proxy protocol over a plain tcp with ssl

Posted by nir 
nir
proxy protocol over a plain tcp with ssl
January 11, 2018 02:30PM
I'm trying to configure nginx which is behind an haproxy to pass the proxy
protocol over a plain tcp connection. It works well.
When I add ssl to the equation it fails. Below is the nginx configuration
block I'm using.
Is it a configuration issue, or might it be that it's not at all possible for
nginx to pass proxy protocol with ssl if the connection is not strictly
https?


stream {
    upstream some_backend {
        server some_host:18010;
    }

    server {
        listen 8010;
        listen 8012 ssl;
        proxy_pass some_backend;
        proxy_protocol on;

        ssl_certificate /etc/ssl/server.crt;
        ssl_certificate_key /etc/ssl/server.key;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_session_cache shared:SSLTCP:20m;
        ssl_session_timeout 4h;
        ssl_handshake_timeout 30s;
    }
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278113,278113#msg-278113

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Roman Arutyunyan
Re: proxy protocol over a plain tcp with ssl
January 11, 2018 06:30PM
Hi,

On Thu, Jan 11, 2018 at 08:22:47AM -0500, nir wrote:
> I'm trying to configure nginx which is behind an haproxy to pass the proxy
> protocol over a plain tcp connection. It works well.
> When I add ssl to the equation it fails. Below is the nginx configuration
> block I'm using.
> Is it a configuration issue, or might it be that it's not at all possible for
> nginx to pass proxy protocol with ssl if the connection is not strictly
> https?

It's not clear what exactly is not working, can you elaborate on that?

Just in case, PROXY protocol header is always sent (and expected) by nginx
prior to anything else. For SSL connections, PROXY protocol header is sent
prior to SSL handshake and is not encrypted.

> stream {
>     upstream some_backend {
>         server some_host:18010;
>     }
>
>     server {
>         listen 8010;
>         listen 8012 ssl;
>         proxy_pass some_backend;
>         proxy_protocol on;
>
>         ssl_certificate /etc/ssl/server.crt;
>         ssl_certificate_key /etc/ssl/server.key;
>         ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
>         ssl_ciphers HIGH:!aNULL:!MD5;
>         ssl_session_cache shared:SSLTCP:20m;
>         ssl_session_timeout 4h;
>         ssl_handshake_timeout 30s;
>     }
> }
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278113,278113#msg-278113

--
Roman Arutyunyan
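
Added example, not part of the thread and not nginx code: a small Python check of the first bytes on a connection, illustrating the point in the reply above that the PROXY protocol header arrives in cleartext before the TLS handshake. The function names and the sample bytes and addresses are constructed for illustration; only the v1 text header is parsed, the binary v2 header is merely recognised.

```python
import ipaddress

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte PROXY protocol v2 magic

def looks_like_tls(data: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), major version 0x03
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03

def parse_proxy_v1(data: bytes):
    """Parse a PROXY v1 line; return (fields, bytes that follow the header)."""
    end = data.find(b"\r\n", 0, 107)  # the v1 line is at most 107 bytes with CRLF
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("no complete PROXY v1 line")
    parts = data[:end].decode("ascii").split(" ")
    if parts[1] == "UNKNOWN":
        return {"family": "UNKNOWN"}, data[end + 2:]
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 line")
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    sport, dport = int(parts[4]), int(parts[5])
    if src.version != dst.version or src.version != int(parts[1][3]):
        raise ValueError("address family mismatch")
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    fields = {"family": parts[1], "src": (str(src), sport), "dst": (str(dst), dport)}
    return fields, data[end + 2:]

def inspect_first_bytes(data: bytes) -> dict:
    """Describe what a listener receives first on a new connection."""
    if data.startswith(V2_SIGNATURE):
        return {"proxy": "v2", "src": None, "tls_follows": None}  # v2 body not parsed here
    if data.startswith(b"PROXY "):
        fields, rest = parse_proxy_v1(data)
        return {"proxy": "v1", "src": fields.get("src"), "tls_follows": looks_like_tls(rest)}
    return {"proxy": None, "src": None, "tls_follows": looks_like_tls(data)}

# Constructed sample: first bytes of a TLS handshake record (truncated ClientHello).
TLS_START = bytes.fromhex("16030100c8010000c40303")
# Constructed sample: what a sender using PROXY v1 puts on the wire before that.
WITH_HEADER = b"PROXY TCP4 192.0.2.10 198.51.100.5 51234 8012\r\n" + TLS_START

if __name__ == "__main__":
    print(inspect_first_bytes(WITH_HEADER))
    print(inspect_first_bytes(TLS_START))
    print("parsed as bare TLS:", looks_like_tls(WITH_HEADER))
```

A TLS endpoint that has not been told to expect the header sees the letter "P" where the handshake record should start, which is what the last line of the output shows.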
nir
Re: proxy protocol over a plain tcp with ssl
January 11, 2018 07:30PM
Hi Roman,
I'm trying to pass the proxy protocol to my backend through Nginx when the
traffic is encrypted.

This configuration block:

    listen 8012;
    proxy_pass backend;
    proxy_protocol on;

allows me to pass non-encrypted traffic and the proxy protocol.

This configuration block:

    listen 8012 proxy_protocol ssl;
    proxy_pass backend;

allows me to pass encrypted traffic to my backend, but the proxy protocol is
not passed.

This configuration block:

    listen 8012 ssl;
    proxy_pass backend;
    proxy_protocol on;

fails on SSL handshake.

The last configuration block was my first attempt and I expected it to
work.
The first two are debug attempts.
If you can tell me why the last one doesn't work and how it can be fixed, it
will help a lot.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278113,278124#msg-278124

nir
Re: proxy protocol over a plain tcp with ssl
January 12, 2018 01:30AM
Well, seems that you need to read the manual with the right perspective...
https://stackoverflow.com/questions/48211083/proxy-protocol-and-ssl

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278113,278128#msg-278128
