Re: preserve client source address when proxying to upstream

Vsevolod Petrov
December 17, 2015 07:30AM
Thanks for pointing me in the right direction, Maxim!

I've found a number of posts where people are discussing nginx acting as a
listener at 0.0.0.0:80/0 for outbound traffic, enabling the system to
review every outgoing packet. In this way nginx can act as a transparent
proxy that does not perform destination address translation.

What I'm asking for is a special handling for inbound packets. I still want
nginx to perform destination address translation, but I need to keep
original source address in the packet.

As far as I understood, both scenarios rely on using
IP_TRANSPARENT/IP_FREEBIND on Linux, as you mentioned previously.
While there's no complete solution at the moment, I think that it's a great
idea to add such functions in the future, at least in the commercial version of
nginx. On the other hand, positioning nginx as an ADC solution requires
giving administrators more control over application delivery, and translating
source/destination addresses/ports are just necessary options.


--
Vsevolod Petrov

2015-12-16 19:56 GMT+03:00 Maxim Dounin <mdounin@mdounin.ru>:

> Hello!
>
> On Wed, Dec 16, 2015 at 06:56:02PM +0300, Vsevolod Petrov wrote:
>
> > Hello,
> >
> > The proxy_bind directive allows specifying the source IP address for proxied
> > connections.
> > This directive can be set to local IP address.
> >
> > I'm wondering if there's a way to set $remote_addr as proxy_bind address?
> > Or any other non-local IP address?
> >
> > The idea is to see original client source IP address at the server site.
> > While it's not http traffic I cannot use XFF header.
> >
> > Destination MAC address in the response packet from the server is set to
> > nginx server interface address. So, there's no problem at layer 2
> > communication.
> >
> > Can nginx listen for responses coming to non-local destination address?
>
> In theory this is possible with appropriate OS-level support, and
> as long as you are able to route packets properly. In particular,
> this should be possible on OpenBSD using SO_BINDANY, on FreeBSD
> using IP_BINDANY, and on Linux using IP_TRANSPARENT/IP_FREEBIND.
>
> An earlier attempt to make it work on nginx can be found here
> (OpenBSD-specific patch):
>
> http://mailman.nginx.org/pipermail/nginx-devel/2010-October/000533.html
>
> As far as I understand, doing proper support should be mostly
> trivial now with variables support in proxy_bind.
>
> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>