Module ngx_stream_upstream_module

Example Configuration
Directives
     upstream
     server
     zone
     state
     hash
     least_conn
     least_time
     health_check
     health_check_timeout
     match
Embedded Variables

The ngx_stream_upstream_module module (1.9.0) is used to define groups of servers that can be referenced by the proxy_pass directive.

Example Configuration

upstream backend {
    hash $remote_addr consistent;

    server backend1.example.com:12345  weight=5;
    server backend2.example.com:12345;
    server unix:/tmp/backend3;

    server backup1.example.com:12345   backup;
    server backup2.example.com:12345   backup;
}

server {
    listen 12346;
    proxy_pass backend;
}

Dynamically configurable group, available as part of our commercial subscription:

resolver 10.0.0.1;

upstream dynamic {
    zone upstream_dynamic 64k;

    server backend1.example.com:12345 weight=5;
    server backend2.example.com:12345 fail_timeout=5s slow_start=30s;
    server 192.0.2.1:12345            max_fails=3;
    server backend3.example.com:12345 resolve;
    server backend4.example.com       service=http resolve;

    server backup1.example.com:12345  backup;
    server backup2.example.com:12345  backup;
}

server {
    listen 12346;
    proxy_pass dynamic;
    health_check;
}

Directives

Syntax: upstream name { ... }
Default:
Context: stream

Defines a group of servers. Servers can listen on different ports. In addition, servers listening on TCP and UNIX-domain sockets can be mixed.

Example:

upstream backend {
    server backend1.example.com:12345 weight=5;
    server 127.0.0.1:12345            max_fails=3 fail_timeout=30s;
    server unix:/tmp/backend2;
    server backend3.example.com:12345 resolve;

    server backup1.example.com:12345  backup;
}

By default, connections are distributed between the servers using a weighted round-robin balancing method. In the above example, each 7 connections will be distributed as follows: 5 connections go to backend1.example.com:12345 and one connection to each of the second and third servers. If an error occurs during communication with a server, the connection will be passed to the next server, and so on until all of the functioning servers will be tried. If communication with all servers fails, the connection will be closed.

Syntax: server address [parameters];
Default:
Context: upstream

Defines the address and other parameters of a server. The address can be specified as a domain name or IP address with an obligatory port, or as a UNIX-domain socket path specified after the “unix:” prefix. A domain name that resolves to several IP addresses defines multiple servers at once.

The following parameters can be defined:

weight=number
sets the weight of the server, by default, 1.
max_conns=number
limits the maximum number of simultaneous connections to the proxied server (1.11.5). Default value is zero, meaning there is no limit. If the server group does not reside in the shared memory, the limitation works per each worker process.
Prior to version 1.11.5, this parameter was available as part of our commercial subscription.
max_fails=number
sets the number of unsuccessful attempts to communicate with the server that should happen in the duration set by the fail_timeout parameter to consider the server unavailable for a duration also set by the fail_timeout parameter. By default, the number of unsuccessful attempts is set to 1. The zero value disables the accounting of attempts. Here, an unsuccessful attempt is an error or timeout while establishing a connection with the server.
fail_timeout=time
sets
  • the time during which the specified number of unsuccessful attempts to communicate with the server should happen to consider the server unavailable;
  • and the period of time the server will be considered unavailable.
By default, the parameter is set to 10 seconds.
backup
marks the server as a backup server. Connections to the backup server will be passed when the primary servers are unavailable.
down
marks the server as permanently unavailable.

Additionally, the following parameters are available as part of our commercial subscription:

resolve
monitors changes of the IP addresses that correspond to a domain name of the server, and automatically modifies the upstream configuration without the need of restarting nginx. The server group must reside in the shared memory.

In order for this parameter to work, the resolver directive must be specified in the stream block. Example:

stream {
    resolver 10.0.0.1;

    upstream u {
        zone ...;
        ...
        server example.com:12345 resolve;
    }
}

service=name
enables resolving of DNS SRV records and sets the service name (1.9.13). In order for this parameter to work, it is necessary to specify the resolve parameter for the server and specify a hostname without a port number.

If the service name does not contain a dot (“.”), then the RFC-compliant name is constructed and the TCP protocol is added to the service prefix. For example, to look up the _http._tcp.backend.example.com SRV record, it is necessary to specify the directive:

server backend.example.com service=http resolve;

If the service name contains one or more dots, then the name is constructed by joining the service prefix and the server name. For example, to look up the _http._tcp.backend.example.com and server1.backend.example.com SRV records, it is necessary to specify the directives:

server backend.example.com service=_http._tcp resolve;
server example.com service=server1.backend resolve;

Highest-priority SRV records (records with the same lowest-number priority value) are resolved as primary servers, the rest of SRV records are resolved as backup servers. If the backup parameter is specified for the server, high-priority SRV records are resolved as backup servers, the rest of SRV records are ignored.

slow_start=time
sets the time during which the server will recover its weight from zero to a nominal value, when unhealthy server becomes healthy, or when the server becomes available after a period of time it was considered unavailable. Default value is zero, i.e. slow start is disabled.
The parameter cannot be used along with the hash load balancing method.

If there is only a single server in a group, max_fails, fail_timeout and slow_start parameters are ignored, and such a server will never be considered unavailable.

Syntax: zone name [size];
Default:
Context: upstream

Defines the name and size of the shared memory zone that keeps the group’s configuration and run-time state that are shared between worker processes. Several groups may share the same zone. In this case, it is enough to specify the zone size only once.

Additionally, as part of our commercial subscription, such groups allow changing the group membership or modifying the settings of a particular server without the need of restarting nginx. The configuration is accessible via a special location handled by upstream_conf.

Syntax: state file;
Default:
Context: upstream

This directive appeared in version 1.9.7.

Specifies a file that keeps the state of the dynamically configurable group.

Examples:

state /var/lib/nginx/state/servers.conf; # path for Linux
state /var/db/nginx/state/servers.conf;  # path for FreeBSD

The state is currently limited to the list of servers with their parameters. The file is read when parsing the configuration and is updated each time the upstream configuration is changed. Changing the file content directly should be avoided. The directive cannot be used along with the server directive.

Changes made during configuration reload or binary upgrade can be lost.

This directive is available as part of our commercial subscription.

Syntax: hash key [consistent];
Default:
Context: upstream

Specifies a load balancing method for a server group where client-server mapping is based on the hashed key value. The key can contain text, variables, and their combinations (1.11.2). Usage example:

hash $remote_addr;

Note that adding or removing a server from the group may result in remapping most of the keys to different servers. The method is compatible with the Cache::Memcached Perl library.

If the consistent parameter is specified, the ketama consistent hashing method will be used instead. The method ensures that only a few keys will be remapped to different servers when a server is added to or removed from the group. This helps to achieve a higher cache hit ratio for caching servers. The method is compatible with the Cache::Memcached::Fast Perl library with the ketama_points parameter set to 160.

Syntax: least_conn;
Default:
Context: upstream

Specifies that a server group should use a load balancing method where a connection is passed to the server with the least number of active connections, taking into account weights of servers. If there are several such servers, they are tried in turn using a weighted round-robin balancing method.

Syntax: least_time connect | first_byte | last_byte;
Default:
Context: upstream

Specifies that a group should use a load balancing method where a connection is passed to the server with the least average time and least number of active connections, taking into account weights of servers. If there are several such servers, they are tried in turn using a weighted round-robin balancing method.

If the connect parameter is specified, time to connect to the upstream server is used. If the first_byte parameter is specified, time to receive the first byte of data is used. If the last_byte is specified, time to receive the last byte of data is used.

This directive is available as part of our commercial subscription.

Syntax: health_check [parameters];
Default:
Context: server

Enables periodic health checks of the servers in a group.

The following optional parameters are supported:

interval=time
sets the interval between two consecutive health checks, by default, 5 seconds;
jitter=time
sets the time within which each health check will be randomly delayed, by default, there is no delay;
fails=number
sets the number of consecutive failed health checks of a particular server after which this server will be considered unhealthy, by default, 1;
passes=number
sets the number of consecutive passed health checks of a particular server after which the server will be considered healthy, by default, 1;
match=name
specifies the match block configuring the tests that a successful connection should pass in order for a health check to pass. By default, only the ability to establish a TCP connection with the server is checked;
port=number
defines the port used when connecting to a server to perform a health check (1.9.7); by default, equals the server port;
udp
specifies that the UDP protocol should be used for health checks instead of the default TCP protocol (1.9.13); requires a match block with the send and expect parameters.

For example,

server {
    proxy_pass backend;
    health_check;
}

will check the ability to establish a TCP connection to each server in the backend group every five seconds. When a connection to the server cannot be established, the health check will fail, and the server will be considered unhealthy. Client connections are not passed to unhealthy servers.

Health checks can also be configured to test data obtained from the server. Tests are configured separately using the match directive and referenced in the match parameter.

The server group must reside in the shared memory.

If several health checks are defined for the same group of servers, a single failure of any check will make the corresponding server be considered unhealthy.

This directive is available as part of our commercial subscription.

Syntax: health_check_timeout timeout;
Default:
health_check_timeout 5s;
Context: stream, server

Overrides the proxy_timeout value for health checks.

This directive is available as part of our commercial subscription.

Syntax: match name { ... }
Default:
Context: stream

Defines the named test set used to verify server responses to health checks.

The following parameters can be configured:

send string;
sends a string to the server;
expect string | ~ regex;
a literal string (1.9.12) or a regular expression that the data obtained from the server should match. The regular expression is specified with the preceding “~*” modifier (for case-insensitive matching), or the “~” modifier (for case-sensitive matching).

Both send and expect parameters can contain hexadecimal literals with the prefix “\x” followed by two hex digits, for example, “\x80” (1.9.12).

Health check is passed if:

Example:

upstream backend {
    zone     upstream_backend 10m;
    server   127.0.0.1:12345;
}

match http {
    send     "GET / HTTP/1.0\r\nHost: localhost\r\n\r\n";
    expect ~ "200 OK";
}

server {
    listen       12346;
    proxy_pass   backend;
    health_check match=http;
}

Only the first proxy_buffer_size bytes of data obtained from the server are examined.

This directive is available as part of our commercial subscription.

Embedded Variables

The ngx_stream_upstream_module module supports the following embedded variables:

$upstream_addr
keeps the IP address and port, or the path to the UNIX-domain socket of the upstream server (1.11.4). If several servers were contacted during proxying, their addresses are separated by commas, e.g. “192.168.1.1:12345, 192.168.1.2:12345, unix:/tmp/sock”.
$upstream_bytes_sent
number of bytes sent to an upstream server (1.11.4). Values from several connections are separated by commas like addresses in the $upstream_addr variable.
$upstream_bytes_received
number of bytes received from an upstream server (1.11.4). Values from several connections are separated by commas like addresses in the $upstream_addr variable.
$upstream_connect_time
time to connect to the upstream server (1.11.4); the time is kept in seconds with millisecond resolution. Times of several connections are separated by commas like addresses in the $upstream_addr variable.
$upstream_first_byte_time
time to receive the first byte of data (1.11.4); the time is kept in seconds with millisecond resolution. Times of several connections are separated by commas like addresses in the $upstream_addr variable.
$upstream_session_time
session duration in seconds with millisecond resolution (1.11.4). Times of several connections are separated by commas like addresses in the $upstream_addr variable.