PROXY protocol to upstream server

Posted by Danila Vershinin 
Danila Vershinin
PROXY protocol to upstream server
August 12, 2018 10:40PM
Hi,

It seems that nginx can accept PROXY protocol fine, but when it comes to forwarding, it can only do so within a stream { server { … proxy_protocol on; } }.

Are there any plans to add proxy_protocol on; for regular HTTP server blocks so it can be used alongside proxy_pass? This would come in very handy in a situation where NGINX is used as SSL terminator, e.g.:

NGINX (SSL) → (Proxy protocol) → Varnish.

Varnish supports accepting PROXY protocol.


Best Regards,
Danila

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Maxim Dounin
Re: PROXY protocol to upstream server
August 12, 2018 11:20PM
Hello!

On Sun, Aug 12, 2018 at 11:33:25PM +0300, Danila Vershinin wrote:

> It seems that nginx can accept PROXY protocol fine, but when it
> comes to forwarding, it can only do so within a stream {
> server { … proxy_protocol on; } }.
>
> Are there any plans to add proxy_protocol on; for regular HTTP
> server blocks so it can be used alongside proxy_pass? This would
> come in very handy in a situation where NGINX is used as SSL
> terminator, e.g.:
>
> NGINX (SSL) → (Proxy protocol) → Varnish.
>
> Varnish supports accepting PROXY protocol.

There are no such plans, because in HTTP the same connection can
be used for requests from different clients. Consider using
X-Forwarded-For instead.

--
Maxim Dounin
http://mdounin.ru/
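
[Added example, not part of the thread and not nginx code.] The reply above turns on the PROXY protocol header being sent once per connection, while an HTTP upstream connection can carry requests from several clients. The sketch below parses a constructed upstream byte stream (a hypothetical PROXY v1 line followed by two keep-alive requests; all addresses are made-up documentation values) and shows the address each mechanism would attribute to every request.

```python
# Added illustration; addresses and requests below are constructed sample data.

def parse_proxy_v1(stream: bytes):
    """Split a PROXY protocol v1 line off the front of a connection's bytes."""
    line, sep, rest = stream.partition(b"\r\n")
    fields = line.decode("ascii").split(" ")
    # v1 line: PROXY <TCP4|TCP6> <src> <dst> <sport> <dport>, at most
    # 107 bytes including the CRLF, sent once when the connection opens.
    if (not sep or len(line) > 105 or len(fields) != 6
            or fields[0] != "PROXY" or fields[1] not in ("TCP4", "TCP6")):
        raise ValueError("not a PROXY v1 header")
    return fields[2], rest


def split_requests(data: bytes):
    """Yield (request_line, headers) for body-less requests on one connection."""
    for block in filter(None, data.split(b"\r\n\r\n")):
        first, *header_lines = block.decode("ascii").split("\r\n")
        headers = {}
        for h in header_lines:
            name, _, value = h.partition(":")
            headers[name.strip().lower()] = value.strip()
        yield first, headers


def attribute(stream: bytes):
    """Return (path, address per PROXY header, address per X-Forwarded-For)."""
    conn_addr, rest = parse_proxy_v1(stream)
    out = []
    for request_line, headers in split_requests(rest):
        # Only the last X-Forwarded-For entry was appended by the trusted proxy;
        # anything to its left came from the client and may be spoofed.
        xff = headers.get("x-forwarded-for", "").split(",")[-1].strip()
        out.append((request_line.split(" ")[1], conn_addr, xff))
    return out


# Constructed upstream connection: one PROXY line, then two keep-alive requests
# that the proxy forwarded for two different clients.
SAMPLE = (
    b"PROXY TCP4 198.51.100.7 192.0.2.10 40112 80\r\n"
    b"GET /a HTTP/1.1\r\nHost: foo.example.com\r\n"
    b"X-Forwarded-For: 198.51.100.7\r\n\r\n"
    b"GET /b HTTP/1.1\r\nHost: foo.example.com\r\n"
    b"X-Forwarded-For: 10.9.9.9, 203.0.113.25\r\n\r\n"
)

if __name__ == "__main__":
    for row in attribute(SAMPLE):
        print(row)
```

The second request is attributed to 198.51.100.7 by the connection-level header but to 203.0.113.25 by the per-request header; the backend should accept X-Forwarded-For only on connections coming from the proxy it trusts.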
Danila Vershinin
Re: PROXY protocol to upstream server
August 13, 2018 12:40AM
Hi Maxim,

I understand. The follow-up question is:

Is NGINX capable of presenting clients with a different SSL certificate based on SNI?
As in:

stream {
    server {
        ssl_certificate foo.example.com.crt;
        ssl_certificate bar.example.com.crt;
        ...
    }
}

Best Regards,
Danila

Maxim Dounin
Re: PROXY protocol to upstream server
August 13, 2018 04:30PM
Hello!

On Mon, Aug 13, 2018 at 01:38:38AM +0300, Danila Vershinin wrote:

> I understand. The follow-up question is:
>
> Is NGINX capable of presenting clients with a different SSL certificate based on SNI?
> As in:
>
> stream {
>     server {
>         ssl_certificate foo.example.com.crt;
>         ssl_certificate bar.example.com.crt;
>         ...
>     }
> }

No, currently there is no SNI support in the stream module (except
$ssl_preread_server_name in the stream ssl preread module, see
http://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html).

--
Maxim Dounin
http://mdounin.ru/