proxy_protocol send incorrect header

2023-10-30 Thread Rozhuk Ivan
Hi!

I got incorrect proxy header:
PROXY TCP4 172.16.0.208 unix:/var/run/nginx_443_test.sock 9795 
0\r\nSSH-2.0-OpenSSH_9.3\r\n

Expect:
PROXY TCP4 172.16.0.208 172.16.0.254 9795 443\r\nSSH-2.0-OpenSSH_9.3\r\n



My config:
172.16.0.208 - initiator and tcp server on 4443 port.
172.16.0.254 - nginx host

initiator:
ssh root@172.16.0.254 -p 443

tcp server on 4443: any app that can accept tcp and print received data.


nginx config:

# Set default for TLS and non TLS connections.
map $ssl_preread_protocol $upstream_proto_val {
""  unix:/var/run/nginx_443_test.sock;
default unix:/var/run/nginx_443_http.sock;
}

# ALPN map table.
map $ssl_preread_alpn_protocols $upstream_alpn_val {
default $upstream_proto_val;
"xmpp-client"   unix:/var/run/nginx_443_xmpp.sock;
"xmpps-client"  unix:/var/run/nginx_443_xmpp.sock;
"stun.turn" unix:/var/run/nginx_443_stun.sock;
"stun.nat-discovery"unix:/var/run/nginx_443_stun.sock;
}


# ALPN router.
server {
listen  *:443 rcvbuf=1m sndbuf=1m so_keepalive=30m::10;
listen  [::]:443 rcvbuf=1m sndbuf=1m so_keepalive=30m::10 
ipv6only=on;

ssl_preread on;
#proxy_protocol $proxy_protocol_val;
proxy_protocol  on;
proxy_pass  $upstream_alpn_val;
}


server {
listen  unix:/var/run/nginx_443_test.sock 
proxy_protocol rcvbuf=1m sndbuf=1m;

set_real_ip_fromunix:;

proxy_protocol  on;
proxy_pass  172.16.0.208:4443;
}

# Strip proxy protocol for xmpp.
server {
listen  unix:/var/run/nginx_443_xmpp.sock 
proxy_protocol rcvbuf=1m sndbuf=1m;

proxy_protocol  off;
proxy_pass  127.0.0.1:5223;
}




PS: it will be very nice if this "proxy_protocol $proxy_protocol_val;" will 
work. It does not accept vars, only static values from config.

___
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx


Re: proxy_protocol send incorrect header

2023-10-30 Thread Roman Arutyunyan
Hi Ivan,

> On 30 Oct 2023, at 16:05, Rozhuk Ivan  wrote:
> 
> Hi!
> 
> I got incorrect proxy header:
> PROXY TCP4 172.16.0.208 unix:/var/run/nginx_443_test.sock 9795 
> 0\r\nSSH-2.0-OpenSSH_9.3\r\n
> 
> Expect:
> PROXY TCP4 172.16.0.208 172.16.0.254 9795 443\r\nSSH-2.0-OpenSSH_9.3\r\n
> 
> 
> 
> My config:
> 172.16.0.208 - initiator and tcp server on 4443 port.
> 172.16.0.254 - nginx host
> 
> initiator:
> ssh root@172.16.0.254 -p 443
> 
> tcp server on 4443: any app that can accept tcp and print received data.
> 
> 
> nginx config:
> 
> # Set default for TLS and non TLS connections.
> map $ssl_preread_protocol $upstream_proto_val {
>   ""  unix:/var/run/nginx_443_test.sock;
>   default unix:/var/run/nginx_443_http.sock;
> }
> 
> # ALPN map table.
> map $ssl_preread_alpn_protocols $upstream_alpn_val {
>   default $upstream_proto_val;
>   "xmpp-client"   unix:/var/run/nginx_443_xmpp.sock;
>   "xmpps-client"  unix:/var/run/nginx_443_xmpp.sock;
>   "stun.turn" unix:/var/run/nginx_443_stun.sock;
>   "stun.nat-discovery"unix:/var/run/nginx_443_stun.sock;
> }
> 
> 
> # ALPN router.
> server {
>   listen  *:443 rcvbuf=1m sndbuf=1m so_keepalive=30m::10;
>   listen  [::]:443 rcvbuf=1m sndbuf=1m so_keepalive=30m::10 
> ipv6only=on;
> 
>   ssl_preread on;
>   #proxy_protocol $proxy_protocol_val;
>   proxy_protocol  on;
>   proxy_pass  $upstream_alpn_val;
> }
> 
> 
> server {
>   listen  unix:/var/run/nginx_443_test.sock 
> proxy_protocol rcvbuf=1m sndbuf=1m;
> 
>   set_real_ip_fromunix:;
> 
>   proxy_protocol  on;
>   proxy_pass  172.16.0.208:4443;
> }
> 
> # Strip proxy protocol for xmpp.
> server {
>   listen  unix:/var/run/nginx_443_xmpp.sock 
> proxy_protocol rcvbuf=1m sndbuf=1m;
> 
>   proxy_protocol  off;
>   proxy_pass  127.0.0.1:5223;
> }
> 
> 
> 
> 
> PS: it will be very nice if this "proxy_protocol $proxy_protocol_val;" will 
> work. It does not accept vars, only static values from config.

Currently the realip module only changes the client address (c->sockaddr) and 
leaves the server address (c->local_sockaddr) unchanged.
The behavior is the same for Stream and HTTP and is explained by the fact that 
initially the module only supported HTTP fields like
X-Real-IP and X-Forwarded-For, which carry only client address.

Indeed it does look inconsistent in scenarios like yours when address families 
are different. But do you really need the server address
or you just highlight the inconsistency?


Roman Arutyunyan
a...@nginx.com




___
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx


Re: proxy_protocol send incorrect header

2023-10-30 Thread Rozhuk Ivan
On Mon, 30 Oct 2023 17:00:38 +0400
Roman Arutyunyan  wrote:

> > I got incorrect proxy header:
> > PROXY TCP4 172.16.0.208 unix:/var/run/nginx_443_test.sock 9795
> > 0\r\nSSH-2.0-OpenSSH_9.3\r\n
> > 
> > Expect:
> > PROXY TCP4 172.16.0.208 172.16.0.254 9795
> > 443\r\nSSH-2.0-OpenSSH_9.3\r\n
> > 

> Currently the realip module only changes the client address
> (c->sockaddr) and leaves the server address (c->local_sockaddr)
> unchanged. The behavior is the same for Stream and HTTP and is
> explained by the fact that initially the module only supported HTTP
> fields like X-Real-IP and X-Forwarded-For, which carry only client
> address.
> 
> Indeed it does look inconsistent in scenarios like yours when address
> families are different. But do you really need the server address or
> you just highlight the inconsistency?


1. I am writing proxy protocol (PP) parser, and it uses:
inet_pton(family, straddr, sa_addr)
where family was taken from TCP4/TCP6 => AF_INET/AF_INET6
It fail by 2 reasons:
a. inet_pton() support only AF_INET/AF_INET6 at least on FreeBSD
b. It never get AF_UNIX - since it is not expected in
proxy protocol v1.

2. Even in case I do addr type auto detection, record for AF_UNUX
should be:
/var/run/nginx_443_test.sock
not
unix:/var/run/nginx_443_test.sock

3. Proxy protocol designed to pass info about client
connection, so it is impossible get mix of
AF_INET/AF_INET6/AF_UNIX in one connection.
__Current nginx implementation violate proxy protocol specification.__

4. I suppose other parser implementations of proxy protocol
will be also fail to parse mixed address families.


In my use case 443 shared between few services, one of them
support proxy protocol but does not support TLS+PP,
so I need terminate TLS using nginx and pass PP+plain text to service.

Few services does not support PP, and I must make additional proxy
inside nginx to remove PP because proxy_protocol option does not
support variables.
___
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx