With nginx/0.8.53 + Amazon ELB + HttpRealIpModule, the process dies.

Notes on the verification process.

In the error.log of nginx/0.8.53 running on Amazon EC2, there was the log entry

worker process XXX exited on signal 11

which means a SIGSEGV occurred, so I tried to verify it.


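The set_real_ip_from and real_ip_header directives in nginx's HttpRealIpModule appear to be the cause; for some reason, the SIGSEGV occurs only when a request with an arbitrary IP added to the X-Forwarded-For header goes through the ELB.
(Still investigating.)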


When the directives above are enabled, access.log records the IP of the originating client rather than the proxy's IP.
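The following is an added example, not code from the original post or from nginx: a simplified Python model of which address ends up in access.log once these directives are enabled. It assumes the module uses the last address of X-Forwarded-For when the connecting peer matches set_real_ip_from, and that the ELB appends the connecting client to the header; the addresses other than the post's header value are constructed.

```python
import ipaddress

# Constructed sample values (not from the original post).
TRUSTED = ["10.0.0.0/8"]   # hypothetical set_real_ip_from range covering the ELB
ELB_ADDR = "10.0.1.20"     # hypothetical ELB node address seen by nginx
CLIENT = "203.0.113.7"     # documentation-range client address
CLIENT_XFF = "192.168.0.10, 223.25.164.105"  # header value used in the post's test


def elb_forward(client, xff):
    """Header nginx receives when the load balancer appends the connecting client."""
    return f"{xff}, {client}" if xff else client


def realip_client(peer, xff, trusted_cidrs):
    """Address written to access.log under this simplified model."""
    peer_ip = ipaddress.ip_address(peer)
    if not any(peer_ip in ipaddress.ip_network(c) for c in trusted_cidrs):
        return peer        # peer not in set_real_ip_from: header ignored
    if not xff:
        return peer        # trusted peer but no header to read
    last = xff.split(",")[-1].strip()
    try:
        ipaddress.ip_address(last)
    except ValueError:
        return peer        # unparsable value: keep the connection address
    return last


def scenarios():
    """Request shapes discussed in the post, mapped to the logged address."""
    via_elb = elb_forward(CLIENT, CLIENT_XFF)
    return {
        "direct, client header": realip_client(CLIENT, CLIENT_XFF, TRUSTED),
        "via ELB, no client header": realip_client(ELB_ADDR, elb_forward(CLIENT, None), TRUSTED),
        "via ELB, client header": realip_client(ELB_ADDR, via_elb, TRUSTED),
        # Over-broad trust: the client's own header value is logged instead.
        "direct, everything trusted": realip_client(CLIENT, CLIENT_XFF, ["0.0.0.0/0"]),
    }


if __name__ == "__main__":
    for name, addr in scenarios().items():
        print(f"{name}: {addr}")
```

The last scenario shows why set_real_ip_from should list only the load balancer's addresses: with a wider range, a client-supplied header decides what is logged.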

Environment

AMI(OS) Basic 64-bit Amazon Linux AMI
nginx/0.8.53
ELB

Verification with telnet (without X-Forwarded-For)

$ telnet ec2-xxx.xxx.xxx.xxx.ap-northeast-1.compute.amazonaws.com 80
Trying xxx.xxx.xxx.xxx...
Connected to ec2-xxx.xxx.xxx.xxx.ap-northeast-1.compute.amazonaws.com.
Escape character is '^]'.
GET /test.html HTTP/1.1
host: ec2-xxx.xxx.xxx.xxx.ap-northeast-1.compute.amazonaws.com
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Tue, 03 May 2011 12:10:17 GMT
Content-Type: text/html
Content-Length: 0
Last-Modified: Tue, 03 May 2011 09:44:49 GMT
Connection: keep-alive
Accept-Ranges: bytes

The request completed normally.


Next, the same request sent to the ELB.

$ telnet nginx-test-xxxxxxxxxx.ap-northeast-1.elb.amazonaws.com 80
Trying xxx.xxx.xxx.xxx...
Connected to nginx-test-xxxxxxxxxx.ap-northeast-1.elb.amazonaws.com.
Escape character is '^]'.
GET /test.html HTTP/1.1
host: nginx-test-xxxxxxxxxx.ap-northeast-1.elb.amazonaws.com
Connection: keep-alive

HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: text/html
Date: Tue, 03 May 2011 12:13:33 GMT
Last-Modified: Tue, 03 May 2011 09:44:49 GMT
Server: nginx/0.8.53
Content-Length: 0
Connection: keep-alive

The request completed normally.


Verification with telnet (with X-Forwarded-For)

First, accessing the instance directly.

$ telnet ec2-xxx-xxx-xxx-xxx.ap-northeast-1.compute.amazonaws.com 80
Trying xxx.xxx.xxx.xxx...
Connected to ec2-xxx-xxx-xxx-xxx.ap-northeast-1.compute.amazonaws.com.
Escape character is '^]'.
GET /test.html HTTP/1.1
host: ec2-xxx-xxx-xxx-xxx.ap-northeast-1.compute.amazonaws.com
X-Forwarded-For: 192.168.0.10, 223.25.164.105
X-Forwarded-Port: 80
X-Forwarded-Proto: http
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Tue, 03 May 2011 11:48:32 GMT
Content-Type: text/html
Content-Length: 0
Last-Modified: Tue, 03 May 2011 09:44:49 GMT
Connection: keep-alive
Accept-Ranges: bytes