nginx grpc double proxy failover
I have a gRPC service that is bound to localhost, and an nginx proxy as SSL terminator on the same host (let's name it localhost-proxy).
Also, at the edge I have another nginx gRPC proxy which I want to use as a balancer + failover; this proxy redirects to localhost-proxy.
The problem is in the edge-proxy failover configuration: it doesn't work when the service is switched off but localhost-proxy is working. When the service is switched off, localhost-proxy returns HTTP status 204 with a grpc-status=14 header.
At first my configuration was:
```
# localhost-proxy
upstream direct {
    server localhost:50032;
    keepalive 10;
    keepalive_timeout 60s;
}
server {
    listen 50042 ssl http2;
    ssl_certificate /etc/service/certs/internal_api_server/server.crt;
    ssl_certificate_key /etc/service/certs/internal_api_server/server.key;
    ssl_client_certificate /etc/service/certs/internal_api_server/clientCA.crt;
    ssl_verify_client on;
    access_log /var/log/nginx/direct.json grpc_json;
    location / {
        grpc_set_header X-Real-IP $client_ip;
        grpc_pass grpc://direct;
    }
    include /etc/nginx/errors.grpc.conf;
    default_type application/grpc;
}
```
edge-proxy:
```
upstream edge {
    server localhost-proxy1:50042;
    server localhost-proxy2:50042 backup;
    keepalive_timeout 60s;
}
server {
    listen 50052 ssl http2;
    ssl_certificate /etc/service/certs/internal_api_server/server.crt;
    ssl_certificate_key /etc/service/certs/internal_api_server/server.key;
    ssl_client_certificate /etc/service/certs/internal_api_server/clientCA.crt;
    ssl_verify_client on;
    access_log /var/log/nginx/edge.json grpc_json;
    grpc_ssl_certificate /etc/service/certs/internal_api_client/client.crt;
    grpc_ssl_certificate_key /etc/service/certs/internal_api_client/client.key;
    grpc_ssl_trusted_certificate /etc/service/certs/internal_api_client/serverCA.crt;
    grpc_ssl_verify on;
    grpc_ssl_name api.server;
    grpc_set_header X-Real-IP $client_ip;
    grpc_connect_timeout 5s;
    location / {
        grpc_connect_timeout 5s;
        grpc_pass grpcs://edge;
    }
}
```
But with this configuration failover works only if localhost-proxy is switched off. When it is up, the edge proxy just returns the response from localhost-proxy. This is not what I want.
After that I added this to the localhost-proxy config:
```
...
        grpc_pass grpc://direct;
    }
    # from here
    error_page 502 = /error502grpc;
    location = /error502grpc {
        internal;
        default_type application/grpc;
        add_header grpc-status 14;
        add_header grpc-message "unavailable";
        return 502;
    }
```
It starts returning 502 to edge-proxy when the service is unavailable.
After this I tried the following on edge-proxy:

1. Add
```
grpc_next_upstream error timeout http_502 non_idempotent invalid_header;
```
No effect.

2. Add
```
...
        grpc_intercept_errors on;
        error_page 502 = @failover;
    }
    location @failover {
        grpc_pass grpcs://edge_failover;
    }

upstream edge_failover {
    server localhost-proxy2:50052;
    keepalive 10;
    keepalive_timeout 60s;
}
```
Still no effect: it returns the same 502 response.
I want failover on edge-proxy, and it should change upstream when the service is down (regardless of localhost-proxy). But I don't know how to do this.

UPDATE

After some investigation in the failover logs I've found that with the latest variant (2) the request actually goes to the failover backend, but nginx resends only the gRPC headers; no request body (gRPC DATA packet) is sent. So the failover backend waits for the full request and then edge-proxy resets the connection by timeout.
nginx grpc failover
asked Mar 22 at 23:37 by ice, edited Mar 23 at 8:55