How to configure Nginx LB IP-Transparency for custom UDP application

Francis Daly francis at daoine.org
Fri Jul 19 19:43:20 UTC 2019


On Fri, Jul 12, 2019 at 11:44:22PM +0530, Jeya Murugan wrote:
> On Tue, Jul 9, 2019 at 8:41 PM Roman Arutyunyan <arut at nginx.com> wrote:

Hi there,

> > > I am using *NGINX 1.13.5 as a Load Balancer for one of my
> > > CUSTOM-APPLICATION *which will listen on* UDP port 2231,67 and 68.*
> > >
> > > I am trying for Load Balancing with IP-Transparency.

> > > When I using the proxy_protocol method the packets received from a remote
> > > client is modified and send to upstream by NGINX LB not sure why/how the
> > > packet is modified and also the remote client IP is NOT as source IP.

proxy_protocol is not IP-Transparency.

The source IP in the packet sent from nginx, is nginx.

If you use nginx as the proxy_protocol client, then your "backend" service
must run the proxy_protocol server -- which is basically "modify the
backend code to read a few extra bytes at the start of each connection,
before it does its own normal thing".

(For udp, "each connection" might be "each packet".)

You probably do not want to do that.

> > > When I using proxy_bind, the packet is forwarded to configured upstream but
> > > the source IP is not updated with Remote Client IP.

That should work -- in as much as "nginx asks the operating system to
change the source address of the outgoing packet". If your operating
system does not co-operate, there's not a lot nginx can do.

> > > *Configuration:*

Note that the web page that you reference does suggest that
"proxy_responses 1;" is needed. I don't know if that will influence what
you are seeing, though.

What operating system are you running on?

"uname -a" should say; and will give the kernel version involved. That
might indicate a problem. Although I guess that if your nginx was
reporting "transparent proxying is not supported on this platform",
you would have seen it.

Note also that you seem to be testing with the client, nginx, and the
backend server all on the same subnet. That might cause some confusion
when it comes to the response packet; I don't know if it would interfere
with the nginx operating system changing the packet source IP address,
or with the iptables mangling.

And, you use:

> > >         proxy_bind $remote_addr:2231 transparent;

which may well work, but is not exactly what the document you refer
to uses.

In principle, there is no reason why the udp traffic to port 2231 must
come from port 2231; if you use $remote_port like the document shows,
it removes one more place where your config differs from theirs.

So, I don't have an answer for you; but maybe the above points at some
things you can check or change, to see if it improves for you.

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org
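
The "read a few extra bytes at the start of each connection" step described in the message, as an added example that is not part of the original post or of nginx. It assumes the load balancer sends the version 1 (text) form of the PROXY protocol header; the names split_proxy_v1, client_of and trusted_lb are hypothetical, and the sample datagram in the test is constructed.

```python
import ipaddress

MAX_V1_HEADER = 107  # v1 header is one ASCII line, at most 107 bytes with CRLF

def split_proxy_v1(data: bytes):
    """Split a PROXY protocol v1 header from the front of a payload.

    Returns (info, payload); info is None when the data has no v1 header.
    Raises ValueError when a header is present but malformed.
    """
    if not data.startswith(b"PROXY "):
        return None, data
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("header not terminated within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    payload = data[end + 2:]
    if fields[1] == "UNKNOWN":          # sender could not describe the client
        return {"proto": "UNKNOWN"}, payload
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("unsupported or truncated header")
    version = 4 if fields[1] == "TCP4" else 6
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    if src.version != version or dst.version != version:
        raise ValueError("address family does not match protocol field")
    if not all(p.isdigit() and int(p) <= 65535 for p in fields[4:6]):
        raise ValueError("bad port")
    return {"proto": fields[1], "src": (str(src), int(fields[4])),
            "dst": (str(dst), int(fields[5]))}, payload

def client_of(data: bytes, peer_ip: str, trusted_lb: str):
    """Return (client_ip, payload) for one datagram received from peer_ip.

    The header is honoured only when the datagram came from the load
    balancer; anyone else could forge it, so their packets are taken as-is
    and attributed to the address they were actually received from.
    """
    if peer_ip != trusted_lb:
        return peer_ip, data
    info, payload = split_proxy_v1(data)
    if info is None or info["proto"] == "UNKNOWN":
        return peer_ip, payload
    return info["src"][0], payload
```

A backend that logs or filters on client_of()'s result should also be firewalled so that only the load balancer can reach its port, since the header itself carries no authentication.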

