proxy_protocol mixed address family

nginx.list at melmac.space
Mon Jan 15 17:52:14 UTC 2024


Hey together,

I would like to follow up on the thread from October 2023 with the
subject "proxy_protocol send incorrect header". [0]

TL;DR:
Are there any plans to make it possible for the realip module to also
change the destination address and not just the source address?
Or to just not touch anything at all, so that proxy_protocol data can
traverse multiple layers with changing IP versions?


I have the following setup:

IPv4:
User --> 4to6 Proxy (Alpine Linux / nginx 1.24.x) --> 
SNI Proxy (Debian Bookworm / nginx 1.22.x) --> Mixed Downstream with Traefik or nginx

IPv6:
User --> SNI Proxy (Debian Bookworm / nginx 1.22.x) --> Mixed Downstream with Traefik or nginx

So basically IPv6 goes directly to the SNI Proxy, and for v4 there is a
quite simply configured nginx acting as 4to6 Proxy.
The use case is to have IPv4 just at the edge, on as few servers as possible.

4to6 and SNI Proxy both use the stream module(s); only at the third
layer does the http logic kick in.

//

My problem exists just for the IPv4 way and is that the second-layer SNI nginx
sends proxy-protocol data with a v4 source and a v6 destination address, even
though the INET protocol is set to TCP4.

That's not a problem for nginx, as it parses everything fine in the
last/third layer.
But for Traefik it's a problem, as it says it cannot parse the header and
so the connection gets closed again.
Also Wireshark says the packets are broken.

One non-feasible workaround could be to completely disable any logic in the second-layer
Proxy, as described in a blog [1] in the section "Untrusted
Redirector 2": don't listen on proxy_protocol and don't send it.
The problem with that is that I then seem to be unable to use ssl_preread
anymore, so there must be static proxy_passing.

//

Just as an additional note, the point where it breaks is when
"set_real_ip_from  $TRUSTED_IP;" is set.
Then the source address is replaced with the v4 address, but the
destination address stays the v6 address between the first- and second-layer
proxy.


So what to do?

Quote from the linked thread[2]:
> Currently the realip module only changes the client address
> (c->sockaddr) and leaves the server address (c->local_sockaddr)
> unchanged.
> The behavior is the same for Stream and HTTP and is explained by the
> fact that initially the module only supported HTTP fields like
> X-Real-IP and X-Forwarded-For, which carry only client address.

There seems to be no solution.

Is there any plan for the future?
And for the time being, is there any other TCP proxy where it is
possible to transport the client and server address through multiple
layers with changing IP versions?


Gordon (:

[0] https://mailman.nginx.org/pipermail/nginx/2023-October/GYTVUIBJ65RJ3X4KDEPNVGXZ2S4STIVT.html
[1] https://0xda.de/blog/2020/02/red-team-proxy-protocol-nginx/
[2] https://mailman.nginx.org/pipermail/nginx/2023-October/CKEFWBSQL46HJTHDOJVX6CNUYETKBE53.html
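Added example, not code from the post, from nginx or from Traefik: a strict parser for the PROXY protocol v1 text header that enforces the rule a TCP4 header must carry two IPv4 addresses (and TCP6 two IPv6 addresses), which is why a v4-source/v6-destination header like the one described above is refused. The sample headers are constructed and use documentation address ranges.

```python
import ipaddress

# Added example (not from the post, nginx or Traefik): strict PROXY v1 parser.

class ProxyHeaderError(ValueError):
    """Raised for any header a strict receiver should refuse."""

def parse_proxy_v1(line: bytes) -> dict:
    """Parse one PROXY v1 header line (must end in CRLF, max 107 bytes)."""
    if not line.endswith(b"\r\n") or len(line) > 107:
        raise ProxyHeaderError("missing CRLF or header too long")
    fields = line[:-2].decode("ascii").split(" ")
    if fields[0] != "PROXY":
        raise ProxyHeaderError("bad signature")
    if len(fields) > 1 and fields[1] == "UNKNOWN":  # sender conveys no addresses
        return {"proto": "UNKNOWN"}
    if len(fields) != 6:
        raise ProxyHeaderError("expected 6 fields, got %d" % len(fields))
    _, proto, src, dst, sport, dport = fields
    family = {"TCP4": 4, "TCP6": 6}.get(proto)
    if family is None:
        raise ProxyHeaderError("unknown INET protocol %r" % proto)
    try:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError as exc:
        raise ProxyHeaderError(str(exc))
    # This is the check the second-layer header from the post fails: a TCP4
    # header whose destination is an IPv6 address has a mismatched family.
    for name, ip in (("source", src_ip), ("destination", dst_ip)):
        if ip.version != family:
            raise ProxyHeaderError("%s is IPv%d, not IPv%d" % (name, ip.version, family))
    ports = []
    for p in (sport, dport):
        if not p.isdigit() or int(p) > 65535:
            raise ProxyHeaderError("bad port %r" % p)
        ports.append(int(p))
    return {"proto": proto, "src": src_ip, "dst": dst_ip,
            "sport": ports[0], "dport": ports[1]}

def is_valid_proxy_v1(line: bytes) -> bool:
    try:
        parse_proxy_v1(line)
        return True
    except (ProxyHeaderError, UnicodeDecodeError):
        return False

# Constructed sample headers using documentation address ranges.
GOOD_V4 = b"PROXY TCP4 198.51.100.10 203.0.113.5 51234 443\r\n"
MIXED = b"PROXY TCP4 198.51.100.10 2001:db8::10 51234 443\r\n"
```

Running `parse_proxy_v1(MIXED)` raises with "destination is IPv6, not IPv4", which is the condition a strict receiver reports as an unparsable header.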
