From 00742048239a9960e69527154f297df4218c26d4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20Mass=C3=A9?= Date: Tue, 30 Jun 2020 17:59:03 +0200 Subject: [PATCH] add sticky session and healthcheck support --- nginx-tls/Config.in | 17 +- nginx-tls/Makefile | 50 +++- .../patches-sticky/100-ssl-headers.patch | 14 ++ .../patches-upstream-check/100-check.patch | 238 ++++++++++++++++++ .../patches-upstream-check/101-sticky.patch | 58 +++++ 5 files changed, 372 insertions(+), 5 deletions(-) create mode 100644 nginx-tls/patches-sticky/100-ssl-headers.patch create mode 100644 nginx-tls/patches-upstream-check/100-check.patch create mode 100644 nginx-tls/patches-upstream-check/101-sticky.patch diff --git a/nginx-tls/Config.in b/nginx-tls/Config.in index cb88c67..719cc60 100644 --- a/nginx-tls/Config.in +++ b/nginx-tls/Config.in @@ -154,6 +154,21 @@ config NGINX_HTTP_BROWSER prompt "Enable HTTP browser module" default y +config NGINX_HTTP_UPSTREAM_ZONE + bool + prompt "Enable zone directive in the upstream block" + default y + +config NGINX_HTTP_UPSTREAM_STICKY + bool + prompt "Enable HTTP sticky session" + default y + +config NGINX_HTTP_UPSTREAM_HEALTHCHECK + bool + prompt "Enable HTTP health check" + default y + config NGINX_HTTP_UPSTREAM_HASH bool prompt "Enable HTTP hash module" @@ -202,7 +217,7 @@ config NGINX_LUA config NGINX_HTTP_REAL_IP bool prompt "Enable HTTP real ip module" - default n + default y config NGINX_HTTP_SECURE_LINK bool diff --git a/nginx-tls/Makefile b/nginx-tls/Makefile index 252aa52..1496d14 100644 --- a/nginx-tls/Makefile +++ b/nginx-tls/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=nginx-tls PKG_VERSION:=1.12.2 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=nginx-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=http://nginx.org/download/ 
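Review bot: The two options for out-of-tree modules, `NGINX_HTTP_UPSTREAM_STICKY` and `NGINX_HTTP_UPSTREAM_HEALTHCHECK`, are added in the first Config.in hunk with `default y` and no `help` text, so every default build now compiles third-party code fetched from external repositories into the server. Consider `default n` for both, plus a short `help` entry naming the module each option pulls in, so that the extra code is an explicit choice. `NGINX_HTTP_UPSTREAM_ZONE` is different: it only turns the previously hard-coded `--without-http_upstream_zone_module` into a switch.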
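Review bot: The `NGINX_HTTP_REAL_IP` default flips from `n` to `y` in the second Config.in hunk, which the commit subject (sticky session and healthcheck support) does not mention. The realip module lets configuration replace the client address with a value taken from a request header, so address-based access rules and logs become only as trustworthy as the `set_real_ip_from` list. If the new default is intended, say so in the commit message; otherwise keep `default n` and let deployments behind a trusted proxy opt in.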
@@ -61,7 +61,9 @@ PKG_CONFIG_DEPENDS := \ CONFIG_NGINX_LUA \ CONFIG_NGINX_HTTP_REAL_IP \ CONFIG_NGINX_HTTP_SECURE_LINK \ - CONFIG_NGINX_STREAM + CONFIG_NGINX_STREAM \ + CONFIG_NGINX_HTTP_UPSTREAM_STICKY \ + CONFIG_NGINX_HTTP_UPSTREAM_HEALTHCHECK include $(INCLUDE_DIR)/package.mk @@ -71,7 +73,8 @@ define Package/nginx-tls SUBMENU:=Web Servers/Proxies TITLE:=Nginx web server URL:=http://nginx.org/ - DEPENDS:=+NGINX_PCRE:libpcre +(NGINX_SSL||NGINX_HTTP_CACHE||NGINX_HTTP_AUTH_BASIC):libopenssl +NGINX_HTTP_GZIP:zlib +NGINX_LUA:liblua +libpthread +NGINX_STREAM:libatomicops + DEPENDS:=+NGINX_PCRE:libpcre +(NGINX_SSL||NGINX_HTTP_CACHE||NGINX_HTTP_AUTH_BASIC):libopenssl +NGINX_HTTP_GZIP:zlib +NGINX_LUA:liblua +libpthread + PKG_BUILD_DEPENDS:=+NGINX_STREAM:libatomicops MENU:=1 endef @@ -200,6 +203,9 @@ endif ifneq ($(CONFIG_NGINX_HTTP_UPSTREAM_KEEPALIVE),y) ADDITIONAL_MODULES += --without-http_upstream_keepalive_module endif +ifneq ($(CONFIG_NGINX_HTTP_UPSTREAM_ZONE),y) + ADDITIONAL_MODULES += --without-http_upstream_zone_module +endif ifeq ($(CONFIG_NGINX_HTTP_V2),y) ADDITIONAL_MODULES += --with-http_v2_module endif @@ -217,6 +223,13 @@ ifeq ($(CONFIG_NGINX_SSL),y) ADDITIONAL_MODULES += --with-stream_ssl_preread_module endif endif +ifeq ($(CONFIG_NGINX_HTTP_UPSTREAM_STICKY),y) + ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-sticky/ +endif +ifeq ($(CONFIG_NGINX_HTTP_UPSTREAM_HEALTHCHECK),y) + ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-upstream-check/ + TARGET_CFLAGS += -DNGX_HTTP_UPSTREAM_CHECK +endif TARGET_CFLAGS += -fvisibility=hidden -ffunction-sections -fdata-sections -DNGX_LUA_NO_BY_LUA_BLOCK TARGET_LDFLAGS += -Wl,--gc-sections @@ -239,7 +252,6 @@ define Build/Configure --with-cc="$(TARGET_CC)" \ --with-cc-opt="$(TARGET_CPPFLAGS) $(TARGET_CFLAGS)" \ --with-ld-opt="$(TARGET_LDFLAGS)" \ - --without-http_upstream_zone_module \ ) endef 
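Review bot: `CONFIG_NGINX_HTTP_UPSTREAM_ZONE` is missing from `PKG_CONFIG_DEPENDS` in the `@@ -61,7 +61,9 @@` hunk, although the `@@ -200,6 +203,9 @@` hunk makes the configure flags depend on it. Without that entry, toggling the option presumably does not trigger a rebuild, so the installed binary can disagree with the selected configuration. Add `CONFIG_NGINX_HTTP_UPSTREAM_ZONE \` to the list next to the two new entries.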
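Review bot: In the `@@ -71,7 +73,8 @@` hunk, `PKG_BUILD_DEPENDS:=+NGINX_STREAM:libatomicops` sits inside `define Package/nginx-tls` and keeps the `+` prefix, which is `DEPENDS` syntax. As far as I know, `PKG_BUILD_DEPENDS` is normally set with the other `PKG_*` variables before `include $(INCLUDE_DIR)/package.mk` and written as `CONDITION:package`. Please confirm the build system honours it in this position; if it does not, libatomicops is no longer guaranteed to be built before nginx when `NGINX_STREAM` is on. Proposed: `PKG_BUILD_DEPENDS:=NGINX_STREAM:libatomicops` placed beside `PKG_CONFIG_DEPENDS`. The `define Package/nginx-tls` block starts outside the hunk.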
@@ -261,10 +273,40 @@ endef define Build/Prepare $(call Build/Prepare/Default) + $(if $(CONFIG_NGINX_HTTP_UPSTREAM_STICKY),$(call Prepare/nginx-sticky)) + $(if $(CONFIG_NGINX_HTTP_UPSTREAM_HEALTHCHECK),$(call Prepare/nginx-upstream-check)) $(if $(CONFIG_NGINX_NAXSI),$(call Prepare/nginx-naxsi)) $(if $(CONFIG_NGINX_LUA),$(call Prepare/lua-nginx)) endef +define Download/nginx-upstream-check + VERSION:=v0.3.0 + SUBDIR:=nginx-upstream-check + FILE:=nginx-upstream-check-module-$(PKG_VERSION)-$$(VERSION).tar.gz + URL:=https://github.com/yaoweibin/nginx_upstream_check_module.git + PROTO:=git +endef + +define Prepare/nginx-upstream-check + $(eval $(call Download,nginx-upstream-check)) + gzip -dc $(DL_DIR)/$(FILE) | tar -C $(PKG_BUILD_DIR) $(TAR_OPTIONS) + $(call PatchDir,$(PKG_BUILD_DIR),./patches-upstream-check) +endef + +define Download/nginx-sticky + VERSION:=1.2.6 + SUBDIR:=nginx-sticky + FILE:=nginx-sticky-module-$(PKG_VERSION)-$$(VERSION).tar.gz + URL:=https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng.git + PROTO:=git +endef + +define Prepare/nginx-sticky + $(eval $(call Download,nginx-sticky)) + gzip -dc $(DL_DIR)/$(FILE) | tar -C $(PKG_BUILD_DIR) $(TAR_OPTIONS) + $(call PatchDir,$(PKG_BUILD_DIR),./patches-sticky) +endef + define Download/nginx-naxsi VERSION:=cf73f9c8664127252c2a4958d2e169516d3845a1 SUBDIR:=nginx-naxsi diff --git a/nginx-tls/patches-sticky/100-ssl-headers.patch b/nginx-tls/patches-sticky/100-ssl-headers.patch new file mode 100644 index 0000000..e58ded6 --- /dev/null +++ b/nginx-tls/patches-sticky/100-ssl-headers.patch @@ -0,0 +1,14 @@ +--- a/nginx-sticky/ngx_http_sticky_misc.c 2015-08-06 12:43:01.000000000 +0200 ++++ b/nginx-sticky/ngx_http_sticky_misc.c 2017-10-06 11:48:16.399988930 +0200 +@@ -9,6 +9,12 @@ + #include + #include + #include ++#ifndef MD5_DIGEST_LENGTH ++#include ++#endif ++#ifndef SHA_DIGEST_LENGTH ++#include ++#endif + + #include "ngx_http_sticky_misc.h" 
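Review bot: Both new `Download/` blocks fetch third-party source over git by a tag-like `VERSION` (`v0.3.0`, `1.2.6`) and carry no checksum, so the code compiled into nginx is whatever those names resolve to at build time. The neighbouring `Download/nginx-naxsi` block pins a full commit id. Do the same here, and add a `MIRROR_HASH:=<sha256 of the generated tarball>` line (or the equivalent checksum field of the build system in use) to each block, so that a moved tag or an altered mirror copy fails the download step. `Download/nginx-naxsi` continues outside the hunk.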
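Review bot: The guards on `MD5_DIGEST_LENGTH` and `SHA_DIGEST_LENGTH` in `100-ssl-headers.patch` suggest the sticky module needs OpenSSL's digest headers (the include targets are not legible on this page). The package `DEPENDS`, however, only adds `libopenssl` for `NGINX_SSL||NGINX_HTTP_CACHE||NGINX_HTTP_AUTH_BASIC`. If that reading is right, a build with `NGINX_HTTP_UPSTREAM_STICKY=y` and those three options off would fail to compile or link. Consider extending the condition to `+(NGINX_SSL||NGINX_HTTP_CACHE||NGINX_HTTP_AUTH_BASIC||NGINX_HTTP_UPSTREAM_STICKY):libopenssl`.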
diff --git a/nginx-tls/patches-upstream-check/100-check.patch b/nginx-tls/patches-upstream-check/100-check.patch
new file mode 100644
index 0000000..fc35c03
--- /dev/null
+++ b/nginx-tls/patches-upstream-check/100-check.patch
@@ -0,0 +1,238 @@ +diff -burN nginx-1.12.1_orig/src/http/modules/ngx_http_upstream_hash_module.c nginx-1.12.1/src/http/modules/ngx_http_upstream_hash_module.c +--- nginx-1.12.1_orig/src/http/modules/ngx_http_upstream_hash_module.c 2017-07-11 13:24:08.000000000 +0000 ++++ nginx-1.12.1/src/http/modules/ngx_http_upstream_hash_module.c 2017-07-13 17:58:44.687213233 +0000 +@@ -9,6 +9,9 @@ + #include + #include + ++#if (NGX_HTTP_UPSTREAM_CHECK) ++#include "ngx_http_upstream_check_module.h" ++#endif + + typedef struct { + uint32_t hash; +@@ -235,6 +238,14 @@ + goto next; + } + ++#if (NGX_HTTP_UPSTREAM_CHECK) ++ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, pc->log, 0, ++ "get hash peer, check_index: %ui", peer->check_index); ++ if (ngx_http_upstream_check_peer_down(peer->check_index)) { ++ goto next; ++ } ++#endif ++ + if (peer->max_fails + && peer->fails >= peer->max_fails + && now - peer->checked <= peer->fail_timeout) +@@ -538,6 +549,15 @@ + continue; + } + ++#if (NGX_HTTP_UPSTREAM_CHECK) ++ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, pc->log, 0, ++ "get consistent_hash peer, check_index: %ui", ++ peer->check_index); ++ if (ngx_http_upstream_check_peer_down(peer->check_index)) { ++ continue; ++ } ++#endif ++ + if (peer->server.len != server->len + || ngx_strncmp(peer->server.data, server->data, server->len) + != 0) +diff -burN nginx-1.12.1_orig/src/http/modules/ngx_http_upstream_ip_hash_module.c nginx-1.12.1/src/http/modules/ngx_http_upstream_ip_hash_module.c +--- nginx-1.12.1_orig/src/http/modules/ngx_http_upstream_ip_hash_module.c 2017-07-11 13:24:08.000000000 +0000 ++++ nginx-1.12.1/src/http/modules/ngx_http_upstream_ip_hash_module.c 2017-07-13 17:59:48.205692500 +0000 +@@ -9,6 +9,9 @@ + #include + #include + ++#if (NGX_HTTP_UPSTREAM_CHECK) ++#include "ngx_http_upstream_check_module.h" ++#endif + + typedef struct { + /* the round robin data must be first */ +@@ -205,6 +208,15 @@ + goto next; + } + ++#if (NGX_HTTP_UPSTREAM_CHECK) ++ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, pc->log, 0, ++ "get 
ip_hash peer, check_index: %ui", ++ peer->check_index); ++ if (ngx_http_upstream_check_peer_down(peer->check_index)) { ++ goto next; ++ } ++#endif ++ + if (peer->max_fails + && peer->fails >= peer->max_fails + && now - peer->checked <= peer->fail_timeout) +diff -burN nginx-1.12.1_orig/src/http/modules/ngx_http_upstream_least_conn_module.c nginx-1.12.1/src/http/modules/ngx_http_upstream_least_conn_module.c +--- nginx-1.12.1_orig/src/http/modules/ngx_http_upstream_least_conn_module.c 2017-07-11 13:24:08.000000000 +0000 ++++ nginx-1.12.1/src/http/modules/ngx_http_upstream_least_conn_module.c 2017-07-13 18:05:34.417398156 +0000 +@@ -9,6 +9,10 @@ + #include + #include + ++#if (NGX_HTTP_UPSTREAM_CHECK) ++#include "ngx_http_upstream_check_module.h" ++#endif ++ + + static ngx_int_t ngx_http_upstream_init_least_conn_peer(ngx_http_request_t *r, + ngx_http_upstream_srv_conf_t *us); +@@ -147,6 +151,16 @@ + continue; + } + ++#if (NGX_HTTP_UPSTREAM_CHECK) ++ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, pc->log, 0, ++ "get least_conn peer, check_index: %ui", ++ peer->check_index); ++ ++ if (ngx_http_upstream_check_peer_down(peer->check_index)) { ++ continue; ++ } ++#endif ++ + if (peer->max_fails + && peer->fails >= peer->max_fails + && now - peer->checked <= peer->fail_timeout) +@@ -202,6 +216,16 @@ + continue; + } + ++#if (NGX_HTTP_UPSTREAM_CHECK) ++ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, pc->log, 0, ++ "get least_conn peer, check_index: %ui", ++ peer->check_index); ++ ++ if (ngx_http_upstream_check_peer_down(peer->check_index)) { ++ continue; ++ } ++#endif ++ + if (peer->conns * best->weight != best->conns * peer->weight) { + continue; + } +diff -burN nginx-1.12.1_orig/src/http/ngx_http_upstream_round_robin.c nginx-1.12.1/src/http/ngx_http_upstream_round_robin.c +--- nginx-1.12.1_orig/src/http/ngx_http_upstream_round_robin.c 2017-07-11 13:24:09.000000000 +0000 ++++ nginx-1.12.1/src/http/ngx_http_upstream_round_robin.c 2017-07-13 18:13:00.510764315 +0000 +@@ -9,6 +9,10 @@ + #include + 
#include + ++#if (NGX_HTTP_UPSTREAM_CHECK) ++#include "ngx_http_upstream_check_module.h" ++#endif ++ + + #define ngx_http_upstream_tries(p) ((p)->number \ + + ((p)->next ? (p)->next->number : 0)) +@@ -98,6 +102,15 @@ + peer[n].down = server[i].down; + peer[n].server = server[i].name; + ++#if (NGX_HTTP_UPSTREAM_CHECK) ++ if (!server[i].down) { ++ peer[n].check_index = ++ ngx_http_upstream_check_add_peer(cf, us, &server[i].addrs[j]); ++ } else { ++ peer[n].check_index = (ngx_uint_t) NGX_ERROR; ++ } ++#endif ++ + *peerp = &peer[n]; + peerp = &peer[n].next; + n++; +@@ -162,6 +175,16 @@ + peer[n].down = server[i].down; + peer[n].server = server[i].name; + ++#if (NGX_HTTP_UPSTREAM_CHECK) ++ if (!server[i].down) { ++ peer[n].check_index = ++ ngx_http_upstream_check_add_peer(cf, us, &server[i].addrs[j]); ++ } ++ else { ++ peer[n].check_index = (ngx_uint_t) NGX_ERROR; ++ } ++#endif ++ + *peerp = &peer[n]; + peerp = &peer[n].next; + n++; +@@ -228,6 +251,9 @@ + peer[i].max_conns = 0; + peer[i].max_fails = 1; + peer[i].fail_timeout = 10; ++#if (NGX_HTTP_UPSTREAM_CHECK) ++ peer[i].check_index = (ngx_uint_t) NGX_ERROR; ++#endif + *peerp = &peer[i]; + peerp = &peer[i].next; + } +@@ -344,6 +370,9 @@ + peer[0].max_conns = 0; + peer[0].max_fails = 1; + peer[0].fail_timeout = 10; ++#if (NGX_HTTP_UPSTREAM_CHECK) ++ peer[0].check_index = (ngx_uint_t) NGX_ERROR; ++#endif + peers->peer = peer; + + } else { +@@ -378,6 +407,9 @@ + peer[i].max_conns = 0; + peer[i].max_fails = 1; + peer[i].fail_timeout = 10; ++#if (NGX_HTTP_UPSTREAM_CHECK) ++ peer[i].check_index = (ngx_uint_t) NGX_ERROR; ++#endif + *peerp = &peer[i]; + peerp = &peer[i].next; + } +@@ -443,6 +475,12 @@ + goto failed; + } + ++#if (NGX_HTTP_UPSTREAM_CHECK) ++ if (ngx_http_upstream_check_peer_down(peer->check_index)) { ++ goto failed; ++ } ++#endif ++ + rrp->current = peer; + + } else { +@@ -537,6 +575,12 @@ + continue; + } + ++#if (NGX_HTTP_UPSTREAM_CHECK) ++ if (ngx_http_upstream_check_peer_down(peer->check_index)) { ++ 
continue; ++ } ++#endif ++ + if (peer->max_fails + && peer->fails >= peer->max_fails + && now - peer->checked <= peer->fail_timeout) +diff -burN nginx-1.12.1_orig/src/http/ngx_http_upstream_round_robin.h nginx-1.12.1/src/http/ngx_http_upstream_round_robin.h +--- nginx-1.12.1_orig/src/http/ngx_http_upstream_round_robin.h 2017-07-11 13:24:09.000000000 +0000 ++++ nginx-1.12.1/src/http/ngx_http_upstream_round_robin.h 2017-07-13 18:13:30.254055435 +0000 +@@ -38,6 +38,10 @@ + ngx_msec_t slow_start; + ngx_msec_t start_time; + ++#if (NGX_HTTP_UPSTREAM_CHECK) ++ ngx_uint_t check_index; ++#endif ++ + ngx_uint_t down; + + #if (NGX_HTTP_SSL || NGX_COMPAT) diff --git a/nginx-tls/patches-upstream-check/101-sticky.patch b/nginx-tls/patches-upstream-check/101-sticky.patch new file mode 100644 index 0000000..1b8407e --- /dev/null +++ b/nginx-tls/patches-upstream-check/101-sticky.patch 
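Review bot: Every file header in `100-check.patch` names `nginx-1.12.1`, while the package Makefile builds `PKG_VERSION:=1.12.2`, so the hunks are applied to a source tree they were not generated against. They insert the `ngx_http_upstream_check_peer_down()` guard into several peer-selection loops with near-identical context, so an offset or fuzzy match could put a guard in the wrong branch without any build error. Regenerate the patch against 1.12.2, or confirm it applies with no fuzz. It would also help to record, in a header comment at the top of the patch, which revision of the upstream check module it was taken from.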
@@ -0,0 +1,58 @@ +Index: ngx_http_sticky_module.c +=================================================================== +--- a/nginx-sticky/ngx_http_sticky_module.c (revision 45) ++++ b/nginx-sticky/ngx_http_sticky_module.c (working copy) +@@ -10,6 +10,11 @@ + + #include "ngx_http_sticky_misc.h" + ++#if (NGX_HTTP_UPSTREAM_CHECK) ++#include "ngx_http_upstream_check_module.h" ++#endif ++ ++ + /* define a peer */ + typedef struct { + ngx_http_upstream_rr_peer_t *rr_peer; +@@ -287,6 +292,16 @@ + return NGX_BUSY; + } + ++#if (NGX_HTTP_UPSTREAM_CHECK) ++ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, pc->log, 0, ++ "get sticky peer, check_index: %ui", ++ peer->check_index); ++ ++ if (ngx_http_upstream_check_peer_down(peer->check_index)) { ++ return NGX_BUSY; ++ } ++#endif ++ + /* if it's been ignored for long enought (fail_timeout), reset timeout */ + /* do this check before testing peer->fails ! :) */ + if (now - peer->accessed > peer->fail_timeout) { +@@ -303,6 +318,14 @@ + /* ensure the peer is not marked as down */ + if (!peer->down) { + ++#if (NGX_HTTP_UPSTREAM_CHECK) ++ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, pc->log, 0, ++ "get sticky peer, check_index: %ui", ++ peer->check_index); ++ ++ if (!ngx_http_upstream_check_peer_down(peer->check_index)) { ++#endif ++ + /* if it's not failedi, use it */ + if (peer->max_fails == 0 || peer->fails < peer->max_fails) { + selected_peer = (ngx_int_t)n; +@@ -317,6 +340,9 @@ + /* mark the peer as tried */ + iphp->rrp.tried[n] |= m; + } ++#if (NGX_HTTP_UPSTREAM_CHECK) ++ } ++#endif + } + } + }
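Review bot: This patch targets `nginx-sticky/ngx_http_sticky_module.c` but lives in `patches-upstream-check/`, which `Prepare/nginx-upstream-check` applies whenever `NGINX_HTTP_UPSTREAM_HEALTHCHECK` is set. With the health check enabled and `NGINX_HTTP_UPSTREAM_STICKY` disabled, the `nginx-sticky/` directory is never unpacked, so the patch step would presumably fail. Either express the coupling in Config.in or apply this patch only when both options are set. Separately, the `if (!ngx_http_upstream_check_peer_down(peer->check_index)) {` is opened inside one `#if` and closed by a bare `}` in another, which is easy to unbalance. A comment on the closing brace such as `} /* !ngx_http_upstream_check_peer_down */` would make the pairing visible.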