barabasbe-commsignia opened a new issue, #12174:
URL: https://github.com/apache/apisix/issues/12174

   ### Current Behavior
   
   When providing nginx stream configuration through APISIX configuration snippet, containing `proxy_pass transparent` (for UDP), the attached error is observed, and the packet is not forwarded.
   
   **The same configuration works with `apache/apisix:3.11.0-redhat` image.**
   
   On the `debian` image, setting the required capabilities to nginx manually, and restarting the Docker container, the error no longer appears and the packets are forwarded:
   
   ```
   docker compose exec -it -u root gateway /bin/sh
   apt update
   apt install libcap2-bin
   setcap "cap_net_raw=ep cap_net_admin=ep" /usr/local/openresty/nginx/sbin/nginx
   exit
   docker compose restart gateway
   ```
   
   Underlying cause is presumed to be lack of superuser privileges for `nginx`, missing from the `debian` image, but present on the `redhat` image.
   
   ### Expected Behavior
   
   Expected to have the UDP packets forwarded without any problems.
   
   ### Error Logs
   
   ```
   gateway-1  | 2025/04/24 11:38:23 [alert] 51#51: *20807 setsockopt(IP_TRANSPARENT) failed (1: Operation not permitted) while connecting to upstream, udp client: 192.168.11.91, server: 0.0.0.0:42000, upstream: "172.17.1.21:42000", bytes from/to client:43/0, bytes from/to upstream:0/0
   ```
   
   ### Steps to Reproduce
   
   Configuration:
   
   `config.yml`
   
   ```
   apisix:
     enable_stream: true
     proxy_mode: http&stream
   
   ...
   
   nginx_config:
     stream_configuration_snippet: |
       server {
         listen 127.0.0.1:42000 udp;
         proxy_bind $remote_addr:$remote_port transparent;
         proxy_pass "message-service.host:42000";
       }
   ```
   
   ### Environment
   
   - APISIX version (run `apisix version`): Docker image `apache/apisix:3.11.0-debian`
   - Operating system (run `uname -a`): See Docker image
   - OpenResty / Nginx version (run `openresty -V` or `nginx -V`): See Docker image
   - etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`): No etcd (standalone configuration)
   - APISIX Dashboard version, if relevant: Not used
   - Plugin runner version, for issues related to plugin runners: See Docker image
   - LuaRocks version, for installation issues (run `luarocks --version`): See Docker image
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
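
To confirm whether the running nginx processes actually hold the capabilities that the `setcap` workaround in the issue grants, the effective capability mask can be read from `/proc`. The following is an added example, not part of the original issue or of APISIX; the function names are hypothetical, and it assumes a Linux `/proc` and processes named `nginx`.

```shell
#!/bin/sh
# Added diagnostic example; function names are hypothetical.
# Bit positions from <linux/capability.h>.
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# Print which of the two capabilities named in the setcap fix are set in a
# hex capability mask, such as the CapEff value in /proc/<pid>/status.
net_caps_in_mask() {
    mask=$((0x$1))
    found=""
    if [ $(( (mask >> CAP_NET_ADMIN) & 1 )) -eq 1 ]; then
        found="cap_net_admin"
    fi
    if [ $(( (mask >> CAP_NET_RAW) & 1 )) -eq 1 ]; then
        found="${found:+$found }cap_net_raw"
    fi
    echo "${found:-none}"
}

# Print the CapEff mask from status text (file argument, or stdin if none).
cap_eff_from_status() {
    awk '$1 == "CapEff:" { print $2 }' "$@" 2>/dev/null
}

# Constructed sample of the relevant /proc/<pid>/status lines.
sample_status() {
    printf 'Name:\tnginx\nCapEff:\t0000000000003000\n'
}

# List every process named nginx with its effective network capabilities.
report_nginx_caps() {
    for status in /proc/[0-9]*/status; do
        name=$(awk '$1 == "Name:" { print $2 }' "$status" 2>/dev/null)
        [ "$name" = "nginx" ] || continue
        eff=$(cap_eff_from_status "$status")
        [ -n "$eff" ] || continue
        pid=${status#/proc/}
        pid=${pid%/status}
        echo "pid $pid CapEff=$eff -> $(net_caps_in_mask "$eff")"
    done
}

echo "sample: $(net_caps_in_mask "$(sample_status | cap_eff_from_status)")"
report_nginx_caps
```

Run inside the gateway container, a worker that reports `none` is one for which `setsockopt(IP_TRANSPARENT)` will be refused as in the error log above.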
