Hi Roman, Thanks for the suggestion. Let me get the debugging log up and retest again.
On Tue, Feb 20, 2024, 1:02 AM Roman Arutyunyan <a...@nginx.com> wrote:

> Hi,
>
> On Mon, Feb 19, 2024 at 04:24:04PM +0800, Kin Seng wrote:
> > My current nginx setup always kills the TCP connection after 5 minutes of
> > inactivity, i.e. no transaction.
> > [From wireshark, nginx sends RST to the upstream server and then sends FIN,ACK to
> > the downstream client]
>
> This could be the normal behavior if you had 'proxy_timeout 5m;' in your config.
> But since apparently you have 86400s as proxy timeout value, something else is
> going on.
>
> Could you provide more details like debug log for example?
>
> > I have this setup which requires a TLS1.2 connection connecting from my
> > internal network [client application] to the public network [server]. It only
> > uses TCP ports (not http/https) and establishes a connection with a server located
> > on the public network. The client application does not support TLS1.2 connections,
> > hence the introduction of the nginx proxy/reverse proxy for TLS wrapping
> > purposes. You may refer below:
> >
> > Internal Network                                    | INTERNET/Public
> > [Client Application] <-----> [NGINX Reverse Proxy] <--- | ---> [Public Server]
> >           <Non TLS TCP Traffic>                      <TLS 1.2>
> >
> > - using stream module
> > - no error shown in nginx error log
> > - access log showing TCP 200 Status but the session only lasts 300s
> >   every time. [Recorded in the access_log]
> >
> > Below is my nginx configuration
> >
> > # more nginx.conf
> >
> > user nginx;
> > worker_processes auto;
> > error_log /var/log/nginx/error.log;
> > pid /run/nginx.pid;
> >
> > # Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
> > include /usr/share/nginx/modules/*.conf;
> >
> > events {
> >     worker_connections 2048;
> > }
> >
> > stream {
> >     resolver 127.0.0.1;
> >     include /etc/nginx/conf.d/*.conf;
> >
> >     log_format basic '$remote_addr [$time_local] '
> >                      '$protocol $status $bytes_sent $bytes_received '
> >                      '$session_time $upstream_addr'
> >                      '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
> >
> >     access_log /var/log/nginx/stream.access.log basic;
> >
> >     error_log log_file;
> >     error_log /var/log/nginx/error_log;
> >
> >     server {
> >         listen 35012;
> >         proxy_pass X.X.X.X:35012;
> >         proxy_timeout 86400s;
> >         proxy_connect_timeout 1200s;
> >         proxy_socket_keepalive on;
> >         ssl_session_cache shared:SSL:5m;
> >         ssl_session_timeout 30m;
> >
> >         # For securing TCP Traffic with upstream servers.
> >         proxy_ssl on;
> >         proxy_ssl_certificate /etc/ssl/certs/backend.crt;
> >         proxy_ssl_certificate_key /etc/ssl/certs/backend.key;
> >         proxy_ssl_protocols TLSv1.2;
> >         proxy_ssl_ciphers HIGH:!aNULL:!MD5;
> >
> >         # proxy_ssl_trusted_certificate /etc/ssl/certs/trusted_ca_cert.crt;
> >         # proxy_ssl_verify on;
> >         proxy_ssl_verify_depth 2;
> >
> >         # To have NGINX proxy previously negotiated connection parameters and use a
> >         # so-called abbreviated handshake - Fast
> >         proxy_ssl_session_reuse on;
> >     }
> > }
> >
> > After capturing the tcp packets and checking via wireshark, I found out that
> > nginx is sending out the RST to the public server and then sends FIN/ACK
> > (refer attached pcap picture) to the client application.
> >
> > I have tried to enable keepalive related parameters as per the nginx config
> > above and also checked the OS's TCP tunables, and I could not find any
> > related settings which make NGINX kill the TCP connection.
> >
> > Anyone encountering the same issues?
>
> --
> Roman Arutyunyan
_______________________________________________ nginx mailing list nginx@nginx.org https://mailman.nginx.org/mailman/listinfo/nginx
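The symptom in the thread above is visible in the stream access log before any debug log is collected: every session is recorded with `$session_time` at about 300 s. The script below is an added example, not code from the thread, from nginx or from either poster. It parses lines written by the quoted `basic` log_format exactly as that format string is written (note that there is no space between `'$session_time $upstream_addr'` and `'"$upstream_bytes_sent" ...'`, so the upstream address runs straight into the first quoted byte count), then reports whether session lengths cluster tightly around a single value. A tight cluster points at a timer somewhere on the path (nginx's own `proxy_timeout`, a middlebox, or the upstream's idle timeout) rather than at random network failure; scattered values point elsewhere. The log lines embedded in it are constructed samples, and the `session_cutoff` tolerance of one second is an assumed threshold.

```python
import re
from statistics import mean

# Regex for the 'basic' stream log_format quoted in the thread. The format string
# concatenates '$upstream_addr' directly with '"$upstream_bytes_sent"' (no space),
# so upstream_addr is matched up to the first double quote.
LINE_RE = re.compile(
    r'^(?P<remote_addr>\S+) \[(?P<time_local>[^\]]+)\] '
    r'(?P<protocol>\S+) (?P<status>\d{3}) (?P<bytes_sent>\d+) (?P<bytes_received>\d+) '
    r'(?P<session_time>[\d.]+) (?P<upstream_addr>[^"]*)'
    r'"(?P<upstream_bytes_sent>[^"]*)" "(?P<upstream_bytes_received>[^"]*)" '
    r'"(?P<upstream_connect_time>[^"]*)"$'
)

# Constructed sample lines (not taken from the thread). Values are chosen to mimic
# the reported symptom: each session ends right around 300 s.
SAMPLE_LOG = """\
10.0.0.5 [19/Feb/2024:16:24:04 +0800] TCP 200 1532 2048 300.002 203.0.113.10:35012"1532" "2048" "0.041"
10.0.0.5 [19/Feb/2024:16:30:11 +0800] TCP 200 980 1400 300.004 203.0.113.10:35012"980" "1400" "0.039"
10.0.0.7 [19/Feb/2024:16:41:50 +0800] TCP 200 4410 5120 299.998 203.0.113.10:35012"4410" "5120" "0.044"
10.0.0.5 [19/Feb/2024:16:55:03 +0800] TCP 200 210 300 300.001 203.0.113.10:35012"210" "300" "0.040"
"""


def parse_stream_log(text):
    """Parse lines in the quoted 'basic' format; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["session_time"] = float(rec["session_time"])
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def session_cutoff(records, tolerance=1.0):
    """Return the rounded common session length when every session ends within
    `tolerance` seconds of the mean, otherwise None.

    A tight cluster is the signature of a timer; widely spread values are not.
    """
    times = [r["session_time"] for r in records]
    if len(times) < 2:
        return None
    centre = mean(times)
    if all(abs(t - centre) <= tolerance for t in times):
        return round(centre)
    return None


def summarize(records):
    """Per-upstream (session count, mean session time, max-min spread) in seconds."""
    by_upstream = {}
    for r in records:
        by_upstream.setdefault(r["upstream_addr"], []).append(r["session_time"])
    return {
        up: (len(ts), round(mean(ts), 3), round(max(ts) - min(ts), 3))
        for up, ts in by_upstream.items()
    }


if __name__ == "__main__":
    recs = parse_stream_log(SAMPLE_LOG)
    print(f"{len(recs)} sessions parsed")
    for up, (n, avg, spread) in summarize(recs).items():
        print(f"upstream {up}: {n} sessions, mean {avg}s, spread {spread}s")
    cutoff = session_cutoff(recs)
    print("consistent cutoff:", f"{cutoff}s" if cutoff else "none")
```

To run it against a real file, call `parse_stream_log(open("/var/log/nginx/stream.access.log").read())` in place of `SAMPLE_LOG`; a cutoff that sits exactly where no nginx directive puts it, as in the thread (300 s against `proxy_timeout 86400s`), narrows the search to the upstream or to devices between nginx and it, and comparing `$upstream_connect_time` across sessions helps tell a dropped upstream from a local timer. Separately from the timeout question, the quoted server block leaves `proxy_ssl_verify` commented out, so the TLS wrap encrypts the hop to the public server without authenticating it; enabling it together with `proxy_ssl_trusted_certificate` is the usual hardening for this pattern.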