=encoding utf-8 =head1 NAME ngx_stream_zone_sync_module - Module ngx_stream_zone_sync_module =head1 The C module (1.13.8) provides the necessary support for synchronizing contents of L between nodes of a cluster. To enable synchronization for a particular zone, a corresponding module must support this feature. Currently, it is possible to synchronize HTTP L sessions, information about L, and key-value pairs both in L and L. B This module is available as part of our commercial subscription. =head1 Example Configuration Minimal configuration: http { ... upstream backend { server backend1.example.com:8080; server backend2.example.com:8081; sticky learn create=$upstream_cookie_examplecookie lookup=$cookie_examplecookie zone=client_sessions:1m sync; } ... } stream { ... server { zone_sync; listen 127.0.0.1:12345; # cluster of 2 nodes zone_sync_server a.example.com:12345; zone_sync_server b.example.com:12345; } A more complex configuration with SSL enabled and with cluster members defined by DNS: ... stream { ... resolver 127.0.0.1 valid=10s; server { zone_sync; # the name resolves to multiple addresses that correspond to cluster nodes zone_sync_server cluster.example.com:12345 resolve; listen 127.0.0.1:4433 ssl; ssl_certificate localhost.crt; ssl_certificate_key localhost.key; zone_sync_ssl on; zone_sync_ssl_certificate localhost.crt; zone_sync_ssl_certificate_key localhost.key; } } =head1 Directives =head2 zone_sync B zone_sync I<> B I<> B I Enables the synchronization of shared memory zones between cluster nodes. Cluster nodes are defined using L directives. =head2 zone_sync_buffers B zone_sync_buffers I> I>> B I<8 4kE8k> B I B I Sets the I> and I> of the per-zone buffers used for pushing zone contents. By default, the buffer size is equal to one memory page. This is either 4K or 8K, depending on a platform. B A single buffer must be large enough to hold any entry of each zone being synchronized. =head2 zone_sync_connect_retry_interval B zone_sync_connect_retry_interval I>> B I<1s> B I B I Defines an interval between connection attempts to another cluster node. =head2 zone_sync_connect_timeout B zone_sync_connect_timeout I>> B I<5s> B I B I Defines a timeout for establishing a connection with another cluster node. =head2 zone_sync_interval B zone_sync_interval I>> B I<1s> B I B I Defines an interval for polling updates in a shared memory zone. =head2 zone_sync_recv_buffer_size B zone_sync_recv_buffer_size I>> B I<4kE8k> B I B I Sets I> of a per-connection receive buffer used to parse incoming stream of synchronization messages. The buffer size must be equal or greater than one of the L. By default, the buffer size is equal to zone_sync_buffers I> multiplied by I>. =head2 zone_sync_server B zone_sync_server I> [C]> B I<> B I Defines the I> of a cluster node. The address can be specified as a domain name or IP address with a mandatory port, or as a UNIX-domain socket path specified after the “C” prefix. A domain name that resolves to several IP addresses defines multiple nodes at once. The C parameter instructs nginx to monitor changes of the IP addresses that correspond to a domain name of the node and automatically modify the configuration without the need of restarting nginx. Cluster nodes are specified either dynamically as a single C directive with the C parameter, or statically as a series of several directives without the parameter. B Each cluster node should be specified only once. B All cluster nodes should use the same configuration. In order for the C parameter to work, the L directive must be specified in the L block. Example: stream { resolver 10.0.0.1; server { zone_sync; zone_sync_server cluster.example.com:12345 resolve; ... } } =head2 zone_sync_ssl B zone_sync_ssl I E C> B I B I B I Enables the SSLETLS protocol for connections to another cluster server. =head2 zone_sync_ssl_certificate B zone_sync_ssl_certificate I>> B I B I Specifies a I> with the certificate in the PEM format used for authentication to another cluster server. =head2 zone_sync_ssl_certificate_key B zone_sync_ssl_certificate_key I>> B I B I Specifies a I> with the secret key in the PEM format used for authentication to another cluster server. =head2 zone_sync_ssl_ciphers B zone_sync_ssl_ciphers I>> B I B I B I Specifies the enabled ciphers for connections to another cluster server. The ciphers are specified in the format understood by the OpenSSL library. The full list can be viewed using the “C” command. =head2 zone_sync_ssl_conf_command B zone_sync_ssl_conf_command I> I>> B I B I This directive appeared in version 1.19.4. Sets arbitrary OpenSSL configuration L when establishing a connection with another cluster server. B The directive is supported when using OpenSSL 1.0.2 or higher. Several C directives can be specified on the same level. These directives are inherited from the previous configuration level if and only if there are no C directives defined on the current level. B Note that configuring OpenSSL directly might result in unexpected behavior. =head2 zone_sync_ssl_crl B zone_sync_ssl_crl I>> B I B I Specifies a I> with revoked certificates (CRL) in the PEM format used to verify the certificate of another cluster server. =head2 zone_sync_ssl_name B zone_sync_ssl_name I>> B I B I B I This directive appeared in version 1.15.7. Allows overriding the server name used to verify the certificate of a cluster server and to be passed through SNI when establishing a connection with the cluster server. By default, the host part of the L address is used, or resolved IP address if the L parameter is specified. =head2 zone_sync_ssl_password_file B zone_sync_ssl_password_file I>> B I B I Specifies a I> with passphrases for secret keys where each passphrase is specified on a separate line. Passphrases are tried in turn when loading the key. =head2 zone_sync_ssl_protocols B zone_sync_ssl_protocols I< [C] [C] [C] [C] [C] [C]> B I B I B I Enables the specified protocols for connections to another cluster server. =head2 zone_sync_ssl_server_name B zone_sync_ssl_server_name I E C> B I B I B I This directive appeared in version 1.15.7. Enables or disables passing of the server name through L (SNI, RFC 6066) when establishing a connection with another cluster server. =head2 zone_sync_ssl_trusted_certificate B zone_sync_ssl_trusted_certificate I>> B I B I Specifies a I> with trusted CA certificates in the PEM format used to verify the certificate of another cluster server. =head2 zone_sync_ssl_verify B zone_sync_ssl_verify I E C> B I B I B I Enables or disables verification of another cluster server certificate. =head2 zone_sync_ssl_verify_depth B zone_sync_ssl_verify_depth I>> B I<1> B I B I Sets the verification depth in another cluster server certificates chain. =head2 zone_sync_timeout B zone_sync_timeout I>> B I<5s> B I B I Sets the I> between two successive read or write operations on connection to another cluster node. If no data is transmitted within this time, the connection is closed. =head1 API endpoints The synchronization status of a node is available via the LstreamEzone_syncE|ngx_http_api_module> endpoint of the API which returns the L metrics. =head1 Starting, stopping, removing a cluster node To start a new node, update a DNS record of a cluster hostname with the IP address of the new node and start an instance. The new node will discover other nodes from DNS or static configuration and will start sending updates to them. Other nodes will eventually discover the new node using DNS and start pushing updates to it. In case of static configuration, other nodes need to be reloaded in order to send updates to the new node. To stop a node, send the C signal to the instance. The node will finish zone synchronization and gracefully close open connections. To remove a node, update a DNS record of a cluster hostname and remove the IP address of the node. All other nodes will eventually discover that the node is removed, close connections to the node, and will no longer try to connect to it. After the node is removed, it can be stopped as described above. In case of static configuration, other nodes need to be reloaded in order to stop sending updates to the removed node.