1
<?xml version="1.0"?>
2

3
<!--
4
  Copyright (C) Nginx, Inc.
5
  -->
6

7
<!DOCTYPE module SYSTEM "../../../../dtd/module.dtd">
8

9
<module name="Module ngx_stream_upstream_module"
10
        link="/en/docs/stream/ngx_stream_upstream_module.html"
11
        lang="en"
12
        rev="42">
13

14
<section id="summary">
15

16
<para>
17
The <literal>ngx_stream_upstream_module</literal> module (1.9.0)
18
is used to define groups of servers that can be referenced
19
by the <link doc="ngx_stream_proxy_module.xml" id="proxy_pass"/>
20
directive.
21
</para>
22

23
</section>
24

25

26
<section id="example" name="Example Configuration">
27

28
<para>
29
<example>
30
upstream <emphasis>backend</emphasis> {
31
    hash $remote_addr consistent;
32

33
    server backend1.example.com:12345  weight=5;
34
    server backend2.example.com:12345;
35
    server unix:/tmp/backend3;
36

37
    server backup1.example.com:12345   backup;
38
    server backup2.example.com:12345   backup;
39
}
40

41
server {
42
    listen 12346;
43
    proxy_pass <emphasis>backend</emphasis>;
44
}
45
</example>
46
</para>
47

48
<para>
49
Dynamically configurable group with
50
periodic <link doc="ngx_stream_upstream_hc_module.xml">health checks</link> is
51
available as part of our
52
<commercial_version>commercial subscription</commercial_version>:
53
<example>
54
resolver 10.0.0.1;
55

56
upstream <emphasis>dynamic</emphasis> {
57
    zone upstream_dynamic 64k;
58

59
    server backend1.example.com:12345 weight=5;
60
    server backend2.example.com:12345 fail_timeout=5s slow_start=30s;
61
    server 192.0.2.1:12345            max_fails=3;
62
    server backend3.example.com:12345 resolve;
63
    server backend4.example.com       service=http resolve;
64

65
    server backup1.example.com:12345  backup;
66
    server backup2.example.com:12345  backup;
67
}
68

69
server {
70
    listen 12346;
71
    proxy_pass <emphasis>dynamic</emphasis>;
72
    health_check;
73
}
74
</example>
75
</para>
76

77
</section>
78

79

80
<section id="directives" name="Directives">
81

82
<directive name="upstream">
83
<syntax block="yes"><value>name</value></syntax>
84
<default/>
85
<context>stream</context>
86

87
<para>
88
Defines a group of servers.
89
Servers can listen on different ports.
90
In addition, servers listening on TCP and UNIX-domain sockets
91
can be mixed.
92
</para>
93

94
<para>
95
Example:
96
<example>
97
upstream backend {
98
    server backend1.example.com:12345 weight=5;
99
    server 127.0.0.1:12345            max_fails=3 fail_timeout=30s;
100
    server unix:/tmp/backend2;
101
    server backend3.example.com:12345 resolve;
102

103
    server backup1.example.com:12345  backup;
104
}
105
</example>
106
</para>
107

108
<para>
109
By default, connections are distributed between the servers using a
110
weighted round-robin balancing method.
111
In the above example, each 7 connections will be distributed as follows:
112
5 connections go to <literal>backend1.example.com:12345</literal>
113
and one connection to each of the second and third servers.
114
If an error occurs during communication with a server, the connection will
115
be passed to the next server, and so on until all of the functioning
116
servers will be tried.
117
If communication with all servers fails, the connection will be closed.
118
</para>
119

120
</directive>
121

122

123
<directive name="server">
124
<syntax><value>address</value> [<value>parameters</value>]</syntax>
125
<default/>
126
<context>upstream</context>
127

128
<para>
129
Defines the <value>address</value> and other <value>parameters</value>
130
of a server.
131
The address can be specified as a domain name or IP address
132
with an obligatory port, or as a UNIX-domain socket path
133
specified after the “<literal>unix:</literal>” prefix.
134
A domain name that resolves to several IP addresses defines
135
multiple servers at once.
136
</para>
137

138
<para>
139
The following parameters can be defined:
140
<list type="tag">
141

142
<tag-name id="weight">
143
<literal>weight</literal>=<value>number</value>
144
</tag-name>
145
<tag-desc>
146
sets the weight of the server, by default, 1.
147
</tag-desc>
148

149
<tag-name id="max_conns">
150
<literal>max_conns</literal>=<value>number</value>
151
</tag-name>
152
<tag-desc>
153
limits the maximum <value>number</value> of simultaneous
154
connections to the proxied server (1.11.5).
155
Default value is zero, meaning there is no limit.
156
If the server group does not reside in the <link id="zone">shared memory</link>,
157
the limitation works per each worker process.
158
<note>
159
Prior to version 1.11.5, this parameter was available as part of our
160
<commercial_version>commercial subscription</commercial_version>.
161
</note>
162
</tag-desc>
163

164
<tag-name id="max_fails">
165
<literal>max_fails</literal>=<value>number</value>
166
</tag-name>
167
<tag-desc>
168
sets the number of unsuccessful attempts to communicate with the server
169
that should happen in the duration set by the <literal>fail_timeout</literal>
170
parameter to consider the server unavailable for a duration also set by the
171
<literal>fail_timeout</literal> parameter.
172
By default, the number of unsuccessful attempts is set to 1.
173
The zero value disables the accounting of attempts.
174
Here, an unsuccessful attempt is an error or timeout
175
while establishing a connection with the server.
176
</tag-desc>
177

178
<tag-name id="fail_timeout">
179
<literal>fail_timeout</literal>=<value>time</value>
180
</tag-name>
181
<tag-desc>
182
sets
183
<list type="bullet">
184

185
<listitem>
186
the time during which the specified number of unsuccessful attempts to
187
communicate with the server should happen to consider the server unavailable;
188
</listitem>
189

190
<listitem>
191
and the period of time the server will be considered unavailable.
192
</listitem>
193

194
</list>
195
By default, the parameter is set to 10 seconds.
196
</tag-desc>
197

198
<tag-name id="backup">
199
<literal>backup</literal>
200
</tag-name>
201
<tag-desc>
202
marks the server as a backup server.
203
Connections to the backup server will be passed
204
when the primary servers are unavailable.
205
<note>
206
The parameter cannot be used along with the
207
<link id="hash"/> and <link id="random"/> load balancing methods.
208
</note>
209
</tag-desc>
210

211
<tag-name id="down">
212
<literal>down</literal>
213
</tag-name>
214
<tag-desc>
215
marks the server as permanently unavailable.
216
</tag-desc>
217

218
<tag-name id="resolve">
219
<literal>resolve</literal>
220
</tag-name>
221
<tag-desc>
222
monitors changes of the IP addresses
223
that correspond to a domain name of the server,
224
and automatically modifies the upstream configuration
225
without the need of restarting nginx.
226
The server group must reside in the <link id="zone">shared memory</link>.
227
<para>
228
In order for this parameter to work,
229
the <literal>resolver</literal> directive
230
must be specified in the
231
<link doc="ngx_stream_core_module.xml" id="resolver">stream</link> block
232
or in the corresponding <link id="resolver">upstream</link> block.
233
</para>
234

235
<para>
236
<note>
237
Prior to version 1.27.3, this parameter was available only as part of our
238
<commercial_version>commercial subscription</commercial_version>.
239
</note>
240
</para>
241
</tag-desc>
242

243
<tag-name id="service">
244
<literal>service</literal>=<value>name</value>
245
</tag-name>
246
<tag-desc>
247
enables resolving of DNS
248
<link url="https://datatracker.ietf.org/doc/html/rfc2782">SRV</link>
249
records and sets the service <value>name</value> (1.9.13).
250
In order for this parameter to work, it is necessary to specify
251
the <link id="resolve"/> parameter for the server
252
and specify a hostname without a port number.
253
<para>
254
If the service name does not contain a dot (“<literal>.</literal>”), then
255
the <link url="https://datatracker.ietf.org/doc/html/rfc2782">RFC</link>-compliant name
256
is constructed
257
and the TCP protocol is added to the service prefix.
258
For example, to look up the
259
<literal>_http._tcp.backend.example.com</literal> SRV record,
260
it is necessary to specify the directive:
261
<example>
262
server backend.example.com service=http resolve;
263
</example>
264
If the service name contains one or more dots, then the name is constructed
265
by joining the service prefix and the server name.
266
For example, to look up the <literal>_http._tcp.backend.example.com</literal>
267
and <literal>server1.backend.example.com</literal> SRV records,
268
it is necessary to specify the directives:
269
<example>
270
server backend.example.com service=_http._tcp resolve;
271
server example.com service=server1.backend resolve;
272
</example>
273
</para>
274

275
<para>
276
Highest-priority SRV records
277
(records with the same lowest-number priority value)
278
are resolved as primary servers,
279
the rest of SRV records are resolved as backup servers.
280
If the <link id="backup"/> parameter is specified for the server,
281
high-priority SRV records are resolved as backup servers,
282
the rest of SRV records are ignored.
283
</para>
284

285
<para>
286
<note>
287
Prior to version 1.27.3, this parameter was available only as part of our
288
<commercial_version>commercial subscription</commercial_version>.
289
</note>
290
</para>
291
</tag-desc>
292

293
</list>
294
</para>
295

296
<para>
297
Additionally,
298
the following parameters are available as part of our
299
<commercial_version>commercial subscription</commercial_version>:
300
<list type="tag">
301

302
<tag-name id="slow_start">
303
<literal>slow_start</literal>=<value>time</value>
304
</tag-name>
305
<tag-desc>
306
sets the <value>time</value> during which the server will recover its weight
307
from zero to a nominal value, when unhealthy server becomes
308
<link doc="ngx_stream_upstream_hc_module.xml" id="health_check">healthy</link>,
309
or when the server becomes available after a period of time
310
it was considered <link id="fail_timeout">unavailable</link>.
311
Default value is zero, i.e. slow start is disabled.
312
<note>
313
The parameter cannot be used along with the
314
<link id="hash"/> and <link id="random"/> load balancing methods.
315
</note>
316
</tag-desc>
317

318
</list>
319
</para>
320

321
<para>
322
<note>
323
If there is only a single server in a group, <literal>max_fails</literal>,
324
<literal>fail_timeout</literal> and <literal>slow_start</literal> parameters
325
are ignored, and such a server will never be considered unavailable.
326
</note>
327
</para>
328

329
</directive>
330

331

332
<directive name="zone">
333
<syntax><value>name</value> [<value>size</value>]</syntax>
334
<default/>
335
<context>upstream</context>
336

337
<para>
338
Defines the <value>name</value> and <value>size</value> of the shared
339
memory zone that keeps the group’s configuration and run-time state that are
340
shared between worker processes.
341
Several groups may share the same zone.
342
In this case, it is enough to specify the <value>size</value> only once.
343
</para>
344

345
<para>
346
Additionally,
347
as part of our <commercial_version>commercial subscription</commercial_version>,
348
such groups allow changing the group membership
349
or modifying the settings of a particular server
350
without the need of restarting nginx.
351
The configuration is accessible via the
352
<link doc="../http/ngx_http_api_module.xml">API</link> module (1.13.3).
353
<note>
354
Prior to version 1.13.3,
355
the configuration was accessible only via a special location
356
handled by
357
<link doc="../http/ngx_http_upstream_conf_module.xml" id="upstream_conf"/>.
358
</note>
359
</para>
360

361
</directive>
362

363

364
<directive name="state">
365
<syntax><value>file</value></syntax>
366
<default/>
367
<context>upstream</context>
368
<appeared-in>1.9.7</appeared-in>
369

370
<para>
371
Specifies a <value>file</value> that keeps the state
372
of the dynamically configurable group.
373
</para>
374

375
<para>
376
Examples:
377
<example>
378
state /var/lib/nginx/state/servers.conf; # path for Linux
379
state /var/db/nginx/state/servers.conf;  # path for FreeBSD
380
</example>
381
</para>
382

383
<para>
384
The state is currently limited to the list of servers with their parameters.
385
The file is read when parsing the configuration and is updated each time
386
the upstream configuration is
387
<link doc="../http/ngx_http_api_module.xml" id="stream_upstreams_stream_upstream_name_servers_">changed</link>.
388
Changing the file content directly should be avoided.
389
The directive cannot be used
390
along with the <link id="server"/> directive.
391
</para>
392

393
<para>
394
<note>
395
Changes made during
396
<link doc="../control.xml" id="reconfiguration">configuration reload</link>
397
or <link doc="../control.xml" id="upgrade">binary upgrade</link>
398
can be lost.
399
</note>
400
</para>
401

402
<para>
403
<note>
404
This directive is available as part of our
405
<commercial_version>commercial subscription</commercial_version>.
406
</note>
407
</para>
408

409
</directive>
410

411

412
<directive name="hash">
413
<syntax><value>key</value> [<literal>consistent</literal>]</syntax>
414
<default/>
415
<context>upstream</context>
416

417
<para>
418
Specifies a load balancing method for a server group
419
where the client-server mapping is based on the hashed <value>key</value> value.
420
The <value>key</value> can contain text, variables,
421
and their combinations (1.11.2).
422
Usage example:
423
<example>
424
hash $remote_addr;
425
</example>
426
Note that adding or removing a server from the group
427
may result in remapping most of the keys to different servers.
428
The method is compatible with the
429
<link url="https://metacpan.org/pod/Cache::Memcached">Cache::Memcached</link>
430
Perl library.
431
</para>
432

433
<para>
434
If the <literal>consistent</literal> parameter is specified,
435
the <link url="https://www.metabrew.com/article/libketama-consistent-hashing-algo-memcached-clients">ketama</link>
436
consistent hashing method will be used instead.
437
The method ensures that only a few keys
438
will be remapped to different servers
439
when a server is added to or removed from the group.
440
This helps to achieve a higher cache hit ratio for caching servers.
441
The method is compatible with the
442
<link url="https://metacpan.org/pod/Cache::Memcached::Fast">Cache::Memcached::Fast</link>
443
Perl library with the <value>ketama_points</value> parameter set to 160.
444
</para>
445

446
</directive>
447

448

449
<directive name="least_conn">
450
<syntax/>
451
<default/>
452
<context>upstream</context>
453

454
<para>
455
Specifies that a group should use a load balancing method where a connection
456
is passed to the server with the least number of active connections,
457
taking into account weights of servers.
458
If there are several such servers, they are tried in turn using a
459
weighted round-robin balancing method.
460
</para>
461

462
</directive>
463

464

465
<directive name="least_time">
466
<syntax>
467
    <literal>connect</literal> |
468
    <literal>first_byte</literal> |
469
    <literal>last_byte</literal>
470
    [<literal>inflight</literal>]</syntax>
471
<default/>
472
<context>upstream</context>
473
<appeared-in>1.7.11</appeared-in>
474

475
<para>
476
Specifies that a group should use a load balancing method where a connection
477
is passed to the server with the least average time and
478
least number of active connections, taking into account weights of servers.
479
If there are several such servers, they are tried in turn using a
480
weighted round-robin balancing method.
481
</para>
482

483
<para>
484
If the <literal>connect</literal> parameter is specified,
485
time to
486
<link id="var_upstream_connect_time">connect</link>
487
to the upstream server is used.
488
If the <literal>first_byte</literal> parameter is specified,
489
time to receive the
490
<link id="var_upstream_first_byte_time">first byte</link> of data is used.
491
If the <literal>last_byte</literal> is specified,
492
time to receive the
493
<link id="var_upstream_session_time">last byte</link> of data is used.
494
If the <literal>inflight</literal> parameter is specified (1.11.6),
495
incomplete connections are also taken into account.
496
<note>
497
Prior to version 1.11.6,
498
incomplete connections were taken into account by default.
499
</note>
500
</para>
501

502
<para>
503
<note>
504
Prior to version 1.31.0,
505
this directive was available only as part of our
506
<commercial_version>commercial subscription</commercial_version>.
507
</note>
508
</para>
509

510
</directive>
511

512

513
<directive name="random">
514
<syntax>[<literal>two</literal> [<value>method</value>]]</syntax>
515
<default/>
516
<context>upstream</context>
517
<appeared-in>1.15.1</appeared-in>
518

519
<para>
520
Specifies that a group should use a load balancing method where a connection
521
is passed to a randomly selected server, taking into account weights
522
of servers.
523
</para>
524

525
<para>
526
The optional <literal>two</literal> parameter
527
instructs nginx to randomly select
528
<link url="https://homes.cs.washington.edu/~karlin/papers/balls.pdf">two</link>
529
servers and then choose a server
530
using the specified <literal>method</literal>.
531
The default method is <literal>least_conn</literal>
532
which passes a connection to a server
533
with the least number of active connections.
534
</para>
535

536
<para id="random_least_time">
537
The <literal>least_time</literal> method passes a connection to a server
538
with the least average time and least number of active connections.
539
If <literal>least_time=connect</literal> parameter is specified,
540
time to
541
<link id="var_upstream_connect_time">connect</link>
542
to the upstream server is used.
543
If <literal>least_time=first_byte</literal> parameter is specified,
544
time to receive the
545
<link id="var_upstream_first_byte_time">first byte</link> of data is used.
546
If <literal>least_time=last_byte</literal> is specified,
547
time to receive the
548
<link id="var_upstream_session_time">last byte</link> of data is used.
549
<note>
550
The <literal>least_time</literal> method is available as a part of our
551
<commercial_version>commercial subscription</commercial_version>.
552
</note>
553
</para>
554

555
</directive>
556

557

558
<directive name="resolver">
559
<syntax>
560
    <value>address</value> ...
561
    [<literal>valid</literal>=<value>time</value>]
562
    [<literal>ipv4</literal>=<literal>on</literal>|<literal>off</literal>]
563
    [<literal>ipv6</literal>=<literal>on</literal>|<literal>off</literal>]
564
    [<literal>status_zone</literal>=<value>zone</value>]</syntax>
565
<default/>
566
<context>upstream</context>
567
<appeared-in>1.27.3</appeared-in>
568

569
<para>
570
Configures name servers used to resolve names of upstream servers
571
into addresses, for example:
572
<example>
573
resolver 127.0.0.1 [::1]:5353;
574
</example>
575
The address can be specified as a domain name or IP address,
576
with an optional port.
577
If port is not specified, the port 53 is used.
578
Name servers are queried in a round-robin fashion.
579
</para>
580

581
<para id="resolver_ipv6">
582
By default, nginx will look up both IPv4 and IPv6 addresses while resolving.
583
If looking up of IPv4 or IPv6 addresses is not desired,
584
the <literal>ipv4=off</literal> (1.23.1) or
585
the <literal>ipv6=off</literal> parameter can be specified.
586
</para>
587

588
<para id="resolver_valid">
589
By default, nginx caches answers using the TTL value of a response.
590
The optional <literal>valid</literal> parameter allows overriding it:
591
<example>
592
resolver 127.0.0.1 [::1]:5353 valid=30s;
593
</example>
594
<note>
595
To prevent DNS spoofing, it is recommended
596
configuring DNS servers in a properly secured trusted local network.
597
</note>
598
</para>
599

600
<para id="resolver_status_zone">
601
The optional <literal>status_zone</literal> parameter (1.17.5)
602
enables
603
<link doc="../http/ngx_http_api_module.xml" id="resolvers_">collection</link>
604
of DNS server statistics of requests and responses
605
in the specified <value>zone</value>.
606
The parameter is available as part of our
607
<commercial_version>commercial subscription</commercial_version>.
608
</para>
609

610
<para>
611
<note>
612
Since version 1.17.5 and prior to version 1.27.3,
613
this directive was available only as part of our
614
<commercial_version>commercial subscription</commercial_version>.
615
</note>
616
</para>
617

618
</directive>
619

620

621
<directive name="resolver_timeout">
622
<syntax><value>time</value></syntax>
623
<default>30s</default>
624
<context>upstream</context>
625
<appeared-in>1.27.3</appeared-in>
626

627
<para>
628
Sets a timeout for name resolution, for example:
629
<example>
630
resolver_timeout 5s;
631
</example>
632
</para>
633

634
<para>
635
<note>
636
Since version 1.17.5 and prior to version 1.27.3,
637
this directive was available only as part of our
638
<commercial_version>commercial subscription</commercial_version>.
639
</note>
640
</para>
641

642
</directive>
643

644
</section>
645

646

647
<section id="variables" name="Embedded Variables">
648

649
<para>
650
The <literal>ngx_stream_upstream_module</literal> module
651
supports the following embedded variables:
652
<list type="tag">
653

654
<tag-name id="var_upstream_addr"><var>$upstream_addr</var></tag-name>
655
<tag-desc>
656
keeps the IP address and port,
657
or the path to the UNIX-domain socket of the upstream server (1.11.4).
658
If several servers were contacted during proxying,
659
their addresses are separated by commas, e.g.
660
“<literal>192.168.1.1:12345, 192.168.1.2:12345, unix:/tmp/sock</literal>”.
661
If a server cannot be selected,
662
the variable keeps the name of the server group.
663
</tag-desc>
664

665
<tag-name id="var_upstream_bytes_received"><var>$upstream_bytes_received</var></tag-name>
666
<tag-desc>
667
number of bytes received from an upstream server (1.11.4).
668
Values from several connections
669
are separated by commas like addresses in the
670
<link id="var_upstream_addr">$upstream_addr</link> variable.
671
</tag-desc>
672

673
<tag-name id="var_upstream_bytes_sent"><var>$upstream_bytes_sent</var></tag-name>
674
<tag-desc>
675
number of bytes sent to an upstream server (1.11.4).
676
Values from several connections
677
are separated by commas like addresses in the
678
<link id="var_upstream_addr">$upstream_addr</link> variable.
679
</tag-desc>
680

681
<tag-name id="var_upstream_connect_time"><var>$upstream_connect_time</var></tag-name>
682
<tag-desc>
683
time to connect to the upstream server (1.11.4);
684
the time is kept in seconds with millisecond resolution.
685
Times of several connections
686
are separated by commas like addresses in the
687
<link id="var_upstream_addr">$upstream_addr</link> variable.
688
</tag-desc>
689

690
<tag-name id="var_upstream_first_byte_time"><var>$upstream_first_byte_time</var></tag-name>
691
<tag-desc>
692
time to receive the first byte of data (1.11.4);
693
the time is kept in seconds with millisecond resolution.
694
Times of several connections
695
are separated by commas like addresses in the
696
<link id="var_upstream_addr">$upstream_addr</link> variable.
697
</tag-desc>
698

699
<tag-name id="var_upstream_last_addr"><var>$upstream_last_addr</var></tag-name>
700
<tag-desc>
701
keeps the IP address or the path to the UNIX-domain socket
702
of the last selected upstream server (1.29.3).
703

704
<para>
705
<note>
706
This variable is available as part of our
707
<commercial_version>commercial subscription</commercial_version>.
708
</note>
709
</para>
710

711
</tag-desc>
712

713
<tag-name id="var_upstream_session_time"><var>$upstream_session_time</var></tag-name>
714
<tag-desc>
715
session duration in seconds with millisecond resolution (1.11.4).
716
Times of several connections
717
are separated by commas like addresses in the
718
<link id="var_upstream_addr">$upstream_addr</link> variable.
719
</tag-desc>
720

721
</list>
722
</para>
723

724
</section>
725

726
</module>
727

728