Welcome! Log In Create A New Profile

Re: Transmission remote GUI proxy_protocol broken header

Forum List Message List New Topic Print View

Francis Daly

September 22, 2016 02:46PM

On Thu, Sep 22, 2016 at 05:54:35AM -0400, adrhc wrote:

Hi there,

> What is the thing writing to nginx? (stunnel, I think)
> stunnel according to the setup:

I strongly suspect that your stunnel is not doing what you want it to do.

If you "tcpdump" the traffic out of stunnel; or if you replace nginx
with a "netcat" listener so you can see the bytes that are transferred;
I think you will see something other than plain http coming out of it.

> How is it configured?

> [tls to any http]
> sni = tls:*
> # using nginx proxy_protocol (is http though using 443!):
> connect = 127.0.0.1:443
> protocol = proxy

https://www.stunnel.org/static/stunnel.html, in the "sni=" section,
says """The connect option of the slave service is ignored when the
protocol option is specified, as protocol connects to the remote host
before TLS handshake."""

I suspect that that is related to what stunnel is doing. Have you any
way of verifying that stunnel can do what you want, and does do what
you want with this configuration?

> What version of proxy_protocol is stunnel writing?
> it's the one from nginx 1.11.3 ...

nginx is listening (I think) for proxy-protocol version 1. If stunnel
is writing version 2, things will go wrong.

> If it is trying to speak something other than http wrapped in tls,
> it is unlikely that nginx will be able to process the requests.
> I gues it tries not because it's working fine with
> https://adrhc.go.ro/transmission/ but when stunnel is not involved e.g.:
> Transmission remote GUI:443 -> sshttp:443 -> nginx:127.0.0.1:1443 (with ssl,
> without listen ... proxy_protocol, port_in_redirect off)

Ok, so from that you can read that nginx access log to see what the
first request that "transmission" makes is.

Then you can see whether that gets to your no-ssl nginx on port 443. I
think you have shown that it does not.

If you are interested in testing, it might be worth seeing what happens
if you put stunnel in front of nginx-ssl-proxy-protocol, or in front of
nginx-ssl, or in front of nginx without proxy-protocol. Depending on the
bytes that make it to nginx and how hey are interpreted, that might point
at whether the problem is with stunnel writing, or with nginx reading,
in the original case that you care about.

Good luck with it,

f
--
Francis Daly francis@daoine.org

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Reply Quote

RSS

Subject	Author	Posted
Transmission remote GUI proxy_protocol broken header	adrhc	September 19, 2016 09:08AM
Re: Transmission remote GUI proxy_protocol broken header	Francis Daly	September 20, 2016 03:52PM
Re: Transmission remote GUI proxy_protocol broken header	adrhc	September 21, 2016 04:05AM
Re: Transmission remote GUI proxy_protocol broken header	Francis Daly	September 21, 2016 12:56PM
Re: Transmission remote GUI proxy_protocol broken header	adrhc	September 22, 2016 05:54AM
Re: Transmission remote GUI proxy_protocol broken header	Francis Daly	September 22, 2016 02:46PM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 173

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018