#2594 closed defect (duplicate)
Stream proxy ptotocol header is not valid
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | nginx-core | Version: | 1.25.x |
| Keywords: | Cc: | ||
| uname -a: | Linux devel 5.15.0-91-generic #101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.25.3
built by gcc 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04) built with OpenSSL 3.0.2 15 Mar 2022 TLS SNI support enabled configure arguments: --sbin-path=/usr/local/sbin/nginx --with-threads --with-file-aio --with-pcre --with-pcre-jit --with-stream --with-cc-opt='-O2 -g' --with-ld-opt=' -Wl,-E' --with-http_addition_module --with-http_auth_request_module --with-http_degradation_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-stream_realip_module |
||
Description
Nginx sends proxy protocol header without triling "\r\n" when unix socket path is too long,
Sample config:
`
strema {
server {
listen *.80;
proxy_pass unix:/var/run/1.socket;
proxy_protocol on;
}
server {
listen unix:/var/run/1.socket prtoxy_protocol;
proxy_pass 127.0.0.1:8080;
proxy_protocol on;
}
}
`
When send simple HTTP GET request to :80 - it;s ok;
But when socket oath is ontr, than 80 chars - nginx sends data like this ( WITHOUT "\r\n" separator after proxy protocol header ):
`
PROXY TCP 1.2.3.4 unix:.... pott1 port2GET
`
Change History (8)
comment:1 by , 10 months ago
comment:2 by , 10 months ago
Looks like you also have set_real_ip_from directive somewhere in your configuration. In this case indeed you can end up with a PROXY protocol header like that.
The biggest problem I see is mixed address families which are not allowed by PROXY protocol v1 specification. "PROXY UNKNOWN" should be generated instead.
comment:3 by , 10 months ago
Hi.
Thjis issue exavylu is related tp the your code, wgich generates proxy ptotocol header.
When socket path is less than 70 chars - it works as we expected.
Itherwise - header is created withous trailing "\r\n" ( less buffer space or sumethis similar ).
Listen IP family and other thungd which you mentioned - this is other questuin.
Could you please fix it (I spant a day while understood while stream not worked)?
comment:4 by , 10 months ago
Also, proxy protovol should work when we streaming traffic from ip port to the unix socket (or how we will know clien ip).
So "PROXY UNKNOWN" should not be used.
comment:5 by , 10 months ago
Socket path is not an issue per se since it should not be there in the first place. Unix socket addresses are not supported by PROXY protocol v1. Anyway we are currently working on this issue.
follow-up: 8 comment:6 by , 10 months ago
This issue is similar to #2010, except the length issue breaks not only the PROXY header but the entire connection protocol. Closing this as duplicate.
comment:7 by , 10 months ago
| Resolution: | → duplicate |
|---|---|
| Status: | new → closed |
comment:8 by , 8 months ago
Hi.
Dorry for disturbing you,
Do you know, when this issue will be fixed?
This is important for us to know.
Could you please tell me the expected released date?
Pkease, remove ticket
https://trac.nginx.org/nginx/ticket/2593
It was created incorrectly.