support upgrade-insecure-requests option

bench/bench.sh

@@ -1,29 +1,29 @@
 #!/bin/sh
 
-echo "----------------------------"
-echo "Benchmark on rpxy"
-ab -c 100 -n 10000 http://127.0.0.1:8080/index.html
-
-echo "----------------------------"
-echo "Benchmark on nginx"
-ab -c 100 -n 10000  http://127.0.0.1:8090/index.html
-
-echo "----------------------------"
-echo "Benchmark on caddy"
-ab -c 100 -n 10000  http://127.0.0.1:8100/index.html
-
-
 # echo "----------------------------"
 # echo "Benchmark on rpxy"
-# #wrk -t8 -c100 -d30s http://127.0.0.1:8080/index.html
-# rewrk -c 256 -t 4 -d 15s -h http://127.0.0.1:8080 --pct
+# ab -c 100 -n 10000 http://127.0.0.1:8080/index.html
 
 # echo "----------------------------"
 # echo "Benchmark on nginx"
-# # wrk -t8 -c100 -d30s http://127.0.0.1:8090/index.html
-# rewrk -c 256 -t 4 -d 15s -h http://127.0.0.1:8090 --pct
+# ab -c 100 -n 10000  http://127.0.0.1:8090/index.html
 
 # echo "----------------------------"
 # echo "Benchmark on caddy"
-# # wrk -t8 -c100 -d30s http://127.0.0.1:8100/index.html
-# rewrk -c 256 -t 4 -d 15s -h http://127.0.0.1:8100 --pct
+# ab -c 100 -n 10000  http://127.0.0.1:8100/index.html
+
+
+echo "----------------------------"
+echo "Benchmark on rpxy"
+#wrk -t8 -c100 -d30s http://127.0.0.1:8080/index.html
+rewrk -c 256 -t 8 -d 15s -h http://localhost:8080 --pct
+
+echo "----------------------------"
+echo "Benchmark on nginx"
+# wrk -t8 -c100 -d30s http://127.0.0.1:8090/index.html
+rewrk -c 256 -t 8 -d 15s -h http://localhost:8090 --pct
+
+echo "----------------------------"
+echo "Benchmark on caddy"
+# wrk -t8 -c100 -d30s http://127.0.0.1:8100/index.html
+rewrk -c 256 -t 8 -d 15s -h http://localhost:8100 --pct

bench/docker-compose.yml

@@ -5,12 +5,12 @@ services:
     container_name: backend-nginx
     restart: unless-stopped
     environment:
-      - VIRTUAL_HOST="127.0.0.1"
+      - VIRTUAL_HOST=localhost
       - VIRTUAL_PORT=80
     expose:
       - 80
-    ports:
-      - 127.0.0.1:8888:80
+    # ports:
+      # - 127.0.0.1:8888:80
     logging:
       options:
         max-size: "10m"
@@ -45,6 +45,8 @@ services:
     tty: false
     privileged: true
     volumes:
+      - ./nginx_data/vhost:/etc/nginx/vhost.d
+      - ./nginx_data/conf:/etc/nginx/conf.d/
       - /var/run/docker.sock:/tmp/docker.sock:ro
     logging:
       options:

bench/nginx_data/conf/default.conf

@@ -0,0 +1,74 @@
+# nginx-proxy version : 1.0.1-6-gc4ad18f
+# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
+# scheme used to connect to this server
+map $http_x_forwarded_proto $proxy_x_forwarded_proto {
+  default $http_x_forwarded_proto;
+  ''      $scheme;
+}
+# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
+# server port the client connected to
+map $http_x_forwarded_port $proxy_x_forwarded_port {
+  default $http_x_forwarded_port;
+  ''      $server_port;
+}
+# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
+# Connection header that may have been passed to this server
+map $http_upgrade $proxy_connection {
+  default upgrade;
+  '' close;
+}
+# Apply fix for very long server names
+server_names_hash_bucket_size 128;
+# Default dhparam
+ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
+# Set appropriate X-Forwarded-Ssl header based on $proxy_x_forwarded_proto
+map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl {
+  default off;
+  https on;
+}
+gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+log_format vhost '$host $remote_addr - $remote_user [$time_local] '
+                 '"$request" $status $body_bytes_sent '
+                 '"$http_referer" "$http_user_agent" '
+                 '"$upstream_addr"';
+access_log off;
+		ssl_protocols TLSv1.2 TLSv1.3;
+		ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+		ssl_prefer_server_ciphers off;
+error_log /dev/stderr;
+resolver 127.0.0.11;
+# HTTP 1.1 support
+proxy_http_version 1.1;
+proxy_buffering off;
+proxy_set_header Host $http_host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $proxy_connection;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
+proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
+proxy_set_header X-Original-URI $request_uri;
+# Mitigate httpoxy attack (see README for details)
+proxy_set_header Proxy "";
+server {
+	server_name _; # This is just an invalid value which will never trigger on a real hostname.
+	server_tokens off;
+	listen 80;
+	access_log /var/log/nginx/access.log vhost;
+	return 503;
+}
+	# localhost
+upstream localhost {
+        ## Can be connected with "bench-nw" network
+        # backend-nginx
+        server 192.168.100.100:80;
+}
+server {
+	server_name localhost;
+	listen 80 ;
+	access_log /var/log/nginx/access.log vhost;
+	location / {
+		proxy_pass http://localhost;
+}
+}

bench/rpxy.toml

@@ -1,6 +1,6 @@
 listen_port = 8080
 # listen_port_tls = 8443
-listen_ipv6 = false
+# listen_ipv6 = true
 
 max_concurrent_streams = 128
 max_clients = 512
@@ -14,11 +14,7 @@ server_name = 'localhost'
 reverse_proxy = [
   # default destination if path is not specified
   # Array for load balancing
-  { upstream = [
-    { location = 'backend-nginx', tls = false, upstream_options = [
-      # "override_host",
-    ] },
-  ] },
+  { upstream = [{ location = 'backend-nginx', tls = false }] },
   # { upstream = [{ location = '192.168.100.100', tls = false }] },
 ]