preserve client source address when proxying to upstream

Vsevolod Petrov v.d.petrov at gmail.com
Thu Dec 17 12:00:51 UTC 2015


Thanks for pointing me in the right direction, Maxim!

I've found a number of posts where people discuss nginx acting as a
listener at 0.0.0.0:80/0 for outbound traffic, enabling the system to
review every outgoing packet. In this way nginx can act as a transparent
proxy that does not perform destination address translation.

What I'm asking for is special handling for inbound packets. I still want
nginx to perform destination address translation, but I need to keep the
original source address in the packet.

As far as I understood, both scenarios rely on using
IP_TRANSPARENT/IP_FREEBIND
on Linux, as you mentioned previously.
While there's no complete solution at the moment, I think it's a great
idea to add such functions in the future, at least in the commercial version of
nginx. On the other hand, positioning nginx as an ADC solution requires
giving administrators more control over application delivery, and translating
source/destination addresses/ports is a necessary option.


--
Vsevolod Petrov

2015-12-16 19:56 GMT+03:00 Maxim Dounin <mdounin at mdounin.ru>:

> Hello!
>
> On Wed, Dec 16, 2015 at 06:56:02PM +0300, Vsevolod Petrov wrote:
>
> > Hello,
> >
> > The proxy_bind directive allows specifying the source IP address for proxied
> > connections.
> > This directive can be set to a local IP address.
> >
> > I'm wondering if there's a way to set $remote_addr as the proxy_bind address?
> > Or any other non-local IP address?
> >
> > The idea is to see the original client source IP address at the server side.
> > Since it's not HTTP traffic I cannot use the XFF header.
> >
> > The destination MAC address in the response packet from the server is set to
> > the nginx server interface address. So, there's no problem at layer 2
> > communication.
> >
> > Can nginx listen for responses coming to non-local destination address?
>
> In theory this is possible with appropriate OS-level support, and
> as long as you are able to route packets properly.  In particular,
> this should be possible on OpenBSD using SO_BINDANY, on FreeBSD
> using IP_BINDANY, and on Linux using IP_TRANSPARENT/IP_FREEBIND.
>
> An earlier attempt to make it work on nginx can be found here
> (OpenBSD-specific patch):
>
> http://mailman.nginx.org/pipermail/nginx-devel/2010-October/000533.html
>
> As far as I understand, doing proper support should be mostly
> trivial now with variables support in proxy_bind.
>
> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
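Editor's addendum, not part of the thread: nginx later added exactly this as the
`transparent` parameter of proxy_bind (stream and http modules, 1.11.0), built on
the OS-level socket options Maxim lists. The fragment below is an added example,
not a configuration posted by either participant; the listener port, the upstream
10.0.0.10:3306 and the routing table number 100 are assumptions chosen for
illustration. The kernel-side commands are included as comments because the
nginx configuration alone is not enough: the upstream's replies are addressed to
the client, not to the nginx host, and have to be steered back into its stack.

```nginx
# Added example (not from the thread): nginx >= 1.11.0 stream proxy that
# keeps the client's source address on the upstream connection.
# Assumed: clients connect to this host on tcp/3306 and the upstream is
# 10.0.0.10:3306, a non-HTTP protocol, so no X-Forwarded-For is possible.

# Setting IP_TRANSPARENT on the upstream socket needs privileges: run the
# master as root; since 1.13.8 the workers inherit CAP_NET_RAW when
# 'transparent' is used, older releases need the workers themselves as root.
user nginx;
worker_processes auto;

stream {
    upstream backend_pool {
        server 10.0.0.10:3306;   # assumed upstream address
    }

    server {
        listen 3306;

        # Bind the upstream connection to the (non-local) client address.
        # 'transparent' makes nginx set IP_TRANSPARENT (Linux), IP_BINDANY
        # (FreeBSD) or SO_BINDANY (OpenBSD) before bind(), i.e. the OS-level
        # support referred to above; without it bind() fails with
        # EADDRNOTAVAIL for any address not assigned to an interface.
        proxy_bind $remote_addr transparent;
        proxy_pass backend_pool;
    }
}

# Kernel side (Linux, run once on the nginx host as root). Reply packets
# from the upstream carry the client's IP as destination; mark them on
# ingress and route marked traffic to the local stack so the connected
# nginx socket receives them instead of the host forwarding them:
#
#   ip rule add fwmark 1 lookup 100
#   ip route add local 0.0.0.0/0 dev lo table 100
#   iptables -t mangle -A PREROUTING -p tcp -s 10.0.0.10 --sport 3306 \
#       -j MARK --set-xmark 0x1/0xffffffff
#
# The upstream must also route client networks back through this host
# (for example by using it as its default gateway); otherwise its SYN-ACK
# goes straight towards the client and the handshake never completes.
```

Two caveats a practitioner will want. Keep the MARK rule as narrow as the
example (upstream address and port only): table 100 turns every marked packet
into local traffic, so a broad mark would let the nginx host silently swallow
forwarded packets. And because the upstream now sees real client addresses,
its own ACLs start to matter again, while the upstream port should still be
reachable only from the nginx host so that clients cannot bypass the proxy.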

