proxy_protocol_port variable should store the PROXY_PORT rather than CLIENT_PORT

Maxim Dounin mdounin at
Mon May 15 15:04:22 UTC 2017


On Mon, May 15, 2017 at 04:00:07PM +0200, Janusz M wrote:

> Hi Maxim,
> First of all thanks for your quick reply. I read the nginx 1.11.0 and
> 1.11.4 release notes, thanks. Perhaps I wasn't as clear in my description
> as possible.
> Please consider the following scenario:
> * a client (user) with IP makes an HTTPS request to the app
> and hits the load balancer
> * load balancer forwards both HTTP and HTTPS requests to nginx server on
> port 80 (standard Amazon AWS setup)
> * Proxy Protocol is turned on, load balancer adds the following line to the
> request:
>   PROXY TCP4 56324 443

So, as per PROXY protocol specification, source address is, source port is 56324.  Destination address is, destination port is 443.

> * nginx with proxy_protocol on reads port 56324 to $proxy_protocol_port.
> The point is that with the current implementation, either nginx's behaviour
> or proxy protocol itself feels inconsistent.
> You wrote:
> "The $proxy_protocol_port, much like $proxy_protocol_addr, reflects client
> port for the proxy protocol header. "
> but in fact, what we see in those variables is the client IP (public IP of
> the client's computer) and the load balancer port (not the client port).

When the original client connection uses source 
address and 56324 source port, $proxy_protocol_addr will contain, and $proxy_protocol_port will contain 56324.  This 
is perfectly consistent and will allow to uniquely identify client 
even if it is behind a NAT or we need to find out a particular 
process which established the connection.

Both destination address and destination port are not available 
via nginx variables.  As previously suggested, if you want to 
distinguish between different destinations, you can easily do so 
by using distinct listening sockets in nginx.

It looks like you somehow think that "client port" means "the port 
which client used as a destination of a connection".  This is 
certainly not what it used to mean.  Each TCP connection has two 
sides, and each side has an address and a port.  When one of the 
sides is a client, "client address" is the address of this side, 
and "client port" is the port of this side.  Please refer to TCP 
protocol description for more information.

Maxim Dounin

More information about the nginx-devel mailing list