Opened 2 years ago

Closed 2 years ago

#1543 closed defect (worksforme)

UDP proxy with "proxy_protocol on" resends empty udp packet

Reported by: dkovalen@…
Owned by:
Priority: major
Milestone:
Component: nginx-module
Version: 1.10.x
Keywords:
Cc:
uname -a: Linux narodmon.ru 2.6.32-696.23.1.el6.x86_64 #1 SMP Tue Mar 13 22:44:18 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.10.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/var/run/nginx.pid --lock-path=/var/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --with-ld-opt=' -Wl,-E'

Description

Good day.

I'm using stable nginx 1.10.2 from the repository for CentOS 6.9.
I need to use nginx as a TCP/UDP proxy with proxy_protocol to retransmit the client's IP to the destination instead of the proxy's IP.

The TCP/UDP proxy part of nginx.conf is:

stream {

    server {
        listen 1234;
        proxy_connect_timeout 2s;
        proxy_timeout 10s;
        proxy_protocol on;
        proxy_pass dest.server:1234;
    }

    server {
        listen 1234 udp;
        proxy_connect_timeout 2s;
        proxy_timeout 10s;

        # proxy_protocol on;

        proxy_responses 0;
        proxy_pass dest.server:1234;
    }
}

The TCP proxy works well: packets are resent normally with the first line "PROXY IP1 IP2...", but the UDP proxy resends only the first line "PROXY IP1 IP2..." with an empty UDP packet body.

If I uncomment the "proxy_protocol on" line in the UDP proxy configuration, packets are resent normally with a non-empty body, but without the PROXY header that I need.

The "proxy_responses 0" line does not affect anything.

Change History (1)

comment:1 by Maxim Dounin, 2 years ago

Resolution: worksforme
Status: new → closed

In nginx versions prior to 1.11.5, nginx sends the PROXY protocol header as a separate packet when used with UDP. This was changed as a side effect of introducing request filters in the stream module in 56fc55e32f23. In all supported versions, the PROXY protocol header is sent in the same UDP packet as the original packet contents.

(Note well that the PROXY protocol specification doesn't really define how UDP should be handled, so it might not be a good idea to use it with UDP.)
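
The two behaviours described in comment:1, seen from the backend's side, as an added example that is not part of the ticket or of nginx. It assumes the text (v1) PROXY header with the TCP4/TCP6/UNKNOWN tokens from the PROXY protocol specification; the function names and the sample datagrams are constructed for illustration.

```python
import ipaddress

V1_MAX = 107  # longest v1 header line, CRLF included, per the PROXY protocol spec


def _port(text):
    if not text.isdigit() or int(text) > 65535:
        raise ValueError("bad port")
    return int(text)


def split_proxy_v1(datagram):
    """Split one UDP datagram into (src, dst, payload).

    src and dst are (ip, port) tuples, or None for "PROXY UNKNOWN".
    Raises ValueError when the datagram does not start with a valid v1 header.
    """
    if not datagram.startswith(b"PROXY "):
        raise ValueError("no PROXY v1 header")
    end = datagram.find(b"\r\n", 0, V1_MAX)
    if end < 0:
        raise ValueError("header not terminated within 107 bytes")
    fields = datagram[:end].decode("ascii").split(" ")
    payload = datagram[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, None, payload
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed header")
    src_ip = ipaddress.ip_address(fields[2])
    dst_ip = ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src_ip.version != want or dst_ip.version != want:
        raise ValueError("address family mismatch")
    return (str(src_ip), _port(fields[4])), (str(dst_ip), _port(fields[5])), payload


def classify(datagram):
    """Label a datagram the way the backend behind the proxy would see it."""
    try:
        src, _dst, payload = split_proxy_v1(datagram)
    except ValueError:
        return "no-header", None, datagram
    return ("header+payload" if payload else "header-only"), src, payload


# Constructed sample datagrams (documentation addresses, not from the ticket).
HEADER = b"PROXY TCP4 192.0.2.10 198.51.100.5 40000 1234\r\n"
SAME_PACKET = HEADER + b"temp=21.5"   # header and data in one datagram
SEPARATE = [HEADER, b"temp=21.5"]     # header alone, data in a later datagram
```

A "header-only" result corresponds to the separate header packet described for versions prior to 1.11.5; because UDP guarantees neither delivery nor ordering, a backend cannot reliably pair such a header with the "no-header" datagram that follows.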
