Opened 6 years ago

Last modified 17 months ago

#1639 new enhancement

Add support for writing PROXY protocol v2 to upstream

Reported by: ko.cloudflare.com@…
Owned by:
Priority: minor
Milestone:
Component: nginx-core
Version: 1.15.x
Keywords: proxy protocol proxy-protocol proxy_protocol
Cc:
uname -a:
nginx -V:

Description

With nginx 1.13.11, support for reading version 2 of the PROXY protocol (the binary variant) was added. However, nginx also allows writing the PROXY protocol to a TCP upstream with the "proxy_protocol on;" setting in a server block. However, it seems like this is always version 1. (Implemented as ngx_proxy_protocol_write in ngx_proxy_protocol.c.)

It would be great if version 2 would be supported as well. Maybe configurable by specifying an integer in the configuration "proxy_protocol 2;". Are there any plans to implement this?

Change History (11)

comment:1 by Maxim Dounin, 5 years ago

This was considered (and I believe there was a patch), yet no compelling reasons to add support were identified. As such, it was postponed until some reasons are identified (if at all).

The main reason for the client-side PROXY protocol version 2 support was Amazon NLB, which can only use PROXY protocol version 2.

comment:2 by ko.cloudflare.com@…, 5 years ago

I guess the main reason would be that it's faster to parse, especially with IPv6 addresses. I can't find a patch in the mailing list archive.

comment:3 by Maxim Dounin, 5 years ago

> I guess the main reason would be that it's faster to parse, especially with IPv6 addresses.

In our practice, version 1 is actually much easier to parse. As for the speed, I haven't seen any numbers - likely because it's not something measurable compared to the connection costs.

> I can't find a patch in the mailing list archive.

This was an internal patch, it wasn't in the mailing list.

comment:4 by ko.cloudflare.com@…, 5 years ago

Fair enough. I also don't have any numbers at the moment and I guess I can live with v1 for the time being. I guess this can be closed. Thanks for your replies!

Last edited 5 years ago by ko.cloudflare.com@…

comment:5 by mstavrev@…, 4 years ago

The extra benefit of Proxy protocol version 2 support is the additional TLV support. It can be used by front-end SSL offloaders (theoretically nginx) to forward client certificate information to back-end servers for non-HTTP protocols. One such example usage is VerneMQ MQTT broker, which can make use of Proxy v2 protocol to obtain client certificate details for identity and authorization.
Deployment on Kubernetes becomes more and more popular and it is very useful to utilize the same ingress (Nginx-ingress, which basically is configuring and supervising a regular Nginx instance) for SSL termination of non-HTTP protocols as well.

comment:6 by carl.hoerberg@…, 3 years ago

Second that, TLS support, so that non-http upstream servers can know if the connection was made with TLS or not, and can report TLS version and TLS cipher being used correctly.

Last edited 3 years ago by carl.hoerberg@…
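
The SSL TLV that comments 5 and 6 refer to, as it appears on the wire in a v2 header. This is an added example, not code from the ticket, from nginx or from the patch in comment 7: the function names are hypothetical, the type codes are those of the PROXY protocol v2 specification, and only TCP over IPv6 is covered. The parser bounds-checks every length, because a backend should accept the header only from a known proxy and still treat it as untrusted input.

```python
import ipaddress
import struct

SIG = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte v2 signature
PP2_TYPE_SSL = 0x20
SSL_SUBTYPES = {0x21: "version", 0x22: "cn", 0x23: "cipher"}

def tlv(kind, value):
    return struct.pack("!BH", kind, len(value)) + value

def build_v2(src, dst, sport, dport, tls_version, cipher, cn):
    # v1 for the same connection: "PROXY TCP6 <src> <dst> <sport> <dport>\r\n", no TLS fields
    subs = b"".join(tlv(t, v.encode()) for t, v in
                    ((0x21, tls_version), (0x23, cipher), (0x22, cn)))
    # client=0x03: TLS used, cert presented on this connection; verify=0: cert verified
    ssl = tlv(PP2_TYPE_SSL, struct.pack("!BI", 0x03, 0) + subs)
    body = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + struct.pack("!HH", sport, dport) + ssl)
    # 0x21 = version 2 + PROXY command, then 0x21 = AF_INET6 + STREAM
    return SIG + struct.pack("!BBH", 0x21, 0x21, len(body)) + body

def iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 3:
            raise ValueError("truncated TLV header")
        kind, length = struct.unpack_from("!BH", buf, pos)
        if length > len(buf) - pos - 3:
            raise ValueError("TLV length runs past its container")
        yield kind, buf[pos + 3:pos + 3 + length]
        pos += 3 + length

def parse_v2(data):
    if len(data) < 16 or data[:12] != SIG:
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam, length = struct.unpack_from("!BBH", data, 12)
    if (ver_cmd, fam) != (0x21, 0x21) or length < 36 or len(data) < 16 + length:
        raise ValueError("unsupported or truncated header")
    body = data[16:16 + length]
    info = {"src": str(ipaddress.IPv6Address(body[:16])),
            "src_port": struct.unpack_from("!H", body, 32)[0]}
    for kind, value in iter_tlvs(body[36:]):
        if kind == PP2_TYPE_SSL and len(value) >= 5:
            client, verify = struct.unpack_from("!BI", value)
            info.update(tls=bool(client & 1), cert_verified=bool(client & 2) and verify == 0)
            for sub, v in iter_tlvs(value[5:]):
                if sub in SSL_SUBTYPES:
                    info[SSL_SUBTYPES[sub]] = v.decode("utf-8", "replace")
    return info
```

`parse_v2(build_v2(...))` returns the source address and port plus the `tls`, `cert_verified`, `version`, `cipher` and `cn` fields that a non-HTTP backend would use for identity and authorization decisions.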

comment:7 by vasiliy.soshnikov@…, 3 years ago

Hello,

I sent the patch today, which adds PROXY protocol v2 support. The code can also be found on GitHub [1].

Not all features are introduced in the patch. It does not have some of the TLVs, which seem not to be used a lot.

Please feel free to test it.

This patch is used for communication with AMQP servers.

[1] https://github.com/dedok/nginx-stream-proxy-protocol-v2

comment:8 by Maxim Dounin, 3 years ago

For the record, the patch as sent to the nginx-devel mailing list is here.

comment:9 by nextgens@…, 2 years ago

We would definitely use it in Mailu (https://mailu.io/) too if it was upstreamed.

The use case there is similar: ngx_mail_core -> Postfix and we would like to have access to TLS handshake details.

comment:10 by goldyfruit@…, 17 months ago

I am facing the same issue raised by mstavrev (comment 5) with VerneMQ. Any plan about the patch made by vasiliy.soshnikov (comment 7)?

Last edited 17 months ago by goldyfruit@…

comment:11 by Maxim Dounin, 17 months ago (in reply to: 10)

Replying to goldyfruit@…:

> Any plan about the patch made by vasiliy.soshnikov (comment 7)?

The patch is reviewed and needs more work, see the nginx-devel@ thread linked above. I'm not aware of anybody working on it.
