Re: can't setup nginx as transparent proxy server

Francis Daly
August 09, 2016 10:42AM
On Tue, Aug 09, 2016 at 01:20:46PM +0800, Peng Xie wrote:

Hi there,

> I am relatively new to nginx. I would like to set up nginx as a
> transparent reverse proxy.

What, specifically, do you mean by "transparent", here?

I think that the nginx proxy_bind config is intended so that the upstream
server is fooled into thinking that it is talking to the original client,
instead of to nginx.

(And to achieve that, you need that outside-of-nginx networking is set
up to get the packets to the right places.)

It is not clear to me that your idea of "transparent" is the same as that.

> doc2) [https://www.kernel.org/doc/Documentation/networking/tproxy.tx]

> According to doc2, I wrote a shell script as follows:
> ,----
> | #!/bin/bash
> | set -x
> | sudo iptables -F
> | sudo iptables -X
> |
> | sudo iptables -t mangle -N DIVERT;
> | sudo iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT;
> | sudo iptables -t mangle -A DIVERT -j MARK --set-mark 1;
> | sudo iptables -t mangle -A DIVERT -j ACCEPT;
> | sudo ip rule add fwmark 1 lookup 100;
> | sudo ip route add local 0.0.0.0/0 dev lo table 100;
> | sudo iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 800;
> `----

This does not look to me like it will do what you want.

From the nginx documentation:

"""
In order for this parameter to work, it is necessary to run nginx worker
processes with the superuser privileges and configure kernel routing
table to intercept network traffic from the proxied server.
"""

That does not appear to be intercepting the network traffic from the
proxied server.

(And your nginx.conf snippet did not appear to show things running with
the superuser privileges.)

> Using proxy_bind to set up a transparent proxy server may be a new feature in
> nginx. I've searched for a long time. Does anybody have a suggestion?

There is "client", "nginx", and "upstream". They all have their own IP
addresses (and ports).

Can you describe your intended connection, from which machine to which
machine using which address and port? That might make it clear whether
what you want is doable.

f
--
Francis Daly francis@daoine.org

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
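
The setup that the nginx documentation quoted in this reply describes, written out as an added example (not code from the thread or from the nginx project). The addresses, the port and the upstream name `backend` are constructed placeholders, and the routing commands assume a Linux nginx host that sits on the return path from the upstream servers.

```nginx
# Added example. Constructed placeholders:
#   nginx host 192.0.2.1, upstream servers in 192.0.2.0/28 on port 80.

# The documentation quoted above asks for superuser worker processes.
# On Linux, nginx 1.13.8 and later keep CAP_NET_RAW in the workers when
# "transparent" is used, so this line can be dropped there.
user root;

events {}

http {
    upstream backend {                      # hypothetical name
        server 192.0.2.2:80;
        server 192.0.2.3:80;
    }

    server {
        listen 80;

        location / {
            # Open the upstream connection from the client's own IP
            # address instead of an address owned by the nginx host.
            proxy_bind $remote_addr transparent;
            proxy_pass http://backend;
        }
    }
}

# Routing on the nginx host (run as root). The upstream now replies to the
# client's address, so those replies have to be caught and handed to nginx:
#
#   # mark packets coming back FROM the proxied servers
#   iptables -t mangle -A PREROUTING -p tcp -s 192.0.2.0/28 --sport 80 \
#            -j MARK --set-xmark 0x1/0xffffffff
#   # deliver marked packets to the local stack so nginx receives them
#   ip rule add fwmark 1 lookup 100
#   ip route add local 0.0.0.0/0 dev lo table 100
#
# On each upstream server, replies to client addresses must be routed
# through the nginx host, for example by making it the default gateway:
#
#   ip route replace default via 192.0.2.1
```

The mangle rule here matches on the source address and source port of the proxied servers, which is the direction the documentation's "traffic from the proxied server" refers to.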