problem with proxy pass

Stefano Serano stefano.serano at ngway.it
Mon Mar 2 08:25:10 UTC 2020


Hi.

I've changed the configuration:

stream {
    upstream master {
        server 10.0.0.7:1515;
    }
    upstream mycluster {
        hash $remote_addr consistent;
        server 10.0.0.7:1514;
        server 10.0.0.6:1514;
    }
    server {
        listen 1515;
        proxy_pass master;
    }
    server {
        listen 1514 udp;
        proxy_pass mycluster;
        proxy_bind 10.0.0.8;
    }
}



Execute this command on agent:


 nc -vnzu -w 1 192.168.1.5 1514

to check if it is able to connect to my Nginx LB port, the result is positive:

Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.1.5:1514.
Ncat: UDP packet sent successfully
Ncat: 1 bytes sent, 0 bytes received in 2.01 seconds.

Same from LB to my HIDS node:
nc -vnzu -w 5 10.0.0.6 1514
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 10.0.0.6:1514.
Ncat: UDP packet sent successfully


But my agents are still unable to send logs over port 1514 UDP.







________________________________
From: nginx <nginx-bounces at nginx.org> on behalf of Reinis Rozitis <r at roze.lv>
Sent: Monday, 2 March 2020 00:09:53
To: nginx at nginx.org
Subject: RE: problem with proxy pass

> The agents in my local network (192.x.x.x) instead, are able to authenticate
> over port 1515 TCP, but not to send logs over 1514 UDP. The agents log said
> that they are unable to connect over that port.
>
> If I temporarily change the port 1514 UDP to 1514 TCP in my HIDS nodes, and
> make the same change on Nginx configuration, they are able to send logs
> like nothing happened.

This gives more things to test:
(I would also change the error_log level to notice and see if there is anything logged)

1. Can you test from any client in the LAN (192.x.x.x) that you are able to connect to the nginx UDP port (and send some message / see if it lands in the backends), for example with netcat: nc -u your.centos.ip 1514

2. See if you are able to actually connect from the centos box to the backends: nc -u 10.0.0.7 1514


With two network interfaces there might be also routing issues and depending on the configuration you could need to specify the outgoing 10.x interface with proxy_bind (https://nginx.org/en/docs/stream/ngx_stream_proxy_module.html?#proxy_bind)

Something like:

    server {
        listen 1514 udp;
        proxy_pass mycluster;
        proxy_bind 10.x.x.x;  # the ip of the centos machine
    }

rr


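The test suggested in the reply (send some message and see if it lands in the backends) can be made explicit with a tagged datagram; the sketch below is an added example, not code from the thread. The receiving side reports the payload and the source IP it saw, which also shows whether proxy_bind took effect; the function names and the loopback addresses are assumptions, and on a real backend the listener needs the port to be free.

```python
import socket
import uuid


def open_listener(bind_ip, port):
    """Backend side: bind a UDP socket (port 0 lets the OS pick a free one)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    return sock


def wait_for_probe(sock, timeout=2.0):
    """Return (payload, sender_ip) for the next datagram, or None on timeout."""
    sock.settimeout(timeout)
    try:
        payload, (sender_ip, _sender_port) = sock.recvfrom(2048)
    except socket.timeout:
        return None  # nothing arrived: the path is broken somewhere upstream
    return payload, sender_ip


def send_probe(dst_ip, port, source_ip=None):
    """Sender side (agent or LB): send one uniquely tagged datagram.

    source_ip pins the local address, the same effect proxy_bind has on
    the packets nginx sends to the upstream.
    """
    token = b"probe-" + uuid.uuid4().hex.encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        if source_ip:
            sock.bind((source_ip, 0))
        sock.sendto(token, (dst_ip, port))
    return token


def loopback_demo():
    """Constructed demo on 127.0.0.1; real use runs the two sides on two hosts."""
    with open_listener("127.0.0.1", 0) as backend:
        port = backend.getsockname()[1]
        token = send_probe("127.0.0.1", port, source_ip="127.0.0.1")
        delivered = wait_for_probe(backend)
        silent = wait_for_probe(backend, timeout=0.2)  # nothing sent this time
    return token, delivered, silent


if __name__ == "__main__":
    token, delivered, silent = loopback_demo()
    print("sent:", token, "received:", delivered, "second wait:", silent)
```

A `None` from `wait_for_probe` on the backend while the sender reports success means the datagram left the sender but never arrived, which narrows the fault to the proxy, routing, or a firewall in between.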