Opened 3 years ago

Last modified 14 months ago

#1206 new enhancement

Proxy protocol server information is not surfaced

Reported by: pwillie@… Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.11.x
Keywords: proxy protocol Cc:
uname -a: Linux ingress-579214399-9bk5h 4.7.3-coreos-r2 #1 SMP Thu Feb 2 02:26:10 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.11.9 built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) built with OpenSSL 1.0.2g 1 Mar 2016 TLS SNI support enabled configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_sub_module --with-http_v2_module --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-file-aio --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --add-module=/tmp/build/ngx_devel_kit-0.3.0 --add-module=/tmp/build/set-misc-nginx-module-0.31 --add-module=/tmp/build/nginx-module-vts-0.1.11 --add-module=/tmp/build/lua-nginx-module-0.10.7 --add-module=/tmp/build/headers-more-nginx-module-0.32 --add-module=/tmp/build/nginx-goodies-nginx-sticky-module-ng-08a395c66e42 --add-module=/tmp/build/nginx-http-auth-digest-7955af9c77598c697ac292811914ce1e2b3b824c --add-module=/tmp/build/ngx_http_substitutions_filter_module-bc58cb11844bc42735bbaef7085ea86ace46d05b --add-module=/tmp/build/lua-upstream-nginx-module-0.06

Description

Setup:

AWS ELB -> Nginx -> Application server

ELB listening on port 80 and 443 doing SSL offloading and Proxy Protocol to expose client IP and enabling websockets.

Feature:

Would like to surface the proxy protocol server port so that Nginx config can employ logic based on SSL (port 443) or non SSL (port 80) connections.

Change History (4)

comment:1 Changed 3 years ago by josh4trunks@…

It would be useful to have something like "proxy_protocol_destination_port" that contains the 'destination port' from http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
An admin can use this to know if a connection is secure or not without tricks like "X-Forwarded-Proto".

If that is implemented, another option is if we want 'real_ip_header proxy_protocol' to set $server_port
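To make concrete what the 'destination port' in the PROXY protocol header is and how a receiver would turn it into a scheme decision, here is a small parser for the v1 text header from the spec linked above. It is an added example, not nginx code or a patch for this ticket; the sample headers and the 10.0.1.20 / 203.0.113.7 addresses are constructed, and the 443-means-TLS mapping is an assumption that mirrors the ELB setup in the description.

```python
import re

# Constructed sample streams as an ELB with Proxy Protocol enabled would hand
# them to nginx: a PROXY v1 line, then the client's first bytes.
SAMPLE_HTTPS = b"PROXY TCP4 203.0.113.7 10.0.1.20 51234 443\r\nGET / HTTP/1.1\r\n"
SAMPLE_HTTP = b"PROXY TCP4 203.0.113.7 10.0.1.20 51235 80\r\nGET / HTTP/1.1\r\n"
SAMPLE_UNKNOWN = b"PROXY UNKNOWN\r\nGET / HTTP/1.1\r\n"

# v1 line: PROXY <TCP4|TCP6> <src addr> <dst addr> <src port> <dst port> CRLF
_V1_RE = re.compile(rb"^PROXY (TCP4|TCP6) (\S+) (\S+) (\d{1,5}) (\d{1,5})\r\n")
_V1_MAX_LEN = 107  # spec: a v1 line never exceeds 107 bytes including CRLF


def parse_proxy_v1(data: bytes):
    """Split a PROXY v1 header off the start of a TCP stream.

    Returns (info, rest): info is a dict of the proxied addresses/ports, or
    None for a "PROXY UNKNOWN" header; rest is the payload after the header.
    Raises ValueError on a malformed header, which the spec says must make
    the receiver drop the connection rather than guess. Only call this on
    connections from the trusted load balancer, never on arbitrary peers.
    """
    if data.startswith(b"PROXY UNKNOWN\r\n"):
        return None, data[len(b"PROXY UNKNOWN\r\n"):]
    head, sep, _ = data[:_V1_MAX_LEN].partition(b"\r\n")
    if not sep:
        raise ValueError("no CRLF within 107 bytes: not a PROXY v1 header")
    m = _V1_RE.match(head + b"\r\n")
    if not m:
        raise ValueError("malformed PROXY v1 header: %r" % head)
    family, src, dst, sport, dport = m.groups()
    sport, dport = int(sport), int(dport)
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range in PROXY header")
    info = {"family": family.decode(), "src_addr": src.decode(),
            "dst_addr": dst.decode(), "src_port": sport, "dst_port": dport}
    return info, data[len(head) + 2:]


def scheme_from_proxy_header(info, tls_ports=(443,)):
    """Map the destination port (the ELB listener the client hit) to the
    scheme the client actually used. Returns None for an UNKNOWN header so a
    connection without proxied addresses is never mistaken for a TLS one."""
    if info is None:
        return None
    return "https" if info["dst_port"] in tls_ports else "http"
```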

comment:2 Changed 2 years ago by mdounin

See also #1428.

comment:3 follow-up: Changed 14 months ago by andrew.kubos.co@…

I agree that this feels like a significant missing feature. Without this, there's no way to tell on an AWS ELB in SSL -> TCP mode whether you're receiving an unwrapped SSL or TCP connection, so you cannot implement http -> https redirection (for websockets, for example).

comment:4 in reply to: comment 3 Changed 14 months ago by mdounin

Replying to andrew.kubos.co@…:

Without this, there's no way to tell on an AWS ELB in SSL -> TCP mode whether you're receiving an unwrapped SSL or TCP connection, so you cannot implement http -> https redirection (for websockets, for example).

It should be trivial to configure distinct listening sockets on nginx side for different ports on ELB side. While a variable for destination port as available in the PROXY protocol might help to simplify some configurations, it doesn't look like there is "no way" to do something.
