Hi Ivan,

> On 30 Oct 2023, at 16:05, Rozhuk Ivan <rozhuk...@gmail.com> wrote:
> 
> Hi!
> 
> I got an incorrect proxy header:
> PROXY TCP4 172.16.0.208 unix:/var/run/nginx_443_test.sock 9795 0\r\nSSH-2.0-OpenSSH_9.3\r\n
> 
> Expected:
> PROXY TCP4 172.16.0.208 172.16.0.254 9795 443\r\nSSH-2.0-OpenSSH_9.3\r\n
> 
> 
> 
> My config:
> 172.16.0.208 - initiator and tcp server on 4443 port.
> 172.16.0.254 - nginx host
> 
> initiator:
> ssh root@172.16.0.254 -p 443
> 
> tcp server on 4443: any app that can accept tcp and print received data.
> 
> 
> nginx config:
> ========================================
> # Set default for TLS and non TLS connections.
> map $ssl_preread_protocol $upstream_proto_val {
>       ""                      unix:/var/run/nginx_443_test.sock;
>       default                 unix:/var/run/nginx_443_http.sock;
> }
> 
> # ALPN map table.
> map $ssl_preread_alpn_protocols $upstream_alpn_val {
>       default                 $upstream_proto_val;
>       "xmpp-client"           unix:/var/run/nginx_443_xmpp.sock;
>       "xmpps-client"          unix:/var/run/nginx_443_xmpp.sock;
>       "stun.turn"             unix:/var/run/nginx_443_stun.sock;
>       "stun.nat-discovery"    unix:/var/run/nginx_443_stun.sock;
> }
> 
> 
> # ALPN router.
> server {
>       listen          *:443 rcvbuf=1m sndbuf=1m so_keepalive=30m::10;
>       listen          [::]:443 rcvbuf=1m sndbuf=1m so_keepalive=30m::10 ipv6only=on;
> 
>       ssl_preread     on;
>       #proxy_protocol $proxy_protocol_val;
>       proxy_protocol  on;
>       proxy_pass      $upstream_alpn_val;
> }
> 
> 
> server {
>       listen                          unix:/var/run/nginx_443_test.sock proxy_protocol rcvbuf=1m sndbuf=1m;
> 
>       set_real_ip_from                unix:;
> 
>       proxy_protocol                  on;
>       proxy_pass                      172.16.0.208:4443;
> }
> 
> # Strip proxy protocol for xmpp.
> server {
>       listen                          unix:/var/run/nginx_443_xmpp.sock proxy_protocol rcvbuf=1m sndbuf=1m;
> 
>       proxy_protocol                  off;
>       proxy_pass                      127.0.0.1:5223;
> }
> 
> ========================================
> 
> 
> PS: it would be very nice if "proxy_protocol $proxy_protocol_val;" worked.
> It does not accept vars, only static values from the config.

Currently the realip module only changes the client address (c->sockaddr) and
leaves the server address (c->local_sockaddr) unchanged.
The behavior is the same for Stream and HTTP and is explained by the fact that
initially the module only supported HTTP fields like X-Real-IP and
X-Forwarded-For, which carry only the client address.

Indeed, it does look inconsistent in scenarios like yours, when the address
families are different. But do you really need the server address, or are you
just highlighting the inconsistency?

----
Roman Arutyunyan
a...@nginx.com




_______________________________________________
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx
