can't setup nginx as transparent proxy server

Francis Daly francis at daoine.org
Tue Aug 9 14:29:31 UTC 2016


On Tue, Aug 09, 2016 at 01:20:46PM +0800, Peng Xie wrote:

Hi there,

> I am relatively new to nginx.  I would like to setup nginx as a
> transparent reverse proxy.

What, specifically, do you mean by "transparent", here?

I think that the nginx proxy_bind config is intended so that the upstream
server is fooled into thinking that it is talking to the original client,
instead of to nginx.

(And to achieve that, you need that outside-of-nginx networking is set
up to get the packets to the right places.)

It is not clear to me that your idea of "transparent" is the same as that.

> doc2) [https://www.kernel.org/doc/Documentation/networking/tproxy.tx]

> According to doc2, I write a shell-script as follow:
> ,----
> | #!/bin/bash
> | set -x
> | sudo iptables -F
> | sudo iptables -X
> | 
> | sudo iptables -t mangle -N DIVERT;
> | sudo iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT;
> | sudo iptables -t mangle -A DIVERT -j MARK --set-mark 1;
> | sudo iptables -t mangle -A DIVERT -j ACCEPT;
> | sudo ip rule add fwmark 1 lookup 100;
> | sudo ip route add local 0.0.0.0/0 dev lo table 100;
> | sudo iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY  --tproxy-mark 0x1/0x1 --on-port 800;
> `----

This does not look to me like it will do what you want.

>From the nginx documentation:

"""
In order for this parameter to work, it is necessary to run nginx worker
processes with the superuser privileges and configure kernel routing
table to intercept network traffic from the proxied server.
"""

That does not appear to be intercepting the network traffic from the
proxied server.

(And your nginx.conf snippet did not appear to show things running with
the superuser privileges.)

> Use proxy_bind to set a transparent proxy server may be a new feature on
> nginx. I've searched for a long time. Does anybody have a suggestion?

There is "client", "nginx", and "upstream". They all have their own IP
addresses (and ports).

Can you describe your intended connection, from which machine to which
machine using which address and port? That might make it clear whether
what you want is doable.

	f
-- 
Francis Daly        francis at daoine.org



More information about the nginx mailing list