totally transparent proxying with nginx on openbsd

Maxim Dounin mdounin at
Sun Nov 7 19:25:28 MSK 2010


On Sun, Nov 07, 2010 at 01:00:11AM +1000, David Gwynne wrote:

> On Thu, Oct 28, 2010 at 08:14:01PM +0400, Maxim Dounin wrote:


> > > 1. it is completely specific to openbsd.
> > 
> > You may want to look at IP_TRANSPARENT in Linux as well.  AFAIR 
> > somebody was working on implementing IP_TRANSPARENT support in nginx, 
> > though I don't know details.
> i dont have any linux boxes in an environment i could do this work
> on. there is also little motivation for me to do it personally since
> i would have no use for it.
> however, if changing something in my diffs would help add this
> functionality to linux, then i would be happy to incorporate such
> changes.

No Linux boxes here too.  Just happen to know how it's done under 

> > > 2. it needs root privileges to use the SO_BINDANY sockopt.
> > 
> > Some fine-grained access control in OS is required to allow 
> > SO_BINDANY for non-root processes.  Quick look suggests it's not 
> > currently possible in OpenBSD.  In Linux it's possible to 
> > allow usage of IP_TRANSPARENT for non-root processes via 
> > CAP_NET_ADMIN capability.
> would it be possible to get nginx master process to do the bind on
> the workers behalf, and then hand it to the worker using fd passing
> over a socket?

While theoretically possible - this approach looks silly (no idea 
how to translate "автогеном через задницу" into English ;)).


> > > +        if (setsockopt(s, SOL_SOCKET, SO_BINDANY,
> > > +                    &bindany, sizeof(bindany)) == -1)
> > 
> > This obviously needs some configure tests and #ifdef's.
> have you got an example of this i can use?

See e.g. auto/os/features, here is simple example to detect 
F_READAHEAD presence:

ngx_feature_incs="#include <fcntl.h>"
ngx_feature_test="fcntl(0, F_READAHEAD, 1);"
. auto/feature

This makes NGX_HAVE_F_READAHEAD define available if compilation 


> this diff moves the storage of the clients address info from
> individual members of struct ngx_connection_s to a ngx_addr_t. this
> allows it to be easily handed to a ngx_peer_connection_t as the
> local address.

While I have no strong opinion whether this change is good or not, 
I really recommend making this a separate patch.  Additionally, 
this change looks incomplete - at least realip module isn't 

Maxim Dounin
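An added example, not code from this thread or from nginx, of what the "#ifdef'd" setsockopt() discussed above could look like once a configure test has decided whether the option exists. In nginx the NGX_HAVE_SO_BINDANY macro would be emitted by an auto/feature block of the kind Maxim quotes (ngx_feature_name="NGX_HAVE_SO_BINDANY", ngx_feature_incs="#include <sys/socket.h>", ngx_feature_test="int on = 1; setsockopt(0, SOL_SOCKET, SO_BINDANY, &on, sizeof(on));"); so that this file builds stand-alone, the macros are instead derived directly from the system headers, which is an assumption of this example. The function names, return codes and the Linux IP_TRANSPARENT branch (which the thread only mentions) are likewise this example's own.

```c
/* Added example (not nginx code): enabling non-local binding on a socket
 * with the option compiled in conditionally. In nginx the NGX_HAVE_*
 * macros would come from an auto/feature configure test; here they are
 * derived from the headers so the file compiles on its own (assumption). */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>

#if defined(SO_BINDANY)
#define NGX_HAVE_SO_BINDANY      1   /* OpenBSD */
#endif
#if defined(IP_TRANSPARENT)
#define NGX_HAVE_IP_TRANSPARENT  1   /* Linux */
#endif

#define TRANSPARENT_OK           0
#define TRANSPARENT_FAILED      -1   /* errno is set by setsockopt() */
#define TRANSPARENT_UNSUPPORTED  1   /* neither option compiled in */

/* Name of the mechanism compiled in, for a startup log line. */
const char *transparent_mechanism(void)
{
#if (NGX_HAVE_SO_BINDANY)
    return "SO_BINDANY";
#elif (NGX_HAVE_IP_TRANSPARENT)
    return "IP_TRANSPARENT";
#else
    return "none";
#endif
}

/* Ask the kernel to let socket s bind to a non-local address.
 * Returns one of the TRANSPARENT_* codes above. */
int set_transparent(int s)
{
    int on = 1;

#if (NGX_HAVE_SO_BINDANY)
    /* OpenBSD: the calling process must be root at this point */
    if (setsockopt(s, SOL_SOCKET, SO_BINDANY, &on, sizeof(on)) == -1) {
        return TRANSPARENT_FAILED;
    }
    return TRANSPARENT_OK;
#elif (NGX_HAVE_IP_TRANSPARENT)
    /* Linux: the calling process needs CAP_NET_ADMIN */
    if (setsockopt(s, IPPROTO_IP, IP_TRANSPARENT, &on, sizeof(on)) == -1) {
        return TRANSPARENT_FAILED;
    }
    return TRANSPARENT_OK;
#else
    (void) s;
    (void) on;
    return TRANSPARENT_UNSUPPORTED;
#endif
}

int main(void)
{
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == -1) {
        perror("socket");
        return 1;
    }

    int r = set_transparent(s);
    if (r == TRANSPARENT_OK) {
        printf("%s enabled\n", transparent_mechanism());
    } else if (r == TRANSPARENT_UNSUPPORTED) {
        printf("transparent binding not compiled in\n");
    } else if (errno == EPERM) {
        /* an unprivileged worker: the root / CAP_NET_ADMIN point above */
        printf("%s: insufficient privileges (%s)\n",
               transparent_mechanism(), strerror(errno));
    } else {
        perror("setsockopt");
    }

    close(s);
    return 0;
}
```

Run as an unprivileged user on a system where the option exists, the program reports the EPERM case rather than failing silently, which is the check a worker process would want to log before assuming transparent binding is in effect.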
