Re: proxy_protocol send incorrect header

Roman Arutyunyan
October 30, 2023 09:02AM
Hi Ivan,

> On 30 Oct 2023, at 16:05, Rozhuk Ivan <rozhuk.im@gmail.com> wrote:
>
> Hi!
>
> I got an incorrect proxy header:
> PROXY TCP4 172.16.0.208 unix:/var/run/nginx_443_test.sock 9795 0\r\nSSH-2.0-OpenSSH_9.3\r\n
>
> Expect:
> PROXY TCP4 172.16.0.208 172.16.0.254 9795 443\r\nSSH-2.0-OpenSSH_9.3\r\n
>
>
>
> My config:
> 172.16.0.208 - initiator and tcp server on 4443 port.
> 172.16.0.254 - nginx host
>
> initiator:
> ssh root@172.16.0.254 -p 443
>
> tcp server on 4443: any app that can accept tcp and print received data.
>
>
> nginx config:
> ========================================
> # Set default for TLS and non TLS connections.
> map $ssl_preread_protocol $upstream_proto_val {
>     ""      unix:/var/run/nginx_443_test.sock;
>     default unix:/var/run/nginx_443_http.sock;
> }
>
> # ALPN map table.
> map $ssl_preread_alpn_protocols $upstream_alpn_val {
>     default              $upstream_proto_val;
>     "xmpp-client"        unix:/var/run/nginx_443_xmpp.sock;
>     "xmpps-client"       unix:/var/run/nginx_443_xmpp.sock;
>     "stun.turn"          unix:/var/run/nginx_443_stun.sock;
>     "stun.nat-discovery" unix:/var/run/nginx_443_stun.sock;
> }
>
>
> # ALPN router.
> server {
>     listen *:443 rcvbuf=1m sndbuf=1m so_keepalive=30m::10;
>     listen [::]:443 rcvbuf=1m sndbuf=1m so_keepalive=30m::10 ipv6only=on;
>
>     ssl_preread on;
>     #proxy_protocol $proxy_protocol_val;
>     proxy_protocol on;
>     proxy_pass $upstream_alpn_val;
> }
>
>
> server {
>     listen unix:/var/run/nginx_443_test.sock proxy_protocol rcvbuf=1m sndbuf=1m;
>
>     set_real_ip_from unix:;
>
>     proxy_protocol on;
>     proxy_pass 172.16.0.208:4443;
> }
>
> # Strip proxy protocol for xmpp.
> server {
>     listen unix:/var/run/nginx_443_xmpp.sock proxy_protocol rcvbuf=1m sndbuf=1m;
>
>     proxy_protocol off;
>     proxy_pass 127.0.0.1:5223;
> }
>
> ========================================
>
>
> PS: it would be very nice if this "proxy_protocol $proxy_protocol_val;" worked. It does not accept vars, only static values from config.

Currently the realip module only changes the client address (c->sockaddr) and leaves the server address (c->local_sockaddr) unchanged.
The behavior is the same for Stream and HTTP and is explained by the fact that initially the module only supported HTTP fields like
X-Real-IP and X-Forwarded-For, which carry only the client address.

Indeed it does look inconsistent in scenarios like yours when address families are different. But do you really need the server address,
or are you just highlighting the inconsistency?

----
Roman Arutyunyan
arut@nginx.com




_______________________________________________
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx
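
A receiver-side check for the header discussed in this thread, as an added example that is not part of the original posts or of nginx: a strict PROXY protocol v1 parser that accepts the header Ivan expected and rejects the one he observed, because its destination field is not an IPv4 address. The function, class and constant names are illustrative assumptions; the field layout and the 107-byte limit follow the PROXY protocol v1 specification.

```python
import ipaddress

MAX_V1_LEN = 107  # longest v1 header the PROXY protocol spec allows, CRLF included


class ProxyHeaderError(ValueError):
    """The PROXY v1 line is malformed and the connection should be dropped."""


def _port(text):
    # Decimal, no leading zeros, 0..65535.
    if not text.isdigit() or (len(text) > 1 and text[0] == "0") or int(text) > 65535:
        raise ProxyHeaderError(f"bad port {text!r}")
    return int(text)


def parse_proxy_v1(data):
    """Split data into (info, payload); info is None for PROXY UNKNOWN."""
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if end == -1:
        raise ProxyHeaderError("no CRLF within the first 107 bytes")
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII byte in header") from None
    payload = data[end + 2:]
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ProxyHeaderError("missing PROXY signature")
    if fields[1] == "UNKNOWN":
        return None, payload
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ProxyHeaderError("expected TCP4/TCP6 followed by four fields")
    addr = ipaddress.IPv4Address if fields[1] == "TCP4" else ipaddress.IPv6Address
    try:
        src, dst = addr(fields[2]), addr(fields[3])
    except ValueError as exc:
        raise ProxyHeaderError(f"address is not valid for {fields[1]}: {exc}") from None
    return {"family": fields[1], "src": str(src), "dst": str(dst),
            "src_port": _port(fields[4]), "dst_port": _port(fields[5])}, payload


# The two header lines quoted in the thread, as the listener on port 4443 receives them.
OBSERVED = b"PROXY TCP4 172.16.0.208 unix:/var/run/nginx_443_test.sock 9795 0\r\nSSH-2.0-OpenSSH_9.3\r\n"
EXPECTED = b"PROXY TCP4 172.16.0.208 172.16.0.254 9795 443\r\nSSH-2.0-OpenSSH_9.3\r\n"
```

A backend that parses this strictly drops the connection on the observed header instead of logging or authorizing on a path string in the address field.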