[Question title]: NGINX sendmsg() failed (1: Operation not permitted) while proxying and sending to upstream
[Posted]: 2021-07-07 15:59:10
[Question]:

I have been trying to implement a new communication flow in a working NGINX server. The server runs in a Kubernetes DaemonSet with hostNetwork set to true. The new flow forwards incoming UDP connections from clients to a backend while preserving the original port. I have tried this configuration (inside the stream block):

server {
    # one UDP listener per port in the range; $server_port is the port the client hit
    listen 12000-12100 udp;
    # forward to the backend on the same port the client used
    proxy_pass backend_name:$server_port;
    # IP transparency: keep the client's source address and port towards upstream
    proxy_bind $remote_addr:$remote_port transparent;
    # do not wait for datagrams coming back from upstream
    proxy_responses 0;
    resolver 1.2.2.10;
}

When a UDP packet reaches nginx, the log output is:

2021/07/01 06:19:55 [alert] 30#30: *24650 sendmsg() failed (1: Operation not permitted) while proxying and sending to upstream, udp client: 172.21.2.114, server: 0.0.0.0:12037, upstream: "1.2.123.101:12037", bytes from/to client:1946/0, bytes from/to upstream:0/0
2021/07/01 06:19:56 [alert] 30#30: *24652 sendmsg() failed (1: Operation not permitted) while proxying and sending to upstream, udp client: 172.21.2.114, server: 0.0.0.0:12037, upstream: "1.2.123.101:12037", bytes from/to client:973/0, bytes from/to upstream:0/0
2021/07/01 06:19:58 [alert] 30#30: *24654 sendmsg() failed (1: Operation not permitted) while proxying and sending to upstream, udp client: 172.21.2.114, server: 0.0.0.0:12037, upstream: "1.2.123.101:12037", bytes from/to client:973/0, bytes from/to upstream:0/0
2021/07/01 06:20:02 [alert] 30#30: *24656 sendmsg() failed (1: Operation not permitted) while proxying and sending to upstream, udp client: 172.21.2.114, server: 0.0.0.0:12037, upstream: "1.2.123.101:12037", bytes from/to client:973/0, bytes from/to upstream:0/0
2021/07/01 06:20:10 [alert] 30#30: *24658 sendmsg() failed (1: Operation not permitted) while proxying and sending to upstream, udp client: 172.21.2.114, server: 0.0.0.0:12037, upstream: "1.2.123.101:12037", bytes from/to client:973/0, bytes from/to upstream:0/0

I use user root and worker_processes auto in the main configuration file.

I have read this guide to help me, but without result: [https://www.nginx.com/blog/ip-transparency-direct-server-return-nginx-plus-transparent-proxy/][1]

I could not find anyone else who has had this problem; the message "while proxying and sending to upstream" has no matches on the web.

Can someone help me understand what is going on?

[Discussion]:

    Tags: nginx udp


    [Answer 1]:

    In the end, I learned that the problem was related to the operating system and not only to Nginx. When the operating system tried to open the socket with the sendmsg function, the OS firewall (iptables) rejected the operation. iptables had a reject rule for the upstream server. This rule was created by the kubelet service because the destination pod endpoint was not reachable. Bringing up the pod configured on the destination port made it available; this cleared the iptables reject rule and the traffic was forwarded correctly.

    [Discussion]:
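The check the answer describes, as an added example that is not part of the original post: it pulls the upstreams that got EPERM out of the nginx error log and looks for a Kubernetes-managed REJECT rule covering them in an iptables-save dump. The log lines are the ones from the question; the iptables-save excerpt, the Service name default/udp-backend and the second address are constructed placeholders.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post). Sample data is constructed.
NGINX_LOG='2021/07/01 06:19:55 [alert] 30#30: *24650 sendmsg() failed (1: Operation not permitted) while proxying and sending to upstream, udp client: 172.21.2.114, server: 0.0.0.0:12037, upstream: "1.2.123.101:12037", bytes from/to client:1946/0, bytes from/to upstream:0/0
2021/07/01 06:19:56 [alert] 30#30: *24652 sendmsg() failed (1: Operation not permitted) while proxying and sending to upstream, udp client: 172.21.2.114, server: 0.0.0.0:12037, upstream: "1.2.123.101:12037", bytes from/to client:973/0, bytes from/to upstream:0/0'

# Constructed iptables-save excerpt in the shape kube-proxy writes for a Service
# with no ready endpoints (the first rule) next to an unrelated Service rule.
IPTABLES_SAVE='-A KUBE-SERVICES -d 1.2.123.101/32 -p udp -m comment --comment "default/udp-backend has no endpoints" -m udp --dport 12037 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 1.2.123.102/32 -p tcp -m comment --comment "default/other cluster IP" -m tcp --dport 80 -j KUBE-SVC-PLACEHOLDER'

# Print unique "ip port" pairs for upstreams nginx could not send to (EPERM).
eperm_upstreams() {
    printf '%s\n' "$1" \
      | grep 'Operation not permitted' \
      | sed -n 's/.*upstream: "\([0-9.]*\):\([0-9]*\)".*/\1 \2/p' \
      | sort -u
}

# Exit 0 if the dump ($1) has a REJECT rule for destination $2 and port $3.
reject_rule_for() {
    printf '%s\n' "$1" \
      | grep -F -- "-d $2/32 " \
      | grep -F -- "--dport $3 " \
      | grep -q -F -- '-j REJECT'
}

# Correlate each failing upstream in the log ($1) with the iptables dump ($2).
diagnose() {
    eperm_upstreams "$1" | while read -r ip port; do
        if reject_rule_for "$2" "$ip" "$port"; then
            echo "$ip:$port BLOCKED by REJECT rule (Service has no endpoints?)"
        else
            echo "$ip:$port no matching REJECT rule; check other firewall/policy"
        fi
    done
}

diagnose "$NGINX_LOG" "$IPTABLES_SAVE"
```

On a live node, feed it the real error log and the output of `iptables-save` taken on the host network namespace, since the DaemonSet runs with hostNetwork.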
