kvspb / nginx-auth-ldap

LDAP authentication module for nginx
BSD 2-Clause "Simplified" License

max_down_retries unlimited causes issues in some environments #226

Open akulakhan opened 4 years ago

akulakhan commented 4 years ago

It has been my experience that the max_down_retries parameter being defaulted to unlimited will result in mysterious issues with nginx becoming unresponsive. My running theory is that some firewall/ddos prevention mechanism that I don't control ends up blocking connections if there's too many retry attempts.

It may also be that the probing mechanism which detects "down" LDAP endpoints is a little too sensitive. In large enterprise environments it's likely that there is various load balancing and crazy routing going on, which seems to trigger this "down" status pretty frequently.

Anyway, my suggestion is to make the max_down_retries default some limited amount. In my environment, setting it to 10 seemed to fix the issues I was seeing.

catsem commented 3 years ago

First, sorry for reactivating such an old topic. I also had questions related to the retry count and had a look at the code. If I understand the code correctly with my limited C skills, the default value 0 for max_down_retries means no retries at all! I think there is no option for an unlimited retry mode.
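Because the two comments above disagree about what the default max_down_retries of 0 means (unlimited retries versus none), the practical takeaway is to set the directive explicitly rather than rely on the default. The configuration below is an added example written for this thread, not the project's own documentation or code from either commenter; the host names, DNs, the bind account, the TLS paths and the value 10 (the number the reporter found workable) are all assumed, and the block layout follows the module's ldap_server / auth_ldap_servers directives as commonly documented.

```nginx
# Added example (not from the issue thread or the project's docs):
# pin max_down_retries explicitly instead of relying on the default,
# since the thread disputes what the default 0 means.
http {
    ldap_server corp {
        # Assumed directory host, base DN and search filter.
        url ldap://ldap.example.internal:389/DC=example,DC=internal?sAMAccountName?sub?(objectClass=person);
        # Assumed service account used for the bind; keep its privileges read-only.
        binddn "CN=nginx-bind,OU=Service Accounts,DC=example,DC=internal";
        binddn_passwd "CHANGE_ME";
        require valid_user;

        # Cap reconnect attempts to a server marked "down". Value 10 is the
        # number the reporter used; tune it for your environment. Set it
        # explicitly so behaviour does not depend on how 0 is interpreted.
        max_down_retries 10;

        # Assumed connection pool size per worker; a small pool limits the
        # number of parallel reconnects a flapping backend can trigger.
        connections 4;
    }

    server {
        listen 443 ssl;
        server_name app.example.internal;   # assumed
        ssl_certificate     /etc/nginx/tls/app.crt;  # assumed path
        ssl_certificate_key /etc/nginx/tls/app.key;  # assumed path

        location /admin/ {
            auth_ldap "Restricted";
            auth_ldap_servers corp;
            proxy_pass http://127.0.0.1:8080;  # assumed upstream
        }
    }
}
```

After reloading, watch the nginx error log while deliberately blocking the LDAP port: with a finite cap, reconnect messages for the server should stop after the configured number of attempts, which is also the quickest way to confirm on your own build which interpretation of 0 the installed version follows.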