<html><head><meta http-equiv="content-type" content="text/html; charset=us-ascii"></head><body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">Hi Ivan,<br><div><br><blockquote type="cite"><div>On 30 Oct 2023, at 16:05, Rozhuk Ivan &lt;rozhuk.im@gmail.com&gt; wrote:</div><br class="Apple-interchange-newline"><div><div>Hi!<br><br>I got an incorrect proxy header:<br>PROXY TCP4 172.16.0.208 unix:/var/run/nginx_443_test.sock 9795 0\r\nSSH-2.0-OpenSSH_9.3\r\n<br><br>Expected:<br>PROXY TCP4 172.16.0.208 172.16.0.254 9795 443\r\nSSH-2.0-OpenSSH_9.3\r\n<br><br><br><br>My config:<br>172.16.0.208 - initiator and TCP server on port 4443.<br>172.16.0.254 - nginx host<br><br>initiator:<br>ssh root@172.16.0.254 -p 443<br><br>TCP server on 4443: any app that can accept TCP and print received data.<br><br><br>nginx config:<br>========================================<br># Set default for TLS and non TLS connections.<br>map $ssl_preread_protocol $upstream_proto_val {<br><span class="Apple-tab-span" style="white-space:pre">      </span>""<span class="Apple-tab-span" style="white-space:pre">        </span><span class="Apple-tab-span" style="white-space:pre">    </span><span class="Apple-tab-span" style="white-space:pre">    </span>unix:/var/run/nginx_443_test.sock;<br><span class="Apple-tab-span" style="white-space:pre">        </span>default<span class="Apple-tab-span" style="white-space:pre">     </span><span class="Apple-tab-span" style="white-space:pre">    </span><span class="Apple-tab-span" style="white-space:pre">    </span>unix:/var/run/nginx_443_http.sock;<br>}<br><br># ALPN map table.<br>map $ssl_preread_alpn_protocols $upstream_alpn_val {<br><span class="Apple-tab-span" style="white-space:pre">  </span>default<span class="Apple-tab-span" style="white-space:pre">     </span><span class="Apple-tab-span" style="white-space:pre">    </span><span class="Apple-tab-span" style="white-space:pre">    </span>$upstream_proto_val;<br><span 
class="Apple-tab-span" style="white-space:pre">      </span>"xmpp-client"<span class="Apple-tab-span" style="white-space:pre">     </span><span class="Apple-tab-span" style="white-space:pre">    </span>unix:/var/run/nginx_443_xmpp.sock;<br><span class="Apple-tab-span" style="white-space:pre">        </span>"xmpps-client"<span class="Apple-tab-span" style="white-space:pre">    </span><span class="Apple-tab-span" style="white-space:pre">    </span>unix:/var/run/nginx_443_xmpp.sock;<br><span class="Apple-tab-span" style="white-space:pre">        </span>"stun.turn"<span class="Apple-tab-span" style="white-space:pre">       </span><span class="Apple-tab-span" style="white-space:pre">    </span>unix:/var/run/nginx_443_stun.sock;<br><span class="Apple-tab-span" style="white-space:pre">        </span>"stun.nat-discovery"<span class="Apple-tab-span" style="white-space:pre">      </span>unix:/var/run/nginx_443_stun.sock;<br>}<br><br><br># ALPN router.<br>server {<br><span class="Apple-tab-span" style="white-space:pre">       </span>listen<span class="Apple-tab-span" style="white-space:pre">      </span><span class="Apple-tab-span" style="white-space:pre">    </span>*:443 rcvbuf=1m sndbuf=1m so_keepalive=30m::10;<br><span class="Apple-tab-span" style="white-space:pre">   </span>listen<span class="Apple-tab-span" style="white-space:pre">      </span><span class="Apple-tab-span" style="white-space:pre">    </span>[::]:443 rcvbuf=1m sndbuf=1m so_keepalive=30m::10 ipv6only=on;<br><br><span class="Apple-tab-span" style="white-space:pre">  </span>ssl_preread<span class="Apple-tab-span" style="white-space:pre"> </span>on;<br><span class="Apple-tab-span" style="white-space:pre">       </span>#proxy_protocol<span class="Apple-tab-span" style="white-space:pre">     </span>$proxy_protocol_val;<br><span class="Apple-tab-span" style="white-space:pre">      </span>proxy_protocol<span class="Apple-tab-span" style="white-space:pre">      </span>on;<br><span class="Apple-tab-span" 
style="white-space:pre">       </span>proxy_pass<span class="Apple-tab-span" style="white-space:pre">  </span>$upstream_alpn_val;<br>}<br><br><br>server {<br><span class="Apple-tab-span" style="white-space:pre">      </span>listen<span class="Apple-tab-span" style="white-space:pre">      </span><span class="Apple-tab-span" style="white-space:pre">    </span><span class="Apple-tab-span" style="white-space:pre">    </span><span class="Apple-tab-span" style="white-space:pre">    </span>unix:/var/run/nginx_443_test.sock proxy_protocol rcvbuf=1m sndbuf=1m;<br><br><span class="Apple-tab-span" style="white-space:pre">   </span>set_real_ip_from<span class="Apple-tab-span" style="white-space:pre">    </span><span class="Apple-tab-span" style="white-space:pre">    </span>unix:;<br><br><span class="Apple-tab-span" style="white-space:pre">  </span>proxy_protocol<span class="Apple-tab-span" style="white-space:pre">      </span><span class="Apple-tab-span" style="white-space:pre">    </span><span class="Apple-tab-span" style="white-space:pre">    </span>on;<br><span class="Apple-tab-span" style="white-space:pre">       </span>proxy_pass<span class="Apple-tab-span" style="white-space:pre">  </span><span class="Apple-tab-span" style="white-space:pre">    </span><span class="Apple-tab-span" style="white-space:pre">    </span>172.16.0.208:4443;<br>}<br><br># Strip proxy protocol for xmpp.<br>server {<br><span class="Apple-tab-span" style="white-space:pre">       </span>listen<span class="Apple-tab-span" style="white-space:pre">      </span><span class="Apple-tab-span" style="white-space:pre">    </span><span class="Apple-tab-span" style="white-space:pre">    </span><span class="Apple-tab-span" style="white-space:pre">    </span>unix:/var/run/nginx_443_xmpp.sock proxy_protocol rcvbuf=1m sndbuf=1m;<br><br><span class="Apple-tab-span" style="white-space:pre">   </span>proxy_protocol<span class="Apple-tab-span" style="white-space:pre">      </span><span class="Apple-tab-span" 
style="white-space:pre">    </span><span class="Apple-tab-span" style="white-space:pre">    </span>off;<br><span class="Apple-tab-span" style="white-space:pre">      </span>proxy_pass<span class="Apple-tab-span" style="white-space:pre">  </span><span class="Apple-tab-span" style="white-space:pre">    </span><span class="Apple-tab-span" style="white-space:pre">    </span>127.0.0.1:5223;<br>}<br><br>========================================<br><br><br>PS: it would be very nice if this "proxy_protocol $proxy_protocol_val;" worked. It does not accept vars, only static values from config.<br></div></div></blockquote><br></div><div>Currently the realip module only changes the client address (c-&gt;sockaddr) and leaves the server address (c-&gt;local_sockaddr) unchanged. The behavior is the same for Stream and HTTP and is explained by the fact that initially the module only supported HTTP fields like X-Real-IP and X-Forwarded-For, which carry only the client address.</div><div><br></div><div>Indeed it does look inconsistent in scenarios like yours when address families are different. But do you really need the server address, or are you just highlighting the inconsistency?</div><br><div>
<div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div>----</div><div>Roman Arutyunyan</div><div>arut@nginx.com</div><div><br></div></div><br class="Apple-interchange-newline"><br class="Apple-interchange-newline">

</div>
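<div><br></div>
<div>Added example, not part of the original thread and not code from nginx or from either poster: a strict PROXY protocol v1 parser, of the kind a receiving service could run before trusting the header, applied to the two headers quoted in the report. It rejects the reported header because the destination field carries the unchanged unix-socket server address instead of an IPv4 literal. The names parse_proxy_v1, verdict and ProxyHeaderError are hypothetical.</div>
<pre>
```python
import ipaddress

MAX_V1_LEN = 107  # longest v1 header the PROXY protocol spec allows, CRLF included
FAMILIES = {"TCP4": ipaddress.IPv4Address, "TCP6": ipaddress.IPv6Address}

# The two headers quoted in the report above, each followed by the SSH banner.
REPORTED = (b"PROXY TCP4 172.16.0.208 unix:/var/run/nginx_443_test.sock 9795 0\r\n"
            b"SSH-2.0-OpenSSH_9.3\r\n")
EXPECTED = b"PROXY TCP4 172.16.0.208 172.16.0.254 9795 443\r\nSSH-2.0-OpenSSH_9.3\r\n"

class ProxyHeaderError(ValueError):
    """The leading PROXY v1 line is missing or malformed."""

def parse_proxy_v1(data: bytes):
    """Return (fields, payload) for a buffer that starts with a PROXY v1 line."""
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if end == -1:
        raise ProxyHeaderError("no CRLF within the first 107 bytes")
    try:
        parts = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII byte in header") from None
    if parts[0] != "PROXY":
        raise ProxyHeaderError("missing PROXY signature")
    if len(parts) >= 2 and parts[1] == "UNKNOWN":
        # The spec tells receivers to ignore the rest of an UNKNOWN line.
        return {"proto": "UNKNOWN"}, data[end + 2:]
    if len(parts) != 6 or parts[1] not in FAMILIES:
        raise ProxyHeaderError("expected: PROXY TCP4|TCP6 src dst sport dport")
    proto, src, dst, sport, dport = parts[1:]
    for side, addr in (("source", src), ("destination", dst)):
        try:
            FAMILIES[proto](addr)  # must be a literal address of the declared family
        except ValueError:
            raise ProxyHeaderError(f"{side} address {addr!r} is not {proto}") from None
    for side, port in (("source", sport), ("destination", dport)):
        if not (port.isascii() and port.isdigit() and int(port) in range(65536)):
            raise ProxyHeaderError(f"{side} port {port!r} out of range")
    fields = {"proto": proto, "src": src, "dst": dst,
              "sport": int(sport), "dport": int(dport)}
    return fields, data[end + 2:]

def verdict(data: bytes) -> str:
    """Accept or reject a buffer the way a strict backend would."""
    try:
        fields, _ = parse_proxy_v1(data)
    except ProxyHeaderError as exc:
        return f"reject: {exc}"
    return f"accept: {fields['src']}:{fields['sport']} to {fields['dst']}:{fields['dport']}"
```
</pre>
<div>Destination port 0 in the reported header is inside the numeric range the format allows, so the address field is what a strict parser trips on.</div>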
<br></body></html>