Module ngx_stream_zone_sync_module
The ngx_stream_zone_sync_module
module (1.13.8)
provides the necessary support for synchronizing contents of
shared memory zones
between nodes of a cluster.
To enable synchronization for a particular zone, a corresponding module
must support this feature.
Currently, it is possible to synchronize HTTP
sticky
sessions, information about
excessive HTTP requests,
and key-value pairs both in
http
and stream.
This module is available as part of our commercial subscription.
Example Configuration
Minimal configuration:
http { ... upstream backend { server backend1.example.com:8080; server backend2.example.com:8081; sticky learn create=$upstream_cookie_examplecookie lookup=$cookie_examplecookie zone=client_sessions:1m sync; } ... } stream { ... server { zone_sync; listen 127.0.0.1:12345; # cluster of 2 nodes zone_sync_server a.example.com:12345; zone_sync_server b.example.com:12345; }
A more complex configuration with SSL enabled and with cluster members defined by DNS:
... stream { ... resolver 127.0.0.1 valid=10s; server { zone_sync; # the name resolves to multiple addresses that correspond to cluster nodes zone_sync_server cluster.example.com:12345 resolve; listen 127.0.0.1:4433 ssl; ssl_certificate localhost.crt; ssl_certificate_key localhost.key; zone_sync_ssl on; zone_sync_ssl_certificate localhost.crt; zone_sync_ssl_certificate_key localhost.key; } }
Directives
Syntax: |
zone_sync; |
---|---|
Default: | — |
Context: |
server |
Enables the synchronization of shared memory zones between cluster nodes. Cluster nodes are defined using zone_sync_server directives.
Syntax: |
zone_sync_buffers |
---|---|
Default: |
zone_sync_buffers 8 4k|8k; |
Context: |
stream , server |
Sets the number
and size
of the
per-zone buffers used for pushing zone contents.
By default, the buffer size is equal to one memory page.
This is either 4K or 8K, depending on a platform.
A single buffer must be large enough to hold any entry of each zone being synchronized.
Syntax: |
zone_sync_connect_retry_interval |
---|---|
Default: |
zone_sync_connect_retry_interval 1s; |
Context: |
stream , server |
Defines an interval between connection attempts to another cluster node.
Syntax: |
zone_sync_connect_timeout |
---|---|
Default: |
zone_sync_connect_timeout 5s; |
Context: |
stream , server |
Defines a timeout for establishing a connection with another cluster node.
Syntax: |
zone_sync_interval |
---|---|
Default: |
zone_sync_interval 1s; |
Context: |
stream , server |
Defines an interval for polling updates in a shared memory zone.
Syntax: |
zone_sync_recv_buffer_size |
---|---|
Default: |
zone_sync_recv_buffer_size 4k|8k; |
Context: |
stream , server |
Sets size
of a per-connection receive buffer used to parse
incoming stream of synchronization messages.
The buffer size must be equal or greater than one of the
zone_sync_buffers.
By default, the buffer size is equal to
zone_sync_buffers size
multiplied by number
.
Syntax: |
zone_sync_server |
---|---|
Default: | — |
Context: |
server |
Defines the address
of a cluster node.
The address can be specified as a domain name or IP address
with a mandatory port, or as a UNIX-domain socket path
specified after the “unix:
” prefix.
A domain name that resolves to several IP addresses defines
multiple nodes at once.
The resolve
parameter instructs nginx to monitor
changes of the IP addresses that correspond to a domain name of the node
and automatically modify the configuration
without the need of restarting nginx.
Cluster nodes are specified either dynamically as a single
zone_sync_server
directive with
the resolve
parameter, or statically as a series of several
directives without the parameter.
Each cluster node should be specified only once.
All cluster nodes should use the same configuration.
In order for the resolve
parameter to work,
the resolver directive
must be specified in the
stream block.
Example:
stream { resolver 10.0.0.1; server { zone_sync; zone_sync_server cluster.example.com:12345 resolve; ... } }
Syntax: |
zone_sync_ssl |
---|---|
Default: |
zone_sync_ssl off; |
Context: |
stream , server |
Enables the SSL/TLS protocol for connections to another cluster server.
Syntax: |
zone_sync_ssl_certificate |
---|---|
Default: | — |
Context: |
stream , server |
Specifies a file
with the certificate in the PEM format
used for authentication to another cluster server.
Syntax: |
zone_sync_ssl_certificate_key |
---|---|
Default: | — |
Context: |
stream , server |
Specifies a file
with the secret key in the PEM format
used for authentication to another cluster server.
Syntax: |
zone_sync_ssl_ciphers |
---|---|
Default: |
zone_sync_ssl_ciphers DEFAULT; |
Context: |
stream , server |
Specifies the enabled ciphers for connections to another cluster server. The ciphers are specified in the format understood by the OpenSSL library.
The full list can be viewed using the
“openssl ciphers
” command.
Syntax: |
zone_sync_ssl_conf_command |
---|---|
Default: | — |
Context: |
stream , server |
This directive appeared in version 1.19.4.
Sets arbitrary OpenSSL configuration commands when establishing a connection with another cluster server.
The directive is supported when using OpenSSL 1.0.2 or higher.
Several zone_sync_ssl_conf_command
directives
can be specified on the same level.
These directives are inherited from the previous configuration level
if and only if there are
no zone_sync_ssl_conf_command
directives
defined on the current level.
Note that configuring OpenSSL directly might result in unexpected behavior.
Syntax: |
zone_sync_ssl_crl |
---|---|
Default: | — |
Context: |
stream , server |
Specifies a file
with revoked certificates (CRL)
in the PEM format used to verify
the certificate of another cluster server.
Syntax: |
zone_sync_ssl_name |
---|---|
Default: |
zone_sync_ssl_name host from zone_sync_server; |
Context: |
stream , server |
This directive appeared in version 1.15.7.
Allows overriding the server name used to verify the certificate of a cluster server and to be passed through SNI when establishing a connection with the cluster server.
By default, the host part of the zone_sync_server address is used, or resolved IP address if the resolve parameter is specified.
Syntax: |
zone_sync_ssl_password_file |
---|---|
Default: | — |
Context: |
stream , server |
Specifies a file
with passphrases for
secret keys
where each passphrase is specified on a separate line.
Passphrases are tried in turn when loading the key.
Syntax: |
zone_sync_ssl_protocols
[ |
---|---|
Default: |
zone_sync_ssl_protocols TLSv1.2 TLSv1.3; |
Context: |
stream , server |
Enables the specified protocols for connections to another cluster server.
Syntax: |
zone_sync_ssl_server_name |
---|---|
Default: |
zone_sync_ssl_server_name off; |
Context: |
stream , server |
This directive appeared in version 1.15.7.
Enables or disables passing of the server name through TLS Server Name Indication extension (SNI, RFC 6066) when establishing a connection with another cluster server.
Syntax: |
zone_sync_ssl_trusted_certificate |
---|---|
Default: | — |
Context: |
stream , server |
Specifies a file
with trusted CA certificates in the PEM format
used to verify
the certificate of another cluster server.
Syntax: |
zone_sync_ssl_verify |
---|---|
Default: |
zone_sync_ssl_verify off; |
Context: |
stream , server |
Enables or disables verification of another cluster server certificate.
Syntax: |
zone_sync_ssl_verify_depth |
---|---|
Default: |
zone_sync_ssl_verify_depth 1; |
Context: |
stream , server |
Sets the verification depth in another cluster server certificates chain.
Syntax: |
zone_sync_timeout |
---|---|
Default: |
zone_sync_timeout 5s; |
Context: |
stream , server |
Sets the timeout
between two successive
read or write operations on connection to another cluster node.
If no data is transmitted within this time, the connection is closed.
API endpoints
The synchronization status of a node is available via the /stream/zone_sync/ endpoint of the API which returns the following metrics.
Starting, stopping, removing a cluster node
To start a new node, update a DNS record of a cluster hostname with the IP address of the new node and start an instance. The new node will discover other nodes from DNS or static configuration and will start sending updates to them. Other nodes will eventually discover the new node using DNS and start pushing updates to it. In case of static configuration, other nodes need to be reloaded in order to send updates to the new node.
To stop a node, send the QUIT
signal to the instance.
The node will finish zone synchronization
and gracefully close open connections.
To remove a node, update a DNS record of a cluster hostname and remove the IP address of the node. All other nodes will eventually discover that the node is removed, close connections to the node, and will no longer try to connect to it. After the node is removed, it can be stopped as described above. In case of static configuration, other nodes need to be reloaded in order to stop sending updates to the removed node.