<div dir="ltr">Thanks for the detailed description! The use case that you described explains all:<div>"...<span style="font-size:12.8px"> to uniquely identify client </span><span style="font-size:12.8px">even if it is behind a NAT or we need to find out a particular </span><span style="font-size:12.8px">process which established the connection."</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">Both </span><span style="font-size:12.8px">56324 and 443 values could be used in certain scenarios and now we'd need to introduce new variable to satisfy all valid use cases.</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">Perhaps this could evolve into a new feature and new var?</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">Kind regards,</span></div><div><span style="font-size:12.8px">Janusz</span></div></div><div class="gmail_extra"><br><div class="gmail_quote">2017-05-15 17:04 GMT+02:00 Maxim Dounin <span dir="ltr"><<a href="mailto:mdounin@mdounin.ru" target="_blank">mdounin@mdounin.ru</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello!<br>
<span class=""><br>
On Mon, May 15, 2017 at 04:00:07PM +0200, Janusz M wrote:<br>
<br>
> Hi Maxim,<br>
><br>
> First of all thanks for your quick reply. I read the nginx 1.11.0 and<br>
> 1.11.4 release notes, thanks. Perhaps I wasn't as clear in my description<br>
> as possible.<br>
><br>
> Please consider the following scenario:<br>
><br>
> * a client (user) with IP 185.12.12.12 makes an HTTPS request to the app<br>
> and hits the load balancer<br>
> * load balancer forwards both HTTP and HTTPS requests to nginx server on<br>
> port 80 (standard Amazon AWS setup)<br>
> * Proxy Protocol is turned on, load balancer adds the following line to the<br>
> request:<br>
><br>
> PROXY TCP4 185.12.12.12 172.31.0.11 56324 443<br>
<br>
</span>So, as per PROXY protocol specification, source address is<br>
185.12.12.12, source port is 56324. Destination address is<br>
172.31.0.11, destination port is 443.<br>
<span class=""><br>
> * nginx with proxy_protocol on reads port 56324 to $proxy_protocol_port.<br>
><br>
><br>
> The point is that with the current implementation, either nginx's behaviour<br>
> or proxy protocol itself feels inconsistent.<br>
> You wrote:<br>
> "The $proxy_protocol_port, much like $proxy_protocol_addr, reflects client<br>
> port for the proxy protocol header. "<br>
> but in fact, what we see in those variables is the client IP (public IP of<br>
> the client's computer) and the load balancer port (not the client port).<br>
<br>
</span>When the original client connection uses 185.12.12.12 source<br>
address and 56324 source port, $proxy_protocol_addr will contain<br>
185.12.12.12, and $proxy_protocol_port will contain 56324. This<br>
is perfectly consistent and will allow to uniquely identify client<br>
even if it is behind a NAT or we need to find out a particular<br>
process which established the connection.<br>
<br>
Both destination address and destination port are not available<br>
via nginx variables. As previously suggested, if you want to<br>
distinguish between different destinations, you can easily do so<br>
by using distinct listening sockets in nginx.<br>
<br>
It looks like you somehow think that "client port" means "the port<br>
which client used as a destination of a connection". This is<br>
certainly not what it used to mean. Each TCP connection has two<br>
sides, and each side has an address and a port. When one of the<br>
sides is a client, "client address" is the address of this side,<br>
and "client port" is the port of this side. Please refer to TCP<br>
protocol description for more information.<br>
<div class="HOEnZb"><div class="h5"><br>
--<br>
Maxim Dounin<br>
<a href="http://nginx.org/" rel="noreferrer" target="_blank">http://nginx.org/</a><br>
______________________________<wbr>_________________<br>
nginx-devel mailing list<br>
<a href="mailto:nginx-devel@nginx.org">nginx-devel@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx-devel" rel="noreferrer" target="_blank">http://mailman.nginx.org/<wbr>mailman/listinfo/nginx-devel</a><br>
</div></div></blockquote></div><br></div>