proxy_protocol send incorrect header
Hi!

I got incorrect proxy header:
PROXY TCP4 172.16.0.208 unix:/var/run/nginx_443_test.sock 9795 0\r\nSSH-2.0-OpenSSH_9.3\r\n

Expect:
PROXY TCP4 172.16.0.208 172.16.0.254 9795 443\r\nSSH-2.0-OpenSSH_9.3\r\n

My config:
172.16.0.208 - initiator and tcp server on 4443 port.
172.16.0.254 - nginx host

initiator:
ssh root@172.16.0.254 -p 443

tcp server on 4443: any app that can accept tcp and print received data.

nginx config:

    # Set default for TLS and non TLS connections.
    map $ssl_preread_protocol $upstream_proto_val {
        ""      unix:/var/run/nginx_443_test.sock;
        default unix:/var/run/nginx_443_http.sock;
    }

    # ALPN map table.
    map $ssl_preread_alpn_protocols $upstream_alpn_val {
        default              $upstream_proto_val;
        "xmpp-client"        unix:/var/run/nginx_443_xmpp.sock;
        "xmpps-client"       unix:/var/run/nginx_443_xmpp.sock;
        "stun.turn"          unix:/var/run/nginx_443_stun.sock;
        "stun.nat-discovery" unix:/var/run/nginx_443_stun.sock;
    }

    # ALPN router.
    server {
        listen *:443 rcvbuf=1m sndbuf=1m so_keepalive=30m::10;
        listen [::]:443 rcvbuf=1m sndbuf=1m so_keepalive=30m::10 ipv6only=on;

        ssl_preread on;
        #proxy_protocol $proxy_protocol_val;
        proxy_protocol on;
        proxy_pass $upstream_alpn_val;
    }

    server {
        listen unix:/var/run/nginx_443_test.sock proxy_protocol rcvbuf=1m sndbuf=1m;

        set_real_ip_from unix:;

        proxy_protocol on;
        proxy_pass 172.16.0.208:4443;
    }

    # Strip proxy protocol for xmpp.
    server {
        listen unix:/var/run/nginx_443_xmpp.sock proxy_protocol rcvbuf=1m sndbuf=1m;

        proxy_protocol off;
        proxy_pass 127.0.0.1:5223;
    }

PS: it will be very nice if this "proxy_protocol $proxy_protocol_val;" will work. It does not accept vars, only static values from config.

___
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx
Re: proxy_protocol send incorrect header
Hi Ivan,

> On 30 Oct 2023, at 16:05, Rozhuk Ivan wrote:
>
> Hi!
>
> I got incorrect proxy header:
> PROXY TCP4 172.16.0.208 unix:/var/run/nginx_443_test.sock 9795 0\r\nSSH-2.0-OpenSSH_9.3\r\n
>
> Expect:
> PROXY TCP4 172.16.0.208 172.16.0.254 9795 443\r\nSSH-2.0-OpenSSH_9.3\r\n
>
> My config:
> 172.16.0.208 - initiator and tcp server on 4443 port.
> 172.16.0.254 - nginx host
>
> initiator:
> ssh root@172.16.0.254 -p 443
>
> tcp server on 4443: any app that can accept tcp and print received data.
>
> nginx config:
>
>     # Set default for TLS and non TLS connections.
>     map $ssl_preread_protocol $upstream_proto_val {
>         ""      unix:/var/run/nginx_443_test.sock;
>         default unix:/var/run/nginx_443_http.sock;
>     }
>
>     # ALPN map table.
>     map $ssl_preread_alpn_protocols $upstream_alpn_val {
>         default              $upstream_proto_val;
>         "xmpp-client"        unix:/var/run/nginx_443_xmpp.sock;
>         "xmpps-client"       unix:/var/run/nginx_443_xmpp.sock;
>         "stun.turn"          unix:/var/run/nginx_443_stun.sock;
>         "stun.nat-discovery" unix:/var/run/nginx_443_stun.sock;
>     }
>
>     # ALPN router.
>     server {
>         listen *:443 rcvbuf=1m sndbuf=1m so_keepalive=30m::10;
>         listen [::]:443 rcvbuf=1m sndbuf=1m so_keepalive=30m::10 ipv6only=on;
>
>         ssl_preread on;
>         #proxy_protocol $proxy_protocol_val;
>         proxy_protocol on;
>         proxy_pass $upstream_alpn_val;
>     }
>
>     server {
>         listen unix:/var/run/nginx_443_test.sock proxy_protocol rcvbuf=1m sndbuf=1m;
>
>         set_real_ip_from unix:;
>
>         proxy_protocol on;
>         proxy_pass 172.16.0.208:4443;
>     }
>
>     # Strip proxy protocol for xmpp.
>     server {
>         listen unix:/var/run/nginx_443_xmpp.sock proxy_protocol rcvbuf=1m sndbuf=1m;
>
>         proxy_protocol off;
>         proxy_pass 127.0.0.1:5223;
>     }
>
> PS: it will be very nice if this "proxy_protocol $proxy_protocol_val;" will work. It does not accept vars, only static values from config.

Currently the realip module only changes the client address (c->sockaddr) and leaves the server address (c->local_sockaddr) unchanged. The behavior is the same for Stream and HTTP and is explained by the fact that initially the module only supported HTTP fields like X-Real-IP and X-Forwarded-For, which carry only the client address.

Indeed it does look inconsistent in scenarios like yours when address families are different. But do you really need the server address, or are you just highlighting the inconsistency?

Roman Arutyunyan
a...@nginx.com
Re: proxy_protocol send incorrect header
On Mon, 30 Oct 2023 17:00:38 +0400
Roman Arutyunyan wrote:

> > I got incorrect proxy header:
> > PROXY TCP4 172.16.0.208 unix:/var/run/nginx_443_test.sock 9795 0\r\nSSH-2.0-OpenSSH_9.3\r\n
> >
> > Expect:
> > PROXY TCP4 172.16.0.208 172.16.0.254 9795 443\r\nSSH-2.0-OpenSSH_9.3\r\n
>
> Currently the realip module only changes the client address
> (c->sockaddr) and leaves the server address (c->local_sockaddr)
> unchanged. The behavior is the same for Stream and HTTP and is
> explained by the fact that initially the module only supported HTTP
> fields like X-Real-IP and X-Forwarded-For, which carry only client
> address.
>
> Indeed it does look inconsistent in scenarios like yours when address
> families are different. But do you really need the server address or
> you just highlight the inconsistency?

1. I am writing a proxy protocol (PP) parser, and it uses:
   inet_pton(family, straddr, sa_addr)
   where family is taken from TCP4/TCP6 => AF_INET/AF_INET6.
   It fails for 2 reasons:
   a. inet_pton() supports only AF_INET/AF_INET6, at least on FreeBSD.
   b. It never gets AF_UNIX, since it is not expected in proxy protocol v1.

2. Even in case I do addr type auto detection, the record for AF_UNIX should be:
   /var/run/nginx_443_test.sock
   not
   unix:/var/run/nginx_443_test.sock

3. Proxy protocol is designed to pass info about the client connection, so it is impossible to get a mix of AF_INET/AF_INET6/AF_UNIX in one connection.
   __The current nginx implementation violates the proxy protocol specification.__

4. I suppose other parser implementations of proxy protocol will also fail to parse mixed address families.

In my use case 443 is shared between a few services; one of them supports proxy protocol but does not support TLS+PP, so I need to terminate TLS using nginx and pass PP+plain text to the service.
A few services do not support PP, and I must make an additional proxy inside nginx to remove PP because the proxy_protocol option does not support variables.
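As an added example (not code from the thread, from nginx, or from Ivan's parser), here is a strict PROXY protocol v1 parser in Python that applies the same check Ivan describes: the address family is taken from the TCP4/TCP6 token and each address is validated with inet_pton() for that family. Run against the two header lines quoted in the thread, it accepts the expected header and rejects the one nginx sent, because "unix:/var/run/nginx_443_test.sock" is not an IPv4 literal and v1 has no token for AF_UNIX at all. The two sample byte strings are constructed from the thread's text, the SSH banner after the CRLF is treated as the proxied payload, and the function names (parse_proxy_v1, header_error) are this example's own.

```python
"""Strict PROXY protocol v1 parser (added example; not nginx's or the
thread author's code).  Sample headers are the two lines quoted in the
thread, with the SSH banner treated as the proxied payload."""
import socket
from dataclasses import dataclass
from typing import Optional

# The v1 spec bounds the header line, CRLF included, to 107 bytes, so the
# receiver never has to scan an unbounded payload looking for "\r\n".
MAX_V1_LINE = 107

# TCP4/TCP6 are the only address families a v1 header can carry.  There is
# no token for AF_UNIX; a "unix:" address is outside the protocol.
_FAMILIES = {"TCP4": socket.AF_INET, "TCP6": socket.AF_INET6}


class ProxyV1Error(ValueError):
    """Raised when the bytes do not form a valid PROXY v1 header."""


@dataclass(frozen=True)
class ProxyV1Header:
    proto: str                  # "TCP4", "TCP6" or "UNKNOWN"
    src_addr: Optional[str]
    dst_addr: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]
    consumed: int               # header length incl. CRLF; payload = data[consumed:]


def _parse_addr(family: int, text: str) -> str:
    # Same check the thread describes: inet_pton() with the family taken
    # from the TCP4/TCP6 token.  Anything that is not a literal address of
    # that family (nginx's "unix:/path", an IPv6 literal under TCP4, ...)
    # makes inet_pton() raise OSError and is rejected.
    try:
        socket.inet_pton(family, text)
    except OSError as exc:
        raise ProxyV1Error(f"{text!r} is not a valid address for this family") from exc
    return text


def _parse_port(text: str) -> int:
    if not text.isdigit() or len(text) > 5 or int(text) > 65535:
        raise ProxyV1Error(f"bad port {text!r}")
    return int(text)


def parse_proxy_v1(data: bytes) -> ProxyV1Header:
    """Parse the PROXY v1 line at the start of `data` or raise ProxyV1Error."""
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if end < 0:
        raise ProxyV1Error("no CRLF within the first 107 bytes (not a v1 header)")
    try:
        line = data[:end].decode("ascii")
    except UnicodeDecodeError as exc:
        raise ProxyV1Error("non-ASCII byte in header line") from exc
    fields = line.split(" ")
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ProxyV1Error(f"malformed header line {line!r}")
    proto = fields[1]
    if proto == "UNKNOWN":
        # The sender may put anything after UNKNOWN; the receiver ignores it
        # up to the CRLF and falls back to the real socket addresses.
        return ProxyV1Header("UNKNOWN", None, None, None, None, end + 2)
    if proto not in _FAMILIES:
        raise ProxyV1Error(f"unsupported protocol token {proto!r}")
    if len(fields) != 6 or "" in fields:
        # Exactly six single-space separated fields: PROXY proto src dst sport dport
        raise ProxyV1Error(f"expected 6 fields for {proto}, got {line!r}")
    family = _FAMILIES[proto]
    src_addr = _parse_addr(family, fields[2])
    dst_addr = _parse_addr(family, fields[3])
    src_port = _parse_port(fields[4])
    dst_port = _parse_port(fields[5])
    return ProxyV1Header(proto, src_addr, dst_addr, src_port, dst_port, end + 2)


def header_error(data: bytes) -> Optional[str]:
    """Return None if `data` starts with a valid v1 header, else the reason."""
    try:
        parse_proxy_v1(data)
        return None
    except ProxyV1Error as exc:
        return str(exc)


# Constructed from the two lines quoted in the thread.
NGINX_SENT = (b"PROXY TCP4 172.16.0.208 unix:/var/run/nginx_443_test.sock 9795 0\r\n"
              b"SSH-2.0-OpenSSH_9.3\r\n")
EXPECTED = b"PROXY TCP4 172.16.0.208 172.16.0.254 9795 443\r\nSSH-2.0-OpenSSH_9.3\r\n"

if __name__ == "__main__":
    for label, sample in (("nginx sent", NGINX_SENT), ("expected", EXPECTED)):
        err = header_error(sample)
        if err is None:
            hdr = parse_proxy_v1(sample)
            print(f"{label}: OK {hdr.src_addr}:{hdr.src_port} -> {hdr.dst_addr}:{hdr.dst_port}, "
                  f"payload {sample[hdr.consumed:]!r}")
        else:
            print(f"{label}: REJECTED ({err})")
```

Bounding the CRLF search to 107 bytes matters on a listener that is reachable from untrusted peers: a client that sends a long line with no CRLF should be dropped after one read, not buffered indefinitely. Note also that this parser deliberately rejects the nginx header rather than trying to guess a family from "unix:", which is the point Ivan makes in item 3 of his reply: the sender, not the receiver, is responsible for emitting addresses of a single family that the TCP4/TCP6 token names.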