Opened 11 months ago

Closed 11 months ago

Last modified 9 months ago

#2594 closed defect (duplicate)

Stream proxy ptotocol header is not valid

Reported by: zdm@… Owned by:
Priority: major Milestone:
Component: nginx-core Version: 1.25.x
Keywords: Cc:
uname -a: Linux devel 5.15.0-91-generic #101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.25.3
built by gcc 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
built with OpenSSL 3.0.2 15 Mar 2022
TLS SNI support enabled
configure arguments: --sbin-path=/usr/local/sbin/nginx --with-threads --with-file-aio --with-pcre --with-pcre-jit --with-stream --with-cc-opt='-O2 -g' --with-ld-opt=' -Wl,-E' --with-http_addition_module --with-http_auth_request_module --with-http_degradation_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-stream_realip_module

Description

Nginx sends proxy protocol header without triling "\r\n" when unix socket path is too long,
Sample config:
`
strema {

server {

listen *.80;

proxy_pass unix:/var/run/1.socket;
proxy_protocol on;

}

server {

listen unix:/var/run/1.socket prtoxy_protocol;
proxy_pass 127.0.0.1:8080;
proxy_protocol on;

}

}
`

When send simple HTTP GET request to :80 - it;s ok;

But when socket oath is ontr, than 80 chars - nginx sends data like this ( WITHOUT "\r\n" separator after proxy protocol header ):
`
PROXY TCP 1.2.3.4 unix:.... pott1 port2GET
`

Change History (8)

comment:1 by zdm@…, 11 months ago

Pkease, remove ticket
https://trac.nginx.org/nginx/ticket/2593

It was created incorrectly.

comment:2 by Roman Arutyunyan, 11 months ago

Looks like you also have set_real_ip_from directive somewhere in your configuration. In this case indeed you can end up with a PROXY protocol header like that.

The biggest problem I see is mixed address families which are not allowed by PROXY protocol v1 specification. "PROXY UNKNOWN" should be generated instead.

comment:3 by zdm@…, 11 months ago

Hi.

Thjis issue exavylu is related tp the your code, wgich generates proxy ptotocol header.

When socket path is less than 70 chars - it works as we expected.
Itherwise - header is created withous trailing "\r\n" ( less buffer space or sumethis similar ).

Listen IP family and other thungd which you mentioned - this is other questuin.

Could you please fix it (I spant a day while understood while stream not worked)?

comment:4 by zdm@…, 11 months ago

Also, proxy protovol should work when we streaming traffic from ip port to the unix socket (or how we will know clien ip).

So "PROXY UNKNOWN" should not be used.

comment:5 by Roman Arutyunyan, 11 months ago

Socket path is not an issue per se since it should not be there in the first place. Unix socket addresses are not supported by PROXY protocol v1. Anyway we are currently working on this issue.

comment:6 by Roman Arutyunyan, 11 months ago

This issue is similar to #2010, except the length issue breaks not only the PROXY header but the entire connection protocol. Closing this as duplicate.

comment:7 by Roman Arutyunyan, 11 months ago

Resolution: duplicate
Status: newclosed

in reply to:  6 comment:8 by dzagashev@…, 9 months ago

Hi.

Dorry for disturbing you,

Do you know, when this issue will be fixed?
This is important for us to know.
Could you please tell me the expected released date?

Note: See TracTickets for help on using tickets.