Opened 3 years ago

Closed 3 months ago

#1206 closed enhancement (fixed)

Proxy protocol server information is not surfaced

Reported by: pwillie@… Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.11.x
Keywords: proxy protocol Cc:
uname -a: Linux ingress-579214399-9bk5h 4.7.3-coreos-r2 #1 SMP Thu Feb 2 02:26:10 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.11.9
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4)
built with OpenSSL 1.0.2g 1 Mar 2016
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_sub_module --with-http_v2_module --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-file-aio --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --add-module=/tmp/build/ngx_devel_kit-0.3.0 --add-module=/tmp/build/set-misc-nginx-module-0.31 --add-module=/tmp/build/nginx-module-vts-0.1.11 --add-module=/tmp/build/lua-nginx-module-0.10.7 --add-module=/tmp/build/headers-more-nginx-module-0.32 --add-module=/tmp/build/nginx-goodies-nginx-sticky-module-ng-08a395c66e42 --add-module=/tmp/build/nginx-http-auth-digest-7955af9c77598c697ac292811914ce1e2b3b824c --add-module=/tmp/build/ngx_http_substitutions_filter_module-bc58cb11844bc42735bbaef7085ea86ace46d05b --add-module=/tmp/build/lua-upstream-nginx-module-0.06

Description

Setup:

AWS ELB -> Nginx -> Application server

ELB listening on ports 80 and 443, doing SSL offloading and using Proxy Protocol to expose the client IP and enable websockets.

Feature:

Would like to surface the proxy protocol server port so that the Nginx config can employ logic based on SSL (port 443) or non-SSL (port 80) connections.

Change History (6)

comment:1 by josh4trunks@…, 3 years ago

It would be useful to have something like "proxy_protocol_destination_port" that contains the 'destination port' from http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
An admin can use this to know if a connection is secure or not without tricks like "X-Forwarded-Proto".

If that is implemented, another option is whether we want 'real_ip_header proxy_protocol' to set $server_port.

comment:2 by Maxim Dounin, 2 years ago

See also #1428.

comment:3 by andrew.kubos.co@…, 17 months ago

I agree that this feels like a significant missing feature. Without this, there's no way to tell on an AWS ELB in SSL -> TCP mode whether you're receiving an unwrapped SSL or TCP connection, so you cannot implement http -> https redirection (for websockets, for example).

in reply to: comment:3 — comment:4 by Maxim Dounin, 17 months ago

Replying to andrew.kubos.co@…:

Without this, there's no way to tell on an AWS ELB in SSL -> TCP mode whether you're receiving an unwrapped SSL or TCP connection, so you cannot implement http -> https redirection (for websockets, for example).

It should be trivial to configure distinct listening sockets on nginx side for different ports on ELB side. While a variable for destination port as available in the PROXY protocol might help to simplify some configurations, it doesn't look like there is "no way" to do something.
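The "distinct listening sockets" approach from comment 4, written out as an added example (this is not configuration from the ticket or from nginx itself). It assumes the ELB's port 80 listener forwards to nginx on 8080 and its TLS-terminating port 443 listener forwards to nginx on 8443, both in TCP mode with PROXY protocol enabled, that the ELB lives in 10.0.0.0/8, and that the application listens on 127.0.0.1:3000; all of those values are placeholders.

```nginx
# Added example: one nginx listener per ELB listener, so the nginx port alone
# tells you whether the ELB accepted the connection in the clear or over TLS.
# Assumed topology: ELB :80 -> nginx :8080, ELB :443 (TLS offloaded) -> nginx :8443.
#
# Both proxy_protocol ports must be reachable only from the ELB (security group /
# firewall). Anything that can open a TCP connection to a proxy_protocol listener
# can send a forged PROXY header and impersonate any client address.

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream app_backend {
    server 127.0.0.1:3000;          # application server (assumed)
}

# Plain-HTTP side of the ELB: nothing is served here, everything is redirected.
server {
    listen 8080 proxy_protocol;
    server_name example.com;        # assumed

    set_real_ip_from 10.0.0.0/8;    # ELB subnet (assumed); realip only trusts these peers
    real_ip_header  proxy_protocol; # $remote_addr becomes the PROXY-header source address

    return 301 https://$host$request_uri;
}

# TLS side of the ELB (already decrypted): serve the application, websockets included.
server {
    listen 8443 proxy_protocol;
    server_name example.com;        # assumed

    set_real_ip_from 10.0.0.0/8;
    real_ip_header  proxy_protocol;

    location / {
        proxy_pass http://app_backend;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Forwarded-For $proxy_protocol_addr;
        proxy_set_header X-Forwarded-Proto https;   # fixed: this port only gets TLS-offloaded traffic
    }
}
```

The scheme is derived from which nginx port the ELB connected to, not from any header the client controls, which is what makes this safe to use for the https redirect. The price is that every ELB listener needs its own nginx listener and its own copy of the shared directives.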

comment:5 by Roman Arutyunyan <arut@…>, 3 months ago

In 7591:89adf49fe76a/nginx:

Parsing server PROXY protocol address and port (ticket #1206).

New variables $proxy_protocol_server_addr and $proxy_protocol_server_port are
added both to HTTP and Stream.
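With the variables from changeset 7591 (shipped in nginx 1.17.6) the same decision can be made on a single listener. The following is an added example, not configuration from the ticket or the changeset; it assumes both ELB listeners (port 80 in the clear, port 443 with TLS offloaded) forward to nginx on 8080 with PROXY protocol, that the ELB lives in 10.0.0.0/8, and that the application listens on 127.0.0.1:3000.

```nginx
# Added example: one proxy_protocol listener, branching on the ELB-side
# destination port carried in the PROXY header ($proxy_protocol_server_port).
# Assumed topology: ELB :80 and ELB :443 (TLS offloaded) -> nginx :8080.
#
# Caveat: $proxy_protocol_server_port is parsed from the PROXY header of whoever
# connected to port 8080, so the port must be reachable only from the ELB.
# set_real_ip_from limits what realip rewrites; it does not stop a direct
# client from sending a header that claims destination port 443.

map $proxy_protocol_server_port $elb_scheme {
    443     https;
    default http;
}

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Log both ends of the PROXY header; this is the quickest way to confirm it parses.
log_format elb '$proxy_protocol_addr:$proxy_protocol_port -> '
               '$proxy_protocol_server_addr:$proxy_protocol_server_port '
               '$elb_scheme "$request" $status';

server {
    listen 8080 proxy_protocol;
    server_name example.com;        # assumed
    access_log /var/log/nginx/elb.log elb;

    set_real_ip_from 10.0.0.0/8;    # ELB subnet (assumed)
    real_ip_header  proxy_protocol;

    # Only connections the ELB accepted on its port 80 get redirected.
    # "if" with a bare "return" in server context is the supported form.
    if ($elb_scheme = http) {
        return 301 https://$host$request_uri;
    }

    location / {
        proxy_pass http://127.0.0.1:3000;   # application server (assumed)
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Forwarded-For $proxy_protocol_addr;
        proxy_set_header X-Forwarded-Proto $elb_scheme;
    }
}
```

The `map` keeps the port-to-scheme decision in one place, so the redirect, the access log and the `X-Forwarded-Proto` header sent upstream all agree. In the Stream module the same two variables are available for use in `log_format` or `map`, but the http-to-https redirect itself is an HTTP-level action and belongs in the http block shown here.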

comment:6 by Roman Arutyunyan, 3 months ago

Resolution: fixed
Status: new → closed