can't setup nginx as transparent proxy server
Roman Arutyunyan
arut at nginx.com
Tue Aug 9 06:10:04 UTC 2016
Hi,
On Tue, Aug 09, 2016 at 01:20:46PM +0800, Peng Xie wrote:
> Hi,
>
> I am relatively new to nginx. I would like to set up nginx as a
> transparent reverse proxy.
>
> Here is the topology of my network.
> ,----
> | +------------------------+
> | |  192.168.56.109:80     |  <-- upstream, which is the real HTTP server on port 80
> | +------------------------+
> |             ^
> |             |
> | +------------------------+
> | |  192.168.56.108:800    |  <-- proxy_server, which runs nginx as a reverse proxy server on port 800
> | +------------------------+
> |             ^
> |             |
> | +------------------------+
> | |  192.168.56.1          |  <-- client
> | +------------------------+
> `----
>
> Here is my nginx.conf.
> ,----
> | server {
> |     listen 800;
> |     server_name localhost;
> |
> |     location / {
> |         proxy_pass http://192.168.56.109:80;
> |         proxy_bind $remote_addr transparent;
> |     }
> | }
> `----
>
> If proxy_bind is not used, the client can access the upstream through
> 192.168.56.108:800. Of course, the proxy is not transparent in this
> situation.
>
> To make the proxy_server transparent, I read these documents: doc1)
> [http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_bind]
>
> doc2) [https://www.kernel.org/doc/Documentation/networking/tproxy.tx]
>
> I added proxy_bind to nginx.conf according to doc1 and reloaded nginx:
> ,----
> | nginx -s reload
> `----
>
> According to doc2, I wrote a shell script as follows:
> ,----
> | #!/bin/bash
> | set -x
> | sudo iptables -F
> | sudo iptables -X
> |
> | sudo iptables -t mangle -N DIVERT;
> | sudo iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT;
> | sudo iptables -t mangle -A DIVERT -j MARK --set-mark 1;
> | sudo iptables -t mangle -A DIVERT -j ACCEPT;
> | sudo ip rule add fwmark 1 lookup 100;
> | sudo ip route add local 0.0.0.0/0 dev lo table 100;
> | sudo iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 800;
> `----
>
> Now I access the proxy from the client:
> ,----
> | ➜ ~ curl -v http://192.168.56.108:800
> | * Rebuilt URL to: http://192.168.56.108:800/
> | * Trying 192.168.56.108...
> | * Connected to 192.168.56.108 (192.168.56.108) port 800 (#0)
> | > GET / HTTP/1.1
> | > Host: 192.168.56.108:800
> | > User-Agent: curl/7.43.0
> | > Accept: */*
> | >
> `----
>
> And then I try port 80:
> ,----
> | ➜ ~ curl -v http://192.168.56.108:80
> | * Rebuilt URL to: http://192.168.56.108:80/
> | * Trying 192.168.56.108...
> `----
>
> The client can't access the upstream now!
>
> Using proxy_bind to set up a transparent proxy server may be a new feature in
> nginx. I've searched for a long time. Does anybody have a suggestion?
>
> Thanks, Peng Xie
Did you try to tcpdump the packets at the proxy and at the upstream?
--
Roman Arutyunyan
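The following is an added example for the setup discussed in this thread; it is not code from either poster or from the nginx project. It generates, but never applies, the three pieces a `proxy_bind $remote_addr transparent` deployment needs for the topology in the post (client 192.168.56.1, proxy 192.168.56.108 listening on 800, upstream 192.168.56.109:80), and it includes the check that a tcpdump at the upstream would otherwise reveal: with all three hosts on one /24, the upstream answers the spoofed client address directly on the LAN unless it has a route back to the client via the proxy. The function names are hypothetical, and the sample `ip route get` outputs fed to the check are constructed. Two caveats belong with it: the worker process needs CAP_NET_RAW for the transparent bind (nginx 1.13.8 and later pass it down from the master when `transparent` is present; earlier releases needed worker processes running as root, which is a privilege to grant deliberately, not by accident), and the TPROXY interception rule from the post is left out, because the TPROXY target only hands packets to a listening socket that has IP_TRANSPARENT set and nginx's `listen` directive does not set it, so connecting to the proxy's own port 800 is the path shown here.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates (never applies) the
# config and routing for the topology in the post and checks the upstream's
# return path. Addresses are the post's; function names are hypothetical.
#
#   client   192.168.56.1
#   proxy    192.168.56.108, nginx listening on 800
#   upstream 192.168.56.109:80

# 1. nginx server block. The worker needs CAP_NET_RAW to bind a foreign
#    source address: nginx 1.13.8+ hands it down from the master when
#    "transparent" is present; older releases needed root worker processes.
gen_nginx_conf() {
    port="$1"; upstream="$2"
    cat <<EOF
server {
    listen ${port};
    server_name localhost;

    location / {
        proxy_pass http://${upstream};
        # Source address of the upstream connection = the client's address.
        proxy_bind \$remote_addr transparent;
    }
}
EOF
}

# 2. Return-path plumbing on the proxy host (run as root). The upstream's
#    replies arrive with dst = client address; the mark plus the policy route
#    delivers them to nginx's IP_TRANSPARENT socket instead of forwarding them
#    on to the real client. Only the mangle table is touched, so the host
#    firewall in the filter table is left alone.
gen_proxy_rules() {
    upstream_ip="$1"; upstream_port="$2"
    cat <<EOF
iptables -t mangle -A PREROUTING -p tcp -s ${upstream_ip} --sport ${upstream_port} -j MARK --set-mark 1
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
EOF
}

# 3. Route on the upstream host (run as root). All three hosts share one /24,
#    so without a host route the upstream answers the spoofed client address
#    directly on the LAN and the proxy never sees the SYN-ACK.
gen_upstream_route() {
    client_ip="$1"; proxy_ip="$2"
    printf 'ip route add %s/32 via %s\n' "$client_ip" "$proxy_ip"
}

# Check: feed this the first line of "ip route get <client>" captured on the
# upstream. Returns 0 when the next hop is the proxy, 1 otherwise.
route_via_proxy() {
    route_line="$1"; proxy_ip="$2"
    case " ${route_line} " in
        *" via ${proxy_ip} "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: print everything for review. Pipe each piece to sh on the
# right host once it looks correct; this script itself changes nothing.
echo "# --- nginx.conf (proxy) ---"
gen_nginx_conf 800 192.168.56.109:80
echo "# --- run on the proxy ---"
gen_proxy_rules 192.168.56.109 80
echo "# --- run on the upstream ---"
gen_upstream_route 192.168.56.1 192.168.56.108

# Constructed "ip route get 192.168.56.1" lines, as the upstream would print
# them with and without the host route above.
with_route="192.168.56.1 via 192.168.56.108 dev eth0 src 192.168.56.109 uid 0"
without_route="192.168.56.1 dev eth0 src 192.168.56.109 uid 0"
route_via_proxy "$with_route" 192.168.56.108 && echo "# return path OK"
route_via_proxy "$without_route" 192.168.56.108 || echo "# return path bypasses the proxy: replies go straight to the client"
```

Running `ip route get 192.168.56.1` on the upstream and passing its first line to `route_via_proxy` is the quickest way to confirm the return path before reaching for tcpdump; if it does not report the proxy as the next hop, the SYN-ACKs never arrive at the proxy and the client-side connection hangs exactly as in the post.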
More information about the nginx mailing list