<div dir="ltr">Thanks for pointing me in the right direction, Maxim!<div><br></div><div>I've found a number of posts where people are discussing nginx acting as listener at <a href="http://0.0.0.0:80/0">0.0.0.0:80/0</a> for outbound traffic, making able the system to review every outgoing packet. In this way nginx can act as transparent proxy that do not perform destination address translation.<br><div><br></div><div>What I'm asking for is a special handling for inbound packets. I still want nginx to perform destination address translation, but I need to keep original source address in the packet.</div></div><div><br></div><div>As far as I understood, both scenarios relies on using <span style="font-size:12.8px">IP_TRANSPARENT/IP_FREEBIND on Linux as you mentioned previously.</span></div><div><span style="font-size:12.8px">While there's no complete solution at the moment, I think that it's great idea to add such functions in the future, at least in commercial version of nginx. From the other side, positioning nginx as ADC solution requires to give administrators more control over applications delivery and translating source/destination addresses/ports are just necessary options.</span></div><div><br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature">--<br>Vsevolod Petrov</div></div>
<br><div class="gmail_quote">2015-12-16 19:56 GMT+03:00 Maxim Dounin <span dir="ltr"><<a href="mailto:mdounin@mdounin.ru" target="_blank">mdounin@mdounin.ru</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello!<br>
<span class=""><br>
On Wed, Dec 16, 2015 at 06:56:02PM +0300, Vsevolod Petrov wrote:<br>
<br>
> Hello,<br>
><br>
> proxy_bind directive allows to specify source IP address for proxied<br>
> connections.<br>
> This directive can be set to local IP address.<br>
><br>
> I'm wondering if there's a way to set $remote_addr as proxy_bind address?<br>
> Or any other non-local IP address?<br>
><br>
> The idea is to see original client source IP address at the server site.<br>
> While it's not http traffic I cannot use XFF header.<br>
><br>
> Destination MAC address in the response packet from the server is set to<br>
> nginx server interface address. So, there's no problem at layer 2<br>
> communication.<br>
><br>
> Can nginx listen for responses coming to non-local destination address?<br>
<br>
</span>In theory this is possible with appropriate OS-level support, and<br>
as long as you are able to route packets properly. In particular,<br>
this should be possible on OpenBSD using SO_BINDANY, on FreeBSD<br>
using IP_BINDANY, and on Linux using IP_TRANSPARENT/IP_FREEBIND.<br>
<br>
An erlier attempt to make it work on nginx can be found here<br>
(OpenBSD-specific patch):<br>
<br>
<a href="http://mailman.nginx.org/pipermail/nginx-devel/2010-October/000533.html" rel="noreferrer" target="_blank">http://mailman.nginx.org/pipermail/nginx-devel/2010-October/000533.html</a><br>
<br>
As far as I understand, doing proper support should be mostly<br>
trivial now with variables support in proxy_bind.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Maxim Dounin<br>
<a href="http://nginx.org/" rel="noreferrer" target="_blank">http://nginx.org/</a><br>
<br>
_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br>
</font></span></blockquote></div><br></div></div>