Opened 6 years ago
Last modified 2 years ago
#1639 new enhancement
Add support for writing PROXY protocol v2 to upstream
Reported by: | | Owned by: |
---|---|---|---
Priority: | minor | Milestone: |
Component: | nginx-core | Version: | 1.15.x
Keywords: | proxy protocol proxy-protocol proxy_protocol | Cc: |
uname -a: | | nginx -V: |
Description
With nginx 1.13.11, support for reading version 2 of the PROXY protocol (the binary variant) was added. nginx also allows writing the PROXY protocol to a TCP upstream with the "proxy_protocol on;" setting in a server block. However, it seems like this is always version 1. (Implemented as ngx_proxy_protocol_write in ngx_proxy_protocol.c.)
It would be great if version 2 would be supported as well. Maybe configurable by specifying an integer in the configuration "proxy_protocol 2;". Are there any plans to implement this?
Change History (11)
comment:1 by , 6 years ago
comment:2 by , 6 years ago
I guess the main reason would be that it's faster to parse, especially with IPv6 addresses. I can't find a patch in the mailing list archive.
comment:3 by , 6 years ago
> I guess the main reason would be that it's faster to parse, especially with IPv6 addresses.
In our practice, version 1 is actually much easier to parse. As for the speed, I haven't seen any numbers - likely because it's not something measurable compared to the connection costs.
> I can't find a patch in the mailing list archive.
This was an internal patch, it wasn't in the mailing list.
comment:4 by , 6 years ago
Fair enough. I also don't have any numbers at the moment and I guess I can live with v1 for the time being. I guess this can be closed. Thanks for your replies!
comment:5 by , 4 years ago
The extra benefit of PROXY protocol version 2 support is the additional TLV support. It can be used by front-end SSL offloaders (theoretically Nginx) to forward client certificate information to back-end servers for non-HTTP protocols. One such example usage is the VerneMQ MQTT broker, which can make use of PROXY protocol v2 to obtain client certificate details for identity and authorization.
Deployment on Kubernetes becomes more and more popular and it is very useful to utilize the same ingress (Nginx-ingress, which basically is configuring and supervising a regular Nginx instance) for SSL termination of non-HTTP protocols as well.
comment:6 by , 4 years ago
Second that, TLS support, so that non-http upstream servers can know if the connection was made with TLS or not, and can report TLS version and TLS cipher being used correctly.
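The two wire formats under discussion, as an added example that is not part of this ticket and is neither nginx's code nor the patch posted later in the thread: a small Python encoder for the v1 text header that nginx writes today and for a v2 binary header carrying the PP2_TYPE_SSL TLV (TLS version, cipher and client certificate CN, which is what comments 5 and 6 ask for), plus a strict v2 reader of the kind a non-HTTP backend such as an MQTT or AMQP broker would need. Type codes and layout follow the published PROXY protocol specification; the sample addresses, ports, certificate CN and the `tls` dict argument are constructed here for illustration.

```python
import ipaddress
import struct

# Constants from the PROXY protocol specification (haproxy.org, proxy-protocol.txt).
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte v2 magic
PP2_VERSION = 0x20                          # high nibble of byte 13
PP2_CMD_LOCAL, PP2_CMD_PROXY = 0x00, 0x01   # low nibble of byte 13
PP2_AF_INET, PP2_AF_INET6 = 0x10, 0x20      # high nibble of byte 14
PP2_TRANSPORT_STREAM = 0x01                 # low nibble of byte 14
PP2_TYPE_SSL = 0x20                         # TLV carrying TLS details
PP2_SUBTYPE_SSL_VERSION = 0x21
PP2_SUBTYPE_SSL_CN = 0x22
PP2_SUBTYPE_SSL_CIPHER = 0x23
PP2_CLIENT_SSL = 0x01                       # "client" flag bits inside PP2_TYPE_SSL
PP2_CLIENT_CERT_CONN = 0x02


def _tlv(tlv_type, value):
    """One TLV: 1-byte type, 2-byte big-endian length, value bytes."""
    return struct.pack("!BH", tlv_type, len(value)) + value


def write_v1(src, dst, sport, dport):
    """Text header of the kind 'proxy_protocol on;' sends to a stream upstream today (v1)."""
    fam = "TCP6" if ipaddress.ip_address(src).version == 6 else "TCP4"
    return f"PROXY {fam} {src} {dst} {sport} {dport}\r\n".encode("ascii")


def write_v2(src, dst, sport, dport, tls=None):
    """Binary v2 header; an optional tls dict {version, cipher, cn} (constructed format
    for this example) becomes a PP2_TYPE_SSL TLV with sub-TLVs."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination address families differ")
    fam = PP2_AF_INET6 if s.version == 6 else PP2_AF_INET
    body = s.packed + d.packed + struct.pack("!HH", sport, dport)
    if tls is not None:
        sub = _tlv(PP2_SUBTYPE_SSL_VERSION, tls["version"].encode())
        sub += _tlv(PP2_SUBTYPE_SSL_CIPHER, tls["cipher"].encode())
        client = PP2_CLIENT_SSL
        if "cn" in tls:
            client |= PP2_CLIENT_CERT_CONN
            sub += _tlv(PP2_SUBTYPE_SSL_CN, tls["cn"].encode())
        # verify field: 0 means a client certificate was presented and verified
        body += _tlv(PP2_TYPE_SSL, struct.pack("!BI", client, 0) + sub)
    hdr = struct.pack("!BBH", PP2_VERSION | PP2_CMD_PROXY,
                      fam | PP2_TRANSPORT_STREAM, len(body))
    return PP2_SIGNATURE + hdr + body


def _parse_tlvs(buf):
    """Walk a TLV list, refusing to read past the buffer it was given."""
    out, i = {}, 0
    while i < len(buf):
        if i + 3 > len(buf):
            raise ValueError("truncated TLV header")
        t, n = struct.unpack_from("!BH", buf, i)
        i += 3
        if i + n > len(buf):
            raise ValueError("truncated TLV value")
        out[t] = buf[i:i + n]
        i += n
    return out


def read_v2(data):
    """Parse a v2 header at the start of data; returns (fields, bytes after the header)."""
    if len(data) < 16 or not data.startswith(PP2_SIGNATURE):
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam_tr, length = struct.unpack_from("!BBH", data, 12)
    if (ver_cmd & 0xF0) != PP2_VERSION:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + length:
        raise ValueError("header truncated: %d more bytes needed" % (16 + length - len(data)))
    body, rest = data[16:16 + length], data[16 + length:]
    if (ver_cmd & 0x0F) == PP2_CMD_LOCAL:
        return {"local": True}, rest    # e.g. a health check: use the real socket addresses
    alen = {PP2_AF_INET: 4, PP2_AF_INET6: 16}.get(fam_tr & 0xF0)
    if alen is None or len(body) < 2 * alen + 4:
        raise ValueError("unsupported address family or short address block")
    fields = {
        "src": str(ipaddress.ip_address(body[:alen])),
        "dst": str(ipaddress.ip_address(body[alen:2 * alen])),
        "sport": struct.unpack_from("!H", body, 2 * alen)[0],
        "dport": struct.unpack_from("!H", body, 2 * alen + 2)[0],
    }
    tlvs = _parse_tlvs(body[2 * alen + 4:])
    if PP2_TYPE_SSL in tlvs:
        v = tlvs[PP2_TYPE_SSL]
        if len(v) < 5:
            raise ValueError("short PP2_TYPE_SSL value")
        client, verify = struct.unpack_from("!BI", v, 0)
        sub = _parse_tlvs(v[5:])
        fields["tls"] = {
            "client_cert": bool(client & PP2_CLIENT_CERT_CONN),
            "verified": verify == 0,
            "version": sub.get(PP2_SUBTYPE_SSL_VERSION, b"").decode(),
            "cipher": sub.get(PP2_SUBTYPE_SSL_CIPHER, b"").decode(),
            "cn": sub.get(PP2_SUBTYPE_SSL_CN, b"").decode(),
        }
    return fields, rest
```

Two points worth noting from the reader side: the 16-bit length in bytes 15-16 bounds everything that follows, so every TLV walk is checked against that declared length rather than against whatever happens to be in the socket buffer, and a LOCAL command header carries no usable addresses and must not be treated as a client connection. A v1-only receiver will reject the binary signature outright, so whichever version the proxy emits has to match what the upstream expects.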
comment:7 by , 4 years ago
Hello,
I sent the PATCH today which adds PROXY protocol v2 support. The code can also be found on GitHub [1].
Not all features are introduced in the patch. It does not include some of the TLVs, which seem not to be used much.
Please feel free to test it.
This patch is used for communication with AMQP servers.
[1] https://github.com/dedok/nginx-stream-proxy-protocol-v2
comment:8 by , 4 years ago
For the record, the patch as sent to the nginx-devel mailing list is here.
comment:9 by , 3 years ago
We would definitely use it in Mailu (https://mailu.io/) too if it was upstreamed.
The usecase there is similar: ngx_mail_core -> Postfix and we would like to have access to TLS handshake details.
comment:10 by , 2 years ago (follow-up: comment 11)
I am facing the same issue raised by mstavrev (comment 5) with VerneMQ. Any plan about the patch made by vasiliy.soshnikov (comment 7)?
comment:11 by , 2 years ago
Replying to goldyfruit@…:
> Any plan about the patch made by vasiliy.soshnikov (comment 7)?
The patch is reviewed and needs more work, see the nginx-devel@ thread linked above. I'm not aware of anybody working on it.
This was considered (and I believe there was a patch), yet no compelling reasons to add support were identified. As such, it was postponed until some reasons are identified (if at all).
The main reason for the client-side PROXY protocol version 2 support was Amazon NLB, which can only use PROXY protocol version 2.