preserve client source address when proxying to upstream
Maxim Dounin
mdounin at mdounin.ru
Wed Dec 16 16:56:05 UTC 2015
Hello!
On Wed, Dec 16, 2015 at 06:56:02PM +0300, Vsevolod Petrov wrote:
> Hello,
>
> proxy_bind directive allows to specify source IP address for proxied
> connections.
> This directive can be set to local IP address.
>
> I'm wondering if there's a way to set $remote_addr as proxy_bind address?
> Or any other non-local IP address?
>
> The idea is to see original client source IP address at the server site.
> While it's not http traffic I cannot use XFF header.
>
> Destination MAC address in the response packet from the server is set to
> nginx server interface address. So, there's no problem at layer 2
> communication.
>
> Can nginx listen for responses coming to non-local destination address?
In theory this is possible with appropriate OS-level support, and
as long as you are able to route packets properly. In particular,
this should be possible on OpenBSD using SO_BINDANY, on FreeBSD
using IP_BINDANY, and on Linux using IP_TRANSPARENT/IP_FREEBIND.
An erlier attempt to make it work on nginx can be found here
(OpenBSD-specific patch):
http://mailman.nginx.org/pipermail/nginx-devel/2010-October/000533.html
As far as I understand, doing proper support should be mostly
trivial now with variables support in proxy_bind.
--
Maxim Dounin
http://nginx.org/
More information about the nginx
mailing list