Opened 2 years ago

Last modified 8 weeks ago

#1639 new enhancement

Add support for writing PROXY protocol v2 to upstream

Reported by: ko.cloudflare.com@… Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.15.x
Keywords: proxy protocol proxy-protocol proxy_protocol Cc:

Description

With nginx 1.13.11, support for reading version 2 of the PROXY protocol (the binary variant) was added. However, nginx also allows writing the PROXY protocol to a TCP upstream with the "proxy_protocol on;" setting in a server block, and it seems like this is always version 1. (Implemented as ngx_proxy_protocol_write in ngx_proxy_protocol.c.)

It would be great if version 2 were supported as well, maybe configurable by specifying an integer in the configuration: "proxy_protocol 2;". Are there any plans to implement this?

Change History (5)

comment:1 by Maxim Dounin, 2 years ago

This was considered (and I believe there was a patch), yet no compelling reasons to add support were identified. As such, it was postponed until some reasons are identified (if at all).

The main reason for the client-side PROXY protocol version 2 support was Amazon NLB, which can only use PROXY protocol version 2.

comment:2 by ko.cloudflare.com@…, 2 years ago

I guess the main reason would be that it's faster to parse, especially with IPv6 addresses. I can't find a patch in the mailing list archive.

comment:3 by Maxim Dounin, 2 years ago

> I guess the main reason would be that it's faster to parse, especially with IPv6 addresses.

In our practice, version 1 is actually much easier to parse. As for the speed, I haven't seen any numbers - likely because it's not something measurable compared to the connection costs.

> I can't find a patch in the mailing list archive.

This was an internal patch, it wasn't in the mailing list.

comment:4 by ko.cloudflare.com@…, 2 years ago

Fair enough. I also don't have any numbers at the moment and I guess I can live with v1 for the time being. I guess this can be closed. Thanks for your replies!

Last edited 2 years ago by ko.cloudflare.com@…

comment:5 by mstavrev@…, 8 weeks ago

The extra benefit of PROXY protocol version 2 support is the additional TLV support. It can be used by front-end SSL offloaders (theoretically nginx) to forward client certificate information to back-end servers for non-HTTP protocols. One example is the VerneMQ MQTT broker, which can make use of PROXY protocol v2 to obtain client certificate details for identity and authorization.
Deployment on Kubernetes is becoming more and more popular, and it is very useful to utilize the same ingress (nginx-ingress, which basically configures and supervises a regular nginx instance) for SSL termination of non-HTTP protocols as well.
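To make the v1/v2 difference from the description and the TLV point above concrete, here is an added example (not nginx's code and not any commenter's patch): a minimal PROXY protocol v2 encoder and decoder for TCP over IPv4 that carries the client certificate Common Name in a PP2_TYPE_SSL TLV, with the checks a receiving backend needs before trusting it (signature, declared length against bytes actually received, TLV bounds, and the certificate-presented and verify-result fields). Type codes and layout follow the PROXY protocol specification; the addresses, ports and CN used in the tests are constructed sample values.

```python
import socket
import struct

PP2_SIGNATURE = b"\x0d\x0a\x0d\x0a\x00\x0d\x0a\x51\x55\x49\x54\x0a"  # 12-byte binary signature
PP2_TYPE_SSL = 0x20          # TLV with TLS facts about the client connection
PP2_SUBTYPE_SSL_CN = 0x22    # sub-TLV of PP2_TYPE_SSL: client certificate Common Name
PP2_CLIENT_CERT_CONN = 0x02  # client flag: a client certificate was presented on this connection

def tlv(typ, value):  # one TLV: 1-byte type, 2-byte big-endian length, value
    return struct.pack("!BH", typ, len(value)) + value

def parse_tlvs(buf):
    """Walk a TLV list into {type: value}, rejecting truncated entries."""
    out = {}
    while buf:
        if len(buf) < 3 or len(buf) < 3 + struct.unpack("!H", buf[1:3])[0]:
            raise ValueError("truncated TLV")
        typ, ln = struct.unpack("!BH", buf[:3])
        out[typ], buf = buf[3:3 + ln], buf[3 + ln:]
    return out

def encode_v2(src, dst, client_cn=None):
    """v2 header for a proxied TCP/IPv4 connection; src and dst are (ip, port) tuples."""
    body = socket.inet_aton(src[0]) + socket.inet_aton(dst[0]) + struct.pack("!HH", src[1], dst[1])
    if client_cn is not None:
        # PP2_TYPE_SSL value: client flags (1 byte), verify result (4 bytes, 0 = verified), sub-TLVs
        ssl = struct.pack("!BI", 0x01 | PP2_CLIENT_CERT_CONN, 0)  # 0x01 = PP2_CLIENT_SSL
        body += tlv(PP2_TYPE_SSL, ssl + tlv(PP2_SUBTYPE_SSL_CN, client_cn.encode()))
    # 0x21 = version 2 + PROXY command; 0x11 = AF_INET + STREAM; length counts bytes after the fixed 16
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body

def decode_v2(data):
    """Parse a v2 header at the start of data; returns (src, dst, tlvs, bytes_consumed)."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2 or fam != 0x11 or length < 12:
        raise ValueError("unsupported version or family (example handles AF_INET/STREAM only)")
    if len(data) < 16 + length:
        raise ValueError("short read: header promises %d more bytes" % (16 + length - len(data)))
    s, d, sp, dp = struct.unpack("!4s4sHH", data[16:28])
    return (socket.inet_ntoa(s), sp), (socket.inet_ntoa(d), dp), parse_tlvs(data[28:16 + length]), 16 + length

def verified_client_cn(tlvs):
    """CN from PP2_TYPE_SSL, but only if a certificate was presented and the proxy verified it."""
    ssl = tlvs.get(PP2_TYPE_SSL, b"")
    # need flags + 4-byte verify result; verify result 0 means the proxy's verification succeeded
    if len(ssl) < 5 or not ssl[0] & PP2_CLIENT_CERT_CONN or ssl[1:5] != b"\x00\x00\x00\x00":
        return None
    return parse_tlvs(ssl[5:]).get(PP2_SUBTYPE_SSL_CN, b"").decode() or None
```

A backend reading this must buffer until `bytes_consumed` bytes have arrived, since the length field is the only way to know where the header ends and the application protocol (e.g. MQTT) begins.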
