Opened 8 years ago
Closed 5 years ago
#1206 closed enhancement (fixed)
Proxy protocol server information is not surfaced
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-core | Version: | 1.11.x |
Keywords: | proxy protocol | Cc: | |
uname -a: | Linux ingress-579214399-9bk5h 4.7.3-coreos-r2 #1 SMP Thu Feb 2 02:26:10 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.11.9
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) built with OpenSSL 1.0.2g 1 Mar 2016 TLS SNI support enabled configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_sub_module --with-http_v2_module --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-file-aio --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --add-module=/tmp/build/ngx_devel_kit-0.3.0 --add-module=/tmp/build/set-misc-nginx-module-0.31 --add-module=/tmp/build/nginx-module-vts-0.1.11 --add-module=/tmp/build/lua-nginx-module-0.10.7 --add-module=/tmp/build/headers-more-nginx-module-0.32 --add-module=/tmp/build/nginx-goodies-nginx-sticky-module-ng-08a395c66e42 --add-module=/tmp/build/nginx-http-auth-digest-7955af9c77598c697ac292811914ce1e2b3b824c --add-module=/tmp/build/ngx_http_substitutions_filter_module-bc58cb11844bc42735bbaef7085ea86ace46d05b --add-module=/tmp/build/lua-upstream-nginx-module-0.06 |
Description
Setup:
AWS ELB -> Nginx -> Application server
ELB listening on port 80 and 443 doing SSL offloading and Proxy Protocol to expose client IP and enabling websockets.
Feature:
Would like to surface the proxy protocol server port so that Nginx config can employ logic based on SSL (port 443) or non SSL (port 80) connections.
Change History (6)
comment:1 by , 8 years ago
follow-up: 4 comment:3 by , 6 years ago
I agree that this feels like a significant missing feature. Without this, there's no way to tell on an AWS ELB in SSL -> TCP mode whether you're receiving an unwrapped SSL or TCP connection, so you cannot implement http -> https redirection (for websockets, for example).
comment:4 by , 6 years ago
Replying to andrew.kubos.co@…:
> Without this, there's no way to tell on an AWS ELB in SSL -> TCP mode whether you're receiving an unwrapped SSL or TCP connection, so you cannot implement http -> https redirection (for websockets, for example).
It should be trivial to configure distinct listening sockets on nginx side for different ports on ELB side. While a variable for destination port as available in the PROXY protocol might help to simplify some configurations, it doesn't look like there is "no way" to do something.
comment:6 by , 5 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
It would be useful to have something like "proxy_protocol_destination_port" that contains the 'destination port' from http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
An admin can use this to know if a connection is secure or not without tricks like "X-Forwarded-Proto".
If that is implemented, another option is if we want 'real_ip_header proxy_protocol' to set $server_port.
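An added configuration sketch, not taken from the ticket or from the nginx project, showing the two approaches discussed above: one listening socket per ELB listener (comment:4), and a single socket that branches on the destination port carried in the PROXY protocol header. The ports, the `10.0.0.0/16` load balancer subnet, `example.com` and the backend address are constructed values, and the last server block assumes an nginx build that provides the `$proxy_protocol_server_port` variable.

```nginx
events {}

http {
    # Take the client address from the PROXY header only when the TCP peer
    # is the load balancer (constructed subnet), never from arbitrary hosts.
    set_real_ip_from 10.0.0.0/16;
    real_ip_header   proxy_protocol;

    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # Approach from comment:4. ELB listener 80 forwards to 8080,
    # ELB listener 443 (TLS terminated at the ELB) forwards to 8443.
    server {
        listen 8080 proxy_protocol;
        server_name example.com;
        return 301 https://$host$request_uri;
    }

    server {
        listen 8443 proxy_protocol;
        server_name example.com;

        location / {
            # Set by nginx from the socket the connection arrived on, so a
            # client-supplied X-Forwarded-Proto header is overwritten.
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-For   $proxy_protocol_addr;
            proxy_set_header Host              $host;
            proxy_http_version 1.1;
            proxy_set_header Upgrade    $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_pass http://127.0.0.1:3000;
        }
    }

    # Single-socket variant: both ELB listeners forward to 8000 and the
    # destination port from the PROXY header decides the redirect.
    server {
        listen 8000 proxy_protocol;
        server_name example.com;
        if ($proxy_protocol_server_port = 80) {
            return 301 https://$host$request_uri;
        }
        location / { proxy_pass http://127.0.0.1:3000; }
    }
}
```

In both variants the nginx ports should be reachable only from the load balancer, since any peer that can connect directly can send its own PROXY header.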