@@ -621,6 +621,11 @@ ngx_stream_upstream_module ngx_stream_upstream_hc_module + + +ngx_stream_zone_sync_module + + diff --git a/xml/en/docs/stream/ngx_stream_zone_sync_module.xml b/xml/en/docs/stream/ngx_stream_zone_sync_module.xml new file mode 100644 --- /dev/null +++ b/xml/en/docs/stream/ngx_stream_zone_sync_module.xml @@ -0,0 +1,453 @@ + + + + + + + + +

+ + +The ngx_stream_zone_sync_module module (1.13.8) +provides the necessary support for synchronizing contents of +shared memory zones +between nodes of a cluster. +To enable synchronization for a particular zone, a corresponding module +must support this feature. +Currently, it is possible to synchronize +sticky +sessions. + +

+ + +

+ + +Minimal configuration: + +http { + ... + + upstream backend { + server backend1.example.com:8080; + server backend2.example.com:8081; + + sticky learn + create=$upstream_cookie_examplecookie + lookup=$cookie_examplecookie + zone=client_sessions:1m sync; + } + + ... +} + +stream { + ... + + + server { + zone_sync; + + listen 127.0.0.1:8090; + + # cluster of 2 nodes: each name resolves to a single IP address + zone_sync_server a.example.com; + zone_sync_server b.example.com; + + } + +A more complex configuration with SSL enabled +and with cluster members defined by DNS: + +... + +stream { + ... + + resolver 127.0.0.1 valid=10s; + + server { + zone_sync; + + # the name resolves to multiple addresses that correspond to cluster nodes + zone_sync_server cluster.example.com resolve; + + listen 127.0.0.1:4433 ssl; + + ssl_certificate localhost.crt; + ssl_certificate_key localhost.key; + + zone_sync_ssl on; + + zone_sync_ssl_certificate localhost.crt; + zone_sync_ssl_certificate_key localhost.key; + } +} + + + +

+ + +

+ + + + +stream +server + + +Enables the synchronization of shared memory zones between cluster nodes. +Cluster nodes are defined using directives. + + + + + + +address [resolve] + +stream +server + + +Defines the address of a cluster node +and an optional method of resolving it. +The address can be specified as a domain name or IP address +with a mandatory port, or as a UNIX-domain socket path +specified after the “unix:” prefix. +A domain name that resolves to several IP addresses defines +multiple servers at once. + + + +The "resolve" parameter makes nginx to +monitor changes of the IP addresses +that correspond to a domain name of the server +and automatically modifies the configuration +without the need of restarting nginx. + + + +In order for this parameter to work, +the directive +must be specified in the + block. +Example: + +stream { + resolver 10.0.0.1; + + server { + zone_sync; + ... + zone_sync_server example.com resolve; + } +} + + + + + +Each cluster node must be specified only once. +If using domain names, ensure they are resolvable to a single IP address. + + +The own address of a node is ignored, thus, there is no need to have different +configurations on different nodes. + + + + + + + +time +1s +stream +server + + +Defines an interval for polling updates in a shared memory zone. + + + + + + +time +5s +stream +server + + +Defines a timeout for establishing a connection with another cluster node. + + + + + + +time +1s +stream +server + + +Defines an interval between connection attempts to another cluster node. + + + + + + +timeout +5s +stream +server + + +Sets the timeout between two successive +read or write operations on connection to another cluster node. +If no data is transmitted within this time, the connection is closed. + + + + + + +number size +256 4k|8k +stream +server + + +Sets the number and size of the +per-zone buffers used for pushing zone contents. +By default, the buffer size is equal to one memory page. +This is either 4K or 8K, depending on a platform. + + + + + + +size +4k|8k +stream +server + + +Sets size of a per-connection receive buffer used to parse +incoming stream of synchronization messages. +By default, the buffer size is equal to one memory page. +This is either 4K or 8K, depending on a platform. + + + + + + +on | off +off +stream +server + + +Enables the SSL/TLS protocol for connections to another cluster server. + + + + + + +file + +stream +server + + +Specifies a file with the certificate in the PEM format +used for authentication to another cluster server. + + + + + + +file + +stream +server + + +Specifies a file with the secret key in the PEM format +used for authentication to another cluster server. + + + + + + +ciphers +DEFAULT +stream +server + + +Specifies the enabled ciphers for connections to another cluster server. +The ciphers are specified in the format understood by the OpenSSL library. + + + +The full list can be viewed using the +“openssl ciphers” command. + + + + + + +file + +stream +server + + +Specifies a file with revoked certificates (CRL) +in the PEM format used to verify +the certificate of another cluster server. + + + + + + +file + +stream +server + + +Specifies a file with passphrases for +secret keys +where each passphrase is specified on a separate line. +Passphrases are tried in turn when loading the key. + + + + + + + + [SSLv2] + [SSLv3] + [TLSv1] + [TLSv1.1] + [TLSv1.2] + [TLSv1.3] +TLSv1 TLSv1.1 TLSv1.2 +stream +server + + +Enables the specified protocols for connections to another cluster server. + + + + + + +file + +stream +server + + +Specifies a file with trusted CA certificates in the PEM format +used to verify +the certificate of another cluster server. + + + + + + +on | off +off +stream +server + + +Enables or disables verification of another cluster server certificate. + + + + + + +number +1 +stream +server + + +Sets the verification depth in another cluster server certificates chain. + + + + +

+ + +

+ +The synchronization status of a node is available via the +/stream/zone_sync/ +endpoint of the API which returns the +following +metrics. + + +

+ + +

+ +To start a new node, update a DNS record of a cluster hostname +with the IP address of the new node and start an instance. +The new node will discover other nodes from DNS or static configuration +and will start sending updates to them. +Other nodes will eventually discover the new node using DNS and +start pushing updates to it. +In case of static configuration, +other nodes need to be reloaded in order to send updates to the new node. + + + +To stop a node, send the QUIT signal to the instance. +The node will finish zone synchronization +and gracefully close open connections. + + + +To remove a node, update a DNS record of a cluster hostname +and remove the IP address of the node. +All other nodes will eventually discover that the node is removed, +close connections to the node, and will no longer try to connect to it. +After the node is removed, it can be stopped as described above. +In case of static configuration, other nodes need to be reloaded +in order to stop sending updates to the removed node. + + +

+ + diff --git a/xml/ru/docs/http/ngx_http_auth_jwt_module.xml b/xml/ru/docs/http/ngx_http_auth_jwt_module.xml --- a/xml/ru/docs/http/ngx_http_auth_jwt_module.xml +++ b/xml/ru/docs/http/ngx_http_auth_jwt_module.xml @@ -9,7 +9,7 @@ + rev="6">

@@ -93,6 +93,7 @@ location / { http server location +limit_except Включает проверку JSON Web Token. @@ -153,8 +154,12 @@ auth_jwt "closed site" token=$cookie_aut Сопоставление имён начинается с верхнего уровня дерева JSON. Для массива переменная хранит список его элементов, разделяемых запятыми. -auth_jwt_claim_set $email info e-mail; -auth_jwt_claim_set $job info "job title"; +location / { + auth_jwt "closed site"; + auth_jwt_key_file conf/keys.json; + auth_jwt_claim_set $email info e-mail; + auth_jwt_claim_set $job info "job title"; +} До версии 1.13.7 можно было указать лишь одно имя, @@ -165,12 +170,32 @@ auth_jwt_claim_set $job info "job title" + +время +0s +http +server +location +1.13.11 + + +Задаёт максимально допустимое отклонение времени для компенсации +расхождения часов при проверке JWT claims +exp +и +nbf. + + + + + файл http server location +limit_except Задаёт файл в формате diff --git a/xml/ru/docs/http/ngx_http_core_module.xml b/xml/ru/docs/http/ngx_http_core_module.xml --- a/xml/ru/docs/http/ngx_http_core_module.xml +++ b/xml/ru/docs/http/ngx_http_core_module.xml @@ -10,7 +10,7 @@ + rev="78">

@@ -1002,9 +1002,11 @@ keep-alive, эти буферы освобождаются. Если разрешён метод GET, то метод HEAD также будет разрешён. Доступ к остальным методам может быть ограничен при помощи директив модулей -ngx_http_access_module +ngx_http_access_module, +ngx_http_auth_basic_module и -ngx_http_auth_basic_module: +ngx_http_auth_jwt_module +(1.13.10): limit_except GET { allow 192.168.1.0/32; diff --git a/xml/ru/docs/http/ngx_http_upstream_module.xml b/xml/ru/docs/http/ngx_http_upstream_module.xml --- a/xml/ru/docs/http/ngx_http_upstream_module.xml +++ b/xml/ru/docs/http/ngx_http_upstream_module.xml @@ -10,7 +10,7 @@ + rev="70">

@@ -827,7 +827,8 @@ server { lookup=$переменная zone=имя:размер [timeout=время] - [header] + [header] + [sync] upstream 1.5.7 @@ -1004,7 +1005,7 @@ upstream backend { Сессии хранятся в зоне разделяемой памяти, имя и размер которой задаются параметром zone. -Зоны размером в 1 мегабайт достаточно для хранения около 8 тысяч сессий +Зоны размером в 1 мегабайт достаточно для хранения около 4 тысяч сессий на 64-битной платформе. Сессии, к которым не было обращений в течение времени, заданного параметром timeout, удаляются из зоны. @@ -1016,6 +1017,12 @@ upstream backend { сразу после получения заголовков ответа от сервера группы. + +Параметр sync (1.13.8) разрешает +синхронизацию +данной зоны разделяемой памяти. + + @@ -1140,6 +1147,16 @@ upstream backend { последнего сервера. +$upstream_queue_time + +хранит время, проведённое запросом в очереди +(1.13.9); +время хранится в секундах с точностью до миллисекунд. +Времена нескольких ответов +разделяются запятыми и двоеточиями подобно адресам в переменной +$upstream_addr. + + $upstream_response_length

diff --git a/xml/ru/docs/index.xml b/xml/ru/docs/index.xml --- a/xml/ru/docs/index.xml +++ b/xml/ru/docs/index.xml @@ -8,7 +8,7 @@

@@ -626,6 +626,11 @@ ngx_stream_upstream_module ngx_stream_upstream_hc_module + + +ngx_stream_zone_sync_module [en] + + diff --git a/yaml/nginx_api.yaml b/yaml/nginx_api.yaml --- a/yaml/nginx_api.yaml +++ b/yaml/nginx_api.yaml @@ -9,7 +9,7 @@ info: key-value pairs management for [http](https://nginx.org/en/docs/http/ngx_http_keyval_module.html) and [stream](https://nginx.org/en/docs/stream/ngx_stream_keyval_module.html). -basePath: /api/2 +basePath: /api/3 tags: - name: General Info - name: Processes @@ -26,6 +26,7 @@ tags: - name: Stream Server Zones - name: Stream Upstreams - name: Stream Keyvals + - name: Stream Zone Sync - name: Method GET - name: Method POST - name: Method PATCH @@ -1476,6 +1477,27 @@ paths: description: Method disabled (*MethodDisabled*) schema: $ref: '#/definitions/NginxError' + /stream/zone_sync/: + get: + tags: + - Stream Zone Sync + - Method GET + summary: Return sync status of a node + description: Returns synchronization status of a cluster node. + operationId: getStreamZoneSync + produces: + - application/json + responses: + '200': + description: Success + schema: + $ref: '#/definitions/NginxStreamZoneSync' + '404': + description: | + Zone sync not configured (*ZoneSyncNotConfigured*), + [stream](https://nginx.org/en/docs/stream/ngx_stream_core_module.html#stream) not configured (*StreamNotConfigured*) + schema: + $ref: '#/definitions/NginxError' ### ###DEFINITIONS ### @@ -3140,6 +3162,60 @@ definitions: key1: value1 key2: value2 key3: value3 + NginxStreamZoneSync: + title: Stream Zone Sync Node + type: object + properties: + zones: + type: object + title: Zone Sync Zones + description: Synchronization information per each shared memory zone. + additionalProperties: + $ref: '#/definitions/NginxStreamZoneSyncZone' + status: + type: object + description: Synchronization information per node in a cluster. + properties: + bytes_in: + type: integer + description: The number of bytes received by this node. + msgs_in: + type: integer + description: The number of messages received by this node. + msgs_out: + type: integer + description: The number of messages sent by this node. + bytes_out: + type: integer + description: The number of bytes sent by this node. + nodes_online: + type: integer + description: The number of peers this node is connected to. + example: + zones: + zone1: + records_pending: 2061 + records_total: 260575 + zone2: + records_pending: 0 + records_total: 14749 + status: + bytes_in: 1364923761 + msgs_in: 337236 + msgs_out: 346717 + bytes_out: 1402765472 + nodes_online: 15 + NginxStreamZoneSyncZone: + title: Sync Zone + description: Synchronization status of a shared memory zone. + type: object + properties: + records_pending: + type: integer + description: The number of records that need to be sent to the cluster. + records_total: + type: integer + description: The total number of records stored in the shared memory zone. NginxError: title: Error description: |