On 16.07.2019 at 13:29, Jeya Murugan wrote:
> @all : Can someone help / point out what I have missed in proxy_protocol here?

The proxy protocol is only designed for TCP, not UDP.

> > I am using *NGINX 1.13.5 as a Load Balancer for one of my
> > CUSTOM-APPLICATION* which will listen on *UDP port 2231, 67 and 68.*
> >
> > I am trying for Load Balancing with IP-Transparency.
> >
> > When I use the proxy_protocol method, the packets received from a remote
> > client are modified and sent to upstream by NGINX LB, not sure why/how the
> > packet is modified, and also the remote client IP is NOT used as source IP.
>
> The proxy_protocol directive adds a PROXY protocol header to the datagram,
> that's why it's modified. The directive does not change the source address.
> Instead, the remote client address is passed in the PROXY protocol header.
>
> <jeya> : Okay. Do we have any options to send the remote client IP as source
> address? Due to the additional proxy header the packet is dropped by the
> application running in the upstream. How can the proxy header be
> stripped at the upstream end?
>
> Do we need to do configuration/rules on the upstream end?
>
> > When I use proxy_bind, the packet is forwarded to the configured upstream but
> > the source IP is not updated with the Remote Client IP.
>
> What is the reason for the port next to $remote_addr in proxy_bind?
> Also make sure nginx master runs with sufficient privileges.
>
> <Jeya> : Yes, application running with root privilege as specified in the
> conf file
>
> Also, the proxy_bind syntax is referred to in the link below.
>
> https://www.nginx.com/blog/ip-transparency-direct-server-return-nginx-plus-transparent-proxy/#proxy_bind
>
> proxy_bind $remote_addr:$remote_port transparent;
>
> > *Basically, in both methods, the remote client address was not used as a
> > source IP. I hope I missed some minor parts. Can someone help to resolve
> > this issue?*
> >
> > The following is the detailed configuration for your reference.
> >
> > *Method 1 :- proxy_protocol*
> >
> > *Configuration:*
> >
> > user root;
> > worker_processes 1;
> > error_log /var/log/nginx/error.log debug;
> > pid /var/run/nginx.pid;
> > events {
> >     worker_connections 1024;
> > }
> >
> > stream {
> >     server {
> >         listen 10.43.18.107:2231 udp;
> >         proxy_protocol on;
> >         proxy_pass 10.43.18.172:2231;
> >     }
> >     server {
> >         listen 10.43.18.107:67 udp;
> >         proxy_protocol on;
> >         proxy_pass 10.43.18.172:67;
> >     }
> >     server {
> >         listen 10.43.18.107:68 udp;
> >         proxy_protocol on;
> >         proxy_pass 10.43.18.172:68;
> >     }
> > }
> >
> > *TCPDUMP O/P :*
> >
> > *From LB:*
> >
> > 10:05:07.284259 IP 10.43.18.116.2231 > 10.43.18.107.2231: UDP, length 43
> > 10:05:07.284555 IP 10.43.18.107.51775 > 10.43.18.172.2231: UDP, length 91
> >
> > *From upstream [Custom application]:*
> >
> > 10:05:07.284442 IP 10.43.18.107.51775 > 10.43.18.172.2231: UDP, length 91
> >
> > *Method 2 :- proxy_bind*
> >
> > *Configuration:*
> >
> > user root;
> > worker_processes 1;
> > error_log /var/log/nginx/error.log debug;
> > pid /var/run/nginx.pid;
> > events {
> >     worker_connections 1024;
> > }
> >
> > stream {
> >     server {
> >         listen 10.43.18.107:2231 udp;
> >         proxy_bind $remote_addr:2231 transparent;
> >         proxy_pass 10.43.18.172:2231;
> >     }
> >     server {
> >         listen 10.43.18.107:67 udp;
> >         proxy_bind $remote_addr:67 transparent;
> >         proxy_pass 10.43.18.172:67;
> >     }
> >     server {
> >         listen 10.43.18.107:68 udp;
> >         proxy_bind $remote_addr:68 transparent;
> >         proxy_pass 10.43.18.172:68;
> >     }
> > }
> >
> > *Also, added the below rules:*
> >
> > ip rule add fwmark 1 lookup 100
> > ip route add local 0.0.0.0/0 dev lo table 100
> > iptables -t mangle -A PREROUTING -p udp -s 10.43.18.0/24 --sport 2231 -j MARK --set-xmark 0x1/0xffffffff
> > iptables -t mangle -A PREROUTING -p udp -s 10.43.18.0/24 --sport 67 -j MARK --set-xmark 0x1/0xffffffff
> > iptables -t mangle -A PREROUTING -p udp -s 10.43.18.0/24 --sport 68 -j MARK --set-xmark 0x1/0xffffffff
> >
> > However, still, the packet is sent from NGINX LB with its own IP, not with
> > the remote client IP address.
> >
> > *TCPDUMP O/P from LB:*
> >
> > 11:49:51.999829 IP 10.43.18.116.2231 > 10.43.18.107.2231: UDP, length 43
> > 11:49:52.000161 IP 10.43.18.107.2231 > 10.43.18.172.2231: UDP, length 43
> >
> > *TCPDUMP O/P from Upstream:*
> >
> > 11:49:52.001155 IP 10.43.18.107.2231 > 10.43.18.172.2231: UDP, length 43
> >
> > *Note:* I have followed the below link.
> >
> > https://www.nginx.com/blog/ip-transparency-direct-server-return-nginx-plus-transparent-proxy/
> >
> > _______________________________________________
> > nginx mailing list
> > nginx@nginx.org
> > http://mailman.nginx.org/mailman/listinfo/nginx
>
> --
> Roman Arutyunyan
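
Added example (not part of the thread and not nginx code): what an upstream receiver would have to do with the extra bytes discussed above, assuming the prepended header is a PROXY protocol v1 text line using the `TCP4` family token. With the addresses from the tcpdump output that line is 48 bytes, which matches the growth from 43 to 91. The names `strip_proxy_v1` and `TRUSTED_LB` and the sample payload are constructed for illustration.

```python
import ipaddress

TRUSTED_LB = "10.43.18.107"   # assumption: the only sender allowed to prepend a header
MAX_V1_LINE = 107             # longest PROXY v1 header line, CRLF included


def strip_proxy_v1(datagram: bytes, sender_ip: str):
    """Split a datagram into (client_ip, client_port, payload).

    Raises ValueError when the header is absent, malformed, or comes from a
    sender other than the trusted load balancer.
    """
    if sender_ip != TRUSTED_LB:
        raise ValueError("PROXY header from untrusted sender")
    if not datagram.startswith(b"PROXY "):
        raise ValueError("missing PROXY v1 signature")
    # The header is one CRLF-terminated ASCII line; never scan into the payload.
    end = datagram.find(b"\r\n", 0, MAX_V1_LINE)
    if end == -1:
        raise ValueError("unterminated PROXY v1 header")
    fields = datagram[:end].decode("ascii").split(" ")
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported PROXY v1 header")
    _, family, src, dst, sport, dport = fields
    want = 4 if family == "TCP4" else 6
    for addr in (src, dst):
        if ipaddress.ip_address(addr).version != want:
            raise ValueError("address family mismatch")
    for port in (sport, dport):
        if not port.isdigit() or int(port) > 65535:
            raise ValueError("bad port")
    return src, int(sport), datagram[end + 2:]


# Constructed sample: a 43-byte application payload behind the header line.
PAYLOAD = bytes(range(43))
SAMPLE = b"PROXY TCP4 10.43.18.116 10.43.18.107 2231 2231\r\n" + PAYLOAD

if __name__ == "__main__":
    ip, port, body = strip_proxy_v1(SAMPLE, TRUSTED_LB)
    print(len(SAMPLE), ip, port, len(body))
```

The sender check matters because any host that can reach the UDP port can prepend its own PROXY line and claim an arbitrary client address.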