Nginx websocket proxy uses three connections per socket

Time: 2016-07-21 11:19:25

Tags: sockets nginx proxy

I am trying to create an Nginx configuration that acts as a proxy for incoming websocket connections (mainly for SSL offloading), but I am running into connection limits. I followed several guides and SO answers to accommodate more connections, but something strange caught my attention. I currently have 18K clients connected, and when I run ss -s on the Nginx machine, this is what it reports:

Total: 54417 (kernel 54537)
TCP:   54282 (estab 54000, closed 280, orphaned 0, synrecv 0, timewait 158/0), ports 18263

Transport Total     IP        IPv6
*         54537     -         -
RAW       0         0         0
UDP       1         1         0
TCP       54002     36001     18001
INET      54003     36002     18001
FRAG      0         0         0

I understand how there can be 36K IP connections, but what I don't get is where those extra IPv6 connections come from. I am having trouble scaling beyond 25K connections, and I think part of the reason is that three connections are set up for every socket. So, my question is this: does anyone know where those extra connections come from?

The whole system runs in a Kubernetes cluster with the following configuration:

nginx.conf

user  nginx;
worker_processes  auto;
worker_rlimit_nofile 500000;

error_log  /dev/stdout warn;
pid        /var/run/nginx.pid;

# Increase worker connections to accommodate more sockets
events {
  worker_connections  500000;
  use epoll;
  multi_accept on;
}

http {
  include       /etc/nginx/mime.types;
  default_type  application/octet-stream;

  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

  access_log  off; # don't use it, so don't waste cpu, i/o and other resources.

  tcp_nopush     on;
  tcp_nodelay on;

  include /etc/nginx/conf.d/*.conf;
}

proxy.conf (included from conf.d):

  server {
    listen 0.0.0.0:443 ssl backlog=100000;

    # Set a big keepalive timeout to make sure no connections are dropped by nginx
    # This should never be less than the MAX_CLIENT_PING_INTERVAL + MAX_CLIENT_PING_TIMEOUT in the ws-server config!
    keepalive_timeout 200s;
    keepalive_requests 0;
    proxy_read_timeout 200s;

    ssl_certificate           /app/secrets/cert.chain.pem;
    ssl_certificate_key       /app/secrets/key.pem;
    ssl_prefer_server_ciphers On;
    ssl_protocols TLSv1.2;

    location / {
      proxy_pass          http://127.0.0.1:8443;
      proxy_http_version  1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
    }
  }

I have also set the following options in Unix:

/etc/sysctl.d/custom.conf

fs.file-max = 1000000
fs.nr_open = 1000000
net.ipv4.netfilter.ip_conntrack_max = 1048576
net.core.somaxconn = 1048576
net.ipv4.tcp_max_tw_buckets = 1048576
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_max_syn_backlog = 3240000
net.nf_conntrack_max = 1048576
net.ipv4.tcp_tw_reuse= 1
net.ipv4.tcp_fin_timeout= 15

/etc/security/limits.d/custom.conf

root soft nofile 1000000
root hard nofile 1000000
* soft nofile 1000000
* hard nofile 1000000

1 answer:

Answer 0 (score: 0)

With the help of some colleagues, I found out that Kubernetes actually muddles everything by joining the containers in a Pod into one IP namespace (so that every container can reach the others via localhost). So what I was seeing there was:

  • The incoming connection on the proxy
  • The outgoing connection from the proxy
  • The incoming connection on the server

Although this doesn't help me get more connections on a single instance, it does explain the strange behavior.
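One way to confirm this explanation from inside the Pod is to classify established sockets in `ss -tan` output by their role rather than relying on the totals from `ss -s`. The script below is an added example, not part of the original question or answer; it uses the ports from the configuration above (nginx on :443, the ws-server on 127.0.0.1:8443) and a constructed sample of `ss -tan` output for two clients, where the loopback leg shows up once from each end.

```shell
#!/bin/sh
# Constructed sample of `ss -tan` output (not captured from a real host):
# two websocket clients, each producing the three sockets described in the
# answer: client->proxy, proxy->server (client side) and the same loopback
# connection as seen by the server (accept side).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB  0      0      10.0.0.5:443        203.0.113.10:51234
ESTAB  0      0      127.0.0.1:40001     127.0.0.1:8443
ESTAB  0      0      127.0.0.1:8443      127.0.0.1:40001
ESTAB  0      0      10.0.0.5:443        203.0.113.11:51235
ESTAB  0      0      127.0.0.1:40002     127.0.0.1:8443
ESTAB  0      0      127.0.0.1:8443      127.0.0.1:40002
LISTEN 0      100000 0.0.0.0:443         0.0.0.0:*
LISTEN 0      128    127.0.0.1:8443      0.0.0.0:*'

PROXY_PORT=443      # nginx "listen" port from proxy.conf
UPSTREAM_PORT=8443  # ws-server port from proxy_pass

# classify_ss: reads `ss -tan` lines on stdin and prints "role count" for
# each ESTAB socket role. The port is taken as the text after the last ':'
# so bracketed IPv6 addresses such as [::1]:8443 are handled as well.
classify_ss() {
  awk -v pp="$PROXY_PORT" -v up="$UPSTREAM_PORT" '
    $1 == "ESTAB" {
      n = split($4, l, ":"); lport = l[n]
      m = split($5, p, ":"); pport = p[m]
      if (lport == pp)      role = "client_to_proxy"   # accepted by nginx
      else if (pport == up) role = "proxy_to_server"   # opened by nginx
      else if (lport == up) role = "server_accept"     # accepted by ws-server
      else                  role = "other"
      count[role]++
    }
    END { for (r in count) print r, count[r] }
  ' | sort
}

# count_role ROLE: number of established sockets in SAMPLE_SS with that role.
count_role() {
  printf '%s\n' "$SAMPLE_SS" | classify_ss | awk -v r="$1" '$1 == r { print $2 }'
}

# On a live host replace SAMPLE_SS with: ss -tan | classify_ss
printf '%s\n' "$SAMPLE_SS" | classify_ss
```

If the three counts are equal, every client really does account for three entries in the socket table, and only the client_to_proxy count reflects the number of external clients.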