Nginx reverse proxy – doesn’t close upstream connection when HTTPS client disconnects

httpsnginx

I have a server which needs to know when the client closes the connection. The server is behind an nginx reverse proxy. Everything works fine over HTTP, but as soon as I turn SSL on, nginx seems to hold the upstream connection open for a full minute after the HTTPS client has disconnected.

How can I get nginx to close the upstream connection when the client disconnects?

Here's my nginx config:

ssl_session_cache off;
server {
  listen 443;
  ssl on;
  ssl_certificate server.crt;
  ssl_certificate_key server.key;
  location /find {
    proxy_pass http://my_upstream;
    proxy_ignore_client_abort off;
    proxy_buffering off;
  }
}

Best Answer

Quite late but might be helpful for others. I had the same problem and it turned out to be an issue with nginx (see https://www.ruby-forum.com/topic/4412004):

So the underlying problem is that the nginx stream layer abstraction isn't clean enough to handle low level OS events and then map them through the SSL layer to read/write/eof conceptual events as needed. Instead you need an OS level "eof" event, which you then assume maps through the SSL abstraction layer to a SSL stream eof event.

Ok, so I had a look at the kqueue eof handling, and what's needed for epoll eof handling, and created a quick patch that seems to work.

I applied the patch on 1.4.2 and it worked! No problems so far. Hopefully it will be fixed in one of the next releases.

Edited

This problem seems to be solved with nginx version >=1.5.5:

Feature: now nginx uses EPOLLRDHUP events to detect premature connection close by clients if the "epoll" method is used.

Related Solutions

NGINX – Proxy HTTPS Requests to an HTTP Backend

The type of proxy you are trying to set up is called a reverse proxy. A quick search for reverse proxy nginx got me this page:

http://intranation.com/entries/2008/09/using-nginx-reverse-proxy/

In addition to adding some useful features like an X-Forwarded-For header (which will give your app visibility into the actual source IP), it specifically does:

proxy_redirect off

Good luck! :)

Nginx Reverse Proxy – How to Set Up Nginx as Reverse Proxy with Upstream SSL

For anybody stumbling across this question that wants to use nginx you can set this up like any normal proxy, and to accept a self-signed certificate from the backend you need to provide the exported pem certificate (and perhaps a key) and set ssl verification off. For example:

...

server {
    listen       10.1.2.3:80;
    server_name  10.1.2.3 myproxy.mycompany.com;

    location / {
         proxy_pass                    https://backend.server.ip/;
         proxy_ssl_trusted_certificate /etc/nginx/sslcerts/backend.server.pem;
         proxy_ssl_verify              off;

         ... other proxy settings
    }

If your secure back end is using Server Name Identification SNI with multiple hosts being served per IP/Port pair you may also need to include proxy_ssl_server_name on; in the configuration. This works on nginx 1.7.0 and later.

Best Answer

Related Solutions

NGINX – Proxy HTTPS Requests to an HTTP Backend

Nginx Reverse Proxy – How to Set Up Nginx as Reverse Proxy with Upstream SSL

Related Topic