http_upstream module#
The module is used to define groups of servers that can be referenced by the proxy_pass, fastcgi_pass, uwsgi_pass, scgi_pass, memcached_pass and grpc_pass directives.
Example Configuration#
upstream backend {
    zone backend 1m;
    server backend1.example.com weight=5;
    server backend2.example.com:8080;
    server backend3.example.com service=_example._tcp resolve;
    server unix:/tmp/backend3;
    server backup1.example.com:8080 backup;
    server backup2.example.com:8080 backup;
}
resolver 127.0.0.53 status_zone=resolver;
server {
    location / {
        proxy_pass http://backend;
    }
}
Directives#
upstream#
- Syntax: upstream name { … }
- Default: —
- Context: http
Defines a group of servers. Servers can listen on different ports. In addition, servers listening on TCP and UNIX-domain sockets can be mixed.
Example:
upstream backend {
    server backend1.example.com weight=5;
    server 127.0.0.1:8080 max_fails=3 fail_timeout=30s;
    server unix:/tmp/backend3;
    server backup1.example.com backup;
}
By default, requests are distributed between the servers using a weighted round-robin balancing method. In the above example, every 7 requests will be distributed as follows: 5 requests go to backend1.example.com and one request to each of the second and third servers.
If an error occurs during communication with a server, the request will be passed to the next server, and so on until all of the functioning servers have been tried. If a successful response could not be obtained from any of the servers, the client will receive the result of the communication with the last server.
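The distribution described above, worked through as an added example (not code from Angie or its documentation): a smooth weighted round-robin selector run over the servers of the upstream example, with backups used only when no primary is available. That Angie interleaves peers in exactly this order is an assumption; the Peer class, its available flag and the helper names are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Peer:
    name: str
    weight: int = 1
    backup: bool = False
    available: bool = True   # False models a server that is down or failed
    current: int = 0         # running score used by the selection step

def _pick_from(peers):
    """One smooth weighted round-robin step over the available peers."""
    total = 0
    best = None
    for p in peers:
        if not p.available:
            continue
        p.current += p.weight
        total += p.weight
        # Strict comparison: on a tie the peer listed first wins.
        if best is None or p.current > best.current:
            best = p
    if best is not None:
        best.current -= total
    return best

def pick(group):
    """Primary servers first; backups only when no primary is available."""
    primary = [p for p in group if not p.backup]
    backups = [p for p in group if p.backup]
    chosen = _pick_from(primary) or _pick_from(backups)
    return chosen.name if chosen else None

def schedule(group, n):
    """Names of the peers chosen for n consecutive requests."""
    return [pick(group) for _ in range(n)]

def example_group():
    # The servers of the upstream example above.
    return [Peer("backend1.example.com", weight=5),
            Peer("127.0.0.1:8080"),
            Peer("unix:/tmp/backend3"),
            Peer("backup1.example.com", backup=True)]

if __name__ == "__main__":
    for name in schedule(example_group(), 7):
        print(name)
```

The heavier server is spread through the cycle rather than served five times in a row, and the backup never appears while any primary is available.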
upstream_probe#
Important
The directive is PRO-only.
- Syntax: upstream_probe name [uri=address] [port=number] [interval=time] [test=condition] [essential] [fails=number] [passes=number] [max_body=number] [mode=always|idle|onfail];
- Default: —
- Context: location
Defines an active health probe for peers within the upstream groups that are specified for proxy_pass, uwsgi_pass, and so on in the same location context with the upstream_probe directive. Subsequently, Angie regularly probes each peer of the upstream group according to the parameters configured here.
A peer’s probe is passed if the request to the peer succeeds, considering all parameter settings of the upstream_probe directive and the settings that control how upstreams are used by the directive’s location context. This includes the proxy_next_upstream and uwsgi_next_upstream directives, etc.; also, proxy_set_header and so on.
To make use of the probes, the upstream must have a shared memory zone (zone). One upstream may be configured with several probes.
The following parameters are accepted:
| name | Mandatory name of the probe. |
| uri | Request URI to be added to the argument for proxy_pass, uwsgi_pass, etc. |
| port | Alternative port number for the probe request. |
| interval | Interval between probes. |
| method | HTTP method of the probe. |
| test | The condition for the probe, defined as a string of variables. If the variables’ substitution yields |
| essential | If set, the initial state of the peer is checked, so the peer doesn’t receive client requests until the probe is passed. |
| fails | Number of consecutive failed probes that renders the peer unhealthy. |
| passes | Number of consecutive passed probes that renders the peer healthy. |
| max_body | Maximum amount of memory for the response body. |
| mode | Probe mode, depending on the peers’ health: By default — |
Example:
upstream backend {
    zone backend 1m;
    server backend1.example.com;
    server backend2.example.com;
}
map $upstream_status $good {
    200 "1";
}
server {
    listen ...;
    location @probes {
        ...
        proxy_pass http://backend;
        upstream_probe backend_probe
            uri=/probe
            port=10004
            interval=5s
            test=$good
            essential
            fails=3
            passes=3
            max_body=10m
            mode=idle;
    }
}
Details of probe operation:
- Initially, the peer won’t receive client requests until it passes all essential probes configured for it. If there are no such probes, the peer is considered healthy.
- The peer is considered unhealthy and won’t receive client requests if any of the probes configured for it hits fails or the peer reaches max_fails.
- For an unhealthy peer to be considered healthy again, all probes configured for it must reach their respective passes.
server#
- Syntax: server address [parameters];
- Default: —
- Context: upstream
Defines the address and other parameters of a server. The address can be specified as a domain name or IP address, with an optional port, or as a UNIX-domain socket path specified after the “unix:” prefix. If a port is not specified, port 80 is used. A domain name that resolves to several IP addresses defines multiple servers at once.
The following parameters can be defined:
| weight=number | sets the weight of the server |
| max_conns=number | limits the maximum number of simultaneous active connections to the proxied server. |
Note
If idle keepalive connections, multiple workers, and the shared memory are enabled, the total number of active and idle connections to the proxied server may exceed the max_conns value.
max_fails=number — sets the number of unsuccessful attempts to communicate with the server that should happen in the duration set by the fail_timeout parameter to consider the server unavailable for a duration also set by the fail_timeout parameter. What is considered an unsuccessful attempt is defined by the proxy_next_upstream, fastcgi_next_upstream, uwsgi_next_upstream, scgi_next_upstream, memcached_next_upstream, and grpc_next_upstream directives.
When max_fails is reached, the peer is also considered unhealthy by the upstream_probe probes; it won’t receive client requests until the probes consider it healthy again.
|
the default number of unsuccessful attempts |
|
disables the accounting of attempts |
fail_timeout=time — sets:
- the time during which the specified number of unsuccessful attempts to communicate with the server should happen to consider the server unavailable;
- and the period of time the server will be considered unavailable.
By default, the parameter is set to 10 seconds.
| backup | marks the server as a backup server. It will be passed requests when the primary servers are unavailable. |
| down | marks the server as permanently unavailable. |
Caution
The parameter backup cannot be used along with the hash, ip_hash, and random load balancing methods.
New in version 1.1.0.
| resolve | enables monitoring changes to the list of IP addresses that corresponds to a domain name, updating it without a configuration reload. For this parameter to work, the resolver and resolver_timeout directives should be specified in the upstream block or inherited from the http block. |
| service=name | enables resolving DNS SRV records and sets the service name. For this parameter to work, specify the resolve server parameter, providing a hostname without a port number. |
New in version 1.2.0.
| sid=id | sets the server ID within the group. |
zone#
- Syntax: zone name [size];
- Default: —
- Context: upstream
Defines the name and size of the shared memory zone that keeps the group’s configuration and run-time state that are shared between worker processes. Several groups may share the same zone. In this case, it is enough to specify the size only once.
hash#
- Syntax: hash key [consistent];
- Default: —
- Context: upstream
Specifies a load balancing method for a server group where the client-server mapping is based on the hashed key value. The key can contain text, variables, and their combinations. Note that adding or removing a server from the group may result in remapping most of the keys to different servers. The method is compatible with the Cache::Memcached Perl library.
If the consistent parameter is specified, the ketama consistent hashing method will be used instead. The method ensures that only a few keys will be remapped to different servers when a server is added to or removed from the group. This helps to achieve a higher cache hit ratio for caching servers. The method is compatible with the Cache::Memcached::Fast Perl library with the ketama_points parameter set to 160.
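An added illustration, not Angie's implementation, of the difference the consistent parameter makes: it measures how many keys change server when one server leaves a group, first with plain modulo hashing and then with a hash ring of 160 points per server. The SHA-256 based h32 helper, the Ring class, the server names and the keys are assumptions made for the demo; Angie's own hash function and point layout are not reproduced here.

```python
import bisect
import hashlib

def h32(data: str) -> int:
    """Stable 32-bit hash for the demo (SHA-256 prefix, an assumption)."""
    return int.from_bytes(hashlib.sha256(data.encode()).digest()[:4], "big")

def modulo_pick(key: str, servers: list) -> str:
    """Plain hashing: the chosen index depends on the size of the group."""
    return servers[h32(key) % len(servers)]

class Ring:
    """Hash ring with `points` virtual nodes per server."""

    def __init__(self, servers, points=160):
        self.ring = sorted((h32(f"{s}#{i}"), s)
                           for s in servers for i in range(points))
        self.hashes = [h for h, _ in self.ring]

    def pick(self, key: str) -> str:
        # First point at or after the key's hash, wrapping past the end.
        i = bisect.bisect_left(self.hashes, h32(key)) % len(self.ring)
        return self.ring[i][1]

def remap_report(keys, before, after):
    """Return (fraction moved with modulo hashing, fraction moved with the
    ring, whether every key the ring moved had sat on a removed server)."""
    removed = set(before) - set(after)
    old, new = Ring(before), Ring(after)
    mod_moved = sum(modulo_pick(k, before) != modulo_pick(k, after)
                    for k in keys)
    ring_moved = [k for k in keys if old.pick(k) != new.pick(k)]
    only_orphans = all(old.pick(k) in removed for k in ring_moved)
    return mod_moved / len(keys), len(ring_moved) / len(keys), only_orphans

# Constructed sample: four servers, one of which is then removed.
SERVERS = [f"backend{i}.example.com" for i in range(1, 5)]
KEYS = [f"/item/{n}" for n in range(10000)]

if __name__ == "__main__":
    mod, ring, ok = remap_report(KEYS, SERVERS, SERVERS[:3])
    print(f"modulo: {mod:.0%} of keys moved; ring: {ring:.0%} moved")
```

With the ring, the only keys that move are those that had been served by the removed server, which is why caches behind the remaining servers stay warm.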
ip_hash#
- Syntax: ip_hash;
- Default: —
- Context: upstream
Specifies that a group should use a load balancing method where requests are distributed between servers based on client IP addresses. The first three octets of the client IPv4 address, or the entire IPv6 address, are used as a hashing key. The method ensures that requests from the same client will always be passed to the same server except when this server is unavailable. In the latter case client requests will be passed to another server. Most probably, it will always be the same server as well.
If one of the servers needs to be temporarily removed, it should be marked with the down parameter in order to preserve the current hashing of client IP addresses.
upstream backend {
    ip_hash;
    server backend1.example.com;
    server backend2.example.com;
    server backend3.example.com down;
    server backend4.example.com;
}
keepalive#
- Syntax: keepalive connections;
- Default: —
- Context: upstream
Activates the cache for connections to upstream servers.
The connections parameter sets the maximum number of idle keepalive connections to upstream servers that are preserved in the cache of each worker process. When this number is exceeded, the least recently used connections are closed.
Note
It should be particularly noted that the keepalive directive does not limit the total number of connections to upstream servers that an Angie worker process can open. The connections parameter should be set to a number small enough to let upstream servers process new incoming connections as well.
Attention
When using load balancing methods other than the default round-robin method, it is necessary to activate them before the keepalive directive.
Example configuration of memcached upstream with keepalive connections:
upstream memcached_backend {
    server 127.0.0.1:11211;
    server 10.0.0.2:11211;
    keepalive 32;
}
server {
    #...
    location /memcached/ {
        set $memcached_key $uri;
        memcached_pass memcached_backend;
    }
}
For HTTP, the proxy_http_version directive should be set to “1.1” and the “Connection” header field should be cleared:
upstream http_backend {
    server 127.0.0.1:8080;
    keepalive 16;
}
server {
    #...
    location /http/ {
        proxy_pass http://http_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        # ...
    }
}
Note
Alternatively, HTTP/1.0 persistent connections can be used by passing the “Connection: Keep-Alive” header field to an upstream server, though this method is not recommended.
For FastCGI servers, it is required to set fastcgi_keep_conn for keepalive connections to work:
upstream fastcgi_backend {
    server 127.0.0.1:9000;
    keepalive 8;
}
server {
    #...
    location /fastcgi/ {
        fastcgi_pass fastcgi_backend;
        fastcgi_keep_conn on;
        # ...
    }
}
Note
SCGI and uwsgi protocols do not have a notion of keepalive connections.
keepalive_requests#
- Syntax: keepalive_requests number;
- Default: keepalive_requests 1000;
- Context: upstream
Sets the maximum number of requests that can be served through one keepalive connection. After the maximum number of requests is made, the connection is closed.
Closing connections periodically is necessary to free per-connection memory allocations. Therefore, setting the maximum number of requests too high could result in excessive memory usage and is not recommended.
keepalive_time#
- Syntax: keepalive_time time;
- Default: keepalive_time 1h;
- Context: upstream
Limits the maximum time during which requests can be processed through one keepalive connection. After this time is reached, the connection is closed following the subsequent request processing.
keepalive_timeout#
- Syntax: keepalive_timeout time;
- Default: keepalive_timeout 60s;
- Context: upstream
Sets a timeout during which an idle keepalive connection to an upstream server will stay open.
least_conn#
- Syntax: least_conn;
- Default: —
- Context: upstream
Specifies that a group should use a load balancing method where a request is passed to the server with the least number of active connections, taking into account weights of servers. If there are several such servers, they are tried in turn using a weighted round-robin balancing method.
random#
- Syntax: random [two];
- Default: —
- Context: upstream
Specifies that a group should use a load balancing method where a request is passed to a randomly selected server, taking into account weights of servers.
The optional two parameter instructs Angie to randomly select two servers and then choose a server using the specified method. The default method is least_conn which passes a request to a server with the least number of active connections.
sticky#
New in version 1.2.0.
- Syntax: sticky cookie name [attr1=value] [attr2=value] [attr3] …;
  sticky route $variable [$variable2] [$variable3] …;
- Default: —
- Context: upstream
Session persistence can be configured using either the cookie or the route method, specified as the first argument.
cookie: information about the designated server is passed in an HTTP cookie generated by Angie.
A request that comes from a client not yet bound to a particular server is passed to the server selected by the configured balancing method. Further requests with this cookie will be passed to the designated server. If the designated server cannot process a request, a new server is selected as if the client has not been bound yet.
Arbitrary attributes can be set for the cookie; the only one set by default is path=/. Attributes can be set using text, variables and their combinations. It is also possible to reset any cookie attribute by configuring it empty: attr=. For instance, with sticky cookie path= Angie will set the cookie with no path attribute.
upstream backend {
    server backend1.example.com:8080;
    server backend2.example.com:8080;
    sticky cookie example domain=$my_domain max-age=3600;
}
The cookie value comes from the sid parameter; if sticky_secret is set, this value is also hashed.
route: the proxied server assigns the client a route when a session starts.
When the route method is used, the proxied server assigns the client a route on receipt of the first request. All subsequent requests from this client will carry routing information in a cookie or URI. This information is compared with the sid parameter of the server directive to identify the server to which the request should be proxied. If the designated server cannot process a request, a new server is selected by the configured balancing method as if there is no routing information in the request.
upstream backend {
    server backend1.example.com:8080 sid="server1";
    server backend2.example.com:8080 sid="server2";
    sticky route $cookie_route $arg_route;
}
Configured as above, Angie searches for sid in cookie 'route' first, then in request argument (URI) 'route'.
sticky_strict#
New in version 1.2.0.
- Syntax: sticky_strict on | off;
- Default: sticky_strict off;
- Context: upstream
When enabled, Angie returns an HTTP 502 error to the client if the desired server is not available, as it does when no server in the upstream is available, instead of using any other available server.
sticky_secret#
New in version 1.2.0.
- Syntax: sticky_secret $complex_value;
- Default: —
- Context: upstream
Makes Angie protect the cookie value by hashing it with a salt. The salt may contain variables, for example, the client address:
upstream backend {
    server backend1.example.com:8080;
    server backend2.example.com:8080;
    sticky cookie cookie_name;
    sticky_secret my_secret.$remote_addr;
}
resolver#
New in version 1.1.0.
- Syntax: resolver address … [valid=time] [ipv4=on|off] [ipv6=on|off] [status_zone=zone];
- Default: —
- Context: upstream
Configures name servers used to resolve names of upstream servers into addresses, for example:
resolver 127.0.0.53 [::1]:5353;
The address can be specified as a domain name or IP address, with an optional port. If a port is not specified, port 53 is used. Name servers are queried in a round-robin fashion.
By default, Angie caches answers using the TTL value of a response.
| valid=time | optional parameter allows overriding cached entry validity |
resolver 127.0.0.53 [::1]:5353 valid=30s;
By default, Angie will look up both IPv4 and IPv6 addresses while resolving.
| ipv4=off | disables looking up of IPv4 addresses |
| ipv6=off | disables looking up of IPv6 addresses |
| status_zone | optional parameter, enables statistics collection for specified zone |
Tip
To prevent DNS spoofing, it is recommended to configure DNS servers in a properly secured trusted local network.
resolver_timeout#
New in version 1.1.0.
- Syntax: resolver_timeout time;
- Default: resolver_timeout 30s;
- Context: upstream
Sets a timeout for name resolution, for example:
resolver_timeout 5s;
Embedded Variables#
The http_upstream module supports the following embedded variables:
$upstream_addr#
keeps the IP address and port, or the path to the UNIX-domain socket of the upstream server. If several servers were contacted during request processing, their addresses are separated by commas, e.g.:
192.168.1.1:80, 192.168.1.2:80, unix:/tmp/sock
If an internal redirect from one server group to another happens, initiated by “X-Accel-Redirect” or error_page, then the server addresses from different groups are separated by colons, e.g.:
192.168.1.1:80, 192.168.1.2:80, unix:/tmp/sock : 192.168.10.1:80, 192.168.10.2:80
If a server cannot be selected, the variable keeps the name of the server group.
$upstream_bytes_received#
number of bytes received from an upstream server. Values from several connections are separated by commas and colons like addresses in the $upstream_addr variable.
$upstream_bytes_sent#
number of bytes sent to an upstream server. Values from several connections are separated by commas and colons like addresses in the $upstream_addr variable.
$upstream_cache_status#
keeps the status of accessing a response cache. The status can be either “MISS”, “BYPASS”, “EXPIRED”, “STALE”, “UPDATING”, “REVALIDATED” or “HIT”.
$upstream_connect_time#
keeps time spent on establishing a connection with the upstream server; the time is kept in seconds with millisecond resolution. In case of SSL, includes time spent on handshake. Times of several connections are separated by commas and colons like addresses in the $upstream_addr variable.
$upstream_header_time#
keeps time spent on receiving the response header from the upstream server; the time is kept in seconds with millisecond resolution. Times of several responses are separated by commas and colons like addresses in the $upstream_addr variable.
$upstream_http_name#
keep server response header fields. For example, the “Server” response header field is available through the $upstream_http_server variable. The rules of converting header field names to variable names are the same as for the variables that start with the “$http_” prefix. Only the header fields from the response of the last server are saved.
$upstream_probe_body#
keeps the peer response body, received during an upstream_probe; its size is limited by max_body.
$upstream_response_length#
keeps the length of the response obtained from the upstream server; the length is kept in bytes. Lengths of several responses are separated by commas and colons like addresses in the $upstream_addr variable.
$upstream_response_time#
keeps time spent on receiving the response from the upstream server; the time is kept in seconds with millisecond resolution. Times of several responses are separated by commas and colons like addresses in the $upstream_addr variable.
$upstream_status#
keeps status code of the response obtained from the upstream server. Status codes of several responses are separated by commas and colons like addresses in the $upstream_addr variable. If a server cannot be selected, the variable keeps the 502 (Bad Gateway) status code.
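An added example (not part of the Angie documentation) for log analysis: it splits the multi-valued $upstream_addr, $upstream_status and $upstream_response_time fields into per-attempt records and flags requests that failed over between peers or crossed into another server group. The address string is the one shown above; the status and time strings are constructed sample values, and treating "-" as a missing value is an assumption about how the fields were logged.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Server groups are separated by " : " and attempts within a group by ", ".
# Addresses contain colons themselves (host:port, unix:/path, [::1]:80),
# so a bare ":" must never be used as the separator.
_GROUP_SEP = re.compile(r"\s+:\s+")
_ATTEMPT_SEP = re.compile(r"\s*,\s*")

@dataclass
class Attempt:
    group: int                # 0 = first server group, 1 = after a redirect
    addr: str
    status: Optional[int]     # None when the field holds "-"
    seconds: Optional[float]

def split_multi(value: str) -> List[List[str]]:
    """Split one multi-valued $upstream_* field into groups of attempts."""
    return [_ATTEMPT_SEP.split(g) for g in _GROUP_SEP.split(value.strip())]

def parse_attempts(addr: str, status: str, resp_time: str) -> List[Attempt]:
    """Pair up the three fields; they must describe the same attempts."""
    a, s, t = split_multi(addr), split_multi(status), split_multi(resp_time)
    shape = [len(g) for g in a]
    if shape != [len(g) for g in s] or shape != [len(g) for g in t]:
        raise ValueError("fields disagree on the number of upstream attempts")
    attempts = []
    for gi, (ga, gs, gt) in enumerate(zip(a, s, t)):
        for peer, st, tm in zip(ga, gs, gt):
            attempts.append(Attempt(gi, peer,
                                    int(st) if st.isdigit() else None,
                                    float(tm) if tm != "-" else None))
    return attempts

def findings(attempts: List[Attempt]) -> List[str]:
    """Flag failover between peers and redirects to another group."""
    notes = []
    # Only attempts before the last one count: those were retried elsewhere.
    failed = [x.addr for x in attempts[:-1]
              if x.status is None or x.status >= 500]
    if failed:
        notes.append("failover after: " + ", ".join(failed))
    if attempts[-1].group > 0:
        notes.append("internal redirect to another server group")
    return notes

# Address string taken from the page; status and time values are constructed.
SAMPLE_ADDR = ("192.168.1.1:80, 192.168.1.2:80, unix:/tmp/sock : "
               "192.168.10.1:80, 192.168.10.2:80")
SAMPLE_STATUS = "502, 504, 200 : -, 200"
SAMPLE_TIME = "0.002, 5.001, 0.040 : -, 0.012"

if __name__ == "__main__":
    for note in findings(parse_attempts(SAMPLE_ADDR, SAMPLE_STATUS, SAMPLE_TIME)):
        print(note)
```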
$upstream_sticky_status#
Status of sticky request.
|
the request to the upstream with no sticky enabled |
|
request without sticky information |
|
request with sticky information was routed to desired backend |
|
request with sticky information was routed to backend selected by balancing algorithm |
Values from several connections are separated by commas and colons like addresses in the $upstream_addr variable.
$upstream_trailer_name#
keeps fields from the end of the response obtained from the upstream server.