NGINX non-HTTP port forwarding from internet to private LAN preserving the client IP

Mauro Tridici mauro.tridici at cmcc.it
Sun Apr 29 09:26:32 UTC 2018


Dear Francis,

thank you very much for your detailed explanation.
I will investigate in order to detect the right way (and tool) to reach my
goal thinking about your words.

Have a great day.
Regards,
Mauro

On Sun, 29 Apr 2018 at 11:09, Francis Daly <francis at daoine.org> wrote:

> On Fri, Apr 27, 2018 at 01:41:26AM +0200, Mauro Tridici wrote:
>
> Hi there,
>
> > So, I would like to ask you if I can use NGINX in order to start a port
> > forwarding from an internet client to a server machine in my private LAN
> > preserving the client IP.
>
> In general, what you want cannot be done (I believe).
>
> There are some specific cases where it can be made to work. Maybe your
> case is, or can be made, one of those.
>
> One case is where the upstream service can be told to expect the
> "proxy protocol". The client connects to nginx; nginx is configured
> with a suitable "proxy_protocol on" directive, and writes some extra
> information at the start of the tcp connection to the upstream service;
> that service reads that information and knows the original client address.
>
> Another case is where the upstream server will always send all IP traffic
> addressed to the original clients, through the port-forwarding server;
> and where the network between the port-forwarding server and the upstream
> server is happy for spoofed source addresses on IP packets to pass. In
> that case, the port-forwarding server can be clever with the packets
> that it forwards, and can be clever with the response packets from the
> upstream server. Nginx is not the right tool to be the port-forwarding
> service in that case; something within your operating system's IP stack
> should be investigated instead.
>
> Good luck with it,
>
>         f
> --
> Francis Daly        francis at daoine.org
>
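
Added example, not part of the original thread: a sketch of the receiving side of the "proxy protocol" case Francis describes, assuming the version 1 text header and a service that accepts connections only from the nginx host. The function names, the `TRUSTED_PROXIES` address and the sample bytes are constructed for illustration.

```python
import ipaddress

# Assumption: the only host allowed to send a PROXY header is the nginx box.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}  # constructed address
MAX_V1_HEADER = 107  # longest possible v1 header, CRLF included


def parse_proxy_v1(data: bytes):
    """Return ((src_ip, src_port) or None, payload) from the stream start."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("missing or oversized PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    payload = data[end + 2:]
    if fields[1] == "UNKNOWN":  # proxy could not determine the client address
        return None, payload
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    family = 4 if fields[1] == "TCP4" else 6
    if src.version != family or dst.version != family:
        raise ValueError("address family does not match protocol field")
    if not all(p.isdigit() and int(p) <= 65535 for p in fields[4:6]):
        raise ValueError("bad port")
    return (str(src), int(fields[4])), payload


def client_address(peer_ip: str, first_bytes: bytes):
    """Resolve the real client for a connection accepted from peer_ip."""
    if ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES:
        # Anyone who can reach this port directly could forge the header,
        # so connections that bypass the proxy are refused outright.
        raise PermissionError(f"{peer_ip} is not a trusted proxy")
    return parse_proxy_v1(first_bytes)


# Constructed sample: what the service would read first on a forwarded session.
SAMPLE = b"PROXY TCP4 203.0.113.7 10.0.0.9 51234 2222\r\nSSH-2.0-client\r\n"

if __name__ == "__main__":
    print(client_address("10.0.0.5", SAMPLE))
```

The header is trustworthy only because of the peer check: a service that parses it from any source lets a direct client claim an arbitrary address in logs and access rules.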