ngx_stream_zone_sync_module 模块

The ngx_stream_zone_sync_module module (1.13.8) provides the necessary support for synchronizing contents of shared memory zones between nodes of a cluster. To enable synchronization for a particular zone, a corresponding module must support this feature. Currently, it is possible to synchronize HTTP sticky sessions, information about excessive HTTP requests, and key-value pairs both in http and stream.

This module is available as part of our commercial subscription.

Example Configuration

Minimal configuration:

http {
   ...

   upstream backend {
      server backend1.example.com:8080;
      server backend2.example.com:8081;

      sticky learn
             create=$upstream_cookie_examplecookie
             lookup=$cookie_examplecookie
             zone=client_sessions:1m sync;
   }

   ...
}

stream {
   ...


   server {
       zone_sync;

       listen 127.0.0.1:12345;

       # cluster of 2 nodes
       zone_sync_server a.example.com:12345;
       zone_sync_server b.example.com:12345;

   }

A more complex configuration with SSL enabled and with cluster members defined by DNS:

...

stream {
   ...

   resolver 127.0.0.1 valid=10s;

   server {
       zone_sync;

       # the name resolves to multiple addresses that correspond to cluster nodes
       zone_sync_server cluster.example.com:12345 resolve;

       listen 127.0.0.1:4433 ssl;

       ssl_certificate     localhost.crt;
       ssl_certificate_key localhost.key;

       zone_sync_ssl on;

       zone_sync_ssl_certificate     localhost.crt;
       zone_sync_ssl_certificate_key localhost.key;
   }
}

Directives

Syntax:

zone_sync;
   

Default:

—    

Context:

server
   

Enables the synchronization of shared memory zones between cluster nodes. Cluster nodes are defined using zone_sync_server directives.

Syntax:

zone_sync_buffers number size;
   

Default:

zone_sync_buffers 8 4k|8k;
   

Context:

stream, server
   

Sets the number and size of the per-zone buffers used for pushing zone contents. By default, the buffer size is equal to one memory page. This is either 4K or 8K, depending on a platform.

A single buffer must be large enough to hold any entry of each zone being synchronized.

Syntax:

zone_sync_connect_retry_interval time;
   

Default:

zone_sync_connect_retry_interval 1s;
   

Context:

stream, server
   

Defines an interval between connection attempts to another cluster node.

Syntax:

zone_sync_connect_timeout time;
   

Default:

zone_sync_connect_timeout 5s;
   

Context:

stream, server
   

Defines a timeout for establishing a connection with another cluster node.

Syntax:

zone_sync_interval time;
   

Default:

zone_sync_interval 1s;
   

Context:

stream, server
   

Defines an interval for polling updates in a shared memory zone.

Syntax:

zone_sync_recv_buffer_size size;
   

Default:

zone_sync_recv_buffer_size 4k|8k;
   

Context:

stream, server
   

Sets size of a per-connection receive buffer used to parse incoming stream of synchronization messages. The buffer size must be equal or greater than one of the zone_sync_buffers. By default, the buffer size is equal to zone_sync_buffers size multiplied by number.

Syntax:

zone_sync_server address [resolve];
   

Default:

—    

Context:

server
   

Defines the address of a cluster node. The address can be specified as a domain name or IP address with a mandatory port, or as a UNIX-domain socket path specified after the “unix:” prefix. A domain name that resolves to several IP addresses defines multiple nodes at once.

The resolve parameter instructs nginx to monitor changes of the IP addresses that correspond to a domain name of the node and automatically modify the configuration without the need of restarting nginx.

Cluster nodes are specified either dynamically as a single zone_sync_server directive with the resolve parameter, or statically as a series of several directives without the parameter.

Each cluster node should be specified only once.

All cluster nodes should use the same configuration.

In order for the resolve parameter to work, the resolver directive must be specified in the stream block. Example:

stream {
   resolver 10.0.0.1;

   server {
       zone_sync;
       zone_sync_server cluster.example.com:12345 resolve;
       ...
   }
}

Syntax:

zone_sync_ssl on | off;
   

Default:

zone_sync_ssl off;
   

Context:

stream, server
   

Enables the SSL/TLS protocol for connections to another cluster server.

Syntax:

zone_sync_ssl_certificate file;
   

Default:

—    

Context:

stream, server
   

Specifies a file with the certificate in the PEM format used for authentication to another cluster server.

Syntax:

zone_sync_ssl_certificate_key file;
   

Default:

—    

Context:

stream, server
   

Specifies a file with the secret key in the PEM format used for authentication to another cluster server.

Syntax:

zone_sync_ssl_ciphers ciphers;
   

Default:

zone_sync_ssl_ciphers DEFAULT;
   

Context:

stream, server
   

Specifies the enabled ciphers for connections to another cluster server. The ciphers are specified in the format understood by the OpenSSL library.

The full list can be viewed using the “openssl ciphers” command.

Syntax:

zone_sync_ssl_conf_command command;
   

Default:

—    

Context:

stream, server
   

This directive appeared in version 1.19.4.

Sets arbitrary OpenSSL configuration commands when establishing a connection with another cluster server.

The directive is supported when using OpenSSL 1.0.2 or higher.

Several zone_sync_ssl_conf_command directives can be specified on the same level. These directives are inherited from the previous configuration level if and only if there are no zone_sync_ssl_conf_command directives defined on the current level.

Note that configuring OpenSSL directly might result in unexpected behavior.

Syntax:

zone_sync_ssl_crl file;
   

Default:

—    

Context:

stream, server
   

Specifies a file with revoked certificates (CRL) in the PEM format used to verify the certificate of another cluster server.

Syntax:

zone_sync_ssl_name name;
   

Default:

zone_sync_ssl_name host from zone_sync_server;
   

Context:

stream, server
   

This directive appeared in version 1.15.7.

Allows overriding the server name used to verify the certificate of a cluster server and to be passed through SNI when establishing a connection with the cluster server.

By default, the host part of the zone_sync_server address is used, or resolved IP address if the resolve parameter is specified.

Syntax:

zone_sync_ssl_password_file file;
   

Default:

—    

Context:

stream, server
   

Specifies a file with passphrases for secret keys where each passphrase is specified on a separate line. Passphrases are tried in turn when loading the key.

Syntax:

zone_sync_ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2] [TLSv1.3];
   

Default:

zone_sync_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   

Context:

stream, server
   

Enables the specified protocols for connections to another cluster server.

Syntax:

zone_sync_ssl_server_name on | off;
   

Default:

zone_sync_ssl_server_name off;
   

Context:

stream, server
   

This directive appeared in version 1.15.7.

Enables or disables passing of the server name through TLS Server Name Indication extension (SNI, RFC 6066) when establishing a connection with another cluster server.

Syntax:

zone_sync_ssl_trusted_certificate file;
   

Default:

—    

Context:

stream, server
   

Specifies a file with trusted CA certificates in the PEM format used to verify the certificate of another cluster server.

Syntax:

zone_sync_ssl_verify on | off;
   

Default:

zone_sync_ssl_verify off;
   

Context:

stream, server
   

Enables or disables verification of another cluster server certificate.

Syntax:

zone_sync_ssl_verify_depth number;
   

Default:

zone_sync_ssl_verify_depth 1;
   

Context:

stream, server
   

Sets the verification depth in another cluster server certificates chain.

Syntax:

zone_sync_timeout timeout;
   

Default:

zone_sync_timeout 5s;
   

Context:

stream, server
   

Sets the timeout between two successive read or write operations on connection to another cluster node. If no data is transmitted within this time, the connection is closed.

API endpoints

The synchronization status of a node is available via the /stream/zone_sync/ endpoint of the API which returns the following metrics.

Starting, stopping, removing a cluster node

To start a new node, update a DNS record of a cluster hostname with the IP address of the new node and start an instance. The new node will discover other nodes from DNS or static configuration and will start sending updates to them. Other nodes will eventually discover the new node using DNS and start pushing updates to it. In case of static configuration, other nodes need to be reloaded in order to send updates to the new node.

To stop a node, send the QUIT signal to the instance. The node will finish zone synchronization and gracefully close open connections.

To remove a node, update a DNS record of a cluster hostname and remove the IP address of the node. All other nodes will eventually discover that the node is removed, close connections to the node, and will no longer try to connect to it. After the node is removed, it can be stopped as described above. In case of static configuration, other nodes need to be reloaded in order to stop sending updates to the removed node.

说说我的看法
全部评论(
没有评论
关于
本网站专注于 Java、数据库(MySQL、Oracle)、Linux、软件架构及大数据等多领域技术知识分享。涵盖丰富的原创与精选技术文章,助力技术传播与交流。无论是技术新手渴望入门,还是资深开发者寻求进阶,这里都能为您提供深度见解与实用经验,让复杂编码变得轻松易懂,携手共赴技术提升新高度。如有侵权,请来信告知:hxstrive@outlook.com
公众号