Nginx as reverse proxy - proxy_ssl_x questions

2023-11-18 Thread Mark 
Hello there.

Having a proxy directive like;

location / {
proxy_pass http://10.10.10.4:4020;
...

I wonder when using proxy_pass http://... (not httpS),
are these directives effective, under the proxy_pass?

proxy_ssl_name $host;
proxy_ssl_server_name on;
proxy_ssl_session_reuse off;

Or they would work ONLY if proxy_pass is pointed to an "https://";?

Best wishes,
Regards.
Mark.
___
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx

Re: Nginx as reverse proxy - proxy_ssl_x questions

2023-11-18 Thread Maxim Dounin 
Hello!

On Sat, Nov 18, 2023 at 01:54:21PM +0300, Mark wrote:

> Hello there.
> 
> Having a proxy directive like;
> 
> location / {
> proxy_pass http://10.10.10.4:4020;
> ...
> 
> I wonder when using proxy_pass http://... (not httpS),
> are these directives effective, under the proxy_pass?
> 
> proxy_ssl_name $host;
> proxy_ssl_server_name on;
> proxy_ssl_session_reuse off;
> 
> Or they would work ONLY if proxy_pass is pointed to an "https://";?

The "proxy_ssl_*" directives define configuration for SSL 
proxying.  That is, corresponding values are only used when 
proxy_pass is used with the "https" scheme.

-- 
Maxim Dounin
http://mdounin.ru/
___
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx

Re: Limiting number of client TLS connections

2023-11-18 Thread Maxim Dounin 
Hello!

On Sat, Nov 18, 2023 at 02:44:20PM +0800, Zero King wrote:

> I want Nginx to limit the rate of new TLS connections and the total (or 
> per-worker) number of all client-facing connections, so that under a 
> sudden surge of requests, existing connections can get enough share of 
> CPU to be served properly, while excessive connections are rejected and 
> retried against other servers in the cluster.
> 
> I am running Nginx on a managed Kubernetes cluster, so tuning kernel 
> parameters or configuring layer 4 firewall is not an option.
> 
> To serve existing connections well, worker_connections can not be used, 
> because it also affects connections with proxied servers.
> 
> Is there a way to implement these measures in Nginx configuration?

No, nginx does not provide a way to limit rate of new connections 
and/or total number of established connections.  Instead, firewall is 
expected to be used for such tasks.

-- 
Maxim Dounin
http://mdounin.ru/
___
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx