<div dir="auto">Dear Francis,<div dir="auto"><br></div><div dir="auto">thank you very much for your detailed explanation.</div><div dir="auto">I will investigate in order to detect the right way (and tool) to rich my goal thinking about your words.</div><div dir="auto"><br></div><div dir="auto">Have a great day.</div><div dir="auto">Regards,</div><div dir="auto">Mauro</div></div><br><div class="gmail_quote"><div dir="ltr">Il dom 29 apr 2018 11:09 Francis Daly <<a href="mailto:francis@daoine.org" target="_blank" rel="noreferrer">francis@daoine.org</a>> ha scritto:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Fri, Apr 27, 2018 at 01:41:26AM +0200, Mauro Tridici wrote:<br>
<br>
Hi there,<br>
<br>
> So, I would like to ask you if I can use NGINX i order to start a port forwarding from an internet client to a server machine in my private LAN preserving the client IP.<br>
<br>
In general, what you want cannot be done (I believe).<br>
<br>
There are some specific cases where it can be made to work. Maybe your<br>
case is, or can be made, one of those.<br>
<br>
One case is where the upstream service can be told to expect the<br>
"proxy protocol". The client connects to nginx; nginx is configured<br>
with a suitable "proxy_protocol on" directive, and writes some extra<br>
information at the start of the tcp connection to the upstream service;<br>
that service reads that information and knows the original client address.<br>
<br>
Another case is where the upstream server will always send all IP traffic<br>
addressed to the original clients, through the port-forwarding server;<br>
and where the network between the port-forwarding server and the upstream<br>
server is happy for spoofed source addresses on IP packets to pass. In<br>
that case, the port-forwarding server can be clever with the packets<br>
that it forwards, and can be clever with the response packets from the<br>
upstream server. Nginx is not the right tool to be the port-forwarding<br>
service in that case; something within your operating system's IP stack<br>
should be investigated instead.<br>
<br>
Good luck with it,<br>
<br>
f<br>
-- <br>
Francis Daly <a href="mailto:francis@daoine.org" rel="noreferrer noreferrer" target="_blank">francis@daoine.org</a><br>
_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org" rel="noreferrer noreferrer" target="_blank">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer noreferrer noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br>
</blockquote></div>