On 8 February 2013 02:05, Maxim Dounin <mdounin@mdounin.ru> wrote:
> Hello!
>
> On Fri, Feb 08, 2013 at 11:20:35AM +0800, Fufeng Yao wrote:
>
>> Hi, all
>> I've got an nginx server in an internal network, and the server will
>> forward request to outer net using proxy_pass,
>> it seems like:
>> proxy_pass http://[public ip]:[port]
>> Unfortunately, the firewall block most of the port, so the proxy_pass
>> failed.
>> I have two questions:
>> How the proxy_pass use port to forward the request? pick a random port?
>
> Outoing port (as well as IP address, unless proxy_bind is used) is
> selected by your OS. Use your system configuration options to
> tune port range used.
>
> E.g. on FreeBSD it can be done with net.inet.ip.portrange.first
> and net.inet.ip.portrange.last sysctl's. On Linux it's tuned with
> net.ipv4.ip_local_port_range sysctl or
> /proc/sys/net/ipv4/ip_local_port_range.
>
>> Would that be possible to set a port range (10000~20000 e.g) for proxy_pass
>> to use?
>
> In theory, nginx can use bind() syscall to select some particular
> port, but only one of them, and this doesn't make sense with
> proxy_pass - as this will not allow more than one connection to
> the same destination address. That is, tuning the OS as suggested
> above is the only way to go.

Or, alternatively, a local firewall with port translation can be used
to ensure that all outgoing ports that are used would be the ones that
would pass the upstream firewall.

See http://www.openbsd.org/faq/pf/rdr.html for some details, which has
a couple of examples of port redirection/translation within the
firewall.

C.

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx