Forum Discussion
does nginx (1.20 or newer) re-resolve DNS for proxy_pass?
This blog post explains the various methods NGINX and NGINX Plus handles domain resolution - https://www.nginx.com/blog/dns-service-discovery-nginx-plus/. To summarize, you can configure NGINX to resolve hostnames regularly using these methods (credits to original blog post):
1. Setting the Domain Name in a Variable
resolver 10.0.0.2 valid=10s;
server {
location / {
set $backend_servers backends.example.com;
proxy_pass http://$backend_servers:8080;
}
}
NGINX re‑resolves the domain name when its TTL expires. You must include the
directive to explicitly specify the name server (NGINX does not refer to /etc/resolv.conf as in the first two methods). By including the resolver
valid
parameter to the resolver
directive, you can tell NGINX to ignore the TTL and re‑resolve names at a specified frequency instead. Here we tell NGINX to re‑resolve names every 10 seconds.
Drawback is that because the upstream group is not used, specify the load‑balancing algorithm or other parameters to the server directive.
2. (NGINX Plus only) Using DNS A records
resolver 10.0.0.2 valid=10s;
upstream backends {
zone backends 64k;
server backends.example.com:8080 resolve;
}
server {
location / {
proxy_pass http://backends;
}
}
By default, NGINX Plus honors the TTL, re‑resolving names when records expire. To have NGINX Plus instead re‑resolve names at a specified frequency, include the valid parameter to the resolver directive.
This gives the additional benefit of being able to configure additional settings for upstream servers via the server directive.
---
Do take a look at the blog post to see other methods available, such as via DNS SRV records which supports dynamic port numbers and weightings. Hope that helps.
I've made a set of tests (I use a regular nginx 1.20.1 version, not nginx plus):
1. According to tcpdump - nginx will periodically re-query the DNS for "example.com" if the following config part is used:
location ^~ /_example/ {
proxy_pass https://example.com/_example/;
proxy_set_header Host my-site;
}
However, confusingly - even if DNS changed, the value resolved at nginx startup will be still used!
2. Setting the domain name in the variable - this unfortunately works differently than the "equivalent" without the variable:
a) without the variable:
location ^~ /_example/ {
proxy_pass https://example.com/_example/;
proxy_set_header Host my-site;
}
- connection to local-server/_example/image.jpg will be passed to example.com/_example/image.jpg
- only DNS resolved at startup is used, even though nginx queries DNS for "example.com" from time to time
b) with the variable:
location ^~ /_example/ {
set $backend_server example.com;
proxy_pass https://$backend_server/_example/;
proxy_set_header Host my-site;
}
- connection to local-server/_example/image.jpg will be passed to example.com/_example/ - note the missing "image.jpg" when querying the upstream!
- DNS changes work
- Leon_SengNov 01, 2022Employee
On 1, I don't have knowledge of how the underlying code is written, but barring the periodic DNS requests, NGINX seems to be behaving as intended in terms of resolving the host with new value after restart/config reload.
On 2, try changing your location block to
location ^~ /_example/ { set $backend_server example.com; proxy_pass https://$backend_server/$request_uri; proxy_set_header Host my-site; }
- netsec-groupFeb 07, 2023Nimbostratus
Hi Leon,
one question regarding NGINX (not NGINX+) and setting DNS in a variable.
We are using this method (#1) but having the "set" directive in the server section instead of in the location section. We noticed that NGINX is not updating new IP address ... even if we see DNS requests and responses with updated IP@ (this is happening using AWS ALB).
Is it necessary to have the "set" directive inside the location section instead of in the server location?
Like this:
nginx version: nginx/1.20.2
Thanks for your help,
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com