[PATCH] proxy-protocol dst variables and proxy-proxy-protocol

Maxim Dounin mdounin at mdounin.ru
Thu Nov 10 14:59:42 UTC 2016 

Hello!

On Thu, Nov 10, 2016 at 01:06:54AM +0100, Bjørnar Ness wrote:

[...]

> > Current question is:
> >
> > What "listen ... proxy_protocol" should mean in case of mail.  In
> > other modules, it just means that PROXY protocol header is parsed
> > and appropriate variables are available for use.  It would be good
> > to have similar meaning in mail, but there are realip module and
> > no variables in mail.
> 
> But Auth module can get the variables passed via headers, which is
> certainly a usecase, also, to be able to send same proxy protocol header out
> as you get in, the proxy-proxy-protocol scenario, it needs to be
> stored somewhere.
> This will work seemlessly on both mail, http and stream when proxy-protocol is
> enabled in both listen and outgoing, think of it as a "transparent
> smart-proxy" :)

It looks like then only use case you have in mind is nginx between 
some frontend which adds a PROXY protocol header and a backend 
which is able to accept such a header.  Certainly this is not the 
only real use case, but just one of multiple possible ones.

Other use cases include:

- nginx behind some balancer which adds PROXY protocol, and a 
  backend which doesn't understand PROXY protocol behind it;

- nginx in front of a backend which understands PROXY protocol, 
  and nothing in front of nginx.

Also, every time I see the word "smart" I start thinking about 
security problems introduced along the way.

> > In the stream module similar problem was resolved by not
> > introducing "listen ... proxy_protocol" till variables support was
> > added, and by adding realip module at the same time.  May be there
> > are better options.
> >
> > I certainly dislike what is currently suggested, that is, just
> > passing an address provided via PROXY protocol to backends via
> > XCLIENT.
> >
> > Introducing PROXY protocol to backends instead of XCLIENT looks
> > as a separate thing.
> 
> I think adding more support for XCLIENT these days is not needed, as the
> software in common use today supports proxy protocol native.

This doesn't seem to take into account the fact that PROXY 
protocol can only pass addresses, while XCLIENT is able to provide 
various other information like a client login, hostname and so on.

-- 
Maxim Dounin
http://nginx.org/

More information about the nginx-devel mailing list