NGINX non-HTTP port forwarding from internet to private LAN preserving the client IP
francis at daoine.org
Sun Apr 29 09:08:52 UTC 2018
On Fri, Apr 27, 2018 at 01:41:26AM +0200, Mauro Tridici wrote:
> So, I would like to ask you if I can use NGINX i order to start a port forwarding from an internet client to a server machine in my private LAN preserving the client IP.
In general, what you want cannot be done (I believe).
There are some specific cases where it can be made to work. Maybe your
case is, or can be made, one of those.
One case is where the upstream service can be told to expect the
"proxy protocol". The client connects to nginx; nginx is configured
with a suitable "proxy_protocol on" directive, and writes some extra
information at the start of the tcp connection to the upstream service;
that service reads that information and knows the original client address.
Another case is where the upstream server will always send all IP traffic
addressed to the original clients, through the port-forwarding server;
and where the network between the port-forwarding server and the upstream
server is happy for spoofed source addresses on IP packets to pass. In
that case, the port-forwarding server can be clever with the packets
that it forwards, and can be clever with the response packets from the
upstream server. Nginx is not the right tool to be the port-forwarding
service in that case; something within your operating system's IP stack
should be investigated instead.
Good luck with it,
Francis Daly francis at daoine.org
More information about the nginx