R: problem with proxy pass

Stefano Serano
March 01, 2020 02:42PM
Hi.
You're right, I think I have to explain better. Here is my situation:

1. I've two HIDS nodes that use port 1515 TCP for agents authentication, and 1514 UDP to receive logs from agents. If I point agents from outside and inside my network directly to the nodes, no problem arises.
2. I've moved these nodes to another network, 10.0.0.0, and added a new CentOS 7 machine that I want to use as a proxy to forward ports 1515 and 1514 UDP to my two HIDS nodes. This machine is configured with two Ethernet adapters: one configured to communicate with the nodes on network 10.0.0.0, and another configured to communicate with the agents outside my network (published through my firewall) and with the agents in my local network 192.x.x.x.

Now, on my proxy machine I've disabled Firewalld, disabled SELinux and installed nginx with this configuration:

--------------------------------------
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 10000;
}

stream {
    upstream master {
        server 10.0.0.7:1515;
    }
    upstream mycluster {
        hash $remote_addr consistent;
        server 10.0.0.7:1514;
        server 10.0.0.6:1514;
    }
    server {
        listen 1515;
        proxy_pass master;
    }
    server {
        listen 1514 udp;
        proxy_pass mycluster;
    }
    #error_log /var/log/nginx/error.log debug;
}

--------------------------------------

All the agents from outside my network have no problem; they can authenticate themselves to my HIDS nodes over port 1515 TCP and send logs over port 1514 UDP.

The agents in my local network (192.x.x.x), instead, are able to authenticate over port 1515 TCP, but not to send logs over 1514 UDP. The agents' log said that they are unable to connect over that port.

If I temporarily change the port 1514 UDP to 1514 TCP in my HIDS nodes, and make the same change in the Nginx configuration, they are able to send logs as if nothing happened, but I can't use this solution because I would need to change the port in all agents' configuration manually, so I need to make the port 1514 UDP work.

Hope I've made the situation clearer, have a nice day.




Stefano Serano
Tel: 0331-726090
Fax: 0331-728229
e-mail: stefano.serano@ngway.it
http://www.ngway.it



-----Original message-----
From: nginx <nginx-bounces@nginx.org> On behalf of Reinis Rozitis
Sent: Thursday, 27 February 2020 18:46
To: nginx@nginx.org
Subject: RE: problem with proxy pass

> From the hosts outside I've no connection problem, but from inside they are unable to connect to the port. No firewalls are enabled on the Nginx LB (CentOS 7 machine, by the way) and SELinux is disabled.

By "from inside" you mean other hosts in the LAN or the same CentOS machine?
If the first, then it's most likely firewall (limited outbound UDP on the clients) or routing related.

Without knowing the details/network topology there is not much to suggest - try to test if the clients can connect to any other (open) port, icmp ping the centos machine or inspect the network activity with tcpdump.

rr

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
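
One way to run the client-side UDP test suggested in the quoted reply, as an added example that is not part of the original thread: a probe that sends one datagram and reports whether a reply returns and from which address. It assumes a temporary echo listener (the hypothetical `echo_once`) sits behind the address and test port being probed, since a real service may not answer an arbitrary datagram; all function names are assumptions.

```python
import socket

def echo_once(sock):
    """Echo a single datagram back to its sender (temporary test listener)."""
    data, peer = sock.recvfrom(2048)
    sock.sendto(data, peer)

def probe_udp(host, port, payload=b"udp-probe", timeout=2.0):
    """Send one datagram; return (verdict, source address of the reply or None)."""
    target_ip = socket.gethostbyname(host)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # Unconnected socket on purpose: a connected one would silently drop
        # replies whose source differs from the address we sent to.
        s.sendto(payload, (target_ip, port))
        try:
            data, src = s.recvfrom(2048)
        except socket.timeout:
            # Lost on the way in, filtered, or the reply never came back.
            return ("no-reply", None)
        except ConnectionError:
            # Some stacks surface an ICMP port-unreachable as an error here.
            return ("icmp-unreachable", None)
    if data != payload:
        return ("unexpected-payload", src[0])
    if src[0] != target_ip:
        # Reply left a multi-homed host from another interface/address.
        return ("reply-from-other-address", src[0])
    return ("reply-from-target", src[0])

if __name__ == "__main__":
    # Constructed loopback demo; replace with the proxy address and a test port.
    import threading
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    threading.Thread(target=echo_once, args=(srv,), daemon=True).start()
    print(probe_udp("127.0.0.1", srv.getsockname()[1]))
    srv.close()
```

Running it from a LAN client while `tcpdump` captures on the proxy shows on which leg the datagram or its reply disappears.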