totally transparent proxying with nginx on openbsd
mdounin at mdounin.ru
Sun Nov 7 19:25:28 MSK 2010
On Sun, Nov 07, 2010 at 01:00:11AM +1000, David Gwynne wrote:
> On Thu, Oct 28, 2010 at 08:14:01PM +0400, Maxim Dounin wrote:
> > > 1. it is completely specific to openbsd.
> > You may want to look at IP_TRANSPARENT in Linux as well. AFAIR
> > somebody was working implementing IP_TRANSPARENT support in nginx,
> > though I don't know details.
> i dont have any linux boxes in an environment i could do this work
> on. there is also little motivation for me to do it personally since
> i would have no use for it.
> however, if changing something in my diffs would help add this
> functionality to linux, then i would be happy to incorporate such
No Linux boxes here either. Just happen to know how it's done under
> > > 2. it needs root privileges to use the SO_BINDANY sockopt.
> > Some fine-grained access control in OS is required to allow
> > SO_BINDANY for non-root processes. Quick look suggests it's not
> > currently possible in OpenBSD. In Linux it's possible to
> > allow usage of IP_TRANSPARENT for non-root processes via
> > CAP_NET_ADMIN capability.
> would it be possible to get nginx master process to do the bind on
> the workers behalf, and then hand it to the worker using fd passing
> over a socket?
While theoretically possible - this approach looks silly (no idea
how to translate "автогеном через задницу" into English ;)).
> > > + if (setsockopt(s, SOL_SOCKET, SO_BINDANY,
> > > + &bindany, sizeof(bindany)) == -1)
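Review bot: the `setsockopt(s, SOL_SOCKET, SO_BINDANY, ...)` call in this hunk will not compile outside OpenBSD, so it needs a configure feature test and an `#if` guard following the `NGX_HAVE_*` pattern used for other optional socket options. The `== -1` branch is cut off in the quote; since SO_BINDANY fails with EPERM for a non-root process, that branch should log errno so a privilege problem is visible instead of a silent fallback.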
> > This obviously needs some configure tests and #ifdef's.
> have you got an example of this i can use?
See e.g. auto/os/features, here is a simple example to detect
ngx_feature_test="fcntl(0, F_READAHEAD, 1);"
This makes NGX_HAVE_F_READAHEAD define available if compilation
> this diff moves the storage of the clients address info from
> individual members of struct ngx_connection_s to a ngx_addr_t. this
> allows it to be easily handed to a ngx_peer_connection_t as the
> local address.
While I have no strong opinion whether this change is good or not,
I really recommend making this a separate patch. Additionally,
this change looks incomplete - at least realip module isn't
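As an added example, not part of this thread or of nginx itself: a feature-guarded helper for the SO_BINDANY call discussed above, with the configure-generated `NGX_HAVE_*` guard stood in for by plain `#if defined(...)` checks, Linux's IP_TRANSPARENT as the alternative Maxim mentions, and the root / CAP_NET_ADMIN failure classified separately from other errors. The function and enum names are hypothetical.

```c
#include <errno.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
/* Outcome of trying to enable non-local ("bind any") binding on a socket. */
enum bindany_rc {
    BINDANY_OK = 0,           /* option set; socket may bind a foreign address */
    BINDANY_UNSUPPORTED = 1,  /* platform has neither SO_BINDANY nor IP_TRANSPARENT */
    BINDANY_DENIED = 2,       /* EPERM: needs root (OpenBSD) or CAP_NET_ADMIN (Linux) */
    BINDANY_ERROR = 3         /* any other failure, e.g. bad descriptor */
};

/*
 * Enables non-local binding on s with whichever option the platform has.
 * The #if guards play the role of the NGX_HAVE_* defines that a configure
 * feature test (auto/feature style) would generate.  Because the option needs
 * privilege, it must be set before a master process drops root for workers.
 */
enum bindany_rc set_bindany(int s)
{
    int on = 1, rc = -1;
#if defined(SO_BINDANY)                 /* OpenBSD: SOL_SOCKET level */
    rc = setsockopt(s, SOL_SOCKET, SO_BINDANY, &on, sizeof(on));
#elif defined(IP_TRANSPARENT)           /* Linux: IPPROTO_IP level */
    rc = setsockopt(s, IPPROTO_IP, IP_TRANSPARENT, &on, sizeof(on));
#else
    (void) s; (void) on;
    return BINDANY_UNSUPPORTED;
#endif

    if (rc == 0) {
        return BINDANY_OK;
    }
    return (errno == EPERM || errno == EACCES) ? BINDANY_DENIED : BINDANY_ERROR;
}

/* Tries the option on a freshly created TCP socket (constructed input). */
enum bindany_rc probe_tcp_socket(void)
{
    enum bindany_rc rc;
    int s = socket(AF_INET, SOCK_STREAM, 0);

    if (s < 0) {
        return BINDANY_ERROR;
    }
    rc = set_bindany(s);
    close(s);
    return rc;
}
```

Run unprivileged the probe reports BINDANY_DENIED, which is exactly the point 2 problem above: the option has to be set where the privilege still exists, or the process granted CAP_NET_ADMIN on Linux.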