200 Status but the session only last 300s
everytime. [Recorded in the access_log]
Below is my nginx configuration
# more nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 2048;
}
stream {
resolver 127.0.0.1;
include /etc/nginx/conf.d/*.conf;
log_format basic '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
'$session_time $upstream_addr'
'"$upstream_bytes_sent" "$upstream_bytes_received"
"$upstream_connect_time"';
access_log /var/log/nginx/stream.access.log basic;
error_log log_file;
error_log /var/log/nginx/error_log;
server {
listen 35012;
proxy_pass X.X.X.X:35012;
proxy_timeout 86400s;
proxy_connect_timeout 1200s;
proxy_socket_keepalive on;
ssl_session_cache shared:SSL:5m;
ssl_session_timeout 30m;
# For securing TCP Traffic with upstream servers.
proxy_ssl on;
proxy_ssl_certificate /etc/ssl/certs/backend.crt;
proxy_ssl_certificate_key /etc/ssl/certs/backend.key;
proxy_ssl_protocols TLSv1.2;
proxy_ssl_ciphers HIGH:!aNULL:!MD5;
# proxy_ssl_trusted_certificate /etc/ssl/certs/trusted_ca_cert.crt;
# proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
#To have NGINX proxy previously negotiated connection parameters and use a
so-called abbreviated handshake - Fast
proxy_ssl_session_reuse on;
}
}
After capturing the tcp packet and check via wireshark, I found out that
the nginx is sending out the RST to the public server and then send FIN/ACK
(refer attached pcap picture) to client application.
I have tried to enable keepalive related parameters as per the nginx config
above and also check on the OS's TCP tunable and i could not find any
related settings which make NGINX to kill the TCP connection.
Anyone encountering the same issues?
_______________________________________________
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx
