Nginx four-layer agent function main part of the document

In Nginx, the four-tier data is called the stream, and the modules related to the four-tier agent are mainly:

Ngx_stream_core_module: The basic function module of four layer agent
Ngx_stream_upstream_module: Four-tier agent forwarding to upstream module
Ngx_stream_proxy_module: Four-tier agent-related configuration
Other stream-related modules are used for such purposes as SSL support, GEOIP support, simple access control support, etc., and this test is not used.

Considerations for use

The four-layer Nginx function is simpler, and its access control module is not suitable for the protection of UDP Flood because the source station IP can be forged.

The premise of using health detection is that they are in a shared memory zone, pay attention to the hierarchical relationship of each block, zone is the function of configuring the upstream server group shared memory, so zone to put in upstream block. The status command, the monitoring dashboard, is the content of the Ngx_http_status_module, which is strictly not part of the four-tier agent.

I am using the UDP back-generation configuration:

Stream {

Upstream Dns_server {
Zone Stream_dns 10m;
Server 127.0.0.1:53;
}

Match DNS {
Send \x00\x2a\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x06\x73\x65\x72\x76\x65\x72\x0a\x73\x74\x61\x72\x64\x75\ x73\x74\x65\x72\x02\x6d\x65\x00\x00\x01\x00\x01;
Expect ~* \x6a;
}


server {
Listen 10086 UDP;
Proxy_pass Dns_server;
Error_log/home/nginx/dns-error.log Debug;
Health_check UDP Match=dns interval=1s;
Status_zone Stream_dns;
}
}

Health Inspection page configuration:

server {
Listen 8080;

root/usr/share/nginx/html;

Location/status {
Status
}
Location =/status.html {
}
}
Ngx_stream_core_module

The Ngx_stream_core_module module is available from version 1.9.0, and the default compilation does not include this module, which requires adding--with-stream to the compilation parameters.

Syntax: Listen address:port [SSL] [UDP] [backlog=number] [bind] [Ipv6only=on|off] [reuseport] [so_keepalive=on|off|[ KEEPIDLE]:[KEEPINTVL]:[KEEPCNT]];
Environment: Server

Set the port and address that accepts the connection, either with a port number or an IP or host name.

Listen 127.0.0.1:12345;
Listen *:12345;
Listen 12345; # Same as *:12345
Listen localhost:12345;
The IPV6 address needs to be labeled with brackets:

Shell

Listen [:: 1]:12345;
Listen [::]:12345;
1
2
Listen [:: 1]:12345;
Listen [::]:12345;
UNIX sockets need to use the prefix "UNIX:"

Listen Unix:/var/run/nginx.sock;

SSL parameter All connections need to use SSL encryption;

The UDP parameter specifies to listen on the UDP port (supported from version 1.9.13);

Other related parameters:

The Backlog=number parameter sets the maximum number of pending connection queues for the Listen () call, by default, backlog is set to 1 on BSD, and the other platform is set to 511;

The bind parameter uses the given address:port to produce a separate bind () call to use multiple listen commands to listen for the same port number on different addresses;

Ipv6only=on|off parameter, configure [::] The listener address accepts IPV4 requests, and this option defaults to on;

The Reuseport parameter (supported from 1.9.1) creates a listening socket (using So_reuseport) independently for each worker process, allowing the kernel to distribute inbound connections to different worker processes, supporting only linux3.9+ and Dragonfly BSD;

So_keepalive=on|off| The [keepidle]:[keepintvl]:[keepcnt] parameter configures the TCP keepalive feature;

Different Server blocks must listen different address + port combinations.

Syntax: Resolver address ... [Valid=time] [Ipv6=on|off];
Environment: Server

To configure the DNS server used to resolve the upstream domain name:

Resolver 127.0.0.1 [:: 1]:5353;

The address can be given in the form of an IP or domain name, or it can be accompanied by a port number. By default, nginx resolves V4 and V6 addresses and caches resolution results in TTL time.

Syntax: Resolver_timeout time;
Default: 30 seconds
Environment: Stream,server
(Available starting from 1.11.3 version)

Sets the DNS resolution timeout time.

Syntax: server {...}
Environment: Stream

Set up a standalone Server.

Syntax: Stream {...}
Environment: Main

The configuration environment for Server that provides four-tier proxies is similar to HTTP {...}.

Syntax: Tcp_nodelay on | Off
Default: On
Environment: Stream,server
(Available starting from 1.9.4 version)

Turn on or off the Tcp_nodelay option, which will be applied to both the client and the upstream server.

Syntax: Variables_hash_bucket_size size;
Default: 64
Environment: Stream
(Available starting from 1.11.2 version)

Set the bucket size of the variable hash table, and set the details to see the standalone document

Syntax: Variables_hash_max_size size;
Default: 1024
Environment: Stream
(Available starting from 1.11.2 version)

Sets the maximum size of the hash table, and sets the details to see the standalone document

Built-in variables, (Ngx_stream_core_module module supports variables from 1.11.2):

$binary _remote_addr: Client address in binary form
$bytes _sent: Number of bytes sent to client
$connection: Connection serial number
$hostname: Host Name
$msec: Current time in milliseconds resolution
Version of the $nginx _version:nginx
$pid: Worker's PID
$remote _addr: Client Address
$remote _port: Client ports
$server _ADDR: Accept the service-side address of the connection, obtain this variable requires system call once, to avoid generating system calls to specify the listener address after the listen command and to increase the bind parameter
$server _port: Service-side ports that accept connections
$time local time in _iso8601:iso 8601 format
$time _local: local time in the usual log format
Ngx_stream_proxy_module

Ngx_stream_proxy_module allows the data stream to be delivered via TCP, UDP, and Unix sockets, starting with the 1.9.0 version.

Syntax: Proxy_bind address [transparent] | Off
Environment: Stream, server
(Available starting from 1.9.2 version)

Specify an outward connection the value of the parameter can contain a variable (1.11.2) by the specified IP. Parameter off can eliminate the effect of the Proxy_bind command inherited from the previous level, allowing the system to automatically select an export IP.

Transparent (transparent proxy) parameters can be sent to the source station (proxied server) The source IP of the connection is non-local IP, such as: The client's real IP. Proxy_bind $remote _addr Transparent; To achieve this, the Nginx worker process needs to run with Superuser privileges and configure the kernel routing table to intercept network traffic that is sent back by the source station.

Syntax: Proxy_buffer_size size;
Default: 16k
Environment: Stream, server
(Available starting from 1.9.14 version)

Sets the size of the buffer when reading data from the source station, and also sets the buffer size for reading data from the client.

Syntax: Proxy_connect_timeout time;
Default: 60s;
Environment: Stream, server

Defines the connection timeout that has been established with the source station.

Grammar: Proxy_download_rate rate;
Default: 0;
Environment: Stream, server

The rate limit for accepting data from the source station is rate in bytes, with a default value of 0 that is unrestricted. This limit is for each connection, so when you open two connections to the source station, the total rate will be twice times the rate value.

Syntax: Proxy_next_upstream on | Off
Default: On;
Environment: Stream, server

If the connection to the source station cannot be established, try to pass the client's connection down one source station.

The number and time of attempts to connect to the next source station can be limited.

Syntax: Proxy_next_upstream_timeout time;
Default: 0;
Environment: Stream, server

Limit the maximum attempt time when connecting to the next source station, with a default value of 0, that is, no limit.

Syntax: proxy_next_upstream_tires number;
Default: 0;
Environment: Stream, server

Limit the maximum number of attempts to connect to the next source station, with a default value of 0, that is, no limit.

Syntax: Proxy_pass address;
Environment: Server

Set the source station address, the address can be in the form of domain name or IP and port, such as Proxy_pass localhost:12345;
, or it can be a Unix socket such as Proxy_pass unix:/tmp/stream.socket;.

When a domain name is resolved to multiple IPs, polling is done using the Round-robin method, or the server group (Ngx_stream_upstream_module provided), such as the Proxy_pass $upstream;

With server groups, server name first searches in a server group, and queries with resolver if no results are available.

Grammar: Proxy_protocol;
Default: Off;
Environment: Stream, server
(Available starting from 1.9.2 version)

Enable proxy Proxy_protocol
Connect to the source station.

Syntax: proxy_response number;
Environment: Stream, server
(Available starting from 1.9.3 version)

When the UDP agent is enabled, set the number of datagrams expected to be received from the source station, by default there is no limit to the number of messages received, and will continue to receive the response until Proxy_timeout times out.

Syntax: Proxu_ssl on | Off
Default: Off;
Environment: Stream, server

Enable SSL for the connection between the Hayuan stations.

Syntax: Proxy_ssl_certificate file;
Environment: Stream, server

Specifies that a certificate in PEM format is used to authenticate the SSL connection to the source station.

Syntax: Proxy_ssl_certificate_key file;
Environment: Stream, server

Specifies a PEM-formatted private key to authenticate the SSL connection to the source station.

Grammar: Proxy_ssl_ciphers ciphers;
Default: Deafault;
Environment: Stream, server

Specifies the encryption suite used to shake the source station in a OpenSSL library-readable format, using the command OpenSSL ciphers to view the complete list.

Syntax: PROXY_SSL_CRL file;
Environment: Stream, server

Specifies a list of revoked certificates.

Syntax: proxy_ssl_name name;
Default: Host from Proxy_pass;
Environment: Stream, server

Used to overwrite server name in the SNI request to the source station, which can contain variables (starting with the 1.11.3 version), by default, the host name in the Proxy_pass parameter is used.

Syntax: Proxy_ssl_password_file file;
Environment: Stream, server

Specifies the cryptographic password for the private key, one for each line, and the password is tried in turn when the private key file is loaded.

Syntax: Proxy_ssl_session_reuse on | Off
Default:on;
Context:stream, Server

Specifies whether the SSL session is reused when connecting to the source station, and if a "ssl3_get_finished" error occurs, try turning off SSL sessions for reuse.

Syntax: Proxy_ssl_protocols [SSLV2] [SSLv3] [TLSV1] [TLSv1.1] [TLSv1.2];
Default: TLSv1 TLSv1.1 TLSv1.2;
Environment: Stream, server

The specified SSL protocol version is used when connecting to the source station.

Syntax: Proxy_ssl_trusted_certificate file;
Environment: Stream, server

A list of trusted CAs in PEM format is used to verify the authentication validity of the source station.

Syntax: Proxy_ssl_verify on | Off
Default: Off;
Environment: Stream, server

Whether authentication is enabled and from the source station.

Syntax: proxy_ssl_verify_depth number;
Default: 1;
Environment: Stream, server

Specifies the number of certificate chain layers that verify the source station authentication.

Syntax: Proxy_timeout time;
Default: 10m;
Environment: Stream, server

Specifies the timeout interval for two read and write operations, which are applied simultaneously to the connection to the client and to the source station. If there is no data transfer at this time, the connection will be closed.

Grammar: Proxy_upload_rate rate;
Default: 0;
Environment: Stream, server
(provided starting from 1.9.3)

Limits the rate at which data is read from the client, the number unit is BYTE/S, and the default value of 0 indicates there is no limit. This number is for each connection, so when you open two connections, the data transfer rate will be twice times that value.

Ngx_stream_upstream_module

The Ngx_stream_upstream_module module appears in version 1.9.0 to define the source station server groups and associated configurations that can be invoked by Proxy_pass, and the subscription version also supports dynamic configuration groups and active health detection.

Syntax: Upstream name {...}
Environment: Stream

Define a set of servers that can listen to different ports or listen to a mix of TCP ports and Unix sockets:

Upstream Backend {
Server backend1.example.com:12345 weight=5;
Server 127.0.0.1:12345 max_fails=3 fail_timeout=30s;
Server Unix:/tmp/backend2;
Server backend3.example.com:12345 Resolve;

Server backup1.example.com:12345 backup;
}
By default, the inbound connection is divided by the round-robin algorithm into each back-end, and in this example, where the weights are configured, an average of 5 per 7 inbound connections will be transferred to Backend1, and the second and third backend to each connection; If the connection fails, it will try the next Server, the connection will be closed when all fails.

Syntax: server address [parameters];
Environment: Upstream

Defines the address and parameters of the server, which can be given in the form of an IP or domain name, which the port number must indicate, or Unix: The prefix indicates that the address is a UNIX socket, and if the domain name is resolved to multiple IPs, it is considered to define multiple servers.

Parameter table:

The Weight=number parameter specifies the weight value of the weighted Round-robin algorithm.
The Max_fails=number parameter specifies the maximum number of failed retries.
The Fail_timeout=number parameter also specifies the timeout for a connection to the back-end server and the time that a server is considered unavailable.
The backup parameter will mark the server as standby, and the connection will be uploaded to the backup server when all the primary servers are unavailable.
The down parameter will manually mark a server as unavailable.
Max_conns=number limit the maximum number of connections to the source station, which defaults to 0, that is, there is no limit.
The Resolve parameter monitors the IP change of the server domain name, without the need to modify the server configuration in upstream or reboot the Nginx, which requires the server group to be in a shared memory zone. Use this parameter to have at least one resolver command in the stream block:
Shell

Stream {
Resolver 10.0.0.1;

Upstream U {
Zone ...;
...
Server example.com:12345 Resolve;
}
}

The service=name parameter resolves the DNS SRV record, and to use this command requires a resolve parameter and cannot contain the port number after hostname.
The Slow_start=time parameter sets the time for a Server recovery that is considered unavailable and defaults to 0, that is, the Slow_start is closed
Note that when there is only one server in a server group, the max_fails fail_timeout slow_start parameter will be ignored.

Syntax: zone name [size];
Environment: Upstream

A zone uses name and size to define a shared memory area, where workers can share profiles and live state, and multiple server groups can share a zone, so only one zone must be declared.

In addition, as part of a fee subscription, the dynamic configuration group allows the server in the group to replace or modify the members of the group without fully rereading the configuration file, and refer to upstream_conf in Ngx_http_stream_module.

Syntax: state file;
Environment: Upstream
(Available starting from 1.9.7 version)

Specifies a file path that holds the current configuration state of the dynamic configuration group, which includes the list of servers in the configuration group and the parameters of each server. This file is updated every time that the profile is parsed and the upstream configuration changes, noting that the file should not be edited directly.

Syntax: hash key [consistent];
Environment: Upstream

The client-server-side mapping hash algorithm used for load balancing is based on key, and the hash key can contain literals and variables such as hash $remote _addr.

Grammar: Least_conn;
Environment: Upstream

With the minimum connection load balancing algorithm, Nginx will automatically select the backend with the least connection, and if multiple back-end joins are equal, the weighted round-robin will be used to select it.

Syntax: Least_time Connect | First_byte | Last_byte;
Environment: Upstream

Using the "Fastest connection" load balancing algorithm, Nginx will select the fastest backend, and the "fastest" definition can be defined by the parameter as the first package time, the transmission completion time, or the connection establishment time.

Syntax: health_check [parameters];
Environment: Server

Turn on the periodic active health detection function of the server group.

Parameter table:

The Interval=time parameter sets the interval of two health checks, in seconds, and the default value is 5.
The Fails=number parameter sets the Server to be unhealthy after the health check consecutive failure reaches a specified number of times.
The Pass=number parameter sets the health check to mark the Server as healthy after it has reached a specified number of times.
The Match=name parameter specifies, by name, a condition that a match block passes for health detection, and by default only detects whether a TCP connection can be successfully established.
The Port=number parameter defines the port number of the connection when health detection is performed, and the default is equal to the port number of the server block.
The UDP parameter specifies a UDP health check, the match parameter must be specified, and the send and expect contents are provided.
Shell

server {
Proxy_pass backend;
Health_check;
}

This configuration will detect every 5 seconds whether each server in the configuration group can successfully establish a TCP connection, and when the connection fails, health checks will not pass and the server will be marked as unhealthy. The client will not be connected to an unhealthy server at this time.

Health testing can also specify what data to send and what to expect to receive, which is set independently in the match command and referenced in the match parameter of the Health_check command.

The server group must be in the same shared memory area.

If a server group has multiple health checks set up, a check that fails does not mark the entire server group as unhealthy.

Grammar: health_check_timeout timeout;
Default: Health_check_timeout 5s;
Environment: Stream, server

For health-detection operations, overwrite proxy_timeout values with health_check_timeout values.

Syntax: Match name {...}
Environment: Stream

Defines a set of tests with a name that validates the health-check return value.

Parameter table:

The send string parameter defines the string that is sent to the server.
Expect string | ~ The regex parameter defines the string returned by the server and can be matched using a regular match, such as "~*" for case insensitive matching and case sensitive matching using "~".
Both the send and expect parameters can use the "\x" prefix to denote a 16-character, such as "\x80\x1a".
Health testing passes when the following conditions are met:
TCP Connection Establishment
The string in send was sent successfully
Server Response compliant expect
Value specified by Health_check_timeout is not exceeded
Sample Example:

Shell

Upstream Backend {
Zone Upstream_backend 10m;
Server 127.0.0.1:12345;
}

Match HTTP {
Send "get/http/1.0\r\nhost:localhost\r\n\r\n";
Expect ~ "OK";
}

server {
Listen 12346;
Proxy_pass backend;
Health_check match=http;
}