Почему со временем перестаёт работать nginx proxy_pass до всех jails в FreeBSD 12?

Question

[chifth]

Всем привет.
Кто имеет опыт с FreeBSD + Jails , подскажите пожалуёста, почему со временем (обычно менее суток) все веб-сервисы в jails'ах становятся недоступными?

Описание:
Есть домашний сервер на FreeBSD 12. Мощностей достаточно.

Карта сети:
Роутер == редирект80 == Сервер == fw редирект80 == jail1 nginx reverse-proxy == proxy_pass на остальные jails зависимо от запрашиваемого домена.

На сервере развернуто несколько jails с nginx (reverse proxy) и несколькими веб-сервисами (transmission, личный сайт, _h5ai файлменеджер и emby (фильмотека). Каждый со своим nginx внутри.
Со временем, перестают быть доступными все jails именно на 80 порту. Тоесть глохнут nginx, на которые сделан proxy_pass. По IP всё везде пингуется.

Подскажите пожалуйста
- правильные конфиги для редиректов (может я где-то забыл или указал неверные лимиты\таймауты и тупо кончаются соединения у fastcgi?
- где можно посмотреть почему пакеты не уходят запросившему (может где-то кривой конфиг и пакеты начинают крутится в сети и ложат её)
- я даже не знаю что ещё вам сообщить. пишите что надо предоставить (логи, конфиги, явки, пароли)... нужны опытные экстрасенсы.

Comments

[Павел Межуев]

Что значит «глохнут»? Какое сообщение об ошибке? Какие действия позволяют решить проблему?

[chifth]

Павел Межуев, сообщение в браузере - connection timeout.
Помогает перезагрузка jail.
каждого лично

Answer 1

[Gansterito]

netstat -apn внутри jail показывает открытые сокеты NGINX?

Comments

[chifth]

Что-то не работает (неправильный аргумент команды)

Ну и когда jail глохнет, я в него и зайти не могу. только что заметил.

[Gansterito]

chifth, ах, да, FreeBSD... netstat -an тогда
Ну вот уже выясняется, что проблема не в NGINX.

[chifth]

Gansterito, внутри клетки вывод небольшой.
На самом сервере вывод огромный:

[chifth]

Кусок nginx/error.log (конец) из jail`a который не отвечает.

2020/05/05 04:00:57 [info] 30578#100951: *1447 kevent() reported about an closed connection (54: Connection reset by peer) while sending response to client, client: 10.0.0.2, server: file.chifty.top, request: "GET /torrent/Film/Cars%203%202017%201080p.BluRay.DTS.x264-Geek.Rus.Ukr.Eng.mkv HTTP/1.0", host: "10.0.0.4", referrer: "https://file.chifty.top/torrent/Film/"
2020/05/05 04:01:26 [info] 30578#100951: *1450 client prematurely closed connection while sending response to client, client: 10.0.0.2, server: file.chifty.top, request: "GET /torrent/Film/Cars%203%202017%201080p.BluRay.DTS.x264-Geek.Rus.Ukr.Eng.mkv HTTP/1.0", host: "10.0.0.4", referrer: "https://file.chifty.top/torrent/Film/"
2020/05/06 14:47:52 [notice] 30577#100874: signal 15 (SIGTERM) received from 25899, exiting
2020/05/06 14:47:52 [notice] 30578#100951: exiting
2020/05/06 14:47:52 [notice] 30577#100874: signal 23 (SIGIO) received
2020/05/06 14:47:52 [notice] 30578#100951: exit
2020/05/06 14:47:52 [notice] 30577#100874: signal 14 (SIGALRM) received
2020/05/06 14:47:52 [notice] 30577#100874: signal 20 (SIGCHLD) received from 30578
2020/05/06 14:47:52 [notice] 30577#100874: worker process 30578 exited with code 0
2020/05/06 14:47:52 [notice] 30577#100874: exit
2020/05/06 14:47:58 [notice] 27116#101950: using the "kqueue" event method
2020/05/06 14:47:58 [notice] 27116#101950: nginx/1.16.1
2020/05/06 14:47:58 [notice] 27116#101950: OS: FreeBSD 12.1-RELEASE-p3
2020/05/06 14:47:58 [notice] 27116#101950: kern.osreldate: 1201000, built on 1201000
2020/05/06 14:47:58 [notice] 27116#101950: hw.ncpu: 4
2020/05/06 14:47:58 [notice] 27116#101950: net.inet.tcp.sendspace: 32768
2020/05/06 14:47:58 [notice] 27116#101950: kern.ipc.somaxconn: 128
2020/05/06 14:47:58 [notice] 27116#101950: getrlimit(RLIMIT_NOFILE): 232551:232551
2020/05/06 14:47:58 [notice] 27117#100861: start worker processes
2020/05/06 14:47:58 [notice] 27117#100861: start worker process 27118
2020/05/07 11:08:50 [notice] 27117#100861: signal 15 (SIGTERM) received from 82066, exiting
2020/05/07 11:08:50 [notice] 27118#101688: exiting
2020/05/07 11:08:50 [notice] 27117#100861: signal 23 (SIGIO) received
2020/05/07 11:08:50 [notice] 27118#101688: exit
2020/05/07 11:08:50 [notice] 27117#100861: signal 20 (SIGCHLD) received from 27118
2020/05/07 11:08:50 [notice] 27117#100861: worker process 27118 exited with code 0
2020/05/07 11:08:50 [notice] 27117#100861: exit
2020/05/07 11:08:55 [notice] 83297#101688: using the "kqueue" event method
2020/05/07 11:08:55 [notice] 83297#101688: nginx/1.16.1
2020/05/07 11:08:55 [notice] 83297#101688: OS: FreeBSD 12.1-RELEASE-p3
2020/05/07 11:08:55 [notice] 83297#101688: kern.osreldate: 1201000, built on 1201000
2020/05/07 11:08:55 [notice] 83297#101688: hw.ncpu: 4
2020/05/07 11:08:55 [notice] 83297#101688: net.inet.tcp.sendspace: 32768
2020/05/07 11:08:55 [notice] 83297#101688: kern.ipc.somaxconn: 128
2020/05/07 11:08:55 [notice] 83297#101688: getrlimit(RLIMIT_NOFILE): 232551:232551
2020/05/07 11:08:55 [notice] 83298#100877: start worker processes
2020/05/07 11:08:55 [notice] 83298#100877: start worker process 83299
2020/05/07 20:54:52 [notice] 83298#100877: signal 15 (SIGTERM) received from 16433, exiting
2020/05/07 20:54:52 [notice] 83299#101092: signal 15 (SIGTERM) received from 16433, exiting
2020/05/07 20:54:52 [info] 83299#101092: kevent() failed (4: Interrupted system call)
2020/05/07 20:54:52 [notice] 83299#101092: exiting
2020/05/07 20:54:52 [notice] 83299#101092: exit
2020/05/07 20:54:52 [notice] 83298#100877: signal 20 (SIGCHLD) received from 83299
2020/05/07 20:54:52 [notice] 83298#100877: worker process 83299 exited with code 0
2020/05/07 20:54:52 [notice] 83298#100877: exit
2020/05/07 20:57:34 [notice] 9784#100852: using the "kqueue" event method
2020/05/07 20:57:34 [notice] 9784#100852: nginx/1.16.1
2020/05/07 20:57:34 [notice] 9784#100852: OS: FreeBSD 12.1-RELEASE-p3
2020/05/07 20:57:34 [notice] 9784#100852: kern.osreldate: 1201000, built on 1201000
2020/05/07 20:57:34 [notice] 9784#100852: hw.ncpu: 4
2020/05/07 20:57:34 [notice] 9784#100852: net.inet.tcp.sendspace: 32768
2020/05/07 20:57:34 [notice] 9784#100852: kern.ipc.somaxconn: 128
2020/05/07 20:57:34 [notice] 9784#100852: getrlimit(RLIMIT_NOFILE): 232551:232551
2020/05/07 20:57:34 [notice] 9786#100904: start worker processes
2020/05/07 20:57:34 [notice] 9786#100904: start worker process 9787
2020/05/08 20:41:33 [info] 9787#100993: *199 kevent() reported that client prematurely closed connection, so upstream connection is closed too while sending request to upstream, client: 10.0.0.2, server: file.chifty.top, request: "POST /torrent/Film/? HTTP/1.0", upstream: "fastcgi://unix:/var/run/php-fpm.sock:", host: "10.0.0.4", referrer: "https://file.chifty.top/torrent/Film/"

[chifth]

UPD:
1. Рестарт nginx клетки-сервиса не помогает.
2. Рестарт nginx клетки reverse-proxy - помогает.
3. Вручную рестартануть reverse-proxy в клетке не могу т.к пишет ошибку

nginx:/root@[16:44] # service nginx restart
Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: [emerg] bind() to 0.0.0.0:443 failed (49: Can't assign requested address)
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed

Хотя конфиг правильный и при рестарте всего jail всё работает:

Stoping jail: nginx, parallel timeout=5
jstop done in 6 seconds
set resource limit: [ ]
jail renice: 1
Starting jail: nginx, parallel timeout=5
nginx: created
ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib
32-bit compatibility ldconfig path: /usr/lib32
Setting hostname: nginx.thouse.chifty.top.
Creating and/or trimming log files.
Starting syslogd.
Clearing /tmp (X related).
Updating motd:.
Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
Starting nginx.
Starting sendmail_submit.
Starting sendmail_msp_queue.
Starting cron.

Sun May 10 16:46:31 EEST 2020
jstart done in 4 seconds
jrestart done in 10 seconds
jrestart done in 10 seconds

Вот мой nginx.conf на reverse-proxy:

nginx:/root@[16:51] # cat /usr/local/etc/nginx/nginx.conf
user  www;
worker_processes  1;
error_log /var/log/nginx/error.log info;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    access_log /var/log/nginx/access.log;

    sendfile        on;
    keepalive_timeout  65;

    server {
        server_name emby.chifty.top;

        location / {
                proxy_pass      http://10.0.0.6:8096;
        }


    listen 443 ssl; # managed by Certbot
    ssl_certificate /usr/local/etc/letsencrypt/live/emby.chifty.top/fullchain.pem; # managed by Certbot
    ssl_certificate_key /usr/local/etc/letsencrypt/live/emby.chifty.top/privkey.pem; # managed by Certbot
    include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}


    server {
        server_name mysql.chifty.top;

        location / {
                proxy_pass      http://10.0.0.3;
        }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /usr/local/etc/letsencrypt/live/mysql.chifty.top/fullchain.pem; # managed by Certbot
    ssl_certificate_key /usr/local/etc/letsencrypt/live/mysql.chifty.top/privkey.pem; # managed by Certbot
    include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

    server {
        server_name file.chifty.top;

        location / {
                proxy_http_version 1.1;
                proxy_temp_file_write_size 64k;
                proxy_connect_timeout 10080s;
                proxy_send_timeout 10080;
                proxy_read_timeout 10080;
                proxy_buffer_size 64k;
                proxy_buffers 16 32k;
                proxy_busy_buffers_size 64k;
                proxy_redirect off;
                proxy_request_buffering off;
                proxy_buffering off;
                proxy_pass      http://10.0.0.4;
        }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /usr/local/etc/letsencrypt/live/file.chifty.top/fullchain.pem; # managed by Certbot
    ssl_certificate_key /usr/local/etc/letsencrypt/live/file.chifty.top/privkey.pem; # managed by Certbot
    include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

    server {
        server_name torrent.chifty.top;

        location / {
                proxy_pass      http://10.0.0.1:9091;
        }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /usr/local/etc/letsencrypt/live/torrent.chifty.top/fullchain.pem; # managed by Certbot
    ssl_certificate_key /usr/local/etc/letsencrypt/live/torrent.chifty.top/privkey.pem; # managed by Certbot
    include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

    server {
        server_name  chifty.top;
        root /usr/local/www/chifty;
        index index.php index.html index.htm;

        location / {
            proxy_pass      http://10.0.0.5;
        }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /usr/local/etc/letsencrypt/live/chifty.top-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /usr/local/etc/letsencrypt/live/chifty.top-0001/privkey.pem; # managed by Certbot
    include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}


    server {
    if ($host = chifty.top) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen       80;
        server_name  chifty.top;
    return 404; # managed by Certbot


}

    server {
    if ($host = file.chifty.top) {
        return 301 https://$host$request_uri;
    } # managed by Certbot



        listen 80;
        server_name file.chifty.top;
    return 404; # managed by Certbot


}

    server {
    if ($host = mysql.chifty.top) {
        return 301 https://$host$request_uri;
    } # managed by Certbot



        listen 80;
        server_name mysql.chifty.top;
    return 404; # managed by Certbot


}

    server {
    if ($host = torrent.chifty.top) {
        return 301 https://$host$request_uri;
    } # managed by Certbot



        listen 80;
        server_name torrent.chifty.top;
    return 404; # managed by Certbot


}

    server {
    if ($host = emby.chifty.top) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        server_name emby.chifty.top;
    listen 80;
    return 404; # managed by Certbot


}}
nginx:/root@[16:51] #

[chifth]

Ещё кое-что нашёл тут: https://forum.nginx.org/read.php?21,8103,8944#msg-8944
Но не понимаю как пофиксить у себя