Nginx with dynamic upstreams (opens in new tab)

It's not quite as bad as that. AWS's short TTL means that they can change the IP whenever they like, not that they will. I would imagine that most of the time, long-lived connections to an ELB will be fine.

If the ELB does get a new address, then yes, the connection will fail, the client will have to reconnect, and when it does, it will need to do a fresh address lookup. But since the connection is over a network, failure is a possibility regardless of what AWS does, and so clients need to be able to detect failure and reconnect anyway.

Regarding how the ELB works, then I think the AWS engineers have a different idea on how to implement stuff. AWS is very much a dynamic platform and the engineers seem to have embraced this when they came up with this solution.

It doesn't necessarily mean you can't use websockets through an ELB, it just means that you would need to be able to handle reconnects, but that shouldn't be a new challenge for any system relying on connections being open for long. Also, the load balancer servers doesn't switch every 60 seconds, you can have connections running for a lot longer than that. I would also assume the load balancers keep handling connections for a while after they were taken out of the DNS rotation, in order to make sure DNS caches are updated before the IP addresses stops working.

You can hold a TCP connection open through an ELB basically as long as you want. The default idle timeout is 60s but can be increased to 1hr, this is a non-factor if you are sending any sort of data though.

When the "routing rug" is pulled out from under you all you need to do is re-resolve and re-establish the TCP connection which will likely live on for days (in most cases weeks) without disconnecting again.

This is fine for most use cases I am aware of.

As for Websockets, you will need to run the ELB in TCP mode to do that and probably run a real HTTP proxy behind it that supports Websockets/UPGRADE and uses constant source-ip hashing and supports the TCP PROXY protocol. i.e HAProxy. You can run HAProxy or other any other proxy that matches the above in an ELB to get good highly available Websockets proxy layer.

Yes. Some of the nginx plus features are very small, and there's even 3rd party modules that add such features. This particular case seems like an outright bug, with a hack workaround. Would they take a patch to fix it?

It makes me think that they must be intentionally omitting features in order to make plus valuable. That seems rather cheesy. Obviously it's their code and right, but I think it shows how hard it is to profit off an open source program.

I think there's room for interpretation but that in cases like this, it is indeed a bug.

Many applications are programmed this way but I firmly believe that an application needs to honor the TTL of a DNS request for any subsequent connections, for exactly this reason. DNS records change. Sometimes frequently. IMO you shouldn't need yo kick your apps to get them to use the new hostname for subsequent connections.

It should just schedule a DNS update before the previous one has expired, and if the addresses have changed shift over, so it should not cause any delays.

It was not that reliable for us. We still had unexplained occurrences of IP caching and it's easy to fat finger the configuration and lose the resolving functionality. Anyway, as I mentioned haproxy has vastly superior load balancing capabilities. Nginx still has a lot of work to do to match haproxy in this area.

There are a lot of reasons. Simpler configuration, mutual SSL, URL rewriting and the like. That stuff would really suck if we only used haproxy.

well damn that's such a simple solution if that variable works in proxy_pass.. One of those "How did I miss that?" solutions

Of course rigorous testing before going live, but it gives options. I love options :)

Lua + Redis is a nice way to do this, I have a small project https://github.com/spro/simon that does dynamic routing and load balancing based on Hostname -> IP:Port sets in Redis. Adding a new route is as simple as:

  sadd backends:hnapi.dev 192.168.0.42:10555

The sibling comment to this pointed out the $host variable. I imagine something along the line of proxy_pass http://$host.internaldomain; or something on that line.

I'll have to look into it further :)

I am acutely aware of HAProxy however the rest of the team is, no surprise I'm sure, familiar with nginx. Likely I'll end up doing the usual nginx->haproxy->backend chain again. HAPROXY appears to have an enterprise now(it may have had forever I just have not noticed) but it appears to be much more focused on value-add support and stack validation than hiding simple-to-implement stuff behind a paywall and open-core. This is more of a frustration with nginx which could be so much more for us if:

* They were not purposely holding back features so they can be pay-walled

* Re-compiling were not necessary to add functionality

* More cohesive modification ecosystem

I know I said "reverse proxy" which HAProxy is cleary the more superior, but I didn't mean to limit my statement to reverse proxies. nginx does have a lot of other functionality people rely on..

Before the end of the year Kong will support Postgres.